## Applied Cryptography - CSCI 531, Spring 2016

General Information
 Time : MW 9:30am - 10:50am Location : OHE 100D Instructor : Bill Cheng (for office hours, please see instructor's web page), E-mail: .   (Please do not send HTML-only e-mails. They will not be read.) TA : Chien-Lun Chen, E-mail: , Office Hours: Fri 3:10pm - 5:00pm in PHE 320 Grader : Peera Yoodee, E-mail: .  (The grader will hold office hours the week after the announcement of each assignment's grades.) Midterm Exam : during class, Mon, 3/7/2016 (firm) Final Exam : 8am-10am, Fri, 5/6/2016 (firm)

Class Resources

News
(in reversed chronological order)
• 4/28/2016: The discussion section today is moved to 2:00-3:00pm (due to a meeting I have to attend which starts at 12:30pm). Sorry about the inconvenience.

• 4/27/2016: The final exam will be closed book, closed notes, and closed everything, except for a single (letter-sized) "crib sheet / cheat sheet". (You can write or print whatever you want on it on both sides of the cheat sheet. Magnifying glasses are not allowed, so don't print too small! You will be required to turn in the cheat sheet together with the exam paper.)

Also, no calculators, cell phones, or any electronic gadgets are allowed. Please bring a photo ID. Your ID will be collected at the beginning of the exam and will be returned to you when you turn in your exam. There will be assigned seating.

The final exam will cover everything from math background for AES (slide 12 of lecture 11 on 2/22/2016) to slide 10 of lecture 25 on 4/20/2016. Here is a quick summary of the topics (not all topics covered are listed):

• Block Ciphers
• AES
• math for Rijndael
• xtime()
• multiplication in GF(28)
• multiplicative inverse in GF(28)
• extended Euclidean algorithm
• table method
• multiplication of polynomials with coefficients in GF(28)
• components and structure of Rijndael
• SubBytes() and InvSubBytes()
• ShiftRows() and InvShiftRows()
• MixColumns() and InvMixColumns()
• key expansion
• equivalent inverse cipher
• security of Rijndael
• Generating Primes
• math background
• square root
• Legendre and Jacobi symbols
• pseudosquares
• Blum integers
• integer factorization
• primality proving algorithms
• using the factorization of n-1
• Pocklington's theorem
• probabilistic primality tests
• Fermat's test
• Carmichael number
• Solovey-Strassen test
• Miller-Rabin test
• generating probable primes
• RANDOM-SEARCH(k,t)
• generating provable primes
• Maurer's algorithm
• Public-key Encryption
• background
• extended Euclidean algorithm
• modular exponentiation algorithm
• Chinese remainder theorem
• residue number system
• Garner's algorithm
• RSA
• the RSA problem
• key generation
• security of RSA
• small exponent problem
• forward search attack
• multiplicative properties
• common modulus attack
• cycling attack
• message concealing
• Diffie-Hellman
• the Diffie-Hellman problem
• ElGamal
• key generation
• encryption/decryption
• randomized encryption
• Rabin
• key generation
• encryption/decryption
• finding square roots
• Pseudorandom Bit Generators
• linear congruential generator
• polynomial-time statistical tests
• statistics background
• normal distribution
• chi-square distribution
• five basic tests
• frequency (mono-bit) test
• serial (two-bit) test
• poker test
• runs test
• autocorrelation test
• cryptographically secure PRBG
• RSA pseudorandom bit generator
• Blum-Blum-Shub pseudorandom bit generator
• Stream Ciphers
• synchronous vs. self-synchronizing stream ciphers
• LFSR
• connection polynomial
• linear complexity
• Berlekamp-Massey algorithm
• Non-linear FSR
• de Bruijn FSR
• Stream ciphers based on LFSRs
• Geffe generator
• correlation attacks and correlation immunity
• summation generator
• non-linear filter generator and knapsack generator
• clock controlled generators
• alternating step generator
• shrinking generator
• Stream ciphers not based on LFSRs
• RC4 (FMS attack excluded)
• SEAL
• Hash Functions
• keyed hash functions
• MACs
• unkeyed hash functions
• MDCs
• OWHF
• CRHF
• hash function properties
• compression
• ease of computation
• preimage resistance
• 2nd-preimage resistance
• collision resistance
• computational resistance for MACs
• Yuval's birthday attack
• one-way functions
• compression functions
• DES-based one-way functions
• other one-way functions
• iterated hash functions
• Merkle's meta-method for hashing
• Merkle Damgard strengthening
• unkeyed hash functions
• single-length and double-length MDCs
• MD5
• MD5 & SHA-1 seriously broken
• keyed hash functions
• CBC-based MACs
• HMAC
• Digital Signatures
• classification of digital signature schemes
• digital signature schemes with appendix
• digital signature schemes with message recovery
• redundancy function
• attack on digital signature schemes
• digital signature schemes
• RSA digital signature scheme
• reblocking problem
• ElGamal digital signature scheme
• DSA
• One-time digital signatures
• Lamport
• Rabin
• Merkle
• Introduction to Cryptographic Protocols
• protocol and mechanism failures
• key management via symmetric-key techniques
• key management via public-key techniques
• certificate and certificate authority
• trusted third party
• public-key infrastructure
• week 7 discussion
• review of finite field, multiplying & dividing polynomials, modular exponentiation
• week 9 discussion (HW5)
• AES
• week 10 discussion
• review of AES math
• week 11 discussion (HW6)
• trial division
• Miller Rabin
• random search
• Maurer's algorithm
• week 12 discussion
• review of RSA, Chinese remainder theorem, Garner's algorithm
• week 13 discussion (HW7)
• RC4
• frequency (mono-bit) test
• serial (two-bit) test
• poker test
• runs test
• autocorrelation test

• 3/29/2016: The discussion section this Thursday (3/31/2016) is canceled (due to a meeting I have to attend which starts at 12:30pm and I'm doing CS 531 midterm regrade afterwards). I'm making it up by extending this Wednesday's office by one hour (from 2pm to 4pm). Sorry about the inconvenience.

