Announcements:Announcements: HW4 – DES due ThursdayHW4 – DES due Thursday

I have installed, or will install: Java, C (gcc), Python.I have installed, or will install: Java, C (gcc), Python.What other languages? Please make appointment to help install What other languages? Please make appointment to help install required softwarerequired software

Thursday: bring textbook and Maple in class.Thursday: bring textbook and Maple in class. Friday: Ch 3 written examFriday: Ch 3 written exam

Term project groups and topics due at end of week 6Term project groups and topics due at end of week 6Use ch 10 – 19 as inspirationUse ch 10 – 19 as inspiration

TodayToday Finish RijndaelFinish Rijndael RSA conceptsRSA concepts

Questions?Questions?

DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 18Day 18

1

Rijndael/AESRijndael/AESTie-ins with Galois field, Tie-ins with Galois field,

GF(2GF(288):):S-box implements z = S-box implements z =

AxAx-1-1 + b in GF(2 + b in GF(288))MixColumn multiplies by MixColumn multiplies by

a matrix in GF(2a matrix in GF(288) to ) to diffuse bitsdiffuse bits

Key schedule (next) Key schedule (next) uses S-box and uses S-box and powers in GF(2powers in GF(288) )

Wikipedia’s Wikipedia’s visuals

DecryptionDecryption

E(k) is:E(k) is:

(ARK(ARK00, BS, SR, MC, ARK, BS, SR, MC, ARK11, … BS, SR, MC, , … BS, SR, MC,

ARKARK99, BS, SR, ARK, BS, SR, ARK1010))

Each function is invertible:Each function is invertible:

ARK; IBS; ISR; IMCARK; IBS; ISR; IMC

So D(k) is:So D(k) is:

ARKARK1010, ISR, IBS, ARK, ISR, IBS, ARK99, IMC, ISR, IBS, , IMC, ISR, IBS,

… ARK… ARK11, IMC, ISR, IBS, ARK, IMC, ISR, IBS, ARK00))

Half-round structure:Half-round structure:Write E(k) = ARK, (BS, SR), (MC, ARK), … (BS, SR), (MC, ARK), (BS, SR), ARKWrite E(k) = ARK, (BS, SR), (MC, ARK), … (BS, SR), (MC, ARK), (BS, SR), ARK

(Note that last MC wouldn’t fit)(Note that last MC wouldn’t fit)D(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), … (ARK, IMC), (ISR, IBS), ARKD(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), … (ARK, IMC), (ISR, IBS), ARK

Can write:Can write:D(k) = ARK, (IBS, ISR), (IMC, IARK), … (IBS, ISR), (IMC, IARK), (IBS, ISR), ARKD(k) = ARK, (IBS, ISR), (IMC, IARK), … (IBS, ISR), (IMC, IARK), (IBS, ISR), ARK

Public-key cryptography is used to send “session” Public-key cryptography is used to send “session” keys for AES to encode messages.keys for AES to encode messages.

Do you trust 128-bit encryption now?Do you trust 128-bit encryption now?

You should, especially when keys are sent You should, especially when keys are sent using public key cryptography (next)using public key cryptography (next)

Relationship between RSA and AES in Relationship between RSA and AES in http://www.grc.com/securitynow.htm#183. (To get to the . (To get to the point, jump to 51:57; thanks to Matthew Jacobs ‘09 for point, jump to 51:57; thanks to Matthew Jacobs ‘09 for reference)reference)

Public-key CryptographyPublic-key Cryptography

Problem: how can I send my AES key Problem: how can I send my AES key without Eve intercepting it?without Eve intercepting it?Consider a scheme in which everyone Consider a scheme in which everyone publipublishes a (shes a (publipublic) method by which c) method by which messages can be encrypted and sent to messages can be encrypted and sent to them … but only the publisher can them … but only the publisher can decrypt.decrypt. Knowing how to encrypt does not reveal how Knowing how to encrypt does not reveal how

to decrypt!to decrypt!

2

RSA (Rivest – Shamir – Adelman) relies on the RSA (Rivest – Shamir – Adelman) relies on the inability to quickly factor products of large primesinability to quickly factor products of large primes

For Alice to send a message to Bob.For Alice to send a message to Bob.Bob chooses primes p,q (large, ~100 digits each)Bob chooses primes p,q (large, ~100 digits each)He publishes his public key (n,e):He publishes his public key (n,e): n = pqn = pq e, a large number such that gcd(e, (p-1)(q-1)) = 1e, a large number such that gcd(e, (p-1)(q-1)) = 1

Alice has a message m < n.Alice has a message m < n. Otherwise (if m > n), break message into chunks < nOtherwise (if m > n), break message into chunks < n

Alice sends c = mAlice sends c = mee(mod n)(mod n)Bob computes cBob computes cdd (mod n) = (m (mod n) = (mee))dd = m (mod n). = m (mod n).What does he use for d? What does he use for d?

