Trance-0/NoteNextra-origin
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Update CSE4303_E1.md

Browse Source
This commit is contained in:
Trance-0
2026-03-03 13:58:25 -06:00
parent 70bdce97aa
commit 1221e03ac3
1 changed files with 20 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
content/CSE4303/CSE4303_E1.md
View File

@@ -374,12 +374,13 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
## Asymmetric key cryptography ## Asymmetric key cryptography
## Asymmetric crypto overview ### Asymmetric crypto overview
- Parties: sender, recipient, attacker (eavesdropping) - Parties: sender, recipient, attacker (eavesdropping)
- Goal: sender encrypts a plaintext to a ciphertext using a public key; recipient decrypts using a private key. - Goal: sender encrypts a plaintext to a ciphertext using a public key; recipient decrypts using a private key.
#### Public-key encryption system #### Public-key encryption system
- Def: a public-key encryption system is a triple of algorithms $(G, E, D)$: - Def: a public-key encryption system is a triple of algorithms $(G, E, D)$:
- $G()$: randomized algorithm that outputs a key pair $(pk, sk)$ - $G()$: randomized algorithm that outputs a key pair $(pk, sk)$
- $E(pk, m)$: randomized algorithm that takes $m \in M$ and outputs $c \in C$ - $E(pk, m)$: randomized algorithm that takes $m \in M$ and outputs $c \in C$
@@ -387,9 +388,8 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
- Consistency: for all $(pk, sk)$ output by $G$, for all $m \in M$, - Consistency: for all $(pk, sk)$ output by $G$, for all $m \in M$,
- $D(sk, E(pk, m)) = m$ - $D(sk, E(pk, m)) = m$
## Public-key building block: trapdoor function
#### Trapdoor function #### Trapdoor function
- Def: a trapdoor function $X \to Y$ is a triple of efficient algorithms $(G, F, F^{-1})$: - Def: a trapdoor function $X \to Y$ is a triple of efficient algorithms $(G, F, F^{-1})$:
- $G()$: randomized algorithm that outputs a key pair $(pk, sk)$ - $G()$: randomized algorithm that outputs a key pair $(pk, sk)$
- $F(pk, \cdot)$: deterministic algorithm that defines a function $X \to Y$ - $F(pk, \cdot)$: deterministic algorithm that defines a function $X \to Y$
@@ -397,7 +397,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
- More precisely: for all $(pk, sk)$ output by $G$, for all $x \in X$, - More precisely: for all $(pk, sk)$ output by $G$, for all $x \in X$,
- $F^{-1}(sk, F(pk, x)) = x$ - $F^{-1}(sk, F(pk, x)) = x$
## Symmetric vs. asymmetric security: attacker models #### Symmetric vs. asymmetric security: attacker models
- Symmetric ciphers: two security notions for a passive attacker - Symmetric ciphers: two security notions for a passive attacker
- One-time security (stream ciphers: ciphertext-only) - One-time security (stream ciphers: ciphertext-only)
@@ -410,12 +410,13 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
- Implication: public-key encryption must be randomized - Implication: public-key encryption must be randomized
- Analogous to secure block modes for block ciphers - Analogous to secure block modes for block ciphers
## Semantic security of asymmetric crypto (IND-CPA) ### Semantic security of asymmetric crypto (IND-CPA)
#### IND-CPA game for public-key encryption #### IND-CPA game for public-key encryption
- For $b \in \{0,1\}$ define experiments $\mathrm{EXP}(0)$ and $\mathrm{EXP}(1)$:
- Experiment $\mathrm{EXP}(b)$: - For $b \in \{0,1\}$ define experiments $\operatorname{EXP}(0)$ and $\operatorname{EXP}(1)$:
- Experiment $\operatorname{EXP}(b)$:
- Challenger runs $(pk, sk) \leftarrow G()$ - Challenger runs $(pk, sk) \leftarrow G()$
- Challenger sends $pk$ to adversary $A$ - Challenger sends $pk$ to adversary $A$
- Adversary outputs $m_0, m_1 \in M$ such that $|m_0| = |m_1|$ - Adversary outputs $m_0, m_1 \in M$ such that $|m_0| = |m_1|$
@@ -423,8 +424,9 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
- Adversary outputs a bit $b' \in \{0,1\}$ (often modeled as outputting 1 if it "guesses $b=1$") - Adversary outputs a bit $b' \in \{0,1\}$ (often modeled as outputting 1 if it "guesses $b=1$")
#### Semantic security (IND-CPA) #### Semantic security (IND-CPA)
- Def: $E = (G, E, D)$ is semantically secure (a.k.a. IND-CPA) if for all efficient adversaries $A$, - Def: $E = (G, E, D)$ is semantically secure (a.k.a. IND-CPA) if for all efficient adversaries $A$,
- $\mathrm{Adv}^{\mathrm{SS}}[A, E] = \left|\Pr[\mathrm{EXP}(0)=1] - \Pr[\mathrm{EXP}(1)=1]\right|$ - $\operatorname{Adv}^{\operatorname{SS}}[A, E] = \left|\Pr[\operatorname{EXP}(0)=1] - \Pr[\operatorname{EXP}(1)=1]\right|$
- is negligible - is negligible
- Note: inherently multiple-round because the attacker can always encrypt on their own using $pk$ (CPA power is "built in"). - Note: inherently multiple-round because the attacker can always encrypt on their own using $pk$ (CPA power is "built in").
