CIS600 Applied Cryptography

  • Instructor: Yuzhe (Richard) Tang
  • Time: MW 10:35 - 11:55 am
  • Place: Link Hall 211

Reading materials

  • Textbooks
    • Introduction to Modern Cryptography (2nd edition), Jonathan Katz and Yehuda Lindell, (KL)
    • Bitcoin and Cryptocurrency Technologies, Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, Steven Goldfeder, [online book], (BtC)
    • Cryptography Engineering: Design Principles and Practical Applications, 1st Edition, Niels Ferguson, Bruce Schneier, Tadayoshi Kohno (FSK)
    • A Graduate Course in Applied Cryptography, Dan Boneh and Victor Shoup, [pdf], (BS)
    • Principles of Computer System Design: An Introduction, Information Security (Chapter 11), Jerome H. Saltzer, M. Frans Kaashoek, [online book], (SK)


  • Class participation (10%), Homework/Programming tasks/Presentation (50%), Exams (40%)


week topic questions
1,2 intro KL1, [slides] 1. What are the two typical formal properties required in a cryptographic scheme? 2. What are the three elements in provable security? 3. What are the two parts of a formal security definition?
3 perfect secrecy KL2,B 1. Name the theorem for computing conditional probability. 2. How to formally describe a discrete random variable? 3. Describe the scheme of perfectly-secret encryption. 4. Describe the intuition and formal definition of perfect secrecy. 5. Describe an alternative (and equivalent) definition of perfect secrecy. 6. Name one construction achieving perfect secrecy. What's the drawback of this construction? Is the drawback specific to the construction?
4 private-key encryption KL3.1,3.2,3.4,3.5 1. What's the difference between perfect secrecy and computational security? 2. Name as many games as possible in computational security. Describe the difference among them. 3. What primitives are used in constructing CPA-secure encryption? What assumptions are made?
5 modes of operation KL3.6,FSK4 1. Name as many block-cipher modes of operation as possible. Are they CPA-secure?
6 key-exchange & TLS KL10,12.7/8, [First msec in HTTPS] 1. Describe the security game defined for key-exchange protocols. How many "parties" are involved? 2. How many rounds are there in a KE protocol? 3. Name the KE protocol based on DL hardness. 4. What's the KE protocol used in a key-distribution center? How is it less practical than the DL-based KE protocol? 5. Name at least two building blocks in the TLS handshake.
7.1 MAC KL4 1. What are the security game and security definition for MAC? 2. Describe a construction of fixed-length MAC and what primitives are used. 3. Name one domain-extension construction for variable-length MAC. 4. Which construction paradigm is provably secure for authenticated encryption?
7.2 SW attestation, [SGX explained]-Chap3.3
8.1 hash KL5 1. What are three security notions for hash? 2. Name the domain extension for hash. 3. Name the industrial-standard variable-length MAC. 4. Name a generic attack against hash. 5. Name one application of hash.
8.2 recitation (HW 1,2)
9 Spring break
10.1 blockchain: intro. BtC2 1. Name two basic functionalities of any currency. 2. Name one attack unique to digital currency. 3. What's the idea of Bitcoin to decentralize trust? 4. What makes the Bitcoin consensus protocol work in practice despite the negative theoretical result?
10.2 TPM-measurement [TCG] Guest lecture by Scott Constable [webpage]
11 hash applications and Bitcoin consensus KL5.6,BtC1,2 1. Which security notion of hash is necessary for the security of Merkle tree? 2. Which security notion(s) of hash is/are necessary for the security of commitment scheme? 3. What property of the Bitcoin P2P network is necessary for the security of consensus against double-spend attack? 4. What incentive technique is used in Bitcoin consensus?
12.1 group theory KL8 & PKE KL11 1. Name the hardness assumption behind the DH protocol. 2. What defines a residue group? 3. Name one thing different in PKE security from PrivKE security. 4. Name the scheme used for PKE domain-extension. 5. Name the DH-based construction for PKE.
12.2 digital signature KL12 1. Name the transform paradigm for constructing fixed-length digital signature (from identification scheme). 2. Name the domain-extension scheme to construct variable-length digital signature. 3. Compare MAC and DS, describe the differentiating property.
13.1 recitation (HW 3,4)
13.2 exam. 1
14 Bitcoin anonymity BtC6,BS2.3 1. Name one de-anonymization attack against Bitcoin. 2. Name one defense heuristic for Bitcoin anonymity. 3. Name one cryptographic protocol for defense in Bitcoin anonymity.
15.1 Security protocols SK11.5 and Kerberos [link]