i have been watched this lecture at 2015 (to be honest all these youtube vids) and now i am working on the same field and what a great lecture still its. a huge respect and applause for you sir.......
Thats actually the first explanation i have found for this alogrithm, thanks a lot. I really dont like taking things for granted, without knowing how they are derived and most pages only state the algorithm and dont really say anthing about why its that specifiy sequence of squaring and multiplying.
Great lectures by an awesome professor. I had never found a material so well balanced between mathematical depth and practical application, foundational to most real-world applications of modern cryptography. I have bought your book from Amazon, though the Kindle version because I could not wait🙂. Thanks Professor Paar!
Dispite of the fact that I'm 15 years old, I was able to understant everything perfectly, because of the way it was explained. Now i can start tu use RSA in my projects.
Thank you for your videos, Christof. You are much more 'to the point' than my lecturer and much clearer. I am using your videos as review for my finals. Again, thank you.
At 26:00 professor makes a really good point. I wrote a school paper on RSA and one of the things I was confusing the most was writing mod phi(n) instead of mod n.
He mentioned that he's doing those classes in English because of the Erasmus students in that faculty. What's more sad is that nowadays the Erasmus students care about partying and not learning useful stuff.
There is another way to do fast exponentiation using the binary representation of the exponent as well, and I find it easier. It simply we use the fact its binary representation is a way to indicate which powers of two when added together will yield the number, and we use the fact that multiplying the same number raised to different exponents means we add the exponents. So for the example of x^26, 26 in binary is 11010, which means we need to add 2^4 which is 16, 2^3 which is 8, and 2^1 which is 2 to get 26. So, x^26 is simply(x^16)*(x^8)*(x^4).
Watching a recent video on Prime, evidently Allison Cox created two formulas which are now used world wide to encrypt all on line transactions......... is this in fact the case? thanks
Thank you for excellent video! But I have an question. When we compute a key pair whe use modulo Phi(n). But when we use the key pair to encryption or decryption we use surprisingly modulo n. This means different group of elements! How is possible it works? I suppose key d is inversion in the set Z(Phi(n)) but not in the set Z(n). Where do I mistake?
Not sure if anyone will reply to this since the video is 3 years old but I was just curious. Is the material present in this series of lectures still applicable to whats present in 2017? I find the lectures compliment the material that I am currently learning in my current course very well but I don't want to try and put this into practice if the material is outdated. The Professor really makes the material easy to understand and I quite enjoy this series of lectures.
Good question. This is an introductory course in applied cryptography. I am quite active in the research and commercial security communities and WRT basics, surprisingly little has changed, i.e., most of the material is still very relevant. The most notable changes are that SHA-1 is slowly phased out and replaced by SHA-2 and SHA-3. I plan to put a SHA-2 lecture online at some point in the spring. What is missing in the course are some advanced topics, esp. post-quantum public key schemes. But it can be argued that they are not relevant for an intro course. Hope this helps. Cheers, christof
Hi Christof, I have a question regarding exercise 7.4.1. If a modular square takes 75% of the time that a modular multiplication takes and if t is the time that the multiplication takes, then for the case where e = 2^16 + 1 the time needed for the modular exponentiation would be 16*0.75 *t + t ? I ask this because I did the exercise and when trying to correct it on the internet I found that the solutions given are quite different
I have a doubt here...in Key generation, p and q are prime numbers and you chose phi(n) = (p-1)(q-1).. I didnt get on what basis you came to this expression. Can someone elaborate here please ?
Thanks Professor, One question from an attacker point of view I understand for a particular (n,e) there is a unique d During your lecture on RSA digital signature you have mentioned ,normally e is a small value and most of the implementations choose 3,2pow16+1 If an attacker happened to choose the same n,e which my browser is using ,will the attacker could find my private key? How it is taken care that a random " n (p,q)" ' which my browser generates will be always different from a public key generated by an attacker
Very good question. The answer is: There are *primality tests*. These do NOT factor the number in question but merely tell you whether it is a prime number or not. The easiest primality test is probably the Fermat test: en.wikipedia.org/wiki/Fermat_primality_test cheers, christof
Can someone explain why Phi(n) is hard to find? If N = p * q, and Phi(n) = (p-1)(q-1), shouldn't Phi(n) be very close to N? And so brute force searching backwards from N should arrive at Phi(n)?
