ECS 189A - Cryptography - Spring 2011 - List of Lecture Topics

Lecture Topic

Week 1 Lect 01 - M 3/28 Admin stuff: Read course information handout. Introduction: Four classical problems. Key distribution. Dating problem. Millionaire’s problem.

Lect 02 - W 3/30 Physical solution for millionaire’s problem. Protocol for the average-salary problem. The ring \Z_N of integers modulo N. Space aliens: chess is a stupid game.

Lect 03 - F 4/01 Substitution ciphers (a bad encryption scheme). Diaconis’ ciphertext-only attack. Other problems with the scheme. Alphabets, strings. Approximating ln n!

Week 2 Lect 04 - M 4/04 Stream ciphers. Three notions of security: Shannon security, perfect privacy, perfect indistinguishability. One-time pads. Problems with one-time pads.

Lect 05 - W 4/06 PS1 due. Truly random number generators. Breaking PRGs with 2^k time. Fields, irreducible polynomials, primitive polynomials, and LFSRs.

Lect 06 - F 4/08 The recurrence relation associated to an LFSR. Galois form of an LFSR. Trivium. RC4. Dealing with key-setup costs and loss of synchronization: PRFs.

Week 3 Lect 07 - M 4/11 The Data Encryption Standard (DES): history, Feistel networks, definition of the algorithm, implementation comments, exhaustive key search.

Lect 08 - W 4/13 PS2 due. Analysis of exhaustive key search. Protecting DES from it: 3DES and DESX. Why 2DES doesn’t work. Linear & Differential cryptanalysis.

Lect 09 - F 4/15 Description of AES and the process by which it arose. Defining a blockcipher’s security by associating a real number to an adversary: Adv(A).

Week 4 Lect 10 - M 4/18 Review: gjm-security. Too weak. Key-recovery (kr) security. Too weak. The ideal blockcipher, Bloc(n). A reduction: gjm-secure ⇒ kr-secure.

Lect 11 - W 4/20 Review of last lecture. PRP-security (expressed in two way). PRP-security implies key-recovery security (didn’t finish analyzing the reduction).

Lect 12 - F 4/22 PS3 due. Finish analyzing the reduction from last time. Tightness of reductions. ECB mode. Problems with ECB mode. Dealing with the length-restriction issue.

Week 5 Lect 13 - M 4/25 More modes of operation: ECB, CBC#, CBC$, CTR#, CTR$. How do you know if an encryption mode is good? Towards a definition of security (ind-security).

Lect 14 - W 4/27 The ind notion of security. The ind$-notion. ind$-security implies ind-security: a hybrid argument. Trying to break the ind-security of some modes.

Lect 15 - F 4/29 Finish symmetric encryption. Cryptographic hash functions: one-wayness, second preimage resistance, and collision resistance. Applications.

Week 6 Lect 16 - M 5/02 Merkle-Damgaard and Davies-Meyer constructions. Definition of SHA1. Problems defining collision-resistance: the “human ignorance” viewpoint.

Lect 17 - W 5/04 PS4 due. Finish human-ignorance view. Proving Merkle-Damgaard. Constructing a PRF on {0,1}*: keying MD doesn’ work; CR-hash then PRP does.

Lect 18 - F 5/06 Correcting an error from last time. HMAC and its security. The CBC MAC and CMAC, and their security. MACs. PRF-secure implies MAC-secure.

Week 7 Lect 19 - M 5/9 Authenticated encryption. Ways to combine a PRF and an ind-secure encryption scheme. Another wrong approach: adding a checksum to CBC encryption.

Lect 20 - W 5/11 Authenticated encryption, cont. Why adding redundancy to CBC encryption doesn’t work. Associated data. AE modes CCM, GCM, and OCB.

Lect 21 - F 5/13 Finishing OCB: realizing tweakable blockciphers. Public-key encryption. Trapdoor permutations. Diffie-Hellman key exchange. Two DH assumptions.

Week 8 Lect 22 - M 5/16 PS5 due. Review of trapdoor permutations, DH assumptions, and ElGamal encryption. Defining public-key encryption. Defining digital signatures.

Lect 23 - W 5/18 Number-theoretic preliminaries. Description of the raw RSA trapdoor permutation. Raw RSA as an encryption scheme (wrong) or signature scheme (wrong).

Lect 24 - F 5/20 Encrypting with RSA: bit-by-bit enc + random x with lsb(x)=b. PKCS #1, v.1. OAEP. The random-oracle paradigm. Signing with RSA: PKCS #1, v.1, and FDH.

Week 9 Lect 25 - M 5/23 PS6 due. The PSS signature scheme. ElGamal and DSA signatures. Elliptic curve groups (how to define addition) and why they’re used.

Lect 26 - W 5/25 Signing with a hash function: Lamport signatures and Merkle trees. Public-key certificates and IBE. What an FHE scheme does.

Lect 27 - F 5/27 The Oblivious Transfer (OT) problem and an RSA-based solution. 2-Party Secure Function Evaluation (2P SFE) and a solution with OT and a blockcipher.

Week 10 Lect xx - M 5/30 Holiday — no class. Don’t come to class. Go away. Do something interesting. Go study your crypto, of course.

Lect 28 - W 6/01 PS7 due. Zero-knowledge interactive proofs. ZK protocol for GRAPH 3-COLOR. The ambiguous relationship between cryptography and power. Bye!

Lect xx - F 6/03 I will lead a review session (it is of course optional) from 2:10–4 in our usual room.

