Cyber Shelf

// Comparison

Cryptography Engineering vs Serious Cryptography: Which Should You Read?

Two cybersecurity books on Cryptography, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
4/52010
Cryptography Engineering

Design Principles and Practical Applications

Niels Ferguson, Bruce Schneier, Tadayoshi Kohno

A working engineer's introduction to cryptography that takes implementation pitfalls more seriously than most.

Intermediate
5/52024
Serious Cryptography

A Practical Introduction to Modern Encryption

Jean-Philippe Aumasson

Jean-Philippe Aumasson's working introduction to modern cryptography, written for engineers who need both intuition and enough mathematical depth to evaluate the choices a library is making for them.

Read this if

Engineers who need to evaluate cryptographic choices in real systems and want intuition for why the standard advice exists.
Engineers who already know what crypto to use and want to understand why it works at the primitive level. The middle book in the modern crypto stack: deeper than Real-World Cryptography, shallower than the academic textbooks.

Skip this if

Researchers needing rigor, for that, read Boneh/Shoup or Katz/Lindell. Also dated on TLS 1.3, modern AEAD norms, and post-quantum.
Beginners or readers who haven't yet decided which primitives to use; start with Wong first. Also wrong for cryptography researchers who need formal proofs.

Key takeaways

  • Almost every cryptographic disaster is an integration failure, not a primitive failure.
  • Don't roll your own, but understand enough to recognize when the library you're using is wrong.
  • Side channels are not exotic; they are the default mode of failure.
  • Modern primitives can be understood by engineers, given the right framing — Aumasson's choice to bound the math is the book's defining design decision.
  • The 2nd edition (2024) covers post-quantum cryptography (Kyber, Dilithium, SPHINCS+) at the depth a deploying engineer actually needs.
  • The chapters on hash-function attacks (length extension, multi-collisions) are the clearest in print and explain why half of the production bugs in HMAC-adjacent code happen.

How they compare

We rate Serious Cryptography higher (5/5 against 4/5 for Cryptography Engineering). For most readers, that means Serious Cryptography is the primary pick and Cryptography Engineering is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Cryptography Engineering and Serious Cryptography both cover Cryptography, so reading them in sequence reinforces the same material from different angles.

Keep reading

Cryptography Engineering

Alternatives to Cryptography EngineeringWhat to read after Cryptography Engineering

Serious Cryptography

Alternatives to Serious CryptographyWhat to read after Serious Cryptography

Related topics

Cryptography