W4261 Introduction to Cryptography: Fall 2019 Lecture Summaries

• Lecture 1 (9/3) Introduction to modern cryptography, overview and the goals of this class. Definition of private key encryption scheme syntax and correctness. Kerckhoffs' principle. Overview of some basic historical ciphers (Atbash, Caesar, shift) and simple attacks (brute force, frequency analysis). Motivation for rigorous definition of security and discussion of what secrecy for private key encryption should mean (assuring that the key is hard to guess and that the message is hard to guess are both necessary but not sufficient for security; definition of secrecy should work for any message distribution or prior knowledge of the adversary).
  Reading: Chapter 1.


• Lecture 2 (9/5) Discussion leading to two equivalent definitions of perfect secrecy, capturing the intuition that the ciphertext contains no new information about the plaintext (we did not prove equivalence of the definitions). Proved that the shift cipher is not perfectly secret. Defined the one-time pad (OTP) encryption scheme and proved that it is perfectly secret. Discussed two problems with OTP, which turn out to be inherent problems with any perfectly secret encryption. First, it cannot be used more than one time: we defined perfect secrecy for encryption of two messages, and proved that no (stateless) encryption scheme can satisfy perfect secrecy for two messages. Second, it has long keys: for any perfectly secret encryption, the key space must be at least as large as the message space.
  Reading: 2.1-2.3
  Required reading before lecture 3: Perfect (adversarial) indistinguishability - Definition 2.5 (a third equivalent definition, starting on the bottom of p.30 and through p.31). If needed, you should also brush up on asymptotic notation, ppt algorithms and negligible functions (see bottom of page 47 through 49, and if you need more check appendix A and other materials in the background section here).


• Lecture 3 (9/10) Discussed framework for cryptographic theorems (requiring a definition of attack model and what breaking security means), motivated computational security, and discussed necessity of relaxations (security only against efficient adversaries and allowing a negligible error probability). Definition of EAV security (indistinguishability for a single message against an eavesdropper). Outlined why having an EAV-secure encryption scheme would imply P ≠ NP, and thus proving that such a scheme exists is very hard (at least as hard as proving P ≠ NP). Instead, we rely on assumptions. Constructing secure private key encryption by merely assuming P ≠ NP is not known and a big open problem. We do know how to construct it from other primitives (OWF, PRG, PRF, Block ciphers, MAC, Signatures are all equivalent primitives, which we will talk about). In turn, these primitives can be constructed from mathematical assumptions or engineered designs. Brief overview for PRG and how they can be used for EAV-secure encryption.
  Reading: 3.1, 3.2.1


• Lecture 4 (9/12) After a quick review of last time and discussion of pseudorandomness, we defined a pseudorandom generator (PRG). We showed that if you can test whether a string is in the image of G or not, then you can distinguish the output of G from uniform, and thus, if such a test can be done efficiently, G is not a PRG. Discussed some examples of constructions and whether they are necessarily a PRG or not. Along the way, discussed proofs by reduction. Quick overview of types of PRG constructions (stream ciphers, or mathematical constructions), and an example of a number-theoretic based candidate PRG: If p,q are primes such that p=2q+1, and if g is an element of order q in Zp*, then G(a,b)=(g^a,g^b,g^{ab}) (everything mod p) is believed to be pseudorandom (and is certainly efficiently computatble, deterministic, and length expanding). This is called the DDH assumption, which we will revisit later (if you didn't follow this example now, that is ok -- you should be able to follow it by the end of class).
  Reading: 3.3.1, 3.3.2. The DDH-based PRG is not in the textbook, but the assumption itself (more formally and for general groups) is definition 8.63 in the textbook (you are not responsible for it at this point).


