Trance-0/NoteNextra-origin
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Trance-0
2026-02-12 11:56:24 -06:00
parent c4888b796c
commit 0e28ba6261
4 changed files with 430 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
content/CSE4303/CSE4303_L7.md
View File

@@ -1,6 +1,6 @@
# CSE4303 Introduction to Computer Security (Lecture 7)
## Cyptography in Symmetric Systems
## Cryptography in Symmetric Systems
### Symmetric systems
@@ -13,53 +13,132 @@ Symmetric (shared-key) encryption
- Stream ciphers
- Block ciphers
#### Stream ciphers
## Stream ciphers
1. Operate on PT one bit at a time (usually), as a bit "stream"
2. Generate arbitrarily long keystream on demand
Security abstraction:
### Keystream
Keystream $G(k)$ generated from key $k$.
Encryption:
$$
E(k,m) = m \oplus G(k)
$$
Decryption:
$$
D(k,c) = c \oplus G(k)
$$
### Security abstraction
1. XOR transfers randomness of keystream to randomness of CT regardless of PTs content
2. Security depends on G being practically indistinguishable from random string and practically unpredictable
2. Security depends on $G$ being "practically" indistinguishable from random string and "practically" unpredictable
3. Idea: shouldnt be able to predict next bit of generator given all bits seen so far
Keystream $G(k)$
### Keystream $G(k)$
- Idea: shouldnt be able to predict next bit of generator given all bits seen so far
- Strategies and challenges: many!
- Idea that doesnt quite work: Linear Feedback Shift Register (LFSR)
- Choice of feedback: by algebra
- Pro: fast, statistically close to random
- Problem: susceptible to cryptanalysis (b/c linear)
- LFSR-based
- Modifications to basic LFSR:
- Use non-linear combo of multiple LFSRs
- Use controlled clocking (e.g. only cycle the LFSR when another LFSR outputs a 1)
- Etc.
- Others: mod arithmetic-based, other algebraic constructions
#### Block ciphers
#### Idea that doesnt quite work: Linear Feedback Shift Register (LFSR)
1. Operate on PT one block at a time
2. Use same key for multiple blocks (with caveats)
3. Chaining modes intertwine successive blocks of CT (or not)
- Choice of feedback: by algebra
- Pro: fast, statistically close to random
- Problem: susceptible to cryptanalysis (because linear)
View cipher as a Pseudo-Random Permutation (PRP)
#### LFSR-based modifications
- PRP defined over $(K, X)$:
- Use non-linear combo of multiple LFSRs
- Use controlled clocking (e.g. only cycle the LFSR when another LFSR outputs a 1)
- Etc.
#### Others
- Modular arithmetic-based constructions
- Other algebraic constructions
### Hazards
1. Weak PRG
2. Key re-use
3. Predictable effect of modifying CT on decrypted PT
#### Weak PRG
- Makes semantic security impossible
#### Key re-use
Suppose:
$$
E: K \times X \to X
c_1 = m_1 \oplus G(k)
$$
and
$$
c_2 = m_2 \oplus G(k)
$$
such that:
Then:
$$
c_1 \oplus c_2 = m_1 \oplus m_2
$$
1. There exists an “efficient” deterministic algorithm to evaluate $E(k,x)$.
2. The function $E( k, \cdot )$ is one-to-one.
3. There exists an “efficient” inversion algorithm $D(k,y)$.
This may be enough to recover $m_1$ or $m_2$ using natural language properties.
- i.e. a PRF that is an invertible 1-to-1 mapping from message space to
message space
##### IV (Initialization Vector)
Used to avoid key re-use:
- IV incremented per frame
- But repeats after $2^{24}$ frames
- Sometimes resets to 0
- Enough to recover key within minutes
Note:
- Happens if keystream period is too short
- Real-world example: WEP attack (802.11b)
#### Predictable modification of ciphertext
If attacker modifies ciphertext by XORing $p$:
Ciphertext becomes:
$$
(m \oplus k) \oplus p
$$
Decryption yields:
$$
m \oplus p
$$
- Affects integrity
- Not CCA-secure for integrity
### Summary: Stream ciphers
Pros
- Fast
- Memory-efficient
- No minimum PT size
Cons
- Require good PRG
- Can never re-use key
- No integrity mechanism
Note
- Integrity mechanisms exist for other symmetric ciphers (block ciphers)
- "Authenticated encryption"
Examples / Uses
- RC4: legacy stream cipher (e.g. WEP)
- ChaCha / Salsa: Android cell phone encryption (Adiantum)

