Princeton University

Computer Science 433


Cryptography or "secret writing" has been around for about 4000 years, but was revolutionized in the last few decades. The first aspect of this revolution involved placing cryptography on more solid mathematical grounds, thus transforming it from an art to a science and showing a way to break out of the "inventbreaktweak" cycle that characterized crypto throughout history. The second aspect was extending cryptography to applications far beyond simple codes, including some paradoxical impossiblelooking creatures such as public key cryptography , zero knowledge proofs, and playing poker over the phone.
This course will be an introduction to modern "postrevolutionary" cryptography with an emphasis on the fundamental ideas (as opposed to an emphasis on practical implementations). Among the topics covered will be private key and public key encryption schemes (including DES/AES and RSA), digital signatures, oneway functions, pseudorandom generators, zeroknowledge proofs, and security against active attacks (e.g., chosen ciphertext (CCA) security). As time permits, we may also cover more advanced topics such as the Secure Socket Layer (SSL/TLS) protocol and the attacks on it (Goldberg and Wagner, Bleichenbacher), secret sharing, twoparty and multiparty secure computation, and quantum cryptography.
The main prerequisite for this course is ability to read, write (and perhaps enjoy!) mathematical proofs. In addition, familiarity with algorithms and basic probability theory will be helpful. No programming knowledge is needed. If you're interested in the course but are not sure you have sufficient background, or you have any other questions about the course, please contact me at
KL Book: Chapter 1  introduction.
Additional reading: You can find more information about historical ciphers on the web page Alex Biryukov's wonderful Course on Cryptanalysis.
Mathematical proofs: Some links on reading, writing and coming up with mathematical proofs. Chapters 1 and 3 of the LehmanLeighton notes of an MIT course can be useful. Some tips on mathematical writing in general and proofs in particular can be found in these few pages from Knuth, Larrabee, and Roberts. On a lighter and more general note, you might be interested to read Keith Devlin's musing about mathematical proofs.
Reading for next class: We'll start to use probability a lot (although only
very basic things). The handout contains some references.
We'll start also thinking about defining security for encryption schemes. Throughout this course
the theme of such definitions will be rigor  mathematical precision and being conservative 
making very strong demands on the security. The KatzLindell excerpt explains some of the motivation behind this. See also pages 2025 of Goldreich's book
(Volume 1).
KL Book: Chapter 2  Perfectly secret encryption
Additional reading: Lecture 2 of Bellare's course discusses the issues in defining security for encryption schemes and perfect security. See also Section 6.4 in the GolwasserBellare lecture notes. The definition of perfect secrecy was first given by Shannon in this 1949 paper, but our discussion followed more closely the approach of Goldwasser and Micali who, when referring to the indistinguishability definition for encryption schemes, said: "A good disguise should not allow a mother to distinguish between her own children".
Reading for next class: Next class we'll discuss computational models such as
the Turing machine. You might want to take a look
at
this chapter from my upcoming book with Sanjeev Arora.
Additional reading: You might want to look at the
Boolean circuits
and
NP completeness chapter from my upcoming book with Sanjeev Arora.
Some handouts from the last offer of this course:
Powerpoint Slides (did not use these in class)
computational models handout and figure.
Computational complexity is covered in many places
and in particular in Sipser's book. If you prefer PowerPoint slides
you can look at Muli Safra's complexity
course. In particular the first 5 presentations there (Introduction,
Preliminaries, Reductions, Cook Theorem, and NPcomplete Problems) roughly cover the material
we discussed (and of course also some things we did not discuss). As I already mentioned,
once we have an impossibility result, the right thing to do is to try to bypass it. This holds also for
NPcompleteness results where once a problem is NPcomplete, and hence is probably not
efficiently solvable, people try to approximately solve it (for example, if we can't
color a graph in the minimum number of colors, try to color it within a factor of at most K times
the minimum for some k.). This
web site tracks the current approximation status of many problems. In many cases we can prove
that it is NPhard to even approximate some problems. For a good exposition of this, see Sanjeev
Arora's thesis.
KL Book: Chapter 3  Private key encryption and pseudorandomness
Additional reading: Please take a look at Section 6.4.2 of
the KatzLindell book. You might also want to look at Goldreich's
Treatment of pseudorandom generators
(Volume I, pages 101117).
KL book: Pages 8293 and 221225. (Sections 3.5, 3.6.1, 3.6.2 and 6.5). See also the following excerpt from Goldreich's book on the construction of PRF's from PRG's. (This excerpt is from a draft  see Goldreich Vol I for the updated version.)
