1.4 Security Definitions

1.5 The Model of Adversary

1.6 Road map to Encryption

One-way and trapdoor functions

2.1 One-Way Functions: Motivation

2.2 One-Way Functions: Definitions

2.2.1 (Strong) One Way Functions

2.2.2 Weak One-Way Functions

2.2.3 Non-Uniform One-Way Functions

2.2.4 Collections Of One Way Functions

2.3 In Search of Examples

2.3.1 The Discrete Logarithm Function

2.3.2 The RSA function

2.3.3 Connection Between The Factorization Problem And Inverting RSA

2.3.4 The Squaring Trapdoor Function Candidate by Rabin

2.3.5 A Squaring Permutation as Hard to Invert as Factoring

2.4 Hard-core Predicate of a One Way Function

2.4.1 Hard Core Predicates for General One-Way Functions

2.4.2 Bit Security Of The Discrete Logarithm Function

2.4.3 Bit Security of RSA and SQUARING functions

2.5 One-Way and Trapdoor Predicates

2.5.1 Examples of Sets of Trapdoor Predicates

3.2 The Existence Of A Pseudo-Random Generator

3.3 Next Bit Tests

3.4 Examples of Pseudo-Random Generators

3.4.1 Blum/Blum/Shub Pseudo-Random Generator

4.1 What is a block cipher?

4.2 Data Encryption Standard (DES)

4.2.1 A brief history

4.2.2 Construction

4.2.3 Speed

4.3 Key recovery attacks on block ciphers

4.4 Iterated-DES and DESX

4.4.1 Double-DES

4.4.2 Triple-DES

4.4.3 DESX

4.4.4 Why a new cipher?

4.5 Advanced Encryption Standard (AES)

4.6 Limitations of key-recovery based security

4.7 Problems

Pseudo-random functions

5.1 Function families

5.2 Random functions and permutations

5.2.1 Random functions

5.2.2 Random permutations

5.3 Pseudorandom functions

5.4 Pseudorandom permutations

5.4.1 PRP under CPA

5.4.2 PRP under CCA

5.4.3 Relations between the notions

5.5 Modeling block ciphers

5.6 Example Attacks

5.7 Security against key recovery

5.8 The birthday attack

5.9 The PRP/PRF switching lemma

5.10 Sequences of families of PRFs and PRPs

5.11 Some applications of PRFs

5.11.1 Cryptographically Strong Hashing

5.11.2 Prediction

5.11.3 Learning

5.11.4 Identify Friend or Foe

5.11.5 Private-Key Encryption

5.12 Historical notes

5.13 Problems

Private-key encryption

6.1 Symmetric encryption schemes

6.2 Some symmetric encryption schemes

6.2.1 The one-time-pad encryption scheme

6.2.2 Some modes of operation

6.3 Issues in privacy

6.4 Indistinguishability under chosen-plaintext attack

6.4.1 Definition

6.4.2 Alternative interpretation

6.4.3 Why is this a good definition?

6.5 Example chosen-plaintext attacks

6.5.1 Attack on ECB

6.5.2 Any deterministic, stateless scheme is insecure

6.5.3 Attack on CBC encryption with counter IV

6.6 IND-CPA implies PR-CPA

6.7 Security of CTR modes

6.7.1 Proof of Theorem 6.13

6.7.2 Proof of Theorem 6.14

6.8 Security of CBC with a random IV

6.9 Indistinguishability under chosen-ciphertext attack

6.10 Example chosen-ciphertext attacks

6.10.1 Attacks on the CTR schemes

6.10.2 Attack on CBC$

6.11 Other methods for symmetric encryption

6.11.1 Generic encryption with pseudorandom functions

6.11.2 Encryption with pseudorandom bit generators

6.11.3 Encryption with one-way functions

6.12 Historical notes

6.13 Problems

Public-key encryption

7.1 Definition of Public-Key Encryption

7.2 Simple Examples of PKC: The Trapdoor Function Model

7.2.1 Problems with the Trapdoor Function Model

7.2.2 Problems with Deterministic Encryption in General

7.2.3 The RSA Cryptosystem

7.2.4 Rabin’s Public key Cryptosystem

