ECS 227 - Lecture Topics - 2005
Lecture topics for my Spring 2005 cryptography class. There will be 19 lectures, 80 minutes each. I will fill in the material we got to after each lecture. You're on your own to find the corresponding material in our course notes or in other sources.
- Lect 1 - Apr 4 - Introduction. Classical vs. modern cryptography. "Where" provable security is applied. NP-completeness analogy. Four goals: {symmetric, asymmetric} x {privacy, authenticity}. The dating problem.
- Lect 2 - Apr 6 - More example problems: secure function evaluation, the millionaires' problem, secure commitment, coin flipping. One-time pad encryption. Single-message. A definition for the goal. Multiple messages.
- Lect 3 - Apr 11 - Notions of encryption appropriate to OTP encryption. Blockciphers. Definition and history of DES.
- Lect 4 - Apr 13 - Definition and history of AES. Notions of blockcipher security. Key recovery (KR: Adv^kr) and its problems as a definition for blockcipher security.
- Lect 5 - Apr 18 - More notions of blockcipher security: gm [guess message], np [new pair], prp [pseudorandom permutation], prp'. Equivalence of the PRP and PRP' notions. PRP-security implies KR-security.
- Lect 6 - Apr 20 - An apparently stronger notion of prp security, prp2 security, and a hybrid argument. The PRP/PRF Switching Lemma.
- Lect 7 - Apr 25 - Game-playing arguments. Proving the Switching Lemma. Proving the indistinguishability of (pi, pi) and (pi, pi') when the adversary can't repeat a query across the oracles. Modes of operation. ECB and its problems.
- Lect 8 - Apr 25 - Symmetric encryption scheme security. The IND-CPA definition for encryption-scheme security. Security of CTR mode. Insecurity of CBC-CTR and CBC-CHAIN.
- Lect 9 - May 2 - Proving the security of CBC$. Semantic security. IND-CPA ==> SEM-CPA. Message authentication codes.
- Lect 10 - May 4 - Notions for message authentication. Many queries vs. one query. Breaking various message authentication schemes. The CBC MAC.
- Lect 11 - May 9 - Game chains: proof of security for the CBC MAC. Universal hash functions. Carter-Wegman MACs.
- Lect 12 - May 11 - Discussion of modern MACs: CMAC, HMAC, EMAC, PMAC.
- Lect 13 - May 16 - The tweakable-blockcipher paradigm, and instantiating PMAC. Construction of tweakable blockciphers. Authenticated encryption. Composition paradigms. A tweakable-blockcipher-based solution.
- Lect 14 - May 18 - Proving the security of our one-pass AE scheme. Number theory: prime-number density, primality testing, Euclid's algorithm, the groups Z_n and Z_n^*, Lagrange's theorem, phi(n).
- Lect 15 - May 23 - Diffie-Hellman key exchange. Key exchange implies PK encryption. ElGamal encryption. The DL assumption, CDH, and DDH. Breaking raw ElGamal encryption in Z_p^*. RSA encryption. The RSA assumption. Breaking raw RSA encryption.
- Lect 16 - May 25 - Definition for PK encryption. Chosen-ciphertext attack. Breaking ElGamal encryption in the CCA sense. The asymptotic approach.
- Lect 17 - Jun 1 - Hardcore bits. Secure encryption using a hardcore bit. One-way functions and the asymptotic equivalence of various security notions.
- Lect 18 - Jun 6 - One-way functions imply P ≠ NP. Practical schemes: the Random-Oracle Model. Definitions in the RO model. Practical schemes for PK encryption in the RO model. Proving the security of an RO-model encryption scheme.
- Lect 19 - Jun 8 - Using the random self-reducibility of RSA to get a better bound. Digital signatures. Definitions and constructions, in the standard and RO models. Authenticated key exchange in the two-party public-key and the three-party setting. Attacking some AKE protocols.
Phil Rogaway's homepage