CS783: Theoretical Foundations of Cryptography

⌂

Private communication, secure and verifiable computation

Instructor: Chethan Kamath (ckamath at cse dot iitb dot ac dot in)
Teaching assistants: Sarthak Sharma (23M0789) and Nivesh Aggarwal (22b0912)
Timing and venue: Slot 10 (14:00-15:25, Tuesdays and Fridays) at CC105
Contact hours: After lectures, and by appointment (via e-mail)
Announcements and online discussion: Moodle

[+]

Course Details

Description

Cryptography is the science of securely carrying out tasks (e.g., secret communication) in an adversarial setting. In this course, we intend to broadly study certain foundational tasks in cryptography, with an emphasis on precise modelling of the adversary's capabilities and goal -- the security model -- and formally proving security in this model -- the security proof. The tasks we will cover will range from basic ones likes secure communication to more advanced ones like program obfuscation (see below for detailed syllabus). For each task, we will discuss the real-world motivation, go through the process of modelling security, and discuss constructions with security proofs. At the end of the course, you will have learnt how to model security for a certain task (e.g., secret communication), design a scheme for this task and then formally prove security of this scheme in the security model.

Grading and Attendance (tentative)

Weightage	Towards
35%	Final
30%	Mid-term
30%	Two quizzes (towards the end of Modules I and III)
5%	Class participation, pop-quiz

Attendance is not mandatory (but encouraged)

There will be six ungraded assignments to help you with quizzes and exams.

Prerequisites

Discrete structures and probability theory are soft prerequisites. This course will have a theoretical flavour, and thus we will expect some mathematical maturity.

Who can credit?

The course is open to (all PGs) and (UGs in third and fourth years). Since there is a considerable overlap with CS406, anyone who took that course is not eligible to credit.

[+]

Lectures (Tentative)

#	Date	Slides	Details
L1	30/Jul	[↓]	Topics covered Logistics Overview of the course
Module I: Secure Communication in the Shared-Key Setting
L2	02/Aug	[↓]	Topics covered Task 1: secret communication in presence of eavesdroppers Classical ciphers Perfect secrecy and one-time pad
L3	06/Aug	[↓]	Topics covered Sub-task 1.a: secret communication of long message in presence of eavesdroppers Shannon's impossibility and how to bypass it Pseudo-random generators (PRGs) Security reduction
A1	07/Aug	[↓]	Assignment 1
L4	09/Aug	[↓]	Topics covered Length-Extension of PRG Hybrid argument Pseudorandomness vs unpredictability
L5	13/Aug	[↓]	Topics covered Sub-task 1.b: secret communication of multiple messages in presence of eavesdroppers Pseudorandom functions (PRFs) PRF from PRG: Goldreich-Goldwasser-Micali construction CPA-secret communication using PRF
A2	14/Aug	[↓]	Assignment 2
L6	16/Aug	[↓]	Topics covered Hardness vs pseudorandomness One-way function Hard-core predicates Goldreich-Levin hard-core predicate
L7	20/Aug	[↓]	Topics covered Task 2: secret communication in presence of active adversaries Integrity and authentication Message authentication code (MAC) CCA security and CPA to CCA via MAC
Q1	23/Aug		Quiz 1: 08:30-09:30 in CC103
Module II: Secure Communication in the Public-Key Setting
L8	23/Aug	[↓]	Topics covered Task 3: establish a shared key (key exchange) Basic group theory Diffie-Hellman key-exchange protocol Decisional Diffie-Hellman problem
L9	27/Aug	[↓]	Topics covered Task 4: secret communication in the public-key setting Public-key encryption (PKE) Some number theory ElGamal and Goldwasser-Micali PKE
SQ1	30/Aug		Solving session for Quiz 1
L10	03/Sep	[↓]	Task 4 in the presence of quantum adversaries Basic quantum computing Learning with errors (LWE) and lattices Quantum-secure PKE from LWE
L11	06/Sep	[↓]	Topics covered Task 5: Integrity and authentication in public-key setting Digital signatures One-time signatures
A3	06/Sep	[↓]	Assignment 3
L12	10/Sep	[↓]	Topics covered Sub-task 5.a: signing long messages Hash functions and collision resistance Domain extension: Merkle-Damgård and Merkle Trees
L13	13/Sep	[↓]	Topics covered Trapdoor permutations (TDP) and its applications PKE from TDP Signatures via invert-then-sign Random oracle model
M	19/Sep		Mid-term exam: 08:30-10:30 in LH301
Module III: Secure Computation
L14	24/Sep	[↓]	Topics covered Interactive proof systems Defining zero-knowledge (ZK): the simulation paradigm Honest-verifer ZK proof for graph (non-)isomorphism and quadratic (non-)residuosity
SM	27/Sep		Solving session for Mid-term
L15	01/Oct	[↓]	Topics covered Malicious-verifier ZK proof Commitment scheme Zero-knowledge for NP: Blum's protocol
L16	04/Oct	[↓]	Topics covered Proofs of Knowledge Schnorr's identification protocol Non-interactive ZK and Fiat-Shamir Transform
A4	04/Oct	[↓]	Assignment 4
L17	08/Oct	[↓]	Topics covered Task 6: private multi-party computation of functions (MPC) Extending the simulation paradigm Secret sharing Perfectly-private MPC for linear functions
L18	11/Oct	[↓]	Topics covered Impossibility of perfectly-private 2PC for general functions Oblivious transfer Computationally-private 2PC for general functions: GMW protocol
A5	11/Oct	[↓]	Assignment 5
L19	15/Oct	[↓]	Topics covered Task 7.a: private outsourcing of computation Homomorphic encryption Fully homomorphic encryption from LWE: GSW construction
Q2	18/Oct		Quiz 2: 08:25-09:25 in KR225
L20	18/Oct	[↓]	Topics covered Task 7.b: verifiable outsourcing of computation Succinct non-interactive arguments (SNARG) Pietrzak's protocol
Module IV: Some Advanced Tasks
L21	22/Oct	[↓]	Topics covered Fully black-box reductions Black-box separations Separating OWF from OWP
SQ2	25/Oct		Solving session for Quiz 2
L22	29/Oct	[↓]	Topics covered Task 8: program obfuscation Virtual black-box (VBB) obfuscation Impossibility of VBB obfuscation for general programs
H	01/Nov		No lecture (Diwali holiday)
L23	05/Nov	[↓]	Topics covered Indistinguishability obfuscation (IO) How to use IO PKE from PRG
A6	06/Nov	[↓]	Assignment 6
L24	08/Nov	[↓]	Topics covered Boosting for IO Constructing IO for \(\mathbf{NC}^1\): what do we know?
F	19/Nov		Final exam: 08:30-11:30 in TBD

[+]

Resources

Below you can find the list of resources relevant to this course. The list of per-lecture resources (e.g., further reading) can be found at the end of the respective lecture slide.

Textbooks

Introduction to Modern Cryptography, by Jonathan Katz and Yehuda Lindell, which we will mostly follow for the first two modules
Foundations of Cryptography, Volumes I and II by Oded Goldreich, which we will mostly follow for the third module
The Joy of Cryptography, by Mike Rosulek

Related Courses

Foundations of Cryptography (MIT6875) by Vinod Vaikuntanathan, the structure and syllabus of which we will largely follow
Cryptography (CS406) by Manoj Prabhakaran

Background Material

Basic probability theory can be found in §A.3 of Katz-Lindell. The first recitation in MIT6875 is another resource.
Basic number theory can be found in §B of Katz-Lindell. The third recitation in MIT6875 is another resource.
Basic computational complexity can be found in the second recitation in MIT6875.