Folks, good afternoon. It's Thursday, it feels like Friday in the morning. The next homework assignment will be on Tuesday; there's stuff we've got to cover today, so I figured it wasn't fair to give you a homework assignment on stuff that you haven't quite done yet. So, any questions before we get started? All right, so when we left off on Tuesday, we were looking at modes that we could use with these symmetric encryption algorithms that we've been looking at, specifically DES is what we looked at, and we saw that if we use CBC mode, which did what? Or ECB, sorry, ECB, it does what? It stores the ciphertext that we mixed. What does ECB do? Yeah, so it independently encrypts each of the blocks of our text with the key, whereas CBC is much better in the sense that the ciphertext output of one block is XORed with the second block before it's encrypted, so that this way you don't have the problem of, if blocks are the same, they will be encrypted the same; you also don't have, well, this problem. So this is a problem where blocks of identical data are being encrypted the same and they come out the same, and even though for each individual block you may not be able to go backwards and tell what the actual color was, you know that they are all the same color, and using that you can actually visually see, in this great example, the outline and shape of whatever it was that you were encrypting. So this is a good example of why that's bad. So DES, so what are some of the problems of DES? Is it 56? So it's 2 to the 56; do any of you know what that number is? 72 quadrillion keys to try. It seems like a lot, right? So why is this a problem? What's the question? Brute force the DES key, trying all possible 2 to the 56 keys. I've got a pretty big box. Let's say I want to do it in an hour, would you be able to do that? Probably not. What if I said a year from now? I mean, it depends, right? 
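To make the ECB-versus-CBC point concrete, here is an added Python example that is not part of the lecture. It uses a toy 16-byte Feistel block cipher built from HMAC-SHA256 purely as a stand-in for DES/AES so that it runs with the standard library only; the key, the two-colour "image", and all function names are constructed for the demo. Encrypting the same image in both modes and counting distinct ciphertext blocks shows exactly the leak the penguin picture illustrates.

```python
import hashlib
import hmac
import secrets
from typing import Optional

BLOCK = 16  # block size in bytes (same as AES; DES would be 8)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the toy cipher: HMAC-SHA256 truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel block cipher; a stand-in for DES/AES in this demo only."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7: always append 1..BLOCK bytes
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal blocks give equal ciphertext.
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block (the IV first).
    prev = iv if iv is not None else secrets.token_bytes(BLOCK)
    out = [prev]  # the IV is sent along as the first block
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = _blocks(ciphertext)
    if len(blocks) < 2 or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be the IV plus at least one block")
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return unpad(plain)


def distinct_blocks(ciphertext: bytes, skip_iv: bool = False) -> int:
    """Count distinct ciphertext blocks; a low count means plaintext structure leaks."""
    body = ciphertext[BLOCK:] if skip_iv else ciphertext
    return len(set(_blocks(body)))


# Constructed input: a two-colour "image" of 8 rows, each 2 black blocks then 2 white blocks.
IMAGE = (b"\x00" * BLOCK * 2 + b"\xff" * BLOCK * 2) * 8
KEY = b"demo-key-not-for-real-use"

if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, IMAGE)
    cbc = cbc_encrypt(KEY, IMAGE)
    print("plaintext blocks:", len(_blocks(IMAGE)))
    print("distinct ECB blocks:", distinct_blocks(ecb))  # 3: black, white, padding
    print("distinct CBC blocks:", distinct_blocks(cbc, skip_iv=True))  # 33: all different
    assert ecb_decrypt(KEY, ecb) == IMAGE and cbc_decrypt(KEY, cbc) == IMAGE
```

With 32 image blocks of only two colours, ECB produces just three distinct ciphertext blocks (two colours plus the padding block), so the row pattern is visible in the ciphertext; CBC produces 33 distinct blocks because each block's input is chained to the previous ciphertext. The IV is transmitted as the first block, which is why the CBC output is one block longer than the ECB output.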
So the time and length, right? So to try all these keys, you have to remember they're each taking computation in order to do this, so maybe you can use a large set of computers, maybe you can get a bunch of Amazon EC2 instances and just spend a lot of money on the problem to be able to solve it quickly. But you can, and this was actually a criticism of DES from the very beginning, so from the beginning, the main criticisms you might have seen when this was released said, hey, this is not a large enough key space. And there were some initial proposals that said, well, in the late 70s they said, if you give me 20 million dollars I can make a machine that can crack a DES key in, I think it was only a matter of months, which is still pretty good. But as time goes on, right, computing power has gotten better and better and faster, and kind of the last, well not the last, but some important developments here: in 1998 the EFF built a custom DES-cracking hardware system for about 250,000 dollars, which is actually not a lot of money, and this could brute force a key in two days. That's crazy. How much would it cost now to build a machine like this? 10 grand? 500 bucks? 500 bucks would be a little bit longer, but it could be, it could be. It'll be a desktop, true. The way these all work, though, is, I mean, it's not like a desktop machine that also does this; they custom build the decryption algorithm, or whatever they're doing, in the hardware. So this was, I believe this one was, I think this one was all hardware, like they custom built the hardware, but they tried to use as many cheap off-the-shelf pieces as possible; I love that they custom built the circuits. But in 2009 a group in Germany built a machine out of 120 FPGAs. So have y'all played with FPGAs before? What's a benefit of an FPGA, what does it do? 
I mean you can program it, it's programmable logic essentially; it's highly programmable into what you want it to do, customizable hardware basically. Yeah, so it's hardware that you can essentially flash some kind of, you can think of it as like a ROM or a program, or like a hardware design, onto it, and then it will simulate that. So it's not as fast as real hardware, right, it's not as fast as designing your own custom chip, but it's still pretty good. And obviously, so you can do this across 120 FPGA boards for only $10,000. And this is the other important thing about why using FPGA boards is important: they're using off-the-shelf components; they didn't need to design their own hardware, they didn't need access to a chip fabrication facility, right? You just go out and pay money to buy these chips, then you implement the algorithm of how to actually do this brute forcing, and then you're able to crack it within two days, within, I guess the time is on here, but it's pretty quick. So now it's even worse. I don't have, I kind of, they don't have good numbers for this, but I believe that the people who made this COPACOBANA machine created a new machine recently, and they now have a website where you can go and pay money to break DES keys, which is pretty cool. So what's the real attack here? Is this a flaw in the DES algorithm itself? I'd say it's almost a flaw behind cryptology, in that when you know exactly what the cryptology is doing, it's easy to reverse engineer. So that's kind of like why there's secrecy behind what the algorithm of cryptography looks like: if you keep it secret, they don't know what the algorithm is, but if you know the algorithm, you can specifically target, like what they did, they can specifically target the known process of how they're encrypting. 
Well, let's think about it in a different way. What if the key, what if it's DES, but they made DES with a key size of 256, right? Good. And you're good, right? Because they're brute forcing it, aren't they? Yeah, brute forcing. Let's actually, yeah, this is where it gets into what's possible and why, what's actually interesting. Let's see, 2, what is it, two to the 256? Let's see if it tells us something interesting. Oh, it's useless. I'd like Wolfram Alpha for this; it gives you a nice way to think about this number, or maybe not, because that doesn't actually mean anything. 10 to the 77, right? So a one followed by 77 zeros is how many times you need to try this, which is almost, you can see actually a good comparison here, it's almost, what was that, 0.1% of the total number of atoms in the visible universe, which is a pretty good comparison, right? So that's pretty large. Now let's say we did something with, let's say, 512, right? I mean, that's even, you would have to try, it is, this doesn't make any sense, but it is a number that they don't actually name, but it's a one followed by, they just say 154 zeros, how many tries you would have to make to break that key. So in that sense, is there really any benefit of, so even if they kept this algorithm itself secret, right, I mean, you think at like a nation-state level, they're going to devote all the resources they can in order to figure out this algorithm, right? And so keeping things like the key size secret, and this was obviously a standard, right? So it's literally the third letter in the acronym, the S stands for standard, right? You can't have a standard that's not open and well known. So what was the key problem then? Was it hardware limitations, where they had to keep it small, or? Possibly, I mean, I guess the key problem is that the key size was so small, right? I mean, that's the key problem. And why they made that, you could have various reasons for, right? 
Yeah, one I would say would probably be the hardware of the 70s was probably not, maybe it would be too slow to calculate with a 512-bit key or something like that. So yeah, so other things. So this actually was not the only way that DES has been broken. So this was kind of the brute force method you can apply to any symmetric crypto system, where if you can brute force and try to guess keys, then eventually you can break the algorithm. So they actually discovered a new area called differential cryptanalysis, which I know almost nothing about, but they were basically able to reduce, this is more of a theoretical weakness in the crypto system; I think it reduced it to like two to the 52 instead of two to the 56 or something like that. But they found algorithmic weaknesses in here. And the super interesting thing was they thought, well, you know, was this actually, so there's a lot of obviously conspiracy theories around here, as we talked about a little bit. But one of the things was, oh, is this something that like the NSA put into the system, right? Because we know that they made the change to the standard from what IBM actually proposed. It actually turns out that the prior version that IBM initially submitted was really vulnerable to differential cryptanalysis, which meant that something that the public didn't know until the mid 1980s, the NSA knew back in the 70s. And so they analyzed the algorithm, knew that it was vulnerable to this, so they changed the S-boxes so it would not be vulnerable. So yeah, it's actually an instance of, it's actually very cool, because you have confirmation that they actually knew this before the public did, and that they actually improved the algorithm based on at least this attack. And also there were more advances in here: linear cryptanalysis in 1993, I believe, reduced it to something like two to the 43 number of tries or guesses that you have to do to break the key. 
And so it was eventually withdrawn as a standard. So obviously you're much more worried, I think, about the first part, about the key size being too small, right? Once it starts to be in the realm of $10,000 to break this, it doesn't really offer very much effective security here. So what do you do? Your cryptosystem is broken. Make it less about the key. Make it less about the key? What do you want to base it on then? So either, so one way you can do it is to have, as you saw, you have a key, but then you use the same text on the next portion to also affect the next block. Everyone has a block of text that's known, but it's also speedy, or the effect that it's one way rather than the other way. I mentioned everything after that just changes and makes it more and more different from what a key would have originally been. But it still all comes from the key, right? So if the key size is still small, no matter how much you try to mix the information back into itself, right, it's still, as long as you can compute that algorithm, you can try all the keys and just do that process over again, because you have to be able to decrypt it, right? That's the other important thing. So it's not just encryption one way; you have to be able to decrypt it. So I can just try decrypting with all keys until I get something that looks like it should be the real block. So what do you do? Bigger keys. Bigger keys? Yeah, that would be a good way to go. It actually had a couple of, well, so actually what the government did is they said, okay, we want to create a new standard, we're going to call it the Advanced Encryption Standard, and we're going to hold a competition. And so we're going to invite people to submit proposals. The proposals will all be public. We'll choose, I think it was five finalists, and those will be known for, I forget if it was one to three years, people will debate and evaluate the merits of the different submissions until finally they choose one. 
So what properties do we want in a symmetric crypto system? Big keys, yeah, or bigger, definitely, right? Yeah, but what do we have to balance that against? Why don't we just use 2048-bit keys? Time to compute, right? So there is a trade-off there between, if the key sizes are too big, then maybe the computation time takes too long. Well, if you have a massive key, it also takes a fair amount of space if you're working on it as well, so then you start having space constraints. Yeah, so then you think about block sizes and you think about, yeah, the key size could maybe impact things, but it definitely would help against a brute force attack. But at the same time, you also want there to be no, even if you have a 2048-bit key, if the algorithm, for whatever reason, because of the way you construct it, doesn't use the last 2000 bits, then it's fundamentally just a short key. Or if some of the output actually depends on certain bits of the key, then that tells you actually information about that. So you also need it to be sufficiently random and secure based on the key. But what about speed? Why don't we just make it slower? And I can do that, and that would be it, yeah. Well, there are some algorithms that do that, [inaudible] or whatever, but if it runs the algorithm, instead of doing it 10 times, doing it 100 times, it doesn't really make it any stronger per se, but when you're trying to brute force, like when you're logging into Windows and it's computing the hash, the user doesn't notice the extra two tenths of a second that it takes to run the computation to hash the password. But when you're trying to brute force, like 72 quadrillion passwords, that two tenths of a second accumulated turns into an eternity, longer than it takes. So the extra iterations of running the algorithm on itself pay off. 
So let's think about, instead of running the algorithm on itself, because that's more of a design decision, how you would add that into an algorithm. I think the way maybe to think about it is kind of like speed of encryption, how fast is the encryption operation. So one argument would be, I actually want an inherently slow algorithm, something that actually takes a lot of computation, so that way, if you're trying to brute force it, if it takes, let's say, two to five seconds every time you try one of these keys, you actually don't even need a huge key size in that sense, because even trying, you need a lot to actually try to break. If this was 250 milliseconds per try, you'd either need a ton of machines and/or a lot of time, and probably both. So that would be very costly. Well, then what's the downside there? Determining if you have shortcuts. So if you were able to shortcut that really long algorithm with a much shorter one, then you just lost all that security you thought you were gaining, right? So A, it would be hard to prove that there are no other efficient ways of calculating what you were doing. So I think of it as, if you had some operation where you just multiply the number by two over and over again, and you're thinking, okay, multiplication is a slow operation, but we know there actually exist bit shifts which are incredibly fast, right? So that's definitely part of it. So A, like how to design that even is a difficult problem, which I don't think we actually have, I don't know if there are necessarily good answers for that. But even if we assume, so if we assume it's correct and there are no ways to bypass it, is it a desirable property? The two and a half seconds is a pretty long time, so maybe that particular number that you threw out there. 0.25, so it's your number basically, 250 milliseconds, so like 0.25 seconds, right? 
Maybe that's not too bad, because that's efficient; maybe that's just too long for some people to wait for their hash to get calculated. Right, so I think, I think the way to think about it, anybody else have any thoughts on this? So the way, kind of, to think about it, there's also, you have to think about adoption, right? Just because you're proposing some standard doesn't mean that people are actually going to use it, right? And so they think, wow, if I implement this algorithm, yes, great, my communication from your device to my server will be encrypted and nobody will be able to know what we're saying. If that impacts my users, and if, let's say, Amazon is implementing this and they realize it's going to cost them 25% in sales or something, they're not going to do it, right? And they'll just use whatever the basic, easiest, like no-encryption algorithm, basically. Or if they want to claim that they're doing it, they do something old like DES, so they can say that they're encrypting your data, but it could be easily breakable. So that's actually, yeah, so it's an interesting thing, because there are certain circumstances where you want a cryptographic operation to take a long time so you can prevent something like brute forcing. Kind of where I've seen people, and talking to people, they actually want the crypto algorithms to be as fast as possible, the basic primitives, things like this, like AES or DES, I mean not DES anymore, but they're thinking about AES, you want something that's actually as fast as possible, so that A, it's actually cheap to implement, so that you can have low-powered devices actually implement it, because it's fast, it doesn't use a lot of processing power, but it still has really good security guarantees, right? You still get the good security guarantees. And then if you want, in certain places, if you want to add a delay built into an algorithm, you can add that in using these as a base. Cool. 
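As an added example that is not from the lecture, this Python snippet makes the "extra iterations" argument above concrete using PBKDF2-HMAC from the standard library, which is exactly the pattern of building a deliberately slow operation on top of a fast primitive: the login path pays the iteration cost once, while a brute-force attacker pays it on every guess. The wordlist, the salt, and all function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

HASH_NAME = "sha256"
KEY_LEN = 32


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> Tuple[bytes, bytes, int]:
    """Return (salt, derived_key, iterations). PBKDF2 runs HMAC 'iterations' times per password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations, KEY_LEN)
    return salt, dk, iterations


def verify_password(password: str, salt: bytes, dk: bytes, iterations: int) -> bool:
    """The legitimate login path: one PBKDF2 computation, then a constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations, KEY_LEN)
    return hmac.compare_digest(candidate, dk)


def brute_force(wordlist, salt: bytes, dk: bytes, iterations: int):
    """Dictionary attack: the attacker pays the full iteration cost on every guess.
    Returns (password or None, guesses made, seconds spent)."""
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, 1):
        if verify_password(guess, salt, dk, iterations):
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one guess at this iteration count on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac(HASH_NAME, b"timing-probe", salt, iterations, KEY_LEN)
    return (time.perf_counter() - start) / samples


def projected_attack_seconds(guesses: int, iterations: int) -> float:
    """Projected single-core wall-clock time for an attacker to try 'guesses' passwords."""
    return guesses * seconds_per_guess(iterations)


# Constructed wordlist; the real password is deliberately placed last.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2", "correct horse"]

if __name__ == "__main__":
    for iters in (1, 1_000, 100_000):
        salt, dk, _ = hash_password("correct horse", iters)
        found, guesses, secs = brute_force(WORDLIST, salt, dk, iters)
        days = projected_attack_seconds(10**9, iters) / 86400
        print(f"{iters:>7} iterations: found {found!r} after {guesses} guesses in {secs:.4f}s; "
              f"1e9 guesses would take ~{days:.1f} days on this core")
```

The user sees one PBKDF2 call per login, so raising the iteration count from 1 to 100,000 costs them a fraction of a second; the attacker's projected time for a billion guesses grows by the same factor, which is the asymmetry the lecture describes. The salt is what stops the attacker from precomputing one table for all users.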
And this is actually something I've seen, I don't know, I'm just trying to think actually now how much I can say, I think it's probably fine-ish, but I know of a company who specifically got cryptographic operations added to the test suites of a language, so that way the measurements and the speedups of those crypto operations would be improved over time, right? So rather than, if you're trying to have some library and it has some functions, if you're not measuring and trying to improve the performance there, you'll never do it. And so they got crypto primitives added to the library, into the metrics, so that the team would be incentivized to actually improve the crypto performance, which is better for everyone, because it removes kind of these arguments for not doing secure communications. So AES. Anybody Dutch? I believe these are Dutch people who can pronounce this, or just kind of pronounce this, because they're really good linguists. Rijndael, cool. Standardized in 2001, there is, I guess, there's a five, I flipped around a little bit. So a five-year process with 15 competing designs, so it's actually a pretty tough procedure. So the interesting thing here is the block size didn't change too much, so the block of data that we're encrypting is only 128 bits. But on the flip side, you now actually have a choice of key size. You can do a key size of 128, 192, or 256 bits, whatever you actually want to do. And the other cool thing, so what was DES allowed to be used for by the government? Yes, sensitive but unclassified information, right? So, but the cool thing was that the government actually said that the design and strength of all key lengths of the AES algorithm, so this is all key lengths, so they're saying that it doesn't actually matter, are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. 
And obviously they're saying, like, if you actually are going to use this, it needs to be reviewed by us. You can't just use some algorithm and claim that you properly secured some secret data. So I think that's kind of, and that's interesting, right, because this shows that actually, and I guess you could say maybe this is like a public thing that they say, so again, everybody uses this standard and then they actually use something different internally, but I would say it's probably not the case. But this is kind of a good vouch of support in favor of this AES standard, that they actually, I mean, if the government's using it for secret and top secret information, your information is most likely not as important, so you're probably fine. And other cool things: so Intel actually extended x86 and has put AES as a primitive in hardware, so your CPU can actually do AES computations in the chip. And so when you think about, well, why would they do this? You could always do it in software, right? By putting it in the chip, it's faster, usually lower energy cost, and it's usually much better. And then, usually you would not do AES yourself, you'd call out to a library, so all the library has to do is figure out if the CPU it's running on has this extension or not, and then use the super fast hardware operations, which is good for everyone. Any questions? We're not going to go into AES again and look at all the S-boxes and everything. I mean, it's a standard, you can go look at that, but we did it once, I don't think it's necessary again. If you're like super sad about that, I guess let me know and maybe I'll do it next time. I can keep clicking, but nothing's happening. All right, cool. So now we get to the most secure symmetric encryption algorithm you can possibly have, and this is something that I actually hinted at before. So this is the idea, it's called a one-time pad. The idea is you have a key that is the same size as the message being sent. 
You XOR the key with the message, and you never reuse the key. All right, so this is one time, so you have to actually not use the key again; you have to destroy and forget the key so that an adversary cannot recover it. And what's another thing I didn't put on here that needs to be true about the key? Well, let's think about this. The one-time pad is provably secure if and only if what conditions hold? Okay, before I get everybody to understand how this works, it's pretty, it's just the XOR thing that we saw, except the key now, instead of only five bytes or eight bytes, is the exact size of the message. Yeah, okay. The key is random, right? Well, you tell me, if it's not random, is it going to be secure? No, it has to be random, but it's got to be truly random, not maybe kind of sort of random, not generated from a pseudo-random number generator, not by trying to encipher something and taking the ciphertext outputs, because you still don't know that those are actually random. You really need true randomness. And also there's this story, and I don't know if it's 100% true, but I've heard that the Germans were able to break some of the British messages because they would have people who would pick letters out of a random set of letters to use as keys, and their thought was that you'd be more likely to use a letter that you liked in some sense and were familiar with, used a lot more frequently, so you would actually be pulling and using E's more than Z's, and it turned out that was actually the case. Like sometimes the people would throw a letter back and grab a new letter, and so they added kind of human bias into this supposedly random process, and they were able to break some messages because of that. What else do we need to be true? Yeah? Correct, let's assume we do that for now. So we need to get, so the keys, so just like all symmetric algorithms, we both need to have the key. What else do we need? 
Yeah, we can't actually reuse the pad, right, the key, right? If we reuse the key over and over, and if they recover our message, then they can easily XOR and find the key and then break the other messages that are all encrypted with that same key. It's kind of part of the definition, but it must be as long as the plaintext, right? If we have a key that's shorter than the plaintext and we end up repeating it, then we're actually doing what? So the fourth one is the key is kept completely secret, so this would include transmission from one party to the other, and this would also include after the fact. So after the key is used, it needs to be actually destroyed. So the story is, the way this actually worked during wartime, so some of the countries in World War II used this with their secret agents. They would have, so they would be transmitting like books of huge numbers of random letters, right? So this was the pad, this is literally where the name comes from, and then there'd be some kind of scheme to decide how to decipher the message. So maybe you would use this certain row on this certain day, or you would just, if we were constantly communicating, we'd use the first one for the first message and then we break that off and destroy it and then use the second one for the second message, and that would be our process. And so yeah, there are always crazy stories you can read about it, about like, and you can hide these pads all kinds of places. Apparently there's this type of paper you can use that burns instantly and leaves no ash behind, so that's what they use to write these pads on. They have special paper that you can easily tear off each pad after you've used it so you can destroy it. And it's provably, so actually, so do you believe the claim that it's provably secure? It seems kind of counterintuitive, because you think like nothing can possibly be secure. Because we just saw, like, AES, DES, right, and brute forcing the keys and breaking that. You believe it, why? 
Well, because if the key is truly random, and it's the same length as the plaintext, then without the key, basically all you have is a string of digits of a certain length, and there's no one-to-one correspondence between a length and a message. So there's like, there's no way. Why can't you use brute force? More than one different message. There's more than one different logical combination of characters for any given length. Yeah, let's look at this. So if we do something like hello, and a completely random output. So I'm not even going to make, we'll just say it's like A, B, C, D, E, right, that outputs like alpha, beta, I'm running out of Greek letters that I can do. So there's some completely random key, completely random ciphertext. So this is exactly the point. So we know that the message is hello, and we know, so the person we're communicating with has the key. So they can take the key, perform the operation, do the XOR, and get back hello. So they know that that is exactly that message. So now let's think, and it seems counterintuitive, right? Because you can think, okay, well, it's only a five-byte key, right? That's actually just two to the fifth, which is not a whole, that's not actually a crazy amount of, I don't know, it's eight to the fifth, so if I say it's whatever, it doesn't matter. This is not a very large number, right? You could easily try all those possible combinations. And you will actually try, when you're doing this, the key A, B, C, D, E, which will give you hello. But the problem is, how do you know that that's the key, that this is actually the message, and it's not, because you're trying all possible keys, right, how do you know it's not any of the other possible five-letter words or any possible five-letter thing, including spaces, because you probably have spaces in here, right? So the problem is that essentially you have no information to guide you, out of all this possible ciphertext, on what the actual message is. 
So this is kind of where that derives from. But there are proofs of all of this, you can go look it up, but it makes sense. It has huge, significant downsides, especially on a computer, right? So truly random, getting true randomness on a computer is difficult, although there are better ways of doing that now. Having the key the same length as the plaintext, that's easy. Key never reused, in the one-time pad part, that's kind of easy. But keeping the key completely secret is difficult, right? So you need to communicate this with somebody else. You need to, and the entire point, I think I've talked about this before, if you're able to communicate to them something that's the size of the message or more, and you think you can do that securely, why not use that channel to actually communicate with them, right? So provably secure was probably good with like the type-of-paper stuff; on a computer it's not so good, no. Or we need different ways, basically, is the way of thinking about it. So what are, so now we've kind of looked at all the aspects of symmetric crypto systems. So what's one of the drawbacks? D, yeah, this is the main problem, right? Because, and this kind of goes like the same thing with a one-time pad, right? If we have a secure channel that you and I can communicate on, and we are 100% sure nobody can know what we're saying, why don't we talk on that channel, right? So this is the key part, right, the key problem is how to securely transfer keys. Are there any other problems? Yeah. There's no... Right, so you can brute force the keys, you can do a lot of kind of stuff. There's an issue we haven't talked about, about integrity. So we actually haven't touched integrity at all, right, about how to ensure that the message that you sent actually didn't get damaged. So if you think about a huge file, if I end up, I don't know, randomly flipping some bits and that messes up the decryption, or maybe I'm going to give you half of a file, right? Because I altered the message in some way. 
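To tie together the one-time pad discussion above (the "hello" brute-force argument and the never-reuse rule), here is an added Python example that is not from the lecture. It shows that for a given ciphertext every same-length plaintext has a key that produces it, so trying all keys learns nothing, and that reusing the pad lets an attacker XOR two ciphertexts to cancel the key and then recover one message from a guessed fragment of the other. The messages and the crib are constructed for the demo; `secrets` is used for key bytes as the closest a computer gets to the true randomness the lecture asks for.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad: key and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    # OS CSPRNG; a real pad needs truly random bits, as the lecture stresses.
    return secrets.token_bytes(length)


def otp_encrypt(key: bytes, message: bytes) -> bytes:
    return xor_bytes(key, message)


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(key, ciphertext)


def key_for_candidate(ciphertext: bytes, candidate: bytes) -> bytes:
    """The key under which 'ciphertext' decrypts to 'candidate'. One always exists, which
    is why trying every key yields every possible message and no way to pick the real one."""
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one key encrypted both messages, the keys cancel: ct1 ^ ct2 == p1 ^ p2."""
    return xor_bytes(ct1, ct2)


def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Slide a guessed fragment of one message along p1 ^ p2; where the other message's
    bytes come out as printable ASCII, the crib probably sits at that offset."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[off : off + len(crib)]
        recovered = xor_bytes(window, crib)
        if all(32 <= c < 127 for c in recovered):
            hits.append((off, recovered))
    return hits


# Constructed messages of equal length for the reuse demonstration.
P1 = b"attack at dawn"
P2 = b"retreat at six"

if __name__ == "__main__":
    key = otp_keygen(len(P1))
    ct = otp_encrypt(key, P1)
    assert otp_decrypt(key, ct) == P1
    # Brute force "succeeds" for every candidate, so it tells the attacker nothing.
    for candidate in (b"attack at dawn", b"retreat at six", b"do nothing now"):
        assert otp_decrypt(key_for_candidate(ct, candidate), ct) == candidate
    # Reuse: the same key on two messages leaks p1 ^ p2, and a crib reveals the other message.
    leak = two_time_pad_leak(otp_encrypt(key, P1), otp_encrypt(key, P2))
    print(crib_drag(leak, b"at dawn"))  # includes (7, b' at six')
```

The first loop is the lecture's "hello" argument in code: the ciphertext is consistent with every fourteen-byte message, so the attacker has no way to prefer one. The second part is why the pad is one-time: `two_time_pad_leak` does not need the key at all, and dragging the crib `at dawn` across the leak recovers ` at six` from the other message at offset 7.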
You want some way of knowing that, but that's not necessarily inherent to symmetric crypto systems themselves, as we'll see. It also, okay, cool. So this led to a new branch of cryptography. So this was a problem that people were thinking about already in the 70s, how to do this, what they call asymmetric crypto systems. So how can we actually solve this core problem of modern, modern back then, symmetric crypto systems, where we both need to share the key, right? So how can we actually encrypt information without requiring a secure shared secret key? And actually, at first glance, this seems kind of crazy and weird, right? Like, how can you possibly do this? Because if an adversary can see all of our communication, how can we still even communicate properly? And the idea, the goal, is to basically have everyone in the system, everyone who wants to talk, have two keys. And this is, I'm going to use this notation throughout all of this. So the idea is you have a public key. So I didn't introduce Alice and Bob yet. So the two classic parties who want to communicate with each other in almost all crypto systems are Alice and Bob. They want to talk to each other. And so you have a public key of Alice and a public key of Bob. They each know that. You also have two secret keys. The other name, and actually I kind of prefer this terminology, is public key cryptography. And before we dive into how it actually works, like how the underlying math works, I think it's really important, actually what's really important about these systems is knowing at a high level why they work and what they do and what they're good for and what they're not good for. So the idea is, imagine that we have some box, a locked box, a box, let's say, with a lock on it, right? So a traditional symmetric crypto system would be: this lock is either locked or unlocked. You have one key that you can put in the box, and if it's locked, you turn it to unlocked; if it's unlocked, you turn it to locked, right? 
That's pretty standard. You have a key. This key provides access to the data. So let's slightly change the situation a little bit, and we'll use it. We'll say now we have a lock that has three different, so three different modes. So on the far left, A, is locked, straight up, B, is unlocked, and C is locked. I don't know why you'd build it like this. I'm sure it could possibly, I'm sure it could be possible. Actually I'm fairly certain that this could be pretty easily built. Questions? Pretty simple. So let's think, if the box is in the unlocked state, it opens. If it's in either locked state, it closes. So with our same key design, if one key is able to move this around arbitrarily, we have our symmetric system, right? To be able to open the box, if it's in the unlocked state, you need this key. So the idea is, what about splitting these operations, so that you have one key that can only lock clockwise and another key that can only, not lock, sorry, because that's misleading, necessarily. You have one key that can only turn the lock clockwise and one key that can only turn the lock counterclockwise. So we'll assume we have these two keys. The one on the left turns it counterclockwise and the one on the right turns it to the right. But how does this change things now? I mean, the situation has changed, right? You now cannot have a key to move in any arbitrary direction. So let's think about a state. So let's say I had the key on the right, which can turn things to the right, and let's say the box is in the unlocked state. I put something in the box, and then I close the box and turn my key to the right. So now the lock on this box is in the C state. Can I open the box with that key? No, I can't, right? That key only goes to the right. It actually doesn't unlock the door. But what about the other key? What about the key on the left? Now the key on the left can actually unlock the door. Unlock the box, right? 
The key on the left can actually turn counterclockwise, which can turn it back to the unlocked state, open it up and look at it. So if we think about this as the key on the left is the public key and the key on the right is the secret key, this actually mirrors a public key crypto system incredibly well. So the key on the left. So when we say public key, we mean literally everyone in the world knows about it. So let's think about if this box was on that table there. It would be fun to build this. Let's say the box is there. It's my box. We'll use the A for now. And so the public key, I give everyone in this room a copy of this public key, right? You all have copies. You can turn this lock always counterclockwise, to the left. I keep the secret key and I don't share it with anyone. I keep it on a chain around my neck and it's always with me and I never take it off. It's my key and I never let anyone look at it, or I'm very secretive when I unlock it, right? I keep this key 100% hidden and I never share it with anyone. So let's say you have a message that you want to send me in the box and you want me to be the only one to read that message. How would you do it? Assume the box is in the unlocked state. And then now what happens? So now we've done that. So remember the box is sitting in the middle of the room, right? If you put the message in there, you've locked it, you've turned it to the left so you put it in state A, right? How do you know that none of the other people in the class can actually unlock it and read that message? Their key can only turn left, right? None of your keys can actually turn right to turn this lock into an unlocked state. So now when I want to read the message, what do I do? Well, I put my key in, which is in the locked position, and my key goes to the right so I can unlock it, I can open it, and then I can read the message, right? And I'm the only person who can do that because I have the secret key. Cool, good question.
So the question was, what's the point of having states C and B, or C in this case. So in this case we just talked about, right, all that we would need is A and B, right? So what is state C for? So let's say that the box is in an unlocked state and I'm going to put, well, let's say that I will put the exam answers or something, I don't know, some code for extra credit points, whatever you actually want. Now I think exam answers is better, before the test. I'll put exam answers in the box before the test. So you come across the box. How do you know that what's in the box I put in there, and one of your prankster classmates isn't trying to feed you false information about what's going to be on the test, right? Because that would be good for them, because they can put false information in there, then you'll think that's what's going to be on the test. You'll study that and be completely wrong and you'll fail, and I don't really know how to curve, really, but you know, maybe you don't like that person. Right? So if I wanted to send some kind of message to, and this is an important point, I'm not sending a message to any one of you directly, but if I want to make some kind of message that you, one of you, knows is absolutely from me, right? Undisputedly. I take the box, which is unlocked, I put the exam notes in it and then I use my key to turn the box to state C and then I leave the box there. Now any of you, whoever comes to that box and wants to know, this message in here, was it actually from the professor? Not does this actually contain what the professor said, but did this come from the professor, right? You would be able to tell that by, A, verifying that it's locked and then putting your key in and twisting it to the unlocked state, and that would tell you that yes, absolutely, Adam's the only person who could have done that, right? And therefore this message, this is my golden ticket, I don't have to study for the exam, I have all the answers. Questions?
I didn't come up with this, I should say. It's a cool blog post, somebody else came up with this, I thought it was a good idea to try. And so public, essentially the crypto system acts this way, where you can encrypt some information with the public key, and so okay, actually let's think about it in terms of this for a second, right? So the idea is I can take some piece of data, I can encrypt it with the public key, and then who's the only, what's the key that can actually decrypt that? The secret, yeah, the private key or the secret key, right? And then the flip side is also true: if I have a message and I encrypt it with my secret key, who can decrypt it? Anybody with the public key. But you know at that point that it actually came from me. What should be true about these two keys? They should not be the same, definitely, right? If they're the same, hey, if they're the same we're just in symmetric crypto and I'm literally giving you all the key, and maybe you just, they're not bright enough to know which one's right or something. Try turning it right. Right, what else should be true about the keys? There shouldn't be any way to derive one from the other. I should not, because you all have a copy of this public key, right? So you should not be able to look at the structure and look at the grooves in the key to be able to try to derive and determine the secret key. Anything else? Anything else true? So they're great, so public key, and the other really good thing is that this works both ways, right? So if we exchange public keys, anyone can, like, assume everyone here knows everyone else's public keys, well then you don't have to worry about an adversary ever intercepting that, because it doesn't matter.
You don't have to have a confidential channel to exchange public keys, and so if we ever want to talk to each other, we encrypt some message with the other person's public key and then we send it to them, and then bam, when they get that, nobody else can actually derive the contents of that message. So the two main things that this allows: the first is confidentiality. So it actually allows us to encrypt, it's just like symmetric key encryption, but it allows us confidentiality in that the messages that we're sending, if we've encrypted with somebody's private key, public key, only the person with that private key can decrypt it. The other thing it actually allows, that symmetric key crypto doesn't really, is non-repudiation, right? So this was the idea that you can actually tell that I was the person who wrote that message, right? I can't say, oh no no, hey, whoa, if the exam is different, right, on exam day, and you're like, hey, I got these answers and I verified this was from your key, but what's up? You could get justifiably angry at me if I promised that it would not, and you would say, I can't at that point say those aren't the correct answers, or I can't say those answers didn't come from me, because you can show me that, actually, no, well, the box kind of, the box destroys the fact that it was that way, but yeah, it doesn't happen like that here, so it's not a perfect analogy. But it requires that it's easy to generate the public and the private keys, but it's hard to either generate, well, it's hard to generate the secret key, the private key, given the public key.
Each party must keep s private, and we have to assume as we go through these, everybody knows, so we talk about two parties mainly, but it doesn't really matter, but both parties, Alice and Bob, know each other's public key for right now, including our adversary Eve, who's the eavesdropper who wants to learn about this conversation. Everybody knows, Eve knows, literally everyone in the world should know. So how do we, so at a high level, how do we encrypt these things and how do we think about, so if we think that Alice wants to send a message to Bob, what does she do? Yes, Alice must use Bob's public key to encrypt the message, and that's going to return some ciphertext. She can then send that ciphertext to Bob. Then what does Bob do to read that message? Uses his private key on that ciphertext, and what does he get back? The plaintext, yeah, it's like magic. And so what does Bob know for certain at this point? Alice is trusted, because who else could have crafted this message? The public key was just given to everyone on earth, including Eve the adversary, right? So Eve could actually have just created a message encrypted with Bob's public key, Bob gets it and he says, oh, great message, right? So Bob doesn't know who the message necessarily came from, but what does Bob know? He knows that it was intended for him and that it was not intended for anyone else, right? Because only one person can actually decrypt, I say person, of course, I know I said, I think, the person who has access to the secret key, right, whoever has access to Bob's private key can decrypt that message. Yeah, but if Bob runs the decryption and it produces something, how does he know whether or not it's junk or a legitimate message, going back to our path? Correct, you'd have, that goes more to, I don't know what I'm actually talking about, but there are all kinds of schemes that do this. This gets into more like practical real-world crypto systems, which we'll not really touch on, but yeah, they have schemes for, you have padding specified,
you have even some, you can include some known specific, like prepend things to the message, and then a post-padding that you always add, and so you check that those paddings are the same. There's other ways to do that too that we'll talk about, so yeah, but it's definitely a real practical concern, right? Because yeah, how do you know, maybe I just sent you my favorite, right, the numbers that I generated, right, exactly, you'd be super happy. Cool, so Eve, what can Eve do? So what does Eve know in this scenario? Eve knows both public keys, the public key of Alice and the public key of Bob. What else does she know? The ciphertext, right? The ciphertext has to be transmitted somehow, right, and we assume that Eve can see anything that's transmitted, right? So you had to transmit the public keys, Eve can see that, and you had to transmit the ciphertext, Eve can see that. So if Eve takes the ciphertext and decrypts it with the public key of Alice, what does that do? And she takes the ciphertext and she decrypts it with the public key of Bob, what does that do? Also nothing, it would be gibberish, right? So what does Eve know at this point? Nothing. She may, well, yeah, she can't even necessarily verify that the message is intended for Bob, right? It's kind of, you think about two parties talking to each other, yes, you would see that one IP address communicates with another IP address, but let's say this message was just left on some public forum somewhere, right, and then Bob actually knew to go check for that and could see that actually this is not gibberish, this is a message destined for me, right, because he can check with his private key. So Eve doesn't even necessarily know who the message is intended for unless she sees some other information. Cool, it's pretty easy, that's it, it's not even scary. So non-repudiation. So Alice wants to make some statement such that everyone knows that it's from Alice, right? She wants to make a statement and stand by it. Let's say she wants to tell Bob to, I mean,
the classic scenario for this is Alice wants to tell Bob, Bob's a broker, Alice wants to tell him to buy a thousand shares of Fubar, I was going to make a company about whatever, right? So if Fubar stock tanks, like a thousand percent or something, it becomes worthless, Alice can't sue Bob and say, hey, I never asked you to make that order, what are you talking about, somebody, you know, that's a spoofed email, like nobody actually sent that message, right? So Alice and Bob probably want that, and Bob will say, hey, I only will do these orders if you send it to me in a way that I know that you actually made the order. So what does Alice do then? She uses what? She uses her secret key to encrypt the message to get some ciphertext, and then what does Bob get? How does Bob verify that this message came from Alice? Uses her public key, right? So Bob can use the public key on the ciphertext to get the message, and Bob can store the ciphertext and the message together, because anybody here can actually do this encryption operation, right? So what does Bob actually know for certain at this point? Yeah, someone with Alice's secret key created a message. It wasn't necessarily directed towards Bob. Bob doesn't necessarily know that it was to him. The message itself can say, hey Bob, XYZ, like buy this stock, right, but he doesn't have a way to prove that it was actually directed towards him. So what can Eve do with this? So remember, what does Eve know? Eve has both public keys and the ciphertext. So what can Eve do? She can also decrypt the message, right? So Eve can decrypt the message, Eve can decrypt the ciphertext, turn it into a message, right? And so the idea here is this kind of scenario would be, you want to make some kind of public statement that you don't care who reads it, right? Confidentiality isn't important, what's important is the fact that only one person could have made that. What if you want both? Makes sense, right? So in this one, maybe the better scenario for this, just non-repudiation, is you want to make
some grandiose claim, that you think, I don't know, some prediction, like somebody's going to win the, let's say, the Super Bowl this year or something, right? So you could make that prediction, you can encrypt it with your secret key, you put a timestamp in there somewhere to prove what time you actually made that prediction, and then you would publish it somewhere publicly so everyone had the timestamp, and then that way, once that comes true, anyone can see your ciphertext and you can say, look, I actually predicted that this was the case way back when. Of course you could also make like 32 predictions and then you'd be right one of the times, well, I guess in that case, as long as you published all of those, somebody could look at that and say, like, actually you made all of these claims, so your prediction is worthless, but anyways. Alice, so now Alice wants to send a message to Bob and to only Bob, and so that he can verify that it's actually from her, right, so that Bob knows that it only came from Alice. So how would you do this? Encrypt, so take the message, encrypt it with her secret key, which means it definitely came from Alice, and then do what? Encrypt it with Bob's public key, which means what? Only Bob can decrypt it. Why does the other way not work, right? Why can't I do, how do I decrypt this? So it's encrypted first with the secret key of Alice, so to get off that layer, what do you do? The public key of Alice, right? So you do that, and then he decrypts the other layer with what? His secret key, to get the message. All right, think about that, we're going to keep thinking about that. So Bob in this scenario, right, just does the reverse. So first takes the ciphertext, decrypts it with, how did I flip these, we've got to, decrypts it with the secret key of Bob and then decrypts that with the public key of Alice to get the message. Yes, okay, so then what does Bob know for certain at this point? So I'll fix this in a second, but this should be, what does Bob know for certain at this point? It's for him and
only him, it's from Alice, and nobody else knows the contents of this message. So what does Eve know at this point? Yeah, nothing, right? She has ciphertext, because it's been encrypted with the outer layer, Bob's public key, so the only thing that can decrypt this is Bob's public key, right? So Bob's the only one, you think of it like an envelope, right? Bob's the only one who can take off that first layer of the envelope. So now let's go here and think, why not this? Yes, I mean the message is still secret, but it's not really confidential in the fact that everybody would know that Alice sent a message to Bob. Yes, so, A, you could test, so anyone can use the public key of Alice in order to get off that outer layer, right? Nobody can actually change what's inside there, right? So everyone can say, yes, this message is coming from Alice, right, which could maybe not be a desirable property. But what can Eve do at that point? She can re-encrypt it with her secret key, so now you have a valid message for Bob that now is validly coming from Eve. So maybe the contents of this message is, send the person that sent this to you a million dollars, right? So Eve takes that, throws away Alice's secret encryption of the outer layer and then encrypts with her public key, her private key, and then sends it to Bob, and now Bob has to give her a million dollars because he thinks it's from her. So the idea is, by allowing these layers to be peeled off by anyone, you definitely don't want that. That's why the last thing you should do is, if you want the message to be confidential and not be able to be tampered with, or doing these kinds of things, you need to actually encrypt that properly. Okay, so this is kind of a high-level overview of public key crypto systems, at like the high level. Now we'll look at kind of the development here, because it's actually pretty interesting how this came about, and look at some algorithms so we can get a feel for how they actually can accomplish this fact that you have these two
different keys, but we won't spend a ton of time on this. Also, because it's so super interesting, there was a person, I guess you'd call him a scientist now, in the 1800s, William Stanley Jevons, who wrote a book called The Principles of Science, and in there it was super cool, now like I had to stop and think about how amazing the world is that you actually have a scanned copy of his book that you can go look at at archive.org, and so you have all the text of his book. And so this text is super interesting, because he says the same difficulty arises in many scientific processes, so he started something else, he says, given any two numbers we may by a simple and infallible process obtain their product, right? What's that saying? We can multiply two letters together, two numbers, two numbers together easily, right? Everyone agreed, multiplication super easy. He then says, but it is quite another matter when a large number is given to determine its factors, right? So if I give you a large number and I say, what are all the numbers less than that that evenly divide this number, that's not so simple of a problem. Then he says, can the reader, and this is super interesting, he's talking to us as readers from 1874, can the reader say what two numbers multiplied together will produce the number, whatever this is, eight billion six, super interesting, right? So you think like, well, why can't you tell that? It's just a number, you should be able to. Is it an even number? Because then the game would be over, that would be pretty easy, right? You just say it's two and whatever it is divided by two, right. And then the next line is really interesting, he says, I think it's unlikely that anyone but myself will ever know, a challenge, for there are two large prime numbers, oh, for they are, so he's talking about the factors. So the only two factors of this number, obviously except for one, one is not fun, there are two large prime numbers, so each of the factors are prime numbers. So what does that mean that we know about this number
itself? It's not prime, because it only has two factors. But then what do we know about those factors? They don't have any factors, which means the overall number has no other factors besides those two numbers, right? So those two numbers would be the only numbers less than this really large number that evenly divide the big number. That makes sense. So in order to find that, you would essentially have to try every number less than eight billion, I mean there are faster ways to do this, you obviously try every odd number, and there's other ways, but you need to actually try to calculate this. And so he says, there are two large prime numbers and can only be rediscovered by trying in succession a long series of prime divisors until the right one be fallen upon, I should write like this, the work would probably occupy a good computer for many weeks. This is also super interesting, because what kind of computer is he talking about? Human, like the actual human computers who literally compute things, right? So it's crazy, I mean yeah, I was originally only going to cut this off and I kept reading and I was like, man, this is too interesting. So this is saying the work would probably occupy a good computer for many weeks, but it did not occupy me many minutes to multiply the two factors together, right? He's saying he got two large prime numbers, right, then once he had these two prime numbers it was trivial for him to multiply them together in order to get this eight million number, right, but in order to then go backwards and derive what were those two factors, in his estimation, would take someone many weeks to actually do this. Similarly, there's no direct process for discovering whether any number is prime or not, which is only, that's probably not super interesting, because there are better ways than I think they knew about to test whether numbers were prime, but anyways. So the point is, this is kind of, this is the central idea behind all public, I mean not this specific factorization, this idea
that mathematically there are some operations that are easy to do, right? Multiplication, taking two numbers, multiplying them together, you've literally been doing this, well, I don't make any judgments about people, but for a long time, let's say, right? You can do this, you didn't even do it by hand, I'm sure, I mean he definitely did not use a computer to do this, right? You could calculate whatever, if I gave you like six-digit numbers it would probably be annoying, but you could probably calculate the multiplication there, right? But going backwards, right, the reverse of that is actually an incredibly difficult process, right? So if I gave you just this large number, going backwards is hard. Of course this person didn't invent public key crypto, right? This is just an interesting observation that he makes. And so what happened is, in 1976, this was noted, the core problem of symmetric crypto systems, they had to increase this key. So Diffie and Hellman actually published a way to exchange keys without ever exchanging the actual key itself. So we'll look at the algorithm probably Tuesday, but we may go through it here, but this was only used to exchange keys. So basically, as we'll see, we go through a process, calculate some numbers, do some exponentiation, and then in the end, just based on the information we shared publicly, we both derive the same secret value, which now we can use to encrypt, like, an AES conversation or something like that. But it's not a scheme to send arbitrary data or try to encrypt arbitrary data, just a way to start sending keys. And so in 1977, these are super famous names, I mean actually all of these, Diffie, Hellman, uh, Rivest, Shamir and, oh, Leonard, sorry, Leonard Adleman, they created an algorithm, and I guess it's important maybe to point out that they weren't, um, so full of themselves, A, it was called that after the fact in reference to this, so the RSA parts come from the first letter of all their last names. Actually the super interesting part is this was discovered, so this is
another instance that we know of of the classified government world being ahead of the public sector. So in 1970 a British cryptographer, James Ellis at GCHQ, conceived of this idea of non-secret encryption, of trying to, like, how could you actually do that, but he didn't have a good way to implement this and to actually build something that could do this. And so his colleague Clifford Cocks, who was a British cryptographer, actually implemented RSA in 1973, and the public didn't actually know about it, I believe, until 1993 or something like that. So it's kind of this weird thing of, I don't know, you could get into, like, scientific philosophy, like the philosophy of science debates about who should get credit for this discovery, right? Because these British cryptographers obviously did it earlier, but you know, they didn't know about this, right? So, so yes, but it's an interesting look at kind of how ahead the government organizations were. Okay, and on Tuesday we'll dive into the Diffie-Hellman exchange.
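As an added example that is not part of the lecture, here is textbook RSA in Python acting out the lock-box discussion above: encrypting under Bob's public key for confidentiality, encrypting under Alice's secret key for non-repudiation, the sign-then-encrypt order versus Eve relabelling an encrypt-then-sign message, and Jevons's point that recovering a secret key from a public key is a factoring problem. The party names, function names and tiny key parameters are constructed for illustration; real RSA uses large primes and padding, and never raw blocks like these.

```python
# Added example, not from the lecture: textbook RSA with toy (constructed,
# trivially breakable) keys, used only to act out the lock-box analogy.
from dataclasses import dataclass
from math import isqrt


@dataclass(frozen=True)
class Key:
    exp: int  # e for a public key, d for a secret key
    n: int    # modulus shared by both keys of the pair


def make_keypair(p: int, q: int, e: int) -> tuple[Key, Key]:
    """Public key (e, n) and secret key (d, n) from two primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return Key(e, n), Key(pow(e, -1, phi), n)


def apply_key(key: Key, x: int) -> int:
    """Raw RSA: x^exp mod n. Encrypting with a public key and 'encrypting'
    with a secret key (signing) are the same operation with different
    exponents; each key of a pair undoes only what the other key did."""
    if not 0 <= x < key.n:
        raise ValueError("block must be smaller than the modulus")
    return pow(x, key.exp, key.n)


# Constructed toy keys. n_A < n_B so Alice's output always fits under Bob's
# modulus; real keys use ~2048-bit primes and padding, never raw blocks.
ALICE_PK, ALICE_SK = make_keypair(5, 11, 3)   # n = 55
BOB_PK, BOB_SK = make_keypair(7, 13, 5)       # n = 91
EVE_PK, EVE_SK = make_keypair(11, 13, 7)      # n = 143


def sign_then_encrypt(m: int) -> int:
    """Alice -> Bob, the right order: inner layer (Alice's secret key) proves
    origin, outer layer (Bob's public key) means only Bob can remove it."""
    return apply_key(BOB_PK, apply_key(ALICE_SK, m))


def open_signed_envelope(c: int) -> int:
    """Bob peels the layers in reverse: his secret key, then Alice's public key."""
    return apply_key(ALICE_PK, apply_key(BOB_SK, c))


def encrypt_then_sign(m: int) -> int:
    """The wrong order from the lecture: Alice's signature is the OUTER layer.
    (Works for m = 2 here because 2^5 mod 91 = 32 fits under Alice's n = 55.)"""
    return apply_key(ALICE_SK, apply_key(BOB_PK, m))


def open_wrong_order(c: int, sender_pk: Key) -> int:
    """Bob removes the sender's outer layer, then decrypts with his secret key."""
    return apply_key(BOB_SK, apply_key(sender_pk, c))


def eve_relabel(c: int) -> int:
    """Eve strips Alice's outer layer with Alice's PUBLIC key (anyone can) and
    re-signs the still-encrypted inner block with her own secret key. Bob then
    sees a message that validly comes from Eve, whose contents Eve never read."""
    return apply_key(EVE_SK, apply_key(ALICE_PK, c))


def trial_division_factor(n: int) -> tuple[int, int, int]:
    """Jevons's 'long series of divisors': returns (p, q, divisions tried)."""
    if n % 2 == 0:
        return 2, n // 2, 1
    tries = 0
    for d in range(3, isqrt(n) + 1, 2):
        tries += 1
        if n % d == 0:
            return d, n // d, tries
    return n, 1, tries  # n is prime


def recover_secret_exponent(pk: Key) -> int:
    """Deriving d from (e, n) is exactly the factoring problem Jevons describes."""
    p, q, _ = trial_division_factor(pk.n)
    return pow(pk.exp, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    c = encrypt_then_sign(2)
    print("Bob reads Alice's message:", open_wrong_order(c, ALICE_PK))
    print("...and Eve's relabelled copy:", open_wrong_order(eve_relabel(c), EVE_PK))
    print("Alice's d from her public key:", recover_secret_exponent(ALICE_PK))
```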