I am watching the videos intensively the last two weeks studying for a master exam, don't know if I will pass but I wish I had this introduction to cryptography earlier. Superior presentation skills, amazing awareness of the field and the perceived difficulty from the student point of view. Thank you for recording and sharing your knowledge, I watched cryptography courses in coursera, edx, udacity and two university courses, none can compare to this. again a huge thank you
This in mind-boggling, certainly at one level to understand, but what kind of mind(s) take abstract mathematics and figures out how to apply it to a Crypto problem? How does one learn to think in this manner? It's almost akin to what creative genius is required to write music that everyone agrees is a classic. I wish I had it.
when you have presented Deffie-Hellman you have said that x (the private key( should belongs to the group. when we speak about x in elliptic curve why can't it be any element other than integers and should it also belongs to the group Thank you very much. your videos really help me a lot
Hello, sir. I have a question regarding to the generalization of the cyclic group. I think for the representation of the cyclic group at 48th mins of the video, i.e. g = {a^1, a^2, ..., a^|g| = 1}, a^|g| =1 does not seem to come from fermat's little theorem as we do not have a prime modulo in the generalized case. So I think a^|g|=1 is just due to the property common to all cyclic groups, i.e we always wrap back to 1 after one cycle so that a new cycle can resume from there. In the previous lecture, you did prove this property using fermat's little theorem but only in Z*_p., where p is a prime. Do I misunderstand anything?
At 44:00 you speak of your colleague teaching the next course in Crypto. Any suggestions on where we should go after finishing your book and all of the youtube lectures?
The course in this YT channel is really an introductory course in applied cryptography. If you want more advanced crypto, I can recommend: Nigel Smart's "Cryptography Made Simple" by Springer. This book is mixture between the computational crypto that I teach and modern, abstract cryptography. Jon Katz/ Yehuda Lindell "Introduction to Modern Cryptography" -- This book is considerable more abstract than what's being taught in my intro course. But it gives you a real good introduction into modern cryptography, esp. if people want to do research in this field. The only online course I am aware of are the courses by Dan Boneh available on Coursera. Esp. his course Crypto II should provide material beyond what's taught on my channel.
@@introductiontocryptography4223 Wow! Thank you very much! I very much appreciate your time and effort. After COVID19 sometime I hope to meet you at the next crypto event. I owe you a drink just for the videos and the book. My intention is to implement a new message protocol but had no crypto background as I'm a self taught developer and so was very weak on the subject of math. Thanks again for the answer.
Thanks Sir.. It was a great experience to understand a very difficult subject (especially me) in an easy way. sometime , I wish i could attend your lectures in reality. But., anyway these lectures helped me in the great way.. Sir, you are a great teacher. Thank you. Sir , I ve a doubt, a to power 1, then 2 ...etc in lecture 13.. and in this lecture,, u wriiten alpha in this lecture as a primitive element .. is alpha and a means the same ie the primitive element ?
a does not mean primitive element in lecture 13. As stated in the videos, a primitive element (or generator), is an element of the group whose order equals the cardinality of that group.
go check out crypto-textbook.com and cryptool.org (this one is mentioned in the about section of this channel). both sites provide excellent textbooks (first is paid, second is free) that you can study from as well as a ton of superb additional resources. plenty enough to keep you busy for months if you dig that subject that much. i do. :)
Thank yo u professor Paar for this wonderful lecture series.. I never knew understanding crypto can be so easy and fun.. Really makes me sad with your constant persuasion to students to wake up.. I can give up anything to be in a class room like this.. Love your effort.. Also i would like to ask is there any similar course of yours for advanced crypto such as Blind signature, Range proofs etc??
Are there any Zed P Star groups that DO NOT contain any primitive elements? How do I find a primitive element of a cyclic group? Brute force only? How do I prove that my chosen element is a generator? Brute force only?
