Excellent explanations Sir. Your explanations have helped me to learn many nook and corners of cryptography, starting from Symmetric/Asymmetric ciphers, key agreement, digest functions and how such cryptosystems are used over the wire, clubbed with my understanding of networking and studying about the TLS handshake(which actually does everything necessary covering the four tenets of cryptography), including algorithms as part of the cipher suites. Took over one and a half years going through your lectures, scanning through rfc's etc. Really! Thumbs Up! You deserve a salute!
Excellent lecture! Thank you Prof. Christof Paar. The way that you define a lane as a word makes it slightly easier to understand the formula compared to the specified documentation in the FIPS-202
Thank you for your consistent effort and detailed explanations, Professor Christof. Watched your videos detailing the workings of RSA and Extended-EA for an Mathematics Exploration report which will constitute 20% of my IB Math Grade. Your explanations and clarity have helped me understand what seemed to be an incredibly abstract and complex series of theorems and formulae. I sincerely appreciate your work and dedication to producing tutorials for free, so that the rest of the world may be able to benefit from your teaching. Thank you once again.
the constants for the rho step are the triangular numbers going by the order of the pi permutation, modulo 64. in addition, the iota constants are actually determined by setting bits 1, 2, 4, 8, 16, 32, 64 of each number to the output of an LFSR, in sequence.
Wonderful presentation, as all the others are! Question on technology making the current rounds in Cryptographic domain: Are you planning to offer video courses on "Differential Privacy" and "Homomorphic Encryption", both focused on Privacy which is becoming a very sought after area currently? My problem with the current internet content (both video and text) is that it is overly mathematical, which I don't mind if explained properly and less abstractly. I am hoping that you can offer the courses without overwhelming us with abstract theoretical math, but geared towards actual algorithms which we can understand at a basic level. We can then take it to actual implementation at hardware and software level. Thank you again for all your efforts.
Excellent lecture like always Professor Paar. I just had a thought, in the movie "Swordfish" Hugh Jackman was a hacker and in the first 'crypto scene' he was operating on cubes to break the cipher. I think back in the day (this is early 2000s) they already visioned an algorithm in crypto that was to be 3-dimensional :D
Dear Christof, thank you for your course. I have a question related to use of SHA3 as a PRNG as you propose in the lecture. You suggest that one can simply continue to squeeze the sponge and take the part of the block. But this looks deeply concerning since the bits such a generator outputs are feeded back again into the F function of the next iteration. So in case we want to use this approach in an CSPRNG we are baisically giving an attacker a pretty large portion of the state of the generator for free. This looks pretty dangerous. Is this secure because the part of the generator state is not revealed? Even if so I still think I would rather run a Hash DRBG as proposed by NIST based on SHA3 rather than this....... What do you think?
Good consideration but the SHA-3 sponge construction is exactly designed so that you *can* squeeze out r bits securely in every iteration if you run it as PRNG. Even though the attackers has the r state bits, there are c capacity bits that are not revealed to him/her. The smallest standardized number for c is c=512 (where r=1088). Note that the f function in SHA-3 performs 24 iterations which is sufficient to prevent attacks. --- I am not a symmetric cryptographer myself. If you want to get deeper into the security consideration of sponge constructions, I would suggest that you start with the excellent page that the Keccek team maintains: keccak.team/sponge_duplex.html cheers, christof
where i can find this additional chapter of the book there is no link provided for that. it would be of great help if it can be provided. thanking you sir for the effort
Hi, For Rho and Pie step - Does this rotation in Rho step takes places 25 times and then move forward to pie step? or is it r[0,0] -> pie step and again r[0,1] pie step. Thank you.
For the teta step. I want to know if I have to do the operations with a copy of A (the state) after I xor with A of origin Or do the operations directly on A ? Because if we make directly on A modifies the previous elements of the slice, they will have an impact on the calculation of the elements which succeed them.
Hello Professor, In SHA-3, when considering X0, what is the other input for XOR ? As per block diagram, its coming from r. Assuming r is a register, what contents should we be assuming? Thanks and Regards, Srinivas
There are actually independet of each other and it does not matter too much which one you watch first. It is a bit more natural to watch them in the order 21, and then 21 (update). regards, christof
I am looking forward to starting my masters studies at RUB, but I was wondering if it is common practice for Profs at RUB to write everything on the blackboard? The Profs at my current Uni just project their slides and also upload them for the students which makes preparing for the lecture and studying for exams very pleasant.
