Topics in Cryptography

**Instructor:**

Nadia Heninger
(nadiah at cis dot upenn.edu, 464 Levine GRW)

**Lectures:**

Wednesday 3-6 pm, Towne 307

This course is a research seminar on selected topics in cryptography, both applied and theoretical. A tentative list of topics includes:

- Applied cryptography: public and private key encryption, digital signatures and authentication; applications
- Cryptographic security: random number generation; implementation and protocol issues; side-channel attacks
- Factoring and discrete log algorithms
- Lattices: lattice algorithms; cryptanalysis using lattices; lattice-based cryptography and fully-homomorphic encryption

For the research project, you should try to do something nontrivial but tractable. If you're more applied, an implementation or experiments are fine; if you're more theoretical, you can understand a difficult area or try to prove an extension of existing work. You will write a research report describing the papers you read, what you tried to do, and any results, in the format of a conference paper. 10-15 pages if you're working alone, 15-20 pages if you're working with a partner.

You should come talk to me for help identifying a suitable project.

Project reports are due **December 11**.

Topic | Readings | Hands-on Exploration

8/28 | Introduction; practical cryptography overview: stream ciphers, block ciphers, hash functions | Optional additional references:
- Katz & Lindell Ch. 2-4
- Handbook of Applied Cryptography Ch. 1, Ch. 7, Ch. 9
| When you visit an https web site, look at the connection and certificate information and note which ciphers and key sizes are in use. Try installing Wireshark, capturing some of your own traffic, and inspecting a few cryptographic protocols (https, ssh, etc.). |

9/4 | Practical cryptography overview continued: message authentication codes, public-key cryptography, digital signatures |
- New directions in cryptography by Diffie and Hellman (1976)
- A method for obtaining digital signatures and public-key cryptography by Rivest, Shamir, and Adleman (1978)
Optional additional references:
- Katz & Lindell Ch. 7, 9, 10, 12
- Jean Gallier's Notes on Public Key Cryptography and Primality Testing
- Handbook of Applied Cryptography Ch. 2.5, Ch. 3, Ch. 8, Ch. 11
| |

9/11 | Guest lecture: Brett Hemenway on oblivious transfer and multiparty computation | ||

9/18 | Factoring and discrete log algorithms |
- A tale of two sieves by Pomerance (1996) *(paper presentation by Chris K.)*
Optional further reading:
- Factoring integers with the number field sieve by Buhler, Lenstra, and Pomerance (1993)
- Factorization of a 768-bit RSA modulus by Kleinjung et al. (2010)
- Function Field Sieve Method for Discrete Logarithms over Finite Fields by Adleman and Huang (1999)
- A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic by Barbulescu, Gaudry, Joux, and Thomé (2013)
| Install CADO-NFS and try your hand at factoring some large numbers. |
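The congruence-of-squares idea that both sieves in Pomerance's paper are built on, as an added Python example (not code from the page or from CADO-NFS): relations x^2 - N that are smooth over a small factor base are collected by trial division rather than by sieving, a linear dependency mod 2 among their exponent vectors is found by Gaussian elimination over GF(2), and gcd(X - Y, N) splits N. The toy modulus (a product of two Mersenne primes), the factor-base bound and the relation surplus are constructed for the example.

```python
from math import gcd, isqrt


def primes_up_to(B):
    """Primes <= B by the sieve of Eratosthenes."""
    flags = bytearray([1]) * (B + 1)
    flags[0:2] = b"\x00\x00"
    for p in range(2, isqrt(B) + 1):
        if flags[p]:
            flags[p * p::p] = bytearray(len(range(p * p, B + 1, p)))
    return [p for p in range(2, B + 1) if flags[p]]


def trial_factor(v, fb):
    """Exponent vector of v over the factor base fb, or None if v is not fb-smooth."""
    exps = [0] * len(fb)
    for j, p in enumerate(fb):
        while v % p == 0:
            v //= p
            exps[j] += 1
    return exps if v == 1 else None


def congruence_of_squares(N, B=200, extra=20, max_candidates=200000):
    """Factor composite N by finding X^2 = Y^2 (mod N) with X != +-Y.

    Relations come from x^2 - N for x just above sqrt(N), where the values are
    small and therefore often B-smooth; a real quadratic sieve finds the same
    relations by sieving instead of trial division.  N must be composite and
    not a prime power for a nontrivial factor to exist.
    """
    r = isqrt(N)
    if r * r == N:
        return r
    # Factor base: small primes modulo which N is a square; no other prime can divide x^2 - N.
    fb = []
    for p in primes_up_to(B):
        if N % p == 0:
            return p
        if p == 2 or pow(N, (p - 1) // 2, p) == 1:
            fb.append(p)
    # Collect more smooth relations than factor-base primes so that the
    # exponent vectors mod 2 are guaranteed to be linearly dependent.
    relations = []
    x = r + 1
    while len(relations) < len(fb) + extra and x - r <= max_candidates:
        exps = trial_factor(x * x - N, fb)
        if exps is not None:
            relations.append((x, exps))
        x += 1
    # Gaussian elimination over GF(2).  Each row is a bitmask of the odd
    # exponents; combo records which relations were xored to produce it.
    pivots = {}
    for i, (_, exps) in enumerate(relations):
        vec = sum(1 << j for j, e in enumerate(exps) if e % 2)
        combo = 1 << i
        while vec:
            low = vec & -vec
            if low not in pivots:
                pivots[low] = (vec, combo)
                break
            pvec, pcombo = pivots[low]
            vec ^= pvec
            combo ^= pcombo
        if vec:
            continue
        # combo is a set of relations whose exponents sum to even numbers, so
        # X^2 = prod (x_i^2 - N) = Y^2 (mod N) with Y = prod p^(e/2).
        X, total = 1, [0] * len(fb)
        for k, (xk, ek) in enumerate(relations):
            if combo >> k & 1:
                X = X * xk % N
                total = [t + e for t, e in zip(total, ek)]
        Y = 1
        for p, e in zip(fb, total):
            Y = Y * pow(p, e // 2, N) % N
        for g in (gcd(X - Y, N), gcd(X + Y, N)):
            if 1 < g < N:
                return g
    return None


if __name__ == "__main__":
    N = 8191 * 131071  # constructed toy modulus: a product of two Mersenne primes
    print(congruence_of_squares(N))
```

Each dependency yields a nontrivial factor with probability about one half, which is why the code collects a surplus of relations and tries every dependency. The sieving step, the large-prime variation and the block Lanczos linear algebra that make this practical at 768 bits are exactly what CADO-NFS implements; this block only shows the skeleton they share.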

9/25 | How is SSL broken? Let us count the ways: MD5, BEAST, RC4... |
- MD5 to be considered harmful today by Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik, and de Weger (2009) *(paper presentation by Hamidhasan A.)*
- Here come the xor ninjas by Duong and Rizzo (2011)
- On the security of RC4 in TLS by AlFardan, Bernstein, Paterson, and Schuldt (2013)
Optional further reading:
- MD5 to be considered harmful someday by Kaminsky (2004)
- Counter-cryptanalysis by Stevens (2013)
| Use HashClash to construct your own MD5 collision. |

10/2 | Side-channel attacks |
- Introduction to differential power analysis by Kocher, Jaffe, Jun, and Rohatgi (2011)
- Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems by Kocher (1996)
- Remote timing attacks are practical by Brumley and Boneh (2003) *(paper presentation by Antonis P.)*
- Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1 by Bleichenbacher (1998)
Optional further reading:
- Differential power analysis by Kocher, Jaffe, and Jun (1999)
- Keyboard acoustic emanations revisited by Zhang, Zhou, and Tygar (2005)
- Cross-VM side channels and their use to extract private keys by Zhang, Juels, Reiter, and Ristenpart (2012)
- Remote timing attacks are still practical by Brumley and Tuveri (2011)
- Compression and information leakage of plaintext by Kelsey (2002)
- The CRIME attack by Rizzo and Duong (2012)
- Lest we remember: Cold boot attacks on encryption keys by Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum, and Felten (2008)
| Use a memory extracting tool to dump the contents of your RAM to a file. Then browse through it to see what you can find. You can try the strings utility or the tools here. |

10/9 | Random number generation; entropy failures |
- When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability by Yilek, Rescorla, Shacham, Enright, and Savage (2009) *(paper presentation by Rafi R.)*
- Mining your Ps and Qs: Detection of widespread weak keys by Heninger, Durumeric, Wustrow, and Halderman (2012) *(paper presentation by Bekah O.)*
| Take a look at OpenSSL's random number generation code. Take a look at the Linux random number generation code. |
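The batch GCD computation behind Mining your Ps and Qs, as an added Python example (not the paper's code): gcd(N_i, product of all other moduli) for every modulus at once, using a product tree and a remainder tree, plus the pairwise fallback that is needed when a modulus shares both of its primes with other keys and the batch result is therefore the whole modulus. The moduli are constructed from Mersenne primes for the example.

```python
from math import gcd


def product_tree(leaves):
    """Levels of a product tree: the leaves first, the single root product last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """gcd(N_i, prod_{j != i} N_j) for every i, without forming each quotient.

    With P the product of all moduli, P mod N_i^2 equals N_i * (Q_i mod N_i)
    where Q_i = P / N_i, so (P mod N_i^2) // N_i is Q_i reduced mod N_i and
    gcd of that with N_i is what we want.  The remainder tree walks the
    product tree downwards reducing modulo the square of each node.
    """
    tree = product_tree(moduli)
    rems = [tree[-1][0]]
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // x, x) for r, x in zip(rems, moduli)]


def factor_weak_keys(moduli):
    """Map index -> (p, q) for every modulus that shares a prime with another one."""
    found = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue
        if g == n:
            # Both primes are shared with other moduli, so the batch gcd is
            # uninformative; a pairwise gcd against any one sibling still splits n.
            g = next((gcd(n, m) for j, m in enumerate(moduli)
                      if j != i and 1 < gcd(n, m) < n), 1)
        if 1 < g < n:
            p, q = g, n // g
            found[i] = (min(p, q), max(p, q))
    return found


# Constructed example keys: primes 2^e - 1 for Mersenne exponents e.
M = {e: (1 << e) - 1 for e in (17, 19, 31, 61, 89, 107, 127)}
MODULI = [
    M[31] * M[61],    # shares M[31] with key 3 and M[61] with key 1
    M[61] * M[89],    # shares M[61] with key 0
    M[107] * M[127],  # shares M[127] with key 3
    M[31] * M[127],   # shares both of its primes: batch gcd returns the whole modulus
    M[17] * M[19],    # well-formed key, coprime to all the others
]

if __name__ == "__main__":
    for i, (p, q) in sorted(factor_weak_keys(MODULI).items()):
        print(f"key {i}: p = {p}, q = {q}")
```

The product and remainder trees cost quasi-linear time in the total size of the input, which is what makes the computation feasible across millions of scanned keys where pairwise gcds would not be; the key-3 case above is the degenerate one the paper also has to handle separately.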

10/16 | Introduction to lattices |
- The two faces of lattices in cryptology by Nguyen (2001)
Optional additional references:
| Install Sage and use it to explore lattices and lattice basis reduction algorithms. |

10/23 | Lattices and public-key cryptanalysis; Coppersmith's method |
- Twenty years of attacks on the RSA cryptosystem by Boneh (1999) *(paper presentation by Yang L.)*
- Using LLL-reduction for solving RSA and factorization problems: A survey by May (2010)
| |
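Lattice basis reduction and Coppersmith's method, as an added Python example serving both the 10/16 and 10/23 sessions (not code from the page, from Sage, or from the Boneh and May surveys): a textbook LLL over exact rationals, then the smallest Coppersmith/Howgrave-Graham lattice for a monic quadratic f(x) = x^2 + a x + b mod N, which recovers a root of size up to about N^(1/3). The modulus (a product of two Mersenne primes), the coefficient A and the hidden root X0 are constructed for the example.

```python
from fractions import Fraction
from math import isqrt


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL reduction of integer row vectors, using exact rationals."""
    b = [list(row) for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = Fraction(dot(b[i], bstar[j])) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * bj for vi, bj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size reduction of b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b


def icbrt(n):
    """Floor of the integer cube root."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def integer_roots(h):
    """Integer roots of h[0] + h[1]*x + h[2]*x^2 (degree at most 2)."""
    c0, c1, c2 = h
    if c2 == 0:
        return [-c0 // c1] if c1 != 0 and c0 % c1 == 0 else []
    disc = c1 * c1 - 4 * c2 * c0
    if disc < 0:
        return []
    s = isqrt(disc)
    if s * s != disc:
        return []
    return [num // (2 * c2) for num in (-c1 + s, -c1 - s) if num % (2 * c2) == 0]


def coppersmith_small_root(a, b, N):
    """Find x0 with x0^2 + a*x0 + b = 0 (mod N) and |x0| <= X, X about N^(1/3)/3.

    Rows are the coefficient vectors of N, N*x and f(x*X): every polynomial in
    the lattice vanishes at x0 mod N.  By Howgrave-Graham, a lattice vector of
    norm below N/sqrt(3) gives a polynomial h with h(x0) = 0 over the integers,
    and LLL is guaranteed to find one once X < N^(1/3)/sqrt(6).
    """
    X = icbrt(N) // 3
    a, b = a % N, b % N
    basis = [[N, 0, 0], [0, N * X, 0], [b, a * X, X * X]]
    for row in lll(basis):
        h = [row[0], row[1] // X, row[2] // (X * X)]  # undo the X scaling
        for x0 in integer_roots(h):
            if abs(x0) <= X and (x0 * x0 + a * x0 + b) % N == 0:
                return x0
    return None


# Constructed instance: 150-bit modulus, arbitrary coefficient, hidden root about N^0.31.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
A = 0x1F2E3D4C5B6A79880123456789ABCDEF
X0 = 123456789012345
B = (-(X0 * X0 + A * X0)) % N


def demo():
    return coppersmith_small_root(A, B, N)


if __name__ == "__main__":
    print(demo() == X0)
```

Three rows only reach roots up to N^(1/3) for a degree-2 polynomial; the full N^(1/d) bound of Coppersmith's theorem comes from adding x-shifts and powers of f to the lattice, which is the construction May's survey walks through. In Sage, `Matrix(ZZ, basis).LLL()` replaces the `lll` function here and scales to those larger lattices.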

10/30 | Lattice-based cryptography |
- Lattice-based cryptography by Micciancio and Regev (2008) *(paper presentation by Justin H.)*
- The learning with errors problem by Regev (2010)
- On ideal lattices and learning with errors over rings by Lyubashevsky, Peikert, and Regev (2010) *(paper presentation by Kevin S.)*
| |

11/6 | Fully-homomorphic encryption |
- Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based by Gentry, Sahai, and Waters (2013) *(paper presentation by Kevin T.)*
| |

11/13 | Polynomial lattices and error-correcting codes |
- Ideal forms of Coppersmith's theorem and Guruswami-Sudan list decoding by Cohn and Heninger (2011) *(paper presentation by Arthur A.)*
- Approximate common divisors via lattices by Cohn and Heninger (2012)
| |

11/20 | Privacy-enhancing technologies |
- Tor: The second-generation onion router by Dingledine, Mathewson, and Syverson (2004) *(paper presentation by Harjot G.)*
- Off-the-record communication, or, why not to use PGP by Borisov, Goldberg, and Brewer (2004) *(paper presentation by Andrew R.)*
- Bitcoin: A Peer-to-Peer Electronic Cash System by Nakamoto (2008) *(paper presentation by Nikos V.)*
| Try using the Tor browser. Try using OTR. |

11/27 | No class; Thanksgiving schedule | ||

12/4 | Probably no class. |

**Textbooks and references:**

- Introduction to Modern Cryptography by Katz and Lindell. A comprehensive introductory-level textbook covering both theory and practice.
- Introduction to Modern Cryptography by Bellare and Rogaway. Course notes for an introductory course.
- Cryptography Engineering by Ferguson, Schneier, and Kohno. A practice-oriented introductory text.
- The Handbook of Applied Cryptography by Menezes, van Oorschot, and Vanstone. A classic reference, though somewhat out of date.