1

Cybersecurity Education: Bridging the GapBetween Hardware and Software Domains

Marcin Lukowiak⇤, Stanisław Radziszowski†, Jim Vallino‡,and Christopher Wood†‡

⇤Department of Computer Engineering, †Department of Computer Science, ‡Departmentof Software Engineering, Rochester Institute of Technology, Rochester, NY 14623

Email: Marcin.Lukowiak@rit.edu

Abstract—With the continuous growth of cyberinfras-tructure throughout modern society, the need for securecomputing and communication is more important thanever before. As a result, there is also an increasing needfor entry-level developers who are capable of designing andbuilding practical solutions for systems with stringent secu-rity requirements. This calls for careful attention to algo-rithm choice and implementation method, as well as trade-offs between hardware and software implementations. Thispaper describes motivation and efforts taken by three de-partments at Rochester Institute of Technology (ComputerEngineering, Computer Science and Software Engineering)that were focused on creating a multi-disciplinary coursethat integrates the algorithmic, engineering, and practicalaspects of security as exemplified by applied cryptography.In particular, the paper presents the structure of this newcourse, covered topics, lab tools and results from the firsttwo spring quarter offerings in 2011 and 2012.

Index Terms—Security-Oriented Curriculum, Cyberse-curity Education, Multi-Disciplinary Applied Cryptogra-phy, Hardware and Software Design

I. INTRODUCTION

With the growth and pervasiveness of cyberin-frastructure in modern society, secure computingand communication have become critically impor-tant. Sample applications with important securityrequirements include e-commerce, voice/video com-munications, secure databases, and financial markettransactions. In addition, there is a growing trend to-ward integrating security into many different pointsof the information technology infrastructure, suchas embedding in disk drives, processors (e.g., built-in encryption/decryption), trusted system boards,network switching elements, mobile devices, andsensors. All of these points require careful attentionto algorithm choice and implementation method,and trade-offs between software and hardware. The

development of such systems requires a populationof entry-level developers who have the knowledgeand skills needed to design them. One of the key el-ements of this is an understanding of cryptographicalgorithms and their implementation.

In a typical approach, the study of cryptographyand security in undergraduate computing programsfocuses primarily on the mathematical aspects ofcryptography, which unfortunately gives studentsfundamental theory but not practical implementa-tion experience. To gain the necessary knowledgeand skills, a student must learn concepts fromthe multiple disciplines of computer engineering,computer science, and software engineering, as eachof them play a significant role in different aspectsof secure computing and communications, whichis schematically presented in Figure 1. This is notdone in standard undergraduate computing curric-ula. Computer engineering students usually learnhow to design general purpose digital systems, butthey lack the knowledge related to the design of spe-cialized cryptographic circuits and optimizations ofhardware-software co-designs. Those students whomay do some cryptographic design might constructa hardware implementation of a particular algorithmwithout knowing the fundamental theory on which itis based. Computer science and software engineer-ing students study cryptographic algorithms mostlyas a mathematical exercise with some softwareimplementation. They rarely investigate the perfor-mance of their implementations and are usually notfamiliar with software optimizations or hardwareimplementations. In many applications, implemen-tation aspects are crucial because of the complexityof cryptographic algorithms. This is especially truesince they may operate upon data from a streaming

2

Secure Computing and Communications

Computer Science & Math

algorithm security and complexity

Computer Engineering

secure hardware design Software Engineering

secure software design

Fig. 1. The multi-disciplinary relationship that served as the basisfor the new course draws from the fields of computer engineering,computer science, and software engineering.

communications channel, with a constrained powerbudget, or in an environment where side-channelattacks can be exploited to compromise the system.

Our review of the coursework available at otherinstitutions found only a few examples of coursesthat have content which crosses disciplines, andnone have the comprehensive, integrated approach.Two examples would be graduate-level courses inthe Electrical and Computer Engineering Depart-ments at Worcester Polytechnic Institute [1] andat Virginia Tech [2]. Realizing this, the authors ofthis paper developed and introduced a new multi-disciplinary course entitled “Hardware and SoftwareDesign for Cryptographic Applications”.

