He mentioned that he's doing those classes in English because of the Erasmus students in that faculty. What's more sad is that nowadays the Erasmus students care about partying and not learning useful stuff.
Dear Professor I am still not convinced by sq and mul algorithm. I agree that we can know the sequence of operations sq and mul but how ca i convince myself that now I dont need calculator.
You made a comment that the RSA parameters, d,e and n are burned into your smartcard. Why would d be burned into it? It would seem that d would be computer by the smartcard reader on the backend to verify the transaction or encryption.
Good point, I was jumping ahead a bit. On smart cards, one of the main applications of RSA is digital SIGNATURE, which is similar to RSA encryption (which is covered in this lecture) but the role of the public and private keys are swapped. In a smart card application, the reader (ATM machine or such) sends a random number to the card and asks the card to "sign" the random number. This signing takes place with the PRIVATE key "d" and n. The card then returns the signed value and the reader (again: ATM machine etc) verifies this signature using the PUBLIC key "e". This set-up has the advantage that the secret private keys are stored only on the smart card which is supposedly tamper-resistant, i.e., one can not read-out that private key. You may want to watch Lecture 18 from this series where I explain digital signatures in general and RSA signatures in particular. --- All his said: This is the reason why I said in the lecture that "d" and "n" (and sometimes also "e") are burned into the smart card. cheers.
i have been watched this lecture at 2015 (to be honest all these youtube vids) and now i am working on the same field and what a great lecture still its. a huge respect and applause for you sir.......
This may be a policy at German Universities. As an international student in Germany you have to pick up the German language, so he drops this German phrases once in a while, immediatley followed by the English translation. May be this is a didactic tool. Anyway, Cristof Paar is a very good teacher!
Just for clarification: It is almost exactly the opposite :) This is a 1st year course and I am "supposed" to teach in German. 95% of the students are actually from Germany. For that reason, I am repeating some of the more important facts in German, just to make sure that all of the students really understand what I'm saying :) regards, christof
Thats actually the first explanation i have found for this alogrithm, thanks a lot. I really dont like taking things for granted, without knowing how they are derived and most pages only state the algorithm and dont really say anthing about why its that specifiy sequence of squaring and multiplying.
Thank you for excellent video! But I have an question. When we compute a key pair whe use modulo Phi(n). But when we use the key pair to encryption or decryption we use surprisingly modulo n. This means different group of elements! How is possible it works? I suppose key d is inversion in the set Z(Phi(n)) but not in the set Z(n). Where do I mistake?
Can someone explain why Phi(n) is hard to find? If N = p * q, and Phi(n) = (p-1)(q-1), shouldn't Phi(n) be very close to N? And so brute force searching backwards from N should arrive at Phi(n)?
The probleme resides in factorisation of n. As we see, both n and Phi(n) are the multiplication's result of 2 numbers. So there is a lot of possiblities to factorise Phi(n). And with each possiblity, you have to find the best factorisation of N. You can imagine the difficulty if N is too large !!! Personnally and if we compare RSA with AES I can see that: -To decrypt a cipher text AES you have to use the brute force attack (try all possiblities of the key). And that takes more than Univers's age as Professor Paar said !! -To decrypt a cipher text RSA. you have to write n as a product of 2 prime numbers. That means you have to devide n by all prime numbers untill finding a prime number as result. That is not esay if n is too large.
Amsbrid M hmed But no, to decrypt RSA you don't have to write n as a product of 2 prime numbers. You only have to find Phi(n). That's what I'm saying. Wouldn't it be quicker to find Phi(n) (since it is "close" to N), rather than trying to factor N. Once you find Phi(n), you can compute the private key (it's the inverse of e mod phi(n)).
I see.. however let's take an example: Chosen N= 163 * 419 = 68297 So Phi(N)= 162 * 418 = 67716 I see now.. it seems with brute force attack we can guess Phi(N) and decrypt the Cipher text with the formula: X= Y^d mod Phi(N). In other hand, if this will be as simple as that. Why NSA trusts RSA ?. In addition to this, RSA Algo was a team work of 3 expert persons, they spent many years to find this algo, and all the world trusts it.
There are special algorithms, so-called primality tests, for this. They do NOT require factorization. The most popular one is probably the Miller-Rabin algorithm. Please have a look at Section 7.6.2 of our book (or Wikipedia :) regards
Watching a recent video on Prime, evidently Allison Cox created two formulas which are now used world wide to encrypt all on line transactions......... is this in fact the case? thanks
I have a doubt here...in Key generation, p and q are prime numbers and you chose phi(n) = (p-1)(q-1).. I didnt get on what basis you came to this expression. Can someone elaborate here please ?
