**[Sep 3: Lecture 1]**

Introduction and overview. Private-key cryptography. The syntax of private-key encryption. The shift cipher. **Reading:** Sections 1.1, 1.2, and 1.3 (through page 11).

**[Sep 5: Lecture 2]**

Historical encryption schemes and their cryptanalysis. **Reading:** Section 1.3.

**[Sep 8: Lecture 3]**

Historical encryption schemes and their cryptanalysis. Modern cryptography: definitions, assumptions, and proofs. **Reading:** Sections 1.3 and 1.4.

**[Sep 10: Lecture 4]**

Modern cryptography: definitions, assumptions, and proofs. Defining perfectly secret encryption. **Reading:** Sections 1.4 and 2.1.

**[Sep 12: Lecture 5]**

Perfect secrecy and the one-time pad. Limitations of the one-time pad. **Reading:** Section 2.2.

**[Sep 15: Lecture 6]**

Limitations of perfect secrecy. Toward computational notions of security. **Reading:** Sections 2.3, 3.1.1, and 3.1.2.

**[Sep 17: Lecture 7]**

A computational notion of secrecy. **Reading:** Sections 3.1.1, 3.1.2, and 3.2.1.

**[Sep 19: Lecture 8]**

Pseudorandom generators. Proofs by reduction. Non-trivial encryption from any pseudorandom generator. **Reading:** Sections 3.3, 3.1.3, and 3.4.1.

**[Sep 22: Lecture 9]**

Proof of security for the pseudo-OTP. Stronger notions of security: multiple encryptions and chosen-plaintext attacks. Drawbacks of deterministic encryption. **Reading:** Sections 3.4.3 and 3.5.

**[Sep 24: Lecture 10]**

Formally defining CPA-security. Pseudorandom functions. **Reading:** Sections 3.6.1 and 3.6.3.

**[Sep 26]**

Class cancelled due to Rosh Hashanah.

**[Sep 29: Lecture 11]**

Pseudorandom functions/permutations and block ciphers. CPA-security from pseudorandom functions. **Reading:** Sections 3.6.1 and 3.6.3.

**[Oct 1: Lecture 12]**

CPA-security from pseudorandom functions. **Reading:** Section 3.6.2.

**[Oct 3: Lecture 13]**

Stream-cipher and block-cipher modes of operation. **Reading:** Sections 3.4.3 and 3.6.4. (Some of the material on stream ciphers is not in the book.)

For a graphical demonstration of why ECB mode is bad, see here

**[Oct 6: Lecture 14]**

Block-cipher modes of operation. Security against chosen-ciphertext attacks. **Reading:** Sections 3.6.4 and 3.7.

**[Oct 8: Lecture 15]**

CCA-security. Padding-oracle attacks. **Reading:** Section 3.7. (The material on padding-oracle attacks is not in the book, but you can find descriptions on the web, e.g., here.)

**[Oct 10: Lecture 16]**

Integrity and message authentication codes (MACs). Defining security for MACs. **Reading:** Sections 4.1-4.3.

**[Oct 13: Lecture 17]**

A fixed-length MAC. MACs for arbitrary-length messages. **Reading:** Section 4.4.

**[Oct 15: Lecture 18]**

MACs for arbitrary-length messages. CBC-MAC. **Reading:** Sections 4.4 and 4.5.

**[Oct 17: Midterm exam]**

The exam will be on any material covered in class through Oct. 10.

**[Oct 20: Lecture 19]**

CCA-security, authenticated encryption, and generic constructions. Secure communication sessions. **Reading:** Section 4.9. (The material on secure communication sessions is not in the book.)

**[Oct 22: Lecture 20]**

Secure communication sessions. Hash functions and collision resistance. Exam review. **Reading:** Sections 4.6.1 and 4.6.3.

**[Oct 24: Lecture 21]**

Birthday attacks on hash functions. HMAC. **Reading:** Section 4.6.5. (HMAC is covered in Section 4.7, but we will cover it in less detail in class. The material on additional applications of hash functions is not in the book.)

**[Oct 27: Lecture 22]**

Hash functions in practice. The random-oracle model, and additional applications of hash functions. **Reading:** Section 13.1.

**[Oct 29: Lecture 23]**

Practical constructions of stream ciphers. LFSRs. Adding non-linearity to LFSRs. **Reading:** This material is not in the book.

**[Oct 31: Lecture 24]**

Trivium and RC4. **Reading:** This material is not in the book.

**[Nov 3: Lecture 25]**

Practical constructions of block ciphers. Substitution-permutation networks (SPNs). Attacks on reduced-round SPNs. **Reading:** Section 5.1.

**[Nov 5: Lecture 26]**

Attacks on reduced-round SPNs. Feistel networks. **Reading:** Section 5.2.

**[Nov 7: Lecture 27]**

The Data Encryption Standard (DES). 2DES and triple-DES. Meet-in-the-middle attacks. **Reading:** Sections 5.3 and 5.4.

**[Nov 10: Lecture 28]**

AES. Practical constructions of hash functions. **Reading:** Sections 5.5 and 4.6.4. The material on designing compression functions is not in the book.

**[Nov 12: Lecture 29]**

Basic number theory and algorithmic number theory. **Reading:** Sections 7.1.1 and 7.1.2 and Appendices B.1, B.2.1, B.2.2, and B.2.3.

**[Nov 14: Lecture 30]**

Modular arithmetic and efficient algorithms. Group theory. **Reading:** Section 7.1.3.

**[Nov 17: Lecture 31]**

Group theory. **Reading:** Section 7.1.4.

**[Nov 19: Lecture 32]**

The factoring and RSA assumptions. **Reading:** Sections 7.2.1, 7.2.3, and 7.2.4.

**[Nov 21: Lecture 33]**

Hardness assumptions in cyclic groups: the discrete-logarithm assumption. **Reading:** Sections 7.3.1 and 7.3.2.

**[Nov 24: Lecture 34]**

The Diffie-Hellman problems. Drawbacks of private-key cryptography. **Reading:** Sections 7.3.2, 7.3.3, and 9.1.

**[Nov 26: Lecture 35]**

The Diffie-Hellman key-exchange protocol, and how it addresses the drawbacks of private-key cryptography. The public-key setting. **Reading:** Sections 9.3 and 9.4.

**[Dec 1: Lecture 36]**

Public-key encryption: syntax and definitions of security. **Reading:** Sections 10.1, 10.2.1, 10.2.2, and 10.6.

**[Dec 3: Lecture 37]**

Hybrid encryption. El Gamal encryption. **Reading:** Sections 10.3 and 10.5.

**[Dec 5: Lecture 38]**

RSA-based encryption. Padded RSA (PKCS #1 v1.5). Chosen-ciphertext attacks on El Gamal and RSA encryption. **Reading:** Sections 10.4 and 10.6.

**[Dec 8: Lecture 39]**

Digital signatures. The hash-and-sign paradigm. **Reading:** Sections 12.1, 12.2, and 12.4.

**[Dec 10: Lecture 40]**

RSA-based signatures. DSA and ECDSA. **Reading:** Sections 12.3 and 12.7.

**[Dec 12: Lecture 41]**

Certificates and public-key infrastructures. SSL/TLS. Final review. **Reading:** Section 12.8.

**[Dec 19, 8-10AM: Final Exam]**