I love the structure of this class. It is very important to stop and wonder every now and then why we learn certain things and where is their place in the big picture. I am in a cryptography class (grad student) and this series helps me put all the pieces together. Great professor.
I am doing my masters in computer science 'information security' , thank god i find your video on DES ... it is really awesome....and fun learning to. And yes it does help when u say wake up!....:P...thank u once again..:)
Thank you very much professor for this lecture series. I was already loosing hope to pass my Introduction to Cryptography lecture, as I barely managed to complete the exercise sheets, due to not being able to follow the lecture or understand our script, but thanks to your lecture videos and textbook they have become doable again. Many thanks!
No, COPACOBANA is from the pre-GPU era :) It is essentially a bunch of FPGA (= progammable hardware devices). Some ciphers, especially DES, are very hardware friendly. On FPGAs, one achieves really high encryption rates for such ciphers. However, there are many instances where modern GPUs are better suited for code breaking, especially for public-key algorithms. regards, christof
so far, I found problems with video 1 and this lecture, I watched the video at your website its OK, but here at UA-cam I think because of maybe some youtube modification, the video is like being in rollercoaster
The interpretation of the Feistel round as a stream cipher to understand how the decryption works was really enlightening, also how the other elements work. Rather than being artistic, this seems well thought out.
Professor Paar, Thanks for your great lecture, during the explanation of decryption, it's important to make Key16, be the same as K1 decrytion, so is that mean in the decryption steps, We routes the key scheduling hardware wire in reversal order of the encryption hardware ?
Thank you Professor for such an interesting and informative lecture. I have a question re the key schedule in the decryption process. Shall I assume that the algorythm generating the keys is reversed too as opposite to the one used during the encryption? i.e. an inverse permutation followed by two 1- or 2-bit right shifts? Thank you in advance. Mauro
basically: yes :) The decryption key schedule generates the subkeys in the reverse order, i.e., it computes k16 first, then k15, ... and finally k1. The permutation PC1 and PC2 are the same in the encryption and decryption key schedule. The only thing that has to change are the shifts: one has to replace the left shifts with right shifts. One has to watch out in which rounds there is a shift by 1 position and in which there is a 2-position shift. (Remark: Note that the shifts are really rotates.) cheers
I really enjoyed this set of lectures so far and Prof. Paar is a very enthusiastic teacher with great teaching abilities. However, the only annoying thing that happens sometimes during these videos is that some of them look kinda skewed and distorted if the camera moves. I wish this could be fixed. Nonetheless, this does not degrade the reach knowledge that can be learned through these series. I hope we could see more topics by Prof. Paar. I am particularly interested in topics such as Homomorphic Encryption. It will be great to see a lecture by you on that (of course in English ;-)
a question for fellow cryptographers out there, key scheduling is only done once in ECB mode. the same key is used in that mode for each round. Can someone tell me which modes of operation require key scheduling to a point where a different key is used for each round? and in reverse order for each round for decryption? im talking with respects to CBC and CTR mode. do they both use different keys for each rounds? or the same key like ECB?
Sir , as u have explained below that IP and IP^-1 cancel out effect of each other which i think should mean L0(d) == L16(e)... can u please explain where i m going wrong...
This is the 6th lecture I've watched so far and I enjoyed all of them! Very great! However, the entire series of lectures and semester took place in 2010-2011. This was before Edward Snowden's revelations in 2013 about NSA's global espionage, so the Professor may have not known the full story and told his students only what he has been told at that time, on why the NSA and their contractor IBM have not told anyone about the DES attack vulnerability (S-Box configuration). But cypherpunks and german crypto developers like me have a different opinion or theory today... It is more likely that NSA wanted to build in a backdoor in DES on purpose in the first place, in order to be able to break in and spy on any company, bank or targeted individual who used the popular DES cipher algorithm over the last 20-30 years. Just take a look at "Heartbleed" vulnerability in SSL online encryption which was revealed this year! The NSA knew about it, didn't tell anyone and exploited it for years! This may all sound like a conspiracy theory, but seriously, today everyone knows that the U.S. government and NSA do all these surveillance and espionage operations on the internet, especially against us Germans, even if they deny it. Edward Snowden revealed it himself, so nobody will argue about that today. It's not a conspiracy theory any longer but a conspiracy fact. But alright, let's assume the story was like the Professor said, that the NSA kept the vulnerability secret in order to be safe from attacks, which I find a bit sloppy for a "National Security Agency" with a budget of billions of dollars! You think the NSA would be so stupid and let IBM develop a half-secure cipher for themselves?? No no, that sounds like plausible deniality to me. I don't believe it. I think normal cryptographers have not been told the true reason why NSA kept the vulnerability secret. That's my personal opinion. You can't trust the NSA on this. They tell you one thing, but there may be more to the story as people think. Global industrial espionage have always been a big thing. There are many cipher algorithms today on the internet which people can download and use, but which have secret backdoors embedded for the government to break in silently and read all your encrypted messages easily. So be careful! These things don't happen, because NSA made a mistake. Don't be too naive to believe such a thing! NSA does not make mistakes. They want to spy on everyone on the global internet and they know what they're doing. It is more likely that DES was a clever spy scheme or fraud by the NSA. A malicious Cipher algorithm designed on purpose by NSA! But I don't want to insult the DES developers or anyone who loves DES. All I'm saying is I don't believe the story about the secrecy of the DES attack vulnerability.
