@YKJFX right, so why not only do that, and skip the sbox and permutations (which seem fast enough to basically amount to no ops, since they are public knowledge)?
@seventhsven Because you want to be able to reuse your secret multiple times. I invite you to read about one time pad (only adding a secret key to the plaintext, but a different key each time) vs many time pad (same as one time pad but with the same key every time) and why it's broken. I think you are greatly underestimating what the substitution layer, the permutation layer and the mixing layers are bringing to the table. Speed has nothing to do with the properties they bring.
8:15 Wasn't the Enigma machine's main flaw the fact that a letter could not become itself, so you could take an assumption, encrypt it and compare it to the intercepted encryption, and if the letter you tried to encrypt came out the same as the letter in the encryption, you knew the key was wrong? Surely not allowing a byte to become itself once encrypted is a security flaw not an advantage, as it limits the things you have to search for, and eliminates incorrect answers?
The S-Boxes are just one part of the entire encryption process. When examining the process from start to finish it is of course possible for AES to encrypt a byte to itself. In a substitution, it is actually a possible security flaw to map a byte to itself. This creates a fixed point which could open the cipher up to, for example, invariant subspace attacks.
Generally keys are generated randomly and you store that key somewhere that is deemed safe. 0x0123456789ABCDEF0123456789ABCDEF That there could be your key. Now imagine it wasn't a repeating hex sequence but actually random. That would be a pretty difficult password to remember. So you either have that stored securely someplace or you can link your key to a password if you'd like. There are many hashing functions out there that will take your plain text password and generate a 128 bit hash from it. That hash would then be your key.
They are derived. Not an expert but it mostly has to do with hashing the password to the desired bit length and then you follow the key scheduling algorithm on it.
This is shockingly close to a cypher I designed knowing nothing, except instead of an intelligently designed S-box I generated unique lookup tables for each round using Fisher-Yates on a secure PRNG seeded with the key. (And that was the only way the key was used, there was no key XOR step).
@13:17 (referring to AES instructions being built-in to CPU hardware): Is this also true for Serpent, Twofish, and/or any other reputable encryption algorithms?
@joeybf Standards for (example) where a car's brake pedal should be are non-controversial. But for encryption, and especially a standard that the world will use for every manner of computer security, falls under an entirely different level of scrutiny. Governments, with their bottomless resources, will dedicate huge resources to breaking the code or finding any weakness in the code. This is likely true for huge companies, too (Microsoft, Apple, Facebook, Google, Intel, etc). All of the above would love to own a secret to compromising AES. That is why it is important to keep and support other competitors to the AES standard (not have all eggs in one basket). It is likely that many businesses will not trust AES, over the concern that their government might have a way in. It is why I asked my question in my initial comment. Cheers!
If you're concerned by governments having a way into AES, then you'd have to be equally if not more concerned about them having a way into any of its "competitors". But in truth, there is no "way in" to AES. One of the main tenets of cryptology is that you make your cipher known to the world so that its security can be verified by everyone. If you're really so concerned, you can go crack open a number theory textbook and verify for yourself the mathematics that make it impenetrable.
@jasonschuler2256 Wired Equivalent Privacy (WEP) was touted as the impenetrable standard, and used by countless billions of wireless devices. That is, until it was cracked, and is now deemed unsafe. Enter Wi-Fi Protected Access (WPA). Yet another champion of impenetrable wireless encryption standardization. That is, until it, too, was cracked, and is now deemed unsafe. Enter WPA2. Much better, but still has a vulnerability. All manner of encryption algorithms have been breached over the decades. Our military once used Indian "Code Talkers", because the finest minds of the day could not ensure that their encrypted communications were safe. History is replete with encryption standard after encryption standard found to have vulnerabilities. And whatever the standard of the day is, is the one that will be the target of every major technology company and every government world-wide. They have resources that would make your head spin. No one single encryption scheme should be supported at the exclusion of all other encryption schemes. When the day comes that a weakness is found in Rijndael, we should have other similarly strong encryption schemes that are available for immediate use. There is simply no reason to dismiss other encryption schemes, any more than the silver medalist at the Olympics should stop competing for the gold.
@Perhaps No one ever touted WEP or WPA as impenetrable. I’ve worked as a cryptanalyst for decades, we knew they were weak when they were implemented, but there’s not really much we could do about it, as we were limited by the nature of WiFi itself. AES on the other hand has no such limitations. I mean, look at DES. No vulnerability was ever discovered in the DES algorithm. The only reason we had to switch was because computing technology eventually became fast enough to be able to brute force the 56-bit keys. But considering even 128-bit keys would take multiple millions of terabytes of memory to brute force, 256-bit AES will never be cracked. I would stake all my earthly belongings on that fact. But again, don’t take my word for it. Do the research for yourself. The information is there for you to discover. Go and do the calculations yourself!
At 8:32 he shifts the rows. However, since you already know how many steps you shift per row, isn’t it easy to crack it? Just reverse the process. Could someone tell me what I’m missing here?
@zarifatai both the column mix and row shift are reversible processes, they do nothing in terms of actually securing the data, the purpose would be just adding more diffusion (spreading out the data)
I do not understand the column mixing portion of it. If it overflows during addition and subtraction, it would make it nearly impossible to reverse, correct?
You should make a video about chacha20 and salsa20 encryption algorithms. They're modern, much faster and are not vulnerable to side-channel attacks like cache-timing attacks.
Computerphile and Numberphile are a blessing. I remember my math classes in college and we were taught different things about math but we were never told what they were used for. Now after seeing these videos I literally feel like I'd actually even enjoy learning maths. It makes sense because now I know why something is useful and when it may come in handy...
I didn't know Numberphile, I did need some motivation to study math... thanks
It's because this is also Nottingham University
Before I watched this video I had no idea how AES worked. Now I've watched it and still have no idea how it works.
Same goes for me
AES works by mixing stuff up a lot.
@cafeinst 😂 ikr, it's hard for u to figure if aes mixes it up or u just too cool to think clearly
😂
But that's not because it's not well explained, it's just a topic that is difficult to understand
I knew what AES is for over 8 years but today I learned how it works
That's exactly the same for me :) :P
same.. lol. I felt like a bot using it for so long without knowing how it really works...
Same to you 😂
There is an issue with the animation at 11:02. Matrix multiplication is not commutative, the matrix has to be multiplied from the left (the shown multiplication is not even doable)
Just came to write this
If you interpret the vector as a 1 dimensional tensor instead of a 4x1 matrix, the tensor contraction is at least defined for when the matrix is on either side, but still it's not commutative - you'd get a different vector than you're supposed to.
yes, A*B!=B*A
I was writing the same comment and then saw yours. Yeah!!! this mistake is confusing.....
Yep, this matrix multiplication is not possible as written in the animation (4,1)*(4,4) is not correct + it was the right way around on the paper:
(4,4)*(4,1) gives a (4,1) vector. Hopefully this will be fixed and re-uploaded.
Just a correction: the vector operand at 10:59 should be on the other side of the matrix. Matrix multiplication is undefined in the way you have it written because the sizes of the vector and the matrix don’t match.
I love his explanations but these videos give me the feeling that the camera-man just randomly bursts into Mike's office and asks him random questions.
which is prob what happened
in the first seconds of the video I thought it was a scene from The Office lol
@firezdog Lol totally what happened with the preprinted diagrams and all.
LOL
how's that a bad thing?
Absolutely love the way Mr. Pound teaches. Can listen for hours together. Waiting for many more such interesting videos.
Dr Pound.
Thank you for making these videos. I have been watching them for years, finding the algorithms fascinating and the explanations very easy. As a second year CS student I must say that watching this channel really helps me now more than ever. Keep up the awesome work!
Hey computerphile, thanks to all of the team for sharing the enthusiasm of Computer Science with me and other students, it's easy to find the lectures boring so I come here often to get more insights and intuitions. Being here enables me to learn things casually.
I just want to say this is a great description of Galois fields in practical use. I learned it from textbooks way back when, and it was mind boggling.
0:36 Encryption
2:34 XOR
2:55 Process.
3:20 Rounds of encryption.
7:40 Byte replacement.
8:33 Row shifting.
13:00 AES errors and CPU.
He taught the nitty gritty, your way of teaching and breaking things up into chunks is just wow. Thank you Man, you just won my heart. Watching this in 2024 makes sense 😄🚀
I just talked a few hours ago with a colleague about how we could use this encryption on an arduino to secure the data sent to a raspberry for a project (never used it before). And now you upload this... I need to use a mic detector in my classroom. Thanks for the explanation!
You're an excellent teacher, you took something very complicated and made it easy even for someone like myself who only has A level education in maths.
I literally just learned this yesterday in my cryptography class. Great refresher Dr. Pound!
Dude! you're just a legend and so clear in your explanations! What I couldn't stop noticing is the scene you're filmed in. You sitting next to a white board is absolutely identical to watching The Office!
1:46 Drawing a 4 by 4 grid 101:
1. Draw a square (roughly)
2. Draw a vertical line through the middle.
3. Draw 2 more vertical lines through the middle of each half.
4. Draw a horizontal line through the middle.
5. Draw 2 more horizontal lines through the middle of each half.
6. Look at your grid and ask yourself how you screwed it up this bad.
"Captain, this vessel seems to be emitting a Galois Field. It has rendered our sensors completely inoperative."
"...our tensors..." surely? 🙈
This man is one of the most interesting people I have ever had the pleasure of listening to. Kudos!
Yes, been excited for more AES since the last video! Always love when you discuss cryptography on this channel.
A lecture of 1.5 hours and I didn't understand it; just watched this video and understood it in 14 min. TY, you saved my semester.
It'd be insane if he actually encrypted a message going through all of those steps
not much was talked about the generation and usage of the key
They have done other videos on key generation, presumably it just uses any of the other standards for that.
All these keys and I can never find my own 🤔
There are vastly differing ways in which the keys are generated, but the purpose of the video is the algorithm utilizing a given 128bit key. I’m no expert upon the AES so I cannot explain exactly how the key is utilized, but I’m guessing that is what dictates the matrix chosen, the number of row swaps, things like that
@SirFancyPants21 the key only matters for the XOR functions, where you add the round key
I think the key seeds the generation of a series of round keys using a method he says he explained in another video, and the round key is just "added" to the block after each round. (And "add" in this field means XOR)
1.5M subscribers! Great job guys :D
As mathematicians will have noticed, during the mix columns animation the vector goes on the right, it's correct on the paper.
Fabulous animations though as always Sean ;)
Dr. Mike makes all the logics so charming and interesting. What a pleasure to listen to the logics through him!!
10:00 I judge the paper as more than worth it. I really appreciate your videos. Often they provide me with the inspiration for my work even when it has no direct bearing on the task at hand. I was reminded of this when you referenced Turing, because I remember watching the one on Turing operations and it making it easier for me to develop a pickle-based data storage for my app that was significantly faster [in terms of read and write times] than an SQLAlchemy-based solution. I've used the same DB in my last 3 Android apps and every time I initialize that git submodule, I say a little thank-you to Alan Turing and Computerphile for giving me the courage to try something more ambitious than a command-line tool or Django-site. Baie dankie, from Southern Africa.
Very well explained. Thank you so much for taking the time to record and post this!
This is a blessing, couldn't be explained more clearly. Could we see an ElGamal cipher video please.
Love you guys.
Damn, I can listen to him for hours. I know what AES is, I have used it many times for development, but I have never looked into how it actually works. Hands down the best video.
Great job on explaining it guys! Thank you for making these for free!
OMG we just ended the semester and AES was covered in one of my modules! Wish I had this video a while back... Thanks for the upload though :)
You can tell this stuff makes him very happy. I have no clue how this works after watching this, but I'm happy for him. 🤷🏾♀️
Dr. Mike rocking! Best Man for teaching things with Humor!
I just want to know everything he knows ._.
8:01 - No byte can become itself? Wasn't that the CRUX of how the enigma machine was defeated?
The Enigma machine didn't do permutation.
That's fine for an S-box where you expect a non-linear relationship of bits. In fact you don't want some bytes to be mapped to themselves as that introduces a fixed point into the cipher construction.
@SillyMakesVids True, but it did substitution... which was what I was referring to. Not saying this is a vulnerability of AES, but just curious why they didn't let same substitutions as the input
That's only for a part of AES's internal operation. With Enigma, a byte of the input couldn't give an identical byte as the output - which means you immediately know something about the plaintext for any ciphertext. That's not true for AES.
With enigma there was a one to one output. For each encryption one letter of the message got mapped to a specific letter of the output.
That's how in combination with knowing a letter can't be itself they tore it apart
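An added example, not code from the video or from any commenter, that checks two points raised in the threads above in working Python: from the MixColumns thread, that the column vector has to sit to the right of the matrix (treating it as a row vector as in the animation is defined but yields a different vector), together with the inverse step and the diffusion the step provides; and from the Enigma thread, that the AES S-box, built from the GF(2^8) inverse and the affine map, has no fixed points. The matrices, the affine constant 0x63 and the test column d4 bf 5d 30 are the ones from the FIPS-197 specification; the function names are mine.

```python
# Added example, not from the video or any commenter: AES MixColumns as a
# GF(2^8) matrix-times-column product (matrix on the left, as on the paper),
# the inverse step, the diffusion it buys, and the S-box built from the field
# inverse plus affine map, checked for fixed points.


def xtime(a):
    """Multiply a byte by x (0x02) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


# The MixColumns matrix and its inverse, exactly as in the AES specification.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mat_times_col(m, col):
    """M * v with v a 4x1 column: row i of M dotted with v over GF(2^8)."""
    out = []
    for row in m:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out


def row_times_mat(vec, m):
    """v^T * M, the orientation drawn in the animation.  Treating v as a 1x4 row
    makes the product defined, but it equals M^T * v, not M * v."""
    transposed = [list(c) for c in zip(*m)]
    return mat_times_col(transposed, vec)


def mix_column(col):
    return mat_times_col(MIX, col)


def inv_mix_column(col):
    return mat_times_col(INV_MIX, col)


def output_bytes_changed(col, byte_index, bit):
    """How many of the four output bytes change when one input bit flips.
    MixColumns is MDS (branch number 5), so a one-byte change touches all four."""
    flipped = list(col)
    flipped[byte_index] ^= 1 << bit
    before, after = mix_column(col), mix_column(flipped)
    return sum(1 for x, y in zip(before, after) if x != y)


def gf_inverse(a):
    """Multiplicative inverse in GF(2^8) as a^254; 0 maps to 0 by convention."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def sbox_byte(a):
    """AES S-box: field inverse followed by the affine map
    s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    b = gf_inverse(a)
    s = b
    for k in range(1, 5):
        s ^= ((b << k) | (b >> (8 - k))) & 0xFF
    return s ^ 0x63


SBOX = [sbox_byte(a) for a in range(256)]


def fixed_points(table):
    """Inputs the table maps to themselves; the AES S-box has none."""
    return [x for x in range(256) if table[x] == x]


def is_bijection(table):
    """A substitution must be invertible, i.e. a permutation of 0..255."""
    return sorted(table) == list(range(256))


if __name__ == "__main__":
    # Input column: the first column after ShiftRows in the FIPS-197
    # round-1 example, d4 bf 5d 30, which MixColumns maps to 04 66 81 e5.
    col = [0xD4, 0xBF, 0x5D, 0x30]
    print("M * v   :", [f"{x:02x}" for x in mix_column(col)])
    print("v^T * M :", [f"{x:02x}" for x in row_times_mat(col, MIX)])
    print("inverse :", [f"{x:02x}" for x in inv_mix_column(mix_column(col))])
    print("output bytes changed by one input bit:", output_bytes_changed(col, 0, 0))
    print("S-box fixed points:", fixed_points(SBOX), "bijection:", is_bijection(SBOX))
```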
This is the only channel on YouTube which I have the notifications turned on.
Love computerphile 😍
Thank you guys, your explanation is really helpful here, since it wasn't clear how all of this essentially works.
I spent around 5 minutes furiously scrolling through Computerphile videos trying to find "how aes works" because it was in the end of the previous video, and I couldn't find it so was a bit puzzled. I found other encryption content, but not this video. Turns out this one is uploaded AFTER the last video recommending it 👍😁
If a video is 'coming soon' I'll generally put 'coming soon' next to its title in the video description (which nobody ever reads) (in the interests of clarity, I try then to update the video description (which nobody ever reads) once the forthcoming video goes live)- HTH :) Sean
@Computerphile And the videos you produce are a breath of fresh air, and I hope to see more content from Dr Mike Pound. Really you should make videos with him at least each month, I don't care what the topic is, it's sheer joy watching content featuring him.
FYI the CNSA has recommended organizations stop using AES-128 as of January 2016 in their Algorithm Suite and Quantum Computing FAQ. If possible you should implement AES-256 to better secure from Grover’s algo
Was hoping this would come out
Woow
I was thinking of this TODAY and this vid comes out !
Plus its Mike Pound
Great video. I'm shocked that they still have music rule paper! Gives me nightmares of the IBM band printers I used to have to deal with on a S/38 :)
The interview part looks like The Office lol
Just last week I gave a presentation on how AES works and now this video is coming out. Anyway, I liked the video and can confirm that what he was talking about is correct :)
8:30 Why is it called Shifting the Rows? As it's a row rotation instead.
Just before my security exam, thanks!!
8:29 The AES designers could also have done rotations within the 4x4 grid (e.g., b0 shifts to b1, b4 to b0, b3 to b7, etc.), which is just a 4x4 cell permutation, but they didn't.
Best explanation I've found so far. Thank you.
Thanks prof. Can you explain the authentication tag used in AES GCM? What is the difference between GCM tag and authentication tag? Thank you
this video is a lot better than the last video I watched
Idk y but this guy is fun to watch. Like ik some of these concepts and he just makes me understand them more
Could you please add another video about the Key Schedule process? Because for every round we need to use a different subkey that is created during the Key Schedule process. This is important for a full picture of the algorithm.
These videos are amazing and very helpful but please do consider putting subtitles as there are a lot of people who do watch them and are from other countries. English subtitles would be amazing!!! Thanks
Hello. Can you explain the difference between AES and Twofish? I believe that Twofish was the runner up in the competition to select the standard encryption algorithm back in 1999 (I think)
this guy is a genius at so many different topics !
The most secure feature when it comes to the AES standard is its matrix being column-major.
Can you explain the iv? (Initialisation vector) and why having a unique iv helps?
I implemented AES and RSA in C++. AES is about 800 lines. RSA is about 300 lines. The thing that makes AES fast is that it's bit shifts and bitwise XORs. The 2 things that make RSA slow are mod exponentiation and prime number testing. Prime number test is an O(1) problem as you only do it once. So if you have a key pair, don't throw it out if you can avoid it. The mod exponentiation has to be done repeatedly and on large numbers that aren't native to machine code, numbers that can get up to 4 kbits long.
wow, funky, nice to learn how AES works, and also love Dr Mike's presentation style.
G
Thanks for this lesson. I have a question, what cipher mode is applicable in the AES encryption?
By cipher mode, I meant something like ECB, CBC, CTM, GCM, etc.
I think the ones most used are GCM and CTR, as they are the most secure, sometimes u might find CBC. Other modes, such as CFB, ECB or OFB are usable, but not believed to be secure
Don't the shift rows and mix columns operations combine into mixing the diagonals?
I've been waiting for this one!!
Brilliant explanation. A very helpful video for beginners who wish to learn the AES algorithm.
A separate video on the MDS matrix, with full example, would be nice. Haven't seen a clear example yet.
In the Galois Field, multiplication and inverse are not opposites, multiplication by n and multiplication by inverse of n are
Wow, this is beautifully explained!
How does this one guy know such a ridiculous amount about all this stuff, honestly really impressive
this is amazing i always wanted to learn the mechanics about AES
Keep doing these types of videos, I love them!
My professor Joan Daemen co-invented this cipher, really cool to be taught by one of the best!
Absolutely great way to share, great job!
AMD and INTEL have the AESNI instructions which are AESKEYGENASSIST, AESENC, AESENCLAST, AESDEC, AESDECLAST, AESIMC, PXOR and PCLMULQDQ and make use of the 128 data buses that are part of processors in the INTEL AND AMD ranges, therefore there are no side channel attack vectors, actually the AMD A10-7800k (Kaveri) can make use of the AESNI instructions so can run BitLocker very quickly.
“Does this ever go wrong?”
[nervous grin] “How so?” [tugs at collar] 😂🤣😂🤣
Thank you for this amazing video about AES...congrats
The guy is a Brit of the classical sense from another generation. Love it.
I literally have a project due this week, we need to implement AES on FPGA using VHDL code, and I'm lost. I really do understand it but just can't seem to be able to write the code
Which University are you studying in? What kind of course are you taking that has this kind of project? I would love to take such a course!
Best of luck!!! Debugging in VHDL is awful :(
@@yashbansod5628 Electrical/Computer engineering presumably. Any school with that kind of program would have projects like that.
There's plenty of VHDL/Verilog implementations of AES online. Look them up and learn from them.
VHDL was a true nightmare to me. I passed but really don't remember much. Best of luck dude!
Love this video, thanks!
You said that in some stages the bits are XORed with the key. How can this operation be undone during deciphering given it's not bijective?
Just found the answer to my own question: if the key is known, then XOR can be inverted of course.
Hell yes! Two in a row!
Correct me if I'm wrong, but take (c = a^b); therefore (a = c^b) and (b = a^c). If someone knows the plaintext of the ciphertext, what is to stop them from inverse XORing (if that makes sense) the ciphertext using the knowledge of the plaintext, retrieving the round key, and repeating this process to produce the original key?
The algorithm is way too complicated for someone to be able to retrieve the key knowing the plaintext and ciphertext; the steps described are used in several rounds, each time using a new extension of the original key.
@@franatrturcech8484 True, I've looked into this since my original comment. The IV helps obfuscate this as a potential weakness, and as the key round continues, both the key and original IV get lost in depth.
Hello,
Just to say that the content you guys put forth is so helpful in many ways... masters really!!
Only thing is, sometimes it's difficult to understand what they say... not quite familiar with the accent...
Please kindly make captions/subtitles available... it will help us to understand better... Thanks in advance
Very interesting video! Thanks for the insights.
If the sbox and permutations are so blazingly fast, and fully public, why do them at all? The reverse operations would be equally fast, so on the face of it, the jumbling only seems to be confusing to humans, while a computer wouldn't really care. What am I missing?
You're missing the fact that a secret key is added in for each round of the encryption.
@@YKJFX right, so why not only do that, and skip the sbox and permutations (which seem fast enough to basically amount to no ops, since they are public knowledge)?
@@seventhsven Because you want to be able to reuse your secret multiple times. I invite you to read about one time pad (only adding a secret key to the plaintext, but a different key each time) vs many time pad (same as one time pad but with the same key every time) and why it's broken. I think you are greatly underestimating what the substitution layer, the permutation layer and the mixing layers are bringing to the table. Speed has nothing to do with the properties they bring.
8:15 Wasn't the Enigma machine's main flaw the fact that a letter could not become itself, so you could take an assumption, encrypt it and compare it to the intercepted encryption, and if the letter you tried to encrypt came out the same as the letter in the encryption, you knew the key was wrong? Surely not allowing a byte to become itself once encrypted is a security flaw, not an advantage, as it limits the things you have to search for and eliminates incorrect answers?
The S-Boxes are just one part of the entire encryption process. When examining the process from start to finish it is of course possible for AES to encrypt a byte to itself.
In a substitution, it is actually a possible security flaw to map a byte to itself. This creates a fixed point which could open the cipher up to, for example, invariant subspace attacks.
Did you know why the XOR sign has a cross? because it gives output only when it is not sure
So many steps were skipped. Why skip the replacement field or the key expansion?
Matrix multiplication isn't commutative, and the operation shown in the animation is undefined since it's 4x1 times 4x4 rather than 4x4 times 4x1.
You are great sir the way of explanation is very nice thanks sir ☺️ for AES explanation
After watching this video I'm asking myself: can you better have not the grid but only one key, or the other way around?
5:10 correction: there is no finite field with just 10 elements. 8, 9 and 11 are possible but not 10. (In general only powers of primes are possible)
I was about to ask this, I was thinking "wait, is that possible or am I being slow today?"
Well, he said between 0 and 10. Sounds like 11 elements to me. 🙂
@@JNCressey: Ah, yes, you're right. Sounds like time for me to get some food...
When Computerphile is more math-oriented than Sixty Symbols...
As long as it doesn't overtake Numberphile we're still in the green. :)
Amazing. Very well explained. thank you for expanding my knowledge!
Very well explained, but can you explain to me how AES is combined with CBC or other block cipher modes, because I am very confused about it.
Just curious. How is a key generated or chosen? Does it comes from a user's password?
Generally keys are generated randomly and you store that key somewhere that is deemed safe.
0x0123456789ABCDEF0123456789ABCDEF
That there could be your key. Now imagine it wasn't a repeating hex sequence but actually random. That would be a pretty difficult password to remember. So you either have that stored securely someplace or you can link your key to a password if you'd like.
There are many hashing functions out there that will take your plain text password and generate a 128 bit hash from it. That hash would then be your key.
They can be! Using something called a password based key derivation function (PBKDF).
They are derived. Not an expert but it mostly has to do with hashing the password to the desired bit length and then you follow the key scheduling algorithm on it.
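Both routes the replies above describe, as an added example that is not from the video or any commenter: a key drawn from the OS random generator, or a key derived from a password with PBKDF2-HMAC-SHA256 (the password based key derivation function mentioned above). The passphrase, the salt handling and the 600,000-iteration default are my own choices.

```python
import hashlib
import os


def derive_aes_key(password: str, salt: bytes, iterations: int = 600_000, key_len: int = 16) -> bytes:
    """Stretch a password into an AES key with PBKDF2-HMAC-SHA256.

    key_len=16 yields a 128-bit key, key_len=32 a 256-bit one. The same
    password with the same salt and iteration count always gives the same key,
    which is what lets the key be re-derived instead of stored.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=key_len)


def random_aes_key(key_len: int = 16) -> bytes:
    """The other route: a key from the OS CSPRNG, which must then be stored securely."""
    return os.urandom(key_len)


if __name__ == "__main__":
    # Constructed demo values: a fresh random salt per password, stored alongside the ciphertext.
    salt = os.urandom(16)
    key = derive_aes_key("correct horse battery staple", salt)
    print("derived AES-128 key:", key.hex(), f"({len(key) * 8} bits)")
    print("random  AES-128 key:", random_aes_key().hex())
```

The salt is not secret, but it must be unique per password so that two users with the same password do not end up with the same key.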
As a cyber security student... this was as informative as it was confusing lol
That is to say, I learned a lot from this video but I am leaving with just as many new questions as I had coming in.
This is shockingly close to a cypher I designed knowing nothing, except instead of an intelligently designed S-box I generated unique lookup tables for each round using Fisher-Yates on a secure PRNG seeded with the key. (And that was the only way the key was used, there was no key XOR step).
Awesome explanation! Thank you!
Biggest fan guys! Keep up the great work!!
@13:17 (referring to AES instructions being built-in to CPU hardware):
Is this also true for Serpent, Twofish, and/or any other reputable encryption algorithms?
No, AFAIK it's only AES. Which makes sense because that was the point of having a standard, everyone can focus on just that
@@joeybf Standards for (for example) where a car's brake pedal should be are non-controversial. But encryption, and especially a standard that the world will use for every manner of computer security, falls under an entirely different level of scrutiny.
Governments, with their bottomless resources, will dedicate huge resources to breaking the code or finding any weakness in the code.
This is likely true for huge companies, too (Microsoft, Apple, Facebook, Google, Intel, etc).
All of the above would love to own a secret to compromising AES. That is why it is important to keep and support other competitors to the AES standard (not have all eggs in one basket). It is likely that many businesses will not trust AES, over the concern that their government might have a way in. It is why I asked my question in my initial comment.
Cheers!
If you’re concerned by governments having a way into AES, then you’d have to be equally if not more concerned about them having a way into any of its “competitors”.
But in truth, there is no “way in” to AES. One of the main tenets of cryptology is that you make your cipher known to the world so that its security can be verified by everyone. If you’re really so concerned, you can go crack open a number theory textbook and verify for yourself the mathematics that make it impenetrable.
@@jasonschuler2256 Wired Equivalent Privacy (WEP) was touted as the impenetrable standard, and used by countless billions of wireless devices.
That is, until it was cracked, and is now deemed unsafe.
Enter Wi-Fi Protected Access (WPA). Yet another champion of impenetrable wireless encryption standardization. That is, until it, too, was cracked, and is now deemed unsafe.
Enter WPA2. Much better, but still has a vulnerability.
All manner of encryption algorithms have been breached over the decades. Our military once used Indian "Code Talkers", because the finest minds of the day could not ensure that their encrypted communications were safe.
History is replete with encryption standard after encryption standard found to have vulnerabilities. And whatever the standard of the day is, is the one that will be the target of every major technology company and every government worldwide. They have resources that would make your head spin.
No one single encryption scheme should be supported at the exclusion of all other encryption schemes. When the day comes that a weakness is found in Rijndael, we should have other similarly strong encryption schemes that are available for immediate use. There is simply no reason to dismiss other encryption schemes, any more than the silver medalist at the Olympics should stop competing for the gold.
@Perhaps No one ever touted WEP or WPA as impenetrable. I’ve worked as a cryptanalyst for decades, we knew they were weak when they were implemented, but there’s not really much we could do about it, as we were limited by the nature of WiFi itself.
AES on the other hand has no such limitations. I mean, look at DES. No vulnerability was ever discovered in the DES algorithm. The only reason we had to switch was because computing technology eventually became fast enough to be able to brute force the 56-bit keys. But considering even 128-bit keys would take multiple millions of terabytes of memory to brute force, 256-bit AES will never be cracked. I would stake all my earthly belongings on that fact.
But again, don’t take my word for it. Do the research for yourself. The information is there for you to discover. Go and do the calculations yourself!
At 8:32 he shifts the rows. However, since you already know how many steps you shift per row, isn’t it easy to crack it? Just reverse the process. Could someone tell me what I’m missing here?
You are missing the key. If you have the key you're exactly right, you just reverse the process.
@@zoranhacker Ah, okay. Thanks. But what's the point of shifting the rows then?
@@zarifatai Both the column mix and row shift are reversible processes; they do nothing in terms of actually securing the data. The purpose would be just adding more diffusion (spreading out the data).
Spreading it out makes it harder to just guess the key and crack it.
Shifting disrupts patterns that could otherwise be exploited in cases like where the attacker knows part of the plain text.
I do not understand the column mixing portion of it. If it overflows during addition and subtraction, it would make it nearly impossible to reverse, correct?
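An added example (mine, not from the video or any commenter) that speaks to the overflow question above and to the earlier points about inverses in the Galois field and the reversibility of ShiftRows and MixColumns: multiplication never overflows because every product is reduced modulo the AES polynomial, every nonzero byte has a multiplicative inverse, and both layers undo exactly while still spreading a single changed byte across a whole column. The state layout and function names are my own.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael reduction polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply bytes as polynomials over GF(2), reducing modulo AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:        # degree 8 reached: XOR in the modulus instead of overflowing
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); AES maps 0 to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def shift_rows(s):
    """Row r rotates left by r; state is column-major, byte i at row i % 4, column i // 4."""
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]


def inv_shift_rows(s):
    return [s[(i - 4 * (i % 4)) % 16] for i in range(16)]  # rotate right: undoes shift_rows


def mix_columns(s, circ=(2, 3, 1, 1)):
    """Multiply each column by the circulant matrix whose first row is circ."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gf_mul(circ[(k - r) % 4], col[k])
            out.append(v)
    return out


def inv_mix_columns(s):
    """The inverse matrix is also circulant, with first row (14, 11, 13, 9)."""
    return mix_columns(s, circ=(14, 11, 13, 9))


def bytes_changed_by_one_flip(state, idx):
    """Count state bytes that differ after ShiftRows+MixColumns when only byte idx changes."""
    flipped = list(state)
    flipped[idx] ^= 0x01
    a, b = mix_columns(shift_rows(state)), mix_columns(shift_rows(flipped))
    return sum(x != y for x, y in zip(a, b))
```

The test values {57}·{83} = {c1} and {53}·{ca} = {01} are the worked examples from FIPS-197; a one-byte change always lands in exactly four output bytes because every MixColumns coefficient is nonzero.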
You should make a video about chacha20 and salsa20 encryption algorithms. They're modern, much faster and are not vulnerable to side-channel attacks like cache-timing attacks.