1 
2017.08.24 
 introduction to the course
 negligible and noticeable functions
 (uniform and nonuniform) probabilistic polynomial time algorithms
 one-way functions

Textbooks:
 Foundations of Cryptography, Volume 1
 § 2.2, One-way functions: definitions
 Introduction to Modern Cryptography
 § 7.1, One-way functions
Papers:
Videos:

2 
2017.08.29 
 fixing values of one-way functions
 composition of one-way functions
 hardness amplification: from weak to strong one-way functions

Textbooks:
 Foundations of Cryptography, Volume 1
 § 2.3, Weak one-way functions imply strong ones
Videos:

3 
2017.08.31 
 universal one-way functions
 hard-core predicates
 Goldreich–Levin predicate

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 1
 § 2.4.1, Universal one-way function
 § 2.5, Hard-core predicates
 Introduction to Modern Cryptography
 § 7.3, Hard-core predicates from one-way functions
Videos:

4 
2017.09.05 
 statistical vs computational indistinguishability of distributions
 hybrid argument
 pseudorandom generators (PRGs)
 one-way permutations imply PRGs with 1-bit expansion

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 1
 § 3.1, Motivating discussion
 § 3.2, Computational indistinguishability
 § 3.3.1, Standard definition of pseudorandom generators
 § 3.4, Constructions based on one-way permutations
 Introduction to Modern Cryptography
 § 7.8, Computational indistinguishability
 § 7.4, Constructing pseudorandom generators
Videos:

5 
2017.09.07 
 PRGs evaluated on independent seeds
 PRGs with 1-bit expansion imply PRGs with polynomial expansion
 pseudorandom functions

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 1
 § 3.3.2, Increasing the expansion factor
 § 3.6, Pseudorandom functions
 Introduction to Modern Cryptography
 § 7.5, Constructing pseudorandom functions
Videos:

6 
2017.09.12 
 PRGs imply pseudorandom functions
 pseudorandom permutations
 Feistel permutations

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 1
 § 3.6, Pseudorandom functions
 § 3.7, Pseudorandom permutations
 Introduction to Modern Cryptography
 § 7.5, Constructing pseudorandom functions
 § 7.6, Constructing (strong) pseudorandom permutations
Videos:
Papers:

7 
2017.09.14 
 Luby–Rackoff construction of pseudorandom permutations
 commitment schemes
 one-way permutations imply 1-bit commitment schemes

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 1
 § 3.7, Pseudorandom permutations
 § 4.4.1, Commitment schemes
Papers:

8 
2017.09.19 
 1-bit commitment schemes imply multi-bit commitment schemes
 intro to encryption schemes
 single-message perfect message indistinguishability
 one-time pad and its limitations
 single-message computational message indistinguishability

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 2
 § 5.1, The basic setting
 § 5.2, Definitions of security
 Introduction to Modern Cryptography
 § 2, Perfectly secret encryption
 § 3.1, Computational security
 § 3.2, Defining computationally secure encryption
Papers:
Videos:

9 
2017.09.21 
 equivalence of message indistinguishability and semantic security
 shrinking one-time pad's key with PRGs
 multi-message computational message indistinguishability
 security against chosen plaintext attacks

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 2
 § 5.3.3, Private-key encryption schemes
 § 5.4.3, Chosen plaintext attack
 Introduction to Modern Cryptography
 § 3.3, Constructing secure encryption schemes
 § 3.4, Stronger security notions
Papers:
Videos:

10 
2017.09.26 
 PRFs imply security against chosen plaintext attacks
 modes of encryption
 security against CPA vs CCA1 vs CCA2

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 2
 § 5.4.4, Chosen ciphertext attack
 Introduction to Modern Cryptography
 § 3.5, Constructing CPA-secure encryption schemes
 § 3.6, Modes of operation
 § 3.7, Chosen-ciphertext attacks
Papers:
Videos:

11 
2017.09.28 
 message authentication codes
 constructions based on PRFs
 CPA security and MACs imply CCA2 security

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 2
 § 6.1, The setting and definitional issues
 § 6.3, Constructions of message authentication schemes
 § 6.1.5.1, Augmenting the attack with a verification oracle
 Introduction to Modern Cryptography
 § 4.1, Message integrity
 § 4.2, Message authentication codes – definitions
 § 4.3, Constructing secure message authentication codes
 § 4.4, CBC-MAC
Papers:
Videos:

12 
2017.10.03 
 CPA security and MACs imply CCA2 security
 combining CPA security and MACs in other (insecure) ways
 collision-resistant functions
 Merkle–Damgård transform

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 2
 § 6.2.3, Constructing collision-free hashing functions
 Introduction to Modern Cryptography
 § 4.5, Authenticated encryption
 § 5.1.1, Collision resistance
 § 5.2, Domain extension: the Merkle–Damgård transform
 § 5.4, Generic attacks on hash functions
Papers:
Videos:

13 
2017.10.05 
 intro to public-key cryptography
 public-key encryption schemes
 trapdoor one-way permutations
 TOWPs imply public-key encryption schemes
 RSA as a TOWP

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 2
 § 5.1.1, Private-key versus public-key schemes
 § 5.1.2, The syntax of encryption schemes
 § 5.3.4, Public-key encryption schemes
 § 5.5.1, On using encryption schemes
 Introduction to Modern Cryptography
 § 11.1, Public-key encryption – an overview
 § 11.2, Definitions
 § 11.5, RSA encryption
 § 13.1, Public-key encryption from trapdoor permutations
Papers:

14 
2017.10.10 
 hybrid encryption
 DDH assumption (and where it might hold)
 ElGamal encryption scheme
 DDH assumption for quadratic residues