7.4.3 General Probabilistic Encryption

7.4.4 Efficient Probabilistic Encryption

7.4.5 An implementation of EPE with cost equal to the cost of RSA

7.4.6 Practical RSA based encryption

7.4.7 Enhancements

7.5 Exploring Active Adversaries

8.1 The hash function SHA1

8.2 Collision-resistant hash functions

8.3 Collision-finding attacks

8.4 One-wayness of collision-resistant hash functions

8.5 The MD transform

8.6 Collision-resistance under hidden-key attack

8.7 Problems

Message authentication

9.1 The setting

9.2 Privacy does not imply authenticity

9.3 Syntax of message-authentication schemes

9.4 A definition of security for MACs

9.4.1 Towards a definition of security

9.4.2 Definition of security

9.5 Examples

9.6 The PRF-as-a-MAC paradigm

9.7 The CBC MACs

9.7.1 The basic CBC MAC

9.7.2 Birthday attack on the CBC MAC

9.7.3 Length Variability

9.8 MACing with cryptographic hash functions

9.8.1 The HMAC construction

9.8.2 Security of HMAC

9.8.3 Resistance to known attacks

9.9 Universal hash based MACs

9.10 Minimizing assumptions for MACs

9.11 Problems

Digital signatures

10.1 The Ingredients of Digital Signatures

10.2 Digital Signatures: the Trapdoor Function Model

10.3 Defining and Proving Security for Signature Schemes

10.3.1 Attacks Against Digital Signatures

10.3.2 The RSA Digital Signature Scheme

10.3.3 El Gamal’s Scheme

10.3.4 Rabin’s Scheme

10.4 Probabilistic Signatures

10.4.1 Claw-free Trap-door Permutations

10.4.2 Example: Claw-free permutations exist if factoring is hard

10.4.3 How to sign one bit

10.4.4 How to sign a message

10.4.5 A secure signature scheme based on claw free permutations

10.4.6 A secure signature scheme based on trapdoor permutations

10.5.3 Generation of RSA parameters

10.5.4 One-wayness problems

10.5.5 Trapdoor signatures

10.5.6 The hash-then-invert paradigm

10.5.7 The PKCS #1 scheme

10.5.8 The FDH scheme

10.5.9 PSS0: A security improvement

10.5.10 The Probabilistic Signature Scheme – PSS

10.5.11 Signing with Message Recovery – PSS-R

10.5.12 How to implement the hash functions

10.5.13 Comparison with other schemes

10.6 Threshold Signature Schemes

10.6.1 Key Generation for a Threshold Scheme

10.6.2 The Signature Protocol

Key distribution

11.1 Diffie-Hellman secret key exchange

11.1.1 The protocol

11.1.2 Security against eavesdropping: The DH problem

11.1.3 The DH cryptosystem

11.1.4 Bit security of the DH key

11.1.5 The lack of authenticity

11.2 Session key distribution

11.2.1 Trust models and key distribution problems

11.2.2 History of session key distribution

11.2.3 An informal description of the problem

11.2.4 Issues in security

11.2.5 Entity authentication versus key distribution

11.3 Three party session key distribution

11.4 Authenticated key exchanges

11.4.1 The symmetric case

11.4.2 The asymmetric case

11.5 Forward secrecy

12.1 Some two party protocols

12.1.1 Oblivious transfer

12.1.2 Simultaneous contract signing

12.1.3 Bit Commitment

12.1.4 Coin flipping in a well

12.1.5 Oblivious circuit evaluation

12.1.6 Simultaneous Secret Exchange Protocol

12.2 Zero-Knowledge Protocols

12.2.1 Interactive Proof-Systems (IP)

12.2.2 Examples

12.2.3 Zero-Knowledge

12.2.4 Definitions

12.2.5 If there exist one-way functions, then NP is in KC[0]

12.2.6 Applications to User Identification

12.3 Multi Party protocols

12.3.1 Secret sharing

