diff --git a/Notes/Cryptography/Pseudorandom Generators (PRGs)/Pseudorandom Function Generators (PRFGs).md b/Notes/Cryptography/Pseudorandom Generators (PRGs)/Pseudorandom Function Generators (PRFGs).md
new file mode 100644
index 00000000..8ab1f448
--- /dev/null
+++ b/Notes/Cryptography/Pseudorandom Generators (PRGs)/Pseudorandom Function Generators (PRFGs).md
@@ -0,0 +1,63 @@
+# Pseudorandom Functions
+In order to understand what a pseudorandom function generator (PRFG) is, one needs to understand what it means for a function to be random or pseudorandom.
+
+A truly random function $H: \{0,1\}^S \to \{0,1\}^{l_{\textit{out}}}$ is a function chosen according to the uniform distribution of all functions that take a string of length $S$ and output a string of length $\{0,1\}^{l_{\textit{out}}}$. Alternatively, a random function can be thought of as a function which outputs a random string of length $l_{\textit{out}}$ for every input $i \in \{0,1\}^S$, called an *input data block (IDB)*. This can be pictured as a table of all possible IDBs and their corresponding, at the beginning undetermined, outputs. Whenever $H$ is invoked with an IDB $i$, that IDB is looked up in the table. If its entry already has an output, then this value is directly returned. Otherwise, the function $H$ "flips a coin" $l_{\textit{out}}$ times to determine each bit of the output, fills the generated output in the table and finally returns it. Subsequent queries for the same input data block will provide the already generated output.
+
+
+
+```admonish note
+The input to a PRF may sometimes be treated as an integer between $0$ and $2^S - 1$, which can be represented as a binary string of length $S$. In these cases, it is called an *index* instead of an input data block.
+```
+
+The reason that these two notions of a random function are equivalent is that each "coin toss" can be thought of as making a step forward in search for the function $H$ which on input a specific $i$ outputs a specific output $o$. Before the first coin flip, there are $2^{l_{\text{out}}}$ possible outputs. After the first coin flip, there are $2^{l_{\text{out}} - 1}$ possible outputs - the first bit $b_0$ has been generated and the output has the form $b_0\cdots$ where the dots represent the remaining $l_{\text{out}} - 1$ bits, which are unknown. After the second flip, the output has two bits generated and $l_{\text{out}} - 2$ unknown bits - there are $2^{l_{\text{out}} - 2}$ remaining possibilities for the final output string. Each coin flip halves the number of possibilities for the output until the final flip settles on a single output. Since a function can only have a single output for a given input, deciding this output is like picking a function from all possible functions. The probability that we get a specific function $H$ is $\frac{1}{2^{l_{\text{out}}}}$ - the same as if simply choosing a function from a uniform distribution.
+
+```admonish note
+A random function is still *deterministic* in the sense that when input the same data block it will always give the same output.
+```
+
+Unfortunately, truly random functions present a great implementational challenge for classical computers due to their difficulty in obtaining true randomness. A computer cannot really "flip a coin $l_{\textit{out}}$ times" and is limited by its external [randomness sources](../Private-Key%20Cryptography/Security%20Notions/Randomness.md).
+
+This is why we have to settle for *pseudorandom functions*.
+
+```admonish danger title="Definition: Pseudorandom Function (PRF)"
+A *pseudorandom function* is an efficient algorithm $\textit{PRF}(idb: \mathbf{str}[S]) \to \mathbf{str}[l_{\textit{out}}]$ such that for every efficient distinguisher $D(\textit{func}: \textbf{function<}\mathbf{str}[S] \to \mathbf{str}[l_{\textit{out}}]\textbf{>}) \to \mathbf{bit}$ it holds that
+
+$$\left|\Pr[D(\textit{PRF}) = 1] - \Pr_{H \leftarrow_R \{0,1\}^S \to \{0,1\}^{l_{\text{out}}}}[D(H) = 1]\right| \le \epsilon(S)$$
+
+for some negligible $\epsilon$.
+```
+
+```admonish tip title="Definition Breakdown"
+The distinguisher $D(\textit{func}: \textbf{function<}\mathbf{str}[S] \to \mathbf{str}[l_{\text{out}}]\textbf{>}$ takes a function whose inputs are strings of length $S$ and which outputs a string of length $l_{\text{out}}$ and tries to determine if the function is a truly random function. This notation means that the distinguisher has *oracle access* to the function - it can freely query the function with any inputs and can inspect the resulting outputs. Sometimes, the objectively worse notation $D^f(1^S)$ is also used to denote that the distinguisher $D$ has oracle access to the function $f$.
+
+A function is pseudorandom if there is no efficient distinguisher which can tell the difference between it and a truly random function $H$ which was chosen from the uniform distribution of all functions $\{0,1\}^S \to \{0,1\}^{l_{\text{out}}}$ with non-negligible probability.
+```
+
+Pseudorandom functions are useful because they are a generalisation of [pseudorandom generators](index.md). The length of the output of a PRG must always be greater than the length of its seed, but PRFs allow for an output whose length is independent of the input data block. Mostly, however, they are useful because they produce pseudorandom strings, just like PRGs.
+
+But as with most things in cryptography, it is unknown if pseudorandom functions actually exist. The definition is quite broad in the sense that there should be absolutely no distinguisher which can tell that the function is actually not truly random - a pretty difficult thing to do. So, once again, we are forced to hope that they do exist because otherwise cryptography falls apart - we consider a given algorithm to be a pseudorandom function until someone strings along and proves us wrong. Nevertheless, we still want to make as few assumptions as possible and build the rest on top of it.
+
+```admonish question title="Assumption: Existence of a One-Bit Pseudorandom Function"
+There exists a pseudorandom function $\textit{PRF}(idb: \mathbf{str}[S]) \to \mathbf{bit}$ which outputs a single bit, i.e. $l_{\text{out}} = 1$.
+```
+
+As it turns out, such a pseudorandom function can be used to construct PRFs with any output length.
+
+# Pseudorandom Function Generators (PRFGs)
+[Pseudorandom generators](index.md) produces pseudorandom strings, while pseudorandom function generators (PRFGs) produce pseudorandom functions.
