MIT 6.5620/6.875/18.425 (Fall 2022)
Foundations of Cryptography

Course Description

The field of cryptography gives us a technical language to define important real-world problems such as security, privacy and integrity, a mathematical toolkit to construct mechanisms such as encryption, digital signatures, zero-knowledge proofs, homomorphic encryption and secure multiparty computation, and a complexity-theoretic framework to prove security using reductions that together help us enforce the rules of the road in digital interactions.

The last few years have witnessed dramatic developments in the foundations of cryptography, as well as its applications to real-world privacy and security problems. For example, cryptography is abuzz with solutions to long-standing open problems such as fully homomorphic encryption and software obfuscation that use an abundance of data for public good without compromising security.

The course will explore the rich theory of cryptography all the way from the basics to the recent developments.

Prerequisites: This is an introductory, but fast-paced, graduate course, intended for beginning graduate students and upper level undergraduates in CS and Math. We will assume fluency in algorithms (equivalent to 6.046), complexity theory (equivalent to 6.045) and discrete probability (equivalent to 6.042). Mathematical maturity and an ease with writing mathematical proofs will be assumed starting from the first lecture.

Course Information

INSTRUCTOR	Vinod Vaikuntanathan Email: vinodv at csail dot mit dot edu
LOCATION AND TIME	Monday and Wednesday 1:00-2:30pm in 1-190
TAs	Matthew Hong Email: matthong at mit dot edu Office hours: Thursday 10:30-11:30am in 5-233. Surya Mathialagan Email: smathi at mit dot edu Office hours: Monday 3-4pm in 34-302, Tuesday 10-11am in 24-323. Tina Zhang Email: tinaz at mit dot edu Office hours: Tuesday 5-6pm in 34-304, Thursday 4:15-5:15pm in 36-112.
RECITATIONS	Probability review: Friday September 9 12-1pm in 32-575 (Probability theory handout) Complexity and reductions review: Friday September 16 1-2pm in 32-G431. (Complexity theory and reductions handout) Number theory review: Friday September 30 12-1pm on Zoom (see Piazza for the link). (Number theory handout; see also Dana Angluin's high-quality and comprehensive notes.)
RESOURCES	The main references will be the course materials including lecture notes, slides and/or videos. We will also post relevant papers after every lecture. Here are a few supplementary references for the entire course material. Lecture notes Fall 2021 course website Pass-Shelat Textbooks Katz-Lindell Boneh-Shoup Goldreich Rosulek Lindell's advanced tutorial on the foundations of crypto.
PIAZZA	We will use Piazza for class communication. Our class Piazza is here. Please ask your questions there, so that other students can see the questions and answers.
ASSIGNMENTS AND GRADING	Grading will be based on the problem sets (95%) and class participation (5%). There will be 6 problem sets and your top 5 scores will count towards your grade. You have a total of 10 late days to use across the 6 psets (max of 5 late days for any single pset). You can use these late days however you like; we will use the timestamp of your Gradescope submission to calculate the number of late days. Submitting psets: You should typeset your pset answers in LaTeX. PDFs are to be submitted via Gradescope on or before 11:59:59pm ET on the due date. The Gradescope access code is available on the course information page on Piazza. Here is a LaTeX template you can use. Solutions will be posted on piazza. Released problem sets: PSET 1 (PDF) \| Released: 7 Sep, 2:30pm \| Due: 21 Sep, 11:59:59pm ET PSET 2 (PDF) \| Released: 21 Sep, 2:30pm \| Due: 5 Oct, 11:59:59pm ET PSET 3 (PDF) \| Released: 5 Oct, 3:30pm \| Due: 19 Oct, 11:59:59pm ET PSET 4 (PDF) \| Released: 19 Oct, 11:30pm \| Due: 2 Nov, 11:59:59pm ET PSET 5 (PDF) \| Released: 2 Nov, 9:30pm \| Due: 16 Nov, 11:59:59pm ET PSET 6 (PDF) \| Released: 16 Nov, 11:30pm \| Due: 7 Dec, 11:59:59pm ET
COLLABORATION POLICY	Collaboration is permitted and encouraged in smallgroups of at most three. You are free to collaborate in discussing answers, but you must write up solutions on your own, and specify in your submission the names of any collaborators. Do not copy any text from your collaborators; the writeup must be entirely your work. Additionally, you may make use of published material, provided that you acknowledge all sources used. Of course, scavenging for solutions from prior years is forbidden.

