CAS CS 538 Cryptography
Administrativia
General info
Instructor: Gene Itkis (itkis+cs538@cs.bu.edu)
Course page: www.cs.bu.edu/fac/itkis/538 (also reachable from the CS dept. courses page)
11/22/2018 Gene Itkis, CS538 Crypto
General Info
Prerequisite: CS 332 or consent of instructor
Relation to CS458: overlap exists, but the approach is different; here (CS538) it is much more formal and rigorous
Homeworks: pen and paper, roughly weekly
Info sources
Web page: www.cs.bu.edu/~itkis/538
Office hours: M 12-1pm, W 2:30-4:30pm
Email: mailing list, subscribe with csmail -a cs538
For personal mail remember: there are many of you, 1 of me. So please do not take it personally in case of delays. Do not hesitate to call or stop by, esp. in case of delays!
Collaboration
NO!!!
Discussing concepts and ideas, as well as system features, is OK (encouraged!!!)
Always give credit when using someone else's work
See web page for more details
Grading
Approximately: 70% homeworks, 30% final
No midterm!
End of Administrativia
Questions?
Topics
- Perfect security: Shannon's lower bound and the Vernam cipher (one-time pad)
- Pseudorandom generators (a.k.a. stream ciphers): definition, discrete log problem, and Blum-Micali construction
- Indistinguishability-based definition and composability theorem for pseudorandom generators
- Integer factorization, Chinese remainder theorem, and Blum-Blum-Shub pseudorandom generator
- Intuition and first examples of public-key encryption: RSA, Rabin. Definition of security. Encrypting long messages with RSA, Blum-Goldwasser and PKCS #1
- Brief history. Diffie-Hellman key agreement, decisional Diffie-Hellman assumption, and ElGamal encryption
- Introduction to one-way and trapdoor functions, hardcore bits, Goldreich-Levin construction
- Definition of digital signatures. Signature schemes and hash functions. Merkle trees. Random oracle model. Full-domain hash RSA and Rabin
- Symmetric ciphers and message authentication codes
- Zero-knowledge proofs
- Secret sharing
- Multiparty computation
Topics (coarse grain)
- Perfect information-theoretic security
- Pseudo-randomness (definitions and constructions): generators and functions
- Computational security (definitions and constructions): encryption, signatures
- One-way and trap-door functions (integrated above)
- Hashing: collision-resistance, random oracle
- Extra: ZKP, multi-party computation
How (and why)
- Rigorous: formal definitions and proofs. Often the defined goals will look impossible to achieve, but we'll prove that our constructions satisfy such strong definitions (under some reasonable assumptions)
- Explicit: precise formal assumptions
- Unified: theoretical and applied together. Though the focus is more on theory, this theory is directly relevant to applications
- Background reviewed in the book's Appendices: Big-O, number-theoretic algorithms, reductions, complexity
"Generic Template"
- Functional definition: "modules" and "interfaces"
- Security definition: possibly many for one functional definition
- Construction: typically many
- Security proof: for a <construction, security definition> pair
Information-Theoretic Security: Perfect secrecy & One-Time Pad
Let's dive in!
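As an added illustration of the first topic (perfect secrecy and the one-time pad), not part of the original slides, the following Python checks the perfect-secrecy condition by brute force: for a uniformly random key, every ciphertext is equally likely no matter which message was encrypted, so the ciphertext distribution is identical for every message. It also shows the two failure modes a practitioner must remember: a key shorter than the message (Shannon's bound is violated, so the code refuses) and a reused pad, where c1 XOR c2 = m1 XOR m2 leaks the plaintexts' relationship. The function names and the two-byte message space are this example's own choices.

```python
import itertools
import secrets


def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    """Vernam / one-time pad: ciphertext = key XOR message.

    Perfect secrecy needs all three: the key is uniformly random, the key is
    at least as long as the message (Shannon's lower bound on the key space),
    and the key is never reused. The length condition is enforced here; the
    other two are the caller's responsibility.
    """
    if len(key) < len(msg):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(k ^ m for k, m in zip(key, msg))


def otp_decrypt(key: bytes, ct: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation as encryption.
    return otp_encrypt(key, ct)


def fresh_key(n: int) -> bytes:
    # A cryptographically secure uniform key of n bytes (never reuse it).
    return secrets.token_bytes(n)


def ciphertext_distribution(msg: bytes) -> dict:
    """Enumerate every key of len(msg) bytes and count the resulting ciphertexts.

    With a uniform key, each possible ciphertext is hit by exactly one key, so
    Pr[C = c | M = msg] = 1/256^n for every c. Brute force is only feasible for
    tiny messages; this example uses two-byte ones (65536 keys).
    """
    n = len(msg)
    counts = {}
    for key_tuple in itertools.product(range(256), repeat=n):
        c = otp_encrypt(bytes(key_tuple), msg)
        counts[c] = counts.get(c, 0) + 1
    return counts


def is_perfectly_secret(messages) -> bool:
    """True if every message induces the same uniform ciphertext distribution.

    That is the perfect-secrecy condition Pr[C = c | M = m] = Pr[C = c]:
    seeing c tells the adversary nothing about which m was sent.
    """
    dists = [ciphertext_distribution(m) for m in messages]
    uniform = all(count == 1 for count in dists[0].values())
    return uniform and all(d == dists[0] for d in dists)


def two_time_pad_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Show what pad reuse leaks: c1 XOR c2 = (k XOR m1) XOR (k XOR m2) = m1 XOR m2.

    The key cancels, so an eavesdropper learns the XOR of the two plaintexts
    without ever learning k. This is why the pad must be one-time.
    """
    c1 = otp_encrypt(key, m1)
    c2 = otp_encrypt(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    # Constructed sample messages; any two-byte messages give the same result.
    candidates = [b"ok", b"no", b"\x00\x00"]
    print("perfectly secret over candidates:", is_perfectly_secret(candidates))

    k = fresh_key(2)
    ct = otp_encrypt(k, b"ok")
    print("round trip:", otp_decrypt(k, ct) == b"ok")

    # Reusing k for two messages leaks their XOR to anyone holding both ciphertexts.
    print("two-time pad leaks m1 XOR m2:", two_time_pad_leak(k, b"ab", b"ac") == b"\x00\x01")
```

The exhaustive check is the brute-force form of the argument that the lecture topic makes formally: because the map key -> ciphertext is a bijection for every fixed message, the ciphertext distribution cannot depend on the message. The leak function is the reason stream ciphers (the pseudorandom-generator topic that follows) must never reuse a keystream either.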