COMS E6261: Advanced Cryptography

Spring 2026: Cryptography + AI

General Information Lectures and Reading Additional Resources Class Requirements Presentation Details Project Details

General Information

Instructors:

Miranda Christ (516 CSB, office hours by appointment), Email: mchrist at cs
Tal Malkin (514 CSB, office hours by appointment), Email: tal at cs

Time & Place: Thursdays 2:10pm-4:00pm, Mudd 524

Administrative Notes:
This course can be used as an elective for the PhD program in computer science and for undergraduate CS majors, and as a secondary elective for MS students in the "Foundations of Computer Science" or the "Computer Security" pathways.

Prerequisites

COMS-W4261 Introduction to Cryptography, or two 4000-level theory courses, or instructor approval. The most important prerequisite is mathematical maturity, and comfort with (preferably also strong affection for) rigorous definitions and proofs.

Course Description

This class will explore the emerging interface between cryptography and AI. Our main focus will be on cryptographic approaches to AI, asking how we can build on the last four decades of development of modern cryptography towards understanding, formulating, and achieving privacy, trust, and safety goals for AI algorithms, as their interaction with everyday public discourse continues to grow. This includes exploring cryptographic techniques that can be used either to develop privacy-preserving and safe AI, or to demonstrate attacks against it. More importantly, it also includes applying a cryptographic mindset: explicitly thinking about adversarial models, rigorously formalizing definitions and assumptions, and provably showing when they can and cannot be achieved, all while using the complex, ambiguous, and messy real world to inform our choices and argue their meaningfulness. We will also consider the other direction: how recent AI developments can help towards achieving cryptographic goals.

We will explore these topics through critical reading of recent research papers, and discussion of open problems and directions. Specific papers will be selected by the instructors based on their interests and the interests of the students taking the class. Sample topics may include privacy-preserving learning, secure inference, watermarks for generative AI, backdoors in AI models, interactive proofs and verification of model properties, cryptographic hardness of learning tasks, weight extraction, steganography, AI-based cryptography and cryptanalysis, and AI safety.

Lectures and Readings

This course is an advanced graduate level seminar, where most lectures will be given by students taking the class (with prior feedback and support from the instructors and fellow students). A typical lecture will center around a topic (e.g., watermarks for generative AI, backdoors in ML models) and involve presenting, critiquing, and discussing several papers within this topic. This plan may change as the course progresses, based on student and instructor interest.

In each lecture, we have listed papers that will be presented (self explanatory), along with papers that are optional (not the focus but will be featured in lecture), and papers that are relevant (may not be discussed in lecture, but we recommend checking them out if you're interested).

Lecture 1 (1/22):

Introduction and class overview (what is a cryptographic mindset?); Private Learning I

First lecture given by Miranda and Tal, slides available here (to those with a Columbia account). The lecture covered the following works:

InstaHide: Instance-hiding Schemes for Private Distributed Learning. Yangsibo Huang, Zhao Song, Kai Li, Sanjeev Arora.
Is Private Learning Possible with Instance Encoding?. Nicholas Carlini, Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Shuang Song, Abhradeep Thakurta, Florian Tramer.
InstaHide Disappointingly Wins Bell Labs Prize, 2nd Place. Nicholas Carlini.
Deep Learning with Differential Privacy. Martín Abadi, Andy Chu, Ian Goodfellow, H. Brendan McMahan, Ilya Mironov, Kunal Talwar, Li Zhang.
VaultGemma: The world's most capable differentially private LLM. Amer Sinha and Ryan McKenna.

Question to think about: What can we do when practical defenses have no provable guarantees (and are in fact easily broken), but provable defenses are impractical?

Assignment: Make sure you have access to the gradescope page for our class. You can reach it from courseworks (left side of menu), or by adding the course on gradescope with entry code ZJP8J8. First quiz will be posted shortly!

Lecture 2 (1/29):

Adversarial examples and backdoors

Presentation 1: the exciting world of adversarial examples

Present: Madry lecture notes: Adversarial Examples and Misclassification Attacks
Optional: Explaining and Harnessing Adversarial Examples. Ian J. Goodfellow, Jonathon Shlens, Christian Szegedy.
Optional: Adversarial Examples Are Not Bugs, They Are Features. Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, Aleksander Madry.
Relevant: Adversarially Robust Learning Could Leverage Computational Hardness. Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody.

Presentation 2: backdoors

Present: Planting Undetectable Backdoors in Machine Learning Models. Shafi Goldwasser, Michael P. Kim, Vinod Vaikuntanathan, Or Zamir.
Relevant: Injecting Undetectable Backdoors in Obfuscated Neural Networks and Language Models. Alkis Kalavasis, Amin Karbasi, Argyris Oikonomou, Katerina Sotiraki, Grigoris Velegkas, Manolis Zampetakis.
Relevant: Backdoor defense, learnability and obfuscation. Paul Christiano, Jacob Hilton, Victor Lecomte, Mark Xu.
Relevant: Oblivious Defense in ML Models: Backdoor Removal without Detection. Shafi Goldwasser, Jonathan Shafer, Neekon Vafa, Vinod Vaikuntanathan.
Relevant: ImpNet: Imperceptible and blackbox-undetectable backdoors in compiled neural networks. Eleanor Clifford, Ilia Shumailov, Yiren Zhao, Ross Anderson, Robert Mullins.

