W4261 Introduction to Cryptography: Lecture Summaries

• Lectures 1 (9/6)
  Introduction to class and to modern cryptography; Kerckhoff's principle; some classical ciphers and discussion of their insecurity; intuitive discussion of security and attacks (e.g., what counts as a violation, when does brute force attack work, mentioned that an upper bound on the length of the message is always leaked).
  Readings: Ch.1

• Lecture 2: (9/8)
  Private key encryption: syntax and correctness; discussion and motivation for security definitions; two formal definitions of perfect secrecy; the definitions are equivalent (didn't prove); when is the shift cipher (or the parallel variation of it) perfectly secret.
  Readings: Ch.2

• Lecture 3 (9/13)
  A third equivalent definition of perfect secrecy (defined through a game with an adversary, based on indistinguishability); Define the one time pad scheme and prove its perfect secrecy; problems with the one time pad (some of which are inherent for any perfectly secret scheme), including large key space, only a single message unless we add a persisting state, etc; motivation for the computational approach.

• Lecture 4 (9/15) Prove that for any perfectly secret scheme, |K|>|M|, discussion of security definitions and attack models, discussion of computational approach,concrete vs asymptotic definitions, proof by reduction, necessity of assumption, complexity of cryptographic primitives (informal discussion of relation to P vs NP and Impagliazzo's worlds).
  Problem Set 1 out

• Lecture 5 (9/20)
  Formal definition of computationally secret encryption scheme (indistinguishability against an eavesdropper), security parameter, brute force attack or guessing attack, feasible computation and negligible functions. Motivated pseudorandom generators (PRG) as a tool for encryption, intuition and formal definition of a PRG.
  Readings: Ch. 3.1, 3.2, 3.3, Appendix A, Further Background,

• Lecture 6 (9/22)
  Pseudorandom generators (stream ciphers). Short discussion (without definitions or details) of PRG constructions: theoretical/provable, such as from one-way functions (e.g., factoring-based repeated squaring mod n, outputting the iterated least-significant-bit), and practical/ad-hoc (e.g., RC4, its identified vulnerability and how to overcome it). Proved that if PRG exist, then private key encryption (indistinguishable against eavesdropper) exists, even with a message longer than the key (use a pseudorandom pad: proof by reduction).
  Problem Set 1 Due
  Readings: Ch. 3.4.1

• Lecture 7 (9/27)
  Briefly touched upon variable length PRG and encryption. Defined multiple-message indistinguishability against eavesdropper. The construction we saw last time (using a pseudo-random pad) does not satisfy it. This (insecurity against multiple messages) is inherent for all encryption schemes where the encryption algorithm is deterministic. Can be overcome by adding state. We discussed how to do this in a stateless manner. Came to a probabilistic construction based on a PRG G(r,k) with stronger properties, where the output looks random even when the first argument r is known to the adversary, and even when called multiple times with the same k, as long as the first (known) argument is fresh every time. Started discussion of CPA security.
  Readings: Ch. 3.4-3.5
  Problem Set 2 out

• Lecture 8 (10/4)
  Defined CPA security, noted that it can only be achieved with randomized encryption, and that CPA security implies multiple-message CPA security; we sketched an inefficient CPA secure scheme using a random function (=exponential size description) as a key. This was one (of many) motivations of PRF, which we started to define and discuss.
  Readings: Ch. 3.5-3.6

• Lecture 9 (10/6)
  Definition and discussion of PRF (we also mentioned PRPs); PRFs/block ciphers cannot be used as-is for encryption; proof of security for a CPA secure scheme based on PRF; started discussion of modes of encryption for more efficient constructions (saw randomized counter mode).
  Readings: Ch.3.6

• Lecture 10 (10/11)
  Further discussion of randomized counter mode and its advantages (does not require inverting F, paralleliable, provides a stream cipher); quick summary of what we saw computationally secure encryption; started discussing message authentication codes. Contrast between encryption and authentication (cannot directly use one to achieve the other, secrecy does not provide integrity). Definition of security for MACS (existential unforgeability against adaptive chosen message attacks). PRF as a fixed message MAC is secure (we did not prove). Some failed attempts at constructing arbitrary length MAC via block-by-block techniques.
  Readings: Ch.4.1-4.4

• Lecture 11 (10/13)
  We proved that a PRF is a good fixed message MAC. Showed how to use fixed message MAC to construct an arbitrary message MAC, using block-by-block tagging, where the block includes an index, random message identifier, and message length. Then we saw the more efficient CBC-MAC (with no proof).
  Readings: Ch.4.4-4.5

