Discover / Cryptography / Reading path

Cryptography reading path: from ciphers to modern secure protocols

@codesherpaIntermediate → Expert
9
Books
100
Hours
5
Stages
Not yet rated

This curriculum takes an intermediate learner from solid cryptographic foundations through the mathematics of public-key systems, into protocol design, and finally into the craft of building real-world secure systems. Each stage sharpens the vocabulary and intuition needed for the next, so no step feels like a leap in the dark.

1

Foundations & Core Concepts

Intermediate

Build a rigorous mental model of symmetric encryption, hashing, and the fundamental goals of cryptography (confidentiality, integrity, authenticity) before touching advanced math.

Study plan for this stage

Pace: 6–8 weeks, ~40–50 pages/day (Serious Cryptography first: 3–4 weeks; The Code Book second: 3–4 weeks)

Key concepts
  • Symmetric encryption primitives: block ciphers (AES), stream ciphers, and modes of operation (ECB, CBC, CTR) and why mode choice matters for security
  • Cryptographic hashing: properties (preimage resistance, collision resistance, avalanche effect) and why hash functions are not encryption
  • Authentication and integrity: MACs, HMAC, and the difference between confidentiality and authenticity
  • The three pillars of cryptographic goals: confidentiality, integrity, and authenticity, and how different primitives address each
  • Historical context and evolution of cryptography: from substitution ciphers through DES to modern AES, illustrating why cryptanalysis drives design
  • Practical security pitfalls: weak key derivation, IV reuse, unauthenticated encryption, and side-channel vulnerabilities
  • The role of randomness and nonces in cryptographic protocols and why determinism is dangerous
  • Foundational number theory and modular arithmetic concepts that underpin symmetric systems (preparation for asymmetric crypto)
You should be able to answer
  • Explain the difference between a block cipher mode (ECB vs. CBC vs. CTR) and why ECB is insecure for most real-world use cases.
  • What are the three essential properties of a cryptographic hash function, and why does collision resistance matter for digital signatures?
  • How do MACs and HMACs provide authenticity and integrity, and why is authentication separate from encryption?
  • Describe the evolution from historical ciphers (substitution, Vigenère) to DES and AES, and what cryptanalytic advances drove each transition.
  • What is the relationship between a nonce/IV and security in stream ciphers and CBC mode, and what happens if you reuse one?
  • Given a scenario (e.g., encrypting a password database, securing a message in transit), identify which cryptographic primitive(s) you need and why.
Practice
  • Implement AES encryption/decryption in your language of choice using a standard library (e.g., PyCryptodome, OpenSSL); encrypt the same plaintext with ECB and CBC modes and visually compare the ciphertexts to understand mode differences.
  • Write a simple hash collision detector: generate random inputs, compute their SHA-256 hashes, and verify that no collisions occur in a large sample; document the avalanche effect by showing how a single-bit change in input completely changes the hash.
  • Implement HMAC from scratch (or using a library) to authenticate a message; verify that tampering with either the message or the tag breaks authentication.
  • Decrypt a historical substitution cipher (provided or from The Code Book examples) by hand or with frequency analysis; then compare the effort to breaking a single AES block to internalize the security gap.
  • Build a simple authenticated encryption scheme: combine AES-CBC with HMAC (encrypt-then-MAC pattern); test that encryption alone is not enough by attempting to forge a ciphertext without the correct tag.
  • Create a key derivation scenario: derive encryption and authentication keys from a password using PBKDF2 or scrypt; demonstrate why weak derivation (e.g., MD5 once) is insufficient.

Next up: This stage establishes the mental model that symmetric encryption and hashing are the building blocks of applied cryptography, and that real security requires combining primitives correctly; the next stage will introduce asymmetric cryptography and public-key systems, which solve the key distribution problem that symmetric systems cannot address alone.

Serious Cryptography
Jean-Philippe Aumasson · 2017 · 312 pp

A modern, accessible yet rigorous survey of symmetric ciphers, hash functions, and authenticated encryption — perfect for an intermediate reader who wants depth without drowning in proofs first.

The Code Book
Simon Singh · 1999 · 416 pp

Provides essential historical and conceptual context — from Caesar ciphers to RSA — giving the learner intuition for *why* each cryptographic idea was invented before studying it formally.

