Lecture Schedule, Spring 2011
- [Jan 25: Lecture 1]
Introduction and overview. Perfect secrecy and the one-time pad encryption scheme.
Limitations of perfect secrecy.
Reading: Chapter 1 (Section 1.3 is not required, but you may find it interesting); Chapter 2 (except Section 2.4)
- [Jan 27: Class cancelled due to snow]
- [Feb 1: Lecture 2]
Computational security. Pseudorandom generators and the pseudo one-time pad encryption scheme. Proofs by reduction.
Reading: Sections 3.1, 3.2.1, 3.3, and 3.4.1
- [Feb 3: Lecture 3]
Multiple-message indistinguishability, and a proof that deterministic encryption cannot satisfy this definition.
Pseudorandom functions. An encryption scheme that is indistinguishable for multiple messages.
Reading: Sections 3.4.4, 3.6.1, and 3.6.2
- [Feb 8: Lecture 4]
Proof of multiple-message indistinguishability.
Definition of CPA-security. Pseudorandom permutations and block ciphers (DES, 3DES, AES). Modes of encryption.
Reading: Sections 3.5, 3.6.3, 3.6.4
- [Feb 10: Lecture 5]
Message authentication codes. A MAC for fixed-length messages. Extending this to a MAC for arbitrary length messages.
CBC-MAC.
Reading: Sections 4.1-4.5
- [Feb 15: Lecture 6]
Collision-resistant hash functions. Birthday attacks. A constant-space birthday attack. The Merkle-Damgård construction.
Reading: Section 4.6.
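The constant-space birthday attack named in Lecture 6, as an added Python example (not course material and not from the textbook): Floyd's cycle-finding applied to the iteration x_{i+1} = h(x_i). The hash function h is a constructed toy, SHA-256 truncated to 32 bits, so that a collision appears after on the order of 2^16 evaluations while only a constant number of hash values is ever stored; the seed string is an arbitrary choice.

```python
import hashlib

TRUNC_BYTES = 4  # attack a 32-bit hash: a collision is expected after ~2^16 evaluations


def h(x: bytes) -> bytes:
    """Toy hash function constructed for the demo: SHA-256 truncated to TRUNC_BYTES bytes."""
    return hashlib.sha256(x).digest()[:TRUNC_BYTES]


def floyd_collision(seed: bytes):
    """Constant-space birthday attack via Floyd cycle finding.

    Iterating x_{i+1} = h(x_i) from x_0 = seed must eventually enter a cycle.
    If mu is the index where the cycle starts, then x_{mu-1} (last tail element)
    and x_{mu+lambda-1} (on the cycle) are distinct inputs with the same image x_mu.
    Only two or three hash values are held at any time.
    Returns (x, y) with x != y and h(x) == h(y), or None when the seed itself lies on
    the cycle (mu == 0): then there is no tail and no collision is exposed.
    """
    tortoise, hare = h(seed), h(h(seed))
    while tortoise != hare:                  # phase 1: tortoise ends at x_v, v a multiple of lambda
        tortoise, hare = h(tortoise), h(h(hare))
    x, y = seed, tortoise                    # phase 2: x_i and x_{i+v} first agree at i == mu
    while h(x) != h(y):
        x, y = h(x), h(y)
    return None if x == y else (x, y)        # x == y only when mu == 0


def find_collision(seed: bytes):
    """Retry with derived seeds until a collision appears.
    A seed longer than TRUNC_BYTES can never equal a hash output, so mu >= 1 and the
    very first attempt already succeeds; the loop only covers the general case."""
    for i in range(16):
        pair = floyd_collision(seed + i.to_bytes(2, "big"))
        if pair is not None:
            return pair
    raise RuntimeError("no collision found")


if __name__ == "__main__":
    x, y = find_collision(b"lecture-6-seed")
    print("x =", x.hex(), " y =", y.hex(), " h(x) = h(y) =", h(x).hex())
```

The generic attack stores ~2^(n/2) values in a table; this variant trades that memory for roughly three times as many hash evaluations, which is why it is the practical form of the attack for real hash sizes.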
- [Feb 17: Lecture 7]
The hash-and-MAC approach to constructing secure message authentication codes.
CCA-security. Achieving simultaneous privacy and integrity.
Reading: Sections 3.7, 4.7.1, 4.8, 4.9
- [Feb 22: Lecture 8]
In-class review of assigned exercises. One-way functions and examples. An overview of the construction of pseudorandom
permutations from one-way functions. Hard-core bits.
Reading: Sections 6.1, 6.2, 6.3
- [Feb 24: Lecture 9]
In-class review of assigned exercises.
The Goldreich-Levin theorem.
Reading: Section 6.3
- [Mar 1: Lecture 10]
The Goldreich-Levin theorem. Pseudorandom generators from one-way permutations. Increasing the expansion of a pseudorandom generator.
Reading: Section 6.4
- [Mar 3: Lecture 11]
Proof by hybrid argument. Constructing a pseudorandom function from a pseudorandom generator. Feistel networks, and constructing a pseudorandom permutation from a pseudorandom function.
Reading: Sections 6.5, 6.6 (Section 5.2 is also relevant, and Section 5.3.2 contains some related material for those who are interested)
- [Mar 8: Lecture 12]
Constructing a pseudorandom permutation from a pseudorandom function (proof).
Introduction to number theory and algebra.
Reading: The proof for the 3-round Feistel network that I presented in class is from Goldreich, "Foundations of Cryptography, vol 1". The number theory I presented was from Sections 7.1.1-7.1.4 of the class text.
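The Feistel construction of Lectures 11 and 12 (a pseudorandom permutation from a pseudorandom function), as an added Python example that is not part of the course materials. It assumes HMAC-SHA256 truncated to one half-block as a stand-in PRF, a 128-bit block, and fixed toy round keys; beyond showing that any number of rounds is invertible even though the round function is not, it includes the two-query distinguisher that shows why two rounds are not enough (the left output half after two rounds is L xor F_{k1}(R)), so that three rounds, the case proved in class, is the first interesting one.

```python
import hashlib
import hmac

HALF = 8  # 128-bit block split into two 8-byte halves


def prf(key: bytes, x: bytes) -> bytes:
    """Round function F_k. Assumption for the demo: HMAC-SHA256 truncated to a half block
    behaves as a pseudorandom function."""
    return hmac.new(key, x, hashlib.sha256).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def feistel_encrypt(round_keys, block: bytes) -> bytes:
    """r-round Feistel network: each round maps (L, R) -> (R, L xor F_k(R))."""
    L, R = block[:HALF], block[HALF:]
    for k in round_keys:
        L, R = R, xor(L, prf(k, R))
    return L + R


def feistel_decrypt(round_keys, block: bytes) -> bytes:
    """Inverse permutation: undo the rounds in reverse order. F_k itself is never inverted,
    which is why the construction yields a permutation from an arbitrary PRF."""
    L, R = block[:HALF], block[HALF:]
    for k in reversed(round_keys):
        L, R = xor(R, prf(k, L)), L
    return L + R


def looks_like_two_round_feistel(oracle) -> bool:
    """Distinguisher showing that two rounds do not give a PRP.
    After two rounds the left output half is L xor F_{k1}(R), so two queries sharing R
    give left halves whose xor equals L1 xor L2. A random permutation (or a 3-round
    network) satisfies this only with probability about 2^-64."""
    L1, L2, R = bytes(HALF), b"\x01" * HALF, b"\x42" * HALF
    y1, y2 = oracle(L1 + R), oracle(L2 + R)
    return xor(y1[:HALF], y2[:HALF]) == xor(L1, L2)


if __name__ == "__main__":
    keys = [b"k1", b"k2", b"k3"]  # toy round keys; a real cipher derives them from one key
    m = bytes(range(2 * HALF))
    c = feistel_encrypt(keys, m)
    print("round trip ok:", feistel_decrypt(keys, c) == m)
    print("2 rounds detected:", looks_like_two_round_feistel(lambda b: feistel_encrypt(keys[:2], b)))
    print("3 rounds detected:", looks_like_two_round_feistel(lambda b: feistel_encrypt(keys, b)))
```

Three rounds defeat this particular test and are a PRP (Luby-Rackoff); they are still not a strong PRP, since an adversary with both encryption and decryption queries can distinguish them, which is why four rounds are needed for that stronger notion.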
- [Mar 10: Lecture 13]
Group theory; algorithmic number theory.
Reading: Sections 7.1.4, 7.1.5, B.1, and B.2
- [Mar 15: Lecture 14]
Primality testing; the factoring assumption.
Reading: Sections 7.2.1, 7.2.2, and 7.2.3.
- [Mar 17: Lecture 15]
A one-way function and a family of one-way permutations based on factoring. The RSA assumption.
Introduction to cyclic groups.
Reading: Sections 7.2.3, 7.2.4, 7.4.1, and 11.2.2. (Efficient computation of modular square roots is discussed in Section 11.2.1.)
- [Mar 29: Lecture 16]
Cyclic groups, the discrete logarithm and Diffie-Hellman assumptions.
Collision-resistant hash functions from the discrete logarithm assumption.
Reading: Sections 7.3.1, 7.3.2, 7.3.3, and 7.4.2.
- [Mar 31: Lecture 17]
Limitations of private-key cryptography. KDCs.
Public-key cryptography and Diffie-Hellman key exchange.
Security of Diffie-Hellman key exchange. Definitions of security for public-key encryption.
Reading: Chapter 9; Section 10.1.
- [Apr 5: Lecture 18]
Definitions of security for public-key encryption. Textbook RSA and attacks.
Padded RSA. Trapdoor permutations based on RSA.
Public-key encryption from trapdoor permutations.
Reading: Sections 10.2, 10.4, and 10.7.
- [Apr 7: Lecture 19]
Trapdoor permutations from factoring.
El Gamal encryption.
Reading: Sections 11.1.1, 11.1.2, 11.2.1, 11.2.2, and 10.5.
- [Apr 12: Lecture 20]
Hybrid encryption. Chosen-ciphertext security: its importance, and attacks on El Gamal and padded RSA. Introduction to digital signatures.
Reading: Sections 10.3, 10.6, and 12.1.
- [Apr 14: Lecture 21]
Introduction to digital signatures. Textbook RSA and attacks. Hashed RSA and the
hash-and-sign paradigm. Lamport's one-time signature scheme. Extension to "chain-based" signatures.
Reading: Sections 12.1-12.6.1.
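The attacks on textbook RSA covered in Lectures 18 and 21, plus the Miller-Rabin test from Lecture 14 used to build the keys, as one added Python example (written for this page, not taken from the textbook or the course). Key size, the seeded random generator and the messages are toy choices for reproducibility. The block shows the chosen-ciphertext attack on textbook RSA encryption (blind the challenge ciphertext, decrypt the blinded copy, unblind), the multiplicative existential forgery on textbook RSA signatures, and how hash-and-sign blocks that forgery.

```python
import hashlib
import math
import random

rng = random.Random(2011)  # seeded for a reproducible demo; use os.urandom for anything real


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test. A composite passes all rounds with probability <= 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False       # the base was a witness of compositeness
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 256):
    """Textbook RSA key generation at toy size (real keys are 2048 bits or more)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public key, secret key)


def rsa_encrypt(pk, m: int) -> int:   # textbook: deterministic, no padding
    N, e = pk
    return pow(m, e, N)


def rsa_decrypt(sk, c: int) -> int:
    N, d = sk
    return pow(c, d, N)


def rsa_sign(sk, m: int) -> int:      # textbook signature: m^d mod N
    return rsa_decrypt(sk, m)


def rsa_verify(pk, m: int, sig: int) -> bool:
    return rsa_encrypt(pk, sig) == m


def make_decryption_oracle(sk, challenge: int):
    """CCA decryption oracle that refuses only the challenge ciphertext itself."""
    def oracle(c: int) -> int:
        if c == challenge:
            raise ValueError("oracle will not decrypt the challenge")
        return rsa_decrypt(sk, c)
    return oracle


def cca_attack(pk, c: int, oracle) -> int:
    """Recover m from c = m^e with one query: c * r^e = (m*r)^e, so the oracle returns
    m*r mod N and multiplying by r^-1 removes the blinding factor."""
    N, e = pk
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            break
    return oracle(c * pow(r, e, N) % N) * pow(r, -1, N) % N


def forge_signature(pk, m1: int, s1: int, m2: int, s2: int):
    """Existential forgery from two legitimate signatures: s1*s2 = (m1*m2)^d mod N."""
    N, _ = pk
    return m1 * m2 % N, s1 * s2 % N


def hashed_rsa_sign(sk, msg: bytes) -> int:
    """Hash-and-sign: sign H(msg) instead of msg. The forgery above now needs a message
    whose hash equals H(m1)*H(m2) mod N, i.e. a hash preimage."""
    N, _ = sk
    return rsa_sign(sk, int.from_bytes(hashlib.sha256(msg).digest(), "big") % N)


def hashed_rsa_verify(pk, msg: bytes, sig: int) -> bool:
    N, _ = pk
    return rsa_verify(pk, int.from_bytes(hashlib.sha256(msg).digest(), "big") % N, sig)
```

Both attacks rely on the same algebraic property, (ab)^x = a^x b^x mod N; padded RSA (and, for signatures, hashing) is what destroys that structure, and Lecture 20 shows that even padded RSA needs care once chosen-ciphertext queries are allowed.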
- [Apr 19: Guest lecture -- Dr. Dominique Schroeder]
Public-key identification schemes. Passive security. Construction from
signature schemes. "Deniability", and the Schnorr identification scheme.
Reading: This material is not covered in the book.
- [Apr 21: Lecture 22]
Tree-based signatures, and (stateless) signatures from one-way functions.
The random oracle model.
Reading: Sections 12.6.2 and 13.1.
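Lamport's one-time signature scheme from Lecture 21, the building block of the tree-based signatures in Lecture 22, as an added Python example (not from the textbook or the course). It assumes SHA-256 as the one-way function and as the hash in hash-and-sign, and a seeded generator for reproducibility. Besides key generation, signing and verification it demonstrates why the scheme is one-time: after a handful of signatures under one key, enough preimages have leaked that a fresh message can be signed by an attacker.

```python
import hashlib
import random

N_BITS = 256  # hash-and-sign: the 256-bit SHA-256 digest is what gets signed


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def keygen(rng):
    """sk[i][b] is a random preimage and pk[i][b] = H(sk[i][b]), for each bit position i
    and bit value b (SHA-256 plays the one-way function)."""
    sk = [[rng.randbytes(32), rng.randbytes(32)] for _ in range(N_BITS)]
    pk = [[H(x0), H(x1)] for x0, x1 in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """For each digest bit i reveal the preimage sk[i][bit_i]; the other preimage stays secret."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == N_BITS and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))


def forge_from_reuse(signed, target: bytes):
    """Attack on key reuse. Each signature reveals one preimage per position; once both
    preimages at a position are known the forger can pick either bit there.
    Returns a signature on target if every preimage it needs has leaked, else None."""
    known = {}  # (position, bit) -> revealed preimage
    for msg, sig in signed:
        for i, (s, b) in enumerate(zip(sig, digest_bits(msg))):
            known[(i, b)] = s
    try:
        return [known[(i, b)] for i, b in enumerate(digest_bits(target))]
    except KeyError:
        return None


def key_reuse_demo(n_signed: int = 16, seed: int = 2011):
    """Sign n_signed constructed messages under one key, then forge a signature on a message
    that was never signed. After k signatures a given target bit is still unforgeable at a
    position with probability 2^-k, so for k = 16 almost every candidate target works."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    signed = [(b"msg-%d" % i, sign(sk, b"msg-%d" % i)) for i in range(n_signed)]
    for j in range(64):
        target = b"forged-%d" % j
        sig = forge_from_reuse(signed, target)
        if sig is not None and verify(pk, target, sig):
            return target, sig, pk, signed
    return None


if __name__ == "__main__":
    target, sig, pk, signed = key_reuse_demo()
    print("forged a valid signature on", target, "after", len(signed), "signatures")
```

Tree-based and chain-based schemes exist precisely to avoid this: each one-time key signs exactly once (a message or the next keys), and the stateless variant of Lecture 22 derives the per-leaf keys pseudorandomly so that no counter has to be kept.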
- [Apr 26: Guest lecture -- Dr. Dominique Schroeder]
Negative results regarding the random oracle model. Signatures via the Fiat-Shamir transform.
Reading: This material is not covered in the book.
- [Apr 28: Lecture 23]
Public-key encryption and digital signatures in the random oracle model.
CCA-secure public-key encryption in the RO model.
Reading: Sections 13.2.1, 13.2.2, and 13.3.
- [May 3: Lecture 24]
Special topic I -- CCA-secure public-key encryption without random oracles: The Cramer-Shoup encryption scheme.
Reading: You can find the original proof here
or in Section 6 here. Alternative writeups are available
as my previous lecture notes (lectures 9 and 10).
- [May 5: Lecture 25]
Special topic II -- secure two-party computation: Definition of semi-honest security. Oblivious transfer. A linear-round protocol.
Reading: A good overview of secure computation can be found here.
Rabin's (handwritten!) manuscript introducing oblivious transfer is here.
The protocol for general functions can be found in Goldreich's book.
- [May 10: Lecture 26]
A linear-round protocol for semi-honest secure two-party computation.
Special topic III -- zero-knowledge proofs. Some complexity theory background. ZK proofs for 3-colorability.
Reading: Oded Goldreich's surveys on
interactive proof systems and zero-knowledge proofs.
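The zero-knowledge proof for 3-colorability from Lecture 26, as an added Python example (not from the course or the cited surveys). The graph (a triangular prism with a proper 3-coloring), a deliberately broken coloring for the cheating prover, hash-based commitments, and the seeded generators are all constructed for the demo. One round commits to a freshly permuted coloring, lets the verifier pick an edge, and opens that edge; the simulator at the end produces accepting transcripts without any coloring by guessing the edge and rewinding, which is the core of the zero-knowledge argument.

```python
import hashlib
import random

# Constructed instance: the triangular prism graph (6 vertices, 9 edges) with a proper 3-coloring.
VERTICES = range(6)
EDGES = [(0, 1), (1, 2), (2, 0), (3, 4), (4, 5), (5, 3), (0, 3), (1, 4), (2, 5)]
GOOD_COLORING = {0: 0, 1: 1, 2: 2, 3: 1, 4: 2, 5: 0}
BAD_COLORING = {**GOOD_COLORING, 5: 1}   # edge (5, 3) becomes monochromatic


def commit(color: int, r: bytes) -> bytes:
    """Hash commitment to a single color; assumed hiding and binding for the demo."""
    return hashlib.sha256(r + bytes([color])).digest()


class Prover:
    def __init__(self, coloring, rng):
        self.coloring, self.rng = coloring, rng
        self.openings = None

    def commit_round(self):
        """Apply a fresh random permutation of the three colors, then commit to every vertex."""
        perm = [0, 1, 2]
        self.rng.shuffle(perm)
        self.openings = {v: (perm[c], self.rng.randbytes(32)) for v, c in self.coloring.items()}
        return {v: commit(c, r) for v, (c, r) in self.openings.items()}

    def open_edge(self, edge):
        return self.openings[edge[0]], self.openings[edge[1]]


def check_transcript(coms, edge, openings) -> bool:
    """Verifier's check: both openings match the commitments and the two colors differ."""
    (cu, ru), (cv, rv) = openings
    u, v = edge
    return (commit(cu, ru) == coms[u] and commit(cv, rv) == coms[v]
            and {cu, cv} <= {0, 1, 2} and cu != cv)


def run_protocol(coloring, rounds: int, seed: int = 2011) -> bool:
    """Sequential repetition. A prover without a proper coloring has at least one bad edge,
    so it survives each round with probability at most 1 - 1/|E|."""
    prover = Prover(coloring, random.Random(seed))
    verifier_rng = random.Random(seed + 1)
    for _ in range(rounds):
        coms = prover.commit_round()
        edge = verifier_rng.choice(EDGES)            # honest verifier's random challenge
        if not check_transcript(coms, edge, prover.open_edge(edge)):
            return False
    return True


def simulate_round(rng):
    """Simulator with NO coloring: guess the challenge edge, commit to two random distinct
    colors there and to color 0 everywhere else, and rewind (retry) if the guess is wrong.
    Expected |E| attempts; the output transcript is distributed like a real accepting one."""
    while True:
        guess = rng.choice(EDGES)
        a, b = rng.sample([0, 1, 2], 2)
        openings = {v: (0, rng.randbytes(32)) for v in VERTICES}
        openings[guess[0]] = (a, rng.randbytes(32))
        openings[guess[1]] = (b, rng.randbytes(32))
        coms = {v: commit(c, r) for v, (c, r) in openings.items()}
        edge = rng.choice(EDGES)                      # honest verifier's challenge
        if edge == guess:
            return coms, edge, (openings[edge[0]], openings[edge[1]])


def simulated_transcript_accepts(seed: int = 1) -> bool:
    return check_transcript(*simulate_round(random.Random(seed)))


if __name__ == "__main__":
    print("honest prover, 100 rounds:", run_protocol(GOOD_COLORING, 100))
    print("cheating prover, 300 rounds:", run_protocol(BAD_COLORING, 300))
    print("simulated transcript accepted:", simulated_transcript_accepts())
```

The soundness error after t rounds is (1 - 1/|E|)^t, so the number of rounds is chosen from the edge count; the verifier sees exactly two distinct colors per round, and since the permutation is fresh each time no information about the actual coloring accumulates across rounds.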