I can't believe that there are students who are sleeping / not paying attention in this class. I'm watching the video at midnight and I'm having my eyes wide open marvelling at the simple way in which Prof. Paar explains step-by-step some of the most cryptic (literally) stuff!
*Topics* 1. Stream Ciphers 0:15 2. Random Numbers a) RNG (Random Number Generator) 37:10 b) PRNG (Pseudo Random Number Generator) 44:00 c)CPRNG (Cryptographicly Secure Pseudo Random Number Generator) 51:30 3. One Time Pad 1:00:30 4. LCG (Linear Congruent Generator) PRNG 1:15:15
First time listening Professor Christoff Paar on Cryptography. Very nice lectures Great pace and way of teaching Stay blessed Professor Dr Zaheer Center for Mathematical Sciences Pakistan Istitute of Engineering and Applied Sciences Islamabad Pakistan
Regarding OTP... store random mouse moves collected in an array up to the size needed to encrypt the message, each time you need a new random number array, easy. Encrypt the message one to one with the random array and you only need a random array as large as your message, so message x 2 is the final size. Embed the encrypted message in a picture using steganography. First send the key embedded in a picture with an RSA encoded password (known to the recipient). Then send the picture with an embedded encrypted message. Works better if the message is also embedded into text (ie: ipsum lorem) that will fill the whole picture, so that changed bits in the picture don't stand out. Already wrote this program, handling LF's was a problem but sorted now. A 520x520 bit picture will hold about 72k of characters.
Dear Professor Paar, when I was watching your explanation on the OTP, I suddenly wondered if this is how the ancient Chinese encrypted their messages. We Chinese use characters, and the most commonly used ones are of a whopping number between 3000-5000. During war times, for secret message exchange, people write a seemingly normal message, but you need a sort of mechanism to see the original message. It's a message in a message.
Mr. Paar, where did you learn everything you know? You are a highly intelligent individual, anyone can tell just based off how you teach. I'm only 15 and I'm understanding what you are teaching, you really know what you are talking about and that is shown in the way you break down these ciphers and explain them in detail.
Great lecture and I envy those students out there for having a lecturer as such. The lecturer we have in our university in Holland is nowhere near this lecturer, sadly of course.
Entanglement offers an interesting way to pass data encryption keys. Assuming entanglement systems are difficult and expensive it may not be practical to transmit data this way but the secure key is a smaller data set.
Surely the LCG is even worse for cryptography: we showed that Oscar can break it by knowing (x1,x2,x3). Even if they didn't know those values, there are only 8 possibilities so he can find 8 pairs of (A,B), exactly 1 of which is the solution. Trying them out against the rest of the ciphertext narrows down the possibilities even more. Knowing a linear generator is weak, my first impression would be to go to higher order polynomials (perhaps I'm anticipating future lectures here) -- from trying it out, solving systems of polynomial equations in n unknowns is a hard task.
Sehr gut! Very good lecture of my favorite cryptography topic! Most of the stuff lectured here I already knew, but I learned a few additional things here, such as that XOR is actually Modulo 2 (Mod2). I never realised that. I'm continuously developing my own XOR stream/block ciphers for years now. Strong OTPs can be generated by TRNGs and CSRNGs with high randomness factor on the bits. That's the best way imo. PRNGs are deterministic and crap for encryption purposes indeed, because once an attacker knows the seed he can regenerate the whole sequence of random keybits.
Hm, the definition of a PRNG as shown does not fix a pattern where only the seed depends on the secret key. The key could also be an input to later PRNG rounds. The LCG shown in particular proved problematic because a property of the assumption was that there are more plaintext bits known than the amount of unknown variables in the PRNG function.
During the Cold War and even now One-Time Pad messages are sent to agents via clandestine shortwave radio stations known as Numbers Stations. These stations would read out the encrypted messages usually as strings of 5 digit numbers and the agent who is meant to receive one copies the numbers down and then decodes them with the OTP given. Most of these Numbers Messages cannot ever be decrypted because most agencies were very careful with not re-using keys. But eventually they ran low on resources and had to recycle whole keys and parts of keys etc. If you ever reuse a key for two different messages, then cracking both of them is child's play. Now if you reuse the same key for the same message sent with that same key then it does not matter because the numbers would be identical and you are nowhere closer to cracking it then you were when you first intercepted it.
today radio transmissions are sent in coded packets one each packet is sent on a different channel (AM or FM frequency) deciphering the header of the packet identifies the next channel. Oscar has to be in real time to even capture the data beyond a single packet. To make it more interesting trojans are also sent on other channels to create a noise level that masks the real message. Channel sequences are chosen from an OPT and cover a very broad RF spectrum.
Wonderful job professor, i think that people like you allow students to progress. Congratulations. Now, i have a short question. In your book that is amazing in otp you put 3 requirements but now in your explanation you omitted the second one which say the key stream is only known to the legitimate communicating parties. I think that i will get erasmus from Valencia (Spain) just for being in your classes ajjjjajaa. THx
Firstly, this lecture series is great. Super clear and concise. The slides on the website are also very helpful. Secondly, at 28:00... since we're encoding/decoding 7 (or 8) bits at a time, isn't the stream-cipher just a very small block-cipher? The "block" in this case being a single byte?
Great Lecture Sir ...Few Doubts as Below :- 1)How Do we Get Seed Value.... 2) How Does a PRNG Developed. 3) How Do We Get The K Value Mentioned in 1.20 ....