@@ -481,7 +483,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
- Hardness assumptions: - Hardness assumptions:
- Discrete log problem: given $p, g, y = g^x \bmod p$, find $x$ - Discrete log problem: given $p, g, y = g^x \bmod p$, find $x$
- Diffie-Hellman function: $\mathrm{DH}_g(g^a, g^b) = g^{ab} \bmod p$ - Diffie-Hellman function: $\operatorname{DH}_g(g^a, g^b) = g^{ab} \bmod p$
## Diffie-Hellman: security notes ## Diffie-Hellman: security notes
@@ -568,29 +570,7 @@ A **Feistel network** splits a block into left/right halves and iterates rounds
Feistel-based here: **DES, 3DES, CAMELLIA, SEED, GOST 28147-89 (and thus GOST89MAC uses a Feistel block cipher internally).** Feistel-based here: **DES, 3DES, CAMELLIA, SEED, GOST 28147-89 (and thus GOST89MAC uses a Feistel block cipher internally).**
### A) Cipherlist *filters / set operations- (not crypto primitives) ### Key exchange and authentication selectors (not symmetric encryption, not MAC)
These dont implement encryption or authentication; they just include/exclude suites.
- **COMPLEMENTOFDEFAULT** — (selection) picks suites in `ALL` that are not enabled by default (notably RC4/anonymous, depending on build).
- **ALL** — (selection) all suites except `eNULL`, in a default preference order (OpenSSL-defined ordering).
- **COMPLEMENTOFALL** — (selection) suites excluded from `ALL` (currently `eNULL`).
- **HIGH / MEDIUM / LOW** — (selection) groups suites by effective key strength class (OpenSSL policy buckets).
- **TLSv1.2 / TLSv1.0 / SSLv3** — (selection) restricts to suites whose *minimum supported protocol version- is at least that value.
- **SUITEB128 / SUITEB128ONLY / SUITEB192** — (selection) enforces "Suite B"-style constraints: only very specific ECDHE-ECDSA-AES-GCM suites and curves/hashes.
- **CBC** — (mode selector) selects suites using **CBC mode** for symmetric encryption (confidentiality only unless paired with a MAC).
---
### B) "No encryption" / "no authentication" flags
- **eNULL, NULL** — **encryption/decryption: none**; **cipher method: N/A**; core idea: the record payload is not encrypted at all (plaintext).
- **aNULL** — **authentication: none** (no peer authentication); **cipher method: N/A**; core idea: uses anonymous key agreement (no cert/signature), enabling MITM.
- **ADH / AECDH** — **authentication: none**; **cipher method: N/A**; core idea: anonymous (EC)DH establishes a shared secret but without identity binding → MITM-friendly.
---
### C) Key exchange and authentication selectors (not symmetric encryption, not MAC)
These describe *how keys are negotiated- and/or *how the peer is authenticated*, not whether payload is a block/stream cipher. These describe *how keys are negotiated- and/or *how the peer is authenticated*, not whether payload is a block/stream cipher.