Additional reading:Goldreich Volume II (Chapter 5) contains an extensive discussion of the definitions of encryption schemes.
Pseudorandom functions were defined and constructed by Goldreich, Goldwasser, and Micali 
(see this page for the paper, containing
also the full proof).
As mentioned, there are other more efficient candidate constructions,
including HMAC by Bellare, Canetti and Krawczyk
and a factoringbased PRF by Naor, Reingold and Rosen.
Additional reading: You should take a look at the BellareRogaway chapter on pseudorandom functions and permutations. It does not cover exactly the same material we do (which is why it would be especially worth your while to look at it). Pseudorandom permutations, and their construction based on pseudorandom functions is covered in Goldreich Vol I (link is for the older web version, see there section 3.7 page 114).
A lot more information on the AES and other block ciphers can be found on the web page for Eli Biham's modern cryptology course. In particular, this lecture covers block ciphers. See The AES Lounge for more information about the AES, its security and implementations.
If you are interested in the principles behind the design and attack of block ciphers, see this tutorial by Howard Heys and this course by David Wagner.
Finally if the skipjack/clipper story whetted your appetite for cryptoconspiracies you might want to look at this site.
For next week: Next week we'll begin to talk about the goal of integrity. There's nothing in particular you should read but try to think of the following questions:
KL book: Section 3.7 (pages 103104),
Additional reading: See this expository paper by Victor Shoup for more on the motivation behind chosen ciphertext security. You can find
here the CRYPTO 98 paper of Daniel Bleichenbacher that attacked the SSL protocol, mainly using
the fact that the underlying encryption scheme was not CCAsecure. (These sources
talk about public key encryption, but the underlying message is the same.)
Additional reading:
Lectures 9 and 10 in David Wagner's
cryptography course discuss MACs, including examples of realworld protocols that can be attacked
due to lack of MACs.
The material about the order of encryption vs.
authentication is from this CRYPTO 2001 paper by Hugo Krawczyk.
Additional reading: Oneway permutations and the hardcore bits are covered extensively in Goldreich Volume 1 (although it is perhaps too extensive for our purposes). Vadhan's lecture notes cover oneway functions, Commitment schemes and hardcore bits (see also lecture 10 and 11 there). Luca Trevisan's lecture notes on pseudorandomness have a nice presentation of the proof of the GoldreichLevin theorem. Note: You might want to look at these sources after you tried to tackle Exercise 1 on your own.
In many places there is an emphasis not so much on one way permutations but on
one way functions. Oneway functions are a generalization of oneway permutations
in the sense that every oneway permutation is a oneway function but not necessarily
vice versa. The definition is the natural way you'd generalize the definition oneway permutations to
the case where the function f() may not be onetoone:
since for a given y there may be many x's such that y=f(x), adversary is successful
if it manages to find one of them.
Reading for next time: Next week we'll start discussing
number theory, in preparation for public key encryption schemes. Some resources
for number theory include Chapter 7 and Appendix B of the KL book. There's also
an excellent book of Victor Shoup (available freely on the
web). The more you read of this book the better, however, I recommend you look
in Chapter 1 (pages 110)
and the first 5 pages of Chapter 8
(pages 180184, not including exercise 8.1).
Other particularly relevant parts of the rest of the book are:
Chapter 2 (up to and including Section 2.5), first 2 pages of Chapter 7,
Chapter 10 (up to and including 10.4.1), first two pages
of Chapter 11, Chapter 12 and Chapter 13. See also
the mathematical background appendix from my upcoming book with Sanjeev Arora.
slides (taken from Eli Biham's Technion course)
Additional reading:
As mentioned above, Shoup's book is an excellent resource
for computational number theory.
Additional reading: KL Book Sections 10.1 , 10.2, 10.4, 10.7, 11.2
Additional reading: Fuller exposition and proofs for this material can be found in Chapter 6 of Goldreich's book (Vol II) or in the fragments on the web.The GoldwasserMicaliRivest factoring based hash function is obtained through the intermediate notion of clawfree permutations. This construction is described somewhat tersely in the GolswasserBellare notes and with a bit more detail in Goldreich's sections 2.4.5 (Vol I) and 6.2.3.1 (Vol II). The paper of Bellare and Rogaway suggesting the random oracle model can be found here. One of the most powerful critiques of this model is in this paper by Canetti, Goldreich and Halevi (be sure to look at the authors' opinions at the end). Helger Limpaa collected some links related to the random oracle model.
As mentioned in class, Bellare and Rogaway built on
an earlier work of
Fiat and Shamir that gave a different construction for signature
and identification schemes using a "crazy" hash function based on zero knowledge proofs.
