Abschlussarbeiten

FULLY HOMOMORPHIC ENCRYPTION

(Master – im­me­dia­te­ly – 6 months)

MOTIVATION

With fully homomorphic encryption (FHE), encrypted data is not only secured when stored, but also during computations. Since Gentry’s seminal work in 2009, multiple schemes have been developed that focus on different areas of computing. However, using FHE is still very expensive with respect to development and runtime costs. Thus, there are still lots of open research problems in improving the performance of existing schemes as well as advancing the FHE ecosystem as a whole for users and developers.

RESEARCH IDEAS

As fully homomorphic encryption in itself exceeds the scope of a single thesis, we list some ideas for your inspiration. Additionally, you can always contact us for more ideas or if you have any questions.

• Automatic creation of fully homomorphic encryption circuits
• Optimization of low-level lattice operations in software or hardware
• …

CONTACT

Johannes Mono

ATTACKS ON THE CPU MICROARCHITECTURE

(Bachelor /Master – im­me­dia­te­ly – 3 /6 months)

MOTIVATION:

The CPU microarchitecture – that is, the internal state of the processing unit – became an increasingly attractive target for attackers. Spectre and Meltdown [1] famously demonstrated the feasibility of microarchitectural attacks in real world scenarios. However, the field of attack vectors is very broad, reaching from transient execution attacks [2] over reliability issues like Rowhammer [3] to timing based side channels, e.g., in caches. Since modern CPUs are incredible complex pieces of engineering, many aspects of the CPU have been left unheeded with vulnerabilities likely to be exploitable.

RESEARCH QUESTION:

The topic offers the opportunity of several thesis works. Depending on your personal interests and experience, we can find a fitting topic. It is possible to evaluate the attacks on real hardware (e.g. current ARM or Intel processors) or in a simulator. For the latter, we mostly use the Gem5 CPU simulator, see [4]

REQUIREMENTS

Ideally, the student has low-level C programming skills and a basic understanding of CPU internals.

REFERENCES

[1] Spectre and Meltdown – https://meltdownattack.com /
[2] C. Canella et al. “A Systematic Evaluation of Transient Execution Attacks and Defenses” (2019) – Link
[3] O. Mutlu, et al. “RowHammer: A retrospective” (2019) – Link
[4] Gem5 CPU Simulator – Link

CONTACT:

Advisor: Jan Philipp Thoma
Mail: jan.thoma@rub.de

MICROARCHITECTURAL COUNTERMEASURES

(Bachelor /Master – im­me­dia­te­ly – 3 /6 months)

MOTIVATION:

The CPU microarchitecture – that is, the internal state of the processing unit – became an increasingly attractive target for attackers. Spectre and Meltdown [1] famously demonstrated the feasibility of microarchitectural attacks in real world scenarios. However, the field of attack vectors is very broad, reaching from transient execution attacks [2] over reliability issues like Rowhammer [3] to timing based side channels, e.g., in caches. Since modern CPUs are incredible complex pieces of engineering, there is a never ending source of novel attack vectors, requiring performance preserving countermeasures.

RESEARCH QUESTION:

The topic offers the opportunity of several thesis works. Depending on your personal interests and experience, we can find a fitting topic. Since manufacturing of a complete processor is infeasible due to the complexity, we evaluate the countermeasures in a cycle accurate CPU simulator. Therefore, we mostly use the Gem5 CPU simulator, see [4]

REQUIREMENTS

Ideally, the student has low-level C programming skills and a basic understanding of CPU internals.

REFERENCES

[1] Spectre and Meltdown – https://meltdownattack.com /
[2] C. Canella et al. “A Systematic Evaluation of Transient Execution Attacks and Defenses” (2019) – Link
[3] O. Mutlu, et al. “RowHammer: A retrospective” (2019) – Link
[4] Gem5 CPU Simulator – Link

CONTACT:

Advisor: Jan Philipp Thoma
Mail: jan.thoma@rub.de

SECURITY-AWARE HARDWARE DESIGN AT THE ARCHITECTURAL LEVEL

(Master – im­me­dia­te­ly – 6 months)

MOTIVATION:

Security-aware Electronic Design Automation (EDA) is a promising solution for bridging the gap between system architects and security experts by automatically implementing state-of-the-art defense mechanisms in modern hardware. For this, security analysis and transformations are done at different levels of design abstraction, to create secure-by-design hardware for digital systems. One such abstraction level is the architectural level, where the interaction of different modules and system parts can be analyzed, customized, and secured. Together with analysis at other abstraction levels, this might allow the detection of vulnerabilities in the microarchitecture early in the design process. To enable analysis across different design stages a unified Intermediate Representation (IR) for the entire design stack is necessary, where different abstraction levels are supported through different language features.

RESEARCH QUESTION:

As part of this thesis, you will extend LLHD [1] to include an architectural level, as proposed in [2], using the MLIR framework [3]. Further, you will investigate security analyses and security transformations that target the resulting architectural design level.

REQUIREMENTS

Ideally, the student has good programming skills and some basic understanding of hardware design.

