HIT · CS Concentrations

COURSE · CY1

Applied Cryptography

provable security, number-theoretic hardness, and the design of cryptographic protocols

From number theory to provably secure cryptosystems and protocols.

Year 3 · 13 weeks · 2h lecture + 2h practice · Project-based

About this course

Understand and correctly apply the cryptographic primitives that underpin secure communication, authentication, and data protection.

Course format. Thirteen weeks, four contact hours each: a two-hour lecture (concepts and theory) and a two-hour practice session. The course is project-based; teams carry one running project end to end and present it three times, in weeks 5, 8, and 13.

What you will build

Build a rigorous applied-cryptography library in Python, from big-integer arithmetic primitives up to authenticated key exchange, with AES-GCM AEAD, RSA-OAEP, ECDH, EdDSA, and a hybrid post-quantum KEM via liboqs. Each increment is backed by test vectors and a demonstrated attack on a naive variant.

Expected outcomes

  • Explain the algebraic foundations of cryptography: groups, rings, finite fields, and modular arithmetic.
  • State and apply the hardness assumptions underpinning modern crypto: factoring, discrete log, and CDH/DDH.
  • Formalize security definitions such as IND-CPA, IND-CCA, and existential unforgeability, and reason with reduction proofs.
  • Construct and analyze symmetric primitives: block ciphers, modes of operation, and authenticated encryption.
  • Build public-key schemes including RSA, ElGamal, and elliptic-curve cryptography from their mathematical structure.
  • Design hash functions, MACs, and digital signatures, and argue their collision and forgery resistance.
  • Implement authenticated key exchange and reason about PKI, certificates, and trust models.
  • Identify and exploit common protocol pitfalls: nonce reuse, padding oracles, and timing leaks.
  • Apply provable-security reasoning to evaluate whether a construction meets its claimed guarantees.
  • Evaluate post-quantum candidates and migration paths against classical schemes.

Key topics

  • Symmetric & public-key crypto
  • Hashing & digital signatures
  • Key exchange & PKI
  • Protocol design pitfalls

Theoretical foundations

The concepts and results this course rests on.

  • group theory, finite fields, and modular arithmetic
  • computational hardness assumptions: factoring, discrete log, CDH and DDH
  • one-way functions and trapdoor permutations
  • IND-CPA and IND-CCA indistinguishability security games
  • reductionist security proofs and the random oracle model
  • existential unforgeability under chosen-message attack
  • lattice problems and post-quantum hardness

Prerequisites

This is a Year-3 course. It assumes the mandatory CS core: data structures and algorithms, operating systems, computer networks, databases, software engineering, and the core mathematics (linear algebra, probability and statistics, calculus, discrete mathematics). It additionally requires the specific prior courses listed below.

Course-specific prerequisites:

  • Discrete mathematics and number-theory basics
  • Algorithms
  • Probability

Weekly schedule · 13 weeks · lecture + practice

Foundations

Wk 1 · Number theory and algebraic structures
  • Lecture: Cover modular arithmetic, the Euclidean algorithm, groups, rings, finite fields, and Euler's theorem as the language of cryptography.
  • Practice: Implement modular exponentiation, GCD, and modular inverse, and benchmark them on large integers.
  • Project: Set up the crypto library skeleton and a tested big-integer modular arithmetic core.

Wk 2 · Hardness assumptions and security definitions
  • Lecture: Introduce one-way functions, the factoring and discrete-log problems, CDH/DDH, and formal indistinguishability-based security definitions.
  • Practice: Build a discrete-log toy solver and measure how runtime scales to motivate the hardness assumption.
  • Project: Add a primitives interface and a security-definition test harness to the library.

Symmetric cryptography

Wk 3 · Block ciphers and modes of operation
  • Lecture: Analyze pseudorandom permutations, the AES structure, and CBC, CTR, and GCM modes with their security properties.
  • Practice: Wrap a vetted AES implementation, implement CTR and CBC modes, and write known-answer tests.
  • Project: Integrate AES with multiple modes into the library with passing test vectors.

Wk 4 · Authenticated encryption and MACs
  • Lecture: Define IND-CCA security, present HMAC and GMAC, and explain encrypt-then-MAC and AEAD constructions.
  • Practice: Implement HMAC and an encrypt-then-MAC AEAD wrapper, then attack a deliberately broken MAC-then-encrypt variant.
  • Project: Add authenticated encryption with associated data and negative-test the broken variant.

Wk 5 · Hash functions and the random oracle model · Presentation
  • Lecture: Cover collision, preimage, and second-preimage resistance, Merkle-Damgard and sponge constructions, and the random oracle heuristic.
  • Practice: Team presentation: each team defends its project specification, threat model, and chosen security definitions before the class.
  • Project: Freeze the project specification document approved at the milestone review.

Public-key cryptography

Wk 6 · RSA: construction and attacks
  • Lecture: Derive RSA from Euler's theorem, prove correctness, and survey attacks: small exponents, common modulus, and padding oracles.
  • Practice: Implement textbook RSA, then exploit it with a Bleichenbacher-style padding oracle on a vulnerable endpoint.
  • Project: Add OAEP-padded RSA encryption and a regression test that the padding oracle is closed.

Wk 7 · Discrete-log systems and ElGamal
  • Lecture: Present cyclic groups, ElGamal encryption, the DDH assumption, and semantic security reductions.
  • Practice: Implement ElGamal over a safe prime group and verify the homomorphic property experimentally.
  • Project: Integrate ElGamal encryption with parameter validation into the library.

