ECS 227 - Lecture Topics - 2003
Lecture topics for my Fall 2003 cryptography class.
There will be 10 lectures, three hours per lecture.
I will fill in the material we got to after
each lecture. You're on your own to find the corresponding material in our course notes or in other
sources.
- Lect 1 - Oct 1 - Introduction.
Modern vs. classical cryptography. Sample cryptographic problems:
sym/asym encryption; sym/asym message authentication; authenticated key distribution;
the dating problem and SFE in general. Block ciphers.
Descriptions of DES and AES.
- Lect 2 - Oct 8 -
Odds and ends: one-time-pad encryption. Finish AES description (multiplying in GF(2^8)).
Using a block cipher: CTR mode. PRFs.
Block-cipher security notions: key recovery, PRP security, PRF security, under KPA, CPA, CCA.
- Lect 3 - Oct 15 - PRP/PRF switching lemma (and intro to game-playing proofs).
A reduction: PRF-security implies KR-security.
Symmetric encryption.
Encryption scheme syntax. Semantic security.
- Lect 4 - Oct 22 -
Second lecture on symmetric encryption.
IND is equivalent to IND1. RZ (real-or-zero) security. RZ-security implies IND-security.
IND-security implies RZ security. RND security.
- Lect 5 - Oct 29 - Final lecture on symmetric encryption.
Review. RND security implies IND. A full proof that
CTR$ mode is RND$ secure. Breaking CBC-Counter and CBC-Chain. A proof that CTR$ is RND secure.
- Lect 6 - Nov 5 - Hash functions.
History of MD4, MD5, SHA1. Definition of SHA1. Hash functions are families. Collision intractability.
The Merkle-Damgard theorem. UOWHFs. Universal hash functions. Universal hashing by polynomial
evaluation.
- Lect 7 - Nov 12 - Message authentication.
Encryption-with-redundancy doesn't provide authenticity.
Authenticity of ciphertexts. MACs. Ad hoc MACs from block ciphers. The HMAC construction.
The CBC MAC. EMAC. Three theorems: (1) PRFs are MACs. (2) The WC3 construction
gives a PRF. (3) CBC MAC is AU2.
- Lect 8 - Nov 19 - Authenticated encryption.
Correct and incorrect generic composition methods. Two-pass schemes with a single key.
Tweakable block ciphers. A one-pass scheme (what one might call OCB1/IAPM1) from a tweakable
block cipher. Constructing the tweakable block cipher by the XEX construction.
Mathematical preliminaries. Facts about prime numbers,
Z_n^*, Lagrange's theorem, etc.
- Lect 9 - Nov 24 - Public-key encryption.
The RSA trapdoor permutation. Definition of a trapdoor permutation. The RSA assumption.
Definition of public-key encryption. RSA PKCS #1 encryption.
Hardcore bits. Secure encryption with RSA. OAEP-RSA.
- Lect 10 - Dec 3 - Random-oracle model.
Idea of RO model. Definition of encryption-scheme security in the RO model. Controversy about
RO model. Proof of security for (x^3 mod n, H(x)+M) encryption.
Zero-knowledge. NP viewed as interaction. ZK proof
of G3C in the lead-plate model, and in the standard model. Definition of ZK.
ZK proof of HC. Implications of NP in ZK. Bye!
Phil Rogaway's homepage