mirror of
https://github.com/calofmijuck/blog.git
synced 2025-12-06 22:53:51 +00:00
feat: fixing equations and new post (#99)
* [PUBLISHER] upload files #93 * [PUBLISHER] upload files #94 * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * PUSH ATTACHMENT : is-03-ecb-encryption.png * PUSH ATTACHMENT : is-03-cbc-encryption.png * PUSH ATTACHMENT : is-03-cfb-encryption.png * PUSH ATTACHMENT : is-03-ofb-encryption.png * PUSH ATTACHMENT : is-03-ctr-encryption.png * [PUBLISHER] upload files #95 * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * PUSH ATTACHMENT : is-03-feistel-function.png * PUSH ATTACHMENT : is-03-ecb-encryption.png * PUSH ATTACHMENT : is-03-cbc-encryption.png * PUSH ATTACHMENT : is-03-cfb-encryption.png * PUSH ATTACHMENT : is-03-ofb-encryption.png * PUSH ATTACHMENT : is-03-ctr-encryption.png * [PUBLISHER] upload files #96 * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * PUSH ATTACHMENT : is-03-feistel-function.png * PUSH ATTACHMENT : is-03-ecb-encryption.png * PUSH ATTACHMENT : is-03-cbc-encryption.png * PUSH ATTACHMENT : is-03-cfb-encryption.png * PUSH ATTACHMENT : is-03-ofb-encryption.png * PUSH ATTACHMENT : is-03-ctr-encryption.png * [PUBLISHER] upload files #97 * [PUBLISHER] upload files #98 * style: tab to space
This commit is contained in:
GitHub
@@ -7,8 +7,8 @@ categories:
|
||||
- Internet Security
|
||||
tags:
|
||||
- security
|
||||
- network
|
||||
- lecture-note
|
||||
- cryptography
|
||||
title: 02. Symmetric Key Cryptography (1)
|
||||
date: 2023-09-11
|
||||
github_title: 2023-09-11-symmetric-key-cryptography-1
|
||||
@@ -94,7 +94,7 @@ To attack this scheme, find the key length by *index of coincidence*. Then use f
|
||||
#### Hill Cipher
|
||||
|
||||
- A polyalphabetic substitution
|
||||
- A key is a *invertible* matrix $K = (k_{ij})_{m \times m}$ where $k_{ij} \in \mathbb{Z}_{26}$.
|
||||
- A key is a *invertible* matrix $K = (k _ {ij}) _ {m \times m}$ where $k _ {ij} \in \mathbb{Z} _ {26}$.
|
||||
- Encryption/decryption is done by multiplying $K$ or $K^{-1}$.
|
||||
|
||||
This scheme is vulnerable to known plaintext attack, since the equation can be solved for $K$.
|
||||
@@ -218,7 +218,7 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary
|
||||
|
||||
#### Encryption Overall
|
||||
|
||||
- Plaintext: Message +CRC
|
||||
- Plaintext: Message + CRC
|
||||
- CRC is padded to verify the integrity of the message.
|
||||
- CRC is $32$ bits
|
||||
- Not for attacks, but for error correction
|
||||
@@ -256,13 +256,17 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary
|
||||
#### IV Collision
|
||||
|
||||
- The key is fixed, and the period of IV is $2^{24}$
|
||||
- Same IV leads to same keystream.
|
||||
- Same IV leads to same key stream.
|
||||
- So if the adversary takes two frames with same IV to obtain the XOR of two plaintext messages.
|
||||
- $c_1 \oplus c_2 = (p_1 \oplus k_s) \oplus (p_2 \oplus k_s) = p_1 \oplus p_2$
|
||||
- Since network traffic contents are predictable, messages can be recovered.
|
||||
- We are in the link layer, so HTTP, IP, TCP headers will be contained in the encrypted payload.
|
||||
- The header formats are usually known.
