From 74bc05e286d94967f37ebb5fef79eb762a4bcfe1 Mon Sep 17 00:00:00 2001 From: Sungchan Yi Date: Tue, 17 Oct 2023 10:28:58 +0900 Subject: [PATCH] [PUBLISHER] upload files #100 * PUSH NOTE : 1. OTP, Stream Ciphers and PRGs.md * PUSH ATTACHMENT : mc-01-prg-game.png * PUSH ATTACHMENT : mc-01-ss.png --- .../2023-09-07-otp-stream-cipher-prgs.md | 433 ++++++++++++++++++ .../Modern Cryptography/mc-01-prg-game.png | Bin 0 -> 11185 bytes .../Modern Cryptography/mc-01-ss.png | Bin 0 -> 7988 bytes 3 files changed, 433 insertions(+) create mode 100644 _posts/Lecture Notes/Modern Cryptography/2023-09-07-otp-stream-cipher-prgs.md create mode 100644 assets/img/posts/Lecture Notes/Modern Cryptography/mc-01-prg-game.png create mode 100644 assets/img/posts/Lecture Notes/Modern Cryptography/mc-01-ss.png diff --git a/_posts/Lecture Notes/Modern Cryptography/2023-09-07-otp-stream-cipher-prgs.md b/_posts/Lecture Notes/Modern Cryptography/2023-09-07-otp-stream-cipher-prgs.md new file mode 100644 index 0000000..5002227 --- /dev/null +++ b/_posts/Lecture Notes/Modern Cryptography/2023-09-07-otp-stream-cipher-prgs.md @@ -0,0 +1,433 @@ +--- +share: true +toc: true +math: true +categories: + - Lecture Notes + - Modern Cryptography +tags: + - lecture-note + - cryptography + - security +title: 1. One-Time Pad, Stream Ciphers and PRGs +date: 2023-09-07 +github_title: 2023-09-07-otp-stream-cipher-prgs +image: + path: "assets/img/posts/Lecture Notes/Modern Cryptography/mc-01-ss" +attachment: + folder: assets/img/posts/Lecture Notes/Modern Cryptography +--- + +## Assumptions and Notations + +An encryption scheme is defined by $3$ algorithms. + +- A (probabilistic) key generation algorithm $G$. +- $E: \mathcal{K} \times \mathcal{M} \rightarrow \mathcal{C}$ and $D: \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M}$ which are encryption, decryption algorithms respectively. + +We assume **perfect correctness**. + +> **Assumption**. $\forall k \in \mathcal{K}$, $\forall m \in \mathcal{M}$, if $c = E(k, m)$ then $D(k, c) = m$ with probability $1$. + +This assumption allows us to assume that the decryption algorithm $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M}$ is *deterministic*, since it will always give the same output for the same key and ciphertext. + +Some random variables: + +- $K$ for the distribution over the key space $\mathcal{K}$. + - The output from $G$. We denote this as $k \leftarrow \mathcal{K}$. +- $M$ for the message being encrypted, and $C$ for the ciphertext. + - We will write $c \leftarrow E(k, m)$. +- $K$ and $M$ are required to be independent. + +## Perfect Secrecy + +For a scheme to be perfectly secret, the *ciphertext should not reveal any information about the underlying plaintext*, so that the adversary learns absolutely nothing about the plaintext. + +> **Definition**. An encryption scheme is **perfectly secret** if for any distribution of $M$ and any ciphertext $c \in \mathcal{C}$ such that $\Pr[C = c] > 0$, +> +> $$ +> \Pr[M = m \mid C = c] = \Pr[M = m] +> $$ +> +> for every $m \in \mathcal{M}$. + +For example, the shift cipher with $\mathcal{M}$ as the set of all two-letter characters is not perfectly secure. Suppose that $c = \texttt{XX}$ is observed. Then the adversary learns that the plaintext must consist of the same letter, revealing some information. + +The above definition is equivalent to the following. + +> **Definition**. An encryption scheme is **perfectly secret** if for any $m_1, m_2 \in \mathcal{M}$ and $c \in \mathcal{C}$, we have +> +> $$ +> \Pr[E(k, m_1) = c] = \Pr[E(k, m_2) = c] +> $$ +> +> where the probability is taken over the random choice $k \leftarrow \mathcal{K}$. + +> **Proposition**. The above two definitions are equivalent. + +*Proof*. Suppose we are given any distribution on $M$, any $m \in \mathcal{M}$ with $\Pr[M = m] > 0$ and any $c \in \mathcal{C}$. Since $K$ and $M$ are independent, we have + +$$ +\begin{align*} +\Pr[C = c \mid M = m] &= \Pr[E(k, M) = c \mid M = m] \\ +&= \Pr[E(k, m) = c \mid M = m] \\ +&= \Pr[E(k, m) = c], +\end{align*} +$$ + +where $E(k, m)$ denotes the distribution of the ciphertext of $m$ over the key $k \leftarrow \mathcal{K}$. Also, + +$$ +\begin{equation}\tag{1} +\Pr[M = m \mid C = c] \cdot \Pr[C = c] = \Pr[C = c \mid M = m] \cdot \Pr[M = m] +\end{equation} +$$ + +by the definition of conditional probability. + +($\implies$) If $\Pr[M = m \mid C = c] = \Pr[M = m]$, then $\Pr[C = c] = \Pr[C = c \mid M = m]$ by equation $(1)$. Therefore + +$$ +\begin{align*} + \Pr[E(k, m) = c] &= \Pr[C = c \mid M = m] \\ + &= \Pr[C = c] \\ + &= \Pr[C = c \mid M = m'] \\ + &= \Pr[E(k, m') = c]. +\end{align*} +$$ + +($\impliedby$) If $\Pr[M = m] = 0$, then we are done. So