I have a side-channel question! 😁 I am wondering what kind of video CODEC is used after text mark added. It reminds me strong magnetic fields effect on analog TVs!
sir,at 24 minute one of them ask some question and you answered in german and said that it is exacellent observation or remarl.can you pklz tell me in english.
(Sorry for falling back to German once in a while. The 100+ students in the room are all 1st year students and I am "not really" supposed to teach in English :) What I said was in summary: One can certainly merge PC-1, the Left Shifts and PC-2. This would give us a single permutation whose output would be subkey k1. However, the merged permutation that give us k2 would be different. And the one of k3 would be different too, etc. Thus, we would need 16 different permutations. Rather than having 16 different permutation tables, it is easier to have just one PC-2 which generates all 16 subkeys together with the Left Shifts. Hope this helps. cheers, christof
Thanku sir for the quick response and it's really ok sir german is your native language m concern for that observation because if u r saying that's something excellent I should know that 😊well thanks again
56 bits instead of 64 it is because the ASCII was at the time coded in 7 bits as a signed byte. It is only after during the 90's that the 8th bit was used to encode special characters related to specific language and was dependent of the language of the OS. Clearly, you do not want a cipher being dependent of the locale.
Hey, great class. I am taking cryptography class here in New York: thank god you do give this lecture mostly in English. You are god sent. But my question is, is the textbook that you use in English? if so, could you tell me the title so I can get it, please. Thank you.
+Elvis Machuca The class uses "Understanding Cryptography" by Jan Pelzl and myself. The lectures closely follow the textbook (or vice versa :)) and it is reasonably priced. Please visit www.crypto-textbook.com for more information. You may also want to have a look at the book's reviews at Amazon.com, people seem to really like the book. regards, christof
+Introduction to Cryptography by Christof Paar thank you, I hoping to understand how to put together the key schedule. I seem to have gotten lost along the way, and I am not getting the right number of its when I try to encrypt.
+Elvis Machuca for instance where I got lost is, when putting together the feistel function and the key schedule, is like along the code I wrote, I seem to put missed placed something
it is possible to merge the shifts into the permutations, but then you'll need 16 different permuatation tables (one for each round key), which is not as memory efficient as 1 permutation table and 2 left shift operations. that's why they don't combine them here.
24:15 Can anyone tell me what he Dr. Paar says here? I understood he's saying that software allows us to do all permutations at once. But I'm not sure. Thanks in advance. I'm learning Crypto and German at the same time xd.
The (correct) answer that one of the student gave was/is: We could actually merge PC-1, the Left Shifts LS_i and PC-2 into one permutation that maps 64 bits to 48 bits. However, for each round we would need an individual permutation of this type, i.e., there would be a key permuation KP1, KP2, ..., KP16. They could be precomputed, of course, but there would not be any real advantage to it. And extra storage...
How is the S-box compression reversed? Expanding the string from 4 bits to 6 bits via the table gives 4 possible values. How is the correct value chosen?
Good question. You never have to reverse the S-box. During the decryption phase, you just have to re-compute the S-Box. Note that the actual encryption does NOT take place with the S-Boxes. Rather, the data is encrypted using the XOR operation. cheers, christof
In the encryption, we have IP in the beginning and IP^-1 in the end which means that the initial permutation has been sort of cancelled by the inverse of initial permutation. Why do we need IP and IP^-1 in the decryption if the effect of permutation has been nullified during the encryption? Maybe I am missing something here. Thanks for your time in reading my question (and hopefully answering it).😃
Good point, IP and IP^-1 do NOT serve any security purpose. Most likely they were introduced to make the mapping for incoming data in blocks of 8 bits into blocks of 64 bits as needed for DES easier. --- Remember that DES was designed in the early 1970s where 8-bit buses where state of the art :)
@@introductiontocryptography4223 Many thanks for your answer. I understand your point. Now that I have got your attention, let me also ask about the lecture notes on your follow-up class "Implementation of Cryptographic Schemes" which you mentioned in the comment section of lecture 24. You said that they can be downloaded at: www.emsec.ruhr-uni-bochum.de/teaching/literature/ However this link gives an error 404. Could you fix that please (by updating the link maybe).
