feat: breaking change (unstable) (#198)

* [PUBLISHER] upload files #175

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md

* [PUBLISHER] upload files #177

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryptio.md

* [PUBLISHER] upload files #178

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #179

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #180

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #181

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #182

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* [PUBLISHER] upload files #183

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #184

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #185

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #186

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* [PUBLISHER] upload files #187

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #188

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md

* chore: remove files

* [PUBLISHER] upload files #197

* PUSH NOTE : 수학 공부에 대한 고찰.md

* PUSH NOTE : 09. Lp Functions.md

* PUSH ATTACHMENT : mt-09.png

* PUSH NOTE : 08. Comparison with the Riemann Integral.md

* PUSH ATTACHMENT : mt-08.png

* PUSH NOTE : 04. Measurable Functions.md

* PUSH ATTACHMENT : mt-04.png

* PUSH NOTE : 06. Convergence Theorems.md

* PUSH ATTACHMENT : mt-06.png

* PUSH NOTE : 07. Dominated Convergence Theorem.md

* PUSH ATTACHMENT : mt-07.png

* PUSH NOTE : 05. Lebesgue Integration.md

* PUSH ATTACHMENT : mt-05.png

* PUSH NOTE : 03. Measure Spaces.md

* PUSH ATTACHMENT : mt-03.png

* PUSH NOTE : 02. Construction of Measure.md

* PUSH ATTACHMENT : mt-02.png

* PUSH NOTE : 01. Algebra of Sets and Set Functions.md

* PUSH ATTACHMENT : mt-01.png

* PUSH NOTE : Rules of Inference with Coq.md

* PUSH NOTE : 블로그 이주 이야기.md

* PUSH NOTE : Secure IAM on AWS with Multi-Account Strategy.md

* PUSH ATTACHMENT : separation-by-product.png

* PUSH NOTE : You and Your Research, Richard Hamming.md

* PUSH NOTE : 10. Digital Signatures.md

* PUSH ATTACHMENT : mc-10-dsig-security.png

* PUSH ATTACHMENT : mc-10-schnorr-identification.png

* PUSH NOTE : 9. Public Key Encryption.md

* PUSH ATTACHMENT : mc-09-ss-pke.png

* PUSH NOTE : 8. Number Theory.md

* PUSH NOTE : 7. Key Exchange.md

* PUSH ATTACHMENT : mc-07-dhke.png

* PUSH ATTACHMENT : mc-07-dhke-mitm.png

* PUSH ATTACHMENT : mc-07-merkle-puzzles.png

* PUSH NOTE : 6. Hash Functions.md

* PUSH ATTACHMENT : mc-06-merkle-damgard.png

* PUSH ATTACHMENT : mc-06-davies-meyer.png

* PUSH ATTACHMENT : mc-06-hmac.png

* PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md

* PUSH ATTACHMENT : mc-05-ci.png

* PUSH ATTACHMENT : mc-05-etm-mte.png

* PUSH NOTE : 1. OTP, Stream Ciphers and PRGs.md

* PUSH ATTACHMENT : mc-01-prg-game.png

* PUSH ATTACHMENT : mc-01-ss.png

* PUSH NOTE : 4. Message Authentication Codes.md

* PUSH ATTACHMENT : mc-04-mac.png

* PUSH ATTACHMENT : mc-04-mac-security.png

* PUSH ATTACHMENT : mc-04-cbc-mac.png

* PUSH ATTACHMENT : mc-04-ecbc-mac.png

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH ATTACHMENT : is-03-ecb-encryption.png

* PUSH ATTACHMENT : is-03-cbc-encryption.png

* PUSH ATTACHMENT : is-03-ctr-encryption.png

* PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md

* PUSH ATTACHMENT : mc-02-block-cipher.png

* PUSH ATTACHMENT : mc-02-feistel-network.png

* PUSH ATTACHMENT : mc-02-des-round.png

* PUSH ATTACHMENT : mc-02-DES.png

* PUSH ATTACHMENT : mc-02-aes-128.png

* PUSH ATTACHMENT : mc-02-2des-mitm.png

* PUSH NOTE : 18. Bootstrapping & CKKS.md

* PUSH NOTE : 17. BGV Scheme.md

* PUSH NOTE : 16. The GMW Protocol.md

* PUSH ATTACHMENT : mc-16-beaver-triple.png

* PUSH NOTE : 15. Garbled Circuits.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* PUSH NOTE : 13. Sigma Protocols.md

* PUSH ATTACHMENT : mc-13-sigma-protocol.png

* PUSH ATTACHMENT : mc-13-okamoto.png

* PUSH ATTACHMENT : mc-13-chaum-pedersen.png

* PUSH ATTACHMENT : mc-13-gq-protocol.png

* PUSH NOTE : 12. Zero-Knowledge Proofs (Introduction).md

* PUSH ATTACHMENT : mc-12-id-protocol.png

* PUSH NOTE : 11. Advanced Topics.md

* PUSH NOTE : 0. Introduction.md

* PUSH NOTE : 02. Symmetric Key Cryptography (1).md

* PUSH NOTE : 09. Transport Layer Security.md

* PUSH ATTACHMENT : is-09-tls-handshake.png

* PUSH NOTE : 08. Public Key Infrastructure.md

* PUSH ATTACHMENT : is-08-certificate-validation.png

* PUSH NOTE : 07. Public Key Cryptography.md

* PUSH NOTE : 06. RSA and ElGamal Encryption.md

* PUSH NOTE : 05. Modular Arithmetic (2).md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* PUSH ATTACHMENT : is-03-feistel-function.png

* PUSH ATTACHMENT : is-03-cfb-encryption.png

* PUSH ATTACHMENT : is-03-ofb-encryption.png

* PUSH NOTE : 04. Modular Arithmetic (1).md

* PUSH NOTE : 01. Security Introduction.md

* PUSH ATTACHMENT : is-01-cryptosystem.png

* PUSH NOTE : Search Time in Hash Tables.md

* PUSH NOTE : 랜덤 PS일지 (1).md

* chore: rearrange articles

* feat: fix paths

* feat: fix all broken links

* feat: title font to palatino

_posts/lecture-notes/modern-cryptography/2023-09-05-introduction.md

@@ -28,8 +28,8 @@ Some notations first:
 - $\mathcal{M}$ is the plaintext space (messages)
 - $\mathcal{K}$ is the key space
 - $\mathcal{C}$ is the ciphertext space
-- $E: \mathcal{K} \times \mathcal{M} \rightarrow \mathcal{C}$ is the encryption algorithm (sometimes $\mathsf{Enc}_k$)
-- $D:\mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M}$ is the decryption algorithm (sometimes $\mathsf{Dec}_k$)
+- $E: \mathcal{K} \times \mathcal{M} \rightarrow \mathcal{C}$ is the encryption algorithm (sometimes $\mathsf{Enc} _ k$)
+- $D:\mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M}$ is the decryption algorithm (sometimes $\mathsf{Dec} _ k$)
 
 In a **symmetric cipher**, a key $k \in \mathcal{K}$ is used both for encryption and decryption, giving the following correctness requirement.
 
@@ -40,7 +40,7 @@ $$\forall k \in \mathcal{K},\, \forall m \in \mathcal{M},\, D(k, E(k, m)) = m$$
 Let $\Sigma$ be the set of lowercase english alphabets.
 
 - $\mathcal{M} = \mathcal{C} = \Sigma^\ast$, where $\Sigma^\ast$ is the [Kleene star](https://en.wikipedia.org/wiki/Kleene_star).
-- $\mathcal{K} = \mathbb{Z}_{26}$ (Caesar used $3 \in \mathcal{K}$)
+- $\mathcal{K} = \mathbb{Z} _ {26}$ (Caesar used $3 \in \mathcal{K}$)
 - $E(k, x) = x + k \pmod{26}$ for each letter $x$ of $m \in \mathcal{M}$.
 - $D(k, y) = y - k \pmod{26}$ for each letter $y$ of $c \in \mathcal{C}$.
 
@@ -50,13 +50,13 @@ This scheme is not safe since we can try all $26$ keys and find the sentence tha
 
 Guessing the key and checking the plaintext is hard to automate, since computers don't know what sentences make sense.[^1] In some cases, the message may be invalid in normal English, while the plaintext characters follow the same distribution.
 
-Let $p_i \in [0, 1]$ be the frequency of the $i$-th letter in normal English text. Then it is known that
+Let $p _ i \in [0, 1]$ be the frequency of the $i$-th letter in normal English text. Then it is known that
 
-$$ \sum_{i=0}^{25} p_i^2 \approx 0.065$$
+$$ \sum _ {i=0}^{25} p _ i^2 \approx 0.065$$
 
-Now, let $q_i \in [0, 1]$ be the frequency of the $i$-th letter in the given ciphertext. For the key $k \in \mathcal{K}$, $p_i \approx q_{i+k}$ for all $i$, since the $i$-th letter is mapped to the $(i + k)$-th letter. (Addition is done modulo $26$). So for each index $j \in [0, 25]$, we compute
+Now, let $q _ i \in [0, 1]$ be the frequency of the $i$-th letter in the given ciphertext. For the key $k \in \mathcal{K}$, $p _ i \approx q _ {i+k}$ for all $i$, since the $i$-th letter is mapped to the $(i + k)$-th letter. (Addition is done modulo $26$). So for each index $j \in [0, 25]$, we compute
 
-$$\sum_{i=0}^{25} p_i q_{i+j}$$
+$$\sum _ {i=0}^{25} p _ i q _ {i+j}$$
 
 and choose $j$ that gives the closest value to $0.065$.
 

_posts/lecture-notes/modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md

@@ -56,10 +56,10 @@ For example, the shift cipher with $\mathcal{M}$ as the set of all two-letter ch
 
 The above definition is equivalent to the following.
 
-> **Definition**. An encryption scheme is **perfectly secret** if for any $m_1, m_2 \in \mathcal{M}$ and $c \in \mathcal{C}$, we have
+> **Definition**. An encryption scheme is **perfectly secret** if for any $m _ 1, m _ 2 \in \mathcal{M}$ and $c \in \mathcal{C}$, we have
 >
 > $$
-> \Pr[E(k, m_1) = c] = \Pr[E(k, m_2) = c]
+> \Pr[E(k, m _ 1) = c] = \Pr[E(k, m _ 2) = c]
 > $$
 >
 > where the probability is taken over the random choice $k \leftarrow \mathcal{K}$.
@@ -101,9 +101,9 @@ $$
 
 $$
 \begin{align*}
-	\Pr[C = c] &= \sum_{m' \in \mathcal{M}} \Pr[C = c \mid M = m'] \cdot \Pr[M = m'] \\
-	&= \sum_{m' \in \mathcal{M}} \Pr[E(k, m') = c] \cdot \Pr[M = m'] \\
-	&= \sum_{m' \in \mathcal{M}} \Pr[E(k, m) = c] \cdot \Pr[M = m'] \\
+	\Pr[C = c] &= \sum _ {m' \in \mathcal{M}} \Pr[C = c \mid M = m'] \cdot \Pr[M = m'] \\
+	&= \sum _ {m' \in \mathcal{M}} \Pr[E(k, m') = c] \cdot \Pr[M = m'] \\
+	&= \sum _ {m' \in \mathcal{M}} \Pr[E(k, m) = c] \cdot \Pr[M = m'] \\
 	&= \Pr[E(k, m) = c] = \Pr[C = c \mid M = m].
 \end{align*}
 $$
@@ -141,8 +141,8 @@ since $K$ and $M$ are independent. Given any distribution on $\mathcal{M}$, we c
 
 $$
 \begin{align*}
-\Pr[C = c] &= \sum_{m \in \mathcal{M}} \Pr[C = c \mid M = m] \cdot \Pr[M = m] \\
-&= 2^{-n} \cdot \sum_{m \in \mathcal{M}} \Pr[M = m] = 2^{-n}.
+\Pr[C = c] &= \sum _ {m \in \mathcal{M}} \Pr[C = c \mid M = m] \cdot \Pr[M = m] \\
+&= 2^{-n} \cdot \sum _ {m \in \mathcal{M}} \Pr[M = m] = 2^{-n}.
 \end{align*}
 $$
 
@@ -162,13 +162,13 @@ Thus OTP satisfies the definition of perfect secrecy.
 
 The OTP is perfectly secure, but there are some drawbacks to using the OTP in practice.
 
-First of all, OTP is perfectly secure *only for one message*. Suppose that we reuse the key $k$ for two messages $m_1$, $m_2$. Then since $c_1 = m_1 \oplus k$, $c_2 = m_2 \oplus k$, we have the following relation
+First of all, OTP is perfectly secure *only for one message*. Suppose that we reuse the key $k$ for two messages $m _ 1$, $m _ 2$. Then since $c _ 1 = m _ 1 \oplus k$, $c _ 2 = m _ 2 \oplus k$, we have the following relation
 
 $$
-c_1 \oplus c_2 = (m_1 \oplus k) \oplus (m_2 \oplus k) = m_1 \oplus m_2.
+c _ 1 \oplus c _ 2 = (m _ 1 \oplus k) \oplus (m _ 2 \oplus k) = m _ 1 \oplus m _ 2.
 $$
 
-Since the adversary can see the ciphertext, this kind of relation leaks some information about $m_1$ or $m_2$. For example, the adversary can learn exactly where the two messages differ. So if the key is reused, the scheme cannot be perfectly secret.
+Since the adversary can see the ciphertext, this kind of relation leaks some information about $m _ 1$ or $m _ 2$. For example, the adversary can learn exactly where the two messages differ. So if the key is reused, the scheme cannot be perfectly secret.
 
 Also, the key is (at least) as long as the message. This is why OTP is rarely used today. When sending a long message, two parties must communicate a very long key that is as long as the message, *every single time*! This makes it hard to manage the key.
 
@@ -223,7 +223,7 @@ The following is evident from the definition.
 > **Lemma.** A function $f : \mathbb{N} \rightarrow \mathbb{R}$ is negligible if and only if for all $c > 0$,
 >
 > $$
-> \lim_{n \rightarrow \infty} f(n) n^c = 0.
+> \lim _ {n \rightarrow \infty} f(n) n^c = 0.
 > $$
 
 In practice, about $2^{-30}$ is non-negligible since it is likely to happen over $1$ GB of data. Meanwhile, $2^{-80}$, $2^{-128}$ are negligible since it is very unlikely to happen over the life of a key.
@@ -269,7 +269,7 @@ Let $G : \lbrace 0, 1 \rbrace^s \rightarrow \lbrace 0, 1 \rbrace^n$ be a PRG and
 > **Definition.** The **PRG advantage** is defined as
 >
 > $$
-> \mathrm{Adv}_\mathrm{PRG}[\mathcal{A} , G] = \left\lvert \Pr_{k \leftarrow \left\lbrace 0, 1 \right\rbrace^s}[\mathcal{A}(G(k)) = 1] - \Pr_{r \leftarrow \left\lbrace 0, 1 \right\rbrace^n}[\mathcal{A}(r) = 1] \right\rvert.
+> \mathrm{Adv} _ \mathrm{PRG}[\mathcal{A} , G] = \left\lvert \Pr _ {k \leftarrow \left\lbrace 0, 1 \right\rbrace^s}[\mathcal{A}(G(k)) = 1] - \Pr _ {r \leftarrow \left\lbrace 0, 1 \right\rbrace^n}[\mathcal{A}(r) = 1] \right\rvert.
 > $$
 
 Intuitively, the **advantage** calculates how well $\mathcal{A}$ distinguishes $G(k)$ from truly random bit strings. Recall that $\mathcal{A}$ will output $1$ if it thinks that the given bit string is random. The first probability term is the case when $\mathcal{A}$ is given a pseudorandom string, but $\mathcal{A}$ decides that the string is random. (incorrect) The second probability term is the case when $\mathcal{A}$ is given a random string and it decides that it is indeed random. (correct) Therefore,
@@ -281,7 +281,7 @@ Intuitively, the **advantage** calculates how well $\mathcal{A}$ distinguishes $
 
 Now we can define the security of PRGs.
 
-> **Definition.** $G : \lbrace 0, 1 \rbrace^s \rightarrow \lbrace 0, 1 \rbrace^n$ is a **secure PRG** if for any efficient statistical test $\mathcal{A}$, $\mathrm{Adv}_\mathrm{PRG}[\mathcal{A}, G]$ is negligible.
+> **Definition.** $G : \lbrace 0, 1 \rbrace^s \rightarrow \lbrace 0, 1 \rbrace^n$ is a **secure PRG** if for any efficient statistical test $\mathcal{A}$, $\mathrm{Adv} _ \mathrm{PRG}[\mathcal{A}, G]$ is negligible.
 
 There are no provably secure PRGs, but we have heuristic candidates, meaning that no such efficient $\mathcal{A}$ has been found.
 
@@ -291,7 +291,7 @@ We can deduce that if a PRG is predictable, then it is insecure.
 
 > **Theorem.** Let $G$ be a PRG. If $G$ is predictable, then it is insecure.
 
-*Proof*. Let $\mathcal{A}$ be an efficient adversary (next bit predictor) that predicts $G$. Suppose that $i$ is the index chosen by $\mathcal{A}$. With $\mathcal{A}$, we construct a statistical test $\mathcal{B}$ such that $\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G]$ is non-negligible.
+*Proof*. Let $\mathcal{A}$ be an efficient adversary (next bit predictor) that predicts $G$. Suppose that $i$ is the index chosen by $\mathcal{A}$. With $\mathcal{A}$, we construct a statistical test $\mathcal{B}$ such that $\mathrm{Adv} _ \mathrm{PRG}[\mathcal{B}, G]$ is non-negligible.
 
 ![mc-01-prg-game.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-01-prg-game.png)
 
@@ -301,10 +301,10 @@ We can deduce that if a PRG is predictable, then it is insecure.
 2. $\mathcal{B}$ gives $x[0..i-1]$ to $\mathcal{A}$, then $\mathcal{A}$ will do some calculation and return $y$.
 3. $\mathcal{B}$ compares $x[i]$ with $y$, and returns $1$ if $x[i] = y$, $0$ otherwise.
 
-Let $W_b$ be the event that $\mathcal{B}$ outputs $1$ in experiment $b$. For $b = 0$, $\mathcal{B}$ outputs $1$ if $\mathcal{A}$ correctly guesses $x[i]$, which happens with probability $\frac{1}{2} + \epsilon$ for non-negligible $\epsilon$. As for $b = 1$, the received string is truly random. Then the values of $x[i]$ and $y$ are independent so $\Pr[W_1] = \frac{1}{2}$. Therefore,
+Let $W _ b$ be the event that $\mathcal{B}$ outputs $1$ in experiment $b$. For $b = 0$, $\mathcal{B}$ outputs $1$ if $\mathcal{A}$ correctly guesses $x[i]$, which happens with probability $\frac{1}{2} + \epsilon$ for non-negligible $\epsilon$. As for $b = 1$, the received string is truly random. Then the values of $x[i]$ and $y$ are independent so $\Pr[W _ 1] = \frac{1}{2}$. Therefore,
 
 $$
-\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G] = \lvert \Pr[W_0] - \Pr[W_1] \rvert = \left\lvert \frac{1}{2} + \epsilon - \frac{1}{2} \right\rvert = \epsilon,
+\mathrm{Adv} _ \mathrm{PRG}[\mathcal{B}, G] = \lvert \Pr[W _ 0] - \Pr[W _ 1] \rvert = \left\lvert \frac{1}{2} + \epsilon - \frac{1}{2} \right\rvert = \epsilon,
 $$
 
 and the advantage is non-negligible.
@@ -324,14 +324,14 @@ To motivate the definition of semantic security, we consider a **security game f
 > **Definition.** Let $\mathcal{E} = (G, E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. For a given adversary $\mathcal{A}$, we define two experiments $0$ and $1$. For $b \in \lbrace 0, 1 \rbrace$, define experiment $b$ as follows:
 >
 > **Experiment** $b$.
-> 1. The adversary computes $m_0, m_1 \in \mathcal{M}$ and sends them to the challenger.
-> 2. The challenger computes $k \leftarrow \mathcal{K}$, $c \leftarrow E(k, m_b)$ and sends $c$ to the adversary.
+> 1. The adversary computes $m _ 0, m _ 1 \in \mathcal{M}$ and sends them to the challenger.
+> 2. The challenger computes $k \leftarrow \mathcal{K}$, $c \leftarrow E(k, m _ b)$ and sends $c$ to the adversary.
 > 3. The adversary outputs a bit $b' \in \lbrace 0, 1 \rbrace$.
 >
-> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. i.e, the event that $\mathcal{A}(\mathrm{EXP}(b)) = 1$. Now define the **semantic security advantage** of $\mathcal{A}$ with respect to $\mathcal{E}$ as
+> Let $W _ b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. i.e, the event that $\mathcal{A}(\mathrm{EXP}(b)) = 1$. Now define the **semantic security advantage** of $\mathcal{A}$ with respect to $\mathcal{E}$ as
 >
 > $$
-> \mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}] = \lvert \Pr [W_0] - \Pr[W_1] \rvert.
+> \mathrm{Adv} _ \mathrm{SS}[\mathcal{A}, \mathcal{E}] = \lvert \Pr [W _ 0] - \Pr[W _ 1] \rvert.
 > $$
 
 As we understood the advantage of PRG, semantic security advantage can be understood the same way. If the advantage is closer to $1$, the better the adversary distinguishes the two experiments.
@@ -340,19 +340,19 @@ As we understood the advantage of PRG, semantic security advantage can be unders
 
 In the same way, we can define a security game for distinguishing two distributions.
 
-> **Definition.** Let $P_0$, $P_1$ be two distributions over a set $\mathcal{S}$. For any given efficient adversary $\mathcal{A}$, define experiments $0$ and $1$.
+> **Definition.** Let $P _ 0$, $P _ 1$ be two distributions over a set $\mathcal{S}$. For any given efficient adversary $\mathcal{A}$, define experiments $0$ and $1$.
 >
 > **Experiment $b$.**
-> 1. The challenger computes $x \leftarrow P_b$ and sends $x$ to the adversary.
+> 1. The challenger computes $x \leftarrow P _ b$ and sends $x$ to the adversary.
 > 2. The adversary computes and outputs a bit $b' \in \lbrace 0, 1 \rbrace$.
 >
-> Let $W_b$ the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the advantage is defined as
+> Let $W _ b$ the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the advantage is defined as
 >
 >  $$
->  \mathrm{Adv}[\mathcal{A}] = \lvert \Pr[W_0] - \Pr[W_1] \rvert
+>  \mathrm{Adv}[\mathcal{A}] = \lvert \Pr[W _ 0] - \Pr[W _ 1] \rvert
 >  $$
 >
-> If the advantage is negligible, we say that $P_0$ and $P_1$ are **computationally indistinguishable**, and write $P_0 \approx_c P_1$.
+> If the advantage is negligible, we say that $P _ 0$ and $P _ 1$ are **computationally indistinguishable**, and write $P _ 0 \approx _ c P _ 1$.
 
 As an example, a PRG $G$ is secure if the two distributions $G(k)$ over $k \leftarrow \lbrace 0, 1 \rbrace^s$ and $r \leftarrow \lbrace 0, 1 \rbrace^n$ are *computationally indistinguishable*.
 
@@ -360,14 +360,14 @@ As an example, a PRG $G$ is secure if the two distributions $G(k)$ over $k \left
 
 So now we can define a semantically secure encryption scheme.
 
-> **Definition.** An encryption scheme $\mathcal{E}$ is **semantically secure** if for any efficient adversary $\mathcal{A}$, its advantage $\mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}]$ is negligible.
+> **Definition.** An encryption scheme $\mathcal{E}$ is **semantically secure** if for any efficient adversary $\mathcal{A}$, its advantage $\mathrm{Adv} _ \mathrm{SS}[\mathcal{A}, \mathcal{E}]$ is negligible.
 
-It means that the adversary cannot distinguish whether the received message is an encryption of $m_0$ or $m_1$, even though it knows what the original messages were in the first place!
+It means that the adversary cannot distinguish whether the received message is an encryption of $m _ 0$ or $m _ 1$, even though it knows what the original messages were in the first place!
 
-Using the notion of computational indistinguishability, $\mathcal{E}$ is semantically secure if for any $m_0, m_1 \in \mathcal{M}$, the distribution of ciphertexts of $m_0$ and $m_1$ with respect to $k \leftarrow \mathcal{K}$ is computationally indistinguishable.
+Using the notion of computational indistinguishability, $\mathcal{E}$ is semantically secure if for any $m _ 0, m _ 1 \in \mathcal{M}$, the distribution of ciphertexts of $m _ 0$ and $m _ 1$ with respect to $k \leftarrow \mathcal{K}$ is computationally indistinguishable.
 
 $$
-E(K, m_0) \approx_c E(K, m_1)
+E(K, m _ 0) \approx _ c E(K, m _ 1)
 $$
 
 ## Semantic Security of the Stream Cipher
@@ -376,47 +376,47 @@ $$
 
 *Proof*. Let $\mathcal{A}$ be an efficient adversary that breaks the semantic security of $\mathcal{E}$. We will use $\mathcal{A}$ to construct a statistical test $\mathcal{B}$ that breaks the security of the PRG.
 
-Since $\mathcal{A}$ can break the semantic security of the stream cipher, for $m_0, m_1 \in \mathcal{M}$ chosen by $\mathcal{A}$, it can distinguish $m_0 \oplus G(k)$ and $m_1 \oplus G(k)$. Let $W_b$ be the event that $\mathcal{A}$ returns $1$ for $m_b \oplus G(k)$. The advantage $\mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}] = \lvert \Pr[W_0] - \Pr[W_1] \rvert$ is non-negligible.
+Since $\mathcal{A}$ can break the semantic security of the stream cipher, for $m _ 0, m _ 1 \in \mathcal{M}$ chosen by $\mathcal{A}$, it can distinguish $m _ 0 \oplus G(k)$ and $m _ 1 \oplus G(k)$. Let $W _ b$ be the event that $\mathcal{A}$ returns $1$ for $m _ b \oplus G(k)$. The advantage $\mathrm{Adv} _ \mathrm{SS}[\mathcal{A}, \mathcal{E}] = \lvert \Pr[W _ 0] - \Pr[W _ 1] \rvert$ is non-negligible.
 
 Define two new experiments as follows:
-1. The adversary $\mathcal{A}$ gives two messages $m_0, m_1 \in \mathcal{M}$.
+1. The adversary $\mathcal{A}$ gives two messages $m _ 0, m _ 1 \in \mathcal{M}$.
 2. The challenger draws a random string $r \leftarrow \lbrace 0, 1 \rbrace^n$.
-3. In experiment $b$, return $m_b \oplus r$.
+3. In experiment $b$, return $m _ b \oplus r$.
 4. $\mathcal{A}$ will return $b' \in \lbrace 0, 1 \rbrace$.
 
-Let $W'_b$ be the event that $\mathcal{A}$ returns $1$ for $m_b \oplus r$. Then, by triangle inequality,
+Let $W' _ b$ be the event that $\mathcal{A}$ returns $1$ for $m _ b \oplus r$. Then, by triangle inequality,
 
 $$
 \tag{2}
 \begin{align*}
-\mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}] &= \lvert \Pr[W_0] - \Pr[W_1] \rvert \\
-&\leq \lvert \Pr[W_0] - \Pr[W_0'] \rvert + \lvert \Pr[W_0'] - \Pr[W_1'] \rvert \\
-&\qquad + \lvert \Pr[W_1'] - \Pr[W_1] \rvert \\
-&= \lvert \Pr[W_0] - \Pr[W_0'] \rvert + \lvert \Pr[W_1'] - \Pr[W_1] \rvert.
+\mathrm{Adv} _ \mathrm{SS}[\mathcal{A}, \mathcal{E}] &= \lvert \Pr[W _ 0] - \Pr[W _ 1] \rvert \\
+&\leq \lvert \Pr[W _ 0] - \Pr[W _ 0'] \rvert + \lvert \Pr[W _ 0'] - \Pr[W _ 1'] \rvert \\
+&\qquad + \lvert \Pr[W _ 1'] - \Pr[W _ 1] \rvert \\
+&= \lvert \Pr[W _ 0] - \Pr[W _ 0'] \rvert + \lvert \Pr[W _ 1'] - \Pr[W _ 1] \rvert.
 \end{align*}
 $$
 
-The last equality holds since OTP is perfectly secure and thus $\lvert \Pr[W_0'] - \Pr[W_1'] \rvert = 0$. Since $\mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}]$ is non-negligible, at least one of the terms on the right hand side should also be non-negligible.
+The last equality holds since OTP is perfectly secure and thus $\lvert \Pr[W _ 0'] - \Pr[W _ 1'] \rvert = 0$. Since $\mathrm{Adv} _ \mathrm{SS}[\mathcal{A}, \mathcal{E}]$ is non-negligible, at least one of the terms on the right hand side should also be non-negligible.
 
-Without loss of generality, assume that $\lvert \Pr[W_0] - \Pr[W_0'] \rvert$ is non-negligible. This implies that $\mathcal{A}$ can distinguish $m_0 \oplus G(k)$ from $m_0 \oplus r$. Using this fact, we can construct a statistical test $\mathcal{B}$ for the PRG as follows.
+Without loss of generality, assume that $\lvert \Pr[W _ 0] - \Pr[W _ 0'] \rvert$ is non-negligible. This implies that $\mathcal{A}$ can distinguish $m _ 0 \oplus G(k)$ from $m _ 0 \oplus r$. Using this fact, we can construct a statistical test $\mathcal{B}$ for the PRG as follows.
 
 1. Challenger PRG gives a bit string $x$.
 	- In experiment $0$, challenger gives pseudorandom string $G(k)$.
 	- In experiment $1$, challenger gives truly random string $r$.
-2. Invoke $\mathcal{A}$, then $\mathcal{A}$ will send two messages $m_0, m_1 \in \mathcal{M}$.
-3. Compute $c = m_0 \oplus x$ and return $c$ to $\mathcal{A}$.
+2. Invoke $\mathcal{A}$, then $\mathcal{A}$ will send two messages $m _ 0, m _ 1 \in \mathcal{M}$.
+3. Compute $c = m _ 0 \oplus x$ and return $c$ to $\mathcal{A}$.
 4. $\mathcal{A}$ will return $b'$, and return $b'$ directly to challenger PRG.
 
-Let $Y_b$ the event that $\mathcal{B}$ returns $1$ on experiment $b$. Then, we directly see that
+Let $Y _ b$ the event that $\mathcal{B}$ returns $1$ on experiment $b$. Then, we directly see that
 
 $$
-\Pr[Y_0] = \Pr[W_0], \qquad \Pr[Y_1] = \Pr[W_0'].
+\Pr[Y _ 0] = \Pr[W _ 0], \qquad \Pr[Y _ 1] = \Pr[W _ 0'].
 $$
 
 Therefore, the PRG advantage of $\mathcal{B}$ is
 
 $$
-\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G] = \lvert \Pr[Y_0] - \Pr[Y_1] \rvert = \lvert \Pr[W_0] - \Pr[W_0'] \rvert,
+\mathrm{Adv} _ \mathrm{PRG}[\mathcal{B}, G] = \lvert \Pr[Y _ 0] - \Pr[Y _ 1] \rvert = \lvert \Pr[W _ 0] - \Pr[W _ 0'] \rvert,
 $$
 
 which is non-negligible, so it breaks the security of the PRG.
@@ -424,7 +424,7 @@ which is non-negligible, so it breaks the security of the PRG.
 > **Corollary.** For any adversary $\mathcal{A}$ for the stream cipher $\mathcal{E}$, there exists an adversary $\mathcal{B}$ for a PRG $G$ such that
 >
 > $$
-> \mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}] \leq 2 \cdot \mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G].
+> \mathrm{Adv} _ \mathrm{SS}[\mathcal{A}, \mathcal{E}] \leq 2 \cdot \mathrm{Adv} _ \mathrm{PRG}[\mathcal{B}, G].
 > $$
 
 *Proof*. Use equation $(2)$ in the above proof.

_posts/lecture-notes/modern-cryptography/2023-09-12-prfs-prps-block-ciphers.md

@@ -23,7 +23,7 @@ attachment:
 
 > **Definition.** A **pseudorandom function** $F$ over $(\mathcal{K}, X, Y)$ is an efficiently computable algorithm $F : \mathcal{K} \times X \rightarrow Y$.
 
-We consider a *keyed function* $F : \mathcal{K} \times X \rightarrow Y$ where $\mathcal{K}$ denotes the key space. For $k \in \mathcal{K}$, $F_k(x) := F(k, x)$ is a function from $X$ to $Y$. Thus each key $k$ induces a distribution on functions $X \rightarrow Y$.
+We consider a *keyed function* $F : \mathcal{K} \times X \rightarrow Y$ where $\mathcal{K}$ denotes the key space. For $k \in \mathcal{K}$, $F _ k(x) := F(k, x)$ is a function from $X$ to $Y$. Thus each key $k$ induces a distribution on functions $X \rightarrow Y$.
 
 Note that $\left\lvert \mathcal{F}[X, Y] \right\lvert = \left\lvert Y \right\lvert^{\left\lvert X \right\lvert}$, but the number of PRFs is at most $\left\lvert K \right\lvert$. In practice, $\left\lvert K \right\lvert$ is very small compared to $\left\lvert Y \right\lvert^{\left\lvert X \right\lvert}$. So PRFs are chosen from a smaller space, but they should behave in the same way a (truly) random function does.
 
@@ -33,43 +33,43 @@ Let $\mathcal{F}[X, Y]$ denote the set of all functions from $X$ to $Y$. A PRF $
 > 
 > **Experiment $b$**.
 > 1. The challenger selects $f \in \mathcal{F}[X, Y]$ as follows
-> 	- If $b = 0$, choose $k \leftarrow \mathcal{K}$ and set $f = F_k = F(k, \cdot)$.
+> 	- If $b = 0$, choose $k \leftarrow \mathcal{K}$ and set $f = F _ k = F(k, \cdot)$.
 > 	- If $b = 1$, choose $f \leftarrow \mathcal{F}[X, Y]$.
 > 2. The adversary sends a sequence of queries to the challenger.
-> 	- For $i = 1, \dots, q$, send $x_i \in X$ and receive $y_i = f(x_i) \in Y$.
+> 	- For $i = 1, \dots, q$, send $x _ i \in X$ and receive $y _ i = f(x _ i) \in Y$.
 > 3. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
 > 
-> Let $W_b$ be the event that $\mathcal{A}$ outputs 1 in experiment $b$. Then the **PRF-advantage** of $\mathcal{A}$ with respect to $F$ is defined as
+> Let $W _ b$ be the event that $\mathcal{A}$ outputs 1 in experiment $b$. Then the **PRF-advantage** of $\mathcal{A}$ with respect to $F$ is defined as
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{PRF}}^q[\mathcal{A}, F] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
+> \mathrm{Adv} _ {\mathrm{PRF}}^q[\mathcal{A}, F] = \left\lvert \Pr[W _ 0] - \Pr[W _ 1] \right\lvert.
 > $$
 > 
-> A PRF $F$ is **secure** if $\mathrm{Adv}_{\mathrm{PRF}}^q[\mathcal{A}, F]$ is negligible for any efficient $\mathcal{A}$.
+> A PRF $F$ is **secure** if $\mathrm{Adv} _ {\mathrm{PRF}}^q[\mathcal{A}, F]$ is negligible for any efficient $\mathcal{A}$.
 
-In experiment $0$ above, the challenger returns $y_i = f(x_i)$. To answer the query $x_i$, the challenger would have to keep a lookup table for a random function $f \in \mathcal{F}[X, Y]$. Since $X$ and $Y$ are very large in practice, it is nearly impossible to create and manage such lookup tables.[^1] As a workaround, we can choose $y_i$ uniformly on each query $x_i$, assuming that $x_i$ wasn't queried before. This is possible since for any different inputs $x_i, x_j \in X$, $f(x_i)$ and $f(x_j)$ are random and independent.
+In experiment $0$ above, the challenger returns $y _ i = f(x _ i)$. To answer the query $x _ i$, the challenger would have to keep a lookup table for a random function $f \in \mathcal{F}[X, Y]$. Since $X$ and $Y$ are very large in practice, it is nearly impossible to create and manage such lookup tables.[^1] As a workaround, we can choose $y _ i$ uniformly on each query $x _ i$, assuming that $x _ i$ wasn't queried before. This is possible since for any different inputs $x _ i, x _ j \in X$, $f(x _ i)$ and $f(x _ j)$ are random and independent.
 
-Also, there are two ways that the adversary can query the challenger. The first method is the **adaptive** method, where the adversary queries each $x_i$ one by one. In this method, the adversary can *adaptively* choose the next query $x_{i+1}$ after receiving the result from the challenger.
+Also, there are two ways that the adversary can query the challenger. The first method is the **adaptive** method, where the adversary queries each $x _ i$ one by one. In this method, the adversary can *adaptively* choose the next query $x _ {i+1}$ after receiving the result from the challenger.
 
-The second method is querying all $x_i$ at once. We will consider the first method, since the adaptive method assumes greater attack power on the adversary.
+The second method is querying all $x _ i$ at once. We will consider the first method, since the adaptive method assumes greater attack power on the adversary.
 
 ### OTP as a PRF
 
-As an example, consider the one-time pad function $F(k, x) = k \oplus x$. This function satisfies the definitions of PRFs, but it is not a secure PRF. Consider an adversary $\mathcal{A}$ that outputs $1$ if and only if $y_1 \oplus y_2 = x_1 \oplus x_2$. In experiment $0$, $\mathcal{A}$ will always output $1$, but in experiment $1$, $\mathcal{A}$ will output $1$ with probability $2^{-n}$. Thus the advantage is $1 - 2^{-n}$, which is not negligible.
+As an example, consider the one-time pad function $F(k, x) = k \oplus x$. This function satisfies the definitions of PRFs, but it is not a secure PRF. Consider an adversary $\mathcal{A}$ that outputs $1$ if and only if $y _ 1 \oplus y _ 2 = x _ 1 \oplus x _ 2$. In experiment $0$, $\mathcal{A}$ will always output $1$, but in experiment $1$, $\mathcal{A}$ will output $1$ with probability $2^{-n}$. Thus the advantage is $1 - 2^{-n}$, which is not negligible.
 
 ### PRFs and PRGs
 
-It is easy to construct PRGs from PRFs. We can simply evaluate $F$ on some distinct inputs. For example, given a seed $s$, we evaluate $F_s$ and obtain
+It is easy to construct PRGs from PRFs. We can simply evaluate $F$ on some distinct inputs. For example, given a seed $s$, we evaluate $F _ s$ and obtain
 
 $$
-G(s) = F_s(1) \parallel F_s(2) \parallel \cdots \parallel F_s(n)
+G(s) = F _ s(1) \parallel F _ s(2) \parallel \cdots \parallel F _ s(n)
 $$
 
 for any $n \in \mathbb{N}$.[^2] In fact, we can show that $G$ is secure PRG if $F$ is a secure PRF.
 
 > **Theorem.** If $F$ is a secure length preserving PRF, then $G$ in the above definition is a secure PRG.
 
-*Proof*. Suppose that $\mathcal{A}$ is an efficient PRG adversary against $G$. We construct an efficient $n$-query PRF adversary $\mathcal{B}$, that queries the challenger at $1, \dots, n$ and receives $f(1), \dots, f(n)$. $\mathcal{B}$ passes $f(1) \parallel \cdots \parallel f(n)$ to $\mathcal{A}$, and $\mathcal{B}$ outputs the output of $\mathcal{A}$. Then we see that $\mathrm{Adv}_{\mathrm{PRG}}[\mathcal{A}, G] = \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{B}, F]$. So if $F$ is secure, then $G$ is secure.
+*Proof*. Suppose that $\mathcal{A}$ is an efficient PRG adversary against $G$. We construct an efficient $n$-query PRF adversary $\mathcal{B}$, that queries the challenger at $1, \dots, n$ and receives $f(1), \dots, f(n)$. $\mathcal{B}$ passes $f(1) \parallel \cdots \parallel f(n)$ to $\mathcal{A}$, and $\mathcal{B}$ outputs the output of $\mathcal{A}$. Then we see that $\mathrm{Adv} _ {\mathrm{PRG}}[\mathcal{A}, G] = \mathrm{Adv} _ {\mathrm{PRF}}[\mathcal{B}, F]$. So if $F$ is secure, then $G$ is secure.
 
 As for the converse, a PRG $G$ gives a PRF $F$ with small input length. If $G : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^{n 2^m}$, we can define a PRF $F : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^m \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ as follows: for a seed $s \in \left\lbrace 0, 1 \right\rbrace^n$, consider $G(s)$ as a $2^m \times n$ table and set $F(s, i)$ as the $i$-th row of $G(s)$.[^3] If $G$ is a secure PRG, then PRF $F$ is also secure.
 
@@ -85,33 +85,33 @@ Similarly, a PRP $E$ is **secure** if it is **indistinguishable from a random pe
 > 
 > **Experiment $b$**.
 > 1. The challenger selects $f \in \mathcal{P}[X]$ as follows
-> 	- If $b = 0$, choose $k \leftarrow \mathcal{K}$ and set $f = E_k = E(k, \cdot)$.
+> 	- If $b = 0$, choose $k \leftarrow \mathcal{K}$ and set $f = E _ k = E(k, \cdot)$.
 > 	- If $b = 1$, choose $f \leftarrow \mathcal{P}[X]$.
 > 2. The adversary sends a sequence of queries to the challenger.
-> 	- For $i = 1, \dots, q$, send $x_i \in X$ and receive $y_i = f(x_i) \in Y$.
+> 	- For $i = 1, \dots, q$, send $x _ i \in X$ and receive $y _ i = f(x _ i) \in Y$.
 > 3. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
 > 
-> Let $W_b$ be the event that $\mathcal{A}$ outputs 1 in experiment $b$. Then the **PRP-advantage** of $\mathcal{A}$ with respect to $E$ is defined as
+> Let $W _ b$ be the event that $\mathcal{A}$ outputs 1 in experiment $b$. Then the **PRP-advantage** of $\mathcal{A}$ with respect to $E$ is defined as
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{PRP}}^q[\mathcal{A}, E] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
+> \mathrm{Adv} _ {\mathrm{PRP}}^q[\mathcal{A}, E] = \left\lvert \Pr[W _ 0] - \Pr[W _ 1] \right\lvert.
 > $$
 > 
-> A PRP $E$ is **secure** if $\mathrm{Adv}_{\mathrm{PRP}}^q[\mathcal{A}, E]$ is negligible for any efficient $\mathcal{A}$.
+> A PRP $E$ is **secure** if $\mathrm{Adv} _ {\mathrm{PRP}}^q[\mathcal{A}, E]$ is negligible for any efficient $\mathcal{A}$.
 
 ### PRF Switching Lemma
 
-Suppose that $\left\lvert X \right\lvert$ is sufficiently large. Then for $q$ queries of any adversary $\mathcal{A}$, it is highly probable that $f(x_i)$ are all distinct, regardless of whether $f$ is a PRF or a PRP. Thus we have the following property of PRPs.
+Suppose that $\left\lvert X \right\lvert$ is sufficiently large. Then for $q$ queries of any adversary $\mathcal{A}$, it is highly probable that $f(x _ i)$ are all distinct, regardless of whether $f$ is a PRF or a PRP. Thus we have the following property of PRPs.
 
