- ["Selected Papers in Anonymity"](https://www.freehaven.net/anonbib/)
* [ ] Abadi and Rogaway (2001), ["Reconciling Two Views of Cryptography"](https://courses.cs.washington.edu/courses/cse590q/03au/abadi00reconciling.pdf)
* [x] Abdalla et al. (2001), ["DHIES: An Encryption Scheme based on the Diffie-Hellman Problem"](https://web.cs.ucdavis.edu/~rogaway/papers/dhies.pdf)
* [ ] Abe et al. (2007), ["Tag-KEM/DEM: A New Framework for Hybrid Encryption"](https://link.springer.com/article/10.1007/s00145-007-9010-x)
* [ ] Alwen et al. (2020), ["Analyzing the HPKE Standard"](https://eprint.iacr.org/2020/1499)
* [x] An (2001), ["Authenticated Encryption in the Public-Key Setting: Security Notions and Analyses"](https://eprint.iacr.org/2001/079)
* [ ] Ari and Brainard (1999), ["Client Puzzles: A Cryptographic Countermeasure against Connection Depletion Attacks"](http://www.arijuels.com/wp-content/uploads/2013/09/JB99.pdf)
- [ ] Bamberger et al. (2022), "Verification Dilemmas, Law, and the Promise of Zero-Knowledge Proofs"
* [ ] Barak (2021), ["An Intensive Introduction to Cryptography"](https://intensecrypto.org/)
* [ ] Beck et al. (2019), ["Automating the Development of Chosen Ciphertext Attacks"](https://eprint.iacr.org/2019/958.pdf)
* [ ] Bellare et al. (1999), ["Relations among Notions of Security for Public-Key Encryption Schemes"](https://www.di.ens.fr/david.pointcheval/Documents/Papers/1998_crypto.pdf)
* [ ] Bellare et al. (2014), ["Security of Symmetric Encryption against Mass Surveillance"](https://eprint.iacr.org/2014/438)
* [ ] Bellare et al. (2020), ["Reimagining Secret Sharing: Creating a Safer and More Versatile Primitive by Adding Authenticity, Correcting Errors, and Reducing Randomness Requirements"](https://eprint.iacr.org/2020/800.pdf)
* [ ] Bernstein et al. (2015), ["Dual EC: A Standardized Back Door"](https://eprint.iacr.org/2015/767)
* [ ] Boneh and Shoup (2023), ["A Graduate Course in Applied Cryptography"](https://toc.cryptobook.us)
* [ ] Bjørstad and Dent (2005), ["Building Better Signcryption Schemes with Tag-KEMs"](https://eprint.iacr.org/2005/405)
* [ ] Canetti et al. (1997), ["Deniable Encryption"](https://eprint.iacr.org/1996/002)[^1]
* [ ] Canetti (2001), "Universally Composable Security: A New Paradigm for Cryptographic Protocols"[^2]
* [ ] Chan and Rogaway (2019), ["Anonymous AE"](https://eprint.iacr.org/2019/1033)
* [ ] Chan and Rogaway (2022), ["On Committing Authenticated Encryption"](https://eprint.iacr.org/2022/1260)
* [ ] Cheval et al. (2022), ["Hash Gone Bad: Automated Discovery of Protocol Attacks That Exploit Hash Function Weaknesses"](https://eprint.iacr.org/2022/1314)
* [x] Chou and Orlandi (2015), ["The Simplest Protocol for Oblivious Transfer"](https://eprint.iacr.org/2015/267.pdf)
* [ ] Das et al. (2007), ["Anonymity Trilemma: Strong Anonymity, Low Bandwidth Overhead, Low Latency—Choose Two"](https://eprint.iacr.org/2017/954)
* [ ] Dent (2005), ["Hybrid Signcryption Schemes with Outsider Security"](https://cogentcryptography.com/papers/outer.pdf)
* [ ] Dent (2009), ["Hybrid Cryptography"](https://eprint.iacr.org/2004/210.pdf)
* [ ] Diffie (1988), ["The First Ten Years of Public-Key Cryptography"](https://cr.yp.to/bib/1988/diffie.pdf)
* [ ] Diffie and Hellman (1977), "New Directions in Cryptography"