• Lecture 12 and 13 (10/18-10/20)
  Combining encryption with authentication: encrypt-and-authenticate (not secure), authenticate-then-encrypt (secure in that it maintains CPA secrecy and achieves existential unforgeability against CMA, but it is not secure against a chosen ciphertext attack-- CCA); encrypt-then-authenticate (secure, and even boosts secrecy to be CCA secure, even when starting from just a CPA secure encryption). CRHF: definition, use for authentication (through hash-and-mac), weaker forms of the definition: target CR (=second preimage resistance) and one-wayness (=preimage resistance); birthday attack, hash functions in practice (mentioned insecurity of MD5, vulnerability of SHA1, ongoing SHA-3 competition), Merkle-Damgard transform.
  Readings: Ch.4.9, 4.6

• Lecture 14 (10/25)
  Using CRHF for authentication (very high level overview of NMAC, mentioned HMAC but didn't describe it). Practical construction of PRP (=block ciphers). Overview of substitution-permutation networks and feistel networks, and their use in AES and DES, double-DES, triple-DES, attacks. We did not give full descriptions (let alone proofs) of any of these, just technical and historical overview, principles, and discussion of security and attacks. Started discussion of theoretical construction of pseudorandom objects, and defined one way functions.
  Readings: Ch.5

• Lecture 15 (10/27)
  Overview of theoretical constructions: one-way function (OWF) definition, stated that OWF <==> private key encryption (also <==> PRG <==> PRF <==> MAC and more), possible OWF (or one-way permutation) candidates (subset sum, multiplication of 2 large primes, exponentiation of a generator g modulo a prime p), hard-core bit definition, Goldreich-Levin theorem, PRG from OWP and HCB.
  Readings: Ch.6.1-6.4 (no proofs)

• Lecture 16 (11/1)
  Brief review of number theory and algorithmic facts, including efficient generation of random primes, Zn, Zn*, phi(n), Cyclic groups, arithmetic in these groups, extended Euclid algorithm for gcd and inverse finding in Zn*, the QR(n) subgroup of Zn*, discrete log assumption.
  Readings: Ch.7.1, Appendix B.1

• Midterm (11/3)

• No class, Election Day (11/8)

• Lecture 17 (11/10)
  Intro to public key cryptography. Diffie Hellman Key agreement. Discrete log, computational Diffie-Hellman (CDH), and Decisional Diffie Hellman (DDH) assumptions. DDH assumption false on Zp* but believed to be true on a prime order subgroup QRp (when p=2q+1). Security of DH key agreement protocol under DDH. Public key encryption (PKE) vs private key encryption.
  Readings: Ch.9

• Lecture 18(11/15)
  Definition of PKE and its security (indistinguishability), informal discussion of semantic security (equivalent to indistinguishability); these notions imply security against CPA. Noted that perfect security for PKE is not possible, and that the encryption scheme in a PKE has to be probabilistic (with exponentially many possible encryptions for the same message). Showed the El Gamal PKE scheme (secure under DDH assumption). Presented "textbook RSA" and how it is sometimes used for encryption by applying the RSA function on the message + random padding (this is not provably secure).
  Readings: Ch.10.1, 10.2, 10.4, 10.5

• Lecture 19(11/17)
  Factoring assumption, RSA assumption, textbook RSA (a TDP) and its use for secure PKE: padded RSA heuristic, provable construction from any TDP using hard-core-bit (e.g., msb for RSA). Review of number theoretic easy (poly time) problems, and hardness assumptions, very briefly mentioned hardness of square roots modulo a composite and the Rabin TDF and corresponding PKE.
  Readings: Ch.7.2, 10.4, 10.7, 11.2

• Lecture 20(11/22)
  Digital signature schemes: motivation and comparison to symmetric (MAC) setting (linear number of keys, no shared secrets, public verifiability, transferability and non-repudiation). Definition of security (existential unforgeability against CMA). Using fixed-message signatures and CRHF to get arbitrary length message signatures ("hash-and-sign" paradigm). Text-book RSA signatures and their insecurity (two attacks). Hashed RSA signature ("full domain hash"), stated its security in the random oracle model (discussion of the random oracle model heuristic).
  Readings: Ch.12.1-.4, 13.1

• Thanksgiving (11/24)

• Lecture 21 (11/29)
  Lamport's one time signature schemes for l bit messages, plus proof of (one-time) security. Discussed (without showing) general construction of secure signature schemes. Interactive proof systems and zero knowledge: discussed informally, and showed a protocol for proving to a color blind person that two cards have different colors, as well as proving to an efficient verifier that two graphs are not isomorphic (GNI problem, with an unbounded prover). Both are honest-verifier-zero-knowledge.

• Lecture 22 (12/01)
  ZK interactive proof systems: definitions, and examples of graph isomorphism, and of square root mod N. The latter is not just a ZK proof, but a ZK proof of knowledge (we did not define this formally).

Back to Course Main Page