CS 290G: Introduction to Modern Cryptography (Winter 2016)

Instructor: Stefano Tessaro, tessaro(at)cs(dot)ucsb(dot)edu

Class time and location: TR 3-4:50pm (Phelps 2510)

Office hours: T 5-6pm or by appointment (HFH 1117)

Class webpage: http://www.cs.ucsb.edu/~tessaro/cs290/

Piazza: We will be using Piazza for class-related discussions. The Piazza page will be set up soon.


  • [Jan 5, 2016]: Ready to go, some important updates to assessment and added Piazza links.
  • [Dec 17, 2015]: Home page set up. Please check regularly for updates (there will be some!)

Course Description

Cryptography provides the basic technology to protect information and to communicate securely. This class is a self-contained graduate-level introduction to modern cryptography. We will study tools and techniques to design systems with provable security guarantees.

A main high-level objective of the class is to learn how security of cryptographic algorithms is properly defined, and to understand security proofs and what type of guarantees they provide.

Required background: Even though the material has direct practical applications, the class will take a rigorous approach: Exposure to undergraduate-level basics of probability, algebra / elementary number theory (modular arithmetic) and complexity theory (in particular, to reductions) is expected, as well as a certain level of mathematical maturity (students should be ready to understand mathematical proofs, and to write simple ones). If in doubt, contact the instructor! Extension students: If you are visiting UCSB and want to attend this class, you need permission from me -- get in touch with me and be ready to give copy of your transcripts to make sure you have the appropriate background.

Assessment (tentative): Final assessment will depend on a combination of homework (there will be four problem sets, accounting overall to 1/2 of the grade), a take-home final (accounting to 30% of the grade), and a small project (20%). Homework and project can be solved in pairs, but you should be able to demonstrated individual contribution. More specific information is available on the class slides.

Piazza: Please use our Piazza page (at https://piazza.com/ucsb/winter2016/cs290g/home, sign up here: https://piazza.com/ucsb/winter2016/cs290g) for asking general questions or anything else.

Textbook: No textbook will be required, but the following are great resources to support the class (most of them are available for download):

As a warning, there is no general agrement on notation among cryptographers, and the above resources all use somewhat different approaches to cover similar things.


The following is a tentative schedule, and is intended to give a rough idea about what I hope to cover in the class and in which order. There will be (slight) changes depending on the pace of the class.

WeekDate Lecture contents Reading material / Slides Assignments
1 2016-01-05 Welcome to CS290G
  • Course organization
  • Introduction to cryptographic thinking and provable security: One-time pad and RSA encryption
  • Informal definition of a one-way function / one-way permutation
2016-01-07 Computational Hardness
  • Computational resources
  • Polynomial time and negligible functions
  • One-way functions and permutations
  • Universal one-way functions
22016-01-12 Class is canceled (TCC '16)
2016-01-14 Pseudorandomness I
  • Computational indistinguishability and pseudorandom generators (PRGs)
  • One-wayness of PRGs
  • Hardcore bits
  • Building a PRG from a one-way permutation
3 2016-01-19 Pseudorandomness II
  • PRG Extension
  • Hybrid arguments
  • Pseudorandom functions and permutations
2016-01-21 Pseudorandomness III
  • Indistinguishability proofs: The "Switching Lemma"
  • Practical candidates: Block ciphers and AES
4 2016-01-26 Pseudorandomness IV
  • PRFs from PRGs -- The GGM construction
  • PRPs from PRGs -- Feistel Networks
2016-01-28 Symmetric Encryption
  • Definition of a symmetric encryption scheme
  • Semantic Security
  • IND-CPA security
  • Counter-mode encryption
  • Other modes of operation
5 2016-02-02 Message Authentication
  • Unpredictability under a chosen-message attack
  • Pseudorandomness vs unpredictability
  • MAC constructions from PRFs
2016-02-04 Authenticated Encryption
  • Authenticated Encryption: INT-PTXT, INT-CTXT
  • Symmetric encryption against chosen-ciphertext attacks
  • Encrypt-then-MAC, MAC-then-Encrypt, Encrypt-and-MAC
  • AEAD schemes
6 2016-02-09 Public-key Encryption I
  • Diffie-Hellman Key Agreement
  • Security notions for public-key encryption: IND-CPA / IND-CCA
  • Recap on finite group
  • Diffie-Hellman type assumption
2016-02-11 Public-key Encryption II
  • ElGamal Encryption
  • Generic Constructions from Tradpoor-Functions
  • Goldwasser-Micali Encryption
7 2016-02-16 CCA Security I
  • The Random-Oracle Model (ROM)
  • Public-key encryption secure against chosen-ciphertext attacks in the ROM
2016-02-18 CCA Security II
  • Hash-proof systems (HPS)
  • CPA security from HPS
  • CCA security from HPS
8 2016-02-23 Digital Signatures
  • Construction from one-way functions
  • Efficient signatures in the ROM: Full-domain hash (FDH)
2016-02-25 Identity-based encryption
  • IBE security definition
  • Signatures from IBE
  • CCA-security from IBE
  • High-level definition of bilinear map
  • Boneh-Franklin IBE
9 2016-03-01 Lattice-Based Cryptography
  • Lattice-based cryptography, an overview
  • The Learning With Errors (LWE) problem
  • Encryption from LWE
2016-03-03 Fully-Homomorphic Encryption
  • FHE from LWE
10 2016-03-08 Cryptographic Protocols I
  • Two-party computation
  • Oblivious Transfer
  • Garbled Circuits
2016-03-10 Cryptographic Protocols II
  • Zero-knowledge proofs
  • Fiat-Shamir transform