In this Help Net Security interview, Jean-Philippe Aumasson, discusses the writing and research process for Serious Cryptography, his latest book. With a career steeped in research and practical cryptography, Aumasson offers a rare glimpse into the efforts required to distill complex concepts into accessible knowledge for a broad audience.
Can you share the depth of the research that went into this project? How much time did you dedicate to research before starting the actual writing?
The first edition, published in 2017, took about two and a half years to complete. I spent an average of five hours on each page, excluding the work from my editor, No Starch Press.
Researching a chapter was essential before writing the first line of text. It allowed me to distill the topics to their essence to explain them as clearly as possible to readers. I also had to find the most accurate and up-to-date sources to refresh my knowledge and cite the most relevant articles and books. That was a lot of reading!
The second edition, published in 2024, was more challenging than I anticipated, as I updated each chapter to reflect the latest scientific research and engineering developments. I added a new chapter about the advanced techniques used in blockchain technologies, like proof of work, multi-party signatures, and zero-knowledge proofs. This is by far the chapter that required the most research and reading. It’s also the most technical chapter of the book, which a friend called the “final boss.”
Could you walk us through your writing process? How did you decide what content was essential to include and what to leave out?
One challenge with technical books is avoiding content that might become obsolete within six months of publication. This is especially true if you include how-to guides on using software applications or libraries that might become incompatible with new versions. The book doesn’t include walkthroughs on using cryptographic software utilities, which can easily be found online or through tools like GPT. However, these guides don’t explain what’s happening under the hood cryptographically—they’re just recipes people copy and paste at their own risk.
Instead, I focused on fundamental and timeless concepts like secure encryption, randomness, computational hardness, and the security notions applicable to zero-knowledge proofs. I covered established standards for the ciphers and protocols but didn’t cover legacy algorithms like DES or the MD5 hash function. I preferred to discuss state-of-the-art designs such as the Ed25519 signature scheme, the BLAKE3 hash function, and the post-quantum schemes standardized by NIST in 2024.
As for the writing process, it’s truly a team effort. I start by submitting a draft to my editor, who provides feedback, suggests changes, and rewrites some sentences. After a few iterations, the book goes through rigorous technical review, proofreading, and quality checks. We ensure consistency in terminology and notation throughout the book, clear figures, and all hyperlinks work correctly.
Were there any unexpected challenges or surprises during the writing process?
The writing process required discipline and commitment, but overall, it went smoothly. I was fortunate to benefit from the excellent editing at No Starch Press, where the team sometimes challenged my text’s style, technical depth, and structure. The only mild annoyance was my choice of word processing software, which struggled when there were too many tracked changes and red ink.
What core insights do you hope readers will take away from this book?
I want to convey the fundamental principles of cryptography with minimal jargon and mathematical formalism to make it accessible to the widest audience. For example, what does it mean for a cipher to be secure? What constitutes safe randomness? How to define protocol security?
I also want to raise awareness about the pitfalls of cryptography usage and implementation. After conducting many cryptography code audits and design reviews, I’ve become familiar with the most common vulnerabilities and design flaws. I’m sharing this experience in the book, and to that end, each chapter includes a final section titled “What could go wrong?” that provides examples of real cryptographic vulnerabilities.
We’re curious about your current reading list, particularly any technical books. What have been some standout reads for you over the past year?
I tend to read more technical articles than books, which I usually browse or consult to answer specific questions. I regularly consult the latest cryptography preprint articles. I also follow the research about topics such as quantum computing engineering, software exploitation, trusted execution environments, and other topics related to information security.
My recent reading has little to do with cryptography or computers; they’re the novels Cities of the Plain and Outer Dark by the late Cormac McCarthy.