
A Graduate Course in Applied Cryptography - throw0101a
https://crypto.stanford.edu/~dabo/cryptobook/
======
pthreads
Related to this, in case anyone is wondering if Cryptography II course by Dan
Boneh will ever be offered on Coursera (It's been listed forever but without a
start date). He mentioned that it will but most likely after this book is
finished.

~~~
hwestiii
I’ll believe it when I see it. I took the I course (which was excellent) 6 or
7 years ago and gave up on II after the third or fourth cancellation. Should
also be good if it ever actually happens.

~~~
bradleyjg
Duke Nukem Forever finally came out 14 years later, so maybe we are halfway
there.

~~~
tialaramex
That seems like an ill omen because DNF was not only years late it was also
not very good when it shipped.

I think people are hoping for Cryptography II to be more Terminator 2 than
Duke Nukem Forever in terms of sequels.

------
chrispeel
Chapter 16 focuses on post-quantum crypto, including lattices. I see that it
(and chapter 17) remains unfinished. Boneh certainly knows lattice tools; it's
interesting to me that neither he nor his students seem to be in a hurry to
work on lattice-based crypto. Perhaps this is a signal that they aren't
worried that a quantum computer capable of cracking current systems will
arrive anytime soon.

~~~
hailwren
I think, generally, the concern with quantum resistant cryptography is that,
like homomorphic encryption schemes, it’s unworkably slow right now.

~~~
craftinator
Have quantum computers managed to break any sort of cryptography at this
point? Even schemes that have been broken by classical computers? I have heard
so much speculation on this, for over a decade now, but I haven't seen
anything close to application. Can anyone provide insight on this?

~~~
mcpherrinm
We haven't gotten quantum computers to do anything faster than classical
computers, except possibly contrived problems designed to be fast on quantum
computers.

We have factored some small numbers on quantum computers but nothing a
classical one couldn't do in a split second.
[https://en.wikipedia.org/wiki/Integer_factorization_records](https://en.wikipedia.org/wiki/Integer_factorization_records)
/ [https://arxiv.org/abs/1805.10478](https://arxiv.org/abs/1805.10478)

~~~
jason13579
Quantum Computing is now at the stage that standard ICs were at in the
early sixties. Back then, chips were made of a few dozen transistors and
couldn’t really do anything. It will take a while for quantum computers to
really become a threat to cryptography, though at some point they definitely
will (in my opinion).

Regarding the "except possibly contrived problems designed to be fast on
quantum computers" part: That’s their entire purpose. They cannot and will
never be faster for all applications compared to a classical computer. They
are designed to solve some very special problems efficiently, such as solving
dlog and RSA using Shor's algorithm or database search using Grover.

~~~
buzzkillington
What's Moore's law like for quantum computers?

~~~
c1own
We have Neven's law:
[https://www.quantamagazine.org/does-nevens-law-describe-quan...](https://www.quantamagazine.org/does-nevens-law-describe-quantum-computings-rise-20190618/)
which states that quantum computers are getting
_doubly-exponentially_ better relative to classical computers. First, they are
exponentially better than classical computers. Second, they are getting
exponentially better. Hence, Neven's law. One needs to define "better"
formally (with number of qubits, gate fidelities, coherence times,...) to
graph progress, but the idea is that they can do more.

~~~
wbl
BQP is not NP. There is an exponential speedup for very few interesting
problems.

------
marknadal
A useful primer for those uninitiated:

Cartoon Cryptography

1min animated series that explains cryptography with cooking analogies

[https://gun.eco/docs/Cartoon-Cryptography](https://gun.eco/docs/Cartoon-Cryptography)

~~~
bscphil
> Most websites you use today have fake security. When you log onto their
> service, your password gets sent up to their proprietary servers. There they
> check to see if it is correct and grant you access to your data.

> Sure, their servers might be in a top secret location. But the problem is
> that they know your password. Which means any bad actor, like a rogue
> employee, a hacker, or a government agency can snoop on your data without
> you knowing.

What on earth?

~~~
c1own
So... my understanding---please correct me if I'm wrong---is that the current
practice is to send the password in plaintext to the server over a TLS
connection. While this might not be the coolest way to do this (there might be
something like a ZK-proof) it is the standard way. Also, why is it not okay
for the person who controls the server on the other end to have a plaintext
copy of your password? We hash passwords to protect against a 3rd party who
gets a data dump, not against people who control the servers. (If you control
the servers, you can change the protocol!)
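
The split c1own describes, as an added example that is not part of the thread: the server receives the plaintext password on every login, while the table it stores (what a data dump exposes) holds only a salt and an scrypt hash. The function names, scrypt parameters and in-memory table are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; tune for the deployment.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

# Constructed in-memory "users table": username -> (salt, scrypt hash).
# This is everything a third party with a data dump would obtain.
users = {}


def register(username: str, password: str) -> None:
    """Server side: the plaintext arrives over TLS, only salt + hash are kept."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    users[username] = (salt, digest)


def login(username: str, password: str) -> bool:
    """Server side: the plaintext is needed here to recompute the hash."""
    record = users.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def dump_contains_password(password: str) -> bool:
    """True if the stored table holds the password bytes in readable form."""
    needle = password.encode()
    return any(needle in salt + digest for salt, digest in users.values())


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed sample
    print(login("alice", "correct horse battery staple"))
    print(dump_contains_password("correct horse battery staple"))
```

The hash protects the stored table only; `login` still handles the plaintext, which is the trust in the server operator that the replies below argue about.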

~~~
tialaramex
It's not OK for two reasons, one a tiny bit paranoid, the other much less so.

1. The server operator might accuse you of doing something, offering as proof
a record that "you" logged in, but actually they knew the password so it was
them.

This seems kind of silly if the server is a forum about a video game you like
and the consequence of the alleged wrongdoing is a permanent ban. But if the
server is your bank, and the consequence is they convince a jury you tried to
commit fraud and you go to jail when actually their employee has stolen your
money using access to your password... that's pretty serious.

2. People re-use passwords. They know they shouldn't, but they do anyway. So
"of course" the operator of "Puppy Fan Forum" knows your password, but it's
also the password for your Amazon account, and next thing you know there's
$1000 of dog treats billed to your credit card going to the operator's home in
Ohio.

~~~
c1own
Sorry for the late reply.

1. This is actually good news. It provides deniability. You can, for
instance, do something bad and then claim that the owner did it.

2. People _really_ shouldn't reuse passwords, but I see your point.

------
auiya
If it's anything like the one they teach at Georgia Tech, this is a quite
difficult course. Boneh's a great instructor though.

~~~
wan23
It just so happens that I just started the Georgia Tech course this week. What
topics would you say are the most difficult? Any tips?

~~~
bitL
Number theory.

~~~
brintnc
This. I went into my 400 level cryptography class with 0 Number Theory
knowledge as it wasn't a prerequisite. Big mistake, it should've been. My
lowest grade in college and I still busted my ass.

That being said, it was incredibly interesting and I do not regret it.

~~~
auiya
Ditto, I ended up taking the course twice.

------
stblack
I would love to see a diff between this version and the prior version (Version
4, Sep. 30, 2017) which I've consulted extensively.

I wish this book was in a public git, TBH.

------
thecleaner
Side Note - I really admire Stanford's commitment to open education. The
professors there have released so much high quality material for free.

~~~
techsin101
Links?

------
HenryKissinger
How much cryptography is actually used in commercial applications? Having
hundreds of pages of arcane (but highly interesting!) theory is great, but if
it's not applied to real systems, like in banking, then its usefulness is
limited, to say the least.

Edit: I don't know why I'm being downvoted.

~~~
CiPHPerCoder
All of Part I and sections 10-15 of Part II are deployed ubiquitously in most
of the world today. As is section 22 of Part III (WireGuard, WPA3, TLS, etc.
use AKEs).

The rest of it appears to consist of "areas that theoretical cryptographers
are refining in preparation for real world use". This is the stuff that will
be deployed in the real world come 2030.

So, to answer your question: More than half of it is actually used today, and
at least 80% of it will be used soon. If you're going to take a course in
this, it's better to be ahead of the curve than behind it. (Otherwise, we'll
all be suffering through textbook RSA ad nauseam.)

~~~
HenryKissinger
That's a lot more than I expected.

~~~
CiPHPerCoder
There's a conference going on right now at Columbia University in New York
called _Real World Cryptography_ if you're interested in seeing what the
state-of-the-art looks like for real-world deployment.

[https://twitter.com/realworldcrypto](https://twitter.com/realworldcrypto)

[https://rwc.iacr.org](https://rwc.iacr.org)

------
kalos
I think many of us would be happy for a paragraph on EdDSA!

------
idiot900
Many years ago I took a class taught by Victor Shoup, which I found extremely
difficult but overall a great experience. Really smart guy.

------
mister_hn
Some time ago there was a free course on Cryptography, also promoted by Mikko
Hyppönen, and that was really well done.

------
bitL
What's the price via SCPD? Usual $5200?

~~~
motivic
A 4-credit course is $5000 and a 3-credit course is $3900 (don't ask me why
the cost per credit for each is not the same). There is also a one-time $200
transcript service fee.

With that said, if your employer has an educational plan that can cover the
cost, then it is definitely worth pursuing. I am working on an AI graduate
certificate and have just completed CS 221. The level of rigor in instruction
and course work is far better than any online MOOC course I've taken.

------
ianai
At 900 pages I can’t help but be humbled.

