[ { "path": ".gitignore", "content": "*.nav\n*.out\n*.snm\n*.toc\n*.log\n*.aux\n*.swp\n*.vrb\n*.gz\n*.DS_Store\n.vscode/*\n*.fls\n*.fdb_latexmk\n*tikz-test.pdf" }, { "path": "LICENSE.txt", "content": "Attribution-ShareAlike 4.0 International\n\n=======================================================================\n\nCreative Commons Corporation (\"Creative Commons\") is not a law firm and\ndoes not provide legal services or legal advice. Distribution of\nCreative Commons public licenses does not create a lawyer-client or\nother relationship. Creative Commons makes its licenses and related\ninformation available on an \"as-is\" basis. Creative Commons gives no\nwarranties regarding its licenses, any material licensed under their\nterms and conditions, or any related information. Creative Commons\ndisclaims all liability for damages resulting from their use to the\nfullest extent possible.\n\nUsing Creative Commons Public Licenses\n\nCreative Commons public licenses provide a standard set of terms and\nconditions that creators and other rights holders may use to share\noriginal works of authorship and other material subject to copyright\nand certain other rights specified in the public license below. The\nfollowing considerations are for informational purposes only, are not\nexhaustive, and do not form part of our licenses.\n\n Considerations for licensors: Our public licenses are\n intended for use by those authorized to give the public\n permission to use material in ways otherwise restricted by\n copyright and certain other rights. Our licenses are\n irrevocable. Licensors should read and understand the terms\n and conditions of the license they choose before applying it.\n Licensors should also secure all rights necessary before\n applying our licenses so that the public can reuse the\n material as expected. Licensors should clearly mark any\n material not subject to the license. This includes other CC-\n licensed material, or material used under an exception or\n limitation to copyright. More considerations for licensors:\n\twiki.creativecommons.org/Considerations_for_licensors\n\n Considerations for the public: By using one of our public\n licenses, a licensor grants the public permission to use the\n licensed material under specified terms and conditions. If\n the licensor's permission is not necessary for any reason--for\n example, because of any applicable exception or limitation to\n copyright--then that use is not regulated by the license. Our\n licenses grant only permissions under copyright and certain\n other rights that a licensor has authority to grant. Use of\n the licensed material may still be restricted for other\n reasons, including because others have copyright or other\n rights in the material. A licensor may make special requests,\n such as asking that all changes be marked or described.\n Although not required by our licenses, you are encouraged to\n respect those requests where reasonable. More_considerations\n for the public:\n\twiki.creativecommons.org/Considerations_for_licensees\n\n=======================================================================\n\nCreative Commons Attribution-ShareAlike 4.0 International Public\nLicense\n\nBy exercising the Licensed Rights (defined below), You accept and agree\nto be bound by the terms and conditions of this Creative Commons\nAttribution-ShareAlike 4.0 International Public License (\"Public\nLicense\"). To the extent this Public License may be interpreted as a\ncontract, You are granted the Licensed Rights in consideration of Your\nacceptance of these terms and conditions, and the Licensor grants You\nsuch rights in consideration of benefits the Licensor receives from\nmaking the Licensed Material available under these terms and\nconditions.\n\n\nSection 1 -- Definitions.\n\n a. Adapted Material means material subject to Copyright and Similar\n Rights that is derived from or based upon the Licensed Material\n and in which the Licensed Material is translated, altered,\n arranged, transformed, or otherwise modified in a manner requiring\n permission under the Copyright and Similar Rights held by the\n Licensor. For purposes of this Public License, where the Licensed\n Material is a musical work, performance, or sound recording,\n Adapted Material is always produced where the Licensed Material is\n synched in timed relation with a moving image.\n\n b. Adapter's License means the license You apply to Your Copyright\n and Similar Rights in Your contributions to Adapted Material in\n accordance with the terms and conditions of this Public License.\n\n c. BY-SA Compatible License means a license listed at\n creativecommons.org/compatiblelicenses, approved by Creative\n Commons as essentially the equivalent of this Public License.\n\n d. Copyright and Similar Rights means copyright and/or similar rights\n closely related to copyright including, without limitation,\n performance, broadcast, sound recording, and Sui Generis Database\n Rights, without regard to how the rights are labeled or\n categorized. For purposes of this Public License, the rights\n specified in Section 2(b)(1)-(2) are not Copyright and Similar\n Rights.\n\n e. Effective Technological Measures means those measures that, in the\n absence of proper authority, may not be circumvented under laws\n fulfilling obligations under Article 11 of the WIPO Copyright\n Treaty adopted on December 20, 1996, and/or similar international\n agreements.\n\n f. Exceptions and Limitations means fair use, fair dealing, and/or\n any other exception or limitation to Copyright and Similar Rights\n that applies to Your use of the Licensed Material.\n\n g. License Elements means the license attributes listed in the name\n of a Creative Commons Public License. The License Elements of this\n Public License are Attribution and ShareAlike.\n\n h. Licensed Material means the artistic or literary work, database,\n or other material to which the Licensor applied this Public\n License.\n\n i. Licensed Rights means the rights granted to You subject to the\n terms and conditions of this Public License, which are limited to\n all Copyright and Similar Rights that apply to Your use of the\n Licensed Material and that the Licensor has authority to license.\n\n j. Licensor means the individual(s) or entity(ies) granting rights\n under this Public License.\n\n k. Share means to provide material to the public by any means or\n process that requires permission under the Licensed Rights, such\n as reproduction, public display, public performance, distribution,\n dissemination, communication, or importation, and to make material\n available to the public including in ways that members of the\n public may access the material from a place and at a time\n individually chosen by them.\n\n l. Sui Generis Database Rights means rights other than copyright\n resulting from Directive 96/9/EC of the European Parliament and of\n the Council of 11 March 1996 on the legal protection of databases,\n as amended and/or succeeded, as well as other essentially\n equivalent rights anywhere in the world.\n\n m. You means the individual or entity exercising the Licensed Rights\n under this Public License. Your has a corresponding meaning.\n\n\nSection 2 -- Scope.\n\n a. License grant.\n\n 1. Subject to the terms and conditions of this Public License,\n the Licensor hereby grants You a worldwide, royalty-free,\n non-sublicensable, non-exclusive, irrevocable license to\n exercise the Licensed Rights in the Licensed Material to:\n\n a. reproduce and Share the Licensed Material, in whole or\n in part; and\n\n b. produce, reproduce, and Share Adapted Material.\n\n 2. Exceptions and Limitations. For the avoidance of doubt, where\n Exceptions and Limitations apply to Your use, this Public\n License does not apply, and You do not need to comply with\n its terms and conditions.\n\n 3. Term. The term of this Public License is specified in Section\n 6(a).\n\n 4. Media and formats; technical modifications allowed. The\n Licensor authorizes You to exercise the Licensed Rights in\n all media and formats whether now known or hereafter created,\n and to make technical modifications necessary to do so. The\n Licensor waives and/or agrees not to assert any right or\n authority to forbid You from making technical modifications\n necessary to exercise the Licensed Rights, including\n technical modifications necessary to circumvent Effective\n Technological Measures. For purposes of this Public License,\n simply making modifications authorized by this Section 2(a)\n (4) never produces Adapted Material.\n\n 5. Downstream recipients.\n\n a. Offer from the Licensor -- Licensed Material. Every\n recipient of the Licensed Material automatically\n receives an offer from the Licensor to exercise the\n Licensed Rights under the terms and conditions of this\n Public License.\n\n b. Additional offer from the Licensor -- Adapted Material.\n Every recipient of Adapted Material from You\n automatically receives an offer from the Licensor to\n exercise the Licensed Rights in the Adapted Material\n under the conditions of the Adapter's License You apply.\n\n c. No downstream restrictions. You may not offer or impose\n any additional or different terms or conditions on, or\n apply any Effective Technological Measures to, the\n Licensed Material if doing so restricts exercise of the\n Licensed Rights by any recipient of the Licensed\n Material.\n\n 6. No endorsement. Nothing in this Public License constitutes or\n may be construed as permission to assert or imply that You\n are, or that Your use of the Licensed Material is, connected\n with, or sponsored, endorsed, or granted official status by,\n the Licensor or others designated to receive attribution as\n provided in Section 3(a)(1)(A)(i).\n\n b. Other rights.\n\n 1. Moral rights, such as the right of integrity, are not\n licensed under this Public License, nor are publicity,\n privacy, and/or other similar personality rights; however, to\n the extent possible, the Licensor waives and/or agrees not to\n assert any such rights held by the Licensor to the limited\n extent necessary to allow You to exercise the Licensed\n Rights, but not otherwise.\n\n 2. Patent and trademark rights are not licensed under this\n Public License.\n\n 3. To the extent possible, the Licensor waives any right to\n collect royalties from You for the exercise of the Licensed\n Rights, whether directly or through a collecting society\n under any voluntary or waivable statutory or compulsory\n licensing scheme. In all other cases the Licensor expressly\n reserves any right to collect such royalties.\n\n\nSection 3 -- License Conditions.\n\nYour exercise of the Licensed Rights is expressly made subject to the\nfollowing conditions.\n\n a. Attribution.\n\n 1. If You Share the Licensed Material (including in modified\n form), You must:\n\n a. retain the following if it is supplied by the Licensor\n with the Licensed Material:\n\n i. identification of the creator(s) of the Licensed\n Material and any others designated to receive\n attribution, in any reasonable manner requested by\n the Licensor (including by pseudonym if\n designated);\n\n ii. a copyright notice;\n\n iii. a notice that refers to this Public License;\n\n iv. a notice that refers to the disclaimer of\n warranties;\n\n v. a URI or hyperlink to the Licensed Material to the\n extent reasonably practicable;\n\n b. indicate if You modified the Licensed Material and\n retain an indication of any previous modifications; and\n\n c. indicate the Licensed Material is licensed under this\n Public License, and include the text of, or the URI or\n hyperlink to, this Public License.\n\n 2. You may satisfy the conditions in Section 3(a)(1) in any\n reasonable manner based on the medium, means, and context in\n which You Share the Licensed Material. For example, it may be\n reasonable to satisfy the conditions by providing a URI or\n hyperlink to a resource that includes the required\n information.\n\n 3. If requested by the Licensor, You must remove any of the\n information required by Section 3(a)(1)(A) to the extent\n reasonably practicable.\n\n b. ShareAlike.\n\n In addition to the conditions in Section 3(a), if You Share\n Adapted Material You produce, the following conditions also apply.\n\n 1. The Adapter's License You apply must be a Creative Commons\n license with the same License Elements, this version or\n later, or a BY-SA Compatible License.\n\n 2. You must include the text of, or the URI or hyperlink to, the\n Adapter's License You apply. You may satisfy this condition\n in any reasonable manner based on the medium, means, and\n context in which You Share Adapted Material.\n\n 3. You may not offer or impose any additional or different terms\n or conditions on, or apply any Effective Technological\n Measures to, Adapted Material that restrict exercise of the\n rights granted under the Adapter's License You apply.\n\n\nSection 4 -- Sui Generis Database Rights.\n\nWhere the Licensed Rights include Sui Generis Database Rights that\napply to Your use of the Licensed Material:\n\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right\n to extract, reuse, reproduce, and Share all or a substantial\n portion of the contents of the database;\n\n b. if You include all or a substantial portion of the database\n contents in a database in which You have Sui Generis Database\n Rights, then the database in which You have Sui Generis Database\n Rights (but not its individual contents) is Adapted Material,\n\n including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share\n all or a substantial portion of the contents of the database.\n\nFor the avoidance of doubt, this Section 4 supplements and does not\nreplace Your obligations under this Public License where the Licensed\nRights include other Copyright and Similar Rights.\n\n\nSection 5 -- Disclaimer of Warranties and Limitation of Liability.\n\n a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE\n EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS\n AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF\n ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,\n IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,\n WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR\n PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,\n ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT\n KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT\n ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.\n\n b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE\n TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,\n NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,\n INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,\n COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR\n USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN\n ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR\n DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR\n IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.\n\n c. The disclaimer of warranties and limitation of liability provided\n above shall be interpreted in a manner that, to the extent\n possible, most closely approximates an absolute disclaimer and\n waiver of all liability.\n\n\nSection 6 -- Term and Termination.\n\n a. This Public License applies for the term of the Copyright and\n Similar Rights licensed here. However, if You fail to comply with\n this Public License, then Your rights under this Public License\n terminate automatically.\n\n b. Where Your right to use the Licensed Material has terminated under\n Section 6(a), it reinstates:\n\n 1. automatically as of the date the violation is cured, provided\n it is cured within 30 days of Your discovery of the\n violation; or\n\n 2. upon express reinstatement by the Licensor.\n\n For the avoidance of doubt, this Section 6(b) does not affect any\n right the Licensor may have to seek remedies for Your violations\n of this Public License.\n\n c. For the avoidance of doubt, the Licensor may also offer the\n Licensed Material under separate terms or conditions or stop\n distributing the Licensed Material at any time; however, doing so\n will not terminate this Public License.\n\n d. Sections 1, 5, 6, 7, and 8 survive termination of this Public\n License.\n\n\nSection 7 -- Other Terms and Conditions.\n\n a. The Licensor shall not be bound by any additional or different\n terms or conditions communicated by You unless expressly agreed.\n\n b. Any arrangements, understandings, or agreements regarding the\n Licensed Material not stated herein are separate from and\n independent of the terms and conditions of this Public License.\n\n\nSection 8 -- Interpretation.\n\n a. For the avoidance of doubt, this Public License does not, and\n shall not be interpreted to, reduce, limit, restrict, or impose\n conditions on any use of the Licensed Material that could lawfully\n be made without permission under this Public License.\n\n b. To the extent possible, if any provision of this Public License is\n deemed unenforceable, it shall be automatically reformed to the\n minimum extent necessary to make it enforceable. If the provision\n cannot be reformed, it shall be severed from this Public License\n without affecting the enforceability of the remaining terms and\n conditions.\n\n c. No term or condition of this Public License will be waived and no\n failure to comply consented to unless expressly agreed to by the\n Licensor.\n\n d. Nothing in this Public License constitutes or may be interpreted\n as a limitation upon, or waiver of, any privileges and immunities\n that apply to the Licensor or You, including from the legal\n processes of any jurisdiction or authority.\n\n\n=======================================================================\n\nCreative Commons is not a party to its public\nlicenses. Notwithstanding, Creative Commons may elect to apply one of\nits public licenses to material it publishes and in those instances\nwill be considered the “Licensor.” The text of the Creative Commons\npublic licenses is dedicated to the public domain under the CC0 Public\nDomain Dedication. Except for the limited purpose of indicating that\nmaterial is shared under a Creative Commons public license or as\notherwise permitted by the Creative Commons policies published at\ncreativecommons.org/policies, Creative Commons does not authorize the\nuse of the trademark \"Creative Commons\" or any other trademark or logo\nof Creative Commons without its prior written consent including,\nwithout limitation, in connection with any unauthorized modifications\nto any of its public licenses or any other arrangements,\nunderstandings, or agreements concerning use of licensed material. For\nthe avoidance of doubt, this paragraph does not form part of the\npublic licenses.\n\nCreative Commons may be contacted at creativecommons.org.\n" }, { "path": "Makefile", "content": "\nTEX = pdflatex\n\nOPT= -output-directory pdf\n\nBUILD = ${TEX} ${OPT} $< ; ${TEX} ${OPT} $< ;\n\nSRCS := $(wildcard source/*.tex)\nPDFS := $(SRCS:source/%.tex=pdf/%.pdf)\n\nall: ${PDFS}\n\npdf/%.pdf : source/%.tex\n\t${BUILD}\n\n.PHONY: all clean \n\ngallery.pdf: #misc/gallery/gallery.tex\n\tsh misc/gallery/gen-gallery.sh > misc/gallery/gallery.tex;\n\t${TEX} -output-directory misc/gallery misc/gallery/gallery.tex\n\nclean:\n\t/bin/rm -rf *.log *.nav *.out *.snm *.synctex.gz *.toc *.aux tikz/*.log *.vrb\n\tcd source && /bin/rm -rf *.log *.nav *.out *.snm *.synctex.gz *.toc *.aux *.vrb\n\tcd pdf && /bin/rm -rf *.log *.nav *.out *.snm *.synctex.gz *.toc *.aux *.vrb\n\tcd homework && /bin/rm -rf *.log *.nav *.out *.snm *.synctex.gz *.toc *.aux *.vrb\n" }, { "path": "README.md", "content": "## Cryptography Course Slides\n\n[![made-with-latex](https://img.shields.io/badge/Made%20with-LaTeX-1f425f.svg)](https://www.latex-project.org/) [![CC BY-SA 4.0][cc-by-sa-shield]][cc-by-sa]\n\nYu Zhang, Harbin Insitute of Technology, 2011, 2012, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024\n\n- New! 2024.04 增加了实验指导书,在[lab](lab/)目录下\n- New! 2024.04 增加了中文PPT,在[slides-Chinese](slides-Chinese/)目录下\n- New! 2020.12 Alice, Bob, Evil and Charlie have new avatars\n- New! 2020.09 增加了中文课程讲义,在[notes-Chinese](notes-Chinese/)目录下\n\n## Requirement for compiling slides\n\n* Developed with [MacTeX](https://www.tug.org/mactex/)\n* run `make` to compile slides, which will be in [/pdf](/pdf)\n* run `make gallery.pdf` to generate [the gallery of tikz diagrams](/misc/gallery/gallery.pdf)\n\n## References\n* Textbook: [Introduction to Modern Cryptography](http://www.cs.umd.edu/~jkatz/imc.html) by Jonathan Katz and Yehuda Lindell\n* MOOC: [Cryptography @Coursera (Stanford)](https://crypto.stanford.edu/~dabo/courses/OnlineCrypto/) by Prof. Dan Boneh\n\n## License\n\nThis work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License][cc-by-sa].\n\n[![CC BY-SA 4.0][cc-by-sa-image]][cc-by-sa]\n\n[cc-by-sa]: http://creativecommons.org/licenses/by-sa/4.0/\n[cc-by-sa-image]: https://licensebuttons.net/l/by-sa/4.0/88x31.png\n[cc-by-sa-shield]: https://img.shields.io/badge/License-CC%20BY--SA%204.0-lightgrey.svg\n\n" }, { "path": "homework/amspset.cls", "content": "% AMS Dept HW class file\n% v0.05 by Eric Harley, 07 Sept 2005\n% forked from HMC Math dept HW class file v0.04, 07 Sept 2005 developed by Eric J. Malm.\n%%% IDENTIFICATION --------------------------------------------------------\n\\NeedsTeXFormat{LaTeX2e}[1995/01/01]\n\\ProvidesClass{amspset}\n [2005/09/07 v0.05 AMS Dept problem set class]\n\n%%% INITIAL CODE ----------------------------------------------------------\n%% Flag for compilation to PDF\n\\newif\\ifpdfh\n\\ifx\\pdfoutput\\undefined\n \\pdffalse\n\\else\n \\pdfoutput = 1\n \\pdftrue\n\\fi\n\n%%% DECLARATION OF OPTIONS ------------------------------------------------\n%% Header Options: header*, no header\n\\newif\\ifamspset@header\n\n% no header block in upper right hand corner\n\\DeclareOption{noheader}{%\n \\amspset@headerfalse%\n}\n\n% do print header block\n\\DeclareOption{header}{%\n \\amspset@headertrue%\n}\n\n%% Font Options: palatino*, cm\n\\newif\\ifamspset@palatino\n\n% use palatino fonts\n\\DeclareOption{palatino}{%\n \\amspset@palatinotrue%\n}\n\n% use compuer modern fonts\n\\DeclareOption{cm}{%\n \\amspset@palatinofalse%\n}\n\n%% Problem Boxing: boxed*, unboxed\n\\newif\\ifamspset@boxed\n\n% box problem statements\n\\DeclareOption{boxed}{%\n \\amspset@boxedtrue%\n}\n \n% don't box problem statements\n\\DeclareOption{unboxed}{%\n \\amspset@boxedfalse%\n}\n \n% pass remaining options to article class\n\\DeclareOption*{\\PassOptionsToClass{\\CurrentOption}{article}}\n\n%%% EXECUTION OF OPTIONS --------------------------------------------------\n%% default to:\n% including header, \n% loading mathpazo package for palatino fonts,\n% boxing problem statements\n\\ExecuteOptions{header,palatino,boxed}\n\n\\ProcessOptions\n\n%%% PACKAGE LOADING -------------------------------------------------------\n%% based on std article class\n\\LoadClass{article}\n\n%% Font loading: Palatino text/math fonts\n\\ifamspset@palatino\n \\RequirePackage{mathpazo}\n\\fi\n\n%% AMSLaTeX math environments and symbols\n\\RequirePackage{amsmath}\n\\RequirePackage{amssymb}\n\n%% boxed minipage for boxed problem environment\n\\RequirePackage{boxedminipage}\n\n%%% MAIN CODE -------------------------------------------------------------\n%% Tell dvips/pdflatex correct page size\n\\ifpdfh\n \\AtBeginDocument{%\n \\setlength{\\pdfpageheight}{\\paperheight}%\n \\setlength{\\pdfpagewidth}{\\paperwidth}%\n }\n\\else\n \\AtBeginDvi{\\special{papersize=\\the\\paperwidth,\\the\\paperheight}}%\n\\fi\n\n\n%% Problem set environments\n% boxed problem environment\n\\newenvironment{problem}[1][]{%\n \\ifamspset@boxed\\def\\amspset@probenv{boxed}\\else\\def\\amspset@probenv{}\\fi%\n \\bigskip% put space before problem statement box %\n \\noindent\\begin{\\amspset@probenv minipage}{\\columnwidth}%\n \\def\\@tempa{#1}%\n \\ifx\\@tempa\\empty\\else%\n \\amspset@probformat{#1}\\hspace{0.5em}%\n \\fi%\n}{%\n \\end{\\amspset@probenv minipage}%\n}\n% display optional argument to problem in bold\n\\let\\amspset@probformat\\textbf\n\n% solution environment with endmark and optional argument\n\\newenvironment{solution}[1][]{%\n \\begin{trivlist}%\n \\def\\@tempa{#1}%\n \\ifx\\@tempa\\empty%\n \\item[]%\n \\else%\n \\item[\\hskip\\labelsep\\relax #1]%\n \\fi%\n}{%\n \\mbox{}\\penalty10000\\hfill\\amspset@endmark%\n \\end{trivlist}%\n}\n\n% default endmark is small black square\n\\def\\amspset@endmark{\\ensuremath{\\scriptscriptstyle\\blacksquare}}\n\n%% Problem set list, for top of document\n\\newcommand{\\problemlist}[1]{\\begin{center}\\large\\sffamily{#1}\\end{center}}\n\n%% commands for upper-right id header block\n\\newcommand{\\headerblock}{%\n\\begin{flushright}\n\\mbox{\\amspset@name}\\protect\\\\\n\\mbox{\\amspset@class}\\protect\\\\\n\\mbox{\\amspset@assignment}\\protect\\\\\n\\amspset@duedate%\n\\ifx\\amspset@extraline\\empty\\else\\protect\\\\\\amspset@extraline\\fi%\n\\end{flushright}%\n}\n\n% put id header block at start of document\n\\ifamspset@header\\AtBeginDocument{\\headerblock}\\fi\n\n% internal state for headerblock\n\\def\\amspset@name{}\n\\def\\amspset@class{}\n\\def\\amspset@assignment{}\n\\def\\amspset@duedate{}\n\\def\\amspset@extraline{}\n\n% commands to set header block info\n\\newcommand{\\name}[1]{\\def\\amspset@name{#1}}\n\\newcommand{\\class}[1]{\\def\\amspset@class{#1}}\n\\newcommand{\\assignment}[1]{\\def\\amspset@assignment{#1}}\n\\newcommand{\\duedate}[1]{\\def\\amspset@duedate{#1}}\n\\newcommand{\\extraline}[1]{\\def\\amspset@extraline{#1}}\n\n%Yu's custermization\n\n\\providecommand{\\abs}[1]{\\lvert#1\\rvert}\n" }, { "path": "homework/hw1.tex", "content": "\\documentclass[11pt]{article}\n\n% set 1-inch margins in the document\n\\usepackage[margin=1in]{geometry}\n\\usepackage{amsthm}\n\\theoremstyle{definition}\n\n% include this if you want to import graphics files with /includegraphics\n\\usepackage{graphicx}\n\n% info for header block in upper right hand corner\n\n\\newtheorem{problem}{Problem}\n\n\\title{HIT --- Cryptography --- Homework 1}\n\n\\begin{document}\n\n\\maketitle\n\n\\begin{problem}\nShow that the shift, Mono-Alphabetic sub., and Vigen\\`{e}re ciphers are all trivial to break using a known-plaintext attack. How much known plaintext (how many characters) is needed to completely recover the key for each of the ciphers? (show how to break the cipher)\n\\end{problem}\n\n\\begin{problem}\nShow that the shift, Mono-Alphabetic sub., and Vigen\\`{e}re ciphers are all trivial to break using a chosen-plaintext attack. How much plaintext (how many characters) must be encrypted to completely recover the key? (show your chosen plaintext) \n\\end{problem}\n\n\\begin{problem}\nProve or refute: For every encryption scheme that is perfectly secret it holds that for every distribution over the message space $\\mathcal{M}$, every $m, m' \\in \\mathcal{M}$, and every $c \\in \\mathcal{C}$:\n\\[ \\Pr[M=m | C=c] = \\Pr[M=m'|C=c].\n\\]\n\\end{problem}\n\n\\begin{problem}\nStudy conditions under which the shift, mono-alphabetic sub., and Vigen\\`{e}re cipher ciphers are perfectly secret:\n\\begin{itemize}\n\\item (a) Prove that if only a single character is encrypted, then the shift cipher is perfectly secret.\n\\item (b) What is the largest plaintext space $M$ you can find for which the mono-alphabetic sub. cipher provides perfect secrecy?\n\\item (c) Show how to use the Vigen\\`{e}re cipher to encrypt any word of length $t$ so that perfect secrecy is obtained (note: you can choose the length of the key). Prove your answer.\n\\end{itemize}\n\\end{problem}\n\n\\begin{problem}\nIn the one-time pad encryption scheme, it can sometimes happen that the key is the all-zero string. In this case, the encryption of a message $m$ is given by $m \\oplus 0^{l} = m$ and therefore the ciphertext is identical to the message!\n\\begin{itemize}\r\\item (a) Do you think the one-time pad scheme should be modified so that the all-zero key is not used? Explain.\r\\item (b) Explain how it is possible that the one-time pad is perfectly secure even though the above situation can occur with non-zero probability.\r\n\\end{itemize}\n\\end{problem}\n\n\\end{document}\n" }, { "path": "homework/hw2.tex", "content": "\\documentclass[11pt]{article}\n\n% set 1-inch margins in the document\n\\usepackage[margin=1in]{geometry}\n\\usepackage{amsthm}\n\\theoremstyle{definition}\n\n% include this if you want to import graphics files with /includegraphics\n\\usepackage{graphicx}\n\n% info for header block in upper right hand corner\n\n\\newtheorem{problem}{Problem}\n\n\\title{HIT --- Cryptography --- Homework 2}\n\n\\begin{document}\n\n\\maketitle\n\n\\begin{problem}\nAssuming the existence of a variable output-length pseudorandom generator, present a construction of variable-length encryption scheme, and prove that your construction has indistinguishable encryptions in the presence of an eavesdropper. {\\small Hint: the construction of secure fixed-length encryption scheme also holds here.}\n\\end{problem}\n\n\\begin{problem}\nAssume $f(s)$ and $f'(s)$ are PRGs. Is $g(s)=f(s) \\oplus f'(s)$ also necessarily a PRG? How about $g(s)=f(s) \\oplus s$?\n\\end{problem}\n\n\\begin{problem}\nAssuming the existence of a pseudorandom function, prove that there exists an encryption scheme that has indistinguishable multiple encryptions in the presence of an eavesdropper, but is not CPA-secure.\n{\\small Hint: You will need to use the fact that in a CPA the adversary can choose its queries to the encryption oracle adaptively (i.e., new query may be constructed from previous queries).}\n\\end{problem}\n\n%\\begin{problem}\n%Present formulas for decryption of all the different modes of operation for encryption: ECB, CBC, OFB, CTR. For which modes can decryption be parallelized?\n%\\end{problem}\n\n\\begin{problem}\nPresent a construction of a variable output-length pseudorandom generator from any pseudorandom function. Prove that your construction satisfies Definition: `a variable output-length pseudorandom generator'.\n\\end{problem}\n\n\\begin{problem}\nShow that the CBC mode do not yield CPA-secure encryption in the case that the $IV$ is predicable. {\\small Hint: The messages presented by the adversary could be constructed from the predicable $IV$ and previous queries.}\n\\end{problem}\n\n\\begin{problem}\nShow that the CBC, OFB and CTR modes do not yield CCA-secure encryption schemes (regardless of F). {\\small Hint: If one bit of Ciphertext is flipped, so does one bit of Plaintext.}\n\\end{problem}\n\n\\begin{problem}\nShow how to learn whether the length of message is 1 bytes with the padding-oracle attack. \n\\end{problem}\n\n\\end{document}\n" }, { "path": "homework/hw3.tex", "content": "\\documentclass[11pt]{article}\n\n% set 1-inch margins in the document\n\\usepackage[margin=1in]{geometry}\n\\usepackage{amsthm}\n\\usepackage{amsmath}\n\\usepackage{amssymb,amsfonts}\n\\theoremstyle{definition}\n\n% include this if you want to import graphics files with /includegraphics\n\\usepackage{graphicx}\n\\providecommand{\\abs}[1]{\\lvert#1\\rvert}\n\n% info for header block in upper right hand corner\n\n\\newtheorem{problem}{Problem}\n\n\\title{HIT --- Cryptography --- Homework 3}\n\n\\begin{document}\n\n\\maketitle\n\n\\begin{problem}\nIn our attack on a 1-round substitution-permutation network, we considered a block length of 64 bits and a network with 16 $S$-boxes that each take a 4-bit input. \n\\begin{enumerate}\n\\item Repeat the analysis for the case of 8 $S$-boxes, each taking an 8-bit input. What is the complexity of the attack now?\n\\item Repeat the analysis again with a 128-bit block length and 16 $S$-boxes that each take an 8-bit input.\n\\item Does the $S$-boxes length make any difference? Does the block length make any difference?\n\\end{enumerate}\n\\end{problem}\n\n\\begin{problem}\nShow that DES has the property that $DES_k(x) = \\overline{DES_{\\overline{k}}(\\overline{x})}$ for every key $k$ and input $x$ (where $\\overline{z}$ denotes the bitwise complement of $z$). This is called the complementarity property of $DES$.\n\\end{problem}\n\n\\begin{problem}\nIs the addition function $f(x, y) = x + y$ (where $|x| = |y|$ and $x$ and $y$ are interpreted as natural numbers) a one-way function?\n\\end{problem}\n\n\\begin{problem}\nLet $f_{1}(x)$ and $f_{2}(x)$ be one-way functions. Is $f(x) = (f_{1}(x), f_{2}(x))$ necessarily a one-way function? Prove your answers.\n\\end{problem}\n\n\\begin{problem}\nLet $f$ be a one-way function. Is $g(x) = f(f(x))$ necessarily a one-way function? What about $g(x) = (f(x),f(f(x)))$? Prove your answers.\n\\end{problem}\n\n\\end{document}" }, { "path": "homework/hw4.tex", "content": "\\documentclass[11pt]{article}\n\n% set 1-inch margins in the document\n\\usepackage[margin=1in]{geometry}\n\\usepackage{amsthm}\n\\usepackage{amsmath}\n\\usepackage{amssymb,amsfonts}\n\\theoremstyle{definition}\n\n% include this if you want to import graphics files with /includegraphics\n\\usepackage{graphicx}\n\\providecommand{\\abs}[1]{\\lvert#1\\rvert}\n\n% info for header block in upper right hand corner\n\n\\newtheorem{problem}{Problem}\n\n\\title{HIT --- Cryptography --- Homework 4}\n\n\\begin{document}\n\n\\maketitle\n\n\\begin{problem}\nLet $F$ be a pseudorandom function. Show that the following MAC for messages of length $2n$ is insecure: The shared key is a random $k\\in \\{0,1\\}^n$. To authenticate a message $m_1\\| m_2$ with $\\abs{m_1} =\\abs{m_2} = n$, compute the tag $\\langle F_k(m_1), F_k(F_k(m_2))\\rangle$. \n\\end{problem}\n\n\\begin{problem}\nLet $(\\mathsf{Gen},H)$ be a collision-resistant hash function. Is $(\\mathsf{Gen},\\hat{H})$ defined by $(\\hat{H}^s(x) \\overset{\\text{def}}{=} H^s(H^s(x))$ necessarily collision resistant? Prove your answer. \n\\end{problem}\n\n\\begin{problem}\nFor each of following modifications to the Merkle-Damg\\r{a}rd transform, determine whether the result is collision resistant or not. If yes, provide a proof; if not, demonstrate an attack. {\\small Hint: you may use two facts on hash function: (1) $h(x) = x$ is collision resistant. Although $x$ is leaked, there is no collision. (2) A crhf $h$ can be constructed from another crhf $g$ by letting $h(x) = x\\|0$ for $x = 0$ and letting $h(x) = g(x)\\|1$ for $x \\ne 0$. }\n\\begin{enumerate}\n\\item Modify the construction so that the input length is not included at all (i.e, output $z_B$ and not $z_{B+1} = h^s(z_B\\| L)$).\n\\item Modify the construction so that instead of outputting $z = h^s(z_B\\| L)$, the algorithm outputs $z_B\\|L$\n\\item Instead of using an $IV$, just start the computation from $x_1$. That is, define $z_1 := x_1$ and then compute $z_i := h^s(z_{i-1}\\|x_i)$ for $i=2,\\dotsc,B+1$ and output $z_{B+1}$ as before.\n\\item Instead of using a fixed $IV$, set $z_0 := L$ and then compute $z_i := h^s(z_{i-1}\\|x_i)$ for $i=1,\\dotsc,B$ and output $z_B$.\n\\end{enumerate}\n\\end{problem}\n\\begin{problem}\nWe have learned that CCA-secure encryption schemes can be constructed by Enc-then-MAC in the class. Is there any other way to achieve CCA-secure scheme but without MAC? For example, (1) do you think the following scheme is CCA-secure? And why?\n\\begin{itemize}\n\\item message $m \\in \\{0,1 \\}^{n/2}$ and key $k \\in \\{0,1 \\}^{n}$. In encryption, choose a random string $r \\gets \\{0,1 \\}^{n/2}$ and ciphertext $c := F_{k}(r\\| m)$, where $F$ is a strong PRP.\n\\end{itemize}\nFurthermore, no matter what is your answer to the above question, (2) do you think CCA-security implies secure Authenticated Encryption (A.E.)? And why?\n\\end{problem}\n\\begin{problem}\nShow a message transmission scheme that achieves authentication communication (with integrity and authenticity) but is not a secure A.E (without confidentiality).\n\\end{problem}\n\\end{document}" }, { "path": "homework/hw5.tex", "content": "\\documentclass[11pt]{article}\n\n% set 1-inch margins in the document\n\\usepackage[margin=1in]{geometry}\n\\usepackage{amsthm}\n\\usepackage{amsmath}\n\\usepackage{amssymb,amsfonts}\n\\theoremstyle{definition}\n\n% include this if you want to import graphics files with /includegraphics\n\\usepackage{graphicx}\n\\providecommand{\\abs}[1]{\\lvert#1\\rvert}\n\n% info for header block in upper right hand corner\n\n\\newtheorem{problem}{Problem}\n\n\\title{HIT --- Cryptography --- Homework 5}\n\n\\begin{document}\n\n\\maketitle\n\n%\\begin{problem}\n%This question concerns the Euler phi function.\n%\\begin{enumerate}\n%\\item Let $p$ be a prime and $e \\ge 1$ an integer. Show that $\\phi(p^e) = p^{e-1}(p-1)$.\n%\\item Let $p,q$ be relatively prime. Show that $\\phi(pq) = \\phi(p)\\cdot \\phi(q)$. (You may use the Chinese remainder theorem.)\n%\\item Prove Theorem: $N = \\prod_ip_i^{e_i}$, $\\{p_i\\}$ are distinct primes, $\\phi(N) = \\prod_ip_i^{e_i-1}(p_i-1)$.\n%\\end{enumerate}\n%\\end{problem}\n\n\\begin{problem}\nCompute $[101^{4,800,000,023} \\bmod 35]$ (by hand).\n\\end{problem}\n\n\\begin{problem}\nLet $N=pq$ be a product of two distinct primes. Show that if $\\phi(N)$ and $N$ are known, then it is possible to compute $p$ and $q$ in polynomial time.\n\\end{problem}\n\n\\begin{problem}\nFor an RSA public key $\\langle N, e \\rangle$, we have an algorithm $\\mathcal{A}$ that always correctly computes $LSB(x)$ given $[ x^e \\mod N]$. Design an algorithm that computes $x$ from $[ x^e \\mod N]$.\n\\end{problem}\n\n\\begin{problem}\nConsider the following key-exchange protocol:\n\\begin{enumerate}\n\\item Alice chooses $k,r \\gets \\{0,1\\}^n$ at random, and sends $s:=k\\oplus r$ to Bob.\n\\item Bob chooses $t \\gets \\{0,1\\}^n$ at random and sends $u := s\\oplus t$ to Alice.\n\\item Alice computes $w := u\\oplus r$ and sends $w$ to Bob.\n\\item Alice outputs $k$ and Bob computes $w \\oplus t$.\n\\end{enumerate}\nShow that Alice and Bob output the same key. Analyze the security of the scheme (i.e. either prove its security or show a concrete attack by an eavesdropper).\n\\end{problem}\n\n\\begin{problem}\nConsider the following public-key encryption scheme. The public key is $(\\mathbb{G},q,g,h)$ and the private key is $x$, generated exactly as in the El Gamal encryption scheme. In order to encrypt a bit $b$, the sender does the following:\n\\begin{itemize}\n\\item If $b=0$ then choose a random $y \\gets \\mathbb{Z}_q$ and compute $c_1= g^y$ and $c_2=h^y$. The ciphertext is $\\langle c_1,c_2\\rangle$.\n\\item If $b=1$ then choose independent random $y,z \\gets \\mathbb{Z}_q$ and compute $c_1= g^y$ and $c_2=g^z$, and set the ciphertext is $\\langle c_1,c_2\\rangle$.\n\\end{itemize}\n(a) Show that it is possible to decrypt efficiently given knowledge of $x$. (b) Prove that this encryption scheme is CPA-secure if the decisional Diffie-Hellman problem is hard relative to $\\mathcal{G}$\n\\end{problem}\n\n\\begin{problem}\nThe natural way of applying hybrid encryption to the El Gamal encryption scheme is as follows. The public key is $pk = \\langle \\mathbb{G},q,g,h\\rangle $ as in the El Gamal scheme, and to encrypt a message $m$ the sender chooses random $k \\gets \\{0,1\\}^n$ and sends\n\\[ \\langle g^r, h^r\\cdot k, \\mathsf{Enc}_k(m)\\rangle, \\]\nwhere $r\\gets \\mathbb{Z}_q$ is chosen at random and $\\mathsf{Enc}$ represents a private-key encryption scheme. Suggest an improvement that results in a shorter ciphertext containing only a \\emph{single} group element followed by a private-key encryption of $m$.\n\\end{problem}\n\n\\begin{problem}\nFor each of the following variants of the definition of security for signatures, state whether textbook RSA is secure and prove your answer: \n\\begin{itemize}\n\\item (a) In this first variant, the experiment is as follows: the adversary is given the public key $pk$ and a random message $m$. The adversary is then allowed to query the signing oracle once on a single message that does not equal $m$. Following this, the adversary outputs a signature $\\sigma$ and succeeds if $\\mathsf{Vrfy}_{pk}(m,\\sigma)=1$. As usual, security is said to hold if the adversary can succeed in this experiment with at most negligible probability.\t\n\\item (b) The second variant is as above, except that the adversary is not allowed to query the signing oracle at all.\n\\end{itemize}\n\\end{problem}\n\n\\begin{problem}\nConsider the Lamport one-time signature scheme. Describe an adversary who obtains signatures on two messages of its choice and can then forge signatures on any message it likes.\n\\end{problem}\n\n\\end{document}" }, { "path": "homework/hw6.tex", "content": "\\documentclass[11pt]{article}\n\n% set 1-inch margins in the document\n\\usepackage[margin=1in]{geometry}\n\\usepackage{amsthm}\n\\usepackage{amsmath}\n\\usepackage{amssymb,amsfonts}\n\\theoremstyle{definition}\n\n% include this if you want to import graphics files with /includegraphics\n\\usepackage{graphicx}\n\\providecommand{\\abs}[1]{\\lvert#1\\rvert}\n\n% info for header block in upper right hand corner\n\n\\newtheorem{problem}{Problem}\n\n\\title{HIT --- Cryptography --- Homework 6}\n\n\\begin{document}\n\n\\maketitle\n\n\\begin{problem}\nWe have almost finished the course. Let's put things together to design a secure communication system for \na multi-player on-line game platform, such as the DOTA or the SanGuoSha. Communications are among players with or without a centric server.\nIn your report, please describe the threats your system may face, the cryptographic requirements and the corresponding constructions to satisfy the requirements. The description of threat may look like this:\n\\begin{itemize}\n\\item In on-line gaming, one player may eavesdrop the messages between another player and the centric server, which can happen when two players are within the same LAN. Then the eavesdropping player may learn something which should be confidential, such as the current position of the other on the map in the DOTA, or cards in the other's hand in the SanGuoSha.\n\\end{itemize}\nPlease present at least two other threats besides the above example. If the threat you proposed is novel and different with others, and you give a reasonable design to avoid or detect the threat, you will be awarded 5 extra points.\\\\\n\nNow let's make on-line gaming fair-play!\n\\end{problem}\n\\end{document}" }, { "path": "misc/gallery/frame.tex", "content": "% presentation\n\n%\\documentclass{beamer}\n%\\usetheme[height=7mm]{Rochester}\n%\\usecolortheme{rose}\n\n% handout\n\n\\documentclass[handout]{beamer}\n\\usepackage{pgfpages} \\pgfpagesuselayout{16 on 1}[a4paper,landscape]\n\n%\\documentclass[mathserif]{article}\n%\\usepackage{beamerarticle}\n\n\\usepackage{amsmath}\n\\usepackage{amssymb,amsfonts}\n\\usepackage[T1]{fontenc}\n\\usepackage{lmodern}\n\\usepackage{tikz}\n\\usepackage{comment}\n\\usepackage{simpsons}\n\\usepackage{marvosym}\n\\usepackage{color}\n\\usepackage{multirow}\n\\usepackage{pgffor}\n\\usepackage{pgfplots}\n\\usepackage[slide,algoruled,titlenumbered,vlined,noend,linesnumbered,]{algorithm2e}\n\n% handout\n%\\usefonttheme{structurebold}\n\n\\setbeamertemplate{footline}[frame number]\n\\setbeamertemplate{navigation symbols}{}\n\\setbeamerfont{smallverb}{size*={73}}\n\\usefonttheme[onlymath]{serif}\n\\setbeamertemplate{theorems}[numbered]\n\\newtheorem{construction}[theorem]{Construction}\n\\newtheorem{proposition}[theorem]{Proposition}\n\n%\\AtBeginSection[] { \n% \\begin{frame} \n% \\frametitle{Content} \n% \\tableofcontents[currentsection]\n% \\end{frame} \n% \\addtocounter{framenumber}{-1} \n%}\n\n\\usetikzlibrary[shapes.arrows]\n\\usetikzlibrary{shapes.geometric}\n\\usetikzlibrary{backgrounds}\n\\usetikzlibrary{positioning}\n\\usetikzlibrary{calc}\n\\usetikzlibrary{intersections}\n\\usetikzlibrary{fadings}\n\\usetikzlibrary{decorations.footprints}\n\\usetikzlibrary{patterns}\n\\usetikzlibrary{shapes.callouts}\n\\usetikzlibrary{fit}\n%handout\n\n\\providecommand{\\abs}[1]{\\lvert#1\\rvert}\n\n%\\tikzset{every picture/.style={line width=1pt,show background rectangle},background rectangle/.style={fill=blue!10,rounded corners=2ex}}\n\n\\newcommand{\\Bob}[3]{ \\begin{scope}[shift={(#1,#2)},scale=#3]\n \\draw (0,0) circle (0.95 and 1);\n \\fill (-0.3,-0.1) circle (0.1);\n \\fill (+0.3,-0.1) circle (0.1);\n \\draw (0.35,-0.5) arc (-70:-110: 1 and 0.4);\n \\draw (-0.3,0.5) arc (-10:-80: 0.8 and 0.8);\n \\draw (-0.5,0.8) arc (190:255: 2 and 1);\n \\draw (-0.7,0.9) -- +(0.2,-0.09) -- +(0.25,0.2);\n \\end{scope} }\n \n\\newcommand{\\Alice}[3]{ \\begin{scope}[shift={(#1,#2)},scale=#3]\n \\draw (0,0) circle (0.95 and 1);\n \\fill (-0.3,-0.1) circle (0.1);\n \\fill (+0.3,-0.1) circle (0.1);\n \\draw (0.35,-0.5) arc (-70:-110: 1 and 0.4);\n \\draw (0.3,1.3) arc (20:-100: 1.4 and 1);\n \\draw (0.5,1.3) arc (150:260: 1 and 1);\n \\draw (0.41,1.3) circle (0.35);\n \\end{scope} }\n\n \\newcommand{\\Evil}[3]{ \\begin{scope}[shift={(#1,#2)},scale=#3]\n \\draw (0,0) circle (0.95 and 1);\n \\fill (-0.1,-0.1) -- +(-0.2,-0.1) -- +(-0.4,0.2); %eye\n \\fill (0.1,-0.1) -- +(0.2,-0.1) -- +(0.4,0.2);\n \\draw (0.35,-0.5) arc (-70:-110: 1 and 0.4);\n %\\fill (0.3,-0.5) -- +(-0.1,-0.2) -- +(-0.2,-0.02);\n %\\fill (-0.3,-0.5) -- +(0.1,-0.2) -- +(0.2,-0.02);\n \\fill (0.3,0.7) -- +(0.5,0.4) -- +(0.4,-0.2); % horn\n \\fill (-0.3,0.7) -- +(-0.5,0.4) -- +(-0.4,-0.2);\n %\\draw (0.3,1.3) arc (20:-100: 1.4 and 1);\n %\\draw (0.5,1.3) arc (150:260: 1 and 1);\n %\\draw (0.41,1.3) circle (0.35);\n \\end{scope} }\n\n\\newcommand{\\Charlie}[3]{ \\begin{scope}[shift={(#1,#2)},scale=#3]\n \\draw (0,0) circle (0.95 and 1);\n \\filldraw[fill=black!20] (-0.35,-0.1) circle (0.25);\n \\filldraw[fill=black!20] (+0.35,-0.1) circle (0.25);\n %\\draw (0.9,0.2) to [bend left] (-0.9,0.2);\n \\draw (0.2,0) to [bend left] (-0.2,0);\n\n\n %\\draw (0.3,0.7) to [bend right] (-0.3,0.7);\n %\\draw (0.4,0.5) to [bend right] (-0.4,0.5);\n %\\draw (0.35,-0.5) arc (-70:-110: 1 and 0.4);\n \\draw (-0.7,-0.6) to [bend right] (0,-0.6) to [bend right] (0.7,-0.6) to [bend right] (0,-0.5) to [bend right] cycle ;\n %\\draw (0.3,1.3) arc (20:-100: 1.4 and 1);\n %\\draw (0.5,1.3) arc (150:260: 1 and 1);\n %\\draw (0.41,1.3) circle (0.35);\n \\end{scope} }\n\n\\author{Yu Zhang}\n\\institute{HIT/CST/NIS}\n\\date[Crypt'12S]{Cryptography, Spring, 2012}\n\n%\\input{1introduction.tex}\n%\\input{2perfectlysecret.tex}\n%\\input{3privatekey.tex}\n" }, { "path": "misc/gallery/gallery.tex", "content": "\\input{misc/gallery/frame.tex}\n\\begin{document}\n\\begin{frame} \\frametitle{1outof2}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/1outof2.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{3ballot}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/3ballot.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{3parties-DHKE}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/3parties-DHKE.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{3parties-JOUX}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/3parties-JOUX.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{CBC-MAC}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CBC-MAC.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{CBC-small}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CBC-small.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{CBC}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CBC.