I can't believe that there are students who are sleeping / not paying attention in this class. I'm watching the video at midnight and I'm having my eyes wide open marvelling at the simple way in which Prof. Paar explains step-by-step some of the most cryptic (literally) stuff!
*Topics* 1. Stream Ciphers 0:15 2. Random Numbers a) RNG (Random Number Generator) 37:10 b) PRNG (Pseudo Random Number Generator) 44:00 c)CPRNG (Cryptographicly Secure Pseudo Random Number Generator) 51:30 3. One Time Pad 1:00:30 4. LCG (Linear Congruent Generator) PRNG 1:15:15
First time listening Professor Christoff Paar on Cryptography. Very nice lectures Great pace and way of teaching Stay blessed Professor Dr Zaheer Center for Mathematical Sciences Pakistan Istitute of Engineering and Applied Sciences Islamabad Pakistan
Mr. Paar, where did you learn everything you know? You are a highly intelligent individual, anyone can tell just based off how you teach. I'm only 15 and I'm understanding what you are teaching, you really know what you are talking about and that is shown in the way you break down these ciphers and explain them in detail.
Firstly, this lecture series is great. Super clear and concise. The slides on the website are also very helpful. Secondly, at 28:00... since we're encoding/decoding 7 (or 8) bits at a time, isn't the stream-cipher just a very small block-cipher? The "block" in this case being a single byte?
Dear Professor Paar, when I was watching your explanation on the OTP, I suddenly wondered if this is how the ancient Chinese encrypted their messages. We Chinese use characters, and the most commonly used ones are of a whopping number between 3000-5000. During war times, for secret message exchange, people write a seemingly normal message, but you need a sort of mechanism to see the original message. It's a message in a message.
Dear professor Paar, thank you for sharing. I would like to know if it is correct to say, at the beginning of the last exercise (1:22:45), that the system (attacked by Oscar) can be solved due to the Rouché-Capelli theorem. Thank you
Regarding OTP... store random mouse moves collected in an array up to the size needed to encrypt the message, each time you need a new random number array, easy. Encrypt the message one to one with the random array and you only need a random array as large as your message, so message x 2 is the final size. Embed the encrypted message in a picture using steganography. First send the key embedded in a picture with an RSA encoded password (known to the recipient). Then send the picture with an embedded encrypted message. Works better if the message is also embedded into text (ie: ipsum lorem) that will fill the whole picture, so that changed bits in the picture don't stand out. Already wrote this program, handling LF's was a problem but sorted now. A 520x520 bit picture will hold about 72k of characters.
Entanglement offers an interesting way to pass data encryption keys. Assuming entanglement systems are difficult and expensive it may not be practical to transmit data this way but the secure key is a smaller data set.
During the Cold War and even now One-Time Pad messages are sent to agents via clandestine shortwave radio stations known as Numbers Stations. These stations would read out the encrypted messages usually as strings of 5 digit numbers and the agent who is meant to receive one copies the numbers down and then decodes them with the OTP given. Most of these Numbers Messages cannot ever be decrypted because most agencies were very careful with not re-using keys. But eventually they ran low on resources and had to recycle whole keys and parts of keys etc. If you ever reuse a key for two different messages, then cracking both of them is child's play. Now if you reuse the same key for the same message sent with that same key then it does not matter because the numbers would be identical and you are nowhere closer to cracking it then you were when you first intercepted it.
today radio transmissions are sent in coded packets one each packet is sent on a different channel (AM or FM frequency) deciphering the header of the packet identifies the next channel. Oscar has to be in real time to even capture the data beyond a single packet. To make it more interesting trojans are also sent on other channels to create a noise level that masks the real message. Channel sequences are chosen from an OPT and cover a very broad RF spectrum.
Great lecture and I envy those students out there for having a lecturer as such. The lecturer we have in our university in Holland is nowhere near this lecturer, sadly of course.
@@gaganaggarwal7981 Well, if it is a bit stream, then I suppose the system is mod 2, because bits only have two values: 0 and 1. That was the presumption during this whole lecture, if I'm correct?