REFERENCES

[1] F. Schuiki, et al. “LLHD: A Multi-level Intermediate Representation for Hardware Description Languages” (2020)
[2] A. Sharifian, et al. “μIR -An Intermediate Representation for Transforming and Optimizing the Microarchitecture” (2019)
[2] C. Lattner, et al. “MLIR: A Compiler Infrastructure for the End of Moore’s Law” (2020)

CONTACT:

Advisor: Jakob Feldtkeller
Mail: jakob.feldtkeller@rub.de

COMPUTER-AIDED SECURITY

(Bachelor / Master – im­me­dia­te­ly – 3 / 6 months)

MO­TI­VA­TI­ON

With ever increasing complexity of Integrated Circuits and Electronic Systems, manual design and development processes are becoming more difficult and cumbersome. Instead, designers and developers are assisted by modern and computer-aided Electronic Design Automation (EDA) tools that handle complex and labor-intensive tasks automatically in order to allow rapid and high-quality development of complex ICs. In addition, these tools provide automatic optimization for various metrics, including area, latency, performance, or power and energy consumption to increase efficiency and quality of the final electronic systems.

However, security as an optimization aspect is mostly neglected when addressing classical metrics as area and performance. In fact, authenticity, integrity, and confidentiality of modern ICs is becoming more and more important in recent years. However, integration and evaluation of security features still is a manual and downstream process and since many security goals including secure data flow (non-interference), side-channel resistance, fault tolerance, and hardware obfuscation can only be addressed at certain stages of the manufacturing chain, security is often neglected or rejected as it would interrupt tight and efficient manufacturing processes.

RE­SE­ARCH QUES­TI­ON

As this is a very broad topics and certainly exceeds the scope of a single thesis, we offer multiple theses with focus on different aspects, including (but not limited to):

• Automated integration of security features
• Formal verification of security properties
• Optimization of security features
• Development of security extensions for (existing) EDA tools
• Secure High-Level Synthesis (HLS)
• …

CONTACT

Advisor: Pascal Sasdrich
Mail: pascal.sasdrich@rub.de

IMPLEMENTATION OF LATTICE CO-PROCESSOR FOR RISCV CPU

(Masterthesis – im­me­dia­te­ly – 6 Months)

MO­TI­VA­TI­ON

In the current NIST standardization [1] for post quantum secure algorithms, many lattice-based schemes are among the most promising candidates. There are plenty software implementations of these schemes, however, a broad adoption of new encryption standards requires efficient hardware accelerators to efficiently use them on constrained devices, i.e. embedded systems.
The RISCV instructions set poses the first completely open source instruction set architecture (ISA). In particular, the VexRiscv processor [2] is a good platform to implement modular extensions to a RISCV processor. The goal of this thesis is, to develop a generic lattice accelerator as an extension to the VexRiscv CPU. The accelerator should be able to run different lattice-based schemes.

RE­SE­ARCH QUES­TI­ON

You will implement a modular lattice extension to the VexRiscv CPU in SpinalHDL [3] and optimize it as much as possible. Some design concepts of a modular lattice accelerator can be seen in [4].

REFERENCES

[1] NIST PQC
[2] VexRiscv
[3] SpinalHDL
[4] Banerjee, U., Ukyab, T. S., & Chandrakasan, A. P. (2019). Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2019(4)

REQUIREMENTS

Ideally, you should have made first experiences with VHDL (e.g., by having attended Cryp­to­gra­phy on Hard­ware-ba­sed Plat­forms). SpinalHDL is a high-level language that is easy to learn and that simplifies development compared to VHDL significantly.

CONTACT

Advisor: Jan Philipp Thoma and Georg Land
Mail: jan.thoma@rub.de or georg.land@rub.de

SOFTWARE IMPLEMENTATION OF LATTICE-BASED TECHNIQUES FOR ANONYMOUS CREDENTIALS

(Bachelor / Master – im­me­dia­te­ly – 3 / 6 months)

MO­TI­VA­TI­ON

With anonymous credentials [1], users can identify themselves to service providers and prove the possession of a credential in a zero-knowledge manner. To achieve this, many theoretical, probably practically inefficient approaches have been proposed in the past.

Lattice-based cryptography offers a wide range of potential applications that go beyond classic primitves like encryption and signatures. Recent work has shown that lattice-based systems can be used to implement anonymous credentials efficiently, utilizing advanced cryptographic techniques like zero-knowledge proofs of knowledge [2][3][4] or attribute-based signatures [5]. However, these proposals mostly lack practical implementations.

RE­SE­ARCH QUES­TI­ON

You will implement advanced lattice-based schemes like a zero-knowledge proof or an attribute-based signature in C or C++.

REFERENCES

[1] SECURITY WITHOUT IDENTIFICATION: TRANSACTION SYSTEMS TO MAKE BIG BROTHER OBSOLETE
[2] Lattice-Based Group Signatures and Zero-Knowledge Proofs of Automorphism Stability
[3] Efficient Lattice-Based Zero-Knowledge Arguments with Standard Soundness: Construction and Applications
[4] Practical Exact Proofs from Lattices: New Techniques to Exploit Fully-Splitting Rings
[5] Group Signatures without NIZK: From Lattices in the Standard Model

REQUIREMENTS

Ideally, some experience with software implementation in C/C++ and the willingness to learn.

CONTACT

Advisor: Georg Land
Mail: georg.land@rub.de

COUNTERMEASURES AGAINST COMBINED SIDE-CHANNEL ANALYSIS AND FAULT-INJECTION ATTACKS

(Masterthesis – im­me­dia­te­ly – 6 Months)

MO­TI­VA­TI­ON

Cryptographic hardware implementations are generally vulnerable against physical attacks like Side-Channel Attacks (SCA) and Fault-Injections Attacks (FIA). Over the last decades, researchers from academia and industry proposed many countermeasures to thwart these attacks individually. However, since it is insufficient to protect a target implementation only against one of these attack vectors, combined approaches, which can counteract SCA and FIA, gained more and more interest in the last years [1, 2, 3]. Especially the combination of Threshold Implementation (TI) [4] and linear Error-Correcting Codes (ECCs) [5] is a popular approach to achieve increased security against physical attacks. Nevertheless, a simultaneous protection cannot be ensured and most of the proposed schemes are vulnerable against combined attacks.

