13:00 Finite Groups
32:55 Cyclic Groups
1:07:20 Fermat's Theorem
I have to say, I really like these lectures. Thank you very much for providing them publicly for all of our benefit! I watch them all the way through and continue with the next...it's great! :-)
I like it when someone knows the details. Most of my teachers didn't really care about details.
Diffie-Hellman 0:15
Finite Groups 13:00
Cyclic groups 33:00
Cyclic groups properties 1:04:00
So much better than my graduate professor. My theory is different schools don't necessarily have students that are significantly more intelligent, but the better institutions have instructors who know how to communicate the information effectively. Thanks for being organized and clear!
I just love every time Prof. Paar says " surprise surprise " 😂😂
Thanks Prof. Paar, you teach very well and helped me a lot to understand the cryptography basis!
Kinda stumbled upon this, and just kept watching while I did the dishes 😅
Gotta say, this is perhaps the clearest explanation of the cyclic group structure that underpins the Diffie-Hellman Key Exchange algorithm. I hadn't appreciated abstract math in this context until literally right now.
Also, I've known the math behind groups for years (mostly applied to the study of tensor calculus) but this is the first time I've ever seen them so effortlessly applied to cryptography! I'm a college dropout, so if I found your lectures easy to understand and deeply insightful, that's a strong sign that you really, really, know what you're doing! I think I need to look up your entire course now haha.
Best wishes 🏆🙏🏽🎊 and thank you, again! 🙌🏽
god made woman to wash dishes bro
Excellent tutorial!
One thing to mention: Theorem 8.2.3 applies to all finite groups, not just cyclic ones.
These lectures are gold. Thank you so much.
I liked this lecture. You are a really amazing professor. I will rediscover cryptography after having given up 17 years ago.
Never seen such a nice explanation. You nailed it. Thanks for such a wonderful lecture ^_^
We're 13 lectures in and I'm just now finally getting used to how he writes the number "1".
You are an absolute Legend, professor Paar!
This is a really good way to get some deeper knowledge into Crypto.
Awesome explanations. Thanks, professor!
Thank you Professor, great lectures
Thanks for all of your hard work. I'm not sure whether the video uploader is one of his students or himself :P
Prof Paar is God of cryptography
"Everyone wake? ..... One person doing Facebook. That's ok".
All joking aside, awesome lecture. Can't thank you enough for the book and this content.
I liked that Facebook comment too. So casual yet drives home the point.
Thanks Professor,
Just wondering what will happen if the group is not cyclic.
In that case, alpha will not be a primitive element. But I assume we still have the DLP. Is it that a brute-force attack will be easier?
When you are writing down the theorem at 1:05:00, shouldn't there be a "mod" in front of the expression? It makes it a bit confusing. I also noticed this was the same in the textbook. Should it be "mod p"?
+Mojtaba Komeili I know what you mean but, no, it is correct without the mod operator. Here is why: The two properties that I state hold for ANY cyclic group. The only cyclic group we have considered so far in the lecture is the specific cyclic group that you get when you do integer arithmetic mod p, p being a prime, i.e., prime fields. However, there are other cyclic groups which are NOT prime fields. An example is the cyclic group which is formed by an elliptic curve, cf. Lectures 16 and 17. I hope this helps, regards, christof
OK, I see now. Thanks a lot, this clarified the matter for me.
Thank you very much for every effort ...
It is appreciated.
Time: 29:15
You say that 4*5 mod 9 = 6.
I think it is 2.
Omed.
OMED MUHSIN I believe the point is that, without the theorem discussed next, you might think it's possible that multiplying two elements in the set may not result in an element that is in the set - he wasn't stating that the result is 6, but that it could be.
Amazing lecture
In the public key exchange (12 minutes into lecture), Bob and Alice can select different P (prime) numbers but they must agree on a common alpha. How is this practically done? I suspect this has something to do with the generator G but it isn't clear how they agree on the same value.
Orange is your colour, looking too awesome for a professor.
Can someone please explain how, in the equation a·a⁻¹ ≡ 1 (mod n),
a⁻¹ exists only if gcd(a,n) = 1?
(24:00)
It is a fundamental property of arithmetic modulo n that any element "a" from the set {0,1,...,n-1} only has an inverse iff
gcd(a,n) = 1
I do not give a proof but I talk about it in Lecture 2 of this series. Hope this helps, christof
Thank you Professor @introductiontocryptography4223
14:45 "hand waving means to underhof (?)". What did he say in German?
"ungenau" which translates to "inaccurate", "imprecise" or "vague" :)
@introductiontocryptography4223 I'm a born English speaker, and I do recognize English is a Germanic language. So the language lineage explains part of it. But that word actually *sounds* like its meaning, inaccurate. There must be a language center in the brain that is independent of (or universal to) particular languages.
Hello Professor
What is the difference between a public key and a dynamic public key? Is a dynamic public key a long-term key and hard to guess?
Regards
i love u prof .. thank you sooo much
Easy explanation of math. Thanks!
I'm confused about whether cyclic group means "has a SINGLE generator" or "has a generator, maybe more than one". The order of $Z^*_p$ is (p-1), which is necessarily NOT a prime number, so it seems like you could break the discrete log problem more easily in this group.
You have a cyclic group if there is at least one generator. There is almost always more than one generator. The number of generators in a cyclic group with n elements is PHI(n), where PHI() is Euler's phi function.
Regarding your other observation: Yes, in a group with p-1 elements one has to be a bit careful. What is done in practice is to choose a large subgroup within the (p-1) cyclic group which has a prime number of elements. That means: one looks at the prime factorization of (p-1) and hopes that it has one large prime factor p'. If that is not the case, try a different p and check whether the new (p-1) has a large prime factor. And so on until you find a (p-1) which has a large p' as a factor. cheers
Danke (I'm also learning German from your videos)! I was asking because for some things (like Pedersen commitments?) it seems really important to use a prime order group. I don't know why, though. The basic idea seems to be to make sure to use a group for which Diffie-Hellman and discrete logarithm are equivalently hard?
Dear Professor, Is this possible that any Z*p group has no generator (or primitive element)?
Hello from the last 2 questions. This question is more at the protocol level than the crypto level, so if you feel it is inappropriate or needs to be asked in a different venue I won't be insulted. Anyway, my question has to do with Diffie-Hellman ephemeral. As far as I can tell DHE - which replaced RSA as the cipher of choice in TLS 1.2 as ECDHE because of perfect forward secrecy - means generating a new asymmetric private key each SSL session. Is that correct, and if so, does it mean that session reuse and PFS are diametrically opposed concepts and that using session reuse (abbreviated SSL handshake) is a non-sequitur when the ephemeral ciphers are used?
DH is not a cipher, but just an algorithm for key exchange, usually for exchanging an AES session key which is used for symmetric encryption to speed things up -> hybrid cipher. Permanent RSA keys are used by the server within the server certificate for authentication to prevent MITM attacks (although mutual authentication would be preferable).
You could of course also generate RSA session keys and exchange the public RSA session keys for encryption of the AES session key instead of using ECDH, but that's a lot more computationally intense (due to the differences in key length), so it's not being done. RSA key generation is incredibly slow, while ECDH is comparatively fast. That's why ECC is blooming as it is. It requires much shorter key lengths to achieve an equivalent security level than non-ECC asymmetric algorithms do. Its key length is, as a rule of thumb, on average just around twice that of AES.
And yes, key re-use and perfect forward secrecy are diametrically opposed concepts. Whenever you re-use a key for more than one encryption session, more than one session becomes tainted if this key somehow gets into the hands of nasty individuals. Obvious, right? So while key re-use for authentication (digital signature) is perfectly fine because it is a necessity, key re-use for encryption is not. Key re-use is evil, so avoid it whenever possible.
very very interesting!! thanks prof!
I have a doubt here.
You know P and alpha in advance, and you get to know the public key A. Now, you can compute the private key 'a', isn't it? Since the formula is A = alpha^a mod p (we know alpha, A and P now).
Someone please help here... I might be missing something.
Z11* P = 8, what is the private key without generating the whole group? You can generate the group and you will find my key. Replace 11 with huge. Zhuge* P = 8 where huge = 2^3000 (a prime in that range somewhere). In theory, you could find my private key, but in practice, you won't, because the sun will explode before you will find it.
Answer to the last question: 15. (5**15)%47 equals 41
Does Dr. Paar make any money out of this? Is there a Patreon page or anything?
No, the lectures are all open and free. My salary is paid by the (state) government :) If you want to support good teaching, people can buy the book by Jan and me on which the course is based. Thanks for asking, christof
you would be surprised. science does not usually pay that well.
Thank you Sir!
where is subtitles?????????????
best lecture ever
Why is alpha between 2 and p-2?
It can't be 0 or 1 because 0^a = 0 always and 1^a = 1 always.
It can't be p because p^a is congruent to 0.
It can't be p-1 because that's congruent to -1, so (-1)^a is always 1 or -1.
Alpha can be any number not congruent to 0, 1, p-1, or p.
Errata: Abel was Norwegian! :)
Erratum is the singular
@@modato97 pfff latin-lover
Can anyone please explain 5^x = 41 mod 47?
Where did 41 come from?
Good question :)
The number 41 was just randomly picked from the multiplicative group Z_47, which has the elements {1, 2, ..., 46}. The equation
5^x = 41 mod 47
is used to show that even for such small numbers it is not straightforward to compute the discrete logarithm, i.e., to find the correct value for x.
Hope this helps, christof
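An added example (editor's code, not from the lecture) covering both the question above about recovering a from A and the 5^x = 41 mod 47 example: a textbook Diffie-Hellman exchange over Z_47^* and the "generate the whole group" discrete log, whose cost is bounded by the group order. The secrets a = 6 and b = 13 are constructed values.

```python
def dh_exchange(p, alpha, a, b):
    """Textbook Diffie-Hellman over Z_p^* with public (p, alpha) and secrets a, b.
    Returns (A, B, k_alice, k_bob); the two shared keys must agree."""
    A = pow(alpha, a, p)          # Alice publishes A = alpha^a mod p
    B = pow(alpha, b, p)          # Bob publishes B = alpha^b mod p
    return A, B, pow(B, a, p), pow(A, b, p)


def brute_force_dlog(alpha, beta, p):
    """Solve alpha^x = beta (mod p) by stepping through alpha, alpha^2, ... until
    beta appears. Returns (x, multiplications); x is None if beta is not in the
    subgroup generated by alpha. The work is bounded by the group order, which is
    exactly why this is trivial for p = 47 and hopeless for a 3000-bit p."""
    x, val = 0, 1
    while val != beta:
        val = (val * alpha) % p
        x += 1
        if x >= p:
            return None, x
    return x, x


if __name__ == "__main__":
    # Lecture example: 5^x = 41 mod 47 (the answer given in the thread is 15)
    print("5^x = 41 mod 47  ->  x =", brute_force_dlog(5, 41, 47)[0])
    # Constructed toy secrets; what an observer sees is only (47, 5, A, B)
    A, B, ka, kb = dh_exchange(47, 5, 6, 13)
    print(f"A={A} B={B} shared key: Alice {ka}, Bob {kb}")
    # With p this small, the secret exponent falls out after at most 46 steps
    print("a recovered from A:", brute_force_dlog(5, A, 47)[0])
```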
I really wish i was one of your students!!
Keep at it, Hawas.
Prof, the definition says that ord(alpha) = |G|, but |G| is 11, not 10. The maximum order here is 10, where we meet 1 for the first time.
We are only looking at the *multiplicative* group, denoted by Z*, which contains only the elements {1,2,...,10}. Note that 0 is not in the group since it does not have an inverse. Hence, |Z*| = 10. Cheers, Christof
Yes prof, I got it. Thanks. I am following all your lectures.
Some teachers turn 80 minutes into gold.
Time: 1:19:00
5^x = 39 mod 47
would be a better example because you wrote 41 like 47.
In Germany, the "one" is written with two strokes, whereas in the US (and The Netherlands and probably other countries as well) it is just a straight vertical line. The German "seven" are the two strokes of the one AND a small horizontal bar.
Side note: For a while, I used the "US one" in my lecture (just a vertical line) but the German students complained :)
Use a different example. 39 instead of 41 would be better. No complaint.
Are you serious? Are you suggesting he should engineer all his examples to avoid writing 1s and 7s because students are confused by this difference of notation?
@introductiontocryptography4223 ahaha
thanks
But Oskar, for example, can figure out the private key from the public key because the public key is just a power of alpha and the private key (public key = alpha ^ private key). And since the two parties exchange the public key, Oskar can figure out the private key. And if this is the case, then the algorithm is not secure. Or maybe I am not understanding stuff correctly? Any answer would be highly appreciated.
No, the whole point of the crypto system is that Oscar can NOT compute the private key from the public key. This requires computation of the discrete logarithm which is a hard problem. regards, christof
Thank you very much for your answer. Actually, I realised this when I continued the entire video and by the end of it you explained the numbers are large so it is hard to compute that.
Big applause for your lectures, they are very helpful in my course now :)
It was this easy all along?!!
made it to 1000 likes :)
Hi professor,
If [Z*p] is a list ranging from 1 to p-1, excluding numbers where "$number mod p" is different from 1,
then [Z*11] should be {1, 3, 7, 9}, right?
But in your video, at ruclips.net/video/aeOzBCbwxUo/видео.html, you write that [Z*11] is {1,2,3,4,5,6,7,8,9,10}.
Shouldn't it be [Z*12]?
Thanks.
11 is a prime, so GCD(a, 11) is 1 for every element a of [Z*11]. 12, on the other hand, shares a GCD higher than 1 with 2, 3, 4, 6, 8, 9, so that group would be [Z*12] = {1,5,7,10,11}.
Buddy, I'm really struggling here. Do something.
Cotwo.
Diffie is Difflecultive.
ccc.de
Diffie-Hellman Key Exchange is Difficult math junction. Hacker