The design of this course, focused on under-graduate students, emphasizes active learning ped-agogy [3] [4] [5]. This pedagogy strives to im-mediately engage students with the material beingcovered through hands-on exercises during classtime rather than being primarily lecture-based withother learning activities occurring only outside ofthe class. Within this course, team assignments andprojects require implementations of selected crypto-graphic primitives. Such implementations are thenfollowed by an in-depth comparison and contrastof various implementation alternatives, includingsoftware, custom Field Programmable Gate Array(FPGA) hardware, and hybrid hardware-software.This crosses three disciplines to span the range ofskills from fundamental theory to practical software

and hardware implementations.This course uses the multi-disciplinary approach

which Vallino and Czernikowski [6] [7] showedwas effective for teaching courses in real-time andembedded systems. To the extent possible, studentteams are composed of one computer engineeringstudent and one software engineering or computerscience student. Computer engineering students leadthe hardware design portions of each project, whilesoftware engineering and computer science studentslead the software development portions. The breadthof material dispersed throughout the course coversmany different aspects of software and hardwaredevelopment and revisits the mathematical theorybehind their designs. Such structure provides stu-dents with ample opportunity to reinforce the fun-damental concepts taught in lectures with hands-onexercises conducted in a studio setting. The courseis organized to fit a quarter system with 10 weeksof classes.

This course emphasizes learning through hands-on exercises, with team assignments and projectsrequiring implementations of selected cryptographicprimitives. Such implementations are then followedby an in-depth comparison and contrast of vari-ous implementation alternatives, including software,custom Field Programmable Gate Array (FPGA)hardware, and hybrid hardware-software. This al-lows to cross three disciplines to span the range ofskills from fundamental theory to practical softwareand hardware implementations. Student teams inour course are ideally composed of one computerengineering student and one software engineeringor computer science student. Computer engineeringstudents lead the hardware design portions of eachproject, while software engineering and computerscience students lead the software development por-tions.

Although many different cryptographic primitiveswere incorporated into the lectures, the primaryfocus was on the Advanced Encryption Standard(AES) and the SHA-3 hash function candidates.The AES was a clear candidate for study due to itsstatus as the leading block cipher after its selectionby NIST in 2001 [8]. Similarly, the SHA-3 hashfunction finalist candidates were investigated forthe course project because of their importance forthe cybersecurity community, and the large amountof readily available material associated with theNIST competition [9] [10]. The different trade-

3

offs that exist between the candidate functions pro-vided students with a realistic perspective on thechallenges faced when designing and implementingthese algorithms.

The development platform was the Xilinx ML-507 evaluation board. It comes equipped with theVirtex-5 FXT FPGA device, which combines anembedded PowerPC 440 processor and reconfig-urable fabric on a single chip. Like most modernFPGAs, this device is also capable of running soft-core processors within the FPGA resources. Thewhole platform was well-suited for all practicalassignments due to the large number of availablelogic cells and external memory, both of which gavethe students more freedom when experimenting withvarious software and hardware designs.

This paper first describes the structure of the newcourse. It then enumerates the sequence of in-classlectures and laboratory exercises, including selec-tion criteria for course topics, tools, techniques, anddevelopment methodologies used to illustrate theseconcepts. Lastly, potential modifications are iden-tified from the experiences developing the course,presenting the material in class, and the feedbackreceived from the students who participated. Thisfeedback is also presented and analyzed as a meansof quantifying the course learning objectives andoutcomes.

II. COURSE STRUCTURE

At a high level, there are four different areas ofmaterial covered in this course: 1) cryptographicfoundations, 2) FPGA-based embedded systems, 3)embedded software development and optimization,and 4) hardware and hardware-software co-designand development.

The complete progression of the course for 10weeks of classes with 4 contact hours per weekis shown in Figure 2, where each week typicallyconsists of one lecture and one lab assignment. Thiscan be varied based on student prerequisites for thecourse and the outcome learning objectives.

A. Layered ProgressionThe ultimate goal of the course is to teach stu-

dents about various aspects of applied cryptographyusing a layered approach, in which each layercontains more implementation abstractions and lessalgorithmic details than its successor. The base

for this layered structure was defined by takingthe different backgrounds of the target studentsinto consideration. In our case, this meant that thecourse started with software-oriented exercises andgradually moved elements of these solutions intohardware. At each step, more algorithmic details areunveiled to the students as they experimented withdifferent implementation techniques. This created anatural progression for the material taught in thecourse where each specific implementation drewfrom the design of its predecessor.

The following list presents the consecutive im-plementations of the core AES algorithm as thecourse progressed through the various layers (seealso Figure 5):

• Software-only implementation based on a di-rect translation of the mathematical operationsin the cipher algorithm [8]. The focus was oncode readability and maintainability.

• Optimized version of the AES based on the T-box design [11] with further performance im-provements based on loop manipulation, datasize adjustment, and function inlining.

• Hardware-software implementation using theImpulse C development tool. This version wasa direct translation of the unoptimized versionof the AES with no focus on performancedegradation due to pointer manipulation, mem-ory usage, loop sizes, and data types.

• Optimized version of hardware-software imple-mentation of the AES developed with ImpulseC, where the details of the underlying commu-nication buses and available memory resourceswere taken into account to reduce the overallcycle count.

• All hardware implementation of the AES witha folded register architecture (amounting in a32-bit data path) [12].