assume $\Pr[M = m] > 0$. Then + +$$ +\begin{align*} + \Pr[C = c] &= \sum_{m' \in \mathcal{M}} \Pr[C = c \mid M = m'] \cdot \Pr[M = m'] \\ + &= \sum_{m' \in \mathcal{M}} \Pr[E(k, m') = c] \cdot \Pr[M = m'] \\ + &= \sum_{m' \in \mathcal{M}} \Pr[E(k, m) = c] \cdot \Pr[M = m'] \\ + &= \Pr[E(k, m) = c] = \Pr[C = c \mid M = m]. +\end{align*} +$$ + +Thus equation $(1)$ implies $\Pr[M = m \mid C = c] = \Pr[M = m]$. + +## One-Time Pad (OTP) + +This is an encryption scheme patented by Vernam in 1917. + +- Set $\mathcal{M} = \mathcal{K} = \mathcal{C} = \lbrace 0, 1 \rbrace^n$. +- $G$ chooses a key from $\mathcal{K}$ according to the uniform distribution. + - Each key is chosen with probability $2^{-n}$. +- $E(k, m) = k \oplus m$ and $D(k, c) = k \oplus c$. + +From the above definition, the correctness of the scheme is easily checked. + +Intuitively, $k \oplus m$ has the uniform distribution over $\lbrace 0, 1 \rbrace^n$. + +### Perfect Secrecy of OTP + +> **Theorem**. The one-time pad encryption scheme is perfectly secret. + +*Proof*. For any $c \in \mathcal{C}$ and $m \in \mathcal{M}$ with $\Pr[M = m] > 0$, we have + +$$ +\begin{align*} +\Pr[C = c \mid M = m] &= \Pr[K \oplus m = c \mid M = m] \\ +&= \Pr[K = m \oplus c \mid M = m] \\ +&= 2^{-n} +\end{align*} +$$ + +since $K$ and $M$ are independent. Given any distribution on $\mathcal{M}$, we can see that + +$$ +\begin{align*} +\Pr[C = c] &= \sum_{m \in \mathcal{M}} \Pr[C = c \mid M = m] \cdot \Pr[M = m] \\ +&= 2^{-n} \cdot \sum_{m \in \mathcal{M}} \Pr[M = m] = 2^{-n}. +\end{align*} +$$ + +Therefore $\Pr[M = m \mid C = c] = \Pr[M = m]$ by equation $(1)$. + +Here is another proof using the second definition. + +*Proof*. For any $m \in \mathcal{M}$ and $c \in \mathcal{C}$, + +$$ +\Pr[E(k, m) = c] = \Pr[k \oplus m = c] = \Pr[k = c \oplus m] = 2^{-n}. +$$ + +Thus OTP satisfies the definition of perfect secrecy. + +### Drawbacks of OTP + +The OTP is perfectly secure, but there are some drawbacks to using the OTP in practice. + +First of all, OTP is perfectly secure *only for one message*. Suppose that we reuse the key $k$ for two messages $m_1$, $m_2$. Then since $c_1 = m_1 \oplus k$, $c_2 = m_2 \oplus k$, we have the following relation + +$$ +c_1 \oplus c_2 = (m_1 \oplus k) \oplus (m_2 \oplus k) = m_1 \oplus m_2. +$$ + +Since the adversary can see the ciphertext, this kind of relation leaks some information about $m_1$ or $m_2$. For example, the adversary can learn exactly where the two messages differ. So if the key is reused, the scheme cannot be perfectly secret. + +Also, the key is (at least) as long as the message. This is why OTP is rarely used today. When sending a long message, two parties must communicate a very long key that is as long as the message, *every single time*! This makes it hard to manage the key. + +So is there a way to reduce the key size without losing perfect secrecy? Sadly, no. In fact, the key space must be as least as large as the message space. This is a requirement for perfectly secret schemes. + +> **Theorem**. If $(G, E, D)$ is a perfectly secret encryption scheme, then $\lvert \mathcal{K} \rvert \geq \lvert \mathcal{M} \rvert$. + +*Proof*. Assume $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$, and give $M$ the uniform distribution over $\mathcal{M}$. Let $c \in \mathcal{C}$ be a ciphertext with $\Pr[C = c] > 0$. Define + +$$ +\mathcal{M}(c) = \lbrace m \mid m = D(k, c) \text{ for some } k \in \mathcal{K}\rbrace, +$$ + +which is the set of all possible decryptions of $c$. Since we can assume $D$ to be deterministic, $\lvert \mathcal{M}(c) \rvert \leq \lvert \mathcal{K} \rvert$.[^1] Then we can choose $m' \in \mathcal{M} \setminus \mathcal{M}(c)$ since $\lvert \mathcal{M}(c) \rvert < \lvert \mathcal{M} \rvert$. Then + +$$ +\Pr[M = m' \mid C = c] = 0 \neq \Pr[M = m'], +$$ + +so the scheme cannot be perfectly secret. + +In words, if $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$, there is some message $m \in \mathcal{M}$ that is not a decryption of any ciphertext $c$. Then $\Pr[M = m \mid C = c]$ is $0$, but $\Pr[M = m]$ is not. Thus the scheme cannot be perfectly secret. + +## Pseudorandom Generators (PRG) + +The problem with one-time pad is that we must use very long keys. So the idea of stream ciphers is to replace the *random* key by a *pseudorandom* key. The **pseudorandom generator** (PRG) will compute a pseudorandom key from a seed chosen from a smaller space. + +> **Definition.