Table of Contents for

Serious Cryptography

CONTENTS IN DETAIL

FOREWORD by Matthew D. Green

PREFACE

This Book’s Approach

Who This Book Is For

How This Book Is Organized

Fundamentals

Symmetric Crypto

Asymmetric Crypto

Applications

Acknowledgments

ABBREVIATIONS

1
ENCRYPTION

The Basics

Classical Ciphers

The Caesar Cipher

The Vigenère Cipher

How Ciphers Work

The Permutation

The Mode of Operation

Why Classical Ciphers Are Insecure

Perfect Encryption: The One-Time Pad

Encrypting with the One-Time Pad

Why Is the One-Time Pad Secure?

Encryption Security

Attack Models

Security Goals

Security Notions

Asymmetric Encryption

When Ciphers Do More Than Encryption

Authenticated Encryption

Format-Preserving Encryption

Fully Homomorphic Encryption

Searchable Encryption

Tweakable Encryption

How Things Can Go Wrong

Weak Cipher

Wrong Model

Further Reading

2
RANDOMNESS

Random or Non-Random?

Randomness as a Probability Distribution

Entropy: A Measure of Uncertainty

Random Number Generators (RNGs) and Pseudorandom Number Generators (PRNGs)

How PRNGs Work

Security Concerns

The PRNG Fortuna

Cryptographic vs. Non-Cryptographic PRNGs

The Uselessness of Statistical Tests

Real-World PRNGs

Generating Random Bits in Unix-Based Systems

The CryptGenRandom() Function in Windows

A Hardware-Based PRNG: RDRAND in Intel Microprocessors

How Things Can Go Wrong

Poor Entropy Sources

Insufficient Entropy at Boot Time

Non-cryptographic PRNG

Sampling Bug with Strong Randomness

Further Reading

3
CRYPTOGRAPHIC SECURITY

Defining the Impossible

Security in Theory: Informational Security

Security in Practice: Computational Security

Quantifying Security

Measuring Security in Bits

Full Attack Cost

Choosing and Evaluating Security Levels

Achieving Security

Provable Security

Heuristic Security

Generating Keys

Generating Symmetric Keys

Generating Asymmetric Keys

Protecting Keys

How Things Can Go Wrong

Incorrect Security Proof

Short Keys for Legacy Support

Further Reading

4
BLOCK CIPHERS

What Is a Block Cipher?

Security Goals

Block Size

The Codebook Attack

How to Construct Block Ciphers

A Block Cipher’s Rounds

The Slide Attack and Round Keys

Substitution–Permutation Networks

Feistel Schemes

The Advanced Encryption Standard (AES)

AES Internals

AES in Action

Implementing AES

Table-Based Implementations

Native Instructions

Is AES Secure?

Modes of Operation

The Electronic Codebook (ECB) Mode

The Cipher Block Chaining (CBC) Mode

How to Encrypt Any Message in CBC Mode

The Counter (CTR) Mode

How Things Can Go Wrong

Meet-in-the-Middle Attacks

Padding Oracle Attacks

Further Reading

5
STREAM CIPHERS

How Stream Ciphers Work

Stateful and Counter-Based Stream Ciphers

Hardware-Oriented Stream Ciphers

Feedback Shift Registers

Grain-128a

A5/1

Software-Oriented Stream Ciphers

RC4

Salsa20

How Things Can Go Wrong

Nonce Reuse

Broken RC4 Implementation

Weak Ciphers Baked Into Hardware

Further Reading

6
HASH FUNCTIONS

Secure Hash Functions

Unpredictability Again

Preimage Resistance

Collision Resistance

Finding Collisions

Building Hash Functions

Compression-Based Hash Functions: The Merkle–Damgård Construction

Permutation-Based Hash Functions: Sponge Functions

The SHA Family of Hash Functions

SHA-1

SHA-2

The SHA-3 Competition

Keccak (SHA-3)

The BLAKE2 Hash Function

How Things Can Go Wrong

The Length-Extension Attack

Fooling Proof-of-Storage Protocols

Further Reading

7
KEYED HASHING

Message Authentication Codes (MACs)

MACs in Secure Communication

Forgery and Chosen-Message Attacks

Replay Attacks

Pseudorandom Functions (PRFs)

PRF Security

Why PRFs Are Stronger Than MACs

Creating Keyed Hashes from Unkeyed Hashes

The Secret-Prefix Construction

The Secret-Suffix Construction

The HMAC Construction

A Generic Attack Against Hash-Based MACs

Creating Keyed Hashes from Block Ciphers: CMAC

Breaking CBC-MAC

Fixing CBC-MAC

Dedicated MAC Designs

Poly1305

SipHash

How Things Can Go Wrong

Timing Attacks on MAC Verification

When Sponges Leak

Further Reading

8
AUTHENTICATED ENCRYPTION

Authenticated Encryption Using MACs

Encrypt-and-MAC

MAC-then-Encrypt

Encrypt-then-MAC

Authenticated Ciphers

Authenticated Encryption with Associated Data

Avoiding Predictability with Nonces

What Makes a Good Authenticated Cipher?