@@HeikkiKetoharju if you look at the wiki ( en.wikipedia.org/wiki/Linear_congruential_generator ) the m values are much different, though the set is small enough that you should be able to iterate over all of them. That being said, if you xor full bytes, then you're likely to discard the higher bits of the LCG output. I wonder how much more work it is to break it in such case.
Surely the LCG is even worse for cryptography: we showed that Oscar can break it by knowing (x1,x2,x3). Even if they didn't know those values, there are only 8 possibilities so he can find 8 pairs of (A,B), exactly 1 of which is the solution. Trying them out against the rest of the ciphertext narrows down the possibilities even more. Knowing a linear generator is weak, my first impression would be to go to higher order polynomials (perhaps I'm anticipating future lectures here) -- from trying it out, solving systems of polynomial equations in n unknowns is a hard task.
Great Lecture Sir ...Few Doubts as Below :- 1)How Do we Get Seed Value.... 2) How Does a PRNG Developed. 3) How Do We Get The K Value Mentioned in 1.20 ....
+Cosmic D I hope the following helps: 1.) The seed often comes from a true random number generator. Many modern digital systems have access to some source of randomness. 2.) not sorry what you mean, sorry. 3.) This is the KEY. It must be somehow established between the two communicating parties.There are various ways of doing this in practice, i.e., using some key establishment protocol. regards, christof
+Introduction to Cryptography by Christof Paar Thanks For the same .....Sorry To say..but I could not understand deeply about anything regarding my doubts/....Could u pls Let me know some topic which can make this Clear....
Hello Prof Parr Again thank you for the best crypto course on the web. I have a question with relation to this video. The OTP as referred to as a perfect cipher (unbreakable) however that is not my particular understanding. As I understand this and I could be wrong is that the OTP is perfect only in the following sense. For a cipher text only attack the probability of decrypting the message is exactly the same if you have or don't the ciphertext. In other words even if you have infinite computing power having the cipher text doesn't help to decrypt the message since the message space and key space are of equal (at least) or greater size (key space) every possible decryption of the message with every possible key yields a potentially valid decryption and there is no way to differentiate what the original message if is an attacker has the cipher text. It doesn't help. This only holds true for ciphertext only attacks. In other ways the OTP is actually a weak cipher. Any thoughts on this would be greatly appreciated Thank you Steve
Dear Professor Paar, one thing is confusing me a lot that is understood than Random numbers generate by the sender applying any of define methods and one of them is CPRNG which is infeasible for anyone to generate same pattern. My question is that how receiver computes the same pattern using CPRNG or any other method for deciphering received message? What I understood is that both sender and receiver share pattern function for CPRNG using any other secure channel.
Sehr gut! Very good lecture of my favorite cryptography topic! Most of the stuff lectured here I already knew, but I learned a few additional things here, such as that XOR is actually Modulo 2 (Mod2). I never realised that. I'm continuously developing my own XOR stream/block ciphers for years now. Strong OTPs can be generated by TRNGs and CSRNGs with high randomness factor on the bits. That's the best way imo. PRNGs are deterministic and crap for encryption purposes indeed, because once an attacker knows the seed he can regenerate the whole sequence of random keybits.
Hm, the definition of a PRNG as shown does not fix a pattern where only the seed depends on the secret key. The key could also be an input to later PRNG rounds. The LCG shown in particular proved problematic because a property of the assumption was that there are more plaintext bits known than the amount of unknown variables in the PRNG function.
Wonderful job professor, i think that people like you allow students to progress. Congratulations. Now, i have a short question. In your book that is amazing in otp you put 3 requirements but now in your explanation you omitted the second one which say the key stream is only known to the legitimate communicating parties. I think that i will get erasmus from Valencia (Spain) just for being in your classes ajjjjajaa. THx
At Timestamp 1:11:12 you asked us how big the key is in the example for a 400 MB movie. I'm not sure I follow how you arrived at 3.2 GBs for the encrypted file. I do understand that any key in a OTP is going to be as big if not bigger than the original message.
