├── 1 - 1 - Course Overview (11 min).srt
├── 1 - 2 - What is cryptography- (15 min).srt
├── 1 - 3 - History of cryptography (19 min).srt
├── 1 - 4 - Discrete probability (Crash course) (18 min).srt
├── 1 - 5 - Discrete probability (crash course cont) (14 min).srt
├── 10 - 1 - Notation (15 min).srt
├── 10 - 2 - Fermat and Euler (18 min).srt
├── 10 - 3 - Modular e-'th roots (17 min)14.srt
├── 10 - 4 - Arithmetic algorithms (13 min).srt
├── 10 - 5 - Intractable problems (19 min).srt
├── 11 - 1 - Definitions and security (16 min).srt
├── 11 - 2 - Constructions (11 min) .srt
├── 11 - 3 - The RSA trapdoor permutation (18 min).srt
├── 11 - 4 - PKCS 1 (23 min).srt
├── 11 - 5 - Is RSA a one-way function- (17 min).srt
├── 11 - 6 - RSA in practice (14 min).srt
├── 12 - 1 - The ElGamal Public-key System (23 min).srt
├── 12 - 2 - ElGamal Security (14 min).srt
├── 12 - 3 - ElGamal Variants With Better Security (11 min).srt
├── 12 - 4 - A Unifying Theme (12 min).srt
├── 12 - 5 - Farewell (for now) (6 min).srt
├── 2 - 1 - Information theoretic security and the one time pad (19 min).srt
├── 2 - 2 - Stream ciphers and pseudo random generators (20 min).srt
├── 2 - 3 - Attacks on stream ciphers and the one time pad (24 min).srt
├── 2 - 4 - Real-world stream ciphers (20 min).srt
├── 2 - 5 - PRG Security Definitions (25 min).srt
├── 2 - 6 - Semantic Security (16 min).srt
├── 2 - 7 - Stream ciphers are semantically secure (11 min) [optional].srt
├── 3 - 1 - What are block ciphers- (17 min).srt
├── 3 - 2 - The Data Encryption Standard (22 min).srt
├── 3 - 3 - Exhaustive search attacks (20 min).srt
├── 3 - 4 - More attacks on block ciphers (16 min).srt
├── 3 - 5 - The AES block cipher (14 min).srt
├── 3 - 6 - Block ciphers from PRGs(12 min).srt
├── 4 - 1 - Review- PRPs and PRFs (12 min).srt
├── 4 - 2 - Modes of operation- one time key (8 min).srt
├── 4 - 3 - Security for many-time key (23 min).srt
├── 4 - 4 - Modes of operation- many time key (CBC) (16 min).srt
├── 4 - 5 - Modes of operation- many time key (CTR) (10 min).srt
├── 5 - 1 - Message Authentication Codes (16 min).srt
├── 5 - 2 - MACs Based On PRFs (10 min).srt
├── 5 - 3 - CBC-MAC and NMAC (20 min).srt
├── 5 - 4 - MAC padding (9 min).srt
├── 5 - 5 - PMAC and the Carter-Wegman MAC (16 min).srt
├── 6 - 1 - Introduction (11 min).srt
├── 6 - 2 - Generic birthday attack (16 min).srt
├── 6 - 3 - The Merkle-Damgard Paradigm (12 min).srt
├── 6 - 4 - Constructing compression functions (8 min).srt
├── 6 - 5 - HMAC (7 min).srt
├── 6 - 6 - Timing attacks on MAC verification (9 min).srt
├── 7 - 1 - Active attacks on CPA-secure encryption (13 min).srt
├── 7 - 2 - Definitions (6 min).srt
├── 7 - 3 - Chosen ciphertext attacks (12 min).srt
├── 7 - 4 - Constructions from ciphers and MACs (21 min).srt
├── 7 - 5 - Case study- TLS (18 min).srt
├── 7 - 6 - CBC padding attacks (14 min).srt
├── 7 - 7 - Attacking non-atomic decryption (10 min).srt
├── 8 - 1 - Key Derivation (14 min).srt
├── 8 - 2 - Deterministic Encryption (15 min).srt
├── 8 - 3 - Deterministic Encryption-SIV and wide PRP (21 min).srt
├── 8 - 4 - Tweakable encryption (15 min).srt
├── 8 - 5 - Format preserving encryption (13 min).srt
├── 9 - 1 - Trusted 3rd parties (11 min).srt
├── 9 - 2 - Merkle Puzzles (11 min).srt
├── 9 - 3 - The Diffie-Hellman protocol (19 min).srt
├── 9 - 4 - Public-key encryption (11 min).srt
└── README.md

/1 - 1 - Course Overview (11 min).srt:
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/1 - 1 - Course Overview (11 min).srt
/3 - 6 - Block ciphers from PRGs(12 min).srt:

In this segment we ask whether we can build block ciphers from simpler primitives like pseudo random generators. The answer is yes. So to begin with, let's ask whether we can build pseudo random functions, as opposed to pseudo random permutations, from a pseudo random generator. Can we build a PRF from a PRG? Our ultimate goal though is to build a block cipher, which is a PRP, and we'll get to that at the end. Okay, for now we build a PRF. So let's start with a PRG that doubles its input, so the seed for the PRG is an element in K and the output is actually two elements in K. So here we have a schematic of the generator, that basically takes as its input a seed K and outputs two elements in K as its output. And now what does it mean for this PRG to be secure? Recall this means that essentially the output is indistinguishable from a random element inside of K squared. Now it turns out that it's very easy to define basically what's called a one bit PRF from this PRG. So what's a one bit PRF? It is basically a PRF whose domain is only one bit. Okay, so it's a PRF that just takes one bit as input. Okay, and the way we'll do it is we'll say, if the input bit X is zero I'll output the left output, and if the input bit X is one then I'll output the right output of the PRF. Okay, in symbols we basically have what we wrote here. Now it is straightforward to show that, in fact, if G is a secure PRG then this one bit PRF is in fact a secure PRF. If you think about it for a second, this really is a tautology. It's really just stating the same thing twice. So I will leave it for you to think about this briefly and convince yourself that in fact this theorem is true. The real question is whether we can build a PRF that actually has a domain that is bigger than one bit. Ideally we would like the domain to be 128 bits, just as AES has. So the question is, can we build a 128 bit PRF from a pseudo random generator? Well, so let's see if we can make progress.

So the first thing we're gonna do is we're gonna say, well again, let's start with a PRG that doubles its input, and let's see if we can build a PRG that quadruples its input. Okay? So it goes from K to K to the fourth instead of K to K squared. Okay, so let's see how to do this. So here we start with our original PRG that just doubles its input. Now remember that the fact that this is a PRG means that the output of the PRG is indistinguishable from two random values in K. Well, if the output looks like two random values in K, we can simply apply the generator again to those two outputs. So let's say we apply the generator once to the left output, and once to the right output. And we are going to call the output of that, this quadruple of elements, we are going to call that G1(K). And I wrote down in symbols what this generator does, but you can see basically from this figure exactly how the generator works. So now that we have a generator from K to K to the fourth, we actually get a two bit PRF. Namely, what we will do is, we will say, given two bits, 00, 01, 10 or 11, we'll simply output the appropriate block of the output of G1(K). Okay, so now we basically have a PRF that takes four possible inputs as opposed to just two possible inputs as before.

