Hasso-Plattner-Institut
Prof. Dr. Anja Lehmann
 

Cryptography (Lecture, Master, 6 ECTS)

Prof. Anja Lehmann, Karla Friedrichs, Vera Wesselkamp, Andrey Sidorenko

Description

Cryptography is the discipline concerned with the design and analysis of protocols and techniques that secure information against adversarial access or manipulation. This lecture provides a rigorous introduction to modern cryptography, presenting the algorithmic and mathematical foundations as well as the formal security notions underlying symmetric and public-key primitives. The fundamental principle of modern cryptography—provable security—is a central theme of the course: formal attacker models are defined, and the security of the presented cryptographic methods is proven under well-specified complexity assumptions within these models. Participants will gain a systematic understanding of how the most common cryptographic constructions are designed, analyzed, and deployed to achieve provable security.

Topic Overview

  • Information-theoretical vs. complexity-theoretical security
  • Symmetric cryptography: Symmetric encryption, Pseudorandom functions, Message authentication codes (MAC), Hash functions, Authenticated encryption
  • Asymmetric cryptography: Diffie-Hellman key exchange, Public-key encryption, Digital signatures

The lecture is based mainly on the book: Katz, Lindell: Introduction to Modern Cryptography (currently 3rd edition, 2020), but also takes inspiration from Boneh, Shoup:  A Graduate Course in Applied Cryptography  (v6, 2023)

Requirements

The lecture requires basic knowledge of mathematics and theoretical computer science. In particular, students must be able to apply elementary proof techniques. Additional lectures/exercises will be offered alongside the lecture, in which elementary basics can be refreshed. 

Organisation & Exam

Weekly lecture and several smaller excercise groups out of which you can choose one. We also offer a voluntary Crypto CTF along the course to provide a more hands-on access to the lecture's topics. 

Written exam.

Links

[Moodle] [CAS Campus] // to be added

    ­­­


     

    It Wasn't Me, It Was You! Deniable Authentication for the EUDI (Master Project, 12 ECTS)

    Prof. Anja Lehmann, Karla Friedrichs, Cavit Özbay

    The eIDAS 2.0 regulation requires every EU member state to provide a digital identity solution—the EU Digital Identity (EUDI) Wallet—by the end of 2026. The EU decided to build the wallet from classic ECDSA-signed credentials, where a digital identity is simply an issuer’s signature on the set of user attributes. In Germany this choice drew criticism from consumer- and data-protection organizations, who argued that signed credentials lack an important privacy property: plausible deniability. When a user presents their digital identity, anyone can verify this presentation—and hence verifiers might be tempted to store and trade the authenticated data. This issue received attention since it is perceived as a downgrade from the prior German eID, where authentication is an online process between chip and verifier and cannot be forwarded.

    This criticism, however, conflates a property of the signature scheme with a property of the presentation protocol. Deniability is easy to add on top of ECDSA, using standard zero-knowledge techniques. The idea (sketched in more detail here) is that the verifier holds its own key pair and that the user never hands over the issuer's signature in full. Instead, she reveals only a part of it and proves, in zero knowledge, that she either knows the rest of a valid issuer signature or the verifier's secret key. Since the verifier knows its own secret key, it could have produced this proof itself—so the presentation convinces the intended verifier but is worthless as evidence to anyone else, exactly the deniability the critics asked for.

    This is a promising starting point, but it is only a first step: The construction relies on each credential being used only once—which, while consistent with the planned EUDI deployment, might be more restrictive than necessary—and it has not yet been integrated into real EUDI data formats. This master project takes up these two open challenges.

     

    Your Tasks

    The exact scope will depend on the size and interests of the group.

    • Formalise a multi-show security model for deniable signed credentials
    • Design and formally analyse constructions that satisfy the requirements of the model, in particular, that allow the reuse of (ECDSA) signatures without losing deniability
    • Integrate deniable presentations into the EUDI data formats and protocol flows 
    • Demonstrate real-world feasibility through a proof-of-concept implementation and a performance evaluation.

     

    For more information on our project, see our project description or poster

    The deniable ECDSA construction is sketched here