Seminars Winter 2025/2026

In the winter semester, the Chair for Security Engineering offers a seminar for Bachelor's and Master's students.

Depending on the topic, prior knowledge of IT security or cryptography is required.

Registration takes place via the central registration of the Faculty of Computer Science and FlexNow.

The main language of the course is English.

AIM OF THE SEMINAR

The aim of the seminar is to learn scientific writing and presenting, as well as independent work and self-organization. Participants engage with a current research topic in the field of Security Engineering and present it to the plenum at the end of the semester.

DATES WINTER SEMESTER 2025/2026

01.08. - 01.09.2025: Registration via the central registration of the Faculty of Computer Science and FlexNow
15.10.2025: Introductory session (attendance in person is mandatory)
04.11.2025: Submission of the exposé
07.01.2026: Submission of the preliminary final version to the supervisor for correction
27.01.2026: Submission of the final version after incorporating the corrections
10.02.2026 (expected): Presentation day (attendance in person is mandatory)
During the semester: Regular exchange with the supervisor by individual arrangement


TOPICS WINTER SEMESTER 2025/2026

No. / Title / Description / Sources
1 Low Randomness Masking Schemes (Master)
Abstract: Masking schemes are designed to counter side-channel attacks against cryptographic implementations. These schemes rely heavily on random bits, which are drawn from Random Number Generators (RNGs). The latter are costly resources, and as such, ongoing efforts are made to reduce the use of randomness in masking schemes.
Your seminar paper: The aim is to provide an overview of the techniques used to reduce the use of randomness in hardware masking and what the current limitations are [1-4].
Prerequisites: Master student
Sources: [1] [2] [3] [4]
2 Horizontal Side-Channel Attacks
Abstract: Masking schemes are designed to counter side-channel attacks against cryptographic implementations. We prove the security of those masking schemes for a given security model. The most common and abstract one is the d-probing model [2]. However, in [2], the authors show that this security model does not protect against horizontal side-channel attacks. This motivated the use of less abstract security models, like the random probing model [3], which better captures the physical reality of side-channel effects.
Your seminar paper: The aim is thus to present what horizontal side-channel attacks are and how masking schemes that were proven secure in the d-probing model can be attacked.
Sources: [1] [2] [3]
3 INDIANA - Verifying (Random) Probing Security through Indistinguishability Analysis
Abstract: Masking as a countermeasure against side-channel attacks is complex and error-prone to implement, necessitating automated verification methods for the security of masked circuit designs. INDIANA is a formal security evaluation tool that verifies masked circuit security in the threshold d-probing and the random probing models.
Your seminar paper: For this work, your task is to write an extensive summary with the necessary preliminaries and their respective literature.
Sources: [1]
4 Insights to Hardware Security Verification in the Threshold Probing Model
Abstract: Side-channel attacks are a serious threat to the security of cryptographic algorithm implementations. Masking, with its sound theoretical foundations, is the most prominently used and researched countermeasure. Still, implementing masked circuits securely is a complex and error-prone task, which calls for verification methods to evaluate circuit design security before deployment. SILVER relies on Reduced Order Binary Decision Diagrams (ROBDDs) and uses the statistical independence of probability distributions to identify leakage. PROLEAD uses a simulation-based approach to detect leakage, allowing for the verification of larger circuits.
Your seminar paper: For this work, your task is to compare both tools and discuss their respective advantages/disadvantages.
Sources: [1] [2]
5 Side-Channel Leakage Assessment Methodology
Abstract: Side-channel attacks exploit unintended information leakage of cryptographic systems. Effective leakage assessment methodologies, such as the Test Vector Leakage Assessment (TVLA), are critical for assessing these vulnerabilities so that they can be counteracted.
Your seminar paper: This paper should summarize the TVLA methodology and discuss its advantages and weaknesses. A comparison between post-silicon and pre-silicon assessment approaches should be made, discussing their strengths and limitations. Additionally, a further literature review on recent advancements in side-channel leakage assessment techniques should be included.
Prerequisites: Basic understanding of hardware and statistics
Sources: [1] [2]
6 Efficient Hardware Design of the Post-Quantum KEM HQC
Abstract: HQC (Hamming Quasi-Cyclic) is a code-based public key encryption scheme designed to provide security against attacks by both classical and quantum computers. HQC has been selected by NIST for standardization. Hence, efficient hardware implementations of this scheme are required for practical deployment.
Your seminar paper: This paper should provide a summary of how HQC works and the principles behind its key encapsulation mechanism. A comparison of different hardware implementations of HQC should be made, highlighting their efficiency, performance, and practical considerations. The paper should also roughly compare the HQC implementations with the optimizations applied in the BIKE hardware implementations.
