Preface | xv
Acknowledgments | xx
About this book | xxi
About the author | xxvi
About the cover illustration | xxvii

Part 1 Primitives: The ingredients of cryptography | 1

1.1 Cryptography is about securing protocols | 4
1.2 Symmetric cryptography: What is symmetric encryption? | 5
1.3 Kerckhoffs' principle: Only the key is kept secret | 7
1.4 Asymmetric cryptography: Two keys are better than one | 10
    Key exchanges or how to get a shared secret | 10
    Asymmetric encryption, not like the symmetric one | 13
    Digital signatures, just like your pen-and-paper signatures | 15
1.5 Classifying and abstracting cryptography | 17
1.6 Theoretical cryptography vs. real-world cryptography | 18
1.7 From theoretical to practical: Choose your own adventure | 19

2.1 What is a hash function? | 25
2.2 Security properties of a hash function | 28
2.3 Security considerations for hash functions | 30
2.4 Hash functions in practice | 31
2.5 Standardized hash functions | 34
    SHAKE and cSHAKE: Two extendable output functions (XOF) | 42
    Avoid ambiguous hashing with TupleHash | 43

3 Message authentication codes | 48
3.1 Stateless cookies, a motivating example for MACs | 48
3.3 Security properties of a MAC | 52
    Forgery of authentication tag | 53
    Lengths of authentication tag | 53
    Verifying authentication tags in constant time | 55
3.4 MAC in the real world | 57
3.5 Message authentication codes (MACs) in practice | 58
    KMAC, a MAC based on cSHAKE | 59
3.6 SHA-2 and length-extension attacks | 60

4 Authenticated encryption | 64
4.2 The Advanced Encryption Standard (AES) block cipher | 66
    How much security does AES provide? | 67
4.3 The encrypted penguin and the CBC mode of operation | 70
4.4 A lack of authenticity, hence AES-CBC-HMAC | 73
4.5 All-in-one constructions: Authenticated encryption | 74
    What's authenticated encryption with associated data (AEAD)? | 75
4.6 Other kinds of symmetric encryption | 84
    Nonce misuse-resistant authenticated encryption | 85

5.1 What are key exchanges? | 88
5.2 The Diffie-Hellman (DH) key exchange | 91
    The discrete logarithm problem: The basis of Diffie-Hellman | 95
    The Diffie-Hellman standards | 97
5.3 The Elliptic Curve Diffie-Hellman (ECDH) key exchange | 98
    What's an elliptic curve? | 98
    How does the Elliptic Curve Diffie-Hellman (ECDH) key exchange work? | 102
    The standards for Elliptic Curve Diffie-Hellman | 103
    Small subgroup attacks and other security considerations | 105

6 Asymmetric encryption and hybrid encryption | 109
6.1 What is asymmetric encryption? | 110
6.2 Asymmetric encryption in practice and hybrid encryption | 111
    Key exchanges and key encapsulation | 112
6.3 Asymmetric encryption with RSA: The bad and the less bad | 117
    Why not to use RSA PKCS#1 v1.5 | 121
    Asymmetric encryption with RSA-OAEP | 123
6.4 Hybrid encryption with ECIES | 126

7 Signatures and zero-knowledge proofs | 129
    How to sign and verify signatures in practice | 131
    A prime use case for signatures: Authenticated key exchanges | 132
    A real-world usage: Public key infrastructures | 133
7.2 Zero-knowledge proofs (ZKPs): The origin of signatures | 134
    Schnorr identification protocol: An interactive zero-knowledge proof | 134
    Signatures as non-interactive zero-knowledge proofs | 137
7.3 The signature algorithms you should use (or not) | 138
    RSA PKCS#1 v1.5: A bad standard | 139
    RSA-PSS: A better standard | 142
    The Elliptic Curve Digital Signature Algorithm (ECDSA) | 143
    The Edwards-curve Digital Signature Algorithm (EdDSA) | 145
7.4 Subtle behaviors of signature schemes | 149
    Substitution attacks on signatures | 149

8.2 Slow randomness? Use a pseudorandom number generator (PRNG) | 155
8.3 Obtaining randomness in practice | 158
8.4 Randomness generation and security considerations | 161
8.6 Key derivation with HKDF | 164
8.7 Managing keys and secrets | 168
8.8 Decentralize trust with threshold cryptography | 169

Part 2 Protocols: The recipes

9.1 The SSL and TLS secure transport protocols | 177
9.2 How does the TLS protocol work? | 181
    How TLS 1.3 encrypts application data | 194
9.3 The state of the encrypted web today | 194
9.4 Other secure transport protocols | 197
9.5 The Noise protocol framework: A modern alternative to TLS | 197
    The many handshakes of Noise | 198

