fix: under review -> submitted

feat: upload missing file
fix: about as index
2025-12-06 14:53:50 +00:00 · 2025-11-25 18:37:03 +09:00 · 2025-11-20 17:43:40 +09:00 · 2025-11-20 17:42:27 +09:00 · 2025-11-20 14:31:21 +09:00 · 2025-10-14 12:50:36 +09:00
144 changed files with 4424 additions and 3287 deletions
--- a/.github/workflows/pages-deploy.yml
+++ b/.github/workflows/pages-deploy.yml
@@ -37,12 +37,12 @@ jobs:
      - name: Setup Pages
        id: pages
-        uses: actions/configure-pages@v3
+        uses: actions/configure-pages@v4
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: 3.2
+          ruby-version: 3.3
          bundler-cache: true
      - name: Build site
@@ -53,11 +53,12 @@ jobs:
      - name: Test site
        run: |
          bundle exec htmlproofer _site \
-            \-\-disable-external=true \
+            \-\-disable-external \
-            \-\-ignore-urls "/^http:\/\/127.0.0.1/,/^http:\/\/0.0.0.0/,/^http:\/\/localhost/"
+            \-\-ignore-urls "/^http:\/\/127.0.0.1/,/^http:\/\/0.0.0.0/,/^http:\/\/localhost/" \
            \-\-no-check-internal-hash
      - name: Upload site artifact
-        uses: actions/upload-pages-artifact@v1
+        uses: actions/upload-pages-artifact@v3
        with:
          path: "_site${{ steps.pages.outputs.base_path }}"
@@ -70,4 +71,4 @@ jobs:
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
-        uses: actions/deploy-pages@v2
+        uses: actions/deploy-pages@v4
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@ Gemfile.lock
 # Jekyll cache
 .jekyll-cache
 .jekyll-metadata
 _site
 # RubyGems
@@ -16,7 +17,11 @@ package-lock.json
 # IDE configurations
 .idea
-.vscode
+.vscode/*
 !.vscode/settings.json
 !.vscode/extensions.json
 !.vscode/tasks.json
 # Misc
 _sass/vendors
 assets/js/dist
--- a/15
+++ b/15
@@ -2,22 +2,13 @@
 source "https://rubygems.org"
-gem "jekyll-theme-chirpy", "~> 6.4", ">= 6.4.2"
+gem "jekyll-theme-chirpy", "~> 7.3", ">= 7.3.1"
-group :test do
+gem "html-proofer", "~> 5.0", group: :test
  gem "html-proofer", "~> 4.4"
 end
 # Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem
 # and associated library.
 platforms :mingw, :x64_mingw, :mswin, :jruby do
  gem "tzinfo", ">= 1", "< 3"
  gem "tzinfo-data"
 end
-# Performance-booster for watching directories on Windows
+gem "wdm", "~> 0.2.0", :platforms => [:mingw, :x64_mingw, :mswin]
 gem "wdm", "~> 0.1.1", :platforms => [:mingw, :x64_mingw, :mswin]
 # Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer versions of the gem
 # do not have a Java counterpart.
 gem "http_parser.rb", "~> 0.6.0", :platforms => [:jruby]
--- a/README.md
+++ b/README.md
@@ -1,10 +1,18 @@
-# Chirpy Starter [![Gem Version](https://img.shields.io/gem/v/jekyll-theme-chirpy)](https://rubygems.org/gems/jekyll-theme-chirpy) [![GitHub license](https://img.shields.io/github/license/cotes2020/chirpy-starter.svg?color=blue)][mit]
+# Chirpy Starter
-When installing the [**Chirpy**][chirpy] theme through [RubyGems.org][gem], Jekyll can only read files in the folders `/_data`, `/_layouts`, `/_includes`, `/_sass` and `/assets`, as well as a small part of options of the `/_config.yml` file from the theme's gem. If you have ever installed this theme gem, you can use the command `bundle info --path jekyll-theme-chirpy` to locate these files.
+[![Gem Version](https://img.shields.io/gem/v/jekyll-theme-chirpy)][gem]&nbsp;
 [![GitHub license](https://img.shields.io/github/license/cotes2020/chirpy-starter.svg?color=blue)][mit]
-The Jekyll team claims that this is to leave the ball in the user’s court, but this also results in users not being able to enjoy the out-of-the-box experience when using feature-rich themes.
+When installing the [**Chirpy**][chirpy] theme through [RubyGems.org][gem], Jekyll can only read files in the folders
 `_data`, `_layouts`, `_includes`, `_sass` and `assets`, as well as a small part of options of the `_config.yml` file
 from the theme's gem. If you have ever installed this theme gem, you can use the command
 `bundle info --path jekyll-theme-chirpy` to locate these files.
