Position on Side-Channel Analysis and Mitigation (Ph.D./PostDoc)


Side channels pose a serious threat to the confidentiality of secrets. Execution characteristics (like, e.g., running time or power consumption) might provide attackers with information that enables them, for instance, to learn a cryptographic key or to make a brute-force attack for obtaining a cryptographic key feasible. Meltdown, Spectre, and Platypus are prominent examples of such side-channel vulnerabilities.

In a side-channel attack, an attacker observes characteristics of a program run, (e.g., the duration of the run) and exploits these observation to deduce secrets (e.g., cryptographic keys). Such attacks target concrete implementations and might succeed even against programs whose underlying algorithm was proven to be secure. Formal models and static program analyses enable the derivation of reliable guarantees of how much information could be leaked at most via a side channel during a run of a given program. Experiments, including proof-of-concept attacks, can used to demonstrate the seriousness of side-channel vulnerabilities.

Our overall goal in this project is to create a framework for detecting side-channel vulnerabilities in cryptographic implementations and for systematically assessing their seriousness using formal and experimental analyses. Moreover, we aim at increasing the trustworthiness of cryptographic implementations by mitigation techniques and by engineering techniques.

The Position

In this position, you will contribute to detecting side-channel vulnerabilities, understanding their severity, mitigating them, and/or avoiding them by construction. Two complementary research directions are possible that fit different backgrounds and interests.
  • Your research could focus on quantitative formal models for capturing varying degrees of confidentiality and on quantitative program analyses for deriving such quantitative security guarantees while taking micro-architectural features of the underlying execution platform into account. In this direction, you could build on our prior foundational research and our tool development (including multiple variants of the tools SideChannelFinder and CacheAudit).
  • Alternatively, your research could focus on demonstrating the seriousness of side-channel vulnerabilities by the feasibility of exploits and on developing construction principles whose application ensures that side-channel vulnerabilities are avoided proactively when engineering security-critical systems. You could build on our prior research on distinguishing experiments for timing side channels and for software-based energy side channels.
This position is associated with the project "Secure Refinement of Cryptographic Algorithms" in the DFG CRC CROSSING.

Prior Skills and Experiences

The two possible research directions on side-channel analysis and mitigation differ in which skills are required.
  • Research on static program analyses and formal models:  Prior knowledge in at least one of program analyses, formal methods, mathematical logic, or information theory is expected. Competences in tool development, in using theorem provers, side channels, or in other aspects of IT-security are not expected, but would be a plus.
  • Research on experimental analyses and engineering techniques:  Prior knowledge in at least one of side-channel attacks, side-channel analysis, or experimental evaluations is expected. Good programming skills, a broader knowledge of IT-security, competences in statistics, or competences in information theory are not expected, but would be a plus.
For both directions you should be highly motivated to tackle challenging research problems, to produce innovative insights and tools, to strive for international visibility as a researcher, and be open minded. You need good language skills in English (writing and talking). Prior knowledge of the German language is not expected, but you should be willing to obtain basic skills within a year.

Formal Prerequisites

What we offer

How To Apply

The Environment

A A A | Print | Imprint | Sitemap | Contact
zum Seitenanfang