awesome-awesomeness/html/cryptopapers.html

<h1 id="awesome-crypto-papers-awesome">Awesome Crypto Papers <a
href="https://github.com/sindresorhus/awesome"><img
src="https://raw.githubusercontent.com/sindresorhus/awesome/d2005375894e77d69827b0e3c17073bbf6f062d7/media/badge.svg"
alt="Awesome" /></a></h1>
<p>A curated list of <a
href="https://en.wikipedia.org/wiki/Cryptography">cryptography</a>
papers, articles, tutorials and howtos for non-cryptographers.</p>
<p align="center">
<img src="https://github.com/pFarb/awesome-crypto-papers/blob/master/awesome-felix-big.jpg" style="width: 50%">
</p>
<h3 id="notes">Notes</h3>
<p>The goal of this list is to provide educational reading material for
different levels of cryptographic knowledge. I started it because my day
job onboarding engineers at <a
href="https://www.cossacklabs.com">Cossack Labs</a> includes educating
them in cryptographic matters and giving advise what to read on specific
topics, and that involves finding the same materials repeatedly.
Hopefully, it will be useful for someone else as well.</p>
<p>It is aimed at people who are using cryptography in higher-level
security systems to implement database encryption, secure sharing,
end-to-end encryption in various schemes, and should understand how it
works, how it fails and how it is attacked. It is not a list of notable
/ important / historically important papers (although many of them are
here). It is not aimed at academics (who have better grasp of what they
need anyway), nor it is aimed for systematic study of wanna-be
cryptographers (who better follow structured approach under professional
guidance).</p>
<p>It will be extended gradually as I find something of “must-have”
value. Pull requests are very welcome.</p>
<h2 id="contents">Contents</h2>
<ul>
<li><a
href="#introducing-people-to-data-security-and-cryptography">Introducing
people to data security and cryptography</a>.
<ul>
<li><a href="#simple-cryptography-for-non-engineers">Simple:
cryptography for non-engineers</a>.</li>
<li><a href="#brief-engineer-oriented-introductions">Brief
engineer-oriented introductions</a>.</li>
</ul></li>
<li><a href="#specific-topcs">Specific topics</a>.
<ul>
<li><a href="#hashing">Hashing</a> - important bits on modern and
classic hashes.</li>
<li><a href="#secret-key-cryptography">Secret key cryptography</a> - all
things symmetric encryption.</li>
<li><a href="#cryptanalysis">Cryptanalysis</a> - attacking
cryptosystems.</li>
<li><a href="#public-key-cryptography-general-and-dlp">Public key
cryptography: General and DLP</a> - RSA, DH and other classic
techniques.</li>
<li><a href="#public-key-cryptography-elliptic-curve-crypto">Public key
cryptography: Elliptic-curve crypto</a> - ECC, with focus on pratcial
cryptosystems.</li>
<li><a href="#zero-knowledge-proofs">Zero Knowledge Proofs</a> - Proofs
of knowledge and other non-revealing cryptosystems.</li>
<li><a href="#math">Math</a> - useful math materials in cryptographic
context.</li>
<li><a href="#post-quantum-cryptography">Post-quantum cryptography</a> -
Cryptography in post-quantum period.</li>
</ul></li>
<li><a href="#books">Books</a>.</li>
<li><a href="#lectures-and-educational-courses">Lectures and educational
courses</a>.</li>
<li><a href="#online-crypto-challenges">Online crypto
challenges</a>.</li>
</ul>
<h2 id="the-list">The list</h2>
<h3
id="introducing-people-to-data-security-and-cryptography">Introducing
people to data security and cryptography</h3>
<h4 id="simple-cryptography-for-non-engineers">Simple: cryptography for
non-engineers</h4>
<ul>
<li><a
href="https://www.cs.princeton.edu/~felten/encryption_primer.pdf">Nuts
and Bolts of Encryption: A Primer for Policymakers</a>.</li>
<li><a
href="https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf">Keys
under Doormats</a> - Or why cryptography shouldn’t be backdoored, by a
all-star committee of crypto researches from around the world.</li>
</ul>
<h4 id="brief-introductions">Brief introductions</h4>
<ul>
<li><a
href="http://web.archive.org/web/20220918232416/https://www.garykessler.net/library/crypto.html">An
Overview of Cryptography</a> - By Gary C. Kessler.</li>
<li><a
href="http://inst.eecs.berkeley.edu/~cs268/sp02/cached_papers/needham.pdf">Using
Encryption for Authentication in Large Networks</a> - By Needham,
Schroeder: this is were crypto-based auth starts.</li>
<li><a
href="http://web.archive.org/web/20201112040412/http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf">Communication
Theory of Secrecy Systems</a> - Fundamental cryptography paper by Claude
Shannon.</li>
</ul>
<h4 id="general-cryptographic-interest">General cryptographic
interest</h4>
<ul>
<li><a href="https://eprint.iacr.org/2004/152.pdf">Another Look at
“Provable Security”</a> - Inquiries into formalism and naive intuition
behind security proofs, by Neal Koblitz et al.</li>
<li><a href="https://cryptojedi.org/papers/coolnacl-20120725.pdf">The
security impact of a new cryptographic library</a> - Introductory paper
on NaCl, discussing important aspects of implementing cryptography and
using it as a larger building block in security systems, by Daniel J.
