**[Aug 30: Lecture 1]**

Introduction and overview. Basics of private-key encryption; some historical encryption schemes and their cryptanalysis.**Reading:**Sections 1.1, 1.2, and 1.3 (through page 14)

**[Sept 1: Lecture 2]**

Historical encryption schemes and their cryptanalysis. Principles of modern cryptography: definitions, assumptions, proofs. Perfect secrecy and the one-time pad encryption scheme.**Reading:**Sections 1.3, 1.4, 2.1, and 2.2

**[Sep 8: Lecture 3]**

Limitations of perfect secrecy. Perfect indistinguishability and its equivalence to perfect secrecy. Computational security.**Reading:**Sections 2.2, 2.3, 3.1.1, 3.1.2, and 3.2.1

**[Sep 13: Lecture 4]**

Computational security, examples. Pseudorandom generators.**Reading:**Sections 3.2.1 and 3.3

**[Sep 15: Lecture 5]**

From pseudorandom generators to secure encryption (with a key shorter than the message). Proofs by reduction. Pseudorandom functions.**Reading:**Sections 3.1.3, 3.4.1, and 3.6.1. (Note: although we did not cover it in class, please also read Sections 3.4.2 and 3.4.3.)

**[Sep 20: Lecture 6]**

Pseudorandom functions, block ciphers. Security for multiple encryptions and CPA-security. Importance of randomized encryption. A CPA-secure encryption scheme from any pseudorandom function.**Reading:**Sections 3.4.3, 3.5, 3.6.2, and 3.6.3.

**[Sep 22: Lecture 7]**

A CPA-secure encryption scheme from any pseudorandom function. Encrypting long messages; modes of encryption.**Reading:**Sections 3.6.3 and 3.6.4.

**[Sep 27: Lecture 8]**

Security against chosen-ciphertext attacks; non-malleability. Message integrity and message authentication codes.**Reading:**Sections 3.7, 4.1, 4.2, and 4.3.

**[Sep 29: Lecture 9]**

A message authentication code (MAC) for short messages. Extending it to handle long messages. CBC-MAC.**Reading:**Sections 4.4 and 4.5.

**[Oct 4: Lecture 10]**

Cryptographic hash functions; collision-resistance. "Hash-and-MAC" (HMAC).**Reading:**Sections 4.6.1, 4.6.2, and 4.7.1.

**[Oct 6: Lecture 11]**

Birthday attacks on hash functions. The Merkle-Damgard transformation. Hash functions in practice. CCA-secure private-key encryption.**Reading:**Sections 4.6.3-4.6.5, 4.8. (See also Appendix A.4 for a formal treatment of birthday attacks.)

Some more information about the ASP.NET vulnerability we discussed in class can be found here

**[Oct 11: Lecture 12]**

Secure message transmission: secure combination of encryption and message authentication. Block cipher design principles**Reading:**Sections 4.9 and 5.1.

**[Oct 13: Lecture 13]**

Block cipher design principles: substitution/permutation networks; Feistel networks.**Reading:**Sections 5.1 and 5.2.

**[Oct 18: Lecture 14]**

DES, triple-DES, and AES.**Reading:**Sections 5.3-5.5.

**[Oct 20: Midterm Exam]**

**[Oct 25: Lecture 15]**

Midterm review. One-way functions and using them to construct pseudorandom generators.**Reading:**Sections 6.1, 6.2, and 6.4.

**[Oct 27: Lecture 16]**

Introduction to number theory. Primes, divisibility, modular arithmetic, efficient modular exponentiation.**Reading:**Sections 7.1.1, 7.1.2, B.1, B.2.1-B.2.3.

**[Nov 1: Lecture 17]**

Introduction to group theory, Z_N, and Z*_N.**Reading:**Sections 7.1.3 and 7.1.4.

**[Nov 3: Lecture 18]**

Primes, the factoring assumption, and the RSA problem.**Reading:**Section 7.2 (except 7.2.2)

**[Nov 8: Lecture 19]**

Cyclic groups, generators. (25 minute lecture due to Odlyzko's colloquium talk.)**Reading:**Section 7.3.1

**[Nov 10: Lecture 20]**

The discrete logarithm and Diffie-Hellman problems. The public-key revolution.**Reading:**Sections 7.3.2, 7.3.3, 9.1, and 9.3.

**[Nov 15: Lecture 21]**

Diffie-Hellman key exchange. Introduction to public-key encryption.**Reading:**Sections 9.4, 10.1, and 10.2.

**[Nov 17: Lecture 22]**

(Guest lecture by Seung Geol Choi.) Hybrid encryption. RSA encryption.**Reading:**Sections 10.3 and 10.4.

**[Nov 22: Lecture 23]**

(Guest lecture by Prof. Bill Gasarch.) Private information retrieval.**Reading:**None.

**[Nov 24: Lecture 24]**

Hybrid encryption; "textbook RSA" encryption and why it should not be used; padded RSA. El Gamal encryption.**Reading:**Sections 10.3, 10.4, and 10.5.

**[Nov 29: Lecture 25]**

Chosen-ciphertext security for public-key encryption. Digital signature schemes.**Reading:**Sections 10.6, 12.1, and 12.2.

**[Dec 1: Lecture 26]**

"Textbook RSA" signatures and why they are insecure. Hash-and-sign; hashed RSA. Lamport's one-time signature scheme and chain-based signatures.**Reading:**Sections 12.3, 12.4, 12.5, and 12.6.1

**[Dec 6: Lecture 27]**

Stateful signature schemes. Chain-based and tree-based signature schemes. Certificates and public-key infrastructures.**Reading:**Sections 12.6 and 12.8.

**[Dec 8: Lecture 28]**

Course review**Reading:**Here are the slides from class