Using an index origin of 1 for bit mapping really throws a curve! (i.e. bit 1 to 64 instead of the more natural 0 to 63). Maybe FORTRAN forced this convention?
+Elvis Machuca If you have a look at the figure at 6:00 you'll see how PC-2 works. Its input are the 56 bits after the LS shifts. The output of PC-2 is the round key k_i. PC-1 is, unfortunately, not visible in the video (but in the book :)). Its input is the 56bit key of DES, but you have to add a parity bit at every 8th bit location, so that the total input length to PC-1 is 64 bit. NOTE that 8 bits are partity bits which are removed by PC-1, i.e, there are only 56 bits which form the key. regards, christof
If you look at the schema at 16:40, the key of 56 bits is splitted in two equal parts (C0 and D0) of size 28 bits (56/2). If you perform 28 left rotation on an entry of size 28 bits, you come back at the initial value, so C0=C16 and D0=D16
So the reason we can do the decryption is that at the end of the key scheduler we have rotated all the bits a full time (28 shifts), thus K0 is the same now as K16 ..This is why we have done 28 bit shifts in total so we have fully shifted the register where the key value is?
Yes, you are correct, at the end of the key schedule the C and D registers have each been rotatet by 28 bit positions. Thus, C16 is identical to C0 and D16 to D0. This makes decryption *easier*. Please not that it would still be possible to do the decryption *without* this property. In this case, the decrypting party could initially simply execute the encryption key schedule, and store the subkeys k1, ..., k16. Then, one could run the decrypting algorithm using the stored subkeys. --- This is how it is done with AES and many other modern block ciphers.
Why can't we merge the left shifts of the Cs and Ds into one left shift? We could easily generate 16 permutations that way, I don't get why we have to split the 56 bits in half before doing LS?
Good thought. However, the "left shifts" are not actually shifts but rotations. These rotations happens WITHIN the left 28 bits and WITHIN the right 28 bits. That's why we need to split the 56 bit of the key. But you are right, one can generate 16 permutations, each of which computes one subkey (= round key) from the original 56 key bits. The drawback of this is that one has to store those 56 permutations and to compute them. In most applications it is simplier easy to compute them the way it is presented in the lecture. But again, there is nothing wrong with generating 16 permutations and using those.
Could you please explain the answer of the question regarding having PC-2 and LS separately and not combining them to do the job. The discussion was in German for about a minutes. Have no understanding of German language. Sorry...
Sorry for the late reply. --- One could combine PC-2 and LS in a single 56-to-48 permutation. However, that would then require 16 different permutations which need to be stored. The beauty of the PC-2 and LS approach is that the subkeys can be computed on the fly since both operations are very fast relatively to computing the actual round function.
+Introduction to Cryptography by Christof Paar Can you explain the part of concatenation between the left and right sides of the sub key Ki, i mean the pc2, wich bits are droped and in what order do we place the 2 sides?
my answer was: Yes, you can merge LS and PC-2 into one permutation, but then you would need 16 different of these merged permutations. Re PC-2: Just look a Wikipedia etc for the PC-2 table. != means not equal to
DES Initial Permutation can help in diffusion as most plain text that would be encrypted is binary representation of asci code and we have only 26 english charachters that means at the entry only the right part 4 bits change a lot but the left part mostly the least significant bit can change from time to time, but with IP the changes touch the left and the right part.? in later video you state that you have met with creator of DES and he told you it was only engineering and circuit design so you can ignore my comment :), by the way your channel is a hidden gem (Edited)
Here is the gist of the discussion (in German :) --- One *can* generate k1 with a single permutation directly from the original key. One can also generate k2 that way. And k3 and ... The drawback is that this would require 16 different permutations. The way it is normally done in the key schedule is much more resource efficient: We have a very regular structure where we only need Left Shift and PC-2, rather than 16 different permutation tables.
This is the first semester of our B.Sc. program in IT Security. This is a quite popular program with about 150-200 new students every fall. I teach at Ruhr University Bochum, a large public university in North-Western Germany.
7 років тому+3
I study Science Computer too, and our classes are very poor in details, I'm really thankful for your teaching, well done!
