Stanford Cryptography I Study Notes
This series consists of study notes for the "Cryptography I" course taught by Professor Dan Boneh at Stanford
Course URL: http://www.coursera.org/lecture/crypto/course-overview-lboqg
The content is updated in parallel on CSDN, Zhihu and the WeChat official account
- The Markdown source files are not yet open-sourced; contact the author by email if you need them
- The notes will inevitably contain mistakes; corrections by email are welcome
I recently went through Dan Boneh's cryptography course at Stanford and plan to record some of the key points of the course.
As the opening article, this post first lists the course's table of contents in detail. The table of contents has four levels of headings, down to the level of individual slides. It then gives an overview of the course content.
- Course outline
- 0 Introduction
- 1 Stream Ciphers
- 2 Block Ciphers
- 3 Message Integrity
- 4 Authenticated Encryption
- 5 Basic Key Exchange
- 6 Public-Key Encryption
Course Table of Contents
- 0 Introduction
- 0.1 Course Overview
- 0.2 What is Cryptography
- 0.3 History of Cryptography
- 相关书籍
- Symmetric Ciphers
- Few History Examples
- 0.4 Discrete Probability
- Basic Symbols and definitions
- Events
- The Union bound
- Random Variables
- The uniform random variable
- Randomized algorithms
- Recap (brief summary)
- Independence
- XOR
- The birthday paradox
- 1 Stream Ciphers
- 1.1 Information Theoretic Security and The One Time Pad
- Symmetric Ciphers: definition
- One time Pad (Vernam 1917)
- Information Theoretic Security
- Lemma: OTP has perfect secrecy
- Bad news about perfect secrecy
- 1.2 Stream Ciphers and Pseudo Random Generators
- Review
- Stream cipher: making OTP practical
- Unpredictability: PRG must be unpredictable
- Weak PRGs
- Negligible and non-negligible
- 1.3 Attacks on Stream Ciphers
- Review
- Attack 1: two time pad is insecure!
- Real World example
- A better construction
- Yet another example: disk encryption
- Two time pad: summary
- Attack 2: no integrity
- 1.4 Real-World Stream Ciphers
- Old example : RC4 (1987)
- Old example: CSS (Content Scrambling System)
- Modern stream ciphers: eStream (2008)
- eStream: Salsa 20 (SW + HW)
- Performance on AMD Opteron, 2.2 GHz, Linux
- 1.5 What is a secure cipher
- 1.5.1 PRG Security Definitions
- Definitions
- Statistical Tests
- Advantage
- Secure PRGs: crypto definition
- Easy fact: a secure PRG is unpredictable
- Thm (Yao’82): an unpredictable PRG is secure
- More Generally
- 1.5.2 Semantic Security
- What is a secure cipher?
- Recall Shannon’s perfect secrecy
- Semantic Security (one-time key)
- Example: Not semantically secure
- Example: OTP is semantically secure
- 1.5.3 Stream ciphers are semantically secure
- Stream ciphers are semantically secure
- Proof of claim 2: \exist B: | PrW_0
- 2 Block Ciphers
- 2.1 Overview – What are Block ciphers?
- Block ciphers: crypto work horse
- Block Ciphers Built by iteration
- Performance
- Abstractly: PRPs and PRFs
- Running examples
- Secure PRFs
- A Practice
- An easy application: PRF ⇒ PRG
- 2.2 The Data Encryption Standard
- 2.2.1 DES Structure
- The Data Encryption Standard (DES)
- DES: Core idea - Feistel Network
- Decryption circuit
- Theorem: security of Feistel (secure PRP) Luby-Rackoff '85
- DES: 16 round Feistel network
- The function F(k_i, x)
- The S-boxes
- Example: a bad S-Box choice (Linear S-Box)
- Choose the S-boxes and P-box
- 2.2.2 Exhaustive Search Attacks
- Exhaustive Search for block cipher key
- DES challenge
- Strengthening DES against ex. search – Method 1: Triple-DES
- Why not double DES?
- Meet in the middle attack
- Strengthening DES against ex. search – Method 2: DESX
- 2.2.3 More attacks on Block Ciphers
- Attacks on the implementation
- Linear and differential attacks
- Linear attacks
- Lesson
- Quantum attacks
- Quantum exhaustive search
- 2.3 AES and other constructions
- 2.3.1 The AES Block Cipher
- The AES process
- AES is a Subs-Perm network (not Feistel)
- AES-128 schematic
- The round function
- Example: Javascript AES
- AES in hardware
- Attacks
- 2.3.2 Block Ciphers From PRGs
- Can we build a PRF from a PRG?
