If you would like to use my video lectures, slides or lecture notes as a secondary source or a primary source in your course, please send me an email message. I will be happy to arrange a meeting with you, to tell you about my experience teaching applied cryptography over the past 30 years, and we can have a discussion about the curriculum, exercises, projects, and tests for your course. If you use any of the resources (videos, slides or lecture notes) on this web page in your classes, please do provide your students a link to my page (cryptography101.ca).

• Symmetric-key encryption: classical ciphers, one-time pad, stream ciphers (ChaCha20), block ciphers (Triple-DES, AES), modes of operation.
• Hash functions and data integrity: Hash functions (SHA256), parallel collision search, message authentication codes (CBC-MAC, HMAC).
• Authenticated encryption: Encrypt-then-MAC, AES-GCM.
• Public-key encryption: RSA, elliptic curves.
• Signature schemes: RSA, ECDSA.
• Key establishment: Elliptic Curve Diffie-Hellman key agreement (ECDH).
• Key management: Certification authorities, public-key infrastructures.
• Deployed cryptography: GSM security, AWS Key Management Service, Transport Layer Security (TLS), Bluetooth security, Signal protocol (WhatsApp).

On successful completion of this course, students will:

• Understand the fundamental cryptographic building blocks of symmetric-key encryption, message authentication, authenticated encryption, hash functions, public-key encryption, and signatures;
• Appreciate the challenges with assessing the security of these building blocks;
• Examine case studies of how these cryptographic building blocks are used to secure large-scale applications;
• Understand why key management is an essential process that underpins the security of many applications.

Legend for slide numbers

• Bx: Applied Cryptography 101: Building blocks
• Dx: Applied Cryptography 101: Real-World Deployments
• Kx: Kyber and Dilithium

Lecture schedule (with slide numbers)

• Introduction
  • 1: B3-B23: Course preview
• Symmetric-key encryption
  • 2: B26-B42: Symmetric-key encryption (basic notions)
  • 3: B43-B55: Polyalphabetic ciphers, one-time pad, stream ciphers, ChaCha20
  • 4: B56-B71: History of block ciphers, NSA, DES, Double-DES
  • 5: B72-B83: Meet-in-the-middle attack, Triple-DES, SPN
  • 6: B84-B103: AES, performance, modes of operation
• Hash functions
  • 7: B106-B116: Hash functions, properties
  • 8: B117-B126: Relationships between properties
  • 9: B127-B136: Generic attacks
  • 10: B137-1B44: VW parallel, iterated hash functions
  • 11: B145-B159: MD5, SHA-1, SHA256
• MAC schemes and authenticated encryption
  • 12: B162-B174: MACs, security definition, generic attacks, GSM
  • 13: B175-B192: CBC-MAC, HMAC, KDF, authenticated encryption
  • 14: B193-B207: AE security definition, CTR, GMAC, AES-GCM
  • 15: D77-D92: AWS KMS
  • 16: D93-D97: AWS KMS
• Public-key cryptography
  • 17: B210-B227: Intro to public-key cryptography
  • 18: B228-B237: Number theory background
  • 19: B238-B246: Algorithmic number theory
• RSA
  • 20: B249-B256: Basic RSA encryption and signatures
  • 21: B257-B268: Integer factorization
  • 22: B269-B278: PKE security definition, RSA-OAEP, RSA-KEM
  • 23: B279-B288: PKCS #1 v1.5 RSA signatures
• Elliptic curve cryptography
  • 24: B289-B300: Bleichenbacher’s attack, elliptic curves
  • 25: B301-B307: Elliptic curve group law
  • 26: B308-B323: ECDLP, why ECC?, NIST curves
  • 27: B324-B331: NIST primes, unauthenticated ECDH
  • 28: B332-B338: Authenticated ECDH, ECDSA
• Applications
  • 29: B339-B334: ECDSA k-reusage, Sony Playstation, ECDSA signature verification
  • 30: D56-D76: Bluetooth security
  • 31: D16-D35: Key management, PKI
  • 32: D36-D37: TLS, public-key management in TLS
  • 33: D98-D107: Signal
  • 34: D108-D116: Signal
• Post-quantum cryptography
  • 35: K8-K21: Introduction to post quantum cryptography
• Wrap-up
  • 36: The future of cryptography

Optional topics

Here are some topics that can be skipped to save lecture time without losing any continuity in the lectures. The video numbers are for the “Applied Cryptography 101: Building Blocks” lectures.

• V3b: relationships between PR, 2PR, CR. (Can be skipped or skimmed, especially if your students are not interested in security proofs.)
• V3c: VW parallel collision search. (It’s a nice illustration of how to minimize storage in an attack, and how to parallelize an attack, but can be skipped in the interest of time.)
• V6a: Merkle puzzles. (Very cute, but mostly of historical interest.)
• V6c: Algorithmic number theory. (I mostly cover this because many computer science students don’t fully absorb the notion of polynomial-time in their algorithms course. The notion is easy to convey with algorithms for basic integer operations.)
• V7e: PKCS #1 v1.5 RSA signatures. (Very cute attack, and a good lesson for developers, but can be skipped.)
• V8c: Modular reduction. (This gives students a taste of how integer arithmetic is implemented in practice, but is not essential to the course.)
• V8e: ECDSA. (It’s more important to cover ECDH than ECDSA. Students will have seen a concrete example of a signature scheme in the RSA chapter.)

