crypto-is-cool
A list of cryptography books, papers, blog posts, presentations, and Q&A answers.
Books
As the list goes on, the books become increasingly complicated and mathematical. The first few books are most suitable for developers, and several of them are free.
- Real-World Cryptography by David Wong
- Crypto 101 by lvh
- Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno
- Crypto Dictionary by Jean-Philippe Aumasson
- Everyday Cryptography by Keith Martin
- Serious Cryptography by Jean-Philippe Aumasson
- Understanding Cryptography by Christof Paar and Jan Pelzl
- The Joy of Cryptography by Mike Rosulek
- Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell
- A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup
AEADs
Commitment
Papers
- KIVR: Context-Committing Authenticated Encryption Using Plaintext Redundancy and Application to GCM and Variants
- Flexible Authenticated Encryption
- The Landscape of Committing Authenticated Encryption
- Key Committing Security of AEZ
- Context Discovery and Commitment Attacks: How to Break CCM, EAX, SIV, and More
- Flexible Password-Based Encryption: Securing Cloud Storage and Provably Resisting Partitioning-Oracle Attacks
- Authenticated Encryption with Key Identification
- On Committing Authenticated-Encryption
- Efficient Schemes for Committing Authenticated Encryption
- Actually Good Encryption? Confusing Users by Changing Nonces
- How to Abuse and Fix Authenticated Encryption Without Key Commitment
- Partitioning Oracle Attacks
- Key Committing AEADs
- Fast Message Franking: From Invisible Salamanders to Encryptment
- Message Franking via Committing Authenticated Encryption
- Security of Symmetric Primitives under Incorrect Usage of Keys
Presentations
- RWC 2023 - Session on Advanced Encryption
- Asiacrypt 2022 Session on Practical Cryptography 2 - AEAD-KI
- Efficient Schemes for Committing Authenticated Encryption
- USENIX Security '22 - How to Abuse and Fix Authenticated Encryption Without Key Commitment
- Partitioning Oracle Attacks
- USENIX Security '21 - Partitioning Oracle Attacks
- Hunting Invisible Salamanders: Cryptographic (in)Security with Attacker-Controlled Keys
- Fast Message Franking: From Invisible Salamanders to Encryptment
- Message Franking via Committing Authenticated Encryption
IETF
- Encrypt-then-MAC for Committing AEAD (cAEAD)
- The AEGIS family of authenticated encryption algorithms
- Properties of AEAD algorithms
- The OPAQUE Asymmetric PAKE
- [Cfrg] Potential vulnerabilities with OPAQUE
Blogs
- How do I add key commitment to my AEAD scheme in 2023?
- Pa(dding|rtitioning) oracles, and another hot take on PAKEs
- Designing New Cryptography for Non-Standard Threat Models
- Why I have settled on XChaCha20+Blake3 as the AE suite of choice for my projects
- Threema: Three Strikes, You’re Out
- Invisible Salamanders in AES-GCM-SIV
- When a KEM is not enough
- Lucid Multi-Key Deputies Require Commitment
- libsodium Robustness
- Improved client-side encryption: Explicit KeyIds and key commitment
Q&A
- How do I add key commitment to my AEAD scheme in 2023?
- Do I need a key committing AEAD to be random key robust?
- Understanding the impact of partitioning oracle attacks on stream ciphers
- Understanding the impact of partitioning oracle attacks on production deployments of ChaCha/Salsa
- My breakdown on Partition Oracle Attacks
- Encrypting h(k) for defeating partition oracle attacks
- Do CCM and EAX provide key commitment?
- Is Encrypt-then-HMAC with a single key secure?
- Streaming Interface for authenticated encryption?
- AES-GCM ciphertext that deciphers under two keys
- Key Committing AES-GCM
- What is the mathematical property stating that it is hard to find a collision in the AES algorithm?
AEGIS
Papers
- AEGIS: A Fast Authenticated Encryption Algorithm (v1.1)
- Adding more parallelism to the AEGIS authenticated encryption algorithms
- MILP-based security evaluation for AEGIS/Tiaoxin-346/Rocca
- Guess-and-Determine Attacks on AEGIS
- Weak Keys in Reduced AEGIS and Tiaoxin
- Analyzing the Linear Keystream Biases in AEGIS
- Linear Biases in AEGIS Keystream
- Can Caesar Beat Galois?
IETF
- draft-irtf-cfrg-aegis-aead - The AEGIS family of authenticated encryption algorithms
- Draft source and issue tracker
- Reference implementations
- AEGIS-128X and AEGIS-256X
- AEGIS-128L and AEGIS-256 MAC
Presentations
- IETF 117
- FSE 2022 - Weak Keys in Reduced AEGIS and Tiaoxin
- FSE 2020 - Analyzing the Linear Keystream Biases in AEGIS
- IETF 113
- DIAC 2016
Q&A
- Should we use the new CAESAR competition ciphers?
