W4261 Introduction to Cryptography: Fall 2025 Lecture Summaries

Below are brief summaries written after each lecture, of what was covered, together with recommended readings (in some cases, when explicitly indicated, the readings are required). Readings refer by default to chapters from the required textbook, though sometimes may include pointers to other texts found on the readings page, or to handouts written by us. The material in class does not correspond exactly to the material in the textbook. Often the readings below contain significantly more details and proofs than covered in class. Conversely, class sometimes contains material that is not in the textbook (I'll try to indicate when this is the case).

You are (only) responsible for (all) the material taught in class, any readings explicitly marked below as required (even if not covered in class), and anything covered by our homework. It will be assumed that before each lecture you carefully go over the previous lecture and required readings (if any).

• Lecture 1 (9/4) Introduction to modern cryptography, overview of this class and logistics. Kerckhoffs' principle. Definition of private key encryption scheme syntax and correctness. Overview of some basic historical ciphers (Atbash, shift, substitution) and simple attacks (brute force/exhaustive search, frequency analysis). Motivation for rigorous definition of security and discussion of what secrecy for private key encryption should mean (assuring that the key is hard to guess or that the message is hard to guess are not sufficient for security; definition of secrecy should work for any message distribution or prior knowledge of the adversary). Definition of perfect secrecy. This definition captures the intuition that the ciphertext contains no new information about the message, or equivalently: for any two messages m and m', any possible ciphertext c is equally likely to be the encryption of m or m' (subject to a random key generation). The shift and stream ciphers do not satisfy perfect secrecy.
  Reading: Chapter 1


• Lecture 2 (9/9) Defined one-time-pad (OTP) encryption scheme, and proved that it satisfies correctness and perfect secrecy. Discussed several (interrelated) problems with OTP, related to security and efficiency. First, we showed that you cannot reuse the key for more than one message (we can define perfect secrecy for multiple messages, and show OTP does not satisfy it). We briefly mentioned that if we allow encryption schemes to be stateful, and use a new independent key for each message, then this can be overcome (but keeping state opens the door to more problems). Additionally, the key is as long as the message. We then proved that both these problems are not specific to OTP, but inherent: every perectly secret scheme must have a key space at least as large as the message space, and no scheme can satisfy perfect secrecy for more than one message (ie., no perfectly secret scheme allows for key reuse). We discussed motivation for our move to computational security. Intuitively, we want to require that any polynomial time (efficient) adversary cannot break security, except with negligile probability (we recalled the definition of negligible). We gave some high level comments and motivation, and next time we will see a formal, game-based definition.
  Reading: Chapter 2, 3.1
  If needed, you should brush up on asymptotic notation, ppt algorithms, and negligible functions (see 3.1.2 in textbook, as well as appendix A and other materials in the background section of the webpage, as needed.


• Lecture 3 (9/11) Defined EAV-security for a computational private-key encryption scheme (also known as indistinguishability in the presence of an eavesdropper or single ciphertext only attack). Noted that if we remove the restriction on the adversary's running time, and set the advantage to 0 (rather than negligible), this would become another equivalent definition of perfect secrecy. Outlined why proving that there exists a EAV-secure scheme would yield a prove that P ≠ NP, and thus is hard. Instead, we rely on well-studied complexity assumptions. We mentioned that we know how to construct EAV-secure encryption from other cryptographic primitives, and in fact there are many such primitives who are known to be equivalent (OWF, PRG, PRF, private key encryption, signature schemes, and many more) -- we will cover many of these in the class, starting right now with PRG. We motivated and defined pseudorandom generators (PRG). Gave some simple non-examples. Showed that for any G, any algorithm that can check whether a given string is in the range of G or not, can distinguish outputs of G from random. Thus, no PRG is secure against computationally unbounded adversaries (and if the check can be performed efficiently, G is not a PRG). This also implies that if PRG exist, P≠ NP.
  Reading: Chapter 3.2.1, 3.3


• Lecture 4 (9/16) Showed an example of a construction of a PRG from another PRG and how to prove its security. More generally discussed security reductions in cryptography. Gave a very brief overview of how PRGs are constructed, with no details (we will show these later, and at this point in class it's ok if you didn't follow these constructions). In particular, mentioned practical block-cipher based constructions, and an example of a construction based on a number theoretic assumption (DDH). Proved that if G is a PRG, then G(G(·)) is also a PRG. Our proof was based on the hybrid argument technique (and can be generalized for any poly number of applications). Showed that if there's a PRG with even one bit expansion, then there is a PRG with arbitrary polynomial expansion, which can generate one bit at a time (sometimes called a stream cipher). We claimed that if a PRG exists, then there exists a EAV-secure encryption scheme. We showed the construction (which is similar to OTP but uses a pseudorandom one-time pad).
  Reading: Chapter 3.3. The construction from one bit expansion to arbitrary expansion PRG is in Chapter 8.4.2 (the proof is not part of our material). The rest is included here for your information but you are not responsible for it at this point: Constructions of PRG are covered in the book in sections 7.1,7.2,and 8. The DDH-based PRG candidate is not in the textbook, but the assumption itself is definition 9.64.


• Lecture 5 (9/18) Proved that the construction we saw last time (pseudorandom OTP) satisfies EAV-security. This gives us a construction with short keys, but we discussed why this does not satisfy multiple-message security (the same key can only be used once). We discussed how this could be addressed with stateful encryption (also sometimes called stream cipher), but requiring state is problematic (and our definition of encryption scheme is stateless). Instead, we will see in the next lectures how we can construct an encryption scheme with stronger security, by using PRFs. Defined CPA-security for private key encryption. Noted that CPA-security implies security for multiple messages (ie key can be reused). Discussed why CPA security requires randomized encryption (no deterministic scheme can have CPA-security), and in fact each message should have super-polynomially many different encryptions under the same key.
  Reading: Chapter 3.3, 3.4


• Lecture 6 (9/23) We gave some intuition for how one could try to use a random function to achieve CPA secure encryption. However, this approach is not efficient, and the key (a specification of a random function) would be exponentially long. This is one motivation for the definition of pseudorandom functions (PRF). we defined PRF, discussed differences between PRG and PRF, and showed an example of a construction that is not a PRF. We proved that PRF implies a PRG, and noted that this corresponds to a common way in practice to construct stream ciphers from block ciphers (a primitive we will discuss later). We also showed that PRG implies a PRF, via the GGM construction (we showed the construction but not the proof).
  Reading: 3.5.1. 3.6.1 has the construction of PRG from PRF (although it is in the context of stateful encryption with stream ciphers, which they define formally and we didn't). 8.5 has the GGM construction of PRF from PRG.


• Lecture 7 (9/28) We showed how we can use a PRF to construct CPA secure encryption for fixed length messages (the message length is the size of the PRF output for the given key length). We proved security of this construction (which relies on the security of the PRF and on the input-block-size of the PRF being long enough). We defined pseudorandom permutations (PRP) and strong PRP, and noted that the term "blockcipher" typically refers to a strong PRP. Showed the Feistel network construction, in which each round (and thus any number of rounds) is always a permutation (efficiently computable and invertible, for any efficiently computable round function). Stated (without proof) the Luby-Rackoff theorem: if we instantiate a Feistel network with round functions that are PRF with independent key for each round, then after three rounds we get a PRP (but not a strong PRP), and after four rounds we get a strong PRP (one or two rounds do not give a PRP). As a consequence, PRF implies strong PRP (and thus, so far we've seen equivalence among PRG, PRF, PRP, and strong PRP, in the sense that if one exists, the other one does too). Finally, we mentioned why PRP on its own is not a CPA secure encryption, although it can be used to construct CPA secure encryption, as we saw for fixed-block length, and will see for arbitrary length message next time.
  Reading: 3.5.2, 7.2.2, 8.6


