Lectures

W4261 Introduction to Cryptography: Fall 2014 Lecture Summaries

These are brief (possibly non-comprehensive) summaries written shortly after each lecture, of what was covered. Exercises are optional, and not meant to be submitted, but recommended for your own understanding (some of them are meant to be very easy, but some are challenging). Sometimes the answers can be found in the text: try to figure it out yourself before completing the reading. Reading is from the textbook, but often includes significantly more details than were covered in class (for example, we skipped some proofs that are covered in the readings below). Conversely, class occasionally contains material that is not in the textbook (I've tried to indicate when this is the case). Please go over the previous class material (using your notes and textbook as appropriate) before every lecture.

Lecture 1 (9/2) Introduction to modern cryptography and the goals of this class. Definition of private key encryption scheme syntax and correctness. Kerckhoff's principle. Overview of some historical ciphers (Atbash, Caesar, shift, substitution, Vigenere) and simple attacks (brute force, frequency analysis).
Exercise: Define these ciphers via the (GEN, ENC, DEC) syntax. Decipher the ciphertext provided on page 13 (that was encoded using a substitution cipher).
Reading: 1.1-1.3.

Lecture 2 (9/4) Motivation for rigorous definitions and proofs of security in modern cryptography, typically based on computational assumptions (e.g., mentioned that P not equal to NP is a necessary assumption in many cases). Different attack models for encryption schemes (ciphertext only, known plaintext, chosen plaintext, chosen ciphertext attacks). Discussion and motivation for what secrecy of private-key encryption should mean (assuring that the key is hard to guess and that the message is hard to guess is necessary but not sufficient for security; definition of secrecy should work for any message distribution or prior knowledge of the adversary). Two (equivalent, though we did not prove) definitions of perfect secrecy, capturing the intuition that the ciphertext contains no information about the plaintext.
Reading: 1.4, 2.1.

Lecture 3 (9/9) Shift cipher is not perfectly secret for 2-character messages (but yes for one character messages). Defined one-time pad scheme (OTP) and proved that it is perfectly secret. Inherent problems with perfectly secret encryption: First, showed that one-time pad cannot be used to send multiple messages; this problem is inherent to any (stateless) perfectly secret scheme, but can be fixed by using a stateful encryption algorithm (often not desirable). Second, proved that for any perfectly secret encryption, the key space must be larger than message space. Discussion and motivation for the computational approach. Brief background on probabilistic polynomial time algorithms.
Exercise: Prove that the Vigenere cipher (parallelized shift) is not perfectly secret. Prove that no deterministic scheme can achieve perfect secrecy for multiple messages.
Reading: 2.2, 2.3, 2.5, 3.1. HW1 out on 9/10.

Lecture 4 (9/11) Definition of negligible functions; adding two negligible functions or multiplying a negligible function by a polynomial is still negligible. Security parameter. Definition of EAV-security (indistinguishability for a single message against an eavesdropper). We do not know whether EAV-secure schemes exist (this requires computational assumptions), but we will prove it based on other primitives and assumptions. Began to motivate PRG and the one time pseudorandom pad encryption scheme. Discussed proofs by reduction.
Exercise: Consider our definition of EAV-security (Def 3.8 in textbook). Prove that if the ppt restriction is removed and we require prob[...]=1/2 (without adding a negligible function), this definition becomes equivalent to perfect secrecy.
Reading: 3.1, 3.2.1, a bit of 3.3 and 3.4.1.

Lecture 5 (9/16) Pseudorandom generators (PRG) motivation and definition. Showed an attack on any alleged PRG G via checking whether the string is in the image of G or not. Conclusions (informal): (1) there is no perfectly secret PRG: an exhaustive search (exponential time attack) always distinguishes from random. (2) For any G, if there's an efficient way to check whether a string is in the image of G or not, G is not a PRG. The latter implies that if there exists a PRG G, then P is not equal to NP. Showed the "one-time pseudorandom pad" encryption scheme based on a PRG G, and proved that if G is a PRG, the above scheme satisfies EAV-security (proof by reduction). Brief discussion of concrete security (in the scheme above there is almost no degradation in security in the reduction).
Exercises: (1) Prove that definition 3.9 (different formalization of indistinguishability against eavesdropper) is equivalent to our standard definition of EAV-security (definition 3.8) (2) a student asked: Assume you are given G where it is hard to efficiently test whether a string is in the image of G or not. Does this mean that G is a PRG? Try to formalize this question and then answer it (note: there are different reasonable formalizations, that may result in different answers).
Reading: 3.3, 3.4.1