Hi, i believe you have some severe error there.. p=3, q=11, n=33, e = 3 there seems to be more than one D.. (7,17,27) M == (M^3|33)^7|33 == (M^3|33)^17|33 == (M^3|33)^27|33 does this mean that if d is privately held by Bob, NSA with key 17 and Chinese government with key 27 can read the encoded message? :) Also note that if we would keep the e private, and would supply 7 with the message, we could create any message with other private keys 13 and 23.. (M^3|33)^7|33 == (M^13|33)^7|33 == (M^23|33)^7|33
d must satisfy the condition that e*d mod phi(N) = 1 In this case, e = 3 and phi(N) = 20 3*7 mod 20 = 21 mod 20 = 1 3*17 mod 20 = 51 mod 20 = 11 3*27 mod 20 = 81 mod 20 = 1 So while d can't be 17, it can in this case also be 27. The issue here is that the encryption key was poorly chosen. The encryption key needs to satisfy two conditions: 1. 1 < e < phi(N) 2. e must be coprime with N and phi(N) that is, gcd(N, e) and gcd(phi(N), e) are both 1. Since e = 3, it's not coprime with N (N = 33, thus gcd(33, 3) = 3), it breaks the second condition and thus compromises the security of the encryption. Paar did however excuse his choice by saying it was poor.
At 26:00 professor makes a really good point. I wrote a school paper on RSA and one of the things I was confusing the most was writing mod phi(n) instead of mod n.
Very good question. The answer is: There are *primality tests*. These do NOT factor the number in question but merely tell you whether it is a prime number or not. The easiest primality test is probably the Fermat test: en.wikipedia.org/wiki/Fermat_primality_test cheers, christof
Not sure if anyone will reply to this since the video is 3 years old but I was just curious. Is the material present in this series of lectures still applicable to whats present in 2017? I find the lectures compliment the material that I am currently learning in my current course very well but I don't want to try and put this into practice if the material is outdated. The Professor really makes the material easy to understand and I quite enjoy this series of lectures.
Good question. This is an introductory course in applied cryptography. I am quite active in the research and commercial security communities and WRT basics, surprisingly little has changed, i.e., most of the material is still very relevant. The most notable changes are that SHA-1 is slowly phased out and replaced by SHA-2 and SHA-3. I plan to put a SHA-2 lecture online at some point in the spring. What is missing in the course are some advanced topics, esp. post-quantum public key schemes. But it can be argued that they are not relevant for an intro course. Hope this helps. Cheers, christof
Great lectures by an awesome professor. I had never found a material so well balanced between mathematical depth and practical application, foundational to most real-world applications of modern cryptography. I have bought your book from Amazon, though the Kindle version because I could not wait🙂. Thanks Professor Paar!
Dear Professor, I have another question. Example1: for 31^7 mod 33 you solved it as: (-2)^7 mod 33 (where you follow that 31-33= -2 Example2: (Lecture 2) : 3^8 mod 7 you solved by 3^4.3^4 mod 7 and then 81.81mod 7 and so on.... considering this I come across another example: 26^7 mod 33 so (-7)^7 mod 33 so how to do next? should i make equivalence class of mod 33 to check good number for -7 right???
There is another way to do fast exponentiation using the binary representation of the exponent as well, and I find it easier. It simply we use the fact its binary representation is a way to indicate which powers of two when added together will yield the number, and we use the fact that multiplying the same number raised to different exponents means we add the exponents. So for the example of x^26, 26 in binary is 11010, which means we need to add 2^4 which is 16, 2^3 which is 8, and 2^1 which is 2 to get 26. So, x^26 is simply(x^16)*(x^8)*(x^4).
The inverse can be computed using the Extended Euclidean Algorithm, it is actually the coefficient "t". See the previous Lecture (Lecture 11) for the explanation.
You have to look at the definition of inverses in rings modulo n. The inverse x of a number e in such a ring is defined as: e x = 1 mod n For e=3 and n=20, the inverse turns out to be x=7. cheers, christof
The current upvote/downvote is 666/13. Both unlucky numbers. However, I think it is more appropriate to have two prime numbers so I vote we try to hit 673/13 or 677/13 since 13 is already a prime and there is not reason to downvote it any more.
Dispite of the fact that I'm 15 years old, I was able to understant everything perfectly, because of the way it was explained. Now i can start tu use RSA in my projects.
Hi Christof, I have a question regarding exercise 7.4.1. If a modular square takes 75% of the time that a modular multiplication takes and if t is the time that the multiplication takes, then for the case where e = 2^16 + 1 the time needed for the modular exponentiation would be 16*0.75 *t + t ? I ask this because I did the exercise and when trying to correct it on the internet I found that the solutions given are quite different
Enciphering HELLO WORLD using the RSA cipher, the modulus was chosen as 77, even though the magnitude of the cleartext blocks is at most 25. What problems in transmission and/or representation might this cause? This Q is killing me now....
Now I get why in Italy students actually know things after getting their degrees, if we act like that (talk, etc.) while a professor explains something, we will be gently asked to not join the entire college again for the rest of our life, probably extended to our children for some generations too.
