Did you pass?

@@kaloyanmanev He's probably doing his Ph.D. :D 5 years later

thanks

I was exactly looking for this, is it mentioned or proved in lecture?

Are you sure cause I followed this teachers example and didn't find it true. m.kzbin.info/www/bejne/pYDGhYmKpbqmhrM

Me too ;)

He mentioned that he's doing those classes in English because of the Erasmus students in that faculty. What's more sad is that nowadays the Erasmus students care about partying and not learning useful stuff.

true and sad... 😞

O

Ll

Ll

I don't know how is that possible to fall asleep in such a fantastic learning environment that prof.Paar is creating

college is for the young (and immature)

Refer "understanding cryptography" book by christof paar on page 178. That should clear this doubt.

Yes, that works if the number of possible x (i.e. the plaintext messages) is not very large. However, in practice that attack does not work for two reasons. Mainly, in practice RSA is mostly used with "padding", which introduces randomness to the plaintext x before encryption. Please check Section 7.7 of our book www.crypto-textbook.com (or any other source) on RSA padding. Also, RSA is commonly used with 2048 bit modulus, so that there are 2^2048 possible values for x. hope that helps. cheers, christof

Pinned!

The key (pun intended) is that: (x^e)^d = 1 mod n if: e d = 1 mod phi(n) In order to see this, you have to check the proof of the RSA cryptosystem. You can find it in our book but there should also be many sources on the internet. cheers, christof

​Thank you Christof, and thank you again for your excellent lectures.@@introductiontocryptography4223

@@introductiontocryptography4223 Learnmebitcoin's question along with your answer gave me a super flash of insight of a point I was always only about 90% clear on but now have it 100%.

Is that (x^e)^d=1 mod n correct or should it be (x^e)^d = x mod n. Is the original value raised to e and then that value raised to d = to the original value or have I missed something

There are special algorithms, so-called primality tests, for this. They do NOT require factorization. The most popular one is probably the Miller-Rabin algorithm. Please have a look at Section 7.6.2 of our book (or Wikipedia :) regards

Good question. This is an introductory course in applied cryptography. I am quite active in the research and commercial security communities and WRT basics, surprisingly little has changed, i.e., most of the material is still very relevant. The most notable changes are that SHA-1 is slowly phased out and replaced by SHA-2 and SHA-3. I plan to put a SHA-2 lecture online at some point in the spring. What is missing in the course are some advanced topics, esp. post-quantum public key schemes. But it can be argued that they are not relevant for an intro course. Hope this helps. Cheers, christof

Prof Parr Please add them if you can :-)

Sorry, I don't have a lecture with the CRT.

I got the answer actually going back to the video i saw extended euclidean algorithm and i understood

Is e*d == 25 == 1 mod phi (n)?

I guess you won't get m^e even if e is small your m is 255 bit long

my m is 8 bits long, the value of m is 255. Read my original comment again.

24:05 , the professor suggests to get p and q large primes. Choose p,q ∈ {3,5} for the examples not for a real application.

You have to look at the definition of inverses in rings modulo n. The inverse x of a number e in such a ring is defined as: e x = 1 mod n For e=3 and n=20, the inverse turns out to be x=7. cheers, christof

Good question, which is at the heart of RSA security. Here is the situation: The attacker knows, of course, e and n because they form the public key. In order to compute the secret key d, he/she has to know phi(n). And here is where the problem lies: For computing phi(n) one has to know the factorization of n into n= p * q, because phi(n) = (p-1) * (n-1) However, factoring n is very, very hard if n is large enough. That's why the RSA parameters must be chosen very looong. The longest n that has been factored (outside the intelligent community) was 768 bits. NSA et al. can probably factor larger numbers. For internet security, most people use currently n parameters of lenght 2048 bits. More information on RSA factoring at : en.wikipedia.org/wiki/RSA_numbers#RSA-768 cheers, christof

You can do that but as the exponent grows larger your method will become very slow. I would recommend to stick with the SAM algorithm:)

@@introductiontocryptography4223 I see, I'll be sure to stick to SAM. Thanks for your reply, Professor :)

Very good question. The answer is: There are *primality tests*. These do NOT factor the number in question but merely tell you whether it is a prime number or not. The easiest primality test is probably the Fermat test: en.wikipedia.org/wiki/Fermat_primality_test cheers, christof

sender has public key of all like Alice public key, rohan's public key, john now he wants to send to alice he selects Alice Public key and encrypts the message now Alice decrypts with her private key . private key is generated locally by each participant

yes i get it thanks a lot for your explanation :) :)

I think I have worked out the answer now. Any mapping that has an inverse must be a bijection.

That is because of the modular operation in the decryption. If the cyphertext is raised to an exponent d , and than you take mod n , the range of answers is limited to [0,n-1]. It is possible to chose another d that is larger which if you raise the cyphertext to the power of that d gives you the same result. That’s how i understand it, there’s probably also a math proof for it.

You can can encrypt a message x up to the size of the modulus n, i.e., every x < n will work. All bytes that form x are encrypted in one step. For large message, one rarely uses public key schemes. Block ciphers are much better suited. Please note that I am only showing "schoolbook RSA" here. in practice, the message has to be "padded" before encryption. You'll find a padding scheme in Section 7.7 of my book, Understanding Cryptography. regards, christof

Thank you

Sorry, I am not teaching this in the lecture. Algorithms for prime-finding are included in the texbook, however, in Chapter 5. Regards, christof

Introduction to Cryptography by Christof Paar Thanks!

