0-RTT (zero round trip time) 194
3DES (triple-DES) symmetric key 281
abstracting cryptography 17–18
AEAD (authenticated encryption with associated data) 75–76
AES (Advanced Encryption Standard) block cipher 66–70
amount of security provided by 67
AES-NI (AES New Instructions) 70
arithmetic circuits 324, 338–339
ASLR (address space layout randomization) 155
ASN.1 (Abstract Syntax Notation One) 190
asymmetric cryptographic primitive 113
asymmetric cryptography 10–16, 87, 303
why not to use RSA PKCS#1 v1.5 121–123
asymmetric password-authenticated key exchange 232–236
OPRFs (oblivious pseudorandom functions) 233–234
mutual authentication in key exchanges 239–240
post-handshake user authentication with FIDO2 240–241
AEAD (authenticated encryption with associated data) 75–76
AES (Advanced Encryption Standard) block cipher 66–70
amount of security provided by 67
AES-CBC-HMAC construction 73–74
CBC (cipher block chaining) mode of operation 70–73
encrypted penguin illustration 70–73
authenticated key exchanges 89, 132–133
verifying in constant time 55–57
BCryptGenRandom system call 159
BEAST (Browser Exploit Against SSL/TLS) attack 73
beyond birthday-bound security 80
BFT (Byzantine fault-tolerant) consensus algorithms 252–257
permissionless and censorship-resistant networks 255–257
reducing block’s size by using Merkle trees 265–267
user balances and transactions 257–259
broken cryptographic algorithm 8
CA/Browser Forum (Certification Authority Browser Forum) 187
CAs (certificate authorities) 187, 201, 284
CBC (cipher block chaining) 71
CCA2 (adaptive chosen ciphertext attack) 122
CDNs (Content Delivery Networks) 32
CertificateRequest message 239
CertificateVerify message 188, 239
classifying cryptography 17–18
committed changes to database 254
complexity of cryptography 24, 344
constant-time programming 293–294
CPace (Composable Password Authenticated Connection Establishment) 233, 245
CRLs (Certificate Revocation Lists) 195
CRS (common reference string) 334
BFT (Byzantine fault-tolerant) consensus algorithms 252–257
permissionless and censorship-resistant networks 255–257
reducing block’s size by using Merkle trees 265–267
user balances and transactions 257–259
transactions, when considered finalized 273
classifying and abstracting 17–18
theoretical vs. real-world 18–19
cryptography not an island 352
finding right cryptographic primitive or protocol is a boring job 344–345
polite standards and formal verification 345–348
responsibilities as cryptography practitioner 353–355
CRYSTALS (Cryptographic Suite for Algebraic Lattices) 314
cSHAKE (customizable SHAKE) 42–44, 59
CSPRNGs (cryptographically secure PRNGs) 155
CTAP (Client to Authenticator Protocol) 241
CVP (closest vector problem) 313
decentralized randomness beacons 164
decentralized trust 169–172, 208, 255
DEM (data encapsulation mechanism) 116
DER (Distinguished Encoding Rules) 191
DES (Data Encryption Standard) 66, 281
deterministic consensus protocol 270
DFA (differential fault analysis) 282
DH (Diffie-Hellman) key exchange 91–98
discrete logarithm problem 95–97
DH (Diffie-Hellman) key pairs 215
transactions, when considered finalized 273
Dilithium signature scheme 316–318
discrete logarithm problem 95–97
DKG (distributed key generation) 171
DOS (denial of service) attacks 58
Double Ratchet protocol 218–222
DPA (differential power analysis) 282, 291
DRBGs (deterministic random bit generators) 155
DRM (digital rights management) 280
DSA (Digital Signature Algorithm) 22, 139
DSKS (duplicate signature key selection) 149
DUF (difference unpredictable function) 78
ECDH (Elliptic Curve Diffie-Hellman) key exchange 97–105, 113, 125
ECDLP (elliptic curve discrete logarithm problem) 101
ECDSA (Elliptic Curve Digital Signature Algorithm) 139, 143–145, 257
ECIES (Elliptic Curve Integrated Encryption Scheme) 116, 126–128
EdDSA (Edwards-curve Digital Signature Algorithm) 139, 145–149
scaling trust between users with web of trust 208
encrypted penguin illustration 70–73
encrypted email, failure of 205–211
scaling trust between users with web of trust 208
Double Ratchet protocol 218–222
more user-friendly than WOT 212–215
FBE (file-based encryption) 286
FDE (full-disk encryption) 286
FFDH (Finite Field Diffie-Hellman) 94
FHE (fully homomorphic encryption) 326–332
bootstrapping as key to fully homomorphic encryption 328–330
FHE scheme based on learning with errors problem 330–332
homomorphic encryption with RSA encryption 327
types of homomorphic encryption 327–328
FIDO2 (Fast IDentity Online 2) 240–241
FIPS (Federal Information Processing Standards) 20, 67
fixed-sized compression function 37
forgery of authentication tags 53
FTS (few-time signatures) 308, 310