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{CCA-PKCS}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CCA-PKCS.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{CCA}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CCA.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{CMAC}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CMAC.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{CTR}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CTR.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{DESkey}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/DESkey.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{DHkey}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/DHkey.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{Davies-Meyer}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/Davies-Meyer.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{ECB}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/ECB.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{ElGamal}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/ElGamal.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{HMAC}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/HMAC.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{IBE}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/IBE.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{KDC}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/KDC.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{MDtransform}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/MDtransform.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{MS-PPTP}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/MS-PPTP.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{Miyaguchi-Preneel}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/Miyaguchi-Preneel.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{NMAC}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/NMAC.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{OAEP-plus}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/OAEP-plus.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{OAEP}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/OAEP.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{OFB}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/OFB.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{OWF}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/OWF.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{SAEP-plus}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/SAEP-plus.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{SIV-CTR}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/SIV-CTR.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{TDES}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/TDES.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{VCBC-MAC}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/VCBC-MAC.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{alice}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/alice.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{attack-spn}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/attack-spn.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{authentication}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/authentication.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{baby-giant}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/baby-giant.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{bilinear-map}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/bilinear-map.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{birthdayattack}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/birthdayattack.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{blindsignature}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/blindsignature.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{cPRF}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/cPRF.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{certificates}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/certificates.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{chain-sig}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/chain-sig.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{cipher-stealing}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/cipher-stealing.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{coinflipping}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/coinflipping.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{collision}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/collision.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{combination}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/combination.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{compute-sec}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/compute-sec.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{constructD}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/constructD.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{des}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/des.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{desx}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/desx.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{differential}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/differential.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{digitalsignature}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/digitalsignature.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{dining}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/dining.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{doubleE}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/doubleE.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{ePRG}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/ePRG.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{ecdhke}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/ecdhke.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{elgamal-con}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/elgamal-con.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{ellipticcurve}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/ellipticcurve.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{encryptionwithpf}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/encryptionwithpf.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{encryptionwithpg}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/encryptionwithpg.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{feistel-prp}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/feistel-prp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{feistel}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/feistel.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{hash}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hash.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{hcp}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hcp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{hs-reduce-1}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hs-reduce-1.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{hs-reduce-2}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hs-reduce-2.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{hybrid-enc-proof}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hybrid-enc-proof.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{hybrid-encrypt}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hybrid-encrypt.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{hybrideg}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hybrideg.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{hybridproof}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hybridproof.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{identification-schnorr}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/identification-schnorr.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{identification}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/identification.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{integrity}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/integrity.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{interlock}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/interlock.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{keyed-func}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/keyed-func.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{linear}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/linear.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{mac}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/mac.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{macforge-exp}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/macforge-exp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{macwithprf}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/macwithprf.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{man-in-middle}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/man-in-middle.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{meet-in-middle}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/meet-in-middle.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{multiple-enc-exp}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/multiple-enc-exp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{owff}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/owff.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{owfover}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/owfover.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{padding-oracle-lastbyte}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/padding-oracle-lastbyte.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{padding-oracle-null}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/padding-oracle-null.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{padding-oracle}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/padding-oracle.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{pgfD}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pgfD.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{pgfMAC}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pgfMAC.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{pnp}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pnp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{prg-distinguisher}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/prg-distinguisher.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{prg-sparse}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/prg-sparse.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{pri-cpa-exp}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pri-cpa-exp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{pri-eav-exp}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pri-eav-exp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{private-key}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/private-key.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{public-key}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/public-key.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{qr-qnr}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/qr-qnr.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{rabinOT}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/rabinOT.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{reduction-prg}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/reduction-prg.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{reduction}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/reduction.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{schnorr-signature}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/schnorr-signature.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{schnorr}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/schnorr.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{spn}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/spn.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{ssl}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/ssl.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{suf-mac}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/suf-mac.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{synchronizedmode}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/synchronizedmode.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{tdp-cca1}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/tdp-cca1.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{tdp-cca2}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/tdp-cca2.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{tdp-cpa}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/tdp-cpa.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{tdp-pk}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/tdp-pk.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{threepass}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/threepass.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{tls13hs}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/tls13hs.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{toy-OT}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/toy-OT.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{transmission}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/transmission.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{trapdoor}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/trapdoor.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{tree-sig}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/tree-sig.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{worldofpk}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/worldofpk.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{zkp-commitment}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/zkp-commitment.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{zkp-hanmilton}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/zkp-hanmilton.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{zkp-rsa}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/zkp-rsa.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame} \\frametitle{zkp}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/zkp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\end{document}\n" }, { "path": "misc/gallery/gen-gallery.sh", "content": "echo '\\input{misc/gallery/frame.tex}'\necho '\\\\begin{document}'\nfor a in `ls -1 tikz/*.tex`\ndo a=`echo $a | sed 's/^.*\\/\\(.*\\).tex/\\1/'`\necho '\\\\begin{frame} \\\\frametitle{'${a}'}'\necho '\\\\begin{figure}'\necho '\\\\begin{center}'\necho '\\input{tikz/'${a}'.tex}'\necho '\\end{center}'\necho '\\end{figure}'\necho '\\end{frame}'\ndone\necho '\\end{document}'\n" }, { "path": "misc/tikztest/tikz-test.tex", "content": "\\input{../../source/header/main.tex}\n%\\input{header/main.tex}\n\\begin{document}\n\\begin{frame}\\frametitle{Tikz Test}\n\\begin{figure}\n\\begin{center}\n\\input{../../tikz/zkp-hanmilton}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\end{document}\n" }, { "path": "notes-Chinese/0 课程介绍.md", "content": "# 课程介绍\n\n本课程讲义需结合幻灯片和参考教材学习。中文讲义大体可以看作是英文幻灯片的翻译,其区别主要在于:\n\n- 中文讲义不包含英文幻灯片中图片\n- 中文讲义对英文幻灯片中一小部分内容只有简单的占位性的文字\n- 中文讲义对英文幻灯片的部分内容有解释性补充\n\n信息化重塑了人类社会,形成了信息社会,而密码学是保护信息社会中人类信息活动的理论基础。\n\n1. 在本课程中,我们学习密码学原理,内容包含实现信息安全所需要的应用数学知识,但不包含如何实现相关方案。\n2. 密码学是一个庞大的工具,作为许多安全机制的基础,用于保护通信和计算安全。\n\n - 其应用包括,保护Web流量的HTTPS,保护Wifi的WPA2/3,数字内容保护,比特币等。\n - 然而,密码学无法解决所有安全问题,并且只有在其被正确地实现和使用时才是可靠的。\n - 值得强调的是,我们不应该自己发明密码学,而是尽量用现成的。在后面的课程中会学习为何如此。\n3. 本课程目的是学习什么是严格的信息安全,如何严格地保护信息,以及数学与工程是如何互动的。\n4. 密码学成果中很多都归功于图灵奖得主们。我们将学习这些研究成果。\n - (思考)我们以这些科学家为榜样!同时,意识到我们在信息安全基础研究方面的差距。\n - (思考)姚期智老师回国任教,培养未来的科学家。\n5. 本课程大纲包括古典密码学与完美保密,私钥(对称)加密,消息认证码(MAC),分组(块)密码,单向函数(OWF),数论,整数分解,离散对数,密钥管理,公钥(非对称)密码学,数字签名,陷门函数(TPD),随机预言机(ROM),(神奇的)密码学协议等。\n6. 本课程大纲组织结构(中文)如图所示,可分为四大部分:安全思想,基础理论/假设,安全定义,以及如何根据基础理论/假设来实现安全定义的密码学体制。\n7. 教材、幻灯片课件与交流方式\n - 参考教材为Jonathan Katz和Yehuda Lindell合著的IMC(Introduction to Mordern Cryptography)的第3版。\n - 课件和作业在GitHub上,随着课程开展会不定期更新。https://github.com/YuZhang/cryptography\n - 在Coursera上有斯坦福大学Dan Boneh教授的英文慕课,建议大家学习。\n - 请大家加入本课程的QQ群进行学习交流。\n - 为什么用英文教材和课件?因为未来我们将与英文的密码学资料打交道。密码学知识成果最初是英文书写的,最好的密码学学习资料也是英文的,而且密码学工具也是英文。为了更易于理解和交流,我们上课用汉语。为此,配套了中文讲义(对,正是您在阅读的这个)。\n8. 本课程考核包括两部分:作业占4%x5=20%,期末考试占80%。\n\n - 根据期末成绩的最高分,优秀作业有可能(只是可能)被奖励额外5%。\n\n - 建议认真研读参考教材IMC,自己做作业(否则很难理解密码学核心思想),当然更不要抄袭作业。" }, { "path": "notes-Chinese/1 导论.md", "content": "# 导论\n\n1. 在本节课程中,我们学习密码学导论,包括对称加密基本概念、古典密码学和现代密码学基本原则。我们通过学习这些可在直觉上被理解的,古典的加密方案和破解方法,建立对加密和安全的直观概念,从而理解现代密码学基本原则为什么是合理的和必要的。\n2. 目录\n3. 密码学概念\n\n - 密码学的英文单词来自两个希腊单词:kryptos,意为“隐藏,保密”,和graphin,意为“书写”,即秘写。\n - 密码学在简明牛津字典中定义为书写或破解代码(code)的艺术。其中,Code(代码)是一个预先编排好的符号的系统,特别用于确保消息传输中的秘密。另外中文中“密码”相关的英文单词还包括password(口令)、cipher(加密方案)、key(密钥)。这些术语要注意区分。\n - 现在密码学的开端在1980年代。那时在美国以DES、公钥密码学等为代表的成果相继出现,并且在美国密码学也从军用转变为民用。整个信息技术也是起步于上世纪八零年代的美国,包括个人计算机以及互联网。密码学的发展得益于个人计算机和互联网的发展。在互联网这个开放环境下安全通信的需求催生了密码学研究和大规模应用。\n - 参考教材IMC中对现代密码学定义:用于保护数字信息,系统和分布式计算免于敌对攻击的数学技术的科学研究。本课程主要是学习如何保护信息。\n4. 什么是密码学?(思考)\n\n - 漫画:在美国,密码学曾经被作为武器而被禁止出口\n - 目前各国对密码学产品进出口都有严格限制\n - 《中华人民共和国密码法》\n - 第二条:本法所称密码,是指采用特定变换的方法对信息等进行加密保护、安全认证的技术、产品和服务。\n - 第七条:核心密码、普通密码用于保护国家秘密信息,核心密码保护信息的最高密级为绝密级,普通密码保护信息的最高密级为机密级。核心密码、普通密码属于国家秘密。\n5. 私钥加密(private key encryption)设定\n\n - 目标是构造一个加密方案,用于在预先共享了私钥(对称密钥)的双方之间进行保密通信。\n - 隐含一个假设:存在某种方法,以保密的方式来分享一个密钥。\n - 磁盘加密相当于同一个人在不同的时刻间通信。\n6. Alice和Bob\n\n - Alice和Bob是密码学领域最出名的人,他们首次出现在1978年的著名的RSA论文,《A Method for Obtaining Digital Signatures and Public-key Cryptosystems》(一种产生数字签名和公开密钥系统的方法)。有关Alice和Bob的[参考资料](https://en.wikipedia.org/wiki/Alice_and_Bob)。\n7. 加密的词法\n\n - 什么是加密方案?下面是一个形式化的描述。其中的符号与表达比较符合直觉。\n\n - 作为发送者的Alice,向作为接收者的Bob,发送一个消息。该消息使用一个对称密钥加密。敌手(Adversary)窃听密文(窃听者通常命名为Eve),尝试获得明文。\n\n - **key** 密钥 $k \\in \\mathcal{K}$, **plaintext (or message)** 明文或消息 $m \\in \\mathcal{M}$, **ciphertext** 密文 $c \\in \\mathcal{C}$\n - 用小写字母表示一个具体信息,用花体大写字母表示一个集合\n - **Key-generation Algorithm** 密钥生成算法 $k \\gets \\mathsf{Gen}$\n - 用左箭头\"$\\leftarrow$\"表示随机生成结果的赋值\n - **Encryption Algorithm** 加密算法 $c:= \\mathsf{Enc}_k(m)$\n - 用冒号加等号“$:=$”表示“deterministic assignment”(确定性赋值),类似程序设计中的等号\n - **Decryption Algorithm** 解密算法 $m:= \\mathsf{Dec}_k(c)$\n - **Encryption scheme** 加密方案: $\\Pi = (\\mathsf{Gen}, \\mathsf{Enc}, \\mathsf{Dec})$\n - 密钥生成算法也是加密方案的一部分!\n - **Basic correctness requirement** 基本正确性要求 : $\\mathsf{Dec}_k(\\mathsf{Enc}_k(m)) = m$\n - 对一个明文使用一个密钥加密后,再用同一个密钥解密,应该得到相同的明文。\n - 等号“=”表示“相等”,“是”\n8. 保护密钥还是隐瞒算法?\n\n - 加密方案的“秘密”包括两部分:加密/解密算法和密钥,那么我们应该保密什么?\n - 更容易维护一个短密钥的秘密\n - 在密钥暴露的情况下,对于诚实方,更换密钥更容易\n - 在许多人彼此通信的情况下,更容易采用相同算法,不同密钥\n - **Kerchhoffs原则** (**柯克霍夫原则**):加密方法一定不必是秘密,即便落入敌手也必无不妥\n - **香农箴言**:敌人了解系统\n9. 为什要“开放密码学设计”?\n\n - 发表的设计经过公开检验会更强健(类似在提倡开源软件时,所给出的一个优点)\n - 相对于被攻击者发现,由有道德的黑客来发现安全缺陷会更好\n - 即便不公开,代码逆向工程(或被工业间谍泄漏)也构成了严重的安全威胁\n - 使标准的建立成为可能\n - 即使成为标准也不意味着安全:Dual EC是一个标准化的后门\n - Dual EC曾经与其他算法一起被NIST, ANSI和ISO标准化来产生随机数\n - 斯诺登披露,以及在关于Bullrun项目和SIGINT使能项目的报告中已经表明,Dual EC是NSA颠覆标准的系统化工作的一部分。\n - 路透社报道,NSA在一笔交易中向RSA公司支付了1千万美元,用于将Dual EC设置为BSafe软件中优先或者缺省的数字生成方法。\t\n10. 攻击场景\n\n - 除了窃听密文(称为COA),敌手还有其它手段(敌手能力)\n\n - **Ciphertext-only (COA)** 唯密文: 敌手只观察密文\n \n - **Known-plaintext (KPA)** 已知明文: 敌手获知同一密钥下的若干明文/密文对\n \n - **Chosen-plaintext (CPA)** 选择明文: 敌手有获得所选择明文加密(获得该明文的密文)的能力\n \n - **Chosen-ciphertext (CCA)** 选择密文: 敌手有获得所选择的**其它密文**解密(获得该密文的明文)的能力\n \n - 被动攻击: COA KPA,由于不是所有密文都是机密的\n \n - 主动攻击: CPA CCA,当敌手能够加密/解密任何其所希望的信息\n\n11. 历史上的加密方案及其密码分析(Cryptanalysis)\n\n - 下面学习古典密码,目的是了解加密并没有想象的复杂,但设计安全的加密是很困难的。同时,理解一些密码学设计的基本原则,并思考一个问题:如何确定一个加密方案是安全的?\n\n - 凯撒加密方案(Caesar's Cipher):凯撒将机密消息加密书写,这是将字母表中字母顺序改变使得没有一个单词可以被理解。若有人要解密,则他必须将字母表中第四个字母,即D,替换成A,并且对其它字母也这么做。\n - $\\mathsf{Enc}(m)=m+3\\mod 26$\n - 例子:明文`begintheattacknow`,采用凯撒加密的密文是什么?\n - 其弱点是什么?怎么改进?\n\n12. 移位加密(Shift Cipher)\n\n - $\\mathsf{Enc}_k(m)=m+k\\mod 26$\n - $\\mathsf{Dec}_k(c)=c-k\\mod 26$\n - 例子:解密`EHJLQWKHDWWDFNQRZ`\n - 弱点: 是什么? 怎么改进?\n - **充足密钥空间原则**:任何安全加密方案必须具有一个经受住穷举搜索的密钥空间\n - 问题:如何在穷举过程中自动化地确定密钥?\n\n13. 重合指数(Index of Coincidence)方法(寻找密钥 $k$)\n\n - 如何自动确定解密出来的是英文原文?\n\n - 重合指数$I$是两个随机挑选(挑选后放回)字母相同的概率\n\n - 令 $p_i$表示英文文本中第$i$个字母的概率\n\n $$ I \\overset{\\text{def}}{=}\\sum_{i=0}^{25} p_i^2 $$\n\n - 例子:计算`apple`的重合指数?\n\n - 先计算字符在字符串中出现的比例,a、l和e都是1/5,p是2/5\n\n - 重合指数$=3\\times \\left( \\frac{1}{5}\\right)^2 + \\left( \\frac{2}{5}\\right)^2 = \\frac{7}{25}$\n\n - 根据统计,对于足够长的英文文本,其重合指数为0.065。\n\n - 当每个字母以相同频率出现时,重合指数为$26 \\times \\frac{1}{26}^2 = \\frac{1}{26} = 0.038$\n\n - 这里可以看出英文中字母频率分布是不均匀的\n\n - 对于 $j = 0, 1, \\dotsc , 25$, 设$q_j$为密文中第 $j$ 个字母的概率,定义一个带参数$s$的重合指数\n\n $$ I_s \\overset{\\text{def}}{=}\\sum_{i=0}^{25} p_i \\cdot q_{i+s} $$\n\n - $q_{i+s}$ 就是明文第 $i$ 个字母被移位 $s$ 个后所得到字母在密文中的概率\n\n - 问题:当得到$I_s = 0.065$时就找到了密钥$k$?\n - 当$s=k$为密钥时,重合指数最大,因为平方和大于乘积的和,$a^2 + b^2 > 2ab$\n - 例如,将凯撒密码当成$k=3$的移位密码,a被替换成D,D在密文中的概率与a在明文中的概率是一样的。当$k=3$时,$p_0$就是明文中a的概率,$q_{0+3}$就是密文中D的概率,此时,$p_0 = q_3$。\n\n - **这不正是大数据(足够的英文)+人工智能(是否是英文)吗!?**\n\n14. 单表替换加密(Mono-Alphabetic Substitution)\n\n - 思想:将每个字母以任意方式映射到一个不同字母\n - 优点:密钥空间足够大 $\\approx 2^{88}$。如何计算的?\n - 缺点:是什么?怎么改进?\n - 明文`abcdefghijklmnopqrstuvwxyz`\n - 密文`XEUADNBKVMROCQFSYHWGLZIJPT`\n - 明文`tellhimaboutme` ,密文是什么?\n\n15. 利用统计模式来攻击\n\n 1. 将密文中字母的频率制表,得到每个密文字母的频率\n 2. 与英文文本中字符频率比较(英文文本中字母频率)\n 3. 猜测频率最高的字母对应e,如此猜测其他字母\n 4. 挑选“合理的”明文,但并不简单\n\n16. 一个密文例子,人眼很难看出个所以然来\n\n17. 一个频率分析的例子\n\n - 计数,猜,试错\n\n18. 一个频率分析出的明文,《金甲虫》小说片段\n\n19. 维吉尼亚(多表移位)加密 (Vigenere (poly-alphabetic shift) Cipher)\n\n - 思想:通过将明文中相同字母的不同出现映射到密文中不同字母,以此抹平密文中统计分布。\n - 加密:$c_i=m_i+k_{[i\\bmod t]}$, $t$ 是 $k$ 的长度(周期)\n - 密码分析:\n - 需要发现 $t$;这曾经很难。\n - 若 $t$ 已知,则需要知道解密是否“合理”,但当$t > 15$时,蛮力破解 ($26^t$) 不可行;因为密钥中每一个字母都是移位加密的密钥,可以用重合指数来一个一个字母猜密钥。\n\n20. Kasiski的方法(寻找周期 $t$)\n\n - 多表移位加密在2百多年内未被有效破解,直到...\n - 识别出长度2或3的重复模式,猜想这些重复应该是由于相同的明文片段被相同密钥片段加密的结果;\n - 那么,假设密钥中没有重复模式,则这些重复出现之间的距离应该是密钥长度 $t$ 的倍数;\n - 那么,假设明文中重复模式是随机的,则密钥长度 $t$ 是所有重复出现间距离的最大公约数;\n - 但重复出现也可能是巧合,有没有更有效的方法?\n\n21. 重合指数法(寻找周期 $t$)\n\n - 对于 $\\tau = 1, 2, \\dotsc$ 作为猜测的周期,$c_1, c_{1+\\tau}, c_{1+2\\tau}, \\dotsc$,是密文中以$\\tau$为固定间隔的字符集合;\n\n - $q_i$ 是该字符集合中第 $i$ 个字母出现的概率,计算该以$\\tau$为固定间隔字符集合的重合指数等于\n\n $$ I_\\tau \\overset{\\text{def}}{=}\\sum_{i=0}^{25} q_i^2 $$\n\n - 若 $\\tau = t$, 那么 $I_\\tau \\approx ?$ \n\n - 通过遍历 $\\tau$ 来寻找 $t$, 若 $\\tau = t$, 则使用了同一个密钥的移位加密所得到的密文 $c_1, c_{1+t}, c_{1+2t}, \\dotsc$,其中相同的明文字母被映射为相同的密文字母,因此,重合指数$I_\\tau$与明文的相同。\n\n - 否则, 认为固定间隔字符集中字符的概率都是相同的,$q_i \\approx \\frac{1}{26}$ 并且\n\n $$ I_\\tau \\approx \\sum_{i=0}^{25} \\left(\\frac{1}{26}\\right)^2 \\approx 0.038 $$\n\n - 此时,假设所挑选出的密文是由明文字母被某个密钥中随机的字母映射所得到的,还假设密钥足够长且其中字母足够多样,则密文中每个字母出现是充分随机的,即出现概率为1/26,(在完美保密部分会进一步学习)。\n\n - 确定周期后,再次使用重合指数法寻找密钥中每个位置 $i$ 的字符 $k_i$.\n\n - 古典密码学最终都被破解说明一个道理:\n\n - 任意敌手原则 (Arbitrary Adversary Principle):对于一类具有指定能力的敌手们,对于其中任意一个敌手,安全必须被确保。换句话说,安全与否只考虑敌手能力,不受敌手具体策略左右。\n\n22. 密码分析(作业)\n\n - 在COA下,对密文的需求与密钥空间规模有关。多表移位 > 单表替换 > 移位\n - 在KPA下,很容易破解。\n - 通过古典密码学到的教训:\n - 充分密钥空间原则\n - 设计加密方案是一项艰巨的任务\n - 复杂性不意味着安全\n - 任意敌手原则\n - 从上述古典密码学历史中可以认识到一个道理:从提出一个加密方案,到被该方案被破解,再到针对破解方法提出一个新加密方案,这种“打补丁式”的路线难以保证安全。那么,我们该如何研究密码学呢?\n - 凯撒无密钥,增加密钥得到移位密码\n - 移位密码密钥空间太小,增加替换变化程度得到单表替换\n - 单表替换中字母频率不变,增加位置因素得到多表替换\n - 多表替换中周期间隔的字母频率不变,怎么改造?\n\n23. 现代密码学原则:定义,假设,证明\n\n 1. 安全和威胁模型的严格定义的形式化\n 2. 当一个加密方案的安全依赖于无法证明的假设时,这个假设必须被精确地描述并且尽可能地小\n 3. 加密方案应该带有一个基于以上定义和假设对安全性的严格证明\n\n24. 原则1,对精确定义的形式化\n\n - 如何形式化私钥加密的安全?\n - 已知密文,没有敌手能够找到密钥, $\\mathsf{Enc}_k(m)=m$\n - 没有敌手能够找到与密文所对应的明文,$\\mathsf{Enc}_k(m)=m_{0}\\| \\mathsf{AES}_k(m)$,其中$m_0$表示第一个比特\n - 没有敌手能够确定与密文所对应的明文中任意字符,$m=1000$, 但有人能知道 $ 800 < m < 1200$\n - 没有敌手能够从密文中获得关于明文的任何有意义的信息,但如何定义“有意义”?\n\n25. 原则1,如何定义\n\n - 根据图灵对计算的定义,需要直觉,证明定义等价,用该定义来解决例子。\n - 后面将学习很多密码学相关定义,大家体会。\n\n26. 原则2,依赖于精确的假设\n\n - 大多数密码学构造不能够被无条件的证明安全。\n - 换句话说,当假设为真,则构造安全。\n - 假设需要验证,方案需要比较,证明需要假设。\n - 简单,低级的假设容易被研究,拒绝和修正。\n\n27. 原则3,安全性的严格证明\n\n - 安全性需要否定式证明,如何证明没有人能破解?如何证明“地球上没有龙”?\n - 规约法(Reduction):给定假设X很难是真,则根据定义构造Y是安全的。\n - 证明:将难题X的问题规约到破解Y的问题。\n - 这里X中每个问题都是难题,假设其无法解决。\n - 规约的意思是,可以将每个X中的问题转换为一个破解Y的问题,并且若一个破解Y的问题有答案,则可以由此答案构造一个对X中该问题的解。这里试图证明对Y的破解问题比X中问题要难。假设X中问题无法解决,而破解Y比X中问题还难,则破解Y也不可能。\n\n28. 总结\n\n - 密码学保护信息、事务和计算安全\n - Kerckhoffs原则,开放密码学设计\n - 凯撒、移位、单表替换、多表替换\n - 蛮力,字母频率,Kasiski方法,重合指数(IC)\n - 充分密钥空间原则\n - 任意敌手原则\n - 严格证明安全\n\n \n\n " }, { "path": "notes-Chinese/10 密码学协议动物园.md", "content": "# 10 密码学协议动物园\n\n1. 本节学习密码学协议。这些协议以之前学习的密码学知识为基础实现了一些“奇妙”的事情!\n2. 动物园地图\n - 密码学协议种类繁多,应用广泛。\n3. 目录:略\n4. 协议:\n - **通信协议**是为了一个特定目的的数字消息格式与交换规则的形式化描述\n - 协议之于通信,如算法之于计算\n - 每个人必须知道并同意服从协议\n - 无歧义:每个步骤必须被明确定义且无误解的可能\n - 完备性:对每个可能的情况都必须有一个明确的行为\n - 密码学协议:除了上述属性,还应该不可能比协议中说明的做的更多或者知道的更多\n5. 协议类型\n - 仲裁协议:一个仲裁者是一个公正的可信第三方,帮助完成协议\n - 审判协议:一个法官是也是一个公正的可信第三方。与仲裁者不同,其不直接参与协议,而是来审判协议是否正确执行\n - 自强制协议:最佳的协议类型。协议本身保证公平性。\n - 例子:两人平分蛋糕协议。先分蛋糕的人后选。\n6. 对协议的攻击\n - 被动攻击:攻击者不影响协议,例如窃听\n - 主动攻击:攻击者更改协议以获得优势\n - 作弊者:攻击者是协议中的一方\n - 被动作弊者:按照协议执行,但试图获得比协议所设定的更多的信息\n - 主动作弊者:在协议进程中干扰协议来作弊\n7. 三次传递协议\n - 目的:两方之间无共享密钥下的保密通信\n - 类比:两人同一个箱子来传递一个秘密,该箱子可以上锁\n - 第一步,Alice将秘密放进箱子里,并上一把只有Alice自己有钥匙的锁,发送给Bob\n - 第二步,Bob收到箱子后,也无法打开箱子;在箱子上又上一把只有Bob自己能打开的锁,并发送给Alice\n - 第三步,Alice收到箱子后,打开自己之前上的锁,并发送给Bob;Bob收到箱子后打开自己上的锁,得到秘密\n - 这个方案需要加密方案具有一个性质:$\\mathsf{Dec}_{k_1}(\\mathsf{Enc}_{k_2}(\\mathsf{Enc}_{k_1}(m))) = \\mathsf{Enc}_{k_2}(m)$;用两个密钥分别加密两次后,用任意一个密钥解密,得到另一个密钥加密的密文\n - Shamir协议:$p$ 是一个素数,生成 $e,d$ 满足$\\gcd(e,p-1)=1$ 并且 $ed \\equiv 1 \\pmod{p-1}$;加密$c = m^e$,满足上面的性质。\n - 弱点:中间人攻击,也叫水桶小队攻击。\n - Alice并不能确定和其通信的真的是Bob本人,Bob也不能确定对方是Alice。中间人攻击可以伪装成双方,与双方分别进行三次传递协议,与双方分别传递一个秘密,而双方并不知情。中间人可以获得Alice发给Bob的秘密,也可以伪造一个秘密发给Bob。\n8. 中间人攻击\n - 在一个新场景,通信双方交换彼此公钥并传递密文,也存在一种中间人攻击。攻击者与受害双方分别独立建立连接,并且在双方之间中继消息,使得双方以为在和彼此通信。\n - 敌手在中间用自己的密钥来执行协议,交换后的明文没有变化,而Alice和Bob都无法发现他们实际上是在于攻击者通信。\n9. 互锁协议\n - 介绍一种抵御上面的中间人攻击的方法,并不需要对双方身份进行鉴别。\n - 这是由Ron Rivest和Adi Shamir提出的,思路是将两个要交换的密文分成两部分,分别先交换密文的一半,然后再交换另一半。\n - 敌手收到一半密文后,因为没有得到整个密文,无法用自己的密钥解密的原本的明文,无法传递密文的一半。如果敌手自己产生一个明文,加密并发送,那么就无法最终令诚实方收到原本的消息。与其他身份鉴别方案结合,可以发现攻击者。\n10. 双线性映射\n - 三个循环群之间存在一个关系,称为双线性映射(也叫双线性配对):两个群中两个元素的对可以被有效映射到第三个群中的元素。前两个群是同一个群,其中的两个元素$aP$和$bP$可以被有效映射到第三个群中的元素$P^{ab}$。由此,得到$G_1$中一对元素$aP$和$bP$与另一对元素$P$和$abP$将映射到$G_2$中的同一个元素。\n - 定理:若映射是有效的,则在$G_1$中的判断式DH问题,即给定$aP$和$bP$,判定一个元素是否是$abP$,就是一个容易的问题,因为可以判断一对元素$(P,cP)$是否映射到$e(P,P)^{ab}$。\n - Weil和Tate配对是两个常用的双线性映射,其中$G_1$是椭圆曲线群,$G_2$是有限域。\n11. Jounx密钥交换协议\n - Jounx的一轮、三方密钥协商协议,其中Alice计算密钥$e(bP, cP)^a = e(P, P)^{abc}$;\n - 双线性DH(BDH)假设:给定$\\left$,计算$e(P, P)^{abc}$是难题;\n - 定理:给定BDH假设,Jounx协议是安全的。\n12. 基于身份的加密\n - IBE:不使用数字证书来实现公钥分发,直接用接收方的ID作为公钥,例如,直接用接收方的email地址作为其公钥。需要一个可信第三方来协助,即密钥生成中心KGC;\n - 接收方从KGC获得自己私钥;发送方需要预先获得KGC的公钥,但不再需要接收方的数字证书。\n - 优点:TTP在生成用户的私钥后可以被去掉,不需要PKI来分发密钥\n - 弱点:单点失效,隐式的密钥托管\n13. Boneh-Franklin的IBE方案\n - 由Boneh和Franklin两人在2001年提出的IBE方案。\n - KGC负责产生一个全局公钥$sP$和私钥$s$,并为用户$A$生成一个私钥$d_{A} = sH_1(A)$\n - 用户私钥由KGC私钥和其身份得到\n - 加密:$\\mathsf{Enc}(sP, A, m) = \\left< rP, m\\oplus H_2(e(H_1(A), sP)^r)\\right>$,$c = (u, v)$\n - 用户公钥由KGC公钥和其身份得到\n - 解密:接收方从KGC获得其私钥$d_{A} = sH_1(A)$,并解密$\\mathsf{Dec}(d_{A}, u, v) = v \\oplus H_2(e(d_A, u)).$ \n - 根据私钥无法获知$s$,因为这是一个离散对数问题\n - 正确性:$e(d_A, u) = e(sH_1(A), rP) = e(H_1(A), P)^{sr} = e(H_1(A), sP)^r$\n14. 盲签名\n - 签名者在看不见消息的情况下对消息签名;\n - 类比隔着一个信封对一个文件盖一个钢印,然后打开信封,文件上有钢印;\n - Chaum的盲签名方案:\n - Alice将消息加密后发给签名者,类比于将文件装进了信封;\n - 签名者对密文签名,类比于隔着信封盖钢印;\n - Alice将加密消息的签名处理后得到原消息的签名,发送给Bob,类比于打开信封,发送带钢印的文件。\n15. 群签名\n - 群签名是一种签名方案,一组人中某一个人的签名可以被公开验证是这组人中的某一个人签的,但不能确认到底是谁签的。这组人中有一个组长,他可以确认并证明是谁签的。\n - 有效性:群成员的签名可被验证有效;\n - 不可伪造:只有群成员可以进行有效签名;\n - 匿名性:不知道具体是谁签的;\n - 可追踪:群主可以知道是谁签的;\n - 不可关联:不能判断两个签名是否是同一个人签的;\n - 可开脱:不能伪造其他成员的签名,可以证明不是自己签的;\n - 一个简单的群签名方案:组长负责生成所有公私钥对,并发给每个组员一对。使用一个未被使用过的私钥来签名,并用所有公钥来验证。这个方案满足以上性质。\n16. 环签名\n - 环签名是一种特殊的群签名,但其中不需要组长,并且无法确认到底是谁签的。\n - 基于双线性映射可以实现环签名。签名者用其他人的公钥和自己的私钥来签名,验证时需要使用所有人的公钥。\n17. 秘密分享\n - 一个秘密在一组人中共享,每个人持有秘密的一部分,但当手里的秘密的份数没有达到某个阈值的时候,没有人能还原秘密;而当秘密的份数达到了某个阈值时,可以还原出秘密。\n - 例子,一个三维空间中的一个点,可以被分解为三个面;\n - 例子,中国剩余定理中将秘密分解为各个素数的群中元素;\n18. Shamir的秘密分享\n - 利用一个线性多项式来分享秘密。秘密是该多项式中常数项,每一份秘密是该多项式的一个点。一个$t$次多项式,至少需要$t+1$个点来确定常数项,即秘密。\n - 例子,将一个2次多项式中的秘密分成6份,至少用3份可以恢复秘密。敌手如果有两个小秘密(两个点),但至少有3个未知数,包括$a_1$、$a_2$和$m_1 - m_2$,因此无法求解出任何未知数。\n - 优点:实现了信息论的安全\n - 缺点:每份秘密的正确性无法验证\n19. 门限密码学\n - 在一个(t, n)门限加密方案中,需要至少n个参与方中的t个小秘密才可以解密密文或签名消息。\n - 利用Elgamal加密方案可以实现一个门限加密方案。采用Shamir的秘密分享方案令私钥 $s = \\Sigma_i s_i\\cdot \\lambda_i$ ,其中$s_i = f(i)$是小秘密;$\\lambda_i$ 是拉格朗日系数,是公开信息;并且公开发布 $h_i = g^{s_i}$ 。\n - 其中,公开$h_i$是用于后面验证秘密持有者持有小秘密$s_i$,即一个离散对数问题的解,并且用这个小秘密来对密文进行解密;\n - 加密:按照普通的Elgamal加密方案加密$(c_1, c_2) = (g^y, h^y \\cdot m)$,$y$为新的随机数;\n - 解密:秘密持有者 $i$用自己的小秘密来解密,输出 $d_i = c_1^{s_i}$ 和一个关于 $\\log_gh_i = \\log_{c_1} d_i$ 的零知识证明(后面会介绍);\n - 这里秘密持有者利用自己的小秘密来实现解密,但不泄漏小秘密;同时,证明自己是秘密持有者;\n - 解密出消息 $ m = c_2/\\Pi_i d_i^{\\lambda_i} $,因为$c_2/\\Pi_i d_i^{\\lambda_i} = c_2/\\Pi_i c_1^{s_i\\cdot \\lambda_i} = c_2/c_1^{\\Sigma_i s_i\\cdot \\lambda_i} = c_2/c_1^s=m$。\n20. 承诺方案\n - 互联网上掷硬币:利用哈希函数实现对承诺的绑定(binding),即信息和承诺一一对应,承诺后不能改变信息;和隐藏(hiding),即承诺本身不泄漏信息;\n - 掷硬币并对结果做出承诺:随机选择一个比特$b$为掷硬币结果,将$h = \\mathsf{Hash}(b\\|r)$作为承诺发送给对方;其中,$r$为随机串;这个承诺具有绑定和隐藏的功能;\n - 收到承诺的一方给出自己猜测的结果;此时,仍不知道实际结果,但条件是哈希函数需要隐藏信息;\n - 掷硬币一方揭示结果,由于抗碰撞性质,只能揭示$b\\| r$,否则会被对方利用收到的承诺来识破;\n21. 零知识证明\n - 一种交互式证明,其中证明方成功说服验证方:证明方知道某事,但同时除了该陈述外,不泄漏任何其他信息\n - 完备性:如果陈述是真的,那么诚实的验证方可以被诚实的证明方说服\n - 有效性:如果陈述是假的,那么没有作弊的证明方可以说服诚实的验证方\n - 存在性:如果单项函数存在,则存在对任意NP问题的零知识证明\n - 西格玛协议:分三轮:声明(承诺),挑战,响应\n22. 一个玩具例子\n - 有一个环形山洞,山洞有一个入口,从A和B两条路可以进入洞内;在内部有一个魔法门,魔法门可以用一个咒语开启\n - Alice知道开启魔法门的咒语,并想向Bob证明,步骤分三步:\n - 声明(承诺):Alice随机选择一条路进入山洞内部并藏起来,Bob不知道Alice的选择;Bob站在洞口\n - 挑战:Bob向洞内大喊:“请从A/B方向出来”\n - 响应:根据Bob的挑战和Alice当时进入山洞的选择,Alice可以利用咒语开启魔法门,或者直接从洞中出来\n - 以上游戏重复多次,如果Alice的次次都通过挑战,那么Bob可以相信Alice知道咒语\n - 为什么这是零知识证明?\n - 表面的原因:这个游戏中对Bob有意义的唯一知识——魔法门咒语,Bob始终不知道\n - 更本质的原因:知道魔法门咒语和读心术(Alice预知验证者Bob给出挑战)之间不可区分\n23. 汉弥尔顿环路的零知识证明\n - 汉弥尔顿环路是一个NPC问题:给定一个图,给出一个经过所有节点一次的环路。证明者知道一个图的汉弥尔顿环路;\n - 声明(承诺):首先,证明者将图重新做标记:将节点重新编号,并构造邻接矩阵(行列表示节点,两点之间有连接时置1,否则置0);将原节点编号和新编号对应关系(N个箱子,N为图中节点数量)以及新邻接矩阵(N*(N-1)/2个箱子)加密,全部发送给验证者\n - 挑战:验证者从两个挑战问题中随机选择一个,一是打开被加密消息中所有箱子,以揭示其与原图是同一个图;二是打开被加密的邻接矩阵中一个汉弥尔顿环路,但不打开原节点编号和新编号对应关系的箱子\n - 第一个挑战可以令验证者确认证明者的确对图做重新标记\n - 第二个挑战可以令验证者确认证明者的确知道一个环路,但泄漏给验证者答案\n - 响应:证明者根据挑战,或者揭示所有箱子,或者揭示一个汉弥尔顿环路\n - 零知识:知道汉弥尔顿环路和预知挑战问题之间不可区分\n24. 零知识证明和承诺\n - 模拟范式:当一件事Y本来就可以从X得到,那么通过Y并不会从X额外获得什么;这个范式用于保证验证者不会通过证明过程额外知道其他知识;\n - 在关于是否知道RSA私钥的零知识证明中,验证者给一个密文C后,让证明者给出对应明文M,来验证证明者知道私钥\n - 当没有承诺协议时,验证者可能在不知道明文M时直接给出一个密文C,而证明者返回的消息M令验证者额外知道了M;\n - 当加入承诺后时,证明者在给出M之前,先给出对M的承诺,即不泄漏M,又对后面给出的M作出承诺;在验证者提供M后,证明者知道验证者已经知道M了,根据上面的模拟范式可知,之后验证者获得的M对于验证者也不是新信息。\n25. Schnorr协议\n - 之前在数字签名中学习过的Schnorr身份认证协议就是一个对离散对数问题的零知识证明\n - 知道离散对数的解和预知挑战之间不可区分\n26. 破解RSA能力的零知识证明\n - 知道RSA问题的解和操纵挑战c之间不可区分\n27. 健忘传输\n - 健忘传输:发送者不知道信息是否被传递\n - 社会学家百万富翁问题:判断两个数(各自的工资)是否相同,但不暴露工资(如果两人相同,则知道对方工资)\n - **1** Bob准备4个有锁的建议箱(上面有投递口)并标记上工资数额\n - **2** Bob销毁所有建议箱的钥匙,除了那个标记为他自己工资的箱子的钥匙\n - **3** Alice将“YES”的纸条放进标记为她自己工资的箱子中,将“NO”的纸条放进其他箱子中\n - **4** Bob打开标记他自己工资的箱子,可以(也可以不)将纸条与Alice分享\n - 健忘传输:Alice一共发送了4个消息,但不知道Bob得到其中哪一个消息\n28. Rabin的健忘传输协议\n - Alice向Bob发送消息,但不知道Bob是否可以解密并获得该消息\n - 1 Alice将消息$m$用RSA加密后发送给Bob,内容为$N, e, m^e \\mod N$\n - 2 Bob将一个随机的二次剩余发送给Alice,内容为$x^2 \\mod N$\n - 3 Alice求$x^2$的平方根$y$,这是本身是一个难题;由于Alice可以分解$N$,所以可计算出来,并将$y$发送给Bob\n - 4 如果$y \\neq ± x$,Bob可以计算出$m$,即得到消息\n - 这个方案的原理在于,当$y \\neq ± x$时,$y^2 - x^2 = 0$且$(y-x)$或$(y+x)$中有$N$的因子,Bob可以利用$\\gcd(y-x,N)$将$N$分解,并计算出解密密钥$d$;由于每个二次剩余有四个根,因此,Bob有1/2的机会分解$N$并得到消息;但是,Alice并不知道$y \\neq ± x$是否成立,也就不清楚Bob是否能得到消息\n29. 二选一健忘传输\n - 二选一健忘传输:发送者发送了两个消息,知道接收者收到了两个消息中的一个,但不知道具体是哪一个;接收者只能随机地收到两个消息中的一个\n - 1 Alice将公钥和两个随机数发送给Bob,内容为$N, e, x_0, x_1$\n - 2 Bob随机生成一个比特$b$和一个随机数$k$,计算$v = x_b + k^e$并发送给Alice\n - 3 Alice尝试计算$k$,$k_0 = (v - x_0)^d$,$k_1 = (v-x_1)^d$,其中有一个是$k$,但Alice不知道是哪个;接着,将消息$m_0$和$m_1$分别用$k_0$和$k_1$加密得到$k_0 + m_0$和$k_1 + m_1$,发送给Bob\n - 4 Bob用$k$从中解密出一个消息$m_b$\n30. 安全多方计算\n - 一群人用大家的输入共同计算一个函数,但保留各自输入的隐私\n - 密码学家午餐问题:一群密码学家在饭后判断是否有人买单,但不知道每个人是否买单;至多有一个人买单,如果买单,则输入为1,否则为0,这是一个布尔或的多方安全计算问题\n - 密码学家围坐在一个圆桌,相邻的人共同协商一个比特的秘密\n - 每个密码学家喊出一个消息:三个比特的异或值,包括自己是否买单的一个比特,和相邻的人协商的两个比特\n - 这一步使得每个密码学家是否买单是保密的,相邻的人也无法推测出来\n - 最后,每个人将所有密码学家喊出的消息异或,就得到了一个布尔或;如果结果为1,则说明有人买单;否则,还没有人买单;\n - 这是因为相邻的人协商的秘密都出现了2次,异或为0;每个人自己是否买单的比特都出了1次,当至多有一个1时,其“异或”结果与“或”的结果相同\n31. 同态加密\n - 两个密文操作后,得到新密文;新密文解密后得到对应两个明文操作后的结果,即$\\mathsf{Dec}_{sk}(c_1\\circ c_2)=m_1\\circ m_2$.\n - Elgamal加密方案是乘法的同态加密方案\n - Pailier加密方案是加法的同态加密方案\n - 应用:投票,计票,但不暴露投票内容\n - 第一个支持加法和乘法的完全同台加密方案在2009年由Craig Gentry提出\n32. 端到端投票系统\n - 端到端投票系统\n - 投票:投票到投票机\n - 张贴:将票公开到公告烂\n - 计票:根据公告栏由选举官计票\n\n - 安全目标\n - 端到端可验证性:任何投票者确信按意愿投票,按投票来张贴,按张贴来计票\n - 隐私:没人知道投了什么票,甚至投票者也无法说服其他人她投了什么票;隐私意味着抗强迫!\n33. 三票投票法\n - 原理:按行选,按列投\n - 每个投票者投三张票,每行是一个候选人,每列是一张票。每行做1或2个标记,选谁就做2个标记,不选谁就做1个标记。不能不做,也不能做3个标记。\n - 每张票有唯一的ID。所有票公布在PBB上。\n - 投票者将任意一张票的拷贝作为收据带回家。收据用对照PBB做完整性检查。\n - 是否是安全的端到端投票?\n34. 量子密码学\n - 利用量子物理学规律的密码学\n - 量子物理学规律:超态,相干,纠缠,不可测\n35. 量子密码学现状\n - 并未证明量子计算机比经典图灵机强\n - 有多项式时间的算法用量子计算机解决难问题:整数分解,离散对数\n - 一些问题还没有多项式时间量子算法,例如NPC问题,一些单项函数求逆,对称加密和MAC\n36. 量子密钥分发\n - BB84 QKD,由**Bennett和Brassard (1984)**发明,利用光子偏振状态来在公开信道上传递消息,并可以发现窃听者\n - 利用光子偏振的方向来表达信息,分为+和x两种基(Basis),其中\n - +: 竖线表示0,横线表示1\n - x:撇表示0,捺表示1\n - 用与制备基相同的测量基来测量,则得到原始光子偏振方向;否则,得到随机的方向\n - 首先,Alice产生随机比特串,并用随机生成的一组制备基来产生相应的带偏振的光子,发送给Bob\n - 然后,Bob产生随机测量基来测量光子偏振,得到一个比特串\n - 最后,Alice和Bob公开自己的制备基和测量基,将使用了相同基处理和得到的部分比特串作为密钥的一部分;为了检查是否有人窃听,也就是在传递信道中对光子偏振测量;Alice和Bob分配公开一段相同基下得到的比特串,如果相同说明中间没有人窃听;如果敌手窃听,则会影响量子传输过程,光子被其他的基测量后会改变偏振方向,从而被监测发现\n37. 总结:克拉克三定律之一:任何足够先进的技术和魔法是不可区分的。\n\n\n\n" }, { "path": "notes-Chinese/2 完美保密.md", "content": "# 完美保密加密\n\n1. 在本节课程中,我们学习信息论意义上的安全——完美保密。完美保密的安全在信息论上是无需前提假设的,但其存在实践上的局限性,是完美中的不完美。本节将学习若干“等价”的完美保密定义,从中体会看似不同的定义却存在相同的本质,并且体会理解对同一个概念,从不同的角度去定义,对理解和应用这个概念是至关重要的。\n\n2. 目录\n\n3. 回顾加密词法\n\n - 以小写字母表示一个具体值,用花体字母表示一个集合,用大写字母表示随机变量\n\n - 密钥,明文,密文分别为$k \\in \\mathcal{K}, m \\in \\mathcal{M}, c \\in \\mathcal{C}$.\n - 密钥生成,加密算法,解密算法分别为$k \\gets \\mathsf{Gen}, c:= \\mathsf{Enc}_k(m), m:= \\mathsf{Dec}_k(c)$.\n - 加密方案: $\\Pi = (\\mathsf{Gen}, \\mathsf{Enc}, \\mathsf{Dec})$.\n - 随机变量: $K, M, C$ 对应密钥,明文,密文.\n - 概率: $\\Pr[K=k], \\Pr[M=m], \\Pr[C=c]$,随机变量为某一个具体值的概率\n\n4. 完美保密(**Perfect Secrecy**)定义\n\n - 直觉:**一个加密方案是安全的,那么敌手在获得密文后,密文应该对敌手猜测明文没有任何帮助。**敌手是知道明文本来的概率分布,例如,敌手知道明文是一个真或假问题的答案:真、假,并且知道两种答案的概率。敌手也知道加密方案。敌手要根据密文确定明文中的答案。如果加密方案是安全的,则密文应该对敌手猜测答案没有任何效果。\n\n - 换句话说,根据密文来猜测答案和不知道密文猜测答案对敌手来说是一样的。从概率的角度看,在获得密文后的某个明文后验似然(posteriori likehood)应该与该明文被发送的先验概率(priori probability)没有差别。\n\n - 定义:在$\\mathcal{M}$上$\\Pi$是完美保密的,若对于$\\mathcal{M}$上的任意概率分布, $\\forall m \\in \\mathcal{M}$ 与 $\\forall c \\in \\mathcal{C}$ , 且 $\\Pr[C = c] > 0$:\n\n $$ \\Pr[M=m | C=c] = \\Pr[M=m]. $$\n\n - 上面的公式表示,给定密文的条件下,明文的概率分布与预先知道的相同,即知道密文对猜测明文没有帮助。\n\n - 下面看一个例子,这个方案是完美保密的吗?For $\\mathcal{M}=\\mathcal{K} = \\{ 0,1 \\} , \\mathsf{Enc}_k(m)= m \\oplus k$. 这里的$\\oplus$是异或。\n\n - 尽管这个方案看起来很简单(可能是最简单的),但答案是肯定的,是完美保密。下面我们来证明。\n\n5. 一比特上的完美保密\n\n - 这里假设$\\mathcal{M}$上的概率分布是$\\Pr[M=1] = p$和$\\Pr[M=0]= 1-p$,计算$ \\Pr[M=1 | C=0] $。\n - 这里的例子个与课件不同的,课件上是计算$ \\Pr[M=1 | C=1] $\n - 注意:加密事件逻辑是从明文和密钥得到密文,而不是相反的。\n \n - 根据贝叶斯定理:\n \n $$ \\Pr[M=1 | C=0] = \\Pr[C=0 | M=1] \\cdot \\Pr[M=1] / \\Pr[C=0]$$ \n \n $$ = \\Pr[M \\oplus K =0 | M=1] \\cdot p / (\\Pr[C=0 | M=1] \\cdot \\Pr[M=1]+\\Pr[C=0 | M=0] \\cdot \\Pr[M=0]) $$\n \n $$ = \\Pr[1 \\oplus K = 0] \\cdot p / (\\Pr[1 \\oplus K = 0] \\cdot p +\\Pr[0 \\oplus K = 0] \\cdot (1-p)) $$\n \n $$ = \\frac{1}{2} p / (\\frac{1}{2}p + \\frac{1}{2}(1-p)) = p = \\Pr[M=1]$$\n \n - 注意:$\\Pr[1 \\oplus K = 0] = \\frac{1}{2} \\neq \\Pr[M=1, C=0] = p \\cdot \\frac{1}{2}$\n \n - 这里需要理解到,只要密钥是均匀随机的,密文的概率分布不受明文的概率分布的影响(注意密文不独立于明文,而是由明文和密钥一起决定的),密文不会携带明文的统计模式,从而安全。\n \n6. 完美保密定义的等价公式\n\n - 在完美保密加密方案中,密文的先验概率等于其后验概率,即$ \\Pr[C=c | M=m] = \\Pr[C=c]$。\n - 这个从之前例子中可以体会到,无论是什么明文被加密,密文出现的概率不变。\n - 从右到左证明:\n - 两边同时乘以$\\Pr[M=m]/\\Pr[C=c]$,得到\n - $ \\Pr[C=c | M=m] \\cdot \\Pr[M=m] / \\Pr[C=c] = \\Pr[M=m]$\n - 应用贝叶斯定理,左边等于 $ \\Pr[M=m | C=c] \\cdot \\Pr[C=c] / \\Pr[C=c] = \\Pr[M=m | C=c]$\n - 得到完美保密定义:$\\Pr[M=m \\| C=c] = \\Pr[M=m]$\n - 从左到右证明略。\n - 从另一个方向思考,在完美保密中,密文出现概率根据明文概率分布和密钥概率分布以及加密算法可以预先计算。给定任意明文,对加密结果的预期与预先计算结果是一样。\n\n7. 完美不可区分性(**Perfect Indistinguishability**)\n\n - $\\Pr[C=c | M=m_0] = \\Pr[C=c | M=m_1]$\n - 在完美保密加密方案中,任意两个明文加密后为相同密文的概率是相同的。换句话说,无论用什么明文,加密后得到相同密文的概率是相同的。证明见幻灯片。\n - 不可区分是什么意思?任意明文加密成某个密文的概率都相同,攻击者无法区分出密文是由哪个明文加密得到的,具体见后面的窃听者不可区分实验。\n\n8. 一次一密(**One-Time Pad (Vernam’s Cipher)**)\n\n - 将明文以比特串的形式与相同长度的密钥按位异或得到密文。解密时将密文与密钥按比特异或得到明文。这种加密方案称为“一次一密”。\n - 是一种完美保密的加密方案,道理和前面给出的一个比特异或加密的例子一样。证明见幻灯片。\n - 问题:除了一次一密,还有没有其它实现完美保密的方案?\n\n9. 完美保密的局限性\n\n - 很容易观察到一次一密加密方案中密钥需要和明文一样长,难以存储和分享。把比特串长度换一个表达方式,换成比特串数量——比特串所构成空间的规模,意味着密钥数量需要和明文数量一样多。\n - 那如果密钥长度比明文短,或者说密钥数量比明文少,能否实现完美保密?答案是否定的。要实现完美保密一定需要密钥空间大于等于明文空间,即$|\\mathcal{K}| \\ge |\\mathcal{M}|$。\n - 采用反证法证明,假设密钥数量比明文数量少$|\\mathcal{K}| < |\\mathcal{M}|$,则不可能实现完美保密。\n - 将从一个密文$c$解密得到的所有明文集合,表示为$\\mathcal{M}(c) \\overset{\\text{def}}{=} \\{ \\hat{m} | \\hat{m} = \\mathsf{Dec}_k(c)\\ \\text{for some}\\ \\hat{k} \\in \\mathcal{K} \\}$。\n - 对于一个密钥$k$,最多有个一个明文$m$使得$m = \\mathsf{Dec}_k(c)$。这是因为如果有多个明文的话,就根本不是一个加密方案。\n - 因此,从一个密文解密出来的明文数量不会超过密钥数量,也就不超过明文总数: $|\\mathcal{M}(c)|\\le |\\mathcal{K}| < |\\mathcal{M}|$.\n - 那么,一定存在一个明文$m'$是无法由$c$解密出来的,即 $\\Pr[M=m'|C=c] = 0 \\neq \\Pr[M = m']$。因此,不是完美保密。\n - 尽管有这个局限性,但一次一密也可以用在实践中,例如美国和苏联之间的“Red line”。\n\n10. 二次加密:真实世界案例\n\n - $ c\\oplus c'=(m\\oplus k)\\oplus (m'\\oplus k)=m\\oplus m'. $ \n - 如果一个密钥用了两次,那么敌手会得到两次明文的异或值,这显然不是完美保密了,而且根据异或值结合之前学习的自然语言统计模式分析可以破解出明文。\n - 一个例子真实世界例子是,在MS-PPTP协议中,通信双方采用同一个密钥来加密双向相互发送的两个消息。\n - 改进方法是双方各两个方向(分别作为源和目的)的通信使用不同的密钥。\n\n11. 香农定理(**Shannon’s Theorem**)\n\n - 前面的完美保密相关定义的可操作性不高,原因是不容易直接获得明文概率分布。香农定理使得完美保密的可操作性得到了很大提高。\n - 当明文空间、密钥空间和密文空间规模相同时,加密方案是完美保密的,当且仅当满足两个条件:\n - (1)每个密钥是从密钥空间中均匀随机生成的;\n - (2)对于任意明文和密文对,存在唯一的密钥使得该明文加密成该密文。\n - 证明见幻灯片。\n\n12. 香农定理的例题\n\n - 请根据香农定理来分析。这里从更通用的形式来了解一次一密。\n - **讲义中通常不给出例题答案**\n\n13. 窃听不可区分实验(**Eavesdropping Indistinguishability Experiment**)\n\n 这里引入**密码学中最重要的思想实验**:存在一个挑战者,挑战敌手不能破解加密方案,并配合敌手做一个实验。\n\n 1. 敌手根据自己的策略选择两个不同的长度相同的明文,并发送给挑战者;\n\n 2. 挑战者随机挑选其中一个明文,并新生成一个密钥,用加密方案来加密选中的明文,得到密文(称为一个挑战),并将密文发送给敌手;\n 3. 敌手根据收到的密文,猜测哪一个明文被加密了。如果猜对了,则敌手在这次实验中成功。\n\n 实验中的一个重点在于实验可重复足够多次。每次实验中挑战者都是生成新的密钥。\n\n14. 敌手不可区分(**Adversarial Indistinguishability**)\n\n - 下面给出一个新的完美保密的定义:对于完美保密的加密方案,在窃听不可区分实验中,任意敌手成功的概率等于1/2。\n - 1/2是敌手采用瞎猜策略时成功的概率。因此,完美保密也意味着任意敌手在实验中不会获得比瞎猜更好的结果,或者说敌手获得密文后也不会比瞎猜策略获得更大的优势。后面还会反复学习这一概念。\n - 直觉理解为什么是敌手不可区分是一个完美保密的等价定义:\n - 无论明文如何分布,也无论敌手如何挑选两个明文,在实验中由挑战者随机二选一,明文空间缩减为二,每个明文被选中的概率为1/2。\n - 如果加密方案是完美保密的,则敌手获得密文后猜测明文的后验似然也是1/2。\n - 如果加密方案不是完美保密的,则意味着敌手可以利用某个明文和密文获得比瞎猜更大的优势,则敌手成功的概率不等于1/2。\n - 例题:其中$\\|$表示比特串连接,LSB表示最低有效位(the least significant bit)。如果你觉得是完美保密,请指出其和一次一密的关系;否则,请说明在不可区分实验中敌手如何成功。\n\n15. 总结\n\n - 完美保密 = 完美不可区分 = 敌手不可区分\n - 知道密文对猜测明文没有帮助\n - 给定明文对推测密文没有帮助\n - 任意明文加密成某个密文的概率是相同的\n - 完美保密是可获得的。一次一密。\n - 香农定理(可操作的完美保密)" }, { "path": "notes-Chinese/3.1 私钥加密与伪随机性-第一部分.md", "content": "# 私钥加密与伪随机性 第一部分\n\n1. 在本节课程中,我们学习计算安全下的私钥加密和伪随机性的第一部分。我们会学习一个完整的现代密码学研究过程,从定义到假设,再到一个密码学方案,最后使用规约法来证明其安全性。\n\n2. 目录:密码学的计算方法论,计算安全加密的定义,伪随机性,规约法,构造安全的加密方案\n\n3. 计算安全思想\n\n - 完美保密局限性在于密钥需要很长,而且如果密钥不够长,则不能达到完美保密。Kerchhoffs提出另一个原则:**一个加密方案如果不是数学上,那必须是实践上不可破解的。** 不同于在完美保密部的信息论上的安全,计算安全放松了安全条件来追求实践中的安全,使得密钥相对于明文可以很短。\n - 计算安全:\n - 敌手在**可行的时间**内运行,破解密码的时间是有限的\n - 敌手以**非常小的概率**成功,能成功但可能性很小\n\n4. 放松条件的必要性\n\n 为什么相对于完美保密,要放松对安全的需求。考虑之前的不可区分实验,\n\n - 为了对抗蛮力攻击,需要限定敌手的能力;因为只要给了充足的时间来遍历$|\\mathcal{K}|$,蛮力攻击一定会成功;\n - 为了对抗随机猜测,需要允许小到可忽略的**(negligible)**成功概率;因为瞎猜也有$1/|\\mathcal{K}|$概率成功;\n\n5. 具体法与渐进法\n\n - 具体法:限定时间和成功的概率为具体值;一个加密方案是$(t,\\varepsilon)$-安全的,如果对任意敌手以时间 $t$ 运行,成功破解方案的概率最多是 $\\varepsilon$。\n - 具体法的问题是缺乏规律性,无法描述密钥长度、时间和成功概率之间的关系。\n - 渐进法:计算复杂性理论使用是与输入规模$n$有关的函数来表示时间或空间复杂性。例如,快速排序算法的时间复杂性是$O(n\\cdot \\log n)$,其中$n$是问题的规模,这里是排序元素的个数。\n - 具体法和渐进法的区别之一是,一个是点,一个是线。\n\n6. P=NP?\n\n - 如何定义“可行的时间”和“非常小的概率”?答案来自计算复杂性理论,理论上认为一个搜索问题(例如,获得密钥)是相对简单的,如果解决该问题算法的时间复杂性为问题规模参数$n$的多项式;而需要非多项式(包括指数)时间复杂性来解决的问题是难以被实际解决的。\n - 在计算复杂性理论中,问题可分为两类:\n - 一类可解的问题,称为P(polynomial time)问题,是指能够在问题规模的多项式时间内由确定性图灵机解决的问题;\n - 另一类包含P问题的更大范围的NP(nondeterministic polynomial time)问题,不能确定是否在多项式时间内可以解决,但能够在多项式时间内验证一个答案是否正确的问题;尽管理论上用非确定性图灵机可在多项式时间解决,但非确定性图灵机还无法实现;\n - 在NP问题中,包含一类相似的难题,尚未找到多项式时间算法,但这些问题中的一个若被解决了,则其它也能被解决,称为NP完全问题(NP-Complete);与NP完全问题一样难或更难的问题,称为NP难问题(NP-Hard);\n - 科学家们相信NP问题集合不同于P问题集合,在NP问题中有一些难题无法在多项式时间内解决,即P$\\neq$NP;\n - 在一部穿越电视剧《天才基本法》中,一个情节是:P=NP被证明真成立。\n - 加密与计算复杂性:1955年,约翰·纳什在其给NSA的信中说,他猜测破解一个复杂的代码需要密钥长度指数的时间。如果如此,则意味着P$\\neq$NP,因为解决问题所需时间不是多项式的,而验证答案是多项式的。\n - 因此,将多项式时间认为是“可行的时间”,而非多项式的指数时间被认为是“不可行的”;\n - 非常小的概率定义为,比任何多项式分之一都小。\n\n7. 有效的计算\n\n - 一个算法是多项式时间的(polynomial time),如果存在一个多项式使得对于任意输入,算法都在该多项式步骤内结束。\n - 一个算法可以在多项式时间内以任何多项式时间算法作为子例程来运行;\n - 概率(probabilistic)算法有“掷硬币”的能力。其中,随机数生成器应该是为密码学用途来设计的,而不是C语言里的`random()`。相反地,没有随机性的算法就是确定性的;\n - 开放问题:概率性的敌手比确定性的敌手更强大吗?$\\mathcal{P} = \\mathcal{BPP}$ (限定错误的概率多项式)?\n\n8. 可忽略的成功概率\n\n - 一个函数$f$是可忽略的,若对于任意多项式$p(\\cdot)$,存在一个$N$使得对于所有整数$n>N$,$f(n) < \\frac{1}{p(n)}$。\n\n9. 渐进方法(Asymptotic)\n\n - 根据上面的基础,采用渐进方法来定义安全,所谓“渐进”是指不研究一个参数固定的问题的复杂性,而是研究时间复杂性随着问题参数$n$的变化而变化的规律;\n - 问题X(破解加密方案)是难的,若X不能由任何多项式时间算法以时间$t$解决,除非以可忽略的概率$\\varepsilon$;\n - $t$和$\\varepsilon$都描述为安全参数$n$(通常是密钥长度)的函数;\n - 注意:安全是对足够大的$n$值来说的;\n - 例如,例子中随着$n$的增加,破解的复杂性随密钥空间指数增加,加密方案更难破解。\n\n10. 定义私钥加密方案\n\n - 回顾私钥加密相关定义\n\n11. 窃听不可区分实验\n\n - 在窃听不可区分实验中,敌手和挑战者之间进行一个思维实验。敌手根据安全参数产生两个相同长度的不同消息,并发送给挑战者;挑战者根据安全参数生成密钥,并对随机选择的一个消息进行加密,将挑战密文发送给敌手。敌手输出一个比特,来表示对被加密消息的猜测,若猜对,则实验成功。\n - 一个敌手$\\mathcal{A}$与一个挑战者$\\mathcal{C}$进行3轮交互:\n 1. $\\mathcal{A}$选择两个长度相同、内容不同明文$m_0, m_1$,并发送给$\\mathcal{C}$;\n 2. $\\mathcal{C}$根据密钥生成算法生成一个新密钥$k$,随机生成一个比特$b$并挑选一个明文$m_b$,加密$\\mathsf{Enc}_k(m_b)$后得到挑战密文$c$,并发送给$\\mathcal{A}$;\n 3. $\\mathcal{A}$输出对所加密明文的猜测$b'$,若$b=b'$,则$\\mathcal{A}$成功;否则,失败;\n - 这与之前在完美保密中的不可区分实验类似的,区别在于本实验不是无条件的,而是输入“安全参数”,该参数将作用于安全定义。窃听不可区分实验既用在了信息论安全定义,也用在了计算安全定义,这就在两者之间建立了联系。\n12. 私钥加密安全定义\n\n - 一个加密方案在出现窃听者时是不可区分加密,若对于任意概率多项式时间的敌手,存在一个可忽略函数,使得不可区分实验成功概率与1/2相比(两者间的差异)是可忽略的。\n - 其中,多项式时间和可忽略都是对于“安全参数”的函数。\n13. 理解不可区分性的定义\n\n - 一次一密方案在出现窃听者时是否是不可区分的?\n - 若一个敌手一直在实验中失败,该方案是安全的吗?\n - 在两个连续窃听不可区分实验中,使用同一个密钥的概率有多大?\n - 若从密文中猜测到消息中最低比特的概率是3/4,该方案是安全的吗?\n - 若从密文中猜测到消息中最低3个比特的概率是3/8,该方案是安全的吗?\n- 相关性:$X$和$Z$的分布不可区分,$Y$和$Z$的分布不可区分,那么$X$和$Y$的分布是不可区分的吗?\n14. 语义安全(semantic security)\n\n - 之前在导论部分有一个问题:如何定义不泄漏“meaningful”的信息。下面引入语义安全的概念来解决这个问题。\n - 直觉:没有关于明文的任何有意义的信息泄漏\n - 关于明文的信息用明文的函数来表示,$h(m)$表示敌手预先了解的关于明文的外部信息,$f(m)$表示敌手希望获取的关于明文的有意义的信息\n - 定义:加密方案是窃听者出现时**语义安全的**,如果对于任意敌手,任意明文分布,任意函数$f$和$h$,一个敌手根据密文和$h(m)$获得$f(m)$,另一个敌手只根据$h(m)$获得$f(m)$,这两个敌手成功的概率之间的差异是可以忽略的\n - 定理:一个私钥加密方案是窃听者不可区分的,当且仅当该方案是语义安全的。\n - 证明略。直觉上,从右到左:若敌手能够在不可区分实验中成功(不是不可区分的),则意味着根据密文获得了关于区分明文的某些信息(不是语义安全);反之,若敌手能够获得关于明文的某些信息(不是语义安全),那么可以利用这些信息来区分明文(不是不可区分的)。\n15. 伪随机性概念(Pseudorandomness)\n\n - 回顾之前完美保密的局限性,密钥长度需要和明文一样长才安全;计算安全中放松了安全的定义,那密钥能不能短一些,或者说能不能放松对随机性的要求,产生足够长但不完全随机的密钥?下面我们来学习伪随机性概念。\n - 真随机性不能由一个可描述的机制产生。这里的“可描述的机制”显然是不包括“掷骰子”,而是指确定性的机制;\n - 伪随机对于不知道其机制的观察者来说看起来是真的随机;\n - 一个固定的字符串谈不上是否随机/伪随机,随机/伪随机指的是产生字符串的**过程**;\n - 问题:能否绝对地证明随机性?不能,因为我们可能是不知道其机制的观察者。\n16. 区分器(Distinguisher):统计测试\n\n - 一类判断是否随机的务实的方法是,从一个随机生成器中得到多个随机序列并进行一套统计测试。\n - 例如,序列中0和1的数量之差不应该太大,最大连续0的长度不应该太长等等。\n - 伪随机性意味着**下一比特不可预测**(next-bit unpredictable),通过所有下一比特测试等且仅当通过所有统计测试。(这是姚期智的贡献)\n - 问题是难以确定多少测试才足够?\n17. 定义伪随机性的直觉\n\n - 直觉:从一个短的真随机种子生成一个长的随机串,这个伪随机串与真随机串是不可区分的。\n - 这是不是和图灵测试类似?\n - 区分器输入一个比特串,输出1位比特。*注意:该比特不一定表示输入的串是否是随机的。*\n18. 伪随机生成器**(Pseudorandom Generator)**定义\n\n - 一个确定性的多项式时间算法$G : \\{0,1\\}^n \\to \\{0,1\\}^{\\ell(n)}$是一个伪随机生成器(PRG),如果:\n - 延展:$\\forall n, \\ell(n) > n$。只有生成更长的串才有意义,否则可以直接从种子中复制一段输出;\n - 伪随机:对于任意PPT区分器$D$,$\\left|\\Pr[D(r)=1] - \\Pr[D(G(s))=1]\\right| \\le \\mathsf{negl}(n)$。其中,$r$是随机的,种子$s$随机的,$\\ell(\\cdot)$是延展因子。这里的意思是输出不同结果的概率差可以忽略,如果有一个区分器始终输出1,则两个概率都是1,差为0;另外,输出1并不需要表示特定含义,改成输出0也可以。\n - 存在性:若单向函数存在或$\\mathcal{P} \\ne \\mathcal{NP}$,则PRG存在。后面我们会进一步学习。\n19. 真实案例\n\n - C语言的`random()`\n - Netscape早期版本的漏洞https://people.eecs.berkeley.edu/~daw/papers/ddj-netscape.html\n- 从这两个例子可以看出来,输出都是可预测的。\n20. 关于PRG的一些问题\n\n - 利用下一比特不可预测,还有PRG的不可区分实验定义可以解决这些问题。\n21. 充分种子空间\n\n - 稀疏输出:当扩展因子为$2n$时,在长度为$2n$的串中只会产生$2^{-n}$。\n - 蛮力攻击:给定无穷的时间,通过枚举所有种子来产生所有串,能以较高的概率区分出伪随机串。\n - 充分种子空间:种子必须长来抵抗蛮力攻击。\n22. 不充分的随机性\n\n - 2008年,为了避免一个编译警告,Debian的一个发布版本中误删了一行代码,引起OpenSSL中关于随机生成器的漏洞。\n23. 规约法(**Reduction**)\n\n - 规约法是将一个问题A变换为另一个问题B。变换的意思可以理解为,A可以通过解决B来解决。\n - 规约$A \\le_m B$:$A$可规约为B,如果B的解存在并且给定该解时A可解,其中$m$表示映射规约;这里可以将规约理解为A对B的子函数调用,除了子函数B是一个黑盒,解决A的步骤都应该是明确的。\n - 解决A不能比解决B更难,因为A可以通过解决B来得到解决。\n - 例题,测量矩形面积可规约到测量矩形边长;计算一个数的平方可规约到两个数乘积,相反可以规约吗?\n24. 规约证明\n\n - 我们现在站在敌手的角色来思考,希望解决“破解”加密方案这个问题,并且在此之前我们已经知道有个一“假设”问题是不可解决的;\n - 为了证明一个加密方案$\\Pi$在假设$X$下是安全的,就是证明“破解”问题不可解。\n - 将解决“假设”$X$问题的算法$\\mathcal{A}'$规约到“破解”$\\Pi$的算法$\\mathcal{A}$。如果加密方案可以被破解,则假设问题也可以解决。然而,由于假设问题是难以解决的,这导致矛盾,说明加密方案不可以被破解。\n - 先令一个概率多项式时间的算法$\\mathcal{A}$能够以概率$\\varepsilon(n)$破解$\\Pi$ ;\n - 假设:一个问题$X$是难以解决的,即不存在多项式时间算法来解决$X$;$\\mathcal{A}'$是一个解决$X$的概率算法;\n - 规约:解决假设问题$X$可以通过破解加密方案$\\Pi$,即将$\\mathcal{A}'$规约到$\\mathcal{A}$,$\\mathcal{A}'$通过以$\\mathcal{A}$作为子函数可以以概率$1/p(n)$有效地解决问题$X$;\n - 矛盾:若加密方案可以被有效破解,即$\\varepsilon(n)$是不可忽略的,则$\\mathcal{A}'$可以以不可忽略的概率$\\varepsilon(n)/p(n)$解决问题$X$,这与假设矛盾,因而$\\varepsilon(n)$一定是可忽略的。\n25. 一个规约法证明PRG的例子\n\n - 假设$F$是PRG,证明$G$也是PRG。\n - 问题A:如何区分$F$;问题B:如何区分$G$;\n - 从A规约到B:区分$F$的算法输入按位取反后作为区分$G$的算法输入,区分$G$的算法输出作为区分$F$的算法输出。\n26. 一个规约法证明PRG的例子(续)\n\n - 由此,建立了不可区分定义中概率的联系。\n27. 一个安全的定长加密方案\n\n - $|G(k)| = \\ell(|k|)$, $m \\in \\{0,1\\}^{\\ell(n)}$, 一个PRG以长度为$n$的密钥作为种子,输出与明文相同长度的pad;\n - $\\mathsf{Gen}$: $k \\in \\{0,1\\}^n$,密钥作为种子,长度小于明文长度;\n - $\\mathsf{Enc}$: $c := G(k)\\oplus m$,加密方法和一次一密一样;\n - $\\mathsf{Dec}$: $m := G(k)\\oplus c$,解密也是;\n - 定理:该定长加密方案是窃听下不可区分的。\n - 直觉上,这个方案和一次一密是类似的,除了密钥更短并且用伪随机生成器生成的比特串来与明文异或。因为伪随机对于任何敌手都可以认为是真随机,所以对于敌手而言,该方案与一次一密是一样的。由此,我们得到了一个安全的加密方案,同时避免了一次一密的最大局限性——密钥过长。\n28. 证明不可区分加密方案\n\n - 思路:区分伪随机性为难题假设,破解加密方案为规约的子函数。针对伪随机生成器$G$的区分器$D$以$\\mathcal{A}$为子函数,使得当$\\mathcal{A}$破解了$\\Pi$则$D$可以区分出$G$,与$G$的伪随机性矛盾。注意这里我们用了符号$\\tilde{\\Pi}$来表示$\\Pi$的一个变体,来刻画加密方案中可能使用了真随机串来加密;\n - 回顾针对伪随机生成器的区分器$D$的问题是,输入一个串$w$,输出一个比特;这里关键问题是输出的比特从何而来?\n - 将$D$规约到$\\mathcal{A}$。回顾窃听者不可区分实验中,$\\mathcal{A}$与一个挑战者进行3轮交互:\n 1. $\\mathcal{A}$选择两个不同明文$m_0, m_1$,并发送给挑战者;\n 2. 挑战者生成密钥,并随机挑选一个明文$m_b$加密后得到挑战密文$c$,并发送给$\\mathcal{A}$;\n 3. $\\mathcal{A}$输出对所加密明文的猜测$b'$,若$b=b'$,则$\\mathcal{A}$成功;否则,失败;\n - 区分器$D$成为窃听不可区分实验中的挑战者,特别之处在于:在第2步,不需要生成密钥,而是直接以输入串$w$作为pad来加密,$c := w \\oplus m_b$;根据$w$的两种可能,分两种情况:\n - 当$w$是由$G$生成的,即伪随机串,则$c$就是加密方案$\\Pi$中密文,$\\mathcal{A}$面对的就是$\\Pi$;\n - 当$w$是真随机串,则$c$不同于加密方案$\\Pi$中密文,而与一次一密中一样,$\\mathcal{A}$面对的就是$\\tilde{\\Pi}$一次一密;\n - 回答前面关于$D$输出什么的问题:破解加密方案的$\\mathcal{A}$成功时,$D$输出1;否则,$D$输出0。\n29. 证明不可区分加密方案(续)\n\n - 规约完毕,证明$\\mathcal{A}$在实验中成功的概率是可忽略的\n - 当$w$为真随机串$r$,就是一次一密,$\\Pr[D(r)=1] = \\Pr[\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\tilde{\\Pi}}(n)=1]=\\frac{1}{2}$;\n - 当$w$为伪随机串$G(k)$,$\\Pr[D(G(k))=1] = \\Pr[\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)=1] = \\frac{1}{2} + \\varepsilon(n)$;\n - 根据伪随机生成器定义,上下两个公式相减,$\\left|\\Pr[D(r)=1] - \\Pr[D(G(k))=1]\\right| = \\varepsilon(n) \\le \\mathsf{negl}(n)$;\n - 所以$\\varepsilon(n)$是可忽略的,即$\\Pi$是窃听者不可区分的。\n - 小结:通过规约将$\\mathcal{A}$的不可区分实验成功的概率与$D$的区分器实验输出1的概率建立等式;分析输入真随机串时$D$输出1的概率(即不可区分实验成功概率)是1/2;根据PRG的定义,输入伪随机串时$D$输出1的概率(1/2+$\\varepsilon(n)$)与输入真随机串时$D$输出1的概率(1/2)的差异时可忽略的。\n30. 处理变长消息\n\n - 对于一个变长输出的伪随机生成器,前面的加密方案和安全性都成立;这是作业,其中一个关键是条件2,短串是长串的前缀。\n31. 计算安全与信息安全\n\n - 敌手:PPT窃听者,无限算力窃听者;\n - 定义:不可区分性$\\frac{1}{2} + \\mathsf{negl}$,不可区分性 $\\frac{1}{2}$;\n - 假设:伪随机,随机;\n - 密钥:短随机串,长随机串;\n - 构造:异或pad,异或pad;\n - 证明:规约法,概率论;\n\n" }, { "path": "notes-Chinese/3.2 私钥加密与伪随机性 第二部分.md", "content": "# 私钥加密与伪随机性 第二部分\n\n1. 本节课学习另外两种私钥加密安全理论:选择明文攻击(CPA)下不可区分性、选择密文攻击(CCA)下不可区分性以及相关的密码学原语、假设、构造和证明。这些攻击更好的刻画了现实世界中敌手的能力,相应的密码学方案也是目前真正在实际使用的。\n\n2. 