Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data.
Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.
idk, I think it’s as worth mentioning as the writing style, which a lot of the comments are about. and I think they’re fair — don’t mind the style myself
Math Academy is awesome, I'm fully hooked, but, repeating something I wrote elsewhere: it is a bleak existential confrontation with your ineptitude with fractions.
I'm signing up like, oh, I have a lot of gaps I can fill in with calculus, and it's like, no, you got a lot of gaps you need to fill in with simplifying cube root expressions. The best is every once in a while it double checks to make sure I still know what multiplication is, with like Dick and Jane bought 10 apples problems. I have given it no reason to believe otherwise! But I trust the algorithm.
Also, I go too fast through them and do stuff in my head that I should write down and make dumb mistakes, and when I get the "Incorrect" I'm like, yeah, I see exactly the dumb thing I did, let's move on, and it's like, no, let's do a next problem that's real nice and easy to make sure you get this and I'm like "stop patronizing me motherfucker".
Cryptography Engineering definitely does not hold up. It predates (almost willfully, given the chronology) modern notions of AEAD, key derivation, random number generation, and elliptic curve asymmetric cryptography.
The standard recommendation these days is Aumasson's Serious Cryptography. I like David Wong's Real-World Cryptography as well.
I really enjoyed the book and it certainly helped me, but it's also the only cryptography book I've ever read. I appreciate you challenging my suggestion!
I just checked and it has been a whopping 12 years since I purchased/read the book, so I retract my recommendation.
Sorry, you're right, I should have been less clinical about this. Practical Cryptography (which is essentially the exact same book by the same authors) was also the first cryptography book that clicked in any meaningful way for me, and really lit me up about the prospect of finding vulnerabilities in cryptosystems.
I would actively recommend against using it as a guide in 2025. But you're not crazy to have liked it before. Funny enough, 12 years ago, I wrote a blog post about this:
I read the beginning of the post and it looks quite interesting. I'll read the rest tomorrow when my mind is sharper.
I checked my blog and I also wrote a post about some crypto related things shortly after I purchased the book. It's a post about a bug in the JDK that I stumbled across, which I am certain I would not have understood without Bruce's book:
I am a lot more cynical about Schneier's influence on the practice of cryptography engineering today than I was when he and Ferguson (who I am not cynical about at all) wrote the book back in 2003.
We ran these challenges at Matasano with the public, under a system where you could only get the next 8 challenges after demonstrating that you'd solved the previous 8, after I wrote an internal guide for our consultants on the cryptographic vulnerabilities they should be capable of addressing on engagements. What you're reading there is basically an internal README. They got very popular (many, many people have solved all of them without additional prompting), but we didn't really invest any extra time in cleaning them up or refining their pedagogy.
I'm blown away by the response. In Sean and Alex's defense (especially Sean's), the writing got better in set 7 and, especially, set 8, which Sean was really careful about and which is clearly the crown jewel of the whole series.
Exploitable mathematical structure arising purely from the concept of an iterated cipher is probably what Nick meant there by "an actual mathematical break". SHACAL-2 is also an iterated cipher with a relatively simple round structure.
Pretty much all block ciphers (and therefore their derivative constructions) are iterated.
The SHACAL-2 permutation though is much more mathematically unstructured than AES. It's an augmented ARX unbalanced Feistel design (w/ additional non-linearities). Hard to imagine you could reconstruct any usable mathematical structure in that mess. It also has a strong key schedule which is not vulnerable to related-key attacks (AES is) which is by design due to its hashing application. 512-bit key space too which allows for easy nonce integration.
Most block ciphers iterate the same round function, but this regularity is destroyed by using distinct round keys in each round.
The only vulnerabilities of the iterated construction appear when a weak method is used for generating the round keys from the cipher key (i.e. when the so-called key schedule is weak), so that there are predictable relationships between the round keys.
There exists an alternative (and equivalent) construction for a block cipher, when the same key is introduced in all rounds, but in this case all the round functions must be different from each other (instead of iterating the same function).
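To make the three comments above concrete, here is an added example (not from the thread, and deliberately a toy, not a real cipher): a 32-bit Feistel cipher whose round function is iterated eight times. With an all-equal round-key schedule the cipher is literally one function iterated, so it commutes with a single extra round; per-round derived keys, or the equivalent "same key, different round function" form using round constants, destroy that self-similarity. The `commutes_with_round` check is a structural test I constructed for illustration.

```python
# Added example: toy 32-bit Feistel cipher (constructed, insecure, for illustration).
import hashlib

MASK16 = 0xFFFF
ROUNDS = 8
# Constructed distinct round constants for the "same key, different round functions" form.
RC = [0x1F3A, 0x4B2C, 0x7E55, 0x9D01, 0xA6C8, 0xC37B, 0xE912, 0xF0A4]

def f(half: int, rk: int) -> int:
    """Toy keyed 16-bit round function: XOR key, affine mix, rotate (constructed)."""
    v = (half ^ rk) & MASK16
    v = (v * 0x9E37 + 0x7F4A) & MASK16
    return ((v << 5) | (v >> 11)) & MASK16

def feistel_round(block: int, rk: int) -> int:
    left, right = block >> 16, block & MASK16
    return (right << 16) | (left ^ f(right, rk))

def schedule_weak(key: int) -> list:
    """Every round key identical: the cipher degenerates to one function iterated."""
    return [key & MASK16] * ROUNDS

def schedule_good(key: int) -> list:
    """Round keys derived independently per round (SHA-256 used as the PRF here)."""
    return [int.from_bytes(hashlib.sha256(key.to_bytes(4, "big") + bytes([i])).digest()[:2], "big")
            for i in range(ROUNDS)]

def schedule_constants(key: int) -> list:
    """Same key in every round, but each round function differs via a round constant."""
    return [(key ^ RC[i]) & MASK16 for i in range(ROUNDS)]

def encrypt(block: int, round_keys: list) -> int:
    for rk in round_keys:
        block = feistel_round(block, rk)
    return block

def decrypt(block: int, round_keys: list) -> int:
    swap = lambda b: ((b & MASK16) << 16) | (b >> 16)
    block = swap(block)
    for rk in reversed(round_keys):
        block = feistel_round(block, rk)
    return swap(block)

def commutes_with_round(round_keys: list, samples: int = 256) -> bool:
    """Structural check: E(R(x)) == R(E(x)) for one round R keyed with the first round key.
    True means the whole cipher is a pure iterate of R, the regularity the comment describes."""
    rk = round_keys[0]
    for x in range(samples):
        pt = (x * 0x2545F491 + 0x1234) & 0xFFFFFFFF
        if encrypt(feistel_round(pt, rk), round_keys) != feistel_round(encrypt(pt, round_keys), rk):
            return False
    return True
```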
Ironically, the reason SHA2 isn't reachable by the attacks that broke SHA1 is the simplicity of the SHA1 message schedule, which was also by design due to its hashing application.
SHA1 has a sloppy key/msg schedule. They could have just done a random permutation of words and been safe - it would have even been cheaper than what they ended up doing. Such as what BLAKE does.
Side channels aren't block cipher cryptanalysis. There's some very basic side channel stuff in Cryptopals, but modern side channel analysis is primarily microarchitectural, which is a significant change in focus, and someone should do a standalone resource on that.
That's not true, there are plenty of side-channel attacks that fall squarely within the realm of block cipher cryptanalysis. Examples include Differential Fault Analysis (DFA), Correlation Power Analysis (CPA) and more.
It's true that practical side-channel leaks on software block cipher implementations tend to be microarchitectural (e.g. cache timing), but that's only because the "easier" attacks are already mitigated or considered out of scope (e.g. no physical access).
David Wong hasn't been at NCC Cryptography for a long time, so I assume we'll be waiting a long time before we get to Linear and Differential cryptanalysis, but if that's a thing you're interested in, what you want is the Heys tutorial:
Interestingly enough, the Square attack (otherwise more generally known as integral cryptanalysis) is much more powerful than regular linear or differential cryptanalysis when applied to the AES.
Well, I mean, it's a self-parodying site, since almost every common domain you type into it fails the test. People calling you out for flunking on that site are saying something important about themselves, not about your security practice.
https://news.ycombinator.com/newsguidelines.html