Credits: 5

Schedule: 09.09.2019 - 05.12.2019

Contact information for the course (applies in this implementation): If you have questions, you can ask one of the teaching assistants during the exercise sessions. You can go to all exercise sessions, not only the one you are registered for, but registered participants have priority of attendance (in case more people want to attend than fit into the room). Also note that you will receive feedback from the teaching assistant of the group for which you are registered. For administrative questions that the teaching assistants cannot answer, you can ask Prof. Chris Brzuska. You can discuss content questions with the teaching assistants and you can contact Prof. Kaisa Nyberg for teaching period I and Prof. Chris Brzuska for teaching period II.

Teaching Period (valid 01.08.2018-31.07.2020): 

I - II (Autumn)

Learning Outcomes (valid 01.08.2018-31.07.2020): 

Having completed the course, you understand the security that commonly used cryptographic primitives provide as well as their limits. You are able to judge whether a cryptographic building block is suitable for use in a particular application, and you can assess security models for applications critically. You can construct reductions between cryptographic primitives and recognize whether small modifications to a cryptographic primitive compromise its security.

Content (valid 01.08.2018-31.07.2020): 

We introduce cryptographic security models and concepts and understand the relations between them. We then apply the learnt concepts and techniques to real-world problems. In particular, we cover:

  • One-way functions
  • Pseudorandomness
  • Pseudorandom generators
  • Pseudorandom functions
  • symmetric encryption
  • asymmetric encryption
  • message authentication codes
  • signature schemes
  • secure channels
  • recent attacks on real-life protocols such as TLS, IPsec,...

Details on the course content (applies in this implementation): In teaching period I, Prof. Kaisa Nyberg will teach the foundations of the design of cryptographic algorithms and cryptanalysis. Below is a tentative list of contents for teaching period I. Note that we might not be able to cover all, and that the contents are not restricted to the below contents:

Lecturer: Kaisa Nyberg

Lecture 1: 

Definition of cryptosystem

Plaintext alphabets and their arithmetic

Attack models

Substitution ciphers

Shift cipher

Frequency analysis

Vigenère cipher

Cryptanalysis of Vigenère cipher

Lecture 2: 

Shannon's bound

One-time pad

Stream cipher

Diffusion and confusion

Product ciphers

Block ciphers: Feistel, SPN

S-box

Linear layer

Lecture 3: 

Block cipher example designs

Complementation property of DES

Index of coincidence as statistical attack

Differential cryptanalysis

Differential distribution table

Differential trails

Wide-trail strategy

Lecture 4: 

The last-round trick

Provable security

Cradic

Linear cryptanalysis

Correlation

Linear trails

Lecture 5: 

Key recovery using linear cryptanalysis

Matsui's Algorithm 2

Encryption using block cipher

Meet-in-the-middle attack

Block cipher modes of operation

Lecture 6:

Block cipher based message authentication 

AES


Recommended books for teaching period I:

"Cryptography, Theory and Practice" by Douglas Stinson;

"Understanding Cryptography" by Christof Paar and Jaan Pelzl, Springer 2009. There are several copies of the latter book available at the CS library.

Good, comprehensive, and free references include:

  • Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/
  • Smart, Cryptography, An Introduction, http://www.cs.bris.ac.uk/~nigel/Crypto_Book/

In teaching period II, Prof. Chris Brzuska will teach the foundations of rigorous analysis of cryptographic constructions, assuming the primitives are secure. Below is a tentative list of contents for teaching period I. Note that we might not be able to cover all, and that the contents are not restricted to the below contents:

Lecturer: Chris Brzuska

Lecture 7: Indistinguishability and PRGs

  • Pseudorandomness
  • Pseudorandom generators (PRG)
  • Encoding security properties as indistinguishability games
  • Conventions, notation 

Lecture 8: Proofs of indistinguishability and PRFs

  • Pseudorandom functions (PRF)
  • Reductions
  • Increasing the output length of a PRG (might partially be done in the exercises)
  • Building a PRG from a PRF (might partially be done in the exercises)

Lecture 9: Message authentication

  • Message authentication codes (MAC)
  • Strong unforgeability of MACs as a game
  • Building a strongly unforgeable MAC from a secure PRF
  • Signature schemes

Lecture 10: Encryption

  • Symmetric encryption (SE)
  • Confidentiality
  • Indistinguishability under chosen plaintext attacks (IND-CPA)
  • Indistinguishability under chosen ciphertext attacks (IND-CCA)
  • Authenticated encryption (AE)
  • Building a strongly unforgeable MAC from a secure PRF
  • Public-key encryption (PKE)

Lecture 11: TLS Record Layer

  • Authenticated encryption: Foundations
  • Authenticated encryption in TLS: From theoretical weaknesses to practical attacks in 16 years

Lecture 12: TLS Handshake Protocol

  • New TLS 1.3 Design
  • Downgrade attacks
  • Other design principles

For teaching period II, Mike Rosulek's draft book "The Joy of Cryptography" might be helpful: https://web.engr.oregonstate.edu/~rosulekm/crypto/ Note that Rosulek does not use exactly the same formalism/notation as we use in the course, but the ideas are quite similar. You can have a look here if you are curious about where our notation emerged: https://eprint.iacr.org/2018/306/20180403:132933

Complementary reading material: Jonathan Katz, Yehuda Lindell "Introduction to Modern Cryptography" and Oded Goldreich "Foundations of Cryptography I+II".

