|2019-02-13 (lecture)||Historical ciphers. Perfect secrecy. One-time pad.||[video]|
|2019-02-20 (practice)||Breaking a substitution cipher. Malleability of one-time-pad (bank transfer).|
|2019-02-27 (lecture)||Limitations of one-time-pad/perfect security. Streamciphers. IND-OT-CPA security.||[video]|
|2019-02-27 (practice)||Brief introduction to PRGs. Security proof: If G is PRG, then H(x,y) := G(x)‖y is PRG. Very short intro to linear feedback shift registers (LFSR).|
|2019-03-06 (lecture)||Pseudo-random generators (PRG). Security proof for G(k)⊕m encryption scheme. Blockciphers. AES (started).||[video]|
|2019-03-06 (practice)||Game-based security of one-time pad.|
|2019-03-13 (lecture)||AES (continued). Feistel networks. Definition: strong pseudorandom permutation (PRP).||[video]|
|2019-03-13 (practice)||Security of AES with missing AddRoundKey/SubBytes/MixColumns/ShiftRows. Insecurity of 1-round, 2-round and 3-round-Feistel.|
|2019-03-20 (lecture)||Definition IND-CPA. ECB mode (and its weakness). CBC mode. IND-CPA security of CBC.||[video]|
|2019-03-20 (practice)||Malleability of CBC mode. Recap: Strong PRP. 3-round-Feistel is not strong PRP.|
|2019-03-27 (lecture)||Public key encryption. Textbook RSA. RSA assumption. Weaknesses of textbook RSA.||[video]|
|2019-03-27 (practice)||Crypto competition: authenticated encryption|
|2019-04-03 (lecture)||ElGamal encryption. Decisional Diffie-Hellman (DDH) assumption. IND-CPA security (public key case). ElGamal is IND-CPA secure.||[video]|
|2019-04-03 (practice)||(In)security of small variants of RSA|
|2019-04-10 (lecture)||Malleability of ElGamal. IND-CCA security. RSA-OAEP. Hybrid encryption.|
|2019-04-10 (practice)||Insecurity of ElGamal modulo prime.|
|2019-04-17 (lecture)||Hash functions. Collision-resistance. Davies-Meyer. Miyaguchi-Preneel. Iterated Hash. Collision-resistance and non-collision-resistance of Iterated Hash. Merkle-Damgård construction. Message authentication codes (MACs). Insecurity of Merkle-Damgård as a MAC.||[video]|
|2019-04-17 (practice)||Breaking collision resistance for various compression functions. Breaking sponge without padding.|
|2019-04-24 (lecture)||Constructions of MACs (secure/insecure): HMAC, CBC-MAC, DMAC, blockcipher as MAC, message length extension using hash functions. EF-CMA security. Birthday attack on hash functions.||[video]|
|2019-04-24 (practice)||Variants of EF-CMA (EF-NMA, EF-OT-CMA). Building information-theoretically secure EF-OT-CMA MACs|
|2019-05-08 (lecture)||Signatures. EF-CMA security (for signatures). Naive construction of signatures. One-way functions. Lamport's one-time signatures.||[video]|
|2019-05-08 (practice)||Design of a movie download protocol|
|2019-05-15 (lecture)||Tree-based signatures (how to get signatures from one-time signatures).||[video]|
|2019-05-15 (practice)||Insecurity of Lamport's one-time signature in twice-sign-scenario. Estimating length of tree-based signatures.|
|2019-05-22 (lecture)||Unsoundness of random oracle heuristic. Definition and security proof: One-way functions in the random oracle model.|