Introduction to modern cryptography

I Introduction and Classical Cryptography

1. Introduction

Cryptography and Modern Cryptography

The Setting of Private-Key Encryption

Historical Ciphers and Their Cryptanalysis

Principles of Modern Cryptography

Principle 1 - Formal Definitions

Principle 2 - Precise Assumptions

Principle 3 - Proofs of Security

Provable Security and Real-World Security

References and Additional Reading

Exercises

2. Perfectly Secret Encryption

Definitions

The One-Time Pad

Limitations of Perfect Secrecy

*Shannon's Theorem

References and Additional Reading

Exercises

II Private-Key (Symmetric) Cryptography

3. Private-Key Encryption

Computational Security

The Concrete Approach

The Asymptotic Approach

Defining Computationally Secure Encryption

The Basic Definition of Security (EAV-Security)

*Semantic Security

Constructing an EAV-Secure Encryption Scheme

Pseudorandom Generators

Proofs by Reduction

EAV-Security from a Pseudorandom Generator

Stronger Security Notions

Security for Multiple Encryptions

Chosen-Plaintext Attacks and CPA-Security

CPA-Security for Multiple Encryptions

Constructing a CPA-Secure Encryption Scheme

Pseudorandom Functions and Permutations

CPA-Security from a Pseudorandom Function

Modes of Operation and Encryption in Practice

Stream Ciphers

Stream-Cipher Modes of Operation

Block Ciphers and Block-Cipher Modes of Operation

*Nonce-Based Encryption

References and Additional Reading

Exercises

4. Message Authentication Codes

Message Integrity

Secrecy vs Integrity

Encryption vs Message Authentication

Message Authentication Codes (MACs) - Definitions

Constructing Secure Message Authentication Codes

A Fixed-Length MAC

Domain Extension for MACs

CBC-MAC

The Basic Construction

*Proof of Security

GMAC and Poly

MACs from Difference-Universal Functions

Instantiations

*Information-Theoretic MACs

One-Time MACs from Strongly Universal Functions

One-Time MACs from Difference-Universal Functions

Limitations on Information-Theoretic MACs

References and Additional Reading

Exercises

5. CCA-Security and Authenticated Encryption

Chosen-Ciphertext Attacks and CCA-Security

Padding-Oracle Attacks

Defining CCA-Security

Authenticated Encryption

Defining Authenticated Encryption

CCA Security vs Authenticated Encryption

Authenticated Encryption Schemes

Generic Constructions

Standardized Schemes

Secure Communication Sessions

References and Additional Reading

Exercises

6. Hash Functions and Applications

Definitions

Collision Resistance

Weaker Notions of Security

Domain Extension: The Merkle-Damgard Transform

Message Authentication Using Hash Functions

Hash-and-MAC

HMAC

Generic Attacks on Hash Functions

Birthday Attacks for Finding Collisions

Small-Space Birthday Attacks

*Time/Space Tradeo s for Inverting Hash Functions

The Random-Oracle Model

The Random-Oracle Model in Detail

Is the Random-Oracle Methodology Sound?

Additional Applications of Hash Functions

Fingerprinting and Deduplication

Merkle Trees

Password Hashing

Key Derivation

Commitment Schemes

References and Additional Reading

Exercises

7. Practical Constructions of Symmetric-Key Primitives

Stream Ciphers

Linear-Feedback Shift Registers

Adding Nonlinearity

Trivium

RC4

ChaCha20

Block Ciphers

Substitution-Permutation Networks

Feistel Networks

DES - The Data Encryption Standard

3 DES: Increasing the Key Length of a Block Cipher

AES -The Advanced Encryption Standard

*Differential and Linear Cryptanalysis

Compression Functions and Hash Functions

Compression Functions from Block Ciphers

MD5, SHA-1, and SHA-2

The Sponge Construction and SHA-3 (Keccak)