** A **pseudorandom generator** is an efficient deterministic algorithm $G$ such that given an input **seed** from $\lbrace 0, 1 \rbrace^s$, it outputs an element of $\lbrace 0, 1 \rbrace^n$. Typically, $s \ll n$. + +## Stream Ciphers + +Then the stream cipher is defined as follows. Note that we have reduced the key size. + +- $\mathcal{K} = \lbrace 0, 1 \rbrace^s$, $\mathcal{M} = \mathcal{C} = \lbrace 0, 1 \rbrace^n$ with $s \ll n$. +- $G : \lbrace 0, 1 \rbrace^s \rightarrow \lbrace 0, 1 \rbrace^n$. +- $E(k, m) = G(k) \oplus m$ and $D(k, c) = G(k) \oplus c$. + +Since $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$, stream cipher cannot be perfectly secret. + +## Security of PRGs + +### Negligible Functions + +A negligible function is a function that tends to $0$ as $n \rightarrow \infty$, but faster than the inverse of any polynomial. + +> **Definition.** A function $f : \mathbb{N} \rightarrow \mathbb{R}$ is **negligible** if for all $c > 0$, there exists $N \in \mathbb{N}$ such that for all $n \geq N$, we have $\lvert f(n) \rvert < n^{-c}$. + +The following is evident from the definition. + +> **Lemma.** A function $f : \mathbb{N} \rightarrow \mathbb{R}$ is negligible if and only if for all $c > 0$, +> +> $$ +> \lim_{n \rightarrow \infty} f(n) n^c = 0. +> $$ + +In practice, about $2^{-30}$ is non-negligible since it is likely to happen over $1$ GB of data. Meanwhile, $2^{-80}$, $2^{-128}$ are negligible since it is very unlikely to happen over the life of a key. + +### Unpredictability of PRGs + +The adversary will want to distinguish if some bit string is an output of a PRG or truly random. So PRGs must satisfy the notion of **unpredictability**, which says that no *efficient* algorithm can predict the next bit of PRGs. + +> **Definition.** A PRG is **predictable** if there exists an efficient adversary $\mathcal{A}$ and $i < n$ such that +> +> $$ +> \Pr[\mathcal{A}(G(k)[0..i-1]) = G(k)[i]] > \frac{1}{2} + \epsilon +> $$ +> +> for non-negligible $\epsilon > 0$. + +The probability here is taken over $k \leftarrow \lbrace 0, 1 \rbrace^s$, and $G(k)[0..i-1]$ denotes the first $i$ bits of $G(k)$. Also, the probability has to be non-negligible compared to $\frac{1}{2}$, implying that the adversary should be better than random guessing. + +A PRG is **unpredictable** if it is not predictable, meaning that no efficient adversary $\mathcal{A}$ can predict the next bit at any position. + +### Indistinguishability + +#### Statistical Test + +Since the stream cipher is not perfectly secret, we need a weaker notion of security. That is, **indistinguishability** to the adversary. + +Let $G : \lbrace 0, 1 \rbrace^s \rightarrow \lbrace 0, 1 \rbrace^n$ be a PRG. Then our goal is that $G(k)$ from $k \leftarrow \lbrace 0, 1 \rbrace^s$ and $r \leftarrow \lbrace 0, 1 \rbrace^n$ are indistinguishable, while they differ in their procedures. + +To formally define what it means to be *indistinguishable*, we consider a **statistical test**. + +> **Definition.** A **statistical test** on $\lbrace 0, 1 \rbrace^n$ is an algorithm $\mathcal{A}$ such that $\mathcal{A}(x)$ outputs $0$ for not random or $1$ for random. + +For example, an algorithm $\mathcal{A}$ defined as + +> $\mathcal{A}(x) = 1$ if and only if the difference in the number of occurrences of $0$ and $1$ is less than $10 \sqrt{n}$. + +would be a statistical test. + +#### Advantage + +Let $G : \lbrace 0, 1 \rbrace^s \rightarrow \lbrace 0, 1 \rbrace^n$ be a PRG and $\mathcal{A}$ be a statistical test on $\lbrace 0, 1 \rbrace^n$. + +> **Definition.** The **PRG advantage** is defined as +> +> $$ +> \mathrm{Adv}_\mathrm{PRG}[\mathcal{A} , G] = \left\lvert \Pr_{k \leftarrow \left\lbrace 0, 1 \right\rbrace^s}[\mathcal{A}(G(k)) = 1] - \Pr_{r \leftarrow \left\lbrace 0, 1 \right\rbrace^n}[\mathcal{A}(r) = 1] \right\rvert. +> $$ + +Intuitively, the **advantage** calculates how well $\mathcal{A}$ distinguishes $G(k)$ from truly random bit strings. Recall that $\mathcal{A}$ will output $1$ if it thinks that the given bit string is random. The first probability term is the case when $\mathcal{A}$ is given a pseudorandom string, but $\mathcal{A}$ decides that the string is random. (incorrect) The second probability term is the case when $\mathcal{A}$ is given a random string and it decides that it is indeed random. (correct) Therefore, + +- If the advantage is close to $0$, the probabilities are almost the same, meaning that $\mathcal{A}$ cannot distinguish $G(k)$ from a random bit string. +- If the advantage is close to $1$, one of the probabilities is close to $0$, meaning that $\mathcal{A}$ can distinguish $G(k)$ from a random bit string.[^2] + +### Secure PRG + +Now we can define the security of PRGs. + +> **Definition.