BACHELOR- UND MASTERARBEITEN
Wir sind immer an Studierenden interessiert, die bei uns eine Bachelor- oder Masterarbeit schreiben möchten. Es sind keine besonderen Vorkenntnisse erforderlich, d.h. Grundlagen der Kryptografie, algorithmische oder VHDL Grundlagen können während der Arbeit erlernt werden. Die Ausschreibung richtet sich darüber hinaus gleichermaßen an Studenten der ET, IT, AI und ITS. Bei Interesse einfach Prof. Güneysu oder einen Mitarbeiter kontaktieren.
Unser Lehrstuhl bietet aktuell folgende Themen zur Bearbeitung für Bachelor- und Masterarbeiten an. Ausführliche Beschreibung befinden sich weiter unten.
Übersicht
GASYN - Secure Gadget Synthesizer and Logic Optimizer
MOTIVATION. Secure implementation of cryptographic algorithms in software or hardware is a challenging problem. Extensive research has been devoted to the development of efficient countermeasures against physical Side-Channel Analysis (SCA). Lately, masking has been established as promising concept due to its theoretically sound foundations allowing to model and prove its security guarantees. Still, correct and secure implementation of masking schemes is a mostly manual, delicate, complex, and error-prone task. This motivates the need for automated tools that assist designers and engineers to securely implement cryptographic operations in hardware.
BACKGROUND. Experience has shown that new masking schemes often have a short retention time, mostly due to inaccuracies and design flaws. As a consequence, a new line of research emerged, investigating the masking of atomic and reusable components, often considered as gadgets in literature, to limit the engineering complexity and error susceptibility [8, 7, 6, 5, 2, 1, 3].
RESEARCH PROBLEM. The supplementary material of [4] presents different latency-optimized S-boxes using a custom 2-input AND gadget. However, neither different gadget layouts and variants, nor alternative optimization objectives (e.g., area or randomness reduction) have been addressed.
YOUR TASK. In this project, you will a gadget-oriented logic synthesizer allowing to generate secure and optimized hardware circuits (area, latency, or randomness) using a custom set of masked gadgets. More precisely, this project requires the following tasks:
- Literature study (10%)
- Requirement analysis and concept definition (10-20%)
- Implementation and debugging (40-50%)
- Implementation of a custom gadget library
- Construction of a SAT/SMT-based gadget synthesizer
- Integration of optimization strategies for area, latency, or randomness reduction
- Testing and writing (30%)
REQUIREMENTS. Digital logic, hardware design, C/C++ programming, basics on SAT & SMT solvers.
CONTACT. If you are interested in this topic, please contact: Dr.-Ing. Pascal Sasdrich (pascal.sasdrich@rub.de).
LITERATURE
| [1] | Gilles Barthe et al. “Strong Non-Interference and Type-Directed Higher-Order Masking”. In: SIGSAC. ACM, 2016. DOI: 10.1145/ 2976749.2978427 |
| [2] | Gilles Barthe et al. “Verified Proofs of Higher-Order Masking”. In: EUROCRYPT. LNCS. Springer, 2015. DOI: 10.1007/978- 3- 662-46800-5\_18 |
| [3] | Gaëtan Cassiers and François-Xavier Standaert. “Trivially and Efficiently Composing Masked Gadgets With Probe Isolating Non- Interference”. In: IEEE TIFS (2020). DOI: 10.1109/TIFS.2020.2971153 |
| [4] | Gaëtan Cassiers et al. “Hardware Private Circuits: From Trivial Composition to Full Verification”. In: IEEE TC (2021). DOI: 10. 1109/TC.2020.3022979 |
| [5] | Hannes Groß, Rinat Iusupov, and Roderick Bloem. “Generic Low-Latency Masking in Hardware”. In: IACR TCHES 2 (2018). DOI: 10.13154/tches.v2018.i2.1-21. |
| [6] | Hannes Groß and Stefan Mangard. “A unified masking approach”. In: JCEN (2018). DOI: 10.1007/s13389-018-0184-y |
| [7] | Hannes Groß, Stefan Mangard, and Thomas Korak. “Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order”. In: TIS@CCS. ACM, 2016. DOI: 10.1145/2996366.2996426. |
| [8] | Oscar Reparaz et al. “Consolidating Masking Schemes”. In: CRYPTO. LNCS. Springer, 2015. DOI: 10.1007/978-3-662-47989- 6\_37 |
NTT with Arbitrary Polynomial Degrees
MOTIVATION. For lattice-based cryptography, the number theoretic transform (NTT) is an essential operation for efficient multiplication of polynomials. Usually, these polynomials use a power-of-two degree such that the NTT is fully splitting. With arbitrary polynomial degrees however, the NTT is not fully splitting and thus has performance implications [1].
RESEARCH PROBLEM. Your task is to investigate the memory-time tradeoff that non power-of-two degree polynomials have with the NTT. For this, a formula should be derived that allows the application of the NTT to non power-of-two degree polynomials. Additionally, a performance evaluation with code should be performed.