12.3.2 Verifiable Secret Sharing

12.3.3 Anonymous Transactions

12.3.4 Multiparty Ping-Pong Protocols

12.3.5 Multiparty Protocols When Most Parties are Honest

12.4 Electronic Elections

12.4.1 The Merritt Election Protocol

12.4.2 A fault-tolerant Election Protocol

12.4.3 The protocol

12.4.4 Uncoercibility

12.5 Digital Cash

12.5.1 Required properties for Digital Cash

12.5.2 A First-Try Protocol

12.5.3 Blind signatures

12.5.4 RSA blind signatures

12.5.5 Fixing the dollar amount

12.5.6 On-line digital cash

12.5.7 Off-line digital cash

The birthday problem

A.1 The birthday problem

Some complexity theory background

B.1 Complexity Classes and Standard Definitions

B.1.1 Complexity Class P

B.1.2 Complexity Class NP

B.1.3 Complexity Class BPP

B.2 Probabilistic Algorithms

B.2.1 Notation For Probabilistic Turing Machines

B.2.2 Different Types of Probabilistic Algorithms

B.2.3 Non-Uniform Polynomial Time

B.3 Adversaries

B.3.1 Assumptions To Be Made

B.4 Some Inequalities From Probability Theory

Some number theory background

C.1 Groups: Basics

C.2 Arithmetic of numbers: +, *, GCD

C.3 Modular operations and groups

C.3.1 Simple operations

C.3.2 The main groups: Zn and Zn*

C.3.3 Exponentiation

C.4 Chinese remainders

C.5 Primitive elements and Zp*

C.5.1 Definitions

C.5.2 The group Zp*

C.5.3 Finding generators

C.6 Quadratic residues

C.7 Jacobi Symbol

C.8 RSA

C.9 Primality Testing

C.9.1 PRIMES ∈ NP

C.9.2 Pratt’s Primality Test

C.9.3 Probabilistic Primality Tests

C.9.4 Solovay-Strassen Primality Test

C.9.5 Miller-Rabin Primality Test

C.9.6 Polynomial Time Proofs Of Primality

C.9.7 An Algorithm Which Works For Some Primes

C.9.8 Goldwasser-Kilian Primality Test

C.9.9 Correctness Of The Goldwasser-Kilian Algorithm

C.9.10 Expected Running Time Of Goldwasser-Kilian

C.9.11 Expected Running Time On Nearly All Primes

C.10 Factoring Algorithms

C.11 Elliptic Curves

C.11.1 Elliptic Curves Over Zn

C.11.2 Factoring Using Elliptic Curves

C.11.3 Correctness of Lenstra’s Algorithm

C.11.4 Running Time Analysis

D.1 Authentication

D.2 Privacy

D.3 Key Size

D.4 E-mail compatibility

D.5 One-time IDEA keys generation

D.6 Public-Key Management

E.1 Secret Key Encryption

E.1.1 DES

E.1.2 Error Correction in DES ciphertexts

E.1.3 Brute force search in CBC mode

E.1.4 E-mail

E.2 Passwords

E.3 Number Theory

E.3.1 Number Theory Facts

E.3.2 Relationship between problems

E.3.3 Probabilistic Primality Test

E.4 Public Key Encryption

E.4.1 Simple RSA question

E.4.2 Another simple RSA question

E.4.3 Protocol Failure involving RSA

E.4.4 RSA for paranoids

E.4.5 Hardness of Diffie-Hellman

E.4.6 Bit commitment

E.4.7 Perfect Forward Secrecy

E.4.8 Plaintext-awareness and non-malleability

E.4.9 Probabilistic Encryption

E.5 Secret Key Systems

E.5.1 Simultaneous encryption and authentication

E.6 Hash Functions

E.6.1 Birthday Paradox

E.6.2 Hash functions from DES

E.6.3 Hash functions from RSA

E.7 Pseudo-randomness

E.7.1 Extending PRGs

E.7.2 From PRG to PRF

E.8 Digital Signatures

E.8.1 Table of Forgery

E.8.2 ElGamal

E.8.3 Suggested signature scheme

E.8.4 Ong-Schnorr-Shamir

E.9 Protocols

E.9.1 Unconditionally Secure Secret Sharing

E.9.2 Secret Sharing with cheaters

E.9.3 Zero-Knowledge proof for discrete logarithms

E.9.4 Oblivious Transfer

E.9.5 Electronic Cash

E.9.6 Atomicity of withdrawal protocol

E.9.7 Blinding with ElGamal/DSS