A Modern Introduction to Cryptography

I’ve been asked some variant of this a couple of times in the past few days (here, via email, and via Signal):

How do I learn more about cryptography?

The bad news is, that’s too broad of a question for me to effectively answer for a general audience. What you already know matters a lot on how to approach this topic.

The best introduction I can point people to is So, you want to be a Cryptographer?* | CryptoGotchas.

The author includes one of my blog posts on the matter from 2020 in their recommended reading list: How To Learn Cryptography as a Programmer - Dhole Moments

As the title says, it’s about how to start learning cryptography if you already know a little computer programming. The only thing I would add in 2025 is that you should probably skip learning “public key encryption” entirely until you’re an expert, lest you accidentally implement RSA insecurely and think you’re safe.

(Use KEMs (Key Encapsulation Mechanisms) instead. Libsodium’s crypto_box and crypto_box_seal APIs are morally equivalent to DHKEM-X25519 from HPKE.)

Post-Quantum Cryptography

Post-quantum cryptography is still being implemented and deployed in critical infrastructure. Alfred Menezes has two lecture series worth tuning into if you’re interested in this topic:

Aside: I do have a blog post in draft status about implementing Kyber and Dilithium, but I’m also implementing both algorithms in pure TypeScript and walking through the implementation with the blog post, and as you can imagine, that takes a while to write and format. If you follow the FIPS-203 and FIPS-204 specifications from back-to-front, you’ll basically be able to predict the structure and contents of that post.

Cryptanalysis

The best way of learning is often doing. To that end, there are a few cryptography challenges worth trying at:

If you’d rather follow along someone’s breakdown of a cryptography function:

Cryptography Software and/or Protocol Design

First, you should learn about JSON Web Tokens. Maybe even implement (but don’t publish) a simple JWT library, following the RFCs, and use it in a local app.

Then, and only then, you should read this next section:

It is important that you follow the prescribed pattern (read the standard first, then implement it faithfully, and finally learn about the sharp edges of the standard that you may very well get cut by), so you can learn how impactful getting this wrong is.

If you intuitively understand the importance of making your designs easy to use and hard to misuse, you can then begin designing cryptographic software or protocols. A lot of the cryptography used on the Internet isn’t misuse-resistant, and that frequently bites end users (a.k.a., probably the very people that will read this thread, and your friends).

My full-time job is to review cryptography products (both proprietary and open source) to spot design flaws and implementation errors. Some of these things can be subtle. For example: Understanding HKDF - Dhole Moments

Advanced Topics (Multi-Party Computation, Zero-Knowledge Proofs, etc.)

The best resource I’ve found to date is ZKDocs.

Designing Cryptography Primitives

If you decide you need to build your own block cipher mode, or new asymmetric-key cryptosystem, or zero-knowledge proof system, you’re either about to make a huge mistake OR you’ve long since transcended needing to read my advice on this matter.

(If the latter, I wish you the best. Make sure you share your pre-print PDF with the IACR.)


I hope you found this helpful. Happy to answer any questions anyone has.


Tbh I’m more of a developer looking to make an end-to-end encrypted solution. So I’ve found this resource to be great:

What do you think? Is it a good, up-to-date guide for a developer looking to make an end-to-end encryption app?
My scenario is something like PyComm, which I’ll start actively developing tomorrow till Saturday (and maybe Sunday). And I even have what I am planning for encryption in the README, and security limitations, so I’d like to take suggestions, especially from cryptographers and devs alike who could also look into contributing.


Thank you, this is really useful for me. I’m studying mechanical engineering, but I’ve always had a thing for cryptography, I should start with the resources you’ve provided.


GitHub - samuel-lucas6/Cryptography-Guidelines: Guidance on implementing cryptography as a developer.

This also seems like a good resource, thanks.

I don’t necessarily agree with the ordering of symmetric ciphers.

AES-CTR+HMAC doesn’t give you AEAD, and attempting to turn it into AEAD can be dangerous, but it’s still safer than trying to use XSalsa20-Poly1305 (which also isn’t exposed by libsodium etc. as an AEAD mode), but does commit to the key. Every general-purpose computer (and most mobile phones) supports hardware-accelerated AES these days. If you’re on exceptionally bad hardware, you can use BearSSL’s bitsliced implementation (which is also in PQClean).

It’s not a bad starting point, but it could use an update.


Are you available for hire for security audits outside of your full time job? Not looking for a quote, just wondering if you freelance outside of your primary position.

Lastly, do you feel you need to know the math behind cryptography extremely well, or just “good enough” to apply cryptography to programming?

I see thank you, even the ones in the section folder I presume you disagree right?

Lastly, do you agree with my planning options for encryption? (Considering being limited by the cryptography library)

Are you available for hire for security audits outside of your full time job? Not looking for a quote, just wondering if you freelance outside of your primary position.

Towards the end of last year, I started offering timeboxed one-hour critiques, which can consist of a very surface-level security review (the two I’ve done so far have mostly been used for “here’s a Level of Effort estimate for a pentest”). I don’t really promote this much.

I see thank you, even the ones in the section folder I presume you disagree right?

No, I only read the README file, and my disagreement is a bit nitpicky. All of the options Samuel Lucas listed are good in general, but the ordering is different than what I would choose.

Lastly, do you agree with my planning options for encryption? (Considering being limited by the cryptography library)

From the README:

X25519 key exchange with Ed25519 Signing with Padded RSA Combining the key exchange and signing.

I don’t understand what you want “Padded RSA” for?

  • Ed25519 gives you a secure digital signature, which is typically used to build authenticated key exchanges.
  • X25519 can be used to create a secure KEM (see: HPKE, specifically with X25519)

How are you planning to manage your keys? As I mentioned here, key management (both for your secret keys and your public keys) is the real hard problem.

Alright, I get it. Very good to get insight from someone like you.

Since you ask: Padded RSA (planning for 3072-bit RSA-OAEP) for encryption and decryption of content. Basically, I’m planning to use hybrid encryption using these 3. (Not sure if there are other options that use asymmetric encryption and can handle data like RSA.)

Management of keys: hmm, I would be planning to use PFS so private keys rotate in memory (basically a key gets generated then deleted, rotating as it goes on that way). I’ll plan so that the server only ever sends public keys and encrypted content, while the private keys remain just in the client’s memory when in the process of encrypting and decrypting…
Sorry if I’m misunderstanding something here, btw; this is my first time approaching cryptography properly. Maybe I just really need to educate myself better than this… I don’t need personal lecturing (even if I’d actually prefer that), but proper resources would go a long way indeed.

Since you ask: Padded RSA (planning for 3072-bit RSA-OAEP) for encryption and decryption of content

You don’t want to use RSA for content encryption.

This is why I said above:

The only thing I would add in 2025 is that you should probably skip learning “public key encryption” entirely until you’re an expert, lest you accidentally implement RSA insecurely and think you’re safe.

Using X25519 gives you a solid KEM. Use the symmetric key that both sides of the KEM spit out and use it with a symmetric key.

Generally you want AEAD for your symmetric encryption, and you should populate the AAD field with some context information. This AAD feature exists to authenticate your access patterns, which is necessary in order to prevent confused deputy attacks.

(There are cases where AEAD is not necessary, but you should assume it is unless you can prove it isn’t.)

I’ll take it into consideration…

Right now the project is in phase 1 so essentially everything is running unencrypted for now.

If it is possible, I would appreciate, umm, reaching out to you if maybe I’m still concerned about something or stuff like that, e.g. maybe to see how I can approach encrypting symmetrically instead, for example…