From 6960edd3d4c2bb1454338daacb20a06cc04d361d Mon Sep 17 00:00:00 2001 From: Sungchan Yi Date: Wed, 13 Nov 2024 10:49:03 +0900 Subject: [PATCH] [PUBLISHER] upload files #170 * PUSH NOTE : 05. Lebesgue Integration.md * PUSH NOTE : 04. Measurable Functions.md * PUSH NOTE : 03. Measure Spaces.md * PUSH NOTE : 02. Construction of Measure.md * PUSH NOTE : Rules of Inference with Coq.md * PUSH NOTE : 9. Public Key Encryption.md * PUSH NOTE : 7. Key Exchange.md * PUSH NOTE : 6. Hash Functions.md * PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md * PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md * PUSH NOTE : 14. Secure Multiparty Computation.md * PUSH NOTE : 07. Public Key Cryptography.md * PUSH NOTE : 06. RSA and ElGamal Encryption.md * PUSH NOTE : 05. Modular Arithmetic (2).md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * PUSH NOTE : 02. Symmetric Key Cryptography (1).md * DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-19-public-key-encryption.md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-10-09-public-key-cryptography.md --- .../Coq/2023-07-08-rules-of-inference.md | 2 +- .../2023-01-23-construction-of-measure.md | 59 ++++++++++--------- .../2023-01-24-measure-spaces.md | 25 ++++---- .../2023-02-06-measurable-functions.md | 19 +++--- .../2023-02-13-lebesgue-integration.md | 23 +++++--- ...2023-09-11-symmetric-key-cryptography-1.md | 8 +-- ...2023-09-18-symmetric-key-cryptography-2.md | 8 +-- .../2023-10-04-modular-arithmetic-2.md | 48 +++++++-------- .../2023-10-04-rsa-elgamal.md | 16 ++--- .../2023-09-12-prfs-prps-block-ciphers.md | 2 +- ...6-cca-security-authenticated-encryption.md | 18 +++--- .../2023-09-28-hash-functions.md | 8 +-- .../2023-10-03-key-exchange.md | 12 ++-- 13 files changed, 134 insertions(+), 114 deletions(-) diff --git a/_posts/Mathematics/Coq/2023-07-08-rules-of-inference.md b/_posts/Mathematics/Coq/2023-07-08-rules-of-inference.md index e52c4b1..331373e 100644 
--- a/_posts/Mathematics/Coq/2023-07-08-rules-of-inference.md +++ b/_posts/Mathematics/Coq/2023-07-08-rules-of-inference.md @@ -240,4 +240,4 @@ Qed. --- -I was supposed to be reading the [source](https://github.com/snu-sf/promising-seq-coq) for the paper [Sequential Reasoning for Optimizing Compilers Under Weak Memory Concurrency](https://dl.acm.org/doi/abs/10.1145/3519939.3523718) but I got carried away... \ No newline at end of file +I was supposed to be reading the [source](https://github.com/snu-sf/promising-seq-coq) for the paper [Sequential Reasoning for Optimizing Compilers Under Weak Memory Concurrency](https://dl.acm.org/doi/abs/10.1145/3519939.3523718) but I got carried away... diff --git a/_posts/Mathematics/Measure Theory/2023-01-23-construction-of-measure.md b/_posts/Mathematics/Measure Theory/2023-01-23-construction-of-measure.md index 5f68735..3f5aff9 100644 --- a/_posts/Mathematics/Measure Theory/2023-01-23-construction-of-measure.md +++ b/_posts/Mathematics/Measure Theory/2023-01-23-construction-of-measure.md @@ -2,18 +2,23 @@ share: true toc: true math: true -categories: [Mathematics, Measure Theory] -tags: [math, analysis, measure-theory] -title: "02. Construction of Measure" -date: "2023-01-23" -github_title: "2023-01-23-construction-of-measure" +categories: + - Mathematics + - Measure Theory +tags: + - math + - analysis + - measure-theory +title: 02. Construction of Measure +date: 2023-01-23 +github_title: 2023-01-23-construction-of-measure image: path: /assets/img/posts/Mathematics/Measure Theory/mt-02.png attachment: folder: assets/img/posts/Mathematics/Measure Theory --- -![mt-02.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-02.png) +![mt-02.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-02.png) 이제 본격적으로 집합을 재보도록 하겠습니다. 우리가 잴 수 있는 집합들부터 시작합니다. $\mathbb{R}^p$에서 논의할 건데, 이제 여기서부터는 $\mathbb{R}$의 구간의 열림/닫힘을 모두 포괄하여 정의합니다. 즉, $\mathbb{R}$의 구간이라고 하면 $[a, b], (a, b), [a, b), (a, b]$ 네 가지 경우를 모두 포함합니다. 
@@ -139,11 +144,11 @@ Countably additive 조건이 성립하는 집합들만 모아서 measure를 cons $$\left.\begin{array}{c}d(A_1 \cup A_2, B_1 \cup B_2) \\d(A_1 \cap A_2, B_1 \cap B_2) \\d(A_1 \setminus A_2, B_1 \setminus B_2)\end{array}\right\rbrace\leq d(A_1, B_1) + d(A_2, B_2).$$ -**정의.** (Finitely $\mu$-measurable) 집합 $A_n \in \Sigma$ 이 존재하여 $A_n \rightarrow A$ 이면 $A$가 **finitely $\mu$-measurable**이라 한다. 그리고 finitely $\mu$-measurable한 집합의 모임을 $\mathfrak{M} _ F(\mu)$로 표기한다. +**정의.** (Finitely $\mu$-measurable) 집합 $A_n \in \Sigma$ 이 존재하여 $A_n \rightarrow A$ 이면 $A$가 **finitely $\mu$-measurable**이라 한다. 그리고 finitely $\mu$-measurable한 집합의 모임을 $\mathfrak{M}_F(\mu)$로 표기한다. 위 정의는 $\mu$라는 set function에 의해 $\mu^\ast (A_n \mathop{\mathrm{\triangle}}A) \rightarrow 0$ 이 되는 elementary set $A_n$이 존재한다는 의미입니다. -**정의.** ($\mu$-measurable) $A_n \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 이면 $A$가 **$\mu$-measurable**이라 한다. 그리고 $\mu$-measurable한 집합의 모임을 $\mathfrak{M}(\mu)$로 표기한다. +**정의.** ($\mu$-measurable) $A_n \in \mathfrak{M}_F(\mu)$ 에 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 이면 $A$가 **$\mu$-measurable**이라 한다. 그리고 $\mu$-measurable한 집합의 모임을 $\mathfrak{M}(\mu)$로 표기한다. **참고.** $\mu^\ast(A) = d(A, \varnothing) \leq d(A, B) + \mu^\ast(B)$. @@ -151,7 +156,7 @@ Countably additive 조건이 성립하는 집합들만 모아서 measure를 cons $$\lvert \mu^\ast(A) - \mu^\ast(B) \rvert \leq d(A, B).$$ -**따름정리.** $A \in \mathfrak{M} _ F(\mu)$ 이면 $\mu^\ast(A) < \infty$ 이다. +**따름정리.** $A \in \mathfrak{M}_F(\mu)$ 이면 $\mu^\ast(A) < \infty$ 이다. **증명.** $A_n \in \Sigma$ 가 존재하여 $A_n \rightarrow A$ 이고, $N \in \mathbb{N}$ 이 존재하여 
@@ -159,7 +164,7 @@ $$\mu^\ast(A) \leq d(A_N, A) + \mu^\ast(A_N) \leq 1 + \mu^\ast(A_N) < \infty$$ 이다. -**따름정리.** $A_n \rightarrow A$ 이고 $A_n, A \in \mathfrak{M} _ F(\mu)$ 이면 $\mu^\ast(A_n)\rightarrow\mu^\ast(A) < \infty$ 이다. +**따름정리.** $A_n \rightarrow A$ 이고 $A_n, A \in \mathfrak{M}_F(\mu)$ 이면 $\mu^\ast(A_n)\rightarrow\mu^\ast(A) < \infty$ 이다. **증명.** $\mu^\ast(A)$, $\mu^\ast(A_n)$가 유한하므로, $n \rightarrow\infty$ 일 때 $\lvert \mu^\ast(A_n) - \mu^\ast(A) \rvert \leq d(A_n, A) \rightarrow 0$ 이다. @@ -171,15 +176,15 @@ $$\mu^\ast(A) \leq d(A_N, A) + \mu^\ast(A_N) \leq 1 + \mu^\ast(A_N) < \infty$$ **증명.** $\mathfrak{M}(\mu)$가 $\sigma$-algebra이고 $\mu^\ast$가 $\mathfrak{M}(\mu)$에서 countably additive임을 보이면 충분하다. -**(Step 0)** *$\mathfrak{M} _ F(\mu)$는 ring이다.* +**(Step 0)** *$\mathfrak{M}_F(\mu)$는 ring이다.* -$A, B \in \mathfrak{M} _ F(\mu)$ 라 하자. 그러면 $A_n, B_n \in \Sigma$ 이 존재하여 $A_n \rightarrow A$, $B_n \rightarrow B$ 이 된다. 그러면 +$A, B \in \mathfrak{M}_F(\mu)$ 라 하자. 그러면 $A_n, B_n \in \Sigma$ 이 존재하여 $A_n \rightarrow A$, $B_n \rightarrow B$ 이 된다. 그러면 $$\left.\begin{array}{c}d(A_n \cup B_n, A \cup B) \\ d(A_n \cap B_n, A \cap B) \\ d(A_n \setminus B_n, A \setminus B)\end{array}\right\rbrace\leq d(A_n, A) + d(B_n, B) \rightarrow 0$$ -이므로 $A_n \cup B_n \rightarrow A \cup B, A_n \setminus B_n \rightarrow A\setminus B$ 이기 때문에 $\mathfrak{M} _ F(\mu)$는 ring이다. +이므로 $A_n \cup B_n \rightarrow A \cup B, A_n \setminus B_n \rightarrow A\setminus B$ 이기 때문에 $\mathfrak{M}_F(\mu)$는 ring이다. -**(Step 1)** *$\mu^\ast$는 $\mathfrak{M} _ F(\mu)$ 위에서 additive이다*. +**(Step 1)** *$\mu^\ast$는 $\mathfrak{M}_F(\mu)$ 위에서 additive이다*. $\Sigma$ 위에서는 $\mu = \mu^\ast$ 이므로, 위 따름정리에 의해 
@@ -191,17 +196,17 @@ $$\mu^\ast(A) + \mu^\ast(B) = \mu^\ast(A\cup B) + \mu^\ast(A \cap B)$$ 를 얻는다. $A \cap B = \varnothing$ 라는 조건이 추가되면 $\mu^\ast$가 additive임을 알 수 있다. -**(Step 2)** *$\mathfrak{M} _ F(\mu) = \lbrace A \in \mathfrak{M}(\mu) : \mu^\ast(A) < \infty\rbrace$.*[^2] +**(Step 2)** *$\mathfrak{M}_F(\mu) = \lbrace A \in \mathfrak{M}(\mu) : \mu^\ast(A) < \infty\rbrace$.*[^2] -**Claim**. 쌍마다 서로소인 $\mathfrak{M} _ F(\mu)$의 원소들을 잡아 이들의 합집합으로 $A \in \mathfrak{M}(\mu)$ 를 표현할 수 있다. +**Claim**. 쌍마다 서로소인 $\mathfrak{M}_F(\mu)$의 원소들을 잡아 이들의 합집합으로 $A \in \mathfrak{M}(\mu)$ 를 표현할 수 있다. -**증명.** $A_n' \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \bigcup A_n'$ 로 두자. +**증명.** $A_n' \in \mathfrak{M}_F(\mu)$ 에 대하여 $A = \bigcup A_n'$ 로 두자. > $A_1 = A_1'$, $n \geq 2$ 이면 $A_n = A_n' \setminus(A_1'\cup \cdots \cup A_ {n-1}')$ -와 같이 정의하면 $A_n$이 쌍마다 서로소이고 $A_n \in \mathfrak{M} _ F(\mu)$ 임을 알 수 있다. +와 같이 정의하면 $A_n$이 쌍마다 서로소이고 $A_n \in \mathfrak{M}_F(\mu)$ 임을 알 수 있다. -위 사실을 이용하여 $A_n \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 으로 두자. +위 사실을 이용하여 $A_n \in \mathfrak{M}_F(\mu)$ 에 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 으로 두자. 1. Countable subadditivity에 의해 $\displaystyle\mu^\ast(A) \leq \sum_ {n=1}^{\infty} \mu^\ast (A_n)$ 가 성립한다. 
@@ -215,7 +220,7 @@ $$\displaystyle d(A, B_n) = \mu^\ast\left( \bigcup_ {k=n+1}^\infty A_k \right) = 임을 알 수 있다. -$B_n \in \mathfrak{M} _ F(\mu)$ 이므로 $C_n \in \Sigma$ 를 잡아 각 $n \in \mathbb{N}$ 에 대하여 $d(B_n, C_n)$를 임의로 작게 만들 수 있다. 그러면 $d(A, C_n) \leq d(A, B_n) + d(B_n, C_n)$ 이므로 충분히 큰 $n$에 대하여 $d(A, C_n)$도 임의로 작게 만들 수 있다. 따라서 $C_n \rightarrow A$ 임을 알 수 있고 $A \in \mathfrak{M} _ F(\mu)$ 라는 결론을 내릴 수 있다. +$B_n \in \mathfrak{M}_F(\mu)$ 이므로 $C_n \in \Sigma$ 를 잡아 각 $n \in \mathbb{N}$ 에 대하여 $d(B_n, C_n)$를 임의로 작게 만들 수 있다. 그러면 $d(A, C_n) \leq d(A, B_n) + d(B_n, C_n)$ 이므로 충분히 큰 $n$에 대하여 $d(A, C_n)$도 임의로 작게 만들 수 있다. 따라서 $C_n \rightarrow A$ 임을 알 수 있고 $A \in \mathfrak{M}_F(\mu)$ 라는 결론을 내릴 수 있다. **(Step 3)** *$\mu^\ast$는 $\mathfrak{M}(\mu)$ 위에서 countably additive이다.* @@ -225,7 +230,7 @@ $$\mu^\ast\left( \bigcup_ {n=1}^\infty A_n \right) \geq \mu^\ast(A_m) = \infty = 이므로 countable additivity가 성립한다. -이제 모든 $n\in \mathbb{N}$ 에 대하여 $\mu^\ast(A_n) < \infty$ 이면, Step 2에 의해 $A_n \in \mathfrak{M} _ F(\mu)$ 이고 +이제 모든 $n\in \mathbb{N}$ 에 대하여 $\mu^\ast(A_n) < \infty$ 이면, Step 2에 의해 $A_n \in \mathfrak{M}_F(\mu)$ 이고 $$\mu^\ast(A) = \mu^\ast\left( \bigcup_ {n=1}^\infty A_n \right) = \sum_ {n=1}^\infty \mu^\ast(A_n)$$ 
@@ -233,21 +238,21 @@ $$\mu^\ast(A) = \mu^\ast\left( \bigcup_ {n=1}^\infty A_n \right) = \sum_ {n=1}^\ **(Step 4)** *$\mathfrak{M}(\mu)$는 $\sigma$-ring이다.* -$A_n \in \mathfrak{M}(\mu)$ 이면 $B_ {n, k} \in \mathfrak{M} _ F(\mu)$ 가 존재하여 $\displaystyle A_n = \bigcup_k B_ {n,k}$ 이다. 그러면 +$A_n \in \mathfrak{M}(\mu)$ 이면 $B_ {n, k} \in \mathfrak{M}_F(\mu)$ 가 존재하여 $\displaystyle A_n = \bigcup_k B_ {n,k}$ 이다. 그러면 $$\bigcup_n A_n = \bigcup_ {n, k} B_ {n, k} \in \mathfrak{M}(\mu)$$ 이다. -$A, B \in \mathfrak{M}(\mu)$ 라 하면 $A_n, B_n \in \mathfrak{M} _ F(\mu)$ 에 대해 $\displaystyle A = \bigcup A_n$, $\displaystyle B = \bigcup B_n$ 이므로, +$A, B \in \mathfrak{M}(\mu)$ 라 하면 $A_n, B_n \in \mathfrak{M}_F(\mu)$ 에 대해 $\displaystyle A = \bigcup A_n$, $\displaystyle B = \bigcup B_n$ 이므로, $$A \setminus B = \bigcup_ {n=1}^\infty \left( A_n \setminus B \right) = \bigcup_ {n=1}^\infty (A_n\setminus(A_n\cap B))$$ -임을 알 수 있다. 그러므로 $A_n \cap B \in \mathfrak{M} _ F(\mu)$ 인 것만 보이면 충분하다. 정의에 의해 +임을 알 수 있다. 그러므로 $A_n \cap B \in \mathfrak{M}_F(\mu)$ 인 것만 보이면 충분하다. 정의에 의해 $$A_n \cap B = \bigcup_ {k=1}^\infty (A_n \cap B_k) \in \mathfrak{M}(\mu)$$ -이고 $\mu^\ast(A_n \cap B) \leq \mu^\ast(A_n) < \infty$ 이므로 $A_n\cap B \in \mathfrak{M} _ F(\mu)$ 이다. 따라서 $A \setminus B$ 가 $\mathfrak{M} _ F(\mu)$의 원소들의 countable 합집합으로 표현되므로 $A\setminus B \in \mathfrak{M}(\mu)$ 이다. +이고 $\mu^\ast(A_n \cap B) \leq \mu^\ast(A_n) < \infty$ 이므로 $A_n\cap B \in \mathfrak{M}_F(\mu)$ 이다. 따라서 $A \setminus B$ 가 $\mathfrak{M}_F(\mu)$의 원소들의 countable 합집합으로 표현되므로 $A\setminus B \in \mathfrak{M}(\mu)$ 이다. 따라서 $\mathfrak{M}(\mu)$는 $\sigma$-ring이고 $\sigma$-algebra이다. 
@@ -257,5 +262,5 @@ $$A_n \cap B = \bigcup_ {k=1}^\infty (A_n \cap B_k) \in \mathfrak{M}(\mu)$$ [^1]: $A$가 open이 아니면 자명하지 않은 명제입니다. [^2]: $A$가 $\mu$-measurable인데 $\mu^\ast(A) < \infty$이면 $A$는 finitely $\mu$-measurable이다. -[^3]: $A$가 countable union of sets in $\mathfrak{M} _ F(\mu)$이므로 $\mu^\ast$도 각 set의 $\mu^\ast$의 합이 된다. -[^4]: 아직 증명이 끝나지 않았습니다. $A_n$은 $\mathfrak{M}(\mu)$의 원소가 아니라 $\mathfrak{M} _ F(\mu)$의 원소입니다. +[^3]: $A$가 countable union of sets in $\mathfrak{M}_F(\mu)$이므로 $\mu^\ast$도 각 set의 $\mu^\ast$의 합이 된다. +[^4]: 아직 증명이 끝나지 않았습니다. $A_n$은 $\mathfrak{M}(\mu)$의 원소가 아니라 $\mathfrak{M}_F(\mu)$의 원소입니다. diff --git a/_posts/Mathematics/Measure Theory/2023-01-24-measure-spaces.md b/_posts/Mathematics/Measure Theory/2023-01-24-measure-spaces.md index 4ebcdb3..168cbd7 100644 --- a/_posts/Mathematics/Measure Theory/2023-01-24-measure-spaces.md +++ b/_posts/Mathematics/Measure Theory/2023-01-24-measure-spaces.md @@ -2,11 +2,16 @@ share: true toc: true math: true -categories: [Mathematics, Measure Theory] -tags: [math, analysis, measure-theory] -title: "03. Measure Spaces" -date: "2023-01-24" -github_title: "2023-01-24-measure-spaces" +categories: + - Mathematics + - Measure Theory +tags: + - math + - analysis + - measure-theory +title: 03. Measure Spaces +date: 2023-01-24 +github_title: 2023-01-24-measure-spaces image: path: /assets/img/posts/Mathematics/Measure Theory/mt-03.png attachment: 
@@ -17,15 +22,15 @@ attachment: Construction of measure 증명에서 추가로 참고할 내용입니다. -![mt-03.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-03.png) +![mt-03.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-03.png) **명제.** $A$가 열린집합이면 $A \in \mathfrak{M}(\mu)$ 이다. 또한 $A^C \in \mathfrak{M}(\mu)$ 이므로, $F$가 닫힌집합이면 $F \in \mathfrak{M}(\mu)$ 이다. -**증명.** 중심이 $x\in \mathbb{R}^p$ 이고 반지름이 $r$인 열린 box를 $I(x, r)$이라 두자. $I(x, r)$은 명백히 $\mathfrak{M} _ F(\mu)$의 원소이다. 이제 +**증명.** 중심이 $x\in \mathbb{R}^p$ 이고 반지름이 $r$인 열린 box를 $I(x, r)$이라 두자. $I(x, r)$은 명백히 $\mathfrak{M}_F(\mu)$의 원소이다. 이제 $$A = \bigcup_ {\substack{x \in \mathbb{Q}^p, \; r \in \mathbb{Q}\\ I(x, r)\subseteq A}} I(x, r)$$ -로 적을 수 있으므로 $A$는 $\mathfrak{M} _ F(\mu)$의 원소들의 countable union이 되어 $A \in \mathfrak{M}(\mu)$ 이다. 이제 $\mathfrak{M}(\mu)$가 $\sigma$-algebra이므로 $A^C\in \mathfrak{M}(\mu)$ 이고, 이로부터 임의의 닫힌집합 $F$도 $\mathfrak{M}(\mu)$의 원소임을 알 수 있다. +로 적을 수 있으므로 $A$는 $\mathfrak{M}_F(\mu)$의 원소들의 countable union이 되어 $A \in \mathfrak{M}(\mu)$ 이다. 이제 $\mathfrak{M}(\mu)$가 $\sigma$-algebra이므로 $A^C\in \mathfrak{M}(\mu)$ 이고, 이로부터 임의의 닫힌집합 $F$도 $\mathfrak{M}(\mu)$의 원소임을 알 수 있다. **명제.** $A \in \mathfrak{M}(\mu)$ 이면 임의의 $\epsilon > 0$ 에 대하여 
@@ -35,13 +40,13 @@ $$F \subseteq A \subseteq G, \quad \mu\left( G \setminus A \right) < \epsilon, \ 이는 곧 정의역을 $\mathfrak{M}(\mu)$로 줄였음에도 $\mu$가 여전히 $\mathfrak{M}(\mu)$ 위에서 regular라는 뜻입니다. -**증명.** $A = \bigcup_ {n=1}^\infty A_n$ ($A_n \in \mathfrak{M} _ F(\mu)$) 로 두고 $\epsilon > 0$ 을 고정하자. 각 $n \in \mathbb{N}$ 에 대하여 열린집합 $B_ {n, k} \in \Sigma$ 를 잡아 $A_n \subseteq\bigcup_ {k=1}^\infty B_ {n, k}$ 와 +**증명.** $A = \bigcup_ {n=1}^\infty A_n$ ($A_n \in \mathfrak{M}_F(\mu)$) 로 두고 $\epsilon > 0$ 을 고정하자. 각 $n \in \mathbb{N}$ 에 대하여 열린집합 $B_ {n, k} \in \Sigma$ 를 잡아 $A_n \subseteq\bigcup_ {k=1}^\infty B_ {n, k}$ 와 $$\mu\left( \bigcup_ {k=1}^{\infty} B_ {n, k} \right) \leq \sum_ {k=1}^{\infty} \mu\left( B_ {n, k} \right) < \mu\left( A_n \right) + 2^{-n}\epsilon$$ 을 만족하도록 할 수 있다.[^1] -이제 열린집합을 잡아보자. $G_n = \bigcup_ {k=1}^{\infty} B_ {n, k}$ 으로 두고 $G = \bigcup_ {n=1}^{\infty} G_n$ 로 잡는다. $A_n \in \mathfrak{M} _ F(\mu)$ 이므로 $\mu\left( A_n \right) < \infty$ 이고, 다음이 성립한다. +이제 열린집합을 잡아보자. $G_n = \bigcup_ {k=1}^{\infty} B_ {n, k}$ 으로 두고 $G = \bigcup_ {n=1}^{\infty} G_n$ 로 잡는다. $A_n \in \mathfrak{M}_F(\mu)$ 이므로 $\mu\left( A_n \right) < \infty$ 이고, 다음이 성립한다. $$\begin{aligned} \mu\left( G \setminus A \right) & = \mu\left( \bigcup_ {n=1}^{\infty} G_n \setminus\bigcup_ {n=1}^{\infty} A_n \right) \leq \mu\left( \bigcup_ {n=1}^{\infty} G_n \setminus A_n \right) \\ &\leq \sum_ {n=1}^{\infty} \mu\left( G_n \setminus A_n \right) \leq \sum_ {n=1}^{\infty} 2^{-n}\epsilon = \epsilon. \end{aligned}$$ diff --git a/_posts/Mathematics/Measure Theory/2023-02-06-measurable-functions.md b/_posts/Mathematics/Measure Theory/2023-02-06-measurable-functions.md index 21c9791..46c03cc 100644 --- a/_posts/Mathematics/Measure Theory/2023-02-06-measurable-functions.md +++ b/_posts/Mathematics/Measure Theory/2023-02-06-measurable-functions.md 
@@ -2,11 +2,16 @@ share: true toc: true math: true -categories: [Mathematics, Measure Theory] -tags: [math, analysis, measure-theory] -title: "04. Measurable Functions" -date: "2023-02-06" -github_title: "2023-02-06-measurable-functions" +categories: + - Mathematics + - Measure Theory +tags: + - math + - analysis + - measure-theory +title: 04. Measurable Functions +date: 2023-02-06 +github_title: 2023-02-06-measurable-functions image: path: /assets/img/posts/Mathematics/Measure Theory/mt-04.png attachment: @@ -139,7 +144,7 @@ $$\begin{aligned} \lbrace x \in X : F\bigl(f(x), g(x)\bigr) > a\rbrace = $$\chi_E(x) = \begin{cases} 1 & (x\in E) \\ 0 & (x \notin E). \end{cases}$$ -참고로 characteristic function은 indicator function 등으로도 불리며, $\mathbf{1} _ E, K_E$로 표기하는 경우도 있습니다. +참고로 characteristic function은 indicator function 등으로도 불리며, $\mathbf{1}_E, K_E$로 표기하는 경우도 있습니다. ## Simple Function @@ -155,7 +160,7 @@ $$s(x) = \sum_ {i=1}^{n} c_i \chi_ {E_i}(x).$$ 여기서 $E_i$에 measurable 조건이 추가되면, 정의에 의해 $\chi_ {E_i}$도 measurable function입니다. 따라서 모든 measurable simple function을 measurable $\chi_ {E_i}$의 linear combination으로 표현할 수 있습니다. -![mt-04.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-04.png) +![mt-04.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-04.png) 아래 정리는 simple function이 Lebesgue integral의 building block이 되는 이유를 잘 드러냅니다. 모든 함수는 simple function으로 근사할 수 있습니다. diff --git a/_posts/Mathematics/Measure Theory/2023-02-13-lebesgue-integration.md b/_posts/Mathematics/Measure Theory/2023-02-13-lebesgue-integration.md index 3b59bb7..c132b2f 100644 --- a/_posts/Mathematics/Measure Theory/2023-02-13-lebesgue-integration.md +++ b/_posts/Mathematics/Measure Theory/2023-02-13-lebesgue-integration.md 
@@ -2,11 +2,16 @@ share: true toc: true math: true -categories: [Mathematics, Measure Theory] -tags: [math, analysis, measure-theory] -title: "05. Lebesgue Integration" -date: "2023-02-13" -github_title: "2023-02-13-lebesgue-integration" +categories: + - Mathematics + - Measure Theory +tags: + - math + - analysis + - measure-theory +title: 05. Lebesgue Integration +date: 2023-02-13 +github_title: 2023-02-13-lebesgue-integration image: path: /assets/img/posts/Mathematics/Measure Theory/mt-05.png attachment: @@ -19,9 +24,9 @@ attachment: $E \in \mathscr{F}$ 일 때, 적분을 정의하기 위해 -$$\mathscr{F} _ E = \lbrace A \cap E : A \in \mathscr{F}\rbrace, \quad \mu_E = \mu|_ {\mathscr{F} _ E}$$ +$$\mathscr{F}_E = \lbrace A \cap E : A \in \mathscr{F}\rbrace, \quad \mu_E = \mu|_ {\mathscr{F}_E}$$ -로 설정하고 $\int = \int_E$ 로 두어 ($X, \mathscr{F} _ E, \mu_E$) 위에서 적분을 정의할 수 있습니다. 그러나 굳이 이렇게 하지 않아도 됩니다. $\int = \int_X$ 로 두고 +로 설정하고 $\int = \int_E$ 로 두어 ($X, \mathscr{F}_E, \mu_E$) 위에서 적분을 정의할 수 있습니다. 그러나 굳이 이렇게 하지 않아도 됩니다. $\int = \int_X$ 로 두고 $$\int_E f \,d{\mu} = \int f \chi _E \,d{\mu}$$ @@ -45,7 +50,7 @@ $$\int \chi_A \,d{\mu} = \mu(A)$$ 다음으로 양의 값을 갖는 measurable simple function에 대해 정의합니다. $f = f^+ - f^-$ 에서 $f^+, f^-$ 모두 양의 값을 갖기 때문에 양의 값에 대해 먼저 정의합니다. -**(Step 2)** $f: X \rightarrow[0, \infty)$ 가 measurable simple function이라 하자. 그러면 $A_k \subseteq\mathscr{F}$ 이면서 쌍마다 서로소인 집합열 $\left( A_k \right) _ {k=1}^n$과 $a_k \in [0, \infty)$ 인 수열 $\left( a_k \right) _ {k=1}^n$을 잡아 +**(Step 2)** $f: X \rightarrow[0, \infty)$ 가 measurable simple function이라 하자. 그러면 $A_k \subseteq\mathscr{F}$ 이면서 쌍마다 서로소인 집합열 $\left( A_k \right)_{k=1}^n$과 $a_k \in [0, \infty)$ 인 수열 $\left( a_k \right)_{k=1}^n$을 잡아 $$f(x) = \sum_ {k=1}^n a_k \chi_ {A_k}$$ 
@@ -121,7 +126,7 @@ $$\int f \,d{\mu} = \sup\left\lbrace \int h \,d{\mu}: 0\leq h \leq f, h \text{ m $f$보다 작은 measurable simple function의 적분값 중 상한을 택하겠다는 의미입니다. $f$보다 작은 measurable simple function으로 $f$를 근사한다고도 이해할 수 있습니다. 또한 $f$가 simple function이면 Step 2의 정의와 일치하는 것을 알 수 있습니다. -![mt-05.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-05.png) +![mt-05.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-05.png) $f \geq 0$ 가 measurable이면 증가하는 measurable simple 함수열 $s_n$이 존재함을 지난 번에 보였습니다. 이 $s_n$에 대하여 적분값을 계산해보면 diff --git a/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md b/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md index 082576a..e7d44f8 100644 --- a/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md +++ b/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md @@ -98,7 +98,7 @@ To attack this scheme, find the key length by [*index of coincidence*](https://e #### Hill Cipher - A polyalphabetic substitution -- A key is a *invertible* matrix $K = (k _ {ij}) _ {m \times m}$ where $k _ {ij} \in \mathbb{Z} _ {26}$. +- A key is a *invertible* matrix $K = (k_{ij})_{m \times m}$ where $k_{ij} \in \mathbb{Z}_{26}$. - Encryption/decryption is done by multiplying $K$ or $K^{-1}$. This scheme is vulnerable to known plaintext attack, since the equation can be solved for $K$. @@ -191,7 +191,7 @@ Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then ch - Encryption: $E(k, m) = k \oplus m$. - Decryption: $D(k, c) = k \oplus c$. -This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)). +This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)). ## Perfect Secrecy 
@@ -204,7 +204,7 @@ This scheme is **provably secure**. See also [one-time pad (Modern Cryptography) > Or equivalently, for all $m_0, m_1 \in \mathcal{M}$, $c \in \mathcal{C}$, > > $$ -> \Pr[E(k, m _ 0) = c] = \Pr[E(k, m _ 1) = c] +> \Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c] > $$ > > where $k$ is chosen uniformly in $\mathcal{K}$. @@ -225,7 +225,7 @@ since for each $m$ and $c$, $k$ is determined uniquely. *Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$. -For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#shannon's-theorem). +For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#shannon's-theorem). ### Two-Time Pad is Insecure diff --git a/_posts/lecture-notes/internet-security/2023-09-18-symmetric-key-cryptography-2.md b/_posts/lecture-notes/internet-security/2023-09-18-symmetric-key-cryptography-2.md index b4fc8d7..154a474 100644 --- a/_posts/lecture-notes/internet-security/2023-09-18-symmetric-key-cryptography-2.md +++ b/_posts/lecture-notes/internet-security/2023-09-18-symmetric-key-cryptography-2.md 
@@ -240,12 +240,12 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph - On IV reuse, same message will generate the same ciphertext if key isn't changed - If IV is predictable, CBC is vulnerable to chosen plaintext attacks. - Suppose Eve obtains $(\mathrm{IV}_1, E_k(\mathrm{IV}_1 \oplus m))$. - - Define Eve's new message $m' = \mathrm{IV} _ {2} \oplus \mathrm{IV} _ {1} \oplus g$, where - - $\mathrm{IV} _ 2$ is the guess of the next IV, and + - Define Eve's new message $m' = \mathrm{IV}_{2} \oplus \mathrm{IV}_{1} \oplus g$, where + - $\mathrm{IV}_2$ is the guess of the next IV, and - $g$ is a guess of Alice's original message $m$. - Eve requests an encryption of $m'$ - - $c' = E _ k(\mathrm{IV} _ 2 \oplus m') = E _ k(\mathrm{IV} _ \mathrm{1} \oplus g)$. - - Then Eve can compare $c'$ and the original $c = E _ k(\mathrm{IV} _ \mathrm{1} \oplus m)$ to recover $m$. + - $c' = E_k(\mathrm{IV}_2 \oplus m') = E_k(\mathrm{IV}_\mathrm{1} \oplus g)$. + - Then Eve can compare $c'$ and the original $c = E_k(\mathrm{IV}_\mathrm{1} \oplus m)$ to recover $m$. - Useful when there are not many cases for $m$ (or most of the message is already known). ### Cipher Feedback Mode (CFB) diff --git a/_posts/lecture-notes/internet-security/2023-10-04-modular-arithmetic-2.md b/_posts/lecture-notes/internet-security/2023-10-04-modular-arithmetic-2.md index 52403ba..7d54174 100644 --- a/_posts/lecture-notes/internet-security/2023-10-04-modular-arithmetic-2.md +++ b/_posts/lecture-notes/internet-security/2023-10-04-modular-arithmetic-2.md 
@@ -85,12 +85,12 @@ For even better (maybe faster) results, we need the help of elementary number th ## Fermat's Little Theorem > **Theorem.** Let $p$ be prime. For $a \in \mathbb{Z}$ such that $\gcd(a, p) = 1$, -> +> > $$ > a^{p-1} \equiv 1 \pmod p. > $$ -*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^*$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$. +*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^\ast$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Here is an elementary proof not using group theory. @@ -115,11 +115,11 @@ For composite modulus, we have Euler's generalization. Before proving the theore For direct calculation, we use the following formula. > **Lemma.** For $n \in \mathbb{N}$, the following holds. -> +> > $$ > \phi(n) = n \cdot \prod_{p \mid n} \left( 1 - \frac{1}{p} \right) > $$ -> +> > where $p$ is a prime number dividing $n$. So to calculate $\phi(n)$, we need to **factorize** $n$. From the formula above, we have some corollaries. 
@@ -139,41 +139,41 @@ $$ We also often use the **reduced set of residues**. -> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^*$. -> +> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^\ast$. +> > $$ -> \mathbb{Z}_n^* = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace. +> \mathbb{Z}_n^\ast = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace. > $$ Then by definition, we have the following result. -> **Lemma.** $\left\lvert \mathbb{Z}_n^* \right\lvert = \phi(n)$. +> **Lemma.** $\left\lvert \mathbb{Z}_n^\ast \right\lvert = \phi(n)$. -We can also show that $\mathbb{Z}_n^*$ is a multiplicative group. +We can also show that $\mathbb{Z}_n^\ast$ is a multiplicative group. -> **Lemma.** $\mathbb{Z}_n^*$ is a multiplicative group. +> **Lemma.** $\mathbb{Z}_n^\ast$ is a multiplicative group. -*Proof*. Let $a, b \in \mathbb{Z}_n^{ * }$. We must check if $ab \in \mathbb{Z}_n^{ * }$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^{ * }$. +*Proof*. Let $a, b \in \mathbb{Z}_n^\ast$. We must check if $ab \in \mathbb{Z}_n^\ast$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^\ast$. -Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^*$ exists since $\gcd(a, n) = 1$. 
+Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^\ast$ exists since $\gcd(a, n) = 1$. Now we can prove Euler's generalization. ## Euler's Generalization > **Theorem.** Let $a \in \mathbb{Z}$ such that $\gcd(a, n) = 1$. Then -> +> > $$ > a^{\phi(n)} \equiv 1 \pmod n. > $$ -*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^{\left\lvert \mathbb{Z}_n^{ * } \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result. +*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^\ast$. Then $a^{\left\lvert \mathbb{Z}_n^\ast \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result. -*Proof*. (Elementary) Set $f : \mathbb{Z}_n^* \rightarrow \mathbb{Z}_n^*$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem. +*Proof*. (Elementary) Set $f : \mathbb{Z}_n^\ast \rightarrow \mathbb{Z}_n^\ast$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem. Using the above result, we remark an important result that will be used in RSA. -> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^*$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$. +> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^\ast$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$. *Proof*. $a = b + k\phi(n)$ for some $k \in \mathbb{Z}$. Then 
@@ -186,26 +186,26 @@ by Euler's generalization. ## Groups Based on Modular Arithmetic > **Definition.** A **group** is a set $G$ with a binary operation $* : G \times G \rightarrow G$, satisfying the following properties. -> +> > - $(\mathsf{G1})$ The binary operation $*$ is **closed**. > - $(\mathsf{G2})$ The binary operation $*$ is **associative**, so $(a * b) * c = a * (b * c)$ for all $a, b, c \in G$. > - $(\mathsf{G3})$ $G$ has an **identity** element $e$ such that $e * a = a * e = a$ for all $a \in G$. > - $(\mathsf{G4})$ There is an **inverse** for every element of $G$. For each $a \in G$, there exists $x \in G$ such that $a * x = x * a = e$. We write $x = a^{-1}$ in this case. -$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^*$ is a multiplicative group. +$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^\ast$ is a multiplicative group. ## Chinese Remainder Theorem (CRT) > **Theorem.** Let $n_1, \dots, n_k$ be integers greater than $1$, and let $N = n_1n_2\cdots n_k$. If $n_i$ are pairwise relatively prime, then the system of equations $x \equiv a_i \pmod {n_i}$ has a unique solution modulo $N$. -> +> > *(Abstract Algebra)* The map -> +> > $$ > x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k) > $$ -> +> > defines a ring isomorphism -> +> > $$ > \mathbb{Z}_N \simeq \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}. > $$ @@ -229,7 +229,7 @@ But $n_i$ are pairwise relatively prime, so $\mathrm{lcm}(n_1, \dots, n_k) = N$ *Proof*. (**Abstract Algebra**) The above uniqueness proof shows that the map $$ -x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k) +x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k) $$ is injective. By pigeonhole principle, this map must also be surjective. This map is also a ring homomorphism, by the properties of modular arithmetic. We have a ring isomorphism. 
@@ -273,6 +273,6 @@ $$ and using the result, add the next equation $x \equiv a_3 \pmod{n_3}$ and find a solution.[^1] -Lastly, the ring isomorphism actually tells us a lot and is quite effective for computation. Since the two rings are *isomorphic*, operations in $\mathbb{Z} _ N$ can be done independently in each $\mathbb{Z} _ {n_i}$ and then merged back to $\mathbb{Z} _ N$. $N$ was a large number, so computations can be much faster in $\mathbb{Z} _ {n _ i}$. Specifically, we will see how this fact is used for computations in RSA. +Lastly, the ring isomorphism actually tells us a lot and is quite effective for computation. Since the two rings are *isomorphic*, operations in $\mathbb{Z}_N$ can be done independently in each $\mathbb{Z}_{n_i}$ and then merged back to $\mathbb{Z}_N$. $N$ was a large number, so computations can be much faster in $\mathbb{Z}_{n_i}$. Specifically, we will see how this fact is used for computations in RSA. [^1]: I have an implementation in my repository. [Link](https://github.com/calofmijuck/BOJ/blob/4b29e0c7f487aac3186661176d2795f85f0ab21b/Codes/23000/23062.cpp#L38). diff --git a/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md b/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md index 4c2387b..29f5b97 100644 --- a/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md +++ b/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md 
@@ -138,36 +138,36 @@ So we don't actually need Euler's generalization for proving the correctness of This is an inverse problem of exponentiation. The inverse of exponentials is logarithms, so we consider the **discrete logarithm of a number modulo $p$**. -Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^*$, since if $g$ is the generator, a solution always exists. +Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^\ast$, since if $g$ is the generator, a solution always exists. -Read more in [discrete logarithm problem (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#discrete-logarithm-problem-(dl)). +Read more in [discrete logarithm problem (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#discrete-logarithm-problem-(dl)). ## ElGamal Encryption This is an encryption scheme built upon the hardness of the DLP. > 1. Let $p$ be a large prime. -> 2. Select a generator $g \in \mathbb{Z}_p^*$. -> 3. Choose a private key $x \in \mathbb{Z}_p^*$. +> 2. Select a generator $g \in \mathbb{Z}_p^\ast$. +> 3. Choose a private key $x \in \mathbb{Z}_p^\ast$. > 4. Compute the public key $y = g^x \pmod p$. > - $p, g, y$ will be publicly known. > - $x$ is kept secret. ### ElGamal Encryption and Decryption -Suppose we encrypt a message $m \in \mathbb{Z}_p^*$. +Suppose we encrypt a message $m \in \mathbb{Z}_p^\ast$. -> 1. The sender chooses a random $k \in \mathbb{Z}_p^*$, called *ephemeral key*. +> 1. The sender chooses a random $k \in \mathbb{Z}_p^\ast$, called *ephemeral key*. > 2. Compute $c_1 = g^k \pmod p$ and $c_2 = my^k \pmod p$. > 3. $c_1, c_2$ are sent to the receiver. -> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^*$. +> 4. 
The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^\ast$. > 5. Then $c_2y^{-k} \equiv m \pmod p$, recovering the message. The attacker will see $g^k$. By the hardness of DLP, the attacker is unable to recover $k$ even if he knows $g$. #### Ephemeral Key Should Be Distinct -If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z} _ p^{ * }$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z} _ p^{ * }$, inverses exist. So +If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z}_p^\ast$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z}_p^\ast$, inverses exist. So $$ m_1y^k \cdot (m_2 y^k)^{-1} \equiv m_1m_2^{-1} \equiv 1 \pmod p diff --git a/_posts/lecture-notes/modern-cryptography/2023-09-12-prfs-prps-block-ciphers.md b/_posts/lecture-notes/modern-cryptography/2023-09-12-prfs-prps-block-ciphers.md index 27a5818..5ff8515 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-09-12-prfs-prps-block-ciphers.md +++ b/_posts/lecture-notes/modern-cryptography/2023-09-12-prfs-prps-block-ciphers.md @@ -227,7 +227,7 @@ These 4 modules are all invertible! For DES, the S-box is the non-linear part. If the S-box is linear, then the entire DES cipher would be linear. -Specifically, there would be a fixed binary matrix $B _ 1 \in \mathbb{Z} _ 2^{64 \times 64}$ and $B _ 2 \in \mathbb{Z} _ 2^{64 \times (48 \times 16)}$ such that +Specifically, there would be a fixed binary matrix $B_1 \in \mathbb{Z}_2^{64 \times 64}$ and $B_2 \in \mathbb{Z}_2^{64 \times (48 \times 16)}$ such that $$ \mathrm{DES}(k, m) = B_1 m \oplus B_2 \mathbf{k} 
diff --git a/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md b/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md index cc76120..507a29f 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md +++ b/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md @@ -37,9 +37,9 @@ Now we define a stronger notion of security against **chosen ciphertext attacks* > - *Encryption*: Send $m_i$ and receive $c'_i = E(k, m_i)$. > - *Decryption*: Send $c_i$ and receive $m'_i = D(k, c_i)$. > - Note that $\mathcal{A}$ is not allowed to make a decryption query for any $c_i'$. -> 3. $\mathcal{A}$ outputs a pair of messages $(m_0^ * , m_1^*)$. -> 4. The challenger generates $c^* \leftarrow E(k, m_b^*)$ and gives it to $\mathcal{A}$. -> 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^*$. +> 3. $\mathcal{A}$ outputs a pair of messages $(m_0^\ast , m_1^\ast)$. +> 4. The challenger generates $c^\ast \leftarrow E(k, m_b^\ast)$ and gives it to $\mathcal{A}$. +> 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^\ast$. > 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$. > > Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mathcal{E}$** is defined as 
@@ -54,7 +54,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks* None of the encryption schemes already seen thus far is CCA secure. -Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption/#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$. +Recall a [CPA secure construction from PRF](./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^\ast = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$. In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure. 
@@ -68,12 +68,12 @@ An adversary at destination 25 wants to receive the message sent to destination Suppose we used CBC mode encryption. Then the first block of the ciphertext would contain the IV, the next block would contain $E(k, \mathrm{IV} \oplus m_0)$. -The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^ *$ where $m^ *$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated) +The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^\ast$ where $m^\ast$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated) Then the decryption works as normal, $$ -D(k, c_0) \oplus \mathrm{IV}' = (m_0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m_0 \oplus m^*. +D(k, c_0) \oplus \mathrm{IV}' = (m_0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m_0 \oplus m^\ast. $$ The destination of the original message has been changed, even though the adversary had no information of the key. @@ -119,7 +119,7 @@ This theorem enables us to use AE secure schemes as a CCA secure scheme. > **Theorem.** Let $\mathcal{E} = (E, D)$ be a cipher. If $\mathcal{E}$ is AE-secure, then it is CCA-secure. > -> For any efficient $q$-query CCA adversary $\mathcal{A}$, there exists efficient adversaries $\mathcal{B} _ \mathrm{CPA}$ and $\mathcal{B} _ \mathrm{CI}$ such that +> For any efficient $q$-query CCA adversary $\mathcal{A}$, there exists efficient adversaries $\mathcal{B}_\mathrm{CPA}$ and $\mathcal{B}_\mathrm{CI}$ such that > > $$ > \mathrm{Adv}_{\mathrm{CCA}}[\mathcal{A}, \mathcal{E}] \leq \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{B}_\mathrm{CPA}, \mathcal{E}] + 2q \cdot \mathrm{Adv}_{\mathrm{CI}}[\mathcal{B}_\mathrm{CI}, \mathcal{E}]. 
@@ -183,13 +183,13 @@ In **Encrypt-then-MAC**, the encrypted message is signed, and is known to be sec > **Theorem.** Let $\mathcal{E} = (E, D)$ be a cipher and let $\Pi = (S, V)$ be a MAC system. If $\mathcal{E}$ is CPA secure cipher and $\Pi$ is a strongly secure MAC, then $\mathcal{E}_\mathrm{EtM}$ is AE secure. > -> For every efficient CI adversary $\mathcal{A} _ \mathrm{CI}$ attacking $\mathcal{E} _ \mathrm{EtM}$, there exists an efficient MAC adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\Pi$ such that +> For every efficient CI adversary $\mathcal{A}_\mathrm{CI}$ attacking $\mathcal{E}_\mathrm{EtM}$, there exists an efficient MAC adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\Pi$ such that > > $$ > \mathrm{Adv}_{\mathrm{CI}}[\mathcal{A}_\mathrm{CI}, \mathcal{E}_\mathrm{EtM}] = \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{B}_\mathrm{MAC}, \Pi]. > $$ > -> For every efficient CPA adversary $\mathcal{A} _ \mathrm{CPA}$ attacking $\mathcal{E} _ \mathrm{EtM}$, there exists an efficient CPA adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\mathcal{E}$ such that +> For every efficient CPA adversary $\mathcal{A}_\mathrm{CPA}$ attacking $\mathcal{E}_\mathrm{EtM}$, there exists an efficient CPA adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\mathcal{E}$ such that > > $$ > \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}_\mathrm{CPA}, \mathcal{E}_\mathrm{EtM}] = \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{B}_\mathrm{CPA}, \mathcal{E}]. diff --git a/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md b/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md index af54d71..371fc13 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md +++ b/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md 
@@ -59,7 +59,7 @@ Let $\Pi = (S, V)$ be a MAC scheme defined over $(\mathcal{K}, \mathcal{M}, \mat > > If $\Pi$ is a secure MAC and $H$ is collision resistant, then $\Pi'$ is a secure MAC. > -> For any efficient adversary $\mathcal{A}$ attacking $\Pi'$, there exist a MAC adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\Pi$ and an adversary $\mathcal{B} _ \mathrm{CR}$ attacking $H$ such that +> For any efficient adversary $\mathcal{A}$ attacking $\Pi'$, there exist a MAC adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\Pi$ and an adversary $\mathcal{B}_\mathrm{CR}$ attacking $H$ such that > > $$ > \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{A}, \Pi'] \leq \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{B}_\mathrm{MAC}, \Pi] + \mathrm{Adv}_{\mathrm{CR}}[\mathcal{B}_\mathrm{CR}, H]. @@ -140,7 +140,7 @@ Suppose that $t_{u-1} \neq t_{v-1}'$ and $m_u \neq m_v'$. Then this is a collisi Now we have $t_{u-1} = t_{u-1}'$, which implies $h(t_{u-2}, m_{u-1}) = h(t_{u-2}', m_{u-1}')$. We can now repeat the same process until the first block. If $\mathcal{B}$ did not find any collision then it means that $m_i = m_i'$ for all $i$, so $m = m'$. This is a contradiction, so $\mathcal{B}$ must have found a collision. -By the above argument, we see that $\mathrm{Adv} _ {\mathrm{CR}}[\mathcal{A}, H] = \mathrm{Adv} _ {\mathrm{CR}}[\mathcal{B}, h]$. +By the above argument, we see that $\mathrm{Adv}_{\mathrm{CR}}[\mathcal{A}, H] = \mathrm{Adv}_{\mathrm{CR}}[\mathcal{B}, h]$. ### Attacking Merkle-Damgård Hash Functions 
@@ -150,7 +150,7 @@ See Joux's attack.[^2] Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives. -Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange/#collision-resistance-based-on-dl-problem). +Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](./2023-10-03-key-exchange.md#collision-resistance-based-on-dl-problem). ![mc-06-davies-meyer.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-davies-meyer.png) @@ -195,7 +195,7 @@ We needed a complicated construction for MACs that work on long messages. We mig Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$. -Recall that [we can construct a MAC scheme from a PRF](../2023-09-21-macs/#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme. +Recall that [we can construct a MAC scheme from a PRF](./2023-09-21-macs.md#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme. #### Prepending the Key diff --git a/_posts/lecture-notes/modern-cryptography/2023-10-03-key-exchange.md b/_posts/lecture-notes/modern-cryptography/2023-10-03-key-exchange.md index 9fe862e..f3bcd01 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-10-03-key-exchange.md +++ b/_posts/lecture-notes/modern-cryptography/2023-10-03-key-exchange.md 
@@ -65,12 +65,12 @@ To implement the above protocol, we need two functions $E$ and $F$ that satisfy Let $p$ be a large prime, and let $q$ be another large prime dividing $p - 1$. We typically use very large random primes, $p$ is about $2048$ bits long, and $q$ is about $256$ bits long. -All arithmetic will be done in $\mathbb{Z}_p$. We also consider $\mathbb{Z} _ p^ *$ , the **unit group** of $\mathbb{Z} _ p$. Since $\mathbb{Z} _ p$ is a field, $\mathbb{Z} _ p^ * = \mathbb{Z} _ p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z} _ p^ *$ has order $p-1$. +All arithmetic will be done in $\mathbb{Z}_p$. We also consider $\mathbb{Z}_p^\ast$ , the **unit group** of $\mathbb{Z}_p$. Since $\mathbb{Z}_p$ is a field, $\mathbb{Z}_p^\ast = \mathbb{Z}_p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z}_p^\ast$ has order $p-1$. -Since $q$ is a prime dividing $p - 1$, $\mathbb{Z}_p^*$ has an element $g$ of order $q$.[^1] Let +Since $q$ is a prime dividing $p - 1$, $\mathbb{Z}_p^\ast$ has an element $g$ of order $q$.[^1] Let $$ -G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z}_p^*. +G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z}_p^\ast. $$ We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this. 
@@ -100,7 +100,7 @@ We have used $E(x) = g^x$ in the above implementation. This function is called t We required that $E$ must be a one-way function for the protocol to work. So it must be hard to compute the discrete logarithm function. There are some problems related to the discrete logarithm, which are used as assumptions in the security proof. They are formalized as a security game, as usual. -$G = \left\langle g \right\rangle \leq \mathbb{Z} _ p^{ * }$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary. +$G = \left\langle g \right\rangle \leq \mathbb{Z}_p^\ast$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary. ### Discrete Logarithm Problem (DL) 
@@ -182,7 +182,7 @@ If we used the DL assumption and it turns out to be false, there will be an effi Suppose we want something like a secret group chat, where there are $N$ ($\geq 3$) people and they need to generate a shared secret key. It is known that $N$-party Diffie-Hellman is possible in $N-1$ rounds. Here's how it goes. The indices are all in modulo $N$. -Each party $i$ chooses $\alpha _ i \leftarrow \mathbb{Z} _ q$, and computes $g^{\alpha _ i}$. The parties communicate in a circular form, and passes the computed value to the $(i+1)$-th party. In the next round, the $i$-th party receives $g^{\alpha _ {i-1}}$ and computes $g^{\alpha _ {i-1}\alpha _ i}$ and passes it to the next party. After $N-1$ rounds, all parties have the shared key $g^{\alpha _ 1\cdots\alpha _ N}$. +Each party $i$ chooses $\alpha_i \leftarrow \mathbb{Z}_q$, and computes $g^{\alpha_i}$. The parties communicate in a circular form, and passes the computed value to the $(i+1)$-th party. In the next round, the $i$-th party receives $g^{\alpha_{i-1}}$ and computes $g^{\alpha_{i-1}\alpha_i}$ and passes it to the next party. After $N-1$ rounds, all parties have the shared key $g^{\alpha_1\cdots\alpha_N}$. Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many communications that the above algorithm requires. Researchers are looking for methods to generate a shared key in a single round. It has been solved for $N=3$ using bilinear pairings, but for $N \geq 4$ it is an open problem. 
@@ -241,5 +241,5 @@ It is unknown whether we can get a better gap (than quadratic) using a general s To get exponential gaps, we need number theory. -[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z}_p^*$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group. +[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z}_p^\ast$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group. [^2]: R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the Symposium on Theory of Computing (STOC), pages 44–61, 1989.
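Review bot: in the `2023-10-04-rsa-elgamal.md` hunk at `@@ -138,36 +138,36 @@`, the display equation kept as trailing context under "Ephemeral Key Should Be Distinct" ends with `\equiv m_1m_2^{-1} \equiv 1 \pmod p`, which only holds when $m_1 = m_2$; the actual consequence of reusing $k$ is that the quotient of the two second components equals $m_1 m_2^{-1}$, so an attacker who knows or chose $m_1$ recovers $m_2$ directly. Since the paragraph above it is being rewritten anyway, drop the `\equiv 1` and state that conclusion. In the same hunk, steps 3 and 1 of the key generation and encryption boxes put the private key $x$ and the ephemeral key $k$ in $\mathbb{Z}_p^\ast$; both are exponents, so $\mathbb{Z}_{p-1}$ (or $\mathbb{Z}_q$ once a prime-order subgroup is used, as in the key-exchange note) is the natural range, while $\mathbb{Z}_p^\ast$ is where $y$, $c_1$ and $c_2$ live. The sentence "a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^\ast$" has the same issue: the DLP as stated ($y \equiv g^x$) lives in the multiplicative group only.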
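Review bot: the relative links in the `2023-10-04-rsa-elgamal.md`, `2023-09-26-cca-security-authenticated-encryption.md` and `2023-09-28-hash-functions.md` hunks switch from permalink-style targets (`../2023-09-19-symmetric-key-encryption/#...`) to source-file targets (`./2023-09-19-symmetric-key-encryption.md#...`); these only resolve on the published site if the build rewrites `.md` targets to post URLs, so please check one rendered page before merging. Separately, the fragment `#discrete-logarithm-problem-(dl)` keeps parentheses in the anchor; most heading-id generators (kramdown's auto IDs included) drop punctuation, giving `discrete-logarithm-problem-dl`, so confirm the fragment against the id the site actually emits.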
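Review bot: in the `2023-09-26-cca-security-authenticated-encryption.md` hunk at `@@ -183,13 +183,13 @@`, the rewritten line still reads "there exists an efficient CPA adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\mathcal{E}$" while the bound directly below it is stated for $\mathcal{B}_\mathrm{CPA}$; since the line is being edited for the subscript change, rename it to $\mathcal{B}_\mathrm{CPA}$ so the prose and the inequality refer to the same adversary.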
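Review bot: in the same file at `@@ -37,9 +37,9 @@`, step 3 of the CCA game is rewritten as `(m_0^\ast , m_1^\ast)`, which keeps the space before the comma that was only needed by the old `^ *` workaround; with `\ast` there is no reason for it, so `(m_0^\ast, m_1^\ast)` is the intended form. The `2023-10-03-key-exchange.md` hunk at `@@ -65,12 +65,12 @@` has the same leftover in `$\mathbb{Z}_p^\ast$ , the **unit group**`.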
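Review bot: across all hunks the spaced `\mathbb{Z} _ p^{ * }` form was a workaround for the Markdown engine treating `_` and `*` inside `$...$` as emphasis markers; the tightened `\mathbb{Z}_p^\ast` only renders correctly if inline math is now protected from emphasis parsing, which the patch does not document. A good spot check is the CRT paragraph in the `2023-10-04-modular-arithmetic-2.md` hunk at `@@ -273,6 +273,6 @@`, where `$\mathbb{Z}_N$`, `$\mathbb{Z}_{n_i}$` and `$\mathbb{Z}_N$` appear in one sentence: if the renderer pairs the underscores, the text between them is italicised and the subscripts disappear.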