Cryptography

crypto does not mean blockchain#Cryptocurrency

enigma-machine
crypto-shangmi
crypto-pqc

A Crash Course in Everything Cryptographic – Noteworthy - The Journal Blog ❗!important
The Genius Math of Modern Encryption - YouTube

Crypto Forum (cfrg) ❗!important, IETF
Limited Additional Mechanisms for PKIX and SMIME (lamps) ❗!important, IETF
Cryptology ePrint Archive ❗!important
Welcome | Practical Cryptography for Developers
nakov/Practical-Cryptography-for-Developers-Book: Practical Cryptography for Developers: Hashes, MAC, Key Derivation, DHKE, Symmetric and Asymmetric Ciphers, Public Key Cryptosystems, RSA, Elliptic Curves, ECC, secp256k1, ECDH, ECIES, Digital Signatures, ECDSA, EdDSA

Course
Journey into cryptography | Computer science | Computing | Khan Academy
Cryptography I | Coursera
The Cryptopals Crypto Challenges
The Joy of Cryptography ❗!important, course
A Graduate Course in Applied Cryptography ❗!important, course
Crypto 101
ECE407/CS407: Cryptography
7 Cryptography Concepts EVERY Developer Should Know - YouTube
Secret Codes: A History of Cryptography (Part 1) - YouTube
More Secret Codes: A History of Cryptography (Part 2) - YouTube

An Overview of Cryptography

In cryptography, these entities are usually used:

Alice, Bob, Charles, Douglas: authentic users
Eve: eavesdropper
Mallory: MITM attacker
Satan: malicious user/hacker

Education Center | Explore Now | Encryption Consulting

Asymmetric Cryptography

Asymmetric Encryption: An Introduction To Asymmetric Cryptography

There are generally three things asymmetric algorithms can do:

Encrypt/decrypt
Sign/verify
Key exchange

However, not all algorithms can perform all functions:

RSA: Used for encryption, decryption, signing, and verifying.
DSA: Used for signing and verifying.
Diffie-Hellman: Used for key exchange.
ECC: Used for signing and verifying (ECDSA), key exchange (ECDH), and encryption and decryption (EC ElGamal)

Ciphertext indistinguishability

Ciphertext indistinguishability - Wikiwand
Chosen-plaintext attack - Wikiwand
Chosen-ciphertext attack - Wikiwand CCA
Adaptive chosen-ciphertext attack - Wikiwand

indistinguishability under chosen plaintext attack (IND-CPA)
indistinguishability under (non-adaptive) chosen ciphertext attack (IND-CCA1)
indistinguishability under adaptive chosen ciphertext attack (IND-CCA2)

Public-Key Cryptography Standards (PKCS)

PKCS - Wikiwand
What are Public-Key Cryptography Standards (PKCS)?
Guide to Public Key Cryptography Standards in Cyber Security | RSI Security

PKCS #1: RSA (RFC8017)
PKCS #3: Diffie–Hellman Key Agreement Standard

RFC 8018 - PKCS #5: Password-Based Cryptography Specification Version 2.1
PBKDF2 - Wikiwand

PKCS 7 - Wikiwand
RFC 2315 - PKCS #7: Cryptographic Message Syntax Version 1.5
RFC 5652 - Cryptographic Message Syntax (CMS) IETF picked up CMS

Certificate signing request - Wikiwand
RFC 2986 - PKCS #10: Certification Request Syntax Specification Version 1.7

PKCS 12 - Wikiwand
RFC 7292 - PKCS #12: Personal Information Exchange Syntax v1.1

PKCS #11

PKCS 11 - Wikiwand Cryptoki, C API to communicate with HSM or smart cards
PKCS #11 Specification Version 3.1
oasis-tcs/pkcs11: OASIS PKCS 11 TC: Repository to support version control for development of technical files associated with the OASIS PKCS11 specification

An Introduction to PKCS#11

pkcs11-spec-v3.2-wd13.docx uploaded | OASIS PKCS 11 TC

Clients

ThalesGroup/crypto11: Implement crypto.Signer and crypto.Decrypter for HSM-protected keys via PKCS#11 Go binding

Java PKCS#11 Reference Guide
SimpleMethod/PKCS11-Java-Wrapper: A comprehensive Java library for interacting with PKCS#11 (Cryptoki) compatible hardware security modules (HSMs) and smart cards. This wrapper simplifies cryptographic operations while maintaining high security standards. GPL v3

OpenSC/OpenSC: Open source smart card tools and middleware. PKCS#11/MiniDriver/Tokend LGPL v2.1

openCryptoki - An Open Source Implementation of PKCS #11 - IBM Documentation
opencryptoki/opencryptoki: PKCS#11 library and tools for Linux and AIX. Includes tokens supporting IBM crypto hardware as well as a software token.

c - OpenSC vs openCryptoKI - Stack Overflow
OpenSC is a software stack for smart cards. And it includes a PKCS#11 module. OpenCryptoki is "just" a PKCS#11 module (meaning software-only-module, except for some IBM PCI cards, apparently) that has nothing to do with (most) smart cards.

Software implementations

softhsm/SoftHSMv2: SoftHSM version 2
SoftHSMv2 · Cloudflare SSL/TLS docs

corePKCS11: Overview
FreeRTOS/corePKCS11: Software implementation of the PKCS #11 standard.

yay -S softhsm opensc

> softhsm2-util --show-slots
Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot ID 0x0
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.6
        Firmware version: 2.6
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.6
        Firmware version: 2.6
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:

> softhsm2-util --init-token --slot 0 --label Token1
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ******
Please reenter SO PIN: ******
=== User PIN (4-255 characters) ===
Please enter user PIN: ******
Please reenter user PIN: ******
error registering mldsa44 with no hash
The token has been initialized and is reassigned to slot 491172432
A Graduate Course in Applied Cryptography
> pkcs11-tool --show-info --module /usr/lib/softhsm/libsofthsm2.so
error registering mldsa44 with no hash
Cryptoki version 2.40
Manufacturer     SoftHSM
Library          Implementation of PKCS11 (ver 2.6)
Using slot 0 with a present token (0x1d46b250)

> pkcs11-tool --list-slots --module /usr/lib/softhsm/libsofthsm2.so
error registering mldsa44 with no hash
Available slots:
Slot 0 (0x1d46b250): SoftHSM slot ID 0x1d46b250
  token label        : Token1
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 2.6
  firmware version   : 2.6
  serial num         : 628ee7169d46b250
  pin min/max        : 4/255
  uri                : pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=628ee7169d46b250;token=Token1
Slot 1 (0x1): SoftHSM slot ID 0x1
  token state:   uninitialized

Classical Cryptography

Classical Cryptography - YouTube

The Unbreakable Kryptos Code - YouTube Vigenère cipher, substitution Cipher

Algorithms

Bit security measures the number of trials required to brute-force a key. 128 bit security means 2128 trials to break.

Cryptographic nonce - Wikiwand
Comparison of cryptography libraries - Wikiwand

cryptography - Do any security experts recommend bcrypt for password storage? - Information Security Stack Exchange
BCrypt Explained - DEV Community 👩‍💻👨‍💻

Computer and Network Security by Avi Kak

lukeed/salteen: A snappy and lightweight (259B) utility to encrypt and decrypt values with salt.

Hashing/Key Derivation Function

Key derivation function - Wikiwand
HKDF - Wikiwand HMAC (keyed cryptographic hash functions) are candidates KDF
Cryptographic Extraction and Key Derivation: The HKDF Scheme

KEM Combiners secure pseudorandom function (PRF)
X-Wing IND-CCA KEM
On Robust Combiners for Oblivious Transfer and Other Primitives | SpringerLink
draft-irtf-cfrg-hybrid-kems-03 - Hybrid PQ/T Key Encapsulation Mechanisms hybrid KEM schemes, security considerations

Secure Hash Algorithms - Wikiwand SHA
SHA: Secure Hashing Algorithm - Computerphile - YouTube

SHA-1 - Wikiwand
FIPS 180-1, Secure Hash Standard | CSRC

SHA-2 - Wikiwand
FIPS 180-4, Secure Hash Standard (SHS) | CSRC

SHA-3 - Wikiwand Kaccak, SHAKE
FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions | CSRC
SHAKE (Sponge Function) allows for
SHA-3, Keccak and SHAKE (Sponge Function) - YouTube

