DTTF/NB479: Dszquphsbqiz, Day 19: Announcements; finish Rijndael; RSA concepts

Posted on 21-Dec-2015


Announcements:
HW4 – DES due Friday midnight
Any volunteers to help config C/C# later today?
Who’s using Scheme?
Quiz on ch 3 postponed until after break
Term project groups and topics due end of week after break
Use ch 10 – 19 as inspiration

Today:
Finish Rijndael
RSA concepts

Questions?

DTTF/NB479: Dszquphsbqiz, Day 19

Rijndael/AES
Tie-ins with Galois field GF(2^8):
S-box implements z = Ax^-1 + b in GF(2^8)
MixColumn multiplies by a matrix in GF(2^8) to diffuse bits
Key schedule (next) uses S-box and powers in GF(2^8)

Wikipedia’s visuals

AddRoundKey (ARK)
XOR the round key with matrix d.
Key schedule on next slide


Key Schedule

$W(0)\ W(1)\ W(2)\ W(3)\ W(4)\ W(5)\ \ldots\ W(43)$

Write original key as 4x4 matrix with 4 columns: W(0), W(1), W(2), W(3). Key for round i is (W(4i), W(4i+1), W(4i+2), W(4i+3)).

Other columns defined recursively:

$$W(i) = \begin{cases} W(i-4) \oplus T(W(i-1)) & \text{if } 4 \mid i \\ W(i-4) \oplus W(i-1) & \text{otherwise} \end{cases}$$

where T(W(i-1)) is built from the bytes of W(i-1) = (a, b, c, d)^T: rotate to (b, c, d, a)^T, apply the S-box to each byte to get (e, f, g, h)^T, and XOR the round constant r(i) into the first byte:

$$T(W(i-1)) = \begin{pmatrix} e \\ f \\ g \\ h \end{pmatrix} \oplus \begin{pmatrix} r(i) \\ 0 \\ 0 \\ 0 \end{pmatrix}, \qquad r(i) = (00000010)^{(i-4)/4} \text{ in } GF(2^8)$$

S-box

Highly non-linear. Resists attacks at finding whole key when part is known

K0, K1, … K10

192-, 256-bit versions similar
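Added example (not the lecture's own code): the AES-128 key schedule exactly as the recursion above states it, with the S-box computed from the GF(2^8) inverse plus affine map z = Ax^-1 + b rather than looked up from a table. The key is the public FIPS-197 Appendix A example key, not a secret; function names are my own.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(x):
    """Multiplicative inverse in GF(2^8): x^-1 = x^254 (0 is sent to 0)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def sbox(x):
    """S-box z = A x^-1 + b: invert in GF(2^8), then apply the affine map over GF(2)."""
    y = gf_inv(x)
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF   # 8-bit left rotate
    return y ^ rotl(y, 1) ^ rotl(y, 2) ^ rotl(y, 3) ^ rotl(y, 4) ^ 0x63

def round_const(i):
    """r(i) = (00000010)^((i-4)/4), the power computed in GF(2^8)."""
    r = 1
    for _ in range((i - 4) // 4):
        r = gf_mul(r, 2)
    return r

def key_schedule(key):
    """Expand a 16-byte AES-128 key into the 44 columns W(0)..W(43)."""
    W = [list(key[4 * i:4 * i + 4]) for i in range(4)]   # W(0..3) = the key itself
    for i in range(4, 44):
        prev = W[i - 1]
        if i % 4 == 0:                       # 4 | i: apply T to the previous column
            a, b, c, d = prev
            e, f, g, h = (sbox(v) for v in (b, c, d, a))   # rotate, then S-box each byte
            prev = [e ^ round_const(i), f, g, h]
        W.append([x ^ y for x, y in zip(W[i - 4], prev)])
    return W

def round_key(W, i):
    """Key for round i is the four columns (W(4i), W(4i+1), W(4i+2), W(4i+3))."""
    return W[4 * i:4 * i + 4]

# FIPS-197 Appendix A.1 example key (a published test vector, not a real secret).
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
```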

Decryption
E(k) is:
(ARK0, BS, SR, MC, ARK1, … BS, SR, MC, ARK9, BS, SR, ARK10)
Each function is invertible: ARK; IBS; ISR; IMC
So D(k) is:
(ARK10, ISR, IBS, ARK9, IMC, ISR, IBS, … ARK1, IMC, ISR, IBS, ARK0)

Half-round structure:
Write E(k) = ARK, (BS, SR), (MC, ARK), … (BS, SR), (MC, ARK), (BS, SR), ARK
(Note that last MC wouldn’t fit)
D(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), … (ARK, IMC), (ISR, IBS), ARK
Can write:
D(k) = ARK, (IBS, ISR), (IMC, IARK), … (IBS, ISR), (IMC, IARK), (IBS, ISR), ARK

Wrap-up
Do you trust 128-bit encryption now?
You should, especially when keys are sent using public key cryptography (next)

Public-key Cryptography
Problem: how can I send my AES key without Eve intercepting it?
Consider a scheme in which everyone publishes a (public) method by which messages can be encrypted and sent to them … but only the publisher can decrypt.
Knowing how to encrypt does not reveal how to decrypt!

RSA (Rivest – Shamir – Adleman)
For Alice to send a message to Bob:
Bob chooses primes p, q (large, ~100 digits each)
He publishes his public key (n, e):
n = pq
e, a large number such that gcd(e, (p-1)(q-1)) = 1
Alice has a message m < n. Otherwise (if m > n), break message into chunks < n
Alice sends c = m^e (mod n)
Bob computes c^d (mod n) = (m^e)^d = m (mod n). What does he use for d?

Why does decryption work?
Alice – (m) → Bob
Bob’s key:
n = pq
e: gcd(e, (p-1)(q-1)) = 1. This is so d = e^-1 mod (p-1)(q-1) exists
Alice sends c = m^e (mod n)
Bob computes c^d (mod n) = (m^e)^d = m (mod n), where d = e^-1 (mod (p-1)(q-1)). What does he use for d?
Recall Euler’s theorem: $m^{\varphi(n)} \equiv 1 \pmod n$ as long as gcd(m, n) = 1
So m^ed = m (mod n) iff ed = 1 (mod φ(n)) = 1 (mod (p-1)(q-1))
So d = e^-1 mod (p-1)(q-1)

Toy example
Alice – (m) → Bob
Bob’s key: n = pq = (13)(17) = 221
e = 35: gcd(e, (p-1)(q-1)) = 1
d = e^-1 mod 192 exists: d = __11__
m = 20 (letter t; 1-based, so leading ‘a’ = 1 not ignored)
c = m^e (mod n) = __197__
c^d (mod n) = __20__

Issues:
How to compute 20^35 (mod 221)? Efficiency is O(log e)
How to compute d? Extended Euclidean alg.
And why is this secure? Why can’t Eve calculate d herself?

Security
Eve knows e, n, and c only
To find d = e^-1 (mod φ(n)), Eve needs to know φ(n) = (p-1)(q-1)
If she knows n, she can factor it into p and q to find φ(n), right?
That’s a big if, since n is ~200 digits long!
Large numbers are hard to factor! Can’t just test every prime from 1 .. sqrt(n)

Security
c = m^e (mod n)
Can Eve just compute the e-th root of c? Not since mod n. Unless we brute force, but not when n is large!
Is φ(n) as hard to find as the factors of n?
Claim: factoring n hard ⇒ finding φ(n) hard. Equivalently: φ(n) easy ⇒ factoring n easy
If I know n and φ(n), how can I find p, q? Hint: write n and φ(n) in terms of p and q.
I will show later that finding d is as hard to find as factors of n (uses factoring). So Eve has no shortcuts to factoring!
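Added example (my code, not the lecture's) covering the toy example and the two "Issues" plus the hint on the last slide: extended Euclid for d, square-and-multiply for the O(log e) modular power, and the recovery of p, q from n and φ(n) by solving the quadratic x^2 - (n - φ(n) + 1)x + n = 0. Function names are my own; the numbers are the slide's p = 13, q = 17, e = 35.

```python
from math import isqrt

def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e, m):
    """d = e^-1 mod m, which exists only when gcd(e, m) = 1."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("gcd(e, m) != 1, so e has no inverse mod m")
    return x % m

def modpow(base, exp, n):
    """Square-and-multiply: O(log exp) multiplications, every intermediate stays below n^2."""
    result, base = 1, base % n
    while exp:
        if exp & 1:
            result = result * base % n
        base = base * base % n
        exp >>= 1
    return result

def rsa_keygen(p, q, e):
    """Bob's setup: public key (n, e) and private d = e^-1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), modinv(e, phi)

def rsa_encrypt(m, n, e):
    """Alice: c = m^e (mod n); the slide requires m < n, else chunk the message."""
    if not 0 <= m < n:
        raise ValueError("message must be broken into chunks < n")
    return modpow(m, e, n)

def rsa_decrypt(c, n, d):
    """Bob: c^d = m^(ed) = m (mod n) by Euler's theorem, since ed = 1 (mod phi(n))."""
    return modpow(c, d, n)

def factor_from_phi(n, phi):
    """phi(n) = (p-1)(q-1) = n - (p+q) + 1 gives s = p+q; p, q are the roots of x^2 - s x + n."""
    s = n - phi + 1
    disc = s * s - 4 * n
    root = isqrt(disc) if disc >= 0 else -1
    if root < 0 or root * root != disc:
        raise ValueError("phi is not consistent with n = pq")
    return (s - root) // 2, (s + root) // 2
```

Knowing φ(n) therefore costs Eve nothing less than factoring n, which is the claim on the last slide.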