+Cosmic D I hope the following helps: 1.) The seed often comes from a true random number generator. Many modern digital systems have access to some source of randomness. 2.) not sorry what you mean, sorry. 3.) This is the KEY. It must be somehow established between the two communicating parties.There are various ways of doing this in practice, i.e., using some key establishment protocol. regards, christof
+Introduction to Cryptography by Christof Paar Thanks For the same .....Sorry To say..but I could not understand deeply about anything regarding my doubts/....Could u pls Let me know some topic which can make this Clear....
Professor Christof Paar, I don't understand why 1 + 1mod2 equals to 0 and not 2? 1mod2 equals to 1 if I'm not mistaken, hence 1 + 1 = 2. What am I missing at 19:39?
Dear professor Paar, thank you for sharing. I would like to know if it is correct to say, at the beginning of the last exercise (1:22:45), that the system (attacked by Oscar) can be solved due to the Rouché-Capelli theorem. Thank you
@@gaganaggarwal7981 Well, if it is a bit stream, then I suppose the system is mod 2, because bits only have two values: 0 and 1. That was the presumption during this whole lecture, if I'm correct?
@@HeikkiKetoharju if you look at the wiki ( en.wikipedia.org/wiki/Linear_congruential_generator ) the m values are much different, though the set is small enough that you should be able to iterate over all of them. That being said, if you xor full bytes, then you're likely to discard the higher bits of the LCG output. I wonder how much more work it is to break it in such case.
If the entire key is truly random, decimal adding (adding with carry bits) will work too. However, bitwise XOR makes many things easier: It is faster, one can encrypt individual bits independently of its neighbouring bit and the security argument is easier: By intution, if an attacker sees (e.g.,) a 0 on the channel and the key bit is truly random, there is exactly a 50% chance that the plaintext bit was 0 or 1.
Dear Professor Paar, one thing is confusing me a lot that is understood than Random numbers generate by the sender applying any of define methods and one of them is CPRNG which is infeasible for anyone to generate same pattern. My question is that how receiver computes the same pattern using CPRNG or any other method for deciphering received message? What I understood is that both sender and receiver share pattern function for CPRNG using any other secure channel.
At Timestamp 1:11:12 you asked us how big the key is in the example for a 400 MB movie. I'm not sure I follow how you arrived at 3.2 GBs for the encrypted file. I do understand that any key in a OTP is going to be as big if not bigger than the original message.
You are right. I just tried to convert from MByte to MBit, and multiplied the 400MByte by 8 :) I find counting the bits more instructive since the OTB is bit-oriented
Hello Prof Parr Again thank you for the best crypto course on the web. I have a question with relation to this video. The OTP as referred to as a perfect cipher (unbreakable) however that is not my particular understanding. As I understand this and I could be wrong is that the OTP is perfect only in the following sense. For a cipher text only attack the probability of decrypting the message is exactly the same if you have or don't the ciphertext. In other words even if you have infinite computing power having the cipher text doesn't help to decrypt the message since the message space and key space are of equal (at least) or greater size (key space) every possible decryption of the message with every possible key yields a potentially valid decryption and there is no way to differentiate what the original message if is an attacker has the cipher text. It doesn't help. This only holds true for ciphertext only attacks. In other ways the OTP is actually a weak cipher. Any thoughts on this would be greatly appreciated Thank you Steve
Can you generate a random "Key Stream" then swap the keys by using Diffie-Hellman and do a new key every hour over the cell infrastructure?? Feasible or not?
+mchenoboe Exactly. The big question is: What are good CPRNGs? In practice, CPRNGs are simply strong stream ciphers. If you go to the eSTREAM web site you'll find recommendation for secure stream ciphers. (Unfortunately) I do not say much about strong stream ciphers in these lectures. Regards, christof
I'm confused because at the end of the lecture you present a stream cipher schematic that uses PRNGs and you say this is how all practical stream ciphers work. Then you continue about the LCG and conclude that this is a bad way of doing stream ciphers. What am I missing?
In 1:24:20 Oscar finds/intercepts x1, x2 and x3. You say: he(Oscar) also computes S1, S2 and S3? How can he compute them without the key? Isn't he intercepting s1, s2, s3 also? Thanks for interesting lectures!
No, he is not intercepting the s_i (they cannot be intercepted, they are internal values computed by Alice). He only sees the y_i's on the channel. But if Oscar also knows some x_i, computing the corresponding s_i is trivial since y_i = x_i + s_i mod m and thus: s_i = y_i - x_i mod m The question is what the other s_i's are that he does not know already. They can be computed via s_j = A s_j-1 + B mod m *but* Oscar needs to know A and B for this. -- And that's the point of my exercise after 1:24:20 :) hope this helps, regards, christof
@@introductiontocryptography4223 I still have a question about how to compute S1, S2, S3. y_i = x_i + s_i mod 2 (where y_i is encrypted bitwise by x_i and s_i. This is the first equation in page 40 of the book). But latter, s_i is computed as s_i = y_i + x_i mod m, i = 1,2,...300 (which is the second equation in page 40). could you explain why the computation changes from mod 2 to mod m?