- Lack of response to CAESAR competition
- Rationale for NORX/Ketje/Keyak not being chosen for the CAESAR final portfolio
- Side-channel vulnerability of AEGIS naive AES implementation
Rocca/Rocca-S
Papers
- Rocca: An Efficient AES-based Encryption Scheme for Beyond 5G (Full version)
- MILP-based security evaluation for AEGIS/Tiaoxin-346/Rocca
- Cryptanalysis of Rocca and Feasibility of Its Security Claim
- Differential Fault Attack on Rocca
- Efficient Design Strategies Based on the AES Round Function
IETF
Presentations
- IETF 116 - Update on Encryption algorithm Rocca-S
- FSE 2023 - Cryptanalysis of Rocca and Feasibility of Its Security Claim
- IETF 115 - Encryption algorithm Rocca-S
- FSE 2022 - Rocca: An Efficient AES-based Encryption Scheme for Beyond 5G
Ascon
Papers
- Ascon v1.2. Submission to NIST
- Status Update on Ascon v1.2
- Ascon v1.2. Submission to the CAESAR Competition
- Ascon Publications
- Cryptology ePrint Archive
Blogs
Q&A
- What are the drawbacks of "lightweight crypto"?
- CAESAR finalists: Lightweight case (Ascon vs ACORN)
- Is ASCON cipher broken?
- Rationale for NORX/Ketje/Keyak not being chosen for the CAESAR final portfolio
- What is the lightest cipher that provides AES like security?
Presentations
- LWC 2022 – Security
- LWC 2022 – Implementation
- FSE 2022 - Bounds for the Security of Ascon against Differential and Linear Cryptanalysis
- FSE 2022 - Misuse-Free Key-Recovery and Distinguishing Attacks on 7-Round Ascon
- FSE 2022 - Diving Deep into the Weak Keys of Round Reduced Ascon
- CARDIS 2020 - A Fast and Compact RISC-V Accelerator for Ascon and Friends
- LWC 2020
- LWC 2019
- NIST Lightweight Cryptography Workshop 2019 - Distinguishers for ASCON, DryGASCON, SHAMASH
- DIAC 2016
- DIAC 2015
- 22nd Crypto Day 2015
- CECC 2015
- CT-RSA 2015
- DIAC 2014
ChaCha20-Poly1305
Papers
- The Security of ChaCha20-Poly1305 in the Multi-user Setting
- A Security Analysis of the Composition of ChaCha20 and Poly1305
IETF
Blogs
- Do the ChaCha: better mobile performance with cryptography
- It takes two to ChaCha (Poly)
- ChaCha20 and Poly1305 for TLS
- libsodium - ChaCha20-Poly1305
Q&A
- What happens if a nonce is reused in ChaCha20-Poly1305?
- Does ChaCha20-Poly1305 need random nonce?
- Is ChaCha20 alone sufficient for securing data-at-rest?
- Stream cipher padding
- Should I include the ciphertext length in an AAD when using ChaCha20+Poly1305 AEAD?
- Is streaming API to ChaCha20-Poly1305 possible or recommended against?
- ChaCha20-Poly1305 padding and length encoding
- Understanding ChaCha20-Poly1305 AEAD
- NIST LWC finalists (AEAD) vs ChaCha20-Poly1305
XChaCha20-Poly1305
IETF
Blogs
Q&A
- Which version of ChaCha is more secure?
- XChaCha20-Poly1305 vs Plain ChaCha20-Poly1305 performance
- Largest message size for XChaCha20-Poly1305
- Is XChaCha20-Poly1305 nonce misuse-resistant?
- Is XChaCha20-Poly1305 quantum resistant?
MACs
HMAC/NMAC
Papers
- Keying Hash Functions for Message Authentication
- Message Authentication using Hash Functions - The HMAC Construction
- New Proofs for NMAC and HMAC: Security without Collision-Resistance
- FIPS PUB 198-1 - The Keyed-Hash Message Authentication Code (HMAC)
- NIST SP 800-107 - Recommendation for Applications Using Approved Hash Algorithms
- When Messages are Keys: Is HMAC a dual-PRF?
- (The exact security of) Message Authentication Codes
- The Exact PRF-Security of NMAC and HMAC
- To Hash or Not to Hash Again? (In)differentiability Results for H^2 and HMAC
- Generic Related-key Attacks for HMAC
- Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions
- On Authentication with HMAC and Non-Random Properties
- On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1
- Multiple forgery attacks against Message Authentication Codes
- On the Security of Iterated Message Authentication Codes
- MDx-MAC and Building Fast MACs from Hash Functions
IETF
- RFC 2104 - HMAC: Keyed-Hashing for Message Authentication
- RFC 6151 - Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms
Blogs
- Canonicalization Attacks Against MACs and Signatures
- Multiple input MACs
- The Subtle Hazards of Real-World Cryptography
- HMAC Wear-Out?
Q&A
- Why is h(m||k) insecure?
- Attacks of the MAC construction H(m∥k) for common hashes H?
- Why is H(k∥x) not a secure MAC construction?
- Why does a broken hash function undermine an HMAC?
- Is HMAC-MD5 considered secure for authenticating encrypted data?
- Is HMAC-MD5 still secure for commitment or other common uses?
- Why is HMAC-SHA1 still considered secure?
- Is HMAC prone to birthday attacks?
