Dear Professor Paar, Thank you very much for sharing your lectures on KZbin! I am learning more from you than from my professor and my tutor. Our lecturer at the University of Melbourne can't even speak proper English, let alone teaching Cryptography. I solute you, and wish you the best! You're awesome!

*Topics* Recap & Lecture program 0:20 Introduction to LFSR 3:00 General LFSR 34:20 Attack against single LFSR 1:13:37

There are different assumptions about Oscar's capabilities. The 4 major ones are: It is always true that he knows ciphertext and does not know the key. Often it is also assumed that he knows part of the plaintext, e.g., a file header. Another assumption that is often made is that he can choose the ciphers or even the plaintext. A good crypto system should be secure against all these attacks. Re timing: This is application specific. In classical communication security settings where Oscar is listening-in on the channel, e.g., the Internet or an air link, he also has the timing information. Also in embedded systems such as a smart card, he can observe the timing behaviour in a very detailed fashion. --- Hope this helps, christof

In a computer engineering course in NL our homework is to read your book. I'm happy I found out that you've provided lectures. Really helps a ton!

Another great lecture on stream ciphers! What I find great here is that Christof Paar proves that PRNGs alone are useless for encryption unless being used as a layer in a cryptographic system, as he suggests at the end of this lecture. Although I would forget PRNGs altogether and directly focus on TRNGs and CSRNGs.

You are an amazing teacher . Thank you so much !

I was very confused about the 'P' part, but then ex1 came and it all started to make sense. Thank you sir this was very beautiful.

I stopped going to my class and studying your amazing lectures , thank you Sir

Thank you professor Paar for your useful video lectures.

Fantastic. Just subscribed and bought the book. My own understanding towards OTP ciphers, was via Vigenère, which I thought you would touch on. I understand RC4 to basically be a key-stretched version of Vigenère part way towards an OTP. Looking forward to the rest of the series.

This may seem a little off topic, but towards the end of the lecture when you talk about breaking the Stream Cipher using LSFRs, given the vast number of implementations of different cryptographic algorithms, how would Oscar know that he is dealing a Stream, and not a block, or an Asymmetric Cipher? Great lectures, btw, really enjoying them and learning a lot. Thank you, Professor Christof Paar!

1:29:04 "the but" is known as LFSR shrinking-generator. See A5/1 cipher for example as referenced by the professor.

from IRAQ , thank you for this amazing explanation . big love

Thanks you professor. I started course to LFSR and now i like working at home. My project research is in area of cryptography and i have many lacks to this area. Nevertheless, your courses are a good tools to starts implementing my works

Another question, again general: In every problem of Cryptanalysis, we assume Oscar has knowledge of the CipherText, and no knowledge of the Key, or the PlainText. My question is, does Oscar have any knowledge of the exact time at which Alice is sending, and the the exact time Bob is receiving the message? I realise I may be drifting slightly off topic. Thanks!

wenn ich gewusst hätte dass es in der bochumer university so geile profs gibt wär ich dahin gegangen :D klasse und sehr verständlich erklärt! Hat mich als Software-Engineer sehr weitergebracht ;)

1:05:47 - I did not completely understand why the polynomial was x^4 + x + 1. In my eyes it would have been x^4 + x^3 + 1

Intro to LFSR 03:00 General LFSR 34:20 Attacks LFSR 1:13:40

Thank you for the lecture. I have a question, you didn't discuss where the key is used by the LFSR, I guess the vector (p_0, p_1,..., p_m-1) is the key right?

These lectures are amazing !!!!!

thank you for the series. having never had the economic opportunity to attend college, these types of openly available videos are indispensable to my desire for knowledge. I would have asked the question, does it matter if I end up using the most efficient polynomial? Isn't the point to have a long period? for instance, even if I have something like m=100, by coming up with an 'inefficient' polynomial eg, one that doesn't generate the longest sequence for m, aren't I still achieving my goal of generating a long period? Thanks!

most important equation of the day since 1911 :P

Really love how you teach..

I'm confused is when you say 2 to the m -1, you wrote it as 2 times m -1. Did you mean it as 2 to the power of m -1 or 2 times m -1 ? 1:17:20 1:27:41 52:20

Does the cellphone and cell tower share the same seed? How are they able to decrypt?

Thanks you so much for great lectures.

боже, благослови ютуб! Это именно то что мне было нужно!

Because you are awsem i will buy your book , unfortunantly there is only one Christof Paar in the world .