+
+```admonish danger title="Definition: Pseudorandom Function Generator (PRFG)"
+A *pseudorandom function generator (PRFG)* is an efficient algorithm $\textit{PRFG}(seed: \textbf{str}[S]) \to \textbf{function<}\textbf{int}[0..2^S-1] \to \textbf{str}[l_{\text{out}}]\textbf{>}$ which takes a seed $s \in \{0,1\}^S$ and outputs a pseudorandom function whose input is a data block of size $S$ and whose output is a string of length $l_{\text{out}}$.
+```
+```admonish tip title="Definition Breakdown"
+A pseudorandom function generator takes a seed and produces a pseudorandom function. The resulting function takes input data blocks with the same length $S$ as the PRFG's seed and its outputs have length $l_{\text{out}}$. It is common to notate a PRF that was produced by PRFG as $f_s$ where $f$ is the function's name and $s$ is the seed used to obtain it.
+```
+
+It is important to remember that the output of a PRFG is a *function*. Specifically, a PRFG produces a function which takes inputs of the same size as the PRFG's seed. This coincidence has unfortunately led to PRFs and PRFGs commonly being mixed up. It is common to see a PRFG as a two input algorithm $\textit{PRFG}(seed: \textbf{str}[S], idb: \textbf{str}[S]) \to l_{\text{out}}$ that takes a seed $s$ *and* an input data block $i$ and acts like a pseudorandom function $f_s(i)$. In this case, $\textit{PRFG}(s,i)$ internally obtains the function $f$ from the seed $s$ and then passes it the data block $i$. Finally, the PRFG returns the output of the function $f$.
+
+```rust
+fn PRFG(seed: str[S], idb: str[S]) -> str[l_out] {
+ let f = get_function_from_seed(seed);
+ return f(idb);
+}
+```
\ No newline at end of file
diff --git a/Notes/Cryptography/Pseudorandom Generators (PRGs)/Pseudorandom Functions (PRFs).md b/Notes/Cryptography/Pseudorandom Generators (PRGs)/Pseudorandom Functions (PRFs).md
deleted file mode 100644
index 289be447..00000000
--- a/Notes/Cryptography/Pseudorandom Generators (PRGs)/Pseudorandom Functions (PRFs).md
+++ /dev/null
@@ -1,46 +0,0 @@
-# Introduction
-Pseudorandom functions (PRFs) are a generalisation of pseudorandom generators. They take a seed and an integer and produce a single bit.
-
-```admonish danger title="Definition: Pseudorandom Function (PRF)"
-A *pseudorandom function (PRF)* is an efficient algorithm $\textit{PRF}(seed: \textbf{str}[S], index: \textbf{int}[0..2^S - 1]) \to \textbf{bit}$ which takes a seed $s \in \{0,1\}^S$ of length $S$ and an integer $i \in \{0,1,...,2^S - 1\}$, called an *index*, and outputs a single bit.
-
-The seed may also be denoted as a subscript - $\textit{PRF}_s(i)$.
-```
-
-In its core, a PRF is just a function which produces a single bit at a time. However, what does the "pseudorandom" stand for in this case? The answer is that it is related to the *security* of the PRF.
-
-```admonish danger title="Definition: Security of a PRF"
-A pseudorandom function $\textit{PRF}(seed: \textbf{str}[S], index: \textbf{int}[0..2^S - 1]) \to \textbf{bit}$ is *secure* if for every seed $s$ and efficient distinguisher $D(input: \textbf{str}[t]) \to \textbf{bit}$ that has oracle access to $\textit{PRF}_s$,
-
-$$\left|\Pr_{\tau \leftarrow_R \{0,1\}^t}[D^{\textit{PRF}_s} (\tau) = 1] - \Pr_{H \leftarrow_R ([2^t] \to \{0,1\})}[D^H(\tau) = 1] \right| \le \epsilon(t)$$
-
-for some negligible $\epsilon$.
-```
-
-```admonish tip title="Definition Breakdown"
-*Oracle / Black-box* access means that the distinguisher can query $\textit{PRF}_s$ with any index $i$ and do any number of times, so long as it is polynomial in $t$ (otherwise the distinguisher itself won't be efficient). Whilst the distinguish eris free to choose the indices it queries, it neither knows nor is allowed to change the seed. A PRF is then secure if no distinguisher can tell with non-negligible probability the difference between a string that was obtain from $\textit{PRF}_s$ using some indices $i_0, i_1, ..., i_{t-1}$ and a string that was produced by concatenating sequential bits obtained from a truly random function $H$.
-```
-
-A truly random function $H(index: \textbf{int}[0..2^t - 1]) \to \textbf{bit}$ is a function which outputs a random bit for every index. Note, however, that $H$ is still deterministic - it always outputs the same bit if the same index is used. One can picture such a function as a table of all possible indices and their corresponding, at the beginning undetermined outputs. Whenever $H$ is invoked with an index $i$, that index is looked up in the table. If its entry already has an output associated, then this value is directly returned. Otherwise, the function $H$ "flips a coin" to determine if the output for this index should be 1 or 0, fills it in the table and then returns it.
-
-### PRGs from PRFs
-It is obvious that we can build a pseudorandom generator$\textit{PRG}(seed: \textbf{str}[S]) \to \textbf{str}[R]$ from a pseudorandom function by simply running the PRF for each index between $0$ and $R - 1$. In order for the constructed PRG to be secure, it is necessary that the PRF used must be, too. Recall that a secure PRG is *unpredictable*. Since the PRF is used to generate the output of the PRG one bit at a time, then the only way for the PRG to be unpredictable is if the PRF is also unpredictable.
-
-```admonish info title="PRF Unpredictability"
-A secure $\textit{PRF}_s$ is unpredictable in the sense that there is no efficient predictor algorithm $P$ which takes the bits $y[0],y[1],...,y[i]$ output by the PRF for the indices $\{0,1,...,i\} and can guess $\textit{PRG}_s(i+1)$ with probability better than $\frac{1}{2} + \epsilon$ for some negligible $\epsilon$.
