UVA CS 588 - Two Fish on the Rijndael


Slide titles:
Slide 1
Menu
Why Cryptographers should talk to lawyers (1994)
Key Escrow
LEAF
Wire Tap
Two Escrow Agencies
Clipper Security
Clipper Politics
Why Cryptographers should talk to lawyers (2005)
Encryption Research Exemption
Saturday at the Law School
Advanced Encryption Standard
AES Process
AES Requirements
AES Round 1
Breaking a Cipher
AES Evaluation Criteria
AES Criteria Tradeoffs
From RC5 to RC6 in seven easy steps
Description of RC6
Design Philosophy
Data-Dependent Rotations
(1) Start with RC5
Better rotation amounts?
Properties B  (2B+1) should have:
3. High-order bits of B  (2B+1) depend on all bits of B (diffusion)
(2) Quadratic Rotation Amounts
(3) Use t, not B, as xor input
(4) Do two RC5’s in parallel
(5) Mix up data between copies
One Round of RC6
Key Expansion (Same as RC5’s)
What do /e/ have to do with cryptography?
(7) Set r = 20 for high security
Blowfish
Key-Dependent S-Boxes
Blowfish  Twofish
Two Fish
Choosing AES (Table from Twofish Paper)
AES Winner: Rijndael Invented by Joan Daemen and Vincent Rijmen
Rijndael Overview
Rijndael Design
Rijndael Round
Slide 45
Will AES survive until 2050?
Summary
Charge

Lecture 10: Two Fish on the Rijndael
David Evans
http://www.cs.virginia.edu/evans
CS588: Cryptography
University of Virginia Computer Science
24 Feb 2005 University of Virginia CS 588

"The algorithm might look haphazard, but we did everything for a reason. Nothing is in Twofish by chance. Anything in the algorithm that we couldn’t justify, we removed. The result is a lean, mean algorithm that is strong and conceptually simple."
Bruce Schneier

Menu
• Why Cryptographers should talk to lawyers?
  – Clipper
  – DMCA
• AES Candidates
  – RC6
  – Blowfish
• AES Winner - Rijndael

Why Cryptographers should talk to lawyers (1994)
• 1993 – AT&T markets secure telephony device
• Law enforcement: US courts can authorize wire taps, must be able to decrypt
• NSA proposes Clipper Chip
  – Secret algorithm (Skipjack), only implemented in hardware

Key Escrow
• NSA has copy of special key, can get with a court order
• Sender transmits E (M, k) || LEAF (“law enforcement agents’ field”)
• Holder of special key can decrypt LEAF to find message key and decrypt message

LEAF
LEAF = E ((E (k, u) || n || a), f )
k = message key
u = 80-bit special key (unique to chip)
n = 30-bit identifier (unique to chip)
a = escrow authenticator
f = 80-bit key (same on all chips), known by FBI

Wire Tap
• FBI investigating Alice, intercepts Clipper communication
• Uses f to decrypt LEAF:
  D (E ((E (k, u) || n || a), f )) = E (k, u) || n || a
• Delivers n and court order to 2 escrow agencies, obtains u
• Decrypts E (k, u) to obtain message key and decrypt message

Two Escrow Agencies
• Proposal didn’t specify who (one probably NSA)
• Divide u so neither one can decrypt messages on their own (even if they obtain f )
  One gets u  X, other gets X

Clipper Security
• How do you prevent criminals from transmitting wrong LEAF?
  – NSA solution: put it in hardware, inspect all Clipper devices
• Still vulnerable to out-of-the-box device

Clipper Politics
• Not widely adopted, administration backed down
  – Secret algorithm
  – Public relations disaster
• Didn’t involve academic cryptographers early
• Proposal was rushed, in particular hadn’t figured out who would be escrow agencies
• See http://www.eff.org/pub/Privacy/Key_escrow/Clipper/
• Lessons learned well for AES process

Why Cryptographers should talk to lawyers (2005)
• Digital Millennium Copyright Act (DMCA)
  – Law since 1998

“No person shall circumvent a technological measure that effectively controls access to a work protected under this title.”

to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner

Encryption Research Exemption
Encryption Research.—
(1) Definitions.— For purposes of this subsection—
  (A) the term “encryption research” means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and
  (B) the term “encryption technology” means the scrambling and descrambling of information using mathematical formulas or algorithms.
(2) Permissible acts of encryption research.— Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if—
  (A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;
  (B) such act is necessary to conduct such encryption research;
  (C) the person made a good faith effort to obtain authorization before the circumvention; and
  (D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
(3) Factors in determining exemption.— In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include—
  (A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;
  (B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and
  (C) whether the person provides the copyright owner of the work to which the
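
The Clipper escrow flow from the Key Escrow, LEAF, Wire Tap and Two Escrow Agencies slides, as an added example that is not part of the original lecture. Assumptions: the cipher E is a toy XOR stream cipher standing in for the secret Skipjack algorithm, the authenticator a is a constructed placeholder, the message key is taken to be 80 bits, and the split of u between the agencies is taken to be XOR with a random pad X; all function names are hypothetical.

```python
import hashlib
import secrets

def E(data: bytes, key: bytes) -> bytes:
    """Toy XOR stream cipher standing in for Skipjack (assumption; not secure)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(d ^ s for d, s in zip(data, stream))

D = E  # an XOR stream cipher decrypts with the same operation

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_chip(chip_id: int):
    """Return (n, u, share1, share2): id, unit key, and its two escrow shares."""
    n = chip_id.to_bytes(4, "big")   # the slide's 30-bit identifier, carried in 4 bytes
    u = secrets.token_bytes(10)      # 80-bit special key, unique to the chip
    x = secrets.token_bytes(10)      # random pad X
    return n, u, xor(u, x), x        # assumed split: u XOR X to one agency, X to the other

def clipper_send(m: bytes, k: bytes, n: bytes, u: bytes, f: bytes):
    """Sender transmits E(M, k) and LEAF = E((E(k, u) || n || a), f)."""
    a = hashlib.sha256(k + n).digest()[:2]   # placeholder authenticator (constructed)
    return E(m, k), E(E(k, u) + n + a, f)

def wiretap(ciphertext: bytes, leaf: bytes, f: bytes, agency1: dict, agency2: dict) -> bytes:
    """Decrypt LEAF with f, look up both shares by n, rebuild u, recover k, decrypt."""
    inner = D(leaf, f)                       # E(k, u) || n || a
    ek, n = inner[:10], inner[10:14]
    u = xor(agency1[n], agency2[n])          # both agencies must cooperate
    return D(ciphertext, D(ek, u))

def demo():
    f = secrets.token_bytes(10)              # 80-bit family key, same on all chips
    n, u, s1, s2 = make_chip(12345)
    k = secrets.token_bytes(10)              # message key (80 bits assumed)
    msg = b"constructed sample message"
    ct, leaf = clipper_send(msg, k, n, u, f)
    both = wiretap(ct, leaf, f, {n: s1}, {n: s2})
    # One agency's share plus f, with the other share missing (all zeros here):
    alone = wiretap(ct, leaf, f, {n: s1}, {n: bytes(10)})
    return msg, leaf, both, alone

if __name__ == "__main__":
    msg, leaf, both, alone = demo()
    print("both agencies:", both == msg, "| one agency:", alone == msg)
```

With both shares the wiretap recovers the message; with only one share the rebuilt unit key is wrong, so the message key and plaintext are not recovered even though f is known.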