 > **Lemma.** If $E: \mathcal{K} \times X \rightarrow X$ is a secure PRP and $\left\lvert X \right\lvert$ is sufficiently large, then $E$ is also a secure PRF.
 > 
 > For any $q$-query adversary $\mathcal{A}$,
 > 
 > $$
-> \left\lvert \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{A}, E] - \mathrm{Adv}_{\mathrm{PRP}}[\mathcal{A}, E] \right\lvert \leq \frac{q^2}{2\left\lvert X \right\lvert}.
+> \left\lvert \mathrm{Adv} _ {\mathrm{PRF}}[\mathcal{A}, E] - \mathrm{Adv} _ {\mathrm{PRP}}[\mathcal{A}, E] \right\lvert \leq \frac{q^2}{2\left\lvert X \right\lvert}.
 > $$
 
-This is a matter of *collisions* of $f(x_i)$, so we use the facts from the birthday problem.
+This is a matter of *collisions* of $f(x _ i)$, so we use the facts from the birthday problem.
 
 *Proof*. Appendix A.4.
 
@@ -123,7 +123,7 @@ A **block cipher** is actually a different name for PRPs. Since a PRP $E$ is a k
 
 Block ciphers commonly have the following form.
 - A key $k$ is chosen uniformly from $\left\lbrace 0, 1 \right\rbrace^s$.
-- The key $k$ goes through *key expansion* and generates $k_1, \dots, k_n$. These are called **round keys**, where $n$ is the number of rounds.
+- The key $k$ goes through *key expansion* and generates $k _ 1, \dots, k _ n$. These are called **round keys**, where $n$ is the number of rounds.
 - The plaintext goes through $n$ rounds, where in each round, a round function and the round key is applied to the input.
 - After $n$ rounds, the ciphertext is obtained.
 
@@ -139,27 +139,27 @@ Block ciphers commonly have the following form.
 
 ### Feistel Network
 
-Since block ciphers are PRPs, we have to build an invertible function. Suppose we are given **any** functions $F_1, \dots, F_d : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$. Can we build an **invertible** function $F : \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$?
+Since block ciphers are PRPs, we have to build an invertible function. Suppose we are given **any** functions $F _ 1, \dots, F _ d : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$. Can we build an **invertible** function $F : \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$?
 
 ![mc-02-feistel-network.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-02-feistel-network.png)
 
-It turns out the answer is yes. Given an $2n$-bit long input, $L_0$ and $R_0$ denote the left and right halves ($n$ bits) of the input, respectively. Define
+It turns out the answer is yes. Given an $2n$-bit long input, $L _ 0$ and $R _ 0$ denote the left and right halves ($n$ bits) of the input, respectively. Define
 
 $$
-L_i = R_{i-1}, \qquad R_i = F_i(R_{i-1}) \oplus L_{i-1}
+L _ i = R _ {i-1}, \qquad R _ i = F _ i(R _ {i-1}) \oplus L _ {i-1}
 $$
 
-for $i = 1, \dots, d$. Then we can restore $L_0$ and $R_0$ from $L_d$ and $R_d$ by applying the same operations in **reverse order**. It is easy to see that $R_{i-1}$ can be restored from $L_i$. As for $L_{i-1}$, we need a swap. Observe that
+for $i = 1, \dots, d$. Then we can restore $L _ 0$ and $R _ 0$ from $L _ d$ and $R _ d$ by applying the same operations in **reverse order**. It is easy to see that $R _ {i-1}$ can be restored from $L _ i$. As for $L _ {i-1}$, we need a swap. Observe that
 
 $$
-F_i(L_i) \oplus R_i = F_i(R_{i-1}) \oplus (F_i(R_{i-1}) \oplus L_{i-1}) = L_{i-1}.
+F _ i(L _ i) \oplus R _ i = F _ i(R _ {i-1}) \oplus (F _ i(R _ {i-1}) \oplus L _ {i-1}) = L _ {i-1}.
 $$
 
-Note that we did not require $F_i$ to be invertible. We can build invertible functions from arbitrary functions! These are called **Feistel networks**.
+Note that we did not require $F _ i$ to be invertible. We can build invertible functions from arbitrary functions! These are called **Feistel networks**.
 
-> **Theorem.** (Luby-Rackoff'85) If $F : K \times \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ is a secure PRF, then the $3$-round Feistel using the functions $F_i=  F(k_i, \cdot)$ is a secure PRP.
+> **Theorem.** (Luby-Rackoff'85) If $F : K \times \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ is a secure PRF, then the $3$-round Feistel using the functions $F _ i=  F(k _ i, \cdot)$ is a secure PRP.
 
-In DES, the function $F_i$ is the DES round function.
+In DES, the function $F _ i$ is the DES round function.
 
 ![mc-02-des-round.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-02-des-round.png)
 
@@ -227,15 +227,15 @@ These 4 modules are all invertible!
 
 For DES, the S-box is the non-linear part. If the S-box is linear, then the entire DES cipher would be linear.
 
-Specifically, there would be a fixed binary matrix $B_1 \in \mathbb{Z}_2^{64 \times 64}$ and $B_2 \in \mathbb{Z}_2^{64 \times (48 \times 16)}$ such that
+Specifically, there would be a fixed binary matrix $B _ 1 \in \mathbb{Z} _ 2^{64 \times 64}$ and $B _ 2 \in \mathbb{Z} _ 2^{64 \times (48 \times 16)}$ such that
 
 $$
-\mathrm{DES}(k, m) = B_1 m \oplus B_2 \mathbf{k}
+\mathrm{DES}(k, m) = B _ 1 m \oplus B _ 2 \mathbf{k}
 $$
 
-where $\mathbf{k} \in \mathbb{Z}_2^{48 \times 16}$ is a vector of round keys.
+where $\mathbf{k} \in \mathbb{Z} _ 2^{48 \times 16}$ is a vector of round keys.
 
-Then we can attack DES with the same idea as OTP. If $c_i = B_1 m_i \oplus B_2 \mathbf{k}$, then $c_1 \oplus c_2 = B_1 (m_1 \oplus m_2)$.
+Then we can attack DES with the same idea as OTP. If $c _ i = B _ 1 m _ i \oplus B _ 2 \mathbf{k}$, then $c _ 1 \oplus c _ 2 = B _ 1 (m _ 1 \oplus m _ 2)$.
 
 Choosing the S-boxes at random results in a insecure block cipher, with high probability.
 
@@ -246,18 +246,18 @@ For DES (and AES-128), it is known that *three pairs of plaintext, ciphertext bl
 If we were to find the key by brute force, DES is easy. We can strengthen the DES algorithm by using **nested ciphers**. The tradeoff here is that these are slower than the original DES.
 
 > Define
-> - (**2DES**) $2E: \mathcal{K}^2 \times \mathcal{M} \rightarrow \mathcal{M}$ as $2E((k_1, k_2), m) = E(k_1, E(k_2, m))$.
-> - (**3DES**) $3E: \mathcal{K}^3 \times \mathcal{M} \rightarrow \mathcal{M}$ as $3E((k_1, k_2, k_3), m) = E(k_1, D(k_2, E(k_3, m)))$.[^4]
+> - (**2DES**) $2E: \mathcal{K}^2 \times \mathcal{M} \rightarrow \mathcal{M}$ as $2E((k _ 1, k _ 2), m) = E(k _ 1, E(k _ 2, m))$.
+> - (**3DES**) $3E: \mathcal{K}^3 \times \mathcal{M} \rightarrow \mathcal{M}$ as $3E((k _ 1, k _ 2, k _ 3), m) = E(k _ 1, D(k _ 2, E(k _ 3, m)))$.[^4]
 
 Then the key space has increased (exponentially). As for 2DES, the key space is now $2^{112}$, so maybe nested ciphers increase the level of security.
 
 #### $2E$ is Insecure: Meet in the Middle
 
-Unfortunately, 2DES is only secure as DES, with the attack strategy called **meet in the middle**. The idea is that if $c = E(k_1, E(k_2, m))$, then $D(k_1, c) = E(k_2, m)$.
+Unfortunately, 2DES is only secure as DES, with the attack strategy called **meet in the middle**. The idea is that if $c = E(k _ 1, E(k _ 2, m))$, then $D(k _ 1, c) = E(k _ 2, m)$.
 
 ![mc-02-2des-mitm.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-02-2des-mitm.png)
 
-Since we have the plaintext and the ciphertext, we first build a table of $(k, E(k_2, m))$ over $k_2 \in \mathcal{K}$ and sort by $E(k_2, m)$. Next, we check if $D(k_1, c)$ is in the table for all $k_1 \in \mathcal{K}$.
+Since we have the plaintext and the ciphertext, we first build a table of $(k, E(k _ 2, m))$ over $k _ 2 \in \mathcal{K}$ and sort by $E(k _ 2, m)$. Next, we check if $D(k _ 1, c)$ is in the table for all $k _ 1 \in \mathcal{K}$.
 
 The complexity of this attack is shown as follows:
 - Space complexity: We must store $\left\lvert \mathcal{K} \right\lvert$ entries with approximately $\log \left\lvert \mathcal{M} \right\lvert$ bits. Thus we need $\left\lvert \mathcal{K} \right\lvert \log \left\lvert \mathcal{M} \right\lvert$ bits in total.
@@ -273,13 +273,13 @@ The above argument can be generalized for any scheme $(E, D)$. Thus, the $2E$ co
 
 There is another method called the **$EX$ construction** for block cipher $(E, D)$ defined over $(\mathcal{K}, \mathcal{X})$. The $EX$ construction uses a new block cipher defined as follows. Intuitively, it can be thought of as applying OTP before and after encryption.
 
-> Let $k_1 \in \mathcal{K}$ and $k_2, k_3 \in \mathcal{X}$.
-> - Encryption: $EX\left((k_1, k_2, k_3), m\right) = E(k_1, m \oplus k_2) \oplus k_3$.
-> - Decryption: $DX((k_1, k_2, k_3), c) = D(k_1, c \oplus k_3) \oplus k_2$.
+> Let $k _ 1 \in \mathcal{K}$ and $k _ 2, k _ 3 \in \mathcal{X}$.
+> - Encryption: $EX\left((k _ 1, k _ 2, k _ 3), m\right) = E(k _ 1, m \oplus k _ 2) \oplus k _ 3$.
+> - Decryption: $DX((k _ 1, k _ 2, k _ 3), c) = D(k _ 1, c \oplus k _ 3) \oplus k _ 2$.
 
 Then the new cipher $(EX, DX)$ has a key space $\mathcal{K} \times \mathcal{X}^2$, which is much larger than $\mathcal{K}$. Specifically for DESX, the key length would be $56 + 2 \times 64 = 184$ bits.
 
-As a side note, using $E(k_1, m) \oplus k_2$ or $E(k_1, m \oplus k_2)$ does not improve security, since it can be attacked with meet in the middle method. Similarly, DESX also has $184$ bit key space, but actual search space is about $56 + 64 = 120$ bits.
+As a side note, using $E(k _ 1, m) \oplus k _ 2$ or $E(k _ 1, m \oplus k _ 2)$ does not improve security, since it can be attacked with meet in the middle method. Similarly, DESX also has $184$ bit key space, but actual search space is about $56 + 64 = 120$ bits.
 
 ### Attacks on AES
 

_posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md

@@ -30,14 +30,14 @@ This notion can be formalized as a security game. The difference here is that we
 > **Experiment $b$.**
 > 1. The challenger fixes a key $k \leftarrow \mathcal{K}$.
 > 2. The adversary submits a sequence of queries to the challenger:
-> 	- The $i$-th query is a pair of messages $m_{i, 0}, m_{i, 1} \in \mathcal{M}$ of the same length.
-> 3. The challenger computes $c_i = E(k, m_{i, b})$ and sends $c_i$ to the adversary.
+> 	- The $i$-th query is a pair of messages $m _ {i, 0}, m _ {i, 1} \in \mathcal{M}$ of the same length.
+> 3. The challenger computes $c _ i = E(k, m _ {i, b})$ and sends $c _ i$ to the adversary.
 > 4. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
 >
-> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mathcal{E}$** is defined as
+> Let $W _ b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mathcal{E}$** is defined as
 >
 > $$
-> \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}, \mathcal{E}] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert
+> \mathrm{Adv} _ {\mathrm{CPA}}[\mathcal{A}, \mathcal{E}] = \left\lvert \Pr[W _ 0] - \Pr[W _ 1] \right\lvert
 > $$
 >
 > If the CPA advantage is negligible for all efficient adversaries $\mathcal{A}$, then the cipher $\mathcal{E}$ is **semantically secure against chosen plaintext attack**, or simply **CPA secure**.
@@ -48,7 +48,7 @@ The assumption that the adversary can choose any message of its choice may seem
 
 ### Deterministic Cipher is not CPA Secure
 
-Suppose that $E$ is deterministic. Then we can construct an adversary that breaks CPA security. For example, the adversary can send $(m_0, m_1)$ and $(m_0, m_2)$. Then if $b = 0$, the received ciphertext would be same, so the adversary can output $0$ and win the CPA security game.
+Suppose that $E$ is deterministic. Then we can construct an adversary that breaks CPA security. For example, the adversary can send $(m _ 0, m _ 1)$ and $(m _ 0, m _ 2)$. Then if $b = 0$, the received ciphertext would be same, so the adversary can output $0$ and win the CPA security game.
 
 Therefore, for *indistinguishability under chosen plaintext attack* (IND-CPA), encryption must produce different outputs even for the same plaintext.
 
@@ -73,15 +73,15 @@ We also formalize security for nonce-based encryption. It is basically the same
 > **Experiment $b$**.
 > 1. The challenger fixes a key $k \leftarrow \mathcal{K}$.
 > 2. The adversary submits a sequence of queries to the challenger.
-> 	- The $i$-th query is a pair of messages $m_{i, 0}, m_{i, 1} \in \mathcal{M}$ of the same length, and a nonce $n_i \in \mathcal{N} \setminus \left\lbrace n_1, \dots, n_{i-1} \right\rbrace$.
+> 	- The $i$-th query is a pair of messages $m _ {i, 0}, m _ {i, 1} \in \mathcal{M}$ of the same length, and a nonce $n _ i \in \mathcal{N} \setminus \left\lbrace n _ 1, \dots, n _ {i-1} \right\rbrace$.
 > 	- Nonces should be unique.
-> 3. The challenger computes $c_i = E(k, m_{i, b}, n_i)$ and sends $c_i$ to the adversary.
+> 3. The challenger computes $c _ i = E(k, m _ {i, b}, n _ i)$ and sends $c _ i$ to the adversary.
 > 4. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
 >
-> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mathcal{E}$** is defined as
+> Let $W _ b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mathcal{E}$** is defined as
 >
 > $$
-> \mathrm{Adv}_{\mathrm{nCPA}}[\mathcal{A}, \mathcal{E}] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert
+> \mathrm{Adv} _ {\mathrm{nCPA}}[\mathcal{A}, \mathcal{E}] = \left\lvert \Pr[W _ 0] - \Pr[W _ 1] \right\lvert
 > $$
 >
 > If the CPA advantage is negligible for all efficient adversaries $\mathcal{A}$, then the nonce-based cipher $\mathcal{E}$ is **semantically secure against chosen plaintext attack**, or simply **CPA secure**.
@@ -130,7 +130,7 @@ We learned how to encrypt a single block. How do we encrypt longer messages with
 
 There are many ways of processing multiple blocks, this is called the **mode of operation**.
 
-Additional explanation available in [Modes of Operations (Internet Security)](../internet-security/2023-09-18-symmetric-key-cryptography-2.md#modes-of-operations).
+Additional explanation available in [Modes of Operations (Internet Security)](../../internet-security/2023-09-18-symmetric-key-cryptography-2/#modes-of-operations).
 
 ### Electronic Codebook Mode (ECB)
 
@@ -157,7 +157,7 @@ There is a security proof for CBC mode.
 > For any $q$-query adversary $\mathcal{A}$, there exists a PRP adversary $\mathcal{B}$ such that
 >
 > $$
-> \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}, E] \leq 2 \cdot \mathrm{Adv}_{\mathrm{PRP}}[\mathcal{B}, E] + \frac{2q^2L^2}{\left\lvert X \right\lvert}.
+> \mathrm{Adv} _ {\mathrm{CPA}}[\mathcal{A}, E] \leq 2 \cdot \mathrm{Adv} _ {\mathrm{PRP}}[\mathcal{B}, E] + \frac{2q^2L^2}{\left\lvert X \right\lvert}.
 > $$
 
 *Proof*. See Theorem 5.4.[^2]
@@ -166,16 +166,16 @@ From the above theorem, note that CBC is only secure as long as $q^2L^2 \ll \lef
 
 Also, CBC mode is not secure if the adversary can predict the IV of the next message. Proceed as follows:
 
-> 1. Query the challenger for an encryption of $m_0$ and $m_1$.
-> 2. Receive $\mathrm{IV}_0, E(k, \mathrm{IV}_0 \oplus m_0)$ and $\mathrm{IV}_1, E(k, \mathrm{IV}_1 \oplus m_1)$.
-> 3. Predict the next IV as $\mathrm{IV}_2$, and set the new query pair as
+> 1. Query the challenger for an encryption of $m _ 0$ and $m _ 1$.
+> 2. Receive $\mathrm{IV} _ 0, E(k, \mathrm{IV} _ 0 \oplus m _ 0)$ and $\mathrm{IV} _ 1, E(k, \mathrm{IV} _ 1 \oplus m _ 1)$.
+> 3. Predict the next IV as $\mathrm{IV} _ 2$, and set the new query pair as
 >
 > 	$$
-> 	m_0' = \mathrm{IV}_2 \oplus \mathrm{IV}_0 \oplus m_0, \quad m_1' = \mathrm{IV}_2 \oplus \mathrm{IV}_1 \oplus m_1
+> 	m _ 0' = \mathrm{IV} _ 2 \oplus \mathrm{IV} _ 0 \oplus m _ 0, \quad m _ 1' = \mathrm{IV} _ 2 \oplus \mathrm{IV} _ 1 \oplus m _ 1
 > 	$$
 >
 > and send it to the challenger.
-> 4. In experiment $b$, the adversary will receive $E(k, \mathrm{IV}_b \oplus m_b)$. Compare this with the result of the query from (2). The adversary wins with advantage $1$.
+> 4. In experiment $b$, the adversary will receive $E(k, \mathrm{IV} _ b \oplus m _ b)$. Compare this with the result of the query from (2). The adversary wins with advantage $1$.
 
 (More on this to be added)
 
@@ -184,12 +184,12 @@ Also, CBC mode is not secure if the adversary can predict the IV of the next mes
 We can also use a **unique** nonce to generate the IV. Specifically,
 
 $$
-\mathrm{IV} = E(k_1, n)
+\mathrm{IV} = E(k _ 1, n)
 $$
 
-where $k_1$ is the new key and $n$ is a nonce. The ciphertext starts with $n$ instead of the $\mathrm{IV}$.
+where $k _ 1$ is the new key and $n$ is a nonce. The ciphertext starts with $n$ instead of the $\mathrm{IV}$.
 
-Note that if $k_1$ is the same as the key used for encrypting messages, then this scheme is insecure. See Exercise 5.14.[^2]
+Note that if $k _ 1$ is the same as the key used for encrypting messages, then this scheme is insecure. See Exercise 5.14.[^2]
 
 ### Counter Mode (CTR)
 
@@ -209,7 +209,7 @@ There is also a security proof for CTR mode.
 > For any $q$-query adversary $\mathcal{A}$ against $E$, there exists a PRF adversary $\mathcal{B}$ such that
 >
 > $$
-> \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}, E] \leq 2\cdot\mathrm{Adv}_{\mathrm{PRF}}[\mathcal{B}, F] + \frac{4q^2L}{\left\lvert X \right\lvert}.
+> \mathrm{Adv} _ {\mathrm{CPA}}[\mathcal{A}, E] \leq 2\cdot\mathrm{Adv} _ {\mathrm{PRF}}[\mathcal{B}, F] + \frac{4q^2L}{\left\lvert X \right\lvert}.
 > $$
 
 *Proof.* Refer to Theorem 5.3.[^2]

_posts/lecture-notes/modern-cryptography/2023-09-21-macs.md

@@ -51,11 +51,11 @@ This is called **canonical verification**. All real-world MACs use canonical ver
 
 In the security definition of MACs, we allow the attacker to request tags for arbitrary messages of its choice, called **chosen-message attacks**. This assumption will allow the attacker to collect a bunch of valid $(m, t)$ pairs. In this setting, we require the attacker to forge a **new** valid message-tag pair, which is different from what the attacker has. Also, it is not required that the forged message $m$ have any meaning. This is called **existential forgery**. A MAC system is secure if an existential forgery is almost impossible. Note that we are giving the adversary much power in the definition, to be conservative.
 
-- Attacker is given $t_i \leftarrow S(k, m_i)$ for $m_1, \dots, m_q$ of his choice.
+- Attacker is given $t _ i \leftarrow S(k, m _ i)$ for $m _ 1, \dots, m _ q$ of his choice.
 	- Attacker has a *signing oracle*.
 - Attacker's goal is **existential forgery**.
-	- **MAC**: generate a *new* valid message-tag pair $(m, t)$ such that $V(k, m, t) = 1$ and $m \notin \left\lbrace m_1, \dots, m_q \right\rbrace$.
-	- **Strong MAC**: generate a *new* valid message-tag pair $(m, t)$ $V(k, m, t) = 1$ and $(m, t) \notin \left\lbrace (m_1, t_1), \dots, (m_q, t_q) \right\rbrace$.
+	- **MAC**: generate a *new* valid message-tag pair $(m, t)$ such that $V(k, m, t) = 1$ and $m \notin \left\lbrace m _ 1, \dots, m _ q \right\rbrace$.
+	- **Strong MAC**: generate a *new* valid message-tag pair $(m, t)$ $V(k, m, t) = 1$ and $(m, t) \notin \left\lbrace (m _ 1, t _ 1), \dots, (m _ q, t _ q) \right\rbrace$.
 
 For strong MACs, the attacker only has to change the tag for the attack to succeed.
 
@@ -65,15 +65,15 @@ For strong MACs, the attacker only has to change the tag for the attack to succe
 > 
 > 1. The challenger picks a random $k \leftarrow \mathcal{K}$.
 > 2. $\mathcal{A}$ queries the challenger $q$ times.
-> 	- The $i$-th signing query is a message $m_i$, and receives $t_i \leftarrow S(k, m_i)$.
+> 	- The $i$-th signing query is a message $m _ i$, and receives $t _ i \leftarrow S(k, m _ i)$.
 > 3. $\mathcal{A}$ outputs a new forged pair $(m, t)$ that is not among the queried pairs.
-> 	- $m \notin \left\lbrace m_1, \dots,m_q \right\rbrace$
-> 	- $(m, t) \notin \left\lbrace (m_1, t_1), \dots, (m_q, t_q) \right\rbrace$ (for strong MAC)
+> 	- $m \notin \left\lbrace m _ 1, \dots,m _ q \right\rbrace$
+> 	- $(m, t) \notin \left\lbrace (m _ 1, t _ 1), \dots, (m _ q, t _ q) \right\rbrace$ (for strong MAC)
 > 
 > $\mathcal{A}$ wins if $(m, t)$ is a valid pair under $k$. Let this event be $W$. The **MAC advantage** with respect to $\Pi$ is defined as
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{A}, \Pi] = \Pr[W]
+> \mathrm{Adv} _ {\mathrm{MAC}}[\mathcal{A}, \Pi] = \Pr[W]
 > $$
 > 
 > and a MAC $\Pi$ is secure if the advantage is negligible for any efficient $\mathcal{A}$. In this case, we say that $\Pi$ is **existentially unforgeable under a chosen message attack**.
@@ -82,7 +82,7 @@ If a MAC is secure, the attacker learns almost nothing from the $q$ queries. i.e
 
 ### MAC Security with Verification Queries
 
-The above definition can be modified to include **verification queries**, where the adversary $\mathcal{A}$ queries $(m_j, t_j) \in \mathcal{M} \times \mathcal{T}$ and the challenger responds with $V(k, m_j, t_j)$. $\mathcal{A}$ wins if any verification query is returned with $1$ ($\texttt{accept}$).
+The above definition can be modified to include **verification queries**, where the adversary $\mathcal{A}$ queries $(m _ j, t _ j) \in \mathcal{M} \times \mathcal{T}$ and the challenger responds with $V(k, m _ j, t _ j)$. $\mathcal{A}$ wins if any verification query is returned with $1$ ($\texttt{accept}$).
 
 It can be shown that for **strong MACs**, these two definitions are equivalent. See Theorem 6.1.[^1] For (just) MACs, these are not equivalent. See Exercise 6.7.[^1]
 
@@ -113,7 +113,7 @@ This MAC is **derived from $F$**, and is deterministic. This scheme is secure as
 > For every efficient MAC adversary $\mathcal{A}$ against $\Pi$, there exists an efficient PRF adversary $\mathcal{B}$ such that
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{A}, \Pi] \leq \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{B}, F] + \frac{1}{\left\lvert Y \right\lvert}.
+> \mathrm{Adv} _ {\mathrm{MAC}}[\mathcal{A}, \Pi] \leq \mathrm{Adv} _ {\mathrm{PRF}}[\mathcal{B}, F] + \frac{1}{\left\lvert Y \right\lvert}.
 > $$
 
 *Proof*. See Theorem 6.2.[^1]
@@ -126,13 +126,13 @@ The above construction uses a PRF, so it is restricted to messages of fixed size
 
 ![mc-04-cbc-mac.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-04-cbc-mac.png)
 
-> **Definition.** For any message $m = (m_0, m_1, \dots, m_{l-1}) \in \left\lbrace 0, 1 \right\rbrace^{nl}$, let $F_k := F(k, \cdot)$.
+> **Definition.** For any message $m = (m _ 0, m _ 1, \dots, m _ {l-1}) \in \left\lbrace 0, 1 \right\rbrace^{nl}$, let $F _ k := F(k, \cdot)$.
 > 
 > $$
-> S_\mathrm{CBC}(m) = F_k(F_k(\cdots F_k(F_k(m_0) \oplus m_1) \oplus \cdots) \oplus m_{l-1}).
+> S _ \mathrm{CBC}(m) = F _ k(F _ k(\cdots F _ k(F _ k(m _ 0) \oplus m _ 1) \oplus \cdots) \oplus m _ {l-1}).
 > $$
 
-$S_\mathrm{CBC}$ is similar to CBC mode encryption, but there is no intermediate output, and the IV is fixed as $0^n$.
+$S _ \mathrm{CBC}$ is similar to CBC mode encryption, but there is no intermediate output, and the IV is fixed as $0^n$.
 
 > **Theorem.** If $F : \mathcal{K} \times \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ is a secure PRF, then **for a fixed $l$**, CBC-MAC is secure for messages $\mathcal{M} = \left\lbrace 0, 1 \right\rbrace^{nl}$.
 
@@ -144,14 +144,14 @@ For any messages *shorter than* $nl$, CBC-MAC is not secure. So the length of th
 
 To see this, consider the following **extension attack**.
 
-1. Pick an arbitrary $m_0 \in \left\lbrace 0, 1 \right\rbrace^n$.
-2. Request the tag $t = F(k, m_0)$.
-3. Set $m_1 = t \oplus m_0$ and output $(m_0, m_1) \in \left\lbrace 0, 1 \right\rbrace^{2n}$ and $t$ as the tag.
+1. Pick an arbitrary $m _ 0 \in \left\lbrace 0, 1 \right\rbrace^n$.
+2. Request the tag $t = F(k, m _ 0)$.
+3. Set $m _ 1 = t \oplus m _ 0$ and output $(m _ 0, m _ 1) \in \left\lbrace 0, 1 \right\rbrace^{2n}$ and $t$ as the tag.
 
 Then the verification works since
 
 $$
-S_\mathrm{CBC}(k, (m_0, t\oplus m_0)) = F(k, F(k, m_0) \oplus (t \oplus m_0)) = F(k, m_0) = t.
+S _ \mathrm{CBC}(k, (m _ 0, t\oplus m _ 0)) = F(k, F(k, m _ 0) \oplus (t \oplus m _ 0)) = F(k, m _ 0) = t.
 $$
 
 #### Random IV is Insecure
@@ -165,21 +165,21 @@ If we use random IV instead of $0^n$, CBC-MAC is insecure. Suppose a random IV w
 Then the verification works since
 
 $$
-S_\mathrm{CBC}(k, \mathrm{IV} \oplus m) = F(k, (\mathrm{IV} \oplus m) \oplus \mathrm{IV}) = F(k, m) = t.
+S _ \mathrm{CBC}(k, \mathrm{IV} \oplus m) = F(k, (\mathrm{IV} \oplus m) \oplus \mathrm{IV}) = F(k, m) = t.
 $$
 
 #### Disclosing Intermediate Values is Insecure
 
 If CBC-MAC outputs all intermediate values of $F(k, \cdot)$, then CBC-MAC is insecure. Consider the following attack.
 
-1. Pick an arbitrary $(m_0, m_1) \in \left\lbrace 0, 1 \right\rbrace^{2n}$.
-2. Request the computed values $(t_0, t)$, where $t_0 = F(k, m_0)$ and $t = F(k, m_1 \oplus t_0)$.
-3. Send $(m_0, m_0 \oplus t_0) \in \left\lbrace 0, 1 \right\rbrace^{2n}$ and tag $t_0$.
+1. Pick an arbitrary $(m _ 0, m _ 1) \in \left\lbrace 0, 1 \right\rbrace^{2n}$.
+2. Request the computed values $(t _ 0, t)$, where $t _ 0 = F(k, m _ 0)$ and $t = F(k, m _ 1 \oplus t _ 0)$.
+3. Send $(m _ 0, m _ 0 \oplus t _ 0) \in \left\lbrace 0, 1 \right\rbrace^{2n}$ and tag $t _ 0$.
 
 Then the verification works since
 
 $$
-S_\mathrm{CBC}(k, (m_0, m_0 \oplus t_0)) = F(k, F(k, m_0) \oplus (m_0 \oplus t_0)) = F(k, m_0) = t_0.
+S _ \mathrm{CBC}(k, (m _ 0, m _ 0 \oplus t _ 0)) = F(k, F(k, m _ 0) \oplus (m _ 0 \oplus t _ 0)) = F(k, m _ 0) = t _ 0.
 $$
 
 The lesson is that *cryptographic constructions should be implemented exactly as it was specified, without any unproven variations*.
@@ -196,15 +196,15 @@ However, this cannot be used if the length of the message is not known in advanc
 
 > **Proposition.** Appending the length of the message in CBC-MAC is insecure.
 
-*Proof*. Let $n$ be the length of a block. Query $m_1, m_2, m_1 \parallel n \parallel m_3$ and receive $3$ tags, $t_1 = E_k(E_k(m_1) \oplus n)$, $t_2 = E_k(E_k(m_2) \oplus n)$, $t_3 = E_k(E_k(t_1 \oplus m_3) \oplus 3n)$.
+*Proof*. Let $n$ be the length of a block. Query $m _ 1, m _ 2, m _ 1 \parallel n \parallel m _ 3$ and receive $3$ tags, $t _ 1 = E _ k(E _ k(m _ 1) \oplus n)$, $t _ 2 = E _ k(E _ k(m _ 2) \oplus n)$, $t _ 3 = E _ k(E _ k(t _ 1 \oplus m _ 3) \oplus 3n)$.
 
-Now forge a message-tag pair $(m_2 \parallel n \parallel (m_3 \oplus t_1 \oplus t_2), t_3)$. Then the tag is
+Now forge a message-tag pair $(m _ 2 \parallel n \parallel (m _ 3 \oplus t _ 1 \oplus t _ 2), t _ 3)$. Then the tag is
 
 $$
-E_k(E_k(\overbrace{E_k(E_k(m_2) \oplus n)}^{t_2} \oplus m_3 \oplus t_1 \oplus t_2) \oplus 3n) = E_k(E_k(t_1 \oplus m_3) \oplus 3n)
+E _ k(E _ k(\overbrace{E _ k(E _ k(m _ 2) \oplus n)}^{t _ 2} \oplus m _ 3 \oplus t _ 1 \oplus t _ 2) \oplus 3n) = E _ k(E _ k(t _ 1 \oplus m _ 3) \oplus 3n)
 $$
 
-which equals $t_3$. Note that the same logic works if the length is *anywhere* in the message, except for the beginning.
+which equals $t _ 3$. Note that the same logic works if the length is *anywhere* in the message, except for the beginning.
 
 ### Encrypt Last Block (ECBC-MAC)
 
@@ -214,12 +214,12 @@ ECBC-MAC doesn't require us to know the message length in advance, but it is rel
 
 ![mc-04-ecbc-mac.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-04-ecbc-mac.png)
 
-> **Theorem.** Let $F : \mathcal{K} \times X \rightarrow X$ be a secure PRF. Then for any $l \geq 0$, $F_\mathrm{ECBC} : \mathcal{K}^2 \times X^{\leq l} \rightarrow X$ is a secure PRF.
+> **Theorem.** Let $F : \mathcal{K} \times X \rightarrow X$ be a secure PRF. Then for any $l \geq 0$, $F _ \mathrm{ECBC} : \mathcal{K}^2 \times X^{\leq l} \rightarrow X$ is a secure PRF.
 > 
-> For any efficient $q$-query PRF adversary $\mathcal{A}$ against $F_\mathrm{ECBC}$, there exists an efficient PRF adversary $\mathcal{B}$ such that
+> For any efficient $q$-query PRF adversary $\mathcal{A}$ against $F _ \mathrm{ECBC}$, there exists an efficient PRF adversary $\mathcal{B}$ such that
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{A}, F_\mathrm{ECBC}] \leq \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{B}, F] + \frac{2q^2l^2}{\left\lvert X \right\lvert}.
+> \mathrm{Adv} _ {\mathrm{PRF}}[\mathcal{A}, F _ \mathrm{ECBC}] \leq \mathrm{Adv} _ {\mathrm{PRF}}[\mathcal{B}, F] + \frac{2q^2l^2}{\left\lvert X \right\lvert}.
 > $$
 > 
 > [^2]
@@ -238,12 +238,12 @@ It is easy to see that (E)CBC is an extendable PRF.
 
 #### Attacking ECBC with $\sqrt{\left\lvert X \right\lvert}$ Messages
 
-1. Make $q = \sqrt{\left\lvert X \right\lvert}$ queries using random messages $m_i \in X$ and obtain $t_i = F_\mathrm{ECBC}(k, m_i)$.
-2. With a high probability, there is a collision $t_i = t_j$ for $i \neq j$.
-3. Query for $m_i \parallel m$ and receive the tag $t$.
-4. Return a forged pair $(m_j \parallel m, t)$.
+1. Make $q = \sqrt{\left\lvert X \right\lvert}$ queries using random messages $m _ i \in X$ and obtain $t _ i = F _ \mathrm{ECBC}(k, m _ i)$.
+2. With a high probability, there is a collision $t _ i = t _ j$ for $i \neq j$.
+3. Query for $m _ i \parallel m$ and receive the tag $t$.
+4. Return a forged pair $(m _ j \parallel m, t)$.
 
-This works because ECBC is an extendable PRF. $t$ also works as a valid tag for $m_j \parallel m$.
+This works because ECBC is an extendable PRF. $t$ also works as a valid tag for $m _ j \parallel m$.
 
 So ECBC becomes insecure after signing $\sqrt{\left\lvert X \right\lvert}$ messages.
 

_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md

@@ -34,18 +34,18 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
 > **Experiment $b$.**
 > 1. The challenger fixes a key $k \leftarrow \mathcal{K}$.
 > 2. $\mathcal{A}$ makes a series of queries to the challenger, which is one of the following two types.
-> 	- *Encryption*: Send $m_i$ and receive $c'_i = E(k, m_i)$.
-> 	- *Decryption*: Send $c_i$ and receive $m'_i = D(k, c_i)$.
-> 	- Note that $\mathcal{A}$ is not allowed to make a decryption query for any $c_i'$.
-> 3. $\mathcal{A}$ outputs a pair of messages $(m_0^\ast , m_1^\ast)$.
-> 4. The challenger generates $c^\ast \leftarrow E(k, m_b^\ast)$ and gives it to $\mathcal{A}$.
+> 	- *Encryption*: Send $m _ i$ and receive $c' _ i = E(k, m _ i)$.
+> 	- *Decryption*: Send $c _ i$ and receive $m' _ i = D(k, c _ i)$.
+> 	- Note that $\mathcal{A}$ is not allowed to make a decryption query for any $c _ i'$.
+> 3. $\mathcal{A}$ outputs a pair of messages $(m _ 0^\ast , m _ 1^\ast)$.
+> 4. The challenger generates $c^\ast \leftarrow E(k, m _ b^\ast)$ and gives it to $\mathcal{A}$.
 > 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^\ast$.
 > 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
 > 
-> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mathcal{E}$** is defined as
+> Let $W _ b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mathcal{E}$** is defined as
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{CCA}}[\mathcal{A}, \mathcal{E}] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
+> \mathrm{Adv} _ {\mathrm{CCA}}[\mathcal{A}, \mathcal{E}] = \left\lvert \Pr[W _ 0] - \Pr[W _ 1] \right\lvert.
 > $$
 > 
 > If the CCA advantage is negligible for all efficient adversaries $\mathcal{A}$, then $\mathcal{E}$ is **semantically secure against a chosen ciphertext attack**, or simply **CCA secure**.
@@ -54,7 +54,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
 
 None of the encryption schemes already seen thus far is CCA secure.
 
-Recall a [CPA secure construction from PRF](./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^\ast = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
+Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption/#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^\ast = (r, F(k, r) \oplus m _ b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m _ b$.
 
 In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.
 
@@ -66,14 +66,14 @@ Suppose that there is a proxy server in the middle, that forwards the message to
 
 An adversary at destination 25 wants to receive the message sent to destination $80$. This can be done by modifying the destination to $\texttt{25}$.
 
-Suppose we used CBC mode encryption. Then the first block of the ciphertext would contain the IV, the next block would contain $E(k, \mathrm{IV} \oplus m_0)$.
+Suppose we used CBC mode encryption. Then the first block of the ciphertext would contain the IV, the next block would contain $E(k, \mathrm{IV} \oplus m _ 0)$.
 
 The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^\ast$ where $m^\ast$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated)
 
 Then the decryption works as normal,
 
 $$
-D(k, c_0) \oplus \mathrm{IV}' = (m_0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m_0 \oplus m^\ast.
+D(k, c _ 0) \oplus \mathrm{IV}' = (m _ 0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m _ 0 \oplus m^\ast.
 $$
 
 The destination of the original message has been changed, even though the adversary had no information of the key.
@@ -90,12 +90,12 @@ In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \m
 > 
 > 1. The challenger picks a random $k \leftarrow \mathcal{K}$.
 > 2. $\mathcal{A}$ queries the challenger $q$ times.
-> 	- The $i$-th query is a message $m_i$, and receives $c_i \leftarrow E(k, m_i)$.
+> 	- The $i$-th query is a message $m _ i$, and receives $c _ i \leftarrow E(k, m _ i)$.
 > 3. $\mathcal{A}$ outputs a candidate ciphertext $c \in \mathcal{C}$ that is not among the ciphertexts it was given by querying.
 > 
 > $\mathcal{A}$ wins if $c$ is a valid ciphertext under $k$. i.e, $D(k, c) \neq \bot$.
 > 
-> The **CI advantage** with respect to $\mathcal{E}$ $\mathrm{Adv}_{\mathrm{CI}}[\mathcal{A}, \mathcal{E}]$ is defined as the probability that $\mathcal{A}$ wins the game. If the advantage is negligible for any efficient $\mathcal{A}$, we say that $\mathcal{E}$ provides **ciphertext integrity**. (CI)
+> The **CI advantage** with respect to $\mathcal{E}$ $\mathrm{Adv} _ {\mathrm{CI}}[\mathcal{A}, \mathcal{E}]$ is defined as the probability that $\mathcal{A}$ wins the game. If the advantage is negligible for any efficient $\mathcal{A}$, we say that $\mathcal{E}$ provides **ciphertext integrity**. (CI)
 
 If a scheme provides ciphertext integrity, then it will almost surely receive $\bot$ for some randomly generated ciphertext, and also for a valid ciphertext that was changed a little bit.
 
@@ -119,10 +119,10 @@ This theorem enables us to use AE secure schemes as a CCA secure scheme.
 
 > **Theorem.** Let $\mathcal{E} = (E, D)$ be a cipher. If $\mathcal{E}$ is AE-secure, then it is CCA-secure.
 > 
-> For any efficient $q$-query CCA adversary $\mathcal{A}$, there exists efficient adversaries $\mathcal{B}_\mathrm{CPA}$ and $\mathcal{B}_\mathrm{CI}$ such that
+> For any efficient $q$-query CCA adversary $\mathcal{A}$, there exists efficient adversaries $\mathcal{B} _ \mathrm{CPA}$ and $\mathcal{B} _ \mathrm{CI}$ such that
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{CCA}}[\mathcal{A}, \mathcal{E}] \leq \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{B}_\mathrm{CPA}, \mathcal{E}] + 2q \cdot \mathrm{Adv}_{\mathrm{CI}}[\mathcal{B}_\mathrm{CI}, \mathcal{E}].
+> \mathrm{Adv} _ {\mathrm{CCA}}[\mathcal{A}, \mathcal{E}] \leq \mathrm{Adv} _ {\mathrm{CPA}}[\mathcal{B} _ \mathrm{CPA}, \mathcal{E}] + 2q \cdot \mathrm{Adv} _ {\mathrm{CI}}[\mathcal{B} _ \mathrm{CI}, \mathcal{E}].
 > $$
 
 *Proof*. Check Theorem 9.1.[^1]
@@ -148,7 +148,7 @@ In **Encrypt-and-MAC**, encryption and authentication is done in parallel.
 > Given a message $m$, the sender outputs $(c, t)$ where
 > 
 > $$
-> c \leftarrow E(k_1, m), \quad t \leftarrow  S(k_2, m).
+> c \leftarrow E(k _ 1, m), \quad t \leftarrow  S(k _ 2, m).
 > $$
 
 This approach does not provide AE. In general, the tag may leak some information about the original message. This is because MACs do not care about the privacy of messages.
@@ -162,10 +162,10 @@ In **MAC-then-Encrypt**, the tag is computed and the message-tag pair is encrypt
 > Given a message $m$, the sender outputs $c$ where
 > 
 > $$
-> t \leftarrow S(k_2, m), \quad c \leftarrow E(k_1, m\parallel t).
+> t \leftarrow S(k _ 2, m), \quad c \leftarrow E(k _ 1, m\parallel t).
 > $$
 > 
-> Decryption is done by $(m, t) \leftarrow D(k_1, c)$ and then verifying the tag with $V(k_2, m, t)$.
+> Decryption is done by $(m, t) \leftarrow D(k _ 1, c)$ and then verifying the tag with $V(k _ 2, m, t)$.
 
