- Class timing: Monday (11:00 am - 12:30 pm) and Wednesday (11:00 am - 12:30 pm)
- Venue: CSA 252

One-way Functions (Permutations), Hard-core Predicates, Pseudo-random Generators, (Strong) Pseudo-random Functions (Permutations)

Secret Key Encryption (SKE): Various security notions such as perfect security, semantic security, indistinguishability-based security, CPA security, CCA security; Constructions; Block Cipher Modes of Operation.

Message Authentication Codes (MAC): Various security notions such as CMA security, (weak/strong) CMVA security, Domain Extension, CBC-MAC.

Advanced Encryption Schemes: Authenticated Encryption.

The course evaluation for the first half will be done as follows:

- Scribe (10): Every student must scribe at least one lecture. The scribe submission deadline is one week after the corresponding lecture. The template tex file for a scribe can be downloaded from here. As you have guessed, the submission must be in LaTeX. Get first-hand ideas about scribing from various course webpages, such as this.
- "Chalk & Talk" Session (10): The goal of this session is to cover the breadth of the course. Every student has to make a 30-minute presentation on a topic not covered in the class. Topics will be suggested in the lectures. We will have two sessions every week on Friday between 12:00 noon - 1:00 pm.
- Final Exam (30): It will be a written exam conducted on 27.02.16 between 2 - 5 pm.

Reference Books:

- Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography, second edition 2014, CRC Press.
  **You should definitely have a copy of this book. We will mostly follow this book.**
- Cryptography: Theory and Practice by Douglas Stinson, Third edition, CRC Press.
- Handbook of Applied Cryptography by Alfred Menezes, Paul Oorschot and Scott Vanstone. Available online.
- Foundations of Cryptography by Oded Goldreich. Available online.
- Cryptography, An Introduction by Nigel Smart. Available online.

- Crypto Courses by Yehuda Lindell
- Crypto Courses by Jonathan Katz
- Crypto Courses by Yevgeniy Dodis
- Crypto Course by Ivan Damgaard & Claudio Orlandi
- Crypto Courses by Mihir Bellare
- Crypto Courses by Rafael Pass

- Office Hours: Monday and Wednesday 12:30 - 1:00 pm or by appointment

Will be updated as and when the course progresses.

Lecture # and Date | Lecture contents | Slides / Reading material (KL: Katz-Lindell 2nd Edition) | Scribes | Problem Set (KL: Katz-Lindell 2nd Edition) |
---|---|---|---|---|
Lecture 1 (06-01-2016) | Introduction, Classical Crypto vs. Modern Crypto, Three Pillars of Modern Crypto (definition/assumption/proof), Classical ciphers and pitfalls. Inroad towards Modern Crypto. | [pptx] / Chapter 1 of KL | | |
Lecture 2 (10-01-2016) | Perfect Security: Definition, Construction (Vernam Cipher), Proof; Drawbacks of OTP | [pptx] / Chapter 2 of KL | Jayam [pdf], Gaurav [pdf] | |
Lecture 3 (12-01-2016) | Proof for the inherent drawback on key length, Equivalent Alternative Definitions for Perfect Security, Shannon's Theorem, Relaxing perfect security. Introduction to Computational Security. | [pptx] / Chapter 2 of KL | Atlanta [pdf], Pratik [pdf] | Chapter 2 Questions from KL |
Lecture 4 (18-01-2016) | Computational Security: Necessity of the relaxations in threat and break models. Definitions of PPT and negligible functions, Security Parameter. Semantic Security, Indistinguishability-based Security and its variant, Pseudorandom distributions. | [pptx] / KL pp. 43-59 | Shipra [pdf], Seba Ann [pdf] | |
Lecture 5 (20-01-2016) | Pseudo-random Generators (PRGs): Definition, No PRG against unbounded distinguisher; coa-secure Scheme from PRG, Proof by Reduction, Proof of coa-secure scheme; coa-mult security and proof that no deterministic enc can be coa-mult secure. | [pptx] / KL pp. 60-72 | Nidhi (ls) [pdf], Sruthi [pdf], Indu [pdf] | KL 3.1-3.8 |
Lecture 6 (25-01-2016) | CPA, cpa security for single and multiple messages, why cpa security is stronger than coa-mult. Need for randomized encryption schemes, PRF, definition, PRP, Strong PRP. | [pptx] / KL pp. 73-81 | Subhajit [pdf], Bhavana [pdf] | KL 3.9-3.17 |
Lecture 7 (27-01-2016) | cpa-secure scheme from PRF, proof of security, Block-cipher modes of operation: ECB, CBC, OFB, CTR | [pptx] / KL 82-95 | Sudeep [pdf], Aditi [pdf] | KL 3.19-3.23, 3.25-3.27, 3.29 |
Lecture 8 (01-02-2016) | Chosen Ciphertext Attacks (CCA), Padding Oracle Attack on CBC-mode encryption, cca-security, Break of cpa-secure (PRF-based) schemes. Malleability. Introduction to MACs. Issues of Message Authentication and Message Integrity. (strong and weak) cma-security for MACs. | [pptx] / KL 96-100,107-116. | Arya [pdf], Kaushik [pdf] | KL 3.18, 3.28 |
Lecture 9 (04-02-2016) | MAC, Various Security Notions (cma, strong cma, cmva, strong cmva), cma-secure MAC from PRF, Domain Extension, Authenticated Encryption: Definition (cpa-security + Cipher Integrity), Construction from cpa-secure SKE and scma-secure MAC. Three approaches: authenticate-and-encrypt, authenticate-then-encrypt, encrypt-then-authenticate. | [pptx] / KL 389-399,405-404, 387-89 | Tapesh [pdf] | KL Chapter 4 questions |
Tutorial I (by Ajith) (08-02-2016) | Questions from the topics covered | [pdf] | | |
Tutorial II (by Ajith) (13-02-2016; 11-12:30pm) | Questions from the topics covered | [pdf] | | |
Lecture 10 (15-02-2016) | strong cma-security and deterministic MACs, Authenticated Encryption based on encrypt-then-authenticate, proof of security, why the proof does not work for the authenticate-then-encrypt approach. AE implies CCA security. Looking back and Ahead. | [pptx] | Puran [pdf], Kshitij [pdf], Mukesh (ls) [pdf] | KL Chapter 4 questions |
Lecture 11 (17-02-2016) | PRG implies PRF (GGM Tree Construction). Hybrid Arguments. Proof. | [pptx] | Sayantan [pdf], Sameer (ls) [pdf], Sriram (ls) [pdf], Jigyasa (ns), Padma Bhushan (ls) [pdf] | KL 7.14,7.15 |
Lecture 12 (20-02-2016; 10:30-12:30 pm) | One-way Functions (OWF), One-way Permutations (OWP), Hard-core Predicates, OWF (OWP) implies Hard-core Predicates (Goldreich-Levin Theorem). | [pptx] | Pranav [pdf], Prateek (ls) [pdf], Biswajit (ls) [pdf], Kuntal [pdf], Anupam [pdf] | KL Chapter 7 Questions |
Tutorial III (by Ajith) (21-02-2016; 11:00-12:30 pm) | Questions from the topics covered | [pdf] | | |
Lecture 13 (22-02-2016) | One-way Functions (OWP) and Hard-core Predicates imply PRG. | [pptx] | Ishan [pdf], Prokash (ns), Nihesh [pdf], Soumya (ns) | KL Chapter 7 Questions |
Lecture 14 (24-02-2016) | Candidate OWF/OWP from Number Theory, RSA Assumption. | [pptx] | | |

