Crypto Dictionary: 500 Tasty Tidbits for the Curious Cryptographer
Ebook, 632 pages (2 hours)

About this ebook

Rigorous in its definitions yet easy to read, Crypto Dictionary covers the field of cryptography in an approachable, and sometimes humorous way.

Expand your mind and your crypto knowledge with the ultimate desktop dictionary for all things cryptography. Written by a renowned cryptographer for experts and novices alike, Crypto Dictionary is rigorous in its definitions, yet easy to read and laced with humor. Flip to any random page to find something new, interesting, or mind-boggling, such as:
 

   • A survey of crypto algorithms both widespread and niche, from RSA and DES to the USSR’s GOST cipher
   • Trivia from the history of cryptography, such as the MINERVA backdoor in Crypto AG’s encryption algorithms
   • An explanation of why the reference to the Blowfish cipher in the TV show 24 makes absolutely no sense
   • Types of cryptographic protocols like zero-knowledge; security; and proofs of work, stake, and resource
   • A polemic against referring to cryptocurrency as “crypto”
   • Discussions of numerous cryptographic attacks, including slide and biclique

The book also looks toward the future of cryptography, with discussions of the threat quantum computing poses to current cryptosystems and a nod to post-quantum algorithms, such as lattice-based cryptographic schemes.
 
With hundreds of incisive entries organized alphabetically, Crypto Dictionary is the crypto go-to guide you’ll always want within reach.
Language: English
Publisher: No Starch Press
Release date: Mar 16, 2021
ISBN: 9781718501416

    Crypto Dictionary - Jean-Philippe Aumasson

    Contents

    #

    2013

    65537

    A

    A5/0

    A5/1

    A5/2

    A5/3

    A5/4

    Adaptive attack

    AEAD (authenticated encryption with associated data)

    AES (Advanced Encryption Standard)

    AES-CCM

    AES-GCM

    AES-GCM-SIV

    AES-NI

    AES-SIV

    AIM (Advanced INFOSEC Machine)

    AKA

    AKS (Agrawal–Kayal–Saxena)

    Algebraic cryptanalysis

    Alice

    All-or-nothing transform (AONT)

    Anonymous signature

    Applied Cryptography

    Applied cryptography

    ARC4

    Argon2

    ARX (Add-Rotate-XOR)

    ASIACRYPT

    Asymmetric cryptography

    Attack

    Attribute-based encryption (ABE)

    Authenticated cipher

    Axolotl

    B

    Backdoor

    Backtracking resistance

    Backward secrecy

    Base64

    BassOmatic

    BB84

    bcrypt

    Biclique cryptanalysis

    BIKE (Bit Flipping Key Encapsulation)

    BIP (Bitcoin improvement proposal)

    Bit Gold

    Bitcoin

    Black

    BLAKE

    BLAKE2

    BLAKE3

    Bleichenbacher attack

    Blind signature

    Block cipher

    Blockchain

    Blockcipher

    Blowfish

    BLS (Boneh-Lynn-Shacham) signature

    Bob

    Boolean function

    Boomerang attack

    BQP (bounded-error quantum polynomial time)

    Braid group cryptography

    Brainpool curves

    Break-in recovery

    Broadcast encryption

    Brute-force attack

    Bulletproof

    Byzantine fault tolerance

    C

    CAESAR

    Caesar’s cipher

    CAVP (Cryptographic Algorithm Validation Program)

    CBC (cipher block chaining)

    CECPQ (combined elliptic-curve and post-quantum)

    Cellular automata

    Ceremony

    Certificate

    Certificate authority (CA)

    Certificate transparency (CT)

    ChaCha20

    CHES (Conference on Cryptographic Hardware and Embedded Systems)

    CIA

    Ciphertext stealing

    Clipper

    CMVP (Cryptographic Module Validation Program)

    Code-based cryptography

    Commitment

    Concurrent zero-knowledge

    Consensus protocol

    Control word

    COPACOBANA (Cost-Optimized PArallel COde Breaker)

    Cothority (collective authority)

    Cryptanalysis

    Cryptids

    Crypto

    CRYPTO

    Crypto AG

    Crypto period

    Crypto variable

    Crypto wars

    Cryptobiosis

    Cryptocurrency

    Crypto-Gram

    Cryptography

    Cryptologia

    Cryptology

    Cryptonomicon

    Cryptorchidism

    Cryptovirology

    CRYPTREC

    CSIDH (Commutative Supersingular Isogeny Diffie–Hellman)

    CTF (capture the flag)

    Cube attack

    Curve25519

    Curve448

    Cypher

    D

    Daemon

    Davies–Meyer

    Decentralized private computation

    Déchiffrer

    Décrypter

    Deniable encryption

    DES (Data Encryption Standard)

