CS 276, Spring 2004

  David Wagner (daw@cs, 765 Soda Hall, 642-2758)

  Monday/Wednesday, 10:30-12:00, 310 Soda



Here is a list of past lectures and the topics covered. I've also indicated possibilities for further reading. B&R = Bellare & Rogaway's notes; V7 = Vadhan's lecture 7; etc.

01 (1/21): Introduction. Basic motivating scenarios for cryptography. History. Information-theoretic secrecy. [notes] (V1,V3; B&R intro, B&R info-theory)

02 (1/26): Shannon secrecy. Computational indistinguishability. Pseudorandom generators. [notes] (V3,V11; B&R info-theory)

03 (1/28): Exercises with indistinguishability. Pseudorandom functions. Pseudorandom permutations. [notes + notes] (B&R block ciphers, B&R prfs; V12)

04 (2/2): Pseudorandom functions and permutations. The birthday paradox. PRF/PRP switching lemma. [notes + notes] (B&R prfs, B&R Appendix A; V12)

05 (2/4): Guest lecture from Umesh Vazirani.

06 (2/9): Symmetric-key schemes. Definitions of security (IND-CPA): real-or-random, left-or-right, find-then-guess. Equivalence of real-or-random and left-or-right. [notes] (B&R symm encryption)

07 (2/11): Left-or-right and find-then-guess are equivalent. Semantic security. Find-then-guess and semantic security are equivalent. [notes + notes] (B&R symm encryption)

08 (2/18): CTR mode is IND-CPA secure. Message integrity: INT-PTXT, INT-CTXT. Encryption does not provide integrity. [notes + notes] (B&R integrity)

09 (2/23): Message authentication codes (MACs). 2-universal hashing. PRFs are good MACs. Stretching the input size of a PRF. [notes + notes]

10 (2/25): HMAC. Broken systems. The need for message authentication when encrypting. IND-CCA2. [notes + notes]

11 (3/1): IND-CPA and INT-CTXT => IND-CCA2. Intro to number theory: groups, finite fields, Fermat's theorem, Euler's theorem, Legendre symbols, quadratic residues. [notes] (paper on EtA, AtE, E&A) (B&R number thy)

12 (3/3): Public key encryption. Trapdoor one-way permutations: RSA, Rabin. Hard-core bits. [notes + notes] (B&R asym enc)

13 (3/8): Goldreich-Levin theorem. Goldwasser-Micali public-key encryption. [notes] (Goldreich-Levin notes: from a previous class, from Mihir Bellare)

14 (3/10): Goldwasser-Micali for arbitrary-length messages. Hard-core bits from any trapdoor one-way permutation. The random oracle model. Simple RSA. [??? + notes] (paper on random oracles)

15 (3/15): Chosen-ciphertext secure public-key encryption in the random oracle model. Non-malleability. Public-key signatures. Several candidate signature schemes. [David M. + notes]

16 (3/17): Full Domain Hash (FDH). Probabilistic Full Domain Hash (PFDH). Pitfalls of the random oracle model. [notes + notes]

17 (3/29): Implications in symmetric-key cryptography. The following are equivalent: OWF, PRG, PRF, PRP, symmetric-key encryption, bit commitment, coin flipping. [notes + Alex]

18 (3/31): Guest lecture from Vinod Prabhakaran: information-theoretic (unconditionally secure) cryptography.

19 (4/5): Bit commitment, coin flipping. Signatures from any one-way function. Black-box reductions and separations, Impagliazzo-Rudich. [notes + notes]

20 (4/7): Algebraic cryptanalysis of public-key cryptosystems. Factoring: Fermat's method, Dixon's algorithm, quadratic sieve. Attacks on RSA: the common modulus attack, the related message attack. Lattices and cryptanalysis.

21 (4/12): Interactive proof systems. Zero-knowledge proofs. ZKIP for 3-coloring. Zero-knowledge proofs of knowledge.

