Cryptography

**Instructor:**

David Wagner
(daw@cs, 629 Soda Hall)

**Lectures:**

Tuesday/Thursday 11:00-12:30, 306 Soda

**Office Hours:**

Wagner: Tuesday 3:00-4:00 in 629 Soda.

- Final project reports are due Monday, May 15th, 9am.

Here is a list of lectures and the topics covered.

| # | Date | Topic | Readings |
|---|------|-------|----------|
| 1 | Jan 17 | Introduction. Basic motivating scenarios for cryptography. History. Information-theoretic secrecy. | S'04 notes; B&R Chapter 1 |
| 2 | Jan 19 | Shannon secrecy. Indistinguishability of distributions: statistical indistinguishability. | scribe notes |
| 3 | Jan 24 | Indistinguishability (cont.). Pseudorandom generators. | scribe notes |
| 4 | Jan 26 | Making big PRGs from little PRGs. The GGM construction. Pseudorandom functions. | scribe notes |
| 5 | Jan 31 | Stream ciphers. Pseudorandom permutations. Block ciphers. The birthday paradox. PRF/PRP switching lemma. | scribe notes; B&R Chapter 3 (see §3.9 for more on game-playing) |
| 6 | Feb 2 | Symmetric-key encryption algorithms. Definitions of security (IND-CPA): real-or-random security. Simplified counter mode. | scribe notes; B&R Chapter 4 |
| 7 | Feb 7 | Modes of operation for block ciphers: CFB mode, counter mode, CBC mode. | scribe notes |
| 8 | Feb 9 | Definitions of security (IND-CPA): real-or-random, find-then-guess, left-or-right, semantic security. Equivalence of real-or-random, find-then-guess, and left-or-right. | scribe notes |
| 9 | Feb 14 | Message integrity: INT-PTXT, INT-CTXT. Encryption does not provide integrity. Message authentication codes (MACs). PRFs are good MACs. | scribe notes; B&R Chapter 6 |
| 10 | Feb 16 | 2-universal hashing. Stretching the input size of a PRF. Hash-based MACs. HMAC. | scribe notes |
| 11 | Feb 21 | Broken systems: SSLv2, SSH1, 802.11 WEP. | scribe notes |
| 12 | Feb 23 | Broken systems: WEP, IPSec. The need for message authentication when encrypting. IND-CCA2. IND-CPA and INT-CTXT => IND-CCA2. | S'04 notes: (1), (2), (3) |
| 13 | Feb 28 | Refresher on computational number theory. | B&R Chapter 7 |
| 14 | Mar 2 | Trapdoor one-way permutations. Rabin, RSA. | scribe notes; B&R Chapter 8 |
| 15 | Mar 7 | Square roots modulo n are as hard as factoring. Hard-core bits. Goldwasser-Micali. | scribe notes |
| 16 | Mar 9 | The Goldreich-Levin theorem. | scribe notes; Bellare notes |
| 17 | Mar 14 | One-way functions. Hard-core bits for any one-way function. Hybrid cryptosystems. | scribe notes |
| 18 | Mar 16 | Discrete-log-based cryptosystems. Hardness assumptions: discrete log, CDH, DDH. Diffie-Hellman, El Gamal. | scribe notes |
| 19 | Mar 21 | The random oracle model. IND-CPA public-key encryption using random oracles. | scribe notes |
| 20 | Mar 23 | IND-CCA2 public-key encryption using random oracles. Public-key signatures: some insecure schemes. | scribe notes; B&R Chapter 9 |
| 21 | Apr 4 | Public-key signatures using random oracles. Full Domain Hash (FDH). Probabilistic Full Domain Hash (PFDH). | scribe notes |
| 22 | Apr 6 | Pitfalls of the random oracle model. Secure bit commitment. Coin flipping protocols. Interactive proof systems. | |
| 23 | Apr 11 | Zero knowledge proofs: honest-verifier zero knowledge, zero knowledge, graph 3-coloring, graph isomorphism, zero knowledge proofs for any language in NP. | scribe notes |
| 24 | Apr 13 | Non-interactive zero knowledge proofs via the Fiat-Shamir heuristic. Mixnets. Visual cryptography. | scribe notes |
| 25 | Apr 18 | Guest lecture (Naveen Sastry): electronic voting. | scribe notes |
| 26 | Apr 20 | Electronic voting protocols: the Cramer-Gennaro-Schoenmakers protocol; Chaum's optical scan system. Zero knowledge protocols in protocol design. | scribe notes |
| 27 | Apr 25 | P vs NP and the existence of cryptographic primitives. Reductions and separations. Equivalence of OWFs, PRGs, PRFs, PRPs, symmetric-key encryption, bit commitment, coin flipping, public-key signatures. Relationship to trapdoor OWPs, public-key encryption, public-key key agreement. Impagliazzo-Rudich. | scribe notes |
| 28 | Apr 27 | Blind signatures, electronic cash. Chaum's anonymous e-cash protocol, payer- and payee-anonymity. | scribe notes |
| 29 | May 2 | Secure multi-party computation, secure function evaluation. Threat models: honest-but-curious, malicious. Yao's garbled circuits. 1-out-of-2 oblivious transfer. | scribe notes |
| | May 4 | Class cancelled. | |
| 30 | May 9 | Secret sharing. Shamir's method. Polynomial interpolation. Threshold cryptography; threshold El Gamal decryption. Program obfuscation, and its impossibility. | scribe notes #1, scribe notes #2 |

