Lecture notes from 6.857, taught by Prof. Ronald L. Rivest. Some lecture notes are exactly the ones posted on the 6.857 course website

- Lecture 1: Introduction
- Lecture 2: (Cancelled):
- Lecture 3: Security principles and Growth of crypto
- Lecture 4: One-time pad
- Lecture 5: Hash functions I: random oracle model (ROM), one-way, collision-resistance, target collision resistance, preimage attack, second preimage attack, pseudo-randomness, non-malleability, hashed passwords, digital signatures, commitment schemes
- Lecture 6: Hash functions II: puzzles, Hashcash (’97), Merkle’s public-key crypto using puzzles, Merkle-Damgaard construction, Davies-Meyer construction, MD5
- Lecture 7: Cryptocurrencies: atoms vs. bits, Bitcoin, public ledger, multiple-in multiple out (MIMO) transactions,
- Lecture 8: Ciphers I: Shamir’s secret sharing, block ciphers, DES, AES
- Lecture 9: Ciphers II: ideal block cipher, modes of operation, electronic codebook mode (ECB), counter mode (CTR), cipher-block chaining mode (CBC), cipher feedback mode (CFB), indistinguishability under chosen-ciphertext attack (IND-CCA), unbalanced feistel encryption
- Lecture 10: Stream ciphers: RC4, Spritz, ChaCha
- Lecture 11: Message authentication codes: HMAC, CBC-MAC, PRF-MAC, One-time MAC (OTMac), authenticated encryption with associated data (AEAD), EAX mode, encrypt-then-MAC, finite fields and number theory
- Lecture 12: Crypto math I: primality testing, one-time MAC, the Totient function (phi), divisors, greatest common divisor (GCD), (Extended) Euclid’s algorithm, order of group elements, generators, Fermat’s little theorem, Lagrange’s theorem, why we pick safe primes
- Lecture 13: Crypto math II: group theory review, Diffie-Hellman key-exchange, Zp
*, Zn*, Qp, Qn - Lecture 14: Public key crypto I: commitment schemes, Pedersen commitments, ElGamal, Decisional Diffie-Hellman (DDH) problem
- Lecture 15: Public key crypto II: IND-CCA2 security Cramer-Shoup, RSA, making RSA IND-CCA2-secure, other RSA security aspects
- Lecture 16: Digital signatures: hash and sign, RSA PKCS, RSA PSS, ElGamal, Digital Signature Algorithm (DSA)
- Lecture 17: Bilinear maps: gap groups, bilinear maps, Boneh-Lynn-Shacham (BLS) signatures, 3-way key agreement (Joux), identity-based encryption (IBE)
- Lecture 18: Zero knowledge proofs: zero-knowledge proofs (ZKPs), interactive proofs, Sudoku, 3-colorability, graph isomorphism, Hamiltonian cycle, discrete log
- Lecture 19:
**Computing on encrypted data***guest lecture*by Vinod Vaikuntanathan: - Lecture 20: Electronic voting: public voting, paper ballots, lever machines, punch cards, optical scan, Direct Recording by Electronics (DRE), Voter Verified Paper Audit Trail (VVPAT), DRE+VVPAT, vote by mail, internet voting (oh dear God), voting requirements, security threats, end-to-end voting security, Twin (Rivest and Smith), Scantegrity (Chaum et al)

Papers we read in 6.857 (directory here):

- Bitcoin, Satoshi Nakamoto
- Research Perspectives and Challenges for Bitcoin and Cryptocurrencies, Princeton University
- AES Proposal: Rijndael
- How to share a secret, Adi Shamir
- The EAX mode of operation
- Secure communications over insecure channels, Ralph Merkle
- New paradigms for constructing symmetric encryption schemes secure under CCA, via Unbalanced Feistel Encryption
- Unlinkable serial transactions: Protocol and applications
- A method for obtaining digital signatures and public-key cryptosystems, Rivest, Shamir, Adleman
- Twenty years of attacks on the RSA cryptosystem, Dan Boneh
- New directions in cryptography, Diffie-Hellman
- Cramer-Shoup cryptosystem
- ElGamal cryptosystem
- FIPS PUB 186-4: Digital Signature Standard (DSS)
- Sequences of Games: A Tool for Taming Complexity in Security Proofs
- Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance, Phillip Rogaway

- Spritz slides
- How to choose an authenticated encryption mode, Matthew Green
- Intro to Bilinear Maps
- How to Explain Zero-Knowledge Protocols to Your Children

- Lecture 6: MD5 drawing