Sedat Akleylek
sedat.akleylek@ut.ee
The projects are suitable for all degrees (BSc, MSc, PhD)
A Comparison of Post-Quantum Symmetric-based Signature Schemes
The task is to understand the symmetric-based signature schemes submitted to NIST Post-Quantum Cryptography Standardization Project. The signature schemes are Picnic, AIMer, Ascon-Sign, FAEST, SPHINCS, SPHINCS-Alpha [1,2, 3]. At least 3 signature schemes are selected for both theoretical and practical comparison. The comparison includes performance analysis (running time, etc.) and the structural similarities/differences.
[2] https://csrc.nist.gov/Projects/pqc-dig-sig/round-2-additional-signatures
[3] https://kpqc.or.kr/competition_02.html
Performance Analysis of Quantum Secure Digital Signature Algorithms in Blockchain
The security of blockchain depends on traditional public key cryptography (elliptic curve algorithms, etc.) and hash functions (SHA-256, etc.); however, the arrival of large-scale quantum computers would make these public-key cryptographic methods susceptible to quantum-based attacks due to Shor’s algorithm. There are several studies to explore the performance of post-quantum signatures for blockchain and/or cryptocurrency systems [1, 2, 3]. The task is to prepare a report on those algorithms and analyze the performances of the lattice-based digital signature schemes, such as Crystal Dilithium, FALCON, and Hawk, in blockchain systems.
[1] https://doi.org/10.1109/COMST.2023.3325761
[2] https://doi.org/10.1007/978-3-031-10507-4_11
A Report on the Host-Based Intrusion Detection-Prevention Systems
A host-based intrusion detection system (HIDS) monitors and analyzes the internal activities of a computer system, including network traffic on its interfaces, similar to a network-based intrusion detection system (NIDS). Unlike NIDS, which focuses on overall network traffic, HIDS specializes in detecting internal threats by tracking host activities. The task is to classify the machine/deep learning methods used in HIDS, give the details about the datasets, define the advantages/disadvantages, and compare them according to the success rate.
Irina Bocharova, Boris Kudryashov
irina.bocharova@ut.ee, boris.kudryashov@ut.ee
Attacks Based on Finding Low-Weight Codewords in a Linear Code
This is a never-outdated topic equally important for communications, cryptology, zero-knowledge, etc. Although the problem is known to be NP-hard, some combinatorial tricks and limitations on codes allow for a crucial reduction in the complexity exponent, and thereby compromise some security protocols.
The seminar presentation can be based on the recent overview: Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., & Santini, P. (2019). A Finite Regime Analysis of Information Set Decoding Algorithms. Algorithms, 12(10), 209. https://doi.org/10.3390/a12100209
Maiara Bollauf
maiara.bollauf@ut.ee
The projects are suitable for MSc and PhD students interested in code and lattice-based cryptography. Desired background includes linear algebra and number theory.
Attacks on the Code Equivalence Problem
The code equivalence problem (CEP) asks to find, if it exists, an isometry between two linear codes. The hardness of this problem is highly dependent on information given by the hull of a code, i.e., the intersection between a code and its dual. The goal of this project is to study a recent attack on the CEP involving simply the coordinate-wise (or Schur) product between such codes. More details at: https://eprint.iacr.org/2025/1017
Heart of Lattice-Based Cryptography
My research interests are mostly focused on the mathematics of lattice-based cryptography and I am open to exploring any problem along this theoretical direction. If this aligns with your interests, please reach out so we can discuss potential topics.
Peeter Laud
peeter.laud@cyber.ee
Learning with Rounding
Learning with Rounding (LWR), introduced at EUROCRYPT 2012 by Banerjee, Peikert and Rosen, is a hardness assumption similar to Learning with Errors (LWE), used in lattice-based cryptography. In LWR, the random error of LWE is replaced with deterministic rounding. This makes the assumption more attractive in settings where one wants to avoid extra randomness or simply have smaller values. A number of encryption schemes based on LWR and its variants (RLWR and MLWR, similar to RLWE and MLWE) have been proposed, some of them may currently be on standards track. Problems reducible to LWR also pop up in other contexts, e.g. in side-channel analysis of implementations of lattice-based cryptography.
The seminar work would be to study the hardness of different variants of LWR, on the basis of a number of papers (starting from the EUROCRYPT 2012 paper named above) that have considered it. We want to build up an understanding of the relation of hardness of LWR/RLWR/MLWR vs. the hardness of LWE/RLWE/MLWE, with different possible distributions of the secret and the error (including reductions among LWR with different parameters). We want to see how the arguments for the hardness of LWE apply to LWR. In particular, we want to obtain that understanding for the parameter ranges that are used in more popular lattice-based cryptographic algorithms.
Slides: here
Sven Laur
swen@ut.ee
Fine-Grained Execution Modelling of Multi-Party Computation Protocols
Your task is to build a simulator that takes in protocol execution logs and determines how much time a protocol or its subsection takes under different network configurations. As a first step you need to parse protocol logs and create a simplified execution model that abstracts away all the computational details and models only message passing. As the second step you should use probabilistic models to estimate message delivery times and determine the complete execution time together with idle time estimation. That is how much time is spent on waiting messages. The simulator should output various graphs that aid cryptographers to design more efficient protocols.
