2DMI10 — Applied Cryptography — 2018

Andreas Hülsing, MF 6.097a, e-mail a.t.huelsing@tue.nl
GPG-keys:

• ECC (works only with some new clients): 0x53326FBC75914DAC
  Fingerprint: 2175 060A 3942 4BD6 6723 4D50 5332 6FBC 7591 4DAC
  
• RSA: 0x0DA13BD2EE8C7E67
  Fingerprint: 81C1 1CEA EB82 7C69 22A1 6FE0 0DA1 3BD2 EE8C 7E67
  

Dates and time:		Location:
Tuesday, 10:45 - 12:45		FLUX 0.01
Thursday, 13:30 - 15:30		AUD 10

Last lecture on Thursday, January 10th.

All lectures are recorded. The videos should be online the day after the lecture. You can find the videos at the TU/e Mediasite (videocollege.tue.nl) under TU/e lectures → (2) Computer Science → 2DMI10 (2017-2018).

At the end of this course:

• you understand the cryptography behind modern cryptographic system
• and how it interacts with higher protocol levels;
• you know how to choose the right crypto primitive for a situation;
• you know how to analyze the security of security systems involving cryptography.

This course deals with modern applications of cryptography. Topics covered are

• security proofs for real world primitives (the random oracle model),
• cryptographic aspects of internet protocols (TLS, IPsec),
• cryptographic aspects of anonymity networks (Mixnets, Tor),
• cryptographic aspects of private online communication (OTR, Signal),
• public-key infrastructure (PKI) including trust models and validation models for X.509 and PGP,
• real-world problems such as kleptography,
• cryptographic aspects of e-cash including Bitcoin,
• post-quantum cryptography
• identity-based cryptography, and
• other recent topics in real world cryptography (e.g., we covered DNSSEC and Password hashing in previous years).

These topics will be explained and failure cases and popular attacks will be pointed out.

This year examination consists of one written assignment and (for the first time) an exam. The written assignment will be to discuss a research paper in one of the topics covered in the course.

The assignment accounts for 1/2 of the final grade. The other 1/2 is your exam grade.

All papers must be submitted encrypted and signed by email.

The exam is scheduled for Monday, 21 January 2019, 13:30 - 16:30 in Gemini-Zuid, rooms 3A.12 and 3A.13.

The exam will be a short quiz about the contents of the course. The exam is closed book, however, you are allowed to bring one sheet of A4 paper, with hand-written notes on both sides.
As I was asked this several times: I will not ask you to write a proof (but I might ask about the concept of proofs).

• Assignment description.
  

  Deadlines:
  Publication of assignment:	Thursday, December 13th.
  Choice of topic:	before Wednesday, December 19th, 23:59.
  Assignment of topic:	till Monday, December 24th.
  Submission of paper:	before Friday, February 1st, 23:59.

Here you find for each lecture a note on what has been treated, the slides, and further literature for some topics.

Lecture on PKI.
Slides: [pptx] [pdf]
Topics: PKI basics; X.509; PGP; Certificates; Trust Models; Direkt trust; Web of trust; Hierarchical trust; Certificate chain validation.
Further reading:

• J. Buchmann, E. Karatsiolis, and A. Wiesmaier. Introduction to Public Key Infrastructures. Springer, 2013.

Remember to set up PGP for email. Starting next week I will not accept unsigned / unencrypted emails for this class anymore. My proposed solution is to use Thunderbird as email client together with the enigmail plugin. However, there exist workable solutions for all set-ups. Please test your set-up with fellow students (if you do not use the TB+enigmail set-up, preferably with fellow students with a different set-up to test for compatibility!). Don't forget to upload your public key on a key server.

Lecture on PKI.
Slides: [pptx] [pdf]
Topics: PKI; X.509 Certificates; Revocation (CRL, OCSP, Novomodo); WebPKI (Incidents and counter measures).
Further reading:

• J. Buchmann, E. Karatsiolis, and A. Wiesmaier. Introduction to Public Key Infrastructures. Springer, 2013.
• S. Micali. Novomodo. PKI Research Workshop. 2002
• The EFF SSL observatory
• OWASP on certificate pinning
• Certificate Transparency

Lecture on IPsec and SSL/TLS.
Slides: [pdf]
Topics: Crypto on different layers of the network stack; IPsec; SSL and TLS.
Further reading:

• RFC 8446 TLS 1.3
• For Internet protocols Wikipedia has very well written articles.

Lecture on Attacks on SSL/TLS.
Slides: [pdf]
Topics: SSLstrip, BEAST, CRIME, BREACH, POODLE, FREAK, Logjam, ...
Further reading:

• Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)
• Just ask your favorite search engine about the respective attacks and you will find a never ending stream of sources, ranging from explainations to tools that allow to experimentally verify the attacks...

Lecture by Lorenz on elliptic curves.
Notes: [pdf]
Topics: Edwards curves, other curve forms, point counting, security, weak classes, projective coordinates.
Further reading:

• (Rather advanced) lecture notes by Ben Lynn
• Lawrence C. Washington, Elliptic Curves: Number Theory and Cryptography, Taylor & Francis, 2008.