Bernstein, Tanja Lange, Peter Schwabe.</li>
</ul>
<hr>
<h3 id="specific-topics">Specific topics</h3>
<h4 id="hashing">Hashing</h4>
<ul>
<li><a
href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf">FIPS
198-1: HMACs</a> - The Keyed-Hash Message Authentication Code FIPS
document.</li>
<li><a
href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">FIPS 202:
SHA3</a> - SHA-3 Standard: Permutation-Based Hash and Extendable-Output
Functions.</li>
<li><a href="https://en.wikipedia.org/wiki/Birthday_problem">Birthday
problem</a> - The best simple explanation of math behind <a
href="https://en.wikipedia.org/wiki/Birthday_attack">birthday
attack</a>.</li>
<li><a href="https://eprint.iacr.org/2006/187.pdf">On the Security of
HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1</a> - Security
analysis of different legacy HMAC schemes by Jongsung Kim et al. </li>
<li><a href="https://eprint.iacr.org/2001/074">On the Security of
Randomized CBC-MAC Beyond the Birthday Paradox Limit</a> - Security of
randomized CBC-MACs and a new construction that resists birthday paradox
attacks and provably reaches full security, by E. Jaulmes et al.</li>
</ul>
<h4 id="secret-key-cryptography">Secret key cryptography</h4>
<ul>
<li><a
href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf">FIPS
197</a> - AES FIPS document.</li>
<li><a
href="http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html">List
of proposed operation modes of AES</a> - Maintained by NIST.</li>
<li><a
href="http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf">Recomendation
for Block Cipher modes of operation: Methods and Techniques</a>.</li>
<li><a
href="http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html">Stick
figure guide to AES</a> - If stuff above was a bit hard or you’re
looking for a good laugh.</li>
<li><a href="http://cr.yp.to/antiforgery/cachetiming-20050414.pdf">Cache
timing attacks on AES</a> - Example of designing great practical attack
on cipher implementation, by Daniel J. Bernstein.</li>
<li><a href="https://eprint.iacr.org/2005/271.pdf">Cache Attacks and
Countermeasures: the Case of AES</a> - Side channel attacks on AES,
another view, by Dag Arne Osvik, Adi Shamir and Eran Tromer.</li>
<li><a href="https://cr.yp.to/snuffle/salsafamily-20071225.pdf">Salsa20
family of stream ciphers</a> - Broad explanation of Salsa20 security
cipher by Daniel J. Bernstein.</li>
<li><a href="https://eprint.iacr.org/2007/472.pdf">New Features of Latin
Dances: Analysis of Salsa, ChaCha, and Rumba</a> - Analysis of Salsa20
family of ciphers, by Jean-Philippe Aumasson et al.</li>
<li><a
href="https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-04">ChaCha20-Poly1305
Cipher Suites for Transport Layer Security (TLS)</a> - IETF Draft of
ciphersuite family, by Adam Langley et al.</li>
<li><a
href="https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf#page=1">AES
submission document on Rijndael</a> - Original Rijndael proposal by Joan
Daemen and Vincent Rijmen.</li>
<li><a
href="https://web.archive.org/web/20220209130448/https://www.ecrypt.eu.org/ecrypt1/documents/D.STVL.3-2.5.pdf">Ongoing
Research Areas in Symmetric Cryptography</a> - Overview of ongoing
research in secret key crypto and hashes by ECRYPT Network of Excellence
in Cryptology.</li>
<li><a
href="https://web.archive.org/web/20221007191258/https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.694.695&amp;rep=rep1&amp;type=pdf">The