|
||||
|
||||
#### CRC Algorithm
|
||||
|
||||
Given a bit string (defined in the specification), the sender performs long division on the data. The remainder is the result of the CRC, which is appended to the data. The receiver will check by performing long division, and the remainder should be $0$ if there were no bit errors during transmission.
|
||||
|
||||
### Message Modification
|
||||
|
||||
- CRC is actually a linear function.
|
||||
|
||||
@@ -13,7 +13,7 @@ title: 03. Symmetric Key Cryptography (2)
|
||||
date: 2023-09-18
|
||||
github_title: 2023-09-18-symmetric-key-cryptography-2
|
||||
image:
|
||||
path: /assets/img/posts/Lecture Notes/Internet Security/is-03-ecb-encryption.png
|
||||
path: /assets/img/posts/Lecture Notes/Internet Security/is-03-feistel-function.png
|
||||
attachment:
|
||||
folder: assets/img/posts/Lecture Notes/Internet Security
|
||||
---
|
||||
@@ -47,22 +47,27 @@ attachment:
|
||||
|
||||
### Encryption
|
||||
|
||||
(Diagram)
|
||||
- From the $56$-bit key, generate $16$ different $48$ bit keys $k_1, \dots, k_{16}$.
|
||||
1. Initially, input goes through the P-box.
|
||||
2. The output goes through $16$ rounds, and in the round $i$, key $k_i$ is used.
|
||||
3. After $16$ rounds, split the output into two $32$ bit halves and swap them.
|
||||
4. The output goes through the inverse of the P-box from Step 1.
|
||||
1. From the $56$-bit key, generate $16$ different $48$ bit keys $k_1, \dots, k_{16}$.
|
||||
2. The plaintext message goes through the P-box.
|
||||
3. The output goes through $16$ rounds, and in the round $i$, key $k_i$ is used.
|
||||
4. After $16$ rounds, split the output into two $32$ bit halves and swap them.
|
||||
5. The output goes through the inverse of the P-box from Step 1.
|
||||
|
||||
Let $L_{i-1} \parallel R_{i-1}$ be the output of round $i-1$, where $L_{i-1}$ and $R_{i-1}$ are $32$ bit halves. Also let $f$ be the Mangler function.
|
||||
Let $L_{i-1} \parallel R_{i-1}$ be the output of round $i-1$, where $L_{i-1}$ and $R_{i-1}$ are $32$ bit halves. Also let $f$ be the Feistel function.
|
||||
|
||||
In each round $i$,
|
||||
- $L_i = R_{i - 1}$
|
||||
- $R_i = L_{i-1} \oplus f(k_i, R_{i-1})$
|
||||
|
||||
#### Mangler Function
|
||||
$$
|
||||
L_i = R_{i - 1}, \qquad R_i = L_{i-1} \oplus f(k_i, R_{i-1})
|
||||
$$
|
||||
|
||||
*Is the Mangler function invertible?*
|
||||
#### The Feistel Function
|
||||
|
||||
|
||||
|
||||
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
|
||||
|
||||
The Feistel function is **not invertible.**
|
||||
|
||||
### Questions
|
||||
|
||||
@@ -72,12 +77,11 @@ In each round $i$,
|
||||
- Not for security, but for engineering purposes, see below.
|
||||
- Is DES invertible?
|
||||
- Yes, message should be decrypted.
|
||||
|
||||
But a Mangler function is *not invertible*, since it sends $4$ bits to $6$ bits during the evaluation process. Then how is decryption possible?
|
||||
- But the Feistel function is not invertible, since it sends $4$ bits to $6$ bits during the evaluation process. Then how is decryption possible?
|
||||
|
||||
### Decryption
|
||||
|
||||
Let $f$ be the Mangler function. We can define each round as a function $F$,
|
||||
Let $f$ be the Feistel function. We can define each round as a function $F$,
|
||||
|
||||
$$
|
||||
F(L_i \parallel R_i) = R_i \parallel L_i \oplus f(R_i).