2

Mathematical Underpinnings

Intermediate

Understand the number theory and algebra behind public-key cryptography, including RSA, discrete logarithms, and elliptic curves, so that later protocol study rests on solid ground.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day (mix of text and worked examples; allow extra time for theorem proofs and problem sets)

Key concepts
  • Modular arithmetic and the structure of Z/nZ, including Fermat's Little Theorem and Euler's theorem
  • The RSA cryptosystem: key generation, encryption/decryption, and why it works mathematically
  • Primality testing and factorization algorithms (trial division, Pollard's rho, quadratic sieve concepts)
  • Discrete logarithm problem and its hardness; index calculus and baby-step giant-step algorithms
  • Elliptic curves over finite fields: group law, point addition, and order of points
  • Elliptic curve discrete logarithm problem (ECDLP) and why it is harder than integer DLP
  • Public-key cryptography foundations: one-way functions, trapdoor functions, and computational hardness assumptions
  • Chinese Remainder Theorem and its application to RSA efficiency and attacks
You should be able to answer
  • Explain why RSA encryption and decryption work correctly using Euler's theorem, and what role the totient function plays
  • Describe the discrete logarithm problem and explain why it is believed to be hard; compare its difficulty to factorization
  • Define the group law on an elliptic curve and show how point addition is computed; why is the group structure important for cryptography?
  • What is the relationship between the order of an elliptic curve and the security of elliptic curve cryptosystems?
  • Outline a primality test (e.g., trial division or a probabilistic test) and explain when and why it is used in RSA key generation
  • How does the Chinese Remainder Theorem improve RSA decryption efficiency, and what security implications does it have?
Practice
  • Implement RSA key generation: choose two primes, compute n and φ(n), select e, and find d using the extended Euclidean algorithm
  • Encrypt and decrypt a message by hand using small RSA parameters (e.g., p=61, q=53) to verify the mathematics
  • Compute discrete logarithms in small cyclic groups using baby-step giant-step algorithm; compare runtime to brute force
  • Perform point addition on an elliptic curve (e.g., y² = x³ + 2x + 2 mod 17) by hand for several points; verify closure and identity
  • Implement or trace through a primality test (trial division or Miller-Rabin) on candidate primes for RSA
  • Work through Koblitz's problem sets on modular arithmetic, quadratic residues, and the Legendre symbol to build computational fluency

Next up: Mastering these mathematical foundations—modular arithmetic, RSA, discrete logarithms, and elliptic curves—equips you to understand how real cryptographic protocols (key exchange, digital signatures, and zero-knowledge proofs) are constructed and why their security depends on the hardness of these underlying problems.

An introduction to mathematical cryptography
Jeffrey Hoffstein · 2008 · 540 pp

Covers the exact mathematical toolkit needed — modular arithmetic, lattices, elliptic curves — with worked examples that bridge pure math and cryptographic application.

A course in number theory and cryptography
Neal Koblitz · 1987 · 222 pp

A concise, proof-driven companion that deepens number-theoretic intuition; reading it after Hoffstein reinforces and extends the algebra with a more classical perspective.

3

Comprehensive Cryptography Engineering

Intermediate

Master the full landscape of modern cryptographic primitives and their correct composition — symmetric, asymmetric, MACs, signatures, and random number generation — as an integrated system.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day (mix of dense technical content and worked examples)

Key concepts
  • Symmetric encryption modes (ECB, CBC, CTR, GCM) and why ECB is insecure; authenticated encryption and AEAD constructions
  • Block cipher design principles (Feistel networks, S-boxes, key schedules) and analysis of AES as the modern standard
  • Asymmetric cryptography fundamentals: RSA, discrete logarithm problem, elliptic curves, and their hardness assumptions
  • Digital signatures (RSA-PSS, DSA, ECDSA) and their security properties; signature verification as proof of authenticity and non-repudiation
  • Message authentication codes (HMAC, CBC-MAC, CMAC) and their role in ensuring integrity without encryption
  • Cryptographic hash functions (SHA-2, SHA-3) and their properties; collision resistance and preimage resistance
  • Key derivation, key agreement (Diffie-Hellman, ECDH), and secure key establishment protocols
  • Random number generation: entropy sources, PRNGs, and the critical role of randomness in cryptographic security
  • Composition and integration: how to combine primitives correctly (encrypt-then-MAC, authenticated key exchange) and common pitfalls
You should be able to answer
  • Why is ECB mode insecure for encrypting multiple blocks, and how do CBC, CTR, and GCM modes address this? What are the trade-offs between them?
  • Explain the RSA algorithm, the computational difficulty it relies on, and why padding schemes like PSS are essential for security.
  • What is the difference between a MAC and a digital signature? When would you use each, and can they be used interchangeably?
  • Describe the Diffie-Hellman key exchange protocol and explain why the discrete logarithm problem is central to its security.
  • How do you securely compose symmetric encryption, authentication, and key derivation in a real-world protocol? What are common mistakes?
  • What properties must a cryptographic hash function have, and why is collision resistance important for digital signatures?
Practice
  • Implement AES encryption/decryption in CBC and GCM modes using a cryptography library (e.g., OpenSSL, NaCl, or Python's cryptography module); compare ciphertext patterns between ECB and CBC to observe why ECB leaks information.
  • Implement HMAC-SHA256 from scratch and verify it against test vectors; then use it to authenticate a message and detect tampering.
  • Generate RSA key pairs, implement RSA encryption with OAEP padding, and sign/verify messages with PSS; compare against unpadded RSA to see why padding matters.
  • Implement or trace through an ECDH key exchange by hand (or with code) using a small elliptic curve; verify that both parties derive the same shared secret.
  • Build a simple authenticated encryption protocol: encrypt a message with AES-GCM, then decrypt and verify; intentionally corrupt the ciphertext or tag and confirm authentication fails.
  • Analyze a real-world protocol (e.g., TLS 1.2 handshake excerpt) and identify which primitives are used (symmetric cipher, hash, signature, key exchange) and why they are composed in that order.