Galois/Counter Mode of Operation (GCM)</a> - Original paper introducing
GCM, by by David A. McGrew and John Viega.</li>
<li><a href="https://eprint.iacr.org/2004/193.pdf">The Security and
Performance of the Galois/Counter Mode (GCM) of Operation</a> - Design,
analysis and security of GCM, and, more specifically, AES GCM mode, by
David A. McGrew and John Viega.</li>
<li><a
href="https://www.iacr.org/archive/fse2015/85400168/85400168.pdf">GCM
Security Bounds Reconsidered</a> - An analysis and algorithm for nonce
generation for AES GCM with higher counter-collision probability, by
Yuichi Niwa, Keisuke Ohashi, Kazuhiko Minematsu, Tetsu Iwata.</li>
<li><a href="https://eprint.iacr.org/2019/806.pdf">Proxy-Mediated
Searchable Encryption in SQL Databases Using Blind Indexes</a> - An
overview of existing searchable encryption schemes, and analysis of
scheme built on AES-GCM, blind index and bloom filter by Eugene
Pilyankevich, Dmytro Kornieiev, Artem Storozhuk.</li>
<li><a
href="https://link.springer.com/content/pdf/10.1007/3-540-48071-4_36.pdf">DES
is not a group</a> - Old but gold mathematical proof that the set of DES
permutations (encryption and decryption for each DES key) is not closed
under functional composition. That means that multiple DES encryption is
not equivalent to single DES encryption and means that the size of the
subgroup generated by the set of DES permutations is greater than
10^2499, which is too large for potential attacks on DES, which would
exploit a small subgroup.</li>
</ul>
<h4 id="cryptanalysis">Cryptanalysis</h4>
<ul>
<li><a
href="https://web.archive.org/web/20220710225943/https://www.ecrypt.eu.org/stream/papersdir/2007/010.pdf">Differential
Cryptanalysis of Salsa20/8</a> - A great example of stream cipher
cryptanalysis, by Yukiyasu Tsunoo et al.</li>
<li><a href="https://eprint.iacr.org/2008/263">Slide Attacks on a Class
of Hash Functions</a> - Applying slide attacks (typical cryptanalysis
technique for block ciphers) to hash functions, M. Gorski et al.</li>
<li><a
href="https://www.schneier.com/academic/archives/2000/01/self-study_course_in.html">Self-Study
Course in Block Cipher Cryptanalysis</a> - Attempt to organize the
existing literature of block-cipher cryptanalysis in a way that students
can use to learn cryptanalytic techniques and ways to break new
algorithms, by Bruce Schneier.</li>
<li><a href="http://crypto.junod.info/phdthesis.pdf">Statistical
Cryptanalysis of Block Ciphers</a> - By Pascal Junod.</li>
<li><a
href="https://web.archive.org/web/20220929023539/http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-info.cgi/2006/PHD/PHD-2006-04">Cryptanalysis
of block ciphers and protocols</a> - By Elad Pinhas Barkan.</li>
<li><a href="https://eprint.iacr.org/2019/1492.pdf">Too much crypto</a>
- Analysis of number of rounds for symmetric cryptography primitives,
and suggestions to do fewer rounds, by Jean-Philippe Aumasson.</li>
<li><a
href="https://iacr.org/archive/eurocrypt2005/34940019/34940019.pdf">How
to Break MD5 and Other Hash Functions</a> - A 2005 paper about modular
differential collision attack on MD5, MD4 and other hash functions, by
Xiaoyun Wang and Hongbo Yu.</li>
<li><a
href="https://www.iacr.org/archive/fse2012/75490447/75490447.pdf">New
attacks on Keccak-224 and Keccak-256</a> - A 2012 paper about using the
combination of differential and algebraic techniques for collision
attacks on SHA-3, by Itai Dinur, Orr Dunkelman, Adi Shamir.</li>
<li><a