 This is not secure either. It is known that the attacker can decrypt all traffic using a chosen ciphertext attack. (padding oracle attacks) Check Section 9.4.2.[^1]
 
@@ -176,23 +176,23 @@ In **Encrypt-then-MAC**, the encrypted message is signed, and is known to be sec
 > Given a message $m$, the sender outputs $(c, t)$ where
 > 
 > $$
-> c \leftarrow E(k_1, m), \quad t \leftarrow S(k_2, c).
+> c \leftarrow E(k _ 1, m), \quad t \leftarrow S(k _ 2, c).
 > $$
 > 
-> Decryption is done by returning $D(k_1, c)$ only if verification $V(k_2, c, t)$ succeeds.
+> Decryption is done by returning $D(k _ 1, c)$ only if verification $V(k _ 2, c, t)$ succeeds.
 
-> **Theorem.** Let $\mathcal{E} = (E, D)$ be a cipher and let $\Pi = (S, V)$ be a MAC system. If $\mathcal{E}$ is CPA secure cipher and $\Pi$ is a strongly secure MAC, then $\mathcal{E}_\mathrm{EtM}$ is AE secure.
+> **Theorem.** Let $\mathcal{E} = (E, D)$ be a cipher and let $\Pi = (S, V)$ be a MAC system. If $\mathcal{E}$ is CPA secure cipher and $\Pi$ is a strongly secure MAC, then $\mathcal{E} _ \mathrm{EtM}$ is AE secure.
 > 
-> For every efficient CI adversary $\mathcal{A}_\mathrm{CI}$ attacking $\mathcal{E}_\mathrm{EtM}$, there exists an efficient MAC adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\Pi$ such that
+> For every efficient CI adversary $\mathcal{A} _ \mathrm{CI}$ attacking $\mathcal{E} _ \mathrm{EtM}$, there exists an efficient MAC adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\Pi$ such that
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{CI}}[\mathcal{A}_\mathrm{CI}, \mathcal{E}_\mathrm{EtM}] = \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{B}_\mathrm{MAC}, \Pi].
+> \mathrm{Adv} _ {\mathrm{CI}}[\mathcal{A} _ \mathrm{CI}, \mathcal{E} _ \mathrm{EtM}] = \mathrm{Adv} _ {\mathrm{MAC}}[\mathcal{B} _ \mathrm{MAC}, \Pi].
 > $$
 > 
-> For every efficient CPA adversary $\mathcal{A}_\mathrm{CPA}$ attacking $\mathcal{E}_\mathrm{EtM}$, there exists an efficient CPA adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\mathcal{E}$ such that
+> For every efficient CPA adversary $\mathcal{A} _ \mathrm{CPA}$ attacking $\mathcal{E} _ \mathrm{EtM}$, there exists an efficient CPA adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\mathcal{E}$ such that
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}_\mathrm{CPA}, \mathcal{E}_\mathrm{EtM}] = \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{B}_\mathrm{CPA}, \mathcal{E}].
+> \mathrm{Adv} _ {\mathrm{CPA}}[\mathcal{A} _ \mathrm{CPA}, \mathcal{E} _ \mathrm{EtM}] = \mathrm{Adv} _ {\mathrm{CPA}}[\mathcal{B} _ \mathrm{CPA}, \mathcal{E}].
 > $$
 
 *Proof*. See Theorem 9.2.[^1]
@@ -201,7 +201,7 @@ In **Encrypt-then-MAC**, the encrypted message is signed, and is known to be sec
 
 #### Common Mistakes in EtM Implementation
 
-- Do not use the same key for $\mathcal{E}$ and $\Pi$. The security proof above relies on the fact that the two keys $k_1, k_2 \in \mathcal{K}$ were chosen independently. See Exercise 9.8.[^1]
+- Do not use the same key for $\mathcal{E}$ and $\Pi$. The security proof above relies on the fact that the two keys $k _ 1, k _ 2 \in \mathcal{K}$ were chosen independently. See Exercise 9.8.[^1]
 - MAC must be applied to the full ciphertext. For example, if IV is not protected by the MAC, the attacker can create a new valid ciphertext by changing the IV.
 
 [^1]: A Graduate Course in Applied Cryptography

_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md

@@ -29,12 +29,12 @@ But *cryptographic hash functions* are different. They should *avoid* collisions
 
 Intuitively, a function $H$ is collision resistant if it is computationally infeasible to find a collision for $H$. Formally, this can be defined also in the form of a security game.
 
-> **Definition.** Let $H$ be a hash function defined over $(\mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the adversary outputs two messages $m_0, m_1 \in \mathcal{M}$.
+> **Definition.** Let $H$ be a hash function defined over $(\mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the adversary outputs two messages $m _ 0, m _ 1 \in \mathcal{M}$.
 > 
-> $\mathcal{A}$ wins the game if $H(m_0) = H(m_1)$ and $m_0 \neq m_1$. The **advantage** of $\mathcal{A}$ with respect to $H$ is defined as the probability that $\mathcal{A}$ wins the game.
+> $\mathcal{A}$ wins the game if $H(m _ 0) = H(m _ 1)$ and $m _ 0 \neq m _ 1$. The **advantage** of $\mathcal{A}$ with respect to $H$ is defined as the probability that $\mathcal{A}$ wins the game.
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{CR}}[\mathcal{A}, H] = \Pr[H(m_0) = H(m_1) \wedge m_0 \neq m_1].
+> \mathrm{Adv} _ {\mathrm{CR}}[\mathcal{A}, H] = \Pr[H(m _ 0) = H(m _ 1) \wedge m _ 0 \neq m _ 1].
 > $$
 > 
 > If the advantage is negligible for any efficient adversary $\mathcal{A}$, then the hash function $H$ is **collision resistant**.
@@ -59,10 +59,10 @@ Let $\Pi = (S, V)$ be a MAC scheme defined over $(\mathcal{K}, \mathcal{M}, \mat
 > 
 > If $\Pi$ is a secure MAC and $H$ is collision resistant, then $\Pi'$ is a secure MAC.
 > 
-> For any efficient adversary $\mathcal{A}$ attacking $\Pi'$, there exist a MAC adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\Pi$ and an adversary $\mathcal{B}_\mathrm{CR}$ attacking $H$ such that
+> For any efficient adversary $\mathcal{A}$ attacking $\Pi'$, there exist a MAC adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\Pi$ and an adversary $\mathcal{B} _ \mathrm{CR}$ attacking $H$ such that
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{A}, \Pi'] \leq \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{B}_\mathrm{MAC}, \Pi] + \mathrm{Adv}_{\mathrm{CR}}[\mathcal{B}_\mathrm{CR}, H].
+> \mathrm{Adv} _ {\mathrm{MAC}}[\mathcal{A}, \Pi'] \leq \mathrm{Adv} _ {\mathrm{MAC}}[\mathcal{B} _ \mathrm{MAC}, \Pi] + \mathrm{Adv} _ {\mathrm{CR}}[\mathcal{B} _ \mathrm{CR}, H].
 > $$
 
 *Proof*. See Theorem 8.1.[^2]
@@ -83,8 +83,8 @@ Actually, the attacker doesn't have to hash that many messages. This is because
 
 Let $N$ be the size of the hash space. (If the hash is $n$ bits, then $N = 2^n$)
 
-> 1. Sample $s$ uniform random messages $m_1, \dots, m_s \in \mathcal{M}$.
-> 2. Compute $x_i \leftarrow H(m_i)$.
+> 1. Sample $s$ uniform random messages $m _ 1, \dots, m _ s \in \mathcal{M}$.
+> 2. Compute $x _ i \leftarrow H(m _ i)$.
 > 3. Find and output a collision if it exists.
 
 > **Lemma.** The above algorithm will output a collision with probability at least $1/2$ when $s \geq 1.2\sqrt{N}$.
@@ -92,7 +92,7 @@ Let $N$ be the size of the hash space. (If the hash is $n$ bits, then $N = 2^n$)
 *Proof*. We show that the probability of no collisions is less than $1/2$. The probability that there is no collision is
 
 $$
-\prod_{i=1}^{s-1}\left( 1-\frac{i}{N} \right) \leq \prod_{i=1}^{s-1} \exp\left( -\frac{i}{N} \right) = \exp\left( -\frac{s(s-1)}{2N} \right).
+\prod _ {i=1}^{s-1}\left( 1-\frac{i}{N} \right) \leq \prod _ {i=1}^{s-1} \exp\left( -\frac{i}{N} \right) = \exp\left( -\frac{s(s-1)}{2N} \right).
 $$
 
 So solving $\exp\left( -s(s-1)/2N \right) < 1/2$ for $s$ gives approximately $s \geq \sqrt{(2\log2)N} \approx 1.17 \sqrt{N}$.
@@ -113,13 +113,13 @@ The Merkle-Damgård transform gives as a way to extend our input domain of the h
 > 
 > 1. Given an input $m \in \left\lbrace 0, 1 \right\rbrace^{\leq L}$, pad $m$ so that the length of $m$ is a multiple of $l$.
 > 	- The padding block $\mathrm{PB}$ must contain an encoding of the input message length. i.e, it is of the form $100\dots00\parallel\left\lvert m \right\lvert$.
-> 2. Then partition the input into $l$-bit blocks so that $m' = m_1 \parallel m_2 \parallel \cdots \parallel m_s$.
-> 3. Set $t_0 \leftarrow \mathrm{IV} \in \left\lbrace 0, 1 \right\rbrace^n$.
-> 4. For $i = 1, \dots, s$, calculate $t_i \leftarrow h(t_{i-1}, m_i)$.
-> 5. Return $t_s$.
+> 2. Then partition the input into $l$-bit blocks so that $m' = m _ 1 \parallel m _ 2 \parallel \cdots \parallel m _ s$.
+> 3. Set $t _ 0 \leftarrow \mathrm{IV} \in \left\lbrace 0, 1 \right\rbrace^n$.
+> 4. For $i = 1, \dots, s$, calculate $t _ i \leftarrow h(t _ {i-1}, m _ i)$.
+> 5. Return $t _ s$.
 
 - The function $h$ is called the **compression function**.
-- The $t_i$ values are called **chaining values**.
+- The $t _ i$ values are called **chaining values**.
 - Note that because of the padding block can be at most $l$-bits, the maximum message length is $2^l$, but usually $l = 64$, so it is enough.
 - $\mathrm{IV}$ is fixed to some value, and is usually set to some complicated string.
 - We included the length of the message in the padding. This will be used in the security proof.
@@ -130,17 +130,17 @@ The Merkle-Damgård construction is secure.
 
 *Proof*. We show by contradiction. Suppose that an adversary $\mathcal{A}$ of $H$ found a collision for $H$. Let $H(m) = H(m')$ for $m \neq m'$. Now we construct an adversary $\mathcal{B}$ of $h$. $\mathcal{B}$ will examine $m$ and $m'$ and work its way backwards.
 
-Suppose that $m = m_1\cdots m_u$ and $m' = m_1'\cdots m_v'$. Let the chaining values be $t_i = h(t_{i-1},m_i)$ and $t_i' = h(t_{i-1}', m_i')$. Then since $H(m) = H(m')$, the very last iteration should give the same output.
+Suppose that $m = m _ 1\cdots m _ u$ and $m' = m _ 1'\cdots m _ v'$. Let the chaining values be $t _ i = h(t _ {i-1},m _ i)$ and $t _ i' = h(t _ {i-1}', m _ i')$. Then since $H(m) = H(m')$, the very last iteration should give the same output.
 
 $$
-h(t_{u-1},m_u) = h(t_{v-1}', m_v').
+h(t _ {u-1},m _ u) = h(t _ {v-1}', m _ v').
 $$
 
-Suppose that $t_{u-1} \neq t_{v-1}'$ and $m_u \neq m_v'$. Then this is a collision for $h$, so $\mathcal{B}$ returns this collision, and we are done. So suppose otherwise. Then $t_{u-1} = t_{v-1}'$ and $m_u = m_v'$. But because the last block contains the padding, the padding values must be the same, which means that the length of these two messages must have been the same, so $u = v$.
+Suppose that $t _ {u-1} \neq t _ {v-1}'$ and $m _ u \neq m _ v'$. Then this is a collision for $h$, so $\mathcal{B}$ returns this collision, and we are done. So suppose otherwise. Then $t _ {u-1} = t _ {v-1}'$ and $m _ u = m _ v'$. But because the last block contains the padding, the padding values must be the same, which means that the length of these two messages must have been the same, so $u = v$.
 
-Now we have $t_{u-1} = t_{u-1}'$, which implies $h(t_{u-2}, m_{u-1}) = h(t_{u-2}', m_{u-1}')$. We can now repeat the same process until the first block. If $\mathcal{B}$ did not find any collision then it means that $m_i = m_i'$ for all $i$, so $m = m'$. This is a contradiction, so $\mathcal{B}$ must have found a collision.
+Now we have $t _ {u-1} = t _ {u-1}'$, which implies $h(t _ {u-2}, m _ {u-1}) = h(t _ {u-2}', m _ {u-1}')$. We can now repeat the same process until the first block. If $\mathcal{B}$ did not find any collision then it means that $m _ i = m _ i'$ for all $i$, so $m = m'$. This is a contradiction, so $\mathcal{B}$ must have found a collision.
 
-By the above argument, we see that $\mathrm{Adv}_{\mathrm{CR}}[\mathcal{A}, H] = \mathrm{Adv}_{\mathrm{CR}}[\mathcal{B}, h]$.
+By the above argument, we see that $\mathrm{Adv} _ {\mathrm{CR}}[\mathcal{A}, H] = \mathrm{Adv} _ {\mathrm{CR}}[\mathcal{B}, h]$.
 
 ### Attacking Merkle-Damgård Hash Functions
 
@@ -150,7 +150,7 @@ See Joux's attack.[^2]
 
 Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives.
 
-Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](./2023-10-03-key-exchange.md#collision-resistance-based-on-dl-problem).
+Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange/#collision-resistance-based-on-dl-problem).
 
 ![mc-06-davies-meyer.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-davies-meyer.png)
 
@@ -169,7 +169,7 @@ Due to the birthday attack, we see that this bound is the best possible.
 There are other constructions of $h$ using the block cipher. But some of them are totally insecure. These are some insecure functions.
 
 $$
-h_1(x, y) = E(y, x) \oplus y, \quad h_2(x, y) = E(x, x \oplus y) \oplus x.
+h _ 1(x, y) = E(y, x) \oplus y, \quad h _ 2(x, y) = E(x, x \oplus y) \oplus x.
 $$
 
 Also, just using $E(y, x)$ is insecure.
@@ -195,7 +195,7 @@ We needed a complicated construction for MACs that work on long messages. We mig
 
 Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$.
 
-Recall that [we can construct a MAC scheme from a PRF](./2023-09-21-macs.md#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
+Recall that [we can construct a MAC scheme from a PRF](../2023-09-21-macs/#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
 
 #### Prepending the Key
 
@@ -211,7 +211,7 @@ Define $S(k, m) = H(k \parallel M \parallel k)$. This can be proven to be a secu
 
 #### Two-Key Nest
 
-Define $S((k_1,k_2), m) = H(k_2 \parallel H(k_1 \parallel m))$. This can also be proven to be a secure PRF under reasonable assumptions. See Section 8.7.1.[^2]
+Define $S((k _ 1,k _ 2), m) = H(k _ 2 \parallel H(k _ 1 \parallel m))$. This can also be proven to be a secure PRF under reasonable assumptions. See Section 8.7.1.[^2]
 
 This can be thought of as blocking the length extension attack from prepending the key method.
 
@@ -219,19 +219,19 @@ This can be thought of as blocking the length extension attack from prepending t
 
 ![mc-06-hmac.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-hmac.png)
 
-This is a variant of the two-key nest, but the difference is that the keys $k_1', k_2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
+This is a variant of the two-key nest, but the difference is that the keys $k _ 1', k _ 2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
 
 $$
-k_1 = k \oplus \texttt{ipad}, \quad k_2 = k\oplus \texttt{opad}
+k _ 1 = k \oplus \texttt{ipad}, \quad k _ 2 = k\oplus \texttt{opad}
 $$
 
 where $\texttt{ipad} = \texttt{0x363636}...$ and $\texttt{opad} = \texttt{0x5C5C5C}...$. Then
 
 $$
-\mathrm{HMAC}(k, m) = H(k_2 \parallel H(k_1 \parallel m)).
+\mathrm{HMAC}(k, m) = H(k _ 2 \parallel H(k _ 1 \parallel m)).
 $$
 
-The security proof given for two-key nest does not apply here, since $k_1$ and $k_2$ are not independent. With stronger assumptions on $h$, then we almost get an optimal security bound.
+The security proof given for two-key nest does not apply here, since $k _ 1$ and $k _ 2$ are not independent. With stronger assumptions on $h$, then we almost get an optimal security bound.
 
 ## The Random Oracle Model
 

_posts/lecture-notes/modern-cryptography/2023-10-03-key-exchange.md

@@ -65,20 +65,20 @@ To implement the above protocol, we need two functions $E$ and $F$ that satisfy
 
 Let $p$ be a large prime, and let $q$ be another large prime dividing $p - 1$. We typically use very large random primes, $p$ is about $2048$ bits long, and $q$ is about $256$ bits long.
 
-All arithmetic will be done in $\mathbb{Z}_p$. We also consider $\mathbb{Z}_p^\ast$ , the **unit group** of $\mathbb{Z}_p$. Since $\mathbb{Z}_p$ is a field, $\mathbb{Z}_p^\ast = \mathbb{Z}_p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z}_p^\ast$ has order $p-1$.
+All arithmetic will be done in $\mathbb{Z} _ p$. We also consider $\mathbb{Z} _ p^\ast$ , the **unit group** of $\mathbb{Z} _ p$. Since $\mathbb{Z} _ p$ is a field, $\mathbb{Z} _ p^\ast = \mathbb{Z} _ p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z} _ p^\ast$ has order $p-1$.
 
-Since $q$ is a prime dividing $p - 1$, $\mathbb{Z}_p^\ast$ has an element $g$ of order $q$.[^1] Let
+Since $q$ is a prime dividing $p - 1$, $\mathbb{Z} _ p^\ast$ has an element $g$ of order $q$.[^1] Let
 
 $$
-G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z}_p^\ast.
+G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z} _ p^\ast.
 $$
 
 We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
 
 ![mc-07-dhke.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-07-dhke.png)
 
-> 1. Alice chooses $\alpha \leftarrow \mathbb{Z}_q$ and computes $g^\alpha$.
-> 2. Bob chooses $\beta \leftarrow \mathbb{Z}_q$ and computes $g^\beta$.
+> 1. Alice chooses $\alpha \leftarrow \mathbb{Z} _ q$ and computes $g^\alpha$.
+> 2. Bob chooses $\beta \leftarrow \mathbb{Z} _ q$ and computes $g^\beta$.
 > 3. Alice and Bob exchange $g^\alpha$ and $g^\beta$ over an insecure channel.
 > 4. Using $\alpha$ and $g^\beta$, Alice computes $g^{\alpha\beta}$.
 > 5. Using $\beta$ and $g^\alpha$, Bob computes $g^{\alpha\beta}$.
@@ -90,32 +90,32 @@ It works!
 
 The protocol is secure if and only if the following holds.
 
-> Let $\alpha, \beta \leftarrow \mathbb{Z}_q$. Given $g^\alpha, g^\beta \in G$, it is hard to compute $g^{\alpha\beta} \in G$.
+> Let $\alpha, \beta \leftarrow \mathbb{Z} _ q$. Given $g^\alpha, g^\beta \in G$, it is hard to compute $g^{\alpha\beta} \in G$.
 
 This is called the **computational Diffie-Hellman assumption**. As we will see below, this is not as strong as the discrete logarithm assumption. But in the real world, CDH assumption is reasonable enough for groups where the DL assumption holds.
 
 ## Discrete Logarithm and Related Assumptions
 
-We have used $E(x) = g^x$ in the above implementation. This function is called the **discrete exponentiation function**. This function is actually a *group isomorphism*, so it has an inverse function called the **discrete logarithm function**. The name comes from the fact that if $u = g^x$, then it can be written as '$x = \log_g u$'.
+We have used $E(x) = g^x$ in the above implementation. This function is called the **discrete exponentiation function**. This function is actually a *group isomorphism*, so it has an inverse function called the **discrete logarithm function**. The name comes from the fact that if $u = g^x$, then it can be written as '$x = \log _ g u$'.
 
 We required that $E$ must be a one-way function for the protocol to work. So it must be hard to compute the discrete logarithm function. There are some problems related to the discrete logarithm, which are used as assumptions in the security proof. They are formalized as a security game, as usual.
 
-$G = \left\langle g \right\rangle \leq \mathbb{Z}_p^\ast$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary.
+$G = \left\langle g \right\rangle \leq \mathbb{Z} _ p^\ast$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary.
 
 ### Discrete Logarithm Problem (DL)
 
 > **Definition.** Let $\mathcal{A}$ be a given adversary.
 > 
-> 1. The challenger chooses $\alpha \leftarrow \mathbb{Z}_q$ and sends $u = g^\alpha$ to the adversary.
-> 2. The adversary calculates and outputs some $\alpha' \in \mathbb{Z}_q$.
+> 1. The challenger chooses $\alpha \leftarrow \mathbb{Z} _ q$ and sends $u = g^\alpha$ to the adversary.
+> 2. The adversary calculates and outputs some $\alpha' \in \mathbb{Z} _ q$.
 > 
 > We define the **advantage in solving the discrete logarithm problem for $G$** as
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{DL}}[\mathcal{A}, G] = \Pr[\alpha = \alpha'].
+> \mathrm{Adv} _ {\mathrm{DL}}[\mathcal{A}, G] = \Pr[\alpha = \alpha'].
 > $$
 > 
-> We say that the **discrete logarithm (DL) assumption** holds for $G$ if for any efficient adversary $\mathcal{A}$, $\mathrm{Adv}_{\mathrm{DL}}[\mathcal{A}, G]$ is negligible.
+> We say that the **discrete logarithm (DL) assumption** holds for $G$ if for any efficient adversary $\mathcal{A}$, $\mathrm{Adv} _ {\mathrm{DL}}[\mathcal{A}, G]$ is negligible.
 
 So if we assume the DL assumption, it means that DL problem is **hard**. i.e, no efficient adversary can effectively solve the DL problem for $G$.
 
@@ -123,16 +123,16 @@ So if we assume the DL assumption, it means that DL problem is **hard**. i.e, no
 
 > **Definition.** Let $\mathcal{A}$ be a given adversary.
 > 
-> 1. The challenger chooses $\alpha, \beta \leftarrow \mathbb{Z}_q$ and sends $g^\alpha, g^\beta$ to the adversary.
+> 1. The challenger chooses $\alpha, \beta \leftarrow \mathbb{Z} _ q$ and sends $g^\alpha, g^\beta$ to the adversary.
 > 2. The adversary calculates and outputs some $w \in G$.
 > 
 > We define the **advantage in solving the computational Diffie-Hellman problem for $G$** as
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{CDH}}[\mathcal{A}, G] = \Pr[w = g^{\alpha\beta}].
+> \mathrm{Adv} _ {\mathrm{CDH}}[\mathcal{A}, G] = \Pr[w = g^{\alpha\beta}].
 > $$
 > 
-> We say that the **computational Diffie-Hellman (CDH) assumption** holds for $G$ if for any efficient adversary $\mathcal{A}$, $\mathrm{Adv}_{\mathrm{CDH}}[\mathcal{A}, G]$ is negligible.
+> We say that the **computational Diffie-Hellman (CDH) assumption** holds for $G$ if for any efficient adversary $\mathcal{A}$, $\mathrm{Adv} _ {\mathrm{CDH}}[\mathcal{A}, G]$ is negligible.
 
 An interesting property here is that given $(g^\alpha, g^\beta)$, it is hard to determine if $w$ is a solution to the problem. ($w \overset{?}{=} g^{\alpha\beta}$)
 
@@ -143,24 +143,24 @@ Since recognizing a solution to the CDH problem is hard, we have another assumpt
 > **Definition.** Let $\mathcal{A}$ be a given adversary. We define two experiments 0 and 1.
 > 
 > **Experiment $b$**.
-> 1. The challenger chooses $\alpha, \beta, \gamma \leftarrow \mathbb{Z}_q$ and computes the following.
+> 1. The challenger chooses $\alpha, \beta, \gamma \leftarrow \mathbb{Z} _ q$ and computes the following.
 > 
 > 	$$
-> 	u = g^\alpha, \quad v = g^\beta, \quad w_0 = g^{\alpha\beta}, \quad w_1 = g^\gamma.
+> 	u = g^\alpha, \quad v = g^\beta, \quad w _ 0 = g^{\alpha\beta}, \quad w _ 1 = g^\gamma.
 > 	$$
 > 
-> 2. The challenger sends the triple $(u, v, w_b)$ to the adversary.
+> 2. The challenger sends the triple $(u, v, w _ b)$ to the adversary.
 > 3. The adversary calculates and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
 > 
-> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. We define the **advantage in solving the decisional Diffie-Hellman problem for $G$** as
+> Let $W _ b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. We define the **advantage in solving the decisional Diffie-Hellman problem for $G$** as
 > 
 > $$
-> \mathrm{Adv}_{\mathrm{DDH}}[\mathcal{A}, G] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
+> \mathrm{Adv} _ {\mathrm{DDH}}[\mathcal{A}, G] = \left\lvert \Pr[W _ 0] - \Pr[W _ 1] \right\lvert.
 > $$
 > 
-> We say that the **decisional Diffie-Hellman (DDH) assumption** holds for $G$ if for any efficient adversary $\mathcal{A}$, $\mathrm{Adv}_{\mathrm{DDH}}[\mathcal{A}, G]$ is negligible.
+> We say that the **decisional Diffie-Hellman (DDH) assumption** holds for $G$ if for any efficient adversary $\mathcal{A}$, $\mathrm{Adv} _ {\mathrm{DDH}}[\mathcal{A}, G]$ is negligible.
 
-For $\alpha, \beta, \gamma \in \mathbb{Z}_q$, the triple $(g^\alpha, g^\beta, g^\gamma)$ is called a **DH-triple** if $\gamma = \alpha\beta$. So the assumption is saying that no efficient adversary can distinguish DH-triples from non DH-triples.
+For $\alpha, \beta, \gamma \in \mathbb{Z} _ q$, the triple $(g^\alpha, g^\beta, g^\gamma)$ is called a **DH-triple** if $\gamma = \alpha\beta$. So the assumption is saying that no efficient adversary can distinguish DH-triples from non DH-triples.
 
 ### Relations Between Problems
 
@@ -182,7 +182,7 @@ If we used the DL assumption and it turns out to be false, there will be an effi
 
 Suppose we want something like a secret group chat, where there are $N$ ($\geq 3$) people and they need to generate a shared secret key. It is known that $N$-party Diffie-Hellman is possible in $N-1$ rounds. Here's how it goes. The indices are all in modulo $N$.
 
-Each party $i$ chooses $\alpha_i \leftarrow \mathbb{Z}_q$, and computes $g^{\alpha_i}$. The parties communicate in a circular form, and passes the computed value to the $(i+1)$-th party. In the next round, the $i$-th party receives $g^{\alpha_{i-1}}$ and computes $g^{\alpha_{i-1}\alpha_i}$ and passes it to the next party. After $N-1$ rounds, all parties have the shared key $g^{\alpha_1\cdots\alpha_N}$.
+Each party $i$ chooses $\alpha _ i \leftarrow \mathbb{Z} _ q$, and computes $g^{\alpha _ i}$. The parties communicate in a circular form, and passes the computed value to the $(i+1)$-th party. In the next round, the $i$-th party receives $g^{\alpha _ {i-1}}$ and computes $g^{\alpha _ {i-1}\alpha _ i}$ and passes it to the next party. After $N-1$ rounds, all parties have the shared key $g^{\alpha _ 1\cdots\alpha _ N}$.
 
 Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many communications that the above algorithm requires. Researchers are looking for methods to generate a shared key in a single round. It has been solved for $N=3$ using bilinear pairings, but for $N \geq 4$ it is an open problem.
 
@@ -196,7 +196,7 @@ The adversary will impersonate Bob when communicating with Alice, and will do th
 
 ## Collision Resistance Based on DL Problem
 
-Suppose that the DL problem is hard on the group $G = \left\langle g \right\rangle$, with prime order $q$. Choose an element $h \in G$, and define a hash function $H : \mathbb{Z}_q \times \mathbb{Z}_q \rightarrow G$ as
+Suppose that the DL problem is hard on the group $G = \left\langle g \right\rangle$, with prime order $q$. Choose an element $h \in G$, and define a hash function $H : \mathbb{Z} _ q \times \mathbb{Z} _ q \rightarrow G$ as
 
 $$
 H(\alpha, \beta) = g^\alpha h^\beta.
@@ -215,19 +215,19 @@ The idea was to use *puzzles*, which are problems that can be solved with some e
 ![mc-07-merkle-puzzles.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-07-merkle-puzzles.png)
 
 > Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$.
-> 1. Alice chooses random pairs $(k_i, s_i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.
-> 2. Alice constructs $L$ puzzles, defined as a triple $(E(k_i, s_i), E(k_i, i), E(k_i, 0))$.
+> 1. Alice chooses random pairs $(k _ i, s _ i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.
+> 2. Alice constructs $L$ puzzles, defined as a triple $(E(k _ i, s _ i), E(k _ i, i), E(k _ i, 0))$.
 > 3. Alice randomly shuffles these puzzles and sends them to Bob.
-> 4. Bob picks a random puzzle $(c_1, c_2, c_3)$ and solves the puzzle by **brute force**, trying all $k \in \mathcal{K}$ until some $D(k, c_3) = 0$ is found.
+> 4. Bob picks a random puzzle $(c _ 1, c _ 2, c _ 3)$ and solves the puzzle by **brute force**, trying all $k \in \mathcal{K}$ until some $D(k, c _ 3) = 0$ is found.
 > 	- If Bob finds two different keys, he indicates Alice that the protocol failed and they start over.
-> 5. Bob computes $l = D(k, c_2)$ and $s = D(k, c_1)$, sends $l$ to Alice.
-> 6. Alice will locate the $l$-th puzzle and set $s = s_l$.
+> 5. Bob computes $l = D(k, c _ 2)$ and $s = D(k, c _ 1)$, sends $l$ to Alice.
+> 6. Alice will locate the $l$-th puzzle and set $s = s _ l$.
 
 If successful, Alice and Bob can agree on a secret message $s \in \mathcal{M}$. It can be seen that Alice has to do $\mathcal{O}(L)$, Bob has to do $\mathcal{O}(\left\lvert \mathcal{K} \right\lvert)$ amount of work.
 
 For block ciphers, we commonly set $\mathcal{K}$ large enough so that brute force attacks are infeasible. So for Merkle puzzles, we reduce the key space. For example, if we were to use AES-128 as $\mathcal{E}$, then we can set the first $96$ bits of the key as $0$. Then the search space would be reduced to $2^{32}$, which is feasible for Bob.
 
-Now consider the adversary who obtains all puzzles $P_i$ and the value $l$. To obtain the secret message $s_l$, adversary has to locate the puzzle $P_l$. But since the puzzles are in random order, the adversary has to solve all puzzles until he finds $P_l$. Thus, the adversary must spend time $\mathcal{O}(L\left\lvert \mathcal{K} \right\lvert)$ to obtain $s$. So we have a quadratic gap here.
+Now consider the adversary who obtains all puzzles $P _ i$ and the value $l$. To obtain the secret message $s _ l$, adversary has to locate the puzzle $P _ l$. But since the puzzles are in random order, the adversary has to solve all puzzles until he finds $P _ l$. Thus, the adversary must spend time $\mathcal{O}(L\left\lvert \mathcal{K} \right\lvert)$ to obtain $s$. So we have a quadratic gap here.
 
 ### Performance Issues
 
@@ -241,5 +241,5 @@ It is unknown whether we can get a better gap (than quadratic) using a general s
 
 To get exponential gaps, we need number theory.
 
-[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z}_p^\ast$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group.
+[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z} _ p^\ast$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group.
 [^2]: R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the Symposium on Theory of Computing (STOC), pages 44–61, 1989.

_posts/lecture-notes/modern-cryptography/2023-10-05-number-theory.md

@@ -22,15 +22,15 @@ github_title: 2023-10-05-number-theory
 
 Let $n$ be a positive integer and let $p$ be prime.
 
-> **Notation.** Let $\mathbb{Z}$ denote the set of integers. We will write $\mathbb{Z}_n = \left\lbrace 0, 1, \dots, n - 1 \right\rbrace$.
+> **Notation.** Let $\mathbb{Z}$ denote the set of integers. We will write $\mathbb{Z} _ n = \left\lbrace 0, 1, \dots, n - 1 \right\rbrace$.
 
 > **Definition.** Let $x, y \in \mathbb{Z}$. $\gcd(x, y)$ is the **greatest common divisor** of $x, y$. $x$ and $y$ are relatively prime if $\gcd(x, y) = 1$.
 
-> **Definition.** The **multiplicative inverse** of $x \in \mathbb{Z}_n$ is an element $y \in \mathbb{Z}_n$ such that $xy = 1$ in $\mathbb{Z}_n$.
+> **Definition.** The **multiplicative inverse** of $x \in \mathbb{Z} _ n$ is an element $y \in \mathbb{Z} _ n$ such that $xy = 1$ in $\mathbb{Z} _ n$.
 
-> **Lemma.** $x \in \mathbb{Z}_n$ has a multiplicative inverse if and only if $\gcd(x, n) = 1$.
+> **Lemma.** $x \in \mathbb{Z} _ n$ has a multiplicative inverse if and only if $\gcd(x, n) = 1$.
 
-> **Definition.** $\mathbb{Z}_n^\ast$ is the set of invertible elements in $\mathbb{Z}_n$. i.e, $\mathbb{Z}_n^\ast = \left\lbrace x \in \mathbb{Z}_n : \gcd(x, n) = 1 \right\rbrace$.
+> **Definition.** $\mathbb{Z} _ n^\ast$ is the set of invertible elements in $\mathbb{Z} _ n$. i.e, $\mathbb{Z} _ n^\ast = \left\lbrace x \in \mathbb{Z} _ n : \gcd(x, n) = 1 \right\rbrace$.
 
 > **Lemma.** (Extended Euclidean Algorithm) For $x, y \in \mathbb{Z}$, there exists $a, b \in \mathbb{Z}$ such that $ax + by = \gcd(x, y)$.
 
@@ -58,21 +58,21 @@ Let $G$ be a group.
 
 > **Definition.** $G$ is **cyclic** if there exists $g \in G$ such that $G = \left\langle g \right\rangle$.
 
-> **Theorem.** $\mathbb{Z}_p^\ast$ is cyclic.
+> **Theorem.** $\mathbb{Z} _ p^\ast$ is cyclic.
 
-*Proof*. $\mathbb{Z}_p$ is a finite field, so $\mathbb{Z}_p^\ast = \mathbb{Z}_p \setminus \left\lbrace 0 \right\rbrace$ is cyclic.
+*Proof*. $\mathbb{Z} _ p$ is a finite field, so $\mathbb{Z} _ p^\ast = \mathbb{Z} _ p \setminus \left\lbrace 0 \right\rbrace$ is cyclic.
 
 > **Theorem.** If $G$ is a finite group, then $g^{\left\lvert G \right\lvert} = 1$ for all $g \in G$. i.e, $\left\lvert g \right\lvert \mid \left\lvert G \right\lvert$.
 
 *Proof*. Consider $\left\langle g \right\rangle \leq G$, then the result follows from Lagrange's theorem.
 
-> **Corollary.** (Fermat's Little Theorem) If $x \in \mathbb{Z}_p^\ast$, $x^{p-1} = 1$.
+> **Corollary.** (Fermat's Little Theorem) If $x \in \mathbb{Z} _ p^\ast$, $x^{p-1} = 1$.
 
-*Proof*. $\mathbb{Z}_p^\ast$ has $p-1$ elements.
+*Proof*. $\mathbb{Z} _ p^\ast$ has $p-1$ elements.
 
-> **Corollary.** (Euler's Generalization) If $x \in \mathbb{Z}_n^\ast$, $x^{\phi(n)} = 1$.
+> **Corollary.** (Euler's Generalization) If $x \in \mathbb{Z} _ n^\ast$, $x^{\phi(n)} = 1$.
 
-*Proof*. $\mathbb{Z}_n^\ast$ has $\phi(n)$ elements, where $\phi(n)$ is the Euler's totient function.
+*Proof*. $\mathbb{Z} _ n^\ast$ has $\phi(n)$ elements, where $\phi(n)$ is the Euler's totient function.
 
 ---
 
@@ -82,7 +82,7 @@ There are group-specific algorithms that exploit the algebraic features of the g
 
 ## Baby Step Giant Step Method (BSGS)
 
-Let $G = \left\langle g \right\rangle$, where $g \in G$ has order $q$. $q$ need not be prime for this method. We are given $u = g^\alpha$, $g$, and $q$. Our task is to find $\alpha \in \mathbb{Z}_q$.
+Let $G = \left\langle g \right\rangle$, where $g \in G$ has order $q$. $q$ need not be prime for this method. We are given $u = g^\alpha$, $g$, and $q$. Our task is to find $\alpha \in \mathbb{Z} _ q$.
 
 Set $m = \left\lceil \sqrt{q} \right\rceil$. $\alpha$ is currently unknown, but by the division algorithm, there exists integers $i,j$ such that $\alpha = i \cdot m + j$ and $0\leq i, j < m$. Then $u = g^\alpha = g^{i\cdot m + j} = g^{im} \cdot g^j$. Therefore,
 
@@ -108,35 +108,35 @@ Let $G$ be a cyclic group of composite order $n$. First, we start with a simple
 
 Let $G = \left\langle g \right\rangle$ be a cyclic group of order $q^e$.[^1] ($q > 1$, $e \geq 1$) We are given $g,q, e$ and $u = g^\alpha$ and we will find $\alpha$. ($0 \leq \alpha < q^e)$
 
-For each $f = 0, \dots, e$, define $g_f = g^{(q^f)}$. Then
+For each $f = 0, \dots, e$, define $g _ f = g^{(q^f)}$. Then
 
 $$
-(g_f)^{(q^{e-f})} = g^{(q^f) \cdot (q^{e-f})} = g^{(q^e)} = 1.
+(g _ f)^{(q^{e-f})} = g^{(q^f) \cdot (q^{e-f})} = g^{(q^e)} = 1.
 $$
 
-So $g_f$ generates a cyclic subgroup of order $q^{e-f}$. In particular, $g_{e-1}$ generates a cyclic subgroup of order $q$. Using this fact, we will reduce the given problem into a discrete logarithm problem on a group having smaller order $q$.
+So $g _ f$ generates a cyclic subgroup of order $q^{e-f}$. In particular, $g _ {e-1}$ generates a cyclic subgroup of order $q$. Using this fact, we will reduce the given problem into a discrete logarithm problem on a group having smaller order $q$.
 
-We proceed with recursion on $e$. If $e = 1$, then $\alpha \in \mathbb{Z}_q$, so we have nothing to do. Suppose $e > 1$. Choose $f$ so that $1 \leq f \leq e-1$. We can write $\alpha = i\cdot q^f + j$, where $0 \leq i < q^{e-f}$ and $0 \leq j < g^f$. Then
+We proceed with recursion on $e$. If $e = 1$, then $\alpha \in \mathbb{Z} _ q$, so we have nothing to do. Suppose $e > 1$. Choose $f$ so that $1 \leq f \leq e-1$. We can write $\alpha = i\cdot q^f + j$, where $0 \leq i < q^{e-f}$ and $0 \leq j < g^f$. Then
 
 $$
-u = g^\alpha = g^{i \cdot q^f + j} = (g_f)^i \cdot g^j.
+u = g^\alpha = g^{i \cdot q^f + j} = (g _ f)^i \cdot g^j.
 $$
 
-Since $g_f$ has order $q^{e-f}$, exponentiate both sides by $q^{e-f}$ to get
+Since $g _ f$ has order $q^{e-f}$, exponentiate both sides by $q^{e-f}$ to get
 
 $$
-u^{(q^{e-f})} = (g_f)^{q^{e-f} \cdot i} \cdot g^{q^{e-f} \cdot j} = (g_{e-f})^j.
+u^{(q^{e-f})} = (g _ f)^{q^{e-f} \cdot i} \cdot g^{q^{e-f} \cdot j} = (g _ {e-f})^j.
 $$
 
-Now the problem has been reduced to a discrete logarithm problem with base $g_{e-f}$, which has order $q^f$. We can compute $j$ using algorithms for discrete logarithms.
+Now the problem has been reduced to a discrete logarithm problem with base $g _ {e-f}$, which has order $q^f$. We can compute $j$ using algorithms for discrete logarithms.
 
 After finding $j$, we have
 
 $$
-u/g^j = (g_f)^i
+u/g^j = (g _ f)^i
 $$
 
-which is also a discrete logarithm problem with base $g_f$, which has order $q^{e-f}$. We can compute $i$ that satisfies this equation. Finally, we can compute $\alpha = i \cdot q^f + j$. We have reduced a discrete logarithm problem into two smaller discrete logarithm problems.
+which is also a discrete logarithm problem with base $g _ f$, which has order $q^{e-f}$. We can compute $i$ that satisfies this equation. Finally, we can compute $\alpha = i \cdot q^f + j$. We have reduced a discrete logarithm problem into two smaller discrete logarithm problems.
 
 To get the best running time, choose $f \approx e/2$. Let $T(e)$ be the running time, then
 
@@ -147,23 +147,23 @@ $$
 The $\mathcal{O}(e\log q)$ term comes from exponentiating both sides by $q^{e-f}$. Solving this recurrence gives
 
 $$
-T(e) = \mathcal{O}(e \cdot T_{\mathrm{base}} + e\log e \log q),
+T(e) = \mathcal{O}(e \cdot T _ {\mathrm{base}} + e\log e \log q),
 $$
 
-where $T_\mathrm{base}$ is the complexity of the algorithm for the base case $e = 1$. $T_\mathrm{base}$ is usually the dominant term, since the best known algorithm takes $\mathcal{O}(\sqrt{q})$.
+where $T _ \mathrm{base}$ is the complexity of the algorithm for the base case $e = 1$. $T _ \mathrm{base}$ is usually the dominant term, since the best known algorithm takes $\mathcal{O}(\sqrt{q})$.
 
 Thus, computing the discrete logarithm in $G$ is only as hard as computing it in the subgroup of prime order.
 
 ### General Case: Pohlig-Hellman Algorithm
 
-Let $G = \left\langle g \right\rangle$ be a cyclic group of order $n = q_1^{e_1}\cdots q_r^{e_r}$, where the factorization of $n$ into distinct primes $q_i$ is given. We want to find $\alpha$ such that $g^\alpha = u$.
+Let $G = \left\langle g \right\rangle$ be a cyclic group of order $n = q _ 1^{e _ 1}\cdots q _ r^{e _ r}$, where the factorization of $n$ into distinct primes $q _ i$ is given. We want to find $\alpha$ such that $g^\alpha = u$.
 
