IT Security and Cryptography
Prof. Dr.Ing. Tibor Jager
Suche
News

Accepted Paper to the Journal of Cryptology
The research paper "Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0RTT"... [more] 
GDD Science Award for Kai Gellert
Dr.Ing. Kai Gellert was awarded this year's science award from the Society for Data Protection and... [more] 
Tibor Jager joins the program committee of ESORICS 2021
ESORICS 2021 is the 26th European Symposium on Research in Computer Security. [more] 
PhD Defense: Dr.Ing. Rafael Kurek
Dr.Ing. Rafael Kurek successfully defended his PhD thesis "Effcient Cryptographic Constructions... [more] 
Keynote talk on TLS 1.3 and RealWorld Crypto at ISC 2020
On December 16, 2020, Tibor Jager gave a keynote talk on "RealWorld Cryptography from an Academic... [more]
Theses
We offer theses for many topics in the area of ITsecurity and cryptography.
If you are interested in writing a thesis in our group, please contact Tobias Handirk (tobias.handirk{at}uniwuppertal.de).
Open Topics
 Practical multiparty computation with OblivC (B)
 How to defend the compressthenencrypt attacks (M)
 Security analysis of IM Telegram (M)
 Security analysis of IM Briar (B/M)
 Security analysis of an Instant Messaging Protocol (B/M)
 Implementing TimeLock Encryption using Trusted Execution Environments (B)
 Implementation and comparison of the JKM PKCS#1 v1.5 Signatures (B/M)
 DoubleBase Chains for Efficient Scalar Multiplications on Elliptic Curves (M)
 Fixing SNARG construction of Lipmaa (M)
 Program some complex proof using an existing SNARG library (B)
 Proving the security of extractable OWE (B/M)
 Proving the security of a QANIZK based a signature scheme (M)
 Implementing PSKonly Key Establishment Protocols (B/M)
 Implementing Cryptography Protocols using Noise (B/M)
 A study of augmented PAKE (M)
 SSH as a PartiallySpecified Channel (M)
 Updatable Encryption: Is there a use case? (B)
 Literature Review; MultiUser ORAM (B)
 PRF Length Reduction & Tightness: Survey and implementation (B)
 Implementing forwardsecure Threshold Schemes (B)
 Survey Preprocessing: dLog bounds and attacks (M)
 MemoryTight Key Encapsulation: The case of Hashed ElGamal (B/M)
 On the memorytightness of GCMbased channels (M)
 Authenticated Denial of Existence in DNSSEC (B)
 Verifiable Random Functions from Standard Assumptions using Balanced Admissible Hash Functions (B/M)
 Which Alexa 500 server (still) fails ROBOT? (B)
 Exploring side channels in CPU architectures (M)
 TLS in the cloud: Recipe for disaster? (B/M)
A detailed description of the topics can be found below.
Ongoing Theses
none
Finished Theses
2020
 Formalizing Security for Session Resumption Across Hostnames (MA, Tobias Handirk)
 Instanziierung von Verifiable Random Functions mit Computational Admissible Hash Functions (BA, Robin Stunic)
 Efficient Point Multiplication on Elliptic Curves (BA, Robin Jaroschek)
Abstracts
Practical multiparty computation with OblivC
This topic is about multiparty computation in the real world. Multiparty computation (MPC) makes it possible for multiple distributed parties to jointly compute a program over their secret inputs while keeping the privacy of their inputs. OblivC is a simple GCC wrapper that makes it easy to embed secure multiparty computation protocols inside regular C programs. This topic is about implementing multiparty protocol with OblivC. You can start with programs with very simple functionalities and build more complex ones afterwards. You will gain both practical experience and theoretical understanding about MPC from this topic.
How to defend the compressthenencrypt attacks
Compression is widely used to reduce the communication overhead and encryption is widely used to protect the privacy of the message. However, their combination fails to provide both of these two good properties. The compressthenencrypt attacks (such as CRIME, BREACH, TIME and HEIST attacks) are able to steal secret information from encrypted messages without any knowledge of the decryption key. This kind of leakage is direct and can not be prevented even if the encryption is leakageresilient. It seems that traditional securities for encryption fail to provide any protection against such attacks. This topic is about exploring countermeasures for such attacks from both theoretical and practice perspectives.