Thanks Professor, One question from an attacker point of view I understand for a particular (n,e) there is a unique d During your lecture on RSA digital signature you have mentioned ,normally e is a small value and most of the implementations choose 3,2pow16+1 If an attacker happened to choose the same n,e which my browser is using ,will the attacker could find my private key? How it is taken care that a random " n (p,q)" ' which my browser generates will be always different from a public key generated by an attacker
i have a question please with the famous example of RSA: if p =17 and q =11 e=7 then n =187 fi(n)=160 d=23 and the plain message M=88 after encryption cipher text C=88^7 mod 187 =11 how come if we decrypt the message with the public key e=7 11^7 mod 187 = 88 (which is plain text) and private key d=23 also 11^23 mod 187 =88
11^7|187 = 11 but 11^23|187 = 11^103|187 = 11^183|187 = 88.. yes, there seems to be more keys do decrypt it.. in general M = (M^7|187)^23|187 = (M^7|187)^103|187 = (M^7|187)^183|187
Dear Professor, I try one example with following numbers: p=5,q=7,e=5,d=5. The point I want to mention here is though i chose e as 5 which is one of my prime number I admit not a good choice but my d in this case turns out to be same 5. So if my plaintext is 6 then 6^5 mod 35=6 again so i am sending ciphertext which is actually my plaintext...So can i conclude here I need to have a good choice for my e? or I should say its just a toy example of small prime numbers?
I might sound very stupid but I have a hard time understanding how did he calculate the e^(-1). Then there is the : d.e = 7.3 = 1 mod 20; but when I used online calculator to do that i got : ans = 1. Furthermore I read the comments section where Prof replied that the commenter correctly computed : d = -9. How did that happen ? There is obviously something very simple staring right at my face but I cannot see it for some reason. Any advice in what direction to look would be appreciated.
I have observed that there can be multiple values of d(private key). I am confused because I thought private key is supposed to be unique. Can somebody please explain??
That is because of the modular operation in the decryption. If the cyphertext is raised to an exponent d , and than you take mod n , the range of answers is limited to [0,n-1]. It is possible to chose another d that is larger which if you raise the cyphertext to the power of that d gives you the same result. That’s how i understand it, there’s probably also a math proof for it.
saibaba kothakapu If p and q are equal you could just take the square root of n, check to see if it's an integer, and if it is you have your factorization, ie n = sqrt(n)sqrt(n).
Great lecture. Is it correct that every x encrypted produces an unique y using e,n because x is less than n? Assume I know the type of message Alice is encrypting which is made up of just letters or numbers converted to bits. If I’m Oscar can I not work out y for each x in the full set of x using the public keys as the full set of x isn’t very big. If I store these I don’t need to use d and n to reverse any subset of x?
Yes, that works if the number of possible x (i.e. the plaintext messages) is not very large. However, in practice that attack does not work for two reasons. Mainly, in practice RSA is mostly used with "padding", which introduces randomness to the plaintext x before encryption. Please check Section 7.7 of our book www.crypto-textbook.com (or any other source) on RSA padding. Also, RSA is commonly used with 2048 bit modulus, so that there are 2^2048 possible values for x. hope that helps. cheers, christof
Thank you for your videos, Christof. You are much more 'to the point' than my lecturer and much clearer. I am using your videos as review for my finals. Again, thank you.
e = 3, d = 7, n = 33 , m = 4 c = m^e mod n = 4^3 mod 33 = 31 m = c^d mod n = 31^7 mod 33 = 4 (perfect m = 4) e = 3, d = 7, n = 33 , m = 125 c = m^e mod n = 125^3 mod 33 = 20 m = c^d mod n = 20^7 mod 33 = 26 (wrong, m = 125 not 26) How is that correct?
If it is possible to find the inverse of e given modulo phi(n) using the euclidian algorithm, why wouldn't it be possible to do the same given modulo n?
Good question, which is at the heart of RSA security. Here is the situation: The attacker knows, of course, e and n because they form the public key. In order to compute the secret key d, he/she has to know phi(n). And here is where the problem lies: For computing phi(n) one has to know the factorization of n into n= p * q, because phi(n) = (p-1) * (n-1) However, factoring n is very, very hard if n is large enough. That's why the RSA parameters must be chosen very looong. The longest n that has been factored (outside the intelligent community) was 768 bits. NSA et al. can probably factor larger numbers. For internet security, most people use currently n parameters of lenght 2048 bits. More information on RSA factoring at : en.wikipedia.org/wiki/RSA_numbers#RSA-768 cheers, christof
Brilliant lecture, thanks very much! I have a question about Squaring-and-Multiplying. What I do, basically, is square until I can't square anymore and then multiply. It appears to work: Ex.: x7 x . x = x2 x2 . x2 = x4 x4 . x4 would yield x8 and I'm looking for x7, so I multiply from now on: x4 . x2 = x6 x . x6 = x7 I tested this with values 3 and 5 for x and it seems to work. Math isn't really my strength, so if anyone could point out any errors or problems, please let me know
You picked a weird case by accident. If e=11, you have to compute the inverse of e mod 20. You correctly computed d=-9. However, since we are doing mod 20 arithmetic, d= -9 = 11 mod 20. Thus, both e and d are equal to 11. YOu can easily check that this is correct since: d * e = 11 * 11 = 121 = 1 mod 20. RSA should still work for d = e = 11. regards, christof
Great lecture, thank you. How is it that the d and e are calculated with respect to phi(n), but the encryption and decryption work with respect to modulo n? What's the mathematical connection between phi(n) and n?
