Course meeting times
- Thursdays at 14-16, Δ-1008
- Thursdays at 16-18, Δ-1008
According to the study information system, we should have a lecture first and a practice session afterwards. In practice, we will not make much of a distinction between the two.
We will try to use the cameras present in the lecture rooms in Δ so that the lectures can be followed remotely and stored on the University of Tartu's BigBlueButton. But as long as it is possible, we consider in-person attendance of the lectures / practice sessions to be the main channel of instruction.
Lecturers
- Peeter Laud
- Alisa Pankova
- Pille Pullonen
Content of the course
The content of the course is not going to differ much from last year's. The part about zero-knowledge protocols will hopefully become more mature.
- Specifying and modelling protocols. What does it mean to satisfy confidentiality / integrity properties? What properties are wanted? Symbolic model of cryptography. Some examples of protocols.
- More "advanced" properties, e.g. forward secrecy, anonymity, resistance to offline guessing attacks, resistance to DoS attacks. Observational equivalences.
- TLS (we need to cover some of its options, e.g. client-side certificates) and Smart-ID. Perhaps we will also look separately at the Mobile-ID protocol.
- Tools for proving protocol properties. Verifpal and ProVerif.
- Relationship between symbolic and computational models.
Secure Multiparty Computation (SMC)
- Security definitions for passively secure multiparty computation protocols.
- Garbled circuits. Oblivious transfer (OT) and OT extension. Security proof in the symbolic model. Tricks for reducing the communication (Free-XOR, garbled row reduction, half-gates).
- Other approaches to passively secure SMC. GMW. OT extension. Linear secret sharing schemes (LSSS: Shamir's scheme, additive sharing, replicated sharing) and multiplicative LSSS. Threshold homomorphic encryption. The general idea of pre-computed multiplication triples.
- Definitions for active security. Also some intermediate-strength notions such as covert security and active security with abort.
- Protocols for broadcast. Byzantine agreement. Perhaps a short excursion into blockchains (to put things into context, and so that students understand that many blockchain technologies are actually Byzantine agreement protocols).
- Actively secure schemes from verifiable secret sharing.
- Theory: information-theoretically secure Byzantine agreement is impossible if a third or more of the parties are adversarial.
- Actively secure OT.
- Making garbled circuits actively secure. Cut-and-choose.
- Making LSSS-based protocols actively secure. Linear MACs.
- Actively secure pre-computation (we will see which methods to cover, and whether to go into FHE land or not). Cut-and-choose + pairwise verification.
- Active security from replication. Three-party garbled circuits. Replicated parties and LSSS.
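As an added illustration of two of the items above (additive sharing with pre-computed multiplication triples, and linear MACs for active security with abort), the following Python simulation is example code written for this page, not course material. It assumes a trusted dealer that hands out additive shares of the MAC key and authenticated Beaver triples (standing in for the pre-processing phase), three parties simulated in one process, and the prime field Z_P with P = 2^61 - 1; the names Dealer, open_value and demo are this example's own.

```python
"""Passively secure arithmetic on additively shared values with Beaver
triples, plus a SPDZ-style linear MAC that makes the opening step secure
against an actively cheating party (security with abort).  Toy
simulation: one process plays all parties and the trusted dealer; there
is no networking, and triples come from the dealer, not from OT or HE."""
import secrets

P = 2**61 - 1   # Mersenne prime; all arithmetic is in Z_P (assumed for the demo)
N = 3           # number of parties (assumed for the demo)


def share(x):
    """Additive sharing: N uniformly random shares that sum to x mod P."""
    shares = [secrets.randbelow(P) for _ in range(N - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def reconstruct(shares):
    return sum(shares) % P


class Dealer:
    """Trusted dealer standing in for the pre-processing phase: hands out the
    additively shared MAC key alpha and authenticated Beaver triples."""
    def __init__(self):
        self.alpha = secrets.randbelow(P)
        self.alpha_shares = share(self.alpha)

    def auth_share(self, x):
        # party i gets (x_i, m_i) with sum x_i = x and sum m_i = alpha * x
        return list(zip(share(x), share(self.alpha * x % P)))

    def triple(self):
        a, b = secrets.randbelow(P), secrets.randbelow(P)
        return self.auth_share(a), self.auth_share(b), self.auth_share(a * b % P)


def add(x, y):
    """[x] + [y]: purely local, share-wise on values and on MAC shares."""
    return [((xi + yi) % P, (mx + my) % P) for (xi, mx), (yi, my) in zip(x, y)]


def add_const(x, c, alpha_shares):
    """[x] + c: party 0 adds c to its value share; every party adds
    alpha_i * c to its MAC share, so the MAC becomes alpha * (x + c)."""
    return [((xi + (c if i == 0 else 0)) % P, (mx + ai * c) % P)
            for i, ((xi, mx), ai) in enumerate(zip(x, alpha_shares))]


def mul_const(x, c):
    return [((xi * c) % P, (mx * c) % P) for xi, mx in x]


def open_value(x, alpha_shares, cheater=None, delta=0):
    """Open [x]: parties announce their value shares, then run the MAC check.
    If `cheater` is set, that party lies about its share by adding delta.
    Returns (opened value, whether the MAC check passed)."""
    announced = [xi for xi, _ in x]
    if cheater is not None:
        announced[cheater] = (announced[cheater] + delta) % P
    v = reconstruct(announced)
    # Each party publishes sigma_i = m_i - alpha_i * v.  The sum equals
    # alpha * (x - v), which is 0 iff v == x (alpha != 0 and P is prime).
    sigma = [(mx - ai * v) % P for (_, mx), ai in zip(x, alpha_shares)]
    return v, sum(sigma) % P == 0


def mul(x, y, dealer):
    """[x] * [y] with a Beaver triple ([a], [b], [c]), c = a*b:
    open d = x - a and e = y - b, then z = c + d[b] + e[a] + d*e (all linear)."""
    a, b, c = dealer.triple()
    minus_one = P - 1                         # -1 mod P
    d, ok_d = open_value(add(x, mul_const(a, minus_one)), dealer.alpha_shares)
    e, ok_e = open_value(add(y, mul_const(b, minus_one)), dealer.alpha_shares)
    assert ok_d and ok_e                      # nobody cheats inside the demo's mul
    z = add(c, add(mul_const(b, d), mul_const(a, e)))
    return add_const(z, d * e % P, dealer.alpha_shares)


def demo(x, y):
    """Compute (x + y) * y on authenticated shares, open it honestly, then
    re-open it with party 1 lying by +1 to show the MAC check catching it."""
    dealer = Dealer()
    xs, ys = dealer.auth_share(x), dealer.auth_share(y)
    z = mul(add(xs, ys), ys, dealer)
    honest, ok = open_value(z, dealer.alpha_shares)
    cheated, ok_cheat = open_value(z, dealer.alpha_shares, cheater=1, delta=1)
    return honest, ok, cheated, ok_cheat


if __name__ == "__main__":
    print(demo(6, 7))   # (91, True, 92, False)
```

Two things a real protocol does that the simulation omits: the sigma_i values are committed before they are revealed (otherwise the last party to speak could pick a sigma that makes the sum zero), and the openings of d and e during multiplication are MAC-checked in a batch at the end rather than trusted, since a cheater could tamper with them just as easily.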
Zero-knowledge proofs
- Security definitions. ZK proofs as a form of SMC.
- Constructions. We will go through some modern constructions such as Bulletproofs, STARKs, QAP-based SNARKs and ZK from MPC protocols. This will take a fair amount of time because of the cryptographic machinery involved. When discussing pairings, we may take a side trip to identity-based and attribute-based cryptography.
- Active security for SMC with the help of ZK proofs.
Grading
- Homework (70%)
- Oral exam (30%)