Cryptography

**Instructor:**

Nadia Heninger
(nadiah at cis dot upenn.edu, 464 Levine GRW)

Office hours: Tuesday 1-2pm and after class as needed

**Lectures:**

Monday/Wednesday 12-1:30pm Moore 212

**Piazza** **Canvas**

This course is a graduate-level introduction to cryptography, both theory and applications. A tentative list of topics includes:

- Symmetric cryptography: block ciphers, stream ciphers, modes of operation
- Message integrity, hash functions
- Public-key cryptography: number-theoretic notions, public-key encryption schemes, digital signatures
- Cryptographic security: key management, network security protocols, random number generation, side-channel attacks
- Magical crypto tricks: secret sharing, commitments, zero-knowledge proofs
- Research topics: privacy-enhancing technologies, lattices, etc.

**Schedule:**

| Date | Topic | References | Assignments |
|---|---|---|---|
| 8/27 | Introduction, historical ciphers, one-time pad (Notes from lecture) | Katz & Lindell Ch. 1, 2; Boneh & Shoup Ch. 2.2. Further reading: Communication theory of secrecy systems, Shannon 1949 | Homework 1 out |
| 9/1 | Labor Day; no class | | |
| 9/3 | Probability and entropy review (Notes from lecture) | Katz & Lindell Appendix A; Boneh & Shoup Appendix B; Hoffstein, Pipher, & Silverman Ch. 4.3, 4.6. Further reading: A mathematical theory of communication, Shannon 1948 | |
| 9/8 | Semantic security, pseudorandom generators, stream ciphers, random number generation (Notes from lecture) | Katz & Lindell Ch. 3; Boneh & Shoup Ch. 2.3, 3. Further reading/research directions: Security analysis of pseudo-random number generators with input: /dev/random is not robust, Dodis, Pointcheval, Ruhault, Vergnaud, Wichs 2013; On the security of RC4 in TLS and WPA, AlFardan, Bernstein, Paterson, Poettering, and Schuldt 2013; Spritz: a spongy RC4-like stream cipher and hash function, Rivest and Schuldt 2014; The ChaCha family of stream ciphers, Bernstein | Homework 1 due; Homework 2 out |
| 9/10 | Chosen plaintext attacks, pseudorandom permutations, block ciphers, modes of operation (Notes from lecture) | Katz & Lindell Ch. 3.5, 3.6; Boneh & Shoup Ch. 4 | |
| 9/15 | Attacks on block ciphers (Notes from lecture) | Katz & Lindell Ch. 5; Here come the xor ninjas, Duong and Rizzo 2011; Compression and information leakage of plaintext, Kelsey 2002; The CRIME attack, Rizzo and Duong 2012 | |
| 9/17 | Chosen ciphertext attacks, malleability, padding oracles, message authentication codes (Notes from lecture) | Katz & Lindell Ch. 4.4-4.6; Boneh & Shoup Ch. 6; Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS..., Vaudenay 2002 | Homework 2 due; Homework 3 out |
| 9/22 | Hash functions, birthday attacks (Notes from lecture) | Katz & Lindell Ch. 4; Boneh & Shoup Ch. 8.1-8.6 | |
| 9/24 | Hash functions in practice, length extension attacks, HMAC, authenticated encryption (Notes from lecture) | Katz & Lindell Ch. 4.7-4.8; Boneh & Shoup Ch. 8.7. Further reading/research directions: MD5 to be considered harmful today, Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik, de Weger 2009; Counter-cryptanalysis, Stevens 2013; New collision attacks on SHA-1 based on optimal joint local-collision analysis, Stevens 2013 | |
| 9/29 | Computational number theory: modular arithmetic, GCDs, ideals, groups, primality testing (Notes from lecture) | Katz & Lindell Ch. 7; A Computational Introduction to Number Theory and Algebra, Shoup | Homework 3 due |
| 10/1 | Discrete log, Diffie-Hellman, ElGamal (Notes from lecture) | New Directions in Cryptography, Diffie and Hellman 1976; Katz & Lindell Ch. 7.3, 8.2.1, 9, 10; HAC Ch. 3.6.3 | Homework 4 out |
| 10/6 | Arithmetic modulo composites, Chinese Remainder Theorem, Pohlig-Hellman discrete log, RSA, factoring (Notes from lecture) | A method for obtaining digital signatures and public-key cryptography, Rivest, Shamir, and Adleman 1978; Katz & Lindell Ch. 7.1.5, 7.2, 8.1.2, 8.2.2, 10.4; HAC Ch. 3.6.4 | |
| 10/8 | Textbook RSA is insecure, digital signatures, RSA, DSA (Notes from lecture) | Katz & Lindell Ch. 10.4, 10.6, 12; Boneh & Franklin Ch. 13. Further reading/research directions: Why Textbook ElGamal and RSA Encryption Are Insecure, Boneh, Joux, and Nguyen 2000; Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, Bleichenbacher 1998; Efficient Padding Oracle Attacks on Cryptographic Hardware, Bardou, Focardi, Kawamoto, Simionato, Steel, Tsay 2012; Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks, Meyer, Somorovsky, Weiss, Schwenk, Schinzel, Tews 2014 | |
| 10/13 | Guest lecture (Brett Hemenway): One-way functions, hardcore predicates (Notes from lecture) | Katz & Lindell Ch. 6. Further reading: A hard-core predicate for all one-way functions, Goldreich and Levin 1989; The security of all RSA and discrete log bits, Håstad and Näslund 2004 | |
| 10/15 | Guest lecture (Brett Hemenway): Semantic security, the random oracle model (Notes from lecture) | Katz & Lindell Ch. 13; Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, Bellare and Rogaway 1995; The Random Oracle Methodology, Revisited, Canetti, Goldreich, and Halevi 1998 | |
| 10/20 | Constructing secure channels, TLS, POODLE (Notes from lecture) | This POODLE Bites: Exploiting The SSL 3.0 Fallback, Moeller, Duong, Kotowicz 2014. Further reading: Ferguson, Schneier & Kohno Ch. 14; The Secure Sockets Layer (SSL) Protocol Version 3.0, Freier, Karlton, Kocher 2011; The Transport Layer Security (TLS) Protocol Version 1.2, Dierks and Rescorla 2008 | Homework 4 due |
| 10/22 | Guest lecture (Brett Hemenway): Other public-key crypto: Goldwasser-Micali, Rabin, Paillier (Notes from lecture) | Katz & Lindell Ch. 13; Paillier's Cryptosystem, Dario Catalano. Further reading: A Generalization of Paillier's Public-Key System with Applications to Electronic Voting, Damgård, Jurik, and Nielsen; Single Database Private Information Retrieval with Logarithmic Communication, Chang 2004; An Oblivious Transfer Protocol with Log-Squared Communication, Lipmaa 2004 | |
| 10/27 | Subexponential factoring: elliptic curve method, quadratic sieve (Notes from lecture) | Katz & Lindell Ch. 8.1.1, 8.1.3. Further reading: A tale of two sieves, Pomerance 1996; Factoring integers with the number field sieve, Buhler, Lenstra, and Pomerance 1993; Factorization of a 768-bit RSA modulus, Kleinjung et al. 2010 | |
| 10/29 | Bleichenbacher RSA signature forgery, index calculus (Notes from lecture) | Katz & Lindell Ch. 8.2.4; Bleichenbacher's RSA signature forgery based on implementation error. Further reading: A new index calculus algorithm with complexity L(1/4 + o(1)) in small characteristic, Joux 2013; A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, Barbulescu, Gaudry, Joux, and Thomé 2013 | Homework 5 out |
| 11/3 | Secret sharing (Notes from lecture) | How to share a secret, Shamir 1979. Other resources: Secret-sharing schemes: A survey, Beimel 2011; David Wagner lecture notes | Project proposal due |
| 11/5 | Commitment schemes (Notes from lecture) | Lecture notes by Yevgeniy Dodis. Further reading: A practical scheme for non-interactive verifiable secret sharing, Feldman 1987 | |
| 11/10 | Zero-knowledge proofs (Notes from lecture) | Lecture notes by David Wagner; Lecture notes by Boaz Barak (1, 2); The knowledge complexity of interactive proof systems, Goldwasser, Micali, and Rackoff 1989. Further reading/research topics: Zerocoin: Anonymous Distributed E-Cash from Bitcoin, Miers, Garman, Green, Rubin 2013; Zerocash: Decentralized Anonymous Payments from Bitcoin, Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza 2014; SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge, Ben-Sasson, Chiesa, Genkin, Tromer, Virza 2013 | Homework 5 due |
| 11/12 | Lattices (Notes from lecture) | Daniele Micciancio lecture notes (1, 2); Oded Regev lecture notes | |
| 11/17 | LLL, Coppersmith's method (Notes from lecture) | Factoring Polynomials with Rational Coefficients, Lenstra, Lenstra, and Lovász 1982; The two faces of lattices in cryptology, Nguyen 2001; Using LLL-reduction for solving RSA and factorization problems: a survey, May 2007 | |
| 11/19 | More lattice cryptanalysis (Notes from lecture, Slides) | | Homework 6 out (due December 10) |
| 11/24 | Lattice-based cryptography (Notes from lecture) | | |
| 12/1 | Side-channel attacks (Notes from lecture) | | |
| 12/3 | Project presentations | | |
| 12/8 | Project presentations | | |

**Homework deadlines:**

- Homework 1 due September 8
- Homework 2 due September 17
- Homework 3 due September 29
- Homework 4 due October 20
- Homework 5 due November 10
- Homework 6 due December 10

**Textbooks and references:**

- Introduction to Modern Cryptography by Katz and Lindell. A copy should be on reserve in the Rosengarten Reserve Room in the Van Pelt-Dietrich Library Center.
- A Graduate Course in Applied Cryptography by Boneh and Shoup. Unfinished draft available online; ask me for the password.
- An Introduction to Mathematical Cryptography by Hoffstein, Pipher, and Silverman. A mathematically oriented introductory text.
- Introduction to Modern Cryptography by Bellare and Rogaway. Online course notes for an introductory course.
- Cryptography Engineering by Ferguson, Schneier, and Kohno. A practice-oriented introductory text.
- The Handbook of Applied Cryptography by Menezes, van Oorschot, and Vanstone. A classic reference, available for free online.