## Supervisors and Topics

## Bingsheng Zhang: Cryptanalysis and Theoretical Cryptography

**Cryptanalysis with cube attack**

The aim is to give an overview of basic cube attacks on stream ciphers and block ciphers. After that, the student must become familiar with extended cube attacks and examine the possibility of combining an evolutionary algorithm with a cube attack.

**Oblivious Transfer**

The student must give an overview of what non-committing encryption is and properly formalize adaptive security for oblivious transfer. Finally, the student should study how to use non-committing encryption to construct adaptively secure OT.

## Dan Bogdanov: Applied Cryptography and Security

**Practical attacks against a passively secure MPC system**

**Assigned to:** Riivo Talviste

It is known that passive security is a weak property in secure computation. We intend to find out what kinds of practical attacks are feasible against an actual MPC system that is proven to be secure against a passive adversary. We will consider the Sharemind system and construct real-world attacks against the reliability, confidentiality and integrity of the system.

**Performance analysis of network-bound MPC**

**Assigned to:** Reimo Rebane

The computational performance of share computing systems is known to be network-bound. We will conduct experiments with the Sharemind system to find links between the structure of a protocol and its performance. We will also perform experiments to learn how bandwidth and latency reductions affect the computational performance of an MPC system.

## Liina Kamm: Formal Verification of Cryptographic Proofs

**Tools for analysing the security of symmetric primitives**

**Assigned to:** Kristjan Krips

Pseudorandomness and collision resistance are the two most prominent properties of symmetric primitives. Depending on the construction of these primitives, different steps must be taken to prove that the construction is secure. The aim of the seminar paper on this topic is to find and describe the different reduction schemes that can be used to prove these properties.

## Dominique Unruh: Theoretical Cryptography

**Computational soundness**

There are two common approaches to verifying the security of cryptographic protocols. The first is the computational approach. In this approach, cryptographic algorithms are modeled as polynomial-time algorithms, and security against polynomial-time adversaries is shown by complexity-theoretic reductions. The second is the symbolic approach. Here we abstract away from the details of the cryptography and represent messages as symbolic terms. This approach is considerably less realistic, but it allows for automatic security verification using a computer. Computational soundness is a technique to get the best of both worlds: we show that security in the symbolic model implies security in the computational model.

**Everlasting security**

Most protocols are based on the assumption that some computational problems are hard (such as breaking a particular encryption scheme). However, it is a strong assumption that, e.g., an encryption scheme will stay secure forever. Thus, anything encrypted today could be stored by an adversary today and broken retroactively in the future. Protocols that make sure this cannot happen are said to have everlasting security: they guarantee that once the protocol is over, no one, no matter how powerful, can decipher any data from the protocol.

**Protocol analysis using refinement types**

The automatic verification of the security of protocols is a useful but difficult task. One approach to verifying security is type systems. One annotates protocols with suitable types (similar to "int", "bool", "array of string", etc., but more powerful). By choosing the right type system, one can ensure that any well-typed program is secure.

**Rational cryptography**

Traditionally, in cryptography we try to make protocols secure against arbitrary malicious attacks. In many cases, however, one can assume that the attacker is rational: he will only perform attacks from which he benefits. Rational cryptography uses game-theoretic tools to develop protocols that are secure as long as the attacker is rational.

**Secure composition of cryptographic protocols**

Cryptographic protocols often have a nasty property: although one can show that a given protocol is secure when running on its own, the same protocol can become insecure when running together with another protocol or with other copies of itself. One is therefore interested in protocols that compose securely, that is, protocols that do not lose their security when running in a larger context.

## Helger Lipmaa: Theoretical Cryptography

**Fully homomorphic encryption**

## Jan Willemson: Security

**Differential privacy**

Datasets, statistical surveys and data analysis queries usually leak information about sensitive attributes. The amount of leaked information depends on the background knowledge available to the attacker, and thus many security definitions, like k-anonymity and l-diversity, are adequate only in limited settings. Differential privacy is a security notion that can provide universal security guarantees. The aim of this seminar work is to give a coherent overview of differential privacy.

## Peeter Laud: Cryptographic Protocols, Program Semantics

**Location privacy in a spatial computer**

Proto is a programming language for spatial computers. A spatial computer fills the space, and each point performs computations. The programs are automatically transformed into local actions that are executed approximately by the actual network of devices. Location privacy is an important concept in the contemporary world. Hence a natural question arises: is it possible to state and prove claims about location privacy in **Proto**?

**Review papers for language-based security**

- Andrei Sabelfeld, David Sands: Dimensions and Principles of Declassification. CSFW 2005: 255-269
- Andrei Sabelfeld, Andrew C. Myers: Language-Based Information-Flow Security. IEEE J. on Selected Areas in Communications 21(1): 2003

**Protocol analysis**

- Catherine Meadows: Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends. IEEE J. on Selected Areas in Communications 21(1): 2003
- ProVerif: www.proverif.ens.fr
- Avispa toolset: http://www.avispa-project.org/
- www.usenix.org/events/sec08/tech/slides/mitchell_slides.pdf

## Sven Laur: Theoretical Cryptography

- Lecture notes for Cryptology II course
- Optimal design of authentication protocols based on mobile phones

**Assigned to:** Kristjan Krips

## Meelis Roos: Data Security

**GPU-accelerated intrusion detection system**

Common intrusion detection systems (IDS) such as Snort and Suricata use the computer's main processors (CPU) for packet analysis. This often turns out to be a bottleneck at high data transfer rates. The goal is to write an experimental GPU-accelerated intrusion detection system in order to assess whether accelerating an IDS with a GPU is a promising approach.

## Sven Heiberg

**Analysis of Zeus crimeware kit**

In May 2011 a version of the source code of the crimeware kit Zeus was leaked to the public. Zeus is one of the most prominent botnets aimed at stealing banking information. Zeus has a modular and extensible architecture, which makes it easy to extend its capabilities. For example, some versions of the malware contain a smartcard support module. The task would be to analyze the Zeus source code in order to:

- map its architecture
- detect the mechanisms of stealth, spread and attack
- find counter-methods to the Zeus mechanisms.

**I-voting: analysis, implementation and attacking of i-voting protocols**

**S4A: Centralized intrusion detection for friendly networks**

## Rafik Chaabouni: Practical Security and Hacking

**Eavesdropping VoIP**

The goal of this project is to eavesdrop on a secure VoIP communication. Three steps are required. First, the target secure VoIP application should be reverse engineered. Then, an analysis of the deployed security has to be performed in order to find a method to decrypt the communications. Finally, a practical live example should be carried out in order to demonstrate the acquired knowledge. This is an advanced topic.

**Automated vulnerability searching tools**

Basic flaws are still highly present around us. Nowadays, automated tools to find and exploit them are becoming common. The goal of this project is to select one of them, study the flaws that it targets, understand how it works and demonstrate its functionality in a real-case scenario.

**Cookie Monster**

Despite the creation of Firesheep and Faceniff, HTTPS/SSL is still neglected for cookie transfer. The goal of this project is to create a broader cookie stealer, ideally not limited to a single browser or platform. Its demonstration will be performed in a closed network with an insecure server.