MIT 6.5620/6.875/18.425 (Fall 2023)
Foundations of Cryptography

Course Description

The field of cryptography gives us a technical language to define important real-world problems such as security, privacy and integrity, a mathematical toolkit to construct mechanisms such as encryption, digital signatures, zero-knowledge proofs, homomorphic encryption and secure multiparty computation, and a complexity-theoretic framework to prove security using reductions. Together, they help us enforce the rules of the road in digital interactions.

The last few years have witnessed dramatic developments in the foundations of cryptography, as well as its applications to real-world privacy and security problems. For example, cryptography is abuzz with solutions to long-standing open problems such as fully homomorphic encryption and software obfuscation that use an abundance of data for public good without compromising security.

The course will explore the rich theory of cryptography all the way from the basics to the recent developments.

Prerequisites: This is an introductory, but fast-paced, graduate course, intended for beginning graduate students and upper level undergraduates in CS and Math. We will assume fluency in algorithms (equivalent to 6.046), complexity theory (equivalent to 6.045) and discrete probability (equivalent to 6.042). Mathematical maturity and an ease with writing mathematical proofs will be assumed starting from the first lecture.

Course Information

INSTRUCTOR Vinod Vaikuntanathan
Email: vinodv at csail dot mit dot edu
Office hours: Fridays, 4-5pm. Location: 32-G696.
LOCATION AND TIME Monday and Wednesday 1:00-2:30pm in 1-190
TAs Chirag Falor
Email: cfalor at mit dot edu
Office hours: Sun 11-12 noon. Location: 24-307.

Neekon Vafa
Email: nvafa at mit dot edu
Office hours: Tuesdays 5:30-7:30pm. Location: 36-155.

Hanshen Xiao
Email: hsxiao at mit dot edu
Office hours: Mon 4-6 pm. Location: 36-155.
RECITATIONS Probability review: Friday, September 8, 4-5:30pm in 4-159.
Probability theory handout | Video
Complexity and reductions review: Friday, September 15, 4-5:30pm in 4-159.
Complexity theory and reductions handout, updated | Video
Number theory review: Friday, October 6, 4-5:30pm in 4-159.
Number theory handout | Dana Angluin's notes | Keith Conrad's note on the cyclicity of Zp*
RESOURCES The main references will be the course materials including lecture notes, slides and/or videos. We will also post relevant papers after every lecture. Here are a few supplementary references for the entire course material.

Lecture notes
  1. Fall 2022 course website
  2. Mike Rosulek's book "The Joy of Cryptography"
  3. Goldreich's "Foundations of Cryptography" Volumes 1 and 2
Textbooks
  1. Katz-Lindell
  2. Boneh-Shoup
  3. Pass-Shelat book
  4. Lindell's advanced tutorial on the foundations of crypto.
PIAZZA We will use Piazza for class communication. Our class Piazza is here. Please ask your questions there, so that other students can see the questions and answers.
ASSIGNMENTS AND GRADING Grading will be based on the problem sets, midterm exam, and class participation. There will be 6 problem sets and your top 5 scores will count towards your grade. You have a total of 10 late days to use across the 6 psets (max of 5 late days for any single pset). You can use these late days however you like; we will use the timestamp of your Gradescope submission to calculate the number of late days.

Submitting psets:
  • You should typeset your pset answers in LaTeX.
  • PDFs are to be submitted via Gradescope on or before 11:59:59pm ET on the due date. The Gradescope access code is available on the course information page on Piazza.
  • Solutions will be posted on piazza.

Released problem sets:
  • PSET 1 (PDF), (Source) | Released: Sep 06, 11:59pm | Due: Sep 20, 11:59pm ET
  • PSET 2 (PDF), (Source) | Released: Sep 20, 11:59pm | Due: Oct 04, 11:59pm ET
  • PSET 3 (PDF), (Source) | Released: Oct 04, 11:59pm | Due: Oct 18, 11:59pm ET
  • PSET 4 (PDF), (Source) | Released: Oct 18, 11:59pm | Due: Nov 08, 11:59pm ET (Because of the midterm, you have three weeks instead of the usual two.)
  • PSET 5 (PDF), (Source) | Released: Nov 9, 11:59pm | Due: Nov 20, 11:59pm ET (Because of the Thanksgiving, HW5 is due 2 days earlier than usual.)
  • PSET 6 (PDF), (Source) | Released: Nov 20, 11:59pm | Due: Dec 4, 11:59pm ET
COLLABORATION POLICY Collaboration is permitted and encouraged in small groups of at most three students. You are free to collaborate in discussing answers, but you must write up solutions on your own, and must specify in your submission the names of any collaborators. Do not copy any text from your collaborators; the writeup must be entirely your work. Do not write down solutions on a board and copy it verbatim into Latex; again, the writeup must be entirely your own words and your own work and should demonstrate clear understanding of the solution. Additionally, you may make use of published material, provided that you acknowledge all sources used. Of course, scavenging for solutions from prior years is forbidden.

Schedule (tentative and subject to change)



Lecture Topic
Module 1: Basics and Private-Key Cryptography
Lecture 1 (Wed Sep 6)
HW #1 out
Resources:
Slides, Slides (PDF), and lecture video.

Topics covered:
  • Introduction to cryptography.
  • Secure Communication and Shannon’s definitions of perfect secrecy.
  • The One-time pad construction.
  • Shannon’s lower bound.

Recommended reading:
Lecture 2 (Mon Sep 11) Resources:
Slides, Slides (PDF), and lecture video.

Topics covered:
  • How to circumvent Shannon’s lower bound: the computational adversary.
  • Definition of computational security.
  • The definition of pseudorandom generators (PRG).
  • Pseudorandom generators imply (stateful) secret-key encryption.

