Another great crypto resource (though it's really an intro course) that's out there is the Cryptography course on Coursera: https://www.coursera.org/learn/crypto. It's taught by Dan Boneh who, in addition to being a genius, also happens to be incredibly talented at explaining crypto concepts in a way that leads to deep understanding. It's a great treat watching him write out and explain different proofs from memory.
After taking these two crypto courses, I signed up for CS155 https://crypto.stanford.edu/cs155/, which is his undergrad class on security at Stanford (they were offering it through their professional center, I don't think they still offer it, which is a bummer)
The Manga Guide series has been surprisingly good in general. Not the most in depth stuff but generally quality intro texts.
Unfortunately from the preview the typesetting of the English translation in the new crypto book looks awful. Hopefully the actual content is still of good quality.
This is a class for folks trying to understand the theory behind modern cryptography rigorously; it focuses on the theoretical foundations of crypto like one way functions and PRGs and builds up from them.
This course will not teach you how to implement crypto, but the material here is incredibly important to understanding the abstractions and reasoning behind modern cryptographic constructions, and is a prerequisite to becoming good at implementation aspects of crypto.
What is a typical path for those who want to follow this as a career? Is it mostly PhDs in academia? Or governments? Or industries? How do they fall as a distribution?
I worked on the Windows crypto team for a few years. Learned a ton about this area. Most of the work, however, is plumbing. Only a tiny fraction of crypto work is actually on algorithms and that’s mostly performance related.
The interesting thing about Crypto performance tuning is that you really have to ensure that no logical path does a different amount/kind of work than another(i.e. no short circuiting). I used to not think much of it until I saw an RSA private key recovered via acoustic analysis of capacitor whine due to a short circuit condition in a function to multiply two large numbers.(this was using a recent release of openssl) To my knowledge no other area of programming really has this pitfall
If this "I saw" has any further public details, I'd absolutely love to learn more, and I'm pretty sure others would as well.
In particular, I'm especially interested in electrical or real-world attacks - such as capacitor whine! - that can be applied a weakened security situations like asymmetric logic/branching. I vaguely recall CPU voltage fuzzing is a thing, I want to go learn more about that at some point.
I couldn't find the specific lecture/demo that I went to, but I found a video by the same guy with a similar presentation elsewhere. Coincidentally he's also one of the researchers who published the original paper on Meltdown
For the crypto itself, yes. These colleagues had specialized at university and studied afterwards. For the plumbing portions, it’s mostly excruciatingly detail oriented bit manipulation combined with standard windows kernel / core development. I also read a LOT of RFCs.
Most people with full-time crypto jobs have graduate degrees in cryptography. FAANG-type tech giants hire single-digits crypto people per year. What we did at the NCC Cryptography Services practice (a team of non-PhDs working almost entirely on offensive crypto) was pretty anomalous --- and that team is now led by Thomas Pornin, who has a graduate degree in cryptography. :)
Followup: I was asked offline, with a bunch of counterexamples, whether you need to go to school to be good at crypto. I want to be clear that I'm offering career advice here, not technical advice. For the record, I have something like 2 credit hours towards an LAS bachelors from 1995 and nothing else. :)
It's just my observation that people with full-time jobs in cryptography all (with some exceptions that I think prove the rule) have graduate crypto degrees. I'll venture a guess: there are more crypto PhD's interested in jobs in industry than there are full-time crypto jobs in the industry to give them.
I think people probably underestimate just how specialized serious cryptography is as a practiced skill in the industry.
(Also: I mean "crypto" as in "cryptography". Lord knows what's going on in the Monero mines.)
Edit: see tptacek’s reply. He knows that corner of the world far better than I do.
From my external observation there are two main career paths: the math side and the coding side (djb does both, but he’s djb).
For the math side, a PhD is the most likely path to break in. If you are some kind of autodidact genius and were to publish a theoretical attack on an important crypto system, you could probably get involved without a PhD.
On the coding side apparently the best way to break into writing secure code is to first break insecure code+. I don’t know if this is a reasonable filter or not, but it seems to exist. Some people are perfectly happy to stay on the break code side of things and never move to the write code side. If you think you might like this sort of thing check out the cryptopals ctf that should be floating around.
+ meaning find a side channel, some place where a nonce is reused, etc, etc. If you find a way to factor quickly in a particular ECC ring that’s the prior paragraph.
