Instructor:
Nadia Heninger
(nadiah at cis dot upenn dot edu, 604 Levine)
Office hours: Tuesday 12pm
TA:
Paul Lou
(plou at seas dot upenn dot edu)
Office hours: Tuesday 45pm, Levine 6th floor bump space
Lectures:
Monday/Wednesday 3:00pm4:30pm Towne 311
Teaching Resources:
Grades/Homework on Canvas
Announcements/Questions on Piazza
Grading:
30% Homework
30% Midterm
30% Final project
10% Participation, brownie points, and grading
This course is a graduatelevel introduction to cryptography, both theory and applications. A tentative list of topics includes:
If your primary interest is in cryptocurrencies or blockchain technology, you will probably be more interested in LGST 299/799.
Topic  References  Assignments  
8/29  Introduction, onetime pad 
Katz & Lindell Ch. 1, 2 Boneh & Shoup Ch. 2.2 Further reading: Communication theory of secrecy systems Shannon 1949  Homework 1 assigned 
9/5  Math Review: Probability and basic number theory 
Katz & Lindell Appendix A, Ch. 8.1 Boneh & Shoup Appendix A, B Hoffstein, Pipher, & Silverman Ch. 1, Ch. 4.3, 4.6 Further reading: Alistair Sinclair scribe notes on Chernoff bounds  
9/10  Semantic security, pseudorandom generators, stream ciphers 
Katz & Lindell Ch. 3 Boneh & Shoup Ch. 2.3, 3  Homework 1 due
Homework 2 assigned 
9/12  Stream ciphers, chosen plaintext attacks 
Katz & Lindell Ch. 3.5, 3.6 Boneh & Shoup Ch. 4 Further reading/Research directions: All Your Biases Belong To Us: Breaking RC4 in WPATKIP and TLS by Vanhoef and Piessens Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS by Garman, Paterson, and Van der Merwe On the security of RC4 in TLS and WPA by AlFardan, Bernstein, Paterson, Poettering, and Schuldt 2013 Spritza spongy RC4like stream cipher and hash function by Rivest and Schuldt 2014 The ChaCha family of stream ciphers by Bernstein  
9/17  Block ciphers, modes of operation, block cipher attacks Guest lecture: Barak Shani 
Katz & Lindell Ch. 5  
9/19  Chosen ciphertext attacks, malleability, padding oracles Guest lecture: Marcella Hastings  Katz & Lindell Ch. 4.44.6 Boneh & Shoup Ch. 6 Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... by Vaudenay 2002 Here come the xor ninjas by Duong and Rizzo 2011 Compression and information leakage of plaintext by Kelsey 2002 The CRIME attack by Rizzo and Duong 2012  
9/24  Message authentication codes, hash functions, birthday attacks  Katz & Lindell Ch. 4 Boneh & Shoup Ch. 8.18.6  Homework 2 due 
9/26  Hash functions in practice  Katz & Lindell Ch. 4.74.8 Boneh & Shoup Ch. 8.7 Further reading/research directions The making of Keccak by Bertoni, Daemen, Peeters, Van Assche 2015 MD5 to be considered harmful today by Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik, de Weger 2009 Countercryptanalysis by Stevens 2013 The first collision for full SHA1 by Stevens, Bursztein, Karpman, Albertini, Markov 2017 
Homework 3 assigned

10/1  Length extension attacks, HMAC, authenticated encryption  Katz & Lindell Ch. 7  
10/3  Computational number theory: Modular arithmetic, groups, rings, fields, efficient algorithms and hard problems 
Katz & Lindell Ch. 8 HAC Ch. 3.6.3 Further reading: A Computational Introduction to Number Theory and Algebra, Ch. 3, 6 by Shoup Fast multiplication and its applications by Bernstein  
10/8  DiffieHellman, ElGamal  New Directions in Cryptography by Diffie and Hellman 1976 Katz & Lindell Ch. 7.3, 8.2.1, 9, 10 Further reading: A personal view of averagecase complexity by Impagliazzo 1995  
10/10  Arithmetic modulo composites, Chinese Remainder Theorem, PohligHellman discrete log 
