Academic Year 2023/2024 - Lecturer: Dario CATALANO

Expected Learning Outcomes

Nowadays data controllers must design information systems that provide the highest possible privacy guarantees. A fundamental enabler to achieve this is cryptography.

This class is intended to provide an introduction to the main concepts of modern cryptography and their usage to protect data and build secure systems. The main focus will be on constructions of various building blocks, such as encryption schemes, message authentication codes and digital signatures. We will try to understand what properties we expect from these objects, how to define these properties and how to construct schemes that realize them. We will also focus on schemes that are widely used in practice. These include, for instance, AES, SHA, HMAC and RSA. However, rather than using these tools as black boxes, we will show how they are built and the security level they provide. No programming will be required for this class.

The goals of this course, in terms of expected results, are

  1. Knowledge and understanding. Students will learn the fundamental ideas and principles underlying modern cryptography and modern secure systems.
  2. Applying knowledge and understanding. On completion, the student will be able to securely use cryptographic tools like encryption schemes and digital signatures and to understand their exact role in secure systems.
  3. Making judgements. By studying concrete examples and common mistakes, students will learn how to use solutions that provide high security guarantees.
  4. Communication skills. On completion, students will acquire communication skills that will allow them to fluently communicate using the technical language of computer security.
  5. Learning skills. On completion, students will acquire methodologies that will allow them to securely deal with problems that require the usage of secure solutions.

Course Structure

Lecture based (via slides). 

Should teaching be carried out in mixed mode or remotely, it may be necessary to introduce changes with respect to previous statements, in line with the programme planned and outlined in the syllabus.

Required Prerequisites

Basics of Discrete math

Basics of Algorithms

Attendance of Lessons

Not mandatory but strongly suggested

Detailed Course Content

Introduction to the main ideas of this class.

Source: Chapter 1 from [1]

A look back: Classical Ciphers and One Time Pad. Shift cipher and substitution cipher. Cryptanalysis of the substitution cipher. Perfect Security. The substitution cipher does not guarantee perfect security. One time pad. One time pad provides perfect security.

Source: Chapter 2 from [1]

Block Ciphers – AES. The block cipher Rijndael. Pseudorandom functions and relations to block ciphers. AES in practice. Birthday Paradox.

Source: Chapters 3, 4 from [1]

Symmetric encryption: Modes of operation. ECB, CBC$, CTRC and CTR$. Security notions for symmetric encryption.

Source: Chapter 5 from [1]

Integrity and Hash functions. Collision resistant hash functions. Generic attacks to collision resistance. SHA3.

Source: Chapter 6 from [1]

Message Authentication. Notion of security for MACs. The PRF as a MAC paradigm. CBC-MAC. HMAC.

Source: Chapter 7 from [1]

Intro to asymmetric cryptography. One way functions and Trapdoor (one-way) functions. Number theory basics. Discrete logarithms. Computational Diffie-Hellman problem and Key Exchange. Factoring and RSA.

Source: Chapters 9, 10 from [1], relevant parts from [2]

Asymmetric encryption. Notions of security for asymmetric cryptosystems. The El-Gamal encryption scheme. Homomorphic Encryption (basics). RSA-OAEP.

Source: Chapter 11 from [1] and slides

Digital Signatures. A notion of security for digital signatures. The Hash then invert paradigm for digital signatures. Digital Signatures in practice.

Source: Chapter 12 from [1].

Bonus Applications: Differential Privacy basics and Bitcoin 

Source: Slides and Chapter 2 of [4]

Textbook Information

[1] M. Bellare, P. Rogaway “Introduction to Modern Cryptography” Downloadable from

[2] V. Shoup “A Computational Introduction to Number Theory and Algebra” Downloadable from

[3] J. Katz, Y. Lindell “Introduction to Modern Cryptography” CRC press

[4] A. Miller, A. Narayanan, E. Felten, J. Bonneau, and S. Goldfeder “Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction”. Princeton University Press.

Course Planning

| # | Subjects | Text References |
|---|----------|-----------------|
| 1 | Some classical ciphers and their cryptanalysis. Perfect Security and One time pad. | Chapter 2 from [1] |
| 2 | Block Cipher and AES | Chapters 3, 4 from [1] |
| 3 | Symmetric Encryption | Chapter 5 from [1] |
| 4 | Integrity and Hash Functions | Chapter 6 from [1] |
| 5 | Message Authentication | Chapter 7 from [1] |
| 6 | Intro to Asymmetric Cryptography. One way Functions and Trapdoor Functions. Discrete Logarithms, Factoring and RSA. | Chapters 9, 10 from [1], relevant parts from [2] |
| 7 | Asymmetric encryption. The El-Gamal encryption scheme. Homomorphic Encryption (basics). RSA-OAEP. | Chapter 11 from [1] and slides |
| 8 | Bitcoin. How Bitcoin achieves decentralization. Proof of Work. | Chapter 2 from [4] |

Learning Assessment

Learning Assessment Procedures

The exam consists of a written test followed by an oral exam. The written test typically consists of 5 (open) questions.

To pass the written part one should get a minimum of 18.

Midterms: There might be the possibility of a midterm exam followed by a final exam. The midterm covers the part on asymmetric encryption whereas the final will be on PK cryptography and Bitcoin.

Learning assessment may also be carried out on line, should the conditions require it.

Examples of frequently asked questions and / or exercises

  • Exercises on the crypto primitives (example: show that a given encryption scheme is not secure by providing an attack)
  • Algorithms (example: present and explain some of the algorithms studied in class)