W4261 Introduction to Cryptography:
Spring 2022 Lecture Summaries
Lecture notes from class (lightly edited) are uploaded to courseworks (under "files").
Below are brief summaries written after each lecture, of
what was covered, together with recommended readings (in some
cases, when explicitly indicated, the readings are required).
Readings refer by default to chapters from the
required textbook, though sometimes may include pointers to other
texts found on the readings page, or
to handouts written by us. The material in class does not
correspond exactly to the material in the textbook. Often the
readings below contain significantly more details and proofs than
covered in class. Conversely, class sometimes contains material
that is not in the textbook (I'll try to indicate when this is the
case).
You are (only) responsible for (all) the material taught in class,
any readings explicitly marked below as required (even if not
covered in class), and anything covered by our homework.
It will be assumed that before each lecture you carefully go
over the previous lecture and required readings (if any).
- Lecture 1 (9/5)
Introduction to modern cryptography, overview of this class.
Definition of private key encryption scheme syntax and
correctness. Kerckhoffs' principle. Overview of some basic
historical ciphers (Atbash, shift, substitution) and simple attacks
(brute force/exhaustive search, frequency
analysis). Motivation for rigorous
definition of security and discussion of what secrecy for
private key encryption should mean
(assuring that the key is hard to guess or that the message is hard
to guess are not sufficient for security;
definition of secrecy should work for any message distribution or
prior knowledge of the adversary).
Reading: Chapter 1.
- Lecture 2 (9/7)
Discussion leading to two equivalent definitions of perfect
secrecy, capturing the intuition that the ciphertext
contains no new information about the plaintext (we did not
prove equivalence of the definitions).
Proved that the shift cipher is not perfectly secret.
Defined the one-time pad (OTP) encryption scheme and
proved that it is perfectly secret.
Discussed two problems with OTP, related to efficiency and security.
First, it requires the keys to be as long as the messages.
Second, it cannot be used more than one time: we defined
perfect secrecy for encryption of two messages, and claimed
that OTP does not satisfy it.
We mentioned (and will prove next time) that both
these problems are in fact inherent to every perfectly secret
scheme: any such scheme must have a key space as large as the
message space, and no such scheme can be perfectly secret for
two messages.
Reading: 2.1-2.3
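As an added example (not part of the lecture notes), the following Python checks the "ciphertext distribution does not depend on the message" formulation of perfect secrecy exhaustively: it fails for the shift cipher on two-letter messages, holds for the one-time pad, and the last function shows the key-reuse leak behind the two-message claim. The small alphabets and message spaces are constructed for the example.

```python
# Added example (not from the course notes): perfect secrecy as "the ciphertext
# distribution does not depend on the message", checked exhaustively for the
# shift cipher and for the one-time pad over small message spaces.
from collections import Counter
from itertools import product

def shift_enc(key, msg, alphabet_size=26):
    """Shift cipher: letters as integers mod alphabet_size, key is the shift."""
    return tuple((c + key) % alphabet_size for c in msg)

def otp_enc(key, msg):
    """One-time pad over bit strings: ciphertext = key XOR message."""
    return tuple(k ^ m for k, m in zip(key, msg))

def ciphertext_distribution(enc, keys, msg):
    """Pr[Enc_K(msg) = c] over a uniform key K, as a dict c -> probability."""
    counts = Counter(enc(k, msg) for k in keys)
    return {c: n / len(keys) for c, n in counts.items()}

def perfectly_secret(enc, keys, messages):
    """Perfect secrecy (one formulation from Lecture 2): for all m0, m1 and c,
    Pr[Enc_K(m0) = c] == Pr[Enc_K(m1) = c]. Checked over the given messages."""
    dists = [ciphertext_distribution(enc, keys, m) for m in messages]
    return all(d == dists[0] for d in dists)

# Shift cipher on two-letter messages: 26 keys but 26^2 messages.
SHIFT_KEYS = range(26)
SHIFT_MSGS = [(0, 0), (0, 1)]        # constructed: "aa" and "ab"

def shift_is_perfectly_secret():
    # "aa" always encrypts to a repeated letter, "ab" never does: distributions differ.
    return perfectly_secret(shift_enc, SHIFT_KEYS, SHIFT_MSGS)

# OTP on 3-bit messages: key space equals message space, every ciphertext equally likely.
OTP_KEYS = list(product([0, 1], repeat=3))

def otp_is_perfectly_secret():
    return perfectly_secret(otp_enc, OTP_KEYS, OTP_KEYS)

def two_time_pad_leak(key, m0, m1):
    """Reusing an OTP key: an eavesdropper XORs the two ciphertexts and learns m0 XOR m1."""
    c0, c1 = otp_enc(key, m0), otp_enc(key, m1)
    return tuple(a ^ b for a, b in zip(c0, c1))
```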
- Lecture 3 (9/12)
Proved that every perfectly secret
scheme must have a key space at least as large as the message
space (so, if these spaces consist of all strings of a
certain length, the key length cannot be shorter than the
message length). Proved that no encryption scheme can satisfy
correctness and perfect secrecy for two messages.
Motivated computational security and our
asymptotic approach (security only against polynomial time
adversaries, and allowing negligible probability of adversary
success). Definition of EAV-security (indistinguishability
in the presence of an eavesdropper--single ciphertext only attack).
Noted that if we remove the restriction on the adversary's
running time, and set the advantage to 0 (rather than
negligible), this would become another equivalent definition of
perfect secrecy.
Mentioned that EAV secure encryption is equivalent to many
other primitives (that we will define later) such as OWF, PRG, PRF,
stronger notions of secure
encryption, block ciphers, MACs, signature schemes, and many others (they are
all equivalent in the sense that
one primitive exists if and only if the other one does).
Mentioned that we don't know how to unconditionally prove that
an EAV-secure encryption scheme (or the equivalent primitive)
exists -- if we could prove it,
we would have a proof that P is not equal to NP. This is why
assumptions are necessary.
Constructing secure private key encryption from this minimal
assumption P ≠ NP is not known and is a major open problem
(instead, we know how to construct it from stronger assumptions,
as we will see later).
Reading: 3.1, 3.2.1. (you may be interested in
3.2.2, but we will not cover it).
- Lecture 4 (9/14)
Discussed and defined pseudorandom generators (PRG).
Mentioned that there cannot be a PRG secure against unbounded
adversaries (we'll prove next time).
Showed some examples of how to prove a suggested construction
is not a PRG, and an example of a construction of a PRG from
another PRG. Discussed structure of cryptographic proofs via
reductions.
Reading: 3.3.1, 3.3.2
- Lecture 5 (9/19)
Proved that an algorithm D that can tell whether a given
element is in the range (image) of G, can break G (distinguish
its outputs from random with non-negligible probability).
Such an algorithm can always be implemented inefficiently via
exhaustive search, and thus no PRG exists that is secure
against unbounded adversaries. If such an algorithm can be
implemented efficiently for some G, then that G is not a PRG.
We noted that checking if an
element is in the image can be easily verified given a witness
(preimage), and thus if P=NP no PRG can exist.
We quickly covered a candidate number-theoretic PRG: in some
finite groups of prime order, given the group and a generator
g, the algorithm G(a,b)=(g^a,g^b,g^{ab}) is believed to be
pseudorandom (and is certainly efficiently computable,
deterministic, and length expanding). The assumption that it's
pseudorandom is called the DDH assumption, and we will revisit
it later in class, with much more detail (so it's ok if you
did not follow this example at this point in class).
We proved that if G is a PRG then G(G(·)) is also a
PRG. Our proof used the hybrid method
(with one hybrid in between the two distributions we need to
prove indistinguishable), which is a very common technique.
We showed that if there's a PRG with
any expansion (even one bit), then there's a PRG with any
polynomial expansion (we sketched the proof, which generates
one bit at a time, sometimes called a stream cipher).
Reading: 3.3. The construction increasing the expansion is
described and proved in 8.4.2 (the proof is not part of the
class material). The DDH-based PRG is not in the textbook,
but the assumption itself is definition 8.63 in the textbook
(you are not responsible for it at this point in class).
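As an added example (not from the notes), the Python below makes the image-membership argument concrete: a toy length-doubling G (a SHA-256 stand-in chosen here, not a construction from the course) is broken by exhaustive search over its 2^N seeds with an exactly computed advantage, and a second construction that repeats its seed is broken by an efficient membership test, which is the "show a candidate is not a PRG" pattern from Lecture 4.

```python
# Added example (not from the notes): the Lecture 5 argument that a test for
# "is y in the image of G?" breaks G, made concrete for a toy length-doubling G
# with N-bit seeds, where exhaustive search over all 2^N seeds is feasible.
import hashlib
from itertools import product

N = 8                                  # seed length in bits (toy size, fixed)

def G(seed_bits):
    """Toy candidate PRG mapping N bits to 2N bits. The construction (SHA-256 of
    the seed, truncated) is a stand-in chosen for this example, not from the notes."""
    seed_byte = sum(b << i for i, b in enumerate(seed_bits)).to_bytes(1, "big")
    digest = hashlib.sha256(seed_byte).digest()
    return tuple((digest[i // 8] >> (i % 8)) & 1 for i in range(2 * N))

def image_of_G():
    """Exhaustive search: evaluate G on every seed (2^N work, exponential in N)."""
    return {G(s) for s in product([0, 1], repeat=N)}

def distinguisher_D(y, image):
    """D(y) = 1 iff y lies in the image of G."""
    return y in image

def advantage():
    """|Pr[D(G(s)) = 1] - Pr[D(r) = 1]| computed exactly: the first probability is 1
    (every G(s) is in the image), the second is |image| / 2^(2N) <= 2^N / 2^(2N)."""
    image = image_of_G()
    pr_on_prg_output = 1.0
    pr_on_uniform = len(image) / 2 ** (2 * N)
    return pr_on_prg_output - pr_on_uniform

def bad_G(seed_bits):
    """A construction that is NOT a PRG: it repeats the seed, so membership in its
    image is decided efficiently (first half == second half) with no search at all."""
    return tuple(seed_bits) + tuple(seed_bits)

def efficient_D_for_bad_G(y):
    """Efficient distinguisher for bad_G: accepts exactly the image of bad_G, so it
    outputs 1 on every bad_G output but on only a 2^-N fraction of uniform strings."""
    half = len(y) // 2
    return y[:half] == y[half:]
```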
- Lecture 6 (9/21)
We proved that if a PRG exists,
then there exists an EAV-secure encryption scheme (based on a
pseudorandom one-time pad). This is not secure for multiple
messages, but can be used in a stateful mode (encryption via
stream cipher). Our definition of encryption is stateless, which
is preferable in most cases. Defined CPA security, which implies
multiple message security. Explained why any CPA secure scheme
must have randomized encryption (in fact, with the same key and
the same message, the encryption algorithm must have super-poly
many possible ciphertexts that it can output).
How we could possibly construct such a scheme still remains a
mystery (but not for long!)
Reading: 3.4 (and if you want to read ahead, 3.5.1)
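As an added example (not from the notes), the Python below implements the pseudorandom one-time pad, runs the chosen-plaintext attack that any deterministic scheme admits (query Enc(m0), then compare against the challenge ciphertext), and shows the stateful stream-cipher mode in which sender and receiver advance through the keystream together. The keystream generator is a SHA-256 counter-mode stand-in for an abstract PRG, an assumption of this example.

```python
# Added example (not from the notes): the pseudorandom one-time pad of Lecture 6,
# the CPA attack its deterministic encryption admits, and the stateful stream-cipher
# mode that never reuses keystream. The keystream generator is a stand-in for an
# abstract PRG (built from SHA-256 in counter mode, an assumption of this example).
import hashlib

def prg(seed: bytes, out_len: int) -> bytes:
    """Stand-in PRG: expand a short seed to out_len pseudorandom bytes."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pseudo_otp_enc(key: bytes, msg: bytes) -> bytes:
    """Stateless pseudorandom OTP: c = G(k) XOR m. EAV-secure if G is a PRG, but
    deterministic, so encrypting the same message twice gives the same ciphertext."""
    return xor(prg(key, len(msg)), msg)

def cpa_attack_always_wins(enc) -> bool:
    """CPA adversary against a deterministic scheme: query Enc(m0), then submit
    (m0, m1) as the challenge and compare the challenge ciphertext with the query.
    Returns True iff the adversary guesses the challenge bit b correctly for both b."""
    m0, m1 = b"attack at dawn", b"attack at dusk"   # constructed, equal length
    query_ct = enc(m0)
    for b in (0, 1):
        challenge_ct = enc(m1 if b == 1 else m0)
        guess = 0 if challenge_ct == query_ct else 1
        if guess != b:
            return False
    return True

class StreamCipher:
    """Stateful mode: each message consumes fresh keystream; sender and receiver
    keep the same position, and XOR makes encrypt and decrypt the same operation."""
    def __init__(self, key: bytes):
        self.key, self.pos = key, 0

    def process(self, data: bytes) -> bytes:
        stream = prg(self.key, self.pos + len(data))[self.pos:]
        self.pos += len(data)
        return xor(stream, data)

def stream_cipher_round_trip(key: bytes, msgs) -> bool:
    """Sender and receiver with the same key and state decrypt every message."""
    sender, receiver = StreamCipher(key), StreamCipher(key)
    return all(receiver.process(sender.process(m)) == m for m in msgs)
```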