We are always interested in students who would like to write a Bachelor's or Master's thesis with us. No special prior knowledge is required, i.e., the basics of cryptography, algorithms, or VHDL can be learned during the thesis. This call is addressed equally to students of ET, IT, AI and ITS.

If you are interested in writing a thesis at our chair, simply send an e-mail to seceng-thesis@rub.de, ideally with a current transcript of records and your preferred topic or topic area.

In addition, our chair currently offers the following topics for Bachelor's and Master's theses. Detailed descriptions can be found further below.


Automated and Security-Aware Design Space Exploration in Hardware

MOTIVATION. With the increasing complexity of modern cryptography, especially Post-Quantum Cryptography (PQC), and considering physical implementation attacks, the design space of efficient hardware instances often grows exorbitantly. As a consequence, designers are often unable to weigh all possible design options and base design decisions on their experience. In a similar way, achieving security against physical attacks usually requires the expertise of experienced designers. However, ideally, design decisions should be made based on the predicted performance of the design, and physical security should be natively built into the design process.

RESEARCH PROBLEM. We have recently developed the new HADES framework [1] and its proof-of-concept implementation at our chair. Using generic hardware descriptions, so-called templates, our tool is able to automatically explore the design space and predict the performance of different design options, allowing designers to make qualified design decisions based on the predicted performance. Our tool is furthermore able to include countermeasures against side-channel attacks in the design space exploration, and finally outputs side-channel secure designs in standard VHDL or Verilog.

YOUR TASK. Your task is to extend our tool, either by adding templates (e.g., for symmetric cryptography such as PRESENT) or by implementing new features in the backend. Possible tasks can include:

  • Addition of new templates for symmetric cryptography (PRESENT, LED, Skinny, Speedy, ...)
  • Designing templates for asymmetric cryptography (RSA, ECC, ...)
  • Adding new performance metrics for the design space exploration (e.g., critical path)
  • Implementation of optimizations during the design space exploration such as local optimizations
  • Optimization of randomness usage for side-channel protection

REQUIREMENTS. Our tool is written in Scala and SpinalHDL. Therefore, you ideally have experience with hardware implementations (VHDL/Verilog/SpinalHDL) and with object-oriented programming (Scala/Java/C++).

CONTACT. If you are interested in this topic, please contact: Fabian Buschkowski (fabian.buschkowski@rub.de) or Georg Land (georg.land@rub.de).


[1] Fabian Buschkowski, Georg Land, Jan Richter-Brockmann, Pascal Sasdrich, and Tim Güneysu. "HADES: Automated Hardware Design Exploration for Cryptographic Primitives". In: Cryptology ePrint Archive, Paper 2024/130. URL: https://eprint.iacr.org/2024/130

Green Crypto: Minimizing Power Consumption via HW/SW Co-Design

MOTIVATION. The rising threat of quantum computers currently drives the research, standardization, and deployment of post-quantum schemes. Simultaneously, we experience a significant spread of embedded devices which impose various restrictions, such as limited memory or an (ultra-)low power consumption. Some works report the power consumption of certain hardware or software implementations, but an even lower power consumption can possibly be achieved with a more refined implementation. Alternatively, a hybrid HW/SW implementation may reduce the energy requirements even further.

YOUR RESEARCH PROBLEM. The goal of this thesis is to minimize the power consumption of a (post-quantum) cryptographic scheme by investigating the spectrum between pure hardware, pure software and HW/SW co-designed implementations. Concretely, this includes the following subtasks:

  • literature research for existing implementations with a focus on minimizing the power consumption
  • identification of available schemes and subroutines
  • research and development of evaluation metrics as well as a test setup and hardware/RISC-V targets
  • definition and selection of focal points on the spectrum of hardware/software co-design
  • design, implementation and/or procurement of relevant implementations
  • evaluation of numerous implementations w.r.t. the previously defined metrics
  • write-up and presentation of the methodology, results, possible shortcomings and outlooks

PREREQUISITES. As this topic is about hardware-software co-design, you should be knowledgeable in both software programming (C, C++) and hardware design (Verilog, VHDL). Familiarity with power measurements or the mathematical basics of post-quantum cryptographic schemes is beneficial but not required.

CONTACT. If you are interested in this topic, please contact Sven Argo or Dr.-Ing. Jan Richter-Brockmann.


