W4261 Introduction to Cryptography:
Fall 2014 Lecture Summaries
These are brief (possibly non-comprehensive) summaries written shortly after
each lecture, of what was covered. Exercises are optional, and not
meant to be
submitted, but recommended for your own understanding (some of them
are meant to be very easy, but some are challenging). Sometimes the
answers can be found in the text: try to figure it out yourself before
completing the reading. Reading is from the textbook, but often
includes significantly more details than were covered in
class (for example, we skipped some proofs that are covered in the readings below).
Conversely, class occasionally contains material that is not in
the textbook (I've tried to indicate when this is the case).
Please go over the previous class material (using your
notes and textbook as appropriate) before every lecture.
- Lecture 1 (9/2) Introduction to modern cryptography and
the goals of this class. Definition of private key encryption scheme
syntax and correctness. Kerckhoff's principle. Overview of some
historical ciphers (Atbash, Caesar, shift, substitution, Vigenere) and
simple attacks (brute force, frequency analysis).
Exercise: Define
these ciphers via the (GEN, ENC, DEC) syntax. Decipher the
ciphertext provided on page 13 (that was encoded using a
substitution cipher).
Reading: 1.1-1.3.
- Lecture 2 (9/4)
Motivation for rigorous definitions and proofs of security in
modern cryptography, typically based on computational assumptions
(e.g., mentioned that P not equal to NP is a necessary assumption
in many cases).
Different attack models for encryption schemes (ciphertext only,
known plaintext, chosen plaintext, chosen ciphertext attacks).
Discussion and motivation for what secrecy of private-key
encryption should mean (assuring that the key is hard to guess
and that the message is hard to guess is necessary but not
sufficient for security; definition of secrecy should work for
any message distribution or prior knowledge of the adversary).
Two (equivalent, though we did not prove) definitions of perfect
secrecy, capturing the intuition that the ciphertext contains no
information about the plaintext.
Reading: 1.4, 2.1.
-
Lecture 3 (9/9) Shift cipher is not perfectly secret for
2-character messages (but yes for one character messages).
Defined one-time pad scheme (OTP) and proved that it is perfectly
secret. Inherent problems with perfectly secret encryption:
First, showed that one-time pad cannot be used to send multiple
messages; this problem is inherent to any (stateless) perfectly
secret scheme, but can be fixed by using a stateful encryption
algorithm (often not desirable). Second, proved that for any
perfectly secret encryption, the key space must be larger than
message space. Discussion and motivation for the computational
approach. Brief background on probabilistic polynomial time
algorithms.
Exercise: Prove that the Vigenere cipher (parallelized shift) is not
perfectly secret. Prove that no deterministic scheme can achieve
perfect secrecy for multiple messages.
Reading: 2.2, 2.3, 2.5, 3.1.
HW1 out on 9/10.
-
Lecture 4 (9/11)
Definition of negligible functions; adding two negligible
functions or multiplying a negligible function by a polynomial is
still negligible. Security parameter. Definition of EAV-security
(indistinguishability for a single message against an
eavesdropper). We do not know whether EAV-secure schemes exist
(this requires computational assumptions), but we will prove it
based on other primitives and assumptions. Began to motivate PRG
and the one time pseudorandom pad encryption scheme. Discussed
proofs by reduction.
Exercise: Consider our definition of EAV-security (Def 3.8 in
textbook). Prove that if the ppt restriction is removed and we
require prob[...]=1/2 (without adding a negligible function), this
definition becomes equivalent to perfect secrecy.
Reading: 3.1, 3.2.1, a bit of 3.3 and 3.4.1.
- Lecture 5 (9/16) Pseudorandom generators (PRG)
motivation and definition. Showed an attack on any alleged PRG G
via checking whether the string is in the image of G or not.