• Friday 9/13 2pm: Review session 1 led by Lali and Eli


• Lecture 5 (9/17) Review of PRG definition. Mentioned the equivalent game-based definition and showed equivalence. Proved that if G is a PRG then G(G(·)) is also a PRG (same proof also works for composition of any two PRGs). Our proof used the hybrid method (with one hybrid in between the two distributions we need to prove indistinguishable) although there are also other (better in some ways) proofs. We concluded that if there's a PRG with any expansion (even one bit), then there's a PRG with any polynomial expansion (we sketched the proof, which generates one bit at a time, sometimes called a stream cipher). We proved that if a PRG exists, then there's a EAV-secure encryption scheme (a pseudorandom one-time pad). The proof was (as usual) via a reduction. We discussed why this scheme is not secure when encrypting more than one message with the same key, and why in fact there is no (stateless) deterministic encryption scheme that satisfies two message EAV security. We mentioned the stateful use of PRG for encrypting multiple messages via stream ciphers, but keeping state is often not desirable or possible (for both functionality and security reasons). With stateless encryption as our default, we concluded that encryption must be randomized.
  Reading: 3.3, 7.4.2.


• Lecture 6 (9/19) Review of structure of cryptographic proofs by reduction and hybrid arguments. Discussion of several stronger attack models, and definition of CPA secure encryption. We mentioned (without proof) that CPA security for one message implies CPA security for multiple messages. Showed why any scheme with deterministic encryption cannot satisfy CPA security (more generally, no scheme with only polynomially many possible ciphertexts for each message can satisfy CPA security). Mentioned that if we could have a random function as a secret key, we could use it towrads building CPA secure encryption (although we didn't yet show how, and it's not obvious). However, a random function takes exponential length to describe. This motivates the notion of pseudorandom functions (PRF), which we defined.
  Reading: 3.4, 3.5.1


• Lecture 7 (9/24) Reviewed notions of CPA secure encryption and PRFs, some examples and discussion, showed that PRF implies PRG (with proof), and that PRG implies PRF (showed the GGM construction but not the proof). Defined PRP and strong PRP. Discussed why PRF cannot be used directly as-is as an encryption scheme (e.g., it is deterministic), and showed how we can use a PRF to construct get a CPA secure encryption scheme (with randomized encryption). We will prove security next time.
  Reading: 3.5.1, 7.5, 3.5.2.


• Lecture 8 (9/26) Reviewed PRG and PRF, differences between them, and went over common quiz mistakes. Showed that a PRF can be used (as a component in a randomized algorithm) to construct a CPA-secure encryption scheme for messages of fixed length (the block-size length). Proved CPA-security (and discussed general proofs based on PRF). Started discussing encryption of longer messages by parsing them into blocks (with appropriate padding to have the length be a multiple of the block size). Block-by-block padding remains CPA secure and enjoys various other advantages, but ciphertext length is twice the message length, which we'd like to improve.
  Reading: 3.5.2, 3.6.2.
  Required reading within two weeks: Either chapter 6 or chapter 7 (see details in HW2).


• Friday 9/27 4:30pm: Review session 2 led by Alex and Lali


• Lecture 9 (10/1) Reviewed the notion of block ciphers (typically used as a synonym for strong PRPs), a special case of PRFs (in some applications we will see strong PRP are needed, and in some any PRF will do). Showed that if any CPA secure encryption scheme exists for fixed message size, there's CPA secure encryption scheme for a longer message size: block-by-block encryption remains CPA secure (proof using a hybrid argument, which we didn't show). Discussed modes of encryption, aimed at using block-ciphers to encrypt longer messages with better ciphertext expansion, and various other desired properties, while maintaining CPA security. ECB mode (not even EAV secure - do not use!). CBC mode (CPA secure). A small modification using CBC mode in a stateful way is no longer CPA secure, which was used to launch a successful attack ("BEAST") on SSL/TLS in 2011 (lesson: use crypto primitives correctly- only as intended and proved!). CTR mode. Defined Feistel networks and showed that for any round functions and any number of rounds this results in a permutation (which is efficiently computable and invertible). Luby Rackoff theorem: if we instantiate a Feistel network with round functions that are PRF with independent key for each round, then after 3 rounds we get a PRP (but not a strong PRP), and after 4 rounds we get a strong PRP (proof not shown).
  Reading: 3.6.2, 6.2.2, 7.6.
  Required reading for next time: Appendix A.4 (birthday paradox review): you should understand the statement (as we will use it). You don't have to know the proof (although it's easy enough and worth reading).
  


• Lecture 10 (10/3) High level overview and general principles for block ciphers in practice. Discussed concrete security with fixed key and block sizes (any attack faster than exhaustive search constitutes a serious weakness). Discussed DES structure and its security: remains without any significant practical attacks beyond exhaustive search, but key size and sometimes block size are too small for use today. Discussed how to increase key length for a given block cipher: 3DES effectively doubles key size (no known non-trivial attacks) but 2DES does not (susceptible to meet-in-the-middle attack). Discussed AES structure and its security (very strong according to all indications). Discussed how you should not design your own block cipher, just use AES -- it is well studied and has been subject to much scrutiny. Moreover, use it correctly: if you use it as a component in some construction, make sure the construction is provably secure assuming the building block is a strong PRP.
  Reading: 6.2.1 (we just barely touched on this), 6.2.2, 6.2.3, 6.2.4, 6.2.5.
  


• Lecture 11 (10/8) After a short review, started talking about chosen ciphertext attack (CCA) security. Discussed definition (the standard one, also called CCA2, as well as the weaker CCA1 version). Discussed motivation for for why we would want such security. Discussed padding oracle attacks (a special case of CCA attacks), which were successfully used in many cases. This includes a CAPTCHA server setting (we discussed the setting but not the details of the padding scheme or attack), as well as the POODLE attack on SSL3 (we gave a more detailed, though not complete, description of the padding and the attack). All encryption schemes we've seen so far are not CCA secure (we showed an explicit attack on the one where ciphertexts are of the form (r,Fk(r) xor m)). We mentioned that CCA secure encryption can be constructed, as we will see a little later. Short informal discussion of non-malleability / fully homomorphic encryption (examples where malleability of encrypted messages is desirable and undesirable; CCA security requires non-malleability).
  Reading: 3.7. Note that the textbook describes a different padding-oracle attack than the one we saw (but the ideas are similar). You can read more about the POODLE attack we described in the security advisory that exposed it (around Sep 2014).


• Lecture 12 (10/10) Summary of all primitives seen so far and their relationships (and a quick mention of how they are instantiated), including examples of EAV/CPA/CCA secure encryption schemes from pseudorandom primitives. The CCA-secure example was new: if F is a strong PRP with block size 2n, and we encrypt an n-bit message m by outputting F_k(r||m) (where k is the key and r is a random n-bit string), this gives a CCA secure encryption scheme (we did not prove this). We defined one-way functions and briefly talked about their importance (without proofs or detail): OWF imply PRG (via the important Goldreich-Levin theorem, which we didn't show), and is in fact equivalent to all other primitives we mentioned (as well as to MAC and Signature schemes, which we haven't mentioned yet). Message authentication codes (MACS): discussed motivation and goals (authenticity and integrity). Encryption does not generally provide authentication (demonstrated via several of the encryption schemes we've seen so far). Definition of secure MACs (existential unforgeability against adaptive chosen message attack), including variations of fixed-length MAC and strong MAC (where any valid new pair (m,t) is considered a forgery, even if only t is new and m was already asked before). Noted that if the Mac algorithm is deterministic then there is a unique tag for each message, and thus standard MAC security implies strong MAC security in this case. Mentioned that replay attacks are not considered here (and should be protected at the level of the message, via time stamps or counters - we did not elaborate). Showed a construction of a secure fixed-length MAC by using a PRF and proved its security. For longer messages, we showed that simply authenticating each message block separately does not work (messages can be forged by reordering blocks or mixing blocks from different previous messages).
  Reading: 4.1, 4.2, 4.3.1. Details about OWF, Goldreich-Levin theorem, and how to construct PRG from OWF, are all in Chapter 7, which is one of the two choices for the required reading in HW2 (if you chose the other one you just need to know what we stated in class).


