Announcements • Homework 2 graded. • Recitation tomorrow: • Eigenvalues and SVD. • HW solution discussion. • No lecture next Tuesday (November 5th). • Make-up lecture next Friday (November 8th). 15-853 Page 1 15-853:Algorithms in the Real World Cryptography #1 15-853 Page 2 Cryptography Outline Introduction: terminology, cryptanalysis, security Private-Key Algorithms: Rijndael, DES Number Theory 15-853 Page 3 Cryptography Outline Introduction: – terminology – cryptanalytic attacks – security Private-Key Algorithms: Rijndael, DES Number Theory 15-853 Page 4 Some Terminology Cryptography – the general term Cryptology – the theory Encryption – encoding (but sometimes used as general term) Cryptanalysis – breaking codes Cipher – a method or algorithm for encrypting or decrypting 15-853 Page 5 More Definitions Plaintext Key1 Encryption Ek(m) = c Key Ciphertext Generator Key2 Decryption Dk(c) = m Original Plaintext Private Key or Symmetric: Key1 = Key2 Public Key or Asymmetric: Key1 ≠ Key2 Key1 or Key2 is public depending on the protocol 15-853 Page 6 Private key encryption k k m c m Alice Encrypt Decrypt Bob We assume Eve knows everything about the encryption scheme Eve (except the secret key) 15-853 Page 7 What does it mean to be secure? Attempt 1: it should be impossible for Eve to get the key. Attempt 2: it should be impossible for Eve to recover m. Attempt 3: impossible for Eve to recover any bit of m. Attempt 4: regardless of any information that Eve has, c should not leak any additional information about m. ✓ 15-853 Page 8 One-time pad • Key generation: • Input: length n (in unary) • Output: uniformly random k {0,1}n • Encryption: ∈ • Input: m {0,1}n, k {0,1}n • Output: c = m k ∈ ∈ • Decryption: ⊕ • Input: c {0,1}n, k {0,1}n • Output: m = c k ∈ ∈ ⊕ 15-853 Page 9 One-time pad One-time pad is perfectly secret: • Let M, C be r.v.s for the message and ciphertext. • For every message m and ciphertext c with Pr[C=c] > 0: Pr[M = m | C = c] = Pr[M = m] • Ciphertext contains no information about message! 15-853 Page 10 One-time pad One-time pad is perfectly secret. Proof: Pr[C = c | M = m] = Pr[m K = c] = Pr[K = m c] = 2-n Pr[C = c] = Σm Pr[C = c | M = m] Pr[M = m] -n ⊕ -n ⊕ = 2 Σm Pr[M = m] = 2 Pr[M = m | C = c] = Pr[C = c | M = m] Pr[M = m] / Pr[C = c] = Pr[M = m] Can we reuse a one-time pad? No. 15-853 Page 11 The importance of randomness • Previous proof only works if key is truly uniformly random. • An adversary can exploit biases in randomness. • There are techniques to extract uniformly random bits from biased sources. • E.g: suppose we have a biased coin with probabilities p and 1 – p for heads and tails. • How to obtain uniformly random bits from this coin? • Flip twice: • If (heads, tails) then output 1. • If (tails, heads) then output 0. • If (heads, heads) or (tails, tails) then no output. 15-853 Page 12 Computational secrecy • Perfect secrecy requires the key to be at least as long as the message. This is impractical! • We need to settle for a weaker definition. • Any efficient adversary succeeds in breaking the scheme with at most negligible probability. • Efficient = runs in probabilistic polynomial time (PPT). • Negligible = goes to zero faster than any inverse poly: – A positive function f is negligible if for every positive integer c, there exists Nc such that: -c f(n) < n , for all n > Nc – Denoted as f = negl(n). 15-853 Page 13 Cryptanalytic Attacks c = ciphertext messages m = plaintext messages Ciphertext Only: Attacker has multiple cs but does not know the corresponding ms Known Plaintext: Attacker knows some number of (c,m) pairs. Chosen Plaintext: Attacker gets to choose ms and generate cs before. Chosen Ciphertext: Attacker gets to choose cs and generate ms before. 15-853 Page 14 Cryptography Outline Introduction: terminology, cryptanalysis, security Private-Key Algorithms: – Block ciphers and product ciphers – Rijndael, DES Number Theory 15-853 Page 15 Private Key Algorithms Plaintext Key1 Encryption Ek(M) = C Ciphertext Key1 Decryption Dk(C) = M Original Plaintext What granularity of the message does Ek encrypt? 