10.1 Why end-to-end encryption? | 202
10.2 A root of trust nowhere to be found | 203
10.3 The failure of encrypted email | 205
    PGP or GPG? And how does it work? | 205
    Scaling trust between users with the web of trust | 208
    Key discovery is a real issue | 208
10.4 Secure messaging: A modern look at end-to-end encryption with Signal | 211
    More user-friendly than the WOT: Trust but verify | 212
    X3DH: the Signal protocol's handshake | 215
    Double Ratchet: Signal's post-handshake protocol | 218
10.5 The state of end-to-end encryption | 222

11.1 A recap of authentication | 227
11.2 User authentication, or the quest to get rid of passwords | 228
    One password to rule them all: Single sign-on (SSO) and password managers | 231
    Don't want to see their passwords? Use an asymmetric password-authenticated key exchange | 232
    One-time passwords aren't really passwords: Going passwordless with symmetric keys | 236
    Replacing passwords with asymmetric keys | 239
11.3 User-aided authentication: Pairing devices using some human help | 242
    Symmetric password-authenticated key exchanges with CPace | 245
    Was my key exchange MITM'd? Just check a short authenticated string (SAS) | 246

12 Crypto as in cryptocurrency? | 251
12.1 A gentle introduction to Byzantine fault-tolerant (BFT) consensus algorithms | 252
    A problem of resilience: Distributed protocols to the rescue | 252
    A problem of trust? Decentralization helps | 254
    A problem of scale: Permissionless and censorship-resistant networks | 255
12.2 How does Bitcoin work? | 257
    How Bitcoin handles user balances and transactions | 257
    Mining BTCs in the digital age of gold | 259
    Forking hell! Solving conflicts in mining | 263
    Reducing a block's size by using Merkle trees | 265
12.3 A tour of cryptocurrencies | 267
12.4 DiemBFT: A Byzantine fault-tolerant (BFT) consensus protocol | 269
    Safety and liveness: The two properties of a BFT consensus protocol | 269
    A round in the DiemBFT protocol | 270
    How much dishonesty can the protocol tolerate? | 270
    The DiemBFT rules of voting | 271
    When are transactions considered finalized? | 273
    The intuitions behind the safety of DiemBFT | 273

13.1 Modern cryptography attacker model | 278
13.2 Untrusted environments: Hardware to the rescue | 279
    White box cryptography, a bad idea | 280
    They're in your wallet: Smart cards and secure elements | 281
    Banks love them: Hardware security modules (HSMs) | 283
    Trusted Platform Modules (TPMs): A useful standardization of secure elements | 285
    Confidential computing with a trusted execution environment (TEE) | 288
13.3 What solution is good for me? | 289
13.4 Leakage-resilient cryptography or how to mitigate side-channel attacks in software | 291
    Constant-time programming | 293
    Don't use the secret! Masking and blinding | 294
    What about fault attacks? | 295

14 Post-quantum cryptography | 298
14.1 What are quantum computers and why are they scaring cryptographers? | 299
    Quantum mechanics, the study of the small | 299
    From the birth of quantum computers to quantum supremacy | 302
    The impact of Grover and Shor's algorithms on cryptography | 303
    Post-quantum cryptography, the defense against quantum computers | 304
14.2 Hash-based signatures: Don't need anything but a hash function | 305
    One-time signatures (OTS) with Lamport signatures | 305
    Smaller keys with Winternitz one-time signatures (WOTS) | 307
    Many-times signatures with XMSS and SPHINCS+ | 308
14.3 Shorter keys and signatures with lattice-based cryptography | 311
    Learning with errors (LWE), a basis for cryptography? | 313
    Kyber, a lattice-based key exchange | 314
    Dilithium, a lattice-based signature scheme | 316

15 Is this it? Next-generation cryptography | 321
15.1 The more the merrier: Secure multi-party computation (MPC) | 322
    Private set intersection (PSI) | 323
15.2 Fully homomorphic encryption (FHE) and the promises of an encrypted cloud | 326
    An example of homomorphic encryption with RSA encryption | 327
    The different types of homomorphic encryption | 327
    Bootstrapping, the key to fully homomorphic encryption | 328
    An FHE scheme based on the learning with errors problem | 330
15.3 General-purpose zero-knowledge proofs (ZKPs) | 332
    Homomorphic commitments to hide parts of the proof | 336
    Bilinear pairings to improve our homomorphic commitments | 336
    Where does the succinctness come from? | 337
    From programs to polynomials | 338
    Programs are for computers; we need arithmetic circuits instead | 338
    An arithmetic circuit to a rank-1 constraint system (R1CS) | 339
    From R1CS to a polynomial | 340
    It takes two to evaluate a polynomial hiding in the exponent | 340

16 When and where cryptography fails | 343
16.1 Finding the right cryptographic primitive or protocol is a boring job | 344
16.2 How do I use a cryptographic primitive or protocol? Polite standards and formal verification | 345
16.3 Where are the good libraries? | 348
16.4 Misusing cryptography: Developers are the enemy | 349
16.5 You're doing it wrong: Usable security | 351
16.6 Cryptography is not an island | 352
16.7 Your responsibilities as a cryptography practitioner, don't roll your own crypto | 353

Appendix Answers to exercises | 357
Index | 361