A Graduate Course in Cryptography

Assuming that you already took an undergraduate course in cryptography, you may still be left in the dark when reading current papers. The reason for this is, of course, that you need to take a graduate course as well to get acquainted with Modern Cryptography. There are two ways to approach this task: reading a textbook (or two), or watching a series of advanced lectures. Obviously, you can do both simultaneously for greater fun and profit.

The Textbook Approach

[BS] is one of the best textbooks to start your journey into advanced cryptography. As said previously, this is IMHO the ideal book for readers who have already taken an undergraduate course on cryptography and who wish to pursue their quest into advanced topics.

After finished reading [BS], you may try to read some papers. However, you'll quickly find out that many of those papers are using terminology and making assumptions that you still don't really nor fully understand. The reason for this is that you lack some basic definitional foundations. Modern Cryptography has become very formalized over the years, and cryptologists nowadays rely heavily on strict formalisms (definitions and theorems), since this is the only way to mathematically prove the properties of the cryptographic constructions that they invent and investigate. An ideal graduate book on Modern Cryptography is [KL15], hands down, no questions asked. Katz/Lindell is the reference textbook of this field, and pretty much required reading by all aspiring cryptologists.

I hesitate to recommend textbooks on Theoretical Cryptography for a graduate course at this point, but what the heck! As already explained, cryptography has turned from an engineering discipline into real science. In particular, cryptography has made its way into Theoretical Computer Science as a branch of its own. Remarkably many Turing Award winners were cryptologists, which illustrates the impressive impact of Theoretical Cryptography on the theoretical computer science community as a whole. The founder of this revolution is Oded Goldreich with his seminal two volumes textbook [FOC]. Read it after Boneh/Shoup and Katz/Lindell, you'll appreciate it more once you have this level of maturity.

The Advanced Lectures Approach

Reading textbooks is fine, but it can also be very rewarding and entertaining to watch lectures on those advanced topics. It not only makes the dry material spring to life, lectures often give a different perspective, which helps trememdously digesting the somewhat dry textbooks and even dryer papers. Especially if you're lucky enough to watch talks by the researchers themselves, you'll quickly come to appreciate what is really important to them (and to you), i.e. what the take aways are, and what is mere technical details.

There are three kinds of advanced lectures/talks that you can find on YouTube:

  • Talks at Conferences. These are usually very high level and to a grad student, they are at best supplementary material. Researchers will have already submitted their paper(s) to the conference organizers, and are now presenting their results to the general cryptologists audience. While interesting, you may have trouble to follow them at this point.
  • Tutorials at Crypto Schools. Some faculties which specialize in cryptology as well as some big companies like Microsoft and Google organize every now and then special events called crypto schools. Attendees are usually grad students, and the lecturers are researchers from all over the world who are invited to talk about their domain of expertise. A crypto school is typically centered around a particular topic, and the lectures are structured in such a way as to explore the current state of the art of that topic in a tutorials like fashion. If a crypto school was kind enough to publish the lectures and slides on YouTube, go grab 'em while they're online (youtube-dl is your friend!), and watch then. It is best to watch then sequentially, as usually later lectures assume that you've attended the previous classes. The talks will mention the papers they're covering, so go grab them too, and have a look at them.
  • Full University Courses. Unlike crypto schools, which focus on one big topic, full University courses cover more ground. But save for that, they are structured in a similar manner. If you have the time to watch a whole semester or two semesters, then by all means, go for it! It is time well spent.

Whatever talk/lecture you decide to watch, remember to read the corresponding papers too. You won't become an expert just by passive listening. Active learning means also to follow some leads, even when not explicitely told to: most papers refer to earlier work, so spend some time to read about those as well.

Finally, nothing beats practice: you can't claim to have fully mastered a topic if you can't explain it yourself. An excellent self-test is to implement a cryptographic protocol in code (in Python, C++, whatever): unless you've really grasped the gist of the topic, you won't be able to even come up with a prototype.

An Intermediary Course on Cryptography

Prof. Jonathan Katz, one of the authors of [KL15] gave a 48-parts course on Cryptography at Coursera, which haṕpens to be available on YouTube:

The course is intermediary, in the sense that it goes somewhat deeper than Prof. Paar's introduction, but it isn't as advanced as MIT's 6.875, which has a much more theoretical flavor to it.

There's also another interesting, but not crypto-related course on security, but let's not dwell on that. If you prefer a more advanced presentation on Computer Systems Security, MIT course 6.858 (Spring 2014) (all videos) is for you.

An Advanced Lecture Worth Watching

It is difficult to come up with a good full University course on advanced cryptography which is also free / open access to everyone. Stanford's Dan Boneh did one MOOC, but unfortunatly, it is on Coursera only (but check out this inofficial playlist). Nowadays, most good courses are behind paywalls or only accessible to enrolled students. Still, here's one example of the excellent course 6.875 on Cryptography taught at MIT by well-known cryptologists Shafi Goldwasser and Vinod Vaikuntanathan. This playlist too isn't MIT OCW, so download all of them now, as long as they are online. Somewhat older lecture notes are also available[GB08]

Here is a list of the covered topics:

  1. L1. Introduction, Perfect Secrecy, One-Time Pad (Shafi Goldwasser)
  2. L2. One-Way Functions (Shafi Goldwasser)
  3. L3. Number Theory (Vinod Vaikuntanathan)
  4. L4. Hardcore Bits (Vinod Vaikuntanathan)
  5. L5. Hardcore Bits form One-Way Functions (Vinod Vaikuntanathan)
  6. L6. Pseudorandom Generators (Vinod Vaikuntanathan)
  7. L7. Pseudorandom Functions (Vinod Vaikuntanathan)
  8. L8. Trapdoor Functions (Vinod Vaikuntanathan)
  9. L9. Public Key Encryption (Shafi Goldwasser)
  10. L10. Public Key Encryption II (Vinod Vaikuntanathan)
  11. L11. Learning With Errors (Vinod Vaikuntanathan)
  12. L12. Zero Knowledge I (Vinod Vaikuntanathan)
  13. L13. Zero Knowledge II (Vinod Vaikuntanathan)
  14. L14. Zero Knowledge Proofs for NP (Omer Paneth)
  15. L15. Message Authentication Codes, Digital Signatures (Vinod Vaikuntanathan)
  16. L16. MACs, Digital Signatures II (Vinod Vaikuntanathan)
  17. L17. Hash Functions, Random Oracles (Vinod Vaikuntanathan)
  18. L18. (missing?)
  19. L19. Oblivious Transfer, Two Party Computation (Vinod Vaikuntanathan)
  20. L20. Garbled Circuits (Omer Paneth)
  21. L21. BGW MPC, Malicious Adversaries (Shafi Goldwasser)
  22. L22. MPC in the Malicious Setting (Prabhanjan Ananth)
  23. L23. Fully Homomorphic Encryption (Vinod Vaikuntanathan)
  24. L24. Fully Homomorphic Encryption II, Private Information Retrieval (Vinod Vaikuntanathan)

To get an idea, here's the first lecture by Shafi Goldwasser:

Literature