Lecture 6 (9/18) Defined multiple message EAV-security. Proved that no (stateless) deterministic encryption scheme can achieve it. Defined stream ciphers as a pair (Init,GetBits) that induces a PRG (where new pseudorandom bits can be generated dynamically as needed). Mentioned (without a formal definition or proof) that it can be used for stateful encryption achieving multiple message EAV-security. Discussed some simple potential PRG construction examples and whether they are good PRGs or not. In particular, a PRG can be composed with itself to obtain another PRG with a higher expansion factor (stretch). Theorem: if there is a PRG that expands by one bit, then for any polynomial l(n) there's a PRG (stream cipher) that expands by l(n) bits. We showed the construction (iterative applications of G on the n-bit state), but did not prove it is a PRG.
Exercise: For each of the example constructions we saw, prove whether it is a PRG or not (namely convert our informal class discussion into full proofs).
Reading: 3.4.2, 3.4.3, 6.4.2 (without the proof). The stream cipher definition is not in the text.

Lecture 7 (9/23) Defined CPA security. Example: the one-time pseudorandom pad scheme (which is EAV secure) does not satisfy CPA security. Same attack works on any deterministic scheme, or any scheme with only few possible encryptions for each message. CPA security implies multiple message CPA security (formal proof omitted). Showed that if the secret key is a random function from n bits to n bits (exponential size key), then can achieve CPA security by choosing the value of the function on a random input as a pad. Since we cannot use an exponential size key, this motivates pseudoranom functions (PRF). Defined PRFs, gave example of a function that is not a PRF, discussed connection of PRF to PRG and their differences.
Exercises: Prove that any scheme satisfying CPA secure encryption, must have super polynomially many possible encryptions for each message.
Reading: 3.5, 3.6.1. HW1 due.

Lecture 8 (9/24) Showed that PRF implies PRG (in particular, G(s)=F(s,0ⁿ)||F(s,1ⁿ) is a PRG if F is a PRF). Defined PRP and strong PRP (block ciphers). Discussed why block ciphers cannot be directly used as encryption algorithms. Showed how to use PRF for CPA-secure encryption (where encryption outputs (r,f(r) xor m) for a random r). Started proving that this construction is CPA secure, will complete the proof next time.
Exercise: If F is a PRF, is the following construction a PRG? G(s)=F(0ⁿ,s)||F(1ⁿ,s) (namely swapping the role of the key and input in the construction we saw above).
Reading: 3.6.2, 3.6.3

Lecture 9 (9/30) Review of material. Completed proof that PRF implies CPA secure encryption. Encryption of longer messages: block-by-block encryption (remains CPA secure), and more efficient modes of operation. We saw ECB (not even EAV secure, do not use!); CBC mode (CPA secure, but discussed a CPA attack on the stateful Chained-CBC version); CTR mode (CPA secure).
Exercise: Consider CBC and CTR modes applied on a single block message. For each, write out the encryption scheme and prove that it is CPA secure. Then think of a stateful variant where the IV is replaced by a counter that increases with each new message sent (rather than being chosen uniformly). Do these schemes remain CPA secure? argue why yes, or provide a CPA attack if not.
Reading: 3.5, 3.6.

Lecture 10 / Recitation 1 by Yuan (10/2) Reviewed proof by reduction, with examples of valid (but sometimes pathological) PRG constructions, and introduced hybrid argument to prove that G(G(s)) is a PRG. Compared definitions of PRGs and PRFs, including which parameters were secret, and which were under the control of the adversary. Proved the construction of PRGs from PRFs, and the first step in the construction of PRFs from PRGs. Considered alternative constructions in both directions, and why they don't work. Proved equivalence between standard security definition (the adversary doesn't succeed with probability non-negligibly more than 1/2), and definition 3.9 (the adversary's output varies only negligibly depending on which message, m_0 or m_1, was encrypted). Sketched proof that CPA security implies multiple-message CPA security, using definition 3.9 and hybrid argument. Showed attack against a scheme with no message length restrictions to motivate requirement for equal message lengths.
HW2 out on 10/3