Schedule (tentative and subject to change)

Lecture	Topic
	Module 1.
Lecture 1 (Wed Sep 7) HW #1 out	Resources: Slides, Slides (PDF) and lecture video. Topics covered: Introduction to cryptography. Secure Communication and Shannon’s definitions of perfect secrecy. The One-time pad construction. Shannon’s lower bound. Recommended reading: Communication Theory of Secrecy Systems by Claude Shannon The Cryptographic Lens: Visions of our Past and Future by Shafi Goldwasser \| Slides
Lecture 2 (Mon Sep 12)	Resources: Slides, Slides (PDF) and lecture video. Topics covered: How to circumvent Shannon’s lower bound: the computational adversary. Definition of computational security. The definition of pseudorandom generators (PRG). Pseudorandom generators imply (stateful) secret-key encryption. Recommended reading: New Directions in Cryptography by Whitfield Diffie and Martin Hellman
Lecture 3 (Wed Sep 14)	Resources: Slides, Slides (PDF) and lecture video. Topics covered: The Hybrid Argument. An application: PRG length extension. The notion of pseudorandom functions: Definition, motivation, discussion and comparison with PRGs. PRFs imply secret-key encryption. Recommended reading: How to Generate Cryptographically Strong Sequences of Pseudo-random Bits by Manuel Blum and Silvio Micali How To Construct Random Functions by Oded Goldreich, Shafi Goldwasser, and Silvio Micali
Lecture 4 (Mon Sep 19)	Resources: Slides (PDF) and lecture video. Topics covered: Formal definition of PRF security. The Goldreich-Goldwasser-Micali (GGM) PRF construction. Definition of IND-CPA secure encryption. Recommended reading: Pseudorandom Functions: Three Decades Later by Andrej Bogdanov and Alon Rosen. Advanced reading: Cryptographic Limitations on Learning Boolean Formulae and Finite Automata by Michael Kearns and Leslie Valiant. Natural Proofs by Alexander Razborov and Steven Rudich
Lecture 5 (Wed Sep 21) HW #1 due, HW #2 out	Resources: Slides (PDF) and lecture video. Topics covered: Identification protocols. Authentication and message-authentication codes (MAC). Chosen ciphertext secure symmetric key encryption. Recommended reading: XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions by Mihir Bellare, Roch Guerin, Phillip Rogaway.
Lecture 6 (Mon Sep 26)	Resources: Slides, Slides (PDF) and lecture video. Topics covered: One-way functions and its properties. Hard core bits and PRG. Goldreich-Levin theorem. Recommended reading: A generic hardcore predicate for any one-way function Oded Goldreich and Leonid Levin
Lecture 7 (Wed Sep 28)	Resources: Slides, Slides (PDF) and lecture video. Topics covered: Goldreich-Levin Theorem (contd.) A TCS perspective on GL theorem: local list decoding (if time permits). Advanced reading List Decoding: Algorithms and Applications by Madhu Sudan. (See Page 3 for a construction of hardcore predicates from any list-decodable code.) A Pseudorandom Generator from any One-way Function by Johan Hastad, Russell Impagliazzo, Leonid A. Levin, Michael Luby. Characterizing Pseudoentropy and Simplifying Pseudorandom Generator Constructions by Salil Vadhan and Colin Jia Zheng.
	Module 2.
Lecture 8 (Mon Oct 3)	Resources: Slides, Slides (PDF) and video. Topics covered: Merkle's key exchange protocol Public-key encryption. Definition of security: IND-CPA. Overview of group theory and number theory. Recommended reading Lecture Notes on the Complexity of Some Problems in Number Theory by Dana Angluin. Probabilistic Encryption by Shafi Goldwasser and Silvio Micali. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems by R.L. Rivest, A. Shamir, and L. Adleman New Directions in Cryptography by Whitefield Diffie and Martin E. Hellman. Secure Communications Over Insecure Channels by Ralph C. Merkle Talk on history of public key cryptography mentioned in lecture: The Growth of Cryptography by Ronald L. Rivest, at the 2011 Killian Lecture.
