Compendium

Differential Privacy & Privacy Tech — DP, Federated Learning, ZK, Homomorphic, TEEs

16 min read

Differential Privacy & Privacy Tech

“Privacy technology” is now a catalog of distinct mathematical and engineering tools. The five most important pillars by 2026:

  1. Differential Privacy (DP) — provable bounds on what an output reveals about any one input record.
  2. Federated Learning (FL) — training without centralizing raw data.
  3. Secure Multi-Party Computation (MPC) — joint computation across mutually distrustful parties.
  4. Homomorphic Encryption (HE) — computation on encrypted data.
  5. Zero-Knowledge Proofs (ZKP) — proving statements without revealing witnesses.

Plus the deployment substrate that makes much of it tractable in production: Trusted Execution Environments (TEEs). Each pillar has its own theoretical foundation, its own production-ready libraries, its own scaled deployments (Apple Private Cloud Compute, the 2020 US Census, Zcash, Worldcoin, AWS Nitro Enclaves), and its own compliance role under GDPR/CCPA/PIPL/DPDP.

This note is the cross-cutting reference.

1. Differential Privacy

1.1 Definition

Cynthia Dwork, Frank McSherry, Kobbi Nissim, Adam Smith, “Calibrating Noise to Sensitivity in Private Data Analysis” TCC 2006.

A randomized algorithm M satisfies (ε, δ)-differential privacy if for all neighboring datasets D and D’ (differing in one record) and all S ⊆ Range(M):

Pure ε-DP is the special case δ = 0. Approximate (ε, δ)-DP allows a small failure probability δ (typically chosen ≪ 1 / |D|, e.g. 10⁻⁶ to 10⁻⁹).

Intuition: any inference an adversary can make from M(D) about a particular record is, to within a factor of e^ε, the same as without that record present at all. ε is the privacy loss budget; smaller means stronger privacy, more noise, less utility.

1.2 Mechanisms

  • Laplace mechanism (Dwork-McSherry-Nissim-Smith 2006) — for numeric queries with L1-sensitivity Δf, output f(D) + Lap(Δf / ε). Pure ε-DP.
  • Gaussian mechanism — for L2-sensitivity Δ₂f, output f(D) + N(0, σ²) where σ ≥ Δ₂f · √(2 ln(1.25 / δ)) / ε achieves (ε, δ)-DP. Composes nicely; preferred in ML.
  • Exponential mechanism (McSherry-Talwar, FOCS 2007) — for non-numeric outputs; samples r with probability ∝ exp(ε · u(D, r) / (2Δu)).
  • Randomized response (Stanley Warner, JASA 1965) — the original local-DP mechanism: a respondent flips a coin and either tells the truth or gives a fixed answer; the analyst inverts the bias.

1.3 Composition

  • Basic composition — k mechanisms each ε-DP compose to kε-DP.
  • Advanced composition (Dwork-Rothblum-Vadhan, FOCS 2010) — under (ε, δ)-DP, k-fold composition is roughly (√(2k ln(1/δ′)) · ε, kδ + δ′)-DP. The √k savings is essential for ML training over many SGD steps.
  • Rényi DP (RDP) — Ilya Mironov, “Rényi Differential Privacy” CSF 2017. RDP at order α; tight composition via simple addition of RDP budgets; converts back to (ε, δ)-DP.
  • Zero-concentrated DP (zCDP) — Bun-Steinke 2016.
  • Gaussian DP (f-DP) — Dong-Roth-Su, JRSS B 2019. Refines composition for Gaussian-like mechanisms; cleanest analytic framework for DP-SGD.

1.4 Trust models

  • Central DP — a trusted curator collects raw data and releases DP outputs. Best utility; relies on the curator.
  • Local DP (LDP) — noise added at the user’s device; the server sees only randomized responses. No trust required, but utility is much weaker.
  • Shuffle model (Bittau et al. 2017, Cheu et al. 2019) — LDP responses anonymously shuffled before reaching the analyst. Middle ground.

