Update CSE4303_E1.md
This commit is contained in:
Trance-0
@@ -374,12 +374,13 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
|
||||
|
||||
## Asymmetric key cryptography
|
||||
|
||||
## Asymmetric crypto overview
|
||||
### Asymmetric crypto overview
|
||||
|
||||
- Parties: sender, recipient, attacker (eavesdropping)
|
||||
- Goal: sender encrypts a plaintext to a ciphertext using a public key; recipient decrypts using a private key.
|
||||
|
||||
#### Public-key encryption system
|
||||
|
||||
- Def: a public-key encryption system is a triple of algorithms $(G, E, D)$:
|
||||
- $G()$: randomized algorithm that outputs a key pair $(pk, sk)$
|
||||
- $E(pk, m)$: randomized algorithm that takes $m \in M$ and outputs $c \in C$
|
||||
@@ -387,9 +388,8 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
|
||||
- Consistency: for all $(pk, sk)$ output by $G$, for all $m \in M$,
|
||||
- $D(sk, E(pk, m)) = m$
|
||||
|
||||
## Public-key building block: trapdoor function
|
||||
|
||||
#### Trapdoor function
|
||||
|
||||
- Def: a trapdoor function $X \to Y$ is a triple of efficient algorithms $(G, F, F^{-1})$:
|
||||
- $G()$: randomized algorithm that outputs a key pair $(pk, sk)$
|
||||
- $F(pk, \cdot)$: deterministic algorithm that defines a function $X \to Y$
|
||||
@@ -397,7 +397,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
|
||||
- More precisely: for all $(pk, sk)$ output by $G$, for all $x \in X$,
|
||||
- $F^{-1}(sk, F(pk, x)) = x$
|
||||
|
||||
## Symmetric vs. asymmetric security: attacker models
|
||||
#### Symmetric vs. asymmetric security: attacker models
|
||||
|
||||
- Symmetric ciphers: two security notions for a passive attacker
|
||||
- One-time security (stream ciphers: ciphertext-only)
|
||||
@@ -410,12 +410,13 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
|
||||
- Implication: public-key encryption must be randomized
|
||||
- Analogous to secure block modes for block ciphers
|
||||
|
||||
## Semantic security of asymmetric crypto (IND-CPA)
|
||||
### Semantic security of asymmetric crypto (IND-CPA)
|
||||
|
||||
#### IND-CPA game for public-key encryption
|
||||
- For $b \in \{0,1\}$ define experiments $\mathrm{EXP}(0)$ and $\mathrm{EXP}(1)$:
|
||||
|
||||
- Experiment $\mathrm{EXP}(b)$:
|
||||
- For $b \in \{0,1\}$ define experiments $\operatorname{EXP}(0)$ and $\operatorname{EXP}(1)$:
|
||||
|
||||
- Experiment $\operatorname{EXP}(b)$:
|
||||
- Challenger runs $(pk, sk) \leftarrow G()$
|
||||
- Challenger sends $pk$ to adversary $A$
|
||||
- Adversary outputs $m_0, m_1 \in M$ such that $|m_0| = |m_1|$
|
||||
@@ -423,8 +424,9 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
|
||||
- Adversary outputs a bit $b' \in \{0,1\}$ (often modeled as outputting 1 if it "guesses $b=1$")
|
||||
|
||||
#### Semantic security (IND-CPA)
|
||||
|
||||
- Def: $E = (G, E, D)$ is semantically secure (a.k.a. IND-CPA) if for all efficient adversaries $A$,
|
||||
- $\mathrm{Adv}^{\mathrm{SS}}[A, E] = \left|\Pr[\mathrm{EXP}(0)=1] - \Pr[\mathrm{EXP}(1)=1]\right|$
|
||||
- $\operatorname{Adv}^{\operatorname{SS}}[A, E] = \left|\Pr[\operatorname{EXP}(0)=1] - \Pr[\operatorname{EXP}(1)=1]\right|$
|
||||
- is negligible
|
||||
- Note: inherently multiple-round because the attacker can always encrypt on their own using $pk$ (CPA power is "built in").
|
||||
|
||||
@@ -481,7 +483,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
|
||||
|
||||
- Hardness assumptions:
|
||||
- Discrete log problem: given $p, g, y = g^x \bmod p$, find $x$
|
||||
- Diffie-Hellman function: $\mathrm{DH}_g(g^a, g^b) = g^{ab} \bmod p$
|
||||
- Diffie-Hellman function: $\operatorname{DH}_g(g^a, g^b) = g^{ab} \bmod p$
|
||||
|
||||
## Diffie-Hellman: security notes
|
||||
|
||||
@@ -568,29 +570,7 @@ A **Feistel network** splits a block into left/right halves and iterates rounds
|
||||
|
||||
Feistel-based here: **DES, 3DES, CAMELLIA, SEED, GOST 28147-89 (and thus GOST89MAC uses a Feistel block cipher internally).**
|
||||
|
||||
### A) Cipherlist *filters / set operations- (not crypto primitives)
|
||||
|
||||
These don’t implement encryption or authentication; they just include/exclude suites.
|
||||
|
||||
- **COMPLEMENTOFDEFAULT** — (selection) picks suites in `ALL` that are not enabled by default (notably RC4/anonymous, depending on build).
|
||||
- **ALL** — (selection) all suites except `eNULL`, in a default preference order (OpenSSL-defined ordering).
