diff --git a/_posts/Algorithms/BOJ/2023-11-02-random-ps-1.md b/_posts/Algorithms/BOJ/2023-11-02-random-ps-1.md index 033e39f..9b442c3 100644 --- a/_posts/Algorithms/BOJ/2023-11-02-random-ps-1.md +++ b/_posts/Algorithms/BOJ/2023-11-02-random-ps-1.md @@ -52,7 +52,7 @@ $$ 중학교 시절 에이급 수학에서 $(3 + 2\sqrt{2})^5$의 정수부분을 구하라는 문제를 봤었는데 이 때 사용했던 아이디어가 켤레무리수를 생각하는 것이었다. 비슷한 아이디어를 2017학년도 서울대학교 공과대학 수시 일반 심층 면접에서도 $(2 + \sqrt{5})^n$이 나와 사용했었다. 그리고... -> **정리.** $\alpha = 3 + \sqrt{5}$, $\beta = 3 - \sqrt{5}$ 일 때, $\alpha^n + \beta^n \in \mathbb{N}$.[^2] +> **정리.** $\alpha = 3 + \sqrt{5}$, $\beta = 3 - \sqrt{5}$ 일 때, $\alpha^n + \beta^n \in \mathbb{N}$ for all $n \in \mathbb{N}$.[^2] 여기서 핵심은 $0 < \beta < 1$ 임을 이용하는 것이다. 따라서, $\alpha^n$의 정수부분은 $\alpha^n + \beta^n - 1$이 된다. 이제 $\alpha^n + \beta^n$만 구하면 된다. 근과 계수의 관계를 이용하면 수열 $s_n = \alpha^n + \beta^n$에 대한 귀납적 정의를 얻을 수 있다. @@ -87,5 +87,27 @@ $$ 모든 가능한 프로그램의 후보를 얻었다면, 가장 짧은 것을 찾고 사전 순으로 제일 먼저 오는 것을 찾으면 된다. 사전 순 정렬의 경우 귀납적으로 생각하면 쉽게 구현할 수 있다. 앞에서부터 연산의 종류와 횟수를 비교하면 된다. +## 13174번 + +- [BOJ 13174](https://www.acmicpc.net/problem/13174): 괄호 + +어차피 palindrome이니 절반을 정해주면 나머지는 자동으로 결정된다. 그러므로 길이 $n$인 괄호 문자열의 임의의 prefix에 대해 `)`의 개수는 `(`의 개수를 넘을 수 없다. + +이는 [Catalan's triangle](https://en.wikipedia.org/wiki/Catalan%27s_triangle)의 응용이다. $i$개의 `(`와 $n-i$개의 `)`로 길이 $n$인 괄호 문자열을 구성하고, $k$개의 색으로 칠한다고 했으니 정답은 + +$$ +\sum_{i=\lceil n/2\rceil}^n C(i, n-i)\cdot k^i +$$ + +이다. 색칠하는 방법의 수가 $k^i$인 이유는 각 `)`가 짝이 되는 `(`와 색이 같아야 하므로 `(`의 색만 정하면 되기 때문이다. + +계산에는 + +$$ +C(n, k) = \frac{n-k+1}{n+1} {n+k \choose k} +$$ + +를 사용하면 된다. + [^1]: 원래 빠른 거듭제곱을 할 때는 $a^n = a \cdot (a^2)^{(n-1)/2}$ 으로 했던 것 같은데 이 경우에는 잘 안되므로... [^2]: 증명은 귀납법. 이항정리를 써도 좋고, 수열의 귀납적 정의를 사용해도 좋다. diff --git a/_posts/Articles/2024-03-11-you-and-your-research.md b/_posts/Articles/2024-03-11-you-and-your-research.md index 5cb81a7..56de50a 100644 --- a/_posts/Articles/2024-03-11-you-and-your-research.md +++ b/_posts/Articles/2024-03-11-you-and-your-research.md 
@@ -98,5 +98,20 @@ Read the full text for the full context! > I think it's very valuable to have first-class people around. \[...\] **I tried to go with people who had great ability so I could learn from them and who would expect great results out of me.** +--- + +## Summary By Claude 3 Sonnet + +Here is a summary of the key points from the article "You and Your Research" by Richard Hamming: + +- Hamming discusses what separates the great scientists who make significant contributions from the merely ordinary ones. He argues that great scientists possess certain key traits and approaches. +- Great scientists work on important problems rather than following the crowd. They have courage, ambition, and become emotionally invested in their work. +- Changing viewpoints and converting perceived negatives into positives is crucial. Luck favors the prepared mind that seizes opportunities. +- Other key ingredients include continuous learning, knowing oneself and managing weaknesses, having a drive to work hard, tolerating ambiguity, shifting focus periodically to stay creative, and great scientists carefully pick their associates. +- Presentation and selling ideas is extremely important, sometimes as much effort as the research itself. Having the courage to promote unorthodox ideas is vital. +- While talent plays a role, Hamming argues factors like attitude, work habits, self-awareness and motivation are equally or more important determinants of whether someone does truly great, impactful research. + +The article crystallizes insights from Hamming's decades of observing what distinguishes elite scientists based on his experiences at Los Alamos and Bell Labs. + [^1]: *if you don't think it is going to lead to something important, why are you at \[...\] working on it?"* [^2]: *What will be the impact of \[...\] on \[...\] and how can I change it?* 
diff --git a/_posts/Lecture Notes/Internet Security/2023-09-11-symmetric-key-cryptography-1.md b/_posts/Lecture Notes/Internet Security/2023-09-11-symmetric-key-cryptography-1.md index 2de8aa5..3e6bdfb 100644 --- a/_posts/Lecture Notes/Internet Security/2023-09-11-symmetric-key-cryptography-1.md +++ b/_posts/Lecture Notes/Internet Security/2023-09-11-symmetric-key-cryptography-1.md @@ -185,7 +185,12 @@ The case for $C = 1$ is similar. ### One-Time Pad (OTP) -[1. OTP, Stream Ciphers and PRGs > One-Time Pad (OTP)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs#one-time-pad-otp) +Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then choose a *random* key $k \in \left\lbrace 0, 1 \right\rbrace^n$, and XOR $k$ and $m$. + +- Encryption: $E(k, m) = k \oplus m$. +- Decryption: $D(k, c) = k \oplus c$. + +This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../Modern%20Cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)). ## Perfect Secrecy @@ -219,6 +224,8 @@ since for each $m$ and $c$, $k$ is determined uniquely. *Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$. +For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../Modern%20Cryptography/2023-09-07-otp-stream-cipher-prgs.md#shannon's-theorem). + ### Two-Time Pad is Insecure It is not secure to use the same key twice. If for the key $k$ and two messages $m_1$, $m_2$, 
@@ -237,6 +244,7 @@ So some information is leaked, even though we cannot actually recover $m_i$ from - Ex. RC4 - **Block cipher**: encrypt a block of bits at a time - Can provide integrity or authentication. + - Block ciphers usually have feedback between blocks, so errors during transmission will be propagated during the decryption process. - Ex. DES, AES ### Stream Cipher @@ -247,7 +255,7 @@ Stream cipher does not have perfect secrecy, since the key length is shorter tha ### Linear Feedback Shift Register (LFSR) -The seed can be used in a **linear feedback shift register** (LFSR) to generate the actual key for the stream cipher. There are $n$ stages (or states) and the generated key stream is periodic with period $2^n - 1$. +The seed can be used in a **linear feedback shift register** (LFSR) to generate the actual key for the stream cipher. There are $n$ stages (or states) and the generated key stream is periodic with maximal period $2^n - 1$. The links between stages may be different. But in general, if one is given $2n$ output bits of LFSR, one can solve the $n$-stage LFSR. @@ -278,9 +286,10 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary 1. Compute CRC for the message - CRC-32 polynomial is used 2. Compute the keystream from IV and the key - - $128$ bit input is given to the PRG + - IV is concatenated with the key. + - $128$ bit input is given to the key generation algorithm. 3. Now encrypt the plaintext with XOR. - - The IV is prepended to the ciphertext, since the receiver needs it to decrypt + - The IV is prepended to the ciphertext, since the receiver needs it to decrypt. #### Decryption Process 
@@ -292,17 +301,17 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary ### Initialization Vector - The IV is not encrypted, and carried in plaintext. -- IV is only $24$ bits, so around $16$ million. +- IV is only $24$ bits, so around $16$ million possible IVs. - **IV must be different for every message transmitted.** - 802.11 standard doesn't specify how IV is calculated. - - Usually increment by $1$ for each frame - - No restrictions on reusing the IV + - Usually increment by $1$ for each frame. + - No restrictions on reusing the IV. #### IV Collision -- The key is fixed, and the period of IV is $2^{24}$ +- The key is fixed, and the period of IV is $2^{24}$. - Same IV leads to same key stream. -- So if the adversary takes two frames with same IV to obtain the XOR of two plaintext messages. +- So if the adversary takes two frames with the same IV to obtain the XOR of two plaintext messages. - $c_1 \oplus c_2 = (p_1 \oplus k_s) \oplus (p_2 \oplus k_s) = p_1 \oplus p_2$ - Since network traffic contents are predictable, messages can be recovered. - We are in the link layer, so HTTP, IP, TCP headers will be contained in the encrypted payload. 
@@ -315,12 +324,13 @@ Given a bit string (defined in the specification), the sender performs long divi ### Message Modification - CRC is actually a linear function. - - $\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y)$ + - $\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y)$. + - The remainder of $x \oplus y$ is equal to the sum of the remainders of $x$ and $y$, since $\oplus$ is effectively an addition over $\mathbb{Z}_2$. - CRC function doesn't have a key, so it is forgeable. - **RC4 is transparent to XOR**, and messages can be modified. - - $c = k_s \oplus (m \parallel \mathrm{CRC}(m))$ - - If we XOR $(x \parallel \mathrm{CRC}(x))$, where $x$ is some malicious message - - $c \oplus (x \parallel \mathrm{CRC}(x)) = k_s \oplus (m\oplus x \parallel \mathrm{CRC}(m\oplus x))$ + - Let $c = k_s \oplus (m \parallel \mathrm{CRC}(m))$. + - If we XOR $(x \parallel \mathrm{CRC}(x))$, where $x$ is some malicious message. + - $c \oplus (x \parallel \mathrm{CRC}(x)) = k_s \oplus (m\oplus x \parallel \mathrm{CRC}(m\oplus x))$. - The receiver will decrypt and get $(m\oplus x \parallel \mathrm{CRC}(m\oplus x))$. - CRC check by the receiver will succeed. diff --git a/_posts/Lecture Notes/Internet Security/2023-09-25-modular-arithmetic-1.md b/_posts/Lecture Notes/Internet Security/2023-09-25-modular-arithmetic-1.md index 93d87b4..359e848 100644 --- a/_posts/Lecture Notes/Internet Security/2023-09-25-modular-arithmetic-1.md +++ b/_posts/Lecture Notes/Internet Security/2023-09-25-modular-arithmetic-1.md @@ -9,6 +9,7 @@ tags: - lecture-note - security - cryptography + - number-theory title: 04. Modular Arithmetic (1) date: 2023-09-25 github_title: 2023-09-25-modular-arithmetic-1 
@@ -169,7 +170,7 @@ The inverse exists if and only if $\gcd(a, n) = 1$. > **Lemma**. For $n \geq 2$ and $a \in \mathbb{Z}$, its inverse $a^{-1} \in \mathbb{Z}_n$ exists if and only if $\gcd(a, n) = 1$. -*Proof*. We use the Extended Euclidean Algorithm. There exists $u, v \in \mathbb{Z}$ such that +*Proof*. We use the extended Euclidean algorithm. There exists $u, v \in \mathbb{Z}$ such that $$ au + nv = \gcd(a, n). diff --git a/_posts/Lecture Notes/Internet Security/2023-10-04-modular-arithmetic-2.md b/_posts/Lecture Notes/Internet Security/2023-10-04-modular-arithmetic-2.md index 717a22c..1ddefa4 100644 --- a/_posts/Lecture Notes/Internet Security/2023-10-04-modular-arithmetic-2.md +++ b/_posts/Lecture Notes/Internet Security/2023-10-04-modular-arithmetic-2.md @@ -166,7 +166,7 @@ Now we can prove Euler's generalization. > a^{\phi(n)} \equiv 1 \pmod n. > $$ -*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^\left\lvert \mathbb{Z}_n^{ * } \right\lvert = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result. +*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^{\left\lvert \mathbb{Z}_n^{ * } \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result. *Proof*. (Elementary) Set $f : \mathbb{Z}_n^* \rightarrow \mathbb{Z}_n^*$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem. 
@@ -195,7 +195,7 @@ $\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^*$ is a multiplicative gr ## Chinese Remainder Theorem (CRT) -> **Theorem.** Let $n_1, \dots, n_k$ integers greater than $1$, and let $N = n_1n_2\cdots n_k$. If $n_i$ are pairwise relatively prime, then the system of equations $x \equiv a_i \pmod {n_i}$ has a unique solution modulo $N$. +> **Theorem.** Let $n_1, \dots, n_k$ be integers greater than $1$, and let $N = n_1n_2\cdots n_k$. If $n_i$ are pairwise relatively prime, then the system of equations $x \equiv a_i \pmod {n_i}$ has a unique solution modulo $N$. > > *(Abstract Algebra)* The map > diff --git a/_posts/Lecture Notes/Modern Cryptography/2023-11-07-sigma-protocols.md b/_posts/Lecture Notes/Modern Cryptography/2023-11-07-sigma-protocols.md index 37cc38f..38cd912 100644 --- a/_posts/Lecture Notes/Modern Cryptography/2023-11-07-sigma-protocols.md +++ b/_posts/Lecture Notes/Modern Cryptography/2023-11-07-sigma-protocols.md @@ -18,8 +18,7 @@ attachment: folder: assets/img/posts/Lecture Notes/Modern Cryptography --- - -The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols. +The previous [3-coloring example](./2023-11-02-zkp-intro.md#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols. ## Sigma Protocols 
@@ -27,7 +26,7 @@ The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) c > **Definition.** An **effective relation** is a binary relation $\mc{R} \subset \mc{X} \times \mc{Y}$, where $\mc{X}$, $\mc{Y}$, $\mc{R}$ are efficiently recognizable finite sets. Elements of $\mc{Y}$ are called **statements**. If $(x, y) \in \mc{R}$, then $x$ is called a **witness for** $y$. -![mc-13-sigma-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-sigma-protocol.png) +![mc-13-sigma-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-sigma-protocol.png) > **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **sigma protocol** for $\mc{R}$ is a pair of algorithms $(P, V)$ satisfying the following. > @@ -105,9 +104,9 @@ Also note that **the simulator is free to generate the messages in any convenien ## The Schnorr Identification Protocol Revisited -The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](../2023-10-26-digital-signatures/#the-schnorr-identification-protocol) for the full description. +The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](./2023-10-26-digital-signatures.md#the-schnorr-identification-protocol) for the full description. -![mc-10-schnorr-identification.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png) +![mc-10-schnorr-identification.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png) > The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where 
> @@ -165,7 +164,7 @@ $$ goes as follows. -![mc-13-okamoto.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-okamoto.png) +![mc-13-okamoto.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-okamoto.png) > 1. $P$ computes random $\alpha_t, \beta_t \la \bb{Z}_q$ and sends commitment $u_t \la g^{\alpha_t}h^{\beta_t}$ to $V$. > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$. @@ -192,7 +191,7 @@ $$ goes as follows. -![mc-13-chaum-pedersen.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-chaum-pedersen.png) +![mc-13-chaum-pedersen.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-chaum-pedersen.png) > 1. $P$ computes random $\beta_t \la \bb{Z}_q$ and sends commitment $v_t \la g^{\beta_t}$, $w_t \la u^{\beta_t}$ to $V$. > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$. @@ -223,7 +222,7 @@ $$ goes as follows. -![mc-13-gq-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-gq-protocol.png) +![mc-13-gq-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-gq-protocol.png) > 1. $P$ computes random $x_t \la \bb{Z}_n^{\ast}$ and sends commitment $y_t \la x_t^e$ to $V$. > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$. 
@@ -279,7 +278,7 @@ If the challenge is known in advance, the prover can cheat. We exploit this fact Suppose we are given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim}_0$ and $\rm{Sim}_1$. -We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on ${} \big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1) {}$ as +We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on $\big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1)$ as $$ \mc{R}_\rm{OR} = \bigg\lbrace \big( (b, x), (y_0, y_1) \big): (x, y_b) \in \mc{R}_b\bigg\rbrace. @@ -425,7 +424,7 @@ Omitted. Works... ### The Fiat-Shamir Signature Scheme -Now we understand why the [Schnorr signature scheme](../2023-10-26-digital-signatures/#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes. +Now we understand why the [Schnorr signature scheme](./2023-10-26-digital-signatures.md#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes. We need $3$ building blocks. 
@@ -450,7 +449,7 @@ If an adversary can come up with a forgery, then the underlying sigma protocol i $n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn the sum of the votes, but we want to keep the votes secret for each party. -We can use the [multiplicative ElGamal encryption](../2023-10-19-public-key-encryption/#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$. +We can use the [multiplicative ElGamal encryption](./2023-10-19-public-key-encryption.md#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$. Each voter encrypts the vote $b_i$ and the ciphertext is 
@@ -468,7 +467,7 @@ where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. N Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value. -To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs. +To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](2023-11-07-sigma-protocols.md#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](2023-11-07-sigma-protocols.md#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs. [^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*. [^2]: A Graduate Course in Applied Cryptography. diff --git a/_posts/Lecture Notes/Modern Cryptography/2023-11-09-secure-mpc.md b/_posts/Lecture Notes/Modern Cryptography/2023-11-09-secure-mpc.md index af5a538..b636010 100644 --- a/_posts/Lecture Notes/Modern Cryptography/2023-11-09-secure-mpc.md +++ b/_posts/Lecture Notes/Modern Cryptography/2023-11-09-secure-mpc.md @@ -14,7 +14,6 @@ date: 2023-11-09 github_title: 2023-11-09-secure-mpc --- - ## Secure Multiparty Computation (MPC) Suppose we have a function $f$ that takes $n$ inputs and produces $m$ outputs. 
@@ -121,7 +120,7 @@ It is known that $k$-out-of-$n$ OT is constructible from 1-out-of-2 OTs. > Suppose that the sender Alice has messages $x_0, x_1 \in \braces{0, 1}\conj$, and the receiver Bob has a choice $\sigma \in \braces{0, 1}$. > -> 1. Bob chooses $sk = \alpha \la \Z_q$ and computes ${} h = g^\alpha {}$, and chooses $h' \la G$. +> 1. Bob chooses $sk = \alpha \la \Z_q$ and computes $h = g^\alpha$, and chooses $h' \la G$. > 2. Bob sets $pk_\sigma = h$ and $pk_{1-\sigma} = h'$ and sends $(pk_0, pk_1)$ to Alice. > 3. Alice encrypts each $x_i$ using $pk_i$, obtains two ciphertexts. > - $\beta_0, \beta_1 \la \Z_q$. @@ -142,7 +141,7 @@ The above works for **semi-honest** parties. To prevent malicious behavior, we f > > The remaining steps are the same, except that Alice checks if $pk_0 \cdot pk_1 = w$. -Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose ${} \alpha' \la \Z_q {}$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c_0, c_1$, revealing $x_0, x_1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior. +Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose $\alpha' \la \Z_q$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c_0, c_1$, revealing $x_0, x_1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior. ### 1-out-of-$n$ OT Construction from ElGamal Encryption 
@@ -160,7 +159,7 @@ Let $m_1, \dots, m_n \in \mc{M}$ be the messages to send, and let $i$ be an inde Note that all ciphertexts $c_j$ were created from the same ephemeral key $\beta \in \Z_q$. -For correctness, we check that Bob indeed receives $m_i$ from the above protocol. Check that $u_i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u_i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c_i = E_S\big( H(g^\beta, u_i^\beta), m_i \big) = E_S\big( H(v, v^\alpha), m_i \big)$, the decryption gives ${} m_i {}$. +For correctness, we check that Bob indeed receives $m_i$ from the above protocol. Check that $u_i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u_i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c_i = E_S\big( H(g^\beta, u_i^\beta), m_i \big) = E_S\big( H(v, v^\alpha), m_i \big)$, the decryption gives $m_i$. Now is this oblivious? All that Alice sees is $u = g^\alpha v^{-i}$ from Bob. Since $\alpha \la \Z_q$, $u$ is uniformly distributed over elements of $G$. Alice learns no information about $i$. 
@@ -176,11 +175,11 @@ and by raising both to the $(j_1 - j_2)\inv$ power (inverse in $\Z_q$), he can c We can use an OT for computing a $2$-ary function with finite domain. -Let $f : X_1 \times X_2 \ra Y$ be a deterministic function with $X_1$, $X_2$ both finite. There are two parties ${} P_1, P_2 {}$ with inputs $x_1, x_2$, and they want to compute $f(x_1, x_2)$ without revealing their input. +Let $f : X_1 \times X_2 \ra Y$ be a deterministic function with $X_1$, $X_2$ both finite. There are two parties $P_1, P_2$ with inputs $x_1, x_2$, and they want to compute $f(x_1, x_2)$ without revealing their input. Then we can use $1$-out-of-$\abs{X_2}$ OT to securely compute $f(x_1, x_2)$. Without loss of generality, suppose that $P_1$ is the sender. -${} P_1$ computes $y_x =f(x_1, x)$ for all $x \in X_2$, resulting in $\abs{X_2}$ messages. Then $P_1$ performs 1-out-of-$\abs{X_2}$ OT with $P_2$. The value of $x_2$ will be used as the choice of $P_2$, which will be oblivious to $P_1$.[^2] +$P_1$ computes $y_x =f(x_1, x)$ for all $x \in X_2$, resulting in $\abs{X_2}$ messages. Then $P_1$ performs 1-out-of-$\abs{X_2}$ OT with $P_2$. The value of $x_2$ will be used as the choice of $P_2$, which will be oblivious to $P_1$.[^2] This method is inefficient, so we have better methods! diff --git a/_posts/Lecture Notes/Modern Cryptography/2023-11-14-garbled-circuits.md b/_posts/Lecture Notes/Modern Cryptography/2023-11-14-garbled-circuits.md index 0b3f856..a9caf6d 100644 --- a/_posts/Lecture Notes/Modern Cryptography/2023-11-14-garbled-circuits.md +++ b/_posts/Lecture Notes/Modern Cryptography/2023-11-14-garbled-circuits.md 
@@ -14,8 +14,7 @@ date: 2023-11-14 github_title: 2023-11-14-garbled-circuits --- - -A simple solution for two party computation would be to use oblivious transfers as noted [here](../2023-11-09-secure-mpc/#ot-for-computing-2-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation. +A simple solution for two party computation would be to use oblivious transfers as noted [here](./2023-11-09-secure-mpc.md#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation. The term **garbled circuit** was used by Beaver-Micali-Rogaway (BMR), presenting a multiparty protocol using a similar approach to Yao's protocol. @@ -42,7 +41,7 @@ Then we have the following garbled values, as in columns 1 to 3. Now, encrypt th |$A$|$B$|$C$|$C = \rm{AND}(A, B)$| |:-:|:-:|:-:|:-:| |$A_0$|$B_0$|$C_0$|$E(A_0 \parallel B_0, C_0)$| -|$A_0$|$B_1$|$C_0$|${} E(A_0 \parallel B_1, C_0) {}$| +|$A_0$|$B_1$|$C_0$|$E(A_0 \parallel B_1, C_0)$| |$A_1$|$B_0$|$C_0$|$E(A_1 \parallel B_0, C_0)$| |$A_1$|$B_1$|$C_1$|$E(A_1 \parallel B_1, C_1)$| diff --git a/_posts/Lecture Notes/Modern Cryptography/2023-11-16-gmw-protocol.md b/_posts/Lecture Notes/Modern Cryptography/2023-11-16-gmw-protocol.md index aa3acdb..5786e7a 100644 --- a/_posts/Lecture Notes/Modern Cryptography/2023-11-16-gmw-protocol.md +++ b/_posts/Lecture Notes/Modern Cryptography/2023-11-16-gmw-protocol.md 
@@ -18,8 +18,7 @@ attachment: folder: assets/img/posts/Lecture Notes/Modern Cryptography --- - -There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](../2023-11-14-garbled-circuits/#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](../2023-11-09-secure-mpc/#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient. +There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](./2023-11-14-garbled-circuits.md#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](./2023-11-09-secure-mpc.md#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient. ## GMW Protocol @@ -40,10 +39,10 @@ Suppose that we have $n$ parties $P_1, \dots, P_n$ with inputs $x_1, \dots, x_n > Each party $P_i$ shares its input with other parties as follows. > -> 1. Choose random ${} r_{i, j} \la \braces{0, 1} {}$ for all $j \neq i$ and send $r_{i, j}$ to $P_j$. -> 2. Set ${} r_{i, i} = x_i + \sum_{i \neq j} r_{i, j} {}$. +> 1. Choose random $r_{i, j} \la \braces{0, 1}$ for all $j \neq i$ and send $r_{i, j}$ to $P_j$. +> 2. Set $r_{i, i} = x_i + \sum_{i \neq j} r_{i, j}$. -Then we see that $x_i = \sum_{j = 1}^n r_{i, j} {}$. Each party has a **share** of $x_i$, which is $r_{i, j}$. We have a notation for this, +Then we see that $x_i = \sum_{j = 1}^n r_{i, j}$. Each party has a **share** of $x_i$, which is $r_{i, j}$. We have a notation for this, $$ [x_i] = (r_{i, 1}, \dots, r_{i, n}). 
@@ -59,7 +58,7 @@ Now, each party computes each gate using the shares received from other parties. #### Evaluating XOR Gates -Suppose we want to compute a share of ${} c = a + b {}$. Then, since +Suppose we want to compute a share of $c = a + b$. Then, since $$ [c] = [a] + [b], @@ -67,7 +66,7 @@ $$ each party can simply add all the input shares. -If ${} {} y = x_1 + \cdots + x_n {} {}$, then party $P_j$ will compute ${} y_j = \sum_{i=1}^n r_{i, j} {}$, which is a share of $y$, $[y] = (y_1, \dots, y_n)$. It can be checked that +If $y = x_1 + \cdots + x_n$, then party $P_j$ will compute $y_j = \sum_{i=1}^n r_{i, j}$, which is a share of $y$, $[y] = (y_1, \dots, y_n)$. It can be checked that $$ y = \sum_{j=1}^n y_j = \sum_{j=1}^n \sum_{i=1}^n r_{i, j}. @@ -148,7 +147,7 @@ Indeed, $z_1, z_2$ are shares of $z$.[^2] See also Exercise 23.5.[^3] Now, in the actual computation of AND gates, proceed as follows. -![mc-16-beaver-triple.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-16-beaver-triple.png) +![mc-16-beaver-triple.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-16-beaver-triple.png) > Each $P_i$ has a share of inputs $a_i, b_i$ and a Beaver triple $(x_i, y_i, z_i)$. > 1. Each $P_i$ computes $u_i = a_i + x_i$, $v_i = b_i + y_i$. 
@@ -187,13 +186,13 @@ $$ and $uv$ is public, so any party can include it in its share. -Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Essentially, they are *one-time pad* encryptions of $x_i$ and ${} y_i {}$ since $a_i, b_i$ were chosen randomly. No need for OTs during actual computation. +Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Essentially, they are *one-time pad* encryptions of $x_i$ and $y_i$ since $a_i, b_i$ were chosen randomly. No need for OTs during actual computation. ### Reusing Beaver Triples? -**Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and ${} u_1' = a_1' + x_1 {}$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$. +**Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and $u_1' = a_1' + x_1$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$. -Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](#ot-extension) described below. +Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](2023-11-16-gmw-protocol.md#ot-extension) described below. ## Comparison of Yao and GMW @@ -240,7 +239,7 @@ Q_i = \begin{cases} T_i & (s_i = 0) \\ \end{cases} $$ -**Now consider each row separately!** Let ${} A[k]$ be the $k$-th row of matrix $A$. +**Now consider each row separately!** Let $A[k]$ be the $k$-th row of matrix $A$. If $\sigma_j = 0$, the XOR operation in $T_i \oplus \sigma$ has no effect on the $j$-th element (row), so the $j$-th element of $T_i \oplus \sigma$ and $T_i$ are the same. Thus, we have $Q[j] = T[j]$. 
@@ -281,7 +280,7 @@ As for the receiver, the values $(x_j^0, x_j^1)$ are masked by a hash function, The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT. -One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](../2023-11-09-secure-mpc/#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data. +One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](./2023-11-09-secure-mpc.md#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data. Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing. diff --git a/_posts/Lecture Notes/Modern Cryptography/2023-11-23-bgv-scheme.md b/_posts/Lecture Notes/Modern Cryptography/2023-11-23-bgv-scheme.md index c20e651..558a463 100644 --- a/_posts/Lecture Notes/Modern Cryptography/2023-11-23-bgv-scheme.md +++ b/_posts/Lecture Notes/Modern Cryptography/2023-11-23-bgv-scheme.md @@ -139,7 +139,7 @@ $$ B\bf{u} = \sum_{i=1}^n \lfloor a_i \rceil \bf{b}_i. $$ -Then this ${} B\bf{u} \in L {}$ is pretty close to $\bf{t} \notin L$. +Then this $B\bf{u} \in L$ is pretty close to $\bf{t} \notin L$. ## Learning with Errors Problem (LWE) 
@@ -212,7 +212,7 @@ $$ Addition is easy! -> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of ${} m, m' \in \braces{0, 1} {}$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$. +> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$. *Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$. If @@ -343,7 +343,7 @@ Thus we use encryptions of $s_is_j$ by $\bf{s}$. If we have ciphertexts of $s_is > \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{w}_{i, j} \pmod q. > $$ -Note that the addition $+$ is the addition of two ${} (n+1) {}$-dimensional vectors. By plugging in $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$, we actually have +Note that the addition $+$ is the addition of two $(n+1)$-dimensional vectors. By plugging in $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$, we actually have $$ b_\rm{mul}^\ast = bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j} 
@@ -405,9 +405,9 @@ so instead of encryptions of $s_i s_j$, we use encryptions of $2^k s_i s_j$. For convenience, let $a_{i, j} = a_i a_j'$. Now we have triple indices including $k$. > **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following. -> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and ${} e_{i, j, k} \la D_\sigma {}$. -> - Compute ${} v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q {}$. -> - Output ${} \bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k}) {}$. +> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and $e_{i, j, k} \la D_\sigma$. +> - Compute $v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q$. +> - Output $\bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k})$. > > **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following. > @@ -424,7 +424,7 @@ b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_ \end{aligned} $$ -Since ${} v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}} = 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q {}$, the above expression further reduces to +Since $v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}} = 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q$, the above expression further reduces to $$ \begin{aligned} 
@@ -463,7 +463,7 @@ Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$, we reduce the modulus to $q' < q$ w In summary, $\bf{c}' \approx \bf{c} \cdot (q'/q)$, and $\bf{c}' = \bf{c} \pmod 2$ component-wise. -We check if the noise has been reduced, and decryption results in the same message $m$. Decryption of $\bf{c}'$ is done by $r' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$, so we must prove that ${} r' \approx r \cdot (q'/q) {}$ and $r' = r \pmod 2$. Then the noise is scaled down by $q'/q$ and the message is preserved. +We check if the noise has been reduced, and decryption results in the same message $m$. Decryption of $\bf{c}'$ is done by $r' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$, so we must prove that $r' \approx r \cdot (q'/q)$ and $r' = r \pmod 2$. Then the noise is scaled down by $q'/q$ and the message is preserved. Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = r + kq$. By the choice of $b'$ and $a_i'$, @@ -511,7 +511,7 @@ $$ N^{L+1} \ra N^L \ra \cdots \ra N. $$ -When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping). +When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](./2023-12-08-bootstrapping-ckks.md#bootstrapping). Note that without modulus switching, we need $q_L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q_L > N^{L+1}$. diff --git a/_posts/Lecture Notes/Modern Cryptography/2023-12-08-bootstrapping-ckks.md b/_posts/Lecture Notes/Modern Cryptography/2023-12-08-bootstrapping-ckks.md index 1ce377a..c23cc23 100644 --- a/_posts/Lecture Notes/Modern Cryptography/2023-12-08-bootstrapping-ckks.md +++ b/_posts/Lecture Notes/Modern Cryptography/2023-12-08-bootstrapping-ckks.md 
@@ -88,7 +88,7 @@ Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k} > > **Bootstrapping Key Generation** > - Choose a new secret key $\bf{s}' \in \braces{0, 1}^n$. -> - Generate *bootstrapping key* ${} BK = \braces{\bf{k}_i}_{i=1}^n {}$ where $\bf{k}_i = E(\bf{s}', s_i)$. +> - Generate *bootstrapping key* $BK = \braces{\bf{k}_i}_{i=1}^n$ where $\bf{k}_i = E(\bf{s}', s_i)$. > > **Bootstrapping** > - Generate a circuit representation $f : \braces{0, 1}^n \ra \braces{0, 1}$ of the decryption function $D(\cdot, \bf{c})$. @@ -116,7 +116,7 @@ Designing an FHE scheme without the circular security assumption is currently an ## CKKS Scheme -The [BGV scheme](../2023-11-23-bgv-scheme/#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation. +The [BGV scheme](./2023-11-23-bgv-scheme.md#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation. ### Approximate Computation @@ -208,7 +208,7 @@ so the decryption results in $\Delta\inv \cdot (\mu + \mu') \approx m + m'$. ### Multiplication in CKKS -We also use [tensor products](../2023-11-23-bgv-scheme/#tensor-product), and their properties. +We also use [tensor products](./2023-11-23-bgv-scheme.md#tensor-product), and their properties. > Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then, 
> @@ -243,14 +243,14 @@ We have issues with multiplication, as we did in BGV. ### Dimension Reduction -The relinearization procedure is almost the same as in [BGV relinearization](../2023-11-23-bgv-scheme/#relinearization). +The relinearization procedure is almost the same as in [BGV relinearization](./2023-11-23-bgv-scheme.md#relinearization). For convenience, let $a_{i, j} = a_i a_j'$. > **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following. -> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and ${} e_{i, j, k} \la D_\sigma {}$. -> - Compute ${} v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + e_{i, j, k} \pmod q {}$. -> - Output ${} \bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k}) {}$. +> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and $e_{i, j, k} \la D_\sigma$. +> - Compute $v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + e_{i, j, k} \pmod q$. +> - Output $\bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k})$. > > **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following. 
> @@ -287,7 +287,7 @@ Note that the proof is identical to that of BGV linearization, except for missin ### Scaling Factor Reduction -In BGV, we used modulus switching for [noise reduction](../2023-11-23-bgv-scheme/#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**. +In BGV, we used modulus switching for [noise reduction](./2023-11-23-bgv-scheme.md#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**. Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately. @@ -319,7 +319,7 @@ since $\epsilon = \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i$ is small. ### Modulus Chain -Using modulus switching, we can set ${} q_L = \Delta^{L+1} {}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q_{k-1} = q_k / \Delta$. +Using modulus switching, we can set $q_L = \Delta^{L+1}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q_{k-1} = q_k / \Delta$. Multiplication increases the scaling factor to $\Delta^2$, and then rescaling operation reduces the scaling factor back to $\Delta$. 
@@ -329,11 +329,11 @@ $$ \Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta. $$ -When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](#bootstrapping) here. +When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](2023-12-08-bootstrapping-ckks.md#bootstrapping) here. ### Multiplication in CKKS (Summary) -- Set up a modulus chain ${} q_k = \Delta^{k+1} {}$ for $k = 0, \dots, L$. +- Set up a modulus chain $q_k = \Delta^{k+1}$ for $k = 0, \dots, L$. - Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and **scaling factor** $\Delta$. - (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
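Review bot: In the GMW hunk `@@ -187,13 +186,13 @@`, the changed "Beaver triples are to be used only once!" line does not actually describe reuse of a triple: it takes two different triple values $a_1, a_1'$ with the same input $x_1$ and concludes that $a_1 + a_1'$ is revealed, but that is the sum of two independent random pads and says nothing about any input. Reuse means the same $a_1$ masks two inputs, $u_1 = a_1 + x_1$ and $u_1' = a_1 + x_1'$, so $u_1 + u_1' = x_1 + x_1'$ and the relation between the inputs leaks; since the line is already being edited, consider rewriting it as `If $u_1 = a_1 + x_1$ and $u_1' = a_1 + x_1'$, then $u_1 + u_1' = x_1 + x_1'$, revealing information about the inputs.` Also in this hunk, the new self-link `[OT extension](2023-11-16-gmw-protocol.md#ot-extension)` replaces a working in-page anchor with a file link to the same post and drops the `./` prefix that every other converted link in this patch uses; keep `#ot-extension` or use the `./` form.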
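Review bot: In the GMW hunk `@@ -281,7 +280,7 @@`, the changed line has two grammar problems that should be fixed in the same change: `One may concern that` should read `One may be concerned that`, and `But this of not much concern` is missing its verb (`But this is of not much concern`). The link rewrite on that line from `../2023-11-09-secure-mpc/#...` to `./2023-11-09-secure-mpc.md#...`, which is the same pattern used in the BGV and CKKS hunks of this patch, only renders correctly if the site rewrites `.md` links to post URLs (for example via jekyll-relative-links); if it does not, the published pages will point at non-existent `.md` paths, so this should be verified on a built site before merging.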
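Review bot: In the CKKS hunk `@@ -329,11 +329,11 @@`, the self-link `[bootstrapping](2023-12-08-bootstrapping-ckks.md#bootstrapping)` replaces a working in-page anchor `#bootstrapping` with a file link to the post itself and, unlike every other converted link in this patch, omits the `./` prefix. Keep `#bootstrapping`, or, if file links are wanted for consistency, use `./2023-12-08-bootstrapping-ckks.md#bootstrapping`.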