## List of supervisors and schedule

Contact details of supervisors

## List of projects

### Supervised by Helger Lipmaa

All following topics are primarily meant for students who want to do thesis (B.Sc., M.Sc., Ph.D.) on the corresponding topic. Otherwise, please clearly state your motivation.

**Bulletin boards**

In context of e-voting, but also many other applications, one often assumes that one has access to a secure public bulletin board with the following functionality:

- everybody can write to it and read it

- nobody can erase messages from it

In Estonia, there has been done significant amount of research on time-stamping that can be seen as approximating bulletin boards. However, time-stamping provides usually a single server that is a single point of failure. A better approach in applications like e-voting is to use multi-party computation, guaranteeing byzantine fault tolerance; i.e., fault tolerance given that a large portion of servers is online and non-malicious at any given moment.

A student is expected to make a survey of some relevant papers (see [1] and papers referred there / referring to it) that states clearly the objectives of byzantine fault tolerance, describes some of the best protocols for it, and performs efficiency analysis.

[1] Castro, Liskov. Practical Byzantine Fault Tolerance and Proactive Recovery, 2002

B.Sc., M.Sc. or Ph.D. level

**Incoercible e-voting**

Most cryptographic protocols are supposed to provide privacy and correctness. On top of it, an e-voting protocol also has to be incoercible. Intuitively, this means that nobody should be able to coerce voters into voting against this will. While this sounds intuitive, achieving incoercibility in the real world is complicated by many issues; in particular, since it collides with another desired property (verifiability). Achieving both without cheating (e.g., giving voters secure hardware) is impossible [1]. Moreover, it has also been difficult to formalize incoercibility in a way that would result in some realistic properties; there have been several attempts, the most recent one being [2]. On the other hand, while the formalization of [2] is interesting, the resulting protocol assumes too much from the trusted hardware, and also seems to be quite inefficient.

A student is expected to make a survey mostly about [2], surveying the definition of incoercibility and the proposed e-voting protocol. On top of it, the student ought to read more papers on incoercibility and describe alternative protocols.

[1] Chevallier-Mames, Fouque, Pointcheval, Stern, Traoré. On Some Incompatible Properties of Voting Schemes, 2006

[2] Alwen, Ostrovsky, Zhou, Zikas. Incoercible Multi-party Computation and Universally Composable Receipt-Free Voting. Crypto 2015

B.Sc., M.Sc. or Ph.D. level

*Assigned to Sergio Andrés Figueroa Santos*

**Efficient Shuffle Arguments**

Intuitively, a mix-net consists of sequential mix-servers. Each mix-server obtains a list of ciphertexts, shuffles them randomly, rerandomizes, and sends the result to the next mix-server. A typical application of a mix-net is e-voting, where each voter sends an encrypted ballot to the mix-net, and the output is equal to encryptions of the same-ballots but in a random order.

If at least one mix-server is honest, then this guarantees "location privacy" in the sense that one cannot create a link between any output ciphertext and the corresponding input ciphertext. To achieve correctness,each mix-server also construct a zero-knowledge shuffle argument (ZKSA). If the ZKSA verifies, then it is guaranteed that this mix-server performed correctly, without violating privacy. This means, that any mix-server who operates incorrectly (e.g., tries to change the encrypted ballots), is caught.

There are many efficient shuffle arguments. The student is expected to compare some of the most efficient ZKSAs: this includes writing down the intuitive explanation of how those arguments work, concrete arguments, explaining security proofs, and also efficiency analysis. Lipmaa is a site leader of a large EU project on mix-nets; and is especially interested in students working on this topic. Some example ZKSAs are listed below:

[1] Groth. A Verifiable Securet Shuffle of Homomorphic Encryptions. 2010

[2] Furukawa. Efficient and Verifiable Shuffling and Shuffle Decryption. 2005

[3] Terelius, Wikström. Proofs of Restricted Shuffles. 2010; More efficient version commerically available as "Verificatum" (http://www.verificatum.org/)

Other references are available.

B.Sc., M.Sc. or Ph.D. level

*Assigned to Janno Siim*

### Supervised by Benson Muite

**Password cracking**

Parallel computers are used for password cracking. Write an introductory survey of their use and determine the state of the art in the area. In particular, determine what types of methods are currently breakable. Alternatively, give a detailed overview of a recent paper in this area.

B.Sc. or M.Sc. level

**Security on shared resources**

Many people send unencrypted email and use unencrypted social networking sites because of poor user interfaces. Encryption tools exist, but seem not to be offered in free services. If one operates or has access to data from several large service providers, it is possible to aggregate a significant amount of information that could be used for financial gain -- the competitive free market system is based on secrets, whereas a managed market system could operate without secrets. Make suggestions for how to create simple user friendly encryption interfaces and estimate the level of adoption that would be required to allow for privacy preserving communication.