We are using "Understanding Cryptography" by Jan Pelzl and myself. The course is actually based on this book. Please have a look at www.crypto-textbook.com for more information and resources. regards, christof
Hi , professor chrisof paar . Let say the K=00010011 00110100 01010111 0111001 10011011 10111100 11011111 11110001 how do we know the K+ how it generate from 64 bit key to 56 permutation key ? Beside , this course is undergraduate or postgraduate currently i have just finished my diploma if this is undergraduate programme , what is this programme ? Computer Science ? or Computer Science with computer security ? Thanks
You have to look at PC-1 ("permutec choice 1"). It is easy to find on the Internet. PC-1 describes which 8 bits are dropped. This is a first-year course in our Bachelor program in IT security. The program is a mixture of security, cryptography, computer science and computer hardware. It is taught at Ruhr University Bochum in Germany.
Professor when one of student ask a question about why they didnt combine PS-2 with a LS and you translate the answer in German :( why professor :( please tell in english here
also, die Antwort ist wie folgt... Just kidding, here it is in English: Alternatively, one COULD combine PS-2 with the left shift (and with PS-1). This would then be a single permutation which give round key, say, k1. HOWEVER, one would then need another special permutation which computes k2. And one for k3, and k4, ... The DES designer came up with a very elegant way of computing k1...k16 with one single permuation PS-2 which is used over and over again together with LS. regards, christof
Vielen Dank Professor :) I really like when you mention german along with english it lets me to get few german words :) actually I was also curious about the joke someone made and you reply in german :D (i guess at around 1:00:50 ) but its ok :) thank you so much Professor
I find it rather disturbing that you in every lecture, often several times, have to ask the students to be quiet. This is supposed to be a university; not a kindergarten.
I know universities where its totally normal for the students to talk all the time. I am a student myself and I don't understand that at all. If I plan to not pay attention at all I would not visit the lecture....but then again I have no attendance rate or something. But then again at my uni also some teacher complain. some teachers want it to be completly dead silent. So even if you just ask a costudent for an eraser, they would already complain ... So there's that. And with a classroom of 200 people I understand that he wants the class to be quiet or else it soon gets really really loud ...
It is a German University. That's normal here. The interested guys are sitting in the front rows and the rest is sitting in the back and chatting about the next party. University is free and if you lack of money the government will support you.
Don't worry, after sec 35 I switch to English:) It happened in one or two other videos too that I forgot to teach in English for the first minute or so. --- I am glad the videos are of help for some people.
I did just panic for the first 10 seconds in German.. Thank you for your effort appreciated
lol same
I love the structure of this class. It is very important to stop and wonder every now and then why we learn certain things and where is their place in the big picture. I am in a cryptography class (grad student) and this series helps me put all the pieces together. Great professor.
I am doing my masters in computer science 'information security' , thank god i find your video on DES ... it is really awesome....and fun learning to. And yes it does help when u say wake up!....:P...thank u once again..:)
Key schedule 3:30
DES decrypt 25:50
DES security 51:00
DES alternatives 1:03:00
Thank you very much professor for this lecture series. I was already loosing hope to pass my Introduction to Cryptography lecture, as I barely managed to complete the exercise sheets, due to not being able to follow the lecture or understand our script, but thanks to your lecture videos and textbook they have become doable again. Many thanks!
Thank you so much for providing great lectures series free of cost.
The best teacher i have ever seen in my life THANK YOU A LOT
Thanks a lot for sharing lectures this way, greetings from Argentina!~
No, COPACOBANA is from the pre-GPU era :) It is essentially a bunch of FPGA (= progammable hardware devices). Some ciphers, especially DES, are very hardware friendly. On FPGAs, one achieves really high encryption rates for such ciphers. However, there are many instances where modern GPUs are better suited for code breaking, especially for public-key algorithms. regards, christof
so far, I found problems with video 1 and this lecture, I watched the video at your website its OK, but here at UA-cam I think because of maybe some youtube modification, the video is like being in rollercoaster
Dr paar I m going to start my Ms research in cryptography. Your lectures are very helpful. Greetings from Pakistan.
Thank you professor its really good to enjoy your lecture. I will do my best in exam with help of you lectures
Great tutorial on DES! Many Thanks!
The interpretation of the Feistel round as a stream cipher to understand how the decryption works was really enlightening, also how the other elements work. Rather than being artistic, this seems well thought out.
Very interesting! Excited to learn about AES next :D
Thankuu sir.. well explained... now I'm very much interested in cryptography. .. greetings from India.. !!!