1.5 Deployments

  • Apple (since iOS 10, 2016) — LDP for emoji and word-suggestion frequencies, Safari crash reports, Health analytics. Engineering described in “Learning with Privacy at Scale” (Apple Differential Privacy Team, ML Journal 2017).
  • Google RAPPOR — Erlingsson-Pihur-Korolova, CCS 2014. LDP for Chrome telemetry; one of the first large-scale LDP deployments.
  • Microsoft Windows Telemetry — LDP, Ding-Kulkarni-Yekhanin 2017.
  • Mozilla Firefox Origin Telemetry — Prio-style aggregation (with cryptographic VDAF later).
  • Meta Movement Range during COVID-19 — DP aggregates of mobility.
  • LinkedIn Salary Insights, Uber data publishing.
  • US Census 2020 — TopDown algorithm (Abowd et al.) under the 2020 Disclosure Avoidance System; ε ≈ 19.61 at Block Group level; significant controversy over impact on small-area statistics, redistricting, and racial demographic counts. The 2020 Census was the first major government statistical product to use formal DP.
  • IRS, NIH — Tumult Analytics deployments (commercial wrapper around OpenDP).

1.6 DP-SGD

Abadi-Chu-Goodfellow-McMahan-Mironov-Talwar-Zhang, “Deep Learning with Differential Privacy” CCS 2016. Two changes to ordinary SGD:

  1. Per-example gradient clipping to norm C.
  2. Add Gaussian noise N(0, σ²C²I) to the summed clipped gradients before the update.

Privacy accounting via the moments accountant (or modern RDP / GDP analyses) gives tight (ε, δ) bounds across all training steps. This is the foundation of practically every DP ML system.

Frameworks:

  • Opacus — PyTorch (Yousefpour et al., Meta 2020).
  • TensorFlow Privacy — Google.
  • JAX Privacy — Google DeepMind.
  • diffprivlib — IBM Research.

DP fine-tuning of LLMs — Yu, Naik, Backurs, Gopi, et al. (Microsoft Research) 2021-2023. Showed that pre-trained LLMs can be fine-tuned with reasonable utility at ε ~ 1-8, with measurable reduction in memorization of fine-tuning data.

1.7 DP analytics and synthetic data

  • PINQ — Frank McSherry SIGMOD 2009. LINQ-like DP query interface.
  • Tumult Analytics — Tumult Labs (Damien Desfontaines et al.). Commercial production-grade DP for SQL/Pandas; used by US IRS and Census follow-on releases.
  • OpenDP — Harvard + Microsoft launched 2020. Open-source DP library and tooling stack (opendp-rs, smartnoise-sdk).
  • Google DP Library — open-source C++/Go/Java DP primitives.
  • Synthetic data vendors — MOSTLY AI (Austria), Hazy (UK), Gretel.AI, MDClone, Tonic.ai (test data), Replica Analytics (acquired by Aetion 2021), Syntegra, Statice (acquired by Anonos). Most combine DP-trained generative models (GANs, VAE, marginals, autoregressive) with utility-preserving sampling.

2. Federated Learning

2.1 Concept and core algorithms

Decentralized training: data stays on devices or in silos; only model updates (or aggregated updates) cross the boundary. Brendan McMahan et al., “Communication-Efficient Learning of Deep Networks from Decentralized Data” AISTATS 2017, introduced FedAvg — clients run multiple local SGD steps, server averages weights.

Variants:

  • FedProx (Li et al. 2020) — adds proximal term for heterogeneity.
  • FedAdam, FedAdagrad, FedYogi (Reddi et al. 2021) — adaptive server optimizers.
  • FedNova (Wang et al. 2020) — normalized averaging.
  • q-FedAvg — fairness across clients.
  • Scaffold (Karimireddy et al. 2020) — variance reduction.

2.2 Deployments

  • Google Gboard — federated learning of next-word prediction since 2017 (the canonical deployment).
  • Apple Private Federated Learning — voice recognition, QuickType, Siri.
  • NVIDIA Clara FL → NVIDIA FLARE — healthcare; partners include Mass General Brigham, King’s College London.
  • WeBank FATE — Chinese federated learning consortium.
  • MELLODDY — pharma consortium (Janssen, Novartis, Boehringer Ingelheim, …).
  • Owkin — federated learning for medical research; raised significant series A/B/C and partners with hospitals globally.

2.3 Frameworks

  • Flower — open, framework-agnostic (Beutel et al.).
  • TensorFlow Federated (TFF) — Google.
  • PySyft — OpenMined.
  • FATE — WeBank.
  • FedML — University of Southern California spin-out.
  • NVIDIA FLARE.
  • OpenFL — Intel.