Prerequisites: PQC, hardware design
Sources: [1] [2] [3] [4]
7 Compress: Generate Small and Fast Masked Pipelined Circuits
Abstract: Masking is one of the most popular and well-studied countermeasures against side-channel attacks. Gadget-based masking, relying on the construction of secure atomic building blocks (so-called gadgets) and replacing all gates in a circuit with these gadgets, is a common technique for the automated application of masking. Due to the varying number of register stages in different gadgets, automatically masked circuits are often suboptimal in terms of latency (and area), as they introduce many unneeded registers to ensure correct timing behavior. In [1], the authors present COMPRESS, a novel tool that is able to minimize the number of register stages in a circuit while keeping functional correctness and security guarantees, among other optimizations.
Your seminar paper: Your task in this seminar is to give an overview of the different optimization techniques that COMPRESS uses. For this, you should first summarize masking and the different gadgets, before presenting the novel optimization techniques proposed in the paper and their influence on the performance of a design. Finally, you should evaluate the performance of the optimized designs compared to normal, unoptimized designs.
Prerequisites: Digitaltechnik (required), Physical Attacks and Countermeasures (helpful), Kryptographie auf Hardwarebasierten Plattformen (helpful)
Sources: [1]
8 Code-based Masking: From Fields to Bits - Bitsliced Higher-Order Masked SKINNY
Abstract: Masking, especially Boolean masking, is one of the most prevalent and investigated countermeasures against side-channel attacks. A rather new masking approach, namely code-based masking, has the potential to achieve higher security orders than Boolean masking. However, applications of code-based masking have so far been limited to ciphers where the S-box can be efficiently masked over entire words, e.g., the AES S-box, while other S-boxes operating over a bitwise structure cannot be masked using codes. In [1], the authors bridge this gap by proposing masked linear and non-linear circuits that operate over bits of code-based sharings, proving their security and composability. The proposed new masked circuits achieve a higher security level than comparable Boolean masked implementations while also outperforming Boolean masking in terms of randomness and gate count.
Your seminar paper: Your seminar work should give an overview of different established masking techniques, especially Boolean masking, before explaining the novel code-based masking techniques of the paper in more detail. Here, you should present and explain the formal definitions of the proposed gadgets as well as their correctness and security proofs. Finally, you should compare the performance and security results of the presented SKINNY implementation with existing implementations from the academic literature.
Prerequisites: Physical Attacks and Countermeasures (helpful), Provable Security (helpful)
Sources: [1]
9 Spectres are haunting Intel – Mispredictions & Microcode
Abstract: Since their publication in 2018, Spectre-style attacks won't leave CPU manufacturers and users alone. By purposefully mistraining the branch predictor of modern CPUs, it is possible to load normally inaccessible data into the cache. Even though the cached data is not directly readable, a timing side channel can be used to extract it anyway. To remedy the situation without recalling CPUs, Intel issued microcode updates. Simply put, microcode acts as a hidden processor inside the actual CPU and translates machine instructions into actions the underlying hardware can actually understand. Microcode is not hardcoded and can be updated, giving the manufacturer the ability to fix production errata after the fact.
Your seminar paper: In this seminar you will take a closer look at how microcode defenses fail to protect against Spectre [1] and how the microcode implementation itself enables Spectre [2].
Sources: [1] [2]
10 Yet Another Evidence Against Logic Locking: MiG-V
Abstract: MiG-V was hailed as the first German-made RISC-V core with security enhancements, but it has lately been shown that the employed "logic locking" mechanism makes it possible to extract security-sensitive data. Logic locking inserts key gates into a circuit, which only propagate the correct value to other gates if the correct key bits are applied. Even though it has been shown multiple times that various logic locking schemes can be broken, it is still being used.
Your seminar paper: In this seminar you will take a closer look at MiG-V [1] and the associated attack [2].
Sources: [1] [2]
11 Spec-o-Scope
Abstract: Over the last two decades, microarchitectural side channels have been the focus of a large body of research on the development of new attack techniques, exploiting them to attack various classes of targets and designing mitigations. One line of work focuses on increasing the speed of the attacks, achieving higher levels of temporal resolution that can allow attackers to learn finer-grained information. The most recent addition to this line of work is Prime+Scope [CCS '21], which only requires a single access to the L1 cache to confirm the absence of victim activity in a cache set. While significantly faster than prior attacks, Prime+Scope is still an order of magnitude slower than a cache access. In this work, we set out to close this gap. We draw on techniques from research into microarchitectural weird gates, software constructs that exploit transient execution to perform arbitrary computation on cache state. We design the Spec-o-Scope gate, a new weird gate that performs 10 cache probes in quick succession, which forms the basis for our eponymous attack. Our Spec-o-Scope attack achieves an order of magnitude improvement in temporal resolution compared to the previous state-of-the-art of Prime+Scope, reducing the measurement time from ~70 cycles to only 5, only one cycle more than an L1 cache access.
