**CS 127/CSCI E-127: Introduction to Cryptography**

Fall 2013

**SYLLABUS**

Summary | Topics | Prerequisites | Problem Sets & Collaboration Policy | Discussion Tools | Readings | Sections | Grading | Related Courses

Lecturer: Prof. Salil Vadhan

Shopping week office hours (MD 337): Mon 9/2 2-5, Tue 9/3 11:30-12:30, Thu 9/5 11:30-12:30, 1:30-2:30, Fri 9/6 11-12, 3:30-4:30, Mon 9/9 3:30-5:30, Tue 9/10 11:30-12:30

[Sign up for a 15 min slot on door, or by emailing Carol Harlow (harlow@seas.harvard.edu)]

Admin Assistant: Carol Harlow (MD 343)

Teaching Fellow: Mark Bun (MD 138), and possibly others TBD

Course website: http://people.seas.harvard.edu/~salil/cs127/

Staff e-mail: cs127@seas.harvard.edu

Past Q evaluations (under previous numbering CS 127/CSCI E-177): Fall 01, Spring 03, Fall 06 (FAS), Fall 06 (DCE)

Time & Place for CS 127 lectures: TuTh 10-11:30, Maxwell Dworkin G-125

Lecture videos will be recorded for CSCI E-127 students (and will be made available to CS 127 students).

Cryptography is the science of designing algorithms and protocols that guarantee privacy, authenticity, and integrity of data when parties are communicating or computing in an insecure environment. The recent explosion of electronic communication and commerce has expanded the significance of cryptography far beyond its historical military role into all of our daily lives. For example, cryptography provides the technology that allows you to use your credit card to make on-line purchases without allowing other people on the internet to learn your credit card number.

The past 25 years have also seen cryptography transformed from an ad hoc
collection of mysterious tricks into a rigorous science based on firm
complexity-theoretic foundations. It is this modern, complexity-theoretic
approach to cryptography that will be the focus of this course.
Specifically, we will see how cryptographic problems can be given *precise*
*mathematical definitions*. Then we will construct algorithms which *provably*
satisfy these definitions, under precisely stated and widely believed
assumptions. For example, we will see how to prove statements of the
flavor "Encryption algorithm X hides all information about the message
being transmitted, under the assumption that factoring integers is
computationally infeasible." (Of course, this kind of statement will
be given a precise meaning.)

What can you hope to learn from this course?

**Definitions:** Why it is important to precisely define cryptographic problems, and how to do so for several important problems (encryption, authentication, digital signatures, ...). The kinds of subtleties that arise in such definitions, and how to critically evaluate and interpret cryptographic definitions.

**Constructions & Proofs of Security:** Examples of general & concrete solutions to various cryptographic problems, and how to prove that they satisfy the definitions mentioned above (based on precisely stated assumptions).

**Foundations:** The assumptions on which modern cryptography is based, and their implications.

**Theory vs. Practice:** This course will focus on theory, but we will discuss how the theory relates to what is actually done in practice.

**Applications:** If time permits, we will see one or two examples of how to address cryptographic issues in higher-level protocol problems, such as auctions, voting, or electronic cash.

**Security:** This is not a course on security, but if time permits, we will discuss how cryptography fits into the broader contexts of network and systems security.

What this course will NOT teach you:

**Acronyms:** There are many different cryptographic algorithms, protocols, and standards out there, each with their own acronym. It is not the aim of this course to cover these specific systems, which may come and go, but rather the general principles on which good cryptography is based. Understanding these principles will enable you to evaluate the specific systems you encounter outside this course, on your own. (This is not to say that the course will be without examples, but the examples will be selectively chosen mainly for illustrative purposes.)

**Hacking:** We will not teach you how to "break" or "hack" systems.

**Security:** We will not teach you "how to secure your system". Cryptography is only one part of security, albeit an important one.

**Everything there is to know about cryptography:** Cryptography is a vast subject, and we will not attempt to be comprehensive here. Instead, we aim to convey the main principles, philosophy, and techniques which guide the subject, focusing on the most basic primitives, such as encryption and digital signatures. This should put you in a good position to read about other topics on your own or take more advanced courses on cryptography.

- Introduction
- Review of Algorithms and Probability
- Private-Key Encryption: Defining Security
- Pseudorandom Generators & Stream Ciphers
- One-Way Functions
- Computational Number Theory
- Pseudorandom Functions & Block Ciphers
- Private-Key Encryption: Constructions
- Private-Key Encryption in Practice
- Trapdoor Functions & Public-Key Encryption
- Message Authentication Codes
- Digital Signatures in Theory & Practice
- Collision-Resistant Hashing
- Zero-Knowledge Proofs (time permitting)
- (Fully) Homomorphic Encryption (time permitting)
- Secure Protocols (time permitting)
- Network & Systems Security (time permitting)
- Policy Issues (time permitting)
- Conclusions & what we didn't cover

The formal prerequisite for the course is one prior course in theoretical computer science, such as CS 121 or 124. The main skills that will be assumed from these courses are:

- The ability to understand and write formal mathematical definitions and proofs.
- Comfort with reasoning about algorithms, such as proving their correctness and analyzing their running times.

It is also important that you are familiar with basic discrete probability. A few of the homework problems will involve writing small computer programs (in a language of your choice), so basic programming skills will also be needed.

Additional background that will be helpful:

- Complexity Theory: NP-completeness, reductions
- Randomized Algorithms, such as a primality testing algorithm.
- Basic Number Theory: modular arithmetic, Chinese Remainder Theorem.
- Probability Theory: independence, conditional probabilities, expectation, Bayes' Law.

While it is not necessary to have had exposure to *all*
of these topics prior to CS 127, familiarity with none will probably make it
quite difficult to keep up.

The course will have weekly problem sets, typically due 5pm on Fridays via electronic submission. You are allowed 6 late days for the semester, of which at most 2 can be used on any individual problem set. (1 late day = 24 hours exactly). In case of an emergency which requires an exception to these rules, please have your resident dean (or research advisor, in the case of graduate students) contact me. We strongly recommend typing your solutions, ideally using LaTeX.

Students are encouraged to discuss the course material and the homework
problems with each other in *small* groups (2-3 people).
Discussion of homework problems may include brainstorming and verbally walking
through possible solutions, but should not include one person telling the
others how to solve the problem. In addition, each person must write up
their solutions independently, and these write-ups should not be checked
against each other or passed around.

While working on your problem sets, you may not refer to existing solutions, whether from other students, past offerings of this course, materials available on the internet, or elsewhere. All problem sets should include a collaboration statement listing all collaborators and sources of ideas other than the course materials.

We will use two online tools to facilitate discussion and participation in the class.

The first is NB, a collaborative PDF annotation tool where we will post copies of the reading in advance of lecture. Starting with the Thursday 9/5 lecture, you will be expected to do the reading *prior to lecture*, and provide comments on it using NB by 9pm the night before. Your comments can point out parts of the reading that you found confusing or interesting, questions that came to your mind as you read the text, answers to other students' questions or comments, etc. The comments will enable us to focus class time on the most difficult and/or interesting aspects of the material.

We will also use Piazza to facilitate additional discussion among students and the staff, beyond what relates to specific readings.

You will receive invitation emails to both NB and Piazza during the first week of classes (based on the email address you provide in the survey); let us know ASAP if you do not have access.

The required text for the course is: Jonathan Katz and Yehuda Lindell. *An Introduction to Modern Cryptography.* The authors are also providing us with a draft of the 2nd edition of the text, which we will use for posting on NB.

Another text that may be useful is Oded Goldreich's *Foundations of
Cryptography.* This two-volume set is a very comprehensive
and definitive treatment of the theoretical foundations of
cryptography. Volumes I and II cover most of what we'll be doing in
this course in far greater depth, though the treatment is more abstract than
ours. If you plan to continue on in cryptography (particularly as a
researcher), I highly recommend purchasing these books.

Other texts on cryptography take a much less careful approach to definitions and proofs of security than we do. Still, they can serve as good references for more examples of concrete cryptosystems used in practice and some high-level ideas. After this course, you should understand how to critically evaluate the merits or deficiencies of the cryptosystems described in the books below (and indeed we urge you to have a critical eye when reading them):

- Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. *Handbook of Applied Cryptography.*
- Douglas R. Stinson. *Cryptography: Theory and Practice.*
- Bruce Schneier. *Applied Cryptography.*

For background reading on probability, algorithms, complexity theory, and number theory, we recommend:

- Thomas Cormen, Charles Leiserson, Ron Rivest, and Cliff Stein. *Introduction to Algorithms.*
- Michael Sipser. *Introduction to the Theory of Computation.*

- Weekly problem sets: 45% (lowest score dropped)
- Two in-class quizzes (on Tue 10/1 and on Thu 11/14): 10% each
- Final exam: 25%
- Class participation (based on lecture, section, NB, Piazza, and office hours): 10%

There will be weekly sections, which will be used to clarify
difficult points from lecture, review background material, go over previous
homework solutions, and sometimes provide interesting supplementary material.

- CS 121/CSCI E-121 - Introduction to the Theory of Computation, CS 124/CSCI E-124 - Data Structures and Algorithms. The two possible prerequisites. Both are highly recommended, and CS 127 should not be considered a substitute for them.
- Math 124 - Number Theory (and possibly Math E-321 - Hidden Gems: Advanced Topics in Classical Mathematics). Number Theory is the main source of the hard computational problems on which cryptography is built. An excellent complement if taken before, concurrently, or after.