Crypto 101 – Introductory course on cryptography (crypto101.io)
514 points by febin on Dec 28, 2018 | hide | past | favorite | 67 comments

+1 for the fact that the "get book" button on linked site just downloads the pdf.

Thanks for the comment. I wouldn't have bothered with this otherwise. Normally a "Download our PDF|Whitepaper|Whatever" is a 100% sure way to make me close a site immediately nowadays - and this is what I did. I just stumbled upon your comment because the tab was still open and it was the first comment.

VirusTotal seems to be cool with the file too, so that's how it should be.


You can get the org mode plaintext source here: https://github.com/crypto101/book.

It doesn't read as well as the PDF because there's a ton of illustrations and _something_ has to render them.

I find it amusing that you wrote the book using org-mode but the README using reST.

> Normally a "Download our PDF|Whitepaper|Whatever" is a 100% sure way to make me close a site immediately nowadays

I don't know what I was doing clicking on it to begin with; usually it's a surefire way to get a fresh copy of MacKeeper or something.

Hi! I'm the author. Happy to answer questions.

It seems that the downloadable PDF doesn't have a couple of tweaks that have landed in master (https://github.com/crypto101/book). Any plans to generate a slightly updated version?

PS: Thanks for your work! Watched your talk and it was a nice quick primer. Glad you turned it into a book with more detail.

Sure, I should get around to that :-) Really I'd like to make a docker image or similarly repeatable environment that can do builds -- right now it's way too tied to my own environment.

Also: I'm not sure org-mode -> TeX was a great idea.

I used to use org-mode exporting to reveal.js for doing slides. Unfortunately this turned out to be a bit of a pain to get everything set up, especially when collaborating with people who for some reason have failed to embrace the One True Religion^H Editor. So in the end I changed to using Markdown and pandoc to convert to reveal.js.

As a bonus, using pandoc to convert my org sources to markdown worked reasonably well.

Yep, I took exactly the same path. Still use org-reveal sometimes but pandoc is really great and anything-to-anything :)

I use www.leanpub.com for this and love them. They make publishing trivial, give you all the freedom and only take a small cut.

I looked at them before and they couldn’t do the illustration generation I needed, but maybe with some preprocessing on my side and some on theirs :)

This looks fantastic! Thank you for putting this out. And thank you for posting this.

Hi lvh,

Do you intend to complete this book at some indeterminate point in the future?

Is there anything that any of us can do to help make it happen?

I'm not sure what "complete" would entail :) For example: would a description of Noise be in scope? I think so but I'm not sure. People come up with new cool stuff that's useful to median developers on the regular (say, NMR) that feels like it ought to be added/updated. So I think it's forever a WIP and that's OK since I'm not really printing the book?

Thank you for writing this book! I recently used this book to brush up on crypto fundamentals for some interviews and found it really valuable. I was even able to implement a padding oracle attack after only knowing it in theory for a very long time. I was also wondering if you had any plans to complete. Right now, there are 36 TODO's in the book. Not all of them need further explanation and can be left as an exercise but some of them might be useful to dig into. Regardless, it is still awesome!

I definitely want to work on it more but I think completion goals are going to be at a chapter level maybe -- there'll always be stuff to add :)

would a description of Noise be in scope?

Yessss! Utterly selfishly: things like 'Noise Protocol Matrix' or 'Nonce misuse resistance 101' are actually closer to your target than XOR diagrams that people can already find on Wikipedia.

I don’t know if you picked those judiciously or if I did but those are two blog posts I did actually write :)

Oh, picked quite intentionally from things you actually wrote, yes :)

I read the book, it is well written, accessible and pretty accurate. I think it's worth a skim even just to learn more about something you vaguely know but you can't explain in your own words.

I'm glad you feel that way, because I'm honestly embarrassed by how shoddy my old writing is. (I'm the author.)

There is also a cryptography course from Udacity: https://www.udacity.com/course/applied-cryptography--cs387

Cryptography 1 by Stanford on Coursera is really good too: https://www.coursera.org/learn/crypto

In the “secure computation” part, do you learn how to do such computation or is it just another explanation of what it is?

I know the “what” of this but not the “how”. If this teaches me what I need in order to go and actually implement it myself then I am interested.

A resource I found really helpful was a fantastic classroom-setting lecture series, Introduction to Cryptography by Christof Paar [0].

[0]: https://www.youtube.com/watch?v=2aHkqB2-46k

Seconded, I am working my way through this course and it's fantastic, especially if you also do all the homework problems.

Cool, thanks!

BTW why is EPUB mentioned but not available?

(I'm the author.)

Because it's not a priority for me and I never got the org -> epub generation flow working correctly. In particular, the book has a lot of illustrations, and getting illustrations right across a ton of ebook readers is quite complicated. To wit: they all support different formats and to get it more or less compatible you have to guess what the approx DPI is for most of those devices and then rasterize the vector imagery.

If someone gets it to work I'd be much obliged, it just hasn't been a priority for me :)

I see.

> what the approx DPI is for most of those devices and then rasterize the vector imagery

As far as I know you can use SVG illustrations in EPUB.

Alternatively you probably could rasterize to a redundant resolution and rely on the viewer app to downscale the pictures to fit the page width.

You can, but at least a few years ago most cheap readers would horribly mess that up (usually not render it at all). And those that didn’t were typically nice enough that they could just render the PDF correctly ;)

I skimmed through it this morning and was genuinely surprised by its accessibility.

The concepts are as I remember from my cryptography course in college, and it is a great refresher!

Thank you!

FYI: I just put the PDF on my Kindle Paperwhite and it actually looks like a regular ebook in terms of font size and readability so far.

Oh interesting. I recently got "Applied Cryptography" in one of the No Starch Press sales. I expected it to be turbo technical and way outside my league but popped it open on a whim one day. So far it's incredibly accessible; does anyone have thoughts on that versus this course? Worth taking the course after I finish Applied Cryptography?

Incidentally, Applied Cryptography is often critiqued for making crypto seemingly easy and incredibly accessible, which led to some people implementing very nice fails. For practical purposes the later Cryptography Engineering book is probably a better choice.

That's an interesting point. However, I am not interested in implementing/engineering cryptography (ever), just having a decent idea of what's going on. Is this still a failure of the book I should watch out for?

Yes! It hasn't gotten better. I wrote Crypto 101 for a reason -- there are a number of problems I have with both the approach, and even if the approach were good, it's horribly outdated now.

Serious Cryptography is also good and modern.

Do you mean "Serious Cryptography"? Applied Cryptography isn't a No Starch Press book.

No, I do mean Applied Cryptography. I may have picked it up in a humble bundle sale in hindsight.

Gotcha. Serious Cryptography is good. Applied Cryptography is... not. Except insofar as Latacora making stickers that make fun of it and people printing t-shirts to benefit charities is good, of course :-)

It's also good for historical interest. It was a great book for its time. Now it's horribly outdated, even Schneier recommends against using it for anything other than learning about the state of academic cryptography in the '90s. Which is important, but not relevant to modern cryptography.

Applied Cryptography is terrible.


No Starch's "Serious Cryptography", the JP Aumasson book, is strong.

I recall you saying that "Cryptography Engineering" was much better than AC somewhere.

Do you recommend Serious Cryptography over that?

Both books have their strengths. If I had to pick one, it'd be Serious Cryptography, since it's much more up-to-date than Cryptography Engineering is.

Part of our current Humble Bundle, too.

No, Applied Cryptography isn’t “terrible”, but treat it as a starting point. It will help you understand more advanced references (like the linked blog post).

No, Applied Cryptography is actively misleading. I can't say it any better than that linked post does.

Too late to edit: I believe I actually picked up "Applied Cryptography" in a Humble Bundle sale.

Thanks for this. I just finished the XOR stuff and can't wait to read more!

I just watched the talk on that page, it was fantastic! Especially for dumb developers like myself who never studied actual CS or math. Thanks for sharing.

Started reading it, pretty good so far!

Only thing, why did you choose to introduce block cipher modes in the stream cipher chapter? This makes little sense to me.

It actually makes a lot of sense for practical purposes. This probably looks strange to you because most introductory cryptography texts strictly segregate stream and block ciphers. The standard pedagogical style bifurcates modern symmetric encryption into one of these two categories and talks about things like synchronization, on-the-fly encryption, speed, error correction, etc. between the two.

In point of fact, there isn't as significant a difference between the two in active research and industry. Many (most?) stream ciphers actually use blocks internally. For example, Salsa (and its spiritual successor, ChaCha) both use blocks and rounds. From one legitimate perspective, a block cipher mode enabling streaming encryption is a generalization of a stream cipher.

When you develop a stream cipher without a block system internally [1], you're trying to remove the versatility of block cipher modes in exchange for (hopefully significant) improvements in speed and efficiency. This is very difficult to do while maintaining security. At the end of the day there are only so many ways to do confusion and diffusion.


1. For example see Sosemanuk, which internally uses a linear feedback shift register and finite state machine.

> Many (most?) stream ciphers actually use blocks internally.

I don't think there have been any new designs for a good while that didn't. RC4 is, I think, the last actual stream cipher that saw widespread use (apart from designed-as-broken telco crypto). The same observation can be made for classified crypto, where they used to use bit-stream ciphers like Walburn or Saville (efficient, relatively low gate count hardware implementation) but pivoted to block ciphers since the ~80s.

Most of the eSTREAM finalists (http://www.ecrypt.eu.org/stream/index.html) are not block-based. I think only Salsa20 matches that description.

More generally, I think the distinction between a "block-based stream cipher" and a block cipher (or permutation) mode is the degree to which you abstract away the block cipher. Personally I wouldn't put them together. Counter mode completely abstracts away the cipher, assuming it is an idealized pseudorandom function; sponge-based modes also abstract away the permutation as ideal in most cases; stream ciphers usually do not do this, and use weaker (but still sometimes block-based) primitives to generate output. There are, for example, sponge modes that use very few rounds past the initialization, which makes them more streamy than spongy. So their cryptanalysis is often different.

> More generally, I think the distinction between a "block-based stream cipher" and a block cipher (or permutation) mode is the degree to which you abstract away the block cipher.

Just to make sure I understand you correctly, for example:

- CTR: definitely a stream cipher, and a synchronous one at that

- CBC: maybe a little like a stream cipher (you're e.g. exposed to the block width, and also less like most stream ciphers because asynchronous)

- AEZ: extremely not (because you're exposed to round counts)

That makes perfect sense to me, since that's where I felt the analogy started getting tenuous :)

> I don't think there have been any new designs for a good while that didn't.

Every entry in CAESAR that I've studied is either based on a block cipher or a hash function. A lot of them use AES internally, but others (MORUS, NORX) used their own designs.

There are no RC4-esque stream ciphers being taken seriously these days, for good reason.

Well, technically it's a question of block size? I'm not aware of any cipher with less than single bit size... And often you'd want byte size at least?

I suppose you could design a cipher that worked on partial bits... But it's difficult to see why...

Because the book tries to produce a narrative where new features are introduced out of obvious necessity: in this case, encrypting more than a block. And you can do that with modes of operation or "native" stream ciphers. Essentially I'm handwaving and pretending that e.g. AES-CTR is just a stream cipher :-)

Chapter 6 is block ciphers, Chapter 7 is stream ciphers.

Also, the first lines in chapter 7: Let’s try to build a stream cipher using the tools we already have. Since we already have block ciphers, we could simply divide an incoming stream into different blocks, and encrypt each block...
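The two points made in this subthread, that a block cipher mode like CTR is just a stream cipher and that "native" stream ciphers such as Salsa/ChaCha are themselves block-and-counter constructions, can be shown in a few lines of code. The following is an added example written for this discussion; it is not code from the Crypto 101 book, from lvh, or from any of the commenters. It builds a keystream from AES by encrypting a nonce||counter block for successive counter values, XORs that keystream into the message, and cross-checks the result against Go's standard-library CTR implementation. The nonce/counter layout (12-byte nonce, 32-bit big-endian counter in the last four bytes) and the function names are assumptions made for the example; the sample key, nonce and message are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// ctrKeystream turns any block cipher into a keystream generator: encrypt
// nonce||counter for counter = 0, 1, 2, ... and concatenate the outputs.
// The layout (nonce in the leading bytes, 32-bit big-endian counter in the
// last four) is an assumption made for this example.
func ctrKeystream(block cipher.Block, nonce []byte, n int) []byte {
	bs := block.BlockSize()
	in := make([]byte, bs)
	copy(in, nonce) // nonce must be at most bs-4 bytes for this layout
	out := make([]byte, 0, n+bs)
	buf := make([]byte, bs)
	for ctr := uint32(0); len(out) < n; ctr++ {
		binary.BigEndian.PutUint32(in[bs-4:], ctr)
		block.Encrypt(buf, in)
		out = append(out, buf...)
	}
	return out[:n]
}

// xorStream is the entire "cipher" once a keystream exists. It is the same
// operation for encryption and decryption and never looks at the block size,
// which is what makes the result behave like a stream cipher.
func xorStream(keystream, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ keystream[i]
	}
	return out
}

// aesCTRStream encrypts (or decrypts) data of any length with AES used as a
// stream cipher. No padding is involved; output length equals input length.
func aesCTRStream(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) > block.BlockSize()-4 {
		return nil, fmt.Errorf("nonce too long for counter layout")
	}
	return xorStream(ctrKeystream(block, nonce, len(data)), data), nil
}

// matchesStdlibCTR cross-checks the hand-rolled construction against Go's
// crypto/cipher CTR mode, which encrypts the IV and then increments it as a
// big-endian integer; with a 12-byte nonce followed by four zero bytes the
// two agree for the first 2^32 blocks.
func matchesStdlibCTR(key, nonce, data []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	iv := make([]byte, block.BlockSize())
	copy(iv, nonce)
	ref := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(ref, data)
	ours, err := aesCTRStream(key, nonce, data)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ref, ours), nil
}

func main() {
	// Constructed sample values. A real deployment draws the key from a CSPRNG
	// and never reuses a (key, nonce) pair: reuse leaks the XOR of the messages.
	key := []byte("0123456789abcdef")
	nonce := []byte("unique nonce")
	msg := []byte("the quick brown fox jumps over")
	ct, err := aesCTRStream(key, nonce, msg)
	if err != nil {
		panic(err)
	}
	pt, _ := aesCTRStream(key, nonce, ct)
	same, _ := matchesStdlibCTR(key, nonce, msg)
	fmt.Printf("ciphertext: %s\n", hex.EncodeToString(ct))
	fmt.Printf("roundtrip ok: %v, matches crypto/cipher CTR: %v\n",
		bytes.Equal(pt, msg), same)
}
```

Note what the construction hides and what it exposes: the 30-byte message spans two AES blocks, yet the caller never pads, aligns, or learns the block width, which is exactly the CTR-is-a-stream-cipher point above. Swap `block.Encrypt` for ChaCha's quarter-round permutation over a key||nonce||counter state and the same skeleton gives a "native" stream cipher. CBC, by contrast, would force the caller to pad to 16-byte multiples, which is the sense in which it is "exposed to the block width".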

How does this compare to Crypto 1 on Coursera?


What would you have preferred to see that wouldn't make it "superficial"?

AES explanation before DES? Why? It doesn't make any sense.

... because the only way to introduce ciphers is, what, chronologically? Why? And why does that make it superficial?


> Man, that's nice you have written a book, now plant a tree, have a baby, and relax... take a constructive review on your work. Use it to improve that version.

Your feedback isn't really actionable. How is the author supposed to use anything about your feedback to "improve that version"?

The purpose of the book is explicitly to mint developers who can responsibly build cryptographic features, not mint cryptographers -- so a detailed look at e.g. differential cryptanalysis is pretty clearly out of scope. AES is pretty much a perfect PRP and that's all you oughta care about.

You've said literally nothing that could be considered constructive.
