Sedat Akleylek
sedat.akleylek at ut dot ee
The projects are suitable for all degrees (BSc, MSc, PhD).
A Comparison of Post-Quantum Symmetric-based Signature Schemes
The task is to understand the symmetric-based signature schemes submitted to the NIST Post-Quantum Cryptography Standardization Project. The signature schemes are Picnic, AIMer, Ascon-Sign, FAEST, SPHINCS, SPHINCS-Alpha [1,2, 3]. At least 3 signature schemes are selected for both theoretical and practical comparison. The comparison includes performance analysis (running time, etc.) and the structural similarities/differences.
[2] https://csrc.nist.gov/Projects/pqc-dig-sig/round-2-additional-signatures
[3] https://kpqc.or.kr/competition_02.html
A Report on the Shortest Linear Program and Its Variants
Symmetric-key cryptosystems have both diffusion and confusion layers. The Shortest Linear Program (SLP) problem is the number of linear operations necessary to compute a set of linear forms. In this project, the task is to understand and implement circuit minimization algorithms for linear/permutation layers of symmetric-key cryptosystems. [1,2] provide code examples for the Boyar-Peralta algorithm. [3] explains the Boyar-Peralta algorithm. The report presents the basic workflow of the circuit minimization algorithms, their comparison, implementation results on linear layers, and a discussion of them.
[1] https://bitbucket.org/anubhab001/boyar-peralta-xor3/src/master/
[2] https://github.com/thomaspeyrin/XORreduce
[3] https://doi.org/10.1007/s00145-012-9124-7
A Report on the Host-Based Intrusion Detection-Prevention Systems
A host-based intrusion detection system (HIDS) monitors and analyzes the internal activities of a computer system, including network traffic on its interfaces, similar to a network-based intrusion detection system (NIDS). Unlike NIDS, which focuses on overall network traffic, HIDS specializes in detecting internal threats by tracking host activities. The task is to classify the machine/deep learning methods used in HIDS, provide details on the datasets, define the advantages/disadvantages, and compare them based on success rates.
A Survey on Lattice Sieving and Enumeration Algorithms
Lattice-based cryptography has been used to obtain efficient quantum-secure cryptographic primitives. The hardness of the underlying lattice problems, such as the shortest vector problem (SVP) and the closest vector problem (CVP), is evaluated using enumeration and sieving algorithms. In this project, the aim is to present a survey of the state of the art in lattice sieving and enumeration algorithms, with emphasis on time and area complexity. Then, a tool will be implemented for each hard problem to check the security claim.
Maiara Bollauf
maiara.bollauf at ut dot ee
The project is suitable for MSc and PhD students interested in lattice-based security. Desired background includes linear algebra and programming skills.
Physical Layer Security in Practice
Wiretap channel communication is a fundamental model in physical-layer security that leverages information-theoretic principles to guarantee security without imposing any assumptions on the adversary’s computational capabilities. This approach is particularly relevant for 5G communications and beyond. Lattice coding offers a promising approach to secure communication over Gaussian channels, though most existing results remain largely theoretical. This project focuses on implementing a simple lattice coding scheme for low-dimensional lattices to evaluate theoretical lattice constructions in practice. The objective is to experimentally analyze performance and determine the noise conditions under which reliable communication and information-theoretic security can be achieved.
Additionally, are you interested in lattice-based cryptography? Perfect. So do I! If you would like to explore this mathematically rich and quantum-resistant world, get in touch and we will find a suitable topic for you!
Toomas Krips
toomas.krips at ut dot ee
Phases of MPC
In some constructions used for MPC (secure multiparty computation), there are techniques where one computes a moderate-size (think in the order of magnitude of a million nodes) tree where at each node one computes t children of the node by computing some pseudorandom function. Often t=2. GGM trees and function secret sharing are two common examples. These protocols have two phases, and often people look at just the second phase, which is called the evaluation phase. However, to do the first phase, the setup phase, separately from the second phase, one would either need a trusted third party or to compute it over MPC. However, evaluating common PRGs such as AES is very expensive over MPC. We are wondering whether there might be sense in trying a PRG that is defined as PRG(x)=g^x for a fixed g over some ring. In that case one can precompute a lot of values g^{2^i} that might be helpful in the evaluation and plausibly, be faster than computing AES over MPC.
The task of the student would be understanding the problem, doing an implementation of the setups and comparing the different phases. Alternatively, for a more theoretical side, the student could try to understand more deeply whether this approach would be valid security-wise. For a larger project, the student could do both.
Helger Lipmaa
helger.lipmaa at ut dot ee
Machine Learning and Cryptography
It is important to address all aspects of AI security. The current project is for a student who is more precisely interested in the connection between machine learning and cryptography. The supervisor just participated in the winter school on this topic (https://ai4i.it/ias-winter-school-2026/) that featured some of the world’s leading specialists presenting on both the foundations of the field and the latest research results. The student is expected to write a survey on one topic related to the topics presented in this winter school. The concrete topic can be decided in discussion with the supervisor (who has access to all slides and can provide links to the papers). Some example topics: efficient ZKML (proving that model inference is correct), embedding trapdoors in ML models, constructing locality-sensitive hashes, (im)possibility of watermarks in LLMs, using neural networks as a cryptographic machine model.
Audience: mathy MSc student with existing crypto/ML background who might be interested in future research on the topic.
Advanced Topics in zk-SNARKs
The goal of zk-SNARKs is to allow one party (the prover) to prove to the second party (the verifier) that certain computation was done correctly, such that the verifier accepts only correct computation outputs, and importantly, verification is much faster than recomputation. The supervisor is giving the corresponding course in Tartu (https://courses.cs.ut.ee/2025/zk/fall). The student is supposed to write a survey on some of the more advanced topics covered in this course (or beyond its scope). For example, folding schemes, hash-based zk-SNARKs (e.g., FRI), or lattice-based PQ constructions.
Audience: mathy MSc student with existing crypto background who might be interested in future research on the topic.
Roberto Parisella
roberto.parisella at ut dot ee
Advanced Security of Zero-Knowledge Proofs
A zero-knowledge proof is a cryptographic protocol that allows one party (the prover) to convince another party (the verifier) that a statement is true without revealing any additional information beyond the truth of the statement itself. Formally, such protocols satisfy completeness, soundness, and zero-knowledge, meaning that honest proofs are accepted, false statements cannot be convincingly proven (except with negligible probability), and the verifier learns nothing other than validity. Zero-knowledge proofs are fundamental in modern cryptography, enabling privacy-preserving authentication, secure e-voting, and scalable blockchain systems.
Zero-knowledge proofs also play an important role in secure multi-party computation, where multiple parties jointly compute a function over their private inputs without revealing those inputs to one another. In this setting, zero-knowledge techniques are used to ensure that each participant follows the protocol correctly while keeping their data confidential, thereby strengthening both correctness and privacy guarantees. A particularly strong notion in multi-party computation is adaptive security, which informally means that the protocol remains secure even if an adversary decides whom to corrupt during the execution of the protocol, rather than fixing the corrupted parties in advance.
In this project, we investigate the security property required for zero-knowledge proofs, which are used as a primitive in adaptive secure multi-party computation.
The project is suitable for all degrees (BSc, MSc, PhD).
It is desired to be familiar with the topic of reductions.
Arnis Paršovs
arnis.parsovs at ut dot ee
Applied Cyber Security Topics
Applied cyber security group offers research seminar supervision on various cyber security-related topics for students who are interested in more applied research that may involve hands-on activities as well. Various hardware can be provided to students for experiments. Students who are doing applied research must still describe the research they have performed in a seminar report and convince the supervisor that the work done is worth 3 ECTS (~78 hours of work).