All software was written using the C pro-gramming language and hardware was modeledusing Very-high-speed integrated circuits Hard-ware Description Language (VHDL). In addition,a hardware-software co-design methodology waspracticed using Impulse C, which is a specializedsubset of the C programming language intended forrapid hardware and hardware-software developmentusing a C-to-FPGA compilation engine [13].

In both offerings of this course, improving studentunderstanding of the cryptographic algorithms anddifferent implementation techniques by removing

4

high-level abstractions paved the way for each newimplementation of the AES. As part of each im-plementation exercise, students were required toanalyze their work from performance gain and asso-ciated cost perspectives. This was a necessary stepto understand the balancing act that exists betweendevelopment time and effort, design complexity andcode readability, implementation cost (source codesize and circuit area), and performance improve-ments.

B. Breadth of Material

1) Cryptographic Foundations: From a crypto-graphic standpoint, the focus of the course was onblock ciphers and hash function implementationsin both software and on FPGA-based embeddedsystems. The AES has been, and continues to be,the subject of intense research in large part focusingon software and hardware optimization efforts, andresistance to side-channel attacks, all of which tiein with the underlying theme of this course.

In addition to the AES algorithm itself, studentswere also introduced to various NIST-recommendedmodes of operation for block ciphers. The followinglist enumerates these modes and how they contributeto the security properties of block ciphers [14], [15],[16], [17], [18], [19].

• Confidentiality - Electronic Code Book (ECB),Cipher Block Chaining (CBC), Cipher Feed-back (CFB), Output Feedback (OFB), Counter(CTR), Ciphertext Stealing for CBC mode.

• Authentication - Cipher Block Chaining Mes-sage Authentication Code (CBC-MAC).

• Confidentiality and Authentication - CBC-MAC with Counter, or Galois/Counter Mode(GCM).

• Confidentiality on Storage Devices - Tweakableencryption XOR-Encrypt-XOR (XEX), XEX-based tweaked Code Book with CiphertextStealing (XTS).

For a practical assignment, the focus was mainlyon the Galois/Counter Mode mode of operation inorder to study both data confidentiality and au-thentication. Given that the students were alreadyfamiliar with the mathematical and algorithm designbackground concepts from previous lectures and as-signments, the integration of this mode of operationwas relatively seamless. The culmination of this

material resulted in a software implementation ofthe core AES-GCM.

Following a similar mindset, the course projectwas based upon the SHA-3 hash function compe-tition. This exposed students to hash functions asanother class of cryptographic primitives. It alsoprepared them for the undoubtedly large integrationeffort in which existing hash functions will bereplaced by the soon-to-be-selected SHA-3 winner.

Various topics on public-key cryptography, in-cluding RSA, ElGamal, and elliptic curve cryp-tosystems [20], were also integrated into the courseschedule. These served to emphasize the need forsecurity through cryptography and the applicabilityof cryptographic primitives in the real world. Itwas also necessary to cover the basic mathemat-ical properties and operations that are utilized insuch designs in order for the students to graspthe specific details of these algorithms. This partof material was largely focused on binary fieldarithmetic (specifically, Galois fields GF(28) andGF(2128)). The properties of finite fields and relatedoperations were discussed in class. The studentswere left to explore these ideas in more detail aspart of an exercise where they had to implement alibrary of finite field functions. In addition to basicaddition, subtraction, and multiplication operations,the students were asked to implement functions tofind the multiplicative inverses using the extendedEuclidean Algorithm [20], and generators of thefield.

2) FPGA-Based Embedded Systems: A portionof the course was devoted to the discussion ofFPGA-based embedded systems. Due to the in-herent co-existence of hardware and software inthese systems, as well as the numerous performance,power, and size constraints they face. They areparticularly useful for cryptographic applicationsbecause they provide the following:

• Algorithm acceleration with spatial (parallel)computing in FPGA fabric.

• Flexibility of processor-based computing usinghigh-level software tools.

• Tightly coupled hardware and software do-mains for performance and flexibility benefits.A more in depth treatment of this benefit wasdescribed by [21] [22].

In order to familiarize the students with thisplatform the first two lab exercises served to intro-duce the basic design flow and techniques for using

5

AES software

Analysis, optimization, and rework Analysis, optimization, and rework Analysis and rework

week

Lectures

Lab exercises

Design of FPGA based embedded platforms, software development, profiling

methodologies

Finite field arithmetic and mathematical

library

HW/SW co-design with Impulse C

AES HW/SW co-design with Impulse C

FPGA based embedded platforms

Security need, applications of

private and public key

cryptosystems

Binary finite field arithmetic

AES block cipher, software

optimization techniques

Hashing functions and

their applications

Impulse C programming

model and design flow

Block cipher modes of operation

Digital design with VHDL

1 2 3 4 5 6 7

Custom hardware

accelerator design

8

Special topics

9 10

Customer AES hardware

accelerator

AES-Galois/Counter Mode

software

Fig. 2. Weekly progression of the course lecture material and lab exercises. Special topics include an overview of public-key cryptosystems,side channel attacks, and memory encryption. These can vary based on active research in the area, and are meant to expose students tocurrent challenges being addressed by engineers and researchers.