Conclusions (informal): (1) there is no perfectly secret PRG: an
exhaustive search (exponential time attack) always distinguishes
from random. (2) For any G, if there's an efficient way to check
whether a string is in the image of G or not, G is not a PRG. The
latter implies that if there exists a PRG G, then P is not equal
to NP. Showed the "one-time pseudorandom pad" encryption scheme
based on a PRG G, and proved that if G is a PRG, the above scheme
satisfies EAV-security (proof by reduction). Brief discussion of
concrete security (in the scheme above there is almost no
degradation in security in the reduction).
Exercises: (1) Prove that definition 3.9 (different formalization
of indistinguishability against eavesdropper) is equivalent to our standard
definition of EAV-security (definition 3.8)
(2) a student asked: Assume you are given G where it is hard
to efficiently test whether a string is in the image of G or not.
Does this mean that G is a PRG? Try to formalize this question
and then answer it (note: there are different reasonable
formalizations, that may result in different answers).
Reading: 3.3, 3.4.1
- Lecture 6 (9/18)
Defined multiple message EAV-security. Proved that no (stateless)
deterministic encryption scheme can achieve it.
Defined stream ciphers as a pair (Init,GetBits) that induces a
PRG (where new pseudorandom bits can be generated dynamically as
needed). Mentioned (without a formal definition or proof) that it
can be used for stateful encryption achieving multiple message
EAV-security. Discussed some simple potential PRG construction examples and
whether they are good PRGs or not. In particular, a PRG can be
composed with itself to obtain another PRG with a higher expansion
factor (stretch). Theorem: if there is a PRG that expands by one
bit, then for any polynomial l(n) there's a PRG (stream
cipher) that expands by l(n) bits. We showed the
construction (iterative applications of G on the n-bit state), but
did not prove it is a PRG.
Exercise: For each of the example constructions we saw, prove
whether it is a PRG or not (namely convert our informal class
discussion into full proofs).
Reading: 3.4.2, 3.4.3, 6.4.2 (without the proof). The stream
cipher definition is not in the text.
- Lecture 7 (9/23)
Defined CPA security.
Example: the one-time pseudorandom pad scheme (which is EAV
secure) does not satisfy CPA security. Same attack works on any
deterministic scheme, or any scheme with only few possible
encryptions for each message. CPA security implies multiple
message CPA security (formal proof omitted). Showed that if the
secret key is a random function from n bits to n bits (exponential
size key), then can achieve CPA security by choosing the value of
the function on a random input as a pad. Since we cannot use an
exponential size key, this motivates pseudoranom functions (PRF).
Defined PRFs, gave example of a function that is not a PRF,
discussed connection of PRF to PRG and their differences.
Exercises: Prove that any scheme satisfying CPA secure encryption,
must have super polynomially many possible encryptions for each
message.
Reading: 3.5, 3.6.1.
HW1 due.
- Lecture 8 (9/24)
Showed that PRF implies PRG (in particular,
G(s)=F(s,0n)||F(s,1n) is a PRG if F is a
PRF). Defined PRP and strong PRP (block ciphers).
Discussed why block ciphers cannot be directly used as encryption
algorithms. Showed how to use PRF for CPA-secure encryption (where
encryption outputs (r,f(r) xor m) for a random r).
Started proving that this construction is CPA secure, will complete
the proof next time.
Exercise: If F is a PRF, is the following construction a PRG?
G(s)=F(0n,s)||F(1n,s) (namely swapping the
role of the key and input in the construction we saw above).
Reading: 3.6.2, 3.6.3
- Lecture 9 (9/30) Review of material. Completed proof that PRF
implies CPA secure encryption. Encryption of longer messages:
block-by-block encryption (remains CPA secure), and more efficient
modes of operation. We saw ECB (not even EAV secure, do not use!); CBC
mode (CPA secure, but discussed a CPA attack on the stateful
Chained-CBC version); CTR mode (CPA secure).
Exercise: Consider CBC and CTR modes applied on a single block
message. For each, write out the encryption scheme and prove that
it is CPA secure. Then think of a stateful variant where the IV
is replaced by a counter that increases with each new message
sent (rather than being chosen uniformly). Do these schemes remain
CPA secure? argue why yes, or provide a CPA attack if not.
