Cryptography for everybody: Safe primes for RSA?

Generation of “safe” primes in CT2 using the RSA KeyGenerator component

I recently got some interesting feedback to the “Break reduced RSA” YouTube video I made some time ago. Of course I used CrypTool 2 (CT2) in that video. One viewer asked me, why we chose to generate non-safe primes, as well as if the quadratic sieve component of CT2 is able to break RSA challenge numbers. My answer to the second question: Since we have a quite old implementation of msieve (the library we use) converted to C# long ago, I don’t think the factorization algorithm is as powerful as the current state-of-the-art factorization libraries. Nevertheless, it is “good enough” to show how to break RSA (up to N in range of 2^300).

The answer to the safe prime question: Good question! I never thought of generating such numbers in CT2 and thought standard prime numbers are ok for CT2. I mean, it is a tool for education and not meant for any security purposes. Nevertheless, in real world applications you use large primes for RSA with additional requirements: They should be safe. So I updated the RSA KeyGenerator component to also allow the generation of safe primes. But are safe prime numbers still needed with RSA modules in the range of 2^2048 and above? For the current state-of-the-art of RSA factorization, you may have a look at

But what is a safe prime?

A number p is a prime number, if it is only divisible by itself and by 1. For example 13 is a prime number, or 17, or 23, … etc. A “safe prime” number p is a number, that is prime AND (p – 1) / 2 is also a prime number which we then call a Sophie Germain prime. An example for a safe prime is 23, because (23 – 1) / 2 = 11 is a Sophie Germain prime. Safe prime numbers are more resistant against some factorization methods, which could be used to factorize the RSA’s N (which is the product of two large primes p and q).

But are safe primes really needed for RSA?

I questioned that myself and found a paper by Rivest, who is the R in RSA. Already in 1999, Rivest stated that: “We find that for practical purposes using large “random” primes offers security equivalent to that obtained by using “strong” primes. Current requirements for “strong” primes do not make them any more secure than randomly chosen primes of the same size. Indeed, these requirements can lead a general audience to believe that if a prime is “strong” that it is secure and that if it isn’t “strong” then it must be “weak” and hence insecure. This simply is not true.” [1]

Rivest speaks about “strong” primes, not about safe primes. Strong primes have additional properties, from which “safe” primes fullfil one. But today, the usage of just “random” primes is good enough to keep RSA secure, since the primes are so large, that the properties for “strong” and “safe” are negligible. The “safe” property for primes was introduced to counter special factorization algorithms, like Pollard-Rho. But the modules we use today with RSA are too large to be factored with e.g. Pollard-Rho.

Nevertheless, now we have the choice in CT2 to generate either “random” or “safe” primes. Also, the RSA KeyGenerator uses a cryptographic random number generator during the generation of the RSA keys. In the CT2 workspace shown at the beginning of the blog article, we generate a 1024 bit RSA key and set the generator to “safe” prime generation. The prime test components evaluate the generated primes p and q and if both are “green” this means that the primes are safe.

You may be interested in my RSA YouTube video:

Basics of Cryptology – Part 11 (Modern Cryptography – Asymmetric Ciphers – RSA)

And you may also be interested in my “How to break reduced RSA” YouTube video:

Break (Reduced) RSA Using Factorization

[1] Rivest, Ronald L., and Robert D. Silverman. “Are Strong Primes Needed for RSA?” IN THE 1997 RSA LABORATORIES SEMINAR SERIES, SEMINARS PROCEEDINGS. 1999.


Cryptography for everybody: I updated the Transposition Analyzer in CrypTool 2 to Make it More Convenient

Today, I updated the “transposition analyzer” component of CrypTool 2 (CT2) to make its usage more convenient. The analyzer allows the cryptanalysis of ciphertexts that are encrypted using the columnar transposition cipher. It was written some time ago in the early days of CT2 by some of my commolitons when I was doing my masters.

The CrypTool 2 transposition analyzer component now supports keylength ranges

It always bugged me that you needed to restart the analyzer when you wanted to analyze different key lengths. For example, if you assumed that a ciphertext had been encrypted using a columnar transposition cipher, but you were unsure which key length had been used (e.g. between 5 and 15), you had to restart it for any of the assumed key lengths.

Now, its a matter of setting minimum and maximum key lengths, and the analyzer will test all lengths of the defined range 🙂

Btw, the transposition analyzer supports different cryptanalysis methods/heuristics: brute-force for smaller key lengths, genetic algorithm and hillclimbing for longer key lengths. Also, if you have a crib (a part of known plaintext), the crib analysis can be used.

