OK I think I get it.......no I don't nm, wait yes I do! "Unconditionally secure" does not mean "unhackable." Given an infinite number of infinitely fast Turing Machines, more and more of the garbage text will be recognizable as garbage. Eventually Oscar could narrow it down more and more (again hypothetically, with more resources than physics would probably allow) and if Alice and Bob talk enough, Oscar will know the conversation *but he will not know the next bit they sent, because he doesn't know that bit's key bit, and that is the definition*. Cool, good lectures man. Thank you for inspiring me to think more about it.
Forget my last comment, even if Oscar can narrow down more and more garbage text, he also gains every possible plausible text. So I think I was wrong when I said "Unconditionally secure != unhackable" Now I think I get it. *think, never sure*
If the entire key is truly random, decimal adding (adding with carry bits) will work too. However, bitwise XOR makes many things easier: It is faster, one can encrypt individual bits independently of their neighbouring bits, and the security argument is easier: By intuition, if an attacker sees (e.g.) a 0 on the channel and the key bit is truly random, there is exactly a 50% chance that the plaintext bit was 0 or 1.
Surely the LCG is even worse for cryptography: we showed that Oscar can break it by knowing (x1,x2,x3). Even if they didn't know those values, there are only 8 possibilities so he can find 8 pairs of (A,B), exactly 1 of which is the solution. Trying them out against the rest of the ciphertext narrows down the possibilities even more. Knowing a linear generator is weak, my first impression would be to go to higher order polynomials (perhaps I'm anticipating future lectures here) -- from trying it out, solving systems of polynomial equations in n unknowns is a hard task.
At 1:24:20 Oscar finds/intercepts x1, x2 and x3. You say: he (Oscar) also computes S1, S2 and S3? How can he compute them without the key? Isn't he intercepting s1, s2, s3 also? Thanks for the interesting lectures!
No, he is not intercepting the s_i (they cannot be intercepted, they are internal values computed by Alice). He only sees the y_i's on the channel. But if Oscar also knows some x_i, computing the corresponding s_i is trivial since y_i = x_i + s_i mod m and thus: s_i = y_i - x_i mod m The question is what the other s_i's are that he does not know already. They can be computed via s_j = A s_j-1 + B mod m *but* Oscar needs to know A and B for this. -- And that's the point of my exercise after 1:24:20 :) hope this helps, regards, christof
@@introductiontocryptography4223 I still have a question about how to compute S1, S2, S3. y_i = x_i + s_i mod 2 (where y_i is encrypted bitwise by x_i and s_i. This is the first equation on page 40 of the book). But later, s_i is computed as s_i = y_i + x_i mod m, i = 1,2,...300 (which is the second equation on page 40). Could you explain why the computation changes from mod 2 to mod m?
Sehr gut! Very good lecture of my favorite cryptography topic! Most of the stuff lectured here I already knew, but I learned a few additional things here, such as that XOR is actually Modulo 2 (Mod2). I never realised that. I'm continuously developing my own XOR stream/block ciphers for years now. Strong OTPs can be generated by TRNGs and CSRNGs with high randomness factor on the bits. That's the best way imo. PRNGs are deterministic and crap for encryption purposes indeed, because once an attacker knows the seed he can regenerate the whole sequence of random keybits.
Hm, the definition of a PRNG as shown does not fix a pattern where only the seed depends on the secret key. The key could also be an input to later PRNG rounds. The LCG shown in particular proved problematic because a property of the assumption was that there are more plaintext bits known than the amount of unknown variables in the PRNG function.
Dear Professor Paar, one thing is confusing me a lot. What I understood is that random numbers are generated by the sender applying any of the defined methods, and one of them is CPRNG, which makes it infeasible for anyone to generate the same pattern. My question is: how does the receiver compute the same pattern using CPRNG or any other method for deciphering the received message? What I understood is that both sender and receiver share the pattern function for CPRNG using some other secure channel.
Thanks for your interest. Unfortunately, there is no follow-up course. However, my current plan is to release 2 new lectures on post-quantum crypto, which I plan to teach in the "Sommersemester" of 2025. If things work out, I will release them ca. July '25.
40:49 did he mean to say chaotic natural processes (I think there are random natural processes on the quantum scale but I'm not sure. I know more classical)
+mchenoboe Exactly. The big question is: What are good CPRNGs? In practice, CPRNGs are simply strong stream ciphers. If you go to the eSTREAM web site you'll find recommendations for secure stream ciphers. (Unfortunately) I do not say much about strong stream ciphers in these lectures. Regards, christof
I'm confused because at the end of the lecture you present a stream cipher schematic that uses PRNGs and you say this is how all practical stream ciphers work. Then you continue about the LCG and conclude that this is a bad way of doing stream ciphers. What am I missing?
Hello Prof. Paar, again thank you for the best crypto course on the web. I have a question in relation to this video. The OTP is referred to as a perfect cipher (unbreakable); however, that is not my particular understanding. As I understand this, and I could be wrong, the OTP is perfect only in the following sense. For a ciphertext-only attack the probability of decrypting the message is exactly the same whether you have the ciphertext or not. In other words, even if you have infinite computing power, having the ciphertext doesn't help to decrypt the message, since the key space is at least as large as the message space, every possible decryption of the message with every possible key yields a potentially valid decryption, and there is no way to differentiate what the original message is if an attacker has the ciphertext. It doesn't help. This only holds true for ciphertext-only attacks. In other ways the OTP is actually a weak cipher. Any thoughts on this would be greatly appreciated. Thank you, Steve
Can you generate a random "Key Stream" then swap the keys by using Diffie-Hellman and do a new key every hour over the cell infrastructure?? Feasible or not?
Great lecture Sir... A few doubts as below: 1) How do we get the seed value? 2) How is a PRNG developed? 3) How do we get the K value mentioned at 1:20?
+Cosmic D I hope the following helps: 1.) The seed often comes from a true random number generator. Many modern digital systems have access to some source of randomness. 2.) Not sure what you mean, sorry. 3.) This is the KEY. It must be somehow established between the two communicating parties. There are various ways of doing this in practice, i.e., using some key establishment protocol. regards, christof
+Introduction to Cryptography by Christof Paar Thanks for the same... Sorry to say, but I could not understand anything deeply regarding my doubts. Could you please let me know some topic which can make this clear...
Professor Paar, at 13:45 the equation doesn't seem correct. Xi + Si + (Si mod 2) = Xi + 2Si mod 2 doesn't make sense; Si and Si mod 2 are not the same, so how can you add them together to make 2Si mod 2?
So that means we are not able to recover the original bits in a stream cipher, as the original one was Xi and after encryption and decryption we get Xi mod 2.
Dear Prof, please, which university in Germany are you lecturing at? I want to contact you directly on Information Security (Data & Cryptography).
Finishing up the explanation of stream ciphers for cell phone communications he states the exiting encryption flips the 0 to a 1 and then the receiving decryption flips the 1 back to a 0. According to the XOR gate, this should only happen in ~50% of the bits, where the other 50% are flipped once and then unchanged at the receiving end. I'm very confused by this because he makes it a point to state it several times and asks us to pay attention, then goes and states that it is flipped at both ends. Did he make a mistake or am I just not getting it? Nobody in the comments has even mentioned this so I must be an idiot because I'm not getting it.
Sorry if I was not totally clear in the lecture: A plaintext bit is either flipped during encryption (s_i bit = 1) or not (s_i bit = 0). If it is flipped during encryption it is also flipped (i.e. "flipped back" to its original state) during the decryption, which happens upon receiving the cipher text.
@@introductiontocryptography4223 Thank you. These are great lectures on the topic. Best I've been able to find, honestly. I thank you for taking the time to respond as well. It's greatly appreciated.
Nice lecture...as always. One question, though. If S, A and B are strings of bits then why is this still called a 'stream' cipher? Why not a simple block cipher? Thank you.
Professor, I have one question about the LCG. We can compute the A and B values by A = (s2-s3)(s1-s2)^-1 mod m and B = s2 - s1(s2-s3)(s1-s2)^-1 mod m, but what about the case where (s1-s2)^-1 does not exist modulo m?
Hi Professor, I'd like to know if we can get authentication through only a nonce in a protocol? For example: A -------> B: N(a); B --------> A: {N(a), N(b)} K(ab). Do we have mutual authentication? Thanks
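The exercise Oscar faces in the lecture, worked as an added example that is not part of the lecture or of this thread: the LCG stream cipher with the ANSI C values named here (A = 1103515245, m = 2^31; B = 12345 is the textbook ANSI C increment, my assumption), recovery of (A, B) from three known plaintext words, and the non-invertible case asked about above. Working the algebra through shows that every solution of the congruence continues the key stream identically, so the ambiguity never protects the sender; the toy parameters (m = 256, A = 37, B = 18) are constructed to exhibit it.

```python
from math import gcd

# Model used in the lecture: key stream s_{i+1} = A*s_i + B mod m,
# encryption y_i = x_i + s_i mod m, decryption x_i = y_i - s_i mod m.
# A = 1103515245 and m = 2^31 are the ANSI C rand() values named in the thread;
# B = 12345 is the textbook ANSI C increment (assumed here, not quoted above).
ANSI_A, ANSI_B, ANSI_M = 1103515245, 12345, 1 << 31

# Constructed toy parameters for which s1 - s2 is even, i.e. not invertible mod 256.
TOY_A, TOY_B, TOY_M, TOY_SEED = 37, 18, 256, 10
TOY_PLAIN = [72, 101, 108, 108, 111, 33]          # constructed plaintext bytes


def mod_pow2(v, k):
    """Reduce a non-negative integer mod 2^k by keeping its k low bits: this is
    why 'mod 2^31' is cheap, no division is needed (v % 2**k gives the same)."""
    return v & ((1 << k) - 1)


def lcg_stream(seed, a, b, m, n):
    """Key-stream values s_1 .. s_n of the LCG started at s_0 = seed."""
    out, s = [], seed
    for _ in range(n):
        s = (a * s + b) % m
        out.append(s)
    return out


def encrypt(plain, stream, m):
    return [(x + s) % m for x, s in zip(plain, stream)]


def decrypt(cipher, stream, m):
    return [(y - s) % m for y, s in zip(cipher, stream)]


def solve_linear_congruence(a, b, m):
    """All A in [0, m) with a*A = b (mod m). If g = gcd(a, m) > 1, a has no
    inverse; the congruence then has no solution unless g divides b, and
    exactly g solutions otherwise (spaced m/g apart)."""
    a, b = a % m, b % m
    g = gcd(a, m)
    if b % g:
        return []
    m_g = m // g
    a0 = 0 if m_g == 1 else (b // g) * pow(a // g, -1, m_g) % m_g
    return [a0 + k * m_g for k in range(g)]


def recover_parameters(s1, s2, s3, m):
    """Oscar's exercise: s2 = A*s1 + B and s3 = A*s2 + B; subtracting gives
    (s1 - s2)*A = s2 - s3 mod m. Returns every consistent (A, B) pair, which is
    a single pair whenever s1 - s2 is invertible mod m."""
    return [(a, (s2 - a * s1) % m)
            for a in solve_linear_congruence(s1 - s2, s2 - s3, m)]


def known_plaintext_attack(cipher, known_plain, m):
    """Given the ciphertext and its first three plaintext words (e.g. a known
    file header), recover s_i = y_i - x_i, derive the candidate (A, B) pairs and
    return the set of distinct decryptions of the whole message they yield."""
    known_s = [(y - x) % m for y, x in zip(cipher, known_plain)]
    s1, s2, s3 = known_s[:3]
    decryptions = set()
    for a, b in recover_parameters(s1, s2, s3, m):
        stream = list(known_s)
        while len(stream) < len(cipher):
            stream.append((a * stream[-1] + b) % m)
        decryptions.add(tuple(decrypt(cipher, stream, m)))
    # Any candidate (A', B') gives A'*s + B' = A*s + B + (A'-A)*(s - s1), and
    # (A'-A)*(s_j - s1) = 0 mod m for every j because s_j - s1 is a multiple of
    # s2 - s1, so all candidates predict the same key stream: one decryption.
    return decryptions


def demo_ansi():
    """ANSI C parameters: s1 - s2 is always odd, so (A, B) is recovered uniquely."""
    plain = [1001, 2002, 3003, 4004, 5005, 6006, 7007, 8008]   # constructed
    stream = lcg_stream(20240101, ANSI_A, ANSI_B, ANSI_M, len(plain))
    cipher = encrypt(plain, stream, ANSI_M)
    known_s = [(y - x) % ANSI_M for y, x in zip(cipher[:3], plain[:3])]
    cands = recover_parameters(*known_s, ANSI_M)
    return cands, known_plaintext_attack(cipher, plain[:3], ANSI_M), plain


def demo_toy():
    """Toy parameters: gcd(s1 - s2, 256) = 2 gives two (A, B) candidates, yet
    both continue the key stream identically, so Oscar still decrypts."""
    stream = lcg_stream(TOY_SEED, TOY_A, TOY_B, TOY_M, len(TOY_PLAIN))
    cipher = encrypt(TOY_PLAIN, stream, TOY_M)
    s1, s2, s3 = stream[:3]
    cands = recover_parameters(s1, s2, s3, TOY_M)
    return cands, known_plaintext_attack(cipher, TOY_PLAIN[:3], TOY_M)


if __name__ == "__main__":
    print(demo_ansi()[0])   # [(1103515245, 12345)]
    print(demo_toy()[0])    # [(37, 18), (165, 18)]
```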
Assuming Alice and Bob share the same key that is only known to them, Alice knows after decryption of the message that the message originated from Bob. N(b) is currently not used in your protocol. regards, christof
Hello Prof. Thanks for the amazing lecture series. I had a couple of questions on OTP. 1. Even though the key size would be "huge" in case of OTP, theoretically with infinite computational resources it would still be possible to break it [2^3.2G computers can do it in 1 step]. 2. Further, if the message size is really small (16 bytes), wouldn't OTP be a weak algo in that case?
Good point. This is a (well-known) paradox of the OTP. You are absolutely right, if the message size is small, one can of course try all possible OTP keys. The point here is, however, that you will NOT be able to tell when you have found the correct key UNLESS you know the plaintext already. Very good observation, though. hope this helps, christof
+Introduction to Cryptography by Christof Paar Thanks Prof for the response. If I got you right, decryption would produce just a stream of bits and hence one could never tell if it were the right key (unless the original plain text was a meaningful English sentence/paragraph, for which you don't need to actually KNOW the plain text)
Almost correct: Let's assume the plaintext were a 6-letter ASCII string, e.g., ATTACK. If the adversary performs an exhaustive key search he would generate "ATTACK". But he would also generate "attack" and "SECRET" and "peace!" and "turkey" and "pay50$". Thus, unless he knows a priori what the plaintext is, he will not know which the correct one is.
Introduction to Cryptography by Christof Paar Yeah..that's quite possible given the richness of a language :).. However, I feel probability of this collision would reduce as the input text becomes longer.. Thanks again Prof...
The keyspace grows with the length of the message; it's always as big as the space of possible messages. For example: If you have a ciphertext of 100 bits length, there are 2^100 possible ciphertexts. The key is an equally long string of random bits, so there are 2^100 keys, and every key leads to a different plaintext. That means you can get any plaintext of equal length. And because the key is truly random, all the plaintexts are equally likely.
Wonderful job professor, I think that people like you allow students to progress. Congratulations. Now, I have a short question. In your book, which is amazing, for the OTP you put 3 requirements, but now in your explanation you omitted the second one, which says the key stream is only known to the legitimate communicating parties. I think that I will get Erasmus from Valencia (Spain) just for being in your classes ajjjjajaa. Thx
Couldn't you brute force the OTP keystream bits? At the end of the day it's either 1 or 0 and 100 bits would be 2^100 possibilities; why can't you try every one and see which plaintext makes sense?
Good question. Brute-forcing an OTP is almost a paradox, as it seems to be feasible. But the answer in short is: no, it does not work. The problem is as follows: In order to do a brute-force attack, you need to know when you actually found the correct key. This is only possible with the OTP if you KNOW the plaintext that you are looking for already. But if you know the plaintext anyway, you do not need to brute-force the OTP-encrypted ciphertext. Here is an example. Assume a plaintext consisting of 4 ASCII letters, i.e., 32 bits. Brute-force takes, thus, 2^32 steps. This is easy and takes a few seconds on a laptop. Assume the plaintext that was encrypted is "sell". You'll certainly find "sell" but also "sold", "dive", "duck", "2qfu" (and all your favorite 4-letter swearing words too :) You will not be able to distinguish "sell" from all the other decrypted texts that you produce. Hope this helps.
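A short script, added here and not part of the thread or the lecture, that makes the "sell/sold/dive/duck" argument concrete: for every candidate plaintext there is exactly one OTP key that explains the ciphertext, a one-byte ciphertext brute-forces to all 256 plaintexts exactly once, and the same XOR cancellation shows why a pad must never encrypt two messages (the key-reuse point raised in the Numbers Stations comment of this thread). The random key is constructed inline with os.urandom.

```python
import os


def otp_encrypt(plain: bytes, key: bytes) -> bytes:
    """One-time pad: y_i = x_i XOR k_i, i.e. addition mod 2 bit by bit.
    The key must be truly random, as long as the message, and used once."""
    if len(key) != len(plain):
        raise ValueError("OTP key must be exactly as long as the plaintext")
    return bytes(x ^ k for x, k in zip(plain, key))


# Decryption is the same operation: x_i + k_i + k_i = x_i + 2*k_i = x_i (mod 2).
otp_decrypt = otp_encrypt


def key_explaining(cipher: bytes, candidate: bytes) -> bytes:
    """The unique key under which `cipher` decrypts to `candidate`. Such a key
    exists for every candidate of the right length, which is why a
    ciphertext-only attacker cannot tell the real decryption from the others."""
    return otp_encrypt(cipher, candidate)


def brute_force_one_byte(cipher_byte: int) -> dict:
    """Exhaustive key search on an 8-bit OTP ciphertext: histogram of the
    plaintexts produced by all 256 keys."""
    hist = {}
    for k in range(256):
        p = cipher_byte ^ k
        hist[p] = hist.get(p, 0) + 1
    return hist   # 256 distinct plaintexts, each produced by exactly one key


def reuse_leak(cipher1: bytes, cipher2: bytes) -> bytes:
    """What an eavesdropper holds when one pad encrypts two messages:
    (x1 + k) + (x2 + k) = x1 + x2 (mod 2). The key cancels, so the
    'every plaintext equally likely' argument no longer applies."""
    return otp_encrypt(cipher1, cipher2)


def demo():
    key = os.urandom(4)                   # constructed, truly random 32-bit key
    cipher = otp_encrypt(b"sell", key)
    # every 4-letter candidate is "found" by exhaustive search, each under its own key
    explained = {c: otp_decrypt(cipher, key_explaining(cipher, c))
                 for c in (b"sell", b"sold", b"dive", b"duck")}
    return explained, brute_force_one_byte(cipher[0])
```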
Please visit the companion website of our textbook www.cryptotextbook.com and click Online Courses -> Videos. You'll find a comprehensive problem set for each video. The solutions to the odd-numbered problems are also on the website. Cheers, christof
Hi Professor, I love security so I find your videos a great way to go above the curriculum and prepare for an undergrad in computer science. I was thinking, isn't it possible to change the key values after each byte is encrypted with an LCG? This way any attacker knowing the first few bits would find it very difficult to get anywhere into the data. My idea is similar to some public key encryption: using some trap door function to generate a new key (A,B). The idea uses an elliptical curve on both PRNGs that will compute a new key. If point (A,B) is x, it will compute x^m (mod m). This new point will be the corresponding A and B values for the next 8 bit Si values. For the next 8 bits, it would compute x^m+1 (mod m) and so on. This way knowing A and B from the first byte will not allow you to obtain the next A,B key without knowing the equation or having some prior idea of what the message is. The simultaneous attack breaks down if you get s8 and s9 as the A B values will be different. Is this a practical solution?
The lecture closely follows the book (or vice versa :) "Understanding Cryptography". You may want to have a look at the companion website, www.crypto-textbook.com. It is moderately priced and has excellent reviews on Amazon. regards, christof
I set my alarm for the middle of the night to watch these so I can literally follow his instruction to "go back to sleep"
*Topics*
1. Stream Ciphers 0:15
2. Random Numbers
a) RNG (Random Number Generator) 37:10
b) PRNG (Pseudo Random Number Generator) 44:00
c) CPRNG (Cryptographically Secure Pseudo Random Number Generator) 51:30
3. One Time Pad 1:00:30
4. LCG (Linear Congruential Generator) PRNG 1:15:15
Tells someone to shut up 5:54
Thank you very much, dear, for providing info
Thank you so much for sharing this course for free. You are such an amazing professor. Academia needs more talents like you. Thank you sir
"The next 120 seconds, are going to be very important in your life!"
Many thanks to Prof. Paar for the most interesting lectures
I even learn a few German words as a side benefit of the lectures
...
I can't believe that there are students who are sleeping / not paying attention in this class. I'm watching the video at midnight and I'm having my eyes wide open marvelling at the simple way in which Prof. Paar explains step-by-step some of the most cryptic (literally) stuff!
Lit me right now xd
These lectures are so good! They make a perfect pair with the crypto-textbook. The most fascinating course I've had so far in my studies.
Studying Crypto for CCNA Cyber Ops, these lectures are amazing. I'm learning so much, great job Professor
First time listening Professor Christoff Paar on Cryptography.
Very nice lectures
Great pace and way of teaching
Stay blessed Professor
Dr Zaheer
Center for Mathematical Sciences
Pakistan Institute of Engineering and Applied Sciences
Islamabad
Pakistan
Thanks a lot for these wonderful lectures! I have seen many engineering online lectures, but the way you teach is very educational and exceptional.
Stream ciphers 0:01
Random number generators (RNG) 37:20
OTP 1:00:30
LCG 1:15:20
Professor Paar,
At 55:40, when you say that it is computationally infeasible to construct Sn, you mean Si+n, right? i.e., the next key after Si+n-1
Exactly.
Mr. Paar, where did you learn everything you know? You are a highly intelligent individual, anyone can tell just based off how you teach. I'm only 15 and I'm understanding what you are teaching, you really know what you are talking about and that is shown in the way you break down these ciphers and explain them in detail.
Firstly, this lecture series is great. Super clear and concise. The slides on the website are also very helpful.
Secondly, at 28:00... since we're encoding/decoding 7 (or 8) bits at a time, isn't the stream-cipher just a very small block-cipher? The "block" in this case being a single byte?
Why take german and cryptography, when you can learn them both at the same time? (lol) Great Lecture by the way.
haha..
I am a beginner crypto learner.
are you a beginner?
Yes
Me too
Professor Christof Paar, I don't understand why 1 + 1mod2 equals to 0 and not 2? 1mod2 equals to 1 if I'm not mistaken, hence 1 + 1 = 2. What am I missing at 19:39?
I think it should be (x+s)mod2. After this everything makes sense. Also in the shift cipher, if we do (x+k)mod26, it gives the desired results.
Someone correct me if I am wrong. Please. I too am learning.
No, you are right, the answer is 2, but 2 isn't in the Z2 set; it's either 0 or 1, so 2 is equivalent to 0 because 2 = 2 mod 2, which is 0. I hope it helped :D
Dear Professor Paar, when I was watching your explanation on the OTP, I suddenly wondered if this is how the ancient Chinese encrypted their messages. We Chinese use characters, and the most commonly used ones are of a whopping number between 3000-5000. During war times, for secret message exchange, people write a seemingly normal message, but you need a sort of mechanism to see the original message. It's a message in a message.
good question but still Chinese government controls Chinese people in a good way.
@@pandalanhukuk804 Good answer, but it looks like you are suffering from fake news.
I like the way you are teaching. :) I wish I could attend your classes!!!
Better think about what you wish for...
@@Tentix trust me, I really want to attend his classes.
you already are
Dear professor Paar, thank you for sharing.
I would like to know if it is correct to say, at the beginning of the last exercise (1:22:45), that the system (attacked by Oscar) can be solved due to the Rouché-Capelli theorem.
Thank you
53:50 lol, for the viewer that's a conundrum
That took me way too long...
Regarding OTP... store random mouse moves collected in an array up to the size needed to encrypt the message, each time you need a new random number array, easy. Encrypt the message one to one with the random array and you only need a random array as large as your message, so message x 2 is the final size. Embed the encrypted message in a picture using steganography. First send the key embedded in a picture with an RSA encoded password (known to the recipient). Then send the picture with an embedded encrypted message. Works better if the message is also embedded into text (i.e., lorem ipsum) that will fill the whole picture, so that changed bits in the picture don't stand out. Already wrote this program, handling LF's was a problem but sorted now. A 520x520 bit picture will hold about 72k of characters.
55:40 This should be S_(i+n) rather than S_n, shouldn't it?
Entanglement offers an interesting way to pass data encryption keys. Assuming entanglement systems are difficult and expensive it may not be practical to transmit data this way but the secure key is a smaller data set.
Professor Christof Paar, at 50:18, how did you get the value of Si+1? Is it just a random value, or is it a constant or a derived value?
I'm asking about the value 1103515245
Also, could you please help me understand why we wrote 2 ^31 because we haven't talked about 31. I understand mod 2 is because there are only 2 digits - 0,1 in the set. But not sure about why to the power 31.
This (admittedly strange looking) number is simply part of the standard of the ANSI C programming language. The number is being used in the standardized function rand().
The short answer: See above, reduction modulo 2^31 is also specified in ANSI C for the rand() function. There is a very good reason behind it: computing mod 2^31 is very easy on a computer -- one simply takes the 31 least significant bits of the operand. In particular, one does not have to perform a division for computing 2^31. cheers
During the Cold War and even now One-Time Pad messages are sent to agents via clandestine shortwave radio stations known as Numbers Stations.
These stations would read out the encrypted messages usually as strings of 5 digit numbers and the agent who is meant to receive one copies the numbers down and then decodes them with the OTP given.
Most of these Numbers Messages cannot ever be decrypted because most agencies were very careful with not re-using keys. But eventually they ran low on resources and had to recycle whole keys and parts of keys etc. If you ever reuse a key for two different messages, then cracking both of them is child's play.
Now if you reuse the same key for the same message sent with that same key then it does not matter because the numbers would be identical and you are nowhere closer to cracking it than you were when you first intercepted it.
Today radio transmissions are sent in coded packets; each packet is sent on a different channel (AM or FM frequency), and deciphering the header of the packet identifies the next channel. Oscar has to be in real time to even capture the data beyond a single packet. To make it more interesting trojans are also sent on other channels to create a noise level that masks the real message. Channel sequences are chosen from an OTP and cover a very broad RF spectrum.
1:25:37
why isn't mod(m) an unknown?
Thank you very much for this wonderful lecture
No, the 2 unknowns are A and B. We assume that the modulus m is known. (Sorry, I should have included m in the list "Oscar knows ...".) Cheers, Christof
@@introductiontocryptography4223 How will Oscar know 'm' if he only has the information about the header of a file?
@@gaganaggarwal7981 Well, if it is a bit stream, then I suppose the system is mod 2, because bits only have two values: 0 and 1. That was the presumption during this whole lecture, if I'm correct?
@@HeikkiKetoharju if you look at the wiki ( en.wikipedia.org/wiki/Linear_congruential_generator ) the m values are much different, though the set is small enough that you should be able to iterate over all of them. That being said, if you xor full bytes, then you're likely to discard the higher bits of the LCG output. I wonder how much more work it is to break it in such case.
Right when you wrote down the symbol for modulo 2, I knew XOR was going to come up.
*k*
@@Integralsouls What a crazy response to a 4 year old comment.
Thank you. You really make this subject fascinating.
At Timestamp 1:11:12 you asked us how big the key is in the example for a 400 MB movie. I'm not sure I follow how you arrived at 3.2 GBs for the encrypted file. I do understand that any key in a OTP is going to be as big if not bigger than the original message.
You are right. I just tried to convert from MByte to MBit, and multiplied the 400MByte by 8 :)
I find counting the bits more instructive since the OTP is bit-oriented
Great lecture and I envy those students out there for having a lecturer as such. The lecturer we have in our university in Holland is nowhere near this lecturer, sadly of course.
What about the number stations that broadcast letters and numbers all around the world in the HF radio spectrum? Are they using one-time pads? It seems like the only thing they could be using.
1:00:00 ish I don't see how OTP meets the definition for "unconditionally secure" for any finite stream. His 400MB file has a key space of 2^3200000, right? So given "infinite resources" you could guess the key and decipher. Am I missing something? Or is he wrong? Sorry, I'm a mathematician, I take definitions seriously.
Good point. That's almost a paradox of the OTP: It seems one could brute-force a (finite) OTP. If you use short messages, say 8 bit, that would be even trivial. BUT: To stay with the 8 bit example, you would get 256 answers, but you will not know which one of those is the correct one. You will only be able to distinguish the correct one from all the others if you already know the plaintext anyway. Same goes with a 400MB message.
@@introductiontocryptography4223 Thank you sir for your reply. I have a B.S. in Theoretical Mathematics but my Computer Science is mostly self taught. I definitely have some thinking to do.
(It still seems that, after the message is sent, Oscar has the ciphertext and knows the key space -> Oscar does have the plaintext byte; I guess the problem is he also has 255 garbage bytes... so, it seems to me we have to make one further assumption to meet the definition: that is, Oscar does not know what he's looking for (i.e. if he was after a char he can narrow it down to... every char... nm. I think I'm starting to get it. I have a lot of thinking to do.
It's clearly secure, after 60ish bytes you're going to need some quantum or alien help; it just seems like a true Turing machine would know more and more as the conversation progresses. ... OK I'm going to leave the thinking in my head lol.
Again, thank you for validating that my question was at least worthy of consideration. I would love to have a conversation with you someday, but I have a lot to learn over many years before I would have anything significant to add (computer science wise; if you want to talk about classical physics, organic chemistry, or mathematics, I'm down!)
OK I think I get it... no I don't, nm, wait yes I do! "Unconditionally secure" does not mean "unhackable." Given an infinite number of infinitely fast Turing machines, more and more of the garbage text will be recognizable as garbage. Eventually Oscar could narrow it down more and more (again hypothetically, with more resources than physics would probably allow) and if Alice and Bob talk enough, Oscar will know the conversation *but he will not know the next bit they sent, because he doesn't know that bit's key bit, and that is the definition*
Cool, good lectures man. Thank you for inspiring me to think more about it.
Forget my last comment, even if Oscar can narrow down more and more garbage text, he also gains every possible plausible text. So I think I was wrong when I said "Unconditionally secure != unhackable"
Now I think I get it. *think, never sure*
thank you sir for all this information your teaching methods are good too
Hello, sorry, a stupid question, but why 8*400? Not 400? Isn't one key stream bit required for encrypting one bit of the message? 1:11:37
This man is an American hero
I'm your die hard fan already!! Great Lecture!
Why is binary bitwise XOR preferred over decimal adding? Is it just because it's faster to compute or are there security advantages too?
If the entire key is truly random, decimal adding (adding with carry bits) will work too. However, bitwise XOR makes many things easier: It is faster, one can encrypt individual bits independently of their neighbouring bits, and the security argument is easier: By intuition, if an attacker sees (e.g.) a 0 on the channel and the key bit is truly random, there is exactly a 50% chance that the plaintext bit was 0 or 1.
Surely the LCG is even worse for cryptography: we showed that Oscar can break it by knowing (x1,x2,x3). Even if they didn't know those values, there are only 8 possibilities so he can find 8 pairs of (A,B), exactly 1 of which is the solution. Trying them out against the rest of the ciphertext narrows down the possibilities even more. Knowing a linear generator is weak, my first impression would be to go to higher order polynomials (perhaps I'm anticipating future lectures here) -- from trying it out, solving systems of polynomial equations in n unknowns is a hard task.
1:00:00 Chapter 3 - One Time Pad
At 1:24:20 Oscar finds/intercepts x1, x2 and x3. You say he (Oscar) also computes S1, S2 and S3? How can he compute them without the key? Isn't he intercepting s1, s2, s3 also? Thanks for the interesting lectures!
No, he is not intercepting the s_i (they cannot be intercepted, they are internal values computed by Alice). He only sees the y_i's on the channel. But if Oscar also knows some x_i, computing the corresponding s_i is trivial since
y_i = x_i + s_i mod m
and thus:
s_i = y_i - x_i mod m
The question is what the other s_i's are that he does not know already. They can be computed via
s_j = A s_j-1 + B mod m
*but* Oscar needs to know A and B for this. -- And that's the point of my exercise after 1:24:20 :)
hope this helps, regards, christof
@@introductiontocryptography4223 I still have a question about how to compute S1, S2, S3.
y_i = x_i + s_i mod 2 (where y_i is encrypted bitwise from x_i and s_i. This is the first equation on page 40 of the book).
But later, s_i is computed as
s_i = y_i + x_i mod m, i = 1,2,...300 (which is the second equation in page 40).
could you explain why the computation changes from mod 2 to mod m?
Excellent teaching! Professor!!
Sehr gut! Very good lecture of my favorite cryptography topic!
Most of the stuff lectured here I already knew, but I learned a few additional things here, such as that XOR is actually Modulo 2 (Mod2). I never realised that.
I'm continuously developing my own XOR stream/block ciphers for years now.
Strong OTPs can be generated by TRNGs and CSRNGs with high randomness factor on the bits. That's the best way imo. PRNGs are deterministic and crap for encryption purposes indeed, because once an attacker knows the seed he can regenerate the whole sequence of random keybits.
Hm, the definition of a PRNG as shown does not fix a pattern where only the seed depends on the secret key. The key could also be an input to later PRNG rounds. The LCG shown in particular proved problematic because a property of the assumption was that there are more plaintext bits known than the amount of unknown variables in the PRNG function.
Thank you Professor, great lectures
Dear Professor Paar, one thing is confusing me a lot. As I understand it, random numbers are generated by the sender applying any of the defined methods, and one of them is CPRNG, for which it is infeasible for anyone to generate the same pattern. My question is: how does the receiver compute the same pattern using CPRNG or any other method for deciphering the received message? What I understood is that both sender and receiver share the pattern function for CPRNG using some other secure channel.
Was there a follow-up course? Can that also be shared please? Thank you so much
Thanks for your interest. Unfortunately, there is no follow-up course. However, my current plan is to release 2 new lectures on post-quantum crypto, which I plan to teach in the "Sommersemester" of 2025. If things work out, I will release them ca. July '25.
40:49 did he mean to say chaotic natural processes?
(I think there are random natural processes on the quantum scale but I'm not sure. I know more classical)
We learned that LCGs/PRNGs wouldn't work at the end of lecture for getting the Si, but what would work? A CPRNG?
+mchenoboe Exactly. The big question is: What are good CPRNGs? In practice, CPRNGs are simply strong stream ciphers. If you go to the eSTREAM web site you'll find recommendations for secure stream ciphers. (Unfortunately) I do not say much about strong stream ciphers in these lectures. Regards, christof
I'm confused because at the end of the lecture you present a stream cipher schematic that uses PRNGs and you say this is how all practical stream ciphers work. Then you continue about the LCG and conclude that this is a bad way of doing stream ciphers. What am I missing?
What a nice teacher! What a person...
Hello Prof Paar
Again, thank you for the best crypto course on the web. I have a question in relation to this video. The OTP is referred to as a perfect cipher (unbreakable); however, that is not my particular understanding. As I understand it (and I could be wrong), the OTP is perfect only in the following sense. For a ciphertext-only attack, the probability of decrypting the message is exactly the same whether or not you have the ciphertext. In other words, even if you have infinite computing power, having the ciphertext doesn't help to decrypt the message, since the message space and key space are of equal size (or the key space is greater), every possible decryption of the message with every possible key yields a potentially valid decryption, and there is no way to differentiate what the original message is if an attacker has the ciphertext. It doesn't help. This only holds true for ciphertext-only attacks. In other ways the OTP is actually a weak cipher. Any thoughts on this would be greatly appreciated.
Thank you
Steve
Did you find your answer?
Can you generate a random "key stream", then swap the keys by using Diffie-Hellman and do a new key every hour over the cell infrastructure? Feasible or not?
At 1:00:00, how do the cell phone and the tower have the same key?
Both keys are the same if they are symmetric keys.
The other type is public-key encryption, where both keys are different.
Great lecture, Sir... A few doubts as below:
1) How do we get the seed value?
2) How is a PRNG developed?
3) How do we get the K value mentioned at 1:20?
+Cosmic D I hope the following helps:
1.) The seed often comes from a true random number generator. Many modern digital systems have access to some source of randomness.
2.) Not sure what you mean, sorry.
3.) This is the KEY. It must be somehow established between the two communicating parties. There are various ways of doing this in practice, i.e., using some key establishment protocol.
regards, christof
+Introduction to Cryptography by Christof Paar Thanks for the same... Sorry to say, but I could not understand deeply anything regarding my doubts... Could you please let me know some topic which can make this clear...
Thank you so much for this course and also for the book, which is an easy-to-read, great information place!
Great lectures, Christof!
30:18 I love how he corrects his grammar mistake by himself lol. I just adore him.
I noticed that too 😌😩🥺
Why should the One Time Pad ( Key stream bits) be used only once for it to be secure?
Great lecture again, would have loved to see some more practical examples of OTP and LCG. And any real life applications of OTP.
Professor Paar,
At 13:45, the equation doesn't seem correct. Xi+Si+(Si*mod2) = Xi+2Si*mod2 doesn't make sense: Si and Si*mod2 are not the same, how can you add them together to make 2Si*mod2?
There is a misunderstanding, I am afraid. "mod 2" is an operator that always applies to the entire equation.
Introduction to Cryptography by Christof Paar okay, if it applies to the entire equation, shouldn't the final answer be Xi*mod2 instead of Xi?
It is Xi mod 2. Please note the " symbol at the end of the line.
So that means we are not able to recover the original bits in the stream cipher, as the original one was Xi and after encryption and decryption we get Xi*mod2.
How can the proof be extended to mod N?
So Oscar gets some plaintext, xi, from file header info but wouldn't he need the encrypted counterpart, yi, in order to calculate the operator, Si?
Oscar intercepts everything that passes through the insecure channel of communication between Alice and Bob, so he does have the y's
What is m in (mod m)? Whatever modulo the situation calls for? i.e. mod2 for binary, mod26 for Shift cipher etc? Or is m specific to this lecture?
Can we say that LCG uses Affine Cipher after getting seed value from PRNG? It looks like S2 = A. S1 + B where A and B are part of Key.
I wasn't paying attention but was listening to the lecture, and at 5:58 he stops and says "Hello!", I thought he said that to me lol
I am sorry, I was actually doing TH-cam while listening to you, professor.
When Christof teaches that CSPRNG, it is in-feasible to compute Sn+i and not Sn.. right?
Great information! Learning this becoming much more fun and meaningful. Thank you!
Legendary as always...
and also to add, thanks for uploading these! I'm trying to find how mathematics is used in cryptology.
learn python. last equation could be done in python by modelling A and B as 2 lists [((si * a) + b) for a,b in zip(A,B)]
I cant type it out correctly now do math using python libraries pandas, NumPy, scipy
in the very end .... isn't "m" in mod-m unknown as well? so there are 3 variables A, B and m
sorry i see that this was answered below
Would Oscar know the modulus in the linear congruence RNG?
Dear Prof, please, which German university are you lecturing at? Please, I want to contact you directly on Information Security (Data & Cryptography).
Finishing up the explanation of stream ciphers for cell phone communications, he states the exiting encryption flips the 0 to a 1 and then the receiving decryption flips the 1 back to a 0. According to the XOR gate, this should only happen in ~50% of the bits, where the other 50% are flipped once and then unchanged at the receiving end. I'm very confused by this because he makes a point of stating it several times and asks us to pay attention, then goes and states that it is flipped at both ends. Did he make a mistake or am I just not getting it? Nobody in the comments has even mentioned this, so I must be an idiot because I'm not getting it.
Ok, I went back, and starting from 25:40 he explains the other pair of 2 bytes. On with the show!
Sorry if I was not totally clear in the lecture: A plaintext bit is either flipped during encryption (s_i bit = 1) or not (s_i bit = 0). If it is flipped during encryption it is also flipped (i.e. "flipped back" to its original state) during the decryption, which happens upon receiving the ciphertext.
@@introductiontocryptography4223
Thank you. These are great lectures on the topic. Best I've been able to find, honestly. I thank you for taking the time to respond as well. It's greatly appreciated.
Nice lecture...as always. One question, though. If S, A and B are strings of bits then why is this still called a 'stream' cipher? Why not a simple block cipher? Thank you.
Stream ciphers are always vulnerable to bit flipping, because each bit of plaintext is XORed with a single bit of your stream.
read this pdf " An Encryption Algorithm Based on ASCII Value of Data".
Enjoying your lectures. I am purchasing your textbook; which other books/textbooks would you recommend on Cyber Security?
Where do I get the homework? (In general, is it possible to get it here?)
amazing lecture. hope i have a lecturer like you in my college...Thanks for uploading videos.
Professor, I have one question about LCG.
We can compute the A and B values by
A = (s2-s3)(s1-s2)^-1 mod m
B = s2 - s1(s2-s3)(s1-s2)^-1 mod m
but what about the case where there does not exist an (s1-s2)^-1 modulo m?
Jung Ki MIN I was wondering exactly the same!
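Professor Paar's derivation earlier in the thread (s_i = y_i - x_i mod m, then A and B from two consecutive keystream equations) and the question just above about a non-invertible (s1 - s2), carried through as one added example that is not code from the lecture or the book. It uses a toy modulus m = 256 (one byte per symbol) and a constructed message whose first three bytes are a known header; the LCG parameters and the message are assumptions. When gcd(s2 - s1, m) = g > 1 the inverse does not exist, but the congruence A*(s2 - s1) = s3 - s2 (mod m) still has exactly g solutions (or none), so the code keeps every candidate (A, B) and checks each one against whatever further keystream values are known.

```python
"""Known-plaintext attack on an LCG keystream with y_i = x_i + s_i mod m.
Added example with constructed data; not code from the lecture or the book."""
from math import gcd

M = 256  # toy modulus, one byte per symbol; the lecture's m is much larger

def lcg(seed, a, b, m, n):
    """Return s_1..s_n with s_i = a*s_{i-1} + b mod m, starting from s_0 = seed."""
    out, s = [], seed
    for _ in range(n):
        s = (a * s + b) % m
        out.append(s)
    return out

def encrypt(xs, ss, m=M):
    """y_i = x_i + s_i mod m (Alice)."""
    return [(x + s) % m for x, s in zip(xs, ss)]

def decrypt(ys, ss, m=M):
    """x_i = y_i - s_i mod m (Bob, or Oscar once he has the keystream)."""
    return [(y - s) % m for y, s in zip(ys, ss)]

def solve_ab(s1, s2, s3, m=M, max_candidates=1 << 12):
    """Every (A, B) with s2 = A*s1 + B and s3 = A*s2 + B (mod m).
    Subtracting the equations gives A*(s2 - s1) = s3 - s2 (mod m). With
    g = gcd(s2 - s1, m) == 1 the inverse exists and the answer is unique; with
    g > 1 the congruence has no solution (if g does not divide s3 - s2) or
    exactly g solutions A0 + k*(m/g), so a list is returned in every case."""
    d = (s2 - s1) % m
    r = (s3 - s2) % m
    if d == 0:
        raise ValueError("s1 == s2 says nothing about A; use more known outputs")
    g = gcd(d, m)
    if r % g:
        return []           # inconsistent: these values are not from an LCG mod m
    if g > max_candidates:
        raise ValueError("too many candidates; use a longer known prefix")
    mg = m // g
    a0 = (r // g) * pow(d // g, -1, mg) % mg   # d/g is invertible mod m/g (Python 3.8+)
    return [(a0 + k * mg, (s2 - (a0 + k * mg) * s1) % m) for k in range(g)]

def attack(ys, known_xs, m=M):
    """Oscar sees every y_i and knows x_1..x_k for some k >= 3 (a file header).
    Returns the set of full plaintexts consistent with that knowledge."""
    k = len(known_xs)
    if k < 3:
        raise ValueError("need at least three known symbols to set up two equations")
    ss = [(y - x) % m for y, x in zip(ys, known_xs)]   # s_i = y_i - x_i mod m
    plaintexts = set()
    for a, b in solve_ab(ss[0], ss[1], ss[2], m):
        stream = ss[:1] + lcg(ss[0], a, b, m, len(ys) - 1)   # regrow from s_1
        if stream[:k] != ss:
            continue        # contradicts a known symbol beyond the first three
        plaintexts.add(bytes(decrypt(ys, stream, m)))
    return plaintexts

if __name__ == "__main__":
    plaintext = b"HDR:meet at 9pm"             # constructed; "HDR:" plays the known header
    stream = lcg(10, 3, 4, M, len(plaintext))  # Alice's key: s_0 = 10, A = 3, B = 4
    ciphertext = encrypt(list(plaintext), stream)
    known = [(y - x) % M for y, x in zip(ciphertext, b"HDR")]
    print("keystream s_1..s_5:", stream[:5])
    print("candidates (A, B):", solve_ab(*known))
    print("Oscar recovers:", attack(ciphertext, list(b"HDR")))
```

With A = 3, B = 4 and m = 256 the difference s2 - s1 = 72 shares a factor 8 with the modulus, so solve_ab returns eight (A, B) pairs rather than one. That is not a problem for Oscar: every candidate that reproduces the observed s_i generates the same keystream from s_1 onward, so any of them decrypts the message. Oscar does not need Alice's exact key, only one that is equivalent on the observed stream.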
i wonder if the Zodiac Cipher is a kind of One-Time-Pad
Hi Professor
I'd like to know whether we can get authentication through only a nonce in a protocol? For example
A------->B: N(a)
B-------->A: {N(a),N(b)} K(ab)
Do we have mutual authentication ?
Thanks
Assuming Alice and Bob share the same key that is only known to them, Alice knows after decryption of the message that the message originated from Bob. N(b) is currently not used in your protocol. regards, christof
Hello Prof. Thanks for the amazing lecture series.
I had a couple of questions on OTP.
1. Even though the key size would be "huge" in the case of OTP, theoretically with infinite computational resources it would still be possible to break it [2^3.2G computers can do it in 1 step].
2. Further, if the message size is really small (16 bytes), wouldn't OTP be a weak algo in that case?
Good point. This is a (well-known) paradox of the OTP. You are absolutely right, if the message size is small, one can of course try all possible OTP keys. The point here is, however, that you will NOT be able to tell when you have found the correct key UNLESS you know the plaintext already.
Very good observation, though.
hope this helps, christof
+Introduction to Cryptography by Christof Paar... Thanks Prof for the response. If I got you right, decryption would produce just a stream of bits and hence one could never tell if it were the right key (unless the original plain text was a meaningful English sentence/paragraph, for which you don't need to actually KNOW the plain text)
Almost correct: Let's assume the plaintext were a 6-letter ASCII string, e.g., ATTACK. If the adversary performs an exhaustive key search he would generate "ATTACK". But he would also generate "attack" and "SECRET" and "peace!" and "turkey" and "pay50$". Thus, unless he knows a priori what the plaintext is, he will not know which is the correct one.
Introduction to Cryptography by Christof Paar Yeah... that's quite possible given the richness of a language :)
However, I feel the probability of this collision would reduce as the input text becomes longer.
Thanks again Prof...
The keyspace grows with the length of the message; it's always as big as the space of possible messages.
For example: If you have a ciphertext of 100 bits length, there are 2^100 possible ciphertexts. The key is an equally long string of random bits, so there are 2^100 keys, and every key leads to a different plaintext. That means you can get any plaintext of equal length.
And because the key is truly random, all the plaintexts are equally likely.
Wonderful job professor, I think that people like you allow students to progress. Congratulations. Now, I have a short question. In your book, which is amazing, for OTP you put 3 requirements, but now in your explanation you omitted the second one, which says the key stream is only known to the legitimate communicating parties.
I think that I will get Erasmus from Valencia (Spain) just for being in your classes hahaha. Thx
Couldn't you brute force the OTP keystream bits? At the end of the day it's either 1 or 0, and 100 bits would be 2^100 possibilities; why can't you try every one and see which plaintext makes sense?
Good question. Brute-forcing an OTP is almost a paradox, as it seems to be feasible. But the answer in short is: no, it does not work. The problem is as follows: In order to do a brute-force attack, you need to know when you actually found the correct key. This is only possible with the OTP if you KNOW the plaintext that you are looking for already. But if you know the plaintext anyway, you do not need to brute-force the OTP-encrypted ciphertext.
Here is an example. Assume a plaintext consisting of 4 ASCII letters, i.e., 32 bits. Brute-force takes, thus, 2^32 steps. This is easy and takes a few seconds on a laptop. Assume the plaintext that was encrypted is "sell". You'll certainly find "sell" but also "sold", "dive", "duck", "2qfu" (and all your favorite 4-letter swear words too :) You will not be able to distinguish "sell" from all the other decrypted texts that you produce. Hope this helps.
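Professor Paar's brute-force paradox, both the 8-bit version in his earlier reply (256 answers, no way to pick one) and the "sell"/"sold" version here, as an added example that is not code from the lecture: it runs an exhaustive key search on a tiny ciphertext and shows that every plaintext of that length comes out exactly once, so the ciphertext narrows nothing down, and that for the 4-letter case any chosen word has a key that "explains" it just as well as the real one. The pad, the ciphertexts and the word list are constructed for the demonstration.

```python
"""Brute-forcing a one-time pad yields every possible plaintext, not the plaintext.
Added example with constructed data; not code from the lecture."""
from itertools import product

def otp(data, key):
    """XOR one-time pad; the same call encrypts and decrypts."""
    if len(data) != len(key):
        raise ValueError("key and data must have the same length")
    return bytes(d ^ k for d, k in zip(data, key))

def exhaustive_search(ciphertext):
    """Try every key of the ciphertext's length. Returns {plaintext: key}.
    Feasible only for a couple of bytes, which is enough to see the point:
    XOR with a fixed ciphertext is a bijection on keys, so the result has
    exactly 256**len(ciphertext) distinct plaintexts, one per key."""
    n = len(ciphertext)
    return {otp(ciphertext, bytes(k)): bytes(k) for k in product(range(256), repeat=n)}

def printable_candidates(search_results):
    """How many brute-force results look like text at all. The answer is 95**n for
    any n-byte ciphertext, i.e. it does not depend on the ciphertext: the search
    reproduces every printable string of that length, whatever was sent."""
    return sum(1 for pt in search_results if all(0x20 <= b < 0x7f for b in pt))

def key_for(ciphertext, wanted_plaintext):
    """The key under which the ciphertext decrypts to any plaintext of the same
    length: k = c XOR p. Every candidate is as legitimate as the real one."""
    return otp(ciphertext, wanted_plaintext)

def explanations(ciphertext, words):
    """Map each candidate word to the key that makes the ciphertext decrypt to it."""
    return {w: key_for(ciphertext, w) for w in words if len(w) == len(ciphertext)}

# Constructed demo values: a fixed 4-byte pad and the words from the reply above.
KEY4 = bytes.fromhex("9c017f33")
CT4 = otp(b"sell", KEY4)
CANDIDATES = [b"sell", b"sold", b"dive", b"duck", b"2qfu"]

if __name__ == "__main__":
    for w, k in explanations(CT4, CANDIDATES).items():
        print(f"{w!r} <- key {k.hex()}")
    results = exhaustive_search(b"\x3a\x7f")      # constructed 2-byte ciphertext
    print(len(results), "decryptions,", printable_candidates(results), "printable")
```

The two-byte search already makes the point: 65536 keys give 65536 different "plaintexts", of which 9025 are printable ASCII, and those counts are the same for every two-byte ciphertext. The only way to pick one of them is to know the plaintext already, which is exactly the reply's argument.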
Excellent lectures.
53:52 Christof Paar: "don't do TH-cam at this moment"
Me watching this on TH-cam: 😦
What are other examples besides the cellphone that use stream ciphers? If any of you know, let me know, thanks!
Where can I get the homework?
Great lecture by the way
Please visit the companion website of our textbook www.cryptotextbook.com and click Online Courses -> Videos. You'll find a comprehensive problem set for each video. The solutions to the odd-numbered problems are also on the website. Cheers, christof
Can't you try all possible cipher streams to decrypt the message?
Sure; for a relatively long message it would take you the lifetime of the universe.
@@TheGenerationGapPodcast thx
Excellent lectures!
You are an amazing teacher, thanks from Turkey by a Palestinian engineer
Sorry, small question: how did you get the 8 when you multiply by 400 megabytes?
I want to convert from megaBYTES to megaBITS. Since there are 8 bits in 1 Byte, I have to multiply by 8 :) regards, christof
Thank you
Hi Professor, I love security, so I find your videos a great way to go above the curriculum and prepare for an undergrad in computer science. I was thinking, isn't it possible to change the key values after each byte is encrypted with an LCG? This way any attacker knowing the first few bits would find it very difficult to get anywhere into the data. My idea is similar to some public key encryption: using some trapdoor function to generate a new key (A,B). The idea uses an elliptic curve on both PRNGs that will compute a new key. If point (A,B) is x, it will compute x^m (mod m). This new point will be the corresponding A and B values for the next 8-bit Si values. For the next 8 bits, it would compute x^(m+1) (mod m) and so on. This way knowing A and B from the first byte will not allow you to obtain the next A,B key without knowing the equation or having some prior idea of what the message is. The simultaneous attack breaks down if you get s8 and s9, as the A,B values will be different. Is this a practical solution?
If you have a trapdoor function why not use that to generate key bits and drop the LCG entirely?
Thanks Prof... it was Amazing lecture
very practical lectures....thank you
are lecture notes available online?
The lecture closely follows the book (or vice versa :) "Understanding Cryptography". You may want to have a look at the companion website, www.crypto-textbook.com. It is moderately priced and has excellent reviews on Amazon. regards, christof
Awesome lecture... thank you sir...
Can someone please explain how A and B were solved in the linear congruential RNG equation?
Algebraic substitution? He just didn't show the intermediate steps.
Thank you so much for this amazing lecture !
Sir, I am self-learning with the help of your videos; can you share the weekly assignment questions or anything?
Got it thanks sir❤️😎 👍
GREAT LECTURE SIR THANK YOU
54:00 a contradiction! How can I stop watching YT and look that way? Are you on LBRY?! That would be awesome.