Department of Computer Science and Technology

Course pages 2019–20

Hardware Security

Principal lecturers: Dr Markus Kuhn, Dr Sergei Skorobogatov, Dr Franck Courbon
Additional lecturer: Shih-Chun You
Taken by: MPhil ACS, Part III
Code: P232
Hours: 16 (4 lectures, 6 practical exercises, 3 × 2h seminar sessions)
Class limit: max. 8 students
Prerequisites: Digital Electronics, Programming in C

Aims

This course provides a practical introduction to aspects of hardware security, in particular the reverse engineering of embedded microcontroller devices that implement a cryptographic application.

The particular target on which the practical exercises center this year is the evaluation kit of an authentication chip embedded in consumer electronics accessories, such as ink-jet printer tanks or batteries, which implements a challenge-response protocol based on elliptic-curve public-key cryptography.

Syllabus

  1. Lecture 1: Introduction to Hardware Security (Skorobogatov)
    Exercise 1: ARM Cortex programming, debugging, decompiling, logic analysis (Kuhn)
  2. Lecture 2 + Exercise 2: PCB reverse engineering (Skorobogatov)
  3. Lecture 3: Public-key cryptography (Kuhn)
    Exercise 3: firmware readout and protocol logging (Skorobogatov+Kuhn)
  4. Lecture 4: Elliptic-curve cryptography (Kuhn)
    Exercise 4: decompilation – communications (Kuhn+Skorobogatov)
  5. Lecture 5: Feedback on exercises (Skorobogatov+Kuhn)
    Exercise 5: decompilation – elliptic-curve cryptography (Kuhn+You)
  6. Reading class 1: side-channel analysis (Kuhn+You)
    Exercise 6: re-implementation of single-wire interface or elliptic-curve layer
  7. Reading class 2: VLSI reverse engineering (Courbon)
  8. Reading class 3: fault attacks (Courbon)

In addition to these eight weekly 2-hour meetings, there will also be an optional weekly 1-hour exercise help session.

Each exercise is due after two weeks.

Objectives

On completion of this module, students should:

  • have gained hands-on experience in some of the tools and methods involved in reverse-engineering a digital product,
  • better understand the problem of hardening a product design against reverse engineering and tampering,
  • be familiar with a range of hardware-level attack techniques and countermeasures.


The course includes three reading sessions in which several papers are discussed. Each student is expected to give a 20–30 minute presentation covering 1–3 papers in one of these reading sessions and prepare an essay on the topics covered.

Practical work

Exercise 1: implementation of a basic Morse-code transmitter and receiver on a 32-bit microcontroller (warm-up exercise for familiarization with ARM Cortex-M4 development, debugging and decompilation)

Exercise 2: preparation of a circuit diagram from high-resolution photographs and X-ray images of a target printed circuit board

Exercise 3: extraction of the firmware and recording of a protocol exchange from a microcontroller PCB (same target as in Exercise 2).

Exercises 4+5: partial decompilation (using Ghidra) of the firmware extracted in Exercise 3, along the execution path taken by the protocol exchange observed in Exercise 3.

Exercise 6: reimplementation of the observed and decompiled elliptic-curve scalar multiplication (ECSM) operation in a high-level language (e.g., Python, Sage, Julia, Perl)

Assessment

60% exercises: each exercise handed in will be marked, and the four exercises with the highest marks will each contribute 15% to the overall mark of the course.

20% reading-class presentation.

20% reading-class essay.

Recommended reading

Hankerson/Menezes/Vanstone: Guide to Elliptic Curve Cryptography. Springer 2004.

Mangard/Oswald/Popp: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer 2007.