Lecture 3 (2/5):

Private learning II

Papers TBA.

Lecture 4 (2/12):

Watermarks

Presentation 1: hash-based LLM watermarks

Present: Undetectable Watermarks for Language Models. Miranda Christ, Sam Gunn, Or Zamir.
Optional: A Watermark for Large Language Models. John Kirchenbauer, Jonas Geiping, Yuxin Wen, Jonathan Katz, Ian Miers, Tom Goldstein.
Optional: Scott Aaronson's watermark, as described on his blog. Scott Aaronson.

Presentation 2: pseudorandom-code-based watermarks

Present: Pseudorandom Error-Correcting Codes. Miranda Christ and Sam Gunn.
Optional: An Undetectable Watermark for Generative Image Models. Sam Gunn, Xuandong Zhao, Dawn Song.
Relevant: Robust Distortion-free Watermarks for Language Models. Rohith Kuditipudi, John Thickstun, Tatsunori Hashimoto, Percy Liang.
Relevant: Edit Distance Robust Watermarks via Indexing Pseudorandom Codes. Noah Golowich, Ankur Moitra.
Relevant: Ideal Pseudorandom Codes. Omar Alrabiah, Prabhanjan Ananth, Miranda Christ, Yevgeniy Dodis, Sam Gunn.
Relevant: Improved Pseudorandom Codes from Permuted Puzzles. Miranda Christ, Noah Golowich, Sam Gunn, Ankur Moitra, Daniel Wichs.
Relevant: Separating Pseudorandom Codes from Local Oracles. Nico Döttling, Anne Müller, Mahesh Sreekumar Rajasree.
Relevant: Black-Box Crypto is Useless for Pseudorandom Codes. Sanjam Garg, Sam Gunn, Mingyuan Wang.
Relevant: Watermarks in the Sand: Impossibility of Strong Watermarking for Generative Models. Hanlin Zhang, Benjamin L. Edelman, Danilo Francati, Daniele Venturi, Giuseppe Ateniese, Boaz Barak.

Upcoming Topics

Papers and topics to be covered later in the semester (schedule TBD). Email us if you want to sign up!

Private learning II: cryptographic tools such as MPC, FHE; federated learning
Filtering (determining whether model outputs are harmful)
Watermarking AI-generated content
Verifiable learning (can we outsource training and ensure that the model given to us is safe to use?)
Unlearning (after we've trained a model, can we make it "forget" points it was trained on?
Weight extraction (given query access to a model, can we reconstruct its weights?)
Cryptographic hardness of ML tasks (can neural networks be collision-resistant functions?)
[Your suggestion here!]

Additional Resources

Below are additional resources you may find helpful.

MIT machine learning lecture notes
Course webpage for a similar course being taught at MIT this semester, by Shafi Goldwasser and Vinod Vaikuntanathan.
Applications of Crypto to ML: a talk given by Nicholas Carlini at the Simons Institute.

Class Requirements

Students will be expected to read papers for each class, participate in discussion, and present one or two papers. There will also be short quizzes for each topic. Every student should complete a research project on any topic of their choice related to cryptography, subject to instructor approval. Students may work on their research project individually or in a group.

The class requirements and their relative weight in the grade are as follows:

Lecture Presentation and Support (40%): Weekly meetings will typically be divided into two lectures of about 50 minutes each (including discussion), and most lectures will be delivered by students. For each lecture there will typically be one student in charge of presenting the paper(s) and leading the discussion, and one student supporting the presenter. Every student is expected to take the role of a presenter twice and the role of a supporter twice throughout the semester. See additional details on lecture presentations below.
Quizzes (10%): Every week, there will be a short, quiz on gradescope. This is meant to check that students have been paying attention and reflect on the take-home messages of the lecture, not very time consuming. The quiz should be taken individually by every student, without collaboration.
Attendance, Participation, Homework (10%): Students are expected to be present in lectures (physically, but not only), and are encouraged to participate. There may also be a small number (between 0 and 2, likely closer to 0) of homeworks.
Project (40%): Every student should complete a research project on any cryptographic of their choice, subject to instructor approval. See additional details on project requirements below.

Overall, we plan to grade (very) generously, but what you get from the class in terms of the class goals—learning of and exposure to the topics covered, research, and teaching—is proportional to how much you put into it (and for the learning part, also proportional to how much your fellow students and teaching staff put into the teaching part). We hope for an intimate, fun class, where everyone puts forth their best effort.

Lecture Presentation Details

The team of presenter(s) and supporter(s) will work together to thoroughly understand the assigned paper(s), and plan how to teach it effectively. Motivation and context, as well as definitions, proofs, techniques, and open problems, are all important—the team, with guidance and feedback from the teaching staff, should plan the right balance in teaching their particular topic to the class.

