Syllabus
- How to Model Cryptographic Primitives and Protocols
- Analysis of Randomised Algorithms
- Computational Indistinguishability
- Semantic Security and Cryptosystems
- Security Notions for Public Key Cryptosystems
- Message Authentication Codes
- Commitment schemes
- Entity Authentication
- Sigma protocols
- Digital signatures
- Zero-knowledge proofs
- Security of Protocols
- Oblivious Transfer
Under constructions. Materials will be updated
Authorship of example solutions
The example solutions to most of the exercises are generated in close collaboration with students. For many exercises, I have taken the solution type set by a student and modified it. By doing it I have tried to keep the original solution scheme but iron out some technical wrinkles or add emphasis on the details I believe are worth stressing. The PDF files do not contain explicit references of authorship, I will thank all of my contributors separately
- Alisa Pankova
- Ehsan Ebrahimi
- Filip Ivanov
- Ilya Kuzovkin
- Ivo Kubjas
- Kristiina Rahkema
- Karl Tarbe
- Margus Niitsoo
- Pille Pullonen
- Prastudi Fauzy
- Sanja Scepanovic
- Sander Siim
The table showing who are the authors of which exercises can be downloaded form here Δ
How to Model Cryptographic Primitives and Protocols
Lecture (PDF)
- Cryptographic absraction techniques
- Functional requirements. Attacks and security requirements
- Discrete logarithm and abstract DL, CDH and DDH groups
- Factorisation problem and abstract distribution of RSA moduli
- Basic reductions between DL, CDH and DDH problems
- Random self-reducibility and its consequences
Exercise session (PDF)
- Formalisation of cryptographic primitives
- Formalisation of attack senarios and security definitions
- Self-reducibility and Diffie-Hellman problem
Example solutions
- Electronic lottery
- Hash functions
- Password hashing
- Random self-reducibility of discrete logarithm
- Random self-reducibility of Computational Diffie-Hellman Problem
- Weak random self-reducibility of Decisional Diffie-Hellman Problem
- Random self-reducibility of Decisional Diffie-Hellman Problem
- Alternative explanation to random self-reducibility of Decisional Diffie-Hellman Problem
Analysis of Randomised Algorithms
Lecture (PDF)
- Turing Machines. Random Access Machines. Circuits
- Chebyshev, Markov and Jensen inequalities
- Standard amplification techniques and their connection to inequalities
- Relation between expected and strict running-time
- Total probability formula and analysis by exhaustive decomposition
- Entropy and its basic properties
Exercise session (PDF)
- Subtleties and paradoxes of computational models
- Applications of total probability formula
- Applications of Chebyshev, Markov and Jensen inequalities
Example solutions
- From expected running time to strict running time
- Amplification by majority voting
- Standard analysis of combiner constructions
- On the necessity of universality in the timing model
- On the random self-reducibility of the most significant bit of discrete logarithm
- Independence of biased coin throws
Literature:
- Stintson, Cryptography: Theory and Practice, Chapter 2 (entropy).
- Cook, S. A., Reckhow, R. A. Time-bounded random access machines.
- C. E. Shannon, Communication Theory of Secrecy Systems
Computational Indistinguishability
Lecture (PDF)
- Statistical and computational distance
- Pseudorandom generators, functions and permutations
- Guessing games and semantic security
- IND-SEM theorem and some conclusions
Exercise session (PDF)
- Statistical tests
- Trade-offs between false positives and false negatives
- Naive estimates on computational distance
- Properties of computational distance
- Application of guessing games
Example solutions
- Tradeoffs between false positives and false negatives
- Explicit estimation of computational distances
- Lottery game with indistinguishable distributions
- Classical hybrid argument
- Convex closure of distinguishers
- Existence of hard-core bits
Semantic Security and Cryptosystems
Lecture (PDF)
- The proof of IND-SEM theorem
- Symmetric key cryptosystems
- IND-FPA security and semantic security
- Insufficiency of IND-FPA security in practical settings
- IND-CPA security and constructive IND-SEM theorem
- PRF/PRP switching lemma
Supporting materials. Example solutions
- IND-SEM proof in details (PDF)
- Coin-fixing argument and semantic security
- Semantic security of randomised functions
Exercise session (PDF Δ)
- Random functions and permutations
- Analysis of PRF/PRP switching lemma
- Game-based proof for the PRF/PRP lemma
- Anaysis of ECB, CBC, CTR encryption modes
- Left-or-right and real-or-random games
Example solutions
- Insecurity of ECB mode of operation
- Static non-malleability implies IND-CPA security
- BAD reduction schema and its applications