Reading: 3.5, 3.6.
- Lecture 10 / Recitation 1 by Yuan (10/2)
Reviewed proof by reduction,
with examples of valid (but sometimes pathological) PRG constructions,
and introduced hybrid argument
to prove that G(G(s)) is a PRG.
Compared definitions of PRGs and PRFs,
including which parameters were secret,
and which were under the control of the adversary.
Proved the construction of PRGs from PRFs,
and the first step in the construction of PRFs from PRGs.
Considered alternative constructions in both directions,
and why they don't work.
Proved equivalence between standard security definition
(the adversary doesn't succeed with probability
non-negligibly more than 1/2),
and definition 3.9
(the adversary's output varies only negligibly depending on
which message, m_0 or m_1, was encrypted).
Sketched proof that CPA security implies multiple-message CPA security,
using definition 3.9 and hybrid argument.
Showed attack against a scheme with no message length restrictions
to motivate requirement for equal message lengths.
HW2 out on 10/3
- Lecture 11 (10/7)
CCA secure encryption motivation and definition. Discussed
padding oracle attacks, and showed a setting (CAPTCHA server)
where this is a very real attack model (but we didn't show an
attack on a specific padding scheme). All schemes we saw so far
fail under a CCA attack (demonstrated on the CPA-secure
(r,f_k(r)\xor m) scheme). Informal discussion of malleability
/ non-malleability / homomorphic encryption (examples where
malleability may be bad and when it may be good). This completes
private key encryption constructions for now (we will get back to
constructing CCA secure encryption). Showed a number theoretic
construction of a PRG: DH(a,b) = (g^a, g^b, g^ab) mod p (note
that this is length expanding).
DDH assumption says that if p, g satisfy certain properties, then
the above is a PRG.
Exercise: Complete the CCA attack on the encryption scheme above:
write the adversary explicitly and analyze its success
probability.
Reading: 3.7. Not in textbook: the padding oracle attacks, PRG
based on DDH assumption (though the assumption itself is
definition 7.60 in textbook, our description was informal).
- Lecture 12 (10/9)
Number theory review geared towards working in Zp* for prime p:
modular arithmetic, Z_N, Z_N*, Z_p*, Fermat's little theorem
(when working in Zp* for prime p, exponent can be reduced mod
p-1), Zp* is a cyclic group (wrt multiplication). Given p,g, can
define exponentiation function and discrete log function (its
inverse). There are efficient algorithms for all the following
tasks: testing whether a number is prime; generating a random n
bit prime p together with a generator of Zp*, computing the
exponentiation function mod p. (We did not show the algorithms for
any of the above, except the algorithm to select a random n bit
prime, if we don't care about the generator). Discrete Log
Assumption (DLA). Discussed some failed attempts at constructing
a PRG based on DLA, then showed the Blum-Micali generator, which
is a PRG under DL Assumption. Very informal and high level
overview of how the above generalizes to any "one way permutation (OWP)"
using any "hard core bit", and one exists based on Goldreich-Levin
construction (we did not see how.) Also known that one way
function (OWF) implies
PRG but more complex. Summary of theoretical
constructions: OWF, PRG, PRF, PRP, private key encryption all
computationally equivalent. OWF can be constructed by relying on
assumptions such as DLA.
Reading: parts of 7.1, 7.2.1, 7.3. Touched on topics in chapter
6. Not in the textbook: Blum-Micali PRG construction (but it follows
from instantiating the construction in theorem 6.7 with the
exponentiation OWP in Zp*, based on DLA).
- Recitation 2 by Luke (10/10)
Reviewed negligible function definition. Clarified PRPs and strong
PRPs / block ciphers vs PRFs. Luby-Rackoff
construction. Discussed how to go about proability analysis for
attacks in proofs. Reviewed the proof of CPA security of the
Enc_k(m)=(r,f_k(r) xor m) as a case study.