Your seminar paper: Your task is to understand and present the techniques used in this paper to improve the temporal resolution of an attacker. You should also look at related work in this field and compare it to this paper.
Sources: [1]
12 ShowTime
Abstract: Microarchitectural attacks typically rely on precise timing sources to uncover short-lived secret-dependent activity in the processor. In response, many browsers and even CPU vendors restrict access to fine-grained timers. While some attacks are still possible, several state-of-the-art microarchitectural attack vectors are actively hindered or even eliminated by these restrictions. This paper proposes ShowTime, a general framework to expose arbitrary microarchitectural timing channels to coarse-grained timers. ShowTime consists of Convert routines, transforming microarchitectural leakage from one type to another, and Amplify routines, inflating the timing difference of a single microarchitectural event to make it distinguishable with crude sources of time.
Your seminar paper: Your task is to understand and present the techniques employed in this paper for utilising arbitrary microarchitectural timing channels in conjunction with coarse-grained timers. You should also look at related work in this field and compare it to this paper.
Sources: [1]
13 Security Models for Attribute-Based Encryption
Abstract: Attribute-based encryption (ABE) is a powerful primitive which enforces access control on a cryptographic level. As is common today, the security of new schemes is proven theoretically according to some model. These models differ in nature and range from realistic attack scenarios to simplified assumptions that facilitate security proofs. It is therefore necessary to carefully examine the context when a scheme is claimed to be "secure".
Your seminar paper: For your seminar paper you should dive into the security models of (pairing-based) attribute-based encryption. Start by introducing key concepts of ABE and illustrating the scenario in which it can be applied. Further, show the security models used in the literature, e.g., the static- and full-security paradigm, and juxtapose their differences. Finally, discuss how far the models realistically represent practical use cases.
Prerequisites: Background in discrete mathematics and cryptography highly recommended.
Sources: [1]
14 How to Hash into an Elliptic Curve
Abstract: Elliptic curves are a powerful building block for cryptographic schemes, including key exchange, encryption and signatures. Many advanced schemes, such as attribute-based encryption (ABE), require a hash operation, i.e., a mapping from bit-strings to points on the curve. Realizing such a hash function efficiently and securely is non-trivial, but essential to leverage the full potential of ECC in practice.
Your seminar paper: For your seminar paper you should dive into the mathematics of hashing to elliptic curves. To do so, you should first give definitions of elliptic curves and the related concepts. Then, present the internal workings of at least two approaches for realizing hashes to elliptic curves in practice. Discuss their advantages and disadvantages as well as their security features.
Prerequisites: Background in discrete mathematics and cryptography required.
Sources: [1]
15 Glitch-Stopping Circuits: Hardware Secure Masking without Registers
Abstract: Masking is one of the most popular countermeasures to protect implementations against power and electromagnetic side-channel attacks because it offers provable security. Masking has been shown secure against d-threshold probing adversaries by Ishai et al. at CRYPTO'03, but this adversary model does not consider any physical hardware defects, and thus such masking schemes were shown to be still vulnerable when implemented as hardware circuits. To address these limitations, glitch-extended probing adversaries and correspondingly glitch-immune masking schemes have been introduced. This paper introduces glitch-stopping circuits, which coincide with circuits protected via glitch-immune masking when instantiated with registers. Then we show that one can instantiate glitch-stopping circuits without registers by using clocked logic gates or latches.
Your seminar paper: Understand the theoretical foundations of masking and why registers are needed in conventional circuits; introduce and discuss the new glitch-stopping techniques introduced by the authors of [1] and compare them with existing methods; highlight the advantages/disadvantages of their techniques.
Prerequisites: Basic knowledge of digital circuit design (-> "Digitaltechnik" lecture)
Sources: [1]
16 Composable Gadgets with Reused Fresh Masks: First-Order Probing-Secure Hardware Circuits with only 6 Fresh Masks