Lecture 11 (10/7) CCA secure encryption motivation and definition. Discussed padding oracle attacks, and showed a setting (CAPTCHA server) where this is a very real attack model (but we didn't show an attack on a specific padding scheme). All schemes we saw so far fail under a CCA attack (demonstrated on the CPA-secure (r,f_k(r)\xor m) scheme). Informal discussion of malleability / non-malleability / homomorphic encryption (examples where malleability may be bad and when it may be good). This completes private key encryption constructions for now (we will get back to constructing CCA secure encryption). Showed a number theoretic construction of a PRG: DH(a,b) = (g^a, g^b, g^ab) mod p (note that this is length expanding). DDH assumption says that if p, g satisfy certain properties, then the above is a PRG.
Exercise: Complete the CCA attack on the encryption scheme above: write the adversary explicitly and analyze its success probability.
Reading: 3.7. Not in textbook: the padding oracle attacks, PRG based on DDH assumption (though the assumption itself is definition 7.60 in textbook, our description was informal).

Lecture 12 (10/9) Number theory review geared towards working in Zp* for prime p: modular arithmetic, Z_N, Z_N*, Z_p*, Fermat's little theorem (when working in Zp* for prime p, exponent can be reduced mod p-1), Zp* is a cyclic group (wrt multiplication). Given p,g, can define exponentiation function and discrete log function (its inverse). There are efficient algorithms for all the following tasks: testing whether a number is prime; generating a random n bit prime p together with a generator of Zp*, computing the exponentiation function mod p. (We did not show the algorithms for any of the above, except the algorithm to select a random n bit prime, if we don't care about the generator). Discrete Log Assumption (DLA). Discussed some failed attempts at constructing a PRG based on DLA, then showed the Blum-Micali generator, which is a PRG under DL Assumption. Very informal and high level overview of how the above generalizes to any "one way permutation (OWP)" using any "hard core bit", and one exists based on Goldreich-Levin construction (we did not see how.) Also known that one way function (OWF) implies PRG but more complex. Summary of theoretical constructions: OWF, PRG, PRF, PRP, private key encryption all computationally equivalent. OWF can be constructed by relying on assumptions such as DLA.
Reading: parts of 7.1, 7.2.1, 7.3. Touched on topics in chapter 6. Not in the textbook: Blum-Micali PRG construction (but it follows from instantiating the construction in theorem 6.7 with the exponentiation OWP in Zp*, based on DLA).

Recitation 2 by Luke (10/10) Reviewed negligible function definition. Clarified PRPs and strong PRPs / block ciphers vs PRFs. Luby-Rackoff construction. Discussed how to go about proability analysis for attacks in proofs. Reviewed the proof of CPA security of the Enc_k(m)=(r,f_k(r) xor m) as a case study.

Lecture 13 (10/14) Review of PRP vs strong PRP (CPA vs CCA attack on pseudoranmdomness). Defined Feistel networks, showed that this gives a permutation for any round functions chosen, and any number of rounds. Showed that one round is not a PRP, regardless of round function. Hinted at the attack on two rounds (also not PRP). Said (without showing) that three rounds is not a strong PRP. Luby-Rackoff theorem: Feistel with round functions being PRF with independent keys gives PRP after 3 rounds, and strong PRP after 4 rounds (no proof). Conclude that PRF implies strong PRP. Discussion of what this means for practical ciphers using Feistel network (and mentioned there are other theorems for more rounds and weaker round-functions). Practical constructions of stream ciphers: discuss security (or lack thereof), block ciphers can be used in stream cipher modes for better security. LFSR (not secure!), and overview of ways to introduce non-linearity, e.g. as done in Trivium cipher (optimized for hardware). RC4 (very fast in software), widely used but has vulnerabilities. Presented the RC4 algorithm (with additional details completed in the following class), and discussed weakness of second byte, as well as weakness with IV that was used to break WEP standard.
Exercise: Find an attack on two round Feistel, showing it is not a PRP.
Reading: 5.2, 6.6, our discussion of stream ciphers details is not in textbook except a very short summary on p.77. Trivium is described here (in much more detail than we did).

