Please choose one candidate that you prefer.

### Course Project Candidate #1: Advanced Implementation of AES S-box using Tower Field Architecture

**Objective:**

This project aims to deepen your understanding of abstract algebra with a specific focus on finite field representations and field extensions as they are applied in cryptography. By exploring the practical implementation of the [AES S-box](https://en.wikipedia.org/wiki/Rijndael_S-box) using the Tower Field architecture, you will enhance your understanding of the algebraic structures of Galois Fields and their practical application in cryptography.

**Background & Resources:**

The Advanced Encryption Standard (AES) employs an S-box in each round of encryption and decryption, which is critical for introducing non-linearity. This S-box is based on the Galois Field $\mathrm{GF}(2^8)$. The efficient implementation of this S-box is paramount for both software and hardware cryptographic applications. The Tower Field architecture provides a method for implementing the S-box using operations in smaller fields, which can be more efficient in certain contexts.

We have briefly covered the concept of Tower Fields for Computing Inverses in the AES S-box in our lecture (Please refer to the lecture note Lec04_Algebra_FiniteFeild_Practice.ipynb). The section "Application Example: Optimize Implementation of AES S-box" is based on the work in [[Can05a]](https://www.researchgate.net/publication/235155631_A_Very_Compact_Rijndael_S-box). You may find the following resources helpful.

- [Can05a] Canright, David. "A Very Compact Rijndael S-box." Technical Report. NPS-MA-04-001, Naval Postgraduate School, 2004. [Available online](https://www.researchgate.net/publication/235155631_A_Very_Compact_Rijndael_S-box).

- [Can05b] Canright, David. "A very compact S-box for AES." International Workshop on Cryptographic Hardware and Embedded Systems. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005.

- [Wei+23] Wei, Zihao, et al. "Searching the space of tower field implementations of the $\mathbb{F}_{2^8}$ inverter-with applications to AES, Camellia and SM4." International Journal of Information and Computer Security 20.1-2 (2023): 1-26. [Available online](https://github.com/zihaowei/Tower-Field-Implementation/blob/master/authorFinalVersion.pdf).

- [CMT20] Circuit Minimization Team (CMT), http://www.cs.yale.edu/homes/peralta/CircuitStuff/CMT.html, http://www.cs.yale.edu/homes/peralta/CircuitStuff/calc.pdf, http://www.cs.yale.edu/homes/peralta/CircuitStuff/GFengine.cc


**Tasks:**

1. **Theoretical Analysis:**

   - Study and report on the algebra used to get different representations of the [AES finite field](https://en.wikipedia.org/wiki/Finite_field_arithmetic#Rijndael's_(AES)_finite_field) as detailed by [[Can05a]](https://www.researchgate.net/publication/235155631_A_Very_Compact_Rijndael_S-box), with an additional focus on the implementation provided in Appendix A, case #4.

   - Explain the choice of field extensions, irreducible polynomials, and bases used in this specific case, providing a step-by-step derivation of the algebraic construction involved.

2. **Practical Implementation:**

   - Find a different set of field extensions, irreducible polynomials, or bases (you may consider those listed in [[Can05a, Appendix E]](https://www.researchgate.net/publication/235155631_A_Very_Compact_Rijndael_S-box) or [[Wei+23, Appendix Table 8]](https://github.com/zihaowei/Tower-Field-Implementation/blob/master/authorFinalVersion.pdf)).

   - Provide a detailed derivation and corresponding SageMath/Python/C/C++ implementation of the AES S-box using your chosen tower field configuration.

3. **Efficiency Analysis:**

   - Analyze the efficiency of your implementation in comparison to the standard implementation and the one discussed by [[Can05a]](https://www.researchgate.net/publication/235155631_A_Very_Compact_Rijndael_S-box).

**Deliverables:**

- A comprehensive report detailing the theoretical background, the derivation of implementation steps, and efficiency analysis. 

- Complete source code for the AES S-box implementation in C/C++/SageMath/Python, including necessary documentation (e.g., README and Makefile) to compile and run the code.

**Submission Instructions:**

- Submit the report and source code as a single zip file through the course's online learning platform.

**Individual Work:**

- This project is to be completed individually. 


