CMSC 456 Introduction to Cryptography Jonathan Katz Overview

CMSC 456 Introduction to Cryptography Jonathan Katz

Overview of exam ¨ The exam is cumulative – More emphasis on material covered in the second half of the semester ¨ Focus on understanding and application, less on being clever ¨ Please read instructions, and describe attacks or constructions clearly and unambiguously

Chapter 1 ¨ Historical private-key encryption schemes – Why did we talk about these? ¨ Modern cryptography – Definitions – Assumptions – Proofs

Chapter 2 ¨ Perfect secrecy ¨ The one-time pad ¨ Limitations of perfect secrecy – Key as long as the message – Key can only be used once • No security against chosen-plaintext attacks – Need pre-shared key!

Chapter 3 a ¨ Computational security ¨ Private-key encryption ¨ Definitions: – Indistinguishability in the presence of an eavesdropper – Multiple-message indistinguishability – CPA-security – CCA-security

Chapter 3 b ¨ Primitives – Pseudorandom generators – Pseudorandom functions (block ciphers) • AES, 3 DES, (DES) ¨ Encryption schemes – “Pseudo one-time pad” – Deterministic encryption? – Basic CPA-secure encryption scheme – Modes of encryption

Chapter 4 a ¨ Message authentication codes, defining security ¨ Collision-resistant hash functions – SHA-1 – Birthday attacks (other applications? ) ¨ Constructions – Basic construction for short messages – HMAC – CBC-MAC

Chapter 4 b ¨ Privacy + message authentication, CCA-security – Encrypt-then-authenticate – Why are the other alternatives problematic?

Chapter 5 ¨ Definition of pseudorandomness… – Concrete security requirements ¨ Substitution-permutation networks – Attacks on reduced-round SPNs – AES ¨ Feistel networks – Attacks on reduced-round Feistel networks – DES ¨ Increasing key length – 3 DES – Meet-in-the-middle attacks

Chapter 7 ¨ Modular arithmetic, group theory, cyclic groups, generators ¨ ZN, Z*N, (N) ¨ Generating random primes ¨ Factoring assumption, RSA assumption, discrete logarithm assumption, Diffie-Hellman assumptions ¨ One-way functions, examples

Chapter 9 ¨ What are the limitations of private-key crypto? ¨ Why did we bother studying private-key crypto at all? ¨ Key exchange – Definition of security – Diffie-Hellman key exchange

Chapter 10 a ¨ Public-key encryption ¨ Definitions – Indistinguishability = CPA-security – Deterministic encryption? – CCA-security • Why important ¨ Hybrid encryption

Chapter 10 b ¨ RSA encryption – Textbook RSA • Why is it insecure? – Padded RSA ¨ El Gamal encryption – What assumption is it based on?

Chapter 12 a ¨ Digital signatures – Advantages relative to MACs? ¨ Definition of security ¨ RSA signatures – Textbook RSA • Why is it insecure? – Hashed RSA

Chapter 12 b ¨ Hash-and-sign ¨ 1 -time signatures, Lamport’s scheme ¨ PKI, certificates

The real world ¨ Pseudorandom functions (block ciphers) – AES, 3 DES ¨ Collision-resistant hash function – SHA-1, others (NIST competition) ¨ Private-key encryption – E. g. , CBC mode, others for CPA-security – Encrypt-then-authenticate for CCA-security ¨ Message authentication codes – HMAC, CBC-MAC, others

The real world ¨ Key exchange – (Authenticated) Diffie-Hellman ¨ Public-key encryption – (Variants of) padded RSA – El Gamal encryption – CCA-secure schemes ¨ Signature schemes – (Variants of) hashed RSA – DSS (we did not cover)