CS276: Cryptography (F2017)

Basics


Instructor(s): Alessandro Chiesa
Teaching Assistant(s): Benjamin Caulfield (bcaulfield[at]berkeley[dot]edu)
Time: TR 12.30-14.00
Location: 320 Soda Hall
Office Hours: TR 16:00-17:00 in 529 Cory Hall

Course Description


This course offers a graduate introduction to cryptography, the science of securing data and computation against various adversarial behaviors. Topics covered include fundamental tools (such as encryption, pseudorandomness, digital signatures, zero knowledge, and secure computation) as well as a selection of tools with more advanced security properties (options include fully-homomorphic encryption, obfuscation, delegation protocols, and others).

The Piazza website is here.

Prerequisites


The official prerequisite is CS 170 (or equivalent). All students with "mathematical maturity" (ease with proofs, algorithms, elementary number theory, and discrete probability) and curiosity about cryptography are welcome.

Requirements


Completing the course requires completing four (4) homework assignments and a final project; in addition, students will rotate in producing scribe notes for the lectures. Grading will be based 50% on the problem sets, 25% on the final project, 15% on scribe notes, and 10% on class attendance and participation.

Reading and Resources


This course has no required textbook, but essentially all the material covered in class can be found online. For example, the following references could be useful.

Books:

Lecture notes:

Also useful:

Assignments


Homework assignments must be written using this TeX template.

Collaboration policy: You are free to collaborate with other students on the assignments, but you must turn in your individually written up solution, specifying the names of any collaborators. Additionally, you may make use of published material, provided that you acknowledge all sources used.

Schedule


# Date Topic Reading
1 2017.08.24
  • introduction to the course
  • negligible and noticeable functions
  • (uniform and non-uniform) probabilistic polynomial time algorithms
  • one-way functions

Textbooks:

  • Foundations of Cryptography, Volume 1
  • § 2.2 , One-way functions: definitions
  • Introduction to Modern Cryptography
  • § 7.1, One-way functions

Papers:

Videos:

2 2017.08.29
  • fixing values of one-way functions
  • composition of one-way functions
  • hardness amplification: from weak to strong one-way functions

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 2.3, Weak one-way functions imply strong ones

Videos:

3 2017.08.31
  • universal one-way functions
  • hardcore predicates
  • Goldreich–Levin predicate

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 2.4.1, Universal one-way function
    • § 2.5, Hard-core predicates
  • Introduction to Modern Cryptography
    • § 7.3, Hard-core predicates from one-way functions

Videos:

4 2017.09.05
  • statistical vs computational indistinghuishability of distributions
  • hybrid argument
  • pseudorandomness generators (PRGs)
  • one-way permutations imply PRGs with 1-bit expansion

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 3.1, Motivating discussion
    • § 3.2, Computational indistinguishability
    • § 3.3.1, Standard definition of pseudorandom generators
    • § 3.4, Constructions based on one-way permutations
  • Introduction to Modern Cryptography
    • § 7.8, Computational indistinguishability
    • § 7.4, Constructing pseudorandom generators

Videos:

5 2017.09.07
  • PRGs evaluated on independent seeds
  • PRGs with 1-bit expansion imply PRGs with polynomial expansion
  • pseudorandom functions

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 3.3.2, Increasing the expansion factor
    • § 3.6, Pseudorandom functions
  • Introduction to Modern Cryptography
    • § 7.5, Constructing pseudorandom functions

Videos:

6 2017.09.12
  • PRGs imply pseudorandom functions
  • pseudorandom permutations
  • Feistel permutations

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 3.6, Pseudorandom functions
    • § 3.7, Pseudorandom permutations
  • Introduction to Modern Cryptography
    • § 7.5, Constructing pseudorandom functions
    • § 7.6, Constructing (strong) pseudorandom permutations

Videos:

Papers:

7 2017.09.14
  • Luby–Rackoff construction of pseudorandom permutations
  • commitment schemes
  • one-way permutations imply 1-bit commitment schemes

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 3.7, Pseudorandom permutations
    • § 4.4.1, Commitment schemes