RFC 6194 - Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms 💀 deprecated
RFC 6234 - US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF) SHA-2
RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
RFC 7693 - The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)

SP 800-56C Rev. 2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes | CSRC
SP 800-108 Rev. 1, Recommendation for Key Derivation Using Pseudorandom Functions | CSRC
SP 800-227, Recommendations for Key-Encapsulation Mechanisms | CSRC

Key Derivation Functions vs. Password Hashing Schemes - Cryptography Stack Exchange
encryption - What is the difference between Key Derivation Function and (salted) Hash? - Information Security Stack Exchange

Storing password/Password hashing

the (password) hashing function should be relatively expensive to calculate in case of brute-force attacks
it takes a password, a salt, and a cost factor as inputs then generate a password hash for storage

How To Safely Store A Password | codahale.com bcrypt
Secure Salted Password Hashing - How to do it Properly
The difference between Encryption, Hashing and Salting
Best practices for password hashing and storage - draft-ietf-kitten-password-storage expired 2022-03-31
Serious Security: How to store your users’ passwords safely – Naked Security
How Dropbox securely stores your passwords | Dropbox Tech Blog
Salt (cryptography) - Wikiwand

scrypt - Wikiwand
RFC 7914 - The scrypt Password-Based Key Derivation Function

bcrypt - Wikiwand
Bcrypt, a Popular Password Hashing Algorithm, Starts Its Long Goodbye | WIRED

PBKDF2 - Wikiwand
PBKDF2 Hashing Algorithm. Before moving into the PBKDF2 hashing… | by Nishothan Vettivel | Medium
PBKDF2 and Encrypting Data. What keeps your wireless access point… | by Prof Bill Buchanan OBE FRSE | Jan, 2025 | Medium
RFC 2898 - PKCS #5: Password-Based Cryptography Specification Version 2.0

multiformats/multihash: Self describing hashes - for future proofing

Argon2 - Wikiwand
P-H-C/phc-winner-argon2: The password hash Argon2, winner of PHC
How to enable Argon2 KDF in Bitwarden - gHacks Tech News

Authenticity

Hash vs. Message Authentication Code | Baeldung on Computer Science

MAC ~= hashing with shared key
less prune to replay attack

Message authentication code - Wikiwand MAC
Hash-based message authentication code - Wikiwand HMAC, hash with secret key
Moxie Marlinspike >> Blog >> The Cryptographic Doom Principle Encrypt-then-MAC
Mandatory Access Control

HMAC - Wikiwand
Securing Stream Ciphers (HMAC) - Computerphile - YouTube
RFC 2104 - HMAC: Keyed-Hashing for Message Authentication

If both encryption and authentication are required, consider authenticated encryption and authenticated encryption with associated data (AEAD), such as AES-GCM.

draft-irtf-cfrg-aead-limits-10 - Usage Limits on AEAD Algorithms

Digital Signatures: encrypt a known data (nonce or message hash) with sender's private key
Certificate Authorities: a trusted third party that will digitally sign and publish the public key bound to a user or entity

Implementation

Most TLS library provides crypto layer
openssl
openssl#Alternate Implementations

The Linux Crypto API for user applications
This is slower than OpenSSL

Welcome to pyca/cryptography — Cryptography documentation
pyca/cryptography: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

PyNaCl: Python binding to the libsodium library — PyNaCl documentation
pyca/pynacl: Python binding to the Networking and Cryptography (NaCl) library
Introduction | libsodium
jedisct1/libsodium: A modern, portable, easy to use crypto library.

