[PUBLISHER] upload files #170

* PUSH NOTE : 05. Lebesgue Integration.md

* PUSH NOTE : 04. Measurable Functions.md

* PUSH NOTE : 03. Measure Spaces.md

* PUSH NOTE : 02. Construction of Measure.md

* PUSH NOTE : Rules of Inference with Coq.md

* PUSH NOTE : 9. Public Key Encryption.md

* PUSH NOTE : 7. Key Exchange.md

* PUSH NOTE : 6. Hash Functions.md

* PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md

* PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* PUSH NOTE : 07. Public Key Cryptography.md

* PUSH NOTE : 06. RSA and ElGamal Encryption.md

* PUSH NOTE : 05. Modular Arithmetic (2).md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* PUSH NOTE : 02. Symmetric Key Cryptography (1).md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-19-public-key-encryption.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-10-09-public-key-cryptography.md
2024-11-13 10:49:03 +09:00
committed by GitHub
parent 78691732a8
commit 6960edd3d4
13 changed files with 134 additions and 114 deletions

View File

@@ -2,18 +2,23 @@
share: true
toc: true
math: true
categories: [Mathematics, Measure Theory]
tags: [math, analysis, measure-theory]
title: "02. Construction of Measure"
date: "2023-01-23"
github_title: "2023-01-23-construction-of-measure"
categories:
- Mathematics
- Measure Theory
tags:
- math
- analysis
- measure-theory
title: 02. Construction of Measure
date: 2023-01-23
github_title: 2023-01-23-construction-of-measure
image:
path: /assets/img/posts/Mathematics/Measure Theory/mt-02.png
attachment:
folder: assets/img/posts/Mathematics/Measure Theory
---
![mt-02.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-02.png)
![mt-02.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-02.png)
이제 본격적으로 집합을 재보도록 하겠습니다. 우리가 잴 수 있는 집합들부터 시작합니다. $\mathbb{R}^p$에서 논의할 건데, 이제 여기서부터는 $\mathbb{R}$의 구간의 열림/닫힘을 모두 포괄하여 정의합니다. 즉, $\mathbb{R}$의 구간이라고 하면 $[a, b], (a, b), [a, b), (a, b]$ 네 가지 경우를 모두 포함합니다.
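Review bot: the image link at the end of the hunk changes from the site-absolute `/assets/img/posts/Mathematics/Measure%20Theory/mt-02.png` to the source-relative `../../../assets/...`, which now depends on exactly where the note sits in the tree; this same commit deletes posts under both `_posts/Lecture Notes/...` and `_posts/lecture-notes/...`, so any further move of these notes silently breaks the image, whereas the absolute form survived moves. Two smaller points in the front matter: `date: 2023-01-23` and `title: 02. Construction of Measure` lose their quotes, and an unquoted date is parsed by YAML as a date value rather than a string, so confirm the publisher tool and the Jekyll theme accept that type; and `path:` under `image:` keeps a literal space (`Measure Theory`) while the Markdown link uses `%20`, so pick one encoding so both resolve to the same file.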

View File

@@ -2,11 +2,16 @@
share: true
toc: true
math: true
categories: [Mathematics, Measure Theory]
tags: [math, analysis, measure-theory]
title: "03. Measure Spaces"
date: "2023-01-24"
github_title: "2023-01-24-measure-spaces"
categories:
- Mathematics
- Measure Theory
tags:
- math
- analysis
- measure-theory
title: 03. Measure Spaces
date: 2023-01-24
github_title: 2023-01-24-measure-spaces
image:
path: /assets/img/posts/Mathematics/Measure Theory/mt-03.png
attachment:
@@ -17,7 +22,7 @@ attachment:
Construction of measure 증명에서 추가로 참고할 내용입니다.
![mt-03.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-03.png)
![mt-03.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-03.png)
**명제.** $A$가 열린집합이면 $A \in \mathfrak{M}(\mu)$ 이다. 또한 $A^C \in \mathfrak{M}(\mu)$ 이므로, $F$가 닫힌집합이면 $F \in \mathfrak{M}(\mu)$ 이다.
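Review bot: the relative image path `../../../assets/img/...` counts three levels up from the note's own directory, so it only resolves while every measure-theory note stays exactly three directories below the site root; the previous `/assets/...` form did not have that dependency. A quick check before merging is to build the site once and confirm `mt-03.png` renders on the generated page rather than only in the editor preview.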

View File

@@ -2,11 +2,16 @@
share: true
toc: true
math: true
categories: [Mathematics, Measure Theory]
tags: [math, analysis, measure-theory]
title: "04. Measurable Functions"
date: "2023-02-06"
github_title: "2023-02-06-measurable-functions"
categories:
- Mathematics
- Measure Theory
tags:
- math
- analysis
- measure-theory
title: 04. Measurable Functions
date: 2023-02-06
github_title: 2023-02-06-measurable-functions
image:
path: /assets/img/posts/Mathematics/Measure Theory/mt-04.png
attachment:
@@ -155,7 +160,7 @@ $$s(x) = \sum_ {i=1}^{n} c_i \chi_ {E_i}(x).$$
여기서 $E_i$에 measurable 조건이 추가되면, 정의에 의해 $\chi_ {E_i}$도 measurable function입니다. 따라서 모든 measurable simple function을 measurable $\chi_ {E_i}$의 linear combination으로 표현할 수 있습니다.
![mt-04.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-04.png)
![mt-04.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-04.png)
아래 정리는 simple function이 Lebesgue integral의 building block이 되는 이유를 잘 드러냅니다. 모든 함수는 simple function으로 근사할 수 있습니다.

View File

@@ -2,11 +2,16 @@
share: true
toc: true
math: true
categories: [Mathematics, Measure Theory]
tags: [math, analysis, measure-theory]
title: "05. Lebesgue Integration"
date: "2023-02-13"
github_title: "2023-02-13-lebesgue-integration"
categories:
- Mathematics
- Measure Theory
tags:
- math
- analysis
- measure-theory
title: 05. Lebesgue Integration
date: 2023-02-13
github_title: 2023-02-13-lebesgue-integration
image:
path: /assets/img/posts/Mathematics/Measure Theory/mt-05.png
attachment:
@@ -121,7 +126,7 @@ $$\int f \,d{\mu} = \sup\left\lbrace \int h \,d{\mu}: 0\leq h \leq f, h \text{ m
$f$보다 작은 measurable simple function의 적분값 상한을 택하겠다는 의미입니다. $f$보다 작은 measurable simple function으로 $f$ 근사한다고도 이해할 있습니다. 또한 $f$ simple function이면 Step 2의 정의와 일치하는 것을 있습니다.
![mt-05.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-05.png)
![mt-05.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-05.png)
$f \geq 0$ measurable이면 증가하는 measurable simple 함수열 $s_n$ 존재함을 지난 번에 보였습니다. $s_n$ 대하여 적분값을 계산해보면

View File

@@ -191,7 +191,7 @@ Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then ch
- Encryption: $E(k, m) = k \oplus m$.
- Decryption: $D(k, c) = k \oplus c$.
This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)).
This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)).
## Perfect Secrecy
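Review bot: the cross-note link now targets `../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)`, i.e. one directory level shallower than before (`../../`) and with a `.md` suffix. The `.md` form resolves in the editor, but on the generated site it only works if relative Markdown links are rewritten at build time (for example by the jekyll-relative-links plugin); otherwise the rendered anchor points at a file that does not exist in the output. Please confirm both the new depth (the deleted `_posts/lecture-notes/modern-cryptography/...` path suggests the notes moved) and that the link rewriting is configured.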
@@ -225,7 +225,7 @@ since for each $m$ and $c$, $k$ is determined uniquely.
*Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.
For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#shannon's-theorem).
For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#shannon's-theorem).
### Two-Time Pad is Insecure
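Review bot: the fragment `#shannon's-theorem` keeps an apostrophe; the heading-id generators used by kramdown and by GitHub drop punctuation and produce `shannons-theorem`, so this anchor is likely broken on the rendered page even though the file part of the link is now correct. Worth checking the generated heading id and adjusting the fragment in the same change.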

View File

@@ -90,7 +90,7 @@ For even better (maybe faster) results, we need the help of elementary number th
> a^{p-1} \equiv 1 \pmod p.
> $$
*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^*$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$.
*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^\ast$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$.
Here is an elementary proof not using group theory.
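Review bot: the only change in this hunk is `\mathbb{Z}_p^*` to `\mathbb{Z}_p^\ast`, which is the right fix (a bare `*` inside inline math is picked up as a Markdown emphasis delimiter whenever a second `*` appears in the same paragraph), but the commit message lists only `PUSH NOTE` entries and never says so; a one-line explanation of why `^*` was replaced throughout would help the next person who wonders about the unusual `\ast` spelling. The group-theoretic proof itself is unchanged and reads correctly (Lagrange gives that the order of $a$ divides $p-1$).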
@@ -139,23 +139,23 @@ $$
We also often use the **reduced set of residues**.
> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^*$.
> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^\ast$.
>
> $$
> \mathbb{Z}_n^* = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
> \mathbb{Z}_n^\ast = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
> $$
Then by definition, we have the following result.
> **Lemma.** $\left\lvert \mathbb{Z}_n^* \right\lvert = \phi(n)$.
> **Lemma.** $\left\lvert \mathbb{Z}_n^\ast \right\lvert = \phi(n)$.
We can also show that $\mathbb{Z}_n^*$ is a multiplicative group.
We can also show that $\mathbb{Z}_n^\ast$ is a multiplicative group.
> **Lemma.** $\mathbb{Z}_n^*$ is a multiplicative group.
> **Lemma.** $\mathbb{Z}_n^\ast$ is a multiplicative group.
*Proof*. Let $a, b \in \mathbb{Z}_n^{ * }$. We must check if $ab \in \mathbb{Z}_n^{ * }$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^{ * }$.
*Proof*. Let $a, b \in \mathbb{Z}_n^\ast$. We must check if $ab \in \mathbb{Z}_n^\ast$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^\ast$.
Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^*$ exists since $\gcd(a, n) = 1$.
Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^\ast$ exists since $\gcd(a, n) = 1$.
Now we can prove Euler's generalization.
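Review bot: in the lemma `$\left\lvert \mathbb{Z}_n^\ast \right\lvert = \phi(n)$` the closing delimiter is `\right\lvert`; it should be `\right\rvert` (`\lvert` and `\rvert` are the left and right forms of the bar, and mixing them gives wrong spacing in the rendered absolute value). Since this line is already being touched for the `\ast` change, fix the delimiter in the same pass. The removed `\mathbb{Z}_n^{ * }` spelling in the group proof was evidently a spacing workaround for the same Markdown-emphasis problem that `\ast` now solves cleanly, so that part of the hunk is good.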
@@ -167,13 +167,13 @@ Now we can prove Euler's generalization.
> a^{\phi(n)} \equiv 1 \pmod n.
> $$
*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^{\left\lvert \mathbb{Z}_n^{ * } \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^\ast$. Then $a^{\left\lvert \mathbb{Z}_n^\ast \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
*Proof*. (Elementary) Set $f : \mathbb{Z}_n^* \rightarrow \mathbb{Z}_n^*$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
*Proof*. (Elementary) Set $f : \mathbb{Z}_n^\ast \rightarrow \mathbb{Z}_n^\ast$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
Using the above result, we remark an important result that will be used in RSA.
> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^*$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^\ast$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
*Proof*. $a = b + k\phi(n)$ for some $k \in \mathbb{Z}$. Then
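Review bot: the same `\right\lvert` for `\right\rvert` typo appears in `$a^{\left\lvert \mathbb{Z}_n^\ast \right\lvert} = 1$` in the Euler proof and should be fixed alongside the `\ast` change. The lemma at the end of the hunk is stated for `$a, b \in \mathbb{Z}$`, which allows a negative `$k$` in `$a = b + k\phi(n)$`; that is fine because `$x \in \mathbb{Z}_n^\ast$` is invertible, but a short remark that negative powers are taken modulo `$n$` would make the statement self-contained.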
@@ -192,7 +192,7 @@ by Euler's generalization.
> - $(\mathsf{G3})$ $G$ has an **identity** element $e$ such that $e * a = a * e = a$ for all $a \in G$.
> - $(\mathsf{G4})$ There is an **inverse** for every element of $G$. For each $a \in G$, there exists $x \in G$ such that $a * x = x * a = e$. We write $x = a^{-1}$ in this case.
$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^*$ is a multiplicative group.
$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^\ast$ is a multiplicative group.
## Chinese Remainder Theorem (CRT)

View File

@@ -138,36 +138,36 @@ So we don't actually need Euler's generalization for proving the correctness of
This is an inverse problem of exponentiation. The inverse of exponentials is logarithms, so we consider the **discrete logarithm of a number modulo $p$**.
Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^*$, since if $g$ is the generator, a solution always exists.
Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^\ast$, since if $g$ is the generator, a solution always exists.
Read more in [discrete logarithm problem (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#discrete-logarithm-problem-(dl)).
Read more in [discrete logarithm problem (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#discrete-logarithm-problem-(dl)).
## ElGamal Encryption
This is an encryption scheme built upon the hardness of the DLP.
> 1. Let $p$ be a large prime.
> 2. Select a generator $g \in \mathbb{Z}_p^*$.
> 3. Choose a private key $x \in \mathbb{Z}_p^*$.
> 2. Select a generator $g \in \mathbb{Z}_p^\ast$.
> 3. Choose a private key $x \in \mathbb{Z}_p^\ast$.
> 4. Compute the public key $y = g^x \pmod p$.
> - $p, g, y$ will be publicly known.
> - $x$ is kept secret.
### ElGamal Encryption and Decryption
Suppose we encrypt a message $m \in \mathbb{Z}_p^*$.
Suppose we encrypt a message $m \in \mathbb{Z}_p^\ast$.
> 1. The sender chooses a random $k \in \mathbb{Z}_p^*$, called *ephemeral key*.
> 1. The sender chooses a random $k \in \mathbb{Z}_p^\ast$, called *ephemeral key*.
> 2. Compute $c_1 = g^k \pmod p$ and $c_2 = my^k \pmod p$.
> 3. $c_1, c_2$ are sent to the receiver.
> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^*$.
> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^\ast$.
> 5. Then $c_2y^{-k} \equiv m \pmod p$, recovering the message.
The attacker will see $g^k$. By the hardness of DLP, the attacker is unable to recover $k$ even if he knows $g$.
#### Ephemeral Key Should Be Distinct
If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z} _ p^{ * }$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z} _ p^{ * }$, inverses exist. So
If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z}_p^\ast$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z}_p^\ast$, inverses exist. So
$$
m_1y^k \cdot (m_2 y^k)^{-1} \equiv m_1m_2^{-1} \equiv 1 \pmod p
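Review bot: the displayed equation at the end of the hunk, `$m_1y^k \cdot (m_2 y^k)^{-1} \equiv m_1m_2^{-1} \equiv 1 \pmod p$`, is not right as written: the product simplifies to `$m_1 m_2^{-1}$`, which is `$1$` only when `$m_1 = m_2$`, and the paragraph explicitly assumes two different messages. The point of the section is that reusing `$k$` leaks the ratio `$m_1 m_2^{-1}$` (and hence `$m_2$` whenever `$m_1$` is known), so the trailing `$\equiv 1$` should be dropped. Separately, the line `generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^\ast$` is already being edited for `\ast`; for `$y \equiv g^x$` the relevant group is the multiplicative `$\mathbb{Z}_p^\ast$`, so the `$\mathbb{Z}_p$` alternative (an additive group) can be removed there in the same change.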

View File

@@ -37,9 +37,9 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
> - *Encryption*: Send $m_i$ and receive $c'_i = E(k, m_i)$.
> - *Decryption*: Send $c_i$ and receive $m'_i = D(k, c_i)$.
> - Note that $\mathcal{A}$ is not allowed to make a decryption query for any $c_i'$.
> 3. $\mathcal{A}$ outputs a pair of messages $(m_0^ * , m_1^*)$.
> 4. The challenger generates $c^* \leftarrow E(k, m_b^*)$ and gives it to $\mathcal{A}$.
> 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^*$.
> 3. $\mathcal{A}$ outputs a pair of messages $(m_0^\ast , m_1^\ast)$.
> 4. The challenger generates $c^\ast \leftarrow E(k, m_b^\ast)$ and gives it to $\mathcal{A}$.
> 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^\ast$.
> 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mathcal{E}$** is defined as
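Review bot: step 3 previously wrote `$(m_0^ * , m_1^*)$`, with a space inserted purely to stop Markdown pairing the two asterisks as emphasis; `^\ast` is the proper fix, so this part is good. One consistency nit in the untouched context: the encryption oracle writes `$c'_i$` while the restriction line writes `$c_i'$`; pick one placement of the prime, since the restriction refers to exactly those oracle outputs.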
@@ -54,7 +54,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
None of the encryption schemes already seen thus far is CCA secure.
Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption/#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
Recall a [CPA secure construction from PRF](./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^\ast = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.
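Review bot: the attack sketch says the adversary requests decryption of `$c' = (r, s')$` "for some $s'$"; the CCA game forbids a decryption query on `$c^\ast$` itself, so the text should say any `$s' \neq F(k, r) \oplus m_b$`, i.e. any second component other than the challenge's. With that restriction stated the argument is complete: `$m' = s' \oplus F(k, r)$` reveals `$F(k, r)$`, and XORing it into the challenge's second component yields `$m_b$`. The link change to `./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf` only resolves on the built site if relative `.md` links are rewritten at build time.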
@@ -68,12 +68,12 @@ An adversary at destination 25 wants to receive the message sent to destination
Suppose we used CBC mode encryption. Then the first block of the ciphertext would contain the IV, the next block would contain $E(k, \mathrm{IV} \oplus m_0)$.
The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^ *$ where $m^ *$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated)
The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^\ast$ where $m^\ast$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated)
Then the decryption works as normal,
$$
D(k, c_0) \oplus \mathrm{IV}' = (m_0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m_0 \oplus m^*.
D(k, c_0) \oplus \mathrm{IV}' = (m_0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m_0 \oplus m^\ast.
$$
The destination of the original message has been changed, even though the adversary had no information of the key.
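Review bot: the parenthetical "(This can be calculated)" leaves the reader to work out `$m^\ast$`; from the equation in this hunk it is the block that is zero everywhere except in the bytes encoding the destination, where it holds the XOR of the encodings of `80` and `25`, so `$m_0 \oplus m^\ast$` differs from `$m_0$` only in that field. Stating that explicitly, and adding that the remedy is exactly the authenticated encryption this note is about (a MAC computed over the IV and ciphertext would reject the modified `$\mathrm{IV}'$`), would close the example. The math line itself is correct.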

View File

@@ -150,7 +150,7 @@ See Joux's attack.[^2]
Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives.
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange/#collision-resistance-based-on-dl-problem).
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](./2023-10-03-key-exchange.md#collision-resistance-based-on-dl-problem).
![mc-06-davies-meyer.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-davies-meyer.png)
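Review bot: the image path `../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-davies-meyer.png` uses the lowercase directory names, while the measure-theory hunks use `Mathematics/Measure Theory` and the deleted files in this commit show both `_posts/Lecture Notes/Modern Cryptography/` and `_posts/lecture-notes/modern-cryptography/`. On a case-sensitive deploy host these are different paths, so confirm which casing actually exists under `assets/img/posts/` and standardize on it; the `.md` cross-link change in this hunk also relies on relative links being rewritten when the site is built.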
@@ -195,7 +195,7 @@ We needed a complicated construction for MACs that work on long messages. We mig
Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$.
Recall that [we can construct a MAC scheme from a PRF](../2023-09-21-macs/#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
Recall that [we can construct a MAC scheme from a PRF](./2023-09-21-macs.md#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
#### Prepending the Key

View File

@@ -65,12 +65,12 @@ To implement the above protocol, we need two functions $E$ and $F$ that satisfy
Let $p$ be a large prime, and let $q$ be another large prime dividing $p - 1$. We typically use very large random primes, $p$ is about $2048$ bits long, and $q$ is about $256$ bits long.
All arithmetic will be done in $\mathbb{Z}_p$. We also consider $\mathbb{Z} _ p^ *$ , the **unit group** of $\mathbb{Z} _ p$. Since $\mathbb{Z} _ p$ is a field, $\mathbb{Z} _ p^ * = \mathbb{Z} _ p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z} _ p^ *$ has order $p-1$.
All arithmetic will be done in $\mathbb{Z}_p$. We also consider $\mathbb{Z}_p^\ast$ , the **unit group** of $\mathbb{Z}_p$. Since $\mathbb{Z}_p$ is a field, $\mathbb{Z}_p^\ast = \mathbb{Z}_p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z}_p^\ast$ has order $p-1$.
Since $q$ is a prime dividing $p - 1$, $\mathbb{Z}_p^*$ has an element $g$ of order $q$.[^1] Let
Since $q$ is a prime dividing $p - 1$, $\mathbb{Z}_p^\ast$ has an element $g$ of order $q$.[^1] Let
$$
G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z}_p^*.
G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z}_p^\ast.
$$
We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
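Review bot: `$\mathbb{Z}_p^\ast ,$` keeps a stray space before the comma, inherited from the removed `$\mathbb{Z} _ p^ *$ ,` workaround spelling; drop it now that the `\ast` form needs no padding. Content-wise the hunk is fine: with `$q \mid p-1$` an element `$g$` of order `$q$` exists in `$\mathbb{Z}_p^\ast$`, and `$G = \langle g \rangle$` is the prime-order subgroup in which the protocol runs.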
@@ -100,7 +100,7 @@ We have used $E(x) = g^x$ in the above implementation. This function is called t
We required that $E$ must be a one-way function for the protocol to work. So it must be hard to compute the discrete logarithm function. There are some problems related to the discrete logarithm, which are used as assumptions in the security proof. They are formalized as a security game, as usual.
$G = \left\langle g \right\rangle \leq \mathbb{Z} _ p^{ * }$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary.
$G = \left\langle g \right\rangle \leq \mathbb{Z}_p^\ast$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary.
### Discrete Logarithm Problem (DL)
@@ -241,5 +241,5 @@ It is unknown whether we can get a better gap (than quadratic) using a general s
To get exponential gaps, we need number theory.
[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z}_p^*$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group.
[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z}_p^\ast$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group.
[^2]: R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the Symposium on Theory of Computing (STOC), pages 4461, 1989.
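Review bot: reference `[^2]` reads "pages 4461, 1989"; the page range has lost its dash and should read "pages 44–61" (Impagliazzo and Rudich, STOC 1989). Footnote `[^1]` is correct as stated: a subgroup of prime order `$q$` is cyclic, so its generator is the element of order `$q$` that the text needs.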