Dear Professor Paar, Thank you very much for sharing your lectures on RUclips! I am learning more from you than from my professor and my tutor. Our lecturer at the University of Melbourne can't even speak proper English, let alone teaching Cryptography. I solute you, and wish you the best! You're awesome!
There are different assumptions about Oscar's capabilities. The 4 major ones are: It is always true that he knows ciphertext and does not know the key. Often it is also assumed that he knows part of the plaintext, e.g., a file header. Another assumption that is often made is that he can choose the ciphers or even the plaintext. A good crypto system should be secure against all these attacks. Re timing: This is application specific. In classical communication security settings where Oscar is listening-in on the channel, e.g., the Internet or an air link, he also has the timing information. Also in embedded systems such as a smart card, he can observe the timing behaviour in a very detailed fashion. --- Hope this helps, christof
+Introduction to Cryptography by Christof Paar dear sir, i just want to ask if i have to transfer data to another computer. what is the more secure way? is it achieved by RSA algorithm or HTTPS protocol?
Another great lecture on stream ciphers! What I find great here is that Christof Paar proves that PRNGs alone are useless for encryption unless being used as a layer in a cryptographic system, as he suggests at the end of this lecture. Although I would forget PRNGs altogether and directly focus on TRNGs and CSRNGs.
Fantastic. Just subscribed and bought the book. My own understanding towards OTP ciphers, was via Vigenère, which I thought you would touch on. I understand RC4 to basically be a key-stretched version of Vigenère part way towards an OTP. Looking forward to the rest of the series.
wenn ich gewusst hätte dass es in der bochumer university so geile profs gibt wär ich dahin gegangen :D klasse und sehr verständlich erklärt! Hat mich als Software-Engineer sehr weitergebracht ;)
This may seem a little off topic, but towards the end of the lecture when you talk about breaking the Stream Cipher using LSFRs, given the vast number of implementations of different cryptographic algorithms, how would Oscar know that he is dealing a Stream, and not a block, or an Asymmetric Cipher? Great lectures, btw, really enjoying them and learning a lot. Thank you, Professor Christof Paar!
Thanks you professor. I started course to LFSR and now i like working at home. My project research is in area of cryptography and i have many lacks to this area. Nevertheless, your courses are a good tools to starts implementing my works
Another question, again general: In every problem of Cryptanalysis, we assume Oscar has knowledge of the CipherText, and no knowledge of the Key, or the PlainText. My question is, does Oscar have any knowledge of the exact time at which Alice is sending, and the the exact time Bob is receiving the message? I realise I may be drifting slightly off topic. Thanks!
In order to compute si bits you require both plaintext and ciphertext. However unless someone was attempting to facilitate an attack on the encryption wouldn't it be reasonable to assume that the attacker (Oscar) would only have plaintext (header) or the ciphertext?
is the following correct: assuming oscar knows s1 s2 and s3 so s3=s2xp2 + s1xp1 + s0x p0 and s4 ( what oscar does not know) = s3x p2 + s2xp1 + s1xpo ( x meaning multiplication) is this equation correct then and would it not be necessary to compute p3? (or if one was to substitute p0 for x p1 for y and p2 for z? or whould there be a 4th unknown variable ?
Near the bottom of page 42, you say (about he index or clock cycle) : "i=0,1,2..." but should this really be ( i >= m ), where m is the degree? Also, reversing the numbering direction on the circuit on page 43 from the other on page 42 is confusing.
Thank you for the lecture. I have a question, you didn't discuss where the key is used by the LFSR, I guess the vector (p_0, p_1,..., p_m-1) is the key right?
Exactly, as an example we use a single LFSR as PRNG. The key are the "feedback coefficients", ie., the bits that determine which registers are connected to the XOR path.
If an LFSR of a concrete configuration has not maximum length, can it also be that there are different disconnected cycles depending on the initial state (except for all zero)?
Yes, if you have a non-maximum length LFSR, there are feedback configurations that give "weird" cycles. As an example one can look at the LFSR with the feedback polynomial x^4 +x^2+1. Depending on the initial values in the four flip-flops, thee different cycles are generated.