---

### Course Project Candidate #2: Index Calculus Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic

**Objective:**

This project aims to deepen your understanding of number theory and abstract algebra by exploring the practical and theoretical aspects of solving the discrete logarithm problem using the Index Calculus algorithm in finite fields. By engaging with this advanced topic, you will enhance your ability to apply complex mathematical concepts to real-world cryptographic challenges.

**Background & Resources:**

The discrete logarithm problem is a cornerstone of cryptographic security, particularly in systems based on public key cryptosystems. Index calculus algorithms represent a significant class of algorithms for tackling hard number-theoretic problems, applicable not only to finite fields but also to elliptic and hyperelliptic curves. Our course has briefly covered Joux's algorithm for discrete logarithms in small characteristic fields, focusing only on its novel approaches in the first step of the index calculus algorithm (Lec04_Algebra_FiniteFeild_Practice_Index.ipynb). You may find the following resources helpful.

Key resources:

- **[Joux13]** Antoine Joux. "A new index calculus algorithm with complexity L (1/4+ o(1)) in very small characteristic." IACR ePrint Archive, Report 2013/095, 2013. [Access here](https://eprint.iacr.org/2013/095)

- **[BGJT14]** Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, and Emmanuel Thomé. "A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic." Springer Berlin Heidelberg, 2014. [Access here](https://doi.org/10.1007/978-3-642-55220-5_1) and [here](https://eprint.iacr.org/2013/400)

- **[Joux09]** Antoine Joux. "Algorithmic Cryptanalysis." Chapman and Hall/CRC, 2009.

**Tasks:**

1. **Theoretical Analysis:**

   - Conduct a comprehensive study of the algebraic methods used in [[Joux13]](https://eprint.iacr.org/2013/095) (you may only focus on the generation of multiplicative relations among elements within a small smoothness basis.)

   - Delve into the construction and properties of finite fields as applied in the index calculus algorithm, detailing the step-by-step algebraic processes and any optimizations proposed in the literature.

2. **Practical Implementation:**

   - Develop a detailed derivation and implement the initial phase of the index calculus algorithm as described in [[Joux13]](https://eprint.iacr.org/2013/095) using SageMath, Python, or C/C++. Your implementation should closely follow the theoretical framework laid out in your analysis.

   - You can also conduct the theoretical analysis and practical implementation for the second step of the index calculus algorithm [[Joux13, Section 5]](https://eprint.iacr.org/2013/095) and [[BGJT14]](https://eprint.iacr.org/2013/400).

3. **Efficiency Analysis:**

   - Evaluate the computational efficiency of your implementation. Consider metrics such as runtime, memory usage, and scalability.

   - Compare your implementation's performance with theoretical expectations and any available benchmarks.

**Deliverables:**

- A comprehensive report that details the theoretical background, implementation steps, and a critical analysis of the efficiency of your solution. The report should also reflect on the challenges encountered, and the insights gained through the project.

- Complete source code for the algorithm's implementation, including all necessary files (e.g., README, Makefile) to ensure reproducibility and verification.

**Submission Instructions:**

- Submit the report and source code as a single zip file through the course's online learning platform.

**Individual Work:**

- This project is to be completed individually. 

---

### Course Project Candidate #3: Accurate estimates of the data complexity and success probability for various cryptanalyses

**Objective:**

This project aims to deepen your understanding of probability and statistical theories by exploring their applications in evaluating cryptanalysis. By engaging with this topic, you will enhance your ability to use and build statistic tools and models to analyze probabilistic algorithms, providing accurate evaluation on the effectiveness and efficiency of cryptographic attacks.

**Background & Resources:**

Cryptanalysis often relies on statistical analysis of plaintext/ciphertext pairs to extract some information on the key. Developing accurate statistical models to estimate data complexity and success probability is crucial for assessing the efficiency of cryptographic attacks. This project focuses on replicating and applying the methods used in key literature to evaluate the complexity and success probabilities of practical attacks, particularly differential cryptanalysis.

