Your accent makes this 1000000x more entertaining.

Lecture outline: 0:01 History/Intro to AES: 2:00 Structure of AES: 18:10 Internals: Layers 32:25 ---- Each layer in detail ----- SubBytes - 52:12 ShiftRows - 1:15:45 MixCol - 1:22:40 Doesn't seem to go into the round key add step in that very much detail, though.

Professors who care about notes making are the best!

Hello, honestly say, your lecture is much, much better than my university two months lecture just about this AES stuffs. You're awesome. Clear. Exact. Specific. Understandable. I like when you said "Please silent to your students." Hopefully, you will get your good work blessed. ;)

Funny he keeps reminder the class... I would never fall asleep. Every hour with Professor Paar saves at least 10 hours of self-study.

Professor Paar, I would like to thank you for providing this series of fantastic lectures. Your teaching inspired me to purchase the book which has only heightened my interested in the subject. Lastly, I have to say that after about 2 hours of research and reading many different explanations that I found on-line, I finally figured out the "affine transformation"...that is pretty brutal without any real guidance. Again, thanks ....you are really good at what you do.

Truly awesome, very deep coverage on AES.

thank you very much "Christof Paar" you are really explained very easy and pro way.

I know absolutely nothing about any encryption, yet I watched the whole lecture. I don't know anymore now then I did before. Lol

The motivation that you gives me a lot of motivation and also an idea that made me to get involved.

Professor Paar, I just love you !

Awesome explanation, thank you! Keep up the good work, sir.

What an amazing lecture deleivered by Sir Christof. I enjoyed the lecture

This course is really helpfull i own the book, while i'm doing criptography in the Universidad Catolica del Norte, and this videos are extremely helpful, i really hope you can do a video with the key schedule and the decryption for AES, its very easy to understand the way you teach this.

Thank you very much for these lectures, they are making my life much easier

Professor Paar, s there any chance of you recording the continuation of this course? You are the best teacher I found on crypto!

Great explanation! Great accent! Loving the videos! Thank you!! -From California :)

Vielen Dank für die tollen Vorlesungen! Fantastisch zu schauen :)

Excellent lecture! I watched your galois field lecture in 2016 or so when I was doing a presentation on error correction codes and had this AES lecture on my watch later list. Finally got around to it and enjoyed it!

Thank you for this Video Lecture Pr. Christof Paar. Very helpful as a I am a Student in NYC.

Thanks for the explanation, Sir. It really helped me to understand the AES concept.

Really, you are a very good lecturer. your discussion is very interesting , simple and attractive. Thanks.

Professor Paar, thank you so much for giving these out for free. You’re one of the best instructors in the field, and you actually give a damn about your student’s understanding. Thank you!!

Thank you Sir for such an amazing Lecture Series .

Awesome! Thanks for sharing this lecture!

Hello Prof Paar It is my understanding that for any (existing) block cipher or mode that the cipher test key and therefore the round keys are exactly the same for each block that is processed by the block cipher. Is that correct? Second part of the question: If that is correct what does that say to the relative strengths of block vs stream ciphers where (in stream ciphers) the key is always being expanded by a CSPRNG with an extremely low predictability factor Thank you for this course Steve

that was a better lecture i found than others .. i found it very beneficial and detailed thank you very much

Much love to you sir! Very clear explanation! Love you!

thank you very much professor... this lecture helped me a lot to complete my project...

Great Lecturer Series,,,, Keep the good work Going

This video series is fantastic! I'm taking crypto and it's following basically this exact trajectory. Shame about those chatty cathy's in the audience

Why does it say in other places that the MixColumns multiplication uses modulo x^4+1 rather than what you've said here - modulo x^8+x^4+x^3+x+1 ???

1:08:51 ,Herr Paar: "yeah this is wrong. this is wrong. this is wrong. this is all wrong..." Me(having just finished writing everything down): NOOOOOOOO! you have got to be kidding me😭😭😭 Anyways, thank you sooo much for these lectures, absolutely fascinating. It's one of the only truly understandable courses on internet for lower-level students. Incredible, I also bought the book!!!

Thank you sir for your explanation! It helps a lot. Can you explain about Key schedule?

Sir. I would like to know about the fixed matrix of affine transformation for S-box construction in AES, What is the logic behind that matrix?

Great Lecturer series. thank you

Thank you for this lecture.

Great lecture, thanks a lot.

