
IT Security and Cryptography


Prof. Dr.-Ing. Tibor Jager

News

  • Accepted paper at the 14th ACM WORKSHOP ON ARTIFICIAL INTELLIGENCE AND SECURITY
    The paper "Automated Detection of Side Channels in Cryptographic Protocols: DROWN the ROBOTs!" was...
  • 2 Accepted Papers at Asiacrypt 2021
    Two research papers from our chair were accepted to the 27th Annual International Conference on the...
  • PhD Defense: Dr.-Ing. Peter Chvojka
    Dr.-Ing. Peter Chvojka successfully defended his PhD thesis "Time Reveals The Truth - More Efficient...
  • Kai Gellert appointed to a tenured position
    Kai Gellert was appointed to a tenured position (Akademischer Rat) with effect from April 2.
  • Tibor Jager invited to the program committee of the IEEE Security and Privacy 2022 conference
    The IEEE Security and Privacy conference ("Oakland") is the flagship conference of IEEE in IT...

Theses

We offer theses for many topics in the area of IT security and cryptography.

If you are interested in writing a thesis in our group, please contact Tobias Handirk (tobias.handirk{at}uni-wuppertal.de).

Open Topics

  • Practical multi-party computation with Obliv-C (B)
  • How to defend the compress-then-encrypt attacks (M)
  • Security analysis of IM Telegram (M)
  • Security analysis of an Instant Messaging Protocol (B/M)
  • Implementing Time-Lock Encryption using Trusted Execution Environments (B)
  • Implementation and comparison of the JKM PKCS#1 v1.5 Signatures (B/M)
  • Double-Base Chains for Efficient Scalar Multiplications on Elliptic Curves (M)
  • Implementing PSK-only Key Establishment Protocols (B/M)
  • Implementing Cryptography Protocols using Noise (B/M)
  • A study of augmented PAKE (M)
  • SSH as a Partially-Specified Channel (M)
  • Updatable Encryption: Is there a use case? (B)
  • Literature Review; Multi-User ORAM (B)
  • Memory-Tight Key Encapsulation: The case of Hashed El-Gamal (B/M)
  • On the memory-tightness of GCM-based channels (M)
  • Authenticated Denial of Existence in DNSSEC (B)
  • Verifiable Random Functions from Standard Assumptions using Balanced Admissible Hash Functions (B/M)
  • Exploring side channels in CPU architectures (M)
  • TLS in the cloud: Recipe for disaster? (B/M)
  • Parallelised Feature Extraction from Large Network Traces (B/M)
  • Interpretable Machine Learning for Network Trace Analysis (B/M)
  • Fuzzing in the TLS World (B/M)
  • Machine Learning ensembles for Hardware Side Channel Attacks (B/M)
  • Examining blockchains and their suitability as computational reference clocks (B)

A detailed description of the topics can be found below.

Ongoing Theses

  • Isogeny-based Signatures (MA, Jonas von der Heyden)
  • Detection of Timing Side Channels - Extending the AutoSCA Tool (BA, Anastasija Berlinblau)

Finished Theses

2021

  • Explanation of the Briar App (BA, Pascal Jeschke)
  • Length-Hiding Encryption: Implementation and Analysis (BA, Tom Neuschulten)

2020

  • Formalizing Security for Session Resumption Across Hostnames (MA, Tobias Handirk)
  • Instanziierung von Verifiable Random Functions mit Computational Admissible Hash Functions (BA, Robin Stunic)
  • Efficient Point Multiplication on Elliptic Curves (BA, Robin Jaroschek)

Abstracts

Practical multi-party computation with Obliv-C

This topic is about multi-party computation in the real world. Multi-party computation (MPC) makes it possible for multiple distributed parties to jointly compute a program over their secret inputs while keeping those inputs private. Obliv-C is a simple GCC wrapper that makes it easy to embed secure multi-party computation protocols inside regular C programs. This topic is about implementing multi-party protocols with Obliv-C. You can start with programs with very simple functionality and build more complex ones afterwards. You will gain both practical experience and theoretical understanding of MPC from this topic.

How to defend the compress-then-encrypt attacks

Compression is widely used to reduce communication overhead, and encryption is widely used to protect the privacy of the message. However, their combination fails to provide both of these properties at once. The compress-then-encrypt attacks (such as CRIME, BREACH, TIME and HEIST) are able to extract secret information from encrypted messages without any knowledge of the decryption key. This kind of leakage is direct and cannot be prevented even if the encryption is leakage-resilient. It seems that traditional security notions for encryption fail to provide any protection against such attacks. This topic is about exploring countermeasures against such attacks from both theoretical and practical perspectives.

Security analysis of IM Telegram

The goal of this master thesis is to analyze the instant messenger Telegram (https://telegram.org/). A first step is the analysis of the building blocks used. This includes explanations of the cryptographic primitives used as well as their interaction, on a beginner-friendly level. Based on this, the goal of this thesis is to analyze Telegram's group chats. The work of Rösler, Mainka and Schwenk (https://eprint.iacr.org/2017/713.pdf) analysed the group chats of WhatsApp, Signal and Threema. They showed that it was, for example, possible to add users to group chats without the group participants noticing. Your task will be to analyze whether Telegram is vulnerable to similar attacks. This thesis is mostly of a theoretical nature. In case an attack vector is found, it would be possible to test it in practice, depending on the time available. Prior knowledge in the field of cryptography and IT security is helpful, but not necessary. In case of missing prior knowledge in these fields, a corresponding familiarisation has to be expected. The master thesis will be written in English.

Security analysis of an Instant Messaging Protocol

We want to give you the opportunity to analyze an instant messenger of your choice in your thesis. While WhatsApp, Signal etc. have enjoyed a proper security analysis in the past, there are still many IM services available which lack one. Do you know or use one of these services? Then please contact us. Together we will work out the details for a thesis on an instant messenger proposed by you.

Implementing Time-Lock Encryption using Trusted Execution Environment

Time-lock encryption (TLE) is a primitive that allows one to encrypt data for a fixed period of time. After this time has elapsed, the underlying plaintext should be accessible to all. Previous solutions have either required exceptionally high computational effort from the decryptor, in the form of a time-lock puzzle, or have required an always-online trusted third party. The goal of this thesis would be to try to alleviate some of these drawbacks using a Trusted Execution Environment (TEE). Specifically, the student is expected to build a working proof of concept in AMD's SME/SEV or Google's Asylo that matches the extant Intel SGX implementation.

Implementation and comparison of the JKM PKCS#1 v1.5 Signatures

The PKCS#1 v1.5 signature scheme is one of the most widely deployed signature schemes in practice and remains supported to this date due to compatibility issues. However, there was no security proof of the scheme until the result of Jager, Kakvi and May [1]. The proof, however, uses a non-standard variant of the scheme. The task for this thesis is to implement this variant of the scheme and compare its performance to the standard scheme. Ideally, the implementation would use both the Mask Generation

Double-Base Chains for Efficient Scalar Multiplications on Elliptic Curves


Implementing PSK-only Key Establishment Protocols

Many networked devices are unable to use public-key techniques (such as Diffie-Hellman key exchange) to establish keys for secure communication. These devices may be constrained in terms of computational power and/or memory/storage, and at the point of fabrication a pre-shared key (PSK) -- shared with some other device -- is installed. A number of challenges arise, and investigating the interplay between the following issues will be the focus of this project: i) which PSK-based session key establishment procedures are the most secure, and the most efficient? ii) assuming the devices wish to use stateful symmetric encryption, how can the devices reliably and securely share state information? iii) is it possible to provide some notion of weak forward secrecy in the absence of public keys?


Implementing Cryptography Protocols using Noise

The Noise protocol framework (https://noiseprotocol.org/) defines (and specifies strict rules on behavior of) a number of core building blocks for implementing cryptographic protocols. It has seen widespread adoption in a short space of time, and is used in WhatsApp and WireGuard, amongst others. The aim of this project is to use Noise to build a protocol of the student's choice, preferably using one or more of the 'advanced features' in the Noise spec.


A study of augmented PAKE

In Augmented Password-Authenticated Key Exchange (aPAKE), a client and a server interact to agree on a strong cryptographic key using the client's possibly weak input, a password, in such a way that the server stores only a function (hash) of the password and their interaction leaks no information about the key to an eavesdropper. Recent works, including the OPAQUE system (Eurocrypt 2018), are efficient and come with security proofs in supposedly strong models. The candidate will study these schemes to analyze their utility as part of the modern internet authentication infrastructure.
[This can be anything from theoretical (looking at UC) to practical (optimizing OPAQUE)]

SSH as a Partially-Specified Channel

The concept of partially-specified channels (PSCs) was recently introduced by Patton and Shrimpton (CCS 2018) in the context of TLS 1.3. This model allows an adversary to control all aspects of the protocol that are not explicitly named in the specification, giving potentially vast freedom to manipulate protocol behaviour. A candidate for analysis in this model is SSH: the student will first detail SSH in the context of a formal security model, and then apply the PSC technique.


Updatable Encryption: Is there a use case?

Updatable Encryption (UE) allows a client to store encrypted files on a cloud server and to perform key rotation by simply sending a token to the server, which applies a (presumably efficient) function to the ciphertext and the token to obtain a new ciphertext. State-of-the-art schemes are elegant and simple, yet use public-key techniques such as ElGamal encryption to realize UE: are there any use cases in which the ciphertext size and communication cost would be more efficient than the trivial solution of downloading, decrypting, re-encrypting and re-uploading?
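To make the token-based update concrete, here is an added toy example (not the chair's code and not any published scheme) of an ElGamal-style updatable encryption: the client sends a token derived from the old and new key, and the server rewrites and re-randomises the stored ciphertext without ever seeing the plaintext. The group parameters are constructed and far too small to be secure; they only make the algebra visible.

```python
import secrets

# Constructed toy group, insecure and for illustration only: p = 2q + 1 is a safe
# prime and g = 4 generates the subgroup of quadratic residues, which has prime order q.
P, Q, G = 1019, 509, 4


def encode(m: int) -> int:
    """Map an integer message 1 <= m <= q to a quadratic residue modulo p."""
    if not 1 <= m <= Q:
        raise ValueError("message out of range")
    # p = 3 (mod 4), so exactly one of m and p - m is a quadratic residue
    return m if pow(m, Q, P) == 1 else P - m


def decode(x: int) -> int:
    return x if x <= Q else P - x


def keygen() -> int:
    return secrets.randbelow(Q - 1) + 1  # secret key k in [1, q - 1]


def encrypt(k: int, m: int) -> tuple[int, int]:
    """Symmetric ElGamal-style ciphertext (g^r, M * g^(k r))."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), encode(m) * pow(G, r * k, P) % P


def decrypt(k: int, ct: tuple[int, int]) -> int:
    c1, c2 = ct
    return decode(c2 * pow(pow(c1, k, P), -1, P) % P)


def token(k_old: int, k_new: int) -> tuple[int, int]:
    """Client side: the update token is (k_new - k_old mod q, g^k_new).
    Anyone holding both k_old and this token can compute k_new, so the token
    must reach only the server; this is one reason UE security models are subtle."""
    return (k_new - k_old) % Q, pow(G, k_new, P)


def update(tok: tuple[int, int], ct: tuple[int, int]) -> tuple[int, int]:
    """Server side: move the ciphertext to k_new without ever seeing M.
    c2 * c1^delta = M * g^(r k_old) * g^(r (k_new - k_old)) = M * g^(r k_new);
    the extra factor re-randomises r to r + s under the new key."""
    delta, h_new = tok
    c1, c2 = ct
    s = secrets.randbelow(Q)
    c1_new = c1 * pow(G, s, P) % P
    c2_new = c2 * pow(c1, delta, P) * pow(h_new, s, P) % P
    return c1_new, c2_new


def rotation_roundtrip(m: int, rounds: int = 3) -> dict:
    """Encrypt m once, rotate the key `rounds` times using tokens only, and
    report what the current key decrypts; the plaintext never leaves the client."""
    k = keygen()
    ct = encrypt(k, m)
    for _ in range(rounds):
        k_new = keygen()
        ct = update(token(k, k_new), ct)
        k = k_new
    return {"plaintext": m, "decrypted_with_current_key": decrypt(k, ct), "rounds": rounds}


if __name__ == "__main__":
    print(rotation_roundtrip(123))
```

The trivial alternative moves the whole ciphertext down and back up on every rotation, whereas here only a two-element token travels; weighing that saving against the per-ciphertext exponentiations on the server is exactly the trade-off the topic asks about.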


Literature Review; Multi-User ORAM

Oblivious RAM allows a data owner to interact with an untrusted storage medium in such a way that nothing other than the number of accesses is leaked. Recent research has considered multi-user ORAM (MU-ORAM), where multiple data owners share the same storage medium and delegate access among themselves. The candidate will review these recent efforts and summarize the state-of-the-art.


Memory-Tight Key Encapsulation: The Case of Hashed El-Gamal

To deploy cryptographic constructions in practice as efficiently as possible, the choice of the construction's parameters (e.g., the size of the underlying algebraic group) is crucial. As it is nowadays a de-facto standard that a new cryptographic construction C comes along with a proof of security, it is important that these proofs are as precise as possible in order to provide a meaningful aid in choosing the scheme's parameters to achieve a certain level of security. In such a security proof, one usually considers a computational problem P that is assumed to be hard (e.g., factoring products of large primes or the discrete logarithm problem) and transforms an algorithm A trying to break C with respect to some well-defined security model M into an algorithm B trying to solve P. We say that algorithm B is a tight reduction if it uses approximately the same amount of resources as algorithm A does. In cryptographic research, these resources are usually the running time t and the success probability e. However, Auerbach et al. (CRYPTO'17) pointed out that the memory consumption of a reduction is also an important resource. Thus, we call a reduction memory-tight if, in addition, the memory consumption of A and B is about the same. If B used significantly more resources than A, this would imply that one "loses security". Hence, one would need to choose larger parameters than one would need with a tight reduction to compensate for this loss, which in the end implies a less efficient deployment of the construction.

Very recently, two results were published (Ghoshal and Tessaro (EUROCRYPT'20) and Bhattacharyya (PKC'20)), both dealing with the memory-tightness of the Hashed El-Gamal Key Encapsulation Mechanism. Whereas Ghoshal and Tessaro claim that memory-tightness of Hashed El-Gamal is provably impossible, Bhattacharyya gives a memory-tight security proof in the random oracle model for Hashed El-Gamal. The goal of this thesis is to point out the differences between these two results and find out how this paradoxical situation can occur. This topic can be either a bachelor's or a master's thesis. For a bachelor's thesis, we would expect that these results are presented in a consistent form and then compared extensively. For a master's thesis, this can be extended by further analyses. Please note that this is a rather theoretical topic and a familiarisation with provable security and the theoretical foundations of cryptography might be necessary. The thesis can be written in German or English, although we highly recommend writing in English.

On the (Memory-)Tightness of GCM-Based Channels

To deploy cryptographic constructions in practice as efficiently as possible, the choice of the construction's parameters (e.g., the size of the underlying algebraic group) is crucial. As it is nowadays a de-facto standard that a new cryptographic construction C comes along with a proof of security, it is important that these proofs are as precise as possible in order to provide a meaningful aid in choosing the scheme's parameters to achieve a certain level of security. In such a security proof, one usually considers a computational problem P that is assumed to be hard (e.g., factoring products of large primes or the discrete logarithm problem) and transforms an algorithm A trying to break C with respect to some well-defined security model M into an algorithm B trying to solve P. We say that algorithm B is a tight reduction if it uses approximately the same amount of resources as algorithm A does. In cryptographic research, these resources are usually the running time t and the success probability e. However, Auerbach et al. (CRYPTO'17) pointed out that the memory consumption of a reduction is also an important resource. Thus, we call a reduction memory-tight if, in addition, the memory consumption of A and B is about the same. If B used significantly more resources than A, this would imply that one "loses security". Hence, one would need to choose larger parameters than one would need with a tight reduction to compensate for this loss, which in the end implies a less efficient deployment of the construction.

Very recently, Ghoshal, Jaeger, and Tessaro (CRYPTO'20) initiated the study of memory-tight authenticated encryption. They show a number of positive and negative results in this area, one of which shows the possibility of a memory-tight security proof for AES-GCM. AES-GCM is currently the de-facto standard for symmetric encryption and is, e.g., the most used encryption mode in TLS 1.3. In this paper, they also applied their result to a simplified version of the TLS 1.3 record layer channel instantiated with AES-GCM. The goal of this thesis is to revisit their analysis and compare their notion of a channel with previous notions. By comparing it to other notions, it should be investigated how strong this notion actually is. An ideal outcome of this thesis for us would be a (memory-)tight security proof for the TLS 1.3 AES-GCM record layer protocol with a reasonable abstraction of the protocol and a reasonable notion of a channel. We are currently working on the tight security of TLS 1.3 (https://eprint.iacr.org/2020/726), which already proves tight security of the handshake protocol of TLS 1.3. A tight analysis of the record layer, i.e. the channel, in some form would be a great complement.

Please note that this is a very theoretical topic and a background in provable security is more or less mandatory. The thesis should be written in English.

Survey: Authenticated Denial of Existence in DNSSEC and its implications

In recent years, DNSSEC, a suite of specifications that add authenticity and integrity to the DNS standard, has gained more and more traction. Among other goals, the specifications also provide authenticity for negative DNS responses, e.g. when a queried domain does not exist. However, the standardized solutions allow attackers to enumerate all domains in a DNS zone. The goal of this thesis is to survey the different approaches to Authenticated Denial of Existence in DNSSEC and their security with regard to zone enumeration.

Verifiable Random Functions from Standard Assumptions using Balanced Admissible Hash Functions

Verifiable Random Functions (VRFs) can be thought of as the public-key equivalent of Pseudorandom Functions in the sense that the correctness of the output can be publicly verified to be the correct output of the PRF. The goal of this thesis is to improve the proofs of VRFs in the standard model, that is without random oracles and based on standard assumptions. The topic can be extended to additionally apply novel proof techniques.


Exploring side channels in CPU architectures

The repeated discovery of hardware side channels in computer architectures, like Rowhammer, Spectre and Meltdown, demonstrates that cryptographic implementations are vulnerable to attacks even if implemented correctly. The thesis will consist of recreating hardware attacks on current-generation hardware and exploring the impact of countermeasures on attack reliability and overall machine performance.

TLS in the cloud: Recipe for disaster?

TLS has become ubiquitous for the encryption of network traffic. Nowadays, even container-to-container communication inside cloud computing datacenters utilises TLS. This leads to situations where assumptions made in the construction of TLS, particularly client-server communication patterns and machine separation, no longer hold. In this thesis, the use of TLS in cloud contexts should be surveyed and possible attack scenarios violating TLS assumptions developed.

Parallelised Feature Extraction from Large Network Traces

For the use of machine learning (ML), large network traces like .pcap files need to be processed into ML-suitable formats. This feature extraction process can be very time-consuming if the network trace is processed sequentially. Parallelising this process might be possible, but must take the structure of the TCP sessions in the file into account. In the process of exploring this, the constructed prototype will then be deployed to an HPC cluster for evaluation.

Interpretable Machine Learning for Network Trace Analysis

As outlined in a recent preprint, machine learning (ML) promises to be a useful tool in detecting network-level cryptographic side channels. One challenge when using ML, however, is enabling interpretation of its results. Different ML algorithms enable different levels of visualisation, with some being inherently understandable by humans, like decision trees, while deep learning algorithms offer little intuitive understanding. Recent works have advanced this to allow even deep learning to be interpreted. Additionally, the setting of the ML algorithm use, which is network traffic analysis, enables some unique opportunities for visualisation and interpretable ML. This thesis explores these opportunities and analyses their usefulness as software engineer feedback.


Fuzzing in the TLS World

Fuzzing has a long history as a technique for the detection of vulnerabilities and abnormal behaviour in software binaries. Recently, this has been extended to the remote analysis of TLS servers. The aim of this thesis is to provide a survey of relevant works on TLS fuzzing and to highlight gaps where further research might be appropriate. The focus lies on possible applications of machine learning to fuzzing, e.g. when trying to remotely identify software versions.

Machine Learning Ensembles for Hardware Side Channel Attacks

The various Differential Power Analysis (DPA) contests have shown that machine learning (ML) algorithms are very powerful tools for the purpose of analysing power traces. In this type of attack, the aim is to reliably match the measured power consumption to the processed secret key bytes. As observed in the contests, several ML algorithms are well-suited for this task. One possibility for improving the performance even further is relying on a combination of several ML models instead of a single one. The aim of this thesis is to explore this approach using existing DPA datasets, analysing its advantages and possible drawbacks.


Examining blockchains and their suitability as computational reference clocks

Liu et al. proposed the first Time-Lock Encryption scheme (https://eprint.iacr.org/2015/482.pdf), which essentially "locks" a ciphertext for a certain amount of time specified at encryption. To achieve this, they introduced the notion of a computational reference clock, which is a black box that outputs unpredictable values at regular intervals. To realise this, Liu et al. suggest using the Bitcoin blockchain. The intuition is that a new block appears on the blockchain every 10 minutes, so setting a ciphertext to open after n blocks should lock it for 10n minutes. However, it has often been observed that blocks appear both faster and slower than this frequency. The focus of this thesis is to examine how suitable Bitcoin is as a computational reference clock and how close it comes to the purported 10-minute average. Further investigations can be made into other blockchains if desired.
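As an added illustration of the measurement this topic asks for (not code from Liu et al. or the chair), the following treats every run of n consecutive blocks as one lock period and reports how far the real elapsed time strays from the nominal 10n minutes. The block timestamps are constructed, not real chain data; on a real chain one would feed in block header times or node receive times instead.

```python
from statistics import mean, median

BLOCK_TARGET_SEC = 600  # Bitcoin's design target: one block per 10 minutes on average

# Constructed block arrival times in seconds (not real chain data). They average
# exactly one block per 600 s, yet individual gaps range from 45 s to 30 min,
# mimicking the bursty, roughly memoryless arrival of real blocks.
CONSTRUCTED_TIMESTAMPS = [0, 45, 900, 1500, 3300, 3360, 3500, 4600,
                          5200, 6400, 6450, 7400, 7500, 8200, 8400]


def intervals(ts: list[int]) -> list[int]:
    """Gaps between consecutive blocks."""
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def clock_quality(ts: list[int], n: int) -> dict:
    """Compare every window of n consecutive blocks with the nominal 10n minutes.
    ratio = actual / nominal, so ratio < 1 means a ciphertext locked for n blocks
    would have opened early; ratio > 1 means it stayed locked longer than intended."""
    nominal = n * BLOCK_TARGET_SEC
    windows = [ts[i + n] - ts[i] for i in range(len(ts) - n)]
    ratios = [w / nominal for w in windows]
    return {
        "windows": len(ratios),
        "min_ratio": min(ratios),
        "max_ratio": max(ratios),
        "mean_ratio": mean(ratios),
        "opened_early": sum(r < 1 for r in ratios),
    }


if __name__ == "__main__":
    gaps = intervals(CONSTRUCTED_TIMESTAMPS)
    print("mean gap", mean(gaps), "median gap", median(gaps))
    for n in (1, 3, 6):
        print(n, clock_quality(CONSTRUCTED_TIMESTAMPS, n))
```

Note that Bitcoin block header timestamps are chosen by miners and are only loosely constrained by the protocol (they must exceed the median of the previous eleven blocks and may not run more than two hours ahead of network time), so a study of the real chain should state which time source it measures.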