||General introduction to cryptography. Classical ciphers.
||Perfect secrecy. One-time pad. Limitations of these.
||Breaking a substitution cipher. "Two-time pad" security. Exploiting malleability.
||Stream ciphers. IND-OT-CPA. How security proofs work.
||Defining "random-looking ciphertexts". Proof that "random-looking ciphertexts" implies IND-OT-CPA.
||Block ciphers. Feistel networks. DES. 2DES. Meet-in-the-middle. 3DES.
||Breaking 1-round and 2-round Feistel nets. Meet-in-the-middle attack on 4DES.
||Security of block ciphers. Provable security vs. best-effort design. Strong PRP. IND-CPA. Modes of operation: ECB, CBC.
||Modes of operation for authenticated encryption ("crypto competition").
||Public key encryption. Textbook RSA. RSA assumption. ElGamal.
||Breaking insecure mod-p ElGamal.
||of ElGamal. DDH assumption. IND-CPA (public-key variant). Malleability of ElGamal (auction example & chosen-ciphertext attack). IND-CCA. RSA-OAEP. Hybrid encryption.
||Constructing non-malleable encryption schemes for longer messages ("crypto competition")
||MACs. Hash functions. Iterated hash + attack. Merkle-Damgård. Insecurity of MD as MAC. HMAC.
||MD5 with the length at the beginning -> attack. Constructing a compression function with a weakness for iterated hashing. Crypto competition: MACs from block ciphers.
||EF-CMA security. CBC-MAC and its insecurity. DMAC. A PRF is a MAC. Message-space extension of MACs using hash functions. Davies-Meyer. Miyaguchi-Preneel. Birthday attack on hash functions.
||EF-CMA definition: necessity of the MAC and Verify queries. Key-dependent message security.
||Signatures. EF-CMA (for signatures). Naive approach: encryption as signature. One-way functions. One-time signatures from OWFs (Lamport's scheme).
||Building a protocol (putting everything together).
||Signatures from one-time signatures: stateful chain construction and stateless tree construction.
||Proof of the tree construction for signatures.
||Full domain hash (FDH) signatures. Random oracle model / heuristic. Security of RSA-FDH. Unsoundness of the random oracle.
||One-wayness of the random oracle.
||Needham-Schroeder protocol (attack & fix). Symbolic cryptography.
||Symbolic analysis of toy protocols. Modeling XOR in symbolic analysis.
||Zero-knowledge proofs. Yao's garbled circuits.
||Examples of protocols that are/are not ZK proofs. Parallel composition of ZK proofs.