• Friday 10/11 11:30am: Review session 3 led by Eli and Alex


• Lecture 13 (10/15) Domain extension for MAC: we can use a fixed length MAC to build arbitrary length MAC. This can be done by authenticating block-by-block, where each block also includes a random identifier, length of message, and index of the block (with any of these missing there's an attack, but with all these it's secure). Here the tag is longer than the message, while much more efficient schemes (with shorter tags of just one block length) exist. We showed CBC-MAC for longer messages using an underlying PRF. The basic construction is secure only for fixed-length messages (with an arbitrary, but fixed and agreed on in advance, number of blocks). We showed attacks if different length messages can be authenticated. We pointed out main differences with CBC Encryption (no IV and no intermediate values), which are essential for security. Two ways to augment CBC-MAC to be secure for arbitrary length messages: either prepend the length of the message as the first block, or apply an additional layer of PRF at the end with a fresh key. These are secure and used in practice. (We will see hash-based MAC later as another practical and secure alternative). For all the above, we did not show any proofs of security. Authenticated Encryption: discussion and definition (satisfying both standard CCA security, and a tailored unforgeability definition).
  Reading: 4.3.2, 4.4.1, 4.5.1


• Lecture 14 (10/17) Achieving authenticated encryption from underlying primitives of CPA secure encryption and MACs: we analyzed three attempts (all were at one point used in real systems). Encrypt-and-Authenticate: satisfies unforgeability (we showed the reduction) but not even CPA secure - we saw attacks (do not use). Authenticate-then-Encrypt: satisfies unforgeability, as well as maintaining the encryption security of the underlying scheme (we saw the reduction showing that CPA security is maintained; one can similarly show that CCA security is also maintained if the underlying scheme was CCA secure to begin with). However, if the underlying scheme was only CPA secure, this scheme is also only CPA secure, and can be vulnerable to CCA attacks: we saw one example of CCA attack, when the underlying scheme encrypts the ciphertext and tag separately; the POODLE attack we saw in lecture 18, and many other padding-oracle attacks are other examples applied to this authenticate-then-encrypt setting. Encrypt-then-authenticate: satisfies unforgeability. If the MAC is not a strong MAC, this may be vulnerable to CCA attack. However, if the underlying MAC is strong (e.g, any determinisitc MAC), and the underlying encryption is CPA secure, this is CCA secure (hence, authenticated encryption). Hence, use encrypt-then-authenticate! (as a rule of thumb, whenever you are concerned with active adversaries, all your algorithms should start with verifying a MAC on the received message, before doing other cryptographic operations like decryption). Note that encrypt-then-authenticate is also a way to boost from CPA to CCA security, even if you don't care about authentication.
  Reading: 4.5.1, 4.5.2, 4.5.4.
  Required reading by lecture 16 (10/24):Number theoretic background: Appendix B (without the starred parts), 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.1, 8.3.1. If you'd like to see more examples or a different exposition, you can also check out the relevant parts of Angluin's notes (in particular parts 4,5,6,8,9) and/or Smart's Chapter 1 (especially part 1 and 3).


• Lecture 15 (10/22) Collision resistant hash functions (CRHF): motivation and definition (for fixed length and arbitrary length). Several informal discussions: asymptotic keyed definition vs practical unkeyed hash functions (note that in any case there's no secret key), weaker definitions (second preimage resistance/target collision resistance, preimage resistance/one-wayness), random oracle model. Merkle-Damgard transform for domain extension (from fixed to variable length CRHF). Generic attacks: "birthday" attack takes time about square root of brute force. This means we need a longer output (for security against 2^n attack, we need to choose output length at least 2n).
  Reading: 5.1, 5.2, 5.4.1, 5.5


