update

2026-02-12 11:56:24 -06:00
parent c4888b796c
commit 0e28ba6261
4 changed files with 430 additions and 28 deletions
--- a/content/CSE4303/CSE4303_L7.md
+++ b/content/CSE4303/CSE4303_L7.md
@@ -1,6 +1,6 @@
 # CSE4303 Introduction to Computer Security (Lecture 7)
-## Cyptography in Symmetric Systems
+## Cryptography in Symmetric Systems
 ### Symmetric systems
@@ -13,53 +13,132 @@ Symmetric (shared-key) encryption
  - Stream ciphers
  - Block ciphers
-#### Stream ciphers
+## Stream ciphers
 1. Operate on PT one bit at a time (usually), as a bit "stream"
 2. Generate arbitrarily long keystream on demand
-Security abstraction:
+### Keystream
 Keystream $G(k)$ generated from key $k$.
 Encryption:
 $$
 E(k,m) = m \oplus G(k)
 $$
 Decryption:
 $$
 D(k,c) = c \oplus G(k)
 $$
 ### Security abstraction
 1. XOR transfers randomness of keystream to randomness of CT regardless of PT’s content
-2. Security depends on G being “practically” indistinguishable from random string and “practically” unpredictable
+2. Security depends on $G$ being "practically" indistinguishable from random string and "practically" unpredictable
 3. Idea: shouldn’t be able to predict next bit of generator given all bits seen so far
-Keystream $G(k)$
+### Keystream $G(k)$
 - Idea: shouldn’t be able to predict next bit of generator given all bits seen so far
 - Strategies and challenges: many!
 - Idea that doesn’t quite work: Linear Feedback Shift Register (LFSR)
  - Choice of feedback: by algebra
  - Pro: fast, statistically close to random
  - Problem: susceptible to cryptanalysis (b/c linear)
  - LFSR-based
 - Modifications to basic LFSR:
  - Use non-linear combo of multiple LFSRs
  - Use controlled clocking (e.g. only cycle the LFSR when another LFSR outputs a 1)
  - Etc.
 - Others: mod arithmetic-based, other algebraic constructions
-#### Block ciphers
+#### Idea that doesn’t quite work: Linear Feedback Shift Register (LFSR)
-1. Operate on PT one block at a time
+- Choice of feedback: by algebra
-2. Use same key for multiple blocks (with caveats)
+- Pro: fast, statistically close to random
-3. Chaining modes intertwine successive blocks of CT (or not)
+- Problem: susceptible to cryptanalysis (because linear)
-View cipher as a Pseudo-Random Permutation (PRP)
+#### LFSR-based modifications
- PRP defined over $(K, X)$:
+- Use non-linear combo of multiple LFSRs
 - Use controlled clocking (e.g. only cycle the LFSR when another LFSR outputs a 1)
 - Etc.
 #### Others
 - Modular arithmetic-based constructions
 - Other algebraic constructions
 ### Hazards
 1. Weak PRG
 2. Key re-use
 3. Predictable effect of modifying CT on decrypted PT
 #### Weak PRG
 - Makes semantic security impossible
 #### Key re-use
 Suppose:
 $$
-E: K \times X \to X
+c_1 = m_1 \oplus G(k)
 $$
 and
 $$
 c_2 = m_2 \oplus G(k)
 $$
-such that:
+Then:
 $$
 c_1 \oplus c_2 = m_1 \oplus m_2
 $$
-1. There exists an “efficient” deterministic algorithm to evaluate $E(k,x)$.
+This may be enough to recover $m_1$ or $m_2$ using natural language properties.
