Serious Cryptography: A Practical Introduction to Modern Encryption

by Jean-Philippe Aumasson

This practical guide to modern encryption breaks down the fundamental mathematical concepts at the heart of cryptography without shying away from meaty discussions of how they work. You’ll learn about authenticated encryption, secure randomness, hash functions, block ciphers, and public-key techniques such as RSA and elliptic curve cryptography.

You’ll also
- Key concepts in cryptography, such as computational security, attacker models, and forward secrecy
- The strengths and limitations of the TLS protocol behind HTTPS secure websites
- Quantum computation and post-quantum cryptography
- About various vulnerabilities by examining numerous code examples and use cases
- How to choose the best algorithm or protocol and ask vendors the right questions

Each chapter includes a discussion of common implementation mistakes using real-world examples and details what could go wrong and how to avoid these pitfalls.

Whether you’re a seasoned practitioner or a beginner looking to dive into the field, Serious Cryptography will provide a complete survey of modern encryption and its applications.

Genres: Technology, Programming, Computer Science, Nonfiction, Technical, Hackers, Computers

312 pages, Kindle Edition

Published November 21, 2017

About the author

Jean-Philippe (JP) Aumasson is cofounder and chief security officer of Taurus, a global provider of crypto asset management technology for financial institutions. He's also a cryptographer, author of the reference book Serious Cryptography, and co-designer of the algorithms BLAKE2, BLAKE3, SipHash, and MLH-DSA. He holds a PhD from EPFL, Switzerland, and gave research and outreach talks at major events such as Black Hat USA, and DEF CON. JP's work has been featured in Wire, Techcrunch, Ars Technica, Threatpost, and other major online magazines.

JP was described as a "luminary" and "well-regarded expert in crypt analysis"​ (sic) by journalists, and as "a classic cryptographer and quite an understandable of the sort".

https://aumasson.jp
https://twitter.com/veorq
https://taurushq.com

Reviews

[Ben Rothke · Rating 5 out of 5]

Philosopher Alfred North Whitehead noted that modern philosophy is simply a series of footnotes to Plato. When it comes to cryptography, much of it is simply footnotes to Bruce Schneier’s classic work Applied Cryptography: Protocols, Algorithms and Source Code in C.

In Serious Cryptography: A Practical Introduction to Modern Encryption, Jean-Philippe Aumasson has written not just some good footnotes to Schneier, but a valuable work on modern encryption and cryptography. A lot has changed since Applied Cryptography came out over 22 years ago and Aumasson does a good job in updating the reader.

The back-cover notes that this book is written for both seasoned practitioners and beginners looking to dive into the field. That’s true for the former, but for most beginners, this is far too intense of a book for them. This is a great resource for developers who want to know how to effectively implement encryption and cryptography in their code.

Aumasson covers all the key areas of crypto, including random numbers, block and stream ciphers, hash function, and much more. Classic protocols from RSA, Diffie-Hellman, to TLS and more are discussed.

The book makes heavy use of C++ coding, Linux scripting and college-level math. Such that the reader needs to be conversant with those area to make the most of this book. Each chapter also closes with some references to further reading for those that want to dig deeper into specific areas.

The book closes with a short chapter on Quantum and Post-Quantum and while it is not here yet, quantum crypto will revolutionize the world of cryptography when it does.

As an engineer immersed in the topic, Aumasson brings real-world experience and advice to every chapter. At 270 pages, the book does sacrifice some things for its lack of depth, but is a superb introduction to modern encryption and cryptography. For those looking to quickly get up to speed on the topics, this makes for an excellent go-to guide.

[Jeremy Huiskamp · Rating 4 out of 5]

For an ordinary software developer, I think this was a great overview to get you situated on the cryptography landscape. The order that he built up the topics was great, and practical advice such as the "how things can go wrong" sections gave very useful perspectives.

However, cryptography is a subject with a lot of detail, and at times, I think a bit too much was packed into too short of a book. For example, the introductory chapter covered subjects like malleability and attack models too briskly, and implied that you'd need to understand them to handle the rest of the book, but then they never really surfaced again. The chapters on public key cryptography similarly tried to cover too much math in too little space for it to really be absorbable. Overall though, reading the book lead to me researching a lot of the topics on my own, which is certainly better than a book that doesn't inspire that way.

A final quibble is that I was expecting the TLS chapter to tie up most of the rest of the book by showing the difference between having a bunch of individual crypto primitives that are difficult to use safely, and using them together in a vetted protocol that provides a simple, usable interface to a programmer. It didn't really highlight this very well, and in fact, the chapter was so poorly edited that I started to worry about all the other mistakes that might be present in the book, making it, especially the math, harder to make sense of.

