**[Sep 4: Lecture 1]**

Introduction and overview. Private-key cryptography. The syntax of private-key encryption. The shift cipher.**Reading:**Sections 1.1, 1.2, and 1.3 (through page 11).

**[Sep 6]**

Class cancelled due to Rosh Hashanah.

**[Sep 9: Lecture 2]**

Some historical encryption schemes and their cryptanalysis.**Reading:**Section 1.3.

**[Sep 11: Lecture 3]**

More historical encryption schemes and their cryptanalysis. Modern cryptography.**Reading:**Sections 1.3 and 1.4.

**[Sep 13: Lecture 4]**

Modern cryptography: definitions, assumptions, and proofs. Defining perfectly secret encryption.**Reading:**Sections 1.2, 1.4, and 2.1.

**[Sep 16: Lecture 5]**

Perfect secrecy and the one-time pad. Limitations of perfect secrecy. Toward a computational notion of secrecy.**Reading:**Sections 2.2 and 2.3.

**[Sep 18: Lecture 6]**

HW1 review. A computational notion of secrecy.**Reading:**Sections 3.1.1, 3.1.2, and 3.2.1. (See also the same sections in the second edition.)

**[Sep 20: Lecture 7]**(TA lecture)

Computational notions of security.**Reading:**Sections 3.1.1, 3.1.2, and 3.2.1. (See also the same sections in the second edition.)

**[Sep 23: Lecture 8]**

A computational notion of security. Pseudorandom generators.**Reading:**Sections 3.2.1 and 3.3 in the first edition. (See also Sections 3.2.1 and 3.3.1 in the second edition.)

**[Sep 25: Lecture 9]**

Pseudorandom generators and stream ciphers. Non-trivial encryption from any pseudorandom generator.**Reading:**Sections 3.1.3, 3.3, and 3.4.1 in the first edition. (Section 3.1.3 plus all of Section 3.3 in the second edition, though we did not yet talk about stream ciphers.)

**[Sep 27: Lecture 10]**(TA lecture)

Stronger notions of security for encryption.**Reading:**Sections 3.4.3 and 3.5 in the first edition. (Section 3.4 in the second edition.)

**[Sep 30: Lecture 11]**

CPA-security; impossibility of CPA-security for deterministic encryption schemes. Pseudorandom functions.**Reading:**Sections 3.5 and 3.6.1 in the first edition. (Sections 3.4 and 3.5.1 in the second edition.)

**[Oct 2: Lecture 12]**

Pseudorandom functions: definitions and (counter-)examples.**Reading:**Section 3.6.1 in the first edition. (Section 3.5.1 in the second edition.)

**[Oct 4: Lecture 13]**

Pseudorandom permutations and block ciphers. CPA-security from pseudorandom functions.**Reading:**Sections 3.6.2 and 3.6.3 in the first edition. (Sections 3.5.1 and 3.5.2 in the second edition.)

**[Oct 7: Lecture 14]**

Proving CPA-security. Modes of encryption.**Reading:**Section 3.6.4 in the first edition. (Section 3.6.2 in the second edition.)

**[Oct 9: Lecture 15]**

CCA security and malleability. Integrity and message authentication codes.**Reading:**Section 3.7 in the first edition. (Section 3.7.1 in the second edition.) Sections 4.1, 4.2, and 4.3.

**[Oct 11: Lecture 16]**

Defining security for message authentication codes. Constructing a secure MAC for short messages. Toward MACs for arbitrary length messages.**Reading:**Sections 4.3 and 4.4.

**[Oct 14: Lecture 17]**

MACs for arbitrary-length messages. CBC-MAC. Authenticated encryption.**Reading:**Sections 4.4 and 4.5 from the first edition. Section 4.5.1 from the second edition.

**[Oct 16: Lecture 18]**

Authenticated encryption. Hash functions.**Reading:**Sections 4.5.1 and 4.5.2 from the second edition. Sections 4.6.1, 4.6.3, and 4.6.5 from the first edition.

**[Oct 18: Lecture 19]**

Hash functions and birthday attacks. Hash-and-MAC. HMAC.**Reading:**Sections 4.6.1, 4.6.3, and 4.6.5 from the first edition.

**[Oct 21: Lecture 20]**

Exam review.

**[Oct 23: Midterm exam]**

**[Oct 25: Lecture 21]**

Practical constructions of pseudorandom generators: stream ciphers. LFSRs.**Reading:**second edition, Sections 6.1.1 and 6.1.2.

**[Oct 28: Lecture 22]**

Stream ciphers. Adding non-linearity to LFSRs. Trivium and RC4.**Reading:**second edition, Sections 6.1.2, 6.1.3, and 6.1.4 (but you are not responsible for the attacks on RC4).

**[Oct 30: Lecture 23]**

Exam review.

**[Nov 1: Lecture 24]**

Practical constructions of pseudorandom permutations: block ciphers. Substitution-permutation networks.**Reading:**second edition, Section 6.2.1.

**[Nov 4: Lecture 25]**

Substitution-permutation networks (SPNs). Attacks on reduced-round SPNs.**Reading:**second edition, Section 6.2.1.

**[Nov 6: Lecture 26]**

Feistel networks. The Data Encryption Standard (DES).**Reading:**second edition, Sections 6.2.2 and 6.2.3.

**[Nov 8: Lecture 27]**

2DES and triple-DES. Meet-in-the-middle attacks. AES.**Reading:**second edition, Sections 6.2.4 and 6.2.5.

**[Nov 11: Lecture 28]**

Basic number theory and algorithmic number theory.**Reading:**Section 7.1.1 and Appendix B.1.

**[Nov 13: Lecture 29]**

Modular arithmetic and efficient algorithms.**Reading:**Section 7.1.2 and Appendices B.2.1, B.2.2, and B.2.3.

**[Nov 15: Lecture 30]**

Group theory.**Reading:**Section 7.1.3.

**[Nov 18: Lecture 31]**

Group theory; factoring.**Reading:**Sections 7.1.4 and 7.2.1.

**[Nov 20: Lecture 32]**

The factoring and RSA assumptions. Cyclic groups.**Reading:**Sections 7.2.3, 7.2.4, and 7.3.1.

**[Nov 22: Lecture 33]**

Hardness assumptions in cyclic groups: the discrete-logarithm assumption.**Reading:**Sections 7.3.1 and 7.3.2.

**[Nov 25: Lecture 34]**

The Diffie-Hellman problems. Drawbacks of private-key cryptography, and the public-key setting.**Reading:**Sections 7.3.2, 7.3.3, 9.1, and 9.3.

**[Nov 27: Lecture 35]**

The Diffie-Hellman key-exchange protocol, and how it addresses the drawbacks of private-key cryptography.**Reading:**Section 9.4.

**[Dec 2: Lecture 36]**

The public-key setting. Public-key encryption: syntax and definitions of security.**Reading:**Sections 10.1 and 10.2.1.

**[Dec 4: Lecture 37]**

El Gamal encryption. "Textbook RSA" encryption and its insecurity.**Reading:**Sections 10.5 and 10.4.1.

**[Dec 6: Lecture 38]**

Padded RSA encryption. Hybrid encryption.**Reading:**Sections 10.4.3 and 10.3.

**[Dec 9: Lecture 39]**

Digital signatures. The "textbook RSA" signature scheme.**Reading:**Sections 12.1, 12.2, and 12.3.1.

**[Dec 11: Lecture 40]**

Hashed RSA. Certificate authorities and public-key infrastructure (PKI).**Reading:**Sections 12.3.1, 12.3.2, and 12.8. (**Optional:**See Section 13.3 for a proof of security for Hashed RSA.)

**[Dec 13: Lecture 41]**

Course review.

**[Dec 21: Final Exam]**