Wir sind immer an Studierenden interessiert, die bei uns eine Bachelor- oder Masterarbeit schreiben möchten. Es sind keine besonderen Vorkenntnisse erforderlich, d.h. Grundlagen der Kryptographie, algorithmische oder VHDL Grundlagen können während der Arbeit erlernt werden. Die Ausschreibung richtet sich gleichermaßen an Studierende der ET, IT, AI und ITS.

Bei Interesse an einer Abschlussarbeit an unserem Lehrstuhl könnt Ihr einfach eine E-Mail an seceng+thesis@rub.de schreiben, idealerweise mit einem aktuellen Transcript of Records und Eurem bevorzugten Thema/Themengebiet

Darüber hinaus bietet unser Lehrstuhl aktuell folgende Themen zur Bearbeitung für Bachelor- und Masterarbeiten an. Ausführliche Beschreibungen befinden sich weiter unten.


Hardware Implementation of the Fixed-Weight Sampler in BIKE


MOTIVATION. In 2017, the National Institute of Standards and Technology (NIST) announced a post-quantum standardization process and started a call for proposals to find new cryptographic algorithms that are secure against attacks mounted on quantum computers. After several rounds, the NIST announced eight finalists and seven alternative candidates [3]. Three of them rely on code-based cryptography which applies approaches from coding theory to construct public key cryptosystems. Besides cryptographic security, other metrics like efficient implementations on different platforms play a crucial role in the standardization process.

RESEARCH PROBLEM. One of the alternate candidates of the code-based cryptosystems is the Bit Flipping Key Encapsulation (BIKE) scheme [1]. Over the last years, researchers presented efficient BIKE implementations for x86 architectures, microcontrollers, and Field-Programmable Gate Arrays (FPGAs). However, due to an attack presented in 2022 [2], the BIKE team adapted the specification of the fixed-weight polynomial sampler. The new approach is based on the Fisher-Yate sampling [6] and required on all three Key Encapsulation Mechanism (KEM) operations. Even though the specification of BIKE has been adapted, the corresponding hardware implementation still uses the old rejection sampling.

YOUR TASK. As a first step, you should get familira with BIKE and different fixed-weight sampling algorithms. Aftwerwards, you should study the hardware implementations of BIKE which has been presented in [4, 5]. The corresponding hardware description is available at GitHub. Based on these resources, you should adapt the existing implementation of the rejection sampling with the new specifications of BIKE’s fixed-weight sampler. Within the design process of the new sampler, you should explore different implementation strategies and document the advantages and disadvan- tages.

REQUIREMENTS. Since the task requires writing Verilog code, it would be beneficial to have some experience in hardware design.

CONTACT. If you are interested in this topic, please contact: Dr.-Ing. Jan Richter-Brockmann (jan.richter-brockmann@rub.de).


[1] Olivier Blazy et al. BIKE - Bit Flipping Key Encapsulation. 2021. URL: https://bikesuite.org/ (visited on 04/07/2022).
[2] Qian Guo et al. “Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE”. In: IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022.3 (2022), pp. 223–263.
[3] NIST. Post-Quantum Cryptography | CSRC. 2022. URL: https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions (visited on 04/07/2022).
[4] Jan Richter-Brockmann, Johannes Mono, and Tim Güneysu. “Folding BIKE: Scalable Hardware Implementation for Reconfigurable Devices”. In: IEEE Trans. Computers 71.5 (2022), pp. 1204–1215. DOI: 10 . 1109 / TC . 2021 . 3078294. URL: https://doi.org/10.1109/TC.2021.3078294.
[5] Jan Richter-Brockmann et al. “Racing BIKE: Improved Polynomial Multiplication and Inversion in Hardware”. In: IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022.1 (2022), pp. 557–588. DOI: 10.46586/tches.v2022.i1.557-588. URL: https://doi.org/10.46586/tches.v2022.i1.557-588
[6] Nicolas Sendrier. “Secure Sampling of Constant-Weight Words — Application to BIKE”. In: IACR Cryptol. ePrint Arch. (2021), p. 1631. URL: https://eprint.iacr.org/2021/1631.

GASYN - Secure Gadget Synthesizer and Logic Optimizer


MOTIVATION. Secure implementation of cryptographic algorithms in software or hardware is a challenging problem. Extensive research has been devoted to the development of efficient countermeasures against physical Side-Channel Analysis (SCA). Lately, masking has been established as promising concept due to its theoretically sound foundations allowing to model and prove its security guarantees. Still, correct and secure implementation of masking schemes is a mostly manual, delicate, complex, and error-prone task. This motivates the need for automated tools that assist designers and engineers to securely implement cryptographic operations in hardware.

BACKGROUND. Experience has shown that new masking schemes often have a short retention time, mostly due to inaccuracies and design flaws. As a consequence, a new line of research emerged, investigating the masking of atomic and reusable components, often considered as gadgets in literature, to limit the engineering complexity and error susceptibility [8, 7, 6, 5, 2, 1, 3].

