## Course meeting times

- Tuesdays at 12-14, Liivi 2-612
- Wednesdays at 12-14, Liivi 2-612

According to the study information system, we should have lectures on Tuesdays and practice sessions on Wednesdays. In practice, we will not make such a distinction.

## Instructors

- Peeter Laud, `peeter.laud@cyber.ee`
- Alisa Pankova, `alisa.pankova@cyber.ee`
- Pille Pullonen, `pille.pullonen@cyber.ee`

## Content of the course

### Key-exchange protocols

- Specifying and modelling protocols. What does it mean to satisfy confidentiality / integrity properties? What properties are wanted? Symbolic model of cryptography. Some examples of protocols.
- More "advanced" properties, e.g. forward secrecy, anonymity, resistance to offline guessing attacks, resistance to DoS attacks. Observational equivalences.
- TLS (need to cover some options there, e.g. client-side certificates) and SmartID. Perhaps we'll also separately look at the Mobile-ID protocol.
- Tools for proving protocol properties: ProVerif (most likely) or Tamarin.
- Relationship between symbolic and computational models.

### Secure Multiparty Computation (SMC)

- Security definitions for passively secure multiparty computation protocols.
- Garbled circuits. Oblivious transfer (OT) and OT extension. Security proof in the symbolic model. Tricks for reducing the communication (Free-XOR, garbled row reduction, half-gates).
- Other approaches to passively secure SMC. GMW. OT extension. Linear secret sharing schemes (Shamir's scheme, additive sharing, replicated sharing) and multiplicative LSSS. Threshold homomorphic encryption. The general idea of pre-computed multiplication triples.
- Definitions and related notions for active security. Also cover some intermediate-strength properties like covert security and active security with abort.
- Protocols for broadcast. Byzantine agreement. Will perhaps do a short excursion towards blockchains (to put things into context and so that students understand that many blockchain technologies are actually Byzantine agreement protocols).
- Actively secure schemes from verifiable secret sharing.
- Theory: information-theoretically secure Byzantine agreement is impossible if 1/3 or more of the parties are adversarial.
- Actively secure OT.
- Making garbled circuits actively secure. Cut-and-choose.
- Making LSSS-based protocols actively secure. Linear MACs.
- Actively secure pre-computation (we will see which methods to cover, and whether to go into FHE land or not). Cut-and-choose + pairwise verification.
- Active security from replication. Three-party garbled circuits. Replicated parties and LSSS.

### Zero-knowledge proofs

- Security definitions. ZK proofs as a form of SMC.
- Constructions. We will go through some modern constructions like Bulletproofs and QAP-based SNARKs. This will require a fair amount of time, due to the cryptographic machinery involved. When discussing pairings, we may take a side-trip to identity-based cryptography.
- Active security for SMC with the help of ZK proofs.

## Grading

- Homework (70%)
- Oral exam (30%)