href="https://www.iacr.org/archive/fse2011/67330297/67330297.pdf">A
Single-Key Attack on the Full GOST Block Cipher</a> - An attack
(“Reflection-Meet-inthe-Middle Attack”) on GOST block cipher that allows
to recover key with 2^225 computations and 2^32 known plaintexts, by
Takanori Isobe.</li>
<li><a href="http://www.cs.bc.edu/~straubin/crypto2017/heys.pdf">Intro
to Linear &amp; Differential Cryptanalysis</a> - A beginner-friendly
paper explaining and demonstrating techniques for linear and
differential cryptanalysis.</li>
<li><a
href="https://mega-awry.io/pdf/mega-malleable-encryption-goes-awry.pdf">MEGA:
Malleable Encryption Goes Awry</a> - Proof-of-concept versions of
attacks on MEGA data storage. Showcasing their practicality and
exploitability. <a href="https://mega-awry.io/">Official
webpage</a>.</li>
</ul>
<h4 id="public-key-cryptography-general-and-dlp">Public key
cryptography: General and DLP</h4>
<ul>
<li><a
href="https://www-ee.stanford.edu/~hellman/publications/24.pdf">New
Directions in Cryptography</a> - Seminal paper by Diffie and Hellman,
introducing public key cryptography and key exchange/agreement
protocol.</li>
<li><a href="https://tools.ietf.org/html/rfc2631">RFC 2631:
Diffie-Hellman Key Agreement</a> - An explanation of the Diffie-Hellman
methon in more engineering terms.</li>
<li><a href="https://people.csail.mit.edu/rivest/Rsapaper.pdf">A Method
for Obtaining Digital Signatures and Public-Key Cryptosystems</a> -
Original paper introducing RSA algorithm.</li>
<li><a href="http://www.di-mgt.com.au/rsa_alg.html">RSA Algorithm</a> -
Rather education explanation of every bit behind RSA.</li>
<li><a
href="http://www.ralphmerkle.com/1974/PuzzlesAsPublished.pdf">Secure
Communications Over Insecure Channels</a> - Paper by R. Merkle, predated
“New directions in cryptography” though it was published after it. The
Diffie-Hellman key exchange is an implementation of such a Merkle
system.</li>
<li><a
href="https://web.archive.org/web/20230902163042/https://www.cs.huji.ac.il/~dolev/pubs/dolev-yao-ieee-01056650.pdf">On
the Security of Public Key Protocols</a> - Dolev-Yao model is a formal
model, used to prove properties of interactive cryptographic
protocols.</li>
<li><a
href="https://github.com/arupmondal-cs/Crypto-Research/blob/master/Secret%20Sharing/shamirturing.pdf">How
to Share a Secret</a> - A safe method for sharing secrets.</li>
<li><a
href="http://crypto.stanford.edu/~dabo/pubs/papers/RSA-survey.pdf">Twenty
Years of Attacks on the RSA Cryptosystem</a> - Great inquiry into
attacking RSA and it’s internals, by Dan Boneh.</li>
<li><a
href="http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf">Remote
timing attacks are practical</a> - An example in attacking practical
crypto implementationby D. Boneh, D. Brumley.</li>
<li><a href="https://eprint.iacr.org/2005/307.pdf">The Equivalence
Between the DHP and DLP for Elliptic Curves Used in Practical
Applications, Revisited</a> - by K. Bentahar.</li>
<li><a href="https://eprint.iacr.org/2021/1492.pdf">SoK:
Password-Authenticated Key Exchange – Theory, Practice, Standardization
and Real-World Lessons</a> - History and classification of the PAKE
algorithms.</li>
<li><a href="https://eprint.iacr.org/2022/048.pdf">RSA, DH and DSA in
the Wild</a> - Collection of implementation mistakes which lead to
exploits of assymetric cryptography.</li>
</ul>
<h4 id="public-key-cryptography-elliptic-curve-crypto">Public key