** $G : \lbrace 0, 1 \rbrace^s \rightarrow \lbrace 0, 1 \rbrace^n$ is a **secure PRG** if for any efficient statistical test $\mathcal{A}$, $\mathrm{Adv}_\mathrm{PRG}[\mathcal{A}, G]$ is negligible. + +There are no provably secure PRGs, but we have heuristic candidates, meaning that no such efficient $\mathcal{A}$ has been found. + +### Predictability and Security of PRGs + +We can deduce that if a PRG is predictable, then it is insecure. + +> **Theorem.** Let $G$ be a PRG. If $G$ is predictable, then it is insecure. + +*Proof*. Let $\mathcal{A}$ be an efficient adversary (next bit predictor) that predicts $G$. Suppose that $i$ is the index chosen by $\mathcal{A}$. With $\mathcal{A}$, we construct a statistical test $\mathcal{B}$ such that $\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G]$ is non-negligible. + +![mc-01-prg-game.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-01-prg-game.png) + +1. The challenger PRG will send a bit string $x$ to $\mathcal{B}$. + - In experiment $0$, PRG gives pseudorandom string $G(k)$. + - In experiment $1$, PRG gives truly random string $r$. +2. $\mathcal{B}$ gives $x[0..i-1]$ to $\mathcal{A}$, then $\mathcal{A}$ will do some calculation and return $y$. +3. $\mathcal{B}$ compares $x[i]$ with $y$, and returns $1$ if $x[i] = y$, $0$ otherwise. + +Let $W_b$ be the event that $\mathcal{B}$ outputs $1$ in experiment $b$. For $b = 0$, $\mathcal{B}$ outputs $1$ if $\mathcal{A}$ correctly guesses $x[i]$, which happens with probability $\frac{1}{2} + \epsilon$ for non-negligible $\epsilon$. As for $b = 1$, the received string is truly random. Then the values of $x[i]$ and $y$ are independent so $\Pr[W_1] = \frac{1}{2}$. Therefore, + +$$ +\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G] = \lvert \Pr[W_0] - \Pr[W_1] \rvert = \left\lvert \frac{1}{2} + \epsilon - \frac{1}{2} \right\rvert = \epsilon, +$$ + +and the advantage is non-negligible. + +Surprisingly, the other way around is also true. + +> **Theorem.** (Yao'82) If a PRG $G$ is unpredictable, then $G$ is secure. + +The theorem implies that if next bit predictors cannot distinguish $G$ from true random, then no statistical test can. + +## Security Game Framework + +To motivate the definition of semantic security, we consider a **security game framework** (attack game) between a **challenger** (ex. the creator of some cryptographic scheme) and an **adversary** $\mathcal{A}$ (ex. attacker of the scheme). + +![mc-01-ss.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-01-ss.png) + +> **Definition.** Let $\mathcal{E} = (G, E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. For a given adversary $\mathcal{A}$, we define two experiments $0$ and $1$. For $b \in \lbrace 0, 1 \rbrace$, define experiment $b$ as follows: +> +> **Experiment** $b$. +> 1. The adversary computes $m_0, m_1 \in \mathcal{M}$ and sends them to the challenger. +> 2. The challenger computes $k \leftarrow \mathcal{K}$, $c \leftarrow E(k, m_b)$ and sends $c$ to the adversary. +> 3. The adversary outputs a bit $b' \in \lbrace 0, 1 \rbrace$. +> +> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. i.e, the event that $\mathcal{A}(\mathrm{EXP}(b)) = 1$. Now define the **semantic security advantage** of $\mathcal{A}$ with respect to $\mathcal{E}$ as +> +> $$ +> \mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}] = \lvert \Pr [W_0] - \Pr[W_1] \rvert. +> $$ + +As we understood the advantage of PRG, semantic security advantage can be understood the same way. If the advantage is closer to $1$, the better the adversary distinguishes the two experiments. + +### Distinguishing Distributions + +In the same way, we can define a security game for distinguishing two distributions. + +> **Definition.** Let $P_0$, $P_1$ be two distributions over a set $\mathcal{S}$. For any given efficient adversary $\mathcal{A}$, define experiments $0$ and $1$. +> +> **Experiment $b$.** +> 1. The challenger computes $x \leftarrow P_b$ and sends $x$ to the adversary. +> 2. The adversary computes and outputs a bit $b' \in \lbrace 0, 1 \rbrace$. +> +> Let $W_b$ the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the advantage is defined as +> +> $$ +> \mathrm{Adv}[\mathcal{A}] = \lvert \Pr[W_0] - \Pr[W_1] \rvert +> $$ +> +> If the advantage is negligible, we say that $P_0$ and $P_1$ are **computationally indistinguishable**, and write $P_0 \approx_c P_1$. + +As an example, a PRG $G$ is secure if the two distributions $G(k)$ over $k \leftarrow \lbrace 0, 1 \rbrace^s$ and $r \leftarrow \lbrace 0, 1 \rbrace^n$ are *computationally indistinguishable*. + +### Semantic Security + +So now we can define a semantically secure encryption scheme. + +> **Definition.