This course for graduate students and advanced undergraduates will discuss security protocol design and analysis and the related areas of cryptography.

- "Introduction to Modern Cryptography" by J. Katz and Y. Lindell. Chapman & Hall/CRC, 2008. ISBN: 1584885513. (Required.) Please note Errata for this book.
- "Formal Models and Techniques for Analyzing Security Protocols" by V. Cortier and S. Kremer (Eds.). IOS Press, 2011. ISBN: 978-1-60750-713-0. (Recommended.)

- Security protocol analysis slides.
- "Foundations of Cryptography: Volume 1, Basic Tools" by Goldreich. Cambridge University Press, 2001. ISBN: 0521791723.
- O. Goldreich. Foundations of Cryptography - Volume 2.
- "Cryptography: Theory and Practice. Third Edition" by Stinson. Chapman & Hall/CRC, 2005. ISBN: 1584885084.
- Johannes A. Buchmann: "Introduction to Cryptography". Springer, Second Edition, 2004. Paperback. ISBN 9780387207568.
- R. Focardi, R. Gorrieri (Eds.) Foundations of Security Analysis and Design. Tutorial Lectures. Springer Lecture Notes in Computer Science, Volume 2171, 2001. ISBN 3-540-42896-8.
- "Handbook of Applied Cryptography" by Menezes, van Oorschot, and Vanstone. CRC Press, Fifth Printing, 2001. ISBN: 0-8493-8523-7.
- Goldwasser-Bellare lecture notes on cryptography at MIT.
- Dodis cryptography lecture notes at NYU.
- J. Clark and J. Jacob. A Survey of Authentication Protocol Literature. Version 1.0, November, 1997.
- R. Kemmerer, C. Meadows, and J. Millen. Three Systems for Cryptographic Protocol Analysis. Journal of Cryptology, Vol. 7, no. 2, 1994.
- Kerberos: The Network Authentication Protocol.
- IETF Kerberos Working Group.
- IETF TLS Working Group.
- D. Wagner and B. Schneier. Analysis of the SSL 3.0 Protocol.
- J. Mitchell, V. Shmatikov, and U. Stern. Finite-State Analysis of SSL 3.0.
- J.P. Anderson. Computer Security Technology Planning Study. ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA (Oct. 1972) [NTIS AD-758 206].
- M. Bishop's History of Computer Security Web Site at UC Davis.
- "The Rise and Fall of Knapsack Cryptosystems" by A. M. Odlyzko.
- O. Goldreich. "Modern Cryptography, Probabilistic Proofs and Pseudo-randomness." Springer-Verlag, 1999. ISBN: 3-540-64766-X.
- Ron Rivest's Cryptography and Security Page at MIT.

Basic Concepts of Cryptology: Substitution Ciphers, Permutation Ciphers, Vigenere Cipher, Rotor Machines, Attack Models. Symmetric Ciphers, Block Ciphers, One-Time Pad, Information-Theoretic Properties of One-Time Pad, Perfect Secrecy, Misuses of One-Time Pad, Malleability. Stream Ciphers, Linear Feedback Shift Register, Golomb's Randomness Postulates, Linear Complexity, Non-linear Filters, Knapsack Keystream Generator.

Introduction to Number Theory: Congruences, Chinese Remainder Theorem, Fermat's Little Theorem, Euler's Theorem, Modular Exponentiation by Repeated Squaring, Special Cases of Factoring. Finite Fields. Quadratic Residues and Reciprocity.

Diffie-Hellman Key Exchange Protocol. Discrete Logarithm. Security of Diffie-Hellman Key Exchange Protocol. Attacks. RSA Public-Key Cryptosystem. One-Way Functions. Attacks on RSA. ElGamal Public-Key Cryptosystem.

Digital Signatures. Attack Models. RSA-based Signatures. Signatures Based on Discrete Logarithm.

Non-keyed hash functions. Birthday paradox. Iteration lemma. Keyed hash functions. Message authentication code (MAC). Universal hash functions.

Network security protocols. Needham-Schroeder public-key exchange protocol. Lowe anomaly. Dolev-Yao symbolic model. Multiset-rewriting formalism. Undecidability of secrecy for network security protocols.

Kerberos authentication protocol. Cross-realm extension of Kerberos. Public-key extension of Kerberos, PKINIT. Identity misbinding attack on PKINIT.

Contract-signing protocols. Fairness.

Formal encryption. Computational soundness and completeness.

- Exercise 1.4abc on p. 28 of Katz-Lindell.
- Exercise 1.5 on p. 28 of Katz-Lindell.
- Exercise 1.6 on p. 28 of Katz-Lindell.
- Exercise 2.3 on p. 41 of Katz-Lindell.
- Exercise 2.4 on p. 41 of Katz-Lindell.
- Exercise 2.5 on p. 41 of Katz-Lindell.
- Exercise 7.5 on p. 294 of Katz-Lindell.
- Exercise 7.6 on p. 294 of Katz-Lindell.
- Exercise 7.8 on p. 294 of Katz-Lindell.
- Exercise 7.10 on p. 294 of Katz-Lindell.
- Exercise 7.11abc on pp. 294-295 of Katz-Lindell.
- Exercise 7.14 on p. 295 of Katz-Lindell. Assume *d <= phi(N)*.
- Prove that if *(2^n) - 1* is a prime, then *n* is a prime, and if *(2^n) + 1* is a prime, then *n* is a power of *2*. The first type of prime is called a Mersenne prime, and the second type is called a Fermat prime.

- Five-page written report on one of the following two topics:
- Transport Layer Security (TLS) protocol.
- IKEv2 Internet Key Exchange protocol.

- Exercise 10.11 on p. 381 of Katz-Lindell.
- Exercise 10.13 on p. 382 of Katz-Lindell.
- Exercise 10.14 on p. 382 of Katz-Lindell.
- Exercise 11.12 on p. 420 of Katz-Lindell.
- Exercise 12.3 on p. 454 of Katz-Lindell.