Cryptography -- Fall 2010

CAS 762: Cryptography
Fall 2010

Instructor: Michael Soltys, email: my last name at mcmaster.ca
Course Outline
Lectures: Wednesdays 5:00-8:00 in ITB-222.
Course outline: An introduction to mathematical cryptography.

Textbooks:

	We are going to following this textbook. An introduction to mathematical cryptography by Jeffrey Hoffstein, Jill Pipher and Joseph H. Silverman
	Recommended reading as background for lattice based crypto. (Note that any basic linear algebra textbook would do.) Linear Algebra Problem Book by Paul Halmos
	Recommended reading for number theory background (Appendix A) as well as Diffie-Hellman, ElGamal, RSA and the Rabin-Miller algorithm. An introduction to the analysis of algorithms by Michael Soltys

Check this web page regularly for announcements.
Please Read: McMaster Academic Integrity Statement.

Announcements:

Dec 2: Final exam extension: The final is due on December 13th. Please put a hard copy in my mailbox before the end of the day.
Dec 2: Slides from the presentation by Xiang Yin about Digital Cash.
Nov 25: A list of recent talks:
- Ariel Fernadez on DES and AES
- Mohamed Sabry on Homomorphic Encryption
- Guohong Rong on Bilinear Parings on Elliptic Curves
Nov 15: Second talk on LLL by Peter Kandolf from Nov 10.
Nov 4: We had two presentation on Wednesday Nov 3:
- Enigma Part 2 by Jason Jaskolka
- SVP is NP-hard via randomized reductions by Tim Paterson
Nov 2: In question 4 of the midterm, A finds v as follows: A selects any random number s and squares it mod n to obtain v.
Nov 2: Slides from two and three lectures ago on cryptographic protocols -- needed for the midterm assignment (especially, the 3-way protocol).
Nov 2: Slides from Oct 27 lecture -- basic definitions of security.
Nov 1: Final assignment, due on Dec 10.
Nov 1: Cipher text.
Oct 21: Slides on PGP by Guohong Rong, from a talk given on Oct 20.
Oct 17: Midterm due on Nov 10.
Oct 16: We are ready to start scheduling a second round of talks. Remember that Each student gives two talks:
- dates colored as such indicate a first talk
- while dates colored as such indicate a second talk .
Let me know if you would rather talk on a different topic than one of the topics listed below.
Oct 15: Slides of Peter Kandolff about LLL.
Oct 14: Slides of Xiang Yin on NTRU from Oct 13.
Oct 11: Slides from the Oct 6 lecture on Cryptographic Protocols (Kerberos).
Oct 8: Slides from the presentations on Wednesday Oct 6:
- Enigma by Jason.
- Lattices by Ariel.
Oct 4: Slides from the Sept 29 lecture on the Rabin-Miller algorithm and reductions.
Oct 2: Slides from Sabry's presentation on GGH on Sept 29.
Sept 30: Slides from Tim's presentation on hashing on Sept 29.
Sept 27: Click here for the slides from lecture on Sept 22. The password is posted on my office door.
Sept 4: First lecture on Wednesday September 15, 5-8pm, in ITB-222.

Assignments and presentations:

List of Projects

Project Nr. Project Title Speaker Date

Material for the following three projects can also be found in "An introduction to mathematical cryptography", Hoffstein, Pipher, Silverman (HPS henceforth). The 3 cryptosystems are mentioned in the first paragraph of page 383, and more detailed citations than here are given.

1 Ajtai-Dwork cryptosystem Read the paper: M. Ajtai & C. Dwork, "A public-key cryptosystem with worst-case / average-case equivalence" in STOC 1998.

2 GGH cryptosystem Read the paper: O. Goldreich, S. Goldwasser, S. Halevi, "Public-key cryptosystems from lattice reduction problems" in Advances in Cryptology, CRYPTO 1997. Also section 6.8 in HPS. Mohamed Sabry Sept 29

3 NTRU cryptosystem Read the paper: J. Hoffstein, J. Pipher, J.H. Silverman, "NTRU: a ring-based public key cryptosystem" in Algorithmic Number Theory 1998. Also section 6.10 in HPS. Xiang Yin Oct 13

The following two projects are based on two papers of Ajtai on hard lattice problems.

4 M. Ajtai, "Generating hard instances of lattice problems", ECCC TR96-007.

5 M. Ajtai, "The shortest vector problem in L_2 is NP-hard for randomized reductions", ECCC TR97-046. In particular, understand why SVP is NP-hard under the "randomized reduction hypothesis" (which from footnote 5, page 371, in HPS seems to say that P is properly contained in ZPP - using standard complexity theoretic terminology). I find this very intriguing. Tim Paterson Nov 3

The following projects have a complexity flavor.

