Appearance
The year of Edward Snowden’s leaks about the NSA’s classified activities, a turning point in cryptography. End-to-end encryption suddenly becomes an appealing topic.
The most common RSA public exponent; large enough to not be insecure, small enough to make exponentiation fast, and of a form that optimizes implementations’ speed (65537 = 216 + 1).
One of the three encryption modes in early mobile telephony standards (GSM). A5/0 just means no encryption; therefore, the audio content from a mobile call would be received and transmitted in the clear between a mobile device and the nearest base station. It’s as secure as early TLS versions’ null cipher.
The default GSM cipher in Western countries (prior to 3G and 4G technologies) that encrypts encoded audio mobile communications. A stream cipher based on a curious mechanism involving three linear feedback shift registers irregularly clocked; so the update of a register depends on the values of certain bits in the two other registers. Sophisticated cryptanalytic attacks have broken A5/1. But in practice, the most effective attack is relatively simple: it’s a time-memory trade-off that exploits the short state of A5/1 (64 bits) and involves the precomputation of large rainbow tables. The A5/1 specification was initially confidential and unavailable to the public until it was reverse engineered in the late 1990s.
The export version of A5/1, a euphemism meaning its technical requirements include something like must be easy to break by Western nations’ intelligence agencies. Designed to be insecure, A5/2 didn’t turn out to be outrageously insecure: after being reverse engineered around the same time as A5/1, academic researchers quickly found attacks on A5/2. But these attacks were more efficient on paper than in practice.
At last, a real cipher in mobile phones. An upgrade to the do-it-yourself A5/1 that applies an algorithm already public and vetted, namely the block cipher KASUMI. KASUMI was used in 2G (along with A5/1), in 3G as A5/4 (along with SNOW 3G), and was no longer supported in 4G. A See KASUMI.
A5/3 but with a key of 128 bits instead of 64 bits; A5/4 is secure, whereas A5/3 isn’t.
An attack in which the attacker’s actions depend on what they observe during the attack and the protocol’s execution. For example, in an adaptive chosen-plaintext attack, the attacker sends plaintext messages that depend on the responses to their previous queries. In a nonadaptive attack, the list of plaintexts for which the attacker queries the ciphertexts must be predetermined.
A type of symmetric cipher that encrypts and authenticates data by producing a ciphertext as well as an authentication tag. The decryption step then only succeeds if the tag is valid, which proves that the ciphertext was created by someone who knows the key. To validate the tag, the receiving end generally computes it from the encrypted message and verifies that the computed value is identical to the one received.
The AD in AEAD refers to associated data—also called additional or auxiliary— or data that isn’t encrypted but is covered by the authentication mechanism, because it’s taken as an input when computing the authentication tag. AEAD can be realized in three ways:
With an established cipher and established MAC, such as AES in CBC mode as a cipher and HMAC-SHA-256 as a MAC. This is the traditional approach that is usually the least efficient. It’s also the most error prone because of the different ways to combine a cipher and a MAC (so-called encrypt-and-MAC, encrypt-then-MAC, and MAC-then-encrypt.
With an established cipher and ad hoc MAC or mode, such as AES-GCM and ChaCha20-Poly1305, which are currently the most popular AEADs of this type. For example, TLS 1.3. AES-SIV also belongs in this category, although it’s a bit different (a MAC-and-encrypt rather than encryptthen-MAC construction).
With a custom 2-in-1 construction, such as ACORN and AEGIS, both ciphers selected by the CAESAR competition. In these algorithms, the same internal state and logic encrypts and generates the authentication tag
The ubiquitous block cipher standardized by NIST in 2000. Designed by Belgian cryptographers Joan Daemen and Vincent Rijmen, and winner of the AES competition, its use is universal today under its various modes of operation, such as CBC, GCM, and SIV. A See Rijndael.
AES in counter-with-CBC-MAC mode, which combines the CTR encryption mode with CBC-MAC authentication. AES-CCM is a NIST standard and is supported in TLS 1.3 and several other protocols, including Bluetooth Low Energy. But it’s much less popular than its sibling AESGCM. The reason is that AES-CCM is generally slower and less convenient to use than AES-GCM. A research paper titled “A Critique of CCM” describes the limitations of the CCM mode.
AES-CCM sometimes fits better than AES-GCM in embedded platforms because it only needs an AES algorithm and no additional logic (unlike GCM’s GMAC).
AES in Galois counter mode, the most common authenticated encryption primitive at the time of writing. Also the primitive that ended the reign of HMAC authenticators. In GCM mode, a message is encrypted in CTR mode and the Galois MAC (GMAC, aka GHASH) generates an authentication tag from the ciphertext and associated data blocks. The carry-less multiplication instruction PCLMULQDQ was introduced in Intel CPUs in the 2010s to speed up GMAC computations.
AES-GCM is secure except when called twice with the same nonce on distinct messages, which can leak plaintext data and reveal the authentication key GMAC uses. This unfortunate fragility hasn’t stopped AES-GCM from being used in countless protocols (including TLS, IPSec, and SSH) and from being standardized by IEEE, ISO, and NIST. AES-GCM’s cousin AES-GCMSIV eliminates the nonce-reuse problem but isn’t yet widely supported and is a bit slower
A variant of AES-GCM where the encryption nonce is determined from the tag computed by authenticating the plaintext (and any associated data). AES-GCM-SIV’s MAC, called POLYVAL, is slightly different from GCM’s GMAC: whereas AES-GCM is of the encryptthen-MAC form, AES-GCM-SIV is a MAC-and-encrypt construction. The main benefit of AES-GCM-SIV compared to AES-GCM is that the former remains secure if a same nonce is reused—a property called misuse resistance.
Officially AES New Instructions but often called native instructions, which might be a better term. AES-NIs are CPU instructions that compute AES using hardware logic in the chip’s silicon as opposed to a combination of arithmetic operations using the chip’s ALU. When introduced by Intel in 2008, AES-NIs made AES software about 10 times faster, and as a by-product, immune to cache-timing attacks.
A See SIV-AES.
A chipset designed by Motorola in the late 1990s that includes separate FPGAs for red and black operations. Pompously advertised as one of the most revolutionary advances in cryptography, ever. The NSA uses it to protect classified and sensitive national security information. The offthe-shelf AIM didn’t include classified (Suite A) algorithms, but users could program the FPGAs to support algorithms, such as ACCORDION or BATON.
In 3GPP standards parlance, the authenticated key agreement operation between users of a cellular network and the user’s home network, which might be different from the serving network.
The AKA is very similar in 3G UMTS, 4G LTE, and 5G standards, and unlike many other key agreement protocols doesn’t use public key primitives; instead, it relies on a shared symmetric key and pseudorandom functions (except in 5G where public-key encryption is added). The AKA looks like a straightforward protocol, taking a master key and a sequence number to derive session keys (encryption, authentication, and anonymity keys) while ensuring mutual authentication, or more precisely mutual knowledge of the shared key. But despite its cryptographic boringness, AKA aims to achieve other, nontrivial goals specific to its unique environment. These goals include confidentiality of the user identity (IMSI), unlinkability of the user, authentication of the serving network (by the user and home network), and strong unreliability guarantees and resilience to unsafe pseudorandom generators.
The first deterministic primality test, as opposed to randomized ones. The 2002 research paper presenting the AKS algorithm, “PRIMES is in P,” was the first proof that the problem of primality testing is in the P complexity class, or the class of problems for which a nonrandomized polynomial-time algorithm exists. A See PRIMES.
A form of cryptanalysis where the target problem (typically key recovery, but also forgery, distinguishing, and so on) is modeled as a system of multivariate equations to which a solution is found by generic or ad hoc techniques. Algebraic cryptanalysis has been used to attack symmetric and asymmetric cryptosystems. An example target is stream ciphers based on feedback shift registers with low algebraic degree logic, giving rise to underlying equations exploitable by algebraic attacks. A See Gröbner basis.
Bob’s partner in crime, but who never met Bob in person. According to their official biography in John Gordon’s 1984 speech: “Alice and Bob have tried to defraud insurance companies, they’ve played poker for high stakes by mail, and they’ve exchanged secret messages over tapped telephones. (. . .) Alice and Bob have very powerful enemies. One of their enemies is the Tax Authority. Another is the Secret Police. This is a pity, since their favorite topics of discussion are tax frauds and overthrowing the government.” A See Bob.
A reversible transformation where you need every bit of the output to determine any bit of the input. When an encryption scheme is an AONT, the decryption key is useless to determine the plaintext if you miss some bits of the ciphertext (unless the missing bits are so few that they can be brute-forced). The OAEP construction used for RSA encryption is an example of AONT. CBC or GCM encryption modes aren’t AONTs.
A signature that doesn’t reveal the identity (public key) of the signer and therefore needs some interaction with the signer to verify it. It implies invisibility. See Invisible signature.
The 1996 book by Bruce Schneier that has been the main reference in the field for many years; it introduced many students and engineers to cryptography. Famous for its opening paragraph: “There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.” Inevitably outdated 25 years after its publication, Applied Cryptography is still worth keeping on your shelf as long as you don’t blindly follow all of its recommendations. It’s also much less outdated than Schneier’s two prior books, E‑Mail Security and Protect Your Macintosh.
The part of cryptography that emphasizes direct applications. In contrast, theoretical cryptography is less about engineering and more about fundamental understanding and analysis. The term applied is deceiving; both applied and theoretical cryptography can (and ought to?) be equally relevant to real applications.
The original name of the RC4 stream cipher; also written as ARCFOUR. Before the reverse engineered RC4 was confirmed to be the actual RC4, it was prudently referred to as alleged RC4, which was shortened to ARC4.
A password hashing function developed during the Password Hashing Competition. Also, a de facto standard for processing passwords or any low-entropy secret to derive cryptographic keys or store a verifier in a way that prevents efficient cracking using GPUs, FPGAs, dedicated hardware, precomputed tables, or side-channel attacks.
Unlike PBKDF2, Argon2 can enforce the use of a certain amount of memory in addition to a configurable number of iterations. Unlike bcrypt, this amount of memory can be an arbitrary value rather than fixed. Unlike scrypt and the two others, Argon2 offers a user-friendly interface to easily pick time and memory parameters. It’s also a simple design that only uses the hash function BLAKE2 internally rather than a combination of all the cryptography ever designed. See bcrypt, scrypt, PBKDF2 (Password-Based Key Derivation Function 2).
An abbreviation that denotes cryptographic algorithms only doing integer additions, word bit shifts or rotations, and XORs (as opposed to, for example, algorithms using S-boxes). It was coined by cryptography and security researcher Ralf-Philipp Weinmann in 2009.
Asia’s top academic cryptography conference, held every autumn in a different location in the Asia-Pacific region since 1990. The only IACR conference that includes IACR as a substring of its name. Researchers present peer-reviewed research papers with titles such as “StructurePreserving and Re-Randomizable RCCA-Secure Public Key Encryption and Its Applications” and “Cryptanalysis of GSM Encryption in 2G/3G Networks Without Rainbow Tables.” See CHES, CRYPTO, Eurocrypt, FSE, PKC, Real World Crypto, TCC.
A See Public-key cryptography.