Security analysis of IM Telegram
The goal of this master thesis is to analyze the instant messenger Telegram (https://telegram.org/). A first step is the analysis of the used building blocks. This includes explanations for the used cryptographic primitives as well as their interaction on a beginner friendly level. Based on this, the goal of this thesis is to analyze Telegram's group chats. The work of Rösler, Mainka and Schwenk (https://eprint.iacr.org/2017/713.pdf) analysed the group chats of Whatsapp, Signal and Threema. They showed that it was for example possible to add users to group chats, without the group participants noticing. Your task will be to analyze if Telegram is vulnerable to similar attacks. This thesis is mostly of theoretical nature. In case an attack vector would be found, it would be possible to test these in practice, depending on the time available. Prior knowledge in the field of cryptography and ITsecurity is helpful, but not necessary. In case of missing prior knowledge in these fields, a corresponding familiarisation has to be expected. The master thesis will be written in englisch.
Security analysis of IM Briar
The goal of this bachelor is to analyze the instant messenger Briar (https://briarproject.org/). Tasks include the analysis of the used protocols as well as presenting the used building blocks in a beginner friendly manner (https://code.briarproject.org/briar/briar/wikis/home). A distinct feature of Briar is the support of offline chats via wifi or bluetooth. Depending on prior knowledge und the course of the thesis, an experimental analysis of the offline chats is possible. The specific tasks and goals of the thesis will be formulated together with the advisor. This way you have the opportunity to customize the thesis to fit your interests. Prior knowledge in the field of cryptography and ITsecurity is helpful, but not necessary. In case of missing prior knowledge in these fields, a corresponding familiarisation has to be expected.The thesis can be written either in english or german.
Security analysis of an Instant Messaging Protocol
We want to give you the opportunity to analyze an instant messenger of your choice in your thesis. While Whatsapp, Signal etc. enjoyed a propper security analysis in the past, there are still many IM services available which lack a security analysis. Do you know or use one of these services? Then please contact us. Together we will work out the details for a thesis on an instant messenger proposed by you.
Implementing TimeLock Encryption using Trusted Execution Environment
TimeLock encryption (TLE) is a primitive that allows one to encrypt data for a fixed period of time. After this time has elapsed, the underlying plaintext should be accessible to all. Previous solutions have either required exceptionally high computational effort from the decryptor, in the form of a time lock puzzle, or has required an always online Trusted Third Party. The goal of this thesis would be to try and alleviate some these drawbacks using a Trusted Execution Environment (TEE). Specifically, the student is expected to build a working proof of concept in AMD’s SME/SEV or Google’s Asylo that matches the extant Intel SGX implantation.
Implementation and comparison of the JKM PKCS#1 v1.5 Signatures
The PKCS#1 v1.5 signature scheme is one of the most widely deployed signature schemes in practice and remains supported to this date due to compatability issues. However, there was no security proof of the scheme until the result of Jager, Kakvi and May [1]. The proof however, uses a nonstandard variant of the scheme. The task for this thesis is to implement this variant of the scheme and compare the performance to the standard scheme. Ideally, the implementation would use both the Mask Generation
DoubleBase Chains for Efficient Scalar Multiplications on Elliptic Curves
Fixing SNARG construction of Lipmaa
Efficiently proving a membership of some instance x in an NP language L is one of the central topics of cryptography. Protocols which are designed for this purpose are called proof systems.
For practical applications it is important that these proof systems fulfil some security guarantees (soundness, zero knowledge) and efficiency requirements (low communication complexity  noninteraction, succinctness). (Zero Knowledge) Succinct NonInteractive Arguments or shortly (zk)SNARGs are one of the practically implementable proof systems. The main task of this thesis would be to study one concrete SNARG construction, explain the ideas in detail, fix the construction and the security proof.
Program some complex proof using an existing SNARG library
Efficiently proving a membership of some instance x in a NP language L is one of the central topics of cryptography. Protocols which are designed for this purpose are called proof systems.
For practical applications it is important that these proof systems fulfils some security guarantees (soundness, zero knowledge) and efficiency requirements (low communication complexity  noninteraction, succinctness).
(Zero Knowledge) Succinct NonInteractive Arguments or shortly (zk)SNARGs are one of the practically implementable proof systems. There exists several libraries which enable us to implement an efficient proofs for given language L. In the thesis a student should choose one or several such a libraries and implement such a proof system for some nontrivial language L (for example proving that two ciphertexts encrypt the same message m.)
Proving the security of extractable OWE
Witness encryption (WE) allow us to encrypt a message m using some instance x of a NP language L. Everyone who knows a witness w, proving the membership of x in L, is able to decrypt a ciphertext. This novel type of encryption scheme has plethora applications.
One interesting variant of WE is offline witness encryption (OWE) which has additional setup algorithm. The first OWE construction combines NoarYung paradigm with indistinguishability obfuscation (iO). The purpose of the thesis is to obtain extractable OWE, which enables us to extract a valid witness w in some cases.
