Cryptography (Fall 2025)
Master's Degree in Computer Science, Master's Degree in Cybersecurity, Master's Degree in Mathematics
Syllabus
The course is meant to be an introduction to modern cryptography, with a focus on provable security. Below is a tentative list of topics.
Information-Theoretic Cryptography:
- Perfect secrecy, one-time pad, Shannon's theorem.
- Perfect authentication, universal hashing, extractors, leftover-hash lemma.
Computational Security:
- One-Way Functions (OWF) and complexity theory.
- Brush-up on number theory, candidate OWF (Factoring, RSA, DL, LWE).
- Computational indistinguishability, decisional assumptions (DDH, LWE).
Symmetric Cryptography:
- Pseudorandom Generators (PRG), hard-core bits, PRG constructions.
- Pseudorandom Functions (PRF), PRF constructions, Feistel networks.
- Symmetric encryption: Definitions and constructions, modes of operation.
- Message authentication: Definitions and constructions, authenticated encryption.
- Hash functions: Random oracle model, first/second pre-image resistance, collision resistance, Merkle-Damgaard construction.
Public-Key Cryptography:
- Public-key encryption: Definitions, RSA and ElGamal cryptosystems. Cramer-Shoup encryption.
- Digital signatures: Definitions, full-domain hash, signatures from OWF, Waters' signatures.
- Identification schemes: Definitions, constructions and applications to signatures.
- Identity-based encryption and applications.
Logistics
Important: The lectures are offered exclusively in-person (with no registration taking place).
Lecture time: Tuesday (8:00am - 11:00am) and Friday (11:00am - 13:00am).
Location: Aula 1L (RM018) - Via del Castro Laurenziano 7a.
Twitter: @SapienzaCrypto.
Google Group: SapienzaCrypto.
Grading
Written exam. The written exam lasts 3 hours and consists of 3 exercises and 3 open questions. Books, notes and electronic devices are not allowed during the exam.
References
We will not follow a single book; the following textbooks are suggested as reference and for deeper study:
- [1] Daniele Venturi, Crittografia nel Paese delle Meraviglie, Springer, Collana di Informatica, 2012.
- [2] Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography, CRC Press, Second Edition, 2014.
- [3] Jonathan Katz, Digital Signatures, Springer, 2010.
- [4] Salil P. Vadhan, Pseudorandomness, Foundations and Trends in Theoretical Computer Science, Vol. 7, Issue 1-3, 2012. Freely available here.
- [5] Jonathan Katz, Lecture Notes for a course on Advanced Topics in Cryptography, (Sping 2004). Lecture 9 and Lecture 10 are about the Cramer-Shoup PKE scheme.
- [6] Sanjit Chatterjee and Palash Sarkar, Identity-Based Encryption, Springer, 2011.
You may also find useful the following lecture notes from a past edition of the course (although not reviewed by myself):
- [7] Simone Bianco, Lecture Notes for the Cryptography Course, Sapienza University of Rome, A. Y. 2025/2026 (work in progress).
Exams
The exam dates for academic year 2025/2026 are indicated below. Please always register via Infostud.
Exam 1. Date: 13/01/26. Aula: 3L (RM018). Time: 10:00-13:00. Scores [pdf].
Exam 2. Date: 10/02/26. Aula: 3L (RM018). Time: 10:00-13:00. Scores [pdf].
Exam 3. Reserved to part-time and working students (you must make a formal request to the secretariat; registration in Infostud is still required). Date: TBA. Aula: TBA. Time: TBA. Scores [pdf].
Exam 4. Date: 09/06/26. Aula: 3L (RM018). Time: 10:00-13:00. Scores [pdf].
Exam 5. Date: 14/07/26. Aula: 3L (RM018). Time: 10:00-13:00. Scores [pdf].
Exam 6. Date: 08/09/26. Aula: 3L (RM018). Time: 10:00-13:00. Scores [pdf].
Exam 7. Reserved to part-time and working students (you must make a formal request to the secretariat; registration in Infostud is still required). Date: TBA. Aula: TBA. Time: TBA. Scores [pdf].
Announcements
20/09/2025: The course will start on September 23, 2025.