REQUIREMENTS. Basics in number theory, C programming.
CONTACT. If you are interested in this topic, please contact: Johannes Mono (johannes.mono@rub.de).
LITERATURE
| [1] | Chung, Chi-Ming Marvin, et al. "NTT multiplication for NTT-unfriendly rings: New speed records for Saber and NTRU on Cortex-M4 and AVX2." IACR Transactions on Cryptographic Hardware and Embedded Systems (2021): 159-188. |
Microarchitectural Side Channel Attacks and Countermeasures
MOTIVATION. The internal hardware of modern CPUs, i.e., the microarchitecture, has long been considered a trust anchor that works as a foundation for higher level system security. While this assumption has been challenged time and again, only recent attacks including Spectre [1] and Meltdown [2] saw the industry taking this problem seriously. There are many aspects of microarchitectural vulnerabilities, ranging from cache side channel attacks [3] over Rowhammer [4] to speculative execution attacks [5].
RESEARCH PROBLEM. Aiding current research projects at the Chair for Security Engineering, your thesis will review and advance the current state of research. This may include the design and/or evaluation of attacks and countermeasures. In many cases these attacks directly operate on the CPU hardware. Especially for the evaluation of countermeasures, we often use the gem5 simulator [6].
REQUIREMENTS. C/C++ programming skills, basics of x86 assembly, basic understanding of CPU designs (pipeline, caches, etc.)
CONTACT. If you are interested in this field of research, we can discuss potential topics suited to your prior knowledge and interests. If you already have a specific topic in mind, feel free to propose it directly. Please contact Jan Philipp Thoma, jan.thoma@rub.de and include a recent transcript or records.
LITERATURE
| [1] | Kocher, Paul, et al. "Spectre attacks: Exploiting speculative execution." 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019. |
| [2] | Lipp, Moritz, et al. "Meltdown: Reading kernel memory from user space." 27th USENIX Security Symposium (USENIX Security 18). 2018. |
| [3] | Yarom, Yuval, and Katrina Falkner. "{FLUSH+ RELOAD}: A High Resolution, Low Noise, L3 Cache {Side-Channel} Attack." 23rd USENIX security symposium (USENIX security 14). 2014. |
| [4] | Mutlu, Onur, and Jeremie S. Kim. "Rowhammer: A retrospective." IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 39.8 (2019): 1555-1571. |
| [5] | Canella, Claudio, et al. "A systematic evaluation of transient execution attacks and defenses." 28th USENIX Security Symposium (USENIX Security 19). 2019. |
| [6] | Lowe-Power, Jason, et al. "The gem5 simulator: Version 20.0+." arXiv preprint arXiv:2007.03152 (2020). |
Security-Oriented Electronic Design Automation
MOTIVATION. With ever increasing complexity of Integrated Circuits and Electronic Systems, manual design and development processes are becoming more difficult and cumbersome. Instead, designers and developers are assisted by modern and computer-aided Electronic Design Automation (EDA) tools that handle complex and labor-intensive tasks automatically in order to allow rapid and high-quality development of complex ICs. In addition, these tools provide automatic optimization for various metrics, including area, latency, performance, or power and energy consumption to increase efficiency and quality of the final electronic systems. However, security as an optimization aspect is mostly neglected when addressing classical metrics as area and performance. In fact, authenticity, integrity, and confidentiality of modern ICs is becoming more and more important in recent years. However, integration and evaluation of security features still is a manual and downstream process and since many security goals including secure data flow (non-interference), side-channel resistance, fault tolerance, and hardware obfuscation can only be addressed at certain stages of the manufacturing chain, security is often neglected or rejected as it would interrupt tight and efficient manufacturing processes.
RESEARCH PROBLEM. As this is a very broad topic and certainly exceeds the scope of a single thesis, we offer multiple theses with focus on different aspects, including (but not limited to):
- Automated integration of security features
- Formal verification of security properties
- Optimization of security features
- Development of security extensions for (existing) EDA tools
- Secure High-Level Synthesis (HLS)
REQUIREMENTS. Digital logic, hardware design and security, physical attacks and countermeasures, solid programming skills, hardware description languages, formal verification, etc. (depending on the specific thesis topic and tasks).
CONTACT. If you are interested in this field of research, we can discuss potential topics suited to your prior knowledge and interests. If you already have a specific topic in mind, feel free to propose it directly. Please contact Dr.-Ing. Pascal Sasdrich (pascal.sasdrich@rub.de) and include a recent transcript or records.
Low-Noise Microarchitectural Measurement Setup
MOTIVATION. Over the last decade and especially in recent years, security researchers moved their attention to the underlying hardware and found ways to exploit the microarchitecture of contemporary CPUs. It has been shown multiple times that caches can leak information by purposefully manipulating their contents and causing exploitable timing differences. Furthermore, SPECTRE and MELTDOWN showed that oversights in the implementation of speculative execution as well as predictions can have severe security considerations.