cryptography: Elliptic-curve crypto</h4>
<ul>
<li><a
href="http://andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-a-gentle-introduction/">Elliptic
Curve cryptography: A gentle introduction</a>.</li>
<li><a
href="http://blog.oleganza.com/post/162861219668/eli5-how-digital-signatures-actually-work">Explain
me like I’m 5: How digital signatures actually work</a> - EdDSA
explained with ease and elegance.</li>
<li><a
href="http://andrea.corbellini.name/2015/05/23/elliptic-curve-cryptography-finite-fields-and-discrete-logarithms/">Elliptic
Curve Cryptography: finite fields and discrete logarithms</a>.</li>
<li><a href="https://www.johannes-bauer.com/compsci/ecc/">Detailed
Elliptic Curve cryptography tutorial</a>.</li>
<li><a
href="http://andrea.corbellini.name/2015/05/30/elliptic-curve-cryptography-ecdh-and-ecdsa/">Elliptic
Curve Cryptography: ECDH and ECDSA</a>.</li>
<li><a
href="http://andrea.corbellini.name/2015/06/08/elliptic-curve-cryptography-breaking-security-and-a-comparison-with-rsa/">Elliptic
Curve Cryptography: breaking security and a comparison with
RSA</a>.</li>
<li><a href="http://eprint.iacr.org/2008/390.pdf">Elliptic Curve
Cryptography: the serpentine course of a paradigm shift</a> - Historic
inquiry into development of ECC and it’s adoption.</li>
<li><a
href="http://blog.bjrn.se/2015/07/lets-construct-elliptic-curve.html">Let’s
construct an elliptic curve: Introducing Crackpot2065</a> - Fine example
of building up ECC from scratch.</li>
<li><a href="http://www.hyperelliptic.org/EFD/">Explicit-Formulas
Database</a> - For many elliptic curve representation forms.</li>
<li><a href="https://cr.yp.to/ecdh/curve25519-20060209.pdf">Curve25519:
new Diffie-Hellman speed records</a> - Paper on Curve25519.</li>
<li><a
href="http://delta.cs.cinvestav.mx/~francisco/arith/julio.pdf">Software
implementation of the NIST elliptic curves over prime fields</a> -
Pracitcal example of implementing elliptic curve crypto, by M. Brown et
al.</li>
<li><a href="https://ed25519.cr.yp.to/ed25519-20110926.pdf">High-speed
high-security signatures</a> - Seminal paper on EdDSA signatures on
ed25519 curve by Daniel J. Bernstein et al.</li>
<li><a
href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf">Recommendations
for Discrete Logarithm-Based Cryptography: Elliptic Curve Domain
Parameters (NIST SP 800-186)</a> - Official NIST guide how securely
implement elliptic curves. It also includes math shortcuts,
optimizations and possible security risk of wrong algorithm
implementation. <a
href="https://csrc.nist.gov/pubs/sp/800/186/final">(February
2023)</a></li>
<li><a href="https://eprint.iacr.org/2019/023.pdf">Biased Nonce Sense:
Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies</a> -
Computing private keys by analyzing and exploiting biases in ECDSA
nonces.</li>
<li><a href="https://eprint.iacr.org/2020/728.pdf">Minerva: The curse of
ECDSA nonces</a> - Exploiting timing/bit-length leaks for recovering
private keys from ECDSA signatures</li>
<li><a href="https://eprint.iacr.org/2020/615.pdf">LadderLeak: Breaking
ECDSA With Less Than One Bit Of Nonce Leakage</a> - Breaking 160-bit
curve ECDSA using less than one bit leakage.</li>
</ul>
<h4 id="zero-knowledge-proofs">Zero Knowledge Proofs</h4>
<ul>
<li><a href="https://cseweb.ucsd.edu/~mihir/papers/pok.pdf">Proofs of
knowledge</a> - A pair of papers which investigate the notions of proof
of knowledge and proof of computational ability, M. Bellare and O.
