u r great teacher Prof Christof Paar, i wiish i could be in ur classes , ur lec series helped me a lot to prepare my lectures, i m also teacher ...thanku soo much
Thank you Prof.Paar for providing a very good series of lectures .It is very helpful for the students and researchers who starts his/her carrier in cryptography. Also,thanks to his whole team.
Great lectures Dr. Paar, I managed to make it through all of them up to this point so far. I think the student at 1:07:55 was correct, XOR'ing x and x' together should yield 0 if (and only if) they are equal; maybe this isn't how it is done in practice, though?
Another superb lecture by Prof. Paar. However, I have one observation. At 1:07:30, Prof. Paar writes the following on the board: s^e = x' mod n (using modulo equivalence rather than ordinary equality "="). It would have been clearer to me, at least, if he'd have _defined_ x-prime, x' , as s^e mod n and described the test for authenticity as evaluating whether or not x' equals x mod n (explicitly noting that the test computes x mod n rather than just x.)
At 1:12:27 can't the attacker change both X and S to suit each other as in previous transmission of the public key oscar also has access to e therefore he could change S and X in such a way that S^e equals X mod n. In that scenario won't the integrity be compromised?
+Introduction to Cryptography by Christof Paar which lecture of this video series on cryptography explain DSA and ECDSA? i really need to watch videos of those chapters because my exam starts from 27th may. btw, best of luck to your nation "german football team" for the upcoming euro 2016:)
+Introduction to Cryptography by Christof Paar .. At 1:04:23, where you were explaining about RSA digital signatures, Alice sends (n,e) to Bob. Here, what if some middle man comes and alters the contents in (n,e)? If that happens there is no point in applying these Signatures right?
+anil vedala Correct. You always have to make sure that Bob has the CORRECT public key from Alice. This is a huge issue in practice. Mostly, people use certificates for this. Please have a look at my Lecture 24 from this series where I talk about this. regards, christof
Excellent lecture. But what is the protection against VW making a copy of the order and claiming they received two identical orders for the ugly car from Alice?
Hello Mr. Paar. Thank you very much for a very interesting lecture. I have a simple question outside of this lecture. We have ECDLP problem and we have ECDSA algorithm. Is that proved that breaking ECDSA as hard as solving ECDLP?
I am not totally up-to-date with DLP research. However, I am pretty sure those two problems are NOT equivalent, i.e., breaking ECDSA doesn't imply solving the ECDLP. cheers
@@introductiontocryptography4223 Thanks for the answer. Someone who will solve ECDLP can also break ECDSA. So based on your answer, it means ECDSA less hard than ECDLP.
In RSA DS, how is it that we send X (the plaintext) in the channel? Doesn't this violate confidentiality? Aren't we supposed to decrypt it into Y and then send Y?
No, not if we are doing *digital signatures*. In this case, we do not necessarily encrypt but "only" want to protect a message through a digital signature. However, in practice, one very often wants to do both, i.e., signing and encrypting. In this case, one usually uses a symmetric cipher like AES and a public-key algorithm like RSA for signing. regards, christof
I loved the way of your lecturing and I would like to thank you prof. Christof Paar! thank you my God bless you more. i liked, commented and shared your videos as reward & subscribed your channel
Thanks Professor .One basic question The size of the signature is going to be same as the message. ? For example, -The size of the signature on a 100MB document will also be 100MB
In practice, the message is hashed and it is the hash that is signed. So signatures are typically ~ equal to the size of the RSA key (modulus) More details on why you need to hash before signing. crypto.stackexchange.com/questions/12768/why-hash-the-message-before-signing-it-with-rsa
Hello, how come we need to send x as well as s? Since we're decrypting s anyway, wouldn't s alone be enough? A tampered with cypher-text would invalidate the result of the decryption of s (it would make no sense/it would be a corrupted file). So what's the benefit of sending x as well?
I assume you are referring to RSA digital signature. You are right, if you send a message with a certain structure, say a text in a given language, a change in the ciphertext would most likely result in a nonsense plaintext after decryption. This holds also for regular symmetric encryption (and we would not need signatures at all). There are several problems with this approach, however. First, you will probably need a human user decide whether the message is corrupted or not while we would prefer an automatic decision by a computer. Second, if we send non-text messages, e.g., measurement data from a sensor, it can be very difficult to decide what is valid plaintext and what's not. Hence, if we send both, x and s, for signature validation we avoid both problems.
Good question. This is only true for RSA digital signatures. For verfication, one can use so-called "short private exponents", ie., values "e" that are only 16 bits long or so. With them, one computes for verification: sig^e mod n Because "e" is short, this is a fast operation. In contrast, for generating the signature, one computes: m^d mod n where "m" is the (hashed) message. The operation looks similar but the value "d" is 2048 bits long or more, so that this second exponentation takes waaay longer. Again, this is a peculiar property of RSA digital signature. With many other signatures schemes, signing and verfication are roughtly equally fast (or slow). Hope that helps, christof
@Introduction to Cryptography by Christof Paar ... At 59:00, Alice sends (X,S) right? There, Is X the encrypted form of actual message or the actual message itself? If X is the actual mesage, then middle men will get to know X right? That means we are not able to maintain the confidentiality of X, which is the whole point of cryptography..
+anil vedala I think I talk about this in the video: The point of dig. sign. is NOT to provide confidentiality but integrity, authentication and non-repudiation. If your application also needs confidentiality, you have to encrypt x as well. You can always combine encryption and digital signature. regards, christof
This man single-handedly saving my semester, MVP lad.
6:45 Digital Signature
25:35 Security Services
1:00:50 RSA digital signature
I wish our Prof gave a damn about us understanding as You sir Paar do .. respect .
You should be a math professor. Great explanation, and ... you care.
u r great teacher Prof Christof Paar, i wiish i could be in ur classes , ur lec series helped me a lot to prepare my lectures, i m also teacher ...thanku soo much
Mr. Paar, you are a hero.
Thank you Prof.Paar for providing a very good series of lectures .It is very helpful for the students and researchers who starts his/her carrier in cryptography. Also,thanks to his whole team.
Many thanks to you Mr Paar ! your methode to explain lectures is awesome.
after somitra sir(IITJ, india), he is the man who can teach very well the concepts of cryptography
Why do people want to sleep in his lecture? I just don't understand.
The course is in English because of Erasmus students. Most of them are there for partying anyway, such a pity..
I set the play speed x2 and still it's easy to follow, maybe his narration is too monotonous.
@@BarrettKillz Put Erasmus students to Gulags.
Very nice sir .
And thanks to you.
Great lectures Dr. Paar, I managed to make it through all of them up to this point so far.
I think the student at 1:07:55 was correct, XOR'ing x and x' together should yield 0 if (and only if) they are equal; maybe this isn't how it is done in practice, though?
Another superb lecture by Prof. Paar. However, I have one observation.
At 1:07:30, Prof. Paar writes the following on the board: s^e = x' mod n (using modulo equivalence rather than ordinary equality "=").
It would have been clearer to me, at least, if he'd have _defined_ x-prime, x' , as s^e mod n
and described the test for authenticity as evaluating whether or not x' equals x mod n (explicitly noting that the test computes x mod n rather than just x.)
Yes
Damn, nicely done. a Fan!
Thanks Prof Best Lecturer
Thanks Mr Paar !
Think I would have failed my course because of corona, but these videos saved me
Excellent work. Congratulations. Professor Paar, would it be possible to get the English subtitles lesson? Thanks you very much.
At 1:12:27 can't the attacker change both X and S to suit each other as in previous transmission of the public key oscar also has access to e therefore he could change S and X in such a way that S^e equals X mod n. In that scenario won't the integrity be compromised?
+Introduction to Cryptography by Christof Paar
which lecture of this video series on cryptography explain DSA and ECDSA? i really need to watch videos of those chapters because my exam starts from 27th may.
btw, best of luck to your nation "german football team" for the upcoming euro 2016:)
Hi professor can you please kindly make some video lectures on hash-based digital signatures covering both OTS and MTS?
+Introduction to Cryptography by Christof Paar ..
At 1:04:23, where you were explaining about RSA digital signatures, Alice sends (n,e) to Bob. Here, what if some middle man comes and alters the contents in (n,e)? If that happens there is no point in applying these Signatures right?
+anil vedala Correct. You always have to make sure that Bob has the CORRECT public key from Alice. This is a huge issue in practice. Mostly, people use certificates for this. Please have a look at my Lecture 24 from this series where I talk about this. regards, christof
Thanks for the response. But, I presume that these kinds of attacks are very rare and yeah, I'll watch the lecture number 24
Excellent lecture. But what is the protection against VW making a copy of the order and claiming they received two identical orders for the ugly car from Alice?