Assessment Methods and Criteria (valid 01.08.2018-31.07.2020): 

Weekly exercises, course feedback (no exam)

Elaboration of the evaluation criteria and methods, and acquainting students with the evaluation (applies in this implementation): 

Individual Feedback (learning/teaching)

Please put your own name and the name of your teaching assistant on your solution sheet. Your teaching assistant will give you individual, written feedback on your written solutions so that you can practice thorough reasoning in the context of cryptography. You can hand in solutions at the letterboxes on the left of office C210 (in the CS building) or in the lecture hall before the lectures on Monday. You can collect your individual feedback in the next exercise session or by individual agreement with your teaching assistant (please contact them via email). Feedback is aimed at helping to build skills successively, so we suggest collecting feedback promptly if you want to make use of it.

The mapping from teaching assistants to groups H1, H2, H3, H4, H5 and H6 is:

  • Group H1: Miika Leinonen ( miika.leinonen@aalto.fi )
  • Group H2: Estuardo Alpirez Bock ( estuardo.alpirezbock@aalto.fi )
  • Group H3: Osama Abuzaid ( osama.abuzaid@aalto.fi )  
  • Group H4: Pihla Karanko ( pihla.karanko@aalto.fi )
  • Group H5: Valtteri Lipiainen ( petri.v.lipiainen@aalto.fi )
  • Group H6: Konrad Kohbrok ( konrad.kohbrok@aalto.fi )

Passing the course (testing)

We want to focus on learning/teaching and minimize the side-effects of testing. Thus, the mandatory part of the homework is kept light, and there is no exam and no grades, i.e., only a fail/pass grade. There are 10 exercise sheets with overall 40 points, i.e., 4 points per week.

We think that 32 points correspond to reasonable participation in the class, so that one can skip some exercises, based on one's own judgement of usefulness and interest. However, the passing criteria are lower: For passing the class, your points need to fulfill the following three criteria:

  • 10 or more points from teaching period I
  • 10 or more points from teaching period II
  • 25 or more points overall

Given this light requirement, no extensions for gaining points are given. You may, however, hand in exercises up to one week late to obtain individual written feedback (but no points).

Workload (valid 01.08.2018-31.07.2020): 

Lectures 24 h (16 90-minute sessions),

Teaching in small groups 24 h (16 90-minute sessions),

Weekly written exercises 32h

Other independent work 48 h

Study Material (valid 01.08.2018-31.07.2020): 

Foundations of Cryptography I, Oded Goldreich

Foundations of Cryptography II, Oded Goldreich

Details on the course materials (applies in this implementation): 

Recommended books for teaching period I: "Cryptography, Theory and Practice" by Douglas Stinson; "Understanding Cryptography", Christof Paar and Jaan Pelzl, Springer 2009, http://www.crypto-textbook.com/ . There are several copies of the latter book available at the CS library.

For teaching period II, Mike Rosulek's draft book "The Joy of Cryptography" might be helpful: https://web.engr.oregonstate.edu/~rosulekm/crypto/ Note that Rosulek does not use exactly the same formalism/notation as we use in the course, but the ideas are quite similar. You can have a look here if you are curious about where our notation emerged: https://eprint.iacr.org/2018/306/20180403:132933

Complementary reading material: Jonathan Katz, Yehuda Lindell "Introduction to Modern Cryptography" and Oded Goldreich "Foundations of Cryptography I+II".


Substitutes for Courses (valid 01.08.2018-31.07.2020): 

Replaces former course T-79.4502 / T-79.4501 Cryptography and Data Security.

Prerequisites (valid 01.08.2018-31.07.2020): 

Essential: Ability to use mathematical reasoning, formulate definitions and proofs

Highly recommended: complexity theory and discrete probabilities

Grading Scale (valid 01.08.2018-31.07.2020): 

pass/fail

Details on the schedule (applies in this implementation): 

  • Exercise Sheet 1: Handout on Monday, Sep 9, Submission on Monday, Sep 16, Feedback on Wed/Thu Sep 18/19
  • Exercise Sheet 2: Handout on Monday, Sep 16, Submission on Monday, Sep 23, Feedback on Wed/Thu Sep 25/26
  • Exercise Sheet 3: Handout on Monday, Sep 23, Submission on Monday, Sep 30, Feedback on Wed/Thu Oct 2/3
  • Exercise Sheet 4: Handout on Monday, Sep 30, Submission on Monday, Oct 7, Feedback on Wed/Thu Oct 9/10
  • Exercise Sheet 5: Handout on Monday, Oct 7, Submission on Monday, Oct 14, Feedback on Wed/Thu Oct 16/17

--- one week break (there is no exam for this course) ---

  • Exercise Sheet 6: Handout on Monday, Oct 28, Submission on Monday, Nov 4, Feedback on Wed/Thu Nov 6/7
  • Exercise Sheet 7: Handout on Monday, Nov 4, Submission on Monday, Nov 11, Feedback on Wed/Thu Nov 13/14
  • Exercise Sheet 8: Handout on Monday, Nov 11, Submission on Monday, Nov 18, Feedback on Wed/Thu Nov 20/21
  • Exercise Sheet 9: Handout on Monday, Nov 18, Submission on Monday, Nov 25, Feedback on Wed/Thu Nov 27/28
  • Exercise Sheet 10: Handout on Monday, Nov 25, Submission on Monday, Dec 2, Feedback on Wed/Thu Dec 4/5