-For $i = 1, \dots, r$, define $q_i^\ast = n / q_i^{e_i}$. Then $u^{q_i^\ast} = (g^{q_i^\ast})^\alpha$, where $g^{q_i^\ast}$ will have order $q_i^{e_i}$ in $G$. Now compute $\alpha_i$ using the algorithm for the prime power case.
+For $i = 1, \dots, r$, define $q _ i^\ast = n / q _ i^{e _ i}$. Then $u^{q _ i^\ast} = (g^{q _ i^\ast})^\alpha$, where $g^{q _ i^\ast}$ will have order $q _ i^{e _ i}$ in $G$. Now compute $\alpha _ i$ using the algorithm for the prime power case.
 
-Then for all $i$, we have $\alpha \equiv \alpha_i \pmod{q_i^{e_i}}$. We can now use the Chinese remainder theorem to recover $\alpha$. Let $q_r$ be the largest prime, then the running time is bounded by
+Then for all $i$, we have $\alpha \equiv \alpha _ i \pmod{q _ i^{e _ i}}$. We can now use the Chinese remainder theorem to recover $\alpha$. Let $q _ r$ be the largest prime, then the running time is bounded by
 
 $$
-\sum_{i=1}^r \mathcal{O}(e_i T(q_i) + e_i \log e_i \log q_i) = \mathcal{O}(T(q_r) \log n + \log n \log \log n)
+\sum _ {i=1}^r \mathcal{O}(e _ i T(q _ i) + e _ i \log e _ i \log q _ i) = \mathcal{O}(T(q _ r) \log n + \log n \log \log n)
 $$
 
 group operations. Thus, we can conclude the following.
@@ -173,17 +173,17 @@ group operations. Thus, we can conclude the following.
 ### Consequences
 
 - For a group with order $n = 2^k$, the Pohlig-Hellman algorithm will easily compute the discrete logarithm, since the largest prime factor is $2$. The DL assumption is false for this group.
-- For primes of the form $p = 2^k + 1$, the group $\mathbb{Z}_p^\ast$ has order $2^k$, so the DL assumption is also false for these primes.
+- For primes of the form $p = 2^k + 1$, the group $\mathbb{Z} _ p^\ast$ has order $2^k$, so the DL assumption is also false for these primes.
 - In general, $G$ must have at least one large prime factor for the DL assumption to be true.
 - By the Pohlig-Hellman algorithm, discrete logarithms in groups of composite order is a little harder than groups of prime order. So we often use a prime order group.
 
 ## Information Leakage in Groups of Composite Order
 
-Let $G = \left\langle g \right\rangle$ be a cyclic group of composite order $n$. We suppose that $n = n_1n_2$, where $n_1$ is a small prime factor.
+Let $G = \left\langle g \right\rangle$ be a cyclic group of composite order $n$. We suppose that $n = n _ 1n _ 2$, where $n _ 1$ is a small prime factor.
 
-By the Pohlig-Hellman algorithm, the adversary can compute $\alpha_1 \equiv \alpha \pmod {n_1}$ by computing the discrete logarithm of $u^{n_2}$ with base $g^{n_2}$.
+By the Pohlig-Hellman algorithm, the adversary can compute $\alpha _ 1 \equiv \alpha \pmod {n _ 1}$ by computing the discrete logarithm of $u^{n _ 2}$ with base $g^{n _ 2}$.
 
-Consider $n_1 = 2$. Then the adversary knows whether $\alpha$ is even or not.
+Consider $n _ 1 = 2$. Then the adversary knows whether $\alpha$ is even or not.
 
 > **Lemma.** $\alpha$ is even if and only if $u^{n/2} = 1$.
 
@@ -191,7 +191,7 @@ Consider $n_1 = 2$. Then the adversary knows whether $\alpha$ is even or not.
 
 This lemma can be used to break the DDH assumption.
 
-> **Lemma.** Given $u = g^\alpha$ and $v = g^\beta$, $\alpha\beta \in \mathbb{Z}_n$ is even if and only if $u^{n/2} = 1$ or $v^{n/2} = 1$.
+> **Lemma.** Given $u = g^\alpha$ and $v = g^\beta$, $\alpha\beta \in \mathbb{Z} _ n$ is even if and only if $u^{n/2} = 1$ or $v^{n/2} = 1$.
 
 *Proof*. $\alpha\beta$ is even if and only if either $\alpha$ or $\beta$ is even. By the above lemma, this is equivalent to $u^{n/2} = 1$ or $v^{n/2} = 1$.
 
@@ -205,15 +205,15 @@ If $\gamma$ was chosen uniformly, then the adversary wins with probability $1/2$
 
 The above process can be generalized to any groups with small prime factor. See Exercise 16.2[^2] Thus, this is another reason we use groups of prime order.
 
-- DDH assumption does not hold in $\mathbb{Z}_p^\ast$, since its order $p-1$ is always even.
-- Instead, we use a prime order subgroup of $\mathbb{Z}_p^\ast$ or prime order elliptic curve group.
+- DDH assumption does not hold in $\mathbb{Z} _ p^\ast$, since its order $p-1$ is always even.
+- Instead, we use a prime order subgroup of $\mathbb{Z} _ p^\ast$ or prime order elliptic curve group.
 
 ## Summary of Discrete Logarithm Algorithms
 
 |Name|Time Complexity|Space Complexity|
 |:-:|:-:|:-:|
 |BSGS|$\mathcal{O}(\sqrt{q})$|$\mathcal{O}(\sqrt{q})$|
-|Pohlig-Hellman|$\mathcal{O}(\sqrt{q_\mathrm{max}}$|$\mathcal{O}(1)$|
+|Pohlig-Hellman|$\mathcal{O}(\sqrt{q _ \mathrm{max}}$|$\mathcal{O}(1)$|
 |Pollard's Rho|$\mathcal{O}(\sqrt{q})$|$\mathcal{O}(1)$|
 
 - In generic groups, solving the DLP requires $\Omega(\sqrt{q})$ operations.
@@ -222,14 +222,14 @@ The above process can be generalized to any groups with small prime factor. See
 
 ## Candidates of Discrete Logarithm Groups
 
-We need groups of order prime, and we cannot use $\mathbb{Z}_p^\ast$ as itself. We have two candidates.
+We need groups of order prime, and we cannot use $\mathbb{Z} _ p^\ast$ as itself. We have two candidates.
 
-- Use a subgroup of $\mathbb{Z}_p^\ast$ having prime order $q$ such that $q \mid (p-1)$ as in Diffie-Hellman.
+- Use a subgroup of $\mathbb{Z} _ p^\ast$ having prime order $q$ such that $q \mid (p-1)$ as in Diffie-Hellman.
 - Elliptic curve group modulo $p$.
 
-### Reduced Residue Class $\mathbb{Z}_p^\ast$
+### Reduced Residue Class $\mathbb{Z} _ p^\ast$
 
-There are many specific algorithms for discrete logarithms on $\mathbb{Z}_p^\ast$.
+There are many specific algorithms for discrete logarithms on $\mathbb{Z} _ p^\ast$.
 
 - Index-calculus
 - Elliptic-curve method
@@ -248,9 +248,9 @@ Compare this with symmetric ciphers such as AES, where doubling the key size squ
 
 All sizes are in bits. Thus we need a very large prime, for example $p > 2^{2048}$, for security these days.
 
-### Elliptic Curve Group over $\mathbb{Z}_p$
+### Elliptic Curve Group over $\mathbb{Z} _ p$
 
-Currently, the best-known attacks are generic attacks, so we can use much smaller parameters than $\mathbb{Z}_p^\ast$. Often the groups have sizes about $2^{256}$, $2^{384}$, $2^{512}$.
+Currently, the best-known attacks are generic attacks, so we can use much smaller parameters than $\mathbb{Z} _ p^\ast$. Often the groups have sizes about $2^{256}$, $2^{384}$, $2^{512}$.
 
 [^1]: We didn't require $q$ to be prime!
 [^2]: A Graduate Course in Applied Cryptography

_posts/lecture-notes/modern-cryptography/2023-10-19-public-key-encryption.md

@@ -51,39 +51,39 @@ The following notion of security is only for an eavesdropping adversary.
 >
 > **Experiment** $b$.
 > 1. The challenger computes $(pk, sk) \la G()$ and sends $pk$ to the adversary.
-> 2. The adversary chooses $m_0, m_1 \in \mc{M}$ of the same length, and sends them to the challenger.
-> 3. The challenger computes $c \la E(pk, m_b)$ and sends $c$ to the adversary.
+> 2. The adversary chooses $m _ 0, m _ 1 \in \mc{M}$ of the same length, and sends them to the challenger.
+> 3. The challenger computes $c \la E(pk, m _ b)$ and sends $c$ to the adversary.
 > 4. $\mc{A}$ outputs a bit $b' \in \braces{0, 1}$.
 >
-> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. The **advantage** of $\mc{A}$ with respect to $\mc{E}$ is defined as
+> Let $W _ b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. The **advantage** of $\mc{A}$ with respect to $\mc{E}$ is defined as
 >
 > $$
-> \Adv[SS]{\mc{A}, \mc{E}} = \abs{\Pr[W_0] - \Pr[W_1]}.
+> \Adv[SS]{\mc{A}, \mc{E}} = \abs{\Pr[W _ 0] - \Pr[W _ 1]}.
 > $$
 >
-> $\mc{E}$ is **semantically secure** if $\rm{Adv}_{\rm{SS}}[\mc{A}, \mc{E}]$ is negligible for any efficient $\mc{A}$.
+> $\mc{E}$ is **semantically secure** if $\rm{Adv} _ {\rm{SS}}[\mc{A}, \mc{E}]$ is negligible for any efficient $\mc{A}$.
 
-Note that $pk$ is sent to the adversary, and adversary can encrypt any message! Thus, encryption must be randomized. Otherwise, the adversary can compute $E(pk, m_b)$ for each $b$ and compare with $c$ given from the challenger.
+Note that $pk$ is sent to the adversary, and adversary can encrypt any message! Thus, encryption must be randomized. Otherwise, the adversary can compute $E(pk, m _ b)$ for each $b$ and compare with $c$ given from the challenger.
 
 ### Semantic Security $\implies$ CPA
 
 For symmetric ciphers, semantic security (one-time) did not guarantee CPA security (many-time). But in public key encryption, semantic security implies CPA security. This is because *the attacker can encrypt any message using the public key*.
 
-First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](./2023-09-19-symmetric-key-encryption.md#cpa-security).
+First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](../2023-09-19-symmetric-key-encryption/#cpa-security).
 
 > **Definition.** For a given public-key encryption scheme $\mc{E} = (G, E, D)$ defined over $(\mc{M}, \mc{C})$ and given an adversary $\mc{A}$, define experiments 0 and 1.
 >
 > **Experiment $b$.**
 > 1. The challenger computes $(pk, sk) \la G()$ and sends $pk$ to the adversary.
 > 2. The adversary submits a sequence of queries to the challenger:
-> 	- The $i$-th query is a pair of messages $m_{i, 0}, m_{i, 1} \in \mc{M}$ of the same length.
-> 3. The challenger computes $c_i = E(pk, m_{i, b})$ and sends $c_i$ to the adversary.
+> 	- The $i$-th query is a pair of messages $m _ {i, 0}, m _ {i, 1} \in \mc{M}$ of the same length.
+> 3. The challenger computes $c _ i = E(pk, m _ {i, b})$ and sends $c _ i$ to the adversary.
 > 4. The adversary computes and outputs a bit $b' \in \braces{0, 1}$.
 >
-> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mc{E}$** is defined as
+> Let $W _ b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mc{E}$** is defined as
 >
 > $$
-> \Adv[CPA]{\mc{A}, \mc{E}} = \abs{\Pr[W_0] - \Pr[W_1]}.
+> \Adv[CPA]{\mc{A}, \mc{E}} = \abs{\Pr[W _ 0] - \Pr[W _ 1]}.
 > $$
 >
 > If the CPA advantage is negligible for all efficient adversaries $\mc{A}$, then $\mc{E}$ is **semantically secure against chosen plaintext attack**, or simply **CPA secure**.
@@ -95,71 +95,71 @@ We formally prove the following theorem.
 > For any $q$-query CPA adversary $\mc{A}$, there exists an SS adversary $\mc{B}$ such that
 >
 > $$
-> \rm{Adv}_{\rm{CPA}}[\mc{A}, \mc{E}] = q \cdot \rm{Adv}_{\rm{SS}}[\mc{B}, \mc{E}].
+> \rm{Adv} _ {\rm{CPA}}[\mc{A}, \mc{E}] = q \cdot \rm{Adv} _ {\rm{SS}}[\mc{B}, \mc{E}].
 > $$
 
 *Proof*. The proof uses a hybrid argument. For $j = 0, \dots, q$, the *hybrid game* $j$ is played between $\mc{A}$ and a challenger that responds to the $q$ queries as follows:
 
-- On the $i$-th query $(m_{i,0}, m_{i, 1})$, respond with $c_i$ where
-	- $c_i \la E(pk, m_{i, 1})$ if $i \leq j$.
-	- $c_i \la E(pk, m_{i, 0})$ otherwise.
+- On the $i$-th query $(m _ {i,0}, m _ {i, 1})$, respond with $c _ i$ where
+	- $c _ i \la E(pk, m _ {i, 1})$ if $i \leq j$.
+	- $c _ i \la E(pk, m _ {i, 0})$ otherwise.
 
-So, the challenger in hybrid game $j$ encrypts $m_{i, 1}$ in the first $j$ queries, and encrypts $m_{i, 0}$ for the rest of the queries. If we define $p_j$ to be the probability that $\mc{A}$ outputs $1$ in hybrid game $j$, we have
+So, the challenger in hybrid game $j$ encrypts $m _ {i, 1}$ in the first $j$ queries, and encrypts $m _ {i, 0}$ for the rest of the queries. If we define $p _ j$ to be the probability that $\mc{A}$ outputs $1$ in hybrid game $j$, we have
 
 $$
-\Adv[CPA]{\mc{A}, \mc{E}} = \abs{p_q - p_0}
+\Adv[CPA]{\mc{A}, \mc{E}} = \abs{p _ q - p _ 0}
 $$
 
 since hybrid $q$ is precisely experiment $1$, hybrid $0$ is experiment $0$. With $\mc{A}$, we define $\mc{B}$ as follows.
 
 1. $\mc{B}$ randomly chooses $\omega \la \braces{1, \dots, q}$.
 2. $\mc{B}$ obtains $pk$ from the challenger, and forwards it to $\mc{A}$.
-3. For the $i$-th query $(m_{i, 0}, m_{i, 1})$ from $\mc{A}$, $\mc{B}$ responds as follows.
-	- If $i < \omega$, $c \la E(pk, m_{i, 1})$.
+3. For the $i$-th query $(m _ {i, 0}, m _ {i, 1})$ from $\mc{A}$, $\mc{B}$ responds as follows.
+	- If $i < \omega$, $c \la E(pk, m _ {i, 1})$.
 	- If $i = \omega$, forward query to the challenger and forward its response to $\mc{A}$.
-	- Otherwise, $c_i \la E(pk, m_{i, 0})$.
+	- Otherwise, $c _ i \la E(pk, m _ {i, 0})$.
 4. $\mc{B}$ outputs whatever $\mc{A}$ outputs.
 
-Note that $\mc{B}$ can encrypt queries on its own, since the public key is given. Define $W_b$ as the event that $\mc{B}$ outputs $1$ in experiment $b$ in the semantic security game. For $j = 1, \dots, q$, we have that
+Note that $\mc{B}$ can encrypt queries on its own, since the public key is given. Define $W _ b$ as the event that $\mc{B}$ outputs $1$ in experiment $b$ in the semantic security game. For $j = 1, \dots, q$, we have that
 
 $$
-\Pr[W_0 \mid \omega = j] = p_{j - 1}, \quad \Pr[W_1 \mid \omega = j] = p_j.
+\Pr[W _ 0 \mid \omega = j] = p _ {j - 1}, \quad \Pr[W _ 1 \mid \omega = j] = p _ j.
 $$
 
-In experiment $0$ with $\omega = j$, $\mc{A}$ receives encryptions of $m_{i, 1}$ in the first $j - 1$ queries and receives encryptions of $m_{i, 1}$ for the rest of the queries. The second equation follows similarly.
+In experiment $0$ with $\omega = j$, $\mc{A}$ receives encryptions of $m _ {i, 1}$ in the first $j - 1$ queries and receives encryptions of $m _ {i, 1}$ for the rest of the queries. The second equation follows similarly.
 
 Then the SS advantage can be calculated as
 
 $$
 \begin{aligned}
-\Adv[SS]{\mc{B}, \mc{E}} &= \abs{\Pr[W_0] - \Pr[W_1]} \\
-&= \frac{1}{q} \abs{\sum_{j=1}^q \Pr[W_0 \mid \omega = j] - \sum_{j = 1}^q \Pr[W_1 \mid \omega = j]} \\
-&= \frac{1}{q} \abs{\sum_{j=1}^q (p_{j-1} - p_j)} \\
+\Adv[SS]{\mc{B}, \mc{E}} &= \abs{\Pr[W _ 0] - \Pr[W _ 1]} \\
+&= \frac{1}{q} \abs{\sum _ {j=1}^q \Pr[W _ 0 \mid \omega = j] - \sum _ {j = 1}^q \Pr[W _ 1 \mid \omega = j]} \\
+&= \frac{1}{q} \abs{\sum _ {j=1}^q (p _ {j-1} - p _ j)} \\
 &= \frac{1}{q} \Adv[CPA]{\mc{A}, \mc{E}}.
 \end{aligned}
 $$
 
 ## CCA Security for Public Key Encryption
 
-We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](./2023-09-26-cca-security-authenticated-encryption.md#cca-security).
+We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](../2023-09-26-cca-security-authenticated-encryption/#cca-security).
 
 > **Definition.** Let $\mc{E} = (G, E, D)$ be a public-key encryption scheme over $(\mc{M}, \mc{C})$. Given an adversary $\mc{A}$, define experiments $0$ and $1$.
 >
 > **Experiment $b$.**
 > 1. The challenger computes $(pk, sk) \la G()$ and sends $pk$ to the adversary.
 > 2. $\mc{A}$ makes a series of queries to the challenger, which is one of the following two types.
-> 	- *Encryption*: Send $(m_{i_,0}, m_{i, 1})$ and receive $c'_i \la E(pk, m_{i, b})$.
-> 	- *Decryption*: Send $c_i$ and receive $m'_i \la D(sk, c_i)$.
-> 	- Note that $\mc{A}$ is not allowed to make a decryption query for any $c_i'$.
-> 3. $\mc{A}$ outputs a pair of messages $(m_0^\ast , m_1^\ast)$.
-> 4. The challenger generates $c^\ast \la E(pk, m_b^\ast)$ and gives it to $\mc{A}$.
+> 	- *Encryption*: Send $(m _ {i _ ,0}, m _ {i, 1})$ and receive $c' _ i \la E(pk, m _ {i, b})$.
+> 	- *Decryption*: Send $c _ i$ and receive $m' _ i \la D(sk, c _ i)$.
+> 	- Note that $\mc{A}$ is not allowed to make a decryption query for any $c _ i'$.
+> 3. $\mc{A}$ outputs a pair of messages $(m _ 0^\ast , m _ 1^\ast)$.
+> 4. The challenger generates $c^\ast \la E(pk, m _ b^\ast)$ and gives it to $\mc{A}$.
 > 5. $\mc{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^\ast$.
 > 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
 >
-> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mc{E}$** is defined as
+> Let $W _ b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mc{E}$** is defined as
 >
 > $$
-> \rm{Adv}_{\rm{CCA}}[\mc{A}, \mc{E}] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
+> \rm{Adv} _ {\rm{CCA}}[\mc{A}, \mc{E}] = \left\lvert \Pr[W _ 0] - \Pr[W _ 1] \right\lvert.
 > $$
 >
 > If the CCA advantage is negligible for all efficient adversaries $\mc{A}$, then $\mc{E}$ is **semantically secure against a chosen ciphertext attack**, or simply **CCA secure**.
@@ -176,7 +176,7 @@ Similarly, 1CCA security implies CCA security, as in the above theorem. So to sh
 
 ### Active Adversaries in Symmetric vs Public Key
 
-In symmetric key encryption, we studied [authenticated encryption (AE)](./2023-09-26-cca-security-authenticated-encryption.md#authenticated-encryption-(ae)), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
+In symmetric key encryption, we studied [authenticated encryption (AE)](../2023-09-26-cca-security-authenticated-encryption/#authenticated-encryption-(ae)), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
 
 However in public-key schemes, adversaries can always create new ciphertexts using the public key, which makes the original definition of ciphertext integrity unusable. Thus we directly require CCA security.
 
@@ -187,24 +187,24 @@ Symmetric key encryptions are significantly faster than public key encryption, s
 Generate $(pk, sk)$ for the public key encryption, and generate a symmetric key $k$. For the message $m$, encrypt it as
 
 $$
-(c, c_S) \la \big( E(pk, k), E_S(k, m) \big)
+(c, c _ S) \la \big( E(pk, k), E _ S(k, m) \big)
 $$
 
-where $E_S$ is the symmetric encryption algorithm, $E$ is the public-key encryption algorithm. The receiver decrypts $c$ and recovers $k$ that can be used for decrypting $c_S$. This is a form of **hybrid encryption**. We are *encapsulating* the key $k$ inside a ciphertext, so we call this **key encapsulation mechanism** (KEM).
+where $E _ S$ is the symmetric encryption algorithm, $E$ is the public-key encryption algorithm. The receiver decrypts $c$ and recovers $k$ that can be used for decrypting $c _ S$. This is a form of **hybrid encryption**. We are *encapsulating* the key $k$ inside a ciphertext, so we call this **key encapsulation mechanism** (KEM).
 
 We can use public-key schemes for KEM, but there are dedicated constructions for KEM which are more efficient. The dedicated algorithms does the key generation and encryption in one-shot.
 
-> **Definition.** A KEM $\mc{E}_\rm{KEM}$ consists of a triple of algorithms $(G, E_\rm{KEM}, D_\rm{KEM})$.
+> **Definition.** A KEM $\mc{E} _ \rm{KEM}$ consists of a triple of algorithms $(G, E _ \rm{KEM}, D _ \rm{KEM})$.
 >
 > - The key generation algorithm generates $(pk, sk) \la G()$.
-> - The encapsulation algorithm generates $(k, c_\rm{KEM}) \la E_\rm{KEM}(pk)$.
-> - The decapsulation algorithm generates $k \la D_\rm{KEM}(sk, c_\rm{KEM})$.
+> - The encapsulation algorithm generates $(k, c _ \rm{KEM}) \la E _ \rm{KEM}(pk)$.
+> - The decapsulation algorithm generates $k \la D _ \rm{KEM}(sk, c _ \rm{KEM})$.
 
-Note that $E_\rm{KEM}$ only takes the public key as a parameter. The correctness condition is that for any $(pk, sk) \la G()$ and any $(k, c_\rm{KEM}) \la E_\rm{KEM}(pk)$, we must have $k \la D_\rm{KEM}(sk, c_\rm{KEM})$.
+Note that $E _ \rm{KEM}$ only takes the public key as a parameter. The correctness condition is that for any $(pk, sk) \la G()$ and any $(k, c _ \rm{KEM}) \la E _ \rm{KEM}(pk)$, we must have $k \la D _ \rm{KEM}(sk, c _ \rm{KEM})$.
 
 Using the KEM, the symmetric key is automatically encapsulated during encryption process.
 
-> **Definition.** A KEM scheme is secure if any efficient adversary cannot distinguish between $(c_\rm{KEM}, k_0)$ and $(c_\rm{KEM}, k_1)$, where $k_0$ is generated by $E(pk)$, and $k_1$ is chosen randomly from $\mc{K}$.
+> **Definition.** A KEM scheme is secure if any efficient adversary cannot distinguish between $(c _ \rm{KEM}, k _ 0)$ and $(c _ \rm{KEM}, k _ 1)$, where $k _ 0$ is generated by $E(pk)$, and $k _ 1$ is chosen randomly from $\mc{K}$.
 
 Read more about this in Exercise 11.9.[^1]
 
@@ -212,57 +212,57 @@ Read more about this in Exercise 11.9.[^1]
 
 We introduce a public-key encryption scheme based on the hardness of discrete logarithms.
 
-> **Definition.** Suppose we have two parties Alice and Bob. Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $\mc{E}_S = (E_S, D_S)$ be a symmetric cipher.
+> **Definition.** Suppose we have two parties Alice and Bob. Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $\mc{E} _ S = (E _ S, D _ S)$ be a symmetric cipher.
 >
-> 1. Alice chooses $sk = \alpha \la \Z_q$, computes $pk = g^\alpha$ and sends $pk$ to Bob.
-> 2. Bob also chooses $\beta \la \Z_q$ and computes $k = h^\beta = g^{\alpha\beta}$.
-> 3. Bob sends $\big( g^\beta, E_S(k, m) \big)$ to Alice.
-> 4. Alice computes $k = g^{\alpha\beta} = (g^\beta)^\alpha$ using $\alpha$ and recovers $m$ by decrypting $E_S(k, m)$.
+> 1. Alice chooses $sk = \alpha \la \Z _ q$, computes $pk = g^\alpha$ and sends $pk$ to Bob.
+> 2. Bob also chooses $\beta \la \Z _ q$ and computes $k = h^\beta = g^{\alpha\beta}$.
+> 3. Bob sends $\big( g^\beta, E _ S(k, m) \big)$ to Alice.
+> 4. Alice computes $k = g^{\alpha\beta} = (g^\beta)^\alpha$ using $\alpha$ and recovers $m$ by decrypting $E _ S(k, m)$.
 
-As a concrete example, set $E_S(k, m) = k \cdot m$ and $D_S(k, c) = k^{-1} \cdot c$. The correctness property automatically holds. Therefore,
+As a concrete example, set $E _ S(k, m) = k \cdot m$ and $D _ S(k, c) = k^{-1} \cdot c$. The correctness property automatically holds. Therefore,
 
-- $G$ outputs $sk = \alpha \la \Z_q$, $pk = h = g^\alpha$.
-- $E(pk, m) = (c_1, c_2) \la (g^\beta, h^\beta \cdot m)$ where $\beta \la \Z_q$.
-- $D(sk, c) = c_2 \cdot (c_1)^{-\alpha} = m$.
+- $G$ outputs $sk = \alpha \la \Z _ q$, $pk = h = g^\alpha$.
+- $E(pk, m) = (c _ 1, c _ 2) \la (g^\beta, h^\beta \cdot m)$ where $\beta \la \Z _ q$.
+- $D(sk, c) = c _ 2 \cdot (c _ 1)^{-\alpha} = m$.
 
 ### Security of ElGamal Encryption
 
-> **Theorem.** If the DDH assumption holds on $G$, and the symmetric cipher $\mc{E}_S = (E_S, D_S)$ is semantically secure, then the ElGamal encryption scheme $\mc{E}_\rm{EG}$ is semantically secure.
+> **Theorem.** If the DDH assumption holds on $G$, and the symmetric cipher $\mc{E} _ S = (E _ S, D _ S)$ is semantically secure, then the ElGamal encryption scheme $\mc{E} _ \rm{EG}$ is semantically secure.
 >
-> For any SS adversary $\mc{A}$ of $\mc{E}_\rm{EG}$, there exist a DDH adversary $\mc{B}$, and an SS adversary $\mc{C}$ for $\mc{E}_S$ such that
+> For any SS adversary $\mc{A}$ of $\mc{E} _ \rm{EG}$, there exist a DDH adversary $\mc{B}$, and an SS adversary $\mc{C}$ for $\mc{E} _ S$ such that
 >
 > $$
-> \Adv[SS]{\mc{A}, \mc{E}_\rm{EG}} \leq 2 \cdot \Adv[DDH]{\mc{B}, G} + \Adv[SS]{\mc{C}, \mc{E}_S}.
+> \Adv[SS]{\mc{A}, \mc{E} _ \rm{EG}} \leq 2 \cdot \Adv[DDH]{\mc{B}, G} + \Adv[SS]{\mc{C}, \mc{E} _ S}.
 > $$
 
-*Proof Idea*. For any $m_0, m_1 \in G$ and random $\gamma \la \Z_q$,
+*Proof Idea*. For any $m _ 0, m _ 1 \in G$ and random $\gamma \la \Z _ q$,
 
 $$
-E_S(g^{\alpha\beta}, m_0) \approx_c E_S(g^{\gamma}, m_0) \approx_c E_S(g^\gamma, m_1) \approx_c E_S(g^{\alpha\beta}, m_1).
+E _ S(g^{\alpha\beta}, m _ 0) \approx _ c E _ S(g^{\gamma}, m _ 0) \approx _ c E _ S(g^\gamma, m _ 1) \approx _ c E _ S(g^{\alpha\beta}, m _ 1).
 $$
 
-The first two and last two ciphertexts are computationally indistinguishable since the DDH problem is hard. The second and third ciphertexts are also indistinguishable since $\mc{E}_S$ is semantically secure.
+The first two and last two ciphertexts are computationally indistinguishable since the DDH problem is hard. The second and third ciphertexts are also indistinguishable since $\mc{E} _ S$ is semantically secure.
 
 *Proof*. Full proof in Theorem 11.5.[^1]
 
-Note that $\beta \la \Z_q$ must be chosen differently for each encrypted message. This is the randomness part of the encryption, since $pk = g^\alpha, sk =\alpha$ are fixed.
+Note that $\beta \la \Z _ q$ must be chosen differently for each encrypted message. This is the randomness part of the encryption, since $pk = g^\alpha, sk =\alpha$ are fixed.
 
 ### Hashed ElGamal Encryption
 
-**Hashed ElGamal encryption** scheme is a variant of the original ElGamal scheme, where we use a hash function $H : G \ra \mc{K}$, where $\mc{K}$ is the key space of $\mc{E}_S$.
+**Hashed ElGamal encryption** scheme is a variant of the original ElGamal scheme, where we use a hash function $H : G \ra \mc{K}$, where $\mc{K}$ is the key space of $\mc{E} _ S$.
 
 The only difference is that we use $H(g^{\alpha\beta})$ as the key.[^2]
 
-> 1. Alice chooses $sk = \alpha \la \Z_q$, computes $pk = g^\alpha$ and sends $pk$ to Bob.
-> 2. Bob also chooses $\beta \la \Z_q$ and computes $h^\beta = g^{\alpha\beta}$**, and sets $k = H(g^{\alpha\beta})$.**
-> 3. Bob sends $\big( g^\beta, E_S(k, m) \big)$ to Alice.
-> 4. Alice computes $g^{\alpha\beta} = (g^\beta)^\alpha$ using $\alpha$, **computes $k = H(g^{\alpha\beta})$** and recovers $m$ by decrypting $E_S(k, m)$.
+> 1. Alice chooses $sk = \alpha \la \Z _ q$, computes $pk = g^\alpha$ and sends $pk$ to Bob.
+> 2. Bob also chooses $\beta \la \Z _ q$ and computes $h^\beta = g^{\alpha\beta}$**, and sets $k = H(g^{\alpha\beta})$.**
+> 3. Bob sends $\big( g^\beta, E _ S(k, m) \big)$ to Alice.
+> 4. Alice computes $g^{\alpha\beta} = (g^\beta)^\alpha$ using $\alpha$, **computes $k = H(g^{\alpha\beta})$** and recovers $m$ by decrypting $E _ S(k, m)$.
 
 This is also semantically secure, under the random oracle model.
 
-> **Theorem.** Let $H : G \ra \mc{K}$ be modeled as a random oracle. If the CDH assumption holds on $G$ and $\mc{E}_S$ is semantically secure, then the hashed ElGamal scheme $\mc{E}_\rm{HEG}$ is semantically secure.
+> **Theorem.** Let $H : G \ra \mc{K}$ be modeled as a random oracle. If the CDH assumption holds on $G$ and $\mc{E} _ S$ is semantically secure, then the hashed ElGamal scheme $\mc{E} _ \rm{HEG}$ is semantically secure.
 
-*Proof Idea*. Given a ciphertext $\big( g^\beta, E_S(k, m) \big)$ with $k = H(g^{\alpha\beta})$, the adversary learns nothing about $k$ unless it constructs $g^{\alpha\beta}$. This is because we modeled $H$ as a random oracle. If the adversary learns about $k$, then this adversary breaks the CDH assumption for $G$. Thus, if CDH assumption holds for the adversary, $k$ is completely random, so the hashed ElGamal scheme is secure by the semantic security of $\mc{E}_S$.
+*Proof Idea*. Given a ciphertext $\big( g^\beta, E _ S(k, m) \big)$ with $k = H(g^{\alpha\beta})$, the adversary learns nothing about $k$ unless it constructs $g^{\alpha\beta}$. This is because we modeled $H$ as a random oracle. If the adversary learns about $k$, then this adversary breaks the CDH assumption for $G$. Thus, if CDH assumption holds for the adversary, $k$ is completely random, so the hashed ElGamal scheme is secure by the semantic security of $\mc{E} _ S$.
 
 *Proof*. Refer to Theorem 11.4.[^1]
 
@@ -272,7 +272,7 @@ Since the hashed ElGamal scheme is semantically secure, it is automatically CPA
 
 > **Definition.** Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. Let $\mc{A}$ be a given adversary.
 >
-> 1. The challenger chooses $\alpha, \beta \la \Z_q$ and sends $g^\alpha, g^\beta$ to the adversary.
+> 1. The challenger chooses $\alpha, \beta \la \Z _ q$ and sends $g^\alpha, g^\beta$ to the adversary.
 > 2. The adversary makes a sequence of **DH-decision oracle queries** to the challenger.
 > 	- Each query has the form $(v, w) \in G^2$, challenger replies with $1$ if $v^\alpha = w$, replies $0$ otherwise.
 > 3. The adversary calculates and outputs some $w \in G$.
@@ -289,7 +289,7 @@ This is also known as **gap-CDH**. Intuitively, it says that even if we have a D
 
 ### CCA Security of Hashed ElGamal
 
-> **Theorem.** If the gap-CDH assumption holds on $G$ and $\mc{E}_S$ provides AE and $H : G \ra \mc{K}$ is a random oracle, then the hashed ElGamal scheme is CCA secure.
+> **Theorem.** If the gap-CDH assumption holds on $G$ and $\mc{E} _ S$ provides AE and $H : G \ra \mc{K}$ is a random oracle, then the hashed ElGamal scheme is CCA secure.
 
 *Proof*. See Theorem 12.4.[^1] (very long)
 
@@ -320,15 +320,15 @@ Since $m^{p-1} = 1 \bmod p$, $m^{ed} = m \bmod N$ (holds trivially if $p \mid m$
 
 But this scheme is not CPA secure, since it is deterministic and the ciphertext is malleable. For instance, one can choose two messages to be $1$ and $2$. Then the ciphertext is easily distinguishable.
 
-Also, ciphertext is malleable by the **homomorphic property**. If $c_1 = m_1^e \bmod N$ and $c_2 = m_2^e \bmod N$, then set $c =c_1c_2 = (m_1m_2)^e \bmod N$, which is an encryption of $m_1m_2$.
+Also, ciphertext is malleable by the **homomorphic property**. If $c _ 1 = m _ 1^e \bmod N$ and $c _ 2 = m _ 2^e \bmod N$, then set $c =c _ 1c _ 2 = (m _ 1m _ 2)^e \bmod N$, which is an encryption of $m _ 1m _ 2$.
 
 #### Attack on KEM
 
-Assume that the textbook RSA is used as KEM. Suppose that $k$ is $128$ bits, and the attacker sees $c = k^e \bmod N$. With high probability ($80\%$), $k = k_1 \cdot k_2$ for some $k_1, k_2 < 2^{64}$. Using the homomorphic property, $c = k_1^e k_2^e \bmod N$, so the following attack is possible.
+Assume that the textbook RSA is used as KEM. Suppose that $k$ is $128$ bits, and the attacker sees $c = k^e \bmod N$. With high probability ($80\%$), $k = k _ 1 \cdot k _ 2$ for some $k _ 1, k _ 2 < 2^{64}$. Using the homomorphic property, $c = k _ 1^e k _ 2^e \bmod N$, so the following attack is possible.
 
-1. Build a table of $c\cdot k_2^{-e}$ for $0 \leq k_2 < 2^{64}$.
-2. For each $1 \leq k_1 < 2^{64}$, compute $k_1^e$ to check if it is in the table.
-3. Output a match $(k_1, k_2)$.
+1. Build a table of $c\cdot k _ 2^{-e}$ for $0 \leq k _ 2 < 2^{64}$.
+2. For each $1 \leq k _ 1 < 2^{64}$, compute $k _ 1^e$ to check if it is in the table.
+3. Output a match $(k _ 1, k _ 2)$.
 
 The attack has complexity $\mc{O}(2^{n/2})$ where $n$ is the key length.
 
@@ -390,35 +390,35 @@ The RSA assumption says that the RSA problem is hard, which implies that RSA is
 
 ### The RSA Problem
 
-> **Definition.** Let $\mc{T}_\rm{RSA} = (G, F, I)$ the RSA trapdoor function scheme. Given an adversary $\mc{A}$,
+> **Definition.** Let $\mc{T} _ \rm{RSA} = (G, F, I)$ the RSA trapdoor function scheme. Given an adversary $\mc{A}$,
 >
-> 1. The challenger chooses $(pk, sk) \la G()$ and $x \la \Z_N$.
+> 1. The challenger chooses $(pk, sk) \la G()$ and $x \la \Z _ N$.
 > 	- $pk = (N, e)$, $sk = (N, d)$.
 > 2. The challenger computes $y \la x^e \bmod N$ and sends $pk$ and $y$ to the adversary.
-> 3. The adversary computes and outputs $x' \in \Z_N$.
+> 3. The adversary computes and outputs $x' \in \Z _ N$.
 >
 > The adversary wins if $x = x'$. The advantage is defined as
 >
 > $$
-> \rm{Adv}_{\rm{RSA}}[\mc{A}, \mc{T_\rm{RSA}}] = \Pr[x = x'].
+> \rm{Adv} _ {\rm{RSA}}[\mc{A}, \mc{T _ \rm{RSA}}] = \Pr[x = x'].
 > $$
 >
 > We say that the **RSA assumption** holds if the advantage is negligible for any efficient $\mc{A}$.
 
 ## RSA Public Key Encryption (ISO Standard)
 
-- Let $(E_S, D_S)$ be a symmetric encryption scheme over $(\mc{K}, \mc{M}, \mc{C})$ that provides AE.
-- Let $H : \Z_N^{\ast} \ra \mc{K}$ be a hash function.
+- Let $(E _ S, D _ S)$ be a symmetric encryption scheme over $(\mc{K}, \mc{M}, \mc{C})$ that provides AE.
+- Let $H : \Z _ N^{\ast} \ra \mc{K}$ be a hash function.
 
 The RSA public key encryption is done as follows.
 
 - Key generation is the same.
 - Encryption
-	1. Choose random $x \la \Z_N^{\ast}$ and let $y = x^e \bmod N$.
-	2. Compute $c \la E_S(H(x), m)$.
+	1. Choose random $x \la \Z _ N^{\ast}$ and let $y = x^e \bmod N$.
+	2. Compute $c \la E _ S(H(x), m)$.
 	3. Output $c' = (y, c)$.
 - Decryption
-	- Output $D_S(H(y^d), c)$.
+	- Output $D _ S(H(y^d), c)$.
 
 This works because $x = y^d \bmod N$ and $H(y^d) = H(x)$. In short, this uses RSA trapdoor function as a **key exchange mechanism**, and the actual encryption is done by symmetric encryption.
 

_posts/lecture-notes/modern-cryptography/2023-10-26-digital-signatures.md

@@ -22,10 +22,10 @@ attachment:
 ## Digital Signatures
 
 > **Definition.** A **signature scheme** $\mc{S} = (G, S, V)$ is a triple of efficient algorithms, where $G$ is a **key generation** algorithm, $S$ is a **signing** algorithm, and $V$ is a **verification** algorithm.
-> 
+>
 > - A probabilistic algorithm $G$ outputs a pair $(pk, sk)$, where $sk$ is called a secret **signing key**, and $pk$ is a public **verification key**.
 > - Given $sk$ and a message $m$, a probabilistic algorithm $S$ outputs a **signature** $\sigma \la S(sk, m)$.
-> - $V$ is a deterministic algorithm that outputs either $\texttt{{accept}}$ or $\texttt{reject}$ for $V(pk, m, \sigma)$.
+> - $V$ is a deterministic algorithm that outputs either $\texttt{accept}$ or $\texttt{reject}$ for $V(pk, m, \sigma)$.
 
 The correctness property requires that all signatures generated by $S$ is always accepted by $V$. For all $(pk, sk) \la G$ and $m \in \mc{M}$,
 
@@ -60,20 +60,20 @@ The definition is similar to the [secure MAC](../2023-09-21-macs/#secure-mac-unf
 ![mc-10-dsig-security.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-10-dsig-security.png)
 
 > **Definition.** Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$. Given an adversary $\mc{A}$, the game goes as follows.
-> 
+>
 > 1. The challenger generates $(pk, sk) \la G()$ and sends $pk$ to $\mc{A}$.
 > 2. $\mc{A}$ makes a series of *signing queries* to the challenger.
-> 	- Each query is a message $m_i \in \mc{M}$, the challenger responds with $\sigma_i \la S(sk, m_i)$.
+> 	- Each query is a message $m _ i \in \mc{M}$, the challenger responds with $\sigma _ i \la S(sk, m _ i)$.
 > 3. $\mc{A}$ computes and outputs a candidate forgery pair $(m, \sigma) \in \mc{M} \times \Sigma$.
-> 	- $m \notin \left\lbrace m_1, \dots, m_q \right\rbrace$.
-> 	- $(m, \sigma) \notin \left\lbrace (m_1, \sigma_1), \dots, (m_q, \sigma_q) \right\rbrace$. (strong)
-> 
+> 	- $m \notin \left\lbrace m _ 1, \dots, m _ q \right\rbrace$.
+> 	- $(m, \sigma) \notin \left\lbrace (m _ 1, \sigma _ 1), \dots, (m _ q, \sigma _ q) \right\rbrace$. (strong)
+>
 > $\mc{A}$ wins if $V(pk, m, \sigma) = \texttt{accept}$, let this event be $W$. The advantage of $\mc{A}$ with respect to $\mc{S}$ is defined as
-> 
+>
 > $$
-> \rm{Adv}_{\rm{SIG}}[\mc{A}, \mc{S}] = \Pr[W].
+> \rm{Adv} _ {\rm{SIG}}[\mc{A}, \mc{S}] = \Pr[W].
 > $$
-> 
+>
 > If the advantage is negligible for all efficient adversaries $\mc{A}$, the signature scheme $S$ is (strongly) **secure**. $\mc{S}$ is **existentially unforgeable under a chosen message attack**.
 
 - We do not make verification queries, since the adversary can always check any signature.
@@ -108,11 +108,11 @@ $$
 This is often called the **hash-and-sign paradigm**, and the new signature scheme is also secure.
 
 > **Theorem.** Suppose that $\mc{S}$ is a secure signature scheme and $H$ is a collision resistant hash function. Then $\mc{S}'$ is a secure signature.
-> 
-> If $\mc{A}$ is an adversary attacking $\mc{S}'$, then there exist an adversary $\mc{B}_\mc{S}$ attacking $\mc{S}$ and an adversary $\mc{B}_H$ attacking $H$ such that
-> 
+>
+> If $\mc{A}$ is an adversary attacking $\mc{S}'$, then there exist an adversary $\mc{B} _ \mc{S}$ attacking $\mc{S}$ and an adversary $\mc{B} _ H$ attacking $H$ such that
+>
 > $$
-> \rm{Adv}_{\rm{SIG}}[A, \mc{S}'] \leq \rm{Adv}_{\rm{SIG}}[\mc{B}_\mc{S}, \mc{S}] + \rm{Adv}_{\rm{CR}}[\mc{B}_H, H].
+> \rm{Adv} _ {\rm{SIG}}[A, \mc{S}'] \leq \rm{Adv} _ {\rm{SIG}}[\mc{B} _ \mc{S}, \mc{S}] + \rm{Adv} _ {\rm{CR}}[\mc{B} _ H, H].
 > $$
 
 *Proof*. The proof is identical to the theorem for MACs.
@@ -135,16 +135,16 @@ Here are some possible attacks.
 	- Just return $(\sigma^e, \sigma)$ for some $\sigma$. Then it passes verification.
 - Attack using the homomorphic property.
 	- Suppose we want to forge a message $m$.
-	- Pick $m_1 \in \Z_N^{\ast}$ and set $m_2 = m\cdot m_1^{-1} \bmod N$.
+	- Pick $m _ 1 \in \Z _ N^{\ast}$ and set $m _ 2 = m\cdot m _ 1^{-1} \bmod N$.
 	- Query signatures for both messages and multiply the responses.
-		- $\sigma = \sigma_1 \cdot \sigma_2 = m_1^e \cdot m^e \cdot m_1^{-e} = m^e \bmod N$.
+		- $\sigma = \sigma _ 1 \cdot \sigma _ 2 = m _ 1^e \cdot m^e \cdot m _ 1^{-e} = m^e \bmod N$.
 	- Then $(m, \sigma)$ is a valid pair.
 
 Because of the second attack, the textbook RSA signature is **universally forgeable**. This property is used to create **blind signatures**, where the signer creates a signature without any knowledge about the message. See Exercise 13.15.[^1]
 
 ### RSA Full Domain Hash Signature Scheme
 
-Given a hash function $H : \mc{M} \ra \mc{Y}$, the **RSA full domain hash** signature scheme $\mc{S}_\rm{RSA-FDH}$ is defined as follows.
+Given a hash function $H : \mc{M} \ra \mc{Y}$, the **RSA full domain hash** signature scheme $\mc{S} _ \rm{RSA-FDH}$ is defined as follows.
 
 - Key generation: $pk = (N, e)$ and $sk = (N, d)$ are chosen to satisfy $d = e^{-1} \bmod \phi(N)$ for $N = pq$.
 - Sign: $S(sk, m) = H(m)^d \bmod N$.
@@ -152,25 +152,25 @@ Given a hash function $H : \mc{M} \ra \mc{Y}$, the **RSA full domain hash** sign
 
 This scheme is now secure.
 
-> **Theorem.** If the hash function $H$ is modeled as a random oracle, and the RSA assumptions holds, then $\mc{S}_\rm{RSA-FDH}$ is a secure signature scheme.
-> 
+> **Theorem.** If the hash function $H$ is modeled as a random oracle, and the RSA assumptions holds, then $\mc{S} _ \rm{RSA-FDH}$ is a secure signature scheme.
+>
 > For any $q$-query adversary $\mc{A}$ against hashed RSA, there exists an adversary $\mc{B}$ solving the RSA problem such that
-> 
+>
 > $$
-> \rm{Adv}_{\rm{SIG}}[\mc{A}, \mc{S}_\rm{RSA-FDH}] \leq q \cdot \rm{Adv}_{\rm{RSA}}[\mc{B}].
+> \rm{Adv} _ {\rm{SIG}}[\mc{A}, \mc{S} _ \rm{RSA-FDH}] \leq q \cdot \rm{Adv} _ {\rm{RSA}}[\mc{B}].
 > $$
 
 ### Full Domain Hash Signature Scheme
 
-The following is a description of a **full domain hash** scheme $\mc{S}_\rm{FDH}$, constructed from trapdoor permutation scheme $\mc{T} = (G, F, I)$.
+The following is a description of a **full domain hash** scheme $\mc{S} _ \rm{FDH}$, constructed from trapdoor permutation scheme $\mc{T} = (G, F, I)$.
 
 - Key generation: $(pk, sk) \la G()$.
 - Sign: $S(sk, m)$ returns $\sigma \la I(sk, H(m))$.
 - Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $F(pk, \sigma) = H(m)$.
 
-This scheme $\mc{S}_\rm{FDH} = (G, S, V)$ is secure if $\mc{T}$ is a **one-way trapdoor permutation** and $H$ is a random oracle.
+This scheme $\mc{S} _ \rm{FDH} = (G, S, V)$ is secure if $\mc{T}$ is a **one-way trapdoor permutation** and $H$ is a random oracle.
 
-> **Theorem.** Let $\mc{T} = (G,F,I)$ be a one-way trapdoor permutation defined over $\mc{X}$. Let $H : \mc{M} \ra \mc{X}$ be a hash function, modeled as a random oracle. Then the derived FDH signature scheme $\mc{S}_\rm{FDH}$ is a secure signature scheme.
+> **Theorem.** Let $\mc{T} = (G,F,I)$ be a one-way trapdoor permutation defined over $\mc{X}$. Let $H : \mc{M} \ra \mc{X}$ be a hash function, modeled as a random oracle. Then the derived FDH signature scheme $\mc{S} _ \rm{FDH}$ is a secure signature scheme.
 
 *Proof*. See Theorem 13.3.[^1]
 
@@ -182,26 +182,26 @@ This one uses discrete logarithms.
 
 This scheme is originally from the **Schnorr identification protocol**.
 
-Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z_q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**.
+Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z _ q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**.
 
 ![mc-10-schnorr-identification.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-10-schnorr-identification.png)
 
-The protocol $\mc{I}_\rm{sch} = (G, P, V)$ works as follows.
+The protocol $\mc{I} _ \rm{sch} = (G, P, V)$ works as follows.
 
-> 1. A **secret key** $\alpha \la \Z_q$ and **verification key** $u \la g^\alpha$ is generated. The prover $P$ has $\alpha$ and the verifier $V$ has $u$.
-> 2. $P$ computes a random $\alpha_t \la \Z_q$, and sends $u_t \la g^{\alpha_t}$ to $V$.
-> 3. $V$ chooses a random $c \la \Z_q$ and sends it to $P$.
-> 4. $P$ computes $\alpha_z \la \alpha_t + \alpha c \in \Z_q$ and sends it to $V$.
-> 5. $V$ checks if $g^{\alpha_z} = u_t \cdot u^c$. Accept if and only if it is equal.
+> 1. A **secret key** $\alpha \la \Z _ q$ and **verification key** $u \la g^\alpha$ is generated. The prover $P$ has $\alpha$ and the verifier $V$ has $u$.
+> 2. $P$ computes a random $\alpha _ t \la \Z _ q$, and sends $u _ t \la g^{\alpha _ t}$ to $V$.
+> 3. $V$ chooses a random $c \la \Z _ q$ and sends it to $P$.
+> 4. $P$ computes $\alpha _ z \la \alpha _ t + \alpha c \in \Z _ q$ and sends it to $V$.
+> 5. $V$ checks if $g^{\alpha _ z} = u _ t \cdot u^c$. Accept if and only if it is equal.
 
-- $u_t$ is the **commitment** sent to the verifier.
+- $u _ t$ is the **commitment** sent to the verifier.
 - $c$ is the **challenge** sent to the prover.
-	- If $P$ can predict the challenge, $P$ can choose $\alpha_t$ and $\alpha_z$ so that verifier accepts it.
-- $\alpha_z$ is the **response** sent to the verifier.
+	- If $P$ can predict the challenge, $P$ can choose $\alpha _ t$ and $\alpha _ z$ so that verifier accepts it.
+- $\alpha _ z$ is the **response** sent to the verifier.
 
 We must check a few things.
 
-- **Correctness**: If $P$ has the correct $\alpha$, then $g^{\alpha_z} = g^{\alpha_t} \cdot (g^\alpha)^c = u_t \cdot u^c$.
+- **Correctness**: If $P$ has the correct $\alpha$, then $g^{\alpha _ z} = g^{\alpha _ t} \cdot (g^\alpha)^c = u _ t \cdot u^c$.
 - **Soundness**: If $P$ does not have the correct $\alpha$, it is reject with probability $1 - \frac{1}{q}$.
 	- We can repeat this many times then the probability of reject is $1 - \frac{1}{q^n} \ra 1$.
 	- Thus $q$ (the size of the challenge space) must be large.
@@ -214,32 +214,32 @@ We must check a few things.
 
 We *transform* the above protocol to a signature scheme.[^2] We need a hash function $H : \mc{M} \times G \ra \mc{C}$, modeled as a random oracle. The protocol originally involves interaction between two parties, but a signature is computed by a single party. Intuitively, $H$ will play the role of the verifier.
 
-The **Schnorr signature scheme** $\mc{S}_\rm{sch} = (G, S, V)$ is defined as follows.
+The **Schnorr signature scheme** $\mc{S} _ \rm{sch} = (G, S, V)$ is defined as follows.
 
-- Key generation: a **secret key** $sk = \alpha \la \Z_q$ and **public key** $pk = u \la g^\alpha$ is generated.
-- Sign: $S(sk, m)$ outputs $\sigma = (u_t, \alpha_z)$ where
-	- Choose random $\alpha_t \la \Z_q$ and set $u_t \la g^{\alpha_t}$.
-	- **Compute $c \la H(m, u_t)$** and set $\alpha_z \la \alpha_t + \alpha c$.
-- Verify: $V(pk, m, \sigma)$ outputs $\texttt{accept}$ if and only if $g^{\alpha_z} = u_t \cdot u^c$.
-	- $c \la H(m, u_t)$ can be computed and $u$ is known.
+- Key generation: a **secret key** $sk = \alpha \la \Z _ q$ and **public key** $pk = u \la g^\alpha$ is generated.
+- Sign: $S(sk, m)$ outputs $\sigma = (u _ t, \alpha _ z)$ where
+	- Choose random $\alpha _ t \la \Z _ q$ and set $u _ t \la g^{\alpha _ t}$.
+	- **Compute $c \la H(m, u _ t)$** and set $\alpha _ z \la \alpha _ t + \alpha c$.
+- Verify: $V(pk, m, \sigma)$ outputs $\texttt{accept}$ if and only if $g^{\alpha _ z} = u _ t \cdot u^c$.
+	- $c \la H(m, u _ t)$ can be computed and $u$ is known.
 
-Since $H$ is being modeled as a random oracle, the signer cannot predict the value of the challenge $c$. Also, $c$ must take both $m$ and $u_t$ as input, since without $m$, the signature is not related to $m$ (the signature has no $m$ term inside it). On the other hand, without $u_t$, then the scheme is insecure since the Schnorr identification protocol is HVZK. See Exercise 19.12.[^1]
+Since $H$ is being modeled as a random oracle, the signer cannot predict the value of the challenge $c$. Also, $c$ must take both $m$ and $u _ t$ as input, since without $m$, the signature is not related to $m$ (the signature has no $m$ term inside it). On the other hand, without $u _ t$, then the scheme is insecure since the Schnorr identification protocol is HVZK. See Exercise 19.12.[^1]
 
 > **Theorem.** If $H$ is modeled as a random oracle and Schnorr's identification protocol is secure, then Schnorr's signature scheme is also secure.
 
 *Proof*. See Theorem 19.7.[^1]
 
-Note that $\alpha \la \Z_q$ must be chosen randomly every time.
+Note that $\alpha \la \Z _ q$ must be chosen randomly every time.
 
 ## Digital Signature Algorithm
 
-Schnorr's scheme was protected by a patent, so NIST opted for a ad-hoc signature scheme based on a prime order subgroup of $\Z_p^{\ast}$. This algorithm eventually became the **Digital Signature Algorithm** (DSA). The standard was updated to support elliptic curve groups over a finite field, resulting in **ECDSA**.
+Schnorr's scheme was protected by a patent, so NIST opted for a ad-hoc signature scheme based on a prime order subgroup of $\Z _ p^{\ast}$. This algorithm eventually became the **Digital Signature Algorithm** (DSA). The standard was updated to support elliptic curve groups over a finite field, resulting in **ECDSA**.
 
 ## Public Key Infrastructure
 
 How would you trust public keys? We introduce **digital certificates** for this.
 
-Read in [public key infrastructure (Internet Security)](../../internet-security/2023-10-16-pki).
+Read in [public key infrastructure (Internet Security)](../../internet-security/2023-10-16-pki/).
 
 [^1]: A Graduate Course in Applied Cryptography
 [^2]: By using the [Fiat-Shamir transform](../2023-11-07-sigma-protocols/#the-fiat-shamir-transform).

_posts/lecture-notes/modern-cryptography/2023-10-31-advanced-topics.md

@@ -54,10 +54,10 @@ Suppose Alice wants to commit a message $m$. She computes $(c, o) \la C(m)$, and
 
 The scheme must satisfy the following properties. First, the commitment must open to a single message. This is called the **binding** property. Next, the commitment must not reveal any information about the message. This is called the **hiding** property.
 
-> **Definition.** A commitment scheme $\mc{C} = (C, V)$ is **binding** if for every efficient adversary $\mc{A}$ that outputs a $5$-tuple $(c, m_1, o_1, m_2, o_2)$, the probability
+> **Definition.** A commitment scheme $\mc{C} = (C, V)$ is **binding** if for every efficient adversary $\mc{A}$ that outputs a $5$-tuple $(c, m _ 1, o _ 1, m _ 2, o _ 2)$, the probability
 > 
 > $$
-> \Pr[m_1 \neq m_2 \land V(m_1, c, o_1) = V(m_2, c, o_2) = \texttt{{accept}}]
+> \Pr[m _ 1 \neq m _ 2 \land V(m _ 1, c, o _ 1) = V(m _ 2, c, o _ 2) = \texttt{{accept}}]
 > $$
 > 
 > is negligible.
@@ -67,14 +67,14 @@ The hiding property is defined as a security game.
 > **Definition.** Let $\mc{C} = (C, V)$ be a commitment scheme. Given an adversary $\mc{A}$, define two experiments.
 > 
 > **Experiment $b$**.
-> 1. $\mc{A}$ sends $m_0, m_1 \in \mc{M}$ to the challenger.
-> 2. The challenger computes $(c, o) \la C(m_b)$ and sends $c$ to $\mc{A}$.
+> 1. $\mc{A}$ sends $m _ 0, m _ 1 \in \mc{M}$ to the challenger.
+> 2. The challenger computes $(c, o) \la C(m _ b)$ and sends $c$ to $\mc{A}$.
 > 3. $\mc{A}$ computes and outputs $b' \in \braces{0, 1}$.
 > 
-> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. The **advantage** of $\mc{A}$ with respect to $\mc{C}$ is defined as
+> Let $W _ b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. The **advantage** of $\mc{A}$ with respect to $\mc{C}$ is defined as
 > 
 > $$
-> \Adv{\mc{A}, \mc{C}} = \abs{\Pr[W_0] - \Pr[W_1]}.
+> \Adv{\mc{A}, \mc{C}} = \abs{\Pr[W _ 0] - \Pr[W _ 1]}.
 > $$
 > 
 > If the advantage is negligible for all efficient adversaries $\mc{A}$, then the commitment scheme $\mc{C}$ has the **hiding** property.
@@ -98,24 +98,24 @@ However, it may be feasible to find another $k' \in \mc{K}'$ such that $D(k, c)
 
 To commit a bit, we can use a secure PRG. The following is due to Naor.
 
-> Let $G : \mc{S} \ra \mc{R}$ be a secure PRG where $\left\lvert \mc{R} \right\lvert \geq \left\lvert \mc{S} \right\lvert^3$ and $\mc{R} = \braces{0, 1}^n$. Suppose that Bob wants to commit a bit $b_0 \in \braces{0, 1}$.
+> Let $G : \mc{S} \ra \mc{R}$ be a secure PRG where $\left\lvert \mc{R} \right\lvert \geq \left\lvert \mc{S} \right\lvert^3$ and $\mc{R} = \braces{0, 1}^n$. Suppose that Bob wants to commit a bit $b _ 0 \in \braces{0, 1}$.
 > 
 > 1. Alice chooses a random $r \in \mc{R}$ and sends it to Bob.
-> 2. Bob chooses a random $s \in \mc{S}$ and computes $c \la C(s, r, b_0)$, where
+> 2. Bob chooses a random $s \in \mc{S}$ and computes $c \la C(s, r, b _ 0)$, where
 > 
 > 	$$
-> 	C(s, r, b_0) = \begin{cases} G(s) & (b_0 = 0) \\ G(s) \oplus r & (b_0 = 1). \end{cases}
+> 	C(s, r, b _ 0) = \begin{cases} G(s) & (b _ 0 = 0) \\ G(s) \oplus r & (b _ 0 = 1). \end{cases}
 > 	$$
 > 
 > 	Then Bob outputs $(c, s)$ as the commitment and the opening string.
-> 3. During opening, Bob sends $(b_0, s)$ to Alice.
-> 4. Alice accepts if and only if $C(s, r, b_0) = c$.
+> 3. During opening, Bob sends $(b _ 0, s)$ to Alice.
+> 4. Alice accepts if and only if $C(s, r, b _ 0) = c$.
 
-Correctness is obvious, since Alice recomputes $C(s, r, b_0)$.
+Correctness is obvious, since Alice recomputes $C(s, r, b _ 0)$.
 
 The hiding property follows since $G(s)$ and $G(s) \oplus r$ are indistinguishable if $G$ is a secure PRG.
 
-The binding property follows if $1 / \left\lvert \mc{S} \right\lvert$ is negligible. For Bob to open $c$ as both $0$ and $1$, he must find two seeds $s_0, s_1 \in \mc{S}$ such that $c = G(s_0) = G(s_1) \oplus r$. Then $r = G(s_0) \oplus G(s_1)$. There are at most $\left\lvert \mc{S} \right\lvert^2$ possible $r \in \mc{R}$ values that this can happen. The probability that Alice chooses such $r$ is
+The binding property follows if $1 / \left\lvert \mc{S} \right\lvert$ is negligible. For Bob to open $c$ as both $0$ and $1$, he must find two seeds $s _ 0, s _ 1 \in \mc{S}$ such that $c = G(s _ 0) = G(s _ 1) \oplus r$. Then $r = G(s _ 0) \oplus G(s _ 1)$. There are at most $\left\lvert \mc{S} \right\lvert^2$ possible $r \in \mc{R}$ values that this can happen. The probability that Alice chooses such $r$ is
 
 $$
 \left\lvert \mc{S} \right\lvert^2 / \left\lvert \mc{R} \right\lvert \leq \left\lvert \mc{S} \right\lvert^2 / \left\lvert \mc{S} \right\lvert^3 = 1 / \left\lvert \mc{S} \right\lvert
@@ -129,30 +129,30 @@ The downside of the above protocol is that it has to be interactive.
 
 A bit commitment scheme can be used for a **coin flipping protocol**. Suppose that Alice and Bob are flipping coins, when they are physically distant from each other.
 
-> 1. Bob chooses a random bit $b_0 \la \braces{0, 1}$.
+> 1. Bob chooses a random bit $b _ 0 \la \braces{0, 1}$.
 > 2. Execute the commitment protocol.
-> 	- Alice obtains a commitment string $c$ of $b_0$.
+> 	- Alice obtains a commitment string $c$ of $b _ 0$.
 > 	- Bob keeps an opening string $o$.
-> 3. Alice chooses a random bit $b_1 \la \braces{0, 1}$, and sends it to Bob.
-> 4. Bob reveals $b_0$ and $s$ to Alice, she verifies that $c$ is valid.
-> 5. The final outcome is $b = b_0 \oplus b_1$.
+> 3. Alice chooses a random bit $b _ 1 \la \braces{0, 1}$, and sends it to Bob.
+> 4. Bob reveals $b _ 0$ and $s$ to Alice, she verifies that $c$ is valid.
+> 5. The final outcome is $b = b _ 0 \oplus b _ 1$.
 
-After step $2$, Alice has no information about $b_0$ because of the hiding property. Her choice of $b_1$ is unbiased, and cannot affect the final outcome. Next, in step $4$, $b_0$ cannot be manipulated by the binding property.
+After step $2$, Alice has no information about $b _ 0$ because of the hiding property. Her choice of $b _ 1$ is unbiased, and cannot affect the final outcome. Next, in step $4$, $b _ 0$ cannot be manipulated by the binding property.
 
-Thus, $b_0$ and $b_1$ are both random, so $b$ is either $0$ or $1$ each with probability $1/2$.[^1]
+Thus, $b _ 0$ and $b _ 1$ are both random, so $b$ is either $0$ or $1$ each with probability $1/2$.[^1]
 
 ### Commitment Scheme from Hashing
 
-> Let $H : \mc{X} \ra \mc{Y}$ be a collision resistant hash function, where $\mc{X} = \mc{M} \times \mc{R}$. $\mc{M}$ is the message space, and $\mc{R}$ is a finite nonce space. For $m \in \mc{M}$, the derived commitment scheme $\mc{C}_H = (C, V)$ is defined as follows.
+> Let $H : \mc{X} \ra \mc{Y}$ be a collision resistant hash function, where $\mc{X} = \mc{M} \times \mc{R}$. $\mc{M}$ is the message space, and $\mc{R}$ is a finite nonce space. For $m \in \mc{M}$, the derived commitment scheme $\mc{C} _ H = (C, V)$ is defined as follows.
 > 
 > - $C(m)$: choose random $o \la \mc{R}$, set $c = H(m, o)$ and output $(c, o)$.
 > - $V(m, c, o)$: output $\texttt{accept}$ if and only if $c = H(m, o)$.
 
 Correctness is obvious.
 
-The binding property follows since $H$ is collision resistant. If it is easy to find a $5$-tuple $(c, m_1, o_1, m_2, o_2)$ such that $c = H(m_1, o_1) = H(m_2, o_2)$, $H$ is not collision resistant.
+The binding property follows since $H$ is collision resistant. If it is easy to find a $5$-tuple $(c, m _ 1, o _ 1, m _ 2, o _ 2)$ such that $c = H(m _ 1, o _ 1) = H(m _ 2, o _ 2)$, $H$ is not collision resistant.
 
-The hiding property follows if $H$ is modeled as a random oracle, or has a property called **input hiding**. For adversarially chosen $m_1, m_2 \in \mc{M}$ and random $o \la \mc{R}$, the distributions of $H(m_1, o)$ and $H(m_2, o)$ are computationally indistinguishable.
+The hiding property follows if $H$ is modeled as a random oracle, or has a property called **input hiding**. For adversarially chosen $m _ 1, m _ 2 \in \mc{M}$ and random $o \la \mc{R}$, the distributions of $H(m _ 1, o)$ and $H(m _ 2, o)$ are computationally indistinguishable.
 
 Additionally, this scheme is **non-malleable** if $H$ is modeled as a random oracle and $\mc{Y}$ is sufficiently large.[^2]
 
@@ -160,14 +160,14 @@ Additionally, this scheme is **non-malleable** if $H$ is modeled as a random ora
 
 > Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. Let $h$ be chosen randomly from $G$.
 > 
-> - $C(m)$: choose random $o \la \mathbb{Z}_q$ and $c \la g^m h^o$ and return $(c, o)$.
+> - $C(m)$: choose random $o \la \mathbb{Z} _ q$ and $c \la g^m h^o$ and return $(c, o)$.
 > - $V(m, c, o)$: output $\texttt{accept}$ if and only if $c = g^m h^o$.
 
 Correctness is obvious.
 
-The binding property follows from the DL assumption. If an adversary finds $m_1, m_2$, $o_1, o_2$ such that $c = g^{m_1} h^{o_1} = g^{m_2} h^{o_2}$, then $h = g^{(m_2 - m_1)/(o_1 - o_2)}$, solving the discrete logarithm problem for $h$.
+The binding property follows from the DL assumption. If an adversary finds $m _ 1, m _ 2$, $o _ 1, o _ 2$ such that $c = g^{m _ 1} h^{o _ 1} = g^{m _ 2} h^{o _ 2}$, then $h = g^{(m _ 2 - m _ 1)/(o _ 1 - o _ 2)}$, solving the discrete logarithm problem for $h$.
 
-The hiding property follows since $h$ is uniform in $G$ and $o$ is also uniform in $\mathbb{Z}_q$. Then $g^m h^o$ is uniform in $G$, not revealing any information.
+The hiding property follows since $h$ is uniform in $G$ and $o$ is also uniform in $\mathbb{Z} _ q$. Then $g^m h^o$ is uniform in $G$, not revealing any information.
 
 ## Post Quantum Cryptography
 
@@ -193,7 +193,7 @@ But factorization and discrete logarithms are not safe. The core idea is that a
 
 ### Quantum Factorization
 
-Let $n \in \mathbb{Z}$ and $0\neq g \in \mathbb{Z}_n$. Let $\gamma_g : \mathbb{Z} \ra \mathbb{Z}_n$ be defined as $\gamma_g(\alpha) = g^\alpha$. This function is periodic, since $g^{\phi(n)} = 1$ by Euler's generalization. Also, the order of $g$ will certainly divide the period.
+Let $n \in \mathbb{Z}$ and $0\neq g \in \mathbb{Z} _ n$. Let $\gamma _ g : \mathbb{Z} \ra \mathbb{Z} _ n$ be defined as $\gamma _ g(\alpha) = g^\alpha$. This function is periodic, since $g^{\phi(n)} = 1$ by Euler's generalization. Also, the order of $g$ will certainly divide the period.
 
 Thus, find a period $p$, and let $t$ be the smallest positive integer such that $g^{p/2^t} \neq 1$. Then $\gcd(n, g^{p/2^t} - 1)$ is a non-trivial factor of $n$ with probability about $1/2$ over the choice of $g$. See Exercise 16.10.[^3]
 
@@ -218,5 +218,5 @@ This period can be found in $\mc{O}(\log^3 q)$ time. The DL assumption is false
 (Detailed explanation to be added...)
 
 [^1]: There is one caveat. Bob gets to know the final result before Alice. If the outcome is not what he desired, he could abort the protocol in some way, like sending an invalid $c$, and go over the whole process again.
-[^2]: A commitment scheme is **malleable** if a commitment $c = (c_1, c_2)$ of a message $m$ can be transformed into a commitment $c' = (c_1, c_2 + \delta)$ of a message $m + \delta$.
+[^2]: A commitment scheme is **malleable** if a commitment $c = (c _ 1, c _ 2)$ of a message $m$ can be transformed into a commitment $c' = (c _ 1, c _ 2 + \delta)$ of a message $m + \delta$.
 [^3]: A Graduate Course in Applied Cryptography.

_posts/lecture-notes/modern-cryptography/2023-11-02-zkp-intro.md

@@ -84,7 +84,7 @@ We define these formally.
 > **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be a relation. A statement $y \in \mc{Y}$ is **true** if $(x, y) \in \mc{R}$ for some $x \in \mc{X}$. The set of true statements
 > 
 > $$
-> L_\mc{R} = \braces{y \in \mc{Y} : \exists x \in \mc{X},\; (x, y) \in \mc{R}}
+> L _ \mc{R} = \braces{y \in \mc{Y} : \exists x \in \mc{X},\; (x, y) \in \mc{R}}
 > $$
 > 
 > is called the **language** defined by $\mc{R}$.
@@ -103,10 +103,10 @@ But how do we define *zero knowledge*? What is *knowledge*? If the verifier lear
 > **Definition.** We say that a protocol is **honest verifier zero knowledge** (HVZK) if there exists an efficient algorithm $\rm{Sim}$ (simulator) on input $x$ such that the output distribution of $\rm{Sim}(x)$ is indistinguishable from the distribution of the verifier's view.
 > 
 > $$
-> \rm{Sim}(x) \approx \rm{View}_V[P(x, y) \lra V(x)]
+> \rm{Sim}(x) \approx \rm{View} _ V[P(x, y) \lra V(x)]
 > $$
 
-For every verifier $V^{\ast}$, possibly dishonest, there exists a simulator $\rm{Sim}$ such that $\rm{Sim}(x)$ is indistinguishable from the verifier's view $\rm{View}_{V^{\ast}}[P(x, y) \leftrightarrow V^{\ast}(x)]$.
+For every verifier $V^{\ast}$, possibly dishonest, there exists a simulator $\rm{Sim}$ such that $\rm{Sim}(x)$ is indistinguishable from the verifier's view $\rm{View} _ {V^{\ast}}[P(x, y) \leftrightarrow V^{\ast}(x)]$.
 
 If the proof is *zero knowledge*, the adversary can simulate conversations on his own without knowing the secret. Meaning that the adversary learns nothing from the conversation.
 

_posts/lecture-notes/modern-cryptography/2023-11-07-sigma-protocols.md

@@ -56,7 +56,7 @@ The **soundness** property says that it is infeasible for any prover to make the
 > 1. The adversary chooses a statement $y^{\ast} \in \mc{Y}$ and gives it to the challenger.
 > 2. The adversary interacts with the verifier $V(y^{\ast})$, where the challenger plays the role of verifier, and the adversary is a possibly *cheating* prover.
 > 
-> The adversary wins if $V(y^{\ast})$ outputs $\texttt{accept}$ but $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Pi$ is denoted $\rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi]$ and defined as the probability that $\mc{A}$ wins the game.
+> The adversary wins if $V(y^{\ast})$ outputs $\texttt{accept}$ but $y^{\ast} \notin L _ \mc{R}$. The advantage of $\mc{A}$ with respect to $\Pi$ is denoted $\rm{Adv} _ {\rm{Snd}}[\mc{A}, \Pi]$ and defined as the probability that $\mc{A}$ wins the game.
 > 
 > If the advantage is negligible for all efficient adversaries $\mc{A}$, then $\Pi$ is **sound**.
 
@@ -81,7 +81,7 @@ We also require that the challenge space is large, the challenger shouldn't be a
 > For every efficient adversary $\mc{A}$,
 > 
 > $$
-> \rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi] \leq \frac{1}{N}
+> \rm{Adv} _ {\rm{Snd}}[\mc{A}, \Pi] \leq \frac{1}{N}
 > $$
 > 
 > where $N$ is the size of the challenge space.
@@ -112,24 +112,24 @@ The Schnorr identification protocol is actually a sigma protocol. Refer to [Schn
 > The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where
 > 
 > $$
-> \mc{X} = \bb{Z}_q, \quad \mc{Y} = G, \quad \mc{R} = \left\lbrace (\alpha, u) \in \bb{Z}_q \times G : g^\alpha = u \right\rbrace.
+> \mc{X} = \bb{Z} _ q, \quad \mc{Y} = G, \quad \mc{R} = \left\lbrace (\alpha, u) \in \bb{Z} _ q \times G : g^\alpha = u \right\rbrace.
 > $$
 > 
-> The challenge space $\mc{C}$ is a subset of $\bb{Z}_q$.
+> The challenge space $\mc{C}$ is a subset of $\bb{Z} _ q$.
 
-The protocol provides **special soundness**. If $(u_t, c, \alpha_z)$ and $(u_t, c', \alpha_z')$ are two accepting conversations with $c \neq c'$, then we have
+The protocol provides **special soundness**. If $(u _ t, c, \alpha _ z)$ and $(u _ t, c', \alpha _ z')$ are two accepting conversations with $c \neq c'$, then we have
 
 $$
-g^{\alpha_z} = u_t \cdot u^c, \quad g^{\alpha_z'} = u_t \cdot u^{c'},
+g^{\alpha _ z} = u _ t \cdot u^c, \quad g^{\alpha _ z'} = u _ t \cdot u^{c'},
 $$
 
-so we have $g^{\alpha_z - \alpha_z'} = u^{c - c'}$. Setting $\alpha^{\ast} = (\alpha_z - \alpha_z') /(c - c')$ satisfies $g^{\alpha^{\ast}} = u$, solving the discrete logarithm and $\alpha^{\ast}$ is a proof.
+so we have $g^{\alpha _ z - \alpha _ z'} = u^{c - c'}$. Setting $\alpha^{\ast} = (\alpha _ z - \alpha _ z') /(c - c')$ satisfies $g^{\alpha^{\ast}} = u$, solving the discrete logarithm and $\alpha^{\ast}$ is a proof.
 
-As for HVZK, the simulator chooses $\alpha_z \la \bb{Z}_q$, $c \la \mc{C}$ randomly and sets $u_t = g^{\alpha_z} \cdot u^{-c}$. Then $(u_t, c, \alpha_z)$ will be accepted. *Note that the order doesn't matter.* Also, the distribution is same, since $c$ and $\alpha_z$ are uniform over $\mc{C}$ and $\bb{Z}_q$ and the choice of $c$ and $\alpha_z$ determines $u_t$ uniquely. This is identical to the distribution in the actual protocol.
+As for HVZK, the simulator chooses $\alpha _ z \la \bb{Z} _ q$, $c \la \mc{C}$ randomly and sets $u _ t = g^{\alpha _ z} \cdot u^{-c}$. Then $(u _ t, c, \alpha _ z)$ will be accepted. *Note that the order doesn't matter.* Also, the distribution is same, since $c$ and $\alpha _ z$ are uniform over $\mc{C}$ and $\bb{Z} _ q$ and the choice of $c$ and $\alpha _ z$ determines $u _ t$ uniquely. This is identical to the distribution in the actual protocol.
 
 ### Dishonest Verifier
 
-In case of dishonest verifiers, $V$ may not follow the protocol. For example, $V$ may choose non-uniform $c \in \mc{C}$ depending on the commitment $u_t$. In this case, the conversation from the actual protocol and the conversation generated by the simulator will have different distributions.
+In case of dishonest verifiers, $V$ may not follow the protocol. For example, $V$ may choose non-uniform $c \in \mc{C}$ depending on the commitment $u _ t$. In this case, the conversation from the actual protocol and the conversation generated by the simulator will have different distributions.
 
 We need a different distribution. The simulator must also take the verifier's actions as input, to properly simulate the dishonest verifier.
 
@@ -137,8 +137,8 @@ We need a different distribution. The simulator must also take the verifier's ac
 
 The original protocol can be modified so that the challenge space $\mc{C}$ is smaller. Completeness property is obvious, and the soundness error grows, but we can always repeat the protocol.
 
-As for zero knowledge, the simulator $\rm{Sim}_{V^{\ast}}(u)$ generates a verifier's view $(u, c, z)$ as follows.
-- Guess $c' \la \mc{C}$. Sample $z' \la \bb{Z}_q$ and set $u' = g^{z'}\cdot u^{-c'}$. Send $u'$ to $V^{\ast}$.
+As for zero knowledge, the simulator $\rm{Sim} _ {V^{\ast}}(u)$ generates a verifier's view $(u, c, z)$ as follows.
+- Guess $c' \la \mc{C}$. Sample $z' \la \bb{Z} _ q$ and set $u' = g^{z'}\cdot u^{-c'}$. Send $u'$ to $V^{\ast}$.
 - If the response from the verifier $V^{\ast}(u')$ is $c$ and $c \neq c'$, restart.
 	- $c = c'$ holds with probability $1 / \left\lvert \mc{C} \right\lvert$, since $c'$ is uniform.
 - Otherwise, output $(u, c, z) = (u', c', z')$.
@@ -155,22 +155,22 @@ But in most cases, it is enough to assume honest verifiers, as we will see soon.
 
 This one is similar to Schnorr protocol. This is used for proving the representation of a group element.
 
-Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $h \in G$ be some arbitrary group element, fixed as a system parameter. A **representation** of $u$ relative to $g$ and $h$ is a pair $(\alpha, \beta) \in \bb{Z}_q^2$ such that $g^\alpha h^\beta = u$.
+Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $h \in G$ be some arbitrary group element, fixed as a system parameter. A **representation** of $u$ relative to $g$ and $h$ is a pair $(\alpha, \beta) \in \bb{Z} _ q^2$ such that $g^\alpha h^\beta = u$.
 
 **Okamoto's protocol** for the relation
 
 $$
-\mc{R} = \bigg\lbrace \big( (\alpha, \beta), u \big) \in \bb{Z}_q^2 \times G : g^\alpha h^\beta = u \bigg\rbrace
+\mc{R} = \bigg\lbrace \big( (\alpha, \beta), u \big) \in \bb{Z} _ q^2 \times G : g^\alpha h^\beta = u \bigg\rbrace
 $$
 
 goes as follows.
 
 ![mc-13-okamoto.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-okamoto.png)
 
-> 1. $P$ computes random $\alpha_t, \beta_t \la \bb{Z}_q$ and sends commitment $u_t \la g^{\alpha_t}h^{\beta_t}$ to $V$.
+> 1. $P$ computes random $\alpha _ t, \beta _ t \la \bb{Z} _ q$ and sends commitment $u _ t \la g^{\alpha _ t}h^{\beta _ t}$ to $V$.
 > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
-> 3. $P$ computes $\alpha_z \la \alpha_t + \alpha c$, $\beta_z \la \beta_t + \beta c$ and sends $(\alpha_z, \beta_z)$ to $V$.
-> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\alpha_z} h^{\beta_z} = u_t \cdot u^c$.
+> 3. $P$ computes $\alpha _ z \la \alpha _ t + \alpha c$, $\beta _ z \la \beta _ t + \beta c$ and sends $(\alpha _ z, \beta _ z)$ to $V$.
+> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\alpha _ z} h^{\beta _ z} = u _ t \cdot u^c$.
 
 Completeness is obvious.
 
@@ -182,22 +182,22 @@ Completeness is obvious.
 
 The **Chaum-Pederson protocol** is for convincing a verifier that a given triple is a DH-triple.
 
-Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. $(g^\alpha, g^\beta, g^\gamma)$ is a DH-triple if $\gamma = \alpha\beta$. Then, the triple $(u, v, w)$ is a DH-triple if and only if $v = g^\beta$ and $w = u^\beta$ for some $\beta \in \bb{Z}_q$.
+Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. $(g^\alpha, g^\beta, g^\gamma)$ is a DH-triple if $\gamma = \alpha\beta$. Then, the triple $(u, v, w)$ is a DH-triple if and only if $v = g^\beta$ and $w = u^\beta$ for some $\beta \in \bb{Z} _ q$.
 
 The Chaum-Pederson protocol for the relation
 
 $$
-\mc{R} = \bigg\lbrace \big( \beta, (u, v, w) \big) \in \bb{Z}_q \times G^3 : v = g^\beta \land w = u^\beta \bigg\rbrace
+\mc{R} = \bigg\lbrace \big( \beta, (u, v, w) \big) \in \bb{Z} _ q \times G^3 : v = g^\beta \land w = u^\beta \bigg\rbrace
 $$
 
 goes as follows.
 
 ![mc-13-chaum-pedersen.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-chaum-pedersen.png)
 
-> 1. $P$ computes random $\beta_t \la \bb{Z}_q$ and sends commitment $v_t \la g^{\beta_t}$, $w_t \la u^{\beta_t}$ to $V$.
+> 1. $P$ computes random $\beta _ t \la \bb{Z} _ q$ and sends commitment $v _ t \la g^{\beta _ t}$, $w _ t \la u^{\beta _ t}$ to $V$.
 > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
-> 3. $P$ computes $\beta_z \la \beta_t + \beta c$, and sends it to $V$.
-> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\beta_z} = v_t \cdot v^c$ and $u^{\beta_z} = w_t \cdot w^c$.
+> 3. $P$ computes $\beta _ z \la \beta _ t + \beta c$, and sends it to $V$.
+> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\beta _ z} = v _ t \cdot v^c$ and $u^{\beta _ z} = w _ t \cdot w^c$.
 
 Completeness is obvious.
 
@@ -213,22 +213,22 @@ Schnorr, Okamoto, Chaum-Pedersen protocols look similar. They are special cases
 
 ### Sigma Protocol for RSA
 
-Let $(n, e)$ be an RSA public key, where $e$ is prime. The **Guillou-Quisquater** (GQ) protocol is used to convince a verifier that he knows an $e$-th root of $y \in \bb{Z}_n^{\ast}$.
+Let $(n, e)$ be an RSA public key, where $e$ is prime. The **Guillou-Quisquater** (GQ) protocol is used to convince a verifier that he knows an $e$-th root of $y \in \bb{Z} _ n^{\ast}$.
 
 The Guillou-Quisquater protocol for the relation
 
 $$
-\mc{R} = \bigg\lbrace (x, y) \in \big( \bb{Z}_n^{\ast} \big)^2 : x^e = y \bigg\rbrace
+\mc{R} = \bigg\lbrace (x, y) \in \big( \bb{Z} _ n^{\ast} \big)^2 : x^e = y \bigg\rbrace
 $$
 
 goes as follows.
 
 ![mc-13-gq-protocol.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-gq-protocol.png)
 
-> 1. $P$ computes random $x_t \la \bb{Z}_n^{\ast}$ and sends commitment $y_t \la x_t^e$ to $V$.
+> 1. $P$ computes random $x _ t \la \bb{Z} _ n^{\ast}$ and sends commitment $y _ t \la x _ t^e$ to $V$.
 > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
-> 3. $P$ computes $x_z \la x_t \cdot x^c$ and sends it to $V$.
-> 4. $V$ outputs $\texttt{accept}$ if and only if $x_z^e = y_t \cdot y^c$.
+> 3. $P$ computes $x _ z \la x _ t \cdot x^c$ and sends it to $V$.
+> 4. $V$ outputs $\texttt{accept}$ if and only if $x _ z^e = y _ t \cdot y^c$.
 
 Completeness is obvious.
 
@@ -244,29 +244,29 @@ Using the basic sigma protocols, we can build sigma protocols for complex statem
 
 The construction is straightforward, since we can just prove both statements.
 
-Given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$, we construct a sigma protocol for the relation $\mc{R}_\rm{AND}$ defined on $(\mc{X}_0 \times \mc{X}_1) \times (\mc{Y}_0 \times \mc{Y}_1)$ as
+Given two sigma protocols $(P _ 0, V _ 0)$ for $\mc{R} _ 0 \subset \mc{X} _ 0 \times \mc{Y} _ 0$ and $(P _ 1, V _ 1)$ for $\mc{R} _ 1 \subset \mc{X} _ 1 \times \mc{Y} _ 1$, we construct a sigma protocol for the relation $\mc{R} _ \rm{AND}$ defined on $(\mc{X} _ 0 \times \mc{X} _ 1) \times (\mc{Y} _ 0 \times \mc{Y} _ 1)$ as
 
 $$
-\mc{R}_\rm{AND} = \bigg\lbrace \big( (x_0, x_1), (y_0, y_1) \big) : (x_0, y_0) \in \mc{R}_0 \land (x_1, y_1) \in \mc{R}_1 \bigg\rbrace.
+\mc{R} _ \rm{AND} = \bigg\lbrace \big( (x _ 0, x _ 1), (y _ 0, y _ 1) \big) : (x _ 0, y _ 0) \in \mc{R} _ 0 \land (x _ 1, y _ 1) \in \mc{R} _ 1 \bigg\rbrace.
 $$
 
-Given a pair of statements $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$, the prover tries to convince the verifier that he knows a proof $(x_0, x_1) \in \mc{X}_0 \times \mc{X}_1$. This is equivalent to proving the AND of both statements.
+Given a pair of statements $(y _ 0, y _ 1) \in \mc{Y} _ 0 \times \mc{Y} _ 1$, the prover tries to convince the verifier that he knows a proof $(x _ 0, x _ 1) \in \mc{X} _ 0 \times \mc{X} _ 1$. This is equivalent to proving the AND of both statements.
 
-> 1. $P$ runs $P_i(x_i, y_i)$ to get a commitment $t_i$. $(t_0, t_1)$ is sent to $V$.
+> 1. $P$ runs $P _ i(x _ i, y _ i)$ to get a commitment $t _ i$. $(t _ 0, t _ 1)$ is sent to $V$.
 > 2. $V$ computes challenge $c \la C$ and sends it to $P$.
-> 3. $P$ uses the challenge for both $P_0, P_1$, obtains response $z_0$, $z_1$, which is sent to $V$.
-> 4. $V$ outputs $\texttt{accept}$ if and only if $(t_i, c, z_i)$ is an accepting conversation for $y_i$.
+> 3. $P$ uses the challenge for both $P _ 0, P _ 1$, obtains response $z _ 0$, $z _ 1$, which is sent to $V$.
+> 4. $V$ outputs $\texttt{accept}$ if and only if $(t _ i, c, z _ i)$ is an accepting conversation for $y _ i$.
 
 Completeness is clear.
 
-> **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the AND protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
+> **Theorem.** If $(P _ 0, V _ 0)$ and $(P _ 1, V _ 1)$ provide special soundness and are special HVZK, then the AND protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
 
-*Proof*. For special soundness, let $\rm{Ext}_0$, $\rm{Ext}_1$ be the knowledge extractor for $(P_0, V_0)$ and $(P_1, V_1)$, respectively. Then the knowledge extractor $\rm{Ext}$ for $(P, V)$ can be constructed straightforward. For statements $(y_0, y_1)$, suppose that $\big( (t_0, t_1), c, (z_0, z_1) \big)$ and $\big( (t_0, t_1), c', (z_0', z_1') \big)$ are two accepting conversations. Feed $\big( y_0, (t_0, c, z_0), (t_0, c', z_0') \big)$ to $\rm{Ext}_0$, and feed $\big( y_1, (t_1, c, z_1), (t_1, c', z_1') \big)$ to $\rm{Ext}_1$.
+*Proof*. For special soundness, let $\rm{Ext} _ 0$, $\rm{Ext} _ 1$ be the knowledge extractor for $(P _ 0, V _ 0)$ and $(P _ 1, V _ 1)$, respectively. Then the knowledge extractor $\rm{Ext}$ for $(P, V)$ can be constructed straightforward. For statements $(y _ 0, y _ 1)$, suppose that $\big( (t _ 0, t _ 1), c, (z _ 0, z _ 1) \big)$ and $\big( (t _ 0, t _ 1), c', (z _ 0', z _ 1') \big)$ are two accepting conversations. Feed $\big( y _ 0, (t _ 0, c, z _ 0), (t _ 0, c', z _ 0') \big)$ to $\rm{Ext} _ 0$, and feed $\big( y _ 1, (t _ 1, c, z _ 1), (t _ 1, c', z _ 1') \big)$ to $\rm{Ext} _ 1$.
 
-For special HVZK, let $\rm{Sim}_0$ and $\rm{Sim}_1$ be simulators for each protocol. Then the simulator $\rm{Sim}$ for $(P, V)$ is built by using $(t_0, z_0) \la \rm{Sim}_0(y_0, c)$ and $(t_1, z_1) \la \rm{Sim}_1(y_1, c)$. Set
+For special HVZK, let $\rm{Sim} _ 0$ and $\rm{Sim} _ 1$ be simulators for each protocol. Then the simulator $\rm{Sim}$ for $(P, V)$ is built by using $(t _ 0, z _ 0) \la \rm{Sim} _ 0(y _ 0, c)$ and $(t _ 1, z _ 1) \la \rm{Sim} _ 1(y _ 1, c)$. Set
 
 $$
-\big( (t_0, t_1), (z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
+\big( (t _ 0, t _ 1), (z _ 0, z _ 1) \big) \la \rm{Sim}\big( (y _ 0, y _ 1), c \big).
 $$
 
 We have used the fact that the challenge is used for both protocols.
@@ -275,83 +275,83 @@ We have used the fact that the challenge is used for both protocols.
 
 However, OR-proof construction is difficult. The prover must convince the verifier that either one of the statement is true, but **should not reveal which one is true.**
 
-If the challenge is known in advance, the prover can cheat. We exploit this fact. For the proof of $y_0 \lor y_1$, do the real proof for $y_b$ and cheat for $y_{1-b}$.
+If the challenge is known in advance, the prover can cheat. We exploit this fact. For the proof of $y _ 0 \lor y _ 1$, do the real proof for $y _ b$ and cheat for $y _ {1-b}$.
 
-Suppose we are given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim}_0$ and $\rm{Sim}_1$.
+Suppose we are given two sigma protocols $(P _ 0, V _ 0)$ for $\mc{R} _ 0 \subset \mc{X} _ 0 \times \mc{Y} _ 0$ and $(P _ 1, V _ 1)$ for $\mc{R} _ 1 \subset \mc{X} _ 1 \times \mc{Y} _ 1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim} _ 0$ and $\rm{Sim} _ 1$.
 
-We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on $\big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1)$ as
+We combine the protocols to form a sigma protocol for the relation $\mc{R} _ \rm{OR}$ defined on $\big( \braces{0, 1} \times (\mc{X} _ 0 \cup \mc{X} _ 1) \big) \times (\mc{Y} _ 0\times \mc{Y} _ 1)$ as
 
 $$
-\mc{R}_\rm{OR} = \bigg\lbrace \big( (b, x), (y_0, y_1)  \big): (x, y_b) \in \mc{R}_b\bigg\rbrace.
+\mc{R} _ \rm{OR} = \bigg\lbrace \big( (b, x), (y _ 0, y _ 1)  \big): (x, y _ b) \in \mc{R} _ b\bigg\rbrace.
 $$
 
-Here, $b$ denotes the actual statement $y_b$ to prove. For $y_{1-b}$, we cheat.
+Here, $b$ denotes the actual statement $y _ b$ to prove. For $y _ {1-b}$, we cheat.
 
-> $P$ is initialized with $\big( (b, x), (y_0, y_1) \big) \in \mc{R}_\rm{OR}$ and $V$ is initialized with $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$. Let $d = 1 - b$.
+> $P$ is initialized with $\big( (b, x), (y _ 0, y _ 1) \big) \in \mc{R} _ \rm{OR}$ and $V$ is initialized with $(y _ 0, y _ 1) \in \mc{Y} _ 0 \times \mc{Y} _ 1$. Let $d = 1 - b$.
 > 
-> 1. $P$ computes $c_d \la \mc{C}$ and $(t_d, z_d) \la \rm{Sim}_d(y_d, c_d)$.
-> 2. $P$ runs $P_b(x, y_b)$ to get a real commitment $t_b$ and sends $(t_0, t_1)$ to $V$.
+> 1. $P$ computes $c _ d \la \mc{C}$ and $(t _ d, z _ d) \la \rm{Sim} _ d(y _ d, c _ d)$.
+> 2. $P$ runs $P _ b(x, y _ b)$ to get a real commitment $t _ b$ and sends $(t _ 0, t _ 1)$ to $V$.
 > 3. $V$ computes challenge $c \la C$ and sends it to $P$.
-> 4. $P$ computes $c_b \la c \oplus c_d$, feeds it to $P_b(x, y_b)$ obtains a response $z_b$.
-> 5. $P$ sends $(c_0, z_0, z_1)$ to $V$.
-> 6. $V$ computes $c_1 \la c \oplus c_0$, and outputs $\texttt{accept}$ if and only if $(t_0, c_0, z_0)$ is an accepting conversation for $y_0$ and $(t_1, c_1, z_1)$ is an accepting conversation for $y_1$.
+> 4. $P$ computes $c _ b \la c \oplus c _ d$, feeds it to $P _ b(x, y _ b)$ obtains a response $z _ b$.
+> 5. $P$ sends $(c _ 0, z _ 0, z _ 1)$ to $V$.
+> 6. $V$ computes $c _ 1 \la c \oplus c _ 0$, and outputs $\texttt{accept}$ if and only if $(t _ 0, c _ 0, z _ 0)$ is an accepting conversation for $y _ 0$ and $(t _ 1, c _ 1, z _ 1)$ is an accepting conversation for $y _ 1$.
 
 Step $1$ is the cheating part, where the prover chooses a challenge, and generates a commitment and a response from the simulator.
 
 Completeness follows from the following.
-- $c_b = c \oplus c_{1-b}$, so $c_1 = c \oplus c_0$ always holds.
-- Both conversations $(t_0, c_0, z_0)$ and $(t_1, c_1, z_1)$ are accepted.
-	- An actual proof is done for statement $y_b$.
-	- For statement $y_{1-b}$, the simulator always outputs an accepting conversation.
+- $c _ b = c \oplus c _ {1-b}$, so $c _ 1 = c \oplus c _ 0$ always holds.
+- Both conversations $(t _ 0, c _ 0, z _ 0)$ and $(t _ 1, c _ 1, z _ 1)$ are accepted.
+	- An actual proof is done for statement $y _ b$.
+	- For statement $y _ {1-b}$, the simulator always outputs an accepting conversation.
 
-$c_b = c \oplus c_d$ is random, so $P$ cannot manipulate the challenge. Also, $V$ checks $c_1 = c \oplus c_0$.
+$c _ b = c \oplus c _ d$ is random, so $P$ cannot manipulate the challenge. Also, $V$ checks $c _ 1 = c \oplus c _ 0$.
 
-> **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the OR protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
+> **Theorem.** If $(P _ 0, V _ 0)$ and $(P _ 1, V _ 1)$ provide special soundness and are special HVZK, then the OR protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
 
-*Proof*. For special soundness, suppose that $\rm{Ext}_0$ and $\rm{Ext}_1$ are knowledge extractors. Let
+*Proof*. For special soundness, suppose that $\rm{Ext} _ 0$ and $\rm{Ext} _ 1$ are knowledge extractors. Let
 
 $$
-\big( (t_0, t_1), c, (c_0, z_0, z_1) \big), \qquad \big( (t_0, t_1), c', (c_0', z_0', z_1') \big)
+\big( (t _ 0, t _ 1), c, (c _ 0, z _ 0, z _ 1) \big), \qquad \big( (t _ 0, t _ 1), c', (c _ 0', z _ 0', z _ 1') \big)
 $$
 
-be two accepting conversations with $c \neq c'$. Define $c_1 = c \oplus c_0$ and $c_1' = c' \oplus c_0'$. Since $c \neq c'$, it must be the case that either $c_0 \neq c_0'$ or $c_1 \neq c_1'$. Now $\rm{Ext}$ will work as follows.
+be two accepting conversations with $c \neq c'$. Define $c _ 1 = c \oplus c _ 0$ and $c _ 1' = c' \oplus c _ 0'$. Since $c \neq c'$, it must be the case that either $c _ 0 \neq c _ 0'$ or $c _ 1 \neq c _ 1'$. Now $\rm{Ext}$ will work as follows.
 
-- If $c_0 \neq c_0'$, output $\bigg( 0, \rm{Ext}_0\big( y_0, (t_0, c_0, z_0), (t_0, c_0', z_0') \big) \bigg)$.
-- If $c_1 \neq c_1'$, output $\bigg( 1, \rm{Ext}_1\big( y_1, (t_1, c_1, z_1), (t_1, c_1', z_1') \big) \bigg)$.
+- If $c _ 0 \neq c _ 0'$, output $\bigg( 0, \rm{Ext} _ 0\big( y _ 0, (t _ 0, c _ 0, z _ 0), (t _ 0, c _ 0', z _ 0') \big) \bigg)$.
+- If $c _ 1 \neq c _ 1'$, output $\bigg( 1, \rm{Ext} _ 1\big( y _ 1, (t _ 1, c _ 1, z _ 1), (t _ 1, c _ 1', z _ 1') \big) \bigg)$.
 
 Then $\rm{Ext}$ will extract the knowledge.
 
-For special HVZK, define $c_0 \la \mc{C}$, $c_1 \la c \oplus c_0$. Then run each simulator to get
+For special HVZK, define $c _ 0 \la \mc{C}$, $c _ 1 \la c \oplus c _ 0$. Then run each simulator to get
 
 $$
-(t_0, z_0) \la \rm{Sim}_0(y_0, c_0), \quad (t_1, z_1) \la \rm{Sim}_1(y_1, c_1).
+(t _ 0, z _ 0) \la \rm{Sim} _ 0(y _ 0, c _ 0), \quad (t _ 1, z _ 1) \la \rm{Sim} _ 1(y _ 1, c _ 1).
 $$
 
 Then the simulator for $(P, V)$ outputs
 
 $$
-\big( (t_0, t_1), (c_0, z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
+\big( (t _ 0, t _ 1), (c _ 0, z _ 0, z _ 1) \big) \la \rm{Sim}\big( (y _ 0, y _ 1), c \big).
 $$
 
-The simulator just simulates for both of the statements and returns the messages as in the protocol. $c_b$ is random, and the remaining values have the same distribution since the original two protocols were special HVZK.
+The simulator just simulates for both of the statements and returns the messages as in the protocol. $c _ b$ is random, and the remaining values have the same distribution since the original two protocols were special HVZK.
 
 ### Example: OR of Sigma Protocols with Schnorr Protocol
 
-Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. The prover wants to convince the verifier that he knows the discrete logarithm of either $h_0$ or $h_1$ in $G$.
+Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. The prover wants to convince the verifier that he knows the discrete logarithm of either $h _ 0$ or $h _ 1$ in $G$.
 
-Suppose that the prover knows $x_b \in \bb{Z}_q$ such that $g^{x_b} = h_b$.
+Suppose that the prover knows $x _ b \in \bb{Z} _ q$ such that $g^{x _ b} = h _ b$.
 
-> 1. Choose $c_{1-b} \la \mc{C}$ and call simulator of $1-b$ to obtain $(u_{1-b}, z_{1-b}) \la \rm{Sim}_{1-b}$.
-> 2. $P$ sends two commitments $u_0, u_1$.
-> 	- For $u_b$, choose random $y \la \bb{Z}_q$ and set $u_b = g^y$.
-> 	- For $u_{1-b}$, use the value from the simulator.
+> 1. Choose $c _ {1-b} \la \mc{C}$ and call simulator of $1-b$ to obtain $(u _ {1-b}, z _ {1-b}) \la \rm{Sim} _ {1-b}$.
+> 2. $P$ sends two commitments $u _ 0, u _ 1$.
+> 	- For $u _ b$, choose random $y \la \bb{Z} _ q$ and set $u _ b = g^y$.
+> 	- For $u _ {1-b}$, use the value from the simulator.
 > 3. $V$ sends a single challenge $c \la \mc{C}$.
-> 4. Using $c_{1-b}$, split the challenge into $c_0$, $c_1$ so that they satisfy $c_0 \oplus c_1 = c$. Then send $(c_0, c_1, z_0, z_1)$ to $V$.
-> 	- For $z_b$, calculate $z_b \la y + c_b x$.
-> 	- For $z_{1-b}$, use the value from the simulator.
-> 5. $V$ checks if $c = c_0 \oplus c_1$. $V$ accepts if and only if $(u_0, c_0, z_0)$ and $(u_1, c_1, z_1)$ are both accepting conversations.
+> 4. Using $c _ {1-b}$, split the challenge into $c _ 0$, $c _ 1$ so that they satisfy $c _ 0 \oplus c _ 1 = c$. Then send $(c _ 0, c _ 1, z _ 0, z _ 1)$ to $V$.
+> 	- For $z _ b$, calculate $z _ b \la y + c _ b x$.
+> 	- For $z _ {1-b}$, use the value from the simulator.
+> 5. $V$ checks if $c = c _ 0 \oplus c _ 1$. $V$ accepts if and only if $(u _ 0, c _ 0, z _ 0)$ and $(u _ 1, c _ 1, z _ 1)$ are both accepting conversations.
 
-- Since $c, c_{1-b}$ are random, $c_b$ is random. Thus one of the proofs must be valid.
+- Since $c, c _ {1-b}$ are random, $c _ b$ is random. Thus one of the proofs must be valid.
 
 ### Generalized Constructions
 
@@ -376,7 +376,7 @@ Intuitively, it is hard to create a valid proof of a false statement.
 
 > **Definition.** Let $\Phi = (G, V)$ be a non-interactive proof system for $\mc{R} \subset \mc{X} \times \mc{Y}$ with proof space $\mc{PS}$. An adversary $\mc{A}$ outputs a statement $y^{\ast} \in \mc{Y}$ and a proof $\pi^{\ast} \in \mc{PS}$ to attack $\Phi$.
 > 
-> The adversary wins if $V(y^{\ast}, \pi^{\ast}) = \texttt{accept}$ and $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Phi$ is defined as the probability that $\mc{A}$ wins, and is denoted as $\rm{Adv}_{\rm{niSnd}}[\mc{A}, \Phi]$.
+> The adversary wins if $V(y^{\ast}, \pi^{\ast}) = \texttt{accept}$ and $y^{\ast} \notin L _ \mc{R}$. The advantage of $\mc{A}$ with respect to $\Phi$ is defined as the probability that $\mc{A}$ wins, and is denoted as $\rm{Adv} _ {\rm{niSnd}}[\mc{A}, \Phi]$.
 > 
 > If the advantage is negligible for all efficient adversaries $\mc{A}$, $\Phi$ is **sound**.
 
@@ -390,10 +390,10 @@ The basic idea is **using a hash function to derive a challenge**, instead of a
 
 > **Definition.** Let $\Pi = (P, V)$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$. Suppose that conversations $(t, c, z) \in \mc{T} \times \mc{C} \times \mc{Z}$. Let $H : \mc{Y} \times \mc{T} \rightarrow \mc{C}$ be a hash function.
 > 
-> Define the **Fiat-Shamir non-interactive proof system** $\Pi_\rm{FS} = (G_\rm{FS}, V_\rm{FS})$ with proof space $\mc{PS} = \mc{T} \times \mc{Z}$ as follows.
+> Define the **Fiat-Shamir non-interactive proof system** $\Pi _ \rm{FS} = (G _ \rm{FS}, V _ \rm{FS})$ with proof space $\mc{PS} = \mc{T} \times \mc{Z}$ as follows.
 > 
-> - For input $(x, y) \in \mc{R}$, $G_\rm{FS}$ runs $P(x, y)$ to obtain a commitment $t \in \mc{T}$. Then computes the challenge $c = H(y, t)$, which is fed to $P(x, y)$, obtaining a response $z \in \mc{Z}$. $G_\rm{FS}$ outputs $(t, z) \in \mc{T} \times \mc{Z}$.
-> - For input $\big( y, (t, z) \big) \in \mc{Y} \times (\mc{T} \times \mc{Z})$, $V_\rm{FS}$ verifies that $(t, c, z)$ is an accepting conversation for $y$, where $c = H(y, t)$.
+> - For input $(x, y) \in \mc{R}$, $G _ \rm{FS}$ runs $P(x, y)$ to obtain a commitment $t \in \mc{T}$. Then computes the challenge $c = H(y, t)$, which is fed to $P(x, y)$, obtaining a response $z \in \mc{Z}$. $G _ \rm{FS}$ outputs $(t, z) \in \mc{T} \times \mc{Z}$.
+> - For input $\big( y, (t, z) \big) \in \mc{Y} \times (\mc{T} \times \mc{Z})$, $V _ \rm{FS}$ verifies that $(t, c, z)$ is an accepting conversation for $y$, where $c = H(y, t)$.
 
 Any sigma protocol can be converted into a non-interactive proof system. Its completeness is automatically given by the completeness of the sigma protocol.
 
@@ -409,12 +409,12 @@ By modeling the hash function as a random oracle, we can show that:
 
 ### Soundness of the Fiat-Shamir Transform
 
-> **Theorem.** Let $\Pi$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$, and let $\Pi_\rm{FS}$ be the Fiat-Shamir non-interactive proof system derived from $\Pi$ with hash function $H$. If $\Pi$ is sound and $H$ is modeled as a random oracle, then $\Pi_\rm{FS}$ is also sound.
+> **Theorem.** Let $\Pi$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$, and let $\Pi _ \rm{FS}$ be the Fiat-Shamir non-interactive proof system derived from $\Pi$ with hash function $H$. If $\Pi$ is sound and $H$ is modeled as a random oracle, then $\Pi _ \rm{FS}$ is also sound.
 > 
-> Let $\mc{A}$ be a $q$-query adversary attacking the soundness of $\Pi_\rm{FS}$. There exists an adversary $\mc{B}$ attacking the soundness of $\Pi$ such that
+> Let $\mc{A}$ be a $q$-query adversary attacking the soundness of $\Pi _ \rm{FS}$. There exists an adversary $\mc{B}$ attacking the soundness of $\Pi$ such that
 > 
 > $$
-> \rm{Adv}_{\rm{niSnd^{ro}}}[\mc{A}, \Pi_\rm{FS}] \leq (q + 1) \rm{Adv}_{\rm{Snd}}[\mc{B}, \Pi].
+> \rm{Adv} _ {\rm{niSnd^{ro}}}[\mc{A}, \Pi _ \rm{FS}] \leq (q + 1) \rm{Adv} _ {\rm{Snd}}[\mc{B}, \Pi].
 > $$
 
 *Proof Idea*. Suppose that $\mc{A}$ produces a valid proof $(t^{\ast}, z^{\ast})$ on a false statement $y^{\ast}$. Without loss of generality, $\mc{A}$ queries the random oracle at $(y^{\ast}, t^{\ast})$ within $q+1$ queries. Then $\mc{B}$ guesses which of the $q+1$ queries is the relevant one. If $\mc{B}$ guesses the correct query, the conversation $(t^{\ast}, c, z^{\ast})$ will be accepted and $\mc{B}$ succeeds. The factor $q+1$ comes from the choice of $\mc{B}$.
@@ -452,23 +452,23 @@ $n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn t
 
 We can use the [multiplicative ElGamal encryption](../2023-10-19-public-key-encryption/#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$.
 
-Each voter encrypts the vote $b_i$ and the ciphertext is
+Each voter encrypts the vote $b _ i$ and the ciphertext is
 
 $$
-(u_i, v_i) = (g^{\beta_i}, h^{\beta_i} \cdot g^{b_i})
+(u _ i, v _ i) = (g^{\beta _ i}, h^{\beta _ i} \cdot g^{b _ i})
 $$
 
-where $\beta_i \la\bb{Z}_q$. The vote tallying center aggregates all ciphertexts my multiplying everything. No need to decrypt yet. Then
+where $\beta _ i \la\bb{Z} _ q$. The vote tallying center aggregates all ciphertexts my multiplying everything. No need to decrypt yet. Then
 
 $$
-(u^{\ast}, v^{\ast}) = \left( \prod_{i=1}^n g^{\beta_i}, \prod_{i=1}^n h^{\beta_i} \cdot g^{b_i} \right) = \big( g^{\beta^{\ast}}, h^{\beta^{\ast}} \cdot g^{b^{\ast}} \big),
+(u^{\ast}, v^{\ast}) = \left( \prod _ {i=1}^n g^{\beta _ i}, \prod _ {i=1}^n h^{\beta _ i} \cdot g^{b _ i} \right) = \big( g^{\beta^{\ast}}, h^{\beta^{\ast}} \cdot g^{b^{\ast}} \big),
 $$
 
-where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. Now decrypt $(u^{\ast}, v^{\ast})$ and publish the result $b^{\ast}$.[^4]
+where $\beta^{\ast} = \sum _ {i=1}^n \beta _ i$ and $b^{\ast} = \sum _ {i=1}^n b _ i$. Now decrypt $(u^{\ast}, v^{\ast})$ and publish the result $b^{\ast}$.[^4]
 
-Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value.
+Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b _ i = -100$ or some arbitrary value.
 
-To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](../2023-11-07-sigma-protocols/#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](../2023-11-07-sigma-protocols/#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
+To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](../2023-11-07-sigma-protocols/#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](../2023-11-07-sigma-protocols/#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b _ i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
 
 [^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*.
 [^2]: A Graduate Course in Applied Cryptography.

_posts/lecture-notes/modern-cryptography/2023-11-09-secure-mpc.md

@@ -20,10 +20,10 @@ github_title: 2023-11-09-secure-mpc
 Suppose we have a function $f$ that takes $n$ inputs and produces $m$ outputs.
 
 $$
-(y_1, \dots, y_m) = f(x_1, \dots, x_n).
+(y _ 1, \dots, y _ m) = f(x _ 1, \dots, x _ n).
 $$
 
-$N$ parties $P_1, \dots, P_N$ are trying to evaluate this function with a protocol. Each $x_i$ is submitted by one of the parties, and each output $y_j$ will be given to one or more parties.
+$N$ parties $P _ 1, \dots, P _ N$ are trying to evaluate this function with a protocol. Each $x _ i$ is submitted by one of the parties, and each output $y _ j$ will be given to one or more parties.
 
 In **secure multiparty computation** (MPC), we wish to achieve some security functionalities.
 
@@ -35,27 +35,27 @@ Security must hold even if there is any adversarial behavior in the party.
 
 ### Example: Secure Summation
 
-Suppose we have $n$ parties $P_1, \dots, P_n$ with private values $x_1, \dots, x_n$. We would like to *securely* compute the sum $s = x_1 + \cdots + x_n$.
+Suppose we have $n$ parties $P _ 1, \dots, P _ n$ with private values $x _ 1, \dots, x _ n$. We would like to *securely* compute the sum $s = x _ 1 + \cdots + x _ n$.
 
 > 1. Choose $M$ large enough so that $M > s$.
-> 2. $P_1$ samples $r \la \Z_M$ and computes $s_1 = r + x_1 \pmod M$ and sends it to $P_2$.
-> 3. In the same manner, $P_i$ computes $s_i = s_{i-1} + x_i \pmod M$ and sends it to $P_{i+1}$.
-> 4. As the final step, $s_n$ is returned to $P_1$, where he outputs $s = s_n - r \pmod M$.
+> 2. $P _ 1$ samples $r \la \Z _ M$ and computes $s _ 1 = r + x _ 1 \pmod M$ and sends it to $P _ 2$.
+> 3. In the same manner, $P _ i$ computes $s _ i = s _ {i-1} + x _ i \pmod M$ and sends it to $P _ {i+1}$.
+> 4. As the final step, $s _ n$ is returned to $P _ 1$, where he outputs $s = s _ n - r \pmod M$.
 
 This protocol seems secure since $r$ is a random noise added to the actual partial sum. But the security actually depends on how we model adversarial behavior.
 
-Consider the case where parties $P_2$ and $P_4$ team up (collusion). These two can share information between them. They have the following:
+Consider the case where parties $P _ 2$ and $P _ 4$ team up (collusion). These two can share information between them. They have the following:
 
-- $P_2$ has $s_1$, $s_2$, $x_2$.
-- $P_4$ has $s_3$, $s_4$, $x_4$.
+- $P _ 2$ has $s _ 1$, $s _ 2$, $x _ 2$.
+- $P _ 4$ has $s _ 3$, $s _ 4$, $x _ 4$.
 
-Using $s_2$ and $s_3$, they can compute $x_3 = s_3 - s_2$ and obtain the input of $P_3$. This violates privacy. Similarly, if $P_i$ and $P_j$ team up, the can compute the partial sum
+Using $s _ 2$ and $s _ 3$, they can compute $x _ 3 = s _ 3 - s _ 2$ and obtain the input of $P _ 3$. This violates privacy. Similarly, if $P _ i$ and $P _ j$ team up, the can compute the partial sum
 
 $$
-s_{j - 1} - s_{i} = x_{i+1} + \cdots + x_{j-1}
+s _ {j - 1} - s _ {i} = x _ {i+1} + \cdots + x _ {j-1}
 $$
 
-which leaks information about the inputs of $P_{i+1}, \dots, P_{j-1}$.
+which leaks information about the inputs of $P _ {i+1}, \dots, P _ {j-1}$.
 
 ## Modeling Adversaries for Multiparty Computation
 
@@ -100,8 +100,8 @@ Thus, a secure protocol must provide security in the real world that is equivale
 	- If we show the existence of a simulator, a real world adversary's ability is the same as an adversary in the ideal world.
 
 > **Definition.** Let $\mc{A}$ be the set of parties that are corrupted, and let $\rm{Sim}$ be a simulator algorithm.
-> - $\rm{Real}(\mc{A}; x_1, \dots, x_n)$: each party $P_i$ runs the protocol with private input $x_i$. Let $V_i$ be the final view of $P_i$. Output $\braces{V_i : i \in \mc{A}}$.
-> - $\rm{Ideal}_\rm{Sim}(x_1, \dots, x_n)$: output $\rm{Sim}(\mc{A}; \braces{(x_i, y_i) : i \in \mc{A}})$.
+> - $\rm{Real}(\mc{A}; x _ 1, \dots, x _ n)$: each party $P _ i$ runs the protocol with private input $x _ i$. Let $V _ i$ be the final view of $P _ i$. Output $\braces{V _ i : i \in \mc{A}}$.
+> - $\rm{Ideal} _ \rm{Sim}(x _ 1, \dots, x _ n)$: output $\rm{Sim}(\mc{A}; \braces{(x _ i, y _ i) : i \in \mc{A}})$.
 > 
 > A protocol is **secure against semi-honest adversaries** if there exists a simulator such that for every subset of corrupted parties $\mc{A}$, its views in the real and ideal worlds are indistinguishable.
 
@@ -109,7 +109,7 @@ Thus, a secure protocol must provide security in the real world that is equivale
 
 This is a building block for building any MPC.
 
-Suppose that the sender has data $m_1, \dots, m_n \in \mc{M}$, and the receiver has an index $i \in \braces{1, \dots, n}$. The sender wants to send exactly one message and hide others. Also, the receiver wants to hide which message he received.
+Suppose that the sender has data $m _ 1, \dots, m _ n \in \mc{M}$, and the receiver has an index $i \in \braces{1, \dots, n}$. The sender wants to send exactly one message and hide others. Also, the receiver wants to hide which message he received.
 
 This problem is called 1-out-of-$n$ **oblivious transfer** (OT).
 
@@ -119,70 +119,70 @@ We show an example of 1-out-of-2 OT using the ElGamal encryptions scheme. We use
 
 It is known that $k$-out-of-$n$ OT is constructible from 1-out-of-2 OTs.
 
-> Suppose that the sender Alice has messages $x_0, x_1 \in \braces{0, 1}\conj$, and the receiver Bob has a choice $\sigma \in \braces{0, 1}$.
+> Suppose that the sender Alice has messages $x _ 0, x _ 1 \in \braces{0, 1}\conj$, and the receiver Bob has a choice $\sigma \in \braces{0, 1}$.
 > 
-> 1. Bob chooses $sk = \alpha \la \Z_q$ and computes $h = g^\alpha$, and chooses $h' \la G$.
-> 2. Bob sets $pk_\sigma = h$ and $pk_{1-\sigma} = h'$ and sends $(pk_0, pk_1)$ to Alice.
-> 3. Alice encrypts each $x_i$ using $pk_i$, obtains two ciphertexts.
-> 	- $\beta_0, \beta_1 \la \Z_q$.
-> 	- $c_0 = \big( g^{\beta_0}, H(pk_0^{\beta_0}) \oplus x_0 \big)$, $c_1 = \big( g^{\beta_1}, H(pk_1^{\beta_1}) \oplus x_1 \big)$.
-> 4. Alice sends $(c_0, c_1)$ to Bob.
-> 5. Bob decrypts $c_\sigma$ with $sk$ to get $x_\sigma$.
+> 1. Bob chooses $sk = \alpha \la \Z _ q$ and computes $h = g^\alpha$, and chooses $h' \la G$.
+> 2. Bob sets $pk _ \sigma = h$ and $pk _ {1-\sigma} = h'$ and sends $(pk _ 0, pk _ 1)$ to Alice.
+> 3. Alice encrypts each $x _ i$ using $pk _ i$, obtains two ciphertexts.
+> 	- $\beta _ 0, \beta _ 1 \la \Z _ q$.
+> 	- $c _ 0 = \big( g^{\beta _ 0}, H(pk _ 0^{\beta _ 0}) \oplus x _ 0 \big)$, $c _ 1 = \big( g^{\beta _ 1}, H(pk _ 1^{\beta _ 1}) \oplus x _ 1 \big)$.
+> 4. Alice sends $(c _ 0, c _ 1)$ to Bob.
+> 5. Bob decrypts $c _ \sigma$ with $sk$ to get $x _ \sigma$.
 
 Correctness is obvious.
 
-Alice's view contains the following: $x_0, x_1, pk_0, pk_1, c_0, c_1$. Among these, $pk_0, pk_1$ are the received values from Bob. But these are random group elements, so she learns nothing about $\sigma$. The simulator can choose two random group elements to simulate Alice.
+Alice's view contains the following: $x _ 0, x _ 1, pk _ 0, pk _ 1, c _ 0, c _ 1$. Among these, $pk _ 0, pk _ 1$ are the received values from Bob. But these are random group elements, so she learns nothing about $\sigma$. The simulator can choose two random group elements to simulate Alice.
 
-Bob's view contains the following: $\sigma, \alpha, g^\alpha, h', c_0, c_1, x_\sigma$. He only knows one private key, so he only learns $x_\sigma$, under the DL assumption. (He doesn't have the discrete logarithm for $h'$) The simulator must simulate $c_0, c_1$, so it encrypts $x_\sigma$ with $pk_\sigma$, and as for $x_{1-\sigma}$, a random message is encrypted with $pk_{1-\sigma}$. This works because the encryption scheme is semantically secure, meaning that it doesn't reveal any information about the underlying message.
+Bob's view contains the following: $\sigma, \alpha, g^\alpha, h', c _ 0, c _ 1, x _ \sigma$. He only knows one private key, so he only learns $x _ \sigma$, under the DL assumption. (He doesn't have the discrete logarithm for $h'$) The simulator must simulate $c _ 0, c _ 1$, so it encrypts $x _ \sigma$ with $pk _ \sigma$, and as for $x _ {1-\sigma}$, a random message is encrypted with $pk _ {1-\sigma}$. This works because the encryption scheme is semantically secure, meaning that it doesn't reveal any information about the underlying message.
 
 The above works for **semi-honest** parties. To prevent malicious behavior, we fix the protocol a bit.
 
 > 1. Alice sends a random $w \la G$ first.
 > 2. Bob must choose $h$ and $h'$ so that $hh' = w$. $h$ is chosen the same way, and $h' = wh\inv$ is computed.
 > 
-> The remaining steps are the same, except that Alice checks if $pk_0 \cdot pk_1 = w$.
+> The remaining steps are the same, except that Alice checks if $pk _ 0 \cdot pk _ 1 = w$.
 
-Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose $\alpha' \la \Z_q$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c_0, c_1$, revealing $x_0, x_1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior.
+Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose $\alpha' \la \Z _ q$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c _ 0, c _ 1$, revealing $x _ 0, x _ 1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior.
 
 ### 1-out-of-$n$ OT Construction from ElGamal Encryption
 
-Let $m_1, \dots, m_n \in \mc{M}$ be the messages to send, and let $i$ be an index. We will use ElGamal encryption on a cyclic group $G = \span{g}$ of prime order, with a hash function and a semantically secure symmetric cipher $(E_S, D_S)$.
+Let $m _ 1, \dots, m _ n \in \mc{M}$ be the messages to send, and let $i$ be an index. We will use ElGamal encryption on a cyclic group $G = \span{g}$ of prime order, with a hash function and a semantically secure symmetric cipher $(E _ S, D _ S)$.
 
-> 1. Alice chooses $\beta \la \Z_q$, computes $v \la g^\beta$ and sends $v$ to Bob.
-> 2. Bob chooses $\alpha \la \Z_q$, computes $u \la g^\alpha v^{-i}$ and sends $u$ to Alice.
+> 1. Alice chooses $\beta \la \Z _ q$, computes $v \la g^\beta$ and sends $v$ to Bob.
+> 2. Bob chooses $\alpha \la \Z _ q$, computes $u \la g^\alpha v^{-i}$ and sends $u$ to Alice.
 > 3. For $j = 1, \dots, n$, Alice computes the following.
-> 	- Compute $u_j \la u \cdot v^j = g^\alpha v^{j-i}$ as the public key for the $j$-th message.
-> 	- Encrypt $m_j$ as $(g^\beta, c_j)$, where $c_j \la E_S\big( H(g^\beta, u_j^\beta), m_j \big)$.
-> 4. Alice sends $(c_1, \dots, c_n)$ to Bob.
-> 5. Bob decrypts $c_i$ as follows.
+> 	- Compute $u _ j \la u \cdot v^j = g^\alpha v^{j-i}$ as the public key for the $j$-th message.
+> 	- Encrypt $m _ j$ as $(g^\beta, c _ j)$, where $c _ j \la E _ S\big( H(g^\beta, u _ j^\beta), m _ j \big)$.
+> 4. Alice sends $(c _ 1, \dots, c _ n)$ to Bob.
+> 5. Bob decrypts $c _ i$ as follows.
 > 	- Compute symmetric key $k \la H(v, v^\alpha)$ where $v = g^\beta$ from step $1$.
-> 	- $m_i \la D_S(k, c_i)$.
+> 	- $m _ i \la D _ S(k, c _ i)$.
 
-Note that all ciphertexts $c_j$ were created from the same ephemeral key $\beta \in \Z_q$.
+Note that all ciphertexts $c _ j$ were created from the same ephemeral key $\beta \in \Z _ q$.
 
-For correctness, we check that Bob indeed receives $m_i$ from the above protocol. Check that $u_i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u_i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c_i = E_S\big( H(g^\beta, u_i^\beta), m_i \big) = E_S\big( H(v, v^\alpha), m_i \big)$, the decryption gives $m_i$.
+For correctness, we check that Bob indeed receives $m _ i$ from the above protocol. Check that $u _ i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u _ i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c _ i = E _ S\big( H(g^\beta, u _ i^\beta), m _ i \big) = E _ S\big( H(v, v^\alpha), m _ i \big)$, the decryption gives $m _ i$.
 
-Now is this oblivious? All that Alice sees is $u = g^\alpha v^{-i}$ from Bob. Since $\alpha \la \Z_q$, $u$ is uniformly distributed over elements of $G$. Alice learns no information about $i$.
+Now is this oblivious? All that Alice sees is $u = g^\alpha v^{-i}$ from Bob. Since $\alpha \la \Z _ q$, $u$ is uniformly distributed over elements of $G$. Alice learns no information about $i$.
 
-As for Bob, we need the **CDH assumption**. Suppose that Bob can query $H$ on two different ciphertexts $c_{j_1}, c_{j_2}$. Then he knows
+As for Bob, we need the **CDH assumption**. Suppose that Bob can query $H$ on two different ciphertexts $c _ {j _ 1}, c _ {j _ 2}$. Then he knows
 
 $$
-u_{j_1}^\beta/u_{j_2}^\beta = v^{\beta(j_1 - j_2)},
+u _ {j _ 1}^\beta/u _ {j _ 2}^\beta = v^{\beta(j _ 1 - j _ 2)},
 $$
 
-and by raising both to the $(j_1 - j_2)\inv$ power (inverse in $\Z_q$), he can compute $v^\beta = g^{\beta^2}$. Thus, Bob has computed $g^{\beta^2}$ from $g^\beta$, and this breaks the CDH assumption.[^1] Thus Bob cannot query $H$ on two points, and is unable to decrypt two ciphertexts. He only learns $m_i$.
+and by raising both to the $(j _ 1 - j _ 2)\inv$ power (inverse in $\Z _ q$), he can compute $v^\beta = g^{\beta^2}$. Thus, Bob has computed $g^{\beta^2}$ from $g^\beta$, and this breaks the CDH assumption.[^1] Thus Bob cannot query $H$ on two points, and is unable to decrypt two ciphertexts. He only learns $m _ i$.
 
 ### OT for Computing $2$-ary Function with Finite Domain
 
 We can use an OT for computing a $2$-ary function with finite domain.
 
-Let $f : X_1 \times X_2 \ra Y$ be a deterministic function with $X_1$, $X_2$ both finite. There are two parties $P_1, P_2$ with inputs $x_1, x_2$, and they want to compute $f(x_1, x_2)$ without revealing their input.
+Let $f : X _ 1 \times X _ 2 \ra Y$ be a deterministic function with $X _ 1$, $X _ 2$ both finite. There are two parties $P _ 1, P _ 2$ with inputs $x _ 1, x _ 2$, and they want to compute $f(x _ 1, x _ 2)$ without revealing their input.
 
-Then we can use $1$-out-of-$\abs{X_2}$ OT to securely compute $f(x_1, x_2)$. Without loss of generality, suppose that $P_1$ is the sender.
+Then we can use $1$-out-of-$\abs{X _ 2}$ OT to securely compute $f(x _ 1, x _ 2)$. Without loss of generality, suppose that $P _ 1$ is the sender.
 
-$P_1$ computes $y_x =f(x_1, x)$ for all $x \in X_2$, resulting in $\abs{X_2}$ messages. Then $P_1$ performs 1-out-of-$\abs{X_2}$ OT with $P_2$. The value of $x_2$ will be used as the choice of $P_2$, which will be oblivious to $P_1$.[^2]
+$P _ 1$ computes $y _ x =f(x _ 1, x)$ for all $x \in X _ 2$, resulting in $\abs{X _ 2}$ messages. Then $P _ 1$ performs 1-out-of-$\abs{X _ 2}$ OT with $P _ 2$. The value of $x _ 2$ will be used as the choice of $P _ 2$, which will be oblivious to $P _ 1$.[^2]
 
 This method is inefficient, so we have better methods!
 
-[^1]: Given $g^\alpha, g^\beta$, compute $g^{\alpha + \beta}$. Then compute $g^{\alpha^2}, g^{\beta^2}, g^{(\alpha+\beta)^2}$, and obtain $g^{2\alpha\beta}$. Exponentiate by $2\inv \in \Z_q$ to find $g^{\alpha\beta}$.
-[^2]: Can $P_1$ learn the value of $x_2$ from the final output $y_{x_2} = f(x_1, x_2)$?
+[^1]: Given $g^\alpha, g^\beta$, compute $g^{\alpha + \beta}$. Then compute $g^{\alpha^2}, g^{\beta^2}, g^{(\alpha+\beta)^2}$, and obtain $g^{2\alpha\beta}$. Exponentiate by $2\inv \in \Z _ q$ to find $g^{\alpha\beta}$.
+[^2]: Can $P _ 1$ learn the value of $x _ 2$ from the final output $y _ {x _ 2} = f(x _ 1, x _ 2)$?