** An encryption scheme $\mathcal{E}$ is **semantically secure** if for any efficient adversary $\mathcal{A}$, its advantage $\mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}]$ is negligible. + +It means that the adversary cannot distinguish whether the received message is an encryption of $m_0$ or $m_1$, even though it knows what the original messages were in the first place! + +Using the notion of computational indistinguishability, $\mathcal{E}$ is semantically secure if for any $m_0, m_1 \in \mathcal{M}$, the distribution of ciphertexts of $m_0$ and $m_1$ with respect to $k \leftarrow \mathcal{K}$ is computationally indistinguishable. + +$$ +E(K, m_0) \approx_c E(K, m_1) +$$ + +## Semantic Security of the Stream Cipher + +> **Theorem.** If $G : \lbrace 0, 1 \rbrace^s \rightarrow \lbrace 0, 1 \rbrace^n$ is a secure PRG, then the stream cipher $\mathcal{E}$ constructed from $G$ is semantically secure. + +*Proof*. Let $\mathcal{A}$ be an efficient adversary that breaks the semantic security of $\mathcal{E}$. We will use $\mathcal{A}$ to construct a statistical test $\mathcal{B}$ that breaks the security of the PRG. + +Since $\mathcal{A}$ can break the semantic security of the stream cipher, for $m_0, m_1 \in \mathcal{M}$ chosen by $\mathcal{A}$, it can distinguish $m_0 \oplus G(k)$ and $m_1 \oplus G(k)$. Let $W_b$ be the event that $\mathcal{A}$ returns $1$ for $m_b \oplus G(k)$. The advantage $\mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}] = \lvert \Pr[W_0] - \Pr[W_1] \rvert$ is non-negligible. + +Define two new experiments as follows: +1. The adversary $\mathcal{A}$ gives two messages $m_0, m_1 \in \mathcal{M}$. +2. The challenger draws a random string $r \leftarrow \lbrace 0, 1 \rbrace^n$. +3. In experiment $b$, return $m_b \oplus r$. +4. $\mathcal{A}$ will return $b' \in \lbrace 0, 1 \rbrace$. + +Let $W'_b$ be the event that $\mathcal{A}$ returns $1$ for $m_b \oplus r$. Then, by triangle inequality, + +$$ +\tag{2} +\begin{align*} +\mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}] &= \lvert \Pr[W_0] - \Pr[W_1] \rvert \\ +&\leq \lvert \Pr[W_0] - \Pr[W_0'] \rvert + \lvert \Pr[W_0'] - \Pr[W_1'] \rvert \\ +&\qquad + \lvert \Pr[W_1'] - \Pr[W_1] \rvert \\ +&= \lvert \Pr[W_0] - \Pr[W_0'] \rvert + \lvert \Pr[W_1'] - \Pr[W_1] \rvert. +\end{align*} +$$ + +The last equality holds since OTP is perfectly secure and thus $\lvert \Pr[W_0'] - \Pr[W_1'] \rvert = 0$. Since $\mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}]$ is non-negligible, at least one of the terms on the right hand side should also be non-negligible. + +Without loss of generality, assume that $\lvert \Pr[W_0] - \Pr[W_0'] \rvert$ is non-negligible. This implies that $\mathcal{A}$ can distinguish $m_0 \oplus G(k)$ from $m_0 \oplus r$. Using this fact, we can construct a statistical test $\mathcal{B}$ for the PRG as follows. + +1. Challenger PRG gives a bit string $x$. + - In experiment $0$, challenger gives pseudorandom string $G(k)$. + - In experiment $1$, challenger gives truly random string $r$. +2. Invoke $\mathcal{A}$, then $\mathcal{A}$ will send two messages $m_0, m_1 \in \mathcal{M}$. +3. Compute $c = m_0 \oplus x$ and return $c$ to $\mathcal{A}$. +4. $\mathcal{A}$ will return $b'$, and return $b'$ directly to challenger PRG. + +Let $Y_b$ the event that $\mathcal{B}$ returns $1$ on experiment $b$. Then, we directly see that + +$$ +\Pr[Y_0] = \Pr[W_0], \qquad \Pr[Y_1] = \Pr[W_0']. +$$ + +Therefore, the PRG advantage of $\mathcal{B}$ is + +$$ +\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G] = \lvert \Pr[Y_0] - \Pr[Y_1] \rvert = \lvert \Pr[W_0] - \Pr[W_0'] \rvert, +$$ + +which is non-negligible, so it breaks the security of the PRG. + +> **Corollary.** For any adversary $\mathcal{A}$ for the stream cipher $\mathcal{E}$, there exists an adversary $\mathcal{B}$ for a PRG $G$ such that +> +> $$ +> \mathrm{Adv}_\mathrm{SS}[\mathcal{A}, \mathcal{E}] \leq 2 \cdot \mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G]. +> $$ + +*Proof*. Use equation $(2)$ in the above proof. + +This theorem tells use that the (semantic) security of the stream cipher relies on the security of the PRGs.[^3] Thus we conclude that it is important to construct a secure PRG. + +[^1]: Some pair of keys may give the same decryption of $c$. +[^2]: If $\Pr[\mathcal{A}(r) = 1] \approx 0$, then $\mathcal{A}$ *can* distinguish pseudorandom from true random, although it is almost always incorrect. +[^3]: Note that the meaning of *security* is different for stream ciphers and PRGs. diff --git a/assets/img/posts/Lecture Notes/Modern Cryptography/mc-01-prg-game.png b/assets/img/posts/Lecture Notes/Modern Cryptography/mc-01-prg-game.png new file mode 100644 index 0000000000000000000000000000000000000000..7e8c5970bdd0db82c0483a8129bd83a3faddf352 GIT binary patch literal 11185 zcmc(EcQ{<%*Y7aHC{c$f(R&vWL>)CzqNM3Hf&|gah&DPAArd4QH6qbV^fsf59=(s= z8GSIg^Zowb_df4m_dd`4=brP&-e>K#_FiqDbdo&To&SG&Bt{P^+Xnwpx!!