
How Not to Learn Cryptography (2014) - lucas-piske
http://esl.cs.brown.edu/blog/how-not-to-learn-cryptography/
======
zeroxfe
I've been working through the Cryptopals Crypto challenges
([https://cryptopals.com](https://cryptopals.com)) over the last month-and-a-
half (almost done with Set 6), and they've been extremely educational.

Attacks that I thought were just "theoretical" turned out to be very practical
(sometimes even quite simple). I've always known that one shouldn't roll their
own crypto because there's so many ways to shoot yourself -- but holy hell,
executing some of these attacks really drives the point through.

(Also, I've learned more number theory in the last few weeks than in my whole
life!)

If anyone's interested, I've been solving them in Go (which turned out to be
surprisingly convenient for many reasons), and my solutions (so far) are here:
[https://github.com/0xfe/cryptopals](https://github.com/0xfe/cryptopals).

~~~
loup-vaillant
Cryptopals strikes me as a very good way of scaring people away from not only
inventing, but also _implementing_ their own crypto. It seems its primary
effect is to make people confident enough to repeat the "don't roll your own
crypto" mantra to anyone who would listen.

Some people however don't really have a choice. "Just Libsodium" doesn't work
on anything smaller than a Raspberry Pi, or pretty much any embedded system
out there. There are alternatives out there (shameless plug:
[https://monocypher.org](https://monocypher.org)), but sometimes your only
choice is to code and optimise it yourself.

Sometimes, your only reasonable choice is to implement your own crypto. And I
can tell from experience, a few weeks of full time learning is enough to not
shoot yourself in the foot. The trick is to learn the right things (not
everybody can spend a few weeks with Dan Boneh), but if you limit yourself to
simple primitives like Chacha20 and Curve25519, it's not that hard. (Fun fact:
I did _not_ spend a few weeks with Dan Boneh, and I _did_ shoot myself in the
foot once.)

Because let's be honest: you don't need to know all the attacks to protect
yourself from them. What you need to know is the relevant _classes_ of
attacks, and how to avoid them. For instance, all timing attacks are stopped if
your code runs in constant time (which in practice mostly means without
secret-dependent branches and without secret-dependent indices).
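The two rules at the end of that comment, shown in code. This is an added example written for this page, not code from any commenter, from Monocypher or from libsodium: a tag comparison that exits at the first mismatch (a secret-dependent branch) next to one that always does the same work, and a table lookup that reads every entry and selects with a mask instead of indexing by the secret. The 16-byte tags and the lookup table are constructed sample data for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: an "expected" MAC tag, a correct candidate and a
   candidate that differs only in its last byte. */
static const uint8_t EXPECTED_TAG[16] = {
    0x3a, 0x7f, 0x12, 0x9c, 0x55, 0xe0, 0x01, 0xb8,
    0x4d, 0x66, 0x2f, 0x90, 0xcc, 0x11, 0xa5, 0x7e };
static const uint8_t GOOD_TAG[16] = {
    0x3a, 0x7f, 0x12, 0x9c, 0x55, 0xe0, 0x01, 0xb8,
    0x4d, 0x66, 0x2f, 0x90, 0xcc, 0x11, 0xa5, 0x7e };
static const uint8_t BAD_TAG[16] = {
    0x3a, 0x7f, 0x12, 0x9c, 0x55, 0xe0, 0x01, 0xb8,
    0x4d, 0x66, 0x2f, 0x90, 0xcc, 0x11, 0xa5, 0x7f };
/* Constructed 8-entry table, e.g. an S-box row, indexed by a secret value. */
static const uint32_t SAMPLE_TABLE[8] = { 100, 200, 300, 400, 500, 600, 700, 800 };

/* Variable-time comparison, the shape a timing attack exploits: it returns at
   the first mismatching byte, so the running time reveals how many leading
   bytes of the candidate are correct. Kept only to contrast with ct_equal(). */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])   /* secret-dependent branch */
            return 0;
    }
    return 1;
}

/* Constant-time comparison: visits every byte regardless of content and ORs
   the XOR differences together. Nothing in the loop depends on the data, and
   the final 0/1 reduction uses arithmetic rather than a branch. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    /* (acc - 1) wraps to 0xFFFFFFFF exactly when acc == 0, so bit 8 is set
       only for "all bytes equal". */
    return (int)((((uint32_t)acc - 1u) >> 8) & 1u);
}

/* Branch-free mask: all ones when x == y, all zeros otherwise. */
static uint32_t ct_mask_eq(uint32_t x, uint32_t y)
{
    uint32_t d  = x ^ y;                 /* zero iff x == y        */
    uint32_t nz = (d | (0u - d)) >> 31;  /* 1 iff d != 0           */
    return nz - 1u;                      /* 0xFFFFFFFF iff d == 0  */
}

/* Constant-time table lookup: table[secret] would turn the secret into a
   memory address, which cache-timing attacks can recover. Instead, read every
   entry and keep the wanted one with a mask; the access pattern is the same
   for every value of `secret`. */
uint32_t ct_lookup(const uint32_t *table, uint32_t len, uint32_t secret)
{
    uint32_t result = 0;
    for (uint32_t i = 0; i < len; i++)
        result |= table[i] & ct_mask_eq(i, secret);
    return result;
}

int main(void)
{
    printf("leaky_equal(good) = %d, leaky_equal(bad) = %d\n",
           leaky_equal(EXPECTED_TAG, GOOD_TAG, 16),
           leaky_equal(EXPECTED_TAG, BAD_TAG, 16));
    printf("ct_equal(good)    = %d, ct_equal(bad)    = %d\n",
           ct_equal(EXPECTED_TAG, GOOD_TAG, 16),
           ct_equal(EXPECTED_TAG, BAD_TAG, 16));
    printf("ct_lookup(table, 3) = %u\n", ct_lookup(SAMPLE_TABLE, 8, 3));
    return 0;
}
```

Both functions return the same answers; the difference is only in what their running time and memory accesses reveal. Two caveats a practitioner would want: a C compiler is free to turn the mask arithmetic back into a branch or a conditional move, so check the generated assembly for the target you ship on, and prefer the library routine when one exists (libsodium's `sodium_memcmp` / `crypto_verify_32`, Monocypher's `crypto_verify16/32/64`) over a hand-rolled compare.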

~~~
tptacek
What's rough about implementing your own crypto is that sometimes you screw it
up, as you well know. When you screw up an attack, nobody suffers. Not so for
novel implementations of primitives that you provide to others.

~~~
tialaramex
Looking at Cryptopals in particular it's not ideal that you need to get
through dozens of other exercises before you finally email off to the authors
and start to run into problems concerning today's fan favourites like Elliptic
curve DH.

I'm at home even more than usual now (for obvious reasons) but even then I
suspect I will get distracted before I get as far as say, Challenge 42 which
is - though still relevant and I get that it makes sense to drum that in -
ancient history by today's standards, let alone Set 8.

As a result Cryptopals feels like it recapitulates history from the point
where the authors got into the industry and so may unintentionally mislead. I
remember your surprise when it turned out Microsoft hadn't done the necessary
checks for a curve based signature algorithm and so they'd actually been
shipping code that would accept bogus signatures. My instinct is that
Cryptopals challenges would be more effective (but might make some people
involved less comfortable) if they rearranged some of the 21st century attacks
on those "fan favourite" algorithms into earlier sets instead of accumulating
them in Set 8.

I dunno maybe this is like complaining that my school maths textbook (first
written in the 1940s I swear I'm not that old) assumes you'll use log tables
rather than a calculator. But the Cryptopals challenge site clearly doesn't
seem to _think_ it's a historic artefact, so it shouldn't act like one.

~~~
psanford
Set 8 questions can be found here:
[https://toadstyle.org/cryptopals/](https://toadstyle.org/cryptopals/)

~~~
tialaramex
Thank you, it's unlikely I'll get that far (yesterday I wanted to do six
things, it is now 0240 and I am starting the first one...) but even if I don't
end up using it somebody else might.

------
colmmacc
I don't think you need even an undergraduate education in mathematics to get
into cryptography; for many people it's the other way around. Cryptography can
be a great motivator to learn the underlying math. Concepts that may have
seemed too abstract to be useful suddenly become practical tools that help you
build something that solves a real problem.

I love my colleagues who have come from cryptography research programs; they
are awesome! But the majority of my colleagues working on cryptography in
practice come from software and security engineering backgrounds. You might
think that is just a dividing line between folks who design and analyze
cryptography, and those who implement it, but I don't think so. I've seen
folks from both backgrounds be able to work on cryptography design and
implementation.

~~~
vsareto
IANAC but would the lattice stuff or the other post-quantum stuff require it?
"Not having a solid math education" might be a condition with an expiration
date if so.

~~~
colmmacc
I'm saying that working on Cryptography can also be a solid math education.
You can start with very basic high-school math; primes and finite fields,
extend to algebra, formal logic, information theory, codes, probability,
elliptic curves, isogenies, lattices. They can build on one another, but by
actually building some things. It's a great way to learn.

------
barbegal
This seems to boil down to:

> If you can, just get a Ph.D. at a place with a good crypto group (remember
> that Ph.D.'s in computer science are effectively free)

Which I'm not sure is great advice except for someone who wants a full-time
career in cryptography. And if you want a career in cryptography it's fairly
obvious that the most well-trodden route is via a PhD (which is definitely not
free when you compare it to how much you could be earning in industry with a
compsci or math degree).

~~~
thevirtuoso1973
Can anyone elaborate on how CS Ph.D.'s are 'free'? Does this apply to UK
universities?

I'm aware of scholarships but I'm not from an under-represented background nor
am I a genius. I suppose the student loan would cover the costs but I don't
consider that free.

~~~
tialaramex
I've dropped out of a PhD programme in the UK (many years ago) so perhaps I
can help.

It is usual for PhD students to have tuition and a small stipend for their
living expenses paid for by government. The government knows perfectly well it
needs some supply of researchers, the old ones eventually die so you need to
train new ones and a PhD course is how you do that.

A particular university Computer Science department might have say, six slots
this year for PhD students. It needs not only the money (which you could if
you're wealthy just pay for yourself) but also experienced staff willing to
supervise these students which may be a more limiting factor. If it has eight
capable applicants versus six slots then yes, you might get refused, but it's
rare for there to be a huge imbalance between the number of applicants and
available slots such that you'd need to be a "genius".

If you have a good (say first or upper second honours) undergraduate degree in
the same or closely related area, and you can find a PhD topic and a doctoral
supervisor, in Computer Science they can probably make the money happen.

You will not be wealthy (the stipend is small), but you should be too busy to
notice and you're hanging out with other students who haven't got any money
anyway.

------
non-entity
> (1) developing mathematical maturity;

This has stopped me from learning so many things at this point it's not even
funny.

~~~
markus_zhang
Math maturity is probably unavoidable for some of the topics out there. But
there are so many more in CS that don't require a ton of it.

~~~
ruang
Best courses for mathematical maturity besides the standard CS ones? I'm
thinking Algebra, or maybe Real Analysis.

~~~
markus_zhang
Yeah, both are good. Basically anything that forces you to prove a lot of
theorems that look trivial (but are not easy to prove) is good because they
build up a system from small theorems. Back in school we used Rudin for Real
Analysis and it's a good textbook. But I'd recommend taking a class if you are
still in university because Math is a bit tricky for self-study IMO. If you
already graduated maybe follow some MOOC.

I'd actually recommend Number Theory if you want more fun or if you are
interested in Cryptography, which is related to CS. Elementary Number Theory
throws you tons of questions that even a toddler can understand, but you might
bang your head against walls for nights to prove them.

~~~
ruang
Thanks, I'm doing a Masters now and I was planning on taking Number Theory and
Abstract Algebra next term. I took mathematical cryptography this term and it
got me interested in more related math.

~~~
markus_zhang
That's pretty much enough for anyone who wants to have Math Maturity. Good
luck!

------
xtajv
tl;dr:

To learn about some cryptography fundamentals:

* Read Katz & Lindell's Introduction to Modern Cryptography

* If you're missing math background, read Timothy Gowers' blog

* Supplement: Take Jonathan Katz's and Dan Boneh's MOOCs (links in post)

To get to the point where you can "design/analyze crypto protocols" (and maybe
know what you're doing):

* Read Oded Goldreich's Foundations of Cryptography (Volumes 1&2)

* Try to have quasi-intelligent conversations with real cryptographers (advice for this in blog post)

* Get a PhD somewhere with a good crypto program

edit: formatting

~~~
wegs
"Applied Cryptography" is the best-written book on this topic that I know of.
Author is a brilliant communicator. Esp. the section on cryptographic
protocols should be required reading for any computer scientist. It's not
overly rigorous or mathematical, and has a lot of informality and humor, so
it's a fairly light read. You don't need a lot of mathematical maturity to
read it (and reading things like this helps develop mathematical maturity).

Unfortunately, the 2nd edition adds "50% more words, 7 more chapters, and over
1600 new references." I thought the first edition was better in length. It was
novel-length, and reads as well as a novel. Going from long-ish novel to
short-ish trilogy makes this somewhat less readable. But c'est la vie.

------
anvarik
well that page is not even on https

~~~
hmwhy
Glad to see that I'm not the only one triggered by the irony. :p

~~~
machrider
I was really amused by this. Also if you _try_ to visit over HTTPS, it serves
up an expired certificate.

------
anaphor
I can't figure out who wrote this article, and the site doesn't really make it
clear if it's one person's blog or not. Anyone know?

Edit: someone else answered already
[https://news.ycombinator.com/item?id=23386815](https://news.ycombinator.com/item?id=23386815)

------
kragen
Who is this by? There doesn't seem to be an author listed at either the
beginning or the end.

~~~
lucas-piske
Hi kragen. It was written by one of the Lab's directors. Here is a link to his
page: [http://cs.brown.edu/~seny](http://cs.brown.edu/~seny)

~~~
kragen
Thank you!

