W4261 Introduction to Cryptography:
Lectures and Readings
CVN lectures are available here.
- Lectures 1 & 2 9/8 and 9/10
Intro to class and overview, private key encryption, syntax and correctness, some discussion of security requirements (e.g., Kerckhoffs's principle: assume that the attacker knows the details of the algorithm in use), basic attack models (ciphertext only, known plaintext, chosen plaintext, chosen ciphertext), some classical ciphers (atbash, shift, substitution, one-time pad), and attacks (including a discussion of when a brute-force attack works).
Readings: Ch.1, 2
- Lectures 3 & 4 9/15 and 9/17
Discussion and formal definition for perfect secrecy (a couple equivalent variants)
The one-time pad and proof of perfect secrecy
Problems with one-time pad:
- (1) not secure for more than one message (this problem can be overcome if stateful encryption is allowed)
- (2) requires large key material (as long as the message)
These problems are inherent for *any* encryption scheme satisfying perfect secrecy. Specifically:
- we noted (without proof) that problem (1) is inherent to any stateless encryption scheme satisfying perfect secrecy (and actually the problem remains even for computational secrecy - which we'll define next lecture - if the scheme is deterministic)
- problem (2) is inherent to any encryption scheme satisfying perfect secrecy: we proved that any such scheme has a keyspace at least as large as the message space.
So, problem (1) means the definition is "too weak" (we prefer a definition that will retain security for multiple messages, without keeping any state), and problem (2) means the definition is "too strong" (unachievable except with very large key, which we would like to avoid).
We also pointed out that any scheme that avoids problem (2), namely any scheme that has a smaller keyspace than message space, must allow the adversary to learn something about the message either with some (possibly small but non-zero) probability (by guessing the key), or by running for sufficiently long time (exhaustive search). All this motivates the definition of computational security (and also means that the key space must be large).
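As an added example (not part of the course page), the one-time pad over bytes in Python, with checks for the two properties discussed above: a single ciphertext is consistent with every plaintext of the same length (perfect secrecy), while reusing the pad for two messages leaks their XOR, a value that does not depend on the key at all (problem (1)). Function names and sample inputs are my own.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad: key and message must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(n: int) -> bytes:
    """Gen: a uniformly random key as long as the message (problem (2): key material)."""
    return secrets.token_bytes(n)


def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    """Enc_k(m) = k XOR m."""
    return xor_bytes(key, msg)


def otp_decrypt(key: bytes, ct: bytes) -> bytes:
    """Dec_k(c) = k XOR c; correctness follows since (k XOR m) XOR k = m."""
    return xor_bytes(key, ct)


def consistent_keys(ct: bytes, candidates) -> dict:
    """Perfect secrecy, concretely: for one ciphertext, every candidate plaintext of the
    same length is explained by exactly one key, so observing ct rules nothing out.
    Returns a mapping candidate plaintext -> the key that would produce ct from it."""
    return {m: xor_bytes(ct, m) for m in candidates if len(m) == len(ct)}


def two_time_pad_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Problem (1): encrypting two messages under the same pad lets an eavesdropper
    compute c1 XOR c2 = m1 XOR m2, which no longer depends on the key."""
    c1 = otp_encrypt(key, m1)
    c2 = otp_encrypt(key, m2)
    return xor_bytes(c1, c2)


def leak_is_key_independent(m1: bytes, m2: bytes) -> bool:
    """The leaked value is identical under two independent keys: it is a function of the
    messages alone, which is exactly what perfect secrecy forbids an eavesdropper to learn."""
    k1, k2 = otp_keygen(len(m1)), otp_keygen(len(m1))
    return two_time_pad_leak(k1, m1, m2) == two_time_pad_leak(k2, m1, m2) == xor_bytes(m1, m2)


if __name__ == "__main__":
    key = otp_keygen(5)
    ct = otp_encrypt(key, b"hello")
    print("round trip ok:", otp_decrypt(key, ct) == b"hello")
    # Every same-length plaintext is equally plausible given ct alone.
    print("keys explaining ct:", consistent_keys(ct, [b"hello", b"world"]))
    print("two-time pad leaks m1 XOR m2:", leak_is_key_independent(b"hello", b"world"))
```

The `consistent_keys` check is the single-message guarantee; `leak_is_key_independent` is the reason the guarantee evaporates on the second message, which is why a stateless perfectly secret scheme cannot be reused.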
Readings: Ch. 2
Problem Set 1 out
- Lecture 5 9/22
Introduction to computational security
Definition of perfect secrecy in terms of indistinguishability for any adversary
Relaxation of this to (t,epsilon) security
Towards asymptotic definition: (t,epsilon) security for "feasible" t and "negligible" epsilon.
Brief overview of algorithms notation (running time, randomized algorithms, feasible algorithms = polynomial time)
Readings: Ch. 3.1, 3.2, 3.1.2, Appendix A, Further Background
- Lectures 6 & 7 9/27 and 9/29
Complete algorithms overview (negligible functions, etc).
Definition of private key encryption in the computational setting: defining computational secrecy (indistinguishability against eavesdropper).
Pseudorandom generators, stream ciphers: motivation and definition. Briefly discussed constructions of PRG (some assumption is needed unless we can prove P not equal to NP. Ad hoc constructions such as RC4, and constructions from one-way functions - which we haven't defined yet).
Using PRG for secure encryption (with messages much longer than key) -- proof of security of construction (indistinguishability against eavesdropper, single message) from a secure PRG (proof by reduction).
For all definitions we gave both concrete and asymptotic versions.
Notes about differences with book: we have not introduced (at least for now) the definition and notation the book uses (e.g. Def 3.8). Instead we use an indistinguishability based definition (similar to Def 3.9 in the book). We also often provide concrete (t,epsilon)-security definitions in addition to the asymptotic based ones.
Readings: Ch. 3.1.3, 3.3, 3.4
- Lectures 8, 9 & 10 10/1, 10/6 and 10/8
Introduction to computational security.
Assuming the existence of PRG we can provide secure encryption against an eavesdropper (ciphertext only attack). Defined security for multiple-messages, and showed that the scheme we saw is not secure for multiple messages.
Theorem: no scheme with deterministic encryption is secure for multiple messages (proof left as exercise).
Defined security against chosen-plaintext attack (CPA). CPA-security (for one message) automatically implies CPA-security for multiple messages (we did not prove this). Defined PRF (with discussion of PRP and strong PRP). Showed how to use PRF for CPA-secure encryption.
Readings: Ch. 3.5, 3.6
- Lecture 11 10/13
Completed proof of CPA security for the PRF-based private key encryption we saw, which is a fixed-length encryption. Discussed variable-length encryption and modes of operation, including: straightforward application of block-by-block encryption, ECB mode, (randomized) counter mode, and CBC. These (and other) modes of encryption rely on PRF or PRP or strong PRP (which we formally defined today).
Readings: Complete through Ch. 3 with exception of 3.7
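An added example (my code, not the course's) covering both the multi-message discussion of Lectures 8-10 and the modes of Lecture 11: a deterministic one-block scheme that fails for multiple messages, the PRF-based fixed-length scheme (r, F_k(r) XOR m), and randomized counter mode for arbitrary-length messages. The PRF F_k is instantiated here as HMAC-SHA256 truncated to 16 bytes, which is an assumption standing in for the abstract PRF of the lectures; all names are mine.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # assumed PRF block length in bytes (128 bits, as for AES)


def prf(key: bytes, x: bytes) -> bytes:
    """F_k(x): a stand-in PRF for this example, HMAC-SHA256 truncated to one block.
    The lectures treat F as an abstract secure PRF; this concrete choice is an assumption."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR of two byte strings, truncated to the shorter one (handles a partial last block)."""
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(key: bytes, m: bytes) -> bytes:
    """Deterministic one-block scheme: c = F_k(0^n) XOR m. Fine against a single
    eavesdropped message, but equal plaintexts give equal ciphertexts."""
    assert len(m) == BLOCK
    return xor(prf(key, bytes(BLOCK)), m)


def enc_fixed(key: bytes, m: bytes) -> bytes:
    """The PRF-based CPA-secure fixed-length scheme: c = (r, F_k(r) XOR m) for random r."""
    assert len(m) == BLOCK
    r = secrets.token_bytes(BLOCK)
    return r + xor(prf(key, r), m)


def dec_fixed(key: bytes, c: bytes) -> bytes:
    r, body = c[:BLOCK], c[BLOCK:]
    return xor(prf(key, r), body)


def _ctr_keystream_apply(key: bytes, ctr: int, data: bytes) -> bytes:
    """XOR data block by block with F_k(ctr+1), F_k(ctr+2), ...; same in both directions."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = ((ctr + 1 + i // BLOCK) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out += xor(prf(key, counter_block), data[i:i + BLOCK])
    return bytes(out)


def enc_ctr(key: bytes, m: bytes) -> bytes:
    """Randomized counter mode for arbitrary-length m: choose a random starting counter,
    send it in the clear, and mask block i with F_k(ctr + i)."""
    ctr = int.from_bytes(secrets.token_bytes(BLOCK), "big")
    return ctr.to_bytes(BLOCK, "big") + _ctr_keystream_apply(key, ctr, m)


def dec_ctr(key: bytes, c: bytes) -> bytes:
    ctr = int.from_bytes(c[:BLOCK], "big")
    return _ctr_keystream_apply(key, ctr, c[BLOCK:])


def repeats_on_equal_messages(enc, key: bytes, trials: int = 8) -> bool:
    """The multi-message eavesdropper test, run concretely: encrypt the same message
    several times and report whether any ciphertext repeated. A scheme that repeats is
    trivially distinguishable from one that does not, so it cannot be multi-message secure."""
    m = bytes(range(BLOCK))
    cts = {enc(key, m) for _ in range(trials)}
    return len(cts) < trials


if __name__ == "__main__":
    k = secrets.token_bytes(BLOCK)
    print("deterministic scheme repeats:", repeats_on_equal_messages(enc_deterministic, k))
    print("(r, F_k(r) XOR m) repeats:", repeats_on_equal_messages(enc_fixed, k))
    print("counter mode repeats:", repeats_on_equal_messages(enc_ctr, k))
    print("counter mode round trip:", dec_ctr(k, enc_ctr(k, b"a" * 37)) == b"a" * 37)
```

Counter mode here is the same keystream computation in both directions, which is why it needs only a PRF and never inverts F; the theorem that deterministic encryption cannot be multi-message secure is what `repeats_on_equal_messages(enc_deterministic, k)` exhibits.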
- Lectures 12, 13 & 14 10/15, 10/20 and 10/22
Message Authentication Codes: definition
Contrast between encryption and authentication (cannot directly use one to achieve the other)
PRF as a fixed message MAC
Constructing arbitrary length MACs: failed constructions and attacks; (secure) CBC-MAC
Combining encryption with authentication: encrypt-and-authenticate (not secure), authenticate-then-encrypt (secure in that it maintains CPA secrecy and achieves existential unforgeability against CMA, but it is not secure against a chosen ciphertext attack (CCA)); encrypt-then-authenticate (secure, and even boosts secrecy to be CCA secure, even when starting from just a CPA secure encryption).
Readings: 4.1-4.5, 4.9
(note: we did not give a formal definition of CCA secrecy, nor a formal definition of security that combines both secrecy and authentication)
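An added example (not the course's code) for the CBC-MAC and the encryption/authentication combinations above: CBC-MAC with the message length authenticated as the first block (the standard fix that makes it safe for variable-length messages), encrypt-and-authenticate showing the tag leaking plaintext equality, and encrypt-then-authenticate with verify-before-decrypt rejecting any modified ciphertext. The PRF is again HMAC-SHA256 truncated to one block, an assumption for this example; names are mine.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # assumed block length of the PRF in bytes


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in PRF F_k: HMAC-SHA256 truncated to one block (an assumption for this example)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, m: bytes) -> bytes:
    """CBC-MAC with |m| prepended as the first block. Plain CBC-MAC (IV = 0^n, output the
    last block) is only a fixed-length MAC; authenticating the length first is the standard
    fix for variable-length messages. Zero padding of the final block is unambiguous
    because |m| is already bound into the tag."""
    padded = m + bytes(-len(m) % BLOCK)
    blocks = [len(m).to_bytes(BLOCK, "big")]
    blocks += [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    t = bytes(BLOCK)  # IV fixed to 0^n
    for b in blocks:
        t = prf(key, xor(t, b))
    return t


def mac_verify(key: bytes, m: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(cbc_mac(key, m), tag)


def enc_fixed(key: bytes, m: bytes) -> bytes:
    """CPA-secure one-block encryption from the lectures: (r, F_k(r) XOR m)."""
    assert len(m) == BLOCK
    r = secrets.token_bytes(BLOCK)
    return r + xor(prf(key, r), m)


def dec_fixed(key: bytes, c: bytes) -> bytes:
    return xor(prf(key, c[:BLOCK]), c[BLOCK:])


def encrypt_and_authenticate(ke: bytes, km: bytes, m: bytes) -> bytes:
    """Insecure combination: the tag is computed on the plaintext and sent alongside.
    Since a MAC may be deterministic, equal plaintexts share a tag, breaking CPA secrecy."""
    return enc_fixed(ke, m) + cbc_mac(km, m)


def encrypt_then_authenticate(ke: bytes, km: bytes, m: bytes) -> bytes:
    """Secure combination: encrypt first, then MAC the ciphertext under an independent key."""
    c = enc_fixed(ke, m)
    return c + cbc_mac(km, c)


def decrypt_eta(ke: bytes, km: bytes, ct: bytes):
    """Verify before decrypting: a modified ciphertext is rejected without ever being
    decrypted, which is what lifts CPA secrecy to CCA secrecy. Returns None on rejection."""
    c, tag = ct[:-BLOCK], ct[-BLOCK:]
    if not mac_verify(km, c, tag):
        return None
    return dec_fixed(ke, c)


def tag_leaks_equality(ke: bytes, km: bytes, m: bytes) -> bool:
    """Encrypt-and-authenticate the same message twice: the tag halves are identical,
    so an eavesdropper learns that the two plaintexts were equal."""
    a = encrypt_and_authenticate(ke, km, m)
    b = encrypt_and_authenticate(ke, km, m)
    return a[-BLOCK:] == b[-BLOCK:]


if __name__ == "__main__":
    ke, km = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    m = bytes(range(BLOCK))
    ct = encrypt_then_authenticate(ke, km, m)
    tampered = ct[:20] + bytes([ct[20] ^ 1]) + ct[21:]
    print("round trip:", decrypt_eta(ke, km, ct) == m)
    print("tampered ciphertext rejected:", decrypt_eta(ke, km, tampered) is None)
    print("encrypt-and-authenticate leaks equality:", tag_leaks_equality(ke, km, m))
```

Two independent keys `ke` and `km` are used on purpose; the combination theorems in the lectures assume the encryption and MAC keys are chosen independently.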
- Lectures 15 & 16 10/27 and 10/29
Collision resistant hash functions (CRHF): definitions, birthday attack, Merkle-Damgård transform, CRHF in practice.
Using CRHF for authentication, and high-level overview of NMAC and HMAC (without many details). Summary of known implications among primitives (OWF to pseudorandom objects to private key encryption and MACs), with high-level discussion of some practical constructions (of pseudorandom objects) vs theoretical constructions (by using OWF, in turn constructed from number theoretic assumptions).
Definition of OWF.
Readings: 4.6, 4.7, 6.1.1
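An added example (my code, not the course's) of the Merkle-Damgård transform and the birthday attack: a toy compression function built from truncated SHA-256 (an assumption standing in for a real one), the transform with and without the final length block, and a birthday search against the hash truncated to 24 bits showing that collisions appear after roughly 2^12 trials rather than 2^24. Names, sizes and the seed are mine.

```python
import hashlib
import random

N = 8    # chaining value / output length in bytes of the toy hash (assumption)
BLK = 8  # message block length in bytes
IV = bytes(N)


def compress(h: bytes, x: bytes) -> bytes:
    """Toy fixed-length compression function h: {0,1}^{2n} -> {0,1}^n, built here as
    SHA-256(h || x) truncated to n bytes (an assumption for this example)."""
    return hashlib.sha256(h + x).digest()[:N]


def md_hash(m: bytes, strengthen: bool = True) -> bytes:
    """Merkle-Damgard transform: zero-pad m to a block multiple, then chain compress()
    from IV. With strengthen=True a final block encoding |m| is appended; that block is
    what makes a collision in the hash imply a collision in compress()."""
    padded = m + bytes(-len(m) % BLK)
    blocks = [padded[i:i + BLK] for i in range(0, len(padded), BLK)]
    if strengthen:
        blocks.append(len(m).to_bytes(BLK, "big"))
    h = IV
    for b in blocks:
        h = compress(h, b)
    return h


def zero_pad_collision(m: bytes):
    """Without the length block, zero padding makes m and m||0x00 hash identically whenever
    |m| is not a block multiple: a collision found with no search at all."""
    m2 = m + b"\x00"
    return m2, md_hash(m, strengthen=False) == md_hash(m2, strengthen=False)


def birthday_collision(out_bytes: int, seed: int = 1):
    """Birthday attack on the hash truncated to out_bytes: hash random inputs until two
    distinct inputs share a digest. Expected about sqrt(pi/2 * 2^(8*out_bytes)) trials,
    which is why an output must be twice the intended security level in bits."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    seen = {}
    trials = 0
    while True:
        x = rng.getrandbits(64).to_bytes(8, "big")
        trials += 1
        d = md_hash(x)[:out_bytes]
        if d in seen and seen[d] != x:
            return seen[d], x, trials
        seen[d] = x


if __name__ == "__main__":
    m2, same = zero_pad_collision(b"abc")
    print("no length block, b'abc' vs b'abc\\x00' collide:", same)
    print("with length block they differ:", md_hash(b"abc") != md_hash(b"abc\x00"))
    a, b, trials = birthday_collision(3)
    print("24-bit collision after", trials, "trials:", md_hash(a)[:3].hex())
```

The trial count printed is the whole lesson of the birthday bound: the search cost grows with the square root of the output space, so a hash meant to give 128-bit collision resistance needs a 256-bit output.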
- Lectures 17 & 18 11/5 and 11/10
Definitions of one-way functions and permutations. Proved that private key encryption (that can encrypt more messages than its key space) implies OWF. Intuitive discussion of why OWF are necessary for most cryptographic primitives. If P=NP then OWF do not exist (intuitive explanation, no proof or rigorous discussion of P vs NP).
Definition of a collection (family) of OWF (or OWP). Claimed without proof that there exists a family of OWF if and only if there exists an OWF.
Candidate OWF (families): subset sum, discrete log. Discrete Log Assumption.
An efficient algorithm to select a random n-bit prime (efficient because primality is efficiently testable and the density of primes is high).
Readings: 6.1.2, 6.1.3, 6.7, 7.2.1
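An added example (not from the course) of the prime-selection procedure just described: sample a random odd n-bit candidate, test it, repeat. Miller-Rabin is used as the efficient primality test, which is my choice rather than something the lecture specifies, and the expected number of trials follows from the density of primes near 2^n. Names are mine.

```python
import math
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin: an efficient randomized primality test. A composite passes a single
    round with probability at most 1/4, so 40 rounds give error below 2^-80."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):  # cheap trial division first
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:  # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def random_nbit_prime(n: int):
    """Pick uniformly random odd n-bit integers (top and bottom bits forced to 1) until
    one passes the test. Returns (prime, number_of_candidates_tried)."""
    trials = 0
    while True:
        trials += 1
        candidate = secrets.randbits(n) | (1 << (n - 1)) | 1
        if is_probable_prime(candidate):
            return candidate, trials


def expected_trials(n: int) -> float:
    """Density of primes: about 1/(n ln 2) of n-bit integers are prime, so restricting to
    odd candidates gives success probability ~2/(n ln 2) per trial and n ln 2 / 2 expected
    trials, i.e. polynomially many."""
    return n * math.log(2) / 2


if __name__ == "__main__":
    p, tries = random_nbit_prime(512)
    print(f"512-bit prime found after {tries} candidates (expected ~{expected_trials(512):.0f})")
    print("bit length:", p.bit_length(), "probable prime:", is_probable_prime(p))
```

Both ingredients named in the lecture are visible here: the test is polynomial time, and the expected loop count is linear in n, so the whole procedure is efficient.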