I was recently asked via email about some good resources for learning about cryptography and thought I should share a padded-out version of my reply here. I hope this is useful.

Firstly, you don’t need a computer science or maths degree to learn about cryptography. Those types of qualifications will significantly speed up the learning process when it comes to more advanced topics and may be required for very advanced topics, but in many cases, the maths behind cryptography is not necessarily important to learn. If you’re a developer, then you shouldn’t be focused on the maths. You don’t need to learn about mathematical proofs and theoretical cryptography. Ignore people telling you otherwise because they’re speaking rubbish.

Books

I’d recommend Real-World Cryptography as a first read because it’s beginner friendly and doesn’t require a mathematical background. It explains a lot of the core concepts and discusses modern algorithms, like ChaCha20-Poly1305 and AES-GCM, in enough detail. It certainly doesn’t cover everything, but that’s good because you shouldn’t jump straight into the deep end anyway.

Another less mathematical book is Everyday Cryptography. This is a much larger book covering more topics and has very positive reviews. There’s also a free eBook called Crypto 101, which is recommended by the author of Monocypher. It’s meant to offer an introduction to cryptography for programmers of all ages and skill levels, but it’s still being written and contains some missing sections.

Some other highly regarded books include Serious Cryptography, Cryptography Engineering, and Understanding Cryptography. I believe these contain noticeably more mathematical notation than the other books I’ve mentioned, so they’re probably best for more intermediate readers.

Finally, Crypto Dictionary offers a light read and will help you learn some fun facts. However, some of the definitions aren’t really definitions, some terms/algorithms have been skipped over, and it intentionally doesn’t contain much detail. This should not be your first or second read.

Courses

The course I’ve seen recommended everywhere is Cryptography I by Dan Boneh from Stanford University, but I’d strongly advise against taking this course if you’re a beginner or someone who doesn’t have a maths background. It’s also very theoretical rather than applied, which is a shame because applied cryptography is far more important for most people.

Another course that may be less mathematical is the Introduction to Applied Cryptography course from the University of Colorado, although I haven’t looked into it enough to be sure.

There are also recorded lectures from MIT, Ruhr University Bochum, and Middle East Technical University. Plus, some universities share their notes/assignments publicly. However, these are likely more mathematical.

Lastly, a bunch of recommended computer science courses can be found on the Open Source Computer Science Degree list.

Blogs/Websites

Forums

You can ask questions related to cryptography on Cryptography Stack Exchange and Reddit via r/crypto. However, I would use these as a last resort because some answers may be inaccurate and mathematical in nature rather than summarised in layman’s terms. Books are a much safer bet when it comes to locating reliable information.

Programming

Learning by doing works well. I agree with Soatok’s recommendations and would suggest progressing through the following steps over time:

  1. Create simple demos of common tasks (e.g. file encryption, password hashing, key derivation, key exchange, etc.) using misuse-resistant/hard-to-misuse APIs from Tink, libsodium, and Monocypher, with Tink being the easiest. Be sure to read the relevant documentation before coding anything. A nice libsodium cheat sheet can be found here.
  2. Implement existing protocols, such as the Noise One-Way Handshake Patterns, a port of Minisign to another language, and Signal’s X3DH key agreement protocol.
  3. Design custom protocols and constructions, such as file formats for an encryption tool, XChaCha20-BLAKE3-SIV, and a committing BLAKE3 AEAD.
  4. Code the simpler/less error-prone existing cryptographic primitives, such as HKDF, HMAC, ChaCha20, and BLAKE2. Always review your code against the specification and test your code using the provided test vectors.
  5. Complete as many Cryptopals and CryptoHack challenges as possible in a programming language of your choice.
  6. Code the more complex/error-prone existing cryptographic primitives, such as Poly1305 and Elligator. This is very tricky to get right. Ideally, get someone else to check such implementations.
  7. Design new cryptographic primitives. This is extremely difficult and best left to highly experienced professionals in academia because even they design insecure algorithms.

Good luck.