Efficiency and Security of Shuffle Networks
Random shuffle is a functionality that simplifies construction of many multi-party computation protocols. It can be trivially implemented with O(n^2) communication without any deviations. Shuffle networks offer a more communication-efficient alternative -- achieving slightly super-linear communication. However, the problem lies in the correctness -- a naive implementation does not achieve uniform sampling probability for each permutation. The aim of the work is to study existing shuffle networks and to find a good tradeoff between efficiency and security. We could also study if it is possible to generate efficiently an securely the distribution of flip-bits so that the output distribution is closer to uniform distribution.
Arnis Paršovs
arnis.parsovs@ut.ee
Applied Cyber Security Topics
Applied cyber security group offers research seminar supervision on various cyber security-related topics for students who are interested in more applied research that may involve hands-on activities as well. Various hardware can be provided to students for experiments. Students who are doing applied research must still describe the research they have performed in a seminar report and convince the supervisor that the work done is worth 3 ECTS (~78 hours of work).
Students are welcome to contact Arnis Paršovs (arnis.parsovs@ut.ee) with their seminar topic ideas.
Recommended prerequisites: Applied Cryptography (MTAT.07.017) / Web Security (LTAT.04.018)
Level:BSc, MSc or PhD
Pille Pullonen-Raudvere
pille.pullonen-raudvere@cyber.ee
Super-Rushing Adversaries and Security Against Them
This topic is based on a CRYPTO 2025 paper, an extended version is available here: https://eprint.iacr.org/2025/1394.pdf The goal is to understand the security notion of super-rushing adversaries proposed in this paper. The task is to prepare a report and presentation about the security notion and how it differs from previous notions such as rushing adversaries. Also, discuss why some secure multi-party computation protocols are naturally resilient against such adversaries.
Secure Computation Functionalities from Function Secret Sharing
Function secret sharing is a method for securely sharing a function so that two parties can later evaluate this function and learn additively secret shared results. In theory the notion applies to all functions but in practice reasonable constructions are known for distributed point functions and distributed comparison functions. The goal of this project is to study how these functions are used to support various other operations such as machine learning activation functions like ReLu or sigmoid.
The main sources for this work are https://eprint.iacr.org/2020/1392 and https://eprint.iacr.org/2019/1095
I am also open to supervising other secure multi-party computation related topics.
Janno Siim
janno.siim@ut.ee
Witness Encryption
Witness encryption is a generalization of the public key cryptosystem, where the secret key is a solution to some arbitrary cryptographic puzzle. The encryptor of the message knows the puzzle, but not necessarily the solution. The decryptor can decrypt only if it knows the solution to a puzzle. This unlocks various interesting applications, e.g., only a person who is at least 18 years old can decrypt the ciphertext, or only a person with a solution to the NY Times crossword puzzle can decrypt the ciphertext, where the message might offer some reward (key to a cryptocurrency wallet).
Efficient and general witness encryption is still an open problem. The student’s task is to write a high-level overview of witness encryption, its applications, and some intuition about the current constructions. The report does not have to be overly technical. A starting point can be the initial paper that proposed witness encryption: https://eprint.iacr.org/2013/258
Level: master’s or PhD
Fully Homomorphic Encryption For Dummies
Fully homomorphic encryption (FHE) is a recent revolutionary tool in cryptography that allows computation on encrypted data. In short, given a ciphertext Enc(m) that encrypts a message m, it is possible to compute Enc(f(m)), where f can be an arbitrary computation. At no point in the computation is it necessary to decrypt. The party with the secret key can later recover f(m) from Enc(f(m)). This allows outsourcing expensive computations to a server without having any worry that private information would leak.
The goal of the project is to produce study material for students, which would contain the most minimalistic and simple construction of FHE, while still being educational. The integer-based FHE scheme in https://eprint.iacr.org/2009/616 seems to be a good target.
Level: can be adjusted to any level
Dominique Unruh
dominique.unruh@ut.ee
The Quantum Random Oracle
Random oracles are a proof technique in cryptography that idealizes hash functions. Basically, instead of dealing with the messy details of how a specific hash function works, we simply assume that it is a completely random function. This technique makes a lot of cryptographic proofs a lot simpler. (But it is a heuristic.) When it comes to quantum security, things get more complex. Now the adversary can do a query the oracle in a superposition between many values which messes up classical proof techniques.
The task of the seminar is to give an overview how to random oracle works in the quantum setting, and how one can do security proofs in it after all.
Prerequisites: Some crypto course and some quantum course.
Note: In person supervision possible only till Sep 26. Afterwards only remotely.
Jan Willemson
jan.willemson@gmail.com
Pancake Sorting and Other Funny Zero-Knowledge Proofs
Among funny applications of zero-knowledge proofs, one can find, for example, pancake sorting. The idea is, given a sequence of n integers in a random order, to sort them by only prefix reversal operations. This paper (https://link.springer.com/chapter/10.1007/978-3-031-32636-3_13) proposes a protocol where a prover can convince a verifier that they know how to sort this sequence using these restricted operations, without revealing the sorting steps. This and other curious applications of zero-knowledge proofs are among my interests. Contact me for further details.