- Extending a PRG:
- A quick Proof: G_1 is a secure PRG:
- Extending more:
- Extending even more: the GGM PRF
- Secure block cipher from a PRG
- 2.4 How to use Block Ciphers 1: one-time key
- 2.4.1 Review: PRPs and PRFs
- Abstractly: PRPs and PRFs
- Secure PRFs
- Secure PRF: definition
- Secure PRP
- Practice: secure PRF
- Example secure PRPs
- Practice: Secure PRP
- PRF Switching Lemma
- Final Note
- 2.4.2 Modes of Operation: One-time Key
- Using PRPs and PRFs
- Incorrect use of a PRP
- Semantic Security (One-time key)
- ECB is not Semantically Secure
- Secure Construction 1
- Det. counter-mode security
- 2.5 How to use Block Ciphers 2: many-time Key
- 2.5.1 Security for Many-Time Key (CPA Security)
- Semantic Security for many-time key (CPA security)
- Ciphers insecure under CPA
- Solution 1: randomized encryption
- Solution 2: nonce-based Encryption
- CPA security for nonce-based encryption
- 2.5.2 Modes of Operation: Many Time Key (CBC)
- Construction 1: CBC with random IV
- Decryption circuit
- CBC: CPA Analysis
- An example
- Warning: an attack on CBC with rand. IV
- Construction 1': nonce-based CBC
- An example Crypto API (OpenSSL)
- A CBC technicality: padding
- 2.5.3 Modes of Operation: Many Time Key (CTR)
- Construction 2: rand. ctr-mode
- Construction 2': nonce ctr-mode
- rand ctr-mode (rand. IV): CPA analysis
- An example
- Comparison: CTR vs. CBC
- Summary
- 3 Message Integrity
- 3.1 Message Integrity: Definitions
- 3.1.1 Message Authentication Codes
- Message Integrity
- Message integrity: MACs
- Integrity requires a secret key
- Secure MACs
- Example on the MAC security
- Example: Protecting system files
- 3.1.2 MACs based on PRFs
- Review: Secure MAC
- Secure PRF ⇒ Secure MAC
- A bad example
- Security
- Proof Sketch
- Examples
- Truncating MACs based on PRFs
- 3.2 Message Integrity 2: Construction (Sequential MAC Construction)
- 3.2.1 CBC-MAC and NMAC
- MACs and PRFs
- Construction 1: CBC-MAC
- Construction 2: NMAC (nested MAC)
- Why the last encryption step in ECBC-MAC and NMAC?
- ECBC-MAC and NMAC analysis
- An example
- The security bounds are tight: an attack
- Comparison
- 3.2.2 MAC padding
- Recall ECBC-MAC
- CBC MAC padding: What if msg. len. is not multiple of block-size
- CBC MAC padding
- CMAC (NIST standard)
- 3.3 More constructions (Parallel or One-time MAC): PMAC and the Carter Wegman MAC
- Construction 3: PMAC - Parallel MAC
- PMAC: Analysis
- PMAC is incremental
- One time MAC (analog of one time pad)
- One-time MAC: an example
- One-time MAC ⇒ Many-time MAC
- Construction HMAC (Hash-MAC)
- Further reading
- 3.4 Collision Resistance 1: What is a collision resistant function
- 3.4.1 Introduction
- Recap: message integrity
- Collision Resistance
- MACs from Collision Resistance
- MACs from Collision Resistance
- Protecting file integrity using C.R. hash
- 3.4.2 Generic birthday attack
- Generic attack on C.R. functions
- The birthday paradox
- Generic attack
- Sample C.R. hash functions:
- 3.5 Collision Resistance 2: constructions
- 3.5.1 The Merkle-Damgard Paradigm
- Collision resistance: review
- The Merkle-Damgard iterated construction
- MD collision resistance
- 3.5.2 Constructing Compression Functions
- The Merkle-Damgard iterated construction
- Compression function from a block cipher
- Other block cipher constructions
- Case study: SHA-256
- Provable compression function
- 3.6 A MAC from a hash function
- 3.6.1 HMAC: a MAC from SHA-256
- The Merkle-Damgard iterated construction
- MAC from a Merkle-Damgard Hash Function
- Standardized method: HMAC (Hash-MAC)
- HMAC properties
- 3.6.2 Timing attacks on MAC verification
- Warning: verification timing attacks
- Warning: verification timing attacks
- Defense #1
- Defense #2
- 4 Authenticated Encryption
- 4.1 Authenticated encryption: Why is it so important?