But besides simply just updating the component, I fixed a few bugs and generally improved the C# code a bit 🙂

If you want to see how to use the transposition analyzer of CT2, I created a video about it in the past:

Break a Columnar Transposition Cipher

Probably, I will also create a new video about columnar transposition ciphers and the updated transposition analyzer in the near future.

We published some years ago a paper about cryptanalysis of the columnar transposition cipher in Cryptologia [1].

Finally, if you want to simply encrypt or decrypt using the columnar transposition cipher, you may have a look at the nice implementation in CrypToolOnline:

[1] Lasry, George, Nils Kopal, and Arno Wacker. “Cryptanalysis of columnar transposition cipher with long keys.” Cryptologia 40.4 (2016): 374-398.


Cryptography for everybody: I Created a Text-Based AES-Like Cipher – A Cipher Built Using Only Classical Ciphers

Can you build a cipher with the structure of the Advanced Encryption Standard (AES), our current standard modern symmetric cipher, but only use classical ciphers? I asked myself this question when I implemented AES in C# as a preparation for my upcoming AES videos on my YouTube channel in 2021.

AES’ structure (10 rounds for AES-128) consists of 4 different building blocks:
1) AddRoundKey,
2) SubBytes,
3) ShiftRows, and
4) MixColumns:

AES structure

The AddRoundKey building block adds a round key to the state array of 16 bytes (or plain and/or ciphertext) using XOR. The SubBytes building block substitutes each byte using AES’ S-Box, the ShiftRows building block performs a shift of the rows of the state array, and the MixColumns building block mixes the columns of the state array by multiplying each “vector” with an invertible matrix in the finite field GF(2^8).

When I implemented each of these four steps, I was reminded of some classical ciphers: AddRoundKey reminded me of an additive cipher, SubBytes reminded me of a simple substitution cipher, MixColumns reminded me of a transposition cipher, and the matrix multiplication finally reminded me of a Hill cipher.

Thus, I changed the inputs (plaintext and key) and the output (ciphertext) of the AES to simple text (just letters from A to Z), exchanged AddRoundKey with an additive cipher (using MOD 26), exchanged SubBytes by SubBigrams (a bigram substitution cipher), I kept ShiftRows as it was, and exchanged MixColumns with a 4×4 Hillcipher (also using MOD 26). The “TextAES” was born :-).

To also allow decryption, I computed the inverse S-Box (an inverse lookup table for the bigram substitution cipher) and an inverse matrix for the Hill cipher.

I kept the key expansion more or less as it was, but with text, and also used the bigram substitution and replaced its round constants by “AAAA”,”BAAA”,”CAAA”, etc.

Finally, I was convinced that you can create an AES-like cipher using only classical ciphers :-).

If you are interested in details of this self-made crazy cipher, have a look at the video I made about it:

I Created a Text-Based AES-Like Cipher

If you are interested in details of the real AES, you may also have a look at my other two videos about AES and AES key schedule:

AES – The Advanced Encryption Standard Explained
AES – Key Schedule/Key Expansion Explained

Also, if you want to play with my source code in C# of AES and TextAES, you can find it freely available on GitHub:

Finally, here is the original publication of AES:
Daemen, Joan, and Vincent Rijmen. The design of Rijndael. Vol. 2. New York: Springer-verlag, 2002.


Cryptography for everybody: Perceptual Hashing to Compare Images

Some years ago, I supervised a bachelor project with the topic “image processing” at the University of Kassel (when I was working for the “Applied Information Security” group). The bachelor students had to implement image processing components in CrypTool 2.

One result of the project was the so called “ImageHash” component. One of my students implemented the “block hash” by Steinebach [1]. It is a robust (or perceptual) hash function, that allows to use it for the search for images in image databases, even when the image is different (e.g. resized or modified) from the original.

This hash algorithm works in four steps:
Step 1: Grayscale: Colors (RGB) are converted to grayscale (0x00 to 0xFF)
Step 2: Resize: Image is resized to target size e.g. 16×16 pixels
Step 3: Flip: Image is flipped horizontally and vertically until the brightest quarter of the image is in the top left corner
Step 4: Binarize: Convert grayscale pixels to black and white pixels using a threshold

In the following image, an example image is hashed using these four steps:

The four steps of the block hash algorithm

I still like the component and think it was a good addition to CrypTool 2. Clearly, the bachelor students got good grades for the project. Other results were the “Image processor”, the “Transcripor”, and the “Watermark Creator” in CrypTool 2 :-).

