I will be teaching CS6111: Foundations of Cryptography in Semester 1, 2023-24. The course will cover foundations of cryptography with a focus on the theoretical foundations underpinning modern cryptography and with emphasis on security definitions and rigorous proofs of security.
The course will require mathematical maturity and has a significant mathematical component. No advanced mathematical knowledge is necessary but familiarity with discrete mathematics and theory of computation will be helpful.
I will primarily be following the textbook Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell. Some additional references that are freely available are given below.
Instructor: Aishwarya Thiruvengadam. Email: aishwarya at cse dot iitm dot ac dot in.
Teaching Assistants: Jyothishmathi (cs22m049 at smail.iitm.ac.in), Vikram (cs19b021 at smail.iitm.ac.in), Pallavi (cs20d202 at smail.iitm.ac.in)
The class will be held at SSB 134/135 on Mondays 17:00-17:50, Wednesdays 14:00-15:15 and Thursdays 15:30-16:45.
Grading will be based on homework assignments (30%), scribe notes (8%), midterm exam (25%), final exam (35%) and class participation (2%).
Students may collaborate on homework assignments but the names of the student(s) with whom one has collaborated must be written down.
Lectures 1 & 2: Introduction. Syntax of private-key encryption. Historical ciphers and their cryptanalysis. Reading: Chapter 1
Lectures 3 & 4: Definition of perfect Secrecy and its equivalent formulation. Perfect indistinguishability. Reading: Chapter 2.1
Lectures 5 & 6: The One-Time Pad. Limitations of Perfect Secrecy. Computational Security. Reading: Chapters 2.2, 2.3 and 3.1.
Lectures 7, 8 & 9: Defining Computationally Secure Encryption. Pseudorandom Generators. Reading: Chapter 3.2 (up to Definition 3.8), Chapter 3.3 (up to Construction 3.17; excluding the section on Stream Ciphers).
Lectures 10 & 11: Security for Multiple Encryptions. Chosen-Plaintext Attacks and CPA-Security. CPA-Security for Multiple Encryptions. Reading: Chapter 3.4.
Lectures 12 & 13: Pseudorandom Functions. CPA-Secure Encryption from Pseudorandom Functions. Reading: Chapter 3.5.1 (up to Example 3.26), Chapter 3.5.2.
Lecture 14: Pseudorandom Permutations/ Block Ciphers. Block Cipher Modes of Operation. Reading: Chapter 3.5.1 (from Pseudorandom Permutations/ Block Ciphers), Chapter 3.6.2 (up to Theorem 3.32).
Lectures 15 & 16: CPA-security of Counter Mode. Chosen-Ciphertext Attacks. Padding Oracle Attacks. Reading: Chapter 3.6.2 (from Theorem 3.32), Chapter 3.7.
Lectures 17 & 18: Message Integrity. Message Authentication Codes. Fixed-length MAC. Reading: Chapters 4.1, 4.2 and 4.3.1.
Lecture 19: Domain Extension for MACs, CBC-MAC. Reading: Chapters 4.3.2 and 4.4.1.
Lectures 20 & 21: Authenticated Encryption. Generic Constructions. CCA-Secure Encryption. Reading: Chapters 4.5.1, 4.5.2 and 4.5.4.
Lecture 22: Key Distribution and Key Management. Key Exchange. Reading: Chapter 10.1 and 10.3 (up to Definition 10.1). Optional Reading: Chapter 10.2.
Lectures 23 & 24: The Diffie-Hellman key-exchange protocol. The Discrete-Logarithm and Diffie-Hellman Assumptions. Reading: Chapter 8.3.2 and 10.3 (from Definition 10.1). Background Reading on group theory: Groups, Group Exponentiaion, Cyclic groups and generators from Chapter 8.1.3 and 8.3.1.
Lecture 25: Proof of security of the Diffie-Hellman key-exchange protocol. The Public-Key Revolution. Public-Key Encryption. Reading: Chapter 10.3 (from Theorem 10.3), 10.4, 11.1 and 11.2 (up to Definition 11.1).
Lectures 25 & 26: Security against Chosen-Plaintext Attacks. Multiple Encryptions. Reading: Chapters 11.2.1 and 11.2.2 (excluding Proof of Theorem 11.6).
Lectures 27 & 28: El Gamal Encryption and its proof of Security based on DDH assumption. Reading: Chapter 11.4.1.
Lecture 29: Hybrid Encryption. Security against Chosen-Ciphertext Attacks. Vulnerability of El Gamal encryption scheme to chosen-ciphertext attacks. Reading: Chapters 11.3 (only up to paragraph below Figure 11.1), 11.2.3, 11.4.4 (only the first paragraph).
Lecture 30: The Group Z_N*. The Factoring Assumption. Reading: Chapters 8.1.4, 8.2 (only up to the discussion on the weak factoring experiment preceding Section 8.2.1) and 8.2.3. Background Reading on Modular Arithmetic: Chapter 8.1.2.
Lecture 31: The RSA Assumption. Plain RSA Encryption and its Insecurity. Reading: Chapters 8.2.4 and 11.5.1 (up to the paragraph after Example 11.27). Optional Reading: More attacks on Plain RSA in Chapter 11.5.1.
Lecture 32: Padded RSA. CCA-security of RSA-based encryption schemes. Reading: Chapter 11.5.2 (the attack on RSA PKCS #1 v1.5 was not discussed in class), 11.5.4 (up to Figure 11.4).
Lecture 33: RSA-OAEP. Digital Signatures. Security Definitions. Insecurity of Plain RSA Signature. RSA-FDH. Reading: Chapter 11.5.4 (from RSA-OAEP onwards), 12.1, 12.2, 12.4 (up to Construction 12.6). Optional Reading: RSA Implementation Issues and Pitfalls covered in Chapter 11.5.6.
Readings above refer to sections from the second edition of the textbook Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell. Additional references that are freely available:
A Graduate Course in Applied Cryptography by Boneh and Shoup.
Lecture Notes on Cryptography by Goldwasser and Bellare.
CSE207:Modern Cryptography by Bellare.
The Joy of Cryptography by Rosulek.