### ECS 127 Schedule – Cryptography – Spring 2024 – Phillip Rogaway

• Details get filled in as the course progresses
• Student notes for each lecture (no longer directly linked to in the table)
• Professor videos for lectures 2W onward (but you still need to come and listen to lecture!)
• Lecture list from Winter 2019
Class Topic
1M 4/01 Basics. Read the syllabus. Introduction: four basic problems in cryptography: {priv, auth} x {sym, asym}. Other ways to create asymmetry.
1W 4/03 Quiz. Secret Key Exchange (SKE) and the DH protocol. Mean salary computation in the physical and communication model.
1R 4/04 PS1 in discussion section
1F 4/05 Defined groups. Z_2, Z_N, Z_2^*. Why Z_2^* is cryptographically useful. The OTP encryption scheme.
2M 4/08 Quiz. Reviewing OTP encryption. Correctness. Defining perfect privacy for one message or multiple messages.
2W 4/10 Review. Secret sharing: 2-of-2, threshold schemes, definition for the general problem.
2R 4/11 Solutions to PS2. Map a deal to a point in Z_{C(52,26)}. Breaking LR-privacy for a deterministic, stateless enc scheme.
2F 4/12 Quiz. Privacy notion for secret sharing (SS). Shamir SS (original paper) Pseudorandom generators (PRGs). RC4
3M 4/15 Approaches to handling the domain & stretch of a PRG. Reductions. From stretch-1 to long-stretch.
3W 4/17 ∃ secure asym PRG ⇒ P≠NP. A reduction: if g is a secure stretch-1 PRG then G[g] is a secure arbitrary-stretch PRG. Problems with RC4/PRGs.
3R 4/18 Solutions to PS3. Defining indistinguishability. Asymptotic way to do that.
3F 4/19 Quiz. Problems with PRGs and with RC4. Syntax of a PRF (pseudorandom function). A well-designed PRF: Dan Bernstein’s ChaCha20
4M 4/22 The PRF security notion. |Func(n,m)|. Using a PRF to encrypt: prob. enc. with a PRF / ChaCha20.
4W 4/24 Quiz. Notions of enc scheme security: LR, ind0, ind\$. LR-security is equivalent to ind0-security. ind\$ security is stronger.
4R 4/25 An alternative Chernoff bound for the HW. A more efficient way to use a minimal-stretch PRG.
4F 4/26 Finishing the reduction for ind\$ ⇒ ind0. Syntax for blockcipher. Signatures and initial history of DES and AES.
5M 4/29 Syntax and security definition for blockciphers. How DES works. Why it’s key is so short.
5W 5/01 Cat Day: visits from Peanut and Cloud. Winner’s Do Artifacts have Politics? (recommended), and the key length of DES. AES. Arithmetic in GF(2^8).
5R 5/02 Going over a practice quiz, including substitution ciphers and password guessing. Review of GF(2^8) multiplication.
5F 5/03 Quiz. Using a PRP to encrypt: ECB mode mode and critique. CTR mode. The PRP/PRF switching lemma.
6M 5/06 Game-playing arguments; finish PRP/PRF switching lemma. Proving security of CTR mode. CBC encryption. Malleability of CBC-encrypted text.
6W 5/08 CBC-ctr is not ind-secure; CBC\$ is. Nonmalleability. CTR and CBC are malleable. MT cutoff. Then: the CBC MAC. The definition of a MAC.
6R 5/09 Midterm review sessions: we worked out old midterms, as well as the last problem on the current problem sets.
6F 5/10 Midterm 1. Cheat-sheet allowed (one side of one page). Overflow room: Wellman 207. About 20 students should go there.
7M 5/13 Midterms weren't great. A dog visits. MACs. PRFs are good MACs. Raw CBC MAC: no good. Fixing it: CMAC. Carter-Wegman MACs. GMAC.
7W 5/15 Review of material on MACs. Evaluating polynomials efficiently. Generic composition (prob enc + MAC).
7R k/16 MT questions. Authenticated encryption (AE / AEAD) (Slides, we covered 1–19)
7F 5/17 Finished AE, covering CCM, OCB, and tweakable blockcipher. Cryptographic hash functions. Collision intractability.
8M 5/20 Crypt hash functions: additional uses, Merkle-Damgard, Davies-Meyer. Making the blockcipher (SHA-1). PK encryption: syntax.
Deadline, 10pm, for +4% early-turnin final project.
8W 5/22 Quiz. Defining ind-security for a PK-enc scheme. Using DH key-exchange for an enc scheme. DDH vs. CDH. The random-oracle model (ROM).
8R 5/23 HW6, problems 19 and 20. Breaking CBC-enc-with-arbitrary-redundancy as an AEAD scheme.
8F 5/24 Review: random oracles, CDH vs. DDH. DH-encryption with DHIES. Trapdoor permutations. Not for direct use. The RSA trapdoor permutation.
9M 5/27 Deadline, 10pm, for +3% early-turnin final project. Holiday; no school; you will be lonely all by yourself in Wellman.
9W 5/29 Trapdoor permutations, cont. Encrypting by f(M) (no), or by f(R) || H(R)⊕M, OAEP. Digital signatures. Signing by g(M) (no), or by FDH or PSS.
9R 5/30 We went over Problem 20 from today’s problem set, then the 2019 final for the class.
9F 5/31 Stateful digital signatures from a hash function (Lamport’s scheme, Merkle trees). The grid of goal, revisited.
9U 6/02 8-10pm, totally optional activity: rock climbing (without the rocks) at Rocknasium. Suggest to fill out the waiver in advance.
10M 6/03 Midterm 2. Overflow room is Wellman 115 (about 28 students should go there). Deadline, 10pm, for final project.
10W 6/05 Talk: The Last Lecture: A dozen suggestions you probably don’t want to hear.
Essay I considered for today (if you have time): The Moral Character of Cryptographic Work (2015), On Being a Computer Scientist Human Being in the Time of Collapse (last ECS20 lecture), and Radical CS (2023).
10R 6/05 Optional disc at 11am (TLC 3212) & 2pm (TLC 2218): zero-knowledge proofs. Tea party. Bring a mug and, if you can, a thermos of coffee or tea. You could bake something, too.