Cryptography and Computer Security

Course: 6.s
Dates: Aug 3 - 7, 1998
Tuition: $2,300*
CEUs: 4.0

Instructors:

Shafi Goldwasser : Prof., Dept of Computer Science, MIT, and member of the Cryptography and Information Security (CIS) group at MIT's Laboratory for Computer Science, and
Mihir Bellare: Asst. Prof., Dept of Computer Science, University of Califormia at San Diego.

Overview

The last twenty years have witnessed a major development in the field of cryptography and security. Namely, the invention of formal methods to prove the security of cryptographic protocols. Whereas the design of such protocols has so far been largely an empirical and ad hoc procedure, the new methods give rise to a more rigorous approach which can yield protocols with significantly greater assurance. Furthermore, these methods are now being systematically applied to yield concrete proposals of systems which are both efficent and can be proven to comply with strong security requirements. This development takes on special significance in the light of the rising need to use cryptographic methods to protect the privacy, authenticity, and integrity of digital information, and to exploit the full potential of the Internet.

In this course we will focus on the design and analysis of cryptographic algorithms and protocols . We will describe the state of the art of cryptographic algorithms and protocols available today. We will explain the notion of provable security, and present constructions of proven secure schemes for a variety of basic cryptographic tasks. We will address the potential of using cryptography for the challenges and opportunities that are presented by the Internet, addressing both basic tasks such as encryption, authentication, and key distribution, and more advanced tasks such as electronic commerce, distributed lotteries, and electronic elections.

Topics

The primitives: One way and trapdoor functions; candidate for them arising from hard problem in number theory, combinatorics and algebra, such as RSA, factoring, logarithms in finite fields and over elliptic curves, and decoding random linear codes; block ciphers and modelling them as pseudo-random functions; hash functions; the random oracle model.

Encryption: Private and public key methods; probabilistic encryption; security requirements in presence of different security models (passive adversary, chosen ciphertext); construction of private key encryption schemes from block ciphers; constructions of public key encryption schemes; efficiency considerations in choosing specific encryption schemes.

Data authentication: Data authentication mechanisms for the private key model (message authentication) and the public key model (digital signatures); finger-printing for virus protection; security definitions for these primitives in presence of different adversaries (known message attack, chosen message attack); constructions of message authentication schemes from block ciphers; constructions of message authentication schemes from hash functions; constructions of signature schemes; efficiency issues in the design of authentication primitives, such as on-line vs. off-line signatures, batch signing and verifying, and incremental cost signatures.

Entity authentication and key distribution: Two party authentication and session key exchange protocols, in both the private key and the public key models; three party (Kerberos type) session key distribution protocols; security definitions for these tasks; practical and proven secure protocols for these tasks; further issues in session key distribution (dictionary attacks, perfect forward secrecy, insider attacks).

Key management: Authentication servers for public key systems; authentication servers for private key systems; certificates; certificate chains.

Zero Knowledge Protocols: Zero Knowledge protocols and proofs; zero-knowledge based smart card identification protocols and protocol design.

Pseudo Random Number Generartors: LFSRs; cryptographically strong pseudo random number generators; their uses in cryptograhy; the problems of getting good random bits.

Selection of advanced topics: Drawn from

Electronic commerce: Electronic payment via credit cards; micro-payments; electronic cash.
Certified mail.
Two party protocols: Oblivous transfer, bit commitment, coin tossing, and possibility and impossibility for secure general two party computations
Multi Party Protocols: electronic elections, bidding protocols, lotteries, and distributed games over the internet.
Software protection and virus protection.
Government versus society: key escrow, translucent cryptography, multi-grade cryptography.
Threshold cryptography, group signatures, secret sharing, verifiable secret sharing.
Proactive security.

Expected Background

We will assume a typical college background in algorithms and mathematics for computer science students. In general, ease with computer algorithms concepts is highly recommended.

Course Format

Each morning will be devoted to two lectures, separated by a coffee break. After lunch there will be a either two lectures, or one lecture and a problem/discussion session. On the last day of the course, the afternoon will be devoted to discussion of particular topics in security relevant to the particular students attending.

Web sources on cryptography and security

There is a lot of information on cryptography and security available on the world wide web. As a starting point, here is a short list of high level link collections . Following the pointers here, you can find: basic cryptogrpahic information (what is RSA, what is PGP, ...); organizations concerned with cryptography and security; source code for cryptogrpahic functions; publications; lists of cryptographers; and many more things.

*A limited number of scholarships are available to defray one-half of program tuition for members of teaching staffs (ranks of instructor or higher) of other US educational institutions. Written requests should accompanmy requests for scholarships.