I have a question: how was it proven that you will always get ALL the numbers in the sequence and loop back to the beginning (length 2^N - 1 for N bits)?

When he gives an assignment to the class, you can skip to 23:10, nothing important happens in the time

In order to compute si bits you require both plaintext and ciphertext. However unless someone was attempting to facilitate an attack on the encryption wouldn't it be reasonable to assume that the attacker (Oscar) would only have plaintext (header) or the ciphertext?

Great lectures and Great professor, the problem is I didn't get it at all 🤣.

The diagram given in the book along with mathematical description of LFSR's has incomplete and wrong labeling,as compared to what you have at 46:18

Near the bottom of page 42, you say (about he index or clock cycle) : "i=0,1,2..." but should this really be ( i >= m ), where m is the degree? Also, reversing the numbering direction on the circuit on page 43 from the other on page 42 is confusing.

Dear sir, May I ask in the ex 2 of LFSRs---- should we not put another MUX at the rightmost end of the circuit before the Output? Regards, Fatema

i enjoyed the lecture .thumps up👍

Finally i understand this!

is the following correct: assuming oscar knows s1 s2 and s3 so s3=s2xp2 + s1xp1 + s0x p0 and s4 ( what oscar does not know) = s3x p2 + s2xp1 + s1xpo ( x meaning multiplication) is this equation correct then and would it not be necessary to compute p3? (or if one was to substitute p0 for x p1 for y and p2 for z? or whould there be a 4th unknown variable ?

also so the attacker now the first 3 letters of the original text the encrypted text and the general eqution that is used to decode?

*_Remark:_* the _multiplier_ in the general LFSR is an *AND gate*

Why in example 2 ( time 1:02:00) is the period equal to 5? Isn' it period = 2^m-1=2^4-1=15?

So is the Key in the PRNG described dictate what P bits are on or off (ie) what registers are XORd together

If an LFSR of a concrete configuration has not maximum length, can it also be that there are different disconnected cycles depending on the initial state (except for all zero)?

Dear Mr Paar, Do you plan to introduce the beautiful Post Quantum Cryptography, please ?

Excuse me professor. Can't we replace the multiplication with an AND gate? We say that if we have 0 for pi then the output will be 0 and when pi is 1 the output is equal to the input. So this means that we have an AND gate there.

how it is possible having 4 flip flops if all switch are closed to end up with 5 cycles if how will the bits flow back to the first flip flop?

You are just amazing sir

Nice useful video sir...thanks

The use of the same letter s(i) to represent both the bit, i.e. state, as well as the just the rightmost bit sequence is very confusing. It would be much easier to understand if you used different letters, even more so if you named your variables creatively. Good lectures though. Thank you.

great lecture, thank you

I understand the LFSRs are not cryptographically secure. But how can they be made better secure using 3 LFSRs? What does that mean? Does that mean the Si used is an xor of 3 LFSRs? Is it explained in detail in the 'Understanding Cryptography' book?

I guess what I don't completely understand is that if the drawback of OTP is its key length... how are LCGs better? Don't we always need to generate a stream key as long as the plain text?

Is there any way we can find the lecture slides used in these classes ?? or the homework expercises ?? Great Video thanks.

very nice lecture

A good cryptography is where you advertise how you encrypt right ? Then OSCAR knows the P values and degree right ?

@42:40 is should read B=0*A=0?!? blackboard says B=0*B=0

You are awesome. 💙

Hi Mr Christof, I am wondering if you have the algorithm of a Scrambler/Descrambler module that used for the protocol like PCe express,SAS,...

great lecture

Professor Paar, do you'll explain something about CPRNG? I mean, all PRNGs explained by you are completely predictable, do you have anything to contribute about non-predictable ones? Thanks in advance

hi sir do you know about safer k64 .

Very useful. Danke. 7 to go ..

Love it...

I always how the key can be delivered to the other person without having to physicaly deliver the key

Whet different between stream cipher and block cipher

is the jpj of the equation the s values multiplie by p switch/multiplier?

I do watch youtube during your lecture, I am sorry!

Thank you

This is a lecture and not theatre. So why can't the cameraman fix the board?

Perhaps, the lecture could have been edited...

das ist gut danke

DANKE

THANX SIR

Thanks

Thanx!

How does the oscar know the degree m

plz increase sound..

37:00

You made a spelling error. You spelled theoretically as "theoritically"

Why do people sit and talk at a lecture? Fucking disrespectful.

Dab on the haters

cringe baby

If those babbling children in the classroom are to be responsible for shaping the future of cryptography, we may as well abandon all hope.