- Lecture 13 (10/14)
Review of PRP vs strong PRP (CPA vs CCA attack on
pseudoranmdomness).
Defined Feistel networks, showed that this gives a permutation for
any round functions chosen, and any number of rounds. Showed that
one round is not a PRP, regardless of round function. Hinted at
the attack on two rounds (also not PRP). Said (without showing)
that three rounds is not a strong PRP. Luby-Rackoff theorem:
Feistel with round functions being PRF with independent keys gives
PRP after 3 rounds, and strong PRP after 4 rounds (no proof).
Conclude that PRF implies strong PRP.
Discussion of what this means for practical ciphers using Feistel
network (and mentioned there are other theorems for more rounds
and weaker round-functions).
Practical constructions of stream ciphers: discuss security (or
lack thereof), block ciphers can be used in stream cipher modes
for better security. LFSR (not secure!), and overview of ways to
introduce non-linearity, e.g. as done in Trivium cipher (optimized
for hardware). RC4 (very fast in software), widely used but has
vulnerabilities. Presented the RC4 algorithm (with additional
details completed in the following class), and discussed
weakness of second byte, as well as weakness with IV that was used
to break WEP standard.
Exercise: Find an attack on two round Feistel, showing it is not
a PRP.
Reading: 5.2, 6.6, our discussion of stream ciphers details is not
in textbook except a very short summary on p.77.
Trivium is described
here
(in much more detail than we did).
- Lecture 14 (10/16)
Described the recent POODLE (padding oracle) attack on SSL3.
Block ciphers used in practice. General principles: concrete
security with fixed key and block sizes, attacks that are faster
than exhaustive search constitue a serious weakness, avalanche
effect). Substitution permutation networks (SPN)
structure. DES high level overview (16 round Feistel, round
function is a SPN with special non-permutation S boxes, S boxes
and following permutation satisfy some "avalanche effect"
properties).
Reading: 5.1, 5.3. POODLE attack is not in textbook but see the
security
advisory that exposed it (September 2014).
HW2 due.
- Lecture 15 (10/21)
Discussed security of DES (remains without any significant
practical attacks, but key size, and sometimes block size, are
too small). Incresing key length for block cipher: double
encryption and attack on it, triple encryption (3-DES is a
reasonable choice). High level overview of AES history, security
(seems very strong) and construction (variation on SPN with one
S-box permutation applied on each byte, and an invertible linear
transformation instead of a permutation at the end of each round).
Conclude part on pseudorandom primitive constructions, and start
message authentication codes (MACS). Discussed motivation and goals
(authenticity and integrity). Encryption does not generally
provide authentication (as we can see for all schemes we saw so
far, including stream ciphers and CPA secure encryption such as CTR
and CBC modes of operation).
Motivated the definition of security (existential unforgeability
against adaptive chosen message attack), but did not give the
formal definition yet.
Reading: 5.4, 5.5 (also recommended: 5.6), 4.1, 4.2.
- Lecture 16 (10/23)
Definitions of security for MAC, fixed-length MAC, and strong MAC
(where any valid new pair (m,t) is considered a forgery, even if
only t is new and m was asked before). Noted that if Mac is
deterministic then there's a unique tag for each message, and
standard and strong MAC security definitions are equivalent.
Example of attack outside our model: overview of timing attack on
MAC if adversary has access to verification (based on the time it
takes for Vrfy to reject). Construction of (fixed-length) MAC
using PRF, and security proof sketch.
Exercises: (1) Prove that for a strong MAC (eg when Mac is
deterministic), adding access to a Vrfy oracle in the security
definition does not add power. (2) Reconstruct by yourself the
proof of security for using a PRF as a MAC.
Reading: 4.3, 4.4 (strong MAC and timing attack discussion not in
text).
HW3 out on 10/25.
