[PUBLISHER] upload files #170

* PUSH NOTE : 05. Lebesgue Integration.md * PUSH NOTE : 04. Measurable Functions.md * PUSH NOTE : 03. Measure Spaces.md * PUSH NOTE : 02. Construction of Measure.md * PUSH NOTE : Rules of Inference with Coq.md * PUSH NOTE : 9. Public Key Encryption.md * PUSH NOTE : 7. Key Exchange.md * PUSH NOTE : 6. Hash Functions.md * PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md * PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md * PUSH NOTE : 14. Secure Multiparty Computation.md * PUSH NOTE : 07. Public Key Cryptography.md * PUSH NOTE : 06. RSA and ElGamal Encryption.md * PUSH NOTE : 05. Modular Arithmetic (2).md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * PUSH NOTE : 02. Symmetric Key Cryptography (1).md * DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-19-public-key-encryption.md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-10-09-public-key-cryptography.md
2025-12-06 22:53:51 +00:00 · 2024-11-13 10:49:03 +09:00
parent 78691732a8
commit 6960edd3d4
13 changed files with 134 additions and 114 deletions
--- a/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md
+++ b/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md
@@ -98,7 +98,7 @@ To attack this scheme, find the key length by [*index of coincidence*](https://e
 #### Hill Cipher

 - A polyalphabetic substitution
- A key is a *invertible* matrix $K = (k _ {ij}) _ {m \times m}$ where $k _ {ij} \in \mathbb{Z} _ {26}$.
+- A key is a *invertible* matrix $K = (k_{ij})_{m \times m}$ where $k_{ij} \in \mathbb{Z}_{26}$.
 - Encryption/decryption is done by multiplying $K$ or $K^{-1}$.

 This scheme is vulnerable to known plaintext attack, since the equation can be solved for $K$.
@@ -191,7 +191,7 @@ Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then ch
 - Encryption: $E(k, m) = k \oplus m$.
 - Decryption: $D(k, c) = k \oplus c$.

-This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)).
+This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)).

 ## Perfect Secrecy

@@ -204,7 +204,7 @@ This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)
 > Or equivalently, for all $m_0, m_1 \in \mathcal{M}$, $c \in \mathcal{C}$,
 >
 > $$
-> \Pr[E(k, m _ 0) = c] = \Pr[E(k, m _ 1) = c]
+> \Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c]
 > $$ 
 >
 > where $k$ is chosen uniformly in $\mathcal{K}$.
@@ -225,7 +225,7 @@ since for each $m$ and $c$, $k$ is determined uniquely.

 *Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.

-For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#shannon's-theorem).
+For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#shannon's-theorem).

 ### Two-Time Pad is Insecure

--- a/_posts/lecture-notes/internet-security/2023-09-18-symmetric-key-cryptography-2.md
+++ b/_posts/lecture-notes/internet-security/2023-09-18-symmetric-key-cryptography-2.md
@@ -240,12 +240,12 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 - On IV reuse, same message will generate the same ciphertext if key isn't changed
 - If IV is predictable, CBC is vulnerable to chosen plaintext attacks.
 	- Suppose Eve obtains $(\mathrm{IV}_1, E_k(\mathrm{IV}_1 \oplus m))$.
-	- Define Eve's new message $m' = \mathrm{IV} _  {2} \oplus \mathrm{IV} _ {1} \oplus g$, where
-		- $\mathrm{IV} _ 2$ is the guess of the next IV, and
+	- Define Eve's new message $m' = \mathrm{IV}_{2} \oplus \mathrm{IV}_{1} \oplus g$, where
+		- $\mathrm{IV}_2$ is the guess of the next IV, and
 		- $g$ is a guess of Alice's original message $m$.
 	- Eve requests an encryption of $m'$
-		- $c' = E _ k(\mathrm{IV} _ 2 \oplus m') = E _ k(\mathrm{IV} _ \mathrm{1} \oplus g)$.
-	- Then Eve can compare $c'$ and the original $c = E _ k(\mathrm{IV} _ \mathrm{1} \oplus m)$ to recover $m$.
+		- $c' = E_k(\mathrm{IV}_2 \oplus m') = E_k(\mathrm{IV}_\mathrm{1} \oplus g)$.
+	- Then Eve can compare $c'$ and the original $c = E_k(\mathrm{IV}_\mathrm{1} \oplus m)$ to recover $m$.
 	- Useful when there are not many cases for $m$ (or most of the message is already known).