40:49 did he mean to say chaotic natural processes (I think there are random natural processes on the quantum scale but I'm not sure. I know more classical)
Hi Professor, i love security so find your videos a great way to go above curriculum and prepare for a undergrad in computer science. I was thinking isn't it possible to change the key values after each byte is encrypted with a LCG. This way any attacker knowing the first few bits would find it very difficult to get anywhere into the data. My idea is similar to some public key encryption. Using some trap door function to generate a new key (A,B). The idea uses an elliptical curve on both PRNGs that will compute a new key. If point (A,B) is x, it will compute x^m (mod m). This new point will be the corresponding A and B values for the next 8 bit Si values. For the next 8 bits, it would compute x^m+1 (mod m) and so on. This way knowing A and B from the first byte will not allow you to obtain the next A,B key without knowing the equation or having some prior idea of what the message is. The simultaneous attack breaks down if you get s8 and s9 as the A B values will be different. Is this a practical solution?
Rosenberg, not Rosental! A married couple who was spying for the Soviets. In the east block countries it was of course denied. in Budapest there was (is) a street, named atfer them: Rosenberg hàzaspàr utca. In German: Rosenberg ehepaar strasse In English: Rosenberg couple street.
1:12:30 I don't understand why key length should be 8 times longer than the file to be encrypted. I thought the key length could just be the same as the file length.
the key does not have to be 8 times longer; the prof just converted the key size into gigabits (presumably because key lengths are commonly given in bits rather than bytes), hence the times 8.
Dear Prof, Please which university are you lecturing at Germany university, Please i want contact you directly on Information Security(Data & Cryptography)
Couldn't you brute force the OTP keystream bits? At the end of the day is either 1 or 0 and 100 bits would be 2^100 possibilities, why cant you try everyone and see which plaintext makes sense,
Good question. Brute-forcing an OTP is almost a paradox, as it seems to be feasible. But the answer in short is: no, it does not work. The problem is as follows: In order to do a brute-force attack, you need to know when you actually found the correct key. This is only possible with the OTP if you KNOW the plaintext that you are looking for already. But if you know the plaintext anyway, you do not need to brute-force the OTP-encrypted ciphertext. Here is an example. Assume a plaintext consisting of 4 ASCII letters, i.e., 32 bits. Brute-force takes, thus, 2^32 steps. This is easy and takes a few seconds on a laptop. Assume the plaintext that was encrypted is "sell". You'll certainly find "sell" but also "sold", "dive", "duck", "2qfu" (and all your favorite 4-letter swearing words too :) You will not be able to do distinguish "sell" from all the other decrypted texts that you produce. Hope this helps.
Hi Professor I'd like to know that if we can get authentication through only nonce in a protocol? for example A------->B: N(a) B-------->A: {N(a),N(b)} K(ab) Do we have mutual authentication ? Thanks
Assuming Alice and Bob share the same key that is only known to them, Alice knows after decryption of the message that the message originated from Bob. N(b) is currently not used in your protocol. regards, christof
Hello Prof..Thanks for the amazing lecture series.. I had couple of questions on OTP.. 1. Even though the key size would be "huge" in case of OTP but theoretically with infinite computational resources, it would still be possible to break it [ 2^3.2G computers can do it in 1 step]. 2. Further, if the message size is really small (16 bytes), wouldn't OTP be a weak algo in that case ?
Good point. This is a (well-known) paradox of the OTP. You are absolutely right, if the message size is small, one can of course try all possible OTP keys. The point here is, however, that you will NOT be able to tell when you have found the correct key UNLESS you know the plaintext already. Very good observation, though. hope this helps, christof
+Introduction to Cryptography by Christof Paar ..Thanks Prof for the response.. If I got you right, decryption would produce just a stream of bits and hence one could never tell if it were the right key (unless the original plain text was a meaningful english sentence/paragraph for which u don't need to actually KNOW the plain text)
Almost correct: Let's assum the plaintext were a 6-letter ASCII string, e.g., ATTACK. If the adversary performs an exhaustive key search he would generate "ATTACK". But he would also generate "attack" and "SECRET" and "peace!" and "turkey" and "pay50$". Thus, unless he knows a priory what the plaintext is, he will not know what the correct one is.
Introduction to Cryptography by Christof Paar Yeah..that's quite possible given the richness of a language :).. However, I feel probability of this collision would reduce as the input text becomes longer.. Thanks again Prof...
The keyspace grows, with the length of the message, it's always as big as the space of possible messages. For Exampe: If you have ciphertext of 100 bits lenght, there are 2^100 possible chiphertexts. The key is an equaly long string of random bits, so there are 2^100 keys, and every key leads to a different Plaintext. That means you can get any Plaintext of equal lenght. And because the key is truly random, all the plaintexts are equaly likely.
professor I have one question about LCG we can compute A and B values by A = (s2-s3)(s1-s2)^-1 mod m B = s2 - s1(s2-s3)(s1-s2)^-1 mod m but what if the case where there does not exist a (s1-s2)^-1 in modulo m?
Nice lecture...as always. One question, though. If S, A and B are strings of bits then why is this still called a 'stream' cipher? Why not a simple block cipher? Thank you.
1:00:00 ish I don't see how OTP meets the definition for "unconditionally secure" any finite stream. For his 400MB file has a key space of 2^3200000 right, so given " infinite resources " you could guess the key and decipher. Am I missing something? Or is he wrong? Sorry I'm a mathematician, I take definitions seriously.