- Horizon splitting technique and its applications
- Insecurity of three round Feistel constuction against chosen ciphertext attacks
Additional exercises (PDF)
- Celebrated Feistel construction
- Constructions for pseudorandom generators
- Circular constructions: PRP => RPF => PRP, PRF => PRG => PRF
Security Notions for Public Key Cryptosystems
Lecture (PDF)
- IND-CPA security and semantic security
- Security of the ElGamal cryptosystem
- Hybrid encryption and its security
- IND-CCA1 security and improper usage of decryption key
- IND-CCA2 security and non-malleability
Exercise session (PDF)
- Analysis of hybrid encryption scheme
- Non-malleability and IND-CCA2 security
- Security of the Goldwasser-Micali cryptosystem
- Practical variants of the ElGamal cryptosystem
- Homomorphic cryptosystems and non-malleability
Example solutions
- Security of hash ElGamal cryptosystem
- Security of Goldwasser-Micaly cryptosystem
- Trivial inclusions between non-malleability and indistinguishability
- IND-FPA implies IND-CPA
- Conversion from IND-FPA to IND-CPA
Message Authentication Codes
Lecture (PDF)
- Simmons's lower bounds
- Almost universal hash functions
- Security of polynomial hashing
- Cryptographic hash functions and their properties
Exercise session (PDF)
- CBC-MAC
- NMAC, HMAC
- UMAC construction
- Authenticated symmetric key encryption
Example solutions
- Security analysis of a message authentication protocol
- Security of authenticated encryption
- Security of authenticated encryption
- Security of Poly-AES construction with randomised nonce
- Hashing as a way to extend the domain of message authentication codes
Commitment schemes
Lecture (PDF)
- Hiding and binding property
- Cryptosystems as commitment schemes
- Homomorphic commitments
- Non-malleable commitments
Exercise session (PDF)
- List commitments
- Cryptographic poker game
- Manually authenticated hybrid encryption
Example solutions
- Merkle trees are binding commitments
- Second preimage resistance implies one-wayness
- User-aided-key-agreement based on IND-CCA2 secure encryption
- User-aided-key-agreement based on non-malleable encryption
- Partial double-opening of list commitment schemes
- Basic properties of dual mode commitments
- Non-malleability implies a restricted form of semantic binding
Entity authentication
Lecture (PDF)
- Challenge-Response protocols
- Zero-knowledge proofs of knowledge
- Schnorr identification scheme
- Knowledge extraction
Exercise session (PDF)
- Security of Kerberos and MAP-1
- Proofs of possession
Example solutions
- Liveness proof based on a one-way function
- Liveness proof based on a one-way permutation
- Simplified security analysis of MAP-I protocol
Sigma Protocols
Lecture (PDF)
- Knowledge extraction
- Disjunctive and conjunctive compositions
- Honest verifier zero-knowledge proofs of knowledge
- Certified computations for semihonest verifier
Exercise session (PDF)
- Examples of sigma protocols
- Proofs of knowledge for various relations
- Matrix games and details of knowledge extraction
- Various applications of Forking Lemma
Example solutions
- Analysis of Guillou-Quisquater identification scheme
- Sigma protocol for the ElGamal encryption
- Sigma protocol for the Pedersen commitment scheme
- Weak knowledge-extractor for the Schnorr protocol
- Witness-indistinguishability of disjunctive composition of Schnorr protocols
Digital Signatures
Lecture (PDF)
- One-time signatures
- Full domain hash
- Fiat-Shamir heuristics
- Random Oracle Model
- Forking Lemma and Random Oracle Model
- Generic Signature Schemes
Exercise session (PDF Δ)
- RSA signature
- Schnorr signature
- Signatures with additional properties
Example solutions
Zero-knowledge Proofs
Lecture (PDF)
- Honest Verifier Zero Knowledge
- CDS proofs for complex relations
- Non-Interactive Zero Knowledge
- Secure coin-flipping and fully secure Zero Knowledge
Exercise session (PDF)
- Applications of CDS proof technique
- Zero knowledge proofs for NP-complete problems
Example solutions
- Simulator for the Fiat-Shamir identification protocol
- Soundness of QNR-ZK protocol with disjunctive proof of knowledge
- Simulator for the QNR-ZK protocol with disjunctive proof of knowledge
- Knowledge-extraction and simulation distance in QNR-ZK-delay protocol
Security of Protocols
Lecture (PDF)
- Primitives vs protocols
- Beaver's resilience principle
- Ideal vs real world comparison
- Sequential vs universal composability
- Trusted setup and simulation
- Re-usage of public parameters
Oblivious Transfer
Lecture (PDF)
- Various ways to extend 1-out-of-2 oblivious transfer
- Solution to millionaire problem
- Interactive secure circuit evaluation
- Aiello-Ishai-Reingold protocol for oblivious transfer
- Bellare-Micali protocol for oblivious transfer