Fig. 3. General structure of the embedded system developed by thestudents. Components surrounded by dashed lines indicate that theyare optional and are not required for normal system operation.

FPGA-based embedded systems. These exercisesincluded working with the Xilinx Platform Studio(XPS) and Embedded Development Kit (EDK) tocreate multiple configurations with both the hard-core PowerPC and soft-core MicroBlaze processorsand run sample test applications. Additionally, thestudents were shown how to add custom IP (In-tellectual Property) components to their configura-tions, including timers, counters, and an interruptcontroller, which were later used to profile softwareapplications using a simple cycle-based measure.

3) Embedded Software Development and Opti-mization: From an implementation standpoint, thefocus was on translating cryptographic algorithmsand designs into running software and hardware,profiling and analyzing these implementations, and

taking further actions to improve their performance.The optimization efforts were centered around the

standard closed loop optimization cycle, as depictedin Figure 4. To identify the performance bottlenecksin the original AES implementation, the studentsused a counter for simple cycle-based measurementsand the GNU profiling tool gprof to analyze thesource code at runtime, with and without the in-struction and data caches enabled.

This analysis exposed students to the performancecritical sections of the core AES algorithm. As partof unveiling the next implementation layer in thecourse the students exercised this knowledge byconducting both code-level refactoring and design-level modifications to optimize the software. Theseoptimizations were primarily focused on basic coderestructuring techniques with emphasis on the targetplatform. These implementation-specific techniquesincluded:

• loop manipulation,• replacing finite field arithmetic operations with

lookup tables (LUTs),• function inlining,• data type resizing and data structure refactor-

ing.In addition to these optimizations, the students

also explored the T-table design for AES, whichexploits the independence between the SubBytes,ShiftRows, and MixColumns operations in the ci-pher. This allowed them to be combined into fourdifferent 1024 byte lookup tables, each one repre-

6

initial development

functional verification

identify bottlenecks

analyze and generate alternatives

implement enhancements

Fig. 4. The standard closed loop optimization cycle that is followedto incrementally improve performance of software and hardwareapplications.

senting the result of the operations on a 32-bit wordin the internal state array. Using these tables thestudents reduced an entire round of encryption (anddecryption) to a series of table lookups and XORoperations, which greatly improved the performanceof their software implementations at the cost ofapplication size.

4) Hardware and Hardware-Software Designand Development: The next phase was to port theexisting software implementations to a hardware-software project. This served as the students’ firstexposure to custom hardware accelerator versionsof the core AES algorithm. To facilitate the ini-tial hardware and hardware-software development,Impulse C, a C-to-FPGA programming model andcompilation engine that promotes rapid prototyp-ing of digital hardware using a subset of the Cprogramming language was introduced. Using Im-pulse C as an efficient tool in the developmentof hardware systems by software oriented studentswas studied by [22]. In this course students usedit to transform their existing software designs forAES to hybrid hardware-software solutions thatperformed at significantly higher levels. This wasa two-fold process that first consisted of abstractingthe AES encryption routine as a single hardwareprocess that was driven by two software processes,as shown in Figure 5. The producer software processwas responsible for feeding the encryption processwith plaintext and key data. Once encrypted, theciphertext was streamed to the consumer process.

TABLE IAES IMPLEMENTATION PERFORMANCE GAINS.

Implementation type Relative performanceUnoptimized software 1.0Optimized software 5.6Unoptimized Impulse C 128.6Optimized Impulse C 137.2

After the students became familiar with the Im-pulse C programming model and the C-to-VHDLcompilation process, the next step was to analyzeand optimize the existing implementation for im-proved throughput. This included using a varietyof techniques, shown below, that exploit the codegeneration stages of the Impulse C compiler.

• Change the size of the streaming interfaces tomatch the width of the data transfer bus toimprove consumption rates.

• Modify the size of the data types in arrays tomake full use of the PLB for memory fetches.

• Replace arrays with local variables where pos-sible to reduce external memory reads.

• Split up arrays into smaller constituent arraysto parallelize memory accesses to make use ofmultiple memory channels.

• Modify loops to experiment with both im-proved parallelism and reduced code size.

• Pipeline blocks of code where possible to im-prove throughput.

