**[Jan 25: Cancelled due to snow]**

**[Jan 27: Lecture 1]**

Introduction and overview. Private-key cryptography. The syntax of private-key encryption. The shift cipher. **Reading:** Sections 1.1-1.3.

**[Jan 29: Lecture 2]**

ASCII, hex, and the ASCII shift cipher. Basic cryptanalysis using frequency analysis. **Reading:** Section 1.3. (Note: please read about the substitution cipher even though we did not cover it in class.)

**[Feb 1: Lecture 3]**

The Vigenere cipher and further cryptanalysis. Modern cryptography: definitions, assumptions, and proofs. **Reading:** Sections 1.3 and 1.4.

**[Feb 3: Lecture 4]**

Perfect secrecy. **Reading:** Section 2.1.

**[Feb 5: Lecture 5]**

The one-time pad and its limitations. Generating high-quality randomness. **Reading:** Sections 2.2 and 2.3.

**[Feb 8: Lecture 6]**

Limitations of perfect secrecy. Toward computational notions of security. A computational notion of secrecy. **Reading:** Sections 2.3, 3.1, and 3.2.1.

**[Feb 10: Lecture 7]**

Pseudorandomness. **Reading:** Section 3.3.1.

**[Feb 12: Lecture 8]**

Pseudorandom generators. The pseudo-OTP: Non-trivial encryption from any pseudorandom generator. Proofs by reduction. Proof of security for the pseudo-OTP. **Reading:** Section 3.3.

**[Feb 15: Cancelled due to snow]**

**[Feb 17: Lecture 9]**

Stream ciphers. Security for multiple encryptions. **Reading:** Sections 3.3 and 3.4.1.

**[Feb 19: Lecture 10]**

Drawbacks of deterministic encryption. Chosen-plaintext attacks. Pseudorandom functions. **Reading:** Sections 3.4.2 and 3.5.1.

**[Feb 22: Lecture 11]**

Pseudorandom permutations and block ciphers. CPA-security from pseudorandom functions. **Reading:** Section 3.5.2.

**[Feb 24: Lecture 12]**

CPA-security from pseudorandom functions. Encrypting arbitrary-length messages. **Reading:** Section 3.6.

**[Feb 26: Lecture 13]**

Stream-cipher and block-cipher modes of operation. **Reading:** Section 3.6.

**[Feb 29: Lecture 14]**

Security against chosen-ciphertext attacks. Padding-oracle attacks. **Reading:** Section 3.7.

**[Mar 2: Lecture 15]**

Padding-oracle attacks. Message integrity and message authentication codes (MACs). **Reading:** Section 4.1.

**[Mar 4: Lecture 16]**

Defining security for MACs. A fixed-length MAC. MACs for arbitrary-length messages. **Reading:** Sections 4.2 and 4.3.

**[Mar 7: Lecture 17]**

CBC-MAC. **Reading:** Section 4.4.1.

**[Mar 9: Midterm]**

The exam will be on any material covered in class through Mar 4. The exam is open-book/open-notes.

**[Mar 11: Lecture 18]**

Authenticated encryption and generic constructions. **Reading:** Sections 4.5.1 and 4.5.2.

**[Mar 21: Lecture 19]**

Authenticated encryption. The encrypt-then-authenticate construction. Secure communication sessions. Exam review. **Reading:** Sections 4.5.3 and 4.5.4.

**[Mar 23: Lecture 20]**

Hash functions and collision resistance. Hash-and-MAC, HMAC. Birthday attacks on hash functions. **Reading:** Sections 5.1, 5.3.1, and 5.4.1.

**[Mar 25: Lecture 21]**

Additional applications of hash functions. The random-oracle model. **Reading:** Sections 5.5, 5.6.1-5.6.4.

**[Mar 28: Lecture 22]**

Practical constructions of stream ciphers. LFSRs. Adding non-linearity to LFSRs. Trivium. **Reading:** Sections 6.1.1-6.1.3.

**[Mar 30: Lecture 23]**

Practical constructions of block ciphers. Substitution-permutation networks (SPNs). Attacks on reduced-round SPNs. **Reading:** Section 6.2.1.

**[Apr 1: Lecture 24]**

Attacks on reduced-round SPNs. Feistel networks. **Reading:** Section 6.2.2.

**[Apr 4: Lecture 25]**

The Data Encryption Standard (DES). **Reading:** Section 6.2.3.

**[Apr 6: Lecture 26]**

2DES and triple-DES. Meet-in-the-middle attacks. **Reading:** Section 6.2.4.

**[Apr 8: Lecture 27]**

AES. Practical constructions of hash functions. The Merkle-Damgard transform. **Reading:** Sections 6.2.5, 6.3.1, and 5.2.

**[Apr 11: Lecture 28]**

Basic number theory and algorithmic number theory. **Reading:** Section 8.1.1 and Appendices B.1, B.2.1-B.2.3.

**[Apr 13: Lecture 29]**

Modular arithmetic and efficient algorithms. **Reading:** Section 8.1.2.

**[Apr 15: Lecture 30]**

Group theory. **Reading:** Sections 8.1.3 and 8.1.4.

**[Apr 18: Lecture 31]**

Group theory. **Reading:** Sections 8.1.3 and 8.1.4.

**[Apr 20: Lecture 32]**

The factoring assumption. **Reading:** Sections 8.2.1 and 8.2.3.

**[Apr 22: Lecture 33]**

The factoring and RSA assumptions. **Reading:** Sections 8.2.3 and 8.2.4.

**[Apr 25: Lecture 34]**

Cyclic groups. Hardness assumptions in cyclic groups: the discrete-logarithm assumption. **Reading:** Sections 8.3.1-8.3.3.

**[Apr 27: Lecture 35]**

The decisional Diffie-Hellman problem. Drawbacks of private-key cryptography. The Diffie-Hellman key-exchange protocol, and how it addresses these drawbacks. The public-key setting. **Reading:** Sections 10.1, 10.3, and 10.4.

**[Apr 29: Lecture 36]**

Public-key encryption: syntax and definitions of security. The KEM/DEM paradigm and hybrid encryption. **Reading:** Sections 11.1, 11.2 (but not 11.2.2), and 11.3 (but not the proof of Theorem 11.12).

**[May 2: Lecture 37]**

Hybrid encryption. El Gamal encryption. **Reading:** Sections 11.4.1 and the beginning of 11.4.4 (the fact that El Gamal encryption is malleable).

**[May 4: Lecture 38]**

RSA-based encryption. Padded RSA (PKCS #1 v1.5). Digital signatures. **Reading:** Sections 11.5.1 (through page 412), 11.5.2, 11.5.4, and 12.1.

**[May 6: Lecture 39]**

Digital signatures. The hash-and-sign paradigm. RSA-based signatures. **Reading:** Sections 12.2, 12.3, and 12.4.

**[May 9: Lecture 40]**

Final review. Certificates and public-key infrastructures. SSL/TLS. **Reading:** Sections 12.7 and 12.8.

**[May 18, 8:00-10:00: Final Exam]** in CSIC 2117