-To fully use all the features of **Chirpy**, you need to copy the other critical files from the theme's gem to your Jekyll site. The following is a list of targets:
+The Jekyll team claims that this is to leave the ball in the user’s court, but this also results in users not being
 able to enjoy the out-of-the-box experience when using feature-rich themes.
 To fully use all the features of **Chirpy**, you need to copy the other critical files from the theme's gem to your
 Jekyll site. The following is a list of targets:
 ```shell
 .
@@ -14,19 +22,22 @@ To fully use all the features of **Chirpy**, you need to copy the other critical
 └── index.html
 ```
-To save you time, and also in case you lose some files while copying, we extract those files/configurations of the latest version of the **Chirpy** theme and the [CD][CD] workflow to here, so that you can start writing in minutes.
+To save you time, and also in case you lose some files while copying, we extract those files/configurations of the
 latest version of the **Chirpy** theme and the [CD][CD] workflow to here, so that you can start writing in minutes.
 ## Prerequisites
-Follow the instructions in the [Jekyll Docs](https://jekyllrb.com/docs/installation/) to complete the installation of the basic environment. [Git](https://git-scm.com/) also needs to be installed.
+Follow the instructions in the [Jekyll Docs](https://jekyllrb.com/docs/installation/) to complete the installation of
 the basic environment. [Git](https://git-scm.com/) also needs to be installed.
 ## Installation
-Sign in to GitHub and [**use this template**][use-template] to generate a brand new repository and name it `USERNAME.github.io`, where `USERNAME` represents your GitHub username.
+Sign in to GitHub and [**use this template**][use-template] to generate a brand new repository and name it
 `USERNAME.github.io`, where `USERNAME` represents your GitHub username.
 Then clone it to your local machine and run:
-```
+```console
 $ bundle
 ```
@@ -34,6 +45,11 @@ $ bundle
 Please see the [theme's docs](https://github.com/cotes2020/jekyll-theme-chirpy#documentation).
 ## Contributing
 The contents of this repository are automatically updated when new releases are made to the [main repository][chirpy].  
 If you have problems using it, or would like to participate in improving it, please go to the main repository for feedback!
 ## License
 This work is published under [MIT][mit] License.
--- a/_config.yml
+++ b/_config.yml
@@ -3,10 +3,6 @@
 # Import the theme
 theme: jekyll-theme-chirpy
 # Change the following value to '/PROJECT_NAME' ONLY IF your site type is GitHub Pages Project sites
 # and doesn't have a custom domain.
 baseurl: ""
 # The language of the webpage › http://www.lingoes.net/en/translator/langcode.htm
 # If it has the same name as one of the files in folder `_data/locales`, the layout language will also be changed,
 # otherwise, the layout language will use the default value of 'en'.
@@ -20,14 +16,12 @@ timezone: Asia/Seoul
 title: Life Log # the main title
-tagline: >- # it will display as the sub-title
+tagline: Recording Life. # it will display as the sub-title
  Sungchan Yi.<br/>
  CSE & Math & Life
-description: >- # used by seo meta and the atom feed
+description: CSE & Math & Life # used by seo meta and the atom feed
  Recording Life.
-# fill in the protocol & hostname for your site, e.g., 'https://username.github.io'
+# Fill in the protocol & hostname for your site.
 # e.g. 'https://username.github.io', note that it does not end with a '/'.
 url: "https://log.zxcvber.com"
 github:
@@ -43,18 +37,42 @@ social:
  email: calofmijuck@snu.ac.kr # change to your email address
  links:
    # The first element serves as the copyright owner's link
    # - https://twitter.com/username # change to your twitter homepage
    - https://github.com/calofmijuck # change to your github homepage
    # Uncomment below to add more social links
    # - https://www.facebook.com/username
    # - https://www.linkedin.com/in/username
-google_site_verification: # fill in to your verification string
+# Site Verification Settings
 webmaster_verifications:
  google: # fill in your Google verification code
  bing: # fill in your Bing verification code
  alexa: # fill in your Alexa verification code
  yandex: # fill in your Yandex verification code
  baidu: # fill in your Baidu verification code
  facebook: # fill in your Facebook verification code
 # ↑ --------------------------
 # The end of `jekyll-seo-tag` settings
-google_analytics:
+# Web Analytics Settings
 analytics:
  google:
    id: # fill in your Google Analytics ID
  goatcounter:
    id: # fill in your GoatCounter ID
  umami:
    id: # fill in your Umami ID
    domain: # fill in your Umami domain
  matomo:
    id: # fill in your Matomo ID
    domain: # fill in your Matomo domain
  cloudflare:
    id: # fill in your Cloudflare Web Analytics token
 # Pageviews settings
 pageviews:
  provider: # now only supports 'goatcounter'
 # Prefer color scheme setting.
 #
@@ -67,24 +85,29 @@ google_analytics:
 #     light  - Use the light color scheme
 #     dark   - Use the dark color scheme
 #
-theme_mode: light
+theme_mode: light # [light | dark]
-# The CDN endpoint for images.
+# The CDN endpoint for media resources.
 # Notice that once it is assigned, the CDN url
-# will be added to all image (site avatar & posts' images) paths starting with '/'
+# will be added to all media resources (site avatar, posts' images, audio and video files) paths starting with '/'
 #
 # e.g. 'https://cdn.com'
-img_cdn:
+cdn: "https://blog.zxcvber.com"
 # the avatar on sidebar, support local or CORS resources
 avatar: assets/img/avatar.png
 # The URL of the site-wide social preview image used in SEO `og:image` meta tag.
 # It can be overridden by a customized `page.image` in front matter.
 social_preview_image: # string, local or CORS resources
 # boolean type, the global switch for TOC in posts.
 toc: true
 comments:
-  active: # The global switch for posts comments, e.g., 'disqus'.  Keep it empty means disable
+  # Global switch for the post comment system. Keeping it empty means disabled.
-  # The active options are as follows:
+  provider: # [disqus | utterances | giscus]
  # The provider options are as follows:
  disqus:
    shortname: # fill with the Disqus shortname. › https://help.disqus.com/en/articles/1717111-what-s-a-shortname
  # utterances settings › https://utteranc.es/
@@ -98,6 +121,7 @@ comments:
    category:
    category_id:
    mapping: # optional, default to 'pathname'
    strict: # optional, default to '0'
    input_position: # optional, default to 'bottom'
    lang: # optional, default to the value of `site.lang`
    reactions_enabled: # optional, default to the value of `1`
@@ -108,16 +132,27 @@ assets:
    enabled: # boolean, keep empty means false
    # specify the Jekyll environment, empty means both
    # only works if `assets.self_host.enabled` is 'true'
-    env: # [development|production]
+    env: production # [development | production]
 pwa:
-  enabled: true # the option for PWA feature
+  enabled: true # the option for PWA feature (installable)
  cache:
    enabled: true # the option for PWA offline cache
    # Paths defined here will be excluded from the PWA cache.
    # Usually its value is the `baseurl` of another website that
    # shares the same domain name as the current website.
    deny_paths:
      # - "/example"  # URLs match `<SITE_URL>/example/*` will not be cached by the PWA
 paginate: 10
 # The base URL of your site
 baseurl: ""
 # ------------ The following options are not recommended to be modified ------------------
 kramdown:
  footnote_backlink: "&#8617;&#xfe0e;"
  syntax_highlighter: rouge
  syntax_highlighter_opts: # Rouge Options › https://github.com/jneen/rouge#full-options
    css_class: highlight
@@ -183,9 +218,8 @@ exclude:
  - docs
  - tools
  - README.md
  - CHANGELOG.md
  - LICENSE
-  - rollup.config.js
+  - "*.config.js"
  - package*.json
 jekyll-archives:
--- a/_data/locales/en.yml
+++ b/_data/locales/en.yml
@@ -1,91 +1,5 @@
 # The layout text of site
 # ----- Commons label -----
 layout:
  post: Post
  category: Category
  tag: Tag
 # The tabs of sidebar
 tabs:
  # format: <filename_without_extension>: <value>
  home: Home
  categories: Categories
  tags: Tags
  archives: Archives
  about: About
 # the text displayed in the search bar & search results
 search:
  hint: search
  cancel: Cancel
  no_results: Oops! No results found.
 panel:
  lastmod: Recently Updated
  trending_tags: Trending Tags
  toc: Contents
 copyright:
  # Shown at the bottom of the post
  license:
    template: This post is licensed under :LICENSE_NAME by the author.
    name: CC BY 4.0
    link: https://creativecommons.org/licenses/by/4.0/
  # Displayed in the footer
  brief: All rights reserved.
  verbose: >-
    Except where otherwise noted, the blog posts on this site are licensed
    under the Creative Commons Attribution 4.0 International (CC BY 4.0) License by the author.
 meta: ""
 not_found:
  statment: Sorry, we've misplaced that URL or it's pointing to something that doesn't exist.
 notification:
  update_found: A new version of content is available.
  update: Update
 # ----- Posts related labels -----
 post:
  written_by: By
  posted: Posted
  updated: Updated
  words: words
  pageview_measure: views
  read_time:
    unit: min
    prompt: read
  relate_posts: Further Reading
  share: Share
  button:
    next: Newer
    previous: Older
    copy_code:
      succeed: Copied!
    share_link:
      title: Copy link
      succeed: Link copied successfully!
 # Date time format.
 # See: <http://strftime.net/>, <https://day.js.org/docs/en/display/format>
 df:
  post:
    strftime: "%b %e, %Y"
    dayjs: "ll"
  archives:
    strftime: "%b"
    dayjs: "MMM"
 # categories page
 categories:
  category_measure:
    singular: category
    plural: categories
  post_measure:
    singular: post
    plural: posts
--- a/_data/share.yml
+++ b/_data/share.yml
@@ -2,20 +2,37 @@
 #  Icons from <https://fontawesome.com/>
 platforms:
-  - type: Facebook
+  # - type: Twitter
-    icon: "fab fa-facebook-square"
+  #   icon: "fa-brands fa-square-x-twitter"
-    link: "https://www.facebook.com/sharer/sharer.php?title=TITLE&u=URL"
+  #   link: "https://twitter.com/intent/tweet?text=TITLE&url=URL"
-  - type: Twitter
+  # - type: Facebook
-    icon: "fa-brands fa-square-x-twitter"
+  #   icon: "fab fa-facebook-square"
-    link: "https://twitter.com/intent/tweet?text=TITLE&url=URL"
+  #   link: "https://www.facebook.com/sharer/sharer.php?title=TITLE&u=URL"
  # - type: Telegram
  #   icon: "fab fa-telegram"
  #   link: "https://t.me/share/url?url=URL&text=TITLE"
  # Uncomment below if you need to.
  #
-  # - type: Linkedin
+  - type: Linkedin
-  #   icon: "fab fa-linkedin"
+    icon: "fab fa-linkedin"
-  #   link: "https://www.linkedin.com/sharing/share-offsite/?url=URL"
+    link: "https://www.linkedin.com/sharing/share-offsite/?url=URL"
  #
  # - type: Weibo
  #   icon: "fab fa-weibo"
-  #   link: "http://service.weibo.com/share/share.php?title=TITLE&url=URL"
+  #   link: "https://service.weibo.com/share/share.php?title=TITLE&url=URL"
  #
  # - type: Mastodon
  #   icon: "fa-brands fa-mastodon"
  #   # See: https://github.com/justinribeiro/share-to-mastodon#properties
  #   instances:
  #     - label: mastodon.social
  #       link: "https://mastodon.social/"
  #     - label: mastodon.online
  #       link: "https://mastodon.online/"
  #     - label: fosstodon.org
  #       link: "https://fosstodon.org/"
  #     - label: photog.social
  #       link: "https://photog.social/"
--- a/_includes/js-selector.html
+++ b/_includes/js-selector.html
@@ -2,17 +2,10 @@
 <!-- commons -->
-{% assign urls = site.data.origin[type].jquery.js
+{% assign urls = site.data.origin[type].search.js %}
  | append: ','
  | append: site.data.origin[type].bootstrap.js
  | append: ','
  | append: site.data.origin[type].search.js
 %}
 <!-- layout specified -->
 {% assign js_dist = '/assets/js/dist/' %}
 {% if page.layout == 'post' or page.layout == 'page' or page.layout == 'home' %}
  {% assign urls = urls | append: ',' | append: site.data.origin[type]['lazy-polyfill'].js %}
@@ -20,7 +13,7 @@
    <!-- image lazy-loading & popup & clipboard -->
    {% assign urls = urls
      | append: ','
-      | append: site.data.origin[type]['magnific-popup'].js
+      | append: site.data.origin[type].glightbox.js
      | append: ','
      | append: site.data.origin[type].clipboard.js
    %}
@@ -33,7 +26,7 @@
  or page.layout == 'category'
  or page.layout == 'tag'
 %}
-  {% assign locale = site.lang | split: '-' | first %}
+  {% assign locale = include.lang | split: '-' | first %}
  {% assign urls = urls
    | append: ','
@@ -67,11 +60,13 @@
    {% assign js = 'commons' %}
 {% endcase %}
-{% capture script %}{{ js_dist }}{{ js }}.min.js{% endcapture %}
+{% capture script %}/assets/js/dist/{{ js }}.min.js{% endcapture %}
 <script defer src="{{ script | relative_url }}"></script>
 {% if page.math %}
  <!-- MathJax -->
  <script src="{{ '/assets/js/data/mathjax.js' | relative_url }}"></script>
  <script>
    /* see: <https://docs.mathjax.org/en/latest/options/input/tex.html#tex-options> */
    MathJax = {
@@ -89,7 +84,7 @@
        macros: {