Could you please provide the information regarding the confidentiality and integrity algorithms EEA3 and EIA3 or ZUC?

how do you get B' ? Oh, got it. It is the inverse of A^(-1)=B', such that AxB'=1. And B' to be computed using Euclidean Algoth. Once B' is found B can be computed, and actually it is on that table from the book, right?

Really good!! Thanks :D

easy to understand, thanks professor

Hello Professor, I have a question on key length. As per AES, it can be 128, 192 or 256 bits. What would be the deciding factor to choose the key length? And w.r.t cost i assume 192 and 256 key lengths cost more. Am i right?

Question: I might not be understanding this correctly but how does AES ensure that at the end of 14 rounds, it hasnt done enough bit flips that is now the original unencrypted byte? Also thank you for this video.

thank you good sir, great lecture very helpful.

Dear Professor, You have not discuss decryption and key schedule (I mean the way you done for DES) I hope we can see some video too. Thank you so much for such an interesting lecture.

It might be a dumb question, but I wonder: If you enter the same plaintext with the same key in an AES, you always get the same cyphertext, right? Then would it be possible to make a block cypher which always give different cyphertexts even if the plaintext and the key stay the same? Would such a cypher be decrypteable by Bob? Thanks again for the amazing lectures! You're so clear that even a total newbie like me can understand (I think)

I aware of the fact that AES is more secure and stuff, but I've used DM5 in my school project coz it's simple to implement in java app. Any thoughts on DM5 algorithm?

I love these and thank you for sharing them. I will say I disagree about the statement at 17:25 though about AES being generally secure because the agencies use it. What was later found since this time period was that AES has this property where some keys are strong and others are weak. There were certain attacks possible with poorly chosen keys and of course the NSA requires their own use of AES to get keys provided from a central key authority within the NSA. This key authority then only provides strong keys for their internal use and if laymen use AES they lack the knowledge of how to select these extra strong keys. Now that future attacks such as Invariant Subspace were discovered we can see how clever this was. So the statement at 17:25 I highly disagree with and we learned that this kind of logic fails with new side-channel and mathematical attacks. The simple use of an algorithm by the government means nothing unless you also can use their key selection processes. They are willing to bless subpar implementations and utilize those weaknesses against others while shielding themselves. Otherwise excellent lecture.

This is helpful! thank you

why is the number of rounds required for aes 128 bit algorithm equal to 10?is there any formula for it?

Man, you rock;-) Thanks a lot!

Beautiful teaching... there is ans for every "why?"

I'm 14 and I could understand this perfectly and also I can encrypt and decrypt in aes, if someone failed this it's because they are not willing to learn.

Professor is there any explanation for key expansion for AES available.

sir ,can u explain me how u caluculated inverse substitution layer

Professor u didn't do the last topic so where can I find the decryption part, it's really important to me Professor, as I am not in any University, your lectures are my only way to learn

This course is from 2010 but I'm in 2019 is there anything that has changed in cryptography in the past decade or is this course enough

I'm confused. He says that you simply XOR the MixCol output with the key. This paper says that key addition is more involved than : engineering.purdue.edu/kak/compsec/NewLectures/Lecture8.pdf Does anyone know the reason for the discrepancy?

Well done lecture. Enjoyed it.

Wirklich klasse! Mich hätten ein paar mehr Hintergrundinfos zum Design von AES interessiert. Ich weiss nun genau, wie es funktionniert, aber verschiedene Design-Entscheidungen (warum 10 Runden, und nicht 9 oder 11?) erscheinen weiterhin willkürlich. Sehr gut fand ich z.B. den Exkurs über die Diffusion.. Es kann natürlich sein, dass die Hintergründe einfach zu kompliziert für eine 90 minütige Vorlesung sind.

Can anyone tell me where can I find a book that has to do with C# and encryption : something like this " Encryption Programming in C# " sorry for my bad english

This is really helpful!

still i am having doubt in s-box functionality...

You can skip the history bit by going to 18:20

Great lecture! Got a bit lost around the SBOX explaination part

Thank you for the video, but a few questions if you don't mind. i) How to you find the inverse of a hex number; we were given A = C2 with inv B' = 2F but I should like to know how we work this out. ii) in the affine mapping we have the matrix constant, reading down the rows of the matrix (in hex) we have 8F, C7, E3, F1 and then each one reversed (so to speak) F8, 7C, 3E and 1F. All I can see here is that each row includes five 1s and three 0s, but what is the thinking behind this choice? Could we move them, or change them, without loss of security? iii) lastly, a similar question to (ii), what is the reason behind the choice of the vector constant? Could it be any vector constant? Your answers would be very helpful and much appreciated. I have tried to find the answers online but to no avail... My thanks in advance...

Thank you!!!

Great lecture

Couldn't understand what he said about decryption at the very end. Is it explained in other video or simply left behind?

very nice and helpful :) thank you for all ur lectures...they are very enlightening and make the topics so easily understandable compared to the complex chapters in the cryptography books

sorry, but i couldn't really catch your last sentence, where would decryption be done? (:

Sir In 1.10.50 why the inverse of Ai (1100 0010) is Bi(0010 1111)? Should't be Bi = (0011 1101)? I mean for example a bit 1 in Ai become 0 in Bi?

Q: Where does all that sexy Extension Field stuff from last lecture come into play? A: In the S-boxes 59:00

Mix Columns in AES Would someone please explain how the number of XOR gates are 3 and 11 respectively for the following: Number of XOR gates needed for constant 02 multiplication in GF(2 power 8) is 3 Number of XOR gates needed for constant 03 multiplication in GF(2 power 8) is 11

Good Job!

Sir you are the best

Intro to AES 2:00 Structure of AES 18:10 Internals of AES 32:25

awesome lecture

Thank you very much

Some silliness... AES-Variant 1 : Double-AES with a twist ... *Init :* Let Key2 = SHA1 of (Key1 XORed with previous blocks plaintext) *Round 1 :* Perform AES with Key1 *Do the twist ...* Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8) Rotate both bitfields clockwise 90 degrees *Round 2 :* Perform AES with Key 2 AES-Variant 2 : AES-512/infested *Init :* Let Key1 and Key2 be halves of the 512bit key Then, For block 0... *Round 1:* Perform AES-256 with Key1 Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8) *Langtons Ants round :* _(do nothing, yet)_ *Round 2:* Perform AES-256 with Key2 Use the first 128 bytes of sent plaintext (Block 0) as a random IV ... for both sides to define the positions and states of 16 Langton Ants. 8 in each 8x8 field. These first bytes are sunk by the receiving side, thus never make it out of the decoder. Actual message passing will begin in block 1. Now, for all subsequent blocks ... *Round 1:* Perform AES-256 with Key1 Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8) *Langtons Ants round :* with 8 ants in each 8x8 bitfield, let them wander 'n' times corrupting the field. (++ see note) *Round 2:* Perform AES-256 with Key2 Actual messages begin from Block1, once Ants are active (++ Important Note) In this system, the langtons ants live in the stored bitfield of the previous block, but duplicate their bit-flipping to the bitfield of the current block. This prevents the ants from permutating data in a way that the the recipient cannot know _(thus avoiding a one-way function)._ By using the previous round as the langtons playground, and duplicating their bit-flipping antics in the current bitfield, both sides ants can remain synchronised using data both sides already know. Neither of these are actual security algorithms, but they're fun : ) I doubt either scheme weakens AES - but then, I'm not a cryptographer... so, y'know... don't trust 'em, they might cause some unknown weakness compared to regular AES. Especially the first one. The second one, though, I have a lot of faith in ; ) But neither of these are serious proposals... ... I'm just a guy who dreams up weird code when he's drunk... oh, and has a peculiar fascination for Langtons Ants : )

addictive course to someone new to cryptography..

Very Helpful

Very well explain sir thak you sir

thank you very much sir!!!!!!!!!

What would be the case if the input byte has no inverse, which would be the case if the input byte is the same as the mod polynomial? the remainder would be Zero.

Thank you.

good explanation

cant easily understand substitution layer sir can u explain this more frequently

hi sir thank u for the lecture sir it is very helpful..... but I want to know some disadvantage of aes and how can these disadvantages can be overcome but joining some other algorithm with this algorithm... can u respond to my question sir.....

it is very helpfull

Thanks a lot

When does decryption start?

1:14:50 "this is really complicated in a very clear mathematical way" :D

Nice!

thank u very much sir

super professor

so simple, easy to understand and interesting lectures. one thing that didnt get is that in which university it is recorded it looks like american but the lecturer is talking in german too.

Waiting for the Decryption part. Although I know it, continuity is the reason I'm asking for it.

how to find the a inverse if anyone had got it please explain i am stuck