RE­SE­ARCH QUES­TI­ON

As part of this thesis, you first should investigate possible vulnerabilities of a hardware implementation of a cryptographic algorithm protected by TI and ECCs. This specific implementation is designed to correct occurring errors achieving an increased security against FIA. However, these correction modules offer a possible attack vector which should be exploited by a combined attack using SCA and FIA. Subsequently, you should design and develop suitable countermeasure to thwart such combined countermeasures.

REFERENCES

[1] Schneider, Tobias, et al. „ParTI: Towards Combined Hardware Countermeasures against Side-Channel and Fault-Injection Attacks.“
[2] De Meyer, Lauren, et al. „M&M: Masks and Macs against physical attacks.“
[3] Reparaz, Oscar, et al. „CAPA: the spirit of beaver against physical attacks.“
[4] Nikova, Svetla, et al. „Threshold implementations against side-channel attacks and glitches.“
[5] Aghaie, Anita, et al. „Impeccable circuits.“

REQUIREMENTS

Ideally, the student has some basic background of SCA, FIA and VHDL and attended the lecture on Cryptography on Programmable Hardware.

CONTACT

Advisor: Jan Richter-Brockmann and Pascal Sasdrich
Mail: jan.richter-brockmann@rub.de or pascal.sasdrich@rub.de

LEAKAGE SIMULATION USING MACHINE LEARNING

(Bachelorthesis – im­me­dia­te­ly – 3 Months)

MO­TI­VA­TI­ON

Since the 1st discovery of Side-Channel Analysis (SCA) in 1999, many novel attack techniques have been invented and shown to be effective. Fortunately, many security-critical cryptographic implementations nowadays already consider the threat of SCA during the design phase and implement appropriate mechanisms and countermeasures to protect against revelation of sensitive and secret information. However, although many secure masking schemes have been proposed to protect against SCA, practical implementation of these schemes is a dicult and sophisticated task for most designers. Since even small imperfections in the implementation of a masking scheme can result in an entirely insecure design, security validation processes are required and performed to evaluate and assess the overall security of the nal device. Usually, these security validation processes are performed after implementation on a testing device using a physical test setup and empirical leakage assessment methodology resulting in a complex, lengthy, tedious and manual task.

BACK­GROUND

In 2016, Oscar Reparaz [1] addressed the problem of simplifying, improving and accelerating the security validation process using on-the-fly trace simulation before performing a leakage evaluation based on state-of-the-art leakage detection tests. In particular, this work presents an approach based on simulated traces generated from high-level source code which are analyzed using leakage detection tests based on Welsh’s t-test. Further, the simulated traces are generated based on a preselected power model chosen by the designer.

RE­SE­ARCH QUES­TI­ON

As part of this thesis, you will investigate the following research question: Can we use Machine Learning (ML) techniques to generate simulated power traces based on a more realistic power model? In particular, you will select and implement an appropriate ML algorithm that can be trained and improved using practically generated traces measured on a real physical device. Eventually, your framework should be able to automatically analyze and validate novel (untested) implementations for flaws and potential problems of incorporated side-channel protection mechanisms.

REFERENCES

[1] Oscar Reparaz. Detecting Flawed Masking Schemes with Leakage Detection Tests. FSE 2016.

REQUIREMENTS

Ideally, the student has some basic knowledge on SCA and ML and has good skills in writing efficient software.

CONTACT

Advisor: Pascal Sasdrich
Mail: pascal.sasdrich@rub.de

COMBINED FAULT-INJECTION AND SIDE-CHANNEL ANALYSIS

(Masterthesis – im­me­dia­te­ly – 6 Months)

MO­TI­VA­TI­ON

Physical and implementation attacks, including Side-Channel Analysis (SCA) and Fault-Injection Analysis (FIA) have gained a lot of attention by academic and industrial research during the last two decades. Rather than addressing flaws in cryptographic schemes to reveal and extract secret information, those attack vectors exploit vulnerabilities and flaws in physical implementations of algorithms that are considered to be cryptographically secure.
However, since techniques to advert SCA and FIA usually are of completely different nature and follow design strategies that often are incompatible, combining both countermeasures in the same design is a challenging tasks that only gained attention recently. Still, ensuring that the combination and interplay of both approaches does not lever the protection mechanism and does not reduce the security of the cryptographic implementation is an open problem. In particular, from an adversary perspective, using both attack vectors simultaneously could help to reveal secret information although appropriate countermeasures against both attack vectors are in place.

BACK­GROUND

In 2016, Schneider et al. [1] addressed the problem of achieving resistance against SCA and FIA simultaneously using Error-Correcting Codess (ECCs) for Concurrent Error Detection (CED) in combination with a provable 1st-order secure Threshold Implementations (TIs) for side-channel protection. This seminal work has been extended by others, including Reparaz et al. [2] and De Meyer et al. [3]. While the approach of Reparaz et al. was inspired by Multi-Party Computation (MPC) protocols and masking techniques to simultaneously implement protection against SCA and FIA, De Meyer et al. combined Message Authentication Code (MAC) tags (originating from information theory) with masking to extend the protection against SCA and FIA.