320
content/CSE4303/CSE4303_L8.md Normal file
View File

@@ -0,0 +1,320 @@
# CSE4303 Introduction to Computer Security (Lecture 8)
## Block ciphers
1. Operate on PT one block at a time
2. Use same key for multiple blocks (with caveats)
3. Chaining modes intertwine successive blocks of CT (or not)
## Security abstraction
View cipher as a Pseudo-Random Permutation (PRP)
### Background: Pseudo-Random Function (PRF)
Defined over $(K,X,Y)$:
$$
F : K \times X \to Y
$$
Such that there exists an efficient algorithm to evaluate $F(k,x)$.
Let:
- $\text{Funs}[X,Y]$ = set of all functions from $X$ to $Y$
- $S_F = \{ F(k,\cdot) \mid k \in K \}$
Intuition:
A PRF is secure if a random function in $\text{Funs}[X,Y]$ is indistinguishable from a random function in $S_F$.
Adversarial game:
- Challenger samples $k \leftarrow K$
- Or samples $f \leftarrow \text{Funs}[X,Y]$
- Adversary queries oracle with $x \in X$
- Receives either $F(k,x)$ or $f(x)$
- Must distinguish
Goal: adversarys advantage negligible
## PRP Definition
Defined over $(K,X)$:
$$
E : K \times X \to X
$$
Such that:
1. Efficient deterministic algorithm to evaluate $E(k,x)$
2. $E(k,\cdot)$ is one-to-one
3. Efficient inversion algorithm $D(k,y)$ exists
i.e., a PRF that is an invertible one-to-one mapping from message space to message space
## Secure PRP
Let $\text{Perms}[X]$ be all permutations on $X$.
Intuition:
A PRP is secure if a random permutation in $\text{Perms}[X]$ is indistinguishable from a random element of:
$$
S_E = \{ E(k,\cdot) \mid k \in K \}
$$
Adversarial game:
- Challenger samples $k \leftarrow K$
- Or $\pi \leftarrow \text{Perms}[X]$
- Adversary queries $x \in X$
- Receives either $E(k,x)$ or $\pi(x)$
- Must distinguish
Goal: negligible advantage
## Block cipher constructions
### Feistel network
Given:
$$
f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n
$$
Build invertible function:
$$
F : \{0,1\}^{2n} \to \{0,1\}^{2n}
$$
Let input be split into $(L_0, R_0)$.
Round $i$:
$$
L_i = R_{i-1}
$$
$$
R_i = L_{i-1} \oplus f_i(R_{i-1})
$$
#### Invertibility
$$
R_{i-1} = L_i
$$
$$
L_{i-1} = R_i \oplus f_i(L_i)
$$
Thus Feistel is invertible regardless of whether $f_i$ is invertible.
### LubyRackoff Theorem (1985)
If $f$ is a secure PRF, then 3-round Feistel is a secure PRP.
### DES (Data Encryption Standard) — 1976
- 16-round Feistel network
- 64-bit block size
- 56-bit key
- Round functions:
$$
f_i(x) = F(k_i, x)
$$
Round function uses:
- S-box (substitution box) — non-linear
- P-box (permutation box)
To invert: use keys in reverse order.
Problem: 56-bit keyspace too small today (brute-force feasible).
### SubstitutionPermutation Network (SPN)
Rounds of:
- Substitution (S-box layer)
- Permutation (P-layer)
- XOR with round key
All layers invertible.
### AES (Advanced Encryption Standard) — 2000
- 10 substitution-permutation rounds (128-bit key version)
- 128-bit block size
Each round includes:
- ByteSub (1-byte S-box)
- ShiftRows
- MixColumns
- AddRoundKey
Key sizes:
- 128-bit
- 192-bit
