BRIEF CONTENTS

Foreword by Matthew D. Green Preface

Abbreviations

Chapter 1: Encryption Chapter 2: Randomness

Chapter 3: Cryptographic Security Chapter 4: Block Ciphers

Chapter 5: Stream Ciphers Chapter 6: Hash Functions Chapter 7: Keyed Hashing

Chapter 8: Authenticated Encryption Chapter 9: Hard Problems

Chapter 10: RSA

Chapter 11: Diffie–Hellman Chapter 12: Elliptic Curves Chapter 13: TLS

Chapter 14: Quantum and Post-Quantum Index

CONTENTS IN DETAIL

FOREWORD by Matthew D. Green PREFACE

This Book’s Approach Who This Book Is For

How This Book Is Organized Fundamentals

Symmetric Crypto Asymmetric Crypto Applications

Acknowledgments

ABBREVIATIONS 1

ENCRYPTION The Basics

Classical Ciphers

The Caesar Cipher The Vigenère Cipher How Ciphers Work

The Permutation

The Mode of Operation

Why Classical Ciphers Are Insecure Perfect Encryption: The One-Time Pad

Encrypting with the One-Time Pad Why Is the One-Time Pad Secure?

Encryption Security Attack Models Security Goals Security Notions

Asymmetric Encryption

When Ciphers Do More Than Encryption Authenticated Encryption

Format-Preserving Encryption Fully Homomorphic Encryption Searchable Encryption

Tweakable Encryption How Things Can Go Wrong

Weak Cipher Wrong Model Further Reading 2

RANDOMNESS

Random or Non-Random?

Randomness as a Probability Distribution Entropy: A Measure of Uncertainty

Random Number Generators (RNGs) and Pseudorandom Number Generators (PRNGs)

How PRNGs Work Security Concerns The PRNG Fortuna

Cryptographic vs. Non-Cryptographic PRNGs The Uselessness of Statistical Tests

Real-World PRNGs

Generating Random Bits in Unix-Based Systems The CryptGenRandom() Function in Windows

A Hardware-Based PRNG: RDRAND in Intel Microprocessors How Things Can Go Wrong

Poor Entropy Sources

Insufficient Entropy at Boot Time Non-cryptographic PRNG

Sampling Bug with Strong Randomness

Further Reading 3

CRYPTOGRAPHIC SECURITY Defining the Impossible

Security in Theory: Informational Security Security in Practice: Computational Security Quantifying Security

Measuring Security in Bits Full Attack Cost

Choosing and Evaluating Security Levels Achieving Security

Provable Security Heuristic Security Generating Keys

Generating Symmetric Keys Generating Asymmetric Keys Protecting Keys

How Things Can Go Wrong Incorrect Security Proof

Short Keys for Legacy Support Further Reading

4

BLOCK CIPHERS What Is a Block Cipher?

Security Goals Block Size

The Codebook Attack How to Construct Block Ciphers

A Block Cipher’s Rounds

The Slide Attack and Round Keys Substitution–Permutation Networks

Feistel Schemes

The Advanced Encryption Standard (AES) AES Internals

AES in Action Implementing AES

Table-Based Implementations Native Instructions

Is AES Secure?

Modes of Operation

The Electronic Codebook (ECB) Mode The Cipher Block Chaining (CBC) Mode How to Encrypt Any Message in CBC Mode The Counter (CTR) Mode

How Things Can Go Wrong

Meet-in-the-Middle Attacks Padding Oracle Attacks Further Reading

5

STREAM CIPHERS How Stream Ciphers Work

Stateful and Counter-Based Stream Ciphers Hardware-Oriented Stream Ciphers

Feedback Shift Registers Grain-128a

A5/1

Software-Oriented Stream Ciphers RC4

Salsa20

How Things Can Go Wrong Nonce Reuse

Broken RC4 Implementation

Weak Ciphers Baked Into Hardware

Further Reading 6

HASH FUNCTIONS Secure Hash Functions

Unpredictability Again Preimage Resistance Collision Resistance Finding Collisions Building Hash Functions

Compression-Based Hash Functions: The Merkle–Damgård Construction

Permutation-Based Hash Functions: Sponge Functions The SHA Family of Hash Functions

SHA-1 SHA-2

The SHA-3 Competition Keccak (SHA-3)

The BLAKE2 Hash Function How Things Can Go Wrong

The Length-Extension Attack

Fooling Proof-of-Storage Protocols Further Reading

7

KEYED HASHING

Message Authentication Codes (MACs) MACs in Secure Communication Forgery and Chosen-Message Attacks Replay Attacks

