ECS 189A - Cryptography - Spring 2011 - List of Lecture Topics

| Week | Lecture | Topic |
|---|---|---|
| Week 1 | Lect 01 - M 3/28 | Admin stuff: Read course information handout. Introduction: Four classical problems. Key distribution. Dating problem. Millionaire’s problem. |
| | Lect 02 - W 3/30 | Physical solution for millionaire’s problem. Protocol for the average-salary problem. The ring \Z_N of integers modulo N. Space aliens: chess is a stupid game. |
| | Lect 03 - F 4/01 | Substitution ciphers (a bad encryption scheme). Diaconis’ ciphertext-only attack. Other problems with the scheme. Alphabets, strings. Approximating ln n! |
| Week 2 | Lect 04 - M 4/04 | Stream ciphers. Three notions of security: Shannon security, perfect privacy, perfect indistinguishability. One-time pads. Problems with one-time pads. |
| | Lect 05 - W 4/06 | PS1 due. Truly random number generators. Breaking PRGs with 2^k time. Fields, irreducible polynomials, primitive polynomials, and LFSRs. |
| | Lect 06 - F 4/08 | The recurrence relation associated to an LFSR. Galois form of an LFSR. Trivium. RC4. Dealing with key-setup costs and loss of synchronization: PRFs. |
| Week 3 | Lect 07 - M 4/11 | The Data Encryption Standard (DES): history, Feistel networks, definition of the algorithm, implementation comments, exhaustive key search. |
| | Lect 08 - W 4/13 | PS2 due. Analysis of exhaustive key search. Protecting DES from it: 3DES and DESX. Why 2DES doesn’t work. Linear & differential cryptanalysis. |
| | Lect 09 - F 4/15 | Description of AES and the process by which it arose. Defining a blockcipher’s security by associating a real number to an adversary: Adv(A). |
| Week 4 | Lect 10 - M 4/18 | Review: gjm-security. Too weak. Key-recovery (kr) security. Too weak. The ideal blockcipher, Bloc(n). A reduction: gjm-secure ⇒ kr-secure. |
| | Lect 11 - W 4/20 | Review of last lecture. PRP-security (expressed in two ways). PRP-security implies key-recovery security (didn’t finish analyzing the reduction). |
| | Lect 12 - F 4/22 | PS3 due. Finish analyzing the reduction from last time. Tightness of reductions. ECB mode. Problems with ECB mode. Dealing with the length-restriction issue. |
| Week 5 | Lect 13 - M 4/25 | More modes of operation: ECB, CBC#, CBC$, CTR#, CTR$. How do you know if an encryption mode is good? Towards a definition of security (ind-security). |
| | Lect 14 - W 4/27 | The ind notion of security. The ind$ notion. ind$-security implies ind-security: a hybrid argument. Trying to break the ind-security of some modes. |
| | Lect 15 - F 4/29 | Finish symmetric encryption. Cryptographic hash functions: one-wayness, second-preimage resistance, and collision resistance. Applications. |
| Week 6 | Lect 16 - M 5/02 | Merkle-Damgaard and Davies-Meyer constructions. Definition of SHA1. Problems defining collision resistance: the “human ignorance” viewpoint. |
| | Lect 17 - W 5/04 | PS4 due. Finish human-ignorance view. Proving Merkle-Damgaard. Constructing a PRF on {0,1}*: keying MD doesn’t work; CR-hash then PRP does. |
| | Lect 18 - F 5/06 | Correcting an error from last time. HMAC and its security. The CBC MAC and CMAC, and their security. MACs. PRF-secure implies MAC-secure. |
| Week 7 | Lect 19 - M 5/09 | Authenticated encryption. Ways to combine a PRF and an ind-secure encryption scheme. Another wrong approach: adding a checksum to CBC encryption. |
| | Lect 20 - W 5/11 | Authenticated encryption, cont. Why adding redundancy to CBC encryption doesn’t work. Associated data. AE modes CCM, GCM, and OCB. |
| | Lect 21 - F 5/13 | Finishing OCB: realizing tweakable blockciphers. Public-key encryption. Trapdoor permutations. Diffie-Hellman key exchange. Two DH assumptions. |
| Week 8 | Lect 22 - M 5/16 | PS5 due. Review of trapdoor permutations, DH assumptions, and ElGamal encryption. Defining public-key encryption. Defining digital signatures. |
| | Lect 23 - W 5/18 | Number-theoretic preliminaries. Description of the raw RSA trapdoor permutation. Raw RSA as an encryption scheme (wrong) or signature scheme (wrong). |
| | Lect 24 - F 5/20 | Encrypting with RSA: bit-by-bit enc + random x with lsb(x)=b. PKCS #1, v.1. OAEP. The random-oracle paradigm. Signing with RSA: PKCS #1, v.1, and FDH. |
| Week 9 | Lect 25 - M 5/23 | PS6 due. The PSS signature scheme. ElGamal and DSA signatures. Elliptic curve groups (how to define addition) and why they’re used. |
| | Lect 26 - W 5/25 | Signing with a hash function: Lamport signatures and Merkle trees. Public-key certificates and IBE. What an FHE scheme does. |
| | Lect 27 - F 5/27 | The Oblivious Transfer (OT) problem and an RSA-based solution. 2-Party Secure Function Evaluation (2P SFE) and a solution with OT and a blockcipher. |
| Week 10 | Lect xx - M 5/30 | Holiday — no class. Don’t come to class. Go away. Do something interesting. Go study your crypto, of course. |
| | Lect 28 - W 6/01 | PS7 due. Zero-knowledge interactive proofs. ZK protocol for GRAPH 3-COLOR. The ambiguous relationship between cryptography and power. Bye! |
| | Lect xx - F 6/03 | I will lead a review session (it is of course optional) from 2:10–4 in our usual room. |
| Week 11 | Lect xx - R 6/09 | Final – 10:30-12:30 (146 Robbins) |
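
Added example for Lect 05/06 (LFSRs, Galois form, primitive polynomials). This is not course material; it is an illustration written for this page. It clocks a Fibonacci LFSR from its recurrence and a Galois LFSR as multiplication by x in GF(2)[x]/(p), and measures periods for three constructed degree-4 polynomials: a primitive one (maximal period 2^4 - 1 = 15), an irreducible but non-primitive one (period 5, since it divides x^5 - 1), and a reducible one (period depends on the seed). Polynomial encoding as an int with bit i for x^i is an assumption of this example.

```python
# Added example (not part of the course page): Fibonacci and Galois LFSRs over
# GF(2).  A degree-d LFSR with a constant term has maximal period 2^d - 1
# exactly when its feedback polynomial is primitive.
# Polynomial encoding (assumption): int with bit i set for the term x^i,
# e.g. 0b10011 == x^4 + x + 1.


def _degree(poly: int) -> int:
    return poly.bit_length() - 1


def fibonacci_step(poly: int, state: int) -> int:
    """One clock of the Fibonacci LFSR with recurrence
    s[n+d] = c[d-1]*s[n+d-1] + ... + c[0]*s[n]   (mod 2),
    where poly = x^d + c[d-1] x^(d-1) + ... + c[0].
    Bit i of `state` holds s[n+i]; the new bit enters at the top."""
    d = _degree(poly)
    taps = poly & ((1 << d) - 1)                # drop the leading x^d term
    new_bit = bin(state & taps).count("1") & 1  # GF(2) dot product = parity
    return (state >> 1) | (new_bit << (d - 1))


def galois_step(poly: int, state: int) -> int:
    """One clock of the Galois LFSR: multiply the field element `state`
    (a polynomial of degree < d) by x and reduce modulo poly."""
    d = _degree(poly)
    state <<= 1
    if (state >> d) & 1:
        state ^= poly
    return state


def lfsr_output(poly: int, state: int, n: int, step=fibonacci_step) -> list:
    """First n output bits: the low bit of the state at each clock."""
    out = []
    for _ in range(n):
        out.append(state & 1)
        state = step(poly, state)
    return out


def lfsr_period(poly: int, state: int, step=fibonacci_step) -> int:
    """Clock until the state repeats.  Requires a constant term (poly odd) so
    the step map is a bijection and every orbit is a pure cycle."""
    if poly & 1 == 0:
        raise ValueError("feedback polynomial needs a constant term")
    if state == 0:
        return 1
    s, n = step(poly, state), 1
    while s != state:
        s, n = step(poly, s), n + 1
    return n


# Constructed test polynomials of degree 4:
PRIMITIVE = 0b10011    # x^4 + x + 1: primitive, period 15 for every nonzero seed
IRREDUCIBLE = 0b11111  # x^4 + x^3 + x^2 + x + 1: irreducible, divides x^5 - 1, period 5
REDUCIBLE = 0b10001    # x^4 + 1 = (x + 1)^4: reducible, period depends on the seed


if __name__ == "__main__":
    for name, p in [("primitive", PRIMITIVE), ("irreducible", IRREDUCIBLE),
                    ("reducible", REDUCIBLE)]:
        for seed in (0b0001, 0b1111):
            print(f"{name:11s} seed={seed:04b} fibonacci={lfsr_period(p, seed):2d} "
                  f"galois={lfsr_period(p, seed, galois_step):2d}")
    print("x^4+x+1 keystream:", "".join(map(str, lfsr_output(PRIMITIVE, 1, 15))))
```

The Galois form makes the "field" view concrete: the nonzero elements of GF(2^4) form a cyclic group of order 15, and repeated multiplication by x visits all of them only when x generates the group, i.e. when p is primitive. The balance property of the resulting m-sequence (eight ones in every period of 15) is one of the statistics a period check alone does not reveal.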
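
Added example for Lect 08 ("Why 2DES doesn't work"). It is not code from the course; it is a meet-in-the-middle attack written for this page against double encryption. A constructed 4-round Feistel cipher with 32-bit blocks and 16-bit keys stands in for DES (the round function, key schedule and the victim's keys 0x1234/0xBEEF are all assumptions of the example) so that the attack finishes in seconds; the argument generalizes unchanged to 56-bit DES keys, where it cuts 2^112 work to about 2^57.

```python
# Added example (not course code): meet-in-the-middle against E_k2(E_k1(P)).
# Toy cipher (assumption): 4-round Feistel, 32-bit block, 16-bit key.

MASK16 = 0xFFFF
KEY_BITS = 16
ROUNDS = 4


def _f(x: int, k: int) -> int:
    """Toy round function; it only needs to be keyed and deterministic."""
    x = (x ^ k) & MASK16
    x = (x * 0x9E37 + 0x79B9) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16


def _subkeys(key: int) -> list:
    return [(key + i * 0x5B33) & MASK16 for i in range(ROUNDS)]


def encrypt(key: int, block: int) -> int:
    l, r = block >> 16, block & MASK16
    for k in _subkeys(key):
        l, r = r, l ^ _f(r, k)
    return (l << 16) | r


def decrypt(key: int, block: int) -> int:
    l, r = block >> 16, block & MASK16
    for k in reversed(_subkeys(key)):
        l, r = r ^ _f(l, k), l
    return (l << 16) | r


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """2DES-style: E_k2(E_k1(P)), nominal key size 2 * KEY_BITS bits."""
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover every (k1, k2) consistent with known (plaintext, ciphertext) pairs.
    Cost: 2^KEY_BITS encryptions + 2^KEY_BITS decryptions and a table of
    2^KEY_BITS entries, instead of 2^(2*KEY_BITS) trial double-encryptions.
    Extra pairs weed out the ~1 chance collision on the first pair."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(1 << KEY_BITS):            # forward half: E_k1(P0)
        middle.setdefault(encrypt(k1, p0), []).append(k1)
    hits = []
    for k2 in range(1 << KEY_BITS):            # backward half: D_k2(C0)
        for k1 in middle.get(decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                hits.append((k1, k2))
    return hits


# Constructed scenario: the victim's keys and three known plaintext blocks.
SECRET_K1, SECRET_K2 = 0x1234, 0xBEEF
KNOWN_PLAINTEXTS = [0x00000000, 0xDEADBEEF, 0x12345678]


def recover_keys():
    pairs = [(p, double_encrypt(SECRET_K1, SECRET_K2, p)) for p in KNOWN_PLAINTEXTS]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("recovered:", [(hex(a), hex(b)) for a, b in recover_keys()])
```

The table is what turns the product of two key spaces into a sum: the attack's time is about 2^(k+1) cipher calls and its memory 2^k entries, which is why doubling the cipher does not double the effective key length and why 3DES is used instead.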
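
Added example for Lect 16-18 (Merkle-Damgaard, definition of SHA1, "keying MD doesn't work", HMAC). It is not course code. A from-scratch SHA-1 exposes the chaining state so that the length-extension attack can be run: from tag = SHA1(K || M) and only the length of K, the attacker computes a valid tag for K || M || glue || suffix. Results are checked against hashlib. The key, message and suffix are constructed sample data; SHA-1 is used because the course defines it, not as a recommendation.

```python
# Added example (not the course's code): length extension against H(K || M)
# with a Merkle-Damgaard hash (SHA-1), i.e. why keying MD by prefix is not a
# PRF or a MAC.  HMAC's outer hash is what closes this hole.
import hashlib
import struct

_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
_M32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M32


def _compress(state, block):
    """SHA-1 compression function: 64-byte block -> new 5-word chaining state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + (f & _M32) + e + k + w[i]) & _M32
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return tuple((s + v) & _M32 for s, v in zip(state, (a, b, c, d, e)))


def md_padding(total_len):
    """Merkle-Damgaard strengthening: 0x80, zeros to 56 mod 64, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(msg, state=_IV, already_hashed=0):
    """SHA-1 of msg; optionally resume from a known chaining state that has
    already absorbed `already_hashed` bytes (a multiple of 64)."""
    data = msg + md_padding(already_hashed + len(msg))
    for i in range(0, len(data), 64):
        state = _compress(state, data[i:i + 64])
    return struct.pack(">5I", *state)


def keyed_md_tag(key, msg):
    """The broken 'MAC' from the lecture: hash the key as a prefix."""
    return sha1(key + msg)


def extend(tag, key_len, msg, suffix):
    """Attacker: given tag = sha1(key || msg) and key_len, forge the tag of
    key || msg || glue || suffix without the key.  Returns (new_msg, new_tag)."""
    glue = md_padding(key_len + len(msg))            # the padding the victim used
    state = struct.unpack(">5I", tag)                # tag IS the chaining state
    new_tag = sha1(suffix, state, key_len + len(msg) + len(glue))
    return msg + glue + suffix, new_tag


# Constructed scenario: a server tags a query string; the attacker knows only
# the key length (10 bytes) and appends a parameter.
KEY = b"s3cret-k3y"
MESSAGE = b"user=alice&role=guest"
SUFFIX = b"&role=admin"


def demo():
    tag = keyed_md_tag(KEY, MESSAGE)
    forged_msg, forged_tag = extend(tag, len(KEY), MESSAGE, SUFFIX)
    return keyed_md_tag(KEY, forged_msg) == forged_tag, forged_msg


if __name__ == "__main__":
    ok, forged = demo()
    print("forgery verifies:", ok)
    print("forged message:", forged)
```

The glue bytes (0x80, zeros and the bit-length) land inside the forged message, which is why parsers that tolerate binary junk between parameters make this attack practical. The course's fix, HMAC, hashes the inner result again under a second key-derived block, so the tag no longer equals an intermediate chaining state.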
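
Added example for Lect 23 ("Raw RSA as an encryption scheme (wrong) or signature scheme (wrong)"). It is not code from the course. Both failures come from the same fact, that raw RSA is multiplicative: the block forges a signature on m1*m2 from signatures on m1 and m2, and decrypts a chosen ciphertext through an oracle that refuses that exact ciphertext, by blinding it with r^e. The toy primes 10007 and 10009, the messages and the blinding factor are constructed for the example; the algebra is identical at 2048 bits.

```python
# Added example (not from the course): the multiplicative structure of raw RSA
# and the two textbook attacks it enables.  Requires Python 3.8+ for
# pow(x, -1, m).

P, Q = 10007, 10009                  # toy primes (constructed example)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent


def rsa_sign(m):
    return pow(m, D, N)              # s = m^d mod N (no hashing, no padding)


def rsa_verify(m, s):
    return pow(s, E, N) == m % N


def rsa_encrypt(m):
    return pow(m, E, N)              # c = m^e mod N (no padding)


def rsa_decrypt(c):
    return pow(c, D, N)


def forge_signature(m1, s1, m2, s2):
    """Existential forgery: from valid (m1, s1) and (m2, s2), a valid signature
    on m1*m2 mod N, since (m1*m2)^d = m1^d * m2^d."""
    return (m1 * m2) % N, (s1 * s2) % N


def blinded_decrypt(c, oracle, r=12345):
    """Chosen-ciphertext attack: the oracle refuses c itself, so submit
    c * r^e mod N, which encrypts m*r, then strip the blinding factor r."""
    r_inv = pow(r, -1, N)            # raises ValueError if gcd(r, N) != 1
    m_blind = oracle((c * pow(r, E, N)) % N)
    return (m_blind * r_inv) % N


def demo():
    # 1. Signature forgery from two legitimately signed messages.
    m1, m2 = 424242, 31337
    m3, s3 = forge_signature(m1, rsa_sign(m1), m2, rsa_sign(m2))

    # 2. Decrypting a "protected" ciphertext through a restricted oracle.
    secret = 8675309
    c = rsa_encrypt(secret)

    def oracle(x):
        if x == c:
            raise PermissionError("won't decrypt the challenge ciphertext")
        return rsa_decrypt(x)

    return rsa_verify(m3, s3), blinded_decrypt(c, oracle) == secret


if __name__ == "__main__":
    print("forged signature verifies, blinded decryption recovers m:", demo())
```

The attacker never learns d and never factors N; both attacks only use that exponentiation respects multiplication. The padding schemes the course turns to next (OAEP, PKCS #1, FDH, PSS) exist to destroy exactly this structure before the trapdoor permutation is applied.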