Internships

Open Calls

This page lists the internship projects currently available in the Center for Cybersecurity of Fondazione Bruno Kessler (FBK). Please note that these are curricular internship projects (which do not include financial compensation) intended specifically for bachelor’s and master’s university students, and not employment contracts. Please refer to jobs.fbk.eu/ for job offers and open positions.

Procedure

  1. Application: submit your application for the internship project you are interested in using the designated online form and providing the required information. Make sure to apply before the specified deadline. You are advised not to apply to more than two projects at the same time.
  2. Selection: project supervisors will review the applications and choose the most suitable candidate. If needed, they may request an oral interview during the selection process. Each project is evaluated independently.
  3. Results: once the selection process is complete, all applicants (both selected and not selected) will be notified of the outcome for the specific project.

For general inquiries, you can email internships-cs@fbk.eu. If you have specific questions about a project, please reach out to the project supervisor directly.

Please note that applications sent via email will not be considered.

Projects are listed starting with those that have the earliest submission deadlines.

Trusted Execution Environments for Cryptographic Access Control ALEPH

ID: p-2025-aleph-3

Published on: Tuesday, 4 November 2025

Deadline for Applications: Wednesday, 31 December 2025 at 23:59

Description:

The possibility (and convenience) of storing and sharing data through the cloud raises a set of data security concerns, such as the presence of external attackers, malicious insiders, and honest-but-curious cloud providers. Cryptographic Access Control (CAC) addresses these concerns but presents practical limitations, primarily due to the computational overhead of key management and user revocation. Stemming from a collaboration between the Center for Cybersecurity (CS) of FBK and the Ca' Foscari University of Venice (UniVE), a recently published article [1] proposes an abstract methodology to integrate Trusted Execution Environments (TEEs) with CAC and relieve such overhead. In this context, applicants would collaborate on extending the work in [1] by choosing one or more of the following activities:

  1. review the methodology in [1] and investigate its security. This activity may include the use of formal methods;
  2. implement and experimentally evaluate the performance of the methodology. This activity may include coding, interfacing with TEEs, and integration with tools implementing CAC such as CryptoAC [2].
This project provides the opportunity to acquire the fundamentals of scientific research, investigate and explore cutting-edge and relevant research topics, and engage in software engineering and development while allowing applicants to design, propose, and implement their own ideas.

Type: Internship + Thesis

Levels: BSc, MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Matteo Busi

Prerequisites:

  • Basic understanding of cybersecurity principles.
  • Basic knowledge of programming and applied cryptography.
  • Knowledge of trusted execution environments and formal methods may be advantageous.

Objectives:

  • Familiarization with and study of the context (i.e., cryptographic access control, trusted execution environments).
  • Investigation of possible extensions to the solution proposed in [1].
  • Implementation and evaluation of the chosen extensions.

Topics: Access Control, Applied Cryptography, Trusted Execution Environments

References:

  • [1] Work-in-Progress: Optimizing Performance of User Revocation in Cryptographic Access Control with Trusted Execution Environments
  • [2] CryptoAC

Formalizing a Trust-based Key Management System ALEPH

ID: p-2025-aleph-5

Published on: Tuesday, 18 November 2025

Deadline for Applications: Wednesday, 31 December 2025 at 23:59

Description:

A recent paper presented at SACMAT 2025 [1] introduces a methodology for mediating access to cloud-hosted data using trust predicates that determine whether access control should be enforced cryptographically or delegated to trusted (centralized) infrastructure to reduce computational cost. This project aims to provide a mathematical foundation for that methodology and apply it to the more generic lifecycle of cryptographic keys. The objective is to design and analyze a predicate-driven key management system that determines when to generate, rotate, re-encrypt, or distribute keys according to both traditional best practices (e.g., NIST SP 800-57) and trust predicates. Possible activities include:

  1. familiarization with and study of the context;
  2. formalize key management operations (e.g., generation, rotation, re-encryption, revocation) using suitably designed state-transition rules, then define how trust predicates influence such operations;
  3. identify invariants on state-transition rules that guarantee safe key management;
  4. introduce a cost function for expensive operations (e.g., rotation, re-encryption) and formulate an optimization problem to balance security and computational cost and find the optimal trade-off;
  5. verify the predicate-driven key management system with formal tools (e.g., ProVerif, Tamarin, Coq, or an SMT solver);
  6. implement the aforementioned predicate-driven key management system, possibly integrating it with the tool described in [1];
  7. extend the model to support crypto-agility (e.g., algorithm migration with minimal overhead).
This project provides the opportunity to acquire the fundamentals of scientific research and explore cutting-edge and relevant research topics while allowing applicants to design, propose, and implement their own ideas.