B.Sc. or M.Sc. level

### Supervised by Arnis Parsovs

**Password-based encryption in ZIP files**

PDF and ZIP software provides off-the-shelf solution for password protecting sensitive content. The task for this project is to study how password-based encryption is implemented in ZIP and PDF file formats. The student is expected to implement proof-of-concept password cracker and study already available password crackers and provide some numbers of password cracking performance on modern hardware.

B.Sc. or M.Sc. level

*Assigned to Dmitri Gabbasov*

**Password-based encryption in PDF files**

*Assigned to Yauhen Yakimenka*

### Supervised by Pille Pullonen

**The Simplest Protocol for Oblivious Transfer**

Diffie-Hellman key exchange is a very well known protocol where two parties can agree on a joint secret key. However, this paper twists this idea to obtain a protocol for oblivious transfer. In addition to theoretical results they also propose an implementation of this protocol using elliptic curves.

The work of the student is to understand the protocol and describe the concrete advancements with respect to previous oblivious transfer protocols. Especially, to compare the security properties and efficiency to Bellare-Micali and Naor-Pinkas oblivious transfer. If possible, also the complexity of implementing the protocols should be summarized.

Based on the paper by Tung Chou and Claudio Orlandi, available at: https://eprint.iacr.org/2015/267, LATINCRYPT 2015

M.Sc. or Ph.D. level

*Assigned to Sander Siim*

**Literature overview about active security in garbled circuits**

There are many ideas that have been considered for ensuring the security of garbled circuits. Current main ideas are the cut and choose technique (Lindell & Pinkas 2007) and the LEGO protocol family (Nielsen and Orlandi 2009). I can provide more references, but not an exhaustive list.

The students work is to provide a literature overview of the different branches of work in this area. Especially, to collect all relevant references and their main ideas and security guarantees. The report should also include approaches that have been later shown to be faulty together with a summary of their problems.

M.Sc. or Ph.D. level

*Assigned to Cesar Pereida*

### Supervised by Vitaly Skachek

**Computing functions in the network**

The following network communications scenario is studied: source nodes generate random messages, and a receiver node computes a target function. The goal is to maximize “computing capacity”, i.e. the average number of times the function can be computed per network usage. The min-cut in the graph (with respect to the network computing problem) plays a pivotal role in analyzing the computing capacity. The min-cut is an upper bound on the maximum achievable rate and it is a tight bound for computing any target function in multi-edge tree networks.

The student has to read the paper, to write a report and to make a presentation at the seminar. The topic can be extended to a Master's thesis topic.

The topic is based on the following paper: R. Appuswamy, M. Franceschetti, N. Karamchandani, and K. Zeger, "Network Coding for Computing: Cut-Set Bounds",
*IEEE Transactions on Information Theory*,
vol. 57, no. 2, pp. 1015-1030, February 2011.

M.Sc. or Ph.D. level

### Supervised by Vitaly Skachek and Helger Lipmaa

**Information-theoretic PIR with Low Storage Overhead**

Private information retrieval (PIR) protocols are used to read a data item from a database without leaking any information about what item was read. It turns out to be possible to perform information-theoretic PIR by using coding, when the storage overhead is essentially optimal, without sacrificing any communication complexity. Thus, well-known k-server PIR protocols can be efficiently emulated, while preserving both privacy and communication complexity but significantly reducing the storage overhead. In this project the student will have to read the paper, to write a report and to make a presentation in the class.

Based on: Arman Fazeli, Alexander Vardy, and Eitan Yaakobi, "PIR with Low Storage Overhead: Coding instead of Replication", available at http://arxiv.org/abs/1505.06241.

M.Sc. or Ph.D. level

*Assigned to Ehsan Ebrahimi*

### Supervised by Gelo Noel Tabia

**Quantum key distribution as a tool in cryptography**

Quantum key distribution (QKD) describes a set of protocols for establishing a secret key using a quantum channel and an authenticated classical channel. In general, secret keys are used as part of some larger cryptographic system. It is therefore, important to analyze how QKD can be integrated properly in security infrastructures.

The goal of this project is to review the practical use of QKD in secure communications, namely in key renewal schemes for symmetric encryption over point-to-point links and key agreement over a network of users. The student may also choose any other topic of interest relating to QKD.

[1] R. Alleaume, et al., “Using quantum key distribution for cryptographic purposes: a survey”, Theor. Comput. Sci., 560 (2014) 62-81. Available at http://arxiv.org/abs/quant-ph/0701168.

BSc or MSc level

**Quantum error-correcting codes**

Error correction describes a method for reliably transmitting information over a noisy channel, typically achieved by encoding some redundancy in messages. Error correction becomes a necessary tool in quantum information processing because quantum states are very susceptible to unwanted interactions with the environment that lead to information loss.

Quantum error correction was believed to be a difficult task because (i) quantum states cannot be arbitrarily copied, and (ii) measurements disturb a quantum, so checking for errors becomes a bit problematic. As it turned out, neither issue is a major obstacle for developing codes that can correct quantum errors.