Key resources:

- **[BGT11]** Blondeau, Céline, Benoît Gérard, and Jean-Pierre Tillich. "Accurate estimates of the data complexity and success probability for various cryptanalyses." Designs, codes and cryptography 59.1 (2011): 3-34. [Access here](https://www.rocq.inria.fr/secret/Jean-Pierre.Tillich/publications/DCC.pdf)

- **[Sel08]** Selçuk, Ali Aydın. "On probability of success in linear and differential cryptanalysis." Journal of Cryptology 21 (2008): 131-147. [Access here](https://dx.doi.org/10.1007/s00145-007-9013-7)

- **[Abe+14]** Abed, Farzaneh, et al. "Differential cryptanalysis of round-reduced Simon and Speck." FSE 2014. [Access here](https://link.springer.com/chapter/10.1007/978-3-662-46706-0_27)

**Tasks:**

1. **Theoretical Analysis:**

   - Conduct a detailed examination of the probability and statistical theory used in [[BGT11]](https://www.rocq.inria.fr/secret/Jean-Pierre.Tillich/publications/DCC.pdf), focusing on the methods for estimating data complexity and success probability.

   - Implement Algorithm 1 and replicate the results depicted in Figures 1, 2, 4, and 5 of [[BGT11]](https://www.rocq.inria.fr/secret/Jean-Pierre.Tillich/publications/DCC.pdf) using the equations and theorems provided in the paper. Your implementation can be in C/C++, Python, SageMath, MATLAB, or any suitable statistical tool.

2. **Practical Implementation:**

   - Analyze the data complexity and success probability for the differential attack on the 10-round Speck32/64 as described in [[Abe+14, Section 6.1]](https://link.springer.com/chapter/10.1007/978-3-662-46706-0_27) (but with different thresholds)

     - Consider various values of error probabilities ($\alpha$ and $\beta$), for each pair of $\alpha$ and $\beta$, employ the methods from [[BGT11]](https://www.rocq.inria.fr/secret/Jean-Pierre.Tillich/publications/DCC.pdf) to determine the minimum number of samples and the corresponding relative threshold. 

     - Re-evaluate the attack's complexity and, (optionally) perform experimental attacks to compare theoretical and practical complexities.

     - Generate plots illustrating the relationship between data complexity and the values of $\alpha$ and $\beta$, both theoretically and experimentally (if applicable).

**Deliverables:**

- A comprehensive report that include:

  - A detailed theoretical background and the replication results from [[BGT11]](https://www.rocq.inria.fr/secret/Jean-Pierre.Tillich/publications/DCC.pdf). 

  - A thorough analysis of the complexity and success probability of the differential attack on 10-round Speck32/64 in [[Abe+14, Section 6.1]](https://link.springer.com/chapter/10.1007/978-3-662-46706-0_27).

  - Reflections on the challenges encountered, any discrepancies with theoretical predictions, and insights gained from the project.

- Source code: Complete and well-documented code necessary to verify your analysis and results, including any scripts for generating plots and statistical analysis.

**Submission Instructions:**

- Submit the report and source code as a single zip file through the course's online learning platform.

**Individual Work:**

- This project is to be completed individually. 

---

### Course Project Candidate #4: Custom Topic

If you are interested in a more personalized learning experience, a self-chosen or tailored topic for the course project is also acceptable. 

**A few mental impulses for topic selection**:

- Is there a specific mathematical problem in cryptography that aligns with your current or future work?

- Are there fundamental concepts in Number Theory, Abstract Algebra, or Probability and Statistical Theory related to cryptography that you wish to explore more thoroughly?

- How can your topic contribute to existing knowledge or practices in Cryptology?

**Project Scope**:

- The chosen project should ideally encompass both theoretical analysis and practical experiments within the realm of cryptography or cryptanalysis. This dual approach ensures a comprehensive understanding and demonstrates the practical implications of theoretical concepts.

**Deliverables**:

- Technical Report: A comprehensive report detailing the theoretical background, methodologies, findings, and significance of your research.

- Experimental Implementations: Practical code or simulations that demonstrate the application of your theoretical findings. Include all necessary documentation to ensure reproducibility.

**Guidelines**

- Your topic is well-defined and coordinated with me before you start working on it

- Your intended topic lies within the scope of the course ("Mathematical Foundations of Cryptography")

- I am open to discuss with you in finding and formulating a suitable topic. My

    - Email: zzbao@mail.tsinghua.edu.cn

    - Phone: 15201279013 （微信同号）

    - Room: 西主楼1区404 

**Submission Instructions**:

- Submit all components, including the technical report and any associated code or experimental results, as a single zip file via the course's online learning platform.

**Individual Work:**

- This project is to be completed individually. 