CSE 207B, Fall 2022
Applied Cryptography

  Nadia Heninger (nadiah at cs dot ucsd dot edu)
  Office hours: Tuesdays 2-3pm EBU3B 3138 or outside CSE depending on weather

  Daniel Kleber Office hours Thursdays 12:30-1:30pm EBU3B B240A
  Hayden McTavish Office hours Fridays 11:30-12:30pm EBU3B B240A

  Tuesday/Thursday 11am-12:20pm Warren Lecture Hall 2204

Class Resources:
  Gradebook on Canvas
  Q&A on Piazza


There will be no final exam.

Your grade will be your average homework score.

Course Overview

This is a course on applied cryptography, with a significant focus on cryptanalysis. Topics to be covered include


If you are a CSE graduate student, you should take CSE 202 and do well in it before taking this class. If you are a math grad student, you probably want to have taken a proof-based CS algorithms class, and you will need to be able to program in Python. If you are an undergraduate, you should have taken CSE 107 and gotten an A.

This course is independent of CSE 207A, modern cryptography. Some of the material will overlap, but neither is a prerequisite for the other.

Enrollment and waitlist

The waitlist is being processed by the department according to department rules. If you want to take this class and are still on the waitlist, you should attend the first week of lectures and turn in the first homework.

Tentative Schedule

Topic References Assignments
9/22 Introduction, one-time pad

Lecture slides
Boneh & Shoup Ch. 2.1

Further reading:
Communication theory of secrecy systems Shannon 1949
Cryptanalysis of the Lorenz cipher (video)
Did a broken random number generator in Cuba help expose a Russian espionage network? by Matt Blaze 2020
A History of US Communications Security by David Boak 1973

Homework 1 Available
9/27 PRGs and stream cipher encryption

Lecture slides
Boneh & Shoup Ch. 2.2, Ch. 3.1-3.3

Further reading/Research directions:
All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS by Vanhoef and Piessens
Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS by Garman, Paterson, and Van der Merwe
On the security of RC4 in TLS and WPA by AlFardan, Bernstein, Paterson, Poettering, and Schuldt 2013
The ChaCha family of stream ciphers by Bernstein
Security analysis of pseudo-random number generators with input: /dev/random is not robust by Dodis Pointcheval Ruhault Vergnaud Wichs 2013
9/29 Block ciphers

Lecture slides
Boneh & Shoup Ch. 4.1-4.2

Further reading/Research directions:
Biclique Cryptanalysis of the Full AES by Bogdanov, Khovratovich, and Rechberger 2011
Homework 2 Available
10/4 PRFs, chosen plaintext attacks, block cipher modes of operation

Lecture slides
Boneh & Shoup Ch. 4.4, Ch. 5

Further reading/research:
Stealthy Dopant-Level Hardware Trojans by Becker, Regazzoni, Paar, Burleson 2013
Homework 1 Due
10/6 Message authentication codes and message integrity; problems with CBC mode

Lecture slides
Boneh & Shoup Ch. 6

Further reading:
Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... by Vaudenay 2002
Here come the xor ninjas by Duong and Rizzo 2011
Compression and information leakage of plaintext by Kelsey 2002
The CRIME attack by Rizzo and Duong 2012
Homework 3 Available
10/11 Hash functions

Lecture slides
Boneh & Shoup Ch. 8

Further reading/research directions:
A cryptanalytic time-memory tradeoff by Hellman 1980
Parallel collision search with cryptanalytic applications by van Oorschot and Wiener 1999
The making of Keccak by Bertoni, Daemen, Peeters, Van Assche 2015
MD5 to be considered harmful today by Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik, de Weger 2009
Counter-cryptanalysis by Stevens 2013
Speeding up detection of SHA-1 collision attacks using unavoidable attack conditions by Stevens and Shumow 2017
The first collision for full SHA-1 by Stevens, Bursztein, Karpman, Albertini, Markov 2017
Homework 2 Due
10/13 Hash functions, MACs, and authenticated encryption

Lecture Slides
Boneh & Shoup Ch. 8.7, 9

Further reading:
This POODLE Bites: Exploiting The SSL 3.0 Fallback by Möller, Duong, Kotowicz 2014
Homework 4 Available
10/18 Computational number theory: Modular arithmetic, groups, rings, fields, efficient algorithms and hard problems

Lecture Slides
Boneh & Shoup Appendix A.