Today, I also createad a YouTube video about perceptual hashing. Here, I also show the “ImageHash” component of CrypTool 2 . You may watch it here:

Perceptual Hashing To Compare Images


[1] Steinebach, Martin. “Robust hashing for efficient forensic analysis of image sets .” International Conference on Digital Forensics and Cyber Crime. Springer, Berlin, Heidelberg, 2011

Cryptography for everybody: The Straddling Checkerboard Cipher and Che Guevara

Today, Prof. Esslinger and I updated two templates, which are part of CrypTool 2 (CT2). Regularly, we update templates to improve their quality. A template is a pre-built graphical program (CT2 workspace) which demonstrates a cryptographic method, e.g. a cipher or a cryptographic protocol. Right now, we have about 250 templates in CrypTool 2.

We updated the “Straddling Checkerboard” cipher template as well as the “Che Guevara” cipher template, which also contains the Straddling Checkerboard cipher component for encryption.

The re-worked Che Guevara cipher template in CrypTool 2

Che Guevara, 14 June 1928 – 9 October 1967

To create his cipher, Che Guevara used a cascade of two ciphers:
(1) he encrypted his text using the Straddling Checkerboard cipher, turning his plaintext into digits and
(2) he applied a one-time-pad.

In the template shown above, we have six different inputs: four for the straddling checkerboard: plaintext, key, alphabet, row and column assignments. Two for Vernam: an additional alphabet consisting only of digits and a one-time pad.

Actually, all inputs for the Straddling Checkerboard cipher could be kept constant or even published, since security is given as long as the one-time pad is kept secret.

If you want to know how to create a straddling checkerboard cipher in CrypTool 2, you can watch my video about it:

The Straddling Checkerboard Cipher Explained

I hope you enjoy the Straddling Checkerboard cipher template and the Che Guevara cipher template of CrypTool 2. If you want to test these, you need the current nightly build available here:


Cryptography for everybody: Basics of Cryptology Series (correct ordering)

In 2020 I started my “Basics of Cryptology” series on my “Cryptography for everybody” YouTube channel.

Right now, the series consists of 23 different videos. The videos cover topics from the beginnings of cryptology and basic terminology up to modern cryptology (e.g. RSA and AES).

While creating the series I jumped with the focus and created videos, as the topics came into my mind. Thus, today, I tried to order the videos to a “correct” order. Here is my current list 🙂

Clearly, you can just watch the videos as they are present in the YouTube playlist 🙂
Maybe, in the future, I will create a single long video, a new playlist, or maybe even re-create all videos. When I started creating my videos, my YouTube channel was new and I had not so much experience as I have now.

Nevertheless, I hope you’ll find my videos in that series interesting and helpful. If you have any questions, ideas, or wishes, feel free to write below this blogpost or directly below my videos in the comment section 🙂


Cryptography for everybody: Let’s Create Our Own Homophonic Substitution Cipher

In our newest video on “Cryptography for everybody”, we create a homophonic substitution cipher using CrypTool 2.

The “Substitution component” of CrypTool 2 allows to create substitution ciphers. For that, we implemented an easy-to-use syntax based on plaintext and ciphertext alphabets. An “alphabet” is just a string (some text), which consists of our “symbols”. A symbol can be one or more UTF-8 characters.

Example (simple shift cipher):
– Plaintext alphabet=”ABCDEFG…Z”
– Ciphertext alphabet=”BCDEFGH…A”

Providing these two alphabets to the substitution component would create a simple shift cipher, where each letter of the plaintext alphabet is shifted one to the left in our corresponding ciphertext alphabet. In the substitution component, letters are substituted based on their corresponding positions in the given alphabets. The first letter of the plaintext alphabet is substituted by the first letter of the ciphertext alphabet, the second by the second, etc.

But the substitution component is much more powerful. It allows also to create alphabets consisting of “words” and also allows alternative substitutions to create “homophones”.

Example (homophonic substitution cipher):
– Plaintext alphabet=”ABCDEFG…Z”
– Ciphertext alphabet=”[01|02][03|04]…[999|555]”

In this example, the letter A can be substituted by either 01 or 02. The brackets tell the substitution component that it should use everything inside the brackets as a single ciphertext symbol. The pipe symbol tells the component that we want to create alternatives. Using this syntax, we are able to create a homophonic substitution cipher, where one plaintext letter will be replaced by one of the defined homophones.

But we are not only limited to use simple two or three digit combinations. We can also create mappings like [MAXIMILIAN] in the plaintext alphabet and [1001] in the ciphertext alphabet. Doing so, we can create so-called nomenclators. How this can be done in CrypTool 2 is part of the linked YouTube video. So if you are interested in more details, you should have a look at this 🙂

If you are interested in downloading the newest version of CrypTool 2 (I always recommend the nightly build, since it contains the newest components) go to