[Dmitry · Rating 4 out of 5]

Парадокс: книга хорошая, и в то же время я не могу с чистым сердцем ее рекомендовать. Там написаны умные вещи, я определенно узнал из нее не просто много, а даже больше, чем рассчитывал. Она вполне плавно вводит в тему, напоминая базовые понятия типа что такое группа в алгебре, вероятность, классы сложности задач. Помимо классических тем(блочныепотоковыехэшиrsa и т д), которые будут в любой книге, здесь были и эллиптические кривые, и даже квантовые алгоритмы, и объяснение, почему на курсе универсальной прикладной алгебры нам рассказывали про решетки, но курс вели люди с кафедры криптографии. Разобраны самые разные алгоритмы и атаки на них(padding oracle attack это ваще жестб) НО
В книжке всего 300+ страниц. Это значит, что материал чудовищно спрессован в каждой главе(за одним исключением*). С какого-то момента мы с чатгпт тупо читали книгу вдвоем, потому что я не настолько умный, чтобы по одному абзацу восстановить цепочку мыслей, на которые так-то люди годы потратили. Конспект из-за этого выглядит просто как набор не связанных друг с другом предложений.
В общем, оценку ставлю хорошую, но я вас предупредил

*Автор книги еще и создатель какой-то хэш-функции(SipHash или BLAKE), поэтому глава про хэш-функции написана в утомительных подробностях и была мною скипнута

[Scott Lerch · Rating 5 out of 5]

As a cloud services software engineer this book gave me a good overview of all the common encryption and authentication protocols I interact with day to day. I now feel like I know enough to talk somewhat intelligently with the the security engineers at my company and hopefully notice the warning signs when some out-dated or insecure protocol is being used. Sometimes I got bogged down in the math and details of the protocols but I just skimmed when I was overwhelmed to get the gist. At least I know dozens of new acronyms to sound smart even if I don't know the details, right?

Two sections that were surprisingly good were the overviews of NP problems and quantum computers. The explanation of NP-complete and NP-hard problems was an excellent refresher for me with one of the best descriptions I've read. Similarly, the explanation of quantum computers was clear and concise. I now feel like I really understand what quantum computers can and more importantly cannot do.

Overall it was an excellent book and I'll probably revisit as my work intersects with the various security topics it covers.

[Mitchell Friedman · Rating 3 out of 5]

Interesting book but exhausting. This has been a work book group discussion book. And frankly it really didn't lend itself to discussion - though it did inspire some discussion. Basically this is a fairly hard subject not made especially easier by this book. But some chapters were better than others. And if I were doing cryptography as a more primary part of my job it would have been more useful. The quantum chapter did a pretty good job of explaining the problem and work arounds, and problems with the workarounds. But the details itself I found impenetrable. Where the chapters on RSA and Diffie-Helman and Randomness were actually pretty good. I just remember liking Applied Cryptography a lot more.

[Stefano Ottolenghi · Rating 3 out of 5]

I think should have actually been called Coincise Cryptography. It is difficult to understand without prior knowledge, and of the topic I did not know something beforehand, I can not say I know more now. It's just too quick. Also, technical explanations are many, which is good, but again too short and with no examples for most part.

[Kostiantyn Minkov · Rating 4 out of 5]

The TLS section was a little disappointing, but in general the book is well structured and provides solid ground for understanding cryptography and a math behind it (but don’t expect it to be a fundamental zero-to-hero one).

[Kerszi · Rating 4 out of 5]

Chyba to jest jedna z lepszych książek o kryptografii, które przeczytałem, ale patrząc z poziomu laika. Niestety trzeba trochę mieć pojęcia z zaawansowanej matmy, żeby wszystko zrozumieć, chociaż większość pojęć jest bardo dobrze opisana, nawet takie błahostki jak liczby pierwsze, ale kiedy autor opowiada o komputerach kwantowych, to może rozboleć głowa ;) Ogólnie w książce jest dużo przykładów. Problemy i pojęcia są dobrze opisane. Warto przeczytać, przejrzeć. Na pewno nie raz do niej wrócę.

[Jamie CULPON · Rating 5 out of 5]

This is the best English language introduction to treating cryptography and encryption as a practical matter of engineering as opposed to a “deeply mysterious” craft that lies beyond all comprehension.

My personal copy will not leave my bookshelf, but I would be happy to give my students a pdf or translation to another language if needed.

Note: I have corresponded with both the author and publisher directly in the past and have found errors in the 7th edition that may require eratta to be technically correct in future printings.*

*: I read footnotes and citations, too.

