CS409m: Introduction to Cryptography


Symmetric-key encryption, public-key encryption and zero-knowledge proofs

  • Instructor: Chethan Kamath
  • When and where: Slot 5 (08:00-09:25, Wednesdays and Fridays) in CC101
  • Teaching assistants: Priyanshu Singh (24M2101)
  • Contact hours: After lectures, and by appointment (via e-mail)
  • Weekly TA session: TBA
  • Announcements and online discussion: Moodle

[+]

Overview


Description

Cryptography is the science of securely carrying out tasks (e.g., communication) in presence of adversaries (e.g., eavesdroppers). In this course, we will first study certain basic tasks in cryptography (e.g., secure communication), with an emphasis on precise modelling of the adversary's capabilities and goal -- the threat model -- and formally proving security in this model -- the security proof. Then, we will see how more complex applications you use everyday (e.g., HTTPS, secure messaging, one-time password) can be built on top of these. Additionally, we will also have hands-on sessions aimed at exposing you to real world cryptographic libraries.

Prerequisites

Discrete structures and probability theory are soft prerequisites. This course will involve some amount of theory, and thus we will expect mathematical maturity.

Who can credit?

Since the course is a minor, it is open to all non-CS, non-freshmen UGs.

Grading and Attendance

Weightage Towards
35% End-sem
28% Mid-sem
20% Two (out of three) quizzes
10% Two lab exercises (tentative)
5% Class participation, pop-quizzes
2% Feedback

Attendance is not mandatory (but encouraged). There will be four ungraded assignments to help you with quizzes and exams.


[+]

Course Material


# Date Slides + Topics Covered (Tentative)
L01 29/Jul [↓][↓]
  • Administrivia
  • Overview of the course
  • Classical ciphers
LE0 30/Jul [↗] Lab Exercise 0
L02 31/Jul [↓][↓]
  • Basic probability theory
  • Concentration inequalities
  • Randomised algorithms
Module I: Secure Communication in the Shared-Key Setting
L03 05/Aug [↓][↓]
  • Perfect secrecy against eavesdroppers
  • One-time pad
  • Limitations: Shannon's impossibility
L04 07/Aug [↓][↓]
  • Models of computation: Turing Machine
  • Negligible functions
  • Computational secrecy against eavesdroppers
A1 07/Aug [↗] Assignment 1
L05 12/Aug [↓][↓] [↓]
  • Computational secrecy against eavesdroppers
  • Pseudo-random generators (PRG)
  • Computational OTP
  • Main tool: security reduction
L06 14/Aug [↓][↓] [↓]
  • Candidate constructions of PRG
  • Length-extension of PRG
  • Main tool: hybrid argument
Q1 14/Aug [↗] Quiz 1: 17:00-18:00 in TBD
L07 19/Aug [↓][↓]
  • Encrypting multiple messages
  • Pseudo-random function (PRF)
  • Random oracles
L08 21/Aug [↓][↓]
  • Goldreich-Goldwasser-Micali PRF
  • Chosen-plaintext attack (CPA)
  • CPA-secure SKE from PRF
LE1 21/Aug [↗] Lab Exercise 1
H 26/Aug No lecture: Id-e-Milad
L09 28/Aug [↓][↓]
  • Block ciphers
  • Modes of Operation
A2 12/Aug [↗] Assignment 2
L10 02/Sep [↓][↓]
  • Chosen-ciphertext attack (CCA)
  • Padding oracle attack
  • Message-Authentication Codes (MACs)
L11 04/Sep [↓][↓] [↓]
  • Construcing CCA-secure SKE
  • Domain extension of MACs
Q2 07/Sep [↗] Quiz 2: 08:15-09:25 in TBD
L12 08/Sep [↓][↓] [↓]
  • TBD
L13 11/Sep [↓][↓] [↓]
  • TBD
M 12-20/Sep [↗] Mid-sem:TBA
Module II: Secure Communication in the Public-Key Setting
L14 23/Sep [↓][↓]
  • Key exchange
  • Basic group theory
L15 25/Sep [↓][↓]
  • Diffie-Hellman key exchange (DHKE)
  • Public-key encryption (PKE)
  • Elgamal encryption
L14 30/Sep [↓][↓]
  • Basic number theory
  • Goldwasser-Micali encryption
  • RSA encryption
A3 30/Sep [↗] Assignment 3
H 02/Oct No lecture: Mahatma Gandhi Jayanti
L17 07/Oct [↓][↓]
  • Digital signature
  • One-way function (OWF)
  • Lamport's one-time signature
L18 09/Oct [↓][↓]
  • Signing longer messages: hash-then-sign paradigm
  • Collision-resistant hash function
  • Domain extension: Merkle-Damgård and Merkle Tree
Q3 14/Oct [↗] Quiz 3: 17:00-18:00 in TBD
L19 16/Oct [↓][↓]
  • Efficient (many-time) signatures
  • Trapdoor permutation and hash-then-invert paradigm
  • Identification protocols and Fiat-Shamir Transform
LE2 16/Oct [↗] Lab Exercise 2
Module III: Applications
L20 21/Oct [↓][↓]
  • Interactive proof (IP)
  • IP for graph non-isomorphism (GNI)
L21 23/Oct [↓][↓]
  • Zero-knowledge (ZK) IP
  • ZK IP for GI and GNI
  • ZK Proof of Knowledge (ZKPoK)
A4 23/Oct [↗] Assignment 4
L22 28/Oct [↗]
  • eVoting: setting and requirements
  • How Helios Voting works
  • Tools used: homomorphic PKE, distributed decryption, non-interactive ZKPoK
L23 30/Oct [↗]
  • Background: certificates and PKI
  • SSL/TLS
  • Tools used: almost everything from Modules I and II
L24 31/Oct [↗]
  • Secure messaging
  • Signal protocol a/k/a the double ratchet
  • Tools used: DHKE, key-derivation function (KDF), SKE (AEAD)
L25 04/Nov [↗]
  • Bitcoin
  • Zerocash
  • Tools used: everything from Module II, ZKP and commitment
L26 06/Nov [↗]
  • TBD
E 14/Nov [↗] End-sem: 09:00-12:00 in LA002

[+]

Resources


Below you can find the list of resources relevant to this course. The list of per-lecture resources (e.g., further reading) can be found at the end of the respective lecture slide.

Textbooks Background Material
  • Basic probability theory can be found in §A.3 of Katz-Lindell. The first recitation in MIT6875 is another resource.
  • Basic number theory can be found in §B of Katz-Lindell. The third recitation in MIT6875 is another resource.
  • Basic computational complexity can be found in the second recitation in MIT6875.
Related Courses Prior Iterations