Using the optimized Impulse C tool studentswere able to achieve a speedup of 137.2 from theoriginal software implementation using the PLB forcommunication, as shown in Table I. The overheadof software and hardware process communicationwas the ultimate bottleneck in the solution, as thebandwidth of the PLB only allowed for so muchdata to be transferred every clock cycle. Futurecourse offerings will transition from a dependencyon the PLB to the Fast Simplex Link (FSL) forcommunication with custom hardare accelerators.As part of this shift, students were asked to ex-periment with both the PLB and FSL in theirlab exercises. Preliminary performance results fromthese are detailed in Table I.

It is important to recognize that the C-to-FPGAtranslation process was also a limiting factor in theperformance of the solution. Since Impulse C issimply another abstraction layer on top of a cus-tom HDL implementation, the compilation processgenerates code according to a generic template.

7

FPGAFPGA

Impulse C Impulse C

AESAES Test Driver

Hardware-Software with

Custom Hardware Accelerator

Generated From Impulse C

Custom Hardware

Accelerator

Producer

AES

Consumer

AES

Producer

Consumer

AES

Processor (MicroBlaze)

Hardware Accelerator

Fabric

FPGA

FPGA

Processor (MicroBlaze)

Processor (MicroBlaze)

Processor (MicroBlaze)

Hardware Accelerator

Fabric

PLB/FSL

PLB

Fig. 5. The incremental development versions of AES that were studied throughout the course. The left box depicts the original softwareversion of AES as it was run on the ML507 development board. The top two boxes show the incremental development cycle used to translatethe software version into a hardware-software co-designed application using Impulse C. The bottom box depicts the design of the customhardware accelerated version of AES, where the software was only responsible for driving the internal logic of the hardware component.The FSL was added to the custom hardware accelerator implementations to expose students to the different interfaces available on the targetplatform.

Typically, the resulting code will not be as conciseor efficient as if it were manually modeled and thensynthesized.

The next and final stage in the development cyclefocused on customized hardware accelerators forthe AES encryption engine. This required an under-standing of basic hardware modelling and digitaldesign concepts. The difficulty of this part of thecourse is that it had to be tailored towards software-oriented students, who might lack the computerand electrical engineering background that otherstudents possessed. To account for such students,a single class was dedicated to VHDL syntax,development practices, and modelling techniques.This was done in order to provide them with enoughinformation to at least interpret and understandVHDL code.

Once the students became acquainted with hard-ware modelling techniques and design flows, theywere provided with a working implementation of theAES engine. A high-level design of this module is

shown in Figure 6. After verifying the functionalityof this model using a provided testbench, the stu-dents were asked to modify redesign the architectureusing a folded register scheme in order to shortenthe width of the data path.

Putting all of these stages together, the overallflow of the AES implementations throughout thecourse is depicted in Figure 5.

C. Course Project

The SHA-3 hash function candidates were chosenas the basis for the course project because of theirimportance in the study and practice of cybersecu-rity [9].

With the results of the SHA-3 competition stillpending, hash function research efforts continuedwith the five finalist functions (BLAKE, Grøstl,JH, Keccak, and Skein [10]). Given the importanceof selecting the candidate that provides the bestcombination of security, performance, simplicity,

8

AES

AES ENGINE

Ciphertext Register

Expanded Key Memory

Input128

Plaintext Register

AES KEY EXPANSION

Expansion Logic

TempRegisters

32

Output

+

+

Round number

16 SBoxes

clk +

128

128

128

128 128 128128 3216 SBoxes Shift Rows

LogicMix Column

Logic

Fig. 6. High-level design of AES custom hardware accelerator. Input and output to the module consists of streams of 32-bit words thatcontain the key and plaintext data on the input channel and the ciphertext on the output channel.

and modularity, many teams across the world havefocused on the mathematical and statistical proper-ties, and the implementation efficiency of these fivehash functions.

For the purpose of the project, the students weredivided into five teams; each one focusing on asingle SHA-3 finalist. The term-long project hadfour major parts culminating with a research paperand presentation by each team. The highlights ofeach part were:

1) Researching the history of hash functions, thecurrent standard hash functions, and recentadvancements in cryptanalysis efforts that tar-get hash functions.

2) Discussing the internal algorithmic details ofthe teams hash function, which served as abasis for the remaining parts of the project.

3) Analyzing published research efforts on thedesign, implementation and performance ofthe hash function.

4) Implementing the hash function in softwareusing the publicly available resources pro-vided by each SHA-3 candidate team.

In order for students to have a common baselinefor comparison of their results, all teams imple-mented the 512-bit digest versions of their hashfunctions. All teams quantified the performanceof their implementations by collecting cycles/byte

measurements on fixed sized messages.Now, with Keccak announced as the winner [23],

we anticipate more attention in our courses will bedevoted to this particular algorithm.