|
||||
@@ -122,7 +126,7 @@ so evaluating the decryption round is actually equivalent to running the encrypt
|
||||
Each round consists of the following:
|
||||
- **SubBytes**: byte substitution, 1 S-box on every byte
|
||||
- **ShiftRows**: permutes bytes between groups and columns
|
||||
- **MixColumns**: mix columns by using matrix multiplication in $\mathbf{GF}(2^8)$.
|
||||
- **MixColumns**: mix columns by using matrix multiplication in $\mathrm{GF}(2^8)$.
|
||||
- **AddRoundKey**: XOR with round key
|
||||
|
||||
The first and last rounds are a little different.
|
||||
@@ -233,7 +237,14 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
- No IVs should be reused under the same key
|
||||
- IV changes should be unpredictable
|
||||
- On IV reuse, same message will generate the same ciphertext if key isn't changed
|
||||
- If IV is predictable, CBC is vulnerable to chosen plaintext attacks
|
||||
- If IV is predictable, CBC is vulnerable to chosen plaintext attacks.
|
||||
- Define Eve's new message $m' = \mathrm{IV} _ {\mathrm{E}} \oplus \mathrm{IV} _ {\mathrm{A}} \oplus g$, where
|
||||
- $\mathrm{IV} _ \mathrm{A}$ and $\mathrm{IV} _ \mathrm{E}$ are Alice and Eve's IVs
|
||||
- $g$ is a guess of Alice's original message $m$.
|
||||
- Since Eve can encrypt any message, $m'$ can be encrypted.
|
||||
- $c' = E _ k(\mathrm{IV} _ \mathrm{E} \oplus m') = E _ k(\mathrm{IV} _ \mathrm{A} \oplus g)$.
|
||||
- Then Eve can compare $c'$ and the original $c = E _ k(\mathrm{IV} _ \mathrm{A} \oplus m)$ to recover $m$.
|
||||
- Useful when there are not many cases for $m$ (or most of the message is already known).
|
||||
|
||||
### Cipher Feedback Mode (CFB)
|
||||
|
||||
@@ -292,13 +303,13 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
- The plaintext is $(p_1, p_2, \dots)$.
|
||||
- Note: IV and successive encryptions act as an OTP generator.
|
||||
- Advantages
|
||||
- There is no error propagation. 1 bit error in ciphertext only affects 1 bit in the plaintext.
|
||||
- There is no error propagation. $1$ bit error in ciphertext only affects $1$ bit in the plaintext.
|
||||
- Key streams can be generated in advance.
|
||||
- Fast when parallelized.
|
||||
- Only encryption module is needed.
|
||||
- Limitations
|
||||
- Key streams should not have repetitions.
|
||||
- We would have $c_i \oplus c_{i+1} = p_i \oplus p_{i + 1}$.
|
||||
- We would have $c_i \oplus c_j = p_i \oplus p_j$.
|
||||
- Size of each $s_i$ should be large enough.
|
||||
- If attacker knows the plaintext and ciphertext, plaintext can be modified.
|
||||
- Same as in OTP.
|
||||
@@ -307,7 +318,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
||||
|
||||
|
||||
|
||||
- Without chaining, we use a counter (typically incremented by 1).
|
||||
- Without chaining, we use a counter (typically incremented by $1$).
|
||||
- Counter starts from the initialization vector.
|
||||
- Highly parallelizable.
|
||||
- Can decrypt from any arbitrary position.
|
||||
|
||||
@@ -0,0 +1,235 @@
|
||||
---
|
||||
share: true
|
||||
toc: true
|
||||
math: true
|
||||
categories:
|
||||
- Lecture Notes
|
||||
- Internet Security
|
||||
tags:
|
||||
- lecture-note
|
||||
- security
|
||||
- cryptography
|
||||
title: 04. Modular Arithmetic (1)
|
||||
date: 2023-09-25
|
||||
github_title: 2023-09-25-modular-arithmetic-1
|
||||
---
|
||||
|
||||
**Number theory** is a branch of mathematics devoted primarily to the study of the integers. **Modular arithmetic** is heavily used in cryptography.