The probleme resides in factorisation of n. As we see, both n and Phi(n) are the multiplication's result of 2 numbers. So there is a lot of possiblities to factorise Phi(n). And with each possiblity, you have to find the best factorisation of N. You can imagine the difficulty if N is too large !!! Personnally and if we compare RSA with AES I can see that: -To decrypt a cipher text AES you have to use the brute force attack (try all possiblities of the key). And that takes more than Univers's age as Professor Paar said !! -To decrypt a cipher text RSA. you have to write n as a product of 2 prime numbers. That means you have to devide n by all prime numbers untill finding a prime number as result. That is not esay if n is too large.
Amsbrid M hmed But no, to decrypt RSA you don't have to write n as a product of 2 prime numbers. You only have to find Phi(n). That's what I'm saying. Wouldn't it be quicker to find Phi(n) (since it is "close" to N), rather than trying to factor N. Once you find Phi(n), you can compute the private key (it's the inverse of e mod phi(n)).
I see.. however let's take an example: Chosen N= 163 * 419 = 68297 So Phi(N)= 162 * 418 = 67716 I see now.. it seems with brute force attack we can guess Phi(N) and decrypt the Cipher text with the formula: X= Y^d mod Phi(N). In other hand, if this will be as simple as that. Why NSA trusts RSA ?. In addition to this, RSA Algo was a team work of 3 expert persons, they spent many years to find this algo, and all the world trusts it.
There are special algorithms, so-called primality tests, for this. They do NOT require factorization. The most popular one is probably the Miller-Rabin algorithm. Please have a look at Section 7.6.2 of our book (or Wikipedia :) regards
Great lecture, thank you. How is it that the d and e are calculated with respect to phi(n), but the encryption and decryption work with respect to modulo n? What's the mathematical connection between phi(n) and n?
The key (pun intended) is that: (x^e)^d = 1 mod n if: e d = 1 mod phi(n) In order to see this, you have to check the proof of the RSA cryptosystem. You can find it in our book but there should also be many sources on the internet. cheers, christof
@@introductiontocryptography4223 Learnmebitcoin's question along with your answer gave me a super flash of insight of a point I was always only about 90% clear on but now have it 100%.
Is that (x^e)^d=1 mod n correct or should it be (x^e)^d = x mod n. Is the original value raised to e and then that value raised to d = to the original value or have I missed something
Enciphering HELLO WORLD using the RSA cipher, the modulus was chosen as 77, even though the magnitude of the cleartext blocks is at most 25. What problems in transmission and/or representation might this cause? This Q is killing me now....
Hi, i believe you have some severe error there.. p=3, q=11, n=33, e = 3 there seems to be more than one D.. (7,17,27) M == (M^3|33)^7|33 == (M^3|33)^17|33 == (M^3|33)^27|33 does this mean that if d is privately held by Bob, NSA with key 17 and Chinese government with key 27 can read the encoded message? :) Also note that if we would keep the e private, and would supply 7 with the message, we could create any message with other private keys 13 and 23.. (M^3|33)^7|33 == (M^13|33)^7|33 == (M^23|33)^7|33
d must satisfy the condition that e*d mod phi(N) = 1 In this case, e = 3 and phi(N) = 20 3*7 mod 20 = 21 mod 20 = 1 3*17 mod 20 = 51 mod 20 = 11 3*27 mod 20 = 81 mod 20 = 1 So while d can't be 17, it can in this case also be 27. The issue here is that the encryption key was poorly chosen. The encryption key needs to satisfy two conditions: 1. 1 < e < phi(N) 2. e must be coprime with N and phi(N) that is, gcd(N, e) and gcd(phi(N), e) are both 1. Since e = 3, it's not coprime with N (N = 33, thus gcd(33, 3) = 3), it breaks the second condition and thus compromises the security of the encryption. Paar did however excuse his choice by saying it was poor.
