IT Security and Cryptography


Prof. Dr.-Ing. Tibor Jager

News

  • PhD Defense: Dr.-Ing. Kai Gellert
    Dr.-Ing. Kai Gellert successfully defended his PhD thesis "Construction and Security Analysis of...
  • Accepted Paper to the Journal of Cryptology
    The research paper "On the Tight Security of TLS 1.3: Theoretically-Sound Cryptographic Parameters...
  • Accepted Paper to the Journal of Cryptology
    The paper "Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange"...
  • Accepted paper to the Computer Journal
    The paper "A Modern View on Forward Security" by Kai Gellert (in collaboration with Colin Boyd from...
  • Accepted paper at ICICS 2020
    The research paper "Client-oblivious OPRAM" by Gareth T. Davies and co-authors Christian Janson (TU...

Theses

We offer theses on a variety of topics in the area of IT security and cryptography.

If you are interested in writing a thesis in our group, please contact Rafael Kurek (kurek{at}uni-wuppertal.de).

Open topics

  • Practical multi-party computation with Obliv-C
  • How to defend the compress-then-encrypt attacks
  • Security analysis of IM Telegram
  • Security analysis of IM Briar
  • Security analysis of an Instant Messaging Protocol
  • Impl. Time-Lock Encryption using Trusted Execution Env.
  • Impl. and comparison of the JKM PKCS#1 v1.5 Signatures
  • Double-Base Chains for Effic. Scalar Multiplications on Elliptic Curves
  • Fixing SNARG construction of Lipmaa
  • Program some complex proof using an existing SNARG library
  • Proving a security of extractable OWE
  • Proving the security of a QA-NIZK-based signature scheme
  • Implementing PSK-only Key Establishment Protocols
  • Implementing Cryptography Protocols using Noise
  • A study of augmented PAKE
  • SSH as a Partially-Specified Channel
  • Updatable Encryption: Is there a use case?
  • Literature Review: Multi-User ORAM
  • PRF Length Reduction & Tightness: Survey and implementation
  • Implementing forward-secure Threshold Schemes
  • Survey Preprocessing: dLog bounds and attacks
  • Memory-Tight Key Encapsulation: The case of Hashed El-Gamal
  • On the memory-tightness of GCM-based channels
  • Authenticated Denial of Existence in DNSSEC
  • Verifiable Random Functions from Standard Assumptions using Balanced Admissible Hash Functions
  • Which Alexa 500 server (still) fails ROBOT?
  • Exploring side channels in CPU architectures
  • TLS in the cloud: Recipe for disaster?

    A more detailed description of each topic can be found below.

Ongoing theses

  • Efficient point multiplication on elliptic curves (BA, Robin Jaroschek)

Completed theses

2020

  • Formalizing Security for Session Resumption Across Hostnames (MA, Tobias Handirk)
  • Instantiation of Verifiable Random Functions with Computational Admissible Hash Functions (BA, Robin Stunic)

Abstracts

***Practical multi-party computation with Obliv-C
This topic is about multi-party computation in the real world. Multi-party computation (MPC) makes it possible for multiple distributed parties to jointly compute a program over their secret inputs while preserving the privacy of those inputs. Obliv-C is a simple GCC wrapper that makes it easy to embed secure multi-party computation protocols inside regular C programs. This topic is about implementing multi-party protocols with Obliv-C. You can start with programs with very simple functionalities and build more complex ones afterwards. You will gain both practical experience and theoretical understanding of MPC from this topic.


***How to defend the compress-then-encrypt attacks
Compression is widely used to reduce communication overhead, and encryption is widely used to protect the privacy of a message. However, their combination fails to provide both of these properties at once. Compress-then-encrypt attacks (such as the CRIME, BREACH, TIME and HEIST attacks) are able to extract secret information from encrypted messages without any knowledge of the decryption key, because the length of the compressed plaintext, and hence of the ciphertext, depends on the secret. This kind of leakage is direct and cannot be prevented even if the encryption is leakage-resilient. It seems that traditional security notions for encryption fail to provide any protection against such attacks. This topic is about exploring countermeasures against such attacks from both a theoretical and a practical perspective.
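As an added example (not part of the original topic description), the following Python snippet makes the length leak measurable for a constructed page and checks the standard countermeasure of keeping the secret out of the compression context that also holds untrusted input; all secrets and page fragments are made up.

```python
import zlib

# Constructed values for this example: two equal-length secrets. A defender
# can vary the secret and check whether the observable length changes;
# if it does, the length carries information about the secret.
SECRETS = ["7f3a9c1e", "q1w2e3r4"]
# Text that an external party can get reflected into the same page
# (the position that CRIME/BREACH-style attacks exploit).
PROBE = "value='7f3a9c1e'"


def compressed_len(data: bytes) -> int:
    """Length after DEFLATE; with length-preserving encryption this is
    exactly the ciphertext length an observer on the wire sees."""
    return len(zlib.compress(data, 9))


def joint_compression(secret: str, reflected: str) -> int:
    """Vulnerable pattern: secret and reflected text share one compression
    context, so reflected text that repeats the secret is encoded as a
    back-reference (shorter output) instead of as literal bytes."""
    body = (f"<form><input name=csrf value='{secret}'></form>\n"
            f"<p>Search results for: {reflected}</p>\n")
    return compressed_len(body.encode())


def separated_compression(secret: str, reflected: str) -> int:
    """Countermeasure: never compress the secret together with untrusted
    text. The secret-bearing part is sent uncompressed, only the untrusted
    part is compressed, and the two lengths are summed."""
    secret_part = f"<form><input name=csrf value='{secret}'></form>\n".encode()
    untrusted = f"<p>Search results for: {reflected}</p>\n".encode()
    return len(secret_part) + compressed_len(untrusted)


def secret_dependence(compress, secrets, reflected) -> int:
    """Spread of observed lengths over equal-length secrets for one fixed
    reflected input. 0 means the length reveals nothing about which secret
    is present; anything larger is a leak."""
    lengths = [compress(s, reflected) for s in secrets]
    return max(lengths) - min(lengths)
```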


***Security analysis of IM Telegram
The goal of this master's thesis is to analyze the instant messenger Telegram (https://telegram.org/). A first step is the analysis of the building blocks it uses.
This includes explanations of the cryptographic primitives used, as well as their interaction, on a beginner-friendly level. Based on this, the goal of this thesis is to analyze Telegram's group chats. The work of Rösler, Mainka and Schwenk (https://eprint.iacr.org/2017/713.pdf) analysed the group chats of WhatsApp, Signal and Threema. They showed, for example, that it was possible to add users to group chats without the group participants noticing. Your task will be to analyze whether Telegram is vulnerable to similar attacks. This thesis is mostly of a theoretical nature.
If an attack vector is found, it would be possible to test it in practice, depending on the time available. Prior knowledge in the field of cryptography and IT security is helpful, but not necessary. In case of missing prior knowledge in these fields, a corresponding familiarisation period should be expected. The master's thesis will be written in English.


***Security analysis of IM Briar
The goal of this bachelor's thesis is to analyze the instant messenger Briar (https://briarproject.org/).
Tasks include the analysis of the protocols used as well as presenting the building blocks in a beginner-friendly manner (https://code.briarproject.org/briar/briar/wikis/home).
A distinctive feature of Briar is its support for offline chats via Wi-Fi or Bluetooth.
Depending on prior knowledge and the course of the thesis, an experimental analysis of the offline chats is possible. The specific tasks and goals of the thesis will be formulated together with the advisor. This way you have the opportunity to customize the thesis to fit your interests.
Prior knowledge in the field of cryptography and IT security is helpful, but not necessary.
In case of missing prior knowledge in these fields, a corresponding familiarisation period should be expected. The thesis can be written either in English or in German.


***Security analysis of an Instant Messaging Protocol
We want to give you the opportunity to analyze an instant messenger of your choice in your thesis. While WhatsApp, Signal etc. have enjoyed a proper security analysis in the past, there are still many IM services available that lack one. Do you know or use one of these services? Then please contact us. Together we will work out the details for a thesis on an instant messenger proposed by you.


***Impl. Time-Lock Encryption using Trusted Execution Env.
Time-lock encryption (TLE) is a primitive that allows one to encrypt data for a fixed period of time. After this time has elapsed, the underlying plaintext should be accessible to all. Previous solutions have either required exceptionally high computational effort from the decryptor, in the form of a time-lock puzzle, or have required an always-online trusted third party. The goal of this thesis would be to try to alleviate some of these drawbacks using a Trusted Execution Environment (TEE). Specifically, the student is expected to build a working proof of concept in AMD's SME/SEV or Google's Asylo that matches the existing Intel SGX implementation.


***Impl. and comparison of the JKM PKCS#1 v1.5 Signatures
The PKCS#1 v1.5 signature scheme is one of the most widely deployed signature schemes in practice and remains supported to this date due to compatibility issues. However, there was no security proof of the scheme until the result of Jager, Kakvi and May [1]. The proof, however, uses a non-standard variant of the scheme. The task for this thesis is to implement this variant of the scheme and compare its performance to the standard scheme. Ideally, the implementation would use both the Mask Generation


***Double-Base Chains for Effic. Scalar Multiplications on Elliptic Curves


***Fixing SNARG construction of Lipmaa
Efficiently proving membership of an instance x in an NP language L is one of the central topics of cryptography. Protocols designed for this purpose are called proof systems.
For practical applications it is important that these proof systems fulfil certain security guarantees (soundness, zero knowledge) and efficiency requirements (low communication complexity, non-interaction, succinctness). (Zero-Knowledge) Succinct Non-Interactive Arguments, or (zk)SNARGs for short, are among the practically implementable proof systems. The main task of this thesis would be to study one concrete SNARG construction, explain its ideas in detail, and fix the construction and its security proof.


***Program some complex proof using an existing SNARG library
Efficiently proving membership of an instance x in an NP language L is one of the central topics of cryptography. Protocols designed for this purpose are called proof systems.
For practical applications it is important that these proof systems fulfil certain security guarantees (soundness, zero knowledge) and efficiency requirements (low communication complexity, non-interaction, succinctness).
(Zero-Knowledge) Succinct Non-Interactive Arguments, or (zk)SNARGs for short, are among the practically implementable proof systems. There exist several libraries that enable us to implement efficient proofs for a given language L. In this thesis the student should choose one or several such libraries and implement a proof system for some non-trivial language L (for example, proving that two ciphertexts encrypt the same message m).


***Proving a security of extractable OWE
Witness encryption (WE) allows us to encrypt a message m under some instance x of an NP language L. Everyone who knows a witness w proving the membership of x in L is able to decrypt the ciphertext. This novel type of encryption scheme has a plethora of applications.
One interesting variant of WE is offline witness encryption (OWE), which has an additional setup algorithm. The first OWE construction combines the Naor-Yung paradigm with indistinguishability obfuscation (iO). The purpose of the thesis is to obtain extractable OWE, which enables us to extract a valid witness w in some cases.


***Proving the security of a QA-NIZK-based signature scheme
The thesis should discuss applications of Quasi-Adaptive Non-Interactive Zero-Knowledge Proofs (QA-NIZKs), which are used as more efficient proof systems in various scenarios. The paper "Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces" describes one such application, however without a detailed security proof. Later in the paper, a construction is described for the case where we are given a simulation-sound NIZK and a CPA-secure encryption scheme, but again only a rough idea of the proof is given. In the thesis both proofs should be explained in detail.


***Implementing PSK-only Key Establishment Protocols
Many networked devices are unable to use public-key techniques (such as Diffie-Hellman key exchange) to establish keys for secure communication. These devices may be constrained in terms of computational power and/or memory/storage, and at the point of fabrication a pre-shared key (PSK) -- shared with some other device -- is installed. A number of challenges arise, and investigating the interplay between the following issues will be the focus of this project: i) which PSK-based session key establishment procedures are the most secure, and the most efficient? ii) assuming the devices wish to use stateful symmetric encryption, how can the devices reliably and securely share state information? iii) is it possible to provide some notion of weak forward secrecy in the absence of public keys?


***Implementing Cryptography Protocols using Noise
The Noise protocol framework (https://noiseprotocol.org/) defines (and specifies strict rules on behavior of) a number of core building blocks for implementing cryptographic protocols. It has seen widespread adoption in a short space of time, and is used in WhatsApp and WireGuard, amongst others. The aim of this project is to use Noise to build a protocol of the student's choice, preferably using one or more of the 'advanced features' in the Noise spec.


***A study of augmented PAKE
In Augmented Password-Authenticated Key Exchange (aPAKE), a client and a server interact to agree on a strong cryptographic key using the client's possibly weak input, a password, in such a way that the server stores only a function (hash) of the password and their interaction leaks no information about the key to an eavesdropper. Recent works, including the OPAQUE system (Eurocrypt 2018), are efficient and come with security proofs in supposedly strong models. The candidate will study these schemes to analyze their utility as part of the modern internet authentication infrastructure.
[This can be anything from theoretical (looking at UC) to practical (optimizing OPAQUE)]


***SSH as a Partially-Specified Channel
The concept of partially-specified channels (PSCs) was recently introduced by Patton and Shrimpton (CCS 2018) in the context of TLS 1.3. This model allows an adversary to control all aspects of the protocol that are not explicitly named in the specification, giving potentially vast freedom to manipulate protocol behaviour. A candidate for analysis in this model is SSH: the student will first detail SSH in the context of a formal security model, and then apply the PSC technique.


***Updatable Encryption: Is there a use case?
Updatable Encryption (UE) allows a client to store encrypted files on a cloud server and to perform key rotation by simply sending a token to the server, which applies a (presumably efficient) function of the ciphertext and the token to obtain a new ciphertext. State-of-the-art schemes are elegant and simple, yet use public-key techniques such as ElGamal encryption to realize UE: are there any use cases in which the ciphertext size and communication cost would be more efficient than the trivial solution of downloading, decrypting, re-encrypting and re-uploading?
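An added toy illustration of the ElGamal-style rotation described above (not a scheme from the literature and not the group's code): the server re-keys and re-randomizes a stored ciphertext from a short token without learning plaintexts or epoch keys, and the last function compares the bytes moved for a rotation against the trivial download/re-upload approach. The group parameters are deliberately tiny and not secure.

```python
import secrets

# Toy ElGamal-style updatable encryption (illustration only, not secure):
# the client keeps one key per epoch; the server holds ciphertexts and
# re-keys them with a token that contains no epoch key.

def _is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def safe_prime(start=5000):
    """Smallest safe prime p = 2q + 1 with q >= start (toy size)."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1

P = safe_prime()
Q = (P - 1) // 2      # prime order of the quadratic-residue subgroup
G = 4                 # a square, hence a generator of that subgroup

def encode(m):
    """Map 1 <= m <= Q into the subgroup as m^2 (injective on that range)."""
    assert 1 <= m <= Q
    return pow(m, 2, P)

def decode(x):
    r = pow(x, (P + 1) // 4, P)      # square root; valid since P = 3 mod 4
    return r if r <= Q else P - r

def keygen():
    return secrets.randbelow(Q - 1) + 1

def encrypt(k, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), encode(m) * pow(G, k * r % Q, P) % P

def decrypt(k, c):
    c1, c2 = c
    shared = pow(c1, k, P)
    return decode(c2 * pow(shared, P - 2, P) % P)

def token(k_old, k_new):
    """Client's rotation token: (k_new - k_old mod Q, g^k_new).
    The difference alone reveals neither epoch key."""
    return (k_new - k_old) % Q, pow(G, k_new, P)

def update(tok, c):
    """Server-side re-keying plus re-randomization, no epoch key needed:
    c2 * c1^delta * pk_new^s = m * g^(k_new*(r+s)),  c1 * g^s = g^(r+s)."""
    delta, pk_new = tok
    c1, c2 = c
    s = secrets.randbelow(Q - 1) + 1
    return c1 * pow(G, s, P) % P, c2 * pow(c1, delta, P) * pow(pk_new, s, P) % P

def rotation_cost_bytes(n_files):
    """Bytes moved to rotate n_files ciphertexts: (UE token, trivial
    download-decrypt-re-encrypt-upload). The token cost is flat."""
    elem = (P.bit_length() + 7) // 8
    return 2 * elem, 2 * n_files * 2 * elem
```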


***Literature Review: Multi-User ORAM
Oblivious RAM allows a data owner to interact with an untrusted storage medium in such a way that nothing other than the number of accesses is leaked. Recent research has considered multi-user ORAM (MU-ORAM), where multiple data owners share the same storage medium and delegate access among themselves. The candidate will review these recent efforts and summarize the state-of-the-art.


***PRF Length Reduction & Tightness: Survey and implementation
The goal of this thesis is to compare the efficiency of several techniques regarding length reduction and tightness in PRFs. After a formal analysis some of these techniques should be implemented and compared in practice.


***Implementing forward-secure Threshold Schemes
Forward-secure threshold schemes are a useful tool to mitigate the damage due to secret key exposure. The goal of this thesis is to implement FST schemes with different parameters and to compare their efficiency.


***Survey Preprocessing: dLog bounds and attacks
Preprocessing gives a realistic view on cryptanalysis in practice. The goal of this thesis is to write a survey about lower bounds and attacks based on the discrete logarithm problem.


***Memory-Tight Key Encapsulation: The Case of Hashed El-Gamal
To deploy cryptographic constructions in practice as efficiently as possible, the choice of the construction's parameters (e.g., the size of the underlying algebraic group) is crucial. As it is nowadays a de-facto standard that a new cryptographic construction C comes along with a proof of security, it is important that these proofs are as precise as possible to provide a meaningful aid in choosing the scheme's parameters to achieve a certain level of security. In such a security proof, one usually considers a computational problem P that is assumed to be hard (e.g., factoring large integers or the discrete logarithm problem) and transforms an algorithm A trying to break C with respect to some well-defined security model M into an algorithm B trying to solve P. We say that algorithm B is a tight reduction if it uses approximately the same amount of resources as algorithm A does. In cryptographic research, these resources are usually running time t and success probability ε. However, Auerbach et al. (CRYPTO'17) pointed out that the memory consumption of a reduction is also an important resource. Thus, we call a reduction memory-tight if in addition the memory consumption of A and B is about the same. If B used significantly more resources than A, this would imply that one "loses security". Hence, one would need to choose larger parameters than one would need with a tight reduction to compensate for this loss, which in the end implies a less efficient deployment of the construction.

Very recently, two results were published (Ghoshal and Tessaro (EUROCRYPT'20) and Bhattacharyya (PKC'20)), both dealing with the memory-tightness of the Hashed El-Gamal Key Encapsulation Mechanism. Whereas Ghoshal and Tessaro claim that memory-tightness of Hashed El-Gamal is provably impossible, Bhattacharyya gives a memory-tight security proof in the random oracle model for Hashed El-Gamal. The goal of this thesis is to point out the differences between these two results and find out how this paradoxical situation can occur. This topic can be either a bachelor's or a master's thesis. For a bachelor's thesis, we would expect that these results are presented in a consistent form and then compared extensively. For a master's thesis, this can be extended by further analyses. Please note that this is a rather theoretical topic and a familiarisation with provable security and the theoretical foundations of cryptography might be necessary. The thesis can be written in German or English, although we highly recommend writing in English.


***On the (Memory-)Tightness of GCM-Based Channels
The background on tight and memory-tight reductions is the same as described in the previous topic (Memory-Tight Key Encapsulation: The Case of Hashed El-Gamal).

Very recently, Ghoshal, Jaeger, and Tessaro (CRYPTO'20) initiated the study of memory-tight authenticated encryption. They show a number of positive and negative results in this area, one of which shows the possibility of a memory-tight security proof for AES-GCM. AES-GCM is currently the de-facto standard for symmetric encryption and is, e.g., the most used encryption mode in TLS 1.3. In this paper, they also applied their result to a simplified version of the TLS 1.3 record layer channel instantiated with AES-GCM. The goal of this thesis is to revisit their analysis and compare their notion of a channel with previous notions. By comparing it to other notions, it should be investigated how strong this notion actually is. An ideal outcome of this thesis for us would be a (memory-)tight security proof for the TLS 1.3 AES-GCM record layer protocol with a reasonable abstraction of the protocol and a reasonable notion of a channel. We are currently working on the tight security of TLS 1.3 (https://eprint.iacr.org/2020/726), which already proves tight security of the TLS 1.3 handshake protocol. A tight analysis of the record layer, i.e., the channel, in some form would be a great complement.
Please note that this is a very theoretical topic and a background in provable security is more or less mandatory. The thesis should be written in English.


***Survey: Authenticated Denial of Existence in DNSSEC and its implications
In recent years DNSSEC, a suite of specifications that add authenticity and integrity to the DNS standard, has gained more and more traction. Among other goals, the specifications also provide authenticity for negative DNS responses, e.g., when a queried domain does not exist. However, the standardized solutions allow attackers to enumerate all domains in a DNS zone, since the records that prove the absence of a name reveal the existing neighbouring names. The goal of this thesis is to survey the different approaches to Authenticated Denial of Existence in DNSSEC and their security with regard to zone enumeration.
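An added example over a constructed toy zone (names are made up; not real DNS data or DNS software): the record an NSEC chain returns to deny a name exposes two real owner names in clear text, whereas the NSEC3 variant (RFC 5155 owner-name hashing, as re-implemented here) exposes only hashed names.

```python
import base64
import hashlib

# Constructed toy zone; the names are made up for this example.
NAMES = ["example.test.", "www.example.test.", "mail.example.test.",
         "ftp.example.test."]

def canonical_key(name):
    """DNSSEC canonical ordering (RFC 4034): labels compared right to left,
    case-insensitively, with a parent sorting before its children."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def denial_chain(items, key=lambda x: x):
    """Sorted circular chain of (owner, next) pairs; the last owner points
    back to the first, exactly as NSEC/NSEC3 chains do."""
    ordered = sorted(items, key=key)
    n = len(ordered)
    return [(ordered[i], ordered[(i + 1) % n]) for i in range(n)]

def covering(chain, q, key=lambda x: x):
    """The record proving q is absent: owner < q < next, or the wrap-around
    record when q sorts after the last owner. None if q exists."""
    kq = key(q)
    for owner, nxt in chain:
        ko, kn = key(owner), key(nxt)
        if kq == ko:
            return None
        if ko < kq < kn or (kn <= ko and (kq > ko or kq < kn)):
            return owner, nxt
    return None

def wire_name(name):
    """Uncompressed wire format of a lowercased owner name."""
    out = b"".join(bytes([len(lab)]) + lab.encode()
                   for lab in name.lower().rstrip(".").split("."))
    return out + b"\x00"

# Base32hex (RFC 4648) keeps string order equal to numeric hash order.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 owner-name hash: SHA-1(name || salt), iterated, Base32hex."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32HEX).decode()

def nsec_denial(qname):
    """NSEC: the covering record names two real owners in clear text."""
    return covering(denial_chain(NAMES, canonical_key), qname, canonical_key)

def nsec3_denial(qname, salt=b"\xaa\xbb", iterations=10):
    """NSEC3: the covering record only shows two hashed owner names."""
    hashed = [nsec3_hash(n, salt, iterations) for n in NAMES]
    return covering(denial_chain(hashed), nsec3_hash(qname, salt, iterations))
```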


***Verifiable Random Functions from Standard Assumptions using Balanced Admissible Hash Functions
Verifiable Random Functions (VRFs) can be thought of as the public-key equivalent of Pseudorandom Functions (PRFs), in the sense that an output can be publicly verified to be the correct output of the function. The goal of this thesis is to improve the proofs of VRFs in the standard model, that is, without random oracles and based on standard assumptions. The topic can be extended to additionally apply novel proof techniques.


***Which Alexa 500 server (still) fails ROBOT?
***Exploring side channels in CPU architectures
***TLS in the cloud: Recipe for disaster?