At the end of the course, students will acquire knowledge of the main cryptographic techniques used in security protocols and will understand how they satisfy usual security definitions. In detail: • Knowledge of basic security principles • Knowledge of common security definitions in modern cryptographic (perfect secrecy, computational secrecy) • Knowledge of main cryptographic techniques using symmetric and asymmetric keys • Knowledge of cryptographic hash functions and related authentication techniques • Knowledge of main security protocols for key management, authentication, message confidentiality Moreover, they should acquire the ability to choose and employ the most adequate cryptographic tools according to the security scenario and application needs, and the ability to evaluate the security of a specific protocol. In detail: • Ability to evaluate if a protocol satisfies a given security definition • Ability to design a security protocol providing confidentiality and authentication • Ability to assess the weaknesses of an existing protocol

The students are expected to know the following concepts: • Probability theory, random variables, conditional probability Regarding labs, the students are expected to have a basic knowledge of Python programming language.

Security definitions and scenarios (0.3 CFU – 3h theory) • Confidentiality, integrity, availability, authentication, non-repudiation • Kerckhoff's principle • Attack models Security models (1.2 CFU – 9h theory + 3h lab) • Examples on historical ciphers • Perfect secrecy, Shannon theorem, unicity distance • Computational secrecy Symmetric key cryptography (0.9 CFU – 6h theory + 3h lab) • Pseudorandom generators and pseudorandom functions, stream ciphers and block ciphers • Modes of operation • Practical algorithms (AES, Salsa20, ChaCha20) Asymmetric key cryptography (1.2 CFU – 9h theory + 3h lab) • Basic notions on number theory • One-way functions, trapdoor functions, factorization, discrete logarithm • Practical algorithms (RSA, Diffie-Hellman, Elliptic Curve) • Quantum-safe cryptography Authentication and integrity (0.9 CFU – 6h theory + 3h lab) • Hash functions (SHA2, SHA3) • Message authentication codes and authenticated encryption (HMAC, AES-GCM, ChaCha20-Poly1305) • Digital signatures (RSA, Schnorr, DSA/ECDSA) Security protocols (1.5 CFU – 9h theory – 6h lab) • Key distribution and management, public-key certificates (X.509), public-key infrastructures • Authentication protocols (passwords, second factors, challenge-response, FIDO/WebAuthn) • Transport Layer Security

The course is based on lectures (42 hours) and computer labs (18 hours). Computer labs will be organized in the different areas of the course, including basic security principles, symmetric and asymmetric cryptography, authentication, security protocols. Each computer lab will last at least 3 hours. Some more complex activities may be distributed over the span of 2 labs. Students will use their own laptop. During computers labs, students will implement the algorithms discussed during lectures using Python and will test them in different application scenarios. Students are organized in groups of no more than three people. For each computer lab, the group must write a report; reports are evaluated and concur to determine the final grade.

Available material includes the slides used during the lectures, video recording of lectures, and the material for the computer labs. The material will be available on the web. Reference textbooks: • William Stallings, “Cryptography and Network Security: Principles and Practice”, Pearson, 2016. • Jonathan Katz, Yehuda Lindell, “Introduction to Modern Cryptography”, Chapman and Hall/CRC, 2014. Additional readings: • Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, “Handbook of Applied Cryptography”, CRC Press, 2001.

Lecture slides; Lab exercises; Video lectures (previous years);

Exam: Compulsory oral exam; Group essay;

The final exam is an oral exam typically consisting of three open questions covering different course topics. Students cannot use books, slides, notes, online resources, or any other teaching materials during the exam. The questions aims at assessing students' understanding of main security principles and security definitions and their knowledge of the different cryptographic algorithms, by evaluating the ability to describe technological solutions, their merits and limitation, their applicability to practical scenarios. The students are evaluated depending on the difficulty of the topic and the level of correctness, clarity, accurate terminology of their answers. In some cases, the contents of the lab reports may be also discussed during the oral exam. Reports should be delivered to the course instructor at least a week before the date of the first exam. Evaluation of the reports is based on their clarity, technical correctness, ability of the students to properly describe and comment the results of the experiments. Reports should not merely list results, but demonstrate understanding of the concepts learned during the course. Reports are also used to assess students' ability to evaluate merits and weakness of different security solutions. Student self-assessment will also be used to generate the computer lab score, i.e. students are going to score the contribution of other students in the same group towards achieving the objectives of the computer labs; sending self-assessments to the course instructor is mandatory in order to obtain a score for the computer labs. The final grade depends on the score of the oral exam (up to 25 points) and on the evaluation of the reports of the computer labs (up to 6 additional points). A perfect oral exam with perfect lab reports is evaluated 30/30 cum laude; the minimum mark students have to achieve in order to pass the exam is 18/30.

In addition to the message sent by the online system, students with disabilities or Specific Learning Disorders (SLD) are invited to directly inform the professor in charge of the course about the special arrangements for the exam that have been agreed with the Special Needs Unit. The professor has to be informed at least one week before the beginning of the examination session in order to provide students with the most suitable arrangements for each specific type of exam.