ECS 127 - Cryptography - Winter 2019 - List of Lecture Topics

| Week | Lecture | Topic | Notes |
|---|---|---|---|
| Week 1 | L01 - M 1/07 | Logistics (read the course information sheet). Introduction: four basic crypto problems, {privacy, authenticity} x {sym, asym}. Ways of creating asymmetry between Sender, Receiver, and Adversary. No disc sections this week; no office hours until Thursday. | [BR.Ch1], [DH76] |
| | L02 - W 1/09 | Introduction, part 2: protocols. Secret Key Exchange (SKE). Authenticated Key Exchange (AKE). Secret Sharing: 1-out-of-2 method, and k-out-of-n method (Shamir's Secret Sharing). Q1 | [DH76], [Sh79], Finite Fields |
| | L03 - F 1/11 | Slower treatment of finite fields (and groups). Encrypting an n-valued quantity using arithmetic in ℤn. MPC and the average-salary problem. | 𝅘𝅥𝅮 𝅘𝅥𝅯 |
| Week 2 | L04 - M 1/14 | Q2. The Definition → Protocol → Proof pipeline. OTP(k). Syntax of a sym enc scheme. Perfect privacy. | [BS.ch2] |
| | L05 - W 1/16 | Two more notions of enc scheme privacy: Shannon security and indistinguishability. Equivalence of the three notions (for one-query IND). | |
| | L06 - F 1/18 | Multi-query indistinguishability. Deterministic, stateless encryption can't achieve it. Det encryption must have a key space as big as the msg space. OTP*(k). Vernam ciphers and PRGs. RC4. Q3 | |
| Week 3 | XX - M 1/21 | Holiday: MLK's birthday | MLK.1, MLK.2, MLK.3, MLK.4 |
| | L07 - W 1/23 | Unifying our PRG notions. Definitional variants for PRGs. Reductions. Example: G is a secure PRG implies Vernam[G] is an IND-secure enc scheme | |
| | L08 - F 1/25 | Q4. Problems with RC4 and its signature. The notion of a PRF. ChaCha20 as an example PRF. | Two slides from class, Bernstein paper on ChaCha |
| Week 4 | L09 - M 1/28 | The definition of a PRF and a PRP. Nice things about ChaCha. Why constant-time matters. A historically important PRP: DES. Q5. | Slides from class. Coppersmith: DES and its strength against attacks |
| | L10 - W 1/30 | The politics of DES (56-bit keys, hw-only, export control, standardization obstruction); cf. Winner's account of Moses's bridges. The AES blockcipher & arith in GF(2^8). | Wiki:AES |
| | L11 - F 2/01 | Description of the books, classes, and video courses on our homepage. The birthday problem and its analysis. The PRP/PRF switching lemma. The Fundamental Lemma of Game-Playing | [BR] chapts 3, 4 (switching lemma is 4.9) |
| Week 5 | L12 - M 2/04 | Q6. Finishing proof of the PRP/PRF switching lemma. CTR[E] mode of operation and its IND-security. | |
| | L13 - W 2/06 | Finishing the proof of CTR-mode security: a reduction. Other modes of operation: ECB is IND-insecure. CBC with a 0-IV is IND-insecure. CBC with a random IV is IND-secure. | slides |
| | L14 - F 2/08 | Dog Day!!! The key-recovery notion of blockcipher security and its insufficiency. PRP-security implies KR-security. The IND$ definition of enc scheme security. IND does not imply IND$ | [BR:4.7] |
| Week 6 | L15 - M 2/11 | Stronger encryption goals: CCA-security and nonmalleability and authenticated encryption. Changing the syntax: nonces and AD. Disc section: IND$-security implies IND-security | |
| | L16 - W 2/13 | Q7. Message authentication codes: syntax and security definition. Secure PRFs are secure MACs. The (raw) CBC MAC and its insecurity. Fixing the CBC MAC: the 3-key construction. Almost-universal hash functions | |
| | L17 - F 2/15 | Midterm exam | |
| Week 7 | XX - M 2/18 | Holiday: Presidents' Day | |
| | L18 - W 2/20 | Review of MACs, PRFs, CMAC, AU-hashing. Polynomial evaluation ("GHASH") is a good AU-hash function. The Wegman-Carter (hash-then-encrypt) paradigm to make a PRF. A second, equivalent defn for an AEAD scheme: priv+auth | slides |
| | L19 - F 2/22 | Generic composition and the mismatch between the classical taxonomy and creating a modern AE scheme. A quick survey of some AEAD schemes: SIV, AES-GCM-SIV, CCM, GCM, OCB, AEGIS, DEOXYS-II. Use of tweakable blockciphers | slides |
| Week 8 | L20 - M 2/25 | Q8. Cryptographic hashing. Philosophical concerns on definitions by human ignorance. Applications of cryptographic hashing. The Merkle-Damgård approach. Discussion section: the asymptotic approach for cryptographic defns | Formalizing Human Ignorance (not to be confused with The Basic Laws of Human Stupidity) |
| | L21 - W 2/27 | Proof and then statement for the Merkle-Damgård construction. The Davies-Meyer construction. An example full construction: SHA256. Formalizing the syntax and security for public-key encryption | slides |
| | L22 - F 3/01 | Q9. Two-independent-flow SKE implies PKE. How to solve SKE (poorly) using hash functions: Merkle puzzles. Mathematical background and solution for Diffie-Hellman Key Exchange | Merkle's paper on SKE using puzzles. How to really say Damgård's name |
| Week 9 | L23 - M 3/04 | DH-related assumptions (DL, CDH, DDH, HDH). CCA-security for PKE. How really to encrypt with DH: DHIES. The RSA trapdoor permutation | slide |
| | L24 - W 3/06 | General definition of a trapdoor permutation. The RSA assumption. Ways to encrypt with RSA: lsb-method, RO method, OAEP. Random-oracle model | |
| | L25 - F 3/08 | Q10. Review: DL, CDH, DDH; trapdoor permutations; the RSA trapdoor permutation; the ROM; OAEP. Digital signatures: syntax, security defn, wrong construction from a trapdoor permutation like RSA. | slides |
| Week 10 | L26 - M 3/11 | Right and wrong approaches to sign with RSA. Signing does not require AKE/PKE: signing with a hash function: Lamport signatures and Merkle signatures. | Example of a modern hash-based signature |
| | L27 - W 3/13 | Humus. The Moral Character of Cryptographic Work and the character/sociology of cryptographic research. | slides (only covered half of these) |
| | L28 - F 3/15 | Garbled circuits (described from a two-key tweakable blockcipher). 2-Party SFE from garbled circuits and oblivious transfer. Prizes! Why are you here — should you not be on strike? | Slides. Also: Greta-1, Greta-2, and a recent essay by Jem Bendell |
| Week 11 | xx - W 3/20 | Review session, 3:30-5:30pm, 1003 Giedt | |
| | XX - F 3/22 | Final exam, 1-3 pm | |