^5kq ztBZ>Z{J{T|Jv}|eQ?jzM9336;oyEmPcXxMu2hWUW!{Kmvk;ur%!NEZ+7JG7XGCe(w zMx(>S!z(K*dwY9xa&oM!td^FRHa9mD5)vjRCR$or+}zyG&d!{ioKjO$qobp(t*sjy z8_mtlJ3BkQyu9#h+1c6Q^+`-joSmH=9UX0LZQb47-QV9gG&KB=6?JuWg@uKAd3h@< zE9K?ov9Yni!NJwl)d&P)czF2u__)8nzoewZ*4EbF-~Z>&pRZrP*4Nk9($aeH;6YMS zlA4-YcX#)nKYx6Dd?X|!U@+L)+8Q@Ew~&xfN=gbXE$!R4ZzCcil$4aRv$H!oI@;UY zSy))u?LP_QZD#j+s`m_lJIcgeNl8hO_%02S#+=@dmYP4A=+kE=zPjj)i9((~KL7v( z_q5bip2MbhzMXsiRi^7Iv~AjVN*_MBoOiiH`HSWDlWE6W1Y{ng@4-S*T%z;WH_*+8 z648`)EUYqJ4#f7A;%QTXmrAN-cnCS6tu{$F0QjL)4qZrG%3088FofdRzVe-J^*4;{)n}oM^*%ZamY`?DL$ZK&z z0pAlooJVi)dD$?I@m3DY!O6+_2dcz;=S41}fMI8ur!j%11~W`7#-pK#fhu;b^B35{ z*mWxGdll!**?izI@S^P5WK=9U|Hrp%=&J4O#U6jXuq@!zy_C$?pJw>Qv4WjAA)J<& z%yP4h-~f)ARxSZOUtCKmB1%z9#o`-o701}j8LJR~pGL_eP4q8U&2zLbK;^(}Q6ELE zq|yrOWnvBIxBixv@D%6Eqn?`5LYgU8Mh3O<)PpQm*3?ldmcdBxKZCKW$W+l8gZtOjmgFwLCE&~R2S72 z*ZJw@kHTA{S_kz78rMl9s3I~m4Pb*1GIla3G#it_Pp3o|6oj8FJ|&#LPg!kID~KpT zU6uBS+l3}cNE68q3=c^qCLF_)mq5$Ik@wvyjFwucj3IdyfkyqMmpFsQpNH8CGC#(-$*;VD<;_iX>#9Hj1%fdOPs8~W+6=(udF*i0`tAm@ zuO-+vEQnI(U2JB8;J)c45WI8MNv$$~Xr?dsBK4YVb+#%TUx4(FKxBxQyI zvM-)TcfUbx=9IDn9Ff?spQHM)8^rHtuzQt5^4imNVgk1t!hF7 zoKF3z27=6uEEEkQ(k$=<5vjnQ`d1vaO145?Zux~bhkA>lmI_7`gH8mL%O;7L2Cc$0 zAE!cR2XG_}nYyk?fo)*vZZc&Dx z)S41fkoQ(xcLRu&VQBB=$eIZ7`^;e2$$=CmB=*W)o`~>eu9>jj@<-a{tnjFFPNfR# zm6?gY6MO$>8vWqS0O!k-dv|x5FB4P`-2D}+5@nQ|88YBObrqfTr6g46$#*yeelCP| zzPiwSz%2s~oef?1335IJmdx1rs)c z$!QY&Vlaz%(R}(l7PL_Q*W9(E4stUMWCASqAMzi=9@u8ck?Kc(nFD`D}J_3h=OBYA2a{( z8lm+8P`%`gr*AG_IjL0RY2E{e@&i7?wj0;Y80#iY0`~!!It;!vORS<&y}84|@~Th*3c|>Q6Elux2jc-g^qO}3d}Wi_)VH)ZU#N9ChJCi{0_NG zi7vg6y&kL-A}QOaxq`7K{o@1RKq4q*@%xwimsF#=`=cJ@IDtXS~I_;Zd9CxbncGrp#+ zWLo%Mh)nONs!&V9cXrkAYYCfm#zkU%6EPEOnwKcr6|%?4 z{_R5SXu>hhwS?GTfqCL(~N)VYd~`*8Ti?b6Bsus~APz)v$wBQNCGxc@=Qi(WETV3YPmi1Jhwt*v9IRzL@(i z($CAq5~GGFI;CpJFoX0s4baC@1t2&PSEKMh^CprF6sb$72&Yq7xjH z?y7vva-oke%cm;9h)N13lXS0T zUj+-@csE@>PX?og_dgXR8xm*TO3zj$dfiEwc0G5QK4=Ze8moocP^N9vYZ7@+@DpJpLR4{hWTK8AmA>@&MV;OSkDjT%ooROADoIEM z4$c2e`{;&pD0V$!K#f3Mein||QWqvv+VBq(VTHkQ*f=e=nL(nyTL63Q^Fzd(IrP0r z*3`fYfd0tBd|J?A|1llXD>ASqUbjW@mm+;WFGo`It5n~9m-e59S@ng3X2zb7% z8(5bUmXe+?v|c8l8K^R{T$-1PV>D@CFTyb{+5jyKIiWsve&_b78J+VNrGa4LLCh(1~^vybJ5;tK3KD!OtS_1_3h41_Md5`iW{|s%Nskxp3W#P?4&PB%-)i%LgyhKhnPRNWtAM zuqAjmuTl~7`mmL-Y$OpKT;b`U+heN&h%8<6ZJd)$1;|y9Z1BIQ;n}(T7@8{}RC06U zNX=mH?zr~S@oTJ?$uCd2Kp_T;cv1sdCn9l7Y`yVU);NHsSE$LZo--4Tt*b{4%f(ETY6AsJ{-dm=62|p)|zu-5UINE09dR|H# zX7I@-Cdb!d~3hnW6#2{ERVxgKhyuZf|+Ek8vUh zE|4M7)Kn`DY*I_G){;`zIV0R#%pG^-y7P`yrhfnSkza${u>0nVrk(R9wI3zx{q4Ux zb2|zsk$RTT5sJk=sqd`B)qiw7ZB&q-nH39wFPIl3Et`O|J<^l|Fx!OUn4{t__{hZh zuyIWpwM=2^vg2(}U9=^Y-EjXiflXe-%C|YKZ3XFA2+P^0S@lORERT1-gt{m{9MRM$ zWGP@v7~xJwI<>_X)j!^YC|n9sv*UuPnt$wpu?_Dg@a5j?p}FjU7XU(y*;P5fZUqCobQ5@GdiNT?h@-ur`;0oYvBGxt#_ zJ(R(`I1HJIT9}*0Cop_pw;zmUWVwALb<0VXUfkm%RX4Ij3jxwNuIPnW| znCYX*mZ})1eJ@|5quLRta7Ay4bN0eQZ|FWoto7IJ0E`n6yW&Go`j^{TvZ!en?$P^6 zDj?r!WN3Y7!F2GnKiMX^St>!Q?FAIBBrjR(=QL>jG2g1|$xC6jJ z*i;OvlnB=qJPqzwwP6r4Gw%KtDPhgJPNAxsCab%bOi8J&BJF+0BxEqO=69{TQxUGn z&p=M#?b5&&iLVYuo=X~_`Z$-w-eC)iz5%24pJFJR$vSQsHpRx}?)UrV13`S#6k9xu zi*sl8hdaJe4MfC~4F>R`>;msJ3pm7R#8`5v{ zRM7pDmV|_6?h&R_o;Z6G`nQw`H=nCQEt980n;el=!1XvM*CYzGcRyV8?~t_$KZ&uJ zE`>Fc=|uEX1@R~Nc-icz#NP7M-?EyId&Dxl{RZ@fa+whpL;Htm%<$T{aCq)sL)xro!zbk`wK@|x_ zoNi>MHaVES$u*;%WPW+*=AVG~`w?ZQJpQ;8hCw}WQPMoT3g3`@@QoZMaD@@LVPuDFaH6_m*h2skO| z8238FOg_x=TsX$R%^Qd61h@@7U5))r)$7N$OjpMT8&-r?z4DeHFXy3x2GxvTF=uD1 ziO%Vyu#)+&YOmT0Tew*G@HgcbKX!WHZ0Dw(-D#1uXR*I-%GdOme*Ymom;jERb9?ZZ zN--R6kKd4hc!Lb)GWqIVuXK&c$Z*>ku2U}CsjEiFtr-sZi+(Sde3~1`gihA}pvL$> z+MLZfi&3C;|EUjO6acP#QjrD>FS#9v*(Msq(1h>Xo-@r?os;AP4`mcveQusFksYqL z8nU&6TPQIlE=Lm)kFMe?=%<3I53gWSknk16&0(J@ihIS9>ZbnOzL9{Vunp?ifD5y~ z?G0IOQK%%w=xC9y$dpe5h)RE$e&n!1;2sDgjeZqHX42!7A~5v(Iw>i;_%cP2;ehw0 z4D{~PIdN-(%-!oB=M~H)?}IXzgq3<_3%IXmJe&xq9w#m^kbU~B&CC1{E29PqFCwN6 z27agteUyc3;|O5*WHr@b3jyT_MCau7!JUahLqeRbIlfNAuVieM1sv16TiV>0zSjkSDq(FC3e7I)$^ zbOIy6@huBp5`|Szf}o9~elf);0YD2m7K#l(dOB{+02bKL1esv$1%L{xfSdrskn04^ zN=Tp*73PG14dVwdrNY1mfdPSVZ~z;68>oOj0$8#CPmwd5%#UyIKrkcmxvwI*e;OPd z&T!2ikb!Bv2_J-5Vly#*t>iZlC4JapaO*m$I8Gm{uo!Ven#tdYfi52Xe`W3(KuGa= zM7T4y{8@)x?{7}Rd*LFT?mc(2xN^ETYL{#KlHH|SZeH*Sr9M&ppg~XJmnp=M`YcZd zN;$WFpYr-Z7MneYlE-$fqob6-P)!Wk6OvCG-@^8j!+bGnU`t=9{|dTc70rq(3t>2! zv(Fv=$^GtsQ@}wr0q=?t8aPkNW;4op6csD%V9mGNnCRfy`yieYPt2SLhB9aa32{s# zH(UR_!FHCZx62w(!_pYWE{);3eB&z*;^8Jixlh!obh~wEnuy4!59t ziuEr;d5OZe902fwD0m+ob*phwNp8T+zTX?NAJXXrHvzrCh)u-a>t8EbC=`eZAo$z-m=|hc<7Z5hXyS1e7OL zsq5nLuWOVR(Y^fkM}DAaqROQX-2B@|Ry5IAySGHB&?bx1SRX~a`;>;!A**Z6ta;S% zd;WvH?ggWQ^aRlsIuPn#xm3*~B}RC^^D{LH{Fc0HbHGmcsJM&+TlY_-{ zefJ0cC(!zGSkMZZwGkhL_?VetRJU=@ti zd1{alrVqnUVHL)XqjUr7pZ&8W4v8cui#`7-aV5$D*1v(Ξ9vfuS6jP_Obg9i2Z` zV^{)$6Tefs9-OV930QDwWYngs-^{9RgPt2EP*Vk<0*HPvBuLhc0#XLKp_lEikjYv} zIF@E{Era<<>c)@C&lfbjc1j0EKZQj-AuPpk9}M!6DMUZ_?