technical see the announcement →

Handbook of Applied Cryptography

Handbook of Applied Cryptography · Alfred J. Menezes, Paul C. van Oorschot & Scott A. Vanstone ·800 pages

The rigorous academic reference for applied cryptography — block/stream ciphers, cipher modes (ECB/CBC/CTR/GCM), hash functions (birthday bound, collision resistance), RSA (OAEP/PSS), DH/ECDH, ECC, digital signatures (DSA/ECDSA/EdDSA), authentication protocols, key establishment, and cryptographic attack taxonomy.

Capabilities (10)
  • Select correct cipher mode: AES-GCM for AEAD, CBC+HMAC for legacy, never ECB
  • Explain RSA key generation, OAEP padding, and why textbook RSA is broken
  • Explain Diffie-Hellman and ECDH key agreement from first principles
  • Compare ECC curves: P-256 vs Curve25519 security and implementation trade-offs
  • Choose correct signature scheme: Ed25519 > ECDSA (RFC 6979) > DSA
  • Apply HMAC correctly and explain why MAC-then-encrypt is broken
  • Explain hash function security properties and birthday bound
  • Choose password hashing: Argon2id > scrypt > bcrypt, never MD5/SHA-1
  • Describe hybrid encryption pattern (ECDH + HKDF + AES-GCM)
  • Classify attacks: ciphertext-only, known-plaintext, chosen-ciphertext, IND-CCA2
forged 2026-03-27
How to use

Install this skill and Claude can recommend the correct cryptographic primitive for any security requirement, explain why specific constructions are broken (ECB mode, textbook RSA, MAC-then-encrypt, DSA k-reuse), trace the hybrid encryption pattern step by step, and classify attack scenarios into the correct security model to frame what defense is required

Why it matters

Cryptography failures are among the most consequential security vulnerabilities — broken cipher modes, padding oracle vulnerabilities, and weak signature implementations have caused real-world breaches; engineers who understand crypto from first principles can evaluate library defaults critically and recognize dangerous API choices before they ship

Example use cases
  • Evaluating a proposed AES-CBC-without-MAC encryption scheme and explaining the specific padding oracle and bit-flipping attacks it is vulnerable to, with the correct replacement design
  • Analyzing an ECDSA implementation for nonce reuse across two signatures sharing the same k value and deriving the private key using the lattice attack relationship for a CTF crypto challenge
  • Designing a hybrid encryption scheme for encrypting files to a recipient's public key — specifying ECDH key agreement, HKDF derivation, and AES-256-GCM authenticated encryption with correct nonce handling

Handbook of Applied Cryptography Skill

Core Security Goals

  1. Confidentiality: keep content secret from unauthorized parties
  2. Data integrity: detect unauthorized modification (insertion, deletion, substitution)
  3. Authentication: verify identity of entity or data origin
  4. Non-repudiation: prevent denial of previous commitments

Symmetric-Key Encryption

Stream Ciphers

Encrypt one bit/byte at a time using a pseudorandom keystream:

ciphertext[i] = plaintext[i] XOR keystream[i]
  • Keystream generated from key (and IV) via PRNG
  • Examples: RC4 (broken), ChaCha20 (secure), A5/1 (GSM, broken)
  • Key requirement: never reuse a keystream — two-time pad reveals XOR of plaintexts

Block Ciphers

Encrypt fixed-size blocks (e.g., 128 bits for AES):

DES (Data Encryption Standard):

  • 56-bit key, 64-bit block, 16 Feistel rounds
  • Broken by exhaustive key search; use 3DES or AES

AES (Advanced Encryption Standard):

  • 128/192/256-bit key, 128-bit block, 10/12/14 rounds
  • SubBytes → ShiftRows → MixColumns → AddRoundKey

Block Cipher Modes

ModeIV RequiredParallel EncryptParallel DecryptError Propagation
ECBNoYesYesPer-block
CBCYesNoYes2 blocks
CTRYes (nonce)YesYesPer-bit
GCMYes (nonce)YesYesAuthenticated

Never use ECB — identical plaintext blocks → identical ciphertext blocks (penguin attack).

Prefer GCM (Galois/Counter Mode) — provides both confidentiality and integrity (AEAD).

Hash Functions

A hash function H: {0,1}* → {0,1}^n must satisfy:

  1. Preimage resistance (one-way): given h, hard to find m such that H(m) = h
  2. Second preimage resistance: given m, hard to find m' ≠ m with H(m) = H(m')
  3. Collision resistance: hard to find any pair (m, m') where m ≠ m' and H(m) = H(m')

Birthday bound: expect collision after ~2^(n/2) random inputs → 128-bit hash gives ~2^64 collision security.

HashOutputStatus
MD5128-bitBroken (collisions found)
SHA-1160-bitBroken (SHAttered 2017)
SHA-256256-bitSecure
SHA-3 (Keccak)256/512-bitSecure, different construction
BLAKE2/BLAKE3VariableSecure, very fast

HMAC (Hash-based MAC)

HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))

Provides authentication + integrity. HMAC-SHA256 is the standard choice.