Proving the security of a QANIZK based a signature scheme
The thesis should discuss applications of QuasiAdaptive NonInteractive Zero Knowledge Proofs (QANIZKs), which are used as more efficient proof systems in various scenarios. In the paper “Shorter QuasiAdaptive NIZK Proofs for Linear Subspaces” is described one such an application, however, without detailed security proof. Later in the paper is described a construction when we are given simulation sound NIZK and CPA secure encryption, but again only rough idea of the proof is given. In the thesis both proofs should be explained in details.
Implementing PSKonly Key Establishment Protocols
Many networked devices are unable to use publickey techniques (such as DiffieHellman key exchange) to establish keys for secure communication. These devices may be constrained in terms of computational power and/or memory/storage, and at the point of fabrication a preshared key (PSK)  shared with some other device  is installed. A number of challenges arise, and investigating the interplay between the following issues will be the focus of this project: i) which PSKbased session key establishment procedures are the most secure, and the most efficient? ii) assuming the devices wish to use stateful symmetric encryption, how can the devices reliably and securely share state information? iii) is it possible to provide some notion of weak forward secrecy in the absence of public keys?
Implementing Cryptography Protocols using Noise
The Noise protocol framework (https://noiseprotocol.org/) defines (and specifies strict rules on behavior of) a number of core building blocks for implementing cryptographic protocols. It has seen widespread adoption in a short space of time, and is used in WhatsApp and WireGuard, amongst others. The aim of this project is to use Noise to build a protocol of the student's choice, preferably using one or more of the 'advanced features' in the Noise spec.
A study of augmented PAKE
In Augmented PasswordAuthenticated Key Exchange (aPAKE), a client and a server interact to agree a strong cryptographic key using the client's possiblyweak input, a password, in such a way that the server stores a function (hash) of the password and their interaction leaks no information about the key to an eavesdropper. Recent works, including the OPAQUE system (Eurocrypt 2018), are efficient and come with security proofs in supposedstrong models. The candidate will study these schemes to analyze their utility as part of the modern internet authentication infrastructure. [This can be anything from theoretical (looking at UC) to practical (optimizing OPAQUE)]
SSH as a PartiallySpecified Channel
The concept of partiallyspecified channels (PSCs) was recently introduced by Patton and Shrimpton (CCS 2018) in the context of TLS 1.3. This model allows an adversary to control all aspects of the protocol that are not explicitly named in the specification, giving potentially vast freedom to manipulate protocol behaviour. A candidate for analysis in this model is SSH: the student will first detail SSH in the context of a formal security model, and then apply the PSC technique.
Updatable Encryption: Is there a use case?
Updatable Encryption (UE) allows a client to store encrypted files on a cloud server, and to perform key rotation simply send a token to the server, who applies a (presumably efficient) function of the ciphertext and token to get a new ciphertext. Stateoftheart schemes are elegant and simple, yet use publickey techniques such as ElGamal encryption to realize UE: are there any use cases such that the ciphertext size and communication cost would be more efficient than the trivial solution of downloading, decrypting, encrypting and reuploading?
Literature Review; MultiUser ORAM
Oblivious RAM allows a data owner to interact with an untrusted storage medium in such a way that nothing other than the number of accesses is leaked. Recent research has considered multiuser ORAM (MUORAM), where multiple data owners share the same storage medium and delegate access among themselves. The candidate will review these recent efforts and summarize the stateoftheart.
PRF Length Reduction & Tightness: Survey and implementation
The goal of this thesis is to compare the efficiency of several techniques regarding length reduction and tightness in PRFs. After a formal analysis some of these techniques should be implemented and compared in practice.
Implementing forwardsecure Threshold Schemes
Forwardsecure threshold schemes are a useful tool to mitigate the damage due to secret key exposure. The goal of this thesis is to implement FST schemes with different parameters and to compare their efficiency.
Survey Preprocessing: dLog bounds and attacks
Preprocessing gives a realistic view on cryptanalysis in practice. The goal of this thesis is to write a survey about lower bounds and attacks based on the discrete logarithm problem.
MemoryTight Key Encapsulation: The Case of Hashed ElGamal
To deploy cryptographic constructions in practice as efficiently as possible, the choice of the construction's parameters (e.g., the size of the underlying algebraic group) is crucial. As it nowadays is a defacto standard that a new cryptographic construction C comes along with a proof of security, it is important that these proofs are as precise as possible to provide a meaningful aid in choosing the scheme's parameters to achieve a certain level of security. In such a security proof, one usually considers a computational problem P that is assumed to be hard (e.g., factoring of large primes or the discrete logarithm problem) and transforms an algorithm A trying to break C with respect to some welldefined security model M into an algorithm B trying to solve P. We say that algorithm B is a tight reduction if it uses approximately the same amount of resources as algorithm A does. In cryptographic research, these resources are usually running time t and success probability e. However, Auerbach et al. (CRYPTO'17) pointed out that also the memoryconsumption of a reduction is an important resource. Thus, we call a reduction memorytight if in addition the memorycomsumption of A and B is about the same. If B would use significantly more resources than A, this implies that one "looses security”. Hence, one would need to choose larger parameters as one would need with a tight reduction to compensate this loss, which in the end implies a less efficient deployment of the construction.
