Announcements:

1
DTTF/NB479 Dszquphsbqiz Day 19

• Announcements
• HW4 DES due Friday midnight
• Any volunteers to help config C/C later today?
• Whos using Scheme?
• Quiz on ch 3 postponed until after break
• Term project groups and topics due end of week
  after break
• Use ch 10 19 as inspiration
• Today
• Finish Rijndael
• RSA concepts
• Questions?

2
Rijndael/AES

• Tie-ins with Galois field, GF(28)
• S-box implements z Ax-1 b in GF(28)
• MixColumn multiplies by a matrix in GF(28) to
  diffuse bits
• Key schedule (next) uses S-box and powers in
  GF(28)
• Wikipedias visuals

3
AddRoundKey (ARK)

• XOR the round key with matrix d.
• Key schedule on next slide

4
Key Schedule
Write original key as 4x4matrix with 4 columns
W(0), W(1), W(2), W(3). Key for round i is
(W(4i), W(4i1), W(4i2), W(4i3))

K1
K10
K0
Other columns defined recursively
Highly non-linear. Resists attacks at finding
whole key when part is known
192-, 256-bit versions similar
5
Decryption

• E(k) is
• (ARK0, BS, SR, MC, ARK1, BS, SR, MC, ARK9, BS,
  SR, ARK10)
• Each function is invertible
• ARK IBS ISR IMC
• So D(k) is
• ARK10, ISR, IBS, ARK9, IMC, ISR, IBS, ARK1,
  IMC, ISR, IBS, ARK0)

• Half-round structure
• Write E(k) ARK, (BS, SR), (MC, ARK), (BS,
  SR), (MC, ARK), (BS, SR), ARK
• (Note that last MC wouldnt fit)
• D(k) ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS),
  (ARK, IMC), (ISR, IBS), ARK
• Can write
• D(k) ARK, (IBS, ISR), (IMC, IARK), (IBS,
  ISR), (IMC, IARK), (IBS, ISR), ARK

6
Wrap-up

• Do you trust 128-bit encryption now?
• You should, especially when keys are sent using
  public key cryptography (next)

7
Public-key Cryptography

• Problem how can I send my AES key without Eve
  intercepting it?
• Consider a scheme in which everyone publishes a
  (public) method by which messages can be
  encrypted and sent to them but only the
  publisher can decrypt.
• Knowing how to encrypt does not reveal how to
  decrypt!

8
RSA (Rivest Shamir Adelman)

• For Alice to send a message to Bob.
• Bob chooses primes p,q (large, 100 digits each)
• He publishes his public key (n,e)
• n pq
• e, a large number such that gcd(e, (p-1)(q-1))
  1
• Alice has a message m lt n.
• Otherwise (if m gt n), break message into chunks lt
  n
• Alice sends c me(mod n)
• Bob computes cd (mod n) (me)d m (mod n).
• What does he use for d?

9
Why does decryption work?

• Alice (m) ? Bob
• Bobs key
• n pq
• e gcd(e, (p-1)(q-1)) 1
• This is so de-1 mod (p-1)(q-1) exists
• Alice sends c me(mod n)
• Bob computes cd (mod n) (me)d m (mod n),
  where d e-1 (mod n).
• What does he use for d?

• Recall Eulers theorem
• as long as gcd(m,n) 1
• So med m (mod n) iff ed 1 (mod f(n)
  1 (mod (p-1)(q-1))
• So d e-1 mod (p-1)(q-1)

10
Toy example

• Alice (m) ? Bob
• Bobs key
• n pq (13)(17) 221
• e 35 gcd(e, (p-1)(q-1)) 1
• de-1 mod 192 exists d __11__
• m 20 (letter t)
• 1-based, so leading a 1 not ignored
• c me(mod n) _197___
• cd (mod n) _20__

• Issues
• How to compute 2035(mod 221)?
• Efficiency is O(log e)
• How to compute d?
• Extended Euclidean alg.
• And why is this secure?
• Why cant Eve calculate d herself?

11
Security

• Eve knows e, n, and c only
• To find d e-1 (mod f(n)),Eve needs to know
  f(n) (p-1)(q-1)
• If she knows n, she can factor it into p and q to
  find f(n), right?
• Thats a big if, since n is 200 digits long!
• Large numbers are hard to factor!
• Cant just test every prime from 1 .. sqrt(n)

12
Security

• c me (mod n)
• Can Eve just compute e-th root of c?
• Not since mod n
• Unless we brute force, but not when n is large!

13
Is f(n) as hard to find as the factors of n?

• Claim factoring n hard ? finding f(n) hard
• Equivalently f(n) easy ? factoring n easy
• If I know n and f(n), how can I find p, q?
• Hint write n and f(n) in terms of p and q.
• I will show later that finding d is as hard to
  find as factors of n (uses factoring).
• So Eve has no shortcuts to factoring!