- Length of truncated HMAC output
- Why is an HMAC using a 32-bit tag not prone to birthday attacks?
- CMAC vs HMAC security strength
- Is the tag in a MAC scheme a fixed size?
- The difference between MACs vs. HMACs vs. PRFs
- Is there any good attack model of HMAC?
- Equivalent key size between HMAC and AES?
- With HMAC, can an attacker recover the key, given many known plaintext/tag pairs?
- Which MAC scheme is quantum resistant?
- Can I use HMAC-SHA1 in counter mode to make a stream cipher?
- What is the security strength of an n-bit HMAC?
- Security of N bit HMAC
- Purpose of outer key in HMAC
- Keys in HMAC and NMAC
- What do the magic numbers 0x5c and 0x36 in the opad/ipad calc in HMAC do?
- When using AES-256 in combination with HMAC-SHA, should we use SHA-256 or SHA-512?
- Should HMAC-SHA3 be preferred over H(C(k,M))?
- Should HMAC or NMAC or plain Keccak be used for a secure MAC?
- Is HMAC needed for a SHA-3 based MAC?
- Can the HMAC of a pre-hash be considered equivalent to an HMAC of the message?
- Does having more than one HMAC provide more information to the attacker?
- Side channel security of HMAC in software
- [Cfrg] Related keys in HMAC
Poly1305
Papers
IETF
Blogs
- The design of Poly1305
- libsodium One-time authentication
- A state-of-the-art message-authentication code
- A Go implementation of Poly1305 that makes sense
Q&A
- Security level of Poly1305 and GMAC
- Poly1305-AES vs AES-GCM
- What happened to Poly1305AES? Is it obsolete?
- Can Poly1305-AES be used with AES-256?
- Why is Poly1305 popular given its 'sudden death' properties?
- Which algorithm has better performance (HMAC, UMAC, and Poly1305)?
- Why not use ChaCha derivatives (BLAKE, Rumba) to make an HMAC for use with ChaCha? Why use Poly1305?
- Do Carter–Wegman MACs allow key reuse if the MAC tag is kept secret?
- What is the function of the secret key “r” in Poly1305?
- Are poly1305 authenticators distinguishable from random data?
- Is Poly1305 an information-theoretically secure MAC?
- Does Poly1305 have weak keys like GCM/GHASH?
KDFs
HKDF
Papers
- Cryptographic Extraction and Key Derivation: The HKDF Scheme
- Backdoored Hash Functions: Immunizing HMAC and HKDF
IETF
Blogs
- Understanding HKDF
- How to use HKDF to derive new keys
- Securing HKDF - backdoor resistance using salts
Q&A
- What is the difference between KDFs for key derivation vs password stretching?
- Key Derivation Functions vs. Password Hashing Schemes
- Why use HKDF for key derivation even if it's not time-demanding?
- Why do we even need HKDFs?
- How is HKDF-Expand better than a simple hash?
- Choosing between simple Hash and HKDF to derive the second key used for MAC
- Is HMAC a suitable substitute for HKDF?
- Differences between HMAC and HKDF in a specific case
- Is the output of HKDF uniformly distributed, if my input is not?
- Which risks are associated with deriving multiple keys from the same DH secret Z?
- Can a 32-byte shared secret be given as input to HKDF-SHA512?
- Applications in which you should/shouldn't use a salt with HKDF
- What information to include in the 'info' input for HKDF?
- HKDF: ikm, salt and info values
- HKDF: Difference between salt and info
- HKDF 'salt' and 'info' parameters: Can they be secrets? Should they be?
- What are the typical input lengths for KDFs?
- Minimum length of salt and info for HKDF
- Can salt for HKDF be hardcoded within a program
- Generating keys with HKDF from Diffie Hellman agreement
- Deriving 2 keys using HKDF
- Multiple keys via HKDF: what's better, one or two applications of HKDF-Extract?
- Repeated use of HKDF-Extract on the same PRK
- How many different keys can be derived with HKDF before two outputs are identical?
- Strength of key derived from a hash function considering the birthday attack
- Calculate the complexity of HKDF with a 96-bit salt and a 128-bit key?
- HKDF Bit Security
- Security of HKDF when part of output is exposed
- Is HKDF one-way, namely given Ko it's hard to guess Ki?
- Use of HKDF to get shorter key than digest size
- How to use HKDF to combine two keys
- Maximum output of HKDF
- HKDF-Expand max output length
- Why does HKDF use HMAC(salt, key) instead of HMAC(key, salt)?
- Why does the RFC version of HKDF-Expand start the counter at 1?
- Can someone clarify two things about the HKDF by Krawczyk?
- Difference between RFC-5869 (HKDF) and SP800-108 (Nist's HMAC-based KDF spec)?
- Faster alternative to HKDF
- PBKDF vs HKDF for pretty long key
- Use of PBKDF2 when no access to HKDF?
- Is PBKDF2 with 1 iteration acceptable for a simple random key expansion?
- Would it be better to use HKDF or SCrypt for deriving a child key?
- How is key rotation defined?
- Why derive keys from a master key instead of generating random keys?
- How to securely combine multiple sources of entropy?