* [ ] Dolev and Yao (1983), ["On the Security of Public Key Protocols"](http://www.cs.huji.ac.il/~dolev/pubs/dolev-yao-ieee-01056650.pdf)
* [ ] Haber and Pinkas (2001), ["Securely Combining Public-Key Cryptosystems"](https://static.aminer.org/pdf/20170130/pdfs/ccs/osakzu1jb67tm0oqfvyqgea9j5lsxevz.pdf)
* [ ] Hale and Komlo (2022), ["On End-to-End Encryption"](https://eprint.iacr.org/2022/449)
* [ ] Fenske and Johnson (2023), ["Security Notions for Fully Encrypted Protocols"](https://www.petsymposium.org/foci/2023/foci-2023-0004.pdf) ([via](https://github.com/net4people/bbs/issues/383))
* [ ] Fenske and Johnson (2024), ["Bytes to Schlep? Use a FEP: Hiding Protocol Metadata with Fully Encrypted Protocols"](https://arxiv.org/abs/2405.13310) ([via](https://github.com/net4people/bbs/issues/383))
* [ ] Goldwasser (2015), ["Cryptographic Assumptions: A Position Paper"](https://eprint.iacr.org/2015/907.pdf)[^3]
* [ ] Kerckhoffs (1883), [*Military Cryptography: or, Ciphers Used in Time of War*](https://militarycryptography.xyz/book/lcm.pdf)
* [ ] Kobeissi (2021), ["An Analysis of the ProtonMail Cryptographic Architecture"](https://eprint.iacr.org/2018/1121.pdf)
* [ ] Kuhn et al. (2021), ["Plausible Deniability for Anonymous Communication"](https://www.intellisec.org/pubs/2021-wpes.pdf)
* [x] Lai et al. (2020), ["Compact, Efficient and UC-Secure Isogeny-Based Oblivious Transfer"](https://eprint.iacr.org/2020/1012.pdf)
* [ ] Lowe (1997), [“A Hierarchy of Authentication Specifications”](https://conferences.computer.org/sp/pdfs/csf/1997/1997-lowe-hierarchy.pdf)
* [ ] Martínez et al. (2010), ["A Comparison of the Standardized Versions of ECIES"](https://ieeexplore.ieee.org/abstract/document/5604194)
* [ ] Nowak (2007), ["A Framework for Game-Based Security Proofs"](https://eprint.iacr.org/2007/199)
* [ ] Patton and Shrimpton (2019), [“Security in the Presence of Key Reuse: Context-Separable Interfaces and Their Applications”](https://eprint.iacr.org/2019/519)
* [ ] Raghunathan (2011), ["Proofs in Cryptography"](https://crypto.stanford.edu/~ananthr/docs/crypto-proofs.pdf)
* [x] Rivest (1998), ["Chaffing and Winnowing: Confidentiality without Encryption"](https://people.csail.mit.edu/rivest/pubs/Riv98a.pdf)
* [ ] Rogaway (2015), ["The Moral Character of Cryptographic Work"](https://eprint.iacr.org/2015/1162.pdf)
* [ ] Rogaway and Shrimpton (2007), ["Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem"](https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf)
* [ ] Rogaway and Zhang (2018), ["Onion-AE: Foundations of Nested Encryption"](https://eprint.iacr.org/2018/126)
* [ ] Rosulek (2021), [*The Joy of Cryptography*](https://joyofcryptography.com)
* [ ] Shoup (2006), ["Sequences of Games: A Tool for Taming Complexity in Security Proofs"](https://eprint.iacr.org/2004/332.pdf)
* [ ] Steele and Wood (2023), [“New Cryptography at the IETF”](https://datatracker.ietf.org/meeting/118/materials/slides-118-saag-new-cryptography-at-the-ietf-00)
* [ ] Thormarker (2021), ["On Using the Same Key Pair for Ed25519 and X25519-based KEM"](https://eprint.iacr.org/2021/509.pdf)
* [ ] Yadav et al. (2023), ["Cryptographic Deniability: A Multi-perspective Study of User Perceptions and Expectations"](https://www.usenix.org/system/files/usenixsecurity23-yadav.pdf)
* [ ] Unger (2001), [*End-to-End Encrypted Group Messaging with Insider Security*](https://uwspace.uwaterloo.ca/handle/10012/17196)