目录:流加密与CPA,CPA安全加密方案,操作模式,CCA安全加密方案\n\n3. 流加密方案(Stream Cipher)\n\n - 首先介绍当有多个消息需要被传递时,如何利用之前学习的基于PRG的加密方案来保护消息。\n - 思路:受一次一密方案的启发,通过将变长消息与密钥的异或来加密\n - 流加密方案:通过将多个消息“拼成”一个消息,与伪随机的比特流(密钥流)异或来加密\n - 密钥流:由一个变长的伪随机生成器产生\n - 优点:逻辑简单,比分组密码更快\n - 缺点:难以做到安全\n \n4. 采用流加密方案的安全多重加密\n\n - 同步模式:用一个流中不同部分分别加密各个消息;\n - 异步模式:以密钥和初始向量一起作为输入来产生流,每个明文的加密采用相同的密钥和不同的初始向量\n - **初始向量(Initial Vector)**,$IV$是随机选取的并且是公开的;其生成是随机的并不受控制,但生成后并不保密;密钥的生成是随机的并不受控制,但生成后也要保密。\n - 两种模式差异:\n - 同步模式适合持续通信场景,例如语音;异步模式适合间断通信场景,例如即时消息。\n\n5. 流密码的安全性\n\n 1. 现状:没有标准化和流行的方案,安全性仍有疑问,例如在802.11中WEP协议的RC4,线性反馈移位寄存器(Linear Feedback Shift Registers);\n 2. 警告:不要使用任何流加密方案,如果一定需要的话,采用由分组加密方案构造的。\n 3. eStream项目致力于设计安全的流密码\n\n6. 相关密钥:真实世界例子\n\n - 用于多重加密的密钥(初始向量和密钥对)必须是独立的。否则,前面的攻击就会生效;\n - 对于802.11b WEP的若干攻击:\n - WEP为异步模式,$\\mathsf{Enc}(m_i) := \\left< IV_i, G(IV_i\\|k) \\oplus m_i\\right>$\n - $IV$长度为24比特,在$2^{24} \\approx$ 16M 帧后$IV$会产生重复;\n - 在一些WiFi网卡上,在电源重启后$IV$重置为0;\n - $IV_i = IV_{i-1} + 1$. 对于RC4,在40,000帧后可以恢复 $k$ ;\n\n7. 多重加密(Multiple Encryptions)\n\n - 在一次一密中,一个密钥不可以用于对多个消息的加密;否则,就是不安全的。如果敌手能够获得用同一个密钥加密后的多个密文,则之前的方案都是不安全的;为此,我们需要新的加密方案来防御这样的攻击。\n - 多个明文的加密实验$\\mathsf{PrivK}^{\\mathsf{mult}}_{\\mathcal{A},\\Pi}(n)$,当一次加密多个明文时,窃听者敌手能够区分出两组明文吗?\n - 一个敌手$\\mathcal{A}$与一个挑战者$\\mathcal{C}$进行3轮交互:\n 1. $\\mathcal{A}$选择两个长度相同、内容不同明文向量$\\vec{M}_0=(m_0^1,\\dots,m_0^t)$, $\\vec{M}_1=(m_1^1,\\dots,m_1^t)$,其中两个向量中同一位置的明文长度相同$\\forall i, |m_0^i| = |m_1^i|$,发送给$\\mathcal{C}$;\n 2. $\\mathcal{C}$根据密钥生成算法生成一个新密钥$k \\gets \\mathsf{Gen}(1^n)$,一个随机比特$b \\gets \\{0,1\\}$。对向量$\\vec{M}_b$中每个明文加密 $c^i \\gets \\mathsf{Enc}_k(m_b^i)$ 得到一个密文向量 $\\vec{C}=(c^1,\\dots,c^t)$ ,并发送给$\\mathcal{A}$;\n 3. $\\mathcal{A}$输出对所加密明文向量的猜测$b'$,若$b=b'$,则$\\mathcal{A}$成功;否则,失败;\n - 这与之前的单个消息不可区分实验类似的,区别在于*用同一个密钥加密的多个消息*。敌手可以获得多个明文的密文,比单个明文不可区分实验中的敌手有更强的能力。\n\n8. 多重加密安全定义\n\n - $\\Pi$ 是**窃听者出现时不可区分的多重加密方案**,如果任意PPT的敌手$\\mathcal{A}$, 存在可忽略的函数$\\mathsf{negl}$ 使得\n\n $ \\Pr\\left[\\mathsf{PrivK}^{\\mathsf{mult}}_{\\mathcal{A},\\Pi}(n)=1\\right] \\le \\frac{1}{2} + \\mathsf{negl}(n).$\n\n - 根据这个定义,来分析迄今学习的密码学方案是否是多重加密不可区分的?\n\n9. 攻击确定性加密方案\n\n - 问题:如果一个加密方案中加密算法是确定性的,即同一个明文会被同一个密钥加密成同一个密文,那么该加密方案是多重加密安全的吗?\n - 攻击:对于确定性加密方案,敌手可以构造$m_0^1 = m_0^2$ 并且 $m_1^1 \\neq m_1^2$,然后当$c^1 = c^2$,输出 $b'=0$,否则 $b'=1$。\n - 因此,确定性加密方案不是多重加密安全的,我们需要新的密码学原语来防御多重加密攻击。接下来,我们介绍一种更强的攻击,其涵盖了多重加密攻击。只要防御了这个新定义的攻击,也就同时防御了多重加密攻击。\n\n10. 选择明文攻击(**Chosen-Plaintext Attacks (CPA)**)(思考)\n\n - 敌手具有获得其所选择明文对应的密文的能力。\n\n - 第二次世界大战中的例子:美国海军密码分析学家相信密文“AF”表示日语中的“中途岛”;但美国将军不认为中途岛会遭到攻击;美国海军密码分析学家发送了一个明文,中途岛淡水供给不足;日本军队截获的明文,并发送了一段密文,“AF”淡水不足;美国军队派出三艘航空母舰并且取胜。\n\n - 这里例子里,美国海军密码分析学家选择了明文并得到了密文。\n\n\n11. CPA安全实验\n\n - CPA不可区分实验 $\\mathsf{PrivK}^{\\mathsf{cpa}}_{\\mathcal{A},\\Pi}(n)$:\n 1. 挑战者生成密钥 $k \\gets \\mathsf{Gen}(1^n)$;(这里与窃听者不可区分实验相比,密钥的生成提前了,这是为了下一步提供加密预言机)\n 2. $\\mathcal{A}$ 被给予输入 $1^n$ 和对加密函数 $\\mathsf{Enc}_k(\\cdot)$的**预言机访问(oracle access)** $\\mathcal{A}^{\\mathsf{Enc}_k(\\cdot)}$ ,输出相同长度 $m_0, m_1$ ;\n 3. 挑战者生成随机比特 $b \\gets \\{0,1\\}$,将挑战密文 $c \\gets \\mathsf{Enc}_k(m_b)$ 发送给 $\\mathcal{A}$;\n 4. $\\mathcal{A}$ 继续对 $\\mathsf{Enc}_k(\\cdot)$的预言机的访问,输出$b'$;如果$b' = b$,则$\\mathcal{A}$成功$\\mathsf{PrivK}^{\\mathsf{cpa}}_{\\mathcal{A},\\Pi}=1$,否则 0。\n - 敌手对加密函数预言机访问是指,敌手以任意明文作为输入,可以从预言机得到对应密文。此处,密钥是已经提前生成的,因此才能通过加密函数预研机得到密文,但仍对敌手保密。预言机是一个形象的比喻,它是一个黑盒,只接收输入并返回输出;访问者不需要了解其内部构造。\n - 该实验与窃听者不可区分实验的区别在于,敌手可访问加密预言机,在实验过程中始终可以,包括在产生两个明文阶段,以及在收到挑战密文后猜测被加密明文阶段,获得任意明文被同一密钥加密的密文;而且密文是逐个获得,可以根据之前的明文和密文对来“适应性地”构造新的查询。\n - CPA敌手比多重加密的敌手更“强大”,因为多重加密敌手是可以一次性地获得一组密文,而CPA敌手可以根据已经获得的明文和密文“多次适应性地”再次获得密文。\n\n12. CPA安全\n\n - $\\Pi$ 是CPA不可区分加密方案 (CPA安全的),如果任意概率多项式时间算法$\\mathcal{A}$,存在可忽略的函数$\\mathsf{negl}$使得,\n\n $ \\Pr\\left[\\mathsf{PrivK}^{\\mathsf{cpa}}_{\\mathcal{A},\\Pi}(n)=1\\right] \\le \\frac{1}{2} + \\mathsf{negl}(n)$\n\n - 定理:CPA安全也是多重加密安全的。证明略。直觉上,CPA敌手比多重加密敌手更强大。\n\n - 之前的方案也难以实现CPA安全;\n\n - 多重加密安全意味着CPA安全?(作业)显然是否定的。那么,思考两种安全定义的区别成为解题的关键。\n\n13. 伪随机函数(**Pseudorandom Function**)概念\n\n - 为了实现CPA安全,之前的PRG提供的随机性不够用了,需要新的数学工具为加密提供额外的随机性。为此引入伪随机函数(PRF),是对伪PRG的泛化:PRG从一个种子生成一个随机串,PRF从一个key生成一个函数;\n - 带密钥的函数**Keyed function** $F : \\{0,1\\}^* \\times \\{0,1\\}^* \\to \\{0,1\\}^*$ \n - $F_k : \\{0,1\\}^* \\to \\{0,1\\}^*$, $F_k(x) \\overset{\\text{def}}{=} F(k,x)$\n - 两个输入到一个输出,看上去像,但不是加密函数;输入key,得到一个一输入到一输出的函数;\n - 查表**Look-up table** $f$: $\\{0,1\\}^n \\to \\{0,1\\}^n$ 需要多少比特信息存储? \n - 查表是一个直接描述输入与输出间映射的表格,一个条目对应一个输入与一个输出;当该映射是随机产生的,是一个真随机函数;\n - 函数族**Function family** $\\mathsf{Func}_n$: 包含所有函数 $\\{0,1\\}^n \\to \\{0,1\\}^n$. $|\\mathsf{Func}_n| = 2^{n\\cdot2^n}$\n - 一个PRF是函数族中一个子集,key确定下的PRF是函数族中一个元素,一个查表是函数族中一个元素;\n - 长度保留**Length Preserving**: $\\ell_{key}(n) = \\ell_{in}(n) = \\ell_{out}(n) = n$;密钥长度与函数输入、输出长度相同为$n$;没有特殊说明时,只讨论长度保留的函数;\n\n14. 伪随机函数定义\n\n - 直觉上,一个PRF生成的带密钥的函数与从函数族中随机选择的真随机函数(查表)之间是不可区分的;然而,一个真随机函数具有指数长度,无法“预先生成”,只能“on-the-fly”(边运行、边生成)的使用,引入一个对函数$\\mathcal{O}$的确定性的预言机访问(oracle access)$D^\\mathcal{O}$。\n - 这里的预言机是一个抽象的函数。访问预言机,就是给出任意输入,得到该函数的输出。访问预言机的能力不包括了解正在访问的预言机具体内部构造。\n - 一个带密钥的函数是一个伪随机函数(PRF),对任意PPT区分器$D$,$\\left|\\Pr[D^{F_k(\\cdot)}(1^n)=1] - \\Pr[D^{f(\\cdot)}(1^n)=1]\\right| \\le \\mathsf{negl}(n)$,其中$f$是$\\mathsf{Func}_n$中随机函数。\n - 这里区分器$D$是一个算法,可以访问预言机,但并不知道预言机背后是什么。\n - 这里不可区分性关键是,对真随机查表和伪随机函数,区分器输出相同结果概率的差异。区分器输出1或0本身没有,也无需,有特定语义。\n - PRF和PRG的关系在后面会学习,可以由PRG来构造PRF。\n\n15. PRF例题\n\n - 问题一个固定长度的一次一密方案是一个PRF吗?\n - 对于一个PRF,在密钥保密和没有预言机访问时,给指定输入,能以不可忽略的概率猜测输出相关信息吗?\n - 如果是PRF,则给出该函数与查表的相似性;否则,给出一个区分器可以区分出该函数不是随机的。\n\n16. 以PRF实现CPA安全\n\n - 新随机串 $r$,每次新生成一个随机串;\n - $F_k(r)$: $|k| = |m| = |r| = n$. 长度保留;\n - $\\mathsf{Gen}$: $k \\in \\{0,1\\}^n$.\n - $\\mathsf{Enc}$: $s := F_k(r)\\oplus m$, $c := \\left$. 密文包括两部分新随机串,以及异或输出;\n - $\\mathsf{Dec}$: $m := F_k(r)\\oplus s$. \n - 定理:上述方案是CPA安全的。\n\n17. 从PRF到CPA安全的证明\n\n - 思路:从PRF的区分器算法$\\mathcal{D}$规约到加密方案敌手算法$\\mathcal{A}$,区分器$\\mathcal{D}$作为敌手$\\mathcal{A}$的挑战者,敌手$\\mathcal{A}$实验成功时区分器$\\mathcal{D}$输出1。分两种情况,当输入真随机函数$f$时,相当于一次一密;当输入伪随机函数$F_k$时,为加密方案。\n - 规约:$\\mathcal{D}$输入预言机,输出一个比特;$\\mathcal{A}$的加密预言机访问通过$\\mathcal{D}$的预言机$\\mathcal{O}$来提供,$c := \\left$;$\\mathcal{D}$输出1,当$\\mathcal{A}$在实验中成功。\n - 这里有两个预言机:$\\mathcal{D}$访问的预言机$\\mathcal{O}$,$\\mathcal{A}$访问的加密预言机$\\mathsf{Enc}_k$,后者不能直接访问前者的预言机。\n\n18. 从PRF到CPA安全的证明(续)\n\n - 考虑真随机函数$f$的情况,分析不可区分实验成功概率$\\Pr[\\mathsf{PrivK}_{\\mathcal{A},\\tilde{\\Pi}}^{\\mathsf{cpa}}(n) = 1] = \\Pr[\\mathsf{Break}]$。敌手$\\mathcal{A}$访问加密预言机可以获得多项式$q(n)$个明文与密文对的查询结果并得到随机串和pad$\\{ \\left< r_i, f(r_i) \\right> \\}$;当收到挑战密文$c=\\left$时,根据之前查询结果中随机串是否与挑战密文中随机串相同,分为两种情况:\n - 当有相同随机串时,根据$r$可以得到$f(r_c)$,$m_b=f(r_c)\\oplus s$,但这种情况发生的概率$q(n)/2^n$是可忽略的;\n - 当没有相同随机串时,输出是随机串,相当于一次一密,成功概率=1/2;\n\n - $ \\Pr[D^{F_k(\\cdot)}(1^n)=1] = \\Pr[\\mathsf{PrivK}_{\\mathcal{A},\\Pi}^{\\mathsf{cpa}}(n) = 1] = \\frac{1}{2} + \\varepsilon(n). $\n - $ \\Pr[D^{f(\\cdot)}(1^n)=1] = \\Pr[\\mathsf{PrivK}_{\\mathcal{A},\\tilde{\\Pi}}^{\\mathsf{cpa}}(n) = 1] = \\Pr[\\mathsf{Break}] \\le \\frac{1}{2} + \\frac{q(n)}{2^n}. $\n - $\\Pr[D^{F_k(\\cdot)}(1^n)=1] - \\Pr[D^{f(\\cdot)}(1^n)=1] \\ge \\varepsilon(n) - \\frac{q(n)}{2^n}.$ 根据伪随机函数定义,$\\varepsilon(n)$ 是可忽略的.\n - 小结:通过规约将$\\mathcal{A}$的不可区分实验成功的概率与$D$的区分器实验输出1的概率建立等式;分析输入真随机函数预言机时$D$输出1的概率(即不可区分实验成功概率)是1/2+一个可忽略函数;根据PRF的定义,输入伪随机函数预言机时$D$输出1的概率(1/2+$\\varepsilon(n)$)与输入真随机函数预言机时$D$输出1的概率(1/2)的差异时可忽略的。\n\n19. CPA安全例题\n - $\\mathsf{Enc}_k(m) = PRG(k\\|r) \\oplus m $, $r$ 是新的随机串。这是CPA安全的吗?\n - 从PRF到CPA安全:变长消息\n - 对于任意长度消息 $m = m_1, \\dots , m_{\\ell}$,$ c := \\left< r_1, F_k(r_1) \\oplus m_1, r_2, F_k(r_2) \\oplus m_2, \\dots, r_\\ell, F_k(r_\\ell) \\oplus m_\\ell\\right> $\n - 推论:如果$F$是一个 PRF,那么 $\\Pi$ 对任意长度消息是 CPA 安全的。\n - 问题:这个方案有什么缺点?\n - 有效性: $|c| = 2|m|$. 密文长度是明文长度的二倍,并且需要大量的真随机串。\n20. 伪随机排列(**Pseudorandom Permutations**)\n\n - 为了提高对任意长度消息加密的效率,以及更高级的加密基础工具,学习伪随机排列PRP的概念;\n\n - 双射 **Bijection**: $F$ 是一到一的(一个输入对应一个唯一输出)且满射(覆盖输出集中每个元素);\n\n - 排列 **Permutation**: 一个从一个集合到自身的双射函数;\n\n - 带密钥的排列 **Keyed permutation**: $\\forall k, F_k(\\cdot)$是排列;类似带密钥的函数;\n\n - $F$ 是一个双射 $\\iff F^{-1}$ 是一个双射;函数和逆函数都是双射;\n\n - 定义:一个有效的带密钥的排列 $F$ 是PRP,如果对于任意PPT的区分器$D$,\n\n $ \\left|\\Pr[D^{F_k(\\cdot),F_k^{-1}(\\cdot)}(1^n)=1] - \\Pr[D^{f(\\cdot),f^{-1}(\\cdot)}(1^n)=1]\\right| \\le \\mathsf{negl}(n) $\n\n - 问题:一个PRP也是一个PRF吗?\n\n21. PRP例题\n\n - 对1比特的PRP、PRF的分析;\n - 交换引理:如果 $F$ 是一个 PRP 并且 $\\ell_{in} (n) \\ge n$,那么 $F$ 也是一个 PRF。\n - 一个随机排列和一个查表是不可取分的,PRP和随机排列不可取分,因此,PRP和查表是不可取分的。\n\n22. 操作模式概念(**Modes of Operation**)\n\n - 操作模式是使用PRP或PRF来加密任意长度消息的方法;\n - 操作模式是从PRP或PRF来构造一个PRG的方法;\n - 将一个消息分成若干等长的块(分组,block),每个块以相似方式处理;\n\n23. **Electronic Code Book (ECB)** 模式\n\n - 在窃听者出现时,是否是不可区分的?\n - $F$ 可以是任意PRF吗?\n\n24. 对ECB的攻击\n\n - 为什么仍然可以识别企鹅?\n\n25. **Cipher Block Chaining (CBC)**模式\n\n - $IV$初始向量,一个新的随机串;\n - 是CPA的吗?可并行化吗?F可以是任意PRF吗?\n\n26. **Output Feedback (OFB) Mode**模式\n\n - 是CPA安全吗?可并行化吗?F可以是任意PRF吗?\n\n27. **Counter (CTR) Mode**模式\n\n - $ctr$是一个初始向量,并且逐一增加;\n - 是CPA安全吗?可并行化吗?F可以是任意PRF吗?\n\n28. CTR模式是CPA安全\n\n - 定理:如果$F$是一个PRF,那么随机CTR模式是CPA安全的。\n - 证明:其安全性与之前基于PRF的CPA安全证明类似,从PRF的伪随机假设规约到CPA安全加密方案。其中,对$ctr$的安全性直觉在于,$ctr$也是在加密前不可预测的,且每个块所用$ctr$都是不同的;\n - 当加密预言机是由真随机查表构成时,敌手多次访问加密预言机得到的$ctr$序列与挑战密文的$ctr$序列之间有重叠的概率$\\frac{2q(n)^2}{2^n}$是可以忽略的;若没有重叠,则相当于一次一密;\n\n29. CTR模式是CPA安全(续)\n\n - 规约与之前证明基于PRF的CPA安全加密方案一样,证明过程也类似。\n\n30. 初始向量不应该可预测\n\n - 如果$IV$是可预测的,那么CBC/OFB/CTR模式不是CPA安全的。\n - 为什么?(作业)\n - 在SSL/TLS 1.0中的漏洞:记录$\\#i$的$IV$是上一个记录$\\#(i-1)$的密文块。\n - OpenSSL中API:需要用户输入$IV$,但$IV$应在函数内实现。当$IV$不充分随机时不安全。\n\n31. 非确定性加密\n\n - 有三种通用的实现CPA安全的非确定性加密方法:\n - 随机化的:$r$随机生成,如构造5;需要更多熵,长密文\n - 有状态的:$r$为计数器,如CTR模式;需要通信双方同步计数器\n - 基于Nonce的:$r$只用一次;需要保证只用一次,长密文\n\n32. 选择密文攻击 **Chosen-Ciphertext Attacks (CCA)**\n\n - CCA不可区分实验 $\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}(n)$:\n\n 1. 挑战者生成密钥 $k \\gets \\mathsf{Gen}(1^n)$;(为了下一步的预言机)\n 2. $\\mathcal{A}$ 被给予输入 $1^n$ 和对加密函数 $\\mathsf{Enc}_k(\\cdot)$和解密函数$\\mathsf{Dec}_k(\\cdot)$的**预言机访问(oracle access)** $\\mathcal{A}^{\\mathsf{Enc}_k(\\cdot)}$ 和 $\\mathcal{A}^{\\mathsf{Dec}_k(\\cdot)}$,输出相同长度 $m_0, m_1$ ;\n 3. 挑战者生成随机比特 $b \\gets \\{0,1\\}$,将挑战密文 $c \\gets \\mathsf{Enc}_k(m_b)$ 发送给 $\\mathcal{A}$;\n 4. $\\mathcal{A}$ 继续对除了挑战密文$c$之外的预言机的访问,输出$b'$;如果$b' = b$,则$\\mathcal{A}$成功$\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}=1$,否则 0。\n\n 定义:一个加密方案是CCA安全的,如果实验成功的概率与1/2的差异是可忽略的。\n\n33. 理解CCA安全\n\n - 在现实世界中,敌手可以通过影响被解密的内容来实施CCA。如果通信没有认证,那么敌手可以以通信参与方的身份来发送特定密文。下一页有具体真实案例。\n\n - CCA安全性意味着“non-malleability”(不可锻造性,即改变但不毁坏),不能修改密文来获得新的有效密文。\n\n - 之前的方案中没有CCA安全,因为都不是不可锻造。\n\n - 对基于PRF的CPA安全加密方案的CCA攻击:\n\n - $\\mathcal{A}$ 获得挑战密文 $c = \\left$,并且查询与$c$只相差了一个翻转的比特的密文$c'$,那么\n\n $m' = c' \\oplus F_k(r)$ 应该与 $m_{b}$ 除了什么之外都相同?\n\n - 问题:上述操作模式也不是CCA安全的(作业)\n\n - 由此,可以总结出CCA下敌手的常用策略:\n\n - 修改挑战密文$c$为$c'$,并查询解密预言机得到$m'$\n - 根据关系,由$m'$来猜测被加密明文$m_b$\n\n34. Padding-Oracle(填充预言机)攻击真实案例\n\n - CAPTCHA服务商为Web网站提供验证用户是否为人类的服务。为此,一个CAPTCHA服务器与Web服务器间事先共享一个密钥$k$,服务工作原理如下:\n 1. 当Web服务器验证用户是否为人类时,生成一个消息$w$并以$k$加密,向用户发送一个密文$Enc_k(w)$;\n 2. 用户将密文$Enc_k(w)$转发给CAPTCHA服务器;(可实施填充预言机攻击)\n 3. CAPTCHA服务器用密钥$k$将密文解密,根据解密结果返回给用户信息:一个由$w$生成的图像,或者坏填充错误;\n 4. 用户根据图像获得 $w$ 并将 $w$ 发送给Web服务器。\n - 在第2步,当恶意用户可以利用CAPTCHA服务器会返回给用户坏填充错误这一漏洞,来实施填充错误攻击。\n\n35. Padding-Oracle(填充预言机)攻击\n\n - 在PKCS #5 padding(填充)标准中,为了将一个消息的长度“填充”到块长度的整数倍,在最后一个块中填充$b$个字节的$b$;必要时,添加一个哑块(dummy block,不包含消息的一个填充块)。存在一种攻击手段:当填充错误时,解密服务器返回一个“坏填充错误”,这相当于提供了一个解密预言机,最终可以获得整个明文;\n - 具体攻击原理:\n - 更改密文(包含$IV$部分)并发送给解密服务器;\n - 一旦触发了“坏填充错误”,则说明对密文的更改导致了填充部分内容的更改;否则,对密文的更改导致了原明文部分的更改;\n - 通过仔细修改密文来控制填充部分,从而获得消息长度和内容。\n\n36. 填充预言机攻击:获得消息长度\n\n - 攻击的第一步判断消息是否为空:在单个块的CBC中,通过更改$IV$的首个字节,攻击者能够获知是否$m$是否为空。因为如果$m$是空的话,更改$IV$首个字节将更改解密出的填充内容,解密服务器就会返回坏填充错误(1比特信息),具体分析如下:\n - 如果$m$是空的,那么明文会添加一个哑块$\\{b\\}^b$;\n - PRP的输入为$IV\\oplus \\{b\\}^b$;设$IV$的首个字节为$x$,则PRP的输入为$(x \\oplus b) \\| (\\{\\cdot\\}^{b-1} \\oplus \\{b\\}^{b-1})$;\n - 将$IV$的首个字节从$x$改成$y$变为 $y \\| (\\{\\cdot\\}^{b-1})$,不改变$c_1$解密得到的PRP的输入不会变,而解密出的明文会改变为 $(x \\oplus y \\oplus b) \\| \\{b\\}^{b-1}$;\n - 上述明文首个字节一定不是$b$,这是填充格式错误,会触发服务器返回错误;\n - 如果上面的尝试没有触发错误,那么说明消息非空;下一步,发现消息长度是否为1字节,方法与上一步一样,区别在于只改变$IV$的第2个字节;如此继续,获得消息的长度;(作业)\n\n37. 填充预言机攻击:获得消息内容\n\n - 一旦获得消息的长度,也就知道了填充的长度$b$,采用下面的方法来获得消息的最后一个字节内容,进而获得整个消息;\n - 更改密文中倒数第二块,来获得消息的最后一个字节$s$;\n - 明文的最后一个块 $m_{last} = \\cdots s \\| \\{b\\}^{b}$,密文的倒数第二个块 $c_{last-1} = \\cdots t \\| \\{\\cdot \\}^{b} $;\n - 最后一块的PRP输入为$c_{last-1} \\oplus m_{last} = \\cdots (s \\oplus t) \\| (\\{b\\}^b \\oplus \\{\\cdot \\}^{b}) $;\n - 敌手更改 $c_{last-1}$ 为 $c_{last-1}' = \\cdots u \\| (\\{\\cdot \\}^{b} \\oplus \\{b\\}^{b} \\oplus \\{b+1\\}^{b}) $;其中,$u$是敌手猜测的某个字节;\n - 解密获得最后一块明文$m'_{last} = c_{last-1} \\oplus m_{last} \\oplus c_{last-1}' = \\cdots (s \\oplus t \\oplus u)\\| \\{ b+1 \\}^b$; \n - 如果没有返回坏填充错误,那么意味着填充了$b+1$个字节的$b+1$,所以 $s \\oplus t \\oplus u = (b+1)$ ,而 $s = t \\oplus u \\oplus (b+1) $ 。\n\n38. 总结\n\n - 略\n\n \n\n" }, { "path": "notes-Chinese/4 伪随机排列的实践构造-块密码.md", "content": "# 4 伪随机排列实践构造(块密码/分组密码)\n\n1. 本节学习如何设计一个PRP(伪随机排列)。通过一个经典的加密方案DES来学习PRP的构造和相关安全分析。此外,简要介绍当前广泛使用的AES。\n\n2. 目录:替换-置换网络、Feistel网络、DES、增加密钥长度、AES、差分分析与线性分析\n\n3. 块(分组)密码(**Block Ciphers**)\n - 块密码 $F : \\{0,1\\}^n \\times \\{0,1\\}^\\ell \\to \\{0,1\\}^\\ell$. 是一个带密钥的函数。\n \n $F_k : \\{0,1\\}^\\ell \\to \\{0,1\\}^\\ell$, $F_k(x) \\overset{\\text{def}}{=} F(k,x)$. \n \n $n$ 是密钥长度, $\\ell$ 是块长度.\n \n - 构造是启发式的,而非被证明了的;\n \n - 注意:虽然有“密码”二字,但在实践中,块密码被当作是一个PRP,而非加密方案;在之前AES的提案召集中要求,算法输出的范围应该与输入块的随机排列是不可区分的;\n \n - 方案被认为是“优秀的”,如果已知的最佳攻击具有的时间复杂性与蛮力搜索密钥大致相当\n \n - 一个$n=112$的加密方案,可以在$2^{56}$时间内被破解是不安全的;\n - 在渐进设定中,尽管$2^{\\frac{n}{2}}$是指数,但与上面的例子一样,实际可能不安全;\n \n4. 漫画\n\n - 略\n\n5. 混淆-扩散范式(**The Confusion-Diffusion Paradigm**)\n\n - 目标:构造“简洁”的看上去随机的排列;强调“简洁”的原因在于直接存储随机排列所需的空间太大,需要 $2^{n\\cdot 2^n}$ 比特;\n - 为此,香农提出了一种实现伪随机排列的方法——混淆-扩散范式;\n - 混淆:令密钥和密文的关系尽可能地复杂和难懂;一个大的随机排列$F_k(x)$可以由若干小随机排列$f_i(x_i)$来构造,将一个大输入分为若干小输入,$F_k(x) = f_1(x_1)f_2(x_2) \\cdots f_{i}(x_{i})$;\n - 扩散:在明文统计特征中的冗余性在密文统计特征被消去;其中,统计“冗余性”是指明文中一部分信息可以从密文中获得;\n\n6. 替换-置换网络(**Substitution-Permutation Network**)\n\n - 一种混淆-扩散范式的设计是替换-置换网络(SPN),如图所示:\n 1. 明文首先与密钥混合(例如,异或);进行混淆\n 2. 经过S盒的替换操作;进行混淆\n 3. 经过P盒的置换操作;进行扩散\n 4. 进入下一轮\n - 一个关键点是在结尾需要有一次密钥混淆操作,否则最后一轮替换和置换操作对于加密都是无效的;\n\n7. 设计原则1——S盒的可逆性\n\n - S盒必须是可逆的,否则块密码不是排列;这可以从SPN构造中观察到,其中密钥混合(异或)和P盒(置换)都是排列操作,为了令SPN是排列,那剩下的S盒必须是可逆的;\n - 定理:令$F$为一个带密钥的函数,该函数由一个SPN定义,其中的S盒是1对1的且满射。无论密钥生成方案和轮次,$F_k$是对于任意$k$都是一个排列;\n\n8. 设计原则2——雪崩效应(**Avalanche Effect**)\n\n - 雪崩效应:改变输入的一个比特影响输出的每个比特;\n - 严格雪崩条件:一个输入比特取补,每个输出比特都有50%的概率改变;\n - 比特独立条件:对于任意$i, j, k$,当改变一个输入比特$i$时,输出比特 $j$ 和 $k$ 应该独立改变;\n - S盒:改变1比特输入会改变至少2比特输出;\n - P盒:每个S盒的输出都被扩散到下一轮的不同S盒;\n - 问题:对于4比特的S盒,改变输入的1个比特,在经过$R$轮的SPN后,影响输出的$2^R$个比特;\n\n9. 一个针对块密码的KPA框架\n\n - KPA:知道同一密钥下的若干明文/密文对;\n - 分析步骤:\n 1. 观察明文、密文、密钥之间的关系;\n 2. 设计基于上面关系的$t$比特的测试;\n 3. 搜索$k$比特空间;一个猜测的密钥通过测试的概率为$2^{-t}$;\n 1. 这里具有一般性。\n 4. 用$p$对明文/密文对来确定密钥的期望是$2^{k-pt}$;期望足够小就可以,例如$2^{-10}$;\n - 分析16比特密钥的一轮SPN下的KPA:\n - 尽管这个例子“简单”得缺乏意义,但可以展示上述框架如何应用;\n - 之前提到的一个关键点是在结尾需要有一次密钥混淆操作,否则最后一轮替换和置换操作都是无效的。**因此,这个结构并不是一个完整的一轮SPN。在教材的第二版在这方面存在一个修正。**这里我们沿用第一版的内容,因为更容易理解,并且不影响对缩减了轮次的SPN存在弱点的分析。\n - 关系:PT $\\oplus$ Key $\\oplus$ Input-of-$S$-boxes $=$ 0;其中,根据SPN的可逆性,S盒输入可以通过密文得到;\n - 测试:$t=16$ 比特,因为Input-of-$S$-boxes $=$ PT $\\oplus$ Key;\n - 搜索:密钥空间$k=16$比特;通过测试的概率是$2^{-16}$;\n - 确定:使用$p=1$对明文/密文对来确定密钥,期望为$1$;\n\n10. 攻击轮次减少的SPN(作业)\n\n - 攻击一个1轮SPN:64比特块,128比特密钥(2个64比特子密钥),16x4比特的S盒,以及用异或来实现密钥混合;\n\n - 根据图中关系可以观察到,根据明文和密文知道的20个比特,密钥中未知的20个比特,以及4个比特来比较;\n\n - 猜测20比特密钥:第一个子密钥的16比特,第二个子密钥的4个比特;\n\n - 通过4比特测试的概率$2^{-4}$;\n\n - 需要8对明文/密文对来确定密钥使得期望小于1,期望$2^{20-4\\times 8}$;\n\n - 破解的复杂性为$8\\cdot 2^{20} \\cdot 16= 2^{27} \\ll 2^{128}$ ,其中,8是明文/密文对数,16是S盒数量(因为每次猜测只覆盖1个S盒对应的第2个子密钥中4个比特);\n\n\n11. Feistel网络\n\n - 为了构造排列,要求SPN网络中S盒是可逆的,这对S盒的设计提出了要求;那么,能不能放松对S盒设计需求,同时保留排列的?\n - Feistel网络可以满足上面的需求:从若干非可逆组件构造一个可逆函数;\n - $L_i := R_{i-1}$ 并且 $R_i := L_{i-1} \\oplus f_i(R_{i-1})$;\n - 求逆: $L_{i-1} :=\\ ?$\n - Luby-Rackoff定理:无论mangler函数$f_i{}$和轮次,对于任意$k$,$F_k$是一个排列;\n\n12. Feistel网络的例题\n\n - 问题:当输入($L_0, R_0$)是下面两个情况中之一时,一个$r$轮Feistel网络的输出是什么?\n - 每个轮函数输出都是$0$,无论输入是什么;\n - 每个轮函数输出都是一个恒等函数,即输入和输出相同;\n\n13. DES设计\n\n - 16轮的Feistel网络;64位块;56位密钥,48位子密钥 (64位密钥带有8个校验位)\n - 密钥编排: 56 bits $\\xrightarrow[\\text{left rotation, PC}]{\\text{divided into two halves}}$ 48 bits.\n - 以初始排列开始 ($IP$) 以 $IP^{-1}$ 结束;\n - 轮函数 $f$ 是一个 32位 I/O 的不可逆函数;\n - $f_i$ 由mangler函数 $\\hat{f}_i$ 和子密钥 $k_i$ 来确定;\n - $S$盒是 4 到1 函数,将6位映射为4位;\n\n14. DES算法概览\n\n - 略\n\n15. DES的Mangler函数\n\n - 略\n\n16. DES中S盒例子\n\n - 略\n\n17. 密钥编排\n\n - 略\n\n18. 弱密钥\n\n - 弱密钥:DES的密钥编排会产生相同的子密钥\n - 半弱密钥:产生两个不同的子密钥\n - 这些情况发生时,应该更换密钥\n\n19. DES编年史\n\n - DES经历了一个从成为加密标准到安全性不足、到安全性增强、到被彻底破解的历程;\n\n - [1973] NBS (NIST) 发布标准召集公告;\n - [1974] DES 在联邦政府公告发布; \n - [1977] DES 被发布为 FIPS PUB 46;\n - [1990] $2^{47}$ 个明文的CPA下差分分析; \n - [1997] DESCHALL 项目公开破解DES;\n - [1998] EFF(电子前沿基金会)的Deep Crack在56小时内花费\\$250,000破解DES;\n - [1999] 三重 DES\n - [2001] AES 在 FIPS PUB 197 发布;\n - [2004] DES标准 FIPS PUB 46-3 被撤销;\n - [2006] COPACOBANA 在9天内花费1万美元破解DES;\n - [2008] RIVYERA 在1天内破解 DES;\n - [2016] Hashcat用8块GTX 1080Ti在2天内破解DES;\n - [2017] 利用CPA攻击,针对一个特定明文在25秒内获得密钥;\n\n20. 双重加密\n\n - 为了弥补DES密钥长度不足的缺点,增强加密安全性有两种思路:从内部修改 vs. 黑盒构造;\n - 从内部修改不可行,因为即使以最小的方式修改DES,也将失去我们已经从DES获得的信心;\n - 双重加密:$y = F'_{k_1,k_2}(x) \\overset{\\text{def}}{=} F_{k_2}(F_{k_1}(x))$;\n - 密钥长度乘2会更安全吗?\n\n21. 中间相遇攻击(**The Meet-In-the-Middle Attack**)\n\n - 双重加密在**中间相遇攻击(MITM)**下并不比原本的DES更安全;\n\n - 在已知明文攻击(KPA)下,从输入方向输入一个明文,通过一次DES加密,猜测不同密钥来得到一组中间值,保存这些密钥和中间值对;从输出方向反向输入一个密文,通过一个DES解密,猜测不同密钥来得到另一组中间值,也保存这些密钥和中间值对;这两组中间值中相同的为$z_0$,相应的两个密钥$k_1$和$k_2$就可能是实际密钥。\n - $z_0 = F_{k_1}(x) = F^{-1}_{k_2}(y) \\iff y = F'_{k_1,k_2}(x)$.\n - 密钥对 $(k_1,k_2)$ 满足上面等式的概率为 $2^{-n}$;因为中间值有$2^n$中可能;\n - 这样的密钥对数量为 $2^{2n}/2^n = 2^n$;这是密钥对数量乘以满足等式的概率;\n - 用另两个明文/密文对,密钥对的期望数量为 $2^{n}/2^{2n}=2^{-n}$. 足够小,因此剩下的就是密钥!\n - $\\mathcal{O}(2^n)$ 时间复杂性并且 $\\mathcal{O}(2^n)$ 空间复杂性,这是一种典型的空间换时间的设计;\n - 可见,双重DES在时间复杂性上与DES没有区别。\n\n22. DESX(XEX模式)\n\n - 为了增强DES并对抗中间相遇攻击,DESX通过**密钥白化**来增加有效密钥长度;\n - **白化(whitening)**:一个**xor-enc-xor(XEX)**模式,用部分密钥来与输入和输出进行异或;\n - DESX:$k = (k_1,k_2,k_3), |k_1|=|k_3|=64, |k_2|=56$;\n - 加密 $y = k_3\\oplus F_{k_2}(x \\oplus k_1)$;\n - 解密 $x = k_1\\oplus F^{-1}_{k_2}(y \\oplus k_3)$;\n - 安全性:$|k|=184$,在MITM攻击下,破解所需时间 $2^{64+56}$;原因在于,为了获得中间值需要从输入或输出中一个方向猜测2个密钥;\n\n23. 三重加密(**Triple Encryption**)\n\n - 三重DES **Triple-DES (3DES)**:以连续的加密,解密,加密三个DES来加密明文,根据密钥选择分三种情况:\n - $k_1 = k_2 = k_3$: 相当于一次DES,向后兼容,即采用该方案的通信方可以与采用普通DES的通信方互相通信;\n - $k_1 \\neq k_2 \\neq k_3$: 在MITM攻击下,破解时间为 $2^{2n}$ ;这与DESX类似,某个方向需要猜测两个密钥;\n - $k_1 = k_3 \\neq k_2$: 只有两个不同密钥,用一个I/O对的破解时间为 $2^{2n}$ ; 用$2^{n}$个I/O对的破解时间为 $2^n$;\n - 安全性更强,但块长度仍然不变并且更慢;\n\n24. 高级加密标准 AES(**The Advanced Encryption Standard**)\n\n - 1997年,NIST召集高级加密标准 AES提案;\n - 2001年,J. Daemen 和 V. Rijmen设计的Rijndael成为AES;\n - AES是第一个用于绝密信息的公开可用密码;\n - 设计目标不仅包括安全,还包括有效性和灵活性等;\n - 128位块长度,128,192,或256位密钥;\n - 并非一个Feistel结构,而是一个SPN;\n - 对于减少轮次的变体只有非简单的攻击:\n - 对于 6/10轮的128位密钥,$2^{27}$ 时间;\n - 对于 8/12轮的192位密钥,$2^{188}$ 时间;\n - 对于 8/14轮的 256位密钥,$2^{204}$ 时间;\n\n25. AES概览\n\n - 动画\n\n26. SM4(思考)\n\n - 我国商用密码标准SM4是分组密码的国家标准,用于无线局域网和TLS。\n - SM4由吕述望老师主要开发,2006年解密,2012年由国家密码局发布。\n - SM1以芯片实现,和SM7用于轻量级场景,也都是对称加密方案,都保密,未公开。\n - 问题:为什么这些国密标准不公开,或者很晚才公开?\n\n27. 线性密码分析(**Linear Cryptanalysis**)\n\n - 下面内容来自于“[A Tutorial on Linear and Differential Cryptanalysis](https://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf)”\n\n - 针对DES的密码学分析的重点是分析S盒,因为S盒是DES中唯一的非线形部分,输入和输出之间关系被有意地设计成难以简单描述;线性分析就是要通过分析来寻找输入和输出之间的线性关系,从而破解加密方案;\n\n - 在输入和输出之间的线性分析:对于随机选择的输入$x$和密钥$k$,有 $y=F_k(x)$,在比特位置 $i_1, ... ,i_\\ell$ 与 $i_1', ... , i_\\ell'$ 之间存在**偏差(bias)** $p$ , 之所以称为“偏差”,是与“正常”概率$\\frac{1}{2}$相比而言;\n\n $ \\Pr [x_{i_1} \\oplus \\cdots \\oplus x_{i_\\ell} \\oplus y_{i_1'} \\oplus \\cdots \\oplus y_{i_\\ell'} = 0] = p+\\frac{1}{2}. $\n\n 线性关系就是指这些比特的异或值的统计结果与随机值之间存在偏差,**无论异或结果为0还是为1**,重点在于这些位置比特之间存在线形关系。\n\n - 当偏差较大时,如极端情况$p=\\frac{1}{2}$,可以认为输入中若干位置异或值等于输出中若干位置异或值;\n\n - 采用KPA(无需CPA)进行线性分析攻击的步骤:\n\n 1. 构造S盒的线性近似表(linear approximation table),从而穿透S盒;\n 2. 构造带有较大偏差的$r$轮SPN的前$r-1$轮的线性近似关系,从而建立了明文和最后一轮输入的线性关系;\n 3. 根据已知的最后一轮输入和输出提取最后一轮的子密钥中若干比特,这部分密钥满足上一步建立的线性近似关系;\n\n28. 一个对S盒进行线性分析的例子\n\n - 以一个4位到4位的S盒为例,图中表格按列分为三个部分:$X$各比特值,$Y$各比特值,线性关系($X$中若干比特异或值,$Y$中若干比特异或值,本例子中列出了3组);按行共16行,每行对应一个$X$值,内容包括(由S盒决定的)相应的$Y$值和线性关系;\n - 以第一行为例,$X=0000$,根据S盒构造可知$Y = 1110$;第一组线性关系,$X_2 \\oplus X_3 = 0 \\oplus 0 = 0$,$Y_1 \\oplus Y_3 \\oplus Y_4 = 1 \\oplus 1 \\oplus 0 = 0$;\n - 统计$X_2 \\oplus X_3 $等于$Y_1 \\oplus Y_3 \\oplus Y_4 $的情况,一共12个;偏差为$12 - 16/2 = 4$;\n\n29. 一个线性分布表的例子\n\n - 将$X$/$Y$中选择的比特位置表示为一个16进制整数来作为行号/列号,其中选中的位置为1,未选中的为0;例如,$X_2 \\oplus X_3 $中选择了第2、3比特,表示为0110 = 6;$Y_1 \\oplus Y_3 \\oplus Y_4 $中选择了第1、3、4位,表示为1011 = B;\n - 根据此前对S盒的线性分析结果在表格中填入偏差;例如,$(6, B)=4$;\n - 至此,我们可以认为S盒被“穿透了”:找到了S盒上输入与输出的线性关系;\n\n30. 一个线性密码分析的例子\n\n 1. 从上向下,第一轮S盒线性分析结果为$S_{1,2}$: $x_1 \\oplus x_3 \\oplus x_4 = y_2$;其中,S盒输入$x_1, x_3, x_4$为明文和第一轮子密钥中$p_5, p_7, p_8$和$k_{1,5}, k_{1,7}, k_{1,8}$的异或值;\n\n 2. 第2轮S盒线性分析结果为$S_{2,2}$: $x_2 = y_2 \\oplus y_4$,输出的2个比特影响最后一轮的2个S盒输入$u_{3,6}, u_{3,14}$。\n\n 3. 将输入、密钥和最后一轮S盒输入间关系表达出来:$ p_5 \\oplus p_7 \\oplus p_8 \\oplus k_{1,5} \\oplus k_{1,7} \\oplus k_{1,8} \\oplus k_{2,6} \\oplus k_{3,6} \\oplus k_{3,14} = u_{3,6} \\oplus u_{3,14} $,\n\n 其中,密钥比特异或部分$\\Sigma{k} = k_{1,5} \\oplus k_{1,7} \\oplus k_{1,8} \\oplus k_{2,6} \\oplus k_{3,6} \\oplus k_{3,14}$ 是由密钥决定的一个固定的值。根据前面线性关系的含义,无论$\\Sigma{k}$是0还是1,都有一个线性关系$ p_5 \\oplus p_7 \\oplus p_8 = u_{3,6} \\oplus u_{3,14} $;\n\n 4. 从SPN的输出反向分析,$u_{3,6} \\oplus u_{3,14} $ 由密文和第4个子密钥的所有偶数位异或值决定;\n\n 5. 猜测第4个子密钥的所有偶数位,满足上面线性关系的就可能是真的密钥;需要$2^8$时间;\n\n 6. 重复上面的过程,逐渐获得所有密钥;\n\n31. 差分密码分析(**Differential Cryptanalysis**)\n\n - 与线性分析类似,但分析的是特定输入差异 $\\Delta_X$ 产生特定输出差异 $\\Delta_Y$ 的概率 $p \\gg 2^{-n}$,\n\n $x_1\\oplus x_2=\\Delta_X$, $F_k(x_1) \\oplus F_k(x_2)=\\Delta_Y$ 的概率 $p$.\n\n - 当$p$远大于随机概率$2^{-n}$时,可以认为输入差异与输出差异间存在关系;\n\n - 这个攻击需要通过CPA进行,因为需要构造特定输入差异,攻击步骤:\n - 构造S盒的差分分布表(difference distribution table)穿透S盒;\n - 构造带有较大偏差的$r$轮SPN的前$r-1$轮的差分特征,从而建立了明文和最后一轮输入的差分特征关系;\n - 根据已知的最后一轮输入和输出提取最后一轮的子密钥中若干比特,这部分密钥满足上一步建立的差分特征关系;\n\n32. 一个对S盒进行差分分析的例子\n\n - 以一个4位到4位的S盒为例,图中表格按列分为三个部分:$X$各比特值,$Y$各比特值,差分结果($\\Delta_X$下的$\\Delta_Y$,本例子中列出了3组);按行共16行,每行对应一个$X$值,内容包括(由S盒决定的)相应的$Y$值和$\\Delta_Y$值;\n - 以第一行第一列为例,$X=0000$,根据S盒构造可知$Y = 1110$;根据$\\Delta_X = 1011$,可知 $X' = \\Delta_X \\oplus X = 1011$,进而得到 $Y' = 1100$ ,有 $\\Delta_Y = Y \\oplus Y' = 0010$;\n - 统计不同$\\Delta_X$时$\\Delta_Y$各个值的频率,找出频率较高的情况,例如0010出现了8次;\n\n33. 一个差分分布表的例子\n\n - 将$\\Delta_X$和$\\Delta_Y$用16进制整数来表示,作为行号/列号,其中填入出现频率;例如,$\\Delta X = 1011 = B, \\Delta Y = 0010 = 2$,出现了8次,于是 $(B, 2) = 8$;\n - 至此,我们可以认为S盒被“穿透了”:找到了S盒上差分特征;\n\n34. 一个差分密码分析的例子\n\n - 与线性分析时类似,可以得到$\\Delta_P$与$\\Delta_U$间关系,而不需要关心中间子密钥;\n - 同样从SPN的输出反向分析,猜测第4个子密钥的所有偶数位,满足上面差分特征的就可能是真的密钥;需要$2^8$时间;\n - 重复上面的过程,逐渐获得所有密钥;\n\n35. 块密码补充\n\n - 块长度应该足够大;\n - 块密码不能抵御消息篡改;\n - Padding:填充n个内容为n的字节,或哑块;\n - 流密码 与 分组密码:流密码更快但安全性更低,应该采用块密码的“流密码模式”;\n\n36. 总结\n\n 略;\n\n" }, { "path": "notes-Chinese/5 伪随机对象的理论构造.md", "content": "# 5 伪随机对象的理论构造\n\n1. 本节学习如何设计基于单向函数存在的假设从理论上构造PRG、PRF、PRP这三个伪随机对象。\n\n2. 目录:单向函数(One-Way Function),从OWF到PRP\n\n3. 概览\n - 现代密码学的贡献之一是,单向函数的存在等价于所有(有意义的)私钥密码学的存在;\n - 我们学习一系列密码学对象的构造过程:从OWF构造核心断言(HCP),构造RPG,构造PRF,构造PRP,构造安全私钥加密方案,而安全私钥加密方案就是一个OWF,从而形成一个闭环;\n \n4. 单向函数(**One-Way Functions (OWF)**)\n\n - 单向函数是一个正向易于计算(多项式时间),而逆向难以计算(无多项式时间);\n - 下面的单向函数定义是由姚期智提出的;\n - 求逆实验 $\\mathsf{Invert}_{\\mathcal{A},f}(n)$:\n 1. 随机产生输入 $x \\gets \\{0,1\\}^n$. 计算 $y := f(x)$. *注:挑战$y$是由随机产生的$x$得到的,而不是直接随机挑选一个$y$;*\n 2. $\\mathcal{A}$ 以 $1^n$ 和 $y$ (挑战)作为输入,并输出 $x'$.\n 3. 实验成功 $\\mathsf{Invert}_{\\mathcal{A},f}(n) = 1$ ,如果 $f(x')=y$, 否则 0. *注:这里不需要$x'= x$;*\n\n5. OWF/OWP的定义 [Yao]\n\n - 定义:多项式时间算法 $M_f$ 和 $\\mathcal{A}$.\n\n 一个函数 $f\\;:\\; \\{0,1\\}^* \\to \\{0,1\\}^*$ 是单向函数,如果满足:\n\n 易于计算: $\\exists$ $M_f$: $\\forall x, M_f(x) = f(x)$. *注:这里说明计算不需要用原本的函数,只要结果相同就可以*\n\n 难以求逆: $\\forall$ $\\mathcal{A}$, $\\exists\\;\\mathsf{negl}$ 使得,$\\Pr[\\mathsf{Invert}_{\\mathcal{A},f}(n)=1] \\le \\mathsf{negl}(n)$ 或者 $\\Pr_{\\substack{x \\gets \\{0,1\\}^n}}[\\mathcal{A}(f(x)) \\in f^{-1}(f(x))] \\le \\mathsf{negl}(n). $ \n\n - *注:后半部分是难以求逆的另一种表达*\n\n6. 若干候选的单向函数\n\n - 乘法与分解(**Multiplication and factoring**):$f_{\\mathsf{mult}}(x,y)=(xy,\\|x\\|,\\|y\\|)$, $x$ 和 $y$ 是相同长度的质数;*注:后面会学习RSA问题*\n - 模平方和平方根(**Modular squaring and square roots**):$f_{\\mathsf{square}}(x)=x^2\\bmod N$;*注:也被应用于公钥密码学*\n - 离散指数与对数(**Discrete exponential and logarithm**):$f_{g,p}(x)=g^x\\bmod p$;*注:后面将学习DH密钥交换协议*\n - 子集和问题(**Subset sum problem**):$f(x_1,\\dotsc,x_n,J)=(x_1,\\dotsc,x_n,\\sum_{j \\in J} x_j)$;*注:子集和问题判定是否存在一个子集中元素之和为给定的值*\n - 密码学安全哈希函数(**Cryptographically secure hash functions**):稍后会学习;\n\n7. 单向函数例题\n\n - 单向函数的理由在于,如果$f'$不是单向的,那么$f$也不是;\n - 不是单向函数的理由在于,$f'$可以容易求逆;\n - 另外,要注意求逆实验是从随机挑选的$x$得到$y$,并不能直接指定$y$;\n\n8. 核心断言 **Hard-Core Predicates (HCP)**\n\n - 一个函数 $\\mathsf{hc}\\; : \\; \\{0,1\\}^* \\to \\{0,1\\}$ 是一个函数$f$的核心断言( **hard-core predicate**),如果\n - (1) $\\mathsf{hc}$ 可在多项式时间计算;\n - (2) $\\forall$ 概率多项式时间 $\\mathcal{A}$, $\\exists\\; \\mathsf{negl}$ 使得 $ \\Pr_{\\substack{x \\gets \\{0,1\\}^n}}[\\mathcal{A}(f(x)) = \\mathsf{hc}(x)] \\le \\frac{1}{2} + \\mathsf{negl}(n). $\n - *注:核心断言可以理解为根据函数的输出最难推断的关于输入的一个比特信息,任意敌手算法与随机猜测相比几乎没有差异。*\n\n9. 对于任意OWF的HCP [Goldreich and Levin]\n\n - 定理:$f$是一个OWF。那么,存在一个OWF $g$ 并与 $g$ 伴随着一个HCP $gl$。\n - 问题: $\\mathsf{gl}(x) = \\bigoplus^{n}_{i=1} x_i$ 是任意OWF的HCP吗? 答案是否定的,例如一个单向函数输出的最后一个比特就是输入按位异或的结果;\n - 证明:$g(x,r) \\overset{\\text{def}}{=} (f(x), r)$, for $|x| = |r|$, 并定义 $ \\mathsf{gl}(x,r) \\overset{\\text{def}}{=} \\bigoplus^{n}_{i=1} x_i \\cdot r_i $。 其中,$r$ 是一个随机串。\n - *说明:$\\mathsf{gl}$就是从$x$中随机选择若干比特异或结果作为核心断言。即便敌手根据输出推断出$x$中若干比特的信息,但仍不能推断出(由$r$来)随机挑选的任意若干比特信息(核心断言),否则意味着敌手可以求出整个$x$。*\n\n10. 从OWP到PRG:Blum-Micali Generator\n\n - 定理:$f$ 是一个OWP并且 $\\mathsf{hc}$ 是一个 $f$ 的 HCP 。那么,$G(s) \\overset{\\text{def}}{=} (f(s), \\mathsf{hc}(s))$ 构造了一个 PRG 带有扩展因子 $\\ell(n) = n+1$,并且 $\\forall$ 多项式 $p(n) > n$, $\\exists$ 一个 PRG 带有扩展因子 $\\ell(n) = p(n)$。\n - 定理成立的理由有两点:\n - 因为$f$为排列(这很重要,不能是非排列的函数),那么当$s$随机生成时,$f(s)$也是均匀随机的,$G(s)$的头部也就是随机的;\n - 根据$f(s)$难以推断核心断言$\\mathsf{hc}(s)$,这正是伪随机生成器的伪随机性的判断依据:下一比特不可预测性。\n\n11. 从PRG到PRF [Goldreich, Goldwasser, Micali]\n\n - 定理:如果存在一个PRG带有扩展因子$\\ell(n) = 2n$,那么存在一个PRF。\n - $F_k(x_1x_2\\cdots x_n) = G_{x_n}(\\cdots(G_{x_2}(G_{x_1}(k)))\\cdots), G(s)=(G_0(s),G_1(s)).$\n - 以密钥$k$为PRG的种子生成随机串,并将该随机串对半分为两个子串$G_0(s),G_1(s)$;再以每个子串作为种子分别生成两个新的子串;由此,构造一个以密钥(种子)为根的二叉树,每个叶子节点对应伪随机函数的一个输出,从输入到输出的映射就是从根到叶子的一条分支,根据输入每个比特值来选择分叉:0为左,1为右;\n - 例如,$F_k(011) = G_1(G_1(G_0(k)))$;以$k$为根,根据第一个比特选择左分支,接着选择右分支,右分支。\n - PRF随机性来自于PRG的随机性。\n\n12. 从PRF到PRP [Lucy, Rackoff]\n\n - Feistel网络可以将一个$n$比特的PRF转变为一个$2n$比特的PRP,有以下定理\n - 定理:一个3轮的Feistel网络可将一个PRF转变为一个PRP。\n - 定理:一个4轮的Feistel网络可将一个PRP转变为一个strong PRP。\n - 说明:\n - 首先,Feistel网络本身特性是排列,因此证明上述定理成立的关键在于,证明伪随机性;伪随机性来自与每轮的mangler函数是PRF,其输出是一个独立的随机值。\n - 对于为什么至少需要3轮?首先可以观察到如果只有1轮,则不是伪随机的,因为$R_0$被直接输出为$L_1$;如果只有2轮,也不是随机的,因为只改变$L_0$来翻转1个比特,那么$R_2$也只翻转1个比特。当3轮时,上述两个情况不会发生,并且输出结果$L_3, R_3$都是经过了PRF结果得到的。\n\n13. 必要的假设\n\n - 前面的理论说明OWP的存在是安全加密方案的充分条件,同时我们还可以证明OWP的存在也是安全加密方案的必要条件。\n - 定理:假设存在OWP,那么存在PRG,PRF,PRP和CCA安全私钥加密方案。\n - 如何构造CCA安全的加密方案将在后面学习。\n - 命题:如果存在窃听者不可区分私钥加密方案,那么存在一个OWF。\n - 证明:$f(k,m,r) \\overset{\\text{def}}{=} (\\mathsf{Enc}_k(m,r),m)$,其中 $|k|=n, |m|=2n, |r|=\\ell(n)$。\n - 从破解加密方案问题$\\mathcal{A}'$规约到单向函数求逆问题$\\mathcal{A}$。规约的关键之一在于将挑战密文和一个明文 $c\\|m_0$ 作为$\\mathcal{A}$求逆的输入。当求拟成功时,$\\mathcal{A}'$输出0;否则,输出1。当$m_0$被加密,则破解加密方案意味着可求逆;当$m_1$被加密,则破解加密方案意味着没有成功求逆,概率为$1-1/2^n$。\n\n14. 总结\n\n - OWF意味着安全私钥加密方案,安全私钥加密方案意味着OWF。\n\n" }, { "path": "notes-Chinese/6 消息认证码与抗碰撞哈希函数.md", "content": "# 6 消息认证码与抗碰撞哈希函数\n\n1. 本节学习用于保护信息的完整性和真实性的消息认证码(MAC)和抗碰撞的哈希函数(CRHF)。\n\n2. 目录:MAC、构建安全MAC、CBC-MAC、CRHF、HMAC、信息论上MAC。\n\n3. 完整性与真实性(**Integrity and Authentication**)\n - 敌手篡改传输中的密文(或明文)是对完整性的攻击;敌手伪装成Alice发送密文(或明文)是对真实性(认证)的攻击;\n - 上述两种攻击可以归结为对真实性(认证)的攻击,消息是由敌手构造并发出的;\n - 注意,这里的真实性是指消息的来源是来自接受者所预期的发送者,不是指内容的真假!\n \n4. MAC的词法(**Message Authentication Code**)\n - 密钥 $k$, 标签(tag) $t$, 一个比特 $b$ 为有效的 (valid}) ,如果 $b=1$; 或 无效的 ​(invalid}​) ,如果 $b=0$.\n - 密钥生成 **Key-generation** 算法 $k \\gets \\mathsf{Gen}(1^n), |k| \\ge n$.\n - 标签生成 **Tag-generation** 算法 $t \\gets \\mathsf{Mac}_k(m)$.\n - 验证 **Verification** 算法 $b:= \\mathsf{Vrfy}_k(m,t)$.\n - 消息认证码 **Message authentication code**: $\\Pi = (\\mathsf{Gen}, \\mathsf{Mac}, \\mathsf{Vrfy})$.\n - 基本正确性需求 **Basic correctness requirement **: $\\mathsf{Vrfy}_k(m,\\mathsf{Mac}_k(m)) = 1$.\n - 注:不同于加密方案,MAC并不需要从标签得到密文。\n \n5. MAC安全\n - 直觉上,没有敌手能够伪造一个**从未被发送过的新消息**的有效标签。这里“新消息”是为了排除“重放攻击”。\n - 重放攻击(Replay attack):敌手记录并发送之前的消息和标签,从而发送了一个伪造的消息并带有有效的标签;为了避免重放攻击,可以通过两种非密码学的方法。\n - 序列号:接收方需要记录之前的序列号,从而发现序列号较小(或曾经接收过的)的旧消息;\n - 时间戳:双方维护时钟同步,从而发现晚与当前时钟的旧消息;\n - 这两种方法都不依赖于密码学,因此,防御重放攻击不需要在密码学的范畴内考虑。\n - 存在性不可伪造(**Existential unforgeability**):不能伪造任何消息的标签,一个都不能伪造。\n - 存在性伪造 **Existential forgery**: 至少伪造一个消息的标签。\n - 选择性伪造 **Selective forgery**: 实施攻击前选择一个消息,并伪造该消息的标签。\n - 全域性伪造 **Universal forgery**: 伪造任意给定的消息的标签。\n - 最强的安全目标是阻止最弱的敌手造成的后果。\n - 适应性选择消息攻击(**Adaptive chosen-message attack (CMA)**):敌手在攻击过程中始终具有获得任意消息的有效标签的能力,即访问标签生成预言机;\n \n6. 定义MAC安全\n - 消息认证实验 $\\mathsf{Macforge}_{\\mathcal{A},\\Pi }(n)$ 在挑战者和敌手之间:\n 1. 挑战者生成密钥 $k \\gets \\mathsf{Gen}(1^n)$.\n 2. 敌手 $\\mathcal{A}$ 具有访问标签生成算法$\\mathsf{Mac}_k(\\cdot)$的预言机的能力,并输出 $(m,t)$. 对预言机查询的消息集合为 $\\mathcal{Q}$ 。\n 3. $\\mathsf{Macforge}_{\\mathcal{A},\\Pi }(n)=1 \\iff$ $\\mathsf{Vrfy}_k(m,t)=1$ $\\land$ $m \\notin \\mathcal{Q}$. 敌手成功,如果输出的消息和标签通过了验证,并且输出的消息是从未向预言机查询过的新消息。\n - 定义:一个 MAC $\\Pi$ 是在适应性CMA下的存在性不可伪造 (**existentially unforgeable under an adaptive CMA**),如果 $\\forall$ PPT $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ 使得: $ \\Pr [\\mathsf{Macforge}_{\\mathcal{A},\\Pi }(n)=1] \\le \\mathsf{negl}(n). $\n \n7. 真实例子\n\n - WEP 802.11 MAC中的漏洞有两点\n - 一是存在不同消息的CRC32可能是一样的情况,而且这种情况很容易给出。那么,敌手可以查询一个消息$m$并得到对应的标签$t$;然后,输出另一个与所查询消息$m$具有相同CRC32值的新消息$m'$,以及查到的标签$t$。\n - 二是敌手可以查询一个消息$m'$并获得标签$(r, t')$,由此计算得到$F(k,r) = t'\\oplus \\mathsf{CRC32}(m')$;输出一个新消息$m$以及标签$t = (r, F(k,r)\\oplus\\mathsf{CRC32}(m))$。\n - 上述漏洞展现了攻击MAC的两种常用手段:一是找到两个消息得到相同的中间结果,从而以一个消息的标签作为另一个新消息的标签;二是利用对一个/多个消息的标签来获得构造标签所需的信息,从而构造一个新消息的标签。\n \n8. 例题\n\n - 如果认为是安全的,则要用反证法证明,若新方案不安全,则原方案也不安全;\n - 如果认为是不安全的,则给出一个新消息和对应的标签;\n\n9. MAC应用\n\n - Web cookie:Web服务器在发给浏览器的cookie中包含自己生成的MAC标签,来阻止攻击者伪造其他用户的cookie;\n - TCP SYN cookie:在TCP三次握手中,服务器在其发给客户端的初始序列号中包含一个服务器生成的MAC标签,来避免保留握手状态,从而防御SYN Flooding DDoS攻击;\n - 临时一次口令:用户发送给服务器的临时登录口令为一个MAC标签$p=\\mathsf{Mac}_k(T)$,其中$k$为原始口令,$T$为当前时间(按半分钟取整);敌手窃听了之前的临时口令也无法伪造未来的临时口令;\n\n10. 构造安全MAC\n\n\t- 基于PRF构造安全MAC\n\t\t- $F$ 是 PRF. $|m| = n$.\n \t- $\\mathsf{Gen}(1^n)$: $k \\gets \\{0,1\\}^n$ .\n \t- $\\mathsf{Mac}_k(m)$: $t := F_k(m)$.\n \t- $\\mathsf{Vrfy}_k(m,t)$: $1 \\iff t \\overset{?}{=} F_k(m)$.\n - 定理:如果 $F$ 是一个PRF,那么上述构造是安全的固定长度 MAC。\n - 引理:如果 $F$ 是一个 PRF,那么 $F^t_k(m) = F_k(m)[1,\\dots,t]$ 也是一个PRF。\n - 注:这个引理说明部分输出仍保留伪随机性。引理成立的原因在于,如果根据更短的输出可以区分出伪随机函数,那么根据原长度输出也可以区分出伪随机函数了。\n11. 证明基于PRF的安全MAC\n\n - 证明思路是从PRF的区分器算法$D$规约到伪造标签的敌手算法$\\mathcal{A}$。$D$作为$\\mathcal{A}$的挑战者,用$D$要区分的预言机作为$\\mathcal{A}$的标签生成预言机;当$\\mathcal{A}$伪造标签成功时,$D$输出1。\n\n12. 证明基于PRF的安全MAC(续)\n\n - 如果是真随机 $f$ 被使用 $t=f(m)$ 是均匀随机的.\n\n $ \\Pr[D^{f(\\cdot)}(1^n)=1] = \\Pr[\\mathsf{Macforge}_{\\mathcal{A},\\tilde{\\Pi}}(n) = 1] \\le 2^{-n}.$\n\n - 如果 $F_k$ 被使用,那么就是在执行实验 $\\mathsf{Macforge}_{\\mathcal{A},\\Pi}(n)$. \n\n $ \\Pr[D^{F_k(\\cdot)}(1^n)=1] = \\Pr[\\mathsf{Macforge}_{\\mathcal{A},\\Pi}(n) = 1] = \\varepsilon(n).$\n\n - 根据PRF的定义有,$ \\left| \\Pr[D^{F_k(\\cdot)}(1^n)=1] - \\Pr[D^{f(\\cdot)}(1^n)=1] \\right| \\ge \\varepsilon(n) - 2^{-n}. $\n\n13. 扩展到变长消息\n\n - 对于变长消息,下面的建议是安全的吗?\n - 建议1:将所有块异或后,对结果进行认证:$t := \\mathsf{Mac}_k'(\\oplus_i m_i)$;\n - 建议2:对每个块分别认证,$t_i := \\mathsf{Mac}_k'(m_i)$;\n - 建议3:对每个块连带一个序列号一起认证, $t_i := \\mathsf{Mac}_k'(i\\| m_i)$.\n\n14. 构造固定长度的CBC-MAC\n\n - 为了构造用于变长消息的MAC,先学习固定长度的CBC-MAC,其与CBC结构类似,做了两处改变:\n - 改动1:将初始向量IV改为0;如果不这样改动,则敌手查询 $m_1$ 并获得 $(IV, t_1)$;然后,输出 $m_1' = IV' \\oplus IV \\oplus m_{1}$ 并且 $t' = (IV',t_1)$,一个有效的标签。\n - 改动2:标签只包括最后一个块的输出;如果不这样改动,则敌手查询 $m_i$ 并得到 $t_i$;然后,输出 $m_i' = t_{i-1}' \\oplus t_{i-1} \\oplus m_{i}$ 以及 $t_{i}' = t_i$,一个有效的标签。\n\n15. 构造固定长度的CBC-MAC(续)\n\n - 定理:如果$F$是一个PRF,那么上面的构造就是一个安全的固定长度MAC。\n - 这个构造不能用于变长消息,因为对于一个块的消息$m$和标签$t$,敌手可以在其后添加一个块$m\\oplus t$并且输出标签$t$。\n\n16. 安全变长MAC\n\n - 有三种方法可以将CBC-MAC改造为用于变长消息的MAC,都可以防御上面在结尾添加新块的攻击。\n - 输入长度密钥分离:$k_{\\ell} := F_k(\\ell)$, 用 $k_{\\ell}$ 作为 CBC-MAC 的密钥。不同长度下采用不同密钥,追加新块后长度变化,之前的标签无法利用。\n - 在开头添加长度:在CBC-MAC的明文$m$前添加一个长度块$|m|$。不同长度下消息有不同的初始块,追加新块后长度变化,之前的标签无法利用。\n - 加密末块输出(ECBC-MAC):采用两个密钥$k_1, k_2$。用$k_1$和CBC-MAC计算出 $t$,然后输出 $\\hat{t} := F_{k_2}(t)$。输出结果被加密,之前的标签无法利用。\n\n17. MAC填充(**Padding**)\n\n - 与加密类似,为了将消息长度与块长度对齐,MAC中也需要在消息中填充。为了安全性,需要保证填充是可逆的,即不同的消息在填充后也应该不同!\n - $m_0\\neq m_1 \\Rightarrow \\mathsf{pad}(m_0) \\neq \\mathsf{pad}(m_1).$\n - ISO的填充标准:用“100...00”填充,并按需填充哑块。\n - 如果不填充哑块,则会导致什么?\n - CMAC(Cipher-based MAC):不填充哑块,不加密最后一块的输出,密钥包括三个 $k, k_1, k_2$\n - $k$用于CBC-MAC;\n - $k_1$ 和 $k_2$ 与最后一块消息异或来阻止利用最后一块输出;\n - 用$k_1$ 和 $k_2$ 来区分是否添加了哑块。\n\n18. 定义哈希函数(**Hash Function**)\n\n - 一个哈希函数 (压缩函数) 是一对PPT算法 $(\\mathsf{Gen}, H)$ 满足以下条件:\n - 一个密钥 $s \\gets \\mathsf{Gen}(1^n)$, $s$ 不保密.\n - $H^s(x) \\in \\{0,1\\}^{\\ell(n)}$, 其中 $x \\in \\{0,1\\}^*$ 且 $\\ell$ 为多项式。\n - 若 $H^s$ 只在 $x \\in \\{0,1\\}^{\\ell'(n)}$ 上定义并且 $\\ell'(n) > \\ell(n)$,那么 $(\\mathsf{Gen}, H)$ 是固定长度的哈希函数。\n - 上面的定义说明,哈希函数将长消息转变为短消息。\n\n19. 定义抗碰撞(**Collision Resistance**)\n\n - 碰撞(**Collision**):$x \\neq x'$ 并且 $H(x) = H(x')$。\n\n - 抗碰撞(**Collision Resistance**):对于任意PPT算法,找到碰撞是不可能的。\n\n - 碰撞发现实验$\\mathsf{Hashcoll}_{\\mathcal{A},\\Pi}(n)$:\n\n - $s \\gets \\mathsf{Gen}(1^n)$.\n\n - 敌手 $\\mathcal{A}$ 输入 $s$ ,输出 $x, x'$. *注:敌手有$s$,意味着可以访问哈希函数*\n\n - $\\mathsf{Hashcoll}_{\\mathcal{A},\\Pi}(n) =1 \\iff x\\ne x' \\land H^s(x) = H^s(x')$.\n\n - 哈希函数 $\\Pi$ ($\\mathsf{Gen}$, $H^s$) 是抗碰撞的,如果$\\forall$ ppt $\\mathcal{A}$, $\\exists\\;\\mathsf{negl}$ 使得\n\n $ \\Pr[\\mathsf{Hashcoll}_{\\mathcal{A},\\Pi}(n)=1] \\le \\mathsf{negl}(n).$\n\n20. 哈希函数安全的更弱的概念\n\n - 抗碰撞(Collision resistance): 难以找到 $(x, x'), x' \\ne x$ 使得 $H(x) = H(x')$.\n - 抗二次原像 (Second pre-image resistance): 给定 $s$ 和 $x$, 难以发现 $x' \\ne x$ 使得 $H^s(x') = H^s(x)$.\n - 抗原像 (Pre-image resistance): 给定 $s$ 和 $y = H^s(x)$, 难以发现 $x'$ 使得 $H^s(x')=y$.\n - 攻击越难,反过来可以防范这种攻击的安全性就越弱。\n\n21. 关于CRHF的问题\n\n - 如果认为不是,那么请给出一个碰撞;\n - 如果认为是,则用反证法证明找到了$H'$的碰撞意味着$H$的碰撞。\n\n22. 哈希函数的应用\n\n - 文件指纹和去重(Fingerprinting 和 Deduplication):识别一个文件,用于病毒指纹识别,去重复,P2P文件共享;\n - 默克尔树 (Merkle Tree):构造多个文件或一个文件多个部分的指纹,从而定位有问题的文件或者文件中的部分;\n - 口令哈希(Password Hashing):$(salt, H(salt, pw))$,缓解明文口令泄漏风险;\n - 密钥派生(Key Derivation):从一个高熵(但不必均匀随机)的共享秘密中派生一个密钥;\n - 承诺方案(Commitment Scheme):将一个承诺与一份信息绑定,隐藏承诺的信息;例如,互联网上掷硬币。\n\n23. 生日问题\n\n - 生日问题:“如果一群人中有两个人的生日是同一天的概率有1/2,这群人数有多少?”。答案是23。这与我们平时的认知差异,也被称作“生日悖论”。具体计算见教材附件。\n - 这个问题意味着哈希函数的输出需要足够长,否则敌手可能通过蛮力枚举来发现碰撞。\n - 在现实攻击中,找到有意义的消息的碰撞对于攻击者来说更有价值。这对攻击者来说并不是难题,可以很容易的构造足够数量的、有意义的消息来实施攻击。对消息中一个单词的替换,所构造明文的数量翻番。\n\n24. MD变换(**Merkle-Damgård Transform**)\n\n - 从定长哈希函数$(\\mathsf{Gen}, h)$ ($2\\ell$ bits $\\to \\ell$ bits, $\\ell = \\ell(n)$)构造变长哈希函数 CRHF $(\\mathsf{Gen}, H)$ :\n - $\\mathsf{Gen}$: 不变\n - $H$: 密钥 $s$ 与串 $x \\in \\{0,1\\}^*$, $L=|x|< 2^{\\ell}$:\n - $B := \\lceil \\frac{L}{\\ell} \\rceil$ (块数)。 用0填充。 $\\ell$-位的块 $x_1,\\dotsc,x_B$。最后一块是长度 $x_{B+1} := L$, $L$ 以 $\\ell$ 位编码,这是必要的,因为只用0填充会导致不同消息的输入是一样的。\n - $z_0 := IV = 0^\\ell$。 对于 $i=1,\\dotsc,B+1$, 计算 $z_i := h^s(z_{i-1}\\| x_i)$。\n\n25. MD变换的安全性\n\n - 定理:如果$h$是定长CRHF,那么$H$也是CRHF。\n - 证明:思路是$H$上的碰撞意味着$h$上的碰撞,而$h$是不会被找到碰撞的。两个消息 $x \\ne x'$ ,长度分别为 $L$ 和 $L'$ ,块数分别为$B$ 和 $B'$,使得 $H^s(x) = H^s(x')$。 有两种情况:\n - $L \\ne L'$: $z_B\\| L \\ne z_{B'}\\| L'$;长度不同,意味着最后一个哈希函数$h$的输入不同,但输出相同,发现碰撞。\n - $L = L'$: $z_{i^*-1}\\| x_{i^*} \\ne z_{i^*-1}'\\| x_{i^*}'$;长度相同,意味着中间某一块的输入不同,但输出相同,发现碰撞。\n - 因此,必定有 $x \\neq x'$ 使得 $h^s(x) = h^s(x')$。\n - 作业中有关于MD变换的变体的安全性分析问题。\n\n26. 从分组密码构造CRHF\n\n - 可以从块密码来构造CRHF,例如Davies-Meyer方法 (SHA-1/2, MD5) $h_{i} = F_{m_{i}}(h_{i-1}) \\oplus h_{i-1}$,或者 Miyaguchi-Preneel 方法 (Whirlpool) $h_{i} = F_{h_{i-1}}(m_{i}) \\oplus h_{i-1} \\oplus m$。\n - 定理:如果$F$是一个理想的加密方案,那么Davies-Meyer构造得到一个CRHF。*注:理想的加密方案参考后面要学习的随机预言机模型。目前,没有找到$F$是强伪随机排列下该方法是CRHF的证明。*\n - 对于这个定理不做严格证明,而是回答两个问题:\n - 如果 $h_{i} = F_{m_{i}}(h_{i-1})$ ,不与 $h_{i-1}$ 异或,会如何?敌手尝试以相同的$h_i$和不同的$m_i$对$F$求逆。\n - 如果 $F$ 不是理想的,而是 $\\exists x, F_k(x)=x$,会如何?敌手输入不同$m_i$,但都得到0;\n\n27. SHA-1和MD5\n\n - 曾将广泛采用的哈希函数SHA1和MD5都已经被破解。对于128位的MD5,找到碰撞需要$2^{20.96}$;对于160位的SHA1,找到碰撞需要$2^{51}$。\n\n28. Hash-and-MAC\n\n - 有了CRHF,一个自然的想法是:先将任意长度消息哈希,然后通过PRF对哈希值做MAC,实现任意长度消息MAC。$F_k(H(m))$\n - 这个方案的安全性分两种情况分析:当不同消息得到相同哈希值时,这意味着碰撞发生;否则,意味着MAC标签被伪造。\n\n29. NMAC\n\n - 使用CRHF(MD变换)来构造MAC,而不需要用PRF\n - 之所以需要开头的密钥,是为了在哈希函数为弱抗碰撞性时也保障安全;如果哈希函数是CRHF,则不需要开头的密钥\n - 缺点:需要修改哈希函数(MD变换中初始向量)\n\n30. HMAC(基于哈希的MAC)\n\n - 以MD变换为基础构造一个安全的MAC。在开头和结尾以两个不同密钥作为哈希函数输入。\n - 不需要修改哈希函数。\n - $\\mathsf{Gen}(1^n)$: 输出 $(s, k)$. $s \\gets \\widetilde{\\mathsf{Gen}}, k \\gets \\{0,1\\}^n$ u.a.r;\n - $\\mathsf{Mac}_{s,k}(m)$: $t := H_{IV}^s\\Big((k \\oplus \\mathsf{opad}) \\| H_{IV}^s\\big((k \\oplus \\mathsf{ipad}) \\| m\\big)\\Big)$\n - $\\mathsf{Vrfy}_{s,k}(m,t)$: $1 \\iff t \\overset{?}{=} \\mathsf{Mac}_{s,k}(m)$\n\n31. HMAC安全性\n\n - 定理:$G(k) \\overset{\\text{def}}{=} h^s(IV\\| (k\\oplus \\mathsf{opad})) \\| h^s(IV\\| (k\\oplus \\mathsf{ipad})) = k_1\\| k_2$ 。其中,$h$是CRHF。如果$G$是PRG,那么HMAC是安全的。\n - 在HMAC之前,其他不安全的方案包括:\n - $H^s(k\\| x)$ 存在长度扩展攻击弱点。 在获得$H^s(k\\| x)$和消息长度后,敌手能够获得新消息 $x \\| x'$ 的有效标签 $H^s(k\\| x \\| x')$ 。因为$H^s(k\\| x)$的输出标签$t$和$x'$作为哈希函数的输入直接得到输出。\n - $H^s(x\\| k)$: 在一个弱哈希函数上的碰撞会导致MAC上碰撞。回顾NMAC中需要开头的密钥来支持弱抗碰撞的情况。\n - $H^s(k\\| x\\| k)$: 也存在一些已知的弱点,即使使用两个不同的密钥。\n - $H^s(k \\| H^s(k \\| x))$:这是NMAC和HMAC的情况\n\n32. HMAC结语\n\n - HMAC是基于NMAC的改进,是工业标准(RFC2104),HMAC比CBC-MAC更快;\n\n - 验证计时攻击:\n\n - Keyczar密码学库(Python):\n\n - `def Verify(key, msg, sig_bytes): `\n\n $\\qquad$ `return HMAC(key, msg) == sig_bytes`\n\n - 存在问题是上述比较是按字节匹配,通过观察函数返回时间可以判断相同字节的数量,从而按字节猜测标签内容。\n\n - 在Xbox 360中,相邻字节上被验证拒绝的时间差有2.2毫秒.\n\n - 不要自己实现密码学!\n\n33. 信息论上MAC安全定义\n\n - 不可能达到“完美的、不可伪造的”MAC,因为算力无限制的敌手可以至少以$1/2^{|t|}$ 的概率输出一个有效的标签。为此,对敌手查询MAC预言机的次数需要加以限制,下面分析只允许敌手查询一次MAC预言机的情况。\n - 一次消息认证实验 $\\mathsf{Macforge}^{\\mathsf{1-time}}_{\\mathcal{A},\\Pi }$: 敌手查询一次MAC预言机后输出消息和标签,\n - $k \\gets \\mathsf{Gen}$.\n - $\\mathcal{A}$ 输出一个消息 $m'$并且获得一个标签 $t' \\gets \\mathsf{Mac}_k(m')$, 然后输出 $(m,t)$.\n - $\\mathsf{Macforge}^{\\mathsf{1-time}}_{\\mathcal{A},\\Pi }=1 \\iff$ $\\mathsf{Vrfy}_k(m,t)=1$ $\\land$ $m \\neq m'$. \n - 定义:一个MAC $\\Pi$ 是一次$\\varepsilon$-安全的(one-time $\\varepsilon$-secure),如果 $\\forall$ ppt $\\mathcal{A}$: $\\Pr [\\mathsf{Macforge}^{\\mathsf{1-time}}_{\\mathcal{A},\\Pi}=1] \\le \\varepsilon.$\n - 这里$\\varepsilon$应该为$1/2^{|t|}$,才能达到之前的信息论安全。信息论安全的MAC在允许敌手查询MAC预言机若干次之后,成功伪造MAC的概率应该不大于$1/2^{|t|}$。\n\n34. 理解信息论MAC安全\n\n - 假设敌手算法是确定性的,其最合理的步骤如下:\n - (1)选择的$m'$是固定的,查询得到$t'$;\n - (2)根据$m'$和$t'$确定$k$的所有可能集合$\\mathcal{K}(t')$,从中选择一个$k^*$;\n - (3)选择输出$m$是固定的,根据$k^*$计算$t$并输出。\n - 问题:$\\mathcal{K}(t')$太大或太小会如何?\n - 设想如果根据第一次消息和标签能够唯一确定密钥$k$,那么敌手一定可以成功伪造;反之,如果不能唯一确定密钥,并且密钥可能的范围$\\mathcal{K}(t')$充分大,那么敌手就难以成功伪造。从另一个角度,需要第一次查询获得的一个对消息和标签与敌手伪造另一个新消息的标签这两个事件之间是充分独立的。密钥空间太大也不安全,因为令$(m, t)$是有效标签密钥集合也更大,其概率也增大。\n\n35. 信息论上MAC的构造\n\n - 一个函数 $h$: $\\mathcal{K} \\times \\mathcal{M} \\to \\mathcal{T}$ 是一个强全域函数(**Strongly Universal Function (SUF)**),如果对于所有不同的 $m, m' \\in \\mathcal{M}$ 以及所有 $t, t' \\in \\mathcal{T}$, 以下成立: $ \\Pr [h_k(m) = t \\land h_k(m') = t'] = 1 / |\\mathcal{T}|^2 $,其中概率来自均匀选择的 $k \\in \\mathcal{K}$.\n - 为了实现一次$1/2^{|t|}$-安全的MAC,需要一个新的数学对象,不同输入会独立产生不同的输出,输入间任何差异都会导致输出之间是完全独立的。将函数的这种性质称为:“成对独立的,**pairwise-independent**” 或者 “成对不可预测,**pairwise-unpredictable**”。\n - SUF是具有上面性质的函数,下一页证明\n - 信息论安全MAC构造:\n - 令 $h$: $\\mathcal{K} \\times \\mathcal{M} \\to \\mathcal{T}$ 为一个SUF.\n - $\\mathsf{Gen}$: $k \\gets \\{0,1\\}^n$ u.a.r.\n - $\\mathsf{Mac}_k(m)$: $t := h_k(m)$.\n - $\\mathsf{Vrfy}_k(m,t)$: $1 \\iff t \\overset{?}{=} h_k(m)$. (如果 $m \\notin \\mathcal{M}$,那么输出 0.)\n\n36. 构造一个SUF\n\n - 定理:对于任意质数 $P$,函数 $h$ 是一个SUF: $ h_{a,b}(m) \\overset{\\mathsf{def}}{=} [ a \\cdot m + b \\mod p] $\n - 证明:$h_{a,b}(m) = t$ 且 $h_{a,b}(m') = t'$,只有当 $a \\cdot m + b = t \\mod p$ 且 $a \\cdot m' + b = t' \\mod p$. 我们有 $a = [(t-t') \\cdot (m - m')^{-1} \\mod p]$ 且 $b = [t - a \\cdot m \\mod p]$,这意味着存在一个唯一的密钥 $(a, b)$。由于存在 $|\\mathcal{T}|^2$ 个密钥,$ \\Pr [h_k(m) = t \\land h_k(m') = t'] = \\frac{1}{|\\mathcal{T}|^2}$。\n\n37. 来自SUF的MAC的安全性\n\n - 定理:如果 $h$ 是一个 SUF,构造是一个 $1/|\\mathcal{T}|-$安全MAC.\n - 证明:假设敌手算法是确定性的,不失一般性可以固定$m'$并遍历所有可能的$t'$,敌手以$(m', t')$作为输入并输出$(m, t)$。根据SUF的定义,可以得到敌手成功的概率为$1/|\\mathcal{T}|$。\n\n38. 信息论MAC的局限性\n\n - 任意 $\\ell$次 $2^{-n}$-安全 MAC 需要密钥长度至少为 $(\\ell +1) \\cdot n$. \n - 定理:令 $\\Pi$ 为一次 $2^{-n}$-安全 MAC,其中所有密钥长度相同。那么,密钥必须具有$2n$长度。\n - 证明:直觉上,每对消息和标签成立需要$2^n$个密钥,才能保证 $2^{-n}$-安全。一共2对,需要$2^{2n}$。\n - 令 $\\mathcal{K}(t') \\overset{\\mathsf{def}}{=} \\{ k | \\mathsf{Vrfy}_k(m', t') = 1\\}$,即所有由所查询消息得到标签的密钥集合。对于任意 $t'$, $|\\mathcal{K}(t')| \\leq 2^{-n} \\cdot |\\mathcal{K}|$。 否则,敌手$\\mathcal{A}$从全体密钥集合中随机挑选一个密钥得到 $(m, t)$ 是一个有效标签的概率至少为 $|\\mathcal{K}(t')|/|\\mathcal{K}|> 2^{-n}$,这与安全要求矛盾。 $\\mathcal{A}$有无限算力可以根据从第一次查询中得到对应的密钥集合$\\mathcal{K}(t')$,从中选择一个密钥$k^*$,并输出一个新消息$m$的有效标签的概率是至少 $\\frac{1}{|\\mathcal{K}(t')|}$。固定$m'$遍历所有标签$t'$计算敌手成功概率为: $\\sum_{t'} \\Pr [\\mathsf{Mac}_k(m') = t'] \\cdot \\frac{1}{|\\mathcal{K}(t')|} \\geq \\sum_{t'} \\Pr [\\mathsf{Mac}_k(m') = t'] \\cdot \\frac{2^n}{|\\mathcal{K}|} = \\frac{2^n}{|\\mathcal{K}|} $ 。由于概率至多 $2^{-n}$, $|\\mathcal{K}| \\geq 2^{2n}$。由于所有密钥具有相同长度,每个密钥的长度至少是 $2n$。\n\n39. 总结\n\n - 认证意味着存在不可伪造\n - 用PRF来实现安全MAC\n - 用带密钥的CRHF来实现安全MAC\n - 信息论MAC安全需要非常、非常长的密钥\n\n\n\n" }, { "path": "notes-Chinese/7 CCA安全与认证加密.md", "content": "# 7 CCA安全与认证加密\n\n1. 本节学习用于抵抗CCA攻击的加密方案以及同时保证通信机密性和真实性的认证加密方案。\n\n2. 目录:CCA安全加密,认证加密,确定性加密,密钥派生函数。\n\n3. 回顾CCA不可区分实验\n\n - CCA不可区分实验 $\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}(n)$:\n \t1. 挑战者生成密钥 $k \\gets \\mathsf{Gen}(1^n)$;(为了下一步的预言机)\n \t2. $\\mathcal{A}$ 被给予输入 $1^n$ 和对加密函数 $\\mathsf{Enc}_k(\\cdot)$和解密函数$\\mathsf{Dec}_k(\\cdot)$的**预言机访问(oracle access)** $\\mathcal{A}^{\\mathsf{Enc}_k(\\cdot)}$ 和 $\\mathcal{A}^{\\mathsf{Dec}_k(\\cdot)}$,输出相同长度 $m_0, m_1$ ;\n \t3. 挑战者生成随机比特 $b \\gets \\{0,1\\}$,将挑战密文 $c \\gets \\mathsf{Enc}_k(m_b)$ 发送给 $\\mathcal{A}$;\n \t4. $\\mathcal{A}$ 继续对除了挑战密文$c$之外的预言机的访问,输出$b'$;如果$b' = b$,则$\\mathcal{A}$成功$\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}=1$,否则 0。\n - 定义:一个加密方案是CCA安全的,如果实验成功的概率与1/2之间的差异是可忽略的。\n\n4. 消息传递方案\n - 我们先不直接处理CCA安全,而是研究一个比CCA更安全的通信场景,其中引入了之前学习的真实性要求;\n - CCA安全与消息的真实性有关,下面学习同时保护消息机密性和真实性的消息传递方案。\n - 密钥生成(**Key-generation**) 算法输出 $k \\gets \\mathsf{Gen'}(1^n)$. $k = (k_1,k_2)$. $k_1 \\gets \\mathsf{Gen}_E(1^n)$, $k_2 \\gets \\mathsf{Gen}_M(1^n)$.\n - 消息传递(**Message transmission** )算法由 $\\mathsf{Enc}_{k_1}(\\cdot)$ 和 $\\mathsf{Mac}_{k_2}(\\cdot)$ 生成,输出 $c \\gets \\mathsf{EncMac'}_{k_1,k_2}(m)$.\n - 解密(**Decryption**)算法由 $\\mathsf{Dec}_{k_1}(\\cdot)$ 和 $\\mathsf{Vrfy}_{k_2}(\\cdot)$ 生成,输出 $m \\gets \\mathsf{Dec}'_{k_1,k_2}(c)$ 或 $\\bot$.\n - 正确性需求: $\\mathsf{Dec}'_{k_1,k_2}(\\mathsf{EncMac}'_{k_1,k_2}(m)) = m$.\n - 注:在消息传递方案中,消息被加密并且被MAC。在解密算法中,当密文没有通过真实性验证时,输出空(可以理解为“报错”);这意味着未认证的密文无法解密。\n\n5. 定义安全消息传递\n - 先定义保护真实性的认证通信,然后定义同时保护机密性和真实性的认证加密。\n - 安全消息传递实验(**secure message transmission**) $\\mathsf{Auth}_{\\mathcal{A},\\Pi'}(n)$:\n - $k = (k_1,k_2) \\gets \\mathsf{Gen}'(1^n)$.\n - $\\mathcal{A}$ 输入 $1^n$ 和对 $\\mathsf{EncMac'}_k$的预言机访问,并输出 $c \\gets \\mathsf{EncMac'}_{k}(m)$.\n - $m := \\mathsf{Dec}'_k(c)$. $\\mathsf{Auth}_{\\mathcal{A},\\Pi'}(n) = 1 \\iff m \\ne \\bot \\land\\; m \\notin \\mathcal{Q}$.\n - 定义:$\\Pi'$ 实现认证通信( **authenticated communication**),如果 $\\forall$ ppt $\\mathcal{A}$, $\\exists\\; \\mathsf{negl}$ 使得,$ \\Pr[\\mathsf{Auth}_{\\mathcal{A},\\Pi'}(n) = 1] \\le \\mathsf{negl}(n). $\n - 定义:$\\Pi'$ 是安全的认证加密(**secure Authenticated Encryption (A.E.)**), 如果其既是CCA安全的也是实现了认证通信。\n - 问题:CCA安全意味着A.E.吗?(作业)\n\n6. 关于认证加密的例题\n - 如果认为是安全的,那么利用反证法证明;\n - 如果认为是不安全的,那么或者可以伪造消息,或者破解明文;\n\n7. 加密和认证组合\n - 加密和认证如何组合来同时保护机密性和真实性?\n - 加密并认证(**Encrypt-and-authenticate**) (例如, SSH):$ c \\gets \\mathsf{Enc}_{k_1}(m),\\; t \\gets \\mathsf{Mac}_{k_2}(m).$\n - 先认证后加密(**Authenticate-then-encrypt**) (例如, SSL):$ t \\gets \\mathsf{Mac}_{k_2}(m),\\; c \\gets \\mathsf{Enc}_{k_1}(m\\| t).$\n - 先加密后认证(**Encrypt-then-authenticate**) (例如, IPsec):$ c \\gets \\mathsf{Enc}_{k_1}(m),\\; t \\gets \\mathsf{Mac}_{k_2}(c). $\n\n8. 分析组合的安全性\n - 采用全或无(All-or-nothing)分析,即一种组合方案要么在全部情况下都是安全的,要么只要存在一个不安全的反例就被认为是不安全的;\n - 加密并认证: $\\mathsf{Mac}'_k(m) = (m, \\mathsf{Mac}_k(m))$. \n - 这表明,认证可能泄漏消息。\n - 先认证后加密: \n - 一个例子:\n - $\\mathsf{Trans}: 0 \\to 00; 1 \\to 10/01$; \n - $\\mathsf{Enc}'$ 采用CTR模式; $c = \\mathsf{Enc}'(\\mathsf{Trans}(m\\| \\mathsf{Mac}(m)))$.\n - 将 $c$ 的前两个比特翻转并且验证密文是否有效。$10/01 \\to 01/10 \\to 1$, $00 \\to 11 \\to \\bot$.\n - 明文为1时,不改变明文;明文为0时,解密无效\n - 如果可以有效解密,则意味着消息的第一比特是1,否则是0; \n - 对于任何MAC,这都不是CCA安全的;\n - 这个例子表明,缺乏完整性保护时,敌手可解密,而密文是否有效也价值1个比特的信息。\n - 先加密后认证: 解密: 如果 $\\mathsf{Vrfy}(\\cdot) = 1$, 那么 $\\mathsf{Dec}(\\cdot)$; 否则,输出 $\\bot$。下面来证明。\n\n9. 构造AE/CCA安全的加密方案\n\n - 思想:令解密预言机没用。AE/CCA =CPA-then-MAC。\n - $\\Pi_E = (\\mathsf{Gen}_E, \\mathsf{Enc}, \\mathsf{Dec})$, $\\Pi_M = (\\mathsf{Gen}_M, \\mathsf{Mac}, \\mathsf{Vrfy})$. $\\Pi'$:\n - $\\mathsf{Gen}'(1^n)$: $k_1 \\gets \\mathsf{Gen}_E(1^n)$ and $k_2 \\gets \\mathsf{Gen}_M(1^n)$\n - $\\mathsf{Enc}'_{k_1,k_2}(m)$: $c \\gets \\mathsf{Enc}_{k_1}(m)$, $t \\gets \\mathsf{Mac}_{k_2}(c)$ and output $\\left< c,t \\right>$\n - $\\mathsf{Dec}'_{k_1,k_2}(\\left< c,t \\right>) = \\mathsf{Dec}_{k_1}(c)\\ \\text{if}\\ \\mathsf{Vrfy}_{k_2}(c,t) \\overset{?}{=} 1;\\ \\text{otherwise}\\ \\bot$\n - 加密时,先加密后对密文做认证;解密时,先验证,若未通过验证,则输出空,否则解密。\n\n10. AE/CCA安全加密方案证明\n\n - 定理:如果 $\\Pi_E$ 是CPA安全的私钥加密方案并且 $\\Pi_M$ 是一个安全的MAC,那么构造 $\\Pi'$ 是CCA安全的。\n\n - 证明:$\\mathsf{VQ}$ (有效查询): $\\mathcal{A}$ 向预言机$\\mathsf{Dec}'$提交一个新查询并且 $\\mathsf{Vrfy}=1$。*注:VQ表示敌手向预言机查询可经过验证并解密。*\n\n - $ \\Pr[\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi'}(n)=1] \\le \\Pr[\\mathsf{VQ}] + \\Pr[\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi'}(n)=1 \\land \\overline{\\mathsf{VQ}}] $\n\n - 我们需要证明以下:\n\n - $\\Pr[\\mathsf{VQ}]$ 是可忽略的;敌手无法利用解密预言机获得有效查询;\n\n - $\\Pr[\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi'}(n)=1 \\land \\overline{\\mathsf{VQ}}] \\le \\frac{1}{2} + \\mathsf{negl}(n)$;在无法利用解密预言机时难以破解加密方案。\n\n11. 证明敌手无法利用解密预言机获得有效查询\n\n - 思路:将 $\\mathcal{A}_M$ (有预言机 $\\mathsf{Mac}_{k_2}(\\cdot)$攻击 $\\Pi_M$ ) 规约到 $\\mathcal{A}$。\n - $\\mathcal{A}_M$以 $\\mathcal{A}$ 为子函数来运行。$\\mathcal{A}$ 将产生$q(n)$个解密预言机查询,$\\mathcal{A}_M$ 预先从中均匀随机选择一个编号 $i \\gets \\{1,\\dotsc,q(n)\\}$,并将该查询作为输出的伪造;\n - 当$\\mathcal{A}$以$m$查询加密预言机时, $\\mathcal{A}_M$ 产生加密密钥并以加密预言机的角色先计算密文$c$,然后用密文查询MAC预言机并将$\\left$返回给$\\mathcal{A}$;\n - 当$\\mathcal{A}$以$\\left$查询解密预言机时,如果这是第 $i$ 个查询,那么$\\mathcal{A}_M$ 输出$\\left$并停止;否则,如果这是曾经在加密预言机查询过的,$\\mathcal{A}_M$ 返回明文,否则,返回$\\bot$(因为只要$\\mathsf{VQ}$未发生,就应该返回$\\bot$);\n - $\\mathsf{Macforge}_{\\mathcal{A}_M,\\Pi_M }(n)=1$ 的条件是,只有当 $\\mathsf{VQ}$ 发生并且 $\\mathcal{A}_M$ 正确地猜测了 $i$ (概率为 $1/q(n)$)。\n - $ \\Pr [\\mathsf{Macforge}_{\\mathcal{A}_M,\\Pi_M }(n)=1] \\ge \\Pr[\\mathsf{VQ}]/q(n).$\n\n12. 证明在无法利用解密预言机时难以破解加密方案\n\n - 思路:将 $\\mathcal{A}_E$ (以 $\\mathsf{Enc}_{k_1}(\\cdot)$ 预言机来攻击 $\\Pi_E$ ) 规约到 $\\mathcal{A}$。\n\n - $\\mathcal{A}_E$ 以 $\\mathcal{A}$ 为子函数来运行。 $\\mathcal{A}_E$ 扮演 $\\mathcal{A}$ 的加密预言机和解密预言机方法与 $\\mathcal{A}_M$ 的类似;\n\n - 实验 $\\mathsf{PrivK}^{\\mathsf{cpa}}_{\\mathcal{A}_E,\\Pi_E}$ 与实验 $\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi'}$ 的运行一样, $\\mathcal{A}_E$ 输出与 $\\mathcal{A}$ 一样的 $b'$ ;\n\n - $\\Pr[\\mathsf{PrivK}^{\\mathsf{cpa}}_{\\mathcal{A}_E,\\Pi_E}(n)=1 \\land \\overline{\\mathsf{VQ}}] = \\Pr[\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi'}(n)=1 \\land \\overline{\\mathsf{VQ}}]$;\n\n $ \\Pr [\\mathsf{PrivK}^{\\mathsf{cpa}}_{\\mathcal{A}_E,\\Pi_E }(n)=1] \\ge \\Pr[\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi'}(n)=1 \\land \\overline{\\mathsf{VQ}}] $。