III. STUDENT IMPACT

In order to assess achievement of the courselearning objectives and outcomes, an anonymoussurvey was administrated to the students at the endof the course, to which 21 answers were received.The main results are summarized in Tables IIand III, which indicate an overwhelming agreementthat this new course successfully completed allspecified goals. The following are some exemplaryquotes from students that illustrate their supportand approval of this new course.

The course material was diverse enough for thevarious disciplines and covered a great deal ofmaterial.

It has opened my eyes to more topics that arecommonly discussed in industry. I am interestedin obtaining a Ph.D. in the field of computersecurity, and this course plays right into theresearch and materials I am interested in.

9

I think demonstrating hardware/software co-design is very valuable to students since thisis such a common team configuration in theindustry. This will help to develop practicalskills.

I think the most difficult thing will be takingall the prerequisites - the value of this coursecould be immense if everyone came into theclass with a strong background in crypto, andboth hardware and software design.

A few auxiliary questions were asked in the sur-vey in order to measure student’s general interestsin applied cryptography, their self-assessment onbackground preparation, and achievements in thiscourse. Selected results referring to this part of thesurvey are presented in Table IV.

In the second offering of the course in the springquarter of 2012, we also included a longitudinaltest that quantitatively assessed general knowledgeacquired throughout the term. Questions were drawnfrom the areas of cryptographic foundations, FPGA-based embedded systems, and high-level synthesis.This test was administered at both the begining andend of the course. Tables V and VI present theresults that were collected.

We performed a 1-tailed paired difference t-testanalysis on the sample of 13 students. Our analysisindicated that there was a statistically significantincrease in knowledge acquisition for all questiongroups, with a p-value less than 0.005, based onthe pre- test and post-test mean scores derived fromthe data in Table V. In calculating the mean, unan-swered questions were treated as incorrect answers.Our result can easily be seen in the raw data shownin Table VI by observing the three-fold decrease inunanswered and incorrect questions from 141 to 45,and approximately a doubling of correct answersfrom 68 to 122. Also, there was a clear lack ofknowledge in high-level synthesis and cryptography,as shown by the large cluster of unanswered ques-tions from these two categories in the perliminarytest. However, as the results show, knowledge inthese areas showed a three-fold decrease from 96unanswered and incorrect answers to 34 unansweredand incorrect answers.

IV. DISCUSSION

Our students have particularly varied back-grounds because they are coming from differentdepartments. The balance of different componentsof our course can be adjusted to take into accountspecific needs of enrolled students. For example,computer engineering students may need more ma-terial on cryptography whereas software engineeringand computer science students almost certainly willrequire more extensive lectures and practice onhardware implementations. Additional material oncryptography could include more thorough treat-ment of number theoretic foundations or complexitytheory considerations in relation to the securitycryptographic primitives. Extended hardware per-spectives for software-oriented students might en-compass more time dedicated to high-level synthesistools and methodologies, custom digital logic designwith hardware description languages, and targetimplementation platforms.

The project activity of the initiative describedin this paper is based on the finalist SHA-3 hashfunction candidates. With the announcement of Kec-cak [24] as the winner of the SHA-3 competitionon October 2, 2012 [23], it will be natural toshift more of the focus of the material of thiscourse towards this algorithm. The current DigitalSignature Standard (DSS) uses as its component theSHA-1 hashing, whose security has been questioned[9] [10] and has different message digest lengthfrom SHA-3. Thus, we expect that in the nearfuture there will be intense discussion and perhapseven similar competition organized to propose andintroduce new standards for cryptographic digitalsignatures. In such a case we would like to followsuch developments in our course by refocusing theproject activity towards signatures.

V. CONCLUSION

This course was developed as part of a newsecurity-oriented curriculum that draws from thefields of computer science, computer engineering,and software engineering. The main goal was toaccommodate a mixture of computer engineering,software engineering, and computer science studentsby teaching them about the theoretical and practicalaspects of developing implementations of crypto-graphic primitives, such as block ciphers and hashfunctions. The focus was on the standardized AES

10

TABLE IICOURSE LEARNING OBJECTIVES QUANTIFIED FROM STUDENT SURVEY.

Learning objective Strongly agree Agree Undecided Disagree Strongly disagreeProvide knowledge and understanding for design andimplementation of cryptographic primitives on FPGA-basedembedded systems. 52% 48% 0% 0% 0%Provide knowledge and understanding ofhardware/software co-design methodologies and techniques. 48% 52% 0% 0% 0%

TABLE IIIMEASURABLE LEARNING OUTCOMES QUANTIFIED FROM STUDENT SURVEY.