Type: Internship + Thesis

Level: MSc

Supervisor: Stefano Berlato (sberlato@fbk.eu)

Prerequisites:

  • Background in mathematics and cryptography.
  • Familiarity with logic, formal methods, and optimization techniques.
  • Basic knowledge of programming (for modeling or simulation) and knowledge of formal verification tools is useful but not required.

Topics: Formal Methods, Applied Cryptography, Key Management

Notes: The above list comprises all possible activities; actual activities will likely be a subset defined according to interests and time availability.

References:

  • [1] Relying on Trust to Balance Protection and Performance in Cryptographic Access Control

On the Implementation and Evaluation of Contextual Reading Access Control Encryption ALEPH

ID: p-2025-aleph-8

Published on: Monday, 1 December 2025

Deadline for Applications: Wednesday, 31 December 2025 at 23:59

Description:

Access Control Encryption (ACE) [1] enforces both read and write access control directly at the encryption layer. In ACE, all messages are transmitted in encrypted form and mediated by a sanitizer, a component that ensures only policy-compliant ciphertexts are forwarded and removes any subliminal channels, without ever learning the plaintext or the identities of the communicating parties. Contextual Reading ACE (CR-ACE) extends ACE by enabling context-dependent read access to encrypted data. In CR-ACE, decryption succeeds only if both the global access policy and contextual conditions (such as workflow stage, location, or emergency status) are satisfied. The underlying construction combines ACE with an Attribute-Based Key Encapsulation Mechanism (ABKEM) and a Data Encapsulation Mechanism (DEM). This project aims to implement and experimentally evaluate a first prototype of CR-ACE, focusing on the public-context scenario, i.e., when contextual attributes are non-sensitive and can be attached in clear to sanitized ciphertexts. Possible activities include:

  1. study of the CR-ACE model and its formal security guarantees;
  2. assessment of whether the disjunction of equalities policy is sufficient to express access control (potentially with context) for realistic, small-scale scenarios, providing a qualitative analysis;
  3. implementation of a proof-of-concept prototype of CR-ACE based on the strengthened ACE construction by Badertscher et al. [2] (e.g., implementations for ElGamal, zero-knowledge proof systems, and digital signatures);
  4. development of minimal case studies illustrating CR-ACE's contextual policies (e.g., workflow-stage in supply chain scenarios);
  5. evaluation of the real-world applicability and scalability of CR-ACE through quantitative performance analysis, overhead measurements, and potential optimizations.
The above list comprises all possible activities; actual activities will likely be a subset defined according to interests and time availability. Please see the "Additional Information" below.

Type: Internship + Thesis

Level: MSc

Supervisors: Roberta Cimorelli Belfiore, Stefano Berlato (sberlato@fbk.eu)

Prerequisites:

  • Basic knowledge of applied cryptography and use of cryptographic libraries.
  • Experience with programming (preferably Rust and Go, otherwise Kotlin/Java and C/C++).
  • Familiarity with access control concepts.

Topics: Applied Cryptography, Access Control Encryption

Notes:

Additional Information: The project encourages exploration of original research directions beyond implementation, allowing candidates the opportunity to contribute with novel insights (e.g., on side-channel resistance, post-quantum adaptations, or other emerging aspects). Should the work produce results suitable for publication, candidates will naturally be involved according to their contribution.

Possible project phases:
  1. study phase: understand ACE [1], CR-ACE, and the strengthened security model by Badertscher et al. [2];
  2. core implementation: develop the ACE prototype (sPKE + ACE logic) and integrate ABKEM/DEM for contextual policies;
  3. experimental evaluation: implement a minimal case study and evaluate correctness, sanitization effectiveness, decryption time, and ciphertext size;
  4. extension (if time permits): support for more complex policies, and additional case studies.
The ACE construction by Badertscher et al. [2] is built on the following cryptographic components:
  1. Enhanced Sanitizable Public-Key Encryption (sPKE). Components: ElGamal encryption, NIZK proofs (with extractability and one-time simulation soundness), signature schemes, pseudorandom functions (PRF). Required libraries: implementations for ElGamal, zero-knowledge proof systems, and digital signatures;
  2. ACE Layer. Additional components: role management, policy enforcement, modification detection algorithm (DMod). Integration: combining sPKE with ACE-specific logic for access control;
  3. CR-ACE Extension. Additional components: ABKEM (Attribute-Based Key Encapsulation Mechanism), DEM (Data Encapsulation Mechanism). Required libraries: attribute-based encryption implementations.

References:

  • [1] Access control encryption: Enforcing information flow with cryptography
  • [2] Strengthening access control encryption