CIS 700, Fall 2014
Cryptography


Instructor:
  Nadia Heninger (nadiah at cis dot upenn.edu, 464 Levine GRW)
  Office hours: Tuesday 1-2pm and after class as needed

Lectures:
  Monday/Wednesday 12-1:30pm Moore 212

Piazza     Canvas


Course Overview

This course is a graduate-level introduction to cryptography, both theory and applications. A tentative list of topics includes:

Grading will be 50% homeworks, 50% research project, and 10% participation and brownie points. (We go to 11 in this class.) Assignments will involve both programming and mathematical proofs.

Prerequisites

This course is intended for beginning graduate students. There are no formal prerequisites, but you should have mathematical maturity equivalent to having taken algorithms/complexity (CIS 320 or 502, CIS 262 or CIS 511) or undergraduate algebra (Math 370) or number theory (Math 350). Undergraduates will need permission to enroll; this is fine if you feel you meet the prerequisites.

Schedule

Topic References Assignments
8/27 Introduction, historical ciphers, one-time pad

Notes from lecture
Katz & Lindell Ch. 1, 2
Boneh & Shoup Ch. 2.2

Further reading:
Communication theory of secrecy systems Shannon 1949
Homework 1 out
9/1 Labor Day; no class
9/3 Probability and entropy review

Notes from lecture
Katz & Lindell Appendix A
Boneh & Shoup Appendix B
Hoffstein, Pipher, & Silverman Ch. 4.3, 4.6

Further reading:
A mathematical theory of communication Shannon 1948
9/8 Semantic security, pseudorandom generators, stream ciphers, random number generation

Notes from lecture
Katz & Lindell Ch. 3
Boneh & Shoup Ch. 2.3, 3

Further reading/Research directions:
Security analysis of pseudo-random number generators with input: /dev/random is not robust by Dodis Pointcheval Ruhault Vergnaud Wichs 2013
On the security of RC4 in TLS and WPA by AlFardan, Bernstein, Paterson, Poettering, and Schuldt 2013
Spritz-a spongy RC4-like stream cipher and hash function by Rivest and Schuldt 2014
The ChaCha family of stream ciphers by Bernstein
Homework 1 due
Homework 2 out
9/10 Chosen plaintext attacks, pseudorandom permutations, block ciphers, modes of operation

Notes from lecture
Katz & Lindell Ch. 3.5, 3.6
Boneh & Shoup Ch. 4
9/15 Attacks on block ciphers

Notes from lecture
Katz & Lindell Ch. 5
Here come the xor ninjas by Duong and Rizzo 2011
Compression and information leakage of plaintext by Kelsey 2002
The CRIME attack by Rizzo and Duong 2012
9/17 Chosen ciphertext attacks, malleability, padding oracles, message authentication codes

Notes from lecture
Katz & Lindell Ch. 4.4-4.6
Boneh & Shoup Ch. 6
Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... by Vaudenay 2002
Homework 2 due
Homework 3 out
9/22 Hash functions, birthday attacks

Notes from lecture
Katz & Lindell Ch. 4
Boneh & Shoup Ch. 8.1-8.6

9/24 Hash functions in practice, length extension attacks, HMAC, authenticated encryption

Notes from lecture
Katz & Lindell Ch. 4.7-4.8
Boneh & Shoup Ch. 8.7

Further reading/research directions
MD5 to be considered harmful today by Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik, de Weger 2009
Counter-cryptanalysis by Stevens 2013
New collision attacks on SHA-1 based on optimal joint local-collision analysis by Stevens 2013
9/29 Computational number theory: modular arithmetic, GCDs, ideals, groups, primality testing

Notes from lecture
Katz & Lindell Ch. 7
A Computational Introduction to Number Theory and Algebra by Shoup
Homework 3 due
10/1 Discrete log, Diffie-Hellman, ElGamal

Notes from lecture
New Directions in Cryptography by Diffie and Hellman 1976
Katz & Lindell Ch. 7.3, 8.2.1, 9, 10
HAC Ch. 3.6.3
Homework 4 out
10/6 Arithmetic modulo composites, Chinese Remainder Theorem, Pohlig-Hellman discrete log, RSA, factoring

Notes from lecture
A method for obtaining digital signatures and public-key cryptography by Rivest, Shamir, and Adleman 1978
Katz & Lindell Ch. 7.1.5, 7.2, 8.1.2, 8.2.2, 10.4
HAC Ch. 3.6.4
10/8 Textbook RSA is insecure, digital signatures, RSA, DSA