Good point. That's almost a paradox of the OTP: It seems one could brute-force a (finite) OTP. If you use short messages, say 8 bit, that would be even trivial. BUT: To stay with the 8 bit example, you would get 256 answers, but you will not know which one of those is the correct one. You will only be able to distinguish the correct one from all the others if you already know the plaintext anyway. Same goes with a 400MB message.
@@introductiontocryptography4223 Thank you sir for your reply. I have a B.S. in Theoretical Mathematics but my Computer Science is mostly self taught. I definitely have some thinking to do. (It still seems, after the message is sent, Oscar has the Cypher text and knows the key space -> Oscar does have the plaintext byte, I guess the problem is he also has 255 garbage bytes........so, it seems to me we have to make one further assumption to meet the definition: that is, Oscar does not know what he's looking for (i.e. if he was after a char he can narrow it down to ........ every char ....... nm. I think I'm starting to get it. I have a lot of thinking to do. It's clearly secure, after 60ish bytes your going to need some quantum or alien help, it just seems like a true Turing machine would know more and more as the conversation progresses. ...... OK I'm going to leave the thinking in my head lol. Again, thank you for validating my question was at least worthy if consideration, I would love to have a conversation with you someday; but I have a lot to learn over many years before I would have anything significant to add (computer science wise, if you want to talk about classical physics, organic chemistry, or mathematics, I'm down!)
OK I think I get it.......no I don't nm, wait yes I do! "Unconditionally secure" does not mean "unhackable." Given an infinite number of infinitely fast Turing Machines, more and more of the garbage text will be recognizable as garbage. Eventually Oscar could narrow it down more and more (again hypothetically, with more resources than physics would probably allow) and if Alice and Bob talk enough, Oscar will know the conversation *but he will not know the next bit the sent, because he doesn't know that bits key bit and that is the definition* Cool, good lectures man. Thank you for inspiring me to think more about it.
Forget my last comment, even if Oscar can narrow down more and more garbage text, he also gains every possible plausible text. So I think I was wrong when I said "Unconditionally secure != unhackable" Now I think I get it. *think, never sure*
I set my alarm for the middle of the night to watch these so I can literally follow his instruction to "go back to sleep"
"The next 120 seconds, are going to be very important in your life!"
I can't believe that there are students who are sleeping / not paying attention in this class. I'm watching the video at midnight and I'm having my eyes wide open marvelling at the simple way in which Prof. Paar explains step-by-step some of the most cryptic (literally) stuff!
Lit me right now xd
*Topics*
1. Stream Ciphers 0:15
2. Random Numbers
a) RNG (Random Number Generator) 37:10
b) PRNG (Pseudo Random Number Generator) 44:00
c)CPRNG (Cryptographicly Secure Pseudo Random Number Generator) 51:30
3. One Time Pad 1:00:30
4. LCG (Linear Congruent Generator) PRNG 1:15:15
Tells someone to shut up 5:54
Tq very much dear for providing info
Thank you so much for sharing this course for free. You are such an amazing professor. Academic needs more talents like you. Thank you sir
Many thanks to Prof. Paar for the most interesting lectures
I even learn few German words as a side benifit of the lectures
...
These lectures are so good! They make a perfect pair with the crypto-textbook. The most fascinating course I've had so far in my studies.
Thanks a lot for these wonderful lectures! I have seen many engineering online lectures, but the way you teach is very educational and exceptional.
studying Crypto for CCNA Cyber Ops, these lectures are amazing. I'm learning so much, great job Professor
I like the way you are teaching. :) I wish I could attend your classes!!!
Better think about what you wish for...
@@Tentix trust me, I really want to attend his classes.
you already are
Why take german and cryptography, when you can learn them both at the same time? (lol) Great Lecture by the way.
haha..
am a beginner crypto learner.
are you a beginner?
Yes
me tooo
First time listening Professor Christoff Paar on Cryptography.
Very nice lectures
Great pace and way of teaching
Stay blessed Professor
Dr Zaheer
Center for Mathematical Sciences
Pakistan Istitute of Engineering and Applied Sciences
Islamabad
Pakistan
Right when you wrote down the symbol for modulo 2, I knew XOR was going to come up.
*k*
@@Integralsouls What a crazy response to a 4 year old comment.
Thank you. You really make this subject fascinating.
Regarding OTP... store random mouse moves collected in an array up to the size needed to encrypt the message, each time you need a new random number array, easy. Encrypt the message one to one with the random array and you only need a random array as large as your message, so message x 2 is the final size. Embed the encrypted message in a picture using steganography. First send the key embedded in a picture with an RSA encoded password (known to the recipient). Then send the picture with an embedded encrypted message. Works better if the message is also embedded into text (ie: ipsum lorem) that will fill the whole picture, so that changed bits in the picture don't stand out. Already wrote this program, handling LF's was a problem but sorted now. A 520x520 bit picture will hold about 72k of characters.
Dear Professor Paar, when I was watching your explanation on the OTP, I suddenly wondered if this is how the ancient Chinese encrypted their messages. We Chinese use characters, and the most commonly used ones are of a whopping number between 3000-5000. During war times, for secret message exchange, people write a seemingly normal message, but you need a sort of mechanism to see the original message. It's a message in a message.
good question but still Chinese government controls Chinese people in a good way.
@@pandalanhukuk804 Good Answer but looks like you are suffering fake news.