- Lecture 17 (10/28)
Domain extension for MAC (arbitrary length MAC based on fixed
length MAC): authenticating block-by-block, including random
identifier, length of message, and index of block in each block.
Showed attacks on block-by-block authentication with any of these
removed. Security proof sketch.
CBC-MAC (arbitrary length MAC using PRF): showed construction,
noted main differences with CBC encryption - no IV and no
intermediate values, and stated security properties (without
proof): this is secure for a fixed number of blocks only. Two
ways to make it secure for arbitrary length messages: either
prepend the length of the message as the first block, or apply one
more layer of PRF at the end, with a new key. Note: in a future
lecture we will show hash-based MACs as another alternative.
Exercises: (1) Can there be a secure MAC and two different
messages m, m' such that Mac_k(m)=Mac_k(m')? Can such m,m' be
found efficiently? Can such m,m' be found efficiently given the
key k? (2) Choose a couple of the following CBC-MAC variants and
show attacks breaking their security:
adding IV; disclosing intermediate output blocks; plain CBC-MAC
for arbitrary length m; appending the length of the message as
last block.
Reading: 4.4, 4.5
- Lecture 18 (10/30)
Authenticated Encryption: discussion and definition (CCA security
plus unforgeability).
Examples of general combination of any CPA secure encryption with
secure MAC:
(1) Enc and Authenticate: not even CPA secure.
(2) Authenticate-then-Encrypt: achieves unforgeability (we saw
the reduction), and CPA security (outlined the reduction). But
does not achieve CCA (we already saw the padding oracle attacks on
SSL's authenticate-then-encrypt scheme). Thus not authenticated
encryption.
(3) Encrypt-then-Authenticate: achieves unforgeability and CPA
security. For CCA, if given (c,t) easy to come with a valid
(c,t') for another t', can feed that to decryption oracle and
break CCA. But if using strong MAC, then this in fact achieves
also CCA, and thus authenticated encryption (gave some intuition
for the proof).
Exercises: prove the unforgeability and CPA security of the above
schemes (where applicable). Try to prove CCA security of the last
scheme.
Reading: Authenticated encryption is not in the text, but see 4.8
for the CCA security of encrypt-then-authenticate with strong MAC
(the book uses "MAC with unique tags").
- Recitation 3 by George (10/31)
Review and another example of padding oracle attack for SSL/TLS.
Proof of CPA security for CTR mode of encryption (proved the
security if using a random function, did not have time for second
part, security for the scheme with PRF by reduction).
- Lecture 19 (11/6)
Motivated and defined collision resistant hash functions (note
that there is a key but it is not secret, it is randomly chosen
and fixed and published; we sometimes omit it in notation). Discussed weaker possible definitions
(target collision resistance and preimage resistance) and how they
imply each other. Birthday attack (sketch the analysis
of the expected number of successes per t samples), implying we
need long enough output (length 2n if we want security of against
2^n time adversary).
Merkle-Damgard transform for CRHF domain extension (gave intuition
for proof of security).
Using fixed length MAC and CRHF can get arbitrary length MAC by
hash and MAC (without proof).
Discussed MAC using only CRHF: H(k||m) not secure, but adding
another hash depending on a second key in the last block, as done
in HMAC, is secure (no proof).
Construction of fixed length hash function based on DLA on Zp*
(compresses by one bit), and the main argument of the proof.
Exercises: Prove that H(k||m) is not necessarily a secure MAC when
H is a CRHF (consider H the Merkle-Damgard transform).
Reading: 4.6, 4.7.2. A DLA based hash function similar to the one
we showed is in section 7.4.2.
HW3 due.
- Lecture 20 (11/11)
Review of CRHF, brief discussion of application to password
hashing, and overview of practical CRHF constructions: MD5
(collisions found, do not use), SHA1 (vulnerabilities known but no
collision found yet), SHA2 family, and the recently announced
winner for SHA3 competition, Keccak.