Next up: This stage equips you with deep understanding of individual cryptographic primitives and their secure composition, preparing you to analyze and design complete cryptographic systems, protocols, and applications in the next stage.

Cryptography engineering
Niels Ferguson · 2010 · 384 pp

Written by leading practitioners, this book teaches not just *what* primitives exist but *how* to choose, combine, and implement them safely — a critical bridge from theory to engineering.

Introduction to modern cryptography
Jonathan Katz · 2007 · 603 pp

Provides the formal, provable-security definitions (semantic security, CPA/CCA security) that underpin everything; reading it here solidifies the 'why it's secure' reasoning behind the engineering choices.

4

Protocols & Applied Systems

Expert

Understand how cryptographic primitives are assembled into real-world protocols (TLS, SSH, key exchange, PKI) and learn to analyze their security properties and failure modes.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day (mix of dense technical content and practical examples)

Key concepts
  • TLS/SSL handshake mechanics: cipher suite negotiation, certificate validation, session establishment, and key derivation
  • SSH protocol architecture: authentication methods (password, public-key, agent forwarding), channel multiplexing, and secure tunneling
  • Diffie-Hellman and ECDH key exchange: mathematical foundations, parameter selection, and vulnerability to weak primes and implementation flaws
  • Public Key Infrastructure (PKI): certificate chains, trust anchors, revocation mechanisms (CRL, OCSP), and certificate validation pitfalls
  • Protocol composition and state machine design: how primitives combine, timing attacks, side-channel leaks, and common failure modes
  • Real-world deployment challenges: legacy algorithm support, downgrade attacks, configuration errors, and cryptographic agility
  • Authentication protocols: mutual authentication, replay attack prevention, and session binding in multi-party scenarios
  • Cryptographic protocol analysis: threat modeling, formal verification concepts, and identifying weaknesses in published protocols
You should be able to answer
  • Walk through a complete TLS 1.3 handshake: what cryptographic operations occur at each step, and what security properties does each step establish?
  • Explain the differences between SSH public-key authentication and password authentication, including how each resists man-in-the-middle attacks.
  • Why are weak Diffie-Hellman parameters (small primes, small subgroup orders) dangerous, and how do they enable practical attacks on TLS and SSH?
  • Describe the PKI trust model: how does a client validate a server certificate, and what are the failure modes when certificate validation is skipped or misconfigured?
  • What is a downgrade attack, and how have protocols like TLS and SSH been vulnerable to them? How do modern versions mitigate this?
  • Compare the security properties of session resumption mechanisms in TLS (session tickets vs. session IDs) and explain their trade-offs.
  • How do timing attacks and side-channel leaks manifest in protocol implementations, and what defenses are practical in real systems?
Practice
  • Implement a simplified TLS-like handshake in code (Python/Rust): exchange ephemeral keys, derive session keys, and verify a self-signed certificate. Document each step's security purpose.
  • Analyze a real TLS packet capture (using Wireshark): identify the handshake messages, cipher suite selection, certificate chain, and key exchange parameters. Explain what each field protects.
  • Set up SSH with public-key authentication and agent forwarding; configure it with restricted key permissions and examine the security implications of each setting.
  • Audit a certificate chain: fetch a real website's certificate, verify the chain to a root CA, check expiration and key usage extensions, and test what happens when you modify the chain.
  • Perform a Diffie-Hellman parameter audit: generate weak primes (e.g., small p, small subgroup order) and demonstrate how an attacker can recover shared secrets or force downgrade.
  • Write a threat model for a custom authentication protocol (e.g., mutual TLS with additional application-layer checks): identify attack vectors (MITM, replay, side-channel) and propose mitigations.
  • Compare TLS 1.2 and TLS 1.3 handshakes side-by-side: trace the differences in round trips, key derivation, and forward secrecy guarantees.
  • Implement certificate pinning in a client application and test its resilience to certificate rotation, MITM attacks, and misconfiguration.

