The art and science of secure communication. From ancient ciphers to modern algorithms, understanding why cryptography exists and what it protects.
Every time two parties want to exchange information, they face a basic challenge: how do you keep a message secret when someone might be listening?
Alice wants to send Bob a message. The problem: Eve is listening to the channel between them. She can read, copy, or even modify anything that passes through. This is not a hypothetical. Every message you send over the internet passes through routers, switches, and cables controlled by dozens of different organizations.
Cryptography is the toolkit for solving this problem. The solutions range from surprisingly simple ideas (replace each letter with a different one) to deeply mathematical constructions that underpin every secure system on the planet. This chapter starts with the simple, then shows you why we needed the complex.
One of the oldest known encryption techniques. Julius Caesar reportedly used it to protect military messages. Shift each letter by a fixed number of positions in the alphabet.
Shift each letter by a fixed number of positions. The simplest cipher, and the easiest to break.
The Caesar cipher has only 25 possible keys (one for each shift). An attacker does not need to be clever. They just try all 25, read each result, and pick the one that makes sense. You saw this yourself in the brute force section above. Any cipher where an attacker can exhaustively try every key is fundamentally broken. Modern cryptography solves this by making the key space so astronomically large that exhaustive search becomes physically impossible.
Cryptography is not just about secrecy. It provides four distinct guarantees, each addressing a different type of threat.
Keeping information secret from unauthorized parties. When you visit your bank’s website over HTTPS, encryption ensures nobody between you and the bank can read your account details. Without confidentiality, the internet would be a postcard system where every intermediary reads every message.
Detecting unauthorized modifications to data. When you download a software update, a cryptographic digest lets you verify the file was not corrupted or tampered with during transit. Without integrity checks, an attacker could inject malware into your downloads and you would never know.
Verifying the identity of who you are communicating with. Digital certificates prove that the website you are visiting really is your bank, not an imposter. Without authentication, encryption alone is not enough, because you might be opening a secure channel directly to an attacker.
Ensuring someone cannot deny having performed an action. A digital signature on a contract proves the signer agreed to the terms. Unlike a handshake, it produces mathematical evidence that holds up even if the signer later claims they never signed.
Notice that encryption (confidentiality) is only one of the four goals. Most real-world cryptographic failures involve getting authentication or integrity wrong, not breaking the encryption itself.
Classical ciphers relied on keeping the method secret. Modern cryptography assumes the attacker knows everything about the system except the key.
The method itself must be kept secret. If an enemy learns how your cipher works, all messages are compromised.
Pen-and-paper transformations. Encoding and decoding a message takes time and is prone to human error.
Only 25 possible shifts in a Caesar cipher. An attacker can try every single one in seconds.
The system is secure even if everything except the key is public knowledge. Algorithms are open and peer-reviewed.
Security based on computational hardness problems. Breaking the cipher would require solving problems believed to be intractable.
possible keys for AES-256. Brute-forcing them would take longer than the age of the universe, even with every computer on Earth.
The simplest “modern” building block is the XOR operation (exclusive or). Unlike Caesar's addition , XOR operates directly on binary data. But before we can understand XOR, we need to understand how computers represent information in the first place.
Before we can encrypt anything digitally, we need to understand how computers represent information. Every password, message, and encryption key is ultimately just a sequence of ones and zeros.
At their core, computers are billions of tiny electrical switches. Each switch is either on or off. We represent these two states as 1 and 0. A single one or zero is called a bit, short for “binary digit.”
One bit alone can only represent two things. But group bits together and you get exponential growth: 2 bits give you 4 possible values, 3 bits give you 8, and so on. This is the same exponential growth that makes modern key spaces unbreakable. The possible keys for AES-256? That is exactly 256 bits, each one either 0 or 1.
Working with individual bits is tedious. Computers group 8 bits together into a byte. One byte can represent 256 different values (), conventionally the integers 0 through 255.
A byte is the fundamental unit of digital data. When you hear “a 32-byte key” or “a 256-bit key,” those are two ways of saying the exact same thing (). AES-128 uses a 16-byte key, AES-256 uses a 32-byte key, and a SHA-256 hash is always 32 bytes long.
Computers cannot store letters directly. Every character is assigned a number. The letter “A” is 65, “B” is 66, a space is 32. This mapping is called ASCII.
When you type “Hi” into an encryption tool, the computer sees [72, 105]. Each of those numbers fits in one byte. This is what actually gets encrypted, not the letters themselves.
Binary is precise but verbose: the byte 255 requires eight digits (11111111). Decimal is familiar but does not align neatly with byte boundaries. Hexadecimal (base 16) is the sweet spot: every byte is exactly two hex digits, from 00 to ff.
This is why cryptographic tools always show output as hex strings. A 256-bit key is 32 bytes, which is 64 hex characters. One hex digit represents 4 bits, so two hex digits represent one byte. You will see hex throughout every chapter that follows. You will also encounter Base64, a more compact encoding that maps 3 bytes to 4 characters. It is used in PEM certificates, JWTs, SSH keys, and anywhere binary data needs to live inside text.
Type text and see how computers represent it. Every character becomes a number, every number becomes bits.
Each character has an ASCII code (a standard number). That same number can be written in hexadecimal (base 16, compact) or binary (base 2, what the computer stores). These are all the same value, just different ways of writing it. Base64 does not appear here because it encodes 3 bytes at a time into 4 characters, so it cannot map to individual letters. You can see the full base64 output in the summary below.
Every concept from this point forward, key sizes, hash outputs, encrypted data, builds on this foundation. When you see “256-bit key,” you now know that means 32 bytes, 64 hex characters, and possible values. That number is what stands between an attacker and your data.
XOR (exclusive or) is the fundamental operation behind most modern encryption. A bit XORed with a key bit flips or stays the same. XOR the result with the same key, and you get the original back.
XOR each character of your message with a key. Apply the same key again and you get the original back.
Real encryption algorithms like AES are fundamentally XOR combined with substitution and permutation, repeated many rounds. The simple principle you just saw scales up into systems that protect billions of transactions every day.
This course builds your understanding from the ground up. Each chapter introduces one primitive or protocol, explained from first principles with interactive demos.
Digital fingerprints, keyed authentication, and why hash(key || message) is broken.
Where keys, nonces, and IVs come from. The foundation everything else depends on.
Block ciphers, modes of operation, and authenticated encryption. From AES to AES-GCM.
Groups, finite fields, and elliptic curves. The algebra behind public-key cryptography.
Establishing shared secrets over insecure channels.
Asymmetric encryption, hybrid schemes, and digital signatures.
Certificates, TLS, and the protocols that secure the internet.
Password storage, TOTP, passkeys, and proving who you are.
Side channels, padding oracles, key management failures, and real-world disasters.
Hash chains, Merkle trees, proof of work, and crypto beyond encryption.
Post-quantum algorithms and zero-knowledge proofs.