 2. The function $E( k, \cdot )$ is one-to-one.
 3. There exists an “efficient” inversion algorithm $D(k,y)$.
- i.e. a PRF that is an invertible 1-to-1 mapping from message space to
+##### IV (Initialization Vector)
 message space
 Used to avoid key re-use:
 - IV incremented per frame
 - But repeats after $2^{24}$ frames
 - Sometimes resets to 0
 - Enough to recover key within minutes
 Note:
 - Happens if keystream period is too short
 - Real-world example: WEP attack (802.11b)
 #### Predictable modification of ciphertext
 If attacker modifies ciphertext by XORing $p$:
 Ciphertext becomes:
 $$
 (m \oplus k) \oplus p
 $$
 Decryption yields:
 $$
 m \oplus p
 $$
 - Affects integrity
 - Not CCA-secure for integrity
 ### Summary: Stream ciphers
 Pros
 - Fast
 - Memory-efficient
 - No minimum PT size
 Cons
 - Require good PRG
 - Can never re-use key
 - No integrity mechanism
 Note
 - Integrity mechanisms exist for other symmetric ciphers (block ciphers)
 - "Authenticated encryption"
 Examples / Uses
 - RC4: legacy stream cipher (e.g. WEP)
 - ChaCha / Salsa: Android cell phone encryption (Adiantum)
--- a/content/CSE4303/CSE4303_L8.md
+++ b/content/CSE4303/CSE4303_L8.md
@@ -0,0 +1,320 @@
 # CSE4303 Introduction to Computer Security (Lecture 8)
 ## Block ciphers
 1. Operate on PT one block at a time  
 2. Use same key for multiple blocks (with caveats)  
 3. Chaining modes intertwine successive blocks of CT (or not)  
 ## Security abstraction
 View cipher as a Pseudo-Random Permutation (PRP)
 ### Background: Pseudo-Random Function (PRF)
 Defined over $(K,X,Y)$:
 $$
 F : K \times X \to Y
 $$
 Such that there exists an efficient algorithm to evaluate $F(k,x)$.
 Let:
 - $\text{Funs}[X,Y]$ = set of all functions from $X$ to $Y$  
 - $S_F = \{ F(k,\cdot) \mid k \in K \}$  
 Intuition:
 A PRF is secure if a random function in $\text{Funs}[X,Y]$ is indistinguishable from a random function in $S_F$.
 Adversarial game:
 - Challenger samples $k \leftarrow K$  
 - Or samples $f \leftarrow \text{Funs}[X,Y]$  
 - Adversary queries oracle with $x \in X$  
 - Receives either $F(k,x)$ or $f(x)$  
 - Must distinguish  
 Goal: adversary’s advantage negligible  
 ## PRP Definition
 Defined over $(K,X)$:
 $$
 E : K \times X \to X
 $$
 Such that:
 1. Efficient deterministic algorithm to evaluate $E(k,x)$  
 2. $E(k,\cdot)$ is one-to-one  
 3. Efficient inversion algorithm $D(k,y)$ exists  
 i.e., a PRF that is an invertible one-to-one mapping from message space to message space  
 ## Secure PRP
 Let $\text{Perms}[X]$ be all permutations on $X$.
 Intuition:
 A PRP is secure if a random permutation in $\text{Perms}[X]$ is indistinguishable from a random element of:
 $$
 S_E = \{ E(k,\cdot) \mid k \in K \}
 $$
 Adversarial game:
 - Challenger samples $k \leftarrow K$  
 - Or $\pi \leftarrow \text{Perms}[X]$  
 - Adversary queries $x \in X$  
 - Receives either $E(k,x)$ or $\pi(x)$  
 - Must distinguish  
 Goal: negligible advantage  
 ## Block cipher constructions
 ### Feistel network
 Given:
 $$
 f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n
 $$
 Build invertible function:
 $$
 F : \{0,1\}^{2n} \to \{0,1\}^{2n}
 $$
 Let input be split into $(L_0, R_0)$.
 Round $i$:
 $$
 L_i = R_{i-1}
 $$
 $$
 R_i = L_{i-1} \oplus f_i(R_{i-1})
 $$
 #### Invertibility
 $$
 R_{i-1} = L_i
 $$
 $$
 L_{i-1} = R_i \oplus f_i(L_i)
 $$
 Thus Feistel is invertible regardless of whether $f_i$ is invertible.
 ### Luby–Rackoff Theorem (1985)
 If $f$ is a secure PRF, then 3-round Feistel is a secure PRP.
 ### DES (Data Encryption Standard) — 1976
 - 16-round Feistel network  
 - 64-bit block size  
 - 56-bit key  
 - Round functions:
 $$
 f_i(x) = F(k_i, x)
 $$
 Round function uses:
 - S-box (substitution box) — non-linear  
 - P-box (permutation box)  
 To invert: use keys in reverse order.
 Problem: 56-bit keyspace too small today (brute-force feasible).
 ### Substitution–Permutation Network (SPN)
 Rounds of:
 - Substitution (S-box layer)  
 - Permutation (P-layer)  
 - XOR with round key  
 All layers invertible.
