Readings refer to

**[Jan 29]**

Lecture canceled due to snow.

**[Jan 31: Lecture 1]** (slides)

Introduction and overview. Private-key cryptography. The syntax of private-key encryption. The shift cipher. **Reading:** Sections 1.1-1.3.

**[Feb 5: Lecture 2]** (slides (updated))

ASCII, hex, and the ASCII shift cipher. Elementary cryptanalysis and frequency analysis. The Vigenere cipher. **Reading:** Sections 1.3 and 1.4. (Note: The ASCII shift/Vigenere ciphers are not covered in the book.)

**[Feb 7: Lecture 3]** (slides)

Modern cryptography: definitions, assumptions, and proofs. Perfect secrecy. The one-time pad. Proving security of the one-time pad. **Reading:** Sections 1.4, 2.1, and 2.2.

**[Feb 12: Lecture 4]** (slides)

Randomness generation and implementing the one-time pad. Limitations of perfect secrecy. Toward computational notions of security. **Reading:** Sections 2.3, 3.1, and 3.2.1.

**[Feb 14: Lecture 5]** (slides)

A computational notion of security. Pseudorandomness and pseudorandom generators. **Reading:** Sections 3.2.1 and 3.3.1.

**[Feb 19: Lecture 6]** (slides)

The pseudo-OTP. Proofs by reduction, and a proof of security for the pseudo-OTP. Security for multiple encryptions. **Reading:** Sections 3.3.1-3.3.3 and 3.4.1.

**[Feb 21: Lecture 7]** (slides)

Drawbacks of deterministic encryption. Chosen-plaintext attacks and CPA-security. Pseudorandom functions. **Reading:** Sections 3.4.2 and 3.5.1.

**[Feb 26: Lecture 8]** (slides)

Pseudorandom permutations and block ciphers. CPA-security from pseudorandom functions. **Reading:** Section 3.5.2.

**[Feb 28: Lecture 9]** (slides)

Block-cipher and stream-cipher modes of operation. Message integrity and message authentication codes (MACs). **Reading:** Sections 3.6 and 4.1.

**[Mar 5: Lecture 10]** (slides)

Defining security for MACs. A fixed-length MAC. MACs for arbitrary-length messages. CBC-MAC. **Reading:** Sections 4.2, 4.3, and 4.4.1.

**[Mar 7: Lecture 11]** (slides)

CBC-MAC. Chosen-ciphertext attacks and CCA-security. Padding-oracle attacks. Authenticated encryption and generic constructions. **Reading:** Sections 4.4.1, 3.7, 4.5.1, 4.5.2, and 4.5.4.

**[Mar 12: Lecture 12]** (slides)

Secure sessions. Exam review. **Reading:** Section 4.5.3.

**[Mar 14: Midterm]**

The exam will be on any material covered in class through Mar 7. The exam is open-book/open-notes; no electronic devices will be allowed.

**[Mar 26: Lecture 13]** (slides)

Hash functions and collision resistance. Birthday attacks on hash functions. The Merkle-Damgard transform. HMAC. **Reading:** Sections 5.1.1, 5.2, 5.3.1, and 5.4.1. (We did not cover Section 5.3.2 in class, but you should be aware that HMAC is a widely used and standardized message authentication code.)

**[Mar 28: Lecture 14]** (slides)

Hash functions as random oracles. Additional applications of hash functions. Exam review. **Reading:** Sections 5.5 and 5.6.1-5.6.4.

**[Apr 2: Lecture 15]** (slides)

Practical constructions of stream ciphers. LFSRs. Adding non-linearity. Correlation attacks. Trivium. RC4. **Reading:** Sections 6.1.1 and 6.1.2. (Correlation attacks are not in the book. You don't need to know any details of Trivium or RC4.)

**[Apr 4: Lecture 16]** (slides)

Practical constructions of block ciphers. Substitution-permutation networks (SPNs). Attacks on reduced-round SPNs. **Reading:** Section 6.2.1.

**[Apr 9: Lecture 17]** (slides)

Feistel networks. The Data Encryption Standard (DES). 2DES and triple-DES. Meet-in-the-middle attacks. The Advanced Encryption Standard (AES). **Reading:** Sections 6.2.2, 6.2.3, 6.2.4, and 6.2.5.

**[Apr 11: Lecture 18]** (slides)

Practical constructions of hash functions: the Davies-Meyer construction. Basic number theory and algorithmic number theory. Modular arithmetic. Efficient exponentiation. **Reading:** Sections 6.3.1, 8.1.1, and 8.1.2; Appendices B.1 and B.2.1-B.2.3.

**[Apr 16: Lecture 19]** (slides)

Efficient exponentiation. Group theory. **Reading:** Sections 8.1.3 and 8.1.4.

**[Apr 18: Lecture 20]** (slides)

Group theory. Primality testing, the factoring assumption, and the RSA assumption. **Reading:** Sections 8.2.1, 8.2.3, and 8.2.4.

**[Apr 23: Lecture 21]** (slides)

The RSA assumption. Cyclic groups. The discrete-logarithm assumption and the Diffie-Hellman assumptions. **Reading:** Sections 8.3.1-8.3.3.

**[Apr 25: Lecture 22]** (slides)

Algorithms for factoring and computing discrete logarithms; concrete parameters. Drawbacks of private-key cryptography. Key exchange and the Diffie-Hellman key-exchange protocol. **Reading:** Sections 9.3, 10.1, 10.3, and 10.4.

**[Apr 30: Lecture 23]** (slides)

The public-key setting. Public-key encryption: syntax and definitions of security. Definitions of security for public-key encryption. El Gamal encryption. **Reading:** Sections 11.1, 11.2 (but not the proof of Theorem 11.6), and 11.4.1.

**[May 2: Lecture 24]** (slides)

El Gamal encryption. Hybrid encryption and the KEM/DEM paradigm. **Reading:** Sections 11.3 (but not the proof of Theorem 11.12), 11.4.1, 11.4.2, and 11.4.4 (just the fact that El Gamal encryption is malleable).

**[May 7: Lecture 25]** (slides)

RSA-based encryption. Padded RSA (PKCS #1 v1.5). RSA-OAEP (PKCS #1 v2). Digital signatures. **Reading:** Sections 11.5.1 (through page 412), 11.5.2, 11.5.4, and 12.1.

**[May 9: Lecture 26]** (slides)

The hash-and-sign paradigm. RSA-based signatures. (EC)DSA. Certificates and public-key infrastructures. **Reading:** Sections 12.2-12.4 and 12.7.

**[May 14: Lecture 27]** (slides)

Certificates and public-key infrastructures. SSL/TLS. Final review. Quantum computing and post-quantum cryptography. **Reading:** Section 12.8. The material on quantum computing and post-quantum cryptography will not be on the final exam.

**[May 20: Final Exam]** 10:30-12:30 (as per the official schedule)