Brilliant. I've been searching for good explanations of DES algorithm details and this is one of the best lectures I've seen. Guess I won't need my textbook anymore!
I loved to see you teach with this kind of earnesty and a high level of dedication to cryptography and towards your students & viewers too. Wish we could have more teachers like you here in India.
Professor Paar, this is my second time going through this lecture series. I cannot express my gratitude towards you in any way it would simply fall short. This is the best crypto lecture series one can have. I wish I could visit one of your lectures in person someday. Take care.
@@acid123ist oh nice, well im just a freshman who got super excited after watching The imitation Games and made it through the 5th video of these lectures.
Can't wait to continue my Master studies in Germany! Thank you Professor for these free and online lectures. I really value your enthusiasm and ability to distribute information to students.
I was facing so much difficulty to understand this from textbook, but this man cleared all my confusions. Thank you very much Sir for your hard work and dedication.
Wonderful lecture. Loved the way how the F-Function was broken down and explained. Thank you for the lectures and looking forward to your upcoming lectures.
Ok I've watched the lecture twice, now I'm going to read the chapter, then I'll code up the techniques so I really understand the material. I used this method for chapters 3 and 4. I'll be back for lecture 6 in about 2 weeks.
Agreed. I watch a lot of these between 1.5 and 2 and still understand. Then I wonder how people stay at such a slow, steady pace while lecturing...I wish my brain and speech speed worked like that. I feel like at 1.5, it's normal speed :/
From what I've read: confusion refers to making the relationship between the key and ciphertext more obscure whereas diffusion is exactly what you've explained in the lecture. So, confusion is when a cryptanalyst can deduce multiple keys from a set of ciphertexts but can't tell which of the keys was used and diffusion is when a cryptanalyst can't deduce a definitive plaintext from a ciphertext because the statistical properties of the ciphertext have been flattened, i.e. diffused. In this lecture, you say that confusion means a simple substitution that makes relationship between the plaintext and ciphertext more obscure. Is it not a different or incorrect interpretation?
That image is wrong in 47:50. bit 1 goes to 58 instead of 50 and bit 2 goes to 50 instead of 58. Same goes for IP^-1 bit 58 goes back to 2 and bit 50 goes back to 1 as you can also see from the table.
You make the statement around time mark 52:30 that bit level permutations are fast in hardware. This is counter-intuitive because crossing lots of wires on essentially a 2-D chip seems difficult to implement. Either you would need recursion or a fair amount of real estate on the chip itself.
Sir at 15:00 you explain about Shanon's confusion property where you have explained that it establishes relation between plain text & cipher text but according to this property the relation is between the key and cipher text not between plain and cipher text ! Can you please upload a video on RC4 Algorithm?
Great lectures !! I dropped acidentally and driven by private interest into the topic of cryptography. Cant stop myself learning more I think I get adicted !!! There is a verry good and knowledgable book by Simon Singh I read last night. Think there must be also a german version available. Driven by this I tried to understand the german ENIGMA machine and the history and methods of the breaking of its code. From there I wanted to know and understand more about actual math based cypher algorithms and got hooked by the history of RSA (the first unsymetrical algorithm). Cant still stop myself there seems to be unlimetet content at the net and even here on youtube. GIVE ME MORE...
hello sir,i have a doubt.i understood the concept of f function.expansion box expand the 32 bit into 48 bit.some bit connected twice .so my question is why some bit is connected only twice .we just have to make 48 bit is there any thing any single bit connected thrice or four times.if not then why???? @christofpaar
Wonderful lecture Dr. Paar! The part where they expand the plaintext from 32 bits to 48, and then go back to 32 bits in the S-boxes confuses me. How do they guarantee that they aren't losing data? It seems you could lose data if you didn't do this carefully--did I miss something? (Obviously they don't lose data, or DES would have been dropped years ago.)
These kind of lectures are difficult to find and especially how much hardwork professor has put in to teach unlike teachers and professors here who just tell the book name and chapters to study.
I don't get the point of the s-box indexing using outer bits for rows and inner bits for columns. It is just a substitution table, where every input maps to a particular output. Therefore you could just reorder the values in the table to match the index order of the input. It provides no cryptographic benefit to order them in the way that they are. It just makes it *look* like it's a more sophisticated operation than it is.
i was on twice the normal speed until 27:50 into the lecture but then i had to make it to normal coz i felt like i heard a never-heard language. I could still not understand him in the normal speed though. oh must be german, why did he change the language lol
If the sixteen 48-bit round keys scheduled for successive rounds in the encryption process for DES are replaced by successive 48-bit blocks of the 768-bit key, What would be the weak keys for this variant of DES ?
I love this professors’ classes. I’m stuck on the 6 bit to 4 transformation with the s boxes tough in the sense that you lose information. If it sometimes maps to the same 4 bit number, how can you inverse the operation to decrypt. I mean e.g. 08 could point to multiple 6 bit patterns….
Good observation. You are right, one cannot inverse the S-Box because of the 6bit-to-4bit mapping. HOWEVER, due to the way a Feistel network operates, one does not have to inverse the S-Box for decrypting. Rather, for decrypting the receiver merely needs to re-compute the same S-Box, again in the "forward" direction. Please have a look at the blackboard drawing starting at 36:26 where I (try to) explain this fact.
I liked all of Christof Paar's lectures which I watched so far! Great stuff and thumbs UP! However, the entire series of lectures and semester was recorded and took place in 2010-2011. This was before Edward Snowden's revelations in 2013 about NSA's global espionage, so the Professor may have not known the full story and told his students only what he has been told at that time, on why the NSA and their contractor IBM have not told anyone about the DES attack vulnerability (S-Box configuration). But cypherpunks and german crypto developers like me have a different opinion or theory today... It is more likely that NSA wanted to build in a backdoor in DES on purpose in the first place, in order to be able to break in and spy on any company, bank or targeted individual who used the popular DES cipher algorithm over the last 20-30 years. Just take a look at "Heartbleed bug" vulnerability in SSL online encryption which was revealed this year! The NSA knew about it, didn't tell anyone and exploited it for years! This may all sound like a conspiracy theory, but seriously, today everyone knows that the U.S. government and NSA do all these surveillance and espionage operations on the internet, especially against us Germans, even if they deny it. Edward Snowden revealed it himself, so nobody will argue about it today. It's not a conspiracy theory any longer but a conspiracy fact. But alright, let's assume the story was like the Professor said, that the NSA kept the vulnerability secret in order to be safe from attacks, which I find a bit sloppy for a "National Security Agency" with a budget of billions of dollars! You think the NSA would be so stupid and let IBM develop a half-secure cipher for themselves?? No no, that sounds like plausible deniality to me. I don't believe it. I think normal cryptographers have not been told the true reason why NSA kept the vulnerability secret. That's my personal opinion. You can't trust the NSA on this. They tell you one thing, but there may be more to the story as people think. Global industrial espionage has always been a big thing for any government or big corporation. There are many cipher algorithms today on the internet which people can download and use, but which have secret backdoors embedded for the government or spy corporations to break in silently and read all your encrypted messages easily. So be careful! These things don't happen, because NSA made a mistake. Don't be too naive to believe such a thing! NSA does not make mistakes. They want to spy on everyone on the global internet and they know what they're doing. It is more likely that DES was a clever spy scheme or fraud by the NSA. A malicious Cipher algorithm designed on purpose by NSA! But I don't want to insult the DES developers or anyone who loves DES. All I'm saying is I don't believe the story about the secrecy of the DES attack vulnerability.
These lectures are amazing, thank you for making this understandable in a pleasurable way :) If I am to learn this from my local professor I'd probably jump off the building, my face melted from infectious autism.
+Evram Hany It depends on your application. Often, you can just fill them with dummy bits, e.g., all zeros. The receiver has to decrypt everything received and can discard the dummy bits after decryption. In many real-world protocols you have to send in the beginning header information about the total length of bits or bytes that you are encrypting and sending. This way, the receiver will know which of the received bits are dummy bits. I hope this helps. regards, christof
really good teaching, I think it's hard to find explanations like this on the internet, and for free, thank you.
Even my own cryptography teacher doesn't give so much explanations
Top notch lecture. Clear, concise, extremely helpful and great fun. Professors of the world, please take a note.
Please have a look at Lecture 16 and 17 of this series where I introduce elliptic curve cryptography. Good luck!
Danke
Introduction to Cryptography by Christof Paar
Thanks sir.
danke professor. You have been amazing
Thanks :)
Pro tip: you can watch series at Flixzone. I've been using it for watching a lot of movies these days.
Brilliant. I've been searching for good explanations of DES algorithm details and this is one of the best lectures I've seen. Guess I won't need my textbook anymore!
Really appreciate this lecturer because this is the best explanation I have found on DES. Thank you for put it on youtube ❤🙏🙏
I actually watch these for fun, it's not my specialist topic but I've spent 7.5hours so far and enjoying it!
Such a great professor. The way he teaches and breaks down this subject is just awesome. Thank you
The first professor I've ever met, who allows sleeping in classes
Es mejor que duerman y no molesten a los demás. Nadie está obligado a aprender.
Confusion = substitution. Diffusion = transposition. This makes instant sense to classical cipher fans.
I loved to see you teach with this kind of earnesty and a high level of dedication to cryptography and towards your students & viewers too. Wish we could have more teachers like you here in India.
@@mritunjaymusale True
Professor Paar, this is my second time going through this lecture series. I cannot express my gratitude towards you in any way it would simply fall short. This is the best crypto lecture series one can have. I wish I could visit one of your lectures in person someday. Take care.
Hey I am also Indian Im just curious for what purpose were you learning cryptography Im doing it for fun.
@@creativegiant148 i had netsec crypto in my masters
@@acid123ist oh nice, well im just a freshman who got super excited after watching The imitation Games and made it through the 5th video of these lectures.
And sleep in class. Forgive me, please.
Sir , That was One of the Best lecture i have learn in youtube ... Thanks for it .
you are doing a very nice job
keep it up :) ....
seriously, you explain far better than my teacher.
I would recommend my friends to go through your lectures of crypto....
THANKS...
Can't wait to continue my Master studies in Germany! Thank you Professor for these free and online lectures. I really value your enthusiasm and ability to distribute information to students.
You are a good man because you shared this knowledge with the world, Thank you Sir.
Grossartig Lekteur. Ich liebe die bewegende Wandtafeln. Thank you for the lecture, great moving synchronized blackboards...
I was facing so much difficulty to understand this from textbook, but this man cleared all my confusions. Thank you very much Sir for your hard work and dedication.
29:24 ''If you do youtube on your laptop, it's like the biggest wasted 90 minutes of your life.''
Well, fuck
31:38 the best part of the lesson, OMG what a good teacher !!!! "It´s perfect, because it´s wrong"
as someone learning both cryptography and german, this is such a helpful lecture :)
Wonderful lecture. Loved the way how the F-Function was broken down and explained. Thank you for the lectures and looking forward to your upcoming lectures.
Thank you very much sir, you earned me my 10 marks of presentation :)
00:00 DES Intro
24:19 Feistel Network
42:54 DES Internals
Ok I've watched the lecture twice, now I'm going to read the chapter, then I'll code up the techniques so I really understand the material. I used this method for chapters 3 and 4. I'll be back for lecture 6 in about 2 weeks.
i would give my 100% attention and focus every single second of his lecture class if i would be in that class
Tip: You can watch this video at 1.5x speed and still understand.
+Kaustubh Ghanekar thank man. true!
Agreed. I watch a lot of these between 1.5 and 2 and still understand. Then I wonder how people stay at such a slow, steady pace while lecturing...I wish my brain and speech speed worked like that. I feel like at 1.5, it's normal speed :/
Useful AND practical.
I do it too 😂 but when you turn to normal it's like he speek tooo slowly
you must not be taking any notes
Thank you so much. Your explanation was beautiful and you made DES so simple and easy. Beautiful lecture
Thank you so much! Much better explanation of DES than my professor..
Thank you very much for sharing. It means a lot for the those of us in the disadvantage part of the world.
Really hats off professor . I can understand easily and also i m watching continuously dis lectures makes very helpful to learn
you are really a master of Cryptography!!!!
thank you for this material, the slides are really good and the way you explain this is so friendly.
I do not understand how someone can sleep during such a beautiful lecture?!
this is my food for thought for partial unemployment days, great lectures!
Awesome Lecture Christof, gave the trivia as well as the concept of DES. Thank you for uploading.
Great lecture on encryptology! many,many thanks to prof Paar
THE LECTURE MADE MY CONCEPT CRYSTAL CLEAR.THANKS A LOT SIR.THAT UNIVERSITY WOULD BE LUCKY WHERE YOU ARE TEACHING.
Thank you for uploading this,,,No one does the explanation better than you,,,,
Awesome explanations, you are awesome Sir. Thanks for sharing your knowledge with us with no cost.
Really great explanation ! Helped me out a lot in understanding DES
Christof is a great lecturer.
I really enjoyed this. Very clear and well illustrated.
My english is not perfect but I would said to thanks to this teacher. THANKS
I was attentive through out the video. thank you so much for the great explanation.
Thnx from Albania. I liked the explanation and I'm so excited that I'm going to write my own DES code. :)
Very nice and interesting video! I wish we had professors like you in my university !
I love the way he says "that's it for today thank you very much"
DES intro 0:00
Feistel networks 24:30
DES internals 43:00
Very helpful. Thanks for making it public.
Well Yes! the SBoxes can be rearrange into a simple vector so that the 6-bit input directly address the appropriate SBox vector element.
@17:52 In definition of confusion, it should be relation between key and ciphertext obsured.
Great lectures, very clear explanation! Nice job! Thank you
This was amazing! wish we had teachers like you in india
Great teacher ! very good explanations. Thank you very much.
Pleasant class. Thank you, professor!
From what I've read: confusion refers to making the relationship between the key and ciphertext more obscure whereas diffusion is exactly what you've explained in the lecture. So, confusion is when a cryptanalyst can deduce multiple keys from a set of ciphertexts but can't tell which of the keys was used and diffusion is when a cryptanalyst can't deduce a definitive plaintext from a ciphertext because the statistical properties of the ciphertext have been flattened, i.e. diffused.
In this lecture, you say that confusion means a simple substitution that makes relationship between the plaintext and ciphertext more obscure. Is it not a different or incorrect interpretation?
Spot on. The lectures are great, but the explanation of confusion is rather confusing ;-)
Thanks, Christof. Very well explanied.
That image is wrong in 47:50. bit 1 goes to 58 instead of 50 and bit 2 goes to 50 instead of 58. Same goes for IP^-1 bit 58 goes back to 2 and bit 50 goes back to 1 as you can also see from the table.
There are some football players known as genius. And know I guess I know who to call genius in teaching. :-) Thank you Mr. Paar.
Lecture so brilliant and helpful, thanks a lot prof.
Thank you Professor, great lectures
Thanks for the lecture, From India :)
You make the statement around time mark 52:30 that bit level permutations are fast in hardware. This is counter-intuitive because crossing lots of wires on essentially a 2-D chip seems difficult to implement. Either you would need recursion or a fair amount of real estate on the chip itself.
To my knowledge, the bit permutations can be achieved in standard ICs quite easily using standard metal routing. regards, christof
very helpful, the teaching is great too good job.
This is such an amazing course, but could you help me to add a subtitle for each lesson to people who hasnt a good skill in english
i believe i can fly
sooo before you go
@@fahmiramadhan7166 hey yoshii masi idup kamu
Sir at 15:00 you explain about Shanon's confusion property where you have explained that it establishes relation between plain text & cipher text but according to this property the relation is between the key and cipher text not between plain and cipher text !
Can you please upload a video on RC4 Algorithm?
Great lectures !!
I dropped acidentally and driven by private interest into the topic of cryptography.
Cant stop myself learning more I think I get adicted !!!
There is a verry good and knowledgable book by Simon Singh I read last night.
Think there must be also a german version available.
Driven by this I tried to understand the german ENIGMA machine and the history and methods of the breaking of its code.
From there I wanted to know and understand more about actual math based cypher algorithms and got hooked by the history of RSA (the first unsymetrical algorithm).
Cant still stop myself there seems to be unlimetet content at the net and even here on youtube.
GIVE ME MORE...
Volker Schmidt
Omg i came here from numberphile's video on the Enigma!
@@bananian same here
Very nice explanation sir. I really enjoyed your lecture.
hello sir,i have a doubt.i understood the concept of f function.expansion box expand the 32 bit into 48 bit.some bit connected twice .so my question is why some bit is connected only twice .we just have to make 48 bit is there any thing any single bit connected thrice or four times.if not then why???? @christofpaar
Wonderful lecture Dr. Paar! The part where they expand the plaintext from 32 bits to 48, and then go back to 32 bits in the S-boxes confuses me. How do they guarantee that they aren't losing data? It seems you could lose data if you didn't do this carefully--did I miss something? (Obviously they don't lose data, or DES would have been dropped years ago.)
These kind of lectures are difficult to find and especially how much hardwork professor has put in to teach unlike teachers and professors here who just tell the book name and chapters to study.
Amazing. That is what should proffer looks like
Just bought this guys book thanks for das buche!!!
I think there is a mistake at 1:20:27 8 is 0100 not 1000 but this is the greatest lecture about des
You're an amazing lecturer!
I don't get the point of the s-box indexing using outer bits for rows and inner bits for columns. It is just a substitution table, where every input maps to a particular output. Therefore you could just reorder the values in the table to match the index order of the input. It provides no cryptographic benefit to order them in the way that they are. It just makes it *look* like it's a more sophisticated operation than it is.
Superb lecture. Thank you
Best explanation ...!!!
i was on twice the normal speed until 27:50 into the lecture but then i had to make it to normal coz i felt like i heard a never-heard language. I could still not understand him in the normal speed though.
oh must be german, why did he change the language lol
to explain something. he says, I switch to german for a bit
If the sixteen 48-bit round keys scheduled for successive rounds in the encryption process for DES are replaced by successive 48-bit blocks of the 768-bit key, What would be the weak keys for this variant of DES ?
