W4261 Introduction to Cryptography: Lecture Summaries
- Lecture 1 (9/6)
Introduction to class and to modern cryptography; Kerckhoffs's principle; some classical
ciphers and discussion of their insecurity; intuitive
discussion of security and attacks (e.g., what counts as a violation,
when does brute force attack work, mentioned that an upper bound on the
length of the message is always leaked).
Readings: Ch.1
- Lecture 2 (9/8)
Private key encryption: syntax and correctness;
discussion and motivation for security definitions; two formal definitions of
perfect secrecy; the definitions are equivalent (didn't prove);
when is the shift cipher (or the parallel variation of it) perfectly secret.
Readings: Ch.2
- Lecture 3 (9/13)
A third equivalent definition of perfect secrecy (defined through
a game with an adversary, based on indistinguishability); Define the one time
pad scheme and prove its perfect secrecy; problems with the one time
pad (some of which are inherent for any perfectly secret scheme),
including large key space, only a single message unless we add a persisting
state, etc; motivation for the computational approach.
- Lecture 4 (9/15)
Prove that for any perfectly secret scheme, |K|>|M|,
discussion of security definitions and attack models,
discussion of computational approach, concrete vs
asymptotic definitions, proof by reduction,
necessity of assumption,
complexity of cryptographic primitives (informal discussion of
relation to P vs NP and Impagliazzo's worlds).
Problem Set 1 out
- Lecture 5 (9/20)
Formal definition of computationally secret encryption scheme
(indistinguishability against an eavesdropper), security
parameter, brute force attack or guessing attack, feasible
computation and negligible functions.
Motivated pseudorandom generators (PRG) as a tool for encryption,
intuition and formal definition of a PRG.
Readings: Ch. 3.1, 3.2, 3.3, Appendix A, Further Background
- Lecture 6 (9/22)
Pseudorandom generators (stream ciphers). Short discussion
(without definitions or details) of PRG
constructions: theoretical/provable, such as from one-way functions
(e.g., factoring-based repeated squaring mod n, outputting the iterated
least-significant-bit), and practical/ad-hoc (e.g., RC4, its
identified vulnerability and how to overcome it).
Proved that if PRGs exist, then private key encryption (indistinguishable against
eavesdropper) exists, even with a message longer than the key (use a
pseudorandom pad: proof by reduction).
Problem Set 1 Due
Readings: Ch. 3.4.1
- Lecture 7 (9/27)
Briefly touched upon variable length PRG and encryption. Defined multiple-message indistinguishability against eavesdropper.
The construction we saw last time (using a pseudo-random pad) does not satisfy it.
This (insecurity against multiple messages)
is inherent for all encryption schemes where the encryption algorithm is deterministic.
Can be overcome by adding state.
We discussed how to do this in a stateless manner.
Came to a probabilistic construction based on a PRG G(r,k) with stronger properties,
where the output looks random even when the first argument r is known to the adversary,
and even when called multiple times with the same k, as long as the first (known) argument is fresh every time.
Started discussion of CPA security.
Readings: Ch. 3.4-3.5
Problem Set 2 out
- Lecture 8 (10/4)
Defined CPA security, noted that it can only be achieved with randomized
encryption, and that CPA security implies multiple-message CPA security;
we sketched an inefficient CPA secure scheme using a random function
(=exponential size description) as a key.
This was one (of many) motivations of PRF,
which we started to define and discuss.
Readings: Ch. 3.5-3.6
- Lecture 9 (10/6)
Definition and discussion of PRF (we also mentioned PRPs); PRFs/block ciphers cannot be used as-is for encryption; proof of security for a CPA secure scheme based on PRF; started discussion of modes of encryption for more efficient constructions (saw randomized counter mode).
Readings: Ch.3.6
- Lecture 10 (10/11)
Further discussion of randomized counter mode and its advantages
(does not require inverting F, parallelizable, provides a stream cipher);
quick summary of what we saw on computationally secure encryption;
started discussing message authentication codes.
Contrast between encryption and authentication (cannot directly use
one to achieve the other, secrecy does not provide integrity).
Definition of security for MACs (existential unforgeability against adaptive chosen message attacks).
A PRF used as a fixed message MAC is secure (we did not prove). Some failed attempts at constructing arbitrary length MACs via block-by-block techniques.
Readings: Ch.4.1-4.4
- Lecture 11 (10/13)
We proved that a PRF is a good fixed message MAC.
Showed how to use fixed message MAC to construct an arbitrary message MAC,
using block-by-block tagging, where the block includes an index,
random message identifier, and message length. Then we saw the more efficient
CBC-MAC (with no proof).
Readings: Ch.4.4-4.5
- Lecture 12 and 13 (10/18-10/20)
Combining encryption with authentication:
encrypt-and-authenticate (not secure),
authenticate-then-encrypt (secure in that it maintains CPA secrecy and
achieves existential unforgeability against CMA,
but it is not secure against a chosen ciphertext attack (CCA));
encrypt-then-authenticate
(secure, and even boosts secrecy to be CCA secure,
even when starting from just a CPA secure encryption).
CRHF: definition, use for authentication (through hash-and-mac),
weaker forms of the definition:
target CR (=second preimage resistance) and one-wayness
(=preimage resistance); birthday attack,
hash functions in practice (mentioned insecurity of MD5,
vulnerability of SHA1, ongoing SHA-3 competition),
Merkle-Damgard transform.
Readings: Ch.4.9, 4.6
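An added example (not from the course) tying together the randomized construction of Lecture 7 and the encrypt-then-authenticate composition above. It assumes HMAC-SHA256 as the PRF F_k (the stronger "G(r,k)" whose output looks random for a fresh known r) and again as the MAC, with independent keys ke and km; the message is constructed.

```python
import hmac, hashlib, os

# Assumed PRF F_k(x) = HMAC-SHA256(k, x); the pad for public randomness r is
# F_k(r||0) || F_k(r||1) || ..., so each fresh r gives a fresh pseudorandom pad.
def prf(key: bytes, x: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha256).digest()

def pad(key: bytes, r: bytes, n: int) -> bytes:
    blocks = [prf(key, r + i.to_bytes(4, "big")) for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc(ke: bytes, m: bytes) -> bytes:
    r = os.urandom(16)               # fresh r sent in the clear (Lecture 7's known argument)
    return r + xor(m, pad(ke, r, len(m)))

def dec(ke: bytes, c: bytes) -> bytes:
    r, body = c[:16], c[16:]
    return xor(body, pad(ke, r, len(body)))

def etm_encrypt(ke: bytes, km: bytes, m: bytes) -> bytes:
    c = enc(ke, m)                   # encrypt first ...
    return c + prf(km, c)            # ... then MAC the whole ciphertext (HMAC as the MAC)

def etm_decrypt(ke: bytes, km: bytes, ct: bytes):
    c, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(tag, prf(km, c)):
        return None                  # reject before decrypting: forged ciphertexts learn nothing
    return dec(ke, c)

def flip_bit(data: bytes, pos: int) -> bytes:
    b = bytearray(data)
    b[pos] ^= 0x01
    return bytes(b)

def demo():
    ke, km = os.urandom(32), os.urandom(32)      # independent keys for Enc and Mac
    m = b"pay 100 to alice"                      # constructed sample message
    c = enc(ke, m)
    randomized = enc(ke, m) != c                 # same message, different ciphertexts
    malleable = dec(ke, flip_bit(c, 16)) != m    # CPA-secure, yet a bit flip edits the plaintext
    ct = etm_encrypt(ke, km, m)
    accepted = etm_decrypt(ke, km, ct) == m
    rejected = etm_decrypt(ke, km, flip_bit(ct, 16)) is None
    return randomized, malleable, accepted, rejected
```

The malleability of the bare CPA-secure scheme is exactly what a chosen-ciphertext attacker exploits; the tag over the ciphertext makes every modified ciphertext invalid, which is why encrypt-then-authenticate lifts the composition to CCA security.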
- Lecture 14 (10/25)
Using CRHF for authentication (very high level overview of NMAC, mentioned HMAC but didn't describe it).
Practical construction of PRP (=block ciphers). Overview of substitution-permutation networks and Feistel networks, and their use in AES and DES, double-DES, triple-DES, attacks. We did not give full descriptions (let alone proofs) of any of these, just technical and historical overview, principles, and discussion of security and attacks. Started discussion of theoretical construction of pseudorandom objects, and defined one way functions.
Readings: Ch.5
- Lecture 15 (10/27)
Overview of theoretical constructions: one-way function (OWF) definition, stated that OWF <==> private key encryption (also <==> PRG <==> PRF <==> MAC and more), possible OWF (or one-way permutation) candidates (subset sum, multiplication of 2 large primes, exponentiation of a generator g modulo a prime p), hard-core bit definition, Goldreich-Levin theorem, PRG from OWP and HCB.
Readings: Ch.6.1-6.4 (no proofs)
- Lecture 16 (11/1)
Brief review of number theory and algorithmic facts,
including efficient generation of random primes, Zn, Zn*, phi(n),
Cyclic groups, arithmetic in these groups, extended Euclid algorithm
for gcd and inverse finding in Zn*, the QR(n) subgroup
of Zn*, discrete log assumption.
Readings: Ch.7.1, Appendix B.1
- Midterm (11/3)
- No class, Election Day (11/8)
- Lecture 17 (11/10)
Intro to public key cryptography.
Diffie Hellman Key agreement. Discrete log, computational Diffie-Hellman (CDH),
and Decisional Diffie Hellman (DDH) assumptions.
DDH assumption false on Zp* but believed to be true on a prime order
subgroup QRp (when p=2q+1). Security of DH key agreement
protocol under DDH.
Public key encryption (PKE) vs private key encryption.
Readings: Ch.9
- Lecture 18 (11/15)
Definition of PKE and its security (indistinguishability),
informal discussion of semantic security (equivalent to indistinguishability);
these notions imply security against CPA.
Noted that perfect security for PKE is not possible,
and that the encryption scheme in a PKE has to be probabilistic
(with exponentially many possible encryptions for the same message).
Showed the El Gamal PKE scheme (secure under DDH assumption).
Presented "textbook RSA" and how it is sometimes used for
encryption by applying the RSA function on the
message + random padding (this is not provably secure).
Readings: Ch.10.1, 10.2, 10.4, 10.5
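An added example (not from the course) for the Lecture 17 and 18 material: Diffie-Hellman key agreement and El Gamal encryption over the prime-order subgroup QR_p of Z_p* with p = 2q+1, plus the residuosity check that shows why DDH fails in all of Z_p*. The parameters p = 23, q = 11 and generator 5 of Z_23* are constructed toy values.

```python
import random

# Constructed toy parameters (real deployments use a large safe prime):
# p = 2q+1 with p, q prime, and QR_p the subgroup of squares, which has prime order q.
P, Q = 23, 11
G = pow(5, 2, P)   # the square of any element other than +-1 generates QR_p (here G = 2)

def in_qr(x: int) -> bool:
    # Euler's criterion: x is a square mod p iff x^q = 1 mod p
    return 1 <= x < P and pow(x, Q, P) == 1

def keypair():
    # secret exponent a in Z_q, public value g^a in QR_p (used by both DH and El Gamal)
    a = random.randrange(1, Q)
    return a, pow(G, a, P)

def dh_shared(priv: int, other_pub: int) -> int:
    # Reject values outside QR_p: the DDH assumption is only made for the subgroup
    if not in_qr(other_pub) or other_pub == 1:
        raise ValueError("public value not in the prime-order subgroup")
    return pow(other_pub, priv, P)

def elgamal_enc(pk: int, m: int):
    # m must be encoded as an element of QR_p for the DDH argument to apply
    if not in_qr(m):
        raise ValueError("message must be a quadratic residue mod p")
    r = random.randrange(1, Q)
    return pow(G, r, P), m * pow(pk, r, P) % P

def elgamal_dec(sk: int, c) -> int:
    c1, c2 = c
    # c1 has order q, so c1^(q - sk) = c1^(-sk); divide out the shared secret
    return c2 * pow(c1, Q - sk, P) % P

def ddh_leaks_in_zp_star(a: int, b: int, h: int = 5) -> bool:
    # Why DDH fails in all of Z_p*: with h a generator of Z_p* (5 generates Z_23*),
    # h^(ab) is a square iff h^a or h^b is, so residuosity distinguishes (h^a, h^b, h^(ab))
    return in_qr(pow(h, a * b, P)) == (in_qr(pow(h, a, P)) or in_qr(pow(h, b, P)))

def demo():
    a, ga = keypair()
    b, gb = keypair()
    agreed = dh_shared(a, gb) == dh_shared(b, ga)
    sk, pk = keypair()
    roundtrip = elgamal_dec(sk, elgamal_enc(pk, 4)) == 4     # 4 = 2^2 lies in QR_23
    leak = all(ddh_leaks_in_zp_star(x, y) for x in range(1, 22) for y in range(1, 22))
    return agreed, roundtrip, leak
```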
- Lecture 19 (11/17)
Factoring assumption, RSA assumption, textbook RSA (a TDP)
and its use for secure PKE: padded RSA heuristic, provable
construction from any TDP using hard-core-bit (e.g., msb for RSA).
Review of number theoretic easy (poly time) problems,
and hardness assumptions, very briefly mentioned hardness
of square roots modulo a composite and the Rabin TDF and corresponding PKE.
Readings: Ch.7.2, 10.4, 10.7, 11.2
- Lecture 20 (11/22)
Digital signature schemes: motivation and comparison to symmetric (MAC)
setting (linear number of keys, no shared secrets, public verifiability,
transferability and non-repudiation). Definition of security (existential
unforgeability against CMA).
Using fixed-message signatures and CRHF to get arbitrary length message
signatures ("hash-and-sign" paradigm).
Text-book RSA signatures and their insecurity (two attacks).
Hashed RSA signature ("full domain hash"), stated its security
in the random oracle model (discussion of the random oracle model heuristic).
Readings: Ch.12.1-12.4, 13.1
- Thanksgiving (11/24)
- Lecture 21 (11/29)
Lamport's one time signature scheme for l-bit messages,
plus proof of (one-time) security.
Discussed (without showing) general construction of secure signature schemes.
Interactive proof systems and zero knowledge:
discussed informally, and showed a protocol for
proving to a color blind person that two cards have
different colors, as well as proving to an efficient
verifier that two graphs are not isomorphic
(GNI problem, with an unbounded prover).
Both are honest-verifier-zero-knowledge.
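An added example (not from the course) of Lamport's one time signature scheme for l-bit messages, with SHA-256 assumed as the one-way function and l = 8 chosen as a constructed small parameter. The combine function shows the failure mode behind "one-time": two signatures under the same key reveal enough preimages to sign further messages without the secret key.

```python
import hashlib, os

# Assumed one-way function f = SHA-256; l = 8 message bits (constructed small for the demo)
L = 8

def f(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def bits(m: int, l: int):
    return [(m >> (l - 1 - i)) & 1 for i in range(l)]   # m_1 ... m_l, MSB first

def keygen(l: int = L):
    # sk: two random preimages per bit position; pk: their images under f
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(l)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk

def sign(sk, m: int):
    # reveal, at each position i, the preimage that corresponds to bit m_i
    return [sk[i][b] for i, b in enumerate(bits(m, len(sk)))]

def verify(pk, m: int, sig) -> bool:
    return len(sig) == len(pk) and all(
        f(sig[i]) == pk[i][b] for i, b in enumerate(bits(m, len(pk))))

def combine(sig_a, m_a: int, sig_b, m_b: int, m_c: int, l: int = L):
    # Why the key is one-time: after two signatures, any m_c that agrees with m_a or m_b
    # at every position can be signed from the revealed preimages alone (no sk needed)
    ba, bb, bc = bits(m_a, l), bits(m_b, l), bits(m_c, l)
    out = []
    for i in range(l):
        if bc[i] == ba[i]:
            out.append(sig_a[i])
        elif bc[i] == bb[i]:
            out.append(sig_b[i])
        else:
            return None      # this bit's preimage was never revealed
    return out

def demo():
    sk, pk = keygen()
    sig = sign(sk, 0b10110010)
    valid = verify(pk, 0b10110010, sig)
    wrong_msg = verify(pk, 0b10110011, sig)     # same signature, different message: rejected
    sa, sb = sign(sk, 0b11110000), sign(sk, 0b00001111)
    third = combine(sa, 0b11110000, sb, 0b00001111, 0b10101010)
    reuse_breaks = verify(pk, 0b10101010, third)
    return valid, wrong_msg, reuse_breaks
```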
- Lecture 22 (12/01)
ZK interactive proof systems: definitions, and examples of graph isomorphism,
and of square root mod N. The latter is not just a ZK proof,
but a ZK proof of knowledge (we did not define this formally).