Learning outcome Strongly agree Agree Undecided Disagree Strongly disagreeStudents have successfully customized and implemented anFPGA based embedded processor system; students understandhow to configure linker scripts and build software projectsfor cryptographic primitives. 67.0% 33.0% 0.0% 0.0% 0.0%Students know how to profile software applications to identifyperformance bottlenecks. Students have successfully optimized asoftware application to improve performance; students haveanalyzed cost in terms of the application size. 47.6% 47.6% 4.8% 0.0% 0.0%Students have successfully performed high level synthesisfrom C programs to FPGA hardware; students have analyzedperformance improvement in a hardware/software system. 57.1% 38.1% 0.0% 0.0% 4.8%Students have successfully implemented a custom hardwareaccelerator for selected architecture to achieve desiredperformance in cost and area. 52.4% 47.6% 0.0% 0.0% 0.0%

TABLE IVSELECTED AUXILIARY QUESTIONS. THE ENTRY MARKED ⇤ INDICATES NO REPLIES WERE GIVEN FOR THE CORRESPONDING QUESTION,

NOT EXPLICIT DISAGREEMENT.

Question Strongly agree Agree Undecided Disagree Strongly disagreeThe amount I learned was worth the time invested in thiscourse. 52.4% 28.6% 19.0% 0.0% 0.0%My preparation was adequate for taking this course. 52.4% 38.1% 4.8% 4.8% 0.0%I would recommend to a friend to take this course as anelective. 52.4% 38.1% 9.5% 0.0% 0.0%This course increased my interest in computer security. 23.8% 47.6% 23.8% 0.0% 4.8%⇤

I plan to seek employment in the computer security area. 9.5% 4.8% 52.4% 23.8% 9.5%

TABLE VINDIVIDUAL STUDENT SCORES GATHERED FROM THE PRE-TEST AND POST-TEST. OUT OF 15 TOTAL STUDENTS IN THE CLASS, 12

PROVIDED BOTH SETS OF DATA.

Pre-Test Post-Test Score DataCorrect Incorrect Unanswered Correct Incorrect Unanswered Pre-Test Scores Post-Test Scores Score Differences

4 2 8 12 0 2 28.57 85.71 57.147 2 5 11 2 1 50.00 78.57 28.575 2 7 12 1 1 35.71 85.71 50.003 1 10 12 0 2 21.43 85.71 64.287 2 5 11 1 2 50.00 78.57 28.576 0 8 12 0 2 42.86 85.71 42.853 2 9 6 5 3 21.43 42.86 21.431 4 9 3 2 8 7.14 21.43 14.296 6 2 12 2 0 42.86 85.71 42.854 0 10 9 0 5 28.57 64.29 35.726 2 6 11 2 1 42.86 78.57 35.716 3 5 11 3 0 42.86 78.57 35.71

11

TABLE VIQUANTITATIVE RESULTS FROM PRE- AND POST-TESTS ADMINISTERED IN THE SECOND OFFERING OF THE COURSE. THE TABLE ENTRIES

ARE AGGREGATE SUMS OVER ALL COLLECTED TESTS.

Pre-Test Post-Test Question SubjectCorrect Incorrect Unanswered Correct Incorrect Unanswered44 14 31 61 3 8 FPGA-based embedded systems6 11 28 20 8 7 High-level synthesis

18 7 50 41 7 12 Cryptography

algorithm for the majority of the lecture and labmaterial, and the SHA-3 hash function competitionfor the course project.

The material provided to students, both in classand in the lab exercises, covers a number of differ-ent topics, including theoretical background for thechosen cryptographic primitives, FPGA-based em-bedded system platforms and components, softwareimplementation and optimization, and hardware ac-celerators design and modelling. Several engineer-ing tools have been introduced for use throughoutthe course, including the Xilinx Platform Studio andEmbedded Development Kit, gprof, and Impulse C.

Organizing the course material to represent an in-cremental structure proved to be an effective methodfor reinforcing the content provided in class lec-tures. This was reflected in the quantitative resultstaken from the student impact survey. The courselearning outcomes and objectives were achievedwhile covering a wide breadth of material withinthe time constraints of a 10-week term.

Future offerings of this course will more em-phasize on aspects of custom and secure hardwaredesign, including side-channel attacks and counter-measure methods.

VI. ACKNOWLEDGEMENT

This work was supported in part by the NSFCCLI grant award 08-546 DUE-0837656. Any opin-ions, findings, and conclusions or recommendationsexpressed in this material are those of the authorsand do not necessarily reflect the views of theNational Science Foundation.

REFERENCES

[1] Worcester Polytechnic Institute, “ECE 673Advanced Cryptography.” [Online]. Available:http://www.ece.wpi.edu/Graduate/13509.htm

[2] Virginia Tech, “ECE 5520 Secure Hardware Design.” [Online].Available: http://www.ece.vt.edu/schaum/securehw.html

[3] R. Hake, “Interactive-engagement versus traditional methods:A six-thousand-student survey of mechanics test data for intro-ductory physics courses,” American journal of Physics, vol. 66,p. 64, 1998.

