The Joy of Cryptography
Undergraduate textbook by Mike Rosulek

The Joy of Cryptography is a textbook that I've been writing for CS427, my undergraduate course in cryptography.

What's so special about it?

It's free and will always be free (Creative Commons license)! It is supported by the Oregon State University open textbook initiative.

The pedagogical approach is anchored in formal definitions/proof of security, but in a way that I believe is more accessible than what is "traditional" in crypto. All security definitions are written in a unified and simplified "game-based" style. For an example of what security definitions look like in this style, see the index of security definitions (which will make more sense after reading chapters 2 & 4). For example proofs of security in this style, see the supplementary material below.

It contains over 120 exercises.


Everything here is in draft form. This will become evident as you read through the text. Still, I've been successful using the text as the primary reference in an actual course.

My course CS427 is only a 10-week course. For that reason, much important material is still missing from the text!

"The Joy of Cryptography" is a silly title, but all the sensible titles were already taken. It was at least better than "You Can't Spell Cryptography without Cry". Anyway, actual joy not guaranteed.


Download the current draft (PDF, Jan 22, 2018)

Current table of contents (links are for PDFs of individual chapters):

  1. Foreword
  2. Review of Concepts & Notation
  3. One-Time Pad
    • One-Time Pad Definition
    • Properties of One-Time Pad
  4. The Basics of Provable Security
    • Reasoning about Information Hiding via Code Libraries
    • A General-Purpose Security Definition for Encryption
    • How to Prove Security with the Hybrid Technique
    • How to Demonstrate Insecurity with Attacks
  5. Secret Sharing
    • Definitions
    • A Simple 2-out-of-2 Scheme
    • Polynomial Interpolation
    • Shamir Secret Sharing
    • Visual Secret Sharing
  6. Basing Cryptography on Limits of Computation
    • Polynomial-Time Computation
    • Negligible Probabilities
    • Indistinguishability
    • Sampling with Replacement & the Birthday Bound
  7. Pseudorandom Generators
    • Definition
    • Application: Shorter Keys in One-Time-Secret Encryption
    • Taking the Contrapositive Point-of-View
    • Extending the Stretch of a PRG
  8. Pseudorandom Functions
    • Definition
    • Attacking Insecure PRFs
    • A Theoretical Construction of a PRF from a PRG
  9. Pseudorandom Permutations
    • Definitions
    • Switching Lemma
    • Feistel Ciphers
    • Strong Pseudorandom Permutations
  10. Security against Chosen Plaintext Attacks
    • Implications of CPA Security
    • Pseudorandom Ciphertexts
    • CPA-Secure Encryption from PRFs
  11. Block Cipher Modes of Operation
    • Common Modes
    • CPA Security for Variable-Length Plaintexts
    • Security of OFB Mode
    • Padding & Ciphertext Stealing
  12. Chosen Ciphertext Attacks
    • Padding Oracle Attacks
    • What Went Wrong?
    • Defining CCA Security
    • CCA Insecurity of Block Cipher Modes
    • A Simple CCA-Secure Scheme
  13. Message Authentication Codes
    • Security Definition
    • A PRF is a MAC
    • CBC-MAC
    • Encrypt-Then-MAC
  14. Hash Functions
    • Defining Security
    • Hash-Then-MAC
    • Merkle-Damgård Construction
    • Length-Extension Attacks
  15. The RSA Function
    • Modular Arithmetic & Number Theory
    • The RSA Function
    • Chinese Remainder Theorem
    • The Hardness of Factoring N
    • Malleability of RSA, and Applications
  16. Diffie-Hellman Key Agreement
    • Cyclic Groups
    • Diffie-Hellman Key Agreement
    • Decisional Diffie-Hellman Problem
  17. Public-Key Encryption
    • Security Definitions
    • One-Time Security Implies Many-Time Security
    • ElGamal Encryption
    • Hybrid Encryption
  18. Index of security definitions

Supplementary Material

I have also provided some slide decks that visually illustrate the steps of some hybrid proofs from the text, and an interactive padding oracle attack demo.


For a second opinion, you might want to check out these other excellent references. They are also the reason I had to choose a silly name for mine -- all the good names were taken.