    Dictionary

    Dictionary attack

    Differential cryptanalysis

    Diffie–Hellman

    Disclosure

    Discrete logarithm problem

    Distinguisher

    Distributed randomness

    Dolev–Yao model

    Double ratchet

    Dragonfly

    DRBG (deterministic random bit generator)

    DSA (Digital Signature Algorithm)

    DSS (Digital Signature Standard)

    DVB-CSA

    E

    E0

    ECB (electronic codebook)

    ECC

    ECDLP (Elliptic-curve discrete logarithm problem)

    ECDSA (Elliptic-curve DSA)

    ECIES (Elliptic-curve IES)

    Ed25519

    EdDSA

    EKMS (Electronic Key Management System)

    Electronic codebook

    ElGamal

    Elligator

    Elliptic curve

    Elliptic-curve cryptography

    Encipherment

    End-to-end encryption (E2EE)

    Enigma

    Entropy

    ePrint

    Eratosthenes’ sieve

    eSTREAM

    Ethereum

    Eurocrypt

    Eve

    E-voting

    F

    Factoring problem

    Feedback shift register

    Feistel network

    Fialka (Фиалка)

    Fiat–Shamir

    FIPS 140-2

    FIPS 140-3

    Forgery

    Formal verification

    Format-preserving encryption

    Forward secrecy

    FOX

    FSE (Fast Software Encryption)

    Fully homomorphic encryption

    Functional encryption

    Future secrecy

    Fuzzy extractor

    G

    Generalized birthday problem

    GNFS (General Number Field Sieve)

    GOST

    Grain

    Gröbner basis

    Group signature

    Grover’s algorithm

    H

    Hardcore predicate

    Hash function

    Hash-based cryptography

    Heartbleed

    Hedged signature

    HFE (Hidden Field Equations)

    HMAC (Hash-based MAC)

    Homomorphic encryption

    HPC (Hasty Pudding Cipher)

    HSM (hardware security module)

    HTTP/3

    Hyperelliptic-curve cryptography

    I

    IACR (International Association for Cryptologic Research)

    IDEA (International Data Encryption Algorithm)

    IDEA NXT

    Identity-based encryption

    IES (Integrated Encryption Scheme)

    Impatient saboteur

    Impossibility

    Impossible differential attack

    IND-CCA

    IND-CPA

    Indelibility

    Indifferentiability

    Indistinguishability

    Indistinguishability obfuscation (iO)

    Information-theoretic security

    INT-CTXT

    Invisible signature

    IOTA

    IPES (Improved Proposed Encryption Standard)

    IPSec

    ISO standard

    Isogeny-based cryptography

    J

    Journal of Cryptology (JoC)

    K

    KASUMI

    Keccak

    KeeLoq

    KEM (key encapsulation mechanism)

    Kerberos

    Kerckhoffs’ principles

    Key derivation function (KDF)

    Key escrow

    Key management

    Key wrapping

    Kleptography

    Known-key attack

    Kupyna (Купина)

    L

    Laconic zero-knowledge proof

    Lai–Massey

    Lamport signature

    Lattice-based cryptography

    Le Chiffre

    Leakage-resilient cryptography

    Learning with errors (LWE)

    Length extension attack

    Length-preserving encryption

    LFSR (linear feedback shift register)

    Lightweight cryptography

    Linear cryptanalysis

    Linkability

    LM hash

    Luby–Rackoff

    Lucifer

    M

    MAC (message authentication code)

    MAGENTA

    Malleability

    Manger attack

    Man-in-the-middle

    MASH (Modular Arithmetic Secure Hash)

    McEliece encryption scheme

    MD4

    MD5

    MDC (Message Digest Cipher)

    MDC-2 (Modification Detection Code 2)

    Meet-in-the-middle

    Merkle puzzle

    Merkle tree

    Merkle–Damgård construction

    Mersenne twister

    Message franking

    Miller–Rabin

    MINERVA

    Mining

    Misuse resistance

    Mixnet

    MQV (Menezes–Qu–Vanstone)

    Multicollision

    Multi-party computation (MPC)

    Multivariate cryptography

    N

    NBS (National Bureau of Standards)

    NESSIE (New European Schemes for Signatures, Integrity, and Encryption)

    New Directions in Cryptography

    NFSR (nonlinear feedback shift register)

    NIST (National Institute of Standards and Technology)

    NIZK (non-interactive zero-knowledge)

    Noekeon

    Noise

    Nonce

    Non-committing encryption

    Non-outsourceability

    Non-slanderability

    NSA (National Security Agency)

    NT hash

    NTRU (Nth degree Truncated polynomial Ring Units)

    Null cipher

    O

    OAEP (Optimal Asymmetric Encryption Padding)

    Oblivious key management system (OKMS)

    Oblivious PRF (OPRF)

    Oblivious RAM (ORAM)

