ECS 189A: Cryptography — Course Information — Spring 2011

Your Instructor

I am Phil Rogaway. My research is in cryptography, the topic of this class. My office is 3009 Kemper, my email is, and my homepage is Office hours will be posted and kept up to date on my homepage.

Your TA

Viet Tung Hoang is the TA for the class. We only have a few hours per week of Tung’s time, so mostly he’ll be grading your homeoworks.

Class Meetings

Our course meets MWF 2:10-3:00 pm in 146 Robbins.

Four Units

This is a four-unit class. Unfortunately, because it is listed as a 189A, we have no means of making sure you sign up for the class with the correct number of units. You need to do this on your own: if you are enrolled for the class with a number of units other than four, you need to go online and change it.


Our course is currently over-enrolled. My experience is that attrition usually takes care the issue. I would expect, in the end, everyone to get in; I usually do whatever is needed to ensure that this happens. If you’re not yet properly enrolled, just make sure you’ on the waiting list and that you attend every class. We’ll figure out how to get everyone enrolled during the second week of the term.

Course Webpage

Follow the obvious link from my homepage to our class web page at It is important that you check the web page regularly. It is there that homeworks and announcements will magically appear.


I expect to lecture on some or all of the following topics: introduction - blockciphers - symmetric encryption - pseudorandom permutations and pseudorandom functions - symmetric encryption - hash functions - message authentication codes - authenticated encryption - asymmetric encryption - digital signatures entity authentication - authenticated key exchange - interactive proofs - zero knowledge - protocols. Course material is subject to change depending on my mood and depending on student interests. You should communicate with me about what you are interested in.


I intend the class to be accessible to juniors and seniors in CS, CSE, or math. I would say that having some mathematical maturity, and a bit of cleverness and the ability to communicate clearly, are prerequisites. Having taken ECS 120 (Theory of Computation) and/or ECS 122A (Algorithms) will serve you well, but I wouldn’t go so far as to say that either is necessary.

It is likely that a lot of student will come to this class from an interest in computer security. That’s great, but I want to make clear that cryptography and computer security tend to involve very different ways of thinking about problems.

Prof. Matt Bishop will be teaching a Computer Security class, ECS 153, this term. The material is complementary; there isn’t much overlap.


I’ve ordered Understanding Cryptography for the class, by Christof Paar and Jan Pelzl. I’ve never tried using it (natural enough, since I’ve never tried to teach an undergraduate cryptography class before) and can’t yet tell you yet how closely I will follow it. If I’m liking the book, and you are, we will try to cover its contents; if not, I will drift away from it, as is my usual habit.

A lot of modern cryptography isn’t well covered in books, but here are some that may be worth mentioning: (1)  Cryptography Engineering by Neils Ferguson, Bruce Schneier, and Yoshi Kohno; (2) Handbook of Applied Cryptography by Alfred Menezes, Paul van Oorschot, and Scott Vanstone (available free on-line); (3)  Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell; (4) Foundations of Cryptography, Volume 1 and Foundations of Cryptography, Volume 2, by Oded Goldreich; (5)  Introduction to Modern Cryptography by Mihir Bellare and Phil Rogaway (course notes); and (6)  Lecture Notes on Cryptography by Shafi Goldwasser and Mihir Bellare (course notes).


I expect to base grading on approximately 35% homeworks, 30% final, and 20% oral exam, 15% classroom attendance and participation. As the last category suggests, it is important to show up.

For homework problems, you may give or receive ideas as long as you do a joint writeup for the particular problem or acknowledge who contributed ideas. If you work closely with one or more person on a problem, then you should turn in a single writeup for that problem (I will separately record your score for each problem). Sorry, late homeworks will not be accepted.

Possibly more than others, I care about the quality of your exposition; your writing is your art. Your goal is to find short, correct, and elegant, solutions. Make each sentence beautiful and make each word count.

During the second half of the course I will schedule each of you to come see me for a half-hour time slot. You can think of this oral exam as the midterm, or something in lieu of a midterm. I may ask you to read something in advance of these discussions.

There will be a standard written final.

Face blindness

In recent years I have taken to confessing up front that I probably won’t be able to recognize you if I see you outside the context of this class. Please believe that it is absolutely not personal. It doesn’t mean that I am not interested in you as a person, or even that I don’t know who you are, at some other level.

I have a new trick that simultaneously lets me call on people by name and lets me keep track of who who is/isn’t coming to class: students put a little card on their desk with their name on it. (This also helps you out, should you forget your own name.) I know it’s kind of lame, but I tried it for a class I taught last Fall, and it seemed to work pretty well.

Parting thoughts

Cryptography is a strange area—stranger than most would imagine. I hope you like this odd and arcane world.
Phil Rogaway’s homepage