Serious Cryptography

Serious Cryptography

A Practical Introduction to Modern Encryption
by Jean-Philippe Aumasson
November 2017, 312 pp.
ISBN-13: 
978-1-59327-826-7


Download Chapter 4: Block Ciphers

This practical guide to modern encryption breaks down the fundamental mathematical concepts at the heart of cryptography without shying away from meaty discussions of how they work. You’ll learn about authenticated encryption, secure randomness, hash functions, block ciphers, and public-key techniques such as RSA and elliptic curve cryptography.

You'll also learn:

  • Key concepts in cryptography, such as computational security, attacker models, and forward secrecy
  • The strengths and limitations of the TLS protocol behind HTTPS secure websites
  • Quantum computation and post-quantum cryptography
  • About various vulnerabilities by examining numerous code examples and use cases
  • How to choose the best algorithm or protocol and ask vendors the right questions

Each chapter includes a discussion of common implementation mistakes using real-world examples and details what could go wrong and how to avoid these pitfalls.

Whether you’re a seasoned practitioner or a beginner looking to dive into the field, Serious Cryptography will provide a complete survey of modern encryption and its applications.

Author Bio 

Jean-Philippe Aumasson is Principal Research Engineer at Kudelski Security, an international cybersecurity company based in Switzerland. He has authored more than 40 research ­articles in the field of cryptography and cryptanalysis and designed the widely used hash functions BLAKE2 and SipHash. He speaks regularly at information security conferences and has presented at Black Hat, DEF CON, Troopers, and ­Infiltrate.

Table of contents 

Foreword by Matthew D. Green
Preface
Abbreviations
Chapter 1: Encryption
Chapter 2: Randomness
Chapter 3: Cryptographic Security
Chapter 4: Block Ciphers
Chapter 5: Stream Ciphers
Chapter 6: Hash Functions
Chapter 7: Keyed Hashing
Chapter 8: Authenticated Encryption
Chapter 9: Hard Problems
Chapter 10: RSA
Chapter 11: Diffie-Hellman
Chapter 12: Elliptic Curves
Chapter 13: TLS
Chapter 14: Quantum and Post-Quantum

View the detailed Table of Contents
View the Index

Reviews 

“A superb introduction to modern encryption and cryptography. For those looking to quickly get up to speed on the topics, this makes for an excellent go-to guide.”
Ben Rothke, RSA Conference

“It's really a love letter to cryptography.”
Nadim Kobeissi

“For those who really want to understand how cryptography works, and who need to use it in practice, I thoroughly recommend Serious Cryptography.”
Martijn Grooten, Virus Bulletin

“Impressive in its breadth...the state of the art in applied cryptography is distilled here in a mere 282 pages.”
Federico Lucifredi, The Hub

Updates 

On page 4, in the first paragraph, the sentence "A cryptanalyst can then deduce that the key’s length is either nine or a value divisible by nine (that is, three)." should instead say "A cryptanalyst can then deduce that the key’s length is either nine or a value that divides nine (that is, three)."

On page 13, the last sentence of the second paragraph under "Semantic Security and Randomized Encryption: IND-CPA" should say "Decryption​ ​remains deterministic, however, because given ​​​D​​​​​(K, R, ​C), you should always​ ​get P, regardless of the value of R."

On page 14, in the second paragraph under "Achieving Semantically Secure Encryption," all instances of "DRBG(K, R)" should instead be "DRBG(K || R)"

On page 28, the S_k+624 equation should use the constant 0x7fffffff instead of 0xffffffff.

On page 32, the caption for Listing 2-3 is incorrect. The script shows the evolution of /dev/random, not /dev/urandom.

On page 70, in the second paragraph under "Ciphertext Stealing," the sentence "The last, incomplete ciphertext block is made up of the first blocks from the previous ciphertext block . . ." should instead say "The last, incomplete ciphertext block is made up of the first bits from the previous ciphertext block . . ."

On page 73, the second paragraph shows the equation E(K_1, E(K_2, P)). This equation should instead be E(K_2, E(K_1, P)).

On page 73, in the last paragraph, 2^56 elements of 15 bytes each should come out to 1 exabyte, not 128 petabytes.

On page 84, the state values after "Repeating the operation four times...," should be the following:
0 1 1 1
1 1 1 0
1 1 0 0
0 0 0 1
And the subsequent paragraph should say "And as you can see, the state after six updates is the same as the initial one, demonstrating that we’re in a period-6 cycle and proving that the LFSR’s period isn’t the maximal value of 15."

On page 92, in the first paragraph of the RC4 section, Wireless Equivalent Privacy should be Wired Equivalent Privacy. The acronym list should also reflect this change.

On page 100, in the third paragraph, the sentence "The brute-forcing takes 2^36 operations, a computation that dwarfs the unrealistic 2^220 * 2^31 = 2^251 trials..." should instead say "The brute-forcing takes 2^36 operations, a computation that is dwarfed by the unrealistic 2^220 * 2^31 = 2^251 trials..."

On page 107, the SHA-256 hash values for a, b, and c are incorrect. They should be replaced with the following:
SHA-256("a") = ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
SHA-256("b") = 3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d
SHA-256("c") = 2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6

On page 147, in the paragraph under "Encrypt-then-MAC," the sentence "If the values are equal, the plaintext is computed as P = D(K1, C); if they are not equal, the plaintext is discarded." should instead say "If the values are equal, the plaintext is computed as P = D(K1, C); if they are not equal, the ciphertext is discarded."