Lecture 14 (10/16) Described the recent POODLE (padding oracle) attack on SSL3. Block ciphers used in practice. General principles: concrete security with fixed key and block sizes, attacks that are faster than exhaustive search constitue a serious weakness, avalanche effect). Substitution permutation networks (SPN) structure. DES high level overview (16 round Feistel, round function is a SPN with special non-permutation S boxes, S boxes and following permutation satisfy some "avalanche effect" properties).
Reading: 5.1, 5.3. POODLE attack is not in textbook but see the security advisory that exposed it (September 2014). HW2 due.

Lecture 15 (10/21) Discussed security of DES (remains without any significant practical attacks, but key size, and sometimes block size, are too small). Incresing key length for block cipher: double encryption and attack on it, triple encryption (3-DES is a reasonable choice). High level overview of AES history, security (seems very strong) and construction (variation on SPN with one S-box permutation applied on each byte, and an invertible linear transformation instead of a permutation at the end of each round). Conclude part on pseudorandom primitive constructions, and start message authentication codes (MACS). Discussed motivation and goals (authenticity and integrity). Encryption does not generally provide authentication (as we can see for all schemes we saw so far, including stream ciphers and CPA secure encryption such as CTR and CBC modes of operation). Motivated the definition of security (existential unforgeability against adaptive chosen message attack), but did not give the formal definition yet.
Reading: 5.4, 5.5 (also recommended: 5.6), 4.1, 4.2.

Lecture 16 (10/23) Definitions of security for MAC, fixed-length MAC, and strong MAC (where any valid new pair (m,t) is considered a forgery, even if only t is new and m was asked before). Noted that if Mac is deterministic then there's a unique tag for each message, and standard and strong MAC security definitions are equivalent. Example of attack outside our model: overview of timing attack on MAC if adversary has access to verification (based on the time it takes for Vrfy to reject). Construction of (fixed-length) MAC using PRF, and security proof sketch.
Exercises: (1) Prove that for a strong MAC (eg when Mac is deterministic), adding access to a Vrfy oracle in the security definition does not add power. (2) Reconstruct by yourself the proof of security for using a PRF as a MAC.
Reading: 4.3, 4.4 (strong MAC and timing attack discussion not in text). HW3 out on 10/25.

Lecture 17 (10/28) Domain extension for MAC (arbitrary length MAC based on fixed length MAC): authenticating block-by-block, including random identifier, length of message, and index of block in each block. Showed attacks on block-by-block authentication with any of these removed. Security proof sketch. CBC-MAC (arbitrary length MAC using PRF): showed construction, noted main differences with CBC encryption - no IV and no intermediate values, and stated security properties (without proof): this is secure for a fixed number of blocks only. Two ways to make it secure for arbitrary length messages: either prepend the length of the message as the first block, or apply one more layer of PRF at the end, with a new key. Note: in a future lecture we will show hash-based MACs as another alternative.
Exercises: (1) Can there be a secure MAC and two different messages m, m' such that Mac_k(m)=Mac_k(m')? Can such m,m' be found efficiently? Can such m,m' be found efficiently given the key k? (2) Choose a couple of the following CBC-MAC variants and show attacks breaking their security: adding IV; disclosing intermediate output blocks; plain CBC-MAC for arbitrary length m; appending the length of the message as last block.
Reading: 4.4, 4.5

Lecture 18 (10/30) Authenticated Encryption: discussion and definition (CCA security plus unforgeability). Examples of general combination of any CPA secure encryption with secure MAC: (1) Enc and Authenticate: not even CPA secure. (2) Authenticate-then-Encrypt: achieves unforgeability (we saw the reduction), and CPA security (outlined the reduction). But does not achieve CCA (we already saw the padding oracle attacks on SSL's authenticate-then-encrypt scheme). Thus not authenticated encryption. (3) Encrypt-then-Authenticate: achieves unforgeability and CPA security. For CCA, if given (c,t) easy to come with a valid (c,t') for another t', can feed that to decryption oracle and break CCA. But if using strong MAC, then this in fact achieves also CCA, and thus authenticated encryption (gave some intuition for the proof).
Exercises: prove the unforgeability and CPA security of the above schemes (where applicable). Try to prove CCA security of the last scheme.
Reading: Authenticated encryption is not in the text, but see 4.8 for the CCA security of encrypt-then-authenticate with strong MAC (the book uses "MAC with unique tags").

