Thanks for the comment. I wouldn't have bothered with this otherwise.
Normally a "Download our PDF|Whitepaper|Whatever" is a 100% sure way to make me close a site immediately nowadays - and this is what I did. Just stumbled upon your comment because the tab was still open and it was the first comment.
VirusTotal seems to be cool with the file too, so that's how it should be.
It seems that the downloadable pdf doesn't have a couple of tweaks that have landed in master (https://github.com/crypto101/book). Any plans to generate a slightly updated version ?
PS: Thanks for your work ! Watched your talk and it was a nice quick primer. Glad you turned it into a book with more detail.
Sure, I should get around to that :-) Really I'd like to make a docker image or similarly repeatable environment that can do builds -- right now it's way too tied to my own environment.
Also: I'm not sure org-mode -> TeX was a great idea.
I used to use org-mode exporting to reveal.js for doing slides. Unfortunately this turned out to be a bit of a pain to get everything set up, especially when collaborating with people who for some reason have failed to embrace the One True Religion^H Editor. So in the end I changed to using Markdown and pandoc to convert to reveal.js.
As a bonus, using pandoc to convert my org sources to markdown worked reasonably well.
I'm not sure what "complete" would entail :) For example: would a description of Noise be in scope? I think so but I'm not sure. People come up with new cool stuff that's useful to median developers on the regular (say, NMR) that feels like it ought to be added/updated. So I think it's forever a WIP and that's OK since I'm not really printing the book?
Thank you for writing this book! I recently used this book to brush up on crypto fundamentals for some interviews and found it really valuable. I was even able to implement a padding oracle attack after only knowing it in theory for a very long time. I was also wondering if you had any plans to complete it. Right now, there are 36 TODOs in the book. Not all of them need further explanation and can be left as an exercise, but some of them might be useful to dig into. Regardless, it is still awesome!
Yessss! Utterly selfishly: things like 'Noise Protocol Matrix' or 'Nonce misuse resistance 101' are actually closer to your target than XOR diagrams that people can already find on wikipedia.
I read the book, it is well written, accessible and pretty accurate. I think it's worth a skim even just to learn more about something you vaguely know but you can't explain in your own words.
Because it's not a priority for me and I never got the org -> epub generation flow working correctly. In particular, the book has a lot of illustrations, and getting illustrations right across a ton of ebook readers is quite complicated. To wit: they all support different formats and to get it more or less compatible you have to guess what the approx DPI is for most of those devices and then rasterize the vector imagery.
If someone gets it to work I'd be much obliged, it just hasn't been a priority for me :)
You can, but at least a few years ago most cheap readers would horribly mess that up (usually not render it at all). And those that didn’t were typically nice enough that they could just render the PDF correctly ;)
Oh interesting. I recently got "Applied Cryptography" in one of the nostarchpress sales. I expected it to be turbo technical and way outside my league but popped it open on a whim one day. So far it's incredibly accessible. Does anyone have thoughts on that versus this course? Worth taking the course after I finish Applied Cryptography?
Incidentally, Applied Cryptography is often critiqued for making crypto seemingly easy and incredibly accessible, which led to some people implementing very nice fails. For practical purposes the later Cryptography Engineering book is probably a better choice.
That's an interesting point. However, I am not interested in implementing/engineering cryptography (ever), just having a decent idea of what's going on. Is this still a failure of the book I should watch out for?
Yes! It hasn't gotten better. I wrote Crypto 101 for a reason -- there are a number of problems I have with both the approach, and even if the approach were good, it's horribly outdated now.
Gotcha. Serious Cryptography is good. Applied Cryptography is... not. Except insofar Latacora making stickers that make fun of it and people printing t-shirts to benefit charities is good of course :-)
It's also good for historical interest. It was a great book for its time. Now it's horribly outdated, even Schneier recommends against using it for anything other than learning about the state of academic cryptography in the '90s. Which is important, but not relevant to modern cryptography.
No, Applied Cryptography isn’t “terrible”, but treat it as a starting point. It will help you understand more advanced references (like the linked blog post).
I just watched the talk on that page, it was fantastic! Especially for dumb developers like myself who never studied actual CS or math.
Thanks for sharing.
It actually makes a lot of sense for practical purposes. This probably looks strange to you because most introductory cryptography texts strictly segregate stream and block ciphers. The standard pedagogical style bifurcates modern symmetric encryption into one of these two categories and talks about things like synchronization, on-the-fly encryption, speed, error correction, etc. between the two.
In point of fact, there isn't as significant a difference between the two in active research and industry. Many (most?) stream ciphers actually use blocks internally. For example, Salsa (and its spiritual successor, ChaCha) both use blocks and rounds. From one legitimate perspective, a block cipher mode enabling streaming encryption is a generalization of a stream cipher.
When you develop a stream cipher without a block system internally[1], you're trying to remove the versatility of block cipher modes in exchange for (hopefully significant) improvements in speed and efficiency. This is very difficult to do while maintaining security. At the end of the day there are only so many ways to do confusion and diffusion.
_______________________________
1. For example see Sosemanuk, which internally uses a linear feedback shift register and finite state machine.
> Many (most?) stream ciphers actually use blocks internally.
I don't think there have been any new designs for a good while that didn't. RC4 is, I think, the last actual stream cipher that saw widespread use (apart from designed-as-broken telco crypto). The same observation can be made for classified crypto, where they used to use bit-stream ciphers like Walburn or Saville (efficient, relatively low gate count hardware implementation) but pivoted to block ciphers since the ~80s.
More generally, I think the distinction between a "block-based stream cipher" and a block cipher (or permutation) mode is the degree to which you abstract away the block cipher. Personally I wouldn't put them together. Counter mode completely abstracts away the cipher, assuming it is an idealized pseudorandom function; sponge-based modes also abstract away the permutation as ideal in most cases; stream ciphers usually do not do this, and use weaker (but still sometimes block-based) primitives to generate output. There are, for example, sponge modes that use very few rounds past the initialization, which makes them more streamy than spongy. So their cryptanalysis is often different.
> More generally, I think the distinction between a "block-based stream cipher" and a block cipher (or permutation) mode is the degree to which you abstract away the block cipher.
Just to make sure I understand you correctly, for example:
- CTR: definitely a stream cipher, and a synchronous one at that
- CBC: maybe a little like a stream cipher (you're e.g. exposed to the block width, and also less like most stream ciphers because asynchronous)
- AEZ: extremely not (because you're exposed to round counts)
That makes perfect sense to me, since that's where I felt the analogy started getting tenuous :)
> I don't think there have been any new designs for a good while that didn't.
Every entry in CAESAR that I've studied is either based on a block cipher or a hash function. A lot of them use AES internally, but others (MORUS, NORX) used their own designs.
There are no RC4-esque stream ciphers being taken seriously these days, for good reason.
Well, technically it's a question of block size? I'm not aware of any cipher with less than single bit size... And often you'd want byte size at least?
I suppose you could design a cipher that worked on partial bits... But it's difficult to see why...
Because the book tries to produce a narrative where new features are introduced out of obvious necessity: in this case, encrypting more than a block. And you can do that with modes of operation or "native" stream ciphers. Essentially I'm handwaving and pretending that e.g. AESCTR is just a stream cipher :-)
Chapter 6 is block ciphers, Chapter 7 is stream ciphers.
Also, the first lines in chapter 7:
Let’s try to build a stream cipher using the tools we already have. Since we already have block ciphers, we could simply divide an incoming stream into different blocks, and encrypt each block...
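The handwave that "AESCTR is just a stream cipher", and the chapter 7 excerpt about dividing a stream into blocks, can be made concrete in a few lines. This is an added example, not from the book and not from anyone in the thread: counter mode written against an abstract block-sized function, so the cipher is entirely abstracted away, which is the point an earlier comment makes about CTR assuming an idealized pseudorandom function. To keep it dependency-free, the block function is a truncated HMAC-SHA256 stand-in rather than AES (an assumption of this example, chosen so it runs anywhere, not a recommendation); all function names are this example's own. It also carries the caveat that comes with treating CTR as a stream cipher: reusing a nonce reuses the keystream, so the XOR of two ciphertexts equals the XOR of the two plaintexts, which is the problem "nonce misuse resistance" constructions exist to address.

```python
import hashlib
import hmac
import struct

BLOCK_SIZE = 16  # bytes per keystream block, matching AES


def prf_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Stand-in for E_k(nonce || counter).

    Assumption of this example: HMAC-SHA256 truncated to 16 bytes plays the
    role of the block cipher. CTR only needs a keyed pseudorandom function,
    so an AES call could replace this body without touching anything else.
    """
    msg = nonce + struct.pack(">Q", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK_SIZE]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Concatenate PRF outputs for counters 0, 1, 2, ... until `length` bytes.
    Truncating the last block is what lets a block function encrypt a
    message whose length is not a multiple of the block size."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += prf_block(key, nonce, counter)
        counter += 1
    return bytes(out[:length])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: both directions are XOR with the same keystream,
    exactly as for a synchronous stream cipher."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def nonce_reuse_leaks_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Demonstrate the stream-cipher failure mode: encrypting two messages
    under the same (key, nonce) gives the same keystream, so
    c1 XOR c2 == p1 XOR p2 over their common prefix, with no key involved.
    Returns True when that equality holds."""
    c1 = ctr_xor(key, nonce, p1)
    c2 = ctr_xor(key, nonce, p2)
    n = min(len(p1), len(p2))
    ct_xor = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    pt_xor = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return ct_xor == pt_xor


if __name__ == "__main__":
    # Constructed sample values for the demo; not real key material.
    key = bytes(range(16))
    nonce = b"\x00" * 8
    msg = b"37 bytes: not a multiple of the block"
    ct = ctr_xor(key, nonce, msg)
    print("round trip ok:", ctr_xor(key, nonce, ct) == msg)
    print("nonce reuse leaks p1 XOR p2:",
          nonce_reuse_leaks_xor(key, nonce, msg, b"second message"))
```

The design choice worth noticing is that `ctr_xor` never sees a block boundary: message length, block width and the cipher itself are all hidden behind `keystream`, which is why CTR reads as a stream cipher while CBC, which feeds each ciphertext block back into the next, does not.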
> Man, that's nice you have written a book, now plant a tree, have a baby, and relax... take a constructive review on your work. Use it to improve that version.
Your feedback isn't really actionable. How is the author supposed to use anything about your feedback to "improve that version"?
The purpose of the book is explicitly to mint developers who can responsibly build cryptographic features, not mint cryptographers -- so a detailed look at e.g. differential cryptanalysis is pretty clearly out of scope. AES is pretty much a perfect PRP and that's all you oughta care about.