@@ -610,12 +590,15 @@ These describe *how keys are negotiated- and/or *how the peer is authenticated*,
--- ---
### D) Symmetric encryption / AEAD (this is where "block vs stream" applies) ### Symmetric encryption / AEAD (this is where "block vs stream" applies)
#### AES family #### AES family
- **AES128 / AES256 / AES** — **encryption/decryption**; **block cipher**; core algorithm: AES is an SPN (substitutionpermutation network) of repeated SubBytes/ShiftRows/MixColumns/AddRoundKey rounds. - **AES128 / AES256 / AES** — **encryption/decryption**; **block cipher**; core algorithm: AES is an SPN (substitutionpermutation network) of repeated SubBytes/ShiftRows/MixColumns/AddRoundKey rounds.
- **AESGCM** — **both encryption + message authentication (AEAD)**; **both** (AES block cipher used in counter mode + auth); core algorithm: encrypt with AES-CTR and authenticate with GHASH over ciphertext/AAD to produce a tag. - **AES-GCM** — **both encryption + message authentication (AEAD)**; **both** (AES block cipher used in counter mode + auth); core algorithm: encrypt with AES-CTR and authenticate with GHASH over ciphertext/AAD to produce a tag.
- **AES-ECB**: Functionality is encryption/decryption (confidentiality only) using a block cipher mode; core algorithm encrypts each 128-bit plaintext block independently under the same key, which deterministically leaks patterns because equal plaintext blocks map to equal ciphertext blocks.
- **AES-CBC**: Functionality is encryption/decryption (confidentiality only) using a block cipher mode; core algorithm XORs each plaintext block with the previous ciphertext block (starting from a fresh unpredictable IV) before AES-encrypting, which hides repetitions but requires correct IV handling and padding for non-multiple-of-block messages.
- **AES-OFB** — **encryption**; both (stream-like); repeatedly AES-encrypts an internal state to generate a keystream and XORs it with plaintext, where the state evolves independently of the plaintext/ciphertext.
- **AESCCM / AESCCM8** — **both encryption + message authentication (AEAD)**; **both**; core algorithm: compute CBC-MAC then encrypt with CTR mode, with 16-byte vs 8-byte tag length variants. - **AESCCM / AESCCM8** — **both encryption + message authentication (AEAD)**; **both**; core algorithm: compute CBC-MAC then encrypt with CTR mode, with 16-byte vs 8-byte tag length variants.
#### ARIA family #### ARIA family
@@ -647,7 +630,7 @@ These describe *how keys are negotiated- and/or *how the peer is authenticated*,
--- ---
### E) Hash / MAC / digest selectors (message authentication side) ### Hash / MAC / digest selectors (message authentication side)
These are not "ciphers" but are used for integrity/authentication (often as HMAC, PRF, signatures). These are not "ciphers" but are used for integrity/authentication (often as HMAC, PRF, signatures).
@@ -656,3 +639,5 @@ These are not "ciphers" but are used for integrity/authentication (often as HMAC
- **SHA256 / SHA384** — **message authentication component** (HMAC / TLS PRF / signatures); **N/A**; core algorithm: SHA-2 family MerkleDamgård hashes with different word sizes/output lengths (256-bit vs 384-bit). - **SHA256 / SHA384** — **message authentication component** (HMAC / TLS PRF / signatures); **N/A**; core algorithm: SHA-2 family MerkleDamgård hashes with different word sizes/output lengths (256-bit vs 384-bit).
- **GOST94** — **message authentication component** (HMAC based on GOST R 34.11-94); **N/A**; core algorithm: builds an HMAC tag by hashing inner/outer padded key with the message using the GOST hash. - **GOST94** — **message authentication component** (HMAC based on GOST R 34.11-94); **N/A**; core algorithm: builds an HMAC tag by hashing inner/outer padded key with the message using the GOST hash.
- **GOST89MAC** — **message authentication**; **block-cipher-based MAC (so "block" internally)**; core algorithm: computes a MAC using the GOST 28147-89 block cipher in a MAC mode (cipher-based chaining). *(Feistel internally via GOST 28147-89)* - **GOST89MAC** — **message authentication**; **block-cipher-based MAC (so "block" internally)**; core algorithm: computes a MAC using the GOST 28147-89 block cipher in a MAC mode (cipher-based chaining). *(Feistel internally via GOST 28147-89)*
> Latest version of cheatsheet distilled from this note.