In the context of cryptanalysis, the demonstration of a technique, described as an algorithm, that violates a security claim made by the designers of the primitive or protocol attacked.
If Alice designs a cipher, she could claim that nobody can 1) recover the secret key with certainty if 2) they’re given a list of one billion pairs of plaintext or ciphertext. Here, point 1 is the security goal and point 2 is the attacker model. So if you determine how to recover the key with certainty with one million plaintext or ciphertext pairs, it qualifies as an attack. If you need 10 billion pairs, it doesn’t qualify as an attack. If the chance to recover the key is only 1/10, it doesn’t qualify either. The existence of an attack doesn’t necessarily imply that the attacked primitive isn’t safe to use. For example, if an attack works in 2^200 operations and the security claim was 2^256, you don’t have to worry because in reality 2^200 is as practically impossible as 2^256. Researchers often present attacks in the form of a research paper. When the attack is feasible, an actual implementation might be provided as evidence that it works
A generalization of identity-based encryption from one attribute (the identity) to more than one. It allows you to encrypt a message not to a given recipient, but to a set of attributes in such a way that only parties satisfying a valid combination of attributes can decrypt the message. ABE sounds powerful but hasn’t found many real applications. Allegedly, the reason is due to its relatively complex construction (using elliptic-curve pairings) and the need for a trusted third party (holding the master key needed to generate private keys). See Identity-based encryption.
ABE is sometimes pitched as suitable for fine-grained access control. For example, you can imagine an organization deploying ABE to encrypt sensitive documents by using attributes such as department, clearance level, and project to cryptographically enforce multilevel security and role-based access. For instance, a document might be encrypted by using a public key with the attributes {department=ENGINEERING, clearance=SECRET, project=LABRADOR}. ABE could then guarantee that if you satisfy only two of these attributes (say, your department is ENGINEERING and your clearance is SECRET but you work on the project HUSKY), you won’t be able to decrypt the document. More interestingly, ABE guarantees that you won’t be able to decrypt the document by colluding with someone on the project LABRADOR in the ENGINEERING department if they only have CONFIDENTIAL clearance.
See AEAD.
The original name of the Signal application’s end-to-end messaging protocol. See Signal protocol.
A covert feature to bypass an algorithm or protocol’s security. Trapdoors are known by users to exist; backdoors usually are not. A backdoor was once defined as a feature or defect that allows surreptitious access to data. A good backdoor must be undetectable, NOBUS (no-one-but-us, or exclusively exploitable by its architects), reusable, unmodifiable, and deniable. For these reasons, backdoors in cryptographic algorithms are difficult to design and are more easily added in implementations, especially when the internal logic isn’t open and hard to deobfuscate. The NSA backdoor in Dual_EC_DRBG is a notable exception. Unfortunately, the most interesting research about backdoors isn’t presented at IACR conferences.
Term notably used by NIST to refer to a notion similar to forward secrecy. The opposite of prediction resistance. A See Forward secrecy.
The opposite of forward secrecy: backward secrecy is the property that if an attacker compromises some secret values, future messages remain protected. If an entire system’s state is compromised— including long-term and short-term keys as well as any secret state or counter—backward secrecy is often impossible. An exception is pseudorandom generators, where uncertainty can be brought into the system via reseeding from reliable entropy sources, preventing an attacker from determining future output bits from a past snapshot of the system. In the context of secure messaging, some models assume that an attacker would compromise only certain sets of keys, but not necessarily the entire local secret state: in this case, some form of backward secrecy might be guaranteed. Forward secrecy
Often defined in an ad hoc manner, the concept of backward secrecy also appeared under the terms post-compromise security (in the context of secure messaging), break-in recovery (Signal protocol), future secrecy (Signal protocol), healing (ZRTP), and prediction resistance (NIST).
Not encryption.
A cipher initially designed by Phil Zimmermann, the creator of PGP, to encrypt data in PGP. It was found to be insecure and replaced by IDEA in 1991. As Zimmermann commented in the source code, “BassOmatic gets its name from an old Dan Aykroyd Saturday Night Live skit involving a blender and a whole fish. The BassOmatic algorithm does to data what the original BassOmatic did to the fish.”
The first quantum key distribution (QKD) construction. It was described by Bennett and Brassard in 1984 and was based on ideas from the concept of quantum money, introduced a year earlier.
A hash algorithm: it doesn’t encrypt. Defined to address the obsolescence of the 1976 crypt utility in the 1999 paper “A Future-Adaptable Password Scheme.” In this paper, the authors made the following prediction: “Failing a major breakthrough in complexity theory, these algorithms should allow password-based systems to adapt to hardware improvements and remain secure 20 years into the future.” You can argue that this prophecy was accurate, because you can tune bcrypt to be slow enough to defeat password cracking. On the other hand, bcrypt’s 4KB memory usage is now too low to prevent efficient cracking.
An attack against cryptographic algorithms that works by searching for bicliques. In graph theory, a clique is a subset of nodes that are all connected to each other. A biclique is composed of two subsets of nodes; each node from the first subset is connected to all nodes from the second. This concept was applied to refine differential attacks on AES and lead to attacks that, in theory, perform fewer operations than a bruteforce search (2126 instead of 2127). The bicliques used in this context are composed of a first set of bits from the internal state, a second set of bits from the ciphertext, and dependencies between these two sets conditioned by key bits. The idea of the attack is then to identify certain bits of the key as those for which the biclique conditions are satisfied (in terms of XOR differences).
Sounds like SIKE: also a KEM; also post-quantum, but based on a decoding problem rather than an isogeny problem. See SIKE (Supersingular Isogeny Key Encapsulation).
A misleading name, because the most famous BIPs are no longer just proposals but de facto standards that apply to more cryptocurrencies than just Bitcoin. These BIPs include:
BIP 32, which defines a tree-based mechanism to derive key pairs and addresses from a secret seed to create wallets of multiple accounts from a single secret value.
BIP 44, which assigns semantics to BIP 32 tree levels and defines a syntax for paths within this tree (consisting of purpose, coin type, account, address type, and address index).
BIP 39, which defines a representation of a secret value as a highentropy list of dictionary words, or mnemonic, which is then hashed to a seed that will be the root of a BIP 32 hierarchy of accounts.
The closest predecessor of Bitcoin.
An experiment that went out of control, for better or for worse.
NSA jargon referring to encrypted values. A black key is an encrypted key that uses, for example, a key wrapping mechanism so that it can be safely distributed on lower-security-level systems or networks. In the context of data-at-rest protection, black data is classified data that has been encrypted twice using appropriate encryption layers. A See EKMS (Electronic Key Management System).
A hash function submitted to the SHA-3 competition in 2008. It was one of five finalists but wasn’t selected (the winner was Keccak). BLAKE reuses the permutation of the ChaCha stream cipher with rotations done in the opposite directions. Some have suspected an advanced optimization, but in fact it originates from a typo in the original BLAKE specifications.
An evolution of BLAKE proposed shortly after the end of the SHA-3 competition in 2012. It was adopted in many software applications because it’s faster than SHA-2 and SHA-3. Several cryptocurrencies’ proof-of-work systems use BLAKE2.
A hash function that combines a reduced-round BLAKE2 and a Merkle tree construction, making it significantly faster than BLAKE2. BLAKE3 was announced at the Real World Crypto 2020 conference.
The epitome of a padding oracle attack. Discovered in 1998 by Daniel Bleichenbacher, this is an adaptive chosen-ciphertext attack against the PKCS#1 v1.5 RSA encryption method. Ironically, Bleichenbacher’s attack exploits safeguards against other attacks (the mandatory padding bytes) to craft another attack, which after a few million chosen-ciphertext queries allows an attacker to recover a ciphertext’s plaintext.
Typically, when a software security bug and exploit is found and disclosed, a CVE might be issued, the bug is patched, a new version of the software application is released, and users sooner or later update to the new, corrected version. Of course, not all users will or can update immediately after the new release, but most of the time they eventually do. Bleichenbacher’s attack is different because software can’t be patched to prevent it. The only effective mitigation is usually to use a different type of RSA encryption, namely PKCS#1 v2.1, aka OAEP, the evolution of the PKCS#1 standards series. This is why, although Bleichenbacher published his attack in 1998, it was still exploited 20 years later on vulnerable devices as well as in the DROWN attack on legacy TLS versions.
A signature scheme where the signer (knowing the private key) creates a signature without knowing the number signed in a way that randomizes the value that the private key operation is applied to. This is clearer in the straightforward RSA blind signature construction: d instead of using md mod N, the signer computes s 0 = m 0 where m 0 = (m · r e ) mod N where r is some random value. You can then get the real signature of m by dividing s 0 by r. Details are left as an exercise for you to complete. This construction might look familiar because it’s the same trick the blinding defense uses against side-channel attacks to prevent attackers from controlling the data the private-key operation processes.
A cipher that transforms a block of data to another block of the same length with a key as a parameter. It must be possible to decrypt the block. So the block cipher operation must be bijective (that is, one-to- one and reversible). That’s why block ciphers are also keyed permutations or pseudorandom permutations. To encrypt more than a single block, which is usually a 64-bit or 128-bit chunk, you need to use a mode of operation (using the ECB mode is usually a bad idea, CBC is better, and CTR or SIV might be even better).
Both a curse and a blessing to cryptography. Comparable to when a sub- culture goes mainstream and its pioneers miss the old days, and sadly and bitterly contemplate the newly acquired wealth of those who might not deserve it the most.
If blockchain revolutionized anything, it’s probably the practice, funding, and deployment of cryptography. Thanks to blockchains, we acquired:
A wealth of new, interesting, nontrivial problems to solve—problems more exciting than designing an nth block cipher. For example, these problems relate to consensus protocols scalability, proof-of-stake security, transactions anonymity (via zk-SNARKS or bulletproofs), cross-blockchain operations, and so on.
Innovative solutions being created not to be published at peer-reviewed conference and be later forgotten, but actually technologies being deployed at scale, challenged by real threats and engineering constraints rather than only abstract models.
Large funding available with minimal bureaucracy and formalism, bypass- ing the traditional grant application systems and its flaws (slowness, mis- placed incentives, and work overhead for researchers).
Passionate people, some without much formal education let alone a PhD, learning advanced cryptography concepts and creating new solutions to new problems, and implementing them without caring about academic rewards.
An alternative spelling of block cipher, introduced in research papers by Phillip Rogaway.
One of the most popular block ciphers in the 1990s. It owes its recogni- tion to its memorable name and to its designer Bruce Schneier.
The Blowfish cipher once made it into episodes of the television series 24. Here’s an excerpt from the show’s script: Mr. O’Brian, a short time ago one of our agents was in touch with Jack Bauer. She sent a name and address that we assume is his next destination. Unfortunately, it’s encrypted with Blowfish 148 and no one here knows how to crack that. Therefore, we need your help, please. (. . .) Show me the file.
Where’s your information? 16- or 32-bit word length? 32. Native or modified data points? Native. The designer of this algorithm built a backdoor into his code. Decryption’s a piece of cake if you know the override codes. Of course this dialogue makes little sense, and there’s no backdoor in Blowfish. Blowfish is actually a secure block cipher, despite the limitation of its 64-bit blocks, and is the core algorithm in the bcrypt password hashing scheme.
A signature scheme that leverages elliptic-curve pairings, allowing sig- natures to be shorter than ECDSA and Schnorr signatures. The reason is that each signature consists of a single group element. That is, for a similar security level as a 512-bit ECDSA signature, a BLS signature would be only 256 bits long. BLS signatures have the useful property of supporting aggregation, whereby multiple public keys and signatures can be combined into a single public key and a single signature, and batch verification can be done efficiently.
Combined with distributed key generation, you can use BLS signatures to build threshold signature schemes, which proved useful in cryptocurrency applications to distribute transaction signatures.
Subversive stockbroker and Alice’s co-conspirator. See Alice.
A function whose arguments are binary values (that is, either 0 or 1), and that returns a single 0 or 1 bit. For example, f(a, b, c) = a + b + ac + bc
Boolean functions look dumb until you notice that you could describe any operation—for instance, a hash function—in terms of only Boolean functions. For example, each bit in the output of a hash function is a Boolean function of the input bits. Such functions only exist in the mathematical ether; they’re not explicit most of the time. It’s practically impossible to compute their polyno- mial form, let alone to implement and calculate them. Nonetheless, there are countless research papers about Boolean func- tions and their security properties: the reason is that when you break a cryptographic hash or block cipher into pieces (meaning rounds and their sub- components), you’ll encounter Boolean functions of a more manageable size— for example, the Boolean functions associated with S-boxes mapping 4-bit blocks to 4-bit blocks. Understanding Boolean functions and their properties, such as nonlinearity and algebraic immunity, has proved critical for designing secure ciphers and breaking weak ones.
A differential cryptanalysis technique in which you first throw a pair of plaintexts with a given difference into the cipher. You then obtain two ciphertexts and set another difference in these two ciphertexts to obtain two new ciphertexts. Finally, you catch the plaintexts obtained by decrypting them. The boomerang attack is essentially a trick to exploit differential characteristics that only cover part of the cipher. BQP (bounded-error quantum polynomial time) The class of problems that quantum algorithms, and therefore a hypo- thetical quantum computer, can efficiently solve. BQP contains prob- lems that classical computers can solve efficiently but also problems that today’s computers cannot. The latter are problems for which a superpolynomial quantum speedup exists.
The most remarkable of the BQP problems, as far as cryptography is con- cerned, is called the hidden subgroup problem (HSP). In particular, cryptogra- phers care about its version for commutative (or Abelian) finite groups. We could solve the following problems if HSP for Abelian groups is easy:
Find p and q given N = pq
Find e given x, p, and x e mod p
You recognized these problems—factoring and discrete logarithm—whose hardness is necessary to the security of RSA and elliptic-curve cryptography.
An attempt to build a new type of public-key cryptography using non- commutative groups of elements. Such elements can be viewed as braids with a fixed number of strands, and group operations are com- putationally efficient. As a side benefit, braid group cryptosystems were expected to be resistant to quantum algorithms. But none of the pro- posed key agreement schemes proved very cryptographically valuable due to their insufficient security.
Elliptic curves designed by the German Federal information security authority (Bundesamt für Sicherheit in der Informationstechnik, or BSI). Brainpool curves have some suboptimal security properties, but unlike other standards, they provide a 512-bit curve (rather than a 521-bit one).
A notion similar to backward secrecy and indistinguishable from future secrecy. The term was coined in the context of the Signal protocol. See Backward secrecy.
A type of encryption where the same ciphertext is broadcast to a set of receivers so only authorized ones can decrypt it, and receivers can be revoked to no longer decrypt it. Challenges of broadcast encryption are to be secure against collusion of receivers and to minimize ciphertext and keys’ lengths.
Although broadcast encryption was motivated by pay-TV content protection, it was never deployed: the reasons are mainly due to the prohibitive length of ciphertexts or keys and general unsuitability to receivers’ security model, where broadcast encryption only addresses a small part of the problems related to piracy. But broadcast encryption has been used in the AACS content protection scheme used for Blu-ray discs. However, it turned out to be of limited effectiveness against piracy, because the content decryption key (which was protected by broadcast encryption) could be extracted from software players.
A type of attack that attempts to recover a secret by consecutively try- ing all the possible values of that secret. You can start a brute-force attack against most ciphers. But as long as the secret is long enough, the attack will never terminate (unless you’re impossibly lucky), because there are too many values to try.
A zero-knowledge proof proposed as an efficient range proof for cryp- tocurrencies. The major advantage of bulletproofs is that they don’t require a trusted setup. Specifically, they don’t need an initialization of the parameters, or rules of the game, which must be trusted for the pro- tocol to be secure. Bulletproofs are notably used in Monero. See Range proof.
An umbrella term for a class of consensus protocols that don’t directly rely on mining and proof-of-something. pBFT (and variants thereof) and Tendermint are such protocols; they work by having a fixed number of hosts working together to reliably maintain a common state while dis- tributing trust across hosts.
The Competition for Authenticated Encryption: Security, Applicability, and Robustness, a non-NIST cryptographic competition that took place from 2014 to 2019. Partially funded by but not supervised by NIST, CAESAR identified new authenticated ciphers for several use cases, including lightweight applications (resource constrained environments), high-performance applications, and defense in depth.
Of the three use cases defined in the CAESAR competition, defense in depth is probably the least obvious to readers. It was also the most interesting in terms of cryptographic engineering, because it was defined as addressing the follow- ing needs:
Authenticity despite nonce repetition
Limited privacy damage from nonce repetition
Authenticity despite release of unverified plaintexts
Limited privacy damage from release of unverified plaintexts
Robustness in more scenarios, such as huge amounts of data
An ancient cipher that encrypts a message by shifting each of its letters by three positions, so ABC becomes EFG, CAESAR becomes FDHVDU, and so on. Needless to say, Caesar’s cipher isn’t very secure. CAVP (Cryptographic Algorithm Validation Program) NIST’s process to assess that an algorithm’s implementation conforms to the standard specification of that algorithm. Prerequisite of a crypto- graphic module’s validation through CMVP in the context of FIPS 140-2 certification. CAVP is essentially about checking test vectors, whereas CMVP covers the other FIPS 140-2 evaluation criteria. See CMVP (Cryptographic Module Validation Program)
A mode of operation for block ciphers that has nothing to do with block- chains. CBC encrypts a series of blocks P i to ciphertext blocks C i by com- puting C i = Enc(K, P i ⊕ C i–1 ), for i = 1, . . . , n. The initial value of (IV) is C 0 , which should be unpredictable to guarantee semantic security. CBC has the useful property that decryption is parallelizable (whereas encryption isn’t). Unfortunately, CBC is vulnerable to padding oracle attacks.
A hybrid key agreement scheme including an elliptic-curve and a post- quantum scheme. CECPQ was developed by Google as a way to hedge TLS connections against the risks of quantum computing. The first version, CECPQ1, combined X25519 with the lattice-based scheme NewHope, and was deployed in 2016 for a few months in the Chrome Canary browser. Announced in 2019, CECPQ2 replaces NewHope with the NTRU-based scheme HRSS, and the variant CECPQ2b uses the isogeny-based scheme SIKE.
Useless in cryptography. It’s a source of many bad papers.
A procedure during which important keys, secrets, or sensitive parame- ters are generated. A ceremony includes procedural and technical secu- rity controls to provide assurance about the keys’ secure generation and backup—and thus about the software, hardware, processes, and people involved. It’s more than picking an acceptable PRNG, which is actually the easiest part. For example, a ceremony involves participants with well-defined roles (such as auditors and operators), a predefined sequence of operations (known as a script or storybook), and the writing of detailed minutes.
Ceremonies are typically held to generate root keys of certificate authorities or master keys (seeds) of blockchain wallets in financial institutions. They are then called key ceremonies. Ceremonies can also be called trusted setups when they aim to generate parameters of a zero- knowledge proof system.
The source of many troubles, including encoding formats, parsing bugs, unrenewed expired certificates, broken chains, untrusted authorities, self signatures, revocation lists, and so on. But often it’s the least-bad solution we have.
A trusted third party in public-key infrastructures, or the type of com- ponent that cryptographers try to avoid but inevitably must live with. A CA is the entity you must ultimately trust when verifying the validity of a certificate, because the CA can issue certificates as well as intermediate signing certificates. If the CA is compromised, it might grant certificates to malicious entities to perform phishing or man-in- the-middle attacks. Even some blockchain platforms that claim to be fully decentralized and distributed ultimately rely on a CA.
A Google initiative that reduces the risk from rogue or compromised CAs by creating a public log of certificates being issued. Certificate transpar- ency makes it easier for the domain owner to know whether certificates have been issued for their domain. CT is a kind of public ledger, but it’s not a blockchain and has been criticized by blockchain advocates.
ChaCha20 A variant of the Salsa20 stream cipher that is currently one of the most used stream ciphers in the world. This is because it’s supported in recent TLS and SSH versions and is the default cipher in many protocols, such as WireGuard.
ChaCha20 was first proposed on the eSTREAM project’s discussion forum in a post that began like this: I have an idea for improving Salsa20. Obviously, the result isn’t an eSTREAM candidate, but I’m curious what people think. The short post, which didn’t attract much interest, described ChaCha20 as potentially having better diffusion and performance. ChaCha20 did turn out to be slightly faster than Salsa20, thanks to a better use of vectorized SIMD instructions and to better withstand cryptanalysis than its parent algorithm.
The most real-world conference of all IACR conferences before Real World Crypto existed. It’s held every year in a different location. Researchers pres- ent peer-reviewed research papers with titles such as “Electromagnetic Information Extortion from Electronic Devices Using Interceptor, Its Countermeasure” and “Make Some Noise. Unleashing the Power of Convolutional Neural Networks for Profiled Side-Channel Analysis.” See Asiacrypt, CRYPTO, Eurocrypt, FSE, PKC, Real World Crypto, TCC.
The three cardinal principles of information security: confidentiality, integrity, and availability. The cryptographer’s version of the principles replaces availability with authenticity.
A technique to encrypt with a block cipher in CBC mode such that the ciphertext is of the same bit length as the plaintext. Instead of pad- ding the last plaintext block with fixed values, as in PKCS#7 padding, it appends ciphertext bytes from the previous blocks to obtain a full block. It also strips off said bytes of the previous encrypted block to retain the original message size. This trick only works if the message is longer than one block. Standardized by NIST in three different ver- sions (CS1, CS2, and CS3), ciphertext stealing is rarely used in practice, because most of the time a small overhead is acceptable.
A simple solution proposed for a complex problem: the Clipper chip aimed to enable encrypted communications for US citizens and busi- nesses while allowing full interception by authorized parties (namely, government and law enforcement). Proposed in the early 1990s by the NSA, the Clipper chip was part of a key escrow architecture where each chip’s secret keys would also be shared with US Federal agencies. This has been called a backdoor, but strictly speaking isn’t really one because the door’s existence wasn’t a secret. In addition to its questionable security architecture, the Clipper chip suffered from a poor technical execution and included a number of security flaws, which helped its opponents halt the project.