    Oblivious transfer

    Obscurity

    OCB (offset codebook mode)

    One-time pad

    One-way function

    Onion-AE

    OPAQUE

    OpenSSL

    Oracle

    OTR (Off-the-Record)

    P

    Padding oracle attack

    Paillier cryptosystem

    Pairing

    Pairing-based cryptography

    PAKE (password-authenticated key exchange)

    Paradigm

    Password hash function

    PBKDF2 (Password-Based Key Derivation Function 2)

    PCT (Private Communications Technology)

    PEP (Plaintext equivalence proof)

    Perfect forward secrecy

    Permutation-based cryptography

    PES (Proposed Encryption Standard)

    PET (Plaintext equivalence test)

    PFS

    PGP (Pretty Good Privacy)

    Photuris

    Picnic

    PKC

    PKCS (Public Key Cryptography Standards)

    Poly1305

    Polynomial complexity

    Post-compromise security

    Post-quantum cryptography

    Post-quantum RSA

    Prediction resistance

    Preimage

    PRESENT

    PRIMES

    Privacy-preserving

    Private information retrieval (PIR)

    Proof of burn

    Proof of catalytic space

    Proof of human work

    Proof of replication

    Proof of reserve

    Proof of security

    Proof of sequential work

    Proof of space

    Proof of spacetime

    Proof of stake

    Proof of storage

    Proof of useful work

    Proof of work

    Provable security

    Provably secure

    Proxy re-encryption

    Pseudo-random

    Pseudorandom function (PRF)

    Pseudorandom number generator (PRNG)

    Pseudorandom permutation (PRP)

    Public-key cryptography

    PUF (physically unclonable function)

    Puncturable encryption

    Puncturable pseudorandom function (PPRF)

    Q

    Quantum computer

    Quantum cryptography

    Quantum encryption

    Quantum key distribution

    Quantum signature

    QUIC (Quick UDP Internet Connections)

    R

    Rabin cryptosystem

    Rainbow tables

    Random bits

    Random oracle

    Randomness

    Range proof

    RC4

    RC5

    RC6

    Real world

    Real World Crypto (RWC)

    Rectangle attack

    Related-key attack

    Research papers

    Revocation

    Rijndael

    Ring signature

    RIPEMD-160

    Rivest–Shamir–Adleman

    ROBOT (Return Of Bleichenbacher’s Oracle Threat)

    ROS

    RSA

    Rubber-hose cryptanalysis

    Rumba20

    S

    SAEP (Simplified OAEP)

    Salsa20

    Sandwich attack

    S-box

    Scalar

    sci.crypt

    Scrambler

    scrypt

    Searchable encryption

    secp256k1

    Secret sharing

    Security

    Security proof

    Semantic security

    Serious Cryptography

    Serpent

    SHA-0

    SHA-1

    SHA-2

    SHA-3

    SHA-3 competition

    SHACAL

    Shamir’s secret database

    Shor’s algorithm

    SHS (Secure Hash Standard)

    Side channel

    Side-channel attack

    Sigaba

    Signal protocol

    Signature

    Signcryption

    SIKE (Supersingular Isogeny Key Encapsulation)

    SIMECK

    SIMON

    SipHash

    SIV-AES

    Skipjack

    Slide attack

    SM

    Smart contract

    Snake-oil

    SNARK (succinct non-interactive argument of knowledge)

    SNIP (secret-shared non-interactive proof)

    SNOW 3G

    Solitaire

    SPECK

    SPEKE (Simple Password Exponential Key Exchange)

    SPHINCS

    Sponge function

    SRP (Secure Remote Password)

    SSH (Secure Shell)

    SSL (Secure Socket Layer)

    STARK (scalable transparent arguments of knowledge)

    Steganography

    Stream cipher

    Substitution-permutation network (SPN)

    Suck

    Sugar beet auctions

    Suite A

    SUPERCOP

    Superpolynomial complexity

    SVP (shortest vector problem)

    Symmetric-key cryptography

    T

    TCC

    Test vectors

    Threefish

    Threshold encryption

    Threshold secret-sharing

    Threshold signature

    Time AI™

    Time-lock encryption

    Time-lock puzzle

    Timing attack

    TLS (Transport Layer Security)

    Tor

    Traitor tracing

    Transfinite cryptography

    Trapdoor

    Triple DES

    Trivium

    True random number generator (TRNG)

    Trusted third party

    Tweakable block cipher

    Twitter

    Twofish

    U

    Undeniable signature

    Universal composability

    Universal hash function

    Updatable encryption

    V

    Verifiable delay function (VDF)

    Verifiable random function (VRF)

    Verifiable unpredictable function (VUF)

    Vigenère cipher

    VSH (Very Smooth Hash)