@U>}NV0Y~sD0r1Wsp^r zyTVYzoZk}hJs~V=n4mPcLE-a#OhUPLC<`uFM@8ZB7qjZ5xaG>v%MLW^k0`v(c$U*B z*%&!7MJtkHTg1_Oytf*ydwik;BKHxXzb(bK?`J=~AoyD8P3V*&L1;i7U6l7JjGY(L z+ad1Ru>XTF$EgQ+)42r#FG!-QCTEr+=-$EJ{dSNiX)i!zZ>+!p)Bw^+c3;e0IW$q` zoif`(&|YGzl~%$7%)u~QH|k8gXnZm7qaK&*su((dhk`abeU;-a6Da!WJ0Q=vGZ6({ zBPcO!Uq5GdzBn^ZCSl{dGQXe=S|y2Mg<K^;v;rBOUAk(e#PDsSIH;WJy! z!wyGtUgNSC;Q$ncpM;I5dm0w^nB-ISeTQVuGG`|skvNx%$O`&0!PeU*p^XDuj9g1U=pCoXpxU+{~mzVG93|eykk(ScL zk>q7;l>&<%H#LR)H_>(yZT=PtT7_S+J*k0L_L-~! zRxTpC^vn>GinJE*fmn?<*J@dBW&pZr8m*`W;VCo?ok)DGVEWjOe~|NK$x|?nF%)~1 zS|u#e*T)5T+ax8-p~>n>LEUJ~9KV~;w^$u^v%iVg$c(9k%(tte>SsTO zjM)!^+{wSUR6Y7K798Vk#-$pfl|~3N0->g8S9fbJHH(aG;b=}o$t3NeT^)ZCJG<@T zYE47`-c~kjSE!4&A^R#<+6luw;`%a3Q6;8@Owtszli&i1L!)FJbnPBbP!PmB$FK`DR)N^Q`c4^|GGdjC5pixQfCj6 zIjZY+y?&>3#m4#L<9%a{aCJ;T{#>yBP|;)4j0s`$ysaEoXYq7IhJ~+OU8o%QTaR96 za?lmAl}%RMOx{#qq1@Oo5!L%TD=jabx}AqHdd0pZLx)b(1{V)P7+GKv_C)xc&<;JY zdivAWb$UKX$x31Ww{aiDB|~WX&tY~PIgR=Pt^2V3Kx`~s8Q8&SWtiAaTnp+04bvWP#u*@bH`UL%?uedR5lTYBipX?TXn5UD4uxilWx(M%LiF zl~;MPmt&{}ouV2Q-|cg0*^L=n9oZJYwVoG6TJ5@_zvHq?Vrv&@(xfSO8dbN}%`WZ( zcPqasy1F1w1zPfgUxtqJZ7FDuF<-~X7*TM;Q0c3rP*K0WFt!gP&BfH+GpjOu&WT78 zi#+J>g+htkCXusab)4cuK=g$SivqGN)YXL4J#Dg#EW0=Oz6N!wwA0`^Q#Qhf>$_)e z%ScJ^885|El(Epp4cWE+>0WVRjPQpx>D_{fZjtW@s|+u% zN*$S0dA|2(nmF;D1iE-7HdQ1e2b&xQc>v{}n*8%!#MTIq5CKDN{^?UTws$VxZ+r9r z+w%usq}|ckL5A|CEK2PteZvD3x4S$Tx*10#F4R?7lyU#zRT{nKhsR_qXo$EpjI`aF zGHB@zIotbQq!;~x>zmP2%NrV5?5kKR%Q6%GR~%sIK^(ZW+&n^#YTAT{;^Su!?R0=q zP&i9KVh33K^~@8ZxI5Bvve;26HU*txA7RPA{$Fbl9n>n`YGK@xCLo>Fqb4p7Ow8@z zNN6#=jCk@;_sD}zURmrHdLZtS|8$esmZ*Nm^ifYLT);)~+SZ25-NG2xWXQ2YLB{&e z8kw87v(xW*GV{kN#F2wMFq@7Fu;H>4ka>PuFiqc-u<9qj+T`r1V5v`jL0-;<;lqV} zkOz4ETfXzdhkNVC^e=TZnbUjn0H7~U=M3Gb{DN{c(Q3En7xn5gDap#Km8}NejY&Gr zA~VX+2u12AsK0wo!jI4?ECGidKyjh--K$RI1I`OUSF1wK(9H?&A$0yU$-NV35#9x< z?}680cCG{KU4vFWRMLeTd|1&!4nyZK`1Tr0!29=LHXkEshN9}tyH2tB869Q11=a!f zQj+1qirB0859IjJeOY0de> zK7XwTSt-aDa`_ZVf)qw~d6{IfJh4>GuZS+5YphzARvXHvs!gCBNZTu#__E%<@S^zk z&UJ*}6F1<1^^&4&%yQP9EPta4>UTJ%g-4Gcawf$tFY#h0)Eux&9n2iyOzQ)btEpnz zCY5SpDC`^ofR;YUBk$`S<*X< zl8;h9SrH+G%Frp)Rdz*?d0@2Y*%jV-X55@$=n1J=h21J&M@EVIt013yQS)A);{zh~ zO_os(@fk7b7+tH78-?JDMYBPpEfVyTn$wAU1UuvN57#lz!v6wbSx@}^4SX@Ax7h<$ z+f#oRg#aoTzyb+$(Ldo7PPAFR(z?n$(otbIjrwTGfK+CxW}6n3lg4BX5_|T)I_eRZ z;~YGb@jjcmDUc?`W>qij>wS@JoeK~?249NEdCm9%!?F!c{u9lk%t7^p3#?=rqGljj z>@gh>*Y(1#&gQH4iHZ#W{nPRms#K?(Vpol4X@@}mv zfGq5Xch7}4_6r>Y?povaS}`PK;oRJ%q$y1Q z$ubg{R~fK-UwsI2^QID0)o7_MgBmFxnHn@B5D8Kmq#;auM4lOcdm6vN1o*IJ(qZ?i zj)Vxy188PV|H{054=_#U&U$0DNo6y=MoRG8Rm19UegPx;SKpY5I%#tK{&>cC2F1Lo z@ay{yIvk%YzHxyn#^#*M>$fEXwBM6jR{05-eC9Z8IR!OCt7>w z90JmzwoM1Tpf@vVKif?n&=XQ>du_-%QBCr(uB!4C|7kwW@#og*J9r7* zIdWKtsziaoHD|Km26H3NLp};N@{_sBSM0R zH|wbw*Pi*rbe%|!kpY|Wa`|(mYja=B=AYniD}y9#_wq&{g^(>5qL43UQw0#A+IQ;I zvy3W!!BvbDjHiS%;bjTUc(eqdz$L{r#c_Qg*2w^gm*c3^1EWwS`ls0bhFym&9~6VSDe z!{zR(^uY3j)%fS_lSW1SS3!e3%;3<<9-OI6gH568-&w-tB3SkmbqbmsqNLK?|6#zc zl=eKp@@$E3dV(LF7Au4#_R8!=`s|}eFuXn(tscQa}Y9kq(SxdY?D+;L^Wb+h2wCxDqav5#R6Fv=if%J~I_<^TNc;{Q_R zVfgZXWB)I_WX(Zx?rTB5a6pSe{);HJ{EI00{);H-{evhi{EH~b|AQz6{R=m3QK@m z`QlRsK`fsi8NlK@QM~(rxdBiZwpvi^sZ|UL)=9^45J94JI#%cqCRI0Jh}^Q0+VLEvs#u5w^lk>&gKCHkG}um@IhUX z$b+a61^n|WH{^_=QFqolz}eUdCI4HE%h!$Ji3A0kecxTMiK31N<~@UIHhjpV&8YkK zL#e)HL&p;Dh8>Z=O_EPwH%ev2V}k%K4L$V| IRqN3I1z*zq2><{9 literal 0 HcmV?d00001 diff --git a/assets/img/posts/Lecture Notes/Modern Cryptography/mc-01-ss.png b/assets/img/posts/Lecture Notes/Modern Cryptography/mc-01-ss.png new file mode 100644 index 0000000000000000000000000000000000000000..e7f48c961d8aab86413bf447d2a3d58aad78085e GIT binary patch literal 7988 zcma)hcTiJL*mdZk2%)1!I)pA=LWz_}kzN!KPyqqykkE@XX@Vj27K(!ODqW;X3xptD zx^zK$uk!MH=lkpX>z$ps=eg&c-Fas2?lZf0qxE#u?oiyL0001YG}Pe+001Er03eV7 z65TSW5IVbC*w)iBdUA7fbA5e%`*wDA*4o;7d3mX?umAS#+xGVM<>h5K9KN-+m7JUm zfk3LNsumX)u~@91pWnsBMRj%c=;)}lv~+B2?A6uP!NI}t@i7jE+t}EcnVD&9Y@D2& zTw7b~?(QBM8v6F_+v(}4lao_%aj~MJ;?B+v8jW69Sdf*K?d|Oy9v&_zDA3Z$JUTkEu&~I>%bS~FJ@Pqr>CzEG#VK8s-gsJ(A!5Nll1~zNuf2-rD@hk;4C9N^*ZQ>%sW&&s49mzDG$+4C(Kw_`Di(K* z*2lUU zTKb{*e*v@J8XqzV+K)-qzYV?z-wJs+{k8A0x4|;Wt?-|D-R8gG;hyf`RD?ICVIDJh z>Enpw$WZfxE++FKQ`paEVui&b0W3BI%-Sxn9Hr5-dr441`6trz=jEc2!EbJsi%hGB z>)pIf_(LZo4w$c7S=5LsmC_|5e_9O~uYp`>&cC~7{tb-z8a@)N*_KJqc95N>+IgFi zEoc+R@i<+j&!~|E8!s;@nGJ;z3h)z&3n2eZV5}F?=~pSw)p);-fbVL3wl5_Xu|3TL zXfNg88*S5Y_l)6=xo3m-={w&NL;_E7Cr%W&FV)Z()BVpz=X`7K&lMskq}TO7LJfiI z!$m_l=<1Nwa~LuoN+Mat9RdLJSX~m zsqA$~-b1JfHg?O1dcg$3>GX>t<^s1F>D+asQ^K(AoLarHQIhF&^$tuEwsWxvKh)-!=IN{c-*qWjek*2e5g5ujK$VlqX&+JNZi=LQjjjE|<^>aY5F+>6&KWfc{3YCxn*yBrzXN(^t1e0P2p zeh`%m;oMyfutBj@5k*UX=zu5u065*1Gbiq1#&>rX<^L8(R}X0b&RcMZ3iY{F6v{)T zes4={F7xKL6H{dVbMC zkVB(Pedzub=3&jWA!6qKxAfzeS#X3<@d>bTF~m71ha;#vz{Xxl8q$%P(*z`pH@Eki z#%iAg$>9hH&fj^~9&V5aPiej{Gr=RQHP!w({A}vb?nUK9DC<=3^i24-f8U^@UjE6{ zq$7MT699~)PcDz(07lGI5|vz!