You are right. I just tried to convert from MByte to MBit, and multiplied the 400MByte by 8 :) I find counting the bits more instructive since the OTB is bit-oriented
In 1:24:20 Oscar finds/intercepts x1, x2 and x3. You say: he(Oscar) also computes S1, S2 and S3? How can he compute them without the key? Isn't he intercepting s1, s2, s3 also? Thanks for interesting lectures!
No, he is not intercepting the s_i (they cannot be intercepted, they are internal values computed by Alice). He only sees the y_i's on the channel. But if Oscar also knows some x_i, computing the corresponding s_i is trivial since y_i = x_i + s_i mod m and thus: s_i = y_i - x_i mod m The question is what the other s_i's are that he does not know already. They can be computed via s_j = A s_j-1 + B mod m *but* Oscar needs to know A and B for this. -- And that's the point of my exercise after 1:24:20 :) hope this helps, regards, christof
@@introductiontocryptography4223 I still have a question about how to compute S1, S2, S3. y_i = x_i + s_i mod 2 (where y_i is encrypted bitwise by x_i and s_i. This is the first equation in page 40 of the book). But latter, s_i is computed as s_i = y_i + x_i mod m, i = 1,2,...300 (which is the second equation in page 40). could you explain why the computation changes from mod 2 to mod m?
If the entire key is truly random, decimal adding (adding with carry bits) will work too. However, bitwise XOR makes many things easier: It is faster, one can encrypt individual bits independently of its neighbouring bit and the security argument is easier: By intution, if an attacker sees (e.g.,) a 0 on the channel and the key bit is truly random, there is exactly a 50% chance that the plaintext bit was 0 or 1.
Professor Christof Paar, I don't understand why 1 + 1mod2 equals to 0 and not 2? 1mod2 equals to 1 if I'm not mistaken, hence 1 + 1 = 2. What am I missing at 19:39?
Can you generate a random "Key Stream" then swap the keys by using Diffie-Hellman and do a new key every hour over the cell infrastructure?? Feasible or not?
+mchenoboe Exactly. The big question is: What are good CPRNGs? In practice, CPRNGs are simply strong stream ciphers. If you go to the eSTREAM web site you'll find recommendation for secure stream ciphers. (Unfortunately) I do not say much about strong stream ciphers in these lectures. Regards, christof
I'm confused because at the end of the lecture you present a stream cipher schematic that uses PRNGs and you say this is how all practical stream ciphers work. Then you continue about the LCG and conclude that this is a bad way of doing stream ciphers. What am I missing?
Hello Prof..Thanks for the amazing lecture series.. I had couple of questions on OTP.. 1. Even though the key size would be "huge" in case of OTP but theoretically with infinite computational resources, it would still be possible to break it [ 2^3.2G computers can do it in 1 step]. 2. Further, if the message size is really small (16 bytes), wouldn't OTP be a weak algo in that case ?
Good point. This is a (well-known) paradox of the OTP. You are absolutely right, if the message size is small, one can of course try all possible OTP keys. The point here is, however, that you will NOT be able to tell when you have found the correct key UNLESS you know the plaintext already. Very good observation, though. hope this helps, christof
+Introduction to Cryptography by Christof Paar ..Thanks Prof for the response.. If I got you right, decryption would produce just a stream of bits and hence one could never tell if it were the right key (unless the original plain text was a meaningful english sentence/paragraph for which u don't need to actually KNOW the plain text)
Almost correct: Let's assum the plaintext were a 6-letter ASCII string, e.g., ATTACK. If the adversary performs an exhaustive key search he would generate "ATTACK". But he would also generate "attack" and "SECRET" and "peace!" and "turkey" and "pay50$". Thus, unless he knows a priory what the plaintext is, he will not know what the correct one is.
Introduction to Cryptography by Christof Paar Yeah..that's quite possible given the richness of a language :).. However, I feel probability of this collision would reduce as the input text becomes longer.. Thanks again Prof...
