There will be no assigned textbook for this class (there are not really any suitable texts). However, the presentation will most closely match the "style" of the book

It is my intention to make the course accessible to students who have not taken cryptography before. However, students who take no other cryptography course will miss out on some fundamental aspects of cryptography that are covered in the survey course, but not covered here. Also, students who have not had a prior course in cryptography may miss out on some of the context of what we discuss in this class (i.e., an understanding of why a particular problem is important, or how it relates to other results). Finally, students who have not previously taken a course in

There are no official prerequisites for the course, but mathematical maturity (especially comfortability with proofs and the ability to think abstractly) is assumed.

- Regular attendance
- Scribing lecture notes (in latex) for multiple lectures (the number of lectures to be scribed by each student will depend on how many students take the class; I expect that each student will scribe about 4-6 lectures)
- There will be a midterm and a final
*only for those students taking the course for grad credit*

For further information about the scribing, see here.

**Instructor:**Jonathan Katz (jkatz AT cs). Office: 3225 AV Williams.**Office hours:**by appointment.- The course meets Tuesday and Thursday from 9:30 - 10:45 in CSIC 3120

- Preliminaries
- One-way functions and trapdoor permutations
- Hard-core predicates; the existence of a hard-core bit for every one-way permutation
- Rigorous definition of security for public-key encryption, and a construction of secure public-key encryption from trapdoor permutations

- Chosen-ciphertext security for public-key encryption
- Definitions and motivation: two "flavors" of chosen-ciphertext security
- Interactive proofs and zero-knowledge interactive proofs (briefly and informally, for now)
- Non-interactive zero-knowledge (NIZK) proofs: definitions and a construction based on trapdoor permutations
- The Naor-Yung construction of a "CCA1-secure" public-key encryption scheme
- The Dolev-Dwork-Naor construction of a "CCA2-secure" public-key encryption scheme
- Other constructions of CCA2-secure encryption based on general assumptions (???)
- Non-interactive zero-knowledge proofs of knowledge (???)
- Non-malleable NIZK (???)
- The Cramer-Shoup encryption scheme
- Chosen-ciphertext security in the random oracle model

- Interactive (zero-knowledge) proofs and proofs of knowledge
- Interactive proofs in more detail
- Zero-knowledge proofs and proofs of knowledge: definitions and constructions
- Constant-round zero-knowledge proofs of knowledge
- Other concerns (non-malleability, concurrency, etc.) (???)

- Secure distributed computation
- Information-theoretically secure computation (???)
- Two-party and multi-party secure computation (???)
- Byzantine agreement (???)
- Threshold cryptography (???)

- Other topics based on student interest.