TY - JOUR
T1 - Comparative book review: Cryptography: An Introduction by V. V. Yaschenko (American Mathematical Society, 2002); Cryptanalysis of Number Theoretic Ciphers by S.S. Wagstaff, Jr. (Chapman & Hall/CRC Press, 2003); RSA and Public-Key Cryptography by R. A.
JF - SIGACT News
Y1 - 2005
A1 - Katz, Jonathan
AB - With the growing interest in cryptography --- from students and researchers as well as from the general public --- there has been a corresponding increase in the number of cryptography textbooks available. Many of these, however, remain somewhat mired in the past, and present cryptography from a pre-1980s point of view. Indeed, there are very few published books which even make an attempt (let alone a successful one) at covering modern cryptography. This unfortunate state of affairs results in a serious lack of books describing the fundamental advances in the field that have taken place since the mid-1980's; this is especially true at the undergraduate and beginning graduate levels, where there is a severe need for suitable texts in this area. The central contributions of modern (i.e., post-1980) cryptography include an emphasis on precise definitions, formalizations of cryptographic goals, and provably-secure constructions of higher-level tasks (e.g., signatures) from lower-level primitives (e.g., one-way functions). Without precise definitions and rigorous proofs of security, cryptography is reduced to a "game" in which the goal is merely to design a scheme that one's friend or colleague cannot "break". Any exposition of cryptography failing to recognize and emphasize the difference between the former and the latter approaches misses a substantial fraction of what current cryptographic research is about, and is a disservice to the field. Sadly, however, almost all cryptography textbooks of which I am aware fall into this category. 
A classic example of the problems with an "ad-hoc" approach to cryptography is the following simple test I often use to discriminate "good" cryptography books from "poor" ones: flip to the section on digital signatures and see whether it is stated anywhere that "textbook RSA" signatures are completely insecure. It is a simple exercise to show that this is the case (the same holds for "textbook RSA" encryption, but it is somewhat more difficult to demonstrate), yet most books make no mention of this (central!) fact, and instead leave the reader with the impression that secure signature schemes based on the RSA problem are easy to design. Some might argue that there is no place for rigorous definitions and proofs in a book directed toward undergraduates, but I take this misconception as a thinly-guised insult to undergraduate computer science majors. Undergraduates in other majors are taught quantum mechanics, thermodynamics, analysis, and abstract algebra, to name a few, all difficult subjects that are taught rigorously (to varying degrees, perhaps). Why should an undergraduate course on cryptography be expected to be any less rigorous than these? Continuing the disappointing trend discussed above, neither of the first three books reviewed here qualify as (what I would consider) appropriate for introducing the interested reader to the field of cryptography. Cryptography: An Introduction gets a number of things right, but overall is a muddled, poorly written, and disorganized text whose intended audience is unclear. Cryptanalysis. . . is a useful book which I am glad to have on my shelf, but it fails at its stated goal of serving as a suitable text for an introductory cryptography course. It would serve better as a book on elementary number theory (with applications to cryptography, perhaps), and I wish it had been advertised and organized as such. 
A somewhat similar book, RSA and Public-Key Cryptography suffers from the same criticisms; furthermore, I found its treatment of number theory to be not quite on par with that in Wagstaff's book. In contrast to these, Foundations of Cryptography presents a clear and accurate picture of the foundations underlying modern cryptography; in fact, it is currently the only published book I am aware of which does so. Its primary drawback is that it is likely to be inaccessible to the beginning student; it is more appropriate for a researcher or an advanced graduate student who has previously been exposed to the basics of cryptography, either of whom would benefit from a careful reading of this book cover-to-cover.
VL - 36
SN - 0163-5700
UR - http://doi.acm.org/10.1145/1067309.1067316
CP - 2
M3 - 10.1145/1067309.1067316
ER -