Students are welcome to contact Arnis Paršovs (arnis.parsovs@ut.ee) with their seminar topic ideas.
Recommended prerequisites: Applied Cryptography (MTAT.07.017) / Web Security (LTAT.04.018)
Level:BSc, MSc or PhD
Pille Pullonen-Raudvere
pille.pullonen-raudvere at cyber dot ee
Secure Computation Functionalities from Function Secret Sharing
Function secret sharing is a method for securely sharing a function so that two parties can later evaluate this function and learn additively secret shared results. In theory the notion applies to all functions but in practice reasonable constructions are known for distributed point functions and distributed comparison functions. The goal of this project is to study how these functions are used to support various other operations such as machine learning activation functions like ReLu or sigmoid.
The main sources for this work are https://eprint.iacr.org/2020/1392 and https://eprint.iacr.org/2019/1095
I am also open to supervising other secure multi-party computation related topics.
Vitaly Skachek
vitaly.skachek at ut dot ee
Survey on Privacy-Preserving Federated Learning
The past four years have witnessed the rapid development of federated learning (FL). However, new privacy concerns have also emerged during the aggregation of the distributed intermediate results. The emerging privacy-preserving FL (PPFL) has been heralded as a solution to generic privacy-preserving machine learning. However, the challenge of protecting data privacy while maintaining the data utility through machine learning still remains. In this project, we will discuss challenges and existing approaches to the privacy-preserving federated learning.
Based on the survey paper (and other sources): X. Yin, Y. Zhu, J. Hu, "A comprehensive survey of privacy-preserving federated learning: A taxonomy, review, and future directions", ACM Computing Surveys, vol. 54(6).
Private Information Retrieval from MDS Coded Data in Distributed Storage Systems
The problem of providing privacy, in the private information retrieval (PIR) sense, to users requesting data from a distributed storage system (DSS), is considered. The DSS is coded by an (n, k, d) maximum distance separable code to store the data reliably on unreliable storage nodes. Some of these nodes can be spies which report to a third party, such as an oppressive regime, which data is being requested by the user. An information theoretic PIR scheme ensures that a user can satisfy its request while revealing no information on which data is being requested to the nodes. In this project, we will study PIR schemes with low download communication cost.
Based on the paper: R. Tajeddine, O. W. Gnilke, S. El Rouayheb, "Private information retrieval from MDS coded data in distributed storage systems", IEEE Transactions on Information Theory, vol. 64(11), 2018.
Janno Siim
janno.siim at ut dot ee
Fast Subvector Commitments
A commitment scheme is a cryptographic construction that realizes a sealed envelope. In the commitment phase, Alice sends a commitment C (the envelope) containing a message m to Bob. The commitment C will not reveal any information about m. Later, Alice can reveal the message m inside C. In fact, by the properties of the commitment scheme, Alice cannot convince Bob that C opens to any other message m’ != m. There are numerous cryptographic applications that require commitment schemes. Think, for example, of auctions where parties have to keep their bids hidden until the end of the bidding phase. A recent work by a visiting professor Matteo Campanelli proposes a particularly efficient subvector commitment scheme. In this commitment scheme, one commits to a vector and later opens some subset of its positions. The goal of the project is to understand the techniques described in the paper https://eprint.iacr.org/2026/118 and to write a report accessible to a good master's student.
Level: Master’s or PhD.
MPC-in-the-head (joint with Toomas Krips, toomas.krips at ut dot ee)
Zero-knowledge proofs allow proving the validity of statements without leaking any additional information. On the other hand, secure multi-party computation (MPC) enables the calculation of arbitrary functions over the parties' secret data. These two distinct privacy-preserving tools have a surprising connection through the MPC-in-the-head technique. The prover (of the zero-knowledge proof) can simulate the MPC protocol “in its head”, which yields a highly efficient zero-knowledge proof. The MPC-in-the-head technique is one of the most promising approaches for achieving post-quantum secure signature schemes.