- 256-bit
Currently de facto standard symmetric-key cipher (e.g. TLS/SSL).
## Block cipher modes
### Challenge
Encrypt PTs longer than one block using same key while maintaining security.
### ECB (Electronic Codebook)
Encrypt blocks independently:
$$
c_i = E(k, m_i)
$$
Problem:
If $m_1 = m_2$, then:
$$
c_1 = c_2
$$
Not semantically secure.
#### Formal non-security argument
Two-block challenge:
- Adversary submits:
- $m_0 = \text{"Hello World"}$
- $m_1 = \text{"Hello Hello"}$
- If $c_1 = c_2$, output 0; else 1
Advantage = 1
### CPA model (Chosen Plaintext Attack)
Attacker:
- Sees many PT/CT pairs under same key
- Can submit arbitrary PTs
Definition:
$$
\text{Adv}_{CPA}[A,E] =
\left|
\Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
\right|
$$
Must be negligible.
ECB fails CPA security.
### Moral
If same secret key is used multiple times, given same PT twice, encryption must produce different CT outputs.
## Secure block modes
### Idea
Augment key with:
- Per-block nonce
- Or chaining data from prior blocks
### CBC (Cipher Block Chaining)
$$
c_1 = E(k, m_1 \oplus IV)
$$
$$
c_i = E(k, m_i \oplus c_{i-1})
$$
IV must be random/unpredictable.
### CFB (Cipher Feedback)
Uses previous ciphertext as input feedback into block cipher.
### OFB (Output Feedback)
$$
s_i = E(k, s_{i-1})
$$
$$
c_i = m_i \oplus s_i
$$
Can pre-compute keystream.
Acts like stream cipher.
### CTR (Counter Mode)
$$
c_i = m_i \oplus E(k, \text{nonce} \| \text{counter}_i)
$$
Encryption and decryption parallelizable.
Nonce must be unique.
### GCM (Galois Counter Mode)
- Most popular ("AES-GCM")
- Provides authenticated encryption
- Confidentiality + integrity
## Nonce-based semantic security
Encryption:
$$
c = E(k, m, n)
$$
Adversarial experiment:
- Challenger picks $k$
- Adversary submits $(m_{i,0}, m_{i,1})$ and nonce $n_i$
- Receives $c_i = E(k, m_{i,b}, n_i)$
- Nonces must be distinct
Definition:
$$
\text{Adv}_{nCPA}[A,E] =
\left|
\Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
\right|
$$
In practice:
- CBC: IV must be random
- CTR/GCM: nonce must be unique but not necessarily random
## Symmetric Encryption Summary
### Stream Ciphers
- Rely on secure PRG
- No key re-use
- Fast
- Low memory
- Less robust
- No built-in integrity
### Block Ciphers
- Rely on secure PRP
- Allow key re-use across blocks (secure mode required)
- Provide authenticated encryption in some modes (e.g. GCM)
- Slower
- Higher memory
- More robust
- Used in most practical secure systems (e.g. TLS)

1
content/CSE4303/CSE4303_L9.md Normal file
View File

@@ -0,0 +1 @@
# CSE4303 Introduction to Computer Security (Lecture 9)

2
content/CSE4303/_meta.js
View File

@@ -10,4 +10,6 @@ export default {
CSE4303_L5: "Introduction to Computer Security (Lecture 5)",
CSE4303_L6: "Introduction to Computer Security (Lecture 6)",
CSE4303_L7: "Introduction to Computer Security (Lecture 7)",
CSE4303_L8: "Introduction to Computer Security (Lecture 8)",
CSE4303_L9: "Introduction to Computer Security (Lecture 9)",
}