Lecture 9 (Wed Oct 5) HW #2 due, HW #3 out	Resources: Slides, Slides (PDF) and video. Topics covered: Discrete Log Asssumption. Diffie-Hellman key exchange. Diffie-Hellman/El Gamal encryption. Recommended reading (same as last lecture). Advanced reading: Generating Random Factored Numbers, Easily by Adam Kalai.
No lecture (Mon Oct 10) Indigenous Peoples' Day
Lecture 10 (Wed Oct 12)	Resources: Slides, Slides (PDF), video. Topics covered: Trapdoor functions. RSA, trapdoor permutations and another public-key cryptosystem. QRA, Goldwasser-Micali and Homomorphism. Recommended reading: Probabilistic Encryption by Shafi Goldwasser and Silvio Micali. Advanced reading: A Minimalist Proof of the Law of Quadratic Reciprocity by Bogdan Veklych.
Lecture 11 (Mon Oct 17)	Resources: Slides, Slides (PDF), Video. Topics covered: Digital Signatures: Definition. Lamport's One-time Signature Scheme. Advanced reading: Goldwasser-Micali-Rivest Signature Scheme by Shafi Goldwasser, Silvio Micali, and Ron Rivest. Two Remarks Concerning the Goldwasser-Micali-Rivest Signature Scheme by Oded Goldreich Universal One-way Hash Functions and their Cryptographic Applications by Moni Naor and Moti Yung.
Lecture 12 (Wed Oct 19) HW #3 due, HW #4 out	Resources: Slides, Slides (PDF), Video. Topics covered: Collision-resistant hash functions. Many-time, stateful, signature schemes. Naor-Yung construction: stateless EUF-CMA-secure signature schemes. Advanced reading: Universal One-way Hash Functions and their Cryptographic Applications by Moni Naor and Moti Yung. SPHINCS: Practical stateless hash-based signatures. by Bernstein et al. (a modern version of the signature scheme from this lecture.) Post-Quantum Cryptography by NIST. See also: SPHINCS+
Lecture 13 (Mon Oct 24)	Resources: Video and slides, slides (PDF). Topics covered: Instantiation of collision-resistant hash functions from discrete log. Direct construction of digital signatures from RSA. The hash-and-sign paradigm and the random oracle heuristic. Variants of digital signatures. Advanced reading: One-Way Functions are Necessary and Sufficient for Secure Signatures by John Rompel.
	Module 3.
Lecture 14 (Wed Oct 26)	Resources: Video, slides, slides (PDF). Topics covered: Zero knowledge I, definitions and examples. Recommended reading: The Knowledge Complexity of Interactive Proof Systems by Shafi Goldwasser, Silvio Micali, and Charles Rackoff.
Lecture 15 (Mon Oct 31)	Resources: Video, slides, slides (PDF). Topics covered: Zero knowledge II: Zero Knowledge Proofs for all of NP. Recommended reading: ZK for NP by Oded Goldreich, Silvio Micali, and Avi Wigderson.
Lecture 16 (Wed Nov 2) HW #4 due, HW #5 out	Resources: Video, slides, slides (PDF). Recommended reading: How to Prove Yourself by Amos Fiat and Adi Shamir. On Defining Proofs of Knowledge by Mihir Bellare and Oded Goldreich. E-mail and the unexpected power of interaction by Laszlo Babai. A history of the PCP Theorem by Ryan O'Donnell. Advanced reading: Efficient Signature Generation by Smart Cards by C.P. Schnorr. On the Composition of Zero-Knowledge Proof Systems by Oded Goldreich and Hugo Krawczyk. Constant-round ZK for NP by Oded Goldreich and Ariel Kahan.
Lecture 17 (Mon Nov 7)	Resources: Video, slides, slides (PDF). Topics covered: Succinct (Zero Knowledge) Argument Systems. Tools: Merkle Trees, Probabilistically Checkable Proofs . Kilian's Protocol.
	Module 5.
Lecture 18 (Wed Nov 9)	Lecture Cancelled You can watch the Lecture 18 video from Fall 2022 here. The slides are here (PDF).