The key (pun intended) is that: (x^e)^d = 1 mod n if: e d = 1 mod phi(n) In order to see this, you have to check the proof of the RSA cryptosystem. You can find it in our book but there should also be many sources on the internet. cheers, christof
@@introductiontocryptography4223 Learnmebitcoin's question along with your answer gave me a super flash of insight of a point I was always only about 90% clear on but now have it 100%.
Is that (x^e)^d=1 mod n correct or should it be (x^e)^d = x mod n. Is the original value raised to e and then that value raised to d = to the original value or have I missed something
I have a doubt. Considering the message to be encrypted is m=255, which is only 8-bits. The public key exponent, e usually has a small value like 3 or 5, whereas N would be very large (1024 bits or 2048 bits generally). Computing m^e mod N will result in m^e because both m and e are way too smaller than N. If we do this, we are just exponentiating the message by the public key exponent. Is this not a bad (insecure) encryption?
One thing that is missing is how to find the huge prime numbers p & q? Next lecture starts with Discrete logarithm. Is that skipped from lecture or is taught in later lectures?
You can can encrypt a message x up to the size of the modulus n, i.e., every x < n will work. All bytes that form x are encrypted in one step. For large message, one rarely uses public key schemes. Block ciphers are much better suited. Please note that I am only showing "schoolbook RSA" here. in practice, the message has to be "padded" before encryption. You'll find a padding scheme in Section 7.7 of my book, Understanding Cryptography. regards, christof
How could people sleep in his lecture?
He mentioned that he's doing those classes in English because of the Erasmus students in that faculty. What's more sad is that nowadays the Erasmus students care about partying and not learning useful stuff.
true and sad... 😞
Really good explanation cleared a lot of my doubts.
Great lectures ♥
Dear Professor I am still not convinced by sq and mul algorithm. I agree that we can know the sequence of operations sq and mul but how ca i convince myself that now I dont need calculator.
You made a comment that the RSA parameters, d,e and n are burned into your smartcard. Why would d be burned into it? It would seem that d would be computer by the smartcard reader on the backend to verify the transaction or encryption.
Good point, I was jumping ahead a bit. On smart cards, one of the main applications of RSA is digital SIGNATURE, which is similar to RSA encryption (which is covered in this lecture) but the role of the public and private keys are swapped. In a smart card application, the reader (ATM machine or such) sends a random number to the card and asks the card to "sign" the random number. This signing takes place with the PRIVATE key "d" and n. The card then returns the signed value and the reader (again: ATM machine etc) verifies this signature using the PUBLIC key "e". This set-up has the advantage that the secret private keys are stored only on the smart card which is supposedly tamper-resistant, i.e., one can not read-out that private key. You may want to watch Lecture 18 from this series where I explain digital signatures in general and RSA signatures in particular. --- All his said: This is the reason why I said in the lecture that "d" and "n" (and sometimes also "e") are burned into the smart card. cheers.
If I pass my exam at my university tomorrow, know that it was largely because of you, Christof. Thank you!
Did you pass?
@@kaloyanmanev He's probably doing his Ph.D. :D 5 years later
omg people slept on his class and me watching this on my spare time just cause i'm curious.
Me too ;)
i have been watched this lecture at 2015 (to be honest all these youtube vids) and now i am working on the same field and what a great lecture still its. a huge respect and applause for you sir.......
Your lectures have made it possible for me to actually enjoy learning. Thank you, Professor Paar.
learning cryptography by excellent German professor.. with cup of coffee in hand and silence of midnight .. that is the most awesome mood..
I laugh whenever he speaks in German every once in a while and I got no idea what he says.. lol
Most often he repeads the last word in german.
This may be a policy at German Universities. As an international student in Germany you have to pick up the German language, so he drops this German phrases once in a while, immediatley followed by the English translation. May be this is a didactic tool. Anyway, Cristof Paar is a very good teacher!
Just for clarification: It is almost exactly the opposite :) This is a 1st year course and I am "supposed" to teach in German. 95% of the students are actually from Germany. For that reason, I am repeating some of the more important facts in German, just to make sure that all of the students really understand what I'm saying :) regards, christof
11:45 The RSA
56:00 Fast Exponentiation
1:10:30 Square-and-Multiply Algorithm
thanks
Came for the RSA, stayed for the computation tricks!
Thats actually the first explanation i have found for this alogrithm, thanks a lot. I really dont like taking things for granted, without knowing how they are derived and most pages only state the algorithm and dont really say anthing about why its that specifiy sequence of squaring and multiplying.
16:55 2nd Chapter: RSA Algorithm
56:28 3rd Chapter: Fast Exponentiation
Thank you Professor Paar! You made the topic easy with your lot of techniques and schemes in computation. sehr gut!
Brilliant lecture. It's interesting to note that, while 'e' and 'd' are inverses in mod(phi(n)), that inverse property holds for mod(n) as well.
I was exactly looking for this, is it mentioned or proved in lecture?