22 (4/14): Secret sharing. Shamir's scheme for t-out-of-n sharing. Verifiable secret sharing. Pedersen's VSS scheme. [notes] [partial notes (from S'02) + errata regarding accusals + Shamir's original paper]

23 (4/19): Secure multi-party computation. The millionaire's problem. Adversary models: semi-honest, malicious. Definitions of security for the semi-honest model. Oblivious transfer. [partial notes (from S'02) + notes on the defn]

24 (4/21): A general 2-party protocol secure against semi-honest attackers, for any functionality. Definitions of security for the malicious model.

25 (4/26): Finishing up multi-party computation. Electronic cash. Blind signatures, Chaum's online ecash scheme, payer- and payee-anonymity. [notes (from S'02)]

26 (4/28): Threshold cryptography. Schemes with trusted dealer: RSA, El Gamal. Security in the malicious model. Distributed key generation for El Gamal.

27 (5/3): Electronic voting protocols. Honest-verifier zero-knowledge proofs of knowledge of a discrete log; of equality of two discrete logs. The Fiat-Shamir heuristic for non-interactive ZK. The disjunction trick. The Cramer-Gennaro-Schoenmakers protocol.

28 (5/5): Mixes. Publicly verifiable mixes. Anonymous email. Visual cryptography. Chaum's digital voting protocol.


Homework 1 (due 2/2): assignment [solution].

Homework 2 (due 2/9): assignment [solution].

Midterm 1 (due 3/17): assignment [solution] [common errors].

Course Overview

This class teaches the theory, foundations and applications of modern cryptography. In particular, we treat cryptography from a complexity-theoretic viewpoint. In recent years, researchers have found many practical applications for these theoretical results, and so we will also discuss their impact along the way and how one may use the theory to design secure systems.

Official Course Description

CS276: Cryptography. Prerequisite: CS170. Graduate survey of modern topics on theory, foundations, and applications of modern cryptography. One-way functions; pseudorandomness; encryption; authentication; public-key cryptosystems; notions of security. May also cover zero-knowledge proofs, multi-party cryptographic protocols, practical applications, and/or other topics, as time permits.


This list is tentative and subject to change.

If there is time, advanced topics may also include:

Enrollment Policies

The class appears to be over-enrolled at the moment. This is a graduate course, and as such, EECS graduate students will receive first priority on taking the course. I hope to be able to accommodate all interested EECS graduate students.

I have received many queries about whether the class is open to undergraduates; my policy on undergraduate admission to CS276 is available.


Homeworks: 10%
Scribe notes: 20%
Take-home midterm: 30%
Final project: 40%

You will be asked to write a set of scribe notes for either a lecture or for a set of homework solutions. We strongly recommend that scribe notes be written in LaTeX. Please make an effort to make your scribe notes "beautiful", clear, and readable.

You will do a final project. Further details will be made available here.

We will assign several homework sets throughout the semester. To really learn this material, it is important that you not only watch our lectures but also practice the material. Please turn in your homework solutions on paper at the beginning of class on the appropriate day.


There is no required textbook.

The following sources may be helpful as a reference, and will provide supplemental material.

M. Bellare and P. Rogaway, Introduction to Modern Cryptography.
We will follow their exposition fairly closely.
S. Goldwasser and M. Bellare, Lecture Notes on Cryptography.
Another excellent set of notes, with a somewhat different focus.
S. Vadhan, Introduction to Cryptography.
An excellent if introductory set of class notes.
Various authors, Scribe notes for CS276 in Spring 2002.
The notes from the last time this course was offered.
O. Goldreich, Foundations of Cryptography, Cambridge Univ. Press, 2001.
A more abstract treatment of the topic. Goldreich's writings are the canonical treatment of multi-party computation and other advanced topics.
We will assume basic background with probability theory, algorithms, complexity theory, and number theory. For review purposes, you may refer to Prof. Trevisan's Notes on Algebra and Notes on Probability. If you prefer a textbook covering this background material, we recommend the following:
L.N. Childs, A Concrete Introduction to Higher Algebra, Springer, 1995.

David Wagner, daw@cs.berkeley.edu, http://www.cs.berkeley.edu/~daw/.