2.4 FL composition with DP and MPC

FL alone is not strong privacy — model updates can leak training data (membership inference, gradient inversion, e.g. Geiping et al. 2020 “Inverting Gradients”). Production FL is layered:

  • DP at the client (local-DP gradient noise) or server (sample-level DP via DP-FedAvg).
  • Secure Aggregation — Bonawitz et al. CCS 2017. Cryptographic protocol where the server learns only the sum of client updates, not individual contributions. Now backed by Prio / VDAF for IETF standardization.
  • TEE-backed aggregation — Apple Private Cloud Compute is essentially this; aggregator runs in TEE.

2.5 Vertical vs horizontal FL

  • Horizontal FL — clients hold the same features for different entities (Gboard: same vocabulary, different users). The common case.
  • Vertical FL — clients hold different features for the same entities (a bank and a telco sharing entity-aligned features). Typically requires PSI plus MPC.

3. Secure Multi-Party Computation

3.1 Foundations

  • Yao’s millionaire problem (Yao 1982). Two-party computation feasibility.
  • Garbled circuits (Yao 1986). Two-party constant-round secure function evaluation; circuit garbler + evaluator.
  • GMW (Goldreich-Micali-Wigderson, STOC 1987). Multi-party with secret sharing; oblivious-transfer-based.
  • BGW / CCD (Ben-Or-Goldwasser-Wigderson, Chaum-Crépeau-Damgård, 1988). Information-theoretic with honest majority.
  • Shamir secret sharing (1979) — (t, n) threshold sharing using polynomial interpolation.
  • SPDZ family (Damgård-Pastro-Smart-Zakarias, CRYPTO 2012). Preprocessing model with authenticated additive shares; the dominant practical MPC framework for malicious security.

3.2 Implementations

  • MP-SPDZ (Marcel Keller) — most comprehensive MPC framework; supports 30+ protocols.
  • EzPC, CrypTFlow — Microsoft Research; ML-oriented MPC.
  • CrypTen — Meta/Facebook; PyTorch-style MPC.
  • TF-Encrypted — Cape Privacy origins (now Cape part of CipherMode/Capeprivacy.com).
  • Sharemind — Cybernetica (Estonia); used in real-world statistical analyses (e.g., Estonian tax data).
  • JIFF — Boston University.
  • Galois MPC, ABY, ABY3 — academic milestones (Demmler-Schneider-Zohner; Mohassel-Rindal).

3.3 Production use cases

  • Private set intersection (PSI) — joint computation of intersection without revealing non-intersecting elements. Production at Google (Password Checkup), Apple (iCloud Private Relay leak detection), Meta and Google’s ad measurement collaborations.
  • Joint advertising measurement — Google’s topics and Privacy Sandbox; Meta-Google cross-platform measurement experiments via MPC.
  • Healthcare — patient matching across institutions without revealing identities (PSI variants); MELLODDY drug discovery (combined MPC + FL).
  • Financial — anti-money-laundering screening across banks; Estonia’s e-government MPC analytics.

4. Homomorphic Encryption

4.1 Foundations

  • Partially HE — RSA (multiplicatively, 1977), ElGamal (multiplicative, 1985), Paillier (additive, 1999).
  • Somewhat HE — both additions and multiplications, but bounded depth.
  • Fully HE (FHE) — Craig Gentry’s PhD thesis, STOC 2009. “Fully Homomorphic Encryption Using Ideal Lattices”. Introduced bootstrapping — refreshing ciphertext noise via homomorphic evaluation of the decryption circuit — enabling unbounded depth.

4.2 Modern schemes

  • BFV / BGV — Brakerski-Fan-Vercauteren / Brakerski-Gentry-Vaikuntanathan. Integer plaintext arithmetic; widely used in privacy-preserving SQL and statistics.
  • CKKS — Cheon-Kim-Kim-Song, ASIACRYPT 2017. Approximate floating-point arithmetic; preferred for ML inference.
  • TFHE — Chillotti-Gama-Georgieva-Izabachène, ASIACRYPT 2016/17. Very fast bootstrapping (~10-100 ms) for binary gates; the basis of Zama’s tfhe-rs.
  • FHEW — Ducas-Micciancio 2015. Predecessor of TFHE.

