updates

content/CSE4303/CSE4303_E1.md

@@ -84,7 +84,7 @@ Importance of correct modeling
 - Reevaluate often
   - Threat capabilities change over time
 
-## TCP/IP network stack
+### TCP/IP network stack
 
 Local and interdomain routing
 
@@ -95,7 +95,7 @@ Domain Name System
 
 - Find IP address from symbolic name (cse.wustl.edu)
 
-### Layer Summary
+#### Layer Summary
 
 Application: the actual sending message
 Transport (TCP, UDP): segment
@@ -190,9 +190,9 @@ Integrity:
   - c) collection of plaintext/ciphertext pairs for plaintexts selected by the attacker (chosen plaintext attack: CPA)
   - d) collection of plaintext/ciphertext pairs for ciphertexts selected by the attacker (chosen ciphertext attack: CCA/CCA2)
 
-## Symmetric key cryptography
+### Symmetric key cryptography
 
-### Classical cryptography
+#### Classical cryptography
 
 Techniques: substitution and transposition
 
@@ -372,6 +372,133 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
 3. Trusted timestamping / blockchains
 4. Integrity check on software
 
+#### File integrity with secure read-only space
+
+- When user downloads package, can verify that contents are valid
+- $H$ collision resistant $\Rightarrow$ attacker cannot modify package without detection
+- No encryption needed (public verifiability) if publisher has secure read-only space (e.g. trusted website, social media account)
+
+#### Symmetric-crypto message authentication
+
+- Context: Assume no secure RO space (insecure channel only)
+  - Need means of message authentication
+- Idea: add tag to message
+- System: Message Authentication Code (MAC)
+- Def: a MAC $I=(S,V)$ defined over $(K,M,T)$ is a pair of algorithms:
+  - $S(k,m)$ outputs $t \in T$  // "Sign"
+  - $V(k,m,t)$ outputs `yes' or `no'  // "Verify"
+
+- Symmetric-crypto message authentication:
+  - Alice and Bob share secret key $k$
+  - Generate tag: $\text{tag} \leftarrow S(k,m)$
+  - Verify tag: $V(k,m,\text{tag}) = \texttt{yes}?$
+
+#### MAC security model
+
+- For a MAC $I=(S,V)$ and adversary $A$, define a MAC game as:
+- Def: $I=(S,V)$ is a secure MAC if for all "efficient" $A$,
+  - $\operatorname{Adv}^{\operatorname{MAC}}[A,I] = \Pr[\text{Chal. outputs }1]$
+  - is negligible
+
+- MAC game (sketch):
+  - Challenger samples $k \leftarrow K$
+  - Adversary makes queries $m_1,\ldots,m_q \in M$
+    - For each $i$, challenger returns $t_i \leftarrow S(k,m_i)$
+  - Adversary outputs a candidate forgery $(m,t)$
+  - Challenger outputs $b=1$ if:
+    - $V(k,m,t)=\texttt{yes}$ and
+    - $(m,t) \notin \{(m_1,t_1),\ldots,(m_q,t_q)\}$
+  - Otherwise challenger outputs $b=0$
+
+- MAC security example: secure PRF not sufficient
+  - Suppose $F: K \times X \to Y$ is a secure PRF with $Y=\{0,1\}^{10}$.
+  - Is the derived MAC $I_F$ a secure MAC system?
+    - No: tags are too short, anyone can guess the tag for any message
+
+#### MACs from PRFs: sufficient security condition
+
+- Thm: If $F: K \times X \to Y$ is a secure PRF and $1/|Y|$ is negligible (i.e. $|Y|$ is large), then $I_F$ is a secure MAC.
+- In particular, for every efficient MAC adversary $A$ attacking $I_F$, there exists an efficient PRF adversary $B$ attacking $F$ such that:
+  - $\operatorname{Adv}^{\operatorname{MAC}}[A, I_F] \le \operatorname{Adv}^{\operatorname{PRF}}[B, F] + 1/|Y|$
+- Therefore $I_F$ is secure as long as $|Y|$ is large, e.g. $|Y| = 2^{80}$.
+
+#### MACs from collision resistance
+
+- Let $I=(S,V)$ be a MAC for short messages over $(K,M,T)$ (e.g. AES).
+- Let $H: M_{\text{big}} \to M$.
+- Def: $I_{\text{big}}=(S_{\text{big}},V_{\text{big}})$ over $(K,M_{\text{big}},T)$ as:
+  - $S_{\text{big}}(k,m) = S(k, H(m))$