 ### Cipher Feedback Mode (CFB)
--- a/_posts/lecture-notes/internet-security/2023-10-04-modular-arithmetic-2.md
+++ b/_posts/lecture-notes/internet-security/2023-10-04-modular-arithmetic-2.md
@@ -85,12 +85,12 @@ For even better (maybe faster) results, we need the help of elementary number th
 ## Fermat's Little Theorem

 > **Theorem.** Let $p$ be prime. For $a \in \mathbb{Z}$ such that $\gcd(a, p) = 1$,
-> 
+>
 > $$
 > a^{p-1} \equiv 1 \pmod p.
 > $$

-*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^*$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$.
+*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^\ast$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$.

 Here is an elementary proof not using group theory.

@@ -115,11 +115,11 @@ For composite modulus, we have Euler's generalization. Before proving the theore
 For direct calculation, we use the following formula.

 > **Lemma.** For $n \in \mathbb{N}$, the following holds.
-> 
+>
 > $$
 > \phi(n) = n \cdot \prod_{p \mid n} \left( 1 - \frac{1}{p} \right)
 > $$
-> 
+>
 > where $p$ is a prime number dividing $n$.

 So to calculate $\phi(n)$, we need to **factorize** $n$. From the formula above, we have some corollaries.
@@ -139,41 +139,41 @@ $$

 We also often use the **reduced set of residues**.

-> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^*$.
-> 
+> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^\ast$.
+>
 > $$
-> \mathbb{Z}_n^* = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
+> \mathbb{Z}_n^\ast = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
 > $$

 Then by definition, we have the following result.

-> **Lemma.** $\left\lvert \mathbb{Z}_n^* \right\lvert = \phi(n)$.
+> **Lemma.** $\left\lvert \mathbb{Z}_n^\ast \right\lvert = \phi(n)$.

-We can also show that $\mathbb{Z}_n^*$ is a multiplicative group.
+We can also show that $\mathbb{Z}_n^\ast$ is a multiplicative group.

-> **Lemma.** $\mathbb{Z}_n^*$ is a multiplicative group.
+> **Lemma.** $\mathbb{Z}_n^\ast$ is a multiplicative group.

-*Proof*. Let $a, b \in \mathbb{Z}_n^{ * }$. We must check if $ab \in \mathbb{Z}_n^{ * }$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^{ * }$.
+*Proof*. Let $a, b \in \mathbb{Z}_n^\ast$. We must check if $ab \in \mathbb{Z}_n^\ast$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^\ast$.

-Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^*$ exists since $\gcd(a, n) = 1$.
+Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^\ast$ exists since $\gcd(a, n) = 1$.

 Now we can prove Euler's generalization.

 ## Euler's Generalization

 > **Theorem.** Let $a \in \mathbb{Z}$ such that $\gcd(a, n) = 1$. Then
-> 
+>
 > $$
 > a^{\phi(n)} \equiv 1 \pmod n.
 > $$

-*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^{\left\lvert \mathbb{Z}_n^{ * } \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
+*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^\ast$. Then $a^{\left\lvert \mathbb{Z}_n^\ast \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.

-*Proof*. (Elementary) Set $f : \mathbb{Z}_n^* \rightarrow \mathbb{Z}_n^*$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
+*Proof*. (Elementary) Set $f : \mathbb{Z}_n^\ast \rightarrow \mathbb{Z}_n^\ast$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.

 Using the above result, we remark an important result that will be used in RSA.

-> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^*$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
+> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^\ast$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.

 *Proof*. $a = b + k\phi(n)$ for some $k \in \mathbb{Z}$. Then

@@ -186,26 +186,26 @@ by Euler's generalization.
 ## Groups Based on Modular Arithmetic

 > **Definition.** A **group** is a set $G$ with a binary operation $* : G \times G \rightarrow G$, satisfying the following properties.
-> 
+>
 > - $(\mathsf{G1})$ The binary operation $*$ is **closed**.
 > - $(\mathsf{G2})$ The binary operation $*$ is **associative**, so $(a * b) * c = a * (b * c)$ for all $a, b, c \in G$.
 > - $(\mathsf{G3})$ $G$ has an **identity** element $e$ such that $e * a = a * e = a$ for all $a \in G$.
 > - $(\mathsf{G4})$ There is an **inverse** for every element of $G$. For each $a \in G$, there exists $x \in G$ such that $a * x = x * a = e$. We write $x = a^{-1}$ in this case.

-$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^*$ is a multiplicative group.
+$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^\ast$ is a multiplicative group.

