Winter 2023

**Lectures**: Tuesday & Thursday, 9:30am-10:50am (Room CSE 4258)**Instructor**: Daniele Micciancio**Office Hour**: Tuesday 1:30pm-2:30pm, CSE 4214**Discussion Board**: piazza, self sign up using (encrypted) access code “ekjqgx6gxxy” (come to class to get decryption key)

CSE208 is an **advanced**, **graduate
level** course in cryptography, and assumes a solid background in
cryptography, as provided, for example, by the introductory graduate
cryptography course CSE207. The most important course prerequisite is a
working understanding of the definitional/theoretical security framework
of modern cryptography, i.e., how to rigorously formulate security
requirements, and anlyze candidate cryptographic constructions with
respect to them. Familiarity with a number of common cryptographic
primitives, like public key encryption, digital signatures, hash
functions and commitment schemes is also assumed.

Building on what you have already learned in your introductory crypto course, CSE208 explores more complex primitives and protocols, which typically combine cryptography with some form of general purpose comptuation, like zero knowledge proof systems, functional encryption, forms of verifiable computation, secure two-party and multi-party computation, and fully homomorphic encryption.

In Winter 2023, the course will focus on **Fully Homomorphic
Encryption (FHE)**, i.e., encryption schemes that allow the
evaluation of arbitrary functions on encrypted data.

The course has no textbook. Reading/study material for the course will consist of lecture notes (mostly slides from lecture), research papers and surveys. Anything below the line is material from a previous edition of the course, which you can use as a reference and or take a peek at what we may be doing next. But this quarter the course will a bit different. As we progress through the course, past material will be updated and moved above the line, and new material may be posted.

Lecture notes:

**Course Introduction (slides)****Fully Homomorphic Encryption from the Ground Up**: slides from invited talk at Eurocrypt 2019. See motivations/applications pp.1-9. If you want to watch the whole talk, you can find it hereSupplemental reading: some magazine articles with informal presentation of FHE

**Computing arbitrary functions on encrypted data**(Gentry, CACM 2010 [preface])**Computing Blindfolded: New Developments in Fully Homomorphic Encryption**(Vaikuntanathan, FOCS 2011)**Fully Homomorphic Encryption: Cryptography’s Holy Grail**(Wu, XRDS 2015)

Lecture notes:

**Defining FHE (slides)****Fully Homomorphic Encryption, 10 Years Later: Definitions and Open Problems**: slides from talk at Simons Instititue 10th Anniversary Symposium, 2022 video. There is also a slightly longer talk from FHE.org at video slidesLecture notes:

**Bootstrapping (slides)**Lecture notes:

**“Fully Composable Homomorphic Encryption”**(class handout)Homework 1: Due Tue. Jan 31, in class

For more information about circular (in)security, see the following papers and references therein:

- Circular Security Is Complete for KDM Security (Kitagawa & Matsuda, Asiacrypt 2020)
- Separating Semantic and Circular Security for Symmetric-Key Bit Encryption from the Learning with Errors Assumption (Goyal, Koppula & Waters, Eurocrypt 2017)
- Separating IND-CPA and Circular Security for Unbounded Length Key Cycles (Goyal, Koppula & Waters, PKC 2017)
- Circular Security Separations for Arbitrary Length Cycles from LWE (Koppula & Waters, CRYPTO 2016)
- Three’s Compromised Too: Circular Insecurity for Any Cycle Length from (Ring-)LWE (Alamati & Peikert, CRYPTO 2016)

Papers:

**The LWE Problem**(Regev, CCC 2010, invited survey)**Homomorphic Encryption: from Private-Key to Public-Key**(R. Rothblum, TCC 2011)**How to encrypt with the LPN problem**(Gilbert, Robshaw, Seurin, ICALP 2008)

Papers:

**Additively Homomorphic Encryption with d-Operand Multiplications**(Aguilar, Gaborit & Herranz, Crypto 2010)**Efficient Fully Homomorphic Encryption from (Standard) LWE**(Brakerski & Vaikuntanathan, FOCS 2011 / SIAM J. Computing 2014)**(Leveled) Fully Homomorphic Encryption without Bootstrapping**(Brakerski, Gentry & Vaikuntanathan - ITCS 2012 / ToCT 2014)**Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP**(Brakerski - Crypto 2012)**Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based**(Gentry, Sahai & Waters, Crypto 2013)

- Ring LWE (slides)
- FHEW slides
- FHEW paper (Ducas & Micciancio, Eurocrypt 2015)
- FHEW survey
- FHEW++ (Micciancio & Sorrell, ICALP 2018)

**Fundamentals of Fully Homomorphic Encryption - A Survey**(Brakerski, in “Providing Sound Foundations for Cryptography”, ACM books, 2019)**Homomorphic Encryption**(Halevi, in “Tutorials on the Foundations of Cryptography”, 2017)