1) The multiplicative group of Z*p is always cyclic if p is prime. 2) finding primitive elements: Basically trial and error. BUT, we know that the possible orders of elements always divide (p-1). Hence, you take a random element and raise that only to those possible orders, i.e., you only have to do a few exponentiations using the square-and-multiply algorithm. There is another shortcut which makes it even easier and saves you exponentiation. en.wikipedia.org/wiki/Primitive_root_modulo_n#Finding_primitive_roots The best is if you do an example by hand. cheers, christof
Thank you. Prof. Paar I have read and re-read section 8.2 and my brain will not let go of this thought--- Suppose the following: My choice of p is a large prime of aprox. 2^256. (p - 1) is unfortunately the product of 2 * A * B where A, B are large primes of approx 2^128. Is factoring this particular (p - 1) too hard to find phi in a reasonable time? Are there some unfortunate choices of p that must be abandoned for practicality? or is this too unlikely to worry about? What is the worst case scenario for (p - 1) ? Also: I tried to find a 'rule of thumb' to estimate the frequency of Primitive Elements given a 'p' of 2^x without knowing phi. My brain fell out. The wikipedia article said there were many but the formula it cites relies on knowing phi. Many thanks, Alice.
In Sec 8.2 in Understanding Cryptography we talk about discrete logarithms. In order to break those you do NOT have to know (and worry) about phi(p-1). BTW, in order to make discrete logarithms secure, one should choose primes with at least 2048 bits, where 3072 and 4096 bits are preferred for long-term security. However, for other security reasons ("small subgoup attacks") one needs to exclude primes p where p-1 has only small prime factors. The general stragety for findings "good" primes p is to first find a large prime p'. Then compute p = 2 p' + 1 and check whether p is prime too. If not, try a new p'. I hope this helps. Cheers, Christof
Thank you Christof for your prompt responses to comments here. It is a privilege to be able to have a conversation with a World Class scholar so easily.
It will be a great favour for us if the theoretical crypto course is also recorded and made publicly available on youtube. By the way, your lectures are awesome, sir, and have sparked in me a deep interest in cryptography. Thanks for your lectures and also thanks for making it available to us.
ja. More exactly: The mutliplicative group of a prime field GF(p) is always cyclic, i.e., there is at least one generator. Please have a look at video 13 of this series and Theorem 8.2.2 of my book (on which the course is based), www.crypto-textbook.com. regards, christof
I had a confusion with the subgroup of GF(p) that has a prime number order where every element in that sub group is a generator. thank you very much. by the way how can I find a generator of a group or find the sub group that have a prime order ? you really are helping me a lot I wish one day I can return your favors.
I have some Question . 1) what if i don't choose primitive element? 2) If primitive element is required, how to choose the primitive element? 3) Can i Choose a composite number? How computationally difficult is it if i choose a composite number as a private key? 4) How difficult is to find the private key if i choose a prime number as a prime number? 5) How to choose private key's to make sure that it is computationally infeasible to find private key?. I would be waiting for your positive response. Kind regards,
If p is a prime, all elements in Z*_p have an order that divides p-1. For the example p=83, the possible orders must divide 82, i.e., the elements must have one of the orders 1, 41 or 82. regards, christof
would you please sir explain one related question? if P is prime no., P= 59 and considering two base no. g= 3 and g= 11. which base is suitable for the purpose? as of per my review g= 11 is suitable comparing 3. is this review is correct or wrong? regards Sikder
Professor Paar, you are an absolute gem! Your videos are helping me through a self directed cryptography course, thanks a lot!
Professor Christof Paar is an international treasure.
I am watching the videos intensively the last two weeks studying for a master exam, don't know if I will pass but I wish I had this introduction to cryptography earlier. Superior presentation skills, amazing awareness of the field and the perceived difficulty from the student point of view. Thank you for recording and sharing your knowledge, I watched cryptography courses in coursera, edx, udacity and two university courses, none can compare to this. again a huge thank you
The content is unbelievable. Cryptography + pedagogy in practice course. Prof. Paar is beyond words. Respect.
49:20, wake up, wake up, 30 secs, I promised. It's for the homework assignment. The professor really deserves better students.
Best resource on cryptography in the whole internet, thank you! Don't know how I'd manage without those in my classes.
Review of discrete logarithm problem 9:00
Diffie-Hellman problem 19:00
The Generalized DLP 45:00
Attacks 1:03:00
1:07:25 "x is never crazy, x is just ne ganze Zahl" - if only that would apply to mathematics as a whole
This in mind-boggling, certainly at one level to understand, but what kind of mind(s) take abstract mathematics and figures out how to apply it to a Crypto problem? How does one learn to think in this manner? It's almost akin to what creative genius is required to write music that everyone agrees is a classic. I wish I had it.