- 4.1.1 Active attacks on CPA-Secure Encryption
- Recap: the story so far
- Sample tampering attacks
- An attack using only network access
- The lesson
- 4.1.2 Definitions
- Goals
- Ciphertext integrity
- Authenticated encryption
- Implication 1: authenticity (genuineness, reliability)
- Implication 2
- 4.1.3 Chosen Ciphertext Attacks
- Example chosen ciphertext attacks
- Chosen ciphertext security
- Chosen ciphertext security: definition
- Authenticated enc. ⇒ CCA security
- Proof by pictures
- Conclusion: AE ⇒ CCA security
- 4.2 Standard AE (authenticated encryption) constructions
- Some history
- Combining MAC and ENC (CCA)
- A.E. Theorems
- Standards (at a high level)
- An example API (OpenSSL)
- MAC Security: an example
- OCB: a direct construction from a PRP
- Performance
- 4.3 Authenticated Encryption 3: pitfalls
- 4.3.1 Case Study: TLS 1.2
- The TLS Record Protocol (TLS 1.2)
- TLS record: encryption (CBC AES-128, HMAC-SHA1)
- TLS record: decryption (CBC AES-128, HMAC-SHA1)
- Bugs in older versions (prior to TLS 1.1)
- 802.11b WEP: how not to do it
- Active attacks
- 4.3.2 CBC padding attacks
- Recap
- The TLS record protocol (CBC encryption)
- Padding oracle
- Padding oracle via timing OpenSSL
- Using a padding oracle
- IMAP over TLS
- Lesson
- 4.3.3 Attacking Non-Atomic Decryption
- SSH Binary Packet Protocol
- An attack on the enc. length field (simplified)
- Lesson
- Further reading about Authenticated Encryption
- 4.4 Odds and Ends: Key Derivation
- Deriving many keys from one
- When source key is uniform
- What if source key is not uniform
- Extract-then-Expand paradigm
- HKDF: a KDF from HMAC
- Password-Based KDF (PBKDF)
- 4.5 Odds and Ends 2: Searching on encrypted data
- 4.5.1 Deterministic Encryption
- The need for det. Encryption
- Problem: Deterministic encryption cannot be CPA secure
- A solution: the case of unique messages
- Deterministic CPA Security
- A common Mistake
- 4.5.2 Deterministic Encryption: SIV and Wide PRP
- Deterministic encryption
- Construction 1: Synthetic IV (SIV)
- Ensuring ciphertext integrity
- Det. Auth. Enc. (DAE) for free
- Construction 2: just use a PRP
- EME: constructing a wide block PRP
- PRP-based Det. Authenticated Enc.
- 4.6 Disk Encryption and Credit Card Encryption
- 4.6.1 Tweakable Encryption
- Disk encryption: no expansion
- Tweakable block ciphers
- Secure tweakable block ciphers
- Example 1: the trivial construction
- The XTS tweakable block cipher R’04
- Disk encryption using XTS
- Summary
- 4.6.2 Format Preserving Encryption
- Encrypting credit card numbers
- Format preserving encryption (FPE)
- Step 1: from {0,1}^n to {0,1}^t (t < n)
- Step 2: from {0,1}^t to {0, 1, 2, …, s-1}
- Security
- Further reading
- 5 Basic Key Exchange
- 5.1 Basic Key Exchange 1: problem statement
- 5.1.1 Trusted 3rd parties
- Key management
- A better solution
- Generating keys: a toy protocol
- Generating keys: a toy protocol
- Toy protocol: insecure against active attacks
- Key question:
- 5.1.2 Merkle Puzzles
- Key exchange without an online TTP??
- Merkle Puzzles (1974)
- Impossibility Result
- 5.2 Basic key exchange 2: two solutions
- 5.2.1 The Diffie-Hellman Protocol
- The Diffie-Hellman Protocol
- Security
- How hard is the DH function mod p?
- Insecure against man-in-the-middle
- Another look at DH
- An open problem: Can we do this for more than two parties?
