02 — Cryptography Fundamentals

Concepts, vocabulary, adversary models, principles, and security definitions. Prerequisite for understanding all the other files in the compendium.


1. Basic vocabulary

Term Definition
Plaintext (P, M) Cleartext message.
Ciphertext (C) Encrypted message.
Key (k) Shared secret (symmetric) or public/private pair (asymmetric).
Encryption (\(E_k\)) Function that transforms P into C using k.
Decryption (\(D_k\)) Inverse function.
Cipher Encryption/decryption algorithm (e.g., AES, ChaCha20).
Mode of operation Way of applying a block cipher to messages larger than one block (e.g., CBC, GCM).
Cryptosystem The set cipher + mode + key management protocol.
Scheme Same as cryptosystem; more common in academic literature.
Primitive Basic building block (AES, SHA-256, RSA).
Construction Combination of primitives to achieve a goal (e.g., HMAC, AES-GCM).
MAC Message Authentication Code — tag that proves authenticity.
AEAD Authenticated Encryption with Associated Data — encryption + MAC + extra data authenticated without being encrypted.
KDF Key Derivation Function — derives keys from secretspasswordskey material.
PRF / PRP Pseudorandom Function / Pseudorandom Permutation.
CSPRNG Cryptographically Secure Pseudorandom Number Generator.
Entropy Measure of unpredictability. In bits: \(H(X) = -sum p_i log_2 p_i\).
Nonce Number used once — need not be secret, must not repeat with the same key.
IV Initialization Vector — similar to a nonce, requirements vary by mode.
Salt Public random value appended so that the same password produces different hashes.
Pepper Fixed secret applied to all hashes in a system; not stored with the hash.
Tag (T) Output of a MAC or AEAD.
Forward secrecy Compromising the current key does not reveal past traffic.
Post-compromise security (PCS) After a state compromise, security recovers with a new key exchange.
Deniability The receiver cannot prove to third parties that a message came from the sender.

2. Kerckhoffs's principles (1883)

Auguste Kerckhoffs, La Cryptographie Militaire (Journal des Sciences Militaires, vol. IX, 1883):

  1. The system must be practically, if not mathematically, indecipherable.
  2. It must not require secrecy; it may fall into enemy hands without inconvenience. ⭐ — the canonical principle.
  3. Its key must be communicable and memorizable without notes, and changeable at will.
  4. It must be applicable to telegraphic correspondence.
  5. It must be portable, and its use must not require more than one person.
  6. The system must be easy to use, with no mental strain or knowledge of a long list of rules.

Bruce Schneier's modern restatement: "Security through obscurity is no security". Shannon's restatement: "The enemy knows the system".


3. Shannon's principles (1949)

Claude Shannon, Communication Theory of Secrecy Systems (Bell System Technical Journal 28, 1949):

Perfect secrecy

A cipher has perfect secrecy if for all P, P', and C:

\[\Pr[E_k(P) = C] = \Pr[E_k(P') = C]\]

The ciphertext gives no information about the plaintext. Shannon's theorem: perfect secrecy requires \(|K| \geq |M|\) — a key at least as long as the message. The One-Time Pad is the only practical realization, with a truly random key, of the same size, used once.

Confusion and diffusion

  • Confusion: the relationship between key and ciphertext must be complex and non-linear. Each ciphertext bit depends on many key bits.
  • Diffusion: the relationship between plaintext and ciphertext must be spread out. One plaintext bit affects many ciphertext bits (avalanche).

Modern block ciphers alternate layers of substitution (S-boxes — confusion) and permutation/mixing (P-boxes or matrix multiplication — diffusion). SPN structure (Substitution-Permutation Network — AES) or Feistel (DES).


4. Adversary models

In increasing order of power:

Acronym Name What the adversary can do
COA Ciphertext-Only Attack Sees only ciphertexts. Weakest model.
KPA Known-Plaintext Attack Sees (P, C) pairs collected passively.
CPA Chosen-Plaintext Attack Can request encryption of plaintexts of its choice.
CCA1 Non-adaptive Chosen-Ciphertext (lunchtime) Can request decryption before seeing the challenge.
CCA2 Adaptive Chosen-Ciphertext Can request decryption at any time, except of the challenge ciphertext.
Authenticated CCA CCA with integrity Modern model: the oracle only responds if the MAC verifies.