-```
-
-Essentially, the unpredictability of a PRF translates directly into the unpredictability of any PRG that is built from it.
-
-### PRFs from PRGs
-Interestingly enough, the converse direction is also true - a secure PRG can be used to construct a secure PRF. To illustrate this, we are going to show that we can use a secure pseudorandom generator $G(seed: \textbf{str}[S]) \to \textbf{str}[2S]$, which expands a seed of size $S$ into a string twice that size, to construct a secure pseudorandom function $F$.
-
----
-
-#### Further Reading
-- Alternative Definition of security
-A pseudorandom function $\textit{PRF}$ is *secure* if for every efficient adversary $\mathcal{A}$ which takes the bits $\textit{PRF}_s(0), \textit{PRF}_s(1), ..., \textit{PRF}_s(i)$, the probability that $\mathcal{A}$ can guess $\textit{PRF}_s(i+1)$ is only negligibly greater than $\frac{1}{2}$.
-
-$$\Pr_{s \leftarrow_R \mathcal{S}}[\mathcal{A}(\textit{PRF}_s(0), \textit{PRF}_s(1), ..., \textit{PRF}_s(i)) = \textit{PRF}_s(i+1))] = \frac{1}{2} + \epsilon(S)$$
-
-for some negligible $\epsilon$.
diff --git a/Notes/Cryptography/Pseudorandom Generators (PRGs)/Resources/Images/Random Function.svg b/Notes/Cryptography/Pseudorandom Generators (PRGs)/Resources/Images/Random Function.svg
new file mode 100644
index 00000000..37438cb5
--- /dev/null
+++ b/Notes/Cryptography/Pseudorandom Generators (PRGs)/Resources/Images/Random Function.svg
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/Notes/SUMMARY.md b/Notes/SUMMARY.md
index 31f64b8c..8eabe235 100644
--- a/Notes/SUMMARY.md
+++ b/Notes/SUMMARY.md
@@ -152,7 +152,7 @@
- [Hash Functions](Cryptography/Hash%20Functions/index.md)
- [Public-Key Cryptography](Cryptography/Public-Key%20Cryptography/index.md)
- [Pseudorandom Generators (PRGs)](Cryptography/Pseudorandom%20Generators%20(PRGs)/index.md)
- - [Pseudorandom Functions (PRFs)](Cryptography/Pseudorandom%20Generators%20(PRGs)/Pseudorandom%20Functions%20(PRFs).md)
+ - [Pseudorandom Function Generators (PRFGs)](Cryptography/Pseudorandom%20Generators%20(PRGs)/Pseudorandom%20Function%20Generators%20(PRFGs).md)
- [Private-Key Cryptography](Cryptography/Private-Key%20Cryptography/index.md)
- [Stream Ciphers](Cryptography/Private-Key%20Cryptography/Stream%20Ciphers/index.md)
- [Hardware-Oriented Stream Ciphers](Cryptography/Private-Key%20Cryptography/Stream%20Ciphers/Hardware-Oriented%20Stream%20Ciphers/index.md)
diff --git a/docs/404.html b/docs/404.html
index 12ddef13..9176a7fe 100644
--- a/docs/404.html
+++ b/docs/404.html
@@ -101,7 +101,7 @@
diff --git a/docs/Networking/Protocols/Domain Name System (DNS)/DNS Protocol.html b/docs/Networking/Protocols/Domain Name System (DNS)/DNS Protocol.html
index 190fd1f5..4f9a94a8 100644
--- a/docs/Networking/Protocols/Domain Name System (DNS)/DNS Protocol.html
+++ b/docs/Networking/Protocols/Domain Name System (DNS)/DNS Protocol.html
@@ -100,7 +100,7 @@
diff --git a/docs/Networking/Protocols/Domain Name System (DNS)/The Domain Name System.html b/docs/Networking/Protocols/Domain Name System (DNS)/The Domain Name System.html
index cca56ddd..628b7b4c 100644
--- a/docs/Networking/Protocols/Domain Name System (DNS)/The Domain Name System.html
+++ b/docs/Networking/Protocols/Domain Name System (DNS)/The Domain Name System.html
@@ -100,7 +100,7 @@
diff --git a/docs/Networking/Protocols/Domain Name System (DNS)/The in-addr.arpa Domain.html b/docs/Networking/Protocols/Domain Name System (DNS)/The in-addr.arpa Domain.html
index 15c8742e..63222964 100644
--- a/docs/Networking/Protocols/Domain Name System (DNS)/The in-addr.arpa Domain.html
+++ b/docs/Networking/Protocols/Domain Name System (DNS)/The in-addr.arpa Domain.html
@@ -100,7 +100,7 @@
diff --git a/docs/Networking/Protocols/Domain Name System (DNS)/index.html b/docs/Networking/Protocols/Domain Name System (DNS)/index.html
index b7fc07d1..2da57059 100644
--- a/docs/Networking/Protocols/Domain Name System (DNS)/index.html
+++ b/docs/Networking/Protocols/Domain Name System (DNS)/index.html
@@ -100,7 +100,7 @@
diff --git a/docs/Networking/The TCP-IP Suite and the OSI Model/(1) The Physical Layer.html b/docs/Networking/The TCP-IP Suite and the OSI Model/(1) The Physical Layer.html
index b907b7a1..4c8d67ff 100644
--- a/docs/Networking/The TCP-IP Suite and the OSI Model/(1) The Physical Layer.html
+++ b/docs/Networking/The TCP-IP Suite and the OSI Model/(1) The Physical Layer.html
@@ -100,7 +100,7 @@
diff --git a/docs/Networking/The TCP-IP Suite and the OSI Model/(2) The Datalink Layer.html b/docs/Networking/The TCP-IP Suite and the OSI Model/(2) The Datalink Layer.html
index 79dfd941..6cd358c2 100644
--- a/docs/Networking/The TCP-IP Suite and the OSI Model/(2) The Datalink Layer.html
+++ b/docs/Networking/The TCP-IP Suite and the OSI Model/(2) The Datalink Layer.html
@@ -100,7 +100,7 @@
diff --git a/docs/Networking/The TCP-IP Suite and the OSI Model/index.html b/docs/Networking/The TCP-IP Suite and the OSI Model/index.html
index c1f726b3..d97dd1d6 100644
--- a/docs/Networking/The TCP-IP Suite and the OSI Model/index.html
+++ b/docs/Networking/The TCP-IP Suite and the OSI Model/index.html
@@ -100,7 +100,7 @@
diff --git a/docs/Post Exploitation/Active Directory (AD)/Domain Data Enumeration with Bloodhound.html b/docs/Post Exploitation/Active Directory (AD)/Domain Data Enumeration with Bloodhound.html
index 4627675c..a9688622 100644
--- a/docs/Post Exploitation/Active Directory (AD)/Domain Data Enumeration with Bloodhound.html
+++ b/docs/Post Exploitation/Active Directory (AD)/Domain Data Enumeration with Bloodhound.html
@@ -100,7 +100,7 @@
diff --git a/docs/Reconnaissance/OSINT/Domain Name Enumeration.html b/docs/Reconnaissance/OSINT/Domain Name Enumeration.html
index ab2bb908..92339731 100644
--- a/docs/Reconnaissance/OSINT/Domain Name Enumeration.html