You picked a weird case by accident. If e=11, you have to compute the inverse of e mod 20. You correctly computed d=-9. However, since we are doing mod 20 arithmetic, d= -9 = 11 mod 20. Thus, both e and d are equal to 11. YOu can easily check that this is correct since: d * e = 11 * 11 = 121 = 1 mod 20. RSA should still work for d = e = 11. regards, christof

Oops .. got it

11^7|187 = 11 but 11^23|187 = 11^103|187 = 11^183|187 = 88.. yes, there seems to be more keys do decrypt it.. in general M = (M^7|187)^23|187 = (M^7|187)^103|187 = (M^7|187)^183|187

Please have a look at video #2 of this series, where I introduce modulo arithmetic, including how to deal with the inverse of a number. Good luck.

Good point, I was jumping ahead a bit. On smart cards, one of the main applications of RSA is digital SIGNATURE, which is similar to RSA encryption (which is covered in this lecture) but the role of the public and private keys are swapped. In a smart card application, the reader (ATM machine or such) sends a random number to the card and asks the card to "sign" the random number. This signing takes place with the PRIVATE key "d" and n. The card then returns the signed value and the reader (again: ATM machine etc) verifies this signature using the PUBLIC key "e". This set-up has the advantage that the secret private keys are stored only on the smart card which is supposedly tamper-resistant, i.e., one can not read-out that private key. You may want to watch Lecture 18 from this series where I explain digital signatures in general and RSA signatures in particular. --- All his said: This is the reason why I said in the lecture that "d" and "n" (and sometimes also "e") are burned into the smart card. cheers.

d is also approximately 2048 bits. e can be chosen as a short number, for instance, e = 17 is popular in practice. This allows for fast encryption (or signing, if RSA is used as digital signature). Note that e is the public key and known by everybody. Choosing e as a short number does NOT weaken RSA.

thank you very much sir

d must satisfy the condition that e*d mod phi(N) = 1 In this case, e = 3 and phi(N) = 20 3*7 mod 20 = 21 mod 20 = 1 3*17 mod 20 = 51 mod 20 = 11 3*27 mod 20 = 81 mod 20 = 1 So while d can't be 17, it can in this case also be 27. The issue here is that the encryption key was poorly chosen. The encryption key needs to satisfy two conditions: 1. 1 < e < phi(N) 2. e must be coprime with N and phi(N) that is, gcd(N, e) and gcd(phi(N), e) are both 1. Since e = 3, it's not coprime with N (N = 33, thus gcd(33, 3) = 3), it breaks the second condition and thus compromises the security of the encryption. Paar did however excuse his choice by saying it was poor.

what is 'very close' in your mind?

Der Lukas well, close enough to be more efficient than a square root attack I guess. Close enough to be coputationally tractable to find.

The probleme resides in factorisation of n. As we see, both n and Phi(n) are the multiplication's result of 2 numbers. So there is a lot of possiblities to factorise Phi(n). And with each possiblity, you have to find the best factorisation of N. You can imagine the difficulty if N is too large !!! Personnally and if we compare RSA with AES I can see that: -To decrypt a cipher text AES you have to use the brute force attack (try all possiblities of the key). And that takes more than Univers's age as Professor Paar said !! -To decrypt a cipher text RSA. you have to write n as a product of 2 prime numbers. That means you have to devide n by all prime numbers untill finding a prime number as result. That is not esay if n is too large.

Amsbrid M hmed But no, to decrypt RSA you don't have to write n as a product of 2 prime numbers. You only have to find Phi(n). That's what I'm saying. Wouldn't it be quicker to find Phi(n) (since it is "close" to N), rather than trying to factor N. Once you find Phi(n), you can compute the private key (it's the inverse of e mod phi(n)).

I see.. however let's take an example: Chosen N= 163 * 419 = 68297 So Phi(N)= 162 * 418 = 67716 I see now.. it seems with brute force attack we can guess Phi(N) and decrypt the Cipher text with the formula: X= Y^d mod Phi(N). In other hand, if this will be as simple as that. Why NSA trusts RSA ?. In addition to this, RSA Algo was a team work of 3 expert persons, they spent many years to find this algo, and all the world trusts it.

saibaba kothakapu If p and q are equal you could just take the square root of n, check to see if it's an integer, and if it is you have your factorization, ie n = sqrt(n)sqrt(n).

MITOPENCOURSEWARES MATH computer science

The inverse can be computed using the Extended Euclidean Algorithm, it is actually the coefficient "t". See the previous Lecture (Lecture 11) for the explanation.

"Over there on the cheap seats! Yes you! Silence!"

you are working in modular field ( mod 33), so yes 125 is equal to 26 125 = 3*33 + 26

Most often he repeads the last word in german.

This may be a policy at German Universities. As an international student in Germany you have to pick up the German language, so he drops this German phrases once in a while, immediatley followed by the English translation. May be this is a didactic tool. Anyway, Cristof Paar is a very good teacher!

Just for clarification: It is almost exactly the opposite :) This is a 1st year course and I am "supposed" to teach in German. 95% of the students are actually from Germany. For that reason, I am repeating some of the more important facts in German, just to make sure that all of the students really understand what I'm saying :) regards, christof