[thirtytwobirds · Rating 4 out of 5]

We went through this as a book club at work. There's some amount of handwaving in a few of the chapters (especially the last one) but overall it's a good survey of topics. The book is pretty good about covering practical things like AES and TLS instead of being entirely theoretical, which was nice for us since it's directly applicable to work.

[Kishor · Rating 5 out of 5]

Really good study resource. Easy to skim the hard math sections if that's not what you're looking for, and JP explains all the crypto building blocks in a way that sticks.

[∃Ⓐ∀ · Rating 3 out of 5]

Note: There are many areas of security and computer science that fascinate me. Some are so interesting that I make the effort to learn the math and logic behind them. Mathematical logic is probably the area of math that motivates me to study and understand math the most. However, cryptography is not one of those areas. At the risk of seeming not infosec-cool || appsec-cool, or intelligent enough: I find cryptography really f'ing boring. The reasons behind that are likely due to problems I should probably discuss with a therapist and not spend time discussing in a book review, in addition to shitty schools I went to from pre-K to 7th grade. Regardless, I mention that to highlight that I do realize that I am likely not in the target audience for this book.

With that out of the way, I will start my review.

In the preface of the book, the author mentions one of his goals was to "get you excited about crypto and teach you the fundamental concepts along the way." He also mentions that "to do anything and relevant crypto [...] you need a connection to reality." Further, in the "Who This Book is For" section, he describes "a developer who'd been exposed to crypto but still felt clueless and frustrated attempting to read abstruse textbooks and research papers." Nevertheless, I don't believe these goals were accomplished. While I found parts of some chapters illuminating, such as those on block ciphers, authenticated encryption, and TLS, I found most of the book to focus on mathematical details that I found impractical to learn. At times, it felt as if the author started a chapter to focus on practical instruction and fundamentals, but got easily carried away and ended up nerding out on mathethical details. He also includes relatively large code samples with minimal explanations.

Some concepts could have been taught more simply than others. For instance, I initially struggled to understand cipher modes, and I had to search for stripped-down explanations online as the book jumped too quickly from a fundamental explanation to what I perceived to be unnecessary and impractical details.

Overall, I admit this was a difficult book for me to read and stick to, and I often lost motivation to continue reading (and at times my only motivation to continue reading was to get it over with or get to more practical chapters such as the one on TLS). While, as I've mentioned, I am likely not in the target audience due to my disinterest in many details, I think the book reads not as one written by an educator but by someone more used to having discussions on cryptography with other cryptography enthusiasts and researchers.

[Daniel · Rating 4 out of 5]

As someone who has taken multiple "introduction to cryptography courses" (undergrad, grad and online), and fancies himself as both interested, and wanting to work in (or at least adjacent), cryptography, I found this book to be useful. Similar to how A Tour of C++ is to the gargantuan The C++ Programming Language, Serious Cryptography provides an overview of seemingly all of the major topics in cryptography and how they fit together, without going into much depth on any of them, sometimes only giving half a page to something that is its own research area. The book is akin to someone describing what tools are in their toolbox, and loosely what they're for, without describing how each works. The outcome of this, I hope, is that fewer people will "view all the world as a nail" when only aware of their hammers.

As someone already familiar with the concepts covered, I found the book to be an excellent reminder of what else is out there and a good resource for identifying how to dig into these other topics should I need to dig deeper. In the few places where something was completely new, I found the explanations to be too shallow for me to feel much more than confused, and so I doubt this book would be a good first crypto book for someone interested in the field, but I do think it should be 'required reading' for someone before they start adding cryptographic bits to their products. Its structure in particular will hopefully prevent someone from learning just enough to implement yet another AES in ECB mode and thinking they're done and dusted.

In summary, great for getting excited about the field and probably as preparation for an exam or interview, but only an accompanying resource for someone really interested in the topic.

[Warren Mcpherson · Rating 5 out of 5]

Great introduction to the most important ideas in contemporary cryptography. The author has a deep knowledge of the subject matter and clearly communicates the crux of the most critical issues.
The book is written for programmers, there are some basic mathematics and algorithms used to illustrate the main ideas. But, descriptions do not directly depend on the experience or knowledge of the reader. It is not a textbook.
Topics have been well chosen, keeping the book a reasonable size but covering the critical topics that inform contemporary technology. He covers practical issues like encryption, security assessment, and authentication. There are also chapters on critical abstractions like randomness, hashing, and hard mathematical problems. These inform descriptions of important algorithms. There is also an insightful discussion of what to expect from quantum computers.
The book has develops a good feel for the scope of the subject. There are many references that can serve as starting points for further investigation into topics of most interest to you.
This would be an excellent book to read before starting a course on cryptography because it develops a sense of the main ideas and their significance. People at many levels of understanding will find something to learn.

