### ECS 227 - Modern Cryptography Spring 2007 - List of Lecture Topics

Wk ....Lecture.... ................................................................................Topic ................................................................................
0 #01 (W 3/28) Introduction. Classical vs. modern cryptography. NP-Completeness analogy. "Where" provable security is done. Classical goals. Bit commitment.
1 #02 (M 4/02) Coin flipping, dating problem, general secure function evaluation. Blockciphers and their syntax. DES and its history. DES is not a group.
#03 (W 4/04) History of AES. A description of the algorithm. Finite fields. Key-recovery security, Adv^kr_E(A), and why it doesn't work.
2 #xx (M 4/09) Phil is out of town today. Lecture, with and bagels, moved to Friday, 4/13.
#04 (W 4/11) One-more-pair blockcipher security and its problems. The PRP and PRF notions for blockcipher security. PRP/PRF switching lemma and a proof for it.
#05 (F 4/13) The bug in the PRP/PRF switching lemma. A game-playing proof. The Fundamental Lemma. Bernstein's PRP/PRF switching lemma and its proofs.
3 #06 (M 4/16) Finish Bernstein's Lemma. PRP-security ==> KR-security. PRP2 security (E_K E_K vs E_K pi). PRP ==> implies PRP2 security: a hybrid argument.
#07 (W 4/18) Finish proof of PRP/PRP2 equivalence. Symmetric encryption: the syntax of an encryption scheme.
4 #08 (M 4/23) Notions for symmetric encryption scheme security: semantic security; (left-or-right) indistinguishability; real-or-random security; find-then-guess security.
#09 (W 4/25) Solutions to HW 1. Proving the equivalence of our various notions of encryption.
5 #10 (M 4/30) IND\$ implies RR-security. Attacks on CBC encryption schemes. Proving the security of CBC\$.
#11 (W 5/02) Variants: stateful encryption, nonce-based encryption. Discussion about student projects. CCA2 security. Authenticated encryption.
6 #12 (M 5/07) Tweakable blockciphers. An AE scheme based on them. Realizing an efficient tweakable blockcipher.
#13 (W 5/09) Various notions for authentication: authenticated encryption, MACs, MAC generation/verification. Wegman-Carter MACs.
7 #14 (M 5/14) Two flavors of WC MACs. An e-AU hash function by polynomial evaluation. Proving security for WC MACs. Examples: Poly1305, UMAC, CMAC.
#15 (W 5/16) Cryptographic hash functions. Merkle-Damgard iteration. SHA-1. HMAC. The WC view of HMAC. The makings of a standard.
8 #16 (M 5/21) Solns to HW 2. Generic composition: IND-CPA prob encryption + a PRF. Nonce-based case. Public-key encryption. Security notions. ElGamal.
#17 (W 5/23) DL, CDH, DDH. IND-CPA/IND-CCA of ElGamal. Cramer-Shoup. The random-oracle paradigm. DHIES. Hybrid encryption.
9 #xx (M 5/28) Memorial Day - no class
#18 (W 5/30) Trapdoor permutations. The RSA trapdoor permutation. Hardcore bits. How to encrypt with RSA. OAEP.
#xx (R 5/31) Distinguished Lecture: Prof. Silvio Micali will speak on optomistic exchanges at 3:10 in 1065 Kemper.
10 #19 (M 6/04 Digital signatures. Definitions and RSA-FDH. A RO-model proof.
#20 (W 6/06) Entity authentication and key distribution. Vocabulary. Variants. The Needham-Schroeder protocol. A model and a sketch of a definition.