fully homomorphic encryptions 328
Gaussian elimination algorithm 313
GDPR (General Data Protection Regulation) 203
general-purpose ZKPs (zero-knowledge proofs) 322
GPG (GNU Privacy Guard) 205–207
Grover and Shor’s algorithms 303–304
HSMs (hardware security modules) 283–285
leakage-resilient cryptography 291–296
constant-time programming 293–294
modern cryptography attacker model 278–279
smart cards and secure elements 281–283
TEE (trusted execution environment) 288–289
TPMs (Trusted Platform Modules) 285–288
many-times signatures with XMSS and SPHINCS+ 308–311
OTS (one-time signatures) with Lamport signatures 305–306
WOTS (Winternitz one-time signatures) 307
security considerations for 30–31
standardized hash functions 34–44
avoiding ambiguous hashing with TupleHash 43–44
heuristic-based constructions 17
HKDF (HMAC-based key derivation function) 57, 164–168
HMAC (hash-based message authentication code) 51, 58–59, 74
HOTP (HMAC-based one-time password) algorithm 237
HSMs (hardware security modules) 283–285, 289
HSTS (HTTP Strict Transport Security) 195
HTTP (Hypertext Transfer Protocol) 178
HTTPS (Hypertext Transfer Protocol Secure) 178
HVZK (honest verifier zero-knowledge) model 137
IETF (Internet Engineering Task Force) 21, 178
indistinguishable from random 156
iO (indistinguishability obfuscation) 280
IVs (initialization vectors) 71
KDF (key derivation function) 125, 165, 217, 234
KEM (key encapsulation mechanism) 116
key exchanges 10–12, 112–113, 182
authenticated, as use case for signatures 132–133
DH (Diffie-Hellman) key exchange 91–98
discrete logarithm problem 95–97
ECDH (Elliptic Curve Diffie-Hellman) key exchange 98–105
elliptic curve overview 98–101
forward-secure key exchanges and TLS 184–185
small subgroup attacks 105–108
KMS (Key Management Service) 350
lattice-based cryptography 311–318
Dilithium signature scheme 316–318
LWE (learning with errors) 313–314
leakage-resilient cryptography 291–296
constant-time programming 293–294
LWE (learning with errors) 313–314
MACs (message authentication codes) 74, 90, 131
forgery of authentication tag 53
lengths of authentication tag 53–54
verifying authentication tags in constant time 55–57
SHA-2 and length-extension attacks 60–62
MA-DH (Manually Authenticated Diffie-Hellman) 247
many-times signatures, with XMSS and SPHINCS+ 308–311
Merkle–Damgård construction 36
message/payload authentication 227
message key substitution attacks 149
MFA (multi-factor authentication) 241
MGF (mask generation function) 124
MITM (man-in-the-middle) attacks 12, 43, 89, 132, 278, 301
MLS (Messaging Layer Security) 224
Montgomery ladder’s algorithm 294
MPC (multi-party computation), secure 322–326
PSI (private set intersection) 323–324
mTLS (mutually-authenticated TLS) 186
mutually authenticated connections 242
mutually-authenticated key exchanges 90, 133
FHE (fully homomorphic encryption) 326–332
bootstrapping as key to fully homomorphic encryption 328–330
FHE scheme based on learning with errors problem 330–332
homomorphic encryption with RSA encryption 327
types of homomorphic encryption 327–328
MPC (multi-party computation), secure 322–326
PSI (private set intersection) 323–324
ZKPs (zero-knowledge proofs), general-purpose 332–342
bilinear pairings to improve homomorphic commitments 336–337
from programs to polynomials 338
homomorphic commitments to hide parts of proof 336
R1CS (rank-1 constraint system) 339
Noise protocol framework 197–200
non-authenticated encryption 84
nonce misuse-resistant authenticated encryption 85
non-interactive key exchanges 215
OAEP (Optimal Asymmetric Encryption Padding) 123, 142
OCSP (Online Certificate Status Protocol) 196
OPRFs (oblivious pseudorandom functions) 233–234, 323
origin/entity/identity authentication 227
OTR (Off-The-Record) communication 211
OTS (one-time signatures) with Lamport signatures 305–306
password hashing algorithm 229
mutual authentication in key exchanges 239–240
post-handshake user authentication with FIDO2 240–241
asymmetric password-authenticated key exchange 232–236
OPRFs (oblivious pseudorandom functions) 233–234
SSO (single sign-on) and password managers 231–232
PBFT (Practical BFT) algorithm 255
PCS (post-compromise security) 157, 212
pending changes to database 254
PGP (Pretty Good Privacy) 205–207, 210–211
physical unclonable functions 287
PKCS (Public Key Cryptography Standards) 22
PKCS#11 (Public Key Cryptography Standard 11) 284
PKI (public key infrastructure) 228, 254
plaintext-awareness property 124
many-times signatures with XMSS and SPHINCS+ 308–311
OTS (one-time signatures) with Lamport signatures 305–306
WOTS (Winternitz one-time signatures) 307
lattice-based cryptography 311–318