• Applied Cryptography 101: Building Blocks
• Applied Cryptography 101: Real-World Deployments
• Kyber and Dilithium

Draft chapters from Textbook of Applied Cryptography

• Stream ciphers
• Public-key cryptography
• RSA
• Elliptic curve cryptography
• Public-key certificates and infrastructure
• Cryptographic systems in practice [TLS 1.3, Bluetooth]

See the Exercises sections in the book chapters above.

• The threat of quantum computers: Shor’s algorithm Grover’s search, fault-tolerant quantum computers.
• Hash-based signature schemes: Lamport, Winternitz, Merkle trees, Leighton-Micali, SPHINCS+.
• Latttice-based cryptosystems: Kyber KEM, Dilithium signatures, Number-Theoretic Transform (NTT).
• Mathematics of lattice-based cryptography: lattices, SIS, ring-SIS, module-SIS, LWE, ring-LWE, module-LWE.
• Lattice basis reduction: Gram-Schmidt orthogonalization, Gauss’s algorithm, LLL algorithm and improvements.

On successful completion of this course, students will:

• Appreciate the threat of quantum computers to public-key cryptography.
• Understand how standardized hash-based signature schemes (LMS and SPHINCS+) work.
• Understand how standardized lattice-based cryptosystems (Kyber and  Dilithium) work. 
• Learn the basic properties of lattices, and understand the connection between lattices and the SIS and LWE problems.
• Understand the LLL lattice basis algorithm, and appreciate its importance in assessing the security of lattice-based cryptosystems.

Legend

• Hash: Hash-based signature schemes course
• Kyber: Kyber and Dilithium course
• Lattices: Mathematics of lattice-based cryptography course
• LLL: Lattice basis reduction course

Lecture schedule (with video numbers)

• Introduction
  • Introduction to post-quantum cryptography: Kyber-V1a
• Hash-based signature schemes
  These schemes require very little cryptography or mathematics background, and are quite intuitive.
  • Introduction: Hash-V1
  • Hash functions: Hash-V2
  • Lamport signatures: Hash-V3 and Hash-V4
  • Leighton-Micali signatures: Hash-V5
  • SPHINCS+: Hash-V6
• Kyber KEM
  This is a lattice-based key encapsulation mechanism (KEM) that has been standardized and is already being used in practice. To understand how the scheme works, one does not need any knowledge about lattices. The only mathematics that is used is arithmetic with polynomials whose coefficients are integers modulo a prime p.
  • Mathematical prerequisites: Kyber-V1b
  • Kyber public-key encryption: Kyber-V2a
  • Kyber KEM: Kyber-V2d
• Dilithium signature scheme
  This is a lattice-based key signature scheme that has been standardized and is already being used in practice. To understand how the scheme works, one does not need any knowledge about lattices. The only mathematics that is used is arithmetic with polynomials whose coefficients are integers modulo a prime p.
  • Dilithium signatures (without signature compression): Kyber-V3a and Kyber-V3b.
• Mathematics of lattice-based cryptography
  • Short Integer Solutions (SIS) problem: Lattices-V2
  • Learning With Errors (LWE) problem: Lattices-V3
  • Introduction to lattices: Lattices-V4
  • SIS/LWE and lattices: Lattices-V5
• Lattice basis reduction
  • Introduction to lattices: LLL-V1
  • Gauss’s algorithm: LLL-V2
  • Gram-Schmidt orthogonalization: LLL-V3
  • LLL algorithm: LLL-V4
  • Cryptographic applications: LLL-V5

Advanced topics

Here are some advanced topics not included in the above list.

• Kyber public-key compression: Kyber-V2b and Kyber-V2c
  (considerable details needed for a modest decrease in public-key size)
• Dilithium signature compression: Kyber-V3c and Kyber-V3d
  (considerable details needed for a modest decrease in signature size)
• Number-theoretic transform: Kyber-V4a and Kyber-V4d
  (only relevant for fast implementations of Kyber and Dilithium)
• Ring-SIS and Ring-LWE: Lattices-V6
  (describes the ring versions of SIS and LWE, and explains why they are considered to be lattice problems)
• Module-SIS and Module-LWE: Lattices-V7
  (describes the module versions of SIS and LWE, and explains why they are considered to be lattice problems)
• LLL improvements (including BKZ): LLL-V6

• Hash: Hash-Based Signature Schemes
• Kyber: Kyber and Dilithium
• Lattices: The Mathematics of Lattice-Based Cryptography
• LLL: Lattice Basis Reduction

• Post-quantum cryptography
  (draft chapter from Textbook of Applied Cryptography)
• A gentle introduction to lattice-based cryptography

See the Exercises sections in the lecture notes.