
Announcements

• Homework 2 graded.
• Recitation tomorrow:
  – Eigenvalues and SVD.
  – HW solution discussion.
• No lecture next Tuesday (November 5th).
• Make-up lecture next Friday (November 8th).

15-853 Page 1 15-853: Algorithms in the Real World

Cryptography #1

15-853 Page 2 Outline

Introduction: terminology, cryptanalysis, security
Private-Key Algorithms: Rijndael, DES
Number Theory

15-853 Page 3 Cryptography Outline

Introduction:
– terminology
– cryptanalytic attacks
– security
Private-Key Algorithms: Rijndael, DES
Number Theory

15-853 Page 4 Some Terminology

Cryptography – the general term
Cryptology – the theory
– encoding (but sometimes used as general term)
Cryptanalysis – breaking codes
Cipher – a method or algorithm for encrypting or decrypting

15-853 Page 5 More Definitions

[Diagram: Plaintext m → Encryption E_k(m) = c with Key1 → Ciphertext c → Decryption D_k(c) = m with Key2 → Original Plaintext; a Key Generator produces Key1 and Key2]

Private Key or Symmetric: Key1 = Key2

Public Key or Asymmetric: Key1 ≠ Key2
Key1 or Key2 is public depending on the protocol

15-853 Page 6 Private key encryption

[Diagram: Alice encrypts m under key k to produce c; c is sent to Bob, who decrypts it under the same k to recover m; Eve observes c]

We assume Eve knows everything about the encryption scheme (except the secret key).

15-853 Page 7 What does it mean to be secure?

Attempt 1: it should be impossible for Eve to get the key.

Attempt 2: it should be impossible for Eve to recover m.

Attempt 3: impossible for Eve to recover any bit of m.

Attempt 4: regardless of any information that Eve has, c should not leak any additional information about m. ✓

15-853 Page 8 One-time pad

• Key generation:
  – Input: length n (in unary)
  – Output: uniformly random k ∈ {0,1}^n
• Encryption:
  – Input: m ∈ {0,1}^n, k ∈ {0,1}^n
  – Output: c = m ⊕ k
• Decryption:
  – Input: c ∈ {0,1}^n, k ∈ {0,1}^n
  – Output: m = c ⊕ k

15-853 Page 9 One-time pad

One-time pad is perfectly secret:
• Let M, C be random variables for the message and ciphertext.
• For every message m and ciphertext c with Pr[C = c] > 0:
  Pr[M = m | C = c] = Pr[M = m]

• Ciphertext contains no information about message!

15-853 Page 10 One-time pad

One-time pad is perfectly secret.

Proof:
Pr[C = c | M = m] = Pr[m ⊕ K = c] = Pr[K = m ⊕ c] = 2^-n

Pr[C = c] = Σ_m Pr[C = c | M = m] Pr[M = m] = 2^-n Σ_m Pr[M = m] = 2^-n

Pr[M = m | C = c] = Pr[C = c | M = m] Pr[M = m] / Pr[C = c] = Pr[M = m]

Can we reuse a one-time pad? No.
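An added example (not from the slides) of the one-time pad on bytes rather than bits: it shows the perfect-secrecy argument above in code (every message of the right length is explained by exactly one pad) and why the answer to the reuse question is no (with a shared pad, c1 ⊕ c2 = m1 ⊕ m2 and the pad cancels). The sample messages are constructed.

```python
import secrets

def keygen(n: int) -> bytes:
    # Key generation: a uniformly random pad of n bytes (the slides use n bits).
    return secrets.token_bytes(n)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    # The pad must be exactly as long as the message; a shorter pad would have
    # to be reused within the message.
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(k: bytes, m: bytes) -> bytes:
    return xor_bytes(m, k)          # c = m XOR k

def decrypt(k: bytes, c: bytes) -> bytes:
    return xor_bytes(c, k)          # m = c XOR k

def key_explaining(c: bytes, m: bytes) -> bytes:
    # Perfect secrecy, concretely: for ANY m of the right length there is exactly
    # one pad, c XOR m, under which c decrypts to m. So c cannot rule any m out,
    # which is the Pr[M = m | C = c] = Pr[M = m] statement from the proof.
    return xor_bytes(c, m)

def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # Why a pad must never be reused: if c1 = m1 XOR k and c2 = m2 XOR k, then
    # c1 XOR c2 = m1 XOR m2. The pad cancels and Eve learns the relation between
    # the two messages without knowing k, contradicting "c leaks nothing".
    return xor_bytes(c1, c2)

# Constructed sample messages of equal length.
M1 = b"attack at dawn"
M2 = b"retreat at six"
```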

15-853 Page 11 The importance of randomness

• Previous proof only works if key is truly uniformly random.
• An adversary can exploit biases in randomness.
• There are techniques to extract uniformly random bits from biased sources.
• E.g.: suppose we have a biased coin with probabilities p and 1 – p for heads and tails.
• How to obtain uniformly random bits from this coin?
• Flip twice:
  – If (heads, tails) then output 1.
  – If (tails, heads) then output 0.
  – If (heads, heads) or (tails, tails) then no output.
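The two-flip extractor above (von Neumann's trick) as an added Python example, not from the slides. It assumes the flips are independent, which is what makes (heads, tails) and (tails, heads) equally likely, each with probability p(1 – p); the biased source is constructed with a seeded generator so the run is repeatable.

```python
import random

def von_neumann_extract(flips):
    # flips: sequence of 'H'/'T' from a biased but independent coin.
    # Non-overlapping pairs: (H,T) -> 1, (T,H) -> 0, (H,H)/(T,T) discarded.
    # Both kept orderings have probability p(1-p), so each output bit is fair.
    out = []
    it = iter(flips)
    for a, b in zip(it, it):
        if a != b:
            out.append(1 if a == "H" else 0)
    return out

def biased_coin(p_heads: float, n: int, seed: int = 1):
    # Constructed biased source (assumption: independent flips); seeded so the
    # example is reproducible.
    rng = random.Random(seed)
    return ["H" if rng.random() < p_heads else "T" for _ in range(n)]

def fraction_of_ones(bits) -> float:
    return sum(bits) / len(bits) if bits else 0.0

def heads_fraction(flips) -> float:
    return fraction_of_ones([1 if f == "H" else 0 for f in flips])

def extraction_rate(p_heads: float) -> float:
    # Expected output bits per input flip: a pair is kept with probability
    # 2p(1-p), so the rate is p(1-p); the cost of removing the bias.
    return p_heads * (1 - p_heads)
```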

15-853 Page 12 Computational secrecy

• Perfect secrecy requires the key to be at least as long as the message. This is impractical!
• We need to settle for a weaker definition.
• Any efficient adversary succeeds in breaking the scheme with at most negligible probability.
• Efficient = runs in probabilistic polynomial time (PPT).
• Negligible = goes to zero faster than any inverse polynomial:
  – A positive function f is negligible if for every positive integer c, there exists N_c such that f(n) < n^-c for all n > N_c.
  – Denoted as f = negl(n).

15-853 Page 13 Cryptanalytic Attacks

c = ciphertext messages m = plaintext messages

Ciphertext Only: Attacker has multiple cs but does not know the corresponding ms.
Known Plaintext: Attacker knows some number of (c,m) pairs.
Chosen Plaintext: Attacker gets to choose ms and generate cs beforehand.
Chosen Ciphertext: Attacker gets to choose cs and generate ms beforehand.

15-853 Page 14 Cryptography Outline

Introduction: terminology, cryptanalysis, security
Private-Key Algorithms:
– Block ciphers and product ciphers
– Rijndael, DES
Number Theory

15-853 Page 15 Private Key Algorithms

[Diagram: Plaintext M → Encryption E_k(M) = C with Key1 → Ciphertext C → Decryption D_k(C) = M with Key1 → Original Plaintext]

What granularity of the message does Ek encrypt?

15-853 Page 16 Private Key Algorithms

Block Ciphers: blocks of bits at a time
– DES () Banks, linux (almost), SSL, kerberos, …
– (SSL as option)
– IDEA (used in PGP, SSL as option)
– Rijndael (AES) – the new standard

15-853 Page 17 Private Key: Block Ciphers

A block cipher C is a function with:
• Input: a key k ∈ {0,1}^|k|, block x ∈ {0,1}^n (with |k| ≤ n)
• Output: a block y ∈ {0,1}^n
• Objective: should be hard to distinguish from a random permutation from {0,1}^n to {0,1}^n.

• We can chop long messages into blocks.
• Suppose we encrypt each block as c = C(k, m).
• What's the problem with this?
• Equal messages have equal ciphertexts!

15-853 Page 18 Private Key: Block Ciphers

Intuition: generate a “fresh” one-time pad for each block.

Counter (CTR) mode:

[Diagram: the counters ctr+1, ctr+2, ctr+3 are each fed through the block cipher as C(k, ctr+i); each output is XORed (⊕) with the message block m1, m2, m3 to give c1, c2, c3; the starting value ctr is sent along with c1, c2, c3]
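An added example (not from the slides) contrasting the per-block scheme of slide 18 with the counter mode of slide 19. Python's standard library has no block cipher, so a truncated HMAC-SHA256 stands in for C(k, ·) (an assumption: it is a keyed pseudorandom function, not an invertible cipher, which suffices here because CTR mode only ever computes C in the forward direction). The key and messages are constructed.

```python
import hmac
import hashlib

BLOCK = 16   # 128-bit blocks, as in Rijndael

def C(k: bytes, x: bytes) -> bytes:
    # Stand-in for the block cipher: HMAC-SHA256 of the block, truncated.
    assert len(x) == BLOCK
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def split_blocks(data: bytes):
    # Chop a message into blocks; the last one may be short.
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt_blockwise(k: bytes, m: bytes) -> bytes:
    # Slide 18: c_i = C(k, m_i). Deterministic per block, so equal message
    # blocks produce equal ciphertext blocks, which Eve can see.
    return b"".join(C(k, b) for b in split_blocks(m))

def ctr_mode(k: bytes, ctr: int, data: bytes) -> bytes:
    # Slide 19: a fresh pad C(k, ctr+i) per block, XORed with m_i. Decryption is
    # the same function. A (k, ctr) pair must never be reused: the pads would
    # repeat, with the same consequence as reusing a one-time pad.
    out = bytearray()
    for i, block in enumerate(split_blocks(data)):
        pad = C(k, (ctr + i).to_bytes(BLOCK, "big"))
        out += bytes(x ^ y for x, y in zip(block, pad))   # zip trims the pad
    return bytes(out)

def equal_block_pairs(c: bytes):
    # Index pairs of identical ciphertext blocks: the leak from slide 18.
    blocks = split_blocks(c)
    return [(i, j) for i in range(len(blocks))
            for j in range(i + 1, len(blocks)) if blocks[i] == blocks[j]]

# Constructed key and a message whose first two blocks are identical.
K = b"constructed-demo-key"
M = b"ATTACK AT DAWN!!" * 2 + b"RETREAT AT DUSK!"
```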

15-853 Page 19 Block cipher implementations

15-853 Page 20 Iterated Block Ciphers

Consists of n rounds.

[Diagram: m → R (round key k1) → s1 → R (round key k2) → s2 → … → R (round key kn) → c; the round keys are derived from key]

R = the round function
s_i = state after round i
k_i = the i-th round key

15-853 Page 21 Iterated Block Ciphers: Decryption

Run the rounds in reverse. Requires that R has an inverse R^-1.

[Diagram: c → R^-1 (round key kn) → … → s2 → R^-1 (round key k2) → s1 → R^-1 (round key k1) → m]

15-853 Page 22 Feistel Networks

• Run with round keys in reverse order to decrypt.
• Used by DES (the Data Encryption Standard)

Image: “ diagram” by Amirki CC BY-SA 3.0
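An added Python example (not from the slides) of a Feistel network: unlike the generic iterated cipher of slide 21, the round function need not be invertible, and decryption is the same routine run with the round keys in reverse order. The round function here is assumed to be a truncated keyed SHA-256, chosen precisely because it has no inverse; block and keys are constructed.

```python
import hashlib

def round_function(k: bytes, half: bytes) -> bytes:
    # Deliberately non-invertible R (assumption for illustration): a keyed hash
    # truncated to the size of one half-block.
    return hashlib.sha256(k + half).digest()[:len(half)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, round_keys) -> bytes:
    # One round maps (left, right) to (right, left XOR R(k_i, right)). The XOR
    # undoes itself, so R is never inverted. The final swap is undone so that
    # the same routine, given the keys in reverse order, is the decryption.
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in round_keys:
        left, right = right, xor(left, round_function(k, right))
    return right + left

def feistel_encrypt(block: bytes, round_keys) -> bytes:
    return feistel(block, list(round_keys))

def feistel_decrypt(block: bytes, round_keys) -> bytes:
    return feistel(block, list(reversed(round_keys)))

# Constructed sample: a 16-byte block and four round keys.
SAMPLE_BLOCK = b"0123456789abcdef"
SAMPLE_KEYS = [b"round-key-1", b"round-key-2", b"round-key-3", b"round-key-4"]
```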

15-853 Page 23 Substitution-Permutation network

Each round has two components:
– Substitution (S-box): one-to-one mapping of subblocks.
– Permutation (P-box): mix the bits around.
Both operations are invertible.

Avalanche effect: changing one bit of m affects all of c.

Image: “Substitution-Permutation Network” by GaborPete CC BY-SA 3.0

15-853 Page 24 Rijndael

Selected by AES (Advanced Encryption Standard, part of NIST) as the new private-key encryption standard. Based on an open “competition”.
– Competition started Sept. 1997.
– Narrowed to 5 Sept. 1999:
  • MARS by IBM, RC6 by RSA, by Counterplane, , and Rijndael
– Rijndael selected Oct. 2000.
– Official Nov. 2001 (AES page on Rijndael)
Designed by Rijmen and Daemen (Dutch)

15-853 Page 25 Goals of Rijndael

Resistance against known attacks:
– Differential cryptanalysis
–
– Truncated differentials
– attacks
– Interpolation attacks
– Weak and related keys
Speed + Memory efficiency across platforms:
– 32-bit processors
– 8-bit processors (e.g. smart cards)
– Dedicated hardware
Design simplicity and clearly stated security goals

15-853 Page 26 High-level overview

An iterated block cipher with
– 10–14 rounds,
– 128–256 bit blocks, and
– 128–256 bit keys
Mathematically reasonably sophisticated

15-853 Page 27 Blocks and Keys

The blocks and keys are organized as matrices of bytes. For the 128-bit case, it is a 4x4 matrix.

Data block:
  b0  b4  b8   b12
  b1  b5  b9   b13
  b2  b6  b10  b14
  b3  b7  b11  b15

Key:
  k0  k4  k8   k12
  k1  k5  k9   k13
  k2  k6  k10  k14
  k3  k7  k11  k15

b0, b1, …, b15 is the order of the bytes in the stream.

15-853 Page 28 Galois Fields in Rijndael

Uses GF(2^8) over bytes. The irreducible polynomial is:
M(x) = x^8 + x^4 + x^3 + x + 1, or 100011011, or 0x11B

Also uses degree 3 polynomials with coefficients from GF(2^8). These are kept as 4 bytes (used for the columns). The polynomial used as a modulus is:
M(x) = 00000001 x^4 + 00000001, or x^4 + 1
Not irreducible, but we only need to find inverses of polynomials that are relatively prime to it.

15-853 Page 29 Each round

[Diagram: in → Byte substitution → Rotate rows (row r is rotated by r = 0, 1, 2, 3 positions) → Mix columns → ⊕ Key_i → out]

The inverse runs the steps and rounds backwards. Each step must be reversible!

15-853 Page 30 Byte Substitution

Non-linear: y = b^-1 (done over GF(2^8))
Linear: z = Ay + B (done over GF(2), i.e., binary)

      1 0 0 0 1 1 1 1          1
      1 1 0 0 0 1 1 1          1
      1 1 1 0 0 0 1 1          0
  A = 1 1 1 1 0 0 0 1    B =   0
      1 1 1 1 1 0 0 0          0
      0 1 1 1 1 1 0 0          1
      0 0 1 1 1 1 1 0          1
      0 0 0 1 1 1 1 1          0

(A is the circulant 8×8 matrix and B the constant 0x63 of the AES standard; row i corresponds to bit i of the byte.)

To invert the substitution:
y = A^-1(z − B) (the matrix A is nonsingular)
b = y^-1 (over GF(2^8))

15-853 Page 31 Mix Columns

For each column a = (a0, a1, a2, a3) in the data block compute

b(x) = (a3 x^3 + a2 x^2 + a1 x + a0)(3x^3 + x^2 + x + 2) mod x^4 + 1

where coefficients are taken over GF(2^8).

New column b = (b0, b1, b2, b3) is where b(x) = b3 x^3 + b2 x^2 + b1 x + b0.

15-853 Page 32 Implementation

Using x^j mod (x^4 + 1) = x^(j mod 4):

(a3 x^3 + a2 x^2 + a1 x + a0)(3x^3 + x^2 + x + 2) mod x^4 + 1
= (2a0 + 3a1 + a2 + a3) + (a0 + 2a1 + 3a2 + a3) x + (a0 + a1 + 2a2 + 3a3) x^2 + (3a0 + a1 + a2 + 2a3) x^3

      2 3 1 1
  C = 1 2 3 1        Therefore, b = C • a
      1 1 2 3
      3 1 1 2
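An added Python example (not from the slides) of the GF(2^8) arithmetic behind slides 28 to 32: multiplication modulo 0x11B, the byte substitution of slide 30 (inverse in GF(2^8), then the affine map z = Ay + B), and Mix Columns as b = C • a together with its inverse. The inverse matrix C^-1 is the standard AES value, which the slides do not list, and is the concrete witness that the transform is invertible.

```python
MOD = 0x11B   # M(x) = x^8 + x^4 + x^3 + x + 1

def gf_mul(a: int, b: int) -> int:
    # Shift-and-add multiplication of two bytes, reducing by M(x) on overflow.
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    # GF(2^8)^* has 255 elements, so a^-1 = a^254 (square-and-multiply);
    # 0 has no inverse and Rijndael maps it to 0.
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0

def sub_byte(b: int) -> int:
    # Non-linear step y = b^-1, then affine step z = Ay + B over GF(2): row i of
    # the circulant A sums bits i, i-1, i-2, i-3, i-4 of y (mod 8); B is 0x63.
    y = gf_inv(b)
    z = y
    for s in (1, 2, 3, 4):
        z ^= ((y << s) | (y >> (8 - s))) & 0xFF   # rotate y left by s bits
    return z ^ 0x63

C = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
# Inverse of C (standard AES value, not on the slides); it exists because each
# row of C, read as a polynomial, is coprime to x^4 + 1.
C_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mat_vec(matrix, a):
    # Matrix-vector product over GF(2^8): multiply with gf_mul, add with XOR.
    out = []
    for row in matrix:
        acc = 0
        for coef, ai in zip(row, a):
            acc ^= gf_mul(coef, ai)
        out.append(acc)
    return out

def mix_column(a): return mat_vec(C, a)          # b = C . a
def inv_mix_column(b): return mat_vec(C_INV, b)  # a = C^-1 . b
```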

M(x) is not irreducible, but the rows of C and M(x) are coprime, so the transform can be inverted.

15-853 Page 33 Generating the round keys

[Diagram: the four words (columns) of the round key; f is applied to the last word, and each word of the next round key is the XOR (+) of the corresponding word of the previous round key with the word computed just before it]

Words corresponding to columns of the key.

f(b1, b2, b3, b4) = sub byte(b2, b3, b4, b1) + const_i, i.e., rotate the bytes, apply the byte substitution, then add a round constant.

15-853 Page 34 Performance

Performance (64-bit AMD Athlon 2.2 GHz, 2005, OpenSSL):

Algorithm      Bits/key   Mbits/sec
DES-cbc        56         399
Blowfish-cbc   128        703
Rijndael-cbc   128        917

Hardware implementations go up to 32 Gbits/sec

15-853 Page 35 Cryptography Outline

Introduction: terminology, cryptanalysis, security
Private-Key Algorithms: Rijndael, DES
Number Theory
– Groups

15-853 Page 36 Groups

A Group (G,*,I) is a set G with operator * such that:
1. Closure. For all a,b ∈ G, a * b ∈ G
2. Associativity. For all a,b,c ∈ G, a*(b*c) = (a*b)*c
3. Identity. There exists I ∈ G, such that for all a ∈ G, a*I = I*a = a
4. Inverse. For every a ∈ G, there exists a unique element b ∈ G, such that a*b = b*a = I
An Abelian or Commutative Group is a Group with the additional condition
5. Commutativity. For all a,b ∈ G, a*b = b*a

15-853 Page 37 Examples of groups

– Integers, Reals or Rationals with Addition
– The nonzero Reals or Rationals with Multiplication
– Non-singular n x n real matrices with Matrix Multiplication
– Permutations over n elements with composition
  [0→1, 1→2, 2→0] o [0→1, 1→0, 2→2] = [0→0, 1→2, 2→1]

We will only be concerned with finite groups, i.e., ones with a finite number of elements.

15-853 Page 38 Key properties of finite groups

Notation: a^j ≡ a * a * a * … (j times)
Definition: the order of g ∈ G is the smallest positive integer m such that g^m = I
Definition: a group G is cyclic if there is a g ∈ G such that order(g) = |G|
Definition: an element g ∈ G of order |G| is called a generator or primitive element of G.

15-853 Page 39 Groups based on modular arithmetic

The group of positive integers modulo a prime p
Z_p^* ≡ {1, 2, 3, …, p-1}
*_p ≡ multiplication modulo p
Denoted as: (Z_p^*, *_p)
Required properties:
1. Closure. Yes.
2. Associativity. Yes.
3. Identity. 1.
4. Inverse. Yes.
Example: Z_7^* = {1,2,3,4,5,6}
1^-1 = 1, 2^-1 = 4, 3^-1 = 5, 6^-1 = 6

15-853 Page 40 Other properties

|Z_p^*| = (p-1)
By Fermat's little theorem: a^(p-1) = 1 (mod p)

Example of Z_7^*:
  x   x^2  x^3  x^4  x^5  x^6
  1   1    1    1    1    1
  2   4    1    2    4    1
  3   2    6    4    5    1    (generator)
  4   2    1    4    2    1
  5   4    6    2    3    1    (generator)
  6   1    6    1    6    1

For all p the group is cyclic.

15-853 Page 41 What if n is not a prime?

The group of positive integers modulo a non-prime n
Z_n ≡ {1, 2, 3, …, n-1}, n not prime
*_n ≡ multiplication modulo n
Required properties?
1. Closure. ?
2. Associativity. ?
3. Identity. ?
4. Inverse. ?
How do we fix this?

15-853 Page 42 Groups based on modular arithmetic

The multiplicative group modulo n
Z_n^* ≡ {m : 1 ≤ m < n, gcd(n,m) = 1}
*_n ≡ multiplication modulo n
Denoted as (Z_n^*, *_n)
Required properties:
• Closure. Yes.
• Associativity. Yes.
• Identity. 1.
• Inverse. Yes.
Example: Z_15^* = {1,2,4,7,8,11,13,14}
1^-1 = 1, 2^-1 = 8, 4^-1 = 4, 7^-1 = 13, 11^-1 = 11, 14^-1 = 14

15-853 Page 43 The Euler Phi Function

φ(n) = |Z_n^*| = n ∏_{p|n} (1 − 1/p)

If n is a product of two primes p and q, then φ(n) = pq(1 − 1/p)(1 − 1/q) = (p − 1)(q − 1)

Fermat-Euler Theorem: a^φ(n) = 1 (mod n) for a ∈ Z_n^*
Or for n = pq: a^((p−1)(q−1)) = 1 (mod n) for a ∈ Z_pq^*
This will be very important in RSA!

15-853 Page 44 Generators

Example of Z_10^*: {1, 3, 7, 9}

  x   x^2  x^3  x^4
  1   1    1    1
  3   9    7    1    (generator)
  7   9    3    1    (generator)
  9   1    9    1

For n = 2, 4, p^e, or 2p^e (p an odd prime), Z_n^* is cyclic.

15-853 Page 45 Operations we will need

Multiplication: a*b (mod n)
– Can be done in O(log^2 n) bit operations, or better
Power: a^k (mod n)
– The power method: O(log n) steps, O(log^3 n) bit ops
  fun pow(a,k) =
    if (k = 0) then 1
    else if (k mod 2 = 1) then a * (pow(a,k/2))^2
    else (pow(a,k/2))^2
  (k/2 is integer division; every product is reduced mod n)
Inverse: a^-1 (mod n)
– Euclid's algorithm: O(log n) steps, O(log^3 n) bit ops

15-853 Page 46 Discrete Logarithms

If g is a generator of Z_n^*, then for all y there is a unique x (mod φ(n)) such that
– y = g^x mod n
This is called the discrete logarithm of y and we use the notation
– x = log_g(y)
In general finding the discrete logarithm is conjectured to be hard… as hard as factoring.
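An added Python example (not from the slides) covering slides 39 to 46 together: Z_n^*, inverses by extended Euclid, the recursive power method of slide 45 with reduction mod n, orders and generators, and the discrete logarithm by exhaustive search, which is only workable for the toy moduli used on the slides and illustrates why the problem is considered hard at real sizes.

```python
from math import gcd

def power_method(a, k, n):
    # Slide 45's recursive power method with every product reduced mod n:
    # square pow(a, k//2), and multiply by a once more when k is odd.
    if k == 0:
        return 1 % n
    sq = power_method(a, k // 2, n) ** 2 % n
    return a * sq % n if k % 2 == 1 else sq

def extended_gcd(a, b):
    # Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b).
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(a, n):
    # a^-1 mod n exists exactly when gcd(a, n) = 1, i.e. when a is in Z_n^*.
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}")
    return x % n

def units(n):
    # Z_n^* = {m : 1 <= m < n, gcd(n, m) = 1}; its size is phi(n).
    return [m for m in range(1, n) if gcd(m, n) == 1]

def order(g, n):
    # Smallest positive m with g^m = 1 (mod n), for g in Z_n^*.
    m, x = 1, g % n
    while x != 1:
        x, m = x * g % n, m + 1
    return m

def generators(n):
    # Elements of order |Z_n^*|; non-empty exactly when Z_n^* is cyclic.
    zn = units(n)
    return [g for g in zn if order(g, n) == len(zn)]

def discrete_log(g, y, n):
    # x with g^x = y (mod n) by exhaustive search over 0 <= x < phi(n):
    # fine for toy n, but exponential in the bit length of n in general.
    x, acc = 0, 1 % n
    while x < len(units(n)):
        if acc == y % n:
            return x
        x, acc = x + 1, acc * g % n
    return None
```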