• Lecture 16 (10/24) Overview of CRHF in practice: MD5 and SHA1 should not be used (collisions found, including collisions with chosen format or meaning). SHA2 family currently considered good, as is SHA3, which is the standardization of Keccak, the winner of the NIST competition a few years ago. A common design paradigm is relying on a custom-designed block-cipher (taking part of the input as the key) to get a fixed length compression function, then applying Merkle-Damgrard extension to arbitrary length. This design is not generically secure with an arbitrary block-cipher, and not secure with standard block-ciphers like AES. We discussed some applications of hash functions (informally and without proofs): For MAC domain extension, hash-and-MAC is secure (using any CRHF and fixed length MAC of matching lengths). To build MAC directly from hashing alone, can use HMAC, a standardized, provably secure, and very efficient design, widely used in practice. Hash functions are used for fingerprinting/equality checking in many different contexts, such as deduplication, or verifying integrity of a downloaded file. Merkle trees of hash functions constitute a CRHF if the number of leaves is fixed. Password hashing. Blockchain (hashing used for fingerprinting previous blocks / proving integrity of chain, as well as for proof of work / puzzle solving). We quickly showed a construction of a fixed-length hash function that shrinks by one bit, which is provably secure assuming the discrete log assumption (DLA).
  Reading: 6.3, 5.3, 5.6.1, 5.6.2, 5.6.3, the DLA based construction is in 8.4.2 (for general groups - we wrote it for Zp* - we will discuss the DLA more carefully in the following lectures).


• Lecture 17 (10/29) Motivated the use of number theory and other mathematical assumptions for instantiating the (private key) primitives we saw so far, as well as public key cryptography which we will see next. Quick (and superficial) review of some facts from number and group theory (without proofs): finding gcd and inverses mod N. Groups, including the special cases of (Zn,0) wrt modular addition, (Zn*,1) wrt modular multiplication. If a group is of size q, then for every element x in the group x^q=1 (so exponent can be reduced mod q). In particular for any n, and any x in Zn*, x^φ(n)=1 mod n (special case for a prime p: x^(p-1)=1 mod p). For primes p, Zp* is a cyclic group (of order p-1). Discrete Log assumption (DLA) and discussion.
  Reading: Appendix B (except the starred parts), 8.1.1-8.1.4, 8.3.1, 8.3.2


• Wed 10/30 8pm: Review session 4 led by Lali and Eli


• Lecture 18 (10/31) Quick review of proofs in the random oracle model, as well as last lecture. Diffie Hellman key exchange, and discussion regarding required assumptions. This led to the definition of the computational DH assumption (CDH) and the decisional DH assumption (DDH). DDH implies CDH, which in turn implies DLA. The converse is not true in general, and even in specfic useful groups where DDH is believed to hold, we don't have a proof that it is equivalent to DLA (thus, DLA is the best/weakest assumption of the three). Going back to KE, DDH implies the key agreed in DH KE is indistinguishable from a random element in the group. However, DDH does not hold in Zp* (although DLA and CDH are believed to hold) as we showed next. We defined QRp, the subgroup of quadratic residues mod p (this group happens to be cyclic and generated by the g^2 where g is a generator of Zp*; it is of size (p-1)/2). We argued that for a prime p it's easy to tell whether an element of Zp* is in QRp or not (by raising it to (p-1)/2 and checking if we get 1), and that this can be used to break the DDH assumption in Zp*. A similar attack works for any composite order group, but this attack does not work in a prime order group. If p is a safe prime (p=2q+1 where q is a prime) then QRp is of prime order q. For this group, DDH is believed to be true, and so we can apply the DH KE for this group to get indistinguishability (namely passive security). We mentioned that for an active attacker, the DH KE scheme we saw is not secure (eg, there is a devastating "man in the middle" attack). Still, today's KE protocols (e.g in SSL/TLS) use this DH KE idea, modified to allow an "authenticated channel" with the help of a Certificate Authority (CA), to prevent active attacks (we did not discuss any details about how, or what a CA is).
  Reading: 8.3.1-8.3.3, 10.3. You're encouraged to also read 10.1 and 10.2 (but this is not required).