The keyspace grows, with the length of the message, it's always as big as the space of possible messages. For Exampe: If you have ciphertext of 100 bits lenght, there are 2^100 possible chiphertexts. The key is an equaly long string of random bits, so there are 2^100 keys, and every key leads to a different Plaintext. That means you can get any Plaintext of equal lenght. And because the key is truly random, all the plaintexts are equaly likely.
Nice lecture...as always. One question, though. If S, A and B are strings of bits then why is this still called a 'stream' cipher? Why not a simple block cipher? Thank you.
Hi Professor, i love security so find your videos a great way to go above curriculum and prepare for a undergrad in computer science. I was thinking isn't it possible to change the key values after each byte is encrypted with a LCG. This way any attacker knowing the first few bits would find it very difficult to get anywhere into the data. My idea is similar to some public key encryption. Using some trap door function to generate a new key (A,B). The idea uses an elliptical curve on both PRNGs that will compute a new key. If point (A,B) is x, it will compute x^m (mod m). This new point will be the corresponding A and B values for the next 8 bit Si values. For the next 8 bits, it would compute x^m+1 (mod m) and so on. This way knowing A and B from the first byte will not allow you to obtain the next A,B key without knowing the equation or having some prior idea of what the message is. The simultaneous attack breaks down if you get s8 and s9 as the A B values will be different. Is this a practical solution?
40:49 did he mean to say chaotic natural processes (I think there are random natural processes on the quantum scale but I'm not sure. I know more classical)
Dear Prof, Please which university are you lecturing at Germany university, Please i want contact you directly on Information Security(Data & Cryptography)
Hi Professor I'd like to know that if we can get authentication through only nonce in a protocol? for example A------->B: N(a) B-------->A: {N(a),N(b)} K(ab) Do we have mutual authentication ? Thanks
Assuming Alice and Bob share the same key that is only known to them, Alice knows after decryption of the message that the message originated from Bob. N(b) is currently not used in your protocol. regards, christof
Also, could you please help me understand why we wrote 2 ^31 because we haven't talked about 31. I understand mod 2 is because there are only 2 digits - 0,1 in the set. But not sure about why to the power 31.
This (admittedly strange looking) number is simply part of the standard of the ANSI C programming language. The number is being used in the standardized function rand().
The short answer: See above, reduction modulo 2^31 is also specified in ANSI C for the rand() function. There is a very good reason behind it: computing mod 2^31 is very easy on a computer -- one simply takes the 31 least significant bits of the operand. In particular, one does not have to perform a division for computing 2^31. cheers
Please visit the companion website of our textbook www.cryptotextbook.com and click Online Courses -> Videos. You'll find a comprehensive problem set for each video. The solution to the odd-numbered problems are also on the website. Cheers, christof
Couldn't you brute force the OTP keystream bits? At the end of the day is either 1 or 0 and 100 bits would be 2^100 possibilities, why cant you try everyone and see which plaintext makes sense,
Good question. Brute-forcing an OTP is almost a paradox, as it seems to be feasible. But the answer in short is: no, it does not work. The problem is as follows: In order to do a brute-force attack, you need to know when you actually found the correct key. This is only possible with the OTP if you KNOW the plaintext that you are looking for already. But if you know the plaintext anyway, you do not need to brute-force the OTP-encrypted ciphertext. Here is an example. Assume a plaintext consisting of 4 ASCII letters, i.e., 32 bits. Brute-force takes, thus, 2^32 steps. This is easy and takes a few seconds on a laptop. Assume the plaintext that was encrypted is "sell". You'll certainly find "sell" but also "sold", "dive", "duck", "2qfu" (and all your favorite 4-letter swearing words too :) You will not be able to do distinguish "sell" from all the other decrypted texts that you produce. Hope this helps.
professor I have one question about LCG we can compute A and B values by A = (s2-s3)(s1-s2)^-1 mod m B = s2 - s1(s2-s3)(s1-s2)^-1 mod m but what if the case where there does not exist a (s1-s2)^-1 in modulo m?