There is no required textbook. The primary set of formal notes is Mihir Bellare and Phil Rogaway, Introduction to Modern Cryptography; it is useful as a secondary reference alongside the lectures.

Scribe notes from previous semesters of CS276 are also available: Spring 2004, Spring 2002. Those scribe notes are a helpful resource if you want further detail on what we covered in lecture. (Caution: they haven't been carefully proof-checked, so they might have occasional errors and typos.)

Other readings: Salil Vadhan's Intro to Crypto, Goldwasser and Bellare's Lecture Notes on Crypto.

We will assume basic background in probability theory, algorithms, complexity theory, and number theory. For review purposes, you may refer to Luca Trevisan's Notes on Algebra and Notes on Probability.

- Homework 1 (due 1/31); solution.
- Homework 2 (due 3/9); solution.
- Homework 2' (due 3/23).
- Take-home midterm (due 4/13); solution.

This class teaches the theory, foundations, and applications of modern cryptography. In particular, we treat cryptography from a complexity-theoretic viewpoint. In recent years, researchers have found many practical applications for these theoretical results, so we will also discuss their impact along the way and how one may use the theory to design secure systems.

*CS276: Cryptography.* Prerequisite: CS170. Graduate survey of modern topics on theory, foundations, and applications of modern cryptography. One-way functions; pseudorandomness; encryption; authentication; public-key cryptosystems; notions of security. May also cover zero-knowledge proofs, multi-party cryptographic protocols, practical applications, and/or other topics, as time permits.

This list is tentative and subject to change.

- Introduction. Basic motivating scenarios for cryptography. History. Information-theoretic secrecy.
- Block ciphers. Standard modes of operation.
- Pseudorandom functions. Pseudorandom permutations. The birthday paradox. Applications. One-way functions.
- Symmetric encryption schemes. Definitions. IND-CPA. Security of standard modes of operation. IND-CCA2.
- Message authentication. MACs. Definitions. PRFs as MACs. CBC-MAC.
- Authenticated encryption. INT-PTXT. INT-CTXT. Non-malleability.
- Commitment schemes. Hard-core predicates. Goldreich-Levin theorem.
- Pseudorandom generators. PRGs from OWFs. Blum-Micali-Yao.
- PRFs from PRGs. Goldreich-Goldwasser-Micali.
- Basics on number theory. Number-theoretic primitives. RSA. Rabin's function. Definition of trapdoor one-way functions.
- Public-key encryption. Definitions. Semantic security. Message indistinguishability. Goldwasser-Micali cryptosystem. Hybrid encryption.
- Digital signatures. Trapdoor signatures. RSA. Random oracles. Full-domain hash. PSS.
- Zero knowledge proofs. Proofs of knowledge.
- Foundations. Constructions of signatures based on any one-way function. Oracles and separations.

- Secret sharing. Shamir's scheme. Generalized access structures.
- Threshold cryptography. Verifiable secret sharing. Proactive security.
- Secure voting schemes. Electronic cash.
- Secure multi-party computation.
- Cryptographic protocols.

Undergraduates, please see my policy on undergraduate admission to CS276.

- Homeworks: 10%
- Scribe notes: 20%
- Take-home midterm: 30%
- Final project: 40%

You will be asked to write a set of scribe notes for either a lecture or for a set of homework solutions. We strongly recommend that scribe notes be written in LaTeX. Please make an effort to make your scribe notes "beautiful", clear, and readable. Scribe notes will be due one week after the lecture you are scribing.

You will do a final project. Final project reports are due Monday, May 15th, 9am.

We will assign several homework sets throughout the semester. Please turn in your homework solutions on paper at the beginning of class on the appropriate day.

David Wagner, daw@cs.berkeley.edu, http://www.cs.berkeley.edu/~daw/.