Further reading:
A Computational Introduction to Number Theory and Algebra, Ch. 3, 6 by Shoup
Fast multiplication and its applications by Bernstein
Homework 3 Due
10/20 Diffie-Hellman, elementary discrete log cryptanalysis

Lecture Slides
New Directions in Cryptography by Diffie and Hellman 1976
Boneh & Shoup Ch. 10
HAC Ch. 3.6
On Diffie-Hellman Key Agreement with Short Exponents by van Oorschot and Wiener
Homework 5 Available
Chinese Remainder Theorem, Pohlig-Hellman algorithm, public-key cryptography, RSA

Lecture Slides
Boneh & Shoup Ch. 11
A method for obtaining digital signatures and public-key cryptography by Rivest, Shamir, and Adleman 1978

Further reading:
A personal view of average-case complexity by Impagliazzo 1995
Homework 4 Due
10/27 Elementary factoring algorithms and RSA cryptanalysis

Lecture Slides
Boneh & Shoup Ch. 12

Further reading/Research directions:
Why Textbook ElGamal and RSA Encryption Are Insecure by Boneh, Joux, and Nguyen 2000
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 by Bleichenbacher 1998
DROWN: Breaking TLS using SSLv2 by Aviram et al. 2016
Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices by Heninger, Durumeric, Wustrow, and Halderman 2012
Random number generator enhancements for Linux 5.17 and 5.18 by Donenfeld
Homework 6 Available
11/1 Digital signatures

Lecture Slides
Boneh & Shoup Ch. 13
11/3 Elliptic curve cryptography

Lecture Slides
Boneh & Shoup Ch. 15

Further reading/Research directions:
A riddle wrapped in an enigma by Koblitz and Menezes 2015
Curve25519: new Diffie-Hellman speed records by Bernstein 2006
Homework 5 Due
11/8 Authenticated Key Exchange; TLS

Lecture Slides
Boneh & Shoup Ch. 21

Further reading/research directions:
A Messy State of the Union: Taming the Composite State Machines of TLS by Beurdouche, Barghavan, Delignat-Lavaud, Fournet, Kohlweiss, Pironti, Strub, and Zinzindohoue 2015
SMACK: State Machine AttaCKs against TLS
Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS by Bhargavan et al. 2014
A Cross-Protocol Attack on the TLS Protocol by Mavrogiannopoulos, Vercauteren, Velichkov, Preneel 2012
Homework 6 Due
Homework 7 Available
11/10 Random number generation

Lecture Slides
Further reading/research directions:
An Analysis of the NIST SP 800-90A Standard by Woodage and Shumow 2019
Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust by Dodis et al. 2013
When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability by Yilek et al. 2009
Authentication Failures in NIST version of GCM by Joux
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS by Bock et al. 2016
On the Practical Exploitability of Dual EC in TLS Implementations by Checkoway et al. 2014
A Systematic Analysis of the Juniper Dual EC Incident by Checkoway et al. 2016
Cryptanalytic Attacks on Pseudorandom Number Generators by Kelsey Schneier Wagner and Hall 1998
Practical state recovery attacks against legacy RNG implementations by Cohney Green Heninger 2018
Homework 6 Due - Extended
11/15 Index calculus for factoring and discrete log

Lecture Slides
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice by Adrian, Bhargavan, Durumeric, Gaudry, Green, Halderman, Heninger, Springall, Thome, Valenta, VanderSloot, Wustrow, Zanella-Beguelin, Zimmermann

Further reading:
A new index calculus algorithm with complexity L(1/4 + o(1)) in small characteristic by Joux 2013
A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic by Barbulescu Gaudry Joux and Thome 2013
11/17 More index calculus for factoring and discrete log Homework 7 Due
11/22 Lecture canceled
11/29 Lattice-based cryptanalysis

Lecture Slides
Daniele Micciancio lecture notes 1 2
Oded Regev lecture notes
Factoring Polynomials with Rational Coefficients by Lenstra Lenstra and Lovasz 1982
The two faces of lattices in cryptology by Nguyen 2001
Using LLL-reduction for solving RSA and factorization problems: a survey by May 2007
Homework 8 Available
12/1 More lattice-based cryptanalysis

Lecture Slides
Recovering cryptographic keys from partial information, by example by De Micheli and Heninger 2020

Further reading/research directions:

Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes by Boneh and Venkatesan 1996
Cryptanalysis of RSA with private key d less than N0.292 by Boneh and Durfee 2000
The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli by Nemec, Sys, Svenda, Klinec, and Matyas 2017
Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies by Breitner and Heninger 2019
12/7 Homework 8 Due


There will be approximately eight homework assignments, each involving both programming and written exercises. Many of the programming exercises have been inspired by the Cryptopals challenges. Of course I expect you to produce your own independent implementations. But if you're really enthusiastic and want more fun exercises, you are more than welcome to work through the Cryptopals challenges yourself.