Welcome to PyCryptodome’s documentation pycryptodome provides Crypto package (to replace PyCrypto), pycryptodomex provides Cryptodome package
Legrandin/pycryptodome: A self-contained cryptographic library for Python

AES instruction set - Wikiwand

Key Exchange

Key Exchange Problems - Computerphile - YouTube
RFC 9142 - Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)

End to End Encryption (E2EE) - Computerphile - YouTube
How Signal Instant Messaging Protocol Works (& WhatsApp etc) - Computerphile - YouTube

SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography | CSRC
SP 800-56B Rev. 2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography | CSRC

Non-Interactive Key Exchange (NIKE)

no challenges are presented to be validated
Random oracle - Wikiwand

Understanding Non-Interactive Key Exchange in Cryptography !🔐🌐 | by Samuel Guxegdsa | Medium only sends a single, asynchronous message from each party
Non-Interactive Key Exchange | SpringerLink
Non-Interactive Key Exchange
Cryptographic algorithms as interactive and non-interactive proofs | by Filza | Xord | Medium

Diffie–Hellman key exchange

PKCS #3: Diffie-Hellman Key-Agreement Standard
Intro to PKCS #3: Diffie-Hellman Key Agreement Standard – wolfSSL

Diffie–Hellman key exchange - Wikiwand
Elliptic-curve Diffie–Hellman - Wikiwand

RFC 7919 - Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)
RFC 8422 - Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier

Secret Key Exchange (Diffie-Hellman) - Computerphile - YouTube
Diffie Hellman -the Mathematics bit- Computerphile - YouTube
Diffie-Hellman Key Exchange: How to Share a Secret - YouTube

Double Ratchet Messaging Encryption - Computerphile - YouTube Extended Triple Diffie–Hellman (X3DH)
Signal >> Specifications >> The X3DH Key Agreement Protocol

Signal's protocol, requires identity key
Post-Quantum Extended Diffie–Hellman - Wikiwand
Cryspen | An Analysis of Signal's PQXDH

[2501.09568] Quantum Diffie-Hellman key exchange Quantum system

Internet Key Exchange (IKE)

used by many technologies that are protected by IPsec, e.g.L VPN, SFTP, SSH and Point-to-Point Protocol (PPP).

IPsec - Wikiwand
Internet Key Exchange - Wikiwand
What is Internet Key Exchange (IKE) and How Does It Work? | Definition from TechTarget
what is Internet Key Exchange Protocol Version 2 (IKEv2)? - Phind

RFC 4306 - Internet Key Exchange (IKEv2) Protocol
RFC 8784 - Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security
RFC 9242 - Intermediate Exchange in the Internet Key Exchange Protocol Version 2 (IKEv2) allow large-sized keys
RFC 9370 - Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2) allows multiple rounds of key exchanges
Internet Key Exchange Version 2 (IKEv2) Parameters

SIGMA: The ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols | SpringerLink

Quantum Security Made Easy with RFC 8784 Standard | Palo Alto Networks intermediate solution using preshared keys IDs, hiding the DH parameters
Palo Alto Networks Extends Support for Quantum Safe VPN with RFC 9242, RFC 9370 Standards, and Hybrid KEYs | Palo Alto Networks

PQC Keyex

tldr.fail

draft-ietf-tls-hybrid-design-12 - Hybrid key exchange in TLS 1.3 ❗!important, define the way multiple keys (traditional and next gen) are packed in TLS extension structs, allows key reuse (or duplication?) in ClientHello
draft-ietf-tls-ecdhe-mlkem-00 - Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3 ❗!important, X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024
draft-irtf-cfrg-hybrid-kems-03

Post Quantum Cryptography: A short update. | LinkedIn 2024-12

Cloudflare enabled PQC for their customers as described in a 2023 blog. That handles the server side.
Post-Quantum Key Agreement at Cloudflare Modern browsers support X25519MLKEM768 in TLS
https://blog.cloudflare.com/post-quantum-to-origins/ 2023-09
https://blog.cloudflare.com/post-quantum-for-all/ 2022-10
https://blog.cloudflare.com/making-protocols-post-quantum/ 2022-02, KEX in TLS and KEMTLS for auth
https://blog.cloudflare.com/pq-2024/ 2024-03,❗!important, history, KEX and signature
https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/

Then Google deployed default support for PQC in desktop Chrome installs for TLS 1.3 and QUIC and on Google's servers. Few people seem to have had problems (or even noticed)!
Chromium Blog: Protecting Chrome Traffic with Hybrid Kyber KEM
Chromium Blog: Advancing Our Amazing Bet on Asymmetric Cryptography performance
Google Online Security Blog: Post-Quantum Cryptography: Standards and Progress