Pseudorandom Functions (PRFs) PRF Security

Why PRFs Are Stronger Than MACs

Creating Keyed Hashes from Unkeyed Hashes The Secret-Prefix Construction

The Secret-Suffix Construction The HMAC Construction

A Generic Attack Against Hash-Based MACs Creating Keyed Hashes from Block Ciphers: CMAC

Breaking CBC-MAC Fixing CBC-MAC Dedicated MAC Designs

Poly1305 SipHash

How Things Can Go Wrong

Timing Attacks on MAC Verification When Sponges Leak

Further Reading 8

AUTHENTICATED ENCRYPTION Authenticated Encryption Using MACs

Encrypt-and-MAC MAC-then-Encrypt Encrypt-then-MAC Authenticated Ciphers

Authenticated Encryption with Associated Data Avoiding Predictability with Nonces

What Makes a Good Authenticated Cipher?

AES-GCM: The Authenticated Cipher Standard GCM Internals: CTR and GHASH

GCM Security GCM Efficiency

OCB: An Authenticated Cipher Faster than GCM OCB Internals

OCB Security

OCB Efficiency

SIV: The Safest Authenticated Cipher?

Permutation-Based AEAD How Things Can Go Wrong

AES-GCM and Weak Hash Keys AES-GCM and Small Tags

Further Reading 9

HARD PROBLEMS Computational Hardness

Measuring Running Time

Polynomial vs. Superpolynomial Time Complexity Classes

Nondeterministic Polynomial Time NP-Complete Problems

The P vs. NP Problem The Factoring Problem

Factoring Large Numbers in Practice Is Factoring NP-Complete?

The Discrete Logarithm Problem What Is a Group?

The Hard Thing How Things Can Go Wrong

When Factoring Is Easy

Small Hard Problems Aren’t Hard Further Reading

10 RSA

The Math Behind RSA

The RSA Trapdoor Permutation RSA Key Generation and Security

Encrypting with RSA

Breaking Textbook RSA Encryption’s Malleability Strong RSA Encryption: OAEP

Signing with RSA

Breaking Textbook RSA Signatures The PSS Signature Standard

Full Domain Hash Signatures RSA Implementations

Fast Exponentiation Algorithm: Square-and-Multiply Small Exponents for Faster Public-Key Operations The Chinese Remainder Theorem

How Things Can Go Wrong

The Bellcore Attack on RSA-CRT Sharing Private Exponents or Moduli Further Reading

11

DIFFIE–HELLMAN

The Diffie–Hellman Function The Diffie–Hellman Problems

The Computational Diffie–Hellman Problem The Decisional Diffie–Hellman Problem More Diffie–Hellman Problems

Key Agreement Protocols

An Example of Non-DH Key Agreement Attack Models for Key Agreement Protocols Performance

Diffie–Hellman Protocols

Anonymous Diffie–Hellman Authenticated Diffie–Hellman Menezes–Qu–Vanstone (MQV) How Things Can Go Wrong

Not Hashing the Shared Secret

Legacy Diffie–Hellman in TLS Unsafe Group Parameters

Further Reading 12

ELLIPTIC CURVES What Is an Elliptic Curve?

Elliptic Curves over Integers Adding and Multiplying Points Elliptic Curve Groups

The ECDLP Problem

Diffie–Hellman Key Agreement over Elliptic Curves Signing with Elliptic Curves

Encrypting with Elliptic Curves Choosing a Curve

NIST Curves Curve25519 Other Curves

How Things Can Go Wrong

ECDSA with Bad Randomness

Breaking ECDH Using Another Curve Further Reading

13 TLS

Target Applications and Requirements The TLS Protocol Suite

The TLS and SSL Family of Protocols: A Brief History TLS in a Nutshell

Certificates and Certificate Authorities The Record Protocol

The TLS Handshake Protocol TLS 1.3 Cryptographic Algorithms

TLS 1.3 Improvements over TLS 1.2 Downgrade Protection

Single Round-Trip Handshake Session Resumption

The Strengths of TLS Security Authentication

Forward Secrecy

How Things Can Go Wrong

Compromised Certificate Authority Compromised Server

Compromised Client Bugs in Implementations Further Reading

14

QUANTUM AND POST-QUANTUM How Quantum Computers Work

Quantum Bits Quantum Gates Quantum Speed-Up

Exponential Speed-Up and Simon’s Problem The Threat of Shor’s Algorithm

Shor’s Algorithm Solves the Factoring Problem

Shor’s Algorithm and the Discrete Logarithm Problem Grover’s Algorithm

Why Is It So Hard to Build a Quantum Computer?

Post-Quantum Cryptographic Algorithms Code-Based Cryptography

Lattice-Based Cryptography Multivariate Cryptography Hash-Based Cryptography How Things Can Go Wrong

Unclear Security Level

Fast Forward: What Happens if It’s Too Late?

Implementation Issues Further Reading

INDEX