Recitation 3 by George (10/31) Review and another example of padding oracle attack for SSL/TLS. Proof of CPA security for CTR mode of encryption (proved the security if using a random function, did not have time for second part, security for the scheme with PRF by reduction).

Lecture 19 (11/6) Motivated and defined collision resistant hash functions (note that there is a key but it is not secret, it is randomly chosen and fixed and published; we sometimes omit it in notation). Discussed weaker possible definitions (target collision resistance and preimage resistance) and how they imply each other. Birthday attack (sketch the analysis of the expected number of successes per t samples), implying we need long enough output (length 2n if we want security of against 2^n time adversary). Merkle-Damgard transform for CRHF domain extension (gave intuition for proof of security). Using fixed length MAC and CRHF can get arbitrary length MAC by hash and MAC (without proof). Discussed MAC using only CRHF: H(k||m) not secure, but adding another hash depending on a second key in the last block, as done in HMAC, is secure (no proof). Construction of fixed length hash function based on DLA on Zp* (compresses by one bit), and the main argument of the proof.
Exercises: Prove that H(k||m) is not necessarily a secure MAC when H is a CRHF (consider H the Merkle-Damgard transform).
Reading: 4.6, 4.7.2. A DLA based hash function similar to the one we showed is in section 7.4.2. HW3 due.

Lecture 20 (11/11) Review of CRHF, brief discussion of application to password hashing, and overview of practical CRHF constructions: MD5 (collisions found, do not use), SHA1 (vulnerabilities known but no collision found yet), SHA2 family, and the recently announced winner for SHA3 competition, Keccak. Number theory review: extended Euclidean algorithm for gcd, and its use to find modular inverses efficiently. Defined groups and saw some properties of finite groups (e.g., for all x, x^|G|=1). Noted (Zn,0) is a group with respect to modular addition, (Zn*,1) is a group with respect to modular multiplication. Defined Euler's totient function Phi(n)=|Zn*| and saw the formula to compute it given n's prime factorization. Defined QRn, the group of quadratic residues mod n. For a prime p, there are efficient algorithm to check whether a number is in QRp, and if so finding its sqare root. If p is a safe prime (p=2q+1) then QRp is a prime order cyclic group generated by g^2 (if g is a generator of Zp*).
Reading: 4.6.5, 7.1, 7.3 HW4 out on 11/12.

Lecture 21 (11/13) Stated the discrete log assumption (DLA) as a general group assumption, and introduced also the computational Diffie-Hellman (CDH) assumption and the Decisional Diffie-Hellman (DDH) assumption, and the relationship among them (implications in one direction). Showed Diffie-Hellman key exchange, and discussed its security (key is indistinguishable from a random group element under DDH assumption). Showed why the DDH assumption does not hold over Zp* (g^{xy} is distinguishable from random even given only p,g, since it has probability 3/4 to be in QRp). DDH assumption believed to be true over QRp when p is a safe prime (and QRp a cyclic group of prime order).
Exercises: Formalize the definition of secure key exchange (security against a passive adversary), and prove that the DH key exchange protocol satisfies it if the DDH assuption is true (we sketched both these things in class, and they are done formally in the textbook, but try to do it yourself before reading in the textbook).
Reading: 7.3.2, 9.3, 9.4

Recitation 4 by Yuan (11/14) Review of reduction proof techniques, and how to detect possible insecurity when these techniques fail. Showed examples of insecure encryption MAC schemes, and where you would be stuck if you tried to prove security by reduction, including plain CBC-MAC with variable length, or with length appended to the end. Also showed how to find collisions for Merkle-Damgård variation without bit length appended to end.

Lecture 22 (11/18) Review of DH KE. Discussed random group element vs random string. To get the latter need to apply a key derivation function, which is possible through strong extractors (we did not define), or through a hash function with the random oracle model (ROM) proof heuristic. Brief overview of ROM in general. Discussed insecurity of DH KE against active attacks, such as "man in the middle" attack. Mentioned that for authenticated channel need some sort of key distribution (possibly through a centralized entity). Introduce Public key encryption, discussed historic context, advantages and disadvantages compared with private (symmetric) key crypto. Defined PKE security (indistinguishability). Here eavesdropper is equivalent to CPA and to multiple message indistinguishability (also equivalent to "semantic security" which we did not define). Showed that PKE implies KE, and KE in two rounds implies PKE. We instantiated the latter on DH KE, to get the El-Gamal PKE (roughly, use the first KE message as public key, and to encrypt use the second KE message plus hide the plaintext using the resulting shared key).
Exercises: prove that the El-Gamal encryption scheme is a CPA-secure PKE under the DDH assumption.
Reading: 9.3, 9.4, 10.1, 10.2, 10.5, 13.1