Are you sure cause I followed this teachers example and didn't find it true.
m.ua-cam.com/video/oOcTVTpUsPQ/v-deo.html
Its criminal how many less view this video has....this is hands down best-detailed explanation of RSA in youtube
Thank you for excellent video! But I have an question. When we compute a key pair whe use modulo Phi(n). But when we use the key pair to encryption or decryption we use surprisingly modulo n. This means different group of elements! How is possible it works? I suppose key d is inversion in the set Z(Phi(n)) but not in the set Z(n). Where do I mistake?
Refer "understanding cryptography" book by christof paar on page 178. That should clear this doubt.
Can someone explain why Phi(n) is hard to find? If N = p * q, and Phi(n) = (p-1)(q-1), shouldn't Phi(n) be very close to N? And so brute force searching backwards from N should arrive at Phi(n)?
what is 'very close' in your mind?
Der Lukas well, close enough to be more efficient than a square root attack I guess. Close enough to be coputationally tractable to find.
The probleme resides in factorisation of n. As we see, both n and Phi(n) are the multiplication's result of 2 numbers. So there is a lot of possiblities to factorise Phi(n). And with each possiblity, you have to find the best factorisation of N. You can imagine the difficulty if N is too large !!!
Personnally and if we compare RSA with AES I can see that:
-To decrypt a cipher text AES you have to use the brute force attack (try all possiblities of the key). And that takes more than Univers's age as Professor Paar said !!
-To decrypt a cipher text RSA. you have to write n as a product of 2 prime numbers. That means you have to devide n by all prime numbers untill finding a prime number as result. That is not esay if n is too large.
Amsbrid M hmed But no, to decrypt RSA you don't have to write n as a product of 2 prime numbers. You only have to find Phi(n). That's what I'm saying. Wouldn't it be quicker to find Phi(n) (since it is "close" to N), rather than trying to factor N. Once you find Phi(n), you can compute the private key (it's the inverse of e mod phi(n)).
I see.. however let's take an example:
Chosen N= 163 * 419 = 68297
So Phi(N)= 162 * 418 = 67716
I see now.. it seems with brute force attack we can guess Phi(N) and decrypt the Cipher text with the formula: X= Y^d mod Phi(N).
In other hand, if this will be as simple as that. Why NSA trusts RSA ?. In addition to this, RSA Algo was a team work of 3 expert persons, they spent many years to find this algo, and all the world trusts it.
This is the best online class that I ever found.
These students were talking & sleeping in this class ? !
I don't know how is that possible to fall asleep in such a fantastic learning environment that prof.Paar is creating
college is for the young (and immature)
How to choose 2 random large prime number given bit length for p and q?
There are special algorithms, so-called primality tests, for this. They do NOT require factorization. The most popular one is probably the Miller-Rabin algorithm. Please have a look at Section 7.6.2 of our book (or Wikipedia :) regards
Watching a recent video on Prime, evidently Allison Cox created two formulas which are now used world wide to encrypt all on line transactions......... is this in fact the case? thanks
I have a doubt here...in Key generation, p and q are prime numbers and you chose phi(n) = (p-1)(q-1)..
I didnt get on what basis you came to this expression.
Can someone elaborate here please ?
Hi, i believe you have some severe error there..
p=3, q=11, n=33, e = 3
there seems to be more than one D.. (7,17,27)
M == (M^3|33)^7|33 == (M^3|33)^17|33 == (M^3|33)^27|33
does this mean that if d is privately held by Bob, NSA with key 17 and Chinese government with key 27 can read the encoded message? :)
Also note that if we would keep the e private, and would supply 7 with the message, we could create any message with other private keys 13 and 23..
(M^3|33)^7|33 == (M^13|33)^7|33 == (M^23|33)^7|33
d must satisfy the condition that e*d mod phi(N) = 1
In this case, e = 3 and phi(N) = 20
3*7 mod 20 = 21 mod 20 = 1
3*17 mod 20 = 51 mod 20 = 11
3*27 mod 20 = 81 mod 20 = 1
So while d can't be 17, it can in this case also be 27.
The issue here is that the encryption key was poorly chosen. The encryption key needs to satisfy two conditions:
1. 1 < e < phi(N)
2. e must be coprime with N and phi(N) that is, gcd(N, e) and gcd(phi(N), e) are both 1.
Since e = 3, it's not coprime with N (N = 33, thus gcd(33, 3) = 3), it breaks the second condition and thus compromises the security of the encryption.
Paar did however excuse his choice by saying it was poor.
44:17 It's easy to see that 64 = 31 mod 33 because 64 is 2 less than 66 (a multiple of 33). Then 33 - 2 = 31.
At 26:00 professor makes a really good point. I wrote a school paper on RSA and one of the things I was confusing the most was writing mod phi(n) instead of mod n.
this lectures I can follow. Slow and Steady, steps by steps. great. Other courses just too tough to follow,.
O
Ll
Ll
i attained nirvana when he explained the bit operation in the square and multiply method. :)
how many student in the world are passing they crypto lesson with these videos??