>sJn8pJlQ6WUOJSKDm0iZw@d9C4V;@xyd+eKaaU3t^ zW^tHfql01jb#3bC*Y0M_oQQT`5Yw3_?$gKJbXnU7*OFd~X@Iy4S6PqWGq^+fRrC?K!?cs|3K>Loh@# z6G-+J11e&JhSeN5j{BrJ@-|cLnoBAVdJ~AE?=-2Z>R7>`Y-&iXDb1b>79cXj$^c>` zu}_sVi=>JC{kH<)r$!<1Lvnn}1bc>it5X~mxbXx2tUee6ZwkI#zq*lIMeokM=&s_p z6y0vL?)@g>O{VzN;CE@o%8S<#7)tVOhh)|3^d14ivDN1AG7qiSrme5{dyqhoNBE7F zq4BcZY57P(ux0N(EsW-asyBCeSvlF&@krWsDrj`G+iZMBs|!DgiAr(r7k6^{$b^@Q z2)DL_l!XwV8XP4_>#mQEStmO+H@Qh>v)0_K`kgn;b`El{Jf2Cgk5fV2HRRh$LS~~Y ze7L_I36pntnohrb`l-UKROtucMC}eq>+f#_(Z3|2>`P=LTI&vVvmfOw zd7yd=e}w*wX^G=RSfH2q#NB@JT53(+v&1>}rBUqhU;Naovi$bDJDZ7SK?UunT##&z zr~#_uj&*U6x5OKBYN0(IW&*bpU-~|H%B-&-r^I);91C+zBd(1D<+|r^{gc{6ZT?_( z+Q<62!fxO?=TL&I-`So|rxj7l$ijctzfYWOzsHuly6a^oWCWk)2zpn}yAWw$!{A?k z_=<>&M2ZGog;=tPb;eUX{_@L1AtsrFp4{$zSfN3%axN(&m9;9b;_}8s$x`FnKWqTW zj%tpAxQ}X=v7-S(MBGMI#Kv&b&wBVrG?}~84WI8T-SKHOCO^U-7wU}u1{;5Gws7#= ztQ2Nk(@a9gNYSZpMQ5Oq1i9&?H4fL`s#+tGTRQQmXLoBIHt^%m`!%9;Q8WAu4W#8C zkDi^1OR>NirR(JiR}YmO)r$X~jMtICpdZznQ+1z&g;AL}_SteHT(m4_9=l2zD}vTP zw?A%#MT*jGY@U665PIm8@@4FcU!9ryg@098Ia6Fg_}kQ%@0Mf$XdAL$41#oD=C z0Lpd|MB{XndLtYTBZ>}sB=tj909n5^(IPwQN>vK6$@J9tchD99`&fGtOVYQRV}8%d z^SA^ew1`4wx_S;Kh?X`J*RW?qm^*GlYMF4x`Iqb!fDVf75OwFH_y@5K0W744cPsOdz0Plz36LxgqArQ zVKETMn9QpVYI4s)qge?N<8_{NPdOpXxy=@@-Rg?+NZe*nB)5Zw)`(G9f3n0qxKL9* zwHo;fV~w*QZE2*Qf~-R}!Sqwy=$)`Qnp(yl2I%RCqN10PJZl4$1--Vbi+=zE5zCl< z;<79~T^gqvhbbxK@Z+i91mF4?6b41EDj;U%3!$XMygH*%i))tJ)8K~Z1ItuiubBm> zo%k)*8&}eLbq4dm2=hY2^;x+UhU%1T^k}NMUh9l-+~3;wx_EQnkKo`AdcrhTm6!4I zAXo0HhyHH2Nxgk~XLX#5^8FOW@&t?<=z#~a7cJMLvbe0L(s4iO+<6P7-+{J54hGurF5hs)>UQ4( zDPTx`Kt2llB9U>=Rf2+DF|Bx(LeXYG9FX@m2q!6Q6V&CFM_7>c1VYyxV7s~0h)vGg zE$?s9#RvGJz}JjSXBmsnQ*yS8!X~9Au~S?y5_m*`+5+_nHr;!7=tMEN0wDi{j)1?N zJqR3?b#dt%u;bBo)~!ERHl~z=X*ytqvWq9A|K<6x9UmKN2@297R*7$@BtM!qycoa^ z&+V)PNJyk-;vzyGmySx$E2GrruT4b}if_KM|I@wO&~tww@aHc+SA~MMY|JCvgSNb= zM`#tovYk318U;QP0Fa)O7y@i^61Ei}s>3DZRxf5A@azEVgyJkBiJsr1)ygutLLlU>SpEb}WOtptf( zv99Ivf)Ewn*MYE>#Bt4sHhq#;R8ut>JIP$WzfKG)1894Yu!?sqz8A&gM{rr=xDit5*g-jYJ7TjYhW7X3#usof&|=l@Ll(3tYXl(ue-l{e!s5wTlYc z52PuoyP!UED$HXg+t#O6EGSbebxtAjT4g4%;@mX{ba_DI6H%wz0)z>{^-wdRNS0U~ z;4k8wey|3YG$mPAD@Nn`labo0naH|cM)1PaB~S-L5*r-iIQfLaq}4dtTCp<)DFEFH zY>bDUHTNa+%A^;L>%u9zMvA~hbY3(~NXP9KRegtL=cX(PPQLe^W^?he^-zIGH@f{H z?e@XnVke7D`4Y`+5Chf*Rr{vsr%!J`%F;`?0~tVuRY7CsbcT&lgCaS#ovIuatw|^W7Z^lW za+%@&41WMZs&(z=mM6$=USHRJRfgIZrzioYRY++K!2Ba~Eq}zfnp)065g!m#fP7T{ zkIaEidYbkxUF~{{fPf~}0|=CaU=z9mT0OIBLglCrZG{YlMJ8?R8IMzHR;B zwH!Zw`{aGn^Nlr6bAcK+!g>1h7#77~>6?1zzt7rJ6A}|;0b8w)M_3PZz3}0Xk9@$q z^-L1D(kFJ20Y}=h+@iiE`s!ng`_4BvL-wUieAAI1rSxRT$(!!G1S?F*dE0t-wJFM^ zs7l3rUgWA7wBj?;3d&;GLo9tg7a~>KRKNZv(JU3n|o4U6m z{Na#~+~4O7Q}pEDd}{gXe0jmXW!eF$3` zp?=RzYgW#|#D*{B`xWBD``OX-$d6H1a?Y$J7D}g1l@Ln+>|~E{n>k_9AgtVGN3E9v zLHdrLd&><$bn0<5q3R|;?cJ?VF$py)a!z^8L^}5TUWIzytqg`HlD!%JqT`v@W5UsH zNKFU^n{T)YJ7d{vELvW0Z|8djY2HW6R@M{7njML5z7(8|vC)T+! z*Up9!p7|DK&^){0N=MD#%%43}rj6u(C5m28)TS ztqjtk&wlM}7aW#<5^P@dS>i)tWQ2o* zGD#Y;+(A*Hjo;0bY&z~%}jl2?Zwwi zv8bv{fdTrv)Md{(-)P@E!77DGd`oh^|EWENJh6reF}(f&LU}PdUZP~erIPkJkgDHQ zap!#o(k90M=$^eThp;Cxzi!u)R!cCiz^QS%n2rssnVW>V5Pb^49Nz65*s`PbjG=4m zY0%jd>Ei@_Tu|#9h-I+Jd?dFaA}ji7&F8R`pSbQAyjeV&y;#WY|D^Pn1|^3;eN<~h zC~`i>C@YpG`lNo~!A?BS&JVDX=XKb6;1U0f`@~0Lz~{GLZvRz2E`6^W@zfXV;sQ%E zZ8l9)M}jiFNOgSQ9rk8jFfNgMWV@Pj|INzjed=FY9|9U+dJ+{{7cO#Q`j$gyFah}9 z)ok%)+VT`dq=k$WO^S;F@NN33BeLGtS+Vbf6DCDSToH=v(=zfN7qh&&@=;l$zD?NRm=q@=H1p3_r$y$ z@K4<7I@4Ti&^gEyvX!x4k{mM)W!HA%-Ru6R=J@$j^_Ihtu~h8d{D=)J$87oQE!l_U z`Oy`y?^K^fzh^{EEwOo3oA&#>#o?4P_CBmra!6Af{Mfv@M^4^l)f~~Yogq=4+{Vy3 z{>rNZNcnNjK}u?U=qxCky4B7B4@^HyqusJ`9~#3HL%BMby*AQr??fUj(Ls~QpDj>D zqBW0nYZR0QiQ^aT1tW1&II+U^TNJaC=*1A;VlQS8jHI|lFjD&eW~yjuc74kEAy4KV z-jzVAm?~*i39YWr5MQRX&ml2rP(Qu<%$&d>KeU9L^ zbLg6$DDCU`kKq)U@k&A66NV;8c*Y%TZ9`Haqx)T!@0D3-9N15n_m?TU- z)1gf7H4e;}GD2%u{qJioJUAio=h9Gr5D|XOrNB7szJ`vc%2=BPD{<}$ca0CCM9t1L zwB|S149c#UYanQaxO$Oeq*pgNy~bTxwq4*Q$4L(lI|9?DmaBQdEljP)AXGO2k8>H6N1gn7@TN$vB7(%PE5 zLb_ypvtuv~bARvOmq64{=)DPtWLZIiUu^u)XyN%X`CtD4v3Fd&w@%LXL~GVlP(DDp zL2%Tw8A36GGbO~ouqEud(_G!v=1=PQ2IX)}eFLX}7lx?XXOg^q__2(@x+;S1g*=r1 zZeL6VS0MKdH&!-|=&e52Z79ilM z4q*(B-M9|uv&(&#?pMDia>v|o*wL3H#O@M~nM9uhC!1aXcp$#r2@Aen}9Ge$N?@kzP8K9Mt3y;a-61`dlLO(hL^>odT>atI#kkB4g1K#X8 z^WhG&`WHgb7%u}~ zM=3XA>^nj2gwd6i31f+ z(0wjx{}Uc|)q!m$rC4UBM?$5JYzfl~sYIX8w!Rt@iA}Ez#;jeCc#`@XT#_LagDX4J zji0X){wYacIWb=CYBSKC^x>_4oRn7@#-q0I{dR%guFfkJXsd!XcE3R%dbD%?6xDWT z6%9bt0bo4Pe_jvm$T$efR{a}ze&%rZE@QyCCJT>h3SP~C)lm&iEzioEt!#Cjn^{Pq zuP6{5X4rix&Og7f-_o;QEu_ztpN;!F`g~*JCR6GW5%71#ZCy;@2L@o{*`w0Ele6;_ zO{-f?>4Aq^{JWZ{$~$Y%0Uwwj;=X5?iH*^IZTQ%hb9mKW*_3R%`cE3YylU2$u)xU ze3SE-;o(hS@ww`#mwZaiarZzS`suhX8`?Uq=;3_7>7yLM;Iyc@PhNd`}^zqArj4m_K2UkeDj QE%E@3Cpz#7<=3JA1FRBQg#Z8m literal 0 HcmV?d00001