Lecture 23 (11/20) Factoring assumption, and discussion of its hardness (best algorithm known is super polynomial). RSA assumption (with respect to GenRSA - various choices of e are possible, all considered hard). This is a stronger assumption than factoring assumption: factoring is equivalent to finding phi(N) and equivalent to finding the inverse of e, and all these would imply that RSA function can be inverted, but the other direction is not known (it's possible that factoring is hard, but breaking RSA is easy). Discussed plain (textbook) RSA and its insecurity as a PKE (e.g., it is deterministic). RSA gives a trapdoor permutation TDP (we did not define formally). To get secure PKE we must introduce some randomness. Described one way (provably secure) to transform any TDP to a secure PKE via hardcore bit; for RSA, the lsb of the input is a hardcore bit, so (r^e,lsb(r) xor m) is a secure PKE for one bit messages under the RSA assumption.
Reading: 7.2, 10.4.1, 13.2 (without proofs), and informal overview of 10.7. HW4 due 11/21.

Lecture 24 (11/25) Review of textbook RSA. Need for longer keys than private key encryption, since there are sub-exponential (but super-polynomial) attacks (see links page for current recommended key lengths). There are several attacks on textbook RSA (we saw another one, when the message is smaller than N^1/e), so randomness needed. The PKE based on a lsb (more generally hardcore bit) that we saw last time can be extended to longer messages (still one exponentiation per bit). Padded RSA can be proven secure if the message is only O(log n) bits and the rest is the padding; it can be shown insecure when the padding is only O(log n) bits; when half the bits are message and half padding we do not know how to prove nor break security (similar schemes have been used in practice). Another option is to encrypt by (r^e, H(r) xor m) which can be proven secure under RSA assumption in the random oracle model (ROM). CCA security: defined, mentioned (without showing) that El-Gamal is malleable and thus not CCA secure, showed that plain RSA is malleable and thus not CCA secure. Padded RSA, depending on the padding, not susceptible to same CCA attack, but a previous standard PKCS #1 v1.5 was broken via a different padding oracle attacks. Newer standard versions are based on RSA-OAEP, a padding that utilizes two hash functions in a Feistel structure (we did not describe in detail), provably CCA secure in ROM. Mentioned without details that there are several CCA secure schemes (in the standard model), both generically from any TDP, and efficient ones from assumptions such as DDH, factoring, RSA. Overview of Rabin (squaring) function (for N=pq generated appropriately). This is a 4:1 function but if N is Blum integer it is a permutation over QR_N. We mentioned (without proof) that hardness of inverting this function is equivalent to factoring assumption (in this sense, better than RSA). However, even more susceptible to CCA (CCA attack can completely factor N). Hybrid encryption and the KEM/DEM paradigm: more efficient than PKE; if KEM is CPA secure and DEM is a EAV-secure private key encryption, the result is CPA secure PKE. If KEM is CCA secure and DEM is CCA secure private key encryption, the result is CCA secure PKE (did not prove these theorems, nor formally defined CPA and CCA security for KEM, but discussed the theorems and their implications informally). Example of KEM that is CCA secure in ROM under RSA assumption: (r^e, H(r)).
Exercise: Find a CCA attack on El Gamal encryption
Reading: 10.4, 10.6, 11.2 (informal overview), 10.3 (although the textbook doesn't cover CCA security for KEM/DEM). HW5 out 11/26.