Both are actually available online at www.crypto-textbook.com: For the slides, click Online Course->Slides, for the problem sets click Online Course->Videos. Note that the solutions for the odd-numbered problems are also on the website.
I have a question: how was it proven that you will always get ALL the numbers in the sequence and loop back to the beginning (length 2^N - 1 for N bits)?
Good question. We did NOT proof that maximum-length LFSR exist. However, what is said in the lecture that the longest sequence (= maximum lenght) that is possible is 2^n - 1. If such as sequence exist, it is easy to show that all n-bit binary numbers are generated since there are only 2^n-1 states possible with n bits if we exclude the all-zero state.
@@introductiontocryptography4223 I guess a better question now would be: how would one prove that some "multipliers" will guarantee full length periods and some won't, for a specified power of 2?
The maximal(!) period is 2^m-1. This does not mean that the period is always 2^m-1. Depending on the configuration of the pi's it may be smalle than 2^m-1. Indeed it was the intention of the example to illustrate this fact.
Why is solutions to a problem set deleted in the website? I hope someone post solutions again. Even the book doesn't seem to contain solutions to exercises. There is no good way to study without solutions as a self learner. There is no way to get feedback to working out exercises.
thank you for the series. having never had the economic opportunity to attend college, these types of openly available videos are indispensable to my desire for knowledge. I would have asked the question, does it matter if I end up using the most efficient polynomial? Isn't the point to have a long period? for instance, even if I have something like m=100, by coming up with an 'inefficient' polynomial eg, one that doesn't generate the longest sequence for m, aren't I still achieving my goal of generating a long period? Thanks!
Hey MaxB, I think you were going backward. You read high-order to low-order as left-to-right in his example diagram. And the highest order term (x^4 in this particular case) isn't associated with a p-bit, so it's just always there. The x^3 and below terms are associated w/ the p-bits. So the second-to-last output/feedback gets the x term, the last output/feedback gets the '1' term. If there had been a closed feedback wire after the first flip-flop, it would have gotten the x^3 term.
Excuse me professor. Can't we replace the multiplication with an AND gate? We say that if we have 0 for pi then the output will be 0 and when pi is 1 the output is equal to the input. So this means that we have an AND gate there.
I'm confused is when you say 2 to the m -1, you wrote it as 2 times m -1. Did you mean it as 2 to the power of m -1 or 2 times m -1 ? 1:17:20 1:27:41 52:20
I understand the LFSRs are not cryptographically secure. But how can they be made better secure using 3 LFSRs? What does that mean? Does that mean the Si used is an xor of 3 LFSRs? Is it explained in detail in the 'Understanding Cryptography' book?
What is key in this stream cipher system? I think [S0, S1,....,Sm-1] is the key. The 'm' and [P0,P1...Pi] are not part of key as only few of them exist.?
You have to use several LFSR and they have to be combined in a non-linear way. Have a look (on Wikipedia, e.g.) at the ciphers Trivium and A5 as examples how to do it. Regards, christof
Introduction to Cryptography by Christof Paar Is it not possible for someone to have a sufficiently big lookup table of all resulting pseudorandom number sequences, for multiple Pj reasonably sized seed values. Especially with the existence of supper computers and distributed computing.
Introduction to Cryptography by Christof Paar Why is it not considered proper to periodically reseed the register with a truly random sequence? I just saw that somewhere else; I thought you might have an answer, or did I just misunderstand? Thank you Professor.
All practial stream ciphers with LFSRs use more than one LFSR. Examples are the A5/1 GSM cipher or TRIVIUM, both of which use 3 LFSR. Here it is true what you state: The attacker knows the degree and the feedback coefficients p0, p1, p2 .... of the LFSRs. In However, in this very simplex example in the lecture we only use one LFSR and attacker does not know the p_i values. These values are the cryptographic key and the attackers wants to learn them. regards, christof
@@introductiontocryptography4223 Sir, we already know which set of primitive polynomials yields more length sequences(can be found on net) but we cannot use them as Oscar already knows about it.
Rose B I'm confused about that too. How does the reciever get the key? He mentioned something about protocol last lecture but i don't know what that means.
I guess what I don't completely understand is that if the drawback of OTP is its key length... how are LCGs better? Don't we always need to generate a stream key as long as the plain text?
Corret. But stream ciphers generate a very long stream from a SHORT key, e.g., 128 bits in length. BTW, LCGs are not good as stream ciphers as their output can be predicted if the attackers knows some outbits already. But there are cryptographically strong stream ciphers, .e.g, the finalist from the ESTREAM competition
Introduction to Cryptography by Christof Paar Hi Prof. Paar, thank you so much for the quick reply! Regarding the key length and the stream cipher length...aren't they the same from a computational point of view? I understand that for OTP we need to generate a really long key(as long as the plaintext). And for LCG we can generate a long stream cipher from a short key(128 bits for instance). But what difference does it make? We are still generating as many bits to encrypt the plaintext in both cases right?
The difference is "operational". Let's say we want to encrypt a 1MB (= 8 million bits) PDF file. For a OTP, Alice and Bob have to exchange a key "somehow" of length 8 million. These exchanges are always difficult, whether they are done manually (USB stick or so) or even more so if done with public-key cryptography. In contrast, if we use a stream cipher, Alice and Bob only exchange, say, 128 bits. This is much easier than 1 MB of key material. cheers, christof
ok, i should have watched the whole video. @Paar:are these lectures still pretty up to date? It's already been 6 years but the basics stay the same i guess. (Time flies.... :O)
Yes, the content has not changed much. I teach introduction to applied cryptography and the set of algorithms that are in the lecture series (DES, AES, RSA; DL, ECC, SHA-x,) are suprisingly stable. The one new topic is SHA-3 that I teach at Ruhr Universität Bochum. I will put this on video at some point. regards, christof
Professor Paar, do you'll explain something about CPRNG? I mean, all PRNGs explained by you are completely predictable, do you have anything to contribute about non-predictable ones? Thanks in advance
The use of the same letter s(i) to represent both the bit, i.e. state, as well as the just the rightmost bit sequence is very confusing. It would be much easier to understand if you used different letters, even more so if you named your variables creatively. Good lectures though. Thank you.
Methodenlehre Mainz I have to clarify: The students in my class are actually great. I teach in front of a large audience of 150-200 mostly first-year students. Almost everybody is quite during the 90min class which always amazes me (I sure talked more during my students years). However, I REALLY like it to be quite, and I am telling the students right away if two of them occasionally start chatting. From the videos there could be the incorrect impression that the students are particular babbly - but really the opposite is true :)
Introduction to Cryptography by Christof Paar True! You actually have an astonishingly quiet in you classroom. I was only referring to the few who need to be reminded to pay attention during such an interesting lecture. As did another commenter, I, too, find audible talking during a lecture disrespectful not only towards the lecturer but also the other students. Well, not that I kept completely still during my studies back in the days but, hey, hypocrisy and RUclips comments go together like peanut butter an jelly.
*Topics*
Recap & Lecture program 0:20
Introduction to LFSR 3:00
General LFSR 34:20
Attack against single LFSR 1:13:37
Dear Professor Paar,
Thank you very much for sharing your lectures on RUclips! I am learning more from you than from my professor and my tutor. Our lecturer at the University of Melbourne can't even speak proper English, let alone teaching Cryptography. I solute you, and wish you the best!
You're awesome!
There are different assumptions about Oscar's capabilities. The 4 major ones are: It is always true that he knows ciphertext and does not know the key. Often it is also assumed that he knows part of the plaintext, e.g., a file header. Another assumption that is often made is that he can choose the ciphers or even the plaintext. A good crypto system should be secure against all these attacks.
Re timing: This is application specific. In classical communication security settings where Oscar is listening-in on the channel, e.g., the Internet or an air link, he also has the timing information. Also in embedded systems such as a smart card, he can observe the timing behaviour in a very detailed fashion. --- Hope this helps, christof
+Introduction to Cryptography by Christof Paar dear sir, i just want to ask if i have to transfer data to another computer. what is the more secure way? is it achieved by RSA algorithm or HTTPS protocol?
+Introduction to Cryptography by Christof Paar can you send me the reference material?thank you . hhyencryption@gmail.com
HTTPS contain certificate , Certificate is use RSA algorithm to create .
I am a student in RWTH Aachen university, and I want to say you are a great lecturer. keep on good working please. Students need more people like you!
@@elama8592 I agree we love u
Another great lecture on stream ciphers! What I find great here is that Christof Paar proves that PRNGs alone are useless for encryption unless being used as a layer in a cryptographic system, as he suggests at the end of this lecture. Although I would forget PRNGs altogether and directly focus on TRNGs and CSRNGs.
In a computer engineering course in NL our homework is to read your book. I'm happy I found out that you've provided lectures. Really helps a ton!
You are an amazing teacher . Thank you so much !
I was very confused about the 'P' part, but then ex1 came and it all started to make sense. Thank you sir this was very beautiful.
Fantastic. Just subscribed and bought the book.
My own understanding towards OTP ciphers, was via Vigenère, which I thought you would touch on. I understand RC4 to basically be a key-stretched version of Vigenère part way towards an OTP.
Looking forward to the rest of the series.
Thank you professor Paar for your useful video lectures.
I stopped going to my class and studying your amazing lectures , thank you Sir
1:29:04 "the but" is known as LFSR shrinking-generator. See A5/1 cipher for example as referenced by the professor.
from IRAQ , thank you for this amazing explanation . big love
Really love how you teach..
wenn ich gewusst hätte dass es in der bochumer university so geile profs gibt wär ich dahin gegangen :D klasse und sehr verständlich erklärt! Hat mich als Software-Engineer sehr weitergebracht ;)
Nuram0 Tja, so ist das immer. Die besten Sachen entdeckt man erst viel später. ;)
i enjoyed the lecture .thumps up👍
This may seem a little off topic, but towards the end of the lecture when you talk about breaking the Stream Cipher using LSFRs, given the vast number of implementations of different cryptographic algorithms, how would Oscar know that he is dealing a Stream, and not a block, or an Asymmetric Cipher?
Great lectures, btw, really enjoying them and learning a lot.
Thank you, Professor Christof Paar!
It is always assumed that the attacker knows everything about your cipher, except the key itself.
Thanks you professor. I started course to LFSR and now i like working at home. My project research is in area of cryptography and i have many lacks to this area. Nevertheless, your courses are a good tools to starts implementing my works
These lectures are amazing !!!!!
Intro to LFSR 03:00
General LFSR 34:20
Attacks LFSR 1:13:40
Finally i understand this!
Another question, again general: In every problem of Cryptanalysis, we assume Oscar has knowledge of the CipherText, and no knowledge of the Key, or the PlainText.
My question is, does Oscar have any knowledge of the exact time at which Alice is sending, and the the exact time Bob is receiving the message? I realise I may be drifting slightly off topic.
Thanks!
In order to compute si bits you require both plaintext and ciphertext. However unless someone was attempting to facilitate an attack on the encryption wouldn't it be reasonable to assume that the attacker (Oscar) would only have plaintext (header) or the ciphertext?
also so the attacker now the first 3 letters of the original text the encrypted text and the general eqution that is used to decode?
Thanks you so much for great lectures.
Great lectures and Great professor, the problem is I didn't get it at all 🤣.
боже, благослови ютуб! Это именно то что мне было нужно!
is the following correct: assuming oscar knows s1 s2 and s3 so s3=s2xp2 + s1xp1 + s0x p0 and s4 ( what oscar does not know) = s3x p2 + s2xp1 + s1xpo ( x meaning multiplication) is this equation correct then and would it not be necessary to compute p3? (or if one was to substitute p0 for x p1 for y and p2 for z? or whould there be a 4th unknown variable ?
how it is possible having 4 flip flops if all switch are closed to end up with 5 cycles if how will the bits flow back to the first flip flop?
You are just amazing sir
You are awesome. 💙
Nice useful video sir...thanks
Near the bottom of page 42, you say (about he index or clock cycle) : "i=0,1,2..." but should this really be ( i >= m ), where m is the degree? Also, reversing the numbering direction on the circuit on page 43 from the other on page 42 is confusing.
great lecture, thank you
Thank you for the lecture. I have a question, you didn't discuss where the key is used by the LFSR, I guess the vector (p_0, p_1,..., p_m-1) is the key right?
Yeah that is the key
Dear sir, May I ask in the ex 2 of LFSRs---- should we not put another MUX at the rightmost end of the circuit before the Output? Regards, Fatema
Does the cellphone and cell tower share the same seed? How are they able to decrypt?
great lecture
most important equation of the day since 1911 :P
So is the Key in the PRNG described dictate what P bits are on or off (ie) what registers are XORd together
Exactly, as an example we use a single LFSR as PRNG. The key are the "feedback coefficients", ie., the bits that determine which registers are connected to the XOR path.
*_Remark:_* the _multiplier_ in the general LFSR is an *AND gate*
but do we xor the values that are already xor'd? the eletrical eschema is a little fuzzy haha
OMFG that makes so much sense thank you!
If an LFSR of a concrete configuration has not maximum length, can it also be that there are different disconnected cycles depending on the initial state (except for all zero)?
Yes, if you have a non-maximum length LFSR, there are feedback configurations that give "weird" cycles. As an example one can look at the LFSR with the feedback polynomial x^4 +x^2+1. Depending on the initial values in the four flip-flops, thee different cycles are generated.
Is there any way we can find the lecture slides used in these classes ?? or the homework expercises ?? Great Video thanks.
Both are actually available online at www.crypto-textbook.com:
For the slides, click Online Course->Slides, for the problem sets click Online Course->Videos. Note that the solutions for the odd-numbered problems are also on the website.
I have a question: how was it proven that you will always get ALL the numbers in the sequence and loop back to the beginning (length 2^N - 1 for N bits)?
Good question. We did NOT proof that maximum-length LFSR exist. However, what is said in the lecture that the longest sequence (= maximum lenght) that is possible is 2^n - 1. If such as sequence exist, it is easy to show that all n-bit binary numbers are generated since there are only 2^n-1 states possible with n bits if we exclude the all-zero state.
@@introductiontocryptography4223 I guess a better question now would be: how would one prove that some "multipliers" will guarantee full length periods and some won't, for a specified power of 2?
Hi Mr Christof, I am wondering if you have the algorithm of a Scrambler/Descrambler module that used for the protocol like PCe express,SAS,...
MrSmourad09 Sorry, no.
Introduction to Cryptography by Christof Paar thanks not a problem
Why in example 2 ( time 1:02:00) is the period equal to 5? Isn' it period = 2^m-1=2^4-1=15?
The maximal(!) period is 2^m-1. This does not mean that the period is always 2^m-1. Depending on the configuration of the pi's it may be smalle than 2^m-1. Indeed it was the intention of the example to illustrate this fact.
please see my above question
The diagram given in the book along with mathematical description of LFSR's has incomplete and wrong labeling,as compared to what you have at 46:18
Why is solutions to a problem set deleted in the website? I hope someone post solutions again. Even the book doesn't seem to contain solutions to exercises. There is no good way to study without solutions as a self learner. There is no way to get feedback to working out exercises.
thank you for the series. having never had the economic opportunity to attend college, these types of openly available videos are indispensable to my desire for knowledge.
I would have asked the question, does it matter if I end up using the most efficient polynomial? Isn't the point to have a long period? for instance, even if I have something like m=100, by coming up with an 'inefficient' polynomial eg, one that doesn't generate the longest sequence for m, aren't I still achieving my goal of generating a long period?
