MIT 6.S976 and 18.S996 (Spring 2026)
Cryptography and Machine Learning: Foundations and Frontiers

Course Description

Cryptography offers a playbook for building trust on untrusted platforms. This course applies that playbook to modern machine learning. We will study how cryptographic modeling and tools—ranging from privacy-preserving algorithms to interactive proofs and debate protocols—can endow ML systems with privacy, verifiability, and reliability. Topics include mechanisms for data and model privacy; methods to verify average-case quality and certify worst-case correctness; and strategies for robustness and alignment across discriminative and generative models. The course will start to draw the contours of a new field at the Crypto × ML interface and identify concrete problems in trustworthy ML that benefit from cryptographic thinking and techniques.

Prerequisites: 6.1220 (Algorithms) AND 6.390 (Intro to Machine Learning); or equivalent. Alternatively, permission from the instructors.

Course Information

INSTRUCTORS	Shafi Goldwasser Email: shafi at csail dot mit dot edu
	Vinod Vaikuntanathan Email: vinodv at csail dot mit dot edu
LOCATION AND TIME	Tuesday and Thursday 11:00am-12:30pm in ~~24-115~~ 37-212.
TAs	Neekon Vafa Email: nvafa at mit dot edu Office hours: Tuesdays 7-8pm, Thursdays 4-5pm (locations TBD)
ASSIGNMENTS AND GRADING	Grading will be based on problem sets (25%), scribe notes (20%), a final project (45%) and class participation (10%). Released Problem Sets: Problem Set 1 [source] \| Released: March 13 \| Due: April 3
SCRIBING	Students are required to produce notes for one lecture in groups of 2-3 students. Since scribe notes are worth 20% of the final grade, we expect your scribe notes to be polished and high quality. Use the LaTeX template provided here, and be sure not to modify the "scribe.sty" file in your submitted notes. To sign up to scribe a lecture, refer to the spreadsheet link sent over the class email list. The final deadline to submit scribe notes is 1 week after lecture.
RESOURCES	For background on ML basics, we recommend the following free resources: Shalev-Shwartz and Ben-David Mohri, Rostamizadeh, and Talwalkar

Schedule (tentative and subject to change)

Lecture	Topic
	Module 1: Introduction to the Course and ML/Crypto Basics
Lecture 1 (Tue Feb 3)	Overview of the course. Resources: Shafi's Slides (presented in class) Vinod's Slides (from TCC 2025)
Lecture 2 (Thu Feb 5)	Guest Lecturer: Jonathan Shafer ML basics: Classification, Regression, Generation; Access models to data. Resources: Shalev-Shwartz and Ben-David Mohri, Rostamizadeh, and Talwalkar
Lecture 3 (Tue Feb 10)	Guest Lecturer: Jonathan Shafer ML basics (contd.) Resources: Scribe notes
Lecture 4 (Thu Feb 12)	Crypto basics: Secure communication, one-time pads, pseudorandomness (computational indistinguishability). Resources: Slides Shannon: Communication Theory of Secrecy Systems Diffie-Hellman: New Directions in Cryptography Rivest-Shamir-Adleman: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems Goldwasser-Micali: Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information Blum-Micali: How to Generate Cryptographically Strong Sequences of Pseudorandom Bits Goldreich-Goldwasser-Micali: How to Construct Random Functions Blum-Furst-Kearns-Lipton: Cryptographic Primitives Based on Hard Learning Problems Kearns-Valiant: Cryptographic Limitations on Learning Boolean Formulae and Finite Automata
No Lecture (Tue Feb 17)	No classes
Lecture 5 (Thu Feb 19)	Crypto basics, continued: Pseudo Random Functions, LPN, learning impossibility based on cryptographic hardness Resources: Slides Shannon: Communication Theory of Secrecy Systems Diffie-Hellman: New Directions in Cryptography Rivest-Shamir-Adleman: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems Goldwasser-Micali: Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information Blum-Micali: How to Generate Cryptographically Strong Sequences of Pseudorandom Bits Goldreich-Goldwasser-Micali: How to Construct Random Functions Blum-Furst-Kearns-Lipton: Cryptographic Primitives Based on Hard Learning Problems Kearns-Valiant: Cryptographic Limitations on Learning Boolean Formulae and Finite Automata Klivans-Sherstov: Cryptographic Hardness for Learning Intersections of Halfspaces Jonathan Shafer (Video): Lecture on Connections between Learning and Cryptography
	Module 2: Watermarking
Lecture 6 (Tue Feb 24)	MIT Closure--Class Canceled
Lecture 7 (Thu Feb 26)	Watermarking: problem definition, digital signatures, classical approaches, watermarking LLM outputs. Resources: Handwritten notes Christ-Gunn-Zamir: Undetectable Watermarks for Language Models Kirchenbauer et al.: A Watermark for Large Language Models Mitchell et al.: DetectGPT: Zero-Shot Machine-Generated Text Detection using Probability Curvature Afchar et al.: A Fourier Explanation of AI-Music Artifacts Odena et al.: Deconvolution and Checkerboard Artifacts GPTZero
Lecture 8 (Tue Mar 3)	Watermarking: pseudorandom codes and robust watermarking; open problems. Resources: Handwritten notes Christ-Gunn: Pseudorandom Error-Correcting Codes Golowich-Moitra: Edit Distance Robust Watermarks via Indexing Pseudorandom Codes Christ-Golowich-Gunn-Moitra-Wichs: Improved Pseudorandom Codes from Permuted Puzzles Gunn-Zhao-Song: An Undetectable Watermark for Generative Image Models
	Module 3: Verification
Lecture 9 (Thu Mar 5)	Guest Lecturer: Adam Kalai Hallucinations and how to mitigate them. Resources: Slides Kalai-Nachum-Vempala-Zhang: Why Language Models Hallucinate
Lecture 10 (Tue Mar 10)	Verification: crypto tools, interactive proofs, zero knowledge. Resources: Slides
Lecture 11 (Thu Mar 12)	Guest Lecturer: Jonathan Shafer PAC verification: how to verify properties of models? Resources: Slides Mutreja-Shafer: PAC Verification of Statistical Algorithms
Lecture 12 (Tue Mar 17)	Self-proving LLM, modify interactive proofs to the learning setting.
Lecture 13 (Thu Mar 19)	Guest Lecturer: Orr Paradise Self-proving LLM (contd.)
Lecture 14 (Tue Mar 31)	Guest Lecturer: Cameron Freer Lean: a different take on verification.
	Module 4: Robustness and Alignment
Lecture 15 (Thu Apr 2)	Robust statistics (in training).
Lecture 16 (Tue Apr 7)	Backdoors in ML.
Lecture 17 (Thu Apr 9)	Backdoors in ML.
Lecture 18 (Tue Apr 14)	Alignment.
	Module 5: Privacy and Security
Lecture 19 (Thu Apr 16)	Privacy 1: differential privacy, copyright protection.
Lecture 20 (Tue Apr 21)	Privacy 2: machine unlearning.
Lecture 21 (Thu Apr 23)	Privacy 3: model stealing.
Lecture 22 (Tue Apr 28)	Privacy 3: model stealing (continued)
Lecture 23 (Thu Apr 30)	Privacy 4: cryptographic techniques, Homomorphic Encryption, Private Information Retrieval. ML techniques, embeddings.
Lecture 24 (Tue May 5)	Cryptographic techniques, continued. Federated learning.
	Module 6: Special Topics and Projects
Lecture 25 (Thu May 7)	Crypto for ML efficiency.
Lecture 26 (Tue May 12)	Project presentations.