+++ b/docs/Reconnaissance/OSINT/Domain Name Enumeration.html
@@ -100,7 +100,7 @@
diff --git a/docs/Reconnaissance/OSINT/Instagram User Enumeration.html b/docs/Reconnaissance/OSINT/Instagram User Enumeration.html
index 51aa14cb..4d5d452d 100644
--- a/docs/Reconnaissance/OSINT/Instagram User Enumeration.html
+++ b/docs/Reconnaissance/OSINT/Instagram User Enumeration.html
@@ -100,7 +100,7 @@
diff --git a/docs/Reverse Engineering/Reverse Engineering with Ghidra/Creating a Project and Loading a Binary.html b/docs/Reverse Engineering/Reverse Engineering with Ghidra/Creating a Project and Loading a Binary.html
index bcf8f430..8d6bf7cd 100644
--- a/docs/Reverse Engineering/Reverse Engineering with Ghidra/Creating a Project and Loading a Binary.html
+++ b/docs/Reverse Engineering/Reverse Engineering with Ghidra/Creating a Project and Loading a Binary.html
@@ -100,7 +100,7 @@
One might think that T<2S is also a requirement, because otherwise the algorithm GenT will execute more than 2S steps and would thus require more than 2S seeds for all these steps which means that it will start repeating seeds, thus making it predictable. However, the requirement that T is polynomial takes care of that - for a given S, the constants required to make the polynomial p(S) greater than 2S are so ridiculously huge and grow so mind-bogglingly fast that they can be considered infinite. Besides, it is unlikely that you want to produce a googol bits from a 128-bit seed.
In order to understand what a pseudorandom function generator (PRFG) is, one needs to understand what it means for a function to be random or pseudorandom.
+
A truly random function H:{0,1}Sโ{0,1}loutโ is a function chosen according to the uniform distribution of all functions that take a string of length S and output a string of length {0,1}loutโ. Alternatively, a random function can be thought of as a function which outputs a random string of length loutโ for every input iโ{0,1}S, called an input data block (IDB). This can be pictured as a table of all possible IDBs and their corresponding, at the beginning undetermined, outputs. Whenever H is invoked with an IDB i, that IDB is looked up in the table. If its entry already has an output, then this value is directly returned. Otherwise, the function H "flips a coin" loutโ times to determine each bit of the output, fills the generated output in the table and finally returns it. Subsequent queries for the same input data block will provide the already generated output.
+
+
-
Definition: Pseudorandom Function (PRF)
-
+
Note
+
-
A pseudorandom function (PRF) is an efficient algorithm PRF(seed:str[S],index:int[0..2Sโ1])โbit which takes a seed sโ{0,1}S of length S and an integer iโ{0,1,...,2Sโ1}, called an index, and outputs a single bit.
-
The seed may also be denoted as a subscript - PRFsโ(i).
+
The input to a PRF may sometimes be treated as an integer between 0 and 2Sโ1, which can be represented as a binary string of length S. In these cases, it is called an index instead of an input data block.
-
In its core, a PRF is just a function which produces a single bit at a time. However, what does the "pseudorandom" stand for in this case? The answer is that it is related to the security of the PRF.
-
+
The reason that these two notions of a random function are equivalent is that each "coin toss" can be thought of as making a step forward in search for the function H which on input a specific i outputs a specific output o. Before the first coin flip, there are 2loutโ possible outputs. After the first coin flip, there are 2loutโโ1 possible outputs - the first bit b0โ has been generated and the output has the form b0โโฏ where the dots represent the remaining loutโโ1 bits, which are unknown. After the second flip, the output has two bits generated and loutโโ2 unknown bits - there are 2loutโโ2 remaining possibilities for the final output string. Each coin flip halves the number of possibilities for the output until the final flip settles on a single output. Since a function can only have a single output for a given input, deciding this output is like picking a function from all possible functions. The probability that we get a specific function H is 2loutโ1โ - the same as if simply choosing a function from a uniform distribution.
+
-
Definition: Security of a PRF
-
+
Note
+
-
A pseudorandom function PRF(seed:str[S],index:int[0..2Sโ1])โbit is secure if for every seed s and efficient distinguisher D(input:str[t])โbit that has oracle access to PRFsโ,
A random function is still deterministic in the sense that when input the same data block it will always give the same output.
+
+
+
Unfortunately, truly random functions present a great implementational challenge for classical computers due to their difficulty in obtaining true randomness. A computer cannot really "flip a coin loutโ times" and is limited by its external randomness sources.
+
This is why we have to settle for pseudorandom functions.
+
+
+
Definition: Pseudorandom Function (PRF)
+
+
+
+
A pseudorandom function is an efficient algorithm PRF(idb:str[S])โstr[loutโ] such that for every efficient distinguisher D(func:function<str[S]โstr[loutโ]>)โbit it holds that
Oracle / Black-box access means that the distinguisher can query PRFsโ with any index i and do any number of times, so long as it is polynomial in t (otherwise the distinguisher itself won't be efficient). Whilst the distinguish eris free to choose the indices it queries, it neither knows nor is allowed to change the seed. A PRF is then secure if no distinguisher can tell with non-negligible probability the difference between a string that was obtain from PRFsโ using some indices i0โ,i1โ,...,itโ1โ and a string that was produced by concatenating sequential bits obtained from a truly random function H.
