Teaching
I will be teaching CS6111: Foundations of Cryptography in Semester 1, 2023-24. The course will cover foundations of cryptography with a focus on the theoretical foundations underpinning modern cryptography and with emphasis on security definitions and rigorous proofs of security.
The course will require mathematical maturity and has a significant mathematical component. No advanced mathematical knowledge is necessary but familiarity with discrete mathematics and theory of computation will be helpful.
I will primarily be following the textbook Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell. Some additional references that are freely available are given below.
General Information:
Instructor: Aishwarya Thiruvengadam. Email: aishwarya at cse dot iitm dot ac dot in.
Teaching Assistants: Jyothishmathi (cs22m049 at smail.iitm.ac.in), Vikram (cs19b021 at smail.iitm.ac.in), Pallavi (cs20d202 at smail.iitm.ac.in)
The class will be held at SSB 134/135 on Mondays 17:00-17:50, Wednesdays 14:00-15:15 and Thursdays 15:30-16:45.
Grading will be based on homework assignments (30%), scribe notes (8%), midterm exam (25%), final exam (35%) and class participation (2%).
Students may collaborate on homework assignments but the names of the student(s) with whom one has collaborated must be written down.
Lecture Schedule:
Lectures 1 & 2: Introduction. Syntax of private-key encryption. Historical ciphers and their cryptanalysis. Reading: Chapter 1
Lectures 3 & 4: Definition of perfect Secrecy and its equivalent formulation. Perfect indistinguishability. Reading: Chapter 2.1
Lectures 5 & 6: The One-Time Pad. Limitations of Perfect Secrecy. Computational Security. Reading: Chapters 2.2, 2.3 and 3.1.
Lectures 7, 8 & 9: Defining Computationally Secure Encryption. Pseudorandom Generators. Reading: Chapter 3.2 (up to Definition 3.8), Chapter 3.3 (up to Construction 3.17; excluding the section on Stream Ciphers).
Lectures 10 & 11: Security for Multiple Encryptions. Chosen-Plaintext Attacks and CPA-Security. CPA-Security for Multiple Encryptions. Reading: Chapter 3.4.
Lectures 12 & 13: Pseudorandom Functions. CPA-Secure Encryption from Pseudorandom Functions. Reading: Chapter 3.5.1 (up to Example 3.26), Chapter 3.5.2.
Lecture 14: Pseudorandom Permutations/ Block Ciphers. Block Cipher Modes of Operation. Reading: Chapter 3.5.1 (from Pseudorandom Permutations/ Block Ciphers), Chapter 3.6.2 (up to Theorem 3.32).
Lectures 15 & 16: CPA-security of Counter Mode. Chosen-Ciphertext Attacks. Padding Oracle Attacks. Reading: Chapter 3.6.2 (from Theorem 3.32), Chapter 3.7.
Lectures 17 & 18: Message Integrity. Message Authentication Codes. Fixed-length MAC. Reading: Chapters 4.1, 4.2 and 4.3.1.
Lecture 19: Domain Extension for MACs, CBC-MAC. Reading: Chapters 4.3.2 and 4.4.1.
Lectures 20 & 21: Authenticated Encryption. Generic Constructions. CCA-Secure Encryption. Reading: Chapters 4.5.1, 4.5.2 and 4.5.4.
Lecture 22: Key Distribution and Key Management. Key Exchange. Reading: Chapter 10.1 and 10.3 (up to Definition 10.1). Optional Reading: Chapter 10.2.
Lectures 23 & 24: The Diffie-Hellman key-exchange protocol. The Discrete-Logarithm and Diffie-Hellman Assumptions. Reading: Chapter 8.3.2 and 10.3 (from Definition 10.1). Background Reading on group theory: Groups, Group Exponentiaion, Cyclic groups and generators from Chapter 8.1.3 and 8.3.1.
Lecture 25: Proof of security of the Diffie-Hellman key-exchange protocol. The Public-Key Revolution. Public-Key Encryption. Reading: Chapter 10.3 (from Theorem 10.3), 10.4, 11.1 and 11.2 (up to Definition 11.1).
Lectures 25 & 26: Security against Chosen-Plaintext Attacks. Multiple Encryptions. Reading: Chapters 11.2.1 and 11.2.2 (excluding Proof of Theorem 11.6).
Lectures 27 & 28: El Gamal Encryption and its proof of Security based on DDH assumption. Reading: Chapter 11.4.1.
Lecture 29: Hybrid Encryption. Security against Chosen-Ciphertext Attacks. Vulnerability of El Gamal encryption scheme to chosen-ciphertext attacks. Reading: Chapters 11.3 (only up to paragraph below Figure 11.1), 11.2.3, 11.4.4 (only the first paragraph).
Lecture 30: The Group Z_N*. The Factoring Assumption. Reading: Chapters 8.1.4, 8.2 (only up to the discussion on the weak factoring experiment preceding Section 8.2.1) and 8.2.3. Background Reading on Modular Arithmetic: Chapter 8.1.2.
Lecture 31: The RSA Assumption. Plain RSA Encryption and its Insecurity. Reading: Chapters 8.2.4 and 11.5.1 (up to the paragraph after Example 11.27). Optional Reading: More attacks on Plain RSA in Chapter 11.5.1.
Lecture 32: Padded RSA. CCA-security of RSA-based encryption schemes. Reading: Chapter 11.5.2 (the attack on RSA PKCS #1 v1.5 was not discussed in class), 11.5.4 (up to Figure 11.4).
Lecture 33: RSA-OAEP. Digital Signatures. Security Definitions. Insecurity of Plain RSA Signature. RSA-FDH. Reading: Chapter 11.5.4 (from RSA-OAEP onwards), 12.1, 12.2, 12.4 (up to Construction 12.6). Optional Reading: RSA Implementation Issues and Pitfalls covered in Chapter 11.5.6.
References:
Readings above refer to sections from the second edition of the textbook Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell. Additional references that are freely available:
A Graduate Course in Applied Cryptography by Boneh and Shoup.
Lecture Notes on Cryptography by Goldwasser and Bellare.
CSE207:Modern Cryptography by Bellare.
The Joy of Cryptography by Rosulek.