This is an overview of “modern” (post-WW2) cryptography covering some security properties and the cryptographic primitives that provide them. Definitions and proofs are omitted.

- Properties
  - Confidentiality – Unauthorized parties can’t read the message.
  - Integrity – The message has not been changed by unauthorized parties.
  - Authentication – The message comes from an authorized party.
- Primitives
  - Symmetric key ciphers and public key cryptosystems
    - Block (AES) and stream (RC4) ciphers
    - RSA and ElGamal
  - Hashes
    - SHA-256
  - MACs (symmetric key) and digital signatures (public key)
    - HMAC
    - RSA and DSA


**Kerckhoffs’ principle**: Always assume everything about a cryptosystem is publicly known except for the key. In other words, the encryption and decryption algorithms should be public. This means, for example, that a ciphertext-only attacker is able to try out different keys for decryption, since the attacker knows the encryption and decryption algorithms but not the key.

Confidentiality is provided by symmetric key ciphers and public key cryptosystems. Without the shared symmetric key or private key an adversary cannot gain information about the plaintext.

- Security notions: IND-CPA and IND-CCA.
- IND-CCA -> IND-CPA (IND-CCA security implies IND-CPA security).

Integrity is provided by a hash. Strictly speaking this is not true on its own, because a man in the middle can easily change the message and compute a fresh hash of the modified message. But if the hash is transmitted through a secure channel, then a received message that hashes to the transmitted value is unchanged.

- Security notions: collision resistance, 2nd preimage resistance, and preimage resistance (below, -> means “implies” and -/> means “does not imply”).
- Collision resistance -> 2nd preimage resistance.
- 2nd preimage resistance -/> preimage resistance.
- Preimage resistance -/> 2nd preimage resistance.

Authentication is provided by a message authentication code (symmetric key) or a digital signature (public key). Both also ensure integrity, and a digital signature additionally provides non-repudiation, since only one party possesses the secret signing key. Without the shared symmetric key or the secret signing key an attacker cannot produce a valid MAC under the shared symmetric key or a valid digital signature under the public verification key.

Symmetric and public key cryptosystems:

- Encryption alone does not provide integrity.
- Symmetric key: block and stream ciphers
  - Block ciphers (e.g. AES)
    - ECB – Deterministic. Not IND-CPA secure. Both encryption and decryption parallelizable.
    - CBC – Encryption sequential, decryption parallelizable. A ciphertext bit error affects 2 plaintext blocks.
    - CFB – Encryption sequential, decryption parallelizable. A ciphertext bit error affects 2 plaintext blocks. Only uses the encryption direction of the block cipher. Self-synchronizing stream cipher.
    - OFB – Both sequential. Keystream precomputable. A ciphertext bit error affects only 1 plaintext bit. Only uses the encryption direction. Synchronous stream cipher.
    - CTR – Both parallelizable. A ciphertext bit error affects only 1 plaintext bit. Only uses the encryption direction. Synchronous stream cipher.
  - Stream ciphers (e.g. RC4)
    - Use a generated keystream that is XORed with the message.
- Public key: RSA and ElGamal
  - Textbook RSA
    - Deterministic: not IND-CPA secure.
  - RSA-OAEP
    - IND-CCA secure under the RSA assumption in the random oracle model.
  - ElGamal
    - IND-CPA secure under the DDH assumption.
    - Malleable: not IND-CCA secure.
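
The bit-error and parallelism claims in the block cipher mode bullets above (CBC versus CTR) can be checked directly. The following is an added example, not code from the original notes: it runs CBC and CTR over a toy 4-round Feistel block cipher built from SHA-256 (a stand-in for AES, an assumption made only so the example runs offline), flips a single ciphertext bit, and counts how many plaintext bits change in each decrypted block. The key, IV and plaintext are constructed sample values.

```python
import hashlib
BLOCK, HALF = 16, 8  # block size in bytes (as for AES) and Feistel half-block size

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]  # keyed round function
def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network: a toy block cipher standing in for AES (assumption of this example).
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, right, i))
    return right + left  # undo the final swap so decryption reuses the same network
def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        left, right = right, _xor(left, _f(key, right, i))
    return right + left

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Chaining makes encryption sequential; len(pt) must be a multiple of BLOCK (no padding here).
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Each block needs only itself and the previous ciphertext block, so this parallelises.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for c, p in zip(blocks, [iv] + blocks))
def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream block n = E_k(nonce || n); encryption and decryption are the same operation.
    return b"".join(_xor(data[i:i + BLOCK], block_encrypt(key, nonce + n.to_bytes(8, "big")))
                    for n, i in enumerate(range(0, len(data), BLOCK)))

KEY = hashlib.sha256(b"constructed demo key").digest()  # constructed sample key
IV = bytes(range(BLOCK))      # constructed; in practice unpredictable (CBC) / never reused (CTR)
PT = bytes(range(4 * BLOCK))  # four blocks of constructed plaintext

def error_pattern(mode: str, bit: int = BLOCK * 8 + 3) -> list:
    """Flip one ciphertext bit (inside block 1), decrypt, count changed plaintext bits per block."""
    if mode == "cbc":
        ct, dec = cbc_encrypt(KEY, IV, PT), lambda c: cbc_decrypt(KEY, IV, c)
    else:  # "ctr"
        ct, dec = ctr_crypt(KEY, IV[:8], PT), lambda c: ctr_crypt(KEY, IV[:8], c)
    bad = bytearray(ct)
    bad[bit // 8] ^= 1 << (bit % 8)  # simulate a single transmission bit error
    dec_pt = dec(bytes(bad))
    return [sum(bin(x ^ y).count("1") for x, y in zip(PT[i:i + BLOCK], dec_pt[i:i + BLOCK]))
            for i in range(0, len(PT), BLOCK)]
```

`error_pattern("cbc")` garbles the whole of plaintext block 1 and flips exactly one bit of block 2, while `error_pattern("ctr")` flips exactly one bit in block 1 and nothing else; note that in neither mode does the corruption get detected, which is the "encryption alone does not provide integrity" point.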


MACs and digital signatures:

- MACs: HMAC
  - Any PRF is an EUF-CMA secure MAC.
  - CBC-MAC: vulnerable to length extension attacks (when used on variable-length messages).
  - HMAC is a PRF if its compression function is a PRF.
- Digital signatures: RSA and DSA
  - Textbook RSA
    - Not EUF-CMA secure: selective forgery under a chosen-message attack, and existential forgery under a key-only attack.
  - RSA-FDH
    - EUF-CMA secure in the random oracle model.
  - DSA / ECDSA
    - Believed to be EUF-CMA secure, but this is not proven.
    - Broken if the discrete logarithm can be computed.


To add confidentiality to a message, you encrypt it. Since public key cryptography is thousands of times slower than symmetric key cryptography, the usual approach is to encrypt the message with a symmetric key and then encrypt that symmetric key using public key encryption. This is called hybrid encryption and is used by practically all deployed public key systems, such as TLS.

To add integrity and authentication to a message, you add a digital signature. Instead of signing the entire message you can hash it and sign the hash; in fact, that is how it is normally done.

If you want both confidentiality and integrity+authentication, you first encrypt, then hash the ciphertext and sign the hash.