Skip to main content

Advanced Security:  2017-2018



Schedule C1 (CS&P)Computer Science and Philosophy

Schedule C1Computer Science

Schedule C1Mathematics and Computer Science

Schedule CMSc in Computer Science



The Advanced Security course is designed to bring students towards the research boundaries in computer security, covering contemporary topics in depth. It is split into two modules, each an area of interest to members of the Computer Security research group. This year the modules will be:

 first half of term, Sadie Creese

Title to be confirmed.


Cryptography for Privacy: 8 lectures, second half of term, Michael Goldsmith

Using modern cryptography for limited release of information.

Learning outcomes

To attain a deeper understanding of certain contemporary topics in computer security, bridging the gap to research.

Cryptography for Privacy

The standard uses of cryptography are intended to allow only intended recipients to extract all of some piece of information, or to give assurance of its validity as a whole; this is a rather blunt instrument for the modern world.  As a vendor of age-restricted goods, for instance, you may wish to rely on government certification of your customer's majority, but you have no real business knowing anything more about their identity; so a passport or driving licence, or their certified electronic moral equivalents, are far from ideal from a privacy point of view.  The course covers the concepts and definitions required for more subtle uses of cryptography and related mechanisms enabling schemes that allow a verifier to be satisfied about some attribute of a supplicant based on an unforgeable credential backed by a trusted certifier, without leaking further information about the supplicant to the verifier, nor the fact of the request to the certifier.  We will also explore some of the challenges that remain, particularly at the frontier between the electronic and human worlds.


For both modules, the Computer Security course (or its equivalent).

For the Information Hiding module: basic (1st yr) probability, basic (1st yr) linear algebra. The Information Hiding practical will be in C, but only a very basic understanding of the language will be required.



Cryptography for Privacy (weeks 5-8, 2 classes, 1 practical)

Background Review of the concept of authentication and authentication protocols.  Generalisation to authentication of attributes as a goal.  Technical challenges and privacy goals. [1-2 lectures]

Mechanisms underlying the solution Introduction to homomorphic encryption.  Zero-knowledge proofs.  Secure multi-party computation. [2-3 lectures]

Attribute-Based Credentials and their applications Use cases.  Simplistic solutions.  Weaknesses.  Unforgeable derived credentials. [2-3 lectures]

Remaining chellenges in social contexts.  Abuse cases.  Forward privacy?  Possible approaches towards solutions.  [1-2 lectures]



Cryptography for Privacy

Authentication and authentication protocols.  Authentication of attributes.  Privacy goals.  Elementary homomorphic encryption.  Zero-knowledge proofs.  Secure multi-party computation.  Attribute-Based CredentialsApplications and use cases.  Simplistic and more sophisticated solutions.  Unforgeable derived credentials.  Remaining chellenges in social contexts.  Abuse cases.  Forward privacy.

Examination: both part C undergraduate and MSc students will be examined by take-home assignment over the Easter vacation. Students must answer questions on both modules.

Reading list

Cryptography for Privacy

Yehuda Lindell (2007) "Anonymous Authentication," Journal of Privacy and Confidentiality: 2(2), Article 4: PDF

Ronald L. Rivest, Adi Shamir and Yael Tauman (2001) "How to Leak a Secret," ASIACRYPT 2001, LNCS 2248, pp. 552–565: PDF

Ronald L. Rivest, Len Adleman and Michael L. Dertouzos (1978) "On data banks and privacy homomorphisms," Foundations of Secure Computations, pp. 171–182: PDF

Ronald L. Rivest, Adi Shamir and Len Adleman (1978) "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM 21(2), pp. 120–126: PDF

Craig Gentry (2009) A fully homomorphic encryption scheme, PhD thesis, Stanford University: PDF

Craig Gentry (2009) "Fully homomorphic encryption using ideal lattices," STOC, pp. 169–178, ACM: PDF

Craig Gentry (2010) "Computing Arbitrary Functions of Encrypted Data," Communications of the ACM, 53(3), pp. 97–105: PDF available here

Nigel Smart and Frederik Vercauteren (2010) "Fully homomorphic encryption with relatively small key and ciphertext sizes," Public Key Cryprography – PKC 2010, Springer LNCS 6056, pp. 420–443: PDF available here

Jean-Sébastien Coron, Avradip Mandal, David Naccache and Mehdi Tibouchi, "Fully Homomorphic Encryption over the Integers with Shorter Public Keys," Advances in Cryptology – CRYPTO 2011, Springer LNCS 6841 pp. 487–504: PDF available here

Xiaofeng Chen, Willy Susilo, Jin Li, Duncan Wong, Jianfeng Ma, Shaohua Tang, and Qiang Tang (2015) "Efficient algorithms for secure outsourcing of bilinear pairings" Theoretical Computer Science 562, pp. 112–121: PDF available here

Zvika Brakerski and Vinod Vaikuntanathan (2011) "Efficient Fully Homomorphic Encryption from (Standard) LWE," SIAM Journal of Computing, 43(2), pp. 831–871: PDF

Craig Gentry, Shai Halevi and Nigel Smart (2012) "Fully Homomorphic Encryption with Polylog Overhead," Advances in Cryptology – EUROCRYPT 2012, Springer LNCS 7237, pp. 465–482: PDF available here