## Authentication and key agreement

- [ ] Alwen et al. (2023), ["The Pre-Shared Key Modes of HPKE"](https://eprint.iacr.org/2023/1480)
- [ ] Alwen et al. (2024), ["How Multi-Recipient KEMs Can Help the Deployment of Post-Quantum Cryptography"](https://pqshield.com/wp-content/uploads/2024/09/how-multi-recipient-kems.pdf)
* [x] Barnes et al. (2022), ["Hybrid Public Key Encryption"](https://datatracker.ietf.org/doc/html/rfc9180) (RFC 9180)
- [ ] Campagna and Petcher (2020), ["Security of Hybrid Key Encapsulation"](https://eprint.iacr.org/2020/1364)
* [ ] Cremers et al. (2023), ["Keeping Up with the KEMs: Stronger Security Notions for KEMs and Automated Analyses of KEM-based Protocols"](https://eprint.iacr.org/2023/1933)
* [ ] Coijanovic et al. (2025), ["Sabot: Efficient and Strongly Anonymous Bootstrapping of Communication Channels"](https://eprint.iacr.org/2025/971)
* [ ] Connolly (2024), ["How to Hold KEMs"](https://durumcrustulum.com/2024/02/24/how-to-hold-kems/)
* [ ] der Have (2022), ["The X3DH Protocol: A Proof of Security"](https://www.cs.ru.nl/bachelors-theses/2021/Ferran_van_der_Have___4104145___The_X3DH_Protocol_-_A_Proof_of_Security.pdf)
* [ ] Dowling et al. (2022), ["Strongly Anonymous Ratcheted Key Exchange"](https://eprint.iacr.org/2022/1187.pdf)
* [ ] Gajland et al. (2024), ["Ring Signatures for Deniable AKEM: Gandalf's Fellowship"](https://eprint.iacr.org/2024/890)
* [ ] Gajland et al. (2025), ["Shadowfax: Combiners for Deniability"](https://eprint.iacr.org/2025/154)
* [ ] Lynch and Meadows (2004), ["Sound Approximations to Diffie-Hellman Using Rewrite Rules"](https://link.springer.com/chapter/10.1007/978-3-540-30191-2_21)
* [ ] Madden (2021), ["From KEMs to Protocols"](https://neilmadden.blog/2021/04/08/from-kems-to-protocols/)
* [ ] NIST (2024), FIPS 203, ["Module-Lattice-Based Key-Encapsulation Mechanism Standard"](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf)
* NIST (forthcoming), SP 800-227, "Recommendations for Key-Encapsulation Mechanisms"
* [ ] Perrin (2018), ["The Noise Protocol Framework"](https://noiseprotocol.org/noise.html)
* [ ] Poettering et al. (2021), ["SoK: Game-based Security Models for Group Key Exchange"](https://eprint.iacr.org/2021/305.pdf)
* [ ] Riepel and Rösling (2025), ["Basic Definitions, Constructions, and Proofs for Unilateral Authenticated Key Exchange"](https://github.com/charlie-j/fm-crypto-lib/blob/9c6c23045f1f16f2f0253c9a16aac83d9f427865/Notes/computational/main.pdf)
* [ ] Smart (2004), ["Efficient Key Encapsulation to Multiple Parties"](https://sci-hub.st/10.1007/978-3-540-30598-9_15)
- [ ] Syverson and Traudt (2019), ["Self-Authenticating Traditional Domain Names"](https://blog.pastly.net/papers/secdev19-satdomains.pdf)
* [x] Unger and Goldberg (2015), ["Deniable Key Exchanges for Secure Messaging"](http://www.cypherpunks.ca/~iang/pubs/dake-ccs15.pdf)

### Key derivation and combination

- [ ] Aviram et al. (2022), ["Practical (Post-Quantum) Key Combiners from One-Wayness and Applications to TLS"](https://eprint.iacr.org/2022/065.pdf)
- [ ] Backendal et al. (2023), ["When Messages Are Keys: Is HMAC a Dual-PRF?"](https://eprint.iacr.org/2023/861.pdf)
- [ ] Bindel et al. (2018), ["Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange"](https://eprint.iacr.org/2018/903.pdf)
- [ ] Campagna and Petcher (2020), ["Security of Hybrid Key Encapsulation"](https://assets.amazon.science/c2/a3/473dcc4149c6bc47002da7460dcc/security-of-hybrid-key-encapsulation.pdf)
- [ ] Giacon et al. (2018), ["KEM Combiners"](https://eprint.iacr.org/2018/024)
- [ ] Krawczyk and Eronen (2010), ["HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"](https://datatracker.ietf.org/doc/html/rfc5869) (RFC 5869)
- [ ] Ricci et al. (2024), ["Hybrid Keys in Practice: Combining Classical, Quantum, and Post-Quantum Cryptography"](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10430098)

