Latest News
 20100901: the reexam will take place on Friday, October 15, 10:00 am, in Lecture Hall 001, building E1 3.
 20100721: seating plan for the final exam is available.
 20100531: seating plan for the midterm exam is available.
 20100416: tutorials are assigned, registration is closed.
 20100331: time tables for lectures and tutorials are online.
 20100214: registration is open. Please register until Friday, 16th.
 20091209: the website is online.
Description
This course is an introduction to Modern Cryptography. It will introduce cryptography from scratch, i.e., no previous knowledge in cryptography or computer security is required. The list of topics comprises: Informationtheoretic security and the Onetime Pad
 Symmetric encryption, stream ciphers, block ciphers, Data Encryption Standard (DES), Advanced Encryption Standard (AES)
 Asymmetric encryption, cryptosystems based on RSA and on the discrete logarithm problem, CramerShoup encryption
 Digital signature schemes
 Cryptographic hash functions
 Selected cryptographic protocols and their security
 Crypto in the "real world"
 Basic concepts of advanced cryptographic primitives and current research topics: Bit commitment, zeroknowledge proofs, simulatability, linking formal verification and cryptography
 Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography. Chapman & Hall/Crc, 2008
 Douglas R. Stinson: Cryptography: Theory and Practice. CRC Press, 2005
 Nigel Smart: Cryptography: An Introduction. McGrawHill, 2003
Prerequisites
This course is a core theory lecture. Basic knowledge in computability, complexity theory, and number theory is useful, but not utterly necessary, as it can be acquired during the course.Tutorials
The following tutorials are available:1  Thu, 1416  E2.1, SR007 (map)  Dominik Feld 
2  Thu, 1416  E1.4, R023 (map)  Ines Ciolacu 
3  Thu, 1416  E1.3, SR 16 (map)  Anton Krohmer 
4  Thu, 1416  E1.1, U12 (map)  Sebastian Meiser 
5  Thu, 1618  E2.1, SR007 (map)  Dominik Feld 
6  Thu, 1618  E1.7, R001 (map)  Ines Ciolacu 
7  Thu, 1618  E1.1, U12 (map)  Sebastian Meiser 
Why are all tutorials at the same day?
→ See the section on quizzes below.
Michael Backes will be available for your questions on Friday, 1213.
Office: building E1.1, room 211.
Raphael Reischuk will be available for your questions whenever his door is open.
Office: building E1.1, room 217.
The tutors will be available for your questions at the following times in building E1.1, room 218:
 Mon, 12:00 to 14:00
 Wed, 12:30 to 14:30
Homeworks
Weekly homework exercises will be handed out in class and posted to the course page each Tuesday, after the lecture. Their solutions will be posted one week later. No homeworks have to be submitted, but you are encouraged to ask any question you might have concerning the course in the office hours. Homework exercises will thus not influence your grade, however, by presenting solutions in the tutorials you may gain a better grading in the quiz, see below.Weekly Quiz
Each tutorial starts with a short (approx. 15 minutes) quiz covering the topics of the same lectures that were addressed in the corresponding homework assignment. Your overall quizgrade is determined by dropping the quiz with the lowest grading, and calculating the average of the remaining quizzes.You can further improve your quizgrade by a "good presentation" of your solutions of the homework exercises in the tutorials. In this case, you may drop another quiz, i.e., at most two quizzes may be dropped. Please be aware that there is a limited number of exercises, and if more than one student opts for one particular solution, a random student will be drawn. So start early enough!
Quizzes will affect your final grading by 30%, and you need an overall quizgrading of at least 50% to pass the course.
Exams
There will be two mandatory exams: A midterm exam, and a final exam.The midterm exam will be approx. one hour and consist of multiplechoice and simple questions intended to test your basic understanding of the course material covered so far. Your midterm grade will affect your final grading by 20%, however, there is no lower bound that has to be reached in order to pass the course.
The final exam will be a written test of two hours. It will make up 50% of your final grade, you need at least 50% to pass the course.
Grading & Requirements for Passing the Course
Let Q be your quiz score, M your score in the midterm exam, E your score in the final exam, and B your score in the backup exam, each in percent. Then your final overall score Final is calculated as
Final = 0.3*Q + 0.2*M + 0.5*Max(E,B)
You pass the course if
Q ≥ 50% and Max(E,B) ≥ 50% and Final ≥ 50%
Q: I got only 49% in the quizzes, but 100% in both exams, will I pass?
A: No, you need 50% in your quizzes to pass.
Q: I got only 49% in the final exam, but 100% in the quizzes and the midterm exam, will I pass?
A: No, you need 50% in your final exam to pass. Consider participating in the backup exam.
Q: I got only 30% in the midterm exam, but 100% in final exam and in the quizzes, will I pass?
A: Yes, there is no minimum requirement on the midterm exam. However, of course, you need a final score of 50% to pass.
Backup Exams
Date and time of the backup exam will be announced. You may take part in the backup exam if you qualified for the final exam, i.e., you got at least 50% score in the quizzes.The backup exam will be written. Please note that if you have passed the final exam and also take the backup exam, the better score between the two will count for your final grade.
Lecture Overview, Material & Tutorials
#  Date  Topics  Slides  Homework  References 