Notes from lecture
Katz & Lindell Ch. 10.4, 10.6, 12
Boneh & Franklin Ch. 13

Further reading/Research directions:
Why Textbook ElGamal and RSA Encryption Are Insecure by Boneh, Joux, and Nguyen 2000
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 by Bleichenbacher 1998
Efficient Padding Oracle Attacks on Cryptographic Hardware by Bardou, Focardi, Kawamoto, Simionato, Steel, Tsay 2012
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks by Meyer, Somorovsky, Weiss, Schwenk, Schinzel, Tews 2014
10/13 Guest Lecture: Brett Hemenway

One-way functions, hardcore predicates

Notes from lecture
Katz & Lindell Ch. 6
Further Reading:
A hard-core predicate for all one-way functions by Goldreich and Levin 1989
The security of all RSA and discrete log bits by Håstad and Nåslund 2004
10/15 Guest Lecture: Brett Hemenway
Semantic security, the random oracle model

Notes from lecture
Katz & Lindell Ch. 13

Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by Bellare and Rogaway 1995
The Random Oracle Methodology, Revisited by Canetti, Goldreich, and Halevi 1998
10/20 Constructing secure channels, TLS, POODLE
Notes from lecture
This POODLE Bites: Exploiting The SSL 3.0 Fallback
by Moeller, Duong, Kotowicz 2014

Further reading:
Ferguson Schneier & Kohno Ch. 14
The Secure Sockets Layer (SSL) Protocol Version 3.0 by Freier Karlton Kocher 2011
The Transport Layer Security (TLS) Protocol Version 1.2 by Dierks and Rescorla 2008
Homework 4 due
10/22 Guest Lecture: Brett Hemenway
Other public-key crypto: Goldwasser-Micali, Rabin, Paillier

Notes from lecture
Katz & Lindell Ch. 13
Paillier's Cryptosystem by Dario Catalano

Further Reading:
A Generalization of Paillier's Public-Key System with Applications to Electronic Voting by Damgård, Jurik, and Nielsen
Single Database Private Information Retrieval with Logarithmic Communication by Chang 2004
An Oblivious Transfer Protocol with Log-Squared Communication by Lipmaa 2004
10/27 Subexponential factoring: elliptic curve method, quadratic sieve

Notes from lecture
Katz & Lindell Ch. 8.1.1, 8.1.3

Further Reading:
A tale of two sieves by Pomerance (1996)
Factoring integers with the number field sieve by Buhler, Lenstra, and Pomerance (1993)
Factorization of a 768-bit RSA modulus by Kleinjung et al. (2010)
10/29 Bleichenbacher RSA signature forgery, Index calculus

Notes from lecture
Katz & Lindell 8.2.4
Bleichenbacher's RSA signature forgery based on implementation error

Further Reading:
A new index calculus algorithm with complexity L(1/4 + o(1)) in small characteristic by Joux 2013
A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic by Barbulescu Gaudry Joux and Thome 2013
Homework 5 out
11/3 Secret sharing

Notes from lecture
How to share a secret by Shamir 1979

Other resources:
Secret-sharing schemes: A survey by Beimel 2011
David Wagner lecture notes
Project Proposal Due
11/5 Commitment schemes

Notes from lecture
Lecture notes by Yevgeniy Dodis

Further reading:
A practical scheme for non-interactive verifiable secret sharing by Feldman 1987
11/10 Zero-knowledge proofs

Notes from lecture
Lecture notes by David Wagner
Lecture notes by Boaz Barak 1 2
The knowledge complexity of interactive proof systems by Goldwasser, Micali, and Rackoff 1989

Further reading/research topics:
Zerocoin: Anonymous Distributed E-Cash from Bitcoin by Miers, Garman, Green, Rubin 2013
Zerocash: Decentralized Anonymous Payments from Bitcoin by Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza 2014
SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge by Ben-Sasson, Chiesa, Genkin, Tromer, Virza 2013
Homework 5 due
11/12 Lattices

Notes from lecture
Daniele Micciancio lecture notes 1 2
Oded Regev lecture notes
11/17 LLL, Coppersmith's method

Notes from lecture
Factoring Polynomials with Rational Coefficients by Lenstra Lenstra and Lovasz 1982
The two faces of lattices in cryptology by Nguyen 2001
Using LLL-reduction for solving RSA and factorization problems: a survey by May 2007
11/19 More lattice cryptanalysis

Notes from lecture
Slides
Homework 6 out
Due December 10
11/24 Lattice-based cryptography

Notes from lecture
12/1 Side-channel attacks

Notes from lecture
12/3 Project presentations
12/8 Project presentations

Project

Final project guidelines can be found here.

Assignments

Homework should be submitted using Canvas before noon on the day it is due. For programming exercises, submit the code you wrote and a short description of how you solved the problem. For mathematical or written exercises, please write up your solutions using Latex and submit a pdf to Canvas. If you've never used Latex before, you may want to make sure you can install and compile. Here is a useful reference for Latex.

Recommended Textbook


Additional Resources