\n\n13. 认证加密理论与实践\n\n - 定理:$\\Pi_E$ 是CPA安全的并且 $\\Pi_M$ 是一个带有唯一标签的安全MAC(强安全MAC),那么由先加密后认证得到的 $\\Pi'$ 是安全的。*注:强安全MAC是指一个消息只有一个有效标签*\n - GCM (Galois/Counter Mode): 先CTR加密,然后做 Galois MAC. (RFC4106/4543/5647/5288 on IPsec/SSH/TLS)\n - EAX: 先CTR 加密,然后 CMAC(Cipher-based MAC)。\n - 定理:先认证后加密方法是安全的,如果 $\\Pi_E$ 是CTR模式或者CBC模式。\n - CCM (Counter with CBC-MAC): 先 CBC-MAC 后 CTR 加密。 (802.11i, RFC3610)\n - OCB (Offset Codebook Mode): 将MAC整合到加密中。 (是CCM, EAX的2倍快)\n - 上述方案都支持 AEAD (A.E. with associated data): 部分是明文并且整个消息被认证。这在实践中是很常用的,例如一个IP报文需要加密,但IP头部需要以明文方式传输。\n\n14. 安全消息传递补充\n\n - 认证可能泄漏消息;*注:完整性不同于机密性*\n - 安全消息传递意味着CCA安全性,但反之未必;\n - 不同安全目标应该采用不同的密钥;否则,可能泄漏消息,例如 $\\mathsf{Mac}_k(c)=\\mathsf{Dec}_k(c)$。\n - 实现可能摧毁理论上的安全性:\n - Padding Oracle 攻击(TLS 1.0): 解密返回两种类型错误: padding error,MAC error;敌手通过猜测来获得最后一字节,如果没有padding错误;参考之前在CCA部分学习的Padding Oracle攻击;\n - 攻击非原子解密(SSH Binary Packet Protocol):解密时,分三步 (1)解密消息长度; (2)读取长度所表明的包数; (3) 检查MAC;敌手针对这种非原子解密过程,实施攻击分三步 (1)发送密文 $c$;(2)发送 $l$ 个包直到“MAC error”发生;(3)获得密文对应的明文 $l = \\mathsf{Dec}(c)$。\n\n15. 确定性CPA安全(**Deterministic CPA Security**)\n\n - 应用:在加密数据库索引后,检索时需要加密明文来检索密文;在磁盘加密中,密文大小需要与明文一样大。但之前学习的CPA安全加密都是非确定性的,而且密文比明文长。\n - 确定性加密(Deterministic encryption):相同的消息在相同密钥下被加密为相同的密文。\n - 问题:这样能实现CPA安全吗?答案是不可能,因为CPA安全意味着非确定性加密,密文长于明文。于是,我们需要新的安全定义。\n - 确定性CPA安全(Deterministic CPA Security): 如果从来不用相同的密钥加密同一个消息两次,实现CPA安全,即密钥和消息对$\\left$ 是唯一的。\n - 这里引入新的条件:消息是可重复的,密钥也可重复,但同一密钥不能重复加密同一消息。这是为了实现CPA而做出的必要改变。相当于获得确定性下CPA安全的同时,丧失同一个消息被同一个密文加密多次的能力。\n - 一个PRP就是固定长度的确定性CPA安全加密方案。\n - 确定性认证加密(Deterministic Authenticated Encryption,DAE):与上面的确定性CPA安全概念类似。\n\n16. 在变长加密中的一个常见错误\n\n - 常见错误:在 CBC/CTR 模式中采用固定的$IV$。这虽然是确定性的,但是不安全。\n - 敌手能够查询 $(m_{q1}, m_{q2})$ 并且得到 $(c_{q1}, c_{q2})$;然后输出明文:$ IV\\oplus c_{q1} \\oplus m_{q2}$ 并且期待密文: $c_{q2}$。注:第一个PRF的输入就是$ IV\\oplus IV\\oplus c_{q1} \\oplus m_{q2} = c_{q1} \\oplus m_{q2}$ \n - 下面介绍三种变长明文的CPA安全的确定性加密方案。\n\n17. 合成初始向量法(**Synthetic** IV **(SIV)**)\n\n - 思路:保持初始向量对敌手仍是不可预测的,但是由明文和密钥确定的。\n - 合成初始向量 SIV :对同一对$\\left$使用一个固定的 $IV$ ,用明文通过PRF生成SIV,再用另一个密钥加密;\n - 一个PRF $F$,和一个 CPA安全 $\\Pi:(\\mathsf{Enc}_k(r,m), \\mathsf{Dec}_k(r,s))$;\n - 生成两个密钥 $(k_1,k_2) \\gets \\mathsf{Gen}$; 得到合成初始向量 $SIV \\gets F_{k_1}(m)$;以SIV做为IV来加密 $c = \\left$;\n - 采用SIV-CTR可以实现 DAE:MAC标签 $t := SIV$ ,然后应用 $CTR_{k_2}$。\n\n18. 宽块PRP(**Wide Block PRP**)\n\n - 思路:因为一个PRP本身是确定性CPA安全,因此,构造一个大的PRP来加密。\n - 宽块PRP就是PRP,从较短的PRP(例如AES)构造一个更长的块大小,和消息一样大(例如磁盘上一个扇区)。\n - PRP-based DAE: $\\mathsf{Enc}_k(m\\| 0^{\\ell})$。在解密中$\\mathsf{Dec}$,如果后半部分明文 $\\neq 0^{\\ell}$,输出 $\\perp$。\n - 窄块(Narrow block)可能泄漏信息,由于有一些块相同时,可能泄漏信息。\n - 标准: IEEE P1619.2 中 CBC-mask-CBC (CMC) 和 ECB-mask-ECB (EME) 。\n - 代价:由于两轮加密比SIV方法慢两倍。\n\n19. 可调加密(**Tweakable Encryption**)\n\n - 思路:从密钥生成不同的密钥,一次一密\n - 无扩展加密(Encryption without expansion): 明文空间与密文空间相同 $\\mathcal{M} = \\mathcal{C}$ 意味着没有完整性保护的确定性加密,例如磁盘加密。\n - Tweak是一个类似初始向量的值,在同一密钥下,不同的tweak构造不同的PRP。每一个块采用不同的tweak。\n - 可调块密码(Tweakable block ciphers):用一个密钥生成许多PRP $\\mathcal{K} \\times \\mathcal{T} \\times \\mathcal{X} \\to \\mathcal{X}$, $\\mathcal{T}$ 是tweak集合。\n - 一种简单的解决方法:以一个Tweak $t$来生成密钥 $k_t = F_k(t), t=1,\\dots,\\ell$,但要加密两次效率不高,需要更有效的方法。\n\n20. XTS\n\n - XTS:XEX(Xor-Encrypt-Xor)-based tweaked-codebook mode with ciphertext stealing。 (XTS-AES, NIST SP 800-38E)\n - XEX: $c = F_k(m\\oplus x)\\oplus x$,其中在 Galois 域上 $x=F_k(I)\\otimes 2^j$ ,在扇区 $I$中块 $j$ 对应的tweak是 $(I,j)$ 。\n - Ciphertext stealing (CTS):无需填充(padding),没有扩展。\n\n21. 密钥派生函数(**Key Derivation Function (KDF)**)\n\n - 密钥派生函数(Key Derivation Function,KDF):从一个秘密的原密钥 $sk$ 产生许多密钥;\n - 对于均匀随机的 $sk$:$F$ 是 PRF, $ctx$ 是标识应用的唯一串,$\\mathsf{KDF}(sk,ctx,l) = \\left.$\n - 对于非均匀随机的 $sk$:提取并扩展范式 \n - 提取(extract): HKDF $k \\gets \\mathsf{HMAC}(salt,sk)$, $salt$(盐)是一个随机数。用盐来向密钥添加熵。\n - 扩展(expand):与上面均匀随机情况一样。\n\n22. 基于口令的KDF(**Password-Based KDF, PBKDF**)\n\n - 密钥延展(Key stretching)增加测试密钥的时间 (使用较慢的哈希函数)。\n - 密钥加强(Key strengthening)增加密钥的长度和随机性 (使用盐)。\n - PKCS\\#5 (PBKDF1):$H^{(c)}(pwd\\|salt)$, 哈希函数迭代 $c$ 次。\n - 敌手攻击,或者尝试被加强的密钥 (更大的密钥空间),或者尝试初始密钥 (每个密钥花费更长时间)。\n\n23. IV,Nonce,Counter,Tweak和Salt\n\n - IV:密码学原语的输入,提供随机性。\n - nonce:用来标记一次通信的只使用一次的一个数。\n - counter:一个连续的数,用作nonce或IV。\n - tweak:在一个密码中对每个块只用一次的输入。\n - salt:随机比特,用于创建一个函数的输入。\n\n24. 总结\n\n - 略\n\n" }, { "path": "notes-Chinese/8.1 公钥加密理论.md", "content": "# 8.1 公钥加密理论\n\n1. 本节学习用于保护信息的完整性和真实性的消息认证码(MAC)和抗碰撞的哈希函数(CRHF)。\n\n2. 目录:公钥加密的定义和安全,陷门排列,选择密文攻击安全,在随机预言机模型中从陷门排列到公钥加密。\n\n3. 私钥密码学局限性\n\n - 密钥分发需要通信各方在物理上会面;\n - $U$个用户的密钥的数量 $\\Theta(U^2)$;\n - 开放系统的安全通信:基于私钥密码学的解决方案无法充分处理开放系统中的安全通信问题,在开放系统中通信各方不能物理上会面,或只能暂时交互;\n - 注:私钥密码学中的一个核心问题就是密钥分发与管理问题。\n\n4. **Needham-Schroeder 协议**\n\n - *Needham–Schroeder Symmetric Key Protocol*:在开放网络中双方通过一个可信的第三方建立一个会话密钥(session key);\n - 密钥分发中心(Key Distribution Center,KDC)作为可信的第三方(Trusted Third Party,TTP),与通信双方Alice和Bob在事前分别建立了对称密钥;\n - KDC根据Alice的请求,生成一个新的 $k$ 会话密钥(session key),分别用与Alice和Bob分别共享的密钥来加密并发送给Alice;$E_{Bob}(k)$ 作为一个来访问Bob所需的凭证(ticket);\n - 用于MIT's Kerberos 协议 (in Windows);\n - 优点:每一方只需要存储一个密钥;不需要更新通信双方密钥(因为采用新的会话密钥);\n - 弱点:单点失效,一旦KDC被破坏,则整个系统都不安全。\n\n5. Merkle难题(无需可信第三方的密钥交换)\n\n - Alice准备 $2^{32}$ 个难题 $\\mathsf{Puzzle}_i$,并且发送给Bob;难题如下:\n\n $\\mathsf{Puzzle}_i \\gets \\mathsf{Enc}_{(0^{96}\\|p_i)}(\\text{``Puzzle \\#''} x_i \\| k_i),$,其中 $\\mathsf{Enc}$ 是 128位加密,$p_i \\gets \\{0,1\\}^{32}$ 并且 $x_i,k_i \\gets \\{0,1\\}^{128}$。\n\n 注:每个难题中明文包括一个随机数和一个密钥,用一个密钥加密;\n\n - Bob随机选择一个难题 $\\mathsf{Puzzle}_j$,并且在 $2^{32}$ 时间内猜测 $p_j$ ,获得 $x_j,k_j$ 并将 $x_j$ 发送给 Alice。\n\n - Alice 按照$x_j$查询谜题,并且使用 $k_j$ 作为密钥。\n\n - 敌手需要 $2^{32+32}$ 时间,是诚实方所需时间复杂性的二次方。\n\n - 在诚实方和敌手之间存在更好的差距吗?如果将加密方法看作是一个黑盒预言机,那么二次差距是最好的。\n\n - Merkle难题的缺点是谜题数量太大,获得密钥的代价太大;\n\n - 注:Merkle当时是UC的一名本科生,这是他的一门课程设计申请。\n\n6. 公钥革命\n\n - 在1976年,Whitfield Diffie 和 Martin Hellman 发表了 “New Directions in Cryptography” (密码学的新方向)。在这篇论文中,提出公钥加密方案、陷门(Trap door)和数字签名等概念。[论文原文链接](https://ee.stanford.edu/%7Ehellman/publications/24.pdf)\n - 非对称(Asymmetric)或公钥(public-key)加密方案:\n - 公钥(Public key)作为加密密钥;(注:接收方产生,发送方持有)\n - 私钥(Private key)作为解密密钥; (注:接收方产生,接收方持有)\n - 公钥原语(Public-key primitives):\n - 公钥加密(Public-key encryption)\n - 数字签名(Digital signatures) (不可抵赖性,non-repudiation)\n - 交互式密钥交换(Interactive key exchange)\n - 优点:\n - 在公开信道上密钥分发\n - 减少保存大量密钥的需求\n - 使得在开放系统的安全成为可能\n - 缺点:慢两到三个数量级,针对公钥分发的主动攻击\n - 注:如何保证Alice得到的公钥真的是Bob的公钥?\n\n7. 公钥加密定义\n\n - 密钥生成(Key-generation)算法: $(pk,sk) \\gets \\mathsf{Gen}$, 密钥长度 $\\ge n$;\n - 明文空间: $\\mathcal{M}$ 与 $pk$ 相关;(注:公钥加密方案通常以数学难题为基础,明文与公钥之间并不完全独立)\n - 加密(Encryption)算法: $c \\gets \\mathsf{Enc}_{pk}(m)$.\n - 解密(Decryption)算法:$m:= \\mathsf{Dec}_{sk}(c)$, 或者输出 $\\perp$.\n - 需求:$\\Pr[\\mathsf{Dec}_{sk}(\\mathsf{Enc}_{pk}(m)) = m] \\ge 1 - \\mathsf{negl}(n)$. (注:公钥加密方案通常以数学难题为基础,存在解密不成功的可能。)\n\n8. 对窃听者的安全 = CPA\n\n - 由于公钥是公开的,敌手不仅能窃听,而且能够加密任意明文。\n - 在敌手和挑战者间窃听不可区分实验 $\\mathsf{PubK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)$:\n - 挑战者生成密钥 $(pk,sk) \\gets \\mathsf{Gen}(1^n)$。\n - 敌手 $\\mathcal{A}$ 被给予 $\\mathbf{pk}$ 以及 $\\mathbf{\\mathsf{Enc}_{pk}(\\cdot)}$ 预言机的访问,输出相同长度的 $m_0, m_1$ 。 \n - 挑战者随机生成 $b \\gets \\{0,1\\}$。将挑战密文 $c \\gets \\mathsf{Enc}_{pk}(m_b)$ 发送给敌手 $\\mathcal{A}$。\n - $\\mathcal{A}$ 继续访问预言机 $\\mathbf{\\mathsf{Enc}_{pk}(\\cdot)}$ 并且输出 $b'$。\n - 如果 $b' = b$,$\\mathcal{A}$ 成功 $\\mathsf{PubK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}=1$,否则 0。\n - 定义:$\\Pi$ 是 CPA-secure, 如果 $\\forall$ ppt $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ 使得 $\\Pr\\left[\\mathsf{PubK}^{\\mathsf{cpa}}_{\\mathcal{A},\\Pi}(n)=1\\right] \\le \\frac{1}{2} + \\mathsf{negl}(n)$。\n\n9. 公钥加密的安全属性\n\n - 对称加密可以加密32比特消息,产生32比特密文,例如,使用一次一密。在公钥系统中能够做到同样的吗?\n - 一个确定性的公钥加密方案在窃听者出现时是安全的?\n - 如果 $\\Pi$ 在窃听者出现时是安全的,那么 $\\Pi$ 也是CPA安全的? 是否是多重加密安全的?\n - 完美保密的公钥加密是可能的吗?(注:不可能)\n\n10. 密钥长度比较\n\n NIST(美国国家标准技术研究所)推荐可比较的密钥长度 (按比特) 。NIST 认为一个112比特的有效密钥长度直到2030年是可接受的,但是推荐 128 比特或更长的密钥。\n\n | 对称密钥(AES) | RSA/DH | ECC |\n | --------------- | ------ | ---- |\n | 56 | 512 | 112 |\n | 80 | 1024 | 160 |\n | 112 | 2048 | 224 |\n | 128 | 3072 | 256 |\n | 192 | 7680 | 384 |\n | 256 | 15360 | 512 |\n\n11. 混合加密(**Hybrid Encryption**)构造\n\n - 为了加速加密,采用私钥加密方案 $\\Pi'$ (数据封装机制,data-encapsulation mechanism, DEM) 与公钥加密方案 $\\Pi$ (密钥封装机制, key-encapsulation mechanism, KEM) 一起。\n - $\\Pi^{\\mathsf{hy}} = (\\mathsf{Gen}^{\\mathsf{hy}}, \\mathsf{Enc}^{\\mathsf{hy}}, \\mathsf{Dec}^{\\mathsf{hy}})$:\n - $\\mathsf{Gen}^{\\mathsf{hy}}$: $(pk,sk) \\gets \\mathsf{Gen}(1^n)$. *注:只需提前生成公钥加密方案所需密钥*\n - $\\mathsf{Enc}^{\\mathsf{hy}}$: $pk$ and $m$. \n - $k \\gets \\{0,1\\}^n$. *注:生成私钥加密密钥*\n - $c_1 \\gets \\mathsf{Enc}_{pk}(k)$, $c_2 \\gets \\mathsf{Enc}'_{k}(m)$. *注:用公钥加密的公钥加密私钥加密密钥,用私钥加密密钥加密消息。*\n - $\\mathsf{Dec}^{\\mathsf{hy}}$: $sk$ and $\\langle c_1,c_2\\rangle$.\n - $k := \\mathsf{Dec}_{sk}(c_1)$. *注:用公钥加密中私钥解密获得私钥加密密钥*\n - $m := \\mathsf{Dec}'_k(c_2)$. *注:用私钥加密密钥获得明文*\n - 问题:混合加密方案是公钥加密还是私钥加密?\n\n12. 混合加密安全\n\n - 定理:如果 $\\Pi$ 是一个CPA安全的公钥加密方案,并且 $\\Pi'$ 是窃听者不可区分的私钥加密方案,那么 $\\Pi^{\\mathsf{hy}}$ 是CPA安全的公钥加密方案。\n - 这里对于私钥加密方案的安全性要求只是窃听者不可区分的,不要求是CPA安全的,因为*私钥加密密钥是每次加密时随机产生的新密钥*,私钥加密的加密预言机提供的结果无法被利用。\n - 整个方案安全证明的思路是利用各方案之间不可区分性,以及不可区分性所具有的传递性(transitiviy)。\n - 目标是证明 (1)$\\langle pk,\\mathsf{Enc}_{pk}(k),\\mathsf{Enc}_{k}'(m_0)\\rangle$ 与(2) $\\langle pk,\\mathsf{Enc}_{pk}(k),\\mathsf{Enc}_{k}'(m_1)\\rangle$ 之间对于不同明文的不可区分性。为此,先观察(1) $\\langle pk,\\mathsf{Enc}_{pk}(k),\\mathsf{Enc}_{k}'(m_0)\\rangle$ 与(3) $\\langle pk,\\mathsf{Enc}_{pk}(0^n),\\mathsf{Enc}_{k}'(m_0)\\rangle$ 之间对于不同公钥加密明文(私钥加密密钥)之间由于公钥加密方案不可区分性也是不可区分的;同理,(2)$\\langle pk,\\mathsf{Enc}_{pk}(k),\\mathsf{Enc}_{k}'(m_1)\\rangle$ 与(4) $\\langle pk,\\mathsf{Enc}_{pk}(0^n),\\mathsf{Enc}_{k}'(m_1)\\rangle$ 之间也是不可区分的。(3)$\\langle pk,\\mathsf{Enc}_{pk}(0^n),\\mathsf{Enc}_{k}'(m_0)\\rangle$ 与(4) $\\langle pk,\\mathsf{Enc}_{pk}(0^n),\\mathsf{Enc}_{k}'(m_1)\\rangle$ 之间由于私钥加密方案不可区分性也是不可区分的。最后,根据不可区分性所具有的传递性,证明混合加密方案的不可区分性。\n\n13. 混合加密范式应用\n\n - 共享文件访问,Alice用自己的对称密钥加密文件,Bob的公钥加密对称密钥\n - 密钥托管,Alice用托管服务器的公钥加密对称密钥,领导从托管服务器获得私钥来解锁\n\n14. 陷门函数(**Trapdoor Function**)\n\n - 陷门函数(Trapdoor function): 易于计算,在缺乏特定信息(陷门)时难以求逆,即带有陷门的单向函数。\n - 1982年,姚期智在论文《Theory and Applications of Trapdoor Functions》中提出,从任意陷门函数中可构造一个公钥加密方案。\n\n15. 函数族(**Families of Functions**)\n\n - $\\Pi = (\\mathsf{Gen}, \\mathsf{Samp}, f)$ 是一个函数组,如果:\n - 参数生成(Parameter-generation)算法: $I \\gets \\mathsf{Gen}(1^n)$。参数$I$定义了定义域(domain)$\\mathcal{D}_I$和值域(range)$\\mathcal{D}_R$。注:这里产生了一个具体的函数参数。\n - 采样(sampling)算法: $x \\gets \\mathsf{Samp}(I)$,均匀随机地产生一个$x$。\n - 确定性赋值(evaluation)算法: $y := f_I(x)$。\n - 这里强调采样算法是因为后面要学习的数论难题的输入是要满足某些条件的。\n\n16. 陷门排列族\n\n - 一组多项式时间算法 $\\Pi = (\\mathsf{Gen}, \\mathsf{Samp}, f, \\mathsf{Inv})$ 是一个陷门排列族(family of trapdoor permutations,TDP),如果:\n - 参数生成(parameter generation)算法 $\\mathsf{Gen}$, 输入 $1^n$,输出 $(I,\\mathsf{td})$ 有 $|I| \\ge n$。其中, $(I, \\mathsf{td})$ 定义了集合 $\\mathcal{D}_I = \\mathcal{D}_{\\mathsf{td}}$。注:陷门排列族是一个函数集合,参数生成算法产生一个具体陷门排列所需的参数。\n - $\\mathsf{Gen}_I$ 只输出 $I$。$(\\mathsf{Gen}_I, \\mathsf{Samp}, f)$ 是 OWP。其中的$\\mathsf{Samp}$是采样函数,用于获得函数的输入$x \\gets \\mathcal{D}_I$。\n - 一个确定性求逆算法 $\\mathsf{Inv}$,对于 $\\forall (I,\\mathsf{td})$ 并且 $\\forall x \\in \\mathcal{D}_{I}$, $ \\mathsf{Inv}_{\\mathsf{td}}(f_I(x))=x$。*注:可求逆*\n - 核心断言:确定性多项式时间算法 $\\mathsf{hc}$ 是$\\Pi$ 的一个核心断言(hard-core predicate),如果 $\\forall$ ppt $\\mathcal{A}$,$\\exists$ $\\mathsf{negl}$ 使得 $ \\Pr[\\mathcal{A}(I,f_I(x)) = \\mathsf{hc}_I(x)] \\le \\frac{1}{2} +\\mathsf{negl}(n)$。\n - 定理:给定一个陷门排列族$\\Pi = (\\mathsf{Gen}, \\mathsf{Samp}, f, \\mathsf{Inv})$,则存在一个带有核心断言的陷门排列族$\\widehat{\\Pi} = (\\widehat{\\mathsf{Gen}}, \\mathsf{Samp}, f, \\mathsf{Inv})$。注:证明与单向函数部分关于核心断言的定理类似。\n\n17. TDP例题\n\n - 如果答案是肯定的,则需要反证法证明,$f'$若不是TDP,那么$f$也不是;\n - 如果答案是否定的,则需要给出一个有效的求逆方法。\n\n18. 从TDP到公钥加密方案\n\n - 从一个带有核心断言$\\mathsf{hc}$的陷门排列族$\\widehat{\\Pi} = (\\widehat{\\mathsf{Gen}}, \\mathsf{Samp}, f, \\mathsf{Inv})$来构造一个公钥加密方案:\n - $\\mathsf{Gen}$: $(I, \\mathsf{td}) \\gets \\widehat{Gen}$ 输出公钥 $I$ 和私钥 $\\mathsf{td}$。\n - $\\mathsf{Enc}$: 输入 $I$ 和 $m \\in \\{0,1\\}$,选择一个 $x\\gets \\mathcal{D}_I$ 并且输出 $\\langle f_I(x), \\mathsf{hc}_I(x)\\oplus m \\rangle$。\n - $\\mathsf{Dec}$: 输入 $\\mathsf{td}$ 和 $\\langle y, m'\\rangle$,计算 $x:= f^{-1}_I(y)$ 并且输出 $\\mathsf{hc}_I(x)\\oplus m'$。\n - 定理:如果 $\\widehat{\\Pi}=(\\widehat{Gen},f)$ 是 TDP,并且 $\\mathsf{hc}$ 是$\\widehat{\\Pi}$的 HCP ,那么构造 $\\Pi$ 是 CPA安全的。\n - 问题:这个方案是安全的吗?$\\mathsf{Enc}_{I}(m) = f_I(m)$, $\\mathsf{Dec}_{\\mathsf{td}}(c) = f^{-1}_I(c)$。\n\n19. 证明\n\n - $\\mathsf{hc}_I(x)$ 是伪随机的。将 $\\mathcal{A}_{\\mathsf{hc}}$ for $\\mathsf{hc}$ 规约到 $\\mathcal{A}$ for $\\Pi$。\n - $\\Pr[\\mathcal{A}_{\\mathsf{hc}}(I,f_I(x))=\\mathsf{hc}_I(x)] = $ $\\frac{1}{2}\\cdot (\\Pr[b'=b|z=\\mathsf{hc}_I(x)]+\\Pr[b'\\neq b|z\\neq \\mathsf{hc}_I(x)]).$\n - 上面的公式的含义是 $\\mathcal{A}_{\\mathsf{hc}}$成功得到核心断言包含两种情况:\n - 当$z$是核心断言,则$\\mathcal{A}$面对的是方案$\\Pi$,$\\mathcal{A}$成功($b'=b$),输出的$z$就是核心断言;\n - 当$z$不是核心断言,则$\\mathcal{A}$面对的挑战密文与$\\Pi$中是相反的,$\\mathcal{A}$失败($b'\\neq b$),输出的$\\overline{z}$就是核心断言;\n\n20. 证明(续)\n\n - $\\Pr[b'=b|z=\\mathsf{hc}_I(x)] = \\Pr[\\mathsf{PubK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)=1]=\\varepsilon(n)$。 *注:$\\mathcal{A}$实验成功。*\n - 如果 $z \\neq \\mathsf{hc}_I(x)$, $m' = m_b\\oplus \\overline{\\mathsf{hc}}_I(x) = m_{\\overline{b}}\\oplus \\mathsf{hc}_I(x)$,这意味着 $m_{\\overline{b}}$ 被加密了。\n - $\\Pr[b'=b|z\\neq \\mathsf{hc}_I(x)] = \\Pr[\\mathsf{PubK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)=0]=1-\\varepsilon(n)$。 *注:$\\mathcal{A}$实验失败了。*\n - $\\Pr[b'\\neq b|z\\neq \\mathsf{hc}_I(x)] =\\varepsilon(n)$。\n - $\\Pr[\\mathcal{A}_{\\mathsf{hc}}(I,f_I(x))=\\mathsf{hc}_I(x)] = \\frac{1}{2}\\cdot (\\varepsilon(n)+\\varepsilon(n)) = \\varepsilon(n)$。 *注:根据上一页的公式。*\n - 至此,我们学习了基于陷门排列的公钥加密方案,但只能加密一个比特,如何加密一个更长的明文?后面学习随机预言机模型设定下的公钥加密方案。\n\n21. 在公钥设定中CCA情景\n\n - CCA\n - 敌手 $\\mathcal{A}$ 观察由 $\\mathcal{S}$ 发送给 $\\mathcal{R}$ 的密文 $c$ 。\n - $\\mathcal{A}$ 以$\\mathcal{S}$ 或自己的名义发送 $c'$ 给 $\\mathcal{R}$ 。\n - $\\mathcal{A}$ 根据从 $c'$ 中解密出的 $m'$ 来推断 $m$。\n - 情景\n - 用口令来登陆在线银行:试错,从银行反馈中获得信息。\n - 邮件回复中包含解密出的文本的引用。\n - 密文的可锻造性,例如,在拍卖中将其他人的出价翻倍。\n\n22. 对CCA/CCA2的安全定义\n\n - CCA/CCA2 不可区分实验 $\\mathsf{PubK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}(n)$:\n - $(pk,sk) \\gets \\mathsf{Gen}(1^n)$.\n - $\\mathcal{A}$ 给定输入 $pk$ 和预言机访问 $\\mathsf{Dec}_{sk}(\\cdot)$,输出相同长度的 $m_0, m_1$ 。\n - $b \\gets \\{0,1\\}$。挑战密文 $c \\gets \\mathsf{Enc}_{pk}(m_b)$ 给 $\\mathcal{A}$。\n - 在CCA2中,$\\mathcal{A}$ 除了 $c$ 之外还可以访问 $\\mathsf{Dec}_{sk}(\\cdot)$,并输出$b'$ 。注:CCA 也被称作午餐攻击。CCA2 也被称为适应性的 CCA。\n - 如果 $b' = b$,那么 $\\mathcal{A}$ 成功, $\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}=1$,否则 0。\n - $\\Pi$ 是 CCA/CCA2安全的,如果 $\\forall$ ppt $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ 使得 $ \\Pr\\left[\\mathsf{PubK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}(n)=1\\right] \\le \\frac{1}{2} + \\mathsf{negl}(n)$.\n\n23. 例题\n\n - 略\n\n24. CCA2安全加密技术进展\n\n - 零知识证明(Zero-Knowledge Proof):复杂并不可实践。(例如,Dolev-Dwork-Naor)\n - 随机预言机模型(Random Oracle model):有效,但并不踏实 (将 CRHF 当作 RO)。 (例如,RSA-OAEP 和 Fujisaki-Okamoto)\n - DDH(决策性Diffie-Hellman)假设和UOWHF(全域单向哈希函数):大小扩展2倍,但可以在没有RO和ZKP场景下证明安全 (例如,Cramer-Shoup system)。\n - CCA2安全意味着明文感知(Plaintext-aware):敌手在不知道明文的情况下,不能产生有效的密文。\n - 开放问题:如何构造一个与“书本上RSA”一样有效的,基于RSA问题的CCA2安全的方案。\n\n25. 随机预言机模型(**Random Oracle Model,ROM**)\n\n - 为了在实践中实现CPA安全和CCA安全的公钥加密方案,引入了一个更强大的随机对象,称为随机预言机(Random Oracle Model)。\n - 随机预言机(RO):一个真随机函数($H$)对每个可能的查询回答一个随机应答。\n - 一致性:如果$H$曾经在运行中为一个输入 $x$ 输出 $y$,那么它一直对相同的输入输出相同的答案。\n - 无人“知道”整个函数 $H$。\n - 随机预言机模型(ROM):存在一个公开的RO。与此相对的,不存在RO的情况,称作标准模型。\n - 方法论:在ROM中构造可证明的安全。\n 1. 在ROM中,一个方案被设计并被证明是安全的。\n 2. 将 $H$ 用一个哈希函数 $\\hat{H}$,例如 SHA256。\n - 无人严格地声明随机预言机存在。\n - 存在某些方案,在ROM中被证明是安全的,但无论如何将随机预言机实例化都不是安全的。\n - 使用ROM,很容易实现可证明安全,同时通过正确的实例化来保持高效。\n\n26. ROM的简单例子\n\n - 由于RO “强大的随机性”,其可以充当或构造之前学习过得密码学原语,包括为单向函数、抗碰撞哈希函数、伪随机函数等。\n\n - 一个 RO 将 $n_1$ 比特输入映射为 $n_2$ 比特输出。\n\n - RO 作为 OWF,进行如下实验:\n\n 1. 选择一个RO $H$ ;\n\n 2. 选择一个随机的 $x \\in \\{0,1\\}^{n_1}$ ,并且赋值 $y := H(x)$ ;\n\n 3. 敌手 $\\mathcal{A}$ 被给予 $y$,如果输出 $x'$: $H(x')=y$,则成功;\n\n 解释:如果敌手成功求逆,则意味着敌手“事先”询问过RO;\n\n - RO 作为 CRHF,进行如下实验:\n\n 1. 选择一个RO $H$ ;\n\n 2. 敌手 $\\mathcal{A}$ 成功,如果其输出 $x, x'$ 满足 $H(x)=H(x')$ ,但是 $x\\neq x'$;\n\n 解释:如果敌手找到碰撞,则意味着$H$不是随机的,因为两个随机输出不可能相同。\n\n - 从一个RO构造PRF : $n_1=2n$, $n_2=n$.\n\n - $ F_k(x) \\overset{\\text{def}}{=} H(k\\| x),$ $|k|=|x|=n.$\n\n 解释:如果$F$不是伪随机的,则$H$也可以与真随机相区分。\n\n27. CPA安全\n\n - 思路:PubK CPA = PrivK + (Secret Key = TDP + RO) \n - 实现CPA安全的公钥加密方案,可以基于一个安全的私钥加密方案,其中私钥加密的密钥由RO得到,通过TDP传递生成密钥所用的随机量;\n - 构造:\n - $\\mathsf{Gen}$: $pk = I$, $sk = \\mathsf{td}$.\n - $\\mathsf{Enc}$: $r \\gets \\{0,1\\}^*$, 输出 $\\langle c_1= f_I(r), c_2 = \\mathsf{H}(r)\\oplus m\\rangle$.\n - $\\mathsf{Dec}$: $r := f^{-1}_{\\mathsf{td}}(c_1)$, 输出 $\\mathsf{H}(r)\\oplus c_2$.\n - 定理:如果 $f$ 是 TDP, 并且 $H$ 是 RO,则构造是 CPA 安全的。\n - 解释:私钥加密方案只需要是窃听下安全,因为每次加密都是概率性的,每次私钥加密密钥都是重新生成的。该方案不是CCA安全的,因为篡改密文可以直接影响明文。\n - 用RO的必要性:由于$r$的部分信息可能通过TPD泄漏,如果以一个PRG来替换掉RO,则由于种子的部分信息已知,PRG的输出也不在是伪随机的,加密方案也不再安全。\n \n28. 基于私钥加密的CCA安全\n\n - 思路:PubK CCA = PrivK CCA + (Secret Key = TPD + RO)\n - 实现CCA安全的公钥加密方案,可以基于一个CCA安全的私钥加密方案,其中私钥加密密钥由RO得到,通过TDP传递生成密钥所用的随机量;\n - 构造:\n - $\\Pi'$ 是一个安全私钥加密方案。\n - $\\mathsf{Gen}$: $pk = I$, $sk = \\mathsf{td}$.\n - $\\mathsf{Enc}$: $k := H(r), r \\gets D_I$, 输出 $\\langle c_1= f_I(r), c_2 = \\mathsf{Enc}'_k(m)\\rangle$.\n - $\\mathsf{Dec}$: $r := f^{-1}_{\\mathsf{td}}(c_1)$, $k:=H(r)$, 输出 $\\mathsf{Dec}'_k(c_2)$.\n - 定理:如果 $f$ 是 TDP,$\\Pi'$ 是 CCA 安全的,并且 $H$ 是 RO,那么构造是 CCA 安全的。\n - 解释:公钥加密方案的CCA安全性来自私钥加密方案的CCA安全性。\n\n29. 在ROM中基于TPD的CCA安全\n\n - 思路:PubK CCA = TDP + 2 RO (一个用于加密,一个用于MAC)\n - 实现CCA安全的公钥加密方案,可以通过RO来构造一个CPA安全的公钥加密方案,以明文和密文一起作为输入来生成MAC标签。\n - 构造:\n - $\\mathsf{Gen}$: $pk = I$, $sk = \\mathsf{td}$\n - $\\mathsf{Enc}$: $r \\gets D_I$,输出 $\\langle c_1=f_I(r), c_2 = H(r)\\oplus m, c_3=G(c_2\\|m)\\rangle$\n - $\\mathsf{Dec}$: $r := f^{-1}_{\\mathsf{td}}(c_1)$, $m := H(r)\\oplus c_2$。如果 $G(c_2\\|m) = c_3$ 输出 $m$,否则 $\\perp$。\n - 定理:如果 $f$ 是 TDP,$G,H$ 是 RO,那么构造是 CCA 安全的。\n - 解释:其CCA安全性在于对密文的任何篡改,都无法通过MAC验证。\n\n30. 私钥加密 vs. 公钥加密\n\n | | 私钥加密 | 公钥加密 |\n | ----------- | :------: | :------: |\n | 密钥 | 双方 | 接收者 |\n | 最弱攻击 | 窃听者 | CPA |\n | 概率性 | CPA/CCA | 一直 |\n | 对CPA的假设 | OWF | TDP |\n | 对CCA的假设 | OWF | TDP+RO |\n | 效率 | 快 | 慢 |\n\n \n\n\n\n" }, { "path": "notes-Chinese/8.2 RSA问题与加密.md", "content": "# 8.2 RSA问题与加密\n\n1. 本节学习第一个也是目前应用最广泛的公钥加密方案RSA。\n\n2. 目录:RSA问题,针对“书本上RSA”加密的攻击,实践中的RSA加密。\n\n3. RSA概览\n \n - RSA: Ron Rivest, Adi Shamir and Leonard Adleman, 三位作者于1977年发表RSA加密方案。\n - RSA问题: 给定 $N = pq$ (两个不同的大质数的乘积) 并且 $y \\in \\mathbb{Z}^*_N$,计算 $y^{-e}$,即$y$模$N$下的$e$次方根。\n - 开放问题:RSA问题比分解 $N$ 更容易吗?\n - RSA相关标准: PKCS\\#1 (RFC3447/8017), ANSI X9.31, IEEE 1363\n - 密钥长度:1,024 到 4,096 比特\n - 已知最强的公开密码学分析:768比特密钥已经被破解 \n - RSA挑战赛:破解 RSA-2048 来赢得 \\$200,000 USD\n - 密钥长度比较 :3072比特RSA密钥安全强度相当于128比特对称密钥\n \n4. 书本上的RSA\n\n - 构造:\n - $\\mathsf{Gen}$: 输入 $1^n$ 运行 $\\mathsf{GenRSA}(1^n)$ 产生 $N,e,d$。 $pk = \\langle N,e \\rangle$ 和 $sk = \\langle N,d \\rangle$。\n - $\\mathsf{Enc}$: 输入 $pk$ 和 $m \\in \\mathbb{Z}^*_N$,获得密文 $c:= [m^e \\bmod N]$.\n - $\\mathsf{Dec}$: 输入 $sk$ 和 $m \\in \\mathbb{Z}^*_N$,获得明文 $m:= [c^d \\bmod N]$.\n - 不安全性:由于“书本上的RSA”是确定性的,在我们已经提出的任何安全定义下都是不安全的。\n - 下面学习问题:如何产生 $N,e,d$? 什么是 $\\mathbb{Z}^*_N$? 如何计算 $m^e \\bmod N$? 这个难题是TDP? 为什么很难?\n - 参考教材:《A Computational Introduction to Number Theory and Algebra》(Version 2) Victor Shoup。\n\n5. 质数与模算术\n\n - 整数集合 $\\mathbb{Z}$, $a,b,c \\in \\mathbb{Z}$。\n - $a$ 整除 $b$: $a \\mid b$ 如果 $\\exists c, ac=b$ (否则 $a \\nmid b$). $b$ 是 $a$ 的倍数。如果 $a \\notin \\{1,b\\}$,那么 $a$ 是 $b$ 的因子。 \n - $p > 1$ 是质数(素数),如果其没有因子;否则,是合数。\n - $\\forall a,b$, $\\exists$ 商 $q$, 余数 $r$: $a=qb+r$, 且 $0\\le r < b$。\n - 最大公因子 $\\gcd(a,b)$ 是最大的整数 $c$ 使得 $c\\mid a$ 且 $c\\mid b$。 $\\gcd(0,b)=b$, $\\gcd(0,0)$未定义。\n - $a$ 和 $b$ 是互质,如果 $\\gcd(a,b)=1$。\n - 余数 $r= [a\\bmod N] = a - b\\lfloor a/b\\rfloor $ 并且 $r1$, 一个随机选择的 $n$ 比特数为质数的概率至少 $c/n$。\n - 对于问题2,如果 $N$ 是质数,那么Miller-Rabin质性测试始终输出质数。如果 $N$ 是合数,那么算法输出质数的概率至多 $2^{-t}$。\n\n15. 产生RSA问题\n\n - 令 $\\mathsf{GenModulus}(1^n)$ 为一个概率多项式时间算法,输入 $1^n$, 输出 $(N,p,q)$ ,其中 $N=pq$, 并且 $p,q$ 是 $n$ 比特质数,除了有可忽略的概率失败。\n - 产生RSA问题算法简述:\n 1. 由$\\mathsf{GenModulus}(1^n)$ 产生 $(N,p,q)$ ;\n 2. 计算$\\phi(N) := (p-1)(q-1)$;\n 3. 寻找一个$e$,使得$\\gcd(e,\\phi(N))=1$;\n 4. 计算$d := [e^{-1} \\bmod \\phi(N)]$;\n 5. 返回 $N,e,d$\n\n16. RSA假设\n\n - RSA实验 $\\mathsf{RSAinv}_{\\mathcal{A},\\mathsf{GenRSA}}(n)$:\n 1. 运行 $\\mathsf{GenRSA}(1^n)$ 来产生 $(N,e,d)$。\n 2. 选择 $y \\gets \\mathbb{Z}^*_N$。\n 3. 敌手 $\\mathcal{A}$ 给定 $N,e,y$, 并输出 $x \\in \\mathbb{Z}^*_N$.\n 4. $\\mathsf{RSAinv}_{\\mathcal{A},\\mathsf{GenRSA}}(n)=1$ ,实验成功,如果 $x^e \\equiv y \\pmod N$,否则实验失败 0 。\n - 定义:RSA问题相对于$\\mathsf{GenRSA}$是难的,如果 $\\forall$ PPT算法 $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ 使得,$ \\Pr[\\mathsf{RSAinv}_{\\mathcal{A},\\mathsf{GenRSA}}(n) = 1] \\le \\mathsf{negl}(n). $\n\n17. 构造陷门排列\n\n - 用 $\\mathsf{GenRSA}$ 来定义一个排列族:\n - $\\mathsf{Gen}$: 输入 $1^n$, 运行 $\\mathsf{GenRSA}(1^n)$ 来产生 $(N,e,d)$ 并且 $I=\\langle N,e \\rangle, \\mathsf{td}=d$, 令 $\\mathcal{D}_I = \\mathcal{D}_{\\mathsf{td}} = \\mathbb{Z}^*_N$.\n - $\\mathsf{Samp}$: 输入 $I$, 挑选一个随机元素 $x$ of $\\mathbb{Z}^*_N$.\n - $f_{I}(x) = [ x^e \\bmod N]$.\n - 确定性求逆算法 $\\mathsf{Inv}_{\\mathsf{td}}(y) = [ y^d \\bmod N]$.\n - 将RSA问题规约到陷门排列求逆问题。\n\n18. 回顾“书本上的RSA”\n\n - 略\n\n19. 攻击带有小$e$的“书本上的RSA”\n\n - 小 $e$ 和 小 $m$ 令模算术失去作用,不再是难题。\n - 如果 $e=3$ 并且 $m < N^{1/3}$,那么 $c = m^3$ 并且 $m=$ ?\n - 在混合加密中,1024比特 RSA 与 128比特 AES。\n - 当小$e$ 被使用时通用攻击:\n - $e=3$, 同一个消息 $m$ 被发送给 3 个不同的接收者。\n - $c_1= [ m^3 \\bmod N_1]$, $c_2= [ m^3 \\bmod N_2]$, $c_3= [ m^3 \\bmod N_3]$.\n - $N_1,N_2,N_3$ 互质, 并且 $N^*=N_1N_2N_3$,使用中国剩余定理可知,$\\exists$ 唯一的 $\\hat{c} < N^*$:\n - $\\hat{c} \\equiv c_1 \\pmod{N_1}$, $\\hat{c} \\equiv c_2 \\pmod{N_2}$, $\\hat{c} \\equiv c_3 \\pmod{N_3}$.\n - $\\hat{c} \\equiv m^3 \\pmod{N^*}$. 由于 $m^3 < N^*$, $m = \\hat{c}^{1/3}$.\n\n20. 对恢复明文的二次改进\n\n - 如果 $1 \\le m < \\mathcal{L} = 2^{\\ell}$, 存在一个算法可以在 $\\sqrt{\\mathcal{L}}$ 时间恢复 $m$ 。\n - 思路:$ c \\equiv m^e = (r\\cdot s)^e = r^e\\cdot s^e \\pmod N $\n - 算法:\n - 输入:公钥 $\\langle N,e \\rangle$; 密文 $c$; 参数 $\\ell$\n - 输出:$m < 2^{\\ell}$ 使得 $m^e \\equiv c \\pmod N$\n - $T := 2^{\\alpha \\ell}$ //$\\frac{1}{2} < \\text{constant}\\; \\alpha <1$\n - For{$r=1$ to $T$} {$x_r := [c/r^e \\bmod N]$}\n - sort pairs $\\{ (r,x_r)\\}^T_{r=1}$ by $x_r$ \n - For $s=1$ to $T$\n - If $[s^e \\bmod N] \\overset{?}{=} x_r$ for some $r$\n - Return $[r\\cdot s \\bmod N]$\n - Return fail\n\n21. 共模攻击\n\n - 共模攻击使用相同的模数 $N$.\n - 情况1:多个用户带有自己的密钥。每个用户可以以自己的 $e,d$ 计算 $\\phi(N)$ ,然后找到其他人的 $d$.\n - 情况2:用两个公钥为同一个消息加密。\n - 假设 $\\gcd(e_1,e_2)=1$, $c_1 \\equiv m^{e_1}$ and $c_2 \\equiv m^{e_2} \\pmod N$. $\\exists X,Y$ 使得 $Xe_1 + Ye_2 = 1$ (贝祖定理).\n - $ c_1^X\\cdot c_2^Y \\equiv m^{Xe_1}m^{Ye_2} \\equiv m^1 \\pmod N. $\n - $N = 15, e_{1} = 3, e_{2} = 5, c_{1} = 8, c_{2} = 2, m = ?$ \n\n22. 对“书本上RSA”的CCA\n\n - 使用CCA恢复消息:敌手 $\\mathcal{A}$ 选择一个随机数 $r \\gets \\mathbb{Z}^*_N$ 并计算 $c' = [r^e\\cdot c \\bmod N]$,使用CCA获得 $m'$ 。那么,$m= ?$\n - 在拍卖中讲价格翻倍:$c = [m^e \\bmod N]$. $c'= [2^ec \\bmod N]$.\n\n23. RSA实现问题\n\n - 将二进制串编码为 $\\mathbb{Z}^*_N$ 中元素: $\\ell = \\|N\\|$。任意长度为$\\ell - 1$ 的二进制串 $m$ 可以被看作是 $Z_N$ 中元素。尽管 $m$ 不在 $Z_N^*$ 中,RSA 仍工作。\n - $e$ 的选择:$e=3$ 或小 $d$ 都是坏选择。 推荐 $e=65537=2^{16}+1$\n - 使用中国剩余定理来加速解密:$ [c^d \\bmod N] \\leftrightarrow ([c^d \\bmod p],[c^d \\bmod q]). $\n - 假设一个 $n$ 比特整数指数预算需要 $n^3$ 操作。RSA 解密花费 $(2n)^3=8n^3$,其中使用中国剩余定理需要 $2n^3$。\n\n24. Padded RSA\n\n - 思路:添加随机性来改进安全\n - 构造:\n - 令 $\\ell$ 为一个函数,对所有 $n$, $\\ell(n) \\le 2n-2$,为被加密的消息长度。\n - $\\mathsf{Gen}$: 输入 $1^n$, 运行 $\\mathsf{GenRSA}(1^n)$ 来产生 $(N,e,d)$. 输出 $pk = \\langle N,e \\rangle$ 和 $sk = \\langle N,d \\rangle$。\n - $\\mathsf{Enc}$: 输入 $m \\in \\{0,1\\}^{\\ell(n)}$, 选择随机串 $r \\gets \\{0,1\\}^{\\|N\\| - \\ell(n)-1}$. 输出 $c:=[(r\\|m)^e \\bmod N]$。*注:填充随机串后加密*\n - $\\mathsf{Dec}$: 计算 $\\hat{m} := [c^d \\bmod N]$, 并输出 $\\hat{m}$ 中的低$\\ell(n)$个比特。*注:这部分为明文*\n - $\\ell$ 不应该太大 (理论上的 $r$ 太小) 也不应该太小 (实践中的 $m$ 太小)。\n - 定理:如果RSA问题相对于$\\mathsf{GenRSA}$ 是难的,那么基于 $\\ell(n)=\\mathcal{O}(\\log n)$ 的构造是CPA安全的。\n - 证明:与对称加密中CPA安全方案类似。\n\n25. 对RSA的实现攻击\n\n - 对HTTPS中PKCS1 v1.5的简化的CCA攻击 [Bleichenbacher]\n - 服务器对给定的密文来应答明文的最高有效位是否等于1 (版本号) 。攻击者发送 $c' = (2^{r})^{e}\\cdot c$。如果收到 $Yes$,那么明文中第$(r+1)$最高有效位= ?\n - 防御:处理格式不正确的消息和格式正确的消息的方式应该是不可区分的。[RFC 5246]\n\n26. PKCS #1 v2.1 (RSAES-OAEP)\n\n - 最优非对称加密填充(Optimal Asymmetric Encryption Padding,OAEP): 将长度 $n/2$ 的 $m$ 编码为长度 $2n$ 的消息 $\\hat{m}$ 。 $G, H$ 是随机预言机。\n - RSA-OAEP在ROM下是CCA安全的。(当RO实例化后可能不安全)\n - CPA攻击下,敌手不知道$r$,则$m$被完美保护;若要知道 $r$,则必须知道$s$,这不可能。\n - CCA攻击下,无法有效进行解密查询,因为在应答前会检查明文中“00...0”。\n - 局限性:这个方案对RSA是安全的,但对其他TDP可能不是。\n\n27. OAEP改进\n\n - OAEP+对所有TDP都是CCA安全的\n - SAEP+更简单填充,同样安全\n\n28. 对RSA的实现攻击(续)\n\n - 计时攻击:[Kocher et al. 1997] 计算 $c^d$ 所消耗的时间可能泄漏 $d$。 (需要高解析时钟)\n - 能耗攻击:[Kocher et al. 1999] 为计算$c^d$ 智能卡消耗的能量可能泄漏$d$。\n - 防御:将密文和随机数 $r$ 绑定,解密 $r^{e}\\cdot c$。\n - 密钥生成问题:(在 OpenSSL RSA 密钥生成过程中):\n - 相同的 $p$ 由多个设备产生 (源自启动时的低熵),但是不同的 $q$ (源自额外的随机性).\n - 问题: 不同设备的 $N_1,N_2$ , $\\gcd(N_1,N_2) = ?$\n - 实验结果: 可分解 0.4% 的公开的HTTPS密钥。\n\n29. 对RSA的故障攻击\n\n - 故障攻击:在解密过程中 $c^d\\bmod N$ 发生的计算机故障可能泄漏 $d$ 。\n\n - 之前提到过使用中国剩余定理来加速解密:\n\n $ [c^d \\bmod N] \\leftrightarrow ([m_p \\equiv c^d \\pmod p],[m_q \\equiv c^d \\pmod q])$\n\n - 假设在计算 $m_q$ 时发生错误,但在计算 $m_p$ 时没有错误。\n - $m' \\equiv c^d \\pmod p$, $m' \\not \\equiv c^d \\pmod q$。\n - $(m')^e \\equiv c \\pmod p$, $(m')^e \\not \\equiv c \\pmod q$\n - $\\gcd((m')^e-c, N)=\\ ? $\n - 防御:检查输出 (但减慢 10% )。\n\n30. 总结\n\n - RSA问题是TPD,但书本上RSA加密不安全,RSA-OAEP在ROM下是CCA安全的。\t\n\n\n\n\n\n" }, { "path": "notes-Chinese/8.3 DH问题与加密.md", "content": "# 8.3 DH问题与加密\n\n1. 本节学习基于循环群上离散对数问题的DH问题及Elgamal加密方案。\n\n2. 目录:循环群与离散对数,DH假设和应用,Elgamal加密方案。\n\n3. 循环群(Cyclic Groups)与生成元(Generators)\n\n - $\\mathbb{G}$ 是一个群并且一个元素 $g \\in \\mathbb{G}$通过运算生成一个子群 $ \\langle g \\rangle \\overset{\\text{def}}{=} \\{ g^0,g^1,\\dotsc,\\} = \\{ g^0,g^1,\\dotsc, g^{i-1}\\}$。\n - $g$ 的阶是最小的正整数 $i$ 令 $g^i=1$。\n - $\\mathbb{G}$ 是一个循环群(cyclic group)如果 $\\exists\\;g$ 有阶 $m = |\\mathbb{G}|$. $\\langle g \\rangle = \\mathbb{G}$, $g$ 是 $\\mathbb{G}$ 的生成元。注:循环群中存在一个元素通过指数运算可生成整个群中每个元素。\n - 例题: 乘法下的$\\mathbb{Z}_6^*$, $\\mathbb{Z}_7^*$,或 $\\mathbb{Z}_8^*$ 是循环群吗? 找到生成元。\n\n4. 离散对数\n\n - 如果 $\\mathbb{G}$ 是阶为 $q$ 的循环群,那么 $\\exists$ 生成元 $g \\in \\mathbb{G}$ 使得 $\\{ g^0,g^1,\\dotsc,g^{q-1}\\} = \\mathbb{G}$。\n - $\\forall h \\in \\mathbb{G}$, $\\exists$ 唯一的 $x \\in \\mathbb{Z}_q$ 使得 $g^x = h$。\n - $x= \\log_gh$ 是以$g$为底$h$的离散对数(discrete logarithm)。\n - 如果 $g^{x'}=h$, 那么 $\\log_gh = [x' \\bmod q]$。\n - $\\log_g1=0$ 并且 $\\log_g(h_1\\cdot h_2) = [(\\log_gh_1+\\log_gh_2) \\bmod q]$。\n\n5. 离散对数算法概览\n\n - 给定一个生成元 $g \\in \\mathbb{G}$ 并且 $y \\in \\langle g \\rangle$,求 $x$ 使得 $g^x=y$.\n - 蛮力: $\\mathcal{O}(q)$, $q = \\mathsf{ord}(g)$ 是 $\\langle g\\rangle$ 的阶。\n - Baby-step/giant-step [Shanks]: $\\mathcal{O}(\\sqrt{q}\\cdot \\mathsf{polylog}(q))$.\n - Pohlig-Hellman算法:当 $q$ 有较小因子。\n - Index calculus 法: $\\mathcal{O}(\\exp{(\\sqrt{n\\cdot \\log n})})$.\n - 已知最好的算法是通用数域筛法:$\\mathcal{O}(\\exp(n^{1/3}\\cdot(\\log n)^{2/3}))$.\n - 椭圆曲线群 vs. $\\mathbb{Z}_p^*$: 在保证安全性相同的同时,更高效。(1024-bit $\\mathbb{Z}_p^*$ 和 132-bit 椭圆曲线都需要 $2^{66}$ 步来破解。)\n\n6. 使用质数阶群\n\n - 定理:如果 $\\mathbb{G}$ 是质数阶,那么 $\\mathbb{G}$ 是循环群。除单位元外,所有 $g \\in \\mathbb{G}$ 是生成元。\n - 根据拉格朗日定理,任意元素的阶都等于群的阶。\n - **拉格朗日定理**:子群阶可以整除群阶。$\\langle g \\rangle$ 是 $\\mathbb{G}$ 子群,并且 $|\\langle g \\rangle| \\mid |\\mathbb{G}|$。\n - 思路:由一个子群可以派生覆盖了整个群的若干子集,这些子集的阶与子群相同,并且这些子集彼此不相交。\n - 设群$\\mathbb{G}$的子群$H$,陪集(coset)$gH$($g$和$H$中每个元素$h$运算构成的集合)和子群$H$的阶相同。\n - 子群的任意两个陪集$g_1H$和$g_2H$。\n - 或者相同,如果$g_1^{-1}g_2 \\in H$。$g_1(g_1^{-1}g_2 )h \\in g_1H$,$g_2h \\in g_1H$。\n - 或者没有交集,如果$g_1^{-1}g_2 \\notin H$。采用反证法,如果有交集,则$g_1h_1 = g_2h_2$,$g_1^{-1}g_2 = h_1h_2^{-1} \\in H$,矛盾。\n - 因此,群可以划分为任意子群的若干不相交陪集,每个陪集阶相同,群的阶就是子群的整数倍。\n - 推荐参考:https://brilliant.org/wiki/lagranges-theorem/\n - 离散对数问题在质数阶群上是最难的。 \n - 在质数阶群上找一个生成元很简单。\n - 任何非零指数在以质数阶为模下都可逆。\n - DDH问题是难题的必要条件是 $\\mathsf{DH}_g(h_1,h_2)$ 与群中随机元素之间是不可区分的。在质数阶群上这基本成立。\n\n7. 产生质数阶(子)群\n\n - 如果 $p$ 是质数,那么 $\\mathbb{Z}^*_p$ 是乘法群。\n - $y \\in \\mathbb{Z}^*_p$ 是模$p$下的二次剩余(quadratic residue modulo),如果 $\\exists x \\in \\mathbb{Z}^*_p$ 使得 $x^2 \\equiv y \\pmod p$\n - 例题:$\\mathbb{Z}_{7}^{*}$ 下的二次剩余?\n - QR集合是一个子群(满足群条件),阶为 $(p-1)/2$,因为 $x^2 \\equiv (p-x)^2 \\pmod p$。\n - $p$ 是一个强质数(strong prime),如果 $p=2q+1$ 且 $q$ 是质数。\n - 强质数下的二次剩余子群是一个循环群,因为群的阶是质数。\n - 循环群生成算法:产生一个强质数$p$,阶为$q=(p-1)/2$,随机选择一个$x \\in \\mathbb{Z}^*_p$,得到生成元$g=x^2$,输出$p, q, g$。\n\n8. 离散对数假设\n\n - 离散对数(discrete logarithm)实验 $\\mathsf{DLog}_{\\mathcal{A},\\mathcal{G}}(n)$:\n - 运行一个群生成算法 $\\mathcal{G}(1^n)$ 来产生 $(\\mathbb{G},q,g)$,其中 $\\mathbb{G}$ 是阶为 $q$ ( $\\|q\\|=n$) 的循环群,并且 $g$ 是 $\\mathbb{G}$ 的生成元。\n - 挑选一个 $h \\gets \\mathbb{G}$. ($x' \\gets \\mathbb{Z}_q$ and $h := g^{x'}$)\n - 敌手 $\\mathcal{A}$ 给定 $\\mathbb{G}, q, g, h$,并且输出 $x \\in \\mathbb{Z}_q$.\n - 实验成功 $\\mathsf{DLog}_{\\mathcal{A},\\mathcal{G}}(n) = 1$,如果 $g^x = h$, 否则 0 。\n - 定义:离散对数问题相对于群$\\mathcal{G}$是难的,如果 $\\forall$ ppt 算法 $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ 使得 $ \\Pr[\\mathsf{DLog}_{\\mathcal{A},\\mathcal{G}}(n)=1] \\le \\mathsf{negl}(n).$\n\n9. DH假设\n\n - 计算性DH(Computational Diffie-Hellman, CDH)问题:$ \\mathsf{DH}_g(h_1,h_2) \\overset{\\text{def}}{=} g^{\\log_gh_1\\cdot \\log_gh_2} $\n - 判断性DH(Decisional Diffie-Hellman, DDH))问题:区分 $\\mathsf{DH}_g(h_1,h_2)$ 与一个随机的群元素 $h'$.\n - 定义:DDH问题与$\\mathcal{G}$相关的是难的,如果 $\\forall$ ppt $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ 使得 $ |\\Pr[\\mathcal{A}(\\mathbb{G},q,g,g^x,g^y,g^z)=1] - \\Pr[\\mathcal{A}(\\mathbb{G},q,g,g^x,g^y,g^{xy})=1]|\\le \\mathsf{negl}(n). $\n - DL, CDH 和 DDH 的难解性:DDH 比 CDH 和 DL 容易。\n\n10. 安全密钥交换实验\n\n - 密钥交换实验(key-exchange experiment) $\\mathsf{KE}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)$:\n\n 1. 双方持有安全参数 $1^n$ 执行协议 $\\Pi$。 $\\Pi$ 执行的结果为对话记录 (transcript) $\\mathsf{trans}$ 包含双方发送的所有消息,以及各方都输出的密钥 $k$ 。\n 2. 选择一个随机比特 $b \\gets \\{0,1\\}$ 。 如果 $b=0$ 那么选择 $\\hat{k} \\gets \\{0,1\\}^n$ u.a.r;如果 $b=1$ 那么令 $\\hat{k} :=k$。\n 3. 敌手 $\\mathcal{A}$ 给定 $\\mathsf{trans}$ 和 $\\hat{k}$, 并且输出一个比特 $b'$。\n 4. $\\mathsf{KE}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)=1$ 如果 $b'=b$, 否则 0 。\n\n - 定义:一个密钥交换协议 $\\Pi$ 在出现窃听者攻击下是安全的,如果 $\\forall$ ppt $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ 使得\n\n $ \\Pr[\\mathsf{KE}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n) = 1] < \\frac{1}{2} + \\mathsf{negl}(n). $\n\n11. DH密钥交换协议\n\n - $\\widehat{\\mathsf{KE}}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}$ 表示一个实验,其中如果 $b=0$ ,敌手被给予 $\\hat{k} \\gets \\mathbb{G}$。\n - 定理:如果DDH问题与$\\mathcal{G}$相关是难的,那么DH 密钥交换协议 $\\Pi$ 在出现窃听者时是安全的 (对应改动的实验 $\\widehat{\\mathsf{KE}}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}$)。 \n - 不安全性:在主动的敌手,中间人,攻击下是不安全的 (Man-In-The-Middle)。敌手在中间与双方分别通信,通信双方无法发现在与敌手通信,敌手可以与双方分别协商出密钥。\n\n12. 证明\n\n - $\\Pr \\left[ \\widehat{\\mathsf{KE}}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi} =1\\right] $ $= \\frac{1}{2}\\cdot \\Pr\\left[ \\widehat{\\mathsf{KE}}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi} =1 | b=1\\right] + \\frac{1}{2}\\cdot \\Pr\\left[ \\widehat{\\mathsf{KE}}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi} =1 | b=0\\right] $\n - 如果 $b=1$, 那么给真密钥;否则给随机的 $g^z$.\n - $= \\frac{1}{2}\\cdot \\Pr\\left[ \\mathcal{A}(g^x,g^y,g^{xy})=1 \\right] + \\frac{1}{2}\\cdot \\Pr\\left[ \\mathcal{A}(g^x,g^y,g^z)=0 \\right] $\n - $= \\frac{1}{2}\\cdot \\Pr\\left[ \\mathcal{A}(g^x,g^y,g^{xy})=1 \\right] + \\frac{1}{2}\\cdot (1-\\Pr\\left[ \\mathcal{A}(g^x,g^y,g^z)=1 \\right]) $\n - $= \\frac{1}{2} + \\frac{1}{2}\\cdot \\left( \\Pr\\left[ \\mathcal{A}(g^x,g^y,g^{xy})=1 \\right] - \\Pr\\left[ \\mathcal{A}(g^x,g^y,g^z)=1 \\right] \\right) $\n - $ \\le \\frac{1}{2} + \\frac{1}{2}\\cdot \\mathsf{negl}(n) %\\left| \\Pr\\left[ \\mathcal{A}(g^x,g^y,g^{xy})=1 \\right] - \\Pr\\left[ \\mathcal{A}(g^x,g^y,g^z)=1 \\right] \\right| $\n\n13. DHKE例子\n\n - $\\mathbb{G} = \\mathbb{Z}^*_{11}$ ;二次剩余循环群的阶 $q = ?$\n - 二次剩余子群 ?\n - $g = 3$ 是生成元吗?\n - 如果 $x = 3$ 且 $y = 4$,Bob发给Alice消息是?\n - Alice 如何计算密钥?\n - Bob 如何计算密钥? \n\n14. 三方密钥交换\n\n - DH基于的KE在2轮实现三方密钥交换,Key$=g^{abc}$。\n - Joux's KE 在 1 轮实现三方密钥交换。在 bilinear map中,Key$=e(P,P)^{abc}$ 。\n - 开放问题:如何在一轮中在4方之间交换密钥?\n\n15. 完美保密私钥加密引理\n\n - 引理:$\\mathbb{G}$ 是有限群并且 $m\\in \\mathbb{G}$ 是任意元素。那么选择随机 $k \\gets \\mathbb{G}$ 并令 $c := m\\cdot k$ ,将得到与随机选择的 $c \\gets \\mathbb{G}$ 相同的分布,即 $\\forall g \\in \\mathbb{G}$: $ \\Pr[m\\cdot k = g] = 1/|\\mathbb{G}| $。\n - 证明:$g \\in \\mathbb{G}$ 是任意的,那么 $\\Pr[m\\cdot k = g] = \\Pr[k = m^{-1}\\cdot g] $。由于 $k$ 均匀随机选择,选择 $k$ 的概率与一个固定元素 $m^{-1}\\cdot g$ 相同,都是 $1/|\\mathbb{G}$|。\n - 注:这是一种完美保密的私钥加密方案,将一个元素(明文)与另一个元素(密钥)的运算得到第三个元素(密文),与之前一个字母的移位密码是完美保密是类似的。\n\n16. Elgamal加密方案\n\n - 一个算法 $\\mathcal{G}$, 输入 $1^n$, 输出一个循环群 $\\mathbb{G}$, 其阶为 $q$ ($\\|q\\| = n$), 并且生成元为 $g$。\n - 构造:\n - $\\mathsf{Gen}$: 运行 $\\mathcal{G}(1^n)$ 来产生 $(\\mathbb{G},q,g)$。一个随机的 $x \\gets \\mathbb{Z}_q$ 和 $h := g^x$。 $pk = \\langle \\mathbb{G},q,g,h \\rangle$ 并且 $sk = \\langle \\mathbb{G},q,g,x \\rangle$。\n - $\\mathsf{Enc}$: 一个随机 $y \\gets \\mathbb{Z}_q$ 并且输入 $\\langle c_1, c_2 \\rangle = \\langle g^y, h^y\\cdot m\\rangle$。\n - $\\mathsf{Dec}$: $m:=c_2/c_1^x$。\n - 定理:如果DDH问题与$\\mathcal{G}$相关是难的,那么Elgamal加密方案是CPA安全。\n\n17. Elgamal加密例子\n\n - 加密前首先对明文进行二进制串编码:\n - 在模一个强质数 $p = (2q+1)$ 的二次剩余子群中,\n - 一个串 $\\hat{m} \\in \\{0,1\\}^{n-1}$, $n = \\|q\\|$。\n - 将 $\\hat{m}$ 映射到被加密的明文 $m = [(\\hat{m}+1)^2 \\bmod p]$。\n - 这里的加1是为了保证在消息为“0”时,明文也在这个乘法群里\n - 映射是一对一且可逆的。\n - 例子,略。\n\n18. 证明\n\n - 思路:通过将DDH问题的算法$D$规约到窃听者算法$\\mathcal{A}$来证明 $\\Pi$ 在窃听者出现时是安全的。\n - 将 $\\Pi$ 改造为 $\\tilde{\\Pi}$: 加密是通过随机选择的 $y \\gets \\mathbb{Z}_q$ 和 $z \\gets \\mathbb{Z}_q$ 然后输出密文:$ \\langle g^y, g^z\\cdot m\\rangle$。\n - $\\tilde{\\Pi}$ 不是一个加密方案.\n - $g^y$ 独立于 $m$。\n - $g^z\\cdot m$ 是独立于 $m$ 的随机元素 (之前的私钥加密引理)。\n - 实验成功概率与完美保密加密方案中是相同的。 $\\Pr\\left[\\mathsf{PubK}^{\\mathsf{eav}}_{\\mathcal{A},\\tilde{\\Pi}}(n)=1\\right] = \\frac{1}{2}.$\n\n19. 证明(续一)\n\n - 将DDH问题的算法$D$规约到窃听者算法$\\mathcal{A}$。\n\n20. 证明(续二)\n\n - 情况1: $g_3 = g^z$, 密文是 $\\langle g^y, g^z\\cdot m_b\\rangle$.\n\n $ \\Pr[D(g^x,g^y,g^z)=1] = \\Pr\\left[\\mathsf{PubK}^{\\mathsf{eav}}_{\\mathcal{A},\\tilde{\\Pi}}(n)=1\\right] = \\frac{1}{2}. $\n\n - 情况2: $g_3 = g^{xy}$, 密文是 $\\langle g^y, g^{xy}\\cdot m_b\\rangle$.\n\n $ \\Pr[D(g^x,g^y,g^{xy})=1] = \\Pr\\left[\\mathsf{PubK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)=1\\right] = \\varepsilon(n). $\n\n - 由于DDH问题是难的,\n\n $ \\mathsf{negl}(n) \\ge |\\Pr[D(g^x,g^y,g^z)=1] - \\Pr[D(g^x,g^y,g^{xy})=1]| =|\\frac{1}{2}-\\varepsilon(n)|. $\n\n21. Elgamal加密中CCA\n\n - Elgamal不是CCA安全的。\n - 例题:构造明文 $m\\cdot m'$ 的密文。\n - 给定 $pk=\\langle g, h\\rangle$, $c = \\langle c_1, c_2\\rangle$, $c_1=g^y$, $c_2=h^y\\cdot m$,\n - 方法1:计算 $c_2' := c_2\\cdot m'$, 和 $c' = \\langle c_1, c_2'\\rangle$. $ \\frac{c_2'}{c_1^x} = ? $ \n - 方法2:计算 $c_1'' := c_1\\cdot g^{y''}$, 和 $c_2'' := c_2\\cdot h^{y''}\\cdot m'$。\n - $ c_1''=g^y\\cdot g^{y''} = g^{y+y''}\\;\\text{and}\\; c_2''= ? $ \n - 所以 $c''=\\langle c_1'',c_2''\\rangle$ 是 $m\\cdot m'$ 的密文。\n\n22. Elgamal实现问题\n\n - 共享公开参数:$\\mathcal{G}$ 产生参数 $\\mathbb{G},q,g$。\n - 这些参数可以只产生一次并且为所有人所使用(''once-and-for-all'')。\n - 可以被多个接收者使用。\n - 每个接收者必须选择各自的保密数值 $x$ 并且发布他们自己的公钥包含 $h=g^x$。\n - 参数共享:在 Elgamal 的情况下,公开参数可以被共享。在 RSA 情况下,参数可以被共享吗?\n\n23. 椭圆曲线密码学\n\n - 在椭圆曲线群上构造的离散对数问题\n - 其他密码学上的应用在1985年被提出\n - 类比离散对数,DH密钥交换,ElGamal加密和DSA,在椭圆曲线上有,ECDL,ECDHKE,ElGamal ECC,ECDSA\n - 比自然数域上更有效,密钥长度是所需蛮力搜索指数长度的二倍。\n - 二倍的原因是,离散对数问题的蛮力搜索所需指数长度是群阶指数长度的一半\n\n24. 椭圆曲线群\n\n - 椭圆曲线群是在一个有限域中的一个平面代数曲线上的点之间“加法”操作\n - 在有限域中取模是关键,单位元是无穷远点\n\n25. 在椭圆曲线点上做加法构成循环群\n\n - 每条直线和曲线有三个交点\n - 一条直线与曲线的切点算2次\n - 垂直线上,无穷远点计做一个点\n - 点上的加法\n - 三点成一线,三点之和为无穷远点\n - 密钥生成\n - 私钥是$d$,公钥为$dP$\n\n26. ECDHKE的一个例子\n\n - 计算ECDHKE的密钥,这里枚举了生成元为(3,4)的所有指数结果\n - Alice的密钥为$a = 4$,收到(2,7)\n - Alice密钥计算是从(2,7)开始,向后数3个点(乘4=加3次)\n - Bob密钥计算是从(4,10)开始(因为$a=4$),向后数2个点(因为$b=3$)\n\n27. 实践中的椭圆曲线密码系统\n\n - P256有一定风险,被揭露有NSA的后门;\n - Curve25519更安全高效,其中常数选择有充分的解释;\n\n28. 总结\n\n - DHKE,ElGamal加密来自于CDH,DDH问题,后者来自于在指数阶群上的离散对数问题\n - 椭圆曲线密码学更有效并且被广泛使用\n\n\n\n" }, { "path": "notes-Chinese/9 数字签名.md", "content": "# 9 数字签名\n\n1. 本节学习公钥密码学中用于保护信息完整性和真实性的数字签名。\n\n2. 目录:数字签名定义、RSA签名、来自离散对数问题的数字签名、一次签名方案、证书与公钥基础设施。\n\n3. 数字签名概览\n \n - 数字签名(Digital signature)是一个数学方案用来证明一个数字消息的真实性/完整性。\n - 数字签名允许一个签名者(Signer)$S$ 用其自己的私钥来“签名”(sign)一个消息,并且任何知道 $S$ 的公钥的人可以验证(verify)其真实性/完整性。\n - 与MAC相比,数字签名是:\n - 公开可验证的(publicily verifiable);\n - 可转移的(transferable);\n - 不可抵赖(non-repudiation);\n - 但速度慢。\n - 问题:数字签名和手写签名的区别是什么?\n - 数字签名**不是**公钥加密的逆。\n \n4. 数字签名方案词法\n\n - 签名 $\\sigma$, 比特 $b$ 表示有效( $\\mathsf{valid}$)如果 $b=1$; 无效($\\mathsf{invalid}$)如果 $b=0$。\n - 密钥生成算法(Key-generation):$(pk,sk) \\gets \\mathsf{Gen}(1^n), |pk|,|sk| \\ge n$。\n - 签名(Signing)算法:$\\sigma \\gets \\mathsf{Sign}_{sk}(m)$。\n - 验证(Verification)算法:$b:= \\mathsf{Vrfy}_{pk}(m,\\sigma)$。\n - 基本正确性要求: $\\mathsf{Vrfy}_{pk}(m,\\mathsf{Sign}_{sk}(m)) = 1$。\n\n5. 定义签名安全\n\n - 安全数字签名定义与安全MAC类似,敌手难以伪造一个“新消息”的签名。\n - 签名实验 $\\mathsf{Sigforge}_{\\mathcal{A},\\Pi }(n)$:\n 1. 挑战者生成密钥对 $(pk,sk) \\gets \\mathsf{Gen}(1^n)$。\n 2. 敌手 $\\mathcal{A}$ 给予输入 $1^n$ 以及对签名预言机的访问 $\\mathsf{Sign}_{sk}(\\cdot)$,然后输出 $(m,\\sigma)$。 $\\mathcal{Q}$ 是对预言机的查询的集合。\n 3. 实验成功 $\\mathsf{Sigforge}_{\\mathcal{A},\\Pi }(n)=1 \\iff$ $\\mathsf{Vrfy}_{pk}(m,\\sigma)=1$ $\\land$ $m \\notin \\mathcal{Q}$. \n - 一个签名方案 $\\Pi$ 是在适应性选择消息攻击下的存在性不可伪造(existentially unforgeable under an adaptive CMA),如果 $\\forall$ PPT $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ 使得: $ \\Pr [\\mathsf{Sigforge}_{\\mathcal{A},\\Pi }(n)=1] \\le \\mathsf{negl}(n).$\n - 问题:在MAC和数字签名中敌手能力的差别是什么?如果敌手不限制算力为PPT会如何?\n\n6. “书本上RSA”的不安全性\n\n - 构造:\n - $\\mathsf{Gen}$: on input $1^n$ run $\\mathsf{GenRSA}(1^n)$ to obtain $N,e,d$. $pk = \\langle N,e \\rangle$ and $sk = \\langle N,d \\rangle$.\n - $\\mathsf{Sign}$: on input $sk$ and $m \\in \\mathbb{Z}^*_N$, $\\sigma:= [m^d \\bmod N]$.\n - $\\mathsf{Vrfy}$: on input $pk$ and $m \\in \\mathbb{Z}^*_N$, $m \\overset{?}{=} [\\sigma^e \\bmod N]$.\n - 无消息攻击(no-message attack):\n - 选择一个任意 $\\sigma \\in \\mathbb{Z}^*_N$ 并且计算 $m := [\\sigma^e \\bmod N]$。输出伪造签名 $(m,\\sigma)$。\n - 例子:$pk = \\left<15, 3\\right>,\\ \\sigma = 2,\\ m = ?\\ m^{d} = ?$\n - 任意消息攻击(Forging a signature on an arbitrary message):为了伪造 $m$ 的签名,选择一个随机的 $m_1$,令 $m_2 := [m/m_1 \\bmod N]$,查询预言机获得消息 $m_1, m_2$ 的签名 $\\sigma_1, \\sigma_2$ 。\n - 问题:$\\sigma := [\\underline{\\qquad} \\bmod N]$ 是 $m$ 的一个有效签名。\n\n7. 哈希(Hashed)RSA签名\n\n - 思路:用哈希函数来打破消息和签名之间的的强代数关系\n - RSA-FDH 签名方案:随机预言机作为一个全域哈希(Full Domain Hash,FDH)),其定义域大小为 RSA 的模数 $N-1$。(PKCS \\#1 v2.1)\n - 目前实际使用哈希RSA数字签名方案:\n - $\\mathsf{Gen}$: 一个哈希函数 $H : \\{0,1\\}^* \\to \\mathbb{Z}_N^*$ 作为公钥的一部分。\n - $\\mathsf{Sign}$: $\\sigma := [H(m)^d \\bmod N]$.\n - $\\mathsf{Vrfy}$: $\\sigma^e \\overset{?}{=} H(m) \\bmod N$.\n - 如果 $H$ 无法有效求逆,那么无消息攻击和伪造任意消息的签名都是难的。\n - 无消息攻击:敌手无法求逆\n - 任意消息攻击:$\\sigma_2$ 与$\\sigma$没有关系\n - 不安全性:没有已知函数 $H$ 使得哈希RSA签名是安全的。\n\n\n
\n \n
\n\n8. Schnorr签名概览\n\n - Schnorr签名展现了签名,身份识别和零知识证明之间的联系\n - 该方案是Schnorr身份识别协议的非交互版本,而后者是一个对离散对数问题的解的交互式零知识证明\n - 安全:在ROM下和离散对数难题假设下,将Fiat-Shamir变换应用于Schnorr身份识别协议\n - 应用于多重签名,门限签名和盲签名,这些技术被广泛应用于密码学货币\n\n
\n \n
\n\n9. Schnorr身份认证方案\n\n - 证明者公开地证明其知道一个离散对数问题的解,通过一个三轮的西格玛协议\n 1. 证明者持有一个离散对数问题$g^x = y$的私钥部分$x$,生成$k \\gets \\mathbb{Z}_q$; $I := g^k$,并将$I$发送给验证者。\n - *注:这个$k$就是 $\\mathsf{st}$, 后面用来隐藏私钥$x$;*\n 2. 验证者生成 $r \\gets \\mathbb{Z}_q$,并将$r$发送给证明者。\n - *注:随机的$r$不能被预测,并且在$I$之后产生;原因见下面* \n 3. 证明者生成 $s := [rx + k \\mod q]$,并将$s$发送给证明者。\n - *注:用$x$生成应答,并用$k$隐藏$x$;*\n 4. 验证者验证$\\mathcal{V}(pk, r, s) = g^s \\cdot y^{-r} \\overset{?}{=} I$。*注:$g^s \\cdot y^{-r} = g^{rx+k} g^{-rx} = g^k$*\n - 这里$r$不能被预测,且在收到$I$之后被生成。否则,不知道$x$的敌手可以假装知道$x$。方法是随便产生一个$s$,在第一步将$I = g^s \\cdot y^{-r}$发送给验证者,并且用$s$做第3步响应。\n - 问题:为什么一个更简单的协议不安全?\n - 验证者生成一个随机数$r$,并计算$g^r$将其发送给证明者;证明者计算$g^{rx}$并公开结果;验证者通过比较$y^r \\overset{?}{=} g^{rx}$来判断证明者是否知道$x$。这种身份认证方案安全吗?\n - 答案是不安全。这个协议可以用DH密钥交换来理解。Alice向Bob证明她知道$x$的过程,就是在密钥交换完成后,Alice公开密钥$g^{xr}$。\n\n10. Schnorr身份认证方案证明\n\n - 定理:如果离散对数是难的,那么Schnorr身份认证方案是安全的。\n - 思路:如果攻击身份认证方案的敌手可以成功使得 $g^s \\cdot y^{-r} = I$,那么离散对数问题可以被解决。敌手将实验过程“倒带”,在两次实验中使用相同的$I$。\n - 证明:将求$y$的逆的算法 $\\mathcal{A}'$ 规约到攻击Schnorr方案的$\\mathcal{A}$:\n - $\\mathcal{A}'$ 作为验证者并运行 $\\mathcal{A}$ 作为证明者,$\\mathcal{A}'$回答$\\mathcal{A}$的查询。\n - 当 $\\mathcal{A}$ 输出 $I$, $\\mathcal{A}'$ 选择 $r_1 \\in \\mathbb{Z}_q$ 并且发送给 $\\mathcal{A}$,后者以 $s_1$ 应答。\n - 再一次运行 $\\mathcal{A}$ ,将 $r_2 \\in \\mathbb{Z}_q$ 发送给 $\\mathcal{A}$ ,后者其应答 $s_2$。\n - 如果 $g^{s_1} \\cdot h^{-r_1} = I$ 并且 $g^{s_2} \\cdot h^{-r_2} = I$ 并且 $r_1 \\neq r_2$ 那么输出 $x = [ (s_1 - s_2)\\cdot (r_1 - r_2)^{-1} \\mod q]$,否则输出空。\n\n
\n \n
