[PUBLISHER] upload files #154

* PUSH NOTE : You and Your Research, Richard Hamming.md

* PUSH NOTE : 18. Bootstrapping & CKKS.md

* PUSH NOTE : 17. BGV Scheme.md

* PUSH NOTE : 16. The GMW Protocol.md

* PUSH NOTE : 15. Garbled Circuits.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* PUSH NOTE : 13. Sigma Protocols.md

* PUSH NOTE : 05. Modular Arithmetic (2).md

* PUSH NOTE : 04. Modular Arithmetic (1).md

* PUSH NOTE : 02. Symmetric Key Cryptography (1).md

* PUSH NOTE : 랜덤 PS일지 (1).md
This commit is contained in:
2024-11-12 19:52:52 +09:00
committed by GitHub
parent 03f5dec26f
commit b426538413
11 changed files with 115 additions and 71 deletions

@@ -52,7 +52,7 @@ $$
중학교 시절 에이급 수학에서 $(3 + 2\sqrt{2})^5$의 정수부분을 구하라는 문제를 봤었는데 이 때 사용했던 아이디어가 켤레무리수를 생각하는 것이었다. 비슷한 아이디어를 2017학년도 서울대학교 공과대학 수시 일반 심층 면접에서도 $(2 + \sqrt{5})^n$이 나와 사용했었다. 그리고...
> **정리.** $\alpha = 3 + \sqrt{5}$, $\beta = 3 - \sqrt{5}$ 일 때, $\alpha^n + \beta^n \in \mathbb{N}$.[^2]
> **정리.** $\alpha = 3 + \sqrt{5}$, $\beta = 3 - \sqrt{5}$ 일 때, $\alpha^n + \beta^n \in \mathbb{N}$ for all $n \in \mathbb{N}$.[^2]
여기서 핵심은 $0 < \beta < 1$ 임을 이용하는 것이다. 따라서, $\alpha^n$ 정수부분은 $\alpha^n + \beta^n - 1$ 된다. 이제 $\alpha^n + \beta^n$ 구하면 된다. 근과 계수의 관계를 이용하면 수열 $s_n = \alpha^n + \beta^n$ 대한 귀납적 정의를 얻을 있다.
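Review bot: the quantifier added to the 정리 is in English ("for all $n \in \mathbb{N}$") inside an otherwise Korean sentence; write it as "모든 $n \in \mathbb{N}$에 대하여" so the statement reads in one language. The following paragraph silently uses $0 < \beta < 1 \Rightarrow 0 < \beta^n < 1$, which is exactly what makes $\alpha^n + \beta^n - 1$ the integer part of $\alpha^n$; one clause stating that step would connect the theorem to its use.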
@@ -87,5 +87,27 @@ $$
모든 가능한 프로그램의 후보를 얻었다면, 가장 짧은 것을 찾고 사전 순으로 제일 먼저 오는 것을 찾으면 된다. 사전 순 정렬의 경우 귀납적으로 생각하면 쉽게 구현할 수 있다. 앞에서부터 연산의 종류와 횟수를 비교하면 된다.
## 13174번
- [BOJ 13174](https://www.acmicpc.net/problem/13174): 괄호
어차피 palindrome이니 절반을 정해주면 나머지는 자동으로 결정된다. 그러므로 길이 $n$인 괄호 문자열의 임의의 prefix에 대해 `)`의 개수는 `(`의 개수를 넘을 수 없다.
이는 [Catalan's triangle](https://en.wikipedia.org/wiki/Catalan%27s_triangle)의 응용이다. $i$개의 `(`와 $n-i$개의 `)`로 길이 $n$인 괄호 문자열을 구성하고, $k$개의 색으로 칠한다고 했으니 정답은
$$
\sum_{i=\lceil n/2\rceil}^n C(i, n-i)\cdot k^i
$$
이다. 색칠하는 방법의 수가 $k^i$인 이유는 각 `)`가 짝이 되는 `(`와 색이 같아야 하므로 `(`의 색만 정하면 되기 때문이다.
계산에는
$$
C(n, k) = \frac{n-k+1}{n+1} {n+k \choose k}
$$
를 사용하면 된다.
[^1]: 원래 빠른 거듭제곱을 할 때는 $a^n = a \cdot (a^2)^{(n-1)/2}$ 으로 했던 것 같은데 이 경우에는 잘 안되므로...
[^2]: 증명은 귀납법. 이항정리를 써도 좋고, 수열의 귀납적 정의를 사용해도 좋다.
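Review bot: the lower summation index $\lceil n/2 \rceil$ in the new 13174 section is used without justification; it comes from $C(i, n-i)$ being defined only when $n - i \le i$ (the string cannot contain more `)` than `(`), and half a sentence saying so makes the formula self-contained. The closed form for $C(n, k)$ given after it divides by $n + 1$, so it cannot be evaluated directly in modular arithmetic; if the answer is reduced modulo some number, the division has to become multiplication by a modular inverse.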

@@ -98,5 +98,20 @@ Read the full text for the full context!
> I think it's very valuable to have first-class people around. \[...\] **I tried to go with people who had great ability so I could learn from them and who would expect great results out of me.**
---
## Summary By Claude 3 Sonnet
Here is a summary of the key points from the article "You and Your Research" by Richard Hamming:
- Hamming discusses what separates the great scientists who make significant contributions from the merely ordinary ones. He argues that great scientists possess certain key traits and approaches.
- Great scientists work on important problems rather than following the crowd. They have courage, ambition, and become emotionally invested in their work.
- Changing viewpoints and converting perceived negatives into positives is crucial. Luck favors the prepared mind that seizes opportunities.
- Other key ingredients include continuous learning, knowing oneself and managing weaknesses, having a drive to work hard, tolerating ambiguity, shifting focus periodically to stay creative, and great scientists carefully pick their associates.
- Presentation and selling ideas is extremely important, sometimes as much effort as the research itself. Having the courage to promote unorthodox ideas is vital.
- While talent plays a role, Hamming argues factors like attitude, work habits, self-awareness and motivation are equally or more important determinants of whether someone does truly great, impactful research.
The article crystallizes insights from Hamming's decades of observing what distinguishes elite scientists based on his experiences at Los Alamos and Bell Labs.
[^1]: *if you don't think it is going to lead to something important, why are you at \[...\] working on it?"*
[^2]: *What will be the impact of \[...\] on \[...\] and how can I change it?*
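Review bot: the fourth bullet of the added summary breaks its own parallel structure ("... tolerating ambiguity, shifting focus periodically to stay creative, and great scientists carefully pick their associates"); end it with "and carefully picking their associates" so every item is a gerund phrase like the others.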

@@ -185,7 +185,12 @@ The case for $C = 1$ is similar.
### One-Time Pad (OTP)
[1. OTP, Stream Ciphers and PRGs > One-Time Pad (OTP)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs#one-time-pad-otp)
Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then choose a *random* key $k \in \left\lbrace 0, 1 \right\rbrace^n$, and XOR $k$ and $m$.
- Encryption: $E(k, m) = k \oplus m$.
- Decryption: $D(k, c) = k \oplus c$.
This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../Modern%20Cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)).
## Perfect Secrecy
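Review bot: the new link line at the top of the OTP section and the "See also" link at the end of the section point at the same target (the one-time pad section of the modern cryptography notes) using two different path conventions, `../../modern-cryptography/...#one-time-pad-otp` without an extension and `../Modern%20Cryptography/....md#one-time-pad-(otp)` with one; at most one of them resolves on any given site layout, and the rest of this commit standardizes on `./file.md#anchor` relative links, so keep a single link in that style.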
@@ -219,6 +224,8 @@ since for each $m$ and $c$, $k$ is determined uniquely.
*Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.
For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../Modern%20Cryptography/2023-09-07-otp-stream-cipher-prgs.md#shannon's-theorem).
### Two-Time Pad is Insecure
It is not secure to use the same key twice. If for the key $k$ and two messages $m_1$, $m_2$,
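Review bot: the added anchor `#shannon's-theorem` contains an apostrophe, which most heading-slug generators strip, so the link will very likely land on the page but not the section; check the generated id (typically `#shannons-theorem`) and use that. In the proof sketch two lines above, "$m_0$ is not a decryption of some $c$" should say that for a fixed $c$ there is an $m_0$ that is not $D(k, c)$ for any key $k$, which is the step that uses $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.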
@@ -237,6 +244,7 @@ So some information is leaked, even though we cannot actually recover $m_i$ from
- Ex. RC4
- **Block cipher**: encrypt a block of bits at a time
- Can provide integrity or authentication.
- Block ciphers usually have feedback between blocks, so errors during transmission will be propagated during the decryption process.
- Ex. DES, AES
### Stream Cipher
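Review bot: the added bullet "Can provide integrity or authentication" attributes to block ciphers a property they do not have on their own; a block cipher is a keyed permutation and gives confidentiality, while integrity and authentication come from a construction built on it (a MAC such as CBC-MAC, or an authenticated mode). Suggest "Can be used to build integrity or authentication mechanisms (MACs, authenticated modes)". The neighbouring context line about error propagation is likewise a property of the mode of operation, not of the cipher.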
@@ -247,7 +255,7 @@ Stream cipher does not have perfect secrecy, since the key length is shorter tha
### Linear Feedback Shift Register (LFSR)
The seed can be used in a **linear feedback shift register** (LFSR) to generate the actual key for the stream cipher. There are $n$ stages (or states) and the generated key stream is periodic with period $2^n - 1$.
The seed can be used in a **linear feedback shift register** (LFSR) to generate the actual key for the stream cipher. There are $n$ stages (or states) and the generated key stream is periodic with maximal period $2^n - 1$.
The links between stages may be different. But in general, if one is given $2n$ output bits of LFSR, one can solve the $n$-stage LFSR.
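Review bot: "maximal period $2^n - 1$" is the right correction, but the sentence still reads as if every $n$-stage LFSR reaches it; the maximum is attained only when the feedback polynomial is primitive over $\mathrm{GF}(2)$, and a short clause saying so prevents the old reading. The following context line ("given $2n$ output bits ... one can solve the $n$-stage LFSR") is the reason LFSR output must not be used as a keystream directly, and could name the Berlekamp-Massey algorithm as the method.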
@@ -278,9 +286,10 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary
1. Compute CRC for the message
- CRC-32 polynomial is used
2. Compute the keystream from IV and the key
- $128$ bit input is given to the PRG
- IV is concatenated with the key.
- $128$ bit input is given to the key generation algorithm.
3. Now encrypt the plaintext with XOR.
- The IV is prepended to the ciphertext, since the receiver needs it to decrypt
- The IV is prepended to the ciphertext, since the receiver needs it to decrypt.
#### Decryption Process
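Review bot: replacing "PRG" with "key generation algorithm" in step 2 makes the line vaguer rather than more precise; what consumes the IV-concatenated-with-key input is the RC4 key-scheduling algorithm (KSA), whose state then drives the keystream generator, so name it as such. The "$128$ bit input" figure also only holds for the 104-bit-key variant ($24 + 104$); the original 40-bit-key WEP feeds $64$ bits, and the bullet should say which variant it describes.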
@@ -292,17 +301,17 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary
### Initialization Vector
- The IV is not encrypted, and carried in plaintext.
- IV is only $24$ bits, so around $16$ million.
- IV is only $24$ bits, so around $16$ million possible IVs.
- **IV must be different for every message transmitted.**
- 802.11 standard doesn't specify how IV is calculated.
- Usually increment by $1$ for each frame
- No restrictions on reusing the IV
- Usually increment by $1$ for each frame.
- No restrictions on reusing the IV.
#### IV Collision
- The key is fixed, and the period of IV is $2^{24}$
- The key is fixed, and the period of IV is $2^{24}$.
- Same IV leads to same key stream.
- So if the adversary takes two frames with same IV to obtain the XOR of two plaintext messages.
- So if the adversary takes two frames with the same IV to obtain the XOR of two plaintext messages.
- $c_1 \oplus c_2 = (p_1 \oplus k_s) \oplus (p_2 \oplus k_s) = p_1 \oplus p_2$
- Since network traffic contents are predictable, messages can be recovered.
- We are in the link layer, so HTTP, IP, TCP headers will be contained in the encrypted payload.
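Review bot: the reworded IV-collision bullet "So if the adversary takes two frames with the same IV to obtain the XOR of two plaintext messages." is still a sentence fragment (an "if" clause with no consequence); write it as "So an adversary who captures two frames with the same IV obtains the XOR of the two plaintexts:" so that the equation on the next bullet reads as its consequence.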
@@ -315,12 +324,13 @@ Given a bit string (defined in the specification), the sender performs long divi
### Message Modification
- CRC is actually a linear function.
- $\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y)$
- $\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y)$.
- The remainder of $x \oplus y$ is equal to the sum of the remainders of $x$ and $y$, since $\oplus$ is effectively an addition over $\mathbb{Z}_2$.
- CRC function doesn't have a key, so it is forgeable.
- **RC4 is transparent to XOR**, and messages can be modified.
- $c = k_s \oplus (m \parallel \mathrm{CRC}(m))$
- If we XOR $(x \parallel \mathrm{CRC}(x))$, where $x$ is some malicious message
- $c \oplus (x \parallel \mathrm{CRC}(x)) = k_s \oplus (m\oplus x \parallel \mathrm{CRC}(m\oplus x))$
- Let $c = k_s \oplus (m \parallel \mathrm{CRC}(m))$.
- If we XOR $(x \parallel \mathrm{CRC}(x))$, where $x$ is some malicious message.
- $c \oplus (x \parallel \mathrm{CRC}(x)) = k_s \oplus (m\oplus x \parallel \mathrm{CRC}(m\oplus x))$.
- The receiver will decrypt and get $(m\oplus x \parallel \mathrm{CRC}(m\oplus x))$.
- CRC check by the receiver will succeed.
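Review bot: the linearity identity $\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y)$, kept as-is apart from punctuation, holds for the bare polynomial remainder; the CRC-32 used by 802.11 starts from a nonzero register and complements the result, so strictly it is affine (the identity holds up to the CRC of an all-zero string of the same length). The section's conclusion, that an unkeyed checksum under an XOR-transparent stream cipher provides no integrity, is unaffected, but the bullet should state the affine form so the derivation that follows is exact. Also, "If we XOR $(x \parallel \mathrm{CRC}(x))$, where $x$ is some malicious message." is a fragment; merge it with the next bullet.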

@@ -9,6 +9,7 @@ tags:
- lecture-note
- security
- cryptography
- number-theory
title: 04. Modular Arithmetic (1)
date: 2023-09-25
github_title: 2023-09-25-modular-arithmetic-1
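Review bot: the `number-theory` tag is added to the front matter of 04. Modular Arithmetic (1) only; the companion note 05. Modular Arithmetic (2) is edited in the same commit and does not receive it, so add it there too for consistent tagging.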
@@ -169,7 +170,7 @@ The inverse exists if and only if $\gcd(a, n) = 1$.
> **Lemma**. For $n \geq 2$ and $a \in \mathbb{Z}$, its inverse $a^{-1} \in \mathbb{Z}_n$ exists if and only if $\gcd(a, n) = 1$.
*Proof*. We use the Extended Euclidean Algorithm. There exists $u, v \in \mathbb{Z}$ such that
*Proof*. We use the extended Euclidean algorithm. There exists $u, v \in \mathbb{Z}$ such that
$$
au + nv = \gcd(a, n).
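Review bot: the lowercase "extended Euclidean algorithm" is fine, but the same line keeps "There exists $u, v \in \mathbb{Z}$"; the subject is plural, so it should read "There exist $u, v \in \mathbb{Z}$".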

@@ -166,7 +166,7 @@ Now we can prove Euler's generalization.
> a^{\phi(n)} \equiv 1 \pmod n.
> $$
*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^\left\lvert \mathbb{Z}_n^{ * } \right\lvert = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^{\left\lvert \mathbb{Z}_n^{ * } \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
*Proof*. (Elementary) Set $f : \mathbb{Z}_n^* \rightarrow \mathbb{Z}_n^*$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
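Review bot: bracing the exponent fixes the rendering, but the delimiter pair is still `\left\lvert ... \right\lvert`; the closing bar should be `\right\rvert` (`\lvert` is an opening delimiter in amsmath), i.e. `a^{\left\lvert \mathbb{Z}_n^{ * } \right\rvert}`.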
@@ -195,7 +195,7 @@ $\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^*$ is a multiplicative gr
## Chinese Remainder Theorem (CRT)
> **Theorem.** Let $n_1, \dots, n_k$ integers greater than $1$, and let $N = n_1n_2\cdots n_k$. If $n_i$ are pairwise relatively prime, then the system of equations $x \equiv a_i \pmod {n_i}$ has a unique solution modulo $N$.
> **Theorem.** Let $n_1, \dots, n_k$ be integers greater than $1$, and let $N = n_1n_2\cdots n_k$. If $n_i$ are pairwise relatively prime, then the system of equations $x \equiv a_i \pmod {n_i}$ has a unique solution modulo $N$.
>
> *(Abstract Algebra)* The map
>
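Review bot: with "be" inserted the CRT statement parses, but the system "$x \equiv a_i \pmod{n_i}$" never says which $i$ it ranges over and $a_i$ is otherwise unintroduced; write "for given $a_1, \dots, a_k \in \mathbb{Z}$, the system $x \equiv a_i \pmod{n_i}$, $i = 1, \dots, k$, has a unique solution modulo $N$".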

@@ -18,8 +18,7 @@ attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols.
The previous [3-coloring example](./2023-11-02-zkp-intro.md#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols.
## Sigma Protocols
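Review bot: the re-linked sentence still carries the comma splice "There are efficient protocols for interactive proofs, we will study sigma protocols."; split it or use a semicolon ("... interactive proofs; we will study sigma protocols.").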
@@ -27,7 +26,7 @@ The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) c
> **Definition.** An **effective relation** is a binary relation $\mc{R} \subset \mc{X} \times \mc{Y}$, where $\mc{X}$, $\mc{Y}$, $\mc{R}$ are efficiently recognizable finite sets. Elements of $\mc{Y}$ are called **statements**. If $(x, y) \in \mc{R}$, then $x$ is called a **witness for** $y$.
![mc-13-sigma-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-sigma-protocol.png)
![mc-13-sigma-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-sigma-protocol.png)
> **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **sigma protocol** for $\mc{R}$ is a pair of algorithms $(P, V)$ satisfying the following.
>
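Review bot: switching the figure from the site-absolute `/assets/...` to `../../../assets/...` hard-codes the note's depth below the repository root; the same commit uses `../../modern-cryptography/` (two levels) for a cross-note link, so at least one of the two depths is wrong for this file. Verify the rendered page once, since the same `../../../` rewrite is applied to every figure in this file and the GMW note below.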
@@ -105,9 +104,9 @@ Also note that **the simulator is free to generate the messages in any convenien
## The Schnorr Identification Protocol Revisited
The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](../2023-10-26-digital-signatures/#the-schnorr-identification-protocol) for the full description.
The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](./2023-10-26-digital-signatures.md#the-schnorr-identification-protocol) for the full description.
![mc-10-schnorr-identification.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
![mc-10-schnorr-identification.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
> The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where
>
@@ -165,7 +164,7 @@ $$
goes as follows.
![mc-13-okamoto.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-okamoto.png)
![mc-13-okamoto.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-okamoto.png)
> 1. $P$ computes random $\alpha_t, \beta_t \la \bb{Z}_q$ and sends commitment $u_t \la g^{\alpha_t}h^{\beta_t}$ to $V$.
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
@@ -192,7 +191,7 @@ $$
goes as follows.
![mc-13-chaum-pedersen.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-chaum-pedersen.png)
![mc-13-chaum-pedersen.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-chaum-pedersen.png)
> 1. $P$ computes random $\beta_t \la \bb{Z}_q$ and sends commitment $v_t \la g^{\beta_t}$, $w_t \la u^{\beta_t}$ to $V$.
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
@@ -223,7 +222,7 @@ $$
goes as follows.
![mc-13-gq-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-gq-protocol.png)
![mc-13-gq-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-gq-protocol.png)
> 1. $P$ computes random $x_t \la \bb{Z}_n^{\ast}$ and sends commitment $y_t \la x_t^e$ to $V$.
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
@@ -279,7 +278,7 @@ If the challenge is known in advance, the prover can cheat. We exploit this fact
Suppose we are given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim}_0$ and $\rm{Sim}_1$.
We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on ${} \big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1) {}$ as
We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on $\big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1)$ as
$$
\mc{R}_\rm{OR} = \bigg\lbrace \big( (b, x), (y_0, y_1) \big): (x, y_b) \in \mc{R}_b\bigg\rbrace.
@@ -425,7 +424,7 @@ Omitted. Works...
### The Fiat-Shamir Signature Scheme
Now we understand why the [Schnorr signature scheme](../2023-10-26-digital-signatures/#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes.
Now we understand why the [Schnorr signature scheme](./2023-10-26-digital-signatures.md#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes.
We need $3$ building blocks.
@@ -450,7 +449,7 @@ If an adversary can come up with a forgery, then the underlying sigma protocol i
$n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn the sum of the votes, but we want to keep the votes secret for each party.
We can use the [multiplicative ElGamal encryption](../2023-10-19-public-key-encryption/#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$.
We can use the [multiplicative ElGamal encryption](./2023-10-19-public-key-encryption.md#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$.
Each voter encrypts the vote $b_i$ and the ciphertext is
@@ -468,7 +467,7 @@ where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. N
Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value.
To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](2023-11-07-sigma-protocols.md#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](2023-11-07-sigma-protocols.md#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
[^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*.
[^2]: A Graduate Course in Applied Cryptography.
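Review bot: "either a encryption of $b_i = 0$ or $1$" in the rewritten line should be "an encryption". The two anchors in that line were changed from same-page `#...` links to `2023-11-07-sigma-protocols.md#...`, which is this file, without the `./` prefix the rest of the commit uses; either keep the plain `#anchor` form for in-page references or use `./2023-11-07-sigma-protocols.md#...` consistently.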

@@ -14,7 +14,6 @@ date: 2023-11-09
github_title: 2023-11-09-secure-mpc
---
## Secure Multiparty Computation (MPC)
Suppose we have a function $f$ that takes $n$ inputs and produces $m$ outputs.
@@ -121,7 +120,7 @@ It is known that $k$-out-of-$n$ OT is constructible from 1-out-of-2 OTs.
> Suppose that the sender Alice has messages $x_0, x_1 \in \braces{0, 1}\conj$, and the receiver Bob has a choice $\sigma \in \braces{0, 1}$.
>
> 1. Bob chooses $sk = \alpha \la \Z_q$ and computes ${} h = g^\alpha {}$, and chooses $h' \la G$.
> 1. Bob chooses $sk = \alpha \la \Z_q$ and computes $h = g^\alpha$, and chooses $h' \la G$.
> 2. Bob sets $pk_\sigma = h$ and $pk_{1-\sigma} = h'$ and sends $(pk_0, pk_1)$ to Alice.
> 3. Alice encrypts each $x_i$ using $pk_i$, obtains two ciphertexts.
> - $\beta_0, \beta_1 \la \Z_q$.
@@ -142,7 +141,7 @@ The above works for **semi-honest** parties. To prevent malicious behavior, we f
>
> The remaining steps are the same, except that Alice checks if $pk_0 \cdot pk_1 = w$.
Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose ${} \alpha' \la \Z_q {}$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c_0, c_1$, revealing $x_0, x_1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior.
Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose $\alpha' \la \Z_q$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c_0, c_1$, revealing $x_0, x_1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior.
### 1-out-of-$n$ OT Construction from ElGamal Encryption
@@ -160,7 +159,7 @@ Let $m_1, \dots, m_n \in \mc{M}$ be the messages to send, and let $i$ be an inde
Note that all ciphertexts $c_j$ were created from the same ephemeral key $\beta \in \Z_q$.
For correctness, we check that Bob indeed receives $m_i$ from the above protocol. Check that $u_i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u_i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c_i = E_S\big( H(g^\beta, u_i^\beta), m_i \big) = E_S\big( H(v, v^\alpha), m_i \big)$, the decryption gives ${} m_i {}$.
For correctness, we check that Bob indeed receives $m_i$ from the above protocol. Check that $u_i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u_i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c_i = E_S\big( H(g^\beta, u_i^\beta), m_i \big) = E_S\big( H(v, v^\alpha), m_i \big)$, the decryption gives $m_i$.
Now is this oblivious? All that Alice sees is $u = g^\alpha v^{-i}$ from Bob. Since $\alpha \la \Z_q$, $u$ is uniformly distributed over elements of $G$. Alice learns no information about $i$.
@@ -176,11 +175,11 @@ and by raising both to the $(j_1 - j_2)\inv$ power (inverse in $\Z_q$), he can c
We can use an OT for computing a $2$-ary function with finite domain.
Let $f : X_1 \times X_2 \ra Y$ be a deterministic function with $X_1$, $X_2$ both finite. There are two parties ${} P_1, P_2 {}$ with inputs $x_1, x_2$, and they want to compute $f(x_1, x_2)$ without revealing their input.
Let $f : X_1 \times X_2 \ra Y$ be a deterministic function with $X_1$, $X_2$ both finite. There are two parties $P_1, P_2$ with inputs $x_1, x_2$, and they want to compute $f(x_1, x_2)$ without revealing their input.
Then we can use $1$-out-of-$\abs{X_2}$ OT to securely compute $f(x_1, x_2)$. Without loss of generality, suppose that $P_1$ is the sender.
${} P_1$ computes $y_x =f(x_1, x)$ for all $x \in X_2$, resulting in $\abs{X_2}$ messages. Then $P_1$ performs 1-out-of-$\abs{X_2}$ OT with $P_2$. The value of $x_2$ will be used as the choice of $P_2$, which will be oblivious to $P_1$.[^2]
$P_1$ computes $y_x =f(x_1, x)$ for all $x \in X_2$, resulting in $\abs{X_2}$ messages. Then $P_1$ performs 1-out-of-$\abs{X_2}$ OT with $P_2$. The value of $x_2$ will be used as the choice of $P_2$, which will be oblivious to $P_1$.[^2]
This method is inefficient, so we have better methods!

@@ -14,8 +14,7 @@ date: 2023-11-14
github_title: 2023-11-14-garbled-circuits
---
A simple solution for two party computation would be to use oblivious transfers as noted [here](../2023-11-09-secure-mpc/#ot-for-computing-2-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation.
A simple solution for two party computation would be to use oblivious transfers as noted [here](./2023-11-09-secure-mpc.md#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation.
The term **garbled circuit** was used by Beaver-Micali-Rogaway (BMR), presenting a multiparty protocol using a similar approach to Yao's protocol.
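Review bot: the rewritten link in the opening paragraph is broken: `./2023-11-09-secure-mpc.md#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain` contains two `#` fragments, a pasted page title and raw `$` signs, which looks like an editor autocompletion landing inside the anchor. The removed line shows the intended target, so it should be `./2023-11-09-secure-mpc.md#ot-for-computing-2-ary-function-with-finite-domain`.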
@@ -42,7 +41,7 @@ Then we have the following garbled values, as in columns 1 to 3. Now, encrypt th
|$A$|$B$|$C$|$C = \rm{AND}(A, B)$|
|:-:|:-:|:-:|:-:|
|$A_0$|$B_0$|$C_0$|$E(A_0 \parallel B_0, C_0)$|
|$A_0$|$B_1$|$C_0$|${} E(A_0 \parallel B_1, C_0) {}$|
|$A_0$|$B_1$|$C_0$|$E(A_0 \parallel B_1, C_0)$|
|$A_1$|$B_0$|$C_0$|$E(A_1 \parallel B_0, C_0)$|
|$A_1$|$B_1$|$C_1$|$E(A_1 \parallel B_1, C_1)$|

@@ -18,8 +18,7 @@ attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](../2023-11-14-garbled-circuits/#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](../2023-11-09-secure-mpc/#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient.
There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](./2023-11-14-garbled-circuits.md#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](./2023-11-09-secure-mpc.md#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient.
## GMW Protocol
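Review bot: the re-linked sentence keeps a number disagreement, "[Garbled circuits] were generic protocols, since it can be used to compute any boolean circuits"; make it "since they can be used to compute any boolean circuit".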
@@ -40,10 +39,10 @@ Suppose that we have $n$ parties $P_1, \dots, P_n$ with inputs $x_1, \dots, x_n
> Each party $P_i$ shares its input with other parties as follows.
>
> 1. Choose random ${} r_{i, j} \la \braces{0, 1} {}$ for all $j \neq i$ and send $r_{i, j}$ to $P_j$.
> 2. Set ${} r_{i, i} = x_i + \sum_{i \neq j} r_{i, j} {}$.
> 1. Choose random $r_{i, j} \la \braces{0, 1}$ for all $j \neq i$ and send $r_{i, j}$ to $P_j$.
> 2. Set $r_{i, i} = x_i + \sum_{i \neq j} r_{i, j}$.
Then we see that $x_i = \sum_{j = 1}^n r_{i, j} {}$. Each party has a **share** of $x_i$, which is $r_{i, j}$. We have a notation for this,
Then we see that $x_i = \sum_{j = 1}^n r_{i, j}$. Each party has a **share** of $x_i$, which is $r_{i, j}$. We have a notation for this,
$$
[x_i] = (r_{i, 1}, \dots, r_{i, n}).
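Review bot: in step 2 the sum is written $\sum_{i \neq j} r_{i, j}$ while the running index is $j$ (step 1 says "for all $j \neq i$"); write $\sum_{j \neq i} r_{i, j}$ so the index being summed is the one that varies. It would also help to say the sums are over $\{0, 1\}$ (XOR), since that is why $x_i = \sum_j r_{i, j}$ follows without a minus sign.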
@@ -59,7 +58,7 @@ Now, each party computes each gate using the shares received from other parties.
#### Evaluating XOR Gates
Suppose we want to compute a share of ${} c = a + b {}$. Then, since
Suppose we want to compute a share of $c = a + b$. Then, since
$$
[c] = [a] + [b],
@@ -67,7 +66,7 @@ $$
each party can simply add all the input shares.
If ${} {} y = x_1 + \cdots + x_n {} {}$, then party $P_j$ will compute ${} y_j = \sum_{i=1}^n r_{i, j} {}$, which is a share of $y$, $[y] = (y_1, \dots, y_n)$. It can be checked that
If $y = x_1 + \cdots + x_n$, then party $P_j$ will compute $y_j = \sum_{i=1}^n r_{i, j}$, which is a share of $y$, $[y] = (y_1, \dots, y_n)$. It can be checked that
$$
y = \sum_{j=1}^n y_j = \sum_{j=1}^n \sum_{i=1}^n r_{i, j}.
@@ -148,7 +147,7 @@ Indeed, $z_1, z_2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
Now, in the actual computation of AND gates, proceed as follows.
![mc-16-beaver-triple.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-16-beaver-triple.png)
![mc-16-beaver-triple.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-16-beaver-triple.png)
> Each $P_i$ has a share of inputs $a_i, b_i$ and a Beaver triple $(x_i, y_i, z_i)$.
> 1. Each $P_i$ computes $u_i = a_i + x_i$, $v_i = b_i + y_i$.
@@ -187,13 +186,13 @@ $$
and $uv$ is public, so any party can include it in its share.
Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Essentially, they are *one-time pad* encryptions of $x_i$ and ${} y_i {}$ since $a_i, b_i$ were chosen randomly. No need for OTs during actual computation.
Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Essentially, they are *one-time pad* encryptions of $x_i$ and $y_i$ since $a_i, b_i$ were chosen randomly. No need for OTs during actual computation.
### Reusing Beaver Triples?
**Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and ${} u_1' = a_1' + x_1 {}$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$.
**Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and $u_1' = a_1' + x_1$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$.
Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](#ot-extension) described below.
Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](2023-11-16-gmw-protocol.md#ot-extension) described below.
## Comparison of Yao and GMW
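Review bot: the cleaned-up line still says "$u_i, v_i$ does not reveal"; the subject is plural, so "do not reveal". Two lines later, "a huge amount of Beaver triples are shared" should be "a large number of Beaver triples is shared". The new `[OT extension](2023-11-16-gmw-protocol.md#ot-extension)` link targets this same file without the `./` prefix used elsewhere in the commit; a plain `#ot-extension` or `./2023-11-16-gmw-protocol.md#ot-extension` would be consistent.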
@@ -240,7 +239,7 @@ Q_i = \begin{cases} T_i & (s_i = 0) \\
\end{cases}
$$
**Now consider each row separately!** Let ${} A[k]$ be the $k$-th row of matrix $A$.
**Now consider each row separately!** Let $A[k]$ be the $k$-th row of matrix $A$.
If $\sigma_j = 0$, the XOR operation in $T_i \oplus \sigma$ has no effect on the $j$-th element (row), so the $j$-th element of $T_i \oplus \sigma$ and $T_i$ are the same. Thus, we have $Q[j] = T[j]$.
@@ -281,7 +280,7 @@ As for the receiver, the values $(x_j^0, x_j^1)$ are masked by a hash function,
The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT.
One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](../2023-11-09-secure-mpc/#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data.
One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](./2023-11-09-secure-mpc.md#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data.
Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing.
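Review bot: the re-linked paragraph carries two grammar slips, "One may concern that" (should be "One may be concerned that") and "But this of not much concern" (should be "But this is of little concern"); "$m$ bit data" should also be hyphenated as "$m$-bit data" to match the end of the sentence.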

@@ -139,7 +139,7 @@ $$
B\bf{u} = \sum_{i=1}^n \lfloor a_i \rceil \bf{b}_i.
$$
Then this ${} B\bf{u} \in L {}$ is pretty close to $\bf{t} \notin L$.
Then this $B\bf{u} \in L$ is pretty close to $\bf{t} \notin L$.
## Learning with Errors Problem (LWE)
@@ -212,7 +212,7 @@ $$
Addition is easy!
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of ${} m, m' \in \braces{0, 1} {}$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
*Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$. If
@@ -343,7 +343,7 @@ Thus we use encryptions of $s_is_j$ by $\bf{s}$. If we have ciphertexts of $s_is
> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{w}_{i, j} \pmod q.
> $$
Note that the addition $+$ is the addition of two ${} (n+1) {}$-dimensional vectors. By plugging in $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$, we actually have
Note that the addition $+$ is the addition of two $(n+1)$-dimensional vectors. By plugging in $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$, we actually have
$$
b_\rm{mul}^\ast = bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j}
@@ -405,9 +405,9 @@ so instead of encryptions of $s_i s_j$, we use encryptions of $2^k s_i s_j$.
For convenience, let $a_{i, j} = a_i a_j'$. Now we have triple indices including $k$.
> **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and ${} e_{i, j, k} \la D_\sigma {}$.
> - Compute ${} v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q {}$.
> - Output ${} \bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k}) {}$.
> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and $e_{i, j, k} \la D_\sigma$.
> - Compute $v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q$.
> - Output $\bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k})$.
>
> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
>
@@ -424,7 +424,7 @@ b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_
\end{aligned}
$$
Since ${} v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}} = 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q {}$, the above expression further reduces to
Since $v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}} = 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q$, the above expression further reduces to
$$
\begin{aligned}
@@ -463,7 +463,7 @@ Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$, we reduce the modulus to $q' < q$ w
In summary, $\bf{c}' \approx \bf{c} \cdot (q'/q)$, and $\bf{c}' = \bf{c} \pmod 2$ component-wise.
We check if the noise has been reduced, and decryption results in the same message $m$. Decryption of $\bf{c}'$ is done by $r' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$, so we must prove that ${} r' \approx r \cdot (q'/q) {}$ and $r' = r \pmod 2$. Then the noise is scaled down by $q'/q$ and the message is preserved.
We check if the noise has been reduced, and decryption results in the same message $m$. Decryption of $\bf{c}'$ is done by $r' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$, so we must prove that $r' \approx r \cdot (q'/q)$ and $r' = r \pmod 2$. Then the noise is scaled down by $q'/q$ and the message is preserved.
Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = r + kq$. By the choice of $b'$ and $a_i'$,
@@ -511,7 +511,7 @@ $$
N^{L+1} \ra N^L \ra \cdots \ra N.
$$
When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping).
When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](./2023-12-08-bootstrapping-ckks.md#bootstrapping).
Note that without modulus switching, we need $q_L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q_L > N^{L+1}$.
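Review bot: the new file-relative link `./2023-12-08-bootstrapping-ckks.md#bootstrapping` resolves when the notes are browsed as files in the repository but breaks on a generated site unless the generator rewrites `.md` links into its URL scheme (the old `../2023-12-08-bootstrapping-ckks/#bootstrapping` form was the site URL); confirm the publisher performs that rewrite before merging, and apply the same form to any remaining `../name/#anchor` links so the two styles do not coexist.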

View File

@@ -88,7 +88,7 @@ Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k}
>
> **Bootstrapping Key Generation**
> - Choose a new secret key $\bf{s}' \in \braces{0, 1}^n$.
> - Generate *bootstrapping key* ${} BK = \braces{\bf{k}_i}_{i=1}^n {}$ where $\bf{k}_i = E(\bf{s}', s_i)$.
> - Generate *bootstrapping key* $BK = \braces{\bf{k}_i}_{i=1}^n$ where $\bf{k}_i = E(\bf{s}', s_i)$.
>
> **Bootstrapping**
> - Generate a circuit representation $f : \braces{0, 1}^n \ra \braces{0, 1}$ of the decryption function $D(\cdot, \bf{c})$.
@@ -116,7 +116,7 @@ Designing an FHE scheme without the circular security assumption is currently an
## CKKS Scheme
The [BGV scheme](../2023-11-23-bgv-scheme/#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
The [BGV scheme](./2023-11-23-bgv-scheme.md#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
### Approximate Computation
@@ -208,7 +208,7 @@ so the decryption results in $\Delta\inv \cdot (\mu + \mu') \approx m + m'$.
### Multiplication in CKKS
We also use [tensor products](../2023-11-23-bgv-scheme/#tensor-product), and their properties.
We also use [tensor products](./2023-11-23-bgv-scheme.md#tensor-product), and their properties.
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then,
>
@@ -243,14 +243,14 @@ We have issues with multiplication, as we did in BGV.
### Dimension Reduction
The relinearization procedure is almost the same as in [BGV relinearization](../2023-11-23-bgv-scheme/#relinearization).
The relinearization procedure is almost the same as in [BGV relinearization](./2023-11-23-bgv-scheme.md#relinearization).
For convenience, let $a_{i, j} = a_i a_j'$.
> **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and ${} e_{i, j, k} \la D_\sigma {}$.
> - Compute ${} v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + e_{i, j, k} \pmod q {}$.
> - Output ${} \bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k}) {}$.
> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and $e_{i, j, k} \la D_\sigma$.
> - Compute $v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + e_{i, j, k} \pmod q$.
> - Output $\bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k})$.
>
> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
>
@@ -287,7 +287,7 @@ Note that the proof is identical to that of BGV linearization, except for missin
### Scaling Factor Reduction
In BGV, we used modulus switching for [noise reduction](../2023-11-23-bgv-scheme/#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**.
In BGV, we used modulus switching for [noise reduction](./2023-11-23-bgv-scheme.md#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**.
Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately.
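Review bot: while this line is being touched, "The message can have small numerical errors, we just want to reduce the scaling factor." is a comma splice; suggest "The message may pick up small numerical errors; here we only want to reduce the scaling factor." The link change itself matches the other hunks.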
@@ -319,7 +319,7 @@ since $\epsilon = \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i$ is small.
### Modulus Chain
Using modulus switching, we can set ${} q_L = \Delta^{L+1} {}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q_{k-1} = q_k / \Delta$.
Using modulus switching, we can set $q_L = \Delta^{L+1}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q_{k-1} = q_k / \Delta$.
Multiplication increases the scaling factor to $\Delta^2$, and then rescaling operation reduces the scaling factor back to $\Delta$.
@@ -329,11 +329,11 @@ $$
\Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta.
$$
When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](#bootstrapping) here.
When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](2023-12-08-bootstrapping-ckks.md#bootstrapping) here.
### Multiplication in CKKS (Summary)
- Set up a modulus chain ${} q_k = \Delta^{k+1} {}$ for $k = 0, \dots, L$.
- Set up a modulus chain $q_k = \Delta^{k+1}$ for $k = 0, \dots, L$.
- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and **scaling factor** $\Delta$.
- (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
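Review bot: the replaced link `[bootstrapping](2023-12-08-bootstrapping-ckks.md#bootstrapping)` lacks the `./` prefix that every other link rewritten in this commit uses, and since this hunk appears to sit in the same file that holds the bootstrapping section (see the `Bootstrapping Key Generation` context in the earlier hunk), the original same-page anchor `#bootstrapping` was already correct; either keep `#bootstrapping` or, if a full path is wanted, use `./2023-12-08-bootstrapping-ckks.md#bootstrapping` for consistency.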