Introduction to cryptography

I teach Introduction to cryptography [NDMI100] in the winter semester of 2019/2020. The lecture will cover the basics of both theoretical and practical cryptography, focusing on protocols currently used on the Internet.

Lectures are scheduled on Wednesdays from 14:00 in S8.

If you want to contact me and consult anything, you are welcome to visit me in room S322 or to write me an e-mail to

date topics
9. 10. Cryptographic primitives: symmetric and asymmetric ciphers, hash functions, random generators. Protocols and roles. Kerckhoffs's principle. Simple protocols: multi-party communication, signatures, message authentication codes, hybrid ciphers, challenge-response authentication. Designing an auction protocol: padding, nonces, sequence numbers, session IDs, signatures. Know your enemy. Basic types of cryptographic attacks. Security level. Puzzle: How to toss a coin over a phone call?
16. 10. Different kinds of "Birthday attacks". One-time pad and Vernam's cipher. Perfect security and its limits. Secret sharing and threshold schemes (construction with polynomials). Commitment using hash functions.
23. 10. Introduction to symmetric ciphers. Block ciphers: trivial examples, an attempt to define security, ideal block ciphers. General constructions: iterated ciphers, substitution-permutation networks, Feistel networks. DES: history, structure, key schedule, critique, work-arounds (3-DES). Similarly for AES a.k.a. Rijndael. Puzzle: Why is the security level of 2-DES only 57 bits?
30. 10. How to (mis)use a block cipher: padding, modes ECB, CBC, OFB, and CTR; ciphertext stealing. Information leaks in CBC and OFB/CTR. Padding oracle attacks on CBC. Stream ciphers: LFSR-based constructions, Trivium.
6. 11. Stream ciphers: RC4, ChaCha20. Hash functions: requirements, Merkle-Damgård construction by iterating compression function. How to obtain a compression function: Davies-Meyer construction from a block cipher, MD5, SHA-1, SHA-2. Sponge functions: principle and analysis for random permutations.
13. 11. Plan: Sponge functions: Keccak, SHA-3, SHAKE-n and others. Birthday attacks on hash functions. Parallel hashing: Merkle trees, Sakura. Symmetric signatures (MACs): construction from hash functions (HMAC), different ways of combining a MAC with a cipher. Information-theoretic MAC from 2-independent linear functions or from polynomials; practical applications: GCM mode, Poly1305. Generating random bits: pseudo-random generators from symmetric ciphers, physical randomness (LavaRand, circular oscillators, …), combining both – Fortuna, RDRAND, /dev/random.


This page is maintained by Martin Mareš