Intro to public-key 2:30
RSA 17:00
fast exponent 59:00
Pinned!
Thank you very much for this video series, prof. feel like i was in that classroom. lol
Now I want to learn the square and Fourier transform algorithm :D
One question, if we cannot effectively factor large numbers, how can we know p and q are primes effectively?
Very good question. The answer is: There are *primality tests*. These do NOT factor the number in question but merely tell you whether it is a prime number or not. The easiest primality test is probably the Fermat test: en.wikipedia.org/wiki/Fermat_primality_test
cheers, christof
Not sure if anyone will reply to this since the video is 3 years old but I was just curious. Is the material present in this series of lectures still applicable to whats present in 2017? I find the lectures compliment the material that I am currently learning in my current course very well but I don't want to try and put this into practice if the material is outdated.
The Professor really makes the material easy to understand and I quite enjoy this series of lectures.
Good question. This is an introductory course in applied cryptography. I am quite active in the research and commercial security communities and WRT basics, surprisingly little has changed, i.e., most of the material is still very relevant. The most notable changes are that SHA-1 is slowly phased out and replaced by SHA-2 and SHA-3. I plan to put a SHA-2 lecture online at some point in the spring. What is missing in the course are some advanced topics, esp. post-quantum public key schemes. But it can be argued that they are not relevant for an intro course. Hope this helps. Cheers, christof
Prof Parr Please add them if you can :-)
I already had youtube on ... busted I guess
Great lectures by an awesome professor. I had never found a material so well balanced between mathematical depth and practical application, foundational to most real-world applications of modern cryptography. I have bought your book from Amazon, though the Kindle version because I could not wait🙂. Thanks Professor Paar!
Dear Professor, I have another question.
Example1: for 31^7 mod 33 you solved it as:
(-2)^7 mod 33 (where you follow that 31-33= -2
Example2: (Lecture 2) : 3^8 mod 7
you solved by 3^4.3^4 mod 7 and then 81.81mod 7 and so on....
considering this I come across another example:
26^7 mod 33
so (-7)^7 mod 33 so how to do next?
should i make equivalence class of mod 33 to check good number for -7 right???
There is another way to do fast exponentiation using the binary representation of the exponent as well, and I find it easier. It simply we use the fact its binary representation is a way to indicate which powers of two when added together will yield the number, and we use the fact that multiplying the same number raised to different exponents means we add the exponents. So for the example of x^26, 26 in binary is 11010, which means we need to add 2^4 which is 16, 2^3 which is 8, and 2^1 which is 2 to get 26. So, x^26 is simply(x^16)*(x^8)*(x^4).
Can anyone help how did Professor get d=e^-1=7 mod 20!! RSA first example
The inverse can be computed using the Extended Euclidean Algorithm, it is actually the coefficient "t". See the previous Lecture (Lecture 11) for the explanation.
Thanks! It's a pity that my alma mater RWTH Aachen uses UA-cam just for PR and the lectures filmed by Video AG are available for (ex-)students only.
41:43 There is a point I don't understand: "d is the inverse of 3"(or e for that matter), how can that be? How can a constant have an inverse?
You have to look at the definition of inverses in rings modulo n. The inverse x of a number e in such a ring is defined as:
e x = 1 mod n
For e=3 and n=20, the inverse turns out to be x=7.
cheers, christof
Very Very boring and unnecessarily long
The current upvote/downvote is 666/13. Both unlucky numbers. However, I think it is more appropriate to have two prime numbers so I vote we try to hit 673/13 or 677/13 since 13 is already a prime and there is not reason to downvote it any more.
Sir, why did you choose e as like that....gcd ( e, phi(n) ) =1....and what happens to this cryptosystem when we choose e such that gcd(e,n) = 1
Dispite of the fact that I'm 15 years old, I was able to understant everything perfectly, because of the way it was explained. Now i can start tu use RSA in my projects.
Hi Christof, I have a question regarding exercise 7.4.1. If a modular square takes 75% of the time that a modular multiplication takes and if t is the time that the multiplication takes, then for the case where e = 2^16 + 1 the time needed for the modular exponentiation would be 16*0.75 *t + t ? I ask this because I did the exercise and when trying to correct it on the internet I found that the solutions given are quite different
Enciphering HELLO WORLD using the RSA cipher, the modulus was chosen as 77, even though the magnitude of the cleartext blocks is at most 25. What problems in transmission and/or representation might this cause? This Q is killing me now....
Now I get why in Italy students actually know things after getting their degrees, if we act like that (talk, etc.) while a professor explains something, we will be gently asked to not join the entire college again for the rest of our life, probably extended to our children for some generations too.
at 41:50 can anyone help me how he got e^-1 = 7 ? I thought 3^-1 would be 1/3
Please have a look at video #2 of this series, where I introduce modulo arithmetic, including how to deal with the inverse of a number. Good luck.
got top score for midterm and final exam! Thank you Professor Paar!