AES-GCM: The Authenticated Cipher Standard

GCM Internals: CTR and GHASH

GCM Security

GCM Efficiency

OCB: An Authenticated Cipher Faster than GCM

OCB Internals

OCB Security

OCB Efficiency

SIV: The Safest Authenticated Cipher?

Permutation-Based AEAD

How Things Can Go Wrong

AES-GCM and Weak Hash Keys

AES-GCM and Small Tags

Further Reading

9
HARD PROBLEMS

Computational Hardness

Measuring Running Time

Polynomial vs. Superpolynomial Time

Complexity Classes

Nondeterministic Polynomial Time

NP-Complete Problems

The P vs. NP Problem

The Factoring Problem

Factoring Large Numbers in Practice

Is Factoring NP-Complete?

The Discrete Logarithm Problem

What Is a Group?

The Hard Thing

How Things Can Go Wrong

When Factoring Is Easy

Small Hard Problems Aren’t Hard

Further Reading

10
RSA

The Math Behind RSA

The RSA Trapdoor Permutation

RSA Key Generation and Security

Encrypting with RSA

Breaking Textbook RSA Encryption’s Malleability

Strong RSA Encryption: OAEP

Signing with RSA

Breaking Textbook RSA Signatures

The PSS Signature Standard

Full Domain Hash Signatures

RSA Implementations

Fast Exponentiation Algorithm: Square-and-Multiply

Small Exponents for Faster Public-Key Operations

The Chinese Remainder Theorem

How Things Can Go Wrong

The Bellcore Attack on RSA-CRT

Sharing Private Exponents or Moduli

Further Reading

11
DIFFIE–HELLMAN

The Diffie–Hellman Function

The Diffie–Hellman Problems

The Computational Diffie–Hellman Problem

The Decisional Diffie–Hellman Problem

More Diffie–Hellman Problems

Key Agreement Protocols

An Example of Non-DH Key Agreement

Attack Models for Key Agreement Protocols

Performance

Diffie–Hellman Protocols

Anonymous Diffie–Hellman

Authenticated Diffie–Hellman

Menezes–Qu–Vanstone (MQV)

How Things Can Go Wrong

Not Hashing the Shared Secret

Legacy Diffie–Hellman in TLS

Unsafe Group Parameters

Further Reading

12
ELLIPTIC CURVES

What Is an Elliptic Curve?

Elliptic Curves over Integers

Adding and Multiplying Points

Elliptic Curve Groups

The ECDLP Problem

Diffie–Hellman Key Agreement over Elliptic Curves

Signing with Elliptic Curves

Encrypting with Elliptic Curves

Choosing a Curve

NIST Curves

Curve25519

Other Curves

How Things Can Go Wrong

ECDSA with Bad Randomness

Breaking ECDH Using Another Curve

Further Reading

13
TLS

Target Applications and Requirements

The TLS Protocol Suite

The TLS and SSL Family of Protocols: A Brief History

TLS in a Nutshell

Certificates and Certificate Authorities

The Record Protocol

The TLS Handshake Protocol

TLS 1.3 Cryptographic Algorithms

TLS 1.3 Improvements over TLS 1.2

Downgrade Protection

Single Round-Trip Handshake

Session Resumption

The Strengths of TLS Security

Authentication

Forward Secrecy

How Things Can Go Wrong

Compromised Certificate Authority

Compromised Server

Compromised Client

Bugs in Implementations

Further Reading

14
QUANTUM AND POST-QUANTUM

How Quantum Computers Work

Quantum Bits

Quantum Gates

Quantum Speed-Up

Exponential Speed-Up and Simon’s Problem

The Threat of Shor’s Algorithm

Shor’s Algorithm Solves the Factoring Problem

Shor’s Algorithm and the Discrete Logarithm Problem

Grover’s Algorithm

Why Is It So Hard to Build a Quantum Computer?

Post-Quantum Cryptographic Algorithms

Code-Based Cryptography

Lattice-Based Cryptography

Multivariate Cryptography

Hash-Based Cryptography

How Things Can Go Wrong

Unclear Security Level

Fast Forward: What Happens if It’s Too Late?

Implementation Issues

Further Reading

INDEX