**[Jan 24: Lecture 1]**(slides)

Introduction and overview. Private-key cryptography. The syntax of private-key encryption. The shift cipher.**Reading:**Sections 1.1-1.3.

**[Jan 29: Lecture 2]**(slides)

ASCII, hex, and the ASCII shift cipher. Elementary cryptanalysis and frequency analysis. The Vigenere cipher.**Reading:**Sections 1.3 and 1.4. (Note: The ASCII shift/Vigenere ciphers are not covered in the book.)

**[Jan 31: Lecture 3]**(slides)

Modern cryptography: definitions, assumptions, and proofs. Perfect secrecy. The one-time pad.**Reading:**Sections 1.4, 2.1, and 2.2.

**[Feb 5: Lecture 4]**(slides)

Proving security of the one-time pad. Randomness generation and implementing the one-time pad. Limitations of perfect secrecy. Toward computational notions of security.**Reading:**Sections 2.2, 2.3, and 3.1.

**[Feb 7: Lecture 5]**(slides)

A computational notion of security. Pseudorandomness and pseudorandom generators.**Reading:**Sections 3.1, 3.2.1, and 3.3.1.

**[Feb 12: Lecture 6]**(slides)

Pseudorandom generators and stream ciphers. The pseudo-OTP. Proofs by reduction, and a proof of security for the pseudo-OTP. Security for multiple encryptions. Drawbacks of deterministic encryption.**Reading:**Sections 3.3.1-3.3.3 and 3.4.1.

**[Feb 14: Lecture 7]**(slides)

Chosen-plaintext attacks and CPA-security. Pseudorandom functions.**Reading:**Sections 3.4.2 and 3.5.1.

**[Feb 19: Lecture 8]**(slides)

Pseudorandom permutations and block ciphers. CPA-security from pseudorandom functions. Encrypting arbitrary-length messages: block-cipher modes of operation.**Reading:**Section 3.5.2 and 3.6.2.

**[Feb 21: Lecture 9]**(slides)

Stream ciphers and stream-cipher modes of operation. Chosen-ciphertext attacks. Security against chosen-ciphertext attacks. Padding-oracle attacks.**Reading:**Sections 3.6.1, 3.7.1, and 3.7.2.

**[Feb 26: Lecture 10]**(slides)

Padding-oracle attacks. Message integrity and message authentication codes (MACs). Defining security for MACs. A fixed-length MAC.**Reading:**Sections 4.1 and 4.2.

**[Feb 28: Lecture 11]**(slides)

A fixed-length MAC (continued). MACs for arbitrary-length messages. CBC-MAC.**Reading:**Sections 4.3 and 4.4.1.

**[Mar 5: Lecture 12]**(slides)

Exam review. Authenticated encryption and generic constructions. Secure sessions.**Reading:**Sections 4.5.1-4.5.4.

**[Mar 7: Midterm]**(Note: the exam will be in both the regular class room as well as ESJ 1224)

The exam will be on any material covered in class through Feb 28. The exam is open-book/open-notes, but no electronic devices will be allowed.

**[Mar 12: Lecture 13]**(slides)

Hash functions and collision resistance. Birthday attacks on hash functions. Hash-and-Mac, HMAC. Additional applications of hash functions.**Reading:**Sections 5.1.1, 5.3.1, 5.4.1, and 5.6.1.

**[Mar 14: Lecture 14]**(slides)

Additional applications of hash functions. Exam review.**Reading:**Sections 5.6.2-5.6.4.

**[Mar 26: Lecture 15]**(slides)

Practical constructions of stream ciphers. LFSRs. Adding non-linearity to LFSRs. Trivium.**Reading:**Section 6.1.1-6.1.3. (The exam will not cover Section 6.1.3.)

**[Mar 28: Lecture 16]**(slides)

RC4. Case study: vulnerabilities in WEP. Practical constructions of block ciphers. Confusion/diffusion. Substitution-permutation networks (SPNs).**Reading:**Sections 6.1.4 and 6.2.1. (The exam will not cover Section 6.1.4. The material on WEP is not in the book.)

**[Apr 2: Lecture 17]**(slides)

Substitution-permutation networks (SPNs). Attacks on reduced-round SPNs.**Reading:**Section 6.2.1.

**[Apr 4: Lecture 18]**(slides)

Feistel networks. The Data Encryption Standard (DES). 2DES and triple-DES. Meet-in-the-middle attacks.**Reading:**Sections 6.2.2, 6.2.3, and 6.2.4.

**[Apr 9: Lecture 19]**(slides)

The Advanced Encryption Standard (AES). The random-oracle model. Practical constructions of hash functions: the Davies-Meyer and Merkle-Damgard constructions.**Reading:**Sections 6.2.5, 6.3.1, 5.2, and 5.5.

**[Apr 11: Lecture 20]**(slides)

Basic number theory and algorithmic number theory. Modular arithmetic and efficient algorithms. Efficient exponentiation.**Reading:**Sections 8.1.1 and 8.1.2; Appendices B.1 and B.2.1-B.2.3.

**[Apr 16: Lecture 21]**(slides)

Group theory.**Reading:**Sections 8.1.3 and 8.1.4.

**[Apr 18: Lecture 22]**(slides)

The factoring assumption. Primaily testing. The RSA assumption.**Reading:**Sections 8.2.1, 8.2.3, and 8.2.4.

**[Apr 23: Lecture 23]**(slides)

Cyclic groups. Hardness assumptions in cyclic groups: the discrete-logarithm assumption and Diffie-Hellman problems.**Reading:**Sections 8.3.1-8.3.3.

**[Apr 25: Lecture 24]**(slides)

Concrete parameters. Drawbacks of private-key cryptography. The Diffie-Hellman key-exchange protocol and the public-key setting. Public-key encryption: syntax and definitions of security.**Reading:**Sections 9.3, 10.1, 10.3, 10.4, and 11.1.

**[Apr 30: Guest Lecture]**(slides)

Special topic: secret sharing.

**[May 2: Lecture 25]**(slides)

Definitions of security for public-key encryption. Hybrid encryption and the KEM/DEM paradigm. El Gamal encryption.**Reading:**Sections 11.2 (but not the proof of Theorem 11.6), 11.3 (but not the proof of Theorem 11.12), 11.4.1, 11.4.2, and 11.4.4 (just the fact that El Gamal encryption is malleable).

**[May 7: Lecture 26]**(slides)

RSA-based encryption. Padded RSA (PKCS #1 v1.5). PKCS #1 v2. Digital signatures.**Reading:**Sections 11.5.1 (through page 412), 11.5.2, 11.5.4, and 12.1.

**[May 9: Lecture 27]**(slides)

The hash-and-sign paradigm. RSA-based signatures. DSA. Certificates and public-key infrastructures.**Reading:**Sections 12.2-12.4 and 12.7.

**[May 16: Final Exam]**1:30-3:30 PM

The final exam will be held in ESJ 2208,**not**the regular classroom.