+  - $V_{\text{big}}(k,m,t) = V(k, H(m), t)$
+- Thm: If $I$ is a secure MAC and $H$ is collision resistant, then $I_{\text{big}}$ is a secure MAC.
+- Example: $S(k,m) = \operatorname{AES2\text{-}block\text{-}cbc}(k, \operatorname{SHA\text{-}256}(m))$ is a secure MAC.
+
+#### Using HMACs for confidentiality + integrity
+
+- Confidentiality:
+  - Semantic security under a CPA
+  - Encryption secure against eavesdropping only
+- Integrity:
+  - Existential unforgeability under a CPA
+  - CBC-MAC, HMAC
+  - Hash functions
+- Confidentiality + integrity:
+  - CCA security
+  - Secure against tampering
+  - Method: Authenticated Encryption (AE)
+  - Encryption + MAC, in correct form
+
+#### Authenticated Encryption: security defs
+
+- An authenticated encryption system $(E,D)$ is a cipher where:
+  - $E: K \times M \times N \to C$
+  - $D: K \times C \times N \to M \cup$ cipher text rejected
+- Security: the system must provide
+  - semantic security under a CPA attack, and
+  - ciphertext integrity: attacker cannot create new ciphertexts that decrypt properly
+
+#### Ciphertext integrity
+
+- Let $(E,D)$ be a cipher with message space $M$.
+- Def: $(E,D)$ has ciphertext integrity if for all "efficient" $A$,
+  - $\operatorname{Adv}^{\operatorname{CI}}[A,E] = \Pr[\text{Chal. outputs }1]$
+  - is negligible
+
+- Security model: ciphertext integrity (sketch):
+  - Challenger samples $k \leftarrow K$
+  - Adversary makes encryption queries $m_1,\ldots,m_q \in M$
+    - For each $i$, challenger returns $c_i \leftarrow E(k,m_i)$
+  - Adversary outputs a ciphertext $c$
+  - Challenger outputs $b=1$ if:
+    - $D(k,c) \ne \bot$ and
+    - $c \notin \{c_1,\ldots,c_q\}$
+  - Otherwise challenger outputs $b=0$
+
+#### Authenticated encryption implies CCA security
+
+- Thm: Let $(E,D)$ be a cipher that provides AE. Then $(E,D)$ is CCA secure.
+- In particular, for any $q$-query efficient adversary $A$, there exist efficient $B_1,B_2$ such that:
+  - $\operatorname{Adv}^{\operatorname{CCA}}[A,E] \le 2q \cdot \operatorname{Adv}^{\operatorname{CI}}[B_1,E] + \operatorname{Adv}^{\operatorname{CPA}}[B_2,E]$
+- Interpretation: CCA advantage is $\le O(\text{CT-integrity advantage}) + \text{CPA advantage}$.
+
+- AE implication: authenticity
+  - Attacker cannot fool Bob into thinking a message was sent from Alice
+  - If attacker cannot create a valid ciphertext $c \notin \{c_1,\ldots,c_q\}$, then whenever $D(k,c) \ne \bot$ Bob knows the message is from someone who knows $k$ (but it could be a replay)
+
+- DS construction example: signing a certificate
+
+### Comparison: integrity/authentication approaches
+
+- 1) Collision resistant hashing: need a read-only public space
+  - Allows public verification if the hash is published in a small read-only public space
+- 2) MACs: must compute a new MAC for every client/user
+  - Must manage a long-term secret key per user to verify MACs (depending on application)
+  - Typically useful when one party signs, one verifies
+- 3) Digital signatures: must manage a long-term secret key
+  - E.g. vendor's signature on software is shipped with software
+  - Allows software to be downloaded from an untrusted distribution site
+  - Public-key verification/rejection works, provided public key distribution is trustworthy
+  - Typically useful when one party signs, many verify
+
 ## Asymmetric key cryptography
 
 ### Asymmetric crypto overview
@@ -430,7 +557,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - is negligible
 - Note: inherently multiple-round because the attacker can always encrypt on their own using $pk$ (CPA power is "built in").
 
