Boston University CAS CS 548: AdvancedCryptography
Problem Set 1 (PostScript) (PDF)
Problem Set 2 (PostScript) (PDF)
Problem Set 3 (PostScript) (PDF)
- Lecture 1 (Jan. 17): Notions of security for public-key encryption:
We didn't cover a follow-up that discusses three equivalent definitions
- Lecture 2 (Jan. 19):
Three equivalent notions of nonmalleability [BS99] (briefly); begin Cramer-Shoup CCA2-secure encryption [CS98] (journal version, 2003)
- Lecture 3 (Jan. 24) More on Cramer-Shoup encryption
- Lecture 4 (Jan. 26) Security and authenticity for symmetric encryption: definitions and relations [KY00] (journal version, 2006)
- Lecture 5 (Jan. 31) One-time security symmetric encryption
CPA-secure symmetric encryption: counter mode with random IV [BDJR97];
CCA-secure symmetric encryption: constructions via composition [BN00]
- Lecture 6 (Feb. 2) Hybrid (public+symmetric) encryption and the KEM-DEM paradigm [CS98];
Gennaro-Shoup improvement to Cramer-Shoup [GS04]. We didn't get to signcryption (combining signatures and encryption), but if it is a subject that interests you, then [Dod05] is a good short survey, and Zheng's page is quite comprehensive.
- Lecture 7 (Feb. 7) ElGamal encryption based on computaional Diffie-Hellman in the random oracle model. Introduction to elliptic curves and bilinear pairings
- Lecture 8 (Feb. 9) Short signatures based on pairings [BLS01]; identity-based
encryption in the random-orcle model [BF01]
- Lecture 9 (Feb. 14) Finish up [BF01]. Start identity-based encryption
without random oracles (selective-id secure only) [BB04a]. Please note that I am converting
notation for [BB04a] for the group G1 from multiplicative
to additive to be consistent with what did before; also, at least for now, I am removing all the hierarchical stuff. Here is the notation equivalence table.
- Lecture 10 (Feb. 16). Continue [BB04a].
CCA2 security from IBE [CHK04],
combined as [BCHK05].
- Lecture 11 (Feb. 23). Hierarchical IBE [GS02] with random oracles; selective-id secure hierarchical IBE without random oracles
(and adding CCA2 via [BCHK05]).
IBE without random oracles
- Lecture 12 (Feb. 28). Forward-secure digital signatures [BM99]: definition and tree-based
- Lecture 13 (Mar. 2). Krawczyk's forward-secure signatures [Kra00]; begin Itkis-Reyzin forward-secure signatures [IR01].
- Lecture 14 (Mar. 14). Guilliou-Quisquater identification and signatures
forking lemma [PS96], [OO98];
from identification to signatures via the Fiat-Shamir transform [FS86], [AABN02]
- Lecture 15 (Mar. 16). Itkis-Reyzin forward-secure signatures (guest lecture by Gene Itkis) [IR01].
- Lecture 16 (Mar. 21). Finish forward-secure signatures; brief introduction
to intrusion-resilient model [IR02].
- Lecture 17 (Mar. 23). Forward-secure encryption [CHK03].
- Lecture 18 (Mar. 28). t-wise independent hashing; pairwise-independent
hashing and Wegman-Carter MACs [WC81].
- Lecture 19 (Mar. 30). Finish up Wegman-Carter MACs; application of
pairwise-independent hashing to hash tables [CW77],
[CW79]; statistical distance; start
leftover hash lemma
(we are following the exposition from [Sti02], see also references therein).
- Lecture 20 (Apr. 4). Leftover hash lemma and applications.
- Lecture 21 (Apr. 6). Guest lecture on Tor by
- Lecture 22 (Apr. 11). Fuzzy extractors [DORS06].
- Lecture 23 (Apr. 13). Student presentations: Danielle (Forward Security for Secret-Key Cryptography [BY03]), Bhavana (Correcting Errors without Leaking Partial Information [DS05], see also [DS04]).
- Lecture 24 (Apr. 18). Student presentations: Debajyoti (Minicrypt, Cryptomania and Pessiland [Imp95] [GST05]
[Wee06]), Ben (Key-Insulated cryptography [DKXY02]).
- Lecture 25 (Apr. 20). Student presentations: Kevin (Formal
models of cryptographic protocols under active attacks [Her05] [ABHS05] Kevin's notes, Konrad (Side-Channel Attacks and Countermeasures).
- Lecture 26 (Apr. 25). Student presentations: Nenad
(One way functions and pseudorandom generators, [GL89]) [HILL99]),
David (Proving the existence of one-way functions [AGGM05]
- Lecture 27 (Apr. 27). Student presentations: Konstantin (Rational Secure Multiparty Computation [IML06]), Thinh (MMM Forward-Secure Signatures [MMM02]).
Note: to view Adobe Acrobat files, you need to install the free Acrobat Reader.