[taler-anastasis] branch master updated: modified related work

[gnunet]

This is an automated email from the git hooks/post-receive script.

dennis-neufeld pushed a commit to branch master
in repository anastasis.

The following commit(s) were added to refs/heads/master by this push:
     new c0fdc96  modified related work
c0fdc96 is described below

commit c0fdc9637ef45f0343be6bae4a79904b936dac8f
Author: Dennis Neufeld <dennis.neufeld@students.bfh.ch>
AuthorDate: Tue Jun 2 10:09:12 2020 +0000

    modified related work
---
 doc/thesis/bibliothek.bib   | 53 +++++++++++++++++++++++++++++++++++++++++++++
 doc/thesis/related_work.tex | 51 +++++++++++++++++++++++++++----------------
 doc/thesis/thesis.tex       |  1 +
 3 files changed, 86 insertions(+), 19 deletions(-)

diff --git a/doc/thesis/bibliothek.bib b/doc/thesis/bibliothek.bib
index f4a3200..6be73ec 100644
--- a/doc/thesis/bibliothek.bib
+++ b/doc/thesis/bibliothek.bib
@@ -199,4 +199,57 @@
   journal={San Jose State University, Department of Computer Science},
   year={2003}
 }
+@article{vadhan2012,
+  title={Pseudorandomness},
+  author={Vadhan, Salil P and others},
+  journal={Foundations and Trends{\textregistered} in Theoretical Computer 
Science},
+  volume={7},
+  number={1--3},
+  pages={1--336},
+  year={2012},
+  publisher={Now Publishers, Inc.}
+}
+@inproceedings{nielsen2002,
+  title={A threshold pseudorandom function construction and its applications},
+  author={Nielsen, Jesper Buus},
+  booktitle={Annual International Cryptology Conference},
+  pages={401--416},
+  year={2002},
+  organization={Springer}
+}
+@article{GGM1986,
+  author = {Goldreich, Oded and Goldwasser, Shafi and Micali, Silvio},
+  title = {How to Construct Random Functions},
+  year = {1986},
+  issue_date = {Oct. 1986},
+  publisher = {Association for Computing Machinery},
+  address = {New York, NY, USA},
+  volume = {33},
+  number = {4},
+  issn = {0004-5411},
+  url = {https://doi.org/10.1145/6490.6503},
+  doi = {10.1145/6490.6503},
+  journal = {J. ACM},
+  month = aug,
+  pages = {792–807},
+  numpages = {16}
+}
+@article{RK2011,
+  title={Designing an algorithm with high Avalanche Effect},
+  author={Ramanujam, Sriram and Karuppiah, Marimuthu},
+  journal={IJCSNS International Journal of Computer Science and Network 
Security},
+  volume={11},
+  number={1},
+  pages={106--111},
+  year={2011}
+}
+@inproceedings{GJW2011,
+  title={SHA-512/256},
+  author={Gueron, Shay and Johnson, Simon and Walker, Jesse},
+  booktitle={2011 Eighth International Conference on Information Technology: 
New Generations},
+  pages={354--358},
+  year={2011},
+  organization={IEEE}
+}
+
 
diff --git a/doc/thesis/related_work.tex b/doc/thesis/related_work.tex
index 72e9172..6401f32 100644
--- a/doc/thesis/related_work.tex
+++ b/doc/thesis/related_work.tex
@@ -2,20 +2,30 @@
 \subsection{Prerequisites}
 This chapter explains some important cryptographic functions and why they are 
useful for Anastasis.
 
