ECS 227 - Modern Cryptography Spring 2007 - List of Lecture Topics

Wk ....Lecture.... ................................................................................Topic ................................................................................

0 #01 (W 3/28) Introduction. Classical vs. modern cryptography. NP-Completeness analogy. "Where" provable security is done. Classical goals. Bit commitment.

1 #02 (M 4/02) Coin flipping, dating problem, general secure function evaluation. Blockciphers and their syntax. DES and its history. DES is not a group.

#03 (W 4/04) History of AES. A description of the algorithm. Finite fields. Key-recovery security, Adv^kr_E(A), and why it doesn't work.

2 #xx (M 4/09) Phil is out of town today. Lecture, with and bagels, moved to Friday, 4/13.

#04 (W 4/11) One-more-pair blockcipher security and its problems. The PRP and PRF notions for blockcipher security. PRP/PRF switching lemma and a proof for it.

#05 (F 4/13) The bug in the PRP/PRF switching lemma. A game-playing proof. The Fundamental Lemma. Bernstein's PRP/PRF switching lemma and its proofs.

3 #06 (M 4/16) Finish Bernstein's Lemma. PRP-security ==> KR-security. PRP2 security (E_K E_K vs E_K pi). PRP ==> implies PRP2 security: a hybrid argument.

#07 (W 4/18) Finish proof of PRP/PRP2 equivalence. Symmetric encryption: the syntax of an encryption scheme.

4 #08 (M 4/23) Notions for symmetric encryption scheme security: semantic security; (left-or-right) indistinguishability; real-or-random security; find-then-guess security.

#09 (W 4/25) Solutions to HW 1. Proving the equivalence of our various notions of encryption.

5 #10 (M 4/30) IND$ implies RR-security. Attacks on CBC encryption schemes. Proving the security of CBC$.

#11 (W 5/02) Variants: stateful encryption, nonce-based encryption. Discussion about student projects. CCA2 security. Authenticated encryption.

6 #12 (M 5/07) Tweakable blockciphers. An AE scheme based on them. Realizing an efficient tweakable blockcipher.

#13 (W 5/09) Various notions for authentication: authenticated encryption, MACs, MAC generation/verification. Wegman-Carter MACs.

7 #14 (M 5/14) Two flavors of WC MACs. An e-AU hash function by polynomial evaluation. Proving security for WC MACs. Examples: Poly1305, UMAC, CMAC.

#15 (W 5/16) Cryptographic hash functions. Merkle-Damgard iteration. SHA-1. HMAC. The WC view of HMAC. The makings of a standard.

8 #16 (M 5/21) Solns to HW 2. Generic composition: IND-CPA prob encryption + a PRF. Nonce-based case. Public-key encryption. Security notions. ElGamal.

#17 (W 5/23) DL, CDH, DDH. IND-CPA/IND-CCA of ElGamal. Cramer-Shoup. The random-oracle paradigm. DHIES. Hybrid encryption.

9 #xx (M 5/28) Memorial Day - no class

#18 (W 5/30) Trapdoor permutations. The RSA trapdoor permutation. Hardcore bits. How to encrypt with RSA. OAEP.

#xx (R 5/31) Distinguished Lecture: Prof. Silvio Micali will speak on optomistic exchanges at 3:10 in 1065 Kemper.

10 #19 (M 6/04 Digital signatures. Definitions and RSA-FDH. A RO-model proof.

#20 (W 6/06) Entity authentication and key distribution. Vocabulary. Variants. The Needham-Schroeder protocol. A model and a sketch of a definition.

ECS 227 - Modern Cryptography Spring 2007 - List of Lecture Topics
Wk	....Lecture....	................................................................................Topic ................................................................................
0	#01 (W 3/28)	Introduction. Classical vs. modern cryptography. NP-Completeness analogy. "Where" provable security is done. Classical goals. Bit commitment.
1	#02 (M 4/02)	Coin flipping, dating problem, general secure function evaluation. Blockciphers and their syntax. DES and its history. DES is not a group.
	#03 (W 4/04)	History of AES. A description of the algorithm. Finite fields. Key-recovery security, Adv^kr_E(A), and why it doesn't work.
2	#xx (M 4/09)	Phil is out of town today. Lecture, with and bagels, moved to Friday, 4/13.
	#04 (W 4/11)	One-more-pair blockcipher security and its problems. The PRP and PRF notions for blockcipher security. PRP/PRF switching lemma and a proof for it.
	#05 (F 4/13)	The bug in the PRP/PRF switching lemma. A game-playing proof. The Fundamental Lemma. Bernstein's PRP/PRF switching lemma and its proofs.
3	#06 (M 4/16)	Finish Bernstein's Lemma. PRP-security ==> KR-security. PRP2 security (E_K E_K vs E_K pi). PRP ==> implies PRP2 security: a hybrid argument.
	#07 (W 4/18)	Finish proof of PRP/PRP2 equivalence. Symmetric encryption: the syntax of an encryption scheme.
4	#08 (M 4/23)	Notions for symmetric encryption scheme security: semantic security; (left-or-right) indistinguishability; real-or-random security; find-then-guess security.
	#09 (W 4/25)	Solutions to HW 1. Proving the equivalence of our various notions of encryption.
5	#10 (M 4/30)	IND$ implies RR-security. Attacks on CBC encryption schemes. Proving the security of CBC$.
	#11 (W 5/02)	Variants: stateful encryption, nonce-based encryption. Discussion about student projects. CCA2 security. Authenticated encryption.
6	#12 (M 5/07)	Tweakable blockciphers. An AE scheme based on them. Realizing an efficient tweakable blockcipher.
	#13 (W 5/09)	Various notions for authentication: authenticated encryption, MACs, MAC generation/verification. Wegman-Carter MACs.
7	#14 (M 5/14)	Two flavors of WC MACs. An e-AU hash function by polynomial evaluation. Proving security for WC MACs. Examples: Poly1305, UMAC, CMAC.
	#15 (W 5/16)	Cryptographic hash functions. Merkle-Damgard iteration. SHA-1. HMAC. The WC view of HMAC. The makings of a standard.
8	#16 (M 5/21)	Solns to HW 2. Generic composition: IND-CPA prob encryption + a PRF. Nonce-based case. Public-key encryption. Security notions. ElGamal.
	#17 (W 5/23)	DL, CDH, DDH. IND-CPA/IND-CCA of ElGamal. Cramer-Shoup. The random-oracle paradigm. DHIES. Hybrid encryption.
9	#xx (M 5/28)	Memorial Day - no class
	#18 (W 5/30)	Trapdoor permutations. The RSA trapdoor permutation. Hardcore bits. How to encrypt with RSA. OAEP.
	#xx (R 5/31)	Distinguished Lecture: Prof. Silvio Micali will speak on optomistic exchanges at 3:10 in 1065 Kemper.
10	#19 (M 6/04	Digital signatures. Definitions and RSA-FDH. A RO-model proof.
	#20 (W 6/06)	Entity authentication and key distribution. Vocabulary. Variants. The Needham-Schroeder protocol. A model and a sketch of a definition.