W4261 Introduction to Cryptography:
Fall 2012 Lecture Summaries
- Lecture 1 (9/4) Introduction to class and to modern
cryptography (cryptographic applications, primitives,
assumptions, Kerckhoffs's principle, etc.). Discussion and
motivation for (private key) encryption schemes, and what security
should mean. Reading: Chapter 1.
- Lecture 2 (9/6)
Overview of some classical ciphers. Two definitions of perfect
security (equivalent, though we did not prove it). The one-time pad
satisfies perfect security. Reading: Chapter 2. Homework 1 out.
- Lecture 3 (9/11)
Inherent problems with perfectly secure encryption (proved the key
space must be at least as large as the message space; no security for
multiple messages unless we add a persisting state; etc.). Motivation and
discussion for the computational approach. Definition of
computational security (indistinguishability against
eavesdropper). Motivated PRG as a tool for encryption.
Reading: Chapter 3.1, 3.2.
- Recitation 1 (9/13)
Review of randomized algorithms and discrete probability facts.
Adversarial based definition of perfect security. Prove
equivalence of different perfect security definitions.
Introduction to modular arithmetic, cyclic groups, Zn, Zn*, phi(n),
the extended Euclidean algorithm for gcd and inverse finding in Zn*,
Euler's theorem / Fermat's little theorem, efficient generation of
random primes, quadratic residues.
Reading: Appendix A, B.1, B.2, Prof Trevisan's probability notes
(see background reading).
Homework 1 due.
- 9/18 class cancelled due to Rosh Hashana
- Lecture 4 (9/20)
Motivation and definition of PRG. Application for encryption
(stream cipher). Discussion of PRG constructions in
theory and in practice. Mentioned some vulnerabilities of practical
constructions and improper use. Proved that if P=NP then no PRG
exists (justifying why we rely on some computational
assumptions). Reading: Chapter 3.3.
- Lecture 5 (9/25)
Review of PRG and Encryption definitions, mentioned variable
length PRG.
Formal proof that if PRGs exist, then the stream cipher is a secure
encryption scheme (indistinguishable against an eavesdropper).
Discussed the general proof by reduction paradigm.
Informally defined security for multiple messages, and showed that
this scheme, and any other deterministic one, fails (unless a
stateful version is used).
Stated that if there is a PRG with any expansion, then there is a
PRG with arbitrary polynomial expansion (outlined the
construction but no formal proof). Reading: Chapter 3.4.
Homework 2 out.
- Lecture 6 (9/27)
Proved that if G is a PRG, then G⋅G is also a PRG (proof using a
hybrid argument). Discussed other good and bad constructions of
PRGs from other PRGs. Defined chosen plaintext attack (CPA)
secure encryption. Reading: Chapter 3.5.
- Lecture 7 (10/2)
CPA security review. CPA security implies multiple message CPA
security (proof omitted). CPA security cannot be achieved by
deterministic (stateless) encryption. Proof that given a truly
random function shared as an (exponential-size) key, CPA security
can be achieved. Definition of pseudorandom functions (PRF), and
their use for CPA secure encryption (proof to be completed next
time). Discussion of PRFs and their comparison to PRGs.
Reading: Chapter 3.6.1, 3.6.2
- Lecture 8 (10/4) Review of PRF. Finished proof that PRF
can be used for CPA secure encryption (for fixed length messages of
same size as PRF block). Defined strong PRPs (aka block
ciphers), and noted they cannot be directly used as encryption
algorithms (the different modes of encryption use them as a building
block, and they must be used correctly to get secure encryption). Discussed
different modes of encryption (ECB, a fresh random block for each
message block, randomized counter mode, CBC) and compared their
security and efficiency properties. Briefly mentioned malleability
attacks.
Reading: Chapter 3.6.2, 3.6.3, 3.6.4
- Lecture 9 (10/9)
Review of modes of encryption (focusing on randomized counter
mode), high level overview of proof of CPA security (noted that
this requires that with overwhelming probability the same input is
never fed to the PRF, which means block size should be long
enough). Definition of CCA security (also discussed motivation,
and, informally, the weaker notions of CCA1 security and
non-malleability). Proof that the PRF based encryption we saw is
not CCA secure. Summary of symmetric encryption from
pseudorandom objects.
Constructions of PRG from PRF (easy) and of PRF from PRG (GGM tree
construction); discussion of block ciphers vs stream ciphers.
Reading: Chapter 3.6.4, 3.7, 6.5
- Lecture 10 (10/11) Feistel networks, transforming any
collection of functions into a permutation. Proved that
(regardless of the functions used) a 1 round Feistel network is
not a PRP, and a 2 round Feistel network is not a strong PRP.
Stated (without proof) that a 3 round Feistel network using a PRF
with independent keys for each round gives a PRP (Luby-Rackoff
theorem). Overview and discussion of DES block-cipher
construction and brute force attack on it.
Reading: Chapter 5.2, 5.3, 6.6.
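As an added example (not code from the course or its textbook), a Feistel network over 32-byte blocks whose keyed round function is an HMAC-SHA256 stand-in PRF; it shows that any round function gives an invertible permutation, and that a single round leaves the input's right half in the clear, which is the first claim above. Block and key sizes are assumptions.

```python
import hmac, hashlib

HALF = 16  # each half of a 32-byte block

def round_fn(key: bytes, r: bytes) -> bytes:
    """Keyed round function f_k: HMAC-SHA256 truncated to a half-block, used as a
    stand-in PRF (Luby-Rackoff assumes a PRF with an independent key per round)."""
    return hmac.new(key, r, hashlib.sha256).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_encrypt(keys, block: bytes) -> bytes:
    """r-round Feistel network, one key per round: (L, R) -> (R, L XOR f_k(R)).
    Each round is invertible whatever f_k is, so the result is a permutation."""
    L, R = block[:HALF], block[HALF:]
    for k in keys:
        L, R = R, xor(L, round_fn(k, R))
    return L + R

def feistel_decrypt(keys, block: bytes) -> bytes:
    """Inverse: undo the rounds in reverse order; f_k itself is never inverted."""
    L, R = block[:HALF], block[HALF:]
    for k in reversed(keys):
        L, R = xor(R, round_fn(k, L)), L
    return L + R

def one_round_copies_right_half(key: bytes, block: bytes) -> bool:
    """The lecture's claim about one round: the output's left half is the input's
    right half in the clear, so one query separates it from a random
    permutation, regardless of which f_k is used."""
    return feistel_encrypt([key], block)[:HALF] == block[HALF:]
```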
- Recitation 2 (10/12)
Reviewed why using a PRP directly for encryption does not provide
security (not even indistinguishability against
eavesdropper). Proof of equivalence between the CPA security
definition (Def 3.21 in text) and its variant (the CPA version of
Def 3.9 in text). Example of insecure encryption using PRG with
related keys. Example of a bad construction of PRG from PRF.
Multiple message security against eavesdropper does not imply CPA
security (counter example, assuming PRF).
- Lectures 11,12 (10/16, 10/18)
Luby-Rackoff theorem for 3 and 4 round Feistel networks,
increasing effective key size for block ciphers: 2DES (meet in
the middle attack), 3DES (no significant attacks). Brief
overview of substitution permutation networks and AES. Touched
upon other attacks and design principles for block ciphers.
Started discussing theoretical constructions of pseudorandom
objects: defined (strong) OWF, OWP, weak OWF, families of OWF.
Possible candidates based on factoring assumption (product or
squaring mod N=pq), discrete log assumption, and subset sum.
Defined hard-core predicate, and its use to show that OWP imply a
PRG with one-bit expansion. Reading: Chapter 5, 6.1, 6.2.
- Lecture 13 (10/23)
Review of hard core predicates, a proof that if f is a OWP and B
is a hard core predicate for f, then G(x)=f(x)B(x) is a PRG with
one bit expansion (and the corresponding adaptation for families
of OWP). Concluded that OWP plus HCP imply PRG with
arbitrary expansion. Saw examples of the resulting PRG using
exponentiation and most significant bit (secure based on
discrete log assumption), and using squaring mod N=pq and least
significant bit (secure based on factoring assumption).
Discussed a hard core predicate for any one way function after
slight modification: Goldreich Levin theorem. Very high level
of the proof, including the proof in an easy case. Full proof
was omitted. Concluded that any OWP implies PRG.
Stated (without proof) that general OWF also imply PRG.
Reading: Chapter 6.2, 6.3, 6.4
- Lecture 14 (10/25)
Message authentication codes (MACs): definition of
security (existential unforgeability against adaptive chosen
message attacks). Emphasized that secrecy does not imply
integrity, and encryption schemes cannot generally be used for
authentication. Proved that applying a PRF is a good MAC for a
fixed length (one block) message. Discussed how to use fixed
length MAC to obtain longer message authentication: showed
attacks on block-by-block authentication and some variations of
it. Reading: Chapter 4.1 - 4.4.
- 10/30 class cancelled due to Hurricane Sandy
- Lecture 15 (11/1)
Showed how to use fixed-length MAC to obtain an arbitrary message
MAC, using block-by-block tagging where each block includes an
index, random message identifier, and message length. Then we saw
the more efficient CBC-MAC (with no proof).
Started discussing how to combine authentication with secrecy.
Analyzed the encrypt-and-authenticate method (which is not secure
in general). Mentioned the encrypt-then-authenticate and
authenticate-then-encrypt options but did not yet analyze their
security.
Reading: Chapter 4.4, 4.5, 4.9
- Lecture 16 (11/8)
Secure message transmission protocol (authenticated encryption):
definition, and analysis of suggested constructions (borrowed from
SSH, SSL, and IPSEC):
Encrypt-and-authenticate: no CPA security.
Authenticate-then-encrypt: message integrity and CPA security, but
no CCA security.
Encrypt-then-authenticate: if MAC with unique tags, this is a secure
message transmission protocol, providing integrity and CCA
security.
This gives a construction of CCA secure private key encryption
from CPA-secure encryption plus MACs with unique tags (both of
which can be constructed from one-way functions).
Reading: Chapter 4.8, 4.9.
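As an added example (not the course's own code) serving both the counter-mode discussion of Lectures 8 and 9 and the composition analysis of Lecture 16: randomized counter mode built from an HMAC-SHA256 stand-in PRF, a check of why the counter must be fresh, and encrypt-then-authenticate with an HMAC tag (deterministic, hence unique tags) verified before decryption. The 128-bit counter, the 32-byte PRF output, and the key sizes are assumptions.

```python
import hmac, hashlib, secrets

BLOCK = 32  # bytes of PRF output per counter value (one SHA-256 digest)

def prf(key: bytes, x: int) -> bytes:
    """Stand-in PRF F_k(x): HMAC-SHA256 of the 128-bit counter value
    (a real deployment would use a block cipher such as AES)."""
    return hmac.new(key, x.to_bytes(16, "big"), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(ke: bytes, msg: bytes, ctr=None) -> bytes:
    """Randomized counter mode: fresh random 128-bit counter r, output
    r || m_1 XOR F_k(r+1) || m_2 XOR F_k(r+2) || ...  Security rests on no
    counter value ever being fed to F_k twice, hence the long counter."""
    if ctr is None:
        ctr = secrets.randbelow(1 << 128)
    out = bytearray()
    for i in range(0, len(msg), BLOCK):
        out += xor(msg[i:i + BLOCK], prf(ke, (ctr + 1 + i // BLOCK) % (1 << 128)))
    return ctr.to_bytes(16, "big") + bytes(out)

def ctr_decrypt(ke: bytes, ct: bytes) -> bytes:
    # XOR is its own inverse: decryption re-runs the keystream with the stored counter
    return ctr_encrypt(ke, ct[16:], int.from_bytes(ct[:16], "big"))[16:]

def counter_reuse_leaks(ke: bytes, m1: bytes, m2: bytes, ctr: int) -> bool:
    """Why freshness matters: reusing a counter reuses the pad, so
    c1 XOR c2 = m1 XOR m2 and the eavesdropper learns the XOR of plaintexts."""
    c1, c2 = ctr_encrypt(ke, m1, ctr)[16:], ctr_encrypt(ke, m2, ctr)[16:]
    return xor(c1, c2) == xor(m1, m2)

def etm_encrypt(ke: bytes, km: bytes, msg: bytes) -> bytes:
    """Encrypt-then-authenticate with independent keys: the tag covers the whole
    ciphertext (counter included), so a modified ciphertext is rejected before
    decryption, which is what gives CCA security on top of CPA security."""
    ct = ctr_encrypt(ke, msg)
    return ct + hmac.new(km, ct, hashlib.sha256).digest()

def etm_decrypt(ke: bytes, km: bytes, blob: bytes):
    """Verify first, decrypt only on success; returns None on any tampering."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, ct, hashlib.sha256).digest()):
        return None
    return ctr_decrypt(ke, ct)
```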
- Lecture 17 (11/13)
Collision resistant hash functions (CRHF): definition, and weaker
forms, e.g. target collision resistance (= second preimage
resistance). Exhaustive search attack and birthday attack
analysis. Merkle-Damgard transform. Use of CRHF for
authentication (only a high-level overview, no proofs): hash-then-MAC, MD
transform with secret key for the last block, and the NMAC and
HMAC variations.
Reading: Chapter 4.6, 4.7.
Homework 4 out.
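As an added example (not the course's own code), the Merkle-Damgard transform of Lecture 17 over a stand-in fixed-length compression function modelled with SHA-256, run with and without the length block, to show why encoding the message length is part of the construction. Block and chaining-value sizes are assumptions.

```python
import hashlib

BLOCK = 64   # message block size in bytes
CV = 32      # chaining value / output size in bytes
IV = bytes(CV)

def compress(z: bytes, block: bytes) -> bytes:
    """Stand-in fixed-length compression function h: (CV + BLOCK) bytes -> CV bytes.
    Modelled with SHA-256 so the example runs offline; the lecture's theorem
    applies to any collision-resistant h."""
    assert len(z) == CV and len(block) == BLOCK
    return hashlib.sha256(z + block).digest()

def pad(msg: bytes, strengthen: bool) -> bytes:
    """Pad with zero bytes to a multiple of BLOCK. With Merkle-Damgard
    strengthening a final block encodes the message length in bits; without
    it, messages differing only in trailing zero bytes pad to the same blocks."""
    padded = msg + b"\x00" * (-len(msg) % BLOCK)
    if strengthen:
        padded += (8 * len(msg)).to_bytes(BLOCK, "big")
    return padded

def md_hash(msg: bytes, strengthen: bool = True) -> bytes:
    """Chain h over the padded blocks starting from the fixed IV."""
    padded = pad(msg, strengthen)
    z = IV
    for i in range(0, len(padded), BLOCK):
        z = compress(z, padded[i:i + BLOCK])
    return z

def strengthening_prevents_collision(m: bytes) -> bool:
    """For any m whose length is not a block multiple, m and m||0x00 collide
    under the unstrengthened transform but not under the strengthened one."""
    m2 = m + b"\x00"
    return md_hash(m, False) == md_hash(m2, False) and md_hash(m) != md_hash(m2)
```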
- Lecture 18 (11/15)
Overview of practical constructions of CRHF: MD5 (collisions found,
should not be used), SHA-1 (known to be vulnerable), SHA-2 family
(considered safe for use), and the recently announced winner for the
SHA-3 competition, Keccak. A provably secure CRHF construction
based on the DLA in prime order cyclic groups. Some number theory
review, including: efficient algorithm to find modular inverse,
efficient algorithm to check whether a number is a
quadratic residue modulo a prime p, finding any roots modulo a
prime can also be done efficiently,
and construction of a prime order group via the QR subgroup
of Zp* for a safe prime p.
Reading: Chapter 4.6, 7.3.1-7.3.3, 7.4. For more information on
the SHA-3 competition (not required reading), see
the links page.
- Lecture 19 (11/20)
Presented Diffie Hellman Key Exchange, and discussed its
security. Discussed assumptions related to discrete log: DLA,
Computational Diffie-Hellman (CDH), Decisional Diffie-Hellman
(DDH), and their relation. DDH assumption is false on Zp*, but
believed to be true in the prime order subgroup (QRp for a safe
prime p). DH key agreement protocol is secure under DDH (for a
security definition against a passive adversary only).
Reading: Chapters 7.3.1-7.3.3, and Chapter 9 (mainly 9.4)
- Lecture 20 (11/27)
Public key encryption (PKE): discussion, advantages and
disadvantages compared to private key encryption.
Definition of PKE and its security (indistinguishability);
mentioned (informally) semantic security (equivalent to
indistinguishability); these notions imply security against CPA.
Noted that perfect security for PKE is not possible, and that the
encryption scheme in a PKE has to be probabilistic (with
exponentially many possible encryptions for the same message).
PKE from 2 round key exchange:
showed the El Gamal PKE scheme (secure under DDH assumption).
Defined trapdoor permutation (TDP) families, and mentioned that
trapdoor functions (TDF) can be defined similarly. Candidate TDP: RSA
function (a TDP under the RSA assumption). Discussed relation
between RSA assumption and Factoring assumption (not known to be
equivalent). Candidate TDF: Rabin/squaring function. Mentioned
(without proof) that this is a
TDF under the factoring assumption (no stronger assumption
necessary). Use of TDP for PKE: direct TDP application is not
secure (specifically, "textbook RSA" is not secure). Showed a
secure construction of PKE from TDP and their hard-core bits
(requiring one TDP application per bit).
Reading: Chapter 10.1, 10.2, 10.5, 10.7, 10.4, 11.2.2.
- Lecture 21 (12/4)
More efficient heuristics for secure PKE from TDP (e.g., from
RSA): padded RSA (no provable security unless the random pad is
long and the message is only logarithmic); hash-and-TDP PKE -
provably secure in the random oracle model. Discussed the random
oracle model and its positives and negatives, theoretically and
practically. Mentioned hybrid encryption.
Digital signature schemes: motivation and comparison to symmetric
(MAC) setting (linear number of keys, no shared secrets, public
verifiability, transferability and non-repudiation). Definition
of security (existential unforgeability against CMA).
Direct application of TDP for signatures is insecure (showed 2
attacks, one generic, and one on textbook RSA).
Discussed why the historical notion of signatures and PKE being
"dual" or "inverse" of each other is misguided.
Full domain hash ("hash and TDP signatures") can be proven secure
in the random oracle model. Mentioned that provably secure
signature schemes can be constructed from various assumptions,
such as number theoretic assumptions, CRHF, or even OWF.
Reading: Chapter 10.4, 13, 10.3, 12.1-12.3.
- Lecture 22 (12/6)
Overview of signature constructions. Provable constructions of
digital signatures: general methodology (aka "the paradox"),
Lamport's one-time signatures from OWF, and hints at how to extend it to
fully secure signatures from CRHF (Merkle signatures and
beyond). Summary of assumptions from which provable signatures can
be constructed. Wrap-up: CCA2 encryption, (fully/somewhat)
homomorphic encryption, functional encryption; two crypto classes
next semester.
Reading: Chapter 12.5, 12.6, 10.6