[1] Energy Consumption Evaluation of Post-Quantum TLS 1.3 for Resource-Constrained Embedded Devices
[2] BIKE - Bit Flipping Key Encapsulation
[3] Hardware-Software Co-Design of BIKE with HLS-Generated Accelerators
[4] Carry-less to BIKE Faster
[5] Folding BIKE: Scalable Hardware Implementation for Reconfigurable Devices
[6] Optimizing BIKE for the Intel Haswell and ARM Cortex-M4

Hardware Implementation of the Fixed-Weight Sampler in BIKE


MOTIVATION. In 2017, the National Institute of Standards and Technology (NIST) announced a post-quantum standardization process and started a call for proposals to find new cryptographic algorithms that are secure against attacks mounted on quantum computers. After several rounds, NIST announced eight finalists and seven alternative candidates [3]. Three of them rely on code-based cryptography, which applies approaches from coding theory to construct public-key cryptosystems. Besides cryptographic security, other metrics like efficient implementations on different platforms play a crucial role in the standardization process.

RESEARCH PROBLEM. One of the alternate candidates among the code-based cryptosystems is the Bit Flipping Key Encapsulation (BIKE) scheme [1]. Over the last years, researchers presented efficient BIKE implementations for x86 architectures, microcontrollers, and Field-Programmable Gate Arrays (FPGAs). However, due to an attack presented in 2022 [2], the BIKE team adapted the specification of the fixed-weight polynomial sampler. The new approach is based on Fisher-Yates sampling [6] and is required in all three Key Encapsulation Mechanism (KEM) operations. Even though the specification of BIKE has been adapted, the corresponding hardware implementation still uses the old rejection sampling.

YOUR TASK. As a first step, you should get familiar with BIKE and different fixed-weight sampling algorithms. Afterwards, you should study the hardware implementations of BIKE which have been presented in [4, 5]. The corresponding hardware description is available on GitHub. Based on these resources, you should adapt the existing implementation of the rejection sampling to the new specification of BIKE’s fixed-weight sampler. Within the design process of the new sampler, you should explore different implementation strategies and document their advantages and disadvantages.

REQUIREMENTS. Since the task requires writing Verilog code, it would be beneficial to have some experience in hardware design.

CONTACT. If you are interested in this topic, please contact: Dr.-Ing. Jan Richter-Brockmann (jan.richter-brockmann@rub.de).


[1] Olivier Blazy et al. BIKE - Bit Flipping Key Encapsulation. 2021. URL: https://bikesuite.org/ (visited on 04/07/2022).
[2] Qian Guo et al. “Don’t Reject This: Key-Recovery Timing Attacks Due to Rejection-Sampling in HQC and BIKE”. In: IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022.3 (2022), pp. 223–263.
[3] NIST. Post-Quantum Cryptography | CSRC. 2022. URL: https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions (visited on 04/07/2022).
[4] Jan Richter-Brockmann, Johannes Mono, and Tim Güneysu. “Folding BIKE: Scalable Hardware Implementation for Reconfigurable Devices”. In: IEEE Trans. Computers 71.5 (2022), pp. 1204–1215. DOI: 10.1109/TC.2021.3078294. URL: https://doi.org/10.1109/TC.2021.3078294.
[5] Jan Richter-Brockmann et al. “Racing BIKE: Improved Polynomial Multiplication and Inversion in Hardware”. In: IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022.1 (2022), pp. 557–588. DOI: 10.46586/tches.v2022.i1.557-588. URL: https://doi.org/10.46586/tches.v2022.i1.557-588
[6] Nicolas Sendrier. “Secure Sampling of Constant-Weight Words — Application to BIKE”. In: IACR Cryptol. ePrint Arch. (2021), p. 1631. URL: https://eprint.iacr.org/2021/1631.

GASYN - Secure Gadget Synthesizer and Logic Optimizer


MOTIVATION. Secure implementation of cryptographic algorithms in software or hardware is a challenging problem. Extensive research has been devoted to the development of efficient countermeasures against physical Side-Channel Analysis (SCA). Lately, masking has been established as a promising concept due to its theoretically sound foundations, which allow its security guarantees to be modeled and proven. Still, correct and secure implementation of masking schemes is a mostly manual, delicate, complex, and error-prone task. This motivates the need for automated tools that assist designers and engineers in securely implementing cryptographic operations in hardware.

BACKGROUND. Experience has shown that new masking schemes often have a short retention time, mostly due to inaccuracies and design flaws. As a consequence, a new line of research emerged, investigating the masking of atomic and reusable components, often considered as gadgets in literature, to limit the engineering complexity and error susceptibility [8, 7, 6, 5, 2, 1, 3].

RESEARCH PROBLEM. The supplementary material of [4] presents different latency-optimized S-boxes using a custom 2-input AND gadget. However, neither different gadget layouts and variants, nor alternative optimization objectives (e.g., area or randomness reduction) have been addressed.