 ### AES (Advanced Encryption Standard) — 2000
 - 10 substitution-permutation rounds (128-bit key version)  
 - 128-bit block size  
 Each round includes:
 - ByteSub (1-byte S-box)  
 - ShiftRows  
 - MixColumns  
 - AddRoundKey  
 Key sizes:
 - 128-bit  
 - 192-bit  
 - 256-bit  
 Currently de facto standard symmetric-key cipher (e.g. TLS/SSL).
 ## Block cipher modes
 ### Challenge
 Encrypt PTs longer than one block using same key while maintaining security.
 ### ECB (Electronic Codebook)
 Encrypt blocks independently:
 $$
 c_i = E(k, m_i)
 $$
 Problem:
 If $m_1 = m_2$, then:
 $$
 c_1 = c_2
 $$
 Not semantically secure.
 #### Formal non-security argument
 Two-block challenge:
 - Adversary submits:
  - $m_0 = \text{"Hello World"}$  
  - $m_1 = \text{"Hello Hello"}$  
 - If $c_1 = c_2$, output 0; else 1  
 Advantage = 1  
 ### CPA model (Chosen Plaintext Attack)
 Attacker:
 - Sees many PT/CT pairs under same key  
 - Can submit arbitrary PTs  
 Definition:
 $$
 \text{Adv}_{CPA}[A,E] =
 \left|
 \Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
 \right|
 $$
 Must be negligible.
 ECB fails CPA security.
 ### Moral
 If same secret key is used multiple times, given same PT twice, encryption must produce different CT outputs.
 ## Secure block modes
 ### Idea
 Augment key with:
 - Per-block nonce  
 - Or chaining data from prior blocks  
 ### CBC (Cipher Block Chaining)
 $$
 c_1 = E(k, m_1 \oplus IV)
 $$
 $$
 c_i = E(k, m_i \oplus c_{i-1})
 $$
 IV must be random/unpredictable.
 ### CFB (Cipher Feedback)
 Uses previous ciphertext as input feedback into block cipher.
 ### OFB (Output Feedback)
 $$
 s_i = E(k, s_{i-1})
 $$
 $$
 c_i = m_i \oplus s_i
 $$
 Can pre-compute keystream.
 Acts like stream cipher.
 ### CTR (Counter Mode)
 $$
 c_i = m_i \oplus E(k, \text{nonce} \| \text{counter}_i)
 $$
 Encryption and decryption parallelizable.
 Nonce must be unique.
 ### GCM (Galois Counter Mode)
 - Most popular ("AES-GCM")  
 - Provides authenticated encryption  
 - Confidentiality + integrity  
 ## Nonce-based semantic security
 Encryption:
 $$
 c = E(k, m, n)
 $$
 Adversarial experiment:
 - Challenger picks $k$  
 - Adversary submits $(m_{i,0}, m_{i,1})$ and nonce $n_i$  
 - Receives $c_i = E(k, m_{i,b}, n_i)$  
 - Nonces must be distinct  
 Definition:
 $$
 \text{Adv}_{nCPA}[A,E] =
 \left|
 \Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
 \right|
 $$
 In practice:
 - CBC: IV must be random  
 - CTR/GCM: nonce must be unique but not necessarily random  
 ## Symmetric Encryption Summary
 ### Stream Ciphers
 - Rely on secure PRG  
 - No key re-use  
 - Fast  
 - Low memory  
 - Less robust  
 - No built-in integrity  
 ### Block Ciphers
 - Rely on secure PRP  
 - Allow key re-use across blocks (secure mode required)  
 - Provide authenticated encryption in some modes (e.g. GCM)  
 - Slower  
 - Higher memory  
 - More robust  
 - Used in most practical secure systems (e.g. TLS)  
--- a/content/CSE4303/CSE4303_L9.md
+++ b/content/CSE4303/CSE4303_L9.md
@@ -0,0 +1 @@
 # CSE4303 Introduction to Computer Security (Lecture 9)
--- a/content/CSE4303/_meta.js
+++ b/content/CSE4303/_meta.js
@@ -10,4 +10,6 @@ export default {
    CSE4303_L5: "Introduction to Computer Security (Lecture 5)",
    CSE4303_L6: "Introduction to Computer Security (Lecture 6)",
    CSE4303_L7: "Introduction to Computer Security (Lecture 7)",
    CSE4303_L8: "Introduction to Computer Security (Lecture 8)",
    CSE4303_L9: "Introduction to Computer Security (Lecture 9)",
 }
		`@@ -0,0 +1 @@`
							`# CSE4303 Introduction to Computer Security (Lecture 9)`