1/28: We gave a brief introduction to cryptography. The goals of modern cryptography are data privacy and data integrity and authenticity. We will devote the next few lectures to data privacy and more specifically symmetric key encryption. We surveyed several historical encryption schemes or "ciphers." For each scheme we isolated the secret key, encryption and decryption algorithms. We then discussed how each scheme could be broken.

1/30: We reviewed the Vigenere cipher and how it can be broken using frequency analysis. We discussed a two-step procedure for breaking the cipher. After seeing many insecure schemes, we turned our attention to secure symmetric key encryption schemes. As a first step, we discussed what it means for an encryption scheme to be secure. We presented the formal definition of an encryption scheme.

2/4: We reviewed the formal definition of an encryption scheme. We introduced Shannon's perfect secrecy as well as two additional formulations. We proved that all three formulations are equivalent.

2/6: We introduced a game-based definition for perfect secrecy. Here, the adversary is an entity which is explicitly modeled and which participates in an experiment with a challenger. We described the "one-time pad" encryption scheme (also known as Vernam's cipher) and proved that it achieves perfect secrecy. We then discussed the drawbacks of the "one-time pad" construction. Namely, that the secret key is the same length as the transmitted message and that a secret key can only be used a single time to encrypt a message. We then showed that these limitations are inherent: Any perfectly-secret encryption scheme must have a key space that is at least as large as the message space.

2/11: We motivated a computational approach to security which has the potential to bypass the severe limitations of perfect secrecy. The computational approach to security incorporates two relaxations (1) Security is only preserved against "efficient" adversaries (2) Adversaries can potentially succeed with some "very small" probability. We discussed two approaches for formalizing the above--the concrete approach and the asymptotic approach. In this course we will employ the asymptotic approach. In the asymptotic approach, "efficient" adversaries means adversaries who run in polynomial time in the security parameter and "very small" probability means success probability which is negligible in the security parameter. We then discussed the difficulty of proving that schemes are unconditionally computationally secure. We therefore adopt the following strategy: We assume that some low-level problem is hard to solve and then prove that the construction is secure under this assumption. We discussed the proof by reduction method.

2/18: We presented the definition of private key encryption with indistinguishable encryptions in the presence of an eavesdropper. We discussed the differences between this definition and the game-based information-theoretic definition from Chapter 2. We discussed the power of the indistinguishability definition and, in particular, showed that the indistinguishability definition implies that an attacker cannot guess any particular bit of an encrypted random message with probability that is noticeably better than 1/2.

2/20: We presented the definition of semantic security in the presence of an eavesdropper and intuitively discussed why this is the "right" definition of security. We mentioned that the indistinguishability definition and the semantic security definition are equivalent (but did not present the proof). We introduced the notion of pseudorandomness and gave the formal definition of a pseudorandom generator. We then presented the construction and security proof of private key encryption with indistinguishable encryptions in the presence of an eavesdropper from a pseudorandom generator.