Very well explained. Thank you sir.
Thanks was very helpful for me!
thanks for your lectures!!! very exciting and interesting:)
Professor Paar, Thanks for your great lecture, during the explanation of decryption, it's important to make Key16, be the same as K1 decrytion, so is that mean in the decryption steps, We routes the key scheduling hardware wire in reversal order of the encryption hardware ?
Thanks for uploading teacher
3:22 cool effect of DES.
Do you mean that the video has gone thru a DES encode-decode to get that "wavy" video effect??
great lecture. thanks!
Thank you Professor for such an interesting and informative lecture. I have a question re the key schedule in the decryption process. Shall I assume that the algorythm generating the keys is reversed too as opposite to the one used during the encryption? i.e. an inverse permutation followed by two 1- or 2-bit right shifts? Thank you in advance. Mauro
basically: yes :) The decryption key schedule generates the subkeys in the reverse order, i.e., it computes k16 first, then k15, ... and finally k1. The permutation PC1 and PC2 are the same in the encryption and decryption key schedule. The only thing that has to change are the shifts: one has to replace the left shifts with right shifts. One has to watch out in which rounds there is a shift by 1 position and in which there is a 2-position shift.
(Remark: Note that the shifts are really rotates.)
cheers
Nice Class, thanks so much
I really enjoyed this set of lectures so far and Prof. Paar is a very enthusiastic teacher with great teaching abilities. However, the only annoying thing that happens sometimes during these videos is that some of them look kinda skewed and distorted if the camera moves. I wish this could be fixed.
Nonetheless, this does not degrade the reach knowledge that can be learned through these series. I hope we could see more topics by Prof. Paar. I am particularly interested in topics such as Homomorphic Encryption. It will be great to see a lecture by you on that (of course in English ;-)
a question for fellow cryptographers out there,
key scheduling is only done once in ECB mode. the same key is used in that mode for each round.
Can someone tell me which modes of operation require key scheduling to a point where a different key is used for each round? and in reverse order for each round for decryption? im talking with respects to CBC and CTR mode. do they both use different keys for each rounds? or the same key like ECB?
Thank you professor
Sir , as u have explained below that IP and IP^-1 cancel out effect of each other which i think should mean L0(d) == L16(e)... can u please explain where i m going wrong...
Beatiful!
This is the 6th lecture I've watched so far and I enjoyed all of them! Very great!
However, the entire series of lectures and semester took place in 2010-2011. This was before Edward Snowden's revelations in 2013 about NSA's global espionage, so the Professor may have not known the full story and told his students only what he has been told at that time, on why the NSA and their contractor IBM have not told anyone about the DES attack vulnerability (S-Box configuration). But cypherpunks and german crypto developers like me have a different opinion or theory today... It is more likely that NSA wanted to build in a backdoor in DES on purpose in the first place, in order to be able to break in and spy on any company, bank or targeted individual who used the popular DES cipher algorithm over the last 20-30 years. Just take a look at "Heartbleed" vulnerability in SSL online encryption which was revealed this year! The NSA knew about it, didn't tell anyone and exploited it for years! This may all sound like a conspiracy theory, but seriously, today everyone knows that the U.S. government and NSA do all these surveillance and espionage operations on the internet, especially against us Germans, even if they deny it. Edward Snowden revealed it himself, so nobody will argue about that today. It's not a conspiracy theory any longer but a conspiracy fact.
But alright, let's assume the story was like the Professor said, that the NSA kept the vulnerability secret in order to be safe from attacks, which I find a bit sloppy for a "National Security Agency" with a budget of billions of dollars! You think the NSA would be so stupid and let IBM develop a half-secure cipher for themselves?? No no, that sounds like plausible deniality to me. I don't believe it. I think normal cryptographers have not been told the true reason why NSA kept the vulnerability secret. That's my personal opinion. You can't trust the NSA on this. They tell you one thing, but there may be more to the story as people think. Global industrial espionage have always been a big thing. There are many cipher algorithms today on the internet which people can download and use, but which have secret backdoors embedded for the government to break in silently and read all your encrypted messages easily. So be careful! These things don't happen, because NSA made a mistake. Don't be too naive to believe such a thing! NSA does not make mistakes. They want to spy on everyone on the global internet and they know what they're doing. It is more likely that DES was a clever spy scheme or fraud by the NSA. A malicious Cipher algorithm designed on purpose by NSA! But I don't want to insult the DES developers or anyone who loves DES. All I'm saying is I don't believe the story about the secrecy of the DES attack vulnerability.