4.3 Libraries

  • Microsoft SEAL — C++, supports BFV/BGV/CKKS.
  • OpenFHE — successor to PALISADE; community-driven; broad scheme support.
  • HElib — IBM Research (Halevi-Shoup); BGV with focus on bootstrapping efficiency.
  • Lattigo — Tune Insight (Switzerland), Go; CKKS focus.
  • tfhe-rs — Zama (France), Rust, Apache 2.0; TFHE-based; integrates with Concrete framework. Zama raised major funding rounds in 2023-2024 around private smart contracts and private ML.
  • Concrete / Concrete-ML — Zama; higher-level Python interfaces over tfhe-rs.
  • HEAAN — original CKKS reference implementation (Seoul National).

4.4 Deployments and performance

FHE remains slow — typical slowdown vs plaintext is 10²-10⁵×. CKKS multiplication is on the order of ms-sec for production ciphertext sizes; bootstrapping ~100-500 ms in TFHE, ~seconds in CKKS.

  • Microsoft Edge password monitor uses HE-style protocols for credential leak checks.
  • Azure Confidential Inferencing (combination of HE + TEE).
  • CipherTrust (Thales) HE products.
  • Niobium Microsystems, Cornami, Optalysys — FHE accelerator startups.
  • Intel HEXL — AVX-512 acceleration for NTT/FFT in HE workloads.
  • IBM C4-Pipe — research FHE accelerator.
  • DARPA DPRIVE program — FHE hardware acceleration.

5. Zero-Knowledge Proofs

5.1 Definitions

Goldwasser-Micali-Rackoff, “The Knowledge Complexity of Interactive Proof Systems” STOC 1985. A prover convinces a verifier that some statement is true (e.g., “I know a witness w such that R(x, w) holds”) without revealing the witness. Properties: completeness, soundness, zero-knowledge.

Goldwasser, Micali, and Rivest’s work also underlies the 2012 Turing Award (Goldwasser and Micali).

5.2 SNARKs

Succinct Non-interactive ARguments of Knowledge. Proofs are short (constant size or polylog), verification fast.

  • Groth16 (Jens Groth, EUROCRYPT 2016). Pairing-based; 3-element proofs (~200 bytes); circuit-specific trusted setup. The original deployed SNARK (Zcash Sapling, 2018).
  • PLONK (Gabizon-Williamson-Ciobotaru, 2019). Universal/updatable trusted setup; permutation argument over Lagrange basis.
  • Marlin (Chiesa et al. 2020). Universal setup variant.
  • Halo / Halo2 (Sean Bowe et al., Electric Coin Co 2020). Recursive composition without trusted setup; basis of Zcash Orchard (2022).
  • Plonky2 / Plonky3 (Polygon Zero, 2022 / 2024). FRI-based; no trusted setup; very fast prover.

5.3 STARKs

Scalable Transparent ARguments of Knowledge — Ben-Sasson-Bentov-Horesh-Riabzev, ePrint 2018. Quantum-resistant, no trusted setup, larger proofs (~100 KB) but fast verification. StarkWare (Israel) commercialized; powers StarkEx and Starknet.

5.4 Bulletproofs

Bünz-Bootle-Boneh-Poelstra-Wuille-Maxwell, IEEE S&P 2018. Range proofs in O(log n) size, no trusted setup. Used in Monero since 2018.

5.5 Deployments

  • Zcash — first major SNARK deployment; Sprout (2016) → Sapling (2018, Groth16) → Orchard (2022, Halo2).
  • Polygon zkEVM, zkSync Era (Matter Labs), Scroll, Linea (Consensys), Starknet (StarkWare), Taiko — Ethereum L2 ZK rollups.
  • Aztec / Aztec Connect — private transactions on Ethereum.
  • Mina Protocol — recursive SNARKs producing a constant-size blockchain (~22 KB regardless of history).
  • Worldcoin — uses ZK proofs (Semaphore protocol) to prove unique-human iris-hash membership without revealing the iris itself.
  • Polygon ID, Anon Aadhaar, zkPassport — identity systems.
  • TLSNotary, DECO, zkTLS — proving TLS-session contents without revealing them.
  • Risc Zero, SP1 (Succinct Labs), Nexus zkVM, Jolt, LurkzkVMs that prove arbitrary Rust/C/C++ programs. Major 2023-2025 trend.

5.6 Tooling

  • Circom + snarkjs — iden3; Circom 2; the most common circuit DSL.
  • Halo2 — Rust; ZCash + community.
  • Plonky2 / Plonky3 — Polygon Zero open source.
  • Cairo — StarkWare’s STARK-native language.
  • ZoKrates — ETH Zürich; SNARK toolkit.
  • Noir — Aztec; higher-level proving DSL.
  • arkworks — Rust ecosystem of pairing-friendly curves and proving systems.

