From c446506f4ab7abf566099a6f048103d5f8c2e977 Mon Sep 17 00:00:00 2001 From: Sungchan Yi Date: Tue, 12 Nov 2024 22:47:01 +0900 Subject: [PATCH] chore: fix all broken links --- .../2023-09-11-symmetric-key-cryptography-1.md | 4 ++-- .../internet-security/2023-10-04-rsa-elgamal.md | 2 +- .../2023-10-09-public-key-cryptography.md | 6 +++--- .../lecture-notes/internet-security/2023-10-18-tls.md | 6 +++--- .../2023-09-19-symmetric-key-encryption.md | 2 +- ...2023-09-26-cca-security-authenticated-encryption.md | 2 +- .../modern-cryptography/2023-09-28-hash-functions.md | 4 ++-- .../2023-10-19-public-key-encryption.md | 6 +++--- .../2023-10-26-digital-signatures.md | 10 +++++----- .../modern-cryptography/2023-11-07-sigma-protocols.md | 10 +++++----- .../modern-cryptography/2023-11-14-garbled-circuits.md | 2 +- .../modern-cryptography/2023-11-16-gmw-protocol.md | 6 +++--- .../modern-cryptography/2023-11-23-bgv-scheme.md | 2 +- .../2023-12-08-bootstrapping-ckks.md | 10 +++++----- 14 files changed, 36 insertions(+), 36 deletions(-) diff --git a/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md b/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md index 205295f..082576a 100644 --- a/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md +++ b/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md @@ -191,7 +191,7 @@ Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then ch - Encryption: $E(k, m) = k \oplus m$. - Decryption: $D(k, c) = k \oplus c$. -This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)). +This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)). ## Perfect Secrecy 
@@ -225,7 +225,7 @@ since for each $m$ and $c$, $k$ is determined uniquely. *Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$. -For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#shannon's-theorem). +For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#shannon's-theorem). ### Two-Time Pad is Insecure diff --git a/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md b/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md index d98d9f6..4c2387b 100644 --- a/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md +++ b/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md @@ -140,7 +140,7 @@ This is an inverse problem of exponentiation. The inverse of exponentials is log Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^*$, since if $g$ is the generator, a solution always exists. -Read more in [discrete logarithm problem (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#discrete-logarithm-problem-(dl)). +Read more in [discrete logarithm problem (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#discrete-logarithm-problem-(dl)). ## ElGamal Encryption diff --git a/_posts/lecture-notes/internet-security/2023-10-09-public-key-cryptography.md b/_posts/lecture-notes/internet-security/2023-10-09-public-key-cryptography.md index 2a066a4..bf893f3 100644 --- a/_posts/lecture-notes/internet-security/2023-10-09-public-key-cryptography.md +++ b/_posts/lecture-notes/internet-security/2023-10-09-public-key-cryptography.md 
@@ -15,7 +15,7 @@ date: 2023-10-09 github_title: 2023-10-09-public-key-cryptography --- -In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md). +In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange). ## Public Key Cryptography @@ -32,7 +32,7 @@ These keys are created to be used in **trapdoor one-way functions**. A **one-way function** is a function that is easy to compute, but hard to compute the pre-image of any output. Here are some common examples. -- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../modern-cryptography/2023-09-28-hash-functions.md#collision-resistance). +- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions/#collision-resistance). - *Factoring a large integer*: It is easy to multiply to integers even if they're large, but factoring is very hard. - *Discrete logarithm problem*: It is easy to exponentiate a number, but it is hard to find the discrete logarithm. @@ -87,7 +87,7 @@ Choose a large prime $p$ and a generator $g$ of $\mathbb{Z}_p^{ * }$. The descri > 3. Alice and Bob calculate $g^{xy} \bmod p$ separately. > 4. Eve can see $g^x \bmod p$, $g^y \bmod p$ but cannot calculate $g^{xy} \bmod p$. -Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#diffie-hellman-key-exchange-(dhke)). +Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#diffie-hellman-key-exchange-(dhke)). ## Message Integrity 
diff --git a/_posts/lecture-notes/internet-security/2023-10-18-tls.md b/_posts/lecture-notes/internet-security/2023-10-18-tls.md index 149fa6c..3bbf5c8 100644 --- a/_posts/lecture-notes/internet-security/2023-10-18-tls.md +++ b/_posts/lecture-notes/internet-security/2023-10-18-tls.md @@ -62,13 +62,13 @@ You can check if TLS is used on your browser. The address should begin with `htt ## CBC Padding Oracle Attack -Recall [CBC Mode (Internet Security)](./2023-09-18-symmetric-key-cryptography-2.md#cipher-block-chaining-mode-(cbc)) . +Recall [CBC Mode (Internet Security)](../2023-09-18-symmetric-key-cryptography-2/#cipher-block-chaining-mode-(cbc)) . Suppose that each block has $8$ bytes. If the message size is not a multiple of the block size, we pad the message. If we need to pad $b$ bytes, we pad $b$ bytes with $b$, encoded in binary. If the padding is not valid, the decryption algorithm outputs a *padding error* during the decryption process. The attacker can observe if a padding error has occurred, and use this information to recover the plaintext. -To defend this attack, we can use [encrypt-then-MAC (Modern Cryptography)](../modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md#encrypt-then-mac-(etm)), or hide the padding error. +To defend this attack, we can use [encrypt-then-MAC (Modern Cryptography)](../../modern-cryptography/2023-09-26-cca-security-authenticated-encryption/#encrypt-then-mac-(etm)), or hide the padding error. ### Attack in Detail 
@@ -114,7 +114,7 @@ $$ ## Hashed MAC (HMAC) -Let $H$ be a has function. We defined MAC as $H(k \parallel m)$ where $k$ is a key and $m$ is a message. This MAC is insecure if $H$ has [Merkle-Damgård construction](../modern-cryptography/2023-09-28-hash-functions.md#merkle-damgård-transform), since it is vulnerable to length extension attacks. See [prepending the key in MAC is insecure (Modern Cryptography)](../modern-cryptography/2023-09-28-hash-functions.md#prepending-the-key). +Let $H$ be a has function. We defined MAC as $H(k \parallel m)$ where $k$ is a key and $m$ is a message. This MAC is insecure if $H$ has [Merkle-Damgård construction](../../modern-cryptography/2023-09-28-hash-functions/#merkle-damgård-transform), since it is vulnerable to length extension attacks. See [prepending the key in MAC is insecure (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions/#prepending-the-key). Choose a key $k \leftarrow \mathcal{K}$, and set diff --git a/_posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md b/_posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md index 53ca65c..9514242 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md +++ b/_posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md @@ -128,7 +128,7 @@ We learned how to encrypt a single block. How do we encrypt longer messages with There are many ways of processing multiple blocks, this is called the **mode of operation**. -Additional explanation available in [Modes of Operations (Internet Security)](../internet-security/2023-09-18-symmetric-key-cryptography-2.md#modes-of-operations). +Additional explanation available in [Modes of Operations (Internet Security)](../../internet-security/2023-09-18-symmetric-key-cryptography-2/#modes-of-operations). ### Electronic Codebook Mode (ECB) 
diff --git a/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md b/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md index 7fb39e7..cc76120 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md +++ b/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md @@ -54,7 +54,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks* None of the encryption schemes already seen thus far is CCA secure. -Recall a [CPA secure construction from PRF](./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$. +Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption/#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$. In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure. diff --git a/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md b/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md index c248eca..af54d71 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md +++ b/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md 
@@ -150,7 +150,7 @@ See Joux's attack.[^2] Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives. -Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](./2023-10-03-key-exchange.md#collision-resistance-based-on-dl-problem). +Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange/#collision-resistance-based-on-dl-problem). ![mc-06-davies-meyer.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-davies-meyer.png) @@ -195,7 +195,7 @@ We needed a complicated construction for MACs that work on long messages. We mig Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$. -Recall that [we can construct a MAC scheme from a PRF](./2023-09-21-macs.md#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme. +Recall that [we can construct a MAC scheme from a PRF](../2023-09-21-macs/#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme. #### Prepending the Key diff --git a/_posts/lecture-notes/modern-cryptography/2023-10-19-public-key-encryption.md b/_posts/lecture-notes/modern-cryptography/2023-10-19-public-key-encryption.md index c47010e..4d29f4c 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-10-19-public-key-encryption.md +++ b/_posts/lecture-notes/modern-cryptography/2023-10-19-public-key-encryption.md 
@@ -69,7 +69,7 @@ Note that $pk$ is sent to the adversary, and adversary can encrypt any message! For symmetric ciphers, semantic security (one-time) did not guarantee CPA security (many-time). But in public key encryption, semantic security implies CPA security. This is because *the attacker can encrypt any message using the public key*. -First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](./2023-09-19-symmetric-key-encryption.md#cpa-security). +First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](../2023-09-19-symmetric-key-encryption/#cpa-security). > **Definition.** For a given public-key encryption scheme $\mc{E} = (G, E, D)$ defined over $(\mc{M}, \mc{C})$ and given an adversary $\mc{A}$, define experiments 0 and 1. > @@ -141,7 +141,7 @@ $$ ## CCA Security for Public Key Encryption -We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](./2023-09-26-cca-security-authenticated-encryption.md#cca-security). +We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](../2023-09-26-cca-security-authenticated-encryption/#cca-security). > **Definition.** Let $\mc{E} = (G, E, D)$ be a public-key encryption scheme over $(\mc{M}, \mc{C})$. Given an adversary $\mc{A}$, define experiments $0$ and $1$. 
> @@ -176,7 +176,7 @@ Similarly, 1CCA security implies CCA security, as in the above theorem. So to sh ### Active Adversaries in Symmetric vs Public Key -In symmetric key encryption, we studied [authenticated encryption (AE)](./2023-09-26-cca-security-authenticated-encryption.md#authenticated-encryption-(ae)), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA. +In symmetric key encryption, we studied [authenticated encryption (AE)](../2023-09-26-cca-security-authenticated-encryption/#authenticated-encryption-(ae)), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA. However in public-key schemes, adversaries can always create new ciphertexts using the public key, which makes the original definition of ciphertext integrity unusable. Thus we directly require CCA security. diff --git a/_posts/lecture-notes/modern-cryptography/2023-10-26-digital-signatures.md b/_posts/lecture-notes/modern-cryptography/2023-10-26-digital-signatures.md index c7e3f9c..1cce799 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-10-26-digital-signatures.md +++ b/_posts/lecture-notes/modern-cryptography/2023-10-26-digital-signatures.md @@ -55,7 +55,7 @@ $$ ## Secure Digital Signatures -The definition is similar to the [secure MAC](./2023-09-21-macs.md#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**. +The definition is similar to the [secure MAC](../2023-09-21-macs/#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**. ![mc-10-dsig-security.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-10-dsig-security.png) 
@@ -97,7 +97,7 @@ Any signature scheme can be made strongly binding by appending a collision resis ## Extending the Message Space -We can extend the message space of a secure digital signature scheme, [as we did for MACs](./2023-09-28-hash-functions.md#mac-domain-extension). Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$ and let $H : \mc{M}' \ra \mc{M}$ be a hash function with $\left\lvert \mc{M}' \right\lvert \geq \left\lvert \mc{M} \right\lvert$. +We can extend the message space of a secure digital signature scheme, [as we did for MACs](../2023-09-28-hash-functions/#mac-domain-extension). Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$ and let $H : \mc{M}' \ra \mc{M}$ be a hash function with $\left\lvert \mc{M}' \right\lvert \geq \left\lvert \mc{M} \right\lvert$. Define a new signature scheme $\mc{S}' = (G, S', V')$ over $(\mc{M}', \Sigma)$ as @@ -206,7 +206,7 @@ We must check a few things. - We can repeat this many times then the probability of reject is $1 - \frac{1}{q^n} \ra 1$. - Thus $q$ (the size of the challenge space) must be large. - **Zero-knowledge**: $V$ learns no information about $x$ from the conversation. - - This will be revisited later. See [here](./2023-11-07-sigma-protocols.md#the-schnorr-identification-protocol-revisited). + - This will be revisited later. See [here](../2023-11-07-sigma-protocols/#the-schnorr-identification-protocol-revisited). > **Theorem.** The Schnorr identification protocol is secure if the DL problem is hard, and the challenge space $\mc{C}$ is large. 
@@ -239,7 +239,7 @@ Schnorr's scheme was protected by a patent, so NIST opted for a ad-hoc signature How would you trust public keys? We introduce **digital certificates** for this. -Read in [public key infrastructure (Internet Security)](../internet-security/2023-10-16-pki.md). +Read in [public key infrastructure (Internet Security)](../../internet-security/2023-10-16-pki). [^1]: A Graduate Course in Applied Cryptography -[^2]: By using the [Fiat-Shamir transform](./2023-11-07-sigma-protocols.md#the-fiat-shamir-transform). +[^2]: By using the [Fiat-Shamir transform](../2023-11-07-sigma-protocols/#the-fiat-shamir-transform). diff --git a/_posts/lecture-notes/modern-cryptography/2023-11-07-sigma-protocols.md b/_posts/lecture-notes/modern-cryptography/2023-11-07-sigma-protocols.md index 7d77381..b7023e4 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-11-07-sigma-protocols.md +++ b/_posts/lecture-notes/modern-cryptography/2023-11-07-sigma-protocols.md @@ -19,7 +19,7 @@ attachment: folder: assets/img/posts/lecture-notes/modern-cryptography --- -The previous [3-coloring example](./2023-11-02-zkp-intro.md#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols. +The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols. ## Sigma Protocols 
@@ -105,7 +105,7 @@ Also note that **the simulator is free to generate the messages in any convenien ## The Schnorr Identification Protocol Revisited -The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](./2023-10-26-digital-signatures.md#the-schnorr-identification-protocol) for the full description. +The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](../2023-10-26-digital-signatures/#the-schnorr-identification-protocol) for the full description. ![mc-10-schnorr-identification.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-10-schnorr-identification.png) @@ -425,7 +425,7 @@ Omitted. Works... ### The Fiat-Shamir Signature Scheme -Now we understand why the [Schnorr signature scheme](./2023-10-26-digital-signatures.md#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes. +Now we understand why the [Schnorr signature scheme](../2023-10-26-digital-signatures/#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes. We need $3$ building blocks. 
@@ -450,7 +450,7 @@ If an adversary can come up with a forgery, then the underlying sigma protocol i $n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn the sum of the votes, but we want to keep the votes secret for each party. -We can use the [multiplicative ElGamal encryption](./2023-10-19-public-key-encryption.md#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$. +We can use the [multiplicative ElGamal encryption](../2023-10-19-public-key-encryption/#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$. Each voter encrypts the vote $b_i$ and the ciphertext is 
@@ -468,7 +468,7 @@ where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. N Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value. -To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](2023-11-07-sigma-protocols.md#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](2023-11-07-sigma-protocols.md#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs. +To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](../2023-11-07-sigma-protocols/#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](../2023-11-07-sigma-protocols/#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs. [^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*. [^2]: A Graduate Course in Applied Cryptography. diff --git a/_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md b/_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md index 2650d6e..356d746 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md +++ b/_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md 
@@ -15,7 +15,7 @@ date: 2023-11-14 github_title: 2023-11-14-garbled-circuits --- -A simple solution for two party computation would be to use oblivious transfers as noted [here](./2023-11-09-secure-mpc.md#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation. +A simple solution for two party computation would be to use oblivious transfers as noted [here](../2023-11-09-secure-mpc/#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation. The term **garbled circuit** was used by Beaver-Micali-Rogaway (BMR), presenting a multiparty protocol using a similar approach to Yao's protocol. diff --git a/_posts/lecture-notes/modern-cryptography/2023-11-16-gmw-protocol.md b/_posts/lecture-notes/modern-cryptography/2023-11-16-gmw-protocol.md index 066f975..2d45065 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-11-16-gmw-protocol.md +++ b/_posts/lecture-notes/modern-cryptography/2023-11-16-gmw-protocol.md 
@@ -19,7 +19,7 @@ attachment: folder: assets/img/posts/lecture-notes/modern-cryptography --- -There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](./2023-11-14-garbled-circuits.md#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](./2023-11-09-secure-mpc.md#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient. +There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](../2023-11-14-garbled-circuits/#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](../2023-11-09-secure-mpc/#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient. ## GMW Protocol @@ -193,7 +193,7 @@ Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Esse **Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and $u_1' = a_1' + x_1$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$. -Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](2023-11-16-gmw-protocol.md#ot-extension) described below. +Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](../2023-11-16-gmw-protocol/#ot-extension) described below. ## Comparison of Yao and GMW 
@@ -281,7 +281,7 @@ As for the receiver, the values $(x_j^0, x_j^1)$ are masked by a hash function, The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT. -One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](./2023-11-09-secure-mpc.md#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data. +One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](../2023-11-09-secure-mpc/#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data. Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing. diff --git a/_posts/lecture-notes/modern-cryptography/2023-11-23-bgv-scheme.md b/_posts/lecture-notes/modern-cryptography/2023-11-23-bgv-scheme.md index cce25db..05741aa 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-11-23-bgv-scheme.md +++ b/_posts/lecture-notes/modern-cryptography/2023-11-23-bgv-scheme.md 
@@ -512,7 +512,7 @@ $$ N^{L+1} \ra N^L \ra \cdots \ra N. $$ -When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](./2023-12-08-bootstrapping-ckks.md#bootstrapping). +When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping). Note that without modulus switching, we need $q_L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q_L > N^{L+1}$. diff --git a/_posts/lecture-notes/modern-cryptography/2023-12-08-bootstrapping-ckks.md b/_posts/lecture-notes/modern-cryptography/2023-12-08-bootstrapping-ckks.md index f387d20..0bcd9b1 100644 --- a/_posts/lecture-notes/modern-cryptography/2023-12-08-bootstrapping-ckks.md +++ b/_posts/lecture-notes/modern-cryptography/2023-12-08-bootstrapping-ckks.md @@ -117,7 +117,7 @@ Designing an FHE scheme without the circular security assumption is currently an ## CKKS Scheme -The [BGV scheme](./2023-11-23-bgv-scheme.md#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation. +The [BGV scheme](../2023-11-23-bgv-scheme/#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation. ### Approximate Computation 
@@ -209,7 +209,7 @@ so the decryption results in $\Delta\inv \cdot (\mu + \mu') \approx m + m'$. ### Multiplication in CKKS -We also use [tensor products](./2023-11-23-bgv-scheme.md#tensor-product), and their properties. +We also use [tensor products](../2023-11-23-bgv-scheme/#tensor-product), and their properties. > Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then, > @@ -244,7 +244,7 @@ We have issues with multiplication, as we did in BGV. ### Dimension Reduction -The relinearization procedure is almost the same as in [BGV relinearization](./2023-11-23-bgv-scheme.md#relinearization). +The relinearization procedure is almost the same as in [BGV relinearization](../2023-11-23-bgv-scheme/#relinearization). For convenience, let $a_{i, j} = a_i a_j'$. @@ -288,7 +288,7 @@ Note that the proof is identical to that of BGV linearization, except for missin ### Scaling Factor Reduction -In BGV, we used modulus switching for [noise reduction](./2023-11-23-bgv-scheme.md#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**. +In BGV, we used modulus switching for [noise reduction](../2023-11-23-bgv-scheme/#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**. Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately. 
@@ -330,7 +330,7 @@ $$ \Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta. $$ -When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](2023-12-08-bootstrapping-ckks.md#bootstrapping) here. +When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping) here. ### Multiplication in CKKS (Summary)
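Review bot: In internet-security/2023-09-11-symmetric-key-cryptography-1.md @@ -191, the rewritten fragment `#one-time-pad-(otp)` keeps parentheses, and the same pattern recurs in several other hunks (`#discrete-logarithm-problem-(dl)`, `#cipher-block-chaining-mode-(cbc)`, `#encrypt-then-mac-(etm)`, `#authenticated-encryption-(ae)`). Most static-site heading-id generators strip punctuation other than hyphens, so please confirm against the rendered page that the heading id really contains `(otp)`; if it does not, the link stays broken after this "fix all broken links" commit even though the path part is now correct.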
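Review bot: In internet-security/2023-09-11-symmetric-key-cryptography-1.md @@ -225, the new link still ends in `#shannon's-theorem`; an apostrophe inside a fragment is rarely preserved by auto-generated heading ids (the usual result is `shannons-theorem`), so this is likely still a dead anchor. Suggest checking the id in the generated HTML and updating the fragment in the same commit.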
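Review bot: In internet-security/2023-10-09-public-key-cryptography.md @@ -15, the new path `../../modern-cryptography/2023-10-03-key-exchange` is the one link in this patch that is rewritten without a trailing slash, while every other rewritten page link uses the `.../page/` form. On sites that serve pages as directories this typically costs a redirect or 404 depending on the server; suggest `../../modern-cryptography/2023-10-03-key-exchange/` for consistency.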
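Review bot: In internet-security/2023-10-18-tls.md @@ -62, the `+` line keeps a stray space before the full stop: `...#cipher-block-chaining-mode-(cbc)) .`. Since the line is already being rewritten, drop the space so it reads `(cbc)).`.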
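Review bot: In internet-security/2023-10-18-tls.md @@ -114, the `+` line carries the typo "Let $H$ be a has function" over from the old line. As the line is touched anyway, correct it to "hash function" here rather than in a later commit.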
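Review bot: In modern-cryptography/2023-10-26-digital-signatures.md @@ -239, `../../internet-security/2023-10-16-pki` is rewritten without the trailing slash used by the other page links in this patch; suggest `../../internet-security/2023-10-16-pki/` so all links resolve the same way.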
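Review bot: In modern-cryptography/2023-11-07-sigma-protocols.md @@ -468, both rewritten links point back into the same file (`../2023-11-07-sigma-protocols/#the-chaum-pedersen-protocol-for-dh-triples` and `../2023-11-07-sigma-protocols/#or-proof-construction`); a bare `#the-chaum-pedersen-protocol-for-dh-triples` / `#or-proof-construction` is shorter and will not break if the page path changes again. The same `+` line also has "either a encryption of", which should read "an encryption of".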
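Review bot: In modern-cryptography/2023-11-14-garbled-circuits.md @@ -15, only the path prefix changed while the fragment `#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain` is left as is. A URL fragment cannot contain a second `#`, and the `$` characters look like LaTeX leaking into the slug, so this link is still broken. Suggest replacing the fragment with the single generated id of the target heading (the "OT for computing 2-ary function with finite domain" section) after checking it in the rendered page.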
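Review bot: In modern-cryptography/2023-11-16-gmw-protocol.md @@ -193, the link `../2023-11-16-gmw-protocol/#ot-extension` targets the file being edited; a plain `#ot-extension` is sufficient and avoids a round trip through the page URL.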
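Review bot: In modern-cryptography/2023-11-16-gmw-protocol.md @@ -281, the rewritten `+` line preserves two grammatical slips from the old line: "One may concern that" should be "One may be concerned that", and "But this of not much concern" should be "But this is of not much concern". Worth fixing while the line is already in the diff.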
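Review bot: In modern-cryptography/2023-12-08-bootstrapping-ckks.md @@ -330, `../2023-12-08-bootstrapping-ckks/#bootstrapping` links to the same file; as with the gmw-protocol self-link, `#bootstrapping` alone is the simpler and more robust form.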