• Lecture 8 (9/30) Discussed how to use PRF (or block-ciphers) to get CPA-secure encryption of shorter messages (by padding to block length), and how to use them to encrypt longer messages. Towards that end, we claimed that if there's CPA secure encryption for a fixed message size, block-by-block encryption remains CPA secure for longer messages (proof is by a hybrid argument, but we did not show it). Discussed modes-of-encryption, which are ways to use PRF/PRP/block ciphers towards encrypting longer messages, with better efficiency (specfically, better ciphertext length) than the naive way to encrypt block-by-block, while maintaining other desirable properties (plus CPA security). Mentioned ECB mode (not even EAV secure -- do not use!), CBC mode and CTR mode (both CPA secure). We also mentioned that while CTR mode can be used in a stateful way, using CBC mode in a stateful way makes it no longer CPA secure, which was used to launch a successful attack ("BEAST") on SSL/TLS in 2011 (lesson: use crypto primitives correctly -- only as intended and proved). Some informal discussion of what is needed for a mode-of-encryption to maintain CPA security, and the relation to block size and the "birthday" attack (which takes time roughly square root of that of a brute force attack). Quick review of what we've seen in class so far (including how you can use block-cipher to get CPA secure encryption and other primitives), and started discussing how block-ciphers are constructed in practice. High level overview of DES structure and its security: remains secure without significant practical attacks (could be assumed to be a strong PRP), but since key size and sometimes block size are too small for use today, should not be considered secure as-is.
  Reading: 3.5.2, 3.6.3, 7.2.3, 7.2.4, 7.2.5.


• Review by Tony Fields (10/2)


• Lecture 9 (10/7) A brief review of where we are and the relation between the primitives we saw so far (and a reminder that we cannot unconditionally prove these computational primitives exist unless we can prove P is not equal to NP). Continuing with practical blockcipher constructions, we mentioned that any attack (namely breaking the security of the blockcipher sa a PRP) that is better than brute force is considered a vulnerability. Discussed how to extend the effective key-length of a given PRP (motivated by DES): composing three times (e.g., 3DES) effectively doubles the key size (no known non-trivial attacks), but twice (2DES) does not (susceptible to meet-in-the-middle attacks), although composing a PRP twice is still a PRP (so 2DES is still at least as secure as DES - but 3DES has double key-size security). Discussed AES structure and its security (very strong according to all current indications). Gave a high level overview of theoretical construction. In particular, defined one-way functions (OWF) and discussed its importance as a minimal building block in cryptography (equivalent to all "minicrypt" primitives). Defined hard-core bit (HCB) and mentioned the Goldreich-Levin theorem, which shows how to get a HCB from every OWF. We also defined one-way permutations (OWP) and sketched how OWP imply PRG, going through their HCB. This construction can also be used as a stream cipher. (We also mentioned that any OWF imply PRG but didn't show how).
  Reading: 7.2.3-7.2.5, 8.1-8.4 (although we only gave a high level overview of these parts, skipping proofs and many details).


• Lecture 10 (10/9) Switched to a new goal: authenticity/integrity, rather than secrecy. Showed that encryption does not necessarily provide authentication. Motivated and defined message authentication codes (MACs). Defined security of a MAC (existential unforgeability against adaptive chosen message attacks), including the variations of fixed-length MAC and strong MAC (noting that if the MAC algorithm is deterministic then there's a unique tag for each message and standrad MAC implies strong MAC in this case). Explained why replay attacks are not handled by the MAC definition, and that they should be protected at the level of the message (mentioned approaches using counters or time stamps). Claimed that a PRF can be used as a secure fixed-length MAC. Discussed how to use a fixed-length MAC to get a MAC for longer messages: simply authenticating each block separately and some more sophisticated variations do not work (we discussed attacks based on reordering blocks, mixing blocks from different messages, and truncating blocks). But a secure MAC can be obtained with a block-by-block approach if we include in each block also a random message identifier, length of message, and the index of the block. This results in a long tag, while there are much more efficient schemes (with a single-block tag even for long messages), as we will see next time.
  Reading: 4.1, 4.2, 4.3


• Lecture 11 (10/14) Showed CBC-MAC: a way to use a PRF to construct a short MAC (one block) for long messages, pointing out the main differences with CBC encryption (no IV and no intermediate values), which are essential for security. We claimed that CBC-MAC is a secure MAC for fixed-length messages (arbitrarily long messages but just one length, agreed upon and fixed in advance). Two ways to augment CBC-MAC to be secure for arbitrary (variable) length messages: either prepend the length of the message as a first block, or apply an additional layer of PRF at the end with a fresh key. (We will see hash-based MAC later as another efficient and secure alternative). Motivated and defined chosen ciphertext attack (CCA) security, and mentioned the weaker CCA1 ("lunchtime attack") version. Motivations we discussed include the following. First, "padding oracle attacks" (a special case of CCA) were successfully used on several practical systems. Second, non-malleability (given an encryption of a message, cannot get an encryption of a related message), which is well motivated in many applications (while in other applications we may want the opposite, "fully homomorphic encryption", but we did not discuss or define this). CCA security implies non-malleability. The encryption schemes we've seen so far are not CCA secure (we showed an attack on the one where ciphertexts are of the form (r,Fk(r) xor m)). We claimed that if Fk is a strong PRP, an encryption scheme where ciphertexts are of the form Fk(r||m) for a random r, is CCA secure. However, next time we will construct a better CCA secure scheme (one that will also achieve authentication). Motivated and defined Authenticated Encryption (AE), which achieves both secrecy (CCA security) and authentication (unforgeability - defined slightly differently than unforgeability for MAC, to account for the fact that the message is given in an encrypted form).
  Reading: 4.1-4.3, 4.4.1, 5.1, 5.2, 5.3.1