RE­SE­ARCH QUES­TI­ON

As part of this thesis, you will investigate the following research question: Do all those approaches, designed to withstand both SCA and FIA, protect against simultaneous attacks? In particular, you will investigate if we can use fault-injection attacks to lever the protection against SCA or if we can use side-channel analysis to lever the protection against FIA in order to eventually reveal secret information although countermeasures are implemented.

REFERENCES

[1] Tobias Schneider, Amir Moradi, and Tim Güuneysu. ParTI: Towards Combined Hardware Countermeasures against Side-Channel and Fault-Injection Attacks. CRYPTO 2016.
[2] Oscar Reparaz, Lauren De Meyer, Begül Bilgin, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Nigel P. Smart. CAPA: The Spirit of Beaver Against Physical Attacks. CRYPTO 2018.
[3] Lauren De Meyer, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen. M&M: Masks and Macs against Physical Attacks. TCHES 2019.

REQUIREMENTS

This topic requires some solid background on SCA, FIA, and hardware development. Ideally, the student should have completed the courses on Physical Attacks and Countermeasures and Cryptography on Programmable Hardware.

CONTACT

Advisor: Pascal Sasdrich
Mail: pascal.sasdrich@rub.de

FAULT PROPAGATION AND FAULT SEVERITY IN HARDWARE CIRCUITS

(Masterthesis – im­me­dia­te­ly – 6 Months)

MO­TI­VA­TI­ON

Ac­tive phy­si­cal at­tacks, par­ti­cu­lar­ly Fault-In­jec­tion Ana­ly­sis (FIA), pose a se­rious and often un­de­re­sti­ma­ted thre­at to phy­si­cal im­ple­men­ta­ti­ons of cryp­to­gra­phic al­go­rith­ms. Often, dis­tur­bing the exe­cu­ti­on of cryp­to­gra­phic ope­ra­ti­ons through pre­cise­ly in­jec­ted faults al­lows to re­veal and extract secret in­for­ma­ti­on even­tual­ly al­lowing to break the se­cu­ri­ty of the over­all sys­tem. Most of all, since ne­cessa­ry tools and equip­ment to pre­cise­ly in­ject faults have been im­pro­ved dra­ma­ti­cal­ly over the last years, at­ta­ckers are be­co­ming in­crea­sin­gly power­ful. To this end, de­si­gners of cryp­to­gra­phic im­ple­men­ta­ti­ons are ob­li­ged to con­s­i­der pro­tec­tion against FIA as early as du­ring the de­sign and im­ple­men­ta­ti­on phase. For this, va­rious Con­cur­rent Error De­tec­tion (CED) sche­mes have been pro­po­sed as coun­ter­me­a­su­res based on red­un­dancy in area or time. Howe­ver, ana­ly­sis and eva­lua­ti­on of the ef­fec­tiven­ess of a cho­sen CED du­ring the de­sign and im­ple­men­ta­ti­on phase is still an open pro­blem.

BACK­GROUND

For­mal ve­ri­fi­ca­ti­on of hard­ware coun­ter­me­a­su­res against phy­si­cal at­tacks (in­clu­ding Si­de-Chan­nel Ana­ly­sis (SCA) and FIA) based on ana­ly­sis of the Hard­ware De­scrip­ti­on Lan­gua­ge (HDL) or gate-le­vel net­list is a te­dious and time con­su­ming tasks that only re­cent­ly gained some at­ten­ti­on. Due to the com­ple­xi­ty and size of mo­dern, se­cu­ri­ty-cri­ti­cal hard­ware cir­cuits, the scale and com­ple­xi­ty of phy­si­cal at­tacks, and the re­qui­red know­ledge and ex­per­ti­se, tool-sup­por­ted ana­ly­sis and ve­ri­fi ca­ti­on of the cir­cuit is be­co­ming in­crea­sin­gly im­portant.

RE­SE­ARCH QUES­TI­ON

As part of this the­sis, you will in­ves­ti­ga­te the fol­lowing re­se­arch ques­ti­on: Can we iden­ti­fy and de fine pro­per­ties that cha­rac­te­ri­ze the fault pro­pa­ga­ti­on and fault se­ve­ri­ty for a com­bi­na­tio­nal hard­ware cir­cuit. In par­ti­cu­lar, you will in­ves­ti­ga­te ap­proa­ches to re­du­ce the com­ple­xi­ty of an ex­haus­ti­ve fault si­mu­la­ti­on for ana­ly­sis of the fault pro­pa­ga­ti­on be­ha­vi­or by fin­ding sen­si­ti­ve lo­ca­ti­ons which allow to in­ject faults with high im­pact (i.e., hig­her se­ve­ri­ty). Even­tual­ly, you should de­ve­lop a frame­work that can au­to­ma­te the ana­ly­sis and si­mu­la­ti­on of the fault be­ha­vi­or of an ar­bi­tra­ry hard­ware cir­cuit.

REQUIREMENTS

Ide­al­ly, the stu­dent is fa­mi­li­ar with the basic con­cepts of some HDL (e.g., VHDL or Ve­ri­log) and has basic know­ledge on C/C++ and Py­thon pro­gramming.