Wk 8 · Elliptic-curve cryptography · Presentation
  • Lecture: Introduce the group law on elliptic curves, ECDH, and the elliptic-curve discrete-log problem and its efficiency advantages.
  • Practice: Team presentation: interim demo of the working crypto library with a live encryption and decryption walkthrough.
  • Project: Add an ECDH key-agreement module and present the interim build.

Signatures and integrity

Wk 9 · Digital signatures and unforgeability
  • Lecture: Define existential unforgeability under chosen-message attack and analyze RSA-PSS, ECDSA, and EdDSA.
  • Practice: Implement ECDSA signing and verification and demonstrate the catastrophic nonce-reuse key-recovery attack.
  • Project: Add EdDSA signatures and a deterministic-nonce safeguard to the library.

Key exchange and PKI

Wk 10 · Authenticated key exchange and PKI
  • Lecture: Cover Diffie-Hellman, man-in-the-middle threats, certificates, chains of trust, and forward secrecy.
  • Practice: Build an authenticated Diffie-Hellman handshake and a minimal certificate verifier with chain validation.
  • Project: Add a handshake protocol and certificate-chain verification to the library.

Protocols and pitfalls

Wk 11 · Protocol design and common pitfalls
  • Lecture: Analyze replay, reflection, downgrade, and timing attacks, and the principles of robust protocol design.
  • Practice: Run a constant-time review, fix a timing leak in the project, and verify with statistical timing measurement.
  • Project: Harden the protocol layer against replay and timing side channels.

Advanced topics

Wk 12 · Provable security and post-quantum cryptography
  • Lecture: Walk through full reduction proofs and survey lattice-based and post-quantum standards and migration strategy.
  • Practice: Integrate a post-quantum KEM via liboqs and design a hybrid classical-plus-PQ key exchange.
  • Project: Add a hybrid post-quantum key-exchange option to the library.

Capstone

Wk 13 · Final integration and defense · Presentation
  • Lecture: Review the full cryptographic stack, security arguments, and threat coverage across the project.
  • Practice: Team presentation: final demonstration with oral defense of design choices, security proofs, and known limitations.
  • Project: Deliver the complete, tested cryptographic library with documentation and security rationale.

AI tools in this course

Students lean on AI coding assistants to scaffold and refactor the teaching crypto library, turning math from the lectures into tested Python: prompting for big-integer routines, AES modes, or an ECDH module, then asking the assistant to explain why a draft is not constant-time. They generate Wycheproof-style test vectors and edge cases with AI, and use it to write the attack scripts that break naive variants such as the textbook-RSA padding oracle or a nonce-reuse ECDSA bug. AI is also used to read reduction proofs critically and to compare an implementation against the PyCryptodome and pyca references. Every AI-suggested primitive is checked against official test vectors before it enters the library, since a plausible-looking but wrong crypto construction is the central risk the course teaches students to catch.

Student project

Teams build a small but rigorous applied-cryptography library from arithmetic primitives up to authenticated protocols. Each increment is backed by a security argument, test vectors, and at least one demonstrated attack on a naive variant. The capstone is a coherent, documented library defended with provable-security reasoning.

Requirements

  • Build a working system, not a set of disconnected exercises.
  • Be original: a new system that solves a real problem, not a re-implementation of a tutorial or course demo.
  • Show real depth: real data, real users or realistic load, and engineering trade-offs that are measured rather than assumed.
  • Carry one running project from specification to a deployed, defensible result across the whole term.
  • Work in a team of three or four and defend the design at each of the three presentations (weeks 5, 8, and 13).

Example projects

  • Secure messaging primitive
  • Encrypted file vault
  • Mini certificate authority
  • Password-authenticated key exchange tool
  • Hybrid post-quantum channel
  • Signature-based update verifier
  • Threshold signature demo
  • Constant-time crypto toolkit

Assessment & grading

Grading is project-based, with no written exam. Teams of three or four present one running project three times.

| Component | What it covers | Weight |
|---|---|---|
| Project · Specification | Presentation 1 (week 5): problem, objectives, and architecture | 20% |
| Project · Interim | Presentation 2 (week 8): the working system demonstrated live | 30% |
| Project · Final | Presentation 3 (week 13): end-to-end demo with oral defense | 50% |

Tools & platforms

  • Python: implementation language for the teaching library
  • PyCryptodome: vetted primitives for comparison and wrapping
  • OpenSSL: reference implementation and certificate tooling
  • SageMath: number-theory and elliptic-curve experimentation
  • cryptography (pyca): modern high-level crypto APIs
  • liboqs: post-quantum KEM and signature implementations
  • Hashcat: hash-cracking to motivate strength requirements
  • dudect: constant-time leakage testing for timing attacks
  • GMP: high-performance big-integer arithmetic
  • pytest: test-vector and regression test harness

Free online courses

Existing free, video-based courses this course can build on, for self-study or as a teaching basis.

In Hebrew

Primary literature

Seminal works to read for graduate-level depth.

References

Books and resources link to an online or publisher page.

Role in each concentration

| Concentration | Role |
|---|---|
| Intelligent Software Systems | Elective |
| Networking & Cyber Security | Core · Semester 1 |
| AI & Robotics | Elective |
| AI and Quantum Computing for Finance | Elective |
| Immersive Systems & Game Development | Elective |
| Defense Technologies & Autonomous Systems | Core · Semester 1 |