• Lecture 19 (11/7) Review and elaboration: working in prime order groups. Operations that are computationally efficient (multiplication, exponentiation, recognizing the identity, linear operations in the exponent). Hardness assumptions (conjectured true in some group): DL, CDH, DDH. Mentioned bilinear groups: the (efficieintly computable) bilinear map (also called "pairing") renders DDH false, but also allows new applications that require degree 2 operations (multiplication) in the exponent, such as 3 party key agreement (we didn't show), and many other things. Public Key Encryption (PKE): quick historical overview and discussion of differences with private key setting. Definition of CPA security. Noted that EAV security for one message, multiple messages, and CPA security are all equivalent for PKE (this also means that there does not exist PKE with perfect security, even for EAV, single message, and large keys - brute force attack always breaks security). Noted that, like in the private key case, Enc must be randomized, and there must be super polynomially many encryptions for each message. PKE is equivalent to 2-messae KE (although we didn't formally define the latter). We showed the PKE obtained from the DH KE protocol -- this is the El Gamal PKE, secure under the DDH assumption (proof of security left as an exercise).
  Reading: 8.3.3, 10.4, 11.1, 11.2.1, 11.2.2, 11.4.1. The bilinear maps discussion is not in the textbook. You can find a lot of material (slides and videos) on the BIU winter schhool on bilinear pairings in cryptography: this is a good resource for information on elliptic curves and pairings in crypto, but what we covered in class is contained in the first 6 slides of Boneh's lecture on pairing basics (upto the point stating DDH is easy).
  


• Lecture 20 (11/12) Factoring assumption (which can be phrased as: multiplying two large primes is a one-way function). RSA function, which is a permutation over Z_N*. RSA assumption wrt GenRSA experiment generating (N,e,d) (variations on how e is chosen yield different assumptions, all considered hard). If factoring assumption is false (factoring easy) then RSA assumption is false, but the other direction is not known (thus, RSA is a stronger assumption). Indeed, factoring N=pq is equivalent to finding φ(N) and can be used to find the inverse of e, all of which allow to take e-th roots mod N and break the RSA assumption. However, it's possible that there are other ways to break RSA even if factoring is hard. Textbook (plain) RSA and its insecurity as a PKE (e.g., it is deterministic; there are other attacks as well). We discussed informally the concept of a trapdoor permutation (the RSA function is one, under the RSA assumption): a permutation that is easy to compute and hard to invert, but easy to invert given a trapdoor. Any trapdoor permutation can be used to get a secure PKE, via a hard-core bit (we didn't formally define). Specifically for the RSA permutation, it is known (though we did not prove) that under the RSA assumption, the lsb is a hard-core bit. That is: if there's a ppt algorithm that given N,e, and x^e mod N can find the lsb(x) with probability non-negligibly better than 1/2, then there's a ppt algorithm that given the same input, can recover x completely with non-negligible probability. This yields a PKE scheme for one bit messages, secure under the RSA assumption: the encryption outputs (r^e, lsb(r) xor m). More efficient options include the following. Padded RSA PKE (can prove security under RSA assumption when message length is at most logarithmic in n, insecurity when random pad is at most logarithmic in n, and we do not have a proof nor an attack when the message and pad are of the same length). Hashing-based encryption, where the encryption outputs (r^e, H(r) xor m), which can be proven CPA secure in the ROM under the RSA assumption. These (and variations with specific padding patterns) have often been used in practice.
  Reading: 8.2, 11.5 (only some parts), touched on 13.1


• Lecture 21 (11/14) Rabin function (squaring mod N=pq). We showed that this is a 4:1 function (along the way mentioning the Chinese Remainder Theorem). We also mentioned that if p, q are both 3 mod 4, then this is a permutation over QR_N. We showed that inverting this function (i.e., taking square roots mod N) is equivalent to factoring N. Thus, this is a better (weaker) assumption than RSA. On the other hand, due to equivalence to factoring, schemes based on this assumption are often more susceptible to CCA attacks. Defined CCA secure PKE. PKE schemes we saw so far are not CCA secure: we demonstrated by showing attack on El Gamal, and mentioned practical CCA attacks carried out against the standardized padding of RSA. Mentioned that there are provably CCA secure schemes based on number theoretic assumptions (for example, the Cramer-Shoup DDH-based efficient scheme). However, it is not known how to construct CCA secure PKE from CPA secure PKE. Mentioned OAEP: padding-based RSA (with two hash functions in a 2-round Feistel network), which is often used in practice and is CCA-secure in the ROM under the RSA assumption. The most typical use of PKE is for hybrid encryption: use PKE to encrypt a random key which is subsequently used for private key encryption (we briefly mentioned the notion of KEM/DEM for hybrid encryption).
  Reading: 11.2.3, 11.3 (much abbreviated), 11.5, 13.5


