CS 294: Analysis and design of cryptographic primitives
This is a graduate advanced topics class offered
in the Spring 2002 semester. We will study the art and science
of building and breaking various cryptographic algorithms, such as
DES, AES, RSA, and others. I will introduce you to techniques for
analyzing the security of such algorithms. However, I will not discuss
how to use these primitives in protocols and other applications, nor will
I cover the theoretical foundations underlying cryptography; see
CS 276 (Cryptography) for that.
I will not
assume any prior background in cryptography; there are no prerequisites;
and I welcome any interested students to join us. However, if you are going
to take only one course in cryptography in your life, I urge you to consider
taking CS 276 instead, as that will give you a broader view of the field.
There will be one lecture a week, and I hope to encourage discussion
and student participation.
I will select topics partially according to student interest.
There is no required textbook, and I will not
require you to read papers, but there will be homeworks from time to time.
CS 294: Analysis and design of cryptographic primitives.
Advanced topics class on cryptographic design and analysis,
focusing on cryptographic primitives such as bulk encryption
algorithms, block ciphers, stream ciphers, message authentication
algorithms, cryptographic hash functions, public-key encryption
and signature algorithms, and so on.
Will cover various cryptanalytic techniques, including
differential cryptanalysis, linear cryptanalysis, time-space tradeoffs,
birthday attacks, and others.
May cover other topics according to student interest.
Instructor: David Wagner.
Time: Tuesdays, 3:30--5:00pm.
Location: 405 Soda.
Web page: http://www.cs.berkeley.edu/~daw/teaching/cs294-s02/
Office hours: Tuesdays, 2:00--3:30pm (765 Soda).
Class project: 50%
Class participation: 15%
Jan 22 (ps) (pdf).
Jan 29 (ps) (pdf); sample solution (ps).
Feb 19 (ps) (pdf); sample solution (ps).
[solutions for 3x3 SPN now available]
A project page is now available.
Please check here for instructions on selecting a project.
Proposals were due April 12th.
Information on project presentations
is now available. Check here to see when you are scheduled
to give your presentation.
I was asked to make available the notes I use for lecturing,
so here they are. Beware! They were only intended for my own
purposes, and so they are very rough, not checked, and vague on some areas
(e.g., those areas that I know very well and don't need notes on).
- Jan 22: Introduction; classical ciphers
- Jan 29: Hash functions; structural cryptanalysis
- Feb 5: structural cryptanalysis; properties of random functions;
computational aspects of the birthday paradox
- Feb 12: introduction to differential cryptanalysis
[see also the following
- Feb 19: advanced differential and linear cryptanalysis
- Note: I've posted a clarification
on approximating linear cipher components.
- Feb 26: truncated differential cryptanalysis, other advanced attacks
on block ciphers
- Related: talk on RSA in the Math colloquium
- Mar 5: design elements for symmetric-key ciphers
- Mar 12: number-theoretic public-key algorithms: RSA, factoring, etc.
- Relevant survey papers:
Attacks on RSA,
- Mar 19: algebraic public-key systems and algebraic attacks
- (please see the notes for a clarification
on the "affine multiple" attack)
- For further reading:
HFE (an algebraic
(see Sections 5.1, 5.2)
- Mar 26: spring break, no class
- Apr 2: stream ciphers, Hellman's time-space tradeoff
- References: HAC Chapter 6
- Apr 9: Berlekamp-Massey
- References: HAC Chapter 6; Golomb, Shift Register Sequences
- Apr 16: lattices: lattice-based cryptosystems, lattice attacks
- Apr 23: implementation attacks:
timing analysis, power attacks, fault attacks
- Apr 30: class cancelled (work on your projects!)
- May 7: project presentations
- May 14: project presentations
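The Apr 9 lecture names Berlekamp-Massey without showing it. The following is an added example, not part of the course materials or notes: a Python implementation of the algorithm over GF(2), following the description in HAC Chapter 6 (Algorithm 6.30), together with an LFSR generator used to verify the recovered register. The sample sequence is constructed here from a 4-stage LFSR and is an assumption of this example, not data from the course.

```python
"""Berlekamp-Massey over GF(2): find the shortest LFSR that generates a
bit sequence. Added example for the Apr 9 lecture (not course material);
follows HAC Algorithm 6.30."""

from typing import List, Tuple


def berlekamp_massey(bits: List[int]) -> Tuple[int, List[int]]:
    """Return (L, C): L is the linear complexity of `bits`, and C is the
    connection polynomial C(x) = 1 + c1*x + ... + cL*x^L as the coefficient
    list [1, c1, ..., cL], so that for every n >= L
        s[n] = c1*s[n-1] ^ c2*s[n-2] ^ ... ^ cL*s[n-L]."""
    n = len(bits)
    C = [1] + [0] * n   # current connection polynomial
    B = [1] + [0] * n   # copy of C taken at the last length change
    L = 0               # current LFSR length
    m = 1               # steps since the last length change (HAC: N - m)
    for i in range(n):
        # discrepancy: does the current LFSR predict bit i?
        d = bits[i]
        for j in range(1, L + 1):
            d ^= C[j] & bits[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        # C(x) <- C(x) + x^m * B(x): cancels the discrepancy at position i
        for j in range(n + 1 - m):
            C[j + m] ^= B[j]
        if 2 * L <= i:
            # the register must grow; keep the old C for later corrections
            L = i + 1 - L
            B = T
            m = 1
        else:
            m += 1
    return L, C[:L + 1]


def lfsr_generate(C: List[int], seed: List[int], length: int) -> List[int]:
    """Run the LFSR with connection polynomial C, seeded with its first L bits."""
    L = len(C) - 1
    if len(seed) < min(L, length):
        raise ValueError("seed must contain at least L bits")
    out = list(seed[:min(L, length)])
    while len(out) < length:
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= C[j] & out[-j]
        out.append(nxt)
    return out


def recover_and_verify(bits: List[int]) -> Tuple[int, List[int], bool]:
    """Recover the minimal LFSR of `bits` and check that it reproduces them.
    Given at least 2L bits the recovered register is unique, which is why
    raw LFSR output is useless as keystream: 2L known bits give the key."""
    L, C = berlekamp_massey(bits)
    ok = lfsr_generate(C, bits, len(bits)) == list(bits)
    return L, C, ok


# Constructed sample (assumption of this example): 30 bits from the 4-stage
# LFSR s[n] = s[n-1] ^ s[n-4], connection polynomial 1 + x + x^4, seed 1,0,0,0.
# This polynomial is primitive, so the output has period 2^4 - 1 = 15.
SAMPLE = lfsr_generate([1, 1, 0, 0, 1], [1, 0, 0, 0], 30)

if __name__ == "__main__":
    L, C, ok = recover_and_verify(SAMPLE)
    print("sequence:", "".join(map(str, SAMPLE)))
    print("linear complexity:", L, "connection polynomial:", C, "verified:", ok)
    # flipping one bit past position 2L breaks the short recurrence
    damaged = list(SAMPLE)
    damaged[20] ^= 1
    print("after flipping bit 20, linear complexity:", recover_and_verify(damaged)[0])
```

Only the first 2L = 8 bits are needed to pin down the 4-stage register; feeding `SAMPLE[:8]` to `berlekamp_massey` returns the same polynomial as the full 30 bits. Flipping a single bit beyond position 2L forces the algorithm to lengthen the register (to at least 17 here), which is the sense in which linear complexity measures how far a sequence is from being LFSR-generated.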
For some reference material, you can see
the Handbook of Applied Cryptography (HAC)
(Menezes, van Oorschot, and Vanstone), available in the library.