Applied Cryptography

American University of Beirut

CMPS 297AD/396AI

Welcome

Welcome to the website for the Applied Cryptography course at the American University of Beirut! This page serves as a unified and self-sufficient source of truth on everything concerning your course.

Bookmark this website for the duration of the course and visit it regularly. All course news will be kept up to date on this website.

Check out this video about the course!


Course Description

Applied Cryptography explores the core theory of modern cryptography and how to apply these fundamental principles to build and analyze real-world secure systems. We start with foundational concepts—such as Kerckhoffs's principle, computational hardness, and provable security—before moving on to key cryptographic primitives like pseudorandom generators, block ciphers, and hash functions. Building on this solid groundwork, we will survey how these technologies power critical real-world deployments such as TLS, secure messaging protocols (e.g., Signal), and post-quantum cryptography. We will also delve into specialized topics like high-assurance cryptographic implementations, elliptic-curve-based systems, and zero-knowledge proofs to give you a complete understanding of contemporary cryptography's scope and impact. By the end of the semester, you will have gained both a rigorous theoretical perspective and practical hands-on experience, enabling you to evaluate, design, and implement cryptographic solutions.

Note: This website is an informal resource, and not a substitute for the AUB learning management system.

Course Dates & Times

  • Term Dates: August 25th until December 13th, 2025.
  • Lecture Times: Tuesdays and Thursdays, 12:30 to 13:45
  • Lecture Location: Nicely Hall, Room 320
  • Lab Times: I don't know yet
  • Lab Location: I don't know yet
  • The Key Exchange Times: To be determined.
  • Instructor's Email: [email protected]

Course Prerequisites

This course is intended for senior undergraduate students. Graduate students are also welcome to register provided that they are working on a research topic that is relevant to this course. The following prerequisites are optional but recommended:

  • CMPS 215: Theory of Computation

If you want to understand whether you have the sufficient background for this course, review this revision chapter and try to do all the exercises.

Important Links

News

August 1st, 2025

Course preparation complete!

I'm thrilled to announce that the Applied Cryptography course is now essentially complete and ready for the Fall semester! We now have seven comprehensive problem sets, five engaging lab project proposals, and all slides for Part 2 are finished except for the final couple of sessions (which will be ready soon).

I'm also excited to introduce The Key Exchange, our optional informal discussion sessions where we'll explore cutting-edge cryptographic topics, current events in security, and dive deeper into areas of particular student interest. Think of it as our cryptographic coffee hour where curiosity drives the conversation!

For a lighter introduction to what we'll be studying, check out this fun video I made about the course — I promise it's more entertaining than a formal syllabus reading!

With the term starting soon, I'm looking forward to meeting all of you and embarking on this cryptographic journey together. Don't forget to email me at [email protected] if you have any questions about the course, prerequisites, or anything else. See you soon!

Older News

Older news entries are kept for the academic year for archival purposes.

May 28th, 2025

Part 1 materials are complete!

The course plan, readings, slides, problem sets and lab project proposals for Part 1 of the course are now all complete and available on this website!

Things may change during the semester as Part 1 is being taught, but the course is beginning to take real shape, and the materials should at the very least be able to provide prospective students with an idea of what to expect. Also, the course schedule for Part 2 now looks much more mature and substantial, and will likely only change minimally as the course is developed.

May 1st, 2025

We have a course number!

I'm excited to announce that our course has been officially assigned the course numbers CMPS 297AD (undergraduate) and CMPS 396AI (graduate). Please use these numbers when registering for the class through the university system.

Please note that this website is still very much under construction! I'm not even set on the course schedule yet. Everything isn't final. Some things could be outright wrong. Feedback welcome.

Materials

Every lecture will be accompanied by outside readings that expand on what is discussed in class or present the same material in a different way. Neither the readings nor the lectures are a replacement for each other; deeply understanding the material will likely require attendance as well as reading. It is possible to read before or after class, depending on your learning style.

Aside from the textbooks and materials, students will also require their own personal computer for various parts of this course. Linux, Mac and Windows computers are all suitable.

Textbooks

The Joy of Cryptography

Oregon State University, 2021

Mike Rosulek

Required. This textbook is the primary resource for our course and is available free of charge online.

Note: For this course, we will be using an updated edition of the textbook that is not yet released to the public. Professor Rosulek has been gracious enough to grant us access in advance — access will be shared privately with students during the course.

Serious Cryptography, 2nd Edition

No Starch Press, 2024

Jean-Philippe Aumasson

Required. This textbook provides practical insights into cryptographic implementations and complements the theoretical foundation from The Joy of Cryptography.

Online Readings

Online readings provide essential supplementary material that expands on specific cryptographic concepts, vulnerabilities, and practical implementations discussed throughout the course.

Interactive Learning Tools

Interactive learning tools provide hands-on learning experiences that help reinforce cryptographic concepts through visualization, simulation, and practical application in ways that complement traditional reading materials.

  • ASecuritySite.com: Tons of informal resources regarding many different encryption schemes and protocols.
  • hax Playground: Formally verify your Rust code by translating it into F* and other languages.
  • Learn Me a Bitcoin: Comprehensive online resource for learning how Bitcoin works.
  • Noise Explorer: An online engine for reasoning about Noise Protocol Framework handshake patterns.
  • Protocol Ladder: Computer-aided cryptographic proofs of simple protocols, formalized in different tools.
  • Rijndael Cipher: Animation explaining AES's internal structure.
  • The New Illustrated TLS Connection: Every byte of a TLS connection explained and reproduced.
  • Verifpal: Cryptographic protocol analysis for students and engineers.
  • More to be added soon!

Syllabus and Course Schedule

A PDF copy of the Fall 2025 syllabus is available.

Part 1: Provable Security

Part 1 explores the theoretical underpinnings of modern cryptography through the lens of provable security. Starting with introductory concepts and perfect secrecy in the one-time pad, we progressively build a rigorous framework for understanding and analyzing cryptographic primitives. We examine fundamental building blocks like pseudorandom generators, functions, and permutations, then advance to encryption schemes secure against increasingly powerful adversaries—from passive eavesdroppers to active attackers who can manipulate ciphertexts. The section also covers essential cryptographic tools including collision-resistant hash functions, digital signatures, and key exchange protocols. Throughout these topics, we emphasize formal security definitions, reduction proofs, and the connections between theoretical security guarantees and practical implementations. By the end of this section, students will have developed a comprehensive understanding of provable security techniques that form the foundation for analyzing and designing secure cryptographic systems.

Topic 1.1: Introduction

This introduction establishes the foundation for the entire course by covering the scope, objectives, and structure of applied cryptography. We'll discuss key themes that will recur throughout the semester, including the balance between theory and practice, the importance of formal security definitions, and the evolution of cryptographic thinking. Students will gain a clear understanding of what to expect from the course and how the various topics connect to form a coherent framework for secure system design.

Required Readings

  • The Joy of Cryptography, Chapter 0: Review of Concepts & Notation.

Optional Readings

Topic 1.2 (Midterm): One-Time Pad & The Provable Security Mindset

This topic introduces the concept of perfect secrecy through the One-Time Pad (OTP) encryption system and explores its mathematical proof of unconditional security. While theoretically unbreakable, we'll examine the severe practical limitations that make OTP challenging to deploy in real-world systems, including key generation, distribution, and management problems. The topic then transitions to Kerckhoffs's fundamental principle—that a cryptosystem should remain secure even if everything about the system, except the key, is public knowledge. We'll discuss how this principle has shaped modern cryptographic design philosophy and why security through obscurity fails as a long-term strategy for protecting sensitive information.

Required Readings

  • The Joy of Cryptography, Chapter 0: Review of Concepts & Notation.
  • The Joy of Cryptography, Chapter 1: One-Time Pad & The Provable Security Mindset.

Topic 1.3 (Midterm): Provable Security & Computational Cryptography

This topic begins by delving into the rigorous mathematical frameworks that allow cryptographers to provide formal security guarantees for cryptographic schemes. We'll examine how precise definitions of security properties create a foundation for meaningful analysis, and explore various adversarial models that capture different threat scenarios. The concept of reduction—proving that breaking a scheme is at least as hard as solving some well-studied mathematical problem—will be thoroughly explored. We then transition to modern computational cryptography, moving from unconditional security to a more practical approach where security is defined against computationally bounded adversaries. Students will learn about indistinguishability as a fundamental security concept, the bad-event technique for security proofs, and birthday probabilities in cryptographic attacks. The session provides essential mathematical foundations for understanding modern cryptographic security, including quantitative intuition about large numbers (like 2^128) and tiny probabilities (like 2^-80) that define practical security boundaries, preparing students for subsequent topics in pseudorandomness.

Required Readings

  • The Joy of Cryptography, Chapter 2: Rudiments of Provable Security.
  • The Joy of Cryptography, Chapter 4: Modern Computational Cryptography.

Topic 1.4 (Midterm): Pseudorandomness

This topic explores three fundamental pseudorandom primitives that enable practical cryptography. Pseudorandom generators (PRGs) solve one-time pad's key length limitation by expanding short seeds into longer outputs indistinguishable from random. Pseudorandom functions (PRFs) extend this by creating massive virtual dictionaries mapping inputs to pseudorandom outputs, allowing parties with a shared secret to derive unlimited pseudorandom data. Pseudorandom permutations (PRPs), also called block ciphers, provide both forward and inverse operations indistinguishable from random permutations. We'll examine key constructions including GGM (building PRFs from PRGs), the Feistel network (building invertible PRPs from non-invertible PRFs), and the PRF-PRP switching lemma that enables interchangeability in security proofs. Throughout, we'll emphasize crucial security principles like the PRF "Golden Rule" of preventing input repetition.

Required Readings

  • The Joy of Cryptography, Chapter 5: Pseudorandom Generators.
  • The Joy of Cryptography, Chapter 6: Pseudorandom Functions.
  • The Joy of Cryptography, Chapter 7: Pseudorandom Permutations.

Optional Readings

Topic 1.5 (Midterm): Chosen-Plaintext & Chosen-Ciphertext Attacks

This topic explores advanced security models for symmetric-key encryption, beginning with chosen-plaintext attack (CPA) security, where ciphertexts must be indistinguishable from random strings. We'll examine why deterministic encryption cannot achieve this security level and explore solutions including randomized PRF-based schemes and block cipher modes like CBC and CTR, while explaining why ECB mode remains fundamentally insecure. The topic then advances to chosen-ciphertext attacks (CCA), where adversaries can decrypt chosen ciphertexts, demonstrating how even CPA-secure schemes like CTR mode remain vulnerable due to their malleability. We'll analyze practical format-oracle attacks that exploit information leakage during decryption to recover entire plaintexts, and examine how preventing adversaries from creating valid modified ciphertexts is essential for achieving comprehensive CCA security in real-world systems.

Required Readings

  • The Joy of Cryptography, Chapter 8: Chosen-Plaintext Attacks.
  • The Joy of Cryptography, Chapter 9: Chosen-Ciphertext Attacks.

Optional Readings

Topic 1.6 (Midterm): Collision-Resistant Hash Functions

This topic explores collision-resistant hash functions, cryptographic primitives that convert arbitrary-length inputs to fixed-length outputs while making it computationally infeasible to find colliding inputs. We'll examine three essential properties—collision resistance, preimage resistance, and second preimage resistance—while exploring practical applications in password storage, data integrity verification, and proof-of-work systems. The topic introduces the counterintuitive birthday paradox, demonstrating why collisions can be found after approximately square-root-many attempts rather than brute force. We'll survey hash function evolution from broken algorithms like MD5 and SHA-1 to modern standards like SHA-2, SHA-3, and BLAKE3, while analyzing vulnerabilities including precomputation attacks using rainbow tables and length extension weaknesses in Merkle-Damgård constructions. The topic covers critical defensive techniques including properly salting hashes and implementing specialized password hashing algorithms like PBKDF2 and memory-hard functions such as Scrypt, which resist hardware acceleration attacks by requiring significant memory resources, providing comprehensive guidance for secure hash function implementation in real-world systems.

Required Readings

  • The Joy of Cryptography, Chapter 10: Collision-Resistant Hash Functions.
  • The Joy of Cryptography, Chapter 12: Random Oracles and Other Idealized Models.

Optional Readings

Topic 1.7 (Midterm): Hard Problems & Diffie-Hellman

This topic explores computational hardness problems that form the cornerstone of modern public-key cryptography, with particular focus on the discrete logarithm problem that underpins Diffie-Hellman key exchange. We'll examine how complexity theory provides a framework for classifying problems based on their computational difficulty, covering fundamental complexity classes including P, NP, and the famous unsolved P vs. NP problem. The topic then investigates the discrete logarithm problem in detail, analyzing its computational complexity and known algorithms, before exploring how this hard problem enables the revolutionary Diffie-Hellman protocol that allows two parties to establish a shared secret over an insecure channel. We'll examine the mathematical foundations of DH using modular exponentiation in prime fields, the computational hardness assumptions (CDH and DDH) that underpin its security, and protocol variants including anonymous and authenticated DH. The topic concludes by analyzing practical implementation considerations, security pitfalls, and how theoretical hardness assumptions translate into real-world cryptographic security.

Required Readings

  • Jean-Philippe Aumasson, Serious Cryptography, 2nd Edition. Chapter 9: Hard Problems, No Starch Press, 2024.
  • Jean-Philippe Aumasson, Serious Cryptography, 2nd Edition. Chapter 11: Diffie-Hellman, No Starch Press, 2024.

Optional Readings

Topic 1.8 (Midterm): Elliptic Curves & Digital Signatures

This topic explores elliptic curve cryptography (ECC), an approach that provides stronger security with smaller keys than traditional cryptosystems like RSA. We'll examine the mathematical foundations of elliptic curves and their group structure supporting point addition and scalar multiplication operations. The topic covers the elliptic curve discrete logarithm problem (ECDLP) that underpins ECC's security, and how it enables efficient implementations of key exchange (ECDH) and digital signatures (ECDSA and EdDSA/Ed25519). We'll analyze the advantages of ECC, including faster signing operations and significantly shorter keys and signatures compared to RSA, while examining critical implementation considerations that affect security. The topic concludes with guidance on selecting appropriate curves, comparing standardized options like NIST curves and Curve25519, and exploring potential vulnerabilities including invalid curve attacks, randomness failures, and interoperability challenges in modern ECC deployments.

Required Readings

  • Jean-Philippe Aumasson, Serious Cryptography, 2nd Edition. Chapter 12: Elliptic Curves, No Starch Press, 2024.

Optional Readings

Part 2: Real-World Cryptography

Part 2 shifts from theoretical foundations to practical applications, examining how cryptographic principles are implemented in real-world systems. We begin with secure messaging protocols that provide forward secrecy and post-compromise security through ratcheting mechanisms, then explore authenticated key exchange protocols that secure communications against active adversaries. The section covers advanced concepts like zero-knowledge proofs that enable proving knowledge without revealing secrets, and post-quantum cryptography designed to resist attacks from quantum computers. We examine critical infrastructure protocols like TLS that secure internet communications, cloud security applications of cryptography, and analyze significant cryptographic failures to extract valuable design lessons. The course then investigates formal verification and high-assurance implementations that provide mathematical guarantees of security, specialized cryptography in cryptocurrencies, secure multiparty computation enabling joint computation without revealing inputs, and privacy-preserving technologies that protect sensitive information while enabling useful computation. By connecting theoretical foundations to practical systems, students will develop the knowledge needed to evaluate, implement, and design secure cryptographic solutions for complex real-world environments.

Topic 2.1 (Final): Transport Layer Security

This topic examines the Transport Layer Security (TLS) protocol, the backbone of secure communication on the internet that secures billions of connections daily. We'll explore the evolution from SSL to modern TLS 1.3, analyzing the protocol architecture, handshake process, and the cryptographic primitives deployed at each stage. The session covers key exchange mechanisms, authentication methods, and the cipher suites that provide confidentiality and integrity protections. Students will learn about certificate validation, trust models, and the public key infrastructure (PKI) that underpins TLS security. We'll also investigate significant vulnerabilities that have affected TLS implementations throughout its history, including FREAK, Logjam, Heartbleed, and POODLE, analyzing how these vulnerabilities arose and the mitigations developed in response. The topic concludes with practical deployment considerations, performance optimizations like session resumption and 0-RTT, and the security trade-offs encountered when configuring TLS in production environments.

Required Readings

  • Jean-Philippe Aumasson, Serious Cryptography, 2nd Edition. Chapter 13: TLS, No Starch Press, 2024.

Optional Readings

Topic 2.2: The Story of RC4

This topic presents a biographical narrative of RC4 (Rivest Cipher 4), tracing its remarkable journey from promising youth to eventual downfall in cryptographic history. We'll examine RC4's birth as a proprietary stream cipher at RSA Security in 1987, its meteoric rise to become the most widely deployed stream cipher in the world, and its golden era powering protocols like WEP, SSL, and TLS due to its simplicity and performance advantages. The topic then chronicles RC4's gradual decline as researchers uncovered a series of increasingly devastating weaknesses, starting with the 2001 Fluhrer-Mantin-Shamir attack on WEP, through the 2013 discovery of extensive biases in RC4-generated keystreams that enabled practical attacks against TLS, culminating in the 2015 "Bar Mitzvah" and RC4 NOMORE attacks that could recover passwords and other sensitive information from encrypted connections. We'll analyze how the security community responded to these revelations, including browser vendors' gradual restriction of RC4 ciphersuites and the IETF's eventual formal prohibition of RC4 in TLS in 2015. Along the way we'll draw broader lessons about cryptographic lifecycle management and the importance of formal security analysis, and consider how the story of RC4 exemplifies both the evolution of cryptanalytic techniques and the challenges of maintaining backward compatibility in security protocols.

Required Readings

  • None.

Optional Readings

Topic 2.3 (Final): Secure Messaging

This topic traces the evolution of secure messaging from early failures to modern protocols, examining how cryptographic innovation has shaped private communication. We begin with PGP's usability challenges and fundamental limitations, understanding why "Johnny Can't Encrypt" despite decades of effort. The topic then explores Off-the-Record (OTR) messaging's revolutionary features—forward secrecy through ephemeral keys, deniable authentication via MACs instead of signatures, and automatic key exchange—demonstrating how synchronous protocols solved many of PGP's problems. We dive deep into authenticated key exchange protocols like SIGMA, examining how they prevent man-in-the-middle attacks while maintaining identity protection. The discussion covers proper key derivation functions (HKDF) for deriving multiple keys from shared secrets, addressing the shortcomings of ad-hoc approaches. We then transition to Signal's asynchronous messaging architecture, analyzing X3DH key exchange and the Double Ratchet's elegant combination of symmetric and Diffie-Hellman ratcheting. The topic critically examines post-compromise security's promises versus reality, revealing through formal analysis why perfect healing is impossible in practical systems that must handle state loss. We also contrast Signal's approach with alternatives like Telegram's controversial design choices. Throughout, we'll analyze the fundamental trade-offs between security guarantees, usability, and real-world deployment constraints that shape how billions of messages are protected daily. We'll also examine modern extensions including secure group messaging protocols like MLS (Messaging Layer Security) that scale encrypted conversations to thousands of participants.

Required Readings

  • The Joy of Cryptography, Chapter 17: Encrypted Messaging & Ratcheting.

Optional Readings

Topic 2.4 (Final): End-to-End Encrypted Cloud Storage

This topic examines end-to-end encrypted (E2EE) cloud storage systems, addressing the fundamental challenge of protecting user data from cloud providers while maintaining usability. We begin by contrasting regular cloud storage (where providers control encryption keys) with E2EE storage (where users control keys), exploring the security guarantees and usability trade-offs inherent in each approach. The topic analyzes critical failures in deployed E2EE storage systems, including the MEGA attacks that exploited missing integrity protection and weak password hashing to achieve complete key recovery, and the Nextcloud vulnerabilities that forced the company to disable core features due to authentication flaws and implementation bugs. We examine WhatsApp's encrypted backup system as a case study, analyzing both its innovative use of hardware security modules (HSMs) with the OPAQUE protocol for password-based key recovery, and its limitations including trust assumptions and specification ambiguities. The topic explores advanced authentication approaches beyond simple password hashing, including zero-knowledge protocols like SRP and OPAQUE that prevent offline dictionary attacks. We conclude by studying a formal treatment of E2EE cloud storage that demonstrates how to design provably secure protocols using standard cryptographic primitives, clean key hierarchies, and formal security analysis. Throughout, we emphasize that security requires more than encryption—authentication, integrity, and careful protocol design are equally critical—and that formal analysis before deployment is essential to avoid the costly failures seen in real-world systems.

Required Readings

Optional Readings

Topic 2.5 (Final): High-Assurance Cryptography

This topic explores high-assurance cryptography, examining how computer-aided cryptography (CAC) tools address the notorious difficulty of correctly designing, implementing, and deploying cryptographic systems. We'll analyze the three levels of complexity—design, implementation, and deployment—where subtle flaws can compromise security, understanding how formal verification provides mathematical guarantees at each level. The topic covers both symbolic and computational approaches to design-level security, comparing tools like ProVerif and Tamarin for protocol analysis with CryptoVerif and F* for computational proofs. Students will learn how modern verification techniques enable both functional correctness and performance optimization, challenging the traditional trade-off between verified code and speed. We'll examine implementation-level security challenges including side-channel attacks and constant-time programming, understanding how CAC tools can prove absence of timing leaks. The topic includes hands-on exploration of tools like the hax playground for extracting formal models from Rust code. Through a detailed case study of TLS 1.3's development, we'll see how formal methods transformed protocol design from reactive patching to proactive verification, discovering real vulnerabilities and influencing standardization. By understanding these high-assurance techniques, students will be equipped to apply formal methods to their own cryptographic implementations, bridging the gap between theoretical security and practical deployment.

Required Readings

  • Manuel Barbosa, Gilles Barthe, Karthikeyan Bhargavan, Bruno Blanchet, Cas Cremers, Kevin Liao and Bryan Parno, SoK: Computer-Aided Cryptography, IEEE Symposium on Security and Privacy, 2021.

Optional Readings

Topic 2.6 (Final): Post-Quantum Cryptography

This topic explores post-quantum cryptography, which addresses the threat quantum computers pose to current cryptographic systems. We'll examine how quantum algorithms like Shor's can break widely-used public-key cryptography based on factoring and discrete logarithms, while Grover's algorithm reduces symmetric-key security by effectively halving key lengths. The topic introduces the Learning With Errors (LWE) problem as a foundation for post-quantum cryptography, explaining how its computational hardness against quantum attacks makes it suitable for building secure cryptographic primitives. We'll analyze practical LWE-based key exchange protocols that form the basis for NIST's standardized post-quantum schemes like ML-KEM. Students will understand both the theoretical foundation of quantum-resistant cryptography and the practical considerations for implementing these systems in real-world applications, preparing them for the transition to a post-quantum cryptographic landscape.

Required Readings

Optional Readings

Topic 2.7: Cryptocurrency Cryptography

This topic examines the cryptographic foundations of cryptocurrencies, tracing the evolution from Bitcoin's revolutionary peer-to-peer electronic cash system to Ethereum's programmable blockchain and modern scaling solutions. We begin with Bitcoin's elegant solution to the double-spending problem through proof-of-work consensus, exploring how cryptographic primitives like digital signatures, hash functions, and Merkle trees enable trustless digital money without central authorities. The topic analyzes Bitcoin's UTXO model, mining economics, difficulty adjustment mechanisms, and the security guarantees provided by computational work. We then transition to Ethereum's innovations, examining how smart contracts extend blockchain functionality beyond simple payments to enable complex decentralized applications through the Ethereum Virtual Machine (EVM). Students will learn about Solidity programming, understand critical security vulnerabilities like reentrancy attacks, and explore Ethereum's transition from proof-of-work to proof-of-stake consensus. The topic concludes with an in-depth analysis of Layer 2 scaling solutions, comparing state channels, sidechains, optimistic rollups, and zero-knowledge rollups that achieve higher throughput while inheriting Layer 1 security. Throughout, we'll examine the fundamental trade-offs between decentralization, security, and scalability that shape cryptocurrency design, preparing students to understand and contribute to the rapidly evolving blockchain ecosystem.

Required Readings

Optional Readings

Topic 2.8 (Final): Zero-Knowledge Proofs

This topic explores zero-knowledge proofs, a cryptographic innovation that enables proving knowledge of information without revealing the information itself. We begin with the fundamental paradox: how can one convince a verifier of knowing a secret while revealing nothing about it? The topic introduces the three essential properties—completeness (honest provers succeed), soundness (dishonest provers fail), and zero-knowledge (no information leakage)—through concrete examples like the Schnorr identification protocol. We examine Sigma protocols as a general framework for interactive zero-knowledge proofs, understanding their characteristic three-message structure and how they can prove complex statements through AND/OR compositions. The topic then explores the Fiat-Shamir transformation, which converts interactive proofs into non-interactive ones using hash functions, enabling applications like digital signatures and blockchain protocols. We analyze the shift from custom protocols to general-purpose zero-knowledge systems based on arithmetic circuits, allowing developers to prove arbitrary computations while hiding sensitive inputs. The topic includes critical analysis of recent attacks on Fiat-Shamir that demonstrate the fragility of theoretical security in practice. Finally, we examine real-world deployments including Zcash's privacy-preserving cryptocurrency and Google's recent open-source initiative for age verification, exploring how zero-knowledge proofs are transitioning from academic theory to mainstream technology that could fundamentally reshape online privacy and digital identity.

Required Readings
Optional Readings
Slides Topic 2.9

Secure Multiparty Computation

This topic explores Secure Multiparty Computation (MPC), a powerful cryptographic paradigm that enables multiple parties to jointly compute functions over their private inputs without revealing those inputs to each other. We'll examine the theoretical foundations of MPC, including feasibility results, security models, and the distinctions between semi-honest and malicious adversaries. The topic covers core MPC techniques including Yao's garbled circuits, secret sharing schemes like Shamir's threshold method, and oblivious transfer protocols that enable secure two-party computation. Students will learn about practical MPC frameworks and implementations such as SCALE-MAMBA, MP-SPDZ, and EMP-toolkit, analyzing their performance characteristics and security guarantees. We'll investigate applications of MPC across various domains, including private data analysis, secure auctions, privacy-preserving machine learning, and confidential financial systems. The topic also addresses performance optimizations like preprocessing, circuit minimization, and communication-efficient protocols that make MPC increasingly practical for real-world use. We'll conclude with case studies of deployed MPC systems, examining how these technologies overcome real-world implementation challenges to enable secure collaboration while maintaining strict privacy guarantees.
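To make the secret-sharing side of this concrete, here is an added Python example (not code from the course or from any of the frameworks named above). It implements Shamir's threshold scheme over a prime field, uses it for a semi-honest secure sum in which servers add the shares they hold without ever seeing an input, and shows why t-1 shares reveal nothing: any such set is consistent with every possible secret. The field modulus and the server count are constructed choices for the example.

```python
"""Shamir secret sharing and a semi-honest secure sum computed on shares."""
import secrets
from typing import Dict, List

# Field modulus (constructed choice): the Mersenne prime 2^61 - 1.
PRIME = (1 << 61) - 1


def share(secret: int, t: int, n: int) -> Dict[int, int]:
    """Split secret into n shares; any t of them reconstruct it, fewer reveal nothing.
    Shares are points (i, f(i)) on a random degree-(t-1) polynomial with f(0) = secret."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(t - 1)]

    def f(x: int) -> int:
        acc = 0
        for a in reversed(coeffs):  # Horner evaluation, highest coefficient first
            acc = (acc * x + a) % PRIME
        return acc

    return {i: f(i) for i in range(1, n + 1)}


def interpolate(points: Dict[int, int], x: int) -> int:
    """Lagrange interpolation: evaluate at x the unique polynomial of degree
    len(points)-1 passing through the given (index, value) points."""
    total = 0
    for i, yi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (x - j) % PRIME
                den = den * (i - j) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def reconstruct(shares: Dict[int, int]) -> int:
    """Recover the secret f(0) from at least t shares."""
    return interpolate(shares, 0)


def missing_share_for(partial: Dict[int, int], claimed_secret: int, x: int) -> int:
    """Perfect secrecy made concrete: given t-1 shares and ANY claimed secret, return
    the value a missing share at index x would need so that reconstruction yields
    the claimed secret. Since this always exists, t-1 shares carry no information."""
    points = dict(partial)
    points[0] = claimed_secret % PRIME
    return interpolate(points, x)


def secure_sum(inputs: List[int], t: int, n: int) -> int:
    """Semi-honest secure sum: each party shares its input among n servers; every
    server adds the shares it holds (sharing is linear, so the sums are shares of
    the total); any t servers then reconstruct the total, never an individual input."""
    held: Dict[int, int] = {i: 0 for i in range(1, n + 1)}
    for value in inputs:
        for i, s in share(value, t, n).items():
            held[i] = (held[i] + s) % PRIME
    reconstructing_servers = {i: held[i] for i in range(1, t + 1)}
    return reconstruct(reconstructing_servers)


if __name__ == "__main__":
    # Constructed inputs: three parties' private salaries, summed by five servers, threshold 3.
    print("secure sum:", secure_sum([4200, 3900, 5100], t=3, n=5))
    shares = share(42, 3, 5)
    partial = {1: shares[1], 2: shares[2]}
    forged = missing_share_for(partial, 999, 3)
    print("two shares are consistent with secret 999:", reconstruct({**partial, 3: forged}) == 999)
```

The protocol is secure only against semi-honest servers, the model the topic introduces first: a server that sends a wrong share sum is not detected here, which is the gap that malicious-security protocols (and the authenticated sharings used by SPDZ-style frameworks) close.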

Required Readings
Slides Topic 2.10

Creative Cryptography

This topic explores timelock encryption, a fascinating cryptographic innovation that enables messages to be encrypted such that they can only be decrypted after a predetermined time has elapsed. We'll examine both the theoretical foundations and practical implementation of timelock encryption using the League of Entropy, an existing threshold network that produces threshold BLS signatures, which the scheme uses within Boneh and Franklin's identity-based encryption (IBE) framework. The topic demonstrates how this network, which broadcasts BLS signatures for each time interval (round number), effectively functions as a decentralized key custodian that periodically publishes private keys for an IBE system where identities correspond to specific time periods. We'll analyze the elegant design that requires cryptographic operations only from encryptors and decryptors while allowing the threshold network to remain unmodified and unaware of the timelock functionality. Students will gain hands-on experience with an open-source implementation of this scheme and explore a production-ready web interface utilizing the League of Entropy's distributed randomness beacon service. This creative application of cryptography showcases how existing cryptographic primitives can be combined in innovative ways to enable entirely new functionalities, inspiring students to think beyond conventional applications as they develop their own cryptographic solutions.

Required Readings

Assignments & Lab Projects

Check the Syllabus for detailed information on class grading criteria, as well as how lab projects, problem sets and exams will be designed and presented.

Problem Sets

Problem sets will be assigned periodically throughout the semester to reinforce and deepen your understanding of the lecture material. Each set will include a range of exercises—some focused on theoretical proofs and problem-solving, others requiring short coding tasks or computational experiments. These assignments are designed to bridge the gap between abstract cryptographic concepts and their concrete applications. You are encouraged to start working on each problem set early and to seek guidance during office hours or lab project sessions if you encounter difficulties.

Problem Set 1: Provable Security Foundations

This problem set focuses on the fundamental concepts of provable security covered in the first three topics of the course. It consists of four main sections: Cryptographic Foundations, which tests your understanding of basic security goals and perfect secrecy; Provable Security, which explores library interchangeability and formal security proofs; Computational Cryptography, which examines computational security concepts, distinguishability, and the bad events technique; and Application of Cryptographic Principles, which challenges you to analyze block cipher modes, evaluate real-world implementations, and design secure protocols. The assignments blend theoretical analysis with practical applications, requiring you to demonstrate both mathematical reasoning and applied cryptographic thinking. A bonus challenge on the discrete logarithm problem offers extra credit for those wanting to explore advanced concepts.

Problem Set 2: Symmetric Cryptography

This problem set explores symmetric cryptography fundamentals covered in topics 1.4, 1.5 and 1.6, addressing four key areas: pseudorandomness, encryption security models, hash functions, and practical applications. In pseudorandomness, you'll analyze PRG constructions, PRF security requirements including the "Golden Rule," and Feistel cipher properties. The encryption security section examines why deterministic encryption fails CPA security, format oracle attacks against CPA-secure schemes, and authenticated encryption constructions including AES-GCM. The hash function component investigates collision resistance properties, construction methods like Merkle-Damgård versus Sponge, and specialized password hashing algorithms including memory-hard functions. Real-world case studies challenge you to apply these concepts to file storage systems, software update verification, and password management implementations.

Problem Set 3: Asymmetric Cryptography

This problem set covers topics 1.7 and 1.8, focusing on cryptographic hardness foundations, Diffie-Hellman security, and elliptic curves. You'll analyze implications of mathematical breakthroughs like P=NP, evaluate discrete logarithm security, and assess parameter selection. The Diffie-Hellman section explores attack scenarios, man-in-the-middle defenses, and SSH trust models. For elliptic curves, you'll examine curve selection, invalid curve attacks, and implementation vulnerabilities including side-channel attacks. Applied case studies challenge you to design key exchange protocols, analyze cryptocurrency signatures, and architect secure communication systems. Throughout, assignments balance mathematical analysis with practical deployment considerations.

Problem Set 4: Secure Channel Protocols

This problem set explores real-world cryptographic protocols from topics 2.1, 2.2, and 2.3: Transport Layer Security, RC4 cryptanalysis, and secure messaging. The TLS section analyzes attack scenarios including downgrade vulnerabilities and certificate compromises, while examining TLS 1.3's design decisions around forward secrecy and cryptographic agility. The RC4 component investigates stream cipher vulnerabilities through WEP forensics, emphasizing cryptographic lifecycle management. The secure messaging section compares PGP and Signal's designs, analyzes authenticated key exchange protocols, and identifies flaws in broken ratcheting protocols. Throughout, assignments balance theoretical security analysis with practical deployment considerations, examining real-world trade-offs in protocol design and migration strategies. A bonus challenge offers deeper exploration into formal verification's impact on TLS 1.3, RC4's cryptanalytic timeline, or modern messaging protocol convergence.

Problem Set 5: End-to-End Encrypted Cloud Protocol Design

This problem set challenges you to design a complete end-to-end encrypted cloud storage system based on topic 2.4, learning from the failures of MEGA and Nextcloud. Unlike previous assignments, this open-ended design challenge requires creative protocol development and rigorous security analysis. You'll develop a comprehensive threat model addressing adversary capabilities and the "mud puddle test," design a key hierarchy supporting password-based authentication while preventing offline attacks, and specify protocols for file operations and secure sharing. The assignment covers practical implementation challenges including multi-device synchronization, performance optimization, and scalability to millions of users. You'll provide formal security analysis, demonstrating how your protocol prevents attacks that compromised existing systems. A bonus challenge offers the opportunity to extend your design with advanced features like secure computation on encrypted data, post-compromise security, or decentralized trust architectures. This project synthesizes course concepts into a practical system design that balances security, usability, and performance.

Problem Set 6: High-Assurance Cryptography

This problem set explores high-assurance cryptography and formal verification from topic 2.5, covering design-level security, implementation security, and practical computer-aided cryptography. In design-level security, you'll analyze trade-offs between symbolic (ProVerif) and computational (CryptoVerif) verification approaches and tackle tool selection for protocols combining TLS 1.3 with post-quantum mechanisms. The implementation security section examines constant-time programming challenges, compiler optimizations that break security guarantees, and hardware-level timing attacks. The computer-aided cryptography component investigates verification success stories like HACL*'s Firefox integration and the hax toolchain for extracting formal models from Rust. Throughout, assignments emphasize the gap between theoretical verification and practical deployment, exploring both the power and limitations of formal methods. A bonus challenge examines trust boundaries and deployment vulnerabilities that could bypass formal verification guarantees.

Problem Set 7: Post-Quantum Cryptography

This problem set covers post-quantum cryptography from topic 2.6, examining the quantum threat and transition to quantum-resistant algorithms. The first section explores quantum computing's impact, analyzing how Shor's and Grover's algorithms affect cryptographic primitives and the store-now-decrypt-later threat. The second section focuses on post-quantum protocol design, examining hybrid key agreement in TLS 1.3 with X-Wing KEM, deployment challenges like ClientHello size limits, and comparing approaches like Apple's PQ3 versus Signal's PQXDH. The final section addresses algorithm selection and migration engineering, covering choices between ML-KEM, ML-DSA, and SLH-DSA, strategies for handling large keys and signatures, and backwards compatibility challenges. Throughout, assignments emphasize real-world deployment considerations, balancing security requirements with practical constraints. A bonus challenge involving Dr. Quantum's musical quantum computer explores attack strategies and the phenomenon of quantum rickrolling interference.

Problem Set 8: Zero-Knowledge Proofs

This problem set covers zero-knowledge proof concepts from topic 2.8, exploring the foundations and applications of proving knowledge without revealing information. The first section examines zero-knowledge properties through the Schnorr identification protocol, analyzing completeness, soundness via extraction, and the simulation paradigm that enables deniability. The second section focuses on Sigma protocols and composition, demonstrating how to build complex proofs including OR proofs for anonymous systems and AND proofs for proving equality of discrete logarithms across multiple platforms. The third section explores the Fiat-Shamir transformation from interactive to non-interactive proofs, examining random oracle assumptions and circuit-based approaches for general-purpose zero-knowledge systems. The final section analyzes real-world applications including Zcash's privacy-preserving transactions and Google's age verification initiative, critically evaluating the implications for privacy infrastructure and adoption challenges. A bonus challenge explores threshold signatures using OR proofs for multi-signature wallets, demonstrating advanced applications of zero-knowledge composition.

Lab Projects

Lab projects will be worked on weekly during lab sessions, which are intended to serve as a hands-on complement to the lectures. Each group of one to three students is expected to pick at most two lab topics and work on them throughout the entire course. During each lab, you will experiment with real-world libraries, and even simulate attacks or vulnerabilities to understand why certain security practices are necessary. These sessions will also help you become comfortable with relevant tools and environments, including formal analysis tools. Attendance is mandatory, and lab participation will be graded based on preparedness, engagement, and the successful completion of in-lab activities. Labs offer an excellent opportunity for collaborative problem-solving and immediate feedback on your work.

Lab Project A: Designing a Password Manager

In this lab project, you will design and implement a secure password manager application. You'll learn about secure password storage techniques, key derivation functions, and encryption methods for sensitive data. The lab will guide you through implementing features such as master password protection, secure password generation, and encrypted storage. You'll also analyze potential vulnerabilities in your system and implement countermeasures to protect against common attacks like password cracking and memory scraping.

Lab Project B: Designing a Secure Messenger

This lab project focuses on building a secure messaging application implementing end-to-end encryption. You'll work with cryptographic libraries to implement key exchange protocols, message encryption, and authentication mechanisms. The lab covers essential features like perfect forward secrecy, deniability, and secure group messaging. You'll also explore practical challenges such as key verification, metadata protection, and secure key storage on devices. By the end of this lab, you'll understand the cryptographic foundations behind modern secure messaging platforms like Signal.

Lab Project C: Protocol Modeling and Verification with ProVerif

In this lab project, you will design and formally verify a Transport Layer Security (TLS)-like protocol using ProVerif, a formal verification tool for cryptographic protocols. This represents your first opportunity to apply formal methods to verify the security properties of a complete cryptographic protocol—one that provides confidentiality, integrity, and authentication for network communications. By designing and verifying this protocol, you'll gain practical experience with cryptographic protocol design, formal verification, and security property specification. Future lab assignments will build upon these skills by incorporating more complex cryptographic protocols and verification scenarios.

Lab Project D: Designing a Battleship Game Using Zero-Knowledge Systems

In this lab project, you will design and implement a zero-knowledge battleship game using RISC Zero, a zero-knowledge virtual machine (zkVM). This represents your first opportunity to apply zero-knowledge proofs to build a complete cryptographic protocol—one that allows players to validate their moves without revealing the entire game state. Zero-knowledge battleship demonstrates how players can validate that their guesses produced the correct result (hit vs. no hit) while learning nothing about the opponent's board except what is explicitly revealed through gameplay. By building this game, you'll gain practical experience with zero-knowledge proofs, zkVMs, and cryptographic protocol design.

Lab Project E: Post-Quantum Cryptography Migration

In this lab project, you will explore the practical challenges of migrating existing systems to post-quantum cryptography. You'll work with NIST's standardized post-quantum algorithms, integrating ML-KEM (Kyber) for key encapsulation and ML-DSA (Dilithium) for digital signatures. This lab guides you through hybrid approaches that combine classical and post-quantum algorithms, ensuring security against both current and future quantum threats. You will start by choosing a target protocol that you wish to devise a post-quantum migration strategy for. Then, you'll analyze performance impacts, message size increases, and integration challenges when replacing pre-quantum primitives (such as RSA or ECDH) with quantum-resistant alternatives. By completing this lab, you'll gain practical experience in implementing post-quantum designs, developing migration strategies for existing systems, and evaluating the trade-offs between different post-quantum algorithm choices for various use cases.

Propose your own lab project!

Take the opportunity to propose and develop your own cryptographic project based on your interests and the concepts covered in the course! You might implement a novel protocol, create a secure application, perform a cryptanalysis of an existing system, or conduct formal verification of a protocol. Your proposal should include your project goals, the cryptographic primitives or techniques you'll explore, implementation details, and how you'll evaluate its security properties. This self-directed project allows you to delve deeper into an area of applied cryptography that particularly interests you while demonstrating your understanding of the course material in a creative and practical context.

The Key Exchange

The Key Exchange is an optional weekly gathering intended to provide additional career training for students intending to become researchers or career professionals in cryptography. Once a week, we will come together to discuss cutting-edge research papers, work on our presentation skills by practicing presenting complex ideas, develop scientific writing skills, and explore career paths in cryptography. Whether you're debugging your first encryption algorithm or designing novel protocols, The Key Exchange provides a supportive environment where questions are encouraged, mistakes become learning opportunities, and everyone has something valuable to contribute. The only prerequisite is your curiosity!

Four-Week Rotating Schedule

Week 1: Paper Deep Dive

Theme: Reading and Understanding Research

Join us for collaborative discussions of seminal and cutting-edge cryptography papers. Learn efficient paper reading strategies (abstract → contributions → methodology → conclusion), practice identifying key contributions and limitations, and engage in collaborative annotation. We'll sometimes explore classics but more often react to the most recent papers from CRYPTO/Eurocrypt/CCS, and accessible papers with clear practical applications.

Skills developed: Critical analysis, technical reading comprehension, identifying research gaps

Week 2: Student Presentations

Theme: Communicating Complex Ideas

Practice your presentation skills with 15-minute talks on cryptographic topics, followed by constructive peer feedback. Topics include explaining cryptographic constructions, analyzing recent attacks or vulnerabilities, presenting lab project progress, or proposing research ideas. We'll also have "lightning talks" for 3-minute research pitches and practice with visual aids and demos.

Skills developed: Public speaking, slide design, handling Q&A, time management

Week 3: Writing Workshop

Theme: Scientific Writing and Documentation

Develop your technical writing through collaborative exercises and peer review sessions. Projects include abstract writing for imaginary papers, blog posts explaining crypto concepts, security audit reports, and research proposals. We'll also cover LaTeX tutorials for papers and security disclosure writing practices.

Skills developed: Technical writing clarity, academic writing style, documentation best practices, peer review skills

Week 4: Career Café

Theme: Professional Development and Pathways

Explore cryptography career paths with industry guest speakers (virtual or in-person), graduate school application workshops, interview preparation sessions, and portfolio/CV reviews. Topics include career paths in cryptography, industry vs. academia decisions, required skills for different roles, and networking strategies.

Skills developed: Professional networking, interview skills, career planning, industry awareness

Special Sessions

Crypto Conference Simulation (Once per semester)

Experience a full academic conference simulation where students present "papers" complete with program committee, reviews, and awards. Professional attire encouraged, with a keynote by faculty or guest speaker. This immersive experience provides insight into the academic conference process and helps build presentation confidence.