Serious Cryptography
A Practical Introduction to Modern Encryption
Jean-Philippe Aumasson
November 2017, 312 pp.

This practical guide to modern encryption breaks down the fundamental mathematical concepts at the heart of cryptography without shying away from meaty discussions of how they work. You’ll learn about authenticated encryption, secure randomness, hash functions, block ciphers, and public-key techniques such as RSA and elliptic curve cryptography.

You'll also learn:

  • Key concepts in cryptography, such as computational security, attacker models, and forward secrecy
  • The strengths and limitations of the TLS protocol behind HTTPS secure websites
  • Quantum computation and post-quantum cryptography
  • About various vulnerabilities by examining numerous code examples and use cases
  • How to choose the best algorithm or protocol and ask vendors the right questions

Each chapter includes a discussion of common implementation mistakes using real-world examples and details what could go wrong and how to avoid these pitfalls.

Whether you’re a seasoned practitioner or a beginner looking to dive into the field, Serious Cryptography will provide a complete survey of modern encryption and its applications.

Author Bio

Jean-Philippe Aumasson is Principal Research Engineer at Kudelski Security, an international cybersecurity company based in Switzerland. He has authored more than 40 research articles in the field of cryptography and cryptanalysis and designed the widely used hash functions BLAKE2 and SipHash. He speaks regularly at information security conferences and has presented at Black Hat, DEF CON, Troopers, and Infiltrate.

Table of contents

Foreword by Matthew D. Green
Chapter 1: Encryption
Chapter 2: Randomness
Chapter 3: Cryptographic Security
Chapter 4: Block Ciphers
Chapter 5: Stream Ciphers
Chapter 6: Hash Functions
Chapter 7: Keyed Hashing
Chapter 8: Authenticated Encryption
Chapter 9: Hard Problems
Chapter 10: RSA
Chapter 11: Diffie-Hellman
Chapter 12: Elliptic Curves
Chapter 13: TLS
Chapter 14: Quantum and Post-Quantum

Errata


On page 32, the caption for Listing 2-3 is incorrect. The script shows the evolution of /dev/random, not /dev/urandom.

On page 70, in the second paragraph under "Ciphertext Stealing," the sentence "The last, incomplete ciphertext block is made up of the first blocks from the previous ciphertext block . . ." should instead say "The last, incomplete ciphertext block is made up of the first bits from the previous ciphertext block . . ."

On page 73, step 1 of the meet-in-the-middle attack has the equation C = E(K_2E(K_1P)). This equation should instead be C = E(K_2, E(K_1, P)).

On page 73, in the last paragraph, 2^56 elements of 15 bytes each should come out to 1 exabyte, not 128 petabytes.

On page 92, in the first paragraph of the RC4 section, Wireless Equivalent Privacy should be Wired Equivalent Privacy. The acronym list should also reflect this change.

On page 107, the SHA-256 hash values for a, b, and c are incorrect. They should be replaced with the following:
SHA-256("a") = ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
SHA-256("b") = 3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d
SHA-256("c") = 2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6

On page 152, the sentence beginning "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7) to authenticate the ciphertext..." should instead say "To authenticate the ciphertext, GCM uses a Wegman–Carter MAC (see Chapter 7)..."

On page 154, the equation for T_2 should be T_2 = GHASH(H, A_2, C_2) + AES(K, N || 0).

On page 181, Listing 10-1 is incorrect. It should be replaced with the following:
sage: p = random_prime(2^32); p
sage: q = random_prime(2^32); q
sage: n = p*q; n
sage: phi = (p-1)*(q-1); phi
sage: e = random_prime(phi); e
sage: d = xgcd(e, phi)[1]; d
sage: mod(d*e, phi)
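The corrected Listing 10-1 rendered in plain Python, as an added example that is not the book's Sage code: it reproduces each step (random toy primes p and q, n, phi, a random prime e, and d from the extended Euclidean algorithm) and goes slightly beyond the listing by re-drawing e until gcd(e, phi) = 1, since a random prime can still divide phi. The primality test, random_prime and xgcd helpers are assumptions standing in for Sage's built-ins, and the 32-bit primes are for illustration only.

```python
import random
from math import gcd

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for the toy key sizes used here."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bound):
    """Random prime in [2, bound], mirroring Sage's random_prime(bound)."""
    while True:
        cand = random.randrange(2, bound + 1)
        if is_probable_prime(cand):
            return cand

def xgcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b == g, like Sage's xgcd."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1, t0, t1 = s1, s0 - q * s1, t1, t0 - q * t1
    return a, s0, t0

def rsa_keygen(bits=32):
    """Follows the corrected Listing 10-1: p, q, n, phi, e, d."""
    p, q = random_prime(2 ** bits), random_prime(2 ** bits)
    n, phi = p * q, (p - 1) * (q - 1)
    e = random_prime(phi)
    while gcd(e, phi) != 1:      # a random prime can still divide phi (e.g. 2)
        e = random_prime(phi)
    d = xgcd(e, phi)[1] % phi    # reduce so d is positive; d*e == 1 mod phi
    return p, q, n, e, d
```

The final `mod(d*e, phi)` check from the listing corresponds to verifying `(d * e) % phi == 1` on the returned values.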

On page 189, in the second paragraph, the sentence "Here’s how this works: because S can be written as (R^eM)^d = R^edM^d, and because R^ed = R is equal to Red = R (by definition)..." should instead be "Here's how this works: because S can be written as (R^eM)^d = R^edM^d, and because R^ed = R (by definition)..."

On page 243, the paragraph starting with "Note, however, that TLS 1.3 supports many options and extensions . . ." should be deleted. The information is repeated in the note below.