+
The distinguisher D(func:function<str[S]โstr[loutโ]> takes a function whose inputs are strings of length S and which outputs a string of length loutโ and tries to determine if the function is a truly random function. This notation means that the distinguisher has oracle access to the function - it can freely query the function with any inputs and can inspect the resulting outputs. Sometimes, the objectively worse notation Df(1S) is also used to denote that the distinguisher D has oracle access to the function f.
+
A function is pseudorandom if there is no efficient distinguisher which can tell the difference between it and a truly random function H which was chosen from the uniform distribution of all functions {0,1}Sโ{0,1}loutโ with non-negligible probability.
-
A truly random function H(index:int[0..2tโ1])โbit is a function which outputs a random bit for every index. Note, however, that H is still deterministic - it always outputs the same bit if the same index is used. One can picture such a function as a table of all possible indices and their corresponding, at the beginning undetermined outputs. Whenever H is invoked with an index i, that index is looked up in the table. If its entry already has an output associated, then this value is directly returned. Otherwise, the function H "flips a coin" to determine if the output for this index should be 1 or 0, fills it in the table and then returns it.
It is obvious that we can build a pseudorandom generatorPRG(seed:str[S])โstr[R] from a pseudorandom function by simply running the PRF for each index between 0 and Rโ1. In order for the constructed PRG to be secure, it is necessary that the PRF used must be, too. Recall that a secure PRG is unpredictable. Since the PRF is used to generate the output of the PRG one bit at a time, then the only way for the PRG to be unpredictable is if the PRF is also unpredictable.
-
+
Pseudorandom functions are useful because they are a generalisation of pseudorandom generators. The length of the output of a PRG must always be greater than the length of its seed, but PRFs allow for an output whose length is independent of the input data block. Mostly, however, they are useful because they produce pseudorandom strings, just like PRGs.
+
But as with most things in cryptography, it is unknown if pseudorandom functions actually exist. The definition is quite broad in the sense that there should be absolutely no distinguisher which can tell that the function is actually not truly random - a pretty difficult thing to do. So, once again, we are forced to hope that they do exist because otherwise cryptography falls apart - we consider a given algorithm to be a pseudorandom function until someone strings along and proves us wrong. Nevertheless, we still want to make as few assumptions as possible and build the rest on top of it.
+
-
PRF Unpredictability
-
+
Assumption: Existence of a One-Bit Pseudorandom Function
+
-
A secure PRFsโ is unpredictable in the sense that there is no efficient predictor algorithm P which takes the bits y[0],y[1],...,y[i] output by the PRF for the indices {0,1,...,i}andcanguess\textit{PRG}_s(i+1)withprobabilitybetterthan\frac{1}{2} + \epsilonforsomenegligible\epsilon.
+
There exists a pseudorandom function PRF(idb:str[S])โbit which outputs a single bit, i.e. loutโ=1.
-
Essentially, the unpredictability of a PRF translates directly into the unpredictability of any PRG that is built from it.
Interestingly enough, the converse direction is also true - a secure PRG can be used to construct a secure PRF. To illustrate this, we are going to show that we can use a secure pseudorandom generator G(seed: \textbf{str}[S]) \to \textbf{str}[2S],whichexpandsaseedofsizeSintoastringtwicethatsize,toconstructasecurepseudorandomfunctionF.
Alternative Definition of security
-A pseudorandom function \textit{PRF}isโsecureโifforeveryefficientadversary\mathcal{A}whichtakesthebits\textit{PRF}_s(0), \textit{PRF}_s(1), ..., \textit{PRF}_s(i),theprobabilitythat\mathcal{A}canguess\textit{PRF}_s(i+1)isonlynegligiblygreaterthan\frac{1}{2}.PrsโRโSโ[A(PRFsโ(0),PRFsโ(1),...,PRFsโ(i))=PRFsโ(i+1))]=21โ+ฯต(S)forsomenegligible\epsilon$.
-
+
As it turns out, such a pseudorandom function can be used to construct PRFs with any output length.
Pseudorandom generators produces pseudorandom strings, while pseudorandom function generators (PRFGs) produce pseudorandom functions.
+
+
+
Definition: Pseudorandom Function Generator (PRFG)
+
+
+
+
A pseudorandom function generator (PRFG) is an efficient algorithm PRFG(seed:str[S])โfunction<int[0..2Sโ1]โstr[loutโ]> which takes a seed sโ{0,1}S and outputs a pseudorandom function whose input is a data block of size S and whose output is a string of length loutโ.
+
+
+
+
+
Definition Breakdown
+
+
+
+
A pseudorandom function generator takes a seed and produces a pseudorandom function. The resulting function takes input data blocks with the same length S as the PRFG's seed and its outputs have length loutโ. It is common to notate a PRF that was produced by PRFG as fsโ where f is the function's name and s is the seed used to obtain it.
+
+
+
It is important to remember that the output of a PRFG is a function. Specifically, a PRFG produces a function which takes inputs of the same size as the PRFG's seed. This coincidence has unfortunately led to PRFs and PRFGs commonly being mixed up. It is common to see a PRFG as a two input algorithm PRFG(seed:str[S],idb:str[S])โloutโ that takes a seed sand an input data block i and acts like a pseudorandom function fsโ(i). In this case, PRFG(s,i) internally obtains the function f from the seed s and then passes it the data block i. Finally, the PRFG returns the output of the function f.
Private-key cryptography uses the same secret key for both encryption and decryption. It is important that modern cryptography is usually concerned entirely with the encryption and decryption of binary data, i.e. binary strings. That is why both the message, the key and the encrypted message are represented as binary strings of 1s and 0s.
A private-key encryption scheme has an algorithm for encryption and decryption. The message to be encrypted is called the plaintext and the resulting string after encryption is called the ciphertext.
