The Joy of Cryptography

Click to preview

For Instructors

Request Resources

Digital Exam/Desk Copy Print Desk Copy

An Undergraduate Course in Provable Security

by Rosulek

Click here to preview

Instructor Requests

Digital Exam/Desk Copy Print Desk Copy Ancillaries

This accessible textbook provides a comprehensive introduction to the algorithms that keep our digital lives safe—how they work, what makes them different, and why they are secure. Mike Rosulek focuses on provable security—the process of defining what it means to be secure and mathematically proving security properties—to demystify the study of cryptography. Writing with clarity and humor, Rosulek covers basic building blocks before moving to symmetric-key encryption and authentication, public-key cryptography, and advanced topics. Employing a novel pseudocode-based approach to learning provable security and security proofs, The Joy of Cryptography empowers anyone with a small amount of programming experience to reason formally about security properties.

Uses pseudocode-based reasoning to make provable security accessible to undergraduates
Focuses on proven methods used in practice today
Offers rigorous treatment of symmetric-key and public-key encryption and authentication
Includes advanced material on encrypted messaging, post-quantum cryptography, and zero-knowledge proofs
Features ancillary resources

Expand/Collapse All
Contents (pg. vii)
Preface (pg. xiii)
Message to students (pg. xiv)
Message to teachers (pg. xvii)
Acknowledgments (pg. xix)
Unconditional Cryptography (pg. 1)
1. One-Time Pad and the Provable Security Mindset (pg. 3)
1.1. Defining the problem (pg. 4)
1.2. One-time pad (pg. 6)
1.3. How to formalize an attack scenario (pg. 8)
1.4. How to define and prove security of OTP (pg. 12)
1.5. How to interpret a security proof (pg. 13)
1.6. Limitations of security proofs (pg. 15)
1.7. What’s so special about XOR? (pg. 17)
2. Rudiments of Provable Security (pg. 25)
2.1. Attack scenarios as libraries (pg. 25)
2.2. Interchangeable libraries (pg. 28)
2.3. How to distinguish two libraries (pg. 33)
2.4. How to prove that two libraries are interchangeable (pg. 37)
2.5. Abstract cryptographic primitives (pg. 42)
2.6. Modular cryptographic constructions (pg. 45)
2.7. ★ "Real-or-random" vs. "left-or-right" (pg. 49)
3. ★ Secret Sharing (pg. 61)
3.1. Defining secret sharing (pg. 62)
3.2. 2-out-of-2 secret sharing (pg. 65)
3.3. Polynomial interpolation (pg. 68)
3.4. Multiplicative inverses modulo a prime (pg. 72)
3.5. Shamir secret sharing (pg. 78)
Pseudorandomness (pg. 85)
4. Modern Computational Cryptography (pg. 87)
4.1. The concrete approach to provable security (pg. 88)
4.2. The asymptotic approach to provable security (pg. 91)
4.3. Indistinguishability (pg. 95)
4.4. The bad-event technique (pg. 98)
4.5. Birthday probabilities (pg. 105)
5. Pseudorandom Generators (pg. 117)
5.1. Defining pseudorandomness (pg. 118)
5.2. Do PRGs exist? (pg. 121)
5.3. Application: Pseudo-OTP (pg. 124)
5.4. How to extend a PRG’s stretch (pg. 127)
5.5. How to attack pseudorandomness (pg. 130)
6. Pseudorandom Functions (pg. 141)
6.1. Motivating and defining PRFs (pg. 142)
6.2. How to attack PRFs (pg. 144)
6.3. An example proof involving PRFs (pg. 148)
6.4. Building a PRG from a PRF: The CTR construction (pg. 153)
6.5. ★ Building a PRF from a PRG: The GGM construction (pg. 158)
6.6. PRFs for long inputs: The CBC-MAC construction (pg. 166)
7. Pseudorandom Permutations (pg. 181)
7.1. Defining PRPs (pg. 182)
7.2. Comparing PRPs and PRFs, and the switching lemma (pg. 184)
7.3. How to construct a PRP: The Feistel construction (pg. 186)
7.4. PRPs in theory and practice (pg. 194)
7.5. ★ Strong PRPs (pg. 198)
Symmetric-Key Encryption (pg. 203)
8. Chosen-Plaintext Attacks Against Encryption (pg. 205)
8.1. Definitions and leaking the plaintext length (pg. 206)
8.2. Deterministic encryption (pg. 209)
8.3. A randomized encryption scheme based on PRFs (pg. 210)
