CSEP 590: Applied Cryptography

CSEP 590: Applied Cryptography (Spring '19)

[Annnouncements] [General Info] [Team ] [Weekly Schedule] [Resources ] [Interaction / Q&A] [Grading Policy] [Schedule and Homework]

Announcements

March 29: Full webpage is live.

General information

Topics: Basic cryptographic primitives (block ciphers, secret- and public-key encryption, authenticated encryption, message authentication, signatures, ...), cryptographic protocols (e.g. TLS), attack vectors (padding-oracle attacks, side-channel attacks, etc). Also, advanced cryptographic techniques (zero-knowledge proofs, multi-party computation,...).
The class will adopt rigorous security definitions and statements, but mostly replace proofs with attack-driven intuition.
Prerequisites: No formal prerequisites, except for basic mathematical proficiency as expected in an undergraduate CS program, as well as a certain affinity to rigorous thinking. Basic programming skills (we will mostly use Python).

Team

Instructor: Stefano Tessaro, tessaro(at)cs(dot)washington(dot)edu

Teaching assistants

Xin Yang (yx1992@cs)
Xihu Zhang (xihu@cs)

Weekly schedule

Class time and location
Monday 6:30-9:20pm (CSE2 G10 (Gates Center))
Office hours
ST: Mo 5-6pm or by appointment (CSE 666)
TA Office Hours: TBD

Resources

No mandatory textbook. Slides will be made available (password protected).

The following are lecture notes/textbooks on cryptography (all but one free), which (often) adopt a more formal approach than the one from this class.

D. Boneh and V. Shoup, A Graduate Course in Applied Cryptography. (Great overlap with class, just with more proofs.)
M. Bellare and P. Rogaway, Introduction to Modern Cryptography. (An excellent reference for a concrete security treatment, albeit somewhat incomplete.)
M. Rosulek, The Joy of Cryptography. (Undergraduate-level introduction to cryptography.)
J. Katz and Y. Lindell, Introduction to Modern Cryptography. (An actual textbook.)

Interaction / Q&A

We are going to use Google Discussion Board and a class mailing list. Instructions will be provided.

Grading

Homework: There will be 6 problem sets distributed over the quarter. Problem sets are generally posted online on Friday, by 11:59pm PST, and are due 11 days later on Tuesday, 11:59pm PST. Homework will be graded and you are required to hand in your own solution for each homework. (Refer to the "Academic Integrity" paragraph below for further details.) You are allowed 3 late days overall throughout the quarter.
Homework submissions will be online via Gradescope (instructions will be provided soon).
Project: An important component of this class will be a project, to be undertaken by teams of two students. (Contact the lecturer in case of issues with this, exceptions can be made but are not the norm.) The final outcome of the project is a report (we will likely dispense with presentations, due to the projected high number of students). Examples of projects include (but are not limited to):
- Reading a research paper and/or a cryptographic standard/RFC (either existing, or a current proposal), and writing a summary.
- Studying a real-world application or implementation of cryptography (either a well-known one, or something specific to your personal experience) and documenting it (or formalizing the underlying threat model).
- Some cryptography-specific implementation problem.
- Anything else really, just let your creativity flow.
A project proposal (0.5-1 pages) describing the planned work and the two members of esach time is due on Monday, April 29. Early submissions are welcome and encouraged. The final project is due then on Tuesday, June 11, 11:59pm.
Final grade: The final grade will be distributed as follows: Homework (60%), project (40%). The lowest homework score will be dropped. Participation (in class and online) will be taken into account for partial bonus credit in borderline cases.
Academic Integrity: Homework assignments are meant to be solved individually, whereas collaboration with a team-mate is required for the project component of the class. Please refer to the Allen School's Academic Misconduct webpage for a detailed description of what is allowable and what is not.

Schedule and Homework

The following is a tentative schedule, and is intended to give a rough idea about what I hope to cover in the class and in which order. There will be (slight) shifts depending on the pace of the class, and more information will appear on the schedule as lectures are completed. (Initially, contents will be vague for later lectures.)

Week	Date	Lecture contents	Notes / slides / assignments
1	2019-04-01	Introduction Organizational details. Introduction: What is cryptography? Introduction to symmetric encryption Historic ciphers Attack models (ciphertext only, known-plaintext, chosen-plaintext) Block ciphers Definition ECB and its insecurity An introduction to computational indistinguishability PRF security	Slides Lecture 1
2	2019-04-08	Block ciphers (cont'd) Examples of insecure block ciphers AES construction Modes of operation CTR/CBC modes IND-CPA security for symmetric encryption Stream ciphers: Constructions from block ciphers & ad-hoc designs Case study: Breaking RC4 Introduction to integrity Integrity issues Case study: Padding-oracle attacks against CBC	Slides Lecture 2 HW1 (Posted: 04/05; Due: 04/15) Solution 1
3	2019-04-15	Message Integrity Hash functions: Basic properties (collision resistance, second preimage resistance, etc) Generic attacks againt hash functions The Merkle-Damgaard and sponge constructions. (And practical instantiations.) Message-authentication codes (MACs) Basic keying of hash functions & extension attacks HMAC/CBC Authenticated Encryption Plaintext and ciphertext integrity Generic composition: Secure and insecure solutions AEAD and nonce-based encryption Dedicated modes (in particular, GCM) Nonce repetitions, nonce-misuse resistance, picking nonces	Slides Lecture 3 HW2 (Posted: 04/12; Due: 04/22) Solution 2 Padding oracle attack (solution in Python)
4	2019-04-22	Public-key crypto foundations Finite groups Modular arithmetic: Multiplicative inverses and Z^_P Cyclic groups The Discrete Logarithm problem Elliptic curves Public-key Cryptography* Diffie-Hellman Key-Exchange Hardness of the discrete logarithm problem	Slides Lecture 4
5	2019-04-29	RSA Encryption Plain RSA PKCS#1 encryption RSA-OAEP and chosen-ciphertext security Basic attacks and factoring Digital Signatures Functionality RSA Signatures Authenticated Key Exchange (AKE) Generic constructions: One-sided and two-sided AKE Forward security Diffie-Hellman AKE TLS 1.3 handshake Attacks against older TLS versions: FREAK and LogJam	Slides Lecture 5 HW3 (Posted: 04/26; Due: 05/07) Solutions HW3
6	2019-05-06	Certificates, PKIs, and authenticated key exchange Certificates and public-key infrastructures Identification protocols Password-based identification: Salting, iteration, etc. Slow hash functions Memory-hard functions One-time passwords Challenge-response	Slides Lecture 6 HW4 (Posted: 05/03; Due: 05/14) Solution 4
7	2019-05-13	Random-number generation Bad RNGs (Mersenne Twister) RNG security: Pseudorandomness, forward-security, post-comrpomise security Hash-based RNG design RNG attacks Case studies: More real-world protocols Messaging: The Double Ratchet Protocol	Slides Lecture 7 HW5 (Posted: 05/10; Due: 05/21) Solution 5
8	2019-05-20	Multi-party computation Two-party computation Oblvious transfer Garbled Circuits and Yao's protocol Private set intersection Secret sharing and multi-party computation	Slides Lecture 8 HW6 (Posted: 05/19; Due: 05/31)
9	2019-05-27	No class (Memorial Day)
10	2019-06-03	Zero-knowldge proofs Zero-knowledge proofs of knowledge An application: Privacy-preserving cryptocurrencies A generic zkSNARK construction	Slides Lecture 9 Bitcoin review