Cryptography

Modes of Operation - Computerphile - YouTube
ECB: simply divides a message into 16 byte blocks, preserves pattern (for experts only: ECB should never be used except in some very specific cases)
CBC: first block XORed with Initialization Vector (IV) (nonce), every other block XORed with the ciphertext of the block preceding it; however this introduces dependency on previous block and encryption cannot be parallelized
CTR: uses counter and nonce (similar to IV) per block to allow each block to be encrypted concurrently

CBC mode is suspectable to Padding oracle attack (Vaudenay Attack)
Moxie Marlinspike >> Blog >> The Cryptographic Doom Principle
Always Encrypt-then-MAC, so that verifying the MAC does not involve decryption

Counter mode transforms a block cipher into a stream cipher.

Authenticated encryption - Wikiwand GCM, CCM, protects against chosen ciphertext attack on decryption oracle
Authenticated Encryption in .NET with AES-GCM

DES

Even Triple DES (3-DES) is not recommended

Data Encryption Standard - Wikiwand
【计算机博物志】DES的生与死 - YouTube

AES

Advanced Encryption Standard - Wikiwand
Lecture 8: AES: The Advanced Encryption Standard
Protect your TCP tunnel by implementing AES encryption with Python [Tutorial] | Packt Hub

Crypto competitions: AES: the Advanced Encryption Standard
AES Explained (Advanced Encryption Standard) - Computerphile - YouTube
AES GCM (Advanced Encryption Standard in Galois Counter Mode) - Computerphile - YouTube
One Encryption Standard to Rule Them All! - Computerphile - YouTube
Almost All Web Encryption Works Like This (SP Networks) - Computerphile - YouTube
AES: How to Design Secure Encryption - YouTube

CTR mode, also known as Counter mode, is a stream cipher mode of AES encryption. With stream cipher encryption, it is not necessary to encrypt the plaintext in fixed blocks like AES in CBC mode, which encrypts data in 16-byte blocks. If the plaintext to be encrypted is smaller than the block size, padding is required to process a complete 16-byte block.

ARIA

ARIA (cipher) - Wikiwand

RFC 5794 - A Description of the ARIA Encryption Algorithm

AES-256 vs ARIA-256 | Popular Encryption Standards Comparison

Commands

opessl openssl is for proof of concept

man enc  # show ciphers

# encryption
openssl aes-256-cbc -in attack-plan.txt -out message.enc

# decryption
openssl aes-256-cbc -d -in message.enc -out plain-text.txt

# speed comparison
openssl speed -aes-256-cbc -aria-256-cbc

gpg

# encryption
gpg --cipher-algo AES256 --symmetric filename.tar.gz

# decryption
gpg --output filename.tar.gz --decrypt filename.tar.gz.gpg

AES Crypt
aescrypt

Stream Ciphers

Chacha Cipher

alternative to AES

Chacha Cipher - Computerphile - YouTube
RFC 8439 - ChaCha20 and Poly1305 for IETF Protocols
ARX cipher: add, rotate, xor

The design of Chacha20 encryption
The design of Poly1305 MAC

Asymmetric Cryptography

Public-key cryptography - Wikiwand
Asymmetric Encryption: An Introduction To Asymmetric Cryptography
Public Key crypto simply works with numbers. This means that any messages would have to be converted into a number before being encrypted.

There are generally three things asymmetric algorithms can do:

Encrypt/decrypt
Sign/verify
Key exchange

However, not all algorithms can perform all functions:

RSA: Used for encryption, decryption, signing, and verifying.
DSA: Used for signing and verifying.
Diffie-Hellman: Used for key exchange.
ECC: Used for signing and verifying (ECDSA), key exchange (ECDH), and encryption and decryption (EC ElGamal)

密码学学习笔记05公钥密码系统 - 知乎

Backdoors in Asymmetric Cryptography

Why I don’t Trust NIST P-256 | Credelius
How to manipulate curve standards: a white paper for the black hat

How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer

NIST's P-256, P-384, P-521 curves are distrusted
Curve25519, Curve448 are used by the community

RSA

crypto-rsa-example

RSA (cryptosystem) - Wikiwand
How does RSA work? – Hacker Noon

PKCS 1 - Wikiwand
RFC 8017 - PKCS #1: RSA Cryptography Specifications Version 2.2

RSA Signing is Not RSA Decryption optimal asymmetric encryption padding (OAEP) is used for pre/post-processing before RSA

Prime Numbers & RSA Encryption Algorithm - Computerphile - YouTube
Breaking RSA - Computerphile - YouTube
The RSA Encryption Algorithm (1 of 2: Computing an Example) - YouTube
The RSA Encryption Algorithm (2 of 2: Generating the Keys) - YouTube
How prime numbers protect your privacy #SoME2 - YouTube

Generate two large co-prime numbers, p and q.
Find n = pq and phi = (p-1) (q-1)
Select e such that 1 < e < phi, and e is coprime of phi
Find d, which is the multiplicative inverse of e modulo phi.
The couple (e, n) is the public key
The couple (d, n) is the private key
Ciphertext c = m^e mod n
Plaintext m = c^d mod n
RSA keypair is actually a trio of numbers e, n and d related such that m^de%n=m
public key: (e, n), private key: d
s = h^d%n, s = signature, h = hash of message m
To verify, check if s^e%n equals h

Pretty Good Privacy (PGP) and Digital Signatures | Linux Journal

Passive SSH Key Compromise via Lattices | Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

Elliptic Curve Cryptography (ECC)

ANSI X9.62-2005_317.pdf The Elliptic Curve Digital Signature Algorithm
FIPS 186-5, Digital Signature Standard (DSS) | CSRC P-192, P-256, P-384 curves
RFC 5639 - Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation avoid potential patent issues associated other ECC curves

RFC 6979 - Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)
RFC 6605 - Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography
Elliptic Curve Cryptography: a gentle introduction - Andrea Corbellini
how does ECDSA works - Phind
Paul Miller — Learning fast elliptic-curve cryptography
ECDSA: Elliptic Curve Signatures | Practical Cryptography for Developers
EdDSA and Ed25519 | Practical Cryptography for Developers
Elliptic Curves over Finite Fields | By RareSkills – RareSkills basic ZKP

RFC 8032 - Edwards-Curve Digital Signature Algorithm (EdDSA)
EdDSA Keys and Signatures

Ed25519: high-speed high-security signatures highly efficient algo with strengh similar to RSA with ~3000-bit keys
A Deep dive into Ed25519 Signatures

ECDSA vs EdDSA - Sefik Ilkin Serengil EdDSA is more effient and secure than ECDSA
cryptography - SSH Key: Ed25519 vs RSA - Information Security Stack Exchange

age

FiloSottile/age: A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

Ciphertext indistinguishability

Ciphertext indistinguishability - Wikiwand
Chosen-plaintext attack - Wikiwand
Chosen-ciphertext attack - Wikiwand CCA
Adaptive chosen-ciphertext attack - Wikiwand

indistinguishability under chosen plaintext attack (IND-CPA)
indistinguishability under (non-adaptive) chosen ciphertext attack (IND-CCA1)
indistinguishability under adaptive chosen ciphertext attack (IND-CCA2)

These are useful for proving the protocol is Universal Composable.
Universal composability - Wikipedia
Universally Composable Security: A New Paradigm for Cryptographic Protocols
encryption - What is universal composability guaranteeing, specifically? Where does it apply, and where does it not? - Cryptography Stack Exchange

Algorithms

Bit security measures the number of trials required to brute-force a key. 128 bit security means 2128 trials to break.

Cryptographic nonce - Wikiwand
Comparison of cryptography libraries - Wikiwand

Computer and Network Security by Avi Kak

Hashing/Key Derivation Function

Key derivation function - Wikiwand
HKDF - Wikiwand HMAC (keyed cryptographic hash functions) are candidates KDF
Cryptographic Extraction and Key Derivation: The HKDF Scheme

KEM Combiners secure pseudorandom function (PRF)
X-Wing IND-CCA KEM
On Robust Combiners for Oblivious Transfer and Other Primitives | SpringerLink
draft-irtf-cfrg-hybrid-kems-03 - Hybrid PQ/T Key Encapsulation Mechanisms hybrid KEM schemes, security considerations

Secure Hash Algorithms - Wikiwand SHA
SHA: Secure Hashing Algorithm - Computerphile - YouTube

SHA-1 - Wikiwand
FIPS 180-1, Secure Hash Standard | CSRC

SHA-2 - Wikiwand
FIPS 180-4, Secure Hash Standard (SHS) | CSRC
SHA2 Fatal Flaw? (Hash Length Extension Attack) - Computerphile - YouTube
Coding a SHA2 Length Extension Attack - Computerphile - YouTube

SHA-3 - Wikiwand Kaccak, SHAKE
FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions | CSRC
SHAKE (Sponge Function) allows for hashing arbitrary length input and generating arbitrary length output
SHA-3, Keccak and SHAKE (Sponge Function) - YouTube

RFC 6194 - Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms 💀 deprecated
RFC 6234 - US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF) SHA-2
RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
RFC 7693 - The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)
RFC 4418 - UMAC: Message Authentication Code using Universal Hashing UHASH is very efficient on 32-bits CPU (embedded systems)

SP 800-56C Rev. 2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes | CSRC
SP 800-108 Rev. 1, Recommendation for Key Derivation Using Pseudorandom Functions | CSRC
SP 800-227, Recommendations for Key-Encapsulation Mechanisms | CSRC

Key derivation function - Wikiwand
Key Derivation Functions vs. Password Hashing Schemes - Cryptography Stack Exchange
encryption - What is the difference between Key Derivation Function and (salted) Hash? - Information Security Stack Exchange

Storing password/Password hashing

the (password) hashing function should be relatively expensive to calculate in case of brute-force attacks
it takes a password, a salt, and a cost factor as inputs then generate a password hash for storage

