Table of Contents

Preface xv

Acknowledgments xx

About this book xxi

About the author xxvi

About the cover illustration xxvii

Part 1 Primitives: The Ingredients of Cryptography 1

1 Introduction 3

1.1 Cryptography is about securing protocols 4

1.2 Symmetric cryptography: What is symmetric encryption? 5

1.3 Kerckhoff's principle: Only the key is kept secret 7

1.4 Asymmetric cryptography: Two keys are better than one 10

Key exchanges or how to get a shared secret 10

Asymmetric encryption, not like the symmetric one 13

Digital signatures, just like your pen-and-paper signatures 15

1.5 Classifying and abstracting cryptography 17

1.6 Theoretical cryptography vs. real-world cryptography 18

1.7 From theoretical to practical: Choose your own adventure 19

1.8 A word of warning 24

2 Hash functions 25

2.1 What is a hash function? 25

2.2 Security properties of a hash function 28

2.3 Security considerations for hash functions 30

2.4 Hash functions in practice 31

Commitments 32

Subresource integrity 32

BitTorrent 32

Tor 33

2.5 Standardized hash functions 34

The SHA-2 hash function 35

The SHA-3 hash function 38

SHAKE and cSHAKE: Two extendable output functions (XOF) 42

Avoid ambiguous hashing with TupleHash 43

2.6 Hashing passwords 44

3 Message authentication codes 48

3.1 Stateless cookies, a motivating example for MACs 48

3.2 An example in code 51

3.3 Security properties of a MAC 52

Forgery of authentication tag 53

Lengths of authentication tag 53

Replay attacks 54

Verifying authentication tags in constant time 55

3.4 MAC in the real world 57

Message authentication 57

Deriving keys 57

Integrity of cookies 58

Hash tables 58

3.5 Message authentication codes (MACs) in practice 58

HMAC, a hash-based MAC 58

KMAQ a MAC based on cSHAKE 59

3.6 SHA-2 and length-extension attacks 60

4 Authenticated encryption 64

4.1 What's a cipher? 65

4.2 The Advanced Encryption Standard (AES) block cipher 66

How much security does AES provide? 67

The interface of AES 67

The internals of AES 68

4.3 The encrypted penguin and the CBC mode of operation 70

4.4 A lack of authenticity, hence AES-CBC-HMAC 73

4.5 All-in-one constructions: Authenticated encryption 74

What's authenticated encryption with associated data (AEAD)? 75

The AES-GCM AEAD 76

ChaCha20-Polyl305 81

4.6 Other kinds of symmetric encryption 84

Key wrapping 84

Nonce misuse-resistant authenticated encryption 85

Disk encryption 85

Database encryption 85

5 Key exchanges 87

5.1 What are key exchanges? 88

5.2 The Diffie-Hellman (DH) key exchange 91

Group theory 91

The discrete logarithm problem: The basis of Diffie-Hellman 95

The Diffie-Hellman standards 97

5.3 The Elliptic Curve Diffie-Hellman (ECDH) key exchange 98

What's an elliptic curve? 98

How does the Elliptic Curve Diffie-Hellman (ECDH) key exchange work? 102

The standards for Elliptic Curve Diffie-Hellman 103

5.4 Small subgroup attacks and other security considerations 105

6 Asymmetric encryption and hybrid encryption 109

6.1 What is asymmetric encryption? 110

6.2 Asymmetric encryption in practice and hybrid encryption 111

Key exchanges and key encapsulation 112

Hybrid encryption 113

6.3 Asymmetric encryption with RSA: The bad and the less bad 117

Textbook RSA 117

Why not to use RSA PKCSM#1 v1.5 121

Asymmetric encryption with RSA-OAEP 123

6.4 Hybrid encryption with ECIES 126

7 Signatures and zero-knowledge proofs 129

7.1 What is a signature? 130

How to sign and verify signatures in practice 131

A prime use case for signatures: Authenticated key exchanges 132

A real-world usage: Public key infrastructures 133

7.2 Zero-knowledge proofs (ZKPs): The origin of signatures 134

Schnorr identification protocol: An interactive zero-knowledge proof 134

Signatures as non-interactive zero-knowledge proofs 137

7.3 The signature algorithms you should use (or not) 138

RSA PKCS#1 v1.5: A bad standard 139

RSA-PSS: A better standard 142

The Elliptic Curve Digital Signature Algorithm (ECDSA) 143

The Edwards-curve Digital Signature Algorithm (EdDSA) 145

7.4 Subtle behaviors of signature schemes 149

Substitution attacks on signatures 149

Signature malleability 150

8 Randomness and secrets 152

8.1 What's randomness? 153

8.2 Slow randomness? Use a pseudorandom number generator (PRNG) 155

8.3 Obtaining randomness in practice 158

8.4 Randomness generation and security considerations 161

8.5 Public randomness 163

8.6 Key derivation with HKDF 164

8.7 Managing keys and secrets 168

8.8 Decentralize trust with threshold cryptography 169

Part 2 Protocols: The Recipes of Cryptography 175

9 Secure transport 177

9.1 The SSL and TLS secure transport protocols 177

From SSL to TLS 178

Using TLS in practice 179

9.2 How does the TLS protocol work? 181

The TLS handshake 181

How TLS 1.3 encrypts application data 194

9.3 The state of the encrypted web today 194

9.4 Other secure transport protocols 197

9.5 The Noise protocol framework: A modern alternative to TLS 197

The many handshakes of Noise 198

A handshake with Noise 199

10 End-to-end encryption 201

10.1 Why end-to-end encryption? 202

10.2 A root of trust nowhere to be found 203

10.3 The failure of encrypted email 205

PGP or GPG? And how does it work? 205

