----------------------------------------------------------------
Lecture 1 - Oct 1, 2001 - ECS 227
----------------------------------------------------------------

Today:
  o Introduction
  o Block ciphers

Announcements:
  o everything on line: www.cs.ucdavis.edu/~rogaway
  o I won't spend time doing admin stuff; find it on the web

**************************************************************************

// Atypical lecture - NO proofs, no security definitions

1. Introduction

1.1 What is cryptography?

  "communications in the presence of adversaries" [Ri90]

  "the study of 'mathematical' systems for solving two kinds of security
   problems: privacy and authenticity" [DH76]

1.2 Classical vs. provable-security cryptography

  Model      \
  Assumption  \
               Problem -> Defn -> Protocol -> Reduction -> Implement -> Done

1.3 Links to complexity theory

  Complexity theory                        Provable-security cryptography
  ------------------------------------------------------------------------
  We think that Pi can't be solved         We think that scheme Pi can't be
  efficiently                              attacked effectively
  ------------------------------------------------------------------------
  If Pi could be solved effectively,       If scheme Pi could be attacked
  so could SAT                             effectively, we could
  ------------------------------------------------------------------------
  To show this: reduce SAT to Pi:          To show this: reduce AES to Pi:
  construct an algorithm that solves       construct an algorithm that breaks
  SAT given an alg that breaks Pi          AES (say) given an alg that breaks Pi.

  Layered look
  ------------------------------------------------
  Systems
  ------------------------------------------------
  Protocols
  ------------------------------------------------
  Cryptographic Transforms: encrypt, sign, mac
  ------------------------------------------------
  Cryptographic primitives (DES, SHA1, RSA)    <- two varieties:
  ------------------------------------------------  conf/diff & algebraic

1.4 Sample problems
  A. Privacy (sym, asym)
  B. Authenticity (sym, asym)
  C. Dating problem
  D. Commit
  E. SFE

**************************************************************************

2. Block ciphers

2.1 What is a block cipher?

2.2 DES
  a. History
  b. Structure

2.3 AES
  a. History
  b. Scheme

  m(x) = x^8 + x^4 + x^3 + x + 1

  exercise:
    {a4} * {00} = {00}
    {a4} * {01} = {a4}
    {a4} * {02} = {13}
      1010 0100 = x^7 + x^2
      0000 0010 = x
      product: x^8 + x^3 = x^4 + x^3 + x + 1 + x^3 = x^4 + x + 1
             = 0001 0011 = {13}

  key generation: K |--> K_0, ..., K_{10}

  think of input M as 4 x 4 table, filled down then right
  xor key K_0 with table
  change it for 10 rounds
  return final table.

  round:
    S-box
    shiftRows
    mixCols            // omit on round 10
    xor next round key

  S-box:     replace each byte by its inverse byte (almost)
  shiftRows: left shift rows 0,1,2,3 by 0,1,2,3
  mixCols:   treat each column as a degree 3 polynomial. Multiply by the fixed
             polynomial
               a(x) = {03}x^3 + {01}x^2 + {01}x + {01}   mod  g(x) = x^4 + 1.
             g(x) is NOT irreducible, but it is relatively prime to a(x), so
             a(x) has an inverse, which (you can verify) is
               a'(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}

  What does it DO??  We'll see next time!
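The byte arithmetic and the per-column mixCols step above, as an added worked example (this is editor's code, not part of the lecture notes): it multiplies bytes mod m(x), derives the S-box as "inverse byte" followed by the fixed affine map from FIPS-197 (that affine map is the "almost"), does shiftRows, and multiplies a column polynomial by a(x) mod x^4 + 1, checking that a'(x) really is the inverse. Two checks worth running against the notes: {a4} = 1010 0100 is x^7 + x^5 + x^2, so {a4}·{02} = {53}; the worked figure {13} is the product for {84} = 1000 0100. And FIPS-197 gives the constant term of a(x) as {02}, which is what the code uses; with {01} the stated a'(x) is not the inverse. Function names, the column-as-list convention (index i holds the coefficient of x^i) and the test vectors are this example's own choices.

```python
"""Added example: GF(2^8) arithmetic behind the AES S-box and mixCols.
Not the lecture's code; conventions and names are this example's own."""

M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, the field polynomial from the notes


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing mod m(x)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:        # degree 8 reached: subtract (xor) m(x)
            a ^= M_X
        b >>= 1
    return result & 0xFF


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES defines inv(0) = 0."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254   # a^254 = a^-1 (group order is 255)
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def sbox(byte: int) -> int:
    """S-box = inverse in GF(2^8) followed by the FIPS-197 affine map."""
    def rotl(v: int, n: int) -> int:
        return ((v << n) | (v >> (8 - n))) & 0xFF
    b = gf_inv(byte)
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


def shift_rows(state):
    """state is a list of 4 rows; row r is rotated left by r positions."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def poly_mul_mod_x4_plus_1(p, q):
    """Multiply two degree-3 polynomials with GF(2^8) coefficients mod x^4 + 1.
    Since x^4 = 1 mod g(x), exponents simply wrap around mod 4."""
    out = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gf_mul(p[i], q[j])
    return out


# Coefficient of x^i at index i.  a(x) constant term is {02} per FIPS-197.
A_X = [0x02, 0x01, 0x01, 0x03]      # {03}x^3 + {01}x^2 + {01}x + {02}
A_INV_X = [0x0E, 0x09, 0x0D, 0x0B]  # {0b}x^3 + {0d}x^2 + {09}x + {0e}


def mix_column(col):
    """mixCols on one column: multiply the column polynomial by a(x)."""
    return poly_mul_mod_x4_plus_1(col, A_X)


def inv_mix_column(col):
    """Inverse step: multiply by a'(x)."""
    return poly_mul_mod_x4_plus_1(col, A_INV_X)


if __name__ == "__main__":
    print("{84}*{02} =", hex(gf_mul(0x84, 0x02)), " {a4}*{02} =", hex(gf_mul(0xA4, 0x02)))
    print("a(x)*a'(x) mod x^4+1 =", poly_mul_mod_x4_plus_1(A_X, A_INV_X))
    print("mixCols([db,13,53,45]) =", [hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
```

The column test vector [db,13,53,45] -> [8e,4d,a1,bc] is the FIPS-197 MixColumns example; running the script also shows the a(x)·a'(x) = [01, 0, 0, 0] identity the notes ask you to verify.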