When scribing notes, please use this preamble. This sample file illustrates how to use it.

**[Jan 26: Lecture 1]**

Computational indistinguishability. Secure computation. Defining secure multi-party computation in the semi-honest setting, and secure two-party computation in the malicious setting.**References:**- Computational indistinguishability: Katz-Lindell, Chapter 8, Goldreich, Chapter 3
- Surveys of secure computation: Canetti 2006, Lindell-Pinkas 2008, Archer et al. 2018, Lindell 2020
- Definitions of secure computation: Goldreich, Chapter 7, Canetti 2000 (journal version).

**[Jan 28: Lecture 2]**

Hybrid worlds and sequential/modular composition. The oblivious-transfer (OT) functionality and semi-honest OT.**References:**Canetti 2000 [journal version] (composition), Goldreich, Chapter 7 (OT)

Class presentation | lecture notes (latex source)

**[Feb 2: Lecture 3]**

The GMW protocol for semi-honest secure two-party computation.**References:**Goldreich, Chapter 7

Class presentation | lecture notes

**[Feb 4: Lecture 4]**

The GMW protocol for semi-honest secure multi-party computation. Yao's garbled-circuit approach for constant-round, semi-honest, secure two-party computation.**References:**Lindell-Pinkas 2009

Class presentation

**[Feb 9: Lecture 5]**

Improved circuit-garbling techniques.**References:**- Garbling syntax/security
- Improved garbling techniques: free-XOR, Pinkas et al., Bellare et al., half gates, Guo et al., free-if
- You may also find these notes on garbled circuits useful

**[Feb 11: Lecture 6]**

The BMR protocol for constant-round, semi-honest, secure multi-party computation. The BGW protocol for semi-honest, perfectly secure multi-party computation.**References:**- BMR protocol: Rogaway's thesis, Pragmatic MPC, Section 3.5
- BGW protocol: Asharov-Lindell 2014

**[Feb 16: Lecture 7]**

The BGW protocol for semi-honest, perfectly secure multi-party computation. Beaver triples.**References:**- BGW protocol: Asharov-Lindell 2014
- Beaver triples: Beaver '92

**[Feb 18: Lecture 8]**

Class canceled due to snow.

**[Feb 23: Lecture 9]**

OT preprocessing and extension. Defining malicious security in the two-party setting. Zero-knowledge proofs and witness indistinguishability; proofs of knowledge.**References:**- OT extension: Ishai et al. 2003
- Defining malicious security: Goldreich, Chapter 7
- Zero knowledge: Katz lecture notes, Lindell 2012, Goldreich, Chapter 4, Goldreich 2010, Lindell 2016

**[Feb 25: Lecture 10]**

Zero-knowledge proofs and witness indistinguishability; proofs of knowledge.**References:**Katz lecture notes, Lindell 2012, Goldreich, Chapter 4, Goldreich 2010, Lindell 2016

Class presentation

**[Mar 2: Lecture 11]**

The Goldreich-Kahan and Feige-Shamir protocols.**References:**Feige-Shamir (ZK argument of knowledge), Goldreich-Kahan (ZK proof), Katz lecture notes

Class presentation

**[Mar 4: Lecture 12]**

The no-honest-majority GMW compiler. Defining secure multi-party computation in the malicious setting.**References:**- The GMW compiler: Goldreich, Chapter 7
- Coin tossing: Lindell 2003
- Notions of agreement, fairness, and guaranteed output delivery: Goldwasser-Lindell 2002, Cohen-Lindell 2014

**[Mar 9: Lecture 13] -- Midterm out**

The honest-majority GMW compiler. Byzantine agreement/broadcast.**References:**- The GMW compiler: Goldreich, Chapter 7
- Broadcast: Katz notes on broadcast/Byzantine agreement

**[Mar 11: Lecture 14]**

Universal composability: feasibility and impossibility. Efficient secure two-party computation. Efficient secure multi-party computation. Practical considerations.**References (more to come):**- Universal composability: Canetti 2001 (journal version), Canetti 2006, Canetti-Fischlin, CLOS
- Efficient secure two-party computation: Lindell-Pinkas 2007, Lindell 2013, Wang et al.
- Efficient secure multi-party computation: Wang et al.

**[Mar 23: Lecture 15]**

Efficient secure multi-party computation. Practical considerations.**References (more to come):**

**[Mar 25: Lecture 16]**

Efficient ZKPoKs from secure computation.**References (more to come):**MPC-in-the-head (journal version), Jawurek et al., Frederiksen et al.

**[Mar 30: Lecture 17]**

Oblivious algorithms, oblivious RAM, and secure computation in the RAM model of computation.**References (more to come):**Gordon et al.

**[Apr 1: Lecture 18]**

Fully homomorphic encryption (FHE) and extensions/applications.**References (more to come):**

**[Apr 6: Lecture 19]**

**[Apr 8: Lecture 20]**

**[Apr 13: Lecture 21]**

**[Apr 15: Lecture 22]**

**[Apr 20: Lecture 23]**

**[Apr 22: Lecture 24]**

**[Apr 27: Lecture 25]**

**[Apr 29: Lecture 26]**

**[May 4: Lecture 27]**

**[May 6: Lecture 28]**

**[May 11: Lecture 29]**

**[May 14: Final exam due]**

The final exam will be a take-home exam.

Malicious OT (extension) protocols: Asharov et al., Keller et al., Masny-Rindal, Büscher et al., Guo et al.

Practical considerations

Oblivious transfer

Chou-Orlandi

Pragmatic MPC

Distributed point functions (DPFs)

Implementations of semi-honest secure two-party computation.

Implementations of multi-party computation with semi-honest security.

OT.

More efficient cut-and-choose in the two-party setting.

The IPS compiler.

The Damgard-Orlandi protocol for malicious MPC without honest majority.