Welcome to the first session of day 2. We are going to continue with the basics of cryptography; in particular we will look at AES, then the Diffie-Hellman key exchange protocol, and then ElGamal encryption and ElGamal signatures. Along the way I would also like to briefly talk about the definition of a group, which is used a great deal in cryptography, and the definition of a field. One of the nice things about AES is that it is a very simple algorithm, as we will soon see. Around the end of the last century, 1997 or so, it became increasingly obvious that DES, the algorithm that had been used for secret key cryptography for about twenty years (it was standardized in 1977), was no longer adequate. There were various attacks on it: brute force attacks, but also linear cryptanalysis, differential cryptanalysis and so on. There was also triple DES, but the feeling was that DES had only a limited time left; there were too many attacks on it, and many of them were successful. It was necessary to come up with a more secure secret key algorithm, possibly with a larger block size, so the National Institute of Standards and Technology (NIST) in the US solicited proposals for new secret key schemes. There were many, many proposals, from all around the world, and they were filtered down finally to five finalists. Of these five, the one that finally made it was the proposal called Rijndael, designed by two academic cryptographers, Joan Daemen and Vincent Rijmen. Let me mention some of the good things about it. The main selection criteria were, of course, security (it had to be highly secure); cost, meaning the computational complexity had to be reasonable, so you could not have something that takes too long to encrypt and decrypt; and algorithmic and implementation characteristics.
So it should be very simple to implement: the code should be easy to write and should work whether you are writing it in assembly language for 8-bit, 32-bit or 64-bit microprocessors, or implementing it in hardware, and so on. There were a lot of different characteristics the judges were looking for, including flexibility: can it support multiple block sizes and multiple key sizes? And finally this particular proposal, which we now call AES, won. The block size is 128 bits. (Rijndael as submitted also allows 192- and 256-bit blocks, but the AES standard fixes the block size at 128 bits.) The key size can be 128, 192 or 256 bits. As for the number of rounds: DES had 16 rounds; AES has 10, 12 or 14 rounds depending on whether the key size is 128, 192 or 256 bits respectively, and it does not have the Feistel structure that DES, for example, had. So, as mentioned before, for a 128-bit key the number of rounds in AES is 10, and each round involves four different operations: byte substitution, row shift, column mixing and sub-key addition. It is useful to visualize the input block. The block size, at least for the most basic option, is 128 bits; you can have a larger key size, but let us just focus right now on the 128-bit option. It is useful to visualize the plaintext, and the outputs of the intermediate stages, as 128 bits represented as a 4 by 4 array of bytes. A 4 by 4 byte array has a total of 16 elements, and each element is a byte, or 8 bits, which gives you 128 bits. So the 128 bits in the block are represented as a 4 by 4 array of bytes, and each byte is 2 hex characters. What are the different steps? All of these steps are rooted in mathematics, primarily discrete mathematics, and field theory in particular. So let us get a brief background on what a group is and then what a field is.
So let us start first with the definition of a group, because we will need this in the context of Diffie-Hellman, and then fields, in the context of elliptic curve cryptography and AES. The first mathematical structure, or the first discrete structure, is the group. Basically a group is two things: a set (it could be a set of integers, it could be a set of permutations, it could be anything) and a particular operator, a generic operator called the group operator, written here as *. The set and the operator must respect the following properties: closure, associativity, identity and inverse. Closure: if a and b belong to the group G, then a * b also belongs to G. Associativity: for all a, b and c belonging to G, it does not matter how I place the parentheses; (a * b) * c and a * (b * c) give the same result. Identity: there exists a unique I belonging to G such that for all a belonging to G, a * I = a, and this is the same thing as I * a. For all practical purposes, all the groups that we discuss in the next 10 days in cryptography have, in addition to this, the property of commutativity, a * b = b * a. Not all the groups in the world have this property (groups that do are called commutative or abelian groups), but the groups of interest to us do. And finally the inverse property: for every g belonging to G there exists an element x in G such that x * g is equal to the identity; x is referred to as the inverse of g, and it is denoted g^-1 if you have a multiplicative group, or -g if you have an additive group. It just depends on the context.
So, once again, a group is a set together with an operator. These groups can be finite or infinite; for our purposes we are mostly interested in finite groups. For example, one group that we are very interested in is Z_n with the operator addition modulo n. Z_n refers to the elements 0, 1, 2, 3, right up to n - 1. Suppose for example n is equal to 6: the elements 0, 1, 2, 3, right up to 5 form a group with the operator addition modulo 6. You can verify that the properties hold. Closure: if I take any two elements and add them modulo 6, I get an element that belongs to the set; 3 + 4 is 7, which is equal to 1 modulo 6. Associativity: for 1 + 2 + 3, if I associate the parentheses with 1 + 2 first I get 3, and 3 + 3 is 6; if I do 2 + 3 first that is 5, and 1 + 5 is also 6. So associativity trivially holds. The identity of this set is 0, because I can add 0 to anything and I get back the original number. The inverse of an element is what I must add to it to get 0: for example 4 + something gives me 0, and that something is -4, which in modulo 6 arithmetic is the same thing as 2. So the inverse of 4 in this particular group is 2, the inverse of 3 is 3, and so on. So this is one example of a finite group, the so-called additive group. Probably the more interesting groups are those where the operator is multiplication modulo n. So another example of a group would be Z_p^*. What does this notation mean? It means all the integers between 1 and p - 1 that are relatively prime to p; for simplicity assume that p is prime, in which case that is all of 1 through p - 1. So let us take, for example, the set Z_7^*: is this a group?
First and foremost, closure: if I multiply two things together modulo 7, say 3 multiplied by 4 is 12, which is actually 5 modulo 7, I can multiply any two elements and I get back something in that set. Associativity again trivially holds: (4 multiplied by 3) multiplied by 6 is the same thing as 4 multiplied by (3 multiplied by 6), and so on. The identity: if I multiply 4 by what will I get 4 back? If I multiply 4 by 1 I get 4 back, if I multiply 5 by 1 I get 5 back, and so on. So the identity element is 1. And then finally the inverse: does every element in this set have an inverse? The inverse of 1 is 1, because 1 multiplied by 1 is 1. The inverse of 2: is it 3, is it 2, is it 4? 2 multiplied by 4 is 8, which is 1 modulo 7, so the inverse of 2 is 4, and the inverse of 4 is 2. Then the inverse of 3: 3 times 5 is 15, which is 14 + 1, so the inverse of 3 is 5 and the inverse of 5 is 3. And 6: it looks like the inverse of 6 should be 6, since 6 multiplied by 6 is 36, which is 1 modulo 7. So each element has an inverse, and this is another very important group. These are all multiplicative groups, and we will use them when we talk about Diffie-Hellman key exchange. This particular group is referred to as a prime group, because the modulus is a prime number. You can verify on your own that Z_6^*, if we were to take all the nonzero elements of Z_6, does not constitute a group. If I just take Z_6 minus 0, that is the set 1, 2, 3, right up to 5. This fails to be a group because some elements do not have an inverse: for example, what is the inverse of 3? 3 multiplied by what will give me 1 modulo 6? Nothing. (In fact closure fails as well: 2 multiplied by 3 is 6, which is 0 modulo 6, and 0 is not in the set.) So Z_6 minus the 0 element, with multiplication modulo 6, is not a group.
Contrast this with Z_7^*, that is Z_7 without the 0, which does form a group under multiplication modulo 7. So we need to understand clearly what forms a group and what does not. This is a very brief background on groups; the details are in the textbook, where there is an entire chapter on the basic mathematical background for cryptography. In addition to groups, another very important structure is that of a field. So, very briefly, a two-minute introduction to fields: what is a field? It is a set, just like in the case of a group, but instead of one operator you have two generic operators, a plus and a star. It is up to whoever defines the field to define these operators; they do not have to be the operators we are familiar with, and the plus does not have to have the same meaning it does in simple arithmetic. For example, the set F could consist of matrices and the operators could be matrix addition and matrix multiplication. A very simple way to think of a field is this: F together with plus constitutes a group, called the additive group of the field; and F without the 0 element, that is, without the additive identity, together with star also forms a group, called the multiplicative group of the field. There is a theorem that says that the number of elements in a finite field must be either a prime number or a power of a prime number. The two kinds of fields of interest to us in cryptography are prime fields, and so-called binary fields, which are the special case where p is equal to 2.
One other important thing about a field is that you have a property called distributivity, besides associativity, closure and so on, which are already subsumed in the two group structures: for all a, b and c, a * (b + c) is equal to (a * b) + (a * c). So for simplicity think of the two groups, together with distributivity, as the defining attributes of a field. A prime field is simply Z_p: for example Z_7, with elements 0 through 6, constitutes a field with the operations addition modulo 7 and multiplication modulo 7. These are the kinds of fields I am talking about when I say prime fields, which are useful in cryptography. The other kind of field, which we are going to encounter very soon now, is the binary field. The number of elements in a binary field is always 2 to the power of an integer, so you can have a field of size 4, of size 8, of size 16, but not of size 15. One way we represent the elements of a binary field is as binary strings; you can represent them as polynomials with binary coefficients as well, but one representation is binary strings of length n. In the context of AES the binary field we are interested in is the so-called field GF(2^8). It has 256 elements, and as I mentioned before each element is a binary string of length 8. For example, the element 1010 0011 is written in our discussion of AES as 2 hex characters: the first character, 1010, is the number 10, that is A, and the second, 0011, is 3, so this is the element A3. This is just a preliminary introduction to fields so that we can understand how AES actually works.
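As an added example, not part of the lecture, here is a brute-force checker for the group and field axioms just described, run on the same small sets: Z_6 under addition modulo 6, Z_7^* under multiplication modulo 7, the nonzero elements of Z_6 under multiplication modulo 6 (which fails), and Z_7 as a field. The function names are my own.

```python
# Added example: machine-check the group and field axioms on small finite sets.
from itertools import product
from math import gcd


def check_group(elems, op):
    """Return a dict axiom -> bool for the finite set `elems` under binary op `op`."""
    elems = list(elems)
    closure = all(op(a, b) in elems for a, b in product(elems, repeat=2))
    assoc = all(op(op(a, b), c) == op(a, op(b, c))
                for a, b, c in product(elems, repeat=3))
    # the identity must be two-sided; a group has exactly one
    identities = [e for e in elems if all(op(e, a) == a == op(a, e) for a in elems)]
    identity = identities[0] if len(identities) == 1 else None
    inverses = identity is not None and all(
        any(op(a, x) == identity for x in elems) for a in elems)
    commutative = all(op(a, b) == op(b, a) for a, b in product(elems, repeat=2))
    return {"closure": closure, "associativity": assoc,
            "identity": identity is not None, "inverse": inverses,
            "commutative": commutative}


def is_group(elems, op):
    r = check_group(elems, op)
    return r["closure"] and r["associativity"] and r["identity"] and r["inverse"]


def additive_group(n):
    """(Z_n, + mod n)."""
    return range(n), (lambda a, b: (a + b) % n)


def units(n):
    """Z_n^*: residues 1..n-1 that are coprime to n (all of 1..n-1 when n is prime)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def multiplicative_group(n):
    """(Z_n^*, * mod n)."""
    return units(n), (lambda a, b: (a * b) % n)


def inverse_in(elems, op, identity, a):
    """Brute-force inverse of `a`, or None if it has none (e.g. 3 in Z_6 under *)."""
    for x in elems:
        if op(a, x) == identity:
            return x
    return None


def is_field(n):
    """Z_n is a field iff (Z_n, +) and (Z_n \\ {0}, *) are groups and * distributes over +."""
    add = lambda a, b: (a + b) % n
    mul = lambda a, b: (a * b) % n
    distrib = all(mul(a, add(b, c)) == add(mul(a, b), mul(a, c))
                  for a, b, c in product(range(n), repeat=3))
    return is_group(range(n), add) and is_group(range(1, n), mul) and distrib


if __name__ == "__main__":
    print("Z_6, +:", check_group(*additive_group(6)))
    print("Z_7^*, *:", check_group(*multiplicative_group(7)))
    print("Z_6 \\ {0}, *:", check_group(range(1, 6), lambda a, b: (a * b) % 6))
    print("Z_7 is a field:", is_field(7), " Z_6 is a field:", is_field(6))
```

Note that `units(6)` is [1, 5], which does form a group under multiplication modulo 6; it is only when you keep all of 1 through 5 that the structure breaks, which is why Z_n^* is defined as the residues coprime to n.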
So, once again, the block size in AES is 128 bits, and I just mentioned that we can represent this in matrix form, a 4 by 4 matrix with 4 elements in each row and 4 rows. All 128 bits fit inside this: 16 elements, each element 8 bits, so each element is 2 hex characters, for example B6, A3 and so on, and we operate on each of these elements. Let us see what those operations are. I mentioned there is byte substitution, column mixing, row shift and so on; let us look at each of them in detail. So, to back up a little: I was talking about AES and then digressed to introduce these two important discrete structures, the group and the field. I said that AES encryption, at least the version we are going to consider today, has a 128-bit block size and a 128-bit key size. There are 10 rounds, and each round comprises the following four steps: byte substitution, row shift, column mixing and sub-key addition. Once again, it is useful to visualize the 128-bit input block as a 4 by 4 array of bytes, each byte being 2 hex characters. The first step is byte substitution. What exactly happens here? We said in yesterday's lecture that one of the important operations is substitution and the other is transposition, or permutation. In byte substitution you have a substitution table. In this case the substitution table is a 16 by 16 S-box, where the (i, j)th entry is S_ij; i ranges from 0 through 15 and j ranges from 0 through 15, so there is a total of 256 entries in this S-box. It has been very carefully designed by the authors. So what is the value in the (i, j)th entry?
The value there is obtained as follows. Suppose I want to know what is in the fourth row and the third column: I write 4 in hexadecimal and 3 in hexadecimal and put them together as 43. That is 2 hexadecimal characters, or 8 bits, and I know that these 8 bits represent one element of the field I just talked about, the field of 256 elements. I take the multiplicative inverse of that element (inversion is defined because the nonzero elements form a multiplicative group, and every element of a group has an inverse), and then I apply a fixed affine transformation to the result, which ends with an exclusive OR with the hexadecimal value 63. That is 1 byte, or 8 bits: 6 is 0110 and 3 is 0011. (Strictly, the affine step also mixes the bits of the inverse before the exclusive OR with 63; the textbook gives the full bit matrix.) So what are i and j? i is the row index into this 16 by 16 S-box and j is the column index. I concatenate the two of them: 4 bits for the row, since there are 16 rows, and 4 bits for the column, which gives 8 bits, an element of GF(2^8), the field of 256 elements. I take the inverse of that element and then apply the affine transformation with 63. So ij is the concatenation of i and j represented as binary strings, and (ij)^-1 is the multiplicative inverse of ij in the multiplicative group. The operations are defined in GF(2^8), and just as for a prime field I need a prime number to act as the modulus, here I need something called an irreducible polynomial; for AES it is x^8 + x^4 + x^3 + x + 1, and the details are in the textbook. We do not have time to discuss this in great detail, it would take about an hour, so I skip the details of multiplication and inversion in this multiplicative group. Finally, for the element in row 0 and column 0, I would have to put 0 and 0 together and take the inverse of the 0 element, but there is no inverse for the 0 element.
So for that particular special case, what I do is simply substitute the hexadecimal value 63 as the entry in row 0, column 0 of the S-box. That is my first step. What does the step do? I have got 16 elements inside the state matrix, the 4 by 4 matrix that represents the block. Do not confuse that matrix with this 16 by 16 S-box. Let us go back to the earlier page: there I represent the 128 bits in the block as a 4 by 4 matrix, each element of which is a single byte of 8 bits, and now I have to do a substitution. The way I do a substitution is that I take each and every one of these elements and substitute for it some element from the S-box. To obtain the element I am going to substitute, say for the byte B6, I look at the big 16 by 16 S-box, take the Bth row of it and the 6th column, and wherever they intersect I substitute that value in this place. Let me show it again in a picture. The first step in each round is the byte substitution step. I have got these 128 bits represented as a 4 by 4 matrix; let us say one element is A3. What do I substitute it with? I have the 4 by 4 array, and I have the 16 by 16 S-box. I take the A and use it as a row index: the first row is row 0, the second row is row 1, the last row is row F, so this is row A. Then I take the 3 and look at column 3. I see what element is there, and those two hex characters are substituted in the place of A3. That is the substitution step, and I do this for each and every element inside this array. So that is my first step, byte substitution, which is just a description of what I illustrated on this sheet.
The second step is quite straightforward; it is called row shifting. Each element on the ith row of the state array (rows numbered 0 through 3) undergoes a left circular shift of i positions. The row shift causes the bytes in a column to be diffused among the other columns. The purpose of this whole thing is basically a transposition: the first step was substitution, the second step is transposition. Once again, in a picture: in the first step I substitute each of these values using the S-box. In the second step I perform a row shift. The first row does not get shifted, the second row gets shifted by one position, the third row by two positions, and the fourth row by three positions. Everything is shifted left, circularly. That is the transposition operation, called row shift, and its effect is that the bytes in a column are diffused amongst the other columns, a diffusion kind of operation. The next operation is column mixing, and this is a very interesting operation. The state means the 4 by 4 matrix that keeps getting operated upon and changing as we go through the different steps of the algorithm. The state is the input to this column mixing step, and that 4 by 4 matrix is pre-multiplied by a fixed 4 by 4 matrix. So you have two 4 by 4 matrices that are multiplied: the fixed matrix times the input to the step. That input keeps getting transformed as we go step by step, and this multiplication is a special kind of multiplication, a field multiplication, where each entry is to be interpreted as a field element. The entries of the fixed matrix are written as two hex characters, 02, 03 and 01; they are not the simple numbers two, three and one, but field elements.
So 02 really represents the field element 0000 0010 (the first hex character is 0000 and the second is 0010), and 03 is 0000 0011. This fixed matrix is multiplied by the state matrix to give you the output of this step, the column mixing step. Now, very interestingly, if you go on doing these four steps again and again, you will find that after a few rounds each byte of the output, the ciphertext that is being formed, depends on all the bytes of the plaintext, which is a very important property called diffusion. So that is the third step, and then we have a fourth step, round key addition. Each round has a separate key obtained from the original key using a key expansion algorithm; again the details are in the text. You have the original key, which is a 128-bit key, and from that 128-bit key you derive the round keys that are going to be used for the ten different rounds. (Strictly, the key expansion for AES-128 produces eleven round keys: one is added to the plaintext before the first round, and one is used in each of the ten rounds; the final round also omits column mixing. See the textbook for the exact schedule.) Each round key, because it is 128 bits, can again be represented as a 4 by 4 matrix of bytes. You simply take the state matrix, the 4 by 4 matrix that is the input to this step, and the round key, which is again a 4 by 4 matrix, and add the two. When I say add I mean field addition, which in this case happens to be exclusive OR: you take the bytes element by element and exclusive OR them. This completes the four steps of an AES round. We will return to AES to look at how we can attack it using something called a side channel attack, probably later next week. So with that little introduction I move on to the next part of this talk, which is the discrete log problem and Diffie-Hellman. This is the second session on basic cryptography.
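As an added example, not code from the lecture or from any AES library, here is GF(2^8) arithmetic with the AES polynomial, the S-box built as inverse-plus-affine-map, and the four round steps applied to a 4 by 4 state. It is not a full cipher: there is no key schedule (the round key is simply supplied), and the initial key addition and the final round's missing column mix are left out. The function names are my own; the test values (S-box row 0, the inverse of 53 and the column db 13 53 45) are the standard ones from FIPS 197.

```python
# Added example: GF(2^8) arithmetic, S-box construction and the four AES round steps.
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial used by AES


def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) modulo AES_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: reduce by the modulus
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for every nonzero a).
    gf_inv(0) returns 0 by convention, which is what the S-box needs for entry (0,0)."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox_entry(x):
    """S(x) = affine(inverse(x)): the inverse XORed with its four left rotations, then ^ 0x63.
    For x = 0 the 'inverse' is 0, so S(0) = 0x63, the special case from the lecture."""
    y = gf_inv(x)
    return y ^ _rotl8(y, 1) ^ _rotl8(y, 2) ^ _rotl8(y, 3) ^ _rotl8(y, 4) ^ 0x63


# SBOX[0xA3] is row A, column 3 of the 16x16 table: the byte itself is the index.
SBOX = [sbox_entry(x) for x in range(256)]

# Fixed column-mixing matrix; entries are field elements 02, 03, 01, not integers.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state):
    """Row i (0..3) is rotated left by i positions."""
    return [row[i:] + row[:i] for i, row in enumerate(state)]


def mix_columns(state):
    """Pre-multiply the state by MIX, with gf_mul as product and XOR as sum."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(MIX[r][k], state[k][c])
            out[r][c] = acc
    return out


def add_round_key(state, round_key):
    """Field addition in GF(2^8) is XOR, byte by byte."""
    return [[s ^ k for s, k in zip(srow, krow)] for srow, krow in zip(state, round_key)]


def aes_round(state, round_key):
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)


def bytes_to_state(block):
    """AES fills the 4x4 state column by column: state[r][c] = block[r + 4*c]."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


if __name__ == "__main__":
    state = bytes_to_state(bytes(range(16)))        # constructed sample block
    key = bytes_to_state(bytes(range(16, 32)))      # constructed sample round key
    for row in aes_round(state, key):
        print(" ".join(f"{b:02x}" for b in row))
```

The `bytes_to_state` helper is worth a look: the standard lays the 16 input bytes into the state column by column, so the row shift really does move bytes between columns, which is where the diffusion the lecture mentions comes from.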
We have just looked at the operation of AES and at the field operations involved, and along the way we very briefly described what a group is and what a field is. We now move on to a very important problem in cryptography called the discrete logarithm problem. Just as the factorization problem is very hard, this is another problem that is very hard, and upon which the security of several signature algorithms depends. We will define the problem and then look at various applications of it. So, let P be a prime number and let G be a primitive root of P. Think of the set 1, 2, 3, 4, up to P - 1 with the operation multiplication modulo P; as we saw, this is a group. Let G be a generator of this group. Let me define what a generator is: a generator is an element of the group which generates all the other elements by applying the group operation to itself repeatedly. Let us take an example. Consider the group Z_7^* with the operation multiplication modulo 7; its elements are 1 through 6. Take some arbitrary element, say 2. I start with 2, then I go on to 2 * 2, then 2 * 2 * 2, and so on, and I ask myself whether I have generated all of the elements in the process. The first element is 2, the second is 4, the next is 2 * 4 = 8, which modulo 7 is 1. So I find that 2 is not a generator, because I have come back to 1 after only three steps and the sequence will now keep repeating. Let us try 3: 3, then 9, which is the same thing as 2, then 6, then 6 multiplied by 3, that is 18 mod 7.
So do I get all the elements? I get 3; 3 times 3 is 9, which is 2; then 2 times 3 is 6; 6 times 3 is 18 mod 7, that is 4; 4 times 3 is 12 mod 7, that is 5; 5 times 3 is 15 mod 7, and I get 1. So I get all the elements in this case: 3 happens to be a generator, while 2 is not. So what I am referring to is elements of this type. First and foremost, in Diffie-Hellman I need to define the group, Z_P^* with multiplication modulo P, and I need to define a generator. So the first parameter of Diffie-Hellman is what we call P, a prime number, and the next parameter is G, a generator of Z_P^*; in the example above, 3 is a generator. With that background let us look at how Diffie-Hellman works. Let P be a prime number and let G be a generator of this group. What that means is that if you compute G, then G * G mod P, then G * G * G mod P, and so on, you will get all the elements of the group Z_P^*; then and only then do we say that G is a primitive root, or a generator, of that group. So first we define P and G. Then the function f(a) = G^a mod P is called the modular exponentiation function with base G and modulus P. You have seen this operation before in the context of RSA, and it is relatively straightforward. The reverse operation, where you are given G and P and the value f(a), and you want to find a, is the discrete logarithm problem: a = log_G f(a), the logarithm of f(a) to the base G in Z_P^*. (There is a misprint on the slide, which reads log_G P; it should be the logarithm of the given value, not of P.) So if you are given this number, G^a mod P, you have to find a.
So there are two different problems. In both cases you are given G and P. In the first case, the exponentiation problem, you are given a and you need to compute G^a mod P. In the second case you are given G^a mod P and you need to find a. This second problem is referred to as the discrete log problem, and it is infeasible if you choose the group and the generator appropriately. I will just repeat: you are given the prime number P, and so you are given the group Z_P^* with operation multiplication modulo P, and you are able to find a generator of that group (how exactly we will not discuss here). If you are then given a and asked to find G^a mod P, that operation is modular exponentiation, and it is relatively straightforward using tricks like square-and-multiply. On the other hand, if you are given the value y = G^a mod P itself, the inverse, a = log_G y, is what is wanted; this is the logarithm of f(a) in Z_P^*, not the logarithm of P. This reverse operation, where you are given P, G and y and asked to find a, is a difficult problem, and that is referred to as the discrete log problem. Some examples: take the set Z_29^*; it has 28 elements, as you can see, and I have written 2^1, 2^2, and so on up to 2^28 around the circle; I hope it is visible. 2^1 is 2, 2^2 is 4, then 8, and so on, and you find that 2 is a generator because it generates all 28 elements of Z_29^*. You will not find a repeat as you go along: the sequence is 2, 4, 8, 16, 3, 6, 12, 24, and so on, and all the elements between 1 and 28 are encountered as we go around the circle.
Now, suppose you are given the number 5: it is easy to compute 2^5 modulo 29. But suppose you are given the number 9 and asked for x such that 2^x is equal to 9 modulo 29; computing that in general is infeasible. That is the difficult problem, the discrete log problem. For a small set of numbers like this one it is easy, but when the prime gets to be very large the problem becomes infeasible. When I say the number is large I mean that you require something like a thousand bits to represent it, so it is of the order of 2^1000. (Today the usual recommendation is a prime of 2048 bits or more.) One example which is less trivial: suppose we have the prime number 131, so Z_131^* is the group with the operation multiplication modulo 131, and 2 happens to be a generator. It is not always the case that g = 2 is a generator, but it turns out that in this case it is. Then you can actually compute, using a little program, that the discrete logarithm of 72 to the base 2 modulo 131 is 17, and the reason this is true is that 2^17 modulo 131 is 72. So if you were given 17, computing 72 is straightforward; but if you were given 72, computing 17 would in general be much less straightforward. That is the discrete log problem, and the other direction is modular exponentiation. With that brief background to the discrete log problem let us look at some of its applications. The first application, which most of you are familiar with, is Diffie-Hellman key exchange. Then there is also Diffie-Hellman authentication, and we will also try to cover in this session ElGamal encryption and ElGamal signatures.
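As an added example, not from the lecture, here is a generator test of the kind just done by hand for Z_7^*, Z_29^* and Z_131^*, together with two discrete-log solvers: the brute-force search that is fine for p = 131, and baby-step giant-step, which costs about sqrt(p) work and memory and is the simplest illustration of why the parameter size, not just "a prime", is what makes the problem hard. Function names are my own.

```python
# Added example: generators of Z_p^* and discrete logarithms (brute force and BSGS).
from math import isqrt


def is_generator(g, p):
    """g generates Z_p^* iff g^1 .. g^(p-1) mod p are all distinct (so they cover the group)."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = x * g % p
        if x in seen:          # came back to an earlier value too soon
            return False
        seen.add(x)
    return len(seen) == p - 1


def generators(p):
    return [g for g in range(1, p) if is_generator(g, p)]


def dlog_bruteforce(y, g, p):
    """Smallest a >= 0 with g^a = y (mod p), or None. O(p) multiplications."""
    x = 1
    for a in range(p - 1):
        if x == y % p:
            return a
        x = x * g % p
    return None


def dlog_bsgs(y, g, p):
    """Baby-step giant-step for prime p. Write a = i*m + j with m ~ sqrt(p-1):
    store g^j for j < m (baby steps), then walk y * g^(-m*i) for i < m (giant steps)
    until it hits a stored baby step. O(sqrt(p)) time and memory."""
    m = isqrt(p - 1) + 1
    baby, x = {}, 1
    for j in range(m):
        baby.setdefault(x, j)
        x = x * g % p
    g_inv_m = pow(pow(g, m, p), p - 2, p)    # (g^m)^-1 mod p by Fermat, p prime
    gamma = y % p
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * g_inv_m % p
    return None


if __name__ == "__main__":
    print("generators of Z_7^*:", generators(7))
    print("2 generates Z_29^*:", is_generator(2, 29))
    print("log_2(72) mod 131 =", dlog_bsgs(72, 2, 131), dlog_bruteforce(72, 2, 131))
```

For a 2048-bit prime neither solver is usable: brute force is hopeless, and BSGS would need on the order of 2^1024 table entries, which is the point of choosing the parameters that large.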
So, once again, most of you are familiar with this. It is a protocol, the Diffie-Hellman key exchange protocol, that came up in the year 1976 from these two gentlemen, Diffie and Hellman. The problem is that two sides need to exchange a key securely; they need to come up with a common session key. Assume they have already agreed on P and G; if they have not, A can decide on them and just send them to B. Let us see how this would work with a picture: you have A here and B over there. What A does is choose an appropriate prime number P, a very large number, thousands of bits long, and a generator G for that group, and then A also chooses an ephemeral secret. Call her ephemeral secret a. She does not actually send a; she computes G^a mod P and sends that across. So a is like a private key and G^a mod P is like a public key. She sends across the parameters P and G and her public value G^a mod P. The other party, B, correspondingly chooses an integer b between 1 and P - 2, computes G^b mod P, and sends that across. When she receives his public value she raises G^b mod P to the power of her private key a, all modulo P, and the result she gets is G^ab mod P. When he gets her public value G^a mod P he raises it to the power of his private key b, and gets the same value G^ab mod P. Nobody knows this value except the two of them, so it becomes the common session key they use to encrypt all the messages between them for the duration of the session. (In practice the shared value is passed through a key derivation function rather than used directly as the encryption key.) So why does Diffie-Hellman key exchange work? It is a simple bit of algebra. Let us see what she computes: she has his public value, which is G^b mod P.
So, once again, his private key, which he just chose and did not tell anyone about, is b, and he computed his public key g raised to b mod p and sent it to her, and then when she gets it she raises it to the power of her secret, her private key. So, this is the computation she performs: she takes his public key and raises it to the power of her secret and she gets g raised to ab mod p, and this is exactly the same thing as the public key that she gave B, which B took and raised to the power of his secret. So, now both sides get the same value g raised to ab mod p. Here is a little example that you can try offline. I have taken p equals 131 and generator 2, and let the secret that she chooses be the value 24. So, her public key becomes 2 raised to 24 mod 131, which is 46. She sends 46 to him, and he chooses 17 as his secret, computes 2 raised to 17 mod 131, which is 72, and he sends this to her. After receiving B's partial key she computes the value 72, the value that she got from him, raised to her private key, which is 24, which she chose or generated in this step. So, she computes this value mod 131, which is 13; this is the secret that she comes up with, and he comes up with exactly the same secret, because he takes the value received from her, which is 46, the value that she gave him, and raises that value to his private key 17, which he generated in this step. So, 46 raised to 17 mod 131 is 13. Both sides have agreed on a common secret which they will use to encrypt all messages between them for the duration of this session. So, let us look at a possible attack on the Diffie-Hellman key exchange protocol. She computes a as before and she computes g raised to a mod p; she sends the parameters p, g (the prime number, the generator) and g raised to a mod p across to him.
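The two directions of the discrete log problem and the p = 131 exchange above, as an added example that is not part of the lecture: square-and-multiply for the easy direction, a brute-force discrete log that only terminates because the modulus is tiny, and the Diffie-Hellman computation with the lecture's numbers (p = 131, g = 2, a = 24, b = 17).

```python
# Added example, not from the lecture. Values p = 131, g = 2, a = 24, b = 17
# are the ones used in the lecture; everything else is illustration.


def mod_exp(base, exp, p):
    """Square-and-multiply: the easy direction, g^x mod p in O(log x) steps."""
    result, base = 1, base % p
    while exp > 0:
        if exp & 1:
            result = result * base % p
        base = base * base % p
        exp >>= 1
    return result


def discrete_log(g, h, p):
    """Brute-force x with g^x = h (mod p). This is O(p) multiplications, so it
    is only feasible for a toy modulus; for a ~1000-bit p the loop never ends.
    Returns None if h is not a power of g."""
    value = 1
    for x in range(p - 1):
        if value == h:
            return x
        value = value * g % p
    return None


def is_generator(g, p):
    """For prime p, g generates Z_p^* iff its successive powers hit every
    non-zero residue (p - 1 distinct values)."""
    seen = set()
    value = 1
    for _ in range(p - 1):
        seen.add(value)
        value = value * g % p
    return len(seen) == p - 1


def dh_exchange(p, g, a, b):
    """Return (A's public value, B's public value, A's secret, B's secret).
    Both secrets are g^(ab) mod p; only a and b are kept private."""
    pub_a = mod_exp(g, a, p)          # A sends g^a mod p
    pub_b = mod_exp(g, b, p)          # B sends g^b mod p
    secret_a = mod_exp(pub_b, a, p)   # A computes (g^b)^a mod p
    secret_b = mod_exp(pub_a, b, p)   # B computes (g^a)^b mod p
    return pub_a, pub_b, secret_a, secret_b


if __name__ == "__main__":
    print("2 is a generator mod 131:", is_generator(2, 131))
    print("log_2(72) mod 131 =", discrete_log(2, 72, 131))
    print("DH(131, 2, 24, 17) =", dh_exchange(131, 2, 24, 17))
```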
Now, there is a man-in-the-middle attack over here. The attacker stands in the middle; notice what he is doing. He captures the entire message (this is an active attack, not just a passive attack), he captures the message and replaces g raised to a mod p with his own g raised to c mod p. So, he chooses a c, he computes g raised to c mod p, he replaces g raised to a mod p with g raised to c mod p, and he sends the same thing across to him. B innocently does what A did: chooses a b, computes g raised to b mod p and sends it across. Once again the attacker is in action; he intercepts that g raised to b mod p and replaces it with g raised to c mod p. So, what happens is she thinks that the g raised to c mod p came from B, but actually what B intended to send was g raised to b mod p, and that was modified by the attacker and replaced by g raised to c mod p. So, she takes g raised to c mod p and raises it to the power of her private key. She gets g raised to ac mod p, and he does exactly the same thing at that end; he computes his secret as g raised to bc mod p. So, the secrets that this one and this one have computed are completely different. So, guess what happens after this: now every single message that goes from her to him is again intercepted by this guy. What he does is he gets the message, and this is encrypted with the key that he knows, which is g raised to ac mod p. This is g raised to ac mod p and he has also computed the same value, because he has taken the g raised to a mod p that she sent and raised it to the power of his secret c. So, he gets g raised to ac mod p, and every single message that is encrypted with that key he intercepts, he decrypts, he reads it and, maybe after modifying it, re-encrypts it with the key that he shares with B, which is g raised to bc mod p. So, he re-encrypts it and sends it across.
So, it is a very active attack, because he is doing a lot of work: intercepting, decrypting, modifying and re-encrypting and sending it on, and the same thing when he receives something from B, and so on and so forth. So, this is a standard man-in-the-middle attack. One question is: what can we do about this attack, how can we prevent this attack? The way to prevent this is to authenticate whatever parameters are being sent. So, perhaps digitally sign all the parameters that are being sent by A and the parameters being sent by B. All of this message needs to be digitally signed by A, so that B can verify it; whatever B is sending should be digitally signed by B, so that A can verify it. Then the man-in-the-middle attack will not be possible. That kind of a scheme is known as authenticated Diffie-Hellman key exchange. So, from key exchange to authentication. We can use this idea of the discrete log to actually do encryption. Once again you have a large prime p and a generator in this group Z_p^* with the operation multiplication modulo p. Now, what is the private key in this case and what is the public key? An ElGamal private key is an integer a. So, choose some random integer a between 1 and p minus 1. Once again the value of p is a very, very large integer which requires about 1000 bits, for example, to represent; it is a very large integer which occupies at least 1000 bits, could be thousands. So, that is her private key that she chooses. The corresponding public key is a triplet where you have got the parameters: the prime number, the generator and alpha, where alpha is obtained from g raised to a mod p. So, this is the public key of this person, with corresponding private key a. Now, let us see how encryption would work, ElGamal encryption, where we make use of this idea of the discrete log. Once again (p, g, alpha), this triplet, is the public key of A, and we want to encrypt a message M to be sent to A.
So, B wants to send this message encrypted with her public key; he wants to send it to her. What he does is he chooses a random number r lying between 1 and p minus 1; for security reasons that number has to be relatively prime to p minus 1. You can show that if you do not have this condition satisfied there could be a security lapse. Then B computes two integers. Very interesting: the ciphertext is now two integers, not just one integer as in RSA. The first integer is g raised to r mod p, and the second integer obviously has to use the public key of A. So, B uses alpha from A's public key. This whole thing is given by A to B, possibly in the form of a certificate, and B pulls out the alpha and uses it over here. So, he has generated this random number r, uses the same random number r as an index, and chooses alpha from her public key. So, alpha to the power of r, multiplies it by his message and then reduces it modulo p, and that is the second constituent of the ciphertext. So, the first one is C1 and the second one is C2; B sends the ciphertext (C1, C2) to A. Now, the interesting question is how would you decrypt this? Actually it is very straightforward; something tells you that to decrypt it you need to use the private key. So, A will have to use her private key, which is little a. To decrypt the ciphertext (C1, C2), A uses her private key little a and computes the following. The first part of the message was, if you recall, g raised to r. So, g raised to r, now raised to the power of minus a, her private key, and then multiplied by C2, the second part of the ciphertext, which was the message multiplied by her public key raised to the power of r. So, that is C2. This operation, we state, will help to recover the message M.
Let us see why this works. C1 to the power of minus a multiplied by C2 mod p: this is nothing else but g raised to r mod p raised to the power of minus a, that is this stuff, and the second thing is nothing else but what he computed, which is M times alpha raised to r mod p. So, this thing is g raised to minus ar, if you use the laws of modular arithmetic, g raised to minus ar, and then this thing, alpha, do not forget, is g raised to a. So, I am just substituting g raised to a and then raising it to the power of r, so I get g raised to ar, and then this M is over here. g raised to minus ar and g raised to ar cancel out and I just get M mod p, and that is the original message M. So, this is how decryption works in the case of the ElGamal system. So, there are some questions: is ElGamal secure? What is one possible way in? Now you can think of some very smart ways of recovering the private key or the message from the ciphertext. One idea that comes to mind is this: I know that C2 is equal to M times alpha to the power of r; C2 was M times alpha to the power of r. So, what I do is I just put M on the other side and I get M is equal to C2 times alpha raised to the power of minus r. And how do I get r? I know that r is related to C1. These two things are part of the ciphertext. So, I know that C1 is g raised to r mod p, and I solve the discrete log problem and I try to recover r. Once I recover r I use it over here: I know C2, I know her public key, and now I have recovered r from this. So, I do this operation and I get the message M. So, this is what the hacker thinks. Where is the hacker wrong? The hacker thinks he can just obtain M using this, by solving the discrete log problem. That is precisely what we have said from the beginning: the discrete log problem is very hard, it is infeasible if you choose the appropriate large group.
So, in that appropriate large group it is virtually impossible to solve the discrete log problem. If I know this, I know this and I know this, it is impossible to get r; r is the discrete log of C1 to the base g modulo p, and that problem is impossible. So, since it is impossible for me to get r, how can I compute this and get back the key? So, the hacker cannot get M; only the person with knowledge of the private key little a can obtain the value of M, as shown before in the previous slide. We were talking about ElGamal encryption and we were trying to hack into the scheme, and we found that one hack involved computing the discrete log, which is infeasible. Let us consider a second hack, which is based on a vulnerability in the way this protocol is implemented. If you use the same random number repeatedly then there is a chance of being able to obtain the ciphertext; let us see why. So, these are the two equations we wrote down. Now suppose I use the same random number twice. I have two different messages M and M prime, and now I have got two pairs of ciphertext, (C1, C2) and (C1 prime, C2 prime). Let us see the things that I know: I know what p is, I know what g is, and I can see the ciphertext. Now let us suppose I know that this is equal to this; the software that does the encryption has used the same random number twice. So, even though the messages are different (this value C2 is different from this value C2 prime, this message M is different from M prime), C1 is the same as C1 prime, and that probably suggests that they are using the same random number. Now I know what C2 and C2 prime are, and I would like to find out, as a hacker, what the value of M prime is. Let us suppose the hypothetical case where I also know M; such an attack is known as a known plaintext attack, where I happen to know one or more message-ciphertext pairs.
So, let us suppose I happen to know the value of M. The question is: is it possible to know the value of M prime, on the assumption that the software is buggy and uses the same random number repeatedly? Now I am trying to find out M prime, given that I know C2 and given that the random number that was chosen for both the encryptions is the same. If I look at this equation, C2 is equal to M times alpha to the power of r mod p, and this alpha raised to the power of r is the same thing in both. So, I can write down from here alpha raised to r is equal to C2 times M inverse mod p, and this is the same thing as looking at this: alpha raised to r is C2 prime times M prime inverse. Now, if you look at these two equations, we know this, we know this and we know this; therefore, I can find out M prime inverse and I can find out M prime. So, M prime is equal to C2 prime times C2 inverse times M. This is the attack, knowing the ciphertext, which I always know; I can always tap into the line and find the values of the ciphertexts. The thing is, I want to find out what this message M prime is that the victim has just encrypted and sent, and I am assuming a known plaintext attack where I happen to know the value of M for this encryption. So, from this equation I get alpha raised to r is equal to C2 times M inverse, and from this equation alpha raised to r is equal to C2 prime times M prime inverse. I equate these two and I am able to solve for M prime: M prime is equal to C2 prime times C2 inverse times M. So, the moral of the story is do not repeat the same random number twice. Recall once again that I use a random number in computing the ciphertext: C1 is equal to g raised to r (I am talking about this r, g raised to r) and C2 is equal to M times the public key to the power of r. Do not repeat this random number twice in two different encryptions. So, this is in words what I just explained on the sheet of paper, and this is a simple example.
Let p be 131 and the generator be 2. A chooses a private key a equals 97; her public key alpha is 2 raised to 97 mod 131, which is 14. Let the message to be sent be 75. Now, the sender chooses a random number, let us say it is 33, and then he does exactly those computations: g raised to r, so 2 raised to 33 mod 131, which is 103, and this thing, where M is 75, alpha is 14 and the random number is the same 33 over here, is 51. So, the ciphertext corresponding to the message 75 is these two numbers, 103 and 51. ElGamal encryption actually doubles the amount of space for the ciphertext. And then we simply perform this thing algebraically, C1 to the power of minus a. In order to decrypt, the private key is necessary. So, the private key is 97: 103 to the power of minus 97 multiplied by 51 mod 131, and the answer is 75. So, you recover the original message, ok. And the final thing about the discrete log: it can be used to generate and to verify signatures. So, how do we do that? Once again let a be the private key of this person A, and let her public key be the different parameters: the prime number, the generator and alpha, where alpha is equal to g raised to a mod p. To sign a message M she does the following. She computes the hash of the message, H(M); we talked about the cryptographic hash yesterday. So, she computes H(M), then once again she chooses a random number r such that r is relatively prime to p minus 1. She computes x is equal to g raised to r mod p; just like in the case of encryption, in the case of signatures this is computed as the first part of the signature. And for the second number she computes y as the hash of the message minus (she takes her private key a and multiplies it by this component x of the signature), performs this subtraction and then multiplies that by the inverse of the random number mod p minus 1. So, note this over here: that is not p, but it is p minus 1. And now the signature is the pair x and y. Now the question is how to verify it.
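The ElGamal encryption and decryption just worked through, and the repeated-r relation M' = C2' * C2^-1 * M derived a little earlier, as an added example that is not part of the lecture. It uses the lecture's values (p = 131, g = 2, a = 97, alpha = 14, M = 75, r = 33); the second message 20 and the function names are assumptions for illustration, and the reuse check is written as the detection a reviewer of an implementation would run.

```python
# Added example, not from the lecture. Lecture values: p = 131, g = 2, a = 97,
# alpha = 14, M = 75, r = 33. Second message (20) is constructed for illustration.
from math import gcd

P, G = 131, 2


def keygen(a, p=P, g=G):
    """Private key a; public key is the triplet (p, g, alpha), alpha = g^a mod p."""
    return a, (p, g, pow(g, a, p))


def encrypt(pub, m, r):
    """Ciphertext (C1, C2) = (g^r mod p, m * alpha^r mod p).
    r must lie in [1, p-1] and be relatively prime to p-1, as the lecture requires."""
    p, g, alpha = pub
    if not 1 <= r < p or gcd(r, p - 1) != 1:
        raise ValueError("r must be in [1, p-1] and coprime to p-1")
    c1 = pow(g, r, p)
    c2 = m * pow(alpha, r, p) % p
    return c1, c2


def decrypt(a, pub, ct):
    """m = C1^(-a) * C2 mod p: C1^(-a) = g^(-ar) cancels the alpha^r = g^(ar) in C2.
    The inverse of C1^a is taken with Fermat's little theorem since p is prime."""
    p = pub[0]
    c1, c2 = ct
    c1_pow_a_inv = pow(pow(c1, a, p), p - 2, p)
    return c1_pow_a_inv * c2 % p


def find_repeated_r(ciphertexts):
    """Defensive check on a batch of ciphertexts made under one public key:
    two ciphertexts sharing C1 = g^r were produced with the same r.
    Returns the index pairs that collide."""
    first_seen, collisions = {}, []
    for idx, (c1, _) in enumerate(ciphertexts):
        if c1 in first_seen:
            collisions.append((first_seen[c1], idx))
        else:
            first_seen[c1] = idx
    return collisions


def linked_plaintext(pub, ct, ct_other, m_known):
    """The lecture's relation: when C1 == C1' (same r) and one plaintext m is
    known, the other is C2' * C2^(-1) * m mod p, with no private key needed.
    This is exactly why r must never be reused."""
    p = pub[0]
    (c1, c2), (c1_other, c2_other) = ct, ct_other
    if c1 != c1_other:
        raise ValueError("ciphertexts do not share r; relation does not apply")
    c2_inv = pow(c2, p - 2, p)
    return c2_other * c2_inv * m_known % p


if __name__ == "__main__":
    a, pub = keygen(97)
    ct = encrypt(pub, 75, 33)
    print("public key:", pub, "ciphertext:", ct, "decrypts to:", decrypt(a, pub, ct))
    ct_other = encrypt(pub, 20, 33)        # buggy sender reuses r = 33
    print("repeated r at:", find_repeated_r([ct, encrypt(pub, 9, 7), ct_other]))
    print("second plaintext from the relation:", linked_plaintext(pub, ct, ct_other, 75))
```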
So, this is signature generation. Notice that she has used her private key; any time you sign you have to use your private key. So, she has used her private key, and then to verify it the verifier will use the corresponding public key. x and y were the two components of the signature. What the other guy, that is B, does is he takes x, raises it to the power of y, then takes her public key alpha and raises it to the power of x (x and y being the two components of the signature), reduces this modulo p, and then verifies whether this thing is the same as g to the power of the hash of the message. You can try and do it on your own; otherwise see section 8.3.2 of the text for a proof of why this verification equation holds. So, what does he have to do? I want to make sure that this is really the signature of A on this document M; the document is M, the message is M. What I should do, what the receiver or the verifier must compute, is H(M), raise g to the power of H(M), and see whether this thing mod p is the same thing as the two components of the signature pulled out: x raised to the power of y, multiplied by her public key alpha, which is typically contained in a certificate, raised to the power of x, and see whether this thing reduced modulo p is the same as that thing reduced modulo p. If that is the case then we say the signature has been verified; it is an authentic signature. So, with this I will end the discussion of the discrete log. There were some questions that had come from the remote sites; I will also try to answer them, maybe I can do some of them right away. One question was about the notation I have used, Z_7 and then Z_7^*: what is the difference between these two things and how many elements are there in Z_7 and Z_7^*? Usually this notation Z_7 really refers to the set of elements 0 to 6, so there are 7 elements in this. Z_7^* does not include the 0, so it has got only 6 elements.
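The signing and verification steps above, as an added example that is not part of the lecture. The group and keys reuse the lecture's values (p = 131, g = 2, private key a = 97, alpha = 14); the per-signature random r = 33, the hash choice (SHA-256 reduced mod p-1) and the sample message are assumptions for illustration.

```python
# Added example, not from the lecture. p = 131, g = 2, a = 97 are the lecture's
# values; r = 33, the hash choice and the message are assumed for illustration.
import hashlib
from math import gcd

P, G = 131, 2


def hash_to_int(msg, p=P):
    """H(M) as an exponent: SHA-256 of the message reduced modulo p-1 (the
    order of Z_p^*), since exponents of g only matter mod p-1."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (p - 1)


def inverse_mod(x, m):
    """Extended Euclid: x^(-1) mod m; raises if gcd(x, m) != 1."""
    r0, r1, s0, s1 = m, x % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse: gcd != 1")
    return s0 % m


def sign(a, msg, r, p=P, g=G):
    """Signature (x, y): x = g^r mod p, y = (H(M) - a*x) * r^(-1) mod (p-1).
    The inverse is taken mod p-1, not mod p, exactly as the lecture stresses,
    which is why r must be relatively prime to p-1."""
    if not 1 <= r < p or gcd(r, p - 1) != 1:
        raise ValueError("r must be in [1, p-1] and relatively prime to p-1")
    x = pow(g, r, p)
    y = (hash_to_int(msg, p) - a * x) * inverse_mod(r, p - 1) % (p - 1)
    return x, y


def verify(pub, msg, sig):
    """Accept iff x^y * alpha^x == g^H(M) (mod p), with x in [1, p-1].
    Why it holds: x^y * alpha^x = g^(ry + ax) and ry + ax == H(M) mod (p-1)."""
    p, g, alpha = pub
    x, y = sig
    if not 1 <= x < p:
        return False
    lhs = pow(x, y, p) * pow(alpha, x, p) % p
    return lhs == pow(g, hash_to_int(msg, p), p)


if __name__ == "__main__":
    a = 97
    pub = (P, G, pow(G, a, P))                 # (131, 2, 14)
    msg = b"constructed sample message"
    sig = sign(a, msg, 33)
    print("signature:", sig, "verifies:", verify(pub, msg, sig))
    print("tampered y verifies:", verify(pub, msg, (sig[0], sig[1] + 1)))
```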
So, I just want to point out that this thing is a special case of Z_n^*; this n need not always be prime. For a group I can consider an arbitrary integer n here, but then I have to use the correct definition. The definition of this thing is all the integers x lying between 1 and n minus 1 such that GCD of x and n is equal to 1. As an example of this I can define Z_8^*, and Z_8^* with the operation multiplication modulo 8 is also a group. So, this thing will be 1; I cannot put 2 over there because the GCD has to be 1. So, choose all the numbers between 1 and 7 that are relatively prime to 8: 2 is not relatively prime, 3 is, 4 is not, 5 is, 6 is not, 7 is. So, these are the elements 1, 3, 5 and 7. This also forms a group; n does not have to be prime, but if I put a prime number then the elements of that set will be everything from 1 to p minus 1, while here you would be skipping some of the elements. So, how many elements in Z_7^*? The answer is 6. How many elements in Z_7? The answer is 7. How many elements in Z_8? The answer is 8 elements. How many elements in Z_8^*? The answer is 4. In fact, when we talked about RSA, Z_n^*, where n is the modulus, which is the product p multiplied by q, the cardinality of this set is precisely phi of n, which is p minus 1 times q minus 1; in this special case n is the product of two primes. Ok, there was another question about the multiplicative inverse in the set Z_7^*; I made a mistake as I was writing, so I will just clarify the inverses.
So, this is not there. The inverse of 1: 1. The inverse of 2: 2 multiplied by 4 is 1 (it is actually 8, but reduced modulo 7 it is 1); likewise the inverse of 4 is 2, they have to be inverses of each other. The inverse of 3: is it 3? No. Is it 5? Yes, 3 times 5 is 15, which is 1 modulo 7, and likewise for 5 it is 3. And by mistake I put 1 over here: 6 multiplied by what gives me 1? 6 multiplied by 6 is 36, which is 1. So, the inverse of 6 is not 1, but it is 6; the inverse of 1 is 1, ok. Then there was another question, this is from the remote sites, of how many rounds are necessary in a secret key cipher. We have seen that in the case of DES there are 16 rounds; in the case of AES you can have 10, you can have 12, you can have 14 and so on. So, why 10 and why not 8, why not 6? The answer is this: the number of rounds is a security parameter. Ask yourself the question, we know how DES works; suppose I have a hypothetical DES which is just two rounds, or a two-round AES. Give this as an example or exercise to your students: ask them to look at the vulnerabilities in two-round AES. Is it vulnerable, and if so to what extent? Is three-round AES vulnerable, and if so to what extent? You will find that as you increase the number of rounds the amount of diffusion increases, and pretty soon you will find the ciphertext is dependent on every single value of the plaintext. This is a very important statement: each bit of the ciphertext, take any bit of the ciphertext, bit 5, is dependent on all the bits of the plaintext if you use, say, for example, three rounds or four rounds. So, the more rounds you use the more the diffusion. Of course, there is a tradeoff, which I mentioned on the first day in the first lecture: one important security principle is the tradeoff between security and performance. So, I might get more performance by increasing the number of rounds, but at the cost of security.
So, the incremental improvement in security is very little and I have got to pay a heavy price in terms of performance. So, I stop at some number, and after some research I figure out that probably the safe number to stop at in terms of the number of rounds is 10. That is why the standard has 10 rounds in the case of AES, and in the case of DES perhaps they were a little paranoid; the number of rounds is 16. Once again, you can give this as an exercise to your students: ask them to look at the vulnerabilities in two-round DES and see whether you can crack two-round DES, a hypothetical secret key cipher. So, I think we are running out of time a little bit; there is a presentation on Wireshark. So, I will stop over here and continue later on with this slide.