• Lecture 12 (10/16) Given a secure (private key) encryption scheme and a secure MAC scheme, how do we construct an AE scheme? We discussed three general approaches (all were used in real systems). Encrypt-and-Authenticate: satisfies unforgeability (we sketched the reduction), but not even CPA secure - do not use. Authenticate-then-encrypt: satisfies unforgeability, as well as maintaining the encryption security (CPA or CCA) of the underlying encryption scheme (the notes include a reduction for CPA security, but we didn't go through it in class). Encrypt-then-authenticate: satisfies unforgeability, and maintains encryption security. Moreover, if the underlying MAC is a strong MAC, and the encryption scheme is CPA secure, Encrypt-then-authenticate results in a CCA secure encryption scheme (we sketched the main part of the reduction, but without a full proof). This is why it's the best way to combine the two: it allows not only to obtain AE, but also to upgrade private key encryption from CPA secure to CCA secure. As a rule of thumb, whenever active adversaries are a concern, you should always authenticate as a last step / have your algorithms start with verifying a MAC on the received message, before using other cryptographic operations like decryption. Wrapped up our "minicrypt" primitives and started some informal discussion about the next topic, hash functions.
  Reading: 5.2, 5.3.1, 6.1


• Lecture 13 (10/21) Informal discussion of "minicrypt": all the primitives implied by OWF (we saw PRG, PRF, PRP, MAC, AE, CPA secure and CCA secure private key encryption all reduce to each other/equivalent computational assumptions). Collision resistant hash functions (CRHF) is "in between" this private key and public key crypto worlds (informal discussion): On one hand, it's the first primitive we see that is not known to be implied by OWF/not in minicrypt, and there is some evidence it may not be (so, it's harder to construct), and it also does not require parties to share secret information that the adversary does not have. On the other hand, it's closer to minicrypt/symmetric key primitives in terms of techniques used in practice, having extremely practically efficient candidate ad-hoc constructions. We gave a formal defintiion of CRHF (for fixed length, aka compression function, and for arbitrary length). Generic attacks on any hash function: exhaustive search (aka brute force), and birthday attack, which takes time about square root of exhaustive search. This means we need a longer output (for security against 2^n attack, we need to choose output length at least 2n). Mentioned some weaker notions of security for hash function: second preimage resistance, preimage resistance/one-wayness, and discussed the much stronger notion of random oracle model/heuristic. Informaly discussed the cryptographic asymptotic keyed definition of CRHF vs the practical use of fixed, unkeyed hash functions (although in any case there's never a secret key -- the adversary knows everything about the function). Showed the Merkle-Damgard transform for constructing an arbitrary length CRHF from a fixed length one, and sketched the proof. Started discussing some applications of hash functions (informally and without proof): for fingerprinting/equality checking in many different contexts, such as deduplication, or password storage. We'll continue next time.
  Reading: 6.1-6.3, 6.5, 6.6.1-6.6.3,