[4] M. Prince, “Does active learning work? a review ofthe research,” JOURNAL OF ENGINEERING EDUCATION-WASHINGTON-, vol. 93, pp. 223–232, 2004.

[5] H. Hadim and S. Esche, “Enhancing the engineering curriculumthrough project-based learning,” in Frontiers in Education,2002. FIE 2002. 32nd Annual, vol. 2. IEEE, 2002, pp. F3F–1.

[6] J. Vallino and R. Czernikowski, “Interdisciplinary teaming asan effective method to teach real-time and embedded systemscourses,” in Proceedings of the Workshop on Embedded SystemsEducation 2008, October 2008.

[7] ——, “Thinking inside the box: a multi-disciplinary real-timeand embedded systems course sequence,” in Frontiers in Ed-ucation, 2005. FIE ’05. Proceedings 35th Annual Conference,oct. 2005, pp. T3G –12.

[8] National Institute of Standards and Technology,“Specification for the Advanced Encryption Stan-dard (AES),” Federal Information Processing Stan-dards Publication 197, 2001. [Online]. Available:http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

[9] R. Kayser, “Announcing request for CandidateAlgorithm Nominations for a New CryptographicHash Algorithm (SHA-3) Family,” Federal Register,vol. 72, no. 212, November 2, 2007. [Online]. Available:http://csrc.nist.gov/groups/ST/hash/documents/FR Notice Nov07.pdf

[10] National Institute of Standards and Technology, Computer Se-curity Division, Cryptographic Hash Project Website. [Online].Available: http://csrc.nist.gov/groups/ST/hash/index.html

[11] J. Daemen and V. Rijmen, “AES Proposal: Rijndael,” March1999.

[12] P. Chodowiec and K. Gaj, “Very Compact FPGA Implemen-tation of the AES Algorithm,” in Cryptographic Hardwareand Embedded Systems - CHES 2003, ser. Lecture Notes inComputer Science, vol. 2779. Springer Berlin / Heidelberg,2003, pp. 319–333.

[13] D. Pellerin and S. Thibault, Practical FPGA Programming inC. Prentice Hall, 2005.

[14] M. Dworkin, “Recommendation for Block Cipher Modes ofOperation, Methods and Techniques,” National Institute ofStandards and Technology, Tech. Rep. 800-38A, 2001. [On-line]. Available: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf

[15] ——, “Recommendation for Block Cipher Modes of Operation:Galois/Counter Mode (GCM) and GMAC,” National Instituteof Standards and Technology, Tech. Rep. 800-38D, 2007. [On-line]. Available: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

[16] ——, “Recommendation for Block Cipher Modes ofOperation: The CCM Mode for Authentication andConfidentiality,” National Institute of Standards andTechnology, Tech. Rep. 800-38C, 2007. [Online]. Avail-

12

able: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C updated-July20 2007.pdf

[17] ——, “Recommendation for Block Cipher Modes of Operation:The CMAC Mode for Authentication,” National Institute ofStandards and Technology, Tech. Rep. 800-38B, 2005. [On-line]. Available: http://csrc.nist.gov/publications/nistpubs/800-38B/SP 800-38B.pdf

[18] ——, “Recommendation for Block Cipher Modes ofOperation: The XTS-AES Mode for Confidentiality onStorage Devices,” National Institute of Standards andTechnology, Tech. Rep. 800-38E, 2010. [Online]. Avail-able: http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf

[19] ——, “Recommendation for Block Cipher Modes of Operation,Cipher Modes of Operation: Three Variants of CiphertextStealing for CBC Mode,” National Institute of Standards andTechnology, Tech. Rep. Addendum to 800-38A, 2010. [On-line]. Available: http://csrc.nist.gov/publications/nistpubs/800-38a/addendum-to-nist sp800-38A.pdf

[20] D. Stinson, Cryptography: Theory and Practice. CRC Press,third edition, 2006.

[21] P. Schaumont, “A Senior-Level Course in Hardware-SoftwareCodesign,” in Microelectronic Systems Education, 2007. MSE’07. IEEE International Conference on, june 2007, pp. 7 –8.

[22] Y. Dandass, “Teaching Application Implementation on FPGAsto Computer Science and Software Engineering Students,”Computers in Education Journal, vol. 18, no. 1, January 2008.

[23] “NIST selects winner of secure hash algorithm (SHA-3) competition,” http://www.nist.gov/itl/csd/sha-100212.cfm.[Online]. Available: http://www.nist.gov/itl/csd/sha-100212.cfm

[24] G. Bertoni, J. Daemen, M. Peeters, and G. V. Assche, “Keccakspecifications,” 2009.