In contrast to many introductory cryptography texts, this one concentrates on the theory of cryptography: what is in fact meant by security? How can security be measured? What are the conditions under which a cryptosystem (or hash function, or any other cryptographic primitive) can be said to be secure?

The book is in three sections: the first consists of two short chapters and is introductory and discursive; the second (chapters 3 to 7) investigates security as applied to secret-key cryptography; and the third discusses public key cryptography.

The language of probability pervades this text, as it should. For example, suppose one of two messages is encrypted and the ciphertext passed to an “adversary.” If the adversary cannot determine which of the two plaintexts corresponds to the ciphertext with probability greater than 1/2, the system is “perfectly secure.” A slightly weaker definition, but more useful in practice, is to define security as the probability of the adversary choosing the correct plaintext being no greater than 1/2 + negl(*n*), where negl is a “negligible function” (one that is asymptotically less than the reciprocal of any positive polynomial, such as 2^{-n}), and *n* is a parameter defined in terms of the lengths of the plaintext and ciphertext.

There are discussions on security based on information held by the adversary: chosen plaintext attack (CPA)-secure and chosen ciphertext attack (CCA)-secure. It is shown, for example, what it means for a cryptosystem to be secure against such an attack.

The five chapters of the Part 2 expand upon this definition (which is very clearly and precisely stated) and its ramifications to hash functions, secret-key systems, encryption modes, and other cryptographic primitives. Chapters 6 and 7 introduce some practical systems: the data encryption standard (DES) and its variants; the advanced encryption standard (AES); the hash functions MD5 and SHA-0 to SHA-3; and pseudorandom generators.

Although DES might seem to have been discussed to death in pretty much every cryptography text published in the last few decades, the authors provide here a refreshingly different approach: one in which the various building blocks (in particular the Feistel structure) are each carefully analyzed for the security they provide. This means, for example, that there can be a discussion on attacking DES with fewer rounds, as well as an (optional) section on differential and linear cryptanalysis.

The text also clearly differentiates theoretical from practical attacks. The birthday attack for hash functions, in its most theoretical form, requires a great deal of memory, which is noted to be “in general, a scarcer resource than time.” For such an attack to be practical, some means must be found to minimize the storage requirements, which leads to “small-space birthday attacks.” This is in fact only a small part of the text, but it nicely illustrates the book’s structure, its attention to detail, and its rigor.

The second half of the text investigates public-key cryptography, again defining security probabilistically, and very carefully showing how that definition can be used to show that a public-key system is secure. One example, which neatly sums up the flavor of the book, is theorem 11.8, which states: “If the DDH problem is hard relative to *G*, then the El Gamal encryption scheme is CPA-secure.” Here *G* is the polynomial-time algorithm that outputs a description of a cyclic group of order *n* and a generator, over which the El Gamal system is defined. DDH is the decisional Diffie-Hellman problem, and its “hardness” is again carefully described using probability.

A particularly elegant example is the RSA cryptosystem, which would seem to be secure simply because of the difficulty of factoring large numbers. But this is not true; since RSA is deterministic (same input produces the same output), in its basic form it is trivially insecure against a chosen plaintext attack. This raises the question: how secure is RSA? This text carefully investigates security assumptions and foundations (using the random oracle model) to precisely define how a public-key system can be said to be secure.

Examples of cryptosystems are scattered throughout the book--DES, AES, RSA, El Gamal, Rabin, Paillier, and Goldwasser-Micali, for example--but in fact these are not the main aim of the text. This text is not a compendium of cryptosystems, with a nod in the direction of their security, but instead sits at a more profoundly fundamental level. It is, as the authors are careful to point out, a text about the theory of modern cryptography.

Cryptography can be an abstruse science: notationally complex and with definitions requiring particular precision and care. A cryptosystem can’t be said to be “secure” without a firm foundation as to the meaning of security, and the context in which it is being applied. It is easy for authors to be confused in their discussions and imprecise in their reasoning. I think that Katz and Lindell have done a remarkable job in maintaining clarity and rigor, without sacrificing approachability. The text is even pleasantly chatty and discursive when needed.

The authors aim to be “accessible,” and I think the text is so, given the subtlety of its material. For a course of study, it would be suited to upper undergraduate or beginning postgraduate students: a mathematics student (or indeed, anybody else with some mathematics background) wishing to come to grips with modern cryptographic theory could do a great deal worse than this text.

More reviews about this item: Amazon