So use p equals 17, q equals 19. They are the large prime numbers I chose. Well, they're not large enough for security, but just for this example. And then calculate your public and private key. What's the first step? What's the first step you're going to do? Times them together, get an n. p times q equals n. And then the next step, find the totient of n. Anyone find n? What's the value? 323. Then find the totient of n. Keep calculating. And use the shortcut. This is the important part. That is, you don't need to find the totient of n manually because n is two prime numbers multiplied together. The totient of n is p minus 1 times q minus 1. And the value is 288. What's next? Find e. And there are different possible values. It has to be relatively prime with 288. I don't know all the answers. There are multiple values that are relatively prime with 288. That is, the greatest common divisor of e and the totient of n equals 1. Someone said 7. Any other numbers? 3. So is 288 divisible by 3? OK, so 3 is not relatively prime. Because if 288 is divisible by 3, then the greatest common divisor is 3 in that case. What about 5? 5 is relatively prime with 288 because 288 is not divisible by 5. They don't have the same factors. 7. 7 is relatively prime. So we've got 5, 7. They are possible values of e. And there are others. We're not going to go through them all. 9 will not be because 3 is not. 11 most likely. 13 is, I think. And there are others. It's not the intention to calculate them all. You just need to choose one in this case. Choose to make it a bit harder. Choose 13. So you get to select one. Let's choose 13. What's next? Find d. How do we find d? The multiplicative inverse of e. Which means when you multiply e and d together and mod by the totient of n, 288, you get 1. e times d equals 1 in mod 288. And here, again, you need to try some different values. So where e is 13, what we need is 13 times something mod 288 equals 1. You need to find that something.
One way to make the attempts is 13 times something equals 289. Or 289 divided by 13 equals an integer. And if that doesn't give you an integer, then try 2 times 288 plus 1. 3 times 288 plus 1. You can just try different values. That one's a bit harder. Well, I can't remember the, did anyone get it? 23 was 23 times 13. We need to calculate it. We have 13 times something. What are we, 289? Actually, my calculator's not so good, it's not accurate. Let's make it easier. 13 times something equals 1 mod 288. That is, if we have 289 divided by 13, we need to get an integer. Because if 13 times something equals 289, then 289 mod the totient of n equals 1. So if 289 is divisible by 13 by an integer, then that's the answer. But it's not, you see, it's 22. There must be a multiplicative inverse, because that's the way we chose e. You have to keep trying. What about 13 times, what about if it was, is 577 divisible by 13? I'm not going to expect you to go through all of it, because 577 mod 288 is 1, I hope, because 288 times 2 is 576. So 577 mod 288 will be a remainder of 1, which is just 289 plus 288. And if that doesn't give you an integer here, then you add another 288. But I'll give you the answer, because it takes some time to calculate. 133, I calculated. 133 times 13 mod 288 is 1, try again. So e is 13. If d is 133, we get 1729. If you then mod by our totient of n, which is 288, you get 1. So there is a d. It's just not obvious to calculate straight away. There are algorithms that will do that for you automatically. So if d equals 133, we can use RSA. What's next? Well, we've generated our key pair, because a key pair, in fact, is three values. One of them is repeated. e, d, and n are the values that we need, because we use them for our RSA encryption and decryption. So now, let's say that that was my key pair. I generated this. I chose p and q, 17 and 19. I calculated n. I didn't tell you what my p and q were. I didn't tell you what d was.
But I tell you that e equals 13 and n equals 323. So I tell you my public key. My public key is e and n. And then you want to send me a message. And you want that message to be confidential. That message is 22, encrypt. Find the ciphertext. At least work out the equation for the ciphertext. We'll use a calculator to solve it. Normally, we denote the public key as both e and n and the private key as d and n. But the one thing that must be private is d. Even though we say n is part of the private key, the private value is d, because n is public in the public key. But it's quite common to denote n as part of the private key as well, because we use that when we use the value of d. So now for confidentiality, someone wants to send me a message. That's my public key and my corresponding private key. Then what do you do? c equals the message 22. What do we do with m? We use the public key. So when you send me a message, you use my public key. That is, you use my value of e and n. You take 22, the message, and raise it to the power of 13 and mod by n. Anyone have the answer? Anyone have a calculator that will calculate it? 71. Sounds close. What do we get? We had 22 to the power of 13, mod 323, 71. Again, 22 is our message. Raise it to the power of our public value e, which is 13. And then mod by our modulus n, which is 323. So here we're using the public key, e and n, 71. So that's the ciphertext. That's what you would send me. Oh, sorry. What do I do when I receive 71? I receive this message, 71, from you. What do I do with it? I want to get the original message back. I decrypt using the same equation, but different values. So I want to find what m is. I take the ciphertext, 71. And now I use the other key in the pair. You use the public key. I use the corresponding private key. That is the value of d, 71 to the power of 133. And the same value, n. And try it on your calculator. You should get 22 back. Check. Anyone get it? 22, can you show me on your calculator? OK.
So here we used e, and here we used d. Other than that, the operations are the same. That's the ordering of which we use the keys. 71 to the power of 133, mod, what do we get? 323, our ciphertext to the power of the private value d, mod, n. Gives 22, which is what we expect. So that's just a simple example of with small values using RSA. The simple step or the steps for generating the key. I gave you the values of p and q in this case. You need to choose, in general, choose random, choose large prime numbers. Any questions on how to do that in the quiz next week? You should be able to do it quickly in the quiz. Yep. There will be a quiz next week. You may have to do questions like this. But you may have other questions as well. I would not, I'll try in a quiz, I would not ask you to, I would not give a question which takes a long time. That is, you have to, especially this part. In this case, in this question, it takes a bit of time to find the value of d. I'll try to choose numbers which you'll find the value of d either after one or one, two, or three attempts. Okay? That's not the point to make it long, but just to understand the steps. I may not even ask you to do all the steps. Okay, there's an example in RSA. Some of the things that I mentioned before the break, what did I say? And I couldn't remember. So just a few other things. I said that there's something called AES-NI. NI, so this is a feature of Intel CPUs. So most recent Intel CPUs support this. And NI means new instruction. What it is is a set of instructions that perform some of the AES operations. If you remember back to DES, not AES, we didn't cover it in detail, but DES, we had different operations in each round. We had XORs, we had S-boxes and different operations. Well, there are in the Intel CPU, there are instructions that do specific operations in AES. It just speeds up by using hardware to do the AES operations instead of software. 
What else did we mention that I want to just recap before we move on? I said, we said something about the speed. To give you some indicator. So here, this is the length of the number N that we're trying to factor into P and Q. With RSA, the challenge is, given a large N, find P and Q. If I give you in the quiz question, next week, break RSA and I give you the value of N, you may be able to factor it into P and Q. If I gave you N equals 323, I think some of you would find that the prime factors of 323 are our 17 and 19, okay? So you can factor 323 into 17 and 19. But now take a, not a three digit number, but take a 200 or 300 digit number, maybe 700 bits is N and factor that into P and Q. And this is how long some different algorithms take. So if it's N is 600 bits long, this is, it's not so clear here, I can't even read it. This is 10 to the power of six, MIPS years. MIPS is millions of instructions per second, okay? MIPS, millions of instructions per second. This is 10 to the power of six, that is one million, millions of instructions per second, years. Now, to get that a bit more meaningful, and of course, if we go up in the length of N, we see it goes up to 10 to the power of 12 and much higher. I just looked up some data. How fast are current computers? This is not to remember, but just to give an indicator. An Intel i7 CPU is about 128 bits and 8,000 MIPS, that is at peak performance, it can do about 128,000 million instructions per second. This is millions of instructions per second. How many years that we, if we do that many instructions per second, how many years will it take? So maybe a better example, RSA 768, which was a 768 bit value somewhere in here. Someone solved it in, this was in 2009. They factored this number, a 768 bit value of N into its prime factors, P and Q. It took them about the equivalent using one CPU, just one core, it took them 2,000 years. 
Or the equivalent of, that is with a 768 bit value of N, if they had just one CPU, it would take 2,000 years. Of course, they had more than one CPU, one core. They had multiple computers factoring over a long period of time. And it took them, I think, in the order of, I think in their case, the first time they did it in the order of two years. So instead of 2,000 years, by increasing the number of computers, they can reduce the real time. But that's the order of magnitude that we're talking about. That's the most recent one that was solved. Generally considered now, 1,024 bits considered secure for now. 2,048 bits is recommended for using RSA to be secure in the future. And it's considered that it's unbreakable with any known technique. Just some numbers to indicate that if we use a large enough N, it's practically impossible to break. What other examples? What if we use larger values? Can our calculator deal with it? Of course, you need to be careful when you calculate using RSA, even these small values that your calculator, whether it's a handheld calculator or a computer calculator, actually has the precision to perform the operations. Because when we have a large M and we raise it to a large number, maybe we'll run out of precision in our calculator. So just be careful if you're doing some practical tests or some tasks at home or for homework that sometimes the calculators are not precise enough. For example, actually I don't have an example, but if we take a large number, a large M, for example, and raise it to a large value of D, let's see how good my calculator is. Okay, again, we'll go back in a minute. So my calculator could calculate it in some period of time, but it says it's 10 to the power of 70,000. It doesn't remember those 70,000 digits there. Okay, it would not be accurate enough to then take the modulus and get the answer. So sometimes you need special software or different algorithms to do the power and the mod together. 
And some software will do it, others will not. You've seen me before use something called bc on the command line. Zoom in. bc is just a calculator on the command line, but it's arbitrary precision. So it's better for calculating the power and modulus for large numbers. We'll see some other examples later, but let's see, it's not as good as others. Okay, it will, all right, it doesn't make much sense here, but it gives the exact number here. Whereas my other calculator, my graphical calculator, would just record 10 to the power of 70,000 and something. It wouldn't record all of the precise values. Here in bc, it will record the exact number, and therefore when we do the mod, in theory we can get the precise answer. So just be careful, sometimes your calculator will not handle the numbers we're dealing with. And when we deal with real numbers with RSA, again, it takes some time and you need efficient algorithms to calculate. Another example, before we look at Diffie-Hellman, OpenSSL supports RSA key generation. So let's generate some keys with OpenSSL. And you don't need to remember these, I'll provide you a link to where this is written up, but I'll just demonstrate the generation of an RSA key. And we'll look at that key. So OpenSSL, there are different functions it has, but it has a generic operation to generate a private key, genpkey. And it works for different algorithms. It works for RSA, DSS and others. So we can select an algorithm. I wanna use RSA. And you can specify different options for your private key, -pkeyopt, for options. And I know these, I've looked them up in advance, they're not easy to remember. One of the options is to specify the RSA key generation, the number of bits, 2048 in my case. That is, how long is N? So that's the main indicator of the performance or the strength of RSA is the number of bits. So I'm gonna use a 2048 length value. And the other one we can specify as an option is the value of our public exponent, E, that is.
That is the number we raised to a power which is made public, the public exponent, it's called in OpenSSL. And as we said, that value can be small and we can use the same value. And in this example, I'll just use three. So when you generate your key, you can also use three. You can use a different number, but three is one of the ones which is known, it's small and therefore can be efficient. And so that will generate my private key and I wanna output to a file, let's call it PRIV. And there's a particular file format, I'll just call it .pem. That's not so important yet. So just some options to generate my RSA key pair and let's see, it takes a little bit of time. Well, about one second, okay, it generates what it did then is it chose the two prime numbers, P and Q. So what it did is it really chose large random numbers and then test if it's prime, if it's not prime, if it's found to be composite then try another large random number. And there's multiple tests and there's a high confidence that it will be prime after multiple tests and then it does that for Q. Then it calculated N, the totient of N, selected an E, calculated D and saved those values in a file, this PRIV.pem. Let's look at the file. It's a text file or ASCII content, but it's encoded. So if I just display that file on the screen, it looks like some random characters. I'll zoom out so it's a bit, that's it there. In fact, it's not encrypted. This is my private key. It's not encrypted, it's just a different encoding. It's a Base64 encoding. You know you have ASCII encoding, a way to map the letters to binary values. This is a different encoding, which is being used to send binary data across the network. So it's an encoding, not encryption. OpenSSL has a way to show it in a user-friendly way. That's not so easy for me to look at. It's an operation to view the values, take the input my private key and output to a text display. So this is the encoded form of my private key containing all those values.
We'll see in a moment. I'm just going to display it in a user-friendly manner and just display one screen at a time. Okay, that's the same as before and now it provides a nicer view. So the first thing is the modulus here. It's given in hexadecimal. You can convert it to binary. So there's the modulus there. That was determined by P times Q. The public exponent, E, that's three. I chose that in this example. And the calculated private exponent, that's D. So we have N, E and D. And note that D is very large, okay? It's almost as large as N in this case. So it's almost 2048 bits long and that's desirable. We want for security D to be large and that's one reason for choosing a small E. Normally with a small E, you get a large D because E and D are multiplicative inverses. Then my private key, open SSL, actually stores other values. So we have, what do we have? So far we have N, E and D. So in fact, it says it's my private key but it also stores E. So in fact, stores my public values as well. But it stores also my primes, P and Q. So prime one and prime two, they're called. So they are the large prime numbers which were chosen by the software in this case and recorded there. So it has P and Q. And finally it stores some other values called exponent one, exponent two and coefficient. These values are not needed but they are stored because they can be used to make the decryption using the private key using D faster. As remember, when we take some value and raise it to power of D mod N, D is very large and it takes a lot of time to take some large number, raise it to the power of another large number mod N. There are some algorithms that can simplify this calculation and the algorithms rely on some other values and those other values are stored also with my private key. They're called exponent one, exponent two and the coefficient. We're not gonna explain how they used. You can see online different sources explaining them. I haven't written down somewhere. 
Maybe I do, maybe I don't. If I don't have them written down I'll show you another time. No, I don't. Exponent one and exponent two are some operation on D, I think mod P minus one and exponent two D mod Q minus one and the coefficient also uses P and Q. They are simply used to perform this calculation in a faster manner. Instead of having to perform the direct operation there are multiple steps and it turns out those steps using these sort of subvalues can be implemented faster than that one step. So it's for performance, not for security. They're not needed, but they're commonly used. That's my private key. Of course I would not show you that because that's private to me, especially the values of these and the primes should be kept secret and of course the private exponent should be kept secret. The values of N and E, I can show you because they can be public. The others should be kept private or secret. And OpenSSL can then generate a public key from this and I could save that in a file and then send it to you or post on a website such that anyone can see my public key and then you could encrypt, again using OpenSSL or other software and send me ciphertext. So just an example with OpenSSL and generating the key. Any questions on RSA? That brings us to the end of that topic. Another public key cryptography algorithm is the Diffie-Hellman Key Exchange algorithm. And we'll start to go through that this afternoon. Remember the two people, Diffie and Hellman, they are the people who publicly, or the first to publish public key cryptography. They're the two guys that invented public key cryptography, at least made it public. There were some security organizations that did it before them, but it wasn't published. And there's an algorithm that they developed for exchanging keys. So this is different from what we've seen all along. We've seen RSA can be used for encryption, for confidentiality. 
I have some plain text, I encrypt it, I send the ciphertext so that no one can see the plain text. RSA we've seen also can be used for authentication. I have a message, I authenticate it by signing it using my private key. I send that signed message and the receiver verifies it using my public key. So RSA provides those two services. Diffie-Hellman Key Exchange is about exchanging a secret. Remember with DES, AES, even RC4, they both use one secret at both the source and destination, there's one secret key. The problem with them is how do we get that secret? How does the destination know what the secret is? Well, Diffie-Hellman Key Exchange is a way for exchanging a secret using public key cryptography. Let's see how it works. So it's not for secrecy of data, so we're not encrypting anything. All we're doing is we're trying to get a secret from one spot to another, so from one user to another user, without anyone else discovering that secret. That's the challenge here. We've mentioned this in previous class. How do I get a secret from one user to another user? I write it down on a piece of paper and give it to them. How do we do it across a network? If I send this secret in an email unencrypted, then potentially someone can intercept that email and see my secret. That's not secure. If I send that secret, I could encrypt it and send the encrypted secret in an email. How do I do that? Okay, I have a secret, I choose it, I want to send it to someone. I cannot send it in the clear because someone could intercept, so one thing I could do is encrypt that secret and send the ciphertext in the email. Would that work? How could I do that? What do I encrypt it with? I could encrypt it using RSA, for example, and use, if I want to send the message to you, I would use your public key to encrypt and send the ciphertext to you and you would use your private key to decrypt. So that's one way for exchanging secrets and it's a key uber, the important use of RSA to exchange secrets. 
Diffie-Hellman's another way. It doesn't use RSA, it uses its own algorithm for exchanging secrets, for getting one secret from A to B. It's the security of it, the strength of it is based upon the fact that discrete logarithms are hard to solve in that when we use modular arithmetic, we can easily calculate exponentials but doing inverse, the inverse of an exponential in modular arithmetic is a discrete logarithm and calculating discrete logarithms is hard. With large enough numbers, it's practically impossible. That's where the security comes into it. Here's the algorithm. Let's quickly explain it and then demonstrate with an example. There are some public, what's called global public elements, two numbers. Globally, public means everyone knows them. So if I want to exchange a secret with someone else, we must use the same values of these two parameters and they can be public in that everyone can know them. Q and alpha. Q is a prime number. Alpha is a number less than Q and a primitive root of Q. We've spoken about primitive roots when we looked at number theory. We'll see an example again to remind you. So let's say I choose Q, I find alpha, a primitive root in mod Q, and I tell you and at the same time I tell everyone. Everyone knows those two values, they're public. It's not a problem. And there's two users, A and B. We both want to have a secret and we're going to exchange messages across a network and no one else should be able to find out that secret and the steps are quite easy. User A, select some private value, X of A or X subscript A. I select some private value, any number, as long as it's less than Q. And I calculate a public value Y and the way I calculate it is I take the alpha, raise to the power of my X mod by Q and you do the same thing. The other user B chooses some other random value X less than Q and calculates a Y, YB in the exact same manner. Take their X, alpha to the power of their X mod Q. Alpha and Q are the same that both users. 
XA and XB will be different because we choose them independently. And we calculate YA and YB. YA and YB are public in that anyone can know the values. What we do is we send them publicly across a network. So we can send them in an email. Don't have to be encrypted, I can yell them out, tell you my value of YA is this and you would tell me your value of YB. Everyone else would hear them. Once we get the other person's value of Y, each user calculates K as the other user's Y, raise to the power of my X mod Q and the user B takes user A's Y, raise to the power of their X mod Q and it turns out you get the same value of K at both sides. And we'll show that if someone intercepts our messages and they know Q, they know alpha, they know YA and YB, so they know those four public values, it's practically impossible for them to determine K so long as we use large enough numbers. Let's try and give an example to show that. Let's find my example. So the values of Q and alpha are chosen by one of the users and made public to everyone. So I will choose the values of Q and alpha to get started, I'll choose small values so we can calculate. So Q is a prime number. I'm gonna choose Q equal to 103, okay? So we choose a prime number and then we choose alpha, which is a primitive root of Q. Remember a primitive root is when we take that number and raise it to the power one, mod Q, raise it to the power of two, to the power of three, to the power of four, up to alpha to the power of 102 and all of the answers will be distinct, will be different numbers. If that's true, then it's a primitive root. I don't have an easy way to calculate in that without manually trying them, but I just looked up on a table to have the, let's see if I can find one. So here's just a website, MathWorld from Wolfram and it describes primitive roots, but I just looked up, it has a table of some of the primitive roots of different numbers. So it's zoom in, it's just a table.
It says in the first column is the number and the second column is the smallest primitive root. There are multiple primitive roots of some numbers, but it gives just one primitive root. So for example, a primitive root of 19 is two and then we have more numbers. A primitive root of 54 is five. There may be others, but it's just given one example. What we do is choose a prime number. I chose 103 and this table tells me a primitive root of 103 is five. There are others, but five is one that we can use. So I will use my prime number Q as 103 and alpha as five in this case. You could check that, what you would do and you can do it in software. You calculate five to the power of one, mod 103. Five to the power of two, mod 103. Five to the power of three, mod 103 and keep going. Up to five to the power of 102, mod 103. You calculate all those values and the set of answers would be distinct values. No answer would repeat. That's the definition of the primitive root. So the answer here would not repeat in the set of the answers. We'd get the values. So the set of values would be from one up to 102 in some different order. Let's go back to our Diffie-Hellman Key Exchange. So Q chosen to be a prime number 103 and let's use alpha equal to five. So user A, let's do both sides. User A chooses some value of XA and it needs to be less than 103. I need two volunteers. One volunteer, anyone else? Two volunteers. You can be A and you're B. Choose a number less than 103. It's easy, any number less than 103. 19. So these are the two users and they're doing this separately. So this is on one computer and then the other user. So user A chose 19. I'll record this. And at the same time we'll do user B and see what user B does. User B, what do you choose? Anything. 21, okay? So they choose those numbers randomly. Independently, they could be the same number but unlikely, especially if we have large numbers, okay?
Normally Q is very large and therefore when you choose a number between one and a large number, two people are not gonna choose the same number. So they've chosen their values independently and then they each calculate their value of Y and they use the same algorithm. We take alpha, raise it to the power of our X and mod by Q. So five to the power of 19, mod 103. User A, do you know the answer? Answer? Can someone help her? Five to the power of 19, mod 103. Okay, need a calculator. I'll help. Five to the power of 19, mod 103. 86, okay. And user B does the same thing at their side. What did we get? 86 and user B does, they calculate their YB. That's a lowercase B. Which is five, the same value of alpha to the power of 21, mod 103, the same Q. And the answer? 90. 90, 90, okay. Slow writer, that's okay. Okay, so they calculate those values independently. They haven't exchanged anything yet. They both know the same Q and alpha. Now they send each other their values of Y. Okay, so user A sends 86 to user B and similarly B sends back their value. 90. So that's the first communications. They could have communicated before to exchange Q and alpha, but they do not exchange X, just the values of Y. And now they calculate their values of K. Let's call it KA. So user A takes the received value of Y. So user A takes YB, 90 in our case. They just received 90. And they raise it to the power of their private value X. So user A uses the received value 90, raise it to the power of 19 and mod by Q. So again, when we receive the value 90, which is YB, the public value of user B, we take that, raise it to the power of our private value X and mod by Q. And our calculator tells us, calculator, Mr. Calculator, please. 37, good. So you need a calculator to get that one. User B follows the same steps. They calculate KB. They take the received value 86, raise it to their private value 21. That's a one. And mod by 103. Magically, what do they get? 37. They get the same value.
We'll show later why it's quite easy mathematics to see that they'll always get the same value. But first, let's summarize what happened. Q and Alpha are public. They are known. Let's say at the start, the two users exchanged Q and Alpha. Everyone knows. X is, let's say, randomly chosen independently at each side. You don't tell anyone your value of X. You calculate Y and both users exchange their values of Y. So we say Y is a public value, X is a private value. And then calculate the value of K independently using the other person's Y, your X, mod by Q. And the other person does that using what the value of Y they received, mod, this is 21, their X, mod 103. Sorry, 86 to the power of 21, mod 103. And you'll get the same value. And that's the secret. The secret is 37 in this case. The goal of this is to get a secret at both users, A and B. They know a secret, the same secret, and no one else knows the secret. And what can a malicious user do? Well, you need to consider what the malicious user knows. What is known is Q, Alpha, they are public. And what's exchanged across the network? Well, what is communicated? The 86 and 90 are known. That is YA and YB are known by the malicious user. So the challenge is then given those four values, find 37. Try it. So there's two things we need to cover. We may not cover them today, but why do we always get the same value K at both sides? We'll have a look at that shortly. And more importantly, why is this secure? Why can't someone else come along and discover 37? So let's look at that. What do we know? So now we'll consider the malicious user, the attacker. We know Alpha equals five. We know Q equals 103. And the malicious user also knows what was sent across the network, which is, what do we have? YA, what was that? 90, is that right? 86, 86. And they also know YB, which is 90. They know that because it was sent across the network or across some communications medium, no encryption. It's public.
So now given those values, find K. So if you look at the equations, so the user also knows the algorithm. So I'll write down some of the equations that we have. For example, we know that K and KA and KB are the same. So K is, for example, YB. That's YB to the XA, mod Q. That's one part of the equation. The other one is YA to the XB, mod Q. And they also know what is YB. The equation for YB, which is known, is alpha to the XB. That's a B, mod Q. And in fact, there's two other equations for the equivalent, but YA, XB and alpha to the XA equals YB, but just from the other user's perspective. The challenge now is for the attacker to give them this known information, find K. What do they do? What do they need to do? To find K, YB is known, Q is known, is XA known? No, so there's an unknown. If we have an equation, we have two unknowns. We need to find out, if we find XA, then we can easily find K. So the first step then is find XA. Because once we get XA, K can be calculated. So how do we find XA? And I'll write down another equation that is known from the other side. YA equals alpha to the XA, mod Q. So the challenge is to find XA. Focus on this equation. An equation with four variables, what's known? Q is known, the attacker knows Q. Alpha is known, and YA is known. YA is 86, alpha is five, and Q is 103. So here we have an equation with four variables, three known values. We want to find the unknown value. How do we find XA? Or what's the inverse of this equation? What's the operation? Here we have an exponential in modular arithmetic. The inverse of exponential is a logarithm, a discrete logarithm. Remember back, let's try that again. A discrete log, our base is alpha. Our mod is Q of YA. And the answer to that discrete log will be XA. That's clear. Remember the discrete logarithm, the inverse of exponential. And the same as our normal arithmetic. We want to find the exponent.
We want to find XA, so we take the logarithm. The base is alpha, mod Q of YA gives us XA, the exponent, so that's the inverse operation. So now the challenge for the attacker is to calculate a discrete logarithm. If they can do that, they will find XA. And once they find XA, they can easily calculate K and they know the secret. But you know that if we use large enough numbers, discrete logarithms are too hard to solve. They're even with a small alpha, if we have a large Q and large values of our X and subsequently Y, solving the discrete logarithm is practically impossible. And that's where the security of this Diffie-Hellman key exchange comes in. So long as we use large enough numbers, even though the attacker knows alpha, Q, YA and YB, they will not be able to find XA because it takes too long to find a, to solve the discrete logarithm. And if they can't find XA, they won't be able to find K and hence it's secret. You could solve it in this case, because our numbers are small. You could try different approaches. You could use software, you could try a brute force approach. So you know alpha is five, you know Q is 103, YA is 86. When we take alpha and raise it to some power, five raised to some power, mod 86, sorry, mod 90 gives 86, just try different values of XA and eventually you'll find the right one. But if we have large enough numbers, solving this is too hard. And hence K is secret. So that's why Diffie-Hellman works. It's quite simple. It's a way to exchange secret, a secret between two users. Yep. What's the part doing it too long? Too hard, I mean too long. That is, if you have large enough numbers and you set your computer or computers to solve this, it will take you thousands of years, okay? Too long. Or there's not enough compute power to solve it. Same with all the ciphers we talk about. When I say too hard, I mean practically, even with supercomputers, it's gonna take thousands of years to solve, okay?
That's about the security of Diffie-Hellman. The other thing we skipped over is, why do we get K at both sides to be the same? You can solve that, I'm sure. So in Diffie-Hellman, check and see why when A calculates K and when B calculates K, they'll always get the same value. There's some simple rearrangements of the mathematics and to see that. I will not attempt to describe it because we're out of time. Okay.
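Added example, not part of the lecture: the Diffie-Hellman exchange above with Q = 103, alpha = 5, XA = 19 and XB = 21, written in Python. It checks the primitive root by the lecture's definition, shows in a comment why both sides reach the same K, and runs the brute-force discrete log the lecture describes, which is feasible only because Q is tiny. All function names are illustrative, and the range check on the received Y is an addition of this example.

```python
"""Toy Diffie-Hellman with the lecture's numbers (added example, not lecture code)."""

Q = 103     # public prime chosen in the lecture
ALPHA = 5   # public primitive root of Q, from the lecture's table lookup


def is_primitive_root(alpha, q):
    """Lecture's definition: alpha^1 .. alpha^(q-1) mod q are all distinct."""
    seen = set()
    value = 1
    for _ in range(q - 1):
        value = (value * alpha) % q
        if value in seen:
            return False
        seen.add(value)
    return True


def public_value(x, alpha=ALPHA, q=Q):
    """Y = alpha^X mod q, for a private X with 0 < X < q."""
    if not 0 < x < q:
        raise ValueError("private value X must satisfy 0 < X < q")
    # Three-argument pow does the power and the mod together, so the
    # intermediate result never grows beyond q.
    return pow(alpha, x, q)


def shared_secret(their_y, my_x, q=Q):
    """K = (received Y)^(own X) mod q."""
    # Defensive check (added here, not from the lecture): a received Y of 1
    # or q-1 forces K to 1 or q-1, which an eavesdropper can simply guess.
    if not 1 < their_y < q - 1:
        raise ValueError("received public value out of range")
    return pow(their_y, my_x, q)


def brute_force_dlog(y, alpha=ALPHA, q=Q):
    """Eavesdropper's view: try exponents until alpha^x mod q == y.

    Needs up to q-1 trials, so the work grows with q itself; for a
    2048-bit q this loop would never finish.
    """
    for x in range(1, q):
        if pow(alpha, x, q) == y:
            return x
    raise ValueError("y is not a power of alpha modulo q")


def run_exchange(xa, xb):
    """Both sides of the exchange, returning every value for inspection."""
    ya, yb = public_value(xa), public_value(xb)   # sent in the clear
    ka = shared_secret(yb, xa)                    # computed by user A
    kb = shared_secret(ya, xb)                    # computed by user B
    # Why they agree:
    # YB^XA = (alpha^XB)^XA = alpha^(XA*XB) = (alpha^XA)^XB = YA^XB  (mod q)
    assert ka == kb == pow(ALPHA, xa * xb, Q)
    return {"YA": ya, "YB": yb, "KA": ka, "KB": kb}


if __name__ == "__main__":
    print("5 is a primitive root of 103:", is_primitive_root(ALPHA, Q))
    result = run_exchange(19, 21)
    print("exchange:", result)
    recovered_xa = brute_force_dlog(result["YA"])
    print("eavesdropper recovers XA =", recovered_xa,
          "and K =", shared_secret(result["YB"], recovered_xa))
```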
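Added example, not part of the lecture: the RSA walkthrough from earlier in the lecture (p = 17, q = 19, e = 13, message 22) in Python. It finds d with the extended Euclidean algorithm instead of trial division, and decrypts both directly and with the exponent1, exponent2 and coefficient values that the OpenSSL text output lists. Function names are illustrative, and the formulas for those three values are the standard PKCS #1 definitions, taking prime1 as p and prime2 as q.

```python
"""Toy RSA with the lecture's numbers (added example, not lecture code)."""
from math import gcd


def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b == g."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return old_r, old_s, old_t


def mod_inverse(a, m):
    """Multiplicative inverse of a modulo m; this is how d is found from e."""
    g, s, _ = extended_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s % m


def valid_exponents(phi, upper):
    """Candidate e values below `upper` that are relatively prime to phi."""
    return [e for e in range(2, upper) if gcd(e, phi) == 1]


def generate_key(p, q, e):
    """Key generation steps from the lecture, for given primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)          # totient shortcut for n = p*q
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to the totient of n")
    d = mod_inverse(e, phi)
    return {
        "n": n, "e": e, "d": d, "prime1": p, "prime2": q,
        "exponent1": d % (p - 1),        # d mod (p-1)
        "exponent2": d % (q - 1),        # d mod (q-1)
        "coefficient": mod_inverse(q, p),  # q^-1 mod p
    }


def encrypt(m, e, n):
    """C = M^e mod n; the message must be smaller than the modulus."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)


def decrypt(c, d, n):
    """M = C^d mod n, the direct calculation."""
    return pow(c, d, n)


def decrypt_crt(c, key):
    """Same result as decrypt(), using two small exponentiations mod p and q."""
    p, q = key["prime1"], key["prime2"]
    m1 = pow(c, key["exponent1"], p)
    m2 = pow(c, key["exponent2"], q)
    h = (key["coefficient"] * (m1 - m2)) % p
    return m2 + h * q


if __name__ == "__main__":
    key = generate_key(17, 19, 13)
    print("possible e below 14:", valid_exponents(288, 14))
    print("key:", key)
    c = encrypt(22, key["e"], key["n"])
    print("ciphertext:", c)
    print("direct decrypt:", decrypt(c, key["d"], key["n"]))
    print("CRT decrypt:   ", decrypt_crt(c, key))
```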