Scaling trust between -users with the web of trust 208

Key discovery is a real issue 208

If not PGP, then what? 210

10.4 Secure messaging: A modern look at end-to-end encryption with Signal 211

More user-friendly than the WOT: Trust but verify 212

X3DH: the Signal protocol's handshake 215

Double Ratchet: Signal's post-handshake protocol 218

10.5 The state of end-to-end encryption 222

11 User authentication 226

11.1 A recap of authentication 227

11.2 User authentication, or the quest to get rid of passwords 228

One password to rule them all: Single sign-on (SSO) and password managers 231

Don't want to see their passwords? Use an asymmetric password-authenticated key exchange 232

One-time passwords aren't really passwords: Going passwordless with symmetric keys 236

Replacing passwords with asymmetric keys 239

11.3 User-aided authentication: Pairing devices using some human help 242

Pre-shared keys 244

Symmetric password-authenticated key exchanges with CPace 245

Was my key exchange MITM'd? Just check a short authenticated string (SAS) 246

12 Crypto as in cryptocurrency? 251

12.1 A gentle introduction to Byzantine fault-tolerant (BFT) consensus algorithms 252

A problem of resilience: Distributed protocols to the rescue 252

A problem of trust? Decentralization helps 254

A problem of scale: Permissionless and censorship-resistant networks 255

12.2 How does Bitcoin work? 257

How Bitcoin handles user balances and transactions 257

Mining BTCs in the digital age of gold 259

Forking hell! Solving conflicts in mining 263

Reducing a block's size by using Merkle trees 265

12.3 A tour of cryptocurrencies 267

Volatility 267

Latency 267

Blockchain size 268

Confidentiality 268

Energy efficiency 268

12.4 DiemBFT: A Byzantine fault-tolerant (BFT) consensus protocol 269

Safety and liveness: The two properties of a BFT consensus protocol 269

A round in the DiemBFT protocol 270

How much dishonesty can the protocol tolerate? 270

The DiemBFT rules of voting 271

When are transactions considered finalized? 273

The intuitions behind the safety of DiemBFT 273

13 Hardware cryptography 277

13.1 Modern cryptography attacker model 278

13.2 Untrusted environments: Hardware to the rescue 279

White box cryptography, a bad idea 280

They're in your wallet: Smart cards and secure elements 281

Banks love them: Hardware security modules (HSMs) 283

Trusted Platform Modules (TPMs): A useful standardization of secure elements 285

Confidential computing with a trusted execution environment (TEE) 288

13.3 What solution is good for me? 289

13.4 Leakage-resilient cryptography or how to mitigate side-channel attacks in software 291

Constant-time programming 293

Don't use the secret! Masking and blinding 294

What about fault attacks? 295

14 Post-quantum cryptography 298

14.1 What are quantum computers and why are they scaring cryptographers? 299

Quantum mechanics, the study of the small 299

From the birth of quantum computers to quantum supremacy 302

The impact of Grover and Shor's algorithms on cryptography 303

Post-quantum cryptography, the defense against quantum computers 304

14.2 Hash-based signatures: Don't need anything but a hash function 305

One-time signatures (OTS) with Lamport signatures 305

Smaller keys with Winternitz one-time signatures (WOTS) 307

Many-times signatures with XMSS and SPHLNCS+ 308

14.3 Shorter keys and signatures with lattice-based cryptography 311

What's a lattice? 311

Learning with errors (LWE), a basis for cryptography? 313

Kyber, a lattice-based key exchange 314

Dilithium, a lattice-based signature scheme 316

14.4 Do I need to panic? 318

15 Is this it? Next-generation cryptography 321

15.1 The more the merrier: Secure multi-party computation (MPC) 322

Private set intersection (PSI) 323

General-purpose MPC 324

The state of MPC 326

15.2 Fully homomorphic encryption (FHE) and the promises of an encrypted cloud 326

An example of homomorphic encryption with RSA encryption 327

The different types of homomorphic encryption 327

Bootstrapping, the key to fully homomorphic encryption 328

An FHE scheme based on the learning with errors problem 330

Where is it used? 332

15.3 General-purpose zero-knowledge proofs (ZKPs) 332

How zk-SNARKs work 335

Homomorphic commitments to hide parts of the proof 336

Bilinear pairings to improve our homomorphic commitments 336

Where does the succinctness come from? 337

From programs to polynomials 338

Programs are for computers; we need arithmetic circuits instead 338

An arithmetic circuit to a rank-1 constraint system (R1CS) 339

From R1CS to a polynomial 340

It takes two to evaluate a polynomial hiding in the exponent 340

16 When and where cryptography fails 343

16.1 Finding the right cryptographic primitive or protocol is a boring job 344

16.2 How do I use a cryptographic primitive or protocol? Polite standards and formal verification 345

16.3 Where are the good libraries? 348

16.4 Misusing cryptography: Developers are the enemy 349

16.5 You're doing it wrong; Usable security 351

16.6 Cryptography is not an island 352

16.7 Your responsibilities as a cryptography practitioner, don't roll your own crypto 353

Appendix Answers to exercises 357

Index 361