• 3/11/2016: The TA has an urgent family matter to take care of and has to cancel his office hours today. But I will be in my office today between 1pm and 2:50pm. Please feel free to come by my office if you were planning on seeing the TA today. Sorry about the inconvenience.
• 3/2/2016: The discussion section this Thursday (3/3/2016) is moved to 2:00-3:00pm (due to a meeting I have to attend which starts at 12:30pm). Sorry about the inconvenience.

• 3/1/2016:
• The 2015 Turing Award goes to Whitfield Diffie and Martin Hellman, cryptographers credited as the inventors of public key cryptography.

• 2/22/2016: The midterm exam will be closed book, closed notes, and closed everything (and no "cheat sheet"). Also, no calculators, cell phones, or any electronic gadgets are allowed. Please bring a photo ID. Your ID will be collected at the beginning of the exam and will be returned to you when you turn in your exam. There will be assigned seating.

The midterm exam will cover everything from the beginning of the semester till the end of DES (slide 11 of Lecture 11 on 2/22/2016) and including topics covered by the first 6 weeks of discussion sections.

Here is a quick summary of the topics (not all topics covered are listed):

• overview
• functions
• bi-jections and inverses
• one-way functions and trapdoor one-way functions
• permutations
• encryption schemes
• max number of permutations
• model of communication and channels
• types of cryptanalysis
• symmetric-key encryption
• model of communication and channels
• block ciphers
• substitution ciphers
• mono-alphabetic substitution cipher
• homophonic substitution cipher
• polyalphabetic substitution cipher
• transposition ciphers
• composition of ciphers and product ciphers
• stream ciphers
• Vernam ciphers and one-time pad
• key space issues
• digital signatures
• signing and verification transformations
• authentication and identification
• entity vs. data origina authentication
• public-key cryptography
• necessity of authentication
• digital signature from reversible public-key encryption
• cryptographic hash functions
• one-wayness
• weak collision-resistance
• strong collision-resistance
• keyed vs. unkeyed hash functions
• protocols and mechanisms
• protocol failures
• key management
• symmetric-key and trusted third party
• public-key and certificate authority
• attacks
• ciphertext-only
• known-plaintext
• chosen-plaintext
• chosen-ciphertext
• security models
• unconditional security
• complexity-theoretic security
• provable security
• computational security
• block ciphers
• classical ciphers
• simple transposition ciphers
• mono-alphabetic substitution cipher
• polygram substitution cipher
• homophonic substitution cipher
• cryptographic codes
• polyalphabetic substitution cipher
• Vigenere cipher and variants
• Jefferson cylinders and rotors and the Enigma machine
• cryptanalysis of classical ciphers
• language statistics
• block cipher analysis
• True Random Cipher
• complexity of attacks
• modes of operation
• ECB
• CBC
• CFB
• OFB
• cascade cipher and multiple encryption
• meet-in-the-middle attacks
• known-plaintext unicity distance
• attacks on multiple encryption
• DES
• product ciphers
• Fiestel
• DES algorithm
• P
• S
• E
• DES key scheduling
• V
• PC1
• PC2
• DES properties
• DES weak and semi-weak keys
• cryptanalysis of DES
• week 1 discussion (HW1)
• hexdump
• base64 encoding/decoding
• week 2 discussion
• converting integers
• bit flipping
• modular arithmetic
• Euclidean Algorithm
• primes
• week 3 discussion (HW2)
• visual cryptography
• week 4 discussion
• Playfair cipher
• Hill cipher
• Beaufort cipher
• auto-key Vigenere cipher
• Jefferson cylinder
• rotor-based machines
• week 5 discussion (HW3)
• full Vigenere cipher
• cryptanalysis
• method of Kasiski
• index of coincidences (auto-correlation only)
• week 6 discussion
• extended Euclidean Algorithm
• multiplicative inverse
• Wilson's theorem

• 2/3/2016: The discussion section this Thursday (2/4/2016) is moved to 2:30-3:30pm (due to a meeting I have to attend which starts at 12:30pm). Sorry about the inconvenience.

• 1/14/2016: I am on jury duty today. Office hour today is canceled.
• 1/12/2016:
• I won't need to go to court tomorrow (Wednesday, 1/13/2016)! Class will be held normally tomorrow.
• According to this article, we need at least 2.7 million people this year with cloud-computing skills who also understand information security.

• 1/9/2016: Unfortunately, I'm on standby for jury duty during the first week of classes this semester. I will only know if I need to go to court the night before. At this point, I know that I will not have to go to court on Monday, 1/11/2016 but I don't know about Wednesday, 1/13/2016. I will post a news item here Tuesday night on 1/12/2016 so you know if the lecture on Wednesday is canceled or not. If I have to cancel a lecture, I will find a way make up the lecture soon after.

• 1/1/2016:
• In case you did not hear the user ID and password for accessing protected area of this web site during the first lecture, please visit the request access page after semester starts and submit the requested information. (You do not have to be registered for the course to get the password. You just need to have an USC e-mail address.)

• I have replaced the number theory optional textbook because the previous one was getting expensive. You don't really have to buy any of the optional textbooks.

• Please do not send request to join the class Google Group until 1/13/2016.

• Watch this area for important announcements.

Prerequisites
CS 102L (Data Structures) or graduate standing. It is assumed that you know how to write programs in C/C++, how to use data structures and algorithms so your program can run efficiently, and how to debug programs and make them work correctly.