Lecture by Lorenz on elliptic curves.
Notes: [pdf]
Topics: Pairings, immediate consequences (transfer attacks, DDH solving, BLS signatures), pairings from elliptic curves (torsion subgroups, Weil pairing and modified Weil pairing), types of pairings.
Further reading:

• (Rather advanced) lecture notes by Ben Lynn
• Lawrence C. Washington, Elliptic Curves: Number Theory and Cryptography, Taylor & Francis, 2008.

Lecture on security of in use RSA signature schemes.
Slides: [pptx] [pdf]
Topics: Attacks on textbook RSA signatures and variants; existential unforgeability under adaptive chosen message attacks; the random oracle model; full domain hash; RSA-PFDH with secruity reduction in ROM.
Further reading:

• Jonathan Katz. Digital Signatures. Springer, 2010
• J.-F. Misarsky. How (not) to design RSA signature schemes. International Workshop on Public Key Cryptography, PKC 1998, pp 14-28. Springer, 1998
• Jean-Sébastien Coron, David Naccache, Yvo Desmedt, Andrew Odlyzko, Julien P. Stern. Index Calculation Attacks on RSA Signature and Encryption. Designs, Codes and Cryptography, January 2006, Volume 38, Issue 1, pp 41-53. Springer 2006.

Lecture on identity-based cryptography.
Slides: [pdf]
Topics: Identity-based cryptography, models for IB signature schemes (IBS) and encryption (IBE), generic construction for (IBS), Shamir's IBS, ind-id-cca/cpa, Boneh-Franklin IBE, security reduction for BF-IBE.
Further reading:

• Notes I made for myself containing the security proof for the generic IBS scheme and the steps needed for factoring given n,e,d: [pdf]
• The original paper: Adi Shamir. Identity-based cryptosystems and signature schemes. Crypto'84, Springer, 1985.
• A nice book on the topic: Marc Joye and Gregory Neven. Identity-Based Cryptography. IOS Press, 2009.
• The proof for Shamir's and other IBS: M. Bellare, C. Namprempre, and G.Neven. Security Proofs for Identity-Based Identification and Signature Schemes. Eurocrypt'04. Springer, 2004.

Lecture on electronic cash.
Slides: [pdf]
Topics: Blind Signatures, RSA Blind Signatures, Chaums eCash (online, offline), Bitcoin.
Further reading:

• Lecture Notes by Bellare and Goldwasser with nice explaination of eCash
• David Chaum. Blind signatures for untraceable payments. Crypto 1982. (The original paper by Chaum)
• Chaum, Fiat, Naor. Untraceable electronic cash. Crypto 1990. (The offline scheme)
• Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. (The original paper)
• Bitcoin statistics.

Lecture on anonymity networks.
Slides: [pdf]
Slides part 2: [pptx] [pdf]
Topics: Dining cryptographers, mix nets, Tor; Zero-knowledge proofs
Further reading:

• Anonbib
• Censorbib
• How governments have tried to block Tor [28C3]
• Tor: Overview
• Consensus Health
• Tor Metrics
• Tor Atlas
• Tor Specifications

Lecture on private social communication.
Slides: [pdf]
Topics: Secure chat protocols; OTR, mpOTR, SCIMP, Signal Protocol.
Further reading:

• Off-the-Record Communication, or, Why Not To Use PGP
• mpOTR
• OTRv4
• Silent Circle Instant Messaging Protocol Protocol Specification
• Signal Protocol Explaination
• Signal Blog

Lecture on post-quantum cryptography.
Slides: [pdf] [pptx]
Topics: Quantum computation; conjectured quantum-hard problems; multivariate, code-base, lattice-based crypto; hash-based signatures.
Further reading:

• NIST Post-Quantum Cryptography project.
• PQCRYPTO summer school website.
• Explanation of the quantum part of Shor's algorithm by Scott Aaronson.
• Bernstein, Buchmann, Dahmen. Post-quantum cryptography. Springer, Berlin, 2009. ISBN 978-3-540-88701-0.
• Kaye, Laflamme, Mosca. An Introduction to Quantum Computing. Oxford University Press, 2006.
• Chris Peickert. A Decade of Lattice Cryptography. IACR eprint, 2015. (Survey on lattice-based cryptography)

Lecture by Mina Sheikh Alishahi on Secure Multi-party Computation.
Slides: [pdf]
Topics: Topics: Homomorphic encryption and application to different scenarios for MPC: love game, finding potential terrorists, face recognition, auction, distributed data clustering.
Further reading:

• Love Game
• Finding Potential Terrosits
• Face Recognition
• Distributed Data Clustering

Lecture on Password Security and Password Hashing.
Slides: [pdf]
Topics: Different ways how to create passwords; dictionaries and rainbow tables; PBKDF2, bcrypt, scrypt, and Argon2.
Further reading:

• PBKDF2: RFC 2898
• bcrypt
• scrypt
• Password Hashing Competition
• Argon2

• Surveillance Self-Defense
• Let's Encrypt
• Cryptopals Real World Crypto Challenges

Latest modification: January 16, 2019.