Practical Cryptography for Developers: Hashes, MAC, Key Derivation, DHKE, Symmetric and Asymmetric Ciphers, Public Key Cryptosystems, RSA, Elliptic Curves, ECC, secp256k1, ECDH, ECIES, Digital Signatures, ECDSA, EdDSA

Home Page: https://cryptobook.nakov.com

License: MIT License


practical-cryptography-for-developers-book's Introduction

Welcome

Warning: this book is not finished! I am still working on some of the chapters. Once it is completed, I will publish it as PDF and EPUB. Be patient.

Practical Cryptography for Developers - Free Book by Svetlin Nakov - front cover

A modern practical book about cryptography for developers with code examples, covering core concepts like: hashes (like SHA-3 and BLAKE2), MAC codes (like HMAC and GMAC), key derivation functions (like Scrypt, Argon2), key agreement protocols (like DHKE, ECDH), symmetric ciphers (like AES and ChaCha20, cipher block modes, authenticated encryption, AEAD, AES-GCM, ChaCha20-Poly1305), asymmetric ciphers and public-key cryptosystems (RSA, ECC, ECIES), elliptic curve cryptography (ECC, secp256k1, curve25519), digital signatures (ECDSA and EdDSA), secure random numbers (PRNG, CSRNG) and quantum-safe cryptography, along with crypto libraries and developer tools, with lots of code examples in Python and other languages.

Author: Svetlin Nakov, PhD - https://nakov.com

Contributors: Milen Stefanov, Marina Shideroff

Sponsor: SoftUni (Software University) - https://softuni.org

ISBN: 978-619-00-0870-5 (9786190008705)

This book is free and open-source, published under the MIT license.

Official Web site: https://cryptobook.nakov.com

Official GitHub repo: https://github.com/nakov/practical-cryptography-for-developers-book

Sofia, November 2018

Tags: cryptography, free, book, Nakov, Svetlin Nakov, hashes, hash function, SHA-256, SHA3, BLAKE2, RIPEMD, MAC, message authentication code, HMAC, KDF, key derivation, key derivation function, PBKDF2, Scrypt, Bcrypt, Argon2, password hashing, random generator, pseudo-random numbers, CSPRNG, secure random generator, key exchange, key agreement, Diffie-Hellman, DHKE, ECDH, symmetric ciphers, asymmetric ciphers, public key cryptosystems, symmetric cryptography, AES, Rijndael, cipher block mode, AES-CTR, AES-GCM, ChaCha20-Poly1305, authenticated encryption, encryption scheme, public key cryptography, RSA, ECC, elliptic curves, secp256k1, curve25519, EC points, EC domain parameters, ECDH key agreement, asymmetric encryption scheme, hybrid encryption, ECIES, digital signature, RSA signature, DSA, ECDSA, EdDSA, ElGammal signature, Schnorr signature, quantum-safe cryptography, digital certificates, TLS, OAuth, multi-factor authentication, crypto libraries, Python cryptography, JavaScript cryptography, C# cryptography, Java cryptography, C++ cryptography, PHP cryptography.


practical-cryptography-for-developers-book's Issues

Example: Multiply EC Point by Integer

Maybe there is an error here, in "Example: Multiply EC Point by Integer":

image

for k = 6, G = {15,13},
P = kG = 6{15,13} = {90,78} mod 17 = {5,10}, which is not {5,8}.

am I correct?

bug / issue report

Hi Svetlin,

First of all, thanks for writing this book. I’ve been only reading the chapter “Asymmetric Key Cipher”, but already learned a lot. And I think it’s easy to follow!

Have a question about this particular section https://cryptobook.nakov.com/asymmetric-key-ciphers/ecc-encryption-decryption

Btw (minor thing), a typo in the sentence "if we encrypt data by a private key, we will be able to decrypt the ciphertext later by the corresponding public key”. I believe you meant the other way around.

The main thing I’m questioning is the statement "The elliptic curve cryptography (ECC) does not directly provide encryption method”.
As far as I understand, ECC is similar to the discrete log problem. The idea is also that with x, g^x is easy to compute but the reverse is hard. Therefore, we should be able to apply the very same idea as in ElGamal encryption (https://en.wikipedia.org/wiki/ElGamal_encryption) to achieve the public key encryption "directly".

Practically, it’s probably a minor point anyway, my guess is people use ECIES more. But technically, ECC should achieve public key encryption in a straightforward way.
Thanks for your time for reading!

Best,
Yi-Hsiu

I want to contribute.

Need some clarifications from author about "Secure Hash Algorithms"

Hello, there are some confusions in chapter Secure Hash Algorithms

See the SM3 algorithm under the section "Other Secure Hash Functions": bold style is applied around "Chinese government". What does the bold style mean? Also, SM3 is a Chinese National Standard; I would suggest describing it as a Chinese National Standard, like the description of the GOST algorithm.

Typo in DHKE page

The second paragraph reads:

DHKE was one of the first public-key protocols, which allows two parties to exchange data securely, so that is someone sniffs the communication between the parties, the information exchanged can be revealed.

Specifically I refer to the last part:

information exchanged can be revealed

Does this not mean to say "cannot be revealed"?

Wording: "aesIV" vs. "nonce"

Hello Svetlin!

First of all, thank you for your great work. I'm using it extensively on my current deep-dive journey into cryptography.

In the python examples for AES GCM encryption/decryption, in the print() of the encrypted message, you call the "nonce" an "IV", which are different things that have different attributes. So if I don't get it wrong, "aesIV" should be renamed to "aesNonce" in this code sample:

From what I've learned so far, when talking about an IV it is important that it is random - and, at least in many scenarios, it should be used only once per key, too - while when talking about a nonce the randomness is not the important part, but it is important that it is never, ever re-used.

Source (for example): https://crypto.stackexchange.com/questions/16000/difference-between-a-nonce-and-iv

Greetings from Germany, and stay motivated and healthy!
Daniel Albuschat

Elliptic Curve Cryptography (ECC) really needs superscript

Saying something like 128-bit security requires approximately 2128 operations to crack would make it a very very inefficient security tool. I could only assume it means 2^128 operations which is completely different.

Need to superscript exponents. May be an issue elsewhere but certainly is in this page absolutely all over.

Private/public key for decrypt/encrypt reversed

I think there is a typo in the following two sections:

https://cryptobook.nakov.com/encryption-symmetric-and-asymmetric.html?q=#private-keys

Message encryption and signing is done by a private key.

Shouldn't this be "Message decryption and signing is done by a private key." ?

https://cryptobook.nakov.com/encryption-symmetric-and-asymmetric.html?q=#public-keys

Message decryption and signature verification is done by the public key.

And shouldn't this be "Message encryption and signature verification is done by the public key." ?

Seemingly incorrect progression in eddsa-and-ed25519.md

Under the "How does it work" section, it says:

P1 = s * G = (r + h * privKey) mod q * G = r * G + h * privKey * G = R + h * pubKey

The last step seems erroneous. The privKey is converted into pubKey without any obvious mathematical operation. Is that correct? If so, I think some additional steps would need to be there for clarity.

(PS thanks for writing this!)

More features to add

@nakov , This is an excellent book and I really appreciate such great efforts to make software developers aware of modern crypto.

Here, I just want to give some suggestions:

  1. In the crypto library recommendation part, I found it is not complete, some of the popular libraries have not been considered yet, such as OpenSSL, and its python wrapper pyOpenSSL etc. As a Python developer, I am still wondering which one to choose (pyOpenSSL or pycryptodomex or something else?). For Java I would go with Bouncy Castle.

  2. Would you mind adding some homomorphic encryption explanations to this book? At least the Paillier system as a partially homomorphic encryption system is a good one. As well as somewhat homomorphic encryption schemes and fully homomorphic schemes such as BGV and CKKS?

Thanks

ECDSA sign/verify code: update

Regarding ECDSA, I found this to work for the latest release of pycoin:

https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-examples#ecdsa-sign-verify-using-the-secp-256-k1-curve-and-sha-3-256

from pycoin.ecdsa.secp256k1 import secp256k1_generator
import hashlib, secrets

def sha3_256Hash(msg):
    # hash the message with SHA3-256 and interpret the digest as a big-endian integer
    hashBytes = hashlib.sha3_256(msg.encode("utf8")).digest()
    print(f'msgHash={hashBytes.hex()}')
    return int.from_bytes(hashBytes, byteorder="big")

def signECDSAsecp256k1(msg, privKey):
    msgHash = sha3_256Hash(msg)
    signature = secp256k1_generator.sign(privKey, msgHash)
    return signature

def verifyECDSAsecp256k1(msg, signature, pubKey):
    msgHash = sha3_256Hash(msg)
    valid = secp256k1_generator.verify(pubKey, msgHash, signature)
    return valid

# ECDSA sign message (using the curve secp256k1 + SHA3-256)
msg = "Message for ECDSA signing"
privKey = secrets.randbelow(secp256k1_generator.order())
signature = signECDSAsecp256k1(msg, privKey)
print("Message:", msg)
print("Private key:", hex(privKey))
print("Signature: r=" + hex(signature[0]) + ", s=" + hex(signature[1]))

# ECDSA verify signature (using the curve secp256k1 + SHA3-256)
pubKey = secp256k1_generator * privKey
valid = verifyECDSAsecp256k1(msg, signature, pubKey)
print("\nMessage:", msg)
print("Public key: (" + hex(pubKey[0]) + ", " + hex(pubKey[1]) + ")")
print("Signature valid?", valid)

# ECDSA verify tampered signature (using the curve secp256k1 + SHA3-256)
msg = "Tampered message"
valid = verifyECDSAsecp256k1(msg, signature, pubKey)
print("\nMessage:", msg)
print("Signature (tampered msg) valid?", valid)

Cheers!

Mark von der Lieth

Duplicated Cryptographics hash functions content in Hash functions chapter.

I've recently picked up the book. It looks very informative. Thanks.

I was reading through the chapter about Hash functions and was wondering if there's a duplication of the text about Cryptographic hash function. It's being mentioned on top and then again in the same form later under the Cryptographic hash functions with the same example and code.

I would expect it to be introduced only at the top and explained in detail later. Is this done like that by choice?

ImportError: cannot import name 'generator_secp256k1'

from pycoin.ecdsa import generator_secp256k1, sign, verify
import hashlib, secrets


ImportError Traceback (most recent call last)
in
----> 1 from pycoin.ecdsa import generator_secp256k1, sign, verify
2 import hashlib, secrets
3
4 def sha3_256Hash(msg):
5 hashBytes = hashlib.sha3_256(msg.encode("utf8")).digest()

ImportError: cannot import name 'generator_secp256k1'

KDF Acronym Typo

At the third paragraph on the section Preface, there is a typo on the acronym.

From this book you will learn how to use cryptographic algorithms and cryptosystems like hashes, MAC codes and key derivation functions (KFD)

Here, KFD should be KDF.

FR: Pdf

Hi

Is it possible to offer the pdf version for download?

thanks

Translation

Hi @nakov! Your book is really nice work! What do you think about translating it to other languages?

PRNG exercises need clarification about integer representation

In the PRNG exercise, the solution is based on the following calculation, where n is the iteration number:

1 + HMAC-SHA256(n, seed) % 10

However, n can be represented a number of different ways, depending on

When implementing the exercise, I struggled with trying a number of different representations until I finally figured out that the byte representation was supposed to be unencoded and unsigned. It might be good to include a note about this in the exercise.
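The ambiguity described in this issue, shown in code as an added example (not the book's solution and not the issue author's code): the same counter n produces different HMAC values depending on how it is turned into bytes, so an exercise has to pin the encoding down. Following the issue's notation HMAC-SHA256(n, seed), the counter is assumed to be the HMAC key and the seed the message; the book's own convention may differ. The seed value is constructed.

```python
import hashlib
import hmac

# Added illustration for the PRNG exercise thread, not the book's own solution.
# ASSUMPTION: per the issue's notation HMAC-SHA256(n, seed), the counter n is the
# HMAC key and the seed is the message; the book's exact convention may differ.


def int_to_unsigned_be(n: int) -> bytes:
    """Minimal-width, unsigned, big-endian encoding of a non-negative integer
    (the representation the issue author eventually found to be intended)."""
    if n < 0:
        raise ValueError("counter must be non-negative")
    length = max(1, (n.bit_length() + 7) // 8)
    return n.to_bytes(length, byteorder="big")


# Three plausible readings of "the bytes of n"; only one can be the right one.
ENCODINGS = {
    "unsigned-be": int_to_unsigned_be,                   # n = 5 -> b'\x05'
    "fixed-4-byte": lambda n: n.to_bytes(4, "big"),      # n = 5 -> b'\x00\x00\x00\x05'
    "ascii-decimal": lambda n: str(n).encode("ascii"),   # n = 5 -> b'5'
}


def prng_digit(seed: bytes, n: int, encoding: str = "unsigned-be") -> int:
    """1 + (HMAC-SHA256(n, seed) read as a big-endian integer) % 10, i.e. a digit 1..10."""
    key = ENCODINGS[encoding](n)
    digest = hmac.new(key, seed, hashlib.sha256).digest()
    return 1 + int.from_bytes(digest, "big") % 10


def digests_per_encoding(seed: bytes, n: int) -> dict:
    """Hex digests for the same (seed, n) under each encoding, to show they diverge."""
    return {name: hmac.new(enc(n), seed, hashlib.sha256).hexdigest()
            for name, enc in ENCODINGS.items()}


if __name__ == "__main__":
    seed = b"constructed seed"   # constructed sample input
    for name, hexdigest in digests_per_encoding(seed, 5).items():
        print(f"{name:14s} {hexdigest}")
    print("first ten outputs:", [prng_digit(seed, i) for i in range(1, 11)])
```

Each encoding yields a different digest and therefore a different sequence, which is why the exercise text needs to state "unsigned big-endian bytes, no ASCII" explicitly. Reducing a 256-bit value modulo 10 introduces a bias that is negligible for this exercise, but it is worth knowing it exists.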

KDF vs. PBKDF

This crucial difference is missing in the text and it treats KDFs as if they were PBKDFs, possibly confusing coders - the target audience.

KDF is a key derivation function in general - for example for deriving round keys - and designed to be fast. PBKDFs are designed to be brute force resilient and therefore to be slow. It's literally stated in /mac-and-key-derivation/hmac-and-key-derivation, that SHA is not a good [PB]KDF, which is true, but it's perfectly correct and used as KDF - like in WhisperMessage (Signal, WhatsApp, ...)
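To make the distinction in this issue concrete, here is an added example (not the book's code and not the issue author's): HKDF from RFC 5869, implemented on top of the standard library's HMAC, stands in for a fast general-purpose KDF that splits one agreed secret into purpose-bound subkeys, and PBKDF2 via hashlib.pbkdf2_hmac stands in for a deliberately slow password-based KDF. The shared secret, password and salt values are constructed; the HKDF vectors in the test are RFC 5869 test case 1.

```python
import hashlib
import hmac

# Added example for the KDF vs PBKDF distinction, not code from the book.
# HKDF (RFC 5869, HMAC-SHA256) = fast KDF for already-strong secrets.
# PBKDF2 (hashlib.pbkdf2_hmac) = slow KDF for low-entropy passwords.

HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF-SHA256")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF = Extract then Expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_session_keys(shared_secret: bytes) -> dict:
    """Fast-KDF use case: one high-entropy secret (e.g. from ECDH) becomes
    independent, purpose-labelled subkeys. A single HMAC each; no iteration."""
    prk = hkdf_extract(b"", shared_secret)
    return {
        "enc": hkdf_expand(prk, b"encryption key", 32),
        "mac": hkdf_expand(prk, b"mac key", 32),
    }


def derive_password_key(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Slow-KDF use case: the iteration count makes every guess of a weak password
    cost the attacker as much as it costs the legitimate user."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


if __name__ == "__main__":
    keys = derive_session_keys(b"constructed shared secret")   # constructed input
    print("enc key:", keys["enc"].hex())
    print("mac key:", keys["mac"].hex())
    print("pw key: ", derive_password_key(b"p@ss", b"constructed-salt").hex())
```

The contrast is the point: HKDF is fine for deriving round or session keys from a secret that already has full entropy, and it would be a poor password hash precisely because it is fast; PBKDF2, scrypt or Argon2 are the right tool when the input is a human-chosen password.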

Missing ^ ?

Cool book!
By the way chat gpt solves your problems super well!

Here are my 5 cents:

In

Should it be 5^4 mod 23 = 4 instead of 54 mod 23 = 4?

Same here

Should it be 5^3 mod 23 = 10 instead of 53 mod 23 = 10?
See also
https://www.wolframalpha.com/input?i=5%5E4+mod+23

Regards stefan

invalid size of IV in cipher block modes

in cipher block modes: iv

The size of the IV should be the same as the cipher block size, e.g. 128-bits for AES, Serpent and Camellia.

not every block mode requires that the sizeof(iv) = sizeof(cipher block), for instance:

  • gcm and ccm accept variable IV size and some libraries suggest different recommended IV size (12bytes for [aes|aria|camellia]+[gcm|ccm] where block size is 16bytes)

  • aes+ecb may be used without any IV (size=0, IV is not being used internally), but other ciphers like [camellia|des|3des|blowfish|aria]+ecb require that sizeof(iv) = sizeof(cipher block)

Scrypt Python code example incorrect

The example Python code for the Scrypt key derivation algorithm contains a wrong module name (current: pyscrypt, should be scrypt).

Page:

https://cryptobook.nakov.com/mac-and-key-derivation/scrypt

Current code:

import pyscrypt

salt = b'aa1f2d3f4d23ac44e9c5a6c3d8f9ee8c'
passwd = b'p@$Sw0rD~7'
key = pyscrypt.hash(passwd, salt, 2048, 8, 1, 32)
print("Derived key:", key.hex())

Code should be:

import scrypt

salt = b'aa1f2d3f4d23ac44e9c5a6c3d8f9ee8c'
passwd = b'p@$Sw0rD~7'
key = scrypt.hash(passwd, salt, 2048, 8, 1, 32)
print("Derived key:", key.hex())

ImportError: cannot import name 'sign', 'verify'

from pycoin.ecdsa import generator_secp256k1, sign, verify
import hashlib, secrets

def sha3_256Hash(msg):
    hashBytes = hashlib.sha3_256(msg.encode("utf8")).digest()
    return int.from_bytes(hashBytes, byteorder="big")

def signECDSAsecp256k1(msg, privKey):
    msgHash = sha3_256Hash(msg)
    signature = sign(generator_secp256k1, privKey, msgHash)
    return signature

def verifyECDSAsecp256k1(msg, signature, pubKey):
    msgHash = sha3_256Hash(msg)
    valid = verify(generator_secp256k1, pubKey, msgHash, signature)
    return valid

I think the example code is broken or outdated. I can't import sign or verify at all.
