Problem Set 1 (PostScript) (PDF)

Problem Set 2 (PostScript) (PDF)

Problem Set 3 (PostScript) (PDF)

Lecture schedule:

- Lecture 1 (Jan. 17): Notions of security for public-key encryption: [BDPR98]. We didn't cover a follow-up that discusses three equivalent definitions of non-malleability [BS99].
- Lecture 2 (Jan. 19): Three equivalent notions of nonmalleability [BS99] (briefly); begin Cramer-Shoup CCA2-secure encryption [CS98] (journal version, 2003)
- Lecture 3 (Jan. 24) More on Cramer-Shoup encryption
- Lecture 4 (Jan. 26) Security and authenticity for symmetric encryption: definitions and relations [KY00] (journal version, 2006)
- Lecture 5 (Jan. 31) One-time security symmetric encryption [KY00]; CPA-secure symmetric encryption: counter mode with random IV [BDJR97]; CCA-secure symmetric encryption: constructions via composition [BN00]
- Lecture 6 (Feb. 2) Hybrid (public+symmetric) encryption and the KEM-DEM paradigm [CS98]; Gennaro-Shoup improvement to Cramer-Shoup [GS04]. We didn't get to signcryption (combining signatures and encryption), but if it is a subject that interests you, then [Dod05] is a good short survey, and Zheng's page is quite comprehensive.
- Lecture 7 (Feb. 7) ElGamal encryption based on computational Diffie-Hellman in the random oracle model. Introduction to elliptic curves and bilinear pairings in cryptography.
- Lecture 8 (Feb. 9) Short signatures based on pairings [BLS01]; identity-based encryption in the random-oracle model [BF01]
- Lecture 9 (Feb. 14) Finish up [BF01]. Start identity-based encryption without random oracles (selective-id secure only) [BB04a]. Please note that I am converting notation for [BB04a] for the group *G*₁ from multiplicative to additive to be consistent with what we did before; also, at least for now, I am removing all the hierarchical stuff. Here is the notation equivalence table.
- Lecture 10 (Feb. 16). Continue [BB04a]. CCA2 security from IBE [CHK04], [BK05], combined as [BCHK05].
- Lecture 11 (Feb. 23). Hierarchical IBE [GS02] with random oracles; selective-id secure hierarchical IBE without random oracles [BB04a] (and adding CCA2 via [BCHK05]). IBE without random oracles [BB04b].
- Lecture 12 (Feb. 28). Forward-secure digital signatures [BM99]: definition and tree-based construction.
- Lecture 13 (Mar. 2). Krawczyk's forward-secure signatures [Kra00]; begin Itkis-Reyzin forward-secure signatures [IR01].
- Lecture 14 (Mar. 14). Guillou-Quisquater identification and signatures [GQ88a], [GQ88b]; forking lemma [PS96], [OO98]; from identification to signatures via the Fiat-Shamir transform [FS86], [AABN02]
- Lecture 15 (Mar. 16). Itkis-Reyzin forward-secure signatures (guest lecture by Gene Itkis) [IR01].
- Lecture 16 (Mar. 21). Finish forward-secure signatures; brief introduction to intrusion-resilient model [IR02].
- Lecture 17 (Mar. 23). Forward-secure encryption [CHK03].
- Lecture 18 (Mar. 28). t-wise independent hashing; pairwise-independent hashing and Wegman-Carter MACs [WC81].
- Lecture 19 (Mar. 30). Finish up Wegman-Carter MACs; application of pairwise-independent hashing to hash tables [CW77], [CW79]; statistical distance; start leftover hash lemma [ILL89], [HILL99] (we are following the exposition from [Sti02], see also references therein).
- Lecture 20 (Apr. 4). Leftover hash lemma and applications.
- Lecture 21 (Apr. 6). Guest lecture on Tor by Roger Dingledine.
- Lecture 22 (Apr. 11). Fuzzy extractors [DORS06].
- Lecture 23 (Apr. 13). Student presentations: Danielle (Forward Security for Secret-Key Cryptography [BY03]), Bhavana (Correcting Errors without Leaking Partial Information [DS05], see also [DS04]).
- Lecture 24 (Apr. 18). Student presentations: Debajyoti (Minicrypt, Cryptomania and Pessiland [Imp95] [GST05] [Wee06]), Ben (Key-Insulated cryptography [DKXY02]).
- Lecture 25 (Apr. 20). Student presentations: Kevin (Formal models of cryptographic protocols under active attacks [Her05] [ABHS05]; Kevin's notes), Konrad (Side-Channel Attacks and Countermeasures).
- Lecture 26 (Apr. 25). Student presentations: Nenad (One way functions and pseudorandom generators [GL89] [HILL99]), David (Proving the existence of one-way functions [AGGM05] [Imp95] [GG98] [BT03]).
- Lecture 27 (Apr. 27). Student presentations: Konstantin (Rational Secure Multiparty Computation [IML06]), Thinh (MMM Forward-Secure Signatures [MMM02]).