|
||||
|
||||
## Divisibility
|
||||
|
||||
> **Definition.** Let $a, b, c \in \mathbb{Z}$ such that $a = bc$. Then,
|
||||
>
|
||||
> 1. $b$ and $c$ are said to **divide** $a$, and are called **factors** of $a$.
|
||||
> 2. $a$ is said to be a **multiple** of $b$ and $c$.
|
||||
|
||||
> **Notation.** For $a, b \in \mathbb{Z}$, we write $a \mid b$ if $a$ divides $b$. If not, we write $a \nmid b$.
|
||||
|
||||
These are simple lemmas for checking divisibility.
|
||||
|
||||
> **Lemma.** Let $a, b, c \in \mathbb{Z}$.
|
||||
>
|
||||
> 1. If $a \mid b$ and $a \mid c$, then $a \mid (b + c)$.
|
||||
> 2. If $a \mid b$, then $a \mid bc$.
|
||||
> 3. If $a \mid b$ and $b \mid c$, then $a \mid c$.
|
||||
|
||||
## Prime Numbers
|
||||
|
||||
> **Definition.** Integer $n \geq 2$ is **prime** if it is only divisible by $1$ and itself. If it is not prime, then it is **composite**.
|
||||
|
||||
Note that $1$ is neither prime nor composite.
|
||||
|
||||
### Primality Tests
|
||||
|
||||
It is hard to verify if some given number is prime. Many encryption schemes heavily rely on this fact.
|
||||
|
||||
The following is a simple algorithm to check if a given integer is prime.
|
||||
|
||||
```c
|
||||
bool naive_prime_test(int n) {
|
||||
if (n < 2) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (int i = 2; i < sqrt(n); ++i) {
|
||||
if (n % i == 0) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
```
|
||||
|
||||
However, this algorithm has complexity $\mathcal{O}(\sqrt{n})$, which is slow. We have better algorithms like Fermat's test, Miller-Rabin test, Pollard's rho algorithm... (Not covered in this lecture)
|
||||
|
||||
## Division Algorithm
|
||||
|
||||
> **Theorem.** (Euclidean Division) For $a, b \in \mathbb{Z}$ with $b \neq 0$, there exist unique integers $q, r$ with $0 \leq r < \left\lvert b \right\rvert$ such that $a = bq + r$.
|
||||
|
||||
*Proof.* [By induction](https://en.wikipedia.org/wiki/Euclidean_division#Proof).
|
||||
|
||||
Other proofs use the well-ordering principle.
|
||||
|
||||
## Modulo Operation
|
||||
|
||||
There are two ways to think about 'mod': as a function, and as a congruence.
|
||||
|
||||
### Modulo as a Function
|
||||
|
||||
As a function, $a \bmod b$ return the remainder of $a$ divided by $b$. This operation is commonly denoted `%` in many programming languages.[^1]
|
||||
|
||||
### Modulo as a Congruence
|
||||
|
||||
As a congruence, it means that $a, b$ are in the same *equivalence class*.[^2]
|
||||
|
||||
> **Definition.** For $a, b, n \in \mathbb{Z}$ and $n \neq 0$, $a \equiv b \pmod n$ if and only if $n \mid (a - b)$.
|
||||
|
||||
Properties of modulo operation.
|
||||
|
||||
> **Lemma.** Suppose that $a \equiv b \pmod n$ and $c \equiv d \pmod n$. Then, the following hold.
|
||||
>
|
||||
> 1. $a + c \equiv (b + d) \pmod n$.
|
||||
> 2. $ac \equiv bd \pmod n$.
|
||||
> 3. $a^k \equiv b^k \pmod n$.
|
||||
> 4. $a \equiv (a \bmod n) \pmod n$.
|
||||
|
||||
*Proof.* Trivial. :)
|
||||
|
||||
The last one is very useful in computing. For example, if $a, b$ are very large integers, using the identity
|
||||
|
||||
$$
|
||||
(a + b)^k \equiv ((a + b) \bmod n)^k \pmod n
|
||||
$$
|
||||
|
||||
allows us to reduce the size of the numbers before exponentiation.
|
||||
|
||||
## Modular Arithmetic
|
||||
|
||||
For modulus $n$, **modular arithmetic** is operation on $\mathbb{Z}_n$.
|
||||
|
||||
### Residue Classes
|
||||
|
||||
For each positive integer $n$, we can partition $\mathbb{Z}$ into $n$ cells according to whether the remainder is $0, 1, 2, \dots, n - 1$ when the integer is divided by $n$. These cells are the **residue classes modulo $n$ in $\mathbb{Z}$**.
|
||||
|
||||
We write each residue class as follows.
|
||||
|
||||
$$
|
||||
\overline{k} = [k] = \left\lbrace m \in \mathbb{Z} : m \bmod n = k\right\rbrace
|
||||
$$
|
||||
|
||||
Consider the relation
|
||||
|
||||
$$
|
||||
R = \left\lbrace (a, b) : a \equiv b \pmod m \right\rbrace \subset \mathbb{Z} \times \mathbb{Z}
|
||||
$$
|
||||
|
||||
then $R$ has the following properties.
|
||||
|
||||
- **Reflexive**: $\forall a \in \mathbb{Z}$, $(a, a) \in R$.
|
||||
- **Symmetric**: $\forall a, b \in \mathbb{Z}$, if $(a, b) \in R$, then $(b, a) \in R$.
|
||||
- **Transitive**: $\forall a, b, c \in \mathbb{Z}$, if $(a, b), (b, c) \in R$ then $(a, c) \in R$.
|
||||
|
||||
Thus, $R$ is an **equivalence relation** and each residue class $[k]$ is an **equivalence class**.
|
||||
|
||||
We write the set of residue classes modulo $n$ as
|
||||
|
||||
$$
|
||||
\mathbb{Z}_n = \left\lbrace \overline{0}, \overline{1}, \overline{2}, \dots, \overline{n-1} \right\rbrace.
|
||||
$$
|
||||
|
||||
Note that $\mathbb{Z}_n$ is closed under addition and multiplication.
|
||||
|
||||
### Identity
|
||||
|
||||
> **Definition.** For a binary operation $\ast$ defined on a set $S$, $e$ is the **identity** if
|
||||
>
|
||||
> $$
|
||||
> \forall a \in S,\, a * e = e * a = a.
|
||||
> $$
|
||||
|
||||
In $\mathbb{Z}_n$, the additive identity is $0$, the multiplicative identity is $1$.
|
||||
|
||||
### Inverse
|
||||
|
||||
> **Definition.** For a binary operation $\ast$ defined on a set $S$, let $e$ be the identity. $x$ is the **inverse of $a$** if
|
||||
>
|
||||
> $$
|
||||
> x * a = a * x = e.
|
||||
> $$
|
||||
>
|
||||
> We write $x = a^{-1}$.
|
||||
|
||||
In the language of modular arithmetic, $x$ is the inverse of $a$ if
|
||||
|
||||
$$
|
||||
ax \equiv 1 \pmod n.
|
||||
$$
|
||||
|
||||
The inverse exists if and only if $\gcd(a, n) = 1$.
|
||||
|
||||
> **Lemma**. For $n \geq 2$ and $a \in \mathbb{Z}$, its inverse $a^{-1} \in \mathbb{Z}_n$ exists if and only if $\gcd(a, n) = 1$.
|
||||
|
||||
*Proof*. We use the Extended Euclidean Algorithm. There exists $u, v \in \mathbb{Z}$ such that
|
||||
|
||||
$$
|
||||
au + nv = \gcd(a, n).
|
||||
$$
|
||||
|
||||
($\impliedby$) If $\gcd(a, n) = 1$, then $au + nv = 1$, so $au = 1 - nv \equiv 1 \pmod n$. Thus $a^{-1} = u$.
|
||||
|
||||
($\implies$) Suppose that $x = a^{-1}$ exists. Then $ax \equiv 1 \pmod n$, so $ax = 1 + kn$ for some $n \in \mathbb{Z}$. Then $ax - nk = 1$. $\gcd(a, n)$ must divide the LHS, so $\gcd(a, n) = 1$.
|
||||
|
||||
## Euclidean Algorithm
|
||||
|
||||
### Greatest Common Divisor
|
||||
|
||||
> **Definition.** Let $a, b \in \mathbb{Z} \setminus \left\lbrace 0 \right\rbrace$ . The **greatest common divisor** of $a$ and $b$ is the largest integer $d$ such that $d \mid a$ and $d \mid b$. We write $d = \gcd(a, b)$.
|
||||
|
||||
> **Definition.** If $\gcd(a, b) = 1$, we say that $a$ and $b$ are **relatively prime**.
|
||||
|
||||
### Euclidean Algorithm
|
||||
|
||||
Euclidean Algorithm is an efficient way to find $\gcd(a, b)$. It relies on the following lemma.
|
||||
|
||||
> **Lemma.** For $a, b \in \mathbb{Z}$ and $b \neq 0$, $\gcd(a, b) = \gcd(b, a \bmod b)$.
|
||||
|
||||
*Proof*. By the division algorithm, there exists $q, r \in \mathbb{Z}$ such that $a = bq + r$. Here, $r = a \bmod b$.
|
||||
|
||||
Let $d = \gcd(a, b)$. Then $d \mid a$ and $d \mid b$, so $d \mid (a - bq)$. Thus $d \leq \gcd(b, r)$. Conversely, let $d' = \gcd(b, r)$. Then $d' \mid b$ and $d' \mid (a - bq)$, so $d' \mid a$. Thus $d' \leq \gcd(a, b)$. Thus $d = d'$.
|
||||
|
||||
The following code computes the greatest common divisor.
|
||||
|
||||
```c
|
||||
int gcd(int a, int b) {
|
||||
if (b == 0) {
|
||||
return a;
|
||||
} else {
|
||||
return gcd(b, a % b);
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Extended Euclidean Algorithm
|
||||
|
||||
We can extend the Euclidean algorithm to compute $u, v \in \mathbb{Z}$ such that
|
||||
|
||||
$$
|
||||
ua + vb = \gcd(a, b).
|
||||
$$
|
||||
|
||||
Basically, we use the Euclidean algorithm and solve for the remainder (which is the $\gcd$).
|
||||
|
||||
#### Calculating Modular Multiplicative Inverse
|
||||
|
||||
We can use the extended Euclidean algorithm to find modular inverses. Suppose we want to calculate $a^{-1}$ in $\mathbb{Z}_n$. We assume that the inverse exist, so $\gcd(a, n) = 1$.
|
||||
|
||||
Therefore, we use the extended Euclidean algorithm and find $x, y \in \mathbb{Z}$ such that
|
||||
|
||||
$$
|
||||
ax + ny = 1.
|
||||
$$
|
||||
|
||||
Then $ax \equiv 1 - ny \equiv 1 \pmod n$, thus $x$ is the inverse of $a$ in $\mathbb{Z}_n$.
|
||||
|
||||
[^1]: Note that in C standards, `(a / b) * b + (a % b) == a`.
|
||||
[^2]: $a$ and $b$ are in the same coset of $\mathbb{Z}/n\mathbb{Z}$.
|
||||
Reference in New Issue
Block a user