Instructors: Luca Trevisan and David Wagner.

Time: 12:30--2:00pm, Tuesdays and Thursdays.

Location: 306 Soda.

Prerequisites: CS 170 or equivalent.

Web page:

This class teaches the theory, foundations and applications of modern cryptography. In particular, we treat cryptography from a complexity-theoretic viewpoint. In recent years, researchers have found many practical applications for these theoretical results, and so we will also discuss their impact along the way and how one may use the theory to design secure systems.

Jan 22: [L] Basic motivating scenarios for cryptography. Definition of one-way functions, trapdoor functions, and permutations. Basics on number theory, RSA. [notes]

Jan 24: [L] Rabin's function, definitions of security. [notes]

Jan 29: [L] Hard-core predicates, the Goldwasser-Micali cryptosystem. [notes]

Jan 31: [L] Proof of the Goldreich-Levin Theorem [notes]

Feb 5: [D] Stronger definitions of security (non-malleability, chosen cyphertext attacks) [notes]

Feb 7: [D] Relations between notions of security; The random oracle
model [notes]

For more on random oracles, see
this
paper. David covered the schemes in Sections 3.1 and 3.2 in class on
Feb 7.

Feb 12: [D] IND-CCA2 implies NM-CCA2; information-theoretic security,
the one-time pad, Shannon's results on perfect encryption.
[notes]

Also, the first homework (ps)(pdf)
is now available.

New: the homework was updated
Feb 17 to fix an error in Problem 4(a).

Feb 14: [L] Definition of one-way functions, weak and strong one-way functions. [notes]

Feb 19: [D] Building PRG's from OWF's. The Blum-Micali-Yao construction of a pseudorandom generator. Increasing the stretching factor of a PRG. [notes]

Feb 21: [L] Constructions of pseudorandom generators from one-way functions. The Goldreich-Goldwasser-Micali construction of a pseudorandom function. [notes]

Feb 26: [D] The Luby-Rackoff construction of pseudorandom permutations.
[notes]

New: The second homework (ps)(pdf)
is now available.

Feb 28: [D] Definitions of security for symmetric key encryption. Modes
of operation.
[notes]

New: A sample solution set for the first
homework (ps) is now available.

Mar 5: [D] Implications of left-or-right security. Proofs of security for CTR mode against chosen-plaintext attack. [notes]

Mar 7: [D] Message authentication: definitions, constructions, CBC-MAC.
How to build symmetric-key encryption secure against chosen-ciphertext
attack.
[notes]

The paper by Hugo Krawczyk mentioned
in class can be found
here,
for the curious. (See especially Section 4.2.)

Mar 12: [L] Introduction to Zero Knowledge proof systems

Mar 14: [L] Commitment schemes, analysis of the GMW Zero Knowledge protocol
for 3-coloring, introduction to proofs of knowledge [notes]

New: A sample solution set for the second
homework (ps) is now available.

New: The midterm
(ps)(pdf)
is now available.

A frequently asked question on the midterm:
if you had a question about problem 6 on the midterm, you may to read
the
following clarification.

New: A sample solution set for the second
homework (ps) is now available.

Mar 19: [D] Public-key signature schemes. Definitions of security, RSA-based schemes secure in the random oracle model, FDH. [notes]

Mar 21: [D] Public-key signature schemes, continued. PSS-0. Discrete
log-based schemes. Schnorr identification protocol, Schnorr signatures.

New: Midterm
solutions (ps) (pdf)
are now available. (Note: the version on the web page here has been updated
with extra material on common errors which wasn't in the paper version
handed out in class on May 21.)

New:information
on projects is now available.

Apr 2: [L] Public-key signatures: existence conditions, constructions
of signatures based on any one-way function.
[notes]

See sections 6.4.1 and 6.4.2 in Oded Goldreich's draft
of volume 2

Apr 4: [L] Construction of Universal One-Way Hash Functions from One-Way
Permutations.

See section 6.4.3 in Oded Goldreich's draft
of volume 2

Apr 9: [L] Oracles and Separations.

Impossibility of basing public-key encryption on one-way
permutations.

The Impagliazzo-Rudich
paper

Apr 11: [D] Secret sharing. Shamir's scheme, generalized access structures.
[notes]
(Scribe: Rob Johnson)

Shamir's
original paper is available online.

Apr 16: [D] Threshold cryptography. Verifiable secret sharing (Feldman & Pedersen's schemes), n-out-of-n RSA, w-out-of-n El Gamal, key generation of w-out-of-n El Gamal, proactive security.

Apr 18: [D] Secure voting schemes. The Cramer-Gennaro-Schoenmaker scheme, zero knowledge proofs of disjunctions, the Benaloh scheme.

Apr 22: [D] Electronic cash. Blind signatures, Chaum's online ecash scheme, payer- and payee-anonymity. [notes]

Apr 25: no lecture.

Apr 30: [L] Secure 2-party computation. The semi-honest model, oblivious transfer. [notes]

May 2: [L] Secure 2-party computation, continued. Definitions.

May 7: [L] Secure 2-party computation, continued. A construction provably secure in the malicious model.

May 9: [L] Secure multi-party computation.

May 14: [D] Cryptographic protocols. Mutual authentication, secure key exchange. Attacks, formal methods for protocol verification.

Take-home midterm: 30%

Final project: 50%

There will be no final.

Please turn in your homework solutions on paper at the beginning of class on the appropriate day.

You are welcome to discuss the questions on the homeworks with others and work on them collaboratively.

The following sources may be helpful as a reference, and will provide supplemental material.

- S. Goldwasser and M. Bellare, Lecture Notes on Cryptography.
- Available online at http://www-cse.ucsd.edu/users/mihir/papers/gb.html.
- O. Goldreich, Foundations of Cryptography, Cambridge Univ. Press, 2001.

- L.N. Childs, A Concrete Introduction to Higher Algebra, Springer, 1995.

The CS276 Instructors, cs276@mozart.cs.berkeley.edu, http://www.cs.berkeley.edu/~daw/cs276/.