Hierarchy: COA ⊂ KPA ⊂ CPA ⊂ CCA1 ⊂ CCA2.

Security definitions IND-* / SUF-* / EUF-*

Acronym Meaning Applicable to
IND-CPA Indistinguishability under CPA Ciphers
IND-CCA2 Indistinguishability under adaptive CCA Ciphers (modern standard)
NM-CCA2 Non-malleability under adaptive CCA Equivalent to IND-CCA2
EUF-CMA Existential Unforgeability under Chosen-Message Attack Signatures and MACs
SUF-CMA Strong Unforgeability (cannot forge a new tag even for an already-signed msg) Modern signatures

IND-CPA game (intuition):

  1. The adversary chooses two messages \(m_0\), \(m_1\) of the same size.
  2. The challenger draws a random \(b \in \{0,1\}\) and sends \(C = E_k(m_b)\).
  3. The adversary tries to guess \(b\).
  4. The cipher is IND-CPA secure if \(\Pr[\text{adv guesses}] - 1/2\) is negligible in \(\lambda\).

5. One-way and trapdoor functions

Type Definition
One-way function (OWF) \(f: X to Y\) easy to compute, hard to invert. It is not known whether they exist; their existence would imply \(P neq NP\).
Trapdoor one-way function An OWF that has an easy inverse given a secret (trapdoor). Basis of RSA, ECC, lattice-based.
PRP Pseudorandom permutation indistinguishable from a random permutation. AES is assumed to be a PRP.
PRF Pseudorandom function. Block cipher = PRP; a PRP is a PRF (with negligible gap by the PRP/PRF switching lemma).
Collision-resistant hash Hard to find \(x neq y\) with \(H(x) = H(y)\).

6. Theoretical models

Random Oracle Model (ROM)

Bellare + Rogaway (CCS '93). We treat a hash as an ideal random function: each new query returns a uniformly random value. ROM proofs give a heuristic guarantee — a scheme secure in the ROM may be secure with a real hash, but it is not guaranteed (Canetti-Goldreich-Halevi 1998 showed artificial counterexamples).

Standard Model

No idealized oracles. Proofs are harder but more convincing. Schemes like RSA-OAEP, Cramer-Shoup, Boneh-Boyen have standard-model versions.

Generic Group Model

The adversary can only use group operations (multiplication, exponentiation) without exploiting the representation. Used to prove lower bounds (Shoup 1997, Maurer 2005).

Universal Composability (UC)

Canetti 2001. A framework for proving compositional security: if F is UC-secure, it is secure within any larger protocol. Ideal for multi-party protocols.


7. Cryptography hierarchy

Symmetric vs asymmetric

Aspect Symmetric Asymmetric
Key Same for encrypt and decrypt Public/private pair
Speed ~1000× faster Slower
Distribution Problematic (needs a secure channel) Solved (publishes the public key)
Practical use Bulk encryption Key exchange + signature
Hybrid TLS does this: asymmetric exchanges a symmetric key, symmetric encrypts data

By purpose

  • Confidentiality: encryption (AES, ChaCha20, RSA-OAEP, ECIES).
  • Integrity: hash, MAC (HMAC, KMAC, Poly1305, CMAC).
  • Authenticity: MAC, digital signature.
  • Non-repudiation: digital signature (not MAC — anyone with the MAC key can forge).
  • Freshness: nonces, timestamps, sequence numbers.
  • Anonymity: ring signatures, group signatures, mix-nets.
  • Computational privacy: FHE, MPC, ZKP.

8. Security levels

Conventionally measured in bits — meaning: the best known attack takes \(2^n\) operations.

