Curated Compendium of Cryptology (downloadable PDF's)

Curated Cryptology Compendium
771 downloadable PDF's (49,152 pages!) & more

A curated, exhaustive collection of foundational, historical, and declassified materials, by Tony Patti.
While the focus is on FREE downloadable PDF's, also take a look at my Amazon Cryptography Books section.

(Most recently updated on May 03, 2026)

I welcome additions and corrections!
It is my hope that this Compendium becomes a COMMUNITY PROJECT, a shared resource.
And I will ATTRIBUTE any ADDITIONS with your name, unless you prefer not.
Send your emails to Tony Patti at crypto@glassblower.info

Title | Author(s) | Description | Access
Handbook of Applied Cryptography Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone The definitive professional reference for all algorithms. The chapters can be individually downloaded. There are 19 PDF's.
Alfred Menezes also offers the following free online courses on YouTube:
Take a look at his website https://cryptography101.ca/ or his YouTube channel https://www.youtube.com/@cryptography101-alfred/courses
803-page PDF(s)
A Graduate Course in Applied Crypto Boneh & Shoup Stanford's modern curriculum; mathematically rigorous. 1130-page PDF
The Joy of Cryptography Mike Rosulek An undergraduate-level textbook introducing students to the fundamentals of provable security. The full open-access HTML version will be released in stages (with the complete book arriving July 2026); the first several chapters are live now in a new, interactive format. Includes a bibliography with 222 references. LINK
Security Engineering (Third Edition 2020) Ross Anderson The 29 chapters can be individually downloaded for free.
The book is also available on Amazon (both eBook and printed formats). Recommended by Ralf Senderek. Chapters of note:
  • Chapter 5: Cryptography
  • Chapter 19: Side Channels
  • Chapter 20: Advanced Cryptographic Engineering
  • Chapter 23: Electronic and Information Warfare
  • Chapter 26: Surveillance or Privacy?
From the inside flap: In this newly revised Third Edition of Security Engineering: A Guide to Building Dependable Distributed Systems, celebrated security expert Ross Anderson updates his best-selling textbook to help you meet the challenges of the coming decade. Security Engineering became a classic because it covers not just the technical basics, such as cryptography, access controls and tamper-resistance, but also how they're used in real life. Real-world case studies - of the security of payment systems, military systems, the phone app ecosystems and now self-driving cars - demonstrate how to use security technology in practice, and what can go wrong. Filled with actionable advice and the latest research, this Third Edition brings a classic book up to date with the modern world of smartphones, cloud computing and AI. As everything gets connected to the Internet, security engineering has come to require inter-disciplinary expertise, ranging from physics to psychology and applied economics. Security Engineering is the only textbook on the market to explain all these aspects of protecting real systems, while still remaining easily accessible.
1041-page PDF(s)
A Cryptographic Compendium John J. G. Savard (1998-2000) Interestingly, I am NOT the first person to create a Compendium!
John J. G. Savard created his 832-page Compendium (as a multi-page website and PDF) more than 25 years back!
This site contains a brief outline of the various types of cipher systems
that have been used historically, and tries to relate them to each other while avoiding a lot of mathematics. Its chapters are:
1. Introduction
2. Paper and Pencil Systems
3. Electrical and Mechanical Cipher Machines
4. Telecipher Machines
5. The Computer Era
6. Public-Key Cryptography
7. Miscellaneous Topics
You can also go directly to a complete table of contents (which starts on PDF page 31).
For those who are deeply interested in true randomness: while "random" appears on 295 of these 832 pages, the only section in the Table of Contents containing "random" is "Pass Phrases and Randomness" (pages 743 and 744). I also see a Cryptologia article he wrote, "The ECM Mark II: Design, History, and Cryptology", published July 1999.
832-page PDF

Foundational Papers

Paper Title | Author(s) | Historical Significance | Access
A Mathematical Theory of Communication Claude Shannon (1948) Claude Shannon’s 1948 paper is arguably the most influential work in the history of communication technology, as it essentially "invented" the concept of the bit and founded the field of Information Theory. The Bell System Technical Journal, Vol. 27, pp. 379–423, 623–656, July, October, 1948. Shannon introduced these concepts:
1. The Communication Model: He established the universal schematic for all communication systems, consisting of an information source, transmitter, channel, receiver, and destination.
2. Entropy ($H$): He defined a mathematical measure for "information" or "uncertainty," using the formula $H = -\sum p_i \log p_i$
3. Channel Capacity ($C$): He proved that for any given noisy channel, there exists a maximum rate (in bits per second) at which information can be transmitted with an arbitrarily small error rate.
4. Redundancy and Compression: He explained how we can use the statistical structure of a language (like English) to compress data.
55-page PDF
Communication Theory of Secrecy Systems Claude Shannon (1949) Foundational paper of information theory applied to cryptography. Published in the Bell System Technical Journal (Volume 28-4, pages 656-715, October 1949). The material in this paper appeared in a confidential report "A Mathematical Theory of Cryptography" dated Sept. 1, 1946, which was later declassified. 60-page PDF
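Shannon's entropy formula from the 1948 paper and the unicity distance from the 1949 paper, carried through in Python as an added example (this is not code from either paper). The letter-frequency table and the whole-language redundancy figure of 3.2 bits per letter are assumed, commonly quoted approximations; the 56-bit key is simply the DES-sized example used elsewhere on this page.

```python
"""Entropy, redundancy and unicity distance.

Added example, not code from either Shannon paper. H = -sum p_i log2 p_i
(1948) is the information per symbol. For a 26-letter alphabet the
redundancy per letter is D = log2(26) - H. Shannon's 1949 paper shows that
a cipher with key entropy H(K), used on a language with redundancy D,
leaves a unique key after about U = H(K) / D letters of ciphertext (the
'unicity distance'). Below that length several keys decrypt to plausible text.
"""
import math
from collections import Counter
from typing import Dict, Iterable

# Approximate English single-letter frequencies in percent. Assumed values
# taken from standard published tables; illustrative only.
ENGLISH_PCT: Dict[str, float] = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228,
    "G": 2.015, "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025,
    "M": 2.406, "N": 6.749, "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987,
    "S": 6.327, "T": 9.056, "U": 2.758, "V": 0.978, "W": 2.360, "X": 0.150,
    "Y": 1.974, "Z": 0.074,
}

# Assumed whole-language redundancy of English in bits per letter: the
# commonly quoted figure, which also accounts for digram and word structure.
ENGLISH_REDUNDANCY_BITS = 3.2


def entropy_bits(weights: Iterable[float]) -> float:
    """Shannon entropy in bits of a distribution given as unnormalised weights."""
    ws = [w for w in weights if w > 0]
    total = sum(ws)
    return -sum((w / total) * math.log2(w / total) for w in ws)


def text_entropy(text: str) -> float:
    """Empirical single-letter entropy of a text (A-Z only, case folded)."""
    counts = Counter(ch for ch in text.upper() if "A" <= ch <= "Z")
    return entropy_bits(counts.values())


def redundancy_bits(h: float, alphabet_size: int = 26) -> float:
    """D = log2(alphabet) - H: bits per letter that carry no new information."""
    return math.log2(alphabet_size) - h


def unicity_distance(key_bits: float, redundancy: float) -> float:
    """U = H(K) / D. With D = 0 (a source with no redundancy) no amount of
    ciphertext singles out the key, so the distance is infinite."""
    return math.inf if redundancy <= 0 else key_bits / redundancy


def substitution_key_bits(alphabet_size: int = 26) -> float:
    """Key entropy of a uniformly chosen monoalphabetic substitution: log2(26!)."""
    return math.log2(math.factorial(alphabet_size))


if __name__ == "__main__":
    h1 = entropy_bits(ENGLISH_PCT.values())
    d1 = redundancy_bits(h1)
    print(f"single-letter entropy of English: {h1:.2f} bits (max {math.log2(26):.2f})")
    print(f"single-letter redundancy: {d1:.2f} bits/letter; "
          f"56-bit key unicity distance: {unicity_distance(56, d1):.0f} letters")
    print(f"with D = {ENGLISH_REDUNDANCY_BITS}: 56-bit key -> "
          f"{unicity_distance(56, ENGLISH_REDUNDANCY_BITS):.1f} letters; "
          f"substitution cipher ({substitution_key_bits():.1f} key bits) -> "
          f"{unicity_distance(substitution_key_bits(), ENGLISH_REDUNDANCY_BITS):.1f} letters")
    print("no redundancy at all:", unicity_distance(56, 0.0))
```

The single-letter model captures only about half a bit of redundancy per letter and so overstates the unicity distance roughly sixfold; the point of the 1949 paper is that the more redundant the plaintext, the less ciphertext an attacker needs to confirm a key guess, which is the classic argument for compressing before encrypting.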
New Directions in Cryptography Diffie & Hellman (1976) Introduction of Public Key Cryptography. 11-page PDF
A Method for Obtaining Digital Signatures and Public-Key Cryptosystems (TM-82) Rivest, Shamir, & Adleman (1977) The first full technical description of the RSA algorithm, published as an MIT Technical Memo (MIT/LCS/TM-82). 20-page PDF
A Description of a Single-Chip Implementation of the RSA Cipher Ronald L. Rivest (1980) Published in LAMBDA (now VLSI Design). Details the first attempt to put RSA on a single nMOS chip. 5-page PDF
A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms Taher ElGamal (1985) Provided a non-patented alternative to RSA, forming the basis for the Digital Signature Algorithm (DSA). 9-page PDF
Cryptography In An Algebraic Alphabet Lester Hill (1929) “American Mathematical Monthly”, June 1929, pages 306 - 312
The Impact of Hill’s 1929 Paper
Lester Hill’s 1929 paper, "Cryptography in an Algebraic Alphabet," was groundbreaking because it introduced the first functional "polygraphic" substitution cipher based on formal mathematics. Before Hill, most ciphers operated on single letters or small, fixed pairs (like the Playfair cipher). Hill utilized linear transformations — specifically matrix multiplication — to encrypt entire blocks of text simultaneously. By transforming a vector of plaintext letters into a vector of ciphertext letters through a secret key matrix, he ensured that the same letter would be encrypted differently depending on its position and the letters surrounding it. This mathematical approach effectively flattened the frequency distribution of the alphabet, rendering the standard frequency analysis used by codebreakers for centuries largely obsolete. It marked a definitive shift from "linguistic" cryptography to "algebraic" cryptography.
 
Hill notably used arithmetic "mod 26", a non-prime modulus, because of the 26 letters of the alphabet; a consequence is that only key matrices whose determinant is coprime to 26 (odd, and not a multiple of 13) can be inverted. In his "Concluding Remarks" he does mention finite fields, when he writes: "It need hardly be said that if full-fledged algebraic fields are employed, the opportunities of the cryptographer are greatly extended; he then has at his disposal a perfectly smooth algebra and its associated geometries. The writer hopes to submit a further communication on this subject. [ed: see Hill's 1931 paper] But the number of marks in a finite field is necessarily either a prime or a power of a prime. If our alphabet is to be converted into a finite field, the best that can be done is to omit one letter, say j, to obtain a field of twenty-five marks; or to adjoin an additional symbol so that a field of twenty-seven marks is available. The bi-operational alphabet of twenty-six letters, and the further development of its algebra, should therefore be of some importance in cryptography."
7-page PDF
 
Text transcribed
Concerning Certain Linear Transformation Apparatus of Cryptography Lester Hill (1931) “American Mathematical Monthly”, March 1931, pages 135 - 154.
The Expansion in the 1931 Paper
In his 1931 follow-up, "Concerning Certain Linear Transformation Apparatus of Cryptography," Hill shifted his focus from pure theory to practical, mechanical implementation. Recognizing that the matrix multiplication required for his system was too cumbersome and error-prone for manual use in the field, he detailed the design of a mechanical cipher machine (often referred to as his "Message Protector").
 
This makes sense, because in 1932 Hill was awarded US Patent# 1,845,947 entitled "Mechanical Message Protector" which mechanically implements the Hill Cipher.
 
This paper expanded on the 1929 work by diving into the complexity of ensuring "involutory" transformations, i.e. self-inverse ones (applying the transformation twice returns the original), so that the same machine setting both enciphers and deciphers a message. He also explored more complex systems involving multiple matrices and "substitution-permutation" concepts that foreshadowed the architecture of modern block ciphers. This paper bridged the gap between abstract linear algebra and the physical hardware of the early 20th-century "machine cipher" era.
 
The concluding paragraph in this 1931 paper talks about matrices-within-matrices! Here is the quote: "In any scale S, it is easy to set up an algebra for ranges of matrices whose elements are in turn matrices, the elements of these latter being again matrices, etc. But no important cryptographic advantages seem to arise from these further complications." [This would be a great idea for a future computer program, and presumably the plaintext vector and ciphertext vectors would also be a vector of matrices!]
21-page PDF
 
Text transcribed
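The 1929 cipher and the 1931 paper's involutory transformations, worked through in Python as an added example (this is not Hill's notation or code, nor anything from the Christensen paper). A block of letters is a column vector and enciphering is c = K p (mod 26); because 26 is not prime, the key matrix is usable only if its determinant is coprime to 26, and an involutory key satisfies K K = I so that one setting both enciphers and deciphers. The A=0..Z=25 mapping, the padding letter X, the sample keys, and the known-plaintext key recovery at the end (which follows from the cipher's linearity: n independent plaintext/ciphertext blocks give K = C P^-1) are this example's own assumptions.

```python
"""Hill cipher over Z_26 with key checks and a known-plaintext key recovery.

Added example, not Hill's own notation or code. A block of n letters is a
column vector p; encryption is c = K p (mod 26). Because 26 = 2 * 13 is not
prime, K is usable only when gcd(det K, 26) = 1 (det K odd and not a
multiple of 13). The same linearity that flattens letter frequencies also
means n independent plaintext/ciphertext blocks reveal K = C P^{-1}.
"""
from math import gcd
from typing import List

Matrix = List[List[int]]
MOD = 26
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
A2I = {ch: i for i, ch in enumerate(LETTERS)}


def det(m: Matrix) -> int:
    """Integer determinant by cofactor expansion (fine for the small n Hill used)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det([row[:j] + row[j + 1:] for row in m[1:]])
               for j in range(len(m)))


def is_valid_key(k: Matrix) -> bool:
    """Square and invertible modulo 26: det must be a unit in Z_26."""
    return all(len(row) == len(k) for row in k) and gcd(det(k) % MOD, MOD) == 1


def inverse_mod26(k: Matrix) -> Matrix:
    """K^{-1} = det(K)^{-1} * adj(K) (mod 26); adj is the transposed cofactor matrix."""
    d = det(k) % MOD
    if gcd(d, MOD) != 1:
        raise ValueError(f"det = {d} shares a factor with 26; key is not invertible")
    d_inv = pow(d, -1, MOD)
    n = len(k)
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for r, row in enumerate(k) if r != i]
            inv[j][i] = (d_inv * (-1) ** (i + j) * det(minor)) % MOD   # transposed
    return inv


def matmul(a: Matrix, b: Matrix) -> Matrix:
    """Matrix product reduced modulo 26."""
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) % MOD
             for j in range(len(b[0]))] for i in range(len(a))]


def is_involutory(k: Matrix) -> bool:
    """K K = I (mod 26): one setting both enciphers and deciphers."""
    n = len(k)
    return matmul(k, k) == [[int(i == j) for j in range(n)] for i in range(n)]


def blocks(text: str, n: int, pad: str = "X") -> List[List[int]]:
    """Letters only, upper-cased, split into n-letter blocks; last block padded with `pad`."""
    digits = [A2I[ch] for ch in text.upper() if ch in A2I]
    digits += [A2I[pad]] * (-len(digits) % n)
    return [digits[i:i + n] for i in range(0, len(digits), n)]


def encrypt(plaintext: str, k: Matrix) -> str:
    if not is_valid_key(k):
        raise ValueError("key matrix is not invertible modulo 26")
    out = []
    for block in blocks(plaintext, len(k)):
        column = matmul(k, [[x] for x in block])          # c = K p
        out.extend(LETTERS[row[0]] for row in column)
    return "".join(out)


def decrypt(ciphertext: str, k: Matrix) -> str:
    """p = K^{-1} c: decryption is encryption under the inverse key."""
    return encrypt(ciphertext, inverse_mod26(k))


def recover_key(plaintext: str, ciphertext: str, n: int) -> Matrix:
    """Known-plaintext attack: n plaintext blocks form the columns of P and the
    matching ciphertext blocks the columns of C; then K = C P^{-1} (mod 26).
    Requires the chosen plaintext blocks to be linearly independent mod 26."""
    p_cols, c_cols = blocks(plaintext, n)[:n], blocks(ciphertext, n)[:n]
    P = [[p_cols[j][i] for j in range(n)] for i in range(n)]
    C = [[c_cols[j][i] for j in range(n)] for i in range(n)]
    return matmul(C, inverse_mod26(P))


# Sample keys, constructed for this example.
KEY = [[3, 3], [2, 5]]               # det = 9, gcd(9, 26) = 1: usable
INVOLUTORY_KEY = [[3, 2], [9, 23]]   # K K = I (mod 26)
BAD_KEY = [[1, 2], [3, 4]]           # det = -2 is even: not invertible mod 26

if __name__ == "__main__":
    ct = encrypt("HELP", KEY)
    print("HELP ->", ct, "->", decrypt(ct, KEY))
    print("recovered key from 4 known letters:", recover_key("HELP", ct, 2))
    print("involutory:", is_involutory(INVOLUTORY_KEY), "| bad key usable:", is_valid_key(BAD_KEY))
```

The key-recovery routine is the caveat to the frequency-analysis point above: a linear cipher does hide single-letter statistics, but any known or correctly guessed plaintext of n² letters, arranged as n independent blocks, recovers the entire key matrix.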
Lester Hill Revisited Chris Christensen (2014) Abstract: Lester Sanders Hill (1890–1961) is best known for the Hill cipher which he published in 1929. However, there seem to be four periods of Hill's career. First, in 1926 and 1927, Hill published a series of papers on mathematical error-detection. Hill's ideas for error-detection are similar to the ideas he used in his cipher. Next, in 1929 and 1931, Hill published two papers that describe the Hill cipher. The third period of Hill's career, from 1927 until 1960, was the time he served on the mathematics faculty of Hunter College. During his time at Hunter College, Hill seems to have had a relationship with the Navy in which he served during World War I. Finally, while teaching at Hunter College, in the 1950s, Hill wrote his “later papers” on cryptography, which were not published but were sent to Naval Communications. Link
Godzilla Crypto Tutorial Peter Gutmann 856 slides in 11 parts, of which the first 10 (+ part 0) are the tutorial itself. The 12th part is extra material which covers (dated, First Crypto War) crypto politics. Part 12 isn't officially part of the technical tutorial itself, and is now only available via the Internet Archive, so I put that into the section for the First Crypto War (below). 428-page PDF(s)
TURING AWARD LECTURE: Reflections on Trusting Trust Ken Thompson (August 1984) Recommended by Ralf Senderek. Quote from the introduction: "I thank the ACM for this award. I can't help but feel that I am receiving this honor for timing and serendipity as much as technical merit. UNIX swept into popularity with an industry-wide change from central mainframes to autonomous minis. I suspect that Daniel Bobrow would be here instead of me if he could not afford a PDP-10 and had had to "settle" for a PDP-11. Moreover, the current state of UNIX is the result of the labors of a large number of people."
Quote from the last page: "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect."
3-page PDF
Proposals for Development of an Automatic Computing Engine (ACE) Alan Turing (1945) declassified 1960 As a follow-up to why the award above is named the "Turing Award", it is foundational to cite this Alan Turing paper. He was one of the first to describe a practical, high-speed stored-program computer that implemented his 1936 theories (the Universal Turing Machine, the basis of what we now call Turing completeness). This was his design for a physical computer (the Automatic Computing Engine). It bridges the gap between the "abstract tape" of 1936 and actual vacuum tubes and mercury delay lines. Because of the Official Secrets Act, Turing could not mention his work at Bletchley Park in his published 1940s/50s papers. However, the influence of cryptology is "hidden in plain sight" within them: in this paper, Turing mentions that his proposed computer could handle "the enumeration of groups of order 720" (see top of page 3), which sounds like abstract math but reads as a veiled reference to the kind of permutation work needed to crack military codes. The number 720 is 6 factorial (6 x 5 x 4 x 3 x 2 x 1), the order of the group of all permutations of 6 objects. The number of ways to arrange all 6 of the original German Naval Enigma rotors (before they added the 7th and 8th) is 720. 49-page PDF
 
Easier-to-read text on Wikisource.org
The Applications of Probability to Cryptography Alan Turing (1941) declassified 2012 The definitive record of how Alan Turing used advanced mathematics to "conquer" the uncertainty of the Enigma code. Written around 1941, it remained a state secret for 71 years until its declassification in 2012. The Invention of Information Units: In this paper, Turing introduced the "deciban", a logarithmic unit of probability, which allowed codebreakers to add pieces of evidence together like currency rather than multiplying complex fractions. Bayesian Foundations: Turing pioneered the practical application of Bayesian inference to decode messages, creating a formal system to calculate the likelihood that a specific rotor setting was correct based on the "score" of the resulting text. The "Factor Principle": He defined the "Factor Principle," a logical shortcut that allowed the Bletchley Park "Bombes" to rapidly discard millions of incorrect permutations by identifying "factors" of evidence that contradicted the known patterns of the German language. 105-page PDF (text first, then scans, then commentary)
Paper on Statistics of Repetitions Alan Turing (1942) declassified 2012 While Turing’s first paper provided the "scoring" system, this work focused on detection. It is essentially the mathematical blueprint for a "search algorithm" designed to find a needle in a haystack of random noise. The Problem of "Depth": The paper addresses how to determine if two different encrypted messages were sent using the same rotor settings. Turing treats this not as a linguistic problem, but as a statistical one—looking for "coincidences" in the text. The Index of Coincidence: Turing formalizes the logic of "repeats." He proves that in random gibberish, letters repeat at a predictable rate, but in a "depth" (where the same key is used), the repetition rate increases. This "statistical signature" allowed the Bombes to identify potential matches without actually knowing the German words. 4-page PDF
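The deciban and the repeat statistic described in the two entries above, as an added example in Python (not Turing's text or code). It models a "depth" test: two ciphertexts are in depth when they share a key stream, so with an additive cipher their aligned letters coincide at the plaintext rate rather than at the random rate of 1/26, and each aligned position contributes a fixed weight of evidence in decibans that simply adds up. The additive cipher, the coincidence rate of 1/17 for plaintext letter pairs, the sample messages and the key strings are all constructed assumptions of this example.

```python
"""Depth detection scored in Turing's decibans.

Added example, not from the papers. H1: the two messages were enciphered
with the same key stream ('in depth'), so aligned ciphertext letters repeat
whenever the aligned plaintext letters do. H0: independent keys, so aligned
letters repeat only at the random rate 1/26. The weight of evidence per
position is 10 * log10 of the Bayes factor, and weights add.
"""
import math
from typing import Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
P_RANDOM = 1 / 26   # chance that two unrelated letters coincide
P_DEPTH = 1 / 17    # ASSUMED plaintext coincidence rate; tune per language/corpus


def decibans(p_h1: float, p_h0: float) -> float:
    """Weight of evidence for H1 over H0, in decibans."""
    return 10.0 * math.log10(p_h1 / p_h0)


def encipher(plaintext: str, key: str) -> str:
    """Additive cipher C[i] = P[i] + K[i] mod 26, a stand-in for a key stream."""
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26]
                   for p, k in zip(plaintext, key))


def repeat_counts(a: str, b: str) -> Tuple[int, int]:
    """(repeats, misses) over the aligned positions of two texts."""
    repeats = sum(1 for x, y in zip(a, b) if x == y)
    return repeats, min(len(a), len(b)) - repeats


def depth_score(a: str, b: str, p_depth: float = P_DEPTH) -> float:
    """Total decibans in favour of 'same key stream' over 'independent keys'."""
    repeats, misses = repeat_counts(a, b)
    return (repeats * decibans(p_depth, P_RANDOM)
            + misses * decibans(1 - p_depth, 1 - P_RANDOM))


def posterior_odds(score_db: float, prior_odds: float = 1.0) -> float:
    """Turn accumulated decibans back into odds on H1."""
    return prior_odds * 10 ** (score_db / 10)


# Constructed sample data, not historical traffic.
P1 = "THEENEMYATTACKSATDAWN"
P2 = "THEWEATHERISFINETODAY"
K_SHARED = "XMCKLQZWBVPHGNJRTDFOY"
K_OTHER = "BRHUWQNCAKLXEOSTGVZJE"


def demo() -> Tuple[float, float]:
    """Scores for (both messages under K_SHARED, second message under K_OTHER)."""
    in_depth = depth_score(encipher(P1, K_SHARED), encipher(P2, K_SHARED))
    independent = depth_score(encipher(P1, K_SHARED), encipher(P2, K_OTHER))
    return in_depth, independent


if __name__ == "__main__":
    d, i = demo()
    print(f"per-repeat weight {decibans(P_DEPTH, P_RANDOM):+.2f} db, "
          f"per-miss weight {decibans(1 - P_DEPTH, 1 - P_RANDOM):+.2f} db")
    print(f"in depth:    {d:+.2f} db -> odds {posterior_odds(d):.1f}:1")
    print(f"independent: {i:+.2f} db -> odds {posterior_odds(i):.2f}:1")
```

With these parameters a repeat is worth about +1.85 db and a miss about -0.09 db, so scoring a pair of messages is a running sum rather than a product of fractions; a total of +10 db corresponds to odds of 10:1 in favour of the depth, and the same bookkeeping extends to any evidence with a known likelihood under each hypothesis.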
Critical Perspectives on Provable Security: Fifteen Years of “Another Look” Papers Neal Koblitz And Alfred Menezes Abstract. We give an overview of our critiques of “proofs” of security and a guide to our papers on the subject that have appeared over the past decade and a half. We also provide numerous additional examples and a few updates and errata. Originally written June 2019; last updated on June 2024. Recommended by Sandor LUKACS. 55-page PDF
Integrity, authentication and confidentiality in public-key cryptography (Doctoral Thesis) March 2018 Houda Ferradi Cryptography exists almost since the invention of writing. Nearly all ancient civilizations created some type of cryptic writing or cryptography. Until recently cryptography was considered as an art or as a game meant to construct, analyze and break codes. For centuries the discipline remained reserved to diplomats and military commanders. Modern cryptographic history began in the early 1900s with the advent of electrical communication technologies and the emergence of the Internet during the last twenty-five years.
 
One of the main goals of modern cryptography is the design of new cryptographic primitives and protocols. To prove the security of such algorithms, cryptographers proceed by steps: they first formally define security notions (this is done by defining a theoretical model capturing how an adversary could interact with the target system and the way in which we define "breaking" the system). We then design new schemes and prove their security within the framework of the previously designed model.
 
PDF pages 173 and 174 have some fascinating predictions, here are the bullet points, more details are in the text:
  1. An era of cryptographic thinking machines?
  2. Beyond Turing machines?
  3. Integrating cryptography and biology?
  4. An era of abstraction?
  5. A post modular-multiplication era?
  6. Redefining the adversary?
  7. An era of cryptographic sufficiency?
  8. An era of cryptographic bottlenecks?
  9. A shift in the demographics of cryptographic research?
  10. An era of fast-following agencies?
Thanks to Prof. Bill Buchanan for pointing me to this fascinating paper.
196-page PDF
Minimal Key Lengths For Symmetric Ciphers To Provide Adequate Commercial Security Matt Blaze, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, Michael Wiener Summarizing this important 1996 paper in one sentence: taking DES at 56 bits in 1975 as the baseline, the paper uses Moore's Law to calculate a 70-bit minimum for 1995, but recommends 75 bits to provide a safety margin for immediate commercial use. The Math: Moore's Law suggests computing power doubles every 18 months, P(t) = P_0 * 2^(t/1.5) with t in years. Each doubling of the attacker's power costs one bit of security, so to hold the security level constant the key length must grow as L(t) = L_0 + t/1.5. I thought it would be fun to extend the 1975-1995 calculations to the years 1965-2025.
Year     Calculation                        Predicted Minimum (Bits)
1965    56−(10/1.5)≈56−6.6         = 49 bits
1975    Baseline (DES)                   = 56 bits
1985    56+(10/1.5)≈56+6.6        = 63 bits
1995    56+(20/1.5)≈56+13.3      = 70 bits
2005    56+(30/1.5)≈56+20          = 76 bits
2015    56+(40/1.5)≈56+26.6       = 83 bits
2025    56+(50/1.5)≈56+33.3       = 90 bits
*BUT* if we were to take the position that 56 bits was INSUFFICIENT back in 1975, and instead used all 64 bits in 8 bytes, we would have this table instead. In fact, many cryptographers at the time (most famously Whitfield Diffie and Martin Hellman in 1976) argued that 56 bits was intentionally too weak from the moment it was standardized.
Year     Calculation                        New Minimum (Bits) vs. Original Estimate (Bits)
1965    64−6.6                               57 bits instead of 49 bits
1975    Baseline (Stronger DES)   64 bits instead of 56 bits
1985    64+6.6                               71 bits instead of 63 bits
1995    64+13.3                             77 bits instead of 70 bits
2005    64+20                                84 bits instead of 76 bits
2015    64+26.6                             91 bits instead of 83 bits
2025    64+33.3                             97 bits instead of 90 bits

Today's symmetric ciphers use far more than the 90-to-100 bits these tables predict, for two primary reasons:
1. Efficiency: It is computationally "cheap" to jump to 128 or 256 bits. Since there is no significant performance penalty, we jumped far ahead of the Moore's Law "minimum."
2. Quantum Computing: The tables above only consider classical brute force. Grover's algorithm (a quantum key search) reduces the effective strength of an n-bit symmetric key to roughly n/2 bits, so a 128-bit key offers about 64 bits of security against an idealised quantum attacker, which is why AES-256 is the conservative recommendation for long-lived secrets. The caveat is that Grover's speedup requires a long sequential quantum computation of about 2^64 steps that cannot be parallelised the way classical brute force can, which is why NIST still treats AES-128 key search as an acceptable security floor in its post-quantum security categories.
Link
TREBUCHET: Fully Homomorphic Encryption [FHE] Accelerator for Deep Computation David Bruce Cousins, Yuriy Polyakov, and 22 other authors Abstract: Secure computation is of critical importance to not only the DoD, but across financial institutions, healthcare, and anywhere personally identifiable information (PII) is accessed. Traditional security techniques require data to be decrypted before performing any computation. When processed on untrusted systems the decrypted data is vulnerable to attacks to extract the sensitive information. To address these vulnerabilities Fully Homomorphic Encryption (FHE) keeps the data encrypted during computation and secures the results, even in these untrusted environments. However, FHE requires a significant amount of computation to perform equivalent unencrypted operations. To be useful, FHE must significantly close the computation gap (within 10x) to make encrypted processing practical. To accomplish this ambitious goal the TREBUCHET project is leading research and development in FHE processing hardware to accelerate deep computations on encrypted data, as part of the DARPA MTO Data Privacy for Virtual Environments (DPRIVE) program. We accelerate the major secure standardized FHE schemes (BGV, BFV, CKKS, FHEW, etc.) at >=128-bit security while integrating with the open-source PALISADE and OpenFHE libraries currently used in the DoD and in industry. We utilize a novel tile-based chip design with highly parallel ALUs optimized for vectorized 128b modulo arithmetic. The TREBUCHET coprocessor design provides a highly modular, flexible, and extensible FHE accelerator for easy reconfiguration, deployment, integration and application on other hardware form factors, such as System-on-Chip or alternate chip areas. [recommended by Ro Cammarota] 6-page PDF
BASALISC: Programmable Hardware Accelerator for BGV Fully Homomorphic Encryption [FHE] Robin Geelen, Michiel Van Beirendonck, and 9 other authors Abstract: Fully Homomorphic Encryption (FHE) allows for secure computation on encrypted data. Unfortunately, huge memory size, computational cost and bandwidth requirements limit its practicality. We present BASALISC, an architecture family of hardware accelerators that aims to substantially accelerate FHE computations in the cloud. BASALISC is the first to implement the BGV scheme with fully-packed bootstrapping – the noise removal capability necessary for arbitrary-depth computation. It supports a customized version of bootstrapping that can be instantiated with hardware multipliers optimized for area and power. BASALISC is a three-abstraction-layer RISC architecture, designed for a 1 GHz ASIC implementation and underway toward 150 mm² die tape-out in a 12nm GF process. BASALISC's four-layer memory hierarchy includes a two-dimensional conflict-free inner memory layer that enables 32 Tb/s radix-256 NTT computations without pipeline stalls. Its conflict-resolution permutation hardware is generalized and re-used to compute BGV automorphisms without throughput penalty. BASALISC also has a custom multiply-accumulate unit to accelerate BGV key switching. The BASALISC toolchain comprises a custom compiler and a joint performance and correctness simulator. To evaluate BASALISC, we study its physical realizability, emulate and formally verify its core functional units, and we study its performance on a set of benchmarks. Simulation results show a speedup of more than 5,000× over HElib – a popular software FHE library. [recommended by Ro Cammarota] 26-page PDF

Software (Open Source, Free, Encryption, Steganography, etc.)

Two software tables follow:
1. Open Source Software on GitHub - Cryptography
2. Free Downloadable software which does Encryption, Steganography, etc.

Open Source Software on GitHub - Cryptography

The metric "LOC" is Lines-of-Code.
Data is current as of February 2026.
Software Name | Primary Language | Scale Metric (Approx. LOC) | GitHub Stars | NIST/FIPS & Description | Web URL (GitHub)
Bouncy Castle Java / C# ~1,200,000 LOC 4,500 stars Bouncy Castle is a massive, multi-decade ecosystem that serves as the "Swiss Army Knife" for enterprise-grade cryptography. Founded in May 2000 by the "Legion of the Bouncy Castle" (an Australian charity), the project was born out of a need for a clean-room, open-source cryptographic provider that wasn't subject to US export restrictions of the era. It has grown from 27,000 lines of code to over 1.2 million lines, becoming the most comprehensive cryptographic provider for the Java and .NET ecosystems. Unlike many libraries that only implement a few algorithms, Bouncy Castle maintains a strict separation between its "Lightweight API" (for general use) and its "FIPS API". FIPS 140-2 Validated. Broadest support for NIST SP 800-series. GitHub
OpenSSL C / ASM ~550,000 LOC 29,500 stars FIPS 140-2/3 Validated. Industry standard for TLS/SSL (FIPS 186-4). GitHub
liboqs C ~120,000 LOC 2,800 stars PQC Standard. Implements FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA). GitHub
Libsodium C ~60,000 LOC 12,000 stars Misuse-resistant crypto focusing on modern primitives like Ed25519. GitHub
wolfSSL C ~150,000 LOC 2,100 stars FIPS 140-3 Validated. Leading library for PQC in embedded/IoT. GitHub
CIRCL Go ~45,000 LOC 2,500 stars Cloudflare's library for FIPS 203 and Hybrid Post-Quantum KEMs. GitHub
Bitwarden Server C# ~450,000 LOC 18,000 stars E2E encrypted vault using PBKDF2 (SP 800-132) and AES-256 (FIPS 197). GitHub
VeraCrypt C / C++ ~250,000 LOC 12,000 stars Disk encryption. NIST SP 800-38E (XTS-AES) and FIPS 197 compliant. GitHub
GnuPG (GPG) C ~300,000 LOC 3,200 stars OpenPGP standard. Implements NIST SP 800-186 approved curves. GitHub
WireGuard C / Go ~15,000 LOC 11,000 stars Modern VPN. Known for a lean, verifiable code base and high performance. GitHub
Cryptomator Java ~80,000 LOC 10,000 stars Cloud encryption tool using FIPS 197 (AES) for file-level security. GitHub
CyberChef JS ~200,000 LOC 28,000 stars Comprehensive analysis tool covering nearly all NIST SP 800 ciphers. GitHub
Microsoft SEAL C++ ~75,000 LOC 4,800 stars Homomorphic Encryption library for lattice-based PQC research. GitHub
Rosenpass Rust ~10,000 LOC 1,500 stars PQC-hardened Key Exchange for WireGuard using hybrid logic. GitHub
Cooper/Hill in Galois Field C ~1,500 LOC 6 stars My friend Omer Gindi implemented Cooper/Hill Cryptosystem with Affine Transformation and ciphertext expansion, in Galois Field GF(16777619) GitHub

Downloadable software (many free) which do:
Encryption, Steganography, Secure Communications, etc.

I recommend you look at https://sourceforge.net/, which has web pages, ratings, reviews, and download counts
for many of these programs, to make sure they will meet your specific needs.
Type | Software Name | Strategic Description & Use Case | Access
Messaging Signal End-to-End Encrypted Chat: The industry standard for end-to-end encrypted messaging. Strategy: Use this for all sensitive text and voice calls; message content is encrypted between the endpoints, so even the service provider cannot read your conversations. signal.org
Anonymity Tor Browser The Onion Router: Routes your traffic through a circuit of three volunteer-run relays (guard, middle, exit), each of which sees only its neighbours, to hide your IP address from the sites you visit. Strategy: Essential for bypassing censorship or visiting sites without leaving a trail to your physical location; note that the exit relay can read any traffic that is not itself encrypted (use HTTPS). torproject.org
Anonymity I2P (Invisible Internet Project) Darknet Network: A decentralized "network within the internet." Strategy: Unlike Tor (which is for browsing the "normal" web privately), I2P is designed for secure, anonymous file sharing and hosting within its own ecosystem. geti2p.net
Privacy OS Tails The Amnesic Incognito System: A complete operating system you run from a USB stick. Strategy: It forces all connections through Tor and leaves zero trace on the computer's hard drive once unplugged—perfect for "Burner" laptop setups. tails.net
Cloud Crypt Cryptomator Vault for the Cloud: Open-source software that encrypts folders before they reach Dropbox or Google Drive. Strategy: This ensures that even if your cloud provider is hacked, your files remain unreadable. cryptomator.org
Whole Drive BitLocker Windows Native: Built-in full disk encryption for Windows Pro and Enterprise users. Strategy: Use this for baseline protection of your laptop; it's less flexible than VeraCrypt but much faster to set up for daily use. Check where the recovery key is escrowed (by default Windows offers to back it up to your Microsoft account, or to Active Directory on domain-joined machines) and keep an offline copy you control. microsoft.com
Whole Drive VeraCrypt Industrial Strength: The standard for encrypting entire operating systems or creating "Hidden Volumes." Use this if you need "Plausible Deniability": a hidden volume lives inside the free space of an outer volume, and because that free space is filled with random data, inspecting the container alone cannot distinguish a hidden volume from unused space. VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. Brought to you by AM Crypto (https://amcrypto.jp) and based on TrueCrypt 7.1a. veracrypt.fr
Passwords KeePass Total Control: A local-only password manager. Unlike cloud-based tools, your database never leaves your device unless you move it. Strategic Tip: Place your .kdbx database on a hardware-encrypted USB for "cold storage" of your digital life.
Personally highly recommended (you will be surprised how many passwords you have!). I also find it convenient way to consolidate non-password information, for example storing credit card numbers and the associated customer service phone numbers and websites.
Why KeePass? Today, you have to remember many passwords. You need a password for a lot of websites, your e-mail account, your webserver, network logins, etc. The list is endless. Also, you should use a different password for each account, because if you would use only one password everywhere and someone gets this password, you would have a problem: the thief would have access to all of your accounts. KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can store all your passwords in one database, which is locked with a master key. So you only have to remember one single master key to unlock the whole database. Database files are encrypted using the best and most secure encryption algorithms currently known (AES-256, ChaCha20 and Twofish). For more information, see the features page. Is it really free? Yes, KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source code and check whether the security features are implemented correctly.
keepass.info
Passwords Bruce Schneier's Password Safe While I am a long-time user of KeePass (I have 645 entries in it), I can see the advantage of his "simple & secure password management" software, which you can find at https://www.pwsafe.org/; it is FOSS (Free Open Source Software) for Windows 7 and later, and has been downloaded more than 5 million times. [Self-described as] "isn't as full-featured as the others, and it DOESN'T USE THE CLOUD at all, but it's ACTUAL ENCRYPTION with no recovery features." Bruce Schneier's Password Safe
File/Email 7-Zip The Everyman’s Tool: Technically a file archiver, but its AES-256 implementation is world-class. Use this for sending secure email attachments; it’s the most compatible way to ensure the recipient can actually open what you send. 7-zip.org
File/Email AES Crypt Frictionless Security: Adds a dedicated "Encrypt" option to your right-click menu. Best for users who want to lock individual files (like a tax return or a contract) without learning how to manage complex "containers" or vaults. AES Crypt is available to download for a 30-day free trial. If you like it, you can buy a perpetual license that gives you access to all future updates. There are no ongoing subscription costs with AES Crypt. aescrypt.com
File/Email Encrypto Human-Centric: Designed for sharing files with others. It allows you to embed a "Password Hint" within the encrypted file itself, which helps the recipient remember the secret without you having to risk sending it via a separate message. "Encrypto lets you encrypt files before sending them to friends or coworkers. Drop a file into Encrypto, set a password, and then send it with added security." macpaw.com
File/Email PeaZip Open Source File Compression and Encryption Software (Windows, Linux, Mac, BSD). Strategic Tip: Use this when the recipient has zero technical skills; they can double-click the file and enter a password to decrypt it without installing any software. PeaZip
File/Email Gpg4win The Professional Standard: Provides full GnuPG (PGP) encryption for Windows. While it has a steeper learning curve, it is the only tool on this list that provides true "Digital Signatures" to prove a file hasn't been tampered with. gpg4win.org
Steg OpenPuff Covert Transmission: Hides files inside digital "noise" in photos or videos. Strategic Note: Use the "Carrier Chain" feature to split one secret file across 5 different regular photos for maximum concealment. OpenPuff is a professional steganography tool:
  • HW seeded random number generator (CSPRNG)
  • Deniable steganography
  • Carrier chains (up to 256Mb of hidden data)
  • Carrier bits selection level
  • Modern multi-cryptography (16 algorithms)
  • Multi-layered data obfuscation (3 passwords)
  • X-squared steganalysis resistance
OpenPuff supports many carrier formats:
  • Images (BMP, JPG, PCX, PNG, TGA)
  • Audio support (AIFF, MP3, NEXT/SUN, WAV)
  • Video support (3GP, MP4, MPG, VOB)
  • Flash-Adobe support (FLV, SWF, PDF)
embeddedsw.net
Steg DeepSound Auditory Stealth: DeepSound is a steganography tool and audio converter that hides secret data into audio files. The application also enables you to extract secret files directly from audio files or audio CD tracks. Hides data inside WAV or FLAC audio tracks. Since audio files are much larger than photos, you can hide significantly more data here without making the carrier file look "suspiciously" large. DeepSound
Steg Steghide Steghide is a steganography program that is able to hide data in various kinds of image- and audio-files. The color- respectively sample-frequencies are not changed, thus making the embedding resistant against first-order statistical tests. The Invisible Classic: A command-line tool that embeds data into JPEG and BMP files. It is famous for being "Steganalysis-resistant," meaning it is very difficult for automated scanners to detect that data is hidden inside. sourceforge.net
Mobile/Desktop SSE (Secret Space) Cross-Device: A unified suite for Android and PC. Ideal if you frequently need to encrypt text (like a private message) on your phone and decrypt it on your desktop, or vice versa, using the same "Paranoia" encryption standards. paranoiaworks.mobi
Destruction Eraser The "Final Step": Encryption hides data, but it doesn't always remove the original unencrypted "ghost" file from your disk. Strategy: Use Eraser to securely wipe the original file once the encrypted version is safely locked away. eraser.heidi.ie

Mathematical Cryptography

Title Author Description Access
An interesting example at the intersection of Matrix Mathematics and Cryptography (and how Artificial Intelligence can write programs) Tony Patti Implements Hill/Cooper Galois Field (GF) Matrix Affine Transformation Cryptosystem in 6 programming languages ("C", Rust, Python, Java, Go/Golang, and PHP).
 
Additionally, this paper demonstrates the ability of Artificial Intelligence (A.I.) to write complete programs, in multiple languages, WHICH WORK (successfully encrypt and decrypt) using interesting mathematics.
 
The benefit of MATRICES (the plural of matrix) is that they can be of any dimension (size). No other cryptosystem allows you to choose the level of security (i.e. key size) ranging across SIX orders of magnitude, e.g. from a 4x4 matrix = 320 key bits, to 4000x4000 matrix = 320 Million key bits!
186-page PDF
The Elliptic Curve Cryptography (ECC) Handbook Excerpts Hankerson, Menezes, & Vanstone Direct PDF chapters from the authoritative guide on ECC implementation and curve selection. 332-page PDF
Indifferentiable Deterministic Hashing to Elliptic and Hyperelliptic Curves Reza R. Farashahi et al. Abstract. At Crypto 2010, Brier et al. proposed the first construction of a hash function into ordinary elliptic curves that was indifferentiable from a random oracle, based on Icart’s deterministic encoding from Crypto 2009. Such a hash function can be plugged into any cryptosystem that requires hashing into elliptic curves, while not compromising proofs of security in the random oracle model. However, the proof relied on relatively involved tools from algebraic geometry, and only applied to Icart’s deterministic encoding from Crypto 2009. In this paper, we present a new, simpler technique based on bounds of character sums to prove the indifferentiability of similar hash function constructions based on essentially any deterministic encoding to elliptic curves or curves of higher genus, such as the algorithms by Shallue, van de Woestijne and Ulas, or the Icart-like encodings recently presented by Kammerer, Lercier and Renault. In particular, we get the first constructions of well-behaved hash functions to Jacobians of hyperelliptic curves. Our technique also provides more precise estimates on the statistical behavior of those deterministic encodings and the hash function constructions based on them. Additionally, we can derive pseudorandomness results for partial bit patterns of such encodings. 18-page PDF
Notes on Finite Fields (Galois Fields) J.S. Milne A rigorous 100+ page PDF manual on the math of GF(p) and GF(2^n) used in AES and modern block ciphers. 144-page PDF
Twenty Years of Attacks on the RSA Cryptosystem Dan Boneh The most comprehensive summary of attacks on RSA. Recommended by Ralf Senderek. In this survey we study the difficulty of inverting the RSA function without the trapdoor. We refer to this as breaking RSA. We are interested mostly in algorithms with a substantially lower running time, namely on the order of n^c where n = log2 N and c is some small constant (less than 5, say). Such algorithms often perform well in practice on the inputs in question. Throughout the paper we refer to such algorithms as efficient. In this survey we mainly study the RSA function as opposed to the RSA cryptosystem. Loosely speaking, the difficulty of inverting the RSA function on random inputs implies that given {N, e, C} an attacker cannot recover the plaintext M. 16-page PDF
The Cryptographic Mathematics of Enigma Dr. A. Ray Miller, National Security Agency, Center for Cryptologic History (Revised Edition 2019) The Enigma cipher machine had the confidence of German forces who depended upon its security. This misplaced confidence was due in part to the large key space the machine provided. This brochure derives for the first time the exact number of theoretical cryptographic key settings and machine configurations for the Enigma cipher machine. It also calculates the number of practical key settings Allied cryptanalysts were faced with daily throughout World War II. Finally, it shows the relative contribution each component of the Enigma added to the overall strength of the machine. ULTRA [decrypted Enigma messages] was the greatest secret of World War II after the atom bomb. 28-page PDF
How Mathematicians Helped Win WWII The countries most concerned with possible attacks by the German military turned the problem of solving messages sent using this machine over to mathematicians. The Poles, the French, and the British all began to work against the Enigma machine, but it was a Polish mathematician, Marian Rejewski, who made the initial breakthroughs. He applied the permutation theory and, after numerous failed attempts, was able to determine the electric wiring of each of the rotors used by the German military in the 1930s. He was helped by the fact that German operators did not always use the machine to its full capability, thereby introducing weaknesses that could be used against it. The Poles had made a critical first step, but this did not solve the puzzle posed by the ability the machine gave the Germans to change the position of each rotor, to alter the way the rotors shifted each other, and to vary the way the plug board was used.
Many of the Poles then fled through Spain and Portugal and went to Great Britain where they served out the war continuing the fight against their German enemy. They passed on what they had learned and accomplished, making it possible for British mathematicians to take up their work. The British, led by Alan Turing, built on the initial Polish successes, but faced a more serious challenge. Just before the war began, the Germans increased the number of rotors they could choose from to select the three they would use each day, increasing the possible variations that had to be dealt with. Turing is considered one of the two or three best mathematicians of the twentieth century, and spent the entire war working in cryptanalysis.
[Figure 2: A view of the inside of a German naval Enigma, showing the four rotors in place.]
5-page PDF

Cryptanalysis & Attack Methodologies

Year Title Author(s) Focus Access
1956 SRH-273 Military Cryptanalytics, Part 1 of 2 By William F. Friedman (WFF) and Lambros D. Callimahos Handwritten note on the cover: "To Mr. William F. Friedman, [[ you are ]] a transcendent and venerated teacher, without whose prototypic traits in cryptanalysis this present volume could not have been written, with profound admiration and respect from a devoted pupil striving to follow in his master's footsteps. Washington, 12 May 1956 - Lambros D. Callimahos."
 
And if you look at PDF page 6, you will see, on an otherwise blank page, a Baconian Cipher, hand-printed by Lambros D. Callimahos which has this plaintext: "BACON DID NOT WRITE THIS WORK" which is a clear nod to WFF's early work at Riverbank Labs. (I show that image below, at the end of this section) For more details about "The Baconian and Trithemian ciphers" see section 53, page number 95 of this document. Page number 228 contains (an interesting) Chart 9: "Synoptic chart of cryptography" There is also a detailed Glossary on pages 231-246.
430-page PDF
1955 SRH-274 Military Cryptanalytics, Part 2 of 2 By William F. Friedman (WFF) and Lambros D. Callimahos Preface: This text represents an extensive expansion and revision, both in scope and content, of the earlier work entitled "Military Cryptanalysis [not "Cryptanalytics"], Part II" by William F. Friedman. This expansion and revision, as indicated in the preface of the first volume of this present series, was necessitated by the considerable advancement made in the art since the publication of the original version. 724-page PDF
1990 Differential Cryptanalysis of DES-like Cryptosystems Eli Biham & Adi Shamir The first public attack that was more efficient than brute force against DES. 106-page PDF
1996 Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer Peter Shor The "Quantum Apocalypse" paper that proved a quantum computer could break RSA/ECC. This is the "version 2" 1996 paper (at 28 pages) versus the original 11 pages conference version from 1994. 28-page PDF
2017 The First Collision for Full SHA-1 (SHAttered) Stevens, et al. The practical demonstration that SHA-1 was officially broken for digital signatures. 23-page PDF
The image below is from PDF page 6 of SRH-273 Military Cryptanalytics, Part 1 of 4

NIST’s Dual EC pseudorandom number generator

Title Author Focus / Abstract Access
On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng Dan Shumow and Niels Ferguson (2007) This paper is recommended on page 95 of David Johnston's book (below).
[Slide 7 of the PDF has this content]: "The Main Point"
  • If an attacker knows d such that d*P = Q then they can easily compute e such that e*Q = P (invert mod group order)
  • If an attacker knows e then they can determine a small number of possibilities for the internal state of the Dual Ec PRNG and predict future outputs.
  • We do not know how the point Q was chosen, so we don’t know if the algorithm designer knows d or e.
9-page PDF
On the Practical Exploitability of Dual EC in TLS Implementations Stephen Checkoway, Matthew Fredrikson, Ruben Niederhagen, Adam Everspaugh, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz, and Hovav Shacham (2014) Recommended by Steven M. Bellovin. Abstract: This paper analyzes the actual cost of attacking TLS implementations that use NIST’s Dual EC pseudorandom number generator, assuming that the attacker generated the constants used in Dual EC. It has been known for several years that an attacker generating these constants and seeing a long enough stretch of Dual EC output bits can predict all future outputs; but TLS does not naturally provide a long enough stretch of output bits, and the cost of an attack turns out to depend heavily on choices made in implementing the RNG and on choices made in implementing other parts of TLS. Specifically, this paper investigates OpenSSL-FIPS, Windows’ SChannel, and the C/C++ and Java versions of the RSA BSAFE library. This paper shows that Dual EC exploitability is fragile, and in particular is stopped by an outright bug in the certified Dual EC implementation in OpenSSL. On the other hand, this paper also shows that Dual EC exploitability benefits from a modification made to the Dual EC standard in 2007; from several attack optimizations introduced here; and from various proposed TLS extensions, one of which is implemented in BSAFE, though disabled in the version we obtained and studied. The paper’s attacks are implemented; benchmarked; tested against libraries modified to use new Dual EC constants; and verified to successfully recover TLS plaintext. 18-page PDF
 
18-minute YouTube video
A Systematic Analysis of the Juniper Dual EC Incident Stephen Checkoway (with others) - July 20, 2017 Recommended by Rich Salz. Stephen Checkoway was awarded the ACM/IETF networking prize in 2017. This is a YouTube video of his talk. YouTube video (talk starts at 52 minutes in)
Systematic Analysis of the Juniper Dual EC Incident Stephen Checkoway, Jacob Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, Hovav Shacham Recommended by Steven M. Bellovin. Abstract: In December 2015, Juniper Networks announced multiple security vulnerabilities stemming from unauthorized code in ScreenOS, the operating system for their NetScreen VPN routers. The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the elliptic curve points used by the Dual EC pseudorandom number generator. In this paper, we describe the results of a full independent analysis of the ScreenOS randomness and VPN key establishment protocol subsystems, which we carried out in response to this incident. While Dual EC is known to be insecure against an attacker who can choose the elliptic curve parameters, Juniper had claimed in 2013 that ScreenOS included countermeasures against this type of attack. We find that, contrary to Juniper's public statements, the ScreenOS VPN implementation has been vulnerable since 2008 to passive exploitation by an attacker who selects the Dual EC curve point. This vulnerability arises due to apparent flaws in Juniper's countermeasures as well as a cluster of changes that were all introduced concurrently with the inclusion of Dual EC in a single 2008 release. We demonstrate the vulnerability on a real NetScreen device by modifying the firmware to install our own parameters, and we show that it is possible to passively decrypt an individual VPN session in isolation without observing any other network traffic. We investigate the possibility of passively fingerprinting ScreenOS implementations in the wild. This incident is an important example of how guidelines for random number generation, engineering, and validation can fail in practice. 12-page PDF
Dueling Over Dual_EC_DRBG: The Consequences Of Corrupting A Cryptographic Standardization Process Harvard Law Journal: Nadiya Kostyuk and Susan Landau (2022) Recommended by Jason Cooper.
ABSTRACT: In recent decades, the U.S. National Institute of Standards and Technology (NIST), which develops cryptographic standards for non-national security agencies of the U.S. government, has emerged as the de facto international source for cryptographic standards. But in 2013, Edward Snowden disclosed that the National Security Agency had subverted the integrity of a NIST cryptographic standard—the Dual_EC_DRBG—enabling easy decryption of supposedly secured communications. This discovery reinforced the desire of some public and private entities to develop their own cryptographic standards instead of relying on a U.S. government process. Yet, a decade later, no credible alternative to NIST has emerged. NIST remains the only viable candidate for effectively developing internationally trusted cryptography standards. Cryptographic algorithms are essential to security yet are hard to understand and evaluate. These technologies provide crucial security for communications protocols. Yet the protocols transit international borders; they are used by countries that do not necessarily trust each other. In particular, these nations do not necessarily trust the developer of the cryptographic standard. Seeking to understand how NIST, a U.S. government agency, was able to remain a purveyor of cryptographic algorithms despite the Dual_EC_DRBG problem, we examine the Dual_EC_DRBG situation, NIST's response, and why a non-regulatory, non-national security U.S. agency remains a successful international supplier of strong cryptographic solutions.
61-page PDF
Dual EC: A Standardized Back Door IACR: Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen (2015) Recommended by Jason Cooper. Abstract: Dual EC is an algorithm to compute pseudorandom numbers starting from some random input. Dual EC was standardized by NIST, ANSI, and ISO among other algorithms to generate pseudorandom numbers. For a long time this algorithm was considered suspicious – the entity designing the algorithm could have easily chosen the parameters in such a way that it can predict all outputs – and on top of that it is much slower than the alternatives and the numbers it provides are more biased, i.e., not random. The Snowden revelations, and in particular reports on Project Bullrun and the SIGINT Enabling Project, have indicated that Dual EC was part of a systematic effort by NSA to subvert standards. This paper traces the history of Dual EC including some suspicious changes to the standard, explains how the back door works in real-life applications, and explores the standardization and patent ecosystem in which the standardized back door stayed under the radar. 25-page PDF

Randomness, Entropy, and Statistical Testing

Title Author Focus / Abstract Access
The DIEHARD Battery of Tests George Marsaglia (FSU) (1995) The "Grandfather" of all randomness suites. Famous for being the first to break "good" generators of the 90s. Reputation: Whimsical but brutal. Introduced the "Birthday Spacings" and "Monkey" tests. Still the baseline for academic rigor. ARCHIVE
NIST SP 800-22: A Statistical Test Suite Rukhin, et al. (NIST) (2010) The regulatory "must-pass" for all US government cryptographic modules. Reputation: The Compliance Standard. Not the most sensitive suite, but passing this is legally required for FIPS 140-2/3 certification. 131-pg PDF
The Dieharder Battery (v3.31.1+) Robert G. Brown (Duke) (2003-2026) The modern, open-source "Swiss Army Knife" for extreme-stress testing of RNGs. Reputation: The Technical Successor. It wraps Diehard, NIST, and new tests into a single modular library. The tool of choice for daily engineering. LINK 132-page PDF
NIST Overview: Random Bit Generation (RBG) Overview: The National Institute of Standards and Technology (NIST) Random Bit Generation (RBG) project focuses on the development and validation of generating random numbers that are essential for cryptographic and security applications.
SP 800-90 Series: The project provides guidelines through the SP 800-90 series, which includes recommendations on deterministic random bit generator (DRBG) mechanisms, entropy sources, and construction principles for RBGs, and has three parts:
  • SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, specifies mechanisms for generating random bits using deterministic methods. NIST is revising SP 800-90A to be consistent with SP 800-90C.
  • SP 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation, specifies the design principles and requirements for the entropy sources used by RBGs and the tests for the validation of entropy sources.
  • SP 800-90C, Recommendation for Random Bit Generator (RBG) Constructions, specifies constructions for the implementation of RBGs.
The following figure explains the relationship of the three parts of the series.

NIST IR 8427, Discussion on the Full Entropy Assumption of the SP 800-90 Series, provides technical discussions to support the full entropy definition used in the SP 800-90 series.
NIST Overview
NIST SP 800-90A: Deterministic Random Bit Generators (DRBG) Elaine Barker (NIST) Specifies the approved methods for generating random bits using Hash functions and Block Ciphers. 110-page PDF
NIST SP 800-90B: Recommendation for Entropy Sources Meltem Sönmez Turan, et al. Specifies design requirements and validation tests for the physical noise/entropy sources used by RBGs. 84-page PDF
NIST SP 800-90C: Random Bit Generator (RBG) Constructions By Elaine Barker & John Kelsey.
The "blueprint" document that specifies how to combine 90A algorithms and 90B entropy into a secure system. Chapters:
  1. Introduction and Purpose
  2. General Information
  3. Accessing Entropy Source Output
  4. RBG1 Construction Based on RBGs With Physical Entropy Sources
  5. RBG2 Constructions Based on Physical and/or Non-Physical Entropy Sources
  6. RBG3 Constructions Based on the Use of Physical Entropy Sources
  7. RBGC Construction for DRBG Trees
  8. Testing
| Construction | Internal Entropy Source | Available Randomness Source for Reseeding | Prediction Resistance | Full Entropy | Type of Randomness Source |
|---|---|---|---|---|---|
| RBG1 | No (external) | No | No | No | RBG2(P) or RBG3 or Root RBGC construction |
| RBG2(P) | Yes | Yes | Optional | No | Physical entropy source |
| RBG2(NP) | Yes | Yes | Optional | No | Non-physical entropy source |
| RBG3(XOR) or RBG3(RS) | Yes | Yes | Yes | Yes | Physical entropy source |
| (Root) RBGC | Yes | Yes | Optional | No | RBG2 or RBG3 construction or Full-entropy source |
| (Non-root) RBGC | No | Yes | No | No | Parent RBGC construction |
The Parenthetical Modifiers
  • (P) and (NP): These stand for Physical and Non-physical entropy sources. According to the table, RBG2(P) must use a physical source, while RBG2(NP) can use a non-physical source.
  • (XOR) and (RS): These describe the implementation method for RBG3. XOR means the entropy is combined with the DRBG output using an exclusive-OR operation, whereas RS means the entropy is used to Reseed the internal state.
Root vs. Non-root RBGC. The distinction here centers on whether the construction "owns" its entropy:
  • Root RBGC: Is considered a "Root" because it contains its own Internal Entropy Source. It can derive its randomness from an RBG2, RBG3, or a standalone Full-entropy source.
  • Non-root RBGC: Does not have an internal source. It is a "chained" construction that must look to a Parent RBGC for its randomness.
160-page PDF
NIST IR 8427: Discussion on the Full Entropy Assumption of the SP 800-90 Series Darryl Buller, Aaron Kaufer, Allen Roginsky, Meltem Sönmez Turan Abstract: The NIST Special Publication (SP) 800-90 series supports the generation of high-quality random bits for cryptographic and non-cryptographic use. The security strength of a random number generator depends on the unpredictability of its outputs. This unpredictability can be measured in terms of entropy, which the NIST SP 800-90 series measures using min-entropy. A full-entropy bitstring has an amount of entropy equal to its length. Full-entropy bitstrings are important for cryptographic applications, as these bitstrings have ideal randomness properties and may be used for any cryptographic purpose. Due to the difficulty of generating and testing full-entropy bitstrings, the SP 800-90 series assumes that a bitstring has full entropy if the amount of entropy per bit is at least 1 − ε, where ε is at most 2^-32. This report provides a justification for the selection of this value of ε. 19-page PDF
NIST final version of Internal Report (IR) 8446: Comparison of SP 800-90 Series and AIS 20/31 NIST January 29, 2026 by Elaine Barker, John Kelsey, Kerry McKay, Johannes Mittmann, Matthias Peter, Werner Schindler, Meltem Sönmez Turan Abstract: This report studies the cryptographic random number generation standards and guidelines written by BSI and NIST, namely AIS 20/31 and the SP 800-90 series. The aim of this report is to compare these publications, focusing on the similarities and differences of their terminology, assumptions, and requirements. This report also aims to improve the communications between all involved parties, promote a shared understanding, and reduce and resolve inconsistencies in related standards.
Keywords: cryptographic random number generation; entropy; terminology; validation. Introduction: The security of cryptographic mechanisms and protocols relies on the availability of high-quality random numbers (e.g., to generate cryptographic keys, initialization vectors, nonces, salts, and masking values). The generation of these random numbers and validating their quality are challenging tasks. There are multiple standards to provide guidelines on generating random numbers to be used in cryptography [1–11]. These standards may differ in their assumptions, requirements, and even the definitions that they use.
81-page PDF
NIST Internal Report (IR) 8454: Status Report on the Final Round of the NIST Lightweight Cryptography Standardization Process NIST June 2023 by Meltem Sönmez Turan, Kerry McKay, Donghoon Chang, Lawrence E. Bassham, et al. Abstract: The National Institute of Standards and Technology (NIST) initiated a public standardization process to select one or more schemes that provide Authenticated Encryption with Associated Data (AEAD) and optional hashing functionalities and are suitable for constrained environments. In February 2019, 57 candidates were submitted to NIST for consideration. Among these, 56 were accepted as first-round candidates in April 2019. After four months, NIST selected 32 of the candidates for the second round. In March 2021, NIST announced 10 finalists – namely ASCON, Elephant, GIFT-COFB, Grain-128AEAD, ISAP, PHOTON-Beetle, Romulus, SPARKLE, TinyJAMBU, and Xoodyak – to move forward to the final round of the selection process. On February 7, 2023, NIST announced the decision to standardize the ASCON family for lightweight cryptography applications. This report describes the evaluation criteria and selection process, which is based on public feedback and internal review of the finalists. 135-page PDF
NIST Interoperable Randomness Beacons Overview: The Interoperable Randomness Beacons project at NIST intends to promote the availability of trusted public randomness as a public utility. This can be used for example for auditability and transparency of services that depend on randomized processes. The project is spearheaded by the Cryptographic Technology Group in the Computer Security Division of the Information Technology Laboratory (ITL), and has counted with the participation of many collaborators over the years.
WARNING: Do NOT use Beacon generated values as cryptographic secret keys!
Randomness pulses from the NIST Randomness Beacon can be found in the NIST Beacon webpage
NIST recommendations on (pseudo)random-bit generation can be found in the NIST RBG project webpage
NIST Link
 
NIST Link
RFC 4086: Randomness Requirements for Security Eastlake, Schiller, & Crocker The "Best Current Practice" (BCP 106) for gathering entropy and avoiding common pitfalls in software. 48-page PDF
Random Number Generators - Principles and Practices: A Guide for Engineers and Programmers David Johnston (2018) 5.0 stars (12 reviews) Random Number Generators, Principles and Practices has been written for programmers, hardware engineers, and sophisticated hobbyists interested in understanding random number generators and gaining the tools necessary to work with random number generators with confidence and knowledge. Using an approach that employs clear diagrams and running code examples rather than excessive mathematics, random number related topics such as entropy estimation, entropy extraction, entropy sources, PRNGs, randomness testing, distribution generation, and many others are exposed and demystified. This book was recommended to me by Christopher Bell, and I, in turn, recommend it to you. Amazon
The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators A. Theodore Markettos and Simon W. Moore (2009) at CHES (Cryptographic Hardware and Embedded Systems) conference This paper is recommended on page 25 of David Johnston's book (above). Abstract: We have devised a frequency injection attack which is able to destroy the source of entropy in ring-oscillator-based true random number generators (TRNGs). A TRNG will lock to frequencies injected into the power supply, eliminating the source of random jitter on which it relies. We are able to reduce the keyspace of a secure microcontroller based on a TRNG from 2^64 to 3300, and successfully attack a 2004 EMV (‘Chip and PIN’) payment card. We outline a realistic covert attack on the EMV payment system that requires only 13 attempts at guessing a random number that should require 2^32. The theory, three implementations of the attack, and methods of optimisation are described. 15-page PDF
Randomized Encryption Techniques Ronald L. Rivest & Alan T. Sherman January 1983. Abstract: A randomized encryption procedure enciphers a message by randomly choosing a ciphertext from a set of ciphertexts corresponding to the message under the current encryption key. At the cost of increasing the required bandwidth, such procedures may achieve greater cryptographic security than their deterministic counterparts by increasing the apparent size of the message space, eliminating the threat of chosen plaintext attacks, and improving the a priori statistics for the inputs to the encryption algorithms. In this paper we explore various ways of using randomization in encryption. [recommended by Sandor LUKACS] 22-page PDF
True Random Number Generators (TRNG) Mario Stipcevic & Cetin Kaya Koc A deep dive into physical entropy sources, from electronic noise to quantum-based systems. 45-page PDF
A Comprehensive Review of Quantum Random Number Generators: Concepts, Classification and the Origin of Randomness Mannalatha, et al. (2017 / 2022) A comprehensive review of the physical origins of quantum randomness. The "Bible" for understanding the difference between trusted-device and device-independent QRNGs. Essential for mapping theory to hardware. 44-page PDF
QRNG Specification Guide: First-Principles Investigation Qrypt / NIST Supplement (2014) A formal framework for evaluating QRNG hardware against NIST standards. Bridges the gap between quantum physics and NIST SP 800-90B compliance. It defines how to measure "quantum-origin" entropy in a standard way. 9-page PDF
(Not So) Random Shuffles of RC4 Ilya Mironov (2002) Most guidelines for implementation of the RC4 stream cipher recommend discarding the first 256 bytes of its output. This recommendation is based on the empirical fact that known attacks can either cryptanalyze RC4 starting at any point, or become harmless after these initial bytes are dumped. The motivation for this paper is to find a conservative estimate for the number of bytes that should be discarded in order to be safe. To this end we propose an idealized model of RC4 and analyze it applying the theory of random shuffles. Based on our analysis of the model we recommend dumping at least 512 bytes. 16-page PDF
A Novel Proof of Shuffle: Exponentially Secure Cut-and-Choose Thomas Haines and Johannes Muller Shuffling is one of the most important techniques for privacy-preserving protocols. Its applications are manifold, including, for example, e-voting, anonymous broadcast, or privacy-preserving machine learning. For many applications, such as secure e-voting, it is crucial that the correctness of the shuffling operation be (publicly) verifiable. To this end, numerous proofs of shuffle have been proposed in the literature. Several of these proofs are actually employed in the real world. 28-page PDF
LavaRand
a hardware random number generator using lava lamps!
SGI Quoting Wikipedia: Lavarand is a hardware random number generator designed and trademarked by Silicon Graphics (SGI) in 1996. The system operates by digitizing the chaotic patterns of warm wax blobs oozing inside an array of lava lamps. This data is then processed with a cryptographic hash function to produce a high-quality seed for a cryptographically secure pseudorandom number generator (CSPRNG). From 1997 to 2001, SGI ran a website that demonstrated the technology. Its visually distinct method made it a frequently cited example of entropy sourcing. The concept was later revived and popularized by Cloudflare, which uses a wall of lava lamps in its office lobby as one component of its entropy-gathering system, the Wall of Entropy. The complete method was documented in U.S. patent 5,732,138. The patent's claims are not limited to lava lamps but cover any chaotic system used in a similar manner, and its expiration allowed companies like Cloudflare to use the underlying concept without license. Wikipedia
LavaRand
Intel Digital Random Number Generator (DRNG): Software Implementation Guide (Revision 2.2) Intel® Secure Key Technology is the Intel name for the Intel® 64 and IA-32 Architecture’s instructions RDRAND and RDSEED and the underlying Digital Random Number Generator (DRNG) hardware implementation. The RDRAND instruction is used to generate high-quality keys for cryptographic protocols, and the RDSEED instruction is used to seed software-based pseudorandom number generators (PRNGs).

This Digital Random Number Generator Software Implementation Guide provides technical information on RDRAND and RDSEED usage, including code examples, and is organised into the following sections:
  • Section 2: Random Number Generator (RNG) Basics and Introduction to the DRNG. This section describes the nature of an RNG and its pseudo- (PRNG) and true- (TRNG) implementation variants including modern cascade construction RNGs. The DRNG's position is presented within this taxonomy.
  • Section 3: DRNG Overview. This section provides a technical overview of the DRNG including its component architecture, robustness features, manner of access, performance, and power requirements.
  • Section 4: Standards Compliance. This section describes compliance including U.S. NIST compliance for the Intel DRNG.
  • Section 5: RDRAND and RDSEED Instruction Usage. This section provides reference information on the RDRAND and RDSEED instructions and code examples showing their use. This includes platform support verification and suggestions on DRNG-based libraries.
Programmers who already understand the nature of RNGs may refer directly to section 5 for instruction references and code examples. RNG newcomers who need some review of concepts to understand the nature and significance of the DRNG can refer to section 2. Nearly all developers will want to look at section 3, which provides a technical overview of the DRNG.
39-page PDF
"The RANGER Device" (acronym for “RAndom Number GEneratoR”) Tony Patti
Cryptosystems Journal
The RANGER Device is based on a 4x4 array of crystal oscillators, connected to a PC via the parallel port. Each "read" of the device brings in four bits, which can optionally be XOR'd together (all 16 oscillators utilized)
CSJ V2N2
page 38+
June 1992
CSJ V3
page 71+
Dec 1994
CSJ V4
page 69+
Feb 1997
CSJ V5
page 130+
Mar 1999
RANGER Device Link
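The discard rule in the Mironov entry above ("(Not So) Random Shuffles of RC4"), as an added example that is not code from that paper or from this page: a plain RC4 with a drop-N keying routine, plus a short experiment that shows one of the early-keystream biases the rule exists to remove. The bias measured is Mantin and Shamir's observation that, over random keys, the second keystream byte is 0 about twice as often as the uniform 1/256. The xorshift key generator, the trial count, and the known-answer test vector (key "Key", plaintext "Plaintext") are this example's own choices; the key generator is not a CSPRNG and only makes the experiment repeatable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_t;

/* Key-scheduling algorithm (KSA): permute S under the key. */
static void rc4_init(rc4_t *c, const uint8_t *key, size_t klen) {
    for (int k = 0; k < 256; k++) c->S[k] = (uint8_t)k;
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + c->S[k] + key[k % klen]);
        uint8_t t = c->S[k]; c->S[k] = c->S[j]; c->S[j] = t;
    }
    c->i = 0; c->j = 0;
}

/* One step of the pseudo-random generation algorithm (PRGA). */
static uint8_t rc4_byte(rc4_t *c) {
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->S[c->i]);
    uint8_t t = c->S[c->i]; c->S[c->i] = c->S[c->j]; c->S[c->j] = t;
    return c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
}

/* RC4-drop[N]: key the cipher, then throw away the first `drop` keystream bytes. */
void rc4_init_drop(rc4_t *c, const uint8_t *key, size_t klen, size_t drop) {
    rc4_init(c, key, klen);
    for (size_t k = 0; k < drop; k++) (void)rc4_byte(c);
}

/* Encrypt or decrypt (same operation) in place. */
void rc4_crypt(rc4_t *c, uint8_t *buf, size_t len) {
    for (size_t k = 0; k < len; k++) buf[k] ^= rc4_byte(c);
}

/* Known-answer check: key "Key", plaintext "Plaintext" -> BB F3 16 E8 D9 40 AF 0A D3. */
int rc4_selftest(void) {
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t buf[9];
    memcpy(buf, "Plaintext", 9);
    rc4_t c;
    rc4_init_drop(&c, (const uint8_t *)"Key", 3, 0);
    rc4_crypt(&c, buf, 9);
    return memcmp(buf, expect, 9) == 0;
}

/* Deterministic xorshift32: supplies the experiment's keys; it is not a CSPRNG. */
static uint32_t xs_state = 0x2545F491u;
static uint32_t xs32(void) {
    uint32_t x = xs_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return xs_state = x;
}

/* Over `trials` 16-byte keys, count how often the keystream byte at 1-based
   position `pos` (counted after dropping `drop` bytes) is zero. Unbiased
   output gives about trials/256; the undropped second byte gives about twice that. */
unsigned long count_zero_at(size_t pos, size_t drop, unsigned long trials) {
    unsigned long zeros = 0;
    for (unsigned long t = 0; t < trials; t++) {
        uint8_t key[16];
        for (int k = 0; k < 16; k++) key[k] = (uint8_t)(xs32() >> 24);
        rc4_t c;
        rc4_init_drop(&c, key, sizeof key, drop);
        uint8_t z = 0;
        for (size_t k = 0; k < pos; k++) z = rc4_byte(&c);
        zeros += (z == 0);
    }
    return zeros;
}

int main(void) {
    const unsigned long trials = 200000;
    printf("self-test: %s\n", rc4_selftest() ? "ok" : "FAILED");
    printf("unbiased expectation   : %lu\n", trials / 256);
    printf("2nd byte == 0, no drop : %lu\n", count_zero_at(2, 0, trials));
    printf("2nd byte == 0, drop 512: %lu\n", count_zero_at(2, 512, trials));
    return 0;
}
```

The no-drop count lands near 2 * trials/256 and the drop-512 count near trials/256; the same experiment run at other positions (first byte, bytes after a 256-byte drop) is how the 256-versus-512 question in the paper can be approached empirically, though the paper's argument is about the idealized shuffle model rather than any single measured bias.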
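Added example for the section 5 material of the Intel DRNG guide above (platform support verification, and retry handling around RDRAND and RDSEED); this is not Intel's sample code. It uses inline assembly so that it builds without -mrdrnd/-mrdseed, checks CPUID before issuing either instruction, bounds RDRAND retries at 10 as the guide recommends, and issues PAUSE between RDSEED retries. The helper names, the return-value convention and the RDSEED retry limit passed by the caller are this example's own choices; on a non-x86 build everything reports "unsupported" instead of failing to compile.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define DRNG_X86 1
#else
#define DRNG_X86 0   /* non-x86 build: everything reports "unsupported" */
#endif

/* Platform support verification, as the guide requires before using the
   instructions: RDRAND is CPUID.01H:ECX bit 30, RDSEED is
   CPUID.(EAX=07H,ECX=0H):EBX bit 18. */
bool cpu_has_rdrand(void) {
#if DRNG_X86
    unsigned a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) && (c & (1u << 30)) != 0;
#else
    return false;
#endif
}

bool cpu_has_rdseed(void) {
#if DRNG_X86
    unsigned a, b, c, d;
    return __get_cpuid_count(7, 0, &a, &b, &c, &d) && (b & (1u << 18)) != 0;
#else
    return false;
#endif
}

/* One attempt each. The instruction sets CF=1 when a value was delivered and
   CF=0 when the DRNG had nothing ready; the caller must check and retry. */
static bool rdrand32_step(uint32_t *out) {
#if DRNG_X86
    unsigned char ok;
    __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok != 0;
#else
    (void)out; return false;
#endif
}

static bool rdseed32_step(uint32_t *out) {
#if DRNG_X86
    unsigned char ok;
    __asm__ volatile("rdseed %0\n\tsetc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok != 0;
#else
    (void)out; return false;
#endif
}

#define RDRAND_RETRIES 10   /* the guide's recommended bound for RDRAND */

/* Fill n 32-bit words from RDRAND (DRBG output, suitable for keys).
   Returns n on success, -1 if RDRAND is unavailable, or the number of words
   obtained before a persistent failure, which callers must treat as fatal. */
int drng_fill_rdrand(uint32_t *buf, size_t n) {
    if (!cpu_has_rdrand()) return -1;
    for (size_t k = 0; k < n; k++) {
        bool ok = false;
        for (int r = 0; r < RDRAND_RETRIES && !ok; r++) ok = rdrand32_step(&buf[k]);
        if (!ok) return (int)k;
    }
    return (int)n;
}

/* Fill n words from RDSEED (conditioned entropy, for seeding a software PRNG).
   RDSEED underflows far more often than RDRAND, so there is no small fixed
   retry count; the caller supplies a limit and we pause between attempts. */
int drng_fill_rdseed(uint32_t *buf, size_t n, int max_retries) {
    if (!cpu_has_rdseed()) return -1;
    for (size_t k = 0; k < n; k++) {
        bool ok = false;
        for (int r = 0; r < max_retries && !ok; r++) {
            ok = rdseed32_step(&buf[k]);
#if DRNG_X86
            if (!ok) __asm__ volatile("pause");
#endif
        }
        if (!ok) return (int)k;
    }
    return (int)n;
}

int main(void) {
    uint32_t w[16];
    printf("RDRAND: %s, RDSEED: %s\n", cpu_has_rdrand() ? "yes" : "no",
           cpu_has_rdseed() ? "yes" : "no");
    int got = drng_fill_rdrand(w, 16);
    printf("RDRAND words: %d\n", got);
    for (int i = 0; i < got; i++) printf("%08x%c", w[i], (i % 4 == 3) ? '\n' : ' ');
    got = drng_fill_rdseed(w, 4, 1000);
    printf("RDSEED words: %d\n", got);
    return 0;
}
```

The distinction the guide draws is preserved in the two fill functions: RDRAND output is DRBG output and can be used directly, while RDSEED is the source to seed another generator from, and a short count from either function is a hardware failure to abort on, never something to pad with zeros.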

Programming Languages for Cryptology

Language & Rank Technical Profile & Crypto Math Samples Ecosystem & Link
Rust
#1 Security
Attributes: Memory Safe: YES | BigInt: NO | Constant-Time: YES
 
Pros: Uses a Borrow Checker to prevent memory bugs at compile-time.

Sample 1: XOR Cipher
fn xor(d: &mut [u8], k: &[u8]) {
    for (i, b) in d.iter_mut().enumerate() {
        *b ^= k[i % k.len()];
    }
}
Sample 2: Secure RAND (16 words)
use rand::Rng;
// thread_rng() is a CSPRNG seeded from the operating system (rand 0.8 API)
let mut rng = rand::thread_rng();
let mut Random16words: [u32; 16] = [0; 16];
rng.fill(&mut Random16words);

Rust is a favorite for modern cryptography because its "fearless concurrency" prevents data races. Rayon is the gold standard for data parallelism. It allows you to turn a sequential iterator into a parallel one with a single method change: .iter() becomes .par_iter(). Key Feature: Work-stealing scheduler that balances tasks across all CPU cores.
- RAND: rand crate
- BIGNUM: num-bigint
- CRYPTO: RustCrypto
- Website: rust-lang.org
 
- Primary Parallel Mechanism:
Data-parallelism / Threads
- Notable Parallel Library: Rayon
- Best Parallel Use Case in Crypto:
Bulk hashing, parallelizing loops ($O(n)$ tasks).
C
#1 Performance
Attributes: Memory Safe: NO | BigInt: NO | Constant-Time: YES
 
Pros: Foundation of OpenSSL. Maximum speed and direct CPU access.

Sample 1: XOR Cipher
#include <stddef.h>
#include <string.h>
/* XOR d in place with the repeating key k (NUL-terminated, so k cannot contain a zero byte) */
void xor(unsigned char *d, size_t len, const char *k) {
    size_t k_len = strlen(k);
    for (size_t i = 0; i < len; i++) d[i] ^= (unsigned char)k[i % k_len];
}
Sample 2: Secure RAND (16 words)
#include <stdint.h>
#include <stdlib.h>
#include <openssl/rand.h>
uint32_t Random16words[16];
/* RAND_bytes returns 1 on success; anything else means no randomness was produced */
if (RAND_bytes((unsigned char *)Random16words, sizeof Random16words) != 1) abort();

In C, OpenMP is often preferred for cryptography because it uses simple #pragma directives to parallelize loops without manual thread management. For more granular control (like pinning threads to specific cores for side-channel resistance), Pthreads is used. Key Feature: Extremely low overhead; direct access to hardware acceleration (AES-NI).
- RAND: openssl/rand.h
- BIGNUM: openssl/bn.h
- CRYPTO: OpenSSL / Sodium
- Website: C Reference
 
- Primary Parallel Mechanism:
Compiler Directives / Low-level
- Notable Parallel Library: OpenMP / Pthreads
- Best Parallel Use Case in Crypto:
High-performance SIMD, GPU offloading (CUDA).
Java
#1 Enterprise
Attributes: Memory Safe: YES | BigInt: YES | Constant-Time: PARTIAL
 
Pros: The JCE (Java Cryptography Extension) is very mature.

Sample 1: XOR Cipher
public static void xor(byte[] d, byte[] k) {
    for (int i = 0; i < d.length; i++) {
        d[i] ^= k[i % k.length];
    }
}
Sample 2: Secure RAND (16 words)
import java.security.SecureRandom;
SecureRandom sr = new SecureRandom();
int[] Random16words = new int[16];
for(int i=0; i < 16; i++) Random16words[i] = sr.nextInt();

Java’s Parallel Streams leverage the ForkJoinPool to recursively split cryptographic tasks (like encrypting a multi-gigabyte file) into smaller chunks. Key Feature: Abstracted management; the JVM handles the complexities of thread lifecycle.
- RAND: SecureRandom
- BIGNUM: BigInteger
- CRYPTO: javax.crypto
- Website: Oracle Java
 
- Primary Parallel Mechanism:
Fork/Join Framework
- Notable Parallel Library: java.util.concurrent
- Best Parallel Use Case in Crypto:
Parallel streams for large-scale key processing.
Python
#1 Research
Attributes: Memory Safe: YES | BigInt: YES | Constant-Time: NO
 
Pros: Best for "Crypto Math" research. Handles massive numbers natively.

Sample 1: XOR Cipher
def xor(data, key):
    return bytes([b ^ key[i % len(key)] for i, b in enumerate(data)])
Sample 2: Secure RAND (16 words)
import secrets
Random16words = [secrets.randbits(32) for _ in range(16)]

Because of the Global Interpreter Lock (GIL), Python cannot run multiple threads on multiple cores for CPU-heavy tasks. The multiprocessing module is required to spawn separate memory spaces for each core. Key Feature: Bypasses the GIL to achieve true parallelism for CPU-bound hashing.
- RAND: secrets module
- BIGNUM: int (Native)
- CRYPTO: PyCryptodome
- Website: python.org
 
- Primary Parallel Mechanism:
Multi-process (Bypasses GIL)
- Notable Parallel Library: multiprocessing
- Best Parallel Use Case in Crypto:
CPU-bound brute-forcing or hashing.
Go (Golang)
#1 Infra
Attributes: Memory Safe: YES | BigInt: YES | Constant-Time: YES
 
Pros: Excellent modern library. Built for the modern web (TLS).

Sample 1: XOR Cipher
func xor(d []byte, k []byte) {
    for i := range d { d[i] ^= k[i%len(k)] }
}
Sample 2: Secure RAND (16 words)
import ("crypto/rand"; "encoding/binary")
Random16words := make([]uint32, 16)
// rand.Reader is the OS CSPRNG; never discard the error
if err := binary.Read(rand.Reader, binary.LittleEndian, Random16words); err != nil {
    panic(err)
}

Go was built for concurrency. Goroutines are "lightweight threads" managed by the Go runtime. While Go is often used for I/O, the sync package and runtime.GOMAXPROCS allow it to effectively scale cryptographic computations across cores. Key Feature: Channels allow for safe communication between parallel workers without shared memory.
- RAND: crypto/rand
- BIGNUM: math/big
- CRYPTO: crypto/...
- Website: go.dev
 
- Primary Parallel Mechanism:
CSP (Communicating Sequential Processes)
- Notable Parallel Library: Goroutines / sync
- Best Parallel Use Case in Crypto:
High-concurrency network crypto (TLS/VPN).
PHP
#1 Web
Attributes: Memory Safe: YES | BigInt: NO | Constant-Time: YES
 
Pros: Integrated libsodium makes high-level crypto accessible.

Sample 1: XOR Cipher
function xor_cipher($d, $k) {
    for ($i = 0; $i < strlen($d); $i++) {
        $d[$i] = $d[$i] ^ $k[$i % strlen($k)];
    }
    return $d;
}
Sample 2: Secure RAND (16 words)
$Random16words = [];
for ($i = 0; $i < 16; $i++) {
    $Random16words[] = random_int(-2147483648, 2147483647);
}

Standard PHP is single-threaded. To achieve parallelism, you must use the parallel extension (the modern successor to pthreads). It requires a "Thread Safe" (ZTS) version of PHP. Key Feature: Provides a task-based API for running functions in parallel in CLI scripts.
- RAND: random_int()
- BIGNUM: GMP / BCMath
- CRYPTO: Sodium Extension
- Website: php.net
 
- Primary Parallel Mechanism:
Shared-nothing / Async
- Notable Parallel Library: parallel (ext) / Swoole
- Best Parallel Use Case in Crypto:
Offloading heavy crypto tasks in CLI environments.

Zero-Knowledge Proofs & Interactive Systems

Year Title Author(s) Significance Access
1985 The Knowledge Complexity of Interactive Proof-Systems Goldwasser, Micali, & Rackoff The paper that invented Zero-Knowledge Proofs. Winner of the first Gödel Prize.
 
Abstract. Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian. In this paper a computational complexity theory of the "knowledge" contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.
Key words. cryptography, zero knowledge, interactive proofs, quadratic residues
23-page PDF
2016 Zcash Protocol Specification Daira Hopwood, et al. The most comprehensive practical application of "zk-SNARKs" in a live system.
 
Abstract. Zcash is an implementation of the Decentralized Anonymous Payment scheme Zerocash, with security fixes and improvements to performance and functionality. It bridges the existing transparent payment scheme used by Bitcoin with a shielded payment scheme secured by zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs). It attempted to address the problem of mining centralization by use of the Equihash memory-hard proof-of-work algorithm.
Keywords: anonymity, applications, cryptographic protocols, electronic commerce and payment, financial privacy, proof of work, zero knowledge.
229-page PDF
2024 SoK (Systemization of Knowledge): Zero-Knowledge Range Proofs Miranda Christ, Foteini Baldimtsi, Konstantinos Kryptos Chalkias, et al. Zero-knowledge range proofs (ZKRPs) allow a prover to convince a verifier that a secret value lies in a given interval. ZKRPs have numerous applications: from anonymous credentials and auctions, to confidential transactions in cryptocurrencies. At the same time, a plethora of ZKRP constructions exist in the literature, each with its own trade-offs. In this work, we systematize the knowledge around ZKRPs. We create a classification of existing constructions based on the underlying building techniques, and we summarize their properties. We provide comparisons between schemes both in terms of properties as well as efficiency levels, and construct a guideline to assist in the selection of an appropriate ZKRP for different application requirements. Finally, we discuss a number of interesting open research problems. 18-page PDF
2026 Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson Abstract: Zero Knowledge Encryption is a term widely used by vendors of cloud-based password managers. Although it has no strict technical meaning, the term conveys the idea that the server, who stores encrypted password vaults on behalf of users, is unable to learn anything about the contents of those vaults. The security claims made by vendors imply that this should hold even if the server is fully malicious. This threat model is justified in practice by the high sensitivity of vault data, which makes password manager servers an attractive target for breaches (as evidenced by a history of attacks). We examine the extent to which security against a fully malicious server holds true for three leading vendors who make the Zero Knowledge Encryption claim: Bitwarden, LastPass and Dashlane. Collectively, they have more than 60 million users and 23% market share. We present 12 distinct attacks against Bitwarden, 7 against LastPass and 6 against Dashlane. The attacks range in severity, from integrity violations of targeted user vaults to the complete compromise of all the vaults associated with an organisation. The majority of the attacks allow recovery of passwords. We have disclosed our findings to the vendors and remediation is underway. 28-page PDF

Side-Channel Analysis & Hardware Attacks

Year Title Description Access
1996 Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS Paul C. Kocher. Proved you can steal a secret key just by measuring how long a CPU takes to calculate. 10-page PDF
1999 Differential Power Analysis (DPA) Kocher, Jaffe, & Jun. Showed that a key could be extracted by monitoring the power consumption of a smart card. 10-page PDF
Execution Isolation SoK (Systemization of Knowledge): Hardware Security Support for Trustworthy Execution In recent years, there have emerged many new hardware mechanisms for improving the security of our computer systems. Hardware offers many advantages over pure software approaches: immutability of mechanisms to software attacks, better execution and power efficiency and a smaller interface allowing it to better maintain secrets. This has given birth to a plethora of hardware mechanisms providing trusted execution environments (TEEs), support for integrity checking and memory safety and widespread uses of hardware roots of trust. 18-page PDF
Side-Channels SoK (Systemization of Knowledge): Design Tools for Side-Channel-Aware Implementations Side-channel attacks that leak sensitive information through a computing device’s interaction with its physical environment have proven to be a severe threat to devices’ security, particularly when adversaries have unfettered physical access to the device. Traditional approaches for leakage detection measure the physical properties of the device. Hence, they cannot be used during the design process and fail to provide root cause analysis. An alternative approach that is gaining traction is to automate leakage detection by modeling the device. The demand to understand the scope, benefits, and limitations of the proposed tools intensifies with the increase in the number of proposals. 16-page PDF
PCB Security SoK: A Security Architect's View of Printed Circuit Board Attacks (2025) Many recent papers have proposed novel electrical measurements or physical inspection technologies for defending printed circuit boards (PCBs) and PCB assemblies (PCBAs) against tampering. As motivation, these papers frequently cite Bloomberg News’ “The Big Hack”, video game modchips, and “interdiction attacks” on IT equipment. We find this trend concerning for two reasons. First, implementation errors and security architecture are rarely discussed in recent PCBA security research, even though they were the root causes of these commonly-cited attacks and most other attacks that have occurred or been proposed by researchers. This suggests that the attacks may be poorly understood. Second, if we assume that novel countermeasures and validation methodologies are tailored to these oft-cited attacks, then significant recent work has focused on attacks that can already be mitigated instead of on open problems. 19-page PDF
May 2024 Deep Learning Enhanced Side Channel Analysis on CRYSTALS-Kyber Abstract—The combination of Deep-learning (DL) and Side-channel analysis (SCA) has been proven by several attacks targeting symmetric key cryptography implementations such as AES. This paper aims to demonstrate the effectiveness of DL in attacking a Post Quantum CRYSTALS-Kyber implementation to recover the private key. We propose a CNN model with additional ciphertext knowledge to attack each 12-bit coefficient of the polynomial vector representing the private key. 9-page PDF

Secret Sharing: The Threshold of Trust

Year Title Author Description Access
1979 How to Share a Secret Adi Shamir The "Algebraic" foundation for Threshold Cryptography. Introduced (k, n) threshold schemes using Lagrange polynomial interpolation. It allows a secret to be split into n pieces, where any k pieces can reconstruct it, but k-1 reveals nothing. [recommended by Sandor LUKACS] 2-page PDF
1979 Safeguarding Cryptographic Keys G.R. Blakley The "Geometric" alternative to Shamir’s "Algebraic" method. While Shamir used polynomials, Blakley used Hyperplanes in n-dimensional space. The secret is the point where the planes intersect. 6-page PDF
1991 Non-Interactive and Information-Theoretic Secure VSS Torben P. Pedersen Introduced the "Pedersen Commitment." Solves the problem: "How do I know the dealer didn't give me a fake share?" This allows participants to verify their shares are valid without revealing them. 12-page PDF
1993 Secret Sharing Made Short Hugo Krawczyk Optimized sharing for massive files (e.g., sharing a 1GB file). Shamir’s scheme makes each share as large as the secret. Krawczyk combined Encryption + Reed-Solomon codes to make shares much smaller and more efficient. 11-page PDF
1995 Proactive Secret Sharing: How to Cope with Perpetual Leakage Herzberg, et al. Introduced "Share Refreshing." Crucial for long-lived secrets. It allows nodes to create new shares of the same secret periodically, so an attacker can't slowly collect shares over years. 14-page PDF
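Added example (not code from Shamir's or Pedersen's papers) for the Shamir and Pedersen rows above: a (k, n) threshold scheme over the prime field GF(2^31 - 1), splitting by evaluating a random degree k-1 polynomial and recovering by Lagrange interpolation at x = 0, followed by a corrupted share fed to the combiner to show the gap verifiable secret sharing closes. The choice of field, the xorshift coefficient source, and the self-test secret are this example's own; the coefficient source is a labelled placeholder for a CSPRNG and must not be used as-is.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define P 2147483647ULL   /* the prime 2^31 - 1; secrets and shares live in [0, P) */

typedef struct { uint32_t x, y; } share_t;   /* a point (x, f(x)) on the polynomial */

static uint64_t mulmod(uint64_t a, uint64_t b) { return (a * b) % P; } /* a,b < 2^31: no overflow */
static uint64_t addmod(uint64_t a, uint64_t b) { return (a + b) % P; }
static uint64_t submod(uint64_t a, uint64_t b) { return (a + P - b) % P; }

/* Modular inverse by Fermat's little theorem: a^(P-2) mod P, for a != 0. */
static uint64_t invmod(uint64_t a) {
    uint64_t r = 1, e = P - 2;
    while (e) { if (e & 1) r = mulmod(r, a); a = mulmod(a, a); e >>= 1; }
    return r;
}

/* PLACEHOLDER coefficient source: a fixed-seed xorshift so the demo repeats.
   Real sharing must draw coefficients from a CSPRNG; predictable coefficients
   let anyone holding a single share recover the secret. */
static uint32_t rng_state = 0x9E3779B9u;
static uint64_t rand_field(void) {
    uint32_t x = rng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    rng_state = x;
    return x % P;
}

/* Split `secret` into n shares so that any k reconstruct it:
   f(x) = secret + a1*x + ... + a_{k-1}*x^(k-1); share i is (i, f(i)), i = 1..n.
   x = 0 is never handed out, since f(0) is the secret itself. */
int shamir_split(uint64_t secret, int k, int n, share_t *out) {
    uint64_t coef[16];
    if (k < 1 || k > 16 || n < k || n >= (int)P || secret >= P) return -1;
    coef[0] = secret;
    for (int i = 1; i < k; i++) coef[i] = rand_field();
    for (int i = 1; i <= n; i++) {
        uint64_t y = 0, xp = 1;
        for (int j = 0; j < k; j++) { y = addmod(y, mulmod(coef[j], xp)); xp = mulmod(xp, (uint64_t)i); }
        out[i - 1].x = (uint32_t)i;
        out[i - 1].y = (uint32_t)y;
    }
    return 0;
}

/* Lagrange interpolation at x = 0 over exactly k distinct shares:
   secret = sum_i y_i * prod_{j != i} (0 - x_j) / (x_i - x_j)  (mod P). */
uint64_t shamir_combine(const share_t *s, int k) {
    uint64_t secret = 0;
    for (int i = 0; i < k; i++) {
        uint64_t num = 1, den = 1;
        for (int j = 0; j < k; j++) {
            if (i == j) continue;
            num = mulmod(num, submod(0, s[j].x));
            den = mulmod(den, submod(s[i].x, s[j].x));
        }
        secret = addmod(secret, mulmod(s[i].y, mulmod(num, invmod(den))));
    }
    return secret;
}

/* Round trip for a (3, 5) scheme, plus the failure mode plain Shamir has:
   a corrupted share is not detected, it silently yields a wrong secret. */
int shamir_selftest(void) {
    const uint64_t secret = 0x5EC3E7ULL;
    share_t s[5];
    if (shamir_split(secret, 3, 5, s) != 0) return 0;
    share_t sub1[3] = { s[0], s[1], s[2] };
    share_t sub2[3] = { s[1], s[3], s[4] };
    if (shamir_combine(sub1, 3) != secret) return 0;
    if (shamir_combine(sub2, 3) != secret) return 0;
    sub1[0].y ^= 1;                                  /* dealer or holder tampers */
    if (shamir_combine(sub1, 3) == secret) return 0; /* unnoticed: wrong value, no error */
    return 1;
}

int main(void) {
    share_t s[5];
    shamir_split(0x5EC3E7ULL, 3, 5, s);
    for (int i = 0; i < 5; i++) printf("share %u: %u\n", s[i].x, s[i].y);
    printf("from shares 1,3,5: %llu\n",
           (unsigned long long)shamir_combine((share_t[]){s[0], s[2], s[4]}, 3));
    printf("self-test: %s\n", shamir_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The tampering step is the motivation for the Pedersen row: the combiner has no way to tell a valid share from a forged one, so a malicious dealer or a corrupted share holder can make the group reconstruct the wrong value without anyone noticing. A commitment to the polynomial coefficients published alongside the shares is what lets each holder check its own share.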

Steganography & Covert Communications

Year Title Author(s) Focus Access
2019 Deep Learning in steganography and steganalysis from 2015 to 2018 Marc CHAUMONT For almost 10 years, the detection of a hidden message in an image has been mainly carried out by the computation of Rich Models (RM), followed by classification using an Ensemble Classifier (EC). In 2015, the first study using a convolutional neural network (CNN) obtained the first results of steganalysis by Deep Learning approaching the performances of the two-step approach (EC + RM). Between 2015-2018, numerous publications have shown that it is possible to obtain improved performances, notably in spatial steganalysis, JPEG steganalysis, Selection-Channel-Aware steganalysis, and in quantitative steganalysis. 46-page PDF
1998 Exploring Steganography: Seeing the Unseen Johnson & Jajodia The seminal IEEE paper defining digital steganography techniques. Introduced the world to LSB (Least Significant Bit) insertion and the concept of "stego-images" vs. "cover-images." 4-page PDF
2001 Defending Against Statistical Steganalysis Niels Provos Introduced the "OutGuess" algorithm to defeat statistical detection. A turning point in the field where hiders began using statistical corrections to make hidden data look like natural digital noise. 14-page PDF
2021 A Survey on Image Encryption using Chaos-based Techniques Veena and Ramakrishna Encryption methods such as AES (Advanced Encryption Standard), DES (Data Encryption Standard), etc. cannot be used for image encryption as images contain a huge amount of redundant data, a high correlation between neighboring pixels and size of the image is very large. Chaos-based techniques have suitable properties that are required for image encryption. The properties include sensitivity to initial conditions, pseudorandom number, ergodicity, and density of periodic orbits. 6-page PDF
2025 Comprehensive Review of Cryptography and Steganography Algorithms (2025) Halima Abbas Assied Ahmed Essilin This paper explores the benefits and challenges of combining cryptography and steganography, identifies potential vulnerabilities of current image steganography techniques, and aims to improve the overall security of covert communication systems. Cryptography and Steganography provide a multi-layered defense against prospective threats. Encryption protects the privacy of information, whereas steganography adds another layer of obscurity, making it difficult for adversaries to identify and intercept sensitive data. 18-page PDF
2022 An Enhanced Steganography Network for Concealing Secret Image Data Chen, Xing, Sun, Yan, and Cheng Explains "Encoder-Decoder" networks that hide a whole secret image inside a cover image using skip-connections. 15-page PDF
2013 Invisible Writing Made Visible James Cameron - GPO History Talk on May 29, 2013 GPO is the U.S. Government Publishing Office.
(name changed in 2014 from Government Printing Office)
During the Second World War, from late 1942 to mid-1946, the United States experienced an unprecedented influx of almost half a million German, Italian, and Japanese prisoners of war. They were in a position to damage the war effort through attempts to escape and, based on experience from World War I, the possibility of espionage. Since the Geneva Convention mandated that prisoners of war could write home, significant information on prisoners’ location and activities could be transmitted through the use of invisible inks made from such common substances as lemon juice, milk, washing soda, baking soda, starch, even urine. The War Department turned to GPO’s paper chemists for an answer. GPO’s Division of Tests and Technical Controls was set up in the 1920s to monitor and improve the quality of paper, inks, adhesives, typemetal, and other vital components of printing and binding work. After extensive tests, GPO’s experts developed a paper base with a silicate or clay coating. The coating contained a powder or dyestuff that would react to moisture, or any acid water solution, by turning green. The paper was called Sensicoat. Sensicoat’s heavy 56-pound weight and high cost were negative factors, so GPO developed a lighter, uncoated, and more economical paper, Analith. When it went into production, secret messages to the Axis were greatly reduced. German intelligence noted the change and took action. American censors began to notice something very interesting about packages of food and clothing addressed to German prisoners as 1944 passed its halfway mark. A small amount of putty-like material, about the size of a kitchen match head, began to turn up in various places of concealment. Repeated tests showed that the material was a dry ink. After several conferences with the Bureau of Censorship, GPO chemists began work on a new paper, bearing in mind that it would have to retain its sensitivity to fluids as well as add sensitivity to dry inks.
The result was a coated sheet with both. By 1945, more than 29 million sheets of the new stationery had been ordered at $1.04 per thousand. GPO had blocked a potentially dangerous flow of information to America’s enemies. It was an achievement shrouded in wartime secrecy, but one gratefully acknowledged by those who knew about the technical challenges.
This document was recommended by Jon Paul.
[This text also appears on page 99 of the 164-page PDF "Keeping America Informed" here.]
12-page PDF
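Added example (not from Johnson and Jajodia, and not Provos's OutGuess code) for the LSB insertion and statistical steganalysis rows above: embed and extract a message through the least-significant bits of a cover buffer, then apply the pairs-of-values chi-square statistic, the kind of test Provos's paper sets out to defeat, to the cover before and after embedding. LSB replacement only ever moves a byte between the values 2i and 2i+1, so filling every LSB with random-looking bits drives each pair's two counts together and the statistic collapses. The cover (a synthetic 8-bit ramp with a histogram comb, not an image), the message bytes, and the constants are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* LSB insertion: write message bits, MSB first, into the least significant
   bit of consecutive cover bytes. Returns bits embedded, or -1 if the cover
   is too small (capacity = one bit per cover byte). */
int lsb_embed(uint8_t *cover, size_t cover_len, const uint8_t *msg, size_t msg_len) {
    if (msg_len > cover_len / 8) return -1;
    for (size_t i = 0; i < msg_len * 8; i++) {
        uint8_t bit = (uint8_t)((msg[i / 8] >> (7 - i % 8)) & 1);
        cover[i] = (uint8_t)((cover[i] & 0xFEu) | bit);
    }
    return (int)(msg_len * 8);
}

/* Inverse: collect LSBs back into msg_len bytes. */
int lsb_extract(const uint8_t *stego, size_t stego_len, uint8_t *msg, size_t msg_len) {
    if (msg_len > stego_len / 8) return -1;
    memset(msg, 0, msg_len);
    for (size_t i = 0; i < msg_len * 8; i++)
        msg[i / 8] = (uint8_t)(msg[i / 8] | ((stego[i] & 1u) << (7 - i % 8)));
    return (int)msg_len;
}

/* Pairs-of-values chi-square (Westfeld and Pfitzmann): for each pair
   (2i, 2i+1) the expected count under full embedding is the pair's mean;
   the statistic is sum over pairs of (n_2i - mean)^2 / mean.
   Small means "the LSB plane looks like embedded data". */
double pov_chi_square(const uint8_t *buf, size_t len) {
    unsigned long hist[256] = {0};
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    double chi = 0.0;
    for (int i = 0; i < 128; i++) {
        double even = (double)hist[2 * i], mean = (even + (double)hist[2 * i + 1]) / 2.0;
        if (mean > 0.0) chi += (even - mean) * (even - mean) / mean;
    }
    return chi;
}

#define COVER_LEN (171 * 48)   /* 8208 bytes: exactly 1026 message bytes of capacity */

/* Constructed cover: an 8-bit ramp rescaled by 3/2, which leaves every value
   equal to 2 mod 3 unused, the sort of histogram comb that resampled images
   show. It is synthetic data, not an image. */
static void make_cover(uint8_t *cover) {
    for (size_t i = 0; i < COVER_LEN; i++) cover[i] = (uint8_t)(((i % 171) * 3) / 2);
}

/* Constructed message: fixed-seed xorshift bytes, standing in for ciphertext. */
static void make_message(uint8_t *msg, size_t len) {
    uint32_t x = 0x1234ABCDu;
    for (size_t i = 0; i < len; i++) { x ^= x << 13; x ^= x >> 17; x ^= x << 5; msg[i] = (uint8_t)(x >> 24); }
}

/* Embed, measure the statistic before and after, extract and compare.
   Returns 1 when the round trip is exact and the statistic dropped. */
int stego_selftest(double *chi_before, double *chi_after) {
    uint8_t cover[COVER_LEN], msg[COVER_LEN / 8], back[COVER_LEN / 8];
    make_cover(cover);
    make_message(msg, sizeof msg);
    *chi_before = pov_chi_square(cover, COVER_LEN);
    if (lsb_embed(cover, COVER_LEN, msg, sizeof msg) != COVER_LEN) return 0;
    *chi_after = pov_chi_square(cover, COVER_LEN);
    if (lsb_extract(cover, COVER_LEN, back, sizeof back) != (int)sizeof back) return 0;
    return memcmp(msg, back, sizeof msg) == 0 && *chi_after < *chi_before;
}

int main(void) {
    double b, a;
    int ok = stego_selftest(&b, &a);
    printf("chi-square before embedding: %.1f\nchi-square after embedding:  %.1f\nround trip: %s\n",
           b, a, ok ? "ok" : "FAILED");
    return 0;
}
```

On this cover the statistic is 2040 before embedding (85 of the 128 value pairs have one member entirely missing) and falls to roughly 64 afterwards, about half a unit per pair, which is what random LSBs produce. That collapse is the fingerprint the statistical steganalysis looks for, and preserving the pair counts while still carrying the message is what OutGuess adds.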

Network Anonymity & Traffic Analysis

Focus Area Primary SoK/Survey PDF Title Direct PDF Source Link Core Contribution
Foundational Survey On Anonymity in an Electronic Society: A Survey of Anonymous Communication Systems The past two decades have seen a growing interest in methods for anonymous communication on the Internet, both from the academic community and the general public. Several system designs have been proposed in the literature, of which a number have been implemented and are used by diverse groups, such as journalists, human rights workers, the military, and ordinary citizens, to protect their identities on the Internet. In this work, we survey the previous research done to design, develop, and deploy systems for enabling private and anonymous communication on the Internet. 35-page PDF
Encrypted Traffic SoK (Systemization of Knowledge): Decoding the Enigma of Encrypted Network Traffic Classifiers (2025) The adoption of modern encryption protocols such as TLS 1.3 has significantly challenged traditional network traffic classification (NTC) methods. As a consequence, researchers are increasingly turning to machine learning (ML) approaches to overcome these obstacles. This paper analyses ML-based NTC studies by developing a taxonomy of their design choices, benchmarking suites, and prevalent assumptions impacting classifier performance. Through this systematization, we demonstrate widespread reliance on outdated datasets, oversights in design choices, and the consequences of unsubstantiated assumptions. 18-page PDF
Dataset Linkage SoK (Systemization of Knowledge): Managing risks of linkage attacks on data privacy Novel attacks on dataset privacy are usually met with the same range of responses: surprise that a route to information gain exists from information previously thought to be safe; disputes around the viability or validity of the attack in real-world contexts; and, in the case of the computer science community, a drive to produce techniques that provably protect against the new class of attack. 20-page PDF
Metadata Privacy SoK (Systemization of Knowledge): Secure Messaging Motivated by recent revelations of widespread state surveillance of personal communication, many solutions now claim to offer secure and private messaging. This includes both a large number of new projects and many widely adopted tools that have added security features. The intense pressure in the past two years to deliver solutions quickly has resulted in varying threat models, incomplete objectives, dubious security claims, and a lack of broad perspective on the existing cryptographic literature on secure communication 18-page PDF
Differential Privacy SoK (Systemization of Knowledge): Differential Privacies Shortly after it was first introduced in 2006, differential privacy became the flagship data privacy definition. Since then, numerous variants and extensions were proposed to adapt it to different scenarios and attacker models. In this work, we propose a systematic taxonomy of these variants and extensions. We list all data privacy definitions based on differential privacy, and partition them into seven categories, depending on which aspect of the original definition is modified. These categories act like dimensions: variants from the same category cannot be combined, but variants from different categories can be combined to form new definitions. 27-page PDF
Secure Messaging SoK (Systemization of Knowledge): Secure Messaging Motivated by recent revelations of widespread state surveillance of personal communication, many products now claim to offer secure and private messaging. This includes both a large number of new projects and many widely adopted tools that have added security features. The intense pressure in the past two years to deliver solutions quickly has resulted in varying threat models, incomplete objectives, dubious security claims, and a lack of broad perspective on the existing cryptographic literature on secure communication. 25-page PDF

The First Crypto War (1977-1999): Law & Policy

Year Event The Outcome Significance Access
1977 The Meyer Letter (to IEEE) "I have noticed in the past months that various IEEE Groups have been publishing and exporting technical articles on encryption and cryptology --- a technical field which is covered by Federal Regulations, viz: ITAR (International Traffic in Arms Regulations, 22 CFR 121-128)." 6-page PDF
1977 NSA FOIA re: The Meyer Letter Academic chill followed by Senate oversight. An NSA employee (Joseph Meyer) sent a letter to the IEEE warning that publishing crypto research might violate international arms-export laws (ITAR). 19-page PDF
1988 The Computer Security Act of 1987 NBS (now NIST) gained authority over civilian security. Formalized the struggle between the NSA and civilian agencies over who sets encryption standards for the public. 7-page PDF
1991 Senate Bill S.266 (Key Escrow) The "inciting incident" for PGP. Contained a non-binding resolution that equipment manufacturers should allow the government to obtain plaintext. Prompted Phil Zimmermann to release PGP. LINK
1991 Why I Wrote PGP Phil Zimmermann The moral defense of democratizing "military-grade" encryption for the common citizen. LINK
1993 A Cypherpunk's Manifesto Eric Hughes Defined the movement's goal: "Privacy is necessary for an open society in the electronic age." LINK
1993 The Clipper Chip Announcement Defeated by public outcry and technical flaws. The White House's attempt to bake a "backdoor" into every phone and computer. ARCHIVE
1994 The Cyphernomicon Timothy C. May A massive, foundational FAQ exploring the social and political effects of strong crypto. LINK
April 15, 1996 Bernstein v. United States
Opinion by US District Judge Marilyn Hall Patel
This is the "source code is speech for the purposes of the First Amendment" ruling.
(see page 27 of the decision)
US District Judge Marilyn Hall Patel ruled that software source code is protected by the First Amendment.
(you might also like to see my one-page summary of both Bernstein decisions, published at
Cryptosystems Journal Volume 4 page 119)
32-page PDF
May 6, 1999 Bernstein v. United States
Decision before: BRIGHT,* B. FLETCHER, and T.G. NELSON, Circuit Judges.
The government defendants appeal the grant of summary judgment to the plaintiff, Professor Daniel J. Bernstein (“Bernstein”), enjoining the enforcement of certain Export Administration Regulations (“EAR”) that limit Bernstein's ability to distribute encryption software. We find that the EAR regulations (1) operate as a prepublication licensing scheme that burdens scientific expression, (2) vest boundless discretion in government officials, and (3) lack adequate procedural safeguards. Consequently, we hold that the challenged regulations constitute a prior restraint on speech that offends the First Amendment. Although we employ a somewhat narrower rationale than did the district court, its judgment is accordingly affirmed. Findlaw Link
December 9, 1996 Bernstein v. United States
Memorandum and Order by US District Judge Marilyn Hall Patel
"The thread running through all these cases is that prior restraints on speech and publication are the most serious and the least tolerable infringement on First Amendment rights."
(see page 13 of the decision)
"A prior restraint, by contrast and by definition has an immediate and irreversible sanction. If it can be said that a threat of criminal or civil sanction after publication "chills" speech, prior restraint "freezes" it at least for the time." (see page 13 of the decision)
"The court reiterates its previous conclusion that source code is speech. Bernstein, 922 F. Supp. at 1436. Software relating to encryption is simply a topic of speech employed by some scientists involved in applied research. Hence, Snuffle is speech afforded the full protection of the First Amendment not because it enables encryption, but because it is itself speech." (see page 16 of the decision)
"The ITAR scheme, a paradigm of standardless discretion, fails on every count. This court finds nothing in the ITAR that places even minimal limits on the discretion of the licensor and hence nothing to alleviate the danger of arbitrary or discriminatory licensing decisions." (see page 20 of the decision)
US District Judge Marilyn Hall Patel ruled that "the ITAR licensing system as applied to Category XIII(B) acts as an unconstitutional prior restraint in violation of the First Amendment."
(see page 23 of the decision)
41-page PDF
1996 The PGP Investigation (Phil Zimmermann) Charges dropped after three years. The US government tried to jail Zimmermann for "exporting munitions" when he posted PGP online. ESSAY
1996 Executive Order 13026 Commercialized Crypto. President Clinton moved crypto from the "Munitions List" (State Dept) to the Commerce Dept. 3-page PDF
1997 The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier Abstract: A variety of "key recovery," "key escrow," and "trusted third-party" encryption requirements have been suggested in recent years by government agencies seeking to conduct covert surveillance within the changing environments brought about by new technologies. This report examines the fundamental properties of these requirements and attempts to outline the technical risks, costs, and implications of deploying systems that provide government access to encryption keys. 20-page PDF
1998 Chaffing and Winnowing: Confidentiality without Encryption Ronald L. Rivest
Novel techniques for confidentiality are interesting in part because of the current debate about cryptographic policy as to whether law enforcement should be given when authorized surreptitious access to the plaintext of encrypted messages. The usual technique proposed for such access is "key recovery," where law enforcement has a "back door" that enables them to recover the decryption key. Winnowing does not employ encryption, and so does not have a "decryption key." Thus, the usual arguments in favor of "key recovery" don't apply very well for winnowing. As usual, the policy debate about regulating technology ends up being obsoleted by technological innovations. Trying to regulate confidentiality by regulating encryption closes one door and leaves two open (steganography and winnowing). [recommended by Sandor LUKACS] 6-page PDF
1998 The EFF DES Cracker ("Deep Crack") Proved 56-bit DES was obsolete. The EFF built a $250k machine that cracked a DES key in 56 hours, debunking government claims that DES was "secure enough" for the public. ARCHIVE
1998 The Wassenaar Arrangement Global Export Control. A 42-nation agreement to control the export of "dual-use" technologies like encryption. 156-page PDF
1999 Clinton Admin. Export Relaxation End of the "First Crypto War." Following the September 16 announcement, most restrictions on exporting strong (128-bit+) encryption were dropped, moving crypto from "Munitions" to "Commerce." LINK
1999 Growing Development of Foreign Encryption Products in the Face of U.S. Export Regulations Hoffman, Balenson, et al. The "First Crypto War" data that forced the 2000 export reforms. The original study modeled by Schneier. It showed 805 products existed outside the US in 1999, making US export controls "futile." See also the follow-up 2016 report by Bruce Schneier, below. 31-page PDF
2003 Crypto Politics and Export Controls Peter Gutmann History of crypto politics, digital telephony, Clipper, Fortezza and Skipjack, post-Clipper crypto politics, US export controls, effects of export controls, legal challenges, French and Russian controls, non-US controls (Wassenaar), Menwith Hill, Echelon, blind signal demodulation, undersea cable tapping, European parliament reports on Echelon, Echelon and export controls, Cloud Cover, UK DTI proposals, various GAK issues. The Internet Archive captured 12 times between April 2003 and August 2006. 71 slides on 36 PDF pages. 36-page PDF
2007 (declassification) No Such Agency NSA Cryptologic Almanac 50th Anniversary Series Traditionally, NSA maintained a very low public profile, characterized particularly by an aversion to media exposure. For the early decades of its existence, most seniors at the Agency argued that any public discussion of cryptology served only to heighten the security awareness of target nations, and was to be avoided as much as possible. This was the era when local jokes had it that the initials NSA stood for "No Such Agency," or, alternately, "Never Say Anything." These two peripherally related articles discuss in a general way how cryptologic history "went public," then how the National Security Agency transformed from "No Such Agency" to "Nothing Sacred Anymore." 10-page PDF
2016 A Worldwide Survey of Encryption Products Bruce Schneier, et al. Proven evidence that "The Crypto Wars" cannot be won via export bans. Identified 865 encryption products from 55 countries, proving that foreign non-US encryption is robust and ubiquitous. [recommended by Sandor LUKACS] 23-page PDF
1988 Cryptosystems Journal Volume 1 Number 1: One-Time-Pad Cryptosystem (31 pages) 31-page PDF
Number 2: Cooper's Cryptosystem (39 pages) 39-page PDF
Number 3: Baconian Cryptosystem (59 pages) 59-page PDF
1989, 1992 Cryptosystems Journal Volume 2 Number 1: Galois Field Cryptosystems (123 pages) 123-page PDF
Number 2: The SUMMIT Cryptosystem (118 pages) 118-page PDF
1994 Cryptosystems Journal Volume 3 PEAK Cryptosystem (156 pages) 156-page PDF
1997 Cryptosystems Journal Volume 4 APEX Cryptosystem (274 pages) 274-page PDF
1999 Cryptosystems Journal Volume 5 Crypto-Chat Cryptosystem (399 pages) 399-page PDF
2001 Encryption Export Controls Jeanne J. Grimmett Restrictive export licensing regulations have raised constitutional concerns, some arguing that they impose a prior restraint on speech in violation of the First Amendment. Federal courts have both upheld and dismissed First Amendment challenges to export controls, the outcome generally turning on whether the court viewed the encryption item and its export as essentially expressive or functional. 26-page PDF
2012 Encryption and Globalization Peter Swire and Kenesa Ahmad During the 1990s, encryption was one of the most hotly debated areas of technology law and policy. Law enforcement and security agencies initially supported limits on the export of strong encryption for national security reasons. In 1999, however, the administration shifted position to allow largely unrestricted export of encryption technologies. Encryption law and policy discussions largely faded from view. Recently, encryption is again resurfacing as a major point of policy discussion. Changes to Indian and Chinese laws regarding encryption technologies have raised questions of international trade, national security, and communications security. There are key lessons learned from the U.S. experience that are highly relevant when the debate shifts from one country to a globalized setting. However, since the U.S. encryption question was settled in 1999, a new generation of policy makers, lawyers, and technologists has emerged with little or no experience in the area of encryption policy. This Article seeks to fill an important gap in the literature, and to inform the debate on encryption policies in the face of increasing globalization. By examining the relevant history, technology, law, and policy, this Article explains why it is vital to assure the widespread and global availability of strong encryption for our data and communications. 66-page PDF
2017 Encryption and the Press Clause D. Victoria Baranetsky Almost twenty years ago, a hostile debate over whether government could regulate encryption—later named the Crypto Wars—seized the country. At the center of this debate stirred one simple question: is encryption protected speech? This issue touched all branches of government, percolating from Congress, to the President, and eventually to the federal courts. In a waterfall of cases, several United States Courts of Appeals appeared to reach a consensus that encryption was protected speech under the First Amendment, and with that the Crypto Wars appeared to be over, until now. Nearly twenty years later, the Crypto Wars have returned. Following recent mass shootings, law enforcement has once again questioned the legal protection for encryption and tried to implement "backdoor" techniques to access messages sent over encrypted channels. In the case Apple v. FBI, the agency tried to compel Apple to grant access to the iPhone of a San Bernardino shooter. The case was never decided, but the legal arguments briefed before the court were essentially the same as they were two decades prior. Apple and amici supporting the company argued that encryption was protected speech. While these arguments remain convincing, circumstances have changed in ways that should be reflected in the legal doctrines that lawyers use. Unlike twenty years ago, today surveillance is ubiquitous, and the need for encryption is no longer felt by a seldom few. Encryption has become necessary for even the most basic exchange of information given that most Americans share "nearly every aspect of their lives—from the mundane to the intimate" over the Internet, as stated in a recent Supreme Court opinion [Riley v. California, 134 S. Ct. 2473, 2490 (2014)]. 58-page PDF
2015 Surreptitiously Weakening Cryptographic Systems Bruce Schneier, Matthew Fredrikson, Tadayoshi Kohno, Thomas Ristenpart Abstract: Revelations over the past couple of years highlight the importance of understanding malicious and surreptitious weakening of cryptographic systems. We provide an overview of this domain, using a number of historical examples to drive development of a weaknesses taxonomy. This allows comparing different approaches to sabotage. We categorize a broader set of potential avenues for weakening systems using this taxonomy, and discuss what future research is needed to provide sabotage-resilient cryptography.
Recommended by Sandor LUKACS.
26-page PDF

Cryptology-themed MOVIES

I include movies where the plot involves nuclear launch sequences, the ultimate "high-stakes" application of cryptography and code verification.
In these films, the "code" isn't just a password; it’s an authentication string (often called an Emergency Action Message or EAM)
that must match a physical key or a code held in a "sealed authenticator" (the literal "Red Box").
Year Length Title Plot Description & Cast Access
1952 103 min The Thief A Cold War thriller with no dialogue. A nuclear physicist uses microdot photography and one-time pads to leak secrets to Soviet handlers.
Cast: Ray Milland, Martin Gabel.
IMDB
6.7 stars
1963 113 min Charade A classic mystery involving a hunt for missing money. The plot features steganography involving rare stamps hidden in plain sight.
Cast: Cary Grant, Audrey Hepburn.
IMDB
7.8 stars
1964 93 min Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb A rogue general orders a strike. The crew can only be recalled via a three-letter prefix code known only to him. The plot hinges on the CRM 114 discriminator, which prevents the plane from receiving any signals that don't start with the secret code.
Cast: Peter Sellers.
IMDB
8.3 stars
1964 112 min Fail Safe A mechanical failure sends a "Go" signal to a bomber squadron. The film focuses on the "Fail Safe" boxes—sealed devices that activate and display a digital attack code. Once the code is sent, the crew is trained to ignore all voice communications as "enemy deception."
Cast: Henry Fonda.
IMDB
8.1 stars
1968 148 min Where Eagles Dare An elite team infiltrates a Nazi fortress. The mission relies heavily on radio transmission codes and double-agent deceptions.
Cast: Richard Burton, Clint Eastwood.
IMDB
7.6 stars
1968 100 min Sebastian An Oxford professor runs a massive, all-female codebreaking department for the British government. The plot shows manual decryption techniques and the mental toll of pattern recognition.
Cast: Dirk Bogarde, Susannah York.
IMDB
6.1 stars
1970 144 min Tora! Tora! Tora! A dual-perspective look at Pearl Harbor. A major subplot follows US intelligence (OP-20-G) as they break the Japanese "PURPLE" cipher using a duplicate machine, intercepting the 14-part message that signaled the attack.
Cast: Martin Balsam, Jason Robards.
Warning: War violence.
IMDB
7.1 stars
1970 93 min Colossus: The Forbin Project A supercomputer designed to control the US nuclear arsenal develops its own sentience and links with a Soviet counterpart. Crypto elements: Features binary communication between machines, the creation of a private machine language/cipher that humans cannot decode, and the brute-force takeover of global launch systems.
Cast: Eric Braeden, Susan Clark.
IMDB
7.1 stars
1975 117 min Three Days of the Condor A CIA analyst (Redford) specializes in scanning world literature for hidden codes. When his entire unit is assassinated, he must use his analytical decoding skills to uncover a "company within the company."
Cast: Robert Redford, Faye Dunaway.
IMDB
7.4 stars
1979 107 min Sekret Enigmy
(The Enigma Secret)
Subtitled (Polish). The definitive historical account from the Polish perspective. It details how Marian Rejewski used group theory and mathematics to reverse-engineer the Enigma years before the British began their work at Bletchley.
Cast: Piotr Fronczewski.
IMDB
6.5 stars
1983 114 min WarGames A young hacker accidentally accesses a military supercomputer. He uses wardialing and password cracking via social engineering to bypass security.
Cast: Matthew Broderick, Ally Sheedy.
IMDB
7.1 stars
1983 127 min The Day After Features a highly realistic Minuteman II launch sequence. Crypto elements: Shows the reception of an Emergency Action Message (EAM), the two-man authentication of codes from a sealed red safe, and the synchronized turning of launch keys. The officers in the missile silo receive a coded string over a teletype. They must open a literal red safe (which requires two different keys) to pull out the authenticator cards to match the code. A major plot point involves the Electromagnetic Pulse (EMP) after the high-altitude blasts, which destroy all electronics.
Cast: Jason Robards, John Lithgow.
Warning: Extremely disturbing imagery/Nuclear devastation.
IMDB
7.0 stars
1983 94 min A Christmas Story Features the most famous depiction of a Substitution Cipher in pop culture. The protagonist uses a Little Orphan Annie Secret Society Decoder Pin to decrypt a broadcast message.
Cast: Peter Billingsley, Melinda Dillon, Darren McGavin
IMDB
7.9 stars
1985 131 min The Falcon and the Snowman Based on a true story. A defense contractor employee with access to the "Black Vault" steals encrypted satellite communications and sells them to the Soviets via his drug-dealing friend.
Cast: Timothy Hutton, Sean Penn.
Warning: Drug use (the "Snowman" is a cocaine dealer), strong language, and themes of treason.
IMDB
6.8 stars
1984 101 min Cloak & Dagger A young boy is given an Atari cartridge containing top-secret military encryption plans. He must evade spies while using his knowledge of "spycraft" games to survive.
Cast: Henry Thomas, Dabney Coleman.
IMDB
6.6 stars
1990 100 min By Dawn's Early Light Features the most realistic depiction of Emergency Action Messages (EAMs). Codes are verified using sealed authenticator cards (the "biscuit") to confirm the identity of the President (codenamed "Condor"). B-52 / Looking Glass.
Cast: Powers Boothe, James Earl Jones.
IMDB
6.9 stars
1992 126 min Sneakers A team of "pen testers" is tasked with recovering a "black box." It is revealed to be a universal decryption device based on breakthroughs in prime factorization.
Cast: Robert Redford, Sidney Poitier.
IMDB
7.1 stars
1995 116 min Crimson Tide A mutiny occurs over an incomplete EAM. The plot focuses on the sealed authentication system and the requirement for "two-man" verification of the encrypted launch string before the Captain's key can be used.
Cast: Denzel Washington, Gene Hackman.
IMDB
7.4 stars
1996 108 min Broken Arrow A rogue pilot steals two nukes. The plot involves PAL (Permissive Action Link) codes — the internal security codes required to arm the warheads — and a remote "kill switch" that uses encrypted frequencies.
Cast: John Travolta, Christian Slater.
IMDB
6.1 stars
1997 126 min Good Will Hunting While a drama, it features a pivotal sequence where the NSA tries to recruit a genius to break advanced ciphers. The "NSA Monologue" explicitly details the geopolitical consequences of cryptanalysis.
Cast: Matt Damon, Robin Williams.
IMDB
8.3 stars
1998 132 min Enemy of the State While more about surveillance, the film features NSA cryptanalysts using satellite-based decryption and steganography to track a lawyer who accidentally receives evidence of a political murder.
Cast: Will Smith, Gene Hackman, Jon Voight.
IMDB
7.3 stars
1998 111 min Mercury Rising The film revolves around a nine-year-old boy who inadvertently cracks "Mercury," a top-secret NSA cipher designed to be an unbreakable cryptographic shield for the government’s global operations. By solving what was meant to be an unhackable wall via a simple puzzle magazine, the child highlights the high-stakes fragility of national security when faced with an unexpected leap in human pattern recognition.
Cast: Bruce Willis, Miko Hughes, Alec Baldwin.
IMDB
6.1 stars
2000 116 min U-571 American sailors disguise themselves to board a German U-boat. Their primary goal is the capture of the Enigma machine (rotors) and naval codebooks. While the capture of Enigma machines was a real and vital part of the war (notably the British capture of U-110 and the American capture of U-505), this specific movie is a fictionalized "what if" story.
Cast: Matthew McConaughey, Harvey Keitel.
IMDB
6.6 stars
2001 119 min Enigma Bletchley Park cryptanalysts work to break the "Shark" cipher used by U-boats after the Germans unexpectedly change their codebooks.
Cast: Dougray Scott, Kate Winslet, Saffron Burrows.
IMDB
6.4 stars
2001 135 min A Beautiful Mind A dramatization of John Nash's life. It features intense sequences of Nash attempting to break Soviet ciphers by finding patterns in seemingly random magazine and newspaper text.
Cast: Russell Crowe, Ed Harris.
IMDB
8.2 stars
2002 134 min Windtalkers Focuses on the Navajo Code Talkers in WWII, whose language served as an unbreakable oral cipher that the Japanese could never decode.
Cast: Nicolas Cage, Adam Beach, Peter Stormare.
IMDB
6.1 stars
2002 124 min The Sum of All Fears A neo-Nazi group attempts to spark war between the US and Russia. Crypto elements: Features a remote server infiltration to download encrypted files and nuclear forensics where scientists "decode" the isotopic signature of a plutonium core to trace its origin to a specific US laboratory (Savannah River).
Cast: Ben Affleck, Morgan Freeman.
Warning: Nuclear violence, intense themes.
IMDB
6.5 stars
2004 131 min National Treasure The plot utilizes an Ottendorf Cipher (book cipher) using the Silence Dogood letters and invisible ink on the back of the Declaration of Independence.
Cast: Nicolas Cage, Diane Kruger.
IMDB
6.9 stars
2007 157 min Zodiac Chronicles the true hunt for a killer who taunts police with homophonic substitution ciphers. In a homophonic substitution, one letter can be represented by multiple different symbols.
  • The 408-Cipher (Solved 1969): This was a "Pure" Homophonic Substitution Cipher. It was solved by a high school teacher and his wife using a "crib" (guessing the word "KILL").
  • The 340-Cipher (Solved 2020): This was much harder because it was a Homophonic Substitution plus a Transposition Cipher. The killer wrote the message out, then scrambled the positions of the symbols in a diagonal pattern. This is why it took 51 years to solve.
Cast: Jake Gyllenhaal, Robert Downey Jr.
Warning: Killings, pervasive language, drug material, and brief sexual images. (The "lake scene" is famously disturbing).
IMDB
7.7 stars
2013 131 min White House Down A paramilitary group seizes the White House to initiate a nuclear strike. Crypto elements: An ex-NSA hacker brute-forces NORAD's command-and-control servers; plot hinges on biometric authentication (handprint) and stolen launch codes to authorize an ICBM strike from an Ohio silo.
Cast: Channing Tatum, Jamie Foxx.
IMDB
6.3 stars
2008 118 min Eagle Eye Two strangers are manipulated by an NSA supercomputer (ARIIA) that monitors every digital device in the world. Crypto elements: Features real-time biometric tracking, the remote hacking of urban infrastructure, and the bypassing of military encryption to trigger a high-level assassination.
Cast: Shia LaBeouf, Michelle Monaghan.
Warning: Intense action violence, language.
IMDB
6.6 stars
2014 114 min The Imitation Game Biopic of Alan Turing. Focuses on the creation of the "Christopher" Bombe machine to automate the cryptanalysis of Enigma.
Cast: Benedict Cumberbatch, Keira Knightley.
Warning: Sexual references, mature thematic material (historical persecution/chemical castration), and historical smoking.
IMDB
8.0 stars
2014 114 min Citizenfour A real-life thriller filmed in real-time as Edward Snowden leaks NSA documents. Features PGP encryption, the use of a "magic mantle" (privacy blanket) to hide passwords from overhead cameras, and technical details on metadata collection.
Cast: Edward Snowden, Glenn Greenwald.
IMDB
8.0 stars
2016 134 min Snowden The NSA's illegal surveillance techniques are leaked to the public by one of the agency's employees, Edward Snowden, in the form of thousands of classified documents distributed to the press. A dramatization of the NSA leaks. Highlights the "Epic Shelter" backup program and the technical bypasses used to exfiltrate encrypted government data using a hidden SD card.
Cast: Joseph Gordon-Levitt, Shailene Woodley.
IMDB
7.3 stars
2018 139 min Under the Silver Lake A young man in Los Angeles searches for a missing neighbor, uncovering a massive conspiracy involving hobo code symbols, Morse code in menus, Zodiac-style ciphers, and hidden messages in pop songs and cereal boxes.
Cast: Andrew Garfield, Riley Keough.
Warning: Strong sexual content, graphic nudity, violence, language, and drug use.
IMDB
6.5 stars
2019 112 min Official Secrets The true story of a GCHQ translator who receives an encrypted NSA memo requesting illegal surveillance on UN diplomats to "blackmail" them into supporting the Iraq War.
Cast: Keira Knightley, Matt Smith.
IMDB
7.3 stars
2019 138 min Midway Highlighting the role of Commander Joseph Rochefort and his team at Station HYPO. They use traffic analysis and a "water shortage" ruse to confirm that the Japanese code for "AF" was Midway, leading to a strategic ambush.
Cast: Ed Skrein, Patrick Wilson.
Warning: War violence.
IMDB
6.7 stars
2025 112 min A House of Dynamite A modern look at "Decision Time." The President must use the Gold Codes (found on the "biscuit" card) to authenticate a retaliatory strike against a ticking clock, highlighting the speed of modern digital authentication.
Cast: Idris Elba, Rebecca Ferguson, Gabriel Basso.
IMDB
6.4 stars
2025 123 min The Amateur A modern addition: a CIA cryptologist (Malek) working in the basement of Langley uses his decoding and technical skills to track down terrorists after his wife is killed and his agency refuses to help.
Cast: Rami Malek, Rachel Brosnahan, Jon Bernthal.
IMDB
6.5 stars

Bletchley Park & Cryptanalytic Bombes

TitleAuthorDescriptionAccess
General Report on Tunny Newmanry Dept. Technical story of breaking Lorenz and Colossus. LINK
Turing's Treatise on the Enigma (Prof's Book) Alan Turing Turing's personal notes on cryptanalysis. 117-page PDF
Newmanry History Donald Michie The history of machine codebreaking in WWII. 105-page PDF
The First Americans: The 1941 US Codebreaking Mission to Bletchley Park David Sherman, National Security Agency, Center for Cryptologic History (2016 second printing) In late January 1941, ten months before Pearl Harbor and America’s entry into World War II, a four-person US military delegation slipped onto the British battleship HMS King George V, which was anchored in the Chesapeake Bay off Annapolis, Maryland. Wearing civilian clothes, carrying diplomatic passports, and armed with the cover story of being Canadians, the four officers—the US Navy’s Prescott Currier and Robert Weeks and their US Army companions Leo Rosen and Abraham Sinkov, the group’s leader—were bound for a British installation so secret that for three decades after the war’s end in 1945 it remained unknown to the general public in both Great Britain and the United States. This was Bletchley Park, the United Kingdom’s wartime codebreaking establishment located on a former country estate an hour’s train ride north of London. 64-page PDF
Solving the ENIGMA: History of the Cryptanalytic Bombe Jennifer Wilcox, National Security Agency, Center for Cryptologic History (Revised Edition 2024) As the German military grew in the late 1920s, it began looking for a better way to secure its communications. It found the answer in a new cryptographic machine called the Enigma. The Germans believed the encryption generated by the machine to be unbreakable. With a theoretical number of ciphering possibilities of 3×10^114, their belief was not unjustified. However, they never reached that theoretical level of security. Nor did they count on the cryptanalytic abilities of their adversaries.
Since the German cipher clerk determined the initial rotor settings, they had to be sent to the intended recipient in the clear—that is, unenciphered. The first three letters of the code group, sent unenciphered, told the receiver where to set the rotors. The following six letters were the ciphered letters (repeated) of the settings for the rest of the message. They were sent twice to avoid garbles in transmission. For example, the clerk might send HIT in the clear. The receiver set his Enigma rotors to read HIT through the windows and then typed the next six letters in the message, KOSRLB. These were the indicators. The letters that lit up (LERLER) told him where to reset his rotors. Changing his rotor settings to read LER through the windows, the receiver now decrypted the rest of the message. Because the clerk made up his own six-letter settings, the Polish cryptanalysts could occasionally guess the settings.
60-page PDF
The Secret of Adam and Eve Jennifer Wilcox In May 1943, Adam and Eve only resembled what their descendants would become: huge gray machines standing seven feet high, ten feet long, and two feet wide. But Adam and Eve were merely components, motors, and wire spread across workhorses and mounted in cabinets in Building 26 of the National Cash Register Company in Dayton, Ohio. Like the machines they preceded, they held nearly 400 vacuum tubes, 64 individually wired bakelite rotors, and innumerable feet of wire. They were the first of their kind, the U.S. Navy's Cryptanalytic Bombes, and they were about to change history. For three months, 800 U.S. Navy officers, sailors, and WAVES worked day and night to construct the Bombes; for what purpose, they did not know. Clearly the machines were important. So important that the U.S. Navy actually approved and assigned an engineer of German descent with relatives still in Germany to design the machine. Everyone assigned to the project was sworn to secrecy, but only a few actually knew the secret. Over the course of the war 121 U.S. Navy cryptanalytic Bombes would be built by Navy personnel at Dayton's National Cash Register Company and shipped to the Navy's Communications Annex in Washington, D.C. 3-page PDF

NSA Declassified Manuals & Books (National Security Agency)

TitleAuthorDescriptionAccess
The Friedman Lectures on Cryptology (1965) William F. Friedman (SRH-004) 6 Lectures, plus 2 Appendices 187-page PDF
Codes and Ciphers (Cryptology) William F. Friedman Reprint of Friedman's Article In Encyclopedia Britannica 9-page PDF
Military Cryptanalysis: Part I: Monoalphabetic Substitution Systems William F. Friedman Superseded by SRH-273 Military Cryptanalytics, Part 1 of 2 76-page PDF
Military Cryptanalysis: Part II: Simpler Varieties of Polyalphabetic Substitution Systems William F. Friedman Superseded by SRH-274 Military Cryptanalytics, Part 2 of 2 66-page PDF
Military Cryptanalysis: Part III: Simpler Varieties of Aperiodic Substitution Systems William F. Friedman By the late 50s and early 60s, the world was moving toward sophisticated rotor machines and early electronic encryption. The "pencil and paper" methods of Part III were becoming less relevant to modern high-level signals. 64-page PDF
Military Cryptanalysis: Part IV: Transposition and Fractionating Systems William F. Friedman By the late 50s and early 60s, the world was moving toward sophisticated rotor machines and early electronic encryption. The "pencil and paper" transposition methods of Part IV were becoming less relevant to modern high-level signals. 112-page PDF
Articles on Cryptography and Cryptanalysis Reprinted from the Signal Corps Bulletin Foreword by William F. Friedman With a view to providing useful collateral literature for students interested in cryptography and cryptanalysis, the articles on these subjects which, with one exception, have appeared from time to time in the various issues of the Signal Corps Bulletin, have here been collected and reprinted in a single publication. 322-page PDF
American Cryptology during the Cold War: Book I: The Struggle for Centralization 1945-1960 Thomas R. Johnson The Early Postwar Period (1945-1952). Declassified internal history. 299-page PDF
American Cryptology during the Cold War: Book II: Centralization Wins, 1960-1972 Thomas R. Johnson Centralization Arrives (1952-1960). Detailed agency formation. 369-page PDF
American Cryptology during the Cold War: Book III: Retrenchment and Reform, 1972-1980 Thomas R. Johnson Retrenchment and Reform (1960-1972). Impact of the 1960s. 271-page PDF
American Cryptology during the Cold War: Book IV: Cryptologic Rebirth, 1981-1989 Thomas R. Johnson Cryptologic Giant Steps (1972-1989). Modern era transitions. 233-page PDF
History of the Signal Security Agency (Volume One): Organization (1939-1945) Army Security Agency 604-page PDF
History of the Signal Security Agency (Volume Two): The General Cryptanalytic Problems (1947) Army Security Agency 500-page PDF
A History of U.S. Communications Security (The Boak Lectures), Consolidated Volume I David G. Boak High-quality 94-page consolidated scan of the primary COMSEC indoctrination lectures. 94-page PDF
A History of U.S. Communications Security (The Boak Lectures), Volume II David G. Boak The standalone second volume focusing on machine ciphers and Cold War COMSEC. 61-page PDF
Military Cryptanalytics, Part I (Friedman & Callimahos) Friedman & Callimahos The massive (400+ page) textbook used at the NSA. Contains the "Nature of Cryptology" chapters. 435-page PDF
Military Cryptanalytics, Part II (The Advanced Course) Lambros D. Callimahos Focuses on periodic polyalphabetic substitution and the reconstruction of complex machine systems. 242-page PDF
NSA's Key Role in Major Developments in Computer Science (Parts 1 & 2) 7-page PDF
History of NSA General-Purpose Electronic Digital Computers; 1964 105-page PDF
Cryptology’s Role in the Early Development of Computer Capabilities in the United States 40-page PDF
NSA Directors: The Selection and Confirmation Process 38-page PDF
Showcase of the National Security Agency The National Cryptologic Museum: A 10-Year Anniversary Retrospective 13-page PDF
Tale of the Tape 3-page PDF
Rare Books in the National Cryptologic Museum 8-page PDF
The Origins of NSA 7-page PDF
NSA 50th Anniversary Brochure 26-page PDF
NSA 60th Anniversary Book 124-page PDF
Lambros D. Callimahos: Guru and Flautist (Oral History) NSA History Center Declassified interview/biography detailing the creation of his legendary training methods. 19-page PDF
TM 32-220: Basic Cryptography (1950) Department of the Army 192-page foundational manual on manual cipher systems and security procedures. 192-page PDF
TM 32-221: Advanced Cryptography (1954) Department of the Army The declassified follow-up to 32-220, focusing on complex systems and traffic analysis. 111-page PDF
FM 34-40-2: Basic Cryptanalysis (1990) Department of the Army Standard field manual for solving monoalphabetic and polyalphabetic systems. 363-page PDF
DoD 5200.28-STD: Trusted Computer System Evaluation Criteria (Orange Book) Department of Defense The 1985 "Bible" of secure systems. Defined the A1 through D levels of computer trustworthiness. 116-page PDF
NCSC-TG-005: Trusted Network Interpretation (Red Book) National Computer Security Center The 1987 extension of the Orange Book for networks; introduces cryptographic separation concepts. 299-page PDF
From the Ground Up: American Cryptology during World War I Betsy Rohaly Smoot, National Security Agency, Center for Cryptologic History, Series II: World War I, Volume 2 (2023) Author's Note: When I came to work in the Center for Cryptologic History in 2007, I was surprised to find that there was no complete written account of American cryptology in World War I. I was disappointed with the few books available on the subject, and I vowed to produce a book that would better explain the subject for both practitioners of SIGINT and the public—that is, the book I had hoped to read. This book, however, is not exhaustive; there are still more details available in the records of these organizations, and I encourage others to explore the source material to add to the story. 414-page PDF
APPENDIX A: Cryptologists of World War I: From the Ground Up: American Cryptology during World War I Betsy Rohaly Smoot (2023) The human factor—the elusive “right stuff” in abilities, background, and personality—played a role in the selection of personnel for American cryptologic work during World War I. These people have been mostly anonymous to us, and we know very little about many of them except for some basic details of their birth and death. Few of the hundreds wrote of their experience and few were remembered in print by others. Approximately 650 men would serve with the American Expeditionary Forces (AEF) in cryptologic positions; about 450 men (and women) would serve in such positions in the United States. These workers came from across the United States—academics, lawyers, businessmen, clerks, engineers, telegraphers, and others. They were old and young, coming from well-established careers and just starting out in life. Some of the men recruited for the technical work of signal collection were already serving in the army or were in the Signal Corps reserve, but far more were working in the commercial telephone and telegraph industry. Radio was the “cyber” of 1917. The technology was new, and amateur radio buffs were the smart young (and not so young) geeks of that time. 92-page PDF
Origins of the Navajo Code Talkers Years after the Pacific War, the world would learn of the courage and bravery of a dedicated group of Navajo Indians who provided a priceless advantage to their country at a crucial time. They would come to be known as the "Code Talkers." This is the story of how they came to be and the vital role they played in helping thousands of Marines to return home at war's end. 2-page PDF
Secret Messengers: Disseminating SIGINT in the Second World War: The Story of the British SLUs and American SSOs Dr. David Abrutat, GCHQ Departmental Historian & Dr. David Hatch, NSA Historian, Center for Cryptologic History (2025) It has been over a century since cryptologic cooperation began between the United States and Great Britain, and that relationship has indeed been special even before the American entry into World War II. The closeness of that bond extends to our respective history programs: the Center for Cryptologic History at NSA and the Departmental History office at GCHQ. Secret Messengers represents a key milestone. It is the first instance where we have joined hands to formally publish any aspect of our combined history. I believe that it is the first of many more to come. 62-page PDF
Sharing the Burden: Women in Cryptology during World War II Jennifer Wilcox, National Security Agency, Center for Cryptologic History, Printed 2018, Reprinted 2013 Women who joined the military relieved men by working in noncombatant positions. Cryptography was one of the most vital of these “sit-down” jobs. The Army and Navy had sizeable cryptographic offices; however, even they were small compared to their eventual size at the height of the war. The Army’s Signal Intelligence Service had 331 people, military and civilian, when Pearl Harbor was attacked on December 7, 1941. The Navy’s communications security section (OP-20-G) had 730 people, Navy personnel and civilians who worked in radio intelligence, cryptography, and security. Their work involved cryptanalysis, cryptographic development and security, and laboratory work for photographic services and special inks. The SIS worked closely with the Second Signal Service Battalion, which provided radio intelligence. Only those women meeting higher qualifications were admitted into cryptologic work. Women in the Army had to meet officer qualifications, as well as have strong mathematics or language skills. The Navy competed with the Army for women with similar qualifications and offered officer status for cryptographers. However, both services placed a higher value on a woman’s integrity than on her skills. A woman with the right qualifications, but not trained in cryptography, could learn the skills. But a woman whose loyalty was in question, no matter how qualified, could not be selected for this highly classified work. 25-page PDF
The Invisible Cryptologists: African-Americans, WWII-1956 Jeannette Williams with Yolande Dickerson, Researcher, National Security Agency, Center for Cryptologic History (Revised Edition 2024) The Center for Cryptologic History celebrates Black History Month 2024 with a revised edition of the groundbreaking book, The Invisible Cryptologists: African Americans, WWII to 1956. When originally published, Invisible Cryptologists became the seminal work on early African American contributions to the field of cryptology. Future generations of NSA employees will be able to learn about the experiences of these pioneers with the release of this revised edition. As a reflection of America’s broader story, the accounts of the first African American employees at NSA reveal the systemic challenges our predecessors confronted. These trailblazers joined the cryptologic field during a time when Jim Crow laws governed the District of Columbia and the intelligence apparatus was segregated. Not only did these cryptologic pioneers face outright discrimination outside of work, but their work opportunities were limited and their professional advancement stifled. 68-page PDF
German Cipher Machines of World War II David P. Mowry, National Security Agency, Center for Cryptologic History (Revised Edition 2014) Along with breaking the Japanese diplomatic cryptosystem usually referred to as “PURPLE,” probably the greatest example of Allied cryptanalytic success in World War II was the breaking of the German ENIGMA machine. This cryptodevice was used by all of the German armed forces as the primary cryptosystem for all units below Army level or the equivalent. As D-Day approached, other German cryptodevices, the SZ-42 and the various T-52 machines, assumed great importance since they were used by the higher commands of the German armed forces. Many references to these German machines in the histories fail to provide information on what they looked like or how they worked. Another group of cryptodevices, those invented by Fritz Menzer for the Abwehr (Counterintelligence), have received little or no notice in the literature and are unknown to the public. This brochure is an attempt to remedy both lacks. 36-page PDF
Pearl Harbor Revisited: United States Navy Communications Intelligence 1924-1941 (Series IV: World War II | Volume 6) Frederick D. Parker, National Security Agency, Center for Cryptologic History (Third Edition 2013) Mr. Parker’s monograph is the first in a series treating the U.S. Navy’s communications intelligence (COMINT) efforts in the Pacific during World War II. A second volume, also by Mr. Parker (A Priceless Advantage: U.S. Navy Communications Intelligence and the Battles of Coral Sea, Midway, and the Aleutians), was recently published. 93-page PDF
A Priceless Advantage: U.S. Navy Communications Intelligence and the Battles of Coral Sea, Midway and the Aleutians Frederick D. Parker, National Security Agency, Center for Cryptologic History, Reissued 2017 with a new introduction The Center for Cryptologic History is pleased to reissue one of its earliest works, Fred Parker’s 1993 study, A Priceless Advantage: U.S. Navy Communications Intelligence and the Battles of Coral Sea, Midway, and the Aleutians, to commemorate the 75th anniversary of these important World War II battles. This is the second time that CCH has chosen to reprint it, the last being in 2011. While the layout and design of the previous edition were in need of a refresh, Mr. Parker’s research and writing stand the test of time.
As NSA Historians Henry Shorreck and David Hatch have noted in the previous introductions to this work, Mr. Parker’s real talent was his ability to connect the far-flung cryptologic threads leading to Coral Sea and Midway in a way that had not been done earlier. Prior to this work, World War II histories, when they talked about cryptology at all, tended to focus upon its impact to a particular battle or event. Mr. Parker’s monograph brilliantly paints a picture of the meticulous work performed by cryptologists in Hawaii, Washington, DC, and elsewhere, and how they provided Admiral Nimitz with this “priceless advantage.” While these cryptologic efforts paid obvious rewards with respect to the outcome at Midway, Mr. Parker also pays particular homage to how groundbreaking this work was in the months preceding the Coral Sea engagement. Furthermore, his treatment of the attack on the Aleutian Islands, often neglected, is fascinating.
96-page PDF
The Battle of Midway How Cryptology enabled the United States to turn the tide in the Pacific War. Patrick D. Weadon The Breaking of JN-25 (Japanese Code)
Breaking the Japanese code known to Americans as JN-25 was daunting. It consisted of approximately 45,000 five-digit numbers, each number representing a word or phrase. For transmission, the five-digit numbers were super-enciphered using an additive table. Breaking the code meant using mathematical analysis to strip off the additive, then analyzing usage patterns over time, determining the meaning of the five-digit numbers. This complex process presented a challenge to the officers and men of Station Hypo, but Rochefort and his staff were able to make progress because the system called for the repetitive use of the additive tables.
AF Is Short of Water
In an effort to alleviate any doubt, in mid-May the commanding officer of the Midway installation was instructed to send a message in the clear indicating that the installation's water distillation plant had suffered serious damage and that fresh water was needed immediately. Shortly after the transmission, an intercepted Japanese intelligence report indicated that "AF is short of water." Armed with this information, Nimitz began to draw up plans to move his carriers to a point northeast of Midway where they would lie in wait. Once positioned, they could stage a potentially decisive nautical ambush of Yamamoto's massive armada.
3-page PDF
American Signal Intelligence in Northwest Africa and Western Europe (Series IV World War II Volume 1) (2010) George F. Howe, National Security Agency Dr. Howe’s book deals primarily with organizational matters for providing SIGINT support in combat. Thus, the reader will not find stories of high-level cryptanalysis underlying big decisions by famous leaders. In my estimation, by concentrating on the less flashy aspects of wartime support in favor of the background work, Dr. Howe has again added a dimension of great worth to our knowledge of SIGINT and of the war. Since the distribution of ULTRA was limited to a small number of officers and civilian leaders, the bulk of SIGINT support to the warfighter came from tactical SIGINT units working at or near the front lines. Dr. Howe has restored to us essential details about the organization, maintenance, deployment, and service of the military cryptologic units that undergirded the ULTRA effort and supported combat forces directly. 278-page PDF
West Wind Clear: Cryptology and the Winds Message Controversy - A Documentary History Robert J. Hanyok and David P. Mowry, National Security Agency, Center for Cryptologic History (2008) In the seemingly never-ending debate over the 7 December 1941 Japanese attack on Pearl Harbor, one of the significant topics of contention pressed by some revisionist and conspiracy writers, historians, and critics of the conventional view of the attack and the Roosevelt administration’s role in it has been the phenomenon of the so-called “Winds Message” (hereafter referred to as Winds message). In the years after World War II, several writers and scholars and a few politicians espoused the position that this message was a clear warning that the Japanese were going to attack the U.S. fleet at Pearl Harbor. They have also argued that, beyond the simple fact of the occurrence of the Winds message, the contents and importance of this message had been revealed to senior American civilian and military leaders. They have contended further that the failure by Washington to warn the army and naval commands at Pearl Harbor, even though the former had intercepted the warning, made the ensuing calamitous attack inevitable. After the attack, the claims continue, high-level government officials participated in, or oversaw, a destruction of the evidence that such a warning had been received. The two commanders in Hawaii at the time, Admiral Husband Kimmel and Lieutenant General Walter Short, both claimed in later statements during their testimony before the Joint Congressional Committee reviewing the attack that if they had had knowledge of the Winds message they could have prepared for an attack. To some adherents of this claim, the Winds message had acquired a near mythic status within the larger controversy over Pearl Harbor. 352-page PDF
Eavesdropping on Hell: Historical Guide to Western Communications Intelligence and the Holocaust 1939-1945 Robert J. Hanyok, National Security Agency, Center for Cryptologic History Even with the releases of the 1990s, the U.S. government still held back significant collections of U.S. government records about the Holocaust. But the remaining wartime records, and those from the postwar period that relate to the Holocaust and to Nazi and other Axis power war crimes will soon be declassified and released thanks to the efforts of the United States Interagency Working Group on Nazi War Crimes (IWG). Established in January 1999 in accordance with the Nazi War Crimes Disclosure Act (P.L. 105-246), the IWG was charged with locating, inventorying, and recommending for declassification all classified Nazi war criminal records held by the United States government. The act was amended in 2000 to include declassification of U.S. government records pertaining to Japanese war crimes and war criminals. Many of the records that were released under the aegis of the Disclosure Act were from U.S. intelligence agencies. Hopefully, the release of these records will help dispel those claims and charges made over the years by some scholars and Holocaust survivors that “there had to be more records” or that the intelligence agencies were “holding back records.” 172-page PDF
Cryptologic Aspects of German Intelligence Activities in South America during World War II (Series IV World War II Volume 11) David P. Mowry, National Security Agency, Center for Cryptologic History (2011) This is the first of a two-part history of German clandestine activities in South America in World War II. In this first volume, the author, Mr. David Mowry, identifies and presents a thorough account of German intelligence organizations engaged in clandestine work in South America, and a well-researched, detailed report of the U.S. response to the perceived threat. This perception was, as Mr. Mowry alludes to in his conclusions, far greater than any actual danger. Mr. Mowry’s conclusions, in general, are somewhat understated. It seems fairly clear from the evidence that the Germans never expected a great deal from their agents in South America or even in the United States in World War II. 104-page PDF
American Cryptology: Two Centuries of Tradition National Security Agency: History and Publications Staff Although the National Security Agency is only thirty years old (established by order of President Harry S. Truman in 1952), the functions it performs have been part of human history for thousands of years. The need to safeguard one's own communications while attempting to produce intelligence from foreign communications has long been a recognized part of governmental activity. In the American experience, cryptologic efforts can be traced to the very beginnings of the American nation. George Washington employed Elbridge Gerry (later Vice President of the United States) to solve the suspected cryptograms of a Tory spy, Dr. Benjamin Church. Thomas Jefferson included the making of codes and ciphers among his many interests, putting his efforts to use in both private correspondence and public business. One of his inventions, the cipher wheel, has been described as being in "the front rank" of cryptologic inventions. 4-page PDF
Revolutionary Secrets: The Secret Communications of the American Revolution Jennifer Wilcox, National Security Agency: Center for Cryptologic History (2012) Communication plays an important role in both a country’s diplomacy and its wars. Keeping those communications secret and understanding the adversary’s communications can make the crucial difference in a leader’s actions and abilities. At the time of the American Revolution, both the British commanders and the American rebels practiced a variety of methods to keep their written communications secret. Both turned to invisible inks, hidden messages, and secret writing in the form of ciphers and codes. 57-page PDF
Masked Dispatches: Cryptograms and Cryptology in American History, 1775–1900 Ralph E. Weber, National Security Agency: Center for Cryptologic History (2013) Foreword: This is an examination of codes and ciphers as they figured in American history prior to the twentieth century, prior to the era of wireless or radio communication and the advent of the electronic age. It forms a backdrop for understanding modern cryptology and the role of cryptology (notwithstanding its traditional secrecy) in the growth of this nation. Our guide is Dr. Ralph E. Weber of Marquette University, whose 1979 United States Diplomatic Codes and Ciphers, 1775–1938 (Chicago: Precedent Publishing) established him in the forefront of students of this arcane subject. Cryptology—the art and science of code-making (cryptography) and code-breaking (cryptanalysis)—depends on the prevailing state of technology and the perception of threat:
  • Technology determines the means of communications. Technology also provides the means for protecting and the means of exploiting intercepted communications.
  • Perception of threat depends upon a number of considerations, such as the estimated degree of risk, or the damage that might occur, should an unintended recipient become privy to the contents of the communication.
222-page PDF
Listening to the Rumrunners: Radio Intelligence during Prohibition David P. Mowry, National Security Agency: Center for Cryptologic History (2014) Most Americans are aware of the era of lawlessness in this country that began with the passage of the Eighteenth Amendment to the Constitution in 1919. The institution of Prohibition brought with it major law enforcement problems, whose effects continue to be felt today. Few people, however, are aware of the major role played by communications intelligence in the enforcement of the Prohibition laws. The files of the United States Coast Guard (USCG) and the Federal Communications Commission (FCC), including the files of the Radio Division of the Department of Commerce, show that radio was used on a large scale in connection with rum-running activities. The radio operations of the rum-running organizations were, in fact, comparable in size, technical skill, and organization with the radio operation that would be conducted by enemy agents in World War II. 44-page PDF
The Voynich Manuscript: An Elegant Enigma M. E. D'Imperio (1978) The fact remains that in spite of all the papers that others have written about the manuscript, there is, to my knowledge, no complete survey of all the approaches, ideas, background information and analytic studies that have accumulated over the nearly fifty-five years since the manuscript was discovered by Wilfrid M. Voynich in 1912. Most of the papers have been written either to advance or to refute a particular theory, providing in passing a brief glance at others' efforts, primarily to sweep them out of the way. 141-page PDF
The Cipher Disk This simple device has a distinguished history. Ever since its first invention it has been repeatedly re-invented in forms only slightly different from the original. Its story shows that man has sought to put the wheel to use in secret communications wherever possible, even as he also does in mechanics. As invented in Italy sometime before 1470, it had similar concentric disks with the exception that one contained a "mixed" (scrambled) alphabet. Also, in some of the earlier versions, one of the two alphabets was composed of arbitrary symbols in lieu of conventional characters. The appeal of the disk lay in the fact that with it, encipherment and decipherment could be performed without carrying bulky or compromising written materials. The cipher disk came into large-scale use in the United States for the first time in the Civil War. The Federals' Chief Signal Officer patented a version of it, very similar to the original Italian disk, for use in flag signaling. Since his flag stations were within the view of Confederate signalmen as often as not, he prescribed frequent changes of setting. About a half-century later the U.S. Army adopted a simplified version, very similar to this device, in which one alphabet was "standard" and the other "reverse-standard." Although technically this was a step backward, there were compensating advantages since the regularity of the alphabets tended to reduce error. During the period of the First World War and for several years afterward, the Army issued the disk in this form to units that needed a cipher which could be carried and used easily and which would give a few hours' protection to tactical messages. In using this device you could leave the two disks in the same setting for an entire message, thus producing the simplest possible cryptogram. Or their setting could be changed with every letter of the message, and if the pattern of the setting changes were complex enough, you would have an extremely secure cipher. 3-page PDF

NSA Vietnam

Additional Information
Title | Access
Spartans in Darkness: American SIGINT and the Indochina War, 1945-1975 Declassified and approved for release by NSA on 21 December 2007. The Vietnam War has been the subject of countless memoirs, histories, and adventure tales, yet a critical aspect of the war has been lacking in what has been written so far. Even monographs on the role of intelligence in the war do not treat the signals intelligence (SIGINT) and information systems security (INFOSEC) aspects of the war, or do so only in the most superficial ways. Robert Hanyok's meticulously researched and richly detailed history of cryptology in the Vietnam War fills this void. It provides a grand perspective of these most secret aspects of the war, and answers many of the questions historians ask about it. 522-page PDF
PURPLE DRAGON: The Origin and Development of the United States OPSEC Program (Series VI The NSA Period Volume 2) Operations Security (OPSEC) as a concept is probably as old as war itself. Nevertheless, the fact that poor OPSEC practices have been costly in loss of human life and lost objectives in every American war demonstrates that, despite its venerated age, Operations Security as a doctrine needs to be learned afresh by each generation. It is imperative that those with responsibility for military activities understand that observation of Operations Security principles is as essential an ingredient to victory as any of the other tools of war. To the extent possible, these lessons should be learned in peacetime -- experience in recent conflicts shows there is unlikely to be a period of grace once a military emergency occurs and troops are committed to combat. <redacted> in PURPLE DRAGON: The Origin and Development of the United States OPSEC Program has given us a superb monograph about the genesis of Operations Security during the Vietnam War. 106-page PDF
Working Against the Tide (COMSEC Monitoring and Analysis): Part One by: Hiram M. Wolfe, III, ASA; Raymond P. Schmidt, NAVSECGRU; Thomas N. Thompson, AFSS; June 1970
Important as it is in peacetime, communications security becomes even more important in wartime. Ultimately, we must reckon wartime failure to secure communications against a background of U.S. casualties and of battles won and lost. As it did in World War II and the Korean War, the United States in Southeast Asia has failed to provide communications security of a sufficiently high degree to deny tactical advantages to the enemy. Once more the United States has lost men and materiel as a result. Working Against the Tide is the story of the attempts of U.S. COMSEC monitors and analysts to bring security to the voluminous wartime communications. As the title suggests, it is not a success story. It outlines, instead, the problems confronting COMSEC specialists in dealing with communication-prone Americans at all levels of command. It gives insight into and documentation for the damage done to the United States and her allies as the enemy's SIGINT organization capitalized on American laxity in communications security. The story describes the technology applied in Southeast Asia to overcome COMSEC deficiencies and the manner in which that technology evolved during the war, particularly as monitoring adapted to a new methodology termed COMSEC surveillance. It further tells of U.S. attempts to apply monitoring knowledge in communications cover and deception operations against the enemy. The volume contains, finally, useful lessons for all who must communicate in wartime.
193-page PDF
Southeast Asia: In the Shadow of War (to the Gulf of Tonkin) by William D. Gerhard, June 1969.
The publication of this volume marks the inauguration of a series that will tell the story of the cryptologic community in the Vietnam War. The series began as a result of a proposal, made to me in the spring of 1967 by Maj. Gen. Charles J. Denholm, CGUSASA, that a NSA-SCA team be formed to prepare a complete, historical documentation of SIGINT operations in support of U.S. military operations in Southeast Asia. After Rear Adm. Ralph E. Cook, COMNAVSECGRU, and Maj. Gen. Louis E. Coira, CUSAFSS, gave me their views on and concurrence in the proposed work, I asked the chief of my Reporting and Information Element, <redacted> to assume responsibility for the project. To my mind, the NSA-SCA team's first offering, In the Shadow of War, well launches the project by documenting our joint involvement in Southeast Asia <redacted>. -- Marshall S. Carter, Lieutenant General, U.S. Army, Director, NSA
162-page PDF
The History of Traffic Analysis: World War I - Vietnam by Donald A. Borrmann, William T. Kvetkas, Charles V. Brown, Michael J. Flatley, and Robert Hunt. Center for Cryptologic History, National Security Agency 2013 60-page PDF
Essential Matters: A History of the Cryptographic Branch of the People's Army of Viet Nam, 1945-1975, with Supplement on Cryptography in the Border Guard, 1959-1989 by David W. Gaddy, Center for Cryptologic History, National Security Agency 1994, Reprinted 2017. Gaddy came to NSA as a new college graduate in 1953. Without telling him anything about the prospective job, the NSA recruiter mysteriously asked him if he liked puzzles or chess. Gaddy was soon offered a position and began his career at Arlington Hall, Virginia. After six months of language training, he was assigned to the division that targeted the Viet Minh, the Vietnamese communist resistance to the French and then the Americans. Decades later, he would recall the difficulty of the Vietnamese language in an oral history. There were no Vietnamese-English dictionaries in the early 1950s. NSA linguists in search of meaning had to initially look up words in a Vietnamese-French dictionary, then consult a French-English dictionary. 182-page PDF

NSA Secure Voice Communications

Title | Author | Description | Access
SIGSALY Story Patrick D. Weadon Efforts to create a secure voice system had existed since the 1920s. Some progress had been made, but as with the A-3, no device was able to offer complete security. In the early 1940's however, the situation began to improve. Bell Telephone Laboratories, under the direction of A. B. Clark (who later headed up the research and development effort at the fledgling NSA), and assisted by British mathematician Alan Turing, began work on what would become known as "the Green Hornet." The design of the system was based on earlier 1930s-era research on the transforming of voice signals into digital data. The device earned the nickname for the buzzing noise heard by someone attempting to eavesdrop on the conversation. The "buzz" closely resembled the theme song of the popular serial radio show of the time that went by the same title. In time, however, it acquired the more formal moniker of SIGSALY.
The device's success in protecting voice communications was due to a new development known as "pulse code modulation," the predecessor of such present-day innovations as digital voice, data and video transmission. It also was one of the earliest applications of spread spectrum technology, which was key to its effective operation. The U.S. Army awarded the first contract for the device in 1942; formal deployment followed in 1943. The SIGSALY terminal was massive. Consisting of 40 racks of equipment, it weighed over 50 tons, and featured two turntables which were synchronized on both the sending and the receiving end by an agreed upon timing signal from the U.S. Naval Observatory.
5-page PDF
The Start of the Digital Revolution: SIGSALY Secure Digital Voice Communications in World War II J.V. Boone and R.R. Peterson, National Security Agency, Center for Cryptologic History (2000) This contains a more detailed explanation of the engineering aspects of SIGSALY (than the 5-page document above). A 1983 review of this remarkable system for the Institute of Electrical and Electronic Engineers (IEEE) attributes no fewer than eight "firsts" to SIGSALY. They are as follows:
1) The first realization of enciphered telephony
2) The first quantized speech transmission
3) The first transmission of speech by Pulse Code Modulation (PCM)
4) The first use of companded PCM
5) The first examples of multilevel Frequency Shift Keying (FSK)
6) The first useful realization of speech bandwidth compression
7) The first use of FSK - FDM (Frequency Shift Keying-Frequency Division Multiplex) as a viable transmission method over a fading medium
8) The first use of a multilevel "eye pattern" to adjust the sampling intervals (a new, and important, instrumentation technique)
24-page PDF
A History of Secure Voice Coding: Insights Drawn from the Career of One of the Earliest Practitioners of the Art of Speech Coding JOSEPH P. CAMPBELL, JR., and RICHARD A. DEAN From Page 1: "Thomas E. Tremain was the U.S. government’s senior speech scientist. He was a recognized leader and an expert in speech science. Tom’s work spanned five decades of state-of-the-art modem and speech coding innovations that are the basis of virtually every U.S. and NATO modem and speech coding standard. His efforts have been critical to U.S. and NATO tactical and strategic secure communications programs."
From page 2: "Tom’s most significant contribution to voice coding was in seeing the possibilities of digital signal processing for voice. In an era when the state of the art was analog tuned circuits, Tom imagined a change to computer-based processing of speech – a radical shift in thinking. Tom pioneered this new approach, again collaborating with Bell Labs, to develop the Linear Predictive Coding (LPC) generation of voice coders. Tom’s predecessors and contemporaries never quite understood how the deck of punched cards he carried down the hall to a Honeywell computer was ever going to result in a vocoder. Tom developed the subtle techniques necessary to load and invert a matrix in real time in the fixed-point arithmetic necessary for such an operation."
7-page PDF
Rebuilding a Piece of the First Digital Voice Scrambler This 1943 analog-to-digital converter helped make an unbreakable code Jon D. Paul, in IEEE Spectrum, January 25, 2019 In the years before World War II, German intelligence could decode band-scrambled U.S. radiotelephone conferences. After Pearl Harbor, an unbreakable speech scrambler was developed with top priority, and by 1943, it was deployed. Known as SIGSALY, the device pioneered many advances critical to modern digital media technologies, including spread-spectrum communications and the first use of pulse-code modulation (PCM) to transmit speech.
 
SIGSALY was top secret, so even today information about the details of its construction are hard to come by. I’ve spent 20 years researching the history of digital technology and digital media, especially SIGSALY. I searched IEEE and U.S. National Security Agency (NSA) journals, and Bell Telephone Laboratories patents. Finally, I found Lieut. Donald Mehl, a WWII SIGSALY technician, who gave me invaluable assistance. In 2015, I realized that it might be possible to re-create a key element of SIGSALY—the quantizer—using vintage parts.
 
SIGSALY was unbreakable because, unlike earlier analog systems, it scrambled voices by using a one-time random digital encryption key. Before a digital key can be applied, a speaker’s voice must first be converted from analog to digital, thus the quantizer.
IEEE Link
SIGSALY Analog-to-Digital Converter Construction and Debugging Unexpected interactions forced design fixes Jon D. Paul, in IEEE Spectrum, January 25, 2019 Circuits that use tube electronics like thyratrons can be alien to engineers raised in the solid-state era. For example, these circuits require high voltages to operate, and power must be supplied to heat filaments. This complicates design, construction, and debugging. But if you want to understand how electrical engineers got it done before semiconductors became ubiquitous, then taking the plunge into the world of tubes can be very educational. This supplement to my February Hands On article contains additional information about how I re-created the SIGSALY analog-to-digital converter—and actually got it working. IEEE Link
Fishbowl (secure phone) Quoting Wikipedia: Fishbowl is a mobile phone architecture developed by the U.S. National Security Agency (NSA) to provide a secure Voice over IP (VoIP) capability using commercial grade products that can be approved to communicate classified information. It is the first phase of NSA's Enterprise Mobility Architecture. According to a presentation at the 2012 RSA Conference by Margaret Salter, a Technical Director in the Information Assurance Directorate, "The plan was to buy commercial components, layer them together and get a secure solution. It uses solely commercial infrastructure to protect classified data." Government employees were reportedly testing 100 of the phones as of the announcement.[1]
 
The initial version was implemented using Google's Android operating system, modified to ensure central control of the phone's configuration at all times.
 
To minimize the chance of compromise, the phones use two layers of encryption protocols, IPsec and Secure Real-time Transport Protocol (SRTP), and employ NSA's Suite B encryption and authentication algorithms.
 
The phones are locked down in many ways. While they use commercial wireless channels, all communications must be sent through an enterprise-managed server. No direct voice calls are allowed, except for 9-1-1 emergency calls. Only NSA approved applications from the NSA enterprise app store can be installed. NSA has published a 100-page overview specification for the Mobility Capability Package.[2] In tandem with the Capability Package there are a series of Protection Profiles.[3] These Protection Profiles list out the requirements a commercial product must meet to be used in the mobile phone architecture.
Wikipedia
Grokipedia
42-page PDF (DTIC)
Mobile Access Capability Package (version 2.1) This Commercial Solutions for Classified (CSfC) Capability Package (CP) describes how to protect classified data (including Voice and Video) in Mobile Access Solutions transiting Wired Networks, Domestic Cellular Networks, and Wireless Networks to include Government Private Cellular Networks and Government Private Wi-Fi networks. Version 2.1 - 26 June 2018 116-page PDF
COMMERCIAL SOLUTIONS for CLASSIFIED (CSfC) Mobile Access Capability Package 2.7.0 The Commercial Solutions for Classified (CSfC) Program within the National Security Agency’s (NSA) Cybersecurity Directorate (CSD) publishes Capability Packages (CPs) to provide configurations that empower NSA customers to implement secure solutions using independent, layered Commercial Off-the-Shelf (COTS) products. The CPs are product-neutral and describe system-level solution frameworks documenting security and configuration requirements for customers and/or Integrators.
 
The NSA delivers this CSfC Mobile Access (MA) CP to meet the demand for mobile data in transit solutions (including Voice and Video) using approved cryptographic algorithms and National Information Assurance Partnership (NIAP) evaluated components. These algorithms, known as the Commercial National Security Algorithm (CNSA) suite, are used to protect classified data using layers of COTS products. In MA CP Version 2.1 and future versions, the Key Management Requirements have been relocated from this CP to a separate CSfC Key Management Requirements Annex. MA CP Version 2.7.0 takes lessons learned from solution support, a testing environment, and a CSfC Initial Solution that implemented secure voice and data capabilities using the CNSA suite, modes of operation, standards, and protocols.
128-page PDF

NSA - Snowden

Title | Description | Access
Edward Snowden written responses to questions by members of the European Parliament, March 2014 12-page PDF
Link
A Crisis of Accountability: A global analysis of the impact of the Snowden revelations (June 2014) The Snowden disclosures have triggered a noticeable shift in thinking across the world toward increased awareness of the importance of accountability, transparency and the rule of law with regard to both the activities of security agencies and the value of privacy. This shift - in many parts of the world - has empowered civil society, created a resurgence of interest in legal protections and sensitised media to key issues that have hitherto escaped public scrutiny at any substantial level. 78-page PDF
EFF: Bullrun / SIGINT Enabling: The "Black Budget" description of the project to influence/weaken commercial encryption. Quoting text from this document:
  • "(TS//SI//REL TO USA, FVEY) Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets."
  • "Continue relationships with commercial IT partners and capitalize on new opportunities, including the enabling of cryptography used by the [redacted] governments; enable the encryption being used in a high interest satellite signal, which allows access to the communications being carried on a commercial satellite provider."
  • "(TS//SI//REL TO USA, FVEY) Make gains in enabling decryption and Computer Network Exploitation (CNE) access to fourth generation/Long Term Evolution (4G/LTE) networks via enabling. [CCP 00009]"
  • "(TS//SI//NF) Shape the worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS. [CCP_00090]"
3-page PDF
GCHQ Briefing on the Bullrun Program An internal briefing explaining the "fragile" nature of their decryption capabilities.
"The ability to exploit targets' encrypted communications is extremely fragile and is often enabled through sensitive ECI programmes. The need to take additional measures to protect that capability has been recognised. Currently, virtually all decryption is carried out by PTD [redacted] processing with decrypts going to the liB in the NOCON Col; some decrypts are placed in the ENDUE Col due to the sensitivity or fragility of the exploitation capability."
"To achieve this, NSA has introduced the BULLRUN Col to protect our abilities to defeat the encryption used in network communication technologies. This covers both the "fact of" a capability against a specific technology and resulting decrypts (which may be either plaintext or metadata (events). GCHQ is also introducing BULLRUN. (CSEC, DSD and GCSB are expected to do likewise.)"
4-page PDF
Der Spiegel, 29 December 2013: Tailored Access Operations (TAO) The "Spy Catalog" of hardware implants for intercepting iPhones, servers, and routers. From page 3: "COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware implant which will provide a wireless bridge into a target network, as well as the ability to load exploit software onto target PC's." 3-page PDF
SURVEILLE Paper on Mass Surveillance by the National Security Agency (NSA) of the United States of America Contents
1. Introduction
2. Piecemeal information on NSA mass surveillance
3. A brief word on spying
4. Structure of the Internet
5. U.S. as Internet Hub
6. NSA surveillance technologies
6.1 Cable tapping
6.2 PRISM
6.3 Decryption, or circumventing encryption
6.3.a Defeating encryption
6.3.b FOXACID
6.4 Analysis tools and databases
7. Conclusion
31-page PDF
The Guardian: NSA Prism program slides Prism, according to the Snowden documents, is the biggest single contributor to the NSA's intelligence reports. As a 'downstream' program, it collects data from Google, Facebook, Apple and others. 11-page PDF
ACLU: The 2013 Top Secret court order forcing Verizon to hand over daily phone metadata. FISA (Foreign Intelligence Surveillance Act of 1978) Section 215 Primary Order (partially redacted) 17-page PDF
EFF: XKeyscore Presentation The full 32-slide training deck for the tool that searches "nearly everything" online. 32-page PDF
The Guardian: Boundless Informant NSA explainer: full document text: This is a 3-page FAQ 3-page PDF
ACLU: UPSTREAM Powerpoint Slide Primary training slide showing how the NSA taps fiber-optic cables (trans-oceanic fiber cables) as data "flows past." 1-page PDF
EPIC: Dates when PRISM Collection began for each Provider (Microsoft, Yahoo, Google, Facebook, YouTube, Skype, AOL, Apple) 3-page PDF
Coalition Letter to NIST (and The President, and Office of Science and Technology Policy, and Commerce Dept.) November 20, 2014.
We, the undersigned companies and civil society organizations, are writing to re-emphasize the importance of creating a process for establishing secure and resilient encryption standards, free from back doors or other known vulnerabilities. NIST is currently preparing the final version of its Cryptographic Standards and Guidelines Development Process. In order to restore trust and re-commit itself to the promotion of innovation and industrial competitiveness, NIST must make a strong statement ensuring independence, security, and integrity. Below we renew our initial recommendations for the finalization of this document, add additional recommendations in support of an open and accountable NIST, and call on NIST to conduct outreach with members of civil society and privacy experts to establish an ongoing dialogue on these important matters.
 
In September 2013, the public learned that the National Security Agency (NSA) abused its consultative authority with NIST to artificially lower encryption standards. In the wake of these revelations, civil society has repeatedly called on NIST to increase transparency and accountability in its encryption standards-setting process. These activities by the NSA have already had a measurable impact on the U.S. economy and have resulted in the global distrust of U.S.-led encryption standards.3 While we commend you on the progress made so far, we urge that much more must be done to restore the public’s trust in the agency and to ensure that secure communications tools and technologies are built on solid foundations.
5-page PDF
Coalition Letter to The President May 19, 2015.
We the undersigned represent a wide variety of civil society organizations dedicated to protecting civil liberties, human rights, and innovation online, as well as technology companies, trade associations, and security and policy experts. We are writing today to respond to recent statements by some Administration officials regarding the deployment of strong encryption technology in the devices and services offered by the U.S. technology industry. Those officials have suggested that American companies should refrain from providing any products that are secured by encryption, unless those companies also weaken their security in order to maintain the capability to decrypt their customers’ data at the government’s request. Some officials have gone so far as to suggest that Congress should act to ban such products or mandate such capabilities.
 
We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.
6-page PDF
U.S. House of Representative Permanent Select Committee on Intelligence (HPSCI) Review of the Unauthorized Disclosures of Former National Security Agency Contractor Edward Snowden September 15, 2016. Original markings: TOP SECRET//HCS-O-P/SI-G/TK//ORCON/NOFORN (partially redacted) 38-page PDF
Privacy and Civil Liberties Oversight Board (PCLOB) Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act JULY 2, 2014 To balance the HPSCI (pro-intelligence) perspective, the PCLOB Section 702 Report is the definitive legal and privacy-focused counter-weight. The "Gold Standard" independent analysis of the PRISM program’s legality and privacy impact. 196-page PDF
Unclassified Report on the President's Surveillance Program (July 10, 2009) Prepared by the Offices of Inspectors General (OIG) of the: Department Of Defense, Department Of Justice, Central Intelligence Agency, National Security Agency, Office Of The Director Of National Intelligence. From page 6: "The Department of Justice's Office of Legal Counsel reviewed this information to assess whether there was "a sufficient factual basis demonstrating a threat of terrorist attacks in the United States for it to continue to be reasonable under the standards of the Fourth Amendment for the President to [continue] to authorize the warrantless searches involved" in the program." 43-page PDF
Surreptitiously Weakening Cryptographic Systems Written by: Bruce Schneier, Matthew Fredrikson, Tadayoshi Kohno, Thomas Ristenpart (2015)
Abstract: Revelations over the past couple of years highlight the importance of understanding malicious and surreptitious weakening of cryptographic systems. We provide an overview of this domain, using a number of historical examples to drive development of a weaknesses taxonomy. This allows comparing different approaches to sabotage. We categorize a broader set of potential avenues for weakening systems using this taxonomy, and discuss what future research is needed to provide sabotage-resilient cryptography.
26-page PDF

NSA Zero Trust

Title | Date | Description | Access
National Security Agency Cybersecurity Technical Report: Zero Trust Implementation Guideline: Primer January 2026 Executive Summary: Zero Trust (ZT) represents a fundamental enhancement in cybersecurity. Rather than relying on perimeter defenses, ZT emphasizes continuous authentication and authorization of every User/Person Entity (PE), device/Non-Person Entity (NPE), and application, operating under the principles of “never trust, always verify” and “assume breach.” This approach is critical for safeguarding sensitive data, systems, and services against increasingly sophisticated cyber threats. 150-page PDF
National Security Agency Cybersecurity Technical Report: Zero Trust Implementation Guideline: Discovery Phase January 2026 Executive Summary: As mandated by Executive Order (EO) 14028, the United States Government (USG) developed several ZT strategies to achieve ZT. These strategies include frameworks, guidelines, and maturity models designed to assist organizations in implementing ZT. 155-page PDF
Zero Trust Implementation Guideline: Phase One Jan 30, 2026 The National Security Agency (NSA) is releasing Phase One and Phase Two of the Zero Trust Implementation Guidelines (ZIGs) to outline the activities needed to achieve the Department of War (DoW)-defined Target-level Zero Trust (ZT) maturity. Phase One details 36 activities organizations can use to build upon or further refine their environment to establish a secure foundation that supports 30 ZT capabilities specific to this phase. 368-page PDF
Zero Trust Implementation Guideline: Phase Two Jan 30, 2026 The National Security Agency (NSA) is releasing Phase One and Phase Two of the Zero Trust Implementation Guidelines (ZIGs) to outline the activities needed to achieve the Department of War (DoW)-defined Target-level Zero Trust (ZT) maturity. Phase Two details 41 activities that initiate the integration of core ZT solutions within the component environment. These activities enable 34 capabilities specific to this phase. 416-page PDF

NSA Cryptologic History - Special Series

Number | Title | Description | Access
Special Series Number 1 THE JOINT SOBE PROCESSING CENTER, 1961 - 1971, A Brief Overview of a Successful Experiment [redacted] have done a great service to the Agency in putting together this informal history of the Joint Sobe Processing Center. They and all those who contributed to this work should receive a special expression of thanks from all cryptologic professionals -- both those who served with JSPC and those who are here given the opportunity to learn in some detail about this unique experiment. This work is being published as the first volume of the United States Cryptologic History Special Series which will include, in addition to informal histories, special histories that fall outside the province of the formal chronological histories -- such as the history of the Technical Research Ships.
 
The ten year life span of the JSPC was preceded by seven years of discussion, coordination and compromise on the concept of a theater Sigint processing center in the Pacific under the operational control of the Director, NSA. Thus the idea was born not long after the establishment of NSA from the loose confederation of the Armed Forces Security Agency. (additional copy available here.)
45-page PDF
Special Series Number 2 Technical Research Ships, 1956-1969 NSA National Cryptologic School Press
"The record of the Technical Research Ships is an important chapter in U.S. cryptologic history. These seaborne Sigint platforms made unique and highly valuable contributions, posed unusual management and control problems, and were caught in tragic international incidents that hastened the abandonment of the program."
60-page PDF
Special Series Number 3 Space Surveillance SIGINT Program "The Space Surveillance Sigint Program came into existence in the early 1960s when both the United States and the Soviet Union were racing to get satellites launched and were preparing for unmanned and manned exploration of outer space. As with many programs, technology advances at such a rapid rate that policy governing its use is often left far behind. So it was with the SSS program: the capability to exploit signals emanating from foreign space vehicles existed, but a program for managing this collection activity was very much needed." 56-page PDF
Special Series Number 4 Operation REGAL: The Berlin Tunnel Operation REGAL is another volume in the United States Cryptologic History Special Report Series produced by the NSA History and Publications Division. REGAL was the codename for the Berlin Tunnel, a U.S. intelligence community operation conducted during the mid-1950s which was designed to intercept Soviet and East German communications. 34-page PDF
Special Series Number 5 Essential Matters: A History of the Cryptographic Branch of the People's Army of Viet Nam, 1945-1975, with Supplement on Cryptography in the Border Guard, 1959-1989 by David W. Gaddy, Center for Cryptologic History, National Security Agency 1994, Reprinted 2017. Gaddy came to NSA as a new college graduate in 1953. Without telling him anything about the prospective job, the NSA recruiter mysteriously asked him if he liked puzzles or chess. Gaddy was soon offered a position and began his career at Arlington Hall, Virginia. After six months of language training, he was assigned to the division that targeted the Viet Minh, the Vietnamese communist resistance to the French and then the Americans. Decades later, he would recall the difficulty of the Vietnamese language in an oral history. There were no Vietnamese-English dictionaries in the early 1950s. NSA linguists in search of meaning had to initially look up words in a Vietnamese-French dictionary, then consult a French-English dictionary. 182-page PDF
Special Series Number 6 It Wasn't All Magic: The Early Struggle to Automate Cryptanalysis, 1930s-1960s From page 1: "Just as my book was published, I was asked to come to the National Security Agency. One purpose of my year in residence was to see if it was possible to write a complete history of computers at the Agency. The goal was a monograph that covered the entire life of NSA and its predecessors. The thought of finally being able to see the many highly classified documents that had been withheld from me more than balanced the pledge I had to give: I had to promise to refrain from publishing without the approval of NSA’s censors." 359-page PDF
Special Series Number 7 The Dawn of American Cryptology, 1900–1917 By David A. Hatch, National Security Agency: Center for Cryptologic History (2019)
Chapter 1: The Dawn of American Communications Intelligence
Chapter 2: The Baconian Cipher
Chapter 3: The “Hindu Conspiracy” Trials
Chapter 4: The Secret War with Mexico
Chapter 5: The Punitive Expedition
80-page PDF
Special Series Number 8 The Foreign Missile and Space Telemetry Collection Story - The First 50 Years Part One: The 1950s and 1960s By Richard L. Bernard
The primary topic of this document is telemetry collection against foreign missiles, satellites, and space vehicles. All chapters in the document contain information on telemetry collection systems planning, operational targeting, and collection coordination, with some discussion of field processing, national-level processing and analysis, and intelligence results. Emphasis is on Telemetry Intelligence (TELINT), now called Foreign Instrumentation Signals Intelligence (FISINT) collection, with limited mentions of activities in other interrelated "INT's" as necessary to put the TELINT information into proper context. Each chapter (usually a 10-year period) has a table showing significant events, a photograph of each collection site/asset the first time it is discussed, and selected geographic portrayals.
41-page PDF
Special Series Number 9 The Foreign Missile and Space Telemetry Collection Story - The First 50 Years Part Two: The 1970s, 1980s, and 1990s By Richard L. Bernard
Throughout this document the reader may be confused by the fact that identical projects, locations, or missions will have several names. Primarily as a security measure, but often to assign short titles or cover names consistent within a participating organization, different names were assigned to the same effort.
50-page PDF
Special Series Number 10 The Neglected Giant: Agnes Meyer Driscoll Although Agnes May Meyer, later Agnes May Driscoll, was the Navy’s principal cryptanalyst of many years, spent over 40 years in cryptology, became a member of the Cryptologic Hall of Honor, and has principal credit for personally breaking two major codes/ciphers, she was curiously neglected during her career and after. Because she achieved historical significance both as Agnes Meyer and after her marriage, as Agnes Driscoll, historians have referred to her as Agnes Meyer Driscoll. However, there is no evidence this author can discover that she ever used that name herself; all her post-marriage personnel forms are as Agnes May Driscoll. This paper will refer hereafter to her as Meyer before her marriage and Driscoll after. 69-page PDF
Special Series Number 11 Issues in British and American Signals Intelligence 1919-1932 John Ferris, National Security Agency, Center for Cryptologic History. Histories of cryptology often end up a bit skewed. Much of the previous writing on COMINT in those early decades has centered on its military development and on military use. However, COMINT, even from those first years, has been as important in the diplomatic and economic sectors of many countries as it has been in military affairs. In addition, historians of cryptology in any era tend to be a bit parochial, and often write about COMINT as if it existed in a vacuum. Professor John Ferris of the University of Calgary, who served as a scholar in residence at the Center for Cryptologic History from 2008 to 2009, has avoided both of these pitfalls. His articles in this volume add immeasurably to our understanding of the role of COMINT in the opening days of World War One, and its development in the next decade. His research has brought to light previously unknown but important episodes from this formative period, and, better still, with his wide-ranging knowledge about non-COMINT intelligence and about diplomacy, he has placed this new material in the proper context. 72-page PDF
Special Series Number 12 The First Americans: The 1941 US Codebreaking Mission to Bletchley Park David Sherman, National Security Agency, Center for Cryptologic History (2016 second printing). In late January 1941, ten months before Pearl Harbor and America’s entry into World War II, a four-person US military delegation slipped onto the British battleship HMS King George V, which was anchored in the Chesapeake Bay off Annapolis, Maryland. Wearing civilian clothes, carrying diplomatic passports, and armed with the cover story of being Canadians, the four officers—the US Navy’s Prescott Currier and Robert Weeks and their US Army companions Leo Rosen and Abraham Sinkov, the group’s leader—were bound for a British installation so secret that for three decades after the war’s end in 1945 it remained unknown to the general public in both Great Britain and the United States. This was Bletchley Park, the United Kingdom’s wartime codebreaking establishment located on a former country estate an hour’s train ride north of London. 64-page PDF
Special Series Number 13 Ann's War: One Woman's Journey to the Codebreaking Victory over Japan By David Sherman, NSA Center for Cryptologic History (2019)
Thousands of American women entered government service during World War II to serve their country in its time of need and take advantage of newly created career opportunities that men in uniform had left behind. Few stayed on throughout the Cold War, and only one advanced through the cryptologic civilian ranks to become NSA’s deputy director: Ann Caracristi. Those who knew Caracristi have remembered her as humble, hardworking, and professional. Those who didn’t know her often see her as a towering female figure from the World War II generation who somehow advanced magnificently through the NSA civilian ranks. Caracristi dedicated more than 60 years to US national security efforts, proving herself time and again as both a technical cryptanalyst and senior leader in what was then a male-dominated profession. She never relished being singled out later as the “first female” this or that. She did her job for a reason, and that reason was not for personal accolades.
64-page PDF
Special Series Number 14 "Give to Ferner": The Untold Story of an American Master Cryptanalyst By Brenda J. McIntire, NSA Center for Cryptologic History (2023)
In July 1936, a young college graduate from Alliance, Ohio, began working for the US Army in Washington, DC. He was joining an organization that would play a critical role in assuring America’s security during the coming global war and beyond. Without ever firing a shot on a battlefield, this man personally enabled numerous attacks and defenses in a most secret war: a war fought not with kinetic weapons but with weapons of the mind. The man was Robert Orestes Ferner, and the battlefield was the realm of cryptology.
60-page PDF
Special Series
CRISIS COLLECTION
Volume 1
Attack on a Sigint Collector, the U.S.S. Liberty By William D. Gerhard and Henry W. Millington (1981)
The Israeli attack on the U.S.S. Liberty some 14 years ago was, indeed, a wrenching experience for U.S. Sigint agencies. The loss, particularly in the case of those Sigint specialists who gave their lives or were wounded, was difficult to accept. The knowledge that the tragedy resulted not only from Israeli miscalculation but also from faulty U.S. communications practices was even more difficult to accept. The passage of time has made it possible for the authors to reexamine the Liberty incident objectively and answer a number of persistent questions. The authors accordingly set forth the technical rationale for the Liberty mission, the particulars of the Israeli miscalculation, the details of the American communications failures, a narrative of the attack and of attempts to minimize the compromise of cryptologic materials, and the lessons to be learned from the event. Finally, this is also an account of the way the U.S. Sigint agencies organized their response to requirements brought on by a crisis situation. As such, it has much to offer the student of U.S. cryptologic operations.
83-page PDF
Special Series
CRISIS COLLECTION
Volume 2
The Suez Crisis: A Brief Comint History The Suez Crisis is another addition to the Special Series Crisis Collection published by the NSA History and Publications Division. The Suez crisis of 1966 is an interesting study of U.S. intelligence, especially its Sigint aspect, during a "brushfire" situation. The crisis presented United States policymakers with a unique intelligence dilemma. Two U.S. allies, Britain and France, opposed American policy objectives. Working with Israel, they conspired to take the Suez Canal and preserve their influence in the area. This study, by [redacted], provides remarkable insights into Anglo-American relations, U.S. relations with Egypt, France, and Israel, and American concerns over the Soviet Union and its reaction to the crisis. The study is based on a review of over three thousand intercepted messages. 42-page PDF
Special Series
CRISIS COLLECTION
Volume 3
The National Security Agency and the EC-121 Shootdown [Author Redacted] 1989.
On 15 April 1969 a North Korean MIG-21 shot down a U.S. Navy EC-121 reconnaissance aircraft over the Sea of Japan. This is a study of the role NSA played in the crisis. It traces the origin and purposes of the flight, NSA’s response to the shootdown, the aftermath investigations, and the resulting changes in the U.S. aerial reconnaissance program, warning procedures, and the development of the National Sigint Operations Center (NSOC).
64-page PDF
Special Series
CRISIS COLLECTION
Volume 4
The Falklands, 1982: An American Perspective [Author Redacted] (1991)
Special Series
CRISIS COLLECTION
Volume 5
Shield and Storm: The Cryptologic Community During the Desert Operations
Special Series
CRISIS COLLECTION
Volume 6
Supporting the Desert Warriors: The Role of the National Security Agency's Information Systems Security Organization in Operation DESERT SHIELD/DESERT STORM
Special Series
CRISIS COLLECTION
Volume 7
The Capture of the USS Pueblo and Its Effect on SIGINT Operations The story of the Pueblo incident of 1968 is inherently a distasteful one for intelligence professionals, but the factors which make it unpleasant at the same time make it imperative reading. The lessons to be learned from failed operations in general and this incident in particular are many and should be widely studied throughout the intelligence community so that we may prevent similar disasters from occurring in the future. Indeed, as the present monograph makes clear, the components of the intelligence community conducted reviews, postmortems, and “lessons learned" exercises of many types in the aftermath of the Pueblo incident and made numerous beneficial changes in the policy and procedure as a result. What we must recognize, however, is that the lessons to be learned go beyond the mechanical, i.e., that intelligence officers must remain flexible in their thinking and skeptical in their approach to any problem. It is arguable that some of the fundamental problems in the case of the Pueblo were the great haste to get the operation under way and an unwillingness to challenge preconceived assumptions about the way operations should be conducted. This was compounded by a failure to communicate fully to all who needed to know about the operation - and by a failure to communicate candidly when problems or doubts appeared. 255-page PDF
Special Series
CRISIS COLLECTION
Volume 8
The Soviet Invasion of Afghanistan: A Cryptologic History Interesting that the cover page shows the original classification markings as:
The study of history is important to any profession, and the study of cryptologic history is especially important for Signals Intelligence and Information Security professionals. Considering that this business is characterized by the constraining effects of anonymity and the rapid pace of changes in technology, it is all the more essential that each professional have the sense of perspective and the sense of pride that only institutional memory can provide. Vera Filby's A Cryptologic History of the Soviet Invasion of Afghanistan, published by the Center for Cryptologic History, is a notable contribution to professional reading about Signals Intelligence. In fact, I believe it is destined to become a "classic" in the library of cryptologic literature. Here's why. On the one hand, this monograph provides an exciting description of one of NSA's great success stories of the 1970s - the insight SIGINT afforded policymakers into an unexpected and destabilizing Soviet military action. It opens to us a clear example of how SIGINT made a real difference in United States policy and diplomacy. Even more important for professional literature, this monograph unfolds for the reader a thorough case study of a SIGINT problem as it was worked from its inception through successful exploitation, until NSA could furnish this crucial support to policymakers. While the monograph is clear about the importance of technological advances, it emphasizes that technology alone is insufficient to accomplish the cryptologic mission, that the decisive factor in success is the individual - that is, the individual who has the ability to approach the problem at hand in a creative way and to use technology, analytic expertise, and the resources of the SIGINT system in new and forceful ways.
85-page PDF

NSA/CCH/NCM Special Research Histories (SRH)

Thanks to Maurice Onraet for suggesting this section.

Title Publisher Source Access
SRH-001-001 Historical Background of the Signal Security Agency Volume 1: Codes and Ciphers prior to World War 1 Army Security Agency 1946 Crypto Museum Library - Google Drive 142-page PDF
SRH-001-002 Historical Background of the Signal Security Agency Volume 2: World War 1 Army Security Agency 1946 Crypto Museum Library - Google Drive 223-page PDF
SRH-001-003 Historical Background of the Signal Security Agency Volume 3: The Peace 1919-1939 Army Security Agency 1946 Crypto Museum Library - Google Drive 319-page PDF
SRH-002 War Secrets in the Ether By Wilhelm F. Flicke, Translated by Ray W. Pettengill Crypto Museum Library - Google Drive 319-page PDF
SRH-003 Influence of U.S. Cryptologic Organizations on the Digital Computer Industry National Security Agency 1977 Crypto Museum Library - Google Drive 41-page PDF
SRH-005 Use of CX-MSS Ultra By the US War Department United States War Department Crypto Museum Library - Google Drive 86-page PDF
SRH-006 Synthesis in Experiences in the Use of ULTRA Intelligence by U.S. Army Field Commands in the European Theater of Operations Army Security Agency (ASA) Crypto Museum Library - Google Drive 29-page PDF
SRH-007 Staff Study on Converter M-325 (Short Title: SIGFOY) Army Security Agency (ASA) Crypto Museum Library - Google Drive 11-page PDF
SRH-009 Battle of the Atlantic, Volume One: Allied Communications Intelligence US Navy, Director of Naval Communications (OP-20-G) Crypto Museum Library - Google Drive 233-page PDF
SRH-008 Battle of the Atlantic, Volume Two: U-Boat Operations US Navy, Director of Naval Communications (OP-20-G) Crypto Museum Library - Google Drive 401-page PDF
SRH-010 History of Converter M-325 U.S. Army Signal Security Agency (SSA) Crypto Museum Library - Google Drive 48-page PDF
SRH-011-001 (Volume 1) The Role of Communication Intelligence in Submarine Warfare in the Pacific (January 1943-October 1943) Chief of Naval Operations (1945) Radio Intelligence Publication Number 340. (R.I.P. 340) Crypto Museum Library - Google Drive 210-page PDF
SRH-011-002 (Volume 2) The Role of Communication Intelligence in Submarine Warfare in the Pacific (January 1943-October 1943) Chief of Naval Operations (1945) Radio Intelligence Publication Number 341. (R.I.P. 341) Crypto Museum Library - Google Drive 216-page PDF
SRH-011-003 (Volume 3) The Role of Communication Intelligence in Submarine Warfare in the Pacific (January 1943-October 1943) Chief of Naval Operations (1945) Radio Intelligence Publication Number 342. (R.I.P. 342) Crypto Museum Library - Google Drive 276-page PDF
SRH-011-004 (Volume 4) The Role of Communication Intelligence in Submarine Warfare in the Pacific (January 1943-October 1943) Chief of Naval Operations (1945) Radio Intelligence Publication Number 343. (R.I.P. 343) Crypto Museum Library - Google Drive 187-page PDF
SRH-011-005 (Volume 5) The Role of Communication Intelligence in Submarine Warfare in the Pacific (January 1943-October 1943) Chief of Naval Operations (1945) Radio Intelligence Publication Number 344. (R.I.P. 344) Crypto Museum Library - Google Drive 411-page PDF
SRH-011-006 (Volume 6) The Role of Communication Intelligence in Submarine Warfare in the Pacific (January 1943-October 1943) Chief of Naval Operations (1946) Crypto Museum Library - Google Drive 371-page PDF
SRH-011-007 (Volume 7) The Role of Communication Intelligence in Submarine Warfare in the Pacific (January 1943-October 1943) Chief of Naval Operations (1946) Crypto Museum Library - Google Drive 115-page PDF
SRH-011-008 (Volume 8) The Role of Communication Intelligence in Submarine Warfare in the Pacific (January 1943-October 1943) Chief of Naval Operations (1945) Crypto Museum Library - Google Drive 323-page PDF
SRH-012-001 (Volume 1) The Role of Radio Intelligence in the American-Japanese Naval War (August 1941-June 1942). Covers the pre-war period and the Pearl Harbor disaster. Ensign (later Lieutenant) John V. Connorton, US Naval Reserves Crypto Museum Library - Google Drive 365-page PDF
SRH-012-002 (Volume 2) The Role of Radio Intelligence in the American-Japanese Naval War (August 1941-June 1942). Details the Battle of Midway and the Aleutian Islands campaign. Ensign (later Lieutenant) John V. Connorton, US Naval Reserves Crypto Museum Library - Google Drive 436-page PDF
SRH-012-003 (Volume 3) The Role of Radio Intelligence in the American-Japanese Naval War (August 1941-June 1942). Focus on the Solomon Islands campaign and the Guadalcanal operations. Ensign (later Lieutenant) John V. Connorton, US Naval Reserves Crypto Museum Library - Google Drive 675-page PDF
SRH-012-004 (Volume 4) The Role of Radio Intelligence in the American-Japanese Naval War (August 1941-June 1942) Focus on the Solomon Islands campaign and the Guadalcanal operations. Ensign (later Lieutenant) John V. Connorton, US Naval Reserves Crypto Museum Library - Google Drive 834-page PDF
SRH-013 ULTRA: History of U.S. Strategic Air Force Europe vs. German Air Forces William P. Bundy, Major U.S. Army Signal Corps. During the war, Bundy was a key member of the American contingent at Bletchley Park, where he worked in "Hut 3" as a specialist in the tactical and strategic application of ULTRA intelligence for field commands. Crypto Museum Library - Google Drive 386-page PDF
SRH-014 Final Report of the Radio Intelligence Section, General Staff - General Headquarters American Expeditionary Forces (AEF) War Department, Office of the Chief Signal Officer, Signal Intelligence Section, War Plans and Training Division.
Foreword: The report contained herein was prepared by Lt. Col. Frank Moorman, G.S., in December 1918, when he was Chief of the Radio Intelligence Section, General Staff, General Headquarters, American Expeditionary Forces. No changes, additions, or deletions have been made therein.
This report merits most careful study by signal intelligence personnel.
Jun 25, 1934.
WILLIAM F. FRIEDMAN, Cryptanalyst,
Chief of Signal Intelligence Section,
Office of the Chief Signal Officer.
Crypto Museum Library - Google Drive 59-page PDF
SRH-015 Notes on German Fuel Position (March 31, 1945) War Department General Staff, Military Intelligence Division G-2
[from the top of the first page] "During recent months SHAEF's notes on the German fuel position have been so full of errors of fact and logic that, because of our obligation to present "Ultra" faithfully and without distortion, we have added copious footnotes before including the SHAEF notes in the ES. These footnotes have been of two types: (i) the actual "Ultra" message which had been used by SHAEF as the basis for comments or conclusions, or other "Ultra" evidence tending to modify or contradict a SHAEF conclusion; and (ii) quotations or statements tending to modify some particularly unreasoned SHAEF statement."
Crypto Museum Library - Google Drive 44-page PDF
SRH-016 Need for New Legislation Against Unauthorized Disclosures of Communications Intelligence Activities (June 9, 1944) Lt.(jg) John V. Connorton, USNR and Lt. Floyd W. Tomkins, Jr., AUS
Chapter I outlines the great need for continued security precautions in handling the special information derived from communication intelligence activities. In Chapter II the story of the modern development of cryptography, cryptanalysis and traffic analysis is told to demonstrate the increasing complexity of codes and ciphers during the past generation, and the consequent difficulties of deriving intelligence therefrom. This fact has necessitated the influx of a large number of persons into U.S. Army and Naval Communication Intelligence organizations since the carefully selected few of pre-war times could not cope with the tremendously increased traffic. Rapid expansion has made the problem of continued security even more pressing now than ever before. A detailed story of the publicity leaks concerning the success of communication intelligence in various nations has been outlined to cover the post-war period from 1920 to 1930, the Yardley era from 1931 up to the outbreak of the American-Japanese war, and finally, the present period in which the most dangerous publicity leaks have occurred. Numerous instances have been cited to indicate the great need for improved legislation to protect the security of communication intelligence activities in the United States. Chapter III discusses the effects of publicity leaks on United States' cryptanalysis and traffic analysis, with particular reference to Japanese security precautions after Yardley's disclosures in 1931, and with special emphasis on the developments resulting from the unfortunate publicity concerning the Battle of Midway.
Crypto Museum Library - Google Drive 112-page PDF
SRH-017 Allied Strategic Air Force Target Planning (circa August 1945) United States Strategic Air Forces in Europe (USSTAF)
Strategic planning requires a comprehensive knowledge of the enemy, involving geographic, economic, social and political factors as well as the strength, capabilities and plans of his fighting forces. Planning offensive programmes for the Allied strategic air forces against Germany was no exception to this rule, and it is not surprising to find that Ultra was only one of a number of intelligence sources which contributed to an understanding of the problems faced by Allied air commanders. Obviously only occasional pieces of Ultra intelligence were relevant to the problems of weighing the relative importance and vulnerability of such items as steel, anti-friction bearings, abrasives, coal, electric power plants, railways, and water transportation systems in Germany's war production scheme.
Crypto Museum Library - Google Drive 66-page PDF
SRH-018 Collection of Japanese Diplomatic Messages (June 12, 1938 - January 21, 1942) Department of the Army Intelligence Files (G-2) and the Signals Intelligence Service (SIS) Crypto Museum Library - Google Drive 98-page PDF
SRH-019 Blockade-Running Between Europe and the Far East by Submarines, 1942-44 Department of the Army Intelligence Files (G-2) and the Signals Intelligence Service (SIS) Crypto Museum Library - Google Drive 34-page PDF
SRH-020 Narrative: Combat Intelligence Center - Joint Intelligence Center - Pacific Ocean Area US Pacific Fleet Crypto Museum Library - Google Drive 26-page PDF
SRH-021 Controlled Agent Communications Activities 1944-1945 This material, prepared for use by controlled agents, was originated by the Special Section, Joint Security Control, of the Joint Chiefs of Staff. Decryptions of the ensuing communications were provided by the US Coast Guard operating as a part of the US Navy (OP-20-G) [since 1941]. Crypto Museum Library - Google Drive 463-page PDF
SRH-022 ULTRA and the U.S. Seventh Army The report summarizes the experience of the Seventh U.S. Army in the use of ULTRA intelligence between August 1944 and May 1945. Crypto Museum Library - Google Drive 7-page PDF
SRH-023 Part 1 of 2: Reports by U.S. Army ULTRA Representatives with Army Field Commands in the European Theatre of Operations A study of the history of ULTRA intelligence during the European War is now being made at "War Station" by a joint Anglo-American team. One purpose of the project is a critical examination of the techniques and organization which were employed, designed (i) to record for future use the lessons learned and the methods which were efficient and workable, and (ii) to recommend ways in which the value of the intelligence could have been exploited more fully. Crypto Museum Library - Google Drive 68-page PDF
SRH-023 Part 2 of 2: Reports by U.S. Army ULTRA Representatives with Army Field Commands in the European Theatre of Operations See above for description. Crypto Museum Library - Google Drive 120-page PDF
SRH-024 Battle of the Atlantic, Volume 3: German Naval Communication Intelligence, Compromise of Allied Ciphers The section on the "Compromise of Allied Ciphers" is one of the most sobering chapters for Allied historians. It details how, while the Allies were famously breaking the German Enigma code (Ultra), the Germans were simultaneously breaking British and Allied naval codes with devastating success:
1. The "B-Dienst" Success
The document focuses on the B-Dienst (Beobachtungsdienst), the German Naval Intelligence Service. While the Allies relied on advanced electromechanical "Bombes" to crack Enigma, the B-Dienst relied on world-class linguistic analysis and "hand-cranked" cryptanalysis to break Allied codes.
2. Which Ciphers Were Compromised?
The "compromise" specifically refers to several iterations of the British Naval Cipher used to coordinate Atlantic convoys:
  • Naval Cipher No. 3: This was the primary code used for communication between Allied naval authorities and convoy escorts. The B-Dienst broke this so effectively that during parts of 1942 and early 1943, they were reading Allied messages faster than the intended Allied recipients.
  • Naval Cipher No. 5: Introduced to replace the compromised No. 3, but the B-Dienst eventually made inroads here as well, though with less total "mastery" than they had over the earlier versions.
  • Merchant Navy Code: Used by the merchant ships themselves. This was frequently compromised, allowing U-boats to know the exact "noon positions" and course changes of slow-moving convoys.
3. The Consequences: "The Blackout"
The document explains that this compromise led to the "Great Blackout" of 1942. Because the Germans knew where the convoys were going, they could position "Wolfpacks" (U-boat groups) directly in their path.
Convoy Rerouting: The Allies would send a message to reroute a convoy to avoid U-boats; the B-Dienst would read that message and move the U-boats to the new location.
Casualties: This intelligence superiority is a major reason why 1942 was the most disastrous year of the war for Allied shipping losses.
4. Why Were They Compromised?
SRH-024 highlights several systemic failures:
  • Overuse: The Allies used the same codebooks for too long, giving German cryptanalysts a massive "library" of intercepted text to compare and solve.
  • Insecure Indicators: The way the "keys" for the day were transmitted was flawed, allowing the Germans to identify the starting settings for the codes.
  • Predictable Content: Naval messages often followed rigid formats (e.g., "Requesting escort for...") which provided "cribs"—known pieces of text that act as a skeleton key for the rest of the message.
Crypto Museum Library - Google Drive 145-page PDF
SRH-025 Battle of the Atlantic, Volume 4: Technical Intelligence from Allied Communications Intelligence (COMINT) The "cat-and-mouse" game of wartime technology—specifically how the Allies used intercepted German signals to understand and defeat new U-boat hardware.
1. The Radar War (The GSR Struggle)
A massive portion of this document is dedicated to the German GSR (German Search Receiver).
The Metox: Early in the war, the Germans used a receiver called the Metox to detect Allied radar pulses, giving U-boats enough time to dive before an airplane spotted them.
The Centimeter Crisis: SRH-025 describes the German panic when the Allies switched to centimeter-wavelength radar (10cm and 3cm).
The old German receivers couldn't "hear" this high-frequency radar, leading to U-boats being attacked with no warning.
2. The "Schnorchel" (Snorkel)
SRH-025 provides the intelligence community's assessment of the Snorkel, which allowed U-boats to run their diesel engines while submerged.
The document analyzes how Allied communications intelligence (COMINT) helped pilots identify the tiny radar signature of a snorkel head or the heat/exhaust signature left on the surface, largely neutralizing what the Germans hoped would be a "war-winning" invisibility tool.
3. Weapons Intelligence: Torpedoes and Flak
The report details technical data gleaned from "reading the enemy's mail" regarding:
Acoustic Torpedoes (Gnat/Zaunkönig): How the Allies learned about German torpedoes that homed in on propeller sounds and subsequently developed "Foxer" noisemakers to decoy them.
Anti-Aircraft Improvements: Reports on the increasing heavy armament (Flak) being put on U-boat decks to fight back against Allied "Liberator" and "Sunderland" aircraft.
Crypto Museum Library - Google Drive 110-page PDF
SRH-026 Marshall Letter To Eisenhower on the Use of ULTRA Intelligence - March 15, 1944 "You are undoubtedly aware of the supreme importance which the War Department attaches to intelligence known as "Ultra". This intelligence is secured by the British from reading German enciphered radio communications. The attached Tab sets forth the basis upon which German "Ultra" intelligence is made available to American field commands. Please give this matter your personal attention, and take all necessary steps to insure that the security regulations governing the dissemination of "Ultra" intelligence are meticulously observed. The arrangements described in the attached Tab are to be fully carried out." Crypto Museum Library - Google Drive 6-page PDF
SRH-027-001 The "Magic" Background of Pearl Harbor: Volume 1 (February 14, 1941 - May 12, 1941) "The Department of Defense is releasing for public use and research this multi-volume study giving the "MAGIC" or communications intelligence background of the 1941 Pearl Harbor disaster. In its review of classified records pursuant to E.O. 11652, the Department of Defense decided that it was in the public interest to declassify the intelligence which the U.S. obtained from the communications of its World War II enemies. This study contains a major part of the communications intelligence which the U.S. derived from intercepted Japanese communications during 1941.
The documentation presented here is both voluminous and significant. The large volume of intelligence concerning Japanese secret plans, policies, and activities which U.S. cryptologic specialists produced will augment the information already available on Pearl Harbor from Congressional and other public hearings. Of particular importance in this study is the correlation of the intelligence with the discussions of Secretary of State Hull and Japanese Ambassador Nomura in the critical months before Pearl Harbor. Scholars no doubt will find new challenges in this voluminous intelligence information as they examine not only the decisions made by the U.S. but also the intelligence which influenced and occasionally prompted those decisions."
Crypto Museum Library - Google Drive 282-page PDF
SRH-027-002 The "Magic" Background of Pearl Harbor: Volume 2 (May 12, 1941 - August 6, 1941) See description in SRH-027-001 above Crypto Museum Library - Google Drive 222-page PDF
SRH-027-003 The "Magic" Background of Pearl Harbor: Volume 2: Appendix See description in SRH-027-001 above Crypto Museum Library - Google Drive 611-page PDF
SRH-027-006 The "Magic" Background of Pearl Harbor: Volume 4: (October 17, 1941 - December 7, 1941) See description in SRH-027-001 above Crypto Museum Library - Google Drive 611-page PDF
SRH-028 Code and Signal Memoranda, Navy Department Code and Signal Section Navy Department, Code and Signal Section, Division of Operations, 1917.
Table of Contents:
  • Code & Signal Memorandum No. 1 (C and S Memo 1) CSP 103: pages 1-12
  • Code & Signal Memorandum No. 2 (C and S Memo 2) CSP 121: pages 13-28
  • Code & Signal Memorandum No. 3 (C and S Memo 3) CSP 130: pages 29-33
Particularly interesting is "CSP 130" which details "the two principal causes of the compromising of codes and ciphers:"
  1. Capture of books and the work of secret agents, and
  2. enemy's ability to reconstruct codes and ciphers from intercepted messages.
Underlined on page 32 is this: "It can not, therefore, be too strongly impressed upon officers who draft messages that one careless officer in drafting and coding messages can give the enemy more help toward solving codes and ciphers than is afforded by hundreds of properly drafted messages."
Crypto Museum Library - Google Drive 36-page PDF
SRH-029 Brief History of the Signal Intelligence Service By William F. Friedman (WFF) on June 29, 1942
Starts with this sentence: "Prior to June 1917 no department of the Government conducted cryptanalytic activities whatsoever."
 
Ends with this paragraph: "Finally, if we are not to repeat once more the mistakes made at the close of the last war in respect to signal intelligence work, every effort should be made to place the present organization on the most firm, permanent foundation it is possible to erect. The service should not be considered as merely an appendage to the functions performed by the Signal Corps only in time of war but as a permanent service that operates on a large scale in peace time as well as in war time."
Crypto Museum Library - Google Drive 19-page PDF
SRH-030 A History of the Code and Cipher Section during the First World War By Major Herbert O. Yardley, 1919
Starts with: "When war was declared, neither the War Department nor any other department of the Government possessed even a rudimentary organization for attack on codes and ciphers. Colonel Van Deman [[ Colonel Ralph Van Deman, who is widely considered the "Father of American Military Intelligence." ]] recognized however, that such an organization was absolutely indispensable and immediately began a search for experts to form it and train the necessary personnel."
Crypto Museum Library - Google Drive 13-page PDF
SRH-031 Trip Reports Concerning Use of ULTRA In the Mediterranean Theatre, 1943-1944 By Major James D. Fellers, Air Corps.
"An estimated 8,000 miles were travelled. The principal purpose of the mission was to observe and study the methods of handling special intelligence in the field by operational commands."
Crypto Museum Library - Google Drive 143-page PDF
SRH-032 Reports By U.S. Army Ultra Representatives with Field Commands in the Southwest Pacific, Pacific Ocean, and China Burma India Theaters of Operations, 1944-1945 Table of Contents has three sections:
  • Special Security Representative (SSR) Armed Forces, Pacific (AFPAC)
  • Special Security Representative (SSR) Pacific Ocean Areas (POA)
  • Special Security Operations, China Burma India Theater (CBI)
Crypto Museum Library - Google Drive 90-page PDF
SRH-033 History of the Operations of Special Security Officers (attached to field commands), 1943-1945 "The Special Security Officer (SSO) system was organized for the purpose of providing a means of rapid and secure dissemination of Ultra intelligence to operating commands." Crypto Museum Library - Google Drive 7-page PDF
SRH-034 Marshall Letter to MacArthur on the Use of ULTRA Intelligence, May 23, 1944 (and related correspondence) Table of Contents:
  • Marshall Letter to MacArthur
  • Bissell Letter to Menzies
  • Marshall Letter to Buckner
  • Regulation for Maintaining the Security of Special Intelligence in the Pacific and Asiatic Theaters
Crypto Museum Library - Google Drive 22-page PDF
SRH-035 History of the Special Branch, MIS, War Department, 1942-1944 Starts with: "When the United States entered World War II, it had made a haphazard beginning in the field of signal intelligence." Crypto Museum Library - Google Drive 65-page PDF
SRH-036 Radio Intelligence in World War II: Tactical Operation in the Pacific Ocean Areas, January 1943 The "Summary" is on pages 1 through 30 inclusive; the bulk of the document is an Appendix from pages 94 through 684 inclusive.
"It has been the purpose of this study to display the role of radio intelligence in the military operations in the Pacific Ocean area in World War II. The problem has been approached through a study of the dispatches based on radio intelligence sent out by CinCPac to his subordinate commands."
Crypto Museum Library - Google Drive 695-page PDF
SRH-037 Reports Received by U.S. War Department on Use of ULTRA in the European Theater, World War II Table of Contents:
  • Volume, Security, Use, and Dissemination of Ultra, by Brigadier E. T. Williams, 5 Oct 1945 (pages 1-15)
  • The use of "U" in the Mediterranean and Northwest African theaters of war by Group Captain R. H. Humphreys, October 1945 (pages 16-33)
Crypto Museum Library - Google Drive 40-page PDF
SRH-038 A selection of Papers Pertaining to Herbert O. Yardley For example, page 3 is a memo from, recommending promotion from First Lieutenant to Captain, including because "He is brought into contact with officers of much higher rank and his own lack of rank tends to create situations of difficulty and embarrassment." Crypto Museum Library - Google Drive 192-page PDF
SRH-057 This is Our War Delivered at Arlington Hall Station LECTURE SERIES "THIS IS OUR WAR" Delivered at Arlington Hall Station in the Autumn of 1943. By Ambassador Joseph C. Grew, Brigadier General J.V. Matejka, Major General William D. Styer, Rear Admiral Joseph R. Redman, Lieutenant Colonel E. F. Cook, Commissioner Arthur S. Fleming, Mr. Byron Price, Mr. Charles P. Taft, Mr. Hugh H. Clegg
ARMY SECURITY AGENCY, WASHINGTON D.C.
The lectures in this volume were transcribed in the Historical Unit from recordings made at the time (September and October 1943) when they were given at Arlington Hall Station. The series, "This is Our War", was sponsored by the Chief Signal Officer, Major General Harry C. Ingles in the interests of morale-building.
Crypto Museum Library - Google Drive 209-page PDF
SRH-058 The Legendary William F. Friedman by Lambros D. Callimahos Crypto Museum Library - Google Drive 11-page PDF
SRH-237 Geiger Muller Counter For Detection of Radioactive Secret Ink 1941-1945 The use of radio-active substances in secret inks has been known in this country for some time. The addressee of a letter containing a message written with such an ink places the sheet flat against a piece of photographic film for a time. Radiation from the ink exposes corresponding portions of the film so that when developed, the film contains the message in visible form.
 
In its almost two years of service (in Laboratory Branch) the equipment has developed no troubles of any kind. It has been found, however, that its operation is interfered with by the electrical disturbances caused on the power line by the operation of Electromatic typewriters. Although the difficulty has been cured by the making of a simple change in the typewriter wiring, it would be desirable, in any future models, to attempt to make them less sensitive to electrical noise on the power line.
 
Investigations conducted since the end of hostilities in Europe have indicated that no radio-active inks were ever used by the Germans. However, since that fact was not previously known, it would have been most negligent not to have assumed that they would use such inks.
Crypto Museum Library - Google Drive 35-page PDF
SRH-261-001 Analysis of a Mechanico-Electrical Cryptograph, Part 1 of 2 By William F. Friedman (WFF) 1934.
Nature of investigation. In the latter part of 1923, a cryptographic machine called the "Hebern Electric Super-Code" was submitted to the Chief Signal Officer for examination and consideration relative to its suitability for use in the military service. The usual claims for indecipherability were made for this machine, which had also been submitted to another Government department interested in such devices, and had already been most favorably considered for adoption into their service. This investigation was undertaken with a view to determining the merits of the device, more especially as to whether the degree of secrecy afforded by its use is sufficient to warrant further consideration as to its suitability for adoption in the military service.
Preliminary statement of results. A cursory examination of the machine soon showed that it was worthy of the closest study. It is the smallest, most compact, and rugged device of its kind, considering the degree of secrecy which it is possible to achieve by its use. The latter factor seemed to be considerably higher than that afforded by any other machine heretofore examined, excepting the Printing Telegraph Cipher Machine, which, in its present form, is much bulkier and not at all suitable for use in the theater of war below Army Headquarters. As a device for use in the field, the machine herein described seemed more nearly to fulfill the necessary requirements than any other machine ever studied by the writer.
Crypto Museum Library - Google Drive 69-page PDF
SRH-261-002 Analysis of a Mechanico-Electrical Cryptograph, Part 2 of 2 "It was desired that the test be of the utmost severity, exceeding in severity what could be expected from an attack under the most favorable conditions. With this in view, there was furnished, with the machine, 55 messages with plain text and 110 messages without the equivalent plain text; also the general system employed in setting up message indicators." Crypto Museum Library - Google Drive 68-page PDF
SRH-267 History of Engineering Research Associates 2. Background Facts. The U. S. Naval Computing Machine Laboratory was established in Dayton, Ohio, in November 1942, for the design and development of special electronic equipment for Communication Intelligence purposes. The laboratory occupied a building on the grounds of the National Cash Register Company and the activities of the laboratory were implemented by Navy development contracts with that company. The Bureau of Ships furnished the Officer-in-Charge of this laboratory, Captain Ralph I. Meader, USNR, who performed this duty as a member of Code 945 of BUSHIPS on additional duty. Capt. Meader maintained for BUSHIPS and NCML the closest personal liaison with the Chief of Naval Operations (Op-20) in order to translate the specialized technical requirements of CNO as quickly and efficiently as possible into practical equipments and in order to handle highly classified technical information through direct and secure channels involving a minimum number of persons.
 
13. Final Arrangements and Negotiations. After this point had been reached, the Northwestern Aeronautical Corporation became the definite vehicle for the creation of this organization capable of performing the C. I. research program. An arrangement was worked out within the Northwestern Aeronautical Corporation for the financial support of a new private research organization, named Engineering Research Associates, Incorporated.
Crypto Museum Library - Google Drive 28-page PDF
 
Wikipedia: ERA
SRH-273 Military Cryptanalytics, Part 1 of 2 (see in Cryptanalysis section above)
SRH-274 Military Cryptanalytics, Part 2 of 2 (see in Cryptanalysis section above)
SRH-282 Military Cryptanalysis Part 1 of 4: Monoalphabetic Substitution Systems 1938 by William F. Friedman (WFF). It is assumed that the student has studied the two preceding texts written by the same author and forming part of this series, viz, Elementary Military Cryptography, and Advanced Military Cryptography. These texts deal exclusively with cryptography as defined therein; that is, with the various types of ciphers and codes, their principles of construction, and their employment in cryptographing and decryptographing messages. Particular emphasis was placed upon such means and methods as are practicable for military usage. It is also assumed that the student has firmly in mind the technically precise, special nomenclature employed in those texts, for the terms and definitions therein will all be used in the present text, with essentially the same significances. If this is not the case, it is recommended that the student review his preceding work, in order to regain a familiarity with the specific meanings assigned to the terms used therein. There will be no opportunity herein to repeat this information and unless he understands clearly the significance of the terms employed, his progress will be retarded. This text constitutes the first of a series of texts on cryptanalysis. Crypto Museum Library - Google Drive 145-page PDF
SRH-331 General Solution for the ADFGVX CIPHER SYSTEM During the World War [World War One], the Germans employed a combined substitution-transposition system known as the "ADFGVX cipher" because the ciphertext consisted solely of the letters, A, D, F, G, V, X. At the close of the war there were three methods of solution, dependent upon special cases involving:
(a) Finding two messages with similar beginnings;
(b) Finding two messages with similar endings;
(c) Finding several messages which were enciphered by means of completely filled rectangles (the "exact factor" method).
21-page PDF
SRH-337 Course in Cryptography by General Marcel Givierge Translated from the original French "Cours de Cryptographie", US Government Printing Office 1934.
This book is scanned with two printed pages per scanned page
(in other words, pages 162 and 163 are on the same scanned page# 86).
Crypto Museum Library - Google Drive 164-page PDF
SRH-338 Manual of Cryptography by General Luigi Sacco. Translated from the original "Manuale di Crittografia". US Government Printing Office 1941 Crypto Museum Library - Google Drive 110-page PDF
SRH-345 Elements of Cryptanalysis Training Pamphlet No. 3 May 1923 The material contained in this pamphlet forms the basis of a course in Military Codes and Ciphers given at The Signal School, Camp Alfred Vail, New Jersey, by Capt. W. F. Friedman, Sig. O. R. C., cryptanalyst in the Office of the Chief Signal Officer. This course is intended to give a brief exposition of the general subject of military cryptography, to show how and why certain types of cryptograms are solved so readily, and to point out and exemplify the various rules and precautions that should be observed in order to maintain the secrecy of our communications. Crypto Museum Library - Google Drive 85-page PDF
SRH-349 The Achievements of the Signal Security Agency in World War II With the cessation of hostilities in August 1945 the necessity for keeping secret many technological advances made by the Armed Forces during the conflict no longer existed and as a result extensive, if not complete, publicity could be given to them. Crypto Museum Library - Google Drive 113-page PDF
SRH-350 Elementary Course in Probability Second Edition Feb 1957 By Office of Research and Development, Mathematical Research Division, February 1957
Crypto Museum Library - Google Drive 166-page PDF
SRH-357 History, Signal Intelligence Division (ETO) June 1942-July 1945 Starts with: Listed below are the pertinent facts in the history and development of the Signal Intelligence Division as they occurred. Crypto Museum Library - Google Drive 235-page PDF
SRH-359A Tabs to History Of Converter M-134-C Volume 1 Crypto Museum Library - Google Drive 243-page PDF
SRH-360 History of Invention and Development of the Mark II ECM Electric Cipher Machine 1943 by Captain L. F. Stafford, US Navy.
The Mark II ECM was developed by the Navy with the aid of Mr. W. F. Friedman and Mr. F. B. Rowlett of this Agency.
Crypto Museum Library - Google Drive 189-page PDF
SRH-364 History of the Signal Security Agency
Volume 1 of 3, 1939-1945
Volume One (Organization) of the History of the Signal Security Agency relates the story of the development of the Agency in World War II (1939-1945). In order that the reader might have a better understanding of the period under discussion, however, it was decided at the time this volume was planned to introduce the main body of the text with an introductory chapter on the origin of the Signal Intelligence Service and its development prior to World War II. Chapter I therefore begins with the year 1917. Crypto Museum Library - Google Drive 604-page PDF
SRH-361 History of the Signal Security Agency
Volume 2 of 3, The General Cryptanalytic Problems
Chapters in the Table of Contents include:
  • Japanese Diplomatic Systems
  • The Japanese Military Attache Systems
  • German Diplomatic Systems
  • The Italian Systems
  • The French Systems
  • The Swiss Systems
  • The Spanish and Spanish-American Systems
  • The Portuguese and Brazilian Systems
Crypto Museum Library - Google Drive 500-page PDF
SRH-362 History of the Signal Security Agency
Volume 3 of 3, 1942-1945
Chief, Army Security Agency, 1947
The early planning and organization of the history of B-II, of which this volume is the end product, was directed by Lieutenant Karl Elmquist, who began the project in the autumn of 1944.
Crypto Museum Library - Google Drive 424-page PDF
SRH-366 The History of Army Strip Cipher Devices (July 1934 - October 1947) By Army Security Agency 1948
The beginning of the Table of Contents includes:
2. Cipher Device M-94
Invention by Thomas Jefferson
Invention by Etienne Bazeries
Invention by Parker Hitt
Invention by Major J. C. Mauborgne
3. Parker Hitt's Flat Strip Cipher Device
4. Development Models M-136 and M-137
5. Cipher Device M-138
6. Cipher Device M-138-A
7. Overcoming the Aluminum Shortage
8. Distribution of Strip Systems
9. Security of Strip Cipher Systems
Crypto Museum Library - Google Drive 310-page PDF
SRH-412 Military Cryptanalysis Part 3 of 4: Simpler Varieties of Aperiodic Substitution Systems 1939 by William F. Friedman (WFF). The text immediately preceding this devoted itself almost exclusively to polyalphabetic substitution systems of the type called repeating-key ciphers. It was seen how a regularity in the employment of a limited number of alphabets results in the manifestation of periodicity or cyclic phenomena in the cryptogram, by means of which the latter may be solved. The difficulty in solution is directly correlated with the type and number of cipher alphabets employed in specific examples.
 
Accordingly, the first part of this text will be devoted to an examination of certain of the very simple varieties of aperiodic, polyalphabetic substitution systems; after this, methods of extending or lengthening short mnemonic keys, and systems using lengthy keys will be studied.
Crypto Museum Library - Google Drive 117-page PDF
SRH-413 Military Cryptanalysis Part 4 of 4: Transposition and Fractionating Systems 1941 by William F. Friedman (WFF). Introductory remarks concerning transposition ciphers. As stated in a previous text, transposition ciphers are roughly analogous to "jigsaw puzzles" in that all the pieces of which the original is composed are present but are merely disarranged. The pieces into which the picture forming the basis of a jigsaw puzzle may be divided are usually quite irregular in size and shape; the greater the amount of irregularity, as a rule, the greater the difficulty in reassembling the pieces in proper order. In this respect, too, transposition ciphers are analogous to jigsaw puzzles, for the greater the amount of distortion to which the plain text is subjected in the transposition process, the more difficult becomes the solution. Crypto Museum Library - Google Drive 194-page PDF

NSA Internal Periodicals & Technical Journals

Series Name Era/Year Scope / Focus Access
Cryptolog: The Journal of Technical Health 1974–1997 NSA Operations Directorate. The "underground" technical exchange for NSA analysts. A massive 136-issue collection (4,400+ pages) declassified in 2012. It contains the most candid technical writing ever released by the agency.
Individual issues 01 through 136 (each issue is a separate PDF download)
4400-page PDF ARCHIVE
NSA Cryptologic Quarterly (Volume 33) 2014-01 Center for Cryptologic History 80-page PDF
NSA Cryptologic Quarterly (Volume 34) 2015-01 Center for Cryptologic History 71-page PDF
NSA Cryptologic Quarterly (Volume 36) 2017-03 Center for Cryptologic History 68-page PDF
NSA Cryptologic Quarterly (Volume 38) 2019-01 Center for Cryptologic History 72-page PDF
NSA Cryptologic Quarterly (Volume 40) 2021-01 Center for Cryptologic History 86-page PDF
NSA Cryptologic Quarterly (Volume 41) 2023-02 Center for Cryptologic History 40-page PDF
NSA Cryptologic Quarterly (Volume 42) 2024-01 Center for Cryptologic History 50-page PDF
NSA Technical Journal 1956–1980 Formal academic-style papers on high-level mathematical and engineering breakthroughs. ARCHIVE
Cryptologic Spectrum 1969–1981 Bridge journal covering "softer" aspects like history, linguistics, and management. "Ask Zelda" Declassified Documents ARCHIVE

NSA Cryptologic Almanac Articles (many are 50th Anniversary)

ARCHIVE

NSA CryptoComics

Web link to NSA CryptoComics
CryptoComics #017: The Gold Bug
NSA CryptoComic
The Gold Bug
1-page PDF
CryptoComics 016 – Solving Purple
NSA CryptoComic
Solving Purple
1-page PDF
CryptoComics 015 – Red Carnation
NSA CryptoComic
Red Carnation
2-page PDF
CryptoComics 015 – “Louie”
NSA CryptoComic
“Louie”
3-page PDF
CryptoComics 014 – America’s First Spy Story
NSA CryptoComic
America’s First Spy Story
4-page PDF
CryptoComics 012 – From the Ambassador
NSA CryptoComic
From the Ambassador
4-page PDF
CryptoComics 011 – A Noble Life
NSA CryptoComic
A Noble Life
5-page PDF
CryptoComics 010 – First African American Cryptologists
NSA CryptoComic
First African American Cryptologists
2-page PDF
CryptoComics 009 – Civil War Signal Security
NSA CryptoComic
Civil War Signal Security
3-page PDF
CryptoComics 008 – A Revolution in Communications
NSA CryptoComic
A Revolution in Communications
2-page PDF
CryptoComics 007 – Beneath the Surface
NSA CryptoComic
Beneath the Surface
1-page PDF
CryptoComics 006 – Critical Communications
NSA CryptoComic
Critical Communications
1-page PDF
CryptoComics 005 – Guadalcanal
NSA CryptoComic
Guadalcanal
1-page PDF
CryptoComics 004 – Teaching an Old General New Tricks
NSA CryptoComic
Teaching an Old General New Tricks
2-page PDF
CryptoComics 003 – The Juanita Moody Story
NSA CryptoComic
The Juanita Moody Story
2-page PDF
CryptoComics 002 – The Unbreakable Kryha Machine
NSA CryptoComic
The Unbreakable Kryha Machine
1-page PDF
CryptoComics 001 – NSOC
NSA CryptoComic
NSOC
(National Security Operations Center)
1-page PDF
Gangplank News (book) Final Edition June 25, 1919 page 90
Cartoon drawn by Albin O'Loane, a prolific cartoonist for the American Expeditionary Forces (AEF) during WWI.
The arrow points directly to the soldier's concave stomach. "Slum" was the universal soldier-slang for Slumgullion stew,
a notorious army staple made of whatever meat and vegetables were available, usually thinned out with water.
It was the 1919 equivalent of saying someone is "built like a cup of instant noodles."
When the MP "Whiskey" says he wants to be a "lineman with a wireless telegraph company," he’s making a classic "soldier's dream" joke.
A lineman’s job is to climb poles and fix wires; if there are no wires (wireless),
he can just sit on the ground and lean against a post all day—exactly as he is doing in the drawing.

NSA/CCH Calendars

2026 Center for Cryptologic History Digital Calendar
2026 NSA/CCH
Center for Cryptologic History
Digital Calendar
14-page PDF
(these are "double" pages)
2025 Center for Cryptologic History Digital Calendar
2025 NSA/CCH
Center for Cryptologic History
Digital Calendar
27-page PDF
2024 Center for Cryptologic History Calendar
2024 NSA/CCH
Center for Cryptologic History
Digital Calendar
28-page PDF
2023 Center for Cryptologic History Calendar
2023 NSA/CCH
Center for Cryptologic History
Digital Calendar
28-page PDF
The Center for Cryptologic History 2022 Digital Calendar
2022 NSA/CCH
Center for Cryptologic History
Digital Calendar
28-page PDF
The Center for Cryptologic History 2021 Digital Calendar
2021 NSA/CCH
Center for Cryptologic History
Digital Calendar
28-page PDF

NIST Publications and Technical Standards FIPS and SP (Special Publication)

ID Standard Title Topic Access
NIST Cryptographic Technology Group (CTG) The Cryptographic Technology (CT) Group’s work in cryptographic mechanisms addresses topics such as hash algorithms, symmetric and asymmetric cryptographic techniques, key management, authentication, and random number generation. Strong cryptography is used to improve the security of information systems and the information they process. Users then take advantage of the availability of secure applications in the marketplace made possible by the appropriate use of standardized, high quality cryptography. The CTG is essentially the "brain trust" for American (and often global) cryptographic standards. NIST CTG Link
NIST Cybersecurity White Paper CSWP 39 Considerations for Achieving Crypto Agility: Strategies and Practices Abstract: Cryptographic (crypto) agility refers to the capabilities needed to replace and adapt cryptographic algorithms in protocols, applications, software, hardware, firmware, and infrastructures while preserving security and ongoing operations. This white paper provides an in-depth survey of current approaches to achieving crypto agility. It discusses challenges and trade-offs and identifies approaches for providing operational mechanisms to achieve crypto agility. It also highlights critical working areas that require additional consideration. 46-page PDF
NIST Special Publication 800-38A (2001 Edition) Recommendation for Block Cipher Modes of Operation: Methods and Techniques This publication provides recommendations regarding modes of operation to be used with symmetric key block cipher algorithms. This recommendation specifies five confidentiality modes of operation for symmetric key block cipher algorithms, such as the algorithm specified in FIPS Pub. 197, the Advanced Encryption Standard (AES) [2]. The modes may be used in conjunction with any symmetric key block cipher algorithm that is approved by a Federal Information Processing Standard (FIPS). The five modes—the Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) modes—can provide data confidentiality. 66-page PDF
NIST Special Publication 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication This publication is the second Part in a series of Recommendations regarding modes of operation of symmetric key block ciphers. This Recommendation specifies a message authentication code (MAC) algorithm that is based on a symmetric key block cipher. This cipher-based MAC is abbreviated CMAC, analogous to the abbreviation for the hash function-based MAC, HMAC, that is standardized in FIPS Pub. 198 [4]. CMAC may be appropriate for information systems in which an approved block cipher is more readily available than an approved hash function. 21-page PDF
NIST Special Publication 800-38C Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality This publication is the third Part in a series of Recommendations regarding modes of operation of symmetric key block cipher algorithms. This Recommendation specifies an algorithm, Counter with Cipher Block Chaining-Message Authentication Code [1], abbreviated CCM, that can provide assurance of the confidentiality and authenticity of data. CCM is based on an approved symmetric key block cipher algorithm whose block size is 128 bits, such as the Advanced Encryption Standard (AES) algorithm currently specified in Federal Information Processing Standard (FIPS) Pub. 197 [2]; thus, CCM cannot be used with the Triple Data Encryption Algorithm [3], whose block size is 64 bits. CCM can be considered a mode of operation of the block cipher algorithm. As with other modes of operation, a single key to the block cipher must be established beforehand among the parties to the data; thus, CCM should be implemented within a well-designed key management structure. The security properties of CCM depend, at a minimum, on the secrecy of the key. 27-page PDF
NIST Special Publication 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC This publication is the fourth Part in a series of Recommendations regarding modes of operation of symmetric key block ciphers. This Recommendation specifies an algorithm called Galois/Counter Mode (GCM) for authenticated encryption with associated data. GCM is constructed from an approved symmetric key block cipher with a block size of 128 bits, such as the Advanced Encryption Standard (AES) algorithm that is specified in Federal Information Processing Standard (FIPS) Pub. 197 [2]. Thus, GCM is a mode of operation of the AES algorithm. 39-page PDF
NIST Special Publication 800-38E Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices This publication is the fifth Part in a series of Recommendations regarding modes of operation of symmetric key block ciphers. The XTS-AES algorithm is a mode of operation of the Advanced Encryption Standard (AES) [1] algorithm. The Security in Storage Working Group (SISWG) of the P1619 Task Group of the Institute of Electrical and Electronics Engineers, Inc (IEEE) developed and specified XTS-AES in IEEE Std. 1619-2007 [2]. This Recommendation approves the XTS-AES mode as specified in that standard, subject to one additional requirement on the lengths of the data units, which is discussed in Section 4 below. 12-page PDF
NIST Special Publication 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping This publication is the sixth part in a series of Recommendations regarding the modes of operation of block ciphers. The purpose of this part is to provide approved methods for key wrapping, i.e., the protection of cryptographic keys. This Recommendation specifies a deterministic authenticated-encryption mode of operation of the Advanced Encryption Standard (AES) block cipher [3]. The mode is called AES Key Wrap, abbreviated as KW in this Recommendation. Although KW can be used in conjunction with any reversible padding scheme, a variant of KW with an internal padding scheme is also specified to promote interoperability. 32-page PDF
NIST Special Publication 800-38G Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption This publication is the seventh part in a series of Recommendations regarding the modes of operation of block cipher algorithms. The purpose of this part is to provide approved methods for format-preserving encryption (FPE). Format-preserving encryption (FPE) is designed for data that is not necessarily binary. In particular, given any finite set of symbols, like the decimal numerals, a method for FPE transforms data that is formatted as a sequence of the symbols in such a way that the encrypted form of the data has the same format, including the length, as the original data. Thus, an FPE-encrypted SSN would be a sequence of nine decimal digits. 28-page PDF
NIST Special Publication 800-57 Recommendation for Key Management Best Practices. Abstract: This Recommendation provides cryptographic key-management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material, including definitions of the security services that may be provided when using cryptography and the algorithms and key types that may be employed, specifications of the protection that each type of key and other cryptographic information requires and methods for providing this protection, discussions about the functions involved in key management, and discussions about a variety of key-management issues to be addressed when using cryptography. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Part 3 provides guidance when using the cryptographic features of current systems. 171-page PDF
NIST Special Publication 800-67 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher The Triple Data Encryption Algorithm (TDEA) is an approved cryptographic algorithm as required by Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules. TDEA specifies both the DEA cryptographic engine employed by TDEA and the TDEA algorithm itself. This Recommendation provides a description of a mathematical algorithm for cryptographically protecting binary coded information (e.g., using encryption and authentication). The algorithm described in this recommendation specifies cryptographic operations that are based on a binary number called a key. 35-page PDF
NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms A hash algorithm is used to map a message of arbitrary length to a fixed-length message digest. Federal Information Processing Standard (FIPS) 180-4, the Secure Hash Standard (SHS) [FIPS 180-4], specifies seven approved hash algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. This Recommendation provides security guidelines for supporting the required or desired security strengths of several cryptographic applications that employ the approved hash functions specified in FIPS 180-4, such as digital signature applications specified in FIPS 186-3 [FIPS 186-3], Keyed-hash Message Authentication Codes (HMACs) specified in FIPS 198-1 [FIPS 198-1] and Hash-based Key Derivation Functions specified in SP 800-56A [SP 800-56A] and SP 800-56B [SP 800-56B]. While the use of hash functions in HMAC-based key derivation functions is specified in SP 800-56C [SP 800-56C] and SP 800-108 [SP 800-108], these documents sufficiently address the security aspects of their use, so discussions of SP 800-56C and SP 800-108 are not included herein. 25-page PDF
NIST Special Publication 800-208 Recommendation for Stateful Hash-Based Signature Schemes This publication supplements FIPS 186 [4] by specifying two additional digital signature schemes, both of which are stateful hash-based signature (HBS) schemes: the Leighton-Micali Signature (LMS) system and the eXtended Merkle Signature Scheme (XMSS), along with their multi-tree variants, the Hierarchical Signature System (HSS) and multi-tree XMSS (XMSSMT). All of the digital signature schemes specified in FIPS 186 will be broken if large-scale quantum computers are ever built. The security of the stateful HBS schemes in this publication depends only on the security of the underlying hash functions—in particular, the infeasibility of finding a preimage or a second preimage—and it is believed that the security of hash functions will not be broken by the development of large-scale quantum computers. 59-page PDF
FIPS 46-3 Data Encryption Standard (DES) The 1977 block cipher standard that launched modern cryptography. Now withdrawn but historically vital. 27-page PDF
FIPS 140-2 Security Requirements for Cryptographic Modules This standard specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106.
Security Level 1 provides the lowest level of security.
Security Level 2 enhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the module.
In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 attempts to prevent the intruder from gaining access to CSPs held within the cryptographic module.
Security Level 4 provides the highest level of security defined in this standard. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate zeroization of all plaintext CSPs. Security Level 4 cryptographic modules are useful for operation in physically unprotected environments.
69-page PDF
FIPS 140-3 Security Requirements for Cryptographic Modules This standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information (hereafter referred to as sensitive information). 11-page PDF
FIPS 140-3 Implementation Guide Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program This Implementation Guidance document is issued and maintained by the U.S. Government's National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), which serve as the validation authorities of the Cryptographic Module Validation Program (CMVP) for their respective governments. 218-page PDF
FIPS 186-5 Digital Signature Standard (DSS) Standard including ECDSA (Elliptic Curve Digital Signature Algorithm) [see Chapter 6]. Abstract: This standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. 86-page PDF
FIPS 197 Advanced Encryption Standard (AES) In 2000, NIST announced the selection of the Rijndael block cipher family as the winner of the Advanced Encryption Standard (AES) competition. Block ciphers are the foundation for many cryptographic services, especially those that provide assurance of the confidentiality of data. Three members of the Rijndael family are specified in this Standard: AES-128, AES-192, and AES-256. Each of them transforms data in blocks of 128 bits, and the numerical suffix indicates the bit length of the associated cryptographic keys. 46-page PDF
FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) Providing a way to check the integrity of information transmitted over or stored in an unreliable medium is a prime necessity in the world of open computing and communications. Mechanisms that provide such integrity checks based on a secret key are usually called message authentication codes (MACs). Typically, message authentication codes are used between two parties that share a secret key in order to authenticate information transmitted between these parties. This Standard defines a MAC that uses a cryptographic hash function in conjunction with a secret key. This mechanism is called HMAC [HMAC]. HMAC shall use an Approved cryptographic hash function [FIPS 180-3]. HMAC uses the secret key for the calculation and verification of the MACs. 13-page PDF
FIPS 202 SHA-3 Hash Standard Abstract: This Standard specifies the Secure Hash Algorithm-3 (SHA-3) family of functions on binary data. Each of the SHA-3 functions is based on an instance of the KECCAK algorithm that NIST selected as the winner of the SHA-3 Cryptographic Hash Algorithm Competition. This Standard also specifies the KECCAK-p family of mathematical permutations, including the permutation that underlies KECCAK, in order to facilitate the development of additional permutation-based cryptographic functions. The SHA-3 family consists of four cryptographic hash functions, called SHA3-224, SHA3-256, SHA3-384, and SHA3-512, and two extendable-output functions (XOFs), called SHAKE128 and SHAKE256. Hash functions are components for many important information security applications, including 1) the generation and verification of digital signatures, 2) key derivation, and 3) pseudorandom bit generation. The hash functions specified in this Standard supplement the SHA-1 hash function and the SHA-2 family of hash functions that are specified in FIPS 180-4, the Secure Hash Standard. 37-page PDF
FIPS 205 Stateless Hash-Based Digital Signature Standard (PQC) Direct PDF of the finalized SLH-DSA standard. Abstract: This standard specifies the stateless hash-based digital signature algorithm (SLH-DSA). Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. SLH-DSA is based on SPHINCS+, which was selected for standardization as part of the NIST Post-Quantum Cryptography Standardization process.
Keywords: computer security; cryptography; digital signatures; Federal Information Processing Standards; hash-based signatures; post-quantum; public-key cryptography.
61-page PDF
NIST Internal Report NIST IR 8214C NIST First Call for Multi-Party Threshold Schemes. By Luís T. A. N. Brandão and René Peralta. Abstract: This is the NIST Threshold Call, calling for public submissions of multi-party threshold schemes, and other related crypto-systems, to support the United States’ National Institute of Standards and Technology (NIST) in gathering a public body of reference materials on advanced cryptography. In a threshold scheme, a reference cryptographic primitive (e.g., signing, encryption, decryption, key generation) is computed in a distributed manner, while its private/secret key is or becomes secret-shared across various parties. The threshold schemes submitted in reply to this call will be interchangeable with a reference nonthreshold primitive of interest, in the sense that their outputs can be used interchangeably in a subsequent operation. The primitives of interest are organized into various categories, across two classes: Class N, for selected NIST-specified primitives; and Class S, for special primitives that are not specified by NIST but are threshold friendly or have useful functional features. The scope of Class S also includes fully-homomorphic encryption, zero-knowledge proofs, and auxiliary gadgets. This document specifies submission phases, and the requirements for submitting a package, including a technical specification, a reference implementation, and a report on experimental evaluation. A subsequent phase of public analysis will support the elaboration of a characterization report, which may help assess new interests beyond the cryptographic techniques currently standardized by NIST, and may include recommendations for future processes.

Cryptographic Mailing Lists & Communities

Group / List Name Type Focus / Culture Access
Cryptographers and Cryptanalysts LinkedIn Group Unique community of more than 17,000 cryptography enthusiasts, founded 2011 JOIN
Cryptography @ Metzdowd Mailing List The "birthplace of Bitcoin." Focused on technical and political impacts. Archives go back to March 2001. JOIN/ARCHIVE
CFRG (Crypto Forum Research Group) IETF / IRTF The bridge between theory and practice for Internet standards. JOIN
NIST PQC-Forum Mailing List The official discussion hub for the Post-Quantum Cryptography transition. JOIN
Modern Crypto (Curves/Messaging) Mailing List Highly technical lists focused on Elliptic Curves and secure messaging. LINK

Expert Cryptographer's Blogs

Blog / Site Name Author / Group Primary Focus Access
ASecuritySite.com Prof. Bill Buchanan OBE Comprehensive live labs for PQC, ZK-Snarks, and Elliptic Curve math with Python/C# code. LINK
When Bob Met Alice (Medium) Prof. Bill Buchanan OBE Daily deep-dives into modern crypto news, PQC migration, and historical protocol analysis. LINK
A Few Thoughts on Cryptographic Engineering Matthew Green Critical analysis of real-world protocol flaws (iMessage, Zoom) and US crypto-policy. LINK
Schneier on Security Bruce Schneier The "journal of record" for security industry news, cryptanalysis, and technical policy. LINK
JP Aumasson's Blog Jean-Philippe Aumasson Focused on the engineering of hashing (BLAKE2) and symmetric primitives. LINK
Peter Gutmann's Research Home Peter Gutmann (Uni. of Auckland) The definitive resource on X.509 certificate "hell," secure data deletion, and PKI design. LINK

Post-Quantum Cryptography (PQC) Era: Strategy & Standards

Year Publication / Document Issuing Body Focus / Impact Access
2025 (last update) Frequently Asked Questions (FAQ) about Post-Quantum Cryptography NIST This Frequently Asked Questions (FAQ) resource is designed to offer answers to questions about the need to secure electronic information with post-quantum cryptography. NIST FAQ Link
2025 (last update) Post-Quantum Cryptography (PQC) Overview NIST NIST’s Post-Quantum Cryptography (PQC) project leads the national and global effort to secure electronic information against the future threat of quantum computers—machines that may be years or decades away but could eventually break many of today’s widely used cryptographic systems. Through a multi-year international competition involving industry, academia, and governments, NIST released the principal three PQC standards in 2024 and is developing additional standards to serve as backups or alternatives. Organizations should begin applying these standards now to migrate their systems to quantum-resistant cryptography. NIST Overview Link
November 2024 Transition to Post-Quantum Cryptography Standards NIST IR 8547 ipd Cryptographic algorithms are vital for safeguarding confidential electronic information from unauthorized access. For decades, these algorithms have proved strong enough to defend against attacks using conventional computers that attempt to defeat cryptography. However, future quantum computing may be able to break these algorithms, rendering data and information vulnerable. Countering this future quantum capability requires new cryptographic methods that can protect data from both current conventional computers and the quantum computers of tomorrow. These methods are referred to as post-quantum cryptography (PQC). 29-page PDF
December 2024 The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ NSA These frequently asked questions (FAQ) and answers are intended to clarify Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) requirements for National Security Systems (NSS) and recommend guidance for the Department of Defense (DoD) and the Defense Industrial Base (DIB). This information may be useful more generally, especially for those who interact with NSS, DoD, or DIB systems. 21-page PDF
June 2025 Post Quantum Cryptography Buyer’s Guide GSA (General Services Administration) The Post-Quantum Cryptography (PQC) Buyer’s Guide for federal agencies is a resource designed to assist agencies in their efforts to prepare systems to protect sensitive data from potential attacks by future quantum computers. Once quantum computing becomes available, it will be capable of breaking much of the public-key cryptography currently used on digital systems jeopardizing civilian and military communications, undermining supervisory and control systems, and defeating security protocols for most internet-based financial transactions. This Guide is a resource that will enable agencies to safeguard existing systems from both classical and quantum computer based attacks and ensure the confidentiality and integrity of data communications. 35-page PDF
2024 IBM Quantum Development Roadmap (2024–2033) IBM Research Detailed timeline for error correction and the path to "Blue Jay" (2,000 logical qubits). LINK
2025 Transitioning to Quantum-Safe Cryptography on IBM Z IBM Redbooks The "migration bible" for protecting mainframe and high-transaction financial data. 232-page PDF
2025 IBM & CSA: Secure the Post-Quantum Future IBM / Cloud Security Alliance A global report on enterprise PQC readiness and the "Quantum-Safe Readiness Index." LINK
2023 Introduction to Quantum Cryptography (Lecture Notes) Thomas Vidick The essential mathematical foundation for Quantum Key Distribution (QKD). 21-page PDF
2024 FIPS 203: ML-KEM (Kyber) NIST First Finalized PQC Standard. 56-page PDF
2024 FIPS 204: Module-Lattice-Based Digital Signature Standard NIST (PQC) Direct PDF of the finalized ML-DSA signature standard. 65-page PDF
2022 CNSA Suite 2.0 (National Security Mandate) NSA Mandates the transition for all US National Security Systems to PQC by 2035. 21-page PDF
2025 CISA Insights: Preparing Critical Infrastructure CISA / DHS Roadmap for 16 sectors (Energy, Finance, etc.) to defend against "Harvest Now, Decrypt Later." 3-page PDF
2021 SoK (Systemization of Knowledge): How (not) to Design and Implement Post-Quantum Cryptography Howe, Prest, and Apon Post-quantum cryptography has known a Cambrian explosion in the last decade. What started as a very theoretical and mathematical area has now evolved into a sprawling research field, complete with side-channel resistant embedded implementations, large scale deployment tests and standardization efforts. This study systematizes the current state of knowledge on post-quantum cryptography. Compared to existing studies, we adopt a transversal point of view and center our study around three areas: (i) paradigms, (ii) implementation, (iii) deployment. Our point of view allows us to cast almost all classical and post-quantum schemes into just a few paradigms. We highlight trends, common methodologies, and pitfalls to look for and recurrent challenges. 42-page PDF

Internet RFC (cryptography-related)

A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or groups of engineers and computer scientists in the form of a memorandum describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems. It is submitted either for peer review or to convey new concepts, information, or, occasionally, engineering humor.

1. Internet RFC: Core Cryptographic Primitives

RFC Number Date Title URL
RFC 1321 April 1992 The MD5 Message-Digest Algorithm (Legacy/Insecure) 21-page PDF
RFC 4880 Nov 2007 OpenPGP Message Format (Email & Identity Encryption) 90-page PDF
RFC 6234 May 2011 US Secure Hash Algorithms (SHA and SHA-based HMAC) 127-page PDF
RFC 8017 Nov 2016 PKCS #1: RSA Cryptography Specifications Version 2.2 78-page PDF
RFC 7748 Jan 2016 Elliptic Curves for Security (Curve25519 and Curve448) 22-page PDF
RFC 8032 Jan 2017 Edwards-Curve Digital Signature Algorithm (EdDSA) 60-page PDF
RFC 9380 Aug 2023 Hashing to Elliptic Curves (Deterministic mapping) Many cryptographic protocols require a procedure that encodes an arbitrary input, e.g., a password, to a point on an elliptic curve. This procedure is known as hashing to an elliptic curve, where the hashing procedure provides collision resistance and does not reveal the discrete logarithm of the output point. Prominent examples of cryptosystems that hash to elliptic curves include password-authenticated key exchanges, Identity-Based Encryption, Boneh-Lynn-Shacham signatures, Verifiable Random Functions, and Oblivious Pseudorandom Functions. Unfortunately for implementors, the precise hash function that is suitable for a given protocol implemented using a given elliptic curve is often unclear from the protocol's description. Meanwhile, an incorrect choice of hash function can have disastrous consequences for security. This document aims to bridge this gap by providing a comprehensive set of recommended algorithms for a range of curve types. Each algorithm conforms to a common interface: it takes as input an arbitrary-length byte string and produces as output a point on an elliptic curve. 145-page PDF

2. Internet RFC: Public Key Infrastructure (PKI)

RFC Number Date Title URL
RFC 5280 May 2008 X.509 PKI Certificate and CRL Profile 151-page PDF
RFC 6960 June 2013 X.509 Internet PKI Online Certificate Status Protocol (OCSP) 41-page PDF
RFC 8555 March 2019 ACME Protocol (Automated Certificate Management) 95-page PDF

3. Internet RFC: Major Security Protocols

RFC Number Date Title URL
RFC 4301 Dec 2005 Security Architecture for the Internet Protocol (IPsec) 101-page PDF
RFC 7296 Oct 2014 Internet Key Exchange Protocol Version 2 (IKEv2) 142-page PDF
RFC 8446 Aug 2018 The Transport Layer Security (TLS) Protocol Version 1.3 160-page PDF

4. Internet RFC: Best Practices & Post-Quantum

RFC Number Date Title URL
RFC 4086 June 2005 Randomness Requirements for Security 48-page PDF
RFC 7696 Nov 2015 Guidelines for Cryptographic Algorithm Agility 19-page PDF
RFC 9858 Oct 2025 Parameter Sets for HSS/LMS Hash-Based Signatures (PQC) 25-page PDF

XKCD: Cryptography & Security

Wikipedia page about XKCD
Comic # Title The "Core Truth" URL
XKCD 538 Security The very famous "Wrench" comic. Explains that a $5 wrench (rubber-hose cryptanalysis) is more effective than a $1M RSA crack. XKCD 538
XKCD 936 Password Strength Introduces "correcthorsebatterystaple"—arguing that length and entropy beat complex character substitutions. XKCD 936
XKCD 1181 Encryption A look at the frustration of PGP/GPG and the difficulty of secure key exchange for average users. XKCD 1181
XKCD 1354 Heartbleed The definitive visual explanation of the OpenSSL Heartbleed buffer over-read vulnerability. XKCD 1354
XKCD 1553 Public Key A joke about the literal interpretation of "Public Keys" being kept in public places. XKCD 1553
XKCD 1286 Encrypted A humorous take on the realization that "encrypted" doesn't always mean "secure" if the password is "1234". XKCD 1286
XKCD 2030 Voting Software A scathing look at why cryptographers and engineers don't trust electronic voting. XKCD 2030

RFCs directly related to XKCD Comics

XKCD # Related RFC Connection URL
XKCD 936 RFC 4086 The technical standard for calculating the "Entropy" bits shown in the comic. RFC 4086 / XKCD 936
XKCD 936 RFC 7997 Explicitly uses "Correct Horse Battery Staple" as a sample password. RFC 7997 / XKCD 936
XKCD 1181 RFC 4880 Defines the "BEGIN PGP" headers and ASCII armor blocks shown in the panels. RFC 4880 / XKCD 1181
XKCD 1354 RFC 6520 Defines the TLS Heartbeat Extension—the specific code that contained the "Heartbleed" bug. RFC 6520 / XKCD 1354

Periodicals

Periodical Description Access
Cryptologia [quoting Wikipedia] "Cryptologia is a journal in cryptography published six times per year since January 1977. Its remit is all aspects of cryptography, with a special emphasis on historical aspects of the subject. The founding editors were Brian J. Winkel, David Kahn, Louis Kruh, Cipher A. Deavours and Greg Mellen. The current Editor-in-Chief is Craig Bauer. The journal was initially published at the Rose-Hulman Institute of Technology. In July 1995, it moved to the United States Military Academy, and was then published by Taylor & Francis since the January 2006 issue (Volume 30, Number 1)." [self-described as] "Only scholarly journal in the world dealing with all aspects of cryptology such as the history, technology and effects of communications intelligence." Link
Journal of Cryptology [quoting Wikipedia] "The Journal of Cryptology (ISSN 0933-2790) is a scientific journal in the field of cryptology and cryptography. The journal is published quarterly by the International Association for Cryptologic Research (IACR). Its editor-in-chief is Vincent Rijmen." IACR members can access JoC articles for free. The Journal of Cryptology started with volume 1 in 1988, and currently consists of four issues per year. It is published by Springer. IACR members receive a subscription to the Journal of Cryptology. Subscriptions are available to non-members directly from Springer. Link
Crypto-Gram Newsletter "Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology." Crypto-Gram is a free monthly email digest of posts from Bruce Schneier’s Schneier on Security blog. Link / Crypto-Gram Archives
IACR Cryptology ePrint Archive The Cryptology ePrint Archive provides rapid access to recent research in cryptology. Papers have been placed here by the authors and did not undergo any refereeing process other than verifying that the work seems to be within the scope of cryptology and meets some minimal acceptance criteria and publishing conditions. Link
arXiv [Quoting Wikipedia] "arXiv (pronounced as "archive"—the X represents the Greek letter chi) is an open-access repository of electronic preprints and postprints (known as e-prints) approved for posting after moderation, but not peer reviewed. It consists of scientific papers in the fields of mathematics, physics, astronomy, electrical engineering, computer science, quantitative biology, statistics, mathematical finance, and economics, which can be accessed online. In many fields of mathematics and physics, almost all scientific papers are self-archived on the arXiv repository before publication in a peer-reviewed journal. Some publishers also grant permission for authors to archive the peer-reviewed postprint. Begun on August 14, 1991, arXiv.org passed the half-million-article milestone on October 3, 2008, had hit a million by the end of 2014 and two million by the end of 2021. As of November 2024, the submission rate is about 24,000 articles per month." arXiv Cryptography and Security

Encryption Products and CMVP (Cryptographic Module Validation Program)

See also Hoffman's 1999 report and Schneier's 2016 report, both of which are included in the "First Crypto War" section, above.

Year Publication / PDF Author Significance Access
2006 Cryptographic Processors: A Survey Ross Anderson & S. Skorobogatov The definitive guide to hardware security modules (HSMs). A technical history of "tamper-resistant" crypto hardware, from military cipher machines to modern smartcards and ATM PIN pads. 19-page PDF
2024 Commercial Solutions for Classified (CSfC) List National Security Agency The "Approved" list for hardware and software encryption. NSA's official list of commercial products (VPNs, WLAN, File Encryption) that are approved for protecting classified data. WEB ARCHIVE
2024 FIPS 140-3 Cryptographic Module Manual NIST / CMVP The rulebook for validating every modern crypto product. Defines the security requirements for any "Validated" hardware/software product (Level 1 to Level 4). 90-page PDF
Cryptographic Module Validation Program CMVP Entropy Source Validation Search You can search on the following fields:
  • Certificate Number
  • Vendor
  • Implementation Name
  • Description
  • Noise Source Classification (All, Physical, Non-Physical)
  • Reuse Status (All, Open for Reuse, Reuse restricted to vendor)
  • Validation Date (from, to)
CMVP Search
Examples from the CMVP Validation Search (above)
Entropy Certificate #E4 Cisco Systems The Cisco TRNG Core, running on the TAm 2.0 chip 8-page PDF
Entropy Certificate #E10 DocuSign Quantis IDQ6MC1 chip 12-page PDF
Entropy Certificate #E14 Apple Apple corecrypto physical entropy source 9-page PDF
Entropy Certificate #E27 AMD ring oscillators 9-page PDF
Entropy Certificate #E63 ID QUANTIQUE SA IDQ QRNG Chip 27-page PDF
Entropy Certificate #E81 Samsung Electronics Samsung TRNG 6-page PDF
Entropy Certificate #E102 Rambus EIP130 TRNG Entropy Source 6-page PDF
Entropy Certificate #E179 Intel Intel® DRNG 4 Entropy Source 17-page PDF
Entropy Certificate #E201 Nvidia Nvidia Random Number Generator (NVRNG) 13-page PDF
Entropy Certificate #E306 Intel Intel® Digital Random Number Generator SP800-90B 16-page PDF

Cipher Machines and Devices

Year Name Image Description & Strength Wikipedia
c. 486 BC Scytale Scytale A Spartan transposition cipher using a wooden staff. Strength: Very weak; security relies entirely on the secrecy of the cylinder's diameter. Wikipedia
1467 Alberti Disk Alberti Disk The first polyalphabetic cipher device. Strength: Strong for the Renaissance; it defeated simple frequency analysis by using multiple alphabets. Wikipedia
c. 1795 Jefferson Disk Jefferson Disk A wheel cipher using 36 disks. Strength: High; it was secure enough to be reinvented as the M-94 and used by the US until WWII. Wikipedia
1870 Wheatstone Cryptograph Wheatstone Cryptograph Principal parts of the Wheatstone Cryptograph. The large upper gear has 27 teeth and the lower gear has 26 teeth. Both gears intermesh with the small gear so that the large, lower gear goes around one revolution plus one character (27 total characters) for every revolution of the upper gear. The upper gear is fixed to the axle, which is also attached to the large hand. The lower gear has an inner protrusion that attaches to the small hand. Website
1917 Hebern Rotor Hebern Machine The first electromechanical rotor machine. Strength: Moderate; vulnerable to statistical methods if the rotor wiring is known or guessed. Wikipedia
1922 M-94 Cipher Device M-94 The M-94 was cryptographic equipment used by the United States Army, consisting of several lettered discs arranged as a cylinder. It was also employed by the US Navy, under the name CSP 488. The device was conceived by Colonel Parker Hitt and then developed by Major Joseph Mauborgne in 1917; based on a system invented by Thomas Jefferson and Etienne Bazeries. Officially adopted in 1922, it remained in use until circa 1942, when it was replaced by more complex and secure electromechanical rotor machines, particularly the M-209. Wikipedia
1923 Enigma Enigma German rotor machine with a plugboard. Strength: High but flawed; its "no-self-encipherment" rule was a critical mathematical weakness. Wikipedia
1937 Typex Typex British version of the Enigma with extra rotors. Strength: Very high; significantly more secure than German models and never broken during the war. Wikipedia
1930 Japanese RED (Type A) RED Japanese diplomatic machine based on the Kryha principle. Strength: Moderate; broken by the US using manual "linguistic" cryptanalysis. Wikipedia
1939 Japanese PURPLE (Type B) PURPLE High-level Japanese machine using telephone stepping switches. Strength: Very High; broken only after the US built a mechanical "analog" from scratch. Wikipedia
1939 M-209 M-209 Portable mechanical field device by Hagelin. Strength: Tactical; it provided field-grade security that was breakable but time-consuming. Wikipedia
1940 SIGABA SIGABA US high-level rotor system with complex stepping. Strength: Extremely high; it remained completely unbroken by Axis powers. Wikipedia
1940 Lorenz SZ40 Lorenz SZ42 German teleprinter stream cipher. Strength: Exceptional; broken by Bletchley Park using the Colossus computer. Wikipedia
1943 SIGSALY (Speech Scrambler) SIGSALY SIGSALY (also known as the X System, Project X, Ciphony I, and the Green Hornet) was a secure speech system used in World War II for the highest-level Allied communications. It pioneered a number of digital communications concepts, including the first transmission of speech using pulse-code modulation. The name SIGSALY was not an acronym, but a cover name that resembled an acronym—the SIG part was common in Army Signal Corps names (e.g., SIGABA). The prototype was called the "Green Hornet" after the radio show The Green Hornet, because it sounded like a buzzing hornet, resembling the show's theme tune, to anyone trying to eavesdrop on the conversation. Wikipedia
1947 NEMA NEMA Swiss post-war Enigma variant with 10 rotors. Strength: Stronger than wartime Enigma due to irregular rotor stepping mechanisms. Wikipedia
1952 KL-7 (ADONIS) KL-7 Offline rotor machine for US/NATO. Strength: Very high; used for Top Secret traffic until the early 1980s. Wikipedia
1956 Fialka Fialka Fialka (M-125) is the name of a Cold War-era Soviet cipher machine. A rotor machine, the device uses 10 rotors, each with 30 contacts along with mechanical pins to control stepping. It also makes use of a punched card mechanism. Fialka means "violet" in Russian. Information regarding the machine was quite scarce until c. 2005 because the device had been kept secret. Wikipedia
c. 1970 Datotek DH-26 Datotek DH-26 DH-26 was an electronic handheld cipher machine, for the encryption and decryption of text-based messages, developed by Datotek in Dallas (Texas, USA) in 1977, and introduced in April 1978. It was one of the first electronic microprocessor-based pocket encryption devices. It is housed in a plastic case and is quite similar to the pocket calculators of the era, such as the ones from HP. CryptoMuseum

If you are interested in cipher machines and devices, a virtual trip to the Crypto Museum website (described in more detail below) is highly recommended.

The Crypto Museum website is a virtual museum in The Netherlands, that can only be visited on the internet. However, we do have a physical collection, and regularly organise exhibitions, events and lectures, in cooperation with other organisations. The main goal of Crypto Museum is to preserve history. This is done by collecting, restoring and describing historical cipher machines – such as the well-known Enigma machine – spy radio sets, intercept receivers and other espionage-related items. For a detailed explanation of why we do this, please read our mission statement. Many of the items described on this website are part of the Crypto Museum collection, but some have only crossed our path briefly, or are impossible to obtain. Whenever possible, we have tried to describe the equipment to the best of our abilities. Crypto Museum website

Foundational Cryptographic Patents (USA)

Year Patent No. Invention / Machine Inventor(s) Access
NSA Patent Portfolio - Technology Transfer Program (2019, version 6) 56-page PDF
1900 US 657,586 Cipher Code System (Telegraphic Compression) Elmer Cassel 4-page PDF
1917 US 1,310,719 Secret Signaling System (Vernam Cipher) Gilbert Vernam 8-page PDF
1919 US 1,310,719 Secret Signaling System (Vernam Cipher / One-Time Pad) Gilbert S. Vernam 8-page PDF
1924 US 1,510,441 Electric Coding Machine (The First Rotor Machine) Edward H. Hebern 20-page PDF
1928 US 1,657,411 Ciphering Machine (The Enigma Machine) Arthur Scherbius 7-page PDF
1932 US 1,845,947 Mechanical Message Protector (The Hill Cipher Machine) Lester S. Hill 10-page PDF
1944 (filed) / 1959 (issued) US 2,877,565 "Electrical Cryptograph" by William F. Friedman
Filing Date: August 11, 1944. Issue Date: March 17, 1959. Why the 15-Year Delay?
While Friedman filed the application in 1944 (at the height of WWII), the patent was immediately placed under a Secrecy Order. Even though the M-325 was discontinued in 1946 due to operational reliability issues, the underlying cryptographic principles and rotor designs were considered too sensitive for public disclosure. The Secrecy Order was not lifted until the late 1950s, allowing the patent to finally be granted in 1959. This patent is the legal "blueprint" for the hardware discussed in SRH-007 and SRH-010. While the SRH documents focus on the history and use of the machine, the patent provides the actual mechanical and electrical diagrams of how the rotors stepped and the circuits completed.
7-page PDF
1960 US 2,964,856 Cryptographic Device (SIGABA / ECM Mark II) Friedman, et al. 5-page PDF
1980 US 4,200,770 Cryptographic Apparatus and Method (Diffie-Hellman) Hellman, Diffie, & Merkle 10-page PDF
1983 US 4,405,829 Cryptographic Communications System (RSA) Rivest, Shamir, & Adleman 20-page PDF
1991 US 4,995,082 Method for Identifying Subscribers and Verifying Electronic Signatures (Schnorr Signature) Claus P. Schnorr 11-page PDF
1996 US 5,732,138 Method for seeding a pseudo-random number generator with a cryptographic hash of a digitization of a chaotic system [Cloudflare LavaRand] Landon Curt Noll, Robert G. Mende, Sanjeev Sisodiya 12-page PDF
2000 US 6,081,597 Public Key Cryptosystem (NTRU - First Lattice PQC) Hoffstein, Pipher, Silverman 41-page PDF
2013 US 8,515,058 Fully Homomorphic Encryption (Gentry's FHE) Craig B. Gentry 48-page PDF
2016 US 9,246,675 Cryptographic Systems using Pairing with Errors (LWE) Jintai Ding 11-page PDF

Amazon Books

Year Title Author Stars (reviews) as of 2026 Brief Description Link
1967 The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet David Kahn 4.6 stars
(249 reviews)
The classic 1,000-page historical epic of secret communication, from ancient times to the Cold War. Personally recommended -- was my introduction to cryptology. Amazon
2021 Real-World Cryptography David Wong 4.6 stars
(95 reviews)
Focuses on the cryptographic techniques that drive web APIs, secure messaging, and blockchain technologies. Full disclosure: I was one of 81 reviewers of draft chapters of David's book, providing feedback prior to publication. Amazon
2020 Security Engineering (Third Edition 2020) Ross Anderson 4.8 stars
(255 reviews)
Chapters can also be individually downloaded for free, see above. Amazon
eTextbook or Hardcover
1996 Applied Cryptography Bruce Schneier 4.5 stars
(133 reviews)
Commonly known as the "Bible of Cryptography," it provides a comprehensive survey of modern protocols and algorithms. Amazon
2018 Random Number Generators - Principles and Practices: A Guide for Engineers and Programmers David Johnston 5.0 stars
(12 reviews)
Random Number Generators, Principles and Practices has been written for programmers, hardware engineers, and sophisticated hobbyists interested in understanding random numbers generators and gaining the tools necessary to work with random number generators with confidence and knowledge. Using an approach that employs clear diagrams and running code examples rather than excessive mathematics, random number related topics such as entropy estimation, entropy extraction, entropy sources, PRNGs, randomness testing, distribution generation, and many others are exposed and demystified. This book was recommended to me by Christopher Bell, and I, in turn, recommend to you. Amazon
1999 The Code Book Simon Singh 4.6 stars
(2,197 reviews)
A gripping historical narrative that traces the evolution of secrecy from Mary, Queen of Scots, to quantum crypto. Amazon
2010 Cryptography Engineering Niels Ferguson, et al. 4.6 stars
(205 reviews)
A practical guide focused on the "how-to" of implementing secure systems without making common design errors. Amazon
2017 Serious Cryptography (First Edition) Jean-Philippe Aumasson 4.7 stars
(432 reviews)
A modern, practical introduction to encryption, covering everything from hash functions to post-quantum crypto. Amazon
2024 Serious Cryptography (Second Edition) Jean-Philippe Aumasson 4.5 stars
(48 reviews)
This thoroughly revised and updated edition of the bestselling introduction to modern cryptography breaks down fundamental mathematical concepts without shying away from meaty discussions of how they work. In this practical guide, you’ll gain immeasurable insight into topics like authenticated encryption, secure randomness, hash functions, block ciphers, and public-key techniques such as RSA and elliptic curve cryptography. You’ll find coverage of topics like:
  • The basics of computational security, attacker models, and forward secrecy
  • The strengths and limitations of the TLS protocol behind HTTPS secure websites
  • Quantum computation and post-quantum cryptography
  • How algorithms like AES, ECDSA, Ed25519, Salsa20, and SHA-3 work
  • Advanced techniques like multisignatures, threshold signing, and zero-knowledge proofs
Amazon
2018 History of Cryptography and Cryptanalysis: Codes, Ciphers, and Their Algorithms John F. Dooley 4.6 stars
(11 reviews)
This is how Prof. Dooley starts out his Chapter 10 on page 167, and I think this praise is well deserved: “Modern cryptology rests on the shoulders of three men of rare talents. William Friedman, Lester Hill, and Claude Shannon moved cryptology from an esoteric, mystical, strictly linguistic realm into the world of mathematics and statistics. Once Friedman, Hill, and Shannon placed cryptology on firm mathematical ground, other mathematicians and computer scientists developed the new algorithms to do digital encryption in the computer age.” Amazon
1982 The Puzzle Palace James Bamford 4.3 stars
(360 reviews)
The groundbreaking book that first pulled back the curtain on the NSA's existence, headquarters, and global eavesdropping. Amazon
2001 Body of Secrets James Bamford 4.4 stars
(407 reviews)
A massive follow-up detailing the NSA's history from the Cold War through the 1990s, including the USS Liberty incident. Amazon
2008 The Shadow Factory James Bamford 4.3 stars
(413 reviews)
Examines the NSA's transformation after 9/11 and the build-out of the massive data centers used for domestic surveillance. Amazon
2023 Spyfail James Bamford 4.2 stars
(198 reviews)
A modern look at the "collapse" of U.S. counterintelligence and how foreign powers have successfully infiltrated American systems. Amazon
2011 Ghost in the Wires Kevin Mitnick 4.5 stars
(4,430 reviews)
The thrilling memoir of the world’s most famous hacker and his high-stakes game of cat-and-mouse with the FBI. Amazon
2021 The Art of Invisibility Kevin Mitnick 4.5 stars
(2,757 reviews)
A proactive guide to digital privacy, teaching how to protect your data in an age of constant surveillance. Amazon
2009 Understanding Cryptography: A Textbook for Students and Practitioners Paar & Pelzl 4.6 stars
(408 reviews)
Highly recommended for students; it breaks down complex math into accessible, modular lessons for engineers. Amazon
2014 Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Kim Zetter 4.5 stars
(2,387 reviews)
The definitive account of the Stuxnet virus—the world's first digital weapon used for physical destruction. Amazon
2020 Sandworm Andy Greenberg 4.6 stars
(3,170 reviews)
A terrifying look at the Kremlin’s most dangerous hackers and the new era of global cyber warfare. Amazon
1990 The Cuckoo's Egg Cliff Stoll 4.6 stars
(3,137 reviews)
The true story of an astronomer who caught a Soviet-backed hacker by tracking a 75-cent accounting error. Amazon
2019 The Woman Who Smashed Codes Jason Fagone 4.5 stars
(6,672 reviews)
The biography of Elizebeth Smith Friedman, the unsung heroine who pioneered modern cryptanalysis. Also the wife of William F. Friedman. Amazon
2020 Cryptography: The Key to Digital Security Keith M. Martin 4.4 stars
(85 reviews)
A non-technical explanation of how cryptography protects our everyday digital lives. Amazon
2023 Cryptography and Network Security (8th Edition) William Stallings 4.4 stars
(61 reviews)
The most widely used university textbook, balancing mathematical theory with practical network defense. Available in two versions:
  • US: The standard North American university text. Includes full-color diagrams and the default end-of-chapter problem sets.
  • Global: The authorized international adaptation (e.g. metric units). Features the same core theory but with updated case studies and global formatting.
US version / Global version
2019 Code Girls Liza Mundy 4.4 stars
(6,743 reviews)
The untold story of the 10,000 American women who moved to D.C. to crack Axis codes during WWII. Amazon
2001 Crypto Steven Levy 4.6 stars
(196 reviews)
The narrative history of the "Crypto Rebels" who fought the government to make strong encryption public. Amazon
2011 Hacking: The Art of Exploitation Jon Erickson 4.6 stars
(1,574 reviews)
A technical deep-dive into how exploits work, emphasizing the creative problem-solving side of security. Amazon
2024 Modern Cryptography: The Practical Guide to Securing Data Sandip Dholakia 4.5 stars
(7 reviews)
Security professionals, you know encryption is essential to protect your data. In this book, learn about the fundamental concepts of cryptography—and then apply them! Explore algorithms for symmetric and asymmetric cryptography and see how to use encryption strategies to enforce storage and network security. Put modern cryptography principles to work in real-world scenarios: cloud environments, cryptocurrency, artificial intelligence, quantum computing, and more. Build the cryptography skills you need to manage today’s security threats!
  • Use symmetric and asymmetric cryptography to protect your data
  • Work with hash functions, digital signatures, MAC, PKI, and encryption key management
  • Learn about homomorphic encryption, post-quantum encryption, cloud encryption, and other applications of modern cryptography
Amazon
2025 Post-Quantum Ready: The Executive Guide to Surviving Cryptographic Collapse and Building a Crypto-Agile Future Elizabeth Green 5.0 stars
(1 review)
Are your encryption systems ready for the quantum era?
Quantum computing threatens to expose your data by breaking the cryptographic foundation of every modern business—and faster than most leaders realize. In Post-Quantum Ready, cybersecurity strategist and Fast Company contributor Elizabeth Green delivers a clear, actionable guide for C-level executives, CISOs, and security leaders preparing for Q-Day: the day quantum computers make today’s encryption obsolete. Whether you’re a cybersecurity leader, technology executive, policy advisor, or forward-thinking board member, this book delivers the strategic insight and practical steps needed to protect your organization in the post-quantum future.
Amazon
2020 Cryptography: The Key to Digital Security, How It Works, and Why It Matters Keith Martin 4.4 stars
(85 reviews)
A nuts-and-bolts explanation of cryptography from a leading expert in information security. Despite its reputation as a language only of spies and hackers, cryptography plays a critical role in our everyday lives. Though often invisible, it underpins the security of our mobile phone calls, credit card payments, web searches, internet messaging, and cryptocurrencies―in short, everything we do online. Increasingly, it also runs in the background of our smart refrigerators, thermostats, electronic car keys, and even the cars themselves. As our daily devices get smarter, cyberspace―home to all the networks that connect them ― grows. Amazon
1998 Selections from Cryptologia: History, People, and Technology Cipher A. Deavours, Louis Kruh, David Kahn, Editor Greg Mellen, Editor Brian J. Winkel 5.0 stars
(3 reviews)
This is a collection of articles and professional papers from Cryptologia, a journal which focuses on the history and technology of cryptology. The volume offers personal accounts of crypto personalities, scholarly papers on the origins of cryptology, the inadequacy of cryptanalysis, and much more. Articles from Historica include: the unsolved messages of Pearl Harbor; Roosevelt, MAGIC and ULTRA; and diplomatic cryptanalysis in World War II. Articles from Technologia include: Viet Cong SIGINT and US army COMSEC in Vietnam; a World War II German radio army field cipher and how it was broken; and information on the history of the Siemens and Halske T52 cipher machines. Amazon

Glossary (Terms and Definitions)

Note: the initial version of this Glossary was copied from NIST SP 800-90A "Deterministic Random Bit Generators" (pages 3-10), and NIST SP 800-90B Recommendation for the Entropy Sources used for Random Bit Generation (pages 60-66).
Term Definition
AES Advanced Encryption Standard, as specified in [FIPS 197]
Algorithm A clearly specified mathematical process for computation; a set of rules that, if followed, will give a prescribed result.
Approved FIPS-approved, NIST-Recommended and/or validated by the Cryptographic Algorithm Validation Program (CAVP).
Approved entropy source An entropy source that has been validated as conforming to [SP 800-90B].
Backtracking Resistance An RBG provides backtracking resistance relative to time T if it provides assurance that an adversary that has knowledge of the state of the RBG at some time(s) subsequent to time T (but incapable of performing work that matches the claimed security strength of the RBG) would be unable to distinguish between observations of ideal random bitstrings and (previously unseen) bitstrings that are output by the RBG at or prior to time T. In particular, an RBG whose design allows the adversary to "backtrack" from the initially-compromised RBG state(s) to obtain knowledge of prior RBG states and the corresponding outputs (including the RBG state and output at time T) would not provide backtracking resistance relative to time T. (Contrast with prediction resistance.)
Biased A value that is chosen from a sample space is said to be biased if one value is more likely to be chosen than another value. Contrast with unbiased.
Bitstring A bitstring is an ordered sequence of 0’s and 1’s.
Bitwise Exclusive-Or An operation on two bitstrings of equal length that combines corresponding bits of each bitstring using an exclusive-or operation.
Block Cipher A symmetric-key cryptographic algorithm that transforms one block of information at a time using a cryptographic key. For a block cipher algorithm, the length of the input block is the same as the length of the output block.
Consuming Application The application (including middleware) that uses random numbers or bits obtained from an approved random bit generator.
Cryptographic Key (Key) A parameter that determines the operation of a cryptographic function, such as:
1. The transformation from plaintext to ciphertext and vice versa,
2. The generation of keying material, or
3. A digital signature computation or verification
Deterministic Algorithm An algorithm that, given the same inputs, always produces the same outputs.
Deterministic Random Bit Generator (DRBG) An RBG that includes a DRBG mechanism and (at least initially) has access to a randomness source. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator. Contrast with NRBG.
DRBG Mechanism The portion of an RBG that includes the functions necessary to instantiate and uninstantiate the RBG, generate pseudorandom bits, (optionally) reseed the RBG and test the health of the DRBG mechanism.
DRBG Mechanism Boundary A conceptual boundary that is used to explain the operations of a DRBG mechanism and its interaction with and relation to other processes.
Entropy A measure of the disorder, randomness or variability in a closed system. Min-entropy is the measure used in this Recommendation.
Entropy Input An input bitstring that provides an assessed minimum amount of unpredictability for a DRBG mechanism. (See min-entropy.)
Entropy Source A combination of a noise source (e.g., thermal noise or hard drive seek times), health tests, and an optional conditioning component. The entropy source produces random bitstrings to be used by an RBG.
Equivalent Process Two processes are equivalent if, when the same values are input to each process, the same output is produced.
Exclusive-or A mathematical operation; the symbol ⊕, defined as:
0 ⊕ 0 = 0
1 ⊕ 0 = 1
0 ⊕ 1 = 1
1 ⊕ 1 = 0
Equivalent to binary addition without carry.
FIPS Federal Information Processing Standard.
Fresh Entropy A bitstring output from an entropy source, an NRBG or a DRBG that has access to a Live Entropy Source that is being used to provide prediction resistance.
Full Entropy For the purposes of this Recommendation, a source of full-entropy bitstrings serves as a practical approximation to a source of ideal random bitstrings of the same length (see ideal random sequence).
Hash Function A (mathematical) function that maps values from a large (possibly very large) domain into a smaller range. The function satisfies the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output;
2. (Collision free) It is computationally infeasible to find any two distinct inputs that map to the same output.
Health Testing Testing within an implementation immediately prior to or during normal operation to determine that the implementation continues to perform as implemented and as validated.
HMAC Keyed-Hash Message Authentication Code, as specified in [FIPS 198].
Ideal Random Bitstring See Ideal Random Sequence. (below)
Ideal Random Sequence Each bit of an ideal random sequence is unpredictable and unbiased, with a value that is independent of the values of the other bits in the sequence. Prior to the observation of the sequence, the value of each bit is equally likely to be 0 or 1, and the probability that a particular bit will have a particular value is unaffected by knowledge of the values of any or all of the other bits. An ideal random sequence of n bits contains n bits of entropy.
IID Independent and Identically Distributed. A quality of a sequence of random variables where each element of the sequence has the same probability distribution as the other elements, and all elements are mutually independent.
Implementation An implementation of an RBG is a cryptographic device or portion of a cryptographic device that is the physical embodiment of the RBG design, for example, some code running on a computing platform.
Implementation Testing for Validation Testing by an independent and accredited party to ensure that an implementation of this Recommendation conforms to the specifications of this Recommendation.
Instantiation of an RBG An instantiation of an RBG is a specific, logically independent, initialized RBG. One instantiation is distinguished from another by a “handle” (e.g., an identifying number).
Internal State The collection of stored information about a DRBG instantiation. This can include both secret and non-secret information. Compare to working state.
Key See Cryptographic Key. (above)
Live Entropy Source An approved entropy source (see [SP 800-90B]) that can provide an RBG with bits having a specified amount of entropy immediately upon request or within an acceptable amount of time, as determined by the user or application relying upon that RBG.
Min-entropy The min-entropy (in bits) of a random variable X is the largest value m having the property that each observation of X provides at least m bits of information (i.e., the min-entropy of X is the greatest lower bound for the information content of potential observations of X). The min-entropy of a random variable is a lower bound on its entropy. The precise formulation for min-entropy is −log2(max_i p_i) for a discrete distribution having n possible outputs with probabilities p_1, …, p_n. Min-entropy is often used as a worst-case measure of the unpredictability of a random variable. Also see [SP 800-90B].
NIST National Institute of Standards and Technology.
Non-Deterministic Random Bit Generator (Non-deterministic RBG) (NRBG) An RBG that always has access to an entropy source and (when working properly) produces output bitstrings that have full entropy. Often called a True Random Number (or Bit) Generator. (Contrast with a deterministic random bit generator).
Nonce A time-varying value that has at most a negligible chance of repeating, e.g., a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
Personalization String An optional string of bits that is combined with a secret entropy input and (possibly) a nonce to produce a seed.
Prediction Resistance An RBG provides prediction resistance relative to time T if it provides assurance that an adversary with knowledge of the state of the RBG at some time(s) prior to T (but incapable of performing work that matches the claimed security strength of the RBG) would be unable to distinguish between observations of ideal random bitstrings and (previously unseen) bitstrings output by the RBG at or subsequent to time T. In particular, an RBG whose design allows the adversary to step forward from the initially compromised RBG state(s) to obtain knowledge of subsequent RBG states and the corresponding outputs (including the RBG state and output at time T) would not provide prediction resistance relative to time T. (Contrast with backtracking resistance.)
Pseudorandom A process (or data produced by a process) is said to be pseudorandom when the outcome is deterministic, yet also effectively random, as long as the internal action of the process is hidden from observation. For cryptographic purposes, “effectively” means “within the limits of the intended cryptographic strength.”
Pseudorandom Number Generator See Deterministic Random Bit Generator.
Random Number For the purposes of this Recommendation, a value in a set that has an equal probability of being selected from the total population of possibilities and, hence, is unpredictable. A random number is an instance of an unbiased random variable, that is, the output produced by a uniformly distributed random process.
Random Bit Generator (RBG) A device or algorithm that outputs a sequence of binary bits that appears to be statistically independent and unbiased. An RBG is either a DRBG or an NRBG.
Randomness Source A component of a DRBG (which consists of a DRBG mechanism and a randomness source) that outputs bitstrings that are used as entropy input by the DRBG mechanism. The randomness source can be an entropy source or an RBG.
Reseed To acquire additional bits that will affect the internal state of the DRBG mechanism.
Secure Channel A path for transferring data between two entities or components that ensures confidentiality, integrity and replay protection, as well as mutual authentication between the entities or components. The secure channel may be provided using approved cryptographic, physical or procedural methods, or a combination thereof. Sometimes called a trusted channel.
Security Strength A number associated with the amount of work (that is, the number of operations of some sort) that is required to break a cryptographic algorithm or system in some way. In this Recommendation, the security strength is specified in bits and is a specific value from the set {112, 128, 192, 256}. If the security strength associated with an algorithm or system is S bits, then it is expected that (roughly) 2^S basic operations are required to break it.
Seed Noun: A string of bits that is used as input to a DRBG mechanism. The seed will determine a portion of the internal state of the DRBG, and its entropy must be sufficient to support the security strength of the DRBG. Verb: To acquire bits with sufficient entropy for the desired security strength. These bits will be used as input to a DRBG mechanism to determine a portion of the initial internal state. Also see reseed.
Seedlife The length of the seed period.
Seed Period The period of time between instantiating or reseeding a DRBG with one seed and reseeding that DRBG with another seed.
Sequence An ordered set of quantities.
Shall Used to indicate a requirement of this Recommendation. "Shall" may be coupled with "not" to become "shall not."
Should Used to indicate a highly desirable feature for a DRBG mechanism that is not necessarily required by this Recommendation. "Should" may be coupled with "not" to become "should not."
Source of Randomness See Randomness Source.
String See Bitstring.
Unbiased A value that is chosen from a sample space is said to be unbiased if all potential values have the same probability of being chosen. Contrast with biased.
Uninstantiate The termination of a DRBG instantiation.
Unpredictable In the context of random bit generation, an output bit is unpredictable if an adversary has only a negligible advantage (that is, essentially not much better than chance) in predicting it correctly.
Working State A subset of the internal state that is used by a DRBG mechanism to produce pseudorandom bits at a given point in time. The working state (and thus, the internal state) is updated to the next state prior to producing another string of pseudorandom bits.
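The glossary entries for min-entropy, biased/unbiased, IID and seed give the definitions but no numbers. The Python example below is added here to put numbers to them; it is not code from NIST SP 800-90A/B or from this compendium. It computes min-entropy (−log2 of the most likely outcome) next to Shannon entropy for a uniform and a skewed distribution, estimates the empirical min-entropy of a constructed, badly skewed "noise source" byte sample, and sizes how many such samples are needed to reach a given security strength. The sizing rule (security strength divided by per-sample min-entropy, assuming IID samples) is the example's own simplification, not a procedure from SP 800-90.

```python
# Added example: min-entropy vs. Shannon entropy, bias, and seed sizing.
# Not code from NIST SP 800-90A/B or from the compendium; the noise-source
# bytes below are constructed for illustration only.
import math
from collections import Counter
from typing import Iterable, List, Sequence


def _check_distribution(probs: Sequence[float]) -> None:
    """Reject inputs that are not a probability distribution."""
    if not probs or any(p < 0 for p in probs):
        raise ValueError("probabilities must be non-negative and non-empty")
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")


def min_entropy(probs: Sequence[float]) -> float:
    """Min-entropy in bits: -log2(max_i p_i), the glossary's definition.

    Worst-case measure: it depends only on the single most likely outcome,
    i.e. on how often an adversary's best single guess would be right."""
    _check_distribution(probs)
    return -math.log2(max(probs))


def shannon_entropy(probs: Sequence[float]) -> float:
    """Shannon entropy in bits: -sum_i p_i*log2(p_i), with 0*log2(0) = 0.

    Never smaller than min-entropy; equal only for a uniform distribution."""
    _check_distribution(probs)
    return -sum(p * math.log2(p) for p in probs if p > 0)


def is_biased(probs: Sequence[float]) -> bool:
    """Glossary: biased if one value is more likely than another."""
    _check_distribution(probs)
    return max(probs) - min(probs) > 1e-12


def empirical_distribution(samples: Iterable[int]) -> List[float]:
    """Relative frequency of each distinct symbol seen in `samples`."""
    counts = Counter(samples)
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def samples_needed(security_strength: int, min_entropy_per_sample: float) -> int:
    """Number of IID samples whose combined min-entropy reaches the target.

    Assumes independent samples (see the IID glossary entry) so that
    min-entropy adds linearly. This is the example's own sizing rule."""
    if min_entropy_per_sample <= 0:
        raise ValueError("source provides no min-entropy")
    return math.ceil(security_strength / min_entropy_per_sample)


if __name__ == "__main__":
    uniform = [0.25] * 4                 # unbiased two-bit symbol
    skewed = [0.5, 0.25, 0.125, 0.125]   # biased two-bit symbol
    for name, dist in (("uniform", uniform), ("skewed", skewed)):
        print(f"{name}: H_min={min_entropy(dist):.3f} "
              f"H={shannon_entropy(dist):.3f} biased={is_biased(dist)}")
    # Constructed noise-source output: 0x00 dominates, so the empirical
    # min-entropy per byte is far below the 8 bits a byte could carry.
    noise = bytes([0x00] * 12 + [0x01, 0x02, 0x03, 0x03])
    h_min = min_entropy(empirical_distribution(noise))
    print(f"constructed noise: H_min per byte = {h_min:.3f}")
    print("bytes needed for a 256-bit seed:", samples_needed(256, h_min))
```

The skewed distribution has 1.75 bits of Shannon entropy but only 1 bit of min-entropy, which is why SP 800-90 sizes seeds by min-entropy: the adversary's best guess is right half the time regardless of how spread out the rest of the mass is. The constructed 16-byte sample has a per-byte min-entropy of about 0.415 bits, so the sizing rule asks for 617 such bytes before a 256-bit seed is justified; an estimate from so few samples is, of course, only illustrative.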

Miscellaneous (not yet categorized)

Title Author & Year Description Access
The Signal Service in the European War of 1914-1918 Raymond Edward Priestley, 1921 Published in 1921, The Signal Service in the European War of 1914 to 1918 (France) by Raymond Edward Priestley (later Sir Raymond Priestley) is considered the definitive historical account of British military communications during the Great War. What makes it noteworthy isn't just the technical data, but its candid description of how the Signal Service evolved from a tiny, ignored branch into the "nervous system" of the entire army—often by deliberately breaking the traditional rules of the chain of command. This book is famous for documenting the transition from "Signallers as servants" to "Signallers as specialists." Priestley details how the publication of S.S. 148 was the turning point. 432-page PDF
Military Signal Corps Manual U.S. Army (1918) Detailed technical orders for telegraph/radio security and "Secret Service" signals. See pages 480-484, which cover "Telegraph Code Books and Ciphers". "Part 3" is "Technical Instruction and Apparatus", "Part 4" is "Transmission". 595-page PDF
An Historical and Analytical Bibliography of the Literature of Cryptology Joseph S. Galland (1945) "This volume is a register of the most important works that have been written, not only on the subject of cryptography, but also on its manifestations in related fields." Please note the Dedication: "This volume is dedicated to Lieutenant Colonel William F. Friedman ... as a token of appreciation for the many contributions he has made to the science of cryptology." This book is in alphabetical order by the last name of the author, and there are 4 or 5 entries per page, and this book has 209 numbered pages with entries, so between 800 and 1000 entries! 231-page PDF

And after all that work, now time for something fun, written by Vint Cerf, for Christmas 1985.

Network Working Group                                            V. Cerf
Request for Comments: 968                                            MCI
                                                           December 1985

                    'Twas the Night Before Start-up'


STATUS OF THIS MEMO

   This memo discusses problems that arise and debugging techniques used
   in bringing a new network into operation.  Distribution of this memo
   is unlimited.

DISCUSSION

   Twas the night before start-up and all through the net,
     not a packet was moving; no bit nor octet.
   The engineers rattled their cards in despair,
     hoping a bad chip would blow with a flare.
   The salesmen were nestled all snug in their beds,
     while visions of data nets danced in their heads.
   And I with my datascope tracings and dumps
     prepared for some pretty bad bruises and lumps.
   When out in the hall there arose such a clatter,
     I sprang from my desk to see what was the matter.

   There stood at the threshold with PC in tow,
     An ARPANET hacker, all ready to go.
   I could see from the creases that covered his brow,
     he'd conquer the crisis confronting him now.
   More rapid than eagles, he checked each alarm
     and scrutinized each for its potential harm.

   On LAPB, on OSI, X.25!
     TCP, SNA, V.35!

   His eyes were afire with the strength of his gaze;
     no bug could hide long; not for hours or days.
   A wink of his eye and a twitch of his head,
     soon gave me to know I had little to dread.
   He spoke not a word, but went straight to his work,
     fixing a net that had gone plumb berserk;
   And laying a finger on one suspect line,
     he entered a patch and the net came up fine!

   The packets flowed neatly and protocols matched;
     the hosts interfaced and shift-registers latched.
   He tested the system from Gateway to PAD;
     not one bit was dropped; no checksum was bad.
   At last he was finished and wearily sighed
     and turned to explain why the system had died.
   I twisted my fingers and counted to ten;
     an off-by-one index had done it again...

   Vint Cerf
   December 1985