15-853 Page 16 Private Key Algorithms Block Ciphers: blocks of bits at a time – DES (Data Encryption Standard) Banks, linux passwords (almost), SSL, kerberos, … – Blowfish (SSL as option) – IDEA (used in PGP, SSL as option) – Rijdael (AES) – the new standard 15-853 Page 17 Private Key: Block Ciphers A Block cipher C is a function with: • Input: a key k {0,1}|k|, block x {0,1}n (with|k| ≤ n) • Output: a block y {0,1}n ∈ ∈ ∈ • Objective: should be hard to distinguish from a random permutation from {0,1}n to {0,1}n. • We can chop long messages into blocks. • Suppose we encrypt each block as c = C(k, m). • What’s the problem with this? • Equal messages have equal encryptions! 15-853 Page 18 Private Key: Block Ciphers Intuition: generate a “fresh” one-time pad for each block. Counter (CTR) mode: ctr ctr+1 ctr+2 ctr+3 C(k, ) C(k, ) C(k, ) ⋅ ⋅ ⋅ m1 m2 m3 ctr c1 c2 c3 15-853 Page 19 Block cipher implementations 15-853 Page 20 Iterated Block Ciphers m key Consists of n rounds k R 1 s1 “ ” k R = the round function R 2 si = state after round i s2 th . ki = the i round key . k R n c 15-853 Page 21 Iterated Block Ciphers: Decryption m key Run the rounds in reverse. k Requires that R has an R-1 1 inverse. s1 k R-1 2 s2 . k R-1 n c 15-853 Page 22 Feistel Networks • Run with round keys in reverse order to decrypt. • Used by DES (the Data Encryption Standard) Image: “Feistel cipher diagram” by Amirki CC BY-SA 3.0 15-853 Page 23 Substitution-Permutation network Each round has two components: – Substitution (S-box) one-to-one mapping of subblocks. – Permutation (P-box) Mix the bits around. Both operations are invertible. Avalanche effect: changing one bit of m affects all of c. Image: “Substitution-Permutation Network” by GaborPete CC BY-SA 3.0 15-853 Page 24 Rijndael Selected by AES (Advanced Encryption Standard, part of NIST) as the new private-key encryption standard. Based on an open “competition”. – Competition started Sept. 1997. – Narrowed to 5 Sept. 1999 • MARS by IBM, RC6 by RSA, Twofish by Counterplane, Serpent, and Rijndael – Rijndael selected Oct. 2000. – Official Nov. 2001 (AES page on Rijndael) Designed by Rijmen and Daemen (Dutch) 15-853 Page 25 Goals of Rijndael Resistance against known attacks: – Differential cryptanalysis – Linear cryptanalysis – Truncated differentials – Square attacks – Interpolation attacks – Weak and related keys Speed + Memory efficiency across platforms – 32-bit processors – 8-bit processors (e.g smart cards) – Dedicated hardware Design simplicity and clearly stated security goals 15-853 Page 26 High-level overview An iterated block cipher with – 10–14 rounds, – 128-256 bit blocks, and – 128-256 bit keys Mathematically reasonably sophisticated 15-853 Page 27 Blocks and Keys The blocks and keys are organized as matrices of bytes. For the 128-bit case, it is a 4x4 matrix. b b b b k k k k 0 4 8 12 0 4 8 12 b1 b5 b9 b13 k1 k5 k9 k13 b2 b6 b10 b14 k2 k6 k10 k14 b3 b7 b11 b15 k3 k7 k11 k15 Data block Key b0, b1, …, b15 is the order of the bytes in the stream. 15-853 Page 28 Galois Fields in Rijndael Uses GF(28) over bytes. The irreducible polynomial is: M(x) = x8 + x4 + x3 + x + 1 or 100011011 or 0x11B Also uses degree 3 polynomials with coefficients from GF(28). These are kept as 4 bytes (used for the columns) The polynomial used as a modulus is: M(x) = 00000001x4 + 00000001 or x4 + 1 Not irreducible, but we only need to find inverses of polynomials that are relatively prime to it. 15-853 Page 29 Each round Keyi 0 3 in . + out . 2 1 Rotate Mix Byte Rows columns substitution The inverse runs the steps and rounds backwards. Each step must be reversible! 15-853 Page 30 Byte Substitution Non linear: y = b-1 (done over GF(28)) Linear: z = Ay + B (done over GF(2), i.e., binary) 1 1 0 0 0 1 1 1 1 1 0 1 1 0 0 0 1 1 1 0 A = 1 1 1 0 0 0 1 1 B = 0 1 1 1 1 0 0 0 1 1 1 0 To invert the substitution: y = A-1(z - B) (the matrix A is nonsingular) b = y-1 (over GF(28)) 15-853 Page 31 Mix Columns a0 a For each column a in data block 1 a2 a3 3 2 3 2 4 compute b(x) = (a3x +a2x +a1x+a0)(3x +x +x+2) mod x +1 where coefficients are taken over GF(28). b0 New column b is where b(x)=b x3+b x2+b x+b b1 3 2 1 0 b2 b3 15-853 Page 32 Implementation Using xj mod (x4 + 1) = x(j mod 4) 3 2 3 2 4 (a3x +a2x +a1x+a0)(3x +x +x+2) mod x +1 = (2a0+3a1+a2+a3) + (a0+2a1+3a2+a3)x + 2 (a0+a1+2a2+3a3)x + 2 3 1 1 (3a +a +a +2a )x3 0 1 2 3 1 2 3 1 C = Therefore, b = C • a 1 1 2 3 3 1 1 2 M(x) is not irreducible, but the rows of C and M(x) are coprime, so the transform can be inverted.