8.4. An example chosen-plaintext attack (pg. 214)
8.5. Block cipher modes (pg. 215)
8.6. Non-block-aligned plaintexts (pg. 224)
8.7. ★ Nonce-based encryption (pg. 228)
9. Chosen-Ciphertext Attacks Against Encryption (pg. 245)
9.1. Format-oracle attacks and malleability (pg. 246)
9.2. Defining security against chosen-ciphertext attacks (pg. 251)
9.3. Chosen-ciphertext attack strategies (pg. 255)
9.4. Message authentication codes (pg. 261)
9.5. Encrypt-then-MAC (pg. 267)
9.6. Authenticated encryption and associated data (pg. 273)
Hashing (pg. 293)
10. Collision-Resistant Hash Functions (pg. 295)
10.1. Defining collision resistance (pg. 296)
10.2. Hash functions in the real world (pg. 300)
10.3. Composing collision-resistant functions (pg. 303)
10.4. The Merkle-Damgård construction (pg. 306)
10.5. PRFs from Merkle-Damgård: Length extension, NMAC, and HMAC (pg. 310)
11. ★ Universal Hash Functions (pg. 325)
11.1. Defining universal hash functions (pg. 326)
11.2. Universal hash paradigm for PRFs (pg. 330)
11.3. CBC-MAC is a UHF (pg. 333)
11.4. Poly-UHF: An unconditionally secure UHF (pg. 342)
12. Random Oracles and Other Idealized Models (pg. 355)
12.1. Defining the random oracle model (pg. 356)
12.2. Using random oracles (pg. 361)
12.3. ★ The ideal permutation model (pg. 367)
12.4. ★ The ideal cipher model (pg. 376)
Asymmetric-Key Cryptography (pg. 389)
13. Key Exchange (pg. 391)
13.1. Cyclic groups (pg. 391)
13.2. Diffie-Hellman key exchange (pg. 398)
13.3. Key exchange in the abstract (pg. 403)
13.4. ★ Elliptic curves (pg. 404)
14. Public-Key Encryption (pg. 419)
14.1. Security definitions for PKE (pg. 419)
14.2. One-time vs. many-time encryption (pg. 422)
14.3. El Gamal encryption (pg. 426)
14.4. The Fujisaki-Okamoto construction (pg. 431)
14.5. Hybrid encryption (pg. 441)
14.6. Key encapsulation (pg. 444)
15. RSA (pg. 457)
15.1. Arithmetic modulo a composite (pg. 457)
15.2. The RSA function and RSA assumption (pg. 462)
15.3. Building a KEM from RSA (pg. 467)
15.4. ★ Chinese remainder theorem (pg. 474)
16. Digital Signatures (pg. 489)
16.1. Security definitions for digital signatures (pg. 490)
16.2. Signatures from RSA (pg. 492)
16.3. Common signature idioms (pg. 507)
Advanced Topics (pg. 521)
17. Encrypted Messaging and Ratcheting (pg. 523)
17.1. Forward secrecy and the symmetric ratchet (pg. 524)
17.2. Post-compromise secrecy and the asymmetric ratchet (pg. 528)
17.3. The double ratchet and the Signal protocol (pg. 530)
17.4. Group messaging and MLS (pg. 535)
18. Authenticated Key Exchange (pg. 545)
18.1. Defining the problem (pg. 546)
18.2. Authenticating with signatures (pg. 550)
18.3. Authenticating implicitly (pg. 557)
18.4. Authenticated key exchange in practice (pg. 562)
19. Zero-Knowledge Proofs (pg. 569)
19.1. The Schnorr identification protocol (pg. 570)
19.2. Sigma protocols (pg. 575)
19.3. More examples of sigma protocols (pg. 578)
19.4. Noninteractive proofs and signatures (pg. 586)
20. Post-Quantum Cryptography (pg. 601)
20.1. Capabilities of quantum computing (pg. 602)
20.2. The learning-with-errors problem (pg. 604)
20.3. Key exchange from LWE (pg. 610)
Appendix (pg. 623)
A. Math Review (pg. 625)
A.1. Strings (pg. 625)
A.2. Probability (pg. 626)
A.3. Modular arithmetic (pg. 630)
A.4. Exponents and logarithms (pg. 635)
A.5. Big-𝑂 (pg. 635)
A.6. Linear algebra (pg. 636)
B. A Crash Course in Binary Finite Fields (pg. 641)
Bibliography (pg. 647)
Index (pg. 673)

Mike Rosulek

Mike Rosulek is Professor in the School of Electrical Engineering and Computer Science at Oregon State University and author of over 60 peer-reviewed publications on cryptography, with a special focus on interactive protocols.

eTextbook

Go paperless today! Available online anytime, nothing to download or install.

Features

Bookmarking
Note taking
Highlighting

I have an access code.

Browser	Version
Chrome (Recommended)	Latest
Firefox	Latest
Edge	Latest
Safari	Latest

For Instructors

Request Resources