Katz & Lindell Ch. 7.1.5, 7.2, 8.1.2, 8.2.2, 10.4 HAC Ch. 3.6.4 
Homework 3 due Homework 4 assigned 
10/15  RSA encryption, textbook RSA is insecure  Katz & Lindell Ch. 10.4, 10.6 Boneh & Shoup Ch. 13 A method for obtaining digital signatures and publickey cryptography by Rivest, Shamir, and Adleman 1978 Further reading/Research directions: Why Textbook ElGamal and RSA Encryption Are Insecure by Boneh, Joux, and Nguyen 2000 Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 by Bleichenbacher 1998 Efficient Padding Oracle Attacks on Cryptographic Hardware by Bardou, Focardi, Kawamoto, Simionato, Steel, Tsay 2012 Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks by Meyer, Somorovsky, Weiss, Schwenk, Schinzel, Tews 2014  
10/17  RSA and DSA digital signatures Guest lecture: Barak Shani  Katz & Lindell Ch. 12  
10/22  Constructing secure channels 
Further reading: Ferguson Schneier & Kohno Ch. 14 SIGMA: the "SIGnandMAc" Approach to Authenticated DiffieHellman and its Use in the IKE Protocols by Krawczyk 2003  
10/24  TLS 
Further reading: The Transport Layer Security (TLS) Protocol Version 1.3 by Rescorla, 2018 TLS Ecosystem Woes by Benjamin 2018 (video) The Transport Layer Security (TLS) Protocol Version 1.2 by Dierks and Rescorla 2008 
Homework 4 due Homework 5 assigned 
10/29  Random number generation issues; Index calculus algorithms for factoring  Katz & Lindell Ch. 9.1,9.2 Mining your Ps and Qs: Detection of widespread weak keys in network devices by Heninger, Durumeric, Wustrow, and Halderman 2012 Further Reading: Weak Keys Remain Widespread in Network Devices by Hastings, Fried, and Heninger 2016 A tale of two sieves by Pomerance (1996) Factoring integers with the number field sieve by Buhler, Lenstra, and Pomerance (1993) Factorization of a 768bit RSA modulus by Kleinjung et al. (2010)  
10/31  Index calculus for discrete log; Export cryptography, FREAK, Logjam TLS downgrade attacks 
SMACK: State Machine AttaCKs against TLS A Messy State of the Union: Taming the Composite State Machines of TLS by Beurdouche, Barghavan, DelignatLavaud, Fournet, Kohlweiss, Pironti, Strub, and Zinzindohoue 2015 Imperfect Forward Secrecy: How DiffieHellman Fails in Practice by Adrian, Bhargavan, Durumeric, Gaudry, Green, Halderman, Heninger, Springall, Thome, Valenta, VanderSloot, Wustrow, ZanellaBeguelin, Zimmermann (slides) Further reading: A new index calculus algorithm with complexity L(1/4 + o(1)) in small characteristic by Joux 2013 A quasipolynomial algorithm for discrete logarithm in finite fields of small characteristic by Barbulescu Gaudry Joux and Thome 2013  Project proposals due 
11/5  Midterm exam  
11/7  Elliptic Curves and Primality Testing Guest Lecture: Barak Shani 
Homework 5 due  
11/12  Lattices 
Daniele Micciancio lecture notes 1 2 Oded Regev lecture notes Factoring Polynomials with Rational Coefficients by Lenstra Lenstra and Lovasz 1982 The two faces of lattices in cryptology by Nguyen 2001 Using LLLreduction for solving RSA and factorization problems: a survey by May 2007  
11/14  LLL, Coppersmith's method Slides 
Factoring Polynomials with Rational Coefficients by Lenstra Lenstra and Lovasz 1982 The two faces of lattices in cryptology by Nguyen 2001 Using LLLreduction for solving RSA and factorization problems: a survey by May 2007  Homework 6 assigned 
11/20  Secret sharing 
How to share a secret by Shamir 1979 Other resources: Secretsharing schemes: A survey by Beimel 2011 David Wagner lecture notes  
11/26  Project presentations  
11/28  Project presentations  Homework 6 due 