MIT 6.S976 and 18.S996 (Spring 2026)
Cryptography and Machine Learning: Foundations and Frontiers

Course Description

Cryptography offers a playbook for building trust on untrusted platforms. This course applies that playbook to modern machine learning. We will study how cryptographic modeling and tools—ranging from privacy-preserving algorithms to interactive proofs and debate protocols—can endow ML systems with privacy, verifiability, and reliability. Topics include mechanisms for data and model privacy; methods to verify average-case quality and certify worst-case correctness; and strategies for robustness and alignment across discriminative and generative models. The course will start to draw the contours of a new field at the Crypto × ML interface and identify concrete problems in trustworthy ML that benefit from cryptographic thinking and techniques.

Prerequisites: 6.1220 (Algorithms) AND 6.390 (Intro to Machine Learning); or equivalent. Alternatively, permission from the instructors.

Course Information

INSTRUCTORS	Shafi Goldwasser Email: shafi at csail dot mit dot edu
	Vinod Vaikuntanathan Email: vinodv at csail dot mit dot edu
LOCATION AND TIME	Tuesday and Thursday 11:00am-12:30pm in ~~24-115~~ 37-212.
TAs	Neekon Vafa Email: nvafa at mit dot edu Office hours: Tuesdays 7-8pm, Thursdays 4-5pm (virtual this week)
	Liyan Chen Email: cliyan at mit dot edu
ASSIGNMENTS AND GRADING	Grading will be based on problem sets (25%), scribe notes (20%), a final project (45%) and class participation (10%). Released Problem Sets: Problem Set 1 [source] \| Released: March 13 \| Due: April 3
SCRIBING	Students are required to produce notes for one lecture in groups of 2-3 students. Since scribe notes are worth 20% of the final grade, we expect your scribe notes to be polished and high quality. Use the LaTeX template provided here, and be sure not to modify the "scribe.sty" file in your submitted notes. To sign up to scribe a lecture, refer to the spreadsheet link sent over the class email list. The final deadline to submit scribe notes is 1 week after lecture.
RESOURCES	For background on ML basics, we recommend the following free resources: Shalev-Shwartz and Ben-David Mohri, Rostamizadeh, and Talwalkar

Schedule (tentative and subject to change)