Week 11 Lect xx - R 6/09 Final – 10:30-12:30 (146 Robbins)

ECS 189A - Cryptography - Spring 2011 - List of Lecture Topics
	Lecture	Topic
Week 1	Lect 01 - M 3/28	Admin stuff: Read course information handout. Introduction: Four classical problems. Key distribution. Dating problem. Millionaire’s problem.
	Lect 02 - W 3/30	Physical solution for millionaire’s problem. Protocol for the average-salary problem. The ring \Z_N of integers modulo N. Space aliens: chess is a stupid game.
	Lect 03 - F 4/01	Substitution ciphers (a bad encryption scheme). Diaconis’ ciphertext-only attack. Other problems with the scheme. Alphabets, strings. Approximating ln n!
Week 2	Lect 04 - M 4/04	Stream ciphers. Three notions of security: Shannon security, perfect privacy, perfect indistinguishability. One-time pads. Problems with one-time pads.
	Lect 05 - W 4/06	PS1 due. Truly random number generators. Breaking PRGs with 2^k time. Fields, irreducible polynomials, primitive polynomials, and LFSRs.
	Lect 06 - F 4/08	The recurrence relation associated to an LFSR. Galois form of an LFSR. Trivium. RC4. Dealing with key-setup costs and loss of synchronization: PRFs.
Week 3	Lect 07 - M 4/11	The Data Encryption Standard (DES): history, Feistel networks, definition of the algorithm, implementation comments, exhaustive key search.
	Lect 08 - W 4/13	PS2 due. Analysis of exhaustive key search. Protecting DES from it: 3DES and DESX. Why 2DES doesn’t work. Linear & Differential cryptanalysis.
	Lect 09 - F 4/15	Description of AES and the process by which it arose. Defining a blockcipher’s security by associating a real number to an adversary: Adv(A).
Week 4	Lect 10 - M 4/18	Review: gjm-security. Too weak. Key-recovery (kr) security. Too weak. The ideal blockcipher, Bloc(n). A reduction: gjm-secure ⇒ kr-secure.
	Lect 11 - W 4/20	Review of last lecture. PRP-security (expressed in two way). PRP-security implies key-recovery security (didn’t finish analyzing the reduction).
	Lect 12 - F 4/22	PS3 due. Finish analyzing the reduction from last time. Tightness of reductions. ECB mode. Problems with ECB mode. Dealing with the length-restriction issue.
Week 5	Lect 13 - M 4/25	More modes of operation: ECB, CBC#, CBC$, CTR#, CTR$. How do you know if an encryption mode is good? Towards a definition of security (ind-security).
	Lect 14 - W 4/27	The ind notion of security. The ind$-notion. ind$-security implies ind-security: a hybrid argument. Trying to break the ind-security of some modes.
	Lect 15 - F 4/29	Finish symmetric encryption. Cryptographic hash functions: one-wayness, second preimage resistance, and collision resistance. Applications.
Week 6	Lect 16 - M 5/02	Merkle-Damgaard and Davies-Meyer constructions. Definition of SHA1. Problems defining collision-resistance: the “human ignorance” viewpoint.
	Lect 17 - W 5/04	PS4 due. Finish human-ignorance view. Proving Merkle-Damgaard. Constructing a PRF on {0,1}*: keying MD doesn’ work; CR-hash then PRP does.
	Lect 18 - F 5/06	Correcting an error from last time. HMAC and its security. The CBC MAC and CMAC, and their security. MACs. PRF-secure implies MAC-secure.
Week 7	Lect 19 - M 5/9	Authenticated encryption. Ways to combine a PRF and an ind-secure encryption scheme. Another wrong approach: adding a checksum to CBC encryption.
	Lect 20 - W 5/11	Authenticated encryption, cont. Why adding redundancy to CBC encryption doesn’t work. Associated data. AE modes CCM, GCM, and OCB.
	Lect 21 - F 5/13	Finishing OCB: realizing tweakable blockciphers. Public-key encryption. Trapdoor permutations. Diffie-Hellman key exchange. Two DH assumptions.
Week 8	Lect 22 - M 5/16	PS5 due. Review of trapdoor permutations, DH assumptions, and ElGamal encryption. Defining public-key encryption. Defining digital signatures.
	Lect 23 - W 5/18	Number-theoretic preliminaries. Description of the raw RSA trapdoor permutation. Raw RSA as an encryption scheme (wrong) or signature scheme (wrong).
	Lect 24 - F 5/20	Encrypting with RSA: bit-by-bit enc + random x with lsb(x)=b. PKCS #1, v.1. OAEP. The random-oracle paradigm. Signing with RSA: PKCS #1, v.1, and FDH.
Week 9	Lect 25 - M 5/23	PS6 due. The PSS signature scheme. ElGamal and DSA signatures. Elliptic curve groups (how to define addition) and why they’re used.
	Lect 26 - W 5/25	Signing with a hash function: Lamport signatures and Merkle trees. Public-key certificates and IBE. What an FHE scheme does.
	Lect 27 - F 5/27	The Oblivious Transfer (OT) problem and an RSA-based solution. 2-Party Secure Function Evaluation (2P SFE) and a solution with OT and a blockcipher.
Week 10	Lect xx - M 5/30	Holiday — no class. Don’t come to class. Go away. Do something interesting. Go study your crypto, of course.
	Lect 28 - W 6/01	PS7 due. Zero-knowledge interactive proofs. ZK protocol for GRAPH 3-COLOR. The ambiguous relationship between cryptography and power. Bye!
	Lect xx - F 6/03	I will lead a review session (it is of course optional) from 2:10–4 in our usual room.
Week 11	Lect xx - R 6/09	Final – 10:30-12:30 (146 Robbins)