The Joy of Cryptography

The Joy of Cryptography is a textbook that I've been writing for CS427, my undergraduate course in cryptography.

## What's so special about it?

It's free and will always be free (Creative Commons license)! It is supported by the Oregon State University open textbook initiative.

The pedagogical approach is anchored in formal definitions/proof of security, but in a way that I believe is more accessible than what is "traditional" in crypto. All security definitions are written in a unified and simplified "game-based" style. For an example of what security definitions look like in this style, see the index of security definitions (which will make more sense after reading chapters 2 & 4). For example proofs of security in this style, see the supplementary material below.

It contains over 120 exercises.

## Disclaimers:

Everything here is in draft form. This will become evident as you read through the text. Still, I've been successful using the text as the primary reference in an actual course.

My course CS427 is only a 10-week course. For that reason, much important material is still missing from the text!

"The Joy of Cryptography" is a silly title, but all the sensible titles were already taken. It was at least better than "You Can't Spell Cryptography without Cry". Anyway, actual joy not guaranteed.

# Contents​

1. Preface
2. Review of Concepts & Notation
• What Is [Not] Cryptography?
4. The Basics of Provable Security
• Generalizing and Abstracting One-Time Pad
• Towards an Abstract Security Definition
• Provable Security Fundamentals
• How to Prove Security with the Hybrid Technique
• How to Demonstrate Insecurity with Attacks
5. Secret Sharing
• Definitions
• A Simple 2-out-of-2 Scheme
• Polynomial Interpolation
• Shamir Secret Sharing
• Visual Secret Sharing
6. Basing Cryptography on Intractable Computations
• What Qualifies as a "Computationally Infeasible" Attack?
• What Qualifies as a "Negligible" Success Probability?
• Indistinguishability
• Birthday Probabilities & Sampling With/out Replacement
7. Pseudorandom Generators
• Definition
• Pseudorandom Generators in Practice
• Application: Shorter Keys in One-Time Secret Encryption
• Contrapositive Point of View on Security Proofs
• Extending the Stretch of a PRG
• Applications: Stream Cipher & Symmetric Ratchet
8. Pseudorandom Functions & Block Ciphers
• Definition
• PRFs vs PRGs; Variable-Hybrid Proofs
• Block Ciphers (Pseudorandom Permutations)
• Relating PRFs and Block Ciphers
• PRFs and Block Ciphers in Practice
• Strong Pseudorandom Permutations
9. Security against Chosen Plaintext Attacks
• Limits of Deterministic Encryption
• Pseudorandom Ciphertexts
• CPA-Secure Encryption Based on PRFs
10. Block Cipher Modes of Operation
• A Tour of Common Modes
• CPA Security for Variable-Length Plaintexts
• Security of OFB Mode
11. Chosen Ciphertext Attacks
• What Went Wrong?
• Defining CCA Security
• A Simple CCA-Secure Scheme
12. Message Authentication Codes
• Definition
• A PRF is a MAC
• MACs for Long Messages
• Encrypt-Then-MAC
13. Hash Functions
• Security Properties for Hash Functions
• Merkle-Damgård Construction
• Hash Functions vs. MACs: Length-Extension Attacks
14. The RSA Function
• Modular Arithmetic & Number Theory
• The RSA Function
• Chinese Remainder Theorem
• The Hardness of Factoring N
• Malleability of RSA, and Applications
15. Diffie-Hellman Key Agreement
• Cyclic Groups
• Diffie-Hellman Key Agreement
• Decisional Diffie-Hellman Problem
16. Public-Key Encryption
• Security Definitions
• One-Time Security Implies Many-Time Security
• ElGamal Encryption
• Hybrid Encryption
17. Authenticated Encryption & AEAD (draft)
• Definitions