The BellareRogaway signature scheme with a tighter security proof can be found
here.
Additional reading: Chosen ciphertext security was defined by Rackoff and Simon. As mentioned in the notes for lecture 9, Victor Shoup has a very nice expository paper about this concept. The first construction that was proven to be chosenciphertext secure was given in this paper of Dolev, Dwork and Naor. However, this construction is quite complicated and inefficient. Perhaps the simplest (although rather inefficient) construction and analysis of a "randomoracle free" CCAsecure encryption is given in this paper by Lindell. Both constructions use an ingredient that we did not talk about in class (noninteractive zero knowledge proofs) but is described in Goldreich's book (Vol I).
The first scheme we presented in class was taken from the original randomoracle paper by Bellare and Rogaway. An efficient encryption scheme with a proof of "almost CCA security" in the random oracle model is the OAEP scheme of Bellare and Rogaway. However, in this paper by Shoup he shows some "holes" in that proof and gives a different randomoracle based construction. Perhaps the simplest and most efficient encryption that has a proof of CCA security in the random oracle model is this one by Dan Boneh.
In this wonderful paper of Cramer and Shoup they present an efficient encryption scheme that has a "real" (no random oracles) proof of CCA security based on the DDH assumption.
Even if a scheme is proven to be CCA secure, this only implies real world security if the real world adversary does not have access to additional information from observing say the time it takes servers to answer queries or other such things  see this paper for a demonstration of this issue.
Additional reading: See Bleichenbacher's paper for more information about his attack on RSA as used in the SSL protocol. Some related attacks can be found here. As mentioned in the reading for the previous lecture, even when using assumed CCA secure schemes, an adversary may use timing and/or error message information to attack a scheme, as demonstrated in this CRYPTO 2001 paper by Manger.
The SSL protocol is also described in
these notes by Lindell. Some attacks on SSL V3.0 are described in
this paper by Schneier and Wagner (although it is preBleichenbacher, and so does not
include many strong attacks, to quote from a summary of a talk by Wagner on this work:
"In general, this analysis was informal, not formal, meaning that it can only illustrate
flaws in the protocol, not prove that it's correct."). The attack on the
pseudorandom generator used by Netscape
was given in this
paper by Goldberg and Wagner.
Additional readings: One of the best nontechnical explanation of zero knowledge appears in this paper by Naor, Naor and Reingold published in the prestigious Journal of Craptology.
The most extensive treatment of Zero Knowledge is in Goldreich, Vol I, Chapter 3 (see also fragments on the web). For a shorter version, see chapter 4 of foundations of cryptography  a primer). Goldreich also has tutorial on zero knowledge including the basic notions and more recent developments as well. protocol QR I described in class is also described in these UCB computer security lecture notes.
You can find on line the
original paper of Goldwasser, Micali and Rackoff presenting zero knowledge. Zero knowledge is also the topic
of many dissertations (including my own), I particularly recommended
Uri Feige's thesis
Additional reading: I strongly recommend you look at the following lecture notes of an MIT course by Silvio Micali (one of the inventors of zero knowledge). Lectures 1 to 5 cover the material we talked about in class. If you are interested in more about zero knowledge then the rest of the lectures are a good place to start. A good overview of the material is in pages 1 to 17 of Goldreich's tutorial on zero knowledge. For full proofs see Goldreich's book or the fragments on the web. In particular, reduction of error by sequential composition is covered in section 4.3.4 of the fragments, and the protocol for 3coloring is covered in section 4.4.
If you like slides, you can see some
of this material in PowerPoint format from Muli Safra's course (see also
these slides from Ely Porat).
Additional reading: Dan Boneh's group has a
web page on Identity Based Encryption where you can
find the original BonehFranklin paper and also download encrypted email software based on IBE.
The forwardsecure encryption scheme given in class is from
this note by Canetti and Halevi which is a simplification of the construction of
this paper by Canetti, Halevi and Katz (the latter however is
better in the sense that it does not need a large storage by the sender and also does not
use the random oracle model). See this paper by Bellare
and Yee for a treatment of forward security for private key primitives.
Additional reading: You can find more about PGP key reconstruction on the PGP user guide.
Here's a nice puzzle
about visual cryptography. You can find the relevant papers from Moni
Naor's web page. See also Doug Stinson's page on
visual cryptogeaphy.
You can find a nice and relatively simple threshold RSA signature scheme in
this paper by Shoup. See this paper of Tal Rabin
on how to convert the scheme we saw in class to a general threshold, robust, and proactive scheme.
I was actually once involved in writing
Java implementation of
proactively secure protocols.