Algorithm Security level Notes
3DES (168-bit key) 112 bit Deprecated by NIST after 2023
AES-128 128 bit Standard; strong classical resistance
AES-256 256 bit (classical) / 128 bit (Grover) Post-quantum viable
RSA-2048 ~112 bit Minimum acceptable; 3072+ recommended
RSA-3072 128 bit Equivalent to classical AES-128
RSA-15360 256 bit Impractical in practice; use ECC
ECC P-256 128 bit Current TLS standard
ECC P-384 192 bit CNSA suite
ECC P-521 256 bit
Curve25519 128 bit Bernstein 2006
Curve448 224 bit
Ed25519 128 bit EdDSA
SHA-256 128 bit collision / 256 bit preimage
SHA-512 256 bit collision / 512 bit preimage
SHA-3-256 same as SHA-256

Equivalence rule (classical, NIST SP 800-57):

Symmetric RSA DH ECC
80 1024 1024 160
112 2048 2048 224
128 3072 3072 256
192 7680 7680 384
256 15360 15360 521

9. Randomness generation

Entropy sources

  • Hardware: ring oscillators, thermal noise, shot noise, Intel RDRAND, ARM TRNG.
  • OS pooling: Linux getrandom(2), /dev/urandom, /dev/random; macOS SecRandomCopyBytes; Windows BCryptGenRandom.
  • User input: keyboard and mouse timing — relevant at initial boot and in VMs.

CSPRNGs

  • AES-CTR DRBG (NIST SP 800-90A) — AES output in CTR mode.
  • HMAC-DRBG (NIST SP 800-90A) — popular.
  • Hash-DRBG (NIST SP 800-90A).
  • Fortuna (Schneier, 2003) — used in FreeBSD.
  • ChaCha20-based — Linux since 4.8 (2016).
  • DualECDRBG ❌ — the original NIST SP 800-90A included it. NSA backdoor suspected and later confirmed (Snowden); removed in 2014.

Rules

  • Never use Math.random(), rand(), random(), srand(time()).
  • Always use the OS cryptographic API (getrandom, BCryptGenRandom).
  • Seed carefully after boot — cloned VMs, embedded, and IoT are vulnerable (Mining Your Ps and Qs, Heninger et al. 2012; ROCA).

10. Modern design principles

"Don't roll your own crypto"

Implementing primitives is easy; implementing them securely (no side-channels, no subtle bugs) is extremely hard. Use audited libraries:

  • libsodium (high-level, secure by default).
  • NaCl (predecessor of libsodium, DJB).
  • BoringSSL (Google's fork of OpenSSL).
  • OpenSSL 3.x (with the FIPS provider when required).
  • Tink (Google, high-level).
  • Ring (Rust, fork of BoringSSL).
  • age (file encryption, Filippo Valsorda).

Constant-time

All code that touches a secret must execute in time independent of the secret: no branches on a secret, no table lookups indexed by a secret, no variable-time multiplications on old CPUs. Bernstein is the evangelist. AES-NI helps (dedicated instructions).

Misuse-resistance

APIs should make incorrect use hard:

  • NaCl/libsodium — only crypto_secretbox (authenticated), no raw ECB.
  • AES-GCM-SIV (Gueron-Lindell) — degrades gracefully under nonce reuse.
  • Tink — versioned keysets, built-in rotation.

Defense in depth

Redundant layers. E.g.: TLS + HSTS + HPKP (legacy) / CT (Certificate Transparency); LUKS + dm-verity; signed binaries + boot guard.

Hybrid (classical + PQC)

Combine an established classical algorithm + a new PQC one. An attack must break both. Standard during the transition (X25519MLKEM768 = X25519 ⊕ ML-KEM-768).


11. Proof methods

Method How it works
Reduction proof Shows that breaking the scheme implies breaking a hard problem (factoring, DLP, LWE). The modern standard.
Hybrid argument A sequence of nearly-indistinguishable games; total difference ≤ the sum.
Game-based proof Defines a security game; proves the adversary's advantage is negligible.
Simulation-based proof A simulator produces an indistinguishable distribution without the secret. Used in ZKP, MPC, UC.

12. Who trusts what (chain of trust)

Layer Trusts
Application TLS library
TLS library CA root store
CA Validation procedures + HSM + audit
HSM Hardware vendor + FIPS 140-3 / CC EAL certification
Certification NIST, CSE-CST, BSI, ANSSI
OS RNG Kernel + hardware (IntelAMDARM)
Kernel Boot chain (UEFI Secure Boot → shim → grub → kernel)
UEFI OEM signing keys + Boot Guard fuses
Fuses Chip manufacturer

Each link is a possible point of compromise. Confidential Computing tries to shorten the chain by isolating the workload from the host.


13. Cultural differences: "American" vs "European" cryptography

Tradition Characteristics
NIST/NSA (US) Formal standards (FIPS), open competitions (AES, SHA-3, PQC), DSA, P-256384521 (Brainpool/NIST curves), historical state-actor influence (Dual_EC).
ECRYPT/ENISA (EU) eSTREAM, NESSIE, ENISA recommendations; Brainpool curves; preference for European algorithms (Serpent, Twofish, Camellia in some suites).
GOST (RU) GOST 28147-89 (64-bit block cipher), Kuznyechik (GOST R 34.12-2015), Streebog (hash).
SM (CN) SM2 (Chinese curve), SM3 (hash), SM4 (block cipher). Mandatory in some Chinese government applications.
Bernstein school Curve25519, Ed25519, ChaCha20, Poly1305, SipHash, BLAKE; constant-time design, patent-free, simple to implement.

14. Relevant standards

Body Standard Scope
NIST FIPS 140-3 Requirements for cryptographic modules
NIST FIPS 186-5 Digital signatures (DSA, RSA, ECDSA, EdDSA)
NIST FIPS 197 AES
NIST FIPS 198-1 HMAC
NIST FIPS 202 SHA-3
NIST FIPS 203 ML-KEM
NIST FIPS 204 ML-DSA
NIST FIPS 205 SLH-DSA
NIST SP 800-38A–G Modes (ECB, CBC, CFB, OFB, CTR, CCM, GCM, KW, XTS)
NIST SP 800-56ABC Key establishment
NIST SP 800-90ABC RNG
NIST SP 800-131A Algorithm transitions
NIST SP 800-208 Stateful hash signatures (XMSS, LMS)
IETF RFC 8446 TLS 1.3
IETF RFC 7748 X25519/X448
IETF RFC 8032 EdDSA
IETF RFC 9180 HPKE
IETF RFC 9420 MLS
IETF RFC 7539 → 8439 ChaCha20-Poly1305
IETF RFC 2104 HMAC
IETF RFC 5869 HKDF
IETF RFC 9106 Argon2
ISO/IEC 18033-3 Block ciphers
ISO/IEC 9797-1/2 MACs
ISO/IEC 10118 Hash functions
ISO/IEC 11770 Key management

15. Essential bibliography

  • Katz + Lindell, Introduction to Modern Cryptography, CRC Press, 3rd ed. 2020 — the standard undergraduate/graduate text.
  • Boneh + Shoup, A Graduate Course in Applied Cryptography — free at toc.cryptobook.us.
  • Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography (CRC) — a technical classic, free at cacr.uwaterloo.ca/hac/.
  • Schneier, Applied Cryptography, 1996 (dated but a cultural reference).
  • Aumasson, Serious Cryptography, No Starch Press 2017 — a modern practical reference.
  • Ferguson + Schneier + Kohno, Cryptography Engineering, Wiley 2010.
  • Bernstein, Lange, et al., Post-Quantum Cryptography, Springer 2009 (handbook).
  • Goldreich, Foundations of Cryptography, 2 volumes Cambridge — theoretical, dense.

Online

  • IACR ePrint Archive: eprint.iacr.org
  • Real World Crypto Symposium proceedings
  • CFRG (Crypto Forum Research Group) IETF
  • Cryptography Stack Exchange (community Q&A)
  • David Wong, Real-World Cryptography (Manning 2021)
  • Filippo Valsorda blog filippo.io
  • Trail of Bits blog, NCC Group Cryptography Services