[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-anastasis] branch master updated: small fixes
|
From: |
gnunet |
|
Subject: |
[taler-anastasis] branch master updated: small fixes |
|
Date: |
Mon, 01 Jun 2020 09:44:12 +0200 |
This is an automated email from the git hooks/post-receive script.
dennis-neufeld pushed a commit to branch master
in repository anastasis.
The following commit(s) were added to refs/heads/master by this push:
new a4914d4 small fixes
a4914d4 is described below
commit a4914d415b00458b1701d04d8f3dba494e4353e9
Author: Dennis Neufeld <dennis.neufeld@students.bfh.ch>
AuthorDate: Mon Jun 1 07:44:05 2020 +0000
small fixes
---
doc/thesis/related_work.tex | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/doc/thesis/related_work.tex b/doc/thesis/related_work.tex
index ab9ece5..72e9172 100644
--- a/doc/thesis/related_work.tex
+++ b/doc/thesis/related_work.tex
@@ -9,27 +9,28 @@ Hash functions "compress a string of arbitrary length to a
string of fixed lengt
\item second pre-image resistance
\item collision resistance
\end{itemize}
-Pre-image resistance, also called "one way property", means that for a given
hash function H and a hash value H(x), it is computationally infeasible to find
x \cite{SG2012}.
-The second pre-image resistance is described by following: For a given hash
function H and a hash value H(x), it is computationally infeasible to find x
and x' such that H(x) = H(x') \cite{SG2012}.
-The definition of collision resistance slightly differs from the second
pre-image resistance: For a given hash function H, it is computationally
infeasible to find a pair (x,y) such that H(x) = H(y) \cite{SG2012}.\\
-
-There are several applications for cryptographic hash functions. For example
you can store the hash value of a pass-phrase instead of the pass-phrase itself
in a computer to protect the pass-phrase. Another important application is
verification of message integrity: Before and after transmission of a message
you can calculate the hash values of it and compare them to determine if the
message changed during transmission.
+Pre-image resistance, also called "one way property", means that for a given
hash function H and a hash value H(x), it is computationally infeasible to find
x \cite{SG2012}.\\
+The second pre-image resistance is described by following: For a given hash
function H and a hash value H(x), it is computationally infeasible to find x
and x' such that H(x) = H(x') \cite{SG2012}.\\
+The definition of collision resistance slightly differs from the second
pre-image resistance: For a given hash function H, it is computationally
infeasible to find a pair (x, y) such that H(x) = H(y) \cite{SG2012}.\\
+Besides these security requirements, a cryptographic hash function should also
behave as a random function. This means that although a hash function is purely
deterministic, the output must not be predictable.\\
+There are several applications for cryptographic hash functions. For example
you can store the hash value of a pass-phrase instead of the pass-phrase itself
in a computer to protect the pass-phrase. Another important application is
verification of message integrity: Before and after transmission of a message
you can calculate the hash values of it and compare them to determine if the
message changed during transmission.\\
In Anastasis we use SHA-512 for hashing data.
\subsubsection{HMAC}
-When it comes to integrity of messages during communication of two parties
over an insecure channel Keyed-Hash Message Authentication Codes (HMAC) are
used as check values. An HMAC function is based on a hash function and takes
two arguments, a key K and a message M:
+When it comes to integrity of messages during communication of two parties
over an insecure channel Keyed-Hash Message Authentication Codes (HMAC) are
used as check values. An HMAC function is based on a hash function and takes
two arguments, a key K and a message M:\\
HMAC\textsubscript{K}(M) = H(K $\oplus$ opad,H(K $\oplus$ ipad, M)) with
"ipad" and "opad" being constants which fill up the key K to the blocksize of
the hash function \cite{BCK1996}. The blocksize of a modern hash function like
SHA-512 is 64 Byte.\\
In Anastasis we use HMACs to achieve verifiability.
\subsubsection{HKDF}
-A HKDF is a key derivation function (KDF) based on a HMAC. A KDF "is a basic
and essential component of crypto-
+A HKDF is a key derivation function (KDF) based on HMAC. A KDF "is a basic and
essential component of crypto-
graphic systems: Its goal is to take a source of initial keying material,
usually containing some good amount of randomness, but not distributed
uniformly or for which an attacker has some partial knowledge, and derive from
it one or more cryptographically strong secret keys" \cite{krawczyk2010}.\\
Anastasis uses HKDFs to derive symmetric keys for encryption purposes.
\subsubsection{Argon2}
Hash functions like SHA-512 are very fast to compute. Therefor passwords
stored in a hashed form are vulnerable to dictionary attacks with new hardware
architectures like FPGAs \cite{trimberger2012} and dedicated ASIC
\cite{madurawe2006} modules. But those architectures "experience difficulties
when operating on large amount of memory" \cite{BDK2016}.\\
-Argon2 is a memory-hard function that won the Password Hashing Competition in
2015. It minimizes time-memory tradeoff \cite{stamp2003} and thus maximizes the
costs to implement an ASIC for given CPU computing time \cite{BDK2016}. Aside
from the fact that Argon2 makes dictionary attacks much harder, we use Argon2
for another feature too: Memory-hard schemes like Argon2 are very useful for
key derivation from low-entropy sources \cite{BDK2016}.\\
+Argon2 is a memory-hard function that won the Password Hashing Competition in
2015. It minimizes time-memory tradeoff \cite{stamp2003} and thus maximizes the
costs to implement an ASIC for given CPU computing time \cite{BDK2016}. Aside
from the fact that Argon2 makes dictionary attacks much harder, Argon2 can be
used for another feature too: Memory-hard schemes like Argon2 are very useful
for key derivation from low-entropy sources \cite{BDK2016}.\\
+
Argon2 is used in Anastasis to derive an identifier for the user from some
low-entropy material.
