Announcements
• Homework 2 graded.
• Recitation tomorrow:
  • Eigenvalues and SVD.
  • HW solution discussion.
• No lecture next Tuesday (November 5th).
• Make-up lecture next Friday (November 8th).
15-853 Page 1
15-853: Algorithms in the Real World
Cryptography #1
Cryptography Outline
Introduction: terminology, cryptanalysis, security
Private-Key Algorithms: Rijndael, DES
Number Theory
Cryptography Outline
Introduction:
  – terminology
  – cryptanalytic attacks
  – security
Private-Key Algorithms: Rijndael, DES
Number Theory
Some Terminology
Cryptography – the general term
Cryptology – the theory
Encryption – encoding (but sometimes used as general term)
Cryptanalysis – breaking codes
Cipher – a method or algorithm for encrypting or decrypting
More Definitions
Plaintext m → Encryption E_k(m) = c → Ciphertext c → Decryption D_k(c) = m → Original Plaintext
Key Generator → Key 1 (used by Encryption), Key 2 (used by Decryption)
Private Key or Symmetric: Key 1 = Key 2
Public Key or Asymmetric: Key 1 ≠ Key 2
  Key 1 or Key 2 is public depending on the protocol
Private key encryption
Alice: c = Encrypt(k, m)  ──c──→  Bob: m = Decrypt(k, c)
Eve observes c on the channel.
We assume Eve knows everything about the encryption scheme except the secret key (Kerckhoffs's principle).
What does it mean to be secure?
Attempt 1: it should be impossible for Eve to get the key. (Too weak: a scheme that outputs m in the clear can still hide k.)
Attempt 2: it should be impossible for Eve to recover m. (Too weak: a scheme that leaks half of m satisfies it.)
Attempt 3: impossible for Eve to recover any bit of m. (Too weak: leaking the XOR of all bits of m reveals no single bit but still leaks.)
Attempt 4: regardless of any information that Eve has, c should not leak any additional information about m. ✓
One-time pad
• Key generation:
  • Input: length n (in unary)
  • Output: uniformly random k ∈ {0,1}^n
• Encryption:
  • Input: m ∈ {0,1}^n, k ∈ {0,1}^n
  • Output: c = m ⊕ k
• Decryption:
  • Input: c ∈ {0,1}^n, k ∈ {0,1}^n
  • Output: m = c ⊕ k
One-time pad
One-time pad is perfectly secret:
• Let M, C be random variables for the message and ciphertext.
• For every message m and ciphertext c with Pr[C = c] > 0:
    Pr[M = m | C = c] = Pr[M = m]
• Ciphertext contains no information about message!
One-time pad
One-time pad is perfectly secret. Proof:
  Pr[C = c | M = m] = Pr[m ⊕ K = c] = Pr[K = m ⊕ c] = 2^-n
  Pr[C = c] = Σ_m Pr[C = c | M = m] Pr[M = m] = 2^-n Σ_m Pr[M = m] = 2^-n
  Pr[M = m | C = c] = Pr[C = c | M = m] Pr[M = m] / Pr[C = c] = Pr[M = m]
Can we reuse a one-time pad? No: if c_1 = m_1 ⊕ k and c_2 = m_2 ⊕ k, then c_1 ⊕ c_2 = m_1 ⊕ m_2, so the key cancels and the relation between the two messages leaks.
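The one-time pad from the slides, as an added example (not code from the lecture), at byte rather than bit granularity. It also makes the two claims of the last two slides concrete: trying every key against a one-byte ciphertext reaches every message, which is what perfect secrecy says, and XORing two ciphertexts made with the same pad cancels the key. The "crib dragging" helper shows what Eve does with that leak: guess a word in one message and read the other. The sample messages and the fixed key in the tests are constructed for the demo.

```python
import os


def keygen(n: int) -> bytes:
    """Uniformly random n-byte key (the slide's n-bit key, at byte granularity)."""
    return os.urandom(n)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length strings; the pad must be as long as the message."""
    if len(a) != len(b):
        raise ValueError("one-time pad requires len(key) == len(message)")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(m: bytes, k: bytes) -> bytes:
    return xor_bytes(m, k)          # c = m XOR k


def decrypt(c: bytes, k: bytes) -> bytes:
    return xor_bytes(c, k)          # m = c XOR k, since k XOR k = 0


def every_message_is_possible(c: bytes) -> bool:
    """Perfect secrecy, made concrete for a one-byte ciphertext: trying every key
    reaches every message exactly once, so c alone says nothing about m."""
    if len(c) != 1:
        raise ValueError("demo is for a single byte")
    return {decrypt(c, bytes([k]))[0] for k in range(256)} == set(range(256))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What Eve learns when the same pad encrypts two messages: the key cancels,
    c1 XOR c2 == m1 XOR m2."""
    return xor_bytes(c1, c2)


def crib_drag(m1_xor_m2: bytes, crib: bytes, offset: int) -> bytes:
    """If Eve guesses that crib appears in m1 at offset, XORing it into
    m1 XOR m2 reveals the corresponding bytes of m2 (no key needed)."""
    window = m1_xor_m2[offset:offset + len(crib)]
    return xor_bytes(window, crib)


if __name__ == "__main__":
    # Constructed sample messages; any two equal-length messages behave the same.
    m1, m2 = b"attack at dawn!", b"retreat at noon"
    k = keygen(len(m1))
    c1, c2 = encrypt(m1, k), encrypt(m2, k)
    print(decrypt(c1, k))                                  # b'attack at dawn!'
    print(every_message_is_possible(c1[:1]))               # True
    leak = two_time_pad_leak(c1, c2)
    print(crib_drag(leak, b"dawn!", 10))                   # b' noon', without seeing k
```

The same failure reappears whenever a keystream is reused, which is why the counter in CTR mode later in the lecture must never repeat under one key.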
The importance of randomness
• Previous proof only works if key is truly uniformly random.
• An adversary can exploit biases in randomness.
• There are techniques to extract uniformly random bits from biased sources.
• E.g.: suppose we have a biased coin with probabilities p and 1 – p for heads and tails.
• How to obtain uniformly random bits from this coin?
• Flip twice (von Neumann's trick):
  • If (heads, tails) then output 1.
  • If (tails, heads) then output 0.
  • If (heads, heads) or (tails, tails) then no output.
• Why it works: Pr[(heads, tails)] = Pr[(tails, heads)] = p(1 – p), so 0 and 1 are equally likely whatever p is. This needs the flips to be independent with the same bias; a pair yields an output bit only with probability 2p(1 – p), so a very biased coin wastes most flips.
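Von Neumann's extractor from the slide, as an added example (not code from the lecture). The biased coin is simulated with a seeded pseudorandom generator, a constructed source used only so the demo runs offline; a real deployment would feed it hardware noise. The yield function states the cost the slide leaves implicit: with p = 0.9 fewer than one flip in ten becomes an output bit.

```python
import random
from typing import Iterable, Iterator


def von_neumann(flips: Iterable[bool]) -> Iterator[int]:
    """Von Neumann's extractor: consume flips two at a time (True = heads).
    (heads, tails) -> 1, (tails, heads) -> 0, (heads, heads) / (tails, tails) -> nothing.
    Both emitting pairs have probability p(1-p), so the output is unbiased for any p,
    provided the flips are independent and share the same bias."""
    it = iter(flips)
    for first in it:
        second = next(it, None)
        if second is None:          # odd trailing flip: nothing to pair it with
            return
        if first != second:
            yield 1 if first else 0


def extract_bits(flips: Iterable[bool]) -> list[int]:
    return list(von_neumann(flips))


def expected_bits_per_flip(p: float) -> float:
    """Each pair yields a bit with probability 2p(1-p); per flip that is p(1-p).
    A fair coin gives 0.25 bits per flip, p = 0.9 only 0.09."""
    return p * (1 - p)


def biased_coin(p: float, n: int, seed: int) -> list[bool]:
    """Constructed biased source for the demo (seeded so runs are reproducible)."""
    rng = random.Random(seed)
    return [rng.random() < p for _ in range(n)]


def fraction_of_ones(bits: list[int]) -> float:
    return sum(bits) / len(bits) if bits else 0.0


if __name__ == "__main__":
    flips = biased_coin(0.9, 20_000, seed=1)
    out = extract_bits(flips)
    print(f"raw heads fraction: {sum(flips) / len(flips):.3f}")            # about 0.9
    print(f"extracted {len(out)} bits, ones fraction: {fraction_of_ones(out):.3f}")  # about 0.5
    print(f"expected yield: {expected_bits_per_flip(0.9):.2f} bits/flip")
```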
Computational secrecy
• Perfect secrecy requires the key to be at least as long as the message. This is impractical!
• We need to settle for a weaker definition.
• Any efficient adversary succeeds in breaking the scheme with at most negligible probability.
• Efficient = runs in probabilistic polynomial time (PPT).
• Negligible = goes to zero faster than any inverse polynomial:
  – A positive function f is negligible if for every positive integer c there exists N_c such that f(n) < n^-c for all n > N_c.
  – Denoted f = negl(n).
Cryptanalytic Attacks
c = ciphertext messages, m = plaintext messages
Ciphertext Only: Attacker has multiple cs but does not know the corresponding ms.
Known Plaintext: Attacker knows some number of (c, m) pairs.
Chosen Plaintext: Attacker gets to choose ms and obtain the corresponding cs beforehand.
Chosen Ciphertext: Attacker gets to choose cs and obtain the corresponding ms beforehand.
Cryptography Outline
Introduction: terminology, cryptanalysis, security
Private-Key Algorithms:
  – Block ciphers and product ciphers
  – Rijndael, DES
Number Theory
Private Key Algorithms
Plaintext M → Encryption E_k(M) = C (Key 1) → Ciphertext C → Decryption D_k(C) = M (Key 1) → Original Plaintext
What granularity of the message does E_k encrypt?
Private Key Algorithms
Block Ciphers: blocks of bits at a time
– DES (Data Encryption Standard)
  Banks, linux passwords (almost), SSL, kerberos, …
– Blowfish (SSL as option)
– IDEA (used in PGP, SSL as option)
– Rijndael (AES) – the new standard
Private Key: Block Ciphers
A block cipher C is a function with:
• Input: a key k ∈ {0,1}^|k|, block x ∈ {0,1}^n
• Output: a block y ∈ {0,1}^n
• Objective: for a fixed secret k, C(k, ·) should be hard to distinguish from a random permutation on {0,1}^n.
• We can chop long messages into blocks.
• Suppose we encrypt each block as c = C(k, m).
• What's the problem with this?
• Equal messages have equal encryptions! Equal blocks anywhere in the message give equal ciphertext blocks, so repetition and structure in the plaintext show through.
Private Key: Block Ciphers
Intuition: generate a "fresh" one-time pad for each block.
Counter (CTR) mode: pick a starting counter ctr, output it in the clear, and for block i = 1, 2, 3, … compute
  c_i = m_i ⊕ C(k, ctr + i)          (counter values ctr+1, ctr+2, ctr+3, …)
Output: (ctr, c_1, c_2, c_3, …). Decryption is the same operation; only C(k, ·) is needed, never its inverse.
A counter value must never be reused under the same key: two blocks encrypted with the same C(k, ctr + i) leak their XOR, exactly like a reused one-time pad.
Block cipher implementations
Iterated Block Ciphers
Consists of n rounds:
  m → [R, k_1] → s_1 → [R, k_2] → s_2 → … → [R, k_n] → c
R = the "round" function
s_i = state after round i
k_i = the i-th round key (derived from key)
Iterated Block Ciphers: Decryption
Run the rounds in reverse. Requires that R has an inverse.
  c → [R^-1, k_n] → s_(n-1) → … → [R^-1, k_2] → s_1 → [R^-1, k_1] → m
Feistel Networks
• Split the block into halves (L, R). Round i: L_(i+1) = R_i, R_(i+1) = L_i ⊕ F(R_i, k_i).
• The round function F need not be invertible: the round is undone as L_i = R_(i+1) ⊕ F(L_(i+1), k_i).
• Run with round keys in reverse order to decrypt.
• Used by DES (the Data Encryption Standard).
Image: "Feistel cipher diagram" by Amirki CC BY-SA 3.0
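A small Feistel network with a non-invertible round function, as an added example (not code from the lecture, and not DES): it shows the iterated-round structure of the previous three slides, that decryption is the same routine with the round keys reversed, and, on top of it, the two ways of using a block cipher from the CTR slide. The block size (64 bits), the round count, the key schedule (a SHA-256 of key and round index) and the round function (a truncated SHA-256) are choices made for this demo, not part of any standard; the key and messages are constructed.

```python
import hashlib
import struct

BLOCK = 8        # 64-bit block, split into two 32-bit halves L and R
ROUNDS = 8


def round_keys(key: bytes, n: int = ROUNDS) -> list[bytes]:
    """Toy key schedule, an assumption of this demo: k_i = SHA-256(key || i)[:4]."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(n)]


def F(right: int, k: bytes) -> int:
    """Round function. It need not be invertible; a truncated hash of (k, R) will do."""
    digest = hashlib.sha256(k + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block: bytes, ks: list[bytes]) -> bytes:
    """L_{i+1} = R_i, R_{i+1} = L_i XOR F(R_i, k_i), halves swapped back at the end.
    Because of that final swap, decryption is this same function with ks reversed."""
    L, R = struct.unpack(">II", block)
    for k in ks:
        L, R = R, L ^ F(R, k)
    return struct.pack(">II", R, L)


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, round_keys(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, round_keys(key)[::-1])   # round keys in reverse order


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """Naive 'encrypt each block independently'. Equal blocks give equal ciphertexts."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    ks = round_keys(key)
    return b"".join(feistel(msg[i:i + BLOCK], ks) for i in range(0, len(msg), BLOCK))


def ctr_crypt(key: bytes, ctr: int, data: bytes) -> bytes:
    """CTR mode: block i is XORed with C(k, ctr + i), a fresh pad per block.
    Encryption and decryption are the same operation; ctr travels with the ciphertext.
    Any length works (the last pad block is truncated), so no padding is needed."""
    ks = round_keys(key)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (ctr + 1 + i // BLOCK) & 0xFFFFFFFFFFFFFFFF
        pad = feistel(counter.to_bytes(BLOCK, "big"), ks)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], pad))
    return bytes(out)


if __name__ == "__main__":
    key = b"constructed demo key"
    msg = b"SAMEBLCK" * 2 + b"tail"           # two identical blocks, then a partial one
    print(ecb_encrypt(key, msg[:16]).hex())   # first and second 8 bytes are identical
    c = ctr_crypt(key, 7, msg)
    print(c.hex())                            # no repeated 8-byte pattern
    print(ctr_crypt(key, 7, c) == msg)        # True: same call decrypts
```

Because the network only ever calls F in the forward direction, a cipher built this way can use any keyed function as its round; the inverse comes from the structure, not from F. With `ctr_crypt`, reusing the same `ctr` under one key for two messages hands Eve the XOR of the plaintexts, the two-time-pad failure from earlier in the lecture.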
Substitution-Permutation network
Each round has two components:
– Substitution (S-box): one-to-one mapping of subblocks.
– Permutation (P-box): mix the bits around.
Both operations are invertible.
Avalanche effect: changing one bit of m affects all of c (after a few rounds each output bit flips with probability about 1/2).
Image: "Substitution-Permutation Network" by GaborPete CC BY-SA 3.0
Rijndael
Selected by NIST as the Advanced Encryption Standard (AES), the new private-key encryption standard.
Based on an open "competition".
– Competition started Sept. 1997.
– Narrowed to 5 finalists, Aug. 1999:
  • MARS by IBM, RC6 by RSA, Twofish by Counterpane, Serpent, and Rijndael
– Rijndael selected Oct. 2000.
– Official Nov. 2001 (FIPS 197).
Designed by Vincent Rijmen and Joan Daemen (Belgian).
Goals of Rijndael
Resistance against known attacks:
  – Differential cryptanalysis
  – Linear cryptanalysis
  – Truncated differentials
  – Square attacks
  – Interpolation attacks
  – Weak and related keys
Speed + memory efficiency across platforms:
  – 32-bit processors
  – 8-bit processors (e.g. smart cards)
  – Dedicated hardware
Design simplicity and clearly stated security goals
High-level overview
An iterated block cipher with
  – 10–14 rounds,
  – 128–256 bit blocks, and
  – 128–256 bit keys.
(AES standardizes only the 128-bit block size, with 10, 12 or 14 rounds for 128-, 192- and 256-bit keys.)
Mathematically reasonably sophisticated.
Blocks and Keys
The blocks and keys are organized as matrices of bytes. For the 128-bit case, it is a 4x4 matrix, filled column by column:

  Data block               Key
  b0  b4  b8   b12         k0  k4  k8   k12
  b1  b5  b9   b13         k1  k5  k9   k13
  b2  b6  b10  b14         k2  k6  k10  k14
  b3  b7  b11  b15         k3  k7  k11  k15

b0, b1, …, b15 is the order of the bytes in the stream.
Galois Fields in Rijndael
Uses GF(2^8) over bytes. The irreducible polynomial is:
  M(x) = x^8 + x^4 + x^3 + x + 1, or 100011011 in binary, or 0x11B.
Also uses degree-3 polynomials with coefficients from GF(2^8). These are kept as 4 bytes (used for the columns). The polynomial used as a modulus is:
  M(x) = 00000001 x^4 + 00000001, or x^4 + 1.
Not irreducible (over GF(2), x^4 + 1 = (x + 1)^4), but we only need to find inverses of polynomials that are relatively prime to it, and the MixColumns polynomial 3x^3 + x^2 + x + 2 is.
Each round
  in → Byte substitution → Rotate rows → Mix columns → ⊕ Key_i → out
Rotate rows: row i of the 4x4 state is rotated left by i bytes (offsets 0, 1, 2, 3).
The inverse runs the steps and rounds backwards. Each step must be reversible!
Byte Substitution
Non linear: y = b^-1 (done over GF(2^8); 0 is mapped to 0)
Linear: z = Ay + B (done over GF(2), i.e., binary), bit 0 written first:

        | 1 0 0 0 1 1 1 1 |          | 1 |
        | 1 1 0 0 0 1 1 1 |          | 1 |
        | 1 1 1 0 0 0 1 1 |          | 0 |
    A = | 1 1 1 1 0 0 0 1 |      B = | 0 |   (B = 0x63)
        | 1 1 1 1 1 0 0 0 |          | 0 |
        | 0 1 1 1 1 1 0 0 |          | 1 |
        | 0 0 1 1 1 1 1 0 |          | 1 |
        | 0 0 0 1 1 1 1 1 |          | 0 |

  i.e. z_i = y_i ⊕ y_(i+4) ⊕ y_(i+5) ⊕ y_(i+6) ⊕ y_(i+7) ⊕ B_i, indices mod 8.
To invert the substitution:
  y = A^-1 (z − B)   (the matrix A is nonsingular; over GF(2), − is ⊕)
  b = y^-1 (over GF(2^8))
Mix Columns
For each column a = (a_0, a_1, a_2, a_3) in the data block compute
  b(x) = (a_3 x^3 + a_2 x^2 + a_1 x + a_0)(3x^3 + x^2 + x + 2) mod x^4 + 1
where coefficients are taken over GF(2^8) and b(x) = b_3 x^3 + b_2 x^2 + b_1 x + b_0.
The new column is b = (b_0, b_1, b_2, b_3).
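The three Rijndael building blocks from the last slides, GF(2^8) arithmetic modulo 0x11B, the byte substitution (inverse followed by the affine map) and MixColumns as a polynomial product modulo x^4 + 1, written out as an added example (not code from the lecture or from any AES library). The multiplication by x, the a^254 inverse and the inverse affine map are standard ways of computing what the slides define; the inverse MixColumns polynomial 0B x^3 + 0D x^2 + 09 x + 0E is the inverse of 3x^3 + x^2 + x + 2 that exists because the two are relatively prime to x^4 + 1. The values in the test are the FIPS-197 worked examples.

```python
AES_MODULUS = 0x11B            # x^8 + x^4 + x^3 + x + 1


def xtime(a: int) -> int:
    """Multiply by x in GF(2^8): shift left, reduce by M(x) if degree 8 appeared."""
    a <<= 1
    return (a ^ AES_MODULUS) & 0xFF if a & 0x100 else a


def gf_mul(a: int, b: int) -> int:
    """Schoolbook product a*b mod M(x); b is consumed bit by bit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); 0 maps to 0 by convention."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox(b: int) -> int:
    """ByteSub: y = b^-1 over GF(2^8), then z = A*y + B over GF(2).
    With A the circulant matrix from the slide and B = 0x63, A*y is y ^ rotl(y, 1..4)."""
    y = gf_inv(b)
    return y ^ rotl8(y, 1) ^ rotl8(y, 2) ^ rotl8(y, 3) ^ rotl8(y, 4) ^ 0x63


def inv_sbox(z: int) -> int:
    """y = A^-1 (z - B) (subtraction is XOR in GF(2)), then b = y^-1."""
    y = rotl8(z, 1) ^ rotl8(z, 3) ^ rotl8(z, 6) ^ 0x05
    return gf_inv(y)


def poly_mul_mod_x4_plus_1(a: list[int], c: list[int]) -> list[int]:
    """Product of two polynomials with GF(2^8) coefficients, reduced mod x^4 + 1.
    Lists hold coefficients lowest degree first; x^4 == 1, so exponents wrap mod 4."""
    r = [0, 0, 0, 0]
    for i, ai in enumerate(a):
        for j, cj in enumerate(c):
            r[(i + j) % 4] ^= gf_mul(ai, cj)
    return r


MIX = [0x02, 0x01, 0x01, 0x03]       # c(x) = 3x^3 + x^2 + x + 2
INV_MIX = [0x0E, 0x09, 0x0D, 0x0B]   # d(x) = c(x)^-1 mod x^4 + 1


def mix_column(col: list[int]) -> list[int]:
    """One column of the state, a = (a0, a1, a2, a3), to b = (b0, b1, b2, b3)."""
    return poly_mul_mod_x4_plus_1(col, MIX)


def inv_mix_column(col: list[int]) -> list[int]:
    return poly_mul_mod_x4_plus_1(col, INV_MIX)


if __name__ == "__main__":
    print(hex(gf_mul(0x53, 0xCA)))                                 # 0x1: they are inverses
    print(hex(sbox(0x53)), hex(inv_sbox(0xED)))                    # 0xed 0x53
    print([hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])  # 8e 4d a1 bc
```

Building the S-box from the formula rather than pasting the 256-entry table is also the easy way to check a table copied from elsewhere: the test asserts the map is a bijection and that `inv_sbox` undoes it on every byte. The product `MIX * INV_MIX` reducing to the constant 1 is the concrete form of the slide's remark that only coprime polynomials need inverses modulo x^4 + 1.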