Students are expected to acquire: • knowledge of the mathematical foundations, e.g. modular arithmetic, needed to understand the cryptographic algorithms as explained in official standards such as NIST SP-Recommendations or FIPS. • knowledge of symmetric cryptography primitives like Block Ciphers, Stream Ciphers, and Hash Functions; • knowledge of the asymmetric cryptosystems used, for instance, for exchanging keys or building Public Key Cryptography; • knowledge of the main protocols used in different fields like Commitments, (Blind) Digital Signatures, SRP, and SAE; • knowledge of the main programming libraries for implementing cryptography algorithms both in C and Python; • abilities to discern the correct cryptographic algorithms to use, depending on the field of application; • abilities to discover flaws in basic cryptographic protocols and when the cryptographic primitives are misused; • knowledge about the main classes of attacks against the presented cryptographic algorithm; • abilities to mount basic attacks in Python.

Basics of programming in C. Basics of computer security. Basics of linear algebra as in courses of "Linear Algebra and Geometry" of the first year of the Bachelor.

Basics of Cryptography and Cryptanalysis: • Confidentiality, Authentication, Integrity and Nonrepudiation. • (Gen, Enc, Dec), the key distribution problem and concept of crypto primitives. • Computationally infeasibility. Brute Force • Kerckhoff's principle. • Attacks models: COA, KPA, CPA, CCA. • Indistinguishability goals IND. Cryptographic programming: • use of cryptographic primitives in C; • use of cryptographic primitives in Python; • mounting basic attacks against symmetric ciphers, hash functions, and the RSA cryptosystem. Basics of Modular Arithmetic and Elliptic curves. • Calculations in rings of remainders modulo n. The (mod n) notation. • Calculations in Galois fields modulo a polynomial G. • Algorithm to compute the inverse: Euclidean extended and Kuttaka. • Chinese Remainder Theorem (CRT). Euler's Totient function. • Equations of first and second order (mod n). Quadratic residues. Euler's criterion. • Finite and cyclic groups, generators and order. Lagrange's theorem. Fermat's little theorem. • Discrete logarithm problem. • Elliptic curves: definition and construction of the addition law. Symmetric Cryptography: • Block-Ciphers: Feistel and SP-networks. DES, AES; • Operations Modes: ECB, CBC, CTR, OFB, CFB, GCM, CCM; • Stream-Ciphers and PRNG: o ARX algorithms: RC4, Salsa, and Chacha20. o Permutation algorithm: Keccak Sponge PRNG • Hash Functions: o Merkle-Damgεrd construction. o ARX: SHA1, SHA2 o Permutation based: Keccak Sponge, SHA3 o Birthday's paradox • Message Authentication Codes (MAC). Length extensions attack and HMAC. Asymmetric Cryptography: • DH Key Exchange on finite fields. • DH on elliptic curves. • RSA. Rabin. ElGamal. Hybrid Encryption, KEM/DEM Paradigm. • Protocols: Commitments, (Blind) Digital Signatures, SAE, and SRP.

The course consists of a total of 40 hours of lessons and 20 hours of exercises structured and distributed into 14 weeks. Each week's lesson has a precise list of arguments from the course topics (see above). Weekly, the list of arguments for the lessons is given in advance to the students in a PDF file available on the portale della didattica "material didactic". Such a PDF file contains the theory, examples, exercises, hyperlinks to web places, Python code, historical notes, and appendixes that the teacher will explain during the lesson. Recordings of lectures and screenshots of explanations of previous years are also available on the portale della didattica "material didactic". The exercises are divided into two parts. The first weeks will be devoted to presenting how to write cryptography code correctly using the C programming language. The second part will present how to mount attacks against (weakly designed) cryptographic systems using Python. The exercises adopt the Flipped Classroom learning paradigm. Videos presenting the exercises' topics will provide material to examine individual subjects in depth. Videos will be introduced with face-to-face classes presenting the learning objectives, the approach, and the methodology. After each part, dedicated face-to-face classes will allow students to self-assess their preparation level and readiness to sit the exam.

Serious Cryptography: A Practical Introduction to Modern Encryption Jean-Philippe Aumasson, No Starch Press, 2018. Understanding Cryptography, A Textbook for Students and Practitioners Paar, Christof, Pelzl, Jan, Springer-Verlag, 2010. Applied Cryptography: Protocols, Algorithms and Source Code in C Bruce Schneier, Wiley; 20th Anniversary edition,2015.

Lecture slides; Lecture notes; Exercises; Video lectures (previous years);

Exam: Optional oral exam; Computer-based written test in class using POLITO platform;

The exam aims to verify the level of knowledge and abilities acquired (see Expected learning outcomes) for the topics listed in the official teaching program, the ability to apply theory, the related calculation methods and IT methods. The evaluations are expressed out of thirty. The exam is passed if the score is at least 18/30. The evaluation is composed of two independent parts: the evaluation of the theoretical part, which accounts for up to 21 points, and the evaluation of the practical part, which accounts for up to 12 points. The exam is a written test using the PC consisting of four theoretical closed-ended exercises and two to five open- or closed-ended practical exercises on the topics in the teaching program. It may be supplemented with an oral test at the teacher's discretion. It includes calculation exercises that require the need to choose and apply the most appropriate cryptographic / IT tools for its resolution, but also theoretical concepts, which require the student's ability to build a logical chain by applying in sequence the theoretical results seen in class. Finally, it assesses the ability to mount basic attacks against cryptographic algorithms. The written test lasts up to 100 minutes. Every exercise is assigned a score. The total score of the four theoretical closed-ended exercises is 21 points, and there is no penalization for wrong answers. The two to five open- or closed-ended practical exercises are evaluated individually for a nine-point score. Up to five points are granted if students successfully solve challenges in an ad hoc CryptoCTF. The sum of CTF and exercise points is capped at 12 points. Alternatively, selected voluntary students can replace the open-ended practical exercises with individual homework related to the course's practical arguments, delivering a written report. In this case, the topics are agreed upon with the teacher. To obtain honours, i.e. 30 e Lode, the sum of the open-ended and closed-ended/homework points must exceed 30 points. During the exam, it is not allowed to keep and consult notebooks, books, exercise sheets, forms, and personal calculators. The platform calculator will be made available to students. An example of an exam test is available on the moodle.polito.it platform on the "Portale della Didattica". The exam results are communicated on the teaching portal, along with the date students can view the assignment and ask for clarification.

In addition to the message sent by the online system, students with disabilities or Specific Learning Disorders (SLD) are invited to directly inform the professor in charge of the course about the special arrangements for the exam that have been agreed with the Special Needs Unit. The professor has to be informed at least one week before the beginning of the examination session in order to provide students with the most suitable arrangements for each specific type of exam.