Stream ciphers 0:01
Random number generators(RNG) 37:20
OTP 1:00:30
LCG 1:15:20
Professor Paar,
in 55:40 when you say that is computationally infeasible to construct Sn, you mean Si+n right? i.e the next key after Si+n-1
exactly.
Mr. Paar, where did you learn everything you know? You are a highly intelligent individual, anyone can tell just based off how you teach. I'm only 15 and I'm understanding what you are teaching, you really know what you are talking about and that is shown in the way you break down these ciphers and explain them in detail.
53:50 lol, for the viewer thats a conundrum
That took me way to long...
I'm your die hard fan already!! Great Lecture!
Thank you so much for this course and also for the books which is an easy to read great information place !
Great lecture and I envy those students out there for having a lecturer as such. The lecturer we have in our university in Holland is nowhere near this lecturer, sadly of course.
This man is an American hero
I am sorry I was actually doing RUclips while listening to you professor.
Entanglement offers an interesting way to pass data encryption keys. Assuming entanglement systems are difficult and expensive it may not be practical to transmit data this way but the secure key is a smaller data set.
thank you sir for all this information your teaching methods are good too
Awsome lecture...thank you sir...
Surely the LCG is even worse for cryptography: we showed that Oscar can break it by knowing (x1,x2,x3). Even if they didn't know those values, there are only 8 possibilities so he can find 8 pairs of (A,B), exactly 1 of which is the solution. Trying them out against the rest of the ciphertext narrows down the possibilities even more. Knowing a linear generator is weak, my first impression would be to go to higher order polynomials (perhaps I'm anticipating future lectures here) -- from trying it out, solving systems of polynomial equations in n unknowns is a hard task.
Sehr gut! Very good lecture of my favorite cryptography topic!
Most of the stuff lectured here I already knew, but I learned a few additional things here, such as that XOR is actually Modulo 2 (Mod2). I never realised that.
I'm continuously developing my own XOR stream/block ciphers for years now.
Strong OTPs can be generated by TRNGs and CSRNGs with high randomness factor on the bits. That's the best way imo. PRNGs are deterministic and crap for encryption purposes indeed, because once an attacker knows the seed he can regenerate the whole sequence of random keybits.
Hm, the definition of a PRNG as shown does not fix a pattern where only the seed depends on the secret key. The key could also be an input to later PRNG rounds. The LCG shown in particular proved problematic because a property of the assumption was that there are more plaintext bits known than the amount of unknown variables in the PRNG function.
Excellent teaching! Professor!!
Great information! Learning this becoming much more fun and meaningful. Thank you!
What a nice teacher! Was fuer einen Mensch...
During the Cold War and even now One-Time Pad messages are sent to agents via clandestine shortwave radio stations known as Numbers Stations.
These stations would read out the encrypted messages usually as strings of 5 digit numbers and the agent who is meant to receive one copies the numbers down and then decodes them with the OTP given.
Most of these Numbers Messages cannot ever be decrypted because most agencies were very careful with not re-using keys. But eventually they ran low on resources and had to recycle whole keys and parts of keys etc. If you ever reuse a key for two different messages, then cracking both of them is child's play.
Now if you reuse the same key for the same message sent with that same key then it does not matter because the numbers would be identical and you are nowhere closer to cracking it then you were when you first intercepted it.
today radio transmissions are sent in coded packets one each packet is sent on a different channel (AM or FM frequency) deciphering the header of the packet identifies the next channel. Oscar has to be in real time to even capture the data beyond a single packet. To make it more interesting trojans are also sent on other channels to create a noise level that masks the real message. Channel sequences are chosen from an OPT and cover a very broad RF spectrum.
Great lecture again, would have loved to see some more practical examples of OTP and LCG. And any real life applications of OTP.
Legendary as always...
Great lectures, Christof!
thank you for the great video
amazing lecture. hope i have a lecturer like you in my college...Thanks for uploading videos.
Thank you so much for this amazing lecture !
wonderful lectures
I wasn't paying attention but was listening to the lecture, and at 5:58 he stops and says "Hello!", I thought he said that to me lol
Wonderful job professor, i think that people like you allow students to progress. Congratulations. Now, i have a short question. In your book that is amazing in otp you put 3 requirements but now in your explanation you omitted the second one which say the key stream is only known to the legitimate communicating parties.
I think that i will get erasmus from Valencia (Spain) just for being in your classes ajjjjajaa. THx
Firstly, this lecture series is great. Super clear and concise. The slides on the website are also very helpful.
Secondly, at 28:00... since we're encoding/decoding 7 (or 8) bits at a time, isn't the stream-cipher just a very small block-cipher? The "block" in this case being a single byte?
30:18 I love how he corrects his grammar mistake by himself lol. I just adore him.
I noticed that too 😌😩🥺
Great Lecture Sir ...Few Doubts as Below :-
1)How Do we Get Seed Value....
2) How Does a PRNG Developed.
3) How Do We Get The K Value Mentioned in 1.20 ....
+Cosmic D I hope the following helps:
1.) The seed often comes from a true random number generator. Many modern digital systems have access to some source of randomness.
2.) not sorry what you mean, sorry.
3.) This is the KEY. It must be somehow established between the two communicating parties.There are various ways of doing this in practice, i.e., using some key establishment protocol.
regards, christof
+Introduction to Cryptography by Christof Paar Thanks For the same .....Sorry To say..but I could not understand deeply about anything regarding my doubts/....Could u pls Let me know some topic which can make this Clear....