Group #: members | Date and Time | Topic | Supplementary reading material |
---|---|---|---|
Group 1 (Two): Pranav and Sayantan | Friday (22.01.16); 12 noon - 12:30 pm | Equivalences between Various Definitions of Perfect Security | [pdf] |
Group 2 (One): Shruthi | Friday (22.01.16); 12:30 - 13:50 pm | OTP Implementation Details and Cryptanalysis of Reusing Key | [pdf] |
Group 3 (One): Bhavana | Friday (29.01.16); 12:00 - 12:15 pm | ind-security implies bitwise-security of the messages | KL Chapter 3.2 |
Group 4 (One): Aditi | Friday (29.01.16); 12:15 - 12:30 pm | Equivalence of ind-security and its variant. | |
Group 5 (One): Nidhi | Friday (05.02.16); 12:00 - 12:15 pm | If PRG exists, then OWF exists. | KL Chapter 7.7 |
Group 6 (One): Ishaan | Friday (05.02.16); 12:16 - 12:30 pm | If coa-secure SKE exists, then OWF exists | KL Chapter 7.7 |
Group 7 (One): Atlanta | Friday (05.02.16); 12:31 - 12:45 pm | If PRF exists, then so does PRG | |
Group 8 (Two): Arya, Soumyo | Friday (05.02.16); 12:45 - 1:15 pm | A PPT D cannot distinguish a TRF from a TRP (for the same domain and co-domain) except with negl. prob. | |
Group 9 (Two): Shipra, Jayam | Wednesday (10.02.16); 11 - 11:29 am | cpa-security of CTR mode | |
Group 10 (Two): Puran, Kshitij | Wednesday (10.02.16); 11:30 - 11:59 am | Construction of a cpa-secure scheme from two given schemes one of which is cpa-secure, but not known which of the two. Proof of security. | |
Group 11 (Three): Pratik, Kuntal, Anupam | Wednesday (10.02.16); 12:00 - 12:45 pm | Domain Extension of MAC | |
Group 12 (Two): Prateek, Tapesh | Wednesday (10.02.16); 12:00 - 12:29 pm | Stream Ciphers and Trivium | |
Group 13 (Four): Seba Ann, Indu, Mukesh, Gaurav | Friday (11.02.16); 12:00 - 1:00 pm | Information Theoretic MAC | |
Group 14 (One): Sameer Shah | Friday (19.02.16); 12:00 - 12:30 pm | Authenticate-then-encrypt approach instantiated with cpa-secure SKE and cma-secure MAC yields a cpa-secure scheme with WEAK ciphertext integrity. | |
Group 15 (Two): Biswajit, Prokash | Friday (19.02.16); 12:30 - 1:00 pm | F: SPRP, m: n/2 bits, k = n bits, c = F_k(m \|\| r), r: n/2-bit random string. Prove cca-security. Prove that it is not secure according to Definition 2 of AE. | |
Group 16 (Two): Sriram C., Padma Bhushan | Friday (26.02.16); 12:00 - 12:30 pm | PRF implies PRP (Feistel Construction). | |
Group 17 (One): Sudeep | Friday (26.02.16); 12:30 - 12:45 pm | If a one-to-one function has a hard-core predicate then it must be one-way. | |
Group 18 (One): Jigyasa | Friday (26.02.16); 12:45 - 1:00 pm | If f is a OWF, then prove or disprove that g(x) = (f(x), f(f(x))) is a OWF. | |
Group 19 (Two): Subhajit, Kaushik | Friday (26.02.16); 2:00 - 2:30 pm | If there exists a PRF that maps n-length key and input to 1-bit output, then there exists a PRF that maps n^2-length key and n-bit input to n-bit output. | |
Group 20 (One): Nihesh | Friday (26.02.16); 2:30 - 2:45 pm | If G: {0,1}^n → {0,1}^{n+1} is a PRG, then G is a OWF. | |