Stream ciphers avail themselves of pseudorandom generators (PRGs) in order to allow for messages with a length arbitrarily larger than the key's. Under the hood, they are nothing more than the One-Time Pad paired with a pseudorandom generator.
However, this means that the adversary A can distinguish between a string XOR-ed with the output of the generator and a string XOR-ed with a truly random string which contradicts the security of Gen.
Hardware-oriented stream ciphers are designed to be run on dedicated hardware. They typically work on the bit-level, since hardware can be custom-tailored to be more efficient with these operations. Almost all hardware stream ciphers are built upon a concept called feedback shift registers (FSRs).
An FSR is comprised of a bit array, called a register, which is equipped with an update feedback function, denoted as f, which takes a bit array and produces a single bit based on it. Each update alters the register and produces a single output bit. Given a current register state, Riโ, the subsequent state will be this:
Whilst filtered FSRs are stronger than LFSRs, their underlying partial linearity makes them vulnerable to complex attacks such as algebraic attacks, cube attacks, and fast correlation attacks.
The Advanced Encryption Standard (AES) is an encryption standard which has been ubiquitously adopted due to its security and has been standardised by NIST. It is comprised of three symmetric block ciphers which all take blocks of size 128 bits and output blocks of the same size. AES has three versions depending on the length of the key it can take. These are AES-128, AES-192, and AES-256, for 128-, 192-, and 256-bit keys, respectively. While the different AES versions may use a different length for the initial key, all round keys derived from it will still be the same size as the block - 128 bits.
The key length also determines the number of rounds that each 128-bit block goes through:
A padding oracle attack abuses padding validation information in order to decrypt an arbitrary message. In order for it to work, it requires a padding oracle. A padding oracle is any system which, given a ciphertext, behaves differently depending on whether the decrypted plaintext has valid padding or not. For the sake of simplicity, you can think of it as a sending an arbitrary ciphertext to a server and it returning "Success" when the corresponding plaintext has valid padding, and spitting out "Failure" otherwise. Note that the ciphertexts you query the oracle with need not have meaningful plaintexts behind them and you will not even be generating them by encryption, but rather crafting them in a custom manner in order to exploit the information from the oracle.
A non-conforming message is a message whose length is not evenly divisible by the block size. For example, you might have a message of size 18 bytes and a block size of 16 bytes. In this case, there are two main ways to resolve the issue.
Padding allows for the encryption of messages of arbitrary lengths, even ones which are shorter than a single block. It is used to expand a message in order to fill a complete block by appending bytes to the plaintext and it is a highly standardised procedure.
It's all well and good with block ciphers when encrypting messages whose length matches the block size, but what happens if we want to encrypt a plaintext that is longer than a single block? Well, here comes the use of a mode of operation. If the message is longer than the block size, then it must be split into blocks of the desired size. From then on, the mode of operation describes how each of the blocks is encrypted and how the resulting ciphertexts are combined into the final output.
This is the simplest mode of operation you could think of. It encrypts each plaintext block independently and then just concatenates the resulting ciphertexts.
The definition given for a valid private-key encryption scheme specifies what functions can be used for encryption and decryption, but says nothing about how secure those functions should be. For example, the trivial encryption function Enckโ(m)=m which simply encrypts a plaintext to itself is a valid private-key encryption function but is far from secure.
Defining what makes a private-key encryption scheme secure is a bit tricky.
The notion of perfect secrecy exists thanks to the father of information theory - Claude Shannon and provides security against a limited variant of the ciphertext-only attack where the adversary is presented with only a single ciphertext - no more, no less. Shannon realised that for a cipher to be invulnerable to a COA attack, the ciphertext must not reveal anything about the plaintext.
The aforementioned relationship between the key and message lengths is just a corollary of this. This is a profound fact which limits the practicality of perfect secrecy. For example, if one wanted to securely transmit a 1 GB file using a perfectly secret encryption scheme, then they would also require a 1 GB key!
Perfect Secrecy turns out to be an achievable yet impractical goal because it requires the key to be at least as long as the message to be encrypted which poses huge logistical problems when the message is longer that a few hundred bits (pretty much always). So we seek a relaxed definition for security which allows us to use keys shorter than the message but is still reasonable and as close to perfect secrecy as possible.
Let's consider again the scenario where we choose one from two plaintexts m1โ,m2โ encrypted with the same, unknown to Eve key k and Eve tries to guess which plaintext we chose. Without having the ciphertext of the chosen message, the probability that Eve guesses correctly is 21โ. If the cipher used is perfectly secret, then this is true even after Eve sees the ciphertext c of the chosen message. However, if the key used is shorter than the message, even by a single bit, then the adversary Eve can first pick a random key and decrypt the ciphertext with it. The probability that she chose the correct key and the decryption resulted in one of the messages m1โ or m2โ (i.e. Eve now knows which plaintext was used to obtain the ciphertext) is โฃKโฃ1โ=2n1โ. If Eve did not guess the key correctly and Deckโ(c) is neither equal to m1โ nor m2โ, then Eve can, as before, just guess randomly which message was used with probability 21โ. This strategy can be implemented by the following algorithm:
Randomness is the mainstay of modern cryptography. Designing ciphers is no trifling task and it is also important how a cipher's security is achieved. Essentially, an encryption scheme consists of three things - an encryption function, a decryption function and a key. One might think that a good way to ensure the cipher cannot be broken is to simply conceal the encryption and decryption process - after all, if the adversary does not know what they are breaking, how can they break it?
Unfortunately, if the cipher does get broken (and it will by dint of reverse engineering), an entirely different cipher needs to be conceived because the previous one relied on security by obscurity. Quite the predicament, isn't it?
Every private-key encryption scheme (yes, even perfectly secret ones) can be broken in the sense that you can find whether a ciphertext c corresponds to m1โ or m2โ simply by trying all possible keys - an approach called a brute force attack.
def BruteForce(ciphertext, plaintext1, plaintext2):
for key in [0..2^n - 1]:
@@ -5889,7 +5921,7 @@
The One-Time Pad (OTP) or also known as the Vernam Cipher is the most famous (and perhaps the only remotely useful) perfectly secret cipher. It uses a plaintext and a key with the same length and produces a ciphertext also with that length. The mainstay of this cipher is the XOR operation. Encryption simply XORs the key with the plaintext and decryption XORs the ciphertext with the key to retrieve the plaintext.