Lecture	Topic
	Module 1: Introduction to the Course and ML/Crypto Basics
Lecture 1 (Tue Feb 3)	Overview of the course. Resources: Shafi's slides (presented in class) Vinod's slides (from TCC 2025)
Lecture 2 (Thu Feb 5)	Guest Lecturer: Jonathan Shafer ML basics: Classification, Regression, Generation; Access models to data. Resources: Shalev-Shwartz and Ben-David Mohri, Rostamizadeh, and Talwalkar
Lecture 3 (Tue Feb 10)	Guest Lecturer: Jonathan Shafer ML basics (contd.) Resources: Scribe notes
Lecture 4 (Thu Feb 12)	Crypto basics: Secure communication, one-time pads, pseudorandomness (computational indistinguishability). Resources: Slides Shannon: Communication Theory of Secrecy Systems Diffie-Hellman: New Directions in Cryptography Rivest-Shamir-Adleman: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems Goldwasser-Micali: Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information Blum-Micali: How to Generate Cryptographically Strong Sequences of Pseudorandom Bits Goldreich-Goldwasser-Micali: How to Construct Random Functions Blum-Furst-Kearns-Lipton: Cryptographic Primitives Based on Hard Learning Problems Kearns-Valiant: Cryptographic Limitations on Learning Boolean Formulae and Finite Automata
No Lecture (Tue Feb 17)	No classes
Lecture 5 (Thu Feb 19)	Crypto basics, continued: Pseudo Random Functions, LPN, learning impossibility based on cryptographic hardness Resources: Slides Shannon: Communication Theory of Secrecy Systems Diffie-Hellman: New Directions in Cryptography Rivest-Shamir-Adleman: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems Goldwasser-Micali: Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information Blum-Micali: How to Generate Cryptographically Strong Sequences of Pseudorandom Bits Goldreich-Goldwasser-Micali: How to Construct Random Functions Blum-Furst-Kearns-Lipton: Cryptographic Primitives Based on Hard Learning Problems Kearns-Valiant: Cryptographic Limitations on Learning Boolean Formulae and Finite Automata Klivans-Sherstov: Cryptographic Hardness for Learning Intersections of Halfspaces Jonathan Shafer (Video): Lecture on Connections between Learning and Cryptography
	Module 2: Watermarking
Lecture 6 (Tue Feb 24)	MIT Closure--Class Canceled
Lecture 7 (Thu Feb 26)	Watermarking: problem definition, digital signatures, classical approaches, watermarking LLM outputs. Resources: Handwritten notes Christ-Gunn-Zamir: Undetectable Watermarks for Language Models Kirchenbauer et al.: A Watermark for Large Language Models Mitchell et al.: DetectGPT: Zero-Shot Machine-Generated Text Detection using Probability Curvature Afchar et al.: A Fourier Explanation of AI-Music Artifacts Odena et al.: Deconvolution and Checkerboard Artifacts GPTZero
Lecture 8 (Tue Mar 3)	Watermarking: pseudorandom codes and robust watermarking; open problems. Resources: Handwritten notes Christ-Gunn: Pseudorandom Error-Correcting Codes Golowich-Moitra: Edit Distance Robust Watermarks via Indexing Pseudorandom Codes Christ-Golowich-Gunn-Moitra-Wichs: Improved Pseudorandom Codes from Permuted Puzzles Gunn-Zhao-Song: An Undetectable Watermark for Generative Image Models
	Module 3: Verification
Lecture 9 (Thu Mar 5)	Guest Lecturer: Adam Kalai Hallucinations and how to mitigate them. Resources: Slides Kalai-Nachum-Vempala-Zhang: Why Language Models Hallucinate
Lecture 10 (Tue Mar 10)	Verification: crypto tools, interactive proofs, zero knowledge. Resources: Slides
Lecture 11 (Thu Mar 12)	Guest Lecturer: Jonathan Shafer PAC verification: how to verify properties of models? Resources: Slides Mutreja-Shafer: PAC Verification of Statistical Algorithms
Lecture 12 (Tue Mar 17)	Self-proving LLM, modify interactive proofs to the learning setting. Resources: Shafi's slides Goldwasser-Micali-Rackoff: The Knowledge Complexity of Interactive Proof Systems Goldreich-Micali-Wigderson: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems Lund-Fortnow-Karloff-Nisan: Algebraic methods for interactive proof systems Shamir: IP = PSPACE
Lecture 13 (Thu Mar 19)	Guest Lecturer: Orr Paradise Self-proving LLM (contd.) Resources: Orr's slides
Lecture 14 (Tue Mar 31)	Guest Lecturer: Cameron Freer Lean: a different take on verification.
	Module 4: Robustness and Alignment
Lecture 15 (Thu Apr 2)	Guest Lecturer: Sam Hopkins Robust statistics.
Lecture 16 (Tue Apr 7)	Backdoors in ML.
Lecture 17 (Thu Apr 9)	Backdoors in ML.
Lecture 18 (Tue Apr 14)	Alignment.
	Module 5: Privacy and Security
Lecture 19 (Thu Apr 16)	Privacy: Overview
Lecture 20 (Tue Apr 21)	Model Stealing I
Lecture 21 (Thu Apr 23)	Model Stealing II
Lecture 22 (Tue Apr 28)	Cryptographic Techniques: Homomorphic Encryption, Private Information Retrieval.
Lecture 23 (Thu Apr 30)	Encrypted Matrix-Vector Products via Trapdoored Matrices.
Lecture 24 (Tue May 5)	Guest Lecturer: Alexandra Henzinger Cryptographic techniques, continued: Private Search.
	Module 6: Project Presentations
Lecture 25 (Thu May 7)	Project presentations.
Lecture 26 (Tue May 12)	Project presentations.