Goldreich.</li>
<li><a href="https://www.wisdom.weizmann.ac.il/~oded/gmw1.html">How to
construct zero-knowledge proof systems for NP</a> - Classic paper by
Goldreich, Micali and Wigderson.</li>
<li><a
href="http://www.math.ias.edu/~avi/PUBLICATIONS/MYPAPERS/GMW86/GMW86.pdf">Proofs
that yield nothing but their validity and a Methodology of Cryptographic
protocol design</a> - By Goldreich, Micali and Wigderson, a relative to
the above.</li>
<li><a href="https://www.hindawi.com/journals/tswj/2014/560484/">A
Survey of Noninteractive Zero Knowledge Proof System and Its
Applications</a>.</li>
<li><a
href="https://web.archive.org/web/20211122040931/https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.469.9048&amp;rep=rep1&amp;type=pdf">How
to Prove a Theorem So No One Else Can Claim It</a> - By Manuel
Blum.</li>
<li><a
href="https://web.archive.org/http://crypto.cs.mcgill.ca/~crepeau/BCR86.pdf">Information
Theoretic Reductions among Disclosure Problems</a> - Brassau et al.</li>
<li><a
href="https://github.com/manjunath5496/Shafi-Goldwasser-Publications/blob/master/1989-siamjc.pdf">Knowledge
complexity of interactive proof systems</a> - By GoldWasser, Micali and
Rackoff. Defining computational complexity of “knowledge” within zero
knowledge proofs.</li>
<li><a href="http://www.austinmohr.com/work/files/zkp.pdf">A Survey of
Zero-Knowledge Proofs with Applications to Cryptography</a> - Great
intro on original ZKP protocols.</li>
<li><a
href="https://web.archive.org/web/20220211100630/https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.26.585&amp;rep=rep1&amp;type=pdf">Zero
Knowledge Protocols and Small Systems</a> - A good intro into Zero
knowledge protocols.</li>
<li><a
href="https://link.springer.com/chapter/10.1007%2F978-3-319-96881-0_25">Multi-Theorem
Preprocessing NIZKs from Lattices</a> - Construction of non-interactive
zero-knowledge (NIZK) proofs using lattice-based preprocessing models,
by Sam Kim and David J. Wu.</li>
</ul>
<h4 id="key-management">Key Management</h4>
<ul>
<li><a
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf">Recommendation
for Key Management – Part 1: General</a> - Methodologically very
relevant document on goals and procedures of key management.</li>
<li><a
href="https://link.springer.com/content/pdf/10.1007/s00145-001-0009-4.pdf">Selecting
Cryptographic Key Sizes</a> - Classic paper from 1999 with guidelines
for the determination of key sizes for symmetric cryptosystems, RSA,
ECC, by Arjen K. Lenstra and Eric R. Verheul.</li>
</ul>
<h4 id="math">Math</h4>
<ul>
<li><a
href="https://www.cse.iitk.ac.in/users/manindra/algebra/primality_v6.pdf">PRIMES
is in P</a> - Unconditional deterministic polynomial-time algorithm that
determines whether an input number is prime or composite.</li>
</ul>
<h4 id="post-quantum-cryptography">Post-quantum cryptography</h4>
<ul>
<li><a href="https://eprint.iacr.org/2017/314.pdf">Post-quantum
cryptography - dealing with the fallout of physics success</a> - Brief
observation of mathematical tasks that can be used to build
cryptosystems secure against attacks by post-quantum computers.</li>
<li><a
href="https://web.archive.org/web/20210510200628/https://www.researchgate.net/profile/Nicolas-Sendrier-2/publication/226115302_Code-Based_Cryptography/links/540d62d50cf2df04e7549388/Code-Based-Cryptography.pdf">Post-quantum
cryptography</a> - Introduction to post-quantum cryptography.</li>
<li><a href="https://cr.yp.to/papers/pqrsa-20170419.pdf">Post-quantum
RSA</a> - Daniel Bernshtein’s insight how to save RSA in post-quantum
period.</li>
<li><a href="https://eprint.iacr.org/2021/1144.pdf">MAYO: Practical
Post-Quantum Signatures from Oil-and-Vinegar Maps</a> - The Oil and
Vinegar signature scheme, proposed in 1997 by Patarin, is one of the
oldest and best-understood multivariate quadratic signature schemes. It