You have to look at the definition of inverses in rings modulo n. The inverse x of a number e in such a ring is defined as: e x = 1 mod n For e=3 and n=20, the inverse turns out to be x=7. cheers, christof
Brilliant lecture, thanks very much! I have a question about Squaring-and-Multiplying. What I do, basically, is square until I can't square anymore and then multiply. It appears to work: Ex.: x7 x . x = x2 x2 . x2 = x4 x4 . x4 would yield x8 and I'm looking for x7, so I multiply from now on: x4 . x2 = x6 x . x6 = x7 I tested this with values 3 and 5 for x and it seems to work. Math isn't really my strength, so if anyone could point out any errors or problems, please let me know
I have a doubt. Considering the message to be encrypted is m=255, which is only 8-bits. The public key exponent, e usually has a small value like 3 or 5, whereas N would be very large (1024 bits or 2048 bits generally). Computing m^e mod N will result in m^e because both m and e are way too smaller than N. If we do this, we are just exponentiating the message by the public key exponent. Is this not a bad (insecure) encryption?
Dear Professor I am still not convinced by sq and mul algorithm. I agree that we can know the sequence of operations sq and mul but how ca i convince myself that now I dont need calculator.
Dear Professor, I have another question. Example1: for 31^7 mod 33 you solved it as: (-2)^7 mod 33 (where you follow that 31-33= -2 Example2: (Lecture 2) : 3^8 mod 7 you solved by 3^4.3^4 mod 7 and then 81.81mod 7 and so on.... considering this I come across another example: 26^7 mod 33 so (-7)^7 mod 33 so how to do next? should i make equivalence class of mod 33 to check good number for -7 right???
Great lecture. Is it correct that every x encrypted produces an unique y using e,n because x is less than n? Assume I know the type of message Alice is encrypting which is made up of just letters or numbers converted to bits. If I’m Oscar can I not work out y for each x in the full set of x using the public keys as the full set of x isn’t very big. If I store these I don’t need to use d and n to reverse any subset of x?
Yes, that works if the number of possible x (i.e. the plaintext messages) is not very large. However, in practice that attack does not work for two reasons. Mainly, in practice RSA is mostly used with "padding", which introduces randomness to the plaintext x before encryption. Please check Section 7.7 of our book www.crypto-textbook.com (or any other source) on RSA padding. Also, RSA is commonly used with 2048 bit modulus, so that there are 2^2048 possible values for x. hope that helps. cheers, christof
One thing that is missing is how to find the huge prime numbers p & q? Next lecture starts with Discrete logarithm. Is that skipped from lecture or is taught in later lectures?
I might sound very stupid but I have a hard time understanding how did he calculate the e^(-1). Then there is the : d.e = 7.3 = 1 mod 20; but when I used online calculator to do that i got : ans = 1. Furthermore I read the comments section where Prof replied that the commenter correctly computed : d = -9. How did that happen ? There is obviously something very simple staring right at my face but I cannot see it for some reason. Any advice in what direction to look would be appreciated.
Dear Professor, I try one example with following numbers: p=5,q=7,e=5,d=5. The point I want to mention here is though i chose e as 5 which is one of my prime number I admit not a good choice but my d in this case turns out to be same 5. So if my plaintext is 6 then 6^5 mod 35=6 again so i am sending ciphertext which is actually my plaintext...So can i conclude here I need to have a good choice for my e? or I should say its just a toy example of small prime numbers?
i have a question please with the famous example of RSA: if p =17 and q =11 e=7 then n =187 fi(n)=160 d=23 and the plain message M=88 after encryption cipher text C=88^7 mod 187 =11 how come if we decrypt the message with the public key e=7 11^7 mod 187 = 88 (which is plain text) and private key d=23 also 11^23 mod 187 =88
11^7|187 = 11 but 11^23|187 = 11^103|187 = 11^183|187 = 88.. yes, there seems to be more keys do decrypt it.. in general M = (M^7|187)^23|187 = (M^7|187)^103|187 = (M^7|187)^183|187
You made a comment that the RSA parameters, d,e and n are burned into your smartcard. Why would d be burned into it? It would seem that d would be computer by the smartcard reader on the backend to verify the transaction or encryption.
Good point, I was jumping ahead a bit. On smart cards, one of the main applications of RSA is digital SIGNATURE, which is similar to RSA encryption (which is covered in this lecture) but the role of the public and private keys are swapped. In a smart card application, the reader (ATM machine or such) sends a random number to the card and asks the card to "sign" the random number. This signing takes place with the PRIVATE key "d" and n. The card then returns the signed value and the reader (again: ATM machine etc) verifies this signature using the PUBLIC key "e". This set-up has the advantage that the secret private keys are stored only on the smart card which is supposedly tamper-resistant, i.e., one can not read-out that private key. You may want to watch Lecture 18 from this series where I explain digital signatures in general and RSA signatures in particular. --- All his said: This is the reason why I said in the lecture that "d" and "n" (and sometimes also "e") are burned into the smart card. cheers.
saibaba kothakapu If p and q are equal you could just take the square root of n, check to see if it's an integer, and if it is you have your factorization, ie n = sqrt(n)sqrt(n).