Presenter(s): have to read the paper carefully, think about the right way to teach it to the audience, how to structure their presentation, what to include and not include in the given time (some papers may be quite long), what the main message is, and determine the mechanism they prefer (slides or blackboard). They should also lead the discussion and answer student questions during the lecture.
Supporters(s): have to read the paper carefully, and meet with presenters prior to their lecture to go over the presentation and give feedback and suggestions. Supporters should be generally available over email to answer presenters' questions prior to the lecture, and prepared to help answer students' questions during the lecture and participate in discussion.
Support from instructors: the team will receive an email with detailed instructions and recommendations from an instructor a week before their presentation. The team will then need to meet with the other instructor a day or two prior to their presentation for practice and feedback.
Materials: the team should also provide materials for rest of the class, in the form of notes or slides summarizing the lecture (again with feedback from the teaching staff).

Project Details

Students may work on their research project individually or in pairs. If you would like to have a bigger group, or to collaborate with others outside the class (e.g., other professors or fellow students), you may do so subject to instructor approval, provided that all your collaborators know and approve (and are mentioned in your report), and that you're not getting double credit for the same work (and of course, we will hold you accountable for your project).

The first stage of the project will consist of literature study of the selected area, and tentative identification of the problem you would like to address (what you'd hope to achieve). Over the semester you will refine this goal, state a concrete research result you hope to obtain, and work towards it. Identifying a problem to pursue, making it well-defined, and coming up with a plan towards addressing it, is your responsibility. However, you are allowed and encouraged to discuss your ideas with (and receive feedback from) the instructors, TA, and fellow students, at all stages (you may also incorporate others' ideas in your project, as long as they are ok with it, you give them proper credit, and the project also reflects appropriate effort by each member of the group).

Note that the research problem you choose to work on does not have to be an open problem that is stated in some paper or identified by an expert in the field -- it can be a problem of your own invention. It can also be an extension of a known result to new, unknown settings. The final report does not need to be a publishable result, nor must it conclude in successful resolution. One of the main goals of this course is to invoke interesting research ideas, and give you a taste of the research process. We encourage interesting projects that might end up unsuccessful (as long as all attempts are well documented and make sense overall), over a successful resolution of a trivial problem.

While we expect that most projects will not end with a publishable result, given the nature of research and the time alotted, some might (and have before). We suggest that you approach this optimistically: propose a concrete research problem, and attack it with the goal of solving it. In your final report, describe either your new result, or your attempt, where you reached, and what would be the next steps you would try if given more time.

Specific milestones required include a proposal, progress report, and final report, as well as project presentations at the end. Details for the expectations and time line will be posted here soon.

Overall, there are two main goals for a project in this class, and your final report should demonstrate you have progressed on both (although the ratio between the two can vary).

Acquiring a substantial body of knowledge about the topic of your project. This will involve closely and carefully reading literature on your specific topic (likely to be several papers). You should demonstrate this aspect of your project in the "background" section(s) of your final report, which should be a clear synthesis and exposition in your own words of what you have learned.
Gaining research experience in this area; i.e. make a serious effort to contribute to the state of knowledge on your project topic by (i) identifying an interesting open question or direction for future research related to your project topic; (ii) coming up with a plausible approach to make progress; and (iii) working towards delivering on your approach. You should demonstrate this aspect of your project by explaining in detail your efforts towards (i), (ii) and (iii) in the rest of your final report.

The ratio of (1) to (2) may vary significantly between different projects. There are some projects that might involve relatively less background; in that case you will be expected to spend more time, and give more evidence of time well spent on the progress made and your successful/unsuccessful attempts. For other projects, you will need to acquire more extensive background.

There is no minimum (or maximum) number of papers you have to read or pages that you have to write, though we will try to guide students towards comparable (and reasonable) amount of work to complete your project. The expectation from a group will be calibrated to the group size, but the rule of thumb is: make an honest effort, start early, do not hesitate to request feedback.

More information, deadlines, and suggested topics and resources for projects will be provided soon.

Academic Honesty

We expect that the primary goal of everyone in the class is to learn (we can imagine no other reason that you would be in this class). Hopefully this means that there will be no focus on grades (which we can tolerate but discourage in this class), and no issues of dishonesty (which we absolutely will not tolerate). In particular, students should take the quizzes on their own, and be sure to provide appropriate citations for all sources used in their project reports, as well as acknowledgements to other people who contributed (just as you should do in any academic publishing).

As in every CS class, students are expected to adhere to the academic honesty policy of the CS department. This policy has been passed by the faculty of the Department and approved by the school deans.

AI Policy

We require that all original text (e.g., on your slides and in your final project) is written by you. Cosmetic use of AI, for proofreading/grammar is acceptable. We say "original text" because your slides and project may include definitions or theorems from relevant papers, with proper attribution. Otherwise, we allow any use of AI: to help with coding, understanding papers, etc. However, we believe that struggling with difficult material is very important in building research skills. We encourage you to use your best judgment (about what will best help your learning) when using AI.