[Angie · Rating 3 out of 5]

For what was supposed to be a "practical" introduction, the book turned out to be pretty tedious, not that much in terms of mathematical concepts but in the way of writing. It IS an overview - an extensive look on a number of areas crucial to the topic, but also quite a detailed one. In fact, while (of course) I considered it much easier to read than most academic books on cryptography, I felt like it was too in-depth at times (where details could have been omitted by a simple ref). On the other hand, it also failed to achieve consistency inbetween sections by almost completely disregarding the logical bonds connecting the topics. It also failed to demonstrate the practicals of cryptography, as it was mostly theory talks. Properly speaking, except for the very first few chapters, it was like a showcase of different crypto algorithms - one just as lifeless and uninformative as reading Wikipedia pages on that particular topic. The author tried really hard to squeeze out the very essentials, but what has been put altogether does not satisfy the criteria for a "book" in that sense, more like a handbook.

[Chris Austin · Rating 4 out of 5]

This was an excellent refresher on modern cryptography, with just enough math and implementation details to make it tangible while remaining fairly approachable.

I need to find a book that covers more applied cryptography in different contexts, e.g. VPNs using SHA-1 and AES-CBC sounds terrible to me, but I don't have enough information to know whether that's acceptable in this context.

I actually had stress dreams because I was reading this every night before bed - in one I dreamed that I had used an IV of 0 in a system I deployed a decade ago and the idea was so disturbing that it woke me.

A few areas were beyond my current math skills (I could use more modular arithmetic from number theory), but those were still approachable even if I had to trust the explanation instead of fully grokking it. The math behind linear feedback shift registers had a confusing element that I haven't quite worked through yet. The post-quantum section was interesting, though the math portion was beyond me.

I've taken Dan Boneh's cryptography class on Coursera before, which was excellent, though I started to forget a lot of the material after a few years.

[Adrian · Rating 3 out of 5]

The book delivered on the basic theory of cryptograhpy and how general well know encryption schemes work (SHA256,MDN, TLS) and how they work.

That being said even though the author announced the book won't be too math heavy , i felt that he brought quite a lot of linear algebra into discussion.
I was expecting him to focus on these algos as black boxes , and what you as an interface consumer of them should look at , when using or parametrizing them.

It was not really the case.
Anyway i understood why prime numbers matter and how prime number factorization is the corneratone of cryptography.

That being said the book last chapter was SPECTACULAR
I finally understood quantum algorhitms! Never anticipated they are based on numerical methods (matrix transformations)

I feel this book could've been a 4 if it was a bit trimmed of the formal mathematical demonstrations.

[Kursad Albayraktaroglu · Rating 5 out of 5]

I really enjoyed this book : I believe "Serious Cryptography" is the introductory cryptography book for the 2020s - with its clear, logical organization, insightful examples, and coverage of the latest trends and standards; Aumasson's book does a great job of conveying basic and intermediate concepts of its challenging subject.

Most people interested in cryptography had started their journeys by reading Bruce Schneier's "Applied Cryptography". While still a great book, it has been a while since it has been updated to reflect the latest developments in this rapidly changing area. "Serious Cryptography" would be a great supplement to Schneier's work for anyone getting up to speed with the current state of the art in cryptography.

The book has ample code examples in Python, and occasionally refers the user to use open-source software tools such as SageMath and OpenSSL to understand the math behind the algorithms covered. Each chapter is complete with a very useful and comprehensive reading list of related papers, publications and Web sites. As I mentioned, many of the latest developments in the area are covered and the book's coverage of some of the more challenging concepts such as elliptic curves, authenticated ciphers such as AES-GCM and post-quantum cryptography is excellent.

Highly recommended for anyone interested in the subject.

[Bilal · Rating 4 out of 5]

This is a fairly complete introduction to modern cryptography, and to the most commonly encountered cryptographic functions in today’s computer networking systems. The organization is primarily topical and loosely sequential. The presentation is supported in the form of logical operations and operational block diagrams, and with occasional code blocks; however, there are no expository examples. This style of presentation makes it a suitable textbook to support a set of lectures, but for fast self-learning I do not find this style efficient. For fast self-learning I prefer the more strongly sequential exposition provided by Joshua Holden in The Mathematics of Secrets; which I would follow with this one for a bit more formalism and completeness.

