Topic outline

    • Deadline: January 12, 23.59 via MyCourses.

      tl;dr version of the assignment:

      • Read 18 pages of https://cseweb.ucsd.edu/~mihir/papers/eakd.pdf
      • Write the model in pseudo-code
      • Write down questions you have on the paper

      The PDF version of the assignment has more details and some hints beyond the above.

      Correction: The PDF originally said "Monday, January 12" which I now corrected to "Friday, January 12", since January 12 is a Friday.

    • tl;dr version of assignment 2 (longer version in the PDF):

      Task 0: Read the paper

      Task 1: Find an attack on the protocol on the 1st page of the PDF.

      Task 2: Ask questions (instructions as in week 1)

    • Exercise 1:

      Explain the gap between the AKE^static model and/or the protocol description used in Brzuska-Jacobsen (which we read last week) and the real-life protocol deployment that enables the attack described in this paper. How would we need to change the AKE^static model or protocol description by Brzuska-Jacobsen in order to capture the attack scenario described in the paper?

      (EDIT: Exercise 1 was edited on January 22 at 18:31 in order to clarify the question.)

      Exercise 2:

      Ask questions :-). (Instructions as in Assignment 1.)

    • Exceptionally, this week's assignment is an exercise sheet --- the point is to get an overview of popular security notions that can be satisfied by key exchange protocols relying on symmetric long-term keys. The exercise sheet has lots of exercises; you can choose what you find most interesting --- max. 5 points.

      EDIT (January 31, 20:00): The adversary was missing the NEWSESSION query; I have added it now.

    • Exercise 1 (3 points): Answer the questions written on page 6 of the PDF below.

      Exercise 2 (2 points): Ask questions and come discuss them on February 12, 12:30 - 14:00.

    • See 1st page of PDF.

    • Note that I posted this assignment early. Only start this after assignment 6 :-).

      See 1st page of PDF for details of assignment 7.

      Update: While usually the deadline is on Friday, I accidentally put Saturday in the system. So, since I made this mistake, it's completely fine to submit until end of Saturday (rather than end of Friday as usual).

    • Deadline: March 15, 2024

      Exercise 1: Ask questions (2 points), discussion: March 18, 2024

      Exercise 2:

      (a) What is the freshness predicate for full forward secrecy which this paper considers? (0.5 points)

      (b) How does this freshness predicate differ from the freshness predicate for full forward secrecy in Assignment 4 and why? (0.5 points)

      (c) What is the difference between weak forward secrecy and full forward secrecy? (0.5 points)

      (d) What is a key confirmation message and how/why does it help to upgrade from weak to full forward secrecy? (0.5 points)

      (e) Describe your understanding of why the security loss in the number of parties occurs in the reduction and why this seems hard to avoid. Of course, it is hard to avoid, because the paper has a proof that it is hard to avoid... but what is the conceptual reason in your understanding (you do not need to read the impossibility result, and I did not include it in the printout)? (1 point)

    • Recommended deadline: March 22, 2024 (I promise to include the questions)

      Cut-off deadline: March 25, noon (if submitting on Friday is stressful, you can submit up to the cut-off deadline. The earlier you submit, the more likely it is that I include the questions in the Monday discussions.)

      Discussion: March 25, 2024, 12:30

      Exercise 1: Ask questions (2 points)

      Exercise 2 (max. 3 points out of 4, you can, but do not need to answer all):

      (a) Explain what the random oracle model is (1 point). [You can also Google further info beyond this paper...]

      (b) Explain how, conceptually, the event QueryRO helps the adversary break OWVwFS (1 point).

      (c) Can we easily replace the random oracle with a collision-resistant hash function so that the same proof still goes through? Explain how or why not (1 point).

      (d) In Assignment 8, we read that a multiplicative loss in the number of parties is inherent in some sense, while this paper can avoid a multiplicative loss in the number of parties. Why is there no contradiction between the statement in Assignment 8 and the statement made in this paper?

    • (0) Choose a paper published in EUROCRYPT, CRYPTO, or ASIACRYPT in 2018 - 2023 (*) (0 points)

      (1) Say why you chose the paper. What do you expect to learn from the paper? Which parts of the paper are you planning to read? The answers to the last two questions should be such that they can serve as a "reading assignment". (2 points, requires attending the session on April 8)


      Your self-made reading assignment will be 3 points (Deadline April 8, noon), feel free to suggest how to distribute the points. I might refine your reading assignment (and point distribution) if I think that it is too easy/hard.


      (*) Older versions of these conferences are fine, too, and some other publication venues such as other IACR conferences or S&P or CCS are typically also good --- but I don't commit to approving those.

    • Work on your own assignment (3 points, see detailed instructions by yourself :-)).