How To Safely Store A Password | codahale.com bcrypt
Secure Salted Password Hashing - How to do it Properly
The difference between Encryption, Hashing and Salting
Best practices for password hashing and storage - draft-ietf-kitten-password-storage expired 2022-03-31
Serious Security: How to store your users’ passwords safely – Naked Security
How Dropbox securely stores your passwords | Dropbox Tech Blog
Salt (cryptography) - Wikiwand

cryptography - Do any security experts recommend bcrypt for password storage? - Information Security Stack Exchange
BCrypt Explained - DEV Community 👩‍💻👨‍💻

scrypt - Wikiwand
RFC 7914 - The scrypt Password-Based Key Derivation Function

bcrypt - Wikiwand
Bcrypt, a Popular Password Hashing Algorithm, Starts Its Long Goodbye | WIRED

PBKDF2 - Wikiwand
PBKDF2 Hashing Algorithm. Before moving into the PBKDF2 hashing… | by Nishothan Vettivel | Medium
PBKDF2 and Encrypting Data. What keeps your wireless access point… | by Prof Bill Buchanan OBE FRSE | Jan, 2025 | Medium
RFC 2898 - PKCS #5: Password-Based Cryptography Specification Version 2.0

lukeed/salteen: A snappy and lightweight (259B) utility to encrypt and decrypt values with salt.

multiformats/multihash: Self describing hashes - for future proofing

Argon2 - Wikiwand
P-H-C/phc-winner-argon2: The password hash Argon2, winner of PHC
How to enable Argon2 KDF in Bitwarden - gHacks Tech News

Authenticity

Hash vs. Message Authentication Code | Baeldung on Computer Science

MAC ~= hashing with shared key
less prune to replay attack

Message authentication code - Wikiwand MAC
Hash-based message authentication code - Wikiwand HMAC, hash with secret key
Moxie Marlinspike >> Blog >> The Cryptographic Doom Principle Encrypt-then-MAC
Mandatory Access Control

HMAC - Wikiwand
Securing Stream Ciphers (HMAC) - Computerphile - YouTube
RFC 2104 - HMAC: Keyed-Hashing for Message Authentication

If both encryption and authentication are required, consider authenticated encryption and authenticated encryption with associated data (AEAD), such as AES-GCM.

draft-irtf-cfrg-aead-limits-10 - Usage Limits on AEAD Algorithms

Digital Signatures: encrypt a known data (nonce or message hash) with sender's private key
Certificate Authorities: a trusted third party that will digitally sign and publish the public key bound to a user or entity

Implementation

Most TLS library provides crypto layer
openssl
openssl#Alternate Implementations

openssl

The Linux Crypto API for user applications
This is slower than OpenSSL

Welcome to pyca/cryptography — Cryptography documentation
pyca/cryptography: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

NaCl
Introduction | libsodium
jedisct1/libsodium: A modern, portable, easy to use crypto library.

PyNaCl: Python binding to the libsodium library — PyNaCl documentation
pyca/pynacl: Python binding to the Networking and Cryptography (NaCl) library

cryptlib Encryption Toolkit
cryptlib/cryptlib: cryptlib security toolkit

Welcome to PyCryptodome’s documentation pycryptodome provides Crypto package (to replace PyCrypto), pycryptodomex provides Cryptodome package
Legrandin/pycryptodome: A self-contained cryptographic library for Python

AES instruction set - Wikiwand

Key Exchange

Key Exchange Problems - Computerphile - YouTube
RFC 9142 - Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)

End to End Encryption (E2EE) - Computerphile - YouTube
How Signal Instant Messaging Protocol Works (& WhatsApp etc) - Computerphile - YouTube

SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography | CSRC
SP 800-56B Rev. 2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography | CSRC

Non-Interactive Key Exchange (NIKE)

no challenges are presented to be validated
Random oracle - Wikiwand

Understanding Non-Interactive Key Exchange in Cryptography !🔐🌐 | by Samuel Guxegdsa | Medium only sends a single, asynchronous message from each party
Non-Interactive Key Exchange | SpringerLink
Non-Interactive Key Exchange
Cryptographic algorithms as interactive and non-interactive proofs | by Filza | Xord | Medium

Diffie–Hellman key exchange

Diffie–Hellman key exchange - Wikiwand
Elliptic-curve Diffie–Hellman - Wikiwand
Implementation of Diffie-Hellman Algorithm - GeeksforGeeks

Traditional DH:

one party choose and announce g, p
party A choose secret a and announce public key A = g^a mod p
party B choose secret b and announce public B = g^b mod p
party A compute B^a mod p, party B compute A^b mod p
the number should be the same (note B^a = A^b = g^ab in mod p group) and can be used as session key (or pre-master key)

ECDH:

party A choose secret key d_a, public key H_a on Elliptic-curve with base point G
party B choose secret key d_b, public key H_b on Elliptic-curve with the same base point G
the public keys H_a and H_b are announced
party A compute d_a*H_b, party B compute d_b*H_a,
the number should be the same (note d_a*H_b = d_a*(d_b*G) = d_b*(d_a*G) = d_b*H_a) and can be used as session key (or pre-master key)