6. Trusted Execution Environments

A TEE is a hardware-isolated execution context — memory encrypted, integrity-checked, attestable remotely. Privacy systems use TEEs as the production-feasible substitute when MPC/FHE are too slow.

6.1 Intel SGX

Software Guard Extensions, introduced in Skylake (2015). User-space enclaves with up to 96 MB (later 1 TB+ on Ice Lake server) of encrypted EPC memory. Remote attestation via Intel Attestation Service or DCAP.

SGX was deprecated in 11th/12th-gen consumer Intel CPUs (2021), still available on Xeon Scalable, Ice Lake, Sapphire Rapids server. Side-channel history:

  • Foreshadow / L1TF (2018) — extract enclave keys via L1 terminal fault.
  • ZombieLoad (2019) — MDS-class data sampling.
  • Plundervolt (2019-2020) — undervolt to corrupt enclave computation.
  • SgxPectre (2018) — Spectre against enclaves.
  • Æpic Leak (2022) — uninitialized data leak via APIC registers.
  • AEPIC, BronzeSync, SmashEx, etc.

6.2 Intel TDX

Trust Domain Extensions; available in 4th-gen Xeon (Sapphire Rapids, 2023) and beyond. VM-level confidential compute — the entire guest VM runs encrypted; far easier programming model than SGX enclaves.

6.3 AMD SEV / SEV-ES / SEV-SNP

Secure Encrypted Virtualization, since EPYC Naples (2017). SEV-SNP (Secure Nested Paging) since Milan (2021) adds integrity. The dominant confidential-VM platform on AMD-based clouds.

6.4 Cloud confidential computing

  • AWS Nitro Enclaves — since 2020. Isolated VMs on Nitro hypervisor; attested via Nitro KMS integration. Not encrypted in DRAM, but isolated.
  • Azure Confidential Computing — DCsv2/DCsv3 (SGX), DCasv5/DCadsv5 (SEV-SNP), DCesv5/DCadsv5 (TDX).
  • Google Cloud Confidential VMs — SEV (Compute Optimized N2D), SEV-SNP (C3D), TDX (preview).
  • OCI Confidential Computing — SEV-SNP based.

6.5 Mobile and edge TEEs

  • ARM TrustZone — secure-world / normal-world split since ARMv6; ubiquitous in mobile SoCs.
  • Apple Secure Enclave Processor (SEP) — dedicated coprocessor (A7 onward); manages Touch ID, Face ID, keychain, FileVault, hardware key store.
  • Apple Private Cloud Compute (PCC) — announced WWDC 2024. Apple-designed servers running attested confidential compute for Apple Intelligence LLM requests that exceed on-device capacity. PCC nodes are auditable: image build artifacts are published, and client requests verify attestation before sending personal context.
  • Google Titan / Pixel Tensor security cores.
  • RISC-V Keystone — open-source TEE framework for RISC-V.
  • OP-TEE — open TEE for ARM TrustZone.

6.6 Production use cases

  • Confidential databases — Microsoft SQL Server Always Encrypted with secure enclaves, Azure SQL DB, Anjuna Security, EdgelessDB + Constellation Kubernetes (Edgeless Systems), Fortanix.
  • Private ML inference — Tinfoil ML (acquired by Apple 2024), Edgeless, Hopper Confidential GPUs (H100 has confidential compute mode), NVIDIA Blackwell confidential GPUs.
  • Healthcare data clean rooms — Decentriq, Snowflake clean rooms.
  • Financial cross-org analytics — Anjuna, Fortanix multi-cloud HSM + confidential compute.
  • Crypto MPC custody / wallets — Fireblocks, Coinbase Custody (TEE-backed signing).

7. Compliance and regulation

Privacy tech does not exist in a vacuum — the regulatory frame shapes which controls are required.