_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md

@@ -35,20 +35,20 @@ A **garbled circuit** is an *encrypted circuit*, with a pair of keys for each wi
 
 The garbler first encrypts the circuit. First, assign two keys, called **garbled values**, to each wire of the circuit.
 
-Suppose we have an AND gate, where $C = \rm{AND}(A, B)$. For the wire $A$, the garbler assigns $A_0, A_1$, each for representing the bit $0$ and $1$. Note that this mapping is known only to the garbler. Similar process is done for wires $B$ and $C$.
+Suppose we have an AND gate, where $C = \rm{AND}(A, B)$. For the wire $A$, the garbler assigns $A _ 0, A _ 1$, each for representing the bit $0$ and $1$. Note that this mapping is known only to the garbler. Similar process is done for wires $B$ and $C$.
 
 Then we have the following garbled values, as in columns 1 to 3. Now, encrypt the values of $C$ with a semantically secure scheme $E$, and obtain the $4$th column. Then, permute the rows in random order so that it is indistinguishable.
 
 |$A$|$B$|$C$|$C = \rm{AND}(A, B)$|
 |:-:|:-:|:-:|:-:|
-|$A_0$|$B_0$|$C_0$|$E(A_0 \parallel B_0, C_0)$|
-|$A_0$|$B_1$|$C_0$|$E(A_0 \parallel B_1, C_0)$|
-|$A_1$|$B_0$|$C_0$|$E(A_1 \parallel B_0, C_0)$|
-|$A_1$|$B_1$|$C_1$|$E(A_1 \parallel B_1, C_1)$|
+|$A _ 0$|$B _ 0$|$C _ 0$|$E(A _ 0 \parallel B _ 0, C _ 0)$|
+|$A _ 0$|$B _ 1$|$C _ 0$|$E(A _ 0 \parallel B _ 1, C _ 0)$|
+|$A _ 1$|$B _ 0$|$C _ 0$|$E(A _ 1 \parallel B _ 0, C _ 0)$|
+|$A _ 1$|$B _ 1$|$C _ 1$|$E(A _ 1 \parallel B _ 1, C _ 1)$|
 
-For evaluation, the **last column** will be given to the other party as the representation of the **garbled gate**. The inputs will be given as $A_x$ and $B_y$, but the evaluator will have no idea about the actual value of $x$ and $y$, hiding the actual input value. Although he doesn't know the underlying bit values, the evaluator is able to compute $C_z$ where $z = x \land y$. Similarly, the evaluator will not know whether $z$ is $0$ or $1$, hiding the output or intermediate values.
+For evaluation, the **last column** will be given to the other party as the representation of the **garbled gate**. The inputs will be given as $A _ x$ and $B _ y$, but the evaluator will have no idea about the actual value of $x$ and $y$, hiding the actual input value. Although he doesn't know the underlying bit values, the evaluator is able to compute $C _ z$ where $z = x \land y$. Similarly, the evaluator will not know whether $z$ is $0$ or $1$, hiding the output or intermediate values.
 
-The above *garbling* process is done for all gates. For the last output gate, the garbler keeps a **output translation table** to himself, that maps $0$ to $C_0$ and $1$ to $C_1$. This is used for recovering the bit, when the evaluation is done and the evaluator sends the final garbled value.
+The above *garbling* process is done for all gates. For the last output gate, the garbler keeps a **output translation table** to himself, that maps $0$ to $C _ 0$ and $1$ to $C _ 1$. This is used for recovering the bit, when the evaluation is done and the evaluator sends the final garbled value.
 
 > In summary, given a boolean circuit,
 > 1. Assign garbled values to all wires in the circuit.
@@ -60,13 +60,13 @@ Note that the evaluator learns nothing during the evaluation.
 
 There is a slight problem here. In some encryption schemes, a ciphertext can be decrypted by an incorrect key. If the above encryptions are in arbitrary order, how does the evaluator know if he decrypted the correct one?
 
-One method is to add **redundant zeros** to the $C_k$. Then the last column would contain $E\big( A_i \pll B_j, C_k \pll 0^n \big)$. Then when the evaluator decrypts these ciphertexts, the probability of getting redundant zeros with an incorrect key would be negligible. But with this method, all four ciphertexts have to be decrypted in the worst case.
+One method is to add **redundant zeros** to the $C _ k$. Then the last column would contain $E\big( A _ i \pll B _ j, C _ k \pll 0^n \big)$. Then when the evaluator decrypts these ciphertexts, the probability of getting redundant zeros with an incorrect key would be negligible. But with this method, all four ciphertexts have to be decrypted in the worst case.
 
-Another method is adding a bit to signal which ciphertext to decrypt. This method is called **point-and-permute**. The garbler chooses a random bit $b_A$ for each wire $A$. Then when drawing $A_0, A_1$, set the first bit (MSB) to $b_A$ and $1 - b_A$, respectively. Next, the ciphertexts are sorted in the order of $b_A$ and $b_B$. Then the evaluator can exploit this information during evaluation.
+Another method is adding a bit to signal which ciphertext to decrypt. This method is called **point-and-permute**. The garbler chooses a random bit $b _ A$ for each wire $A$. Then when drawing $A _ 0, A _ 1$, set the first bit (MSB) to $b _ A$ and $1 - b _ A$, respectively. Next, the ciphertexts are sorted in the order of $b _ A$ and $b _ B$. Then the evaluator can exploit this information during evaluation.
 
 For example, if the evaluator has $X$ and $Y$ such that $\rm{MSB}(X) = 0$ and $\rm{MSB}(Y) = 1$, then choose the second ($01$ in binary) ciphertext entry to decrypt.
 
-This method does not reduce security, since the bits $b_A$, $b_B$ are random. Also, now the evaluator doesn't have to decrypt all four ciphertexts, reducing the evaluation load.
+This method does not reduce security, since the bits $b _ A$, $b _ B$ are random. Also, now the evaluator doesn't have to decrypt all four ciphertexts, reducing the evaluation load.
 
 ## Protocol Description
 
@@ -75,8 +75,8 @@ This method does not reduce security, since the bits $b_A$, $b_B$ are random. Al
 > 1. Alice garbles the circuit, generating garbled values and gates.
 > 2. Garbled gate tables and the garbled values of Alice's inputs are sent to Bob.
 > 3. For Bob's input wire $B$, Alice and Bob run an 1-out-of-2 OT protocol.
-> 	- Alice provides $B_0$ and $B_1$ to the OT.
-> 	- Bob inputs his input bit $b$ to the OT, and Bob now has $B_b$.
+> 	- Alice provides $B _ 0$ and $B _ 1$ to the OT.
+> 	- Bob inputs his input bit $b$ to the OT, and Bob now has $B _ b$.
 > 4. Bob has garbled values for all input wires, so evaluates the circuit.
 > 5. Bob sends the final garbled output to Alice.
 > 6. Alices uses the output translation table to recover the final result bit.
@@ -85,9 +85,9 @@ Note that OT can be done in *parallel*, reducing the round complexity.
 
 ### Why is OT Necessary?
 
-Suppose Alice gave both $B_0$ and $B_1$ to Bob. Bob doesn't know which one represents $0$ or $1$, but he can just run the evaluation for both inputs.
+Suppose Alice gave both $B _ 0$ and $B _ 1$ to Bob. Bob doesn't know which one represents $0$ or $1$, but he can just run the evaluation for both inputs.
 
-Suppose we have a $2$-input AND gate $C = \rm{AND}(A, B)$. Bob already has $A_x$ from Alice, so he evaluates for both $B_0$ and $B_1$, obtaining $C_{x\land 0}$ and $C_{x \land 1}$. If these are the same, Bob learns that $x = 0$. If different, $x = 1$.
+Suppose we have a $2$-input AND gate $C = \rm{AND}(A, B)$. Bob already has $A _ x$ from Alice, so he evaluates for both $B _ 0$ and $B _ 1$, obtaining $C _ {x\land 0}$ and $C _ {x \land 1}$. If these are the same, Bob learns that $x = 0$. If different, $x = 1$.
 
 So we need an OT to make sure that Bob only learns one of the garbled values.
 
@@ -106,11 +106,11 @@ So we need an OT to make sure that Bob only learns one of the garbled values.
 
 ## Summary of Yao's Protocol
 
-Let $f$ be a given public function that Alice and Bob want to compute, in circuit representation. Let $(x_1, \dots, x_n)$ and $(y_1, \dots, y_m)$ be inputs provided by Alice and Bob, respectively.
+Let $f$ be a given public function that Alice and Bob want to compute, in circuit representation. Let $(x _ 1, \dots, x _ n)$ and $(y _ 1, \dots, y _ m)$ be inputs provided by Alice and Bob, respectively.
 
 Alice generates a garbled circuit $G(f)$ by assigning garbled values for each wire. Then gives Bob $G(f)$ and the garbled values of her inputs. Then Alice and Bob run several OTs in parallel for the garbled values of Bob's inputs.
 
-Bob computes $G(f)$ and obtains a key of $f(x_1, \dots, x_n, y_1, \dots, y_m)$, which is sent to Alice and Alice recovers the final result.
+Bob computes $G(f)$ and obtains a key of $f(x _ 1, \dots, x _ n, y _ 1, \dots, y _ m)$, which is sent to Alice and Alice recovers the final result.
 
 ## Proof of Security (Semi-honest)
 
@@ -126,9 +126,9 @@ In the OT-hybrid model, we assume an ideal OT. In this case, Alice receives no m
 
 This case is harder to show. The simulator must construct a fake garbled circuit that is indistinguishable to the real one. But the simulator doesn't know the inputs of Alice, so it cannot generate a real circuit.
 
-Bob's view contains his inputs $(y_1, \dots, y_m)$ and the final output $z = (z_1, \dots, z_k)$. Thus, the simulator generates a fake garbled circuit that **always** outputs $z$. To do this, the garbled values for the wires can be chosen randomly, and use them for encryption keys. But the encrypted message is fixed to the (intermediate) output. For instance, make the gate table consists of $E\big( A_i \pll B_j, C_0 \big)$ for fixed $C_0$. In this way, the simulator can control the values of output wires and get $z$ for the final output.
+Bob's view contains his inputs $(y _ 1, \dots, y _ m)$ and the final output $z = (z _ 1, \dots, z _ k)$. Thus, the simulator generates a fake garbled circuit that **always** outputs $z$. To do this, the garbled values for the wires can be chosen randomly, and use them for encryption keys. But the encrypted message is fixed to the (intermediate) output. For instance, make the gate table consists of $E\big( A _ i \pll B _ j, C _ 0 \big)$ for fixed $C _ 0$. In this way, the simulator can control the values of output wires and get $z$ for the final output.
 
-The output translation tables can be generated using this method. An entry of the table would be $(z_i, C_0)$ where $C_0$ is the garbled value used for generating the gate table. As for $1-z_i$, any random garbled value can be used.
+The output translation tables can be generated using this method. An entry of the table would be $(z _ i, C _ 0)$ where $C _ 0$ is the garbled value used for generating the gate table. As for $1-z _ i$, any random garbled value can be used.
 
 Lastly for communicating garbled values, Alice's input wires can be set to any two garbled values of the wire. Bob's input wires should be simulated by the simulator of the OT, which will result in any one of the two values on the wire.
 
@@ -141,15 +141,15 @@ For each wire of the circuit, two random *super-seeds* (garbled values) are used
 For example, for input wire $A$, let
 
 $$
-A_0 = a_0^1 \pll \cdots \pll a_0^n, \quad A_1 = a_1^1 \pll \cdots \pll a_1^n,
+A _ 0 = a _ 0^1 \pll \cdots \pll a _ 0^n, \quad A _ 1 = a _ 1^1 \pll \cdots \pll a _ 1^n,
 $$
 
-where $a_0^k, a_1^k$ are seeds generated by party $P_k$.
+where $a _ 0^k, a _ 1^k$ are seeds generated by party $P _ k$.
 
-Then for garbling gates, the super-seeds of the output wire is encrypted by the super-seeds of the input wires. As an example, suppose that we use $A_b = a_b^1 \pll \cdots \pll a_b^n$ to encrypt an output value $B$. Then we could use a secure PRG $G$ and set
+Then for garbling gates, the super-seeds of the output wire is encrypted by the super-seeds of the input wires. As an example, suppose that we use $A _ b = a _ b^1 \pll \cdots \pll a _ b^n$ to encrypt an output value $B$. Then we could use a secure PRG $G$ and set
 
 $$
-B \oplus G(a_b^1) \oplus \cdots \oplus G(a_b^n)
+B \oplus G(a _ b^1) \oplus \cdots \oplus G(a _ b^n)
 $$
 
 as the garbled value.

_posts/lecture-notes/modern-cryptography/2023-11-16-gmw-protocol.md

@@ -23,7 +23,7 @@ There are two types of MPC protocols, **generic** and **specific**. Generic prot
 
 ## GMW Protocol
 
-The **Goldreich-Micali-Wigderson** (GMW) **protocol** is a designed for evaluating boolean circuits. In particular, it can be used for XOR and AND gates, which corresponds to addition and multiplication in $\Z_2$. Thus, the protocol can be generalized for evaluating arbitrary arithmetic circuits.
+The **Goldreich-Micali-Wigderson** (GMW) **protocol** is a designed for evaluating boolean circuits. In particular, it can be used for XOR and AND gates, which corresponds to addition and multiplication in $\Z _ 2$. Thus, the protocol can be generalized for evaluating arbitrary arithmetic circuits.
 
 We assume semi-honest adversaries and static corruption. The GMW protocol is known to be secure against any number of corrupted parties. We also assume that any two parties have private channels for communication.
 
@@ -36,22 +36,22 @@ The protocol can be broken down into $3$ phases.
 
 ### Input Phase
 
-Suppose that we have $n$ parties $P_1, \dots, P_n$ with inputs $x_1, \dots, x_n \in \braces{0, 1}$. The inputs are bits but they can be generalized to inputs over $\Z_q$ where $q$ is prime.
+Suppose that we have $n$ parties $P _ 1, \dots, P _ n$ with inputs $x _ 1, \dots, x _ n \in \braces{0, 1}$. The inputs are bits but they can be generalized to inputs over $\Z _ q$ where $q$ is prime.
 
-> Each party $P_i$ shares its input with other parties as follows.
-> 
-> 1. Choose random $r_{i, j} \la \braces{0, 1}$ for all $j \neq i$ and send $r_{i, j}$ to $P_j$.
-> 2. Set $r_{i, i} = x_i + \sum_{i \neq j} r_{i, j}$.
+> Each party $P _ i$ shares its input with other parties as follows.
+>
+> 1. Choose random $r _ {i, j} \la \braces{0, 1}$ for all $j \neq i$ and send $r _ {i, j}$ to $P _ j$.
+> 2. Set $r _ {i, i} = x _ i + \sum _ {i \neq j} r _ {i, j}$.
 
-Then we see that $x_i = \sum_{j = 1}^n r_{i, j}$. Each party has a **share** of $x_i$, which is $r_{i, j}$. We have a notation for this,
+Then we see that $x _ i = \sum _ {j = 1}^n r _ {i, j}$. Each party has a **share** of $x _ i$, which is $r _ {i, j}$. We have a notation for this,
 
 $$
-[x_i] = (r_{i, 1}, \dots, r_{i, n}).
+[x _ i] = (r _ {i, 1}, \dots, r _ {i, n}).
 $$
 
-It means that $r_{i, 1}, \dots, r_{i, n}$ are shares of $x_i$.
+It means that $r _ {i, 1}, \dots, r _ {i, n}$ are shares of $x _ i$.
 
-After this phase, each party $P_j$ has $n$ shares $r_{1, j}, \dots, r_{n,j}$, where each is a share of $x_i$.
+After this phase, each party $P _ j$ has $n$ shares $r _ {1, j}, \dots, r _ {n,j}$, where each is a share of $x _ i$.
 
 ### Evaluation Phase
 
@@ -67,10 +67,10 @@ $$
 
 each party can simply add all the input shares.
 
-If $y = x_1 + \cdots + x_n$, then party $P_j$ will compute $y_j = \sum_{i=1}^n r_{i, j}$, which is a share of $y$, $[y] = (y_1, \dots, y_n)$. It can be checked that
+If $y = x _ 1 + \cdots + x _ n$, then party $P _ j$ will compute $y _ j = \sum _ {i=1}^n r _ {i, j}$, which is a share of $y$, $[y] = (y _ 1, \dots, y _ n)$. It can be checked that
 
 $$
-y = \sum_{j=1}^n y_j = \sum_{j=1}^n \sum_{i=1}^n r_{i, j}.
+y = \sum _ {j=1}^n y _ j = \sum _ {j=1}^n \sum _ {i=1}^n r _ {i, j}.
 $$
 
 #### Evaluating AND Gates
@@ -78,20 +78,20 @@ $$
 AND gates are not as simple as XOR gates. If $c = ab$,
 
 $$
-c = \paren{\sum_{i=1}^n a_i} \paren{\sum_{j=1}^n b_j} = \sum_{i=1}^n a_ib_i + \sum_{1 \leq i < j \leq n} (a_ib_j + a_j b_i).
+c = \paren{\sum _ {i=1}^n a _ i} \paren{\sum _ {j=1}^n b _ j} = \sum _ {i=1}^n a _ ib _ i + \sum _ {1 \leq i < j \leq n} (a _ ib _ j + a _ j b _ i).
 $$
 
-The first term can be computed internally by each party. The problem is the second term. $P_i$ doesn't know the values of $a_j$ and $b_j$. Therefore, we need some kind of interaction between $P_i$ and $P_j$, but no information should be revealed. We can use an OT for this.
+The first term can be computed internally by each party. The problem is the second term. $P _ i$ doesn't know the values of $a _ j$ and $b _ j$. Therefore, we need some kind of interaction between $P _ i$ and $P _ j$, but no information should be revealed. We can use an OT for this.
 
-> For every pair of parties $(P_i, P_j)$, perform the following.
-> 
-> 1. $P_i$ chooses a random bit $s_{i, j}$ and computes all possible values of $a_ib_j + a_jb_i + s_{i, j}$. These values are used in the OT.
-> 2. $P_i$ and $P_j$ run a $1$-out-of-$4$ OT.
-> 3. $P_i$ keeps $s_{i, j}$ and $P_j$ receives $a_ib_j + a_jb_i + s_{i, j}$.
+> For every pair of parties $(P _ i, P _ j)$, perform the following.
+>
+> 1. $P _ i$ chooses a random bit $s _ {i, j}$ and computes all possible values of $a _ ib _ j + a _ jb _ i + s _ {i, j}$. These values are used in the OT.
+> 2. $P _ i$ and $P _ j$ run a $1$-out-of-$4$ OT.
+> 3. $P _ i$ keeps $s _ {i, j}$ and $P _ j$ receives $a _ ib _ j + a _ jb _ i + s _ {i, j}$.
 
-- If $a_ib_j + a_jb_i$ is exposed to any party, it reveals information about other party's share.
-- These are bits, so $P_i$ and $P_j$ get to keep a share of $a_ib_j + a_jb_i$. If these aren't bits, then $s_{i, j} - a_ib_j - a_jb_i$ must be computed for inputs to the OT.
-- Since $a_j, b_j \in \braces{0, 1}$, it is possible to compute all possible values, and use them in the OT. $(a_j, b_j)$ will be used as the choice of $P_j$.
+- If $a _ ib _ j + a _ jb _ i$ is exposed to any party, it reveals information about other party's share.
+- These are bits, so $P _ i$ and $P _ j$ get to keep a share of $a _ ib _ j + a _ jb _ i$. If these aren't bits, then $s _ {i, j} - a _ ib _ j - a _ jb _ i$ must be computed for inputs to the OT.
+- Since $a _ j, b _ j \in \braces{0, 1}$, it is possible to compute all possible values, and use them in the OT. $(a _ j, b _ j)$ will be used as the choice of $P _ j$.
 
 ### Output Phase
 
@@ -107,17 +107,17 @@ A shallow circuit is better for GMW protocols. However, shallow circuits may end
 
 ## Security Proof
 
-We show the case when there are $n-1$ corrupted parties.[^1] Let $P_i$ be the honest party and assume that all others are corrupted. We will construct a simulator.
+We show the case when there are $n-1$ corrupted parties.[^1] Let $P _ i$ be the honest party and assume that all others are corrupted. We will construct a simulator.
 
-Let $(x_1, \dots, x_n)$ be inputs to the function, and let $[y] = (y_1, \dots, y_n)$ be output shares. The adversary's view contains $y$, and all $x_j$, $y_j$ values except for $x_i$ and $y_i$.
+Let $(x _ 1, \dots, x _ n)$ be inputs to the function, and let $[y] = (y _ 1, \dots, y _ n)$ be output shares. The adversary's view contains $y$, and all $x _ j$, $y _ j$ values except for $x _ i$ and $y _ i$.
 
-To simulate the input phase, choose random shares to be communicated, both for $P_i \ra P_j$ and $P_j \ra P_i$. The shares were chosen randomly, so they are indistinguishable to the real protocol execution.
+To simulate the input phase, choose random shares to be communicated, both for $P _ i \ra P _ j$ and $P _ j \ra P _ i$. The shares were chosen randomly, so they are indistinguishable to the real protocol execution.
 
 For the evaluation phase, XOR gates can be computed internally, so we only consider AND gates.
-- When $P_j$ is the receiver, choose a random bit as the value learned from the OT. Since the OT contains possible values of $a_ib_j + a_jb_i + s_{i, j}$ and they are random, the random bit is equivalent.
-- When $P_j$ is the sender, choose $s_{i, j}$ randomly and compute all $4$ possible values following the protocol.
+- When $P _ j$ is the receiver, choose a random bit as the value learned from the OT. Since the OT contains possible values of $a _ ib _ j + a _ jb _ i + s _ {i, j}$ and they are random, the random bit is equivalent.
+- When $P _ j$ is the sender, choose $s _ {i, j}$ randomly and compute all $4$ possible values following the protocol.
 
-Lastly, for the output phase, the simulator has to simulate the message $y_i$ from $P_i$. Since the final output $y$ is known and $y_j$ ($j \neq i$) is known, $y_i$ can be computed from the simulator.
+Lastly, for the output phase, the simulator has to simulate the message $y _ i$ from $P _ i$. Since the final output $y$ is known and $y _ j$ ($j \neq i$) is known, $y _ i$ can be computed from the simulator.
 
 We see that the distribution of the values inside the simulator is identical to the view in the real protocol execution.
 
@@ -129,20 +129,20 @@ We see that the distribution of the values inside the simulator is identical to
 
 ### Beaver Triple Sharing
 
-When Beaver triples are shared, $[x] = (x_1, x_2)$ and $[y] = (y_1, y_2)$ are chosen so that
+When Beaver triples are shared, $[x] = (x _ 1, x _ 2)$ and $[y] = (y _ 1, y _ 2)$ are chosen so that
 
 $$
- 
+
 \tag{$\ast$}
-z = z_1 + z _2 = (x_1 + x_2)(y_1 + y_2) = x_1y_1 + x_1y_2 + x_2y_1 + x_2y_2.
+z = z _ 1 + z _ 2 = (x _ 1 + x _ 2)(y _ 1 + y _ 2) = x _ 1y _ 1 + x _ 1y _ 2 + x _ 2y _ 1 + x _ 2y _ 2.
 $$
 
-> 1. Each party $P_i$ chooses random bits $x_i, y_i$. Now they must generate $z_1, z_2$ so that the values satisfy equation $(\ast)$ above.
-> 2. $P_1$ chooses a random bit $s$ and computes all $4$ possible values of $s + x_1y_2 + x_2y_1$.
-> 3. $P_1$ and $P_2$ run a $1$-out-of-$4$ OT.
-> 4. $P_1$ keeps $z_1 = s + x_1y_1$, $P_2$ keeps $z_2 = (s + x_1y_2 + x_2y_1) + x_2y_2$.
+> 1. Each party $P _ i$ chooses random bits $x _ i, y _ i$. Now they must generate $z _ 1, z _ 2$ so that the values satisfy equation $(\ast)$ above.
+> 2. $P _ 1$ chooses a random bit $s$ and computes all $4$ possible values of $s + x _ 1y _ 2 + x _ 2y _ 1$.
+> 3. $P _ 1$ and $P _ 2$ run a $1$-out-of-$4$ OT.
+> 4. $P _ 1$ keeps $z _ 1 = s + x _ 1y _ 1$, $P _ 2$ keeps $z _ 2 = (s + x _ 1y _ 2 + x _ 2y _ 1) + x _ 2y _ 2$.
 
-Indeed, $z_1, z_2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
+Indeed, $z _ 1, z _ 2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
 
 ### Evaluating AND Gates with Beaver Triples
 
@@ -150,17 +150,17 @@ Now, in the actual computation of AND gates, proceed as follows.
 
 ![mc-16-beaver-triple.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-16-beaver-triple.png)
 
-> Each $P_i$ has a share of inputs $a_i, b_i$ and a Beaver triple $(x_i, y_i, z_i)$.
-> 1. Each $P_i$ computes $u_i = a_i + x_i$, $v_i = b_i + y_i$.
-> 2. $P_i$ shares $u_i, v_i$ to $P_{3-i}$ and receives $u_{3-i}, v_{3-i}$ from $P_{3-i}$.
-> 3. Each party now can compute $u = u_1 + u_2$, $v = v_1 + v_2$.
-> 4. $P_1$ computes $c_1 = uv + uy_1 + vx_1 + z_1$, $P_2$ computes $c_2 = uy_2 + vx_2 + z_2$.
+> Each $P _ i$ has a share of inputs $a _ i, b _ i$ and a Beaver triple $(x _ i, y _ i, z _ i)$.
+> 1. Each $P _ i$ computes $u _ i = a _ i + x _ i$, $v _ i = b _ i + y _ i$.
+> 2. $P _ i$ shares $u _ i, v _ i$ to $P _ {3-i}$ and receives $u _ {3-i}, v _ {3-i}$ from $P _ {3-i}$.
+> 3. Each party now can compute $u = u _ 1 + u _ 2$, $v = v _ 1 + v _ 2$.
+> 4. $P _ 1$ computes $c _ 1 = uv + uy _ 1 + vx _ 1 + z _ 1$, $P _ 2$ computes $c _ 2 = uy _ 2 + vx _ 2 + z _ 2$.
 
 Note that
 
 $$
 \begin{aligned}
-c = c_1 + c_2 &= uv + u(y_1 + y_2) + v(x_1 + x_2) + (z_1 + z_2) \\
+c = c _ 1 + c _ 2 &= uv + u(y _ 1 + y _ 2) + v(x _ 1 + x _ 2) + (z _ 1 + z _ 2) \\
 &= uv + uy + vx + xy \qquad (\because z = xy)  \\
 &= u(v + y) + x(v + y) \\
 &= (u + x)(v + y) = ab
@@ -187,11 +187,11 @@ $$
 
 and $uv$ is public, so any party can include it in its share.
 
-Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Essentially, they are *one-time pad* encryptions of $x_i$ and $y_i$ since $a_i, b_i$ were chosen randomly. No need for OTs during actual computation.
+Also note that $u _ i, v _ i$ does not reveal any information about $x _ i, y _ i$. Essentially, they are *one-time pad* encryptions of $x _ i$ and $y _ i$ since $a _ i, b _ i$ were chosen randomly. No need for OTs during actual computation.
 
 ### Reusing Beaver Triples?
 
-**Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and $u_1' = a_1' + x_1$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$.
+**Beaver triples are to be used only once!** If $u _ 1 = a _ 1 + x _ 1$ and $u _ 1' = a _ 1' + x _ 1$, then $u _ 1 + u _ 1' = a _ 1 + a _ 1'$, revealing information about $a _ 1 + a _ 1'$.
 
 Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](../2023-11-16-gmw-protocol/#ot-extension) described below.
 
@@ -217,65 +217,65 @@ There is a technique called **OT extension**, that allows us to obtain many OT i
 
 This protocol will extend $n$ OTs to $m$ OTs, where $m \gg n$.
 
-- Sender has inputs $\paren{x_i^0, x_i^1}$ for $i = 1, \dots, m$.
-- Receiver has choice vector $\sigma = (\sigma_1, \dots, \sigma_m) \in \braces{0, 1}^m$.
-	- After the protocol, the receiver will get $x_i^{\sigma_i}$ for $i = 1, \dots, m$.
+- Sender has inputs $\paren{x _ i^0, x _ i^1}$ for $i = 1, \dots, m$.
+- Receiver has choice vector $\sigma = (\sigma _ 1, \dots, \sigma _ m) \in \braces{0, 1}^m$.
+	- After the protocol, the receiver will get $x _ i^{\sigma _ i}$ for $i = 1, \dots, m$.
 
 > **First phase.**
-> 
-> 1. The receiver samples $n$ random strings $T_1, \dots, T_n \la \braces{0, 1}^m$ of length $m$.
-> 2. The receiver prepares pairs $\paren{T_i, T_i \oplus \sigma}$ for $i = 1, \dots, n$ and plays *sender in base OT*.
-> 3. The sender chooses random $s = (s_1, \dots, s_n) \in \braces{0, 1}^n$.
-> 4. The sender plays *receiver in base OT* with input $s_i$ for $i = 1, \dots, n$.
+>
+> 1. The receiver samples $n$ random strings $T _ 1, \dots, T _ n \la \braces{0, 1}^m$ of length $m$.
+> 2. The receiver prepares pairs $\paren{T _ i, T _ i \oplus \sigma}$ for $i = 1, \dots, n$ and plays *sender in base OT*.
+> 3. The sender chooses random $s = (s _ 1, \dots, s _ n) \in \braces{0, 1}^n$.
+> 4. The sender plays *receiver in base OT* with input $s _ i$ for $i = 1, \dots, n$.
 
 In the first phase, the roles are temporarily switched.
 
 - The receiver chose $n$ random $m$-bit vectors, now has a $m\times n$ bit matrix $T$.
-- For the $i$-th base OT, the receiver inputs $T_i$ or $T_i \oplus \sigma$. Therefore, if $s_i = 0$, the sender gets $T_i$. If $s_i = 1$, then sender gets $T_i \oplus \sigma$.
-- Suppose that the sender gets $Q_i \in \braces{0, 1}^m$ in the $i$-th base OT. The sender will also have a $m \times n$ bit matrix $Q$.
+- For the $i$-th base OT, the receiver inputs $T _ i$ or $T _ i \oplus \sigma$. Therefore, if $s _ i = 0$, the sender gets $T _ i$. If $s _ i = 1$, then sender gets $T _ i \oplus \sigma$.
+- Suppose that the sender gets $Q _ i \in \braces{0, 1}^m$ in the $i$-th base OT. The sender will also have a $m \times n$ bit matrix $Q$.
 
 $$
-Q_i = \begin{cases} T_i  & (s_i = 0)  \\
-	T_i \oplus \sigma  & (s_i = 1).
+Q _ i = \begin{cases} T _ i  & (s _ i = 0)  \\
+	T _ i \oplus \sigma  & (s _ i = 1).
 \end{cases}
 $$
 
 **Now consider each row separately!** Let $A[k]$ be the $k$-th row of matrix $A$.
 
-If $\sigma_j = 0$, the XOR operation in $T_i \oplus \sigma$ has no effect on the $j$-th element (row), so the $j$-th element of $T_i \oplus \sigma$ and $T_i$ are the same. Thus, we have $Q[j] = T[j]$.
+If $\sigma _ j = 0$, the XOR operation in $T _ i \oplus \sigma$ has no effect on the $j$-th element (row), so the $j$-th element of $T _ i \oplus \sigma$ and $T _ i$ are the same. Thus, we have $Q[j] = T[j]$.
 
-On the other hand, suppose that $\sigma_j = 1$ and consider each element of $Q[j]$. The $i$-th element is the $j$-th element of $Q_i$. If $s_i = 0$, then $Q_i = T_i$, so the $j$-th element (row) is the same as the $j$-th element of $T_i$. If $s_i = 1$, then $Q_i = T_i \oplus \sigma$, so the $j$-th element is flipped. Thus, $Q[j] = T[j] \oplus s$.
+On the other hand, suppose that $\sigma _ j = 1$ and consider each element of $Q[j]$. The $i$-th element is the $j$-th element of $Q _ i$. If $s _ i = 0$, then $Q _ i = T _ i$, so the $j$-th element (row) is the same as the $j$-th element of $T _ i$. If $s _ i = 1$, then $Q _ i = T _ i \oplus \sigma$, so the $j$-th element is flipped. Thus, $Q[j] = T[j] \oplus s$.
 
 $$
-Q[j] = \begin{cases} T[j] & (\sigma_j = 0)  \\
-T[j] \oplus s & (\sigma_j = 1).
+Q[j] = \begin{cases} T[j] & (\sigma _ j = 0)  \\
+T[j] \oplus s & (\sigma _ j = 1).
 \end{cases}
 $$
 
 > **Second phase.** To perform the $j$-th transfer $(j = 1, \dots, m)$,
-> 
-> 1. The sender sends $y_j^0 = H(j, Q[j]) \oplus x_j^0$ and $y_j^1 = H(j, Q[j] \oplus s) \oplus x_j^1$.
-> 2. The receiver computes $H(j, T[j]) \oplus y_j^{\sigma_j}$.
+>
+> 1. The sender sends $y _ j^0 = H(j, Q[j]) \oplus x _ j^0$ and $y _ j^1 = H(j, Q[j] \oplus s) \oplus x _ j^1$.
+> 2. The receiver computes $H(j, T[j]) \oplus y _ j^{\sigma _ j}$.
 
-If $\sigma_j = 0$, then the sender gets
+If $\sigma _ j = 0$, then the sender gets
 
 $$
-H(j, T[j]) \oplus y_j^0 = H(j, T[j]) \oplus H(j, Q[j]) \oplus x_j^0 = x_j^0.
+H(j, T[j]) \oplus y _ j^0 = H(j, T[j]) \oplus H(j, Q[j]) \oplus x _ j^0 = x _ j^0.
 $$
 
-If $\sigma_j = 1$,
+If $\sigma _ j = 1$,
 
 $$
-H(j, T[j]) \oplus y_j^1 = H(j, T[j]) \oplus H(j, Q[j] \oplus s) \oplus x_j^1 = x_j^1.
+H(j, T[j]) \oplus y _ j^1 = H(j, T[j]) \oplus H(j, Q[j] \oplus s) \oplus x _ j^1 = x _ j^1.
 $$
 
 We have just shown correctness.
 
 ### Security Proof of OT Extension
 
-Intuitively, the sender receives either $T_i$ or $T_i \oplus \sigma$. But $T_i$ are chosen randomly, so it hides $\sigma$, revealing no information.
+Intuitively, the sender receives either $T _ i$ or $T _ i \oplus \sigma$. But $T _ i$ are chosen randomly, so it hides $\sigma$, revealing no information.
 
-As for the receiver, the values $(x_j^0, x_j^1)$ are masked by a hash function, namely $H(j, Q[j])$ and $H(j, Q[j] \oplus s)$. The receiver can compute $H(j, T[j])$, which equals *only one of them* but since receiver has no information about $s$, prohibiting the receiver from computing the other mask.
+As for the receiver, the values $(x _ j^0, x _ j^1)$ are masked by a hash function, namely $H(j, Q[j])$ and $H(j, Q[j] \oplus s)$. The receiver can compute $H(j, T[j])$, which equals *only one of them* but since receiver has no information about $s$, prohibiting the receiver from computing the other mask.
 
 ### Performance of OT Extension
 
@@ -286,5 +286,5 @@ One may concern that we have to send a lot of information for each of the $n$ OT
 Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing.
 
 [^1]: Intuitively, it may seem that proving security for $n-1$ corrupted parties would be the hardest. However, security for $n-1$ corrupted parties does not imply security for $n-2$ corrupted parties, in general.
-[^2]: There is a variant of sharing Beaver triples, where a dealer generates all $x_i, y_i, z_i$ and gives them to each party.
+[^2]: There is a variant of sharing Beaver triples, where a dealer generates all $x _ i, y _ i, z _ i$ and gives them to each party.
 [^3]: A Graduate Course in Applied Cryptography.

_posts/lecture-notes/modern-cryptography/2023-11-23-bgv-scheme.md

@@ -73,26 +73,26 @@ This is a sample scheme, which is insecure.
 
 > Choose parameters $n$ and $q$ as security parameters.
 > 
-> 1. Set secret key $\bf{s} = (s_1, \dots, s_n) \in \Z^n$.
-> 2. For message $m \in \Z_q$, encrypt it as follows.
-> 	- Randomly choose $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$.
+> 1. Set secret key $\bf{s} = (s _ 1, \dots, s _ n) \in \Z^n$.
+> 2. For message $m \in \Z _ q$, encrypt it as follows.
+> 	- Randomly choose $\bf{a} = (a _ 1, \dots, a _ n) \la \Z _ q^n$.
 > 	- Compute $b = -\span{\bf{a}, \bf{s}} + m \pmod q$.
-> 	- Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
+> 	- Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$.
 > 3. To decrypt $\bf{c}$, compute $m = b + \span{\bf{a}, \bf{s}} \pmod q$.
 
-Correctness is trivial. Also, this encryption algorithm has the *additive homomorphism* property. If $b_1, b_2$ are encryptions of $m_1, m_2$, then
+Correctness is trivial. Also, this encryption algorithm has the *additive homomorphism* property. If $b _ 1, b _ 2$ are encryptions of $m _ 1, m _ 2$, then
 
 $$
-b_1 = -\span{\bf{a}_1, \bf{s}} + m_1, \quad b_2 = -\span{\bf{a}_2, \bf{s}} + m_2
+b _ 1 = -\span{\bf{a} _ 1, \bf{s}} + m _ 1, \quad b _ 2 = -\span{\bf{a} _ 2, \bf{s}} + m _ 2
 $$
 
-in $\Z_q$. Thus,
+in $\Z _ q$. Thus,
 
 $$
-b_1 + b_2 = -\span{\bf{a}_1 + \bf{a}_2, \bf{s}} + m_1 + m_2.
+b _ 1 + b _ 2 = -\span{\bf{a} _ 1 + \bf{a} _ 2, \bf{s}} + m _ 1 + m _ 2.
 $$
 
-Decrypting the ciphertext $(b_1 + b_2, \bf{a}_1 + \bf{a}_2)$ will surely give $m_1 + m_2$.
+Decrypting the ciphertext $(b _ 1 + b _ 2, \bf{a} _ 1 + \bf{a} _ 2)$ will surely give $m _ 1 + m _ 2$.
 
 But this scheme is not secure. After $n$ queries, the plaintext-ciphertext pairs can be transformed into a linear system of equations
 
@@ -100,16 +100,16 @@ $$
 \bf{b} = -A \bf{s} + \bf{m},
 $$
 
-where $\bf{a}_i$ are in the rows of $A$. This system can be solved for $\bf{s}$ with non-negligible probability.[^2]
+where $\bf{a} _ i$ are in the rows of $A$. This system can be solved for $\bf{s}$ with non-negligible probability.[^2]
 
 ## Lattice Cryptography
 
 Recall that schemes like RSA and ElGamal rely on the hardness of computational problems. The hardness of those problems make the schemes secure. There are other (known to be) *hard* problems using **lattices**, and recent homomorphic encryption schemes use **lattice-based** cryptography.
 
-> **Definition.** For $\bf{b}_i \in \Z^n$ for $i = 1, \dots, n$, let $B = \braces{\bf{b}_1, \dots, \bf{b}_n}$ be a basis. The set
+> **Definition.** For $\bf{b} _ i \in \Z^n$ for $i = 1, \dots, n$, let $B = \braces{\bf{b} _ 1, \dots, \bf{b} _ n}$ be a basis. The set
 > 
 > $$
-> L = \braces{\sum_{i=1}^n a_i\bf{b}_i : a_i \in \Z}
+> L = \braces{\sum _ {i=1}^n a _ i\bf{b} _ i : a _ i \in \Z}
 > $$
 > 
 > is called a **lattice**. The set $B$ is a basis over $L$.
@@ -128,16 +128,16 @@ for a small error $\bf{e}$, the problem is to find the closest lattice point $B\
 
 It is known that all (including quantum) algorithms for solving BDD have costs $2^{\Omega(n)}$.
 
-This problem is easy when we have a *short* basis, where the angles between vectors are closer to $\pi/2$. For example, given $\bf{t}$, find $a_i \in \R$ such that
+This problem is easy when we have a *short* basis, where the angles between vectors are closer to $\pi/2$. For example, given $\bf{t}$, find $a _ i \in \R$ such that
 
 $$
-\bf{t} = a_1 \bf{b}_1 + \cdots a_n \bf{b}_n
+\bf{t} = a _ 1 \bf{b} _ 1 + \cdots a _ n \bf{b} _ n
 $$
 
 and return $B\bf{u}$ as
 
 $$
-B\bf{u} = \sum_{i=1}^n \lfloor a_i \rceil \bf{b}_i.
+B\bf{u} = \sum _ {i=1}^n \lfloor a _ i \rceil \bf{b} _ i.
 $$
 
 Then this $B\bf{u} \in L$ is pretty close to $\bf{t} \notin L$.
@@ -146,28 +146,28 @@ Then this $B\bf{u} \in L$ is pretty close to $\bf{t} \notin L$.
 
 This is the problem we will mainly use for homomorphic schemes.
 
-Let $\rm{LWE}_{n, q, \sigma}(\bf{s})$ denote the LWE distribution, where
+Let $\rm{LWE} _ {n, q, \sigma}(\bf{s})$ denote the LWE distribution, where
 - $n$ is the number of dimensions,
 - $q$ is the modulus,
 - $\sigma$ is the standard deviation of error.
 
-Also $D_\sigma$ denotes the discrete gaussian distribution with standard deviation $\sigma$.
+Also $D _ \sigma$ denotes the discrete gaussian distribution with standard deviation $\sigma$.
 
-> Let $\bf{s} = (s_1, \dots, s_n) \in \Z_q^n$ be a secret.
+> Let $\bf{s} = (s _ 1, \dots, s _ n) \in \Z _ q^n$ be a secret.
 > 
-> - Sample $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$ and $e \la D_\sigma$.
+> - Sample $\bf{a} = (a _ 1, \dots, a _ n) \la \Z _ q^n$ and $e \la D _ \sigma$.
 > - Compute $b = \span{\bf{a}, \bf{s}} + e \pmod q$.
-> - Output $(b, \bf{a}) \in \Z_q^{n+1}$.
+> - Output $(b, \bf{a}) \in \Z _ q^{n+1}$.
 > 
 > This is called a **LWE instance**.
 
 ### Search LWE Problem
 
-> Given many samples from $\rm{LWE}_{n, q, \sigma}(\bf{s})$, find $\bf{s}$.
+> Given many samples from $\rm{LWE} _ {n, q, \sigma}(\bf{s})$, find $\bf{s}$.
 
 ### Decisional LWE Problem (DLWE)
 
-> Distinguish two distributions $\rm{LWE}_{n, q, \sigma}(\bf{s})$ and $U(\Z_q^{n+1})$.
+> Distinguish two distributions $\rm{LWE} _ {n, q, \sigma}(\bf{s})$ and $U(\Z _ q^{n+1})$.
 
 It is known that the two versions of LWE problem are **equivalent** when $q$ is a prime bounded by some polynomial in $n$.
 
