Math 690 Spring 2004, MW 111 Room DRL 4E9
Mathematical Foundations of Computer Security
Office: Room 4E6 in David Rittenhouse Laboratory
Telephone: eight five nine eight three
( Math. Dept. Office: eight eight one seven eight )
Fax: three four zero six three
Email: lastname at math
Office Hours: By appointment
About This Course
"What is to distinguish a digital dollar when it is as easily reproducible
as the spoken word? How do we converse privately when every syllable is
bounced off a satellite and smeared over an entire continent? How should a
bank know that it really is Bill Gates requesting from his laptop in Fiji
a transfer of $100,000,.....,000 to another bank? Fortunately, the
mathematics of cryptography can help. Cryptography provides techniques
for keeping information secret, for determining that information has not
been tampered with, and for determining who authored pieces of information."
(From the Foreword by R. Rivest to the "Handbook of Applied Cryptography"
by Menezes, van Oorschot, and Vanstone.)
This course for graduate students and advanced undergraduates will discuss
security protocol design and analysis and the related areas of cryptography.
The course will complement but not presuppose CIS 677 and Math 524 from Fall
2003 and is intended to be more advanced than CIS 551 in Spring 2004. We will
cover the necessary background for students who have not taken CIS 677 or
Math 524.
Textbooks
Further References

O. Goldreich. Foundations of Cryptography - Volume 2.

R. Focardi, R. Gorrieri (Eds.) Foundations of Security Analysis and Design.
Tutorial Lectures.
Springer Lecture Notes in Computer Science, Volume 2171, 2001.
ISBN 3540428968.

"Handbook of Applied Cryptography" by
Menezes, van Oorschot, and Vanstone.
CRC Press, Fifth Printing, 2001. ISBN: 0849385237.

Goldwasser-Bellare lecture notes on cryptography at MIT.

Dodis cryptography lecture notes at NYU.

J. Clark and J. Jacob. A Survey of Authentication Protocol Literature.
Version 1.0, November, 1997.
 R. Kemmerer, C. Meadows, and J. Millen. Three Systems for Cryptographic
Protocol Analysis. Journal of Cryptology, Vol. 7, no. 2, 1994.

Kerberos: The Network Authentication Protocol.

The Kerberos Network Authentication Service (V5) Internet Draft.
 F. Butler, I. Cervesato, A. Jaggard, and A. Scedrov.
A formal analysis of some properties of Kerberos 5 using MSR.
In: S. Schneider, ed., 15th IEEE Computer Security Foundations Workshop,
Cape Breton, Nova Scotia, Canada, June, 2002. IEEE Computer Society Press,
2002, pp. 175-190. Preliminary version
[.pdf].

The TLS Protocol Version 1.0 RFC 2246.

The SSL Protocol Version 3.0 Internet Draft.
 D. Wagner and B. Schneier.
Analysis of the SSL 3.0 Protocol.
 J. Mitchell, V. Shmatikov, and U. Stern.
Finite-State Analysis of SSL 3.0.

J.C. Mitchell, M. Mitchell, and U. Stern. Automated Analysis of Cryptographic
Protocols Using Murphi, IEEE Symp. Security and Privacy, Oakland, 1997, pages
141-153.

J.P. Anderson. Computer Security Technology Planning Study.
ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA (Oct. 1972)
[NTIS AD-758 206].

M. Bishop's History of Computer Security Web Site at UC Davis.
 O. Goldreich. "Modern Cryptography, Probabilistic Proofs and
Pseudorandomness." Springer-Verlag, 1999. ISBN: 354064766X.

Ron Rivest's Cryptography and Security Page at MIT.

The Cypherpunks Home Page at UC Berkeley.

Crypto FAQ site at RSA Security.
Take-Home Midterm Due in Class on Wednesday, March 24
 Suppose that four-digit PINs are distributed uniformly at random.
How many people must be in a room for the probability that two of them
have the same PIN to be at least 1/2 ?
 Prove that the Caesar cipher does not have perfect secrecy.
 Use exhaustive key search to decrypt the following ciphertext, which
was encrypted using a shift cipher: JBCRCLQRWCRVNBJENBWRWN .
 Prove that if (2^n) - 1 is a prime, then n is a prime,
and if (2^n) + 1 is a prime, then n is a power of 2.
The first type of prime is called a Mersenne prime, and the second type
is called a Fermat prime.
 Using the Fundamental Theorem of Arithmetic, prove that the product
of (1 - 1/p) over all primes p is zero.
 Consider the following linear recurrence over Z_2 of degree four:
z_(i+4) = (z_i + z_(i+3)) mod 2, for i greater or equal to 0.
For each of the 16 possible initialization vectors (z_0 , z_1 , z_2 , z_3)
determine the period of the resulting keystream.
This is a complete list of midterm assignments due March 24, 2004.
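
The degree-four recurrence above can be checked mechanically by stepping the four-bit window (z_i, z_(i+1), z_(i+2), z_(i+3)) until it returns to the initialization vector. The following is an added example, not part of the original course materials; the function names step, period, keystream and all_periods are chosen here for illustration.

```python
from itertools import product


def step(state):
    """Advance the window (z_i, z_(i+1), z_(i+2), z_(i+3)) by one position
    using z_(i+4) = (z_i + z_(i+3)) mod 2."""
    z0, z1, z2, z3 = state
    return (z1, z2, z3, (z0 + z3) % 2)


def period(iv):
    """Number of steps until the window first returns to iv.

    The update is invertible (z_i = (z_(i+4) + z_(i+3)) mod 2), so every
    state lies on a cycle and the loop always terminates.
    """
    state, n = step(iv), 1
    while state != iv:
        state, n = step(state), n + 1
    return n


def keystream(iv, length):
    """First `length` keystream bits z_0, z_1, ... for the given iv."""
    bits, state = [], iv
    for _ in range(length):
        bits.append(state[0])
        state = step(state)
    return bits


def all_periods():
    """Map each of the 16 initialization vectors to its keystream period."""
    return {iv: period(iv) for iv in product((0, 1), repeat=4)}


if __name__ == "__main__":
    for iv, p in all_periods().items():
        # Print two full periods so the repetition is visible.
        print(iv, p, "".join(map(str, keystream(iv, 2 * p))))
```

The window period equals the keystream period because four consecutive keystream bits determine the whole sequence.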
In the news ...