Handouts

All handouts in the course will be available here. The information given below may be updated during the course, in which case we will ping students with a post.

General Information

LaTeX and Running Ubuntu in a Virtual Machine on Windows

To install Ubuntu in VMware Player, start the player, create a new virtual machine, and browse for the ISO file. All you need to do is enter your name and password; the rest is taken care of by VMware Player. When this is done, open a browser inside Ubuntu and download ubuntu.tar.gz from this page. Look inside the scripts and comment out the things you do not want; the script is reasonably well documented.

Group Project

The goal of the project is to give you a full-stack experience of real-world cryptography. The results can serve as great work samples when you apply for a job.

  • Part I (20P). Consider how a voter can authenticate itself in an electronic voting system. Write down descriptions of a few methods in about 4 pages (with reasonable margins and font size). Use your own judgement to determine how many schemes you describe, but it is more fun if you choose systems that are as diverse as possible, i.e., simply looking at Google login and Yahoo login is not a good solution.

    We will discuss everybody's solutions in class. Then you will pick one (not necessarily one of those you described) and go into more detail.

  • Part II (20P). Choose an authentication scheme that allows both theoretical study and practical implementation. Unfortunately this reduces the set of possible choices. Kerberos and most likely biometric schemes cannot be used. BankID is somewhat special. The protocol is not available, so it cannot be used in this part, but it is perhaps too tempting as a real-life example, so when you implement you can switch to it if you like.

    Then motivate your choice, describe the scheme at an abstract level, and argue as rigorously as you can that it is secure. This means: describing a security goal/definition, stating assumptions explicitly, stating security parameters, defining computations and messages sent, and arguing that the system satisfies the security goal given the assumptions. Express this as precisely as you can. It is a good idea to play devil's advocate with yourself here. Try to break it in every way you can think of and understand why you fail.

    It does not mean describing things at a byte level. Use a mathematical style of writing and no pseudo-code that resembles real code. It is perfectly fine to simplify things you do not think are essential in your exposition and argument. The focus in this part of the project is to understand the key ideas of the scheme. Feel free to draw pictures, but if you do it by hand, then please use clear handwriting for any symbols.

  • Part III and Part IV (20P+20P=40P). Choose an authentication scheme, implement a demo, describe how it works, demo it, and witness a demo. More precisely:
    1. You have considered several systems in Part I and Part II. Choose a system for which it is feasible for you to implement a mock-up client and possibly a server. Make sure that you read about the system at a technical level before you start coding. Ask yourself what libraries and APIs are available for a programming language that you like.
    2. Implement a demo client and if needed a server. The technical details differ depending on if you use a third party for authentication (e.g., BankID and Facebook), if the system is token based or signature based, if you use a browser or a stand-alone client etc. Any programming language can be used, but it is often a good idea to use one that is "native" to the APIs. Demo means demo, so don't try to implement everything from scratch.
    3. Describe the system at a technical level, e.g., what flags, options, configuration, packaging schemes are used. Determine if it is a faithful refinement of a sound abstract scheme. Are they "cheating" somewhere? Is the "cheating" sound? Security parameters? Try to identify weak points! Give also a brief assessment of APIs, documentation, unintuitive or dangerous ambiguities, and difficulties encountered, i.e., summarize your experience.
    4. Prepare a demo session targeting fellow students, and then explain and demo your system to another project group. Your session should take 20 min and involve use, browsing code, and a summary of your findings.
    5. Every group should give a demo to one other group (or one more on a volunteer basis if needed). Write a half-page about the demo you were given by the other group. Note if the group takes significantly more or less than 20 min.

Homework

  • Homework I 
    • LaTeX solution template
    • Note that you can work in groups of at most three students as discussed in class for theoretical problems, but not for the implementation problems. Read the updated rules above.
    • Ciphertext-only attack on d × d Hill in O(d13^d). (There will be a homework problem based on this paper.)
    • CORRECTION: In 6c) you can consider S to be padded with zeros to fix the mismatch between the support of S and the domain of RO, i.e., you can think of S as a random variable of the form S'|0000....0 where S' is randomly distributed in {0,1}^128.
  • Homework II

Slides From Lectures

Lecture slides for all lectures are available below. They will be updated regularly to reflect changes in the course and what is said and covered on the blackboard during lectures. Slides may be added or removed, but slides from given lectures will at most be corrected. They give a good idea of the course content.

About recording lectures

On KTH campus it is illegal to record audio or video of any lectures without the lecturer's explicit permission. This applies to all recordings, even those for your own use.

Why is this important?

The most important reason is that there are students with hidden identity at KTH. Leaking the identity of these students may jeopardize their safety. Examples include: political refugees, court witnesses, and people escaping domestic violence or threats. Due to personal experience with one of these examples, I take this very seriously.

Only a chosen few (not me) know who they are, so we have to behave as if they are in every class. If I allow recording, then I am responsible for making sure that recordings are done in such a way that no other students appear in the recording, and I simply do not have the time to do that.

Lectures are also structured differently depending on the audience, and if KTH lectures appear online we obviously want the audio and video to be of high quality.

Last year I had to "save" students from involvement by the legal department by hunting down a bunch of copies and getting written statements from every student who had them that they were deleted and had not spread further.

Let us take pictures of the blackboard for everybody instead!

I do understand that you want to take pictures of the blackboard, so I suggest that:

  1. before each lecture somebody volunteers to sit in the front and take pictures,
  2. you send those pictures to me,
  3. you delete them when I have acknowledged that I have them, and
  4. I check them and post them on the handouts page for everybody.

I hope that you find this to be a reasonable solution!

....and I am going to assume that nobody recorded anything during the first two lectures unless you posted it online.

Douglas Wikström created the page 1 November 2016

commented 18 January 2017

Hi,

Are there any reading guidelines?

Teacher commented 18 January 2017

There will be no reading guidelines. One of the course goals is that students practice finding relevant literature on their own.

Furthermore, depending on the interests of the class we may focus more, or less, on different topics throughout the course.

However, Stinson's book is the main source, and the lecture slides from last year that are available on the Handouts page give a decent idea of what is covered. Those slides will be updated throughout the course to better reflect the actual content this year. Some material is probably covered in Katz and Lindell's book. See Resources.

Feel free to skip lectures, but it is your responsibility to know what goes on during the lectures, and I do some things on the blackboard that do not appear on slides!

commented 19 January 2017

Would it be possible to upload the slides as handouts? (1 slide per page)

I guess this does the trick: \documentclass[handout]{beamer}

commented 19 January 2017

Just to clarify, is the link under "Slides From Lectures" all lectures combined together, or is it just the first one? It's 442 pages long, which seems too long to be just one lecture.

Teacher commented 19 January 2017

Davis, I am not sure what you want to accomplish. Please be more specific.

Erik, yes those are all the slides in one file from last year. Some will not be used this year and slides may be added.

commented 19 January 2017

Now the presentation is very long, and this partly depends on some of the slides having duplicate information. Take the slide "Cipher (Symmetric Cryptosystem)": it has 6 slides to view the same information.

For presentation purposes it is great, but when viewing it on the computer or if I would like to print some slides it would be nice if you could merge those.

If you compile your beamer with the "handout" parameter it should do it. If it does not work then it is ok.

Teacher commented 20 January 2017

Now I see what you mean. I have added such a version.

commented 20 January 2017

Is there any way for you to note in the slides which topics (or more specifically which slides) were discussed during what specific lecture? 

Meaning, if I'd like to read up on the material before a lecture, I should know roughly how many slides I have to go through and where to start. 

This also helps if someone missed a lecture and wants to catch up on what was discussed during that lecture. 

commented 23 January 2017

bump

A user has removed their comment

commented 23 February 2017

Hi!
Will Homework 1 show up soon?

Douglas Wikström edited 30 March 2017

All handouts in the course will be available here. The information given below may be updated during the course, in which case we will ping students with a post.

General Information
* Course description (170117)
* Rules for solving problems and handing in solutions UPDATED FOR 2017.
* Example of compiled solution set and the corresponding LaTeX source. Note that this is an example that should not be used to typeset any real set of solutions. It is only used to illustrate what is expected from students. There will be a separate template for each homework.


LaTeX and Running Ubuntu in a Virtual Machine on Windows
* The Not So Short Introduction to LaTeX (see also the template above).
* VMware Player (free for non-commercial use)
* Download Ubuntu ISO-file

To install Ubuntu in VMware Player, start the player, create a new virtual machine, and browse for the ISO file. All you need to do is enter your name and password; the rest is taken care of by VMware Player. When this is done, open a browser inside Ubuntu and download ubuntu.tar.gz from this page. Look inside the scripts and comment out the things you do not want; the script is reasonably well documented.

Group Project
* Part I. Consider how a voter can authenticate itself in an electronic voting system. Write down descriptions of a few methods in about 4 pages (with reasonable margins and font size). Use your own judgement to determine how many schemes you describe, but it is more fun if you choose systems that are as diverse as possible, i.e., simply looking at Google login and Yahoo login is not a good solution. We will discuss everybody's solutions in class. Then you will pick one (not necessarily one of those you described) and go into more detail.


* Part II. Choose an authentication scheme that allows both theoretical study and practical implementation. Unfortunately this reduces the set of possible choices. Kerberos and most likely biometric schemes cannot be used. BankID is somewhat special. The protocol is not available, so it cannot be used in this part, but it is perhaps too tempting as a real-life example, so when you implement you can switch to it if you like. Then motivate your choice, describe the scheme at an abstract level, and argue as rigorously as you can that it is secure. This means: describing a security goal/definition, stating assumptions explicitly, stating security parameters, defining computations and messages sent, and arguing that the system satisfies the security goal given the assumptions. Express this as precisely as you can. It is a good idea to play devil's advocate with yourself here. Try to break it in every way you can think of and understand why you fail.

It does not mean describing things at a byte level. Use a mathematical style of writing and no pseudo-code that resembles real code. It is perfectly fine to simplify things you do not think are essential in your exposition and argument. The focus in this part of the project is to understand the key ideas of the scheme. Feel free to draw pictures, but if you do it by hand, then please use clear handwriting for any symbols.


Homework
* Homework I 
* LaTeX solution template

* Note that you can work in groups of at most three students as discussed in class for theoretical problems, but not for the implementation problems. Read the updated rules above.
* Ciphertext-only attack on d × d Hill in O(d13^d). (There will be a homework problem based on this paper.)

* Homework II will appear here.

Slides From Lectures

Lecture slides for all lectures are available below. They will be updated regularly to reflect changes in the course and what is said and covered on the blackboard during lectures. Slides may be added or removed, but slides from given lectures will at most be corrected. They give a good idea of the course content.


* Lecture slides 170117 (compiled for presentation with step-wise disclosure of items)
* Lecture slides 170117 (compiled to be printed)

commented 30 March 2017

Task 10 in homework 1 says "Use a big integer library for multiplication, e.g., GMP in C/C++". However, submissions to modexp on Kattis are not linked with GMP, resulting in a compile error if we try to use it. See my test submission: https://kth.kattis.com/submissions/1767959. In order to enable GMP support, the flags "-lgmp" and "-lgmpxx" need to be added to the g++ command.

Now this is possible to do on Kattis, as GMP works for the problem factoring, from the Advanced Algorithms course. It just does not seem to have been enabled in this case.

Could you look into this?

Teacher commented 30 March 2017

Thank you for the feedback. I will ask them to add this ASAP.

commented 30 March 2017

How would you like us to hand in the assignments where we have to write actual code? Is there maybe some sort of package for LaTeX that you recommend which improves readability, or should we just copy-paste the code?

commented 31 March 2017

For implementation assignments of actual code:

1. Make sure you are registered for the course on Kattis. To specify:
on https://kth.kattis.com/courses - when you're logged in, under Current Courses, the entry "Kryptografins grunder – DD2448" should read "krypto17  (registered)", with a green background. If it does not, click the krypto17 link and click the text link for "I am a student taking this course and I want to register for it on Kattis".

2. Submit the file to Kattis on the problem page relevant to the problem. Again, make sure you are logged in. The kattis page for each problem is given in the exam, including a hotlink for compatible PDF readers.

commented 31 March 2017

Should Java's BigInteger be used for all implementation assignments?

commented 3 April 2017

Hello!

For the implementation questions, it works on my computer, but when I run it on Kattis it gives me a Run Time Error related to input/output understanding. My Java code is reading from System.in and creating output with System.out.println(). How are we meant to read in input and print output?

Thanks!

commented 3 April 2017

@Rebecca

If it says how large the input numbers are you should be able to figure out if you need it or not.

If it doesn't say, it's usually safe to assume that it will fit in an int_64

@Natalie

There are some test assignments to understand I/O in Kattis like

https://kth.kattis.com/problems/hello

and some simple ones like:

https://open.kattis.com/problems/modulo

commented 3 April 2017

This might be a very stupid question, but what exactly does "All integers are positive and given in decimal." mean?

commented 3 April 2017

That you won't find negative numbers or numbers written in hexadecimal or binary ...

commented 4 April 2017

But I will find doubles in the input data? I get a NumberFormatException when trying to convert the input to a long or int, but not when I'm interpreting it as a double. Am I correct?

If the above is true, I think that it is very confusing to state that: "All integers are positive..."

Any help?

commented 4 April 2017

I'm not sure about doubles in the input, but worth noticing is that numbers too large to fit inside an integer or a long will throw a NumberFormatException when parsed.

commented 4 April 2017

@alexander

@natalie

When asking for help it's a lot easier if you state what problem you are having problems with.

@alexander
https://en.wikipedia.org/wiki/Integer

aka a whole number, not integer as in the data-type. Why double works is because you probably have an overflow as Erik stated.
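
Added example (not part of the thread), in Python: the parsing behaviour described in the comments above. A fixed-width parse rejects a value that is too large, a parse through a double accepts it but rounds it, and arbitrary-precision integers keep modular exponentiation exact. The `base exponent modulus` line layout, the function names and the sample values are constructed for illustration and are not the Kattis problem's format.

```python
INT64_MAX = 2**63 - 1  # largest value of a signed 64-bit integer


def parse_int64(token):
    """Parse a positive decimal token as a fixed-width parser would: reject overflow."""
    value = int(token)
    if not 0 < value <= INT64_MAX:
        raise ValueError(f"{token!r} does not fit in a positive signed 64-bit integer")
    return value


def parse_via_double(token):
    """Parse through a 64-bit float: size is no obstacle, but only 53 bits survive."""
    return int(float(token))


def modexp(base, exponent, modulus):
    """Left-to-right square-and-multiply on arbitrary-precision integers."""
    if modulus <= 0 or exponent < 0:
        raise ValueError("modulus must be positive and exponent non-negative")
    result = 1 % modulus               # also correct when modulus == 1
    base %= modulus
    for bit in bin(exponent)[2:]:      # most significant bit first
        result = result * result % modulus
        if bit == "1":
            result = result * base % modulus
    return result


def solve_line(line, parse=int):
    """Compute base^exponent mod modulus for one whitespace-separated line."""
    base, exponent, modulus = (parse(token) for token in line.split())
    return modexp(base, exponent, modulus)


# Constructed sample: a 30-digit odd base, far outside the 64-bit range.
SAMPLE_LINE = "123456789012345678901234567891 65537 2"

if __name__ == "__main__":
    print("exact integers :", solve_line(SAMPLE_LINE))
    # The double-based parse rounds the base to an even number, so the
    # result changes without any error being raised.
    print("via double     :", solve_line(SAMPLE_LINE, parse=parse_via_double))
    try:
        solve_line(SAMPLE_LINE, parse=parse_int64)
    except ValueError as exc:
        print("64-bit parse   :", exc)
```

The double-based parse is the dangerous one of the three: it fails silently, so the program produces an answer that is simply wrong.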

commented 5 April 2017

In problem 6c it is stated that S is a random variable over {0, 1}^128 and RO: {0, 1}^256 -> {0, 1}^256. Then S is not in the domain of RO and I am not sure how to interpret RO(S).

Is there a typo in one of the sets?

commented 6 April 2017

For the AES implementation, I have a working Python solution but am very confused by the reading of the input in Kattis. Since it's a binary input, it doesn't seem like we can use the "for line in sys.stdin: ab = line.split()" method that is described in the Help tab. This is pretty frustrating because the main task of the problem is to figure out the AES algorithm, not how to deal with Kattis input. Does anyone know how we can get the input from Kattis?

commented 6 April 2017

Hi,

I am trying to complete the factorization of RSA modulus (problem 12). My program works locally on the provided samples. However, I get Wrong Answer in Kattis, even on the first test, which is supposed to be, I believe, the sample one.

Any idea what could cause that? Cheers!

commented 6 April 2017

@natalie

You will have to read until EOF. Yes the input is not in as nice of a structure as one might wish and I've already talked to Douglas about this but it won't change for this round.

I might as well tell you now that your python solution will be too slow (unless you know magic) for the simple reason that no one has ever submitted a solution that was fast enough (look in the stats section). There might be (and there is) 106 blocks that you have to encrypt.

@aurelien

Have you tried using the diff tool when comparing the answers? Kattis treats all differences as an error, even if it is just simple things like new-lines and white space. Also, have you remembered to sort the values?
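
Added example (not part of the thread), in Python: one way to read a binary input until EOF, as the reply above advises, by consuming the byte stream in 16-byte AES blocks instead of text lines. How the key is delivered is set by the problem statement, which is not on this page; treating every 16 bytes as one block, the function names, the placeholder transform and the test stream are assumptions made for illustration.

```python
import io
import sys

BLOCK_SIZE = 16  # AES block size in bytes


def iter_blocks(stream, block_size=BLOCK_SIZE, chunk_size=1 << 16):
    """Yield consecutive fixed-size blocks from a binary stream until EOF.

    read() may return fewer bytes than requested (pipes, raw streams), so
    leftover bytes are carried over to the next chunk.
    """
    pending = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:                      # b"" signals EOF on a binary stream
            break
        pending += chunk
        usable = len(pending) - len(pending) % block_size
        for offset in range(0, usable, block_size):
            yield pending[offset:offset + block_size]
        pending = pending[usable:]
    if pending:
        raise ValueError(f"input ends with a partial block of {len(pending)} bytes")


def process(stream_in, stream_out, transform):
    """Apply transform to every block, write the results once, return the block count."""
    output = bytearray()
    count = 0
    for block in iter_blocks(stream_in):
        output += transform(block)
        count += 1
    stream_out.write(output)               # one write instead of one per block
    return count


def placeholder_transform(block):
    """Stand-in for the block encryption; NOT AES, only marks where it plugs in."""
    return bytes(byte ^ 0xFF for byte in block)


class TrickleReader:
    """Constructed test stream that returns at most `step` bytes per read()."""

    def __init__(self, data, step):
        self._data, self._step, self._pos = data, step, 0

    def read(self, size=-1):
        piece = self._data[self._pos:self._pos + self._step]
        self._pos += len(piece)
        return piece


if __name__ == "__main__":
    # Binary stdin/stdout live on the .buffer attributes; sys.stdin itself
    # decodes text and would corrupt or reject arbitrary bytes.
    process(sys.stdin.buffer, sys.stdout.buffer, placeholder_transform)
```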

commented 6 April 2017

Hi,

Yes, I used the diff tool and it returned nothing (i.e., my output is similar to sample.ans). I also sort the values.

commented 7 April 2017

The first test case on Kattis is not always the same as the example. I know that multiple people have passed so there has to be something wrong with your algorithm.

You can try to simply print the answer for the test case to verify if it's the same as the example or not.

commented 13 April 2017

As a help for anyone trying to debug their AES implementation, here is what mine spits out after each step (converted to hex for readability): https://pastebin.com/yXMJz6d3

commented 13 April 2017

Hi,

Did the person that took a photo on the blackboard when Douglas went through assignment 19 of the homework ever share that photo?

Would appreciate if the picture was shared.

Best regards!

commented 13 April 2017

@Johan

For AES the official standard document has test vectors (aka all values at every step):

http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf

There are also good YouTube videos showing the same things.

commented 14 April 2017

I have two questions about question 18 in HW1.

  1. Are all values but x known?
  2. Is the value y given as it is, or is it given mod q or mod p?

commented 14 April 2017

Has the problem with Task 10, Kattis not compiling the GMP library, been solved? I still get a compile error there on Kattis with GMP.

Douglas Wikström edited 14 April 2017


commented 15 April 2017

For the implementation part of the homework, is it enough to submit the code on Kattis, or do we have to describe our solutions in a document?

commented 17 April 2017

Are we supposed to hand in two reports, one individual for the Implementations and one for the group's theoretical answers?

commented 17 April 2017

The professor said that he will retrieve implementation submissions directly from Kattis, hence a single report for the theoretical part should be enough.

Douglas Wikström edited 19 April 2017

All handouts in the course will be available here. The information given below may be updated during the course, in which case we will ping students with a post.

General Information
* Course description (170117)
* Rules for solving problems and handing in solutions UPDATED FOR 2017.
* Example of compiled solution set and the corresponding LaTeX source. Note that this is an example that should not be used to typeset any real set of solutions. It is only used to illustrate what is expected from students. There will be a separate template for each homework.


Latex and Running Ubuntu in a Virtual Machine on Windows
* The Not So Short Introduction to LaTeX (see also the template above).
* VM Ware Player (free for non-commercial use)
* Download Ubuntu ISO-file
To install Ubuntu in your VM Ware player, start the player, create a new virtual machine, and browse for the ISO-file. All you need to do is enter your name and password, the rest is taken care of by VM Ware player. When this is done you open a browser inside your Ubuntu and download ubuntu.tar.gz from this page. Look inside the scripts and comment out the things you do not want, the script is reasonably well documented.

Group Project The goal of the project is give you a full stack experience of real-world cryptography. The results can serve as great work samples when you apply for a job.¶


* Part I (20P). Consider how a voter can authenticate itself in an electronic voting system. Write down descriptions of a few methods in about 4 pages (with reasonable margins and font size). Use your own judgement to determine how many schemes you describe, but it is more fun if you choose systems that are as diverse as possible, i.e., simply looking at Google login and Yahoo login is not a good solution. We will discuss everybody's solutions in class. Then you will pick one (not necessarily one of those you described) and go into more detail.


* Part II (20P). Choose an authentication scheme that allows both theoretical study and practical implementation. Unfortunately this reduces the set of possible choices. Kerberos and most likely biometrical schemes can not be used. BankID is somewhat special. The protocol is not available so it can not be used in this part, but it is perhaps too tempting as a real life example, so when you implement you can switch to it if you like. Then motivate your choice, and describe the scheme at an abstract level and argue as rigorously as you can that it is secure. This means: describing a security goal/definition, stating assumptions explicitly, stating security parameters, defining computations and messages sent, and argue that the system satisfies the security goal given the assumptions. Express this as precisely as you can. It is a good idea to play devil's advocate with yourself here. Try to break it in every way you can think of and understand why you fail.

It does not mean describing things at a byte level. Use a mathematical style of writing and no pseudo-code that resembles real code. It is perfectly fine to simplify things you do not think are essential in your exposition and argument. The focus in this part of the project is to understand the key ideas of the scheme. Feel free to draw pictures, but if you do it by hand, then please use clear handwriting for any symbols.


* Part III and Part IV (20P+20P=40P). Choose an authentication scheme, implement a demo, describe how it works, demo it, and witness a demo. More precisely:
  * You have considered several systems in Part I and Part II. Choose a system that is feasible for you to implement a mock-up client and possibly a server. Make sure that you read about the system at a technical level before you start coding. Ask yourself what libraries and APIs are available for a programming language that you like.
  * Implement a demo client and if needed a server. The technical details differ depending on if you use a third party for authentication (e.g., BankID and Facebook), if the system is token based or signature based, if you use a browser or a stand-alone client etc. Any programming language can be used, but it is often a good idea to use one that is "native" to the APIs. Demo means demo, so don't try to implement everything from scratch.
  * Describe the system at a technical level, e.g., what flags, options, configuration, packaging schemes are used. Determine if it is a faithful refinement of a sound abstract scheme. Are they "cheating" somewhere? Is the "cheating" sound? Security parameters? Try to identify weak points! Give also a brief assessment of APIs, documentation, unintuitive or dangerous ambiguities, and difficulties encountered, i.e., summarize your experience.
  * Prepare a demo session targeting fellow students, and then explain and demo your system to another project group. Your session should take 20 min and involve use, browsing code, and a summary of your findings.
  * Every group should give a demo to one other group (or one more on a volunteer basis if needed). Write a half-page about the demo you were given by the other group. Note if the group takes significantly more or less than 20 min.

Homework
* Homework I
  * LaTeX solution template
  * Note that you can work in groups of at most three students as discussed in class for theoretical problems, but not for the implementation problems. Read the updated rules above.
  * Ciphertext-only attack on d × d Hill in O(d13^d). (There will be a homework problem based on this paper.)
  * CORRECTION: In 6c) you can consider S to be padded with zeros to fix the mismatch between the support of S and the domain of RO, i.e., you can think of S as a random variable of the form S'|0000....0 where S' is randomly distributed in {0,1}^128.

* Homework II will appear here.

Slides From Lectures

Lecture slides for all lectures are available below. They will be updated regularly to reflect changes in the course and what is said and covered on the blackboard during lectures. Slides may be added or removed, but slides from given lectures will at most be corrected. They give a good idea of the course content.


* Lecture slides 170117 (compiled for presentation with step-wise disclosure of items)
* Lecture slides 170117 (compiled to be printed)

About recording lectures

On KTH campus it is illegal to record audio or video of any lectures without the lecturer's explicit permission. This applies to all recordings, even those for your own use.

Why is this important? The most important reason is that there are students with hidden identity at KTH. Leaking the identity of these students may jeopardize their safety. Examples include: political refugees, court witnesses, and people escaping domestic violence or threats. Due to personal experience with one of these examples, I take this very seriously.

Only a chosen few (not me) know who they are, so we have to behave as if they are in every class. If I allow recording, then I am responsible for making sure that recordings are done in such a way that no other students appear in the recording, and I simply do not have the time to do that.

Lectures are also structured differently depending on the audience, and if KTH lectures appear online we obviously want the audio and video to be of high quality.

Last year I had to "save" students from the involvement by the legal department by hunting down a bunch of copies and getting written statements from every student that had those that they were deleted and had not spread further.

Let us take pictures of the blackboard for everybody instead!

I do understand that you want to take pictures of the blackboard, so I suggest that:


* before each lecture somebody volunteers to sit in the front and take pictures,
* you send those pictures to me,
* you delete them when I have acknowledged that I have them, and
* I check them and post them on the handouts page for everybody.
I hope that you find this to be a reasonable solution!

....and I am going to assume that nobody recorded anything during the first two lectures unless you posted it online.

commented 3 May 2017

When will the scores of group project part II appear in rapp? It has been quite a while now.

commented 4 May 2017

@Alexander For our group it is up now!

commented 4 May 2017

Same for our group but still not any results on Group project 1 though for our group.

Douglas Wikström edited 11 May 2017

All handouts in the course will be available here. The information given below may be updated during the course, in which case we will ping students with a post.

General Information
* Course description (170117)
* Rules for solving problems and handing in solutions UPDATED FOR 2017.
* Example of compiled solution set and the corresponding LaTeX source. Note that this is an example that should not be used to typeset any real set of solutions. It is only used to illustrate what is expected from students. There will be a separate template for each homework.


Latex and Running Ubuntu in a Virtual Machine on Windows
* The Not So Short Introduction to LaTeX (see also the template above).
* VM Ware Player (free for non-commercial use)
* Download Ubuntu ISO-file

commented 11 May 2017

Will the passing grade limit be lowered since the course description states: "Each homework satisfies I + T ≥ 100", while HW2 only has 50T + 29I?

commented 11 May 2017

Will we get our grade for HW1 before the deadline of HW2? It would be nice to know how many points we received on the first homework so we know what to aim for in HW2.

commented 14 May 2017

I encountered a problem when trying to solve the SHA 256 implementation exercise for HW2. The example inputs/outputs that are given on Kattis never correspond to the output given by any other SHA256 hash generator. For example, the first example on Kattis is 'e5', and its output is 'ab61ba11a38b007ff98baa3ab20e2a584e15269fd428db3c857e2a2d568b5725'. However when using any other SHA-256 hashing tool, we get '43700797e2f9d4ad38ccf1355df3233453396bfcc8db8e424486e37bae42a9ec'. Am I missing something here?

commented 14 May 2017

Maybe those encrypt the string "e5" rather than the bytes?

commented 14 May 2017

For the SHA256 exercise you have to interpret the input as bytes in hexadecimal encoding (it is stated in the input specification). So, for example, the string 'e5' represents a single byte with the value 229. Hashing tools usually read input as characters.
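
The mismatch discussed in the comments above, as an added example that is not part of the original thread or the course material: the same two characters `e5` hash differently depending on whether they are decoded as one hex-encoded byte or hashed as typed. The function names are hypothetical, and the two digests in the `__main__` section are the ones quoted in the question.

```python
import hashlib


def candidate_encodings(line: str) -> dict:
    """Return every plausible byte string that the text `line` could denote."""
    text = line.strip()
    candidates = {}
    try:
        # Hex reading: each pair of hex digits is one byte ('e5' -> value 229).
        candidates["hex-decoded-bytes"] = bytes.fromhex(text)
    except ValueError:
        pass  # odd number of digits or non-hex characters: not a hex encoding
    # What most hashing tools do: hash the characters that were typed.
    candidates["characters"] = text.encode("utf-8")
    # `echo`-style input: the shell appends a newline before hashing.
    candidates["characters+newline"] = (text + "\n").encode("utf-8")
    return candidates


def digests(line: str) -> dict:
    """SHA-256 hex digest of `line` under each interpretation."""
    return {
        name: hashlib.sha256(data).hexdigest()
        for name, data in candidate_encodings(line).items()
    }


def identify_interpretation(line: str, observed_digest: str):
    """Name the interpretation of `line` that produces `observed_digest`.

    Returns None when no interpretation matches. For an empty line the hex
    and character readings coincide, and the hex reading is reported.
    """
    observed = observed_digest.strip().lower()
    for name, digest in digests(line).items():
        if digest == observed:
            return name
    return None


if __name__ == "__main__":
    # Digests quoted in the question above for the sample input 'e5'.
    kattis = "ab61ba11a38b007ff98baa3ab20e2a584e15269fd428db3c857e2a2d568b5725"
    other_tool = "43700797e2f9d4ad38ccf1355df3233453396bfcc8db8e424486e37bae42a9ec"
    for label, digest in (("Kattis", kattis), ("other tool", other_tool)):
        print(label, "->", identify_interpretation("e5", digest))
```
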

commented 15 May 2017

Is it possible to get a latex solution template for HW2?

commented 15 May 2017

Are there going to be more homework problems so that HW2 satisfies T+I >= 100? If so, it would be good if they appeared soon.

A user has deleted their comment
commented 17 May 2017

https://cseweb.ucsd.edu/~mihir/papers/gb.pdf 

This is a great complement to the slides.

A user has deleted their comment
commented 21 May 2017

It seems like the homework hasn't been updated to satisfy the predetermined condition T+I >= 100. Is it now safe to assume that the passing grade limits for I and T points will be lowered? If this is the case, it would be nice to announce the new limits. It would also be nice to receive the scoring for the first homework, which we handed in over a month ago.

commented 22 May 2017

It doesn't seem like there is much of a need to lower the limit for a passing grade since there are more or less enough points in HW2 to pass the entire course without even getting points from HW1. The more interesting question is how the higher grade levels are weighted.

commented 22 May 2017

@Robert What are you talking about? Douglas stated clearly in the course description that the condition would be met. He also said during his last lecture that he would either add points to HW2 or lower the limits. There were also enough T points in HW1 to get a passing grade, but what does it matter? Just because you can solve all the problems easily doesn't mean that others can as well. We are lacking at least 21 possible T points, and the teacher promised that he would fix it.

Why make promises or state it in the course plan if it's not going to be fulfilled? That's just stupid. 

Forgive me but I don't understand your reasoning at all. "It doesn't seem like there is much of a need to lower the limit" might be the case for you but not for everyone. 

A user has deleted their comment
commented 23 May 2017

The problems are more or less equally hard so there being fewer points available shouldn't be a problem since there are still more points than you need. The limiting factor for solving problems is usually time so if there would have been more problems most people wouldn't have been able to solve more problems. If you are on the verge of not passing then you will have solved less than 1/3 of the problems so the amount of problems isn't really a problem.

For higher grades it's more important since there is a hell of a getting 90% of the points and getting 99% (which is practically impossible).

After working a lot as a teacher assistant I'm also worried about people passing without having learned the course material and not only about people not passing.

I would rather fail a course for not understanding the material than passing without deserving it.

commented 23 May 2017

Also, don't get me wrong. I'm arguing in regards to what I think is fair from a "neutral" perspective. I don't give a single shit about my own grade, I simply want to learn the material.

commented 23 May 2017

I think you are a potato.

commented 23 May 2017

@Robert I don't care if there are enough points in HW2 to pass the whole course. A course description is a guideline and the teacher should stick to it. Of course some adjustments can be made throughout the course, and I'm more than sure that everyone would be okay with it if there wasn't a complete lack of communication from the teacher. 

This course has been a structural disaster since day one and that's why people are pissed. I'm sure that I'm not the only one taking multiple courses simultaneously, which makes it impossible to learn everything from every course in the amount of time we have (and with homeworks being uploaded on such short notice). Since you have spent 9 years at KTH, you should obviously know this (or not). Different people have different priorities, and that's why we have a grading system. If you want to learn everything then go ahead and get an A or get a PhD in cryptography or whatever. You have to understand that there are people that are different compared to you, people that actually want to learn the foundations of cryptography and not become experts in the area. 

Take a look at this feed. Question after question is being asked without nearly a single response from the teacher. During lectures, we get promises that KTH social will be updated with information shortly, but this almost never happens. We always have to ask and ask and ask for basic information, which is usually not posted at all or posted incompletely after a long amount of time. Assignments that are handed in over a month ago are still not graded. The quiz got cancelled with one week's notice. How can you not agree that there is something wrong here?

You are not arguing from a neutral perspective, you are arguing from your and Douglas's perspective. Saying "The problems are more or less equally hard so there being fewer points available shouldn't be a problem since there still more points than you need." is not a neutral opinion, some people are more skilled in other theoretical areas than the ones in the homework.

What Douglas posted yesterday (the points being multiplied by 71/50) was a good thing. What was wrong was that he posted it one and a half weeks too late. Do you notice the pattern?

With that said, this is my last post here. I hope that everyone passes so we don't have to spend another semester taking this shit-show of a course. 

Have a nice day.

commented 23 May 2017

I was trying to play the devil's advocate, but I guess it went "so so".

I'm not saying that there haven't been a lot of problems with the course. I was trying to discuss the question on its own merit.

But I didn't read the situation correctly and people were angrier than expected and some people seem to have been offended.

So, I'm sorry.

Also, I'm a potato.

Teacher commented 23 May 2017

Alexander and others, I suggest that we sit down and discuss it and it would be great if more people joined. Let us find a date, you can propose 1-2 times/dates. Then I will make a doodle and book a big enough room for those that want to join. I know that they did this in another course and it was fruitful.

There are many considerations that go into planning a course and you obviously experience it from a different perspective than I do.

Your feedback is most welcome.

commented 23 May 2017

Concerning kth.krypto.feldman: https://kth.kattis.com/problems/kth.krypto.feldman

> You are given s1,…,sk with k>d such that for at least d+1 distinct i we have s'i=si. Your job is to recover a0.

Do you mean that all s'1..s'k are proper solutions, or if k>(d+1), may some be false? If the former, are they given in order (so that the input subsection is k, f(1), f(2)..f(k))? Or do we only know that they are solutions? The text is rather unclear on this.

Thanks in advance

Sean

commented 24 May 2017

For at least d+1 of the given s' values it is true that s'i == si.

So some of them may be "wrong".

The text is not ambiguous but it is not presented in the easiest to understand way.

commented 25 May 2017

Has anyone got any additional testcases for the feldman implementation exercise? My python implementation gets the first case correct and then I get 'wrong answer'. All testcases I can come up with it gets right..

A user has deleted their comment
commented 26 May 2017

Hi,
In 10a, PRG' is given as a pseudo random function but it has the mathematical definition of a pseudo random generator, i.e. no mention of a key. The part of the question 'and prove that it is a pseudo-random generator' is a bit ambiguous as they are different (the pseudo-random function has two parameters).

commented 26 May 2017

It's just a typo. Exercise 10a asks to prove the output extension for a pseudo-random generator.
