Cryptology I

Lecture spring 2014

Instructor Dominique Unruh <<surname> at ut dot ee>
Teaching assistant
Prastudy Fauzi <<givenname> at ut dot ee>
Lecture Period February 10, 2014 - May 29, 2014
Lectures Mondays, 16:15-17:45, room 206 (Unruh; may sometimes be switched with tutorial)
Practice sessions
Thursdays, 16:15-17:45, room 206 (Unruh)
Course Material Lecture notes, blackboard photos (of practice), and exam study guide.
Language English
Mailing list
Exam Wednesday, June 4, 14:15-17:00, room 206
Contact Dominique Unruh <<surname> at ut dot ee>

Topics covered

2013-02-10 (lecture) Classical ciphers.
2013-02-13 (practice) Breaking a substitution cipher. How to define security of encryption (preview on prefect secrecy).
2013-02-17 (lecture) Perfect secrecy. One-time pad. Security and limitations of OTP.
2013-02-20 (practice) Malleability of OTP. Breaking LFSR with linear algebra.
2013-02-27 (practice) Breaking bad streamciphers. (LFSR-based, and hash-function-based.)
2013-03-03 (lecture) Streamciphers. Best-effort vs provable security. IND-OT-CPA. Pseudorandom generators. Security of streamciphers.
2013-03-06 (practice) Defining and proving security: Random looking encryptions.
2013-03-10 (lecture) Block ciphers. Construction of DES. Feistel networks. 2DES and 3DES. Meet-in-the-middle attack.
2013-03-13 (practice) Attacks on low-round Feistel networks.
2013-03-17 (lecture) Strong PRPs. Modes of operation: ECB, CBC. IND-CPA security.
2013-03-20 (practice) Building authenticated encryption (crypto competition)
2013-03-24 (lecture) Public key encryption. Textbook RSA. RSA-assumption. Weeknesses of textbook RSA
2013-03-27 (practice) Insecurity of ElGamal mod p. Quadratic residues.
2013-03-31 (lecture) ElGamal. DDH assumption. IND-CPA security (public key case). ElGamal is IND-CPA. Malleability of ElGamal.
2013-04-03 (practice) Malleability of ElGamal – example attacks.
2013-04-07 (lecture) IND-CCA security. RSA-OAEP. Hybrid encryption. MACs. Hash functions. Collision-resistance. Iterated hash construction.
2013-04-10 (practice) IND-CCA public key encryption – message length extension (crypto competition)
2013-04-14 (lecture) Security requirements and their modelling. Security requirements elicitation. Patterns and their examples. [Slides: PDF]
2013-04-21 (lecture) Insecurity of iterated hash. Merkle-Damgård. Insecurity of Merkle-Damgård MACs. HMAC. EF-CMA security (for MACs). CBC-MAC
and its insecurity. DMAC.
2013-04-24 (practice) Weakened definitions of EF-CMA and their problems.
2013-04-28 (lecture) PRF as a MAC. MAC message length extension. Davies-Meyer, Miyaguchi-Preneel. Signatures. EF-CMA (for signatures). One-way functions. One-time signatures from OWFs (Lamport).
2013-05-05 (lecture) Signatures from one-way signatures (tree construction, sketch). Full-domain hash (FDH). Random oracle model/heuristic. Security of FDH in ROM.
2013-05-08 (practice)


Your current amount of points in the homework can be accessed here.
Out / due
Feb 18 / Mar 3 Homework 1 Solution 1
Mar 10 / Mar 24
Homework 2, Solution 2
Mar 30 / Apr 7 Homework 3 Solution 3
April 9 / Apr 21 Homework 4, Solution 4,
April 22 / May 5
Homework 5
Solution 5
May 7 / May 22 Homework 6 Solution 6
May 22 / May 29 Homework 7 Solution 7


The course "Cryptology I" introduces the basics of cryptography. After discussing historic ciphers and their weaknesses, we introduce modern cryptographic primitives such as encryption and signature schemes, hash functions, one-way functions etc. We explain how the security of cryptographic schemes is defined and proven. We study advanced cryptographic schemes such as zero-knowledge proofs and secure function evaluation.


"Elements of Discrete Mathematics" or some comparable mathematical foundations.


The following reading supplements this lecture (optional!)

Lindell and Katz, Introduction to Modern Cryptography, Chapman & Hall, 2007.
Materials from the course "Topics of Mathematics in Cryptology" (especially the chapter on probability and the one on modular arithmetic).