It is a fun to learn “fast exponent - multiply and square”
"In practice we're not doing x to the 4th, we're doing x to the really bad"
Thanks Professor,
One question from an attacker point of view
I understand for a particular (n,e) there is a unique d
During your lecture on RSA digital signature you have mentioned ,normally e is a small value and most of the implementations choose 3,2pow16+1
If an attacker happened to choose the same n,e which my browser is using ,will the attacker could find my private key?
How it is taken care that a random " n (p,q)" ' which my browser generates will be always different from a public key generated by an attacker
Lol 2007 Steve Jobs at 54:07
Fantastic lectures professor Paar! I wish I had you as my cryptography professor at university.
Can someone please fire my lecturer and put professor Paar in his place? 😭
i have a question please with the famous example of RSA:
if p =17 and q =11 e=7 then n =187 fi(n)=160 d=23
and the plain message M=88
after encryption cipher text C=88^7 mod 187 =11
how come if we decrypt the message with the public key e=7
11^7 mod 187 = 88 (which is plain text)
and private key d=23 also
11^23 mod 187 =88
11^7|187 = 11
but 11^23|187 = 11^103|187 = 11^183|187 = 88..
yes, there seems to be more keys do decrypt it..
in general M = (M^7|187)^23|187 = (M^7|187)^103|187 = (M^7|187)^183|187
".. it is not Square and Fourier Transform .."
Prof. Dr. Christof Paar
The best so far!
I didn't know that in binary 1x0=1 at 1:26:25 on the video
Dear Professor, I try one example with following numbers: p=5,q=7,e=5,d=5. The point I want to mention here is though i chose e as 5 which is one of my prime number I admit not a good choice but my d in this case turns out to be same 5. So if my plaintext is 6 then 6^5 mod 35=6 again so i am sending ciphertext which is actually my plaintext...So can i conclude here I need to have a good choice for my e? or I should say its just a toy example of small prime numbers?
Is e*d == 25 == 1 mod phi (n)?
36:00 security
Great class professor Paar. It helped me a lot.
I might sound very stupid but I have a hard time understanding how did he calculate the e^(-1). Then there is the : d.e = 7.3 = 1 mod 20; but when I used online calculator to do that i got : ans = 1. Furthermore I read the comments section where Prof replied that the commenter correctly computed : d = -9. How did that happen ? There is obviously something very simple staring right at my face but I cannot see it for some reason. Any advice in what direction to look would be appreciated.
I got the answer actually going back to the video i saw extended euclidean algorithm and i understood
I have observed that there can be multiple values of d(private key). I am confused because I thought private key is supposed to be unique. Can somebody please explain??
That is because of the modular operation in the decryption. If the cyphertext is raised to an exponent d , and than you take mod n , the range of answers is limited to [0,n-1]. It is possible to chose another d that is larger which if you raise the cyphertext to the power of that d gives you the same result. That’s how i understand it, there’s probably also a math proof for it.
this is so cool
I have one small doubt.
In RSA cryptosystem why we have to take two distinct primes p and q only ? Why can't we take same prime twice?
saibaba kothakapu If p and q are equal you could just take the square root of n, check to see if it's an integer, and if it is you have your factorization, ie n = sqrt(n)sqrt(n).
Great lecture. Is it correct that every x encrypted produces an unique y using e,n because x is less than n? Assume I know the type of message Alice is encrypting which is made up of just letters or numbers converted to bits. If I’m Oscar can I not work out y for each x in the full set of x using the public keys as the full set of x isn’t very big. If I store these I don’t need to use d and n to reverse any subset of x?
Yes, that works if the number of possible x (i.e. the plaintext messages) is not very large. However, in practice that attack does not work for two reasons. Mainly, in practice RSA is mostly used with "padding", which introduces randomness to the plaintext x before encryption. Please check Section 7.7 of our book www.crypto-textbook.com (or any other source) on RSA padding.
Also, RSA is commonly used with 2048 bit modulus, so that there are 2^2048 possible values for x. hope that helps. cheers, christof
Thank you for your videos, Christof. You are much more 'to the point' than my lecturer and much clearer. I am using your videos as review for my finals. Again, thank you.
I have never been so awake in my life ఠ_ఠ
How can I learn more about the Chinese Remainder Theorem? From whatever I googled, I could not comprehend it somehow.
MITOPENCOURSEWARES
MATH computer science
LEGENDARY!
e = 3, d = 7, n = 33 , m = 4
c = m^e mod n = 4^3 mod 33 = 31
m = c^d mod n = 31^7 mod 33 = 4 (perfect m = 4)
e = 3, d = 7, n = 33 , m = 125
c = m^e mod n = 125^3 mod 33 = 20
m = c^d mod n = 20^7 mod 33 = 26 (wrong, m = 125 not 26)
How is that correct?
you are working in modular field ( mod 33), so yes 125 is equal to 26
125 = 3*33 + 26
el famosa elite du rsa
Nice lecture
yang karena tugas dosen, mari merapat
If it is possible to find the inverse of e given modulo phi(n) using the euclidian algorithm, why wouldn't it be possible to do the same given modulo n?