Apple's New iMessage, Signal, & Post-Quantum Crypto | CSA
Blog - iMessage with PQ3: The new state of the art in quantum-secure messaging at scale - Apple Security Research
Signal >> Blog >> Quantum Resistance and the Signal Protocol

Go Post-Quantum with Caddy | Sam Burns' Tech Blog
cloudflare/go: Go with Cloudflare experimental patches

Homomorphic Encryption

ciphertext that can be processed or analyzed

Homomorphic encryption - Wikiwand
Homomorphic Encryption: How It Works | Splunk
What Is Homomorphic Encryption?

3 Homomorphic Encryption Trends for 2025

Block Ciphers

contrast "stream ciphers", where encrypted strings are the same length as the plaintext

Symmetric-key algorithm - Wikiwand

Lecture3 Lecture 3: Block Ciphers and the Data Encryption Standard

Anatomy of a password disaster – Adobe’s giant-sized cryptographic blunder – Naked Security study of Adobe's leaked password database

Feistel Cipher - Computerphile - YouTube

Modes of operation

Block cipher mode of operation - Wikiwand

Block ciphers, as the name suggests, encrypts blocks. The methods of segmenting data into blocks is called "modes of operation".

Modes of Operation - Computerphile - YouTube
ECB: simply divides a message into 16 byte blocks, preserves pattern (for experts only: ECB should never be used except in some very specific cases)
CBC: first block XORed with Initialization Vector (IV) (nonce), every other block XORed with the ciphertext of the block preceding it; however this introduces dependency on previous block and encryption cannot be parallelized
CTR: uses counter and nonce (similar to IV) per block to allow each block to be encrypted concurrently

CBC mode is suspectable to Padding oracle attack (Vaudenay Attack)
Moxie Marlinspike >> Blog >> The Cryptographic Doom Principle
Always Encrypt-then-MAC, so that verifying the MAC does not invole decryption

Authenticated encryption - Wikiwand GCM, CCM, protects against chosen ciphertext attack on decryption oracle
Authenticated Encryption in .NET with AES-GCM

DES

Even Triple DES (3-DES) is not recommended

Data Encryption Standard - Wikiwand
【计算机博物志】DES的生与死 - YouTube

AES

Advanced Encryption Standard - Wikiwand
Lecture 8: AES: The Advanced Encryption Standard
Protect your TCP tunnel by implementing AES encryption with Python [Tutorial] | Packt Hub

Crypto competitions: AES: the Advanced Encryption Standard
AES Explained (Advanced Encryption Standard) - Computerphile - YouTube
AES GCM (Advanced Encryption Standard in Galois Counter Mode) - Computerphile - YouTube
One Encryption Standard to Rule Them All! - Computerphile - YouTube
Almost All Web Encryption Works Like This (SP Networks) - Computerphile - YouTube
AES: How to Design Secure Encryption - YouTube

CTR mode, also known as Counter mode, is a stream cipher mode of AES encryption. With stream cipher encryption, it is not necessary to encrypt the plaintext in fixed blocks like AES in CBC mode, which encrypts data in 16-byte blocks. If the plaintext to be encrypted is smaller than the block size, padding is required to process a complete 16-byte block.

Commands

opessl openssl is for proof of concept

man enc  # show ciphers

# encryption
openssl aes-256-cbc -in attack-plan.txt -out message.enc

# decryption
openssl aes-256-cbc -d -in message.enc -out plain-text.txt

gpg

# encryption
gpg --cipher-algo AES256 --symmetric filename.tar.gz

# decryption
gpg --output filename.tar.gz --decrypt filename.tar.gz.gpg

AES Crypt
aescrypt

Stream Ciphers

Chacha Cipher

alternative to AES

Chacha Cipher - Computerphile - YouTube
RFC 8439 - ChaCha20 and Poly1305 for IETF Protocols
ARX cipher: add, rotate, xor

Public Key Cryptography

Public-key cryptography - Wikiwand
Public Key crypto simply works with numbers. This means that any messages would have to be converted into a number before being encrypted.