Course meeting times
- Thursdays at 12-14, Δ-3034
- Thursdays at 16-18, Δ-1026
According to the study information system, the first slot is a lecture and the second a practice session. In practice, we will not make such a distinction.
We will try to use the cameras in the Δ lecture rooms so that the lectures can be followed remotely and recorded on the University of Tartu's BigBlueButton; in certain cases (announced in advance) the recordings will instead be made available here. But as long as it is possible, we consider in-person attendance of the lectures / practice sessions the main channel of instruction.
Since November, in-person attendance is no longer possible. The meetings will be over BBB only.
On December 10th, the second meeting will take place one hour later than normal, i.e. 17-19.
Instructors
- Peeter Laud,
peeter.laud@cyber.ee
- Pille Pullonen,
pille.pullonen@cyber.ee
- Alisa Pankova,
alisa.pankova@cyber.ee
Content of the course
The content of the course is not going to differ much from last year's. There are plans to expand the set of zero-knowledge protocol constructions that we study in this course.
Key-exchange protocols
- Specifying and modelling protocols. What does it mean to satisfy confidentiality / integrity properties? What properties are wanted? Symbolic model of cryptography. Some examples of protocols.
- More "advanced" properties, e.g. forward secrecy, anonymity, resistance to offline guessing attacks, resistance to DoS attacks. Observational equivalences.
- TLS (we need to cover some of its options, e.g. client-side certificates) and SmartID. Perhaps we'll also separately look at the Mobile-ID protocol.
- Tools for proving protocol properties. Verifpal and ProVerif.
- Relationship between symbolic and computational models.
Secure Multiparty Computation (SMC)
- Security definitions for passively secure multiparty computation protocols.
- Garbled circuits. Oblivious transfer (OT) and OT extension. Security proof in the symbolic model. Tricks for reducing the communication (Free-XOR, garbled row reduction, half-gates).
- Other ways of achieving passively secure SMC. GMW. OT extension. Linear secret sharing schemes (Shamir's scheme, additive sharing, replicated sharing) and multiplicative LSSS. Threshold homomorphic encryption. The general idea of pre-computed multiplication triples.
- Definitions and the like for active security. Also cover some intermediate-strength properties like covert security and active-security-with-abort.
- Protocols for broadcast. Byzantine agreement. Will perhaps do a short excursion towards blockchains (to put things into context and so that students understand that many blockchain technologies are actually Byzantine agreement protocols).
- Actively secure schemes from verifiable secret sharing.
- Theory: information-theoretically secure Byzantine agreement is impossible if at least a third of all parties are adversarial.
- Actively secure OT.
- Making garbled circuits actively secure. Cut-and-choose.
- Making LSSS-based protocols actively secure. Linear MACs.
- Actively secure pre-computation (we will see which methods to cover, and whether to go into FHE land or not). Cut-and-choose and pairwise verification.
- Active security via replicated computation. Three-party garbled circuits. Replicated parties and LSSS.
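To make the additive sharing and pre-computed multiplication triples from the list above concrete, here is a small passively secure three-party example. It is an added illustration for this page, not course material or code from the instructors, and it assumes a trusted dealer standing in for the offline (pre-computation) phase that a real protocol would implement with OT or homomorphic encryption, as well as a 61-bit Mersenne prime as the field size; both are choices made only for the example.

```python
import secrets

# Assumptions for this example: three parties, arithmetic in Z_p for a
# 61-bit Mersenne prime, and a trusted dealer standing in for the offline
# (pre-computation) phase that a real protocol would run with OT or HE.
P = (1 << 61) - 1
N = 3


def share(x, n=N, p=P):
    """Additive secret sharing: n uniformly random shares summing to x mod p.
    Any n-1 of the shares are uniform and independent of x."""
    shares = [secrets.randbelow(p) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % p)
    return shares


def reconstruct(shares, p=P):
    """Opening a sharing: sum all shares mod p."""
    return sum(shares) % p


def add_shares(xs, ys, p=P):
    """Addition is local: each party adds its own two shares."""
    return [(a + b) % p for a, b in zip(xs, ys)]


def add_public(xs, c, p=P):
    """Adding a public constant: only one designated party (index 0) adds it."""
    return [(xs[0] + c) % p] + list(xs[1:])


def mul_public(xs, c, p=P):
    """Multiplying by a public constant is local for every party."""
    return [(a * c) % p for a in xs]


def beaver_triple(n=N, p=P):
    """Offline phase (trusted-dealer stand-in): shares of random a, b and c = a*b."""
    a = secrets.randbelow(p)
    b = secrets.randbelow(p)
    return share(a, n, p), share(b, n, p), share(a * b % p, n, p)


def mul_shares(xs, ys, triple, p=P):
    """Online multiplication of shared x and y using one fresh triple.
    The only communication is opening d = x - a and e = y - b; because a and b
    are uniform and used only once, d and e reveal nothing about x and y."""
    a_sh, b_sh, c_sh = triple
    d = reconstruct([(x - a) % p for x, a in zip(xs, a_sh)], p)
    e = reconstruct([(y - b) % p for y, b in zip(ys, b_sh)], p)
    # x*y = c + d*b + e*a + d*e; every term except d*e is linear in shared values
    z = [(c + d * b + e * a) % p for a, b, c in zip(a_sh, b_sh, c_sh)]
    return add_public(z, d * e % p, p)


def shared_inner_product(x_vec, y_vec, p=P):
    """Worked use: <x, y> on secret-shared vectors, consuming one triple per product."""
    acc = [0] * N
    for x, y in zip(x_vec, y_vec):
        prod = mul_shares(share(x, N, p), share(y, N, p), beaver_triple(N, p), p)
        acc = add_shares(acc, prod, p)
    return reconstruct(acc, p)


def triple_reuse_leak(x1, x2, p=P):
    """Failure mode: reusing one triple for two multiplications. The opened
    values d1 = x1 - a and d2 = x2 - a differ by exactly x1 - x2, so anyone
    seeing the transcript learns the difference of the two secrets."""
    a_sh = beaver_triple(N, p)[0]
    d1 = reconstruct([(x - a) % p for x, a in zip(share(x1, N, p), a_sh)], p)
    d2 = reconstruct([(x - a) % p for x, a in zip(share(x2, N, p), a_sh)], p)
    return (d1 - d2) % p  # equals (x1 - x2) mod p


if __name__ == "__main__":
    print(shared_inner_product([1, 2, 3], [4, 5, 6]))  # 32
    print(triple_reuse_leak(10, 7))                    # 3, the secrets' difference
```

Note that the protocol is only passively secure: a party that adds a wrong value to its share of z is never caught, which is exactly the gap that the linear MACs and cut-and-choose / pairwise verification of triples in the later items are meant to close.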
Zero-knowledge proofs
- Security definitions. ZK proofs as a form of SMC.
- Constructions. We will go through some modern constructions like Bulletproofs, STARKs, QAP-based SNARKs and ZK from MPC protocols (MPC-in-the-head). This will require a fair amount of time, due to the cryptographic machinery involved. When discussing pairings, we may actually take a side trip into identity-based and attribute-based cryptography.
- Active security for SMC with the help of ZK proofs.
Grading
- Homework (70%)
- Oral exam (30%)