feat: breaking change (unstable) (#198)

* [PUBLISHER] upload files #175

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md

* [PUBLISHER] upload files #177

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryptio.md

* [PUBLISHER] upload files #178

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #179

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #180

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #181

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #182

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* [PUBLISHER] upload files #183

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #184

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #185

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #186

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* [PUBLISHER] upload files #187

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #188

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md

* chore: remove files

* [PUBLISHER] upload files #197

* PUSH NOTE : 수학 공부에 대한 고찰.md (Reflections on Studying Mathematics)

* PUSH NOTE : 09. Lp Functions.md

* PUSH ATTACHMENT : mt-09.png

* PUSH NOTE : 08. Comparison with the Riemann Integral.md

* PUSH ATTACHMENT : mt-08.png

* PUSH NOTE : 04. Measurable Functions.md

* PUSH ATTACHMENT : mt-04.png

* PUSH NOTE : 06. Convergence Theorems.md

* PUSH ATTACHMENT : mt-06.png

* PUSH NOTE : 07. Dominated Convergence Theorem.md

* PUSH ATTACHMENT : mt-07.png

* PUSH NOTE : 05. Lebesgue Integration.md

* PUSH ATTACHMENT : mt-05.png

* PUSH NOTE : 03. Measure Spaces.md

* PUSH ATTACHMENT : mt-03.png

* PUSH NOTE : 02. Construction of Measure.md

* PUSH ATTACHMENT : mt-02.png

* PUSH NOTE : 01. Algebra of Sets and Set Functions.md

* PUSH ATTACHMENT : mt-01.png

* PUSH NOTE : Rules of Inference with Coq.md

* PUSH NOTE : 블로그 이주 이야기.md (The Story of Migrating the Blog)

* PUSH NOTE : Secure IAM on AWS with Multi-Account Strategy.md

* PUSH ATTACHMENT : separation-by-product.png

* PUSH NOTE : You and Your Research, Richard Hamming.md

* PUSH NOTE : 10. Digital Signatures.md

* PUSH ATTACHMENT : mc-10-dsig-security.png

* PUSH ATTACHMENT : mc-10-schnorr-identification.png

* PUSH NOTE : 9. Public Key Encryption.md

* PUSH ATTACHMENT : mc-09-ss-pke.png

* PUSH NOTE : 8. Number Theory.md

* PUSH NOTE : 7. Key Exchange.md

* PUSH ATTACHMENT : mc-07-dhke.png

* PUSH ATTACHMENT : mc-07-dhke-mitm.png

* PUSH ATTACHMENT : mc-07-merkle-puzzles.png

* PUSH NOTE : 6. Hash Functions.md

* PUSH ATTACHMENT : mc-06-merkle-damgard.png

* PUSH ATTACHMENT : mc-06-davies-meyer.png

* PUSH ATTACHMENT : mc-06-hmac.png

* PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md

* PUSH ATTACHMENT : mc-05-ci.png

* PUSH ATTACHMENT : mc-05-etm-mte.png

* PUSH NOTE : 1. OTP, Stream Ciphers and PRGs.md

* PUSH ATTACHMENT : mc-01-prg-game.png

* PUSH ATTACHMENT : mc-01-ss.png

* PUSH NOTE : 4. Message Authentication Codes.md

* PUSH ATTACHMENT : mc-04-mac.png

* PUSH ATTACHMENT : mc-04-mac-security.png

* PUSH ATTACHMENT : mc-04-cbc-mac.png

* PUSH ATTACHMENT : mc-04-ecbc-mac.png

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH ATTACHMENT : is-03-ecb-encryption.png

* PUSH ATTACHMENT : is-03-cbc-encryption.png

* PUSH ATTACHMENT : is-03-ctr-encryption.png

* PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md

* PUSH ATTACHMENT : mc-02-block-cipher.png

* PUSH ATTACHMENT : mc-02-feistel-network.png

* PUSH ATTACHMENT : mc-02-des-round.png

* PUSH ATTACHMENT : mc-02-DES.png

* PUSH ATTACHMENT : mc-02-aes-128.png

* PUSH ATTACHMENT : mc-02-2des-mitm.png

* PUSH NOTE : 18. Bootstrapping & CKKS.md

* PUSH NOTE : 17. BGV Scheme.md

* PUSH NOTE : 16. The GMW Protocol.md

* PUSH ATTACHMENT : mc-16-beaver-triple.png

* PUSH NOTE : 15. Garbled Circuits.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* PUSH NOTE : 13. Sigma Protocols.md

* PUSH ATTACHMENT : mc-13-sigma-protocol.png

* PUSH ATTACHMENT : mc-13-okamoto.png

* PUSH ATTACHMENT : mc-13-chaum-pedersen.png

* PUSH ATTACHMENT : mc-13-gq-protocol.png

* PUSH NOTE : 12. Zero-Knowledge Proofs (Introduction).md

* PUSH ATTACHMENT : mc-12-id-protocol.png

* PUSH NOTE : 11. Advanced Topics.md

* PUSH NOTE : 0. Introduction.md

* PUSH NOTE : 02. Symmetric Key Cryptography (1).md

* PUSH NOTE : 09. Transport Layer Security.md

* PUSH ATTACHMENT : is-09-tls-handshake.png

* PUSH NOTE : 08. Public Key Infrastructure.md

* PUSH ATTACHMENT : is-08-certificate-validation.png

* PUSH NOTE : 07. Public Key Cryptography.md

* PUSH NOTE : 06. RSA and ElGamal Encryption.md

* PUSH NOTE : 05. Modular Arithmetic (2).md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* PUSH ATTACHMENT : is-03-feistel-function.png

* PUSH ATTACHMENT : is-03-cfb-encryption.png

* PUSH ATTACHMENT : is-03-ofb-encryption.png

* PUSH NOTE : 04. Modular Arithmetic (1).md

* PUSH NOTE : 01. Security Introduction.md

* PUSH ATTACHMENT : is-01-cryptosystem.png

* PUSH NOTE : Search Time in Hash Tables.md

* PUSH NOTE : 랜덤 PS일지 (1).md (Random Problem-Solving Journal (1))

* chore: rearrange articles

* feat: fix paths

* feat: fix all broken links

* feat: title font to palatino
2024-11-13 14:28:45 +09:00
committed by GitHub
parent c9f7af5f3d
commit 23aeb29ad8
78 changed files with 2105 additions and 2030 deletions

View File

@@ -88,17 +88,17 @@ To attack this scheme, we use frequency analysis. Calculate the frequency of eac
#### Vigenère Cipher
- A polyalphabetic substitution
- Given a key length $m$, take key $k = (k_1, k_2, \dots, k_m)$.
- Given a key length $m$, take key $k = (k _ 1, k _ 2, \dots, k _ m)$.
- For the $i$-th letter $x$, set $j = i \bmod m$.
- Encryption is done by replacing $x$ by $x + k_{j}$.
- Decryption is done by replacing $x$ by $x - k_j$.
- Encryption is done by replacing $x$ by $x + k _ {j}$.
- Decryption is done by replacing $x$ by $x - k _ j$.
To attack this scheme, find the key length by [*index of coincidence*](https://en.wikipedia.org/wiki/Index_of_coincidence). Then use frequency analysis.
#### Hill Cipher
- A polyalphabetic substitution
- A key is a *invertible* matrix $K = (k_{ij})_{m \times m}$ where $k_{ij} \in \mathbb{Z}_{26}$.
- A key is a *invertible* matrix $K = (k _ {ij}) _ {m \times m}$ where $k _ {ij} \in \mathbb{Z} _ {26}$.
- Encryption/decryption is done by multiplying $K$ or $K^{-1}$.
This scheme is vulnerable to known plaintext attack, since the equation can be solved for $K$.
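Review bot: the index in "set $j = i \bmod m$" is off by one against the key $k = (k _ 1, \dots, k _ m)$: $i \bmod m$ ranges over $0, \dots, m-1$ while the key is indexed $1, \dots, m$, so either index the key from $0$ or write $j = ((i-1) \bmod m) + 1$. Two smaller points in the same hunk: "A key is a *invertible* matrix" should read "an *invertible* matrix", and invertibility over $\mathbb{Z} _ {26}$ means $\det K$ must be coprime to $26$, which is what the known-plaintext attack exploits: $m$ plaintext/ciphertext block pairs whose plaintext blocks form an invertible matrix are enough to solve for $K$. Finally, the `k _ 1` spacing introduced throughout this change is a workaround for underscores being parsed as emphasis; a one-line note in the repository saying so would stop a future cleanup from reverting it.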
@@ -191,7 +191,7 @@ Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then ch
- Encryption: $E(k, m) = k \oplus m$.
- Decryption: $D(k, c) = k \oplus c$.
This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)).
This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)).
## Perfect Secrecy
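Review bot: the new link target `../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)` keeps the anchor `one-time-pad-(otp)`, and if the site uses kramdown's auto-generated heading ids (Jekyll's default) the id for a heading "One-Time Pad (OTP)" is `one-time-pad-otp` with the punctuation stripped, so the fragment would not resolve even though the path now does; check the rendered page and, if so, drop the parentheses. Separately, "This scheme is **provably secure**" should state what the proof needs: a key uniform over $\left\lbrace 0, 1 \right\rbrace^n$, as long as the message, and used once; the "Two-Time Pad is Insecure" section later in this file is exactly what happens when the last condition is dropped.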
@@ -201,10 +201,10 @@ This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)
> \Pr[\mathcal{M} = m \mid \mathcal{C} = c] = \Pr[\mathcal{M} = m].
> $$
>
> Or equivalently, for all $m_0, m_1 \in \mathcal{M}$, $c \in \mathcal{C}$,
> Or equivalently, for all $m _ 0, m _ 1 \in \mathcal{M}$, $c \in \mathcal{C}$,
>
> $$
> \Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c]
> \Pr[E(k, m _ 0) = c] = \Pr[E(k, m _ 1) = c]
> $$
>
> where $k$ is chosen uniformly in $\mathcal{K}$.
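Review bot: $\mathcal{M}$ is used for two different things in this definition, the message space in "for all $m _ 0, m _ 1 \in \mathcal{M}$" and the random variable in $\Pr[\mathcal{M} = m]$ (likewise $\mathcal{C}$). Use distinct symbols, e.g. $M$ and $C$ for the random variables, and state that the first condition is required for every distribution over the message space and every $c$ with $\Pr[C = c] > 0$; that quantification is what makes the two formulations equivalent.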
@@ -223,19 +223,19 @@ since for each $m$ and $c$, $k$ is determined uniquely.
> **Theorem.** If $(E, D)$ is perfectly secure, $\lvert \mathcal{K} \rvert \geq \lvert \mathcal{M} \rvert$.
*Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.
*Proof*. Assume not, then we can find some message $m _ 0 \in \mathcal{M}$ such that $m _ 0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.
For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#shannon's-theorem).
For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#shannon's-theorem).
### Two-Time Pad is Insecure
It is not secure to use the same key twice. If for the key $k$ and two messages $m_1$, $m_2$,
It is not secure to use the same key twice. If for the key $k$ and two messages $m _ 1$, $m _ 2$,
$$
c_1 \oplus c_2 = (k \oplus m_1) \oplus (k \oplus m_2) = m_1 \oplus m_2.
c _ 1 \oplus c _ 2 = (k \oplus m _ 1) \oplus (k \oplus m _ 2) = m _ 1 \oplus m _ 2.
$$
So some information is leaked, even though we cannot actually recover $m_i$ from the above equation.
So some information is leaked, even though we cannot actually recover $m _ i$ from the above equation.
## Two Types of Symmetric Ciphers
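Review bot: the proof sketch at "Assume not, then we can find some message $m _ 0$ ..." skips the step that makes it a contradiction: fix one ciphertext $c$ with $\Pr[C = c] > 0$; the set $\left\lbrace D(k, c) : k \in \mathcal{K} \right\rbrace$ has at most $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$ elements, so some $m _ 0$ is never a decryption of $c$, giving $\Pr[M = m _ 0 \mid C = c] = 0 \neq \Pr[M = m _ 0]$ for any message distribution that gives $m _ 0$ positive probability. Two further points: the anchor `#shannon's-theorem` contains an apostrophe, which kramdown strips when generating heading ids (`shannons-theorem`), so verify that link resolves after the path change; and "even though we cannot actually recover $m _ i$" is too strong, since $m _ 1 \oplus m _ 2$ together with predictable plaintext (headers, padding, known words) does let the attacker recover both, which is precisely the argument the WEP section below makes ("Since network traffic contents are predictable, messages can be recovered").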
@@ -278,9 +278,9 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary
- Not for attacks, but for error correction
- Initialization vector (IV): $24$ bit
- Key: $104$ bit number to build the keystream
- IV and the key is used to build the keystream $k_s$
- IV and the key is used to build the keystream $k _ s$
- IV + Key is $128$ bits
- Encryption: $c = k_s \oplus (m \parallel \mathrm{CRC}(m))$
- Encryption: $c = k _ s \oplus (m \parallel \mathrm{CRC}(m))$
#### Encryption Process
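Review bot: "IV and the key is used to build the keystream" should be "are used", and this is the place to say how: the keystream is RC4 seeded with $\mathrm{IV} \parallel \mathrm{key}$, the 128-bit value the next bullet counts, since RC4 is otherwise first named only in the CRC section further down. Minor: "$24$ bit" and "$104$ bit" read better as "24-bit" and "104-bit" when used as adjectives.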
@@ -313,7 +313,7 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary
- The key is fixed, and the period of IV is $2^{24}$.
- Same IV leads to same key stream.
- So if the adversary takes two frames with the same IV to obtain the XOR of two plaintext messages.
- $c_1 \oplus c_2 = (p_1 \oplus k_s) \oplus (p_2 \oplus k_s) = p_1 \oplus p_2$
- $c _ 1 \oplus c _ 2 = (p _ 1 \oplus k _ s) \oplus (p _ 2 \oplus k _ s) = p _ 1 \oplus p _ 2$
- Since network traffic contents are predictable, messages can be recovered.
- We are in the link layer, so HTTP, IP, TCP headers will be contained in the encrypted payload.
- The header formats are usually known.
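Review bot: "So if the adversary takes two frames with the same IV to obtain the XOR of two plaintext messages." has no main clause; "So the adversary takes two frames with the same IV and obtains the XOR ..." is what is meant. More importantly, "the period of IV is $2^{24}$" understates the problem: with IVs chosen at random, a collision is expected after roughly $2^{12}$ frames by the birthday bound, and if the IV counter restarts from $0$ whenever the device resets, reuse is immediate after every reset; either way the figure to quote is far below $2^{24}$ frames.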
@@ -326,12 +326,12 @@ Given a bit string (defined in the specification), the sender performs long divi
- CRC is actually a linear function.
- $\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y)$.
- The remainder of $x \oplus y$ is equal to the sum of the remainders of $x$ and $y$, since $\oplus$ is effectively an addition over $\mathbb{Z}_2$.
- The remainder of $x \oplus y$ is equal to the sum of the remainders of $x$ and $y$, since $\oplus$ is effectively an addition over $\mathbb{Z} _ 2$.
- CRC function doesn't have a key, so it is forgeable.
- **RC4 is transparent to XOR**, and messages can be modified.
- Let $c = k_s \oplus (m \parallel \mathrm{CRC}(m))$.
- Let $c = k _ s \oplus (m \parallel \mathrm{CRC}(m))$.
- If we XOR $(x \parallel \mathrm{CRC}(x))$, where $x$ is some malicious message.
- $c \oplus (x \parallel \mathrm{CRC}(x)) = k_s \oplus (m\oplus x \parallel \mathrm{CRC}(m\oplus x))$.
- $c \oplus (x \parallel \mathrm{CRC}(x)) = k _ s \oplus (m\oplus x \parallel \mathrm{CRC}(m\oplus x))$.
- The receiver will decrypt and get $(m\oplus x \parallel \mathrm{CRC}(m\oplus x))$.
- CRC check by the receiver will succeed.
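Review bot: "$\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y)$" is exact only for the bare polynomial remainder. The CRC-32 that WEP actually uses has a non-zero initial register value and a final XOR, so it is affine rather than linear: for equal-length inputs, $\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y) \oplus \mathrm{CRC}(0^{\lvert x \rvert})$. The forgery still works, but the value XORed into the ciphertext must be $(x \parallel \mathrm{CRC}(x) \oplus \mathrm{CRC}(0^{\lvert x \rvert}))$ rather than $(x \parallel \mathrm{CRC}(x))$; a footnote would save a reader who implements the attack from an unexplained ICV failure. Also, "**RC4 is transparent to XOR**" is a property of any keystream cipher, not of RC4 in particular.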

View File

@@ -48,18 +48,18 @@ attachment:
### Encryption
1. From the $56$-bit key, generate $16$ different $48$ bit keys $k_1, \dots, k_{16}$.
1. From the $56$-bit key, generate $16$ different $48$ bit keys $k _ 1, \dots, k _ {16}$.
2. The plaintext message goes through an initial permutation.
3. The output goes through $16$ rounds, and key $k_i$ is used in round $i$.
3. The output goes through $16$ rounds, and key $k _ i$ is used in round $i$.
4. After $16$ rounds, split the output into two $32$ bit halves and swap them.
5. The output goes through the inverse of the permutation from Step 1.
Let $L_{i-1} \parallel R_{i-1}$ be the output of round $i-1$, where $L_{i-1}$ and $R_{i-1}$ are $32$ bit halves. Also let $f$ be the Feistel function.[^1]
Let $L _ {i-1} \parallel R _ {i-1}$ be the output of round $i-1$, where $L _ {i-1}$ and $R _ {i-1}$ are $32$ bit halves. Also let $f$ be the Feistel function.[^1]
In each round $i$, the following operation is performed:
$$
L_i = R_{i - 1}, \qquad R_i = L_{i-1} \oplus f(k_i, R_{i-1}).
L _ i = R _ {i - 1}, \qquad R _ i = L _ {i-1} \oplus f(k _ i, R _ {i-1}).
$$
#### The Feistel Function
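Review bot: step 5, "the inverse of the permutation from Step 1", points at the wrong step: the initial permutation is applied in step 2 (step 1 is the key schedule), so this should read "from Step 2". Two details in step 1: the key schedule starts from a 64-bit key of which 8 bits are parity, leaving the 56 effective bits quoted, and the 16 round keys are "different" only for non-weak keys (DES has a few keys whose schedule repeats), so "generate $16$ $48$-bit round keys" without "different" is the safer wording.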
@@ -85,22 +85,22 @@ The Feistel function is **not invertible.**
Let $f$ be the Feistel function. We can define each round as a function $F$,
$$
F(L_i \parallel R_i) = R_i \parallel L_i \oplus f(R_i).
F(L _ i \parallel R _ i) = R _ i \parallel L _ i \oplus f(R _ i).
$$
Consider a function $G$, defined as
$$
G(L_i \parallel R_i) = R_i \oplus f(L_i) \parallel L_i.
G(L _ i \parallel R _ i) = R _ i \oplus f(L _ i) \parallel L _ i.
$$
Then, we see that
$$
\begin{align*}
G(F(L_i \parallel R_i)) &= G(R_i \parallel L_i \oplus f(R_i)) \\
&= (L_i \oplus f(R_i)) \oplus f(R_i) \parallel R_i \\
&= L_i \parallel R_i.
G(F(L _ i \parallel R _ i)) &= G(R _ i \parallel L _ i \oplus f(R _ i)) \\
&= (L _ i \oplus f(R _ i)) \oplus f(R _ i) \parallel R _ i \\
&= L _ i \parallel R _ i.
\end{align*}
$$
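Review bot: the displays $F(L _ i \parallel R _ i) = R _ i \parallel L _ i \oplus f(R _ i)$ and $G(L _ i \parallel R _ i) = R _ i \oplus f(L _ i) \parallel L _ i$ rely on $\parallel$ binding more loosely than $\oplus$, which is not a standard convention; parenthesise as $R _ i \parallel (L _ i \oplus f(R _ i))$ and $(R _ i \oplus f(L _ i)) \parallel L _ i$, and likewise in the $G(F(\cdot))$ derivation. The round key also disappears here ($f(R _ i)$ versus $f(k _ i, R _ {i-1})$ in the previous hunk); a one-line "write $f(\cdot)$ for $f(k _ i, \cdot)$ within a fixed round" would reconcile the two.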
@@ -109,10 +109,10 @@ Thus $F$ and $G$ are inverses of each other, thus $f$ doesn't have to be inverti
Also, note that
$$
G(L_i \parallel R_i) = F(L_i \oplus f(R_i) \parallel R_i).
G(L _ i \parallel R _ i) = F(L _ i \oplus f(R _ i) \parallel R _ i).
$$
Notice that evaluating $G$ is equivalent to evaluating $F$ on a encrypted block, with their upper/lower $32$ bit halves swapped. We get $L_i \oplus f(R_i) \parallel R_i$ exactly when we swap each halves of $F(L_i \parallel R_i)$. Thus, we can use the same hardware for encryption and decryption, which is the reason for swapping each $32$ bit halves.
Notice that evaluating $G$ is equivalent to evaluating $F$ on a encrypted block, with their upper/lower $32$ bit halves swapped. We get $L _ i \oplus f(R _ i) \parallel R _ i$ exactly when we swap each halves of $F(L _ i \parallel R _ i)$. Thus, we can use the same hardware for encryption and decryption, which is the reason for swapping each $32$ bit halves.
## Advanced Encryption Standard (AES)
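Review bot: the identity $G(L _ i \parallel R _ i) = F(L _ i \oplus f(R _ i) \parallel R _ i)$ is false as written. From the definitions in the previous hunk, $F(L _ i \oplus f(R _ i) \parallel R _ i) = R _ i \parallel (L _ i \oplus f(R _ i) \oplus f(R _ i)) = R _ i \parallel L _ i$, whereas $G(L _ i \parallel R _ i) = (R _ i \oplus f(L _ i)) \parallel L _ i$. What the paragraph actually uses is $G = \mathrm{swap} \circ F \circ \mathrm{swap}$, i.e. $G(L \parallel R) = \mathrm{swap}(F(R \parallel L))$, or equivalently $F(\mathrm{swap}(F(L \parallel R))) = R \parallel L$: applying $F$ to the swapped output of $F$ recovers the input up to the final swap, which is exactly why the same hardware serves for decryption. Replace the display with one of these; the prose after it is already consistent with them. Also "on a encrypted block" should be "an encrypted block".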
@@ -207,13 +207,13 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
- **Each previous cipher block is chained with current block**
- Initialization vector is used
- Encryption
- Let $c_0$ be the initialization vector.
- $c_i = E(k, p_i \oplus c_{i - 1})$, where $p_i$ is the $i$-th plaintext block.
- The ciphertext is $(c_0, c_1, \dots)$.
- Let $c _ 0$ be the initialization vector.
- $c _ i = E(k, p _ i \oplus c _ {i - 1})$, where $p _ i$ is the $i$-th plaintext block.
- The ciphertext is $(c _ 0, c _ 1, \dots)$.
- Decryption
- The first block $c_0$ contains the initialization vector.
- $p_i = c_{i - 1} \oplus D(k, c_i)$.
- The plaintext is $(p_1, p_2, \dots)$.
- The first block $c _ 0$ contains the initialization vector.
- $p _ i = c _ {i - 1} \oplus D(k, c _ i)$.
- The plaintext is $(p _ 1, p _ 2, \dots)$.
- Used for bulk data encryption, authentication
- Advantages
- Parallelism in decryption.
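Review bot: the decryption equation $p _ i = c _ {i - 1} \oplus D(k, c _ i)$ also exhibits CBC's malleability, which the "Advantages" list should be balanced against: flipping bit $j$ of $c _ {i-1}$ flips bit $j$ of $p _ i$ (while garbling $p _ {i-1}$), and doing it to the IV $c _ 0$ edits $p _ 1$ with no collateral damage. The mode gives no integrity, so "Used for ... authentication" needs a qualifier: CBC-MAC is a separate construction with its own rules (fixed zero IV, fixed-length messages). It is also worth stating that messages not a multiple of the block length need padding, and that whether the padding check passed must not be observable to an attacker (padding-oracle attacks).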
@@ -239,13 +239,13 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
- **IV changes should be unpredictable**
- On IV reuse, same message will generate the same ciphertext if key isn't changed
- If IV is predictable, CBC is vulnerable to chosen plaintext attacks.
- Suppose Eve obtains $(\mathrm{IV}_1, E_k(\mathrm{IV}_1 \oplus m))$.
- Define Eve's new message $m' = \mathrm{IV}_{2} \oplus \mathrm{IV}_{1} \oplus g$, where
- $\mathrm{IV}_2$ is the guess of the next IV, and
- Suppose Eve obtains $(\mathrm{IV} _ 1, E _ k(\mathrm{IV} _ 1 \oplus m))$.
- Define Eve's new message $m' = \mathrm{IV} _ {2} \oplus \mathrm{IV} _ {1} \oplus g$, where
- $\mathrm{IV} _ 2$ is the guess of the next IV, and
- $g$ is a guess of Alice's original message $m$.
- Eve requests an encryption of $m'$
- $c' = E_k(\mathrm{IV}_2 \oplus m') = E_k(\mathrm{IV}_\mathrm{1} \oplus g)$.
- Then Eve can compare $c'$ and the original $c = E_k(\mathrm{IV}_\mathrm{1} \oplus m)$ to recover $m$.
- $c' = E _ k(\mathrm{IV} _ 2 \oplus m') = E _ k(\mathrm{IV} _ \mathrm{1} \oplus g)$.
- Then Eve can compare $c'$ and the original $c = E _ k(\mathrm{IV} _ \mathrm{1} \oplus m)$ to recover $m$.
- Useful when there are not many cases for $m$ (or most of the message is already known).
### Cipher Feedback Mode (CFB)
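Review bot: the last step, "compare $c'$ and the original $c$ to recover $m$", should say what the comparison yields: $c' = c$ if and only if $g = m$ (since $E _ k$ is a permutation), so each query confirms or refutes exactly one guess, which is why the final bullet restricts the attack to low-entropy $m$; an adversary enumerating $g$ needs one chosen-plaintext query per candidate and a fresh prediction of the next IV each time. Two notational nits: `\mathrm{IV} _ \mathrm{1}` and `\mathrm{IV} _ {2}` should be written uniformly ($\mathrm{IV} _ 1$, $\mathrm{IV} _ 2$), and $E _ k(\cdot)$ here versus $E(k, \cdot)$ in the surrounding hunks should be one or the other.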
@@ -260,13 +260,13 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
- Same requirements on the IV as CBC mode.
- Should be randomized, and should not be predictable.
- Encryption
- Let $c_0$ be the initialization vector.
- $c_i = p_i \oplus E(k, c_{i - 1})$, where $p_i$ is the $i$-th plaintext block.
- The ciphertext is $(c_0, c_1, \dots)$.
- Let $c _ 0$ be the initialization vector.
- $c _ i = p _ i \oplus E(k, c _ {i - 1})$, where $p _ i$ is the $i$-th plaintext block.
- The ciphertext is $(c _ 0, c _ 1, \dots)$.
- Decryption
- The first block $c_0$ contains the initialization vector.
- $p_i = c_i \oplus E(k, c_{i - 1})$. The same module is used for decryption!
- The plaintext is $(p_1, p_2, \dots)$.
- The first block $c _ 0$ contains the initialization vector.
- $p _ i = c _ i \oplus E(k, c _ {i - 1})$. The same module is used for decryption!
- The plaintext is $(p _ 1, p _ 2, \dots)$.
- Advantages
- Appropriate when data arrives in bits/bytes (similar to stream cipher)
- Only encryption module is needed.
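Review bot: "Appropriate when data arrives in bits/bytes" does not follow from the equations as given, which are full-block CFB ($c _ i = p _ i \oplus E(k, c _ {i - 1})$). The bit/byte-granular variant is $s$-bit CFB, where a shift register holds the most recent block of ciphertext bits and only $s$ bits of each $E(k, \cdot)$ output are consumed per step, at the cost of one block-cipher call per $s$ bits; either describe that version or drop the advantage. It would also help to note under the decryption bullet that an error in $c _ i$ corrupts $p _ i$ (the same bits) and $p _ {i+1}$ (whole block) and then resynchronises, since the corresponding fact is stated for OFB below.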
@@ -294,15 +294,15 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
- Encryption/decryption are both parallelizable after key stream is calculated.
- Key stream generation cannot be parallelized.
- Encryption
- Let $s_0$ be the initialization vector.
- $s_i = E(k, s_{i - 1})$ where $s_i$ is the $i$-th key stream.
- $c_i = p_i \oplus s_i$.
- The ciphertext is $(s_0, c_1, \dots)$.
- Let $s _ 0$ be the initialization vector.
- $s _ i = E(k, s _ {i - 1})$ where $s _ i$ is the $i$-th key stream.
- $c _ i = p _ i \oplus s _ i$.
- The ciphertext is $(s _ 0, c _ 1, \dots)$.
- Decryption
- The first block $s_0$ contains the initialization vector.
- $s_i = E(k, s_{i - 1})$. The same module is used for decryption.
- $p_i = c_i \oplus s_i$.
- The plaintext is $(p_1, p_2, \dots)$.
- The first block $s _ 0$ contains the initialization vector.
- $s _ i = E(k, s _ {i - 1})$. The same module is used for decryption.
- $p _ i = c _ i \oplus s _ i$.
- The plaintext is $(p _ 1, p _ 2, \dots)$.
- Note: IV and successive encryptions act as an OTP generator.
- Advantages
- There is no error propagation. $1$ bit error in ciphertext only affects $1$ bit in the plaintext.
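Review bot: "IV and successive encryptions act as an OTP generator" should say keystream (or PRG) generator: the stream $s _ i = E(k, s _ {i - 1})$ is fully determined by $(k, s _ 0)$, so this is a stream cipher, and the information-theoretic guarantee of the one-time pad does not carry over. On the IV, OFB needs $s _ 0$ to be a nonce (never repeated under the same key), but unlike CBC and CFB it does not need to be unpredictable, since knowing $s _ 0$ without $k$ gives the adversary nothing; saying so here would stop readers copying the "must be unpredictable" rule from CFB. Note also that because $E(k, \cdot)$ is a permutation, the sequence $s _ i$ is eventually periodic, which is what "Key streams should not have repetitions" in the next hunk is about.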
@@ -311,8 +311,8 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
- Only encryption module is needed.
- Limitations
- Key streams should not have repetitions.
- We would have $c_i \oplus c_j = p_i \oplus p_j$.
- Size of each $s_i$ should be large enough.
- We would have $c _ i \oplus c _ j = p _ i \oplus p _ j$.
- Size of each $s _ i$ should be large enough.
- If attacker knows the plaintext and ciphertext, plaintext can be modified.
- Same as in OTP.
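Review bot: "Key streams should not have repetitions" deserves its reason, given the recurrence above: $E(k, \cdot)$ is a permutation, so $s _ i = E(k, s _ {i - 1})$ walks a cycle and repeats once it returns to $s _ 0$, and reusing $s _ 0$ under the same key repeats the whole stream from the first block, giving $c _ i \oplus c _ j = p _ i \oplus p _ j$ exactly as in the two-time pad. "If attacker knows the plaintext and ciphertext, plaintext can be modified" is weaker than the real situation: knowing a few plaintext bits is enough to flip exactly those bits in what the receiver decrypts. The fix is a MAC over the ciphertext (authenticated encryption), not a different IV rule.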
@@ -325,9 +325,9 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
- Highly parallelizable.
- Can decrypt from any arbitrary position.
- Counter should not be repeated for the same key.
- Suppose that the same counter $ctr$ is used for encrypting $m_0$ and $m_1$.
- Encryption results are: $(ctr, E(k, ctr) \oplus m_0), (ctr, E(k, ctr) \oplus m_1)$.
- Then the attacker can obtain $m_0 \oplus m_1$.
- Suppose that the same counter $ctr$ is used for encrypting $m _ 0$ and $m _ 1$.
- Encryption results are: $(ctr, E(k, ctr) \oplus m _ 0), (ctr, E(k, ctr) \oplus m _ 1)$.
- Then the attacker can obtain $m _ 0 \oplus m _ 1$.
## Modes of Operations Summary
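Review bot: "Counter should not be repeated for the same key" must cover every block, not only the first: a multi-block message consumes $ctr, ctr + 1, \dots$, so the counter ranges of any two messages under one key must not overlap. The usual construction is nonce $\parallel$ block index with a fixed split (e.g. 96 + 32 bits for a 128-bit block), which also bounds the message length. The two-message example then applies to any pair of blocks that land on the same counter value, not only to $m _ 0$ and $m _ 1$ at the same starting counter. Since CTR shares OFB's malleability, the "plaintext can be modified" limitation listed above applies here as well and could be cross-referenced.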

View File

@@ -107,7 +107,7 @@ allows us to reduce the size of the numbers before exponentiation.
## Modular Arithmetic
For modulus $n$, **modular arithmetic** is operation on $\mathbb{Z}_n$.
For modulus $n$, **modular arithmetic** is operation on $\mathbb{Z} _ n$.
### Residue Classes
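Review bot: "modular arithmetic is operation on $\mathbb{Z} _ n$" is ungrammatical; "is arithmetic on $\mathbb{Z} _ n$" or "means carrying out the operations in $\mathbb{Z} _ n$" says what is intended.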
@@ -136,10 +136,10 @@ Thus, $R$ is an **equivalence relation** and each residue class $[k]$ is an **eq
We write the set of residue classes modulo $n$ as
$$
\mathbb{Z}_n = \left\lbrace \overline{0}, \overline{1}, \overline{2}, \dots, \overline{n-1} \right\rbrace.
\mathbb{Z} _ n = \left\lbrace \overline{0}, \overline{1}, \overline{2}, \dots, \overline{n-1} \right\rbrace.
$$
Note that $\mathbb{Z}_n$ is closed under addition and multiplication.
Note that $\mathbb{Z} _ n$ is closed under addition and multiplication.
### Identity
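Review bot: this file writes $\mathbb{Z} _ n = \left\lbrace \overline{0}, \overline{1}, \dots, \overline{n-1} \right\rbrace$ with bars for residue classes, while the next file (the "Reduced Set of Residues" hunk) writes $\mathbb{Z} _ n = \left\lbrace 0, 1, \dots, n-1 \right\rbrace$ for the same object. Pick one convention, or add a sentence that $k$ stands for $\overline{k}$ from here on, so the reader does not wonder whether the two $\mathbb{Z} _ n$ differ.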
@@ -149,7 +149,7 @@ Note that $\mathbb{Z}_n$ is closed under addition and multiplication.
> \forall a \in S,\, a * e = e * a = a.
> $$
In $\mathbb{Z}_n$, the additive identity is $0$, the multiplicative identity is $1$.
In $\mathbb{Z} _ n$, the additive identity is $0$, the multiplicative identity is $1$.
### Inverse
@@ -169,7 +169,7 @@ $$
The inverse exists if and only if $\gcd(a, n) = 1$.
> **Lemma**. For $n \geq 2$ and $a \in \mathbb{Z}$, its inverse $a^{-1} \in \mathbb{Z}_n$ exists if and only if $\gcd(a, n) = 1$.
> **Lemma**. For $n \geq 2$ and $a \in \mathbb{Z}$, its inverse $a^{-1} \in \mathbb{Z} _ n$ exists if and only if $\gcd(a, n) = 1$.
*Proof*. We use the extended Euclidean algorithm. There exists $u, v \in \mathbb{Z}$ such that
@@ -223,7 +223,7 @@ Basically, we use the Euclidean algorithm and solve for the remainder (which is
#### Calculating Modular Multiplicative Inverse
We can use the extended Euclidean algorithm to find modular inverses. Suppose we want to calculate $a^{-1}$ in $\mathbb{Z}_n$. We assume that the inverse exist, so $\gcd(a, n) = 1$.
We can use the extended Euclidean algorithm to find modular inverses. Suppose we want to calculate $a^{-1}$ in $\mathbb{Z} _ n$. We assume that the inverse exist, so $\gcd(a, n) = 1$.
Therefore, we use the extended Euclidean algorithm and find $x, y \in \mathbb{Z}$ such that
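Review bot: "We assume that the inverse exist" should be "exists". The following "Therefore, we use the extended Euclidean algorithm" presents the algorithm as a consequence of the assumption rather than the method; "So run the extended Euclidean algorithm to find ..." reads more naturally.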
@@ -231,7 +231,7 @@ $$
ax + ny = 1.
$$
Then $ax \equiv 1 - ny \equiv 1 \pmod n$, thus $x$ is the inverse of $a$ in $\mathbb{Z}_n$.
Then $ax \equiv 1 - ny \equiv 1 \pmod n$, thus $x$ is the inverse of $a$ in $\mathbb{Z} _ n$.
[^1]: Note that in C standards, `(a / b) * b + (a % b) == a`.
[^2]: $a$ and $b$ are in the same coset of $\mathbb{Z}/n\mathbb{Z}$.
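Review bot: footnote [^1] is the place to warn that C's `%` takes the sign of the dividend (`-7 % 3 == -1`, truncation toward zero since C99), so the $x$ returned by the extended Euclidean algorithm in "find $x, y \in \mathbb{Z}$ such that $ax + ny = 1$" may be negative and must be normalised as `((x % n) + n) % n` before it is used as the inverse in $\mathbb{Z} _ n$; Python's `%` already returns a non-negative result for a positive modulus, which is one reason the same code behaves differently across languages.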

View File

@@ -90,7 +90,7 @@ For even better (maybe faster) results, we need the help of elementary number th
> a^{p-1} \equiv 1 \pmod p.
> $$
*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^\ast$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$.
*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z} _ p$, $a^{p-1} = 1$ in $\mathbb{Z} _ p$. Since $\mathbb{Z} _ p^\ast$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z} _ p$.
Here is an elementary proof not using group theory.
@@ -117,7 +117,7 @@ For direct calculation, we use the following formula.
> **Lemma.** For $n \in \mathbb{N}$, the following holds.
>
> $$
> \phi(n) = n \cdot \prod_{p \mid n} \left( 1 - \frac{1}{p} \right)
> \phi(n) = n \cdot \prod _ {p \mid n} \left( 1 - \frac{1}{p} \right)
> $$
>
> where $p$ is a prime number dividing $n$.
@@ -131,31 +131,31 @@ So to calculate $\phi(n)$, we need to **factorize** $n$. From the formula above,
### Reduced Set of Residues
Let $n \in \mathbb{N}$. The **complete set of residues** was denoted $\mathbb{Z}_n$ and
Let $n \in \mathbb{N}$. The **complete set of residues** was denoted $\mathbb{Z} _ n$ and
$$
\mathbb{Z}_n = \left\lbrace 0, 1, \dots, n-1 \right\rbrace.
\mathbb{Z} _ n = \left\lbrace 0, 1, \dots, n-1 \right\rbrace.
$$
We also often use the **reduced set of residues**.
> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^\ast$.
> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z} _ n^\ast$.
>
> $$
> \mathbb{Z}_n^\ast = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
> \mathbb{Z} _ n^\ast = \left\lbrace a \in \mathbb{Z} _ n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
> $$
Then by definition, we have the following result.
> **Lemma.** $\left\lvert \mathbb{Z}_n^\ast \right\lvert = \phi(n)$.
> **Lemma.** $\left\lvert \mathbb{Z} _ n^\ast \right\lvert = \phi(n)$.
We can also show that $\mathbb{Z}_n^\ast$ is a multiplicative group.
We can also show that $\mathbb{Z} _ n^\ast$ is a multiplicative group.
> **Lemma.** $\mathbb{Z}_n^\ast$ is a multiplicative group.
> **Lemma.** $\mathbb{Z} _ n^\ast$ is a multiplicative group.
*Proof*. Let $a, b \in \mathbb{Z}_n^\ast$. We must check if $ab \in \mathbb{Z}_n^\ast$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^\ast$.
*Proof*. Let $a, b \in \mathbb{Z} _ n^\ast$. We must check if $ab \in \mathbb{Z} _ n^\ast$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z} _ n^\ast$.
Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^\ast$ exists since $\gcd(a, n) = 1$.
Associativity holds trivially, as a subset of $\mathbb{Z} _ n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z} _ n^\ast$ exists since $\gcd(a, n) = 1$.
Now we can prove Euler's generalization.
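Review bot: the definition $\mathbb{Z} _ n^\ast = \left\lbrace a \in \mathbb{Z} _ n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace$ breaks the lemma $\left\lvert \mathbb{Z} _ n^\ast \right\rvert = \phi(n)$ at $n = 1$: $\phi(1) = 1$ but the set is empty. Excluding $0$ is redundant for $n \geq 2$ (there $\gcd(0, n) = n \neq 1$), so either drop "$\setminus \left\lbrace 0 \right\rbrace$" or state $n \geq 2$ up front, which the group lemma needs anyway. In the closure argument, "a prime factor $p$ of $d$ must divide $a$ or $b$" is Euclid's lemma and could be named, since the rest of the proof hinges on it. Also, the lemma is stated as "$\left\lvert \mathbb{Z} _ n^\ast \right\lvert$" with two `\lvert`; the closing delimiter should be `\rvert`.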
@@ -167,13 +167,13 @@ Now we can prove Euler's generalization.
> a^{\phi(n)} \equiv 1 \pmod n.
> $$
*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^\ast$. Then $a^{\left\lvert \mathbb{Z}_n^\ast \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z} _ n^\ast$. Then $a^{\left\lvert \mathbb{Z} _ n^\ast \right\lvert} = 1$ in $\mathbb{Z} _ n$. By the above lemma, we have the desired result.
*Proof*. (Elementary) Set $f : \mathbb{Z}_n^\ast \rightarrow \mathbb{Z}_n^\ast$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
*Proof*. (Elementary) Set $f : \mathbb{Z} _ n^\ast \rightarrow \mathbb{Z} _ n^\ast$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
Using the above result, we remark an important result that will be used in RSA.
> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^\ast$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z} _ n^\ast$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
*Proof*. $a = b + k\phi(n)$ for some $k \in \mathbb{Z}$. Then
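Review bot: the lemma "for $x \in \mathbb{Z} _ n^\ast$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$" only covers messages coprime to $n$. RSA correctness is normally wanted for every $x \in \mathbb{Z} _ n$, which holds when $n$ is squarefree (e.g. $n = pq$ with $p \neq q$): apply Fermat modulo each prime separately (the case $p \mid x$ is trivial) and combine with the CRT proved below. Either state that stronger version here or flag the restriction where the lemma is used. The proof line "$a = b + k\phi(n)$ for some $k \in \mathbb{Z}$" also needs $k \geq 0$, or the convention that negative exponents mean inverses in $\mathbb{Z} _ n^\ast$, for $x^a$ to make sense.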
@@ -192,44 +192,44 @@ by Euler's generalization.
> - $(\mathsf{G3})$ $G$ has an **identity** element $e$ such that $e * a = a * e = a$ for all $a \in G$.
> - $(\mathsf{G4})$ There is an **inverse** for every element of $G$. For each $a \in G$, there exists $x \in G$ such that $a * x = x * a = e$. We write $x = a^{-1}$ in this case.
$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^\ast$ is a multiplicative group.
$\mathbb{Z} _ n$ is an additive group, and $\mathbb{Z} _ n^\ast$ is a multiplicative group.
## Chinese Remainder Theorem (CRT)
> **Theorem.** Let $n_1, \dots, n_k$ be integers greater than $1$, and let $N = n_1n_2\cdots n_k$. If $n_i$ are pairwise relatively prime, then the system of equations $x \equiv a_i \pmod {n_i}$ has a unique solution modulo $N$.
> **Theorem.** Let $n _ 1, \dots, n _ k$ be integers greater than $1$, and let $N = n _ 1n _ 2\cdots n _ k$. If $n _ i$ are pairwise relatively prime, then the system of equations $x \equiv a _ i \pmod {n _ i}$ has a unique solution modulo $N$.
>
> *(Abstract Algebra)* The map
>
> $$
> x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k)
> x \bmod N \mapsto (x \bmod n _ 1, \dots, x \bmod n _ k)
> $$
>
> defines a ring isomorphism
>
> $$
> \mathbb{Z}_N \simeq \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}.
> \mathbb{Z} _ N \simeq \mathbb{Z} _ {n _ 1} \times \mathbb{Z} _ {n _ 2} \times \cdots \times \mathbb{Z} _ {n _ k}.
> $$
*Proof*. (**Existence**) Let $N_i = N/n_i$. Then $\gcd(N_i, n_i) = 1$. By the extended Euclidean algorithm, there exist integers $M_i, m_i$ such that $M_iN_i + m_in_i= 1$. Now set
*Proof*. (**Existence**) Let $N _ i = N/n _ i$. Then $\gcd(N _ i, n _ i) = 1$. By the extended Euclidean algorithm, there exist integers $M _ i, m _ i$ such that $M _ iN _ i + m _ in _ i= 1$. Now set
$$
x = \sum_{i=1}^k a_i M_i N_i.
x = \sum _ {i=1}^k a _ i M _ i N _ i.
$$
Then $x \equiv a_iM_iN_i \equiv a_i(1 - m_in_i) \equiv a_i \pmod {n_i}$ for all $i = 1, \dots, k$.
Then $x \equiv a _ iM _ iN _ i \equiv a _ i(1 - m _ in _ i) \equiv a _ i \pmod {n _ i}$ for all $i = 1, \dots, k$.
(**Uniqueness**) Suppose that we have two distinct solutions $x, y$ modulo $N$. $x, y$ are solutions to $x \equiv a_i \pmod {n_i}$, so $n_i \mid (x - y)$ for all $i$. Therefore we have
(**Uniqueness**) Suppose that we have two distinct solutions $x, y$ modulo $N$. $x, y$ are solutions to $x \equiv a _ i \pmod {n _ i}$, so $n _ i \mid (x - y)$ for all $i$. Therefore we have
$$
\mathrm{lcm}(n_1, \dots, n_k) \mid (x - y).
\mathrm{lcm}(n _ 1, \dots, n _ k) \mid (x - y).
$$
But $n_i$ are pairwise relatively prime, so $\mathrm{lcm}(n_1, \dots, n_k) = N$ and $N \mid (x-y)$. Hence $x \equiv y \pmod N$.
But $n _ i$ are pairwise relatively prime, so $\mathrm{lcm}(n _ 1, \dots, n _ k) = N$ and $N \mid (x-y)$. Hence $x \equiv y \pmod N$.
*Proof*. (**Abstract Algebra**) The above uniqueness proof shows that the map
$$
x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k)
x \bmod N \mapsto (x \bmod n _ 1, \dots, x \bmod n _ k)
$$
is injective. By pigeonhole principle, this map must also be surjective. This map is also a ring homomorphism, by the properties of modular arithmetic. We have a ring isomorphism.
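Review bot: the uniqueness argument opens with "two distinct solutions" and then proves x ≡ y (mod N), which reads as an unfinished contradiction; "Suppose x, y are two solutions modulo N" is cleaner and is also the form the abstract-algebra proof reuses for injectivity. The pigeonhole step should also say why it applies: both sides have exactly N = n_1 ⋯ n_k elements, so an injective map between them is surjective. The `_` → ` _ ` conversion itself is applied consistently throughout this hunk.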
@@ -260,19 +260,19 @@ int chinese_remainder_theorem(vector<int>& remainder, vector<int>& modulus) {
}
```
The `modular_inverse` function uses the extended Euclidean algorithm to find $M_i$ in the proof. For large moduli and many equations, $N_i = N / n_i$ results in a very large number, which is hard to handle (if your language has integer overflow) and takes longer to compute.
The `modular_inverse` function uses the extended Euclidean algorithm to find $M _ i$ in the proof. For large moduli and many equations, $N _ i = N / n _ i$ results in a very large number, which is hard to handle (if your language has integer overflow) and takes longer to compute.
A better way is to construct the solution **inductively**. Find a solution for the first two equations,
$$
\begin{array}{c}
x \equiv a_1 \pmod{n_1} \\
x \equiv a_2 \pmod{n_2}
\end{array} \implies x \equiv a_{1, 2} \pmod{n_1n_2}
x \equiv a _ 1 \pmod{n _ 1} \\
x \equiv a _ 2 \pmod{n _ 2}
\end{array} \implies x \equiv a _ {1, 2} \pmod{n _ 1n _ 2}
$$
and using the result, add the next equation $x \equiv a_3 \pmod{n_3}$ and find a solution.[^1]
and using the result, add the next equation $x \equiv a _ 3 \pmod{n _ 3}$ and find a solution.[^1]
Lastly, the ring isomorphism actually tells us a lot and is quite effective for computation. Since the two rings are *isomorphic*, operations in $\mathbb{Z}_N$ can be done independently in each $\mathbb{Z}_{n_i}$ and then merged back to $\mathbb{Z}_N$. $N$ was a large number, so computations can be much faster in $\mathbb{Z}_{n_i}$. Specifically, we will see how this fact is used for computations in RSA.
Lastly, the ring isomorphism actually tells us a lot and is quite effective for computation. Since the two rings are *isomorphic*, operations in $\mathbb{Z} _ N$ can be done independently in each $\mathbb{Z} _ {n _ i}$ and then merged back to $\mathbb{Z} _ N$. $N$ was a large number, so computations can be much faster in $\mathbb{Z} _ {n _ i}$. Specifically, we will see how this fact is used for computations in RSA.
[^1]: I have an implementation in my repository. [Link](https://github.com/calofmijuck/BOJ/blob/4b29e0c7f487aac3186661176d2795f85f0ab21b/Codes/23000/23062.cpp#L38).
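Review bot: the remark that the inductive construction avoids the large N_i tells only half the story visible here: the merged congruence is taken modulo n_1 n_2 and, per the last paragraph, eventually modulo N, so the result still grows to N and the overflow caveat applies to the final modulus as well; worth stating that the gain is in the size of the operands of each step, not of the result. Also, "find M_i in the proof" should say what M_i is, namely the inverse of N_i modulo n_i from M_i N_i + m_i n_i = 1, which is exactly what `modular_inverse` computes.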

View File

@@ -51,7 +51,7 @@ This is an explanation of *textbook* RSA encryption scheme.
### RSA Encryption and Decryption
Suppose we want to encrypt a message $m \in \mathbb{Z}_N$.
Suppose we want to encrypt a message $m \in \mathbb{Z} _ N$.
- **Encryption**
- Using the public key $(N, e)$, compute the ciphertext $c = m^e \bmod N$.
@@ -106,13 +106,13 @@ $e, d$ are still chosen to satisfy $ed \equiv 1 \pmod {\phi(N)}$. Suppose we wan
We will also use the Chinese remainder theorem here.
Since $\gcd(m, N) \neq 1$ and $N = pq$, we have $p \mid m$. So if we compute in $\mathbb{Z}_p$, we will get $0$,
Since $\gcd(m, N) \neq 1$ and $N = pq$, we have $p \mid m$. So if we compute in $\mathbb{Z} _ p$, we will get $0$,
$$
c^d \equiv m^{ed} \equiv 0^{ed} \equiv 0 \pmod p.
$$
We also do the computation in $\mathbb{Z}_q$ and get
We also do the computation in $\mathbb{Z} _ q$ and get
$$
c^d \equiv m^{ed} \equiv m^{1 + k\phi(N)} \equiv m\cdot (m^{q-1})^{k(p-1)} \equiv m \cdot 1^{k(p-1)} \equiv m \pmod q.
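Review bot: "we have p | m" at the top of the hunk is a without-loss-of-generality choice, not a consequence of gcd(m, N) ≠ 1 alone (q | m is equally possible, and if both divide m then m = 0 and the claim is trivial); say so, because the step m^{q-1} ≡ 1 (mod q) on the last line needs q ∤ m. Suggest: "Since gcd(m, N) ≠ 1 and N = pq, one of p, q divides m; assume without loss of generality that p | m and q ∤ m."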
@@ -122,15 +122,15 @@ Here, we used the fact that $m^{q-1} \equiv 1 \pmod q$. This holds because if $p
Therefore, from $c^d \equiv 0 \pmod p$ and $c^d \equiv (m \bmod q) \pmod q$, we can recover a unique solution $c^d \equiv m \pmod N$.
Now we must argue that the recovered solution is actually equal to the original $m$. But what we did above was showing that $m^{ed}$ and $m$ in $\mathbb{Z}_N$ are mapped to the same element $(0, m \bmod q)$ in $\mathbb{Z}_p \times \mathbb{Z}_q$. Since the Chinese remainder theorem tells us that this mapping is an isomorphism, $m^{ed}$ and $m$ must have been the same elements of $\mathbb{Z}_N$ in the first place.
Now we must argue that the recovered solution is actually equal to the original $m$. But what we did above was showing that $m^{ed}$ and $m$ in $\mathbb{Z} _ N$ are mapped to the same element $(0, m \bmod q)$ in $\mathbb{Z} _ p \times \mathbb{Z} _ q$. Since the Chinese remainder theorem tells us that this mapping is an isomorphism, $m^{ed}$ and $m$ must have been the same elements of $\mathbb{Z} _ N$ in the first place.
Notice that we did not require $m$ to be relatively prime to $N$. Thus the RSA encryption scheme is correct for any $m \in \mathbb{Z}_N$.
Notice that we did not require $m$ to be relatively prime to $N$. Thus the RSA encryption scheme is correct for any $m \in \mathbb{Z} _ N$.
## Correctness of RSA with Fermat's Little Theorem
Actually, the above argument can be proven only with Fermat's little theorem. In the above proof, the Chinese remainder theorem was used to transform the operation, but for $N = pq$, the situation is simple enough that this theorem is not necessarily required.
Let $M = m^{ed} - m$. We have shown above only using Fermat's little theorem that $p \mid M$ and $q \mid M$, for any choice of $m \in \mathbb{Z}_N$. Then since $N = pq = \mathrm{lcm}(p, q)$, we have $N \mid M$, so $m^{ed} \equiv m \pmod N$. Hence the RSA scheme is correct.
Let $M = m^{ed} - m$. We have shown above only using Fermat's little theorem that $p \mid M$ and $q \mid M$, for any choice of $m \in \mathbb{Z} _ N$. Then since $N = pq = \mathrm{lcm}(p, q)$, we have $N \mid M$, so $m^{ed} \equiv m \pmod N$. Hence the RSA scheme is correct.
So we don't actually need Euler's generalization for proving the correctness of RSA...?! In fact, the proof given in the original paper of RSA used Fermat's little theorem.
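Review bot: N = pq = lcm(p, q) in the Fermat-only proof holds only because p and q are distinct primes; add "since p ≠ q" there, as that is the one place the argument uses it. The sentence "We have shown above ... that p | M and q | M, for any choice of m" also silently combines two cases (gcd(m, N) = 1 and p | m); listing both cases explicitly would make the proof self-contained.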
@@ -138,42 +138,42 @@ So we don't actually need Euler's generalization for proving the correctness of
This is an inverse problem of exponentiation. The inverse of exponentials is logarithms, so we consider the **discrete logarithm of a number modulo $p$**.
Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^\ast$, since if $g$ is the generator, a solution always exists.
Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log _ g y$. We set $g$ to be a generator of the group $\mathbb{Z} _ p$ or $\mathbb{Z} _ p^\ast$, since if $g$ is the generator, a solution always exists.
Read more in [discrete logarithm problem (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#discrete-logarithm-problem-(dl)).
Read more in [discrete logarithm problem (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#discrete-logarithm-problem-(dl)).
## ElGamal Encryption
This is an encryption scheme built upon the hardness of the DLP.
> 1. Let $p$ be a large prime.
> 2. Select a generator $g \in \mathbb{Z}_p^\ast$.
> 3. Choose a private key $x \in \mathbb{Z}_p^\ast$.
> 2. Select a generator $g \in \mathbb{Z} _ p^\ast$.
> 3. Choose a private key $x \in \mathbb{Z} _ p^\ast$.
> 4. Compute the public key $y = g^x \pmod p$.
> - $p, g, y$ will be publicly known.
> - $x$ is kept secret.
### ElGamal Encryption and Decryption
Suppose we encrypt a message $m \in \mathbb{Z}_p^\ast$.
Suppose we encrypt a message $m \in \mathbb{Z} _ p^\ast$.
> 1. The sender chooses a random $k \in \mathbb{Z}_p^\ast$, called *ephemeral key*.
> 2. Compute $c_1 = g^k \pmod p$ and $c_2 = my^k \pmod p$.
> 3. $c_1, c_2$ are sent to the receiver.
> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^\ast$.
> 5. Then $c_2y^{-k} \equiv m \pmod p$, recovering the message.
> 1. The sender chooses a random $k \in \mathbb{Z} _ p^\ast$, called *ephemeral key*.
> 2. Compute $c _ 1 = g^k \pmod p$ and $c _ 2 = my^k \pmod p$.
> 3. $c _ 1, c _ 2$ are sent to the receiver.
> 4. The receiver calculates $c _ 1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z} _ p^\ast$.
> 5. Then $c _ 2y^{-k} \equiv m \pmod p$, recovering the message.
The attacker will see $g^k$. By the hardness of DLP, the attacker is unable to recover $k$ even if he knows $g$.
#### Ephemeral Key Should Be Distinct
If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z}_p^\ast$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z}_p^\ast$, inverses exist. So
If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m _ 1, m _ 2 \in \mathbb{Z} _ p^\ast$. The attacker will see $(g^k, m _ 1y^k)$ and $(g^k, m _ 2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z} _ p^\ast$, inverses exist. So
$$
m_1y^k \cdot (m_2 y^k)^{-1} \equiv m_1m_2^{-1} \equiv 1 \pmod p
m _ 1y^k \cdot (m _ 2 y^k)^{-1} \equiv m _ 1m _ 2^{-1} \equiv 1 \pmod p
$$
which implies that $m_1 \equiv m_2 \pmod p$, leaking some information.
which implies that $m _ 1 \equiv m _ 2 \pmod p$, leaking some information.
[^1]: If one of the primes is small, factoring is easy. Therefore we require that $p, q$ both be large primes.
[^2]: There is a quantum polynomial time (BQP) algorithm for integer factorization. See [Shor's algorithm](https://en.wikipedia.org/wiki/Shor%27s_algorithm).
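Review bot: the displayed congruence in the ephemeral-key paragraph asserts m_1 m_2^{-1} ≡ 1 (mod p), which is only true when the two messages are equal; what the attacker learns from a reused k is the quotient m_1 m_2^{-1}, so knowing either plaintext reveals the other. Suggest dropping the "≡ 1" and replacing "which implies that m_1 ≡ m_2 (mod p)" with "which reveals m_1 m_2^{-1}, leaking some information". Separately, the DLP paragraph says g generates "Z_p or Z_p^*"; since y = g^x is a multiplicative relation, only a generator of Z_p^* makes sense there, and "find the inverse" in step 4 should be "finds".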

View File

@@ -15,7 +15,7 @@ date: 2023-10-09
github_title: 2023-10-09-public-key-cryptography
---
In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md).
In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/).
## Public Key Cryptography
@@ -32,7 +32,7 @@ These keys are created to be used in **trapdoor one-way functions**.
A **one-way function** is a function that is easy to compute, but hard to compute the pre-image of any output. Here are some common examples.
- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../modern-cryptography/2023-09-28-hash-functions.md#collision-resistance).
- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions/#collision-resistance).
- *Factoring a large integer*: It is easy to multiply to integers even if they're large, but factoring is very hard.
- *Discrete logarithm problem*: It is easy to exponentiate a number, but it is hard to find the discrete logarithm.
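Review bot: typo in the unchanged context line, "multiply to integers" should be "multiply two integers".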
@@ -80,14 +80,14 @@ But a problem still remains. How does one verify that this key is indeed from th
## Diffie-Hellman Key Exchange
Choose a large prime $p$ and a generator $g$ of $\mathbb{Z}_p^\ast$. The description of $g$ and $p$ will be known to the public.
Choose a large prime $p$ and a generator $g$ of $\mathbb{Z} _ p^\ast$. The description of $g$ and $p$ will be known to the public.
> 1. Alice chooses some $x \in \mathbb{Z}_p^\ast$ and sends $g^x \bmod p$ to Bob.
> 2. Bob chooses some $y \in \mathbb{Z}_p^\ast$ and sends $g^y \bmod p$ to Alice.
> 1. Alice chooses some $x \in \mathbb{Z} _ p^\ast$ and sends $g^x \bmod p$ to Bob.
> 2. Bob chooses some $y \in \mathbb{Z} _ p^\ast$ and sends $g^y \bmod p$ to Alice.
> 3. Alice and Bob calculate $g^{xy} \bmod p$ separately.
> 4. Eve can see $g^x \bmod p$, $g^y \bmod p$ but cannot calculate $g^{xy} \bmod p$.
Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#diffie-hellman-key-exchange-(dhke)).
Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#diffie-hellman-key-exchange-(dhke)).
## Message Integrity
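Review bot: step 3 should say how the shared value is obtained, Alice computes (g^y)^x and Bob computes (g^x)^y, since that is the step the whole exchange rests on. On the link change: the new anchor `#diffie-hellman-key-exchange-(dhke)` keeps unescaped parentheses in the destination; CommonMark tolerates balanced ones but other renderers do not, so percent-encoding them as `%28dhke%29` is safer (the same applies to the discrete-logarithm anchor changed earlier in this commit).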

View File

@@ -74,42 +74,42 @@ To defend this attack, we can use [encrypt-then-MAC (Modern Cryptography)](../..
We will perform a **chosen ciphertext attack** to fully recover the plaintext.
Suppose that we obtain a ciphertext $(\mathrm{IV}, c_1, c_2)$, which is an encryption of two blocks $m = m_0 \parallel m_1$, including the padding. By the CBC encryption algorithm we know that
Suppose that we obtain a ciphertext $(\mathrm{IV}, c _ 1, c _ 2)$, which is an encryption of two blocks $m = m _ 0 \parallel m _ 1$, including the padding. By the CBC encryption algorithm we know that
$$
c_1 = E_k(m_0 \oplus \mathrm{IV}), \qquad c_2 = E_k(m_1 \oplus c_1).
c _ 1 = E _ k(m _ 0 \oplus \mathrm{IV}), \qquad c _ 2 = E _ k(m _ 1 \oplus c _ 1).
$$
We don't know exactly how many padding bits there were, but it doesn't matter. We brute force by **changing the last byte of $c_1$** and requesting the decryption of the modified ciphertext $(\mathrm{IV}, c_1', c_2)$.
We don't know exactly how many padding bits there were, but it doesn't matter. We brute force by **changing the last byte of $c _ 1$** and requesting the decryption of the modified ciphertext $(\mathrm{IV}, c _ 1', c _ 2)$.
The decryption process of the last block is $c_1 \oplus D_k(c_2)$, so by changing the last byte of $c_1$, we hope to get a decryption result that ends with $\texttt{0x01}$. Then the last byte $\texttt{0x01}$ will be treated as a padding and padding errors will not occur. So we keep trying until we don't get a padding error.[^1]
The decryption process of the last block is $c _ 1 \oplus D _ k(c _ 2)$, so by changing the last byte of $c _ 1$, we hope to get a decryption result that ends with $\texttt{0x01}$. Then the last byte $\texttt{0x01}$ will be treated as a padding and padding errors will not occur. So we keep trying until we don't get a padding error.[^1]
Now, suppose that we successfully changed the last byte of $c_1$ to $b$, so that the last byte of $(c_1[0\dots6] \parallel b) \oplus D_k(c_2)$ is $\texttt{0x01}$. Next, we change the second-last bit $c_1[6]$ and request the decryption and hope to get an output that ends with $\texttt{0x0202}$. The last two bytes will also be treated as a padding and we won't get a padding error.
Now, suppose that we successfully changed the last byte of $c _ 1$ to $b$, so that the last byte of $(c _ 1[0\dots6] \parallel b) \oplus D _ k(c _ 2)$ is $\texttt{0x01}$. Next, we change the second-last bit $c _ 1[6]$ and request the decryption and hope to get an output that ends with $\texttt{0x0202}$. The last two bytes will also be treated as a padding and we won't get a padding error.
We repeat the above process until we get a modified ciphertext $c_1' \parallel c_2$, where the decryption result ends with $8$ bytes of $\texttt{0x08}$. Then now we know that
We repeat the above process until we get a modified ciphertext $c _ 1' \parallel c _ 2$, where the decryption result ends with $8$ bytes of $\texttt{0x08}$. Then now we know that
$$
c_1' \oplus D_k(c_2) = \texttt{0x08}^8.
c _ 1' \oplus D _ k(c _ 2) = \texttt{0x08}^8.
$$
Then we can recover $D_k(c_2) = c_1' \oplus \texttt{0x08}^8$, and then since $m_1 = c_1 \oplus D_k(c_2)$,
Then we can recover $D _ k(c _ 2) = c _ 1' \oplus \texttt{0x08}^8$, and then since $m _ 1 = c _ 1 \oplus D _ k(c _ 2)$,
$$
m_1 = c_1 \oplus D_k(c_2) = c_1 \oplus c_1' \oplus \texttt{0x08}^8,
m _ 1 = c _ 1 \oplus D _ k(c _ 2) = c _ 1 \oplus c _ 1' \oplus \texttt{0x08}^8,
$$
allowing us to recover the whole message $m_1$.
allowing us to recover the whole message $m _ 1$.
Now to recover $m_0$, we modify the $\mathrm{IV}$ using the same method as above. This time, we do not use $c_2$ and request a decryption of $(\mathrm{IV}', c_1)$ only. If some $\mathrm{IV}'$ gives a decryption result that ends with $8$ bytes of $\texttt{0x08}$, we have that
Now to recover $m _ 0$, we modify the $\mathrm{IV}$ using the same method as above. This time, we do not use $c _ 2$ and request a decryption of $(\mathrm{IV}', c _ 1)$ only. If some $\mathrm{IV}'$ gives a decryption result that ends with $8$ bytes of $\texttt{0x08}$, we have that
$$
\mathrm{IV}' \oplus D_k(c_1) = \texttt{0x08}^8.
\mathrm{IV}' \oplus D _ k(c _ 1) = \texttt{0x08}^8.
$$
Similarly, we recover $m_0$ by
Similarly, we recover $m _ 0$ by
$$
m_0 = \mathrm{IV} \oplus D_k(c_1) = \mathrm{IV} \oplus \mathrm{IV}' \oplus \texttt{0x08}^8.
m _ 0 = \mathrm{IV} \oplus D _ k(c _ 1) = \mathrm{IV} \oplus \mathrm{IV}' \oplus \texttt{0x08}^8.
$$
## Hashed MAC (HMAC)
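Review bot: "second-last bit c_1[6]" is a byte, not a bit, and "how many padding bits" should likewise be "padding bytes". The indices 0…6 and the 0x08^8 terminal state also assume an 8-byte block, which the text should state explicitly, since with a 16-byte block the same walk ends at 0x10^16. At the 0x0202 step the last byte has to be re-chosen as well (it must now decrypt to 0x02 rather than 0x01), otherwise the oracle's acceptance is for the wrong reason; a sentence there would close the gap.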
@@ -119,13 +119,13 @@ Let $H$ be a has function. We defined MAC as $H(k \parallel m)$ where $k$ is a k
Choose a key $k \leftarrow \mathcal{K}$, and set
$$
k_1 = k \oplus \texttt{ipad}, \quad k_2 = k\oplus \texttt{opad}
k _ 1 = k \oplus \texttt{ipad}, \quad k _ 2 = k\oplus \texttt{opad}
$$
where $\texttt{ipad} = \texttt{0x363636}...$ and $\texttt{opad} = \texttt{0x5C5C5C}...$. Then
$$
\mathrm{HMAC}(k, m) = H(k_2 \parallel H(k_1 \parallel m)).
\mathrm{HMAC}(k, m) = H(k _ 2 \parallel H(k _ 1 \parallel m)).
$$
## TLS Details
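Review bot: typo in the hunk header context, "has function" should be "hash function". In the definition, ipad and opad are block-length constants (the `...` on 0x3636.../0x5C5C5C...), while k is simply drawn from K with no stated length; HMAC first brings k to the hash's block size (zero-padding it, hashing it first if longer) before the XOR, and the definition should say so, otherwise k_1 = k ⊕ ipad is ill-typed.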
@@ -157,7 +157,7 @@ Here's how the client and the server establishes a connection using the TLS hand
- Client sends the TLS protocol version and cipher suites that it supports.
- The version is the highest version supported by the client.
- A random number $N_c$ for generating the secret is sent.
- A random number $N _ c$ for generating the secret is sent.
- A session ID may be sent if the client wants to resume an old session.
#### ServerHello
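Review bot: grammar in the hunk header context, "the client and the server establishes" should be "establish".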
@@ -165,7 +165,7 @@ Here's how the client and the server establishes a connection using the TLS hand
- Server sends the TLS version and cipher suite to use.
- The TLS version will be the highest version supported by both parties.
- The server will pick the strongest cryptographic algorithm offered by the client.
- The server also sends a random number $N_s$.
- The server also sends a random number $N _ s$.
#### Certificate/ServerKeyExchange
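Review bot: "The server will pick the strongest cryptographic algorithm offered by the client" overstates it: the server selects one suite from the client's list according to its own configured preference order, which need not be the strongest one offered; "the server picks a cipher suite from the client's list, by its own preference" is accurate.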
@@ -177,10 +177,10 @@ Here's how the client and the server establishes a connection using the TLS hand
#### ClientKeyExchange
- Client sends *premaster secret* (PMS) $secret_c$.
- Client sends *premaster secret* (PMS) $secret _ c$.
- This is encrypted with server's public key.
- This secret key material will be used to generate the secret key.
- Both parties derive a shared **session key** from $N_c$, $N_s$, $secret_c$.
- Both parties derive a shared **session key** from $N _ c$, $N _ s$, $secret _ c$.
- If the protocol is correct, the same key should be generated.
#### Finished
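Review bot: "This is encrypted with server's public key" describes the RSA key exchange only; on the ServerKeyExchange path named in the previous subsection (ephemeral Diffie-Hellman in TLS 1.2) the premaster secret is derived from the exchanged values and is never encrypted, so the bullet should be scoped to the RSA case. Minor: `$secret _ c$` typesets as a product of italic letters; `$\mathit{secret} _ c$` or `$\text{secret} _ c$` keeps the house ` _ ` spacing and renders as a word.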