**[Aug 29: Lecture 1]**

Introduction and overview. Basics of private-key encryption; some historical encryption schemes and their cryptanalysis. **Reading:** Sections 1.1, 1.2, and 1.3 (through page 11).

**[Aug 31: Lecture 2]**

Historical schemes and their cryptanalysis. **Reading:** Section 1.3.

**[Sep 5: Lecture 3]**

Defining secure encryption; perfect secrecy and the one-time pad. **Reading:** Sections 1.4, 2.1, and 2.2.

**[Sep 7: Lecture 4]**

Threat models for encryption; limits of perfectly secret encryption. Toward a computational notion of security. **Reading:** Sections 2.3, 2.5, and 3.1.1.

**[Sep 10: Lecture 5]**

A computational notion of security. Indistinguishability in the presence of an eavesdropper. **Reading:** Sections 3.1.2 and 3.2.1.

**[Sep 12: Lecture 6]**

Pseudorandomness and pseudorandom generators. Non-trivial encryption from any pseudorandom generator. **Reading:** Sections 3.3, 3.4.1, and 3.1.3.

**[Sep 14: Lecture 7]**

Proof of security for the "pseudo one-time-pad" scheme. Security against chosen-plaintext attacks. **Reading:** Sections 3.1.3, 3.4.1, 3.4.2, and 3.5.

**[Sep 17: Lecture 8]** (TA lecture)

Pseudorandom functions. **Reading:** Section 3.6.1.

**[Sep 19: Lecture 9]**

Pseudorandom functions and permutations/block ciphers. Application to CPA-secure encryption. **Reading:** Sections 3.6.1, 3.6.2, and 3.6.3.

**[Sep 21: Lecture 10]**

Proof of security for CPA-secure encryption. Encrypting arbitrary-length messages, modes of encryption. **Reading:** Sections 3.6.2 and 3.6.4.

**[Sep 24: Lecture 11]**

Modes of encryption (CBC-, OFB-, and CTR-mode). Chosen-ciphertext attacks and CCA-security. Padding-oracle attacks. Introduction to message integrity. **Reading:** Sections 3.6.4, 3.7, 4.1, and 4.2.

**[Sep 26: Lecture 12]** (TA lecture)

Message authentication codes, and a basic construction. **Reading:** Sections 4.3 and 4.4.

**[Sep 28: Lecture 13]**

Proof of security for the basic MAC. MACs for arbitrary-length messages. **Reading:** Section 4.4.

**[Oct 1: Lecture 14]** (TA lecture)

CBC-MAC. Authenticated encryption. **Reading:** Sections 4.4.1, 4.5.1, and 4.5.2 here

**[Oct 3: Lecture 15]**

Authenticated encryption and secure sessions. **Reading:** Sections 4.5.2 and 4.5.3 here

**[Oct 5: Lecture 16]**

Collision-resistant hash functions, HMAC. **Reading:** Sections 4.6.1, 4.6.2, and 4.7.1. (We mentioned HMAC but did not go into the details.)

**[Oct 8: Lecture 17]** (TA lecture)

Birthday attacks on hash functions. The Merkle-Damgard transform. **Reading:** Sections 4.6.3 (only the basic birthday attack) and 4.6.4.

**[Oct 10: Lecture 18]**

The Merkle-Damgard construction. Hash functions in practice. Constructing hash functions from block ciphers. **Reading:** Sections 4.6.4 and 4.6.5. (The material on constructing hash functions from block ciphers is not in the book.)

**[Oct 12: Lecture 19]**

Practical constructions of block ciphers. Substitution/permutation networks (SPNs), and the confusion/diffusion paradigm. **Reading:** Pages 159-167

**[Oct 15: Lecture 20]**

SPNs, the avalanche effect, and key-recovery attacks against 2-round SPNs. Feistel networks. **Reading:** Pages 167-172. (*Note:* the attack on a 2-round SPN given in class is different from the attack given in the book.)

**[Oct 17: Midterm exam]**

**[Oct 19: Lecture 21]**

Midterm review. Introduction to DES. **Reading:** page 173

**[Oct 22: Lecture 22]**

DES, attacks on reduced-round DES. **Reading:** Section 5.3

**[Oct 24: Lecture 23]**

Double and triple DES; AES. **Reading:** Sections 5.4 and 5.5

**[Oct 26: Lecture 24]**

From one-way functions to pseudorandom generators. **Reading:** Sections 6.1 and 6.2.

**[Oct 29: Lecture 25]**

(Cancelled due to storm)

**[Oct 31: Lecture 26]**

Introduction to algorithmic number theory. **Reading:** Sections 7.1.1 and 7.1.2; Appendices B.1, B.2.1, and B.2.2.

**[Nov 2: Lecture 27]**

Introduction to group theory. **Reading:** Appendix B.2.3; Section 7.1.3

**[Nov 5: Lecture 28]**

Primality testing and prime-number generation. **Reading:** Sections 7.1.4 and 7.2.1.

**[Nov 7: Lecture 29]**

The factoring and RSA assumptions. Cyclic groups. **Reading:** Sections 7.2.3, 7.2.4, and 7.3.1.

**[Nov 9: Lecture 30]**

Cyclic groups and the discrete-logarithm assumption. **Reading:** Sections 7.3.2 and 7.3.3.

(The following are *not required*, but are related to material we talked about in class: Section 7.3.4, Appendix B.3.)

**[Nov 12: Lecture 31]**

Cyclic groups and the Diffie-Hellman assumptions. **Reading:** Sections 7.3.2 and 7.3.3.

**[Nov 14: Lecture 32]**

Diffie-Hellman key exchange. **Reading:** Sections 7.3.2, 7.3.3, 9.1, 9.3, and 9.4.

**[Nov 16: Lecture 33]**

The public-key setting and public-key encryption. **Reading:** Sections 9.1, 9.3, 9.4, 10.1, and 10.2.

**[Nov 19: Lecture 34]**

Definitions of security for public-key encryption. El Gamal encryption. **Reading:** Sections 10.2 and 10.5.

**[Nov 21: Lecture 35]**

RSA encryption. **Reading:** Sections 10.4.1 and 10.4.3.

**[Nov 26: Lecture 36]**

Key lengths for public-key crypto. Hybrid encryption. **Reading:** Section 10.3.

**[Nov 28: Lecture 37]**

Chosen-ciphertext attacks and malleability. **Reading:** Section 10.6.

**[Nov 30: Lecture 38]**

Chosen-ciphertext attacks. Digital signature schemes. **Reading:** Sections 10.6 and 12.1.

**[Dec 3: Lecture 39]**

Signature schemes and definitions. Textbook RSA and padded RSA. **Reading:** Sections 12.2 and 12.3.

**[Dec 5: Lecture 40]**

DSS. The Lamport one-time signature scheme. **Reading:** Sections 12.7 and 12.5.

**[Dec 7: Lecture 41]**

The Hash-and-sign paradigm. Certificate authorities and PKI. **Reading:** Sections 12.4 and 12.8.

**[Dec 10: Lecture 42]**

Putting it all together: the SSL protocol. Course review.