Cryptography facilitates the secure communication between different parties. However, sometimes the meaning of "security" changes. It is often the case that we are not so much concerned with the contents of the message being exposed to an adversary than we are concerned with whether the party sending the message really are who they say and whether or not the message was modified by an adversary somewhere along the way.
IPv4 is the most widely used version of the internet protocol and facilitates the delivery of datagrams across an internetwork. Not only does this protocol identify a particular network interface, but it also provides routing which is required when the source and destination lie in different networks.
Every device which has a network interface used for data transfer at the network layer will have at least one IP address - one for every interface. Additionally, a single interface may have multiple IP addresses if it is multihomed. Lower-level network equipment such as repeaters, bridges and switches don't require IP addresses because they operate solely at layer 2.
Subnetting is an extension of the classful addressing scheme. It strives to solve some of its problems by introducing a three-level hierarchy. It divides networks into subnets (sub-networks) each of which contains a number of hosts. This gives rise to the two main advantages:
Flexibility - each organisation can customise the number of subnets and hosts per subnet to better suit its physical network structure.
This was the original addressing scheme devised for IP which divided the IP address space into classes, each dedicated to specific uses. Certain classes would be devoted to large networks on the Internet, while others would be assigned to smaller organisation, and yet others would be reserved for special purposes. Needless to say, this system has outlived its usefulness due to the huge number of hosts connected to the Internet at present day. Nevertheless, one should still be able to understand it.
Low Granularity - a lot of the IP addresses space is wasted because of the existence of only three possible network sizes - classes A, B and C. Suppose an organisation had a network with only 1,000 hosts. It would be assigned an entire class B network (these are two many hosts to fit into a class C network) which would result in the wasting of nearly 64,000 possible IP addresses!
This is the contemporary IP addressing scheme, which completely does away with the separation between IP networks into classes. It is particularly flexible because it allows network blocks of arbitrary size, however, it does come with added complexity.
The premise behind CIDR is to do away with classes entirely and instead let the cusp between the network and host ID vary arbitrarily.
The dividing line between the Network and Host IDs is specified via the slash notation: x.x.x.x/y where the number after the slash specifies the number of bits that are used for the Network ID.
Packets at the network layer are referred to as datagrams. The IP protocol takes date from the transport layer and encapsulates it by adding to it an IP header. Once this header is added, the packet becomes an IP datagram. This datagram is then passed onto the data link layer.
An IP datagram is divided into an IP header and a payload. The latter contains the transport-layer data which was passed to the network layer, while the former contain information about the datagram itself.
The IEEE 802.11 standard defines the structure of datalink frames in wireless networks. These frames have a more complicated structure than Ethernet ones.
The existence of the last 6 fields in the MAC header is contingent on the type of the frame.
Management frames render the service of managing the Service Set. They have 3 addresses in their MAC header, which is 24 bytes in size for 802.11a/b/g/, and 28 bytes for 802.11n (additional 4 bytes for the HT Control field). Their type in the Frame Control is indicated by 00. Moreover, management frames are never forwarded to the DS, so they have the FromDS and ToDS bits set to 0 in their Frame Control.
The source and destination MAC addresses are self-explanatory. The third address is the BSS ID which can either be the MAC of the AP or a wildcard value (for probe requests). If 802.11n is used, there is also an HT Control field in the MAC header. The frame body (payload) is comprised of fixed-size fields and variable-size information elements.
When 802.11 authentication is complete, the station and AP will move onto to the association phase. The purpose of this exchange is for the station to obtain an Association Identifier (AID). This is achieved by the client sending an Association Request to the AP which then responds with an Association Response.
After the association phase, a second authentication may occur depending on whether a protocol like WPA is set up.
A deassociation frame typically contains only a Reason Code field, although it may be augmented by vendor-specific MFIEs following this reason code. The last element (if present and if it is not the reason code itself) is used with 802.11w.
The authentication phase follows the discovery phase. Note that this is not the same authentication phase as the one which establishes encryption in WPA2. The latter is built on top of this system, which in turn only pertains to Open System Authentication and Shared-Key Authentication.
The purpose of this phase is to only check and confirm and the station which wants to join the network matches the capabilities required. Shared-Key Authentication was introduced as an extension to this phase in order to enable WEP encryption.
It is paramount to note that if more complex authentication, such as that required by WPA, is used, then OSA is used first and any advanced authentication procedures occur after the association phase.
Before connecting to a wireless network, a client needs to be aware of its existence and parameters. This can either be achieved in two ways - passive and active scanning.
Passive scanning is when the client goes through all available channels in turn and listens for beacon frames from the APs in the area. The time spent on each channel is defined by the device's driver.
Active scanning is when the client sends probe requests to each channel in turn in order to discover what networks are available on it.
Before a device can send traffic to an AP it needs to be authenticated and associated with that access point. This is done via a 4-way handshake:
First, the client sends an Authentication Request frame. The AP then returns an Authentication Response. If authentication is allowed by the AP, the client can now send the Association Request, to which the AP will response with an Association Response stating whether or not the association was successful.
WPA, WPA2, and WPA3 are consecutive versions of the most-widely used WiFi security standard today. All versions support two authentication modes:
Personal Mode - this mode uses a pre-shared key (PSK) for authentication and is commonly referred to as WPA-PSK. This is typically utilised in home and small office networks. The PSK is derived from the WiFi network's password and its SSID, but is actually never sent over the air for security reasons. Instead, it is used for the derivation of other encryption keys.
WPA3 is the successor to WPA2 introduced in 2018 and uses GCMP. Furthermore, it now mandates Protected Management Frames (PMF) to protect 802.11 management frames from eavesdropping and forging. Moreover, the 4-way handshake in Personal Mode is protected by Simultaneous Authentication of Equals (SAE) and forward secrecy is used to prevent save-now-decrypt-later attacks of frames.
Encryption and Message Integrity Checking are paramount to the world of wireless networks, since the radio signals sent by a device are received by every other device in range.
