Serious Cryptography: A Practical Introduction to Modern Encryption

by Jean-Philippe Aumasson

This practical guide to modern encryption breaks down the fundamental mathematical concepts at the heart of cryptography without shying away from meaty discussions of how they work. You’ll learn about authenticated encryption, secure randomness, hash functions, block ciphers, and public-key techniques such as RSA and elliptic curve cryptography.

You’ll also learn:
- Key concepts in cryptography, such as computational security, attacker models, and forward secrecy
- The strengths and limitations of the TLS protocol behind HTTPS secure websites
- Quantum computation and post-quantum cryptography
- About various vulnerabilities by examining numerous code examples and use cases
- How to choose the best algorithm or protocol and ask vendors the right questions

Each chapter includes a discussion of common implementation mistakes using real-world examples and details what could go wrong and how to avoid these pitfalls. 

Whether you’re a seasoned practitioner or a beginner looking to dive into the field, Serious Cryptography will provide a complete survey of modern encryption and its applications.

Genres: Technology, Programming, Nonfiction, Computer Science, Technical, Hackers, Computers

313 pages, Kindle Edition

Published November 21, 2017

Reviews

[Ben Rothke · Rating 5 out of 5]

Philosopher Alfred North Whitehead noted that modern philosophy is simply a series of footnotes to Plato. When it comes to cryptography, much of it is simply footnotes to Bruce Schneier’s classic work Applied Cryptography: Protocols, Algorithms and Source Code in C.

In Serious Cryptography: A Practical Introduction to Modern Encryption, Jean-Philippe Aumasson has written not just some good footnotes to Schneier, but a valuable work on modern encryption and cryptography. A lot has changed since Applied Cryptography came out over 22 years ago and Aumasson does a good job in updating the reader.

The back-cover notes that this book is written for both seasoned practitioners and beginners looking to dive into the field. That’s true for the former, but for most beginners, this is far too intense of a book for them. This is a great resource for developers who want to know how to effectively implement encryption and cryptography in their code.

Aumasson covers all the key areas of crypto, including random numbers, block and stream ciphers, hash function, and much more. Classic protocols from RSA, Diffie-Hellman, to TLS and more are discussed.

The book makes heavy use of C++ coding, Linux scripting and college-level math. Such that the reader needs to be conversant with those area to make the most of this book. Each chapter also closes with some references to further reading for those that want to dig deeper into specific areas.

The book closes with a short chapter on Quantum and Post-Quantum and while it is not here yet, quantum crypto will revolutionize the world of cryptography when it does.

As an engineer immersed in the topic, Aumasson brings real-world experience and advice to every chapter. At 270 pages, the book does sacrifice some things for its lack of depth, but is a superb introduction to modern encryption and cryptography. For those looking to quickly get up to speed on the topics, this makes for an excellent go-to guide.

[Scott Lerch · Rating 5 out of 5]

As a cloud services software engineer this book gave me a good overview of all the common encryption and authentication protocols I interact with day to day. I now feel like I know enough to talk somewhat intelligently with the the security engineers at my company and hopefully notice the warning signs when some out-dated or insecure protocol is being used. Sometimes I got bogged down in the math and details of the protocols but I just skimmed when I was overwhelmed to get the gist. At least I know dozens of new acronyms to sound smart even if I don't know the details, right?

Two sections that were surprisingly good were the overviews of NP problems and quantum computers. The explanation of NP-complete and NP-hard problems was an excellent refresher for me with one of the best descriptions I've read. Similarly, the explanation of quantum computers was clear and concise. I now feel like I really understand what quantum computers can and more importantly cannot do.

Overall it was an excellent book and I'll probably revisit as my work intersects with the various security topics it covers.

[Jeremy Huiskamp · Rating 4 out of 5]

For an ordinary software developer, I think this was a great overview to get you situated on the cryptography landscape. The order that he built up the topics was great, and practical advice such as the "how things can go wrong" sections gave very useful perspectives.

However, cryptography is a subject with a lot of detail, and at times, I think a bit too much was packed into too short of a book. For example, the introductory chapter covered subjects like malleability and attack models too briskly, and implied that you'd need to understand them to handle the rest of the book, but then they never really surfaced again. The chapters on public key cryptography similarly tried to cover too much math in too little space for it to really be absorbable. Overall though, reading the book lead to me researching a lot of the topics on my own, which is certainly better than a book that doesn't inspire that way.

A final quibble is that I was expecting the TLS chapter to tie up most of the rest of the book by showing the difference between having a bunch of individual crypto primitives that are difficult to use safely, and using them together in a vetted protocol that provides a simple, usable interface to a programmer. It didn't really highlight this very well, and in fact, the chapter was so poorly edited that I started to worry about all the other mistakes that might be present in the book, making it, especially the math, harder to make sense of.

[Mitchell · Rating 3 out of 5]

Interesting book but exhausting. This has been a work book group discussion book. And frankly it really didn't lend itself to discussion - though it did inspire some discussion. Basically this is a fairly hard subject not made especially easier by this book. But some chapters were better than others. And if I were doing cryptography as a more primary part of my job it would have been more useful. The quantum chapter did a pretty good job of explaining the problem and work arounds, and problems with the workarounds. But the details itself I found impenetrable. Where the chapters on RSA and Diffie-Helman and Randomness were actually pretty good. I just remember liking Applied Cryptography a lot more.

[Stefano Ottolenghi · Rating 3 out of 5]

I think should have actually been called Coincise Cryptography. It is difficult to understand without prior knowledge, and of the topic I did not know something beforehand, I can not say I know more now. It's just too quick. Also, technical explanations are many, which is good, but again too short and with no examples for most part.

[Kerszi · Rating 4 out of 5]

Chyba to jest jedna z lepszych książek o kryptografii, które przeczytałem, ale patrząc z poziomu laika. Niestety trzeba trochę mieć pojęcia z zaawansowanej matmy, żeby wszystko zrozumieć, chociaż większość pojęć jest bardo dobrze opisana, nawet takie błahostki jak liczby pierwsze, ale kiedy autor opowiada o komputerach kwantowych, to może rozboleć głowa ;) Ogólnie w książce jest dużo przykładów. Problemy i pojęcia są dobrze opisane. Warto przeczytać, przejrzeć. Na pewno nie raz do niej wrócę.

[Jamie CULPON · Rating 5 out of 5]

This is the best English language introduction to treating cryptography and encryption as a practical matter of engineering as opposed to a “deeply mysterious” craft that lies beyond all comprehension.

My personal copy will not leave my bookshelf, but I would be happy to give my students a pdf or translation to another language if needed.

Note: I have corresponded with both the author and publisher directly in the past and have found errors in the 7th edition that may require eratta to be technically correct in future printings.*

*: I read footnotes and citations, too.

[thirtytwobirds · Rating 4 out of 5]

We went through this as a book club at work. There's some amount of handwaving in a few of the chapters (especially the last one) but overall it's a good survey of topics. The book is pretty good about covering practical things like AES and TLS instead of being entirely theoretical, which was nice for us since it's directly applicable to work.

[Kishor · Rating 5 out of 5]

Really good study resource. Easy to skim the hard math sections if that's not what you're looking for, and JP explains all the crypto building blocks in a way that sticks.

[∃Ⓐ∀ · Rating 3 out of 5]

Note: There are many areas of security and computer science that fascinate me. Some are so interesting that I make the effort to learn the math and logic behind them. Mathematical logic is probably the area of math that motivates me to study and understand math the most. However, cryptography is not one of those areas. At the risk of seeming not infosec-cool || appsec-cool, or intelligent enough: I find cryptography really f'ing boring. The reasons behind that are likely due to problems I should probably discuss with a therapist and not spend time discussing in a book review, in addition to shitty schools I went to from pre-K to 7th grade. Regardless, I mention that to highlight that I do realize that I am likely not in the target audience for this book.

With that out of the way, I will start my review.

In the preface of the book, the author mentions one of his goals was to "get you excited about crypto and teach you the fundamental concepts along the way." He also mentions that "to do anything and relevant crypto [...] you need a connection to reality." Further, in the "Who This Book is For" section, he describes "a developer who'd been exposed to crypto but still felt clueless and frustrated attempting to read abstruse textbooks and research papers." Nevertheless, I don't believe these goals were accomplished. While I found parts of some chapters illuminating, such as those on block ciphers, authenticated encryption, and TLS, I found most of the book to focus on mathematical details that I found impractical to learn. At times, it felt as if the author started a chapter to focus on practical instruction and fundamentals, but got easily carried away and ended up nerding out on mathethical details. He also includes relatively large code samples with minimal explanations.

Some concepts could have been taught more simply than others. For instance, I initially struggled to understand cipher modes, and I had to search for stripped-down explanations online as the book jumped too quickly from a fundamental explanation to what I perceived to be unnecessary and impractical details.

Overall, I admit this was a difficult book for me to read and stick to, and I often lost motivation to continue reading (and at times my only motivation to continue reading was to get it over with or get to more practical chapters such as the one on TLS). While, as I've mentioned, I am likely not in the target audience due to my disinterest in many details, I think the book reads not as one written by an educator but by someone more used to having discussions on cryptography with other cryptography enthusiasts and researchers.

[Naessens · Rating 3 out of 5]

Every chapter has the same structure : the subject is introduced, explained. Then the author concludes by the proper ways of implementing the theoretical algorithms, the possible attacks and two sections titled "how things can go wrong" and "further reading".

Chapter 1 introduces vocabulary and illustrates with two historical basis encryption schemes : Ceasar's cipher and Vigenère's cipher. I disagree with the way the cryptanalysis of Vigenère's cipher is presented, because it omits the fact that a particular word must be repeatead at the good position (which depends on the key length) in the plaintext for its letter to be encoded with the same code, thus allowing to use the frequencies of letters in language for deciphering the ciphertext. Anyway, it continues by presenting different types of attack. Generally, I find the author explains in details simple things but goes quickly over more complicated stuff. That remains true for most part of the book.

Chapter 2 is about randomness. It defines the different type of randomness, what is pseudo randomness, how random numbers are generated in computers. My only complaint would be about the sample codes. The C code examples do not look good (omg "goto" statement in a C function). IMO the use of pseudo code would have been sufficient to present the algorithms.
In chapter 3, which is built upon the randomness concept in the previous chapter, readers are introduced to a way of defining security in the context of cryptography.

Chapters 4 to 8 deal with symmetric key cryptography : block ciphers, stream ciphers, hash functions, keyed-hashs and authenticated ciphers are successively described. This progression is logical as most of the time a chapter covers a flaw of the previous chapter subject. But as a consequence, I also find these chapters are more and more complex.
The most difficult part in my opinion is to understand the vulnerabilities of ciphers or hashes. I find the explanations of the possible attacks are too generic.
Hashes seems to be one of the author's favourite topics given the several references to his contributions in this domain as well as the extra effort he put into the related chapters.

In chapter 9, the author comes back to a subject I am more familiar with : computational complexity. Maybe this is the reason why I find he over-explained things in this chapter and the progression was easier. Nevertheless, this is an important topic and a pre-requisite for the following chapters about public-key cryptography.
Chapter 10 may be the best explanation of RSA I have read so far. The author starts with an introduction of this popular public-key that looks like most of description of RSA. But then, he explains all the subtle and small breaches in the simple design which allows him to present padding, signing and strong encryption. He also explains a lot of the math used to implement efficiently RSA. In the end, a secure implementation of RSA seems to be a lot of work.

Chapter 11 could have been intervened with chapter 10 as the Diffie-Hellman scheme was anterior to RSA. The author presents several protocols (hashing, authentication, etc...) that aimed to solve the shortcomings of a simple Diffie-Hellman implementation. In this respect the structure of this chapter looks a lot like the one about RSA.

I was looking forward to chapter 12 as its subject is elliptic curve cryptography which I have wanted to learn for a long time. I find the presentation of elliptic curves and then the explanation of the associated cryptography scheme are clear.

Chapter 13 is an introduction to the TLS protocol used to make secure connection on computer networks. Needless to say, it re-uses a lot of concepts presented in the previous chapters. As the author writes, TLS is very complex and a single chapter cannot cover it. In fact, TLS version 1.2 was so complex, engineers and security experts decide to clean the standard and come up with a new specification TLS 1.3 which is more secure and should be easier to implement.

Finally, chapter 14 is about quantum computers and quantum cryptography. First, the author explains how computers works, which hard computational problems could be solved faster with quantum computing (in short, symmetric key cipher are almost OK, most of public-key cryptography isn't) and which algorithms may be used to ensure privacy and secrecy in a world where quantum machines would be available.
And this is it, no conclusion, no recap !

Overall, I find the book well organized. However, it is rather an introduction than a complete reference to cryptography. Actually, most of the chapters would require a complete book to be covered exhaustively.

Pros :
- the structure of chapters, especially the "further reading" part rich in references for readers interested in going into the matter in depth.
- the logical progression of the book, chapters are in a logical order.
Cons :
- sometimes the author covers quickly complicated ideas whereas at other times he over-explains simpler things.
- I wish the cryptanalysis part, the attacks had been described in more details.
- the mix of programming languages for code samples. In my opinion, the author should have stick to one language or even use pseudo-code.

[Daniel · Rating 4 out of 5]

As someone who has taken multiple "introduction to cryptography courses" (undergrad, grad and online), and fancies himself as both interested, and wanting to work in (or at least adjacent), cryptography, I found this book to be useful. Similar to how A Tour of C++ is to the gargantuan The C++ Programming Language, Serious Cryptography provides an overview of seemingly all of the major topics in cryptography and how they fit together, without going into much depth on any of them, sometimes only giving half a page to something that is its own research area. The book is akin to someone describing what tools are in their toolbox, and loosely what they're for, without describing how each works. The outcome of this, I hope, is that fewer people will "view all the world as a nail" when only aware of their hammers.

As someone already familiar with the concepts covered, I found the book to be an excellent reminder of what else is out there and a good resource for identifying how to dig into these other topics should I need to dig deeper. In the few places where something was completely new, I found the explanations to be too shallow for me to feel much more than confused, and so I doubt this book would be a good first crypto book for someone interested in the field, but I do think it should be 'required reading' for someone before they start adding cryptographic bits to their products. Its structure in particular will hopefully prevent someone from learning just enough to implement yet another AES in ECB mode and thinking they're done and dusted.

In summary, great for getting excited about the field and probably as preparation for an exam or interview, but only an accompanying resource for someone really interested in the topic.

[Warren Mcpherson · Rating 5 out of 5]

Great introduction to the most important ideas in contemporary cryptography. The author has a deep knowledge of the subject matter and clearly communicates the crux of the most critical issues.
The book is written for programmers, there are some basic mathematics and algorithms used to illustrate the main ideas. But, descriptions do not directly depend on the experience or knowledge of the reader. It is not a textbook.
Topics have been well chosen, keeping the book a reasonable size but covering the critical topics that inform contemporary technology. He covers practical issues like encryption, security assessment, and authentication. There are also chapters on critical abstractions like randomness, hashing, and hard mathematical problems. These inform descriptions of important algorithms. There is also an insightful discussion of what to expect from quantum computers.
The book has develops a good feel for the scope of the subject. There are many references that can serve as starting points for further investigation into topics of most interest to you.
This would be an excellent book to read before starting a course on cryptography because it develops a sense of the main ideas and their significance. People at many levels of understanding will find something to learn.

[Angie · Rating 3 out of 5]

For what was supposed to be a "practical" introduction, the book turned out to be pretty tedious, not that much in terms of mathematical concepts but in the way of writing. It IS an overview - an extensive look on a number of areas crucial to the topic, but also quite a detailed one. In fact, while (of course) I considered it much easier to read than most academic books on cryptography, I felt like it was too in-depth at times (where details could have been omitted by a simple ref). On the other hand, it also failed to achieve consistency inbetween sections by almost completely disregarding the logical bonds connecting the topics. It also failed to demonstrate the practicals of cryptography, as it was mostly theory talks. Properly speaking, except for the very first few chapters, it was like a showcase of different crypto algorithms - one just as lifeless and uninformative as reading Wikipedia pages on that particular topic. The author tried really hard to squeeze out the very essentials, but what has been put altogether does not satisfy the criteria for a "book" in that sense, more like a handbook.

[Chris Austin · Rating 4 out of 5]

This was an excellent refresher on modern cryptography, with just enough math and implementation details to make it tangible while remaining fairly approachable.

I need to find a book that covers more applied cryptography in different contexts, e.g. VPNs using SHA-1 and AES-CBC sounds terrible to me, but I don't have enough information to know whether that's acceptable in this context.

I actually had stress dreams because I was reading this every night before bed - in one I dreamed that I had used an IV of 0 in a system I deployed a decade ago and the idea was so disturbing that it woke me.

A few areas were beyond my current math skills (I could use more modular arithmetic from number theory), but those were still approachable even if I had to trust the explanation instead of fully grokking it. The math behind linear feedback shift registers had a confusing element that I haven't quite worked through yet. The post-quantum section was interesting, though the math portion was beyond me.

I've taken Dan Boneh's cryptography class on Coursera before, which was excellent, though I started to forget a lot of the material after a few years.

[Kursad Albayraktaroglu · Rating 5 out of 5]

I really enjoyed this book : I believe "Serious Cryptography" is the introductory cryptography book for the 2020s - with its clear, logical organization, insightful examples, and coverage of the latest trends and standards; Aumasson's book does a great job of conveying basic and intermediate concepts of its challenging subject.

Most people interested in cryptography had started their journeys by reading Bruce Schneier's "Applied Cryptography". While still a great book, it has been a while since it has been updated to reflect the latest developments in this rapidly changing area. "Serious Cryptography" would be a great supplement to Schneier's work for anyone getting up to speed with the current state of the art in cryptography.

The book has ample code examples in Python, and occasionally refers the user to use open-source software tools such as SageMath and OpenSSL to understand the math behind the algorithms covered. Each chapter is complete with a very useful and comprehensive reading list of related papers, publications and Web sites. As I mentioned, many of the latest developments in the area are covered and the book's coverage of some of the more challenging concepts such as elliptic curves, authenticated ciphers such as AES-GCM and post-quantum cryptography is excellent.

Highly recommended for anyone interested in the subject.

[Bilal · Rating 4 out of 5]

This is a fairly complete introduction to modern cryptography, and to the most commonly encountered cryptographic functions in today’s computer networking systems. The organization is primarily topical and loosely sequential. The presentation is supported in the form of logical operations and operational block diagrams, and with occasional code blocks; however, there are no expository examples. This style of presentation makes it a suitable textbook to support a set of lectures, but for fast self-learning I do not find this style efficient. For fast self-learning I prefer the more strongly sequential exposition provided by Joshua Holden in The Mathematics of Secrets; which I would follow with this one for a bit more formalism and completeness.

[sine · Rating 3 out of 5]

The content was well chosen and most of the time, easy to read. But some topics were overcomplicated (like CRT) and the book contains a *huge* amount of typos.

Some of them are crucial for understanding the ciphers, so you need at least to consult the wiki, like I did. The mathematical formulas use occasionally inconsistent notation, often mistaking superscript with subscript, or n with N. If you haven't already read some cryptography textbook, I consider it too confusing to begin with. But otherwise, I was expecting also more advanced stuffs, not only mentioning that they exists. Overall I rate this book as good and I learned some new things, just it was nothing special.

[Travis · Rating 3 out of 5]

Read as part of a book club at work. It didn't spark much in the way of discussion, but I feel like I'd have liked it less if I wasn't reading it as a group. I found the parts of the book focussing on how encryption can be attacked to be the most compelling, other parts felt like they either dove straight into deep math or lacked depth (and somehow, occasionally, both at the same time). Since we read it as a group it gave us some opportunities to seek out different explanations on the same topic from elsewhere, which I appreciated. The order that the topics in the book were organized was well thought out.

[Simmoril · Rating 5 out of 5]

JP Aumasson's book is definitely the most modern and comprehensive survey of cryptography topics that I have read. While this book will by no means make you a cryptographer, it does provide a good starting point for understanding the most important topics in the subject as well as resources for diving deeper into each of the topics. Aumasson strikes a decent-ish balance between superficial descriptions of nuanced topics and letting the reader get mired in the technical details of the math. This book should absolutely be required reading for anyone looking to expand their knowledge of cryptography and cryptographic systems.

[Daniel Q · Rating 3 out of 5]

As the title says, this book tries to explain modern encryption at an introductory level with a practical point of view. The catch, in my opinion, is that modern encryption is based on somewhat complicated math. This mean that you will see a lot "this is beyond the scope of this book". I ended up finding too swallow the chapters about things I already knew and too confusing the chapters about things new to me. The author sure knows about what he is talking about and the "what can go wrong" sections are good. It is also (at this point) an up-to-date book (but I really didn't like the last chapter about quantum computers and post-quantum cryptography).

[Michal · Rating 2 out of 5]

This book is a great overview of cryptography. I was mostly glad for "how things can go wrong" sections at the end of each chapter. The only problem I had with this book is it tried to cover a lot of math details on a few pages. One page was "kindergarten" math, and on the other already mathematical constructs I didn't understand. I can recommend it for understanding key concepts of cryptography, but due to only few examples and not all complex problems explained in depth, don't expect you will deeply understand crypto or that you will perfectly know practical usages. It's really just introduction.

[Zhi Han · Rating 5 out of 5]

This book is, despite its name, a brief intro into the field of cryptography. It focuses on the practical side and structures around the basic concepts of attack models and how things can go wrong. It is a very interesting quick read. It touches briefly on the recent progress including TLS 1.3 and post-quantum cryptography.

Instead of reading this book by itself, I would recommend combine this book with a more theoretical book or lecture. In my case I went through a cryptography class in coursera, as I read along this book. This way I get to be exposed to a small amount of the theoretical discussion, e.g., going through some discussion of crypto strength. Otherwise I would find the discussion in this book a little weak and less engaging.

[Damian · Rating 4 out of 5]

This book covers everything one should know about cryptography, both beginners and advanced practicioners. All concepts are properly explained, although for someone who hasn't practiced it even one day - a bit challenging. I have built concepts maps in order to memorize how it works and then practiced by using basic examples. After reading it (and using many other online sources) I must say I came to understand all the basics of cryptography and can successfuly judge myself whether an encryption is secure enough or not.

[Nate Bate · Rating 5 out of 5]

I have been unusually busy the last few months which means that I have not gotten my normal reading done, and that also means my reading of this book was very fractured. I ended up settling for more of an overview read. As the subtitle of the book reads, this is a practical book. It is heavy on the mechanics of Cryptography. I look at this as more of a reference book that I will go to when ever I have a question in the future. Although it is practical, it is written accessibly for must dedicated, interested readers.

[Yestin · Rating 5 out of 5]

I really enjoyed this book. I already knew much of the foundations and everyday details but not much of the real maths or the attacker centric parts. The maths was a little heavy at times, even though it was mostly kept simple enough for any reader to grasp. This book is an excellent introduction into practical cryptography and I highly recommend it. Already bought myself the paperback edition to use as a reference.

[Mehdi · Rating 4 out of 5]

This book really covers practical and modern cryptography in a short and readable manner.
Of course it could have included much more content or examples etc, but I think it's a unique book in cryptography field and I think it would be better if the reader has some high level knowledge about cryptography before reading this book, as it's not a beginner's book. I also like the fact that author skips advanced theoretical math to appear to non-academics and engineers

[Alex · Rating 5 out of 5]

An excellent practical reference on the topic. Covers all the core areas of modern cryptography in a useful level of detail, with enough math to be helpful without miring the discussion in proofs. (Such books have their use as well; I read the bulk of this *after* reading most of such a proof-based text, so this has served as a good review of much of the same material.) Recommended for anyone interested in the topic, as it is approachable even without much theoretical background.

[Makmild]

My opinion this book is require some knowledge about math and code before reading but if I already in tech field this not hard to get the point because content have arrange well, the structure is easy to apply for use. I like ‘further reading’ so much.

BTW For me, who not good in math or coding this book is so hard to understand but I can get some idea and have another book to read in the future.

[Andrew Douma · Rating 5 out of 5]

I've read Jean-Philippe's copy on cryptography back to back twice now and frequently use it as a reference given its straightforward explanations of details that matter and practical advice on what to use when. Currently relying on it to understand what makes a hashing algorithm performant or secure (why is BLAKE3 faster and more secure than SHA3?)