(A teaser.)

In preparing the second edition, we have made a concerted effort to *integrate a more practical perspective* while retaining a rigorous approach. This is reflected in a number of changes and additions we have made:

- We have increased our coverage of *stream ciphers*, introducing them as a variant of pseudorandom generators, discussing stream-cipher modes of operation, and describing modern stream-cipher design principles and examples.
- We have emphasized the importance of *authenticated encryption*, and have included a discussion of secure communication sessions.
- We have moved our treatment of hash functions into its own chapter, added coverage of some standard applications of cryptographic hash functions, and described hash-function design principles and widely used constructions.
- We have also improved our treatment of birthday attacks (covering small-space birthday attacks), and added a discussion of rainbow tables and time/space tradeoffs for function inversion. We have augmented our discussion of differential cryptanalysis, including a worked example.
- After much consideration, we have decided to introduce the random-oracle model much earlier in the book. This allows us to give a proper treatment of standardized, widely used public-key encryption and signature schemes in later chapters instead of relegating those important schemes to a forgotten chapter at the end of the book.
- We have strengthened our coverage of elliptic-curve cryptography, and have added a discussion of its impact on recommended key lengths.
- In the chapter on public-key encryption, we introduce the KEM/DEM paradigm as a natural way to do hybrid encryption. Among other schemes, we cover DHIES/ECIES as well as RSA PKCS #1 v1.5 and 2.0.
- In the chapter on digital signatures, we now cover the construction of signatures from identification schemes using the Fiat-Shamir transform, with the Schnorr signature scheme as a prototypical example. We have also improved our coverage of DSA/ECDSA. We include brief discussions of SSL/TLS and signcryption, both of which serve as nice culminations of everything covered up to that point.
- In the “advanced topics” chapter, we have amplified our treatment of homomorphic encryption, and included sections on secret sharing and threshold encryption.

Beyond the above, we have also gone over the entire book carefully to make extensive corrections as well as smaller adjustments (including more worked examples) to improve the exposition. Several additional exercises have also been added.

(The new edition should be out next year.)

With all of those additions, has the book doubled in size?

By: GASARCH on May 20, 2014 at 12:16 pm

Not quite. =) We added about 50 pages.

By: jonkatz on May 20, 2014 at 4:10 pm

Sounds good. In addition to authenticated encryption I would really like to see treatment of AEAD, broader coverage of Carter-Wegman style MACs, optimized constructions like OCB, PMAC etc.

By: Adam on May 22, 2014 at 12:04 pm

(sigh) We simply couldn’t fit everything in, unfortunately.

- No treatment of AEAD (a bit specialized right now, and no room for a proper treatment)

- We do mention OCB/PMAC, etc., but chose not to cover them for lack of space.

- We did add a section on Carter-Wegman MACs! (On the other hand, I am not aware of any practical use of these for cryptographic purposes.)

By: jonkatz on May 22, 2014 at 3:13 pm

Can’t HMAC be viewed as an instance of Carter-Wegman?

By: Adam on June 2, 2014 at 7:22 pm

Not exactly. Depends also what you mean by “Carter-Wegman MACs.” What I meant was information-theoretically secure one-time MACs using pairwise-independent hashing.

By: jonkatz on June 2, 2014 at 8:24 pm

Oh, I meant PRF(Hash(m)).

By: Adam on June 3, 2014 at 11:13 pm
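The two notions being contrasted in this thread, the information-theoretic one-time MAC from (almost) pairwise-independent hashing that jonkatz describes and the "PRF(Hash(m))" construction Adam has in mind, as one added example in Python. This is not code from the blog post or from the book; the polynomial hash `uhash`, the prime `P`, the 15-byte block size and the use of HMAC-SHA256 as the stand-in PRF are all constructions of this example. It also includes the textbook reason the first scheme is "one-time" (two tags under one key solve for the key), since that failure mode is exactly what the PRF step removes.

```python
import hashlib
import hmac
import secrets

# Field size for the hash: a Mersenne prime, large enough that every 15-byte
# block is a field element.  (Constructed toy parameters, not the book's.)
P = (1 << 127) - 1
BLOCK = 15


def uhash(a: int, m: bytes) -> int:
    """Polynomial-evaluation hash of m at the key point a (Horner's rule), with
    len(m) as the constant term so that messages of different lengths are
    different polynomials.  Distinct messages of at most n blocks collide over
    a random a with probability at most (n + 1) / P: an almost-universal family."""
    acc = 0
    for i in range(0, len(m), BLOCK):
        acc = (acc * a + int.from_bytes(m[i:i + BLOCK], "big")) % P
    return (acc * a + len(m)) % P


# --- Information-theoretic one-time MAC: tag = h_a(m) + b (mod P) -------------
# Adding the uniform b gives an almost strongly universal family: one (m, tag)
# pair leaves the tag of any other message unpredictable except for the
# collision bound above, so a forgery succeeds with probability <= (n + 1) / P.
# The key (a, b) must be used for exactly one message.

def onetime_keygen() -> tuple:
    return secrets.randbelow(P), secrets.randbelow(P)


def onetime_tag(key: tuple, m: bytes) -> int:
    a, b = key
    return (uhash(a, m) + b) % P


def onetime_verify(key: tuple, m: bytes, tag: int) -> bool:
    return onetime_tag(key, m) == tag


def recover_onetime_key(m1: bytes, t1: int, m2: bytes, t2: int) -> tuple:
    """Why 'one-time': two tags under the same key on distinct single-block
    messages of equal length are two linear equations in (a, b).  Shown to make
    the key-reuse failure mode concrete, not as something to rely on."""
    assert len(m1) == len(m2) <= BLOCK and m1 != m2
    v1, v2 = int.from_bytes(m1, "big"), int.from_bytes(m2, "big")
    a = ((t1 - t2) * pow(v1 - v2, -1, P)) % P   # t1 - t2 = a * (v1 - v2)
    b = (t1 - v1 * a - len(m1)) % P
    return a, b


# --- Computational variant "PRF(Hash(m))": tag = F_k(h_a(m)) -----------------
# Replacing the one-time pad b by a PRF evaluation on the hash value lets the
# key be reused: each distinct hash value gets an independent-looking tag, and
# reusing a seen tag on a new message would require a hash collision.
# HMAC-SHA256 stands in for the PRF F_k (an assumption of this example).

def prf_mac_keygen() -> tuple:
    return secrets.randbelow(P), secrets.token_bytes(32)


def prf_mac_tag(key: tuple, m: bytes) -> bytes:
    a, k = key
    return hmac.new(k, uhash(a, m).to_bytes(16, "big"), hashlib.sha256).digest()


def prf_mac_verify(key: tuple, m: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(prf_mac_tag(key, m), tag)


if __name__ == "__main__":
    key = onetime_keygen()
    m1, m2 = b"pay 10", b"pay 99"                      # constructed sample messages
    t1, t2 = onetime_tag(key, m1), onetime_tag(key, m2)  # second use is the mistake
    print("one-time key recovered from two tags:",
          recover_onetime_key(m1, t1, m2, t2) == key)
    k2 = prf_mac_keygen()
    print("PRF-based tag verifies:", prf_mac_verify(k2, m1, prf_mac_tag(k2, m1)))
```

The hash part is shared by both schemes; only the way its output is masked differs. That separation is the reason the computational versions are fast: the per-byte work is field arithmetic in `uhash`, and the PRF is applied once to a fixed-size value rather than to the whole message.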

Maybe add UOWHFs and their constructions from one-way permutations (Naor-Yung) to the “theoretical constructions…” section as well, as they’re quite symmetric to PRGs and the proof is very elegant.

By: Yu Yu on June 4, 2014 at 11:37 am

Does PRF(Hash(m)) really go back to Wegman-Carter? To my recollection, they only consider information-theoretic security. It is true that they have a similar construction in the i.t. setting, but the proof seems sufficiently different from what you need in the computational setting.

By: jonkatz on June 6, 2014 at 10:00 am

Yu, I do include a writeup of Naor-Yung in my “Digital Signatures” book. =)

We didn’t include it in the “Intro to Crypto” book, though. We would have to define and motivate UOWHFs, and we don’t currently use them anywhere else in the book (and the only place it would make sense to introduce them is the section on signatures from hash functions). Maybe next time, though…

By: jonkatz on June 6, 2014 at 10:02 am

I guess CW only did the i.t. setting, and their approach was adapted to the computational setting in several works. My understanding is the resulting MACs are quite fast.

By: Adam on June 8, 2014 at 8:44 pm