+\subsubsection{Pseudo random generator (PRG)}
+A pseudo random generator is an algorithm producing a sequence of bits for 
which there is no efficient algorithm to distinguish it from a truly random 
sequence \cite{vadhan2012}. The algorithm "takes as input a short, perfectly 
random seed" \cite{vadhan2012} which determines the output value.
+
+\subsubsection{Pseudo random function (PRF)}
+A pseudo random function PRF(k, m) takes two arguments, a secret key k and 
some data m, and returns an output that is unpredictable as long the secret key 
k is unknown to an attacker and is a random value \cite{nielsen2002}.\\
+PRFs can be constructed using PRGs \cite{GGM1986}.
+
 \subsubsection{Hash function}
 Hash functions "compress a string of arbitrary length to a string of fixed 
length [...]" \cite{Preneel1999}. The output of a hash function often is called 
a "hash".  Hash functions in general should be very fast to compute. 
Cryptographic hash functions need to fulfil additional security requirements 
which are called:
 \begin{itemize}
        \item pre-image resistance
        \item second pre-image resistance
        \item collision resistance
+       \item pseudo randomness
+       \item avalanche effect
 \end{itemize}
-Pre-image resistance, also called "one way property", means that for a given 
hash function H and a hash value H(x), it is computationally infeasible to find 
x \cite{SG2012}.\\
-The second pre-image resistance is described by following: For a given hash 
function H and a hash value H(x), it is computationally infeasible to find x 
and x' such that H(x) = H(x') \cite{SG2012}.\\
-The definition of collision resistance slightly differs from the second 
pre-image resistance: For a given hash function H, it is computationally 
infeasible to find a pair (x, y) such that H(x) = H(y) \cite{SG2012}.\\
-Besides these security requirements, a cryptographic hash function should also 
behave as a random function. This means that although a hash function is purely 
deterministic, the output must not be predictable.\\
+Pre-image resistance, also called "one way property", means that for a given 
hash function H and a hash value H(x), it is computationally infeasible to find 
x \cite{SG2012}. For example, since in Anastasis we derive the key to encrypt 
the personal details required for user authentication (e.g. the mobile phone 
number for authentication via SMS) using functions based on hash functions (see 
HKDF), it is very important that you cannot derive the corresponding input 
values from the key.\\
+The second pre-image resistance is described by following: For a given hash 
function H and a hash value H(x), it is computationally infeasible to find x 
and x' such that H(x) = H(x') \cite{SG2012}. In Anastasis hash functions also 
are involved in signing our so called recovery document. Hence an attacker 
should not be able to create a malicious recovery document with the same hash 
value as the original one.\\ 
+The definition of collision resistance slightly differs from the second 
pre-image resistance: For a given hash function H, it is computationally 
infeasible to find a pair (x, y) such that H(x) = H(y) \cite{SG2012}. As we are 
using HKDFs for deriving keys in Anastasis, an attacker should not be able to 
find some other input values also leading to the same keys we use.\\
+A cryptographic hash function should also behave as a pseudo random function. 
This means that although a hash function is purely deterministic, the output 
must not be predictable.\\
+The avalanche effect describes the property of an algorithm that causes a 
significant change of the output value, usually a bit flipping of more than 
half the output is desired, if the input is changed slightly (for example, 
flipping a single bit) \cite{RK2011}. The more bits are flipping in the output 
value the higher the entropy of the randomness of the hash function.
 
-There are several applications for cryptographic hash functions. For example 
you can store the hash value of a pass-phrase instead of the pass-phrase itself 
in a computer to protect the pass-phrase. Another important application is 
verification of message integrity: Before and after transmission of a message 
you can calculate the hash values of it and compare them to determine if the 
message changed during transmission.\\
-In Anastasis we use SHA-512 for hashing data.
+There are several applications for cryptographic hash functions. For example 
you can store the hash value of a passphrase instead of the passphrase itself 
in a computer to protect the passphrase. Another important application is 
verification of message integrity: Before and after transmission of a message 
you can calculate the hash values of it and compare them to determine if the 
message changed during transmission.\\
+In Anastasis we use SHA-512 \cite{GJW2011} for fast hash functions.
 
 \subsubsection{HMAC}
 When it comes to integrity of messages during communication of two parties 
over an insecure channel Keyed-Hash Message Authentication Codes (HMAC) are 
used as check values. An HMAC function is based on a hash function and takes 
two arguments, a key K and a message M:\\
@@ -25,25 +35,28 @@ In Anastasis we use HMACs to achieve verifiability.
 \subsubsection{HKDF}
 A HKDF is a key derivation function (KDF) based on HMAC. A KDF "is a basic and 
essential component of crypto-
 graphic systems: Its goal is to take a source of initial keying material, 
usually containing some good amount of randomness, but not distributed 
uniformly or for which an attacker has some partial knowledge, and derive from 
it one or more cryptographically strong secret keys" \cite{krawczyk2010}.\\
-Anastasis uses HKDFs to derive symmetric keys for encryption purposes.
+Anastasis uses HKDFs based on SHA-512 to derive symmetric keys for encryption 
purposes.
 
