CS 120: Introduction to Cryptography
Fall 2006

PRELIMINARY SYLLABUS

Lecturer: Prof. Salil Vadhan and Dr. Alon Rosen
Teaching Fellow:  Florin Ciocan
Course website: http://people.seas.harvard.edu/~salil/cs120
Staff e-mail: cs120@eecs.harvard.edu
Past CUE evalutions: Fall 01, Spring 03

## Summary

Cryptography is the science of designing algorithms and protocols that guarantee privacy, authenticity, and integrity of data when parties are communicating or computing in an insecure environment.  The recent explosion of electronic communication and commerce has expanded the significance of cryptography far beyond its historical military role into all of our daily lives.  For example,  cryptography provides the technology that allows you to use your credit card to make on-line purchases without allowing other people on the internet to learn your credit card number.

The past 25 years have also seen cryptography transformed from an ad hoc collection of mysterious tricks into a rigorous science based on firm complexity-theoretic foundations.  It is this modern, complexity-theoretic approach to cryptography that will be the focus of this course.  Specifically, we will see how cryptographic problems can be given precise mathematical definitions.  Then we will construct algorithms which provably satisfy these definitions, under precisely stated and widely believed assumptions.  For example, we will see how to prove statements of the flavor "Encryption algorithm X hides all information about the message being transmitted,  under the assumption that factoring integers is computationally infeasible."  (Of course, this kind of statement will be given a precise meaning.)

What can you hope to learn from this course?

• Definitions:  Why it is important to precisely define cryptographic problems,  and how to do so for several important problems (encryption, authentication, digital signatures, ...).  The kinds of subtleties that arise in such definitions, and how to critically evaluate and interpret cryptographic definitions.
• Constructions & Proofs of Security:  Examples of general & concrete solutions to various cryptographic problems, and how to prove that they satisfy the definitions mentioned above (based on precisely stated assumptions).
• Foundations: The assumptions on which modern cryptography is based, and their implications.
• Theory vs. Practice:  This course will focus on theory, but we will discuss how the theory relates to what is actually done in practice.
• Applications: If time permits, we will see one or two examples of how to address cryptographic issues in higher-level protocol problems, such as auctions, voting, or electronic cash.
• Security: This is not a course on security, but if time permits, we will discuss how cryptography fits into the broader contexts of network and systems security.

What this course will NOT teach you:

• Acronyms:  There are many different cryptographic algorithms, protocols, and standards out there, each their own acronym.  It is not the aim of this course to cover these specific systems, which may come and go, but rather the general principles on which good cryptography is based.  Understanding these principles will enable you to evaluate the specific systems you encounter outside this course, on your own.  (This is not to say that the course will be without examples, but the examples will be selectively chosen mainly for illustrative purposes.)
• Hacking:  We will not teach you how to "break" or "hack" systems.
• Security:  We will not teach you "how to secure your system".  Cryptography is only one part of security, albeit an important one.
• Everything there is to know about cryptography:  Cryptography is a vast subject, and we will not attempt to be comprehensive here.  Instead, we aim to convey the main principles, philosophy, and techniques which guide the subject, focusing on the most basic primitives, such as encryption and digital signatures.  This should put you in a good position to read about other topics on your own or take more advanced courses on cryptography.

## Tentative List of Topics

1. Introduction
2. Review of Algorithms and Probability
3. Private-Key Encryption: Defining Security
4. Computational Number Theory
5. One-Way Functions
6. Pseudorandom Generators & Pseudorandom Functions
7. Private-Key Encryption: Constructions
8. Private-Key Encryption in Practice: Block Ciphers
9. Trapdoor Functions & Public-Key Encryption
10. Message Authentication, Digital Signatures, and Hashing
11. Zero-Knowledge Proofs
12. Protocols
13. Network & Systems Security
14. Policy Issues
15. Conclusions & what we didn't cover

# Prerequisites

The formal prerequisite for the course is one prior course in theoretical computer science, such as CS 121 or 124.   (Students with strong math backgrounds may be able to manage with extra background reading and/or taking CS 124 concurrently; come to my office hours to discuss.)  The main skills that will be assumed from these courses are:

• The ability to understand and write formal mathematical definitions and proofs.
• Comfort with reasoning about algorithms, such as proving their correctness and analyzing their running times.

It is also important that you are familiar with basic probability .  Additional background that will be helpful:

• Complexity Theory: NP-completeness, reductions
• Randomized Algorithms, such as a primality testing algorithm.
• Basic Number Theory: modular arithmetic, Chinese Remainder Theorem.
• Probability Theory: independence, conditional probabilities, expectation, Bayes' Law.

While it is not necessary to have had exposure to all of these topics prior to CS 120, familiarity with none will probably make it quite difficult to keep up.

• Weekly problem sets: 50%
• Two in-class quizzes: 10% each
• Final exam: 25%
• Class participation: 5%

Your class participation grade is based on participation in lecture, but can also be boosted by participation in section and/or coming to office hours or section with "good" questions or comments.  A "good" question is one which is not just aimed to help you answer questions on the problem set or exam.  It is one that shows genuine interest in the material and that you have been thinking about the course material on your own.  Do not be afraid of asking "stupid" questions!

# Problem Sets & Collaboration Policy

The course will have weekly problem sets, due TBA (in the box labelled CS 120 in the basement of Maxwell Dworkin.) You are allowed 6 late days for the semester, of which at most 2 can be used on any individual problem set. (1 late day = 24 hours exactly).  In case of an emergency which requires an exception to these rules, please have your senior tutor call me.

Students are encouraged to discuss the course material and the homework problems with each other in small groups (2-3 people).   Discussion of homework problems may include brainstorming and verbally walking through possible solutions, but should not include one person telling the others how to solve the problem.  In addition, each person must write up their solutions independently, and these write-ups should not be checked against each other or passed around.

# Sections

There will be weekly sections, which will be used to clarify difficult points from lecture, review background material, go over previous homework solutions, and sometimes provide interesting supplementary material.

There is no required text for the course other than the lecture notes, but you may find the following to be useful references (but beware that some of the notation, conventions, and definitions may differ slightly from lecture):

• Jonathan Katz and Yehuda Lindell.  An Introduction to Modern Cryptography.  This is a preliminary version of a textbook in-writing that the authors have graciously allowed us to use.  Its level and contents seem to fit CS 120 very well, so copies of the relevant chapters will be handed out in class. The preliminary state of the book means, however, that some chapters are not yet written (particularly the ones relevant to the beginning of the course) and that there may be some errors.  In return for the authors' sharing this book with us, we should compile a list of errors and constructive suggestions to send the authors at the end of the term.  We will set up a discussion tool on the course website for this purpose.

• Oded Goldreich. Foundations of Cryptography.  This two-volume set is a very comprehensive and definitive treatment of the theoretical foundations of cryptography.  Volumes I and II cover most of what we'll be doing in this course far greater depth, though the treatment is more abstract than ours. Volume I contains most of the still-unwritten material from the Katz-Lindell text.  If you plan to continue on in cryptography (particularly as a researcher), I highly recommend purchasing these books.

Other texts on cryptography take a much less careful approach to definitions and proofs of security than we do.  Still, they can serve as good references for more examples of concrete cryptosystems used in practice and some high-level ideas.  After this course, you should understand how to critically evaluate the merits or deficiencies of the cryptosystems described in the books below (and indeed we urge you to have a critical eye when reading them):

For background reading on probability, algorithms, complexity theory, and number theory, I recommend: