mirror of
https://github.com/calofmijuck/blog.git
synced 2025-12-06 22:53:51 +00:00
fix: broken image links have been fixed
This commit is contained in:
@@ -155,7 +155,7 @@ There are many ways of achieving security.
|
||||
|
||||
### Basics of a Cryptosystem
|
||||
|
||||
|
||||
|
||||
|
||||
- A **message** in *plaintext* is given to an **encryption algorithm**.
|
||||
- The encryption algorithm uses an **encryption key** to create a *ciphertext*.
|
||||
|
||||
@@ -63,7 +63,7 @@ $$
|
||||
|
||||
#### The Feistel Function
|
||||
|
||||
|
||||
|
||||
|
||||
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
|
||||
|
||||
@@ -179,7 +179,7 @@ AES, DES use fixed block size for encryption. How do we encrypt longer messages?
|
||||
|
||||
### Electronic Codebook Mode (ECB)
|
||||
|
||||
|
||||
|
||||
|
||||
- Codebook is a mapping table.
|
||||
- For the $i$-th plaintext block, we use key $k$ to encrypt and obtain the $i$-th ciphertext block.
|
||||
@@ -198,7 +198,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
|
||||
### Cipher Block Chaining Mode (CBC)
|
||||
|
||||
|
||||
|
||||
|
||||
- Two identical messages produce to different ciphertexts.
|
||||
- This prevents chosen plaintext attacks
|
||||
@@ -248,7 +248,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
|
||||
### Cipher Feedback Mode (CFB)
|
||||
|
||||
|
||||
|
||||
|
||||
- The message is treated as a stream of bits; similar to stream cipher
|
||||
- **Result of the encryption is fed to the next stage.**
|
||||
@@ -283,7 +283,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
|
||||
### Output Feedback Mode (OFB)
|
||||
|
||||
|
||||
|
||||
|
||||
- Very similar to stream cipher.
|
||||
- Initialization vector is used as a seed to generate the key stream.
|
||||
@@ -316,7 +316,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
|
||||
### Counter Mode (CTR)
|
||||
|
||||
|
||||
|
||||
|
||||
- Without chaining, we use a counter (typically incremented by $1$).
|
||||
- Counter starts from the initialization vector.
|
||||
|
||||
@@ -83,7 +83,7 @@ We have a root CA at the top. Then there are issuing CAs below. We usually reque
|
||||
|
||||
### Certificate Validation
|
||||
|
||||
[^1]
|
||||
[^1]
|
||||
|
||||
Since we have a hierarchy of CAs, certificate validation must also follow the hierarchy. When we receive a certificate, it is highly likely to be signed by an non-root CA.
|
||||
|
||||
|
||||
@@ -146,7 +146,7 @@ Here's how the client and the server establishes a connection using the TLS hand
|
||||
> 3. Use the server's public key to share a secret.
|
||||
> 4. Both parties generate a symmetric key from the shared secret.
|
||||
|
||||
[^1]
|
||||
[^1]
|
||||
|
||||
- `ServerKeyExchange`, `ClientKeyExchange` is optional. Used sometimes if Diffie-Hellman is used.
|
||||
- The actual messages and process differ for each protocol and ciphers used.
|
||||
|
||||
@@ -292,7 +292,7 @@ We can deduce that if a PRG is predictable, then it is insecure.
|
||||
|
||||
*Proof*. Let $\mathcal{A}$ be an efficient adversary (next bit predictor) that predicts $G$. Suppose that $i$ is the index chosen by $\mathcal{A}$. With $\mathcal{A}$, we construct a statistical test $\mathcal{B}$ such that $\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G]$ is non-negligible.
|
||||
|
||||
|
||||
|
||||
|
||||
1. The challenger PRG will send a bit string $x$ to $\mathcal{B}$.
|
||||
- In experiment $0$, PRG gives pseudorandom string $G(k)$.
|
||||
@@ -318,7 +318,7 @@ The theorem implies that if next bit predictors cannot distinguish $G$ from true
|
||||
|
||||
To motivate the definition of semantic security, we consider a **security game framework** (attack game) between a **challenger** (ex. the creator of some cryptographic scheme) and an **adversary** $\mathcal{A}$ (ex. attacker of the scheme).
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** Let $\mathcal{E} = (G, E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. For a given adversary $\mathcal{A}$, we define two experiments $0$ and $1$. For $b \in \lbrace 0, 1 \rbrace$, define experiment $b$ as follows:
|
||||
>
|
||||
|
||||
@@ -118,7 +118,7 @@ This is a matter of *collisions* of $f(x_i)$, so we use the facts from the birth
|
||||
|
||||
A **block cipher** is actually a different name for PRPs. Since a PRP $E$ is a keyed function, applying $E(k, x)$ is in fact encryption, and applying its inverse is decryption.
|
||||
|
||||
|
||||
|
||||
|
||||
Block ciphers commonly have the following form.
|
||||
- A key $k$ is chosen uniformly from $\left\lbrace 0, 1 \right\rbrace^s$.
|
||||
@@ -140,7 +140,7 @@ Block ciphers commonly have the following form.
|
||||
|
||||
Since block ciphers are PRPs, we have to build an invertible function. Suppose we are given **any** functions $F_1, \dots, F_d : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$. Can we build an **invertible** function $F : \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$?
|
||||
|
||||
|
||||
|
||||
|
||||
It turns out the answer is yes. Given an $2n$-bit long input, $L_0$ and $R_0$ denote the left and right halves ($n$ bits) of the input, respectively. Define
|
||||
|
||||
@@ -160,7 +160,7 @@ Note that we did not require $F_i$ to be invertible. We can build invertible fun
|
||||
|
||||
In DES, the function $F_i$ is the DES round function.
|
||||
|
||||
|
||||
|
||||
|
||||
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using $E$. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a permutation $P$ at the end, resulting in $32$ bit data.
|
||||
|
||||
@@ -168,7 +168,7 @@ The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunk
|
||||
|
||||
DES uses $56$ bit keys that generate $16$ rounds keys. The diagram below shows that DES has 16-round Feistel networks.
|
||||
|
||||
|
||||
|
||||
|
||||
The input goes through initial/final permutation, which are inverses of each other. These have no cryptographic significance, and just for engineering.
|
||||
|
||||
@@ -176,7 +176,7 @@ The input goes through initial/final permutation, which are inverses of each oth
|
||||
|
||||
DES is not secure, since key space and block length is too small. Thankfully, we have a replacement called the **advanced encryption standard** (AES).
|
||||
|
||||
|
||||
|
||||
|
||||
- DES key only had $56$ bits, so DES was broken in the 1990s
|
||||
- NIST standardized AES in 2001, based on Rijndael cipher
|
||||
@@ -254,7 +254,7 @@ Then the key space has increased (exponentially). As for 2DES, the key space is
|
||||
|
||||
Unfortunately, 2DES is only secure as DES, with the attack strategy called **meet in the middle**. The idea is that if $c = E(k_1, E(k_2, m))$, then $D(k_1, c) = E(k_2, m)$.
|
||||
|
||||
|
||||
|
||||
|
||||
Since we have the plaintext and the ciphertext, we first build a table of $(k, E(k_2, m))$ over $k_2 \in \mathcal{K}$ and sort by $E(k_2, m)$. Next, we check if $D(k_1, c)$ is in the table for all $k_1 \in \mathcal{K}$.
|
||||
|
||||
|
||||
@@ -131,7 +131,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
|
||||
|
||||
### Electronic Codebook Mode (ECB)
|
||||
|
||||
|
||||
|
||||
|
||||
- ECB mode encrypts each block with the same key.
|
||||
- Blocks are independent of each other.
|
||||
@@ -139,7 +139,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
|
||||
|
||||
### Ciphertext Block Chain Mode (CBC)
|
||||
|
||||
|
||||
|
||||
|
||||
Let $X = \left\lbrace 0, 1 \right\rbrace^n$ and $E : \mathcal{K} \times X \rightarrow X$ be a **PRP**.
|
||||
|
||||
@@ -190,7 +190,7 @@ Note that if $k_1$ is the same as the key used for encrypting messages, then thi
|
||||
|
||||
### Counter Mode (CTR)
|
||||
|
||||
|
||||
|
||||
|
||||
Let $F : \mathcal{K} \times X \rightarrow X$ be a secure **PRF**.
|
||||
|
||||
|
||||
@@ -26,7 +26,7 @@ On the other hand, MAC fixes data that is tampered in purpose. We will also requ
|
||||
|
||||
## Message Authentication Code
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** A **MAC** system $\Pi = (S, V)$ defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$ is a pair of efficient algorithms $S$ and $V$ where $S$ is a **signing algorithm** and $V$ is a **verification algorithm**.
|
||||
>
|
||||
@@ -58,7 +58,7 @@ In the security definition of MACs, we allow the attacker to request tags for ar
|
||||
|
||||
For strong MACs, the attacker only has to change the tag for the attack to succeed.
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** Let $\Pi = (S, V)$ be a MAC system defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
|
||||
>
|
||||
@@ -123,7 +123,7 @@ The above construction uses a PRF, so it is restricted to messages of fixed size
|
||||
|
||||
### CBC-MAC
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** For any message $m = (m_0, m_1, \dots, m_{l-1}) \in \left\lbrace 0, 1 \right\rbrace^{nl}$, let $F_k := F(k, \cdot)$.
|
||||
>
|
||||
@@ -211,7 +211,7 @@ Since CBC-MAC is vulnerable to extension attacks, we encrypt the last block agai
|
||||
|
||||
ECBC-MAC doesn't require us to know the message length in advance, but it is relatively expensive in practice, since a block cipher has to be initialized with a new key.
|
||||
|
||||
|
||||
|
||||
|
||||
> **Theorem.** Let $F : \mathcal{K} \times X \rightarrow X$ be a secure PRF. Then for any $l \geq 0$, $F_\mathrm{ECBC} : \mathcal{K}^2 \times X^{\leq l} \rightarrow X$ is a secure PRF.
|
||||
>
|
||||
|
||||
@@ -83,7 +83,7 @@ The attacker shouldn't be able to create a new ciphertext that decrypts properly
|
||||
|
||||
In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M} \cup \left\lbrace \bot \right\rbrace$, where $\bot$ means that the ciphertext was rejected.
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
|
||||
>
|
||||
@@ -138,7 +138,7 @@ Most natural constructions of CCA secure schemes satisfy AE, so we don't need to
|
||||
|
||||
We want to combine CPA secure scheme and strongly secure MAC to get AE. Rather than focusing on the internal structure of the scheme, we want a general method to compose these two secure schemes so that we can get a AE secure scheme. We will see 3 examples.
|
||||
|
||||
|
||||
|
||||
|
||||
### Encrypt-and-MAC (E&M)
|
||||
|
||||
|
||||
@@ -106,7 +106,7 @@ Now we want to construct collision resistant hash functions that work for arbitr
|
||||
|
||||
The Merkle-Damgård transform gives as a way to extend our input domain of the hash function by iterating the function.
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** Let $h : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^l \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a hash function. The **Merkle-Damgård function derived from $h$** is a function $H$ that works as follows.
|
||||
>
|
||||
@@ -151,7 +151,7 @@ Now we only have to build a collision resistant compression function. We can bui
|
||||
|
||||
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange#collision-resistance-based-on-dl-problem).
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** Let $\mathcal{E} = (E, D)$ be a block cipher over $(\mathcal{K}, X, X)$ where $X = \left\lbrace 0, 1 \right\rbrace^n$. The **Davies-Meyer compression function derived from $E$** maps inputs in $X \times \mathcal{K}$ to outputs in $X$, defined as follows.
|
||||
>
|
||||
@@ -216,7 +216,7 @@ This can be thought of as blocking the length extension attack from prepending t
|
||||
|
||||
### HMAC
|
||||
|
||||
|
||||
|
||||
|
||||
This is a variant of the two-key nest, but the difference is that the keys $k_1', k_2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
|
||||
|
||||
|
||||
@@ -74,7 +74,7 @@ $$
|
||||
|
||||
We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
|
||||
|
||||
|
||||
|
||||
|
||||
> 1. Alice chooses $\alpha \leftarrow \mathbb{Z}_q$ and computes $g^\alpha$.
|
||||
> 2. Bob chooses $\beta \leftarrow \mathbb{Z}_q$ and computes $g^\beta$.
|
||||
@@ -189,7 +189,7 @@ Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many comm
|
||||
|
||||
We assumed that the adversary only eavesdrops, but if the adversary carries out active attacks, then DHKE is not enough. The major problem is the lack of **authentication**. Alice and Bob are exchanging keys, but they both cannot be sure that there are in fact communicating with the other. An attacker can intercept messages and impersonate Alice or Bob. This attack is called a **man in the middle attack**, and this attack works on any key exchange protocol that lacks authentication.
|
||||
|
||||
|
||||
|
||||
|
||||
The adversary will impersonate Bob when communicating with Alice, and will do the same for Bob by pretending to be Alice. The values of $\alpha, \beta$ that Alice and Bob chose are not leaked, but the adversary can decrypt anything in the middle and obtain the plaintext.
|
||||
|
||||
@@ -211,7 +211,7 @@ Before Diffie-Hellman, Merkle proposed an idea for secure key exchange protocol
|
||||
|
||||
The idea was to use *puzzles*, which are problems that can be solved with some effort.
|
||||
|
||||
|
||||
|
||||
|
||||
> Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$.
|
||||
> 1. Alice chooses random pairs $(k_i, s_i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.
|
||||
|
||||
@@ -45,7 +45,7 @@ Public key $pk$ will be publicized. After Alice obtains $pk$, she can use it to
|
||||
|
||||
The following notion of security is only for an eavesdropping adversary.
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** Let $\mc{E} = (G, E, D)$ be a public key encryption scheme defined over $(\mc{M}, \mc{C})$. For an adversary $\mc{A}$, we define two experiments.
|
||||
>
|
||||
|
||||
@@ -57,7 +57,7 @@ $$
|
||||
|
||||
The definition is similar to the [secure MAC](../2023-09-21-macs/#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**.
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$. Given an adversary $\mc{A}$, the game goes as follows.
|
||||
>
|
||||
@@ -184,7 +184,7 @@ This scheme is originally from the **Schnorr identification protocol**.
|
||||
|
||||
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z_q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**.
|
||||
|
||||
|
||||
|
||||
|
||||
The protocol $\mc{I}_\rm{sch} = (G, P, V)$ works as follows.
|
||||
|
||||
|
||||
@@ -28,7 +28,7 @@ attachment:
|
||||
|
||||
## Identification Protocol
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** An **identification protocol** is a triple of algorithms $\mc{I} = (G, P, V)$ satisfying the following.
|
||||
>
|
||||
|
||||
@@ -27,7 +27,7 @@ The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) c
|
||||
|
||||
> **Definition.** An **effective relation** is a binary relation $\mc{R} \subset \mc{X} \times \mc{Y}$, where $\mc{X}$, $\mc{Y}$, $\mc{R}$ are efficiently recognizable finite sets. Elements of $\mc{Y}$ are called **statements**. If $(x, y) \in \mc{R}$, then $x$ is called a **witness for** $y$.
|
||||
|
||||
|
||||
|
||||
|
||||
> **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **sigma protocol** for $\mc{R}$ is a pair of algorithms $(P, V)$ satisfying the following.
|
||||
>
|
||||
@@ -107,7 +107,7 @@ Also note that **the simulator is free to generate the messages in any convenien
|
||||
|
||||
The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](../2023-10-26-digital-signatures/#the-schnorr-identification-protocol) for the full description.
|
||||
|
||||
|
||||
|
||||
|
||||
> The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where
|
||||
>
|
||||
@@ -165,7 +165,7 @@ $$
|
||||
|
||||
goes as follows.
|
||||
|
||||
|
||||
|
||||
|
||||
> 1. $P$ computes random $\alpha_t, \beta_t \la \bb{Z}_q$ and sends commitment $u_t \la g^{\alpha_t}h^{\beta_t}$ to $V$.
|
||||
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
|
||||
@@ -192,7 +192,7 @@ $$
|
||||
|
||||
goes as follows.
|
||||
|
||||
|
||||
|
||||
|
||||
> 1. $P$ computes random $\beta_t \la \bb{Z}_q$ and sends commitment $v_t \la g^{\beta_t}$, $w_t \la u^{\beta_t}$ to $V$.
|
||||
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
|
||||
@@ -223,7 +223,7 @@ $$
|
||||
|
||||
goes as follows.
|
||||
|
||||
|
||||
|
||||
|
||||
> 1. $P$ computes random $x_t \la \bb{Z}_n^{\ast}$ and sends commitment $y_t \la x_t^e$ to $V$.
|
||||
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
|
||||
|
||||
@@ -148,7 +148,7 @@ Indeed, $z_1, z_2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
|
||||
|
||||
Now, in the actual computation of AND gates, proceed as follows.
|
||||
|
||||
|
||||
|
||||
|
||||
> Each $P_i$ has a share of inputs $a_i, b_i$ and a Beaver triple $(x_i, y_i, z_i)$.
|
||||
> 1. Each $P_i$ computes $u_i = a_i + x_i$, $v_i = b_i + y_i$.
|
||||
|
||||
Reference in New Issue
Block a user