CS 294: Analysis and design of cryptographic primitives
Overview
This is a graduate advanced topics class offered in the Spring 2002 semester. We will study the art and science of building and breaking various cryptographic algorithms, such as DES, AES, RSA, and others. I will introduce you to techniques for analyzing the security of such algorithms. However, I will not discuss how to use these primitives in protocols and other applications, nor will I cover the theoretical foundations underlying cryptography; see CS 276 (Cryptography) for that.

I will not assume any prior background in cryptography; there are no prerequisites; and I welcome any interested students to join us. However, if you are going to take only one course in cryptography in your life, I urge you to consider taking CS 276 instead, as that will give you a broader view of the field.

There will be one lecture a week, and I hope to encourage discussion and student participation. I will select topics partially according to student interest. There is no required textbook, and I will not require you to read papers, but there will be homeworks from time to time.
Course description
CS 294: Analysis and design of cryptographic primitives. Advanced topics class on cryptographic design and analysis, focusing on cryptographic primitives such as bulk encryption algorithms, block ciphers, stream ciphers, message authentication algorithms, cryptographic hash functions, public-key encryption and signature algorithms, and so on. Will cover various cryptanalytic techniques, including differential cryptanalysis, linear cryptanalysis, time-space tradeoffs, birthday attacks, and others. May cover other topics according to student interest. (2 units)
Instructor: David Wagner.
Time: Tuesdays, 3:30-5:00pm.
Location: 405 Soda.
Web page: http://www.cs.berkeley.edu/~daw/teaching/cs294-s02/
Office hours: Tuesdays 2:00-3:30pm (765 Soda).
Grading
Class project: 50%
Homework: 35%
Class participation: 15%
Handouts
Thought problems:
- Jan 22 (ps) (pdf).
Homeworks:
- Jan 29 (ps) (pdf); sample solution (ps).
- Feb 19 (ps) (pdf); sample solution (ps) (pdf). [solutions for 3x3 SPN now available]
Projects
A project page is now available. Please check here for instructions on selecting a project. Proposals were due April 12th.

New: Information on project presentations is now available. Check here to see when you are scheduled to give your presentation.
Lectures
I was asked to make available the notes I use for lecturing, so here they are. Beware! They were only intended for my own purposes, and so they are very rough, not checked, and vague on some areas (e.g., those areas that I know very well and don't need notes on).
- Jan 22: Introduction; classical ciphers
[notes]
- Jan 29: Hash functions; structural cryptanalysis
[notes]
- Feb 5: structural cryptanalysis; properties of random functions; computational aspects of the birthday paradox
[notes]
- Feb 12: introduction to differential cryptanalysis
[notes]
[see also the following tutorial]
- Feb 19: advanced differential and linear cryptanalysis
- Note: I've posted a clarification on approximating linear cipher components.
- Feb 26: truncated differential cryptanalysis, other advanced attacks on block ciphers
- Announcement: talk on RSA in Math colloquium on Thursday
- Mar 5: design elements for symmetric-key ciphers
[notes]
- Mar 12: number-theoretic public-key algorithms: RSA, factoring, etc.
- Relevant survey papers: Attacks on RSA; Integer factoring.
- Mar 19: algebraic public-key systems and algebraic attacks
[notes]
- (please see the notes for a clarification on the "affine multiple" attack)
- For further reading: HFE (an algebraic cryptosystem); relinearization (see Sections 5.1, 5.2)
- Mar 26: spring break, no class
- Apr 2: stream ciphers, Hellman's time-space tradeoff
- References: HAC Chapter 6
- Apr 9: Berlekamp-Massey
- References: HAC Chapter 6; Golomb, Shift Register Sequences
- Apr 16: lattices: lattice-based cryptosystems, lattice attacks
[notes]
- Apr 23: implementation attacks: timing analysis, power attacks, fault attacks
- Apr 30: class cancelled (work on your projects!)
- May 7: project presentations
- May 14: project presentations
Reference material
For some reference material, you can see the Handbook of Applied Cryptography (Menezes, van Oorschot, and Vanstone), available in the library or here.
David Wagner,
daw@cs.berkeley.edu,
http://www.cs.berkeley.edu/~daw/.