[Travis · Rating 3 out of 5]

Read as part of a book club at work. It didn't spark much in the way of discussion, but I feel like I'd have liked it less if I wasn't reading it as a group. I found the parts of the book focussing on how encryption can be attacked to be the most compelling, other parts felt like they either dove straight into deep math or lacked depth (and somehow, occasionally, both at the same time). Since we read it as a group it gave us some opportunities to seek out different explanations on the same topic from elsewhere, which I appreciated. The order that the topics in the book were organized was well thought out.

[Alan · Rating 5 out of 5]

JP Aumasson's book is definitely the most modern and comprehensive survey of cryptography topics that I have read. While this book will by no means make you a cryptographer, it does provide a good starting point for understanding the most important topics in the subject as well as resources for diving deeper into each of the topics. Aumasson strikes a decent-ish balance between superficial descriptions of nuanced topics and letting the reader get mired in the technical details of the math. This book should absolutely be required reading for anyone looking to expand their knowledge of cryptography and cryptographic systems.

[Michal · Rating 2 out of 5]

This book is a great overview of cryptography. I was mostly glad for "how things can go wrong" sections at the end of each chapter. The only problem I had with this book is it tried to cover a lot of math details on a few pages. One page was "kindergarten" math, and on the other already mathematical constructs I didn't understand. I can recommend it for understanding key concepts of cryptography, but due to only few examples and not all complex problems explained in depth, don't expect you will deeply understand crypto or that you will perfectly know practical usages. It's really just introduction.

[Zhi Han · Rating 5 out of 5]

This book is, despite its name, a brief intro into the field of cryptography. It focuses on the practical side and structures around the basic concepts of attack models and how things can go wrong. It is a very interesting quick read. It touches briefly on the recent progress including TLS 1.3 and post-quantum cryptography.

Instead of reading this book by itself, I would recommend combine this book with a more theoretical book or lecture. In my case I went through a cryptography class in coursera, as I read along this book. This way I get to be exposed to a small amount of the theoretical discussion, e.g., going through some discussion of crypto strength. Otherwise I would find the discussion in this book a little weak and less engaging.

[Damian · Rating 4 out of 5]

This book covers everything one should know about cryptography, both beginners and advanced practicioners. All concepts are properly explained, although for someone who hasn't practiced it even one day - a bit challenging. I have built concepts maps in order to memorize how it works and then practiced by using basic examples. After reading it (and using many other online sources) I must say I came to understand all the basics of cryptography and can successfuly judge myself whether an encryption is secure enough or not.

[Nate Bate · Rating 5 out of 5]

I have been unusually busy the last few months which means that I have not gotten my normal reading done, and that also means my reading of this book was very fractured. I ended up settling for more of an overview read. As the subtitle of the book reads, this is a practical book. It is heavy on the mechanics of Cryptography. I look at this as more of a reference book that I will go to when ever I have a question in the future. Although it is practical, it is written accessibly for must dedicated, interested readers.

[Yestin · Rating 5 out of 5]

I really enjoyed this book. I already knew much of the foundations and everyday details but not much of the real maths or the attacker centric parts. The maths was a little heavy at times, even though it was mostly kept simple enough for any reader to grasp. This book is an excellent introduction into practical cryptography and I highly recommend it. Already bought myself the paperback edition to use as a reference.

[Mehdi · Rating 4 out of 5]

This book really covers practical and modern cryptography in a short and readable manner.
Of course it could have included much more content or examples etc, but I think it's a unique book in cryptography field and I think it would be better if the reader has some high level knowledge about cryptography before reading this book, as it's not a beginner's book. I also like the fact that author skips advanced theoretical math to appear to non-academics and engineers

[Alex · Rating 5 out of 5]

An excellent practical reference on the topic. Covers all the core areas of modern cryptography in a useful level of detail, with enough math to be helpful without miring the discussion in proofs. (Such books have their use as well; I read the bulk of this *after* reading most of such a proof-based text, so this has served as a good review of much of the same material.) Recommended for anyone interested in the topic, as it is approachable even without much theoretical background.

[Makmild]

My opinion this book is require some knowledge about math and code before reading but if I already in tech field this not hard to get the point because content have arrange well, the structure is easy to apply for use. I like ‘further reading’ so much.

BTW For me, who not good in math or coding this book is so hard to understand but I can get some idea and have another book to read in the future.

[John Christopher · Rating 4 out of 5]

I had to read this book for college (cybersecurity), and while it’s not an easy read, especially for an introduction to the subject, it’s very informative. It covers important topics like asymmetric and symmetric cryptography, block ciphers, and hashing in a detailed and technical way, with some code examples included. It also touches on how cryptography is used in electronics and hardware-based encryption a little bit, which is really cool.