CONTACT

Advisor: Pascal Sasdrich
Mail: pascal.sasdrich@rub.de

EFFICIENT HARDWARE IMPLEMENTATION OF BIKE

(Masterthesis – im­me­dia­te­ly – 6 Months)

ABSTRACT:

In 2017 the Na­tio­nal In­sti­tu­te of Stan­dards and Tech­no­lo­gy (NIST) an­noun­ced a stan­dar­diza­t­i­on pro­cess to de­ve­lop post-quan­tum re­sis­tant cryp­to­gra­phy. Re­cent­ly, the NIST selec­ted and pu­blis­hed the re­main can­di­da­tes for the se­cond round. One sub­mis­si­on from the pu­blic-key en­cryp­ti­on al­go­rith­ms is BIKE which is a code-ba­sed ap­proach [1]. Since now, the aut­hors con­cen­tra­ted their work on ef­fi­ci­ent soft­ware im­ple­men­ta­ti­ons only. As part of the round two sub­mis­si­on, they pro­vi­ded first hard­ware im­ple­men­ta­ti­ons for the key ge­ne­ra­ti­on (Key­Gen) and the en­cap­su­la­ti­on (En­caps) al­go­rithm to set first bench­marks re­gar­ding speed and hard­ware uti­liza­t­i­on. Howe­ver, re­sults for ef­fi­ci­ent decap­su­la­ti­on im­ple­men­ta­ti­ons and con­stant time ap­proa­ches for Key­Gen and En­caps are still mis­sing.

As part of a mas­ter the­sis, the mis­sing en­cap­su­la­ti­on al­go­rithm should be im­ple­men­ted for an Artix 7 FPGA. After sur­moun­ting the dif­fi­cul­ties in the un­der­ly­ing bit-flip­ping al­go­rithm, an ad­ap­ta­ti­on of Key­Gen and En­caps should be ac­com­plis­hed to rea­li­ze a con­stant time im­ple­men­ta­ti­on. Fi­nal­ly, the im­ple­men­ted de­signs should be eva­lua­ted re­gar­ding speed and area con­sump­ti­on.

REFERENCES

[1] Aragon, Nicolas, et al. „BIKE: bit flipping key encapsulation.“ (2017).

REQUIREMENTS

Knowledge of VHDL and FPGAs is preferable.

CONTACT:

Advisor: Jan Richter-Brockmann
Mail: jan.richter-brockmann@rub.de

AUTOMATIC ERROR DETECTION IN HIGH LEVEL SYNTHESIS DESIGN

(Bachelor – im­me­dia­te­ly – 3 months)

MOTIVATION:

High-Level Synthesis (HLS) allows the design of hardware at an abstract, algorithmic level without dealing with the specific implementation at the gate or register transfer level. As such, HLS is comparable to high-level programming languages and offers similar benefits. Comparable to software, it is possible to introduce security features automatically during the synthesis process and, hence, support the designer in the task of building a secure system. Since contemporary HLS tools do not support any notion of security today, this is an open and promising research field.

RESEARCH QUESTION:

One class of attacks against hardware implementations are fault attacks [1], where an attacker exploits a faulty computation of a device to recover some secret information. As part of this thesis, you should investigate the option of introducing automatic countermeasures against fault attacks into a hardware design during high-level synthesis. As a starting point, you will look into impeccable circuits [2] and analyze their applicability and constraints for high-level synthesis.

REQUIREMENTS

Ideally, the student has good programming skills and some basic understanding of hardware design (Verilog/VHDL).

REFERENCES

[1] D. Boneh, et al. “On the Importance of Checking Cryptographic Protocols for Faults” (1997)
[2] A. Aghaie, et al. “Impeccable Circuits” (2019)

CONTACT:

Advisor: Jakob Feldtkeller
Mail: jakob.feldtkeller@rub.de

ADVANCED LASER FAULT INJECTION

(Bachelor / Master – im­me­dia­te­ly – 3 / 6 months)

BACKGROUND

Fault Injection Attacks allow to break mathematically secure cryptographic schemes by disturbing the execution of the actual implementation, e.g., on a microcontroller or a smartcard. In the past, semi-invasive techniques based on the exposure of an IC to laser light have proven to be particularly successful. Our group built an advanced lab setup for performing laser fault injection attacks. The setup features two independent laser diodes to overcome certain countermeasures, e.g., redundant computation in two independent parts of the IC. The setup is proven to work very well and code to operate the lasers and stages was already developed.

WHAT CAN YOU DO?:

During this thesis, you will design and perform practical experiments on a previously selected target. For example, one possible target is an ASIC implementing various countermeasures against fault injection. It was developed at SECENG, i.e., we have the implementation and its layout to identify potential targets quickly. The exact details and goals will be discussed individually in person. The topic is well suited both for students of ITS and ET/IT. To practically implement the experiments, it is useful that you are familiar either with at least one suitable PC programming language, e.g., C or C++. However, this is not a strict requirement, as most concepts base on simple ideas that are quickly understood.

CONTACT

Advisor: Aein Rezaei Shahmirzadi and David Knichel
Mail: Aein.RezaeiShahmirzadi@rub.de or David.Knichel@rub.de

COUNTERMEASURES AGAINST SIDE-CHANNEL ATTACK AND STATISTICAL INEFFECTIVE FAULT ATTACK (SIFA)

(Bachelor / Master – im­me­dia­te­ly – 3 / 6 months)

MOTIVATION

Recently, Statistical Ineffective Fault Attack (SIFA) [1] was proposed that used only fault free ciphertexts to reveal the information. In [2] has been shown that how to attack implementations protected with both masking and detection-based fault countermeasures using a single fault induction per execution by SIFA. It shows that SIFA pose a threat for many practical implementations of symmetric cryptography. In particular, countermeasures against both power analysis and fault attacks typically do not prevent straightforward SIFA attacks that require very limited knowledge about the concrete attacked implementation.