• Lecture 14 (10/23) Continued with (informally described) applications of hash functions. Merkle trees of CRHF constitutes a CRHF if the number of leaves is fixed. Useful in many applications, including for verifiable computation and verifiable storage (using a short hash for the data on the leaves, client who wants to retrieve a single leaf only needs logarithmically many hash values to verify the root hash (rather than retrieving the whole tree). Hashing for MAC: hash-and-MAC is a secure way for domain extension, using any CRHF and fixed length MAC of matching lengths. To build MAC directly from hashing alone, can use HMAC, a standardized, provably secure based on CRHF, and very efficient design, widely used in practice (we did not show how). Applications of hash functions in the random oracle model (ROM) (CRHF not enough for these): removing interactions in protocols via the Fiat-Shamir methodology (explained the idea, we will also revisit). We mentioned that hash functions are heavily used in the blockchain/cryptocurrency context, in several different ways. This includes fingerprinting, Merkle trees, and Fiat-Shamir mentioned above, as well as for proof of work (which also needs the ROM, standard CRHF not enough). Quick review of hash function constructions: theoretical constructions can be based on concrete assumptions such as the number theoretic assumptions we will see next. Don't know how to construct directly from public-key encryption (we will define PKE soon). In practice, efficient ad-hoc designs: MD5 and SHA1 should not be used (collisions found, including meaningful collisions). SHA2 (eg SHA256) and SHA3 (the standardization of Keccak, winner of NIST competition) - considered secure.
  We switched gears and started talking about some number theory background (superficial: we are only focusing on the purposes of this class, and not giving proofs of these facts). Noted that when given an integer N as an input (say in binary), the length of the input is log N, so to be efficient we need to run in time polylog(N). Modular arithmetic/ computing mod N. Can efficiently find gcd and inverses mod N. Groups, including the special cases of (Z_N,0) wrt modular addition, (Z_N*,1) wrt modular multiplication. Gave the formula for φ(N)=|Z_N*|. If a finite group is of order q, then for every element x in the group x^q=1 (so exponent can be reduced mod q). In particular for any N, and any x in Z_N*, x^φ(N)=1 mod N (special case for a prime p: x^(p-1)=1 mod p). Can use this to compute modular exponentiation mod N: reduce base mod N and reduce exponent mod φ(N).
  Reading: 6.6.1-6.6.3, 7.3.2, 7.3.3 (but we skipped many details). Appendix B (except the starred parts), 9.1.1-9.1.4


• Lecture 15 (10/28) Continued number theory facts and examples. Defined cyclic groups. The following are cyclic: (a) (Z_N,+) for any N, (b) (Z_p*,×) for a prime p, (c) any group of prime order. There is an efficient algorithm that (on input 1^n) selects a random n-bit prime with a generator of Z_p*. Noted that the group (Z_p*,×) is isomorphic to the group (Z_p-1,+) via the following isomorphism: map x ∈ Z_p-1 to g^x ∈ Z_p*, where g is a a generator of Z_p*. Note that this isomorphism (in this direction) is efficiently computable, but computing the inverse of this bijection is believed hard (this is the DLA assumption wrt the group (Z_p*,×). Discrete log assumption (DLA) wrt to a given cyclic group generator, and discussion. DLA believed to be true for Z_p* (but known to be false for some other groups) . Diffie Hellman key exchange, and discussion of required assumptions. This led to the definition of the computational DH assumption (CDH) and the decisional DH assumption (DDH). DDH implies CDH, which in turn implies DLA. The converse is not true in general (there are specific useful groups where DDH is false, but DLA is believed to hold), and even in specific useful groups where DDH is believed to hold, we don't have a proof that it is equivalent to DLA (thus, DLA is the best/weakest assumption of the three).
  Reading: 9.1.1-9.1.4, 9.3.1, 9.3.2, 11.3. You're encouraged to also read 11.1,11.2 (but this is not required).


• Lecture 16 (10/30) Reviewed the DH key exchange protocol. DDH implies that the key agreed on is indistinguishable from a random element in the group, which gives security of KE against a passive adversary. We mentioned that for an active attacker, the DH KE scheme we saw is not secure (eg, there is a devastating "man in the middle" attack). Still, today's KE protocols (e.g in SSL/TLS) use this DH KE idea, modified to allow an "authenticated channel" with the help of a Certificate Authority (CA), to prevent active attacks (we did not discuss any details about how, or what a CA is). Going back to passive security for DH KE, while DLA and CDH are believed to be true in Z_p*, DDH does not hold in this group, and so we use DH key exchange in a related subgroup where it is believed to hold, as we described next. We defined QRp, the subgroup of quadratic residues mod p (this group is cyclic and generated by the g^2 where g is a generator of Zp*; it is of size (p-1)/2). We argued that for a prime p it's easy to tell whether an element of Zp* is in QRp or not (by raising it to (p-1)/2 and checking if we get 1), and that this can be used to break the DDH assumption in Zp*. A similar attack works for any composite order group, but this attack does not work in a prime order group (this is one of several advantages of working in prime order groups). If p is a safe prime (p=2q+1 where q is a prime) then QRp is of prime order q. For this group, DDH is believed to be true, and so we can apply the DH KE for this group to get indistinguishability (namely passive security).
  Discussion of Public Key Encryption (PKE), with a quick historic overview. Definition of PKE with CPA security. Noted that EAV security for one message, multiple messages, and CPA security are all equivalent for PKE (this also means that there does not exist PKE with perfect security, even for EAV, single message, and large keys - brute force attack always breaks security). Mentioned that CPA secure PKE is equialent to two-round KE (we will expand on this next time). Informal diiscussion of differences between PKE and private key encryption (pros and cons).