Public-Key Cryptography

Mathematical Hardness Assumptions

ProblemBasisUsed In
Integer factorizationFactor n = pqRSA
Discrete log (mod p)Find x from g^x mod pDH, ElGamal, DSA
Elliptic curve DLFind k from k·G on ECECDH, ECDSA

RSA

Key generation:

  1. Choose primes p, q; compute n = pq, φ(n) = (p-1)(q-1)
  2. Choose e with gcd(e, φ(n)) = 1 (common: e = 65537)
  3. Compute d = e^(-1) mod φ(n)
  4. Public key: (n, e); Private key: d

Operations:

Encrypt: c = m^e mod n
Decrypt: m = c^d mod n
Sign:    s = m^d mod n
Verify:  m = s^e mod n

Padding requirement: RSA is textbook-broken without padding. Use:

  • PKCS#1 v2.1 OAEP for encryption
  • PKCS#1 v2.1 PSS for signatures

Key sizes: 2048-bit minimum (2030+), prefer 3072-bit or 4096-bit.

Diffie-Hellman Key Exchange

Public params: prime p, generator g
Alice: a = random; A = g^a mod p  → sends A
Bob:   b = random; B = g^b mod p  → sends B
Shared secret: Alice = B^a mod p = Bob = A^b mod p = g^(ab) mod p

Vulnerabilities:

  • Man-in-the-middle if not authenticated (use signed DH = TLS)
  • Small subgroup attacks (use safe primes where p = 2q+1)
  • Logjam: use 2048-bit groups minimum

Elliptic Curve Cryptography (ECC)

Operations on curve y² = x³ + ax + b over finite field F_p.

Point addition is the group operation. Scalar multiplication k·G is efficient; finding k from k·G is hard (ECDLP).

CurveBitsSecurity equivalent
P-256256~RSA-3072
P-384384~RSA-7680
Curve25519255~RSA-3072

Prefer Curve25519/Ed25519 — designed to avoid implementation pitfalls (no cofactor issues, constant-time friendly).

Digital Signatures

DSA (Digital Signature Algorithm)

Based on ElGamal over Z_p. Key points:

  • Uses ephemeral k per signature — if k reused or predictable, private key leaks
  • PlayStation 3 was broken because k was constant

ECDSA

Same structure as DSA but over elliptic curves.

  • Vulnerable to same k-reuse attack
  • RFC 6979: deterministic k generation (recommended)

EdDSA (Ed25519)

  • Deterministic by design — no random k needed
  • Faster than ECDSA, more resistant to implementation errors
  • Preferred over ECDSA for new systems

Authentication Protocols

Challenge-Response

  1. Verifier sends random challenge r
  2. Prover computes HMAC(K, r) and returns it
  3. Verifier checks — proves knowledge of K without revealing it

Zero-Knowledge Proofs

Prover convinces verifier they know a secret without revealing the secret. Fiat-Shamir heuristic converts interactive ZK proofs to non-interactive (used in Schnorr signatures).

Key Establishment

Key Transport vs Key Agreement

  • Key transport: one party generates key, encrypts it for the other (RSA-KEM)
  • Key agreement: both parties contribute to the key (DH, ECDH)

Certificate Infrastructure (PKI)

  1. CA issues X.509 certificate binding public key to identity
  2. Certificate chain: Leaf → Intermediate CA → Root CA
  3. Certificate revocation: CRL (batch) or OCSP (real-time)

Hybrid Encryption Pattern

1. Generate ephemeral asymmetric keypair
2. Perform DH/ECDH → shared secret
3. Derive symmetric key: K = HKDF(shared_secret, salt, info)
4. Encrypt data: AES-GCM(K, data)
5. Send: ephemeral public key + encrypted data + authentication tag

This is the basis of TLS 1.3, Signal Protocol, NaCl.

Attack Classes

AttackTargetDefense
Ciphertext-onlyRecover key/plaintext from ciphertextStrong cipher
Known-plaintextAttacker has plaintext-ciphertext pairsCipher security
Chosen-plaintextAttacker can encrypt chosen messagesIND-CPA security
Chosen-ciphertextAttacker can decrypt chosen ciphertextsIND-CCA2 security
Side-channelTiming, power, EM emissionsConstant-time implementations
Birthday attackHash collisionsUse ≥256-bit hash
Meet-in-the-middleDouble encryptionUse 3DES or AES

IND-CCA2 (indistinguishable under adaptive chosen-ciphertext attack) is the gold standard for encryption security.

Practical Decision Tree

Symmetric encryption:
  Authenticated? YES → AES-256-GCM or ChaCha20-Poly1305
  Legacy block cipher? → CBC with HMAC (encrypt-then-MAC)
  Never: ECB, unauthenticated CTR, RC4

Hash:
  General purpose → SHA-256 or BLAKE2
  Password hashing → Argon2id (memory-hard), scrypt, bcrypt
  Never: MD5, SHA-1 for security

Public key:
  Key exchange → ECDH with Curve25519 (X25519)
  Signatures → Ed25519 (preferred) or ECDSA with RFC 6979
  Legacy RSA → RSA-OAEP (encrypt) / RSA-PSS (sign), 2048-bit minimum

MAC:
  → HMAC-SHA256 or Poly1305
← All skills technical skills →