RE­SE­ARCH QUES­TI­ON

As part of this thesis, you will investigate the following research question: Are the proposed schemes really secure? How can we reduce their overhead? In addition, can we identify new countermeasures against both power side-channel attacks and SIFA?

REQUIREMENTS

Ide­al­ly, the stu­dent is fa­mi­li­ar with the basic con­cepts of some HDL (e.g., VHDL or Ve­ri­log) and has basic know­ledge on C/C++ pro­gramming. In addition, the student should have some basic background on physical attacks and countermeasures.

REFERENCES

CONTACT

Advisor: Aein Rezaei Shahmirzadi
Mail: Aein.RezaeiShahmirzadi@rub.de

CYCLE ACCURATE PROCESSOR SIMULATION IN GEM5

(Bachelor / Master – im­me­dia­te­ly – 3 / 6 months)

MOTIVATION

In recent years, attacks targeting microarchitectural properties of modern CPUs became a hotly debated topic in the research field of cybersecurity. With novel attack vectors like Meltowon [4] and Spectre [3], attackers can efficiently bypass higher level security mechanisms such as memory safety. Since the microarchitectural state of a CPU is not normally transparent to attackers – as well as any legitimate user – data is usually extracted via a timing side channel. Common side channels are based on caches or memory controllers.
The investigation of microarchitectural properties is no easy as dumping the microarchitectural state is normally not feasible. Therefore, we need a powerful simulator. Gem5 [1,2] is a simulation framework that lets you define CPUs in higher level languages (Python and C++) and then run cycle accurate simulations from it. It is possible to run real world programs and produce (graphical) output of internal CPU properties during runtime.

RE­SE­ARCH QUES­TI­ON

As part of this thesis, you should first familiarize with the Gem5 simulation framework. The goal is to build a cycle accurate simulator of a simple 5-7 stage RISC-V [5] CPU which allows dynamic configuration of hardware properties such as cache layout and branch prediction. As part of your thesis, you should evaluate your processor against existing RISC-V CPUs.

REQUIREMENTS

The student is required to have good programming skills in C++ and Python. Basic knowledge of CPU internals will be helpful.

REFERENCES

CONTACT

Advisor: Jan Philipp Thoma
Mail: jan.thoma@rub.de

SCA-PROTECT DESIGNS IN SOFTWARE PLATFORMS

(Bachelor / Master – im­me­dia­te­ly – 3/6 months)

MOTIVATION:

Being based on a sound theoretical basis, masking schemes are commonly applied to protect cryptographic implementations against Side-Channel Analysis (SCA) attacks. Software platforms are popular both in the research area and industry. So developing secure software implementations has gotten a lot of attention. As a matter of fact, it is important to consider all components of the software platforms, e.g., piplining, cache, etc., to design a real secure software implementations. Hence, several thought-secure implementations exhibit leakage in practice even though their mathematical backgrounds seem sound.Being based on a sound theoretical basis, masking schemes are commonly applied to protect cryptographic implementations against Side-Channel Analysis (SCA) attacks. Software platforms are popular both in the research area and industry. So developing secure software implementations has gotten a lot of attention. As a matter of fact, it is important to consider all components of the software platforms, e.g., piplining, cache, etc., to design a real secure software implementations. Hence, several thought-secure implementations exhibit leakage in practice even though their mathematical backgrounds seem sound.

RESEARCH QUESTION:

The goal of this thesis is to compare the approaches in the literature in software platforms and ideally construct a more efficient design. Constructing SCA-protected AES, as the most widely deployed block cipher, has been trivially the focus of several research projects, with a direct use in industry. So basically concentrating on AES as a case study would be the best in this work.

REQUIREMENTS

Ideally, the student has good programming skills and some basic understanding of hardware security.

REFERENCES

[1] H. Gross, et al. “First-Order Masking with Only Two Random Bits” (2019)
[2] A.R. Shahmirzadi, et al. “Re-Consolidating First-Order Masking Schemes – Nullifying Fresh Randomness” (2020)

CONTACT:

Advisor: Aein Rezaei Shahmirzadi
Mail: aein.rezaeishahmirzadi@rub.de

ELECTROMAGNETIC FAULT INJECTION (EMFI)

(Bachelor / Master – im­me­dia­te­ly – 3 / 6 months)

BACKGROUND

Fault attacks aim to jeopardize the security of a cryptographic implementation by forcing the device to run outside its specification. This misbehavior possibly causes faults when processing sensitive data and can lead to successful secret extraction even if the underlying cryptographic primitives are mathematically secure. Faults can be caused by clock glitches and voltages spikes, but also by exposing the device’s circuit to laser beams and electromagnetic (EM) pulses [1]. EM pulses create a sudden current flow in the power/ ground networks of an IC, causing voltage drops and/or ground bounces. As laser beams have high spatial and temporal resolution, most of the research was done in this area. Nonetheless, EMFI is expected to have some advantages over laser fault injection [2] and is thus a promising topic for further exploration.