• Lecture 22 (11/19) Digital signatures: motivation and discussion of differences with MAC (including public verifiability, transferability, and non-repudiation). Definition of signature schemes and their security (existential unforgeability against CMA). Insecurity of plain RSA signatures: First, we showed a no-chosen-message attack forging a signature on some message (this attack applies to any TDP which is used directly for signing). Then we showed a CMA attack that allows to forge a signature on any message (this attack is based on the malleability of the RSA function). We discussed the wrong notion that signatures and PKE are dual in the sense that you can "sign by decrypting, verify by encrypting". This does not make sense with our modern terminology, even syntactically, since a secure PKE must be randomized, and every message has exponentially many ciphertexts. This notion was suggested by Diffie and Hellman in their seminal work where they propose the idea of PKE and signature schemes, but what they referred to as PKE is what we call "trapdoor permutation" today (which is a deterministic function). We mentioned that it is known how to construct signature schemes from PKE, and even from private key encryption (or PRG/PRF/OWF etc), but we do not know how to construct PKE from signature schemes. Approaches for constructing secure signatures: (1) heuristic constructions, based on number theoretic assumptions (these include DSA and ECDSA, which are part of NIST's digital signature standard). (2) constructions provably secure in the random oracle model (ROM), based on number theoretic assumptions (or generic TDP) - we described the RSA full domain hash as an example. (3) provably secure constructions (in the standard model): (a) relatively-efficient ones form number theoretic assumptions, (b) from CRHF (we described a one-time one-bit signature scheme from OWF, which can be combined with a CRHF to get standard secure signature schemes). (c) from OWF (these are the most complex, most secure, and least efficient). We then discussed complexity of known algorithms to break DLA and factoring assumption: for DLA mod a prime p and for factoring, sub-exponential (but super polynomial) algorithms are known, hence a larger key size is needed (e.g., 3072 bits for "128-bit security"). For DLA over elliptic curve groups, the best attack is exponential, and so a shorter key length can be chosen (e.g., 256 bits). Both DLA and factoring can be broken with a polynomial time quantum attack. This is not yet a threat in the short-run, but may become one. This motivates the push towards "post-quantum cryptography", namely using assumptions that are not known to be breakable by quantum computers. The main candidates are lattice-based assumptions, which we will mention next time.
  Reading: 12.1-12.4, 12.6.1. Factoring and discrete log algorithms are described in chapter 9 (we only mentioned their complexity). You can also check out recommended key lengths here.


• Lecture 23 (11/21) Lattice based cryptography: motivation and discussion. E.g., in addition to "post-quantum", some lattice based assumptions are known to give us strong cryptographic primitives that we don't know how to get otherwise, such as fully homomorphic encryption (which we did not discuss). Defined LWE assumption (search and decision versions are equivalent here). Showed a one-bit PKE scheme which is CPA secure under the LWE assumption. Zero knowledge proofs: motivation, discussion, and applications (e.g., identification protocols, compiling protocols secure against passive adversaries to protocols secure against active adversaries, etc). Showed protocols for proving two cards are different colors (informal), and a protocol for proving that a given element is a quadratic non-residue. Defined interactive proof systems. All languages in NP have a simple interactive proof system (in fact, it's a non-interactive one) where the prover sends the witness to the verifier. This simple protocol is clearly not ZK (we will define the zero knowledge property next time). Note: there were no proofs in this lecture.
  Reading: The material from this lecture is not in our textbook. You can find more information on the LWE problem in Regev's 2010 survey (what we mentioned in class is a subset of section 1, and section 4).


