updates
bzawisza committed Oct 16, 2017
1 parent 313fba4 commit a302f23
Showing 71 changed files with 69 additions and 69 deletions.
2 changes: 1 addition & 1 deletion notes.ctb_HTML/cs306--Notes--Attacks.html
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>Attacks</u></b></h1>eavesdropping<br /> - Posses collection of ciphertext -&gt; ciphertext only attack<br /> - Posses collection of plaintext/ciphertext pairs -&gt; known plaintext attack<br /> - Posses collection of plaintext/ciphertext pairs for plaintexts selected by the attack -&gt; chosen plaintext attack<br /> - Posses collection of plaintext/ciphertext pairs for plaintexts and ciphertexts selected by the attacker -&gt; chosen ciphertext attack<br /><br /> ◇ EAV-attack<br /> indistinguishability for a single message against an eavesdropper<br /><br />• An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker<br />Statistical Attack<br /><br />dictionary attacks<br />man in the middle attack<br />length-extension attack<br />brute force attack<br />birthday attack<br />replay attack<br /> reflection attac<br />• Reordering attack -&gt; verify the block index i<br />• Truncation attack <br />mix and match attack<br />etc...</div></div>
<div class="page"><h1><b><u>Attacks</u></b></h1>eavesdropping<br /> - Posses collection of ciphertext -&gt; ciphertext only attack<br /> - Posses collection of plaintext/ciphertext pairs -&gt; known plaintext attack<br /> - Posses collection of plaintext/ciphertext pairs for plaintexts selected by the attack -&gt; chosen plaintext attack<br /> - Posses collection of plaintext/ciphertext pairs for plaintexts and ciphertexts selected by the attacker -&gt; chosen ciphertext attack<br /><br />• An attacker may posses a collection of ciphertext:<br /> ◇ ciphertext only attack<br /> ◇ EAV-attack<br /> ▪indistinguishability for a single message against an eavesdropper<br />▪An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker<br /> ◇ Chosen plaintext attack<br /> ◇ CPA-attack<br /> ▪ indistinguishability for a single message against an eavesdropper<br /><br />• An attacker may posses a collection of plaintext/ciphertext pairs for plaintexts selected by the attacker<br />Statistical Attack<br /><br />dictionary attacks<br />man in the middle attack<br />length-extension attack<br />brute force attack<br />birthday attack<br />replay attack<br /> reflection attac<br />• Reordering attack -&gt; verify the block index i<br />• Truncation attack <br />mix and match attack<br />Alteration<br />Denial-of-service<br />Masquerading<br />Repudiation</div></div>
</body></html>
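Review bot: the new nested bullets under "CPA-attack" copy the EAV definition verbatim ("indistinguishability for a single message against an eavesdropper"), which is the wrong notion for CPA: CPA security is indistinguishability against an adversary that can obtain encryptions of plaintexts of its own choosing (oracle access), which is exactly what the preceding bullet "plaintexts selected by the attacker" describes, so that bullet should open the CPA item instead of being nested under the EAV item. While touching this page, fix "Posses" (Possess), "selected by the attack" (attacker) and "reflection attac" (attack).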
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>Authenticate-then-encrypt</u></b></h1><h3>Authenticate-then-encrypt</h3><br />• Mac<sub>km</sub>(m) -&gt; t; Enc<sub>ke</sub>(m||t) -&gt; c; send ciphertext c<br />• if Dec<sub>ke</sub>(c) = m || t ≠ fail and Vrfy<sub>km</sub>(m,t) accepts,<br /> ◇ output m<br /> ◇ else output fail<br />• insecure</div></div>
<div class="page"><h1><b><u>Authenticate-then-encrypt</u></b></h1><a name="h3-1"></a><h3>Authenticate-then-encrypt</h3><br />• Mac<sub>km</sub>(m) -&gt; t; Enc<sub>ke</sub>(m||t) -&gt; c; send ciphertext c<br />• if Dec<sub>ke</sub>(c) = m || t ≠ fail and Vrfy<sub>km</sub>(m,t) accepts,<br /> ◇ output m<br /> ◇ else output fail<br />• insecure</div></div>
</body></html>
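Review bot: "insecure" is asserted with no reason, and the condition `Dec<sub>ke</sub>(c) = m || t ≠ fail and Vrfy<sub>km</sub>(m,t) accepts` has two distinguishable failure points (decryption fails, or the MAC rejects); add one sentence that the MAC covers only m, so the ciphertext itself is never authenticated and the receiver must decrypt, and may reveal whether decryption failed, before the tag is checked. Minor: `<a name="h3-1">` is the obsolete HTML4 anchor form; an `id` on the `<h3>` serves the same purpose.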
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>Encrypt-and-authenticate</u></b></h1><h3>Encrypt-and-authenticate</h3><br />• Enc<sub>ke</sub>(m) -&gt; c; Mac<sub>km</sub>(m) -&gt; t; send ciphertext (c, t)<br />• if Dec<sub>ke</sub>(c) ≠ fail and Vrfy<sub>km</sub>(m,t) accepts<br /> ◇ output m<br /> ◇ else output fail<br />• Insecure<br /> ◇ MAC tag t may leak information about m<br /> ◇ if MAC is deterministic (CBC-MAC) then Π<sub>AE</sub> is not CPA-secure<br /></div></div>
<div class="page"><h1><b><u>Encrypt-and-authenticate</u></b></h1><a name="h3-1"></a><h3>Encrypt-and-authenticate</h3><br />• Enc<sub>ke</sub>(m) -&gt; c; Mac<sub>km</sub>(m) -&gt; t; send ciphertext (c, t)<br />• if Dec<sub>ke</sub>(c) ≠ fail and Vrfy<sub>km</sub>(m,t) accepts<br /> ◇ output m<br /> ◇ else output fail<br />• Insecure<br /> ◇ MAC tag t may leak information about m<br /> ◇ if MAC is deterministic (CBC-MAC) then Π<sub>AE</sub> is not CPA-secure<br /></div></div>
</body></html>
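Review bot: in `if Dec<sub>ke</sub>(c) ≠ fail and Vrfy<sub>km</sub>(m,t) accepts`, m is used before it is defined; write `m = Dec<sub>ke</sub>(c)` first and then verify (m, t). The last bullet is narrower than it needs to be: any deterministic MAC, not only CBC-MAC, produces the same t for the same m, so the tag reveals whether two ciphertexts encrypt the same message, which is what breaks CPA security here.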
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>Encrypt-then-authenticate</u></b></h1><h3>Encrypt-then-authenticate</h3><br />• Enc<sub>ke</sub>(m) -&gt; c; Mac<sub>km</sub>(c) -&gt;t; send ciphertext (c, t)<br />• if Vrfy<sub>km</sub>(c,t) accepts then<br /> ◇ output Dec<sub>ke</sub>(c) = m,<br /> ◇ else output fail<br />• secure scheme as long as Π<sub>M</sub> is a strong MAC</div></div>
<div class="page"><h1><b><u>Encrypt-then-authenticate</u></b></h1><a name="h3-1"></a><h3>Encrypt-then-authenticate</h3><br />• Enc<sub>ke</sub>(m) -&gt; c; Mac<sub>km</sub>(c) -&gt;t; send ciphertext (c, t)<br />• if Vrfy<sub>km</sub>(c,t) accepts then<br /> ◇ output Dec<sub>ke</sub>(c) = m,<br /> ◇ else output fail<br />• secure scheme as long as Π<sub>M</sub> is a strong MAC</div></div>
</body></html>
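Review bot: "secure scheme as long as Π<sub>M</sub> is a strong MAC" states only half the condition; the "Authenticated encryption" page changed in this same commit also requires Π<sub>E</sub> to be CPA-secure and k<sub>e</sub>, k<sub>m</sub> to be independent keys, and this line should say so. Also `Mac<sub>km</sub>(c) -&gt;t` is missing a space before t.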
2 changes: 1 addition & 1 deletion notes.ctb_HTML/cs306--Notes--Authenticated_encryption.html
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>Authenticated encryption</u></b></h1><h2>Authenticated encryption constructions</h2><br />• CPA-secure encryption scheme Π<sub>E</sub>=(Enc, Dec)<br />• a secure MAC Π<sub>M</sub> = (MAC, Vrfy)<br />• instantiated using independent secret keys k<sub>e</sub>, k<sub>m</sub><br />• order matters<br />• secrecy and integrity is protected<br /><br />• Possible attacks:<br /> ◇ reordering attack - counters can be used to eliminate reordering/replays<br /> ◇ reflection attack - directional bit can be used to eliminate reflections<br /> ◇ replay attack - c = Enc<sub>k</sub>(b<sub>a-&gt;b</sub> || ctr<sub>A,b</sub> || m); ctr<sub>A,B</sub>++<br /></div></div>
<div class="page"><h1><b><u>Authenticated encryption</u></b></h1><a name="h2-1"></a><h2>Authenticated encryption constructions</h2><br />• CPA-secure encryption scheme Π<sub>E</sub>=(Enc, Dec)<br />• a secure MAC Π<sub>M</sub> = (MAC, Vrfy)<br />• instantiated using independent secret keys k<sub>e</sub>, k<sub>m</sub><br />• order matters<br />• secrecy and integrity is protected<br /><br />• Possible attacks:<br /> ◇ reordering attack - counters can be used to eliminate reordering/replays<br /> ◇ reflection attack - directional bit can be used to eliminate reflections<br /> ◇ replay attack - c = Enc<sub>k</sub>(b<sub>a-&gt;b</sub> || ctr<sub>A,b</sub> || m); ctr<sub>A,B</sub>++<br /></div></div>
</body></html>
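Review bot: the notation on the replay bullet is inconsistent: `b<sub>a-&gt;b</sub>`, `ctr<sub>A,b</sub>` and `ctr<sub>A,B</sub>` name the same two parties three different ways, and `Enc<sub>k</sub>` drops the k<sub>e</sub>/k<sub>m</sub> split introduced two bullets up. The formula also answers all three attacks rather than replay alone: the counter is what the reordering bullet refers to, and the direction bit is what the reflection bullet refers to, so it reads better placed once above the list. Grammar: "secrecy and integrity is protected" should be "are protected".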
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>Chained CBC</u></b></h1><h3>Chained CBC</h3><br />• Uses last block ciphertext as IV of next message<br />• not CPA-secure<br /></div></div>
<div class="page"><h1><b><u>Chained CBC</u></b></h1><a name="h3-1"></a><h3>Chained CBC</h3><br />• Uses last block ciphertext as IV of next message<br />• not CPA-secure<br /></div></div>
</body></html>
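Review bot: "not CPA-secure" is asserted without a reason; add that the IV of the next message is the last ciphertext block, which the attacker has already seen, so the IV is predictable, and an attacker who knows the IV in advance can choose the next plaintext so that IV ⊕ P equals the block-cipher input of an earlier block and thereby test a guess about that earlier plaintext.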
2 changes: 1 addition & 1 deletion notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CBC.html
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>CBC</u></b></h1><h3>CBC: Cipher Block Chaining</h3><br />• ECB produces the same ciphertext on the same ciphertext under the same key<br />• The ciphertext of the previous block can be mixed with the plaintext of the current block (XOR). an initial vector is used as the initial ciphertext<br />• Previous ciphertext block is combined with current plaintext block C[i] = E<sub>k</sub>(C[i-1]⊕P[i])<br />• C[-1] = IV; a random block separately transmitted encrypted<br />• decryption: P[i] = C[i-1]⊕D<sub>k</sub>(C[i])<br /><img src="images\21-1.png" alt="images\21-1.png" /><br /><br /><img src="images\21-2.png" alt="images\21-2.png" /></div></div>
<div class="page"><h1><b><u>CBC</u></b></h1><a name="h3-1"></a><h3>CBC: Cipher Block Chaining</h3><br />• ECB produces the same ciphertext on the same ciphertext under the same key<br />• The ciphertext of the previous block can be mixed with the plaintext of the current block (XOR). an initial vector is used as the initial ciphertext<br />• Previous ciphertext block is combined with current plaintext block C[i] = E<sub>k</sub>(C[i-1]⊕P[i])<br />• C[-1] = IV; a random block separately transmitted encrypted<br />• decryption: P[i] = C[i-1]⊕D<sub>k</sub>(C[i])<br /><img src="images\21-1.png" alt="images\21-1.png" /><br /><br /><img src="images\21-2.png" alt="images\21-2.png" /></div></div>
</body></html>
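Review bot: "ECB produces the same ciphertext on the same ciphertext under the same key" should read "on the same plaintext". The IV bullet "a random block separately transmitted encrypted" is misleading: in CBC the IV need not be secret and is normally sent in the clear as C[-1]; the requirement is that it is chosen uniformly at random (unpredictable to the attacker), which is exactly the property the Chained CBC page in this same commit loses.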
2 changes: 1 addition & 1 deletion notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--CTR.html
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>CTR</u></b></h1><br /><h3>CTR - Counter Mode</h3><br />• CTR uniform<br />• message length doesn't need to be multiple of n<br />• resembles synchronized stream-cipher mode<br />• CPA-secure if F<sub>k</sub> is PRF<br />• no need for F<sub>k</sub> to be invertible<br />• parallelizable<br /><img src="images\29-1.png" alt="images\29-1.png" /><br /></div></div>
<div class="page"><h1><b><u>CTR</u></b></h1><a name="h3-1"></a><h3>CTR - Counter Mode</h3><br />• CTR uniform<br />• message length doesn't need to be multiple of n<br />• resembles synchronized stream-cipher mode<br />• CPA-secure if F<sub>k</sub> is PRF<br />• no need for F<sub>k</sub> to be invertible<br />• parallelizable<br /><img src="images\29-1.png" alt="images\29-1.png" /><br /></div></div>
</body></html>
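Review bot: "CTR uniform" is ambiguous; the parallel OFB page in this commit says "IV uniform", and the intended statement is that the initial counter ctr is chosen uniformly at random, with block i using F<sub>k</sub>(ctr + i). Since the page notes that CTR "resembles synchronized stream-cipher mode", it is worth adding the caveat that follows from it: reusing a counter value under the same key XORs two messages with the same keystream, so security depends on ctr never repeating under a key.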
2 changes: 1 addition & 1 deletion notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--ECB.html
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>ECB</u></b></h1><br /><h3>ECB: Electronic Code Book</h3><br />• Block P[i] encrypted into ciphertext block C[i] = E<sub>k</sub>(P[i])<br />• Block P[i] decrypted into ciphertext block M[i] = D<sub>k</sub>(C[i])<br /><img src="images\20-1.png" alt="images\20-1.png" /><br />• Strengths<br /> ◇ Simple<br /> ◇ Parallel encryptions<br /> ◇ Tolerates loss or damage<br />• Weaknesses<br /> ◇ Documents and images are not suitable since patterns in the plaintext are repeated in the ciphertext<br /><img src="images\20-2.png" alt="images\20-2.png" /><br /><br />• deterministic - not CPA secure<br />• not EAV-secure<br /><img src="images\20-3.png" alt="images\20-3.png" /></div></div>
<div class="page"><h1><b><u>ECB</u></b></h1><a name="h3-1"></a><h3>ECB: Electronic Code Book</h3><br />• Block P[i] encrypted into ciphertext block C[i] = E<sub>k</sub>(P[i])<br />• Block P[i] decrypted into ciphertext block M[i] = D<sub>k</sub>(C[i])<br /><img src="images\20-1.png" alt="images\20-1.png" /><br />• Strengths<br /> ◇ Simple<br /> ◇ Parallel encryptions<br /> ◇ Tolerates loss or damage<br />• Weaknesses<br /> ◇ Documents and images are not suitable since patterns in the plaintext are repeated in the ciphertext<br /><img src="images\20-2.png" alt="images\20-2.png" /><br /><br />• deterministic - not CPA secure<br />• not EAV-secure<br /><img src="images\20-3.png" alt="images\20-3.png" /></div></div>
</body></html>
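Review bot: the second bullet has plaintext and ciphertext swapped: "Block P[i] decrypted into ciphertext block M[i] = D<sub>k</sub>(C[i])" should be "Ciphertext block C[i] decrypted into plaintext block P[i] = D<sub>k</sub>(C[i])", using P[i] rather than M[i] so it matches the encryption bullet. "Tolerates loss or damage" should say of what: loss or corruption of one ciphertext block affects only that block, because no block depends on another.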
2 changes: 1 addition & 1 deletion notes.ctb_HTML/cs306--Notes--Block_Cipher_Modes--OFB.html
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>OFB</u></b></h1><br /><h3>OFB - Output Feedback</h3><br />• IV uniform<br />• message length doesn't need to be multiple of n<br />• resembles synchronizes stream-cipher mode<br />• stateful variant (chaining) is secure<br />• CPA-secure if F<sub>k</sub> is PRF<br /><img src="images\28-1.png" alt="images\28-1.png" /></div></div>
<div class="page"><h1><b><u>OFB</u></b></h1><a name="h3-1"></a><h3>OFB - Output Feedback</h3><br />• IV uniform<br />• message length doesn't need to be multiple of n<br />• resembles synchronizes stream-cipher mode<br />• stateful variant (chaining) is secure<br />• CPA-secure if F<sub>k</sub> is PRF<br /><img src="images\28-1.png" alt="images\28-1.png" /></div></div>
</body></html>
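Review bot: "resembles synchronizes stream-cipher mode" should be "synchronized". The bullet "stateful variant (chaining) is secure" is correct for OFB but sits in direct contrast with the Chained CBC page in this commit, which is "not CPA-secure"; one sentence explaining the difference (the OFB keystream does not depend on the plaintext, so carrying state across messages does not give the attacker a predictable input to influence) would stop readers generalizing the wrong way.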
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>RSA</u></b></h1><h2>RSA Algorithm</h2><br />General case<br />• Setup (run by a given user)<br /> ◇ n = p * q, with p and q primes<br /> ◇ e relatively prime to Φ(n) = (p - 1)(q - 1)<br /> ◇ d inverse of e in Z<sub>Φ(n)</sub><br />• Keys<br /> ◇ public key is K<sub>pk</sub> = (n, e)<br /> ◇ private key is K<sub>sk</sub> = d<br />• Encryption<br /> ◇ C = M<sup>e</sup> mod n for plaintext M in Z<sub>n</sub><br />• Decryption<br /> ◇ M = C<sup>d</sup> mod n<br /><img src="images\75-1.png" alt="images\75-1.png" /><br /><img src="images\75-2.png" alt="images\75-2.png" /><br /><br /><h3>Security</h3><br />• Sign the hash<br />• Current practice is using 2048-bit long RSA keys (617 decimal digits)<br />• Plain RSA is deteministic<br />• homomorphic<br /><br /><h3>Issues</h3><br />• Requires various algorithms<br /> ◇ Generation of random numbers<br /> ◇ primality testing<br /> ◇ computation of the GCD<br /> ◇ Computation of the multiplicative inverse<br /><br /><h3>Real-world usage</h3><br />• Randomized RSA<br /> ◇ To encrypt message M under an RSA public key (e, n) generate a new random session AES key K, compute ciphertext as [K<sup>e</sup> mod n, AES<sub>k</sub>(m)]<br /> ◇ prevents an adversary distinguishing two encryptions of the same M since K is chosen at random every time encryption takes place<br />• Optimal Asymmetric Encryption Padding (OAEP)<br /> ◇ roughly to encrypt M , choose random r, encode M as M' = [X = M ⊕ H<sub>1</sub>(r), Y = r ⊕ H<sub>2</sub>(X)] where H<sub>1</sub> and H<sub>2</sub> are cryptographic hash functions, then encrypt it as (M')<sup>e</sup> mod n</div></div>
<div class="page"><h1><b><u>RSA</u></b></h1><a name="h2-1"></a><h2>RSA Algorithm</h2><br />General case<br />• Setup (run by a given user)<br /> ◇ n = p * q, with p and q primes<br /> ◇ e relatively prime to Φ(n) = (p - 1)(q - 1)<br /> ◇ d inverse of e in Z<sub>Φ(n)</sub><br />• Keys<br /> ◇ public key is K<sub>pk</sub> = (n, e)<br /> ◇ private key is K<sub>sk</sub> = d<br />• Encryption<br /> ◇ C = M<sup>e</sup> mod n for plaintext M in Z<sub>n</sub><br />• Decryption<br /> ◇ M = C<sup>d</sup> mod n<br /><img src="images\75-1.png" alt="images\75-1.png" /><br /><img src="images\75-2.png" alt="images\75-2.png" /><br /><br /><a name="h3-1"></a><h3>Security</h3><br />• Sign the hash<br />• Current practice is using 2048-bit long RSA keys (617 decimal digits)<br />• Plain RSA is deteministic<br />• homomorphic<br /><br /><a name="h3-2"></a><h3>Issues</h3><br />• Requires various algorithms<br /> ◇ Generation of random numbers<br /> ◇ primality testing<br /> ◇ computation of the GCD<br /> ◇ Computation of the multiplicative inverse<br /><br /><a name="h3-3"></a><h3>Real-world usage</h3><br />• Randomized RSA<br /> ◇ To encrypt message M under an RSA public key (e, n) generate a new random session AES key K, compute ciphertext as [K<sup>e</sup> mod n, AES<sub>k</sub>(m)]<br /> ◇ prevents an adversary distinguishing two encryptions of the same M since K is chosen at random every time encryption takes place<br />• Optimal Asymmetric Encryption Padding (OAEP)<br /> ◇ roughly to encrypt M , choose random r, encode M as M' = [X = M ⊕ H<sub>1</sub>(r), Y = r ⊕ H<sub>2</sub>(X)] where H<sub>1</sub> and H<sub>2</sub> are cryptographic hash functions, then encrypt it as (M')<sup>e</sup> mod n</div></div>
</body></html>
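Review bot: typo "deteministic" (deterministic). In "Randomized RSA" the key is written K in `K<sup>e</sup> mod n` but k in `AES<sub>k</sub>(m)`, and the message is m there but M elsewhere; pick one. "homomorphic" is listed under Security with no consequence: from C = M<sup>e</sup> mod n it follows that C<sub>1</sub>·C<sub>2</sub> = (M<sub>1</sub>M<sub>2</sub>)<sup>e</sup> mod n, so an attacker can turn a valid ciphertext into the encryption of a related plaintext without the key (malleability), which together with "deterministic" is why plain RSA is not used directly and OAEP (the last section) exists. "Sign the hash" also needs a subject: sign H(M) rather than M, since signing M directly inherits the same multiplicative structure.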
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>algorithms</u></b></h1><br /></div></div>
<div class="page"><h1><b><u>algorithms</u></b></h1></div></div>
</body></html>
Original file line number Diff line number Diff line change
Expand Up @@ -142,5 +142,5 @@
</ol>
<li><a href="cs306--homework.html">homework</a></li>
</ol></div>
<div class="page"><h1><b><u>hybrid encryption</u></b></h1><h2>ybrid encryption</h2><br /><img src="images\69-1.png" alt="images\69-1.png" /><br />• reduces public-key crypto to secret-key crypto<br />• better performance<br />• apply public-key encryption on random key k<br />• use k for secret-key encryption of m<br />•<img src="images\69-2.png" alt="images\69-2.png" /><br />• Using KEM/DEM approach<br /> ◇ encapsulate secret key k into c<br /> ◇ use k for secret-key encryption of m<br /> ◇ KEM: key-encapsulation mechanism - Encaps<br /> ◇ DEM: data encapsulation machanism - Enc'<br /> ◇ KEM/DEM scheme<br /> ▪ CPA-secure if KEM is CPA-secure and Enc' is EAV-secure<br /> ▪ CCA-secure if KEM and Enc' are CCA-secure</div></div>
<div class="page"><h1><b><u>hybrid encryption</u></b></h1><a name="h2-1"></a><h2>Hybrid encryption</h2><br /><img src="images\69-1.png" alt="images\69-1.png" /><br />• reduces public-key crypto to secret-key crypto<br />• better performance<br />• apply public-key encryption on random key k<br />• use k for secret-key encryption of m<br />•<img src="images\69-2.png" alt="images\69-2.png" /><br />• Using KEM/DEM approach<br /> ◇ encapsulate secret key k into c<br /> ◇ use k for secret-key encryption of m<br /> ◇ KEM: key-encapsulation mechanism - Encaps<br /> ◇ DEM: data encapsulation machanism - Enc'<br /> ◇ KEM/DEM scheme<br /> ▪ CPA-secure if KEM is CPA-secure and Enc' is EAV-secure<br /> ▪ CCA-secure if KEM and Enc' are CCA-secure</div></div>
</body></html>
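Review bot: the heading fix (ybrid → Hybrid) is right; while here, "machanism" should be "mechanism", and `•<img src="images\69-2.png" ...>` is a bullet marker with no text. The two security bullets are correct but mix names: Encaps is the KEM and Enc' is the DEM, so "CPA-secure if KEM is CPA-secure and Enc' is EAV-secure" reads more clearly as "the KEM/DEM scheme is CPA-secure if Encaps is CPA-secure and the DEM Enc' is EAV-secure (one-time security suffices, since a fresh k is encapsulated per message)".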