So the question you should be asking me is, why is this G1(K) secure? Why is it a secure PRG? That is, why is this quadruple of outputs indistinguishable from random? And so let's do a quick proof of this, we'll just do a simple proof by pictures. So here's our generator that we want to prove is secure. And what that means is that we want to argue that this distribution is indistinguishable from a random four-tuple in K to the fourth. Okay, so our goal is to prove that these two are indistinguishable. Well, let's do it one step at a time. We know that the generator is a secure generator, therefore in fact the output of the first level is indistinguishable from random. In other words, if we replace the first level by truly random strings, these two are truly random, picked in the key space, then no efficient adversary should be able to distinguish these two distributions. In fact, if you could distinguish these two distributions, it's easy to show that you would break the original PRG. Okay, but essentially you see that the reason we can do this replacement, we can replace the output of G with truly random values, is exactly because of the definition of the PRG, which says the output of the PRG is indistinguishable from random, so we might as well just put random there, and no efficient adversary can distinguish the resulting two distributions. Okay, so far so good, but now we can do the same thing again to the left hand side. In other words, we can replace these two pseudo random outputs by truly random outputs. And again, because the generator G is secure, no efficient adversary can tell the difference between these two distributions. Put differently, if an adversary can distinguish these two distributions, then we would also get an attack on the generator G. And now finally we're gonna do this one last time. We're gonna replace this pseudo random pair by a truly random pair, and lo and behold, we get the actual distribution that we were shooting for: we would get a distribution that is really made of four independent blocks. And so now we have proved this transition, basically that these two are indistinguishable, these two are indistinguishable, and these two are indistinguishable, and therefore these two are indistinguishable, which is what we wanted to prove. Okay, so this is kind of the high level idea for the proof. It is not too difficult to make this rigorous, but I just wanted to show you kind of the intuition for how the proof works.

Well, if we were able to extend the generator's output once, there's nothing preventing us from doing it again. So here is a generator G1 that outputs four elements in the key space. And remember the output here is indistinguishable from a random four-tuple, that's what we just proved. And so there's nothing preventing us from applying the generator again. So we'll take the generator, apply it to this random looking thing, and we should be able to get this random looking thing, this pair over here that's random looking. And we can do the same thing again, and again, and again. And now basically we've built a new generator that outputs elements in K to the eighth, as opposed to K to the fourth. And again the proof of security is very much the same as the one I just showed you: essentially you gradually change the outputs into truly random outputs. So we would change this to a truly random output, then this, then that, then this, then that, and so on and so forth, until finally we get something that's truly random, and therefore the original two distributions we started with, G2(K) and truly random, are indistinguishable. Okay, so far so good. So now we have a generator that outputs elements in K to the eighth.

Now if we do that, basically we get a three bit PRF. In other words, at zero, zero, zero this PRF would output this block, and so on and so forth, until at one, one, one it would output this block. Now the interesting thing is that in fact this PRF is easy to compute. For example, suppose we wanted to compute the PRF at the point one zero one. Okay, it's a three bit PRF. Okay, so one zero one. How would we do that? Well, basically we would start from the original key K. And now we would apply the generator G, but we would only pay attention to the right output of G, because the first bit is one. And then we will apply the generator again, but we would only pay attention to the left of the output of the generator, because the second bit is zero. And then we would apply the generator again and only pay attention to the right output, because the third bit is one, and that would be the final output. Right, so you can see that that leads us to 101, and in fact because the entire generator is pseudo random, we know that, in particular, this output here is pseudo random. Okay, so this gives us a three bit PRF. Well, if it worked three times, there's no reason why it can't work N times. And so if we apply this transformation again and again, we arrive at what's called a GGM PRF. GGM stands for Goldreich, Goldwasser and Micali; these are the inventors of this PRF, and the way it works is as follows. So we start off with a generator that just doubles its output, and now we're able to build a PRF that acts on a large domain, namely a domain of size {0,1}^N, where N could be as big as 128 or even more. So let's see, suppose we're given an input in {0,1}^N, let me show you how to evaluate the PRF. Well, by now you should actually have a good idea for how to do it. Essentially we start from the original key, and then we apply the generator and we take either the left or the right side depending on the bit X0, and then we arrive at the next key, K1. And then we apply the generator again and we take the left or the right side depending on X1, and we arrive at the next key. And then we do this again and again, until finally we arrive at the output. So we have processed all N bits, and we arrive at the output of this function. And basically we can prove security again pretty much along the same lines as we did before, and we can show that if G is a secure PRG, then in fact we get a secure PRF on {0,1}^N, on a very large domain. So that's fantastic. Now we have, we have essentially, we have a PRF that's provably secure, assuming that the underlying generator is secure, and the generator is supposedly much easier to build than an actual PRF.