 ## Chinese Remainder Theorem (CRT)

 > **Theorem.** Let $n_1, \dots, n_k$ be integers greater than $1$, and let $N = n_1n_2\cdots n_k$. If $n_i$ are pairwise relatively prime, then the system of equations $x \equiv a_i \pmod {n_i}$ has a unique solution modulo $N$.
-> 
+>
 > *(Abstract Algebra)* The map
-> 
+>
 > $$
 > x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k)
 > $$
-> 
+>
 >  defines a ring isomorphism
-> 
+>
 > $$
 >  \mathbb{Z}_N \simeq \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}.
 > $$
@@ -229,7 +229,7 @@ But $n_i$ are pairwise relatively prime, so $\mathrm{lcm}(n_1, \dots, n_k) = N$
 *Proof*. (**Abstract Algebra**) The above uniqueness proof shows that the map

 $$
-x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k) 
+x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k)
 $$

 is injective. By pigeonhole principle, this map must also be surjective. This map is also a ring homomorphism, by the properties of modular arithmetic. We have a ring isomorphism.
@@ -273,6 +273,6 @@ $$

 and using the result, add the next equation $x \equiv a_3 \pmod{n_3}$ and find a solution.[^1]

-Lastly, the ring isomorphism actually tells us a lot and is quite effective for computation. Since the two rings are *isomorphic*, operations in $\mathbb{Z} _ N$ can be done independently in each $\mathbb{Z} _ {n_i}$ and then merged back to $\mathbb{Z} _ N$. $N$ was a large number, so computations can be much faster in $\mathbb{Z} _ {n _ i}$. Specifically, we will see how this fact is used for computations in RSA.
+Lastly, the ring isomorphism actually tells us a lot and is quite effective for computation. Since the two rings are *isomorphic*, operations in $\mathbb{Z}_N$ can be done independently in each $\mathbb{Z}_{n_i}$ and then merged back to $\mathbb{Z}_N$. $N$ was a large number, so computations can be much faster in $\mathbb{Z}_{n_i}$. Specifically, we will see how this fact is used for computations in RSA.

 [^1]: I have an implementation in my repository. [Link](https://github.com/calofmijuck/BOJ/blob/4b29e0c7f487aac3186661176d2795f85f0ab21b/Codes/23000/23062.cpp#L38).
--- a/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md
+++ b/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md
@@ -138,36 +138,36 @@ So we don't actually need Euler's generalization for proving the correctness of

 This is an inverse problem of exponentiation. The inverse of exponentials is logarithms, so we consider the **discrete logarithm of a number modulo $p$**.

-Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^*$, since if $g$ is the generator, a solution always exists.
+Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^\ast$, since if $g$ is the generator, a solution always exists.

-Read more in [discrete logarithm problem (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#discrete-logarithm-problem-(dl)).
+Read more in [discrete logarithm problem (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#discrete-logarithm-problem-(dl)).

 ## ElGamal Encryption

 This is an encryption scheme built upon the hardness of the DLP.

 > 1. Let $p$ be a large prime.
-> 2. Select a generator $g \in \mathbb{Z}_p^*$.
-> 3. Choose a private key $x \in \mathbb{Z}_p^*$.
+> 2. Select a generator $g \in \mathbb{Z}_p^\ast$.
+> 3. Choose a private key $x \in \mathbb{Z}_p^\ast$.
 > 4. Compute the public key $y = g^x \pmod p$.
 > 	- $p, g, y$ will be publicly known.
 > 	- $x$ is kept secret.

 ### ElGamal Encryption and Decryption

-Suppose we encrypt a message $m \in \mathbb{Z}_p^*$.
+Suppose we encrypt a message $m \in \mathbb{Z}_p^\ast$.

-> 1. The sender chooses a random $k \in \mathbb{Z}_p^*$, called *ephemeral key*.
+> 1. The sender chooses a random $k \in \mathbb{Z}_p^\ast$, called *ephemeral key*.
 > 2. Compute $c_1 = g^k \pmod p$ and $c_2 = my^k \pmod p$.
 > 3. $c_1, c_2$ are sent to the receiver.
-> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^*$.
+> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^\ast$.
 > 5. Then $c_2y^{-k} \equiv m \pmod p$, recovering the message.

 The attacker will see $g^k$. By the hardness of DLP, the attacker is unable to recover $k$ even if he knows $g$.

 #### Ephemeral Key Should Be Distinct

-If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z} _ p^{ * }$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z} _ p^{ * }$, inverses exist. So
+If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z}_p^\ast$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z}_p^\ast$, inverses exist. So

 $$
 m_1y^k \cdot (m_2 y^k)^{-1} \equiv m_1m_2^{-1} \equiv 1 \pmod p