Message integrity checking ensures that a frame has not been tampered with by an adversary - the message sent by a device should be the same message received by the recipient.
This is a special domain used for reverse DNS lookups. In the in-addr.arpa domain, IP addresses are represented as a sequence of four decimal numbers separated by dots. The suffix of in-addr.arpa is appended to the IP address. In this domain, however, IP address octets are read from right to left, but the contents of the octets are not. For example, in order to do a reverse lookup on 172.217.169.174, you would use 174.169.217.172.in-addr.arpa. This domain is used for reverse lookups on IPv4 addresses.
For IPv6 addresses, the ip6.arpa domain is used. The address is represented by hex digits in reverse order - each digit looking like a domain name. For example, to do a reverse look up on 2001:db8::567:89ab, you would use b.a.9.8.7.6.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
Computers connected to the Internet have a numerical identifier - called an Internet Protocol Address (IP Address) - which is used to communicate with this machine. However, remembering a 32-bit number for each computer you want to connect to - even if it's formatted nicely into four separate sections - isn't practical at all. As such, a systematic way of resolving this issue was a created - a sort of lookup table for IP addresses, known as the Domain Name System.
The Domain Name System (or DNS for short) is a decentrialised database which provides answers to queries for domain names. Such a query is for example "What is the IP address of google.com? " When such a request is sent out, it will go through the DNS and eventually return with an IP address (if such was found). This saves the average user from having to remember a myriad different IPs for each website they want to visit.
SNMP is a protocol which renders the service of providing monitoring of devices connected to a network. It can provide information such as online status, network bandwith, and even temperature.
SNMP versions 1 and 2 avail themselves of the so-called community strings. It is important to know that agents reply to SNMP requests only if they are accompanied by the appropriate community string, which is akin to a password. Every community string is associated with a set of permissions. These can be either read-only or read-write.
The Leightweight Directory Access Protocol (LDAP) is a protocol used to facilitate the communication with directory services such as OpenLDAP or Active Directory. These act as repositories for user information by storing credentials, users, groups, etc. Because of this, LDAP can also be used for the authentication and authorisation of users.
What makes LDAP easy to use is that it operates with its data in a plain text format called the LDAP Data Interchange Format (LDIF).
This protocol works on TCP port 389. Its secure variation (LDAPS) runs on TCP port 636 and establishes a TLS/SSL connection.
The Network Time Protocol (NTP) is a protocol for clock synchronisation across computer systems. Its existence is paramount in order to pinpoint events occurring at a certain moment within a network. Devices with unsynchronised clocks will report that the event transpired at different times thus making it very difficult to figure out the actual time of occurrence.
The File Transfer Protocol (FTP) is an application layer protocol which allows for the sharing of files within a network. It uses TCP as its underlying transport-layer protocol and follows a typical client-server model where the FTP client is typically called the user.
Unlike most other TCP-based protocols, FTP utilises more than a single connection. When a user connects to a server, an FTP control connection is opened. Afterwards, data connections are established for every subsequent data transfer. The control connection is utilised for passing commands from the user to the server as well the command response from the server back to the client. A data connection is terminated once the file transfer it was established for is complete.
The third digit is what indicates the specific message type. Each functional group can have 10 different reply codes for each reply type given by the first digit.
The Address Resolution Protocol (ARP) serves a method for converting between layer 3 (IP) and layer 2 (MAC) addresses. Whilst applications communicate logically at layer 3, the actual data is transmitted via layers 1 and 2 and so even if the application only knows the destination's IP address, in order for communication to take place, the destination's MAC address is also required.
This is where ARP comes in. However, its naming convention is a bit confusing. The Source is always the device which seeks another host's hardware address, whilst the Destination is always the host whose MAC address is being sought.
A computer network is a network which allows for the exchange of resources and information between devies connected to the network. These device span a range of types, sizes, and functions.
The Physical layer is the lowest layer in the OSI model. It provides the electrical, mechanical, or electromagnetic means by which data is physically transferred between hosts. At the core of the Physical layer lie interfaces and mediums. Interfaces are what allow devices to send receive data, while mediums are what the data travels through between interfaces. Data at the physical layer is transmitted in bits, not bytes, hence why internet speeds are typically measured in multiples of bits per seconds or bps.
An outdoor bridge is used to connect networks over large distances without a physical cable. This is achieved by APs with special directional antennas.
There are two major standards which govern how data is transmitted at the datalink layer. The first on is a protocol called Ethernet and it describes the transfer of data in wired LANs. It is defined in the IEEE 802.3 standard.
The second one is the IEEE 802.11 WLAN standard and it describes how data is transferred in wireless networks over WiFi.
Subnetting is a way to logically divide a network into smaller subnetworks. The devices that belong to the same subnet are identified by identical most-significant bits in their local IP addresses.
A local IP address is divided into two parts - the network number (routing prefix) and the host identifier (rest field). The former is what identifies the network that the IP address belongs to and is shared by devices in the same subnet. The rest field identifies the actual host on the network.
Every IPv4 address is 32 bits in length, however, the size of the network number and the host identifier is variable and is defined for each subnet by the subnet mask. The subnet mask also takes the form of an IPv4 address which is read entirely left to right. Essentially, the bits from the subnet mask that are set to 1 indicate the bits from the IP address are the network number. The bits in the subnet mask that are set to 0 indicate the bits from the IP address which represent the host identifier.
Virtual LANs provide the means for logically separating a LAN at Layer 2 and can be thought of as the Layer 2 counterpart to the Layer 3 subnets. The reasons to do this are typically bandwidth- and security-related and have to do with broadcast frames.
Imagine the following LAN, without VLANs configured:
- 
- 
- 
- 
- /Resources/Images/Random%20Function.svg)
/Internet%20Protocol%20v4%20(IPv4)/Resources/Images/Network%20and%20Host%20ID.svg)
/Resources/Images/WLAN_Frame.svg)
/Management%20Frames/Resources/Images/Management_Frame.svg)
/Management%20Frames/Resources/Images/WiFi_authentication_association.svg)
/Management%20Frames/Resources/Images/Deauthentication_Frame.svg)
