CS 294: Analysis and design of cryptographic primitives


This is a graduate advanced topics class offered in the Spring 2002 semester. We will study the art and science of building and breaking various cryptographic algorithms, such as DES, AES, RSA, and others. I will introduce you to techniques for analyzing the security of such algorithms. However, I will not discuss how to use these primitives in protocols and other applications, nor will I cover the theoretical foundations underlying cryptography; see CS 276 (Cryptography) for that.

I will not assume any prior background in cryptography; there are no prerequisites; and I welcome any interested students to join us. However, if you are going to take only one course in cryptography in your life, I urge you to consider taking CS 276 instead, as that will give you a broader view of the field.

There will be one lecture a week, and I hope to encourage discussion and student participation. I will select topics partially according to student interest. There is no required textbook, and I will not require you to read papers, but there will be homeworks from time to time.

Course description

CS 294: Analysis and design of cryptographic primitives. Advanced topics class on cryptographic design and analysis, focusing on cryptographic primitives such as bulk encryption algorithms, block ciphers, stream ciphers, message authentication algorithms, cryptographic hash functions, public-key encryption and signature algorithms, and so on. Will cover various cryptanalytic techniques, including differential cryptanalysis, linear cryptanalysis, time-space tradeoffs, birthday attacks, and others. May cover other topics according to student interest. (2 units)

Instructor: David Wagner.
Time: Tuesdays, 3:30-5:00pm.
Location: 405 Soda.
Web page: http://www.cs.berkeley.edu/~daw/teaching/cs294-s02/
Office hours: Tuesdays 2:00-3:30pm (765 Soda).


Class project: 50%
Homework: 35%
Class participation: 15%


Thought problems: Jan 22 (ps) (pdf).
Homeworks: Jan 29 (ps) (pdf), sample solution (ps)
Feb 19 (ps) (pdf), sample solution (ps) (pdf) [solutions for 3x3 SPN now available]


A project page is now available. Please check here for instructions on selecting a project. Proposals were due April 12th.

New: Information on project presentations is now available. Check here to see when you are scheduled to give your presentation.


I was asked to make available the notes I use for lecturing, so here they are. Beware! They were only intended for my own purposes, and so they are very rough, not checked, and vague on some areas (e.g., those areas that I know very well and don't need notes on).

Jan 22: Introduction; classical ciphers [notes]
Jan 29: Hash functions; structural cryptanalysis [notes]
Feb 5: Structural cryptanalysis; properties of random functions; computational aspects of the birthday paradox [notes]
Feb 12: Introduction to differential cryptanalysis [notes] [see also the following tutorial]
Feb 19: Advanced differential and linear cryptanalysis
Note: I've posted a clarification on approximating linear cipher components.
Feb 26: Truncated differential cryptanalysis; other advanced attacks on block ciphers
Announcement: talk on RSA in the Math colloquium on Thursday
Mar 5: Design elements for symmetric-key ciphers [notes]
Mar 12: Number-theoretic public-key algorithms: RSA, factoring, etc.
Relevant survey papers: Attacks on RSA, Integer factoring.
Mar 19: Algebraic public-key systems and algebraic attacks [notes]
(please see the notes for a clarification on the "affine multiple" attack)
For further reading: HFE (an algebraic cryptosystem), relinearization (see Sections 5.1, 5.2)
Mar 26: Spring break, no class
Apr 2: Stream ciphers; Hellman's time-space tradeoff
References: HAC Chapter 6
Apr 9: Berlekamp-Massey
References: HAC Chapter 6; Golomb, Shift Register Sequences
Apr 16: Lattices: lattice-based cryptosystems, lattice attacks [notes]
Apr 23: Implementation attacks: timing analysis, power attacks, fault attacks
Apr 30: Class cancelled (work on your projects!)
May 7: Project presentations
May 14: Project presentations

Reference material

For some reference material, you can see the Handbook of Applied Cryptography (Menezes, van Oorschot, and Vanstone), available in the library or here.
David Wagner, daw@cs.berkeley.edu, http://www.cs.berkeley.edu/~daw/.