6 Show that CVP is NP-hard (this is related to 5 above).

7 SVP is not harder than CVP O. Goldreich, D. Micciancio, S. Safra, J.P. Seifert, "Approximating shortest lattice vectors is not harder than approximating closest lattice vectors", Information Processing Letters 1999 ([45] in HPS)

8 An overview of the complexity of lattice problems D. Miccancio and S. Goldwasser, "Complexity of Lattice Problems" ([77] in HPS)

The following is really a linear algebra project.

9a LLL algorithm Section 6.12.2; first understand the Gaussian lattice reduction algorithm in 2 dimensions (Ariel & I gave a proof that the Gaussian algorithm runs in polynomial time). Then LLL is easier to understand. This project is really covering section 6.12 & 6.13 in HPS, which have some very beautiful mathematics. Peter Kandolf Oct 13

9b Correctness of the LLL algorithm. This is theorem 6.68, pg 413, in the textbook, but notice that the proof given there is incomplete, in the sense that it assumes that L is a subset of Z^n, whereas in the general case it is a subset of R^n. For a full version, see Factoring polynomials with Rational Coefficients by Lenstra, Lenstra and Lovasz, 1982. Peter Kandolf Nov 10

Assorted projects.

11 Homomorphic encryption, based on an article in the Communications of the ACM "Computing Arbitrary Functions of Encrypted Data" by Craig Gentry, March 2010, vol 53, no 3 Mohamed Sabry Nov 24
12a Enigma machine In the 1920s, the encryption generated by the Enigma machine was believed to be unbreakable---with a theoretical number of ciphering possibilities of 3x10^{114}, that belief was not unjustified. The Enigma machine based its cipher capabilities on a series of wired rotor wheels and a plugboard. Through a web of internal wiring, each of the twenty-six input contacts on the rotor were connected to a different output contact. The wiring connections of one rotor differed from the connections on any other rotor. Yet, the Enigma ciphers were broken during WWII at Bletchley Park. Jason Jaskolka Oct 6

12b Breaking the code of the Enigma machine. Jason Jaskolka Nov 3

13 Hash functions Cryptographic hash functions such as SHA-1 or MD5 are widely used in cryptography. In digital signature schemes, messages m are first hashed and the hash value h(m) is signed in place of m. Hash values are used to check the integrity of public keys. Pseudorandom bit strings are generated by hash functions. When used with a secret key, cryptographic hash functions become message authentication codes (MACs), the preferred tool in protocols like SSL and IPSec to check the integrity of a message and to authenticate the sender. Tim Paterson Sept 29

14 The Gnu Privacy Guard, GnuPG, also known as GPG, is a complete and free implementation of the OpenPGP standard---which is the most widely used email encryption standard in the world. The OpenPGP standard was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991. Guohong Rong Oct 20

15 Holomorphic encryption - pg 97 in ACM Comm. vol 53, no 03 Examples of applications: m1,...mk are k votes, compute c=E(m1,...,mk), compute from c the number of yes votes, c', and send c' without knowing what this number is. OR a search engine might receive an encrypted query; process it, without knowing what it is, and send back the encrypted answer - cloud computing.

16 SVP, CVP vs. GLRAlg (Gaussian Reduction Algorithm), BabAlg (Babai's Algorithm). Ariel Fernandez Oct 6

17 Symmetric key cryptography: DES and AES. Ariel Fernandez Nov 17

18 Active research seminar: Covert Channels.
This will be Jason's 3rd talk; I have asked Jason to repeat his excellent cryptography seminar from Oct 13 Jason Jaskolka Dec 1

19 Digital cash. References: chapter 4.5 (pg 115) in "Introduction to Cryptography" by Delfs & Knebl, as well as Camenisch, Maurer & Stadler, "Digital payment systems with passive anonimity revoking trustees", Lecture Notes in Computer Science, 1996. Xiang Yin Dec 1

