## Pointers

- For introduction to symbolic model of cryptography and the key-exchange protocols, see Handbook of Applied Cryptography, Chapter 12
- For Ï€-calculus, start from the Wikipedia article on it. In the lecture, we presented the "reduction semantics". Also, check out Robin Milner's introductory paper and the FAQ by Jeannette M. Wing (referenced from the Wikipedia page)
- ProVerif's page is here. The lectures covered the details from the manual of ProVerif, as well as some of the papers listed on the page, including the papers presented / appeared at CSFW 2001, ESOP 2004, S&P 2004, LICS 2005. There is a more recent survey.
- For password-authenticated key exchange, start from the Wikipedia page.
- You will find the paper about Smart-ID here. AFAIK, clone detection does not have a good description there.
- TLS 1.3 is specified in RFC 8446. Poly1305 is described here. The Galois counter mode is specified here. General principles of constructing authenticated encryption schemes are studies here.
- Our treatment of secure multiparty computation in general leads back to Chapter 7 of Oded Goldreich's Foundations of Cryptography book series. This one also covers the oblivious transfer based evaluation of Boolean circuits (originally from here, including the OT protocol based on trapdoor one-way permutations).
- The basics of passively secure garbled circuits are adequately described in their Wikipedia page. This page also includes pointers to papers about optimizations, some of which were covered in the lecure. The security of the Free-XOR technique is discussed here.
- This paper is about one of the (passively secure) OT protocols we mentioned in the lecture. It references papers about other protocols on the lecture slides. But for Rabin's OT, see here.
- This paper is about the relationship of symbolic and computational cryptography; we used these techniques to argue about the security of garbled circuits.
- Homomorphic encryption obviously has its own Wikipedia page, and so does Paillier's scheme, which has a pretty good technical write-up. The construction of a secure multiparty computation protocol from an additively homomorphic threshold encryption system is described here.
- OT extension (with passive security) is described in Yuval Ishai et al., Extending Oblivious Transfers Efficiently, CRYPTO 2003.
- Secret sharing: a survey referenced by this Wikipedia page; Shamir's original paper; Boolean formulas as access structure; replicated secret sharing; Verifiable secret sharing and Feldman's scheme; proactive secret sharing.
- Pedersen's commitments were introduced here, together with a verifiable secret sharing scheme.
- Using replicated secret sharing in multiplication protocols is described here. This is the original paper about doing multiplication with data shared with Shamir's scheme.
- Multiplication triples were introduced here.
- Our treatment of maliciously secure garbled circuits follows the papers by Yehuda Lindell (and Benny Pinkas) at EUROCRYPT 2007 (An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries), TCC 2011 (Secure Two-Party Computation via Cut-and-Choose Oblivious Transfer; also in Journal of Cryptology), and CRYPTO 2013 (Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries).
- Our treatment of maliciously secure OT extension comes from Gilad Asharov et al., More Efficient Oblivious Transfer Extensions, Journal of Cryptology, 2017.
- Universal composability was concurrently introduced here and here.
- Covert security was introduced here.
- The protocols and impossibility results we presented for Broadcast, trace back to this classic reference.
- The construction of an actively secure, robust multiparty computation protocol from Shamir's secret sharing is described in Cramer's and DamgÃ¥rd's course notes.
- SPDZ-related references are given at the end of the slide deck.
- The references for actively secure multiparty computation protocols based on replication are also given at the end of the slide deck.
- Obtaining active security by verifying the computations of the parties is described here, or in Chapter 4 of Alisa's PhD thesis.
- Zero-knowledge protocols are also described in Oded Goldreich's Foundations of Cryptography, Chapter 4. A collection of links with emphasis to recent developments is here.
- For Sigma-protocols, see Ivan DamgÃ¥rd's course notes.
- Our treatment of universally composable zero-knowledge protocols, including the ideal functionality, and Omega-protocols, follows these papers.
- The Fiat-Shamir heuristic was introduced in the context of turning identification schemes into signature schemes. Our treatment of universally composable non-interactive zero knowledge follows this paper.
- ZK from Garbled Circuits
- ZK from doing MPC in the head
- zk-SNARKs
- bulletproofs