YOUR TASK. In this project, you will develop a gadget-oriented logic synthesizer that generates secure and optimized hardware circuits (area, latency, or randomness) using a custom set of masked gadgets. More precisely, this project requires the following tasks:

  • Literature study (10%)
  • Requirement analysis and concept definition (10-20%)
  • Implementation and debugging (40-50%)
    • Implementation of a custom gadget library
    • Construction of a SAT/SMT-based gadget synthesizer
    • Integration of optimization strategies for area, latency, or randomness reduction
  • Testing and writing (30%)

REQUIREMENTS. Digital logic, hardware design, C/C++ programming, basics on SAT & SMT solvers.

CONTACT. If you are interested in this topic, please contact: Dr.-Ing. Pascal Sasdrich (pascal.sasdrich@rub.de).


[1] Gilles Barthe et al. “Strong Non-Interference and Type-Directed Higher-Order Masking”. In: SIGSAC. ACM, 2016. DOI: 10.1145/2976749.2978427
[2] Gilles Barthe et al. “Verified Proofs of Higher-Order Masking”. In: EUROCRYPT. LNCS. Springer, 2015. DOI: 10.1007/978-3-662-46800-5_18
[3] Gaëtan Cassiers and François-Xavier Standaert. “Trivially and Efficiently Composing Masked Gadgets With Probe Isolating Non-Interference”. In: IEEE TIFS (2020). DOI: 10.1109/TIFS.2020.2971153
[4] Gaëtan Cassiers et al. “Hardware Private Circuits: From Trivial Composition to Full Verification”. In: IEEE TC (2021). DOI: 10.1109/TC.2020.3022979
[5] Hannes Groß, Rinat Iusupov, and Roderick Bloem. “Generic Low-Latency Masking in Hardware”. In: IACR TCHES 2 (2018). DOI: 10.13154/tches.v2018.i2.1-21.
[6] Hannes Groß and Stefan Mangard. “A unified masking approach”. In: JCEN (2018). DOI: 10.1007/s13389-018-0184-y
[7] Hannes Groß, Stefan Mangard, and Thomas Korak. “Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order”. In: TIS@CCS. ACM, 2016. DOI: 10.1145/2996366.2996426.
[8] Oscar Reparaz et al. “Consolidating Masking Schemes”. In: CRYPTO. LNCS. Springer, 2015. DOI: 10.1007/978-3-662-47989-6_37

NTT with Arbitrary Polynomial Degrees


MOTIVATION. For lattice-based cryptography, the number theoretic transform (NTT) is an essential operation for efficient multiplication of polynomials. Usually, these polynomials use a power-of-two degree such that the NTT is fully splitting. With arbitrary polynomial degrees however, the NTT is not fully splitting and thus has performance implications [1].

RESEARCH PROBLEM. Your task is to investigate the memory-time tradeoff that non power-of-two degree polynomials have with the NTT. For this, a formula should be derived that allows the application of the NTT to non power-of-two degree polynomials. Additionally, a performance evaluation with code should be performed.

REQUIREMENTS. Basics in number theory, C programming.

CONTACT. If you are interested in this topic, please contact: Johannes Mono (johannes.mono@rub.de).


[1] Chung, Chi-Ming Marvin, et al. "NTT multiplication for NTT-unfriendly rings: New speed records for Saber and NTRU on Cortex-M4 and AVX2." IACR Transactions on Cryptographic Hardware and Embedded Systems (2021): 159-188.

Microarchitectural Side Channel Attacks and Countermeasures


MOTIVATION. The internal hardware of modern CPUs, i.e., the microarchitecture, has long been considered a trust anchor that works as a foundation for higher level system security. While this assumption has been challenged time and again, only recent attacks including Spectre [1] and Meltdown [2] saw the industry taking this problem seriously. There are many aspects of microarchitectural vulnerabilities, ranging from cache side channel attacks [3] over Rowhammer [4] to speculative execution attacks [5].

RESEARCH PROBLEM. Aiding current research projects at the Chair for Security Engineering, your thesis will review and advance the current state of research. This may include the design and/or evaluation of attacks and countermeasures. In many cases these attacks directly operate on the CPU hardware. Especially for the evaluation of countermeasures, we often use the gem5 simulator [6].

REQUIREMENTS. C/C++ programming skills, basics of x86 assembly, basic understanding of CPU designs (pipeline, caches, etc.)

CONTACT. If you are interested in this field of research, we can discuss potential topics suited to your prior knowledge and interests. If you already have a specific topic in mind, feel free to propose it directly. Please contact Moritz Peters (moritz.peters-v41@rub.de) and include a recent transcript of records.