WHAT CAN YOU DO?:

Our group recently acquired up-to-date equipment for EM pulse injection. During this thesis you will use this equipment to perform practical evaluations on previously selected targets. Possible questions to be answered are: What faults can be caused on the target? Which areas of the chip are sensitive to EMFI? What is the size of the affected area? Can we change the data flow? Can we manipulate the program flow? If you are interested in this topic, we will together determine the scope of your thesis in more detail.

REQUIREMENTS:

The topic is well suited both for students of ITS and ET/IT. To practically implement the experiments, it is useful that you are familiar either with at least one suitable PC programming language, e.g., C or C++. However, this is not a strict requirement, as most concepts base on simple ideas that are quickly understood.

REFERENCES

CONTACT

Advisor: David Knichel
and Aein Rezaei Shahmirzadi
Mail: David.Knichel@rub.de or Aein.RezaeiShahmirzadi@rub.de

ADIABATIC LOGIC AS A COUNTERMEASURE AGAINST SIDE-CHANNEL ANALYSIS ATTACK

(Bachelor / Master – 3 / 6 months)

BACKGROUND

Adiabatic Logic actually is a methodology to design low-power applications. But their ability to balance the consumed power can make them a good countermeasure against power-analysis side-channel attacks [1–4].The main reason to consider adiabatic logics in physical security domain is their ability to soften energy dissipation profile by reducing the amplitude of the current of the power supply. Furthermore, adiabatic logic cells have dual-rail structure. Hence, they inherently satisfy the goal of DPA-resistant logic styles, i.e. achieving a constant number of transitions per working cycle [5], [6]. Basic concept of adiabatic is charging/discharging a capacitor by a constant current instead of a constant voltage, but in practical cases due to difficulty of using a constant current source, the current source is replaced by a ramp-type voltage source. Every adiabatic logic at least has two main working phases, ”Evaluation” and ”Recovery”, although most recently proposed works have 4 working phases. All adiabatic cells should be designed based on these key-rules [7]: 1) Turning on a transistor which has a non-zero potential difference between its drain and source is forbidden. 2) Turning off a transistor which current is still passing through it, is not permitted.

WHAT CAN YOU DO?:

This thesis can be defined in two basic and advanced modes: In basic phase, which is suitable for bachelor students, we want to do a comparative study on all previous adiabatic families which has been introduced as a countermeasure against power-analysis side-channel attacks. The aim of advanced mode, which is suitable for Master students, is to design a new adiabatic family.

REQUIREMENTS:

Although in Basic mode, simulation and analysis of circuits is not necessary, by the way knowledge of Spice and MATLAB can be very helpful. In advanced the design should be simulated and the results should be compared with other state of the arts. So it is necessary for students to know/learn one of the Spice-based simulators such as Hspice, LTspice, Ngspice, etc. A also the results should be analysed by MATLAB, C++, Python, etc

REFERENCES

CONTACT

Advisor: Bijan Fadaeinia
Mail: Bijan.Fadaeinia@rub.de

NANO-SCALE SIDE-CHANNEL ANALYSIS

(Masterarbeit – Bachelorarbeit)

Background:
The traditional use case of cryptography, namely transferring secret messages between two distant parties, does not involve any adversarial access to the machines that execute cryptographic algorithms. Hence, for several decades, mathematical security of the applied ciphers was the only important criterion. For many of todays applications on the other hand this assumption is no longer suitable. Smart-cards, RFID tags, electronic door locks and keys as well as many further small scale devices in the IoT are in the hands of potential adversaries with a constant and non-observable physical access to them. The most prominent class of attacks that becomes important in such a setting is the side-channel analysis. Side-channel analysis attacks are based on the observation of the physical properties of a cryptographic device and try to learn information about the internal key material. These physical properties, like e.g. the power consumption or the electromagnetic emanation, vary significantly when the respective technology is scaled down as aggressively as current nanometer CMOS processes. Thus, it is crucial to keep effective countermeasures against side-channel attacks up-to-date and to generate new ones that fit the altered conditions.

What can you do?
One of the most important – technology scaling-induced – changes in the power consumption characteristics of physical devices is the rise of the static power consumption. Since many countermeasures against power analysis attacks are based on concealing the data dependency in the dynamic currents, it can be possible to circumvent these by exploiting the information leakage through the static power dissipation.
Our group has recently built a sophisticated measurement setup for static power analysis and carried out several preliminary experiments with promising results. However, it is necessary to advance the research in this area. Concrete thesis topics can include the development and test of new countermeasures against static power analysis, the study of temperature effects on the static and dynamic power consumption in different technologies and the improvement of the existing measurement setup.
The topic is well suited both for students of ITS and ET/IT. To practically implement and test the countermeasures and to work with the FPGA boards, it is necessary that you are familiar with VHDL and at least one suitable PC programming language, e.g., C or C++. It is also possible to realize smaller parts of the project as a Studien- or Bachelorarbeit.

Contact:
If this sounds interesting to you, please contact Thorben Moos (thorben.moos@rub.de)

EFFICIENT HARDWARE IMPLEMENTATION OF DILITHIUM

(Masterthesis – im­me­dia­te­ly – 6 Months)

MOTIVATION:

Once efficient large-scale quantum computers will be available, conventional DH-based and factoring-based public key encryption and signature primitives can be broken. However, there are several schemes that are based on (presumably) quantum-resistant problems. The US-american National Institute of Standards and Technology has launched a standardization process in 2016 – similar to the AES standardization that started in 1997 – which aims to find secure and efficient replacements for currently deployed public key schemes. Even though for each proposed scheme at least one software implementation is provided, the efficiency of hardware implementations is not yet known for many proposals.