Thanks Prof... it was Amazing lecture
Excellent lectures!
u r amazing teacher ,, thanks from turkey by palestinen engineer
Professor Christof Paar, I don't understand why 1 + 1mod2 equals to 0 and not 2? 1mod2 equals to 1 if I'm not mistaken, hence 1 + 1 = 2. What am I missing at 19:39?
I think it should be (x+s)mod2. After this everything makes sense. Also in the shift cipher, if we do (x+k)mod26, it gives the desired results.
Someone correct me if I am wrong. Please. I too am learning.
no you are right the answer is 2 but 2 isn't in the Z2 set its either 0 or 1 so 2 is equivalent to 0 because 2=2mod2 which is 0 .i hope helped :D
read this pdf " An Encryption Algorithm Based on ASCII Value of Data".
Dear professor Paar, thank you for sharing.
I would like to know if it is correct to say, at the beginning of the last exercise (1:22:45), that the system (attacked by Oscar) can be solved due to the Rouché-Capelli theorem.
Thank you
1:25:37
why isn't mod(m) an unknown?
Thank you very much for this wonderful lecture
No, the 2 unknows are A and B. We assume that the modulus m is known. (Sorry, I should have included m in the list "Oscar knows ..." Cheers, Christof
@@introductiontocryptography4223 How Oscar will know 'm' if he is just having the information about the header of a file?
@@gaganaggarwal7981 Well, if it is a bit stream, then I suppose the system is mod 2, because bits only have two values: 0 and 1. That was the presumption during this whole lecture, if I'm correct?
@@HeikkiKetoharju if you look at the wiki ( en.wikipedia.org/wiki/Linear_congruential_generator ) the m values are much different, though the set is small enough that you should be able to iterate over all of them. That being said, if you xor full bytes, then you're likely to discard the higher bits of the LCG output. I wonder how much more work it is to break it in such case.
and also to add, thanks for uploading these! I'm trying to find how mathematics is used in cryptology.
learn python. last equation could be done in python by modelling A and B as 2 lists [((si * a) + b) for a,b in zip(A,B)]
I cant type it out correctly now do math using python libraries pandas, NumPy, scipy
Excellent lectures.
Preciate it brother
very practical lectures....thank you
Why is binary bitwise XOR preferred over decimal adding? Is it just because it's faster to compute or are there security advantages too?
If the entire key is truly random, decimal adding (adding with carry bits) will work too. However, bitwise XOR makes many things easier: It is faster, one can encrypt individual bits independently of its neighbouring bit and the security argument is easier: By intution, if an attacker sees (e.g.,) a 0 on the channel and the key bit is truly random, there is exactly a 50% chance that the plaintext bit was 0 or 1.
Dear Professor Paar, one thing is confusing me a lot that is understood than Random numbers generate by the sender applying any of define methods and one of them is CPRNG which is infeasible for anyone to generate same pattern. My question is that how receiver computes the same pattern using CPRNG or any other method for deciphering received message? What I understood is that both sender and receiver share pattern function for CPRNG using any other secure channel.
At Timestamp 1:11:12 you asked us how big the key is in the example for a 400 MB movie. I'm not sure I follow how you arrived at 3.2 GBs for the encrypted file. I do understand that any key in a OTP is going to be as big if not bigger than the original message.
You are right. I just tried to convert from MByte to MBit, and multiplied the 400MByte by 8 :)
I find counting the bits more instructive since the OTB is bit-oriented
beautifully explained..!
thank you sir :)
So Oscar gets some plaintext, xi, from file header info but wouldn't he need the encrypted counterpart, yi, in order to calculate the operator, Si?
Oscar intercepts everything that passes through the insecure channel of communication between Alice and Bob, so he does have the y's
Hello Prof Parr
Again thank you for the best crypto course on the web. I have a question with relation to this video. The OTP as referred to as a perfect cipher (unbreakable) however that is not my particular understanding. As I understand this and I could be wrong is that the OTP is perfect only in the following sense. For a cipher text only attack the probability of decrypting the message is exactly the same if you have or don't the ciphertext. In other words even if you have infinite computing power having the cipher text doesn't help to decrypt the message since the message space and key space are of equal (at least) or greater size (key space) every possible decryption of the message with every possible key yields a potentially valid decryption and there is no way to differentiate what the original message if is an attacker has the cipher text. It doesn't help. This only holds true for ciphertext only attacks. In other ways the OTP is actually a weak cipher. Any thoughts on this would be greatly appreciated
Thank you
Steve
Did you find your answer?
thank you man
Can you generate a random "Key Stream" then swap the keys by using Diffie-Hellman and do a new key every hour over the cell infrastructure?? Feasible or not?
55:40 This should be S_(i+n) rather than S_n, shouldn't it?
Enjoying your lectures. I am purchasing your textbook, which other books/textbooks would you recommend over Cyber Security?
Can we say that LCG uses Affine Cipher after getting seed value from PRNG? It looks like S2 = A. S1 + B where A and B are part of Key.
Great lecture, you lost me at the end, :-) Many thanks
GREAT LECTURE SIR THANK YOU
Why should the One Time Pad ( Key stream bits) be used only once for it to be secure?