He doesn't really start till minute 12.
Hello Mr. Paar. Thank you very much for a very interesting lecture. I have a simple question outside of this lecture. We have ECDLP problem and we have ECDSA algorithm. Is that proved that breaking ECDSA as hard as solving ECDLP?
I am not totally up-to-date with DLP research. However, I am pretty sure those two problems are NOT equivalent, i.e., breaking ECDSA doesn't imply solving the ECDLP. cheers
@@introductiontocryptography4223 Thanks for the answer. Someone who will solve ECDLP can also break ECDSA. So based on your answer, it means ECDSA less hard than ECDLP.
Thanks so much!!
Any programming explanation of these lessons. Or any resources to learn programming for these lecture. Any helps
In RSA DS, how is it that we send X (the plaintext) in the channel? Doesn't this violate confidentiality? Aren't we supposed to decrypt it into Y and then send Y?
No, not if we are doing *digital signatures*. In this case, we do not necessarily encrypt but "only" want to protect a message through a digital signature. However, in practice, one very often wants to do both, i.e., signing and encrypting. In this case, one usually uses a symmetric cipher like AES and a public-key algorithm like RSA for signing. regards, christof
Yes, I understand. Thank you, Professor.
I loved the way of your lecturing and I would like to thank you prof. Christof Paar! thank you my God bless you more. i liked, commented and shared your videos as reward & subscribed your channel
Professor Paar you amazing teacher you should make cryptography courses available on Coursera platform.
Thanks Professor .One basic question
The size of the signature is going to be same as the message. ? For example, -The size of the signature on a 100MB document will also be 100MB
I think if you are going to use RSA for digital signature, it will be.....!!
In practice, the message is hashed and it is the hash that is signed. So signatures are typically ~ equal to the size of the RSA key (modulus)
More details on why you need to hash before signing. crypto.stackexchange.com/questions/12768/why-hash-the-message-before-signing-it-with-rsa
Hello, how come we need to send x as well as s? Since we're decrypting s anyway, wouldn't s alone be enough? A tampered with cypher-text would invalidate the result of the decryption of s (it would make no sense/it would be a corrupted file). So what's the benefit of sending x as well?
I assume you are referring to RSA digital signature. You are right, if you send a message with a certain structure, say a text in a given language, a change in the ciphertext would most likely result in a nonsense plaintext after decryption. This holds also for regular symmetric encryption (and we would not need signatures at all). There are several problems with this approach, however. First, you will probably need a human user decide whether the message is corrupted or not while we would prefer an automatic decision by a computer. Second, if we send non-text messages, e.g., measurement data from a sensor, it can be very difficult to decide what is valid plaintext and what's not. Hence, if we send both, x and s, for signature validation we avoid both problems.
I see. I guess the redundancy was resolved later with HMAC. :) Thank you, Prof. Paar!
Thanks
prof u didnt say why we just need a few bit to verify the signature
'caue the result should be 1 or 0 . So we need just 1 bit.
Fun. 👏
I don't get why verification is less costly than signature?
Good question. This is only true for RSA digital signatures. For verfication, one can use so-called "short private exponents", ie., values "e" that are only 16 bits long or so. With them, one computes for verification:
sig^e mod n
Because "e" is short, this is a fast operation. In contrast, for generating the signature, one computes:
m^d mod n
where "m" is the (hashed) message. The operation looks similar but the value "d" is 2048 bits long or more, so that this second exponentation takes waaay longer.
Again, this is a peculiar property of RSA digital signature. With many other signatures schemes, signing and verfication are roughtly equally fast (or slow).
Hope that helps, christof
@Introduction to Cryptography by Christof Paar ...
At 59:00, Alice sends (X,S) right? There, Is X the encrypted form of actual message or the actual message itself? If X is the actual mesage, then middle men will get to know X right? That means we are not able to maintain the confidentiality of X, which is the whole point of cryptography..
+anil vedala I think I talk about this in the video: The point of dig. sign. is NOT to provide confidentiality but integrity, authentication and non-repudiation. If your application also needs confidentiality, you have to encrypt x as well. You can always combine encryption and digital signature. regards, christof
Thank you for the response. It is clear now.
Ojala estuviera subtitulado
Surprise Surprise 54:23
Very low rate of information..