From bc9b2599a9f1518674a27e37b8e49e41e539bf59 Mon Sep 17 00:00:00 2001 From: Sungchan Yi Date: Wed, 25 Oct 2023 16:32:25 +0900 Subject: [PATCH] fix: links to other posts --- .../2023-09-26-cca-security-authenticated-encryption.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/Lecture Notes/Modern Cryptography/2023-09-26-cca-security-authenticated-encryption.md b/_posts/Lecture Notes/Modern Cryptography/2023-09-26-cca-security-authenticated-encryption.md index 6129013..fd541c0 100644 --- a/_posts/Lecture Notes/Modern Cryptography/2023-09-26-cca-security-authenticated-encryption.md +++ b/_posts/Lecture Notes/Modern Cryptography/2023-09-26-cca-security-authenticated-encryption.md @@ -53,7 +53,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks* None of the encryption schemes already seen thus far is CCA secure. -Recall a [CPA secure construction from PRF](2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$. +Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$. In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.
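Review bot: the replacement link `../2023-09-19-symmetric-key-encryption#secure-construction-from-prf` in the `@@ -53,7 +53,7 @@` hunk hard-codes the site's generated permalink layout (a sibling URL with no `.md` extension), so it will only resolve while both posts keep their current permalinks and the `_posts/Lecture Notes/Modern Cryptography/` directory layout, and nothing reports it if that changes. Since this is a Jekyll site (`_posts/`), consider the `post_url` Liquid tag instead, e.g. `[CPA secure construction from PRF]({% post_url 2023-09-19-symmetric-key-encryption %}#secure-construction-from-prf)`, which Jekyll resolves at build time and turns a dangling reference into a build error rather than a silent 404; the anchor fragment `#secure-construction-from-prf` is kept as in the hunk. The surrounding proof that the PRF construction is not CCA secure (recovering `F(k, r)` from the decryption of `(r, s')`) is untouched by this change, which matches the stated `1 insertion(+), 1 deletion(-)`.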