You didn't understand, DES is safe to the attack. It was deemed unsafe later with the technologic advances. You are right on the spying tho
I have a side-channel question! 😁 I am wondering what kind of video CODEC is used after text mark added. It reminds me strong magnetic fields effect on analog TVs!
sir,at 24 minute one of them ask some question and you answered in german and said that it is exacellent observation or remarl.can you pklz tell me in english.
(Sorry for falling back to German once in a while. The 100+ students in the room are all 1st year students and I am "not really" supposed to teach in English :)
What I said was in summary: One can certainly merge PC-1, the Left Shifts and PC-2. This would give us a single permutation whose output would be subkey k1. However, the merged permutation that give us k2 would be different. And the one of k3 would be different too, etc. Thus, we would need 16 different permutations.
Rather than having 16 different permutation tables, it is easier to have just one PC-2 which generates all 16 subkeys together with the Left Shifts. Hope this helps. cheers, christof
Thanku sir for the quick response and it's really ok sir german is your native language m concern for that observation because if u r saying that's something excellent I should know that 😊well thanks again
@@introductiontocryptography4223 thank you for the explanation, and for uploading these lectures 🙏
thanks Professor :D
Very good lecture.
But, as people have commented, the camera distortions are somewhat annoying.
thanks professor
what other books do you recommend ?
After about the 3rd lecture, I bought his book.
56 bits instead of 64 it is because the ASCII was at the time coded in 7 bits as a signed byte. It is only after during the 90's that the 8th bit was used to encode special characters related to specific language and was dependent of the language of the OS. Clearly, you do not want a cipher being dependent of the locale.
Is COPACOBANA using gpu computing? What language does it use?
trivial commrmt, but i love the german! wonderful lecture (not just because of the accent)
Hey, great class. I am taking cryptography class here in New York: thank god you do give this lecture mostly in English. You are god sent. But my question is, is the textbook that you use in English? if so, could you tell me the title so I can get it, please.
Thank you.
+Elvis Machuca The class uses "Understanding Cryptography" by Jan Pelzl and myself. The lectures closely follow the textbook (or vice versa :)) and it is reasonably priced. Please visit www.crypto-textbook.com for more information. You may also want to have a look at the book's reviews at Amazon.com, people seem to really like the book. regards, christof
+Introduction to Cryptography by Christof Paar thank you, I hoping to understand how to put together the key schedule. I seem to have gotten lost along the way, and I am not getting the right number of its when I try to encrypt.
+Elvis Machuca for instance where I got lost is, when putting together the feistel function and the key schedule, is like along the code I wrote, I seem to put missed placed something
48:20 Why Ki is replaced by K16, because it is in reverse order? Can you explain that part again? Ty
At the end of the round 16 during encryption a swap happens using IP^-1, Why don't we swap during the round 1 of decryption using IP?
this made me lot of counfusing also!!!
What was the answer to the question that why we should not merge left shift into PC to make them a single permutation?
it is possible to merge the shifts into the permutations, but then you'll need 16 different permuatation tables (one for each round key), which is not as memory efficient as 1 permutation table and 2 left shift operations. that's why they don't combine them here.
Viele danke, mein Freunde. :) Leide die Deutsche in diese Video ist zu schwer für mich :p
@@hansen1101 wont be hardware friendly also
Thanks
3:20 trippy af
thanks !
24:15 Can anyone tell me what he Dr. Paar says here? I understood he's saying that software allows us to do all permutations at once. But I'm not sure. Thanks in advance. I'm learning Crypto and German at the same time xd.
The (correct) answer that one of the student gave was/is:
We could actually merge PC-1, the Left Shifts LS_i and PC-2 into one permutation that maps 64 bits to 48 bits. However, for each round we would need an individual permutation of this type, i.e., there would be a key permuation KP1, KP2, ..., KP16. They could be precomputed, of course, but there would not be any real advantage to it. And extra storage...
It makes more sense now. Thanks a lot for both your reply and your lecture Dr. Paar! I found them very useful. Grüssen aus Mexiko!
I think if L and R start from 0 to 15 then in 'end of encryption' L15 is the last. And at decryption L0 (not L1) is L15.
How is the S-box compression reversed? Expanding the string from 4 bits to 6 bits via the table gives 4 possible values. How is the correct value chosen?
Good question. You never have to reverse the S-box. During the decryption phase, you just have to re-compute the S-Box. Note that the actual encryption does NOT take place with the S-Boxes. Rather, the data is encrypted using the XOR operation. cheers, christof
How does the descriptor know what exactly k16 is in its first round?
