Topic | References | Assignments

9/28
Introduction, one-time pad
Lecture via Zoom
Lecture slides

Boneh & Shoup Ch. 2.1
Further reading:
Communication theory of secrecy systems by Shannon 1949
Cryptanalysis of the Lorenz cipher (video)
Did a broken random number generator in Cuba help expose a Russian espionage network? by Matt Blaze 2020
A History of US Communications Security by David Boak 1973

Homework 1 Available

10/3
PRGs and stream cipher encryption
Lecture slides

Boneh & Shoup Ch. 2.2, Ch. 3.1-3.3
Further reading/research directions:
All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS by Vanhoef and Piessens 2015
Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS by Garman, Paterson, and Van der Merwe 2015
On the security of RC4 in TLS and WPA by AlFardan, Bernstein, Paterson, Poettering, and Schuldt 2013
The ChaCha family of stream ciphers by Bernstein 2008
Security analysis of pseudorandom number generators with input: /dev/random is not robust by Dodis, Pointcheval, Ruhault, Vergnaud, and Wichs 2013


10/5
Block ciphers
Lecture slides

Boneh & Shoup Ch. 4.1-4.2
Further reading/research directions:
Biclique Cryptanalysis of the Full AES by Bogdanov, Khovratovich, and Rechberger 2011

Homework 2 Available

10/10
PRFs, chosen plaintext attacks, block cipher modes of operation
Lecture slides
Boneh & Shoup Ch. 4.4, Ch. 5
Further reading/research directions:
Stealthy Dopant-Level Hardware Trojans by Becker, Regazzoni, Paar, and Burleson 2013

Homework 1 Due

10/12
Message authentication codes and message integrity; problems with CBC mode
Lecture slides
Boneh & Shoup Ch. 6
Further reading:
Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS... by Vaudenay 2002
Here come the xor ninjas by Duong and Rizzo 2011
Compression and information leakage of plaintext by Kelsey 2002
The CRIME attack by Rizzo and Duong 2012

Homework 3 Available

10/17
Hash functions
Lecture slides

Boneh & Shoup Ch. 8
Further reading/research directions:
A cryptanalytic time-memory trade-off by Hellman 1980
Parallel collision search with cryptanalytic applications by van Oorschot and Wiener 1999
The making of Keccak by Bertoni, Daemen, Peeters, and Van Assche 2015
MD5 considered harmful today by Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik, and de Weger 2009
Counter-cryptanalysis by Stevens 2013
Speeding up detection of SHA-1 collision attacks using unavoidable attack conditions by Stevens and Shumow 2017
The first collision for full SHA-1 by Stevens, Bursztein, Karpman, Albertini, and Markov 2017

Homework 2 Due

10/19
Hash functions, MACs, and authenticated encryption
Lecture slides
Boneh & Shoup Ch. 8.7, Ch. 9
Further reading:
This POODLE Bites: Exploiting The SSL 3.0 Fallback by Möller, Duong, and Kotowicz 2014

Homework 4 Available

10/24
Computational number theory: modular arithmetic, groups, rings, fields, efficient algorithms and hard problems
Lecture slides
Boneh & Shoup Appendix A
Further reading:
A Computational Introduction to Number Theory and Algebra, Ch. 3, 6 by Shoup
Fast multiplication and its applications by Bernstein

Homework 3 Due

10/26
Diffie-Hellman, elementary discrete log cryptanalysis
Lecture slides
New Directions in Cryptography by Diffie and Hellman 1976
Boneh & Shoup Ch. 10
Handbook of Applied Cryptography (HAC) Ch. 3.6
On Diffie-Hellman Key Agreement with Short Exponents by van Oorschot and Wiener 1996

Homework 5 Available

10/31
Chinese Remainder Theorem, Pohlig-Hellman algorithm, public-key cryptography, RSA
Lecture slides
Boneh & Shoup Ch. 11
A Method for Obtaining Digital Signatures and Public-Key Cryptosystems by Rivest, Shamir, and Adleman 1978
Further reading:
A personal view of average-case complexity by Impagliazzo 1995