NIST’s process for validating cryptographic modules submitted to the FIPS 140-2 certification. To be evaluated within CMVP, a cryptographic component must implement at least one NIST-standard algorithm. See CAVP (Cryptographic Algorithm Validation Program)
Post-quantum schemes relying on hardness of decoding a linear code with insufficient information. Many code-based schemes are variants of the 1978 McEliece construction, whose public key describes a random linear code. The encryption process consists of encoding a message while adding some errors to the codeword. Decryption is possible due to a trapdoor that converts the codeword into another code for which decoding is doable. The submission Classic McEliece to NIST’s post-quantum competi- tion in 2017 is almost identical to McEliece’s 1978 scheme.
Also known as bit commitment, a protocol in which a prover temporar- ily hides a message that cannot be changed. The prover does this by publishing some value that doesn’t reveal the value committed (a fea- ture called the hiding property) and must also prevent the prover from revealing a different value than the one committed (called the binding property). The term bit commitment initially referred to coin-flipping protocols in which you commit only one bit. But it’s now used for values of any size. The hash values that security people mysteriously post on Twitter so they can claim prior discovery of some 0-day vulnerability are basic commitments.
Zero-knowledge proofs secure in concurrent settings, that is, when the attacker can observe and disrupt multiple independent executions of the proof protocol.
An old concept from the field of distributed computing that became cool again due to its role in blockchain systems.
A secret key used to encrypt audio and video content in pay-TV sys- tems. This key is 48 bits long in legacy systems, 64 bits long in less old ones, and 128 bits long in the latest generation. Although 48 bits might seem ridiculously short, when the key is changed every 5 or 10 seconds, it can be long enough.
An academic proof of concept of an FPGA-based DES cracker. Created in approximately 2007, COPACOBANA is capable of breaking a 56-bit DES key within a week in a cost-effective way.
A framework for creating decentralized protocols where an operation involves multiple parties so none has greater authority than the others. You can use cothorities to perform operations, such as threshold signa- ture, consensus, or distributed public randomness generation. Although it sounds very blockchain-y, few blockchains have used cothorities.
The practice of analyzing cryptographic algorithms to break them—that is, violate their security assumptions—or to understand why they can- not be broken.
Animals like bigfoots, unicorns, the Kraken, or the Mongolian death worm. As rare as good cryptography software.
Shorthand for cryptography and sometimes for cryptocurrency. Use in the latter sense tends to irritate orthodox cryptographers who rally under the banner “crypto is for cryptography.”
The top academic cryptography conference held every summer since 1981 in Santa Barbara, California. Researchers present peer- reviewed papers with titles such as “iO Without Multilinear Maps: New Paradigms via Low-Degree Weak Pseudorandom Generators and Security Amplification” and “Seedless Fruit Is the Sweetest: Random Number Generation, Revisited.” See Asiacrypt, CHES, Eurocrypt, FSE, PKC, Real World Crypto, TCC.
The “Swiss” company known for literally being owned by the CIA and German intelligence between 1970 and 1994. It allowed the agencies to read the secret communications of several world governments.
Governments from Middle Eastern, African, and South American countries would buy encryption equipment from the neutral, supposedly trustworthy Swiss firm, worried that American vendors would spy on them. Unbeknownst to the governments, backdoors in the equipment allowed US intelligence to read all their communications. The NSA deputy director of operations once described the benefits of the operation as follows, allegedly in the late 1980s: The mere idea that we might lose any portion of the technical gain and, more importantly, the intelligence made possible by MINERVA is unthinkable . . . (MINERVA was the codename for Crypto AG.) Few technical details about the actual backdoors and their exploitation are publicly known. But we do know that, starting in the mid-1960s, Crypto AG’s encryption algorithms began relying on feedback shift registers (FSRs).
Interestingly, the NSA used a backdoor technique that consists of choos- ing parameters in such a way that the output of the stream cipher created from the FSRs is partially predictable because of the existence of short cycles of pat- terns. In the context of linear FSRs, you can easily achieve this by picking char- acteristic polynomials with certain properties. The story of Crypto AG is fascinating, from its foundation in 1952 by Swedish inventor Boris Hagelin to its early ties with the US government and its more recent personalizable encryption machines in the 2000s.
The lifetime of a key in some key management systems, such as the NSA’s EKMS. In pay-TV systems, the crypto period is the time during which the same control word (that is, the secret key) is used to encrypt audio and video content. Typical crypto periods are 5 and 10 seconds. These periods might seem short, but they’re not short enough to pre- vent some control-word sharing attacks, whereby the key from one legitimate subscriber is distributed to a large number of pirate boxes.
The original name for cryptographic keys in the NSA. It was in use until the director of the NSA decided the agency should use the word key instead.
A bellicose term referring to the open disagreements and debates between the US government (and governments of some other Western countries) on the one hand and activists, including researchers and privacy advocates, on the other. The governments wanted more con- trol and surveillance capabilities, typically via proprietary algorithms, export control regulations, key escrow mechanisms, and so on; the lat- ter parties pleading in favor of the right to develop and use any crypto- graphic mechanism as a way to support privacy rights.
Nothing to do with cryptography but fascinating nonetheless: a near- death state that certain living organisms can enter in response to adverse conditions. When danger subsides, the organisms can return to their original metabolic state. The tardigrade, sometimes used as an allegory for strong cryptography, can enter into cryptobiosis.
See Crypto.
The monthly cryptography digest by Bruce Schneier published since 1998.
See Cryptology.
Probably the oldest scholarly journal about cryptography; published since 1977.
See Cryptography.
A 1,000-page novel that references cryptography on about every other page. It was written by Neal Stephenson and was published in 1999. It’s not very Lovecraftian, despite what its title might suggest. Unlike other books in which the crypto is mostly made up and laughably unrealistic, Cryptonomicon relies on historical facts and genuine cryptographic techniques. Readers might remember the cipher Solitaire (which Bruce Schneier created for the book) and the van Eck phreaking technique. See Solitaire.
The Cryptonomicon is also a fictional book in the real book: They know enough, in other words, to understand that the Cryptonomicon is terribly important, and they have the wit to take the measures neces- sary to keep it safe. Some of them actually consult it from time to time, and use its wisdom to break Nipponese messages, or even solve whole cryptosystems. (. . .) the Cryptonomicon states that zeta functions are even today being used in cryptography, as sequence generators.
A condition better kept confidential.
Popularized by the 2004 book Malicious Cryptography: Exposing Cryptovirology. The book describes cryptovirology as “the dark side of cryptography—that device developed to defeat Trojan horses, viruses, password theft, and other cyber-crime (. . .) the art of turning the very methods designed to protect your data into a means of subverting it.” See Kleptography.
The Japanese government’s Cryptography Research and Evaluation Commit tees in charge of establishing official cryptography recommendations.
As of 2020, CRYPTREC’s top tier is its e-Government Recommended Ciphers list, which includes the usual public-key schemes, AES and its usual modes, and the SHA-2 hash functions. In addition to AES, it recommends the block cipher Camellia, as well as the stream cipher KCipher-2. The middle tier, or the Candidate Recommended Ciphers list, notably includes the five block ciphers CIPHERUNICORN, CLEFIA, Hierocrypt, MISTY1, and SC2000. It also includes the SHA-3 hash functions and XOFs, as well as the ChaCha20-Poly1305 authenticated cipher. The lower tier, the Monitored Ciphers List, is a polite way of referring to algorithms you should avoid and includes the usual suspects: SHA-1 and 3DES (but not MD5), as well as RIPEMD160.
Pronounced seaside, the oldest isogeny-based scheme, revisited for efficiency. Also the only post-quantum scheme to have attracted some interest despite a well-known subexponential quantum attack. The proposed parameters “provide relatively little quantum security,” in the words of its cryptanalysts; however, its defenders point to its unique applications in the post-quantum arena, such as static key exchange. It’s not the same as SIDH. See Diffie–Hellman, Post-quantum cryptography.
A popular competition in the information security community. In the last 15 years, the crypto challenges presented in CTFs have evolved from Vigenère ciphers and visual puzzles to tasks involving state- of-the-art research. For example, participants in the 2020 edition of PlaidCTF had to break an isogeny-based cryptosystem (SIDH) and solve a multivariate system of equations.
A type of higher-order differential cryptanalysis technique, described in 2008 to attack lightweight stream ciphers. The cube refers to the com- bination of bits over which to compute the higher-order differential, extending the notion of a 3D cube to arbitrary dimensions.
In any cryptographic function, each output bit can be expressed as the result of evaluating a polynomial whose input terms are the input bits. If the function is cryptographically strong—and indistinguishable from a random function—this polynomial has exponentially more terms than the number of input bits and so is practically impossible to determine. But if the function is cryptographically weak, that polynomial might be much simpler, with few terms, and only terms of low algebraic degree (that is, a sum of values that are either input bits or products of two or three input bits). In this case, attackers could use a variant of differential cryptanalysis to determine these terms. Eventually, the attacker could solve the equations to determine the value of secret key bits. This is what cube attacks do. They were first applied to stream ciphers, which often rely on operations with low algebraic complexity, and thus might lead to cryptographic transforms of low algebraic degree.
A reliable alternative to standardized elliptic curves, albeit some- what clumsily named: 25519 doesn’t refer to the number 25519, but to 2 255 − 19, the number of elements in the finite field that Curve25519 is defined over. As a result, there are three types of cryptographers: the twenty-five five nineteen ones, the two five five nineteen ones, and the two five five one nine ones. Fortunately, the curve’s technical design is much better than its name thanks to its parameters optimized for speed and safe implementation, as well as its absence of unexplained constants, unlike in NIST curves. You can use Curve25519 for Diffie–Hellman key agreement, signa- ture, or encryption (via ECIES). See Ed25519, X25519.
A lesser-known little sibling of Curve25519. It provides 224-bit security instead of 128-bit security due to its use of a finite field with 2 448 − 2 224 − 1 elements. Its signature and Diffie–Hellman primitives, Ed448 and X448, are supported in TLS 1.3. See Curve25519.
Alternative spelling of cipher used in pop culture. Its use is considered heresy in academic literature.
A misspelling of the last name of Joan Daemen, who co-designed AES and SHA-3.
The most common technique to create a compression function from a block cipher (or keyed permutation). It’s used, for example, in MD5, SHA-1, and SHA-2. Instead of using the block cipher to encrypt as Enc(K, M), you use it to compress a message block M and a hash value H to obtain the new hash value Enc(M, H) ⊕ H, where M acts as the cipher’s key. Alone, a compression function is a bit useless, but it’s easy to turn it into a proper hash function, using, for example, the Merkle– Damgård construction. In practice, there’s no legitimate reason to build your own hash from a block cipher (as an exercise, figure out why it’s a bad idea to do so with AES in Davies–Meyer mode); yet the possible use of block ciphers to construct hash functions motivated cryptanalysts to investigate known-key and chosen-key attacks.
A combination of trusted execution and private blockchain token transfer.
French for to decrypt when you have the key.
French for to decrypt when you don’t have the key and thus must use cryptanalysis.
Randomized public-key encryption where the encrypting party, if coerced to reveal the plaintext and randomness used, can choose dif- ferent valid combinations of plaintext and randomness, thus preventing self-incrimination. Deniable encryption can also loosely refer to systems where differ- ent keys can decrypt to different legitimate-looking plaintexts, again to dissimulate the real plaintext. Although motivated by potential real-world problems, deniable encryption is usually not the solution to such problems.
The first modern block cipher, standardized by NIST’s predecessor, the National Bureau of Standards. It’s broken by linear cryptanalysis more efficiently than brute force if you can find 2 43 plaintext/ciphertext pairs. If not, it’s now broken by design because of its too short keys.
A worthless book now that the internet exists.
An attack that guesses passwords based on a list of words. Passwords have low entropy because they’re often composed of dictionary words and common proper nouns. An attacker can build a list of candidate passwords, ranked in order of popularity, and try them one after another, or in parallel, to find the password that hashes to the value they obtained from some password hash database.
The class of cryptanalysis techniques that study the propagation of dif- ferences throughout internal computations to exploit some pattern or statistical bias in the output. Most of the attacks on symmetric crypto- graphic algorithms (block ciphers, hash functions, and so on) are some type of differential cryptanalysis. The differences exploited might be taken between two input values or between more than two, as in higher-order cryptanalysis and its variants (integral cryptanalysis, cube attacks, and so on). A related tech- nique, linear cryptanalysis, looks a bit different but is ultimately related to differential cryptanalysis. In addition, linear attacks often imply the possibility of pure differential attacks.
Lots of people working in cryptography have no deep concern with real application issues. They are trying to discover things clever enough to write papers about. —Whitfield Diffie A fairly simple mathematical trick that is behind most key agreement protocols, and that indirectly powers many more cryptosystems. You'll often find security proofs relying on the hardness of the Diffie–Hellman problem (given g a and g b , find g ab ) or variants thereof. The decisional Diffie–Hellman problem (DDH) was called a “gold mine” by cryptographer Dan Boneh, and was leveraged to build encryp- tion schemes (such as the Cramer–Shoup construction) as well as com- plex protocols such as threshold signature schemes. See New Directions in Cryptography.
More effective when the vulnerability is named with a clever acro- nym and accompanied by a nifty website, including a Q&A and a logo. Researchers first took this approach to tell the world about Heartbleed; then they used it to describe subsequent attacks on SSL/TLS. This allowed them to better communicate the new vulnerability (and spend less time responding to emails from journalists). Notable examples include:
BREACH Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
CRIME Compression Ratio Info-leak Made Easy
DROWN Decrypting RSA with Obsolete and Weakened eNcryption
POODLE Padding Oracle On Downgraded Legacy Encryption
ROBOT Return Of Bleichenbacher’s Oracle Threat
The problem of finding d in y = x d mod p for a prime p, or in dG = P in elliptic-curve groups of points. The discrete logarithm problem is now the most important computational problem in cryptography, before fac- toring, because Diffie–Hellman–like protocols have become more com- mon than RSA and Paillier cryptosystems.
An algorithm used in attacks against a scheme’s indistinguishability. For example, if you find a statistical bias in the output of a pseudo random generator, that bias would serve as a distinguisher, thereby breaking the PRNG.
Randomness generated by a group of parties that don’t necessarily trust each other; therefore, they don’t want any party to be capable of influ- encing the outcome. In this context, a simple protocol such as perform- ing an XOR of each participant’s random contribution isn’t secure. The reason is that the last contributor can set their value to one that, when XORed with the combination of all previous values, produces the result they want to be returned. Publishing commitments in advance partially addresses the problem.
The first formal model for defining cryptographic protocols. Also a symbolic framework for describing and analyzing their security. Cryptographers sometimes refer to the Dolev–Yao model when they mean the active attacker adversarial model—that is, the model wherein the attacker can eavesdrop, intercept, and modify data transmitted. But the Dolev–Yao model is more than that: it’s a general symbolic framework to describe and analyze protocols’ security.
A subprotocol of the Signal messaging protocol. It determines each message’s unique keys in such a way that an attacker who knows the message keys at a given time can determine neither past nor future message keys, thereby providing forward secrecy and some form of backward secrecy. See Signal protocol.
The double ratchet is a highly stateful protocol. It’s called double because it combines two techniques:
The symmetric-key ratchet, which maintains a hash chain from which mes- sage keys are derived.
The Diffie–Hellman ratchet, which performs Diffie–Hellman key exchanges with ephemeral key pairs to make future states unpredictable.
PAKE defined for the authentication standard EAP-pwd used in the Wi-Fi security suite WPA3. Attackers can bypass implementations of Dragonfly by exploiting the timing side channels in the hash-to-curve operations. See PAKE (password-authenticated key agreement).
An oxymoronic-sounding term referring to a component that deter- ministically generates a long string of random-looking bits when given some actually random value (called a seed, a key, or sometimes just entropy). An operating system’s random generator usually includes an entropy extraction mechanism that generates some unpredictable bits from some analog source and pushes these bits to an entropy pool from which a DRBG takes its seed. A DRBG is different from a PRNG; the terms PRBG and DRNG are rarely used. See Pseudorandom generator (PRNG).
The public-key signature scheme designed and patented by the NSA. It was standardized as part of the DSS (Digital Signature Standard) in 1991. This choice drew some criticism to which NIST responded as fol- lows in the magazine Federal Computer Week: NIST made the final choice. We obtained technical assistance from NSA, and we received technical inputs from others as well, but [NIST] made the final choice. At the time, the criticisms of DSA were about its efficiency, incom- pleteness (it didn’t specify a hash function), risk of patent infringement, and security. See DSS (Digital Signature Standard).
The name of the NIST standard about digital signatures; not a single algorithm. In 1982, NIST (then called the NBS) published a “Solicitation for Public Key Cryptographic Algorithms.” NIST later did the same for block ciphers and hash functions, resulting in the AES and SHA-3 standards. In 1987, NIST cancelled the DSS project upon request from the NSA. The standardization effort later resumed, leading to several standards established in 1991, including the NSA-designed DSA. DSS is also the abbreviation of the sodium trimethylsilylpropane sulfonate chemical compound, which is somehow related to cryptography.
The Common Scrambling Algorithm: an algorithm standardized by the Digital Video Broadcasting consortium to protect video content in pay- TV systems, typically by encrypting MPEG transport stream packets. See Control word.
The first version of the DVB-CSA standard, called CSA1, combines a stream cipher and a block cipher, and has a 48-bit key. CSA2 is similar but has a longer key of 64 bits. If these key sizes sound short to you, keep in mind that for most live content, the key usually changes every 5 or 10 seconds. CSA3 is very different. Although its full design isn’t public, it’s known to combine AES with another (patented) block cipher running in some unusual operation mode. Additionally, it includes components designed to prevent software emulation. Per its design, CSA3 should run in dedicated hardware circuits only, like those found in the systems-on-chip of set-top boxes.
A stream cipher used in Bluetooth. Broken in theory but not in practice. The more recent Bluetooth Low Energy standard uses AES-CCM instead.
The most obvious way to use a block cipher, where each block is pro- cessed independently of the others. ECB is the most robust mode against repeated IVs and nonces. But everybody knows ECB is insecure because you can see the penguin.
An acronym for either elliptic-curve cryptography or error-correcting code, depending on the context; confusion between the two can lead to unfortunate situations. See Elliptic-curve cryptography.
Arguably the most important computational problem as far as crypto- graphic security is concerned: given the points P and xP, find the num- ber x, where multiplication happens in the group of an elliptic curve over a finite field. Elliptic-curve schemes have replaced many instances of RSA or classical Diffie–Hellman, for example, in the TLS 1.3 standard.
The elliptic-curve counterpart of DSA, whose security requires the hardness of ECDLP, but is not totally equivalent to it. As far as we know, ECDLP’s hardness only implies ECDSA’s security (unforgeability) in the generic group model, which is an abstraction of ECDSA but not exactly ECDSA See DSA (Digital Signature Algorithm).
Many people first learned about the ECDSA algorithm after attackers discov- ered that the PlayStation 3 used a weak implementation of it. The implementa- tion’s nonce—an argument supposed to be unique for each signature, typically by being chosen at random—remained the same, allowing the attackers to eas- ily retrieve the private key. (Spoiler: the key was 46 DC EA D3 17 FE 45 D8 09 23 EB 97 E4 95 64 10 D4 CD B2 C2.) Those who missed the PS3 hack later discovered ECDSA as the signa- ture algorithm in Bitcoin and Ethereum, where ECDSA keys were sometimes also compromised because of repeated or biased nonces in flawed wallet software.
The elliptic-curve version of the IES public-key encryption scheme. Like IES, ECIES is a hybrid encryption scheme, therefore it needs a symmet- ric cipher to actually encrypt messages.
See IES (Integrated Encryption Scheme).
EdDSA signatures using Curve25519’s Edwards representation rather than the Montgomery format used by X25519, which causes developers a lot of headaches. See Curve25519, EdDSA.
A deterministic elliptic-curve signature scheme based on Schnorr’s scheme. The main alternative to the ECDSA standard. In its purest form, it’s resilient to non-collision-resistant hash functions and is famously used by Ed25519.
A legacy key management system designed by NSA to secure communi- cations for the US Army and other organizations.
If you thought key management for web applications was hard, wait until you have to do it in an environment with different classification levels, networks, device types, data management policies, and staff training. The following (incomplete) list of EKMS key abbreviations illustrates the complexity of managing keys in its target environments:
AEK: Algorithmic encryption key
KEK: Key encryption key
KPK: Key production key
OWK: Over the wire key
TEK: Traffic encryption key
TrKEK: Transmission key encryption key
TSK: Transmission security key
The system classifies keys depending on their role (operational, maintenance, or test). Operational keys, in turn, can have a variety of different attributes: they can be emergency contingency keys, joint theater keys, or allied keys, among others.
A cipher, in archaic NSA parlance. For example: “Electronic codebooks, such as the Advanced Encryption Standard, are both widely used and difficult to attack cryptanalytically.”
For many years, the only public-key encryption scheme used and taught in crypto classes other than RSA. Introduced in the 1985 article “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” which modestly started with the following abstract:
A new signature scheme is proposed together with an implementation of the Diffie–Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields. ECDSA eventually overshadowed the signature scheme, and currently, ElGamal encryption is rarely used. Instead, cryptographers use ECIES except in applications in which the message must be directly public-key-encrypted (as in some e-voting systems). The in-the-exponent variant of ElGamal encryption has two inter- esting properties: it is additively homomorphic, and decryption is impos- sible (unless you solve a discrete logarithm problem). Despite the latter suboptimal property, this version proved useful in threshold signature schemes.
A method of encoding elliptic-curve points as random-looking strings to make public keys indistinguishable from encrypted data.
Not an ellipsis, not a curved line. A set of points on the plane whose (x, y) coordinates satisfy the curve’s equation, which usually has the form y 2 = x 3 + ax + b, where a and b are fixed parameters. Crypto graphic applications only work with points whose coordinates belong to some finite field; therefore, the curve has a finite set of points.
Elliptic curves were, of course, discovered before cryptography, and mathema- ticians studied them much earlier. For example, elliptic curves played a role in the proof of Fermat’s Last Theorem. Cryptography takes advantage of the fact that an elliptic curve’s points happen to form a group structure with respect to a geometrically defined group operation, denoted as point addition. For well-chosen curve types, the equivalent of the discrete logarithm problem becomes difficult in such groups, which is why these curves prove useful in public-key cryptography.
Public-key cryptography relying on elliptic curves and related hardness problems (the discrete logarithm, or a variant thereof). Elliptic-curve cryptography can do almost everything that legacy public-key cryptog- raphy can do, in a way that is often faster and uses shorter keys. That includes encryption, key agreement, and signature. In addition, you can use it for more exotic cryptographic schemes due to its support of pairings.
See Pairing-based cryptography.
A synonym of encryption with emphasis on the act and operations carried out during the encryption process. To encipher, like the French verb chiffrer, comes from the Arabic صفر (sifr, the digit zero), whereas to encrypt, like the verb crypter, comes from the Greek kryptos (concealed, secret).
Encryption is said to be end-to-end when only the dedicated recipient(s) can decrypt the messages. It sounds straightforward but is actually an arduous engineering problem. As usual in cryptography, the hard part of such a system is key management and distribution, not the actual encryption, which is why many E2EE systems need a central server. Many E2EE systems also rely on trust-but-verify mechanisms and are only end-to-end as long as par- ticipants perform some manual verification, such as checking a conver- sation’s fingerprint.
In addition, E2EE systems sometimes ultimately rely on a central CA to enable trusted TLS connections (which you can think of as sim- ply end-to-end encryption over the transport layer rather than the application layer).
The electromechanical encryption machine used by the Nazis during World War II. The Enigma was analyzed by Polish and British cryptana- lysts, including Alan Turing, using techniques that researchers would later rediscover and call differential cryptanalysis, related-key attacks, and side-channel attacks.
A notion introduced around 1865 by Rudolf Clausius, arguably the founder of modern thermodynamics. But entropy wasn’t named until three years after his first formalization of the second law of thermo- dynamics (which states that entropy, at a microscopic level, cannot decrease in a closed system). Claude Shannon’s concept of information entropy came much later in his famous 1948 paper. Cryptography uses information entropy to assess a cryptosystem’s security by quantifying its amount of uncertainty.
Officially the Cryptology ePrint Archive, at https://eprint.iacr.org/. A web- site where cryptography researchers can post their papers online prior to formal, double-blind, peer-reviewed publication and be sure they’ll be noticed. Most cryptography researchers check the new papers pub- lished on ePrint at least once a week. Erathosthenes’ sieve A method of enumerating all prime numbers up to some upper bound; a 2,000-year-old algorithm typically taught in high school. It was redis- covered during the Black Hat 2019 conference.
A cryptography competition, officially a project, organized by the EU-funded ECRYPT project between 2004 and 2008. Of the 34 submit- ted ciphers, eight made it to the final portfolio, which included two categories: software (those with 128-bit keys) and hardware (those with 80-bit keys). By far the most successful design from eSTREAM is Salsa20, a cipher that later evolved to ChaCha20, which became central to the BLAKE family of hash functions. Of the other portfolio ciphers, Trivium and Grain (or variants thereof) are used in niche applications, and F-FCSR was broken.
See Grain, Salsa20, Trivium.
An important blockchain platform for decentralized applications, such as tokens. Ethereum has led to some of the most interesting cryptog- raphy research and open problems, based on novel challenges faced by their unique decentralized deployment, adversarial model, and Turing- complete functionality. For example, consider the following, all of which are admittedly more exciting than yet another new block cipher: proof- of-stake security, smart contract formal verification, atomic swaps, and sharding.
Europe’s largest academic cryptography conference, held every spring in a different European location since 1987. Researchers present peer- reviewed research papers with titles such as “Indistinguishability Obfuscation Without Multilinear Maps: New Methods for Bootstrapping and Instantiation” and “A Quantum-Proof Non-Malleable Extractor with Application to Privacy Amplification Against Active Quantum Adversaries.” See Asiacrypt, CHES, CRYPTO, FSE, PKC, Real World Crypto, TCC.
Alice and Bob’s nemesis. See Alice, Bob.
A topic that cryptographers like to publish papers about but don’t like to see deployed in reality because it’s perceived as unacceptably risky. E-voting is nonetheless cryptographically fascinating. It involves non- trivial cryptography, such as homomorphic encryption schemes used to encrypt ballots and aggregate them in a privacy-preserving way, and noninteractive zero-knowledge proofs, which are used to prove a vote’s correctness.
Given n = pq, find the primes p and q. Easy to solve if you have a large enough quantum computer.
An array of values, usually bits or bytes, that updates by shifting the values over and then filling the empty slot with the result of some func- tion of the previous state’s values. Historically, this cipher mechanism came after electromechanical machines and preceded modern ciphers. It’s still used in some hardware-oriented algorithms and in the mobile communication standard SNOW 3G. There are two kinds of feedback shift registers. In linear ones (LFSRs), this update function is linear, which renders the output predict- able but can also provide guarantees that the period of LFSR is maxi- mal. In nonlinear ones (NFSRs), after a few cycles of updates, the output values are highly nonlinear functions of the initial state, but guaran- tees on the period are difficult to compute. Concretely, linear update functions only do additions, whereas nonlinear ones do additions and multiplications. A good design strategy is to combine LFSRs and NFSRs. See Grain, SNOW 3G, Trivium.
A method of constructing a block cipher from a smaller block cipher or hash function. It works by splitting the message block in two halves, L and R, and updating it by repeatedly replacing (L, R) with (R, L ⊕ f(R)), where f() is the smaller function and can take a secret value as a param- eter. Feistel network is sometimes called Luby–Rackoff construction after the researchers who formally analyzed its security. The XOR operation can be replaced by another group operation. See DES (Data Encryption Standard), Lucifer.
The Soviet counterpart to the Enigma machine created after World War II. Unlike Western encryption machines, Фиалка supported Cyrillic characters.
A set of security requirements for cryptographic modules (software or hardware), established by NIST in 2001. It’s been superseded by FIPS 140-3 since 2019.
When a vendor says “We are FIPS 140-2 certified,” the statement can have one of two meanings: “We have applied for the certification,” or, ideally, “We have received the certification.” The latter case can also have different meanings:
Level 1: Correctness of the FIPS-approved algorithms.
Level 2: Level 1 plus some tamper evidence—for example, the ability to detect physical attacks after they occur by observing broken seals on the box.
Level 3: Level 2 plus some tamper detection—for example, the platform’s ability to detect physical attacks in real time and reset itself to factory mode if it believes it’s under attack. This level also includes some physical isolation and stronger authentication.
Level 4: Level 3 plus some stronger tamper detection with the guarantee that the module will detect most physical attack attempts and reset itself when under attack (for instance, by zeroizing secrets).
It’s worth noting that FIPS 140-2 doesn’t measure a system’s resilience to physi- cal attacks so much as the system’s ability to detect them. This acknowledges that most systems are vulnerable to physical attacks given the right equipment. Additionally, the fact that a system is FIPS 140-2 certified doesn’t mean that it’s perfectly secure. The reason is that 1) FIPS 140-2 is limited by its scope and by the definition of the security requirements of each of its levels, and 2) even in a certified product, the certification usually only applies the cryptographic module (and sometimes only parts of it). In other words, if some application calls a FIPS 140-2 Level 3 module to encrypt some message, and the applica- tion’s software has a flaw that leaks said plaintext, don’t blame the certification.
New version of FIPS 140-2 since 2019. It introduces requirements against noninvasive attacks and the concepts of Normal Operation and Degraded Operation, among others. See FIPS 140-2.
An attack whose goal is not to recover some secret but to create a sup- posedly hard-to-generate value without the knowledge of some secret. Unforgeability is the corresponding security notion and is most com- monly associated with signatures and MACs. More generally, unforge- ability must apply to any scheme for which an attacker should have trouble creating a valid output. These include ciphertexts in authentica- tion encryption and zero-knowledge proof protocol transcripts. Sometimes forgeability is a desirable property (for example, to achieve deniability.
A form of testing that relies on mathematical guarantees. Applied to security protocols, formal verification includes symbolic and computa- tional verification techniques, which assess whether a protocol satisfies properties such as confidentiality and authentication. Another example is programming languages that can certify that an implementation is functionally correct with respect to a specification, or that it’s free of certain classes of side channels. High-assurance applications often receive some sort of formal veri- fication, such as the Common Criteria security evaluation framework’s EAL7 assurance level. Still, don’t be fooled into thinking formal verifica- tion means proof that everything about a crypto implementation is secure.
A type of encryption that produces a ciphertext with the same format as the original message. For example, the format-preserving encryption of a 16-digit credit card number would produce another 16-digit num- ber. Format-preserving encryption is often useful for encrypting data- base entries whose field type must have a specific format, such as social security numbers, IP addresses, and ZIP codes. Although the problem sounds simple, it requires sophisticated techniques, especially for the more general problem of creating ciphers from arbitrary domains of values.
Forward secrecy The notion that something remains secure if something else is compromised at a later time. What counts as something, something else, and a later time depends on the context. Forward secrecy is usually a relevant security notion for key agreement protocols, secure messaging proto- cols (and their ratchetting mechanisms), pseudorandom generators, pseudorandom functions, MACs, and other stateful objects. It’s usually easier to achieve forward secrecy than backward secrecy, because it’s easier to erase the past than to make the future unpredictable (in cryptography, at least). See Backward secrecy.
See IDEA NXT.
A conference focused on the design and cryptanalysis of symmetric cryptography primitives, including slow and hardware-oriented hash functions. FSE is sometimes viewed as an applied cryptography confer- ence, despite the fact that it rarely focuses on real-world algorithms, let alone real-world attacks. Researchers present peer-reviewed papers with titles such as “Improving the MILP-Based Security Evaluation Algorithm Against Differential/Linear Cryptanalysis Using a Divide-and-Conquer Approach” and “Low AND Depth and Efficient Inverses: A Guide on S-boxes for Low-Latency Masking.” See Asiacrypt, CHES, CRYPTO, Eurocrypt, PKC, Real World Crypto, TCC.
See Homomorphic encryption.
A type of cryptographic scheme that looks like magic: when designed for some function f(), decrypting Enc(M) yields not M but f(M). But like many of the magic cryptographic schemes, it’s of limited use in practice, because it can efficiently support only simple functionalities. To build functional encryption schemes, cryptographers can use the trick of leveraging indistinguishability obfuscation: in other words, the decryption process that finds f(M) would consist of an obfuscated pro- gram that first retrieves M and then computes f(M) without ever expos- ing M.
A term coined in the context of the Signal protocol to refer to a notion similar to backward secrecy. Indistinguishable from break-in recovery. See Backward secrecy.
A scheme for extracting the value of some high-entropy secret from multiple noisy readings, each with different random errors, to derive a key. This might sound a lot like an error-correcting code, but it’s dif- ferent: first, the value read is not a codeword (which has redundancy in it and thus is suboptimal entropy), but instead is a value of potentially maximal entropy; second, the value is not read once but multiple times; and third, the enrollment data used to decode the secret must not leak information about said secret. Therefore, you can store it without pri- vacy leaks.
You might find fuzzy extractors used in biometric authentication applications, which have to extract a value that uniquely identifies an individual. These applications typically must extract this value from noisy measurements and without relying on a database of sensitive data, such as data about each individual. Conversely, in a traditional approach to authentication, you would compare a new measurement to a registered one to identify a person.
The best (nonquantum) algorithm for factoring large integers.
The USSR national standard block cipher designed in the 1970s and included in the GOST 28147-89 standard series. Whereas the American DES cipher, designed in the same era, uses keys that are only 64 bits long, GOST works with 256-bit keys and comes with customizable S-boxes. Constructed as a Feistel network like DES, GOST hasn’t been meaningfully broken, although research papers have described some attacks against it that perform fewer than 2 256 operations. Russian authorities officially deprecated GOST in 2019. Its successor is the block cipher Кузнечик (Kuznyechik).
A family of minimalistic hardware-oriented stream ciphers: Grain (80-bit key), Grain 128, and Grain 128a (128-bit key).
A canonical representation of a system of multivariate equations. Computing a Gröbner basis for a multivariate system is one of the pos- sible definitions of “solving” it, because it can be used, for example, to find its numeric solutions. The general problem of computing Gröbner bases is NP-hard. The actual time and memory required to compute one for a specific system of equations, as found in multivariate cryptography or in algebraic cryptanalysis, is usually large and hard to estimate: but when it’s not, it produces spectacular cryptanalyses.
A signature scheme involving a group of potential signers. Any group member can issue a signature on behalf of the group, and a verifier can learn the identity of the group members but not of the actual signer. There’s an exception: groups must work with a trusted entity, called the group manager, which can trace signatures back to their original signer. Ring signatures don’t have this traceability property or the need for a group manager. See Ring signature.
Grover’s algorithm A quantum algorithm that in theory can break symmetric ciphers in O(2 n/2 ) instead of O(2 n ) complexity, where n is the key length.
You might think that, as a result of Grover’s algorithm, ciphers with a 128-bit key would have only 64-bit security. But in reality, breaking a cipher wouldn’t become quadratically more cost-efficient, because of various reasons, includ- ing the following:
Running Grover’s algorithm to break, say, AES would require a quantum implementation of AES, which is much slower and more costly than any conventional implementation.
Grover’s algorithm doesn’t appear to scale the way classical brute force does, in the sense that it can’t distribute computations across multiple units or attack multiple instances simultaneously.
The O() asymptotic notation hides constant factors that might prove non- negligible in reality.
A key concept in the theoretical definition of one-way functions and permutations: for some one-way function f(), a hardcore predicate is some bit of information about an input x that is easy to compute from x but hard from f(x). By definition, you should be able to find a hardcore predicate for any given one-way function and its permutations.
The simplest cryptographic object, and at first glance, the dumbest operation ever. A hash function takes a single input of any type, format, or size, and returns a single output that is a fixed size and looks totally unrelated to its input. Yet equipped with such a trivial tool, you can con- struct secure symmetric ciphers, pseudorandom generators, key deriva- tion functions, and even public-key signatures, as well as a variety of security protocols.
The most secure but slowest form of post-quantum cryptography. You can use hash functions to create various cryptographic objects, such as stream ciphers or pseudorandom generators. But when you hear hash- based cryptography, it refers to public-key signatures built from only hash functions.
Simple hash-based signatures, as proposed by Lamport, Merkle, and Winternitz in the late 1970s, have severe shortcomings. For example, you can use them only a limited number of times or only on very short messages. Like many problems in computer science, researchers have addressed the problem of scaling hash-based signatures by throw- ing trees, trees, and even more trees at it. This has notably led to the SPHINCS and XMSS designs. See SPHINCS, XMSS.
The bug in OpenSSL that revived interest in the security of TLS and its implementation. Ultimately, Heartbleed led to a safer OpenSSL, as well as the TLS 1.3 protocol.
A type of signature that reintroduces randomness as a defense against fault attacks. Fault attacks affect signature schemes, such as EdDSA and deterministic ECDSA, that don’t need a random or unique value to be secure. (By contrast, ECDSA requires a fresh secret random value per signature.) Such derandomized signature schemes protect against poor randomness but have been shown to be vulnerable to fault attacks that partially exploit their determinism. Hedged signatures aim to correct this without allowing lower-quality randomness to reduce the scheme’s security. Such hedged signatures include the XEdDSA variant, as well as the post-quantum schemes qTESLA and Picnic2.
A family of multivariate public-key schemes, including encryption and signature schemes. As modestly stated in the 1996 paper that intro- duced it, “the security of HFE is not proved but apparently it seems to be related to the problem of solving a system of multivariate quadratic equations over a finite field.”
For many developers, a synonym of MAC. Strictly speaking, however, an HMAC isn’t a MAC but a way to construct a MAC from a hash function. For example, you can construct a MAC atop SHA-256, which is called HMAC-SHA-256. Keep in mind that HMACs are not the only— and not necessarily the best—ways of constructing MACs.
An encryption that satisfies Dec(Enc(M 1 ) ⦾ Enc(M 2 )) = M 1 ⦿ M 2 for some operators ⦾ and ⦿ that might be identical or distinct, and are usually some type of addition or multiplication. For example, encrypting a message with textbook RSA by doing M d mod n for some message M is homomorphic with respect to multiplication: the product of two ciphertexts is the ciphertext of the product of the plaintexts. Homomorphism can be a security issue and a feature, depend- ing on the context. For example, certain e-voting systems leverage the homomorphic property of Paillier’s cryptosystem to aggregate ballots without decrypting them individually. Fully homomorphic encryption is a more general and powerful property but is also harder to realize: a fully homomorphic encryption can be homomorphic with respect to any operation performed on the ciphertext instead of just a single group operation.
A mostly forgotten block cipher submitted in 1998 to the AES competi- tion. Its designer called it “the first Omni-Cipher: It can encrypt any blocksize with any keysize.”
Unconventional yet innovative, HPC had several unique features as it was:
The first tweakable block cipher (the tweak was then called the spice or the secondary key)
Optimized for 64-bit architectures and the fastest of all AES candidates on these
Able to support any key and block size
Composed of five subciphers: HPC-Tiny, -Short, -Medium, -Long, and Extended
The so-called spice anticipated some of the future needs for a tweak. As the specification comments: HPC’s spice is an important protection for short-block encryption: The spice can be different for every bit field, preventing dictionary attacks. In addition, HPC’s designer foresaw that one of the main applications of encryption would be online videos: The most important future application for encryption will be for video com- munications, on stock hardware, which will be 64-bit machines. The Hasty Pudding Cipher is the fastest cipher for bulk encryption on 64-bit machines. (. . .) Performance in video applications is so important that HPC should be the primary AES choice. Although it remains unbroken—only equivalent keys were found—HPC wasn’t selected as the AES and didn’t even make it to the second round. Its unortho- dox design and lack of formal security arguments probably didn’t play in its favor.
Hardware equipment dedicated to running cryptographic operations and other security tasks. HSMs can come in different form factors, such as rack servers or USB dongles. HSMs don’t necessarily run crypto- graphic operations using dedicated hardware (as in a dedicated silicon circuit). Actually, most of the time, they run all cryptography in soft- ware, executed by some general-purpose processor. The S in HSM refers to the functionality it implements; it doesn’t necessarily mean the HSM is more secure than a normal computer.
See QUIC (Quick UDP Internet Connections).
Like elliptic-curve cryptography but using a higher-dimensional object: the Jacobian of a hyperelliptic curve. We can’t explain what a Jacobian is in terms of anything else that is familiar to most readers, to paraphrase Richard Feynman. The main advantage of hyperelliptic curves is that, owing to the additional dimensions, the same finite field generates larger groups than it would with an elliptic curve. This strength is also a weakness: when the number of dimensions becomes too high (usually more than three), discrete logarithms become easier.
Cryptographers’ union, a nonprofit that organizes the largest aca- demic cryptography conferences and manages the reference preprint platform ePrint.
A 64-bit block cipher from the early 1990s. One of the rare block ciphers that uses the Lai–Massey construction, not a Feistel or substitution– permutation network. Despite a rather heuristic design approach, IDEA resisted crypt- analysis for years. The first attack against it that proved potentially faster than brute force didn’t appear until 2012. (This was a biclique attack with 2 126 operations.) IDEA is one of the few ciphers that uses integer multiplication oper- ations, which has some security benefits but makes protecting against side-channel attacks difficult.
A block cipher with little similarity to IDEA except for their shared Lai– Massey construction. Also like IDEA, it was designed for the Mediacrypt AG company and patented. Initially named and published as FOX, IDEA NXT proved very useful in antipiracy initiatives, not only because of its cryptographic merits.
A means of sending an encrypted message without knowing someone’s public key. For instance, when Alice wants to send an encrypted mes- sage to Bob but doesn’t know his public key, identity-based encryption (IBE) allows her to compute it using the name Bob and some master public key. The only caveat is that IBE requires a trusted third party, called the key server, which knows some master private key and uses it to generate users’ private keys. Bob therefore needs to authenticate to the key server, proving that he’s the real Bob, to receive his private key.
A public-key encryption scheme that doesn’t involve a public-key encryption primitive. Instead, the sender chooses a random key pair, computes a Diffie–Hellman shared secret between the fresh private key and the recipient’s public key, derives a symmetric key from it, and encrypts the message with some authenticated cipher. Neither party performs a public-key operation to encrypt the data.
In the Dolev–Yao model, an archetypal attacker who can transmit data but not receive it. Or in Dolev and Yao’s own words, “one who only initi- ates conversations (and does not rely on being spoken to.)”
Cryptographer Moti Yung once said, “When a software engineer says [a security engineering problem] is impossible, that really just means it’s cryptographically interesting.”
A differential attack that exploits abnormally unlikely events rather than abnormally likely ones. Differential cryptanalysis generally exploits patterns of unusually high probability that occur in the differences between outputs and inputs with a specific difference. Impossible differential attacks exploit the opposite type of pattern, namely those that have zero chance of being observed under certain conditions. If cryptanalysts notice these patterns, they can deduce that the condition doesn’t hold. This information could help recover a cipher’s secret key or subkey.
Indistinguishability of ciphertexts under chosen-ciphertext attacks. The strongest security notion for encryption schemes (both public- key and symmetric-key schemes). The chosen-ciphertext might intui- tively make little sense in practice. The reason is that you’ll rarely find systems where attackers can decrypt any ciphertexts they want, but encryption that can do more can do less. In addition, there are cases in which you do have a decryption oracle, such as some DRM systems.
Indistinguishability of ciphertexts under chosen-plaintext attacks. Also known as semantic security. It’s the idea that a ciphertext shouldn’t reveal anything about a plaintext other than its approximate length, even to an active attacker capable of retrieving the ciphertext corre- sponding to the plaintexts of their choice. IND-CPA is the standard security notion for symmetric encryp- tion. For example, block ciphers in CTR or in CBC mode are secure if the underlying block cipher is secure, and if CTR nonces are unique or CBC initial values are unpredictable. That’s a lot of ifs, which in practice can lead to security flaws in otherwise IND-CPA schemes.
Property belonging to a transaction, or series thereof, that is time- stamped implicitly or explicitly and cannot be backdated or otherwise altered. Cryptographic ledger mechanisms, such as blockchains, can often address this problem.
Property of a construction, such as of a hash function, that is guaran- teed to lead to a secure primitive if the building blocks have no security flaw. In the context of hash functions, we talk of indifferentiability from a random oracle, meaning that if the underlying compression function or permutation is ideal, the hash function has as many structural proper- ties as a random oracle: that is, none.
The property in which something that isn’t really random appears the same as something that is actually random. If the two are indistin- guishable, you cannot extract information from the not-really-random thing. In the case of encryption, the not-really-random thing is the ciphertext, and the information you’re unable to extract is about the plaintext. Indistinguishability applies to other cryptographic function- alities as well.
The mathematization of the intuitive concept of software obfuscation. In cryptography, as in software security, the obfuscation process takes as input a program and produces a second program that in some sense hides how the first program works: its internal variables, secret argu- ments, and so on. Unlike in software security, cryptography sees a pro- gram as one of the possible abstract representations, most commonly a Boolean circuit with AND, OR, and NOT gates. iO can be seen as a raw encoding of the input–output relations that hides its implementation details, such as subprocedures or intermedi- ate variables. The notion of indistinguishability is just a formal way to express the idea that, given obfuscations of two distinct yet equivalent programs, an attacker shouldn’t be able to identify which of the pro- grams is which. Although iO sounds like the solution to many problems, in practice it’s not because of its high complexity and inefficiency.
Integrity of ciphertexts. The security notion, applicable to authenti- cated encryption schemes, that it should be practically impossible for an attacker to create a valid ciphertext, even if they know many valid ciphertexts for messages of their choice. A related theorem: if an authenticated cipher is IND-CPA and INT- CTXT, it’s also IND-CCA. I leave it to you to Google the proof for this result.
A public-key signature that cannot be identified as valid or invalid unless the signer has agreed to reveal that information. An invisible sig- nature might appear to make the signature anonymous (that is, because the signature doesn’t reveal the signer’s identity or public key), but this isn’t necessarily the case. Consider this counterexample: if you addi- tionally sign the signature with a noninvisible signature scheme, the scheme remains invisible but is clearly not anonymous. See Anonymous signature, Undeniable signature.
By its own definition, a blockchain with no blocks and no chain. Probably the most mocked blockchain platform, because it has made some unfortunate cryptographic choices, such as designing a new hash function. Cryptography enthusiasts and IOTA supporters have posted hun- dreds of inflammatory tweets about IOTA’s questionable design choices. Here is a very brief summary of the debate: the crypto enthusiasts yelled, “IOTA is broken because its signature scheme is broken.” In response, IOTA fans responded, “IOTA isn’t broken because it can’t be exploited.” There is some truth to both sides.
An alternative name for the IDEA block cipher. See IDEA.
One of the major open secure channel protocols along with TLS and SSH. Despite its widespread use, it remains much less known in the cryptography community and among engineers. Indeed, you don’t need to understand IPSec if you’re developing mobile or web applications. Also, its design and subprotocols look cryptographically boring. A product of DARPA- and NSA-sponsored efforts that began in the 1970s, IPSec nonetheless remains the standard for network layer security. In addition, its design and implementations have proven more robust than early SSL and TLS versions except for the weak IKEv1 subprotocol.
Buy this definition for $180. Please note that a paper format is currently unavailable.
The youngest class of post-quantum cryptography methods; initiated in the early 2000s. An isogeny is a function that maps points of an elliptic curve to points of another elliptic curve and that satisfies specific math- ematical properties. You can then draw a graph whose nodes are elliptic curves and whose edges are isogenies between them, and walk through this graph in a pseudorandom way. After throwing a lot of cool math at the study of these objects—graph theory, quaternion algebras, and so on—you end up with hard computational problems that you can use for crypto applications.
Cryptography’s Nature minus the publication fees.
A variant of the 1995 block cipher MISTY1; used in 3G telecommu- nications standards as the A5/3 cipher. KASUMI is broken, because a practical key-recovery attack exists. KASUMI is also not broken, because said attack requires chosen-ciphertext queries in the related- key model, which isn’t realistic.
The hash function family standardized as SHA-3; it is built from a single permutation according to the sponge function framework. Keccak’s permutation performs a clever combination of XORs and logical ANDs. It’s also optimized for efficiency and easily scales to different widths. The original Keccak design and its sponge mode have led to several other algorithms. See Permutation-based cryptography.
The most expensive broken cipher ever. One of the rare block ciphers to rely on a feedback shift register.
A public-key encryption scheme designed to encrypt and decrypt short, fixed-size chunks of data; commonly used to encapsulate a symmetric key. You can think of a KEM as a key agreement in which one party gets to choose the key; a KEM’s encryption function picks a random symmetric key and encrypts it, whereas the KEM’s decryption func- tion decrypts it to recover the symmetric key. It can then continue to decrypt any data encrypted using that key with some symmetric primitives.
The ancestor of single sign-on systems, designed in the late 1980s to provide secure authentication and authorization to MIT’s distrib- uted computing platform Athena. Admittedly an elder technology, Kerberos is one of the security protocols that relatively few people know despite its major impact and the fact that it’s still used in many places, such as in the Radius authentication protocol. Indeed, in spite of its old age, Kerberos remains a decently secure protocol. It imple- ments often forgotten concepts, such as not trusting any party until they’re authenticated and not exposing passwords in clear. It has some limitations; for instance, Kerberos must rely on a trusted third party. But then again, how many security protocols ultimately don’t? Sometimes known as a protocol that uses only symmetric cryptogra- phy, Kerberos can also support public-key crypto, as well as various authentication forms, such as one-time passwords, hardware tokens, and biometrics.
The origin of the Kerberos protocol’s name is best explained by the god- dess Athena in her conversation with Euripides (as reproduced on MIT’s Kerberos site):
Euripides: (. . .) You know, I think we have a solid basis on which to imple- ment the Charon Authentication System.
Athena: Perhaps. Anyway, I don’t like the name Charon.
Euripides: You don’t? Since when?
Athena: I’ve never liked it, because the name doesn’t make sense. I was talking to my Uncle Hades about it the other day, and he suggested another name, the name of his three-headed watchdog.
Euripides: Oh, you mean Cerberus.
Athena: Bite your tongue Rip! Cerberus indeed . . .
Euripides: Er, isn’t that the name?
Athena: Yeah, if you happen to be a Roman! I’m a Greek goddess, he’s a Greek watchdog, and his name is Kerberos, Kerberos with a K.
Euripides: Okay, okay, don’t throw thunderbolts. I’ll buy the name. Actually, it has a nice ring to it. Adios Charon and hello to Kerberos.
The six principles, or desiderata, of security established by the 19th- century Dutch cryptographer Auguste Kerckhoffs in his article “La cryptographie militaire” (in French).
Of the six principles in Kerckhoffs’ paper, only the second is commonly known as Kerckhoffs’ principle. But all six deserve our attention. Let’s exam- ine them here:
The system must be practically, if not mathematically, indecipherable. Today’s equivalent would also include systems that are virtually inde- cipherable by mathematical means, as when security proofs guarantee practical security under some hardness assumptions.
It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience. All serious cryptographers should fol- low this . . . except when they shouldn’t. Indeed, in rare exceptions, mak- ing the algorithm secret (via custom design, secret S-boxes, secret tweak input, and/or secret personalization values) contributes significantly to the security of a system.
Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents. Key distribution, revocation, and rotation remain among the most challenging problems in cryptography, and the source of many perils.
It must be applicable to telegraphic correspondence. Sorry, Kerckhoffs; the problem of email encryption is still practically unsolved.
Apparatus and documents must be portable, and its usage and function must not require the concourse of several people. This goal is the opposite of that of protocols, such as distributed key generation and threshold encryption.
Finally, it is necessary, given the circumstances that command its application, that the system be easy to use, requiring neither mental strain nor the knowl- edge of a long series of rules to observe. Simplicity has rarely been a major concern in cryptographic designs, although it ought to be.
Key derivation function (KDF) A function that hashes stuff to obtain a key. A simple hash function doesn’t always do the trick, because the stuff to be hashed typically includes a combination of secret and nonsecret values. A KDF’s inter- face helps process these values securely to avoid collisions between different sets of stuff. There is another reason hash functions aren’t sufficient: a KDF must often generate keys of arbitrary size, whereas most hash functions generate values of a fixed size. A special case arises whenever the key can’t be just any string of bits (as in the case of a symmetric key) but a public/private key pair. In those situations, rather than generating the key pair as part of the KDF, you would generally use a second algorithm to deterministically create a key pair from a seed. Last but not least, when the stuff’s secret is a password, pass- phrase, or other low-entropy value, you need a special kind of KDF, called a password hash function. These have some additional security requirements. See Password hash function.
The idea of entrusting an organization or entity with the custody of secret keys and therefore the rights associated with them, for example, to decrypt communications. As told by the European Council in a meeting in May 1998: The Council Resolution of 17 January 1995 recognised that lawfully authorised interception of communications is an important tool for the investigation of serious crime. The Council notes that law enforce- ment agencies may require lawful access to encryption keys, without the knowledge of the user of the cryptographic service, in order to maintain this capability. To this end, the Council recognises that one possible approach amongst others, which might meet law enforcement interests, might be the promotion of confidentiality services which involve the depositing of an encryption key or other information with a third party. Such services are often known as “key escrow” or “key recovery” services. Law enforcement agencies may also require law- ful access to encryption keys where it is necessary to decrypt material which has been seized as part of a criminal investigation. In principle, key escrow sounds easy and a fair solution to real problems. But in practice, key escrow raises a lot of procedural, techno- logical, and political problems, and its benefits might not be worth the additional cost and risks, depending on your metric. See Key management.
The single hardest problem in cryptography. Key management won’t be solved by quantum computers or with an NP oracle.
To symmetric cryptography, what KEMs are to public-key cryptography.
A term coined to refer to cryptography used in malware and other unholy applications, particularly when their aim is to steal infor- mation in a covert way; for example, via subliminal channels or obfuscation.
An adversarial model that assumes the attacker already knows the secret key of some symmetric cipher. Therefore, the attack’s goal isn’t to recover a key but to identify structural properties that the attacker might exploit when the cipher is used in a hash function or some other construction where its key might not be secret.
The Ukrainian national hash function standard; established in 2014 and named after the plant Polygonatum multiflorum. Kupyna is based on a fairly unusual compression function construction: given a message block M and an initial hash value H, the next hash value is computed as H ⊕ Perm 1 (M) ⊕ Perm 2 (M ⊕ H), where Perm 1 and Perm 2 are permuta- tions similar to AES with no key and a wider state.
An interactive proof protocol where the prover sends very few bits to the verifier.
A secure way to build a block cipher, although much less common than the Feistel substitution-permutation networks. The Lai–Massey con- struction is notably used by IDEA and FOX.
The first hash-based signature scheme, and in its original form, the sim- plest signature scheme ever: to sign a one-bit message, you’d first gener- ate a private key composed of two random values K 0 and K 1 . Then you’d share the public key (Hash(K 0 ), Hash(K 1 )). To sign the message 0, you’d attach K 0 as a signature, and you’d attach K 1 otherwise. This works, but it’s not very useful, because 1) a key pair can sign only one message, and 2) the key size is proportional to that of the message.