• Thur 11/21 8pm: Review session 5 led by Alex and Lali


• Lecture 24 (11/26) Review and discussion of interactive proof systems (mentioned that the corresponding class IP was proven to be equal to PSPACE). Defined zero knowledge proof systems, which include the same completeness and soundness properties, and an additional zk property, defined via the simulation paradigm (perfect, statistical, or computational). We mentioned that often there's an efficient prover strategy (for completeness), for a prover holding some witness. Soundness is still required to hold against any, even unbounded, prover (when soundness holds only against poly time provers, this is called an interactive argument, rather than proof). If the ZK property holds only against the original verifier V, this is called "honest-verifier zero knowledge". We showed a ZK proof system for proving quadratic residuosity modulo a composite. We showed correctness and soundness, and showed the simulator for the zk property, which runs in expected polynomial time, and once it halts, its output is distributed identically to the real execution. In this example, all properties hold without making any computational assumptions. Moreover, this example has the property that the honest verifier simply sends a random challenge to the prover. For such ZK proofs, the Fiat-Shamir methodology replaces the verifier with a random function, and all the properties are preserved. This is often used in practice, for example to give signature schemes secure in the random oracle model (removing the interaction from an identification scheme). We stated the theorem that if OWF exist, then any language in NP has a ZK interactive proof system. This is a very important theorem (one application we mentioned: towards compiling protocols that are secure against "honest-but-curious" parties who follow the protocol, into protocols secure even against malicious parties). The proof of this theorem is by showing a ZK proof system for an NP-complete language: we sketched this for graph Hamiltonicity (relying on a "commitment scheme" as a building block - we only hinted as to what those are, just giving some intuition). Class wrap-up.
  Reading: The material from this lecture is not in our textbook. You can find more information in the zero-knowledge chapter of Pass-shelat textbook (see readings page). They have a more formal/thorough treatment than ours, and different examples; the most relevant parts are 4.6-4.9. The QR example we saw was actually a zero-knowledge proof of knowledge: we did not define this, but this is the basis of identification schemes. Thus, section 12.5 in our textbook is also relevant. (These resources don't match exactly what was taught in class, and we didn't have much time; as usual, you are only responsible for what was covered in class - see first paragraph on the top of this page).


• Lecture 25 (12/3) Lecture by Dr. Tal Rabin. Showed 2-out-of-2 additive secret sharing. This can easily be extended to n-out-of-n additive secret sharing. To get 2-out-of-n secret sharing, we can use 2-out-of-2 for every pair of players, but this results in a share size that grows linearly with the number of players. We saw a better construction, that only grows logarithmically with the number of players (using a 2-out-of-2 sharing for each bit in the binary representation of the player's index). We formally defined correctness and security of t-out-of-n secret sharing, and proved that the 2-out-of-2 additive scheme we saw satisfies both. We discussed some applications to secure computation, and gave a simple example computing sum (the general case is a vast research area, with results showing that any function can be computed securely in many settings). Suppose n parties want to compute the sum of their inputs mod p, without revealing any further information about their input. We saw one protocol that involves each party sending a private message to the next party. This is intuitively secure (though we did not define security), since the message received by each party is random, and only the final sum revealed at the end depends on the inputs. However, this scheme requires n sequential rounds of communication, and more importantly it is no longer secure if two parties can collude and compared their transcripts. We then showed how to use n-out-of-n secret sharing to solve both above problems, providing a protocol with a constant number of rounds, which is secure also in the face of collusion (again, we didn't define or prove the security).
  Reading: This material is not in the textbook, but see here for notes summarizing the lecture.


• Lecture 26 (12/5) Lecture by Dr. Hugo Krawczyk. Oblivious PRFs (OPRFs) and their applications. Informally defined OPRFs and showed an implementation using a DH-based assumption ("one-more DH assumption") in the random oracle model. Showed an application of OPRF for greatly improving security of cloud-based key management (and storage) systems, and threshold OPRF. Some other applications were briefly mentioned as well.
  Reading: this material represents very recent research (just presented at the CCS '19 conference), and not in the textbook. However, see the slides here. The first slide contains links to the relevant papers (which also have definitions and proofs), for those interested. The lecture covered the material through slide 19, mentioning slide 20 (and slide 21 - the importance of definitions and proofs, which were not included in the lecture for time reasons).

Back to Course Main Page