W4261 Introduction to Cryptography:
Fall 2019 Lecture Summaries
Below are brief summaries, written shortly after each lecture, of
what was covered, together with recommended (and in some cases
required) readings. Readings refer by default to chapters from the
required textbook, though sometimes may include pointers to other
texts found on the readings page, or
to handouts written by us. The material in class does not
correspond exactly to the material in the textbook. Often the
readings below contain significantly more details and proofs than
covered in class. Conversely, class sometimes contains material
that is not in the textbook (I'll try to indicate when this is the
case).
You are (only) responsible for (all) the material taught in class,
any readings marked below as required (even if not covered in
class), and anything covered by our homework.
It will be assumed that before each lecture you carefully go over
the previous lecture and any required readings.
- Lecture 1 (9/3)
Introduction to modern cryptography, overview and the goals of
this class. Definition of private key encryption scheme:
syntax and correctness. Kerckhoffs' principle. Overview of
some basic historical ciphers (Atbash, Caesar, shift) and
simple attacks (brute force, frequency analysis). Motivation
for rigorous definition of security and discussion of what
secrecy for private key encryption should mean (assuring that
the key is hard to guess and that the message is hard to guess
are both necessary but not sufficient for security; definition
of secrecy should work for any message distribution or prior
knowledge of the adversary).
Reading: Chapter 1.
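The brute-force attack on the shift cipher mentioned above can be sketched in a few lines (a toy illustration; the function names are ours, not from the textbook):

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def shift_encrypt(key, plaintext):
    # Shift each letter forward by `key` positions (mod 26).
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in plaintext)

def shift_decrypt(key, ciphertext):
    # Decrypting is just shifting backward.
    return shift_encrypt((26 - key) % 26, ciphertext)

def brute_force(ciphertext):
    # The key space has only 26 elements, so exhaustive search is trivial:
    # return every candidate plaintext and let the attacker pick the
    # meaningful one.
    return [(k, shift_decrypt(k, ciphertext)) for k in range(26)]
```

Because only 26 keys exist, one of the 26 candidates is always the true plaintext, illustrating why a large key space is necessary (though, as discussed in class, not sufficient) for security.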
- Lecture 2 (9/5)
Discussion leading to two equivalent definitions of perfect
secrecy, capturing the intuition that the ciphertext contains
no new information about the plaintext (we did not prove
equivalence of the definitions).
Proved that the shift cipher is not perfectly secret.
Defined the one-time pad (OTP) encryption scheme and proved
that it is perfectly secret.
Discussed two problems with OTP, which turn out to be inherent
problems with any perfectly secret encryption. First, it
cannot be used more than one time: we defined
perfect secrecy for encryption of two messages, and proved
that no (stateless) encryption scheme can satisfy perfect
secrecy for two messages. Second, it has long keys: for any
perfectly secret encryption, the key space must be at least as
large as the message space.
Reading: 2.1-2.3
Required reading before lecture 3: Perfect (adversarial)
indistinguishability - Definition 2.5 (a third equivalent
definition, starting on the bottom of p.30 and through p.31).
If needed, you should also brush up on asymptotic notation,
ppt algorithms and negligible functions
(see bottom of page 47
through 49, and if you need more check appendix A and other
materials in
the background section
here).
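The one-time pad from lecture 2 can be sketched over bytes (encryption and decryption are the same XOR map; this is only an illustration of the scheme, not of its perfect-secrecy proof):

```python
import os

def otp_keygen(n):
    # The key must be uniform, as long as the message, and used exactly once.
    return os.urandom(n)

def otp_xor(key, data):
    # Enc_k(m) = m XOR k, and Dec_k(c) = c XOR k: the same operation.
    assert len(key) == len(data)
    return bytes(a ^ b for a, b in zip(key, data))
```

Note the two-time-pad failure from lecture: if the same key encrypts m1 and m2, an eavesdropper can compute c1 XOR c2 = m1 XOR m2, leaking information about the plaintexts.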
- Lecture 3 (9/10)
Discussed framework for cryptographic theorems (requiring a
definition of attack model and what breaking security means),
motivated computational security, and discussed necessity of
relaxations (security only against efficient adversaries and
allowing a negligible error probability). Definition of EAV
security (indistinguishability for a single message against an
eavesdropper). Outlined why having an EAV-secure encryption
scheme would imply P ≠ NP, and thus proving that such a
scheme exists is very hard (at least as hard as proving P ≠
NP). Instead, we rely on assumptions. Constructing secure
private key encryption by merely assuming P ≠ NP is not
known and a big open problem. We do know how to construct it
from other primitives (OWF, PRG, PRF, Block ciphers, MAC, Signatures
are all equivalent primitives, which we will talk about). In
turn, these primitives can be constructed from mathematical
assumptions or engineered designs. Brief overview for PRG
and how they can be used for EAV-secure encryption.
Reading: 3.1, 3.2.1
- Lecture 4 (9/12) After a quick review of last time
and discussion of pseudorandomness, we defined a pseudorandom
generator (PRG). We showed
that if you can test whether a string is in the image of G or
not, then you can distinguish the output of G from
uniform, and thus, if such a test can be done efficiently, G is not
a PRG. Discussed some examples of constructions and whether they
are necessarily a PRG or not. Along the way, discussed proofs by
reduction. Quick overview of types of PRG constructions (stream
ciphers, or mathematical constructions), and an example of a
number-theoretic based candidate PRG: If p,q are primes such
that p=2q+1, and if g is an element of order q in Zp*, then
G(a,b)=(g^a,g^b,g^{ab}) (everything mod p) is believed to be
pseudorandom (and is certainly efficiently computable,
deterministic, and length expanding). This is called the DDH
assumption, which we will revisit later (if you didn't follow
this example now, that is ok -- you should be able to follow
it by the end of class).
Reading: 3.3.1, 3.3.2. The DDH-based PRG is not in the textbook,
but the assumption itself (more formally and for general
groups) is definition 8.63 in the textbook (you are not
responsible for it at this point).
- Friday 9/13 2pm: Review session 1 led by Lali and Eli
- Lecture 5 (9/17)
Review of PRG definition. Mentioned the equivalent game-based
definition and showed equivalence. Proved that if G is a PRG
then G(G(·)) is also a PRG (same proof also works for
composition of any two PRGs). Our proof used the hybrid method
(with one hybrid in between the two distributions we need to
prove indistinguishable) although there are also other (better
in some ways) proofs. We concluded that if there's a PRG with
any expansion (even one bit), then there's a PRG with any
polynomial expansion (we sketched the proof, which generates
one bit at a time, sometimes called a stream cipher). We
proved that if a PRG exists, then there's a EAV-secure
encryption scheme (a pseudorandom one-time pad). The proof was
(as usual) via a reduction. We discussed why this scheme is
not secure when encrypting more than one message with the same key,
and why in fact there is no (stateless) deterministic
encryption scheme that satisfies two message EAV security.
We mentioned the stateful use of PRG for encrypting multiple
messages via stream ciphers, but keeping state is often not
desirable or possible (for both functionality and security
reasons).
With stateless encryption as our default, we concluded that
encryption must be randomized.
Reading: 3.3, 7.4.2.
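The pseudorandom one-time pad from this lecture can be sketched as follows. Since we need something concrete to run, SHA-256 in counter mode stands in for the PRG G; this is a heuristic stand-in chosen by us for illustration, not the abstract PRG from class:

```python
import hashlib

def prg(seed, outlen):
    # Stand-in length-expanding "PRG": hash the seed with a counter until
    # enough output bytes accumulate. (Heuristic only -- not a proven PRG.)
    out = b""
    ctr = 0
    while len(out) < outlen:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:outlen]

def pseudo_otp(key, data):
    # Pseudo-OTP: Enc_k(m) = G(k) XOR m; Dec is the same map.
    pad = prg(key, len(data))
    return bytes(a ^ b for a, b in zip(pad, data))
```

As in class: the key can now be much shorter than the message, but the scheme is deterministic, so encrypting two messages with the same key is insecure.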
- Lecture 6 (9/19)
Review of structure of cryptographic proofs by reduction
and hybrid arguments. Discussion of several stronger attack
models, and definition of CPA secure
encryption. We mentioned (without proof) that CPA security
for one message implies CPA security for multiple messages.
Showed why any scheme with deterministic encryption cannot
satisfy CPA security (more generally, no scheme with only
polynomially many possible ciphertexts for each message can
satisfy CPA security). Mentioned that if we could have a
random function as a secret key, we could use it towards
building CPA secure encryption (although we didn't yet show
how, and it's not obvious). However, a random function takes
exponential length to describe. This motivates the notion of
pseudorandom functions (PRF), which we defined.
Reading: 3.4, 3.5.1
- Lecture 7 (9/24)
Reviewed notions of CPA secure encryption and PRFs, some
examples and discussion, showed that PRF implies PRG (with
proof), and that PRG implies PRF (showed the GGM construction
but not the proof). Defined PRP and strong PRP. Discussed why
PRF cannot be used directly as-is as an encryption scheme (e.g., it
is deterministic), and showed how we can use a PRF to
construct a CPA secure encryption scheme (with randomized
encryption). We will prove security next time.
Reading: 3.5.1, 7.5, 3.5.2.
- Lecture 8 (9/26)
Reviewed PRG and PRF, differences between them, and went over
common quiz mistakes. Showed that a PRF can be used (as a
component in a randomized algorithm) to construct a CPA-secure
encryption scheme for messages of fixed length (the block-size
length). Proved CPA-security (and discussed general proofs
based on PRF). Started discussing encryption of longer
messages by parsing them into blocks (with appropriate padding
to have the length be a multiple of the block
size). Block-by-block encryption remains CPA secure and enjoys
various other advantages, but ciphertext length is twice the
message length, which we'd like to improve.
Reading: 3.5.2, 3.6.2.
Required reading within two weeks: Either chapter 6 or
chapter 7 (see details in HW2).
- Friday 9/27 4:30pm: Review session 2 led by Alex and
Lali
- Lecture 9 (10/1)
Reviewed the notion of block ciphers (typically used as a
synonym for strong PRPs), a special case of PRFs (in some
applications we will see strong PRP are needed, and in some
any PRF will do).
Showed that if any CPA secure encryption scheme exists for
fixed message size, there's CPA secure encryption scheme for a
longer message size: block-by-block encryption remains CPA
secure (proof using a hybrid argument, which we didn't show).
Discussed modes of encryption, aimed at using block-ciphers to
encrypt longer messages with better ciphertext expansion, and
various other desired properties, while maintaining CPA security.
ECB mode (not even EAV secure - do not use!). CBC mode (CPA
secure). A small modification using CBC mode in a stateful
way is no longer CPA secure, which was used to launch a
successful attack ("BEAST") on SSL/TLS in 2011 (lesson: use
crypto primitives correctly - only as intended and
proved!). CTR mode. Defined Feistel networks and showed that
for any round functions and any number of rounds this results
in a permutation (which is efficiently computable and invertible).
Luby-Rackoff theorem: if we instantiate a
Feistel network with round functions that are PRF with
independent key for each round, then after 3 rounds we get a
PRP (but not a strong PRP), and after 4 rounds we get a strong
PRP (proof not shown).
Reading: 3.6.2, 6.2.2, 7.6.
Required reading for next time: Appendix A.4 (birthday
paradox review): you should understand the statement (as
we will use it). You don't have to know the proof (although
it's easy enough and worth reading).
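The claim that a Feistel network is a permutation for any round functions can be checked directly in code (a toy sketch with 16-bit halves; the round functions below are arbitrary, which is the point):

```python
MASK = 0xFFFF  # work with 16-bit halves

def feistel_forward(round_fns, L, R):
    # One Feistel round maps (L, R) -> (R, L XOR f(R)).  This is a
    # permutation for ANY round functions f, as shown in lecture.
    for f in round_fns:
        L, R = R, L ^ (f(R) & MASK)
    return L, R

def feistel_backward(round_fns, L, R):
    # Invert by undoing the rounds in reverse order:
    # given (L', R') = (R, L XOR f(R)), recover (R' XOR f(L'), L').
    for f in reversed(round_fns):
        L, R = R ^ (f(L) & MASK), L
    return L, R
```

With four rounds and independent PRF keys per round this would give a strong PRP by Luby-Rackoff; here the rounds are arbitrary functions, so only invertibility (not pseudorandomness) is being demonstrated.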
- Lecture 10 (10/3)
High level overview and general principles for block ciphers
in practice. Discussed concrete security with fixed key and
block sizes (any attack faster than exhaustive search
constitutes a serious weakness). Discussed DES structure and
its security: remains without any significant practical
attacks beyond exhaustive search, but key size and sometimes
block size are too small for use today. Discussed how to
increase key length for a given block cipher: 3DES effectively
doubles key size (no known non-trivial attacks) but 2DES does not
(susceptible to meet-in-the-middle attack). Discussed AES
structure and its security (very strong according to all
indications). Discussed how you should not design your own
block cipher, just use AES -- it is well studied and has been
subject to much scrutiny. Moreover, use it correctly: if you
use it as a component in some construction, make sure the
construction is provably secure assuming the building block is
a strong PRP.
Reading: 6.2.1 (we just barely touched on this), 6.2.2, 6.2.3,
6.2.4, 6.2.5.
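The meet-in-the-middle attack that breaks 2DES can be demonstrated on a toy 16-bit cipher of our own invention (standing in for DES, which obviously has a far larger key space):

```python
from collections import defaultdict

M = 1 << 16        # toy cipher: 16-bit blocks and 16-bit keys
MUL = 40503        # odd, hence invertible mod 2^16
INV = pow(MUL, -1, M)

def E(k, x):
    # Toy block cipher (insecure; illustrative stand-in for DES).
    return ((x ^ k) * MUL + k) % M

def D(k, y):
    return (((y - k) * INV) % M) ^ k

def double_E(k1, k2, x):
    # "2DES"-style double encryption with independent keys.
    return E(k2, E(k1, x))

def meet_in_the_middle(pairs):
    # Recover (k1, k2) from known plaintext/ciphertext pairs with roughly
    # 2 * 2^16 work, instead of 2^32 for exhaustive search over key pairs.
    p0, c0 = pairs[0]
    table = defaultdict(list)
    for k1 in range(M):
        table[E(k1, p0)].append(k1)         # forward half
    for k2 in range(M):
        for k1 in table[D(k2, c0)]:          # backward half meets it
            if all(double_E(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
```

The attack trades time for memory (a table of 2^16 entries here, 2^56 for DES), which is why doubling the key length of a cipher does not double its effective security.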
- Lecture 11 (10/8)
After a short review, started talking about chosen ciphertext
attack (CCA) security. Discussed definition (the standard
one, also called CCA2, as well as the weaker CCA1 version).
Discussed motivation for why we would want such security.
Discussed padding oracle attacks (a special case of CCA
attacks), which were successfully used in many cases.
This includes a CAPTCHA server setting (we discussed
the setting but not the details of the padding scheme or
attack), as well as the POODLE attack on SSL3 (we gave a more
detailed, though not complete, description of the padding and
the attack). All encryption schemes we've seen so far are not
CCA secure (we showed an explicit attack on the one where
ciphertexts are of the form (r,Fk(r) xor m)). We mentioned
that CCA secure encryption can be constructed, as we will see
a little later.
Short informal discussion of non-malleability /
fully homomorphic encryption (examples where malleability of
encrypted messages is desirable and undesirable; CCA security
requires non-malleability).
Reading: 3.7. Note that the textbook describes a different
padding-oracle attack than the one we saw (but the ideas are
similar). You can read more about the POODLE attack we
described in the security advisory that exposed it (around
Sep 2014).
- Lecture 12 (10/10)
Summary of all primitives seen so far and their relationships
(and a quick mention of how they are instantiated),
including examples of EAV/CPA/CCA secure encryption schemes
from pseudorandom primitives. The CCA-secure example was new:
if F is a strong PRP with block size 2n, and we encrypt an
n-bit message m by outputting F_k(r||m) (where k is the key and
r is a random n-bit string), this gives a CCA secure
encryption scheme (we did not prove this).
We defined one-way functions and briefly talked about their
importance (without proofs or detail): OWF imply PRG (via the
important Goldreich-Levin theorem, which we didn't show), and
is in fact equivalent to all other primitives we mentioned
(as well as to MAC and Signature schemes, which we haven't
mentioned yet).
Message authentication codes (MACs): discussed motivation and
goals (authenticity and integrity). Encryption does not
generally provide authentication (demonstrated via several
of the encryption schemes we've seen so far). Definition of
secure MACs (existential unforgeability against adaptive
chosen message attack), including variations of fixed-length
MAC and strong MAC (where any valid new pair (m,t) is
considered a forgery, even if only t is new and m was already
asked before). Noted that if the MAC algorithm is
deterministic then there is a unique tag for each message, and
thus standard MAC security implies strong MAC security in this
case. Mentioned that replay attacks are not considered here
(and should be protected at the level of the message, via time
stamps or counters - we did not elaborate).
Showed a construction of a secure fixed-length MAC by using a
PRF and proved its security. For longer messages, we showed
that simply authenticating each message block separately does
not work (messages can be forged by reordering blocks or
mixing blocks from different previous messages).
Reading: 4.1, 4.2, 4.3.1.
Details about OWF, Goldreich-Levin theorem, and
how to construct PRG from OWF, are all in Chapter 7, which is
one of the two choices for the required reading in HW2 (if you
chose the other one you just need to know what we stated in
class).
- Friday 10/11 11:30am: Review session 3 led by Eli and Alex
- Lecture 13 (10/15)
Domain extension for MAC: we can use a fixed length MAC to
build arbitrary length MAC. This can be done by authenticating
block-by-block, where each block also includes a random identifier,
length of message, and index of the block (with any of these
missing there's an attack, but with all these it's secure).
Here the tag is longer than the message, while much more
efficient schemes (with shorter tags of just one block length)
exist.
We showed CBC-MAC for longer messages using an
underlying PRF. The basic construction is secure only for
fixed-length messages (with an arbitrary, but fixed and agreed
on in advance, number of blocks). We showed attacks if
different length messages can be authenticated. We pointed out
main differences with CBC Encryption (no IV and no
intermediate values), which are essential for security.
Two ways to augment CBC-MAC to be secure for arbitrary length
messages: either prepend the length of the message as the
first block, or apply an additional layer of PRF at the end
with a fresh key. These are secure and used in practice. (We
will see hash-based MAC later as another practical and secure
alternative). For all the above, we did not show any proofs
of security.
Authenticated Encryption: discussion and definition
(satisfying both standard CCA security, and a tailored
unforgeability definition).
Reading: 4.3.2, 4.4.1, 4.5.1
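The length-prepending variant of CBC-MAC from this lecture can be sketched as follows; an HMAC-based block function (truncated to one block) stands in for the underlying PRF, an assumption for illustration:

```python
import hmac, hashlib

BLOCK = 16

def F(k, x):
    # PRF stand-in with 16-byte outputs (HMAC-SHA256 truncated; heuristic).
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def cbc_mac(k, msg):
    # CBC-MAC with the message length prepended as the first block --
    # one of the two fixes from lecture for arbitrary-length messages.
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    blocks = [len(msg).to_bytes(BLOCK, "big")]
    blocks += [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    t = bytes(BLOCK)  # fixed zero IV: no random IV and no intermediate
                      # values are output, which is essential for security
    for b in blocks:
        t = F(k, bytes(x ^ y for x, y in zip(t, b)))
    return t
```

The tag is a single block regardless of message length, unlike the block-by-block domain extension, which produces tags longer than the message.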
- Lecture 14 (10/17)
Achieving authenticated encryption from underlying primitives of
CPA secure encryption and MACs: we analyzed three
attempts (all were at one point used in real systems).
Encrypt-and-Authenticate: satisfies unforgeability (we showed
the reduction) but not even CPA secure - we saw attacks (do not use).
Authenticate-then-Encrypt: satisfies unforgeability, as well
as maintaining the encryption security of the underlying
scheme (we saw the reduction showing that CPA security is
maintained; one can similarly show that CCA security is also
maintained if the underlying scheme was CCA secure to begin
with). However, if the underlying scheme was only CPA secure,
this scheme is also only CPA secure, and can be vulnerable to
CCA attacks: we saw one example of CCA attack, when the
underlying scheme encrypts the ciphertext and tag
separately; the POODLE attack we saw in lecture 11, and many
other padding-oracle attacks are other examples applied to
this authenticate-then-encrypt setting.
Encrypt-then-authenticate: satisfies unforgeability. If the
MAC is not a strong MAC, this may be vulnerable to CCA
attack. However, if the underlying MAC is strong (e.g., any
deterministic MAC), and the underlying encryption is CPA
secure, this is CCA secure (hence, authenticated encryption).
Hence, use encrypt-then-authenticate! (as a rule of thumb,
whenever you are concerned with active adversaries, all your
algorithms should start with verifying a MAC on the received
message, before doing other cryptographic operations like
decryption).
Note that encrypt-then-authenticate is also a way to boost
from CPA to CCA security, even if you don't care about
authentication.
Reading: 4.5.1, 4.5.2, 4.5.4.
Required reading by lecture 16 (10/24): Number theoretic
background: Appendix B (without the starred parts),
8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.1, 8.3.1.
If you'd like to see more examples or a different exposition,
you can also check out the relevant parts of Angluin's notes (in
particular parts 4,5,6,8,9) and/or
Smart's Chapter 1 (especially part 1
and 3).
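Encrypt-then-authenticate, the recommended combination from this lecture, can be sketched end to end. The CPA-style encryption below uses a heuristic hash-based stream (our stand-in), and HMAC plays the strong (deterministic) MAC:

```python
import hmac, hashlib, os

def _stream(key, nonce, n):
    # Heuristic keystream: hash(key || nonce || counter), illustration only.
    out, c = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest()
        c += 1
    return out[:n]

def ete_encrypt(ke, km, m):
    # Encrypt-then-authenticate with INDEPENDENT keys ke (enc), km (mac):
    # first encrypt, then MAC the entire ciphertext.
    r = os.urandom(16)
    c = r + bytes(a ^ b for a, b in zip(_stream(ke, r, len(m)), m))
    return c + hmac.new(km, c, hashlib.sha256).digest()

def ete_decrypt(ke, km, ct):
    c, tag = ct[:-32], ct[-32:]
    # Verify the MAC FIRST; only then decrypt (the rule of thumb from class).
    if not hmac.compare_digest(hmac.new(km, c, hashlib.sha256).digest(), tag):
        return None
    r, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(_stream(ke, r, len(body)), body))
```

Any modification of the ciphertext is rejected before decryption runs, which is what blocks the CCA and padding-oracle attacks seen in earlier lectures.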
- Lecture 15 (10/22)
Collision resistant hash functions (CRHF): motivation and definition
(for fixed length and arbitrary length).
Several informal discussions: asymptotic keyed definition vs
practical unkeyed hash functions
(note that in any case there's no secret key),
weaker definitions (second preimage resistance/target
collision resistance, preimage resistance/one-wayness), random
oracle model. Merkle-Damgard transform for domain extension
(from fixed to variable length CRHF). Generic attacks: "birthday"
attack takes time about square root of brute force. This means
we need a longer output (for security against 2^n attack, we
need to choose output length at least 2n).
Reading: 5.1, 5.2, 5.4.1, 5.5
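The birthday attack from this lecture can be run directly against a truncated hash (truncation is our toy stand-in for a short-output hash function):

```python
import hashlib

def birthday_collision(nbytes):
    # Find a collision in SHA-256 truncated to `nbytes` bytes by storing
    # hashes until one repeats.  Expected work is about 2^(4*nbytes)
    # evaluations -- the square root of the 2^(8*nbytes) brute-force bound.
    seen = {}
    i = 0
    while True:
        h = hashlib.sha256(i.to_bytes(8, "big")).digest()[:nbytes]
        if h in seen:
            return seen[h], i   # two distinct inputs with the same digest
        seen[h] = i
        i += 1
```

This square-root behavior is why an n-bit security level requires a hash output of at least 2n bits, as stated in lecture.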
- Lecture 16 (10/24)
Overview of CRHF in practice: MD5 and SHA1 should not be used
(collisions found, including collisions with chosen format or
meaning). SHA2 family currently considered good, as is SHA3,
which is the standardization of Keccak, the winner of the NIST
competition a few years ago.
A common design paradigm is relying on a custom-designed
block-cipher (taking part of the input as the key) to get a
fixed length compression function, then applying
Merkle-Damgard extension to arbitrary length. This design is
not generically secure with an arbitrary block-cipher, and
not secure with standard block-ciphers like AES.
We discussed some applications of hash functions (informally
and without proofs): For MAC domain extension, hash-and-MAC is
secure (using any CRHF and fixed length MAC of matching
lengths). To build MAC directly from hashing alone, can use
HMAC, a standardized, provably secure, and very efficient
design, widely used in practice.
Hash functions are used for fingerprinting/equality
checking in many different contexts, such as deduplication, or
verifying integrity of a downloaded file. Merkle trees of hash
functions constitute a CRHF if the number of leaves is fixed.
Password hashing. Blockchain (hashing used for fingerprinting previous
blocks / proving integrity of chain, as well as for proof of
work / puzzle solving). We quickly showed a construction of a
fixed-length hash function that shrinks by one bit, which is provably
secure assuming the discrete log assumption (DLA).
Reading: 6.3, 5.3, 5.6.1, 5.6.2, 5.6.3, the DLA based
construction is in 8.4.2 (for general groups - we wrote it for
Zp* - we will discuss the DLA more carefully in the following
lectures).
- Lecture 17 (10/29)
Motivated the use of number theory and other mathematical
assumptions for instantiating the (private key) primitives we
saw so far, as well as public key cryptography which we will
see next.
Quick (and superficial) review of some facts from
number and group theory (without proofs): finding gcd and
inverses mod N. Groups, including the special cases of (Zn,0)
wrt modular addition, (Zn*,1) wrt modular multiplication.
If a group is of size q, then for every element x in the group
x^q=1 (so exponent can be reduced mod q). In particular for
any n, and any x in Zn*, x^φ(n)=1 mod n (special case for
a prime p: x^(p-1)=1 mod p).
For primes p, Zp* is a cyclic group (of order p-1). Discrete
Log assumption (DLA) and discussion.
Reading: Appendix B (except the starred parts), 8.1.1-8.1.4, 8.3.1, 8.3.2
- Wed 10/30 8pm: Review session 4 led by Lali and Eli
- Lecture 18 (10/31)
Quick review of proofs in the random oracle model, as well as
last lecture. Diffie Hellman key exchange, and discussion
regarding required assumptions. This led to the definition of
the computational DH assumption (CDH) and the decisional DH
assumption (DDH). DDH implies CDH, which in turn implies
DLA. The converse is not true in general, and even in specific
useful groups where DDH is believed to hold, we don't have a
proof that it is equivalent to DLA (thus, DLA is the
best/weakest assumption of the three). Going back to KE, DDH
implies the key agreed in DH KE is indistinguishable from a
random element in the group.
However, DDH does not hold in
Zp* (although DLA and CDH are believed to hold) as we showed
next.
We defined QRp, the subgroup of quadratic residues mod p (this
group happens to be cyclic and generated by g^2, where g is
a generator of Zp*; it is of size (p-1)/2). We argued that
for a prime p it's easy to tell whether an element of Zp* is
in QRp or not (by raising it to (p-1)/2 and checking if we get
1), and that this can be used to break the DDH
assumption in Zp*. A similar attack works for any composite
order group, but this attack does not work in a prime order
group. If p is a safe prime (p=2q+1 where q is a prime) then
QRp is of prime order q. For this group, DDH is believed to be
true, and so we can apply the DH KE for this group to get
indistinguishability (namely passive security). We mentioned
that for an active attacker, the DH KE scheme we saw is not
secure (e.g., there is a devastating "man in the middle"
attack). Still, today's KE protocols (e.g in SSL/TLS) use this
DH KE idea, modified to allow an "authenticated channel" with
the help of a Certificate Authority (CA), to prevent active
attacks (we did not discuss any details about how, or what a
CA is).
Reading: 8.3.1-8.3.3, 10.3. You're encouraged to also read 10.1 and 10.2 (but this is not required).
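Both the Euler-criterion test that breaks DDH in Zp* and the DH key exchange in the prime-order subgroup QRp can be sketched with a toy safe prime (p = 227 = 2*113 + 1; real parameters are thousands of bits):

```python
import random

def is_qr(x, p):
    # Euler criterion: x is a quadratic residue mod an odd prime p
    # iff x^((p-1)/2) = 1 mod p.  This efficient test is exactly what
    # breaks the DDH assumption in Zp*.
    return pow(x, (p - 1) // 2, p) == 1

# Toy safe prime p = 2q+1; g = 2^2 generates the prime-order subgroup QRp.
p, q, g = 227, 113, 4

def dh_demo():
    # Diffie-Hellman key exchange in QRp (passively secure under DDH).
    a = random.randrange(1, q)
    b = random.randrange(1, q)
    A, B = pow(g, a, p), pow(g, b, p)   # values exchanged in the clear
    return pow(B, a, p), pow(A, b, p)   # both parties compute g^(ab)
```

Working in QRp, where every element passes the residuosity test, removes this particular distinguisher; that is why DDH is conjectured to hold in the prime-order subgroup but provably fails in all of Zp*.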
- Lecture 19 (11/7)
Review and elaboration: working in prime order groups. Operations
that are computationally efficient (multiplication, exponentiation,
recognizing the identity, linear operations in the exponent).
Hardness assumptions (conjectured true in some group): DL, CDH, DDH.
Mentioned bilinear groups: the (efficiently computable) bilinear map
(also called "pairing") renders DDH false, but also allows new
applications that require degree 2 operations (multiplication) in the
exponent, such as 3 party key agreement (we didn't show), and many
other things. Public Key Encryption (PKE): quick historical
overview and discussion of differences with private key
setting. Definition of CPA security. Noted that EAV security for one
message, multiple messages, and CPA security are all equivalent for
PKE (this also means that there does not exist PKE with perfect
security, even for EAV, single message, and large keys - brute force
attack always breaks security).
Noted that, like in the private key case, Enc must be randomized,
and there must be super polynomially many encryptions for each
message. PKE is equivalent to 2-message KE (although we didn't formally
define the latter). We showed the PKE obtained from the DH KE
protocol -- this is the El Gamal PKE, secure under the
DDH assumption (proof of security left as an exercise).
Reading: 8.3.3, 10.4, 11.1, 11.2.1, 11.2.2, 11.4.1. The bilinear
maps discussion is not in the textbook. You can find a lot of material
(slides and videos) on the BIU winter school on bilinear
pairings in cryptography: this is a
good resource for information on elliptic curves and pairings in
crypto, but what we covered in class is contained in the first 6
slides of Boneh's lecture
on pairing basics (up to the point stating DDH is easy).
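The El Gamal PKE obtained from the DH protocol can be sketched in the same toy group used above (p = 227, a safe prime; real parameters are far larger):

```python
import random

P, Q, G = 227, 113, 4   # toy group: QRp, the prime-order subgroup of Zp*

def eg_keygen():
    x = random.randrange(1, Q)
    return x, pow(G, x, P)           # (secret key x, public key h = g^x)

def eg_encrypt(pk, m):
    # El Gamal: pick a fresh r, output (g^r, h^r * m).
    # The message m must be encoded as an element of the group QRp.
    r = random.randrange(1, Q)
    return pow(G, r, P), (pow(pk, r, P) * m) % P

def eg_decrypt(sk, ct):
    # Recover m = c2 / c1^x mod p.
    c1, c2 = ct
    return (c2 * pow(pow(c1, sk, P), -1, P)) % P
```

Encryption is randomized (fresh r per message), as every CPA-secure PKE must be; CPA security follows from DDH in this group, with the proof left as an exercise in lecture.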
- Lecture 20 (11/12)
Factoring assumption (which can be phrased as: multiplying two large
primes is a one-way function).
RSA function, which is a permutation over Z_N*.
RSA assumption wrt GenRSA experiment generating (N,e,d)
(variations on how e is chosen yield different assumptions, all
considered hard). If factoring assumption is false (factoring easy)
then RSA assumption is false, but the other direction is not known
(thus, RSA is a stronger assumption). Indeed, factoring N=pq is
equivalent to finding φ(N) and can be used to find the inverse
of e, all of which allow to take e-th roots mod N and break the RSA
assumption. However, it's possible that there are other ways to
break RSA even if factoring is hard.
Textbook (plain) RSA and its insecurity as a PKE (e.g., it is
deterministic; there are other attacks as well).
We discussed informally the concept of a trapdoor permutation (the
RSA function is one, under the RSA assumption): a permutation that
is easy to compute and hard to invert, but easy to invert given a
trapdoor. Any trapdoor permutation can be used to get a secure PKE,
via a hard-core bit (we didn't formally define). Specifically for the
RSA permutation, it is known (though we did not prove) that under
the RSA assumption, the lsb is a hard-core bit. That is: if there's
a ppt algorithm that given N,e, and x^e mod N can find the lsb(x)
with probability non-negligibly better than 1/2, then there's a ppt
algorithm that given the same input, can recover x completely with
non-negligible probability. This yields a PKE scheme for one bit
messages, secure under the RSA assumption: the encryption outputs
(r^e, lsb(r) xor m).
More efficient options include the following.
Padded RSA PKE (can prove security under
RSA assumption when message length is at most logarithmic in n,
insecurity when random pad is at most logarithmic in n, and we do
not have a proof nor an attack when the message and pad are of the
same length). Hashing-based encryption, where the encryption outputs
(r^e, H(r) xor m), which can be proven CPA secure in the ROM under
the RSA assumption. These (and variations with specific padding patterns)
have often been used in practice.
Reading: 8.2, 11.5 (only some parts), touched on 13.1
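The textbook (plain) RSA arithmetic from this lecture, with toy primes chosen by us; these parameters are trivially factorable, and the scheme is insecure as a PKE regardless, as discussed in class:

```python
# Toy RSA parameters -- for the arithmetic only, not for security.
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                # public exponent, coprime to phi(N)
D = pow(E, -1, PHI)      # private exponent: the inverse of e mod phi(N)

def rsa_enc(m):
    # Plain RSA "encryption": m^e mod N (a permutation of Z_N*).
    return pow(m, E, N)

def rsa_dec(c):
    # Inversion using the trapdoor d: c^d = m^(ed) = m mod N.
    return pow(c, D, N)
```

Note that rsa_enc is deterministic: encrypting the same message twice gives the identical ciphertext, which alone rules out CPA security and motivates the padded and hashed variants above.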
- Lecture 21 (11/14)
Rabin function (squaring mod N=pq). We showed that this is a 4:1
function (along the way mentioning the Chinese Remainder
Theorem).
We also mentioned that if p, q are both
3 mod 4, then this is a permutation over QR_N.
We showed that inverting this function (i.e., taking square
roots mod N) is equivalent to factoring N. Thus, this is a
better (weaker) assumption than RSA.
On the other hand, due to equivalence to factoring, schemes
based on this assumption are often more susceptible to CCA
attacks.
Defined CCA secure PKE. PKE schemes we saw so far are not CCA
secure: we demonstrated by showing attack on El Gamal, and
mentioned practical CCA attacks carried out
against the standardized padding of RSA.
Mentioned that there are provably CCA secure schemes based on
number theoretic assumptions (for example, the Cramer-Shoup
DDH-based efficient scheme). However, it is not known how to
construct CCA secure PKE from CPA secure PKE.
Mentioned OAEP: padding-based RSA (with two hash functions in
a 2-round Feistel network), which is often used in practice
and is CCA-secure in the ROM under the RSA assumption.
The most typical use of PKE is for hybrid encryption: use PKE
to encrypt a random key which is subsequently used for
private key encryption (we briefly mentioned the notion of
KEM/DEM for hybrid encryption).
Reading: 11.2.3, 11.3 (much abbreviated), 11.5, 13.5
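The 4-to-1 property of the Rabin function can be verified by brute force over a toy modulus (p = 7, q = 11, both congruent to 3 mod 4):

```python
from math import gcd

# Toy Blum integer N = pq with p = q = 3 mod 4.
P, Q = 7, 11
N = P * Q

def square_preimages(y):
    # Enumerate all of Z_N* and collect the square roots of y mod N.
    # By the Chinese Remainder Theorem there are two roots mod p and two
    # mod q, hence four roots mod N for any quadratic residue y in Z_N*.
    return [x for x in range(1, N) if gcd(x, N) == 1 and (x * x) % N == y]
```

As shown in lecture, being handed two "independent" roots x, x' with x != ±x' yields a factor of N via gcd(x - x', N), which is why inverting this function is equivalent to factoring.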
- Lecture 22 (11/19)
Digital signatures: motivation and discussion of differences
with MAC (including public verifiability, transferability, and
non-repudiation). Definition of signature schemes and their
security (existential unforgeability against CMA). Insecurity
of plain RSA signatures: First, we showed a no-chosen-message
attack forging a signature on some message (this attack
applies to any TDP which is used directly for signing). Then
we showed a CMA attack that allows to forge a signature on any
message (this attack is based on the malleability of the RSA
function). We discussed the mistaken notion that
signatures and PKE are dual in the sense that you can
"sign by decrypting, verify by encrypting". This does not
make sense with our modern terminology, even syntactically,
since a secure PKE must be randomized, and every message has
exponentially many ciphertexts.
This notion was suggested by Diffie and Hellman in their
seminal work where they propose the idea of PKE and signature
schemes, but what they referred to as PKE is what we call
"trapdoor permutation" today (which is a deterministic
function). We mentioned that it is known how to construct
signature schemes from PKE, and even from private key
encryption (or PRG/PRF/OWF etc), but we do not know how to
construct PKE from signature schemes.
Approaches for constructing secure signatures: (1) heuristic
constructions, based on number theoretic assumptions (these
include DSA and ECDSA, which are part of NIST's digital
signature standard). (2) constructions provably secure in the
random oracle model (ROM), based on number theoretic
assumptions (or generic TDP) - we described the RSA full
domain hash as an example. (3) provably secure
constructions (in the standard model): (a)
relatively-efficient ones from number theoretic assumptions,
(b) from CRHF (we described a one-time one-bit signature
scheme from OWF, which can be combined with a CRHF to get
standard secure signature schemes).
(c) from OWF (these are the most complex, most
secure, and least efficient).
We then discussed complexity of known algorithms to break DLA
and factoring assumption: for DLA mod a prime p and for
factoring, sub-exponential (but super polynomial) algorithms
are known, hence a larger key size is needed (e.g., 3072 bits
for "128-bit security"). For DLA over elliptic curve groups,
the best attack is exponential, and so a shorter key length
can be chosen (e.g., 256 bits). Both DLA and factoring can be
broken with a polynomial time quantum attack. This is not yet
a threat in the short-run, but may become one. This motivates
the push towards "post-quantum cryptography", namely using
assumptions that are not known to be breakable by quantum
computers. The main candidates are lattice-based assumptions,
which we will mention next time.
Reading: 12.1-12.4, 12.6.1. Factoring
and discrete log algorithms are described in chapter 9 (we
only mentioned their complexity). You can also check out recommended
key lengths here.
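The CMA attack on plain RSA signatures exploits multiplicativity: sig(m1) * sig(m2) mod N is a valid signature on m1 * m2 mod N. A runnable sketch with toy parameters of our choosing:

```python
# Toy RSA parameters (insecure sizes; for demonstrating the forgery only).
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)

def rsa_sign(m):
    # Plain RSA signature: sigma = m^d mod N.
    return pow(m, D, N)

def rsa_verify(m, sig):
    # Accept iff sigma^e = m mod N.
    return pow(sig, E, N) == m % N

def forge(m1, s1, m2, s2):
    # CMA forgery: from valid signatures on m1 and m2, produce a valid
    # signature on the new message m1 * m2 mod N -- no secret key needed.
    return (m1 * m2) % N, (s1 * s2) % N
```

Hashing the message before signing (as in RSA full domain hash) destroys this algebraic structure, which is one reason the ROM-based constructions above are used instead.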
- Lecture 23 (11/21)
Lattice based cryptography: motivation and discussion.
E.g., in addition to "post-quantum", some lattice based
assumptions are known to give us strong cryptographic primitives
that we don't know how to get otherwise, such as fully
homomorphic encryption (which we did not discuss).
Defined LWE assumption (search and decision versions are
equivalent here). Showed a one-bit PKE scheme which is CPA
secure under the LWE assumption.
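A minimal sketch of a Regev-style one-bit PKE under LWE (the parameters below are toy values I chose for illustration, far too small for any real security): the public key is an LWE instance (A, b = As + e), a ciphertext is a random subset-sum of the rows with the message bit encoded in the high-order part.

```python
import random

# Toy parameters (illustration only): dimension n, number of samples m,
# modulus q. Noise is in {-1, 0, 1}, so |r.e| <= m = 32 < q/4 = 64,
# which guarantees correct decryption.
n, m, q = 8, 32, 257

def keygen():
    s = [random.randrange(q) for _ in range(n)]                  # secret
    A = [[random.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [random.choice([-1, 0, 1]) for _ in range(m)]            # small noise
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q
         for i in range(m)]
    return s, (A, b)

def encrypt(pk, bit):
    A, b = pk
    r = [random.randrange(2) for _ in range(m)]                  # random subset
    c1 = [sum(r[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    c2 = (sum(r[i] * b[i] for i in range(m)) + bit * (q // 2)) % q
    return c1, c2

def decrypt(sk, ct):
    c1, c2 = ct
    v = (c2 - sum(c1[j] * sk[j] for j in range(n))) % q
    # v = bit*(q/2) + r.e  (mod q); output 1 iff v is closer to q/2 than to 0
    return 1 if q // 4 <= v <= 3 * q // 4 else 0
```

CPA security follows from decision-LWE: the public key, and the ciphertext given the public key, are pseudorandom, so the encoded bit is hidden.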
Zero knowledge proofs: motivation, discussion, and
applications (e.g., identification protocols, compiling
protocols secure against passive adversaries to protocols secure
against active adversaries, etc). Showed protocols for proving
two cards are different colors (informal), and a protocol for
proving that a given element is a quadratic non-residue.
Defined interactive proof systems.
All languages in NP have a simple interactive proof system
(in fact, it's a non-interactive one) where the prover sends
the witness to the verifier. This simple protocol is clearly not
ZK (we will define the zero knowledge property next time).
Note: there were no proofs in this lecture.
Reading: The material from this lecture is not in our
textbook. You can find more information on the LWE problem in
Regev's 2010 survey (what we
mentioned in class is a subset of section 1, and section 4).
- Thur 11/21 8pm: Review session 5 led by Alex and Lali
- Lecture 24 (11/26)
Review and discussion of interactive proof systems
(mentioned that the corresponding class IP was proven to be
equal to PSPACE). Defined zero knowledge proof systems, which
include the same completeness and soundness properties, and an
additional zk property, defined via the simulation paradigm
(perfect, statistical, or computational).
We mentioned that often there's an efficient prover strategy
(for completeness), for a prover holding some
witness. Soundness is still required to hold against any, even
unbounded, prover (when soundness holds only against poly time
provers, this is called an interactive argument, rather than
proof). If the ZK property holds only against the honest
(prescribed) verifier V, this is called "honest-verifier zero knowledge".
We showed a ZK proof system for proving quadratic residuosity
modulo a composite. We showed completeness and soundness, and
showed the simulator for the zk property, which runs
in expected polynomial time, and once it halts, its output is
distributed identically to the real execution.
In this example, all properties hold without making any
computational assumptions. Moreover, this example has the
property that the honest verifier simply sends a random
challenge to the prover. For such ZK proofs, the Fiat-Shamir
methodology replaces the verifier with a random function, and
all the properties are preserved. This is often used in practice,
for example to give signature schemes secure in the random oracle model
(removing the interaction from an identification scheme).
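The Fiat-Shamir transform applied to the QR protocol above looks like this (again a toy modulus, and a single hash-derived challenge bit; a real instantiation derives many challenge bits from the hash, and is only justified heuristically in the ROM):

```python
import random
import hashlib
from math import gcd

N = 3233                                   # 61 * 53; toy modulus

def rand_unit(N):
    while True:
        r = random.randrange(2, N)
        if gcd(r, N) == 1:
            return r

def challenge(a, x):
    # the "verifier" is replaced by a hash of the prover's first message
    h = hashlib.sha256(f"{a},{x}".encode()).digest()
    return h[0] & 1

w = rand_unit(N)
x = pow(w, 2, N)                           # public residue; w is the witness

r = rand_unit(N)
a = pow(r, 2, N)                           # commitment
c = challenge(a, x)                        # no interaction needed
z = (r * pow(w, c, N)) % N
# anyone can verify the non-interactive proof (a, z)
accept = pow(z, 2, N) == (a * pow(x, c, N)) % N
```

Hashing the message together with (a, x) turns the same transform into a signature scheme, which is exactly the identification-to-signature compilation mentioned above.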
We stated the theorem that if OWF exist, then any
language in NP has a ZK interactive proof system.
This is a very important theorem (one application we
mentioned: towards compiling protocols that are secure against
"honest-but-curious" parties who follow the protocol, into
protocols secure even against malicious parties).
The proof of this theorem is by showing a ZK proof system for
an NP-complete language: we
sketched this for graph Hamiltonicity (relying on a "commitment
scheme" as a building block - we only hinted as to what those
are, just giving some intuition). Class wrap-up.
Reading: The material from this lecture is not in our
textbook. You can find more information in the zero-knowledge
chapter of Pass-shelat textbook
(see readings page). They have a
more formal/thorough treatment than ours, and different
examples; the most relevant parts are 4.6-4.9. The QR example
we saw was actually a zero-knowledge proof of
knowledge: we did not define this, but this is the basis
of identification schemes. Thus, section 12.5 in our
textbook is also relevant. (These resources don't match
exactly what was taught in class, and we didn't have much
time; as usual, you are only responsible for what was covered
in class - see first paragraph on the top of this page).
- Lecture 25 (12/3) Lecture by Dr. Tal Rabin.
Showed 2-out-of-2 additive secret sharing. This can easily be
extended to n-out-of-n additive secret sharing. To get
2-out-of-n secret sharing, we can use 2-out-of-2 for every
pair of players, but this results in a share size that grows
linearly with the number of players. We saw a better
construction, whose share size grows only logarithmically with the number
of players (using a 2-out-of-2 sharing for each bit in the
binary representation of the player's index).
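A sketch of that logarithmic construction (modulus and function names are my own illustration): one 2-out-of-2 additive pair is created per bit position, and player i receives, for each bit position b, the pair element selected by bit b of i. Any two distinct players differ in some bit, so together they hold both halves of that bit's pair.

```python
import random

p = 2**31 - 1                    # public prime modulus (illustrative)

def share_2_of_n(secret, n):
    """2-out-of-n sharing: a 2-out-of-2 additive pair per bit of the
    player index; share size is n.bit_length() field elements."""
    L = n.bit_length()
    pairs = []
    for _ in range(L):
        s0 = random.randrange(p)
        pairs.append((s0, (secret - s0) % p))   # s0 + s1 = secret mod p
    # player i gets, at position b, the pair element indexed by bit b of i
    return [[pairs[b][(i >> b) & 1] for b in range(L)] for i in range(n)]

def reconstruct(i, share_i, j, share_j):
    d = i ^ j
    b = (d & -d).bit_length() - 1               # a bit where i and j differ
    return (share_i[b] + share_j[b]) % p
```

Each single share is a list of uniformly random field elements, so it reveals nothing about the secret, while any two shares reconstruct it exactly.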
We formally defined correctness and security of t-out-of-n
secret sharing, and proved that
the 2-out-of-2 additive scheme we saw satisfies both.
We discussed some applications to secure computation, and gave
a simple example computing sum (the general case is a vast
research area, with results showing that any function can be
computed securely in many settings).
Suppose n parties want to compute the sum of their inputs mod
p, without revealing any further information about their
inputs. We saw one protocol in which each party sends a
private message to the next party. This is intuitively secure
(though we did not define security), since the message
received by each party is random, and only the final sum
revealed at the end depends on the inputs. However, this
scheme requires n sequential rounds of communication and, more
importantly, it is no longer secure if two parties
collude and compare their transcripts.
We then showed how to use n-out-of-n secret sharing to solve
both above problems, providing a protocol with a constant
number of rounds, which is secure also in the face of
collusion (again, we didn't define or prove the security).
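The sharing-based protocol can be sketched as follows (modulus and names are my own; the sketch simulates all n parties in one function, whereas in the real protocol the shares in round 1 travel over private channels):

```python
import random

p = 101                                   # public prime modulus (toy size)

def sum_protocol(inputs):
    """Constant-round sum via n-out-of-n additive sharing: party i
    splits its input into n random shares summing to it and sends one
    share privately to each party; each party then broadcasts the sum
    of the shares it received."""
    n = len(inputs)
    # round 1: shares[i][j] is the share party i sends privately to party j
    shares = []
    for x in inputs:
        row = [random.randrange(p) for _ in range(n - 1)]
        row.append((x - sum(row)) % p)    # the n shares of x sum to x mod p
        shares.append(row)
    # round 2: party j broadcasts the sum of the shares it was sent
    published = [sum(shares[i][j] for i in range(n)) % p for j in range(n)]
    # everyone locally adds the broadcasts to get the sum of all inputs
    return sum(published) % p
```

Because each party's input is split into shares that are individually uniform, even a coalition missing at least one party's share learns nothing beyond the final sum.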
Reading: This material is not in the textbook, but see
here for notes summarizing
the lecture.
- Lecture 26 (12/5) Lecture by Dr. Hugo Krawczyk.
Oblivious PRFs (OPRFs) and their applications. Informally
defined OPRFs and showed an implementation using a DH-based
assumption ("one-more DH assumption") in the random oracle
model. Showed an application of OPRF for greatly improving
security of cloud-based key management (and storage) systems,
and threshold OPRF. Some other applications were briefly
mentioned as well.
Reading: this material represents very recent research
(just presented at the CCS '19 conference), and is not in the textbook.
However, see the slides
here. The first slide contains links to the relevant papers
(which also have definitions and proofs), for those
interested. The lecture covered the material through slide 19,
mentioning slide 20 (and slide 21 - the importance of
definitions and proofs, which were not included in the lecture
for time reasons).