\n\n11. Schnorr签名方案\n\n - 根据Fiat-shamir变换,可以用Schnorr身份认证方案来构造数字签名方案,签名者自己运行身份识别协议\n - $\\mathsf{Gen}$: $(\\mathcal{G}, q, g) \\gets \\mathcal{G}(1^n)$。选择 $x \\in \\mathbb{Z}_q$ 并且令 $y := g^x$。私钥为 $x$ 而公钥为 $(\\mathcal{G}, q, g, y)$。一个函数 $H : \\{0,1\\}^* \\to \\mathbb{Z}_q$。\n - $\\mathsf{Sign}$: 输入 $x$ 和 $m \\in \\{0,1\\}^*$,执行以下操作\n - 计算 $I := g^k$, 其中一个均匀的 $k \\in \\mathbb{Z}_q$;\n - 计算 $r := H(I, m)$;\n - 计算 $s := [ rx + k \\mod q]$;\n - 输出签名 $(r, s)$。\n - $\\mathsf{Vrfy}$: 计算 $I := g^s \\cdot y^{-r}$ 并且输出 $1 \\iff H(I, m) \\overset{?}{=} r$。\n\n12. DSS/DSA(数字签名标准/算法)\n\n - NIST从1994年到2013年颁布的数字签名标准(Digital Signature Standard,DSS) 使用数字签名算法(Digital Signature Algorithm,DSA),该算法是一个ElGamal签名方案的变体。DSS中还包括椭圆曲线数字签名算法(Elliptic Curve Digital Signature Algorithm,ECDSA)和 RSA签名算法。\n - 这两种算法基于相同的算法抽象:基于身份认证方案的签名方案。\n - 构造:\n - $\\mathsf{Gen}$: $(\\mathbb{G},q,g) \\gets \\mathcal{G}$. 两个哈希函数 $H, F : \\{0,1\\}^* \\to \\mathbb{Z}_q$. \n - $x \\gets \\mathbb{Z}_q$ 和 $y:= g^x $.\n - $pk = \\langle \\mathbb{G},q,g,y,H,F\\rangle$. $sk=\\langle \\mathbb{G},q,g,x,H,F\\rangle$.\n - $\\mathsf{Sign}$: $k\\gets \\mathbb{Z}^*_q$ 并且 $r:= F(g^k) $, $s:= (H(m)+xr)\\cdot k^{-1}$. 输出 $(r,s)$.\n - $\\mathsf{Vrfy}$: 输出 $1 \\iff r \\overset{?}{=} F(g^{H(m)\\cdot s^{-1}}y^{r\\cdot s^{-1}}).$\n - DSA中验证的正确性?\n\n13. DSS/DSA安全性\n\n - 不安全性:DSS的安全性依赖于离散对数问题的难解性,尚未有基于离散对数假设的DSS安全性证明。\n - $k$ 的熵、保密和唯一性是安全性的关键。\n - 情况1:如果$k$是可预测的,那么$x$将泄漏,因为$s:= (H(m)+xr)\\cdot k^{-1}$中只有$x$是未知的。\n - 情况2:如果同一个$k$被用于同一私钥下的两个不同签名,那么$k$和$x$都将泄漏。问题:如何做?\n - 该攻击曾在2010年用于对Sony PlayStation (PS3) 提取私钥。\n\n14. 一次签名(OTS)\n\n - 下面学习不基于数论假设,而是基于哈希函数来构造安全的数字签名方案。\n\n - 一次签名(One-Time Signature,OTS): 在一种较弱的攻击场景下,一个秘密只用于一个消息签名。\n\n - 模拟一次签名场景,敌手最多只允许查询一次签名预言机,之后需要给出新消息和签名。\n\n - OTS实验 $\\mathsf{Sigforge}_{\\mathcal{A},\\Pi }^{\\text{1-time}}(n)$:\n\n - $(pk,sk) \\gets \\mathsf{Gen}(1^n)$.\n - $\\mathcal{A}$ 输入 $1^n$ 和对 $\\mathsf{Sign}_{sk}(\\cdot)$的一次查询 $m'$ ,并且输出 $(m,\\sigma)$, $m \\neq m'$。\n - $\\mathsf{Sigforge}_{\\mathcal{A},\\Pi }^{\\text{1-time}}(n)=1 \\iff \\mathsf{Vrfy}_{pk}(m,\\sigma)=1$. \n\n - 一个签名方案 $\\Pi$ 在单个消息攻击下是存在性不可伪造的,如果 $\\forall$ PPT $\\mathcal{A}$,$\\exists$ $\\mathsf{negl}$ 使得:\n\n $ \\Pr [\\mathsf{Sigforge}_{\\mathcal{A},\\Pi }^{\\text{1-time}}(n)=1] \\le \\mathsf{negl}(n).$\n\n15. Lamport的OTS (1979)\n\n - 思路:从单向函数构造OTS;每个比特为一个映射 。\n - 构造:\n - $f$ 是一个OWF。抗碰撞哈希函数也是属于OWF。\n - $\\mathsf{Gen}$: 输入 $1^n$,对于 $i \\in \\{1,\\dotsc, \\ell\\}$:\n - 选择随机的两个函数输入 $x_{i,0}, x_{i,1} \\gets \\{0,1\\}^n$;\n - 计算 $y_{i,0} := f(x_{i,0})$ 和 $y_{i,1} := f(x_{i,1})$。\n - 构成2个2xn的矩阵,$x_{i,j}$构成的矩阵是私钥,$y_{i,j}$构成的矩阵是公钥。\n - $\\mathsf{Sign}$: $m = m_1\\cdots m_{\\ell}$, 输出 $\\sigma = (x_{1,m_1},\\dotsc,x_{\\ell,m_{\\ell}})$。根据消息中每个比特的值(0或1)来选择$x_{i,j}$,得到的一个向量为签名。\n - $\\mathsf{Vrfy}$: $\\sigma = (x_1,\\dotsc,x_{\\ell})$,输出 $1 \\iff$ 对于所有 $i$,$f(x_i) = y_{i,m_i}$。对消息的每个比特\n - 定理:如果 $f$ 是 OWF,$\\Pi$ 是长度为 $\\ell$ 的消息的OTS。\n\n16. Lamport的OTS例子\n\n - 略\n\n17. Lamport的OTS安全性证明\n\n - 思路:如果 $m \\neq m'$,那么 $\\exists i^*, m_{i*} = b^* \\neq m'_{i*}$。因此,为了伪造一个消息至少要对一个$y_{i^*,b^*}$求逆。 \n - 证明:将对$y$求逆的 $\\mathcal{I}$ 算法规约到攻击 $\\Pi$的 $\\mathcal{A}$ 算法:\n - $\\mathcal{I}$算法构造 $pk$:选择 $i^* \\gets \\{1,\\dotsc,\\ell\\}$ 并且 $b^* \\gets \\{0,1\\}$,令 $y_{i^*,b^*} := y$。对于 $i \\neq i^*$ $y_{i,b} := f(x_{i,b})$;\n - 在公钥中随机选择一个位置$(i^*,b^*)$,将待求逆的$y$放在该位置;对于其它位置,正常构造公私钥对。\n - $\\mathcal{A}$算法查询 $m'$:如果 $m_{i_*}' = b^*$,则停止。否则,返回 $\\sigma = (x_{1,m'_1},\\dots,x_{\\ell,m'_{\\ell}})$;\n - 如果$\\mathcal{A}$ 的查询正好落在位置$(i^*,b^*)$,而该位置的$x_{i^*,b^*}$本应该是$y$对应的$x$,是未知的,终止实验。否则,正常返回签名。\n - 当 $\\mathcal{A}$ 输出 $(m,\\sigma)$,$\\sigma=(x_1,\\dotsc,x_{\\ell})$,如果 $\\mathcal{A}$ 在 $(i^*,b^*)$输出了一个伪造的值,并且有 $\\mathsf{Vrfy}_{pk}(m,\\sigma)=1$ 且 $m_{i^*} =b^* \\neq m'_{i^*}$,那么输出 $x_{i^*,b^*}$;\n - 通过验证并且在$y$对应位置上输出签名,说明 $\\mathcal{A}$ 输出的签名满足 $f(x_{i,m_i}) = y_{i,m_i}$。\n - $ \\Pr[\\mathcal{I}\\;\\; \\text{succeeds} ] \\ge \\frac{1}{2\\ell}\\Pr[\\mathcal{A}\\;\\; \\text{succeeds}] $ \n - 这是因为位置正好在特定位置满足条件的概率是$\\frac{1}{2\\ell}$.\n\n18. 有状态签名方案\n\n - 思路:为了对任意数量的消息签名,可以从旧状态中获得新的密钥并以此来实现和OTS一样的效果\n - 定义:有状态签名方案(Stateful signature scheme)\n - 密钥生成算法:$(pk,sk,s_0) \\gets \\mathsf{Gen}(1^n)$。 $s_0$ 是初始状态。\n - 签名算法:$(\\sigma,s_i) \\gets \\mathsf{Sign}_{sk,s_{i-1}}(m)$。\n - 验证算法:$b:= \\mathsf{Vrfy}_{pk}(m,\\sigma)$.\n - 一个简单的有状态OTS签名方案:独立产生 $(pk_i,sk_i)$,令 $pk := (pk_1,\\dotsc,pk_{\\ell})$ 并且 $sk := (sk_1,\\dotsc,sk_{\\ell})$。 从状态 $1$ 开始,用 $sk_s$ 签第 $s$ 个消息,用 $pk_s$ 来验证,并且更新状态到 $s+1$。\n - 安全性:每个密钥只签了一个消息。\n - 弱点:消息数量上届 $\\ell$ 必须事先确定。\n\n19. 链式签名\n\n - 思路:按需随时产生密钥并且对密钥链签名,解决消息数量有上限的问题。\n - 最初使用一个公钥 $pk_1$,用 $sk_i$ 来对每个当前消息 $m_i$ 和下一个公钥 $pk_{i+1}$ 签名 : $\\sigma_i \\gets \\mathsf{Sign}_{sk_i}(m_i\\| pk_{i+1}),$ 输出 $\\langle pk_{i+1},\\sigma_i \\rangle$, 并且用 $pk_i$ 验证 $\\sigma_i$,签名 $(pk_{i+1},\\sigma_i,\\{m_j,pk_{j+1},\\sigma_j\\}^{i-1}_{j=1})$。\n - 弱点:仍然有状态,包括之前签过的所有消息,效率低,需要揭示之前所有消息才能验证当前消息。\n\n20. 树式签名\n\n - 思路:减少所需维护状态,构造一个密钥树,树上的一个分支是为每个消息生成一个密钥链并且对这个链签名。\n - 根据按消息中的比特构造一个二叉树,根为 $\\varepsilon$ (空串),叶子为消息 $m$,并且内部节点为密钥对 $(pk_w,sk_w)$,其中 $w$ 是 $m$ 的前缀。\n - 每个节点 $pk_w$ 负责对其子节点公钥 $pk_{w0}\\| pk_{w1}$ 或消息 $w$ 来签名。\n\n21. 无状态签名\n\n - 思路:用确定的随机性来模拟树的状态。\n - 使用PRF $F$ 和两个密钥 $k,k'$ 来产生 $pk_w,sk_w$:\n 1. 计算 $r_w := F_k(w)$。\n 2. 计算 $(pk_w,sk_w) := \\mathsf{Gen}(1^n;r_w)$, 用 $r_w$ 作为随机硬币。\n 3. $k'$ 用于产生 $r_w'$ ,后者在产生签名 $\\sigma_w$ 时使用。\n - 如果 OWF 存在,那么 $\\exists$ OTS (对于任意长度消息)。\n - 定理:如果 OWF 存在,那么 $\\exists$ (无状态) 安全签名方案。\n\n22. 证书\n\n - 从之前的方案中可以观察到,一种安全地分发公钥的方法是对该公钥做一个数字签名。\n - 对一个公钥的数字签名被称为,数字证书(Certificate);专门签发数字证书的机构被称为,证书权威机构(Certificate Authority,CA),CA是一个可信的第三方,其公钥($pk_C$)被所有相信CA的主体所持有。\n - 一个数字证书 $ \\mathsf{cert}_{C\\to B} \\overset{\\text{def}}{=} \\mathsf{Sign}_{sk_C}(\\text{`Bob's key is } pk_B\\text{'})$,表示 CA 用其私钥($sk_C$)给一个主体 Bob 签发的数字证书,其中消息内容包括:主体的身份(Bob)和该主体所持的公钥($pk_B$)。其本质是**绑定一个身份和一个公钥。**\n - Bob 将自己的公钥提交给 CA,然后收到证书,最后将自己的公钥和证书一起发送给通信的另一个方。\n - 一个问题是 CA 的公钥是如何分发的?通常随应用程序一起分发,例如浏览器中内置了全世界约170个左右的CA的公钥。在DNSSEC中,递归服务器软件中内置了DNS根的公钥。\n - 另一个问题:CA如何知道收到的公钥是否是Bob的?需要采用其它渠道,例如一个CA “Let's Encrypt” 通过证明域名的所有权来识别证书申请者的身份。\n\n23. 公钥基础设施(PKI)\n\n - 单一 CA: 被所有人信任。\n - 优点:简单\n - 缺点:单点失效\n - 多重CA:被所有人信任。\n - 优点:鲁棒\n - 缺点:水桶定律\n - 授权与证书链(Delegation,certificate chains):信任可以被传递。\n - 优点:减轻根 CA 的负担\n - 缺点:难以管理,水桶定律 \n - 信任网(Web of trust):没有信任的中心,例如,PGP。\n - 优点:可靠,草根级 \n - 缺点:难以管理,难以对信任作出保证\n\n24. TLS 1.3 握手协议\n\n - 目的:客户端与认证的服务器之间产生密钥\n - 要求:客户端具有可信第三方的公钥,服务器具有由可信第三方发布的服务器公钥证书\n - 协议主要步骤包括:\n - 双方发送Hello消息,交换随机参数,各自DHKE公钥,同时也对所用的密码学套件和协议版本号进行协商;\n - 分别根据交换信息根据DHKE生成共享秘密,进一步根据共享秘密和所有消息的哈希值派生出共享密钥\n - 以下的消息都用上一步生成的对称密钥加密\n - server端发送公钥证书,和用该公钥对应私钥来签名之前传递的消息(trans),以证明自己是证书的持有者;发送Finished结束消息,其中包含之前所有消息的HMAC;根据发送的所有消息和共享密钥生成应用密钥\n - client验证证书和签名,并生成应用密钥\n\n25. 无效化证书\n\n - 当私钥泄漏发生时,需要更换公私钥对,并将之前旧的公钥证书无效化。\n\n - 过期法(Expiration):在证书中包含一个过期时间,待过期后自动作废。\n\n $\\mathsf{cert}_{C \\to B} \\overset{\\text{def}}{=} \\mathsf{Sign}_{sk_C}(\\text{`bob's key is}\\; pk_B \\text{'},\\; \\text{date}). $\n\n - 撤销/召回法(Revocation): 显式地撤销证书。\n\n $\\mathsf{cert}_{C \\to B} \\overset{\\text{def}}{=} \\mathsf{Sign}_{sk_C}(\\text{`bob's key is}\\; pk_B \\text{'},\\; \\text{\\#\\#\\#}). $\n\n 其中的 ### 表示证书的序列号。\n\n 累积撤销:CA 产生证书撤销列表(Certificate revocation list,CRL)包含所有被撤销证书的序列号,并且带着当前日期一起签名。 \n\n26. 独占所有权(Exclusive Ownership)\n\n - 独占所有权:给定任意公钥的签名,没有敌手能够使得该签名可以被另一个不同的公钥验证。\n - 重复签名公钥选择攻击:\n - 一个签名由Bob的公钥验证有效,是否意味着Bob用其私钥产生了该签名?\n - 不能。例如,Bob的用密钥对$(e=1, d=1)$ 和 $N = \\sigma - m$。可以通过任意消息的“书本上RSA签名”的验证,$\\sigma^e \\mod N = \\sigma \\mod (\\sigma - m) = m$。\n - 该攻击曾被用来在域名的所有权上欺骗Let‘s Encrypt系统,以骗取对一个域名所有权的认证。\n - 防御:在验证之前检查公钥。\n\n27. 签名加密(Signcryption)\n\n - 一群人相互直接通信,每个人生成两对密钥:$(ek, dk)$表示加密公钥和解密私钥;$(vk, sk)$表示验证公钥和签名私钥。大家知道彼此的两个公钥。当一个发送者$S$向接收者$R$发送一个消息$m$时,如何在CCA攻击下同时保证通信的机密性(其他人不能知道消息$m$)和完整性(接受者$R$确信消息来自发送者$S$)?\n - 提示:下面的问题的关键在于“完整性”,即是否能能够伪装为其他人发送消息。\n - “先加密后认证”:消息 $\\left< S, c \\leftarrow \\mathsf{Enc}_{ek_R}(m), \\mathsf{Sign}_{sk_S}(c) \\right>$ 是否安全?\n - 注:消息中包含发送者身份是必要的,因为接收者需要用发送者的验证公钥来验证签名;消息中不包含接收者身份,因为接收者默认收到的消息都是发给自己的(直接通信,不存在中转)。\n - 完整性有问题,发送者被伪造。因为敌手$A$可以将原签名替换成自己的身份和签名,$\\left< A, c \\leftarrow \\mathsf{Enc}_{ek_R}(m), \\mathsf{Sign}_{sk_A}(c) \\right>$ ,欺骗接收者将$A$当作消息的发送者。\n - “先认证再加密”:先签名,$\\sigma \\leftarrow \\mathsf{Sign}_{sk_S}(m)$,然后发送消息 $\\left< S, \\mathsf{Enc}_{ek_R}(m\\| \\sigma) \\right>$ 是否安全?\n - 完整性有问题,发送者被伪造。因为敌手$A$可以将原来发送给自己的消息解密后重新用另一个人$R'$的加密公钥加密(不改变签名部分)后发送给$R'$,使得$R'$误认为是$S$给他发的消息。\n - 正确的方法是将身份应作为消息的一部分:签名中包含接收者身份 $\\sigma \\leftarrow \\mathsf{Sign}_{sk_S}(m \\| R)$ ;加密消息中包含发送者身份 $\\left< S, \\mathsf{Enc}_{ek_R}(S\\| m \\| \\sigma) \\right>$。接收者解密后,提取发送者身份和接受者身份并验证。\n - 这里的关键之一是签名将消息,发送者,接收者绑定在一起\n - 当将身份和消息一起加密时,先加密后认证的方法也可以保证安全。\n\n28. 总结\n\n - 数字签名提供了公开可验证的真实性和完整性\n - 签名与只有某人知道的某物有关,这件事是可以公开验证的\n - 签名用来将对一个公钥的信任转化为对其签名数据的信任\n\n\n\n\n\n" }, { "path": "notes-Chinese/README.md", "content": "# 密码学原理课程讲义\n\n这个讲义是辅助材料,不能替代英文教材!当讲义、幻灯片与教材不一致时,以教材为准。\n\n这是与幻灯片搭配的中文讲义,每个讲义中的数字编号与幻灯片中页码是相同的。\n\n为了正确显示讲义中的公式,请下载Markdown文件到本地,并使用支持Markdown Math的软件来阅读。\n\n一种方法是使用[Typora](https://www.typora.io/),并开启配置中的Markdown -- Syntax Support -- Inline Math。\n\n![配置截图](http://support.typora.io/media/math/Snip20180818_2.png)\n\n另一种方法是使用VSCode,需要安装Markdown+Mach扩展。\n\n" }, { "path": "source/0intro.tex", "content": "\\input{source/header/main.tex}\n\n\\title{Cryptography Principles}\n\n\\begin{document}\n\\maketitle\n\\begin{frame}\\frametitle{What cryptography is and is not}\nCryptography is:\n\\begin{itemize}\n\\item A tremendous tool\n\\item The basis for many security mechanisms\n\\item Secure communication/computation: \n\\begin{itemize}\n\\item web traffic: HTTPS (SSL/TLS)\n\\item wireless traffic: Wifi (WPA2/3), 5G (AES-128 CTR), Bluetooth (SAFER+)\n\\item encrypting files on disk: EFS, TrueCrypt\n\\item digital rights management: Apple's FairPlay, console games \n\\item cryptocurrency: bitcoin\n\\end{itemize}\n\\end{itemize}\nCryptography is \\textbf{NOT}:\n\\begin{itemize}\n\\item The solution to all security problems\n\\item Reliable unless implemented and used properly\n\\item Something you should try to invent yourself\t\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Purposes}\n\\begin{itemize}\n\\item Learn what the rigorous information security is\n\\item Learn how to secure information rigorously\n\\item Learn how mathematics interplays with engineering\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{We will learn from Turing Award recipients}\n\\begin{itemize}\n\\item{1983} S. A. Cook\n\\item{1995} M. Blum\n\\item{2000} A. Yao\n\\item{2002} R. Rivest, A. Shamir, L. Adleman\n\\item{2012} S. Micali, S. Goldwasser\n\\item{2013} L. Lamport\n\\item{2015} M. E. Hellman, W. Diffie\n\\end{itemize}\t\n\\end{frame}\n\\begin{frame}\\frametitle{Outline}\n\\begin{itemize}\n\\item Classic cryptography, Perfect Secrets\n\\item Private Key Encryption, MAC, Block Cipher, OWF\n\\item Number Theory, Factoring and Discrete Log\n\\item Key Management, Public Key, Digital Signature\n\\item TPD, Random Oracle Model\n\\item Cryptographic Protocols (Many magics here)\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Syllabus [in Chinese]}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/syllabus} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Textbooks, Slides, \\& Contact}\n\\begin{description} \n\\item[Textbook:] \\textbf{Introduction to Modern Cryptography (3rd Ed.)}, \\emph{Jonathan Katz and Yehuda Lindell} %, Chapman \\& Hall/CRC.\n%\\item \\textbf{Applied Cryptography: Protocols, Algorithms, and Source Code in C}, \\emph{Bruce Schneier}, John Wiley \\& Sons. (Eng. \\& Chi.)\n\\item[MOOC:] Stanford Dan Boneh's Cryptography @Coursera\n\\item[Slides:] https://github.com/YuZhang/cryptography\n\\item[QQ group:] 672373987 for 2023\n\\end{description}\n\\end{frame}\n\\begin{frame}\\frametitle{Grades}\n\\begin{itemize}\n\\item Composition:\n\\begin{itemize}\n\\item[Homework:] 4 $\\times$ 5 = 20\\% (Homework 1$\\sim$5)\n\\item[Final Exam:] 80\\%\n\\item[Extra:] 5\\% for outstanding homework (Homework 1$\\sim$6)\n\\end{itemize}\n\\item How to score high:\n\\begin{itemize}\n\\item Read the textbook IMC\n\\item Do homework by yourself\n\\item \\alert{No Plagiarism!} \n\\end{itemize}\n\\end{itemize}\n\\end{frame}\n\\end{document}\n" }, { "path": "source/10protocols.tex", "content": "\\input{source/header/main.tex}\n\n\\title{A Quick Tour of \\\\ Cryptographic Protocols Zoo}\n\n\\begin{document} \n\\maketitle\n\\begin{frame}\\frametitle{What's in the zoo?}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=105mm]{pic/zoo-cn.pdf}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\n\\frametitle{Outline}\n\\tableofcontents\n\\end{frame}\n\\section{Protocols}\n\\begin{frame}\\frametitle{Protocols (Animals)}\n\\begin{itemize}\n\\item \\textbf{Communications protocol} is a formal description of digital message formats and the rules for exchanging those messages for a specific purpose.\n\\begin{itemize}\n\\item Protocols are to communications what algorithms are to computations\n\\item Everyone must know it and agree to follow it\n\\end{itemize}\n\\item \\textbf{Unambiguous}: each step must be well defined and there must be no chance of a misunderstanding\n\\item \\textbf{Complete}: there must be a specified action for every possible situation\n\\item \\textbf{Cryptographic protocol}: Additionally, it should not be possible to do more or learn more than what is specified in the protocol\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Protocol Types}\n\\begin{itemize}\n\\item \\textbf{Arbitrated protocols}: An arbitrator is a disinterested third party trusted to complete a protocol.\n\\item \\textbf{Adjudicated protocols}: An adjudicator is also a disinterested and trusted third party. Unlike an arbitrator, he is not directly involved in every protocol unless .\n\\item \\textbf{Self-enforcing protocols}: the best type of protocol. The protocol itself guarantees fairness.\n\\end{itemize}\n\\begin{exampleblock}{How to split a cake equally between two kids?}\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Attacks against Protocols}\n\\begin{itemize}\n\\item \\textbf{Passive attacks}: the attacker does not affect the protocol.\n\\item \\textbf{Active attacks}: the attacker alters the protocol to his own advantage.\n\\end{itemize}\n\\textbf{Cheater}: the attacker could be one of the parties involved in the protocol.\n\\begin{itemize}\n\\item \\textbf{Passive cheaters}: follow the protocol, but try to obtain more information than the protocol intends them to.\n\\item \\textbf{Active cheaters}: disrupt the protocol in progress in an attempt to cheat.\n\\end{itemize}\n\\end{frame}\n\\section{Three-Pass Protocol and Interlock Protocol}\n\\begin{frame}\\frametitle{Three-Pass Protocol}\n\\textbf{Purpose}: communication without shared keys\\\\\n\\textbf{Requirement}: $\\mathsf{Dec}_{k_1}(\\mathsf{Enc}_{k_2}(\\mathsf{Enc}_{k_1}(m))) = \\mathsf{Enc}_{k_2}(m)$\\\\\n\\textbf{Shamir Protocol}: $p$ is a prime, find $e,d$ with $\\gcd(e,p-1)=1$ and $ed \\equiv 1 \\pmod{p-1}$\n\n\\begin{figure}\n\\begin{center}\n\\input{tikz/threepass}\n\\end{center}\n\\end{figure}\n$c_2^{d_B} = c_1^{d_A\\cdot d_B} = c^{e_B\\cdot d_A\\cdot d_B} = m^{e_A\\cdot e_B\\cdot d_A\\cdot d_B} = m^{e_Ad_A\\cdot e_Bd_B} = m$\n\\textbf{Weakness}: insecurity under the man-in-the-middle attack\n\\end{frame}\n\\begin{frame}\\frametitle{The Man-In-The-Middle Attack}\nAlso called \\textbf{bucket-brigade attack}: A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other\n\\begin{figure}\n\\begin{center}\n\\input{tikz/man-in-middle}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Interlock Protocol}\n\\textbf{Purpose}: foil the man-in-the-middle attack.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/interlock}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\section{Pairing and Identity-Based Encryption}\n\\begin{frame}\\frametitle{Bilinear Maps}\n\\begin{itemize}\n\\item Two cyclic groups: $G_1$ with $+$ and generator $P$, $G_2$ with $\\times$.\n\\item \\textbf{Bilinear map} $e: G_1 \\times G_1 \\to G_2$ with $e(aP, bP)=e(P,P)^{ab}$. \n\\item \\textbf{Theorem}: When $e$ is efficient, the Decisional Diffie-Helman is easy in $G_1$, as $e(aP, bP) = e(P, P)^{ab} = e(P, abP)$.\n\\item The Weil and Tate pairings are bilinear maps. $G_1$ is an elliptic-curve group and $G_2$ is a finite field.\n\\end{itemize}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/bilinear-map}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Jounx's Key Agreement Protocol}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/3parties-JOUX}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item Recall Jounx's one-round, 3-party key agreement protocol, where\nAlice computes the key $e(bP, cP)^a = e(P, P)^{abc}$.\n\\item \\textbf{Bilinear Diffie-Helman (BDH) Assumption}: computing $e(P, P)^{abc}$ is hard given $\\left$.\n\\item \\textbf{Theorem}: Given BDH assumption, Jounx's is secure.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Identity-Based Encryption}\n\\begin{itemize}\n\\item \\textbf{IBE}: Anyone can directly use receiver's ID ($A$) as the pubic key with help of a TTP, aka KGC (Key Generation Center). The receiver obtains its private key from KGC.\n\\item \\textbf{Strength}: TTP could be removed for a finite number of users, no need for PKI.\n\\item \\textbf{Weakness}: Single-point-of-failure, implicit key escrow.\n\\end{itemize}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/IBE}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Boneh-Franklin's IBE Scheme}\n\\textbf{Boneh-Franklin's IBE Scheme} (2001):\n\\begin{itemize}\n\\item \\textbf{KGC} generates a global public key $pk = sP$ and $sk = s$.\n\\item \\textbf{Encryption}: $\\mathsf{Enc}(sP, A, m) = \\left< rP, m\\oplus H_2(e(H_1(A), sP)^r)\\right>$, where $r$ is a random string, $H_1$ and $H_2$ are random oracles.\n\\item \\textbf{Decryption}: The receiver obtains its private key $d_{A} = sH_1(A)$ from KGC. \n $\\mathsf{Dec}(d_{A}, u, v) = v \\oplus H_2(e(d_A, u)).$ \\\\\n\\item \\textbf{Correctness}: $e(d_A, u) = e(sH_1(A), rP) = e(H_1(A), P)^{sr} = e(H_1(A), sP)^r$.\n\\end{itemize}\n\\end{frame}\n\\section{Blind/Group/Ring Signatures}\n\\begin{frame}\\frametitle{Blind Signature}\n\\textbf{Blind signature} is a form of digital signature in which the message is blinded before it is signed.\\\\\n\\textbf{Chaum's blind signature}: Alice asks for Signer to sign $m$ blindly and then sends to Bob\n\\begin{figure}\n\\begin{center}\n\\input{tikz/blindsignature}\n\\end{center}\n\\end{figure}\n\\[s \\equiv s'r^{-1} \\equiv m'^dr^{-1} \\equiv (mr^e)^dr^{-1} \\equiv m^d.\\]\n\\end{frame}\n\\begin{frame}\\frametitle{Group Signature}\n\\textbf{Group Signature}: allowing a member of a group to anonymously sign a message on behalf of the group (with a group manager)\n\\begin{itemize}\n\\item \\textbf{Soundness}: valid sigs by members verify correctly\n\\item \\textbf{Unforaeable}: only members can create valid sigs\n\\item \\textbf{Anonymity}: signer can be determined only by manager\n\\item \\textbf{Traceability}: manager can trace which member signed\n\\item \\textbf{Unlinkability}: cannot tell if two sigs were from same signer\n\\item \\textbf{Exculpability}: cannot forge a sig for other/non members\n\\end{itemize}\n\\textbf{A trivial group signature with trusted GM [Chaum (1991)]}:\\\\\n\\begin{itemize}\n\\item \\textbf{KeyGen}: GM generates a secret key list for each member and publishes all of public keys\n\\item \\textbf{Sign}: sign with an unused secret key\n\\item \\textbf{Verify}: try all of public keys\n\\end{itemize}\n\\end{frame}\n%\\begin{comment}\n\\begin{frame}\\frametitle{Ring Signature}\n\\textbf{Ring Signature}: Group signature without group manager, and:\n\\begin{itemize}\n\\item cannot revoke the anonymity of an individual signature\n\\item any group of users can be a group without additional setup\n\\end{itemize}\n\\textbf{A ring signature based on bilinear map} [Boneh et al. (2003)]:\\\\\n%$q-$order cyclic groups: $G_1$ with $+$ and generator $P$, $G_2$ with $\\times$, bilinear map $e: G_1 \\times G_1 \\to G_2$ such that $e(aP, bP)=e(P,P)^{ab}$, \n%hash function $H: \\{0,1\\}^* \\to G_1$.\n\\begin{itemize}\n\\item \\textbf{KeyGen}: for member $U_i$: $sk=x_i \\gets Z_q, pk = Y_i = x_iP$.\n\\item \\textbf{Sign}: message $m$ with $(\\sigma_i), i=1,\\cdots, n$ by $U_k$:\n\\[\\text{for } i\\neq k, a_i \\gets Z_q, \\sigma_i = a_iP;\\quad \\sigma_k = \\frac{1}{x_k}(H(m)-\\Sigma_{j\\neq k}a_jY_j)\\]\n\\item \\textbf{Verify}:\n\\[ e(H(m),P) = \\Pi_ie(Y_i, \\sigma_i) \\]\n\\end{itemize}\n\\end{frame}\n%\\end{comment}\n\\section{Secret Sharing/Threshold Crytpography}\n\\begin{frame}\\frametitle{Secret Sharing}\n\\textbf{Purpose}: distribute a secret amongst a group of $n$ participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a sufficient number of shares $t$ are combined together. It is called $(t, n)$-\\textbf{threshold scheme}.\n\\newline\n\n\\textbf{Blakley's scheme}: any $n$ nonparallel $n$-dimensional hyperplanes intersect at a specific point.\n\n \\begin{minipage}[t]{0.32\\linewidth} \n \\centering \n \\includegraphics[width=30mm]{pic/Secretsharing-1} \n \\end{minipage}% \n \\begin{minipage}[t]{0.32\\linewidth} \n \\centering \n \\includegraphics[width=30mm]{pic/Secretsharing-2} \n \\end{minipage}\n \\begin{minipage}[t]{0.32\\linewidth} \n \\centering \n \\includegraphics[width=30mm]{pic/Secretsharing-3} \n \\end{minipage} \n\n\\textbf{Chinese remainder theorem}: the shares of secret are generated by reduction modulo some relatively prime integers, and the secret is recovered by solving the system of congruences using the CRT.\n\\end{frame}\n\\begin{frame}\\frametitle{Shamir's Secret Sharing}\nAdi Shamir ``How to share a secret'', Comm. of ACM, 1979.\\\\\n$t$ points define a polynomial of degree $t-1$, $f(x) = a_0 + a_1x + a_2x^2 + \\cdots + a_{t-1}x^{t-1}$, where $a_0$ is the secret $S$, and $a_i$ for $i \\neq 0$ is chosen randomly. Choose $n$ points $(x_i, f(x_i))$ for $i = 1, \\dots, n$ and send one point to each party.\n\\begin{exampleblock}{An example of Shamir's secret sharing with $(t=3, n=6)$}\n$f(x)= 1234 + 166x + 94x^2 \\mod 1613$, where $S = 1234$.\\\\\n6 points: $(1, 1494), (2, 329), (3, 965), (4, 176), (5, 1188), (6, 755)$. \\\\\nAttacker has 2 points $(1, 1494)$ and $(2, 329)$ and try to learn $S$.\\\\\n$1419 = S + a_1 + a_2 - 1613m_1 $, $329 = S + 2a_1 + 4a_2 - 1613m_2$,\\\\\n$448 = a_1 + 3 a_2 + 1613(m_1 - m_2)$, $(m_1-m_2)$ could be any integer.\\\\\nThere are infinite possible values of $a_1$ and $a_2$, so that $S$ is secured.\n\\end{exampleblock}\n\\textbf{Strength:} information theoretic security, extensible for $n$ \n\\textbf{Weakness}: Issue with the verification of correctness of the retrieved shares (verifiable secret sharing).\n\\end{frame}\n\\begin{frame}\\frametitle{Threshold Cryptography}\n\\textbf{$(t,n)$-threshold scheme}: at least $t$ of parties can efficiently decrypt/sign the ciphertext, while less than $t$ have no useful information\\\\\n\n\\textbf{Threshold Elgamal Cryptosystem}:\n\\begin{itemize}\n\\item \\textbf{Key sharing}: $sk = s, pk=h=g^s$. Party $i$ obtains a share $s_i$ with Shamir's scheme ($(t, n)$-threshold secret sharing) such that $s = \\Sigma_i s_i\\cdot \\lambda_i$ with public info $\\lambda_i$ and publishes $h_i = g^{s_i}$\n\\item \\textbf{Enc}: $y \\gets \\mathbb{Z}_q$, $\\left=\\left$\n\\item \\textbf{Dec}: Party $i$ outputs $d_i = c_1^{s_i}$ and ZKP of $\\log_gh_i = \\log_{c_1} d_i$\n\\[ m = c_2/\\Pi_i d_i^{\\lambda_i} \\]\n$c_2/\\Pi_i d_i^{\\lambda_i} = c_2/\\Pi_i c_1^{s_i\\cdot \\lambda_i} = c_2/c_1^{\\Sigma_i s_i\\cdot \\lambda_i} = c_2/c_1^s=m$\n\\end{itemize}\n\\end{frame}\n\\section{Commitment Scheme}\n\\begin{frame}\\frametitle{Commitment Scheme}\n\\textbf{Commitment scheme} allows one to commit to a value (which can not be changed later, \\textbf{binding}) while keeping it hidden (\\textbf{hiding}), with the ability to reveal the committed value\n\\newline\n\\textbf{Coin flipping over telephone} [Manuel Blum]:\n\\begin{figure}\n\\begin{center}\n\\input{tikz/coinflipping}\n\\end{center}\n\\end{figure}\n\\alert{Q1: Is $\\mathsf{Hash}$ as CRHF enough for hiding? \\\\\nQ2: Is it possible to achieve info.-theoretically binding and info.-theoretically hiding at the same time?}\n\\end{frame}\n\\section{Zero Knowledge Proofs}\n\\begin{frame}\\frametitle{Zero-Knowledge Proof}\nO. Goldreich, S. Micali, A. Wigderson, ``How to Play ANY Mental Game,'' ACM Conference on Theory of Computing, 1987\n\\begin{itemize}\n\\item \\textbf{Interactive proof system} is an abstract machine that models computation as the exchange of messages between two parties: verifier and prover\n\\item \\textbf{Proof of knowledge}: an interactive proof in which \\textbf{prover} succeeds convincing \\textbf{verifier} that it knows something\n\\item \\textbf{Zero-knowledge proof (ZKP)}: an interactive proof \\emph{without revealing anything other than the veracity of the statement}\n\\begin{itemize}\n\\item \\textbf{Completeness}: if the statement is true, the honest ``verifier'' will be convinced by an honest prover\n\\item \\textbf{Soundness}: if the statement is false, no cheating prover can convince the honest verifier\n\\item \\textbf{Existence}: If OWF exists, ZKP exists for any NP-set\n\\end{itemize}\n\\item \\textbf{$\\Sigma$-protocol}: ZKP in 3 rounds: announcement (commitment), challenge, and response\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{A Toy Example of ZKP}\nAlice {\\color{red} \\LARGE \\Ladiesroom} proves to Bob {\\color{blue} \\LARGE \\Gentsroom} that she knows the secret word used to open a magic door in a circular cave.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/zkp}\n\\end{center}\n\\end{figure}\n\\alert{Q: If Alice does not know the secret word, what kind of magic could she master to cheat Bob?}\n\\end{frame}\n\\begin{frame}\\frametitle{ZKP on Hanmilton Cycle}\nZKP for a solution of Hanmilton Cycle (NPC). [Blum (1986)] \\\\\n\\textbf{Prover} relabels the graph (1) randomly, encrypts the randomly relabeld graph (2) with $N + N*(N-1)/2$ boxes (3), and sends them to verifier. \\\\\n\\textbf{Verifier} asks only one question: either (a) show the relabelled graph is valid by openning all boxes (3); or (b) show one Hanmilton cycle by openning the boxes on the cycle (4).\n\\begin{figure}\n\\begin{center}\n\\input{tikz/zkp-hanmilton}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{ZKP and Commitment}\nThe simulation paradigm: by seeing Y , a party learns no more than X if Y can be efficiently generated given only X.\\\\\nA simple example: without commitment, the verifier learns the message given a ciphertext. With commitment, the prover can check whether the verifier already knows the message.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/zkp-commitment}\n\\end{center}\n\\end{figure} \n\\end{frame}\n\\begin{frame}\\frametitle{Schnorr Protocol}\nWe have learned a ZKP as an identification scheme. Recall \\textbf{Schnorr protocol}: Alice proves to Bob the knowledge of $x=\\log_gy$ in the discrete log problem.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/schnorr}\n\\end{center}\n\\end{figure}\nIf Alice can foresee $c$, Alice can cheat with $t=g^s/y$ when $c=1$.\n\\end{frame}\n\\begin{frame}\\frametitle{ZKP of the Ability to Break RSA}\n\\textbf{Purpose}: Alice convinces Bob that she knows Charlie's private key $d$ for RSA problem $\\langle N,e,d \\rangle$, but she doesn't want to tell Bob $d$\n\\begin{figure}\n\\begin{center}\n\\input{tikz/zkp-rsa}\n\\end{center}\n\\end{figure}\nIf Alice can manipulate $c$, Alice can cheat with $c = m^e$.\n\\end{frame}\n\\section{Oblivious Transfer}\n\\begin{frame}\\frametitle{Oblivious Transfer}\n\\textbf{Oblivious transfer (OT)} protocol: a sender remains oblivious as to whether or which info has been transferred. \\\\\n\\footnotesize A toy example of \\textbf{Socialist Millionaires Problem}: Alice (\\$3M) and Bob (\\$2M) wonder whether they makes the same money, while keeping their salaries secret. \\href{http://twistedoakstudios.com/blog/Post3724_explain-it-like-im-five-the-socialist-millionaire-problem-and-secure-multi-party-computation}{\\alert{[source link]}}\n\\begin{columns}\n\\begin{column}{6cm}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/toy-OT}\n\\end{center}\n\\end{figure}\n\\end{column}\n\\begin{column}{6cm}\n\\footnotesize\n\\begin{enumerate}\n\\item Bob prepares 4 lockable suggestion boxes marked w/ salaries.\n\\item Bob destroys the keys except for the box marked w/ his salary.\n\\item Alice puts a paper ``YES'' into the box marked w/ her salary, ``NO'' for the others.\n\\item Bob open the box and may (or may not) share the paper with Alice.\n\\end{enumerate}\n\\end{column}\n\\end{columns}\n\\alert{Alice sends 4 papers to Bob, but is oblivious to which paper Bob gets.}\n\\end{frame}\n\\begin{frame}\\frametitle{Rabin's OT Protocol}\n\\textbf{Rabin's OT protocol}: Alice is not sure about whether Bob receives the message. RSA problem $\\langle N, e, d\\rangle $.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/rabinOT}\n\\end{center}\n\\end{figure}\nIf $y \\neq \\pm x$, then Bob can factorize $N$ with $\\gcd(y-x,N)$ and find $d$. Since every quadratic residue modulo $N$ has four square roots, Bob can learn $m$ with probability $\\frac{1}{2}$.\n\\end{frame}\n\\begin{frame}\\frametitle{1-out-of-2 Oblivious Transfer}\n\\textbf{1-out-of-2 OT}: the sender has two messages $m_0$ and $m_1$, and the receiver wishes to receive $m_b$, without the sender learning $b$, while the sender ensures that the receiver receive only one message. \\\\\n\\textbf{Privacy}: What is retrieved by the receiver is protected, while the sender only reveals one of two messages.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/1outof2}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\section{Secure Multi-Party Computation and Homomorphic Enc.}\n\\begin{frame}\\frametitle{Secure Multi-Party Computation}\n\\textbf{Secure multi-party computation (MPC)}: enable parties to jointly compute a function over their inputs, while at the same time keeping these inputs private\\\\\n\\textbf{Dining Cryptographers Problem}: how to perform a secure MPC of the boolean-OR function [David Chaum (1988)]\n\\begin{columns}\n\\begin{column}{4cm}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/dining}\n\\end{center}\n\\end{figure}\n\\end{column}\n\\begin{column}{6cm}\n\\begin{itemize}\n\\item at most one {\\color{red} \\LARGE \\Gentsroom} (1), other {\\color{blue} \\LARGE \\Gentsroom} (0)\n\\item every two adjacent people establish a shared one-bit secret\n\\item everyone shouts the XOR of two shared secrets and its own bit\n\\item output the XOR of all of what everyone shouts. If $1$, there is a {\\color{red} \\LARGE \\Gentsroom}, otherwise there is none\n\\end{itemize}\n\\end{column}\n\\end{columns}\n\\end{frame}\n\\begin{frame}\\frametitle{Homomorphic Encryption}\n\\begin{itemize}\n\\item \\textbf{Homomorphic Encryption} with $\\circ$: $\\mathsf{Dec}_{sk}(c_1\\circ c_2)=m_1\\circ m_2$. \n\\item Elgamal encryption is homomorphic with $\\times$: $\\left\\cdot \\left = \\left$\n\\item Paillier scheme is homomorphic with $+$: $\\mathsf{Enc}_N(m_1) \\cdot \\mathsf{Enc}_N(m_2) = \\mathsf{Enc}_N([m_1+m_2 \\bmod N])$.\n\\item \\textbf{Application}: voting without learning any individual votes.\n\\[c_i := [(1+N)^{v_i}\\cdot r^N \\bmod N^2], v_i \\in \\{0,1\\}\\]\n\\[c^* := [\\Pi_{i} c_i \\bmod N^2], v^* = \\Sigma_{i} v_i \\]\n\\item First \\textbf{Fully} homomorphic with $\\times$ and $+$ by Craig Gentry (2009).\n\\end{itemize}\n\\end{frame}\n\\section{End-to-End Voting}\n\\begin{frame}\\frametitle{End-to-End Voting System}\n\\textbf{End-to-End Voting System}:\n\\begin{enumerate}\n\\item \\textbf{Cast}: Voter casts ballot at Voting Machine (VM) %, and gets a copy as ``receipt''\n\\item \\textbf{Post}: Ballots are posted on Public Bulletin Board (PBB)\n\\item \\textbf{Count}: Tally is computed by election officials (EO) from PBB\n\\end{enumerate}\n\\textbf{Security goals}:\n\\begin{itemize}\n\\item \\textbf{End-to-End Verifiability}: any voter gets assurance that \\textbf{cast as intended}, \\textbf{post as cast}, and \\textbf{counted as posted};\n\\item \\textbf{Privacy}: no one knows what the voter cast; even the voter can not convince others what she cast; privacy also means \\textbf{coercion-resistance};\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{ThreeBallot [Rivest (2006)] w/o Crypto}\nPhilosophy: \"vote by rows, cast by columns\"\n\\begin{figure}\n\\begin{center}\n\\input{tikz/3ballot}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item Each voter casts three plaintext ballots.\n\\item Each row has 1 or 2 marks. Not 0, not 3.\n\\item Each ballot should have a unique ID.\n\\item All three cast ballots go on PBB.\n\\item Voter takes home copy of arbitrarily-chosen one as receipt.\n\\item Receipt serves as integrity check on PBB.\n\\item \\alert{Does threeballot achieve e2e verifiability and privacy?}\n\\end{itemize}\n\\end{frame}\n\\section{Quantum Cryptography}\n\\begin{frame}\\frametitle{Why Quantum Cryptography?}\nQuantum cryptography taps the natural uncertainty of the quantum world\n\\begin{itemize}\n\\item \\textbf{Superposition}: object doesn't have definite properties (location, speed) but has probabilities over them\n\\item \\textbf{Interference}: probabilities can be negative\n\\item \\textbf{Entanglement}: properties of many particles can be correlated\n\\item \\textbf{Measurement}: object's properties collapse to definite value when measured, collapsing also properties of other entangled objects\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{State-of-the-Art of Quantum Cryptography}\n\\begin{itemize}\n\\item (Unsurprisingly) there is \\textbf{no proof} that quantum computers are more powerful than classical computers/Boolean circuits/Turing machines\n\\item There are \\textbf{polynomial} algorithms (e.g., Shor's algorithm) for quantum computers solving problems unknown to be solvable classically in poly-time: factoring and discrete logs\n\\item There are \\textbf{hard} problem with no quantum poly-time algorithm: NPC, inverting many candidate OWF, private key encryption and signature schemes\n\\end{itemize}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Quantum Key Distribution}\n\\textbf{Purpose}: Using photon polarization states to transmit the information in a public channel against eavesdroppers\n\n\\begin{exampleblock}{BB84 protocol: C. H. Bennett and G. Brassard (1984)}\n{\\centering\t\n\\begin{tabular}{|c|c|c|} \\hline\nBasis & \\verb#0# & \\verb#1# \\\\ \\hline\n\\verb#+# & \\verb#|# & \\verb#-# \\\\ \\hline\n\\verb#x# & \\verb#/# & \\verb#\\# \\\\ \\hline\n\\end{tabular}\t\n\\begin{tabular}{|r|c|} \\hline\nAlice's random bits & \\verb#01101001# \\\\ \\hline\nAlice's random sending basis & \\verb#++x+xxx+# \\\\ \\hline\nPhoton polarization Alice sends & \\verb#|-\\|\\//-# \\\\ \\hline\nBob's random measuring basis & \\verb#+xxx+x++# \\\\ \\hline\nPhoton polarization Bob measures & \\verb#|/\\/-/--# \\\\ \\hline\nShared secret key & \\verb#0 1 0 1# \\\\ \\hline\n\\end{tabular}\n}\n\\begin{itemize}\n\\item Two bases are public\n\\item Eavesdropping would change the photon polarization states\n\\item Check for the presence of eavesdropping by comparing a subset of shared bit string\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\n\\begin{frame}\\frametitle{Summary}\nOne of Clarke’s three laws: \\it{Any sufficiently advanced technology is indistinguishable from magic.}\n\n\\end{frame}\n\\end{document}\n" }, { "path": "source/11summary.tex", "content": "\\input{source/header/main.tex}\n\n\\title{Closing Remarks}\n\\begin{document}\n\t\\maketitle\t\n\\begin{comment}\n\\begin{frame}\\frametitle{Introduction}\n\\begin{itemize}\n\\item Modern cryptography secures information, transactions and computations.\n\\item Kerckhoffs's principle \\& Open cryptographic design.\n\\item Caesar's, shift, Mono-Alphabetic sub., Vigen\\`{e}re.\n\\item Brute force, letter frequency, Kasiski's, IC.\n\\item Sufficient key space principle.\n\t\t\\item Arbitrary adversary principle.\n\t\t\\item Rigorously proven security.\n\t\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Perfect Secrets}\n\\begin{itemize}\n\\item Perfect secrecy $=$ Perfect indistinguishability $=$ Adversarial indistinguishability.\n\\item Perfect secrecy is attainable. The One-Time Pad (Vernam's cipher).\n\\item Shannon's theorem.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Computational Security vs. Info.-theoretical Security}\n\\begin{center}\n\\begin{tabular}{|c|c|c|} \\hline\n & \\textbf{Computational} & \\textbf{Info.-theoretical} \\\\ \\hline\n\\textbf{Adversary} & \\textsc{ppt} & no limited \\\\ \n & eavesdropping & eavesdropping\\\\ \\hline \n\\textbf{Definition} & indistinguishable & indistinguishable \\\\ \n & $\\frac{1}{2} + \\mathsf{negl}$ & $\\frac{1}{2}$ \\\\ \\hline\n\\textbf{Assumption} & pseudorandom & random \\\\ \\hline\n\\textbf{Key}\t & short random str. & long random str.\\\\ \\hline\n\\textbf{Construction} & XOR pad & XOR pad \\\\ \\hline \n\\textbf{Prove} & reduction & - \\\\ \\hline\n\\end{tabular}\t\n\\end{center}\n\\end{frame}\n\\begin{frame}\\frametitle{Private-Key Encryption}\n\\begin{itemize}\n\\item Asymptotic approach, proof of reduction, indistinguishable.\n\\item PRG, PRF, PRP, stream cipher, block cipher.\n\\item Security/construction against eavesdropping/CPA.\n\\item EBC, CBC, OFB, CTR.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Block Cipher}\n\\begin{itemize}\n\\item Block cipher is PRP.\n\\item confusion \\& diffusion, SPN, Feistel network, avalanche effect.\n\\item DES, 3DES, AES.\n\\item reduced round, meet-in-the-middle, differential and linear cryptanalysis. \n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{MAC}\n\\begin{itemize}\n\\item adaptive CMA, replay attack, birthday attack.\n\\item existential unforgeability, collision resistance.\n\\item CBC-MAC, CRHF, Merkle-Damg\\r{a}rd transform, NMAC, HMAC. \n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{CCA, AE}\n\\begin{itemize}\n\\item CCA-secure, AE, det. enc., det. CPA-secure, DAE.\n\\item Enc-then-auth, KDF, SIV, wide block cipher, tweakable encryption.\n\\item SIV-CTR, PBKDF, salt, enc. w/o expansion, CTS.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{OWF}\n\\begin{itemize}\n\\item OWF implies secure private-key encryption scheme and MAC.\n\\item Secure private-key encryption scheme/MAC implies OWF.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Number Theory, RSA}\n\\begin{itemize}\n\\item Primes, modular arithmetic.\n\\item Miller-Rabin primality testing.\n\\item Factoring, Pollard's $p-1$ and $\\rho$ methods.\n\\item $e^{\\mathsf{th}}$-root modulo $N$, RSA.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Public-key Encryption, RSA}\n\\begin{itemize}\n\\item eavesdropper=CPA, CCA/CCA2 in public-key encryptions.\n\\item hybrid argument, multiple encryptions.\n\\item hybrid encryption, ``textbook RSA'', padded RSA, PKCS.\n\\item small $e$, common modulus attacks, CCA, faults attack.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{DL, CDH/DDH}\n\\begin{itemize}\n\\item cyclic group, discrete log., baby-step/giant-step\n\\item CDH, DDH, DHKE protocol.\n\\item Elgamal encryption, sharing public parameters.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{TPD, ROM, and More}\n\\begin{itemize}\n\\item public key encryption from tpd\n\\item random oracle model vs. standard model\n\\item CPA/CCA in ROM, RSA-FDH\n\\item Coldwasser-Micali, Rabin, Paillier (homomorphic with $+$), elliptic curve.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Digital Signature}\n\\begin{itemize}\n\\item Textbook RSA, Hashed RSA, Hash-and-Sign, DSS.\n\\item Lamport's OTS/Stateful/Chain-based/Tree-based/Stateless.\n\\item Certificates, PKI, CA, Web-of-trust, Invalidation.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Cryptographic Protocols}\n\\begin{itemize}\n\\item Man-in-the-middle attack, interlock protocol.\n\\item Shamir three pass protocol.\n\\item Blind signature.\n\\item Secret sharing.\n\\item Commitment scheme, coin flipping.\n\\item Interactive proof, Schnorr protocol, Zero knowledge proofs\n\\item Oblivious transfer, Rabin's, 1-out-of-2.\n\\item Multi-party computation, dining cryptographers problem.\n\\item Quantum cryptography, BB84.\n\\end{itemize}\n\\end{frame}\n\\end{comment}\n\n\\begin{frame}\\frametitle{Syllabus [in Chinese]}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/syllabus} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{One more thing, we will read comics [xkcd:177]}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/term} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Provable Security}\n\\begin{itemize}\n\\item A proof of security never proves security in an absolute sense, it relates security to an unproven assumption that some computational problem is hard.\n\\item The quality of a security reduction should not be ignored -- it matters how tight it is, and how strong the underlying assumption is.\n\\item A security reduction only proves something in a particular model specifying what the adversary has access to and can do.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Crypto Pitfalls}\nCrypto deceptively simple\n\\begin{itemize}\n\\item Why does it so often fail?\n\\end{itemize}\nImportant to distinguish various issues:\n\\begin{enumerate}\n\\item Bad cryptography/implementations/design, etc.\n\\item Good cryptography can be `circumvented' by adversaries operating `outside the model'\n\\item Even the best cryptography only shifts the weakest point of failure to elsewhere in your system\n\\item Systems are complex: key management; social engineering; insider attacks\n\\end{enumerate}\nAvoid the first; be aware of 2-4.\n\\end{frame}\n\\begin{frame}\\frametitle{Bad Implementation Example: Heartbleed}\n \\begin{minipage}[t]{0.49\\linewidth} \n \\centering \n \\includegraphics[width=50mm]{pic/heartbleed1} \n \\end{minipage}% \n \\begin{minipage}[t]{0.49\\linewidth} \n \\centering \n \\includegraphics[width=50mm]{pic/heartbleed2} \n \\end{minipage}\n\\end{frame}\n\\begin{frame}\\frametitle{Crypto is difficult to get right}\n\\begin{itemize}\n\\item Must be implemented correctly\n\\item Must be integrated from the beginning, not added on ``after the fact''\n\\item Need expertise; ``a little knowledge can be a dangerous thing''\n\\item Can't be secured by Q/A, only (at best) through penetration testing and dedicated review of the code by security experts\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{General Recommendation}\n\\begin{itemize}\n\\item Use only standardized algorithms and protocols\n\\item No security through obscurity!\n\\item Use primitives for their intended purpose\n\\item Don't implement your own crypto\n\\item If your system cannot use ``off-the-shelf'' crypto components, re-think your system\n\\item If you really need something new, have it designed and/or evaluated by an expert\n\\item Don't use the same key for multiple purposes\n\\item Use good random-number generation\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Crypto Libraries}\n\\begin{itemize}\n\\item Use existing, high-level crypto libraries: \ncryptlib, NaCl, Google's Keyczar, Mozilla's NSS, OpenSSL \n\\item Avoid low-level libraries (like JCE, crypto++, GnuPG, OpenPGP) - too much possibility of mis-use\n\\item Avoid writing your own low-level crypto\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Beware of Snake Oil}\n\\textbf{Snake Oil}: bogus commercial cryptographic products.\n\\begin{itemize}\n\\item \\textbf{Secret system}: security through obscurity\n\\item \\textbf{Technobabble}: since cryptography is complicated\n\\item \\textbf{Unbreakable}: a sure sign of snake oil\n\\item \\textbf{One-time pads}: a flawed implementation\n\\item \\textbf{Unsubstantiated ``bit'' claims}: key lengths are not directly comparable\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{What cryptography can and can't do}\n``No one can guarantee 100\\% security. But we can work toward 100\\% risk acceptance. $\\dots$ Strong cryptography can withstand targeted attacks up to a point--the point at which it becomes easier to get the information some other way. $\\dots$ The good news about cryptography is that we already have the algorithms and protocols we need to secure our systems. The bad news is that that was the easy part; implementing the protocols successfully requires considerable expertise. $\\dots$ \nSecurity is different from any other design requirement, because functionality does not equal quality.''\n\\newline\n\n-- By Bruce Schneier 1997\n\\end{frame}\n\\begin{frame}\\frametitle{Rubber-hose Cryptanalysis}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/rubberhose} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{A Good Wish}\n``No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.''\n\\newline\n\n-- Article 12 Universal Declaration of Human Rights\n\\end{frame}\n\\begin{frame}\\frametitle{Grades}\n\\begin{itemize}\n\\item Composition:\n\\begin{itemize}\n\\item[Homework:] 4 $\\times$ 5 = 20\\% (Homework 1$\\sim$5)\n\\item[Final Exam:] 80\\%\n\\item[Extra:] 5\\% for outstanding homework (Homework 1$\\sim$6)\n\\end{itemize}\n\\item How to score high:\n\\begin{itemize}\n\\item Read the textbook IMC\n\\item Do homework by yourself\n\\item \\alert{No Plagiarism! Otherwise, -10 point penalty each time.} \n\\end{itemize}\n\\end{itemize}\n\\end{frame}\n\\end{document}\n" }, { "path": "source/12backup.tex", "content": "\\input{source/header/main.tex}\n\n\\title{More on Public-Key Cryptography}\n\n\\begin{document}\n\\maketitle\n\\begin{frame}\n\\frametitle{Outline}\n\\tableofcontents\n\\end{frame}\n\n\\section{Primes and Factoring}\n\\begin{frame}\\frametitle{Integer Factorization/Factoring}\n\\begin{quote}\n``The problem of distinguishing prime numbers from composite numbers and of resolving the later into their prime factors is known to be one of the most important and useful in arithmetic.'' -- Gauss (1805)\n\\end{quote}\n\nThe ``hardest'' numbers to factor seem to be those having only large prime factors.\n\\begin{itemize}\n\\item The best-known algorithm is the \\textbf{general number field sieve} [Pollard] with time $\\mathcal{O}(\\exp(n^{1/3}\\cdot(\\log n)^{2/3}))$.\n\\item RSA Factoring Challenge: RSA-768 (232 digits)\n\\begin{itemize}\n\\item Two years on hundreds of machines (2.2GHz/2GB, 1500 years)\n\\item Factoring a 1024-bit integer: about 1000 times harder.\n\\end{itemize}\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Generating Random Primes}\n\\begin{algorithm}[H]\n\\SetKwInOut{Input}{input}\n\\SetKwInOut{Output}{output}\n\\SetKw{KwB}{break}\n\\SetKw{KwH}{halt}\n\\DontPrintSemicolon\n\\caption{Generating a random prime}\n\\Input{Length $n$; parameter $t$}\n\\Output{A random $n$-bit prime}\n\\BlankLine\n\\For{$i = 1$ \\KwTo $t$}{\n $p' \\gets \\{0,1\\}^{n-1}$\\;\n $p := 1\\| p'$\\;\n \\lIf{$p$ is prime}{\\Return $p$}\\;\n}\n\\Return fail\n\\end{algorithm}\nTo show its efficiency, we need understand two issues:\n\\begin{itemize}\n\\item the probability that a randomly-selected $n$-bit integer is prime.\n\\item how to efficiently test whether a given integer $p$ is prime.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{The Distribution of Prime}\n\\begin{theorem}[Prime number theorem]\n$\\exists$ a constant $c$ such that, $\\forall n>1$, a randomly selected $n$-bit number is prime with probability at least $c/n$.\n\\end{theorem}\nThe probability that a prime is \\emph{not} chosen in $t = n^2/c$ iterations is\n\\[ \\left( 1-\\frac{c}{n} \\right)^t = \\left( \\left( 1-\\frac{c}{n} \\right)^{n/c} \\right)^n \\le \\left( e^{-1} \\right)^n = e^{-n}.\n\\]\nThe algorithm will fail with a negligible probability.\n\\end{frame}\n\\begin{frame}\\frametitle{Testing Primality}\n\\begin{itemize}\n\\item \\textbf{Trial division}: Divide $N$ by $a=2,3,\\dotsc,\\sqrt{N}.$\n\\item \\textbf{Probabilistic algorithm for approximately computing}:\n\\begin{itemize}\n\\item Atlantic City algorithm with two-sided error. \n\\item Monte Carlo algorithm with one-sided error.\n\\item Las Vegas algorithm with zero-sided error.\n\\end{itemize}\n\\item \\textbf{Fermat primality test}: $a^{N-1} \\equiv 1 \\pmod N$.\n\\item $a$ is a \\textbf{witness} that $N$ is composite if $a^{N-1} \\not \\equiv 1 \\pmod N$.\n\\item $a$ is a \\textbf{liar} if $N$ is composite and $a^{N-1} \\equiv 1 \\pmod N$.\n\\item \\textbf{Carmichael numbers}: composite numbers without witnesses.\n\\end{itemize}\n\\begin{theorem}\nIf $\\exists$ a witness, then at least half the elements of $\\mathbb{Z}_N^*$ are witnesses.\n\\end{theorem}\n\\end{frame}\n\\begin{frame}\\frametitle{The Miller-Rabin Primality Test}\n$N-1=2^ru$, $u$ is odd. $a \\in \\mathbb{Z}^*_N$ is a \\textbf{strong witness} if\n\\begin{enumerate}\n\\item $a^u \\neq \\pm 1$, and\n\\item $a^{2^iu} \\neq -1$ for $i\\in\\{1,\\dotsc,r-1\\}$.\n\\end{enumerate}\n\\begin{lemma}\n$x \\in \\mathbb{Z}^*$ is a \\textbf{square root of 1 modulo} $N$ if $x^2 \\equiv 1 \\pmod N$. If $N$ is an odd prime then the only $x$ are $[\\pm 1 \\bmod N]$.\n\\end{lemma}\n\\begin{theorem}\n$N$ is an odd, composite number that is not a prime power. Then at least half the elements of $\\mathbb{Z}^*_N$ are strong witnesses.\n\\end{theorem}\n\\begin{theorem}\nIf $N$ is prime, then the Miller-Rabin test always outputs ``prime''. If $N$ is composite, then the algorithm outputs ``prime'' with probability at most $2^{-t}\\;$\\footnote{Actually, it is at most $4^{-t}$.}.\n\\end{theorem}\n\\end{frame}\n\\begin{frame}\\frametitle{Describing The Algorithm}\n\\begin{algorithm}[H]\n\\SetKwInOut{Input}{input}\n\\SetKwInOut{Output}{output}\n\\SetKw{KwC}{compute}\n\\SetKw{KwL}{LOOP}\n\\DontPrintSemicolon\n\\caption{The Miller-Rabin primality test}\n\\Input{Integer $N>2$ and parameter $t$}\n\\Output{A decision as to wether $N$ is prime or composite}\n\\BlankLine\n\n\\lIf{$N$ is a perfect power}{\\Return ``composite''}\n\\KwC $r\\ge 1$ and $u$ odd such that $N-1 = 2^ru$\\;\n\\KwL: \\For{$s = 1$ \\KwTo $t$}{\n $a \\gets \\{2,\\dotsc,N-2\\}$\\;\n $x = a^u \\bmod N$\\;\n \\lIf{$x = \\pm 1$}{do next \\KwL}\n \\For{$i = 1$ \\KwTo $r$} {\n $x = x^2 \\bmod N$\\;\n \\lIf{$x = -1 $}{do next \\KwL}\n% \\lIf{$x = 1 $}{\\Return ``composite''}\\;\n }\n \\Return ``composite''\\;\n}\n\\Return ``prime''\n\\end{algorithm}\n\\end{frame}\n\\begin{frame}\\frametitle{Examples of Primality Tests}\n\\begin{exampleblock}{Liars in Fermat primality test}\n$2^{340} \\equiv 1 \\pmod {341}$, but $341 = 11\\cdot 31$.\\\\ \n$5^{560} \\equiv 1 \\pmod {561}$, but $561 = 3\\cdot 11\\cdot 17$.\\\\\nCarmichael numbers $< 10000$: \\\\ \n561, 1105, 1729, 2465, 2821, 6601, 8911.\n\\end{exampleblock}\n\\begin{exampleblock}{Examples of Miller-Rabin test}\nCarmichael number $1729=7\\cdot 13\\cdot 19$. \\\\$1729-1 = 1728 = 2^6\\cdot 27$. So $r = 6, u = 27$. $a=671$.\n\\begin{align*}\n671^{27} &\\equiv 1084 \\pmod {1729} \\\\\n671^{27\\cdot 2} &\\equiv 1065 \\pmod {1729}\\\\\n671^{27\\cdot 2^2} &\\equiv 1 \\pmod {1729}\\\\\n\\end{align*}\n\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Algorithms for Factoring}\n\\begin{itemize}\n\\item \\textbf{Factoring} $N=pq$. $p,q$ are of the same length $n$.\n\\item \\textbf{Trial division}: $\\mathcal{O}(\\sqrt{N}\\cdot \\mathsf{polylog}(N))$.\n\\item \\textbf{Pollard's $p-1$} method: effective when $p-1$ has ``small'' prime factors.\n\\item \\textbf{Pollard's rho} method: $\\mathcal{O}(N^{1/4}\\cdot \\mathsf{polylog}(N))$.\n\\item \\textbf{Quadratic sieve} algorithm [Carl Pomerance]: sub-exponential time $\\mathcal{O}(\\exp(\\sqrt{n\\cdot \\log n}))$.\n\\item The best-known algorithm is the \\textbf{general number field sieve} [Pollard] with time $\\mathcal{O}(\\exp(n^{1/3}\\cdot(\\log n)^{2/3}))$.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Pollard's $p-1$ Method}\n\\textbf{Idea}: Fermat's little theorem: $y = x^{(p-1)\\cdot k} \\equiv 1 \\pmod p$. Then $(y-1) \\equiv 0 \\pmod p$ and $p \\mid (y-1)$. So $p = \\gcd(y-1,N)$. To make the exponent a large multiple of $(p-1)$:\n\\[ M = lcm(\\{ i | i \\le B \\}) = \\prod_{\\text{prime}\\;i \\le B}i^{\\lfloor \\log_iB \\rfloor}.\\]\nIf $p-1$ has only ``small'' factors, then the bound $B$ will be small.\n\\begin{algorithm}[H]\n\\SetKwInOut{Input}{input}\n\\SetKwInOut{Output}{output}\n\\SetKw{KwC}{compute}\n\\SetKw{KwL}{LOOP}\n\\DontPrintSemicolon\n\\caption{Pollard's $p-1$ algorithm for factoring}\n\\Input{Integer $N$}\n\\Output{A non-trivial factor of $N$}\n\\BlankLine\n\n$x \\gets \\mathbb{Z}^*_N$\\;\n$y := [x^M \\bmod N]$\\;\n$p := \\gcd(y-1,N)$\\;\n\\lIf{$p \\notin \\{1,N\\}$}{\\Return $p$}\n\\end{algorithm}\n\\end{frame}\n\\begin{frame}\\frametitle{Pollard's Rho ($\\rho$) Method}\n\\textbf{Idea}: Using the improved birthday attack\\footnote{Floyd's cycle-finding algorithm (the ``tortoise and the hare'' algorithm).} to find $x,x'$ such that $x \\neq x' \\land x \\equiv x' \\pmod p$. Then $p \\mid (x-x')$, $p = \\gcd(x-x',N)$.\n$F(x) = x^2+b$, where $b \\not \\equiv 0,-2 \\pmod N$.\n\\begin{algorithm}[H]\n\\SetKwInOut{Input}{input}\n\\SetKwInOut{Output}{output}\n\\SetKw{KwC}{compute}\n\\SetKw{KwL}{LOOP}\n\\DontPrintSemicolon\n\\caption{Pollard's rho algorithm for factoring}\n\\Input{Integer $N$}\n\\Output{A non-trivial factor of $N$}\n\\BlankLine\n\n$x_0 \\gets \\mathbb{Z}^*_N$\\;\n\\For{$i=1$ \\KwTo $2^{n/2}$}{\n$x_i := [F(x_{i-1}) \\bmod N]$\\;\n$x_{2i} := [F(F(x_{2i-2})) \\bmod N]$\\;\n$p := \\gcd(x_{2i}-x_i,N)$\\;\n\\lIf{$p \\notin \\{1,N\\}$}{\\Return $p$}\n}\n\\end{algorithm}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of Pollard's $\\rho$ Method}\n\\begin{lemma}\nLet $x_1,\\dotsc$ be a sequence with $x_m \\equiv F(x_{m-1}) \\pmod N$. $F$ satisfies that $x \\equiv x' \\pmod N \\implies F(x) \\equiv F(x') \\pmod N$. If $x_I \\equiv x_J\\pmod p$ with $I < J$, then $\\exists$ $i < J$ such that $x_{i} \\equiv x_{2i} \\pmod p$.\n\\end{lemma}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/birthdayattack}\n\\end{center}\n\\end{figure}\n\\begin{proof}\nSee the proof of improved birthday attack.\n\\end{proof}\nAccording to the lemma of birthday problem, given a sequence of length $O(N^{1/4})$, find such pair with probability $1/4$.\n\\end{frame}\n\\begin{frame}\\frametitle{Example of Pollard's $p-1$ and $\\rho$ methods}\n\\begin{exampleblock}{Factorizing $N=5917$ with Pollard's $p-1$ method}\nChoose $B=5$, $M=lcm(1,2,3,4,5)=60$.\\\\\nFor $x=2$, $y \\equiv x^M \\equiv 2^{60} \\equiv 3417 \\pmod{5917}$.\\\\\n$p = gcd(y-1,N) = \\gcd(3416,5917) = 61$.