Announcements
HW4 (DES) due Friday midnight
Any volunteers to help configure C/C# later today? Who's using Scheme?
Quiz on ch 3 postponed until after break
Term project groups and topics due end of week after break; use ch 10-19 as inspiration
Today: finish Rijndael; RSA concepts
Questions?
DTTF/NB479: Dszquphsbqiz, Day 19
Rijndael/AES
Tie-ins with the Galois field GF(2^8):
  S-box implements z = A x^{-1} + b: inversion in GF(2^8), followed by a fixed affine map over GF(2) (A is an 8x8 bit matrix, b a constant byte)
  MixColumn multiplies each column of the state by a fixed 4x4 matrix over GF(2^8) to diffuse bits
  Key schedule (next) uses the S-box and powers of x in GF(2^8) (the round constants)
Wikipedia's visuals
AddRoundKey (ARK)
XOR the round key with the state matrix d.
Key schedule on next slide.
Key Schedule
Write the original 128-bit key as a 4x4 byte matrix with 4 columns: W(0), W(1), W(2), W(3).
Key for round i is (W(4i), W(4i+1), W(4i+2), W(4i+3)).
The other columns are defined recursively from earlier ones.
Highly non-linear (the S-box is applied inside the recurrence), so it resists attacks that try to recover the whole key when part of it is known.
The 192- and 256-bit key versions are similar.
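As an added example (not code from the original slides), the following Python builds the AES pieces the last two slides describe directly from GF(2^8) arithmetic: the S-box as inversion plus the affine map z = A x^{-1} + b, one MixColumns step as a matrix multiply over GF(2^8), and the standard AES-128 key expansion, whose every fourth word is rotated, passed through the S-box and XORed with a round constant (a power of x in GF(2^8)). The expected values in the checks are the FIPS-197 test vectors (Appendix A.1 key expansion, Appendix B MixColumns); the helper names are this example's own.

```python
"""AES pieces built directly from GF(2^8) arithmetic: S-box, MixColumns, AES-128 key schedule.
Added example; not code from the original slides."""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of AES's GF(2^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced modulo AES_POLY."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        overflow = a & 0x80
        a = (a << 1) & 0xFF
        if overflow:
            a ^= AES_POLY & 0xFF  # reduce: XOR the low 8 bits of the polynomial (0x1B)
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8): a^254, since the nonzero elements form a group
    of order 255. AES maps 0 to 0 by convention."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def sbox_byte(x: int) -> int:
    """S-box: z = A * x^{-1} + b, with A the fixed 8x8 bit matrix over GF(2) and b = 0x63.
    Row i of A XORs bits i, i+4, i+5, i+6, i+7 (indices mod 8) of the inverse."""
    y = gf_inv(x)
    z = 0x63
    for i in range(8):
        bit = ((y >> i) ^ (y >> ((i + 4) % 8)) ^ (y >> ((i + 5) % 8))
               ^ (y >> ((i + 6) % 8)) ^ (y >> ((i + 7) % 8)))
        z ^= (bit & 1) << i
    return z


SBOX = [sbox_byte(x) for x in range(256)]


def mix_column(col):
    """MixColumns on one 4-byte column: multiply by the circulant matrix
    [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2] over GF(2^8) (XOR is the field addition)."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
        a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
        a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
        gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3),
    ]


def expand_key_128(key: bytes) -> list:
    """AES-128 key schedule. Returns the 11 round keys; round i's key is (W(4i), ..., W(4i+3)).
    W(j) = W(j-4) XOR W(j-1), except that every 4th word is first rotated, passed through the
    S-box and XORed with a round constant: that S-box step is what makes the schedule non-linear."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [list(key[4 * j:4 * j + 4]) for j in range(4)]
    rcon = 0x01
    for j in range(4, 44):
        temp = list(w[j - 1])
        if j % 4 == 0:
            temp = temp[1:] + temp[:1]          # RotWord
            temp = [SBOX[b] for b in temp]      # SubWord
            temp[0] ^= rcon                     # round constant
            rcon = gf_mul(rcon, 2)              # next round constant: next power of x
        w.append([w[j - 4][k] ^ temp[k] for k in range(4)])
    return [bytes(b for word in w[4 * r:4 * r + 4] for b in word) for r in range(11)]


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A.1 example key
    for r, rk in enumerate(expand_key_128(key)):
        print(f"round {r:2d} key: {rk.hex()}")
```

The S-box table is generated rather than typed in, so the check that every nonzero byte times its `gf_inv` equals 1 and that the table matches the published entries (S(0x00) = 0x63, S(0x53) = 0xED) confirms both the field arithmetic and the affine map at once.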
Decryption
E(k) is: ARK_0, BS, SR, MC, ARK_1, ..., BS, SR, MC, ARK_9, BS, SR, ARK_10
Each function is invertible: ARK (its own inverse, since it is an XOR); IBS; ISR; IMC
So D(k) is: ARK_10, ISR, IBS, ARK_9, IMC, ISR, IBS, ..., ARK_1, IMC, ISR, IBS, ARK_0
Half-round structure:
Write E(k) = ARK, (BS, SR), (MC, ARK), ..., (BS, SR), (MC, ARK), (BS, SR), ARK (note that the last MC wouldn't fit: the final round has no MixColumns)
Then D(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), ..., (ARK, IMC), (ISR, IBS), ARK
IBS substitutes each byte independently and ISR only moves bytes, so they commute. IMC is linear, so IMC(x XOR k_i) = IMC(x) XOR IMC(k_i): ARK_i followed by IMC equals IMC followed by an XOR with the transformed round key IMC(k_i), written IARK.
So we can write: D(k) = ARK, (IBS, ISR), (IMC, IARK), ..., (IBS, ISR), (IMC, IARK), (IBS, ISR), ARK
Decryption then has the same round structure as encryption, with the inverse operations and a modified key schedule.
Wrap-up Do you trust 128-bit encryption now? You should, especially when keys are sent using public key cryptography (next)
Public-key Cryptography
Problem: how can I send my AES key without Eve intercepting it?
Consider a scheme in which everyone publishes a (public) method by which messages can be encrypted and sent to them, but only the publisher can decrypt.
Knowing how to encrypt does not reveal how to decrypt!
RSA (Rivest, Shamir, Adleman)
For Alice to send a message to Bob:
Bob chooses primes p, q (large, ~100 digits each).
He publishes his public key (n, e):
  n = pq
  e, a number such that $\gcd(e, (p-1)(q-1)) = 1$
Alice has a message m < n. Otherwise (if $m \ge n$), she breaks the message into chunks, each < n.
Alice sends $c = m^e \pmod n$.
Bob computes $c^d \pmod n = (m^e)^d = m \pmod n$. What does he use for d?
Why does decryption work?
Alice sends m to Bob.
Bob's key: n = pq; e with $\gcd(e, (p-1)(q-1)) = 1$. This is so $d = e^{-1} \bmod (p-1)(q-1)$ exists.
Alice sends $c = m^e \pmod n$.
Bob computes $c^d \pmod n = (m^e)^d = m^{ed} \pmod n$. What does he use for d?
Recall Euler's theorem: $m^{\varphi(n)} \equiv 1 \pmod n$ as long as $\gcd(m, n) = 1$, and for $n = pq$, $\varphi(n) = (p-1)(q-1)$.
So $m^{ed} \equiv m \pmod n$ if $ed \equiv 1 \pmod{\varphi(n)}$, i.e. $ed \equiv 1 \pmod{(p-1)(q-1)}$.
So $d = e^{-1} \bmod (p-1)(q-1)$.
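The derivation on this slide carried through in the slide's own symbols, added here (not part of the original slide):

With $\varphi(n) = (p-1)(q-1)$ and $ed \equiv 1 \pmod{\varphi(n)}$, write $ed = 1 + k\varphi(n)$ for some integer $k \ge 0$. Then, for $\gcd(m, n) = 1$,
$$c^d \equiv (m^e)^d = m^{ed} = m^{1 + k\varphi(n)} = m \cdot \left(m^{\varphi(n)}\right)^k \equiv m \cdot 1^k = m \pmod n.$$

Caveat for the case the slide's condition excludes: if $\gcd(m, n) \ne 1$, then m is a multiple of p or of q (say p), and Euler's theorem does not apply directly. But then $m^{ed} \equiv 0 \equiv m \pmod p$ trivially, while modulo q the same argument goes through with Fermat's little theorem because $(q-1) \mid (ed - 1)$; the Chinese remainder theorem combines the two congruences into $m^{ed} \equiv m \pmod n$. So decryption is correct for every $0 \le m < n$, not only for m coprime to n.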
Toy example
Alice sends m to Bob.
Bob's key: $n = pq = (13)(17) = 221$; $e = 35$, with $\gcd(e, (p-1)(q-1)) = \gcd(35, 192) = 1$
$d = e^{-1} \bmod 192$ exists: $d = 11$ (check: $35 \cdot 11 = 385 = 2 \cdot 192 + 1$)
$m = 20$ (letter t, with 1-based letter numbering so that a leading 'a' = 1 is not ignored; with 0-based numbering a leading 'a' would encode as 0 and vanish)
$c = m^e \bmod n = 20^{35} \bmod 221 = 197$
$c^d \bmod n = 197^{11} \bmod 221 = 20$
Issues:
  How to compute $20^{35} \pmod{221}$? Square-and-multiply; efficiency is $O(\log e)$ modular multiplications.
  How to compute d? Extended Euclidean algorithm.
  And why is this secure? Why can't Eve calculate d herself?
Security
Eve knows e, n, and c only.
To find $d = e^{-1} \pmod{\varphi(n)}$, Eve needs to know $\varphi(n) = (p-1)(q-1)$.
If she knows n, she can factor it into p and q to find $\varphi(n)$, right?
That's a big if, since n is ~200 digits long! Large numbers are hard to factor: she can't just test every prime from 2 to $\sqrt{n}$.
(Note: ~200 decimal digits is roughly 660 bits; current practice requires an n of at least 2048 bits, about 617 digits.)
Security
$c = m^e \pmod n$
Can Eve just compute the e-th root of c?
No: because the arithmetic is mod n, there is no analogue of taking a real-number root, and no efficient method is known without the factorization of n.
She could brute-force by trying every m < n, but not when n is large!
Is $\varphi(n)$ as hard to find as the factors of n?
Claim: factoring n hard $\Rightarrow$ finding $\varphi(n)$ hard.
Equivalently (contrapositive): $\varphi(n)$ easy $\Rightarrow$ factoring n easy.
If I know n and $\varphi(n)$, how can I find p, q? Hint: write n and $\varphi(n)$ in terms of p and q.
I will show later that finding d is as hard as finding the factors of n (knowing d lets you factor n). So Eve has no shortcut around factoring!
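As an added example (not code from the original slides), the following Python runs the toy example above end to end with the slide's numbers (p = 13, q = 17, e = 35, m = 20) and shows the pieces the last few slides point at: the extended Euclidean algorithm for d, square-and-multiply modular exponentiation, the quadratic that recovers p and q from n and $\varphi(n)$ (the answer to the hint on this slide), and the trial division Eve is reduced to when she has no shortcut, which only succeeds because the toy n is tiny. Function names are this example's own.

```python
"""Toy RSA with the slide's numbers, plus fast modexp, extended Euclid, and the
phi(n) -> factoring argument. Added example; not code from the original slides."""
from math import isqrt


def egcd(a: int, b: int):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(e: int, phi: int) -> int:
    """d = e^{-1} mod phi; exists only when gcd(e, phi) = 1, which is why Bob picks e that way."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError(f"gcd({e}, {phi}) = {g} != 1, so e has no inverse mod phi")
    return x % phi


def modexp(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply: O(log exp) modular multiplications, every intermediate reduced mod n,
    so 20^35 mod 221 never materialises the 46-digit number 20^35."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def rsa_keygen(p: int, q: int, e: int):
    """Bob's setup: public key (n, e), private exponent d = e^{-1} mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), modinv(e, phi)


def rsa_encrypt(pub, m: int) -> int:
    """Alice: c = m^e mod n. A block must satisfy m < n; longer messages are chunked."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= m < n; chunk longer messages")
    return modexp(m, e, n)


def rsa_decrypt(n: int, d: int, c: int) -> int:
    """Bob: m = c^d mod n."""
    return modexp(c, d, n)


def factor_from_phi(n: int, phi: int):
    """phi(n) easy => factoring easy. n = pq and phi = (p-1)(q-1) = n - (p+q) + 1, so
    s = p + q = n - phi + 1, and p, q are the two roots of x^2 - s*x + n = 0."""
    s = n - phi + 1
    disc = s * s - 4 * n
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("n and phi are not consistent with n = pq")
    return (s - r) // 2, (s + r) // 2


def trial_factor(n: int):
    """What Eve is left with when there is no shortcut: test every candidate up to sqrt(n).
    Instant for the toy n = 221; hopeless for a ~200-digit n."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


if __name__ == "__main__":
    pub, d = rsa_keygen(13, 17, 35)            # the slide's toy key: n = 221, e = 35, d = 11
    c = rsa_encrypt(pub, 20)                   # m = 20 is the letter 't' (1-based)
    print(f"n={pub[0]} e={pub[1]} d={d} c={c} decrypted={rsa_decrypt(pub[0], d, c)}")
    print("p, q recovered from n and phi(n):", factor_from_phi(221, 192))
    print("p, q recovered by trial division:", trial_factor(221))
```

Running it reproduces the slide's blanks (d = 11, c = 197, and 197^11 mod 221 = 20) and shows that, for this n, both recovery routes are immediate: the second is what large p and q are there to prevent, and the first is why $\varphi(n)$ must stay as secret as the factors.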