Cryptology I

Lecture spring 2017

Instructor Dominique Unruh <<surname> at ut dot ee>
Teaching assistant
Tore Vincent Carstens <<firstname dot thirdname at gmx dot de>
Lecture Period February 8, 2017 - May 24, 2017
Lectures Wednesdays, 12:15-13:45, room 218 (Paabel) (Unruh; may sometimes be switched with tutorial)
Practice sessions
Wednesdays, 16:15-17:45, room 220 (Paabel) (Unruh/Fauzi)
Course Material Lecture notes, blackboard photos (of practice), and exam study guide.
Language English
Mailing list
Contact Dominique Unruh <<surname> at ut dot ee>

Topics covered

2017-02-15 (lecture)Classical ciphers.[video]
2017-02-15b (lecture)Perfect secrecy. One-time pad. Security and limitations of OTP. Streamciphers (basic construction). LFSR.[video]
2017-02-22 (lecture)Stream ciphers (ctd.). IND-OT-CPA security. Pseudo-random generators (PRG). Security proof for stream ciphers.[video]
2017-02-22 (practice)Breaking a substitution cipher. Malleability of one-time-pad (bank transfer). Attacking the linear congruence randomness generator.
2017-03-01 (lecture)Block ciphers. AES (construction). Feistel networks. Provable security vs. best effort.[video]
2017-03-01 (practice)Security proof: If G is PRG, then H(x,y):=G(x)||y is PRG. Insecurity of 3-round-Feistel.
2017-03-08 (lecture)Security notions of block ciphers: strong PRP. Provable security & "best-effort security". Security of encryption: IND-CPA. Modes of operation: ECB, CBC. Insecurity of ECB. IND-CPA security of CBC (only claim).[video]
2017-03-08 (practice)Security of AES with missing AddRoundKey/SubBytes/MixColumns/ShiftRows
2017-03-15 (lecture)Public key encryption. Textbook RSA. RSA-assumption. Weaknesses of textbook RSA.[video]
2017-03-15 (practice)Malleability of CBC mode, "Crypto competition": Authenticated encryption
2017-03-22 (lecture)ElGamal. Decisional Diffie-Hellman (DDH) assumption. IND-CPA (public-key). Security of ElGamal.[video]
2017-03-22 (practice)Breaking 3RSA for small messages. RSA with N=pqr
2017-03-29 (lecture)Malleability of ElGamal. Definition IND-CCA. Hybrid Encryption. Message authentication codes (MACs). Hash functions. Collision-resistance.[video]
2017-03-29 (practice)Repetition ElGamal
2017-04-05 (lecture)Iterated hash. Merkle-Damgård construction. Insecurity of Merkle-Damgård as a MAC. HMAC.[video]
2017-04-05 (practice)Insecurity of ElGamal mod p. Quadratic residues.
2017-04-12 (lecture)EF-CMA definition. MAC from block cipher/PRF. Extending message space of MACs. CBC-MAC, DMAC, and their security. Davies-Meyer. Miyaguchi-Preneel. Birthday attacks for hashes.[video]
2017-04-12 (practice)Breaking Iterated Hash / Merkle-Damgård with various compression functions.
2017-04-19 (lecture)Signatures. EF-CMA. One-way functions. One-time signature construction.[video]


Your current amount of points in the homework can be accessed here.
Out Due Homework Solution
2017-02-172017-03-03Homework 1Solution 1,
2017-03-032017-03-17Homework 2,, prg.pySolution 2,,
2017-03-212017-04-01Homework 3,, ecb-distinguish-2.txt, ecb-distinguish-1.txt, 3rsa-aes.pySolution 3,,
2017-04-042017-04-17Homework 4, hybrid.pySolution 4,
2017-04-212017-05-05Homework 5, 


The course "Cryptology I" introduces the basics of cryptography. After discussing historic ciphers and their weaknesses, we introduce modern cryptographic primitives such as encryption and signature schemes, hash functions, one-way functions etc. We explain how the security of cryptographic schemes is defined and proven. We study advanced cryptographic schemes such as zero-knowledge proofs and secure function evaluation.


"Elements of Discrete Mathematics" or some comparable mathematical foundations.


The following reading supplements this lecture (optional!)

Lindell and Katz, Introduction to Modern Cryptography, Chapman & Hall, 2007.
Materials from the course "Topics of Mathematics in Cryptology" (especially the chapter on probability and the one on modular arithmetic).