\n\\end{exampleblock}\n\\begin{exampleblock}{Factorizing $N=8051$ with Pollard's $\\rho$ method}\n$f(x) = x^2+1$, $x_0=2$.\\\\\n\\begin{center}\n\\begin{tabular}{|c|c|c|c|} \\hline\n$i$ & $x_i$ & $x_{2i}$ & $\\gcd(x_{2i}-x_i,N)$ \\\\ \\hline\n1 & 5 & 26 & 1 \\\\\n2 & 26 & 7474 & 1 \\\\\n3 & 677 & 871 & 97 \\\\ \\hline\n\\end{tabular}\t\n\\end{center}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{The Quadratic Sieve Algorithm}\n\\textbf{Idea}: Find $x,y$ with $x^2 \\equiv y^2 \\pmod N$ and $x \\not \\equiv \\pm y \\pmod N$. $x^2-y^2 \\equiv 0 \\pmod N\\implies (x+y)(x-y) \\equiv 0 \\pmod N$.\\\\\n$\\gcd(x+y,N)$ and $\\gcd(x-y,N)$ will give $p$.\\\\\n\\textbf{Finding congruence of squares}: \\\\\n%Find $x_i^2 \\equiv y_i \\pmod N$ for $i=1,2,\\dotsc,r$ and $y_1y_2\\cdots y_r = c^2$. \\\\\n%$(x_1x_2\\cdots x_r)^2 \\equiv y_1y_2\\cdots y_r = c^2 \\pmod N$.\\\\\n\\begin{enumerate}\n\\item Choose a factor base $B = \\{p_1,\\dotsc,p_k\\}$ of prime numbers. \n\\item Use `\\textbf{sieve theory}' to find $\\ell = k+1$ distinct $x_1,\\dotsc,x_\\ell$ for which $[x_i^2 \\bmod N]$ decompose into the elements of $B$: $x_i^2 \\equiv \\prod^k_{j=1} p_j^{e_j} \\pmod N$.\n\\item Write $x_i^2$ as an exponent vector $\\langle e_{i,1},\\dotsc,e_{i,k}\\rangle \\pmod 2$.\n\\item Find the addition of vectors = the zero vector $\\pmod 2$.\\\\\n$X=\\{x_{\\ell_1},\\dotsc,x_{\\ell_n}\\}$. $\\forall i$, $E_i = \\sum_{j=1}^ne_{\\ell_j,i} \\equiv 0 \\pmod 2$.\n\\item Find a pair: $x = \\prod_{i=1}^nx_{\\ell_i} \\not \\equiv y=\\prod_{i=1}^kp_i^{E_i/2} \\pmod N$. \n\\end{enumerate}\n\\end{frame}\n\\begin{frame}\\frametitle{Example of Quadratic Sieve Algorithm}\n\\begin{exampleblock}{Factorizing $N=377753$ with quadratic sieve algorithm}\n$B = \\{2,13,17,23,29\\}$.\n\\begin{align*}\n620^2 &\\equiv 17^2\\cdot 23 \\pmod N\\\\\n621^2 &\\equiv 2^4\\cdot 17\\cdot 29 \\pmod N\\\\\n645^2 &\\equiv 2^7\\cdot 13\\cdot 23 \\pmod N\\\\\n655^2 &\\equiv 2^3\\cdot 13\\cdot 17\\cdot 29 \\pmod N\n\\end{align*}\n\\[ [620\\cdot 621\\cdot 645\\cdot 655 \\bmod N]^2 \\equiv [2^7\\cdot 13\\cdot 17^2\\cdot 23\\cdot 29\\bmod N]^2 \\]\n\\[ \\implies 127194^2 \\equiv 45335^2 \\pmod N,\\]\nComputing $\\gcd(127194-45335,377753)=751$.\n\\end{exampleblock}\n\\end{frame}\n\\section{Discrete Logarithm Algorithms}\n\\begin{frame}\\frametitle{Overview of Discrete Logarithm Algorithms}\n\\begin{itemize}\n\\item Given a generator $g \\in \\mathbb{G}$ and $y \\in \\langle g \\rangle$, find $x$ such that $g^x=y$.\n\\item \\textbf{Brute force}: $\\mathcal{O}(q)$, $q = \\mathsf{ord}(g)$ is the order of $\\langle g\\rangle$.\n\\item \\textbf{Baby-step/giant-step} method [Shanks]: $\\mathcal{O}(\\sqrt{q}\\cdot \\mathsf{polylog}(q))$.\n\\item \\textbf{Pohlig-Hellman} algorithm: when $q$ has small factors.\n\\item \\textbf{Index calculus} method: $\\mathcal{O}(\\exp{(\\sqrt{n\\cdot \\log n})})$.\n\\item The best-known algorithm is the \\textbf{general number field sieve} with time $\\mathcal{O}(\\exp(n^{1/3}\\cdot(\\log n)^{2/3}))$.\n\\item Elliptic curve groups vs. $\\mathbb{Z}_p^*$: more efficient for the honest parties, but that are equally hard for an adversary to break.\\\\ (Both 1024-bit $\\mathbb{Z}_p^*$ and 132-bit elliptic curve need $2^{66}$ steps.)\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{The Baby-Step/Giant-Step Algorithm}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/baby-giant}\n\\end{center}\n\\end{figure}\n\\begin{algorithm}[H]\n\\SetKwInOut{Input}{input}\n\\SetKwInOut{Output}{output}\n\\SetKw{KwC}{compute}\n\\SetKw{KwS}{sort}\n\\DontPrintSemicolon\n\\caption{The baby-step/giant-step algorithm}\n\\Input{$g \\in \\mathbb{G}$ and $y \\in \\langle g \\rangle$; $q=\\mathsf{ord}(g)$ ($t := \\lfloor \\sqrt{q}\\rfloor$)}\n\\Output{$\\log_g y$}\n\\BlankLine\n\n\\lFor{$i = 0$ \\KwTo $\\lfloor q/t \\rfloor$}{\\KwC $g_i := g^{i\\cdot t}$ \\tcc*[f]{giant steps}}\n\\KwS the pairs $(i,g_i)$ by $g_i$\\;\n\\For{$i = 0$ \\KwTo $t$}{\n\\KwC $y_i := y\\cdot g^i$ \\tcc*[f]{baby steps}\\;\n\\lIf{$y_i = g_k$ for some $k$}{\\Return $[kt-i \\bmod q]$}\n}\n\\end{algorithm}\nThe time complexity is $\\mathcal{O}(\\sqrt{q}\\cdot \\mathsf{polylog}(q))$.\n\\end{frame}\n\\begin{frame}\\frametitle{Example of Baby-Step/Giant-Step Algorithm}\n\\begin{exampleblock}{In $\\mathbb{Z}^*_{29}$, $q=28$, $g=2$, $y=17$.}\n$t=5$, compute the giant steps:\n\\[2^0=1,\\; 2^5=3,\\; 2^{10}=9,\\; 2^{15}=27,\\; 2^{20}=23,\\; 2^{25}=11. \\]\ncompute the baby steps:\n\\[17\\cdot 2^0=17,\\; 17\\cdot 2^1=5,\\; 17\\cdot 2^2=10,\\]\n\\[ 17\\cdot 2^3=20,\\; 17\\cdot 2^4=11,\\; 17\\cdot 2^5=22.\\]\n$2^{25}=11=17\\cdot 2^4$. So $\\log_2 17=25-4=21$.\n\\end{exampleblock}\n\n\\end{frame}\n\\begin{frame}\\frametitle{The Pohlig-Hellman Algorithm}\n\\textbf{Idea}: when $q$ is known and has small factors, reduces the discrete logarithm instance to multiple instances in groups of smaller order.\n\\newline\n\nAccording to CRT: If $q=\\prod^k_{i=1}q_i$ and $\\forall i\\neq j, \\gcd(q_i,q_j)=1$, then\n\\[ \\mathbb{Z}_q \\simeq \\mathbb{Z}_{q_1} \\times \\cdots \\times \\mathbb{Z}_{q_k}\\; \\text{and}\\; \\mathbb{Z}^*_q \\simeq \\mathbb{Z}^*_{q_1} \\times \\cdots \\times \\mathbb{Z}^*_{q_k} \\]\n\\[(g_i)^x\\overset{\\text{def}}{=} \\left( g^{q/q_i} \\right)^x = (g^x)^{q/q_i} = y^{q/q_i}\\; \\text{for}\\; i=1,\\dotsc,k.\\]\nWe have $k$ instances in $k$ smaller groups, $\\mathsf{ord}(g_i) = q_i.\\;$ \\footnote{If $p \\mid q$, then $\\mathsf{ord}(g^p)=q/p$.}\\\\\nUse any other algorithm to solve $\\log_{g_i} (y^{q/q_i})$.\\\\\nAnswers are $\\{x_i\\}^k_{i=1}$ for which $g_i^{x_i} \\equiv y^{q/q_i} \\equiv g_i^x$. \\\\\n$\\forall i,\\;x \\equiv x_i \\pmod{q_i}$. $x \\bmod q$ is uniquely determined (CRT). \\\\\nThe time complexity is $\\mathcal{O}(\\max_i\\{\\sqrt{q_i}\\}\\cdot \\mathsf{polylog}(q))$.\n\\end{frame}\n\\begin{frame}\\frametitle{Example of Pohlig-Hellman Algorithm}\n\\begin{exampleblock}{In $\\mathbb{Z}^*_{31}$, $q=30=5\\cdot 3 \\cdot 2$, $g=3$, $y=26=g^x$.}\n\\begin{alignat*}{3}\n(g^{30/5})^x & = y^{30/5} & \\implies (3^{6})^x\\;\\, & = 26^{6} & \\implies 16^x & \\equiv 1 \\\\\n(g^{30/3})^x & = y^{30/3} & \\implies (3^{10})^x & = 26^{10} & \\implies 25^x & \\equiv 5 \\\\\n(g^{30/2})^x & = y^{30/2} & \\implies (3^{15})^x & = 26^{15} & \\implies 30^x & \\equiv 30 \n\\end{alignat*}\n\\[ x \\equiv 0 \\pmod 5,\\; x \\equiv 2 \\pmod 3, x \\equiv 1 \\pmod 2, \\]\nso $x \\equiv 5 \\pmod{30}$.\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{The Index Calculus Method}\n\\textbf{Idea}: find a relatively small factor base and build a system of $\\ell$ linear equations related to $g$; find a linear equation related to $y$; solve $\\ell+1$ linear equations to give $\\log_g y$.\n\\begin{enumerate}\n\\item for $\\mathbb{Z}^*_p$, choose a base $B = \\{p_1,\\dotsc,p_k\\}$ of prime numbers. \n\\item find $\\ell \\ge k$ distinct $x_1,\\dotsc,x_\\ell$ for which $[g^{x_i} \\bmod p]$ decompose into the elements of $B$: $g^{x_i} \\equiv \\prod^k_{j=1} p_j^{e_j} \\pmod p$.\n\\item $\\ell$ equations: $x_i = \\sum^k_{j=1}e_{i,j}\\cdot \\log_g(p_{j}) \\pmod{p-1}$.\n\\item find $x^*$ for which $[g^{x^*}\\cdot y \\bmod p]$ can be factored.\n\\item new equation: $x^* + \\log_gy = \\sum^k_{j=1}e^*_{j}\\cdot \\log_g(p_j) \\pmod{p-1}$.\n\\item Use linear algebra to solve equations and give $\\log_gy$. \n\\end{enumerate}\nThe time complexity is identical to that of the quadratic sieve.\n\\end{frame}\n\\begin{frame}\\frametitle{Example of Index Calculus Method}\n\\begin{exampleblock}{$p=101$, $g=3$ and $y=87$. $B=\\{2,5,13\\}$.}\n$3^{10} \\equiv 65 \\pmod {101}$ and $65 = 5\\cdot 13$. Similarly, $3^{12} \\equiv 80 = 2^4 \\cdot 5 \\pmod {101}$ and $3^{14} \\equiv 13 \\pmod {101}$. The linear equations:\n\\begin{align*}\nx_1 = 10 &\\equiv \\log_3 5 + \\log_3 13 \\pmod{100}\\\\\nx_2 = 12 &\\equiv 4\\cdot \\log_3 2 + \\log_3 5 \\pmod{100}\\\\\nx_3 = 14 &\\equiv \\log_3 13 \\pmod{100}.\n\\end{align*}\nWe also have $x^*=5$, $3^5\\cdot 87 \\equiv 32 \\equiv 2^5 \\pmod{101}$, or\n\\[5+\\log_3 87 \\equiv 5\\cdot \\log_3 2 \\pmod{100}.\\]\nAdding the 2nd and 3rd equations and subtracting the 1st, we derive $4\\cdot \\log_3 2 \\equiv 16 \\pmod{100}$. So $\\log_3 2$ is 4, 29, 54, or 79. Trying all shows that $\\log_3 2 = 29$. The last equation gives $\\log_3 87 = 40$.\n\\end{exampleblock}\n\\end{frame}\n\\section{More Public-key Schemes}\n\\begin{frame}\\frametitle{Additional Public-key Schemes}\n\\begin{itemize}\n\\item \\textbf{Goldwasser-Micali} based on deciding quadratic residuosity problem. (first scheme proven to be CPA-secure)\n\\item \\textbf{Rabin}: based on the computing square root problem. (security equivalent to the hardness of factoring)\n\\item \\textbf{Paillier}: based on the decisional composite residuosity problem. (efficient and homomorphic)\n\\item \\textbf{Elliptic curve}: forms a cyclic group with DH problem (efficient).\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Quadratic Residues Modulo a Prime}\n\\begin{itemize}\n\\item $y \\in \\mathbb{G}$ is a \\textbf{quadratic residue (qr)} if $\\exists x \\in \\mathbb{G}$ with $x^2 = y$. Otherwise, $y$ is a \\textbf{quadratic non-residue (qnr)}.\n\\item In an abelian group, the set of qr forms a subgroup.\n\\item In $\\mathbb{Z}_p^*$, $p> 2$ is prime, every qr has two square roots.\n\\item The set of qr/qnr is $\\mathcal{QR}_p$/$\\mathcal{QNR}_p$,\n$\\abs{\\mathcal{QR}_p}= \\abs{\\mathcal{QNR}_p} = \\frac{p-1}{2}$.\n\\item $\\mathcal{J}_p(x)$ is \\textbf{Jacobi symbol} of $x$ modulo $p$:\n\n\\[\n \\mathcal{J}_p(x) \\overset{\\mathsf{def}}{=} \\left\\{ \n \\begin{array}{l l}\n +1 & \\quad \\text{if $x$ is a qr}\\\\\n -1 & \\quad \\text{if $x$ is not a qr}\\\\\n \\end{array} \\right .\n\\]\n\\item $\\mathcal{J}_p(x) = x ^{\\frac{p-1}{2}} \\bmod p$.\n\\item $\\mathcal{J}_p(xy) = \\mathcal{J}_p(x)\\cdot \\mathcal{J}_p(y)$.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Quadratic Residues Modulo a Composite}\n\\begin{itemize}\n\\item $N = pq$, $p,q$ distinct primes, in Chinese Remainder Theorem: \n$x \\in \\mathbb{Z}_N^*$ with $ x \\leftrightarrow (x_p,x_q) = ([x \\bmod p], [x \\bmod q])$.\n\\item $x$ is a qr mod $N$ $\\iff$ $x_p$/$x_q$ are qr mod $p$/$q$.\n\\item $x$ is a qr mod $N$ $\\iff \\mathcal{J}_p(x) = \\mathcal{J}_q(x) = +1$.\n\\item Qr $x$ has 4 roots: $(\\pm x_p, \\pm x_q)$, so $\\frac{\\abs{\\mathcal{QR}_N}}{\\abs{Z_N^*}} = \\frac{\\abs{\\mathcal{QR}_p}\\abs{\\mathcal{QR}_q}}{\\abs{Z_N^*}}=\\frac{1}{4}$.\n\\item $\\mathcal{J}_N(x) \\overset{\\mathsf{def}}{=} \\mathcal{J}_p(x) \\cdot \\mathcal{J}_q(x)$. $\\mathcal{J}_N(xy) = \\mathcal{J}_N(x)\\cdot \\mathcal{J}_N(y)$.\n\\item $\\mathcal{QNR}_N^{+1}(x) \\overset{\\mathsf{def}}{=} \\{ x | x \\text{ is qnr, but } \\mathcal{J}_N(x) = +1\\}$.\n%\\item $[xy \\bmod N] \\in \\mathcal{QR}_N \\text{ if } x,y \\in \\mathcal{QR}_N \\text { or } \\mathcal{QNR}_N^{+1}$.\n%\\item $[xy \\bmod N] \\in \\mathcal{QNR}_N^{+1} \\text{ if } x \\in \\mathcal{QR}_N \\text{ and } y \\in \\mathcal{QNR}_N^{+1}$.\n\\end{itemize}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/qr-qnr.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Goldwasser-Micali Scheme}\n\\begin{itemize}\n\\item \\textbf{Deciding quadratic residuosity (DQR)} of $x$, where $x$ is randomly chosen from $\\mathcal{J}_N^{+1}$ ($\\mathcal{QR}_N$ and $\\mathcal{QNR}_N^{+1}$).\n\\item For DQR, no solution is better than factoring $N$.\n\\end{itemize}\n\\begin{construction}\n\\begin{itemize}\n\\item $\\mathsf{Gen}$: $(N,p,q)$, $z \\gets \\mathcal{QNR}_N^{+1}$. $pk = \\left$ and $sk=\\left$.\n\\item $\\mathsf{Enc}$: $m\\in \\{0,1\\}$, $x\\gets \\mathbb{Z}_N^*$, output $c := [z^m\\cdot x^2 \\bmod N]$.\n\\item $\\mathsf{Dec}$: If $c$ is a qr, output $0$; otherwise $1$.\n\\end{itemize}\n\\end{construction}\nGoldwasser-Micali scheme is CPA-secure if DQR problem is hard.\n\\end{frame}\n\\begin{frame}\\frametitle{Computing Square Roots mod a Prime}\n\\begin{algorithm}[H]\n\\SetKwInOut{Input}{input}\n\\SetKwInOut{Output}{output}\n\\SetKw{KwC}{compute}\n\\SetKw{KwS}{sort}\n\\SetKw{KwCA}{case}\n\\DontPrintSemicolon\n\\caption{computing square root of a prime}\n\\Input{Prime $p$; quadratic residue $a \\in \\mathbb{Z}^*_p$}\n\\Output{A square root of $a$}\n\\BlankLine\n\n\\KwCA $p=3 \\bmod 4$:\n\\Return $[a^{\\frac{p+1}{4}} \\bmod p]$\\;\n\\KwCA $p=1 \\bmod 4$:\nlet $b$ be a qnr modulo $p$\\;\n\\KwC $l$ and $m$ odd with $2^\\ell\\cdot m = \\frac{p-1}{2}$\\;\n$r := 2^\\ell$, $r' := 0$\\;\n\\For{$i = \\ell$ \\KwTo $1$}{ $r := r/2$, $r' := r'/2$\\tcc*[f]{maintain $a^r\\cdot b^{r'}=1 \\bmod p$}\\;\n\\lIf{$a^r\\cdot b^{r'} = -1 \\bmod p$}{$r' := r' + 2^\\ell \\cdot m$}\n}\n\\tcc{now $r=m$, $r'$ is even, and $a^r\\cdot b^{r'}=1 \\bmod p$}\n\\Return $\\left[ a^{\\frac{r+1}{2}}\\cdot b^{\\frac{r'}{2}} \\bmod p\\right]$\\;\n\\end{algorithm}\n\\end{frame}\n\\begin{frame}\\frametitle{Rabin Scheme}\n\\begin{itemize}\n\\item \\textbf{Computing square roots (CSR)} of qr mod $N$ is \\textbf{proven to be hard} if factoring $N$ is hard.\n\\item $N=pq$ is a \\textbf{Blum integer} if $p \\ne q$ and $p \\equiv q \\equiv 3 \\bmod 4$.\n\\item $\\mathcal{QR}$ for Blum integer can form TDP.\n\\end{itemize}\n\\begin{construction}\n\\begin{itemize}\n\\item $\\mathsf{Gen}$: Blum integer $N=pq$, $pk = N$ and $sk=\\left$.\n\\item $\\mathsf{Enc}$: $m\\in \\{0,1\\}$, $x\\gets \\mathcal{QR}_N$, output $c := \\left< [x^2 \\bmod N],\\mathsf{lsb}(x)\\oplus m\\right>$.\n\\item $\\mathsf{Dec}$: Input $\\left$. $x=c^{1/2}$, output $\\mathsf{lsb}(x)\\oplus c'$.\n\\end{itemize}\n\\end{construction}\nRabin scheme is CPA-secure if factoring problem is hard.\n\\end{frame}\n\\begin{frame}\\frametitle{Paillier Scheme}\n\\begin{itemize}\n\\item $\\mathbb{Z}_N\\times \\mathbb{Z}_N^* \\simeq \\mathbb{Z}_{N^2}^*$ with $f(a,b)=[(1+N)^a\\cdot b^N \\bmod N^2]$.\n\\item $\\mathsf{Res}(N^2)$ is the set of $N$th residue mod $N^2$: $\\{(0,b) | b \\in \\mathbb{Z}_N^*\\}$.\n\\item \\textbf{Decisional composite residuosity (DCR)} problem is to distinguish a random element of $\\mathbb{Z}_{N^2}^*$ from one of $\\mathsf{Res}(N^2)$. \n\\end{itemize}\n\\begin{construction}\n\\begin{itemize}\n\\item $\\mathsf{Gen}$: $(N,p,q)$, $pk = N$ and $sk=\\left$.\n\\item $\\mathsf{Enc}$: $m\\in \\mathbb{Z}_N$, $r\\gets \\mathbb{Z}_N^*$, output $c := [(1+N)^m\\cdot r^N \\bmod N^2]$.\n\\item $\\mathsf{Dec}$: output $\\left[ \\frac{[c^{\\phi(N)} \\bmod N^2]-1}{N}\\cdot \\phi(N)^{-1} \\bmod N\\right]$.\n\\end{itemize}\n\\end{construction}\n$c^{\\phi(N)} \\bmod N^2 \\leftrightarrow (m,r)^{\\phi(N)} = (m\\cdot {\\phi(N)}, r^{\\phi(N)}).$ \\\\\nPaillier scheme is CPA-secure if DCR problem is hard.\n\\end{frame}\n\\end{document}\n" }, { "path": "source/1introduction.tex", "content": "\\input{source/header/main.tex}\n\n\\title{Introduction}\n\n\\begin{document}\n\\maketitle\n\\begin{frame}\n\\frametitle{Outline}\n\\tableofcontents\n\\end{frame}\n\\section{Cryptography and Modern Cryptography}\n\\begin{frame}\\frametitle{What is Cryptography?}\n\\begin{itemize}\n\\item \\textbf{Cryptography}: from Greek \\emph{krypt\\'os}, ``hidden, secret''; and \\emph{gr\\'{a}phin}, ``writing''\n\\item \\textbf{Cryptography}: the art of writing or solving codes.\\\\ (Concise oxford dictionary 2006)\n\\item \\textbf{Codes}: a system of prearranged signals, especially used to ensure secrecy in transmitting messages. \\\\ (\\emph{code word} in cryptography)\n\\item \\textbf{1980s}: from Classic to Modern; from Military to Everyone\n\\item \\textbf{Modern cryptography}: the scientific study of mathematical techniques for securing digital information, systems, and distributed computations against adversarial attacks\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{What is cryptography? [xkcd:504]}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/legal} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\section{The Setting of Private-Key Encryption}\n\\begin{frame}\\frametitle{Private-Key Encryption}\n\\begin{itemize}\n\\item \\textbf{Goal}: to construct \\textbf{ciphers} (encryption schemes) for providing secret communication between two parties sharing \\textbf{private-key} (the symmetric-key) in advance\n\\item \\textbf{Implicit assumption}: there is some way of initially sharing a key in a secret manner\n\\item \\textbf{Disk encryption}: the same user at different points in time\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Alice, Bob [xkcd:1323]}\nChanging the names would be easier, but if you're not comfortable lying, try only making friends with people named Alice, Bob, Carol, etc.\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=45mm]{pic/alice-bob} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{The Syntax of Encryption}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/private-key}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item key $k \\in \\mathcal{K}$, plaintext (or message) $m \\in \\mathcal{M}$, ciphertext $c \\in \\mathcal{C}$\n\\item \\textbf{Key-generation} algorithm~$k \\gets \\mathsf{Gen}$\n\\item \\textbf{Encryption} algorithm~$c:= \\mathsf{Enc}_k(m)$\n\\item \\textbf{Decryption} algorithm~$m:= \\mathsf{Dec}_k(c)$\n\\item \\textbf{Encryption scheme}: $\\Pi = (\\mathsf{Gen}, \\mathsf{Enc}, \\mathsf{Dec})$\n\\item \\textbf{Basic correctness requirement}: $\\mathsf{Dec}_k(\\mathsf{Enc}_k(m)) = m$\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Securing Key vs Obscuring Algorithm}\n\\begin{itemize}\n\\item Easier to maintain secrecy of a short key\n\\item In case the key is exposed, easier for the honest parties to change the key\n\\item In case many pairs of people, easier to use the same algorithm, but different keys\n\\end{itemize}\n\\begin{alertblock}{Kerckhoffs's principle}\n\\begin{quote}\nThe cipher method must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.\n\\end{quote}\t\n\\end{alertblock}\n\\begin{alertblock}{Shannon's maxim}\n\t\\begin{quote}\n\t\tThe enemy knows the system.\n\t\\end{quote}\t\n\\end{alertblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Why ``Open Cryptographic Design''}\n\\begin{itemize}\n\\item Published designs undergo public scrutiny are to be stronger\n\\item Better for security flaws to be revealed by ``ethical hackers''\n\\item Reverse engineering of the code (or leakage by industrial espionage) poses a serious threat to security\n\\item Enable the establishment of standards.\n\\end{itemize}\n\\begin{exampleblock}{Dual EC: A Standardized Back Door}\n\t``Dual EC was standardized by NIST, ANSI, and ISO among other algorithms to generate pseudorandom numbers.'' ``The Snowden revelations, and in particular reports on Project Bullrun and the SIGINT Enabling Project, have indicated that Dual EC was part of a systematic effort by NSA to subvert standards.'' ``Reuters reported that NSA paid RSA ``\\$10 million in a deal that set [Dual EC] as the preferred, or default, method for number generation in the BSafe software.''''\t\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Attack Scenarios}\t\n\\begin{itemize}\n\\item \\textbf{Ciphertext-only}: the adversary just observes ciphertext\n\\item \\textbf{Known-plaintext}: the adversary learns pairs of plaintexts/ciphertexts under the same key\n\\item \\textbf{Chosen-plaintext}: the adversary has the ability to obtain the encryption of plaintexts of its choice\n\\item \\textbf{Chosen-ciphertext}: the adversary has the ability to obtain the decryption of \\textbf{other} ciphertexts of its choice\n\\item \\textbf{Passive attack}: COA KPA\n\\begin{itemize}\n\\item because not all ciphertext are confidential\n\\end{itemize}\n\\item \\textbf{Active attack}: CPA CCA\n\\begin{itemize}\n\\item when to encrypt/decrypt whatever an adversary wishes?\n\\end{itemize}\n\\end{itemize}\t\n\\end{frame}\n\\section{Historical Ciphers and Their Cryptanalysis}\n\\begin{comment}\n\t\\begin{frame}\\frametitle{Why We Learn Broken Ciphers?}\n\t\\begin{itemize}\n\t\\item To understand the weaknesses of an ``ad-hoc'' approach\n\t\\item To learn that ``simple'' approaches are unlikely to succeed\n\t\\item To feel that ``we are smart enough to do some crypt-analyzing''\n\t\\end{itemize}\n\t\\end{frame}\n\\end{comment}\n\n\\begin{frame}[fragile]\\frametitle{Caesar's Cipher}\n\\begin{quote}\nIf he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to \\alert{decipher} these, and get at their meaning, he must \\alert{substitute the fourth letter of the alphabet, namely D, for A}, and so with the others\n\n\\rightline{--Suetonius,``Life of Julius Caesar''}\n\\end{quote}\n\\begin{itemize}\n\t\\item $\\mathsf{Enc}(m)=m+3\\mod 26$ \\footnote{In fact the quote indicates that decryption involved rotating letters of the alphabet forward 3 positions, $\\mathsf{Dec}(c)=c+3\\mod 26$}\n\t\\item \\textbf{Weakness}: ? %\\alert{What is the key?}\n\\end{itemize}\n\\begin{exampleblock}{Example}\n\\verb|begintheattacknow|\n%\\verb|EHJLQWKHDWWDFNQRZ|\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Shift Cipher}\n\\begin{itemize}\n\\item $\\mathsf{Enc}_k(m)=m+k\\mod 26$\n\\item $\\mathsf{Dec}_k(c)=c-k\\mod 26$\n\\item \\textbf{Weakness}: ? %Fragile under \\textbf{Brute-force attack} (exhaustive search)\n\\end{itemize}\n\\begin{exampleblock}{Example: Decipher the string}\t\n\\verb|EHJLQWKHDWWDFNQRZ|\n\\end{exampleblock}\n\\begin{alertblock}{Sufficient Key Space Principle}\nAny secure encryption scheme must have a key space that is not vulnerable to exhaustive search.\\footnote{If the plaintext space is larger than the key space.}\n\\end{alertblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Index of Coincidence (IC) Method (to find $k$)}\n\\textbf{How to automatically determine that the deciphered text makes sense?}\n\n\\textbf{Index of Coincidence (IC)}: the probability that two randomly selected letters (pick-then-return) will be identical.\n\nLet $p_i$ denote the probability of $i$th letter in English text.\n\\[I \\overset{\\text{def}}{=}\\sum_{i=0}^{25} p_i^2 \\]\n\\begin{exampleblock}{Example}\nWhat's the IC of `apple'?\n\\end{exampleblock}\n\nFor a long English text, the IC is $\\approx 0.065$.\nFor $j = 0, 1, \\dotsc , 25$, $q_j$ is the probability of $j$th letter in the ciphertext.\n\\[I_s \\overset{\\text{def}}{=}\\sum_{i=0}^{25} p_i \\cdot q_{i+s}\\]\n\\alert{Q: For shift cipher, if $s = k$, then $I_s \\approx$ ?}\n\\end{frame}\n\n\\begin{frame}[fragile]\\frametitle{Mono-Alphabetic Substitution}\n\\begin{itemize}\n\\item \\textbf{Idea}: To map each character to a different one in an arbitrary manner\n\\item \\textbf{Strength}: Key space is large $\\approx 2^{88}$. \\alert{Q: how to count?}\n\\item \\textbf{Weakness}: ? %The mapping of each letter is fixed\n\\end{itemize}\n\\begin{exampleblock}{Example}\n\\verb|abcdefghijklmnopqrstuvwxyz|\\\\\n\\verb|XEUADNBKVMROCQFSYHWGLZIJPT|\n\nPlaintext: \\verb|tellhimaboutme|\\\\\nCiphertext: \\verb|??????????????|\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Attack with Statistical Patterns}\n\\begin{enumerate}\n\\item Tabulate the frequency of letters in the ciphertext\n\\item Compare it to those in English text\n\\item Guess the most frequent letter corresponds to \\verb|e|, and so on\n\\item Choose the plaintext that does ``make sense'' (Not trivial)\n\\end{enumerate}\n\\begin{table}\n\\begin{center}\n\\caption{Average letter frequencies for English-language text}\n\\begin{tabular}{|cc|cc|cc|cc|cc|} \\hline\ne & 12.7\\% & t & 9.1\\% & a & 8.2\\% & o & 7.5\\% & i & 7.0\\%\\\\\nn & 6.7\\% & \\_ & 6.4\\% & s & 6.3\\% & h & 6.1\\% & r & 6.0\\%\\\\\nd & 4.3\\% & l & 4.0\\% & c & 2.8\\% & u & 2.8\\% & m & 2.4\\%\\\\\nw & 2.4\\% & f & 2.2\\% & g & 2.0\\% & y & 2.0\\% & p & 1.9\\%\\\\\nb & 1.5\\% & v & 1.0\\% & k & 0.8\\% & j & 0.2\\% & x & 0.2\\%\\\\\nq & 0.1\\% & z & 0.1\\% & & & & & &\\\\ \\hline\n\\end{tabular}\n\\end{center}\n\\end{table}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Example of Frequency Analysis (Ciphertext)}\n\\begin{verbatim}\nLIVITCSWPIYVEWHEVSRIQMXLEYVEOIEWHRXEXIPFEMVEWHKVS\nTYLXZIXLIKIIXPIJVSZEYPERRGERIMWQLMGLMXQERIWGPSRIH\nMXQEREKIETXMJTPRGEVEKEITREWHEXXLEXXMZITWAWSQWXSWE\nXTVEPMRXRSJGSTVRIEYVIEXCVMUIMWERGMIWXMJMGCSMWXSJO\nMIQXLIVIQIVIXQSVSTWHKPEGARCSXRWIEVSWIIBXVIZMXFSJX\nLIKEGAEWHEPSWYSWIWIEVXLISXLIVXLIRGEPIRQIVIIBGIIHM\nWYPFLEVHEWHYPSRRFQMXLEPPXLIECCIEVEWGISJKTVWMRLIHY\nSPHXLIQIMYLXSJXLIMWRIGXQEROIVFVIZEVAEKPIEWHXEAMWY\nEPPXLMWYRMWXSGSWRMHIVEXMSWMGSTPHLEVHPFKPEZINTCMXI\nVJSVLMRSCMWMSWVIRCIGXMWYMX\n\\end{verbatim}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Example of Frequency Analysis (Analysis)}\nCount and Guess, Trial and Error.\n\\begin{table}\n\\begin{center}\n\\caption{Analysis Steps}\n\\begin{tabular}{|r|l|} \\hline\nCiphertext & Plaintext \\\\ \\hline\n\\alert{I} & \\alert{e} \\\\\n\\alert{XLI} & \\alert{the} \\\\\n\\alert{E} & \\alert{a} \\\\\n\\alert{R}tate & \\alert{s}tate \\\\\natthatt\\alert{MZ}e & atthatt\\alert{im}e \\\\\nhe\\alert{V}e & he\\alert{r}e \\\\\nremar\\alert{A} & remar\\alert{k} \\\\ \\hline\n\\end{tabular}\n\\end{center}\n\\end{table}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Example of Frequency Analysis (Plaintext)}\n\\begin{quote}\nHereupon Legrand arose, with a grave and stately air, and brought me the beetle\nfrom a glass case in which it was enclosed. It was a beautiful scarabaeus, and, at\nthat time, unknown to naturalists -- of course a great prize in a scientific point\nof view. There were two round black spots near one extremity of the back, and a\nlong one near the other. The scales were exceedingly hard and glossy, with all the\nappearance of burnished gold. The weight of the insect was very remarkable, and,\ntaking all things into consideration, I could hardly blame Jupiter for his opinion\nrespecting it.\n\n\\rightline{--Edgar Allan Poe's ``The Gold-Bug''}\n\\end{quote}\n\\end{frame}\n\n\\begin{frame}[fragile]\\frametitle{Vigen\\`{e}re (poly-alphabetic shift) Cipher}\n\\begin{itemize}\n\\item \\textbf{Idea}: To ``smooth out'' the distribution in the ciphertext by mapping different instances of the same letter in the plaintext to different ones in the ciphertext\n\\item \\textbf{Encryption}: $c_i=m_i+k_{[i\\bmod t]}$, $t$ is the length (period) of $k$\n\\item \\textbf{Cryptanalysis}: Need find $t$; if $t$ is known, need know whether the decryption ``makes sense'', but brute force ($26^t$) is infeasible for $t > 15$\n\\end{itemize}\n\\begin{exampleblock}{Example (Key is `cafe')}\n\\begin{description}[Ciphertext]\n\\item[Plaintext] \\verb|tellhimaboutme| \\\\\n\\item[Key] \\verb|cafecafecafeca| \\\\\n\\item[Ciphertext] \\verb|??????????????| %\\verb|WFRQKJSFEPAYPF|\n\\end{description}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Kasiski's Method (to find $t$)}\n\\begin{itemize}\n\\item To identify repeated patterns of length 2 or 3\n\\item The distance between such appearances is a multiple of $t$\n\\item $t$ is the greatest common divisor of all the distances\n\\end{itemize}\n\\begin{exampleblock}{Example (Key is `beads')}\n\\begin{semiverbatim}\nthemanandthewomanretrievedtheletterfromthepostoffice\nbeadsbeadsbeadsbeadsbeadsbeansdeadsbeadsbeadsbeadbea\nVMFQTPFOH\\alert{MJJ}XSFCSSIMTNFZXFYISEIYUIKHWPQ\\alert{MJJ}QSLVTGJKGF\n\\end{semiverbatim}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Index of Coincidence (IC) Method (to find $t$)}\nFor $\\tau = 1, 2, \\dotsc$, $q_i$ is the probability of $i$th letter in $c_1, c_{1+\\tau}, c_{1+2\\tau}, \\dotsc$, IC is\n\\[I_\\tau \\overset{\\text{def}}{=}\\sum_{i=0}^{25} q_i^2\\]\n\\alert{If $\\tau = t$, then $I_\\tau \\approx ?$} ; otherwise $q_i \\approx \\frac{1}{26}$ and\n\\[I_\\tau \\approx \\sum_{i=0}^{25} \\left(\\frac{1}{26}\\right)^2 \\approx 0.038\\]\nThen reuse IC method to find $k_i$.\n\\begin{alertblock}{Arbitrary Adversary Principle}\nSecurity must be guaranteed for any adversary within the class of adversaries having the specified power\n\\end{alertblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Cryptanalytic Attacks (homework assignment)}\n\\begin{itemize}\n\\item Under COA, the requirement for ciphertext related to the size of the key space. Vig\\`{e}nere > mono-alphabetic sub. > shift\n\\item Under KPA, trivially broken.\n\\end{itemize}\n\\begin{alertblock}{Lessons learned}\n\\begin{itemize}\n\\item Sufficient key space principle\n\\item Designing secure cipher is a hard task\n\\item Complexity does not imply security (then what does?)\n\\item Arbitrary adversary principle\n\\end{itemize}\n\\end{alertblock}\n\\end{frame}\n\\section{The Basic Principles of Modern Cryptography}\n\\begin{frame}\\frametitle{Three Main Principles of Modern Cryptography}\n\\begin{enumerate}\n\\item The formulation of a rigorous \\textbf{definition} of security / threat model\n\\item When the security of a cipher relies on an unproven \\textbf{assumption}, this assumption must be precisely stated and be as minimal as possible\n\\item Cipher should be accompanied by a rigorous \\textbf{proof} of security with the above definition and the above assumption\n\\end{enumerate}\n\\end{frame}\n\\begin{frame}\\frametitle{Why Principle 1 -- Formulation of Exact Definitions}\n\\begin{exampleblock}{Q: how would you formalize the security for private-key encryption?}\n\\begin{enumerate}\n\\item \\emph{No adversary can find the secret key when given a ciphertext.}\\\\\n$\\mathsf{Enc}_k(m)=m$\n\\item \\emph{No adversary can find the plaintext that corresponds to the ciphertext.}\\\\\n$\\mathsf{Enc}_k(m)=m_{0}\\| \\mathsf{AES}_k(m)$\n\\item \\emph{No adversary can determine any character of the plaintext that corresponds to the ciphertext.}\\\\\n$m=1000$, someone can learn $ 800 < m < 1200$\n\\item \\emph{No adversary can derive any meaningful information about the plaintext from the ciphertext.}\\\\\nCould you define so-called `meaningful'?\n\\end{enumerate}\n\\emph{\\alert{Definitions of security should suffice for all potential applications.}}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Why Principle 1 -- How to define}\n%\\begin{exampleblock}{General Form}\n%A cryptographic scheme for a given \\textbf{task} is secure if no adversary of a specified \\textbf{power} can achieve a specified \\textbf{break}\n%\\end{exampleblock}\n\nHow To Define Security -- Lesson From Alan Turing\n\\begin{itemize}\n\\item What's computation?\\footnote{Q: Any ``mathematical proof that there exist well-defined problems that computers cannot solve''? A: Halting Problem in computability theory}\n\\begin{enumerate}\n\\item A direct appeal to \\textbf{intuition}\n\\item A \\textbf{proof of the equivalence} of two definitions\\\\ (The new one has a greater intuitive appeal)\n\\item Giving \\textbf{examples} solved using a definition\n\\end{enumerate}\n\\item Additional method for security: \\textbf{Test of time}\n\\end{itemize}\n\\end{frame}\t\n\\begin{frame}\\frametitle{Principle 2 -- Reliance on Precise Assumptions}\nMost cryptographic constructions \\textbf{cannot be proven secure unconditionally}\n\\begin{itemize}\n\t\\item \\textbf{Why?} \n\t\\begin{enumerate}\n\t\t\\item Validation of the assumption\n\t\t\\item Comparison of schemes\n\t\t\\item Facilitation of proofs of security\n\t\\end{enumerate}\n\t\\textbf{The construction is secure if the assumption is true.}\n\t\\item \\textbf{How?} \n\t\\begin{enumerate}\n\t\t\\item old, so well tested\n\t\t\\item simple and lower-level, so easy to study, refute \\& correct\n\t\\end{enumerate}\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Principle 3 -- Rigorous Proofs of Security}\n\\begin{itemize}\n\\item \\textbf{Why?} Proofs are more desirable in computer security than in other fields.\n\\item \\textbf{The reductionist approach}: \n\\begin{theorem}\tGiven that Assumption X is true, Construction Y is secure according to the given definition.\n\\end{theorem}\n\\begin{proof} Reduce the problem given by X to the problem of breaking Y.\n\\end{proof}\n\\item \\textbf{Ad-hoc approaches}: for those who need a ``quick and dirty'' solution, or who are just simply unaware.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Summary}\n\\begin{itemize}\n\\item Cryptography secures information, transactions and computations\n\\item Kerckhoffs's principle \\& Open cryptographic design\n\\item Caesar's, shift, Mono-Alphabetic sub., Vigen\\`{e}re\n\\item Brute force, letter frequency, Kasiski's, IC\n\\item Sufficient key space principle\n\\item Arbitrary adversary principle\n\\item Rigorously proven security\n\\end{itemize}\n\\end{frame}\n\\end{document}\n\n" }, { "path": "source/2perfectlysecret.tex", "content": "\\input{source/header/main.tex}\n\n\\title{Perfectly Secret Encryption}\n\n\\begin{document}\n\\maketitle\n\\begin{frame}\\frametitle{Outline}\n\\tableofcontents\n\\end{frame}\n\\section{Definitions and Basic Properties}\n\\begin{frame}\\frametitle{Recall The Syntax of Encryption}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/private-key}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item $k \\in \\mathcal{K}, m \\in \\mathcal{M}, c \\in \\mathcal{C}$.\n\\item $k \\gets \\mathsf{Gen}, c:= \\mathsf{Enc}_k(m), m:= \\mathsf{Dec}_k(c)$.\n\\item \\textbf{Encryption scheme}: $\\Pi = (\\mathsf{Gen}, \\mathsf{Enc}, \\mathsf{Dec})$.\n\\item \\textbf{Random Variable}: $K, M, C$ for key, plaintext, ciphertext.\n\\item \\textbf{Probability}: $\\Pr[K=k], \\Pr[M=m], \\Pr[C=c].$\n\\item \\alert{What's the basic correctness requirement?}\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Definition of `Perfect Secrecy'}\n\\textbf{Intuition}: An adversary knows the probability distribution over $\\mathcal{M}$. $c$ should have no effect on the knowledge of the adversary; the a \\emph{posteriori} likelihood that some $m$ was sent should be no different from the a \\emph{priori} probability that $m$ would be sent. \n\\begin{definition}\n$\\Pi$ over $\\mathcal{M}$ is \\textbf{perfectly secret} if for every probability distribution over $\\mathcal{M}$, $\\forall m \\in \\mathcal{M}$ and $\\forall c \\in \\mathcal{C}$ for which $\\Pr[C = c] > 0$:\n\\[ \\Pr[M=m | C=c] = \\Pr[M=m].\\]\n\\end{definition}\n\\textbf{Simplify}: non-zero probabilities for $\\forall m \\in \\mathcal{M}$ and $\\forall c \\in \\mathcal{C}$.\\\\\n\n\\begin{exampleblock}{Is the below scheme perfectly secret?}{ For $\\mathcal{M}=\\mathcal{K} = \\{ 0,1 \\} , \\mathsf{Enc}_k(m)= m \\oplus k$.}\\end{exampleblock}\n\\end{frame}\n\n\\begin{frame}\\frametitle{Perfect Secrecy On One Bit}\n\n\\begin{exampleblock}{XORing one bit is perfectly secret.}\nLet $\\Pr[M=1] = p$ and $\\Pr[M=0] = 1-p$.\nLet us consider a case that $M=1$ and $C=1$.\n\\[ \\Pr[M=1 | C=1] = \\Pr[C=1 | M=1 ] \\cdot \\Pr[ M=1 ] / \\Pr[C=1] \\]\n\\[ = \\frac{\\Pr[K = 1\\oplus 1] \\cdot p }{ \\Pr[C=1 | M=1] \\cdot \\Pr[M=1] + \\Pr[C=1 | M=0] \\cdot \\Pr[M=0]} \\]\n\\[ = \\frac{1/2 \\cdot p }{ 1/2 \\cdot p + 1/2 \\cdot (1-p)} = p = \\Pr[M=1] \\]\nWe can do the same for other cases.\n\\end{exampleblock}\nNote that $\\Pr[M=1 | C=1] \\neq \\Pr[M=1, C=1] = \\Pr[C=1 | M=1] \\cdot \\Pr[M=1] = 1/2 \\cdot p$.\n\\end{frame}\n\n\\begin{frame}\\frametitle{An Equivalent Formulation}\n\\begin{lemma} \\label{lem:ps} \n$\\Pi$ over $\\mathcal{M}$ is perfectly secret $\\iff$ for every probability distribution over $\\mathcal{M}$, $\\forall m \\in \\mathcal{M}$ and $\\forall c \\in \\mathcal{C}$:\n\\[ \\Pr[C=c | M=m] = \\Pr[C=c].\\]\n\\end{lemma}\n\\begin{proof}\n$\\Leftarrow$: Multiplying both sides by $\\Pr[M=m]/\\Pr[C=c]$, then use Bayes' Theorem.\n\\footnote{If $\\Pr[B]\\neq 0$ then $ \\Pr[A|B] \\cdot \\Pr[B]= \\Pr[B|A] \\cdot \\Pr[A]) $} \\\\\n$ \\Pr[C=c | M=m] \\cdot \\Pr[M=m] / \\Pr[C=c] = \\Pr[M=m]$\\\\\n$ \\Pr[M=m | C=c] \\cdot \\Pr[C=c] / \\Pr[C=c] = \\Pr[M=m | C=c]$\n$\\Rightarrow$: Multiplying both sides by $\\Pr[C=c]/\\Pr[M=m]$, then use Bayes' Theorem.\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Perfect Indistinguishability}\n\\begin{lemma}\\label{lem:pi}\n$\\Pi$ over $\\mathcal{M}$ is perfectly secret $\\iff$ for every probability distribution over $\\mathcal{M}$, $\\forall m_0, m_1 \\in \\mathcal{M}$ and $\\forall c \\in \\mathcal{C}$:\n\\[ \\Pr[C=c | M=m_0] = \\Pr[C=c | M=m_1].\\]\n\\end{lemma}\n\\begin{proof}\n$\\Rightarrow$: By Lemma \\ref{lem:ps}: $\\Pr[C=c | M=m] = \\Pr[C=c]$. \\\\\n$\\Leftarrow$: $p \\overset{\\text{def}}{=} \\Pr[C=c | M=m_0]$.\n\\[\n\\begin{split}\n\t\\Pr[C=c] &= \\sum_{m \\in \\mathcal{M}} \\Pr[C=c|M=m] \\cdot \\Pr[M=m] \\\\\n\t&= \\sum_{m \\in \\mathcal{M}} p \\cdot \\Pr[M=m] = p = \\Pr[C=c|M=m_0].\n\\end{split}\n\\]\n\\end{proof}\n\\end{frame}\n\\section{The One-Time Pad (Vernam's Cipher)}\n\\begin{frame}\\frametitle{One-Time Pad (Vernam's Cipher)}\n\\begin{itemize}\n\t\\item $\\mathcal{M} = \\mathcal{K} = \\mathcal{C} = \\{0,1\\}^{\\ell}$.\n\t\\item $\\mathsf{Gen}$ chooses a $k$ randomly with probability exactly $2^{-\\ell}$.\n\t\\item $c := \\mathsf{Enc}_k(m) = k \\oplus m$. \n\t\\item $m := \\mathsf{Dec}_k(c) = k \\oplus c$. \n\\end{itemize}\n\\begin{theorem}\nThe one-time pad encryption scheme is perfectly-secret.\n\\end{theorem}\n\\begin{proof}\n\\[\\begin{split} \\Pr[C=c|M=m] &= \\Pr[M \\oplus K=c|M=m] \\\\\n&= \\Pr[m \\oplus K=c] = \\Pr[K = m \\oplus c] = 2^{-\\ell}.\n\\end{split}\n\\]\nThen Lemma \\ref{lem:pi}: $\\Pr[C=c | M=m_0] = \\Pr[C=c | M=m_1]$.\n\\end{proof}\n\\end{frame}\n\\section{Limitations of Perfect Secrecy}\n\\begin{frame}\\frametitle{Limitations of OTP and Perfect Secrecy}\nKey $k$ is as long as $m$, difficult to store and share $k$.\n\\begin{theorem}\nLet $\\Pi$ be perfectly-secret over $\\mathcal{M}$, and let $\\mathcal{K}$ be determined by $\\mathsf{Gen}$. Then $|\\mathcal{K}|\\ge |\\mathcal{M}|$. \n\\end{theorem}\n\\begin{proof}\nAssume $|\\mathcal{K}| < |\\mathcal{M}|$.\n$\\mathcal{M}(c) \\overset{\\text{def}}{=} \\{ \\hat{m} | \\hat{m} = \\mathsf{Dec}_k(c)\\ \\text{for some}\\ \\hat{k} \\in \\mathcal{K} \\}$. Since for one $k$, there is at most one $m$ such that $m = \\mathsf{Dec}_k(c)$, $|\\mathcal{M}(c)|\\le |\\mathcal{K}| < |\\mathcal{M}|$. So $\\exists m' \\notin \\mathcal{M}(c)$. Then\n\\[ \\Pr[M=m'|C=c] = 0 \\neq \\Pr[M = m'] \\]\nand so not perfectly secret.\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Two Time Pad: Real World Cases}\nOnly used once for the same key, otherwise\n\\[c\\oplus c'=(m\\oplus k)\\oplus (m'\\oplus k)=m\\oplus m'.\\]\nLearn $m$ from $m\\oplus m'$ due to the redundancy of language.\n\\begin{exampleblock}{MS-PPTP (Win NT)}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/MS-PPTP.tex}\n\\end{center}\n\\end{figure}\nImprovement: use two keys for C-to-S and S-to-C separately.\n\\end{exampleblock}\n\\end{frame}\n\\section{Shannon's Theorem}\n\\begin{frame}\\frametitle{Shannon's Theorem}\n\\begin{theorem}\nFor $|\\mathcal{M}| = |\\mathcal{K}| = |\\mathcal{C}|$, $\\Pi$ is perfectly secret $\\iff$\n\\begin{enumerate}\n\\item Every $k \\in \\mathcal{K}$ is chosen with probability $1/|\\mathcal{K}|$ by $\\mathsf{Gen}$.\n\\item $\\forall m \\in \\mathcal{M}$ and $\\forall c \\in \\mathcal{C}$, $\\exists$ unique $k \\in \\mathcal{K}$: $c := \\mathsf{Enc}_k(m)$.\n\\end{enumerate}\n\\end{theorem}\n\\begin{proof}\n$\\Leftarrow$: $\\Pr[C=c|M=m]=1/|\\mathcal{K}|$, use Lemma \\ref{lem:pi}. \\\\\n$\\Rightarrow (2)$: At least one $k$, otherwise $\\Pr[C=c|M=m]=0$; \\\\\nat most one $k$, because $\\{\\mathsf{Enc}_k(m)\\}_{k\\in \\mathcal{K}} = \\mathcal{C}$ and $|\\mathcal{K}| = |\\mathcal{C}|$.\\\\\n$\\Rightarrow (1)$: $k_i$ is such that $\\mathsf{Enc}_{k_i}(m_i)=c$.\n\\[ \\begin{split}\n\\Pr[M = m_i] &= \\Pr[M=m_i|C=c] \\\\\n &= \\left( \\Pr[C =c|M=m_i] \\cdot \\Pr[M = m_i] \\right) / \\Pr[C=c] \\\\\n &= \\left( \\Pr[K=k_i] \\cdot \\Pr[M = m_i] \\right) / \\Pr[C=c],\n\\end{split}\n\\]\nso $\\Pr[K=k_i] = \\Pr[C = c] = 1/|\\mathcal{K}|$.\n\\end{proof}\n\\end{frame}\n\n\\begin{frame}\\frametitle{Application of Shannon's Theorem}\n\\begin{exampleblock}{Is the below scheme perfectly secret?}\nLet $\\mathcal{M} = \\mathcal{C} = \\mathcal{K} = \\{ 0, 1, 2,\\dots , 255 \\} $\\\\\n$\\mathsf{Enc}_k(m) = m + k \\mod 256$\\\\\n$\\mathsf{Dec}_k(c) = c - k \\mod 256$\n\\end{exampleblock}\n\\end{frame}\n\\section{Eavesdropping Indistinguishability}\n\\begin{frame}\\frametitle{Eavesdropping Indistinguishability Experiment}\n$\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}$ denote a \\textbf{priv}ate-\\textbf{k}ey encryption experiment for a given $\\Pi$ over $\\mathcal{M}$ and an \\textbf{eav}esdropping adversary $\\mathcal{A}$.\n\\begin{enumerate}\n\t\\item $\\mathcal{A}$ outputs a pair of messages $m_0, m_1 \\in \\mathcal{M}$.\n\t\\item $k \\gets \\mathsf{Gen}$, a random bit $b \\gets \\{0,1\\}$ is chosen. Then $c \\gets \\mathsf{Enc}_k(m_b)$ is given to $\\mathcal{A}$.\n\t\\item $\\mathcal{A}$ outputs a bit $b'$\n\t\\item If $b' = b$, $\\mathcal{A}$ succeeded $\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}=1$, otherwise 0.\n\\end{enumerate}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pri-eav-exp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Adversarial Indistinguishability}\n\\begin{definition}\n$\\Pi$ over $\\mathcal{M}$ is \\textbf{perfectly secret} if for every $\\mathcal{A}$ it holds that\n\\[ \\Pr[\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}=1] = \\frac{1}{2}.\\]\n\\end{definition}\n\\begin{exampleblock}{Which in the below schemes are perfectly secret?}\n\\begin{itemize}\n\\item $\\mathsf{Enc}_{k,k'}(m)= \\mathsf{OTP}_k(m) \\| \\mathsf{OTP}_{k'}(m)$\n\\item $\\mathsf{Enc}_{k}(m)= reverse(\\mathsf{OTP}_k(m))$\n\\item $\\mathsf{Enc}_{k}(m)= \\mathsf{OTP}_k(m) \\| k$\n%To break semantic security, an attacker would read the secret key from the challenge ciphertext and use it to decrypt the challenge ciphertext. Basically, any ciphertext reveals the secret key.\n\\item $\\mathsf{Enc}_{k}(m)= \\mathsf{OTP}_k(m) \\| \\mathsf{OTP}_k(m) $\n\\item $\\mathsf{Enc}_{k}(m)= \\mathsf{OTP}_{0^{n}}(m)$\n%To break semantic security, an attacker would ask for the encryption of $0^n$ and $1^n$ and can easily distinguish EXP(0) from EXP(1) because it knows the secret key, namely 0n.\n\\item $\\mathsf{Enc}_{k}(m)= \\mathsf{OTP}_k(m) \\| LSB(m)$\n%To break semantic security, an attacker would ask for the encryption of $0^n$ and $0^{n-1}1$ and can distinguish EXP(0) from EXP(1).\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\n\\begin{frame}\\frametitle{Summary}\n\\begin{itemize}\n\\item Perfect secrecy $=$ Perfect indistinguishability $=$ Adversarial indistinguishability\n\\item Perfect secrecy is attainable. The One-Time Pad (Vernam's cipher)\n\\item Shannon's theorem\n\\end{itemize}\t\n\\end{frame}\n\\end{document}\n" }, { "path": "source/3.1privatekey.tex", "content": "\\input{source/header/main.tex}\n\n\\title{Private-Key Encryption and Pseudorandomness (Part I)}\n\n\\begin{document}\n\\maketitle\n\\begin{frame}\n\\frametitle{Outline}\n\\tableofcontents\n\\end{frame}\n\\section{A Computational Approach to Cryptography}\n\\begin{frame}\\frametitle{Idea of Computational Security}\nComputational security vs. Information-theoretical security\n\\begin{alertblock}{Kerckhoffs's Another Principle}\nA [cipher] must be practically, if not mathematically, indecipherable.\n\\end{alertblock}\n\\begin{itemize}\n\t\\item Information-theoretical security: Perfect secrecy. \\\\\n\t\\alert{Q: what's the limitation of perfect secrecy?}\n\t\\item Computational security: \n\\begin{itemize}\n\t\\item Only preserved against adversaries that run in a \\textbf{feasible amount of time}.\n\t\\item Adversaries can succeed with some \\textbf{very small probability}.\n\\end{itemize}\n\\end{itemize} \n\\end{frame}\n\\begin{frame}\\frametitle{Necessity of the Relaxations}\nLimit the power of adversary (against brute force with pr. 1 in time linear in $|\\mathcal{K}|$) and allow a negligible probability (against random guess with pr. $1/|\\mathcal{K}|$).\n\\begin{figure}\n\\begin{center}\n\\input{tikz/compute-sec.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Concrete Approach and Asymptotics}\n\\textbf{Concrete Approach}: A scheme is $(t,\\varepsilon)$-\\textbf{secure} if every adversary running for time at most $t$ succeeds in breaking the scheme with probability at most $\\varepsilon$.\n\\begin{exampleblock}{Example}\n\\textbf{Optimal security}: when the key has length $n$, an adversary running in time $t$ can succeed with probability at most $t/2^n$.\n\\begin{tabular}{ll}\n$t=2^{80}$ & $2^{20}$ 1GHz CPUs run 35 years. \\\\\n$n=128$ & $2^{170}$ atoms in the planet. \\\\\n$\\varepsilon=2^{-48}$ & once every 100 years with probability $2^{-30}/\\text{sec}$. \\\\\n\\end{tabular}\n\\end{exampleblock}\n%\\begin{itemize}\n%\\item But one may ask: What is the success probability of running for 10 years? Does the key length matter? \n%\\end{itemize}\n\\textbf{Asymptotics}: A method of describing limiting behavior. Given the input size of a problem, $n$, the time complexity is $f(n)$. \\\\\nFor example, the time complexity of quick sort for $n$ numbers is $O(n\\cdot \\log n)$.\n\\end{frame}\n\\begin{frame}\\frametitle{$\\mathcal{P} = \\mathcal{NP}$ ?}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pnp}\n\\end{center}\n\\end{figure}\n\\centerline{The majority of computer scientists believe $\\mathcal{P} \\ne \\mathcal{NP}$.}\n\\centerline{\\alert{\\emph{This is very dangerous!}}} \n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Efficient Computation}\n\\begin{itemize}\n\\item An algorithm $A$ runs in \\textbf{polynomial time} if there exists a polynomial $p(\\cdot)$ such that,\n for every input $x \\in {0,1}^*$, $A(x)$ terminates within at most $p(|x|)$ steps. \\\\\n \\alert{Q: is $n!$ polynomial? is $\\log n$ polynomial?}\n\\item $A$ can run another \\textsc{ppt} $A'$ as a sub-routine in polynomial-time.\\\\\n \\alert{Q: $f(x) = x^{2} $, is $g(x) = \\frac{x^{3}}{f(x)}$ polynomial?}\n\\item A \\textbf{probabilistic} algorithm has the capability of ``tossing coins''.\\\\\nRandom number generators should be designed for cryptographic use, not \\verb|random()| in C. \n\\item \\alert{Open question}: Does probabilistic adversaries are more powerful than deterministic ones? \n$\\mathcal{P} = \\mathcal{BPP}$ ? \n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Negligible Success Probability}\n\\begin{itemize}\n\\item A function $f$ is \\textbf{negligible} if for every polynomial $p(\\cdot)$\nthere exists an $N$ such that for all integers $n > N$ it holds that $f(n) < \\frac{1}{p(n)}$.\n\\item \\alert{Q: is $\\left( \\frac{3}{n} \\right)^{9}$ negligible? is $\\frac{n^{2}}{2^{n}}$ negligible?}\n\\item \\alert{Q: is $ \\mathsf{negl}_1(n)+\\mathsf{negl}_2(n)$ negligible?}\n\\item \\alert{Q: is $ poly(n)\\cdot\\mathsf{negl}(n)$ negligible?}\n%\\item Problem $\\mathsf{X}$ is \\emph{hard} if $\\mathsf{X}$ cannot be solved by any polynomial-time algorithm except with negligible probability.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Asymptotic Approach}\nProblem $\\mathsf{X}$ (breaking the scheme) is \\emph{hard} if $\\mathsf{X}$ cannot be solved by any polynomial-time algorithm for time $t$ except with negligible probability $\\varepsilon$.\n\\begin{itemize}\n\\item $t, \\varepsilon$ are described as functions of \\textbf{security parameter} $n$ (usually, the length of key).%\\item Probability is \\textbf{negligible}: smaller than any inverse polynomial $n^{-b}$ for constant $b$.\n\\item \\alert{Caution}: `Security' for large enough values of $n$.\n\\end{itemize}\n\\begin{exampleblock}{Example}\n``Breaking the scheme'' with probability $2^{40}\\cdot 2^{-n}$ in $n^3$ minutes.