## Messaging

- [ ] Facebook (2023), ["Messenger End-to-End Encryption Overview"](https://engineering.fb.com/wp-content/uploads/2023/12/MessengerEnd-to-EndEncryptionOverview_12-6-2023.pdf)
- [x] Albrecht et al. (2022), ["Four Attacks and a Proof for Telegram"](https://eprint.iacr.org/2023/469)
- [ ] Basin et al. (2024), ["A Formal Analysis of the iMessage PQ3 Messaging Protocol"](https://security.apple.com/assets/files/A_Formal_Analysis_of_the_iMessage_PQ3_Messaging_Protocol_Basin_et_al.pdf)
- [ ] Beck et al. (2021), ["Fuzzy Message Detection"](https://eprint.iacr.org/2021/089)
- [ ] Cremers et al. (2022), ["Formal Analysis of Session-Handling in Secure Messaging: Lifting Security from Sessions to Conversations"](https://eprint.iacr.org/2022/1710)
- [ ] Cohn-Gordon et al. (2018), ["On-Ends-to-Ends Encryption"](https://dl.acm.org/doi/pdf/10.1145/3243734.3243747)
- [ ] Dodis et al. (2019), ["Fast Message Franking: From Invisible Salamanders to Encryptment"](https://eprint.iacr.org/2019/016)
- [ ] Delaune et al. (2017), ["Formal Verification of Protocols based on Short Authenticated Strings"](https://inria.hal.science/hal-01528607/document)
- [ ] Fiedler and Janson (2024), ["A Deniability Analysis of Signal's Initial Handshake PQXDH"](https://eprint.iacr.org/2022/1260)
- [ ] Kleppmann et al. (2018), ["From Secure Messaging to Secure Collaboration"](https://link.springer.com/chapter/10.1007/978-3-030-03251-7_21)
- [ ] Linker et al. (2024), ["A Formal Analysis of Apple’s iMessage PQ3 Protocol"](https://eprint.iacr.org/2024/1395)
- [ ] Liu and Tromer (2022), ["Oblivious Message Retrieval"](https://eprint.iacr.org/2021/1256.pdf)
- [ ] Liu et al. (2023), ["Group Oblivious Message Retrieval"](https://eprint.iacr.org/2023/534)
- [x] Liu et al. (2024), ["Oblivious Message Retrieval"](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a115/1Ub23ocBmKI)
- [ ] Pasini (2009), ["Secure Communication Using Authenticated Channels"](https://secu.famillepasini.ch/files/2009/phd/pasini_phd_thesis.pdf)
* [ ] Rösler et al. (2021), ["More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema"](https://eprint.iacr.org/2017/713.pdf)
* [ ] Seres et al. (2021), ["The Effect of False Positives: Why Fuzzy Message Detection Leads to Fuzzy Privacy Guarantees?"](https://eprint.iacr.org/2021/1180)
* [ ] Unger et al. (2015), ["SoK: Secure Messaging"](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7163029)
* [ ] Unger (2021), ["End-to-End Encrypted Group Messaging with Insider Security"](https://uwspace.uwaterloo.ca/items/0bef20b7-6996-4801-b0a1-e9096bab8c8d)
* [ ] Vaudenay (2005), ["Secure Communication over Insecure Channels based on Short Authenticated Strings"](https://link.springer.com/content/pdf/10.1007/11535218_19.pdf)
* [x] Wang et al. (2024), ["Should We Chat, Too? Security Analysis of WeChat’s MMTLS Encryption Protocol"](https://citizenlab.ca/2024/10/should-we-chat-too-security-analysis-of-wechats-mmtls-encryption-protocol/)
* [ ] Yadav et al. (2022), [“Automatic Detection of Fake Key Attacks in Secure Messaging”](https://dl.acm.org/doi/10.1145/3548606.3560588)

## Private information retrieval (PIR)

- [ ] Mahdavi and Kerschbaum (2022), ["Constant-weight PIR: Single-round Keyword PIR via Constant-weight Equality Operators"](https://www.usenix.org/conference/usenixsecurity22/presentation/mahdavi)

## Quantum/post-quantum cryptography

* [ ] Banerjee et al. (2024), ["Post-Quantum Cryptography for Engineers"](https://datatracker.ietf.org/doc/html/draft-ietf-pquip-pqc-engineers-04)
* [ ] Castryck et al. (2018), ["CSIDH: An Efficient Post-Quantum Commutative Group Action"](https://eprint.iacr.org/2018/383.pdf)
* [ ] Connolly (2024), ["Going Post Quantum"](https://archive.org/details/oscw-2024-deirdre-connolly-going-post-quantum)
* [ ] Schmieg (2024), ["PQC for Non-Cryptographers"](https://keymaterial.net/2024/08/30/pqc-for-non-cryptographers/)
- [ ] Young et al. (2024), ["Societal Implications of Quantum Technologies through a Technocriticism of Quantum Key Distribution"](https://firstmonday.org/ojs/index.php/fm/article/view/13571)