We learned that LCGs/PRNGs wouldn't work at the end of lecture for getting the Si, but what would work? A CPRNG?
+mchenoboe Exactly. The big question is: What are good CPRNGs? In practice, CPRNGs are simply strong stream ciphers. If you go to the eSTREAM web site you'll find recommendation for secure stream ciphers. (Unfortunately) I do not say much about strong stream ciphers in these lectures. Regards, christof
I'm confused because at the end of the lecture you present a stream cipher schematic that uses PRNGs and you say this is how all practical stream ciphers work. Then you continue about the LCG and conclude that this is a bad way of doing stream ciphers. What am I missing?
Great lecture! :)
1:00:00 Chapter 3 - One Time Pad
In 1:24:20 Oscar finds/intercepts x1, x2 and x3. You say: he(Oscar) also computes S1, S2 and S3? How can he compute them without the key? Isn't he intercepting s1, s2, s3 also? Thanks for interesting lectures!
No, he is not intercepting the s_i (they cannot be intercepted, they are internal values computed by Alice). He only sees the y_i's on the channel. But if Oscar also knows some x_i, computing the corresponding s_i is trivial since
y_i = x_i + s_i mod m
and thus:
s_i = y_i - x_i mod m
The question is what the other s_i's are that he does not know already. They can be computed via
s_j = A s_j-1 + B mod m
*but* Oscar needs to know A and B for this. -- And that's the point of my exercise after 1:24:20 :)
hope this helps, regards, christof
@@introductiontocryptography4223 I still have a question about how to compute S1, S2, S3.
y_i = x_i + s_i mod 2 (where y_i is encrypted bitwise by x_i and s_i. This is the first equation in page 40 of the book).
But latter, s_i is computed as
s_i = y_i + x_i mod m, i = 1,2,...300 (which is the second equation in page 40).
could you explain why the computation changes from mod 2 to mod m?
40:49 did he mean to say chaotic natural processes
(I think there are random natural processes on the quantum scale but I'm not sure. I know more classical)
He's soooo good!
Hi Professor, i love security so find your videos a great way to go above curriculum and prepare for a undergrad in computer science. I was thinking isn't it possible to change the key values after each byte is encrypted with a LCG. This way any attacker knowing the first few bits would find it very difficult to get anywhere into the data. My idea is similar to some public key encryption. Using some trap door function to generate a new key (A,B). The idea uses an elliptical curve on both PRNGs that will compute a new key. If point (A,B) is x, it will compute x^m (mod m). This new point will be the corresponding A and B values for the next 8 bit Si values. For the next 8 bits, it would compute x^m+1 (mod m) and so on. This way knowing A and B from the first byte will not allow you to obtain the next A,B key without knowing the equation or having some prior idea of what the message is. The simultaneous attack breaks down if you get s8 and s9 as the A B values will be different. Is this a practical solution?
If you have a trapdoor function why not use that to generate key bits and drop the LCG entirely?
What is m in (mod m)? Whatever modulo the situation calls for? i.e. mod2 for binary, mod26 for Shift cipher etc? Or is m specific to this lecture?
Hello,sorry but a stupid question but why 8*400??not 400 isnt one key stream bit required for encrypting one bit of the message?? 1:11:37
What are other examples that cellphone as stream ciphers? If anyone of you know, let me know thanks!
Spre session sir... 15sep'22
When Christof teaches that CSPRNG, it is in-feasible to compute Sn+i and not Sn.. right?
Rosenberg, not Rosental!
A married couple who was spying for the Soviets. In the east block countries it was of course denied.
in Budapest there was (is) a street, named atfer them: Rosenberg hàzaspàr utca.
In German: Rosenberg ehepaar strasse
In English: Rosenberg couple street.
1:12:30
I don't understand why key length should be 8 times longer than the file to be encrypted. I thought the key length could just be the same as the file length.
the key does not have to be 8 times longer; the prof just converted the key size into gigabits (presumably because key lengths are commonly given in bits rather than bytes), hence the times 8.
Dear Prof, Please which university are you lecturing at Germany university, Please i want contact you directly on Information Security(Data & Cryptography)
i wonder if the Zodiac Cipher is a kind of One-Time-Pad
Thank you
would oscar know the modulas in the linear congruence RNG?
Couldn't you brute force the OTP keystream bits? At the end of the day is either 1 or 0 and 100 bits would be 2^100 possibilities, why cant you try everyone and see which plaintext makes sense,
Good question. Brute-forcing an OTP is almost a paradox, as it seems to be feasible. But the answer in short is: no, it does not work. The problem is as follows: In order to do a brute-force attack, you need to know when you actually found the correct key. This is only possible with the OTP if you KNOW the plaintext that you are looking for already. But if you know the plaintext anyway, you do not need to brute-force the OTP-encrypted ciphertext.
Here is an example. Assume a plaintext consisting of 4 ASCII letters, i.e., 32 bits. Brute-force takes, thus, 2^32 steps. This is easy and takes a few seconds on a laptop. Assume the plaintext that was encrypted is "sell". You'll certainly find "sell" but also "sold", "dive", "duck", "2qfu" (and all your favorite 4-letter swearing words too :) You will not be able to do distinguish "sell" from all the other decrypted texts that you produce. Hope this helps.
Hi Professor
I'd like to know that if we can get authentication through only nonce in a protocol? for example
A------->B: N(a)
B-------->A: {N(a),N(b)} K(ab)
Do we have mutual authentication ?
