CS 276: Cryptography


CS 276 is a graduate class on cryptography offered in the Spring 2002 semester.
Instructors: Luca Trevisan and David Wagner.
Time: 12:30--2:00pm, Tuesdays and Thursdays.
Location: 306 Soda.
Prerequisites: CS 170 or equivalent.
Web page: http://www.cs.berkeley.edu/~daw/cs276/

This class teaches the theory, foundations and applications of modern cryptography. In particular, we treat cryptography from a complexity-theoretic viewpoint. In recent years, researchers have found many practical applications for these theoretical results, and so we will also discuss their impact along the way and how one may use the theory to design secure systems.


Macro files for scribes are here.

Jan 22:  [L] Basic motivating scenarios for cryptography. Definition of one-way functions, trapdoor functions, and permutations. Basics on number theory, RSA. [notes]

Jan 24: [L] Rabin's function, definitions of security. [notes]

Jan 29: [L] Hard-core predicates, the Goldwasser-Micali cryptosystem. [notes]

Jan 31: [L] Proof of the Goldreich-Levin Theorem. [notes]

Feb 5: [D] Stronger definitions of security (non-malleability, chosen-ciphertext attacks). [notes]

Feb 7: [D] Relations between notions of security; The random oracle model [notes]
       For more on random oracles, see this paper. David covered the schemes in Sections 3.1 and 3.2 in class on Feb 7.

Feb 12: [D] IND-CCA2 implies NM-CCA2; information-theoretic security, the one-time pad, Shannon's results on perfect encryption. [notes]
       Also, the first homework (ps)(pdf) is now available.
       New: the homework was updated Feb 17 to fix an error in Problem 4(a).

Feb 14: [L] Definition of one-way functions, weak and strong one-way functions. [notes]

Feb 19: [D] Building PRG's from OWF's. The Blum-Micali-Yao construction of a pseudorandom generator. Increasing the stretching factor of a PRG. [notes]

Feb 21: [L] Constructions of pseudorandom generators from one-way functions. The Goldreich-Goldwasser-Micali construction of a pseudorandom function. [notes]

Feb 26: [D] The Luby-Rackoff construction of pseudorandom permutations. [notes]
      New: The second homework (ps)(pdf) is now available.
Announcement: talk on RSA in Math colloquium on Thursday

Feb 28: [D] Definitions of security for symmetric key encryption. Modes of operation. [notes]
      New: A sample solution set for the first homework (ps) is now available.

Mar 5: [D] Implications of left-or-right security. Proofs of security for CTR mode against chosen-plaintext attack. [notes]

Mar 7: [D] Message authentication: definitions, constructions, CBC-MAC. How to build symmetric-key encryption secure against chosen-ciphertext attack. [notes]
       The paper by Hugo Krawczyk mentioned in class can be found here, for the curious. (See especially Section 4.2.)

Mar 12: [L] Introduction to Zero Knowledge proof systems

Mar 14: [L] Commitment schemes, analysis of the GMW Zero Knowledge protocol for 3-coloring, introduction to proofs of knowledge [notes]
      New: A sample solution set for the second homework (ps) is now available.
      New: The midterm (ps)(pdf) is now available.
      A frequently asked question on the midterm: if you had a question about problem 6 on the midterm, you may want to read the following clarification.

Mar 19: [D] Public-key signature schemes. Definitions of security, RSA-based schemes secure in the random oracle model, FDH. [notes]

Mar 21: [D] Public-key signature schemes, continued. PSS-0. Discrete log-based schemes. Schnorr identification protocol, Schnorr signatures.
      New: Midterm solutions (ps) (pdf) are now available. (Note: the version on the web page here has been updated with extra material on common errors which wasn't in the paper version handed out in class on May 21.)
      New: information on projects is now available.

Apr 2: [L] Public-key signatures: existence conditions, constructions of signatures based on any one-way function. [notes]
See sections 6.4.1 and 6.4.2 in Oded Goldreich's draft of volume 2

Apr 4: [L] Construction of Universal One-Way Hash Functions from One-Way Permutations.
See section 6.4.3 in Oded Goldreich's draft of volume 2

Apr 9: [L] Oracles and Separations.
   Impossibility of basing public-key encryption on one-way permutations.
   The Impagliazzo-Rudich paper

Apr 11: [D] Secret sharing. Shamir's scheme, generalized access structures. [notes] (Scribe: Rob Johnson)
      Shamir's original paper is available online.

Apr 16: [D] Threshold cryptography. Verifiable secret sharing (Feldman & Pedersen's schemes), n-out-of-n RSA, w-out-of-n El Gamal, key generation of w-out-of-n El Gamal, proactive security.

Apr 18: [D] Secure voting schemes. The Cramer-Gennaro-Schoenmaker scheme, zero knowledge proofs of disjunctions, the Benaloh scheme.

Apr 22: [D] Electronic cash. Blind signatures, Chaum's online ecash scheme, payer- and payee-anonymity. [notes]

Apr 25: no lecture.

Apr 30: [L] Secure 2-party computation. The semi-honest model, oblivious transfer. [notes]

May 2: [L] Secure 2-party computation, continued. Definitions.

May 7: [L] Secure 2-party computation, continued. A construction provably secure in the malicious model.

May 9: [L] Secure multi-party computation.

May 14: [D] Cryptographic protocols. Mutual authentication, secure key exchange. Attacks, formal methods for protocol verification.

Course description

CS276: Cryptography. Prerequisite: CS170. Graduate survey of modern topics on theory, foundations, and applications of modern cryptography. One-way functions; pseudorandomness; encryption; authentication; public-key cryptosystems; notions of security. May also cover zero-knowledge proofs, multi-party cryptographic protocols, practical applications, and/or other topics, as time permits.


Scribe notes: 20%
Take-home midterm: 30%
Final project: 50%

There will be no final.

Scribe notes

You will be asked to write a set of scribe notes for either a lecture or for a set of homework solutions. We strongly recommend that scribe notes be written in LaTeX. A template will be made available here in the future.


There will be a final project. Further details may be found here.

Problem sets

To really learn this material, it is important that you not only watch our lectures but also try your hand at a few problems and practice the material. To help with this, we will assign a few homework assignments throughout the semester, to appear here as they are assigned.

Please turn in your homework solutions on paper at the beginning of class on the appropriate day.

You are welcome to discuss the questions on the homeworks with others and work on them collaboratively.


There is no required textbook.

The following sources may be helpful as a reference, and will provide supplemental material.

S. Goldwasser and M. Bellare, Lecture Notes on Cryptography.
Available online at http://www-cse.ucsd.edu/users/mihir/papers/gb.html.
O. Goldreich, Foundations of Cryptography, Cambridge Univ. Press, 2001.
We will assume basic background in probability theory, algorithms, complexity theory, and number theory. For review purposes, you may refer to Prof. Trevisan's Notes on Algebra and Notes on Probability. If you prefer a textbook covering this background material, we recommend the following:
L.N. Childs, A Concrete Introduction to Higher Algebra, Springer, 1995.

Office hours

Luca Trevisan: Mondays 2:00-3:30pm (615 Soda). David Wagner: Tuesdays 2:00-3:30pm (765 Soda).

The CS276 Instructors, cs276@mozart.cs.berkeley.edu, http://www.cs.berkeley.edu/~daw/cs276/.