2MMC10 Cryptology - Fall 2026
Tanja Lange
Coding Theory and Cryptology
Eindhoven Institute for the Protection of Information
Department of Mathematics and Computer Science
Room MF 5.062
Technische Universiteit Eindhoven
P.O. Box 513
5600 MB Eindhoven
Netherlands
Phone: +31 (0) 40 247 4764
The easiest ways to reach me wherever I am:
e-mail: tanja@hyperelliptic.org
-
This page belongs to course 2MMC10 - Cryptology. This course is
offered at TU/e and aimed at students of mathematics and computer science,
incl. students in the cybersecurity track/IST.
Contents
- The general structure of block ciphers, Feistel ciphers like DES, AES, the most suitable modes-of-use, e.g. CBC or OFB.
- Hash functions, Message Authentication Codes.
- The principle of public key cryptography.
- Basics of finite fields and their arithmetic
- Diffie-Hellman key exchange, El Gamal, several methods to compute discrete logarithms (baby-step giant-step method, the Pohlig-Hellman method, Pollard-rho and the index calculus method).
- Elliptic curves in different representations, cryptosystems and signature schemes based on elliptic curves.
- The RSA system for encryption and signing, generating prime numbers by means of probabilistic primality tests, primality proof, several factorization algorithms (Pollard-(p-1), Pollard-rho, the random square method, the quadratic sieve method), lattice methods for breaking special keys.
- Code-based cryptography.
Announcements
Note that one of the course requirements is algebra. I will not repeat
basic background on groups, rings and fields in class. If you don't
have the necessary background, take the summer and work through the "Number Theory and Algebra" script
or more from my draft book
Discrete Mathematics.
-
Lectures at TU/e start in the week of 31 August 2026.
-
The lecture slots are Tuesdays 13:30 - 15:15 (mix of rooms in Gemini Noord)
and Thursdays 10:45 - 12:30 (mostly Gemini Noord 1.710).
Students have requested instructions and we're making this work.
The instruction slot is Tuesday 15:30 - 17:15 and for most weeks we offer the
instruction in one big room with two instructors, these are mostly in Neuron.
Because of the different rooms please check the
timetable for the course and note that room assignments may change.
-
This year the lectures will not be recorded but you can find the recordings
from 2022 online. In 2021 I offered this course online and
recorded the material in short videos, one video per topic. You can find those
on its own
YouTube Channel
-
There will be weekly homeworks as an opportunity for you to check
your understanding and how to formally write up things.
We do not have capacity to send feedback for everybody, so please team up in
groups of 2 or 3 and first discuss in your group how to solve the problem and
which of your solutions to submit.
The teaching assistants will send you feedback and corrections.
Note that the homeworks do not count towards the final grade.
Take this as an offer for you to check your understanding. Do not spam them
with output by AI.
-
Your teaching assistants this year are
- Jonathan Levin
- Elisa Pioldi
You can send an email to crypto.course@tue.nl to reach
both of them if you have questions.
-
The exam will take place on campus on 27 Oct 2026 13:30 - 16:30.
The best preparation for the exam is to try yourself at the
old exams. We are back to the pre-Covid modality
of written exams with notebook; this was not possible 2020 – 2022.
This means that you should prepare your programmable
calculator to cover
- exponentiation modulo some number; use square and multiply and reduce
after each multiplication or squaring; test your implementation with a large
base and exponent
- Chinese remainder theorem
- inverse modulo some number via XGCD
I do not expect that you implement LLL or elliptic curve operations, so in
particular I expect to see intermediate steps in the calculations there.
There will also be some university laptops with Pari-GP for you to use.
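As a reference for checking your own calculator programs, here is an added example (not part of the course material) of the three routines listed above, written in Python. The function names and the test values are constructed for illustration.

```python
def modexp(base, exp, mod):
    """Left-to-right square and multiply, reducing after every operation."""
    result = 1 % mod
    base %= mod
    for bit in bin(exp)[2:]:          # scan exponent bits, most significant first
        result = (result * result) % mod      # square, then reduce
        if bit == "1":
            result = (result * base) % mod    # multiply, then reduce
    return result

def xgcd(a, b):
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) = x*a + y*b."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, n):
    """Inverse of a modulo n via XGCD; fails if gcd(a, n) != 1."""
    g, x, _ = xgcd(a % n, n)
    if g != 1:
        raise ValueError("element is not invertible modulo n")
    return x % n

def crt(residues, moduli):
    """Solve x = r_i (mod m_i) for pairwise coprime m_i; return (x, product)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        # Choose t so that x + M*t = r (mod m); earlier congruences are kept.
        t = ((r - x) * modinv(M, m)) % m
        x += M * t
        M *= m
    return x, M

def self_check():
    """Constructed test with a large base and exponent, compared against
    Python's built-in pow."""
    b, e, n = 3**200 + 7, 2**127 - 1, 10**40 + 121
    return modexp(b, e, n) == pow(b, e, n)

if __name__ == "__main__":
    print(self_check(), modinv(17, 3120), crt([2, 3, 2], [3, 5, 7]))
```
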
Literature
It is not necessary to purchase a book to follow the course.
Previous versions of this course used
Henk van Tilborg's "Fundamentals of Cryptology", Kluwer academic
Publishers, Boston, 2000. But the book is out of print.
A preliminary author's copy by Henk can be downloaded in pdf form
here
and as a mathematica worksheet here.
Other books you might find useful (in alphabetical order):
-
Jean-Philippe Aumasson "Serious Cryptography", no starch press,
-
Dan Boneh and Victor Shoup A Graduate Course in Applied Cryptography. Whole book is online.
-
Steven Galbraith Mathematics of Public Key Cryptography, Cambridge University Press 2012. All chapters are online (even extended versions).
-
Jonathan Katz and Yehuda Lindell "Introduction to Modern Cryptography",
CRC Press
-
Neal Koblitz "A course in Number Theory and Cryptography",
Springer, 1994.
- Tanja Lange "Number Theory and Algebra" (Chapter of draft book "Discrete Mathematics")
- Tanja Lange "Finite Fields" (Chapter of draft book "Discrete Mathematics")
-
Christof Paar and Jan Pelzl "Understanding Cryptography", Springer, 2010
-
Bruce Schneier "Applied Cryptography", John Wiley & Sons, 1994. This book
does not have the mathematical rigor we use for this course but you might
like it for background. It is getting a bit outdated, though.
-
Doug Stinson "Cryptography: Theory and Practice", CRC Press, 1995
You can also find a lot of information (though not written as a textbook)
in the Handbook of Applied Cryptography.
Note that the authors were so nice to offer chapters of HAC online for download.
Examination
The first exam is on 27 Oct 12:30 - 16:30.
The retake is on 26 Jan 18:00 - 21:00.
Videos
The videos from this course appear on
TU/e's
Yuja page.
Note that this page requires a TU/e account to log in and shows lectures
from multiple years and that there are some differences between the
course versions; I taught the course with recordings in 2022 and 2019 and my colleague Andreas
Hülsing taught it in 2018, so you can get different explanations.
For the 2021 edition of the course I recorded a lot of short videos
which you can find on the YouTube Channel.
The
course page for 2021 has short descriptions of all videos, slides,
and no-cookie links to the YouTube videos. Watch them
from there if you're on a low-cookie diet.
Class notes & exercises
This section is extended through the course with notes of what
happened in class and links to blackboard pictures.
01 Sep 2026
First lecture, followed by exercise session.
What's next?
Here are a few courses that you might find interesting:
- To find out how crypto is used in practice take
2DMI10 - Applied Cryptography
taught by Andreas Hülsing in Q2.
-
2DMI00 - Cryptographic protocols by Berry Schoenmakers covers more advanced
crypto, building on the primitives RSA, DL and symmetric crypto that we covered
in this course.
-
If you want to learn more about post-quantum cryptography make sure
to take the MasterMath course
Selected Areas in Cryptology. The course is given
in Spring 2027 by Lorenzo Grassi and Marc Stevens.
- Coding theory is another application area for finite fields and discrete
math in general. Alberto Ravagnani will offer a semester-long course on
Coding Theory
in Spring.
-
If you want to understand how quantum computers break RSA and ECC and what else
they can do, we now offer a local course in
Quantum Computing
by Subhasree Patro.
- Finally, to defend against quantum computers, we're working on
Post-Quantum Cryptography.
Old exams
Old exams by me:
-
Exam from 04 Feb 2025 here
-
Exam from 29 Oct 2024 here
-
Exam from 23 Jan 2024 here
-
Exam from 30 Oct 2023 here
-
Exam from Jan 24, 2023 here.
This was another online exam under the same conditions as below.
-
Exam from 01 Nov 2022 here
This was another online exam under the same conditions as below.
The values are
n=8802480753545133742961614830369231016786934739808948821413906980918012852299263049997643868903076370469472928300916191513
h(m)=84382310455796615550407481393886585806223820180906281913225649154728756027652
s=7678423411571991838207630428856799461357777327526663279512861135218978467269521732475043119537044221598589640922989519745
-
Exam from Jan 25, 2022 here.
This was another online exam under the same conditions as below.
-
Exam from 02 Nov 2021 here
This was another online exam under the same conditions as below.
-
Exam from Jan 19, 2021 here.
This was another online exam under the same conditions as below.
-
Exam from Oct 27, 2020 here.
This was an open-book open-Internet exam so the last exercise doesn't give as many
details as normally. The inspiration this time was
The Long and
Winding Path to Secure Implementation of GlobalPlatform SCP10, though that
system was worse than what I made out of it (apart from having a longer
key).
-
Exam from Jan 21, 2020 here.
-
Exam from Oct 29, 2019 here.
-
Exam from Jan 23, 2018 here.
-
Exam from Oct 31, 2017, here.
-
Exam from Jan 24, 2017, here.
-
Exam from Dec 14, 2016, here.
Note that the g in exercise 3b is the same as in exercise 2, i.e. g=3.
The curve equation in exercise 6b is y^2=x^3-3x+5.
-
Exam from Nov 01, 2016, here.
-
Exam from Jan 19 2016, here.
-
Exam from Oct 27 2015, here.
-
Exam from Apr 14 2015, here.
-
Exam from Jan 27 2015, here.
-
Exam from Apr 15 2013, here.
-
Exam from Jan 28 2014, here.
-
Exam from Apr 13 2012, here.
-
Exam from Jan 27 2012, here.
-
Exam from Apr 28 2011, here.
-
Exam from Jan 28 2011, here.
Note that in exercise 5 the definition of PA should be [a]P.
-
Exam from Jan 21 2011: here.
-
Practice exam 2010/2011: here.
-
Exam from Apr 15 2010, here.
-
Exam from Jan 29 2010: here.
-
Practice exam 2009/2010: here.
Andreas Hülsing gave the course in 2018. His exams are available online
-
Second exam for students from Eindhoven and the TRU/e security master and first for MasterMath, Jan 25, 2019, here
-
First exam for students from Eindhoven and the TRU/e security master Oct 30, 2018,
here.
Henk van Tilborg has agreed that I put up his old exams for you to
practice: