AES: How to Design Secure Encryption 

It would be really interesting to explain some of the candidates that didn't make it. For example show why some of the rejected algorithms weren't secure.

Finally a simple enough yet comprehensive explanation of AES. I always wondered how this algorithm worked and you layed it out so well!

The use of the little robots is so engaging! SubBytes is oddly adorable in their mannerisms :D

The clever use of graphics to illustrate the processes elevates the learning experience to a whole new level! Very well done!

Great! Now continue with why simple AES encryption (ECB) is not enough in case of messages longer than 128bits. That's why cipher mode such as CBC exists.

The underlying round function of AES also has the nice property of generalisation, namely, it can easily be adapted to a public key one or a hashing function just by modifying how the key modifies the input in AddRoundKey.

this is like the only video explaining AES that i totally understand XD Also the visualize with box make my brain learn faster Good video as always, thanks you and the robots so much

Back in '95 I designed a password encryption algorithm based on XOR (exclusive or) logic. The company, AT&T NCR was sutilably impressed.

Ironically almost all cipher modes still use one-time pads as shown in the beginning, and we use AES or other keyed mixing algorithms to generate a consistent but unique random key stream. I guess it was concluded that diffusion of the plaintext isn't a useful property in the end. This only works securely if each message starts with a unique "initialisation vector" aka "nonce" though, to ensure each one-time pad sequence for each key-message pair is unique and can't be statistically analysed

I can't say how grateful I am, cause I was breaking my head to find good videos which I could understand easily, algorithm like MD5 and Sha 256 which teaches me and not just the same old crap. Thank you ❤❤

I love how you used 'robots' to describe functions, and the way you arranged them at the end!

Great video! Very clear explanation. Would've loved to hear more about how key expansion works

Best channel on youtube. Videos are always so clear and great subject matter.

I haven't posted a single comment for a few years probably, but this video works so well for me that I have to say - very good explanation and thank you for this vid :)

The Galaxy Cipher Machine: Unbreakable encryption using the Kaliko encryption method. Set up: A disc cipher machine on a spindle, the discs are like checkers in that they have notches to fit into each other. 1st wheel is the set disc with the numbers 1-80 scrambled, etched around the side, and on the top edge are three alphabets, scrambled the same, with two empty spaces to make 80 digits around the top. Each letter on the top is over a number on the side. There are 26 body discs, each having two rows (top and bottom) of 1-80 on their sides. The first message is a four number code: 1234. This is first a security check. The number 23 on the disc, 4 to the right, plus 1, gives you the security response. For the set up: The number one represents which set disc is to be used. The 23 is the number on the set disc that is under the letter on the top "E". This letter is the first body disc to be put on the spindle under the set disc. Depending on what the users invented for themselves, an even number goes left, odd/right. So the order of the body discs is the E first, then of right for the rest of the letter order for the discs. The body discs are like checkers in that they have notches for them to fit into each other. There is a dot on the bottom of the set disc somewhere between two numbers, and a dot on each side of each body disc as well. The last number of the 1234, the 4, is how many (left or right) notches to shift the discs as they are being put on using the dots as beginning points. 4 was invented to mean right for the dots so each disc has their dots spaced 4 notches to the right of the one above it. It is also decided/invented which discs go on up-side down. Once all discs are in place a tightening bolt is screwed on the spindle to secure the discs. Operation: In the coded message sent, the first 30 numbers are still part of the set up. The message follows after them. In these 30 numbers you have invented the pattern that if there are two number 6s in the 5th, 13th, 18th, and 29th numbers, the message is authentic. If there are more or less than two number 6s the message is bogus and is disregarded. In the first 30 numbers, you take the 4th and 9th numbers to know which algorithms to use, in this case both numbers are 12,34. You have invented at least 10 algorithms. The first message letter is O. Find an O on the top of the set disc in one of the alphabets (using another alphabet for the next O), and go down to the number below it on the edge, say 57. Now the first four algorithms are made up by the two users of the machines so they can be anything their imaginations can come up with. Like, from 57, down five discs to the top row of 1-80 where the number is 32, find 32 on the bottom row and go down 7 more discs and do the same, then go straight up to the set disc. 2nd algorithm is a diagonal angling down to the right 8 discs to the lower number on that disc-46, then finding the 46 on the top row, and straight up the to the top set disc. 3rd algorithm is another imaginative pattern ending at the top number 78 on the set disc. 4th algorithm now has a sleeve that fits over the machine with holes randomly drilled into its side lining up with each disc's number lines, 15 holes per line. Now look again to the first 30 numbers and see the 18th and the 62nd numbers are 36, and 84. So now the 78 is lined up with the 3rd disc's top number 6 hole, this shows the number 69 in the bottom number row hole 8. This continues for 4 discs to the last number 51 that is sent in to the other communicating person. (36, 84 is third disc, holes 6 and 8, for 4 discs)They run it all backwards to find the letter O. Throughout the sent message there are many OOs. The pattern invented is that you go six numbers beyond the OO to see if there is a number 5 in that number (75). If there is, you know it is a body disc shift. The other number is how many notches to shift each dot.(Odd numbers one way, even the other). Do this at least once every message. If there is a 2 in that number (27) it means to replace the set disc with another one, in this case the number 7 set disc. You replace the old one and just line up the dots of the new set disc directly over the dot beneath it on the first body disc. Do this at least once every message for both set and body discs. Another code invented tells you to change the entire order of the set up with a 4 digit set up number following it. Another code tells you to change the number of algorithms to use. Golden rules: 1) Never use the same set up code more than once. 2) Always send at least 15 phony messages for every one authentic message. 3) Always shift both the set disc and body discs at least once every message. This cipher machine has ever changing/shifting number patterns, an infinite number of invented algorithms that are used in different orders, a large number of algorithms to constantly change, and every set of machines has a different operation. Each operating set of machines have virgin discs no other machines have. This cipher machine cannot be broken, not even by the largest computers in the world if used correctly. The confirmation that a code has been broken is that the message appears. With a 500 letter message, if 500 GCMs are used where each machine only encrypts one letter, there is no confirmation the letter that comes up when trying to break it is the actual letter that is in the message. Every letter has a machine with different discs, different algorithms, and different operators encrypting it. So the most any attempt to break the code can do is acknowledge that each letter position could be any of the letters in the entire alphabet (A-Z). To write out the possibilities on paper would be to have an entire alphabet under letter position #1, then another one under #2, an so on. In the end there would be 500 alphabets in a row as the only clue to what the message says. A wall of alphabets. Its like telling the hackers there are 500 letters in the message and the words are in the dictionary. With this small bit of information it is IMPOSSIBLE to even begin to try to find the message. Not even the biggest computer in the world, working on it for 10,000 years could find the message. This encryption form is called KALIkO ENCRYPTION, it is unbreakable, and is perfectly suited for the Galaxy Cipher Machine.

Loved that this guy has not stopped yet!! Thanku so much sir

Wow, a very informative and easily understandable explanation! Well done!

Started watching this channel and immediately recognized the voice from CS50 🤣 love your lectures, thank you!

Great explanation with great animation, as always.

Your videos are consistently great. I wish you would do them full time.

Really excellent presentation! Thanks.

Great explanation- Seriously underrated channel. Happy I discovered you today. Subbed 😊

Amazing channel. Thank you!

Excellent explanation and animations!

Beautiful explanation

The best explanation of aes I've ever heard

This is such a concise explanation and the animation is so cute! Thank you so much for your hard work!

Excellent tutorial. Thanks

Thank you very much, the explanation was great

Great easy explanation

8:45 Any block cipher that is always able to turn the encrypted data back to normal is just a big substitution cipher where for an input of any block combination it will substitute a different block combination.

Great explanation!!

You are one of my favourite teachers on cs50❤❤❤❤❤

Excellent work 👏👏👏

Damn ! That's some good ass content, i can research for days and wouldn't come close to underestand stuff like that

Amazing video !

Thank you!

The best way to explaine ever ... thank you

I like your explanation of how the XOR gate works, I've never thought of it like that, thank you :D

Great Video

You couldn’t of uploaded this at a better time

such a nice content you don't see everyday on youtube nowadays :)

Nice video !😀

great video

thank you

Nice explanation. Can you add a followup to how many rounds are chosen, with regards to full diffusion in N rounds and bidirectional impossible differential cryptanalysis?

very informative video, thanks! do you plan to make a video about the fact that some encryption can be reversed via the same exact key? (i mean the technical requirements for that).

Amazing explanation. Really appreciate the background on confusion and diffusion. Really puts context behind each step!

Yay!, We got a new video 🎉

I love this kind of video please do more...

Cool video but i wish it showed the decryption step. As is, AES seems like a fancy hash. I cant fathom how youd do all of that backward again!

Yeay, a new video to learn from Brian. Thank you!

Thanks for this cute video that lays out the subject so well, which I've found to be interesting but intimidating. The li'l robots are 👌

I loved thisñ

9:25 Knew those values looked familiar :)

Great job

Amazing Brian

Are you planning to do a video like this about TLS? I'd be perfect.

Thank you goddammit

Kesini gegara direkom mbak luth

Another condition you need to add to make the system at 2:41 "perfectly secure" is that the key needs to be strong. In particular, I think it should have high entropy over all suitably short intervals. How short depends on how much the adversary knows about the plaintext. If the attacker knows absolutely nothing about the plaintext (i.e. considers it to be just random bits with no apparent meaning), then this isn't a problem. But that scenario isn't realistic--usually the plaintext has some obvious structure that the attacker is capable of predicting and recognizing (such as being English sentences), so a randomly chosen OTP key that just happens to contain a low-entropy burst can reveal a burst of information about the plaintext. Modern ciphers like AES avoid that issue by mixing up the bits instead of only XORing them with a (pseudo)random sequence.

How to decrypt all this sounds like a nightmare. Is AES key also an clue for how many rounds it took and what was shifted?

Interesting. Why is the substitution important for confusion? Wouldn't just applying the round keys do a similar job?

If I am correct, key is weakest point of that security system. It is in need to deliver it somehow to encrypet message reciever.

I'd love to see a video explaining how quantum computers break encryption standards, and how other algorithms can work to protect against quantum computing.

It's funny that XOR-OTP is 100% guaranteed secure, but AES is only secure in practice, not in theory. Nobody knows if AES has some *hidden vulnerability* that reduces its effective security by orders of magnitude. Some small vulnerabilities have been found, but they reduce the effective security by ~5 key bits, not half of all bits

Men, youuuu arrrrre awesome ❤

Great video. One note, it's pronounced RHINE-dahl, not RAIN-dahl.

Wait, at about 10:10 it occurred to me that the process sounds a lot like a neural network, with sequences of linear and nonlinear transformations!

0:35 The phrase "One algorithm - Rijndael - won the competition" does sound like "One algorithm reigned all - won the competition". I cannot imagine this is an accident. Well done!

👌

By hearing his voice was about to comment its brian from CS50 then in description foind out ohh its him 😅

can you make an animation about JWT authentication tokens? i still cant wrap my head around using it for logging in and logging out!

4:16 One really non-performant way to do it with just the simple XOR algorithm is to make the key an transcendental number that can be computed one digit at a time, then send a second piece of data for what digit you're on and so long as they don't know the transcendental number you can iterate through the digits of your number forever without them being any wiser this will of course be limited by how accurately you're computing and the number of bits used to tell the digit you're on, and you'd have to come up with a new transcendental number each time you want a new key.

How is the key sent to the person you want to be able to “read” the message?

Seems like mix columns is pretty similar to the key expansion?

good animation :)

why can't AES be generalized to higher sizes, like 512 bytes or 1024 etc etc?

Best of the best

The robots look like they're Wall-E and Eve's kids

Do for Boyer moore algorithm like Fighting

Please upload java course +dsa

My brain has a very strong confusion algorithm

When it won the NIST contest, Rijndael reigned all.

"I'm gonna go get the papers, get the papers."

is the narrator from CS50?

But how to share the key between the two actors ?

6:56 multiple xor lol

12:41 The cyclic group with 256 elements is not a field since 256 is not prime.

The best thing is that the target is confusion

How to decrypt with key (or without 😏)

Now I know AES mix and modifies the bits and bytes of data, and thus it's very secure. I wonder how can we decrypt it...

and that's faster than rsa??? It already looks so expensive to run

The biggest issue with making an AES I would say is the "S" section. Need to stop knowing the AES from working as the sole needed tool to break through it.

The explanation is good but without explaining the reversing operation it's seems just as hashing and not encrypting

I was some day trying to serch up this stuff and i culdnt find anything usful so thanks wery much

You didn't mention the IV at all. How does CTR block chaining work exactly? It's almost magical, makes the block cipher behave exactly like a stream cipher.

I still don't know why no one has made an encryption schema using recursive fractal patterns as the keys. A seed, a fractal equation and a number of iterations could make a passwordless login system more secure than quantum encryption.

In the encryption example at around 2:14, another way to do it, since it's using binary, XOR the two bits, since the XOR gate works in a way that could work as a controlled not, ie. you can choose whether or not a bit is affected by a not gate.