Craig Gentry, Shai Halevi and Nigel Smart (2012) "Better Bootstrapping in Fully Homomorphic Encryption," Public Key Cryptography – PKC 2012, Springer LNCS 7293, pp. 1–16: PDF available here

Zvika Brakerski, Craig Gentry and Vinod Vaikuntanathan (2011) "Fully homomorphic encryption without bootstrapping", ACM Transactions on Computation Theory (TOCT) - Special issue on innovations in theoretical computer science 2012 - Part II, 6(3), July 2014: PDF

Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan (2012) "(Leveled) fully homomorphic encryption without bootstrapping," Innovations in Theoretical Computer Science (ITCS '12), ACM: PDF available here

Jean-Jacques Quisquater, Louis C. Guillou and Thomas A. Berson (1990) "How to Explain Zero-Knowledge Protocols to Your Children", Advances in Cryptology – CRYPTO '89, Springer LNCS 435, pp. 628–631: PDF

Shimon Even, Oded Goldreich and Abraham Lempel (1985) "A Randomized Protocol for Signing Contracts", Communications of the ACM, 28(6), pp. 637–647: PDF available here

Andrew Yao (1982) "Protocols for secure computations", FOCS 2013, pp. 160–164: PDF

Ioannis Ioannidis and Ananth Grama (2003) "An efficient protocol for Yao's Millionaires' Problem", HICCS '03: PDF

Indrajit Ray and Indrakshi Ray (2002) "Fair exchange in e-commerce", ACM SIGecom Exchange 3(2), pp. 9–17: PDF

Henning Pagnia and Felix C. Gärtner (1999) "On the impossibility of fair exchange without a trusted third party," Technische Universität Darmstadt Technical Report TUD–BS–1999–02: PDF

Michael J. Fischer, Nancy A. Lynch and Michael S. Paterson (1985) "Impossibility of Distributed Consensus with One Faulty Process," Journal of the ACM, 32(2), pp. 374–382: PDF

Matthew K. Franklin and Michael K. Reiter (1997) "Fair Exchange with a semi-trusted third party," CCS '97, pp 1–6: PDF

N. Asokan, Victor Shoup and Michael Waidner (1998) "Asynchronous protocols for optimistic fair exchange," IEEE Symposium on Research in Security and Privacy, pp. 86–99: PDF; Fixed by Vitaly Shmatikov and John C. Mitchell (2000) "Analysis of a Fair Exchange Protocol", NDSS 2000: PDF

Manuel Blum (1983) "How to exchange (secret) keys," ACM TOCS 1(2), pp. 175–193: PDF

Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella (2004) "Fairplay – A Secure Two-Party Computation System," 13th USENIX Security Symposium, pp. 287–302: PDF

Chaum, David (1982) "Blind signatures for untraceable payments," Crypto 82, LNCS 1440, pp. 199–203: PDF

Claus P. Schnorr (1991) "Efficient signature generation for smart cards," Journal of Cryptology, 4(3), pp. 239–252: PDF

Jan Camenisch and Ivan Damgård (2000) "Verifiable encryption, group encryption, and their applications to group signatures and signature sharing schemes," ASIACRYPT 2000, Springer LNCS 1976, pp. 331–345: PDF

Jan Camenisch and Anna Lysyanskaya (2002) "A signature scheme with efficient protocols," SCN 2002, Springer LNCS 2576: PDF

Jan Camenisch and Victor Shoup (2003) "Practical verifiable encryption and decryption of discrete logarithms," CRYPTO 2003, Springer LNCS 2729 pp. 126–144:PDF

Ivan Damgård and Eiichiro Fujisaki (2002) "An integer commitment scheme based on groups with hidden order," ASIACRYPT 2002, Springer LNCS 2501: PDF

Jan Camenisch et al (2010) Specification of the Identity Mixer Cryptographic Library (Version 2.3.0), IBM Zurich Technical Report RZ 3730: Available via this link

Hemanta Maji, Manoj Prabhakaran and Mike Rosulek (2011) "Attribute-based signatures.'' Topics in Cryptology–CT-RSA 2011, Springer Berlin Heidelberg, pp. 376–392: PDF

Ali El Kaafarani, Liqun Chen, Essam Ghadaï and James Davenport (2014) "Attribute-Based Signatures with User-Controlled Linkability," CANS 2014, Springer LNCS 8813, pp. 256–269: PDF

Xavier Boyen (2007) "Mesh signatures." Advances in Cryptology–EUROCRYPT 2007. Springer Berlin Heidelberg, pp. 210–227: PDF

Gergely Alpár and Bart Jacobs (2013) "Credential design in attribute-based identity management," 3rd TILTing Perspectives Conference, pp. 189–204: PDF

John Kubiatowicz, David Bindel, Yan Chen, Steven Czerwinski, Patrick Eaton, Dennis Geels, Ramakrishna Gummadi, Sean Rhea, Hakim Weatherspoon, Westley Weimer, Chris Wells and Ben Zhao (2000) "Oceanstore: An architecture for global-scale persistent storage." ACM Sigplan Notices 35(11), pp. 190–201: PDF

A more gentle introduction to some of the concepts...

Xun Yi, Russell Paulet and Elisa Bertino (2014) Homomorphic Encryption and Applications, Springer, ISBN 978–3–319–1228–1