Nowadays data controllers must design information systems that provide the highest possible privacy guarantees. A fundamental enabler to achieve this is cryptography.
This class is intended to provide an introduction to the main concepts of modern cryptography and their usage to protect data e build secure systems. The main focus will be on constructions of various building blocks, such as encryption schemes, message authentication codes and digital signatures. We will try to understand what properties we expect from these objects, how to define these properties and how to construct schemes that realize them. We will also focus on schemes that are widely used in practice. These include, for instance, AES, SHA, HMAC and RSA. However, rather than using these tools as black box, we will show how they are built and the security level they provide. No programming will be required for this class.
The goals of this course, in terms of expected results, are
Lecture based (via slides).
Should teaching be carried out in mixed mode or remotely, it may be necessary to introduce changes with respect to previous statements, in line with the programme planned and outlined in the syllabus.
Basics of Discrete math
Basics of Algorithms
Not mandatory but strongly suggested
Introduction to the main ideas of this class.
Source: Cap 1 from 
A look back: Classical Ciphers and One Time Pad. Shift cipher and substitution cipher. Cryptanalysis of the substitution cipher. Perfect Security. The substitution cipher does not guarantee perfect security. One time pad. One time pad provides perfect perfect security.
Source: Cap 2 from 
Block Ciphers – AES The blockcipher Rijndael. Pseudorandom functions and relations to block ciphers. AES in practice. Birthday Paradox.
Source: Cap 3,4 from 
Symmetric encryption: Modes of operation. ECB, CBC$, CTRC and CTR$. Security notions for
Source: Cap 5 from 
Integrity and Hash functions. Collision resistant hash functions. Generic attacks to collision resistance. SHA3.
Source: Cap 6 from 
Message Authentication. Notion of security for MACs. The PRF as a MAC paradigm. CBC-MAC. HMAC.
Source: Cap 7 from 
Intro to asymmetric cryptography. One way functions and Trapdoor (one-way) functions. Number theory basics. Discrete logarithms. Computation Diffie Hellman problem and Key Exchange. Factoring and RSA.
Source: Cap 9, 10 from , relevant parts from 
Asymmetric encryption. Notions of security for asymmetric cryptosystems. The El-Gamal encryption scheme. Homomorphic Encryption (basics). RSA-OAEP.
Source: Cap 11 from  and slides
Digital Signatures. A notion of security for digital signatures. The Hash then invert paradigm for digital signatures. Digital Signatures in practice.
Source: Cap 12 from .
Bonus Application: Bitcoin
Source: Slides and Chapter 2 of 
 M. Bellare, P. Rogaway “Introduction to Modern Cryptography” Scaricabile da http://www.cs.ucsd.edu/~mihir/cse107/classnotes.html
 V. Shoup A Computational Introduction to Number Theory and Algebra Scaricabile da http://shoup.net/ntb/
 J. Katz, Y. Lindell “Introduction to Modern Cryptography” CRC press
 A. Miller, A. Narayanan, E. Felten, J. Bonneau, and S. Goldfeder “Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction”. Princeton University Press.
|1||Some classical ciphers and their cryptanalysis. Perfect Security and One time pad.||Cap 2 from |
|2||Block Cipher and AES||Cap 3,4 from |
|3||Symmetric Encryption||Cap 5 from |
|4||Integrity and Hash Functions||Cap 6 from |
|5||Message Authentication||Cap 7 from |
|6||Intro to Asymmetric Cryptography. One way Functions and Trapdoor Functions. Discrete Logarithms, Factoring and RSA.||Cap 9, 10 from , relevant parts from |
|7||Asymmetric encryption. The El-Gamal encryption scheme. Homomorphic Encryption (basics). RSA-OAEP.||Cap 11 from  and slides|
|8||Bitcoin. How Bitcoin achieves decentralization. Proof of Work.||Cap 2 from |
The exam consists in a written test followed by an oral exam. The written test typically consists in 5 (open) questions.
To pass the written part one should get a minimum of 18.
Midterms: There might be the possibility of a midterm exam followed by a final exam. The midterm covers the part on asymmetric encryption whereas the final will be on PK cryptaography and Bitcoin.
Learning assessment may also be carried out on line, should the conditions require it.