References and Additional Reading

Exercises

8. *Theoretical Constructions of Symmetric-Key Primitives

One-Way Functions

Definitions

Candidate One-Way Functions

Hard-Core Predicates

From One-Way Functions to Pseudorandomness

Hard-Core Predicates from One-Way Functions

A Simple Case

A More Involved Case

The Full Proof

Constructing Pseudorandom Generators

Pseudorandom Generators with Minimal Expansion

Increasing the Expansion Factor

Constructing Pseudorandom Functions

Constructing (Strong) Pseudorandom Permutations

Assumptions for Private-Key Cryptography

Computational Indistinguishability

References and Additional Reading

Exercises

III Public-Key (Asymmetric) Cryptography

9. Number Theory and Cryptographic Hardness Assumptions

Preliminaries and Basic Group Theory

Primes and Divisibility

Modular Arithmetic

Groups

The Group ZN

*Isomorphisms and the Chinese Remainder Theorem

Primes, Factoring, and RSA

Generating Random Primes

*Primality Testing

The Factoring Assumption

The RSA Assumption

*Relating the Factoring and RSA Assumptions

Cryptographic Assumptions in Cyclic Groups

Cyclic Groups and Generators

The Discrete-Logarithm/Diffie-Hellman Assumptions

Working in (Subgroups of) Zp

Elliptic Curves

*Cryptographic Applications

One-Way Functions and Permutations

Collision-Resistant Hash Functions

References and Additional Reading

Exercises

10. *Algorithms for Factoring and Computing Discrete Logarithms

Algorithms for Factoring

Pollard's p - Algorithm

Pollard's Rho Algorithm

The Quadratic Sieve Algorithm

Generic Algorithms for Computing Discrete Logarithms

The Pohlig-Hellman Algorithm

The Baby-Step/Giant-Step Algorithm

Discrete Logarithms from Collisions

Index Calculus: Computing Discrete Logarithms in Zp

Recommended Key Lengths

References and Additional Reading

Exercises

11. Key Management and the Public-Key Revolution

Key Distribution and Key Management

A Partial Solution: Key-Distribution Centers

Key Exchange and the Diffie-Hellman Protocol

The Public-Key Revolution

References and Additional Reading

Exercises

12. Public-Key Encryption

Public-Key Encryption - An Overview

Definitions

Security against Chosen-Plaintext Attacks

Multiple Encryptions

Security against Chosen-Ciphertext Attacks

Hybrid Encryption and the KEM/DEM Paradigm

CPA-Security

CCA-Security

CDH/DDH-Based Encryption

El Gamal Encryption

DDH-Based Key Encapsulation

*A CDH-Based KEM in the Random-Oracle Model

*Chosen-Ciphertext Security and DHIES/ECIES

RSA-Based Encryption

Plain RSA Encryption

Padded RSA and PKCS # v

*CPA-Secure Encryption without Random Oracles

OAEP and PKCS # v

*A CCA-Secure KEM in the Random-Oracle Model

RSA Implementation Issues and Pitfalls

References and Additional Reading

Exercises

13. Digital Signature Schemes

Digital Signatures - An Overview

Definitions

The Hash-and-Sign Paradigm

RSA-Based Signatures

Plain RSA Signatures

RSA-FDH and PKCS #1 Standards

Signatures from the Discrete-Logarithm Problem

Identification Schemes and Signatures

The Schnorr Identification/Signature Schemes

DSA and ECDSA

Certificates and Public-Key Infrastructures

Putting It All Together { TLS

*Signcryption

References and Additional Reading

Exercises

14. *Post-Quantum Cryptography

Post-Quantum Symmetric-Key Cryptography

Grover's Algorithm and Symmetric-Key Lengths

Collision-Finding Algorithms and Hash Functions

Shor's Algorithm and its Impact on Cryptography

Post-Quantum Public-Key Encryption

Post-Quantum Signatures

Lamport's Signature Scheme

Chain-Based Signatures

Tree-Based Signatures

References and Additional Reading

Exercises

15. *Advanced Topics in Public-Key Encryption

Public-Key Encryption from Trapdoor Permutations

Trapdoor Permutations

Public-Key Encryption from Trapdoor Permutations

The Paillier Encryption Scheme

The Structure of Z_N

The Paillier Encryption Scheme

Homomorphic Encryption

Secret Sharing and Threshold Encryption

Secret Sharing

Verifiable Secret Sharing

Threshold Encryption and Electronic Voting

The Goldwasser-Micali Encryption Scheme

Quadratic Residues Modulo a Prime

Quadratic Residues Modulo a Composite

The Quadratic Residuosity Assumption

The Goldwasser-Micali Encryption Scheme

The Rabin Encryption Scheme

Computing Modular Square Roots

A Trapdoor Permutation Based on Factoring

The Rabin Encryption Scheme

References and Additional Reading

Exercises

Index of Common Notation

Appendix A Mathematical Background

A Identities and Inequalities

A Asymptotic Notation

A Basic Probability

A The \Birthday" Problem

A *Finite Fields

Appendix B Basic Algorithmic Number Theory

B Integer Arithmetic

B Basic Operations

B The Euclidean and Extended Euclidean Algorithms

B Modular Arithmetic

B Basic Operations

B Computing Modular Inverses

B Modular Exponentiation

B *Montgomery Multiplication

B Choosing a Uniform Group Element

B *Finding a Generator of a Cyclic Group

B Group-Theoretic Background

B Efficient Algorithms

References and Additional Reading

Exercises