CS 276 Projects
General
Your term project should address some research issue in cryptography. There
are two categories of projects:

Study projects involve the survey of a series of research papers
on a particular subject. Read 2-3 papers on a subject. Then, write a short
report summarizing the most interesting conceptual and technical content
from those papers. Imagine you are giving a lecture in CS276 next year
on the most interesting thing you took away from your readings; then, write
a set of lecture notes for that lecture, and turn that in as your report.
Your report definitely does not need to (and probably should not) cover all
of the technical content of those papers; instead, just pick the most
enlightening part. Put some thought into how to strip the subject down into
the most essential ideas to take away (as opposed to the boring technical
calculations), and how to present them in a simplified form that will be
easy to understand.
(If you had to sit in on a 90-minute lecture, what would
you most want to hear about?) Like any good lecture, your report should
make clear how the presented content fits into the broader field of
cryptography.
There is no page limit (either minimum or maximum), and reports will be
evaluated on technical content (not on length), but we expect that a typical
report would be about 3 to 8 pages long.
If you do a study project, the expectation is that you should take
effort to make your report "beautiful". Your report does not have to
provide a comprehensive survey of the entire topic area you chose,
but the parts it does present should be
well thought-out, clearly presented and organized, conceptually
cohesive, and easy to read.

Research projects are of a theoretical nature, and are directed to
prove some novel result (one not previously known). Topics should be chosen
so that the proofs are not very hard and the final result is
interesting. Since theoretical research is intrinsically unpredictable,
it is possible that one month (or twenty years, for that matter) might
not be enough to come up with a solution. Partial solutions will be accepted.
In case of no results, the project can be turned into a study project on
the same topic.
If you're at a loss for a project topic, we have prepared a list of possible
project topics that you can peruse as examples of how to pick a suitable
project. See below. But don't feel limited to these suggestions! They are
intended only as examples.
Collaboration
Projects will be done individually.
Topics
To whet your creativity, we give a few possible ideas for projects. The
projects described below are just a set of suggestions, and you may submit
a proposal for a project based on any topic you like (not necessarily one
based on a suggestion below). The proposal should be compatible with the
topic of this course.
If you just want to peruse the literature, good places to start include
the Journal of Cryptology; conference proceedings from CRYPTO, EUROCRYPT,
TCC, and ASIACRYPT (these are all available in one convenient location in the
Engineering library); and the IACR eprint archive. Many of the papers below
can be found online at Springer's LINK service, through the library's INSPEC
database (use Melvyl online), or on the authors' home pages.
Proposals
When you have chosen a project topic, please send email to
daw@cs.berkeley.edu
describing your proposal. The email should contain the title of the project
and a short (one-paragraph) description of the topic. For study projects,
please also include the list of papers you are planning to read.
Your project proposal is due April 14th.
Final reports
The final report is due 9am, May 15th.
This is a strict deadline. Absolutely no extensions will be allowed.
Any reports submitted after the deadline risk not being considered.
In either case, the deadline is the same: Monday, May 15, before 9:00am.
You may submit
your project report electronically or on paper. I prefer electronic submission,
although you may choose either.
If you submit the final report electronically, it must be in a format
which is easily readable on Unix platforms: that means HTML, Postscript,
or PDF is fine (but no Microsoft Word, please). If you submit on paper, place
it in David Wagner's mailbox in Soda Hall (in the mailroom, or outside
his office: 629 Soda).
Format of the Report
LaTeX is present on most Unix systems and is part of standard Linux distributions.
There are several free ports of TeX and LaTeX to Windows,
including MiKTeX.
You can also write up the project report with a word processor, provided
mathematical notation comes out reasonably readable.
Advice on writing
If you are not familiar with writing papers in computer science (or even
if you are), the following resources may help:
Example study projects

Game-Playing Proofs.

I mentioned in class the game-playing paradigm for proving security
theorems. This formalizes a set of transformations that can be made to
an algorithm without changing its observable behavior, which lets you
model many kinds of security reductions.
Read more about the details in the papers below.
References:

Amplification of Hardness for One-Way Functions and Permutations.

It is possible to show that if f is a weak one-way function (i.e., one-way
for a small fraction of the input space), then f^k(x_1,...,x_k) =
(f(x_1),...,f(x_k)) is a strong one-way function. In general, the probability
that an adversary can invert the function goes down (about) exponentially
in k. Study other methods of amplifying hardness. One possible focus: If
f is a one-way permutation, then there is a way of doing a similar amplification
without blowing up the input size of the function, which is what becomes
the length of the key in applications to encryption (a related question
can be found in the list of research problems). Another possibility: If
f_k is a pseudorandom permutation, composition amplifies its hardness
(g_{k,k'}(x) = f_{k'}(f_k(x))). (A nice project would be to study Luby and
Rackoff's work on this, and translate their asymptotic analysis to the
concrete security realm.) A third possibility: amplification of PRFs.
References:

Goldreich's book, sections 2.3 and 2.6

Luby's book, Chapter 3

Goldreich, Impagliazzo, Levin, Venkatesan, Zuckerman, "Security-preserving
amplification of hardness", FOCS'90.

Luby, Rackoff, "How to construct pseudorandom permutations from random
functions", SIAM J. Computing, vol 17 no 2, April 1988.

Luby, Rackoff, "Pseudorandom permutation generators and cryptographic
composition", STOC 1986.

Myers, "Efficient Amplification of the Security of Weak Pseudo-Random Function
Generators", EUROCRYPT 2001.

Generic algorithms for the discrete log

The discrete log problem plays a key role in public-key cryptography. Several
authors have studied the hardness of the discrete log against generic
algorithms (i.e., algorithms that use only the group operations, but not
anything about the representation of group elements) and obtained interesting
hardness results.
References:

Diffie-Hellman

The discrete log assumption says that the discrete log is hard in some cyclic
group G, i.e., given g and y, it is hard to find u so that y = g^u. The
Diffie-Hellman (DH) problem is, given g, g^u, g^v, find g^{uv}. The Decision
Diffie-Hellman (DDH) problem is to distinguish the distribution (g, g^u, g^v, g^{uv})
from (g, g^u, g^v, g^w). Study the hardness of these problems, their relationships,
and their applications to cryptography.
References:

Boneh, "The Decision Diffie-Hellman problem", 3rd ANTS, LNCS 1423, 1998.

Maurer, Wolf, "The Diffie-Hellman Protocol", Designs, Codes, and Cryptography,
vol. 19, pp. 147-171, 2000.

Boneh, Lipton, "Algorithms for black box fields and their application to
cryptography", CRYPTO'96.
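As an added illustration (not part of the course page), the Python script below shows why DDH is easy in the full group Z_p^* but the same quadratic-residue test learns nothing in the prime-order subgroup: with g a generator of Z_p^*, g^{uv} is a residue exactly when g^u or g^v is. The parameters p = 23, q = 11 and g = 5 are constructed toy values, and the distinguishing advantage is estimated empirically.

```python
import random

# Constructed toy parameters (assumption, not from the course page):
# p = 2q + 1 is a safe prime, g generates all of Z_p^*, and g^2 generates
# the order-q subgroup of quadratic residues.
P = 23
Q = (P - 1) // 2            # 11
G_FULL = 5                  # generator of Z_23^* (order 22), a non-residue
G_SUB = pow(G_FULL, 2, P)   # = 2, generator of the order-11 subgroup

def is_qr(x: int) -> bool:
    """Euler's criterion: x is a quadratic residue mod p iff x^q == 1 mod p."""
    return pow(x, Q, P) == 1

def dh_tuple(g: int, order: int, rng: random.Random) -> tuple:
    """A genuine Diffie-Hellman tuple (g, g^u, g^v, g^{uv})."""
    u, v = rng.randrange(1, order), rng.randrange(1, order)
    return (g, pow(g, u, P), pow(g, v, P), pow(g, u * v, P))

def random_tuple(g: int, order: int, rng: random.Random) -> tuple:
    """A random tuple (g, g^u, g^v, g^w) with w independent of u and v."""
    u, v, w = (rng.randrange(1, order) for _ in range(3))
    return (g, pow(g, u, P), pow(g, v, P), pow(g, w, P))

def legendre_guess(t: tuple) -> bool:
    """Return True if t looks like a DH tuple to the quadratic-residue test.

    With g a generator of Z_p^*, g^x is a residue iff x is even, so g^{uv}
    must be a residue exactly when g^u or g^v is. A DH tuple always passes;
    a random tuple passes only about half the time.
    """
    _, gu, gv, last = t
    return is_qr(last) == (is_qr(gu) or is_qr(gv))

def advantage(g: int, order: int, trials: int = 2000, seed: int = 1) -> float:
    """Distinguishing advantage of legendre_guess in the group generated by g."""
    rng = random.Random(seed)
    dh_hits = sum(legendre_guess(dh_tuple(g, order, rng)) for _ in range(trials))
    rand_hits = sum(legendre_guess(random_tuple(g, order, rng)) for _ in range(trials))
    return (dh_hits - rand_hits) / trials

if __name__ == "__main__":
    # Full group: the residue test breaks DDH with advantage about 1/2.
    print("advantage in Z_p^*:", advantage(G_FULL, P - 1))
    # Prime-order subgroup: every element is a residue, so the test learns nothing.
    print("advantage in order-q subgroup:", advantage(G_SUB, Q))
```

This is the reason DDH-based constructions are set up in a prime-order subgroup rather than in all of Z_p^*; Boneh's survey above discusses it.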

Fast message authentication

The Carter-Wegman paradigm has been a goldmine of techniques for building
fast MACs with provable security properties. Study the underlying proposal
and the state-of-the-art schemes. Alternatively, study the HMAC construction
(in widespread use in practice) and its provable security properties.
References:

Krawczyk, "LFSR-based hashing and authentication", CRYPTO'94.

Shoup, "On fast and provably secure message authentication based on universal
hashing", CRYPTO'96.

Bellare, Canetti, Krawczyk, "Keying hash functions for message authentication",
CRYPTO'96. (See also their Cryptobytes paper, on the same web page.)

Bernstein, "Floating-point arithmetic and message authentication". (See
particularly Sections 1, 8-10.)

Black, Halevi, Krawczyk, Krovetz, Rogaway, "UMAC: Fast and secure message
authentication", CRYPTO '99.

Pseudorandom Generators from One-Way Functions

The result that allows one to base all private-key encryption as well as signature
schemes on the existence of one-way functions.
References:

Goldreich, Section 3.5

Luby, Chapter 9

Hastad, Impagliazzo, Levin and Luby, "Construction of a pseudorandom generator
from any one-way function", SIAM J. on Computing, 28(4):1364-1396, 1999.

Attacks on RSA

Several innocent-looking restrictions of RSA or ways to implement it as
a cryptosystem can yield dramatic security flaws.
References:

Boneh, "Twenty years of attacks on the RSA cryptosystem", Notices of the AMS
46(2):203-213, 1999.

Boneh, Joux, and Nguyen, "Why Textbook ElGamal and RSA Encryption are
Insecure", ASIACRYPT'00.

Hastad, "Solving simultaneous modular equations of low degree", SICOMP
17(2):336-341, 1988.

Generic composition

There has been a great deal of work recently on how to securely combine
symmetric-key encryption (for confidentiality) with symmetric-key message
authentication (for integrity), and some surprises resulted. Study this
issue, or study recently proposed modes of operation that provide both
encryption and integrity all at once.
References:

Universal one-way hashes

Universal one-way hashes capture the simple notion that public-key signatures
can achieve extra security if the signer includes a random nonce in the
signature before hashing, chosen to protect herself from hash collisions.
It is natural to expect this will allow us to relax assumptions needed
on the hash functions. Study this intuitively appealing idea.
References:

Modes of operation

Pick any mode of operation (e.g., CBC, PCBC, and so on) from any crypto
textbook (e.g., Schneier's), any standard that uses crypto (e.g., IETF
TLS, IETF IPSEC, 802.11b WEP), and any other system of practical interest
(e.g., Kerberos). Study what's known in the literature about that mode
of encryption. Does it meet standard theoretical definitions of security,
like IND-CPA or IND-CCA2? Does it provide strong security in the practical
setting where it is used? (This might lead into the statement of an open
problem if you pick a mode whose security properties have not been studied
formally before, or even to a research project rather than a study project.)
References:

Vaudenay, "Security Flaws Induced by CBC Padding - Applications to SSL,
IPSEC, WTLS...", EUROCRYPT 2002.

Krawczyk, "The Order of Encryption and Authentication for Protecting Communications
(Or: How Secure is SSL?)", CRYPTO 2001.

Bellovin, "Problem Areas for the IP Security Protocols", Usenix Security '96.

Bellovin, Blaze, "Cryptographic Modes of Operation for the Internet", 2nd NIST
Workshop on Modes of Operation, 2001.

Borisov, Goldberg, Wagner, "Intercepting Mobile Communications: The Insecurity
of 802.11", MOBICOM 2001.

Bellare, Desai, Jokipii, Rogaway, "A Concrete Security Treatment of Symmetric
Encryption: Analysis of the DES Modes of Operation", FOCS '97.

Random oracles

As we saw in class, the random oracle model gives a powerful way to model
the security properties of cryptographic hash functions, which are important
in practice. However, this model has important theoretical limitations
(and we use it only because there is nothing better). Learn about the controversy.
References:

Forward security

Today's systems are not invulnerable: occasionally machines are broken
into, and the intruder gains free rein on that machine for some time before
he is discovered and kicked off and the vulnerability is fixed. If machines
were to store all their past cryptographic keys, then a single intrusion
at time T might compromise all traffic before time T, say. Forward-secure
cryptosystems are intended to reduce the window of vulnerability and thereby
provide robustness against this sort of failure mode.
References:

Cryptographic protocol design

In the computer security community, there has been a great deal of work
on verifying the security of cryptographic protocols through formal methods
and logics of authentication. That style of work has a very different flavor
from the complexity-theoretic notions of security that we've been studying
in class. Study that field of research on cryptographic protocols. There
has also been recent exciting work on relating that field's formalization
of security to the complexity-theoretic notions, which you might want to
examine.

Dolev, Yao, "On the security of public key protocols", IEEE Trans. Information
Theory, IT-29(12):198-208, March 1983 (earlier version in FOCS'81).

Burrows, Abadi, Needham, "A Logic of Authentication". (the famous BAN logic)

Abadi, Rogaway, "Reconciling two views of cryptography (The computational
soundness of formal encryption)", to appear in J. Cryptology.

Abadi, Needham, "Prudent engineering practice for cryptographic protocols".

Anderson, Needham, "Robustness principles for public key protocols", CRYPTO'95.

Anderson, "Programming Satan's Computer", LNCS 1000.

Lampson, Abadi, Burrows, Wobber, "Authentication in distributed systems: Theory
and practice", ACM Trans. Computer Systems 10, 4 (Nov. 1992), pp. 265-310.

Lattices in cryptography

Recently, lattices have found many applications in cryptography. In cryptosystem
design, they have been used to construct public-key encryption based on
the worst-case hardness of various problems. In cryptanalysis, they
have been used to break knapsack encryption, broadcast encryption with
low-exponent RSA, subset-sum-based hash functions, and various other schemes.
This topic is probably too broad for one project, so you should pick some
interesting subset.
References:

Ajtai, Dwork, "A public key cryptosystem with worst-case/average-case
equivalence", STOC'97.

Nguyen, Stern, "Cryptanalysis of the Ajtai-Dwork cryptosystem", CRYPTO'98.

Goldreich, Goldwasser, Halevi, "Public-key cryptosystems from lattice reduction
problems", 1997.

Micciancio, course notes.

Joux, Stern, "Lattice reduction: a toolbox for the cryptanalyst", J. of
Cryptology (1998), 11 (3), 161-185.

Boneh, "Twenty years of attacks on the RSA cryptosystem", Notices of the AMS
46(2):203-213, 1999. (Read only the parts that use lattices.)

Perfect Zero Knowledge is Contained in coAM

The result implies that, under standard assumptions, one cannot have statistical
zero-knowledge proofs of NP-hard problems. So one needs to use computational
zero-knowledge in order to prove everything. This is for people familiar
with complexity theory.
References:

Computationally Private Information Retrieval With polylog Communication

You will have to first study what private information retrieval is.
Research Projects

One-way functions from PRFs
Let F: K x X -> K be a PRF with keyspace K and outputs from K, and define
G(K) = F_K(0). Is G guaranteed to be a one-way function? Give a proof
or a disproof.
Reference: Wagner and Goldberg, "Proofs of security for the Unix password hashing
algorithm", ASIACRYPT 2000.

Randomness-efficient Amplification of Hardness for General One-Way Functions
Apply the techniques of Impagliazzo's paper referenced below to the
case of one-way functions, and show that from a (S, 1-1/n)-one-way function
f: {0,1}^n -> {0,1}^n you can get a (S/poly(n), 1/n^c)-one-way function
g: {0,1}^m -> {0,1}^m, where, for fixed c, m = O(n). Proving the existence
of hard-core sets for one-way functions is actually much easier than for
predicates. The rest of the proof goes unchanged, except that some hashing
is needed to keep the output length low. (This is probably the simplest
problem in the list.)
Reference: Impagliazzo, "Hard-core distributions for somewhat hard problems",
FOCS'95.

The Blum-Micali-Yao Generator with a Weak One-Way Permutation
What can be said about the output of the Blum-Micali-Yao generator
when it is constructed starting from a weak one-way permutation? Perhaps
the output is indistinguishable from some distribution having large entropy
(a similar result was proved for a different kind of generator). If this
is true, and the proof has good quantitative parameters, the consequence
would be a new, more efficient, transformation of weak one-way permutations
into pseudorandom generators.
References:

Impagliazzo, "Hard-core distributions for somewhat hard problems", FOCS'95.
(Contains a result that might be helpful)

Goldreich, Nisan, Wigderson, "On Yao's XOR Lemma", ECCC TR95-50, 1995 (Revised
1998). (Contains a good exposition of Impagliazzo's result)

Nisan, "Extracting randomness: how and why", 1996. (General reference on entropy,
statistical distance, and efficient transformation of certain distributions
into certain other ones)

Sudan, Trevisan, Vadhan, "Pseudorandom generators without the XOR Lemma",
STOC'99. (The result about the different kind of generator)

Even stronger notions of security
Consider the following notion of security for symmetric-key encryption;
let's call it LOR-CCA3. Define S_b as the selection operator on pairs,
i.e., S_0(x,y) = x, S_1(x,y) = y. The scheme is LOR-CCA3 secure if no adversary
can guess b, even when given the two oracles E_k o S_b and D_k o S_b (subject
to the restriction that the adversary cannot query its encryption oracle
on any pair containing a plaintext returned by a previous decryption oracle
call, nor query its decryption oracle on any pair containing a
previously returned ciphertext).
How does this notion compare to previous notions? Does LOR-CCA2 imply LOR-CCA3?
Does LOR-CCA3 imply LOR-CCA2? Give reductions that are as tight as possible
(or separations that are as strong as possible).

CFB encryption
Give a correct proof of security for CFB mode encryption. Handle the
case of m-bit CFB mode, for small values of m, if you can.

The CS276 Instructors,
daw@cs.berkeley.edu,
http://www.cs.berkeley.edu/~daw/cs276/.