Additional reading: Some web resources on oblivious transfer
are this page by Benn Lynn
and this page by Helger
Limpaa. A full exposition with constructions and proofs of oblivious transfer
and secure function evaluation can be found in Goldreich's book (Vol II).
This paper of Kushilevitz
and Ostrovsky gave the first computationally secure PIR with single server and sublinear
communication. It also discusses some possible applications for PIR. Amos Beimel has a webpage
on private information retrieval. This
project is about obtaining practical PIR protocols. See this
paper and the announcement for
this workshop for some information on the connections
between PIR protocols and other objects. See also this survey
on private information retrieval by Gasarch.
For a proof of security of Yao's grabled circuit protocol in the honestbutcurious
model see this paper by Lindell and Pinkas.
Additional reading: I took much of the material from the
excellent MIT course by Canetti and Rivet. I also highly recommend the following
slides by Tal Moran. Here are some additional links (curtesy of Tal Moran).
The main contenders for practical voterverifiable evoting schemes are Punchscan
and Pretavoter.
Scantegrity is another, slightly newer,
idea of Chaum's. All these systems are based on the notion of a 2part receipt that the voter
makes some checks on in the booth and then gets to keep only one part. The voting system presented in
class was based on the secrecy of the order of events in the booth, this idea was suggested in
this paper by Neff.
Another interesting suggestion is
Rivest's "Three Ballot" scheme
that does not use cryptography in the voter verification step at all, but it has some serious problems
such as reliance on very strong assumptions about the voting hardware (the paper mentions a vote buying
attack also but this seems to be less serious if the number of candidates is very small compared to the number
of voters). Finally, there is a lot of literature about "internet" voting protocols
(that ignore the human component). Until 2004, all the cryptographic
voting schemes were of this type. Helger Lipmaa's list
(http://www.adastral.ucl.ac.uk/~helger/crypto/link/protocols/voting.php)
has many of the notable ones.
For a good starting point on quantum computing, you can do far worst than explore
Scott Aaronson's home page
Some reading: An excellent discussion of provable security appears in this survey/position paper of Ivan Damgard. It refers also to issues raised in these 2004 and 2006 papers of Koblitz and Menezes, where they criticize proofs of security. In my view, some of the issues they raise are valid, though not novel, but the entire discussion is incomplete and rather misleading. See also this AMS Notices article by Koblitz and these responses (including one by me). Perhaps what bothers me most about these discussion is that they tend to focus too much on proofs of security, as opposed to precise definitions of security, whereas in my opinion the latter are even more fundamental to both the theory and practice of cryptography (although proofs are of course necessary to show that "crazysounding" definitions such as chosenmessage secure signatures or chosenciphertext secure encryption can actually be satisfied).
Additional reading:
Professor: Boaz Barak  405 CS Building. Email: Phone: 6099814982 ?> (I prefer email)
Undergraduate Coordinator: Donna O'Leary  410 CS Building  2581746 doleary@cs.princeton.edu
Teaching Assistant: Rajsekar Manokaran ( rajsekar@cs )
Grading: 50% homework, 50% takehome final. See syllabus for more details.
Homework assignment  Due 
HW1 (LaTeX source)  September 27 
HW2 (LaTeX source)  October 4 
HW3 (LaTeX source)  October 11 
HW4 (LaTeX source)  October 18 
HW5 (LaTeX source)  October 25 
HW6 (LaTeX source)  November 8 
HW7 (LaTeX source)  November 15 
HW8 (LaTeX source)  November 29 
HW9 (LaTeX source)  December 6 
HW10 (LaTeX source)  December 13 
There are several lecture notes for cryptography courses on the web. In particular the notes of Vadhan, Bellare and Rogaway, Goldwasser and Bellare and Malkin will be useful.
Some good sources for the probability and complexity/algorithms backgrounds are:
A good source for computational number theory is A Computational Introduction to Number Theory and Algebra by Victor Shoup. Note that this book freely available online under the creative commons license. Another good book on this topic is A Concrete Introduction to Higher Algebra by Lindsay Childs.
Some other more applicationoriented crypto books (note that these books take a much less careful approach to definitions and security proofs than we do in the course):
Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography.
Douglas R. Stinson. Cryptography: Theory and Practice.
Bruce Schneier. Applied Cryptography.
Ross Anderson Security Engineering
Collaborating with your classmates on assignments is OK and even encouraged. You must, however, list your collaborators for each problem. The assignment questions have been carefully selected for their pedagogical value and may be similar to questions on problem sets from past offerings of this course or courses at other universities. Using any preexisting solutions from these other sources is strictly prohibited.