ECS 227 - Modern Cryptography -
- Copyright notice: Lecture notes
available from this Web page are Copyright 1996 by Phillip Rogaway.
Disclaimer: These notes are quick, not polished. They are
written shortly after each lecture.
Please forgive their myriad mistakes.
Request: Please don't use these notes (eg., in another cryptography class)
without my consent.
Topic for Lecture 18 (Thursday, 3/12/96):
Finish Message authentication codes (MACs). Discuss an Internet key distribution
- Lecture 1: Introduction (1/9/96)
We describe the "classical" and "provable security" approaches to cryptography.
We give various examples of cryptographic problems.
- Lecture 2: Confusion/Diffusion Primitives (1/11/96)
We describe typical primitives to be used as the target of our reductions.
Most of the time is spent looking at DES; a bit of time on SHA.
- Lecture 3: Reducibility and the Modeling of Block Ciphers(1/16/96)
We show that an iterated hash is
collision-intractable as long as its compression function is.
We define a Finite PRP and prove a simple theorem about the robustness of the definition.
- Lecture 4: Pseudorandom Generators and Functions(1/23/96)
We review the notion of a Finite PRP and develop a notion for a PRG.
We construct the latter from the former. We develop a notion for a Finite PRF.
- Lecture 5: Analysis of PRG[Counter] Construction(1/25/96)
We prove the exact security of a simple generator constructed from our Finite PRP.
- Lecture 6: Asymptotic Cryptography and Non-Uniformity(1/30/96)
We talk about cryptography in the asymptotic, complexity-theoretic tradition.
We define PRGs and OWFs in this way. Then we describe non-uniformity and show BPP is in P/poly.
- Lectures 7-8: Symmetric Encryption (2/1/96, 2/6/96)
We develop two definitions for symmetric encryption: security in the sense of
indistinguishability, and semantic security.
- Lecture 9: Finish Symmetric Encryption; Start Asymmetric Encryption (2/8/96)
We prove that security in the sense of indistinguishability implies semantic security.
We begin our treatment of asymmetric encryption, describing the general
setup, as well as RSA.
- Lecture 10: Asymmetric Encryption (2/13/96)
We define trapdoor permutations and asymmetric encryption schemes, and we show how to
achieve the former from the later, assuming a hard-core bit for the trapdoor permutation.
- Lectures 11-12: The Goldreich-Levin Hard-Core Bit (2/13/96)
We prove that the inner-product bit is hard-core for any padded one-way function. This shows that
secure encryption is possible, assuming a trapdoor permutation.
Lectures 13: Efficient asymmetric encryption (Part I) (2/22/96).
We describe and motivate OAEP - an efficient scheme for hash-based asymmetric encryption. (Notes
by Rick Vaughn.)
- Lectures 14: Efficient asymmetric encryption (Part II) (2/27/96).
Review. Then a formal notion for encryption in the random oracle model. Malleablity. Plaintext awareness.
(Notes by Joel Dodson.)
- Lectures 15: Plaintext awareness and Digital signatures (2/29/96).
We develop the notion of plaintext awareness, and we describe how to modify OAEP to make it
plaintext aware. We begin our treatment of digital signatures.
(Notes by John Black.)
- Lectures 16: Digital signatures (3/5/96).
We define digital signatures; describe the RSA PKCS signing scheme; give a signing method which
is provably secure assuming an ideal hash function; and give a method with improved exact security.
- Lectures 17: Message Authentication Codes (3/7/96).
What are MACs, and a simple way to achieve them (Steven's MAC).
- Lectures 18: MACs and Key Distribution (3/12/96).
Finish MACs: correctness of the WC-MAC; an AXU2 hash family; and the two-step MAC approach.
Discussion on key distribution, as time permits.
John Black (blackj@cs).
Steven Cheung (cheung@cs).
Joel Dodson (dodson@cs).
Aaron Douthat (douthat@cs).
Ted Krovetz (krovetz@cs).
Julie Lang (lang@cs).
Marc Liebermann (lieberma@cs).
Eddie Lo (loe@cs).
Thilo Salmon (salmon@math).
Rick Vaughn (vaughn@math).
Scott Walnum (walnum@cs).