Homework 4 Due

11/2
Elementary factoring algorithms and RSA cryptanalysis
Lecture slides
Boneh & Shoup Ch. 12
Further reading/research directions:
Why Textbook ElGamal and RSA Encryption Are Insecure by Boneh, Joux, and Nguyen 2000
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 by Bleichenbacher 1998
DROWN: Breaking TLS using SSLv2 by Aviram et al. 2016
Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices by Heninger, Durumeric, Wustrow, and Halderman 2012
Random number generator enhancements for Linux 5.17 and 5.18 by Donenfeld 2022

Homework 6 Available

11/7
Digital signatures
Lecture slides
Boneh & Shoup Ch. 13


11/9
Elliptic curve cryptography
Lecture slides
Boneh & Shoup Ch. 15
Further reading/research directions:
A riddle wrapped in an enigma by Koblitz and Menezes 2015
Curve25519: new Diffie-Hellman speed records by Bernstein 2006

Homework 5 Due

11/14
Authenticated key exchange; TLS
Lecture slides
Boneh & Shoup Ch. 21
Further reading/research directions:
A Messy State of the Union: Taming the Composite State Machines of TLS by Beurdouche, Bhargavan, Delignat-Lavaud, Fournet, Kohlweiss, Pironti, Strub, and Zinzindohoué 2015
SMACK: State Machine AttaCKs against TLS
Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS by Bhargavan et al. 2014
A Cross-Protocol Attack on the TLS Protocol by Mavrogiannopoulos, Vercauteren, Velichkov, and Preneel 2012

Homework 7 Available
Bonus Exercise Available

11/16
Authenticated key exchange, continued


Homework 6 Due

11/21
Lattice-based cryptanalysis
Lecture slides

Daniele Micciancio lecture notes (1, 2)
Oded Regev lecture notes
Factoring Polynomials with Rational Coefficients by Lenstra, Lenstra, and Lovász 1982
The two faces of lattices in cryptology by Nguyen 2001
Using LLL-reduction for solving RSA and factorization problems: a survey by May 2007
Recovering cryptographic keys from partial information, by example by De Micheli and Heninger 2020

Homework 8 Available

11/28
Index calculus for factoring and discrete log
Lecture via Zoom
Lecture slides

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice by Adrian, Bhargavan, Durumeric, Gaudry, Green, Halderman, Heninger, Springall, Thomé, Valenta, VanderSloot, Wustrow, Zanella-Béguelin, and Zimmermann 2015
Further reading:
A new index calculus algorithm with complexity L(1/4 + o(1)) in small characteristic by Joux 2013
A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic by Barbulescu, Gaudry, Joux, and Thomé 2013

Homework 7 Due

11/30

Key overwriting attacks
Guest lecture: Miro Haller
Lecture slides (updated)
Lecture recording

The lecture is based on the following papers (reading them is optional; they go into much more detail than we'll cover):
MEGA: Malleable Encryption Goes Awry by Backendal, Haller, and Paterson. IEEE S&P 2023.
Caveat Implementor! Key Recovery Attacks on MEGA by Albrecht, Haller, Mareková, and Paterson. Eurocrypt 2023.
Victory by KO: Attacking OpenPGP Using Key Overwriting by Bruseghini, Huigens, Paterson. CCS 2022.



12/5
Random number generation
Lecture slides
Further reading/research directions:
An Analysis of the NIST SP 800-90A Standard by Woodage and Shumow 2019
Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust by Dodis et al. 2013
When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability by Yilek et al. 2009
Authentication Failures in NIST version of GCM by Joux 2006
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS by Böck et al. 2016
On the Practical Exploitability of Dual EC in TLS Implementations by Checkoway et al. 2014
A Systematic Analysis of the Juniper Dual EC Incident by Checkoway et al. 2016
Cryptanalytic Attacks on Pseudorandom Number Generators by Kelsey, Schneier, Wagner, and Hall 1998
Practical state recovery attacks against legacy RNG implementations by Cohney, Green, and Heninger 2018


12/7
Post-quantum cryptography
Lecture slides
Further reading:
Algorithms for Quantum Computation: Discrete Logarithms and Factoring by Shor 1994
Quantum Computing: Progress and Prospects, National Academies report 2019
A Resource Estimation Framework for Quantum Attacks Against Cryptographic Functions by Mosca and Gheorghiu 2017
NIST Post-Quantum Cryptography Round 3 Submissions
Boneh & Shoup Ch. 14

Homework 8 Due
Bonus Exercise Due
