|
| 1 | +\documentclass[psamsfonts]{amsart} |
| 2 | + |
| 3 | +%-------Packages--------- |
| 4 | +\usepackage{amssymb,amsfonts} |
| 5 | +\usepackage{enumerate} |
| 6 | +\usepackage[margin=1in]{geometry} |
| 7 | +\usepackage{amsthm} |
| 8 | +\usepackage{theorem} |
| 9 | +\usepackage{verbatim} |
| 10 | +\usepackage{tikz} |
| 11 | +\usetikzlibrary{shapes,arrows} |
| 12 | + |
| 13 | +\bibliographystyle{plain} |
| 14 | + |
| 15 | +\voffset = -10pt |
| 16 | +\headheight = 0pt |
| 17 | +\topmargin = -20pt |
| 18 | +\textheight = 690pt |
| 19 | + |
| 20 | +%--------Meta Data: Fill in your info------ |
| 21 | +\title{6.857 \\ |
| 22 | +Network and Computer Security \\ |
| 23 | +Lecture 5} |
| 24 | + |
| 25 | +\author{Lecturer: Ronald Rivest\\ |
| 26 | +Scribe: John Wang} |
| 27 | + |
| 28 | +\begin{document} |
| 29 | + |
| 30 | +\maketitle |
| 31 | + |
| 32 | +\section{Hash Function Applications} |
| 33 | + |
| 34 | +\subsection{Password Storage} |
| 35 | + |
| 36 | +System stores $h(pw)$ rather than $pw$ itself. System might also store username, salt, etc. |
| 37 | + |
| 38 | +\subsection{File Modification Detector} |
| 39 | + |
| 40 | +You want to monitor to detect when files have been changed. For each file, store $h(F)$ securely. You can check to see if the files have been modified by recomputing the hash. Provides detection (not prevention). |
| 41 | + |
| 42 | +\subsection{Digital Signatures (hash and sign)} |
| 43 | + |
| 44 | +\begin{itemize} |
| 45 | + \item $PK_A$ is Alice's public key (for signature verification). |
| 46 | + \item $SK_A$ is Alice's secret key (for signing). |
| 47 | + \item Signing: $\sigma = sign(SK_A, m)$ and $\sigma$ is Alice's signature on message. |
| 48 | + \item Verification: $verify(M, \sigma, PK_A) \in \{true, false\}$. |
| 49 | +\end{itemize} |
| 50 | + |
| 51 | +Idea: computing $h(m)$ is fast, so sign $h(m)$ instead of signing $m$. We do $sign(m, SK_A) = sign(m', SK_A)$ if $h(m) = h(m')$. |
| 52 | + |
| 53 | +Problem is that if $h(m) = h(m')$, then asking Alice to sign $m$, her signature $\sigma$ is also a signature for $m'$. |
| 54 | + |
| 55 | +\subsection{Commitments} |
| 56 | + |
| 57 | +Alice has value $x$ which is her bid. She computes $C(x)$ and gives auctioneer $C(x)$, which is her sealed bid. When bidding is over, Alice should be able to open $C(x)$ to reveal $x$. |
| 58 | + |
| 59 | +Want these properties: |
| 60 | +\begin{itemize} |
| 61 | + \item Binding: Alice should not be able to open $C(x)$ in more than one way. |
| 62 | + \item Secrecy: Anyone seeing $C(x)$ should have no information about $x$. |
| 63 | + \item Non-malleability: Anyone seeing $C(x)$ shouldn't be able to come up with a related bid, e.g. $C(x+1)$. |
| 64 | +\end{itemize} |
| 65 | + |
| 66 | +Let's try $C(x) = h(\textrm{username} || x || r)$ where $r$ is a random value which is secret to Alice. To make sure that the hash function satisfies all of the above properties, we need to have collision resistance (for binding), one-wayness (for secrecy, but we need a little more, we don't want to leak at any information on $x$), and non-malleability. |
| 67 | + |
| 68 | +To open the bid, everyone sends in their bids once the auction is over, and you check to make sure the messages hash to their commitment value. |
| 69 | + |
| 70 | +\subsection{Merkle Tree} |
| 71 | + |
| 72 | +Authenticate a collection of objects $x_1, x_2, \ldots, x_n$. You go up the tree, computing hash values of two children below it. The hash value at the top of the tree is the root value. To check if some $x$ is a member of the collection, then you must get $x$'s brother, and you can compute up the tree if you are also given the other values of the nodes. |
| 73 | + |
| 74 | +We have to have target collision resistance (to make sure you can't find another value that leads to the root hash), also collision resistance because maybe the guy making the tree made another tree as well. |
| 75 | + |
| 76 | +\section{Merkle-Damgard Construction} |
| 77 | + |
| 78 | +Start off the machine with a state of all zeros. Then you concatenate $m_1$ with the current state and hash this. This results in a new state $c_1$, and you concatenate $m_2$ with it and hash to result in $c_2$. Keep doing this for some number of iterations until you get $h(m)$ which is some partition of $c_n$. |
| 79 | + |
| 80 | +Common design pattern for function $f$ is $f(c_{i-1}, m) = C_{i-1} \oplus E(m_i, c_{i-1})$ where $m_i$ is the key and $c_{i-1}$ is the message. |
| 81 | + |
| 82 | +\section{Keccak} |
| 83 | + |
| 84 | +This is an iterative algorithm and there are two components to the state. The width is composed of $r + c$. You first take $r \oplus m_1$ and send that as well as $c$ copied over to $f$, where $f$ is a permutation of $\{0,1\}^{c + r} \rightarrow \{0,1\}^{c + r}$. It's a random looking object, and it's also public. One we've finished with all the message parts, then $h(m)$ is just $r$ from the output state. |
| 85 | + |
| 86 | +The compression is happening at the xor. |
| 87 | + |
| 88 | +\end{document} |
0 commit comments