Best practices in applied cryptography have changed drastically over the last few decades. We know that if a cryptosystem can go wrong, in practice it will go wrong. A classic example is nonce reuse, which a wide number of symmetric ciphers, signature schemes, and authentication protocols are susceptible to (see CryptoHack challenges “ProSign 3” and “Forbidden Fruit”). In response, cryptographers have come up with algorithms such as EdDSA and AES-GCM-SIV which are designed to thwart such common and catastrophic usage errors. Further, in a perfect world developers wouldn’t be touching primitives at all, but would instead be making use of modern high-level libraries with well-documented APIs and a strong set of algorithms under the hood (libsodium, pyca/cryptography, Tink).

Similarly, decades of experience of attacks against TLS, and confidence in algorithms like AES which have stood the test of time, have shown that too much interoperability and cipher agility is bad for secure protocols. Instead we should limit ourselves to the best ciphers that we know of, using authenticated encryption and ephemeral key exchanges, while encrypting and authenticating as much of the handshake as we possibly can - ideas crystallised in TLS 1.3 and taken even further in other modern protocols which completely eradicate the tricky dance of cipher and parameter negotiation.

Picture of the book

Real-World Cryptography (2021) is full of this accumulated practical wisdom, and is an excellent addition to any cryptography bookshelf. It is fun to read, fills a gap which the existing introductory books on applied cryptography don’t cover, and will remain relevant for a while. It is useful both to cryptography amateurs, as well as motivated generalist programmers who want to know the latest advice on which algorithms and protocols to use without getting lost in the maths.

The book starts with chapters on cryptographic primitives and what they provide. The focus is very much on state-of-the-art implementations of those primitives. For instance, the chapter on symmetric encryption is actually titled “Authenticated encryption”. After a high-level overview of AES, and a section on what is wrong with ECB and CBC block cipher modes, the chapter introduces the concept of authenticated encryption with associated data (AEAD) and dedicates the most space to describing AES-GCM and ChaCha20-Poly1305. Finally, the chapter ends with paragraphs on the specific challenges posed by key wrapping, disk encryption, and database encryption. The message is clear: if you need to encrypt data, then unless you’re dealing with a special case like disk encryption, AEAD ciphers are what your application should be using under the hood.

The second part of the book looks at protocols, “the recipes of cryptography”. The chapters on secure transport and end-to-end encryption dedicate the vast majority of room to TLS 1.3, the Noise protocol, and the Signal protocol. Next are intriguing chapters on hardware cryptography, cryptocurrency (Wong believes this is the first general cryptography book with such a chapter), post-quantum cryptography, and next-generation cryptography (MPCs, ZKPs, and FHE). I don’t know of any other cryptography book with such clear and intuitive introductions to these fascinating yet intimidating areas. Finally, the book concludes with a chapter on why cryptography goes wrong, which mentions resources including CryptoPals and CryptoHack (yay!).

Overall I felt the second half of the book was weaker than the first in a few places. The end-to-end encryption chapter could have been structured better: while I don’t disagree with the criticism the author has for PGP, the chapter rushes to describe the flaws of PGP before fully explaining what it is, and never mentions its more successful use-case in open source package distribution. The description of the Signal protocol that comes after is more intensely technical than other parts of the book and doesn’t follow as well as it could from the PGP section. I didn’t like that the cryptocurrency chapter had a section on Facebook’s Diem blockchain; for a second cryptocurrency after the Bitcoin section, a smart contract cryptocurrency such as Ethereum would have been a more natural choice.

It’s worth briefly comparing Real-World Cryptography to a couple other books in the field. The last applied cryptography book that I imagine a lot of developers would have read is Ferguson and Schneier’s Cryptography Engineering (2010). While still a good read, it’s now dated and even when it was published, contained large omissions such as any coverage of elliptic curve cryptography.

Real-World Cryptography is quite a lot less formal than Cryptography Engineering, for instance it doesn’t have much notation or even references. That’s not a disadvantage, in fact the style of Real-World Cryptography is very readable and intuitive, however those who prefer a highly rigorous approach might find it harder to get along with. Due to the breadth of topics covered, depth is necessarily sacrificed in a lot of places. Real-World Cryptography distinguishes itself from Cryptography Engineering and other solid reads like Serious Cryptography (2017) by avoiding theoretical cryptography and mathematics even more than those books do, and using the extra space to surface a whole bunch of practical concerns and protocols which you might only otherwise learn about by tracking down an assortment of papers and blog posts. As Wong says in the preface, “this is what I would have written to my past self in order to prepare him for the real world”. And there’s value in this book for a large audience; even those who already know a lot about cryptography will learn something from this wide-ranging tour of the field. I would recommend it to anyone who is curious about what real-world cryptography looks like in 2022 and what it could look like in the future.