ECS 227 - Modern Cryptography
Phillip Rogaway
Copyright notice: Lecture notes available from this Web page are Copyright 1996 by Phillip Rogaway.

Disclaimer: These notes are quick, not polished. They are
written shortly after each lecture.
Please forgive their myriad mistakes.

Request: Please don't use these notes (e.g., in another cryptography class)
without my consent.
Topic for Lecture 18 (Thursday, 3/12/96):
Finish Message authentication codes (MACs). Discuss an Internet key distribution
protocol.
Lecture Notes
 Lecture 1: Introduction (1/9/96)
We describe the "classical" and "provable security" approaches to cryptography.
We give various examples of cryptographic problems.
 Lecture 2: Confusion/Diffusion Primitives (1/11/96)
We describe typical primitives to be used as the target of our reductions.
Most of the time is spent looking at DES; a bit of time on SHA.
 Lecture 3: Reducibility and the Modeling of Block Ciphers (1/16/96)
We show that an iterated hash is collision-intractable as long as its compression function is.
We define a Finite PRP and prove a simple theorem about the robustness of the definition.
 Lecture 4: Pseudorandom Generators and Functions (1/23/96)
We review the notion of a Finite PRP and develop a notion for a PRG.
We construct the latter from the former. We develop a notion for a Finite PRF.
 Lecture 5: Analysis of PRG[Counter] Construction (1/25/96)
We prove the exact security of a simple generator constructed from our Finite PRP.
 Lecture 6: Asymptotic Cryptography and Non-Uniformity (1/30/96)
We talk about cryptography in the asymptotic, complexity-theoretic tradition.
We define PRGs and OWFs in this way. Then we describe non-uniformity and show BPP is in P/poly.
 Lectures 7-8: Symmetric Encryption (2/1/96, 2/6/96)
We develop two definitions for symmetric encryption: security in the sense of
indistinguishability, and semantic security.
 Lecture 9: Finish Symmetric Encryption; Start Asymmetric Encryption (2/8/96)
We prove that security in the sense of indistinguishability implies semantic security.
We begin our treatment of asymmetric encryption, describing the general
setup, as well as RSA.
 Lecture 10: Asymmetric Encryption (2/13/96)
We define trapdoor permutations and asymmetric encryption schemes, and we show how to
achieve the latter from the former, assuming a hard-core bit for the trapdoor permutation.
 Lectures 11-12: The Goldreich-Levin Hard-Core Bit (2/13/96)
We prove that the inner-product bit is hard-core for any padded one-way function. This shows that
secure encryption is possible, assuming a trapdoor permutation.

 Lecture 13: Efficient Asymmetric Encryption (Part I) (2/22/96).
We describe and motivate OAEP, an efficient scheme for hash-based asymmetric encryption.
(Notes by Rick Vaughn.)
 Lecture 14: Efficient Asymmetric Encryption (Part II) (2/27/96).
Review. Then a formal notion for encryption in the random oracle model. Malleability. Plaintext awareness.
(Notes by Joel Dodson.)
 Lecture 15: Plaintext Awareness and Digital Signatures (2/29/96).
We develop the notion of plaintext awareness, and we describe how to modify OAEP to make it
plaintext aware. We begin our treatment of digital signatures.
(Notes by John Black.)
 Lecture 16: Digital Signatures (3/5/96).
We define digital signatures; describe the RSA PKCS signing scheme; give a signing method which
is provably secure assuming an ideal hash function; and give a method with improved exact security.
 Lecture 17: Message Authentication Codes (3/7/96).
What are MACs, and a simple way to achieve them (Steven's MAC).
The Wegman-Carter MAC.
 Lecture 18: MACs and Key Distribution (3/12/96).
Finish MACs: correctness of the WC-MAC; an AXU2 hash family; and the two-step MAC approach.
Discussion on key distribution, as time permits.
Homework Assignments
Administrative
More Stuff
Our Class
John Black (blackj@cs).
Steven Cheung (cheung@cs).
Joel Dodson (dodson@cs).
Aaron Douthat (douthat@cs).
Ted Krovetz (krovetz@cs).
Julie Lang (lang@cs).
Marc Liebermann (lieberma@cs).
Eddie Lo (loe@cs).
Thilo Salmon (salmon@math).
Rick Vaughn (vaughn@math).
Scott Walnum (walnum@cs).