Good question, which is at the heart of RSA security. Here is the situation: The attacker knows, of course, e and n because they form the public key. In order to compute the secret key d, he/she has to know phi(n). And here is where the problem lies: For computing phi(n) one has to know the factorization of n into n= p * q, because
phi(n) = (p-1) * (n-1)
However, factoring n is very, very hard if n is large enough. That's why the RSA parameters must be chosen very looong.
The longest n that has been factored (outside the intelligent community) was 768 bits. NSA et al. can probably factor larger numbers. For internet security, most people use currently n parameters of lenght 2048 bits. More information on RSA factoring at : en.wikipedia.org/wiki/RSA_numbers#RSA-768
cheers, christof
5:40 flashbang
Thank you for these lectures !
Brilliant lecture, thanks very much! I have a question about Squaring-and-Multiplying. What I do, basically, is square until I can't square anymore and then multiply. It appears to work:
Ex.: x7
x . x = x2
x2 . x2 = x4
x4 . x4 would yield x8 and I'm looking for x7, so I multiply from now on:
x4 . x2 = x6
x . x6 = x7
I tested this with values 3 and 5 for x and it seems to work. Math isn't really my strength, so if anyone could point out any errors or problems, please let me know
You can do that but as the exponent grows larger your method will become very slow. I would recommend to stick with the SAM algorithm:)
@@introductiontocryptography4223 I see, I'll be sure to stick to SAM. Thanks for your reply, Professor :)
On step 4 i choose 11 and get for d -9; then x^-9 will give a very small value that does not work mod n
Where did i go wrong ?
You picked a weird case by accident. If e=11, you have to compute the inverse of e mod 20. You correctly computed d=-9. However, since we are doing mod 20 arithmetic, d= -9 = 11 mod 20. Thus, both e and d are equal to 11. YOu can easily check that this is correct since: d * e = 11 * 11 = 121 = 1 mod 20. RSA should still work for d = e = 11. regards, christof
Why message x should be less than n ?
Could I get to know, the lecture which covers the topics chinese reminder theorem is missig or it uploades in any other classes?
Sorry, I don't have a lecture with the CRT.
Is he saying "silence" at 42.35? Do professors do that?
"Over there on the cheap seats! Yes you! Silence!"
Very helpful, thank you
How do you know that ℤn -> ℤn defined by x -> xᵉ will always be a bijection?
I think I have worked out the answer now. Any mapping that has an inverse must be a bijection.
Great lecture, thank you. How is it that the d and e are calculated with respect to phi(n), but the encryption and decryption work with respect to modulo n? What's the mathematical connection between phi(n) and n?
The key (pun intended) is that:
(x^e)^d = 1 mod n
if:
e d = 1 mod phi(n)
In order to see this, you have to check the proof of the RSA cryptosystem. You can find it in our book but there should also be many sources on the internet. cheers, christof
Thank you Christof, and thank you again for your excellent lectures.@@introductiontocryptography4223
@@introductiontocryptography4223 Learnmebitcoin's question along with your answer gave me a super flash of insight of a point I was always only about 90% clear on but now have it 100%.
Is that (x^e)^d=1 mod n correct or should it be (x^e)^d = x mod n. Is the original value raised to e and then that value raised to d = to the original value or have I missed something
Thanks for putting this up
Truly mindblowing. Thanks for the great lectures.
This Prof is very good.
@23:50 doesn't every e from { 1,2 .. Phi(n)-1) has a GCD of 1 ?
Oops .. got it
Excellent video sir.
I have a doubt. Considering the message to be encrypted is m=255, which is only 8-bits. The public key exponent, e usually has a small value like 3 or 5, whereas N would be very large (1024 bits or 2048 bits generally). Computing m^e mod N will result in m^e because both m and e are way too smaller than N. If we do this, we are just exponentiating the message by the public key exponent. Is this not a bad (insecure) encryption?
I guess you won't get m^e even if e is small your m is 255 bit long
my m is 8 bits long, the value of m is 255. Read my original comment again.
24:05 , the professor suggests to get p and q large primes.
Choose p,q ∈ {3,5} for the examples not for a real application.
You are awesome Prof..Thank you for sharing this ..
One thing that is missing is how to find the huge prime numbers p & q? Next lecture starts with Discrete logarithm. Is that skipped from lecture or is taught in later lectures?
Sorry, I am not teaching this in the lecture. Algorithms for prime-finding are included in the texbook, however, in Chapter 5. Regards, christof
Introduction to Cryptography by Christof Paar
Thanks!
Prof. Paar, how is the maximum size of the message to be encrypted by RSA? are bytes encrypted one by one?
You can can encrypt a message x up to the size of the modulus n, i.e., every x < n will work. All bytes that form x are encrypted in one step. For large message, one rarely uses public key schemes. Block ciphers are much better suited.
Please note that I am only showing "schoolbook RSA" here. in practice, the message has to be "padded" before encryption. You'll find a padding scheme in Section 7.7 of my book, Understanding Cryptography.
regards, christof
Thank you
40:00
At 1:08:03, Why does x^2^1023 * x^2^1023 = x^2^1024?
Thank you professor for a great lecture.