Number theory review: extended Euclidean algorithm for gcd, and
its use to find modular inverses efficiently. Defined groups and
saw some properties of finite groups (e.g., for all x, x^|G|=1).
Noted (Zn,0) is a group with respect to modular addition, (Zn*,1)
is a group with respect to modular multiplication. Defined Euler's
totient function Phi(n)=|Zn*| and saw the formula to compute it
given n's prime factorization. Defined QRn, the group of
quadratic residues mod n. For a prime p, there are efficient
algorithm to check whether a number is in QRp, and if so finding
its sqare root. If p is a safe prime (p=2q+1) then QRp is a prime
order cyclic group generated by g^2 (if g is a generator of
Zp*).
Reading: 4.6.5, 7.1, 7.3
HW4 out on 11/12.
- Lecture 21 (11/13)
Stated the discrete log assumption (DLA) as a general group
assumption, and introduced also the computational Diffie-Hellman
(CDH) assumption and the Decisional Diffie-Hellman (DDH)
assumption, and the relationship among them (implications in one
direction). Showed Diffie-Hellman key exchange, and discussed its
security (key is indistinguishable from a random group element
under DDH assumption).
Showed why the DDH assumption does not hold over Zp* (g^{xy}
is distinguishable from random even given only p,g, since it has
probability 3/4 to be in QRp). DDH assumption believed to be true
over QRp when p is a safe prime (and QRp a cyclic group of prime
order).
Exercises: Formalize the definition of secure key exchange
(security against a passive adversary), and prove that the DH key
exchange protocol satisfies it if the DDH assuption is true (we
sketched both these things in class, and they are done formally in
the textbook, but try to do it yourself before reading in the
textbook).
Reading: 7.3.2, 9.3, 9.4
- Recitation 4 by Yuan (11/14)
Review of reduction proof techniques,
and how to detect possible insecurity when these techniques fail.
Showed examples of insecure encryption MAC schemes,
and where you would be stuck if you tried to prove security by reduction,
including plain CBC-MAC with variable length,
or with length appended to the end.
Also showed how to find collisions for Merkle-Damgård
variation without bit length appended to end.
- Lecture 22 (11/18)
Review of DH KE. Discussed random group element vs random string.
To get the latter need to apply a key derivation function, which
is possible through strong extractors (we did not define), or
through a hash function with the random oracle model (ROM) proof
heuristic. Brief overview of ROM in general. Discussed
insecurity of DH KE against active attacks, such as "man in the
middle" attack. Mentioned that for authenticated channel need
some sort of key distribution (possibly through a centralized
entity). Introduce Public key encryption, discussed historic
context, advantages and disadvantages compared with private
(symmetric) key crypto. Defined PKE security
(indistinguishability). Here eavesdropper is equivalent to CPA
and to multiple message indistinguishability (also equivalent to
"semantic security" which we did not define). Showed that PKE
implies KE, and KE in two rounds implies PKE. We instantiated the
latter on DH KE, to get the El-Gamal PKE (roughly, use the
first KE message as public key, and to encrypt use the second KE
message plus hide the plaintext using the resulting shared
key).
Exercises: prove that the El-Gamal encryption scheme is a CPA-secure
PKE under the DDH assumption.
Reading: 9.3, 9.4, 10.1, 10.2, 10.5, 13.1
- Lecture 23 (11/20)
Factoring assumption, and discussion of its hardness (best
algorithm known is super polynomial). RSA assumption (with respect
to GenRSA - various choices of e are possible, all considered
hard). This is a stronger assumption than factoring assumption:
factoring is equivalent to finding phi(N) and equivalent to
finding the inverse of e, and all these would imply that RSA
function can be inverted, but the other direction is not known
(it's possible that factoring is hard, but breaking RSA is easy).