And in fact it 755 | works on blocks that can be very large, in 756 | 757 | 122 758 | 00:09:28,153 --> 00:09:33,296 759 | 特别地,{0,1}^128,这是我们想要的 760 | particular, 01 to the 128th, which is what 761 | we needed. So you might ask well why isn't 762 | 763 | 123 764 | 00:09:33,296 --> 00:09:39,122 765 | 大家可能会问,为什么这个在实际中没有被用到? 766 | 原因是,它的速度很慢 767 | this thing being used in practice? And the 768 | reason is, that it's actually fairly slow. 769 | 770 | 124 771 | 00:09:39,122 --> 00:09:44,597 772 | 设想一下,我们使用Salsa发生器 773 | So imagine we plug in as a generator we 774 | plug in the Salsa generator. So now to 775 | 776 | 125 777 | 00:09:44,597 --> 00:09:50,142 778 | 现在来计算这个PRF在某个128位输入的值 779 | 我们必须运行Salsa发生器128次 780 | evaluate this PRF at a 128 bit inputs, we 781 | would basically have to run the Salsa 782 | 783 | 126 784 | 00:09:50,142 --> 00:09:55,617 785 | 一次只对应一位输入。然后我们获得了 786 | generator 128 times. One time per bit of 787 | the input. But then we would get a PRF 788 | 789 | 127 790 | 00:09:55,617 --> 00:10:01,513 791 | 一个PRF,其运行时间却是原版Salsa的128倍 792 | that's 128 times slower than the original 793 | Salsa. And that's much, much, much slower 794 | 795 | 128 796 | 00:10:01,513 --> 00:10:06,227 797 | 这比AES慢太多太多。AES是一个启发性(未经证实)的PRF 798 | 但它我们这的要快很多 799 | than AES. AES is a heuristic PRF. But 800 | nevertheless it's much faster then what we 801 | 802 | 129 803 | 00:10:06,227 --> 00:10:10,585 804 | 尽管这个构造很优雅 805 | just got here. And so even though this is 806 | a very elegant construction, it's not used 807 | 808 | 130 809 | 00:10:10,585 --> 00:10:14,522 810 | 实际构造伪随机函数时却不实用 811 | in practice to build pseudo random 812 | functions although in a week we will be 813 | 814 | 131 815 | 00:10:14,522 --> 00:10:18,915 816 | 虽然本周我们还要使用这个构造 817 | 来构建一个信息完整性的机制 818 | using this type of construction to build a 819 | message integrity mechanism. 
So the last 820 | 821 | 132 822 | 00:10:18,915 --> 00:10:23,183 823 | 最后一步,现在我们构建了一个PRF 824 | step, is basically now that we've built a 825 | PRF, the questions is whether we can 826 | 827 | 133 828 | 00:10:23,183 --> 00:10:27,729 829 | 问题是我们能否构建分组密码。换句话说 830 | actually build the block cypher. In other 831 | words, can we actually build a secure PRP 832 | 833 | 134 834 | 00:10:27,729 --> 00:10:32,054 835 | 我们能否从一个安全的PRG构建一个安全的PRP呢? 836 | 我们目前所做的都是不可逆的情况 837 | from a secure PRG. Everything we've done 838 | so far is not reversible. Again if you 839 | 840 | 135 841 | 00:10:32,054 --> 00:10:36,600 842 | 如果大家看这里的构造,给定最后输出 843 | 我们是不能解密的 844 | look at this construction here, we can't 845 | decrypt basically given the final outputs. 846 | 847 | 136 848 | 00:10:36,600 --> 00:10:40,535 849 | 不可能回去,至少我们不知道怎么回去 850 | It is not possible to go back or at least 851 | we don't know how to go back the, the 852 | 853 | 137 854 | 00:10:40,535 --> 00:10:44,520 855 | 回到最初的输入。所以现在问题是 856 | original inputs. So now the question of 857 | interest is so can we actually solve the 858 | 859 | 138 860 | 00:10:44,520 --> 00:10:48,654 861 | 我们能不能解决最初的问题?我们能否 862 | 根据安全PRG构建一个分组密码? 863 | problem we wanted solve initially? Mainly, 864 | can we actually build a block cipher from 865 | 866 | 139 867 | 00:10:48,654 --> 00:10:53,540 868 | 那么大家想一想,记下答案 869 | a secure PRG? So I'll let you think about 870 | this for a second, and mark the answer. So 871 | 872 | 140 873 | 00:10:53,540 --> 00:10:57,718 874 | 当然我希望大家的答案是肯定的 875 | of course I hope everyone said the answer 876 | is yes and you already have all the 877 | 878 | 141 879 | 00:10:57,718 --> 00:11:01,896 880 | 大家已经万事俱备了。特别地 881 | 大家已经知道了如何从一个伪随机数发生器 882 | ingredients to do it. In particular, you 883 | already know how to build a PRF from a 884 | 885 | 142 886 | 00:11:01,896 --> 00:11:06,395 887 | 构建一个PRF。我们说了一旦有了PRF 888 | pseudo random generator. 