  • GDPR — General Data Protection Regulation (EU 2018). Principles: lawfulness, fairness, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability. Six lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. Rights: access, rectification, erasure (“right to be forgotten”), restriction, portability, objection, automated decision-making. Fines: up to €20M or 4% global annual turnover, whichever higher. DPIA (Data Protection Impact Assessment) required for high-risk processing. See data-privacy-regulation.
  • CCPA / CPRA — California Consumer Privacy Act / Privacy Rights Act. CCPA effective Jan 2020; CPRA expansion effective Jan 2023; new California Privacy Protection Agency (CPPA) as enforcer.
  • State laws — Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon, Florida, Tennessee, Iowa, Indiana, Montana, Delaware, New Jersey, Washington (My Health My Data) — substantially overlapping but distinct.
  • LGPD — Brazil 2020, similar to GDPR.
  • PIPL — China 2021. Strong data-localization, cross-border transfer requirements, and security assessments for “important data.”
  • DPDP Act — India 2023. Notice and consent based.
  • UK DPA 2018 + UK GDPR. Post-Brexit divergence under review.
  • Adequacy decisions — EU recognizing Switzerland, UK, Japan, South Korea, etc. as having “adequate” protection for transfer.
  • SCCs (Standard Contractual Clauses) — post Schrems II (CJEU 2020) which invalidated Privacy Shield; new modular SCCs adopted June 2021.
  • EU-US Data Privacy Framework — July 2023, succeeded Privacy Shield. Schrems already challenging in CJEU.
  • Sectoral US laws — HIPAA (health), GLBA (financial), FERPA (education), COPPA (children).

8. PETs (privacy-enhancing technologies) vendor landscape

  • Tumult Labs — DP for analytics; clients include IRS, US Census follow-ons.
  • OpenDP — Harvard + Microsoft consortium.
  • Mostly AI, Hazy, Gretel, MDClone, Tonic.ai, Replica Analytics, Syntegra — synthetic data.
  • Duality Technologies — HE + MPC for regulated industries (financial, pharma).
  • Inpher — secret-sharing-based MPC; analytics.
  • Cape Privacy (now Capeprivacy.com) — secure ML.
  • Zama — open-source FHE (tfhe-rs, Concrete); private smart contracts.
  • Anjuna Security — confidential compute.
  • Fortanix — confidential computing + multi-cloud HSM + DSM.
  • Edgeless Systems — Constellation Kubernetes, EdgelessDB, Marblerun service mesh.
  • Decentriq — confidential clean rooms for advertising, healthcare.
  • Privitar (acquired Informatica 2023) — de-identification + DP.
  • DataFleets (acquired LiveRamp 2021) — federated.
  • OpenMined — open-source PETs community (PySyft, PyGrid).
  • Worldcoin / Tools for Humanity — ZK-identity at scale.
  • Trail of Bits, NCC Group, Cure53, Galois — privacy and crypto audits.

9. Open research frontiers

  • DP for foundation models — DP pretraining (DP-Adam at LLM scale, Anil-Ghazi et al. 2022); DP fine-tuning with LoRA/adapters; memorization auditing.
  • Auditing real-world DP claims — empirical lower bounds via membership-inference attacks (Jagielski-Ullman-Oprea 2020; Steinke-Nasr-Jagielski 2023 “Privacy Auditing with One Run”).
  • Cryptographic ML inference at scale — combining MPC + HE + TEEs to make LLM-class inference private at acceptable latency.
  • ZKML — Zero-Knowledge ML — proving model inferences (Modulus Labs, EZKL, Giza Tech).
  • Fully composable PETs stacks — Tinfoil, Anthropic / Apple Private Cloud Compute architecture pattern (TEE + remote attestation + transparency logs).
  • Quantum-resistant ZKPs — STARKs and FRI-based SNARKs already are; preparing for post-quantum migration.

10. Where to learn

  • Dwork-Roth, The Algorithmic Foundations of Differential Privacy, Foundations and Trends 2014. Free PDF.
  • Vadhan, The Complexity of Differential Privacy, 2017.
  • Boneh-Shoup, A Graduate Course in Applied Cryptography. Free book; covers MPC, HE, ZKP foundations.
  • Goldreich, Foundations of Cryptography (two volumes).
  • Evans-Kolesnikov-Rosulek, A Pragmatic Introduction to Secure Multi-Party Computation, 2018. Free monograph.
  • The Zama Bootcamp, NSA’s GenSchool, MIT 6.5610.

Key conferences: TCC, CRYPTO, EUROCRYPT, ASIACRYPT, CCS, S&P, USENIX Security, NDSS, PETS (Privacy Enhancing Technologies Symposium), PoPETs.

Adjacent

Graph View