The goal of this project is to review the basic principles behind quantum error correction and describe some simple quantum codes constructed using a framework called the stabilizer formalism.

[1] D. Gottesman, “An Introduction to Quantum Error Correction”, http://arxiv.org/abs/quant-ph/0004072

[2] D. Bacon, “Introduction to quantum error correction” in Quantum Error Correction, ed. D. A. Lidar and T. A. Brun (Cambridge University Press, 2013) pp. 46-77.

[3] M. Nielsen, I Chuang, “Quantum error-correction” in Quantum Computation and Quantum Information (Cambridge University Press, 2000) pp. 425-472.

Additional material related to quatum error correction is available here (see the last four chapters in the lecture notes): http://courses.cs.washington.edu/courses/cse599d/06wi/

MSc or PhD level. Some linear algebra background is recommended.

### Supervised by Ahto Truu (Guardtime)

**Comparison of Quantum-Proof Anonymous Key Exchange Protocols**

Diffie–Hellman key exchange is a protocol for two parties to establish a shared secret so that an eavesdropper observing their communications will not be able to learn the secret. A modern problem with this classic protocol is that it is not quantum-proof (an eavesdropper with access to a quantum computer would be able to break the protocol and learn the shared secret) and a number of alternatives have been proposed. The task is to review the major ones (RLWE, SIDH), as well as the use of quantum-proof asymmetric encryption schemes (NTRU, McEliese), and optionally others, to compare their security properties and implementation efficiency.

RLWE: http://research.microsoft.com/en-US/about/papers/post-quantum-key-exchange.pdf

SIDH: https://en.wikipedia.org/wiki/Supersingular_Isogeny_Key_Exchange

NTRU: https://en.wikipedia.org/wiki/NTRUEncrypt

McEliese: https://en.wikipedia.org/wiki/McEliece_cryptosystem

B.Sc. or M.Sc. level

*Assigned to Annabell Kuldmaa*

### Supervised by Jan Willemson and Sven Heiberg (STACC/Cybernetica/COE)

**Integer factoring using FPGAs**

Integer factoring is the number theoretic problem behind the security of RSA, the most commonly used public key cryptosystem today. It has been estimated that breaking a 1024-bit RSA modulus using general-purpose computers costs in the order of magnitude $33M, see the report https://www.ria.ee/public/RIA/Kruptograafiliste_algoritmide_uuring_2015.pdf. The report also mentions that this estimate may be lowered if special-purpose hardware (say, FPGAs) is used, but it is not known by how much. Your job is to find this out.

If you are really good in FPGA design, you will be warmly welcome to try to actually implement some smaller instance, but this is not an absolute requirement. You can also work with available literature, figuring out what operations are exactly needed and how costly they are.

M.Sc. or Ph.D. level

### Supervised by Dominique Unruh

**Formal Certification of Code-Based Cryptographic Proofs**

Cryptographic proofs are, by nature, very error-prone. Human-checked proofs will often contain errors and are thus not trustworthy. The present paper presents an approach for machine-verification of cryptographic schemes. The task is to summarize the content of the paper in an accessible form to a general CS audience. (Additional tasks for more credits are possible, too.)

http://dl.acm.org/citation.cfm?doid=1480881.1480894

M.Sc. or Ph.D. level

**Zero-knowledge against quantum attacks**

"Zero-knowledge proofs" are a highly important tool in modern cryptography. However, when faced with quantum adversaries, existing proof techniques break down. The paper describes methods how to salvage zero-knowledge proofs in a quantum setting. The task is to summarize the idea of zero-knowledge, the classical way of solving it, the problems arising in the quantum setting, and the solutions thereto, in a way accessible to a general CS audience. (Extra tasks for extra credits are possible.)

http://arxiv.org/abs/quant-ph/0511020

M.Sc. or Ph.D. level

**Quantum proofs of knowledge**

"Proofs of knowledge" are a highly important tool in modern cryptography. However, when faced with quantum adversaries, existing proof techniques break down. The paper describes methods how to salvage proofs of knowledge in a quantum setting. The task is to summarize the idea of proofs of knowledge, the classical way of solving it, the problems arising in the quantum setting, and the solutions thereto, in a way accessible to a general CS audience. (Extra tasks for extra credits are possible.)

http://eprint.iacr.org/2010/212.pdf

M.Sc. or Ph.D. level

**Protocol verification with Proverif**

The Proverif tool (http://prosecco.gforge.inria.fr/personal/bblanche/proverif/) is a popular tool for verifying the security of protocols. One inputs a protocol specification, and it automatically checks the security. The goal in the seminar project is to explain how Proverif is used (e.g., as a tutorial, based on examples), and how it works internally when verifying a protocol. (Extra tasks for extra credits are possible.)

M.Sc. level

*Assigned to Suela Kodra*