1:00:00 ish I don't see how OTP meets the definition for "unconditionally secure" any finite stream. For his 400MB file has a key space of 2^3200000 right, so given " infinite resources " you could guess the key and decipher. Am I missing something? Or is he wrong? Sorry I'm a mathematician, I take definitions seriously.
Good point. That's almost a paradox of the OTP: It seems one could brute-force a (finite) OTP. If you use short messages, say 8 bit, that would be even trivial. BUT: To stay with the 8 bit example, you would get 256 answers, but you will not know which one of those is the correct one. You will only be able to distinguish the correct one from all the others if you already know the plaintext anyway. Same goes with a 400MB message.
@@introductiontocryptography4223 Thank you sir for your reply. I have a B.S. in Theoretical Mathematics but my Computer Science is mostly self taught. I definitely have some thinking to do. (It still seems, after the message is sent, Oscar has the Cypher text and knows the key space -> Oscar does have the plaintext byte, I guess the problem is he also has 255 garbage bytes........so, it seems to me we have to make one further assumption to meet the definition: that is, Oscar does not know what he's looking for (i.e. if he was after a char he can narrow it down to ........ every char ....... nm. I think I'm starting to get it. I have a lot of thinking to do. It's clearly secure, after 60ish bytes your going to need some quantum or alien help, it just seems like a true Turing machine would know more and more as the conversation progresses. ...... OK I'm going to leave the thinking in my head lol. Again, thank you for validating my question was at least worthy if consideration, I would love to have a conversation with you someday; but I have a lot to learn over many years before I would have anything significant to add (computer science wise, if you want to talk about classical physics, organic chemistry, or mathematics, I'm down!)
OK I think I get it.......no I don't nm, wait yes I do! "Unconditionally secure" does not mean "unhackable." Given an infinite number of infinitely fast Turing Machines, more and more of the garbage text will be recognizable as garbage. Eventually Oscar could narrow it down more and more (again hypothetically, with more resources than physics would probably allow) and if Alice and Bob talk enough, Oscar will know the conversation *but he will not know the next bit the sent, because he doesn't know that bits key bit and that is the definition* Cool, good lectures man. Thank you for inspiring me to think more about it.
Forget my last comment, even if Oscar can narrow down more and more garbage text, he also gains every possible plausible text. So I think I was wrong when I said "Unconditionally secure != unhackable" Now I think I get it. *think, never sure*
finishing up the explanation of stream ciphers for cell phone communications he states the exiting encryption flips the 0 to a 1 and then the receiving decryption flips the 1 back to a 0. According to the XOR Gate, this should only happen in ~50% of the bits where the other 50% are flipped once and then unchanged at the receiving end.. I'm very confused by this because he makes it a point to state it several times and asks us to pay attention, then goes and states that it is flipped at both ends. Did he make a mistake or am I just not getting it? Nobody in the comments has even mentioned this so I must be an idiot because I'm not getting it.
Sorry if I was not totally clear in the lecture: A plaintext bit is either flipped during encryption (s_i bit = 1) or not (s_i bit = 0). If it is flipped during encryption it is also flipped (ie. "flipped back" to its original state) during the decryption, which happens upon receiving the cipher text. .
@@introductiontocryptography4223 Thank you. These are great lectures on the topic. Best I've been able to find, honestly. I thank you for taking the time to respond as well. It's greatly appreciated.
Rosenberg, not Rosental! A married couple who was spying for the Soviets. In the east block countries it was of course denied. in Budapest there was (is) a street, named atfer them: Rosenberg hàzaspàr utca. In German: Rosenberg ehepaar strasse In English: Rosenberg couple street.
Professor paar, At 13:45, the equation doesn't seem correct. Xi+Si+(Si*mod2)= Xi+2Si*mod2, doesn't make sense Si and Si*mod2 are not the same how can you add them together to make 2Si*mod2 ?
So that means we are not able to recover the original bits in stream cipher as the original one was Xi and after encryption and decryption we get Xi*mod2.
