**Prerequisites**: Basic knowledge of algebra as covered in basic algebra courses in the Bachelor Mathematics (Sections I.1-4; II.1-3; IV.1, XIII.1-4 in Lang, "Algebra", Graduate Texts in Math. 221, Springer) and discrete probability theory (independence, conditional probabilities, expectation, Bayes' Law). It is helpful but not necessary to have some familiarity with algorithms (analyzing run time) and complexity theory.**Aim of the course:** This Master's level course provides an introduction to modern cryptography, the science of securing communication and computation against different forms of adversarial behaviors. We will start with basic concepts of cryptographic theory such as one-way functions and will see how to leverage one-wayness to generate pseudorandomness. Subsequently, we will look at different notions of symmetric-key primitives including symmetric-key encryption, message authentication codes and collision-resistant hash functions. To construct public-key encryption schemes we will build on number-theoretic and algebraic hardness assumptions. We will then move on to authentication (and beyond) and discuss digital signature schemes, sigma protocols and zero-knowledge proofs. If time permits, the final block of the course will be dedicated to the basics of secure multi-party computation.

**Rules about Homework/Exam**: There will be no mandatory homework, but exercise problems for practice will be made available. Final exam and retake will be written exams. To pass the course the grade of the final exam must be at least a 5.5.

**Lecture notes/Literature:** Lecture notes will be posted on the course homepage. The class has no required textbook. Relevant material and additional reading can be found in "Introduction to Modern Cryptography" by Jonathan Katz and Yehuda Lindell, and in "Foundations of Cryptography" by Oded Goldreich.

**Lecturers**: Lisa Kohl (Cryptology Group, CWI Amsterdam), E-mail: Lisa.Kohl(at)cwi.nl

- Docent: Lisa Kohl