    W

    Wallet

    Watermarking

    White-box cryptography

    Winternitz signature

    WireGuard

    X

    X25519

    X3DH

    XMSS (eXtended Merkle Signature Scheme)

    XOF (extendable output function)

    XOR

    XOR encryption

    Z

    Zerocash

    ZKP (zero-knowledge proof)

    ZRTP

    Index of Terms

    CRYPTO DICTIONARY

    500 Tasty Tidbits for the Curious Cryptographer

    by Jean-Philippe Aumasson

    CRYPTO DICTIONARY. Copyright © 2021 by Jean-Philippe Aumasson

    All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

    ISBN-13: 978-1-7185-0140-9 (print)

    ISBN-13: 978-1-7185-0141-6 (ebook)

    Publisher: William Pollock

    Executive Editor: Barbara Yien

    Production Editor: Paula Williamson

    Developmental Editors: Frances Saux and Athabasca Witschi

    Cover Illustration: Rick Reese

    Interior Design and Composition: Maureen Forys, Happenstance Type-O-Rama

    Technical Reviewer: Pascal Junod

    Copyeditor: Anne Marie Walker

    Proofreader: James Fraleigh

    For information on book distributors or translations, please contact No Starch Press, Inc. directly:

    No Starch Press, Inc.

    245 8th Street, San Francisco, CA 94103

    phone: 1-415-863-9900; [email protected]

    www.nostarch.com

    The Library of Congress Control Number is: 2020946022

    No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

    The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

    À Melina

    About the Author

    Jean-Philippe (JP) Aumasson is the Chief Security Officer and cofounder of Taurus Group, a Swiss financial tech company specializing in digital assets infrastructure. Since 2006, he has authored more than 60 research articles in the field of cryptography and designed the widely used cryptographic algorithms BLAKE2 and SipHash. The author of the acclaimed book Serious Cryptography (No Starch Press, 2017), he speaks regularly at information security and technology conferences.

    About the Technical Reviewer

    Pascal Junod has worked in applied (and less applied) cryptography for a living since 1999, both in the academic and industrial worlds. He holds a master’s in computer science from ETH Zurich and a PhD in cryptography from EPF Lausanne. In his spare time, he loves trail running, white-water kayaking, reading books, and caring about his family.

    Preface

    I promise nothing complete; because any human thing supposed to be complete must for that very reason infallibly be faulty. I shall not pretend to a minute anatomical description of the various species, or—in this space at least—to much of any description. My object here is simply to project the draught of a systematization of cetology. I am the architect, not the builder.

    —Herman Melville, in Moby Dick (Chapter XXXII)

    Crypto Dictionary is quite different from my previous book. Its format and lighter tone might make it look less serious, but its seriousness lies in its breadth of treatment. Whereas Serious Cryptography covered applied crypto’s fundamentals, or less than 10 percent of all there is to know in the field, this dictionary has the pretension of covering at least 75 percent of cryptography’s realm.

    The unhurried, gradual, and relatively deep exposition in Serious Cryptography is replaced with a less headache-inducing structure filled with concise, direct definitions. This coffee-table book form intends to expose the richness of cryptography, including its exotic and underappreciated corners, to share knowledge and be a gateway to a better appreciation of the science of secrecy.

    As the epigraph hints, Crypto Dictionary isn’t an attempt to deliver a real dictionary that would comprehensively and consistently cover cryptography’s diverse areas. You might not find your favorite protocol or cipher and will probably be surprised by the absence of certain terms that I purposefully omitted or just didn’t think of. But you’ll find many of the major notions and algorithms that cryptographers encounter today, as well as an opinionated selection of terms that I found of practical, theoretical, historical, or anecdotal interest.

    Seasoned cryptographers might observe that the book isn’t very egalitarian. Although I attempted to cover all streets and alleys of cryptography evenly, certain neighborhoods are inevitably more equally treated than others due to my biases, experience, interests, and variable inspiration. I hope this heterogeneity won’t be perceived as unfairness, because that was definitely not my intention.

    For example, I chose not to list individuals or software components; instead, the book focuses on the concepts and cryptographic objects that people created and that engineers implemented, which I believe are of greater interest. In accordance with the no-software rule, I didn’t include the Signal application, yet I did include the Signal protocol. But this rule suffered one exception, which you’ll find between the letters N and P.

    This dictionary doesn’t pretend to provide a precise description of the various protocols, algorithms, and other cryptologic notions. Crypto Dictionary isn’t an encyclopedia and doesn’t aim to be a modern version of the venerable Handbook of Applied Cryptography. Readers who seek, for example, a formal definition of attribute-based cryptography or a detailed specification of AES will find plenty of references online.

    Most definitions are actual definitions, but they vary in how informative they are. I didn’t strive for a consistent level of detail and deliberately just minimally explained certain terms—including some of the most established ones—or