Dilithium signature scheme 316–318
LWE (learning with errors) 313–314
pre-image resistance property 28
PRNGs (pseudorandom number generators) 155–159
PSI (private set intersection) 323–324
public key infrastructures 133
QKD (quantum key distribution) 301
QR (Quarter Round) function 82
QRNGs (quantum random number generators) 300
impact of Grover and Shor’s algorithms on cryptography 303–304
quantum-resistant algorithms 298
quantum-resistant cryptography 304
R1CS (rank-1 constraint system) 339
decentralizing trust with threshold cryptography 169–172
key derivation with HKDF 164–168
managing keys and secrets 168–169
PRNG (pseudorandom number generator) for slow randomness 155–158
security considerations 161–163
rewards, in Bitcoin mining 262
RFCs (Request For Comments) 22, 178
asymmetric encryption with 117–126
RSA PKCS#1 v1.5 121–123, 139–142
S/MIME (Secure/Multipurpose Internet Mail Extensions) 209
SAML (Security Assertion Markup Language 2.0) 232
SAS (short authenticated strings) 246
scaling to groups of larger membership 224
Schnorr identification protocol 134, 136–137
Schrödinger’s cat experiment 300
second pre-image resistance 26
secure cryptographic algorithms 7
Noise protocol framework 197–200
SSL secure transport protocol 178–179
state of encrypted web today 194–197
TLS secure transport protocol 181–194
authentication and web public key infrastructure 186–189
authentication via X.509 certificates 190–193
avoiding key exchanges 193–194
forward-secure key exchanges and 184–185
how TLS 1.3 encrypts application data 194
pre-shared keys and session resumption in 193–194
security through obfuscation 280
security through obscurity 8, 280
SHA-1 (Secure Hash Algorithm 1) 35
Shor and Grover’s algorithms 303–304
Double Ratchet protocol 218–222
more user-friendly than WOT 212–215
public key infrastructures and 133
ECDSA (Elliptic Curve Digital Signature Algorithm) 143–145
EdDSA (Edwards-curve Digital Signature Algorithm) 145–149
RSA PKCS#1 v1.5 standard 139–142
signing and verifying in practice 131
ZKPs (zero-knowledge proofs) and 134–138
Schnorr identification protocol 134–137
signatures as non-interactive zero-knowledge proofs 137–138
single point of failure 171, 252
SIV (synthetic initialization vector) 85
small subgroup attacks 105–108
smart cards and secure elements 281–283
SMTP (Simple Mail Transfer Protocol) 209
SPA (simple power analysis) attack 291
SPHINCS+ signature scheme 308, 310–311
SRP (Secure Remote Password) 232
SSH (Secure Shell) protocol 197, 213, 240
SSL (Secure Sockets Layer) protocol 178–179
SSS (Shamir’s Secret Sharing) 170
standardized hash functions 34–44
avoiding ambiguous hashing with TupleHash 43–44
SVP (shortest vector problem) 312
symmetric cryptographic primitives 113
symmetric cryptography 5–6, 303
nonce misuse-resistant authenticated encryption 85
TCG (Trusted Computing Group) 285
TCP (Transmission Control Protocol) 178
TDE (transparent data encryption) 86
TEEs (trusted execution environments) 288–290
theoretical cryptography 18, 345
threshold cryptography 169–172, 322
threshold distributed keys 164
TLS secure transport protocol 181–194
authentication and web public key infrastructure 186–189
authentication via X.509 certificates 190–193
avoiding key exchanges 193–194
forward-secure key exchanges and 184–185
how TLS 1.3 encrypts application data 194
pre-shared keys and session resumption in 193–194
TOFU (trust on first use) 212, 227
TOTP (time-based one-time password) algorithm 237
TPMs (Trusted Platform Modules) 285–288
TRNGs (true random number generators) 155
decentralizing with threshold cryptography 169–172
scaling trust between users with web of trust 208
unauthenticated key exchanges 89, 185
asymmetric password-authenticated key exchange 232–236
SSO (single sign-on) and password managers 231–232
symmetric password-authenticated key exchanges with CPace 245–246
UTXOs (Unspent Transaction Outputs) 258
VRFs (verifiable random functions) 163
WebAuthn (Web Authentication) 241
web PKI (web public key infrastructure) 133, 187
WOTS (Winternitz one-time signatures) 307
WPA (Wi-Fi Protected Access) 197
X3DH (Extended Triple Diffie-Hellman) 212, 215–217
XML (Extensible Markup Language) 232
XMPP (Extensible Messaging and Presence Protocol) 211
XMSS (extended Merkle signature scheme) 308–311
XOFs (extendable output functions) 42–43, 124, 168
ZKPs (zero-knowledge proofs) 134–138, 268, 332–342
bilinear pairings to improve homomorphic commitments 336–337
homomorphic commitments to hide parts of proof 336
R1CS (rank-1 constraint system) 339
Schnorr identification protocol 134–137
signatures as non-interactive zero-knowledge proofs 137–138
zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) 334–336