02/10/2025: Due to the national strike announced for tomorrow, the lecture on October 3 will be exceptionally remote at this link.
30/10/2025: The lecture on 04/11/2025 will not take place.
13/11/2025: Due to the transportations strike announced for tomorrow, the lecture on November 14 will take place in person but also exceptionally be streamed at this link.
27/11/2025: Due to the transportations strike announced for tomorrow, the lecture on November 28 will be exclusively remote at this link.
03/12/2025: The students are invited to express their preference about the last topic to be covered in the final lectures of the course. Please vote only once using this link.
11/12/2025: Due to the national strike announced for tomorrow, the lecture on December 12 will take place in person but also exceptionally be streamed at at this link.
Lectures
| Date | Topics | References |
|---|---|---|
| Lecture 1 23/09/25 | Overview of the course. Definition of secret-key encryption (SKE). Definition of perfect secrecy. The one-time pad and Shannon's impossibility result. | [PDF] |
| Lecture 2 26/09/25 | Equivalent notions of perfect secrecy. Definition of statistically-secure (one-time) MACs. | [PDF] |
| Lecture 3 30/09/25 | Constructions of pairwise independent hash functions and one-time statistically secure MACs. Randomness extraction. Impossibility of randomness extraction from a single min-entropy source. Definition of seeded extractors. | [PDF] |
| Lecture 4 03/10/25 | Leftover hash lemma. Beginning of computational security. | [PDF] |
| Lecture 5 07/10/25 | Definition and examples of one-way functions. Definition of pseudorandom generators (PRGs). Proof that one bit of stretch implies unbounded polynomial stretch. Constructions of real-world PRGs. | [PDF] |
| Lecture 6 10/10/25 | Hard-core predicates and the Goldreich-Levin theorem. | [PDF] |
| Lecture 7 14/10/25 | Definition of one-time computationally secure and chosen-plaintext attacks (CPA) secure SKE. Construction of one-time computationally secure SKE from any PRG. Definition of pseudorandom functions (PRFs). | [PDF] |
| Lecture 8 17/10/25 | Constructing PRFs from OWFs: The GGM construction and its proof of security. | [PDF] |
| Lecture 9 21/10/25 | Modes of operation for SKE. CPA security of the CTR mode. Definition of universal unforgeability under chosen-message attacks (UFCMA) for MACs. | [PDF] |
| Lecture 10 24/10/25 | Proof that PRFs imply UFCMA MACs for FIL messages. Domain extension for MACs. Universal hashing and CBC-MAC. | [PDF] |
| Lecture 11 28/10/25 | Definition of CCA security for SKE. Combining encryption and authentication. | [PDF] |
| Lecture 12 31/10/25 | Exercises. | [PDF] |
| Lecture 13 07/11/25 | Blockciphers: DES and AES. Feistel networks and substitution-permutation networks. | [PDF] |
| Lecture 14 11/11/25 | Collision-resistant hash functions. The Merklee-Damgaard paradigm. Building compression functions. | [PDF] |
| Lecture 15 14/11/25 | Brush-up on number theory. | [PDF] |
| Lecture 16 18/11/25 | The Diffie-Hellmann key exchange. Symmetric cryptography using number theory. | [PDF] |
| Lecture 17 21/11/25 | Public-key encryption. The ElGamal PKE. | [PDF] |
| Lecture 18 25/11/25 | RSA PKE. Digital signatures and universal unforgeability under chosen-message attacks. Public key infrastructures. Full-domain hash signatures and the random oracle model. | [PDF] |
| Lecture 19 28/11/25 | Identification schemes and passive security. The Schnorr protocol. Definitions of honest-verifier zero knowledge and special soundness. | [PDF] |
| Lecture 20 02/12/25 | Proof that honest-verifier zero knowledge and special soundness imply passive security. Fiat-Shamir signatures. | [PDF] |
| Lecture 21 05/12/25 | Lattices. The short integer solution (SIS) problem and the learning with errors (LWE) problem. | [PDF] |
| Lecture 22 09/12/25 | Regev's PKE. Lattice trapdoors. Signatures from lattices. | [PDF] |
| Lecture 23 12/12/25 | Identity-based encryption: definitions and constructions. | [PDF] |