[1] Kocher, Paul, et al. "Spectre attacks: Exploiting speculative execution." 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019.
[2] Lipp, Moritz, et al. "Meltdown: Reading kernel memory from user space." 27th USENIX Security Symposium (USENIX Security 18). 2018.
[3] Yarom, Yuval, and Katrina Falkner. "FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack." 23rd USENIX Security Symposium (USENIX Security 14). 2014.
[4] Mutlu, Onur, and Jeremie S. Kim. "Rowhammer: A retrospective." IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 39.8 (2019): 1555-1571.
[5] Canella, Claudio, et al. "A systematic evaluation of transient execution attacks and defenses." 28th USENIX Security Symposium (USENIX Security 19). 2019.
[6] Lowe-Power, Jason, et al. "The gem5 simulator: Version 20.0+." arXiv preprint arXiv:2007.03152 (2020).

Security-Oriented Electronic Design Automation


MOTIVATION. With ever increasing complexity of Integrated Circuits and Electronic Systems, manual design and development processes are becoming more difficult and cumbersome. Instead, designers and developers are assisted by modern and computer-aided Electronic Design Automation (EDA) tools that handle complex and labor-intensive tasks automatically in order to allow rapid and high-quality development of complex ICs. In addition, these tools provide automatic optimization for various metrics, including area, latency, performance, or power and energy consumption to increase efficiency and quality of the final electronic systems.
However, security as an optimization aspect is mostly neglected when addressing classical metrics such as area and performance. In fact, authenticity, integrity, and confidentiality of modern ICs have become more and more important in recent years. However, integration and evaluation of security features is still a manual and downstream process, and since many security goals including secure data flow (non-interference), side-channel resistance, fault tolerance, and hardware obfuscation can only be addressed at certain stages of the manufacturing chain, security is often neglected or rejected as it would interrupt tight and efficient manufacturing processes.

RESEARCH PROBLEM. As this is a very broad topic and certainly exceeds the scope of a single thesis, we offer multiple theses with focus on different aspects, including (but not limited to):

  • Automated integration of security features
  • Formal verification of security properties
  • Optimization of security features
  • Development of security extensions for (existing) EDA tools
  • Secure High-Level Synthesis (HLS)

REQUIREMENTS. Digital logic, hardware design and security, physical attacks and countermeasures, solid programming skills, hardware description languages, formal verification, etc. (depending on the specific thesis topic and tasks).

CONTACT. If you are interested in this field of research, we can discuss potential topics suited to your prior knowledge and interests. If you already have a specific topic in mind, feel free to propose it directly. Please contact Dr.-Ing. Pascal Sasdrich (pascal.sasdrich@rub.de) and include a recent transcript of records.

Implementation and Side-Channel Security of Multivariate Quadratic Signature Schemes

MOTIVATION. In light of the potential threat of large-scale quantum computers breaking today's deployed cryptography, NIST has launched standardization efforts for post-quantum secure KEMs and signature schemes. Recently, NIST has announced several schemes to be standardized. Additionally, a fourth round will be opened soon for signature schemes that are not based on lattice assumptions. For this round, it is expected that several signature schemes based on multivariate quadratic assumptions will be submitted.

RESEARCH PROBLEM AND YOUR TASK. Here are a few works on several topics related to implementation issues. This includes:

  1. Embedded Software Implementations
  2. Hardware Implementations
  3. Side-Channel Attacks and Countermeasures

Depending on the type of your thesis and your preferences, you could work on one or multiple of these aspects.

REQUIREMENTS. Depending on the direction you aim at: VHDL, embedded C and Assembly, and/or side-channel analysis.

CONTACT. If you are interested in this research topic, please contact Georg Land (georg.land@rub.de) and include a recent transcript of records.


[1] MAYO: Practical Post-Quantum Signatures from Oil-and-Vinegar Maps

Secure Computation


MOTIVATION. Over the last decade and especially in recent years, many new attacks have been developed that target both desktop- and embedded-grade hardware. For example, it has been shown multiple times that caches can leak information when their contents are purposefully manipulated to cause exploitable timing differences. Furthermore, SPECTRE and MELTDOWN showed that oversights in the implementation of speculative execution and prediction can have severe security consequences. Lastly, with the increasing number of IoT devices, adversaries have started focusing on exploiting these low-performance devices, which calls for solutions with low overhead.

RESEARCH PROBLEM AND YOUR TASK. We have developed different countermeasures against the threats mentioned above. To provide a more in-depth evaluation we still require some implementations. This includes, for example:

  1. Implementing a TLB countermeasure into a softcore OOO-CPU
  2. Implementing an ISA extension against faults in a softcore embedded-grade CPU (with compiler support)
  3. Researching fault-free ISA designs and evaluating them in HW

This is not a complete list of possible topics. We are also open to your ideas in this area.

REQUIREMENTS. Depending on the direction you aim at: experience with hardware description languages, and with high-level languages if you aim to provide compiler support.

CONTACT. If you are interested in this topic, please contact: M.Sc. Florian Stolz (florian.stolz@rub.de)