Recommended reading:
Lecture 3 (Wed Sep 13) Resources:
Slides, Slides (PDF), and lecture video.

Topics covered:
  • The Hybrid Argument.
  • An application: PRG length extension.
  • The notion of pseudorandom functions: Definition, motivation, discussion and comparison with PRGs.
  • PRFs imply secret-key encryption.

Recommended reading:
Lecture 4 (Mon Sep 18) Resources:
Slides, Slides (PDF), and lecture video.

Topics covered:
  • Formal definition of PRF security.
  • The Goldreich-Goldwasser-Micali (GGM) PRF construction.
  • Definition of IND-CPA secure encryption.

Recommended reading:
Advanced reading:
Lecture 5 (Wed Sep 20)
HW #1 due, HW #2 out
Resources:
Slides, Slides (PDF), and lecture video.

Topics covered:
  • Identification protocols.
  • Authentication and message-authentication codes (MAC).
  • Chosen ciphertext secure symmetric key encryption.
Recommended reading:
Lecture 6 (Mon Sep 25) Resources:
Slides, Slides (PDF), and lecture video.

Topics covered:
  • One-way functions and its properties.
  • Hard core bits and PRG.
  • Goldreich-Levin theorem.
Recommended reading: Advanced reading
Lecture 7 (Wed Sep 27) Resources:
Slides, Slides (PDF), and lecture video.

Topics covered:
  • Goldreich-Levin Theorem (contd.)
  • A TCS perspective on GL theorem: local list decoding (if time permits).
Module 2: Public-Key Cryptography
Lecture 8 (Mon Oct 2) Public-Key Cryptography I: Key Exchange

Resources:
Slides, Slides (PDF) and lecture video.

Advanced reading:
Lecture 9 (Wed Oct 4)
HW #2 due, HW #3 out
Public-Key Cryptography II: Key Exchange

Resources:
Slides, Slides (PDF) and lecture video.

Advanced reading:
No lecture (Mon Oct 9)
Indigenous Peoples' Day
Lecture 10 (Wed Oct 11) Public-Key Cryptography III

Resources:
Slides, Slides (PDF) and lecture video.
Lecture 11 (Mon Oct 16) Digital Signatures I

Resources:
Slides, Slides (PDF) and lecture video.

Recommended reading:
Lecture 12 (Wed Oct 18)
HW #3 due, HW #4 out
Digital Signatures II (+Collision-Resistant Hash Functions) .

Resources:
Slides, Slides (PDF) and lecture video.
Lecture 13 (Mon Oct 23)
Digital Signatures III

Resources:
Slides, Slides (PDF) and lecture video.

Recommended reading: Advanced reading:
Midterm (Wed Oct 25)
No class. Midterm Exam 7-9pm in 1-190, covering material upto (and including) Lecture 12
Module 3: Zero Knowledge
Lecture 14 (Mon Oct 30) Zero knowledge I: Definitions and Examples.

Resources:
Slides, Slides (PDF) and lecture video.

Recommended reading:
Lecture 15 (Wed Nov 1)
Zero knowledge II: NP in ZK

Resources:
Slides, Slides (PDF) and lecture video.

Recommended reading: Advanced reading:
Lecture 16 (Mon Nov 6) Zero knowledge III: Non-Interactive ZK and Applications

Resources:
Slides, Slides (PDF) and lecture video.

Recommended reading: Advanced reading:
Module 4: Secure Computation
Lecture 17 (Wed Nov 8)
HW #4 due, HW #5 out
Secure Computation. Tools: Secret Sharing and Oblivious Transfer

Resources:
Slides, Slides (PDF) and lecture video.
Lecture 18 (Mon Nov 13) Goldreich-Micali-Wigderson (GMW) Secure Two-Party and Multi-Party Computation Protocol.

Resources:
Slides, Slides (PDF) and lecture video.

Recommended reading:
  • Chapter 7 of Oded Goldreich's "Foundations of Cryptography" (Volume 2)
Advanced reading:
Lecture 19 (Wed Nov 15)
Secure Two-Party Computation (Continued), Malicious Security.

Resources:
Slides, Slides (PDF) and lecture video.

Advanced reading:
Lecture 20 (Mon Nov 20)
HW #5 due, HW #6 out
Yao's Garbled Circuits.

Resources:
Slides, Slides (PDF) and lecture video.

Recommended reading:
Lecture 21 (Wed Nov 22)
Merkle Trees and Oblivious RAM. [Given by TA Neekon Vafa]

Resources:
Slides (Keynote), Slides (PDF) and lecture video.
Lecture 22 (Mon Nov 27)
Fully Homomorphic Encryption (Part 1)

Resources:
Slides, Slides (PDF) and lecture video.
Lecture 23 (Wed Nov 29) Fully Homomorphic Encryption (Part 2)

Resources:
Slides, Slides (PDF) and lecture video. [Same slides as last lecture.]
Lecture 24 (Mon Dec 4)
HW #6 due
Succinct ZK arguments.

Resources:
Lecture video.

Recommended reading:
Module 5: Advanced Topics
Lecture 25 (Wed Dec 6)
Program Obfuscation

Resources:
Main slides (Keynote), Main slides (PDF), Part 2 slides (Powerpoint), Part 2 slides (PDF) and lecture video.

Recommended reading: Advanced reading:
Lecture 26 (Mon Dec 11) Guest Lecture: Tina Zhang on Quantum Cryptography

Resources:
Lecture video.
Lecture 27 (Wed Dec 13) Guest Lecture: Rahul Ilango on The Complexity-Theoretic Foundations of Cryptography

Resources:
Lecture video.