1  20100413  Organizatorial aspects. Historical overview of cryptography. Information theoretic security. Perfect secrecy. Onetime pad. 
Lecture Notes 1  2.3, Katz/Lindell p. 327, 2936, 

2  20100416  Stream ciphers, randomness 
(cipher) 
Lecture Notes 2.4 

3  20100420  Pseudorandom permutations, pseudorandom functions, switching lemma, modes of operation 
Lecture Notes 3 Katz/Lindell 3 

4  20100423  Definitions of security, DES, Feistel networks  Lecture Notes 3.3  4.2  
5  20100427  DES, AES 
Lecture Notes 4.2  4.5 Katz/Lindell 5 

6  20100430  Message authentication codes 
Lecture Notes 5.1  5.2 Katz/Lindell 4.1  4.5 

7  20100507  Collision resistant hash functions  Lecture Notes 5.3  5.5  
8  20100511  Basic number theory facts  Lecture Notes 6  
9  20100518  The ElGamal publickey encryption scheme  Lecture Notes 7  
10  20100521  CCA2 security, keyed hash functions, CramerShoup  Lecture Notes 8.1  8.2  
11  20100528  Proof: CramerShoup is CCA2secure assuming DDH  –  Lecture Notes 8.3  
12  20100601  The RSA trapdoor permutation  Lecture Notes 9.1  9.3  
20100604  Midterm Exam  
13  20100608  The RSA trapdoor permutation (attacks)  Lecture Notes 9.4  9.5  
14  20100611  Digital Signature Schemes 
Lecture Notes 10 Katz/Lindell 12 

15  20100615  Certificates  Lecture Notes 11  
16  20100618  Authentication  
17  20100622  Protocols for Authentication, SSL  Lecture Notes 12  
18  20100625  Commitment Schemes  Lecture Notes 13  
19  20100629  Secret Sharing  Lecture Notes 14  
20  20100706  Secret Sharing, ZeroKnowledge  Lecture Notes 15  
21  20100709  ZeroKnowledge, Formal Methods  Dominique Unruh's notes on formal methods  
22  20100713  Quantum Cryptography  
23  20100716  LatticeBased Cryptography  
24  20100720  Question and Answer Session  
20100723  Final Exam 
There are the following tutorials:
#  Date  Lectures  Quiz  Comments 
I  Thu, 20100422  1,2  1  exception: group 6 (Ines) will be in E1.4, R019 
II  Thu, 20100429  3,4  2  exception: group 6 (Ines) will be in E1.7, R323 
III  Thu, 20100506  5,6  3  
Thu, 20100513  Ascension Day  
IV  Thu, 20100520  7  4  
V  Thu, 20100527  8,9,10  5  
VI  Thu, 20100603    Corpus Christi  
Midterm Exam  
VII  Thu, 20100617  6  
VIII  Thu, 20100624  7  exception: group 2 (Ines) will be in E1.3, R528  
IX  Thu, 20100701  8  
X  Thu, 20100708  9  
XI  Thu, 20100715  10  exception: group 6 (Ines) will be in E1.7, R323  
Final Exam 
Registration and Mailing List
Registration is closed. In case you still want to register, please contact Raphael Reischuk.Further Reading
 Summary of basic probability theory by David Joyce (pdf): A very concise introduction to probability theory.
 Introduction to probability by Albert Meyer (pdf): Provides more material on probability theory.
 A Primer on number theory for computer scientists by Victor Shoup (pdf): Provides more material and more details on number theory and algebra.