This is a graduate advanced topics class offered in the Spring 2002 semester. We will study the art and science of building and breaking various cryptographic algorithms, such as DES, AES, RSA, and others. I will introduce you to techniques for analyzing the security of such algorithms. However, I will not discuss how to use these primitives in protocols and other applications, nor will I cover the theoretical foundations underlying cryptography; see CS 276 (Cryptography) for that.

I will not assume any prior background in cryptography; there are no prerequisites, and I welcome any interested students to join us. However, if you are going to take only one course in cryptography in your life, I urge you to consider taking CS 276 instead, as that will give you a broader view of the field.

There will be one lecture a week, and I hope to encourage discussion and student participation. I will select topics partially according to student interest. There is no required textbook, and I will not require you to read papers, but there will be homeworks from time to time.

*CS 294: Analysis and design of cryptographic primitives*.
Advanced topics class on cryptographic design and analysis,
focusing on cryptographic primitives such as bulk encryption
algorithms, block ciphers, stream ciphers, message authentication
algorithms, cryptographic hash functions, public-key encryption
and signature algorithms, and so on.
Will cover various cryptanalytic techniques, including
differential cryptanalysis, linear cryptanalysis, time-space tradeoffs,
birthday attacks, and others.
May cover other topics according to student interest.
(2 units)

Homework: 35%

Class participation: 15%

Homeworks:

- Jan 29 (ps) (pdf), sample solution (ps)
- Feb 19 (ps) (pdf), sample solution (ps) (pdf) [solutions for 3x3 SPN now available]

New: Information on project presentations is now available. Check here to see when you are scheduled to give your presentation.

I was asked to make available the notes I use for lecturing,
so here they are. *Beware!* They were only intended for my own
purposes, and so they are very rough, not checked, and vague on some areas
(e.g., those areas that I know very well and don't need notes on).

- Jan 22: Introduction; classical ciphers [notes]
- Jan 29: Hash functions; structural cryptanalysis [notes]
- Feb 5: Structural cryptanalysis; properties of random functions; computational aspects of the birthday paradox [notes]
- Feb 12: Introduction to differential cryptanalysis [notes] [see also the following tutorial]
- Feb 19: Advanced differential and linear cryptanalysis
  - Note: I've posted a clarification on approximating linear cipher components.
- Feb 26: Truncated differential cryptanalysis, other advanced attacks on block ciphers
  - Announcement: talk on RSA in the Math colloquium on Thursday
- Mar 5: Design elements for symmetric-key ciphers [notes]
- Mar 12: Number-theoretic public-key algorithms: RSA, factoring, etc.
  - Relevant survey papers: Attacks on RSA; Integer factoring.
- Mar 19: Algebraic public-key systems and algebraic attacks [notes]
  - (Please see the notes for a clarification on the "affine multiple" attack.)
  - For further reading: HFE (an algebraic cryptosystem); relinearization (see Sections 5.1, 5.2)
- Mar 26: Spring break, no class
- Apr 2: Stream ciphers, Hellman's time-space tradeoff
  - References: HAC Chapter 6
- Apr 9: Berlekamp-Massey
  - References: HAC Chapter 6; Golomb, *Shift Register Sequences*
- Apr 16: Lattices: lattice-based cryptosystems, lattice attacks [notes]
- Apr 23: Implementation attacks: timing analysis, power attacks, fault attacks
- Apr 30: Class cancelled (work on your projects!)
- May 7: Project presentations
- May 14: Project presentations

David Wagner, daw@cs.berkeley.edu, http://www.cs.berkeley.edu/~daw/.