Thanks!
gigachad
1:05:47 - I did not completely understand why the polynomial was x^4 + x + 1. In my eyes it would have been x^4 + x^3 + 1
Hey MaxB, I think you were going backward. You read high-order to low-order as left-to-right in his example diagram. And the highest order term (x^4 in this particular case) isn't associated with a p-bit, so it's just always there. The x^3 and below terms are associated w/ the p-bits. So the second-to-last output/feedback gets the x term, the last output/feedback gets the '1' term. If there had been a closed feedback wire after the first flip-flop, it would have gotten the x^3 term.
Love it...
Very useful. Danke. 7 to go ..
Thanx!
Excuse me professor. Can't we replace the multiplication with an AND gate? We say that if we have 0 for pi then the output will be 0 and when pi is 1 the output is equal to the input. So this means that we have an AND gate there.
Yes, exactly. Multiplication mod 2 is identical to a logical AND operation. Cheers
I'm confused is when you say 2 to the m -1, you wrote it as 2 times m -1. Did you mean it as 2 to the power of m -1 or 2 times m -1 ?
1:17:20
1:27:41
52:20
you're right, I misspoke. Should be "2 times m minus 1"
good catch :9
@@introductiontocryptography4223 Thanks for your prompt reply !
didn't expect to get a reply since this video is made long ago 😃
very nice lecture
hi sir do you know about safer k64 .
DANKE
I understand the LFSRs are not cryptographically secure. But how can they be made better secure using 3 LFSRs? What does that mean? Does that mean the Si used is an xor of 3 LFSRs? Is it explained in detail in the 'Understanding Cryptography' book?
What is key in this stream cipher system? I think [S0, S1,....,Sm-1] is the key. The 'm' and [P0,P1...Pi] are not part of key as only few of them exist.?
You have to use several LFSR and they have to be combined in a non-linear way. Have a look (on Wikipedia, e.g.) at the ciphers Trivium and A5 as examples how to do it. Regards, christof
Introduction to Cryptography by Christof Paar Is it not possible for someone to have a sufficiently big lookup table of all resulting pseudorandom number sequences, for multiple Pj reasonably sized seed values. Especially with the existence of supper computers and distributed computing.
Introduction to Cryptography by Christof Paar Why is it not considered proper to periodically reseed the register with a truly random sequence? I just saw that somewhere else; I thought you might have an answer, or did I just misunderstand?
Thank you Professor.
THANX SIR
Thank you
A good cryptography is where you advertise how you encrypt right ? Then OSCAR knows the P values and degree right ?
All practial stream ciphers with LFSRs use more than one LFSR. Examples are the A5/1 GSM cipher or TRIVIUM, both of which use 3 LFSR. Here it is true what you state: The attacker knows the degree and the feedback coefficients p0, p1, p2 .... of the LFSRs. In However, in this very simplex example in the lecture we only use one LFSR and attacker does not know the p_i values. These values are the cryptographic key and the attackers wants to learn them. regards, christof
Hardware architecture and Implementation of LFSR based Toeplitz hash function?
@@introductiontocryptography4223 Sir, we already know which set of primitive polynomials yields more length sequences(can be found on net) but we cannot use them as Oscar already knows about it.
Whet different between stream cipher and block cipher
Stream cipher works with individual bits and block cipher works with groups of bits at a time.
das ist gut danke
I always how the key can be delivered to the other person without having to physicaly deliver the key
Rose B
I'm confused about that too. How does the reciever get the key?
He mentioned something about protocol last lecture but i don't know what that means.
@@bananian Diffie Helman Maybe?
Thanks
is the jpj of the equation the s values multiplie by p switch/multiplier?
Dear Mr Paar,
Do you plan to introduce the beautiful Post Quantum Cryptography, please ?
I am not 100% sure, but there is a chance that I develop 1-2 lectures on PQC, which I would teach in the summer of 2022. regards, christof
I guess what I don't completely understand is that if the drawback of OTP is its key length... how are LCGs better? Don't we always need to generate a stream key as long as the plain text?