RESEARCH PROBLEM. Analyzing new or existing side-channels on the CPU level can become overly tedious when using stock operating systems. A modern operating system runs multiple processes at the same time, schedules cores, manages the memory and reacts to interrupts. This has three major drawbacks: (1) All of these actions cause noise, which must be filtered out. (2) We do not have full control over the system, e.g., we cannot force a specific memory layout. (3) Information about processes, such as memory mappings, are for good reasons, private and can only be accessed via work-arounds.
YOUR TASK. In this work, you will design a bare-metal setup for INTEL/AMD CPUs so that we have full access to the system with minimal noise. The bare-metal program should initialize the system and make it possible for us to send code to it evaluate the results (e.g., register contents). Furthermore, it should be possible to start at least one other logical core, so that we can simulate hyperthreaded environment with two processes/threads running.
REQUIREMENTS. C, Basic x86 Assembly, Knowledge about low-level programming/kernel programming
CONTACT. If you are interested in this topic, please contact: M.Sc. Florian Stolz (florian.stolz@rub.de)
Removing the Dust from Correlation Power Analysis: Innovative Statistical Methods for Secret Key Recovery
MOTIVATION. Correlation Power Analysis (CPA) [1] - as a side-channel-based method for recovering a device's secret - is a long-standing and well-studied attack vector for security-critical applications. Albeit still very effective in many cases, a lot of progress has been made to achieve thorough protection against textbook CPA attacks by applying a variety of different countermeasures.
RESEARCH PROBLEM. Your task is to slip into the role of an malicious adversary and apply new statistical methods to improve existing CPA-based attacks and to compare these methods with the conventional ones. Depending on your background and your experience, the task will be adjusted but will most likely include measurements and attacks on real-world security devices.
REQUIREMENTS. Structured way of working, C/C++ programming
CONTACT. If you are interested in this field of research, we can discuss potential topics suited to your prior knowledge and interests. Please contact David Knichel (david.knichel@rub.de) and include a recent transcript of records.
LITERATURE
| [1] | https://wiki.newae.com/Correlation_Power_Analysis |
Energy/power consumption of cryptographic primitives on a prototype chip (Bachelor)
MOTIVATION. Ever since the introduction of differential power in 1999, the cryptographic hardware community has been looking for countermeasures to protect embedded devices. The benefits as well as difficulties of masking as a countermeasure against side-channel analysis attacks, have been proven through several scientific articles and experimental investigations. Masked implementations can be made efficient towards a cost function like area, latency, or power consumption, and their security can be proven using abstractions such as the probing model.
RESEARCH PROBLEM. Your task is to measure the energy/power consumption of some protected and unprotected cryptographic primitives on a prototype chip. Please have a look at this paper [1].
REQUIREMENTS. Structured way of working, C/C++ programming
CONTACT. If you are interested in this field of research, please contact Aein Rezaei Shahmirzadi (aein.rezaeishahmirzadi@rub.de) and include a recent transcript of records.
LITERATURE
| [1] | https://ieeexplore.ieee.org/iel7/9145512/9154905/09154996.pdf |
Evaluating software masking scheme on lightweight blockcipher PIPO
MOTIVATION. Lightweight blockciphers become increasingly important, especially in industries where speed and code size or area consumption matter. A new lightweight cipher called PIPO [1] was introduced in 2020, promising to be very efficient even in the masked domain. Masking ciphers is crucial as the unprotected versions can easily be broken by a side-channel adversary measuring the power consumption of the physical device. While we gain security, the drawback of masked implementations is the overhead in terms of speed and code size.
RESEARCH PROBLEM. Your task is to implement the bitsliced PIPO cipher with a proper masking scheme [2] on an ARM cortex m0+. Afterward, the power consumption should be measured and evaluated. Besides the security, also a comparison regarding code size and execution time should be performed.
REQUIREMENTS. Structured way of working, C/C++ programming, basics in ARM assembly
CONTACT. If you are interested in this topic, please contact Jannik Zeitschner (jannik.zeitschner@rub.de).
LITERATURE
| [1] | https://link.springer.com/chapter/10.1007/978-3-030-68890-5_6 |
| [2] | https://link.springer.com/chapter/10.1007/978-3-030-89432-0_14 |
Compiler Analysis on Constant-Time
MOTIVATION. The constant-time programming discipline is an effective countermeasure against timing attacks, which pose a serious threat to software systems. Tools for automated verification of constant-time security have been developed for various programming languages. An open problem however is to maintain the security guarantees of the source code during compilation, as studies have shown, that compilers sometimes translate constant-time code into insecure binaries.
RESEARCH PROBLEM. While this problem is generally understood and problematic code patterns have been identified, there has been so far only little research on the exact translation passes, where the compiler introduces leakage. Your task is to identify the compilation passes in the LLVM compiler framework with automated testing using existing constant-time verifiers on the LLVM intermediate language.
REQUIREMENTS. C/C++/Rust programming skills, assembly basics, basic understanding of compilers.
CONTACT. If you are interested in this research topic, please contact Markus Krausz (markus.krausz@rub.de) and include a recent transcript or records.