Papers:

8 2017.09.19
  • 1-bit commitment schemes imply multi-bit commitment schemes
  • intro to encryption schemes
  • single-message perfect message indistinguishability
  • one-time pad and its limitations
  • single-message computational message indistinguishability

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 2
    • § 5.1, The basic setting
    • § 5.2, Definitions of security
  • Introduction to Modern Cryptography
    • § 2, Perfectly secret encryption
    • § 3.1, Computational security
    • § 3.2, Defining computationally secure encryption

Papers:

Videos:

9 2017.09.21
  • equivalence of message indistinguishability and semantic security
  • shrinking one-time pad's key with PRGs
  • multi-message computational message indistinguishability
  • security against chosen plaintext attacks

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 2
    • § 5.3.3, Private-key encryption schemes
    • § 5.4.3, Chosen plaintext attack
  • Introduction to Modern Cryptography
    • § 3.3, Constructing secure encryption schemes
    • § 3.4, Stronger security notions

Papers:

Videos:

10 2017.09.26
  • PRFs imply security against chosen plaintext attacks
  • modes of encryption
  • security against CPA vs CCA1 vs CCA2

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 2
    • § 5.4.4, Chosen ciphertext attack
  • Introduction to Modern Cryptography
    • § 3.5, Constructing CPA-secure encryption schemes
    • § 3.6, Modes of operation
    • § 3.7, Chosen-ciphertext attacks

Papers:

Videos:

11 2017.09.28
  • message authentication codes
  • constructions based on PRFs
  • CPA security and MACs imply CCA2 security

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 2
    • § 6.1, The setting and definitional issues
    • § 6.3, Constructions of message authentication schemes
    • § 6.1.5.1, Augmenting the attack with a verification oracle
  • Introduction to Modern Cryptography
    • § 4.1, Message integrity
    • § 4.2, Message authentication codes - definitions
    • § 4.3, Constructing secure message authentication codes
    • § 4.4, CBC-MAC

Papers:

Videos:

12 2017.10.03
  • CPA security and MACs imply CCA2 security
  • combining CPA security and MACs in other (insecure) ways
  • collision-resistant functions
  • Merkle–Damgård transform

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 2
    • § 6.2.3, Constructing collision-free hashing functions
  • Introduction to Modern Cryptography
    • § 4.5, Authenticated encryption
    • § 5.1.1, Collision resistance
    • § 5.2, Domain extension: the Merkle–Damgård transform
    • § 5.4, Generic attacks on hash functions

Papers:

Videos:

13 2017.10.05
  • intro to public-key cryptography
  • public-key encryption schemes
  • trapdoor one-way permutations
  • TOWPs imply public-key encryption schemes
  • RSA as a TOWP

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 2
    • § 5.1.1, Private-key versus public-key schemes
    • § 5.1.2, The syntax of encryption schemes
    • § 5.3.4, Public-key encryption schemes
    • § 5.5.1, On using encryption schemes
  • Introduction to Modern Cryptography
    • § 11.1, Public-key encryption - an overview
    • § 11.2, Definitions
    • § 11.5, RSA encryption
    • § 13.1, Public-key encryption from trapdoor permutations

Papers:

14 2017.10.10
  • hybrid encryption
  • DDH assumption (and where it might hold)
  • ElGamal encryption scheme
  • DDH assumption for quadratic residues

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 2
    • § 5.5.3, On some popular schemes
  • Introduction to Modern Cryptography
    • § 8.3, Cryptographic assumptions in cyclic groups
    • § 11.3, Hybrid encryption and the KEM/DEM paradigm
    • § 11.4, CDH/DDH-based encryption

Papers:

15 2017.10.12
  • CCA2 security in the asymmetric setting
  • CCA2 security in the random oracle model

Lecture notes:

Textbooks:

  • Introduction to Modern Cryptography
    • § 11.5.5, A CCA-Secure KEM in the random-oracle model

Papers:

16 2017.10.17
  • definition of signature schemes
  • one-time signatures
  • hash-then-sign paradigm
  • key refreshing

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 2
    • § 6.1, The setting and definitional issues
    • § 6.2, Length-restricted signature scheme
    • § 6.4.1, One-time signature schemes
  • Introduction to Modern Cryptography
    • § 12.1, Digital signatures - an overview
    • § 12.2, Definitions
    • § 12.2, The hash-and-sign paradigm
    • § 12.6.1, Lamport's signature scheme
    • § 12.6.2, Chain-based signatures

Papers:

17 2017.10.19
  • from one-time signatures to full security
  • signatures in the random oracle model
  • signcryption

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 2
    • § 6.4.2, From one-time signature schemes to general ones
  • Introduction to Modern Cryptography
    • § 12.4.2, RSA-FDH
    • § 12.6.3, Tree-based signatures
    • § 12.9, Signcryption

Papers:

18 2017.10.24
  • interactive proofs
  • graph non-isomorphism is in IP
  • honest-verifier zero knowledge
  • graph isomorphism is in HVZK-IP

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 4.1, Zero-knowledge proofs: motivation
    • § 4.2, Interactive proof systems
    • § 4.3, Zero-knowledge proofs: definitions

Papers:

Videos:

19 2017.10.26
  • (malicious-verifier) zero knowledge
  • graph isomorphism is in ZK-IP
  • computational zero knowledge for graph 3-coloring

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 4.1, Zero-knowledge proofs: motivation
    • § 4.2, Interactive proof systems
    • § 4.3, Zero-knowledge proofs: definitions

Papers:

Videos:

20 2017.10.31
  • computational zero knowledge for graph 3-coloring (continued)

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 4.4, Zero-knowledge proofs for NP

Papers:

21 2017.11.02
  • zero knowledge proof of knowledge for discrete logarithms
  • zero knowledge is not closed under parallel composition
  • witness indistinguishability
  • parallel composition for witness indistinguishability
  • from witness indistinguishability to zero knowledge

Lecture notes:

Textbooks:

  • Foundations of Cryptography, Volume 1
    • § 4.5.4, Zero-Knowledge and parallel Composition
    • § 4.6, Witness indistinguishability and hiding

Papers:

22 2017.11.07
  • VBB obfuscation for TMs and circuits
  • impossibility of VBB obfuscation

Lecture notes:

Papers:

23 2017.11.09
  • indistinguishability obfuscation (iO)
  • witness encryption
  • iO implies witness encryption
  • iO and OWFs imply public-key encryption
  • best-possible obfuscation (BPO)
  • VBBO implies BPO
  • BPO vs IO

Lecture notes:

Papers:

Videos:

24 2017.11.14
  • iO amplification: from NC1 to all circuits
  • iO and coRP != NP implies OWFs

Lecture notes:

Papers:

Videos:

25 2017.11.16
  • iO and coRP != NP implies OWFs
  • VBB implies OWFs
  • differing-inputs obfuscation
  • extractable witness encryption

Papers:

Videos:

26 2017.11.21
  • algorithms for computing discrete logarithms
  • baby-step giant-step algorithm
  • Pohlig–Hellman algorithm
  • Shoup's lower bound for generic algorithms

Lecture notes

Textbooks:

  • Introduction to Modern Cryptography
    • § 8.2 Algorithms for computing discrete logarithms
      • § 8.2.1, The baby-step/giant-step algorithm
      • § 8.2.2, The Pohlig–Hellman algorithm

Papers:

X 2017.11.23

No class.

No class.

27 2017.11.28
  • definition of SNARGs in the random-oracle model
  • definition of PCPs
  • statement of PCP Theorem: NP ⊆ PCP[O(log n), O(1)]
  • construction of SNARGs from PCPs

Papers:

New York Times article about the PCP Theorem:

28 2017.11.30
  • exponential-size PCP for 3SAT
    • testing linearity (statement only)
    • 3SAT ⊆ PCP1,0.5[poly(n),O(1)]{0,1}
    • good query complexity, bad proof length

Lecture notes:

Papers:

New York Times article about ZCash, which uses linear PCPs within zk-SNARKs: