### Materials

These are not the lecture notes of the first lecture. These are just the administrative announcements made by Chris in the first lecture.

Lecture slides updated after the lecture Monday Sept 16 evening.

The exercise problems will appear here one week before the assignment deadline and model solutions after the assignment deadline.

Deadline: September 16, 2019.

The exercise problems will appear here one week before the assignment deadline and model solutions after the deadline.

Deadline: September 23, 2019.

Concerning **Problem 4**, please consult slide 28 of Lecture 2, which was skipped at the lecture due to lack of time.

Lecture slides updated after the lecture.

The exercise problems will appear here one week before the assignment deadline and model solutions after the assignment deadline.

Deadline: September 30, 2019.

Revised slides for lecture Monday, 30 September

- Problems for Assignment 4
- NB: In Problem 1, it is asked to find the output bit y_j which maximizes the *correlation with* the linear function defined as XOR sum of all four input bits (in absolute value). This is the same as finding the output bit y_j which maximizes the correlation of the XOR sum of y_j and the four input bits with 0 (in absolute value). See file problem1.pdf for another formulation of Problem 1.
- Model solutions of Assignment 4 problems

Lecture slides from Monday Oct 7.

Problems and model solution for Assignment 5

Lecture 6 slides

This Definitions & Foundations (DAF) document collects the foundations, definitions and conventions used during the course. We wrote the DAF with the following two guiding principles.

- DAF should be rather short and make it easy to find a definition fast.
- DAF should provide all necessary *technical* content in a bottom-up fashion.

DAF thus represents the dependency of definitions, i.e., which definition builds on which other definition. We consider this a useful way to structure knowledge. In turn, lectures and Lecture Notes (LN) follow a logic of *motivation*, justifying thoroughly why a certain concept is useful etc., which we consider a useful structure for a teaching interaction. We invite you to use DAF and LN in parallel.

Section 1 of DAF provides foundations underlying this course. It is minimal, yet comprehensive, and includes intuition as well as convention and notation of pseudo-code, packages and package composition. Section 2 essentially only contains the security definitions of cryptographic primitives as well as important constructions and theorems. See LN for intuition, motivation and proofs of theorems.

The lectures follow the structure of the LN, and their main purpose is to motivate and communicate the conceptual ideas, techniques and approaches. Exercise sessions, discussion with other course participants and with the teaching assistants, as well as personalized feedback from the teaching assistants, are an opportunity to refine your understanding of the methodology of provable security/reduction-based security and your mastery of the technical implementation of the methodology.

If you find typos or other mistakes in this document, please write to Chris Brzuska or Valtteri Lipiäinen. The document will grow synchronously with the course content. The structure of the document will not change, i.e., things will only be added at the bottom of the document (but correction of typos or rephrasings etc. in earlier sections might occur, based on feedback).

Document History:

November 24, 2019, 23:26: In some places, keys were generated using a key generation algorithm, but throughout this course, we actually assumed uniformly random keys, so I removed the key generation algorithm and replaced it by uniform sampling.

November 22, 2019, 10:50: fix typo in fig 1: in real KEY[s] package in SET[s] oracle, K_r was called with index r instead of s

November 20, 2019, 18:36: Added formal AE-definition and discussion of runtime in the context of code equivalence

November 11, 2019, 09:01: Corrected typos in definitions for symmetric encryption

November 11, 2019, 05:04: Added definitions for symmetric encryption

November 4, 2019, 11:22: Added definitions for MACs.

October 30, 2019, 09:05: corrected typo: In the previous version, the checks in the SET oracle wrongly checked whether k \neq \bot. However, they need to check that k=\bot, meaning that the key has not been assigned yet.

October 30, 2019, 01:55: corrected typo: In the previous version, the EVAL oracle was occasionally mistakenly referred to as PRF.

October 28, 2019, 15:50: added appendix, minor additional edits.

October 28, 2019, 11:30: first version

File history:

Nov 5, 2019: 02:00: corrected typo: EVAL oracle was occasionally wrongly called PRF. I renamed f_example to f_bad to emphasize that this is not a good PRF. Removed superfluous word "input" in some part of the text.

Oct 30, 2019, 09:05: corrected typo: In the previous version, the checks in the SET oracle wrongly checked whether k \neq \bot. However, they need to check that k=\bot, meaning that the key has not been assigned yet.

Oct 29, 2019: Corrected typo: A_{example} needs to make queries EVAL[1,0^{n}] and EVAL[1,1^{n}] instead of EVAL[1,0^{n}] and EVAL[1,1^{n}].

Oct 29, 2019: This is a complete and corrected version of the notes. Note that there was a mistake in the description of A_{example}. Namely, A_{example} needs to make queries GET[1,x] and GET[1,x'] instead of EVAL[1,x] and EVAL[1,x'], as was originally stated.

Oct 28, 2019: First draft of the lecture notes of Lecture 07.

Problems and model solution for Assignment 6. If you have questions, you can ask your TAs. In case you find errors (even if you are not sure), please contact Estuardo, Pihla, Valtteri and/or Chris so that we can correct them quickly and avoid confusion for others.

Nov 07, 2019, 01:32: Expanded on the intuition for message authentication code security and included more detailed calculus of the probabilities.

Nov 06, 2019, 00:13: First draft of the lecture notes, some parts are still missing, but the main content from the lecture should be there in case you were not able to attend. Feedback is welcome (please send it to Chris), I will improve the current draft as soon as I find the time.

Problems and model solution for Assignment 7. If you have questions, you can ask your TAs. In case you find errors (even if you are not sure), please contact Estuardo, Pihla, Valtteri and/or Chris so that we can correct them quickly and avoid confusion for others.

Nov 18, 16:03: This is the first version of the Lecture Notes of Lecture 10.

Nov 18, 16:51: Corrected some errors (the first version had key generation algorithms which we do not treat this year, i.e., this year, key generation algorithms simply sample keys uniformly at random. The code was from the previous year).

Nov 20, 09:36: Included discussion of what a reduction is and discussion of overall proof structure.

Nov 24, 23:15: Included the complete proofs with all details. This is intended to be the final version of the lecture notes. If you still find typos, please let us know.

Some course participants made suggestions for how to improve the notation that we use in the course for next year, and we re-wrote an alternative version of the DAF so you can see what implementing these suggestions would look like.

Of course, we do not want to change the notation in the middle of the course, so in the lectures of this year, we keep using the original notation (as stated in the DAF), but you are free to use the notation in this alternative DAF for the exercises if you prefer. In case you do, please mark this clearly on your exercise sheet.

Nov 25, 05:40: These are the lecture notes for Lecture 11. There is an additional slide set with attacks on TLS 1.2 which are not contained in these lecture notes.