20 Bilinear pairings on elliptic curves Guohong Rong Nov 24

Project Nr.	Project Title	Speaker	Date
Material for the following three projects can also be found in "An introduction to mathematical cryptography", Hoffstein, Pipher, Silverman (HPS henceforth). The 3 cryptosystems are mentioned in the first paragraph of page 383, and more detailed citations than here are given.
1	Ajtai-Dwork cryptosystem Read the paper: M. Ajtai & C. Dwork, "A public-key cryptosystem with worst-case / average-case equivalence" in STOC 1998.
2	GGH cryptosystem Read the paper: O. Goldreich, S. Goldwasser, S. Halevi, "Public-key cryptosystems from lattice reduction problems" in Advances in Cryptology, CRYPTO 1997. Also section 6.8 in HPS.	Mohamed Sabry	Sept 29
3	NTRU cryptosystem Read the paper: J. Hoffstein, J. Pipher, J.H. Silverman, "NTRU: a ring-based public key cryptosystem" in Algorithmic Number Theory 1998. Also section 6.10 in HPS.	Xiang Yin	Oct 13
The following two projects are based on two papers of Ajtai on hard lattice problems.
4	M. Ajtai, "Generating hard instances of lattice problems", ECCC TR96-007.
5	M. Ajtai, "The shortest vector problem in L_2 is NP-hard for randomized reductions", ECCC TR97-046. In particular, understand why SVP is NP-hard under the "randomized reduction hypothesis" (which from footnote 5, page 371, in HPS seems to say that P is properly contained in ZPP - using standard complexity theoretic terminology). I find this very intriguing.	Tim Paterson	Nov 3
The following projects have a complexity flavor.
6	Show that CVP is NP-hard (this is related to 5 above).
7	SVP is not harder than CVP O. Goldreich, D. Micciancio, S. Safra, J.P. Seifert, "Approximating shortest lattice vectors is not harder than approximating closest lattice vectors", Information Processing Letters 1999 ([45] in HPS)
8	An overview of the complexity of lattice problems D. Miccancio and S. Goldwasser, "Complexity of Lattice Problems" ([77] in HPS)
The following is really a linear algebra project.
9a	LLL algorithm Section 6.12.2; first understand the Gaussian lattice reduction algorithm in 2 dimensions (Ariel & I gave a proof that the Gaussian algorithm runs in polynomial time). Then LLL is easier to understand. This project is really covering section 6.12 & 6.13 in HPS, which have some very beautiful mathematics.	Peter Kandolf	Oct 13
9b	Correctness of the LLL algorithm. This is theorem 6.68, pg 413, in the textbook, but notice that the proof given there is incomplete, in the sense that it assumes that L is a subset of Z^n, whereas in the general case it is a subset of R^n. For a full version, see Factoring polynomials with Rational Coefficients by Lenstra, Lenstra and Lovasz, 1982.	Peter Kandolf	Nov 10
Assorted projects.
11	Homomorphic encryption, based on an article in the Communications of the ACM "Computing Arbitrary Functions of Encrypted Data" by Craig Gentry, March 2010, vol 53, no 3	Mohamed Sabry	Nov 24
12a	Enigma machine In the 1920s, the encryption generated by the Enigma machine was believed to be unbreakable---with a theoretical number of ciphering possibilities of 3x10^{114}, that belief was not unjustified. The Enigma machine based its cipher capabilities on a series of wired rotor wheels and a plugboard. Through a web of internal wiring, each of the twenty-six input contacts on the rotor were connected to a different output contact. The wiring connections of one rotor differed from the connections on any other rotor. Yet, the Enigma ciphers were broken during WWII at Bletchley Park.	Jason Jaskolka	Oct 6
12b	Breaking the code of the Enigma machine.	Jason Jaskolka	Nov 3
13	Hash functions Cryptographic hash functions such as SHA-1 or MD5 are widely used in cryptography. In digital signature schemes, messages m are first hashed and the hash value h(m) is signed in place of m. Hash values are used to check the integrity of public keys. Pseudorandom bit strings are generated by hash functions. When used with a secret key, cryptographic hash functions become message authentication codes (MACs), the preferred tool in protocols like SSL and IPSec to check the integrity of a message and to authenticate the sender.	Tim Paterson	Sept 29
14	The Gnu Privacy Guard, GnuPG, also known as GPG, is a complete and free implementation of the OpenPGP standard---which is the most widely used email encryption standard in the world. The OpenPGP standard was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991.	Guohong Rong	Oct 20
15	Holomorphic encryption - pg 97 in ACM Comm. vol 53, no 03 Examples of applications: m1,...mk are k votes, compute c=E(m1,...,mk), compute from c the number of yes votes, c', and send c' without knowing what this number is. OR a search engine might receive an encrypted query; process it, without knowing what it is, and send back the encrypted answer - cloud computing.
16	SVP, CVP vs. GLRAlg (Gaussian Reduction Algorithm), BabAlg (Babai's Algorithm).	Ariel Fernandez	Oct 6
17	Symmetric key cryptography: DES and AES.	Ariel Fernandez	Nov 17
18	Active research seminar: Covert Channels. This will be Jason's 3rd talk; I have asked Jason to repeat his excellent cryptography seminar from Oct 13	Jason Jaskolka	Dec 1
19	Digital cash. References: chapter 4.5 (pg 115) in "Introduction to Cryptography" by Delfs & Knebl, as well as Camenisch, Maurer & Stadler, "Digital payment systems with passive anonimity revoking trustees", Lecture Notes in Computer Science, 1996.	Xiang Yin	Dec 1
20	Bilinear pairings on elliptic curves	Guohong Rong	Nov 24

CAS 762: Cryptography Fall 2010

CAS 762: Cryptography
Fall 2010