RESEARCH PROBLEM. The supplementary material of [4] presents different latency-optimized S-boxes using a custom 2-input AND gadget. However, neither different gadget layouts and variants, nor alternative optimization objectives (e.g., area or randomness reduction) have been addressed.

YOUR TASK. In this project, you will a gadget-oriented logic synthesizer allowing to generate secure and optimized hardware circuits (area, latency, or randomness) using a custom set of masked gadgets. More precisely, this project requires the following tasks:

  • Literature study (10%)
  • Requirement analysis and concept definition (10-20%)
  • Implementation and debugging (40-50%)
    • Implementation of a custom gadget library
    • Construction of a SAT/SMT-based gadget synthesizer
    • Integration of optimization strategies for area, latency, or randomness reduction
  • Testing and writing (30%)

REQUIREMENTS. Digital logic, hardware design, C/C++ programming, basics on SAT & SMT solvers.

CONTACT. If you are interested in this topic, please contact: Dr.-Ing. Pascal Sasdrich (pascal.sasdrich@rub.de).


[1] Gilles Barthe et al. “Strong Non-Interference and Type-Directed Higher-Order Masking”. In: SIGSAC. ACM, 2016. DOI: 10.1145/ 2976749.2978427
[2] Gilles Barthe et al. “Verified Proofs of Higher-Order Masking”. In: EUROCRYPT. LNCS. Springer, 2015. DOI: 10.1007/978- 3- 662-46800-5\_18
[3] Gaëtan Cassiers and François-Xavier Standaert. “Trivially and Efficiently Composing Masked Gadgets With Probe Isolating Non- Interference”. In: IEEE TIFS (2020). DOI: 10.1109/TIFS.2020.2971153
[4] Gaëtan Cassiers et al. “Hardware Private Circuits: From Trivial Composition to Full Verification”. In: IEEE TC (2021). DOI: 10. 1109/TC.2020.3022979
[5] Hannes Groß, Rinat Iusupov, and Roderick Bloem. “Generic Low-Latency Masking in Hardware”. In: IACR TCHES 2 (2018). DOI: 10.13154/tches.v2018.i2.1-21.
[6] Hannes Groß and Stefan Mangard. “A unified masking approach”. In: JCEN (2018). DOI: 10.1007/s13389-018-0184-y
[7] Hannes Groß, Stefan Mangard, and Thomas Korak. “Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order”. In: TIS@CCS. ACM, 2016. DOI: 10.1145/2996366.2996426.
[8] Oscar Reparaz et al. “Consolidating Masking Schemes”. In: CRYPTO. LNCS. Springer, 2015. DOI: 10.1007/978-3-662-47989- 6\_37

NTT with Arbitrary Polynomial Degrees


MOTIVATION. For lattice-based cryptography, the number theoretic transform (NTT) is an essential operation for efficient multiplication of polynomials. Usually, these polynomials use a power-of-two degree such that the NTT is fully splitting. With arbitrary polynomial degrees however, the NTT is not fully splitting and thus has performance implications [1].

RESEARCH PROBLEM. Your task is to investigate the memory-time tradeoff that non power-of-two degree polynomials have with the NTT. For this, a formula should be derived that allows the application of the NTT to non power-of-two degree polynomials. Additionally, a performance evaluation with code should be performed.

REQUIREMENTS. Basics in number theory, C programming.

CONTACT. If you are interested in this topic, please contact: Johannes Mono (johannes.mono@rub.de).


[1] Chung, Chi-Ming Marvin, et al. "NTT multiplication for NTT-unfriendly rings: New speed records for Saber and NTRU on Cortex-M4 and AVX2." IACR Transactions on Cryptographic Hardware and Embedded Systems (2021): 159-188.

Microarchitectural Side Channel Attacks and Countermeasures


MOTIVATION. The internal hardware of modern CPUs, i.e., the microarchitecture, has long been considered a trust anchor that works as a foundation for higher level system security. While this assumption has been challenged time and again, only recent attacks including Spectre [1] and Meltdown [2] saw the industry taking this problem seriously. There are many aspects of microarchitectural vulnerabilities, ranging from cache side channel attacks [3] over Rowhammer [4] to speculative execution attacks [5].

RESEARCH PROBLEM. Aiding current research projects at the Chair for Security Engineering, your thesis will review and advance the current state of research. This may include the design and/or evaluation of attacks and countermeasures. In many cases these attacks directly operate on the CPU hardware. Especially for the evaluation of countermeasures, we often use the gem5 simulator [6].

REQUIREMENTS. C/C++ programming skills, basics of x86 assembly, basic understanding of CPU designs (pipeline, caches, etc.)

CONTACT. If you are interested in this field of research, we can discuss potential topics suited to your prior knowledge and interests. If you already have a specific topic in mind, feel free to propose it directly. Please contact Jan Philipp Thoma, jan.thoma@rub.de and include a recent transcript or records.


