Introduction to cryptography

I teach Introduction to cryptography [NDMI100] in the winter semester of 2020/2021. The lecture will cover the basics of both theoretical and practical cryptography, focusing on protocols currently used in the Internet.

The lectures will be held online on Wednesdays from 12:20. You should have received a Zoom link by e-mail.

If you want to consult anything, please write an e-mail to and we will discuss possibilities.

date topics recording
7. 10. Cryptographic primitives: symmetric and asymmetric ciphers, hash functions, random generators. Protocols and roles. Kerckhoffs principle. Simple protocols: multi-party communication, signatures, hybrid ciphers, challenge-response authentication. Puzzle: How to toss a coin over a phone call? How to build an auction protocol? video board
14. 10. Commitment using hash functions. Designing an auction protocol: padding, nonces, sequence numbers, signatures, session IDs. Know your enemy. Basic types of cryptographic attacks. Security level. Different kinds of "Birthday attacks". One-time pad and Vernam's cipher. video board
21. 10. Perfect security and its limits. Secret sharing and threshold schemes (construction with polynomials). Introduction to symmetric ciphers. Block ciphers: trivial examples, an attempt to define security, ideal block ciphers. General constructions: iterated ciphers, substitution-permutation networks, Feistel networks. DES: history, structure. video board
28. 10. No lecture today, choose your own holiday :)
4. 11. DES: key schedule, critique, work-arounds (3-DES). AES a.k.a. Rijndael: history, structure, critique. Further AES finalists: Serpent and Twofish. How to (mis)use a block cipher: padding, modes ECB, CBC, CTR, and OFB; ciphertext stealing. Puzzle: Why is the security level of 2-DES only 57 bits? video board
11. 11. Information leaks in CBC and CTR modes. Padding oracle attacks on CBC. Stream ciphers (briefly): LFSR-based constructions, eSTREAM project, Trivium, RC4, ChaCha20. Hash functions: requirements. video board
18. 11. Hash functions: Merkle-Damgård construction by iterating compression function. How to obtain a compression function: Davies-Meyer construction from a block cipher. Birthday attacks on hash functions. Examples: MD5, SHA-1, SHA-2. Sponge functions: principle and analysis for random permutations. video board
25. 11. Hash functions: Keccak, SHA-3, SHAKE-n and others. Parallel hashing: Merkle trees, Sakura. Symmetric signatures (MACs): construction from hash functions (KMAC and HMAC), different ways of combining a MAC with a cipher. CBC-MAC. Information-theoretic MAC from 2-independent linear functions or from polynomials. video board
2. 12. Plan: Practical polynomial MACs: GCM mode, Poly1305. Generating random bits: pseudo-random generators from symmetric ciphers, physical randomness (LavaRand, circular oscillators, …), combining both – Fortuna, RDRAND, /dev/random. Putting all symmetric cryptography together: a secure channel. Basics of algorithmic number theory: Complexity of arithmetics. Euclid's algorithm and Bézout's coefficients. Multiplicative group modulo N. Little Fermat's and Euler's theorem. Lagrange's theorem on subgroups. Chinese remainder theorem and its constructive version. Computing Euler's function.


This page is maintained by Martin Mareš