• Lecture 17 (11/6) We showed that PKE is equivalent to 2-messae key exchange (although we didn't formally define the latter, but we showed the constructions in both directions). Using this construction to get PKE from the DH KE protocol (which hsa two rounds) gives the El Gamal PKE scheme. We described El Gamal and claimed that it is CPA secure under the DDH assumption.
  Defined the Factoring assumption (which can be phrased as: multiplying two large primes is a one-way function). Noted that the grade-school algorithm for factoring is not polynomial time, and mentioned that we have better algorithms, but those are still not polynomial time. Also noted there is a polynomial time quantum algorithm breaking this assumption.
  Defined the RSA function, and showed that it is a permutation over Z_N*. RSA assumption wrt GenRSA experiment generating (N,e,d) (variations on how e is chosen yield different assumptions, all considered hard). If factoring assumption is false (factoring easy) then RSA assumption is false, but the other direction is not known (thus, RSA is a stronger / worse assumption). Indeed, factoring N=pq is equivalent to finding φ(N) and equivalent to finding d (the inverse of e) from (N,e), and any of these can be used to take e-th roots mod N and break the RSA assumption. However, it's possible that there are other ways to break RSA even if factoring is hard. Textbook (plain) RSA and its insecurity as a PKE (e.g., it is deterministic; there are other attacks as well). RSA encryption refers (or should) to secure randomized schemes based on the RSA assumptions (we will elaborate next time). We discussed (informally) the concept of a trapdoor function (TDF) or a trapdoor permutation (TDP): easy to compute and hard to invert, but easy to invert given a trapdoor. The RSA function is is a TDP, under the RSA assumption. Using a TDF/TDP directly is not a good PKE, but any TDF can be used to get a secure PKE, via a hard-core bit (continued next time)


• Lecture 18 (11/11) We showed that any TDP can be used to get a CPA secure PKE, via a hard-core bit (HCB) -- mentioned that this is true also for any TDF, but we only showed the construction for a TDP (ie a TDF that is also a permutation). Specifically for the RSA permutation, it is known (though we did not prove) that under the RSA assumption, the least significant bit (lsb) is a hard-core bit. That is: if there's a ppt algorithm that given N,e, and x^e mod N can find the lsb(x) with probability non-negligibly better than 1/2, then there's a ppt algorithm that given the same input, can recover x completely with non-negligible probability. This yields a PKE scheme for one bit messages, secure under the RSA assumption: the encryption outputs (r^e, lsb(r) xor m). The construction is for one-bit messages (basically using the HCB as a one-time-pad). Longer messages can be encrypted bit by bit.
  More efficient options include the following. Padded RSA PKE (can prove security under RSA assumption when message length is at most logarithmic in n, insecurity when random pad is at most logarithmic in n, and we do not have a proof nor an attack when the message and pad are of the same length). Hashing-based encryption, where the encryption outputs (r^e, H(r) xor m), which can be proven CPA secure in the ROM under the RSA assumption. These, or variations with specific padding patterns, have often been used in practice.
  Towards constructing CPA secure encryption based on factoring (which is a better assumption than RSA), we claimed that the factoring assumption holds if and only if it is hard to find square roots mod N=pq (a proof is included in the notes at the end of lecture, which also mentions the Chinese Remainder Theorem, but this is not part of the class material). Defined the Rabin function (squaring mod N=pq), which is a 4:1 function. Based on above claim, this is a TDF under the factoring assumption. We can use this TDF (adding randomization and some care) to get CPA secure encryption based on the hardness of factoring. On the other hand, due to equivalence to factoring, schemes based on this assumption are often more susceptible to CCA attacks, which could allow to completely factor N.
  Defined CCA secure PKE. PKE schemes we saw so far are not CCA secure. Brief overview of how to achieve CCA secure PKE schemes. There are ones based on number theoretic assumptions (for example, the Cramer-Shoup DDH-based efficient scheme, schemes based on Factoring, etc). There are also hashing-based schemes, e.g. OAEP, which are secure in the ROM, under number-theoretic assumptions. However, it is not known how to construct CCA secure PKE from CPA secure PKE (in contrast to the private key setting).