## Signatures

- [ ] An et al. (2002), ["On the Security of Joint Signature and Encryption"](https://www.iacr.org/archive/eurocrypt2002/23320080/adr.pdf)
- [ ] Krawczyk (2001), ["The Order of Encryption and Authentication for Protecting Communications: or, How Secure Is SSL?"](https://www.iacr.org/archive/crypto2001/21390309.pdf)
* [ ] Paterson et al. (2011), [“On the Joint Security of Encryption and Signature, Revisited”](https://eprint.iacr.org/2011/486.pdf)

## Specifications

- [ ] [EasyCrypt](https://github.com/EasyCrypt/easycrypt)
- [ ] [hacspec](https://github.com/hacspec/hacspec), superseded by [hax](https://github.com/hacspec/hax)
- [ ] Erbsen et al. (2019), ["Simple High-Level Code for Cryptographic Arithmetic—with Proofs, without Compromises"](http://adam.chlipala.net/papers/FiatCryptoSP19/FiatCryptoSP19.pdf)
- [ ] Sullivan and Wood (2023), [“Guidelines for Writing Cryptography Specifications”](https://datatracker.ietf.org/doc/draft-irtf-cfrg-cryptography-specification/)

## Testing

- [ ] Costa et al. (2022), ["Asserting the Correctness of Shor Implementations Using Metamorphic Testing"](https://dl.acm.org/doi/abs/10.1145/3549036.3562062)
- [ ] Pugh et al. (2019), ["Systematic Testing of Lightweight Cryptographic Implementations"](https://csrc.nist.gov/CSRC/media/Events/lightweight-cryptography-workshop-2019/documents/papers/systematic-testing-of-lightweight-crypto-lwc2019.pdf)
- [ ] ["Developing Effective Test Strategies for Cryptographic Algorithm Implementations"](https://csrc.nist.gov/CSRC/media/Presentations/systematic-testing-of-lightweight-cryptographic-im/images-media/sesssion11-raunak-systematic-testing.pdf)
- [ ] Pugh et al. (2019), ["Systematic Testing of Post-Quantum Cryptographic Implementations Using Metamorphic Testing"](https://dl.acm.org/doi/abs/10.1109/MET.2019.00009)
- [ ] Wolf and Schönwälder (2021), ["Applying Metamorphic Testing to Homomorphic Cryptography"](https://ieeexplore.ieee.org/document/9477673)

## Transparency, verification, auditing

- [ ] Brandt et al. (2024), ["A Formal Treatment of Key Transparency Systems with Scalability Improvements"](https://eprint.iacr.org/2024/1938)
- [ ] Cheval et al. (2023), ["Automatic Verification of Transparency Protocols"](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10190509)
- [ ] Hu et al. (2021), ["Merkle^2: A Low-Latency Transparency Log System"](https://eprint.iacr.org/2021/453)
- [ ] Len et al. (2023), ["OPTIKS: An Optimized Key Transparency System"](https://eprint.iacr.org/2023/1515)
- [x] Linker (2024), ["Formal Verification of Transparency Systems"](https://datatracker.ietf.org/doc/slides-interim-2024-keytrans-01-sessa-formal-verification-of-transparency-systems/)
- [ ] Meiklejohn et al. (2020), ["Think Global, Act Local: Gossip and Client Audits in Verifiable Data Structures"](https://arxiv.org/abs/2011.04551)
- [ ] Melara et al. (2014), ["CONIKS: Bringing Key Transparency to End Users"](https://eprint.iacr.org/2014/1004)
- [ ] Miller et al. (2014), ["Authenticated Data Structures, Generically"](https://dl.acm.org/doi/10.1145/2535838.2535851)
- [ ] Valsorda (2024), ["Modern Transparency Logs"](https://www.youtube.com/watch?v=SOfOe_z37jQ)

[^1]: Rivest (1998), "Chaffing and Winnowing"
[^2]: Unger and Goldberg (2015), ["Deniable Key Exchanges for Secure Messaging"](http://www.cypherpunks.ca/~iang/pubs/dake-ccs15.pdf)
[^3]: Rogaway (2015), ["The Moral Character of Cryptographic Work"](https://web.cs.ucdavis.edu/~rogaway/papers/moral-fn.pdf)