Discussed plain (textbook) RSA and its insecurity as a PKE (e.g.,
it is deterministic). RSA gives a trapdoor permutation TDP (we did
not define formally). To get secure PKE we must introduce some
randomness. Described one way (provably secure) to transform any
TDP to a secure PKE via hardcore bit; for RSA, the lsb of the
input is a hardcore bit, so (r^e,lsb(r) xor m) is a secure PKE for
one bit messages under the RSA assumption.
Reading: 7.2, 10.4.1, 13.2 (without proofs), and informal overview of 10.7.
HW4 due 11/21.
- Lecture 24 (11/25)
Review of textbook RSA. Need for longer keys than private key
encryption, since there are sub-exponential (but super-polynomial)
attacks (see links page for current
recommended key lengths). There are several attacks on textbook
RSA (we saw another one, when the message is smaller than N^1/e),
so randomness needed. The PKE based on a lsb (more generally
hardcore bit) that we saw last time can be extended to longer
messages (still one exponentiation per bit). Padded RSA can be
proven secure if the message is only O(log n) bits and the rest is
the padding; it can be shown insecure when the padding is only O(log
n) bits; when half the bits are message and half padding we do
not know how to prove nor break security (similar schemes have been used in
practice). Another option is to encrypt by (r^e, H(r) xor m)
which can be proven secure under RSA assumption in the random
oracle model (ROM). CCA security: defined, mentioned (without
showing) that El-Gamal is malleable and thus not CCA secure,
showed that plain RSA is malleable and thus not
CCA secure. Padded RSA, depending on the padding, not susceptible
to same CCA attack, but a previous standard PKCS #1 v1.5 was broken
via a different padding oracle attacks. Newer standard versions
are based on RSA-OAEP, a padding that utilizes two hash functions
in a Feistel structure (we did not describe in detail), provably
CCA secure in ROM. Mentioned without details that there are
several CCA secure schemes (in the standard model), both
generically from any TDP, and efficient ones from assumptions such
as DDH, factoring, RSA.
Overview of Rabin (squaring) function (for N=pq generated
appropriately). This is a 4:1 function
but if N is Blum integer it is a permutation over QR_N.
We mentioned (without proof) that hardness of inverting this
function is equivalent to factoring assumption (in this sense,
better than RSA). However, even more susceptible to CCA (CCA
attack can completely factor N).
Hybrid encryption and the KEM/DEM paradigm: more efficient than
PKE; if KEM is CPA secure and DEM is a EAV-secure private key
encryption, the result is CPA secure PKE. If KEM is CCA secure
and DEM is CCA secure private key encryption, the result is CCA
secure PKE (did not prove these theorems, nor formally defined
CPA and CCA security for KEM, but discussed the theorems and their
implications informally). Example of KEM that is CCA secure in
ROM under RSA assumption: (r^e, H(r)).
Exercise: Find a CCA attack on El Gamal encryption
Reading: 10.4, 10.6, 11.2 (informal overview), 10.3 (although the
textbook doesn't cover CCA security for KEM/DEM).
HW5 out 11/26.
- Lecture 25 (12/2) Digital signatures: motivation and
discussion of differences with MAC (including public
verifiability, transferability, and non-repudiation). Definition
of signature schemes and their security. Insecurity of plain-RSA
signatures: (1) a no-message attack forging some message (applies
to any TDP used directly for signing); (2) CMA forging any message
you want (based on RSA malleability). Note on signatures vs PKE:
the notion that they are "opposite/dual" and that "to sign, you
just decrypt, to verify encrypt"
is wrong (often does not make
sense even syntactically, and when it does it's not secure;
e.g. this notion is correct for textbook RSA, but that is not
secure for either signatures nor encryption). Approaches to
constructing secure signature: (1) heuristic constructions, based
on number theoretic assumptions (2) constructions provably secure
in the random oracle model (ROM), based on number theoretic
assumptions or generic ones like TDP (3) constructions provably
secure in the standard model: (a) from OWF, (b) from CRHF, (c)
efficient ones from number theoretic assumptions. We saw the full
domain hash (RSA-FDH), which is provably secure in the ROM (under
RSA assumption, or any other TDP that is used). We then saw the
Schnorr identification scheme, secure under DLA [although we did
not formally define identification schemes]. We then mentioned
how to translate this to the Schnorr signature scheme, by
replacing the interactive challenge with a hash. The obtained
Schnorr signature is as follows: for PK=g^x, SK=x, to sign m:
compute I=g^k for a random k, r=H(I,m), s=rx + k, and output
(r,s). To verify a signature (r,s) on m, compute I = g^s / y^r,
and accept iff H(I,m)=r. This can be proven secure in the ROM (and
under DLA).
