CS 591 V1 | Class Profile

Course Information
Staff
Resources

Description

This course introduces the science and art behind the design, security analysis, implementation, and cryptanalysis of modern day cryptosystems.

First, we will examine several primitives including block ciphers and collision-resistant hash functions, which we will apply in order to design cryptosystems that protect the privacy and authenticity of data at rest and in transit. Second, we will examine how cryptography can overcome, or be harmed by, systems security concerns. Third, we will explore the state of the art in secure messaging systems that leverage public and secret key cryptography to protect communications even in the case of prior or future device compromise. Finally, we will examine the mathematical strength of block ciphers and hash functions toward common types of mathematical cryptanalysis.

General Information

Meeting times

This class meets MW 12:20-1:35pm in MCS room B21.

VPN information

Some of the textbooks and reading assignments require access to the websites of publishers like Springer, IEEE, and ACM. You will only be able to access these papers if you are on the BU network or if you VPN into it. Instructions to VPN into the BU network are located here: http://www.bu.edu/tech/services/support/remote/vpn/. Alternatively, prepending "http://ezproxy.bu.edu/login?url=" to the front of a URL allows you to view a single website through the BU network without the need to VPN.

Office hours

Office hours are typically Tu 12-2pm and Fri 3-5pm in MCS room 164.

Announcements

Course schedule

1/22/17 1:08 PM

This post will be continually updated as new readings and assignments are posted.

Part 1. The power of random-looking permutations

Week	Topic	Required reading (by the end of the week)	Additional resources	Due date
1	Block ciphers	Rogaway: The Moral Character of Cryptographic Work (paper, post @7)	The Handbook on Applied Crypto (sections 1.1-1.2) concisely specifies the types of problems that we will address during this course. I highly recommend reading it. Impagliazzo's Five Worlds paper defines the concepts of Minicrypt and Cryptomania. See also this summary blog post. The first two sections of this paper elegantly summarize the Even-Mansour scheme. The Block Cipher Companion (chapter 3) describes AES. See also Moserware's stickfigure guide to AES.
2	Encrypting by enciphering	Two related papers: Whitten & Tygar 1999: Why Johnny Can't Encrypt Renaud et al 2014: Why Jane Doesn't Protect Her Privacy Post @13	The Block Cipher Companion (chapter 4) describes several popular encryption modes. Bellare, Rogaway 2000 describes encryption via encoding + enciphering. Rogaway 2009 describes practice-oriented provable cryptography.	PS1 due 2/3
3	MACs and hash functions	Canetti, Goldreich, and Halevi: The random oracle model, revisited (paper, post @26)	The Hash Function BLAKE (section 2.4) surveys the popular methods of hash function design from a fixed-length permutation or compression function, including Merkle-Damgard, HAIFA, and the sponge function construction. The Hash Function Lounge lists well-studied hash functions. See also this website, which details their perceived strength over time. Georgiev et al show that authenticity only matters if software properly validates signatures. Unfortunately, this is not always the case.
4	Alternate designs	Post @29 (note: you have two weeks to complete this reading)	The Keccak website has many excellent resources, including reference implementations of Keccak and the slides I use in Lecture 7 Liskov, Rivest, Wagner 2002 introduces tweakable block ciphers. There are also two recent papers on tweakable Even-Mansour specifically (1, 2). The Block Cipher Companion (chapter 5) describes the power of brute-force searches, including time-memory trade-offs.	PS2 due 2/17
5	Authenticated encryption	Many papers listed in post @29	Evaluation of some block cipher modes of operation is a slightly-dated but excellent summary + comparison of the standardized modes: CBC, CTR, HMAC, GCM, and a few others How to choose an Authenticated Encryption mode provides a brief comparison of the standardized AE modes. See also this table. Blog post containing one cryptographer's view of the best ciphers to use nowadays. The ongoing CAESAR competition attempts to design good misuse-resistant AE schemes (see also this list of CAESAR ciphers). Gueron, Lindell 2015 combines Galois counter mode with SIV mode for incredibly fast misuse-resistant AE on Intel processors (using AES-NI for AES and the Galois hash).

Part 2. Cryptography meets systems: a love/hate story

Wk	Topic	Required reading	Additional resources	Due date
6	Protecting data at rest	(none)	BitLocker drive encryption overview Short description of the disk encryption system used in Windows. You don't want XTS Description of the tweakable block cipher used in full-disk encryption, as detailed by a critic. (Also, Wikipedia has diagrams of XTS mode.) iOS security guide Apple's description of the cryptographic security in recent iPhones. See also this analysis. Start using the Secure Enclave Crypto API Web service that handles authentication using the iPhone's secure enclave. Security Models for Pseudo-Random Number Generators Why Replace SHA-1 with BLAKE2?	PS3 due 3/2
	(spring break)
7	Padding oracles	Egele et al: An empirical study of cryptographic misuse in Android applications (paper, post @61). Please read before lecture on Wed 3/15	YouTube video of a lecture on padding oracles by Prof. Matt Green Blog post by CloudFlare summarizing padding oracle attacks on CBC Blog post describing the padding oracle attack that was introduced in OpenSSL as part of the effort to fix the prior padding oracle.
8	Side channels	Spreitzer et al, Systematic Classification of Side-Channel Attacks: A Case Study for Mobile Devices (paper, post @68)	Osvik, Shamir, Tromer 2006 describes cache-based side channel attacks on AES Bernstein 2005 also studies cache-based side channel attacks, with remote network exploitation Crypto coding rules gives guidelines on producing timing-independent code Almeida et al 2015 explains the difficulty in writing software to prevent timing attacks, and provides a methodology for proving cryptosystems secure against timing attacks.	PS4 due 3/24

Part 3. Structured forgetfulness: dropping keys before they can be stolen

Wk	Topic	Required reading	Additional resources	Due date
9	Delegation & group keying	(None required. Optional: Challenges in Authenticated Encryption)	Itkis' survey on forward secrecy Chosen ciphertext attack on Apple iMessage A subset cover-based dynamic group keying scheme A survey on group keying protocols
10	Authenticated key exchange	Two papers/blog posts by Bryant and Davis, post @105	Canetti-Krawczyk model of authenticated key exchange Hugo Krawczyk's improvements to the original key exchange model, adding weak perfect forward secrecy and key compromise impersonation LaMacchia et al's further improvements	Test on 4/3
11	Key ratcheting & secure messaging	(none)	Technical description of the Signal double ratchet algorithm and also the Triple Diffie-Hellman key exchange (which builds upon some of the ideas from last week's papers) An opinion article on why forward secrecy may not always be needed. Cohn-Gordon et al on backward, or post-compromise secrecy A similar set of authors formally analyze Signal RWC 2017 talks: Trevor Perrin on Signal and Luke Garratt on its formal evaluation Recommended key lengths for ciphers	PS5 due 4/13

Part 4. When reductions fail: dealing with the lowest layer

Wk	Topic	Required reading	Additional resources	Due date
12	Randomness	(none)	The plain simple reality of entropy, Video on the options to request random numbers from a desktop machine. History of random.org's use of EM noise to generate entropy Linux's use of keystroke timings and mouse movements to generate entropy Salil Vadhan's Pseudorandomness textbook describes the theory of (1) extractors that cull nearly-uniform bits from a long string with some entropy and (2) pseudorandom generators that create the appearance of more entropy than actually exists in a string. Dodis et al 2013 explains how to harvest & use sources of entropy. Bernstein's attack when somebody can control one of your sources of supposedly-true randomness and can choose it after the other sources are publicly known. Spec for a new design for Linux's /dev/urandom. See a critique here.
13	Cryptanalysis of AES	Herley and van Oorschot: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit (paper, post @119)	The Block Cipher Companion (chapters 6-7) introduce the ideas behind differential & linear cryptanalysis. Kranz, Leander, and Wiemer 2017 give a detailed survey of linear cryptanalysis. S-box, SET, Match: A Toolbox for S-box Analysis is a paper with accompanying C code that computes cryptanalytic metrics. A Sage Library for Analysis of Nonlinear Boolean Mappings is a paper with accompanying Sage code that generates S-boxes from several families proposed in prior papers. Also, it analyzes any S-box that you provide against a variety of cryptanalytic metrics. The Wide Trail Design Strategy is a guide produced by the creators of AES. The concepts are applicable to several other block ciphers and SHA-3 submissions. Introduction to the design & cryptanalysis of block ciphers (slides 46-57) overviews the wide trail strategy.
14	Final project presentations	(none)		PS6 due 5/1 Final project report due 5/3