|
||||
- **COMPLEMENTOFALL** — (selection) suites excluded from `ALL` (currently `eNULL`).
|
||||
- **HIGH / MEDIUM / LOW** — (selection) groups suites by effective key strength class (OpenSSL policy buckets).
|
||||
- **TLSv1.2 / TLSv1.0 / SSLv3** — (selection) restricts to suites whose *minimum supported protocol version- is at least that value.
|
||||
- **SUITEB128 / SUITEB128ONLY / SUITEB192** — (selection) enforces "Suite B"-style constraints: only very specific ECDHE-ECDSA-AES-GCM suites and curves/hashes.
|
||||
- **CBC** — (mode selector) selects suites using **CBC mode** for symmetric encryption (confidentiality only unless paired with a MAC).
|
||||
|
||||
---
|
||||
|
||||
### B) "No encryption" / "no authentication" flags
|
||||
|
||||
- **eNULL, NULL** — **encryption/decryption: none**; **cipher method: N/A**; core idea: the record payload is not encrypted at all (plaintext).
|
||||
- **aNULL** — **authentication: none** (no peer authentication); **cipher method: N/A**; core idea: uses anonymous key agreement (no cert/signature), enabling MITM.
|
||||
- **ADH / AECDH** — **authentication: none**; **cipher method: N/A**; core idea: anonymous (EC)DH establishes a shared secret but without identity binding → MITM-friendly.
|
||||
|
||||
---
|
||||
|
||||
### C) Key exchange and authentication selectors (not symmetric encryption, not MAC)
|
||||
### Key exchange and authentication selectors (not symmetric encryption, not MAC)
|
||||
|
||||
These describe *how keys are negotiated- and/or *how the peer is authenticated*, not whether payload is a block/stream cipher.
|
||||
|
||||
@@ -610,12 +590,15 @@ These describe *how keys are negotiated- and/or *how the peer is authenticated*,
|
||||
|
||||
---
|
||||
|
||||
### D) Symmetric encryption / AEAD (this is where "block vs stream" applies)
|
||||
### Symmetric encryption / AEAD (this is where "block vs stream" applies)
|
||||
|
||||
#### AES family
|
||||
|
||||
- **AES128 / AES256 / AES** — **encryption/decryption**; **block cipher**; core algorithm: AES is an SPN (substitution–permutation network) of repeated SubBytes/ShiftRows/MixColumns/AddRoundKey rounds.
|
||||
- **AESGCM** — **both encryption + message authentication (AEAD)**; **both** (AES block cipher used in counter mode + auth); core algorithm: encrypt with AES-CTR and authenticate with GHASH over ciphertext/AAD to produce a tag.
|
||||
- **AES-GCM** — **both encryption + message authentication (AEAD)**; **both** (AES block cipher used in counter mode + auth); core algorithm: encrypt with AES-CTR and authenticate with GHASH over ciphertext/AAD to produce a tag.
|
||||
- **AES-ECB**: Functionality is encryption/decryption (confidentiality only) using a block cipher mode; core algorithm encrypts each 128-bit plaintext block independently under the same key, which deterministically leaks patterns because equal plaintext blocks map to equal ciphertext blocks.
|
||||
- **AES-CBC**: Functionality is encryption/decryption (confidentiality only) using a block cipher mode; core algorithm XORs each plaintext block with the previous ciphertext block (starting from a fresh unpredictable IV) before AES-encrypting, which hides repetitions but requires correct IV handling and padding for non-multiple-of-block messages.
|
||||
- **AES-OFB** — **encryption**; both (stream-like); repeatedly AES-encrypts an internal state to generate a keystream and XORs it with plaintext, where the state evolves independently of the plaintext/ciphertext.
|
||||
- **AESCCM / AESCCM8** — **both encryption + message authentication (AEAD)**; **both**; core algorithm: compute CBC-MAC then encrypt with CTR mode, with 16-byte vs 8-byte tag length variants.
|
||||
|
||||
#### ARIA family
|
||||
@@ -647,7 +630,7 @@ These describe *how keys are negotiated- and/or *how the peer is authenticated*,
|
||||
|
||||
---
|
||||
|
||||
### E) Hash / MAC / digest selectors (message authentication side)
|
||||
### Hash / MAC / digest selectors (message authentication side)
|
||||
|
||||
These are not "ciphers" but are used for integrity/authentication (often as HMAC, PRF, signatures).
|
||||
|
||||
@@ -656,3 +639,5 @@ These are not "ciphers" but are used for integrity/authentication (often as HMAC
|
||||
- **SHA256 / SHA384** — **message authentication component** (HMAC / TLS PRF / signatures); **N/A**; core algorithm: SHA-2 family Merkle–Damgård hashes with different word sizes/output lengths (256-bit vs 384-bit).
|
||||
- **GOST94** — **message authentication component** (HMAC based on GOST R 34.11-94); **N/A**; core algorithm: builds an HMAC tag by hashing inner/outer padded key with the message using the GOST hash.
|
||||
- **GOST89MAC** — **message authentication**; **block-cipher-based MAC (so "block" internally)**; core algorithm: computes a MAC using the GOST 28147-89 block cipher in a MAC mode (cipher-based chaining). *(Feistel internally via GOST 28147-89)*
|
||||
|
||||
> Latest version of cheatsheet distilled from this note.
|
||||
|
||||
Reference in New Issue
Block a user