*The Joy of Cryptography* is a textbook that I've been writing for CS427, my undergraduate course in cryptography.
It's free and will always be free (Creative Commons license), with vital support from the NSF and the Oregon State University open textbook initiative.

Yes, I know that the title is ridiculous.
All of the serious titles were already taken, and I wanted something more upbeat than *You Can't Spell Cryptography Without Cry*.
I hope you understand that **actual joy is not guaranteed.**

# Contents

**Download the current draft** (PDF, Jan 3, 2021)

Current table of contents (links are for PDFs of individual chapters):

- Preface
- Review of Concepts & Notation
- One-Time Pad
- What Is [Not] Cryptography?
- Specifics of One-Time Pad

- The Basics of Provable Security
- How to Write a Security Definition
- Formalisms for Security Definitions
- How to Demonstrate Insecurity with Attacks
- How to Prove Security with the Hybrid Technique
- How to Compare/Contrast Security Definitions

- Secret Sharing
- Definitions
- A Simple 2-out-of-2 Scheme
- Polynomial Interpolation
- Shamir Secret Sharing
- Visual Secret Sharing

- Basing Cryptography on Intractable Computations
- What Qualifies as a "Computationally Infeasible" Attack?
- What Qualifies as a "Negligible" Success Probability?
- Indistinguishability
- Birthday Probabilities & Sampling With/out Replacement

- Pseudorandom Generators
- Definition
- Pseudorandom Generators in Practice
- Application: Shorter Keys in One-Time Secret Encryption
- Contrapositive Point of View on Security Proofs
- Extending the Stretch of a PRG
- Applications: Stream Cipher & Symmetric Ratchet

- Pseudorandom Functions & Block Ciphers
- Definition
- PRFs vs PRGs; Variable-Hybrid Proofs
- Block Ciphers (Pseudorandom Permutations)
- Relating PRFs and Block Ciphers
- PRFs and Block Ciphers in Practice
- Strong Pseudorandom Permutations

- Security against Chosen Plaintext Attacks
- Limits of Deterministic Encryption
- Pseudorandom Ciphertexts
- CPA-Secure Encryption Based on PRFs

- Block Cipher Modes of Operation
- A Tour of Common Modes
- CPA Security for Variable-Length Plaintexts
- Security of OFB Mode
- Padding & Ciphertext Stealing

- Chosen Ciphertext Attacks
- Padding Oracle Attacks
- What Went Wrong?
- Defining CCA Security
- A Simple CCA-Secure Scheme

- Message Authentication Codes
- Definition
- A PRF is a MAC
- MACs for Long Messages
- Encrypt-Then-MAC

- Hash Functions
- Security Properties for Hash Functions
- Merkle-Damgård Construction
- Hash Functions vs. MACs: Length-Extension Attacks

- Authenticated Encryption & AEAD (draft)
- Definitions
- Achieving AE/AEAD
- Carter-Wegman MACs
- Galois Counter Mode for AEAD

- RSA & Digital Signatures
- "Dividing" Mod N
- The RSA Function
- Digital Signatures
- Chinese Remainder Theorem
- The Hardness of Factoring *N*

- Diffie-Hellman Key Agreement
- Cyclic Groups
- Diffie-Hellman Key Agreement
- Decisional Diffie-Hellman Problem

- Public-Key Encryption
- Security Definitions
- One-Time Security Implies Many-Time Security
- ElGamal Encryption
- Hybrid Encryption

- Index of security definitions

# Supplementary Material

I have also provided some slide decks that visually illustrate the steps of some hybrid proofs from the text: (**At the moment, these are slightly out of sync with the text; sorry!**)

- One-time secrecy of one-time pad (§2.2)
- Security of additive 2-out-of-2 secret sharing (§3.2)
- One-time secrecy of "pseudo-one-time pad" (§5.3)
- Security of extending a PRG's stretch via a feedback construction (§5.5)
- CPA security of the classical PRF-based encryption scheme (§7.3)
- CCA security of encrypt-then-MAC (§10.4)
- CPA security of public-key hybrid encryption (§14.4)

# Other

For a **second opinion**, you might want to check out these other excellent references. They are also the reason I had to choose a silly name for mine -- all the good names were taken.

- A Course in Cryptography, Rafael Pass & abhi shelat (free)
- Cryptography, An Introduction, Nigel Smart (free)
- Introduction to Modern Cryptography, Jonathan Katz & Yehuda Lindell
- Introduction to Modern Cryptography, Mihir Bellare & Phil Rogaway (free)