Very recently, two results were published (Ghoshal and Tessaro (EUROCRYPT'20) and Bhattacharyya (PKC'20)) both dealing with the memorytightness of the Hashed ElGamal Key Encapsulation Mechanism. Whereas Ghoshal and Tessaro claim that the memorytightness of Hashed ElGamal is provably impossible, Bhattacharyya gives a memorytight security proof in the random oracle model for Hashed ElGamal. The goal of this thesis is to point out the differences of these two results and find out how this paradoxical situation can occur. This topic can both be a bachelor's or master's thesis. For a bachelor's thesis, we would expect that these results are presented in a consistent form and then are compared extensively. For a master's thesis, this can be extended by further analyses. Please note that this is a rather theoretical topic and a familiarisation with provable security and theoretical foundations of cryptography might be necessary. The thesis can be written in German and English, although we highly recommend writing in English.
On the (Memory)Tightness of GCMBased Channels
To deploy cryptographic constructions in practice as efficiently as possible, the choice of the construction's parameters (e.g., the size of the underlying algebraic group) is crucial. As it nowadays is a defacto standard that a new cryptographic construction C comes along with a proof of security, it is important that these proofs are as precise as possible to provide a meaningful aid in choosing the scheme's parameters to achieve a certain level of security. In such a security proof, one usually considers a computational problem P that is assumed to be hard (e.g., factoring of large primes or the discrete logarithm problem) and transforms an algorithm A trying to break C with respect to some welldefined security model M into an algorithm B trying to solve P. We say that algorithm B is a tight reduction if it uses approximately the same amount of resources as algorithm A does. In cryptographic research, these resources are usually running time t and success probability e. However, Auerbach et al. (CRYPTO'17) pointed out that also the memoryconsumption of a reduction is an important resource. Thus, we call a reduction memorytight if in addition the memorycomsumption of A and B is about the same. If B would use significantly more resources than A, this implies that one "looses security”. Hence, one would need to choose larger parameters as one would need with a tight reduction to compensate this loss, which in the end implies a less efficient deployment of the construction.
Very recently, Ghoshal, Jaeger, and Tessaro (CRYPTO'20) initiated the study of memorytight authenticated encryption. They show a number of positive and negative results in this area, one of which showing the possibility of a memorytight security proof for AESGCM. AESGCM is currently the defacto standard of symmetric encryption and is, e.g. the most used encryption mode in TLS 1.3. In this paper, they also applied their result to a simplified version of the TLS 1.3 record layer channel instantiated with AESGCM. The goal of this thesis is to revisit their analysis and compare their notion of a channel with previous notions. By comparing it to other notions, it should be researched how strong this notion actually is. An ideal outcome of this thesis for us would be a (memory)tight security proof for the TLS 1.3 AESGCM record layer protocol with a reasonable abstraction of the protocol and a reasonable notion of a channel. We are currently working on the tight security of TLS 1.3 (https://eprint.iacr.org/2020/726), which already proofs tight security of the handshake protocol of TLS 1.3. A tight analysis of the record layer, i.e. the channel, in some form would be a great complement.
Please note that this is a very theoretical topic and background in provable security is more or less mandatory. The thesis should be written in English.
Survey: Authenticated Denial of Existence in DNSSEC and its implications
In recent years DNSSEC, a suite of specifications that add authenticity and integrity to the DNS standard, gained more and more traction. Among other goals, the specifications also provide authenticity for negative DNS responses, e.g. when a queried domain does not exist. However, standardized solutions allow attackers to enumerate all domains in a DNS zone. The goal of this thesis is to survey the different approaches to Authenticated Denial of Existence in DNSSEC and their security in regards to zone enumeration.
Verifiable Random Functions from Standard Assumptions using Balanced Admissible Hash Functions
Verifiable Random Functions (VRFs) can be thought of as the publickey equivalent of Pseudorandom Functions in the sense that the correctness of the output can be publicly verified to be the correct output of the PRF. The goal of this thesis is to improve the proofs of VRFs in the standard model, that is without random oracles and based on standard assumptions. The topic can be extended to additionally apply novel proof techniques.
Which Alexa 500 server (still) fails ROBOT?
Exploring side channels in CPU architectures
TLS in the cloud: Recipe for desaster?