Serious Cryptography

Serious Cryptography

Serious Cryptography

by 
Jean-Philippe Aumasson
ISBN-13: 
978-1-59327-826-7
November 2017, 312 pp.


Download Chapter 4: Block Ciphers

This practical guide to modern encryption breaks down the fundamental mathematical concepts at the heart of cryptography without shying away from meaty discussions of how they work. You’ll learn about authenticated encryption, secure randomness, hash functions, block ciphers, and public-key techniques such as RSA and elliptic curve cryptography.

You'll also learn:

  • Key concepts in cryptography, such as computational security, attacker models, and forward secrecy
  • The strengths and limitations of the TLS protocol behind HTTPS secure websites
  • Quantum computation and post-quantum cryptography
  • About various vulnerabilities by examining numerous code examples and use cases
  • How to choose the best algorithm or protocol and ask vendors the right questions

Each chapter includes a discussion of common implementation mistakes using real-world examples and details what could go wrong and how to avoid these pitfalls.

Whether you’re a seasoned practitioner or a beginner looking to dive into the field, Serious Cryptography will provide a complete survey of modern encryption and its applications.

Author Bio 

Jean-Philippe Aumasson is Principal Research Engineer at Kudelski Security, an international cybersecurity company based in Switzerland. He has authored more than 40 research ­articles in the field of cryptography and cryptanalysis and designed the widely used hash functions BLAKE2 and SipHash. He speaks regularly at information security conferences and has presented at Black Hat, DEF CON, Troopers, and ­Infiltrate.

Reviews 

“A superb introduction to modern encryption and cryptography. For those looking to quickly get up to speed on the topics, this makes for an excellent go-to guide.”
Ben Rothke, RSA Conference

Table of contents 

Foreword by Matthew D. Green
Preface
Abbreviations
Chapter 1: Encryption
Chapter 2: Randomness
Chapter 3: Cryptographic Security
Chapter 4: Block Ciphers
Chapter 5: Stream Ciphers
Chapter 6: Hash Functions
Chapter 7: Keyed Hashing
Chapter 8: Authenticated Encryption
Chapter 9: Hard Problems
Chapter 10: RSA
Chapter 11: Diffie-Hellman
Chapter 12: Elliptic Curves
Chapter 13: TLS
Chapter 14: Quantum and Post-Quantum

View the detailed Table of Contents
View the Index

Updates 

On page 4, in the first paragraph, the sentence "A cryptanalyst can then deduce that the key’s length is either nine or a value divisible by nine (that is, three)." should instead say "A cryptanalyst can then deduce that the key’s length is either nine or a value that divides nine (that is, three)."

On page 13, the last sentence of the second paragraph under "Semantic Security and Randomized Encryption: IND-CPA" should say "Decryption​ ​remains deterministic, however, because given ​​​D​​​​​(K, R, ​C), you should always​ ​get P, regardless of the value of R."

On page 14, in the second paragraph under "Achieving Semantically Secure Encryption," all instances of "DRBG(K, R)" should instead be "DRBG(K || R)"

On page 28, the S_k+624 equation should use the constant 0x7fffffff instead of 0xffffffff.

On page 32, the caption for Listing 2-3 is incorrect. The script shows the evolution of /dev/random, not /dev/urandom.

On page 70, in the second paragraph under "Ciphertext Stealing," the sentence "The last, incomplete ciphertext block is made up of the first blocks from the previous ciphertext block . . ." should instead say "The last, incomplete ciphertext block is made up of the first bits from the previous ciphertext block . . ."

On page 73, the second paragraph shows the equation E(K_1, E(K_2, P)). This equation should instead be E(K_2, E(K_1, P)).

On page 73, in the last paragraph, 2^56 elements of 15 bytes each should come out to 1 exabyte, not 128 petabytes.

On page 92, in the first paragraph of the RC4 section, Wireless Equivalent Privacy should be Wired Equivalent Privacy. The acronym list should also reflect this change.

On page 100, in the third paragraph, the sentence "The brute-forcing takes 2^36 operations, a computation that dwarfs the unrealistic 2^220 * 2^31 = 2^251 trials..." should instead say "The brute-forcing takes 2^36 operations, a computation that is dwarfed by the unrealistic 2^220 * 2^31 = 2^251 trials..."