Corret. But stream ciphers generate a very long stream from a SHORT key,
e.g., 128 bits in length.
BTW, LCGs are not good as stream ciphers as
their output can be predicted if the attackers knows some outbits
already. But there are cryptographically strong stream ciphers, .e.g,
the finalist from the ESTREAM competition
Introduction to Cryptography by Christof Paar Hi Prof. Paar, thank you so much for the quick reply!
Regarding the key length and the stream cipher length...aren't they the same from a computational point of view?
I understand that for OTP we need to generate a really long key(as long as the plaintext). And for LCG we can generate a long stream cipher from a short key(128 bits for instance). But what difference does it make? We are still generating as many bits to encrypt the plaintext in both cases right?
The difference is "operational". Let's say we want to encrypt a 1MB (= 8 million bits) PDF file.
For a OTP, Alice and Bob have to exchange a key "somehow" of length 8 million. These exchanges are always difficult, whether they are done manually (USB stick or so) or even more so if done with public-key cryptography.
In contrast, if we use a stream cipher, Alice and Bob only exchange, say, 128 bits. This is much easier than 1 MB of key material.
cheers, christof
Ah I think I understand now. Thank you so much sir!
Cheers! Charles
Hi Professor, you say "in contrast, if we use a stream cipher...", I thought OTP *is* a stream cipher? Thanks,
@42:40 is should read B=0*A=0?!?
blackboard says B=0*B=0
ok, i should have watched the whole video.
@Paar:are these lectures still pretty up to date?
It's already been 6 years but the basics stay the same i guess.
(Time flies.... :O)
Yes, the content has not changed much. I teach introduction to applied cryptography and the set of algorithms that are in the lecture series (DES, AES, RSA; DL, ECC, SHA-x,) are suprisingly stable. The one new topic is SHA-3 that I teach at Ruhr Universität Bochum. I will put this on video at some point. regards, christof
When he gives an assignment to the class, you can skip to 23:10, nothing important happens in the time
Because you are awsem i will buy your book , unfortunantly there is only one Christof Paar in the world .
How does the oscar know the degree m
The professor said that even if Oscar doesn't know m, given that this attack is so fast, he can just find m by brute-force
37:00
Professor Paar, do you'll explain something about CPRNG? I mean, all PRNGs explained by you are completely predictable, do you have anything to contribute about non-predictable ones? Thanks in advance
The use of the same letter s(i) to represent both the bit, i.e. state, as well as the just the rightmost bit sequence is very confusing. It would be much easier to understand if you used different letters, even more so if you named your variables creatively. Good lectures though. Thank you.
This is a lecture and not theatre. So why can't the cameraman fix the board?
plz increase sound..
I do watch youtube during your lecture, I am sorry!
Perhaps, the lecture could have been edited...
Dab on the haters
You made a spelling error. You spelled theoretically as "theoritically"
Why do people sit and talk at a lecture? Fucking disrespectful.
Pharap Sama It's disrespectful. Not ALL students are like that. Respect the teacher and other students.
cringe baby
If those babbling children in the classroom are to be responsible for shaping the future of cryptography, we may as well abandon all hope.
Methodenlehre Mainz
I have to clarify: The students in my class are actually great. I teach in front of a large audience of 150-200 mostly first-year students. Almost everybody is quite during the 90min class which always amazes me (I sure talked more during my students years). However, I REALLY like it to be quite, and I am telling the students right away if two of them occasionally start chatting. From the videos there could be the incorrect impression that the students are particular babbly - but really the opposite is true :)
Introduction to Cryptography by Christof Paar True! You actually have an astonishingly quiet in you classroom. I was only referring to the few who need to be reminded to pay attention during such an interesting lecture. As did another commenter, I, too, find audible talking during a lecture disrespectful not only towards the lecturer but also the other students. Well, not that I kept completely still during my studies back in the days but, hey, hypocrisy and RUclips comments go together like peanut butter an jelly.