
Handbook of Applied Cryptography (2001) - sirsar
http://cacr.uwaterloo.ca/hac/
======
ReidZB
I'm an aspiring cryptographer and this book is hands-down one of the best
references for applied cryptography out there today. Don't let the date fool
you; cryptography is an area where maturity is well appreciated.

It's also fantastic that the whole thing is available online, but believe me
when I say that the text is well worth the price if you ever find yourself
needing a good cryptography reference. Some other good references are
_Introduction to Modern Cryptography_ by Katz and Lindell, _Foundations of
Cryptography_ by Goldreich (both volumes), and _The Codebreakers_ by Kahn (for
history of cryptography).

There are other good references, of course, but I find myself referring to the
ones above the most. However, I am naturally biased towards texts that take a
theory-based approach.

~~~
tptacek
I guess you could argue that the advent of quantum computing is making
everything old, like McEliece, new again. But I disagree with your premise.
This book was written at a time when elliptic curves were more useful as a
factoring method than as a cryptographic design tool.

Modern concepts, algorithms, and constructions that a designer might not have
at their disposal if they rely on Menezes:

* Elliptic curve cryptography, which is supplanting RSA (and Rabin) and conventional DH, both of which are looking increasingly sketchy in 2013.

* Secure RSA padding for encryption (OAEP) and signatures (PSS), or, really, any discussions of the problems that motivate those formats --- Menezes does point out that you don't want to use low-public-exponent RSA with repeated messages, but a modern take on RSA would say that you don't ever want to send repeated messages at all.

* Counter mode, which is presented briefly as a small tweak to OFB mode with no description of its pitfalls; CTR is the second-most popular mode used today and increasingly the first choice of new systems.

* Modern bulk encryption --- XEX, XTS, &c.

* Encrypt-then-MAC (Menezes presents the opposite); in fact, modern crypto is at pains to ensure that encryption and integrity are co-specified and interoperate safely; a designer could be forgiven for reading Menezes and not including explicit integrity checks at all.

* The authenticated encryption modes CCM, GCM, EAX, and OCB.

* Modern CSPRNGs, including entropy collection and management and handling the cold-start problem.

* Any discussion of side channel attacks (in fact, Menezes predates Vaudenay's and Bleichenbacher's block cipher and RSA [respectively] error side channels so doesn't even discuss padding oracles).

It's _not_ true that robust cryptography appreciates maturity. The ~twenty
years since Menezes wrote HOAC haven't just been spent inventing whizz-bang
new toys, but also in finding new ways to break the old toys. You're not
always OK if you eschew the new stuff for the "mature" stuff; some of the
mature tools are perilous to work with now.

That's an annoying thing about working with crypto (and a fun thing about
breaking it) --- designers have to know what parts of the literature they need
to adopt, like safe RSA padding schemes, and what parts they need to hold off
on, like homomorphic encryption.

For what it's worth: I like Menezes a lot as a resource for practicing
attacks. Menezes also does a much better job on theory than even _Practical
Cryptography_ (which is a great book, and probably the only crypto book most
people should own). It's a good book. Just be careful working from it.

(I'm not trying to call you out; I just think this is a fun thing to talk
about.)

~~~
pbsd
> RSA (and Rabin) and conventional DH, both of which are looking increasingly
> sketchy in 2013.

May I ask why you say this? (Not agreeing nor disagreeing, just curious.)

~~~
sillysaurus
Elliptic curve cryptography isn't vulnerable to quantum computing. _EDIT: This
is mistaken. I was thinking of lattice-based cryptography, which isn't
currently vulnerable to quantum computing._

In the video game Final Fantasy, there's a spell called "Doom" which places a
countdown over your head. When it reaches 0, you die.

RSA is Doomed in exactly that sense: it's just a matter of time before RSA
offers zero security, whereas elliptic curve cryptography remains (for now)
unbroken.

~~~
pbsd
It is [1]. Quantum computers, using Shor's algorithm, polynomially break any
specialization of the abelian hidden subgroup problem; see [2] for a fairly
complete list.

Whatever reason to prefer elliptic curves over integer factorization or
discrete log-based schemes must be classical.

[1]
[http://arxiv.org/abs/quant-ph/0301141](http://arxiv.org/abs/quant-ph/0301141)

[2] [http://pqcrypto.org/quantum.html](http://pqcrypto.org/quantum.html)

~~~
sillysaurus
Oh.

Then which (if any) algorithm is currently believed to be safe from quantum
computing?

I think I was thinking of lattice-based cryptography.

~~~
tptacek
There's a bunch of them. There's no known quantum algorithm for quickly
decoding binary linear codes, so McEliece is one. The Closest Vector Problem
in linear algebra is another trapdoor that may be QC-resistant.

You didn't ask, but it's worth saying: block ciphers, stream ciphers and hash
functions aren't thought to be fundamentally threatened by QC the way IFP and
DLP number theoretic cryptosystems are.

------
autodidakto
mkdir HoAC_tmp
cd HoAC_tmp
# recursive, no parent dirs, one level deep, PDFs only, no directory structure
wget -r -np -l 1 -A pdf http://cacr.uwaterloo.ca/hac/ -nd
# concatenate the chapter files in reading order into one PDF
pdftk toc3.pdf chap1.pdf chap2.pdf chap3.pdf chap4.pdf chap5.pdf chap6.pdf \
  chap7.pdf chap8.pdf chap9.pdf chap10.pdf chap11.pdf chap12.pdf chap13.pdf \
  chap14.pdf chap15.pdf appendix.pdf references.pdf index.pdf cat output \
  "../Handbook of Applied Cryptography.pdf"
cd ..

~~~
malandrew
Install pdftk from here first:

[http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/](http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/)

~~~
SkyMarshal
It's in most linux repos too.

------
thiagoc
All-in-one pdf:
[http://aws.thiagoc.net/HoAC.pdf](http://aws.thiagoc.net/HoAC.pdf)