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 2
 § 5.5.3, On some popular schemes
 Introduction to Modern Cryptography
 § 8.3, Cryptographic assumptions in cyclic groups
 § 11.3, Hybrid encryption and the KEM/DEM paradigm
 § 11.4, CDH/DDH-based encryption
Papers:

15 
2017.10.12 
 CCA2 security in the asymmetric setting
 CCA2 security in the random oracle model

Lecture notes:
Textbooks:
 Introduction to Modern Cryptography
 § 11.5.5, A CCA-Secure KEM in the random-oracle model
Papers:

16 
2017.10.17 
 definition of signature schemes
 one-time signatures
 hash-then-sign paradigm
 key refreshing

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 2
 § 6.1, The setting and definitional issues
 § 6.2, Length-restricted signature scheme
 § 6.4.1, One-time signature schemes
 Introduction to Modern Cryptography
 § 12.1, Digital signatures – an overview
 § 12.2, Definitions
 § 12.2, The hash-and-sign paradigm
 § 12.6.1, Lamport's signature scheme
 § 12.6.2, Chain-based signatures
Papers:

17 
2017.10.19 
 from one-time signatures to full security
 signatures in the random oracle model
 signcryption

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 2
 § 6.4.2, From one-time signature schemes to general ones
 Introduction to Modern Cryptography
 § 12.4.2, RSA-FDH
 § 12.6.3, Tree-based signatures
 § 12.9, Signcryption
Papers:

18 
2017.10.24 
 interactive proofs
 graph non-isomorphism is in IP
 honest-verifier zero knowledge
 graph isomorphism is in HVZKIP

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 1
 § 4.1, Zero-knowledge proofs: motivation
 § 4.2, Interactive proof systems
 § 4.3, Zero-knowledge proofs: definitions
Papers:
Videos:

19 
2017.10.26 
 (malicious-verifier) zero knowledge
 graph isomorphism is in ZKIP
 computational zero knowledge for graph 3-coloring

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 1
 § 4.1, Zero-knowledge proofs: motivation
 § 4.2, Interactive proof systems
 § 4.3, Zero-knowledge proofs: definitions
Papers:
Videos:

20 
2017.10.31 
 computational zero knowledge for graph 3-coloring (continued)

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 1
 § 4.4, Zero-knowledge proofs for NP
Papers:

21 
2017.11.02 
 zero knowledge proof of knowledge for discrete logarithms
 zero knowledge is not closed under parallel composition
 witness indistinguishability
 parallel composition for witness indistinguishability
 from witness indistinguishability to zero knowledge

Lecture notes:
Textbooks:
 Foundations of Cryptography, Volume 1
 § 4.5.4, Zero-Knowledge and parallel Composition
 § 4.6, Witness indistinguishability and hiding
Papers:

22 
2017.11.07 
 VBB obfuscation for TMs and circuits
 impossibility of VBB obfuscation

Lecture notes:
Papers:

23 
2017.11.09 
 indistinguishability obfuscation (iO)
 witness encryption
 iO implies witness encryption
 iO and OWFs imply public-key encryption
 best-possible obfuscation (BPO)
 VBBO implies BPO
 BPO vs IO

Lecture notes:
Papers:
Videos:

24 
2017.11.14 
 iO amplification: from NC1 to all circuits
 iO and coRP != NP implies OWFs

Lecture notes:
Papers:
 Candidate indistinguishability obfuscation and functional encryption for all circuits (by Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters)
 There is no indistinguishability obfuscation in Pessiland (by Tal Moran and Alon Rosen)
 One-way functions and (im)perfect obfuscation (by Ilan Komargodski, Tal Moran, Moni Naor, Rafael Pass, Alon Rosen, and Eylon Yogev)
Videos:

25 
2017.11.16 
 iO and coRP != NP implies OWFs
 VBB implies OWFs
 differing-inputs obfuscation
 extractable witness encryption

Papers:
 On the (im)possibility of obfuscating programs (by Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil Vadhan, and Ke Yang)
 One-way functions and (im)perfect obfuscation (by Ilan Komargodski, Tal Moran, Moni Naor, Rafael Pass, Alon Rosen, and Eylon Yogev)
 Differing-inputs obfuscation and applications (by Prabhanjan Ananth, Dan Boneh, Sanjam Garg, Amit Sahai, and Mark Zhandry)
 On Extractability (a.k.a. Differing-Inputs) Obfuscation (by Elette Boyle, Kai-Min Chung, and Rafael Pass)
Videos:

26 
2017.11.21 
 algorithms for computing discrete logarithms
 baby-step giant-step algorithm
 Pohlig–Hellman algorithm
 Shoup's lower bound for generic algorithms

Lecture notes:
Textbooks:
 Introduction to Modern Cryptography
 § 8.2, Algorithms for computing discrete logarithms
 § 8.2.1, The baby-step/giant-step algorithm
 § 8.2.2, The Pohlig–Hellman algorithm
Papers:

X 
2017.11.23 
No class.


27 
2017.11.28 
 definition of SNARGs in the random-oracle model
 definition of PCPs
 statement of PCP Theorem: NP ⊆ PCP[O(log n), O(1)]
 construction of SNARGs from PCPs

Papers:
New York Times article about the PCP Theorem:

28 
2017.11.30 
 exponential-size PCP for 3SAT
 testing linearity (statement only)
 3SAT ⊆ PCP_{1,0.5}[poly(n),O(1)]_{{0,1}}
 good query complexity, bad proof length

Lecture notes:
Papers:
New York Times article about ZCash, which uses linear PCPs within zkSNARKs:
