This post will be continually updated as new readings and assignments are posted.

Part 1. The power of random-looking permutations

Week	Topic	Textbook reading	Optional resources	Due date
1	Introduction & building blocks	The Handbook on Applied Crypto, sections 1.1-1.2. This text concisely lists the types of security concerns that we will study in this course. Security Engineering, sections 5.1-5.2. This text summarizes early xor- and random function-based ciphers. Rogaway's The Moral Character of Cryptographic Work. Please read pages 1-9 and 29-32.	Impagliazzo's Five Worlds paper defines the concepts of Minicrypt and Cryptomania. See also this summary blog post. Two papers on the usability of cryptosystems: Why Johnny Can't Encrypt and Why Jane Doesn't Protect Her Privacy Herley and van Oorschot: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit	Lab 1 due 1/26
2	Message authenticity	Read or (better) listen to NPR's Planet Money episode 773 about pseudorandomness gone wrong A Graduate Course in Applied Cryptography, read chapter 6 through the end of 6.4.1 (pages 212-226)	Moserware's stickfigure guide to AES. Georgiev et al show that authenticity only matters if software properly validates signatures. Unfortunately, this is not always the case.	Lab 2 due 2/4
3	Hash functions	The Hash Function BLAKE, Sections 1.1, 2.1, 2.2, and 2.4.	The Hash Function Lounge lists well-studied hash functions. See also this website, which details their perceived strength over time. Salvaging Merkle-Damgard for Practical Applications shows several types of applications that "mask" the deficiencies of the M-D paradigm. Rogaway and Bellare's appendix on the birthday bound. The Keccak (aka SHA-3) website has links to many excellent papers and presentations. Canetti, Goldreich, and Halevi's The Random Oracle Model, Revisited	Lab 3 due 2/9
4	Encryption via enciphering	Introduction to Modern Cryptography, Sections 4.1 through 4.7. (The rest of the chapter is optional but worthwhile to read if you have the time.)	Bellare, Rogaway 2000 describes encryption via encoding + enciphering. Rogaway 2009 describes practice-oriented provable cryptography.	Lab 4 due 2/16

Part 2. Cryptography meets reality: a love/hate story

Wk	Topic	Textbook reading	Optional resources	Due date
5	Encrypting data at rest	The Block Cipher Companion, Sections 4.1 through 4.4 and also Sec 4.6. Everything here should be review except for CFB and OFB modes (Sec 4.2.1 and 4.2.2); just ignore those.		Test on 2/21, no lab
6	Padding oracles	A Graduate Course in Applied Cryptography, pages 350-354 (that is, Sections 9.4.2 and 9.4.3)	YouTube video of a lecture on padding oracles by Prof. Matt Green Blog post by CloudFlare summarizing padding oracle attacks on CBC Blog post describing the padding oracle attack that was introduced in OpenSSL as part of the effort to fix the prior padding oracle. Chosen ciphertext attack on Apple iMessage	Lab 5 due 3/2
	(spring break)
7	Side channels	Systematic Classification of Side-Channel Attacks: A Case Study for Mobile Devices	Crypto coding rules gives guidelines on producing timing-independent code Constant time toolkit to aid you in writing timing-independent code Osvik, Shamir, Tromer 2006 describes cache-based side channel attacks on AES Bernstein 2005 also studies cache-based side channel attacks, with remote network exploitation Almeida et al 2015 explains the difficulty in writing software to prevent timing attacks, and provides a methodology for proving cryptosystems secure against timing attacks. The ChipWhisperer wiki page describes how to use the FPGA circuit board that I used in class to conduct a power attack. You can buy your own board in their store.	Lab 6 due 3/16
8	Authenticated encryption	A Graduate Course in Applied Cryptography, Sections 9.1-9.6 (i.e., pages 347-370), except the part you already read in Week 6	Challenges in Authenticated Encryption Evaluation of some block cipher modes of operation is a slightly-dated but excellent summary + comparison of the standardized modes: CBC, CTR, HMAC, GCM, and a few others How to choose an Authenticated Encryption mode provides a brief comparison of the standardized AE modes. See also this table. Blog post containing a few cryptographers' views of the best ciphers to use nowadays (updated over time). The ongoing CAESAR competition attempts to design good misuse-resistant AE schemes (see also this list of CAESAR ciphers). Gueron, Lindell 2015 combines Galois counter mode with SIV mode for incredibly fast misuse-resistant AE on Intel processors (using AES-NI for AES and the Galois hash).	Lab 7 due 3/23

Part 3. Structured forgetfulness: dropping keys before they can be stolen

Wk

Topic

Textbook reading

Optional resources

Due date

9

Authenticated key exchange

Models of authenticated key exchange

Canetti-Krawczyk model of authenticated key exchange
Hugo Krawczyk's improvements to the original key exchange model, adding weak perfect forward secrecy and key compromise impersonation
LaMacchia et al's further improvements

Group keying

A subset cover-based dynamic group keying scheme
A survey on group keying protocols

No lab due this week

10

Key evolution & ratcheting

Itkis' survey on Forward security
EFF blog post on security, privacy, and anonymity properties one might want in a messaging system

Technical description of the Signal double ratchet algorithm and also the Triple Diffie-Hellman key exchange (which builds upon some of the ideas from last week's papers)
An opinion article on why forward secrecy may not always be needed.
Cohn-Gordon et al on backward, or post-compromise secrecy
A similar set of authors formally analyze Signal
RWC 2017 talks: Trevor Perrin on Signal and Luke Garratt on its formal evaluation
Recommended key lengths for ciphers
Comparison of secure messaging applications

Test on 4/2

Lab 8 due 4/6

Part 4. When reductions fail: dealing with the lowest layer

Wk	Topic	Textbook reading	Optional resources	Due date
11	Designing ciphers & random number generators	Egele et al: An empirical study of cryptographic misuse in Android applications (this is the topic of Prof. Egele's guest lecture)	The plain simple reality of entropy, Video on the options to request random numbers from a desktop machine. History of random.org's use of EM noise to generate entropy Linux's use of keystroke timings and mouse movements to generate entropy Salil Vadhan's Pseudorandomness textbook describes the theory of (1) extractors that cull nearly-uniform bits from a long string with some entropy and (2) pseudorandom generators that create the appearance of more entropy than actually exists in a string. Dodis et al 2013 explains how to harvest & use sources of entropy. Bernstein's attack when somebody can control one of your sources of supposedly-true randomness and can choose it after the other sources are publicly known. Spec for a new design for Linux's /dev/urandom. See a critique here. Not-so-random-numbers in virtualized environments.
12	Cryptanalysis	The Block Cipher Companion, chapters 6-7	Kranz, Leander, and Wiemer 2017 give a detailed survey of linear cryptanalysis. S-box, SET, Match: A Toolbox for S-box Analysis is a paper with accompanying C code that computes cryptanalytic metrics. A Sage Library for Analysis of Nonlinear Boolean Mappings is a paper with accompanying Sage code that generates S-boxes from several families proposed in prior papers. Also, it analyzes any S-box that you provide against a variety of cryptanalytic metrics. The Wide Trail Design Strategy is a guide produced by the creators of AES. The concepts are applicable to several other block ciphers and SHA-3 submissions. Introduction to the design & cryptanalysis of block ciphers (slides 46-57) overviews the wide trail strategy.

Part 5. Special topics

Wk

Topic

Textbook reading

Optional resources

Due date

13

Protected computing

Fuller et al. Cryptographically protected database search

Lab 9 due 4/27

14

Law + crypto

All the crypto code you’ve ever written is probably broken

Orin Kerr's Computer Crime Law (Introduction)
Jack Balkin's essay about online regulation of speech in a world where conversations are facilitated by corporate intermediaries
Alan Rozenshtein's article about online regulation of surveillance by corporate intermediaries (i.e., privatizing the 4th amendment just as Balkin worries about privatization of the 1st amendment)

Lab 10 due 5/2

#pin