**[Aug 29: Lecture 1]**

Introduction and overview. Private-key cryptography. The syntax of private-key encryption. The shift cipher. **Reading:** Sections 1.1-1.3.

**[Aug 31: Lecture 2]**

ASCII, hex, and the ASCII shift cipher. Elementary cryptanalysis. **Reading:** Section 1.3. (Note: The ASCII shift cipher is not covered in the book.)

**[Sept 2: Lecture 3]**

The substitution cipher. Basic cryptanalysis using frequency analysis. The Vigenère cipher and further cryptanalysis. **Reading:** Sections 1.3 and 1.4.

**[Sept 7: Lecture 4]**

Modern cryptography: definitions, assumptions, and proofs. Toward a definition of perfect secrecy. **Reading:** Section 2.1.

**[Sept 9: Lecture 5]**

Perfect secrecy. The one-time pad. Randomness generation and implementing the one-time pad. **Reading:** Sections 2.2 and 2.3.

**[Sept 12: Lecture 6]**

Limitations of perfect secrecy and the one-time pad. Toward computational notions of security. **Reading:** Section 2.3.

**[Sept 14: Lecture 7]**

A computational notion of security. **Reading:** Sections 3.1 and 3.2.1.

**[Sept 16: Lecture 8]**

Pseudorandomness and pseudorandom generators. **Reading:** Section 3.3.1.

**[Sept 19: Lecture 9]**

The pseudo-OTP. Proofs by reduction, and a proof of security for the pseudo-OTP. Stream ciphers. Security for multiple encryptions. Drawbacks of deterministic encryption. **Reading:** Sections 3.3.2, 3.3.3, and 3.4.1. Please also read the part about stream ciphers on pages 64-65 even though we did not cover it yet in class.

**[Sept 21: Lecture 10]**

Chosen-plaintext attacks and CPA-security. Pseudorandom functions. **Reading:** Sections 3.4.2 and 3.5.1.

**[Sept 23: Lecture 11]**

Pseudorandom permutations and block ciphers. CPA-security from pseudorandom functions. **Reading:** Section 3.5.2.

**[Sept 26: Lecture 12]**

CPA-security from pseudorandom functions. Encrypting arbitrary-length messages: block-cipher modes of operation. **Reading:** Section 3.6.2.

**[Sept 28: Lecture 13]**

Stream-cipher modes of operation. Chosen-ciphertext attacks. **Reading:** Sections 3.3.1, 3.6.1, and 3.7.1.

**[Sept 30: Lecture 14]**

Security against chosen-ciphertext attacks. Padding-oracle attacks. **Reading:** Section 3.7.2.

**[Oct 3: Lecture 15]**

Message integrity and message authentication codes (MACs). Defining security for MACs.

The lecture will be given by a graduate student. A pre-recorded lecture covering the same material is available here. **Reading:** Sections 4.1 and 4.2.

**[Oct 5: Lecture 16]**

A fixed-length MAC. MACs for arbitrary-length messages. **Reading:** Section 4.3.

**[Oct 7: Lecture 17]**

CBC-MAC. **Reading:** Section 4.4.1.

**[Oct 10: Midterm I]**

The exam will be on any material covered in class through Oct 7. The exam is open-book/open-notes, but no electronic devices will be allowed.

**[Oct 12: Lecture 18]**

Authenticated encryption and generic constructions.

The lecture will be given by a graduate student. A pre-recorded lecture covering the same material is available here. **Reading:** Sections 4.5.1 and 4.5.2.

**[Oct 14: Lecture 19]**

Midterm review. Secure communication sessions. **Reading:** Section 4.5.3.

**[Oct 17: Lecture 20]**

Hash functions and collision resistance. Birthday attacks on hash functions. Hash-and-MAC, HMAC.

The lecture will be given by a colleague. A pre-recorded lecture covering (mostly) the same material is available here. **Reading:** Sections 5.1.1, 5.3.1, and 5.4.1.

**[Oct 19: Lecture 21]**

Hash-and-MAC, HMAC. Additional applications of hash functions. **Reading:** Sections 5.3.1, 5.6.1, and 5.6.2.

**[Oct 21: Lecture 22]**

Practical constructions of stream ciphers. LFSRs. **Reading:** Section 6.1.1.

**[Oct 24: Lecture 23]**

The random-oracle model and some applications.

The lecture will be given by a graduate student, but no video will be available. **Reading:** Sections 5.5 and 5.6.4.

**[Oct 26: Lecture 24]**

Adding non-linearity to LFSRs. Trivium and RC4. **Reading:** Sections 6.1.2-6.1.4. (The exam will not cover Sections 6.1.3 and 6.1.4.)

**[Oct 28: Lecture 25]**

Practical constructions of block ciphers. Confusion/diffusion. **Reading:** Section 6.2.1.

**[Oct 31: Lecture 26]**

Substitution-permutation networks (SPNs). Attacks on reduced-round SPNs. **Reading:** Section 6.2.1.

**[Nov 2: Lecture 27]**

Feistel networks. The Data Encryption Standard (DES). **Reading:** Sections 6.2.2 and 6.2.3.

**[Nov 4: Lecture 28]**

2DES and triple-DES. Meet-in-the-middle attacks. The Advanced Encryption Standard (AES). **Reading:** Sections 6.2.4 and 6.2.5.

**[Nov 7: Lecture 29]**

Basic number theory and algorithmic number theory. Modular arithmetic and efficient algorithms. **Reading:** Section 8.1.1 and Appendices B.1 and B.2.1.

**[Nov 9: Lecture 30]**

Modular arithmetic. Efficient exponentiation. **Reading:** Section 8.1.2 and Appendices B.2.2 and B.2.3.

**[Nov 11: Lecture 31]**

Group theory. **Reading:** Sections 8.1.3 and 8.1.4.

**[Nov 14: Lecture 32]**

Group theory. The factoring assumption. **Reading:** Sections 8.2.1 and 8.2.3.

**[Nov 16: Lecture 33]**

Primality testing. The RSA assumption. **Reading:** Section 8.2.4.

**[Nov 18: Midterm II]**

The exam will be on any material covered in class through Chapter 6. The exam is open-book/open-notes, but no electronic devices will be allowed.

**[Nov 21: Lecture 34]**

Cyclic groups. Hardness assumptions in cyclic groups: the discrete-logarithm assumption. **Reading:** Sections 8.3.1-8.3.3.

**[Nov 28: Lecture 35]**

Hardness assumptions in cyclic groups: the Diffie-Hellman problems. Drawbacks of private-key cryptography. **Reading:** Sections 10.1, 10.3, and 10.4.

**[Nov 30: Lecture 36]**

The Diffie-Hellman key-exchange protocol. The public-key setting. Public-key encryption: syntax and definitions of security. Hybrid encryption. **Reading:** Sections 11.1, 11.2 (but not the proof of Theorem 11.6), and 11.3 (but not the proof of Theorem 11.12).

**[Dec 2: Lecture 37]**

El Gamal encryption. **Reading:** Sections 11.4.1 and 11.4.4 (just the fact that El Gamal encryption is malleable).

**[Dec 5: Lecture 38]**

The random-oracle model. RSA-based encryption. Padded RSA (PKCS #1 v1.5). Chosen-ciphertext attacks on El Gamal and RSA encryption. PKCS #1 v2. **Reading:** Sections 5.5, 11.5.1 (through page 412), 11.5.2, and 11.5.4.

**[Dec 7: Lecture 39]**

Digital signatures. The hash-and-sign paradigm. RSA-based signatures. DSA. **Reading:** Sections 12.1-12.4.

**[Dec 9: Lecture 40]**

Certificates and public-key infrastructures. **Reading:** Section 12.7.

**[Dec 12: Lecture 41]**

SSL/TLS. Final review (time permitting). **Reading:** Section 12.8.

**[Dec 20: Final Exam]**

8-10 AM in CSIC 2117