The goal of this project is to write a short summary of the basic idea of the MPC-in-the-head approach. The starting point might be the paper https://web.cs.ucla.edu/~rafail/PUBLIC/77.pdf
Level: Master’s or PhD
Fully Homomorphic Encryption For Dummies
Fully homomorphic encryption (FHE) is a recent revolutionary tool in cryptography that allows computation on encrypted data. In short, given a ciphertext Enc(m) that encrypts a message m, it is possible to compute Enc (f(m)), where f can be an arbitrary computation. At no point in the computation is it necessary to decrypt. The party with the secret key can later recover f(m) from Enc (f(m)). This allows outsourcing expensive computations to a server without having any worry that private information would leak. The goal of the project is to produce study material for students, which would contain the most minimalistic and simple construction of FHE, while still being educational. The integer-based FHE scheme in https://eprint.iacr.org/2009/616 seems to be a good target.
Level: can be adjusted to any level.
Nikita Snetkov
nikita.snetkov at cyber dot ee
Exponent-VRF based on Joye-Libert Encryption
Exponent Verifiable Random Function (eVRF) is a special type of verifiable random function, which allows a prover to produce a group element Y together with the proof \pi that Y=yG, where y=F(k,x) for some pseudorandom keyed function F and G is a group's generator. An eVRF could be used as building block for round-efficient multiparty protocols such as distributed key generation, two-party signing and threshold signing.
Currently, there are three main approaches to construct eVRF: 1) using Paillier encryption 2) using Diffie-Hellman construction 3) using Bulletproofs and Learning-with-Rounding assumption. The first approach is the most interesting from research perspective at the moment: theoretically, any additive homomorphic encryption could be used instead of Paillier. The goal of this topic is to construct eVRF based on Joye-Libert (JL) encryption scheme. The motivation of using JL instead of Paillier - potential construction would be smaller in size.
Audience: BSC or MSc level students with some number theory background.
Reading: eVRF - https://eprint.iacr.org/2024/397.pdf , JL encryption - https://eprint.iacr.org/2013/435
Dominique Unruh
unruh at ut dot ee
The Quantum Random Oracle
Random oracles are a proof technique in cryptography that idealizes hash functions. Basically, instead of dealing with the messy details of how a specific hash function works, we simply assume that it is a completely random function. This technique makes a lot of cryptographic proofs a lot simpler. (But it is a heuristic.) When it comes to quantum security, things get more complex. Now the adversary can do a query the oracle in a superposition between many values which messes up classical proof techniques.
The task of the seminar is to give an overview how to random oracle works in the quantum setting, and how one can do security proofs in it after all.
Prerequisites: Some crypto course and some quantum course.
Quantum Security Proofs with qRHL
Security proofs using the computer ("mechanized security proofs") show the security of a crypto protocol using the computer, to make sure there are no mistakes in the proof. One tool for this is qrhl-tool, which specifically targets security against quantum attackers, based on a logic called "quantum relational Hoare logic" (both by Unruh). In this seminar topic, you would present the logic and the tool. A bonus task (for extra credits) might include showing the security of some quantum cryptographic construction (e.g., quantum commitment schemes).
References:
https://dl.acm.org/doi/10.1145/3290346
https://dominique-unruh.github.io/qrhl-tool/
Requirements:
Some background in crypto and in quantum.
Quantum Cryptography Below One-way Functions
In classical cryptography, one-way functions are usually considered to be the weakest possible cryptographic assumption. (A one-way function is, roughly speaking, a function that one cannot invert. It is "obviously" a lot weaker than assuming something powerful such as, e.g., public key encryption.) However, if we consider quantum cryptography, this suddenly doesn't hold anymore. There are a multitude of new assumptions that are weaker (i.e., less powerful but still useful) than one-way functions. The task of this seminar is to explain this phenomenon (and to some extend also identify the relevant papers).
Requirements:
Some background in crypto and in quantum.