-## RSA cryptosystem: overview
+### RSA cryptosystem: overview
 
 - Setup:
   - $n = pq$, with $p$ and $q$ primes
@@ -469,7 +596,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - Notes (as commonly stated in lectures):
     - 1024-bit RSA is within reach; 2048-bit is recommended usage
 
-## Diffie-Hellman key exchange (informal)
+### Diffie-Hellman key exchange (informal)
 
 - Fix a large prime $p$ (e.g., 2000 bits)
 - Fix an integer $g \in \{1,\ldots,p\}$
@@ -485,14 +612,14 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - Discrete log problem: given $p, g, y = g^x \bmod p$, find $x$
   - Diffie-Hellman function: $\operatorname{DH}_g(g^a, g^b) = g^{ab} \bmod p$
 
-## Diffie-Hellman: security notes
+#### Diffie-Hellman: security notes
 
 - As described, the protocol is insecure against active attacks:
   - A man-in-the-middle (MiTM) can insert themselves and create 2 separate secure sessions
 - Fix idea: need a way to bind identity to a public key
   - In practice: web of trust (e.g., GPG) or Public Key Infrastructure (PKI)
 
-## Implementing trapdoor functions securely
+### Implementing trapdoor functions securely
 
 - Never encrypt by applying $F$ directly to plaintext:
   - Deterministic: cannot be semantically secure
@@ -503,7 +630,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - $E(pk, m)$: output $c \leftarrow F(pk, m)$
   - $D(sk, c)$: output $F^{-1}(sk, c)$
 
-## Public-key encryption from TDFs
+### Public-key encryption from TDFs
 
 - Components:
   - $(G, F, F^{-1})$: secure TDF $X \to Y$
@@ -528,7 +655,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - If $(G, F, F^{-1})$ is a secure TDF, $(E_s, D_s)$ provides authenticated encryption, and $H$ is modeled as a random oracle, then $(G, E, D)$ is CCA-secure in the random oracle model (often denoted CCA-RO).
   - Extension exists to reach full CCA (outside the RO idealization).
 
-## Wrapup: symmetric vs. asymmetric systems
+### Wrapup: symmetric vs. asymmetric systems
 
 - Symmetric: faster, but key distribution is hard
 - Asymmetric: slower, but key distribution/management is easier
@@ -537,7 +664,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - Exchange symmetric keys using an asymmetric scheme
   - Authenticate public keys (PKI or web of trust)
 
-## Key exchange: summary
+### Key exchange: summary
 
 - Symmetric-key encryption challenges:
   - Key storage: one per user pair, $O(n^2)$ total for $n$ users

content/Math4202/Exam_reviews/Math4202_E1.md

@@ -78,6 +78,27 @@ An $m$-dimensional **manifold** is a topological space  $X$ that is
 2. Second countable: With a countable basis
 3. Local euclidean: Each point of $x$ of $X$ has a neighborhood that is homeomorphic to an open subset of $\mathbb{R}^m$.
 
+<details>
+<summary>Example of space that is not a manifold but satisfies part of the definition</summary>
+
+Non-hausdorff:
+
+Consider the set with two origin $\mathbb{R}\setminus\{0\}$. with $\{p,q\}$, and the topology defined over all the open intervals that don't contain the origin, with set of the form $(-a,0)\cup \{p\}\cup (0,a)$ for $a\in \mathbb{R}$ and $(-a,0)\cup \{q\}\cup (0,a)$.
+
+---
+
+Non-second-countable:
+
+Consider the long line $\mathbb{R}\times [0,1)$
+
+---
+
+Non-local-euclidean:
+
+Any 1-dimensional CW complex (graph) that has a vertex with 3 or more edges connected to it will be Hausdorff and second-countable, but not locally Euclidean at those vertices.
+
+</details>
+
 #### Whitney's Embedding Theorem
 
 If $X$ is a compact $m$-manifold, then $X$ can be imbedded in $\mathbb{R}^N$ for some positive integer $N$.
@@ -97,6 +118,12 @@ Let $\{U_i\}_{i=1}^n$ be a finite open cover of a normal space $X$ (Every pair o
 
 Then there exists a partition of unity dominated by $\{U_i\}_{i=1}^n$.
 
+#### Definition of paracompact space
+
+Locally finite: $\forall x\in X$, $\exists$ open $x\in U$ such that $U$ only intersects finitely many open sets in $\mathcal{B}$.
+
+A space $X$ is paracompact if every open cover $A$ of $X$ has a **locally finite** refinement $\mathcal{B}$ of $A$ that covers $X$.
+
 ### Homotopy
 
 #### Definition of homotopy equivalent spaces
@@ -128,7 +155,6 @@ Two pathes $f$ and $f'$ are path homotopic if
 
 The $\simeq$, $\simeq_p$ are both equivalence relations.
 
-
 #### Definition for product of paths
 
 Given $f$ a path in $X$ from $x_0$ to $x_1$ and $g$ a path in $X$ from $x_1$ to $x_2$.