Part 1. Primitives: The ingredients of cryptography
1.1 Cryptography is about securing protocols
1.2 Symmetric cryptography: What is symmetric encryption?
1.3 Kerckhoff’s principle: Only the key is kept secret
1.4 Asymmetric cryptography: Two keys are better than one
Key exchanges or how to get a shared secret
Asymmetric encryption, not like the symmetric one
Digital signatures, just like your pen-and-paper signatures
1.5 Classifying and abstracting cryptography
1.6 Theoretical cryptography vs. real-world cryptography
1.7 From theoretical to practical: Choose your own adventure
2.2 Security properties of a hash function
2.3 Security considerations for hash functions
2.4 Hash functions in practice
2.5 Standardized hash functions
SHAKE and cSHAKE: Two extendable output functions (XOF)
Avoid ambiguous hashing with TupleHash
3 Message authentication codes
3.1 Stateless cookies, a motivating example for MACs
3.3 Security properties of a MAC
Verifying authentication tags in constant time
3.5 Message authentication codes (MACs) in practice
3.6 SHA-2 and length-extension attacks
4.1 What’s a cipher?
4.2 The Advanced Encryption Standard (AES) block cipher
How much security does AES provide?
4.3 The encrypted penguin and the CBC mode of operation
4.4 A lack of authenticity, hence AES-CBC-HMAC
4.5 All-in-one constructions: Authenticated encryption
What’s authenticated encryption with associated data (AEAD)?
4.6 Other kinds of symmetric encryption
Nonce misuse-resistant authenticated encryption
5.2 The Diffie-Hellman (DH) key exchange
The discrete logarithm problem: The basis of Diffie-Hellman
5.3 The Elliptic Curve Diffie-Hellman (ECDH) key exchange
How does the Elliptic Curve Diffie-Hellman (ECDH) key exchange work?
The standards for Elliptic Curve Diffie-Hellman
5.4 Small subgroup attacks and other security considerations
6 Asymmetric encryption and hybrid encryption
6.1 What is asymmetric encryption?
6.2 Asymmetric encryption in practice and hybrid encryption
Key exchanges and key encapsulation
6.3 Asymmetric encryption with RSA: The bad and the less bad
Asymmetric encryption with RSA-OAEP
6.4 Hybrid encryption with ECIES
7 Signatures and zero-knowledge proofs
How to sign and verify signatures in practice
A prime use case for signatures: Authenticated key exchanges
A real-world usage: Public key infrastructures
7.2 Zero-knowledge proofs (ZKPs): The origin of signatures
Schnorr identification protocol: An interactive zero-knowledge proof
Signatures as non-interactive zero-knowledge proofs
7.3 The signature algorithms you should use (or not)
RSA PKCS#1 v1.5: A bad standard
The Elliptic Curve Digital Signature Algorithm (ECDSA)
The Edwards-curve Digital Signature Algorithm (EdDSA)
7.4 Subtle behaviors of signature schemes
Substitution attacks on signatures
8.2 Slow randomness? Use a pseudorandom number generator (PRNG)
8.3 Obtaining randomness in practice
8.4 Randomness generation and security considerations
8.8 Decentralize trust with threshold cryptography
Part 2. Protocols: The recipes of cryptography
9.1 The SSL and TLS secure transport protocols
9.2 How does the TLS protocol work?
How TLS 1.3 encrypts application data
9.3 The state of the encrypted web today
9.4 Other secure transport protocols
9.5 The Noise protocol framework: A modern alternative to TLS
10.1 Why end-to-end encryption?
10.2 A root of trust nowhere to be found
10.3 The failure of encrypted email
PGP or GPG? And how does it work?