@@ -39,14 +40,16 @@ In a secret sharing theme the recipients of a share often
are called \textit{pla
\subsubsection{Shamir's Secret Sharing}
The algorithm "Shamir's Secret Sharing" is one of the most well known secret
sharing scheme. It „divide[s] data D into n pieces in such a way that D is
easily reconstructible from any k pieces, but even complete knowledge of k - 1
pieces reveals absolutely no information about D“ \cite{shamir_sharing}.\\
-Shamir’s simple secret sharing scheme has two key limitations. First, it
requires a trusted dealer who initially generates the secret to be distributed,
and second the shares are not verifiable during reconstruction. Therefore,
malicious shareholders could submit corrupt shares to prevent the system from
reconstructing the secret -- without these corrupt shareholders being
detectable as malicious. Furthermore, the dealer distributing the shares could
be corrupt and distribute some incons [...]
+Shamir’s simple secret sharing scheme has two key limitations. First, it
requires a trusted dealer who initially generates the secret to be distributed,
and second the shares are not verifiable during reconstruction. Therefore,
malicious shareholders could submit corrupt shares to prevent the system from
reconstructing the secret -- without these corrupt shareholders being
detectable as malicious. Furthermore, the dealer distributing the shares could
be corrupt and distribute some incons [...]
\subsubsection{Verifiable Secret Sharing}
-Verifiability can be achieved by using so called commitment schemes like the
Pederson commitment. It allows „to distribute a secret to n persons such that
each person can verify that he has received correct information about the
secret without talking with other persons“ \cite{pedersen_sharing_0}. In his
paper „A Practical Scheme for Non-interactive Verifiable Secret Sharing“, Paul
Feldman combines the two algorithms above. His algorithm for verifiable secret
sharing, short VSS, allows [...]
+Verifiability can be achieved by using so called commitment schemes like the
Pederson commitment. It allows „to distribute a secret to n persons such that
each person can verify that he has received correct information about the
secret without talking with other persons“ \cite{pedersen_sharing_0}. In his
paper „A Practical Scheme for Non-interactive Verifiable Secret Sharing“
\cite{feldman_sharing}, Paul Feldman combines the two schemes Shamir Secret
Sharing and Pederson commitment. His [...]
\subsubsection{Distributed Key Generation}
Distributed key generation algorithms, short DKG, solve the problem of needing
a trustworthy dealer by relying on a threshold of honest persons. Contrary to
the above-mentioned schemes, in distributed key generation algorithms every
participant is involved in key generation.\\
-The Pederson DKG is such „a secret sharing scheme without a mutually trusted
authority“ \cite{pedersen_sharing_5.2}. Basically, this DKG works as follows:
First, each involved party generates a pre-secret and distributes it to all
parties using the verifiable secret sharing scheme of Feldman. Afterwards, each
party recombines the received shares, including its own pre-secret, to a share
of the main secret. The main secret can be reconstructed by summing up each
recombination of the share [...]
+The Pederson DKG is such „a secret sharing scheme without a mutually trusted
authority“ \cite{pedersen_sharing_5.2}. Basically, this DKG works as follows: \\
+First, each involved party generates a pre-secret and distributes it to all
parties using the verifiable secret sharing scheme of Feldman.\\
+Afterwards, each party recombines the received shares, including its own
pre-secret, to a share of the main secret. The main secret can be reconstructed
by summing up each recombination of the shared pre-secrets.
\subsubsection{MIDATA}
MIDATA is a project that aims to give patients back control over their medical
data and to enable them to share their data only with those they trust. In case
the patient lost his device running the MIDATA application and his
MIDATA-password, MIDATA build in a key recovery system using the Shamir Secret
Sharing Scheme mentioned above. In their case a few "persons working at MIDATA
have generated a public-private key pair (Recovery key) on their own computer.
They keep the private recover [...]
@@ -56,7 +59,6 @@ In our opinion the security of MIDATA is broken in two ways:
\item It is not clear which channel the persons working for MIDATA use
for their decisions and activities regarding the key recovery. The channel
could be vulnerable. For example, an attacker could illegitimately trigger a
recovery process via e-mail if it is the chosen channel.
\end{enumerate}
-
\subsubsection{Key sharing in Anastasis}
For Anastasis we do not need a DKG because the dealer is the user himself and
therefore, he is fully trustworthy. But we need verifiability. In our case we
achieve verifiability by using HMACs. Furthermore, for our purposes the
above-mentioned algorithms are inadequate because we are dealing with a
manageable number of sharing parties and we need a more flexible solution.
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-anastasis] branch master updated: small fixes,
gnunet <=