The first rule of cryptography is never to implement one yourself. “It’s going to get crushed to dust by anyone who knows what they’re doing”
I do believe that everyone deep down at one point in their lives has thought that Cryptography — the art of writing and solving codes — is fascinating and considered learning more about it. People want to keep secrets safe, and people want to know the secrets of others.
When I was a young child, as a game, my friends and I used to make “cipher algorithms”. These were basically just substitution ciphers with a few complicated but totally useless rules added. It’s embarrassing and quite frankly stupid, but I guess we had fun like with most childhood games. Then “life happened”, I never really got to explore cryptography.
High school came and I came across The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography (affiliate link) by Simon Singh — a compellingly written book describing the highlights in the history of cryptography. The author couldn’t have phrased the book’s major theme better: “the ongoing evolutionary battle between code makers and code breakers”. The feeling of wanting to learn more about code making and breaking came back. Then “life happened”, I never really got to explore cryptography.
When Coursera launched, more than six years back, one of their first few courses was Cryptography I based on Professor Dan Boneh’s graduate course at Stanford. It’s a very short course, approximately 30 hours to complete, they say. That’s so cool! The course is less than 30 hours, “I’ll definitely take it soon!” I told myself. But, again, years went by, and again (you guessed it) “life happened”, I never really got to explore cryptography.
It’s really such a shame when “life” always “happens” and you decide, “yeah, well, while this is interesting, everything else is more important”. It’s a weird and quite sad feeling, when life gets in the way of living.
A couple weeks back, the actual details are quite blurry, I started the aforementioned short course. At this point, the course has an average rating of 4.8 stars with more than 2,400 ratings and 493 reviews, with more than 200,000 students “enrolled”. Awesome!
I chose not to get a certificate mainly because I felt that completing just 30 hours of work doesn’t really make me qualified for anything, so the certificate is pretty much 100% useless (like my childhood “cipher algorithms”). One reason people buy the certificate is because it helps them finish the course. Personally, I don’t think the psychology applies to me. I mean, it didn’t help me with gym. 😔
In my experience, what really helps the most is having an accountability partner, a classmate in this course. Not only will you have “pressure” to finish the course, you get to bounce ideas off each other, and more importantly, it’s more fun!
The course is broken down into six parts — six sets of bite-size videos with an accompanying quiz and programming assignment. There is a “final exam” after everything. The quizzes and final exam are 10–16 multiple choice items each. You can do the programming assignments in any programming language you want, as the course only verifies the output of your program given a specific input.
In my opinion, I would argue that doing quizzes is one of the most important if not the most important thing in the course. The programming assignments were my favorite and the most fun part, of course, but the quizzes really test your understanding.
This might be contrary to the traditional classroom, but I think it’s also a very good idea to discuss your thought process and have an exchange of ideas about why you think your answer to a given question is correct with a classmate before submitting. Even after discussions, I get some of my answers wrong! I wish there were more questions for each quiz.
In a nutshell, in my own words, I think cryptography is all about constructing, analyzing, and breaking systems that aim to prevent others from reading private messages. At the same time, it’s about making sure that the messages received are the messages that were actually sent. Modern cryptography has actually become much more than this, such as playing a key role in decentralized systems, digital signatures, anonymous communication, anonymous digital cash and more.
“Anything that can be done with a trusted authority can also be done without.”
The objective set for us by Professor Dan Boneh was to learn how cryptography primitives work and how to use them correctly and reason about security. He recommends taking notes and pausing the videos frequently to think about the material. This is definitely helpful. Again, it really helps having an accountability partner and classmate to take this course with.
While cryptography is a tremendous tool and the basis for many security mechanisms, Dan stresses that cryptography is NOT the solution to all security problems, is NOT reliable unless implemented and used properly, and is NOT something you should try to invent yourself. He stresses it several times.
Throughout the course, he discusses many examples of broken cryptography systems that have been deployed in the real world:
While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error. No amount of unit testing will uncover a security vulnerability in a cryptosystem.
He proceeds to explain that we have to rely on mathematical modeling and proofs to show how that particular system satisfies the security properties, given certain plausible assumptions. He also emphasizes that the course is about constructing practical cryptosystems given a precise security goal under precise assumptions.
The images above are the preface of the draft of the book intended to accompany this course. The course tackles Part I and the first part of Part II.
I said that although I think the quizzes were the most important, the programming assignments were the most fun and of course my favorite part. Although they are “toy problems”, they helped solidify my understanding and my appreciation of the subject.
I got to decrypt “intercepted” stream ciphertext which had been encrypted by the same key (a stream cipher key should never be used more than once!). I got to implement block ciphers and basic textbook RSA from scratch. I built a toy file authentication system that simulates how you can authenticate and play video chunks as they are downloaded without having to wait for the entire file. I wrote scripts to break RSA when the public modulus was generated incorrectly (another proof that you shouldn’t implement cryptography systems yourself!). I wrote code that demonstrated the “padding oracle attack” and “meet in the middle attack”.
Here are my partner’s implementations of some cryptographic attacks in Rust.
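The file authentication idea mentioned above (verifying video chunks as they arrive instead of after the full download) can be sketched with a backward SHA-256 hash chain. This is an added example, not the author's or their partner's code; the 1024-byte chunk size, the all-zero end marker and every function name are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK = 1024        # assumed chunk size in bytes
END = bytes(32)     # assumed end-of-stream marker carried by the last packet


class TamperedStream(Exception):
    """Raised when a packet does not match the hash announced before it."""


def build_chain(data: bytes, block: int = BLOCK):
    """Return (h0, packets); each packet is chunk || SHA-256 of the next packet."""
    chunks = [data[i:i + block] for i in range(0, len(data), block)] or [b""]
    packets, next_hash = [], END
    for chunk in reversed(chunks):            # build from the last chunk backwards
        packet = chunk + next_hash
        packets.append(packet)
        next_hash = hashlib.sha256(packet).digest()
    return next_hash, packets[::-1]           # next_hash is now h0, the chain root


def stream_verify(h0: bytes, packets):
    """Yield each chunk once its packet verifies; raise on tampering or truncation."""
    expected = h0
    for index, packet in enumerate(packets):
        digest = hashlib.sha256(packet).digest()
        if len(packet) < len(END) or not hmac.compare_digest(digest, expected):
            raise TamperedStream(f"packet {index} failed verification")
        chunk, expected = packet[:-len(END)], packet[-len(END):]
        yield chunk                           # safe to play: bound to h0 by the chain
    if expected != END:                       # sender stopped before the last packet
        raise TamperedStream("stream ended before the final packet")


def play(h0: bytes, packets):
    """Return (chunks accepted so far, error message or None)."""
    played = []
    try:
        for chunk in stream_verify(h0, packets):
            played.append(chunk)
    except TamperedStream as exc:
        return played, str(exc)
    return played, None


if __name__ == "__main__":
    h0, packets = build_chain(bytes(range(256)) * 10 + b"tail")  # constructed sample
    print(play(h0, packets[:2])[1])
```

Only `h0` has to reach the receiver over a channel it already trusts; every later packet is checked against a hash carried inside the previous, already verified packet.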
I came across Cryptopals which involves learning Cryptography not by attending a class or reading a book but by coding solutions to problems. I look forward to spending time doing the eight sets of challenges provided by Cryptopals.
This is a different way to learn about crypto than taking a class or reading a book. We give you problems to solve. They’re derived from weaknesses in real-world systems and modern cryptographic constructions. We give you enough info to learn about the underlying crypto concepts yourself. When you’re finished, you’ll not only have learned a good deal about how cryptosystems are built, but you’ll also understand how they’re attacked.
In summary, I found this 30-hour course informational, enjoyable and well worth my time. The programming assignments were really fun to do. It truly helps (and is much more fun!) to have an accountability partner with whom you’ll share this journey.
I chose not to get a certificate mainly because I felt that completing just 30 hours of work doesn’t really make me qualified for anything. Sadly, the second part of this course is not yet available.
I’m still at the very beginning of my cryptography journey. My next intention is to solve Cryptopals challenges which is a different way to learn about crypto.
One of the main things that pushed me to embark on this journey is feeling it’s really such a shame when “life” always “happens” and you decide, “yeah, well, while this is interesting, everything else is more important”. It’s a weird and quite sad feeling, when life gets in the way of living. I guess there was just an unfamiliar forgotten urge to just learn something for learning’s sake, and it was well worth it. ❤ ❤ ❤