MIT 6.S976 and 18.S996 (Spring 2026)
Cryptography and Machine Learning: Foundations and Frontiers

Course Description

Cryptography offers a playbook for building trust on untrusted platforms. This course applies that playbook to modern machine learning. We will study how cryptographic modeling and tools—ranging from privacy-preserving algorithms to interactive proofs and debate protocols—can endow ML systems with privacy, verifiability, and reliability. Topics include mechanisms for data and model privacy; methods to verify average-case quality and certify worst-case correctness; and strategies for robustness and alignment across discriminative and generative models. The course will start to draw the contours of a new field at the Crypto × ML interface and identify concrete problems in trustworthy ML that benefit from cryptographic thinking and techniques.

Prerequisites: 6.1220 (Algorithms) AND 6.390 (Intro to Machine Learning); or equivalent. Alternatively, permission from the instructors.

Course Information

INSTRUCTORS	Shafi Goldwasser Email: shafi at csail dot mit dot edu
	Vinod Vaikuntanathan Email: vinodv at csail dot mit dot edu
LOCATION AND TIME	Tuesday and Thursday 11:00am-12:30pm in ~~24-115~~ 37-212.
TAs	Neekon Vafa Email: nvafa at mit dot edu
ASSIGNMENTS AND GRADING	Grading will be based on problem sets (25%), scribe notes (20%), a final project (45%) and class participation (10%).
SCRIBING	Students are required to produce notes for one lecture in groups of 2-3 students. Since scribe notes are worth 20% of the final grade, we expect your scribe notes to be polished and high quality. Use the LaTeX template provided here, and be sure not to modify the "scribe.sty" file in your submitted notes. (It is OK to use custom macros in your .tex file, but please use the existing macros as much as possible.) To sign up to scribe a lecture, refer to the spreadsheet link sent over the class email list.
RESOURCES	For background on ML basics, we recommend the following free resources: Shalev-Shwartz and Ben-David Mohri, Rostamizadeh, and Talwalkar

Schedule (tentative and subject to change)

Lecture	Topic
	Module 1: Introduction to the Course and ML/Crypto Basics
Lecture 1 (Tue Feb 3)	Overview of the course. Resources: Shafi's Slides (presented in class) Vinod's Slides (from TCC 2025)
Lecture 2 (Thu Feb 5)	Guest Lecturer: Jonathan Shafer ML basics: Classification, Regression, Generation; Access models to data. Resources: Shalev-Shwartz and Ben-David Mohri, Rostamizadeh, and Talwalkar
Lecture 3 (Tue Feb 10)	Guest Lecturer: Jonathan Shafer ML basics (contd.) Resources: Jonathan's handwritten notes
Lecture 4 (Thu Feb 12)	Crypto basics: Secure communication, one-time pads, pseudorandomness (computational indistinguishability). Resources: Slides Shannon: Communication Theory of Secrecy Systems Diffie-Hellman: New Directions in Cryptography Rivest-Shamir-Adleman: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems Goldwasser-Micali: Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information Blum-Micali: How to Generate Cryptographically Strong Sequences of Pseudorandom Bits Goldreich-Goldwasser-Micali: How to Construct Random Functions Blum-Furst-Kearns-Lipton: Cryptographic Primitives Based on Hard Learning Problems Kearns-Valiant: Cryptographic Limitations on Learning Boolean Formulae and Finite Automata
No Lecture (Tue Feb 17)	No classes
Lecture 5 (Thu Feb 19)	Crypto basics, continued: pseudorandom generators (one-time pad) and functions (encryption, MAC), private-key encryption Resources: Shannon: Communication Theory of Secrecy Systems Diffie-Hellman: New Directions in Cryptography Rivest-Shamir-Adleman: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems Goldwasser-Micali: Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information Blum-Micali: How to Generate Cryptographically Strong Sequences of Pseudorandom Bits Goldreich-Goldwasser-Micali: How to Construct Random Functions Blum-Furst-Kearns-Lipton: Cryptographic Primitives Based on Hard Learning Problems Kearns-Valiant: Cryptographic Limitations on Learning Boolean Formulae and Finite Automata
	Module 2: Watermarking
Lecture 6 (Tue Feb 24)	Watermarking: problem definition, digital signatures, classical approaches, watermarking LLM outputs.
Lecture 7 (Thu Feb 26)	Watermarking: pseudorandom codes and robust watermarking; open problems.
	Module 3: Verification
Lecture 8 (Tue Mar 3)	Guest Lecturer: Adam Kalai Hallucinations and how to mitigate them.
Lecture 9 (Thu Mar 5)	Verification: crypto tools, interactive proofs, zero knowledge.
Lecture 10 (Tue Mar 10)	PAC verification: how to verify properties of models?
Lecture 11 (Thu Mar 12)	Self-proving LLM, modify interactive proofs to the learning setting.
Lecture 12 (Tue Mar 17)	Self-proving LLM (contd.)
Lecture 13 (Thu Mar 19)	Lean: a different take on verification.
	Module 4: Robustness and Alignment
Lecture 14 (Tue Mar 31)	Robust statistics (in training).
Lecture 15 (Thu Apr 2)	Backdoors in ML.
Lecture 16 (Tue Apr 7)	Backdoors in ML.
Lecture 17 (Thu Apr 9)	Alignment.
Lecture 18 (Tue Apr 14)	Alignment: Inference-time Compute
	Module 5: Privacy and Security
Lecture 19 (Thu Apr 16)	Privacy 1: differential privacy, copyright protection.
Lecture 20 (Tue Apr 21)	Privacy 2: machine unlearning.
Lecture 21 (Thu Apr 23)	Privacy 3: model stealing.
Lecture 22 (Tue Apr 28)	Privacy 3: model stealing (continued)
Lecture 23 (Thu Apr 30)	Privacy 4: cryptographic techniques, Homomorphic Encryption, Private Information Retrieval. ML techniques, embeddings.
Lecture 24 (Tue May 5)	Cryptographic techniques, continued. Federated learning.
	Module 6: Special Topics and Projects
Lecture 25 (Tue May 7)	Crypto for ML efficiency.
Lecture 26 (Tue May 12)	Project presentations.