From 69174f2157e86e1feab1e169d7ddd8227bd04dbe Mon Sep 17 00:00:00 2001 From: Trance-0 <60459821+Trance-0@users.noreply.github.com> Date: Tue, 3 Mar 2026 15:52:01 -0600 Subject: [PATCH] updates --- content/CSE4303/CSE4303_E1.md | 149 +++++++++++++++++-- content/Math4202/Exam_reviews/Math4202_E1.md | 28 +++- 2 files changed, 165 insertions(+), 12 deletions(-) diff --git a/content/CSE4303/CSE4303_E1.md b/content/CSE4303/CSE4303_E1.md index 52e2829..59c980f 100644 --- a/content/CSE4303/CSE4303_E1.md +++ b/content/CSE4303/CSE4303_E1.md @@ -84,7 +84,7 @@ Importance of correct modeling - Reevaluate often - Threat capabilities change over time -## TCP/IP network stack +### TCP/IP network stack Local and interdomain routing @@ -95,7 +95,7 @@ Domain Name System - Find IP address from symbolic name (cse.wustl.edu) -### Layer Summary +#### Layer Summary Application: the actual sending message Transport (TCP, UDP): segment @@ -190,9 +190,9 @@ Integrity: - c) collection of plaintext/ciphertext pairs for plaintexts selected by the attacker (chosen plaintext attack: CPA) - d) collection of plaintext/ciphertext pairs for ciphertexts selected by the attacker (chosen ciphertext attack: CCA/CCA2) -## Symmetric key cryptography +### Symmetric key cryptography -### Classical cryptography +#### Classical cryptography Techniques: substitution and transposition 
@@ -372,6 +372,133 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint 3. Trusted timestamping / blockchains 4. Integrity check on software +#### File integrity with secure read-only space + +- When user downloads package, can verify that contents are valid +- $H$ collision resistant $\Rightarrow$ attacker cannot modify package without detection +- No encryption needed (public verifiability) if publisher has secure read-only space (e.g. trusted website, social media account) + +#### Symmetric-crypto message authentication + +- Context: Assume no secure RO space (insecure channel only) + - Need means of message authentication +- Idea: add tag to message +- System: Message Authentication Code (MAC) +- Def: a MAC $I=(S,V)$ defined over $(K,M,T)$ is a pair of algorithms: + - $S(k,m)$ outputs $t \in T$ // "Sign" + - $V(k,m,t)$ outputs `yes' or `no' // "Verify" + +- Symmetric-crypto message authentication: + - Alice and Bob share secret key $k$ + - Generate tag: $\text{tag} \leftarrow S(k,m)$ + - Verify tag: $V(k,m,\text{tag}) = \texttt{yes}?$ + +#### MAC security model + +- For a MAC $I=(S,V)$ and adversary $A$, define a MAC game as: +- Def: $I=(S,V)$ is a secure MAC if for all "efficient" $A$, + - $\operatorname{Adv}^{\operatorname{MAC}}[A,I] = \Pr[\text{Chal. outputs }1]$ + - is negligible + +- MAC game (sketch): + - Challenger samples $k \leftarrow K$ + - Adversary makes queries $m_1,\ldots,m_q \in M$ + - For each $i$, challenger returns $t_i \leftarrow S(k,m_i)$ + - Adversary outputs a candidate forgery $(m,t)$ + - Challenger outputs $b=1$ if: + - $V(k,m,t)=\texttt{yes}$ and + - $(m,t) \notin \{(m_1,t_1),\ldots,(m_q,t_q)\}$ + - Otherwise challenger outputs $b=0$ + +- MAC security example: secure PRF not sufficient + - Suppose $F: K \times X \to Y$ is a secure PRF with $Y=\{0,1\}^{10}$. + - Is the derived MAC $I_F$ a secure MAC system? 
+ - No: tags are too short, anyone can guess the tag for any message + +#### MACs from PRFs: sufficient security condition + +- Thm: If $F: K \times X \to Y$ is a secure PRF and $1/|Y|$ is negligible (i.e. $|Y|$ is large), then $I_F$ is a secure MAC. +- In particular, for every efficient MAC adversary $A$ attacking $I_F$, there exists an efficient PRF adversary $B$ attacking $F$ such that: + - $\operatorname{Adv}^{\operatorname{MAC}}[A, I_F] \le \operatorname{Adv}^{\operatorname{PRF}}[B, F] + 1/|Y|$ +- Therefore $I_F$ is secure as long as $|Y|$ is large, e.g. $|Y| = 2^{80}$. + +#### MACs from collision resistance + +- Let $I=(S,V)$ be a MAC for short messages over $(K,M,T)$ (e.g. AES). +- Let $H: M_{\text{big}} \to M$. +- Def: $I_{\text{big}}=(S_{\text{big}},V_{\text{big}})$ over $(K,M_{\text{big}},T)$ as: + - $S_{\text{big}}(k,m) = S(k, H(m))$ + - $V_{\text{big}}(k,m,t) = V(k, H(m), t)$ +- Thm: If $I$ is a secure MAC and $H$ is collision resistant, then $I_{\text{big}}$ is a secure MAC. +- Example: $S(k,m) = \operatorname{AES2\text{-}block\text{-}cbc}(k, \operatorname{SHA\text{-}256}(m))$ is a secure MAC. + +#### Using HMACs for confidentiality + integrity + +- Confidentiality: + - Semantic security under a CPA + - Encryption secure against eavesdropping only +- Integrity: + - Existential unforgeability under a CPA + - CBC-MAC, HMAC + - Hash functions +- Confidentiality + integrity: + - CCA security + - Secure against tampering + - Method: Authenticated Encryption (AE) + - Encryption + MAC, in correct form + +#### Authenticated Encryption: security defs + +- An authenticated encryption system $(E,D)$ is a cipher where: + - $E: K \times M \times N \to C$ + - $D: K \times C \times N \to M \cup$ cipher text rejected +- Security: the system must provide + - semantic security under a CPA attack, and + - ciphertext integrity: attacker cannot create new ciphertexts that decrypt properly + +#### Ciphertext integrity + +- Let $(E,D)$ be a cipher with message space $M$. 
+- Def: $(E,D)$ has ciphertext integrity if for all "efficient" $A$, + - $\operatorname{Adv}^{\operatorname{CI}}[A,E] = \Pr[\text{Chal. outputs }1]$ + - is negligible + +- Security model: ciphertext integrity (sketch): + - Challenger samples $k \leftarrow K$ + - Adversary makes encryption queries $m_1,\ldots,m_q \in M$ + - For each $i$, challenger returns $c_i \leftarrow E(k,m_i)$ + - Adversary outputs a ciphertext $c$ + - Challenger outputs $b=1$ if: + - $D(k,c) \ne \bot$ and + - $c \notin \{c_1,\ldots,c_q\}$ + - Otherwise challenger outputs $b=0$ + +#### Authenticated encryption implies CCA security + +- Thm: Let $(E,D)$ be a cipher that provides AE. Then $(E,D)$ is CCA secure. +- In particular, for any $q$-query efficient adversary $A$, there exist efficient $B_1,B_2$ such that: + - $\operatorname{Adv}^{\operatorname{CCA}}[A,E] \le 2q \cdot \operatorname{Adv}^{\operatorname{CI}}[B_1,E] + \operatorname{Adv}^{\operatorname{CPA}}[B_2,E]$ +- Interpretation: CCA advantage is $\le O(\text{CT-integrity advantage}) + \text{CPA advantage}$. + +- AE implication: authenticity + - Attacker cannot fool Bob into thinking a message was sent from Alice + - If attacker cannot create a valid ciphertext $c \notin \{c_1,\ldots,c_q\}$, then whenever $D(k,c) \ne \bot$ Bob knows the message is from someone who knows $k$ (but it could be a replay) + +- DS construction example: signing a certificate + +### Comparison: integrity/authentication approaches + +- 1) Collision resistant hashing: need a read-only public space + - Allows public verification if the hash is published in a small read-only public space +- 2) MACs: must compute a new MAC for every client/user + - Must manage a long-term secret key per user to verify MACs (depending on application) + - Typically useful when one party signs, one verifies +- 3) Digital signatures: must manage a long-term secret key + - E.g. 
vendor's signature on software is shipped with software + - Allows software to be downloaded from an untrusted distribution site + - Public-key verification/rejection works, provided public key distribution is trustworthy + - Typically useful when one party signs, many verify + ## Asymmetric key cryptography ### Asymmetric crypto overview @@ -430,7 +557,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint - is negligible - Note: inherently multiple-round because the attacker can always encrypt on their own using $pk$ (CPA power is "built in"). -## RSA cryptosystem: overview +### RSA cryptosystem: overview - Setup: - $n = pq$, with $p$ and $q$ primes @@ -469,7 +596,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint - Notes (as commonly stated in lectures): - 1024-bit RSA is within reach; 2048-bit is recommended usage -## Diffie-Hellman key exchange (informal) +### Diffie-Hellman key exchange (informal) - Fix a large prime $p$ (e.g., 2000 bits) - Fix an integer $g \in \{1,\ldots,p\}$ @@ -485,14 +612,14 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint - Discrete log problem: given $p, g, y = g^x \bmod p$, find $x$ - Diffie-Hellman function: $\operatorname{DH}_g(g^a, g^b) = g^{ab} \bmod p$ -## Diffie-Hellman: security notes +#### Diffie-Hellman: security notes - As described, the protocol is insecure against active attacks: - A man-in-the-middle (MiTM) can insert themselves and create 2 separate secure sessions - Fix idea: need a way to bind identity to a public key - In practice: web of trust (e.g., GPG) or Public Key Infrastructure (PKI) -## Implementing trapdoor functions securely +### Implementing trapdoor functions securely - Never encrypt by applying $F$ directly to plaintext: - Deterministic: cannot be semantically secure 
@@ -503,7 +630,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint - $E(pk, m)$: output $c \leftarrow F(pk, m)$ - $D(sk, c)$: output $F^{-1}(sk, c)$ -## Public-key encryption from TDFs +### Public-key encryption from TDFs - Components: - $(G, F, F^{-1})$: secure TDF $X \to Y$ @@ -528,7 +655,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint - If $(G, F, F^{-1})$ is a secure TDF, $(E_s, D_s)$ provides authenticated encryption, and $H$ is modeled as a random oracle, then $(G, E, D)$ is CCA-secure in the random oracle model (often denoted CCA-RO). - Extension exists to reach full CCA (outside the RO idealization). -## Wrapup: symmetric vs. asymmetric systems +### Wrapup: symmetric vs. asymmetric systems - Symmetric: faster, but key distribution is hard - Asymmetric: slower, but key distribution/management is easier @@ -537,7 +664,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint - Exchange symmetric keys using an asymmetric scheme - Authenticate public keys (PKI or web of trust) -## Key exchange: summary +### Key exchange: summary - Symmetric-key encryption challenges: - Key storage: one per user pair, $O(n^2)$ total for $n$ users diff --git a/content/Math4202/Exam_reviews/Math4202_E1.md b/content/Math4202/Exam_reviews/Math4202_E1.md index 4f2801c..f5bfd97 100644 --- a/content/Math4202/Exam_reviews/Math4202_E1.md +++ b/content/Math4202/Exam_reviews/Math4202_E1.md @@ -78,6 +78,27 @@ An $m$-dimensional **manifold** is a topological space $X$ that is 2. Second countable: With a countable basis 3. Local euclidean: Each point of $x$ of $X$ has a neighborhood that is homeomorphic to an open subset of $\mathbb{R}^m$. +
+Example of space that is not a manifold but satisfies part of the definition + +Non-hausdorff: + +Consider the set with two origin $\mathbb{R}\setminus\{0\}$. with $\{p,q\}$, and the topology defined over all the open intervals that don't contain the origin, with set of the form $(-a,0)\cup \{p\}\cup (0,a)$ for $a\in \mathbb{R}$ and $(-a,0)\cup \{q\}\cup (0,a)$. + +--- + +Non-second-countable: + +Consider the long line $\mathbb{R}\times [0,1)$ + +--- + +Non-local-euclidean: + +Any 1-dimensional CW complex (graph) that has a vertex with 3 or more edges connected to it will be Hausdorff and second-countable, but not locally Euclidean at those vertices. + +
+ #### Whitney's Embedding Theorem If $X$ is a compact $m$-manifold, then $X$ can be imbedded in $\mathbb{R}^N$ for some positive integer $N$. @@ -97,6 +118,12 @@ Let $\{U_i\}_{i=1}^n$ be a finite open cover of a normal space $X$ (Every pair o Then there exists a partition of unity dominated by $\{U_i\}_{i=1}^n$. +#### Definition of paracompact space + +Locally finite: $\forall x\in X$, $\exists$ open $x\in U$ such that $U$ only intersects finitely many open sets in $\mathcal{B}$. + +A space $X$ is paracompact if every open cover $A$ of $X$ has a **locally finite** refinement $\mathcal{B}$ of $A$ that covers $X$. + ### Homotopy #### Definition of homotopy equivalent spaces @@ -128,7 +155,6 @@ Two pathes $f$ and $f'$ are path homotopic if The $\simeq$, $\simeq_p$ are both equivalence relations. - #### Definition for product of paths Given $f$ a path in $X$ from $x_0$ to $x_1$ and $g$ a path in $X$ from $x_1$ to $x_2$.
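Review bot: the one-level heading demotions in CSE4303_E1.md (`## TCP/IP network stack` to `###` in the first hunk, and likewise for Layer Summary, Symmetric key cryptography, RSA, Diffie-Hellman, trapdoor functions, TDF encryption, wrapup and key exchange in the later hunks) leave `### TCP/IP network stack`, `### Symmetric key cryptography` and the new `### Comparison: integrity/authentication approaches` with no `##` parent visible in the shown context, while `## Asymmetric key cryptography` stays at `##`. Please confirm the intended outline (e.g. a `## Symmetric key cryptography`-level parent above the MAC material) so the demoted sections are not orphaned in the rendered table of contents.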
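Review bot: in the MAC/AE hunk (`@@ -372,6 +372,133 @@`) the decryption signature `$D: K \times C \times N \to M \cup$ cipher text rejected` should be written `$D: K \times C \times N \to M \cup \{\bot\}$`, since the ciphertext-integrity game below tests `$D(k,c) \ne \bot$`; the game also drops the nonce `$N$` that `$E$` and `$D$` take. Three further fixes in the same hunk: "Existential unforgeability under a CPA" under Integrity should read "under a chosen message attack" (the MAC game defined above is a chosen-message game, not a chosen-plaintext one); the LaTeX-style quotes in "$V(k,m,t)$ outputs `yes' or `no'" form a markdown inline-code span, so use `$\texttt{yes}$` / `$\texttt{no}$` as the "Verify tag" line already does; and "(e.g. AES)" after "a MAC for short messages" names a block cipher rather than a MAC, so "(e.g. CBC-MAC with AES)" matches the `AES2-block-cbc` example below. The stray bullet "DS construction example: signing a certificate" under "AE implication: authenticity" belongs with the digital-signature material, and the heading "Using HMACs for confidentiality + integrity" describes authenticated encryption rather than HMAC.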
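Review bot: the non-second-countable example in the Math4202 hunk (`@@ -78,6 +78,27 @@`) is incorrect as written: `$\mathbb{R}\times [0,1)$` with the product topology is a subspace of `$\mathbb{R}^2$` and hence second countable. The long line is `$\omega_1 \times [0,1)$` with the order topology from the lexicographic order, where `$\omega_1$` is the first uncountable ordinal. The line-with-two-origins sentence is also garbled: "Consider the set with two origin $\mathbb{R}\setminus\{0\}$. with $\{p,q\}$" should read "Consider the set $(\mathbb{R}\setminus\{0\})\cup\{p,q\}$ with the topology generated by the open intervals not containing $0$ together with the sets $(-a,0)\cup\{p\}\cup(0,a)$ and $(-a,0)\cup\{q\}\cup(0,a)$ for $a>0$" (the current "$a\in \mathbb{R}$" admits $a\le 0$, for which those sets are not what is intended).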
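Review bot: in the paracompactness hunk (`@@ -97,6 +118,12 @@`) the locally-finite bullet uses `$\mathcal{B}$` before it is introduced, and the cover is written `$A$` while the refinement is `$\mathcal{B}$`. Suggest stating "A collection $\mathcal{B}$ of subsets of $X$ is locally finite if every $x\in X$ has an open neighborhood $U\ni x$ meeting only finitely many members of $\mathcal{B}$" first, then "A space $X$ is paracompact if every open cover $\mathcal{A}$ of $X$ has a locally finite **open** refinement $\mathcal{B}$"; the refinement must consist of open sets for the standard definition, and "that covers $X$" is already part of what a refinement of a cover means.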