1/9, 1/11: Introductory video, function families, blockciphers, the sets Perm(n) and BC(k,n), formalizing security against key-recovery attacks

1/16: (first in-class lecture) the KR-security notion; exhaustive key-search adversary, analysis of KR-advantage of EKS adversary in the ideal cipher model

1/18: why KR-security isn’t sufficient for real-world crypto needs, the PRP security notion

1/23: PRP-security implies KR-security (first “reduction” proof)

1/25: Introduction of SPRP notion; “unpacking” KR, PRP and SPRP notions, as well as the PRP implies KR result; modern blockcipher design principles (part 1)

1/30: Modern blockcipher design principles (part 2); DES and AES

2/1: Beginning to build encryption schemes: ECB, CBC and CTR

2/6: more discussion of CBC and CTR modes; IV-based encryption scheme syntax; the IND-CPA notions

2/8: more discussion of CTR, notions, and setting up for the CTR proof of security

2/13: Proving that CTR mode (with concatenated IV and block counter) is IND-CPA against nonce-respecting adversaries; unpacking the result; a practical view of what a proof of security really means

2/15: Introducing AEAD and a notion of authenticity for encryption schemes

2/20: [Tangent about the Synopsys headache], AEAD via generic composition of IV-based encryption and a PRF, the Auth notion, replay attacks; beginning to build VIL-PRFs from FIL-PRFs (e.g. blockciphers) and hash functions; hash functions and the CR and CAU notions

2/22: The beginnings of Merkle-Damgard

2/27: The MD iteration and the MD theorem (CR preservation); preimage-resistance, CR implies Pre (to a point); polynomial hashing

3/1: Padding oracle attacks on CBC mode

3/13: Basic ideas of key exchange/agreement and a simple notion of KE security; introduction of PKE and signature schemes; key-transport KE, forward secrecy and ephemeral public keys

3/15: DH key exchange; groups, cyclic groups, generators; the CDH, DDH and DL problems

3/20: Exploring the DDH hardness assumption; QR(p); efficient tests for membership in QR(p); square-and-multiply exponentiation; generic DL-finding attacks

3/22: El Gamal is IND-CPA secure under the DDH assumption

3/27: Special lecture by Chris Patton on TLS, in particular TLS 1.3

3/27: IND-CPA for PKE schemes; 1-query IND-CPA security implies q-query IND-CPA security (with a factor of q loss)

4/3: Random oracle model, IND-CPA in the ROM, El Gamal is (1-query) IND-CPA in the ROM under the CDH assumption (part 1)

4/5: El Gamal is (1-query) IND-CPA in the ROM under the CDH assumption (part 2)

4/10: RSA and the RSA hardness assumption; trying to build encryption schemes from RSA (Also, posted RSA-based KEM video.)

4/12: Key encapsulation mechanisms (KEM), building efficient PKE schemes from KEMs;

4/17: RSA-OAEP; Digital signatures, UF-CMA, hash-then-sign signatures

4/19: RSA-FDH and (sketch of proof of) UF-CMA security in the ROM

*4/24: PSS; interactive proof systems, zero-knowledge proofs, … *