diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
new file mode 100644
index 0000000..a872f01
--- /dev/null
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,5 @@
+# Copilot Instructions
+
+This repository uses a single shared set of agent instructions.
+
+See `../CLAUDE.md`.
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..1b51c42
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,5 @@
+# Agent Instructions
+
+This repository uses a single shared set of agent instructions.
+
+See `CLAUDE.md`.
diff --git a/applied-hash/commitments/.gitignore b/applied-hash/commitments/.gitignore
new file mode 100644
index 0000000..31a3e79
--- /dev/null
+++ b/applied-hash/commitments/.gitignore
@@ -0,0 +1,6 @@
+ltxobj/
+notes.pdf
+slides.pdf
+bibsp.sty
+crypto.bib
+
diff --git a/applied-hash/commitments/Makefile b/applied-hash/commitments/Makefile
new file mode 100644
index 0000000..3c1f14b
--- /dev/null
+++ b/applied-hash/commitments/Makefile
@@ -0,0 +1,37 @@
+.PHONY: all
+all: notes.pdf slides.pdf
+
+LATEXFLAGS+= -shell-escape
+
+SRC+= preamble.tex
+SRC+= abstract.tex contents.tex
+
+DEPENDS+= bibsp.sty
+DEPENDS+= crypto.bib
+
+FIGS+=
+
+notes.pdf: notes.tex
+notes.pdf: ${SRC} ${DEPENDS} $(addprefix fig/,${FIGS})
+
+slides.pdf: slides.tex
+slides.pdf: ${SRC} ${DEPENDS} $(addprefix fig/,${FIGS})
+
+
+$(addprefix fig/, ${FIGS}):
+ ${MAKE} -C $(dir $@) $(notdir $@)
+
+
+.PHONY: clean
+clean:
+ ${RM} notes.pdf slides.pdf
+
+.PHONY: distclean
+distclean:
+ ${MAKE} -C fig clean
+
+
+INCLUDE_MAKEFILES=../../makefiles
+include ${INCLUDE_MAKEFILES}/tex.mk
+INCLUDE_BIBSP=../../bibsp
+include ${INCLUDE_BIBSP}/bibsp.mk
diff --git a/course-overview/abstract.tex b/applied-hash/commitments/abstract.tex
similarity index 100%
rename from course-overview/abstract.tex
rename to applied-hash/commitments/abstract.tex
diff --git a/applied-hash/commitments/contents.tex b/applied-hash/commitments/contents.tex
new file mode 100644
index 0000000..2226962
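Review bot: `LATEXFLAGS+= -shell-escape` in applied-hash/commitments/Makefile lets every build of notes.pdf and slides.pdf run arbitrary shell commands, and nothing in the Makefile records why; the only consumer visible in this commit is `\usepackage{minted}` in preamble.tex. A comment tying the flag to its reason, `# -shell-escape: required by minted (runs pygmentize); drop it if minted goes`, keeps the privilege from outliving its use. Whether tex.mk (included after these lines) already sets or narrows this flag cannot be seen from the hunk.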
--- /dev/null +++ b/applied-hash/commitments/contents.tex 
@@ -0,0 +1,335 @@ +\mode* + +\section[Hash functions]{What was a hash function now again?} + +\begin{frame} + \begin{definition}[One-way function\footfullcite{GoldreichFOC-1}] + \begin{itemize} + \item Let \(h\colon \{0,1\}^*\to \{0,1\}^*\). + \item \(h\) is \emph{one-way} if + \begin{enumerate} + \item there exists an efficient algorithm \(A\) such that \(A(x) + = h(x)\); + \item for every efficient algorithm \(A^\prime\), every positive + polynomial \(p(\cdot)\) and all sufficiently large \(n\)'s + \[\Prob{A^\prime(h(x), 1^n) \in h^{-1}(h(x))} < \frac{1}{p(n)}\] + \end{enumerate} + \end{itemize} + \end{definition} +\end{frame} + +\begin{frame} + \begin{definition}[Preimage resistance (one way)] + \begin{description} + \item[Input] hash function~\(H\), value~\(y\). + \item[Output] Any \(x\) such that \(H(x) = y\). + \end{description} + \end{definition} + + \begin{definition}[Second preimage resistance (weak collision resistance)] + \begin{description} + \item[Input] hash function~\(H\), value \(x\). + \item[Output] Any value \(x'\) such that \(H(x) = H(x')\). + \end{description} + \end{definition} + + \begin{definition}[Collision resistance (strong collision resistance)] + \begin{description} + \item[Input] hash function~\(H\). + \item[Output] Any two \(x, x'\) such that \(H(x) = H(x')\). + \end{description} + \end{definition} +\end{frame} + + +\section{Commitments} + +\begin{frame} + \begin{example}[Guess a number] + \begin{itemize} + \item Eve chooses a secret number/message \(m\). + \item Alice will guess \(m\). + \item Eve must \emph{commit} to \(m\) before Alice starts guessing. + \item Eve will try to cheat if she can. + \end{itemize} + \end{example} + + \begin{exercise}[Try first] + Design a protocol. + + \begin{description} + \item[Hiding] Alice should not learn \(m\) from the first message. + \item[Binding] Eve should not be able to change \(m\) after Alice starts + guessing. + \end{description} + + What could Eve send before the game starts? 
+ \end{exercise} + + \ltnote{% + \textbf{Try-first--tell-later}: We start with a concrete two-party fairness + problem. + + \textbf{Critical aspects}: two different goals (hiding vs binding). + + \textbf{Variation pattern}: Generalization. + } +\end{frame} + +\begin{frame} + \begin{block}{Hash functions and \acp{MAC}} + \begin{itemize} + \item Both take a long input and output a short string. + \item We will use them to \emph{lock in} a value now and \emph{reveal} it + later. + \end{itemize} + \end{block} +\end{frame} + +\begin{frame} + \begin{block}{Solution attempt 1: hash only (no randomness)} + Eve sends \(c = \Hash[m]\). + + Later, Eve reveals \(m\) and Alice checks \(\Hash[m] \stackrel?= c\). + \end{block} +\end{frame} + +\begin{frame} + \begin{description} + \item[Binding] looks plausible (needs collision resistance). + \item[Hiding] fails if \(m\) is guessable (brute force). + \end{description} +\end{frame} + +\begin{frame} + \begin{block}{Solution attempt 2: hash + randomness} + Eve samples fresh randomness \(r\) and sends + \[c = \Hash[\Encode(r,m)].\] + + Later, Eve reveals \((m,r)\). Alice checks + \(\Hash[\Encode(r,m)] \stackrel?= c\). + \end{block} +\end{frame} + +\begin{frame} + \begin{description} + \item[Binding] still relates to collision resistance. + \item[Hiding] improves if \(r\) has high entropy. + \end{description} + + \ltnote{% + \textbf{Variation pattern}: Contrast. + + We vary one critical aspect: add randomness \(r\). The protocol structure is + otherwise invariant. + } +\end{frame} + +\begin{frame} + \begin{block}{Solution attempt 3: \ac{MAC} with one-time key} + Eve samples fresh randomness \(r\) and sends the tag + \[t = \Mac[r][m].\] + + Later, Eve reveals \((m,r)\). Alice checks \(\Mac[r][m] \stackrel?= t\). + \end{block} +\end{frame} + +\begin{frame} + \begin{description} + \item[Hiding] Alice cannot test guesses without knowing \(r\). + \item[Binding] Eve cannot easily find \(m'\neq m\) with the same tag. 
+ \end{description} +\end{frame} + +\begin{frame} + \begin{definition}[Commitment scheme] + A commitment scheme has two algorithms: + \begin{description} + \item[\Commit] take a message \(m\), output a commitment \(c\). + \item[\Open] reveal information that convinces the verifier that \(c\) + corresponds to \(m\). + \end{description} + \end{definition} + + \begin{definition}[Security goals] + \begin{description} + \item[Hiding] seeing \(c\) should not reveal \(m\). + \item[Binding] after seeing \(c\), it should be hard to open it to a + different message \(m'\neq m\). + \end{description} + \end{definition} +\end{frame} + +\begin{frame} + \begin{block}{Hiding vs binding: extremes} + \begin{description} + \item[Perfectly binding, not hiding] send \(m\) directly. + \item[Perfectly hiding, not binding] send a random \(c\) independent of + \(m\). + \end{description} + + A useful commitment needs \emph{both}: hiding for the guesser and binding for + fairness. + \end{block} + + \ltnote{% + \textbf{Variation pattern}: Contrast. + + We contrast the two extreme failure modes to make the tension between the + goals visible. + } +\end{frame} + +\begin{frame} + \begin{remark}[Comparison: OTP and perfect secrecy] + \begin{description} + \item[OTP] perfectly hiding: \(c = m \oplus k\) with fresh random key \(k\). + \item[Commitment] must be both hiding and binding. + \end{description} + + The OTP achieves perfect secrecy because the ciphertext distribution is + independent of \(m\). By contrast, a commitment cannot be independent of + \(m\), otherwise it would not bind. + \end{remark} +\end{frame} + +\begin{frame} + \begin{exercise} + In the hash-based constructions, which hash property relates most to binding? 
+ \end{exercise} +\end{frame} + +\begin{frame} + \begin{remark}[Intuition: why the properties hold] + \begin{description} + \item[Binding] If Alice can open \(c\) as \((m, r)\) and also as + \((m', r')\) with \(m\neq m'\), then she found a collision: + \(\Hash[\Encode(r,m)] = \Hash[\Encode(r',m')]\). + \item[Hiding] If \(r\) is fresh and unpredictable, then \(c\) does not + reveal \(m\) (informally: it looks like a random hash output). + \end{description} + \end{remark} + + \ltnote{% + \textbf{Variation pattern}: Fusion + + Here we tie together two critical aspects at the same time: + (1) collision resistance \(\Rightarrow\) binding, and + (2) randomness/entropy \(\Rightarrow\) hiding. + + Students need both in view simultaneously to reason about who can cheat and + how. + } +\end{frame} + +\begin{frame} + \begin{example}[Coin flipping over the network] + \begin{enumerate} + \item Alice chooses a random bit \(a\) and randomness \(r\). + She sends \(c = \Hash[\Encode(r,a)]\). + \item Bob chooses a random bit \(b\) and sends \(b\). + \item Alice opens by sending \((a, r)\). Result is \(a\oplus b\). + \end{enumerate} + \end{example} + + \begin{exercise} + Who could cheat if (1) hiding failed? (2) binding failed? + \end{exercise} + + \ltnote{% + \textbf{Variation pattern}: Contrast + + We contrast two failure modes: \enquote{hiding fails} vs \enquote{binding + fails}. Invariant: the same protocol. + + This makes it clear that the two security goals benefit different parties. + } +\end{frame} + +\begin{frame} + \begin{exercise}[Try first] + Alice commits to \((r,m)\) by sending the string + \(\Encode(r)\concat\Encode(m)\). + + \begin{itemize} + \item What could go wrong if \(\Encode\) is just + \enquote{write the bits with no delimiter and no length}? + \item Can you find two different pairs \((r,m)\neq(r',m')\) that yield the + same concatenation? 
+ \end{itemize} + \end{exercise} +\end{frame} + +\begin{frame} + \begin{remark}[Encoding must be unambiguous] + Two common fixes: + \begin{description} + \item[Length-prefix] Encode as + \(\Encode(r,m)=\langle |r|,r,m\rangle\) (store the bit-length of \(r\) first). + \item[Structured format] Use a canonical serialization (e.g., CBOR/ASN.1/ + Protocol Buffers) with domain separation. + \end{description} + + In practice, prefer a standard commitment/serialization rather than inventing + one. + \end{remark} +\end{frame} + +\begin{frame} + \begin{remark}[Pitfalls and good practice] + \begin{itemize} + \item Use fresh randomness \(r\) for every commitment. + \item Ensure \(r\) has enough entropy (think: at least 128 bits). + \item Use an unambiguous encoding of \((r, m)\) before hashing. + \item Avoid ad-hoc constructions in real systems; use standard schemes. + \end{itemize} + \end{remark} + + \ltnote{% + \textbf{Design note}: This stays at the level of \enquote{practical red + flags}, not a fully formal treatment. + + For an applied crypto course it is enough that students can recognize when a + commitment is obviously unsafe (low entropy, reusing randomness, ambiguous + serialization). + } +\end{frame} + +\section{Keyed hash functions} + +\begin{frame} + \begin{block}{How this relates to \ac{HMAC}} + \begin{description} + \item[\ac{HMAC}] integrity/authenticity with a shared secret key \(k\). + \item[Commitment] use public verification: anyone can check an opening. + \end{description} + \end{block} + + + \ltnote{% + \textbf{Variation pattern}: Contrast. + + Students compare \enquote{shared secret key} (HMAC) with \enquote{randomness + revealed later} (commitment). + } +\end{frame} + +\begin{frame} + \begin{exercise} + If you \emph{did} share a secret key with the verifier, would you still need + randomness \(r\) to hide the message? 
+ \end{exercise} +\end{frame} + +\begin{frame} + \begin{remark}[Take-away] + \begin{itemize} + \item Commitments are \emph{not} encryption and \emph{not} MACs. + \item Hash-based commitments are simple: + \(c = \Hash[\Encode(r,m)]\) with an unambiguous encoding. + \item Binding \(\approx\) collision resistance; hiding \(\approx\) + high-entropy randomness \(r\). + \end{itemize} + \end{remark} +\end{frame} + diff --git a/applied-hash/commitments/fig/Makefile b/applied-hash/commitments/fig/Makefile new file mode 100644 index 0000000..d2d980e --- /dev/null +++ b/applied-hash/commitments/fig/Makefile @@ -0,0 +1,11 @@ +.PHONY: all +all: + + +.PHONY: clean +clean: + true + + +INCLUDE_MAKEFILES=../../../makefiles +include ${INCLUDE_MAKEFILES}/doc.mk diff --git a/applied-hash/commitments/notes.tex b/applied-hash/commitments/notes.tex new file mode 100644 index 0000000..3b7dabd --- /dev/null +++ b/applied-hash/commitments/notes.tex @@ -0,0 +1,35 @@ +\documentclass{article} + +\usepackage[hyphens]{url} +\usepackage[hidelinks]{hyperref} + +\input{preamble.tex} + +\usepackage[noamsthm,notheorems]{beamerarticle} +\setjobnamebeamerversion{slides} + +%\usepackage{authblk} +%\let\institute\affil + +% The beamerarticle package + didactic/beamer already provide theorem-like +% environments. Re-declaring them breaks with the newer TeX Live releases. + +\begin{document} +\title{% + Applied Hash Functions: Commitments +} +\author{Daniel Bosk} +\institute{% + KTH EECS +} + +\maketitle + +\begin{abstract} + \input{abstract.tex} +\end{abstract} + +\input{contents.tex} + +\printbibliography +\end{document} diff --git a/applied-hash/commitments/preamble.tex b/applied-hash/commitments/preamble.tex new file mode 100644 index 0000000..b674cb7 --- /dev/null +++ b/applied-hash/commitments/preamble.tex 
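Review bot: The binding claim in Solution attempt 3, `\item[Binding] Eve cannot easily find \(m'\neq m\) with the same tag.`, does not follow from \ac{MAC} unforgeability: Eve holds the key \(r\) and is free to open with any pair \((m',r')\), and unforgeability says nothing about second pairs under a key the adversary chose, so a MAC need not be binding at all. Suggest presenting it as the open question it is, e.g. `\item[Binding] Not implied by unforgeability: Eve knows \(r\) and may open with any \((m',r')\); binding needs an extra property of the \ac{MAC}.`, and mentioning it in the Take-away frame, which currently covers only the hash construction. The Intuition frame also swaps roles, having Alice open \(c\), whereas the earlier frames have Eve commit and Alice guess; `\item[Binding] If Eve can open \(c\) as \((m, r)\) and also as` keeps the cast consistent.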
@@ -0,0 +1,48 @@
+\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
+\usepackage[british]{babel}
+\usepackage{booktabs}
+
+\usepackage[all]{foreign}
+\renewcommand{\foreignfullfont}{}
+\renewcommand{\foreignabbrfont}{}
+
+\usepackage{newclude}
+\usepackage{import}
+
+\usepackage[strict]{csquotes}
+\usepackage[single]{acro}
+
+\usepackage[natbib,style=alphabetic,maxbibnames=99]{biblatex}
+\addbibresource{crypto.bib}
+
+\usepackage[marginparmargin=outer]{didactic}
+
+\usepackage{subcaption}
+
+\usepackage[noend]{algpseudocode}
+\usepackage{xparse}
+
+\let\email\texttt
+
+\usepackage{minted}
+\setminted{autogobble,fontsize=\footnotesize}
+
+\usepackage{amsmath}
+\usepackage{amssymb}
+\usepackage{mathtools}
+\usepackage{amsthm}
+\usepackage{unique}
+\DeclareMathOperator{\powerset}{\mathcal{P}}
+
+\usepackage[binary-units]{siunitx}
+
+\usepackage{bibsp}
+
+% Crypto notation (see writing-crypto)
+\NewAlgorithm{\Encode}{Encode}
+\NewAlgorithm{\Commit}{Commit}
+\NewAlgorithm{\Open}{Open}
+\NewFunction{\Hash}{H}
+\NewFunction{\Mac}{Mac}
+%\DeclareMathOperator{\concat}{\Vert}
diff --git a/applied-hash/commitments/slides.tex b/applied-hash/commitments/slides.tex
new file mode 100644
index 0000000..47713ec
--- /dev/null
+++ b/applied-hash/commitments/slides.tex
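Review bot: `%\DeclareMathOperator{\concat}{\Vert}` is left commented out, yet contents.tex in this same commit uses `\Encode(r)\concat\Encode(m)` in the encoding exercise; unless didactic, bibsp or another loaded package defines \concat, both notes.pdf and slides.pdf fail on that frame. Either enable the definition or record where the macro comes from next to the commented line, e.g. `% \concat is provided by <PACKAGE> (TODO confirm)`.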
@@ -0,0 +1,118 @@
+\documentclass[ignoreframetext]{beamer}
+\input{preamble.tex}
+
+\usetheme{Berlin}
+\setbeamertemplate{footline}%{miniframes theme}
+{%
+ \begin{beamercolorbox}[colsep=1.5pt]{upper separation line foot}
+ \end{beamercolorbox}
+ \begin{beamercolorbox}[ht=2.5ex,dp=1.125ex,%
+ leftskip=.3cm,rightskip=.3cm plus1fil]{author in head/foot}%
+ \leavevmode{\usebeamerfont{author in head/foot}\insertshortauthor}%
+ \hfill%
+ {\usebeamerfont{institute in head/foot}\usebeamercolor[fg]{institute in head/foot}\insertshortinstitute}%
+ \end{beamercolorbox}%
+ \begin{beamercolorbox}[ht=2.5ex,dp=1.125ex,%
+ leftskip=.3cm,rightskip=.3cm plus1fil]{title in head/foot}%
+ {\usebeamerfont{title in head/foot}\insertshorttitle} \hfill \insertframenumber%
+ \end{beamercolorbox}%
+ \begin{beamercolorbox}[colsep=1.5pt]{lower separation line foot}
+ \end{beamercolorbox}
+}
+\setbeamercovered{transparent}
+\setbeamertemplate{bibliography item}[text]
+
+\AtBeginSection[]{%
+ \begin{frame}
+ \tableofcontents[currentsection]
+ \end{frame}
+}
+
+\ProvideDocumentEnvironment{assumption}{o}{%
+ \IfValueTF{#1}{%
+ \begin{block}{Assumption: #1}
+ }{%
+ \begin{block}{Assumption}
+ }
+}{%
+ \end{block}
+}
+
+\ProvideDocumentEnvironment{protocol}{o}{%
+ \IfValueTF{#1}{%
+ \begin{block}{Protocol: #1}
+ }{%
+ \begin{block}{Protocol}
+ }
+}{%
+ \end{block}
+}
+
+\ProvideDocumentEnvironment{remark}{o}{%
+ \IfValueTF{#1}{%
+ \begin{alertblock}{Note: #1}
+ }{%
+ \begin{alertblock}{Note}
+ }
+}{%
+ \end{alertblock}
+}
+
+\ProvideDocumentEnvironment{idea}{o}{%
+ \IfValueTF{#1}{%
+ \begin{block}{Idea: #1}
+ }{%
+ \begin{block}{Idea}
+ }
+}{%
+ \end{block}
+}
+
+\ProvideDocumentEnvironment{question}{o}{%
+ \setbeamercolor{block body}{bg=orange!15,fg=black}
+ \setbeamercolor{block title}{bg=orange,fg=white}
+ \setbeamercolor{local structure}{fg=orange}
+ \IfValueTF{#1}{%
+ \begin{block}{Question: #1}
+ }{%
+ \begin{block}{Question}
+ }
+}{%
+ \end{block}
+}
+
+\ProvideDocumentEnvironment{exercise}{o}{% + \setbeamercolor{block body}{bg=yellow!10,fg=black} + \setbeamercolor{block title}{bg=yellow,fg=black} + \setbeamercolor{local structure}{fg=yellow} + \IfValueTF{#1}{% + \begin{block}{Exercise: #1} + }{% + \begin{block}{Exercise} + } +}{% + \end{block} +} + + +\begin{document} +\title{% + Applied Hash Functions: Commitments +} +\author{Daniel Bosk} +\institute{% + KTH EECS +} + +\begin{frame} + \maketitle +\end{frame} + +\mode +\input{contents.tex} +\mode* + +\begin{frame}[allowframebreaks] + \printbibliography +\end{frame} +\end{document} diff --git a/modules/module.mk b/modules/module.mk index bc94fe3..db786ce 100644 --- a/modules/module.mk +++ b/modules/module.mk @@ -1,5 +1,7 @@ COURSE ?= tilkry26 +LINK ?= mkdir -p $(dir $@) && ln -f $< $@ || cp $< $@ + STAMPDIR := .pushed.d # Backwards compat: old push stamps (unused). @@ -18,6 +20,8 @@ pull-assignments: pull-quizzes: +push-slides: ${SLIDES} + PUSH_STAMPDIR_PAGES := .pushed-pages.d PUSH_STAMPDIR_ASSIGNMENTS := .pushed-assignments.d PUSH_STAMPDIR_QUIZZES := .pushed-quizzes.d diff --git a/modules/week-1/Makefile b/modules/week-1/Makefile index 8921cd6..86b2241 100644 --- a/modules/week-1/Makefile +++ b/modules/week-1/Makefile @@ -16,8 +16,19 @@ ASSIGNMENTS += assignments/implement-aes-kattis.md ASSIGNMENTS += assignments/aes-presentation.md ASSIGNMENTS += assignments/optional-cryptopals.md +COURSE_DIR ?= $(HOME)/public_html/tilkry + +SLIDES += ${COURSE_DIR}/intro-slides.pdf +SLIDES += ${COURSE_DIR}/ciphers-slides.pdf + include ../module.mk +${COURSE_DIR}/intro-slides.pdf: lecture-intro/slides.pdf + ${LINK} + +${COURSE_DIR}/ciphers-slides.pdf: lecture-ciphers/slides.pdf + ${LINK} + # Note: Canvas treats module/page selectors as regexes. .PHONY: pull-pages pull-pages: diff --git a/modules/week-1/lecture-ciphers.html b/modules/week-1/lecture-ciphers.html index 96f7fa5..2023b8d 100644 --- a/modules/week-1/lecture-ciphers.html +++ b/modules/week-1/lecture-ciphers.html 
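Review bot: In modules/module.mk, `LINK ?= mkdir -p $(dir $@) && ln -f $< $@ || cp $< $@` groups as `(mkdir && ln) || cp`, so the `cp` fallback also runs when `mkdir -p` itself fails, and that failure is reported only indirectly through cp's error; `mkdir -p $(dir $@) && { ln -f $< $@ || cp $< $@; }` limits the fallback to the link step. The rule also publishes by hard link, so the file served from `$(HOME)/public_html/tilkry` (the `${LINK}` rules in modules/week-1/Makefile) shares an inode with the build output, and any in-place rewrite of `slides.pdf` is visible on the web immediately without a `make push-slides`; if that is intended, a comment such as `# LINK: hard-link $< to $@ (same inode); copy across filesystems` would say so. `push-slides:` is not declared `.PHONY` in its hunk, unlike `pull-pages` in modules/week-1/Makefile; it may be declared elsewhere in module.mk, which is outside the hunk.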
@@ -5,12 +5,12 @@ front_page: false editing_roles: teachers modules: -- Week 1 (calendar week 3) +- Week 1 ---

Content

High level description of ciphers, simple ciphers, and standards. Attacks on simple ciphers. High level description and intuition behind the construction of modern ciphers.

Slides

-

tilkry23_lec02_ciphers.pdf

+

ciphers-slides.pdf

diff --git a/modules/week-1/lecture-intro.html b/modules/week-1/lecture-intro.html index 482fec8..6ecf4cd 100644 --- a/modules/week-1/lecture-intro.html +++ b/modules/week-1/lecture-intro.html @@ -5,12 +5,12 @@ front_page: false editing_roles: teachers modules: -- Week 1 (calendar week 3) +- Week 1 ---

Content

An introduction to the course. Short overview of the topics covered.

-

slides-tilkry25-intro.pdf

+

intro-slides.pdf

Resources from previous years