I have observed that there can be multiple values of d(private key). I am confused because I thought private key is supposed to be unique. Can somebody please explain??
That is because of the modular operation in the decryption. If the cyphertext is raised to an exponent d , and than you take mod n , the range of answers is limited to [0,n-1]. It is possible to chose another d that is larger which if you raise the cyphertext to the power of that d gives you the same result. That’s how i understand it, there’s probably also a math proof for it.
If it is possible to find the inverse of e given modulo phi(n) using the euclidian algorithm, why wouldn't it be possible to do the same given modulo n?
Good question, which is at the heart of RSA security. Here is the situation: The attacker knows, of course, e and n because they form the public key. In order to compute the secret key d, he/she has to know phi(n). And here is where the problem lies: For computing phi(n) one has to know the factorization of n into n= p * q, because phi(n) = (p-1) * (n-1) However, factoring n is very, very hard if n is large enough. That's why the RSA parameters must be chosen very looong. The longest n that has been factored (outside the intelligent community) was 768 bits. NSA et al. can probably factor larger numbers. For internet security, most people use currently n parameters of lenght 2048 bits. More information on RSA factoring at : en.wikipedia.org/wiki/RSA_numbers#RSA-768 cheers, christof
You can can encrypt a message x up to the size of the modulus n, i.e., every x < n will work. All bytes that form x are encrypted in one step. For large message, one rarely uses public key schemes. Block ciphers are much better suited. Please note that I am only showing "schoolbook RSA" here. in practice, the message has to be "padded" before encryption. You'll find a padding scheme in Section 7.7 of my book, Understanding Cryptography. regards, christof
You picked a weird case by accident. If e=11, you have to compute the inverse of e mod 20. You correctly computed d=-9. However, since we are doing mod 20 arithmetic, d= -9 = 11 mod 20. Thus, both e and d are equal to 11. YOu can easily check that this is correct since: d * e = 11 * 11 = 121 = 1 mod 20. RSA should still work for d = e = 11. regards, christof
i have a question please i'm working on an application and i want to know is it the sender who generate the public key and the receiver generate private key or the receiver will generate the both ??? thanks
sender has public key of all like Alice public key, rohan's public key, john now he wants to send to alice he selects Alice Public key and encrypts the message now Alice decrypts with her private key . private key is generated locally by each participant
The inverse can be computed using the Extended Euclidean Algorithm, it is actually the coefficient "t". See the previous Lecture (Lecture 11) for the explanation.
d is also approximately 2048 bits. e can be chosen as a short number, for instance, e = 17 is popular in practice. This allows for fast encryption (or signing, if RSA is used as digital signature). Note that e is the public key and known by everybody. Choosing e as a short number does NOT weaken RSA.
Now I get why in Italy students actually know things after getting their degrees, if we act like that (talk, etc.) while a professor explains something, we will be gently asked to not join the entire college again for the rest of our life, probably extended to our children for some generations too.
The current upvote/downvote is 666/13. Both unlucky numbers. However, I think it is more appropriate to have two prime numbers so I vote we try to hit 673/13 or 677/13 since 13 is already a prime and there is not reason to downvote it any more.
e = 3, d = 7, n = 33 , m = 4 c = m^e mod n = 4^3 mod 33 = 31 m = c^d mod n = 31^7 mod 33 = 4 (perfect m = 4) e = 3, d = 7, n = 33 , m = 125 c = m^e mod n = 125^3 mod 33 = 20 m = c^d mod n = 20^7 mod 33 = 26 (wrong, m = 125 not 26) How is that correct?
This may be a policy at German Universities. As an international student in Germany you have to pick up the German language, so he drops this German phrases once in a while, immediatley followed by the English translation. May be this is a didactic tool. Anyway, Cristof Paar is a very good teacher!
Just for clarification: It is almost exactly the opposite :) This is a 1st year course and I am "supposed" to teach in German. 95% of the students are actually from Germany. For that reason, I am repeating some of the more important facts in German, just to make sure that all of the students really understand what I'm saying :) regards, christof