The output is wrongly mapped in the ppt at 54:15
i learned a lot from this tutorial Thanks
I love this professors’ classes. I’m stuck on the 6 bit to 4 transformation with the s boxes tough in the sense that you lose information. If it sometimes maps to the same 4 bit number, how can you inverse the operation to decrypt. I mean e.g. 08 could point to multiple 6 bit patterns….
Good observation. You are right, one cannot inverse the S-Box because of the 6bit-to-4bit mapping. HOWEVER, due to the way a Feistel network operates, one does not have to inverse the S-Box for decrypting. Rather, for decrypting the receiver merely needs to re-compute the same S-Box, again in the "forward" direction. Please have a look at the blackboard drawing starting at 36:26 where I (try to) explain this fact.
I liked all of Christof Paar's lectures which I watched so far! Great stuff and thumbs UP!
However, the entire series of lectures and semester was recorded and took place in 2010-2011. This was before Edward Snowden's revelations in 2013 about NSA's global espionage, so the Professor may have not known the full story and told his students only what he has been told at that time, on why the NSA and their contractor IBM have not told anyone about the DES attack vulnerability (S-Box configuration). But cypherpunks and german crypto developers like me have a different opinion or theory today... It is more likely that NSA wanted to build in a backdoor in DES on purpose in the first place, in order to be able to break in and spy on any company, bank or targeted individual who used the popular DES cipher algorithm over the last 20-30 years. Just take a look at "Heartbleed bug" vulnerability in SSL online encryption which was revealed this year! The NSA knew about it, didn't tell anyone and exploited it for years! This may all sound like a conspiracy theory, but seriously, today everyone knows that the U.S. government and NSA do all these surveillance and espionage operations on the internet, especially against us Germans, even if they deny it. Edward Snowden revealed it himself, so nobody will argue about it today. It's not a conspiracy theory any longer but a conspiracy fact.
But alright, let's assume the story was like the Professor said, that the NSA kept the vulnerability secret in order to be safe from attacks, which I find a bit sloppy for a "National Security Agency" with a budget of billions of dollars! You think the NSA would be so stupid and let IBM develop a half-secure cipher for themselves?? No no, that sounds like plausible deniality to me. I don't believe it. I think normal cryptographers have not been told the true reason why NSA kept the vulnerability secret. That's my personal opinion. You can't trust the NSA on this. They tell you one thing, but there may be more to the story as people think. Global industrial espionage has always been a big thing for any government or big corporation. There are many cipher algorithms today on the internet which people can download and use, but which have secret backdoors embedded for the government or spy corporations to break in silently and read all your encrypted messages easily. So be careful! These things don't happen, because NSA made a mistake. Don't be too naive to believe such a thing! NSA does not make mistakes. They want to spy on everyone on the global internet and they know what they're doing. It is more likely that DES was a clever spy scheme or fraud by the NSA. A malicious Cipher algorithm designed on purpose by NSA! But I don't want to insult the DES developers or anyone who loves DES. All I'm saying is I don't believe the story about the secrecy of the DES attack vulnerability.
confusion refers to making
the relationship between the ciphertext and the symmetric
key u wrote the other way rnd
Even at 1:19:47 it should be second column not third in the ppt..
thank you from Brazil
student: what's encryption?
professor: 27:50
sir you teach great !
I wonder if the S-Boxes can be rearranged so that the lookup can be direct, without all that bit0-bit5 and bit4-bot3-bit2-bit1 nonsense.
thank you sir for these great lecture.
Can we use 3DES in EED mode with K1,K1,K2 keys? how will the strength differ in finding the keys in terms of EDE and EED mode?
Very good lesson!
may I ask, what's is the algorithm that makes the subkeys for every round and where do I find the S-BOXS 2 to 8?
These lectures are amazing, thank you for making this understandable in a pleasurable way :) If I am to learn this from my local professor I'd probably jump off the building, my face melted from infectious autism.
Thanks for an awesome lecture !
Why the initial permutation is performed when it gets reversed at the end??
please DR ..... how does DES deal with extra bytes where these bytes couldn't construct a block ??
+Evram Hany It depends on your application. Often, you can just fill them with dummy bits, e.g., all zeros. The receiver has to decrypt everything received and can discard the dummy bits after decryption.
In many real-world protocols you have to send in the beginning header information about the total length of bits or bytes that you are encrypting and sending. This way, the receiver will know which of the received bits are dummy bits. I hope this helps. regards, christof
did they find the German video? We want to know!
Thanks so much, I loved it!