@@ -175,17 +175,17 @@ LWE problem can be turned into **assumptions**, just like the DL and RSA problem
 
 ## The BGV Scheme
 
-**BGV scheme** is by Brakerski-Gentry-Vaikuntanathan (2012). The scheme is defined over the finite field $\Z_p$ and can perform arithmetic in $\Z_p$.
+**BGV scheme** is by Brakerski-Gentry-Vaikuntanathan (2012). The scheme is defined over the finite field $\Z _ p$ and can perform arithmetic in $\Z _ p$.
 
 > Choose security parameters $n$, $q$ and $\sigma$. It is important that $q$ is chosen as an **odd** integer.
 > 
 > **Key Generation**
-> - Set secret key $\bf{s} = (s_1, \dots, s_n) \in \Z^n$.
+> - Set secret key $\bf{s} = (s _ 1, \dots, s _ n) \in \Z^n$.
 > 
 > **Encryption**
-> - Sample $\bf{a} \la \Z_q^n$ and $e \la D_\sigma$.
+> - Sample $\bf{a} \la \Z _ q^n$ and $e \la D _ \sigma$.
 > - Compute $b = -\span{\bf{a}, \bf{s}} + m + 2e \pmod q$.
-> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
+> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$.
 > 
 > **Decryption**
 > - Compute $r = b + \span{\bf{a}, \bf{s}} \pmod q$.
@@ -206,16 +206,16 @@ $$
 Under the LWE assumption, it can be proven that the scheme is semantically secure, i.e,
 
 $$
-E(\bf{s}, 0) \approx_c E(\bf{s}, 1).
+E(\bf{s}, 0) \approx _ c E(\bf{s}, 1).
 $$
 
 ### Addition in BGV
 
 Addition is easy!
 
-> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
+> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Then, $\bf{c} _ \rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
 
-*Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$. If
+*Proof*. Decrypt $\bf{c} _ \rm{add} = (b + b', \bf{a} + \bf{a}')$. If
 
 $$
 r = b + \span{\bf{a}, \bf{s}} = m + 2e \pmod q
@@ -230,10 +230,10 @@ $$
 then we have
 
 $$
-r_\rm{add} = b + b' + \span{\bf{a} + \bf{a}', \bf{s}} = r + r' = m + m' + 2(e + e') \pmod q.
+r _ \rm{add} = b + b' + \span{\bf{a} + \bf{a}', \bf{s}} = r + r' = m + m' + 2(e + e') \pmod q.
 $$
 
-If $\abs{r + r'} < q/2$, then $m + m' = r_\rm{add} \pmod 2$.
+If $\abs{r + r'} < q/2$, then $m + m' = r _ \rm{add} \pmod 2$.
 
 ### Multiplication in BGV
 
@@ -241,10 +241,10 @@ If $\abs{r + r'} < q/2$, then $m + m' = r_\rm{add} \pmod 2$.
 
 For multiplication, we need **tensor products**.
 
-> **Definition.** Let $\bf{a} = (a_1, \dots, a_n)^\top, \bf{b} = (b_1, \dots, b_n)^\top$ be vectors. Then the **tensor product** $\bf{a} \otimes \bf{b}$ is a vector with $n^2$ dimensions such that
+> **Definition.** Let $\bf{a} = (a _ 1, \dots, a _ n)^\top, \bf{b} = (b _ 1, \dots, b _ n)^\top$ be vectors. Then the **tensor product** $\bf{a} \otimes \bf{b}$ is a vector with $n^2$ dimensions such that
 > 
 > $$
-> \bf{a} \otimes \bf{b} = \big( a_i \cdot b_j \big)_{1 \leq i, j \leq n}.
+> \bf{a} \otimes \bf{b} = \big( a _ i \cdot b _ j \big) _ {1 \leq i, j \leq n}.
 > $$
 
 We will use the following property.
@@ -255,12 +255,12 @@ We will use the following property.
 > \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}} = \span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}}.
 > $$
 
-*Proof*. Denote the components as $a_i, b_i, c_i, d_i$.
+*Proof*. Denote the components as $a _ i, b _ i, c _ i, d _ i$.
 
 $$
 \begin{aligned}
-\span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}} &= \sum_{i=1}^n\sum_{j=1}^n a_ic_j \cdot b_id_j \\
-&= \paren{\sum_{i=1}^n a_ib_i} \paren{\sum_{j=1}^n c_j d_j} =  \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}}.
+\span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}} &= \sum _ {i=1}^n\sum _ {j=1}^n a _ ic _ j \cdot b _ id _ j \\
+&= \paren{\sum _ {i=1}^n a _ ib _ i} \paren{\sum _ {j=1}^n c _ j d _ j} =  \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}}.
 \end{aligned}
 $$
 
@@ -281,26 +281,26 @@ $$
 we have that
 
 $$
-r_\rm{mul} = rr' = (m + 2e)(m' + 2e') = mm' + 2e\conj \pmod q.
+r _ \rm{mul} = rr' = (m + 2e)(m' + 2e') = mm' + 2e\conj \pmod q.
 $$
 
-So $mm' = r_\rm{mul} \pmod 2$ if $e\conj$ is small.
+So $mm' = r _ \rm{mul} \pmod 2$ if $e\conj$ is small.
 
-However, to compute $r_\rm{mul} = rr'$ from the ciphertext,
+However, to compute $r _ \rm{mul} = rr'$ from the ciphertext,
 
 $$
 \begin{aligned}
-r_\rm{mul} &= rr' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
+r _ \rm{mul} &= rr' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
 &= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'}.
 \end{aligned}
 $$
 
-Thus we define $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, then this can be decrypted with $(1, \bf{s}, \bf{s} \otimes \bf{s})$ by the above equation.
+Thus we define $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, then this can be decrypted with $(1, \bf{s}, \bf{s} \otimes \bf{s})$ by the above equation.
 
 > Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m'$. Then,
 > 
 > $$
-> \bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
+> \bf{c} _ \rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
 > $$
 > 
 > is an encryption of $mm'$ with $(1, \bf{s}, \bf{s} \otimes \bf{s})$.
@@ -319,58 +319,58 @@ The multiplication described above has two major problems.
 
 ### Dimension Reduction
 
-First, we reduce the ciphertext dimension. In the ciphertext $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{a} \otimes \bf{a}'$ is causing the problem, since it must be decrypted with $\bf{s} \otimes \bf{s}'$.
+First, we reduce the ciphertext dimension. In the ciphertext $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{a} \otimes \bf{a}'$ is causing the problem, since it must be decrypted with $\bf{s} \otimes \bf{s}'$.
 
 Observe that the following dot product is calculated during decryption.
 
 $$
-\tag{1} \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} = \sum_{i = 1}^n \sum_{j=1}^n a_i a_j' s_i s_j.
+\tag{1} \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} = \sum _ {i = 1}^n \sum _ {j=1}^n a _ i a _ j' s _ i s _ j.
 $$
 
 The above expression has $n^2$ terms, so they have to be manipulated. The idea is to switch these terms as encryptions of $\bf{s}$, instead of $\bf{s} \otimes \bf{s}'$.
 
-Thus we use encryptions of $s_is_j$ by $\bf{s}$. If we have ciphertexts of $s_is_j$, we can calculate the expression in $(1)$ since this scheme is *homomorphic*. Then the ciphertext can be decrypted only with $\bf{s}$, as usual. This process is called **relinearization**, and the ciphertexts of $s_i s_j$ are called **relinearization keys**.
+Thus we use encryptions of $s _ is _ j$ by $\bf{s}$. If we have ciphertexts of $s _ is _ j$, we can calculate the expression in $(1)$ since this scheme is *homomorphic*. Then the ciphertext can be decrypted only with $\bf{s}$, as usual. This process is called **relinearization**, and the ciphertexts of $s _ i s _ j$ are called **relinearization keys**.
 
 #### First Attempt
 
 > **Relinearization Keys**: for $1 \leq i, j \leq n$, perform the following.
-> - Sample $\bf{u}_{i, j} \la \Z_q^{n}$ and $e_{i, j} \la D_\sigma$.
-> - Compute $v_{i, j} = -\span{\bf{u}_{i, j}, \bf{s}} + s_i s_j + 2e_{i, j} \pmod q$.
-> - Output $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$.
+> - Sample $\bf{u} _ {i, j} \la \Z _ q^{n}$ and $e _ {i, j} \la D _ \sigma$.
+> - Compute $v _ {i, j} = -\span{\bf{u} _ {i, j}, \bf{s}} + s _ i s _ j + 2e _ {i, j} \pmod q$.
+> - Output $\bf{w} _ {i, j} = (v _ {i, j}, \bf{u} _ {i, j})$.
 > 
-> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$ and $\bf{w}_{i, j}$ for $1 \leq i, j \leq n$, output the following.
+> **Linearization**: given $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$ and $\bf{w} _ {i, j}$ for $1 \leq i, j \leq n$, output the following.
 > 
 > $$
-> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{w}_{i, j} \pmod q.
+> \bf{c} _ \rm{mul}^\ast = (b _ \rm{mul}^\ast, \bf{a} _ \rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \bf{w} _ {i, j} \pmod q.
 > $$
 
-Note that the addition $+$ is the addition of two $(n+1)$-dimensional vectors. By plugging in $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$, we actually have
+Note that the addition $+$ is the addition of two $(n+1)$-dimensional vectors. By plugging in $\bf{w} _ {i, j} = (v _ {i, j}, \bf{u} _ {i, j})$, we actually have
 
 $$
-b_\rm{mul}^\ast = bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j}
+b _ \rm{mul}^\ast = bb' + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' v _ {i, j}
 $$
 
 and
 
 $$
-\bf{a}_\rm{mul}^\ast = b\bf{a}' + b'\bf{a} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{u}_{i, j}.
+\bf{a} _ \rm{mul}^\ast = b\bf{a}' + b'\bf{a} + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \bf{u} _ {i, j}.
 $$
 
-Now we check correctness. $\bf{c}_\rm{mul}^\ast$ should decrypt to $mm'$ with only $\bf{s}$.
+Now we check correctness. $\bf{c} _ \rm{mul}^\ast$ should decrypt to $mm'$ with only $\bf{s}$.
 
 $$
 \begin{aligned}
-b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \span{\bf{u}_{i, j}, \bf{s}} \\
-&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \paren{v_{i, j} + \span{\bf{u}_{i, j}, \bf{s}}}.
+b _ \rm{mul}^\ast + \span{\bf{a} _ \rm{mul}^\ast, \bf{s}} &= bb' + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' v _ {i, j} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \span{\bf{u} _ {i, j}, \bf{s}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \paren{v _ {i, j} + \span{\bf{u} _ {i, j}, \bf{s}}}.
 \end{aligned}
 $$
 
-Since $v_{i, j} + \span{\bf{u}_{i, j}, \bf{s}} = s_i s_j + 2e_{i, j} \pmod q$, the above expression further reduces to
+Since $v _ {i, j} + \span{\bf{u} _ {i, j}, \bf{s}} = s _ i s _ j + 2e _ {i, j} \pmod q$, the above expression further reduces to
 
 $$
 \begin{aligned}
-&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \paren{s_i s_j + 2e_{i, j}} \\
-&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2\sum_{i=1}^n\sum_{j=1}^n a_i a_j' e_{i, j} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \paren{s _ i s _ j + 2e _ {i, j}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2\sum _ {i=1}^n\sum _ {j=1}^n a _ i a _ j' e _ {i, j} \\
 &= rr' + 2e\conj \pmod q,
 \end{aligned}
 $$
@@ -380,57 +380,57 @@ and we have an encryption of $mm'$.
 However, we require that
 
 $$
-e\conj = \sum_{i=1}^n \sum_{j=1}^n a_i a_j' e_{i, j} \ll q
+e\conj = \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' e _ {i, j} \ll q
 $$
 
-for correctness. It is highly unlikely that this relation holds, since $a_i a_j'$ will be large. They are random elements of $\Z_q$ after all, so the size is about $\mc{O}(n^2 q)$.
+for correctness. It is highly unlikely that this relation holds, since $a _ i a _ j'$ will be large. They are random elements of $\Z _ q$ after all, so the size is about $\mc{O}(n^2 q)$.
 
 #### Relinearization
 
-We use a method to make $a_i a_j'$ smaller. The idea is to use the binary representation.
+We use a method to make $a _ i a _ j'$ smaller. The idea is to use the binary representation.
 
-Let $a[k] \in \braces{0, 1}$ denote the $k$-th least significant bit of $a \in \Z_q$. Then we can write
+Let $a[k] \in \braces{0, 1}$ denote the $k$-th least significant bit of $a \in \Z _ q$. Then we can write
 
 $$
-a = \sum_{0\leq k<l} 2^k \cdot a[k]
+a = \sum _ {0\leq k<l} 2^k \cdot a[k]
 $$
 
 where $l = \ceil{\log q}$. Then we have
 
 $$
-a_i a_j' s_i s_j = \sum_{0\leq k <l} (a_i a_j')[k] \cdot 2^k s_i s_j,
+a _ i a _ j' s _ i s _ j = \sum _ {0\leq k <l} (a _ i a _ j')[k] \cdot 2^k s _ i s _ j,
 $$
 
-so instead of encryptions of $s_i s_j$, we use encryptions of $2^k s_i s_j$.
+so instead of encryptions of $s _ i s _ j$, we use encryptions of $2^k s _ i s _ j$.
 
-For convenience, let $a_{i, j} = a_i a_j'$. Now we have triple indices including $k$.
+For convenience, let $a _ {i, j} = a _ i a _ j'$. Now we have triple indices including $k$.
 
 > **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
-> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and $e_{i, j, k} \la D_\sigma$.
-> - Compute $v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q$.
-> - Output $\bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k})$.
+> - Sample $\bf{u} _ {i, j, k} \la \Z _ q^{n}$ and $e _ {i, j, k} \la D _ \sigma$.
+> - Compute $v _ {i, j, k} = -\span{\bf{u} _ {i, j, k}, \bf{s}} + 2^k \cdot s _ i s _ j + 2e _ {i, j, k} \pmod q$.
+> - Output $\bf{w} _ {i, j, k} = (v _ {i, j, k}, \bf{u} _ {i, j, k})$.
 > 
-> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
+> **Linearization**: given $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w} _ {i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
 > 
 > $$
-> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \bf{w}_{i, j, k} \pmod q.
+> \bf{c} _ \rm{mul}^\ast = (b _ \rm{mul}^\ast, \bf{a} _ \rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum _ {i=1}^n \sum _ {j=1}^n \sum _ {k=0}^{\ceil{\log q}} a _ {i, j}[k] \bf{w} _ {i, j, k} \pmod q.
 > $$
 
 Correctness can be checked similarly. The bounds for summations are omitted for brevity. They range from $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$.
 
 $$
 \begin{aligned}
-b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_{i, j}[k] \cdot v_{i, j, k} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \span{\bf{u}_{i, j, k}, \bf{s}} \\
-&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}}}.
+b _ \rm{mul}^\ast + \span{\bf{a} _ \rm{mul}^\ast, \bf{s}} &= bb' + \sum _ {i, j, k} a _ {i, j}[k] \cdot v _ {i, j, k} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \cdot \span{\bf{u} _ {i, j, k}, \bf{s}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \paren{v _ {i, j, k} + \span{\bf{u} _ {i, j, k}, \bf{s}}}.
 \end{aligned}
 $$
 
-Since $v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}} = 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q$, the above expression further reduces to
+Since $v _ {i, j, k} + \span{\bf{u} _ {i, j, k}, \bf{s}} = 2^k \cdot s _ i s _ j + 2e _ {i, j, k} \pmod q$, the above expression further reduces to
 
 $$
 \begin{aligned}
-&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{2^k \cdot s_i s_j + 2e_{i, j, k}} \\
-&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j} a_{i, j}s_i s_j + 2\sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \paren{2^k \cdot s _ i s _ j + 2e _ {i, j, k}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j} a _ {i, j}s _ i s _ j + 2\sum _ {i, j, k} a _ {i, j}[k] \cdot e _ {i, j, k} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2e\conj \\
 &= rr' + 2e\conj \pmod q,
 \end{aligned}
@@ -439,10 +439,10 @@ $$
 and we have an encryption of $mm'$. In this case,
 
 $$
-e\conj = 2\sum_{i=1}^n\sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \cdot e_{i, j, k}
+e\conj = 2\sum _ {i=1}^n\sum _ {j=1}^n \sum _ {k=0}^{\ceil{\log q}} a _ {i, j}[k] \cdot e _ {i, j, k}
 $$
 
-is small enough to use, since $a_{i, j}[k] \in \braces{0, 1}$. The size is about $\mc{O}(n^2 \log q)$, which is a lot smaller than $q$ for practical uses. We have reduced $n^2 q$ to $n^2 \log q$ with this method.
+is small enough to use, since $a _ {i, j}[k] \in \braces{0, 1}$. The size is about $\mc{O}(n^2 \log q)$, which is a lot smaller than $q$ for practical uses. We have reduced $n^2 q$ to $n^2 \log q$ with this method.
 
 ### Noise Reduction
 
@@ -452,42 +452,42 @@ $$
 \abs{r} = \abs{m + 2e} < \frac{1}{2}q.
 $$
 
-But for multiplication, $\abs{r_\rm{mul}} = \abs{rr' + 2e\conj}$, so the noise grows very fast. If the initial noise size was $N$, then after $L$ levels of multiplication, the noise is now $N^{2^L}$.[^3] To reduce noise, we use **modulus switching**.
+But for multiplication, $\abs{r _ \rm{mul}} = \abs{rr' + 2e\conj}$, so the noise grows very fast. If the initial noise size was $N$, then after $L$ levels of multiplication, the noise is now $N^{2^L}$.[^3] To reduce noise, we use **modulus switching**.
 
-Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$, we reduce the modulus to $q' < q$ which results in a smaller noise $e'$. This can be done by scaling $\bf{c}$ by $q'/q$ and rounding it.
+Given $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$, we reduce the modulus to $q' < q$ which results in a smaller noise $e'$. This can be done by scaling $\bf{c}$ by $q'/q$ and rounding it.
 
-> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ be given.
+> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$ be given.
 > 
 > - Find $b'$ closest to $b \cdot (q' /q)$ such that $b' = b \pmod 2$.
-> - Find $a_i'$ closest to $a_i \cdot (q'/q)$ such that $a_i' = a_i \pmod 2$.
-> - Output $\bf{c}' = (b', \bf{a}') \in \Z_{q'}^{n+1}$.
+> - Find $a _ i'$ closest to $a _ i \cdot (q'/q)$ such that $a _ i' = a _ i \pmod 2$.
+> - Output $\bf{c}' = (b', \bf{a}') \in \Z _ {q'}^{n+1}$.
 
 In summary, $\bf{c}' \approx \bf{c} \cdot (q'/q)$, and $\bf{c}' = \bf{c} \pmod 2$ component-wise.
 
 We check if the noise has been reduced, and decryption results in the same message $m$. Decryption of $\bf{c}'$ is done by $r' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$, so we must prove that $r' \approx r \cdot (q'/q)$ and $r' = r \pmod 2$. Then the noise is scaled down by $q'/q$ and the message is preserved.
 
-Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = r + kq$. By the choice of $b'$ and $a_i'$,
+Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = r + kq$. By the choice of $b'$ and $a _ i'$,
 
 $$
-b' = b \cdot (q'/q) + \epsilon_0, \quad a_i' = a_i \cdot (q'/q) + \epsilon_i
+b' = b \cdot (q'/q) + \epsilon _ 0, \quad a _ i' = a _ i \cdot (q'/q) + \epsilon _ i
 $$
 
-for $\epsilon_i \in\braces{0, 1}$. Then
+for $\epsilon _ i \in\braces{0, 1}$. Then
 
 $$
 \begin{aligned}
-b' + \span{\bf{a}', \bf{s}} &= b' + \sum_{i=1}^n a_i's_i \\
-&= b \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \paren{a_i \cdot (q'/q) + \epsilon_i} s_i \\
-&= (q'/q) \paren{b + \sum_{i=1}^n a_i s_i} + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
-&= (q'/q) \cdot (r + kq) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
-&= r \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i +  kq'.
+b' + \span{\bf{a}', \bf{s}} &= b' + \sum _ {i=1}^n a _ i's _ i \\
+&= b \cdot (q'/q) + \epsilon _ 0 + \sum _ {i=1}^n \paren{a _ i \cdot (q'/q) + \epsilon _ i} s _ i \\
+&= (q'/q) \paren{b + \sum _ {i=1}^n a _ i s _ i} + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i \\
+&= (q'/q) \cdot (r + kq) + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i \\
+&= r \cdot (q'/q) + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i +  kq'.
 \end{aligned}
 $$
 
-We additionally assume that $\bf{s} \in \Z_2^n$, then the error term is bounded by $n+1$, and $n \ll q$.[^4] Set
+We additionally assume that $\bf{s} \in \Z _ 2^n$, then the error term is bounded by $n+1$, and $n \ll q$.[^4] Set
 
 $$
-r' = r \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i,
+r' = r \cdot (q'/q) + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i,
 $$
 
 then we have $r' \approx r \cdot (q'/q)$.
@@ -502,7 +502,7 @@ Since $q, q'$ are odd, $r = r' \pmod 2$.
 
 ### Modulus Chain
 
-Let the initial noise be $\abs{r} \approx N$. Set the maximal level $L$ for multiplication, and set $q_{L} = N^{L+1}$. Then after each multiplication, switch the modulus to $q_{k-1} = q_k/N$ using the above method.
+Let the initial noise be $\abs{r} \approx N$. Set the maximal level $L$ for multiplication, and set $q _ {L} = N^{L+1}$. Then after each multiplication, switch the modulus to $q _ {k-1} = q _ k/N$ using the above method.
 
 Multiplication increases the noise to $N^2$, and then modulus switching decreases the noise back to $N$, allowing further computation.
 
@@ -512,27 +512,27 @@ $$
 N^{L+1} \ra N^L \ra \cdots \ra N.
 $$
 
-When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping).
+When we perform $L$ levels of computation and reach modulus $q _ 0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping).
 
-Note that without modulus switching, we need $q_L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q_L > N^{L+1}$.
+Note that without modulus switching, we need $q _ L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q _ L > N^{L+1}$.
 
 ### Multiplication in BGV (Summary)
 
-- Set up a modulus chain $q_k = N^{k+1}$ for $k = 0, \dots, L$.
-- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and noise $N$.
+- Set up a modulus chain $q _ k = N^{k+1}$ for $k = 0, \dots, L$.
+- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z _ {q _ k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z _ {q _ k}^{n+1}$ with modulus $q _ k$ and noise $N$.
 
-- (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
+- (**Tensor Product**) $\bf{c} _ \rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q _ k}$.
 	- Now we have $n^2$ dimensions and noise $N^2$.
 - (**Relinearization**)
 	- Back to $n$ dimensions and noise $N^2$.
 - (**Modulus Switching**)
-	- Modulus is switched to $q_{k-1}$ and noise is back to $N$.
+	- Modulus is switched to $q _ {k-1}$ and noise is back to $N$.
 
 ## BGV Generalizations and Optimizations
 
-### From $\Z_2$ to $\Z_p$
+### From $\Z _ 2$ to $\Z _ p$
 
-The above description is for messages $m \in \braces{0, 1} = \Z_2$. This can be extend to any finite field $\Z_p$. Replace $2$ with $p$ in the scheme. Then encryption of $m \in \Z_p$ is done as
+The above description is for messages $m \in \braces{0, 1} = \Z _ 2$. This can be extend to any finite field $\Z _ p$. Replace $2$ with $p$ in the scheme. Then encryption of $m \in \Z _ p$ is done as
 
 $$
 b = -\span{\bf{a}, \bf{s}} + m + pe \pmod q,
@@ -542,7 +542,7 @@ and we have $r = b + \span{\bf{a}, \bf{s}} = m + pe$, $m = r \pmod p$.
 
 ### Packing Technique
 
-Based on the Ring LWE problem, plaintext space can be extended from $\Z_p$ to $\Z_p^n$ by using **polynomials**.
+Based on the Ring LWE problem, plaintext space can be extended from $\Z _ p$ to $\Z _ p^n$ by using **polynomials**.
 
 With this technique, the number of linearization keys is reduced from $n^2 \log q$ to $\mc{O}(1)$.
 
@@ -558,6 +558,6 @@ With this technique, the number of linearization keys is reduced from $n^2 \log
 	- Parallelization is effective for optimization, since multiplication is basically performing the same operations on different data.
 
 [^1]: A homomorphism is a *confused name changer*. It can map different elements to the same name.
-[^2]: The columns $\bf{a}_i$ are chosen random, so $A$ is invertible with high probability.
+[^2]: The columns $\bf{a} _ i$ are chosen random, so $A$ is invertible with high probability.
 [^3]: Noise: $N \ra N^2 \ra N^4 \ra \cdots \ra N^{2^L}$.
 [^4]: This is how $\bf{s}$ is chosen in practice.

_posts/lecture-notes/modern-cryptography/2023-12-08-bootstrapping-ckks.md

@@ -40,18 +40,18 @@ Then $f(\bf{s}) = m$.
 Let $\bf{s}' \in \braces{0, 1}^n$ be a new secret key. Generate the **bootstrapping keys**
 
 $$
-BK = \braces{\bf{k}_i}_{i=1}^n, \qquad  \bf{k}_i = E(\bf{s}', s_i).
+BK = \braces{\bf{k} _ i} _ {i=1}^n, \qquad  \bf{k} _ i = E(\bf{s}', s _ i).
 $$
 
 Then by the homomorphic property of $f$,
 
 $$
-f(\bf{k_1}, \bf{k}_2, \dots, \bf{k}_n) = f\big( E(\bf{s}', s_1), \dots, E(\bf{s}', s_n) \big) = E\big( \bf{s}', f(s_1, \dots, s_n) \big) = E(\bf{s}', m).
+f(\bf{k _ 1}, \bf{k} _ 2, \dots, \bf{k} _ n) = f\big( E(\bf{s}', s _ 1), \dots, E(\bf{s}', s _ n) \big) = E\big( \bf{s}', f(s _ 1, \dots, s _ n) \big) = E(\bf{s}', m).
 $$
 
 #### Example with BGV
 
-Technically, the expression $f(\bf{k_1}, \bf{k}_2, \dots, \bf{k}_n)$ doesn't make sense, but it works. Consider a message $m$ encrypted with secret $\bf{s}$ in the BGV scheme.
+Technically, the expression $f(\bf{k _ 1}, \bf{k} _ 2, \dots, \bf{k} _ n)$ doesn't make sense, but it works. Consider a message $m$ encrypted with secret $\bf{s}$ in the BGV scheme.
 
 $$
 \bf{c} = (b, \bf{a}), \quad b = -\span{\bf{a}, \bf{s}} + m + 2e \pmod q.
@@ -60,15 +60,15 @@ $$
 The decryption is $r = b + \span{\bf{a}, \bf{s}} \pmod q$, and then taking the least significant bit. Consider it as a function
 
 $$
-f(\bf{s}) = b + \span{\bf{a}, \bf{s}} = b + \sum_{i=1}^n a_is_i.
+f(\bf{s}) = b + \span{\bf{a}, \bf{s}} = b + \sum _ {i=1}^n a _ is _ i.
 $$
 
-For a new key $\bf{s}' = (s_1', \dots, s_n')$, generate bootstrapping keys $\bf{k}_i = E(\bf{s}', s_i)$ and plugging it in forcefully gives
+For a new key $\bf{s}' = (s _ 1', \dots, s _ n')$, generate bootstrapping keys $\bf{k} _ i = E(\bf{s}', s _ i)$ and plugging it in forcefully gives
 
 $$
 \begin{aligned}
-f(\bf{k}_1, \dots, \bf{k}_n) &= b + \sum_{i=1}^n a_i E(\bf{s}', s_i) = b + \sum_{i=1}^n E(\bf{s}', a_is_i) \\
-&=b + E\paren{\bf{s}', \sum_{i=1}^n a_is_i} = b + E\paren{\bf{s}', \span{\bf{a}, \bf{s}}}.
+f(\bf{k} _ 1, \dots, \bf{k} _ n) &= b + \sum _ {i=1}^n a _ i E(\bf{s}', s _ i) = b + \sum _ {i=1}^n E(\bf{s}', a _ is _ i) \\
+&=b + E\paren{\bf{s}', \sum _ {i=1}^n a _ is _ i} = b + E\paren{\bf{s}', \span{\bf{a}, \bf{s}}}.
 \end{aligned}
 $$
 
@@ -81,7 +81,7 @@ b' &=b -\span{\bf{a}', \bf{s}'} + \span{\bf{a}, \bf{s}} + 2e' \\
 \end{aligned}
 $$
 
-Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k}_1, \dots, \bf{k}_n)$.[^1]
+Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k} _ 1, \dots, \bf{k} _ n)$.[^1]
 
 ### Bootstrapping Procedure
 
@@ -89,13 +89,13 @@ Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k}
 > 
 > **Bootstrapping Key Generation**
 > - Choose a new secret key $\bf{s}' \in \braces{0, 1}^n$.
-> - Generate *bootstrapping key* $BK = \braces{\bf{k}_i}_{i=1}^n$ where $\bf{k}_i = E(\bf{s}', s_i)$.
+> - Generate *bootstrapping key* $BK = \braces{\bf{k} _ i} _ {i=1}^n$ where $\bf{k} _ i = E(\bf{s}', s _ i)$.
 > 
 > **Bootstrapping**
 > - Generate a circuit representation $f : \braces{0, 1}^n \ra \braces{0, 1}$ of the decryption function $D(\cdot, \bf{c})$.
-> - Compute and output $\bf{c}' = f(\bf{k}_1, \dots, \bf{k}_n)$.
+> - Compute and output $\bf{c}' = f(\bf{k} _ 1, \dots, \bf{k} _ n)$.
 
-The bootstrapping procedure returns an encryption of $m$ under $\bf{s}'$, as shown above. The key idea here is that $\bf{k}_i$ are *fresh* ciphertexts at level $L$. Even though a few levels are consumed during the evaluation of $f$, the resulting ciphertext $\bf{c}'$ is not at level $0$ anymore, allowing us to do more computation.
+The bootstrapping procedure returns an encryption of $m$ under $\bf{s}'$, as shown above. The key idea here is that $\bf{k} _ i$ are *fresh* ciphertexts at level $L$. Even though a few levels are consumed during the evaluation of $f$, the resulting ciphertext $\bf{c}'$ is not at level $0$ anymore, allowing us to do more computation.
 
 > Suppose that the homomorphic evaluation of $f$ requires depth $d$, consuming $d$ levels. Then we say that the BGV scheme is **bootstrappable** if $d < L$. The output ciphertext $\bf{c}'$ will have level $l = L - d > 0$, which we call **remaining level**.
 
@@ -111,13 +111,13 @@ $$
 \bf{s} \ra \bf{s}' \ra \bf{s}'' \ra \cdots
 $$
 
-Currently, we set $\bf{s}' = \bf{s}$ and make the chain **circular**, so the bootstrapping keys are $E(\bf{s}, s_i)$. $\bf{s}$ is being encrypted by itself. We wonder if this is secure, but there is no known proof for this. This is used as an assumption called the **circular security assumption**.
+Currently, we set $\bf{s}' = \bf{s}$ and make the chain **circular**, so the bootstrapping keys are $E(\bf{s}, s _ i)$. $\bf{s}$ is being encrypted by itself. We wonder if this is secure, but there is no known proof for this. This is used as an assumption called the **circular security assumption**.
 
 Designing an FHE scheme without the circular security assumption is currently an open problem.
 
 ## CKKS Scheme
 
-The [BGV scheme](../2023-11-23-bgv-scheme/#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
+The [BGV scheme](../2023-11-23-bgv-scheme/#the-bgv-scheme) operates on $\Z _ p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
 
 ### Approximate Computation
 
@@ -129,7 +129,7 @@ $$
 
 Here, $2.9979$ is the **significand**, $10$ is the base and $8$ is the exponent. We also call $10^8$ the **scaling factor**.
 
-Floating point operations involve **rounding**, but rounding is not easy in homomorphic encryption. Using the BGV scheme on $\Z_p$, there are $2$ methods to do this.
+Floating point operations involve **rounding**, but rounding is not easy in homomorphic encryption. Using the BGV scheme on $\Z _ p$, there are $2$ methods to do this.
 
 - Bit-wise Encryption
 	- $32$-bit integer results in $32$ ciphertexts.
@@ -139,7 +139,7 @@ Floating point operations involve **rounding**, but rounding is not easy in homo
 - Integer Encryption
 	- To encrypt the significant, use a modulus large enough, such as $p > 2^{32}$.
 	- For multiplication, use $p > 2^{64}$.
-	- But rounding is hard in $\Z_p$.
+	- But rounding is hard in $\Z _ p$.
 
 So our wish is to design an HE scheme that natively supports rounding operation!
 
@@ -150,12 +150,12 @@ In the LWE problem, error was added for security. This can be exploited, since c
 > Let $n, q, \sigma$ be parameters for LWE and set a scaling factor $\Delta > 0$.
 > 
 > **Key Generation**
-> - A secret key is chosen as $\bf{s} = (s_1, \dots, s_n) \in \braces{0, 1}^n$, with its linearization gadget.
+> - A secret key is chosen as $\bf{s} = (s _ 1, \dots, s _ n) \in \braces{0, 1}^n$, with its linearization gadget.
 > 
 > **Encryption**: message $m \in \R$.
-> - Randomly sample $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$ and $e \la D_\sigma$.
+> - Randomly sample $\bf{a} = (a _ 1, \dots, a _ n) \la \Z _ q^n$ and $e \la D _ \sigma$.
 > - Compute $b = -\span{\bf{a}, \bf{s}} + \round{\Delta \cdot m} + e \pmod q$.
-> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
+> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$.
 > 
 > **Decryption**
 > - Compute $\mu = b + \span{\bf{a}, \bf{s}} \pmod q$.
@@ -191,18 +191,18 @@ $$
 
 ### Addition in CKKS
 
-> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
+> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then, $\bf{c} _ \rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
 
-*Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$.
+*Proof*. Decrypt $\bf{c} _ \rm{add} = (b + b', \bf{a} + \bf{a}')$.
 
 $$
-\mu_\rm{add} = \mu + \mu' = (b + b') + \span{\bf{a} + \bf{a}', \bf{s}} \pmod q.
+\mu _ \rm{add} = \mu + \mu' = (b + b') + \span{\bf{a} + \bf{a}', \bf{s}} \pmod q.
 $$
 
 If $\abs{\mu + \mu'} < q/2$, then
 
 $$
-\mu_\rm{add} = \mu + \mu' = \Delta \cdot (m + m'),
+\mu _ \rm{add} = \mu + \mu' = \Delta \cdot (m + m'),
 $$
 
 so the decryption results in $\Delta\inv \cdot (\mu + \mu') \approx m + m'$.
@@ -214,7 +214,7 @@ We also use [tensor products](../2023-11-23-bgv-scheme/#tensor-product), and the
 > Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then,
 > 
 > $$
-> \bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
+> \bf{c} _ \rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
 > $$
 > 
 > is an encryption of $mm'$ with $(1, \bf{s}, \bf{s} \otimes \bf{s})$.
@@ -223,7 +223,7 @@ We also use [tensor products](../2023-11-23-bgv-scheme/#tensor-product), and the
 
 $$
 \begin{aligned}
-\mu_\rm{mul} &= \mu\mu' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
+\mu _ \rm{mul} &= \mu\mu' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
 &= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} \pmod q
 \end{aligned}
 $$
@@ -231,10 +231,10 @@ $$
 if $\abs{\mu\mu'} < q/2$. Then
 
 $$
-\mu_\rm{mul} = \mu\mu' \approx (\Delta \cdot m) \cdot (\Delta \cdot m') = \Delta^2 \cdot mm'.
+\mu _ \rm{mul} = \mu\mu' \approx (\Delta \cdot m) \cdot (\Delta \cdot m') = \Delta^2 \cdot mm'.
 $$
 
-So $mm' \approx \Delta^{-2} \cdot \mu_\rm{mul}$.
+So $mm' \approx \Delta^{-2} \cdot \mu _ \rm{mul}$.
 
 We have issues with multiplication, as we did in BGV.
 
@@ -246,42 +246,42 @@ We have issues with multiplication, as we did in BGV.
 
 The relinearization procedure is almost the same as in [BGV relinearization](../2023-11-23-bgv-scheme/#relinearization).
 
-For convenience, let $a_{i, j} = a_i a_j'$.
+For convenience, let $a _ {i, j} = a _ i a _ j'$.
 
 > **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
-> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and $e_{i, j, k} \la D_\sigma$.
-> - Compute $v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + e_{i, j, k} \pmod q$.
-> - Output $\bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k})$.
+> - Sample $\bf{u} _ {i, j, k} \la \Z _ q^{n}$ and $e _ {i, j, k} \la D _ \sigma$.
+> - Compute $v _ {i, j, k} = -\span{\bf{u} _ {i, j, k}, \bf{s}} + 2^k \cdot s _ i s _ j + e _ {i, j, k} \pmod q$.
+> - Output $\bf{w} _ {i, j, k} = (v _ {i, j, k}, \bf{u} _ {i, j, k})$.
 > 
-> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
+> **Linearization**: given $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w} _ {i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
 > 
 > $$
-> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \bf{w}_{i, j, k} \pmod q.
+> \bf{c} _ \rm{mul}^\ast = (b _ \rm{mul}^\ast, \bf{a} _ \rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum _ {i=1}^n \sum _ {j=1}^n \sum _ {k=0}^{\ceil{\log q}} a _ {i, j}[k] \bf{w} _ {i, j, k} \pmod q.
 > $$
 
 Correctness can be checked. The bounds for summations are omitted for brevity. They range from $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$.
 
 $$
 \begin{aligned}
-b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_{i, j}[k] \cdot v_{i, j, k} + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \span{\bf{u}_{i, j, k}, \bf{s}} \\
-&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \paren{v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}}} \\
-&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{2^k \cdot s_is_j + e_{i, j, k}} \\
-&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j} a_{i, j}s_i s_j + \sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \\
+b _ \rm{mul}^\ast + \span{\bf{a} _ \rm{mul}^\ast, \bf{s}} &= bb' + \sum _ {i, j, k} a _ {i, j}[k] \cdot v _ {i, j, k} + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \cdot \span{\bf{u} _ {i, j, k}, \bf{s}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \cdot \paren{v _ {i, j, k} + \span{\bf{u} _ {i, j, k}, \bf{s}}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \paren{2^k \cdot s _ is _ j + e _ {i, j, k}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j} a _ {i, j}s _ i s _ j + \sum _ {i, j, k} a _ {i, j}[k] \cdot e _ {i, j, k} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}} + e\conj \\
-&= \mu_\rm{mul} + e\conj\pmod q.
+&= \mu _ \rm{mul} + e\conj\pmod q.
 \end{aligned}
 $$
 
 Since
 
 $$
-e\conj = \sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \ll q,
+e\conj = \sum _ {i, j, k} a _ {i, j}[k] \cdot e _ {i, j, k} \ll q,
 $$
 
 we have
 
 $$
-\mu_\rm{mul}^\ast = \mu_\rm{mul} + e\conj \approx \mu\mu' \approx \Delta^2 \cdot mm'.
+\mu _ \rm{mul}^\ast = \mu _ \rm{mul} + e\conj \approx \mu\mu' \approx \Delta^2 \cdot mm'.
 $$
 
 Note that the proof is identical to that of BGV linearization, except for missing constant factor $2$ in the error.
@@ -290,12 +290,12 @@ Note that the proof is identical to that of BGV linearization, except for missin
 
 In BGV, we used modulus switching for [noise reduction](../2023-11-23-bgv-scheme/#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**.
 
-Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately.
+Given $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately.
 
-> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ be given.
+> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$ be given.
 > 
 > - Let $q' = \Delta \inv \cdot q$.[^2]
-> - Output $\bf{c}' = \round{\Delta\inv \cdot \bf{c}} \in \Z_{q'}^{n+1}$.
+> - Output $\bf{c}' = \round{\Delta\inv \cdot \bf{c}} \in \Z _ {q'}^{n+1}$.
 
 Note that the modulus has been switched to $q'$. Constant multiplication and rounding is done component-wise on $\bf{c}$.
 
@@ -304,23 +304,23 @@ We check that $\bf{c}'$ has scaling factor $\Delta$. We know that $\mu' = b' + \
 Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = \mu + kq$. By the choice of $b'$ and $\bf{a}'$, we have
 
 $$
-b' = \Delta\inv \cdot b + \epsilon_0, \quad a_i' = \Delta\inv \cdot a_i + \epsilon_i
+b' = \Delta\inv \cdot b + \epsilon _ 0, \quad a _ i' = \Delta\inv \cdot a _ i + \epsilon _ i
 $$
 
-for some $\epsilon_i$ such that $\abs{\epsilon_i} \leq 0.5$. So we have
+for some $\epsilon _ i$ such that $\abs{\epsilon _ i} \leq 0.5$. So we have
 
 $$
 \begin{aligned}
-\mu' &= \Delta\inv \cdot \paren{b + \sum_{i=1}^n a_i s_i} + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
+\mu' &= \Delta\inv \cdot \paren{b + \sum _ {i=1}^n a _ i s _ i} + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i \\
 &= \Delta\inv \cdot (\mu + kq) + \epsilon \approx \Delta \inv \cdot (\Delta^2 \cdot m) + kq' = \Delta \cdot m \pmod{q'},
 \end{aligned}
 $$
 
-since $\epsilon = \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i$ is small.
+since $\epsilon = \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i$ is small.
 
 ### Modulus Chain
 
-Using modulus switching, we can set $q_L = \Delta^{L+1}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q_{k-1} = q_k / \Delta$.
+Using modulus switching, we can set $q _ L = \Delta^{L+1}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q _ {k-1} = q _ k / \Delta$.
 
 Multiplication increases the scaling factor to $\Delta^2$, and then rescaling operation reduces the scaling factor back to $\Delta$.
 
@@ -330,19 +330,19 @@ $$
 \Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta.
 $$
 
-When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping) here.
+When we reach $q _ 0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping) here.
 
 ### Multiplication in CKKS (Summary)
 
-- Set up a modulus chain $q_k = \Delta^{k+1}$ for $k = 0, \dots, L$.
-- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and **scaling factor** $\Delta$.
+- Set up a modulus chain $q _ k = \Delta^{k+1}$ for $k = 0, \dots, L$.
+- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z _ {q _ k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z _ {q _ k}^{n+1}$ with modulus $q _ k$ and **scaling factor** $\Delta$.
 
-- (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
+- (**Tensor Product**) $\bf{c} _ \rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q _ k}$.
 	- Now we have $n^2$ dimensions and scaling factor $\Delta^2$.
 - (**Relinearization**)
 	- Back to $n$ dimensions and scaling factor $\Delta^2$.
 - (**Modulus Switching**; **Rescaling**)
-	- Modulus is switched to $q_{k-1}$ and scaling factor is back to $\Delta$.
+	- Modulus is switched to $q _ {k-1}$ and scaling factor is back to $\Delta$.
 
 [^1]: The noise hasn't gone away since we didn't *fully evaluate* the decryption circuit, which takes the remainders from dividing by $q$ and $2$.
 [^2]: No rounding...?