Abstract: Despite its many benefits, masking cryptographic hardware designs has proven to be a non-trivial and error-prone task, even for experienced engineers. Masked variants of atomic logic gates, like AND or XOR – commonly referred to as gadgets – aim to facilitate the process of masking large circuits by offering free composition while sustaining the overall design's security in the d-probing adversary model. A wide variety of research has already been conducted to (i) find formal properties a gadget must fulfill to guarantee composability and (ii) construct gadgets that fulfill these properties while minimizing overhead requirements. In all existing composition frameworks like NI/SNI/PINI and all corresponding gadget realizations, the security argument relies on the fact that each gadget requires individual fresh randomness. Naturally, this approach leads to very high randomness requirements for the resulting composed circuit. In this work, we present composable gadgets with reused fresh masks (COMAR), allowing the composition of any first-order secure hardware circuit utilizing only 6 fresh masks in total.
Your seminar paper: Familiarize yourself with the different security notions and the theoretical modelling of side-channel security; present the concept of the randomness-optimized COMAR gadgets introduced in [1] in a detailed fashion; highlight the advantages and disadvantages compared to other existing gadget constructions.
Prerequisites: A basic understanding of digital circuits (-> "Digitaltechnik" lecture), affinity for theoretical topics
Sources: [1]
17 Systemization of Knowledge: Secure FPGA Multi-Tenancy in the Cloud
Abstract: In the context of cloud computing, Field Programmable Gate Arrays (FPGAs) have been adopted as specialized hardware accelerators. Since the same hardware device might be shared by multiple tenants simultaneously, a malicious attacker might be able to disrupt another tenant or gather their private data or intellectual property. The paper presents the progress of academic and commercial FPGA multi-tenant resource sharing. It also presents exploits against FPGA sharing and their countermeasures.
Your seminar paper: Give an overview of FPGA sharing models; present exploits on FPGA sharing and their mitigations; FOCUS: compare progress in the academic and commercial field and present open research questions.
Prerequisites: DESIRED INTERESTS: FPGAs, multi-tenant systems, cloud computing, virtualization, IP protection
Sources: [1]
18 Survey: Exploiting JTAG and Its Mitigation in IoT (Master)
Abstract: In the context of embedded devices, JTAG is a commonly used standard for debugging and testing during development and manufacturing. The JTAG interface provides a potential attack vector to maliciously manipulate deployed devices. The paper presents a survey of various attacks and their mitigations.
Your seminar paper: Give an overview of the JTAG standard; present and compare the JTAG exploitations given in the paper; FOCUS: explain the mitigations against JTAG exploitations given in the paper.
Prerequisites: Master student, DESIRED INTERESTS: embedded devices, JTAG, Internet of Things (IoT), firmware exploits, physical attacks, Public Key Cryptography (PKC), challenge response
Sources: [1]
19 IP Security in Cloud Computing: FPGA Bitstream Encryption (Master)
Abstract: Field Programmable Gate Arrays (FPGAs) have been adopted as specialized hardware accelerators in a wide range of applications like cloud computing. The paper addresses the issue of IP (Intellectual Property) theft by creating an encryption scheme for FPGA bitstreams.
Your seminar paper: Give a short overview of FPGA bitstreams; give a short comparison with similar work on the protection of FPGA bitstreams; FOCUS: identify the main ideas of the proposed scheme used in the paper.
Prerequisites: Master student, DESIRED INTERESTS: FPGAs, cloud computing, cryptography (key aggregation)
Sources: [1]
20 MAYO Key Recovery by Fixing Vinegar Seeds
Abstract: As the industry prepares for the transition to post-quantum secure public key cryptographic algorithms, vulnerability analysis of their implementations is gaining importance. A theoretically secure cryptographic algorithm should also be able to withstand the challenges of physical attacks in real-world environments. MAYO is a candidate in the ongoing NIST post-quantum standardization process for selecting additional digital signature schemes.
Your seminar paper: The main resource for this seminar topic demonstrates fault injection attacks on a MAYO implementation, which should be understood, processed and set into context by the student.
Prerequisites: Math and formalism shouldn't be red flags for you.
Sources: [1]
21 MPC-in-the-Head Signatures (Master)
Abstract: Post-quantum signature schemes can be grouped depending on the mathematical problems their security assumptions are based on. One of these groups, which is also represented with several candidates in the ongoing NIST call for additional PQC signature schemes, is the so-called MPC-in-the-Head schemes.
Your seminar paper: You should understand and explain how MPCitH signature schemes work. The seminar paper should also include a discussion of advantages and shortcomings compared to other families of PQC signature algorithms like lattice-based crypto, and an introduction of individual schemes like SDitH and Mirath.
Prerequisites: Strong mathematical background (required), first familiarity with post-quantum cryptography (helpful). Not recommended for Bachelor students.
Sources: [1]

TEMPLATES


QUESTIONS AND CONTACT FOR THE SEMINAR

Please send questions by e-mail to Elisabeth Krahmer (elisabeth.krahmer@rub.de).