• Lecture 19 (11/13) General discussion of other assumptions in cryptography. A quick overview of lattice-based assumptions and Learning With Error (LWE), including motivation and applications. In particular, we mentioned (informally) fully homomorphich encryption (FHE) and that it can be constructed based on the LWE assumption. To wrap up PKE topic, we discussed a typical use of encryption in practice: hybrid encryption (aka KEM-DEM paradigm): use PKE to encrypt a random key which is subsequently used for private key encryption. This allows to combine advantages from both types of schemes.
  Digital signatures: motivation and discussion of differences with MAC. Definition of signature schemes and their security (existential unforgeability against CMA).


• Lecture 20 (11/18) We discussed the wrong notion that signatures and PKE are dual in the sense that you can "sign by decrypting, verify by encrypting". This does not make sense with our modern terminology, even syntactically, since a secure PKE must be randomized, and every message has exponentially many ciphertexts. This notion was suggested by Diffie and Hellman in their seminal work where they propose the idea of PKE and signature schemes, but what they referred to as PKE is what we call a TDP (trapdoor permutation) today (which is a deterministic function). Insecurity of plain ("textbook") RSA signatures: on the quiz we saw one attack, and in class we generalized it and showed another. Specifically, we had a chosen message attack allowing to forge a signature on a message of the adversary's choice (this uses the multiplicative homomorphism of the RSA function). We also had an attack that applies to any scheme that simply calls a TDP on a message to sign it: this attack used no chosen-message queries, and forged a signature on some message (e.g., a random message).
  We gave an overview of different approaches for constructing secure signature schemes: (1) heuristic constructions based on number theoretic assumptions, (2) constructions provably secure in the random oracle model (ROM), based on number theoretic assumptions (or generic TDP+ROM) (3) provably secure constructions (in the standard model) from: (a) one-way functions, (b) CRHF, (c) number theoretic assumptions. Our discussion included the following details. (3a) is the best, minimal assumption: it is possible to construct signature schemes from OWF (although we did not show how), so, in terms of complexity, signatures are equivalent to OWF (and therefore also to private key encryption, MAC, PRF, etc) -in that way it is like a private key primitive (in minicrypt!). However, this is also the least efficient construction -- the other approaches yield more efficient schemes. For (2), we described the RSA Full Domain Hash (RSA-FDH), as well as any TDP-FDH (the scheme is basically "hash and TDP^-1"), which is secure in the ROM. We also mentioned that hash-and-sign is a secure approach to domain extension (similarly to the MAC case).
  Towards showing constructions of other signature schemes, and as an important primitive on its own, we informally defined identification schemes, which allow Alice to prove to Bob that she holds the sk associated with her pk, without revealing information that will allow an adversary to impersonate her later. We showed the Schnorr identification scheme which is secure based on DLA (looking ahead to next classes: this is a zk-pok for discrete log). We discussed the Fiat-Shamir paradigm that allows to remove interaction from a 3-round scheme where the second message is random, by using a hash function, modeled as a random oracle (security is in the ROM). Using Fiat-Shamir with Schnorr identification gives Schnorr signature scheme (another example of (2)). Finally, schemes for (1) include DSA and ECDSA, which are part of NIST's digital signature standard. These are also based on DLA identification scheme, which has been heuristically made non-interactive by using a hash function and another public function.


• Lecture 21 (11/20) Interactive proof systems, zero-knowledge proofs, variations and applications (not on exam, but will be on homework)


• Lecture 22 (11/22) Continue with interactive proof systems, zero-knowledge proofs, variations and applications (not on exam, but will be on homework)


• Review by Tianqi Yang (12/2)

Back to Course Main Page