On page 152, the sentence beginning "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7) to authenticate the ciphertext..." should instead say "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7)..."

On page 154, the equation for T_2 should be T_2 = GHASH(H, A_2, C_2) + AES(K, N || 0).

On page 165, in the fourth paragraph, where it says "when we say that an algorithm takes time in the order of n^3 operations (which is quadratic complexity)," it should instead say "when we say that an algorithm takes time in the order of n^3 operations (which is cubic complexity)."

On page 181, the last sentence of the first paragraph should say "(One year prior to RSA, Diffie and Hellman had introduced the concept of public-key cryptography, but their scheme was unable to perform public-key signatures.)"

On page 182, in the second paragraph under "The Math Behind RSA," the sentence "We say that these numbers form a group, denoted Z^*_n, and call the multiplicative group of integer modulo n." should instead say "We say that these numbers form a group, denoted Z^*_n, and call it the multiplicative group of integers modulo n."

On page 182, in the second paragraph under "The Math Behind RSA," the sentence "More precisely, RSA works on the numbers..." should be deleted.

On page 183, the last sentence of the second paragraph starting with "In other words..." should be deleted.

On page 184, Listing 10-1 is incorrect. It should be replaced with the following:
sage: p = random_prime(2^32); p
1103222539
sage: q = random_prime(2^32); q
17870599
sage: n = p*q; n
19715247602230861
sage: phi = (p-1)*(q-1); phi
19715246481137724
sage: e = random_prime(phi); e
13771927877214701
sage: d = xgcd(e, phi)[1]; d
15417970063428857
sage: mod(d*e, phi)
1

On page 189, in the fourth paragraph under "The PSS Signature Standard," the sentence "Although similar to PSS, OAEP has only been proven secure for encryption, not for signature." should instead say "Although similar to PSS, OAEP has only been proven secure for encryption, not for signatures."

On page 189, in the second paragraph, the sentence "Here’s how this works: because S can be written as (R^eM)^d = R^edM^d, and because R^ed = R is equal to Red = R (by definition)..." should instead be "Here's how this works: because S can be written as (R^eM)^d = R^edM^d, and because R^ed = R (by definition)..."

On page 191, in the third paragraph under "RSA Implementations," the sentence "The function EncryptOAEP() takes a hash value, a PRNG, a public key, a message, and a label (an optional parameter of OAEP), and returns a signature and an error code." should instead say "The function EncryptOAEP() takes a hash function, a PRNG, a public key, a message, and a label (an optional parameter of OAEP), and returns a signature and an error code."

On page 195, in the first paragraph under "The Chinese Remainder Theorem," the sentence "The most common trick to speed up decryption and signature verification (that is, the computation of y^d mod n) is the Chinese remainder theorem (CRT)." should instead read "The most common trick to speed up decryption and signature generation (that is, the computation of y^d mod n) is the Chinese remainder theorem (CRT)."

On page 196, in the first paragraph, the sentence "To apply this formula to our example and recover our x mod 1155, we take the arbitrary values 2, 1, 6, and 8; we compute P(3), P(5), P(7), and P(8); and then we add them together to get the following expression:" should instead say "To apply this formula to our example and recover our x mod 1155, we take the arbitrary values 2, 1, 6, and 8; we compute P(3), P(5), P(7), and P(11); and then we add them together to get the following expression:"

On page 215, in the first paragraph, the equation g^4 = 13 should instead be g^4 = 3.

On page 215, the sentence "The TLS protocol is the security behind HTTPS secure websites as well as the secure mail transfer protocol (SMTP)." should instead read "The TLS protocol is the security behind HTTPS secure websites as well as the Simple Mail Transfer Protocol (SMTP)."

On page 221, the second sentence in the first paragraph under "Adding Two Point" should read "and R is the reflection of this point with respect to the x-axis."

On page 227, the second equation on the page should be wr = rk / (h + rd ) = v

On page 227, the fifth equation on the page should be u + vd = hk / (h + rd ) + drk / (h + rd ) = (hk + drk ) / (h + rd ) = k (h + dr ) / (h + rd ) = k

On page 239, the last sentence in the first paragraph should read "The organization that issued certificate 1 (GeoTrust) granted permission to Google Internet Authority to issue a certificate (certificate 0) for the domain name www.google.com, thereby transferring trust to Google Internet Authority."

On page 243, the paragraph starting with "Note, however, that TLS 1.3 supports many options and extensions . . ." should be deleted. The information is repeated in the note below.

On page 254, the end of the first equation should be "= (|0> + |1>) / √2." The end of the second equation should be "|Ф> = (i/√2, –1/√2)."

On page 260, the first paragraph under "Shor's Algorithm and the Discrete Logarithm Problem" should read "The challenge in the discrete logarithm problem is to find x, given y = g^x mod p, for some known numbers g and p. Solving this problem takes an exponential amount of time on a classical computer, but Shor's algorithm lets you find x easily thanks to its efficient period-finding technique."

On page 264, the arrow placement for figure 14-5 is slightly inaccurate. Please refer to the below figure instead: