Cryptology I

Lecture spring 2018

Instructor	Dominique Unruh <<surname> at ut dot ee>
Teaching assistant	Tore Vincent Carstens <<firstname dot thirdname at gmx dot de>
Lecture Period	Feb 15 - Wed 30
Lectures	Wednesday, 12:15-13:45, room 218 (Paabel) (Unruh; may sometimes be switched with practice)
Practice sessions	Wednesday, 16:15-17:45, room 220 (Paabel) (Unruh/Carstens)
Course Material	Lecture notes, blackboard photos (of practice), and exam study guide.
Language	English
Mailing list	ut-crypto1@googlegroups.com
Contact	Dominique Unruh <<surname> at ut dot ee>

Topics covered

2018-02-14 (lecture)	Historical ciphers.	[video]
2018-02-14b (lecture)	Perfect secrecy. One-time pad. Security and limitations of OTP.	[video]
2018-02-21 (lecture)	Stream ciphers (ctd.). IND-OT-CPA security. Pseudo-random generators (PRG). Security proof for G(k)⊕m encryption scheme.	[video]
2018-02-21 (practice)	Breaking a substitution cipher. Malleability of one-time-pad (bank transfer).
2018-03-01 (lecture)	Block ciphers. AES (construction). Feistel networks. Provable security vs. best effort.	[video]
2018-03-01 (practice)	Security proof: If G is PRG, then H(x,y):=G(x)\|\|y is PRG. Very short intro to linear feedback shift registers (LFSR).
2018-03-07 (lecture)	Security notions of block ciphers: strong PRP. Security of encryption: IND-CPA. Modes of operation: ECB, CBC. Insecurity of ECB. IND-CPA security of CBC (only claim).	[video]
2018-03-07 (practice)	Security of AES with missing AddRoundKey/SubBytes/MixColumns/ShiftRows
2018-03-14 (lecture)	Public key encryption. Textbook RSA. RSA-assumption. Weaknesses of textbook RSA.	[video]
2018-03-14 (practice)	Recap: linear functions. Malleability of CBC mode. "Crypto competition": Authenticated encryption.
2018-03-21 (lecture)	ElGamal. Decisional Diffie-Hellman (DDH) assumption. IND-CPA (public-key). Security of ElGamal.	[video]
2018-03-21 (practice)	Breaking 3RSA for small messages.
2018-03-28 (lecture)	Malleability of ElGamal. Definition IND-CCA. Hybrid Encryption. Message authentication codes (MACs). Hash functions. Collision-resistance. Iterated Hash. Collision-resistance and non-collision-resistance of Iterated Hash.	[video]
2018-03-28 (practice)	Insecurity of ElGamal mod p. Quadratic residues. Breaking collision resistance for various compression functions.
2018-04-04 (lecture)	Merkle-Damgård construction. EF-CMA definition. Insecurity of Merkle-Damgård as a MAC. CBC-MAC, DMAC, and their security. MAC from block cipher/PRF. Extending message space of MACs.	[video]
2018-04-04 (practice)	Breaking Iterated Hash / Merkle-Damgård with various compression functions. Breaking sponge without padding.
2018-04-11 (lecture)	Davies-Meyer. Miyaguchi-Preneel. Birthday attacks for hashes. Signatures. EF-CMA. One-way functions.	[video]
2018-04-11 (practice)	Two variants of EF-CMA. Constructing bad MACs secure under these variants.
2018-04-18 (lecture)	One-time signature construction. EF-OT-CMA. Tree-based signatures (how to get signatures from one-time signatures).	[video]
2018-04-18 (practice)	Constructing a secure protocol for movie download using PKE and signatures.
2018-04-25 (lecture)	Full-domain hash (FDH). Random oracle model/heuristic. EF-CMA in random oracle model. Security proof of FDH.	[video]
2018-04-25 (practice)	Estimating length of tree based signatures.
2018-05-02 (lecture)	Secure function evaluation. Yao's garbled circuits. Oblivious transfer (OT).	[video]
2018-05-02 (practice)	Unsoundness of random oracle heuristic. Definition and security proof: One-way functions in the random oracle model.
2018-05-09 (lecture)	Zero-knowledge proofs.	[video]
2018-05-09 (practice)	Repetition OT and Yaos protocol. Different more active secure versions of Yaos protocol
2018-05-16 (lecture)	Symbolic cryptography. Needham-Schröder-(Lowe) protocols (NSL). Modeling and proving security of NSL symbolically.	[video]
2018-05-16 (practice)	Schnorr's ZK protocol.
2018-05-34 (practice)	Symbolic crypto analysis of "movie download" protocol

Homework

Your current amount of points in the homework can be accessed here.

Out	Due	Homework	Solution
2018-02-22	2018-03-02	Homework 1, wordlist.txt	Solution 1, otp-xor-advanced.py, otp-xor.py
2018-03-01	2018-03-09	Homework 2, ind-ot-cpa.py, prg.py	Solution 2, ind-ot-cpa-solution.py
2018-03-08	2018-03-16	Homework 3, ecb-distinguish-2.txt, ecb-distinguish.py, ecb-distinguish-1.txt	Solution 3, ecb-distinguish-sol.py
2018-03-15	2018-03-23	Homework 4, 3rsa-aes.py	Solution 4, 3rsa-aes-adv.py
2018-03-22	2018-03-30	Homework 5, additive-group.py	Solution 5, additive-group-solution.py
2018-03-30	2018-04-06	Homework 6, hybrid.py	Solution 6, hybrid-solution.py
2018-04-05	2018-04-13	Homework 7	Solution 7
2018-04-12	2018-04-20	Homework 8, birthday.py, owf.py	Solution 8, owf-solution.py
2018-04-19	2018-04-27	Homework 9	Solution 9
2018-05-03	2018-05-11	Homework 10, yao-gate.py	Solution 10, yao-gate-solution.py
2018-05-11	2018-05-18	Homework 11, zk-prog.py	Solution 11, zk-prog-solution.py
2018-05-17	2018-05-25	Homework 12	Solution 12

Description

The course "Cryptology I" introduces the basics of cryptography. After discussing historic ciphers and their weaknesses, we introduce modern cryptographic primitives such as encryption and signature schemes, hash functions, one-way functions etc. We explain how the security of cryptographic schemes is defined and proven. We study advanced cryptographic schemes such as zero-knowledge proofs and secure function evaluation.

Requirements

"Elements of Discrete Mathematics" or some comparable mathematical foundations.

Reading

The following reading supplements this lecture (optional!)

Lindell and Katz, Introduction to Modern Cryptography, Chapman & Hall, 2007.
Materials from the course "Topics of Mathematics in Cryptology" (especially the chapter on probability and the one on modular arithmetic).