- 5.2.2 Public-Key Encryption
- Establishing a shared secret
- Public key encryption
- Public key encryption
- Semantic Security
- Establishing a shared secret
- Security
- Insecure against man-in-the-middle
- Public key encryption: Constructions
- Further readings
- 5.3 Number Theory 1: modular arithmetic
- 5.3.1 Notation
- Background
- Notation
- Modular arithmetic
- Greatest common divisor
- Modular inversion
- Modular inversion
- More notation
- Solving modular linear equations
- 5.3.2 Fermat and Euler
- Review
- Fermat’s theorem (1640)
- Application: generating random primes
- The structure of (Z_p)^*
- Order (of a group element)
- Euler’s generalization of Fermat
- 5.3.3 Modular e’th Roots
- Modular e’th roots
- The easy case: gcd(e, p-1) = 1
- The case e=2: square roots
- Euler’s theorem
- Computing square roots mod p
- Solving quadratic equations mod p
- Computing e’th roots mod N?
- 5.4 Number Theory: easy and hard problems
- 5.4.1 Arithmetic algorithms
- Representing bignums
- Arithmetic
- Exponentiation
- The repeated squaring alg.
- Running times
- 5.4.2 Intractable Problems
- Easy problem
- Intractable problems with primes
- DLOG: more generally
- Computing Dlog in Z_p^*
- An application: Collision resistance
- Intractable problems with composites
- The factoring problem
- Further reading
- 6 Public-Key Encryption
- 6.1 Public Key Encryption from Trapdoor Permutations
- 6.1.1 Definitions and Security
- Public key encryption
- Applications
- Public key encryption
- Semantic Security (as a quick review)
- Relation to symmetric cipher security
- Security against active attacks
- (pub-key) Chosen Ciphertext Security: definition
- 6.1.2 Constructions
- Trapdoor functions (TDF)
- Secure Trapdoor Functions (TDFs)
- Public-key encryption from TDFs
- Incorrect use of a Trapdoor Function (TDF)
- 6.2 Public Key Encryption from Trapdoor Permutations: RSA
- 6.2.1 The RSA Trapdoor Permutation
- Review: Trapdoor permutations
- Review: arithmetic mod composites
- The RSA trapdoor permutation
- The RSA assumption
- Review: RSA pub-key encryption
- Textbook RSA is insecure
- A simple attack on textbook RSA
- 6.2.2 PKCS 1
- RSA encryption in practice
- PKCS 1 V1.5
- Attack on PKCS 1 v1.5 (Bleichenbacher 1998)
- Baby Bleichenbacher
- HTTPS Defense (RFC 5246)
- PKCS v2.0: OAEP
- OAEP Improvements
- Subtleties in implementing OAEP
- 6.3 Public Key Encryption from Trapdoor Permutations: Attacks
- 6.3.1 Is RSA a One-Way Function?
- Is RSA a one-way permutation?
- Shortcuts?
- How Not to improve RSA’s performance
- Wiener’s attack
- 6.3.2 RSA in Practice
- RSA with Low public exponent
- Key Lengths
- Implementation attacks
- An example Fault Attack on RSA (CRT)
- RSA Key Generation Trouble Heninger et al. / Lenstra et al.
- Further reading
- 6.4 Public Key Encryption From Diffie-Hellman: ElGamal
- 6.4.1 The ElGamal Public-key system
- Recap: public key encryption (Gen, E, D) & Applications
- Constructions
- Review: the Diffie-Hellman protocol
- ElGamal: converting to pub-key enc.
- The ElGamal system (a modern view)
- ElGamal performance
- 6.4.2 ElGamal Security
- Computational Diffie-Hellman Assumption
- Hash Diffie-Hellman Assumption
- ElGamal is sem. secure under Hash-DH
- ElGamal chosen ciphertext security?
- ElGamal chosen ciphertext security
- 6.4.3 ElGamal Variants With Better Security
- Review: ElGamal Encryption
- ElGamal Chosen Ciphertext Security
- Variants: twin ElGamal [CKS'08]
- Chosen ciphertext security
- ElGamal security without random oracles
- Further reading
- 6.5 Public Key Encryption: Summary
- 6.5.1 A unifying Theme
- One-way function
- Ex. 1: Generic one-way functions
- Ex 2: The DLOG one-way function
- Ex.3 The RSA one-way function
- Summary
- 6.5.2 Farewell (For Now)
- Quick Review: primitives
- Remaining Core Topics (Part 2)
Main Content
Based on the table of contents above, the main content of this course includes:
- Week 1: PRG
- Week 2: PRF and PRP
- Week 3: Data integrity
- MAC: the various MAC constructions
- Hash functions
- Collision Resistance: the birthday paradox, etc.
- Week 4: Authenticated Encryption
- Authentication + encryption
- Week 5: start of a new topic: public-key cryptography
- Trapdoor functions
- Diffie-Hellman groups
- Week 6: concrete schemes
- RSA
- ElGamal
As shown in the figure below:
Further content to be continued.