Software security people do not generally move into full-time cryptography jobs --- or, for that matter, test much cryptography at all (more's the pity). The people who code crypto generally have crypto degrees.
I don't know if there is a typical career path here. I work in this space and see people from all over.
Working on the math side of it really does require a PhD and several published papers.
Working on the implementation requires mostly a healthy sense of paranoia and willingness to really pay attention to the details. After that it really is about experience, practice and lots and lots of code review.
If you think you're interested in doing this and you're in the NYC area, I would be happy to chat with you. We do have a few openings. I have contact info in my profile.
I have a graduate degree in mathematics and my field of study is cryptography. I will echo what another commenter said about there being more cryptographers than there are positions available in industry to work on "hard" cryptography. As a result, approximately all cryptographers - both applied and theoretical - have graduate degrees. Successful cryptographers without such degrees (like Moxie Marlinspike) are extraordinarily rare.
There are basically three sectors which will hire people to predominantly work on cryptography.
1. First and foremost you have academia and the public sector. You can try to get tenure at a university or you can join the NSA. This has a healthy mix of applied and theoretical work.
2. Second you can join an industrial research lab. The biggest ones are Microsoft Research, IBM Research, Galois Inc and Google Research. For the most part you'll be working on publishable research with an eye towards things that can be shipped in some way. Isogeny cryptography originally came out of Microsoft in the early 2000s and Craig Gentry (the person who invented the first working example of fully homomorphic encryption) now works at IBM.
3. Third you can join a security consulting firm which is either focused on cryptanalysis or which has a division dedicated to it. The most well known in this arena would be NCC Cryptography Services, Riscure and Cryptography Research (now a division of Rambus).
This is kind of a continuum. You won't get tenure as an academic researcher without a PhD and it will be hard to get into the NSA without one as well. Likewise the top industrial research labs only rarely hire people without PhDs to be research scientist (though it can and does happen). It is comparatively easier to work in cryptography in the consulting industry: I know several people working in side channel research at Riscure who have "only" an MSc, and NCC employs consultants in Cryptography Services who don't have an MSc or PhD.
If you're interested in cryptography as a career path, the most valuable way to pursue that is to be someone with a graduate degree in mathematics who has significant expertise in implementation, performance and cryptanalysis. In particular it's very lucrative to be competent in side channel analysis and hardware optimization. With the exception of speculative blue sky research projects like indistinguishability obfuscation, multiparty computation, homomorphic encryption and post-quantum public-key cryptography, most work to actually be done is in implementation, implementation auditing and implementation optimization. We already have secure designs for most common use cases in AES and ChaCha; working on verifying a given implementation or removing the ways mistakes can be made is much more important.
If you are interested in the boring part, so not how algorithms are invented and implemented, but more on the real world usage, I have written a blog "Commercial Cryptographic Key Management in 2018", where I am explaining a little bit about the hardware, people and processes behind it.
https://www.malgregator.com/key-management.html
a word of warning.
off the page textbook crypto examples are not a good crypto scheme
you have to think like a bank robber to start securing your bank.
if you think like a banker then you will try to cut costs and corners to make revenue.
addendum
> Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around.
good crypto cant be broken by knowing the algo thats why closed proprietary crypto is POS
addendum 2 )
this makes the case for open source so there are multiple perspectives rather than ECHO CHAMBERS bcz when it comes down to it you can talk yourself into thinking anything is great when it is your own pet theory.
BTW im working around the posting too fast BS so thats why the addendums to parent post.
=================================
ALSO off topic but, concerning:
Detecting Screen Content via Remote Acoustic Side Channels
every time a pixel changes it makes a UHF+ EMF chirp
every time a bus channel makes a bit state transition it makes a UHF+ chirp if you evesdrop the EMF radiation preserve it and analyse your data then you can reconstruct EVERYTHING that the hardware is doing not just the display screen.
Although be wary of how far even that can take you. As Bruce Schneier has said[0]:
> Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around.
> If I have any contribution to this, it's to generalize it to security systems and not just to cryptographic algorithms. Because anyone can design a security system that he cannot break, evaluating the security credentials of the designer is an essential aspect of evaluating the system's security.
After taking these two crypto courses, I signed up for CS155 https://crypto.stanford.edu/cs155/, which is his undergrad class on security at Stanford (they were offering it through their professional center, I don't think they still offer it, which is a bummer)