CS 276 Projects

General

Your term project should address some research issue in cryptography. There are two categories of projects: If you're at a loss for a project topic, we have prepared a list of possible project topics that you can peruse as examples of how to a pick a suitable project. See below. But don't feel limited to these suggestions! They are intended only as examples.

Collaboration

Projects will be done individually.

Topics

To whet your creativity, we give a few possible ideas for projects. The projects described below are just a set of suggestions, and you may submit a proposal for a project based on any topic you like (not necessarily one based on a suggestion below). The proposal should be compatible with the topic of this course.

If you just want to peruse the literature, good places to start include the Journal of Cryptology; conference proceedings from CRYPTO, EUROCRYPT, and ASIACRYPT (these are all available in one convenient location in the Engineering library); and the IACR e-print archive. Many of the papers below can be found online at Springer's LINK service, through the library's INSPEC database (use Melvyl online), or at Citeseer.

Proposals

When you have chosen a project topic, please send us email to cs276@mozart.cs.berkeley.edu describing your proposal. The email should contain the title of the project and a short (one-paragraph) description of the topic. For study projects, please also include the list of papers you are planning to read and the "something new" you will provide.

Your project proposal is due April 16th.

Final reports

The final report is due May 20th. This is a strict deadline. You may submit your project report electronically or on paper. I prefer electronic submission, although you may choose either. In either case, the deadline is the same: Monday, May 20, before 9:00am.

If you submit the final report electronically, it must be in a format which is easily readable on Unix platforms: that means HTML, Postscript, or PDF is fine (but not Microsoft Word). If you submit on paper, place it in David Wagner's mailbox in Soda Hall (in the mailroom, or outside his office: 765 Soda).

Format of the Report

LaTeX is present on most Unix system and is part of standard Linux distributions. There are several free ports of TeX and LaTeX to Windows, including MiKTeX. You can also write up the project report with a word processor, provided mathematical notation comes out reasonably readable.

Advice on writing

If you are not familiar with writing papers in computer science (or even if you are), the following resources may help:

Example study projects

Amplification of Hardness for One-Way Functions and Permutations.
We saw in class that if f is a weak one way function, then fk(x1,...,xk) = f(x1),...,f(xk) is a strong one-way function. In general, the probability that an adversary can invert the function goes down (about) exponentially in k. Study other methods of amplifying hardness. One possible focus: If f is a one-way permutation, then there is a way of doing a similar amplification without blowing up the input size of the function --- which is what becomes the length of the key in applications to encryption (a related question can be found in the list of research problems). Another possibility: If f_k is a pseudorandom permutation, composition amplifies its hardness (g_{k,k'}(x) = f_k'(f_k(x)). (A nice project would be to study Luby and Rackoff's work on this, and translate their asymptotic analysis to the concrete security realm.) A third possibility: amplification of PRF's.

References:
Generic algorithms for the discrete log
The discrete log problem plays a key role in public-key cryptography. Several authors have studied the hardness of the discrete log against generic algorithms (i.e., algorithms that use only the group operations, but not anything about the representation of group elements) and obtained interesting hardness results.

References:
Diffie-Hellman
We used in class the assumption that the discrete log is hard in some cyclic group G, namely, given g and u, it is hard to find u so that y=g^u. The Diffie-Hellman (DH) problem is, given g,g^u,g^v, find g^{uv}. The Decision Diffie-Hellman (DDH) problem is to distinguish the distribution (g,g^u,g^v,g^{uv}) from (g,g^u,g^v,g^w). Study the hardness of these problems, their relationships, and their applications to cryptography.

References:
Fast message authentication
The Carter-Wegman paradim has been a goldmine of techniques for building fast MACs with provable security properties. Study the underlying proposal and the state-of-the-art schemes. Alternatively, study the HMAC construction (in widespread use in practice) and its provable security properties.

References:
Pseudorandom Generators from One-Way Functions
The result that allows to base all private-key encryption as well as signature schemes on the existence of one-way funcitons.

References:
Attacks on RSA
Several innocent-looking restrictions of RSA or ways to implement it as a cryptosystem can yield dramatic security flaws.

References:
Generic composition
There has been a great deal of work recently on how to securely combine symmetric-key encryption (for confidentiality) with symmetric-key message authentication (for integrity), and some surprises resulted. Study this issue, or study recently proposed modes of operation that provide both encryption and integrity all at once.

References:
Universal one-way hashes
Universal one-way hashes capture the simple notion that public-key signatures can achieve extra security if the signer includes a random nonce in the signature before hashing, chosen to protect herself from hash collisions. It is natural to expect this will allow us to relax assumptions needed on the hash functions. Study this intuitively appealing idea.

References:
Modes of operation
Pick any mode of operation (e.g., CBC, PCBC, and so on) from any crypto textbook (e.g., Schneier's), any standard that uses crypto (e.g., IETF TLS, IETF IPSEC, 802.11b WEP), and any other system of practical interest (e.g., Kerberos). Study what's known in the literature about that mode of encryption. Does it meet standard theoretical definitions of security, like IND-CPA or IND-CCA2? Does it provide strong security in the practical setting where it is used? (This might lead into the statement of an open problem if you pick a mode whose security properties have not been studied formally before, or even to a research project rather than a study project.)

References:
Random oracles
As we saw in class, the random oracle model gives a powerful way to model the security properties of cryptographic hash functions, which are important in practice. However, this model has important theoretical limitations (and we use it only because there is nothing better). Learn about the controversy.

References:
Forward security
Today's systems are not invulnerable: occasionally machines are broken into, and the intruder gains free reign on that machine for some time before he is discovered and kicked off and the vulnerability is fixed. If machines were to store all their past cryptographic keys, then a single intrusion at time T might compromise all traffic before time T, say. Forward-secure cryptosystems are intended to reduce the window of vulnerability and thereby provide robustness against this sort of failure mode.

References:
Cryptographic protocol design
In the computer security community, there has been a great deal of work on verifying the security of cryptographic protocols through formal methods and logics of authentication. That style of work has a very different flavor from the complexity-theoretic notions of security that we've been studying in class. Study that field of research on cryptographic protocols. There has also been recent exciting work on relating that field's formalization of security to the complexity-theoretic notions, which you might want to examine.
Lattices in cryptography
Recently, lattices have found many applications in cryptography. In cryptosystem design, they have been used to construct public-key encryption based on the worst-case hardness of various problems. In cryptanalysis, they have been used to break knapsack encryption, broadcast encryption with low-exponent RSA, subset-sum-based hash functions, and various other schemes. This topic is probably too broad for one project, so you should pick some interesting subset. References:
Perfect Zero Knowledge is Contained in co-AM
The result implies that, under standard assumptions, one cannot have statistical zero-knowledge proofs of NP-hard problems. So one needs to use computational zero-knowledge in order to prove everything. This is for people familiar with complexity theory.

References:
Computationally Private Information Retrieval With polylog Communication
You will have to fist study what private information retrieval is.

Research Projects


The CS276 Instructors, cs276@mozart.cs.berkeley.edu, http://www.cs.berkeley.edu/~daw/cs276/.