 \subsubsection{Argon2}
-Hash functions like SHA-512 are very fast to compute. Therefor passwords 
stored in a hashed form are vulnerable to dictionary attacks with new hardware 
architectures like FPGAs \cite{trimberger2012} and dedicated ASIC 
\cite{madurawe2006} modules. But those architectures "experience difficulties 
when operating on large amount of memory" \cite{BDK2016}.\\
-Argon2 is a memory-hard function that won the Password Hashing Competition in 
2015. It minimizes time-memory tradeoff \cite{stamp2003} and thus maximizes the 
costs to implement an ASIC for given CPU computing time \cite{BDK2016}. Aside 
from the fact that Argon2 makes dictionary attacks much harder, Argon2 can be 
used for another feature too: Memory-hard schemes like Argon2 are very useful 
for key derivation from low-entropy sources \cite{BDK2016}.\\
+Hash functions like SHA-512 are designed to be very fast. Therefor passwords 
being stored using this kind of hash are vulnerable to dictionary attacks with 
new hardware architectures like FPGAs \cite{trimberger2012} and dedicated ASIC 
\cite{madurawe2006} modules. But those architectures "experience difficulties 
when operating on large amount of memory" \cite{BDK2016}.\\
+In contrast to standard hash functions there are functions designed to be 
memory-hard. Argon2 is such a memory-hard function that won the Password 
Hashing Competition in 2015. It minimizes time-memory tradeoff \cite{stamp2003} 
and thus maximizes the costs to implement an ASIC for given CPU computing time 
\cite{BDK2016}. Aside from the fact that Argon2 makes dictionary attacks much 
harder, Argon2 can be used for another feature too: Memory-hard schemes like 
Argon2 are very useful for key  [...]
 
 Argon2 is used in Anastasis to derive an identifier for the user from some 
low-entropy material.
 
 
 \subsection{Secret sharing}
 Secret splitting, also known as secret sharing, is a technique for 
distributing a secret amongst multiple recipients. This is achieved by 
assigning a share of the secret to each recipient. By combining a sufficient 
number of those shares, it is possible to reconstruct the secret.
-In a secret sharing theme the recipients of a share often are called 
\textit{players}. The figure who gives a share of the secret to the players is 
called \textit{dealer}.
+In a secret sharing theme the recipients of a share often are called 
\textit{players}. The figure who gives a share of the secret to the players is 
called \textit{dealer}.\\
+In Anastasis the user is the trusted dealer who splits the secret and also 
reconstructs it.
 
 \subsubsection{Shamir's Secret Sharing}
 The algorithm "Shamir's Secret Sharing" is one of the most well known secret 
sharing scheme. It „divide[s] data D into n pieces in such a way that D is 
easily reconstructible from any k pieces, but even complete knowledge of k - 1 
pieces reveals absolutely no information about D“ \cite{shamir_sharing}.\\
-Shamir’s simple secret sharing scheme has two key limitations. First, it 
requires a trusted dealer who initially generates the secret to be distributed, 
and second the shares are not verifiable during reconstruction. Therefore, 
malicious shareholders could submit corrupt shares to prevent the system from 
reconstructing the secret -- without these corrupt shareholders being 
detectable as malicious. Furthermore, the dealer distributing the shares could 
be corrupt and distribute some incons [...]
+Shamir’s simple secret sharing scheme has two key limitations. First, it 
requires a trusted dealer who initially generates the secret to be distributed, 
and second the shares are not verifiable during reconstruction. Therefore, 
malicious shareholders could submit corrupt shares to prevent the system from 
reconstructing the secret -- without these corrupt shareholders being 
detectable as malicious. Furthermore, the dealer distributing the shares could 
be corrupt and distribute some incons [...]
+Despite this, Shamir's Secret Sharing is inflexible because the "k out of 
n"-design and also is very inefficient for big n. For Anastasis we need a more 
flexible solution allowing other cases too. The user of Anastasis should be 
able to decide himself which combinations of \textit{players} shall be used. 
FIXME
 
 \subsubsection{Verifiable Secret Sharing}
-Verifiability can be achieved by using so called commitment schemes like the 
Pederson commitment. It allows „to distribute a secret to n persons such that 
each person can verify that he has received correct information about the 
secret without talking with other persons“ \cite{pedersen_sharing_0}. In his 
paper „A Practical Scheme for Non-interactive Verifiable Secret Sharing“ 
\cite{feldman_sharing}, Paul Feldman  combines the two schemes Shamir Secret 
Sharing and Pederson commitment. His [...]
+Verifiability can be achieved by using so called commitment schemes like the 
Pederson commitment. It allows „to distribute a secret to n persons such that 
each person can verify that he has received correct information about the 
secret without talking with other persons“ \cite{pedersen_sharing_0}. In his 
paper „A Practical Scheme for Non-interactive Verifiable Secret Sharing“ 
\cite{feldman_sharing}, Paul Feldman  combines the two schemes Shamir Secret 
Sharing and Pederson commitment. His [...]
+Because in Anastasis we have a trusted dealer, the shares must not be verified 
and therefor we don't use VSS.
 
