Read and follow Alan Sherman's "Some advice on writing technical reports."
Your project must be original. Surveys are not acceptable. Reviews are discouraged unless they contain significant original critical content.
You are welcome to, encouraged to, but not required to use computational tools in your work.
It is acceptable if you are unable to solve your original problem. In this case, document your findings and partial work, and try to solve a simple special case of your problem.
Most successful work is highly focused.
Pick a thesis that interests you greatly. Be sure you have a thesis (topic + attitude) and not just a topic. A good place to start is to read selected research papers from a conference that interests you (e.g. Crypto 98, ACM Conference on Computer and Communications Security, Fast Software Encryption, USENIX, IEEE [Oakland] Conference on Privacy and Security).
Some generic suggestions include: (1) automatic cryptanalysis of some hand cipher, (2) application of cryptography to some modern focused problem (e.g. micropayments in electronic commerce), (3) extension of a research paper, (4) creation of a learning module for this course, and (5) analysis of a submission for the AES.
There is no page limit. I suggest about 10 pages. Less than five leaves little room to develop an idea, and I don't want to read much more than 10 pages unless the report is extremely good. The length should be appropriate for what you have to say.
Be sure your report is complete as a document and includes an informative abstract. See my guidelines for writing a technical report.
Hand in your report on plain white 8.5 x 11 inch paper with no covers and with one staple in the upper left corner. If you include any appendices, do not staple them to the body of the report; hand them in separately.
If you do any computer work, please hand in a documented listing of all source code you wrote as an appendix.