Warning: This is the spring 2022 course website.
The latest CS355 website is online here.

Course Schedule

Specific topics and suggested readings are subject to change as the quarter progresses.

Date	Topic and Readings
Foundations of cryptography
Monday, March 28 (Alex) [notes]	Topics: Logistics & Course Overview Merkle Puzzles Readings: Probability cheat-sheet Merkle’s project proposal
Wednesday, March 30 (Alex) [notes]	Topics: Relationship between symmetric primitives: OWFs, PRGs, PRFs, block ciphers Blum-Micali PRG construction Goldreich-Goldwasser-Micali (GGM) PRF construction Readings: Luca Trevisan’s lecture notes Boneh-Shoup (§3.4,§4.4,§4.6)
Monday, April 4 (Wilson) [notes]	Topics: Commitment schemes The random oracle model Readings: Boneh-Shoup (§8.10.2: RO model, §8.8: sponge construction) “Random Oracles are Practical” [Bellare, Rogoway CCS'93] “Coin Flipping By Telephone” [Blum, CRYPTO'81]
Cryptanalysis
Wednesday, April 6 (Neil) [notes]	Topics: GCD attack on RSA keys Infineon attack Readings: Mining Your Ps and Qs - Widespread Weak Keys in Network Devices, by Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman (USENIX Security 2012) The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli, by Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, and Vashek Matyas (CCS 2017) Linux removes insecure randomness and rolls back.
Friday, April 8	Problem Set 1 due at 5pm via Gradescope
Monday, April 11 (Alex) [notes]	Topics: Generic d-log attacks: Baby-Step Giant-Step, Pollard Rho, Shoup’s lower bound A non-generic attack: Index calculus Readings: Chapters 13, 14, and 15 in Galbraith’s book The Past, evolving Present and Future of Discrete Logarithm by Joux, Odlyzko and Pierrot Notes for Lectures 10 and 11 of Sutherland’s class at MIT “Lower Bounds for Discrete Logarithms and Related Problems,” Victor Shoup
Elliptic-curve cryptography
Wednesday, April 13 (Wilson) [notes]	Topics: Introduction to elliptic curves Readings: Boneh-Shoup (Chapter 15) Elliptic Curve Cryptosystems, by Neal Koblitz
Monday, April 18 (Wilson) [notes]	Topics: Pairings-based cryptography: 3-party key-exchange, short signatures, hashing to elliptic curves Readings: Short Signatures from the Weil Pairing, by Dan Boneh, Ben Lynn, and Hovav Shacham (Asiacrypt 2001) Identity-Based Encryption from the Weil Pairing, By Dan Boneh and Matthew Franklin (Crypto 2001). This paper is quite approachable and enjoyable to read
Zero knowledge proofs
Wednesday, April 20 (Alex) [notes]	Topics: Interactive proofs Zero knowledge Readings: IP = PSPACE (lecture)(original proof)(better proof) ZK for Hamiltonian cycles ZK 3-colorings, in detail (§7.2) Just for fun: Knuth on Hamiltonian paths and cycles
Friday, April 22	Problem Set 2 due at 5pm via Gradescope
Monday, April 25 (Wilson) [notes]	Topics: Sigma protocols Readings: Boneh-Shoup, Chapter 19 Benny Pinkas, Sigma Protocols (slides, video) Hazay and Lindell, Efficient Secure Two-Party Protocols, Chapter 6
Wednesday, April 27 (Neil) [notes]	Topics: Non-interactive zero-knowledge Fiat-Shamir heuristic Readings: Susan Hohenberger’s lecture notes on Fiat-Shamir Boneh-Shoup (Section 19.1, 20.3)
Monday, May 2 (Alex) [notes]	Topics: Succinct Non-interactive Arguments (SNARGs) from PCPs Polynomial commitments Arithmetic circuits and constraints Readings: Polynomial Commitments, by Kate, Zaverucha, and Goldberg (Asiacrypt 2010) Alessandro Chiesa’s class on proof systems Justin Thaler’s book Several blog posts give an accessible explanation of zkSNARKs
Wednesday, May 4 (Wilson) [notes]	Topics (Lecture Notes): Polynomial Commitment + IOP = SNARG * mini-protocols: polynomial equality, vanishing polynomials, and univariate sum-check * Marlin-Lite: a SNARG for R1CS-SAT Readings: Proofs, Arguments, and Zero Knowledge by Justin Thaler (esp. Section 9) Aurora: Transparent succinct arguments for R1CS by Ben-Sasson, Chiesa, Riabzev, Spooner, Virza, and Ward (EUROCRYPT 2019) Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS by Chiesa, Hu, Maller, Mishra, Vesely, Ward (EUROCRYPT 2020)
Friday, May 6	Problem Set 3 due at 5pm via Gradescope
Multi-party computation
Monday, May 9 (Alex) [notes]	Topics: Oblivious transfer Two-party computation: Yao’s garbled circuits Readings: A Proof of Security of Yao’s Protocol for Two-Party Computation (§1 and §4 p. 12-15), by Lindell and Pinkas
Wednesday, May 11 (Neil) [notes]	Topics: Secret-sharing Multi-Party Computation Readings: How to Share a Secret, by Adi Shamir (CACM 1979) Boneh-Shoup, Section 11.6.1 A Pragmatic Introduction to Secure Multi-Party Computation, by Evans et al. (Chapters 2 and 3) Nigel Smart’s slides on MPC and Secret Sharing
Monday, May 16 (Neil) [notes]	Topics: Private Information Retrieval Readings Ryan Henry, Tutorial on PIR Ostrovsky and Skeith, A Survey of Single-Database PIR This sequence of papers gives a beautiful and very efficient computational two-server PIR
Wednesday, May 18 (Alex) [notes]	Topics: Differential privacy Readings: Two great surveys: The Algorithmic Foundations of Differential Privacy, by Cynthia Dwork and Aaron Roth Differential Privacy: A Survey of Results, by Cynthia Dwork
Friday, May 20	Problem Set 4 due at 5pm via Gradescope
Lattice cryptography
Monday, May 23 (Neil) [notes]	Topics: The learning with errors (LWE) problem Regev encryption Readings: A Decade of Lattice Cryptography (Sections 4.2 and 5.2.1), by Chris Peikert
Wednesday, May 25 (Wilson) [notes]	Topics: Fully homomorphic encryption (FHE), part 1 Readings: Boaz Barak, An Intensive Introduction to Cryptography (Chapter 17) Shai Halevi, Homomorphic Encryption
Monday, May 30 (--)	Memorial Day: no class
Wednesday, June 1 (Wilson) [notes]	Topics: Fully homomorphic encryption (FHE), part 2 Course wrap-up Readings: A Decade of Lattice Cryptography (Section 6.1), by Chris Peikert
Friday, June 3	Problem Set 5 due at 5pm via Gradescope

Warning: This is the spring 2022 course website. The latest CS355 website is online here.

Warning: This is the spring 2022 course website.
The latest CS355 website is online here.