\n\\begin{tabular}{ll}\n$n \\le 40$ & 6 weeks with probability 1. \\\\\n$n=50$ & 3 months with probability $1/1000$. \\\\\n$n=500$ & more than 200 years with probability $2^{-500}$. \\\\\n\\end{tabular}\\\\\n\n\\alert{Q: Under Moore's Law, who has more advantages? Adversary or Alice?} \n\\end{exampleblock}\n\\end{frame}\n\n%\\begin{frame}\\frametitle{Remarks on The Asymptotic Approach}\n%\\begin{itemize}\n%\\item The longer the key, the higher the security.\n%\\item Increasing $n$ to defend against increases in computing power.\n%\\item Convention: algorithm input is $1^n$. (a string of $n$ 1's)\n%\\end{itemize}\n%\\begin{exampleblock}{Example}\n%\\begin{tabular}{r|r|rr}\n% & Honest party & \\multicolumn{2}{|c}{Adversary} \\\\\t\\hline\n%& $10^6 \\cdot n^2$ & $10^8 \\cdot n^4$ & $2^{20-n}$ \\\\\n%1GHz $n=50$ & 2.5 sec. & 1 week & $2^{-30}$ \\\\\n%16GHz $n=500$ & 0.625 sec. & 16 week & $2^{-80}$ \\\\\n%\\end{tabular}\n%\n%\\alert{Q: For a bigger $n$, is it harder or easier to break the cipher?}\n%\\end{exampleblock}\n%\\end{frame}\n\\section{Defining Computationally-Secure Encryption}\n\\begin{frame}\\frametitle{Defining Private-key Encryption Scheme}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/private-key}\n\\end{center}\n\\end{figure}\nA \\textbf{Private-key encryption scheme} $\\Pi$ is a tuple of \\textsc{ppt} $(\\mathsf{Gen, Enc, Dec})$\n\\begin{itemize}\n\\item $k \\gets \\mathsf{Gen}(1^n), |k|\\ge n$ (security parameter). \\\\\n $\\mathsf{Gen}(1^n)$ chooses $k \\gets \\{0,1\\}^n$ uniformly at random (\\textbf{\\emph{u.a.r}})\n\\item $c \\gets \\mathsf{Enc}_k(m), m \\in \\{0,1\\}^*$ (all finite-length binary strings). \\\\\n \\textbf{Fixed-length} if $m \\in \\{0,1\\}^{\\ell(n)}$\n\\item $m := \\mathsf{Dec}_k(c)$\n\\item $\\mathsf{Dec}_k(\\mathsf{Enc}_k(m)) = m$\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Eavesdropping Indistinguishability Experiment}\nThe eavesdropping indistinguishability experiment $\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)$:\n\\begin{enumerate}\n\t\\item $\\mathcal{A}$ is given input $1^n$, outputs $m_0, m_1$ of the same length\n\t\\item $k \\gets \\mathsf{Gen}(1^n)$, a random bit $b \\gets \\{0,1\\}$ is chosen. Then $c \\gets \\mathsf{Enc}_k(m_b)$ (challenge ciphertext) is given to $\\mathcal{A}$\n\t\\item $\\mathcal{A}$ outputs $b'$. If $b' = b$, $\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}=1$, otherwise 0\n\\end{enumerate}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pri-eav-exp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Defining Private-key Encryption Security}\n\\begin{definition}\\label{def:ind}\n$\\Pi$ has \\textbf{indistinguishable encryptions in the presence of an eavesdropper} if $\\forall$ \\textsc{ppt} $\\mathcal{A}$, $\\exists$ a negligible function $\\mathsf{negl}$ such that\n\\[ \\Pr\\left[\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)=1\\right] \\le \\frac{1}{2} + \\mathsf{negl}(n),\n\\]\nwhere the probability it taken over the random coins used by $\\mathcal{A}$.\n\\end{definition}\n\\end{frame}\n\\begin{frame}\\frametitle{Understanding Definition of Indistinguishability}\n%\\begin{exampleblock}{Is the OTP scheme indistinguishable in the presence of an eavesdropper?}\n%\\end{exampleblock}\n\\begin{exampleblock}{If an adversary always fails in the experiments, is the scheme secure?}\n\\end{exampleblock}\n\\begin{exampleblock}{What's the probability of using the same key in two successive eavesdropping indistinguishability experiments?}\n\\end{exampleblock}\n\\begin{exampleblock}{If the lowest bit of message can be guessed from the ciphertext with probability $\\frac{3}{4}$, is the scheme secure?}\n%Q: what are two messages provided by the adversary?\\\\\n%Q: what is the probability of success in this indistinguishability experiment?\n\\end{exampleblock}\n\\begin{exampleblock}{If the lowest 3 bits of message can be guessed from the ciphertext with probability $\\frac{3}{8}$, is the scheme secure?}\n\\end{exampleblock}\n\\begin{exampleblock}{Correlation: If the distributions of ($X$ and $Z$) and ($Y$ and $Z$) are indistinguishable, are $X$ and $Y$ also indistinguishable?}\n\\end{exampleblock}\n%\\begin{enumerate}\n%\\item \\textbf{No single bit} can be guessed in a randomly-chosen plaintext with probability significantly better than $1/2$.\n%\\[ \\Pr[\\mathcal{A}(1^n,\\mathsf{Enc}_k(m))=m^i] \\le \\frac{1}{2} + \\mathsf{negl}(n).\n%\\]\n%where $m^i$ is the $i$th bit of $m$, $\\mathcal{A}(\\cdot)$ outputs the guess.\n%\\item \\textbf{No function of plaintext} can be learned regardless of the \\emph{a priori} distribution over the plaintext. \\\\\n%$\\forall\\;\\mathcal{A}$, $\\exists\\;\\mathcal{A'}$, $\\forall\\;f$ and $\\forall\\;S \\in \\{0,1\\}^*$,\n%\\[ \\left| \\Pr[\\mathcal{A}(1^n,\\mathsf{Enc}_k(m)) = f(m)] - \\Pr[\\mathcal{A}'(1^n) = f(m)] \\right| \\le \\mathsf{negl}(n),\n%\\]\n%where $m \\in S_n \\overset{\\text{def}}{=} S \\cap \\{0,1\\}^n$.\n%\\end{enumerate}\n\\end{frame}\n\\begin{frame}\\frametitle{Semantic Security}\n\\textbf{Intuition}: No partial information leaks.\n\\begin{definition}\n$\\Pi$ is \\textbf{semantically secure in the presence of an eavesdropper} if $\\forall$ \\textsc{ppt} $\\mathcal{A}$, $\\exists \\mathcal{A'}$ such that $\\forall$ distribution $X = (X_1, \\dots)$ and $\\forall f, h$,\n\\[ \\left|\\Pr[\\mathcal{A}(1^n,\\mathsf{Enc}_k(m),h(m))=f(m)]-\\Pr[\\mathcal{A}'(1^n,h(m))=f(m)]\\right| \n\\]\n\\[ \\le \\mathsf{negl}(n).\n\\]\nwhere $m$ is chosen according to $X_n$, $h(m)$ is external information.\n\\end{definition}\n\\begin{theorem}\nA private-key encryption scheme has \\textbf{indistinguishable} encryptions in the presence of an eavesdropper $\\iff$ it is \\textbf{semantically secure} in the presence of an eavesdropper.\n\\end{theorem}\n\\end{frame}\n\\section{Pseudorandomness}\n\\begin{frame}\\frametitle{Conceptual Points of Pseudorandomness}\n\\begin{itemize}\n\\item True randomness can not be generated by a describable mechanism\n\\item Pseudorandom looks truly random for the observers who don't know the mechanism \n\\item No fixed string can be ``random'' or ``pseudorandom'' which refers to the properties of the process used to generate a string\n\\item \\alert{Q: is it possible to definitively prove randomness?}\n\\end{itemize}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/random-color} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Distinguisher: Statistical Tests}\nThe pragmatic approach is to take many sequences of random numbers from a given generator and subject them to a battery of statistical tests.\\footnote{State-of-the-art: NIST Special Publication 800-22 ``\\emph{A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications}''}\n\\begin{exampleblock}{}\n\\begin{itemize}\n\\item $D(x)=0$ if $\\left| \\#0(x) - \\#1(x)\\right| \\le 10\\cdot \\sqrt{n}$\n\\item $D(x)=0$ if $\\left| \\#00(x) - n/4\\right| \\le 10\\cdot \\sqrt{n}$\n\\item $D(x)=0$ if $\\text{max-run-of-}0(x) \\le 10\\cdot \\log{n}$\n\\end{itemize}\n\\end{exampleblock}\nPseudorandomness means being \\textbf{next-bit unpredictable},\\\\\n$G$ passes all next bit tests $\\iff$ $G$ passes all statistical tests.\nHow many tests shall we need?\n\\end{frame}\n\\begin{frame}\\frametitle{Intuition for Defining Pseudorandom}\n\\textbf{Intuition}: Generate a long string from a short truly random seed, and the pseudorandom string is indistinguishable from truly random strings.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/prg-distinguisher.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Definition of Pseudorandom Generators}\n\\begin{definition}\\label{def:pg}\nA deterministic polynomial-time algorithm $G : \\{0,1\\}^n \\to \\{0,1\\}^{\\ell(n)}$ is a \\textbf{pseudorandom generator (PRG)} if\n\\begin{enumerate}\n\\item (Expansion:) $\\forall n, \\ell(n) > n$.\n\\item (Pseudorandomness): $\\forall\\;$ \\textsc{ppt} distinguishers $D$,\n\\[ \\left|\\Pr[D(r)=1] - \\Pr[D(G(s))=1]\\right| \\le \\mathsf{negl}(n),\n\\]\nwhere $r$ is chosen \\emph{u.a.r} from $\\{0,1\\}^{\\ell(n)}$, the \\textbf{seed} $s$ is chosen \\emph{u.a.r} from $\\{0,1\\}^n$. $\\ell(\\cdot)$ is the \\textbf{expansion factor} of $G$.\n\\end{enumerate}\n\\end{definition}\n\\begin{itemize}\n\\item \\textbf{Existence}: Under the weak assumption that \\emph{one-way functions} exists, or $\\mathcal{P} \\ne \\mathcal{NP}$\n\\end{itemize}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Real World Cases}\n\\begin{exampleblock}{glibc random()}\n$r[i] = (r[i-3] + r[i-31])\\%2^{32}$\n\\end{exampleblock}\n\\begin{exampleblock}{Netscape (by reverse-engineering)}\n%mklcpr(x)\n%return ((0xDEECE66D * x + 0x2BBB62DC) >> 1);\n\\begin{verbatim}\nglobal variable seed; \nRNG_CreateContext();\n (seconds, microseconds) = time of day;\n pid = process ID; ppid = parent process ID;\n a = mklcpr(microseconds);\n b = mklcpr(pid + seconds + (ppid << 12));\n seed = MD5(a, b);\nRNG_GenerateRandomBytes()\n x = MD5(seed);\n seed = seed + 1;\n return x;\\end{verbatim}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Problems On PRG}\n\\begin{exampleblock}{$F$ is PRG. Is $G$ PRG?}\n\\begin{itemize}\n\\item $G(s)$ is such that $XOR(G(s)) = 1$\n%\\item $G(s)=F(0)$\n\\item $G(s)=F(s)\\| 0$\n\\item $G(s)=F(s\\oplus 1^{\\abs{s}})$\n\\item $G(s)=F(s)\\| F(s)$\n\\item $G(s\\| s')=F(s)\\| F(s')$\n\\item $G(s)=F(s\\|0)$\n\\item $G: s \\gets \\{0,1\\}^{20}, G(s) = F(s)$\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Sufficient Seed Space}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/prg-sparse}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item \\textbf{Sparse outputs}: In the case of $\\ell(n)=2n$, only $2^{-n}$ of strings of length $2n$ occurs.\n\\item \\textbf{Brute force attack}: Given an unlimited amount of time, one can distinguish $G(s)$ from $r$ with a high probability by generating all strings with all seeds.\n\\[ \\left|\\Pr[D(r)=1] - \\Pr[D(G(s))=1]\\right| \\ge 1-2^{-n} \\]\n\\item \\textbf{Sufficient seed space}: $s$ must be long enough against brute force attack.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Bad Randomness [xkcd:424]}\nIn 2008, the Debian project announced that a vulnerability in the OpenSSL package. The bug was caused by the removal of the line of code from md\\_rand.c. (CVE-2008-0166)\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=60mm]{pic/holes} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\section{Proof By Reduction}\n\\begin{frame}\\frametitle{Reduction (Complexity)}\nA \\textbf{reduction} is a transformation of one problem $A$ into another problem $B$.\n\\newline\n\n\\textbf{Reduction} $A \\le_m B$ \\footnote{$m$ means the mapping reduction.} : $A$ is \\textbf{reducible} to $B$ if solutions to $B$ exist and whenever given the solutions $A$ can be solved. \\newline\n\nSolving $A$ \\textbf{cannot be harder} than solving $B$.\n\\begin{exampleblock}{Example}\n\\begin{itemize}\n\\item ``measure the area of a rectangle'' $\\le_m$ ``measure the length and width of rectangle''\n\\item ``calculate $x^2$'' $\\le_m$ ``calculate $x \\times y$''\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Proofs of Reduction}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/reduction}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item A \\textsc{ppt} $\\mathcal{A}$ can break $\\Pi$ with probability $\\varepsilon(n)$.\n\\item \\textbf{Assumption}: Problem $\\mathsf{X}$ is \\emph{hard} to solve.\n\\item \\textbf{Reduction}: Reduce $\\mathcal{A}'$ to $\\mathcal{A}$. $\\mathcal{A'}$ solves $\\mathsf{x}$ efficiently with probability $1/p(n)$, running $\\mathcal{A}$ as a sub-routine. \n\\item \\textbf{Contradiction}: If $\\varepsilon(n)$ is non-negligible, then $\\mathcal{A'}$ solves $\\mathsf{X}$ efficiently with non-negligible probability $\\varepsilon(n)/p(n)$.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{An Example of Proof By Reduction}\n\\begin{exampleblock}{If $F(s)$ is PRG, so is $G(s)=F(s)\\oplus 1^{\\abs{n}}$ ?}\n\\begin{itemize}\n\\item Problem A (Assumption): to distinguish $F(s)$ from $r$\n\\item Problem B (Break the scheme): to distinguish $G(s)$ from $r$\n\\end{itemize}\n\\textbf{Idea}: Reduce A to B. As $F(s)$ is distinguishable, so is $G(s)$.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/reduction-prg}\n\\end{center}\n\\end{figure}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{An Example of Proof By Reduction (Cont.)}\n\\begin{exampleblock}{If $F(s)$ is PRG, so is $G(s)=F(s)\\oplus 1^{\\abs{n}}$ ?}\n\\[ \\Pr[D'(F(s))=1]=\\Pr[D(G(s)=F(s)\\oplus 1^n)=1] \\]\n\\[ \\Pr[D'(r)=1]=\\Pr[D(r\\oplus 1^n)=1]=\\Pr[D(r)=1] \\]\n\\[ \\begin{split}\n\\mathsf{negl} &\\ge \\Pr[D'(F(s))=1] - \\Pr[D'(r)=1] \\\\\n &= \\Pr[D(G(s))=1] - \\Pr[D(r)=1]\n\\end{split} \\]\nAccording to the definition of PRG, $G(s)$ is a PRG.\n\\end{exampleblock}\n\\end{frame}\n\\section{Constructing Secure Encryption Schemes}\n\\begin{frame}\\frametitle{A Secure Fixed-Length Encryption Scheme}\n\\begin{columns}[t]\n\\begin{column}{4cm}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/encryptionwithpg}\n\\end{center}\n\\end{figure}\n\\end{column}\n\\begin{column}{6cm}\n\\begin{construction}\\label{con:fl}\n\\begin{itemize}\n\\item $|G(k)| = \\ell(|k|)$, $m \\in \\{0,1\\}^{\\ell(n)}$.\n\\item $\\mathsf{Gen}$: $k \\in \\{0,1\\}^n$.\n\\item $\\mathsf{Enc}$: $c := G(k)\\oplus m$.\n\\item $\\mathsf{Dec}$: $m := G(k)\\oplus c$.\n\\end{itemize}\n\\end{construction}\n\\begin{theorem}\\label{the:flt}\nThis fixed-length encryption scheme has indistinguishable encryptions in the presence of an eavesdropper.\n\\end{theorem}\n\\end{column}\n\\end{columns}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of Indistinguishable Encryptions}\n\\textbf{Idea}: Use $\\mathcal{A}$ to construct $D$ for $G$, so that $D$ distinguishes $G$ when $\\mathcal{A}$ breaks $\\tilde{\\Pi}$. Since $D$ cannot distinguish $G$, so that $\\mathcal{A}$ cannot break $\\tilde{\\Pi}$.\n\\begin{proof}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/constructD}\n\\end{center}\n\\end{figure}\n\\[ \\Pr[D(w)=1] = \\Pr[\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\tilde{\\Pi}}(n)=1] \\]\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of Indistinguishable Encryptions (Cont.)}\n\\begin{proof}\nTo prove $ \\varepsilon(n) \\overset{\\text{def}}{=} \\Pr[\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)=1] - \\frac{1}{2} $ is negligible.\\\\\n(1) If $w$ is $r$ chosen \\emph{u.a.r}, then $\\tilde{\\Pi}$ is OTP. \\[\\Pr[D(r)=1] = \\Pr[\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\tilde{\\Pi}}(n)=1]=\\frac{1}{2};\\] \\\\\n(2) If $w$ is $G(k)$, then $\\tilde{\\Pi} = \\Pi$. \n\\[ \\Pr[D(G(k))=1] = \\Pr[\\mathsf{PrivK}^{\\mathsf{eav}}_{\\mathcal{A},\\Pi}(n)=1] = \\frac{1}{2} + \\varepsilon(n). \\]\\\\\nUse Definition \\ref{def:pg}: \n\\[ \\left|\\Pr[D(r)=1] - \\Pr[D(G(k))=1]\\right| = \\varepsilon(n) \\le \\mathsf{negl}(n).\n\\] \n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Handling Variable-Length Messages (homework)}\n\\begin{definition}\\label{def:vlpg}\nA \\textbf{deterministic} polynomial-time algorithm $G$ is a \\textbf{variable output-length pseudorandom generator} if\n\\begin{enumerate}\n\\item $G(s, 1^{\\ell})$ outputs a string of length $\\ell > 0$, where $s$ is a string.\n\\item $G(s, 1^{\\ell})$ is a prefix of $G(s, 1^{\\ell'})$, $\\ell' > \\ell$.\\footnote{for technical reasons to prove security.}\n\\item $G_{\\ell}(s) \\overset{\\text{def}}{=} G(s,1^{\\ell(|s|)})$. Then $\\forall \\ell(\\cdot)$, $G_{\\ell}$ is a PRG with expansion factor $\\ell$.\n\\end{enumerate}\n\\end{definition}\nBoth Construction \\ref{con:fl} and Theorem \\ref{the:flt} hold here.\n\\end{frame}\n\\begin{frame}\\frametitle{Computational Security vs. Info.-theoretical Security}\n\\begin{center}\n\\begin{tabular}{|c|c|c|} \\hline\n & \\textbf{Computational} & \\textbf{Info.-theoretical} \\\\ \\hline\n\\textbf{Adversary} & \\textsc{ppt} & no limited \\\\ \n & eavesdropping & eavesdropping\\\\ \\hline \n\\textbf{Definition} & indistinguishable & indistinguishable \\\\ \n & $\\frac{1}{2} + \\mathsf{negl}$ & $\\frac{1}{2}$ \\\\ \\hline\n\\textbf{Assumption} & pseudorandom & random \\\\ \\hline\n\\textbf{Key}\t & short random str. & long random str.\\\\ \\hline\n\\textbf{Construction} & XOR pad & XOR pad \\\\ \\hline \n\\textbf{Prove} & reduction & prob. theory \\\\ \\hline\n\\end{tabular}\t\n\\end{center}\n\\end{frame}\n\\end{document}\n" }, { "path": "source/3.2privatekey.tex", "content": "\\input{source/header/main.tex}\n\n\\title{Private-Key Encryption and Pseudorandomness (Part II)}\n\n\\begin{document}\n\\maketitle\n\\begin{frame}\n\\frametitle{Outline}\n\\tableofcontents\n\\end{frame}\n\\section{Stream Ciphers And Chosen-Plaintext Attacks}\n\\begin{frame}\\frametitle{Stream Ciphers}\n\\begin{columns}[t]\n\\begin{column}{4cm}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/encryptionwithpg}\n\\end{center}\n\\end{figure}\n\\end{column}\n\\begin{column}{7cm}\n\\begin{itemize}\n\\item \\textbf{Idea}: Generalization of one-time pad\n\\item \\textbf{Stream cipher}: Enc. by XORing with pseudorandom stream (keystream)\n\\item \\textbf{Multiple messages}: Be concatenated into a single one and encrypted\n\\item \\textbf{Keystream}: Generated by a variable-length PRG\n\\item \\textbf{Strength}: Faster than block cipher\n\\item \\textbf{Weakness}: Difficult to be secure\n\\end{itemize}\n\\end{column}\n\\end{columns}\n\\end{frame}\n\\begin{frame}\\frametitle{Secure Multiple Encryptions Using a Stream Cipher}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/synchronizedmode}\n\\end{center}\n\\end{figure}\n\\textbf{Initial vector} $IV$ is chosen \\emph{u.a.r} and public\\\\\n\\alert{Q: which mode is better in your opinion?}\n\\end{frame}\n\\begin{frame}\\frametitle{Questionable Security}\n\\begin{itemize}\n\\item \\textbf{State of the art}: No standardized and popular one. Security is questionable, e.g., RC4 in WEP protocol in 802.11, Linear Feedback Shift Registers (LFSRs) used in A5/1 for GSM.\n\\end{itemize}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=50mm]{pic/A5-1_GSM_cipher} \n\\end{center}\n\\end{figure}\n\\begin{alertblock}{WARNING}\nDon't use any stream cipher. If necessary, construct one from a block cipher.\n\\end{alertblock}\n\\begin{itemize}\n\\item eStream project worked on secure stream ciphers. Salsa20/12 is a promising candidate.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Related Keys: Real World Cases}\nKeys (the $IV$-key pair) for multiple enc. must be independent\n\\begin{exampleblock}{Attacks on 802.11b WEP}\nUnsynchronized mode: $\\mathsf{Enc}(m_i) := \\left< IV_i, G(IV_i\\|k) \\oplus m_i\\right>$\\\\\n\\begin{itemize}\n\\item Length of $IV$ is 24 bits, repeat $IV$ after $2^{24} \\approx$ 16M frames\n\\item On some WiFi cards, $IV$ resets to $0$ after power cycle\n\\item $IV_i = IV_{i-1} + 1$. For RC4, recover $k$ after 40,000 frames\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Security for Multiple Encryptions}\nThe multiple-message eavesdropping experiment $\\mathsf{PrivK}^{\\mathsf{mult}}_{\\mathcal{A},\\Pi}(n)$:\n\\begin{enumerate}\n\t\\item $\\mathcal{A}$ is given input $1^n$, outputs $\\vec{M}_0=(m_0^1,\\dots,m_0^t)$, $\\vec{M}_1=(m_1^1,\\dots,m_1^t)$ with $\\forall i, |m_0^i| = |m_1^i|$.\n\t\\item $k \\gets \\mathsf{Gen}(1^n)$, a random bit $b \\gets \\{0,1\\}$ is chosen. Then $c^i \\gets \\mathsf{Enc}_k(m_b^i)$ and $\\vec{C}=(c^1,\\dots,c^t)$ is given to $\\mathcal{A}$.\n\t\\item $\\mathcal{A}$ outputs $b'$. If $b' = b$, $\\mathsf{PrivK}^{\\mathsf{mult}}_{\\mathcal{A},\\Pi}=1$, otherwise 0.\n\\end{enumerate}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/multiple-enc-exp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Definition of Multi-Encryption Security}\n\\begin{definition}\\label{def:sme}\n$\\Pi$ has \\textbf{indistinguishable multiple encryptions in the presence of an eavesdropper} if $\\forall$ \\textsc{ppt} $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ such that\n\\[ \\Pr\\left[\\mathsf{PrivK}^{\\mathsf{mult}}_{\\mathcal{A},\\Pi}(n)=1\\right] \\le \\frac{1}{2} + \\mathsf{negl}(n).\n\\]\n\\end{definition}\n\\begin{exampleblock}{Question:}\nDoes any cipher we have learned so far have indistinguishable multiple encryptions in the presence of an eavesdropper?\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Attack On Deterministic Multiple Encryptions}\n\\begin{exampleblock}{Generally, if $\\Pi$'s encryption function is \\textbf{deterministic}, i.e., a plaintext will be always encrypted into the same ciphertext with the same key, is $\\Pi$ multiple-encryption-secure?}\nFor the deterministic encryption, the adversary may generate $m_0^1 = m_0^2$ and $m_1^1 \\neq m_1^2$, and then outputs $b'=0$ if $c^1 = c^2$, otherwise $b'=1$.\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Chosen-Plaintext Attacks (CPA)}\n\\textbf{CPA}: the adversary has the ability to obtain the encryption of plaintexts of its choice\n\\begin{exampleblock}{A story in WWII}\n\\begin{itemize}\n\\item Navy cryptanalysts believe the ciphertext ``AF'' means ``Midway island'' in Japanese messages\n\\item But the general did not believe that Midway island would be attacked\n\\item Navy cryptanalysts sent a plaintext that the freshwater supplies at Midway island were low\n\\item Japanese intercepted the plaintext and sent a ciphertext that ``AF'' was low in water\n\\item The US forces dispatched three aircraft carriers and won\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{CPA Indistinguishability Experiment}\nThe CPA indistinguishability experiment $\\mathsf{PrivK}^{\\mathsf{cpa}}_{\\mathcal{A},\\Pi}(n)$:\n\\begin{enumerate}\n\t\\item $k \\gets \\mathsf{Gen}(1^n)$\n\t\\item $\\mathcal{A}$ is given input $1^n$ and \\textbf{oracle access} $\\mathcal{A}^{\\mathsf{Enc}_k(\\cdot)}$ to $\\mathsf{Enc}_k(\\cdot)$, outputs $m_0, m_1$ of the same length\n\t\\item $b \\gets \\{0,1\\}$. Then $c \\gets \\mathsf{Enc}_k(m_b)$ is given to $\\mathcal{A}$\n\t\\item $\\mathcal{A}$ \\textbf{continues to have oracle access} to $\\mathsf{Enc}_k(\\cdot)$, outputs $b'$\n\t\\item If $b' = b$, $\\mathcal{A}$ succeeded $\\mathsf{PrivK}^{\\mathsf{cpa}}_{\\mathcal{A},\\Pi}=1$, otherwise 0\n\\end{enumerate}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pri-cpa-exp.tex}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Definition of CPA Security}\n\\begin{definition}\\label{def:cap-ind}\n$\\Pi$ has \\textbf{indistinguishable encryptions under a CPA (CPA-secure)} if $\\forall$ \\textsc{ppt} $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ such that\n\\[ \\Pr\\left[\\mathsf{PrivK}^{\\mathsf{cpa}}_{\\mathcal{A},\\Pi}(n)=1\\right] \\le \\frac{1}{2} + \\mathsf{negl}(n).\n\\]\n\\end{definition}\n\\begin{itemize}\n\\item \\alert{Q: Is any cipher we have learned so far CPA-secure? Why?}\n\\end{itemize}\n\\begin{proposition}\nAny private-key encryption scheme that is CPA-secure also is \\textbf{multiple-encryption-secure}.\n\\end{proposition}\n\\begin{itemize}\n\\item \\alert{Q: Does \\textbf{multiple-encryption-security} mean CPA-security?} (homework)\n%\\item \\textbf{Fixed-length} CPA-secure encryption scheme can be used to construct a \\textbf{arbitrary-length} CPA-secure one quite easily.\n\\end{itemize}\n\\end{frame}\n\\section{CPA-Security From Pseudorandom Functions}\n\\begin{frame}\\frametitle{Concepts on Pseudorandom Functions}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/keyed-func.tex}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item \\textbf{Keyed function} $F : \\{0,1\\}^* \\times \\{0,1\\}^* \\to \\{0,1\\}^*$ \\\\\n$F_k : \\{0,1\\}^* \\to \\{0,1\\}^*$, $F_k(x) \\overset{\\text{def}}{=} F(k,x)$\n\\item \\textbf{Look-up table $f$}: $\\{0,1\\}^n \\to \\{0,1\\}^n$ with size \\alert{ = ? bits} %$n\\cdot2^n$.\n\\item \\textbf{Function family $\\mathsf{Func}_n$}: all functions $\\{0,1\\}^n \\to \\{0,1\\}^n$. $|\\mathsf{Func}_n| = 2^{n\\cdot2^n}$\n\\item \\textbf{Length Preserving}: $\\ell_{key}(n) = \\ell_{in}(n) = \\ell_{out}(n)$\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Definition of Pseudorandom Function}\n\\textbf{Intuition}: A PRF $F$ generates a function $F_k$ that is indistinguishable from truly random selected function $f$ (look-up table) in $\\mathsf{Func}_n$.\\\\ However, the function has \\textbf{exponential length}. Give $D$ the deterministic \\textbf{oracle access $D^{\\mathcal{O}}$} to the functions $\\mathcal{O}$.\n\\begin{definition}\nAn efficient length-preserving, keyed function $F$ is a \\textbf{pseudorandom function (PRF)} if\n$\\forall\\;$ \\textsc{ppt} distinguishers $D$,\n\\[ \\left|\\Pr[D^{F_k(\\cdot)}(1^n)=1] - \\Pr[D^{f(\\cdot)}(1^n)=1]\\right| \\le \\mathsf{negl}(n),\n\\]\nwhere $f$ is chosen \\emph{u.a.r} from $\\mathsf{Func}_n$.\n\\end{definition}\n%\\textbf{PRG vs. PRF}:\n%\\begin{itemize}\n%\\item Pseudorandomness over a set of strings vs. a set of functions.\n%\\item A PRG --- an instance of keyed PRF.\n%\\end{itemize}\n%\\textbf{Existence}: if PRG exists. In practice, block ciphers may be PRF.\n\\end{frame}\n\\begin{frame}\\frametitle{Questions}\n\\begin{exampleblock}{Q: Is the fixed-length OTP a PRF?}\\end{exampleblock}\n\\begin{exampleblock}{Q: Without knowing the key and the oracle access, could anyone learn something about the output from the input with a non-negligible probability?} \n\\end{exampleblock}\n\\begin{exampleblock}{Let $F: \\{0,1\\}^{n} \\times \\{0,1\\}^{n} \\to \\{0,1\\}^{n}$ be a PRF. Is $G$ a PRF?}\n\\begin{enumerate}\n\\item $G((k_{1},k_{2}), x) = F(k_{1},x) \\| F(k_{2},x)$\n\\item $G(k,x) = F(k, x\\oplus 1^{n})$\n\\item $ G(k,x) = \\left\\{ \n \\begin{array}{l l}\n F(k,x) & \\quad \\text{when}\\ x \\neq 0^{n}\\\\\n 0^{n} & \\quad \\text{otherwise}\\\\\n \\end{array} \\right. $\n\\item $ G(k,x) = \\left\\{ \n \\begin{array}{l l}\n F(k,x) & \\quad \\text{when}\\ x \\neq 0^{n}\\\\\n k & \\quad \\text{otherwise}\\\\\n \\end{array} \\right. $\n\\item $G(k,x) = F(k,x)\\bigoplus F(k, x\\oplus 1^{n})$\n\\end{enumerate}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{CPA-Security from Pseudorandom Function}\n\\begin{columns}[t]\n\\begin{column}{4cm}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/encryptionwithpf}\n\\end{center}\n\\end{figure}\n\\end{column}\n\\begin{column}{6cm}\n\\begin{construction}\\label{con:cpa}\n\\begin{itemize}\n\\item Fresh random string $r$.\n\\item $F_k(r)$: $\\abs{k} = \\abs{m} = \\abs{r} = n$.\n\\item $\\mathsf{Gen}$: $k \\in \\{0,1\\}^n$.\n\\item $\\mathsf{Enc}$: $s := F_k(r)\\oplus m$, $c := \\left$.\n\\item $\\mathsf{Dec}$: $m := F_k(r)\\oplus s$.\n\\end{itemize}\n\\end{construction}\n\\begin{theorem}\\label{thm:prf}\nIf $F$ is a PRF, this fixed-length encryption scheme $\\Pi$ is CPA-secure.\n\\end{theorem}\n\\end{column}\n\\end{columns}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of CPA-Security from PRF}\n\\textbf{Idea}: First, analyze the security in an idealized world where $f$ is used in $\\tilde{\\Pi}$; next, claim that if $\\Pi$ is insecure when $F_k$ was used then this would imply $F_k$ is not PRF by reduction.\n\\begin{proof}\nReduce $D$ to $\\mathcal{A}$:\n\\begin{figure}\n\\begin{center}\n\\input{tikz/pgfD}\n\\end{center}\n\\end{figure}\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of CPA-Security from PRF (Cont.)}\n\\begin{proof}\nAnalyze $\\Pr[\\mathsf{Break}]$, $\\mathsf{Break}$ means $\\mathsf{PrivK}_{\\mathcal{A},\\tilde{\\Pi}}^{\\mathsf{cpa}}(n) = 1$: \\\\\n$\\mathcal{A}$ makes $q(n)$ queries and collects $\\{ \\left< r_i, f(r_i) \\right> \\}$, as $c_i = \\left< r_i, s_i \\right>$, and $f(r_i) = s_i \\oplus m_i$, for $i=1,\\dots,q(n)$.\\\\\nThe challenge $c=\\left$. \\\\\n\\begin{itemize}\n\\item $\\mathsf{Repeat}$: $r_c \\in \\{ r_i \\}$ with probability $\\frac{q(n)}{2^n}$. $\\mathcal{A}$ can know $m_b$.\n\\item $\\overline{\\mathsf{Repeat}}$: As OTP, $\\Pr[\\mathsf{Break}]=\\frac{1}{2}$ \n\\end{itemize}\n\\[\n\\begin{split}\n\t\\Pr[\\mathsf{Break}] & =\\Pr[\\mathsf{Break} \\land \\mathsf{Repeat}] + \\Pr[\\mathsf{Break} \\land \\overline{\\mathsf{Repeat}}] \\\\\n\t&\\le \\Pr[\\mathsf{Repeat}] + \\Pr[\\mathsf{Break} | \\overline{\\mathsf{Repeat}}] \\\\\n\t&\\le \\frac{q(n)}{2^n} + \\frac{1}{2}.\n\\end{split}\n\\]\n\n{\\footnotesize \n$ \\Pr[D^{F_k(\\cdot)}(1^n)=1] = \\Pr[\\mathsf{PrivK}_{\\mathcal{A},\\Pi}^{\\mathsf{cpa}}(n) = 1] = \\frac{1}{2} + \\varepsilon(n). $\n$ \\Pr[D^{f(\\cdot)}(1^n)=1] = \\Pr[\\mathsf{PrivK}_{\\mathcal{A},\\tilde{\\Pi}}^{\\mathsf{cpa}}(n) = 1] = \\Pr[\\mathsf{Break}] \\le \\frac{1}{2} + \\frac{q(n)}{2^n}. $\n$\\Pr[D^{F_k(\\cdot)}(1^n)=1] - \\Pr[D^{f(\\cdot)}(1^n)=1] \\ge \\varepsilon(n) - \\frac{q(n)}{2^n}.$\n$\\varepsilon(n)$ is negligible.\n}\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Questions on CPA-security}\n\\begin{exampleblock}{Q: $G$ is a PRG. Is this scheme CPA-secure?}\n$\\mathsf{Enc}_k(m) = r, G(k\\|r) \\oplus m $, where $r$ is a fresh random string.\n\\end{exampleblock}\n\\begin{exampleblock}{CPA-Security from PRF for Arbitrary-Length Messages}\n\\begin{itemize}\n\\item For arbitrary-length messages, $m = m_1, \\dots , m_{\\ell}$\n\\[ c := \\left< r_1, F_k(r_1) \\oplus m_1, r_2, F_k(r_2) \\oplus m_2, \\dots, r_\\ell, F_k(r_\\ell) \\oplus m_\\ell\\right>\n\\]\n\\begin{corollary}\nIf $F$ is a PRF, then $\\Pi$ is CPA-secure for arbitrary-length messages.\n\\end{corollary}\n\\item What is the shortcoming of this scheme? \n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\\section{Modes of Operation}\n\\begin{frame}\\frametitle{Pseudorandom Permutations}\n\\begin{itemize}\n\\item \\textbf{Bijection}: $F$ is one-to-one and onto\n\\item \\textbf{Permutation}: A bijective function from a set to itself\n\\item \\textbf{Keyed permutation}: $\\forall k, F_k(\\cdot)$ is permutation\n\\item $F$ is a bijection $\\iff F^{-1}$ is a bijection\n\\end{itemize}\n\\begin{definition}\nAn efficient, keyed permutation $F$ is a \\textbf{strong pseudorandom permutation (PRP)} if\n$\\forall\\;$ \\textsc{ppt} distinguishers $D$,\n\\[ \\left|\\Pr[D^{F_k(\\cdot),F_k^{-1}(\\cdot)}(1^n)=1] - \\Pr[D^{f(\\cdot),f^{-1}(\\cdot)}(1^n)=1]\\right| \\le \\mathsf{negl}(n),\n\\]\nwhere $f$ is chosen \\emph{u.a.r} from the set of permutations on $n$-bit strings.\n\\end{definition}\n\\begin{alertblock}{If $F$ is a PRP then is it a PRF?}\n\\end{alertblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Questions}\n\\begin{exampleblock}{Let $X = \\{ 0,1\\}$ (1 bit), answer the following questions.}\n\\begin{enumerate}\n\\item What are the functions in the permutation over $X$?\n\\item $K = \\{0, 1\\}$, what is the simplest permutation $F(k, x)$ over $X$? \n\\item Is your $F$ a secure PRP?\n\\item Is your $F$ a secure PRF?\n\\item What if $X = \\{ 0,1\\}^{128}$ and $K = \\{0, 1\\}^{128}$?\n\\item Could you give a (or another) PRP over $X = \\{ 0,1\\}^{128}$?\n\\end{enumerate}\n\\end{exampleblock}\n\\begin{proposition}{Switching Lemma:}\nIf $F$ is a PRP and additionally $\\ell_{in} (n) \\ge n$, then $F$ is also a PRF.\n\\end{proposition}\nA random lookup table and a random permutation are indistinguishable. So PRP is also PRF.\n\\end{frame}\n\\begin{frame}\\frametitle{PRF, PRP, PRG, and Modes of Operation}\n\\textbf{Modes of Operation:}\n\\begin{itemize} \n\\item A way of encrypting arbitrary-length messages using a PRP or PRF\n\\item A way of constructing a PRG from a PRP or PRF\n\\end{itemize}\nWe will learn how to construct a PRF/PRP from a PRG later.\n\\end{frame}\n\\begin{frame}\\frametitle{Electronic Code Book (ECB) Mode}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/ECB}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item \\alert{Q: is it indistinguishable in the presence of an eavesdropper?}\n\\item \\alert{Q: can $F$ be any PRF?}\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Attack on ECB mode}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/ecb} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Cipher Block Chaining (CBC) Mode}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CBC}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item $IV$: initial vector, a fresh random string.\n\\item \\alert{Q: is it CPA-secure? what if $IV$ is always $0$?}\n\\item \\alert{Q: is the encryption parallelizable, i.e., outputting $c_{2}$ before getting $c_{1}$?}\n\\item \\alert{Q: can $F$ be any PRF?}\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Output Feedback (OFB) Mode}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/OFB}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item \\alert{Q: is it CPA-secure?}\n\\item \\alert{Q: is the encryption parallelizable?}\n\\item \\alert{Q: can $F$ be any PRF?}\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Counter (CTR) Mode}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CTR}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item $ctr$ is an $IV$\n\\item \\alert{Q: is it CPA-secure?}\n\\item \\alert{Q: is the encryption parallelizable?}\n\\item \\alert{Q: can $F$ be any PRF?}\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{CTR Mode Is CPA-secure}\n\\begin{theorem}\nIf $F$ is a PRF, then randomized CTR mode is CPA-secure.\n\\end{theorem}\n\\begin{proof}\nThe message length and the number of query are $q(n)$. \\\\\n\\textbf{Overlap}: the sequence for the challenge overlaps the sequences for the queries from the adversary.\\\\\n$\\mathsf{ctr}^*$: $\\mathsf{ctr}$ in the challenge. $\\mathsf{ctr}_i$: $\\mathsf{ctr}$ in the queries, $i = 1,\\dots,q(n)$.\\\\\n$\\mathsf{Overlap}$: $\\mathsf{ctr}_i-q(n) < \\mathsf{ctr}^* < \\mathsf{ctr}_i + q(n)$.\\\\\n\\[\\Pr[\\mathsf{Overlap}] \\le \\frac{2q(n)-1}{2^n} \\cdot q(n)\\]\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of CPA-secure CTR Mode (Cont.)}\n\\begin{proof}\nSee proof of theorem \\ref{thm:prf}.\n(1) Analyze $\\mathsf{Break}$ : $\\mathsf{PrivK}_{\\mathcal{A},\\tilde{\\Pi}}^{\\mathsf{cpa}}(n)=1$.\n\\[\n\\begin{split}\n\t\\Pr[\\mathsf{Break}] & =\\Pr[\\mathsf{Break} \\land \\mathsf{Overlap}] + \\Pr[\\mathsf{Break} \\land \\overline{\\mathsf{Overlap}}] \\\\\n\t&\\le \\Pr[\\mathsf{Overlap}] + \\Pr[\\mathsf{Break} | \\overline{\\mathsf{Overlap}}] \\\\\n\t&\\le \\frac{2q(n)^2}{2^n} + \\frac{1}{2}.\n\\end{split}\n\\]\n(2) Reduce $D$ to $\\mathcal{A}$\n\\[ \\Pr[D^{f(\\cdot)}(1^n)=1]=\\Pr[\\mathsf{PrivK}_{\\mathcal{A},\\tilde{\\Pi}}^{\\mathsf{cpa}}(n)=1] \\le \\frac{2q(n)^2}{2^n} + \\frac{1}{2}\n\\]\n\\[\\Pr[D^{F_k(\\cdot)}(1^n)=1]=\\Pr[\\mathsf{PrivK}_{\\mathcal{A},\\Pi}^{\\mathsf{cpa}}(n)=1] \\le \\frac{1}{2} + \\varepsilon(n)\n\\]\n\\[ \\text{If } F \\text{ is PRP}, \\varepsilon(n) \\text{ is negligible.}\n\\]\n\\end{proof}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{$IV$ Should Not Be Predictable}\nIf $IV$ is predictable, then CBC mode is not CPA-secure.\\\\\n\\alert{Q: Why? (homework)}\n\\begin{exampleblock}{Bug in SSL/TLS 1.0}\n$IV$ for record $\\#i$ is last CT block of record $\\#(i-1)$.\n\\end{exampleblock}\n\\begin{exampleblock}{API in OpenSSL}\n\\verb#void AES_cbc_encrypt (# \\\\\n\\verb# const unsigned char *in,# \\\\\n\\verb# unsigned char *out,# \\\\\n\\verb# size_t length,# \\\\\n\\verb# const AES_KEY *key,# \\\\\n\\verb# unsigned char *ivec, # \\alert{\\textbf{User supplies $IV$}} \\\\\n\\verb# AES_ENCRYPT or AES_DECRYPT);# \\\\\n\\end{exampleblock}\n\\end{frame}\n%\\begin{frame}\\frametitle{PRP/PRF Switching Lemma (FYI)}\n%\\begin{lemma}\n%$\\forall\\;$ \\textsc{ppt} distinguishers $D$,\n%\\[ \\left|\\Pr[D^{f}=1] - \\Pr[D^{p}=1]\\right| \\le \\frac{q^{2}}{2^{n+1}},\n%\\]\n%where $f$/$p$ is chosen \\emph{u.a.r} from the set of functions/permutations on $n$-bit strings.\n%\\end{lemma}\n%\\begin{exampleblock}\n%\\end{exampleblock}\n%\\end{frame}\n\\begin{frame}\\frametitle{Non-deterministic Encryption}\nThree general methods of non-deterministic encryption for CPA security.\\\\\n$\\mathsf{Enc}$: $s := F_k(r)\\oplus m$, $c := \\left$.\n\\begin{itemize}\n\\item \\textbf{Randomized}: $r$ is chosen $u.a.r$, as Construction \\ref{con:cpa}\n\\begin{itemize}\n\\item more entropy needed, and long ciphertext\n\\end{itemize}\n\\item \\textbf{Stateful}: $r$ is a counter, like CTR mode\n\\begin{itemize}\n\\item synchronization on the counter between two parties\n\\end{itemize}\n\\item \\textbf{Nonce-based}: $r$ is a nonce (number used only once)\n\\begin{itemize}\n\\item make sure that nonces are distinct , and long ciphertext\n\\end{itemize}\n\\end{itemize}\n\\end{frame}\n\\section{Security Against Chosen-Ciphertext Attacks (CCA)}\n\\begin{frame}\\frametitle{Security Against CCA}\nThe CCA indistinguishability experiment $\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}(n)$:\n\\begin{enumerate}\n\t\\item $k \\gets \\mathsf{Gen}(1^n)$.\n\t\\item $\\mathcal{A}$ is given input $1^n$ and oracle access $\\mathcal{A}^{\\mathsf{Enc}_k(\\cdot)}$ and $\\mathcal{A}^{\\mathsf{Dec}_k(\\cdot)}$, outputs $m_0, m_1$ of the same length.\n\t\\item $b \\gets \\{0,1\\}$. $c \\gets \\mathsf{Enc}_k(m_b)$ is given to $\\mathcal{A}$.\n\t\\item $\\mathcal{A}$ continues to have oracle access \\alert{\\textbf{except for $c$}}, outputs $b'$.\n\t\\item If $b' = b$, $\\mathcal{A}$ succeeded $\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}=1$, otherwise 0.\n\\end{enumerate}\n\\begin{definition}\n$\\Pi$ has \\textbf{indistinguishable encryptions under a CCA (CCA-secure)} if $\\forall$ \\textsc{ppt} $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ such that\n\\[ \\Pr\\left[\\mathsf{PrivK}^{\\mathsf{cca}}_{\\mathcal{A},\\Pi}(n)=1\\right] \\le \\frac{1}{2} + \\mathsf{negl}(n).\n\\]\n\\end{definition}\n\\end{frame}\n\\begin{frame}\\frametitle{Understanding CCA-security}\n\\begin{itemize}\n\\item In real world, the adversary might conduct CCA by influencing what gets decrypted\n\\begin{itemize}\n\\item If the communication is not authenticated, then an adversary may send certain ciphertexts on behalf of the honest party\n\\end{itemize}\n\\item CCA-security implies ``\\textbf{non-malleability}''\n\\item None of the above scheme is CCA-secure\n\\end{itemize}\n\\begin{exampleblock}{CCA against Construction \\ref{con:cpa}}\n$\\mathcal{A}$ gives $m_{0}, m_{1}$ and gets $c = \\left$, \nand then queries $c'$ which is the same with $c$ except that a single bit is flipped. \nThe $m' = c' \\oplus F_k(r)$ should be the same with $m_{b}$ \\alert{except \\underline{$\\qquad$}?}\n\\end{exampleblock}\n\\alert{Q: Show that the above modes (CBC, OFB and CTR) are also not CCA-secure. (homework)}\n\\end{frame}\n\\begin{frame}\\frametitle{Padding-Oracle Attacks: Real-world Case}\nPadding-oracle attacks are originally published in 2002. It can be used to automatically obtain the CAPTCHA text, as CAPTCHA server will return an error (as decryption oracle) when deciphering the CT of a CAPTCHA text received from a user.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/padding-oracle}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Padding-Oracle Attacks}\n\\textbf{PKCS \\#5 Padding}: append $b$ bytes of $b$ to the message in order to make the total length a multiple of the block length (append a dummy block if needed). The decryption server will return a \\textbf{Bad Padding Error} for incorrect padding.\\\\\n\\textbf{Padding-Oracle Attacks}: \n\\begin{itemize}\n\t\\item modify the ciphertext (including $IV$) and send it to the server.\n\t\\item Triggering a \\textbf{Bad Padding Error} means the modification is on the padding part. Otherwise, the modification is on the plaintext part.\n\t\\item By carefully manipulating the ciphertext to control the padding part, the attacker can learn the length and the content of the plaintext.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Padding-Oracle Attacks: Learning the length}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/padding-oracle-null}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item In a one-block CBC, by modifying the 1st byte of $IV$, attacker can learn whether $m$ is NULL. If yes, error will occur. \n\\item append $\\{b\\}^b$ as a dummy block if $m$ is NULL\n\\item change the 1st byte of $IV$ from $x$ to $y$, get decrypted block $(x \\oplus y \\oplus b) \\| \\{b\\}^{b-1}$, and trigger an error\n\\item If no error, learn whether $m$ is 1 byte by modifying the 2nd byte of $IV$ and so on\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Padding-Oracle Attacks: Learning the content}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/padding-oracle-lastbyte}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item Once learn the length of $m$, learn the last byte of $m$ ($s$) by modifying the one before the last block in the ciphertext\n\\item $m_{last} = \\cdots s \\| \\{b\\}^{b}$, $c_{last-1} = \\cdots t \\| \\{\\cdot \\}^{b} $\n\\item modify $c_{last-1}$ to $c_{last-1}' = \\cdots u \\| (\\{\\cdot \\}^{b} \\oplus \\{b\\}^{b} \\oplus \\{b+1\\}^{b}) $\n\\item \\alert{Q: If no padding error, then $s$ = ?}\n% s ^ t = u ^ (b+1), s= u ^ (b+1) ^ t\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Summary}\n\\begin{itemize}\n\\item Definitions: CPA, CCA (padding-oracle attack)\n\\item Primitives: PRG, PRF, PRP\n\\item Constructions: stream cipher, block cipher, EBC, CBC, OFB, CTR\n\\end{itemize}\n\\end{frame}\n\\end{document}\n" }, { "path": "source/4blockcipher.tex", "content": "\\input{source/header/main.tex}\n\n\\title{Practical Constructions of Pseudorandom Permutations (Block Ciphers)}\n\n\\begin{document}\n\\maketitle\n\\begin{frame}\n\\frametitle{Outline}\n\\tableofcontents\n\\end{frame}\n\\section{Substitution-Permutation Networks}\n\\begin{frame}\\frametitle{Block Ciphers}\n\\begin{itemize}\n\\item \\textbf{Block Cipher} $F : \\{0,1\\}^n \\times \\{0,1\\}^\\ell \\to \\{0,1\\}^\\ell$. \\\\\n$F_k : \\{0,1\\}^\\ell \\to \\{0,1\\}^\\ell$, $F_k(x) \\overset{\\text{def}}{=} F(k,x)$. \\\\\n$n$ is key length, $\\ell$ is block length.\n\\item Constructions are \\textbf{heuristic}, not proofed.\n\\item Considered as \\textbf{PRP} in practice, not encryption scheme.\n\\begin{itemize}\n\\item In the call for proposals for AES: \n\\emph{The extent to which the algorithm output is indistinguishable from a random permutation on the input block.}\n\\end{itemize}\n\\item Is ``\\textbf{good}'' if the best known attack has time complexity roughly \\textbf{equivalent to a brute-force search for the key}.\n\\begin{itemize}\n\\item A cipher with $n=112$ which can be broken in time $2^{56}$ is insecure.\n\\item In a non-asymptotic setting, $2^{n/2}$ may be insecure.\n\\end{itemize}\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Comics On Blockcipher [xkcd:153]}\nMy cryptosystem is like any Feistel cipher, except in the S-Boxes we simply take the bitstring down, flip it, and reverse it.\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=70mm]{pic/sbox-talk} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{The Confusion-Diffusion Paradigm}\n\t\\begin{itemize}\n\t\\item \\textbf{Goal}: Construct \\emph{concise} random-looking permutations.\n\t\\begin{itemize}\n\t\\item \\alert{Q: a block length of $n$ bits require \\underline{\\qquad} bits for its representation.} %$\\log(2^n!) \\approx n\\cdot 2^n $\n\t\\end{itemize}\n\t\\item \\textbf{Confusion}: making the relationship between the key and the ciphertext as complex and involved as possible. \\\\\n\tConstruct a large random-looking permutation $F$ from smaller random permutations ${f_i}$. $F_k(x) = f_1(x_1)f_2(x_2) \\cdots f_{i}(x_{i})$\n\t\\item \\textbf{Diffusion}: the redundancy in the statistics of the plaintext is dissipated in the statistics of the ciphertext.\n\t\\item \\textbf{Product cipher} combines multiple transformations.\n\t\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{A Substitution-Permutation Network}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/spn}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Design Principle 1 -- Invertibility of The $S$-boxes}\n$S$-boxes must be invertible, otherwise the block cipher will not be a permutation.\n\\begin{proposition}\nLet $F$ be a keyed function defined by a SPN in which the $S$-boxes are all one-to-one and onto. The regardless of the key schedule and the number of rounds, $F_k$ is a permutation for any choice of $k$.\n\\end{proposition}\n\\end{frame}\n\\begin{frame}\\frametitle{Design Principle 2 -- The Avalanche Effect}\n\\begin{itemize}\n\\item \\textbf{Avalanche effect}: changing a single bit of the input affects every bit of the output.\n\\item \\textbf{Strict avalanche criterion}: a single input bit is complemented, each of the output bits changes with a 50\\% probability.\n\\item \\textbf{Bit independence criterion}: output bits $j$ and $k$ should change independently when any single input bit $i$ is inverted, for all $i$, $j$ and $k$.\n\\item $S$-box: changing a single bit of the input changes at least two bits in the output.\n\\item $P$-box: the output bits of any given $S$-box are spread into different $S$-boxes in the next round.\n\\item \\alert{Q: For 4-bit $S$-boxes, changing 1 bit of the input affects \\underline{\\qquad} bits of the output after $R$ rounds of SPN.}\n\\end{itemize}\n%\\begin{exampleblock}{}\n%For 4-bit $S$-boxes, changing 1 bit of the input affects $2^R$ bits of the output after $R$ rounds of SPN.\n%\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{A Framework for KPA against Block Ciphers}\n\\textbf{KPA}: know some plaintext/ciphertext pairs under the same key.\n\\begin{enumerate}\n\\item Observe relationship between PT/CT and $k$ bits of the key. \n\\item Design a test on $t$ bits based on the above relationship.\n\\item Search in $k$-bit space; a guess passes test with pr. $2^{-t}$.\n\\item Use $p$ PT/CT pairs to determine the key with exp. $2^{k-(p)t}$.\n\\end{enumerate}\n\\begin{exampleblock}{KPA against 1-round w/o final key-mixing w/ $16$-bit key}\n\\begin{description}\n\\item[Relationship] PT $\\oplus$ Key $\\oplus$ Input-of-$S$-boxes $=$ 0.\n\\item[Test] on $t=16$ bits: Input-of-$S$-boxes $=$ PT $\\oplus$ Key.\n\\item[Search] in $k=16$ bit space; passing test with pr. $1/2^{16}$.\n\\item[Determine] the key with $p=1$ PT/CT pair and exp. $1$.\n\\end{description}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Attacks on Reduced-Round SPNs (Homework)}\nAttack on a 1-round SPN: 64-bit block, 128-bit key (2 $\\times$ 64-bit sub-keys), 16 $\\times$ 4-bit $S$-boxes.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/attack-spn.tex}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item Guessing 20 bits: 16 bits of the 1st sub-key, 4 bits of the 2nd.\n\\item Guess passes the 4-bit test with pr. $1/2^4$ ($1/2^n$ for $n$-bit test).\n\\item Use 8 I/O pairs to determine the key (with exp. $2^{20 - 4\\times 8}$).\n\\item Break with complexity $8\\cdot 2^{20} \\cdot 16= 2^{27} \\ll 2^{128}$ (16 $S$-boxes).\n\\end{itemize}\n\\end{frame}\n\\section{Feistel Networks}\n\\begin{frame}\\frametitle{Feistel Networks}\n\\begin{columns}[t]\n\\begin{column}{4cm}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/feistel}\n\\end{center}\n\\end{figure}\n\\end{column}\n\\begin{column}{6cm}\n\\begin{itemize}\n\\item \\textbf{Idea}: Construct an invertible function from non-invertible components.\n%\\item \\textbf{Round function} $f_i(R) \\overset{def}{=} \\hat{f}_i(k_i,R)$ ($\\hat{f}_i$ mangler function).\n\\item $L_i := R_{i-1}$ and $R_i := L_{i-1} \\oplus f_i(R_{i-1})$\n\\item \\alert{\\textbf{Inverting}: $L_{i-1} :=\\ ?$} %R_i \\oplus f_i(R_{i-1}) = R_i \\oplus f_i(L_i)$.\n\\item \\textbf{Decryption}: Operate with sub-keys in reverse order.\n\\end{itemize}\n\\begin{proposition}\n\\textbf{Luby-Rackoff Theorem}: Regardless of the mangler functions $\\{\\hat{f}_i\\}$ and the number of rounds, $F_k$ is a permutation for any choice of $k$.