3

Why does decryption work? Why does decryption work?

Alice – (m) Alice – (m) Bob BobBob’s key: Bob’s key:

n = pq n = pq e: gcd(e, (p-1)(q-1)) = 1e: gcd(e, (p-1)(q-1)) = 1 This is so This is so

d=ed=e-1-1 mod (p-1)(q-1) exists mod (p-1)(q-1) exists

Alice sends c = mAlice sends c = mee(mod (mod n)n)Bob computes cBob computes cdd (mod n) (mod n) = (m= (mee))dd = m (mod n), = m (mod n), where where d = ed = e-1-1 (mod (p-1)(q-1)). (mod (p-1)(q-1)).

Recall Euler’s theorem:Recall Euler’s theorem:

as long as gcd(m,n) = 1as long as gcd(m,n) = 1

So mSo meded = m (mod n) = m (mod n) iff ed = 1 (mod iff ed = 1 (mod (n) (n) = 1 (mod (p-1)(q-1)) = 1 (mod (p-1)(q-1))

So d = eSo d = e-1-1 mod (p-1)(q-1) mod (p-1)(q-1)

)(mod1)( nm n

4

Toy example Toy example

Alice has (m) Alice has (m) Bob Bob

Bob’s key: Bob’s key: n = pq = (13)(17) = 221n = pq = (13)(17) = 221 e = 35: gcd(e, (p-1)(q-1)) = 1e = 35: gcd(e, (p-1)(q-1)) = 1 d=ed=e-1-1 mod 192 exists: mod 192 exists:

d = ____d = ____

m = 20 (letter t)m = 20 (letter t) 1-based1-based, so leading ‘a’ = 1 not , so leading ‘a’ = 1 not

ignoredignored

c = mc = mee(mod n) = ____(mod n) = ____

ccdd (mod n) = ___ (mod n) = ___

Issues: Issues: How How does Alice compute does Alice compute

20203535(mod 221)?(mod 221)?

Modular exponentiationModular exponentiation

Efficiency is O(log e)Efficiency is O(log e)

How How does Bob compute d?does Bob compute d?

Extended Euclidean alg.Extended Euclidean alg.

Efficiency is O(log n)Efficiency is O(log n)

And why is this secure? And why is this secure? Why can’t Eve calculate d Why can’t Eve calculate d

herself?herself?

11

197

20

5-7

The security if RSA lies in the The security if RSA lies in the difficulty of factoring large numbersdifficulty of factoring large numbers

Eve knows e, n, and c onlyEve knows e, n, and c only

To find d = eTo find d = e-1-1 (mod (mod (n)),(n)),Eve needs to know Eve needs to know (n) = (p-1)(q-1)(n) = (p-1)(q-1)

If she knows n, she can factor it into p and q If she knows n, she can factor it into p and q to find to find (n), right?(n), right?

That’s a big That’s a big ifif, since n is ~200 digits long in , since n is ~200 digits long in practice!practice!

Large numbers are Large numbers are hard hard to factor!to factor! Can’t just test every prime from 1 .. sqrt(n)Can’t just test every prime from 1 .. sqrt(n)

8

c = mc = mee (mod n) (mod n)

Can Eve just compute e-th root of c?Can Eve just compute e-th root of c? Not since mod nNot since mod n Unless we brute force, but not when n is Unless we brute force, but not when n is

large!large!

The security if RSA lies in the The security if RSA lies in the difficulty of factoring large numbersdifficulty of factoring large numbers

Is Is (n) as hard to find as the factors of n?(n) as hard to find as the factors of n?

Claim: Claim: factoring n hard factoring n hard finding finding (n) hard(n) hard

Hint: write n and Hint: write n and (n) in terms of p and q.(n) in terms of p and q.

Next week: finding d is as hard to do as finding Next week: finding d is as hard to do as finding the factors of nthe factors of n

So Eve has no shortcuts to factoring!So Eve has no shortcuts to factoring!

You will need your computer with Maple on it next You will need your computer with Maple on it next class to do a real example of RSAclass to do a real example of RSA

Today I demo’ed in Matlab.Today I demo’ed in Matlab.

Unfortunately, Matlab can’t generate large Unfortunately, Matlab can’t generate large primes quickly. primes quickly.

Maple’s nextprime method works wellMaple’s nextprime method works well