mirror of
https://github.com/calofmijuck/blog.git
synced 2025-12-06 14:53:50 +00:00
fix: broken image links have been fixed
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _Overview of Kubernetes Architecture (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-1)_
|
||||
 _Overview of Kubernetes Architecture (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-1)_
|
||||
|
||||
기존에는 소프트웨어가 커다란 덩어리였지만 최근에는 독립적으로 작동하는 작은 **마이크로서비스**(microservice)로 나뉘고 있다. 이들은 독립적으로 동작하기 때문에, 개발하고 배포하거나 스케일링을 따로 해줄 수 있다는 장점이 있으며, 이 장점은 빠르게 변화하는 소프트웨어의 요구사항을 반영하기에 적합하다.
|
||||
|
||||
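Review bot: the removed and added caption lines for `_Overview of Kubernetes Architecture ..._` are identical, so this hunk does not show what changed in the image reference that sits on the same line as the caption; the commit message should state what the broken path was and what replaced it, and the new path should be checked against the front matter context `folder: assets/img/posts/Development/Kubernetes` shown in this hunk. The same applies to every per-chapter hunk below that follows this pattern.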
@@ -202,4 +202,4 @@ VM은 자체적으로 OS를 가지고 있기 때문에 VM을 사용하게 되면
|
||||
새로운 버전의 애플리케이션을 배포할 때 연속적인 배포를 할 수 있게 된다. 중간에 서비스를 중단하지 않아도 된다.
|
||||
|
||||
---
|
||||
[^1]: 물론 컨테이너를 씀으로 인해 발생하는 새로운 문제를 얻겠지만, 개인적으로 장점이 더 크다고 생각한다.
|
||||
[^1]: 물론 컨테이너를 씀으로 인해 발생하는 새로운 문제를 얻겠지만, 개인적으로 장점이 더 크다고 생각한다.
|
||||
|
||||
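Review bot: the `[^1]` footnote definition appears as both the old and the new line with identical visible text, which in a commit about image links reads as noise; if this is a trailing-newline or whitespace-only change (the `@@ -202,4 +202,4 @@` header places it at the end of the post), say so in the commit message or leave it out of this commit. The later `@@ -103,4 +103,4 @@` hunk with the `[^2]` footnote shows the same pattern.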
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _Running a container image in Kubernetes (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-2)_
|
||||
 _Running a container image in Kubernetes (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-2)_
|
||||
|
||||
도커와 쿠버네티스를 사용하여 간단한 애플리케이션을 배포해 보자!
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _A container shouldn’t run multiple processes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-3)_
|
||||
 _A container shouldn’t run multiple processes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-3)_
|
||||
|
||||
다양한 쿠버네티스 오브젝트 (resources) 를 살펴보는 단원이다. 가장 기본이 되는 Pod 부터 시작한다. 이외의 모든 것들은 pod 를 관리하거나, pod 를 노출하거나, pod 에 의해 사용된다.
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _ReplicationController recreating pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-4)_
|
||||
 _ReplicationController recreating pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-4)_
|
||||
|
||||
3장에서는 pod 를 직접 관리하는 방법에 대해 살펴봤다. 하지만 실무에서는 pod 의 관리가 자동으로 되길 원한다. 이를 위해 ReplicationController 나 Deployment 를 사용한다.
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _Using `kubectl exec` to test out a connection to the service by running curl in one of the pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-5)_
|
||||
 _Using `kubectl exec` to test out a connection to the service by running curl in one of the pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-5)_
|
||||
|
||||
많은 앱들이 request (요청) 을 받아 서비스를 제공하는 형태인데, 이런 요청을 보내려면 IP 주소를 알아야 한다. 한편 Kubernetes 를 사용하게 되면 pod 의 IP 주소를 알아야 하는데, Kubernetes 의 pod 들은 굉장히 동적이므로 이들의 IP 주소를 알아낼 방법이 필요하다.
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _The complete picture of dynamic provisioning of PersistentVolumes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-6)_
|
||||
 _The complete picture of dynamic provisioning of PersistentVolumes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-6)_
|
||||
|
||||
컨테이너가 재시작되면 기존 작업 내역이 모두 사라지게 될 수 있으므로, 컨테이너의 작업 내역을 저장하고 같은 pod 내의 다른 컨테이너가 함께 사용하는 저장 공간이다.
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _Combining a ConfigMap and a Secret to run your fortune-https pod (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-7)_
|
||||
 _Combining a ConfigMap and a Secret to run your fortune-https pod (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-7)_
|
||||
|
||||
거의 대부분의 앱은 설정(configuration)이 필요하다. 개발 서버, 배포 서버의 설정 사항 (접속하려는 DB 서버 주소 등)이 다를 수도 있고, 클라우드 등에 접속하기 위한 access key 가 필요하거나, 데이터를 암호화하는 encryption key 도 설정해야하는 경우가 있다. 이러한 경우에 해당 값들을 도커 이미지 자체에 넣어버리면 보안 상 취약하고, 또 설정 사항을 변경하는 경우 이미지를 다시 빌드해야하는 등 불편함이 따른다.
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _Using the files from the default-token Secret to talk to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-8)_
|
||||
 _Using the files from the default-token Secret to talk to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-8)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _Rolling update of Deployments (출처: livebook.manning.com/book/kubernetes-in-action/chapter-9)_
|
||||
 _Rolling update of Deployments (출처: livebook.manning.com/book/kubernetes-in-action/chapter-9)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _A stateful pod may be rescheduled to a different node, but it retains the name, hostname, and storage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-10)_
|
||||
 _A stateful pod may be rescheduled to a different node, but it retains the name, hostname, and storage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-10)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _The chain of events that unfolds when a Deployment resource is posted to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-11)_
|
||||
 _The chain of events that unfolds when a Deployment resource is posted to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-11)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _Roles grant permissions, whereas RoleBindings bind Roles to subjects (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-12)_
|
||||
 _Roles grant permissions, whereas RoleBindings bind Roles to subjects (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-12)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _A pod with hostNetwork: true uses the node's network interfaces instead of its own. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-13)_
|
||||
 _A pod with hostNetwork: true uses the node's network interfaces instead of its own. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-13)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _The Scheduler only cares about requests, not actual usage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-14)_
|
||||
 _The Scheduler only cares about requests, not actual usage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-14)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _How the autoscaler obtains metrics and rescales the target deployment (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-15)_
|
||||
 _How the autoscaler obtains metrics and rescales the target deployment (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-15)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _A pod is only scheduled to a node if it tolerates the node’s taints. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-16)_
|
||||
 _A pod is only scheduled to a node if it tolerates the node’s taints. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-16)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _Resources in a typical application (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-17)_
|
||||
 _Resources in a typical application (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-17)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ attachment:
|
||||
folder: assets/img/posts/Development/Kubernetes
|
||||
---
|
||||
|
||||
 _API Server Aggregation (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-18)_
|
||||
 _API Server Aggregation (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-18)_
|
||||
|
||||
### 주요 내용
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ image:
|
||||
path: /assets/img/posts/blog-logo.png
|
||||
---
|
||||
|
||||
 _New blog logo_
|
||||
 _New blog logo_
|
||||
|
||||
오래 전, Github Pages가 불편하다는 이유로 티스토리로 옮겼었다.
|
||||
근데 어쩌다 보니 결국 다시 돌아오게 되었다.
|
||||
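Review bot: the `image:` front matter uses a root-absolute `path: /assets/img/posts/blog-logo.png`, whereas the post hunks above reference images relative to an `attachment: folder:` value; since the `_New blog logo_` line is the one being changed here, make sure the in-body reference and the front-matter `path` point at the same file so the logo does not break again when the folder layout changes.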
@@ -65,7 +65,7 @@ image:
|
||||
|
||||
Obsidian을 Github과 연동하기 위해 [Obsidian Github Publisher](https://github.com/ObsidianPublisher/obsidian-github-publisher) 플러그인을 사용할 수 있다.
|
||||
|
||||
{: .shadow } _플러그인 설정 화면: 어느 폴더에 어떤 이름으로 파일을 업로드할지 설정할 수 있다._
|
||||
{: .shadow } _플러그인 설정 화면: 어느 폴더에 어떤 이름으로 파일을 업로드할지 설정할 수 있다._
|
||||
|
||||
이 플러그인을 사용하면 Obsidian의 문서 중에서 `share: true` 로 마킹된 문서들을 레포에 저장할 수 있게 된다. 그렇다면 블로그 글을 Obsidian에서 작성하고, 플러그인을 이용해 레포에 push하게 되면, 자동으로 빌드/배포가 이뤄져서 블로그에 반영되는 것을 확인할 수 있을 것이다.
|
||||
|
||||
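Review bot: the changed line carries the kramdown attribute list `{: .shadow }` followed by the `_플러그인 설정 화면: ..._` caption on the same line; a span-level IAL binds to the element immediately before it, so confirm that the image reference precedes `{: .shadow }` with no whitespace in between, otherwise the class is not applied and the text `{: .shadow }` is rendered literally.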
@@ -103,4 +103,4 @@ Git은 version control system이기 때문에, 이미지가 버전에 따라 영
|
||||
시간될 때 댓글 기능도 붙이고, 과거 글도 몇 개 복원하고, 테마도 더 수정할 계획이다.
|
||||
|
||||
[^1]: 공부 빼고 다 재미있을 시기 아니겠는가?
|
||||
[^2]: S3는 $0.025/GB라서 부담되는 가격이 아니고, CloudFront는 매달 데이터 전송 1TB까지 무료였다.
|
||||
[^2]: S3는 $0.025/GB라서 부담되는 가격이 아니고, CloudFront는 매달 데이터 전송 1TB까지 무료였다.
|
||||
|
||||
@@ -155,7 +155,7 @@ There are many ways of achieving security.
|
||||
|
||||
### Basics of a Cryptosystem
|
||||
|
||||

|
||||

|
||||
|
||||
- A **message** in *plaintext* is given to an **encryption algorithm**.
|
||||
- The encryption algorithm uses an **encryption key** to create a *ciphertext*.
|
||||
|
||||
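Review bot: the old and new image reference lines in this hunk render as empty lines in the diff view, so unlike the Kubernetes posts (which put a `_caption_` on the same line as the image) there is no visible text telling the reader which figure was fixed; adding a caption or alt text to these figures would make any remaining broken link visible in the rendered post. The same holds for the remaining English-language hunks in this commit.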
@@ -63,7 +63,7 @@ $$
|
||||
|
||||
#### The Feistel Function
|
||||
|
||||

|
||||

|
||||
|
||||
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
|
||||
|
||||
@@ -179,7 +179,7 @@ AES, DES use fixed block size for encryption. How do we encrypt longer messages?
|
||||
|
||||
### Electronic Codebook Mode (ECB)
|
||||
|
||||

|
||||

|
||||
|
||||
- Codebook is a mapping table.
|
||||
- For the $i$-th plaintext block, we use key $k$ to encrypt and obtain the $i$-th ciphertext block.
|
||||
@@ -198,7 +198,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
|
||||
### Cipher Block Chaining Mode (CBC)
|
||||
|
||||

|
||||

|
||||
|
||||
- Two identical messages produce to different ciphertexts.
|
||||
- This prevents chosen plaintext attacks
|
||||
@@ -248,7 +248,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
|
||||
### Cipher Feedback Mode (CFB)
|
||||
|
||||

|
||||

|
||||
|
||||
- The message is treated as a stream of bits; similar to stream cipher
|
||||
- **Result of the encryption is fed to the next stage.**
|
||||
@@ -283,7 +283,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
|
||||
### Output Feedback Mode (OFB)
|
||||
|
||||

|
||||

|
||||
|
||||
- Very similar to stream cipher.
|
||||
- Initialization vector is used as a seed to generate the key stream.
|
||||
@@ -316,7 +316,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
|
||||
### Counter Mode (CTR)
|
||||
|
||||

|
||||

|
||||
|
||||
- Without chaining, we use a counter (typically incremented by $1$).
|
||||
- Counter starts from the initialization vector.
|
||||
|
||||
@@ -83,7 +83,7 @@ We have a root CA at the top. Then there are issuing CAs below. We usually reque
|
||||
|
||||
### Certificate Validation
|
||||
|
||||
[^1]
|
||||
[^1]
|
||||
|
||||
Since we have a hierarchy of CAs, certificate validation must also follow the hierarchy. When we receive a certificate, it is highly likely to be signed by an non-root CA.
|
||||
|
||||
|
||||
@@ -146,7 +146,7 @@ Here's how the client and the server establishes a connection using the TLS hand
|
||||
> 3. Use the server's public key to share a secret.
|
||||
> 4. Both parties generate a symmetric key from the shared secret.
|
||||
|
||||
[^1]
|
||||
[^1]
|
||||
|
||||
- `ServerKeyExchange`, `ClientKeyExchange` is optional. Used sometimes if Diffie-Hellman is used.
|
||||
- The actual messages and process differ for each protocol and ciphers used.
|
||||
|
||||
@@ -292,7 +292,7 @@ We can deduce that if a PRG is predictable, then it is insecure.
|
||||
|
||||
*Proof*. Let $\mathcal{A}$ be an efficient adversary (next bit predictor) that predicts $G$. Suppose that $i$ is the index chosen by $\mathcal{A}$. With $\mathcal{A}$, we construct a statistical test $\mathcal{B}$ such that $\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G]$ is non-negligible.
|
||||
|
||||

|
||||

|
||||
|
||||
1. The challenger PRG will send a bit string $x$ to $\mathcal{B}$.
|
||||
- In experiment $0$, PRG gives pseudorandom string $G(k)$.
|
||||
@@ -318,7 +318,7 @@ The theorem implies that if next bit predictors cannot distinguish $G$ from true
|
||||
|
||||
To motivate the definition of semantic security, we consider a **security game framework** (attack game) between a **challenger** (ex. the creator of some cryptographic scheme) and an **adversary** $\mathcal{A}$ (ex. attacker of the scheme).
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** Let $\mathcal{E} = (G, E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. For a given adversary $\mathcal{A}$, we define two experiments $0$ and $1$. For $b \in \lbrace 0, 1 \rbrace$, define experiment $b$ as follows:
|
||||
>
|
||||
|
||||
@@ -118,7 +118,7 @@ This is a matter of *collisions* of $f(x_i)$, so we use the facts from the birth
|
||||
|
||||
A **block cipher** is actually a different name for PRPs. Since a PRP $E$ is a keyed function, applying $E(k, x)$ is in fact encryption, and applying its inverse is decryption.
|
||||
|
||||

|
||||

|
||||
|
||||
Block ciphers commonly have the following form.
|
||||
- A key $k$ is chosen uniformly from $\left\lbrace 0, 1 \right\rbrace^s$.
|
||||
@@ -140,7 +140,7 @@ Block ciphers commonly have the following form.
|
||||
|
||||
Since block ciphers are PRPs, we have to build an invertible function. Suppose we are given **any** functions $F_1, \dots, F_d : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$. Can we build an **invertible** function $F : \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$?
|
||||
|
||||

|
||||

|
||||
|
||||
It turns out the answer is yes. Given an $2n$-bit long input, $L_0$ and $R_0$ denote the left and right halves ($n$ bits) of the input, respectively. Define
|
||||
|
||||
@@ -160,7 +160,7 @@ Note that we did not require $F_i$ to be invertible. We can build invertible fun
|
||||
|
||||
In DES, the function $F_i$ is the DES round function.
|
||||
|
||||

|
||||

|
||||
|
||||
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using $E$. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a permutation $P$ at the end, resulting in $32$ bit data.
|
||||
|
||||
@@ -168,7 +168,7 @@ The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunk
|
||||
|
||||
DES uses $56$ bit keys that generate $16$ rounds keys. The diagram below shows that DES has 16-round Feistel networks.
|
||||
|
||||

|
||||

|
||||
|
||||
The input goes through initial/final permutation, which are inverses of each other. These have no cryptographic significance, and just for engineering.
|
||||
|
||||
@@ -176,7 +176,7 @@ The input goes through initial/final permutation, which are inverses of each oth
|
||||
|
||||
DES is not secure, since key space and block length is too small. Thankfully, we have a replacement called the **advanced encryption standard** (AES).
|
||||
|
||||

|
||||

|
||||
|
||||
- DES key only had $56$ bits, so DES was broken in the 1990s
|
||||
- NIST standardized AES in 2001, based on Rijndael cipher
|
||||
@@ -254,7 +254,7 @@ Then the key space has increased (exponentially). As for 2DES, the key space is
|
||||
|
||||
Unfortunately, 2DES is only secure as DES, with the attack strategy called **meet in the middle**. The idea is that if $c = E(k_1, E(k_2, m))$, then $D(k_1, c) = E(k_2, m)$.
|
||||
|
||||

|
||||

|
||||
|
||||
Since we have the plaintext and the ciphertext, we first build a table of $(k, E(k_2, m))$ over $k_2 \in \mathcal{K}$ and sort by $E(k_2, m)$. Next, we check if $D(k_1, c)$ is in the table for all $k_1 \in \mathcal{K}$.
|
||||
|
||||
|
||||
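Review bot: while this section is being touched, the context line below the image builds the table as $(k, E(k_2, m))$ over $k_2 \in \mathcal{K}$; the first component should be $k_2$, i.e. $(k_2, E(k_2, m))$, otherwise the lookup of $D(k_1, c)$ in the table cannot recover the matching key.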
@@ -131,7 +131,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
|
||||
|
||||
### Electronic Codebook Mode (ECB)
|
||||
|
||||

|
||||

|
||||
|
||||
- ECB mode encrypts each block with the same key.
|
||||
- Blocks are independent of each other.
|
||||
@@ -139,7 +139,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
|
||||
|
||||
### Ciphertext Block Chain Mode (CBC)
|
||||
|
||||

|
||||

|
||||
|
||||
Let $X = \left\lbrace 0, 1 \right\rbrace^n$ and $E : \mathcal{K} \times X \rightarrow X$ be a **PRP**.
|
||||
|
||||
@@ -190,7 +190,7 @@ Note that if $k_1$ is the same as the key used for encrypting messages, then thi
|
||||
|
||||
### Counter Mode (CTR)
|
||||
|
||||

|
||||

|
||||
|
||||
Let $F : \mathcal{K} \times X \rightarrow X$ be a secure **PRF**.
|
||||
|
||||
|
||||
@@ -26,7 +26,7 @@ On the other hand, MAC fixes data that is tampered in purpose. We will also requ
|
||||
|
||||
## Message Authentication Code
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** A **MAC** system $\Pi = (S, V)$ defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$ is a pair of efficient algorithms $S$ and $V$ where $S$ is a **signing algorithm** and $V$ is a **verification algorithm**.
|
||||
>
|
||||
@@ -58,7 +58,7 @@ In the security definition of MACs, we allow the attacker to request tags for ar
|
||||
|
||||
For strong MACs, the attacker only has to change the tag for the attack to succeed.
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** Let $\Pi = (S, V)$ be a MAC system defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
|
||||
>
|
||||
@@ -123,7 +123,7 @@ The above construction uses a PRF, so it is restricted to messages of fixed size
|
||||
|
||||
### CBC-MAC
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** For any message $m = (m_0, m_1, \dots, m_{l-1}) \in \left\lbrace 0, 1 \right\rbrace^{nl}$, let $F_k := F(k, \cdot)$.
|
||||
>
|
||||
@@ -211,7 +211,7 @@ Since CBC-MAC is vulnerable to extension attacks, we encrypt the last block agai
|
||||
|
||||
ECBC-MAC doesn't require us to know the message length in advance, but it is relatively expensive in practice, since a block cipher has to be initialized with a new key.
|
||||
|
||||

|
||||

|
||||
|
||||
> **Theorem.** Let $F : \mathcal{K} \times X \rightarrow X$ be a secure PRF. Then for any $l \geq 0$, $F_\mathrm{ECBC} : \mathcal{K}^2 \times X^{\leq l} \rightarrow X$ is a secure PRF.
|
||||
>
|
||||
|
||||
@@ -83,7 +83,7 @@ The attacker shouldn't be able to create a new ciphertext that decrypts properly
|
||||
|
||||
In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M} \cup \left\lbrace \bot \right\rbrace$, where $\bot$ means that the ciphertext was rejected.
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
|
||||
>
|
||||
@@ -138,7 +138,7 @@ Most natural constructions of CCA secure schemes satisfy AE, so we don't need to
|
||||
|
||||
We want to combine CPA secure scheme and strongly secure MAC to get AE. Rather than focusing on the internal structure of the scheme, we want a general method to compose these two secure schemes so that we can get a AE secure scheme. We will see 3 examples.
|
||||
|
||||

|
||||

|
||||
|
||||
### Encrypt-and-MAC (E&M)
|
||||
|
||||
|
||||
@@ -106,7 +106,7 @@ Now we want to construct collision resistant hash functions that work for arbitr
|
||||
|
||||
The Merkle-Damgård transform gives as a way to extend our input domain of the hash function by iterating the function.
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** Let $h : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^l \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a hash function. The **Merkle-Damgård function derived from $h$** is a function $H$ that works as follows.
|
||||
>
|
||||
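Review bot: the context line above the image reads "The Merkle-Damgård transform gives as a way to extend"; that should be "gives us a way". Not part of the image fix, but worth folding in since the file is already being edited.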
@@ -151,7 +151,7 @@ Now we only have to build a collision resistant compression function. We can bui
|
||||
|
||||
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange#collision-resistance-based-on-dl-problem).
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** Let $\mathcal{E} = (E, D)$ be a block cipher over $(\mathcal{K}, X, X)$ where $X = \left\lbrace 0, 1 \right\rbrace^n$. The **Davies-Meyer compression function derived from $E$** maps inputs in $X \times \mathcal{K}$ to outputs in $X$, defined as follows.
|
||||
>
|
||||
@@ -216,7 +216,7 @@ This can be thought of as blocking the length extension attack from prepending t
|
||||
|
||||
### HMAC
|
||||
|
||||

|
||||

|
||||
|
||||
This is a variant of the two-key nest, but the difference is that the keys $k_1', k_2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
|
||||
|
||||
|
||||
@@ -74,7 +74,7 @@ $$
|
||||
|
||||
We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
|
||||
|
||||

|
||||

|
||||
|
||||
> 1. Alice chooses $\alpha \leftarrow \mathbb{Z}_q$ and computes $g^\alpha$.
|
||||
> 2. Bob chooses $\beta \leftarrow \mathbb{Z}_q$ and computes $g^\beta$.
|
||||
@@ -189,7 +189,7 @@ Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many comm
|
||||
|
||||
We assumed that the adversary only eavesdrops, but if the adversary carries out active attacks, then DHKE is not enough. The major problem is the lack of **authentication**. Alice and Bob are exchanging keys, but they both cannot be sure that there are in fact communicating with the other. An attacker can intercept messages and impersonate Alice or Bob. This attack is called a **man in the middle attack**, and this attack works on any key exchange protocol that lacks authentication.
|
||||
|
||||

|
||||

|
||||
|
||||
The adversary will impersonate Bob when communicating with Alice, and will do the same for Bob by pretending to be Alice. The values of $\alpha, \beta$ that Alice and Bob chose are not leaked, but the adversary can decrypt anything in the middle and obtain the plaintext.
|
||||
|
||||
@@ -211,7 +211,7 @@ Before Diffie-Hellman, Merkle proposed an idea for secure key exchange protocol
|
||||
|
||||
The idea was to use *puzzles*, which are problems that can be solved with some effort.
|
||||
|
||||

|
||||

|
||||
|
||||
> Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$.
|
||||
> 1. Alice chooses random pairs $(k_i, s_i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.
|
||||
|
||||
@@ -45,7 +45,7 @@ Public key $pk$ will be publicized. After Alice obtains $pk$, she can use it to
|
||||
|
||||
The following notion of security is only for an eavesdropping adversary.
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** Let $\mc{E} = (G, E, D)$ be a public key encryption scheme defined over $(\mc{M}, \mc{C})$. For an adversary $\mc{A}$, we define two experiments.
|
||||
>
|
||||
|
||||
@@ -57,7 +57,7 @@ $$
|
||||
|
||||
The definition is similar to the [secure MAC](../2023-09-21-macs/#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**.
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$. Given an adversary $\mc{A}$, the game goes as follows.
|
||||
>
|
||||
@@ -184,7 +184,7 @@ This scheme is originally from the **Schnorr identification protocol**.
|
||||
|
||||
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z_q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**.
|
||||
|
||||

|
||||

|
||||
|
||||
The protocol $\mc{I}_\rm{sch} = (G, P, V)$ works as follows.
|
||||
|
||||
|
||||
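Review bot: the context line `$\mc{I}_\rm{sch} = (G, P, V)$` uses `\rm` as the subscript argument; `\rm` is a font switch, not a command that takes an argument, so `_\rm{sch}` is not valid LaTeX and only renders if MathJax is lenient, and `\mathrm{sch}` is the portable spelling. `\mc` and `\Z` in the same lines depend on the site's MathJax macro definitions being loaded on this page.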
@@ -28,7 +28,7 @@ attachment:
|
||||
|
||||
## Identification Protocol
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** An **identification protocol** is a triple of algorithms $\mc{I} = (G, P, V)$ satisfying the following.
|
||||
>
|
||||
|
||||
@@ -27,7 +27,7 @@ The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) c
|
||||
|
||||
> **Definition.** An **effective relation** is a binary relation $\mc{R} \subset \mc{X} \times \mc{Y}$, where $\mc{X}$, $\mc{Y}$, $\mc{R}$ are efficiently recognizable finite sets. Elements of $\mc{Y}$ are called **statements**. If $(x, y) \in \mc{R}$, then $x$ is called a **witness for** $y$.
|
||||
|
||||

|
||||

|
||||
|
||||
> **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **sigma protocol** for $\mc{R}$ is a pair of algorithms $(P, V)$ satisfying the following.
|
||||
>
|
||||
@@ -107,7 +107,7 @@ Also note that **the simulator is free to generate the messages in any convenien
|
||||
|
||||
The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](../2023-10-26-digital-signatures/#the-schnorr-identification-protocol) for the full description.
|
||||
|
||||

|
||||

|
||||
|
||||
> The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where
|
||||
>
|
||||
@@ -165,7 +165,7 @@ $$
|
||||
|
||||
goes as follows.
|
||||
|
||||

|
||||

|
||||
|
||||
> 1. $P$ computes random $\alpha_t, \beta_t \la \bb{Z}_q$ and sends commitment $u_t \la g^{\alpha_t}h^{\beta_t}$ to $V$.
|
||||
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
|
||||
@@ -192,7 +192,7 @@ $$
|
||||
|
||||
goes as follows.
|
||||
|
||||

|
||||

|
||||
|
||||
> 1. $P$ computes random $\beta_t \la \bb{Z}_q$ and sends commitment $v_t \la g^{\beta_t}$, $w_t \la u^{\beta_t}$ to $V$.
|
||||
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
|
||||
@@ -223,7 +223,7 @@ $$
|
||||
|
||||
goes as follows.
|
||||
|
||||

|
||||

|
||||
|
||||
> 1. $P$ computes random $x_t \la \bb{Z}_n^{\ast}$ and sends commitment $y_t \la x_t^e$ to $V$.
|
||||
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
|
||||
|
||||
@@ -148,7 +148,7 @@ Indeed, $z_1, z_2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
|
||||
|
||||
Now, in the actual computation of AND gates, proceed as follows.
|
||||
|
||||

|
||||

|
||||
|
||||
> Each $P_i$ has a share of inputs $a_i, b_i$ and a Beaver triple $(x_i, y_i, z_i)$.
|
||||
> 1. Each $P_i$ computes $u_i = a_i + x_i$, $v_i = b_i + y_i$.
|
||||
|
||||
@@ -13,7 +13,7 @@ attachment:
|
||||
folder: assets/img/posts/Mathematics/Measure Theory
|
||||
---
|
||||
|
||||

|
||||

|
||||
|
||||
르벡 적분을 공부하기 위해서는 먼저 집합의 ‘길이’ 개념을 공부해야 합니다. 그리고 집합의 ‘길이’ 개념을 확립하기 위해서는 집합 간의 연산과 이에 대한 구조가 필요합니다.
|
||||
|
||||
|
||||
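Review bot: the front matter context `folder: assets/img/posts/Mathematics/Measure Theory` contains a space; if the image references fixed in this hunk are resolved from this folder, the space has to be encoded as `%20` in the markdown link (or the directory renamed), otherwise the link stays broken after this commit. The same folder value appears in the other Measure Theory hunks below.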
@@ -13,7 +13,7 @@ attachment:
|
||||
folder: assets/img/posts/Mathematics/Measure Theory
|
||||
---
|
||||
|
||||

|
||||

|
||||
|
||||
이제 본격적으로 집합을 재보도록 하겠습니다. 우리가 잴 수 있는 집합들부터 시작합니다. $\mathbb{R}^p$에서 논의할 건데, 이제 여기서부터는 $\mathbb{R}$의 구간의 열림/닫힘을 모두 포괄하여 정의합니다. 즉, $\mathbb{R}$의 구간이라고 하면 $[a, b], (a, b), [a, b), (a, b]$ 네 가지 경우를 모두 포함합니다.
|
||||
|
||||
|
||||
@@ -17,7 +17,7 @@ attachment:
|
||||
|
||||
Construction of measure 증명에서 추가로 참고할 내용입니다.
|
||||
|
||||

|
||||

|
||||
|
||||
**명제.** $A$가 열린집합이면 $A \in \mathfrak{M}(\mu)$ 이다. 또한 $A^C \in \mathfrak{M}(\mu)$ 이므로, $F$가 닫힌집합이면 $F \in \mathfrak{M}(\mu)$ 이다.
|
||||
|
||||
|
||||
@@ -155,7 +155,7 @@ $$s(x) = \sum_ {i=1}^{n} c_i \chi_ {E_i}(x).$$
|
||||
|
||||
여기서 $E_i$에 measurable 조건이 추가되면, 정의에 의해 $\chi_ {E_i}$도 measurable function입니다. 따라서 모든 measurable simple function을 measurable $\chi_ {E_i}$의 linear combination으로 표현할 수 있습니다.
|
||||
|
||||

|
||||

|
||||
|
||||
아래 정리는 simple function이 Lebesgue integral의 building block이 되는 이유를 잘 드러냅니다. 모든 함수는 simple function으로 근사할 수 있습니다.
|
||||
|
||||
|
||||
@@ -121,7 +121,7 @@ $$\int f \,d{\mu} = \sup\left\lbrace \int h \,d{\mu}: 0\leq h \leq f, h \text{ m
|
||||
|
||||
$f$보다 작은 measurable simple function의 적분값 중 상한을 택하겠다는 의미입니다. $f$보다 작은 measurable simple function으로 $f$를 근사한다고도 이해할 수 있습니다. 또한 $f$가 simple function이면 Step 2의 정의와 일치하는 것을 알 수 있습니다.
|
||||
|
||||

|
||||

|
||||
|
||||
$f \geq 0$ 가 measurable이면 증가하는 measurable simple 함수열 $s_n$이 존재함을 지난 번에 보였습니다. 이 $s_n$에 대하여 적분값을 계산해보면
|
||||
|
||||
|
||||
@@ -19,7 +19,7 @@ attachment:
|
||||
|
||||
먼저 단조 수렴 정리(monotone convergence theorem, MCT)입니다. 이 정리에서는 $f_n \geq 0$ 인 것이 매우 중요합니다.
|
||||
|
||||

|
||||

|
||||
|
||||
**정리.** (단조 수렴 정리) $f_n: X \rightarrow[0, \infty]$ 가 measurable이고 모든 $x \in X$ 에 대하여 $f_n(x) \leq f_ {n+1}(x)$ 라 하자.
|
||||
|
||||
|
||||
@@ -149,7 +149,7 @@ $$[f] = \lbrace g \in \mathcal{L}^{1}(E, \mu) : f \sim g\rbrace.$$
|
||||
|
||||
마지막 수렴정리를 소개하고 수렴정리와 관련된 내용을 마칩니다. 지배 수렴 정리(dominated convergence theorem, DCT)로 불립니다.
|
||||
|
||||

|
||||

|
||||
|
||||
**정리.** (지배 수렴 정리) Measurable set $E$와 measurable function $f$에 대하여, $\lbrace f_n\rbrace$이 measurable function의 함수열이라 하자. $E$의 거의 모든 점 위에서 극한 $f(x) = \displaystyle\lim_ {n \rightarrow\infty} f_n(x)$ 가 $\overline{\mathbb{R}}$에 존재하고 (점별 수렴) $\lvert f_n \rvert \leq g \quad \mu$-a.e. on $E$ ($\forall n \geq 1$) 를 만족하는 $g \in \mathcal{L}^{1}(E, \mu)$ 가 존재하면,
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@ attachment:
|
||||
folder: assets/img/posts/Mathematics/Measure Theory
|
||||
---
|
||||
|
||||

|
||||

|
||||
|
||||
## Comparison with the Riemann Integral
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@ attachment:
|
||||
folder: assets/img/posts/Mathematics/Measure Theory
|
||||
---
|
||||
|
||||
{: .w-50}
|
||||
{: .w-50}
|
||||
|
||||
## Integration on Complex Valued Function
|
||||
|
||||
|
||||