Announcements
• Homework 2 graded.
• Recitation tomorrow: eigenvalues and SVD; HW solution discussion.
• No lecture next Tuesday (November 5th).
• Make-up lecture next Friday (November 8th).
15-853 Page 1 15-853: Algorithms in the Real World
Cryptography #1
15-853 Page 2 Cryptography Outline
Introduction: terminology, cryptanalysis, security
Private-Key Algorithms: Rijndael, DES
Number Theory
15-853 Page 3 Cryptography Outline
Introduction:
– terminology
– cryptanalytic attacks
– security
Private-Key Algorithms: Rijndael, DES
Number Theory
15-853 Page 4 Some Terminology
Cryptography – the general term
Cryptology – the theory
Encryption – encoding (but sometimes used as the general term)
Cryptanalysis – breaking codes
Cipher – a method or algorithm for encrypting or decrypting
15-853 Page 5 More Definitions
Diagram: Plaintext → Encryption with Key1, E_k(m) = c → Ciphertext → Decryption with Key2, D_k(c) = m → Original Plaintext. A Key Generator supplies Key1 and Key2.
Private Key or Symmetric: Key1 = Key2
Public Key or Asymmetric: Key1 ≠ Key2
Key1 or Key2 is public depending on the protocol
15-853 Page 6 Private key encryption
Diagram: Alice encrypts m under key k and sends the ciphertext c to Bob, who decrypts with the same k to recover m; Eve observes c.
We assume Eve knows everything about the encryption scheme (except the secret key).
15-853 Page 7 What does it mean to be secure?
Attempt 1: it should be impossible for Eve to get the key.
Attempt 2: it should be impossible for Eve to recover m.
Attempt 3: impossible for Eve to recover any bit of m.
Attempt 4: regardless of any information that Eve has, c should not leak any additional information about m. ✓
15-853 Page 8 One-time pad
• Key generation:
  • Input: length n (in unary)
  • Output: uniformly random k ∈ {0,1}^n
• Encryption:
  • Input: m ∈ {0,1}^n, k ∈ {0,1}^n
  • Output: c = m ⊕ k
• Decryption:
  • Input: c ∈ {0,1}^n, k ∈ {0,1}^n
  • Output: m = c ⊕ k
15-853 Page 9 One-time pad
One-time pad is perfectly secret:
• Let M, C be random variables for the message and ciphertext.
• For every message m and ciphertext c with Pr[C = c] > 0: Pr[M = m | C = c] = Pr[M = m]
• Ciphertext contains no information about message!
15-853 Page 10 One-time pad
One-time pad is perfectly secret.
Proof:
Pr[C = c | M = m] = Pr[m ⊕ K = c] = Pr[K = m ⊕ c] = 2^-n
Pr[C = c] = Σ_m Pr[C = c | M = m] Pr[M = m] = 2^-n Σ_m Pr[M = m] = 2^-n
Pr[M = m | C = c] = Pr[C = c | M = m] Pr[M = m] / Pr[C = c] = Pr[M = m]
Can we reuse a one-time pad? No.
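As an added example (not code from the slides), the one-time pad over byte strings in Python, together with the reason the answer to the reuse question is "No": with one key used twice, c1 ⊕ c2 = m1 ⊕ m2, so the key cancels out. The messages are constructed sample values.

```python
# Added example (not from the lecture slides): one-time pad over bytes.
import os

def otp_keygen(n: int) -> bytes:
    """Key generation: n uniformly random bytes from the OS CSPRNG."""
    return os.urandom(n)

def otp_xor(data: bytes, key: bytes) -> bytes:
    """Encryption and decryption are the same map: c = m xor k, m = c xor k.
    The key must be exactly as long as the message (perfect secrecy needs it)."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If the same k encrypts m1 and m2, then c1 xor c2 = m1 xor m2: the key
    cancels and the xor of the two plaintexts is exposed (zero bytes wherever
    the messages agree). This is why a pad is used once."""
    return otp_xor(c1, c2)

if __name__ == "__main__":
    m1 = b"attack at dawn"  # constructed sample messages
    m2 = b"attack at dusk"
    k = otp_keygen(len(m1))
    c1, c2 = otp_xor(m1, k), otp_xor(m2, k)
    assert otp_xor(c1, k) == m1
    print(reuse_leak(c1, c2))  # equals m1 xor m2, independent of k
```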
15-853 Page 11 The importance of randomness
• Previous proof only works if the key is truly uniformly random.
• An adversary can exploit biases in randomness.
• There are techniques to extract uniformly random bits from biased sources.
• E.g.: suppose we have a biased coin with probabilities p and 1 – p for heads and tails.
• How to obtain uniformly random bits from this coin? Flip twice:
  • If (heads, tails) then output 1.
  • If (tails, heads) then output 0.
  • If (heads, heads) or (tails, tails) then no output.
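The two-flip extractor above, as an added example in Python (not from the slides), run over a constructed biased coin; both accepted pairs have probability p(1 – p), so the output is unbiased provided the flips are independent and identically distributed.

```python
# Added example (not from the lecture slides): von Neumann's two-flip extractor.
import random

def von_neumann_extract(flips) -> list:
    """Pair up consecutive flips: (H,T) -> 1, (T,H) -> 0, equal pairs give no
    output. Each accepted pair has probability p(1-p), so the bits are
    unbiased; this relies on the flips being independent and identically
    distributed (a source with memory breaks the argument)."""
    out = []
    it = iter(flips)
    for a, b in zip(it, it):  # non-overlapping pairs
        if a != b:
            out.append(1 if a == "H" else 0)
    return out

def biased_coin(p: float, n: int, seed: int = 1) -> list:
    """Constructed biased source for the demo: heads with probability p."""
    rng = random.Random(seed)
    return ["H" if rng.random() < p else "T" for _ in range(n)]

def bias(bits) -> float:
    """Fraction of ones; 0.5 means unbiased."""
    return sum(bits) / len(bits) if bits else 0.0

if __name__ == "__main__":
    flips = biased_coin(0.8, 20000)
    bits = von_neumann_extract(flips)
    print(bias([1 if f == "H" else 0 for f in flips]), bias(bits), len(bits))
```

Note the cost: about 2p(1 – p) output bits per input flip, so a heavily biased source yields few bits.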
15-853 Page 12 Computational secrecy
• Perfect secrecy requires the key to be at least as long as the message. This is impractical!
• We need to settle for a weaker definition.
• Any efficient adversary succeeds in breaking the scheme with at most negligible probability.
• Efficient = runs in probabilistic polynomial time (PPT).
• Negligible = goes to zero faster than any inverse polynomial:
  – A positive function f is negligible if for every positive integer c there exists N_c such that f(n) < n^-c for all n > N_c.
  – Denoted as f = negl(n).
15-853 Page 13 Cryptanalytic Attacks
c = ciphertext messages, m = plaintext messages
Ciphertext Only: Attacker has multiple cs but does not know the corresponding ms.
Known Plaintext: Attacker knows some number of (c, m) pairs.
Chosen Plaintext: Attacker gets to choose ms and generate cs before.
Chosen Ciphertext: Attacker gets to choose cs and generate ms before.
15-853 Page 14 Cryptography Outline
Introduction: terminology, cryptanalysis, security
Private-Key Algorithms:
– Block ciphers and product ciphers
– Rijndael, DES
Number Theory
15-853 Page 15 Private Key Algorithms
Diagram: Plaintext → Encryption with Key1, E_k(M) = C → Ciphertext → Decryption with Key1, D_k(C) = M → Original Plaintext.
What granularity of the message does Ek encrypt?
15-853 Page 16 Private Key Algorithms
Block Ciphers: blocks of bits at a time
– DES (Data Encryption Standard): banks, linux passwords (almost), SSL, kerberos, …
– Blowfish (SSL as option)
– IDEA (used in PGP, SSL as option)
– Rijndael (AES) – the new standard
15-853 Page 17 Private Key: Block Ciphers
A block cipher C is a function with:
• Input: a key k ∈ {0,1}^|k|, block x ∈ {0,1}^n (with |k| ≤ n)
• Output: a block y ∈ {0,1}^n
• Objective: should be hard to distinguish from a random permutation from {0,1}^n to {0,1}^n.
• We can chop long messages into blocks.
• Suppose we encrypt each block as c = C(k, m).
• What’s the problem with this?
• Equal messages have equal encryptions!
15-853 Page 18 Private Key: Block Ciphers
Intuition: generate a “fresh” one-time pad for each block.
Counter (CTR) mode:
Diagram: the counters ctr+1, ctr+2, ctr+3 are each fed through C(k, ·); the outputs are XORed with m1, m2, m3 to give c1, c2, c3, i.e. c_i = m_i ⊕ C(k, ctr + i). The starting value ctr is sent along with c1, c2, c3.
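As an added example (not from the slides), counter mode in Python next to the naive block-by-block scheme from the previous slide. The block cipher C(k, ·) is stood in for by a keyed hash truncated to 16 bytes (an assumption made so the code runs without a crypto library; a real deployment uses AES), which is enough to show the structure of the mode.

```python
# Added example (not from the lecture slides): CTR mode over a stand-in block function.
import hashlib
import hmac

BLOCK = 16  # block size in bytes

def block_fn(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher C(k, x): HMAC-SHA256 truncated to 16 bytes.
    It is a keyed PRF rather than a permutation; used here only to show the mode."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    """XOR up to the shorter length (lets the last, short block work)."""
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_like(k: bytes, m: bytes) -> bytes:
    """The naive scheme: each block encrypted as C(k, m_i).
    Equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_fn(k, m[i:i + BLOCK]) for i in range(0, len(m), BLOCK))

def ctr_crypt(k: bytes, ctr: int, data: bytes) -> bytes:
    """CTR mode: c_i = m_i xor C(k, ctr + i), a fresh pad per block.
    Decryption is the same call; ctr must never repeat under one key."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        pad = block_fn(k, (ctr + i // BLOCK).to_bytes(BLOCK, "big"))
        out += xor(data[i:i + BLOCK], pad)
    return bytes(out)

if __name__ == "__main__":
    k = b"\x01" * 16           # constructed demo key
    m = b"A" * 32              # two identical blocks
    e = ecb_like(k, m)
    print(e[:16] == e[16:])    # True: the repetition shows through
    c = ctr_crypt(k, 7, m)
    print(c[:16] == c[16:], ctr_crypt(k, 7, c) == m)  # False, True
```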
15-853 Page 19 Block cipher implementations
15-853 Page 20 Iterated Block Ciphers
Consists of n rounds. Diagram: m → R with round key k_1 → s_1 → R with k_2 → s_2 → … → R with k_n → c.
R = the round function; s_i = state after round i; k_i = the i-th round key (derived from the key).
15-853 Page 21 Iterated Block Ciphers: Decryption
Run the rounds in reverse. Requires that R has an inverse R^-1.
Diagram: c → R^-1 with k_n → … → s_2 → R^-1 with k_2 → s_1 → R^-1 with k_1 → m.
15-853 Page 22 Feistel Networks
• Run with round keys in reverse order to decrypt.
• Used by DES (the Data Encryption Standard)
Image: “Feistel cipher diagram” by Amirki CC BY-SA 3.0
15-853 Page 23 Substitution-Permutation network
Each round has two components:
– Substitution (S-box): one-to-one mapping of subblocks.
– Permutation (P-box): mix the bits around.
Both operations are invertible.
Avalanche effect: changing one bit of m affects all of c.
Image: “Substitution-Permutation Network” by GaborPete CC BY-SA 3.0
15-853 Page 24 Rijndael
Selected by AES (Advanced Encryption Standard, part of NIST) as the new private-key encryption standard. Based on an open “competition”.
– Competition started Sept. 1997.
– Narrowed to 5 in Sept. 1999: MARS by IBM, RC6 by RSA, Twofish by Counterpane, Serpent, and Rijndael
– Rijndael selected Oct. 2000.
– Official Nov. 2001 (AES page on Rijndael)
Designed by Rijmen and Daemen (Dutch)
15-853 Page 25 Goals of Rijndael
Resistance against known attacks:
– Differential cryptanalysis
– Linear cryptanalysis
– Truncated differentials
– Square attacks
– Interpolation attacks
– Weak and related keys
Speed + memory efficiency across platforms:
– 32-bit processors
– 8-bit processors (e.g. smart cards)
– Dedicated hardware
Design simplicity and clearly stated security goals
15-853 Page 26 High-level overview
An iterated block cipher with
– 10–14 rounds,
– 128–256 bit blocks, and
– 128–256 bit keys
Mathematically reasonably sophisticated
15-853 Page 27 Blocks and Keys
The blocks and keys are organized as matrices of bytes. For the 128-bit case, it is a 4x4 matrix.
Data block:
b0 b4 b8  b12
b1 b5 b9  b13
b2 b6 b10 b14
b3 b7 b11 b15
Key:
k0 k4 k8  k12
k1 k5 k9  k13
k2 k6 k10 k14
k3 k7 k11 k15
b0, b1, …, b15 is the order of the bytes in the stream.
15-853 Page 28 Galois Fields in Rijndael
Uses GF(2^8) over bytes. The irreducible polynomial is M(x) = x^8 + x^4 + x^3 + x + 1, or 100011011 in binary, or 0x11B.
Also uses degree-3 polynomials with coefficients from GF(2^8). These are kept as 4 bytes (used for the columns). The polynomial used as a modulus is M(x) = 00000001 x^4 + 00000001, or x^4 + 1. Not irreducible, but we only need to find inverses of polynomials that are relatively prime to it.
15-853 Page 29 Each round
Diagram of one round: in → (0) byte substitution → (1) rotate rows → (2) mix columns → (3) add Key_i (XOR) → out.
The inverse runs the steps and rounds backwards. Each step must be reversible!
15-853 Page 30 Byte Substitution
Non-linear: y = b^-1 (done over GF(2^8))
Linear: z = Ay + B (done over GF(2), i.e., binary), with
    1 0 0 0 1 1 1 1        1
    1 1 0 0 0 1 1 1        1
    1 1 1 0 0 0 1 1        0
A = 1 1 1 1 0 0 0 1    B = 0
    1 1 1 1 1 0 0 0        0
    0 1 1 1 1 1 0 0        1
    0 0 1 1 1 1 1 0        1
    0 0 0 1 1 1 1 1        0
(rows and entries ordered from bit 0 of the byte; B is the byte 0x63)
To invert the substitution: y = A^-1(z − B) (the matrix A is nonsingular), then b = y^-1 (over GF(2^8)).
15-853 Page 31 Mix Columns
For each column a = (a0, a1, a2, a3) in the data block compute
b(x) = (a3 x^3 + a2 x^2 + a1 x + a0)(3x^3 + x^2 + x + 2) mod x^4 + 1
where coefficients are taken over GF(2^8).
The new column is b = (b0, b1, b2, b3) where b(x) = b3 x^3 + b2 x^2 + b1 x + b0.
15-853 Page 32 Implementation
Using x^j mod (x^4 + 1) = x^(j mod 4):
(a3 x^3 + a2 x^2 + a1 x + a0)(3x^3 + x^2 + x + 2) mod x^4 + 1
= (2a0 + 3a1 + a2 + a3) + (a0 + 2a1 + 3a2 + a3) x + (a0 + a1 + 2a2 + 3a3) x^2 + (3a0 + a1 + a2 + 2a3) x^3
Therefore b = C • a, where
    2 3 1 1
C = 1 2 3 1
    1 1 2 3
    3 1 1 2
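As an added example (not code from the slides), the GF(2^8) arithmetic with M(x) = 0x11B, the byte substitution y = b^-1 followed by z = Ay + B, and MixColumns as b = C · a, in Python. The A and B used are Rijndael's standard affine matrix and the constant 0x63, an assumption made where the slide's matrix is hard to read; the test vectors are the ones published with the standard.

```python
# Added example (not from the lecture slides): Rijndael byte arithmetic.
AES_POLY = 0x11B  # M(x) = x^8 + x^4 + x^3 + x + 1

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced mod M(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:      # degree reached 8: subtract (xor) M(x)
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8) as a^254 (255 nonzero elements); 0 -> 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def sub_byte(b: int) -> int:
    """y = b^-1 over GF(2^8), then z = A*y + B over GF(2): A is the circulant
    matrix whose row i has ones at columns i, i+4, i+5, i+6, i+7 (mod 8),
    B = 0x63 (standard Rijndael values, assumed here)."""
    y = gf_inv(b)
    z = 0
    for i in range(8):
        bit = ((y >> i) ^ (y >> ((i + 4) % 8)) ^ (y >> ((i + 5) % 8))
               ^ (y >> ((i + 6) % 8)) ^ (y >> ((i + 7) % 8))) & 1
        z |= bit << i
    return z ^ 0x63

C_MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column(a: list) -> list:
    """b = C * a, i.e. a(x)(3x^3 + x^2 + x + 2) mod x^4 + 1 over GF(2^8)."""
    out = []
    for row in C_MIX:
        acc = 0
        for coef, ai in zip(row, a):
            acc ^= gf_mul(coef, ai)   # addition in GF(2^8) is xor
        out.append(acc)
    return out
```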
M(x) is not irreducible, but the polynomial given by the rows of C and M(x) are coprime, so the transform can be inverted.
15-853 Page 33 Generating the round keys
Diagram: the round key is handled as four words corresponding to the columns of the key. The first word of the new round key is the old first word XORed with f(last word); each following new word is the previous new word XORed with the corresponding old word (the four “+” boxes).
f(b1, b2, b3, b4): rotate to (b2, b3, b4, b1), apply the byte substitution to each byte, then XOR with const_i.
15-853 Page 34 Performance
Performance (64-bit AMD Athlon 2.2 GHz, 2005, OpenSSL):
Algorithm      Bits/key   Mbits/sec
DES-cbc        56         399
Blowfish-cbc   128        703
Rijndael-cbc   128        917
Hardware implementations go up to 32 Gbits/sec.
15-853 Page 35 Cryptography Outline
Introduction: terminology, cryptanalysis, security
Private-Key Algorithms: Rijndael, DES
Number Theory
– Groups
15-853 Page 36 Groups
A Group (G, *, I) is a set G with operator * such that:
1. Closure. For all a, b ∈ G, a * b ∈ G
2. Associativity. For all a, b, c ∈ G, a * (b * c) = (a * b) * c
3. Identity. There exists I ∈ G such that for all a ∈ G, a * I = I * a = a
4. Inverse. For every a ∈ G there exists a unique element b ∈ G such that a * b = b * a = I
An Abelian or Commutative Group is a Group with the additional condition
5. Commutativity. For all a, b ∈ G, a * b = b * a
15-853 Page 37 Examples of groups
– Integers, Reals or Rationals with Addition
– The nonzero Reals or Rationals with Multiplication
– Non-singular n x n real matrices with Matrix Multiplication
– Permutations over n elements with composition: [0→1, 1→2, 2→0] o [0→1, 1→0, 2→2] = [0→0, 1→2, 2→1]
We will only be concerned with finite groups, i.e., ones with a finite number of elements.
15-853 Page 38 Key properties of finite groups
Notation: a^j ≡ a * a * a * … (j times)
Definition: the order of g ∈ G is the smallest positive integer m such that g^m = I
Definition: a group G is cyclic if there is a g ∈ G such that order(g) = |G|
Definition: an element g ∈ G of order |G| is called a generator or primitive element of G.
15-853 Page 39 Groups based on modular arithmetic
The group of positive integers modulo a prime p
Z_p^* ≡ {1, 2, 3, …, p−1}
*_p ≡ multiplication modulo p
Denoted as: (Z_p^*, *_p)
Required properties:
1. Closure. Yes.
2. Associativity. Yes.
3. Identity. 1.
4. Inverse. Yes.
Example: Z_7^* = {1, 2, 3, 4, 5, 6}; 1^-1 = 1, 2^-1 = 4, 3^-1 = 5, 6^-1 = 6
15-853 Page 40 Other properties
|Z_p^*| = (p−1)
By Fermat’s little theorem: a^(p−1) = 1 (mod p)
Example of Z_7^*:
x   x^2  x^3  x^4  x^5  x^6
1   1    1    1    1    1
2   4    1    2    4    1
3   2    6    4    5    1   (generator)
4   2    1    4    2    1
5   4    6    2    3    1   (generator)
6   1    6    1    6    1
For all p the group is cyclic.
15-853 Page 41 What if n is not a prime?
The group of positive integers modulo a non-prime n
Z_n ≡ {1, 2, 3, …, n−1}, n not prime
*_n ≡ multiplication modulo n
Required properties?
1. Closure. ?
2. Associativity. ?
3. Identity. ?
4. Inverse. ?
How do we fix this?
15-853 Page 42 Groups based on modular arithmetic
The multiplicative group modulo n
Z_n^* ≡ {m : 1 ≤ m < n, gcd(n, m) = 1}
*_n ≡ multiplication modulo n
Denoted as (Z_n^*, *_n)
Required properties:
• Closure. Yes.
• Associativity. Yes.
• Identity. 1.
• Inverse. Yes.
Example: Z_15^* = {1, 2, 4, 7, 8, 11, 13, 14}; 1^-1 = 1, 2^-1 = 8, 4^-1 = 4, 7^-1 = 13, 11^-1 = 11, 14^-1 = 14
15-853 Page 43 The Euler Phi Function
φ(n) = |Z_n^*| = n ∏_{p|n} (1 − 1/p)
If n is a product of two primes p and q, then φ(n) = pq(1 − 1/p)(1 − 1/q) = (p − 1)(q − 1)
Fermat-Euler Theorem: a^φ(n) = 1 (mod n) for a ∈ Z_n^*
Or for n = pq: a^((p−1)(q−1)) = 1 (mod n) for a ∈ Z_pq^*
This will be very important in RSA!
15-853 Page 44 Generators
Example of Z_10^*: {1, 3, 7, 9}
x   x^2  x^3  x^4
1   1    1    1
3   9    7    1   (generator)
7   9    3    1   (generator)
9   1    9    1
For n = 2, 4, p^e, 2p^e (p an odd prime), Z_n^* is cyclic.
15-853 Page 45 Operations we will need
Multiplication: a * b (mod n)
– Can be done in O(log^2 n) bit operations, or better
Power: a^k (mod n)
– The power method: O(log n) steps, O(log^3 n) bit ops
fun pow(a, k) = if (k = 0) then 1
                else if (k mod 2 = 1) then a * (pow(a, k/2))^2
                else (pow(a, k/2))^2
(k/2 is integer division, and every product is reduced mod n so the intermediate values stay below n)
Inverse: a^-1 (mod n)
– Euclid’s algorithm: O(log n) steps, O(log^3 n) bit ops
15-853 Page 46 Discrete Logarithms
If g is a generator of Z_n^*, then for all y there is a unique x (mod φ(n)) such that
– y = g^x mod n
This is called the discrete logarithm of y and we use the notation
– x = log_g(y)
In general, finding the discrete logarithm is conjectured to be hard… as hard as factoring.
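As an added example (not code from the slides), the number-theory toolkit of the last slides in Python: the recursive power method, inverses by the extended Euclidean algorithm, Z_n^* and φ(n), element orders and generators (reproducing the Z_7^*, Z_10^* and Z_15^* examples), and a brute-force discrete logarithm that is only workable at these toy sizes.

```python
# Added example (not from the lecture slides): modular-arithmetic toolkit.
from math import gcd

def mod_pow(a: int, k: int, n: int) -> int:
    """The slides' recursive power method, O(log k) squarings, all mod n."""
    if k == 0:
        return 1 % n
    half = mod_pow(a, k // 2, n)
    sq = (half * half) % n
    return (a * sq) % n if k % 2 == 1 else sq

def mod_inverse(a: int, n: int) -> int:
    """a^-1 mod n via the extended Euclidean algorithm; fails if gcd(a, n) != 1."""
    old_r, r, old_s, s = a % n, n, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {old_r})")
    return old_s % n

def z_star(n: int) -> list:
    """The multiplicative group Z_n^*: residues 1 <= m < n coprime to n."""
    return [m for m in range(1, n) if gcd(m, n) == 1]

def phi(n: int) -> int:
    """Euler's phi function as the size of Z_n^*."""
    return len(z_star(n))

def order(g: int, n: int) -> int:
    """Smallest m > 0 with g^m = 1 (mod n); g must lie in Z_n^*."""
    m, x = 1, g % n
    while x != 1:
        x = (x * g) % n
        m += 1
    return m

def generators(n: int) -> list:
    """Elements of order |Z_n^*|; non-empty exactly when the group is cyclic."""
    group = z_star(n)
    return [g for g in group if order(g, n) == len(group)]

def discrete_log(g: int, y: int, n: int) -> int:
    """Brute-force x with g^x = y (mod n): fine for toy n, hopeless at real sizes."""
    for x in range(phi(n)):
        if mod_pow(g, x, n) == y % n:
            return x
    raise ValueError("y is not a power of g")
```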