He is a clear fan of Elliptic curves.
Brilliantly explained, Sire!
真不错,从AES入坑,一直看了好多
you are the best.
when you have presented Deffie-Hellman you have said that x (the private key( should belongs to the group.
when we speak about x in elliptic curve why can't it be any element other than integers and should it also belongs to the group
Thank you very much. your videos really help me a lot
I'm sorry,
Did you mention any method to find a generator?
And if not, can you recommend any reference for that.
Thanks in advance
Hello, sir. I have a question regarding to the generalization of the cyclic group. I think for the representation of the cyclic group at 48th mins of the video, i.e. g = {a^1, a^2, ..., a^|g| = 1}, a^|g| =1 does not seem to come from fermat's little theorem as we do not have a prime modulo in the generalized case. So I think a^|g|=1 is just due to the property common to all cyclic groups, i.e we always wrap back to 1 after one cycle so that a new cycle can resume from there. In the previous lecture, you did prove this property using fermat's little theorem but only in Z*_p., where p is a prime. Do I misunderstand anything?
At 44:00 you speak of your colleague teaching the next course in Crypto. Any suggestions on where we should go after finishing your book and all of the youtube lectures?
The course in this YT channel is really an introductory course in applied cryptography. If you want more advanced crypto, I can recommend:
Nigel Smart's "Cryptography Made Simple" by Springer. This book is mixture between the computational crypto that I teach and modern, abstract cryptography.
Jon Katz/ Yehuda Lindell "Introduction to Modern Cryptography" -- This book is considerable more abstract than what's being taught in my intro course. But it gives you a real good introduction into modern cryptography, esp. if people want to do research in this field.
The only online course I am aware of are the courses by Dan Boneh available on Coursera. Esp. his course Crypto II should provide material beyond what's taught on my channel.
@@introductiontocryptography4223 Wow! Thank you very much! I very much appreciate your time and effort. After COVID19 sometime I hope to meet you at the next crypto event. I owe you a drink just for the videos and the book.
My intention is to implement a new message protocol but had no crypto background as I'm a self taught developer and so was very weak on the subject of math.
Thanks again for the answer.
Thanks Sir.. It was a great experience to understand a very difficult subject (especially me) in an easy way. sometime , I wish i could attend your lectures in reality. But., anyway these lectures helped me in the great way.. Sir, you are a great teacher. Thank you.
Sir , I ve a doubt, a to power 1, then 2 ...etc in lecture 13.. and in this lecture,, u wriiten alpha in this lecture as a primitive element .. is alpha and a means the same ie the primitive element ?
a does not mean primitive element in lecture 13. As stated in the videos, a primitive element (or generator), is an element of the group whose order equals the cardinality of that group.
Hi guys, I was wondering if anyone has any idea if we can find the continuation of this course, Theoretical Cryptography, online somewhere?
did you get a answer?
@@chakibbachounda1721 still waiting
go check out crypto-textbook.com and cryptool.org (this one is mentioned in the about section of this channel). both sites provide excellent textbooks (first is paid, second is free) that you can study from as well as a ton of superb additional resources. plenty enough to keep you busy for months if you dig that subject that much. i do. :)
I got an answer from Prof Paar to "what to study next" Hope it helps you.
@@Stillshot10200 How can I find that answer ?
Thank yo u professor Paar for this wonderful lecture series.. I never knew understanding crypto can be so easy and fun.. Really makes me sad with your constant persuasion to students to wake up.. I can give up anything to be in a class room like this.. Love your effort.. Also i would like to ask is there any similar course of yours for advanced crypto such as Blind signature, Range proofs etc??
jeder nur ein kreuz! .. made my day :D
In the lecture of DES, you said that your electronic passport is using 3DES but in this lecture, you said that it's using Ell. curves!
electronic passports typically use both, elliptic curves (asymmetric crypto) and 3DES as symmetric algorithm.
Are there any Zed P Star groups that DO NOT contain any primitive elements? How do I find a primitive element of a cyclic group? Brute force only? How do I prove that my chosen element is a generator? Brute force only?
1) The multiplicative group of Z*p is always cyclic if p is prime.
2) finding primitive elements: Basically trial and error. BUT, we know that the possible orders of elements always divide (p-1). Hence, you take a random element and raise that only to those possible orders, i.e., you only have to do a few exponentiations using the square-and-multiply algorithm. There is another shortcut which makes it even easier and saves you exponentiation. en.wikipedia.org/wiki/Primitive_root_modulo_n#Finding_primitive_roots
The best is if you do an example by hand.
cheers, christof
Thank you. Prof. Paar
I have read and re-read section 8.2 and my brain will not let go of this thought---
Suppose the following:
My choice of p is a large prime of aprox. 2^256.
(p - 1) is unfortunately the product of 2 * A * B where A, B are large primes of approx 2^128.
Is factoring this particular (p - 1) too hard to find phi in a reasonable time?
Are there some unfortunate choices of p that must be abandoned for practicality? or is this too unlikely to worry about?
What is the worst case scenario for (p - 1) ?
Also:
I tried to find a 'rule of thumb' to estimate the frequency of Primitive Elements given a 'p' of 2^x without knowing phi. My brain fell out. The wikipedia article said there were many but the formula it cites relies on knowing phi.
Many thanks,
Alice.
In Sec 8.2 in Understanding Cryptography we talk about discrete logarithms. In order to break those you do NOT have to know (and worry) about phi(p-1). BTW, in order to make discrete logarithms secure, one should choose primes with at least 2048 bits, where 3072 and 4096 bits are preferred for long-term security.
However, for other security reasons ("small subgoup attacks") one needs to exclude primes p where p-1 has only small prime factors. The general stragety for findings "good" primes p is to first find a large prime p'. Then compute p = 2 p' + 1 and check whether p is prime too. If not, try a new p'. I hope this helps. Cheers, Christof
thanks
Are the Theoretical Cryptography lectures also available?
Sorry, but no. The theoretical crypto course is taught by a colleague here at Ruhr Universität Bochum but they are not recorded. regards, christof
Thank you Christof for your prompt responses to comments here. It is a privilege to be able to have a conversation with a World Class scholar so easily.
It will be a great favour for us if the theoretical crypto course is also recorded and made publicly available on youtube. By the way, your lectures are awesome, sir, and have sparked in me a deep interest in cryptography. Thanks for your lectures and also thanks for making it available to us.
Does every set like {1, 2, ... p-1} where p is a prime number has at least one generator? (The operator is multiplicative.)
ja. More exactly: The mutliplicative group of a prime field GF(p) is always cyclic, i.e., there is at least one generator. Please have a look at video 13 of this series and Theorem 8.2.2 of my book (on which the course is based), www.crypto-textbook.com. regards, christof
when we consider GF(p) every element can plays the roles of a generator is this correct?
No. The generator needs to have order (p-1), and there is at least one such element. However, most elements will NOT have this order.
I had a confusion with the subgroup of GF(p) that has a prime number order where every element in that sub group is a generator. thank you very much. by the way how can I find a generator of a group or find the sub group that have a prime order ? you really are helping me a lot I wish one day I can return your favors.
34:00 Is where real math starts :D
I have some Question .
1) what if i don't choose primitive element?
2) If primitive element is required, how to choose the primitive element?
3) Can i Choose a composite number? How computationally difficult is it if i choose a composite number as a private key?
4) How difficult is to find the private key if i choose a prime number as a prime number?
5) How to choose private key's to make sure that it is computationally infeasible to find private key?. I would be waiting for your positive response.
Kind regards,
Are you still waiting? Or did you just find out the answers?
one question arises to my mind. how to prove following question?
Let g = 3 mod 83. Show that the order of g is belongs toZ*⇤p is a prime number?
If p is a prime, all elements in Z*_p have an order that divides p-1. For the example p=83, the possible orders must divide 82, i.e., the elements must have one of the orders 1, 41 or 82. regards, christof
Thanks sir
would you please sir explain one related question?
if P is prime no., P= 59 and considering two base no. g= 3 and g= 11.
which base is suitable for the purpose?
as of per my review g= 11 is suitable comparing 3. is this review is correct or wrong?
regards Sikder
P=Q ===
I don't think that a single person understands this....including the professor.