\n\\end{proposition}\n\\end{column}\n\\end{columns}\n\\end{frame}\n\\begin{frame}\\frametitle{Examples}\n\\begin{exampleblock}{What is the output of an $r$-round Feistel network when the input is $(L_0, R_0)$ in each of the following two cases:}\n(a) Each round function $F$ outputs all $0$s, regardless of the input.\\\\\n(b) Each round function $F$ is the identity function.\n\\end{exampleblock}\n\\end{frame}\n\\section{DES -- The Data Encryption Standard}\n\\begin{frame}\\frametitle{The Design of DES}\n\\begin{itemize}\n\\item 16-round Feistel network.\n\\item 64-bit block\n\\item 56-bit key, 48-bit sub-key. (64bit key with 8 check bits)\n\\item Key schedule: 56 bits $\\xrightarrow[\\text{left rotation, PC}]{\\text{divided into two halves}}$ 48 bits.\n\\item Begin with Initial Permutation ($IP$) and end with $IP^{-1}$.\n\\item Round function $f$ is non-invertible with 32-bit I/O.\n\\item $f_i$ is determined by mangler function $\\hat{f}_i$ and sub-key $k_i$.\n\\item $S$-box is a 4-to-1 function, mapping 6-bit to 4-bit.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Overview of DES}\n\\begin{algorithm}[H]\n\\SetKwInOut{Input}{input}\n\\SetKwInOut{Output}{output}\n\\SetKw{KwK}{KeySchedule}\n\\SetKw{KwC}{compute}\n\\DontPrintSemicolon\n\\caption{$\\mathsf{DES}$}\n\\Input{key $k$, message $m$}\n\\Output{ciphertext $c$}\n\\BlankLine\n$(k_{1},\\dots,k_{16}) \\gets KeySchedule(k)$\\;\n$m \\gets IP(m)$\\;\nParse $m$ as $L_{0}\\| R_{0}$\\;\n\\For{$r=1$ \\KwTo 16}{\n$L_{r} \\gets R_{r-1}$\\;\n$R_{r} \\gets f(k_{r},R_{r-1})\\oplus L_{r-1}$\\;\n}\n$c \\gets IP^{-1}(L_{16}\\| R_{16})$\\;\n\\Return $c$\\;\n\\end{algorithm}\n\\end{frame}\n\\begin{frame}\\frametitle{The DES Mangler Function}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/des}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{An $S$-box in DES}\n\\begin{exampleblock}{An $S$-box}\t\nInput: $b_{0,1,...,5}=011001$\\\\\nOutput: $S[b_{0,5}][b_{1,2,3,4}]=S[01][1100]=S[1][12]=9=1001$\n\\begin{semiverbatim}\n 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15\n +--------------------------------------------------------------------------------------------------+\n0 | 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 |\n1 | 0 15 7 4 14 2 13 1 10 6 12 11 \\alert{9} 5 3 8 |\n2 | 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 |\n3 | 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 |\n +--------------------------------------------------------------------------------------------------+\n\\end{semiverbatim}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Key Schedule}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/DESkey}\n\\end{center}\n\\end{figure}\nBits of shift is 1 or 2 in different rounds.\n\\end{frame}\n\\begin{frame}[fragile]\\frametitle{Weak Keys of DES}\n\\begin{itemize}\n\\item \\textbf{Weak keys}: makes the cipher behave in some undesirable way--producing \\emph{identical} sub-keys.\n\\begin{exampleblock}{Weak keys (Key with check bits : key w/o check bits)}\n\\begin{semiverbatim}\t\n01010101 01010101 : 0000000 0000000\nFEFEFEFE FEFEFEFE : FFFFFFF FFFFFFF\nE0E0E0E0 F1F1F1F1 : FFFFFFF 0000000\n1F1F1F1F 0E0E0E0E : 0000000 FFFFFFF\n\\end{semiverbatim}\n\\end{exampleblock}\n\\item \\textbf{Semi-weak keys}: producing only two different sub-keys.\\\\ A pair of semi-weak keys $k_1, k_2$: $F_{k_1}(F_{k_2}(M))=M$.\n\\begin{exampleblock}{Semi-weak key pairs (2 of total 6 pairs)}\n\\begin{semiverbatim}\t\n011F011F 010E010E & 1F011F01 0E010E01\n01E001E0 01F101F1 & E001E001 F101F101\n\\end{semiverbatim}\n\\end{exampleblock}\n\\end{itemize}\n\\end{frame}\n\\begin{comment}\n\\begin{frame}\\frametitle{Attacks on Reduced-Round Variants of DES}\n\\textbf{1-round (48-bit key)}: \\\\\n$S$-box is 4-to-1, so 4 possible values for each 6-bit key.\\\\\n\\# of possible keys: $4^{48/6} = 2^{16}$. \\\\\nSo a guess passes test with pr. $2^{-(48-16)}$.\\\\\nUse another I/O pair to determine the key (with exp. $2^{-16}$).\n\\newline\n\n\\textbf{2-round}: $L_0\\|R_0, L_2\\|R_2$ are known I/O pair.\n\\begin{columns}[C]\n\\column{.5\\textwidth}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/feistel2.tex}\n\\end{center}\n\\end{figure}\n\\column{.5\\textwidth}\n\\[\n\\begin{split}\n\tL_1 &= R_0 \\\\\n\tR_1 &= L_0 \\oplus f_1(R_0) \\\\\n\tL_2 &= R_1 = L_0 \\oplus f_1(R_0) \\\\\n\tR_2 &= L_1 \\oplus f_2(R_1). \\\\\n\tf_1(R_0) &= L_0 \\oplus L_2 \\\\\n\tf_2(L_2) &= R_2 \\oplus R_0\n\\end{split}\n\\]\n\\end{columns}\nSo we know I/O pairs of both $f_1$ and $f_2$. \\\\\nBreak in time $2\\cdot 2^{16}$ as two 1-round with two I/O pairs.\n\\end{frame}\n\\begin{frame}\\frametitle{Attacks on Reduced-Round Variants of DES (Cont.)}\n\\textbf{3-round}:\n\\begin{columns}[C]\n\\column{.4\\textwidth}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/feistel3.tex}\n\\end{center}\n\\end{figure}\n\\column{.6\\textwidth}\nWithout I/O pairs of any $f$, we know the inputs of $f_1$ and $f_3$ and the XOR of their outputs $ (L_0 \\oplus L_2) \\oplus (L_2 \\oplus R_3) = L_0 \\oplus R_3.$\n\\newline\n\n\\textbf{Idea}: The left/right half of the key affects the inputs only to the first/last four $S$-boxes. Brute-force needs $2\\cdot 2^{28}$.\n\\end{columns}\n\\begin{itemize}\n\\item Check 16-bit XOR of outputs of four $S$-boxes on one half.\n\\item $2^{28}/2^{16}=2^{12}$ guesses on half-key pass check (with pr. $2^{-16}$).\n\\item Use another I/O pair to test $2^{12+12}$ keys (with exp. $2^{24-16\\times 2}$).\n\\item Totally, $2\\cdot 2^{28} + 2^{24} < 2^{30}$ time and $2\\cdot 2^{12}$ space.\n\\end{itemize}\n\\end{frame}\n\\end{comment}\n\\begin{frame}\\frametitle{Chronology of DES}\n\\begin{description}\n\\item[1973] NBS (NIST) publishes a call for a standard.\n\\item[1974] DES is published in the Federal Register.\n\\item[1977] DES is published as FIPS PUB 46.\n\\item[1990] Differential cryptanalysis with CPA of $2^{47}$ plaintexts. \n\\item[1997] DESCHALL Project breaks DES in public.\n\\item[1998] EFF's Deep Crack breaks DES in 56hr at \\$250,000.\n\\item[1999] Triple DES.\n\\item[2001] AES is published in FIPS PUB 197.\n\\item[2004] FIPS PUB 46-3 is withdrawn.\n\\item[2006] COPACOBANA breaks DES in 9 days at \\$10,000.\n\\item[2008] RIVYERA breaks DES within one day.\n\\item[2016] 8 GTX 1080 Ti GPUs in 2 days.\n\\item[2017] CPA for a single plaintext in 25 seconds.\n\\end{description}\n\\end{frame}\n\\section{Increasing the Key Length of a Block Cipher}\n\\begin{frame}\\frametitle{Double Encryption}\n\\begin{itemize}\n\\item \\textbf{Internal tampering vs. Black-box constructions}: by modifying DES -- in even the smallest way -- we lose the confidence we have gained in DES.\n\\item \\textbf{Double encryption}: $y = F'_{k_1,k_2}(x) \\overset{\\text{def}}{=} F_{k_2}(F_{k_1}(x))$.\n\\end{itemize}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/doubleE}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{The Meet-In-the-Middle Attack}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/meet-in-middle}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item $z_0 = F_{k_1}(x) = F^{-1}_{k_2}(y) \\iff y = F'_{k_1,k_2}(x)$.\n\\item Key pair $(k_1,k_2)$ satisfies the equation with probability $2^{-n}$.\n\\item The number of such key pairs is $2^{2n}/2^n = 2^n$.\n\\item With another two I/O pairs, the expected number of key pairs is $2^{n}/2^{2n}=2^{-n}$. So that is it!\n\\item $\\mathcal{O}(2^n)$ time and $\\mathcal{O}(2^n)$ space.\n\\end{itemize}\n\\end{frame}\n%\\begin{comment}\n\\begin{frame}\\frametitle{DESX}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/desx.tex}\n\\end{center}\n\\end{figure}\n\\textbf{Whitening}: XORing Input/Output with partial keys.\\\\\n\\textbf{DESX}:\n\\[k = (k_1,k_2,k_3), \\abs{k_1}=\\abs{k_3}=64, \\abs{k_2}=56\\]\n\\[y = k_3\\oplus F_{k_2}(x \\oplus k_1)\\]\n\\[x = k_1\\oplus F^{-1}_{k_2}(y \\oplus k_3)\\]\n\\newline\n\n\\textbf{Security}: $\\abs{k}=184$, but break in time $2^{64+56}$.\n\\end{frame}\n%\\end{comment}\n\\begin{frame}\\frametitle{Triple Encryption}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/TDES}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item $k_1 = k_2 = k_3$: a single $F$ with backward compatibility.\n\\item $k_1 \\neq k_2 \\neq k_3$: time $2^{2n}$ under the meet-in-the-middle attack.\n\\item $k_1 = k_3 \\neq k_2$: time $2^{2n}$ with 1 I/O pair; time $2^{n}$ with $2^n$ pair.\n\\item \\textbf{Triple-DES} (3DES): strong, but small block length and slow.\n\\end{itemize}\n\\end{frame}\n\\section{AES -- The Advanced Encryption Standard}\n\\begin{frame}\\frametitle{AES -- The Advanced Encryption Standard}\n\\begin{itemize}\n\\item In 1997, NIST calls for AES.\n\\item In 2001, Rijndael [J. Daemen \\& V. Rijmen] becomes AES.\n\\item The first publicly accessible cipher for top secret information.\n\\item Not only security, also efficiency and flexibility, etc.\n\\item 128-bit block length and 128-, 192-, or 256-bit keys.\n\\item Not a Feistel structure, but a SPN.\n\\item Only non-trivial attacks are for reduced-round variants.\n\\begin{itemize}\n\\item $2^{27}$ on 6-round of 10-round for 128-bit keys.\n\\item $2^{188}$ on 8-round of 12-round for 192-bit keys.\n\\item $2^{204}$ on 8-round of 14-round for 256-bit keys. \n\\end{itemize}\n\\end{itemize}\n\\end{frame}\n%\\begin{frame}\\frametitle{The AES Construction}\n%\\textbf{State}: 4-by-4 array of bytes. The initial state is the plaintext.\n%\\begin{enumerate}\n%\\item \\textbf{AddRoundKey}: state XORed with the 128-bit sub-key.\n%\\item \\textbf{SubBytes}: each byte replaced according to a single $S$-box.\n%\\item \\textbf{ShiftRows}: each row cyclically shifted. \n%\\item \\textbf{MixColumns}: each column multiplied by a matrix.\n%\\end{enumerate}\n%\\end{frame}\n\\begin{frame}\\frametitle{Overview of AES}\n\\begin{algorithm}[H]\n\\SetKwInOut{Input}{input}\n\\SetKwInOut{Output}{output}\n\\SetKw{KwK}{KeySchedule}\n\\SetKw{KwC}{compute}\n\\DontPrintSemicolon\n\\caption{$\\mathsf{AES}$}\n\\Input{key $k$, message $m$}\n\\Output{ciphertext $c$}\n\\BlankLine\n$(k_{1},\\dots,k_{10}) \\gets Expand(k)$\\;\n$s \\gets m\\oplus k_{0}$\\;\n\\For{$r=1$ \\KwTo 10}{\n$s \\gets SubBytes(s)$\\;\n$s \\gets ShiftRows(s)$\\;\n\\lIf{$r \\le 9 $}{$s \\gets MixColumns(s)$}\n$s \\gets s\\oplus k_{R}$\\;}\n\\Return $c \\gets s$\\;\n\\end{algorithm}\nSee \\href{https://formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng-html5.html}{\\beamergotobutton{an animation of Rijndael}}!\n\\end{frame}\n\\begin{frame}\\frametitle{SM4}\n\\begin{itemize}\n\t\\item ShangMi 4 (SM4): a block cipher ``Information security technology—SM4 block cipher algorithm'', in the Chinese National Standard for Wireless LAN WAPI and used with TLS\n\t\\item Mainly developed by Lv Shuwang, declassified in 2006, published by State Cryptography Administration in 2012, and became a national standard (GB/T 32907-2016) in 2016\n\t\\item SM1 (in-chip) and SM7 (lightweight) are also block ciphers, but are not published.\n\\end{itemize}\n\\begin{figure}\n\t\\begin{center}\n\t\t\\fbox{\\includegraphics[width=70mm]{pic/SM4_round} }\n\t\\end{center}\n\t\\end{figure}\n\n\\end{frame}\n%\\begin{comment}\n\\section{Differential and Linear Cryptanalysis -- A Brief Look}\n\\begin{frame}\\frametitle{Linear Cryptanalysis}\nReference: ``A Tutorial on Linear and Differential Cryptanalysis'' \\url{www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf}\n\\begin{itemize}\n\\item Linear relationships between the input and output: \\\\\nthe bit positions $i_1, ... ,i_\\ell$ and $i_1', ... , i_\\ell'$ have \\textbf{bias} $p$ if for randomly-chosen input $x$ and key $k$, it holds that $y=F_k(x)$,\n\\[ \\Pr [x_{i_1} \\oplus \\cdots \\oplus x_{i_\\ell} \\oplus y_{i_1'} \\oplus \\cdots \\oplus y_{i_\\ell'} = 0] = p+\\frac{1}{2}.\n\\]\n\\item Not require CPA, KPA are sufficient.\n\\item Attack steps:\n\\begin{enumerate}\n\\item Construct the linear approximation table of $S$-boxes.\n\\item Construct a linear approximation of the first $r-1$ rounds with a big bias.\n\\item Extracting sub-key bits of last round that satisfies the linear approximation well.\n\\end{enumerate}\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{An Example of Linear Analysis of $S$-box}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/linear-sbox} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{An Example of Linear Distribution Table}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/linear-table} \n\\end{center}\n\\end{figure}\n$x_{2}\\oplus x_{3} = y_{1}\\oplus y_{3} \\oplus y_{4}$ for 12 times, the bias is $12 - 8 =4$ times\n$x_{2}\\oplus x_{3}: 0110 = 6,\\quad y_{1}\\oplus y_{3} \\oplus y_{4}: 1011=B$, so $(6, B) =4$\n\\end{frame}\n\\begin{frame}\\frametitle{An Example of Linear Cryptanalysis}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/linear}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{Differential Cryptanalysis}\n\\begin{itemize}\n\\item Specific differences $\\Delta_x$ in the input that lead to specific differences $\\Delta_y$ in the output with probability $p \\gg 2^{-n}$.\n\\item $x_1\\oplus x_2=\\Delta_x$, $F_k(x_1) \\oplus F_k(x_2)=\\Delta_y$ with probability $p$.\n\\item This can be exploited by CPA.\n\\item Attack steps:\n\\begin{enumerate}\n\\item Construct the difference distribution table of $S$-boxes.\n\\item Construct a differential characteristics of the first $r-1$ rounds with a big bias.\n\\item Extracting sub-key bits of last round that satisfies the differential characteristics well.\n\\end{enumerate}\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{An Example of Differential Analysis of $S$-box}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/difference-sbox} \n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{An Example of Differential Distribution Table}\n\\begin{figure}\n\\begin{center}\n\\includegraphics[width=100mm]{pic/difference-table} \n\\end{center}\n\\end{figure}\n$\\Delta X = 1011 = B, \\Delta Y = 0010 = 2$ for 8 times, so $(B, 2) = 8$\n\\end{frame}\n\\begin{frame}\\frametitle{An Example of Differential Cryptanalysis}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/differential}\n\\end{center}\n\\end{figure}\n\\end{frame}\n%\\end{comment}\n\\begin{frame}\\frametitle{Remarks on Block Ciphers}\n\\begin{itemize}\n\\item \\textbf{Block length} should be sufficiently large\n\\item \\textbf{Message tampering} is not with message confidentiality\n\\item \\textbf{Padding}: TLS: For $n>0$, $n$ byte pad is $n,n,\\dots,n$\nIf no pad needed, add a dummy block\n\\item \\textbf{Stream ciphers vs. block ciphers}: \n\\begin{itemize}\n\\item Steam ciphers are faster but have lower security\n\\item It is possible to use block ciphers in ``stream-cipher mode''\n\\end{itemize}\n\\end{itemize}\n\\begin{exampleblock}{Performance: Crypto++ 5.6, AMD Opetron 2.2GHz}\n\\begin{center}\n\\begin{tabular}{|c|c|c|} \\hline\n & \\textbf{Block/key size} & \\textbf{Speed MB/sec} \\\\ \\hline\n\\textbf{RC4} & & 126 \\\\ \n\\textbf{Salsa20/12} & & 643 \\\\ \n\\textbf{Sosemanuk} & & 727 \\\\ \n\\textbf{3DES}\t & 64/168 & 13 \\\\\n\\textbf{AES-128} & 128/128 & 109 \\\\ \\hline \n\\end{tabular}\t\n\\end{center}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Summary}\n\\begin{itemize}\n\\item Goal: Block cipher is PRP\n\\item Constructions: confusion \\& diffusion, SPN, Feistel network, avalanche effect.\n\\item Standards: DES, 3DES, AES, SM4\n\\item Cryptanalysis: reduced round, meet-in-the-middle, differential and linear cryptanalysis. \n\\end{itemize}\n\\end{frame}\n\\end{document}\n" }, { "path": "source/5owf.tex", "content": "\\input{source/header/main.tex}\n\n\\title{Theoretical Constructions of Pseudorandom Objects}\n\n\\begin{document}\n\\maketitle\n\\begin{frame}\n\\frametitle{Outline}\n\\tableofcontents\n\\end{frame}\n\\section{One-Way Functions}\n\\begin{frame}\\frametitle{Overview}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/owfover}\n\\end{center}\n\\end{figure}\n\\begin{alertblock}{One of contributions of modern cryptography}\nThe existence of one-way functions is equivalent to the existence of all (non-trivial) private-key cryptography.\n\\end{alertblock}\n\\end{frame}\n\\begin{frame}\\frametitle{One-Way Functions (OWF)}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/OWF}\n\\end{center}\n\\end{figure}\nThe inverting experiment $\\mathsf{Invert}_{\\mathcal{A},f}(n)$:\n\\begin{enumerate}\n\\item Choose input $x \\gets \\{0,1\\}^n$. Compute $y := f(x)$.\n\\item $\\mathcal{A}$ is given $1^n$ and $y$ as input, and outputs $x'$.\n\\item $\\mathsf{Invert}_{\\mathcal{A},f}(n) = 1$ if $f(x')=y$, otherwise 0.\n\\end{enumerate}\n\n\\end{frame}\n\\begin{frame}\\frametitle{Definitions of OWF/OWP [Yao]}\nFor polynomial-time algorithm $M_f$ and $\\mathcal{A}$.\n\\begin{definition}\nA function $f\\;:\\; \\{0,1\\}^* \\to \\{0,1\\}^*$ is \\textbf{one-way} if:\n\\begin{enumerate}\n\\item (Easy to compute): $\\exists$ $M_f$: $\\forall x, M_f(x) = f(x)$.\n\\item (Hard to invert): $\\forall$ $\\mathcal{A}$, $\\exists\\;\\mathsf{negl}$ such that\n\\[ \\Pr[\\mathsf{Invert}_{\\mathcal{A},f}(n)=1] \\le \\mathsf{negl}(n). \\]\nor\n\\[ \\Pr_{\\substack{x \\gets \\{0,1\\}^n}}[\\mathcal{A}(f(x)) \\in f^{-1}(f(x))] \\le \\mathsf{negl}(n). \\]\n\\end{enumerate}\n\\end{definition}\n\\begin{definition}\nLet $f\\;:\\; \\{0,1\\}^* \\to \\{0,1\\}^*$ be length-preserving, and $f_n$ be the restriction of $f$ to the domain $\\{0,1\\}^n$. A OWP $f$ is a \\textbf{one-way permutation} if $\\forall n$, $f_n$ is a bijection.\n\\end{definition}\n\\end{frame}\n\\begin{comment}\n\\begin{frame}\\frametitle{Families of Functions}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/owff}\n\\end{center}\n\\end{figure}\n\\begin{definition}\n$\\Pi = (\\mathsf{Gen}, \\mathsf{Samp}, \\mathsf{f})$ is a \\textbf{family of functions} if:\n\\begin{enumerate}\n\\item \\textbf{Parameter-generation} algorithm: $I \\gets \\mathsf{Gen}(1^n)$.\n\\item \\textbf{sampling} algorithm: $x \\gets \\mathsf{Samp}(I)$.\n\\item The deterministic \\textbf{evaluation} algorithm: $y := f_I(x)$.\n\\end{enumerate}\n\\end{definition}\n\\end{frame}\n%\\begin{frame}\\frametitle{Families of Function and Permutation}\n%\\begin{definition}\n%$\\Pi = (\\mathsf{Gen}, \\mathsf{Samp}, \\mathsf{f})$ of \\textsc{ppt} algorithms is a \\textbf{family of functions} if:\n%\\begin{enumerate}\n%\\item \\textbf{Parameter-generation} algorithm $\\mathsf{Gen}$, on input $1^n$, outputs parameters $I$ with $\\abs{I} \\ge n$. $I$ defines the domain $\\mathcal{D}_I$ and the range $\\mathcal{R}_I$, of a function $f_I$.\n%\\item \\textbf{sampling} algorithm $\\mathsf{Samp}$, on input $I$, outputs a uniformly distributed element of $\\mathcal{D}_I$.\n%\\item The deterministic \\textbf{evaluation} algorithm $f$, on input $I$ and $x \\in \\mathcal{D}_I$, outputs an element $y \\in \\mathcal{R}_I$. $y := f_I(x)$.\n%\\end{enumerate}\n%$\\Pi$ is a \\textbf{family of permutations} if for each value of $I$ output by $\\mathsf{Gen}(1^n)$, it holds that $\\mathcal{D}_I = \\mathcal{R}_I$ and the function $f_I\\;:\\;\\mathcal{D}_I \\to \\mathcal{D}_I$ is a bijection.\n%\\end{definition}\n%\\end{frame}\n\\begin{frame}\\frametitle{Families of OWF and OWP}\nThe inverting experiment $\\mathsf{Invert}_{\\mathcal{A},\\Pi}(n)$:\n\\begin{enumerate}\n\\item $\\mathsf{Gen}(1^n)$ obtains $I$, $\\mathsf{Samp}(I)$ obtains a random $x \\gets \\mathcal{D}_I$. $y := f_I(x)$.\n\\item $\\mathcal{A}$ is given $I$ and $y$ as input, and outputs $x'$.\n\\item $\\mathsf{Invert}_{\\mathcal{A},\\Pi}(n) = 1$ if $f_I(x')=y$, and 0 otherwise.\n\\end{enumerate}\n\\begin{definition}\na function/permutation family $\\Pi$ is \\textbf{one-way} if $\\forall$ \\textsc{ppt} $\\mathcal{A}$, $\\exists\\; \\mathsf{negl}$ such that\n\\[ \\Pr[\\mathsf{Invert}_{\\mathcal{A},\\Pi}(n)=1] \\le \\mathsf{negl}(n). \\] \n\\end{definition}\n\\end{frame}\n\\end{comment}\n\\begin{frame}\\frametitle{Candidate One-Way Function}\n\\begin{itemize}\n\\item \\textbf{Multiplication and factoring}:\\\\\n$f_{\\mathsf{mult}}(x,y)=(xy,\\|x\\|,\\|y\\|)$, $x$ and $y$ are equal-length primes.\n\\item \\textbf{Modular squaring and square roots}:\\\\\n$f_{\\mathsf{square}}(x)=x^2\\bmod N$.\n\\item \\textbf{Discrete exponential and logarithm}:\\\\\n$f_{g,p}(x)=g^x\\bmod p$.\n\\item \\textbf{Subset sum problem}:\\\\\n$f(x_1,\\dotsc,x_n,J)=(x_1,\\dotsc,x_n,\\sum_{j \\in J} x_j)$.\n\\item \\textbf{Cryptographically secure hash functions}:\\\\\nPractical solutions for one-way computation.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}{Examples}\n\\begin{exampleblock}{$f:\\ \\{0,1\\}^{128} \\to \\{0,1\\}^{128}$ is a OWF. Is $f'$ OWF?}\n\\begin{itemize}\n\\item $f'(x) = f(x)\\| x$\n%\\item $f'(x) = f(x)\\oplus 1^{\\abs{x}}$\n\\item $f'(x\\|x') = f(x)\\|x'$\n\\item $f'(x) = f(x) \\oplus f(x)$\n\\item $ f'(x) = \\left\\{ \n \\begin{array}{l l}\n f(x) & \\quad \\text{if $x[0,1,2,3] \\neq 1010$}\\\\\n x & \\quad \\text{otherwise}\\\\\n \\end{array} \\right. $\n\\item $ f'(x) = \\left\\{ \n \\begin{array}{l l}\n f(x) & \\quad \\text{if $x \\neq 1010\\|0^{124}$}\\\\\n x & \\quad \\text{otherwise}\\\\\n \\end{array} \\right. $\n\\item more examples in homework\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Hard-Core Predicates (HCP) [Blum-Micali]}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hcp}\n\\end{center}\n\\end{figure}\n\\begin{definition}\nA function $\\mathsf{hc}\\; : \\; \\{0,1\\}^* \\to \\{0,1\\}$ is a \\textbf{hard-core predicate of a function} $f$ if (1) $\\mathsf{hc}$ can be computed in polynomial time, and (2) $\\forall$ \\textsc{ppt} $\\mathcal{A}$, $\\exists\\; \\mathsf{negl}$ such that\n\\[ \\Pr_{\\substack{x \\gets \\{0,1\\}^n}}[\\mathcal{A}(f(x)) = \\mathsf{hc}(x)] \\le \\frac{1}{2} + \\mathsf{negl}(n). \\]\n\\end{definition}\n\\end{frame}\n\\begin{frame}\\frametitle{A HCP for Any OWF}\n\\begin{theorem}\n$f$ is OWF. Then $\\exists$ an OWF $g$ along with an HCP $\\mathsf{gl}$ for $g$. If $f$ is a permutation then so is $g$.\n\\end{theorem}\n\\begin{alertblock}{}\n\\alert{Q: is $\\mathsf{gl}(x) = \\bigoplus^{n}_{i=1} x_i$ the HCP of any OWF?}\n\\end{alertblock}\n\\begin{proof}\n$g(x,r) \\overset{\\text{def}}{=} (f(x), r)$, for $\\abs{x} = \\abs{r}$, and define\n\\[ \\mathsf{gl}(x,r) \\overset{\\text{def}}{=} \\bigoplus^{n}_{i=1} x_i \\cdot r_i. \\]\n$r$ is generated uniformly at random. [Goldreich and Levin]\n\\end{proof}\n\\end{frame}\n\\section{From OWF to PRP}\n\\begin{frame}\\frametitle{PRG from OWP: Blum-Micali Generator}\n\\begin{theorem}\n$f$ is an OWP and $\\mathsf{hc}$ is an HCP of $f$. Then $G(s) \\overset{\\text{def}}{=} (f(s), \\mathsf{hc}(s))$ constitutes a PRG with expansion factor $\\ell(n) = n+1$, then $\\forall$ polynomial $p(n) > n$, $\\exists$ a PRG with expansion factor $\\ell(n) = p(n)$.\n\\end{theorem}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/ePRG}\n\\end{center}\n\\end{figure}\n%\\[ G(s) = (f^{p'(n)}(s),\\mathsf{hc}_{[p'(n)-1]}(f^{[p'(n)-1]}(s)),\\dotsc,\\mathsf{hc}_0(s)), \\]\n%is a PRG with expansion factor $p(n) = n + p'(n)$.\n\\end{frame}\n\\begin{frame}\\frametitle{PRF from PRG [Goldreich, Goldwasser, Micali]}\n\\begin{theorem}\nIf $\\exists$ a PRG with expansion factor $\\ell(n) = 2n$, then $\\exists$ a PRF.\n\\end{theorem}\n$G(k) = G_{0}(k)\\| G_{1}(k)$\n\\begin{figure}\n\\begin{center}\n\\input{tikz/cPRF}\n\\end{center}\n\\end{figure}\n\\[F_k(x_1x_2\\cdots x_n) = G_{x_n}(\\cdots(G_{x_2}(G_{x_1}(k)))\\cdots), G(s)=(G_0(s),G_1(s)).\\]\n\\end{frame}\n\\begin{frame}\\frametitle{PRP from PRF [Lucy, Rackoff]}\n\\begin{columns}[c]\n\\column{.5\\textwidth}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/feistel-prp}\n\\end{center}\n\\end{figure}\n\\column{.5\\textwidth}\n$F^{(r)}$ is an $r$-round Feistel network with the mangler function $F$.\n\\begin{theorem}\nIf $F$ is a length-preserving PRF, then $F^{(3)}$ is a PRP, and $F^{(4)}$ is a strong PRP, \nthat maps $2n$-bit strings to $2n$-bit strings (and uses a key of length $3n$ and $4n$).\n\\end{theorem}\n\\alert{Show that 1- or 2-round Feistel network is not a PRF.}\n\\end{columns}\n\\end{frame}\n\\begin{frame}\\frametitle{Necessary Assumptions}\n\\begin{theorem}\nAssume that $\\exists$ OWP. Then $\\exists$ PRG, PRF, strong PRP, and CCA-secure private-key encryption schemes.\n\\end{theorem}\n\\begin{proposition}\nIf $\\exists$ a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper, then $\\exists$ an OWF.\n\\end{proposition}\n\\begin{proof}\n$f(k,m,r) \\overset{\\text{def}}{=} (\\mathsf{Enc}_k(m,r),m)$, where $\\abs{k}=n, \\abs{m}=2n, \\abs{r}=\\ell(n)$. See the textbook for details.\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Summary}\n\\begin{itemize}\n\\item OWF implies secure private-key encryption scheme\n\\item Secure private-key encryption scheme implies OWF\n\\end{itemize}\n\\end{frame}\n\\end{document}\n" }, { "path": "source/6mac-crhf.tex", "content": "\\input{source/header/main.tex}\n\n\\title{Message Authentication Codes and Collision-Resistant Hash Functions}\n\n\\begin{document}\n\\maketitle\n\\begin{frame}\n\\frametitle{Outline}\n\\tableofcontents\n\\end{frame}\n\\section{Message Authentication Codes (MAC) -- Definitions}\n\\begin{frame}\\frametitle{Integrity and Authentication}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/integrity}\n\\input{tikz/authentication}\n\\end{center}\n\\end{figure}\n\\end{frame}\n\\begin{frame}\\frametitle{The Syntax of MAC}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/mac}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item key $k$, tag $t$, a bit $b$ means $\\mathsf{valid}$ if $b=1$; $\\mathsf{invalid}$ if $b=0$.\n\\item \\textbf{Key-generation} algorithm~$k \\gets \\mathsf{Gen}(1^n), \\abs{k} \\ge n$.\n\\item \\textbf{Tag-generation} algorithm~$t \\gets \\mathsf{Mac}_k(m)$.\n\\item \\textbf{Verification} algorithm~$b:= \\mathsf{Vrfy}_k(m,t)$.\n\\item \\textbf{Message authentication code}: $\\Pi = (\\mathsf{Gen}, \\mathsf{Mac}, \\mathsf{Vrfy})$.\n\\item \\textbf{Basic correctness requirement}: $\\mathsf{Vrfy}_k(m,\\mathsf{Mac}_k(m)) = 1$.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Security of MAC}\n\\begin{itemize}\n\\item \\textbf{Intuition}: No adversary should be able to generate a \\textbf{valid} tag on any ``\\textbf{new}'' message\\footnote{A stronger requirement is concerning \\emph{new message/tag pair}.} that was not previously sent.\n\\item \\textbf{Replay attack}: Copy a message and tag previously sent. (\\textbf{excluded by only considering ``new'' message})\n\\begin{itemize}\n\\item Sequence numbers: receiver must store the previous ones.\n\\item Time-Stamps: sender/receiver maintain synchronized clocks.\n\\end{itemize}\n\\item \\textbf{Existential unforgeability}: \\textbf{Not} be able to forge a valid tag on \\textbf{any} message.\n\\begin{itemize}\n\\item \\textbf{Existential forgery}: \\emph{at least one} message.\n\\item \\textbf{Selective forgery}: message chosen \\emph{prior} to the attack.\n\\item \\textbf{Universal forgery}: \\emph{any} given message.\n\\end{itemize}\n\\item \\textbf{Adaptive chosen-message attack (CMA)}: be able to obtain tags on \\emph{any} message chosen adaptively \\emph{during} its attack.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{MAC Applications \\footnote{from The Joy of Cryptography}}\n\\begin{itemize}\n\\item \\textbf{Browser cookie}: includes a MAC tag of the user's account generated by the web server, against the attacker forging others' cookies.\n\\item \\textbf{TCP SYN cookie}: The server's initial sequence number includes a MAC tag of the client's IP address, port number and some other values generated by the server, against ``half-open'' DDoS attack in TCP handshake.\n\\item \\textbf{Timed one-time passwords}: $p=\\mathsf{Mac}_k(T)$, where $k$ is the key shared between the user and the service provider, $T$ is the current date $+$ time (usually rounded to the nearest 30 seconds.) The attacker who learns the current $p$ can not gain access to your account in the future.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Definition of MAC Security}\nThe message authentication experiment $\\mathsf{Macforge}_{\\mathcal{A},\\Pi }(n)$:\n\\begin{enumerate}\n\\item $k \\gets \\mathsf{Gen}(1^n)$.\n\\item $\\mathcal{A}$ is given input $1^n$ and oracle access to $\\mathsf{Mac}_k(\\cdot)$, and outputs $(m,t)$. $\\mathcal{Q}$ is the set of queries to its oracle.\n\\item $\\mathsf{Macforge}_{\\mathcal{A},\\Pi }(n)=1 \\iff$ $\\mathsf{Vrfy}_k(m,t)=1$ $\\land$ $m \\notin \\mathcal{Q}$. \n\\end{enumerate}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/macforge-exp.tex}\n\\end{center}\n\\end{figure}\n\\begin{definition}\nA MAC $\\Pi$ is \\textbf{existentially unforgeable under an adaptive CMA} if $\\forall$ \\textsc{ppt} $\\mathcal{A}$, $\\exists$ $\\mathsf{negl}$ such that:\n$ \\Pr [\\mathsf{Macforge}_{\\mathcal{A},\\Pi }(n)=1] \\le \\mathsf{negl}(n). $\n\\end{definition}\n\\end{frame}\n\\begin{frame}\\frametitle{Real World Case}\n\\begin{exampleblock}{The 802.11b Insecure MAC\\footnote{from \nBonehShoup v0.5 p.234}}\nConsider a variant of WiFi encryption in 802.11b WEP (Wired Equivalent Privacy). Let $F$ be a PRF with a 32-bit length output. Let CRC32 be an error-detecting code outputting a 32-bit string. Define the following MAC scheme:\n\\[ S(k, m) := ( r \\gets \\{ 0,1 \\}^n, t \\gets F(k, r) \\oplus \\mathsf{CRC32}(m) )\n\\]\n\\[ V(k, m, (r, t)) := 1 \\quad \\mathsf{if} \\quad t = F(k, r) \\oplus \\mathsf{CRC32}(m) \n\\]\n\\begin{itemize}\n\\item Different messages may have the same CRC32 output.\n\\item Attacker can learn $F(k, r)$ from a valid tag, and then output $(m', (r, F(k, r) \\oplus \\mathsf{CRC32}(m')))$.\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\\begin{frame}\\frametitle{Questions}\n\\begin{exampleblock}{Suppose $\\left$ are CMA-secure, are $\\left$ secure?}\n\\begin{itemize}\n%\\item Suppose an attacker can find $m_{0} \\neq m_{1}$ s.t. $t_{0} = t_{1}$ for $\\frac{1}{8}$.\n%\\item Suppose tag is always $32$ bits long.\n\\item $S'_{k}(m) = (S_{k}(m),m)$, \n$V'_{k}(m,(t_{1},t_{2})) = V_{k}(m,t_{1}) \\land t_{2} = m$\n\\item $S'_{k_{1},k_{2}}(m) = (S_{k1}(m),S_{k_{2}}(m))$\\\\\n$V'_{k_{1},k_{2}}(m,(t_{1},t_{2})) = V_{k1}(m,t_{1}) \\land V_{k_{2}}(m,t_{2})$\n\\item $S'_{k}(m) = (S_{k}(m),S_{k}(m))$\\\\\n$ V'_{k}(m,(t_{1},t_{2})) = \\left\\{\n \\begin{array}{l l}\n V_{k}(m,t_{1}) & \\quad \\text{if $t_{1}=t_{2}$}\\\\\n 0 & \\quad \\text{otherwise}\\\\\n \\end{array} \\right. $\n\\item $S'_{k}(m) = (S_{k}(m),S_{k}(0^{n}))$\\\\\n$ V'_{k}(m,(t_{1},t_{2})) = V_{k}(m,t_{1}) \\land V_{k}(0^{n},t_{2})$\n\\item $S'_{k}(m) = S_{k}(m)$, \n$ V'_{k}(m,t) = \\left\\{ \n \\begin{array}{l l}\n V_{k}(m,t) & \\quad \\text{if $m \\neq 0^{n}$}\\\\\n 1 & \\quad \\text{otherwise}\\\\\n \\end{array} \\right. $\n\\item $S'_{k}(m) = S_{k}(m)\\ \\text{without the LSB}$ \\\\\n$V'_{k}(m,t) = V_{k}(m,t\\| 0)\\ \\lor \\ V_{k}(m,t\\| 1)$\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\n\\section{Constructing Secure MAC}\n\\begin{frame}\\frametitle{Constructing Secure MAC}\n\\begin{columns}[c]\n\\column{.4\\textwidth}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/macwithprf}\n\\end{center}\n\\end{figure}\n\\column{.6\\textwidth}\n\\begin{construction}\n\\begin{itemize}\n\\item $F$ is PRF. $\\abs{m} = n$.\n\\item $\\mathsf{Gen}(1^n)$: $k \\gets \\{0,1\\}^n$ \\emph{u.a.r}.\n\\item $\\mathsf{Mac}_k(m)$: $t := F_k(m)$.\n\\item $\\mathsf{Vrfy}_k(m,t)$: $1 \\iff t \\overset{?}{=} F_k(m)$.\n\\end{itemize}\n\\end{construction}\n\\begin{theorem}\\label{thm:mac}\nIf $F$ is a PRF, Construction is a secure fixed-length MAC.\n\\end{theorem}\n\\end{columns}\n\\begin{lemma}\n\\textbf{Truncating MACs based on PRFs}:\nIf $F$ is a PRF, so is $F^t_k(m) = F_k(m)[1,\\dots,t]$.\n\\end{lemma}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of Secure MAC from PRF}\n\\textbf{Idea}: Show $\\Pi$ is secure unless $F_k$ is not PRF by reduction. \n\\begin{proof}\n$D$ distinguishes $F_k$; $\\mathcal{A}$ attacks $\\Pi$. \n\\begin{figure}\n\\begin{center}\n\\input{tikz/pgfMAC}\n\\end{center}\n\\end{figure}\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of Secure MAC from PRF (Cont.)}\n\\begin{proof}\n(1) If true random $f$ is used, $t=f(m)$ is uniformly distributed.\n\\[ \\Pr[D^{f(\\cdot)}(1^n)=1] = \\Pr[\\mathsf{Macforge}_{\\mathcal{A},\\tilde{\\Pi}}(n) = 1] \\le 2^{-n}.\\]\n(2) If $F_k$ is used, conduct the experiment $\\mathsf{Macforge}_{\\mathcal{A},\\Pi}(n)$. \n\\[ \\Pr[D^{F_k(\\cdot)}(1^n)=1] = \\Pr[\\mathsf{Macforge}_{\\mathcal{A},\\Pi}(n) = 1] = \\varepsilon(n).\\]\nAccording to the definition of PRF,\n\\[ \\left| \\Pr[D^{F_k(\\cdot)}(1^n)=1] - \\Pr[D^{f(\\cdot)}(1^n)=1] \\right| \\ge \\varepsilon(n) - 2^{-n}. \\]\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Extension to Variable-Length Messages}\n\\begin{exampleblock}{For variable-length messages, would the following suggestions be secure?}\n\\begin{itemize}\n\\item \\textbf{Suggestion 1}: XOR all the blocks together and authenticate the result. $t := \\mathsf{Mac}_k'(\\oplus_i m_i)$.\n\\item \\textbf{Suggestion 2}: Authenticate each block separately. $t_i := \\mathsf{Mac}_k'(m_i)$.\n\\item \\textbf{Suggestion 3}: Authenticate each block along with a sequence number. $t_i := \\mathsf{Mac}_k'(i\\| m_i)$.\n%\\item \\textbf{Weakness}: forgeable, changing the order, dropping blocks.\n\\end{itemize}\n\\end{exampleblock}\n%\\item \\textbf{Countermeasure}: add information. \n%\\begin{itemize}\n%\\item random ``\\textbf{message identifier}'' provides randomness; prevents combination.\n%\\item \\textbf{sequence number} prevents reordering.\n%\\item the \\textbf{length} of message prevents dropping/appending.\n%\\end{itemize}\n%\\end{itemize}\n\\end{frame}\n\\begin{comment}\n\\begin{frame}\\frametitle{Constructing Secure Variable-Length MAC}\n\\begin{construction}\n\\begin{itemize}\n\\item $\\Pi' = (\\mathsf{Gen}', \\mathsf{Mac}', \\mathsf{Vrfy}')$ be a fixed-length MAC.\n\\item $\\mathsf{Gen}$: is identical to $\\mathsf{Gen}'$.\n\\item $\\mathsf{Mac}$: $m$ of length $\\ell < 2^{n/4}$ and of $d$ blocks $m_1,\\dotsc,m_d $ of length $n/4$ (padded with 0s); $r \\gets \\{0,1\\}^{n/4}$.\\\\\nFor $i=1,\\dotsc,d$, $t_i \\gets \\mathsf{Mac}_k'(r\\| \\ell\\| i\\| m_i)$, $i$ and $\\ell$ are uniquely encoded as strings of length $n/4$.\\\\\nOutput $t:=\\left$.\n\\item $\\mathsf{Vrfy}$: Input $m$ of $d'$ blocks and check $d'=d$.\\\\\nOutput $1 \\iff \\mathsf{Vrfy}_k'(r\\| \\ell\\| i\\| m_i, t_i)=1$ for $1\\le i \\le d$.\n\\end{itemize}\n\\end{construction}\n\\begin{theorem}\nIf $\\Pi'$ is a secure fixed-length MAC, Construction is a secure MAC.\n\\end{theorem}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of Secure Variable-Length MAC}\n\\textbf{Intuition}: The extra information prevents all possible attacks.\n\\begin{proof}\n\\begin{description}\n\\item[$\\mathsf{Repeat}$]: the same identifier $r$ is used twice by oracle $\\mathcal{O}$. \n\\item[$\\mathsf{Forge}$]: at least one new block $r\\| \\ell\\| i\\| m_i$ is forged. \n\\item[$\\mathsf{Break}$]: $\\mathsf{Macforge}_{\\mathcal{A},\\Pi }(n)=1, \\Pr[\\mathsf{Break}]=\\varepsilon(n)$. \n\\end{description}\n\\[\n\\begin{split}\n\t\\Pr[\\mathsf{Break}] =& \\Pr[\\mathsf{Break} \\land \\mathsf{Repeat}] + \\Pr[\\mathsf{Break} \\land \\overline{\\mathsf{Repeat}} \\land \\overline{\\mathsf{Forge}}] \\\\\n\t&+ \\Pr[\\mathsf{Break} \\land \\overline{\\mathsf{Repeat}} \\land \\mathsf{Forge}].\n\\end{split}\n\\]\nTo prove the below statements:\n\\begin{enumerate}\n\\item $\\Pr[\\mathsf{Break} \\land \\mathsf{Repeat}] \\le \\Pr[\\mathsf{Repeat}] \\le \\mathsf{negl}(n)$.\n\\item $\\Pr[\\mathsf{Break} \\land \\overline{\\mathsf{Repeat}} \\land \\overline{\\mathsf{Forge}}] = 0$.\n\\item For $\\Pi'$, $\\Pr[\\mathsf{Break}'] = \\Pr[\\mathsf{Break} \\land \\mathsf{Forge}] \\ge \\Pr[\\mathsf{Break} \\land \\overline{\\mathsf{Repeat}} \\land \\mathsf{Forge}] \\ge \\varepsilon(n) - \\mathsf{negl}(n)$.\n\\end{enumerate}\n\\end{proof}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of Secure Variable-Length MAC (Cont.)}\n\\begin{proof}\n\\begin{enumerate}\n\\item $r \\gets \\{0,1\\}^{\\frac{n}{4}}$. By ``brithday bound'', $\\Pr[\\mathsf{Repeat}] \\le q(n)^2/2^{\\frac{n}{4}}$.\n\\item If $\\mathsf{Repeat}$ does not occur, $\\mathsf{Break}$ implies $\\mathsf{Forge}$. \\\\\n$\\mathcal{A}$ finally outputs $(m,t), t:=\\left$.\n\\begin{itemize}\n\\item $r$ is new, then $r\\| \\ell\\| i\\| m_i$ is new.\n\\item $r$ is used exactly once, then the queried message $m' \\neq m$. \n\\begin{itemize}\n\\item $\\ell' \\neq \\ell$, then $r\\| \\ell\\| i\\| m_i$ is new.\n\\item $\\ell' = \\ell$, then $\\exists\\; m_i' \\neq m_i$, so $r\\| \\ell\\| i\\| m_i'$ is new.\n\\end{itemize}\n\\end{itemize}\nSo the block is new, $\\mathsf{Forge}$ occurs.\n\\item Reduce $\\mathcal{A}'$ to $\\mathcal{A}$: $\\mathcal{A}'$ attacks $\\Pi'$ with $\\mathcal{A}$ as a sub-routine and answer the queries of $\\mathcal{A}$ with $\\mathcal{A}'$'s own oracle. $\\mathcal{A}$ output $(m,t)$; $\\mathcal{A}'$ parses it and output a new block $(r\\| \\ell\\| i\\| m_i, t_i)$ if possible.\n\\end{enumerate}\n\\end{proof}\n\\end{frame}\n\\end{comment}\n\\section{CBC-MAC}\n\\begin{frame}\\frametitle{Constructing Fixed-Length CBC-MAC}\n\\begin{columns}[c]\n\\column{.5\\textwidth}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CBC-small}\n\\end{center}\n\\end{figure}\n\\column{.5\\textwidth}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CBC-MAC}\n\\end{center}\n\\end{figure}\n\\end{columns}\nModify CBC encryption into CBC-MAC:\n\\begin{itemize}\n\\item Change random $IV$ to encrypted fixed $0^{n}$,\\emph{otherwise}:\\\\\n\\alert{Q: query $m_1$ and get $(IV, t_1)$; output $m_1' = IV' \\oplus IV \\oplus m_{1}$ and $t' =$ \\underline{$\\qquad $}.} %(IV',t_1)$.\n\\item Tag only includes the output of the final block,\\emph{otherwise}:\\\\\n\\alert{Q: query $m_i$ and get $t_i$; output $m_i' = t_{i-1}' \\oplus t_{i-1} \\oplus m_{i}$ and $t_{i}' = $ \\underline{$\\qquad$}.}%$t_i$.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}\\frametitle{Constructing Fixed-Length CBC-MAC (Cont.)}\n\\begin{construction}\n\\begin{itemize}\n\\item a PRF $F$ and a length function $\\ell$. $\\abs{m} = \\ell(n)\\cdot n$.\n$\\ell=\\ell(n)$. $m = m_1,\\dotsc,m_{\\ell}$.\n\\item $\\mathsf{Gen}(1^n)$: $k \\gets \\{0,1\\}^n$ \\emph{u.a.r}.\n\\item $\\mathsf{Mac}_k(m)$: $t_i := F_k(t_{i-1}\\oplus m_i), t_0=0^n$. Output $t = t_\\ell$.\n\\item $\\mathsf{Vrfy}_k(m,t)$: $1 \\iff t \\overset{?}{=} \\mathsf{Mac}_k(m)$.\n\\end{itemize}\n\\end{construction}\n\\begin{theorem}\nIf $F$ is a PRF, Construction is a secure \\textbf{fixed-length} MAC.\n\\end{theorem}\n\\textbf{Not} for \\textbf{variable-length} message:\\\\\n\\alert{Q: For one-block message $m$ with tag $t$, adversary can append a block \\underline{$\\qquad$} and output tag $t$.} %$t\\oplus m$\n\\end{frame}\n\\begin{frame}\\frametitle{Secure Variable-Length MAC}\n\\begin{itemize}\n\\item \\textbf{Input-length key separation}: $k_{\\ell} := F_k(\\ell)$, use $k_{\\ell}$ for CBC-MAC.\n\\item \\textbf{Length-prepending}: Prepend $m$ with $|m|$, then use CBC-MAC.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/VCBC-MAC}\n\\end{center}\n\\end{figure}\n\\item \\textbf{Encrypt last block (ECBC-MAC)}: Use two keys $k_1, k_2$. Get $t$ with $k_1$ by CBC-MAC, then output $\\hat{t} := F_{k_2}(t)$.\n\\end{itemize}\n\\alert{Q: To authenticate a voice stream, which approach do you prefer?}\n\\end{frame}\n\\begin{comment}\n\\begin{frame}{Brute-force Attack against CBC-MAC}\nQuery $2^{\\abs{t}/2}$ message to find $m \\neq m'$ and $t = t'$.\n\\newline\n\n\\textbf{Extension property} of ECBC-MAC:\n\\[ \\forall x,y,z: F_k(x)=F_k(y) \\Rightarrow F_k(x\\|z)=F_k(y\\|z). \\]\n\nSo the tag of $m\\|w$ is the same with that of $m'\\|w$.\n\\newline\n\nLesson: the tag space should be enough large.\\\\\nImprovement: Add a random string $r$, and output $(r, \\mathsf{Mac}_{k'}(t\\|r))$ instead of $t$.\n\\end{frame}\n\\end{comment}\n\\begin{frame}\\frametitle{MAC Padding}\nPadding must be invertible!\\[ m_0\\neq m_1 \\Rightarrow \\mathsf{pad}(m_0) \\neq \\mathsf{pad}(m_1). \\]\n\\textbf{ISO}: pad with ``100\\dots00''. Add dummy block if needed.\\\\\n\\alert{Q: What if no dummy block?} \\\\\n\\textbf{CMAC (Cipher-based MAC from NIST)}: key$=(k,k_1,k_2)$.\n\\begin{figure}\n\\begin{center}\n\\input{tikz/CMAC}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item No final encryption: extension attack thwarted by keyed XOR.\n\\item No dummy block: ambiguity resolved by use of $k_1$ or $k_2$.\n\\end{itemize}\n\\end{frame}\n\\section{Collision-Resistant Hash Functions}\n\\begin{frame}\\frametitle{Defining Hash Function}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/hash}\n\\end{center}\n\\end{figure}\n\\begin{definition}\nA \\textbf{hash function (compression function)} is a pair of \\textsc{ppt} algorithms $(\\mathsf{Gen}, H)$ satisfying:\n\\begin{itemize}\n\\item a key $s \\gets \\mathsf{Gen}(1^n)$, $s$ is \\textbf{not kept secret}.\n\\item $H^s(x) \\in \\{0,1\\}^{\\ell(n)}$, where $x \\in \\{0,1\\}^*$ and $\\ell$ is polynomial.\n\\end{itemize}\nIf $H^s$ is defined only for $x \\in \\{0,1\\}^{\\ell'(n)}$ and $\\ell'(n) > \\ell(n)$, then $(\\mathsf{Gen}, H)$ is a \\textbf{fixed-length} hash function.\n\\end{definition}\n\\end{frame}\n\\begin{frame}\\frametitle{Defining Collision Resistance}\n\\begin{itemize}\n\\item \\textbf{Collision} in $H$: $x \\neq x'$ and $H(x) = H(x')$.\n\\item \\textbf{Collision Resistance}: infeasible for any \\textsc{ppt} alg. to find.\n\\end{itemize}\nThe collision-finding experiment $\\mathsf{Hashcoll}_{\\mathcal{A},\\Pi}(n)$:\n\\begin{enumerate}\n\\item $s \\gets \\mathsf{Gen}(1^n)$.\n\\item $\\mathcal{A}$ is given $s$ and outputs $x, x'$.\n\\item $\\mathsf{Hashcoll}_{\\mathcal{A},\\Pi}(n) =1 \\iff x\\ne x' \\land H^s(x) = H^s(x')$.\n\\end{enumerate}\n\\begin{definition}\n$\\Pi$ ($\\mathsf{Gen}$, $H^s$) is \\textbf{collision resistant} if $\\forall$ \\textsc{ppt} $\\mathcal{A}$, $\\exists\\;\\mathsf{negl}$ such that\n\\[ \\Pr[\\mathsf{Hashcoll}_{\\mathcal{A},\\Pi}(n)=1] \\le \\mathsf{negl}(n).\n\\]\n\\end{definition}\n\\end{frame}\n%\\begin{comment}\n\\begin{frame}\\frametitle{Weaker Notions of Security for Hash Functions}\n\\begin{figure}\n\\begin{center}\n\\input{tikz/collision}\n\\end{center}\n\\end{figure}\n\\begin{itemize}\n\\item \\textbf{Collision resistance}: It is hard to find $(x, x'), x' \\ne x$ such that $H(x) = H(x')$.\n\\item \\textbf{Second pre-image resistance}: Given $s$ and $x$, it is hard to find $x' \\ne x$ such that $H^s(x') = H^s(x)$.\n\\item \\textbf{Pre-image resistance}: Given $s$ and $y = H^s(x)$, it is hard to find $x'$ such that $H^s(x')=y$.\n\\end{itemize}\n\\end{frame}\n\\begin{frame}{Applications of Hash Functions}\n\\begin{itemize}\n\\item \\textbf{Fingerprinting and Deduplication}: $H(alargefile)$ for virus fingerprinting, deduplication, P2P file sharing\n\\item \\textbf{Merkle Trees}: $H(H(H(file1), H(file2)), H(H(file3), H(file4)))$ fingerprinting multiple files / parts of a file\n\\item \\textbf{Password Hashing}: $(salt, H(salt, pw))$ mitigating the risk of leaking password stored in the clear \n\\item \\textbf{Key Derivation}: $H(secret)$ deriving a key from a high-entropy (but not necessarily uniform) shared secret\n\\item \\textbf{Commitment Schemes}: $H(info)$ hiding the commited info; binding the commitment to a info\n\\end{itemize}\n\\end{frame}\n\\begin{frame}{Questions}\n\\begin{exampleblock}{$H$ is CRHF. Is $H'$ CRHF?}\n\\begin{itemize}\n\\item $H'(m) = H(m) \\oplus H(m)$\n\\item $H'(m) = H(m)\\| H(0)$\n\\item $H'(m) = H(m\\| 0)$\n\\item $H'(m) = H(m[0,\\dots,\\abs{m}-2])$\n\\item $H'(m) = H(m)\\oplus H(m\\oplus 1^{\\abs{m}})$ % H(000) = H(111)\n\\item $H'(m) = H(m)[0,\\dots,\\abs{H(m)}-2]$ % truncating is dangerous; two messages have different hash values which have only one difference in the last bit.\n\\end{itemize}\n\\end{exampleblock}\n\\end{frame}\n\n%\\end{comment}\n%\\begin{frame}\\frametitle{Applications of Hash Functions}\n%\\begin{itemize}\n%\\item \\textbf{digital signatures}:CRHF\n%\\item \\textbf{information authentication/integrity check}\n%\\item \\textbf{protection of passwords}: pre-image resistant.\n%\\item \\textbf{confirmation of knowledge/commitment}: CRHF\n%\\item \\textbf{pseudo-random string generation/key derivation}\n%\\item \\textbf{micropayments (e.g. micromint)}\n%\\item \\textbf{construction of MACs, stream/block ciphers}\n%\\end{itemize}\n%\\end{frame}\n\\begin{frame}\\frametitle{The ``Birthday'' Problem}\n\\begin{exampleblock}{The ``Birthday'' Problem}\n\\textbf{Q}: ``\\emph{What size group of people do we need to take such that with probability $1/2$ some pair of people share a birthday?}''\n\\textbf{A}: 23.\n\\end{exampleblock}\n\\begin{lemma}\nChoose $q$ elements \\emph{u.a.r} from a set of size $N$, the probability that $\\exists \\; i \\ne j$ with $y_i = y_j$ is $\\mathsf{coll}(q,N)$, then \n$ \\mathsf{coll}(q,N) \\le \\frac{q^2}{2N} $.\n%\\[ \\mathsf{coll}(q,N) \\ge \\frac{q(q-1)}{4N}\\quad \\text{if}\\; q \\le \\sqrt{2N}.\n%\\]\n%\\[ \\mathsf{coll}(q,N) = \\Theta(q^2/N)\\quad \\text{if}\\; q < \\sqrt{N}.\n%\\]\n\\end{lemma}\n\\begin{exampleblock}{How many different meaningful sentences are below?}\nIt is \\textbf{hard/difficult/challenging/impossible} to \\textbf{imagine/believe} that we will \\textbf{find/locate/hire} another \\textbf{employee/person} having similar \\textbf{abilities/skills/character} as Alice. She has done a \\textbf{great/super} job.\n\\end{exampleblock}\n\\alert{A principle: The length of hash value should be long enough.}\n\\end{frame}\n%\\begin{frame}\\frametitle{A Generic ``Birthday'' Attack}\n%\\begin{itemize}\n%\\item \\textbf{Birthday Attack}: $H : \\{0,1\\}^* \\to \\{0,1\\}^\\ell$. Choose $q$ distinct inputs $x_1,\\dotsc,x_q \\in \\{0,1\\}^{2\\ell}$, check whether any of two $y_i := H(x_i)$ are equal.\n%\\item \\textbf{Birthday problem}: Choose $y_1,\\dotsc,y_q \\gets \\{0,1\\}^{\\ell}$ \\emph{u.a.r}, $\\mathsf{coll}(q,2^{\\ell}) = ?$\n%\\item Collision occurs with a high probability when $\\mathcal{O}(q) = \\mathcal{O}(2^{\\ell/2})$.\n%\\item To let time $T > 2^{\\ell/2}$, then $\\ell = 2\\log T$ at least.\n%\\item Work only for collision resistance, no generic attacks for 2nd pre-image or pre-image resistance better than $2^\\ell$.\n%\\item Require too much space $\\mathcal{O}(2^{\\ell/2})$.\n%\\end{itemize}\n%\\end{frame}\n\\begin{comment}\n\\begin{frame}\\frametitle{Improved Birthday Attack}\n\\begin{algorithm}[H]\n\\SetKwInOut{Input}{input}\n\\SetKwInOut{Output}{output}\n\\SetKw{KwB}{break}\n\\SetKw{KwH}{halt}\n\\DontPrintSemicolon\n\\caption{Improved birthday attack}\n\\Input{A hash function $H : \\{0, 1\\}^*\\to \\{0, 1\\}^\\ell$}\n\\Output{Distinct $x, x'$ with $H(x) = H(x')$}\n\\BlankLine\n$x_0 \\gets \\{0,1\\}^{\\ell+1}$, $x' := x := x_0$\\;\n\\For{$i = 1$ \\KwTo $2^{\\ell/2} +1$}{\n $x := H(x)$, $x' := H(H(x'))$\n \\tcp{$x = H^i(x_0)$, $x' = H^{2i}(x_0)$}\n \\lIf{$x=x'$}{\\KwB}\\;\n}\n\\lIf{$x\\ne x'$}{\\Return fail}\\;\n$x' := x$, $x := x_0$\\;\n\\For{$j=1$ \\KwTo $i$}{\n \\lIf{$H(x)=H(x')$}{\\Return $x, x'$ and \\KwH}\\;\n \\lElse{$x := H(x), x' := H(x')$}\n \\tcp{$x = H^j(x_0)$, $x' = H^{j+i}(x_0)$}\n}\n\\end{algorithm}\n\\end{frame}\n\\begin{frame}\\frametitle{Proof of Improved Birthday Attack}\n\\begin{lemma}\nLet $x_1,\\dotsc,x_q$ be a sequence of values with $x_m = H(x_{m-1})$. If $x_I =x_J$ with $I < J$, then $\\exists\\; i