Mentioned very briefly DSA and ECDSA, widely used heuristic signatures
constructions also based on an identification scheme based on DLA,
however we have no proof of security (nor break).
Mentioned that signature scheme can be constructed with provable
security even from OWF, and in this sense belong in the "private
key world" (you don't need a trapdoor or a PKE to obtain
signatures). Note: we did not provide any proofs in this lecture.
Readings: 12.1-12.4, 13.3. We mentioned the schemes described in
sections 12.5-12.7 but did not show what the schemes are (note:
DSA and ECDSA are part of the DSS of 12.7).
The text does not include Schnorr (or any) identification scheme,
nor Schnorr signatures.
- Lecture 26 (12/4) This lecture did not contain details
nor formal definitions/theorems, but rather a (very) high level
overview of more advanced crypto topics (including current crypto
research and protocols). We started with a quick overview of how
TLS works (this is a practical application that uses a lot of the
primitives we discussed in the class). Then discussed how crypto
is a necessary but not sufficient component of any secure system.
We mentioned some research directions in cryptography that aim to
expand the cryptographic models and thus the implications of a
crypto security proof: leakage resilient and tamper proof crypto,
and forward secure signatures (incorporating in the adversarial
model partial leakage on keys, tampering of keys, or complete
leakage of keys that doesn't break security of previously
generated signatures). We then mentioned fully homomorphic
encryption and functional encryption, as well as outsourced and
verifiable computation, all of which allow for much richer
applications of cryptography (currently these are still within the
theoretical realm because of efficiency considerations and being
very recent). We provided a little more detail on secure
computation (still an active area of research but began in the 80s
and by now can often be practical). We overviewed the goal and
motivated secure computation. Example protocol: computing the sum
of all inputs (using a "telephone game" style protocol). This
protocol is secure in the semi-honest (aka honest-but-curious)
model against coalitions of size 1. Stated the general (meta)
theorem: any function that can be efficiently computed, can be
efficiently computed securely (true in various contexts,
adversarial models, etc, including against maximal coalitions).
Another example: computing oblivious transfer (OT) among two
parties: Alice's input is two bits {S0,S1}, and Bob's input is a
selection bit {b}; Bob's output is Sb (but no information on the
other secret), and Alice gets no output (no information). This
turns out to be a complete primitive (if OT can be securely
computed, then any efficient function can be securely computed).
We showed a protocol for OT based on the RSA assumption (in fact
any TDP can be used), which is secure in the semi-honest model.
Mentioned that there is a general poly time transformation of any
protocol secure in the semi-honest model, to a protocol secure in
the malicious model, using zero-knowledge proofs. Did not have
much time to talk about zero-knowledge proofs, but mentioned that
they exist for any NP language (assuming OWF exist), and allow to
prove statements such as "x is in L" while revealing no
information beyond the truth of the statement. The Schnorr
identification protocol we saw last time is a "zero knowledge
proof of knowledge" (we didn't define this), where the prover is
proving that he knows the discrete log of a given element, without
revealing any other information (in particular, keeping the
discrete log hidden).
- Recitation 5 by George (12/5)
Showed the CPA security proof for the El Gamal encryption scheme.
Overview of the proof of unforgeability of FDH-RSA signature
scheme under the RSA assumption in the random oracle model (we
went through the proof but omitted some technical details).
Back
to Course Main Page