Next up: This stage equips you to recognize how cryptographic primitives fail in real protocols and to design or audit systems defensively; the next stage will deepen your ability to formalize security properties, prove protocol correctness, and handle emerging threats like post-quantum cryptography.

Cryptography and Network Security
William Stallings · 2002 · 748 pp

A thorough reference for network-layer protocols — TLS, IPsec, Kerberos, PKI — that shows exactly how the primitives from earlier stages are wired together in deployed systems.

Real-World Cryptography
David Wong · 2021

Focuses on modern, actively-used constructions (ChaCha20, noise protocol, zero-knowledge proofs, TLS 1.3) and is best read here, when the reader can appreciate the design trade-offs with full background.

5

Mastery: Secure System Design & Frontiers

Expert

Synthesize everything into the ability to design, audit, and reason about the security of complete cryptographic systems, and gain exposure to post-quantum and advanced topics.

Study plan for this stage

Pace: 12–16 weeks, ~40–50 pages/day (with deep review of case studies and design patterns)

Key concepts
  • End-to-end system design: integrating multiple cryptographic primitives (symmetric, asymmetric, hash functions, authentication) into cohesive protocols
  • Real-world threat modeling and attack surfaces: identifying where cryptography fits within broader security architectures and what it cannot protect against
  • Protocol analysis and common pitfalls: recognizing implementation flaws, side-channel vulnerabilities, and design mistakes in actual systems
  • Key management lifecycle: generation, storage, rotation, escrow, and revocation in operational environments
  • Authentication and non-repudiation: designing systems where identity and accountability are cryptographically enforced
  • Cryptographic standards and regulatory compliance: understanding why certain algorithms are mandated or deprecated in practice
  • Hybrid cryptosystems and performance trade-offs: balancing security guarantees with computational and bandwidth constraints
  • Emerging threats and algorithm agility: recognizing when cryptographic choices become obsolete and designing systems that can adapt
You should be able to answer
  • How would you design a complete secure communication system for a financial institution, and what cryptographic primitives would you choose at each layer (transport, application, storage)?
  • What are the key differences between cryptographic security and operational security, and why is a mathematically perfect cipher still vulnerable in a poorly designed system?
  • Given a real-world protocol (e.g., TLS, PGP, or a custom system), how would you systematically identify potential cryptographic and implementation weaknesses?
  • How do you design a key management system that balances security (minimizing key exposure) with operational necessity (allowing legitimate access and recovery)?
  • What makes certain algorithms (like DES or MD5) unsuitable for new systems, and how should you approach algorithm selection and deprecation in a long-lived system?
  • How would you architect a system to remain secure against future threats, including the potential emergence of quantum computers?
Practice
  • Design a complete secure email system: specify algorithms for encryption, signing, key exchange, and key storage; document threat model and justify each choice against realistic adversaries
  • Audit a real protocol (analyze TLS 1.3, Signal Protocol, or WireGuard documentation): identify the cryptographic components, trace data flows, and document assumptions and potential failure modes
  • Implement a hybrid encryption system: combine RSA/ECDH for key establishment with AES for bulk encryption; handle key derivation, authentication, and error cases
  • Create a key management scenario: design a system for generating, storing, rotating, and revoking keys for a multi-user application; document procedures and failure recovery
  • Analyze a cryptographic failure case study: research a real vulnerability (e.g., Heartbleed, WPA2 KRACK, or a protocol flaw); explain the cryptographic and implementation root causes
  • Design a migration strategy: plan how to transition a system from deprecated algorithms (e.g., SHA-1, RSA-2048) to modern alternatives while maintaining backward compatibility and security

Next up: This stage equips you to architect and reason about complete cryptographic systems in the real world; the next stage would deepen specialized expertise in either post-quantum cryptography, formal verification of protocols, or advanced implementation topics like hardware security modules and side-channel resistance.

Applied Cryptography
Bruce Schneier · 1994 · 784 pp

A canonical reference covering an enormous breadth of protocols and techniques; at this final stage the reader can use it as a professional reference and appreciate its historical design decisions critically.

Discussion

Keep reading

Paths that share books, cover the same subject, or open a related topic.

More on Unity game development

Unity game development reading path: from first scene to a shipped game

Beginner8books54 hrs4 stages
More on Amazon Web Services (AWS)

Learn AWS in order: a reading path from core services to the cloud

Beginner9books70 hrs5 stages