ECS 227 - Course Information - Fall 2003


Our course meets Mondays and Wednesdays from 6:10-7:30 pm in 70 Soc Sci (the building on campus that looks least like it could have anything to do with the social sciences or humanities). Please try not to miss lectures; the material may not be accessible any other way.

Office Hours

My office is 3063 Kemper. Office hours are posted on the web, or by appointment, or by no appointment (if you drop by and I'm not too busy, I'll talk with you).

Course Webpage

Most everything will be collected on-line. Go to my homepage at and follow the classes link to the ECS 227 - Modern Cryptography - Spring 2005 web page.


I expect to lecture on some or all of the following topics: introduction - blockciphers - symmetric encryption - pseudorandom permutations and pseudorandom functions - one-way functions - pseudorandom generators - symmetric encryption - hash functions - message authentication codes - authenticated encryption - asymmetric encryption - digital signatures - authenticated key exchange - interactive proofs - zero knowledge. Course material is subject to change depending on how fast or slow I go, and depending on student interests. You should communicate with me about what you are interested in.


You need to have some mathematical maturity to take this class; most especially, you need to be able to understand what is (and what is not) a mathematically meaningful definition. Though we don't use a lot of tools, we sometimes use rather subtle definitions and proofs. Courses like ECS 222A (Algorithms) and ECS 120 (Theory of Computation) are good for building up the necessary maturity and should be taken as nominal prerequisites. Graduate standing in mathematics is a fine substitute, though you may wish you had heard of things like "Turing machines" before. It is the student's responsibility to make sure s/he is not "in too deep". I would say that this course is appropriate to first-year grad students with a good background, and with an interest and some ability in theory. It might not be appropriate to a first-year grad student with minimal math skills or theory background.

Class notes

There is no assigned text, and no published text gives a treatment similar to ours. Instead, you can use the evolving course notes by Mihir Bellare and me.

The notes will change as the quarter progresses, so I suggest that you do not print out any section before we discuss it in class.

If you're interested in having an actual, finished book in hand, I can recommend two. One is [Menezes, van Oorschot, Vanstone], which is available free on-line. It is heavy on methods and light on theory, but it is useful. Then there is the two-volume book by Oded Goldreich (Volume 1) (Volume 2) that gives a scientific treatment of cryptography, but with sensibilities rather different from my own.


There will be occasional homework assignments. Homeworks should be typeset in LaTeX. Late homeworks will not be accepted. You may not consult any old homework solutions in preparing your homework. Please acknowledge the source of any ideas, whether it be a book, a paper, a colleague, or an apple tree (avoid durian and jackfruit trees).

You may share ideas with someone else as long as you acknowledge them. If you work closely with one or more people, then you should turn in a single writeup. I myself believe that working closely with other students tends to lead to an inferior understanding of course material, but I don't forbid it, both because it is impractical and because some students honestly believe that they learn more working with a friend.


You must read a paper in the provable-security tradition of cryptography, understand it, and then write something about it. Alternatively, you must do some small research project of your own: anything novel that touches on provable-security cryptography. Projects are due the last day of class. Writeups need not be long; about 2-4 pages should do. But they should be beautiful: meticulously written, nicely typeset (LaTeX, please), and preferably with some interesting or semi-interesting idea.

If you have any doubt whether your envisioned paper/project is OK, talk to me, and do so more than two weeks before the project is due. If you are reading a research paper, going with one of mine or Mihir Bellare's makes a particularly safe choice, but this is certainly not required.

I won't discuss the projects in class. You're on your own to remember that you have to do this, and to budget your time appropriately.


There's no midterm, but there's a sort-of final. I prefer to call it a discussion. You'll come in to my office for about 25 minutes to chat. During this time I'll try to ascertain how much you got out of the class. Don't be worried about it; it ain't a big deal. But it helps me understand what students are and are not understanding, and what they are and are not interested in.


Unfortunately, I am required to give grades, which will be based on what has already been mentioned: attendance, homeworks, your project, and our final discussion. This is a non-required graduate class, so I expect students to be here because they're genuinely interested in learning the material.

Research in cryptography

You may treat this class as your "invitation" for doing research in cryptography, a most unusual and wonderful subject. Welcome!
Phil Rogaway's homepage