 \subsubsection{Distributed Key Generation}
 Distributed key generation algorithms, short DKG, solve the problem of needing 
a trustworthy dealer by relying on a threshold of honest persons. Contrary to 
the above-mentioned schemes, in distributed key generation algorithms every 
participant is involved in key generation.\\
@@ -51,20 +64,20 @@ The Pederson DKG is such „a secret sharing scheme without a 
mutually trusted a
 First, each involved party generates a pre-secret and distributes it to all 
parties using the verifiable secret sharing scheme of Feldman.\\ 
 Afterwards, each party recombines the received shares, including its own 
pre-secret, to a share of the main secret. The main secret can be reconstructed 
by summing up each recombination of the shared pre-secrets.
 
-\subsubsection{MIDATA}
-MIDATA is a project that aims to give patients back control over their medical 
data and to enable them to share their data only with those they trust. In case 
the patient lost his device running the MIDATA application and his 
MIDATA-password, MIDATA build in a key recovery system using the Shamir Secret 
Sharing Scheme mentioned above. In their case a few "persons working at MIDATA 
have generated a public-private key pair (Recovery key) on their own computer. 
They keep the private recover [...]
-In our opinion the security of MIDATA is broken in two ways:
+\subsection{MIDATA}
+MIDATA is a project that aims to give patients back control over their medical 
data and to enable them to share their data only with those they trust 
\footnote{\url{https://www.midata.coop/}}. In case the patient lost his device 
running the MIDATA-application and his MIDATA-password, MIDATA build in a key 
recovery system using the Shamir Secret Sharing Scheme mentioned above. In 
their case a few "persons working at MIDATA have generated a public-private key 
pair (Recovery key) on their o [...]
+The security of MIDATA as described in ASDHJGSADJGH is broken in two ways:
 \begin{enumerate}
-       \item The password is constructed at the server, not at the patients 
device. An administrator of the server can read the recovered password.
-       \item It is not clear which channel the persons working for MIDATA use 
for their decisions and activities regarding the key recovery. The channel 
could be vulnerable. For example, an attacker could illegitimately trigger a 
recovery process via e-mail if it is the chosen channel.
+       \item The password is reconstructed at the server, not at the patients 
device. An administrator of the server can theoretically access the recovered 
password at that time. A correct use of Shamir Secret Sharing scheme would 
reconstruct the password.
+       \item It is not clear which authentication methods the persons working 
for MIDATA use for their decisions and activities regarding the key recovery. 
The business process used here could be vulnerable. For example, an attacker 
could use social engineering to illegitimately trigger a recovery process via 
e-mail if it is the chosen authentication method.
 \end{enumerate}
 
 \subsubsection{Key sharing in Anastasis}
-For Anastasis we do not need a DKG because the dealer is the user himself and 
therefore, he is fully trustworthy. But we need verifiability. In our case we 
achieve verifiability by using HMACs. Furthermore, for our purposes the 
above-mentioned algorithms are inadequate because we are dealing with a 
manageable number of sharing parties and we need a more flexible solution. 
+FIXMEFor Anastasis we do not need a DKG because the dealer is the user himself 
and therefore, he is fully trustworthy. But we need verifiability. In our case 
we achieve verifiability by using HMACs. Furthermore, for our purposes the 
above-mentioned algorithms are inadequate because we are dealing with a 
manageable number of sharing parties and we need a more flexible solution. FIXME
 
 
 \subsection{Authentication}
-Anastasis is using standard authentication procedures to authorize its users. 
There are several authentication methods available, a short overview of the 
methods is presented here. 
+Anastasis is designed to use a wide range of authentication methods to 
authenticate its users. There are several authentication methods available, a 
short overview of the methods is presented here. 
 
 \subsubsection{Password authentication}
 Password authentication is the most widely used authentication procedure. But 
as studies show the procedure has its problems 
\cite{authentication_methods_review}. The handling of the passwords is done 
poorly, like storage or transmission. Additionally, the user must remember his 
password, therefore the password is limited to the capabilities of the user. 
diff --git a/doc/thesis/thesis.tex b/doc/thesis/thesis.tex
index 08612b1..38a1556 100644
--- a/doc/thesis/thesis.tex
+++ b/doc/thesis/thesis.tex
@@ -20,6 +20,7 @@
 \addbibresource{bibliothek.bib}
 
 \usepackage{abstract}
+\usepackage{hyperref}
 \usepackage{graphicx}
 \usepackage{listings}
 \lstset{language=C,

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.