[1] Kocher, Paul, et al. "Spectre attacks: Exploiting speculative execution." 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019.
[2] Lipp, Moritz, et al. "Meltdown: Reading kernel memory from user space." 27th USENIX Security Symposium (USENIX Security 18). 2018.
[3] Yarom, Yuval, and Katrina Falkner. "{FLUSH+ RELOAD}: A High Resolution, Low Noise, L3 Cache {Side-Channel} Attack." 23rd USENIX security symposium (USENIX security 14). 2014.
[4] Mutlu, Onur, and Jeremie S. Kim. "Rowhammer: A retrospective." IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 39.8 (2019): 1555-1571.
[5] Canella, Claudio, et al. "A systematic evaluation of transient execution attacks and defenses." 28th USENIX Security Symposium (USENIX Security 19). 2019.
[6] Lowe-Power, Jason, et al. "The gem5 simulator: Version 20.0+." arXiv preprint arXiv:2007.03152 (2020).

Security-Oriented Electronic Design Automation


MOTIVATION. With ever increasing complexity of Integrated Circuits and Electronic Systems, manual design and development processes are becoming more difficult and cumbersome. Instead, designers and developers are assisted by modern and computer-aided Electronic Design Automation (EDA) tools that handle complex and labor-intensive tasks automatically in order to allow rapid and high-quality development of complex ICs. In addition, these tools provide automatic optimization for various metrics, including area, latency, performance, or power and energy consumption to increase efficiency and quality of the final electronic systems.
However, security as an optimization aspect is mostly neglected when addressing classical metrics as area and performance. In fact, authenticity, integrity, and confidentiality of modern ICs is becoming more and more important in recent years. However, integration and evaluation of security features still is a manual and downstream process and since many security goals including secure data flow (non-interference), side-channel resistance, fault tolerance, and hardware obfuscation can only be addressed at certain stages of the manufacturing chain, security is often neglected or rejected as it would interrupt tight and efficient manufacturing processes.

RESEARCH PROBLEM. As this is a very broad topic and certainly exceeds the scope of a single thesis, we offer multiple theses with focus on different aspects, including (but not limited to):

  • Automated integration of security features
  • Formal verification of security properties
  • Optimization of security features
  • Development of security extensions for (existing) EDA tools
  • Secure High-Level Synthesis (HLS)

REQUIREMENTS. Digital logic, hardware design and security, physical attacks and countermeasures, solid programming skills, hardware description languages, formal verification, etc. (depending on the specific thesis topic and tasks).

CONTACT. If you are interested in this field of research, we can discuss potential topics suited to your prior knowledge and interests. If you already have a specific topic in mind, feel free to propose it directly. Please contact Dr.-Ing. Pascal Sasdrich (pascal.sasdrich@rub.de) and include a recent transcript or records.

Secure Computation


MOTIVATION. Over the last decade and especially in recent years, many new attacks have been developed that target both desktop- as well as embedded-grade hardware. For example, it has been shown multiple times that caches can leak information by purposefully manipulating their contents and causing exploitable timing differences. Furthermore, SPECTRE and MELTDOWN showed that oversights in the implementation of speculative execution as well as predictions can have severe security considerations. Lastly, with the increasing number of IoT devices adversaries started focusing on exploiting these low-performance devices, thus prompting for solutions that require low overhead.

RESEARCH PROBLEM AND YOUR TASK. We have developed different countermeasures against the threats mentioned above. To provide a more in-depth evaluation we still require some implementations. This includes, for example:

  1. Implementing a TLB countermeasure into a softcore OOO-CPU
  2. Implementing an ISA Extension against fault in a softcore embedded-grade CPU (with compiler support)
  3. Researching fault-free ISA designs and evaluating them in HW
This is not a complete list of possible topics. We are also open for your ideas in this area.

REQUIREMENTS. Depending on the direction you aim at: Experience with hardware description languages, high-level languages if you aim to provide compiler support

CONTACT. If you are interested in this topic, please contact: M.Sc. Florian Stolz (florian.stolz@rub.de)

Implementation and Side-Channel Security of Multivariate Quadratic Signature Schemes.

MOTIVATION. In the light of the potential threat of large-scale quantum computers breaking today's deployed cryptography, NIST has launched standardization efforts for post-quantum secure KEMs and Signature schemes. Recently, NIST has announced several schemes to be standardized. Additionally, a fourth round will be opened soon for signature schemes that are not based on lattice assumptions. For this round, it is expected that several signature schemes based on multivariate quadratic assumptions are submitted.

RESEARCH PROBLEM AND YOUR TASK. Here are a few works on several topics related to implementation issued. This includes:

  1. Embedded Software Implementations
  2. Hardware Implementations
  3. Side-Channel Attacks and Countermeasures
Depending on the type of your thesis and your preferences, you could work on one or multiple of these aspects.

REQUIREMENTS. Depending on the direction you aim at: VHDL, embedded C and Assembly, and/or side-channel analysis.

CONTACT. If you are interested in this research topic, please contact Georg Land (georg.land@rub.de) and include a recent transcript or records.


[1] MAYO: Practical Post-Quantum Signatures from Oil-and-Vinegar Maps