In the encryption, we have IP in the beginning and IP^-1 in the end which means that the initial permutation has been sort of cancelled by the inverse of initial permutation. Why do we need IP and IP^-1 in the decryption if the effect of permutation has been nullified during the encryption? Maybe I am missing something here. Thanks for your time in reading my question (and hopefully answering it).😃
Good point, IP and IP^-1 do NOT serve any security purpose. Most likely they were introduced to make the mapping for incoming data in blocks of 8 bits into blocks of 64 bits as needed for DES easier. --- Remember that DES was designed in the early 1970s where 8-bit buses where state of the art :)
@@introductiontocryptography4223 Many thanks for your answer. I understand your point. Now that I have got your attention, let me also ask about the lecture notes on your follow-up class "Implementation of Cryptographic Schemes" which you mentioned in the comment section of lecture 24. You said that they can be downloaded at: www.emsec.ruhr-uni-bochum.de/teaching/literature/
However this link gives an error 404. Could you fix that please (by updating the link maybe).
Using an index origin of 1 for bit mapping really throws a curve! (i.e. bit 1 to 64 instead of the more natural 0 to 63). Maybe FORTRAN forced this convention?
another question, what goes into PC-1 and PC-2, and how do you apply them to the key?
+Elvis Machuca If you have a look at the figure at 6:00 you'll see how PC-2 works. Its input are the 56 bits after the LS shifts. The output of PC-2 is the round key k_i. PC-1 is, unfortunately, not visible in the video (but in the book :)). Its input is the 56bit key of DES, but you have to add a parity bit at every 8th bit location, so that the total input length to PC-1 is 64 bit. NOTE that 8 bits are partity bits which are removed by PC-1, i.e, there are only 56 bits which form the key. regards, christof
Hi professor,
Thank you so much for such an informative lecture.
I didn't understand why Co=C16 at 17:47?
I did not understand the logic used here
If you look at the schema at 16:40, the key of 56 bits is splitted in two equal parts (C0 and D0) of size 28 bits (56/2). If you perform 28 left rotation on an entry of size 28 bits, you come back at the initial value, so C0=C16 and D0=D16
So the reason we can do the decryption is that at the end of the key scheduler we have rotated all the bits a full time (28 shifts), thus K0 is the same now as K16 ..This is why we have done 28 bit shifts in total so we have fully shifted the register where the key value is?
Yes, you are correct, at the end of the key schedule the C and D registers have each been rotatet by 28 bit positions. Thus, C16 is identical to C0 and D16 to D0. This makes decryption *easier*.
Please not that it would still be possible to do the decryption *without* this property. In this case, the decrypting party could initially simply execute the encryption key schedule, and store the subkeys k1, ..., k16. Then, one could run the decrypting algorithm using the stored subkeys. --- This is how it is done with AES and many other modern block ciphers.
Why can't we merge the left shifts of the Cs and Ds into one left shift? We could easily generate 16 permutations that way, I don't get why we have to split the 56 bits in half before doing LS?
Good thought. However, the "left shifts" are not actually shifts but rotations. These rotations happens WITHIN the left 28 bits and WITHIN the right 28 bits. That's why we need to split the 56 bit of the key.
But you are right, one can generate 16 permutations, each of which computes one subkey (= round key) from the original 56 key bits. The drawback of this is that one has to store those 56 permutations and to compute them. In most applications it is simplier easy to compute them the way it is presented in the lecture. But again, there is nothing wrong with generating 16 permutations and using those.
Could you please explain the answer of the question regarding having PC-2 and LS separately and not combining them to do the job. The discussion was in German for about a minutes. Have no understanding of German language. Sorry...
Sorry for the late reply. --- One could combine PC-2 and LS in a single 56-to-48 permutation. However, that would then require 16 different permutations which need to be stored. The beauty of the PC-2 and LS approach is that the subkeys can be computed on the fly since both operations are very fast relatively to computing the actual round function.
+Introduction to Cryptography by Christof Paar Can you explain the part of concatenation between the left and right sides of the sub key Ki, i mean the pc2, wich bits are droped and in what order do we place the 2 sides?
Good lecture sir :) greetings from India (Y)
What was the answer that you gave at 24:17, please I wanna know and in PC-2 which 8 bits are dropped and at 48:56 doesn't '!=' means 'not equal to'
my answer was: Yes, you can merge LS and PC-2 into one permutation, but then you would need 16 different of these merged permutations.
Re PC-2: Just look a Wikipedia etc for the PC-2 table.
!= means not equal to
Thank you professor as I don't go to any University so u r my only hope
DES Initial Permutation can help in diffusion as most plain text that would be encrypted is binary representation of asci code and we have only 26 english charachters that means at the entry only the right part 4 bits change a lot but the left part mostly the least significant bit can change from time to time, but with IP the changes touch the left and the right part.?
in later video you state that you have met with creator of DES and he told you it was only engineering and circuit design so you can ignore my comment :), by the way your channel is a hidden gem
(Edited)
The fabric of universe got curved many times :)
why is the screen shaking like woaahh!
anybody knows what the professor was answering in german at 24:44 ? and he was like "very good question"
nevermind i found the comment
Can someone please translate what he said at 24:16 to english, i had the same question in my head, but i dont speak german.
Here is the gist of the discussion (in German :) --- One *can* generate k1 with a single permutation directly from the original key. One can also generate k2 that way. And k3 and ... The drawback is that this would require 16 different permutations. The way it is normally done in the key schedule is much more resource efficient: We have a very regular structure where we only need Left Shift and PC-2, rather than 16 different permutation tables.
30:06
is this a first semester science computer class? a little bit advanced...
This is the first semester of our B.Sc. program in IT Security. This is a quite popular program with about 150-200 new students every fall. I teach at Ruhr University Bochum, a large public university in North-Western Germany.
I study Science Computer too, and our classes are very poor in details, I'm really thankful for your teaching, well done!
what is the book they are using
We are using "Understanding Cryptography" by Jan Pelzl and myself. The course is actually based on this book. Please have a look at www.crypto-textbook.com for more information and resources. regards, christof
Hi , professor chrisof paar . Let say the K=00010011 00110100 01010111 0111001 10011011 10111100 11011111 11110001 how do we know the K+ how it generate from 64 bit key to 56 permutation key ? Beside , this course is undergraduate or postgraduate currently i have just finished my diploma if this is undergraduate programme , what is this programme ? Computer Science ? or Computer Science with computer security ? Thanks
Solved , but can you please answer the second question ?
Thanks
You have to look at PC-1 ("permutec choice 1"). It is easy to find on the Internet. PC-1 describes which 8 bits are dropped.
This is a first-year course in our Bachelor program in IT security. The program is a mixture of security, cryptography, computer science and computer hardware. It is taught at Ruhr University Bochum in Germany.
Professor when one of student ask a question about why they didnt combine PS-2 with a LS and you translate the answer in German :( why professor :( please tell in english here
also, die Antwort ist wie folgt... Just kidding, here it is in English:
Alternatively, one COULD combine PS-2 with the left shift (and with PS-1). This would then be a single permutation which give round key, say, k1. HOWEVER, one would then need another special permutation which computes k2. And one for k3, and k4, ...
The DES designer came up with a very elegant way of computing k1...k16 with one single permuation PS-2 which is used over and over again together with LS. regards, christof
Vielen Dank Professor :) I really like when you mention german along with english it lets me to get few german words :) actually I was also curious about the joke someone made and you reply in german :D (i guess at around 1:00:50 ) but its ok :) thank you so much Professor
He was encrypted for the first 10 seconds
is it just me, or is the video skewing as the camera moves or boards moves
anyways, like the rest of the comments, this video is very good
Is the video shaking or am I drunk?
Who decided to use Warp Stabilizer on an entire video like this
wake up =))
Worry about your German because I can't understand what you explained in that language
I find it rather disturbing that you in every lecture, often several times, have to ask the students to be quiet. This is supposed to be a university; not a kindergarten.
confirm! what a strange university!
That's what happens when you have zero tuition fees I suppose.
I know universities where its totally normal for the students to talk all the time.
I am a student myself and I don't understand that at all.
If I plan to not pay attention at all I would not visit the lecture....but then again I have no attendance rate or something.
But then again at my uni also some teacher complain. some teachers want it to be completly dead silent.
So even if you just ask a costudent for an eraser, they would already complain ...
So there's that. And with a classroom of 200 people I understand that he wants the class to be quiet or else it soon gets really really loud ...
It is a German University. That's normal here. The interested guys are sitting in the front rows and the rest is sitting in the back and chatting about the next party. University is free and if you lack of money the government will support you.
Professor plz don't shift to German!! Please think about ur international Students too!! Thank you..
Don't worry, after sec 35 I switch to English:) It happened in one or two other videos too that I forgot to teach in English for the first minute or so. --- I am glad the videos are of help for some people.
Introduction to Cryptography by Christof Paar awesome work ... Thanks for the video
Keine Sorgen! Ich lerne viele Deutsche mit den Videos auch heheheh
It's sad just how much the professor has to stop and try to get the students' attention