god made woman to wash dishes bro

I liked that Facebook comment too. So casual yet drives home the point.

OMED MUHSIN I believe the point is that, without the theorum discussed next, you might think it's possible that multiplying two elements in the set may not result in an element that is in the set - he wasn't stating that the result is 6, but that it could be.

You have a cyclic group if there is at least one generator. There is almost always more than one generator. The number of generators in a cyclic group with n elements is PHI(n), where PHI() is Euler's phi function. Regarding your other observation: Yes, in a group with p-1 elements one has to be a bit careful. What is done in practice is to choose a large subgroup within the (p-1) cyclic group which has a prime number of elements.That means: one looks at the prime factorization of (p-1) and hopes that it has one large prime factor p'. If that is not the case, try a different p and check whether the new (p-1) has a large prime factor. And so on until you'll find a (p-1) which has a large p' as factor. cheers

Danke (I'm also learning German from your videos)! I was asking because for some things (like Pedersen commitments?) it seems really important to use a prime order group. I don't know why, though. The basic idea seems to be to make sure to use a group for which Diffie-Hellman and discrete logarithm are equivalently hard?

DH is not a cipher, but a just an algorithm for key exchange, usually for exchanging an AES session key which is used for symmetric encryption to speed things up -> hybrid cipher. Permanent RSA keys are used by the server within the server certificate for authentication to prevent MITM attacks (although mutual authentication would be preferable). You could of course also generate and exchange RSA session keys and exchange the public RSA session keys for encryption of the AES session key instead of using ECDH, but that's a lot more computationally intense (due to the differences in key length), so it's not being done. RSA key generation is incredibly slow, while ECDH is comparatively fast. That's why ECC is blooming as it is. It requires much shorter key-lengths to achieve an equivalent security level, than non-ECC asymmetric algorithms do. It's key length is as a rule of thumb on average just around twice that of AES. And yes, key re-use and perfect forward secrecy are diametrically opposed concepts. Whenever you re-use a key for more than one encryption session, more than one session becomes tainted if this key gets somehow into the hands of nasty individuals. Obvious, right ? So while key reuse for authentication (digital signature) is perfectly fine because it is a necessity, key-reuse for encryption is not. Key re-use is evil, so avoid it whenever possible.

+Mojtaba Komeili I know what you mean but, no, it is correct without the mod operator. Here is why: The two properties that I state hold for ANY cyclic group. The only cyclic group we have considered so far in the lecture is the specific cyclic group that you get when you do integer arithmetic mod p, p being a prime, i.e., prime fields. However, there are other cyclic groups which are NOT prime fields. An example is the cyclic group which is formed by an elliptic curve, cf. Lecture 16 and 17. I hope this helps, regards, christof

OK, I see now. Thanks a lot, this clarified the matter for me.

No, the lectures are all open and free. My salary is paid by the (state) government :) If you want to support good teaching, people can buy the book by Jan and me on which the course is based. Thanks for asking, christof

you would be surprised. science does not usually pay that well.

Z11* P = 8, what is the private key without generating the whole group? You can generate the group and you will find my key. Replace 11 with huge. Zhuge* P = 8 where huge = 2^3000 (a prime in that range somewhere). In theory, you could find my private key, but in practice, you won't, because the sun will explode before you will find it.

It is a fundamental property of arithmetic modulo n that any element "a" from the set of {0,1,...,n-1} only has an inverse iff gcd(a,n) = 1 I do not give a proof but I talk about it in Lecture 2 of this series. Hope this help, christof

Thank you Professor@@introductiontocryptography4223

Erratum is the singular

@@modato97 pfff latin-lover

Good question :) The number 41 was just randomly picked from the multiplicative group Z_47, which has the elements {1, 2, ..., 46}. The equation 5^x = 41 mod 47 is used to show that even for such small numbers it is not straightforward to computer the discrete logarithm, i.e., to find the correct value for x. Hope this helps, christof

شد حيلك يا حوس

We are only looking at the *multiplicative* group, denoted by Z*, which contains only the elements {1,2,...,10}. Note that 0 is not in the group since it does not have an inverse. Hence, |Z*| = 10. Cheers, Christof

yes prof i got it. thanks. i am following all your lectures

"ungenau" which translates to "inaccurate", "imprecise" or "vague" :)

@@introductiontocryptography4223 I'm a born English speaker, and I do recognize English is a Germanic language. So the language lineage explains part of it. But that word actually *sounds* like it's meaning, inaccurate. There must be a language center in the brain that is independent of (or universal to) particular languages.

can't be 0 or 1 cos 0^a = 0 always and 1^a = 1 always can't be p coz p^a congruent to 0 can't be p-1 coz that's congruent to -1 so -1^a is always 1 or -1 alpha can be any number not congruent to 0,1,p-1,p

No, the whole point of the crypto system is that Oscar can NOT compute the private key from the public key. This requires computation of the discrete logarithm which is a hard problem. regards, christof

Thank you very much for your answer. Actually, I realised this when I continued the entire video and by the end of it you explained the numbers are large so it is hard to compute that. Big applause for your lectures, they are very helpful in my course now :)

In Germany, the "one" is written with two strokes, whereas in the US (and The Netherlands and probably other countries as well) it is just a straight vertical line. The German "seven" are the two strokes of the one AND a small horizontal bar. Side note: For a while, I used the "US one" in my lecture (just a vertical line) but the German students complained :)

use a different example. 39 instead of 41 then better. no complaint.

Are you serious? Are you suggesting he should engineer all his examples to avoid writing 1s and 7s because students are confused by this difference of notation?

@@introductiontocryptography4223 ahaha

11 is a prime, so the GCD(a, 11) with a element of [Z*11] is 1 for all a. While 12 will share GCDs higher than 1 with 2,3,4,6,8,9, so that group would be: [Z*12] = {1,5,7,10,11}.

ccc.de