And we said that 889 | once we have a PRF we can plug it into the 890 | 891 | 143 892 | 00:11:06,395 --> 00:11:10,573 893 | 我们可以使用Luby-Rackoff构造法 894 | 记得是一个三回合的Feistel网络 895 | Luby-Rackoff construction, which if you 896 | remember, is just a three-round Feistel. 897 | 898 | 144 899 | 00:11:10,573 --> 00:11:14,750 900 | 我们说了如果大家有了安全的PRF 901 | 就可以利用三回合Feistel 902 | So we said that if you plug a secure PRF 903 | into a three-round Feistel, you get a 904 | 905 | 145 906 | 00:11:14,750 --> 00:11:19,044 907 | 就可以得到一个安全的PRP。所以 908 | 将两者结合起来,我们就能从一个伪随机数发生器 909 | secure PRP. So combining these two 910 | together, basically gives us a secure PRP 911 | 912 | 146 913 | 00:11:19,044 --> 00:11:23,328 914 | 得到一个安全的PRP,它可被证明是安全的 915 | from a pseudo random generator. And this 916 | is provably secure as long as the 917 | 918 | 147 919 | 00:11:23,328 --> 00:11:28,075 920 | 只要支持它的发生器是安全的。那么这个 921 | 结果很美,但很不幸 922 | underlying generator is secure. So it's a 923 | beautiful result but unfortunately again 924 | 925 | 148 926 | 00:11:28,075 --> 00:11:32,475 927 | 它也不实用,因为它比类似于AES的 928 | 启发性构造要慢很多 929 | it's not used in practice because it's 930 | considerably slower than heuristics 931 | 932 | 149 933 | 00:11:32,475 --> 00:11:36,725 934 | 好,本章完结 935 | constructions like AES. Okay so 936 | this completes our module on constructing 937 | 938 | 150 939 | 00:11:36,725 --> 00:11:40,456 940 | 我们构造了伪随机置换和函数 941 | pseudo random permutations, and pseudo 942 | random functions. And then in the next 943 | 944 | 151 945 | 00:11:40,456 --> 00:11:44,287 946 | 下一章中我们讨论在正常加密中如何使用它们 947 | module we're gonna talk about how to use 948 | these things to do proper encryption. 
--------------------------------------------------------------------------------
/4 - 1 - Review- PRPs and PRFs (12 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/4 - 1 - Review- PRPs and PRFs (12 min).srt
--------------------------------------------------------------------------------
/4 - 2 - Modes of operation- one time key (8 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/4 - 2 - Modes of operation- one time key (8 min).srt
--------------------------------------------------------------------------------
/4 - 3 - Security for many-time key (23 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/4 - 3 - Security for many-time key (23 min).srt
--------------------------------------------------------------------------------
/4 - 4 - Modes of operation- many time key (CBC) (16 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/4 - 4 - Modes of operation- many time key (CBC) (16 min).srt
--------------------------------------------------------------------------------
/4 - 5 - Modes of operation- many time key (CTR) (10 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/4 - 5 - Modes of operation- many time key (CTR) (10 min).srt
--------------------------------------------------------------------------------
/5 - 1 - Message Authentication Codes (16 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/5 - 1 - Message Authentication Codes (16 min).srt
--------------------------------------------------------------------------------
/5 - 2 - MACs Based On PRFs (10 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/5 - 2 - MACs Based On PRFs (10 min).srt
--------------------------------------------------------------------------------
/5 - 3 - CBC-MAC and NMAC (20 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/5 - 3 - CBC-MAC and NMAC (20 min).srt
--------------------------------------------------------------------------------
/5 - 4 - MAC padding (9 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/5 - 4 - MAC padding (9 min).srt
--------------------------------------------------------------------------------
/5 - 5 - PMAC and the Carter-Wegman MAC (16 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/5 - 5 - PMAC and the Carter-Wegman MAC (16 min).srt
--------------------------------------------------------------------------------
/6 - 1 - Introduction (11 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/6 - 1 - Introduction (11 min).srt
--------------------------------------------------------------------------------
/6 - 2 - Generic birthday attack (16 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/6 - 2 - Generic birthday attack (16 min).srt
--------------------------------------------------------------------------------
/6 - 3 - The Merkle-Damgard Paradigm (12 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/6 - 3 - The Merkle-Damgard Paradigm (12 min).srt
--------------------------------------------------------------------------------
/6 - 4 - Constructing compression functions (8 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/6 - 4 - Constructing compression functions (8 min).srt
--------------------------------------------------------------------------------
/6 - 5 - HMAC (7 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/6 - 5 - HMAC (7 min).srt
--------------------------------------------------------------------------------
/6 - 6 - Timing attacks on MAC verification (9 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/6 - 6 - Timing attacks on MAC verification (9 min).srt
--------------------------------------------------------------------------------
/7 - 1 - Active attacks on CPA-secure encryption (13 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/7 - 1 - Active attacks on CPA-secure encryption (13 min).srt
--------------------------------------------------------------------------------
/7 - 2 - Definitions (6 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/7 - 2 - Definitions (6 min).srt
--------------------------------------------------------------------------------
/7 - 3 - Chosen ciphertext attacks (12 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/7 - 3 - Chosen ciphertext attacks (12 min).srt
--------------------------------------------------------------------------------
/7 - 4 - Constructions from ciphers and MACs (21 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/7 - 4 - Constructions from ciphers and MACs (21 min).srt
--------------------------------------------------------------------------------
/7 - 5 - Case study- TLS (18 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/7 - 5 - Case study- TLS (18 min).srt
--------------------------------------------------------------------------------
/7 - 6 - CBC padding attacks (14 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/7 - 6 - CBC padding attacks (14 min).srt
--------------------------------------------------------------------------------
/7 - 7 - Attacking non-atomic decryption (10 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/7 - 7 - Attacking non-atomic decryption (10 min).srt
--------------------------------------------------------------------------------
/8 - 1 - Key Derivation (14 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/8 - 1 - Key Derivation (14 min).srt
--------------------------------------------------------------------------------
/8 - 2 - Deterministic Encryption (15 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/8 - 2 - Deterministic Encryption (15 min).srt
--------------------------------------------------------------------------------
/8 - 3 - Deterministic Encryption-SIV and wide PRP (21 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/8 - 3 - Deterministic Encryption-SIV and wide PRP (21 min).srt
--------------------------------------------------------------------------------
/8 - 4 - Tweakable encryption (15 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/8 - 4 - Tweakable encryption (15 min).srt
--------------------------------------------------------------------------------
/8 - 5 - Format preserving encryption (13 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/8 - 5 - Format preserving encryption (13 min).srt
--------------------------------------------------------------------------------
/9 - 1 - Trusted 3rd parties (11 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/9 - 1 - Trusted 3rd parties (11 min).srt
--------------------------------------------------------------------------------
/9 - 2 - Merkle Puzzles (11 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/9 - 2 - Merkle Puzzles (11 min).srt
--------------------------------------------------------------------------------
/9 - 3 - The Diffie-Hellman protocol (19 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/9 - 3 - The Diffie-Hellman protocol (19 min).srt
--------------------------------------------------------------------------------
/9 - 4 - Public-key encryption (11 min).srt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/avalonsaber/crypto1sub/2a39f06799d474bea6364420fe5860c503224eb5/9 - 4 - Public-key encryption (11 min).srt
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# crypto1sub
Subtitles for Coursera Crypto I, the very first version.
--------------------------------------------------------------------------------