RESEARCH QUESTION:

CRYSTALS-DILITHIUM [1,2] is a signature scheme from the group of schemes based on module lattices. In the thesis, the scheme should be implemented efficiently for an Artix-7 FPGA and evaluated regarding speed and area consumption.

REFERENCES

[1] Ducas, Léo, et al. „Crystals–dilithium: Digital signatures from module lattices.“ (2018).
[2] https://pq-crystals.org/dilithium/index.shtml

REQUIREMENTS

Knowledge of VHDL and FPGAs

CONTACT:

Advisor: Georg Land
Mail: georg.land@rub.de

UNSUPERVISED LEARNING ON PUFS

(Masterarbeit – Bachelorarbeit)

Background:
One of the recent cryptographic components which are attracted to an increased interest is Physically Unclonable Functions (PUFs). PUFs have been used for various applica- tions, including anti-counterfeiting schemes, key generation algorithms, and in the design of block ciphers. However, there are several different attacks on PUFs which one of the more prevalent ones are machine learning attacks with the aim of modeling the PUFs and simulate them in the requested function by an attacker. Having PUFs mathematical mod- els would be helpful to learn the desired countermeasures against these machine learning attacks. These modeling attacks can be exemplified by Artificial Neural Networks (ANN), Logistic Regression (LR), and covariance matrix adaptation evolution strategy (CMA-ES). How- ever, all of these algorithms are learning PUFs in the supervised approach. Therefore, unsupervised networks which are also helpful to discriminate the fake PUFs from the real ones, can be useful tools in the learning of PUFs which do not have the mathematical models.

Research Question
In this thesis, we are focusing on the common delay-based PUFs such as Arbiter PUFs and XOR Arbiter PUFs in which investigate the unsupervised learning methods. These modeled PUFs can be verified through several PUF-based authentication protocols which need the model of PUF in the server side to compensate the memory attacks and area consumptions.

Requirements
Ideally, the student is familiar with the basic concepts of Machine Learning and python programming or another programming language for these algorithms.

Contact:
If this sounds interesting to you, please contact Anita Aghaie (anita.aghaie@rub.de)

PHYSICAL UNCLONABLE FUNCTIONS ON FPGAS

(Masterarbeit – Bachelorarbeit)

Background:
Physically Unclonable Functions (PUFs) generate a „digital fingerprint“ of a device. They are based on process variations to create device-specific responses, which are often used as cryptographic keys or authentication protocols. One of the most applicable delay-based PUFs is Arbiter PUF that like all PUFs pro- duce unpredictable and unclonable responses. Nevertheless, they are threatening through various attack models including machine learning attacks, side-channel attacks, and Tro- jams. Physical learning with any modeling is recently proposed as a new physical attack against PUFs in which the adversary can measure the PUFs unpredictable and unique physical characteristics. The attack scenario can be readout circuit to measure the physi- cal characteristics of the targeted PUF primitives is embedded into the design. Here, the implementation platform is an FPGA.

Research Question
In this thesis, we focus on a new proposed attack which can be embodied as a hardware Trojan. It can model delay-based PUFs in a cloning approach without any machine learn- ing process. In fact, there are PUF applications which boost the security of cryptographic algorithms against hardware Trojans, e.g., using partial and dynamic reconfigurability on FPGAs.

Requirements
Ideally, the student is familiar with the basic concepts of hardware security, FPGAs and HDL programming to implement the algorithms.

Contact:
If this sounds interesting to you, please contact Anita Aghaie (anita.aghaie@rub.de)

SIDE-CHANNEL MEASUREMENT BOARD

(Masterthesis – immediately – 6 Months)

ABSTRACT:

Physical Side-Channel Attacks (SCA) are an important security thread to many cryptographic implementations. Therefore, many countermeasures against these attacks where proposed in the scientific community and are implemented in the industry. Although provably secure countermeasures against SCA do exist, the models which the security proofs rely on can not capture every relevant aspect of the physical world a crypto-devices lives in. For this reason, every design needs to be tested and validated with actual measurements in order to reliably determine its resistance against SCA. We have developed a high-speed SCA measurement framework which can collect the required data from microcontroller or FPGA implementations of cryptographic primitives [1]. For the most part, this framework relies on commercially available SCA-boards ([2], [3]) or microcontroller boards [4] on which the analyzed algorithm is run.

WHAT CAN YOU DO?

The goal of your thesis is the development of a new printed circuit board (PCB) for side-channel evaluation that addresses some of the shortcomings of the commercial boards. The focus in this work is mainly on achieving higher flexibility (i.e. supporting different FPGAs and microcontrollers) and high-speed measurements while producing low levels of electrical noise. You do not have to develop every part of the system yourself but can use commercially available sub components such as highly integrated FPGA-boards. You thesis should include a comparison of relevant parameters of your board with state-of-the-art equipment available at the chair.

REFERENCES

[1] Flo­ri­an Bache, Chris­ti­na Plump, Jonas Wloka, Tim Gü­ney­su. „Evaluation of (power) side-channels in cryptographic implementations.“ (2019).
[2] Sakura-G.
[3] Sakura-X.
[4] STM32f4 Discovery.

REQUIREMENTS

Some experience in PCB design and familiarity with a hardware description language (e.g. VHDL, Verilog) is necessary.

CONTACT:

Advisor: Florian Bache
Mail: florian.bache@rub.de