On page 107, the SHA-256 hash values for a, b, and c are incorrect. They should be replaced with the following:
SHA-256("a") = ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
SHA-256("b") = 3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d
SHA-256("c") = 2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6

On page 147, in the paragraph under "Encrypt-then-MAC," the sentence "If the values are equal, the plaintext is computed as P = D(K1, C); if they are not equal, the plaintext is discarded." should instead say "If the values are equal, the plaintext is computed as P = D(K1, C); if they are not equal, the ciphertext is discarded."

On page 152, the sentence beginning "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7) to authenticate the ciphertext..." should instead say "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7)..."

On page 154, the equation for T_2 should be T_2 = GHASH(H, A_2, C_2) + AES(K, N || 0).

On page 165, in the fourth paragraph, where it says "when we say that an algorithm takes time in the order of n^3 operations (which is quadratic complexity)," it should instead say "when we say that an algorithm takes time in the order of n^3 operations (which is cubic complexity)."

On page 181, the last sentence of the first paragraph should say "(One year prior to RSA, Diffie and Hellman had introduced the concept of public-key cryptography, but their scheme was unable to perform public-key signatures.)"

On page 182, in the second paragraph under "The Math Behind RSA," the sentence "We say that these numbers form a group, denoted Z^*_n, and call the multiplicative group of integer modulo n." should instead say "We say that these numbers form a group, denoted Z^*_n, and call it the multiplicative group of integers modulo n."

On page 182, in the second paragraph under "The Math Behind RSA," the sentence "More precisely, RSA works on the numbers..." should be deleted.

On page 183, the last sentence of the second paragraph starting with "In other words..." should be deleted.

On page 184, Listing 10-1 is incorrect. It should be replaced with the following:
sage: p = random_prime(2^32); p
1103222539
sage: q = random_prime(2^32); q
17870599
sage: n = p*q; n
19715247602230861
sage: phi = (p-1)*(q-1); phi
19715246481137724
sage: e = random_prime(phi); e
13771927877214701
sage: d = xgcd(e, phi)[1]; d
15417970063428857
sage: mod(d*e, phi)
1

On page 189, in the fourth paragraph under "The PSS Signature Standard," the sentence "Although similar to PSS, OAEP has only been proven secure for encryption, not for signature." should instead say "Although similar to PSS, OAEP has only been proven secure for encryption, not for signatures."

On page 189, in the second paragraph, the sentence "Here’s how this works: because S can be written as (R^eM)^d = R^edM^d, and because R^ed = R is equal to Red = R (by definition)..." should instead be "Here's how this works: because S can be written as (R^eM)^d = R^edM^d, and because R^ed = R (by definition)..."

On page 191, in the third paragraph under "RSA Implementations," the sentence "The function EncryptOAEP() takes a hash value, a PRNG, a public key, a message, and a label (an optional parameter of OAEP), and returns a signature and an error code." should instead say "The function EncryptOAEP() takes a hash function, a PRNG, a public key, a message, and a label (an optional parameter of OAEP), and returns a signature and an error code."

On page 195, in the first paragraph under "The Chinese Remainder Theorem," the sentence "The most common trick to speed up decryption and signature verification (that is, the computation of y^d mod n) is the Chinese remainder theorem (CRT)." should instead read "The most common trick to speed up decryption and signature generation (that is, the computation of y^d mod n) is the Chinese remainder theorem (CRT)."

On page 196, in the first paragraph, the sentence "To apply this formula to our example and recover our x mod 1155, we take the arbitrary values 2, 1, 6, and 8; we compute P(3), P(5), P(7), and P(8); and then we add them together to get the following expression:" should instead say "To apply this formula to our example and recover our x mod 1155, we take the arbitrary values 2, 1, 6, and 8; we compute P(3), P(5), P(7), and P(11); and then we add them together to get the following expression:"

On page 215, in the first paragraph, the equation g^4 = 13 should instead be g^4 = 3.

On page 215, the sentence "The TLS protocol is the security behind HTTPS secure websites as well as the secure mail transfer protocol (SMTP)." should instead read "The TLS protocol is the security behind HTTPS secure websites as well as the Simple Mail Transfer Protocol (SMTP)."

On page 243, the paragraph starting with "Note, however, that TLS 1.3 supports many options and extensions . . ." should be deleted. The information is repeated in the note below.

On page 264, the arrow placement for figure 14-5 is slightly inaccurate. Please refer to the below figure instead: