Papers
A curated list of cryptography papers, articles, tutorials and howtos for non-cryptographers.
Notes
The goal of this list is to provide educational reading material for different levels of cryptographic knowledge. I started it because my day job onboarding engineers at Cossack Labs includes educating them in cryptographic matters and giving advice on what to read on specific topics, and that involves finding the same materials repeatedly. Hopefully, it will be useful for someone else as well.
It is aimed at people who are using cryptography in higher-level security systems to implement database encryption, secure sharing, end-to-end encryption in various schemes, and who should understand how it works, how it fails and how it is attacked. It is not a list of notable / important / historically important papers (although many of them are here). It is not aimed at academics (who have a better grasp of what they need anyway), nor is it aimed at the systematic study of wannabe cryptographers (who should rather follow a structured approach under professional guidance).
It will be extended gradually as I find something of "must-have" value. Pull requests are very welcome.
- Introducing people to data security and cryptography.
- Simple: cryptography for non-engineers.
- Brief engineer-oriented introductions.
- Specific topics.
- Hashing - important bits on modern and classic hashes.
- Secret key cryptography - all things symmetric encryption.
- Cryptanalysis - attacking cryptosystems.
- Public key cryptography: General and DLP - RSA, DH and other classic techniques.
- Public key cryptography: Elliptic-curve crypto - ECC, with focus on practical cryptosystems.
- Zero Knowledge Proofs - Proofs of knowledge and other non-revealing cryptosystems.
- Math - useful math materials in cryptographic context.
- Post-quantum cryptography - Cryptography in the post-quantum period.
- Books.
- Lectures and educational courses.
- Online crypto challenges.
The list
Introducing people to data security and cryptography
Simple: cryptography for non-engineers
- Nuts and Bolts of Encryption: A Primer for Policymakers.
- Keys under Doormats - Or why cryptography shouldn't be backdoored, by an all-star committee of crypto researchers from around the world.
Brief introductions
- An Overview of Cryptography - By Gary C. Kessler.
- Using Encryption for Authentication in Large Networks - By Needham, Schroeder: this is where crypto-based auth starts.
- Communication Theory of Secrecy Systems - Fundamental cryptography paper by Claude Shannon.
General cryptographic interest
- Another Look at "Provable Security" - Inquiries into the formalism and naive intuition behind security proofs, by Neal Koblitz et al.
- The security impact of a new cryptographic library - Introductory paper on NaCl, discussing important aspects of implementing cryptography and using it as a larger building block in security systems, by Daniel J. Bernstein, Tanja Lange, Peter Schwabe.
Specific topics
Hashing
- FIPS 198-1: HMACs - The Keyed-Hash Message Authentication Code FIPS document.
- FIPS 202: SHA-3 - SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.
- Birthday problem - The best simple explanation of the math behind the birthday attack.
- On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 - Security analysis of different legacy HMAC schemes by Jongsung Kim et al.
- On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit - Security of randomized CBC-MACs and a new construction that resists birthday paradox attacks and provably reaches full security, by E. Jaulmes et al.
Secret key cryptography
- FIPS 197 - AES FIPS document.
- List of proposed operation modes of AES - Maintained by NIST.
- Recommendation for Block Cipher Modes of Operation: Methods and Techniques.
- Stick figure guide to AES - If the stuff above was a bit hard or you're looking for a good laugh.
- Cache timing attacks on AES - Example of designing a great practical attack on a cipher implementation, by Daniel J. Bernstein.
- Cache Attacks and Countermeasures: the Case of AES - Side channel attacks on AES, another view, by Dag Arne Osvik, Adi Shamir and Eran Tromer.
- Salsa20 family of stream ciphers - Broad explanation of the Salsa20 security cipher by Daniel J. Bernstein.
- New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba - Analysis of the Salsa20 family of ciphers, by Jean-Philippe Aumasson et al.
- ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) - IETF Draft of the ciphersuite family, by Adam Langley et al.
- AES submission document on Rijndael - Original Rijndael proposal by Joan Daemen and Vincent Rijmen.
- Ongoing Research Areas in Symmetric Cryptography - Overview of ongoing research in secret key crypto and hashes by the ECRYPT Network of Excellence in Cryptology.
- The Galois/Counter Mode of Operation (GCM) - Original paper introducing GCM, by David A. McGrew and John Viega.
- The Security and Performance of the Galois/Counter Mode (GCM) of Operation - Design, analysis and security of GCM, and, more specifically, AES-GCM mode, by David A. McGrew and John Viega.
- GCM Security Bounds Reconsidered - An analysis and algorithm for nonce generation for AES-GCM with higher counter-collision probability, by Yuichi Niwa, Keisuke Ohashi, Kazuhiko Minematsu, Tetsu Iwata.
- Proxy-Mediated Searchable Encryption in SQL Databases Using Blind Indexes - An overview of existing searchable encryption schemes, and analysis of a scheme built on AES-GCM, blind index and Bloom filter, by Eugene Pilyankevich, Dmytro Kornieiev, Artem Storozhuk.
Cryptanalysis
- Differential Cryptanalysis of Salsa20/8 - A great example of stream cipher cryptanalysis, by Yukiyasu Tsunoo et al.
- Slide Attacks on a Class of Hash Functions - Applying slide attacks (a typical cryptanalysis technique for block ciphers) to hash functions, by M. Gorski et al.
- Self-Study Course in Block Cipher Cryptanalysis - Attempt to organize the existing literature of block-cipher cryptanalysis in a way that students can use to learn cryptanalytic techniques and ways to break new algorithms, by Bruce Schneier.
- Statistical Cryptanalysis of Block Ciphers - By Pascal Junod.
- Cryptanalysis of block ciphers and protocols - By Elad Pinhas Barkan.
- Too much crypto - Analysis of the number of rounds for symmetric cryptography primitives, and suggestions to do fewer rounds, by Jean-Philippe Aumasson.
- How to Break MD5 and Other Hash Functions - A 2005 paper about the modular differential collision attack on MD5, MD4 and other hash functions, by Xiaoyun Wang and Hongbo Yu.
- New attacks on Keccak-224 and Keccak-256 - A 2012 paper about using the combination of differential and algebraic techniques for collision attacks on SHA-3, by Itai Dinur, Orr Dunkelman, Adi Shamir.
- A Single-Key Attack on the Full GOST Block Cipher - An attack ("Reflection-Meet-in-the-Middle Attack") on the GOST block cipher that allows recovering the key with 2^225 computations and 2^32 known plaintexts, by Takanori Isobe.
- Intro to Linear & Differential Cryptanalysis - A beginner-friendly paper explaining and demonstrating techniques for linear and differential cryptanalysis.
- MEGA: Malleable Encryption Goes Awry - Proof-of-concept versions of attacks on MEGA data storage, showcasing their practicality and exploitability. Official webpage.
Public key cryptography: General and DLP
- New Directions in Cryptography - Seminal paper by Diffie and Hellman, introducing public key cryptography and the key exchange/agreement protocol.
- RFC 2631: Diffie-Hellman Key Agreement - An explanation of the Diffie-Hellman method in more engineering terms.
- A Method for Obtaining Digital Signatures and Public-Key Cryptosystems - Original paper introducing the RSA algorithm.
- RSA Algorithm - A rather educational explanation of every bit behind RSA.
- Secure Communications Over Insecure Channels - Paper by R. Merkle, which predated "New Directions in Cryptography" though it was published after it. The Diffie-Hellman key exchange is an implementation of such a Merkle system.
- On the Security of Public Key Protocols - The Dolev-Yao model is a formal model used to prove properties of interactive cryptographic protocols.
- How to Share a Secret - A safe method for sharing secrets.
- Twenty Years of Attacks on the RSA Cryptosystem - Great inquiry into attacking RSA and its internals, by Dan Boneh.
- Remote timing attacks are practical - An example of attacking a practical crypto implementation, by D. Boneh, D. Brumley.
- The Equivalence Between the DHP and DLP for Elliptic Curves Used in Practical Applications, Revisited - by K. Bentahar.
- SoK: Password-Authenticated Key Exchange - Theory, Practice, Standardization and Real-World Lessons - History and classification of the PAKE algorithms.
- RSA, DH and DSA in the Wild - Collection of implementation mistakes which led to exploits of asymmetric cryptography.
Public key cryptography: Elliptic-curve crypto
- Elliptic Curve Cryptography: A gentle introduction.
- Explain me like I'm 5: How digital signatures actually work - EdDSA explained with ease and elegance.
- Elliptic Curve Cryptography: finite fields and discrete logarithms.
- Detailed Elliptic Curve Cryptography tutorial.
- Elliptic Curve Cryptography: ECDH and ECDSA.
- Elliptic Curve Cryptography: breaking security and a comparison with RSA.
- Elliptic Curve Cryptography: the serpentine course of a paradigm shift - Historic inquiry into the development of ECC and its adoption.
- Let's construct an elliptic curve: Introducing Crackpot2065 - Fine example of building up ECC from scratch.
- Explicit-Formulas Database - For many elliptic curve representation forms.
- Curve25519: new Diffie-Hellman speed records - Paper on Curve25519.
- Software implementation of the NIST elliptic curves over prime fields - Practical example of implementing elliptic curve crypto, by M. Brown et al.
- High-speed high-security signatures - Seminal paper on EdDSA signatures on the ed25519 curve by Daniel J. Bernstein et al.
- Recommendations for Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters (NIST SP 800-186) - Official NIST guide on how to securely implement elliptic curves. It also includes math shortcuts, optimizations and possible security risks of wrong algorithm implementation. (February 2023)
- Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies - Computing private keys by analyzing and exploiting biases in ECDSA nonces.
- Minerva: The curse of ECDSA nonces - Exploiting timing/bit-length leaks for recovering private keys from ECDSA signatures.
- LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage - Breaking 160-bit curve ECDSA using less than one bit of leakage.
Zero Knowledge Proofs
- Proofs of knowledge - A pair of papers which investigate the notions of proof of knowledge and proof of computational ability, by M. Bellare and O. Goldreich.
- How to construct zero-knowledge proof systems for NP - Classic paper by Goldreich, Micali and Wigderson.
- Proofs that yield nothing but their validity and a Methodology of Cryptographic Protocol Design - By Goldreich, Micali and Wigderson, a relative of the above.
- A Survey of Non-interactive Zero Knowledge Proof Systems and Their Applications.
- How to Prove a Theorem So No One Else Can Claim It - By Manuel Blum.
- Information Theoretic Reductions among Disclosure Problems - By Brassard et al.
- Knowledge complexity of interactive proof systems - By Goldwasser, Micali and Rackoff. Defining the computational complexity of "knowledge" within zero knowledge proofs.
- A Survey of Zero-Knowledge Proofs with Applications to Cryptography - Great intro on the original ZKP protocols.
- Zero Knowledge Protocols and Small Systems - A good intro into zero knowledge protocols.
- Multi-Theorem Preprocessing NIZKs from Lattices - Construction of non-interactive zero-knowledge (NIZK) proofs using lattice-based preprocessing models, by Sam Kim and David J. Wu.
Key Management
- Recommendation for Key Management - Part 1: General - Methodologically very relevant document on the goals and procedures of key management.
Math
- PRIMES is in P - Unconditional deterministic polynomial-time algorithm that determines whether an input number is prime or composite.
Post-quantum cryptography
- Post-quantum cryptography - dealing with the fallout of physics success - Brief overview of mathematical tasks that can be used to build cryptosystems secure against attacks by post-quantum computers.
- Post-quantum cryptography - Introduction to post-quantum cryptography.
- Post-quantum RSA - Daniel Bernstein's insight on how to save RSA in the post-quantum period.
- MAYO: Practical Post-Quantum Signatures from Oil-and-Vinegar Maps - The Oil and Vinegar signature scheme, proposed in 1997 by Patarin, is one of the oldest and best-understood multivariate quadratic signature schemes. It has excellent performance and signature sizes. This paper is about enhancing this algorithm for usage in the post-quantum era. Official website.
Books
That seems somewhat out of scope, doesn't it? But these are books that are fully available online for free. Read them as a sequence of papers if you will.
- A Graduate Course in Applied Cryptography - By Dan Boneh and Victor Shoup. A well-balanced introductory course into cryptography, a bit of cryptanalysis and cryptography-related security.
- Analysis and design of cryptographic hash functions, MAC algorithms and block ciphers - Broad overview of the design and cryptanalysis of various ciphers and hash functions, by Bart Van Rompay.
- CrypTool book - Predominantly mathematically oriented information on learning, using and experimenting with cryptographic procedures.
- Handbook of Applied Cryptography - By Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone. Good classical introduction into cryptography and ciphers.
- The Joy of Cryptography - By Mike Rosulek. A lot of basic stuff covered really well. No ECC.
- A Computational Introduction to Number Theory and Algebra - By Victor Shoup, an excellent starter book on the math universally used in cryptography.
Lectures and educational courses
- Understanding Cryptography: A Textbook for Students and Practitioners - Textbook, great lectures and problems to solve.
- Crypto101 - Crypto 101 is an introductory course on cryptography, freely available for programmers of all ages and skill levels.
- A Course in Cryptography - Lecture notes by Rafael Pass, Abhi Shelat.
- Lecture Notes on Cryptography - Famous set of lectures on cryptography by Shafi Goldwasser (MIT), M. Bellare (University of California).
- Introduction to Cryptography by Christof Paar - Video course by Christof Paar (University of Bochum in Germany). In English.
- Cryptography I - Stanford University course on Coursera, taught by prof. Dan Boneh. Cryptography II is still in development.
Online crypto challenges
Not exactly papers, but crypto challenges are awesome educational material.
- MTC3 - Cipher contest with more than 200 challenges of different levels, a moderated forum, and a hall-of-fame.
License
To the extent possible under law, the author has waived all copyright and related or neighboring rights to this work.