Thanks
Assuming Alice and Bob share the same key that is only known to them, Alice knows after decryption of the message that the message originated from Bob. N(b) is currently not used in your protocol. regards, christof
in the very end .... isn't "m" in mod-m unknown as well? so there are 3 variables A, B and m
sorry i see that this was answered below
Hello Prof..Thanks for the amazing lecture series..
I had couple of questions on OTP..
1. Even though the key size would be "huge" in case of OTP but theoretically with infinite computational resources, it would
still be possible to break it [ 2^3.2G computers can do it in 1 step].
2. Further, if the message size is really small (16 bytes), wouldn't OTP be a weak algo in that case ?
Good point. This is a (well-known) paradox of the OTP. You are absolutely right, if the message size is small, one can of course try all possible OTP keys. The point here is, however, that you will NOT be able to tell when you have found the correct key UNLESS you know the plaintext already.
Very good observation, though.
hope this helps, christof
+Introduction to Cryptography by Christof Paar ..Thanks Prof for the response.. If I got you right, decryption would produce just a stream of bits and hence one could never tell if it were the right key (unless the original plain text was a meaningful english sentence/paragraph for which u don't need to actually KNOW the plain text)
Almost correct: Let's assum the plaintext were a 6-letter ASCII string, e.g., ATTACK. If the adversary performs an exhaustive key search he would generate "ATTACK". But he would also generate "attack" and "SECRET" and "peace!" and "turkey" and "pay50$". Thus, unless he knows a priory what the plaintext is, he will not know what the correct one is.
Introduction to Cryptography by Christof Paar Yeah..that's quite possible given the richness of a language :)..
However, I feel probability of this collision would reduce as the input text becomes longer..
Thanks again Prof...
The keyspace grows, with the length of the message, it's always as big as the space of possible messages.
For Exampe: If you have ciphertext of 100 bits lenght, there are 2^100 possible chiphertexts. The key is an equaly long string of random bits, so there are 2^100 keys, and every key leads to a different Plaintext. That means you can get any Plaintext of equal lenght.
And because the key is truly random, all the plaintexts are equaly likely.
But a OTP can be broken if it is used more than once.
professor I have one question about LCG
we can compute A and B values by
A = (s2-s3)(s1-s2)^-1 mod m
B = s2 - s1(s2-s3)(s1-s2)^-1 mod m
but what if the case where there does not exist a (s1-s2)^-1 in modulo m?
Jung Ki MIN I was wondering exactly the same!
niceee... I wish u explained one time pad better :) I hope I do the rest as well :)
Nice lecture...as always. One question, though. If S, A and B are strings of bits then why is this still called a 'stream' cipher? Why not a simple block cipher? Thank you.
Steam ciphers are always vulnerable to bit flipping, because each bit of plaintext is XORed with a single bit of your stream.
How can somebody even dislike this video, logically you understand the stuff or you don't, but dislike !!
thanks
1:00:00 ish I don't see how OTP meets the definition for "unconditionally secure" any finite stream. For his 400MB file has a key space of 2^3200000 right, so given " infinite resources " you could guess the key and decipher. Am I missing something? Or is he wrong? Sorry I'm a mathematician, I take definitions seriously.
Good point. That's almost a paradox of the OTP: It seems one could brute-force a (finite) OTP. If you use short messages, say 8 bit, that would be even trivial. BUT: To stay with the 8 bit example, you would get 256 answers, but you will not know which one of those is the correct one. You will only be able to distinguish the correct one from all the others if you already know the plaintext anyway. Same goes with a 400MB message.
@@introductiontocryptography4223 Thank you sir for your reply. I have a B.S. in Theoretical Mathematics but my Computer Science is mostly self taught. I definitely have some thinking to do.
(It still seems, after the message is sent, Oscar has the Cypher text and knows the key space -> Oscar does have the plaintext byte, I guess the problem is he also has 255 garbage bytes........so, it seems to me we have to make one further assumption to meet the definition: that is, Oscar does not know what he's looking for (i.e. if he was after a char he can narrow it down to ........ every char ....... nm. I think I'm starting to get it. I have a lot of thinking to do.
It's clearly secure, after 60ish bytes your going to need some quantum or
alien help, it just seems like a true Turing machine would know more and more as the conversation progresses. ...... OK I'm going to leave the thinking in my head lol.
Again, thank you for validating my question was at least worthy if consideration, I would love to have a conversation with you someday; but I have a lot to learn over many years before I would have anything significant to add (computer science wise, if you want to talk about classical physics, organic chemistry, or mathematics, I'm down!)
OK I think I get it.......no I don't nm, wait yes I do! "Unconditionally secure" does not mean "unhackable." Given an infinite number of infinitely fast Turing Machines, more and more of the garbage text will be recognizable as garbage. Eventually Oscar could narrow it down more and more (again hypothetically, with more resources than physics would probably allow) and if Alice and Bob talk enough, Oscar will know the conversation *but he will not know the next bit the sent, because he doesn't know that bits key bit and that is the definition*
Cool, good lectures man. Thank you for inspiring me to think more about it.
Forget my last comment, even if Oscar can narrow down more and more garbage text, he also gains every possible plausible text. So I think I was wrong when I said "Unconditionally secure != unhackable"
Now I think I get it. *think, never sure*