Lecture 19 (Mon Nov 14)	Resources: Video, slides, slides (PDF). Topics covered: Lattices, Learning with Errors (LWE). LWE-based Cryptography: Secret-key and Public-key Encryption, Collision-Resistant Hashing. Fully Homomorphic Encryption. A Construction of FHE from the LWE assumption. Advanced reading: On Lattices, Learning with Errors, Random Linear Codes, and Cryptography by Oded Regev. Efficient Fully Homomorphic Encryption from (Standard) LWE by Zvika Brakerski and Vinod Vaikuntanathan. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based by Craig Gentry, Amit Sahai and Brent Waters. Hardness of LWE on General Entropic Distributions by Zvika Brakerski and Nico Döttling. Homomorphic Encryption: from Private-Key to Public-Key by Ron Rothblum.
Lecture 20 (Wed Nov 16) HW #5 due, HW #6 out	Resources: Video, slides, slides (PDF). Topics covered: Fully Homomorphic Encryption continued: The Bootstrapping Theorem, and Circular Security. Open Problems in FHE Research.
	Module 6.
Lecture 21 (Mon Nov 21)	Resources: Video, Slides, slides (PDF). Topics covered: Oblivious Transfer. Private Information Retrieval. Recommended reading: How to Exchange and Generate Secrets by Andrew Chi-Chih Yao Private Information Retrieval by Benny Chor, Oded Goldreich, Eyal Kushilevitz, and Madhu Sudan
No Lecture (Wed Nov 23) Thanksgiving Break
Lecture 22 (Mon Nov 28)	Resources: Video, Slides, slides (PDF). Topics covered: Secure Two-Party Computation. The Goldreich-Micali-Wigderson Protocol. Recommended reading: Draft of A Chapter on General Protocols from Volume 2 of Foundations of Cryptography, by Oded Goldreich Advanced reading: Bar-Ilan Winter School on MPC
Lecture 23 (Wed Nov 30)	Resources: Video, Slides, slides (PDF). Topics covered: Secret-Sharing. Secure Multiparty Computation. Recommended reading: How To Play Any Mental Game by Oded Goldreich, Silvio Micali, and Avi Wigderson Extending Oblivious Transfers Efficiently by Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank Correlated Pseudorandomness and the Complexity of Private Computations by Donald Beaver Simplified VSS and Fast-track Multiparty Computations with Applications to Threshold Cryptography by Rosario Gennaro, Michael O. Rabin, and Tal Rabin Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation by Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson NIST Kick-Starts ‘Threshold Cryptography’ Development Effort
Lecture 24 (Mon Dec 5)	Resources: Video, slides (keynote), slides (PDF). Topics covered: Program Obfuscation and Applications. Advanced reading: On the (Im)possibility of Obfuscating programs, Boaz Barak, Oded Goldreich, Rusell Impagliazzo, Steven Rudich, Amit Sahai, Salil Vadhan, and Ke Yang. How to Use Indistinguishability Obfuscation: Deniable Encryption, and More, Amit Sahai and Brent Waters. Indistinguishability Obfuscation from Well-Founded Assumptions, Aayush Jain, Huijia Lin and Amit Sahai.
Lecture 25 (Wed Dec 7) HW #6 due	Resources: Video, slides, slides (PDF). Topics covered: Yao's Garbled Circuits. Advanced reading: Original paper: How to generate and exchange secrets by Andrew Chi-Chih Yao. Note that Yao described the garbled circuit construction in the talk that year at FOCS, but did not really publish it in this (or any) paper. A full proof (and description) of Yao's protocol's security: A Proof of Security of Yao’s Protocol for Two-Party Computation by Yehuda Lindell Benny Pinkas. Randomized Encoding: Garbled Circuits as Randomized Encodings of Functions: a Primer by Benny Applebaum. Garbled circuit size optimization: Improved Garbled Circuit: Free XOR Gates and Applications by Vladimir Kolesnikov and Thomas Schneider. Two Halves Make a Whole Reducing Data Transfer in Garbled Circuits using Half Gates by Samee Zahur, Mike Rosulek, and David Evans. Three Halves Make a Whole? Beating the Half-Gates Lower Bound for Garbled Circuits by Mike Rosulek and Lawrence Roy.
Lecture 26 (Mon Dec 12)	Resources: Video. Topics covered: Quantum Cryptography.
Lecture 27 (Wed Dec 14)	Topics covered: Grand Challenges in Cryptography. Crypto AMA with Vinod and the TAs.