@@introductiontocryptography4223 I, for one, really love that you do this on a blackboard. Watching you build up and draw each part step by step is so much better than looking at a fixed slideshow.
The SHA-3 extension chapter is on the companion site of our textbook: Go to www.crypto-textbook.com -> Sample Chapter and scroll down to "Extension Chapter", after Chapter 11. Good luck with learning crypto, christof
Thank you very much for this! Helped me a lot in my studies... However, I believe the reason for your "mistake" in the Iota-subfunction, is because it is split into 2 algorithms, where the last of these is responsible for the round-constant and not the Iota algorithm in general, which is why you had noted table 1.4 and not 1.5. So a piece of the puzzle seems to be missing from this lecture... But a great lecture nontheless!
Professor Paar is a true legend. I am proud to have learnt Crypto from him at UMASS Amherst
Excellent explanations Sir. Your explanations have helped me to learn many nook and corners of cryptography, starting from Symmetric/Asymmetric ciphers, key agreement, digest functions and how such cryptosystems are used over the wire, clubbed with my understanding of networking and studying about the TLS handshake(which actually does everything necessary covering the four tenets of cryptography), including algorithms as part of the cipher suites. Took over one and a half years going through your lectures, scanning through rfc's etc.
Really! Thumbs Up! You deserve a salute!
Did not expect an upload on this channel after 3 years, much appreciated!
i really feel good when i listen to you prof. i watched you lectures while i was preparing my PhD, and now i am PhD and still watching your lectures
Congratulations on that
This is a wonderful video! THANK YOU so much Christof Paar, you are doing the world a great justice by sharing this with us!!!
Excellent lecture! Thank you Prof. Christof Paar.
The way that you define a lane as a word makes it slightly easier to understand the formula compared to the specified documentation in the FIPS-202
Thank you for your consistent effort and detailed explanations, Professor Christof. Watched your videos detailing the workings of RSA and Extended-EA for an Mathematics Exploration report which will constitute 20% of my IB Math Grade. Your explanations and clarity have helped me understand what seemed to be an incredibly abstract and complex series of theorems and formulae. I sincerely appreciate your work and dedication to producing tutorials for free, so that the rest of the world may be able to benefit from your teaching. Thank you once again.
Studying SHA-3 for a cryptography final. Your explanation is fantastic. Thank you for sharing your lecture.
Thank you for sharing your knowledge for free sir, appreciate it!
Crypto 314 nice yt channel u got too
This is way clearer than my professors have assed 25min explanation. Thank you.
I finally undestood sponge function. I is hard to understand it fully just by looking at the scheme, explanation of Christof helps a lot.
the constants for the rho step are the triangular numbers going by the order of the pi permutation, modulo 64. in addition, the iota constants are actually determined by setting bits 1, 2, 4, 8, 16, 32, 64 of each number to the output of an LFSR, in sequence.
Thanks for the update! Good to see that you are still supporting young minds on crypto.
Long waited lecture ...thanks Prof. Paar!
Thank you Professor, great lectures.
Wow, new video! Much appreciated! Please post more!
Wonderful presentation, as all the others are!
Question on technology making the current rounds in Cryptographic domain: Are you planning to offer video courses on "Differential Privacy" and "Homomorphic Encryption", both focused on Privacy which is becoming a very sought after area currently?
My problem with the current internet content (both video and text) is that it is overly mathematical, which I don't mind if explained properly and less abstractly. I am hoping that you can offer the courses without overwhelming us with abstract theoretical math, but geared towards actual algorithms which we can understand at a basic level.
We can then take it to actual implementation at hardware and software level. Thank you again for all your efforts.
There is one mistake on 1:37:20 you should not add the constant but xor it with the [0, 0] element
Excellent lecture like always Professor Paar. I just had a thought, in the movie "Swordfish" Hugh Jackman was a hacker and in the first 'crypto scene' he was operating on cubes to break the cipher. I think back in the day (this is early 2000s) they already visioned an algorithm in crypto that was to be 3-dimensional :D
This is quite a sweet video, nice work man.
At 40:00 it's not clear what the initial value of the b=r,c register is.