has excellent performance and signature sizes. This paper is about
enhancing this algorithm in usage in the post-quantum era. <a
href="https://pqmayo.org/">Official website</a>.</li>
</ul>
<hr>
<h3 id="books">Books</h3>
<p>That seems somewhat out of scope, isn’t it? But these are books only
fully available online for free. Read them as a sequence of papers if
you will.</p>
<ul>
<li><a href="https://crypto.stanford.edu/~dabo/cryptobook/">A Graduate
Course in Applied Cryptography</a> - By Dan Boneh and Victor Shoup. A
well-balanced introductory course into cryptography, a bit of
cryptanalysis and cryptography-related security.</li>
<li><a
href="https://web.archive.org/web/20220209130435/https://www.esat.kuleuven.be/cosic/publications/thesis-16.pdf">Analysis
and design of cryptographic hash functions, MAC algorithms and block
ciphers</a> - Broad overview of design and cryptanalysis of various
ciphers and hash functions, by Bart Van Rompay.</li>
<li><a
href="https://www.cryptool.org/en/ctp-documentation/ctbook">CrypTool
book</a> - Predominantly mathematically oriented information on
learning, using and experimenting cryptographic procedures.</li>
<li><a href="https://cacr.uwaterloo.ca/hac/">Handbook of Applied
Cryptography</a> - By Alfred J. Menezes, Paul C. van Oorschot and Scott
A. Vanstone. Good classical introduction into cryptography and
ciphers.</li>
<li><a href="http://web.engr.oregonstate.edu/~rosulekm/crypto/">The joy
of Cryptography</a> - By Mike Rosulek. A lot of basic stuff covered
really well. No ECC.</li>
<li><a href="http://www.shoup.net/ntb/">A Computational Introduction to
Number Theory and Algebra</a> - By Victor Shoup, excellent starters book
on math universally used in cryptography.</li>
</ul>
<hr>
<h3 id="lectures-and-educational-courses">Lectures and educational
courses</h3>
<ul>
<li><a href="http://www.crypto-textbook.com/">Understanding
cryptography: A textbook for Students and Practitioners</a> - Textbook,
great lectures and problems to solve.</li>
<li><a href="https://www.crypto101.io/">Crypto101</a> - Crypto 101 is an
introductory course on cryptography, freely available for programmers of
all ages and skill levels.</li>
<li><a
href="https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf">A
Course in Cryptography</a> - Lecture notes by Rafael Pass, Abhi
Shelat.</li>
<li><a href="https://cseweb.ucsd.edu/~mihir/papers/gb.pdf">Lecture Notes
on Cryptography</a> - Famous set of lectures on cryptography by Shafi
Goldwasser (MIT), M. Bellare (University of California).</li>
<li><a href="https://www.youtube.com/watch?v=2aHkqB2-46k">Introduction
to Cryptography by Christof Paar</a> - Video course by Christof Paar
(University of Bochum in Germany). In english.</li>
<li><a href="https://www.coursera.org/learn/crypto">Cryptography I</a> -
Stanford University course on Coursera, taught by prof. Dan Boneh. <a
href="https://www.coursera.org/learn/crypto2">Cryptography II</a> is
still in development.
<hr></li>
</ul>
<h3 id="online-crypto-challenges">Online crypto challenges</h3>
<p>Not exactly papers, but crypto challenges are awesome educational
material.</p>
<ul>
<li><p><a href="https://cryptohack.org/">CryptoHack</a></p></li>
<li><p><a href="https://cryptopals.com/">Cryptopals crypto
challenges</a>.</p></li>
<li><p><a href="https://id0-rsa.pub/">id0-rsa crypto
challenges</a>.</p></li>
<li><p><a href="https://www.mysterytwisterc3.org/en/">MTC3</a> - xipher
contest with more than 200 challenges of different levels, a moderated
forum, and a hall-of-fame.</p></li>
</ul>
<h2 id="license">License</h2>
<p><a href="https://creativecommons.org/publicdomain/zero/1.0/"><img
src="http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg"
alt="CC0" /></a></p>
<p>To the extent possible under law, author has waived all copyright and
related or neighboring rights to this work.</p>