Scaling trust between users with the web of trust
10.4 Secure messaging: A modern look at end-to-end encryption with Signal
More user-friendly than the WOT: Trust but verify
X3DH: the Signal protocol’s handshake
Double Ratchet: Signal’s post-handshake protocol
10.5 The state of end-to-end encryption
11.1 A recap of authentication
11.2 User authentication, or the quest to get rid of passwords
One password to rule them all: Single sign-on (SSO) and password managers
Don’t want to see their passwords? Use an asymmetric password-authenticated key exchange
One-time passwords aren’t really passwords: Going passwordless with symmetric keys
Replacing passwords with asymmetric keys
11.3 User-aided authentication: Pairing devices using some human help
Symmetric password-authenticated key exchanges with CPace
Was my key exchange MITM’d? Just check a short authenticated string (SAS)
12 Crypto as in cryptocurrency?
12.1 A gentle introduction to Byzantine fault-tolerant (BFT) consensus algorithms
A problem of resilience: Distributed protocols to the rescue
A problem of trust? Decentralization helps
A problem of scale: Permissionless and censorship-resistant networks
How Bitcoin handles user balances and transactions
Mining BTCs in the digital age of gold
Forking hell! Solving conflicts in mining
Reducing a block’s size by using Merkle trees
12.3 A tour of cryptocurrencies
12.4 DiemBFT: A Byzantine fault-tolerant (BFT) consensus protocol
Safety and liveness: The two properties of a BFT consensus protocol
A round in the DiemBFT protocol
How much dishonesty can the protocol tolerate?
When are transactions considered finalized?
The intuitions behind the safety of DiemBFT
13.1 Modern cryptography attacker model
13.2 Untrusted environments: Hardware to the rescue
White box cryptography, a bad idea
They’re in your wallet: Smart cards and secure elements
Banks love them: Hardware security modules (HSMs)
Trusted Platform Modules (TPMs): A useful standardization of secure elements
Confidential computing with a trusted execution environment (TEE)
13.3 What solution is good for me?
13.4 Leakage-resilient cryptography or how to mitigate side-channel attacks in software
Don’t use the secret! Masking and blinding
14.1 What are quantum computers and why are they scaring cryptographers?
Quantum mechanics, the study of the small
From the birth of quantum computers to quantum supremacy
The impact of Grover and Shor’s algorithms on cryptography
Post-quantum cryptography, the defense against quantum computers
14.2 Hash-based signatures: Don’t need anything but a hash function
One-time signatures (OTS) with Lamport signatures
Smaller keys with Winternitz one-time signatures (WOTS)
Many-times signatures with XMSS and SPHINCS+
14.3 Shorter keys and signatures with lattice-based cryptography
Learning with errors (LWE), a basis for cryptography?
Kyber, a lattice-based key exchange
Dilithium, a lattice-based signature scheme
14.4 Do I need to panic?
15 Is this it? Next-generation cryptography
15.1 The more the merrier: Secure multi-party computation (MPC)
Private set intersection (PSI)
15.2 Fully homomorphic encryption (FHE) and the promises of an encrypted cloud
An example of homomorphic encryption with RSA encryption
The different types of homomorphic encryption
Bootstrapping, the key to fully homomorphic encryption
An FHE scheme based on the learning with errors problem
15.3 General-purpose zero-knowledge proofs (ZKPs)
Homomorphic commitments to hide parts of the proof
Bilinear pairings to improve our homomorphic commitments
Where does the succinctness come from?
Programs are for computers; we need arithmetic circuits instead
An arithmetic circuit to a rank-1 constraint system (R1CS)
It takes two to evaluate a polynomial hiding in the exponent
16 When and where cryptography fails
16.1 Finding the right cryptographic primitive or protocol is a boring job
16.2 How do I use a cryptographic primitive or protocol? Polite standards and formal verification
16.3 Where are the good libraries?
16.4 Misusing cryptography: Developers are the enemy
16.5 You’re doing it wrong: Usable security
16.6 Cryptography is not an island
16.7 Your responsibilities as a cryptography practitioner, don’t roll your own crypto
Appendix. Answers to exercises