Lecture 25 (12/2) Digital signatures: motivation and discussion of differences with MAC (including public verifiability, transferability, and non-repudiation). Definition of signature schemes and their security. Insecurity of plain-RSA signatures: (1) a no-message attack forging some message (applies to any TDP used directly for signing); (2) CMA forging any message you want (based on RSA malleability). Note on signatures vs PKE: the notion that they are "opposite/dual" and that "to sign, you just decrypt, to verify encrypt" is wrong (often does not make sense even syntactically, and when it does it's not secure; e.g. this notion is correct for textbook RSA, but that is not secure for either signatures nor encryption). Approaches to constructing secure signature: (1) heuristic constructions, based on number theoretic assumptions (2) constructions provably secure in the random oracle model (ROM), based on number theoretic assumptions or generic ones like TDP (3) constructions provably secure in the standard model: (a) from OWF, (b) from CRHF, (c) efficient ones from number theoretic assumptions. We saw the full domain hash (RSA-FDH), which is provably secure in the ROM (under RSA assumption, or any other TDP that is used). We then saw the Schnorr identification scheme, secure under DLA [although we did not formally define identification schemes]. We then mentioned how to translate this to the Schnorr signature scheme, by replacing the interactive challenge with a hash. The obtained Schnorr signature is as follows: for PK=g^x, SK=x, to sign m: compute I=g^k for a random k, r=H(I,m), s=rx + k, and output (r,s). To verify a signature (r,s) on m, compute I = g^s / y^r, and accept iff H(I,m)=r. This can be proven secure in the ROM (and under DLA). Mentioned very briefly DSA and ECDSA, widely used heuristic signatures constructions also based on an identification scheme based on DLA, however we have no proof of security (nor break). Mentioned that signature scheme can be constructed with provable security even from OWF, and in this sense belong in the "private key world" (you don't need a trapdoor or a PKE to obtain signatures). Note: we did not provide any proofs in this lecture.
Readings: 12.1-12.4, 13.3. We mentioned the schemes described in sections 12.5-12.7 but did not show what the schemes are (note: DSA and ECDSA are part of the DSS of 12.7). The text does not include Schnorr (or any) identification scheme, nor Schnorr signatures.

Lecture 26 (12/4) This lecture did not contain details nor formal definitions/theorems, but rather a (very) high level overview of more advanced crypto topics (including current crypto research and protocols). We started with a quick overview of how TLS works (this is a practical application that uses a lot of the primitives we discussed in the class). Then discussed how crypto is a necessary but not sufficient component of any secure system. We mentioned some research directions in cryptography that aim to expand the cryptographic models and thus the implications of a crypto security proof: leakage resilient and tamper proof crypto, and forward secure signatures (incorporating in the adversarial model partial leakage on keys, tampering of keys, or complete leakage of keys that doesn't break security of previously generated signatures). We then mentioned fully homomorphic encryption and functional encryption, as well as outsourced and verifiable computation, all of which allow for much richer applications of cryptography (currently these are still within the theoretical realm because of efficiency considerations and being very recent). We provided a little more detail on secure computation (still an active area of research but began in the 80s and by now can often be practical). We overviewed the goal and motivated secure computation. Example protocol: computing the sum of all inputs (using a "telephone game" style protocol). This protocol is secure in the semi-honest (aka honest-but-curious) model against coalitions of size 1. Stated the general (meta) theorem: any function that can be efficiently computed, can be efficiently computed securely (true in various contexts, adversarial models, etc, including against maximal coalitions). Another example: computing oblivious transfer (OT) among two parties: Alice's input is two bits {S0,S1}, and Bob's input is a selection bit {b}; Bob's output is Sb (but no information on the other secret), and Alice gets no output (no information). This turns out to be a complete primitive (if OT can be securely computed, then any efficient function can be securely computed). We showed a protocol for OT based on the RSA assumption (in fact any TDP can be used), which is secure in the semi-honest model. Mentioned that there is a general poly time transformation of any protocol secure in the semi-honest model, to a protocol secure in the malicious model, using zero-knowledge proofs. Did not have much time to talk about zero-knowledge proofs, but mentioned that they exist for any NP language (assuming OWF exist), and allow to prove statements such as "x is in L" while revealing no information beyond the truth of the statement. The Schnorr identification protocol we saw last time is a "zero knowledge proof of knowledge" (we didn't define this), where the prover is proving that he knows the discrete log of a given element, without revealing any other information (in particular, keeping the discrete log hidden).

Recitation 5 by George (12/5) Showed the CPA security proof for the El Gamal encryption scheme. Overview of the proof of unforgeability of FDH-RSA signature scheme under the RSA assumption in the random oracle model (we went through the proof but omitted some technical details).

Back to Course Main Page