Now the most used texbook for introductory cryptography courses in both mathematics and computer science, the Third Edition builds upon previous editions by offering several new sections, topics, and exercises. The authors present the core principles of modern cryptography, with emphasis on formal definitions, rigorous proofs of security.

1. Introduction. 2. Perfectly Secret Encryption. 3. Private-Key Encryption. 4. Message Authentication Codes. 5. CCA-Security and Authenticated Encryption. 6. Hash Functions and Applications. 7. Practical Constructions of Symmetric-Key Primitives. 8. *Theoretical Constructions of Symmetric-Key Primitives. 9. Number Theory and Cryptographic Hardness Assumptions. 10. *Algorithms for Factoring and Computing Discrete Logarithms. 11. Key Management and the Public-Key Revolution. 12. Public-Key Encryption. 13. Digital Signature Schemes. 14. *Post-Quantum Cryptography. 15. *Advanced Topics in Public-Key Encryption.

The organization is quite natural, and aligns well with my course. My course covers the topics in exactly the same order as in Katz and Lindell, except that we skip some sections due to time constraints. I actually find Chapter 1 (Introduction) among the strongest aspects of this book. It does an excellent job discussing historical cryptography, explaining the motivation behind "modern cryptography," and introducing the non-expert to some of the basic concepts on which the rest of the contents of the book are built. I think this is an excellent textbook, and I can find very little fault with it. As I mentioned above, a possible suggestion is to add some more modern topics (lattice crypto, code-based crypto, FHE, obfuscation etc.) On the other hand, as an introductory textbook, it is perhaps also fine without those more advanced and more modern topics. - Gorjan AlagicI find Chapters 2 and 5 to be the best. Both for its clarity. Chapter 2 is clear on certain details that, in my view, make the material much easier to understand than other treatments I have come across. E.g., clearly clarifying that when we consider the notion of "secret," we address the case only that one single message is sent. Not multiple messages. This really helps one quickly understand the technical details and proofs. Similarly, Chapter 5 on hash functions, in my view, is tricky to present. E.g., it must be clear that one is not dealing with a particular instance of a collision, but really finding collisions. This distinction is made very clearly in this book.- Mahesh Tripunitara