Dear Christof, thank you for your course. I have a question related to use of SHA3 as a PRNG as you propose in the lecture. You suggest that one can simply continue to squeeze the sponge and take the part of the block. But this looks deeply concerning since the bits such a generator outputs are feeded back again into the F function of the next iteration. So in case we want to use this approach in an CSPRNG we are baisically giving an attacker a pretty large portion of the state of the generator for free. This looks pretty dangerous. Is this secure because the part of the generator state is not revealed? Even if so I still think I would rather run a Hash DRBG as proposed by NIST based on SHA3 rather than this....... What do you think?
Good consideration but the SHA-3 sponge construction is exactly designed so that you *can* squeeze out r bits securely in every iteration if you run it as PRNG. Even though the attackers has the r state bits, there are c capacity bits that are not revealed to him/her. The smallest standardized number for c is c=512 (where r=1088). Note that the f function in SHA-3 performs 24 iterations which is sufficient to prevent attacks. --- I am not a symmetric cryptographer myself. If you want to get deeper into the security consideration of sponge constructions, I would suggest that you start with the excellent page that the Keccek team maintains: keccak.team/sponge_duplex.html
cheers, christof
where i can find this additional chapter of the book there is no link provided for that. it would be of great help if it can be provided. thanking you sir for the effort
I miss these live lectures :( All online now
Happy Birthday to your Son Sir!!!!
Seriously excellent video. My only complaint is that the audio is a little too quiet.
"This is pretty dramatic" -> Wins the internet today ! :D
Hi,
For Rho and Pie step - Does this rotation in Rho step takes places 25 times and then move forward to pie step? or is it r[0,0] -> pie step and again r[0,1] pie step.
Thank you.
Any programming explanation of these lessons. Or any resources to learn programming for these lecture. Any helps
For the teta step. I want to know if I have to do the operations with a copy of A (the state) after I xor with A of origin
Or do the operations directly on A ?
Because if we make directly on A modifies the previous elements of the slice, they will have an impact on the calculation of the elements which succeed them.
Hello Professor,
In SHA-3, when considering X0, what is the other input for XOR ? As per block diagram, its coming from r. Assuming r is a register, what contents should we be assuming?
Thanks and Regards,
Srinivas
SHA3 clearly explained.
@30:49, shouldn't the third row be 767 instead of 768?
Oh, never mind, it was corrected.
Are there going to be more videos? Has some other course started?
Sponge construction starts at @20:44
Should I watch the "Lecture 21" video before this "Lecture 21 (update)" or is this a replacement?
There are actually independet of each other and it does not matter too much which one you watch first. It is a bit more natural to watch them in the order 21, and then 21 (update). regards, christof
I am looking forward to starting my masters studies at RUB, but I was wondering if it is common practice for Profs at RUB to write everything on the blackboard? The Profs at my current Uni just project their slides and also upload them for the students which makes preparing for the lecture and studying for exams very pleasant.
Most courses are NOT taught with blackboard (and many of my professor colleagues make fun of me :)
@@introductiontocryptography4223 I, for one, really love that you do this on a blackboard. Watching you build up and draw each part step by step is so much better than looking at a fixed slideshow.
sir when will you upload next lecture
nicely explained.
Anyone found that PDF for the extension chapter?
excellent speaker!
truly appreciated, thanx sir
Good evening Pro. christof
I have a question What is a problem with using serial number as a password? from security aspects
Is there is a problem?
hi, did anyone know how gf multiplication operation done ?
that -> sät ... usw. Ist es denn zuviel verlangt, wenn man im 21. Jahrhundert eine halbwegs korrekte Aussprache erwartet? So was kann man üben.
How can I get extension chapter pdf?
The SHA-3 extension chapter is on the companion site of our textbook: Go to www.crypto-textbook.com -> Sample Chapter and scroll down to "Extension Chapter", after Chapter 11. Good luck with learning crypto, christof
@@introductiontocryptography4223 thankyou professor 🙂
31:23 Keccak
Oscar was here.
Why? The video repeats?
Professor Christof you look more grey then your last video ..... and is that a vold spot I see !
Bravou🔔🥀👍🙏💟
24:26
Thank you very much for this! Helped me a lot in my studies... However, I believe the reason for your "mistake" in the Iota-subfunction, is because it is split into 2 algorithms, where the last of these is responsible for the round-constant and not the Iota algorithm in general, which is why you had noted table 1.4 and not 1.5. So a piece of the puzzle seems to be missing from this lecture... But a great lecture nontheless!
Before proof after proof sha dis algorithms.
P-SHA-333=π
I guess coming prepared would be better.. You can explain this in 15minutes.
We do go get your video on the subject?