          ds: "\\displaystyle",
-          // font styles
+          /* font styles */
          rm: ["\\mathrm{#1}", 1],
          mf: ["\\mathfrak{#1}", 1],
          mc: ["\\mathcal{#1}", 1],
@@ -142,13 +137,13 @@
          exists: "∃\\,",
          tilde: ["\\widetilde{#1}", 1],
-          hat: ["\\widehat{#1}", 1],
+          hat: ["\\widehat{#1}", 1]
        },
        tags: 'ams'
      }
    };
  </script>
-  <script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
+  <script async src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?features=es6"></script>
  <script id="MathJax-script" async src="{{ site.data.origin[type].mathjax.js | relative_url }}"></script>
 {% endif %}
@@ -166,10 +161,17 @@
  {% endif %}
 {% endif %}
 {% if page.mermaid %}
  {% include mermaid.html %}
 {% endif %}
 {% if jekyll.environment == 'production' %}
  <!-- PWA -->
  {% if site.pwa.enabled %}
-    <script defer src="{{ 'app.min.js' | prepend: js_dist | relative_url }}"></script>
+    <script
      defer
      src="{{ 'app.min.js' | relative_url }}?baseurl={{ site.baseurl | default: '' }}&register={{ site.pwa.cache.enabled }}"
    ></script>
  {% endif %}
  <!-- Web Analytics -->
--- a/_includes/post-summary.html
+++ b/_includes/post-summary.html
@@ -0,0 +1,39 @@
 {%- comment -%}
  Get the post's description or body content.
  Arguments:
    full_text: If true, return the full content. Default is false.
    max_length: The maximum length of the returned content. Default is 200.
 {%- endcomment -%}
 {%- if post.description and include.full_text != true -%}
  {{- post.description -}}
 {%- else -%}
  {%- comment -%} Remove the line numbers from the code snippet. {%- endcomment -%}
  {%- assign content = post.content -%}
  {%- if content contains '<td class="rouge-gutter gl"><pre class="lineno">' -%}
    {%- assign content = content
      | replace: '<td class="rouge-gutter gl"><pre class="lineno">',
        '<!-- <td class="rouge-gutter gl"><pre class="lineno">'
    -%}
    {%- assign content = content | replace: '</td><td class="rouge-code">', '</td> --><td class="rouge-code">' -%}
  {%- endif -%}
  {%- assign content = content
    | markdownify
    | strip_html
    | newline_to_br
    | replace: '<br />', ' '
    | strip_newlines
    | strip
  -%}
  {%- unless include.full_text -%}
    {%- assign max_length = include.max_length | default: 200 -%}
    {%- assign content = content | truncate: max_length -%}
  {%- endunless -%}
  {{- content -}}
 {%- endif -%}
--- a/_includes/sidebar.html
+++ b/_includes/sidebar.html
@@ -0,0 +1,97 @@
 <!-- The Side Bar -->
 <aside aria-label="Sidebar" id="sidebar" class="d-flex flex-column align-items-end">
  <header class="profile-wrapper">
    <a href="{{ '/' | relative_url }}" id="avatar" class="rounded-circle">
      {%- if site.avatar != empty and site.avatar -%}
        {%- capture avatar_url -%}
          {% include media-url.html src=site.avatar %}
        {%- endcapture -%}
        <img src="{{- avatar_url -}}" width="112" height="112" alt="avatar" onerror="this.style.display='none'">
      {%- endif -%}
    </a>
    <a class="site-title d-block" href="{{ '/' | relative_url }}">{{ site.title }}</a>
    <p class="site-subtitle fst-italic mb-0">{{ site.tagline }}</p>
  </header>
  <!-- .profile-wrapper -->
  <nav class="flex-column flex-grow-1 w-100 ps-0">
    <ul class="nav">
      {% for tab in site.tabs %}
        <li class="nav-item{% if tab.url == page.url %}{{ " active" }}{% endif %}">
          <a href="{{ tab.url | relative_url }}" class="nav-link">
            <i class="fa-fw {{ tab.icon }}"></i>
            {% capture tab_name %}{{ tab.url | split: '/' }}{% endcapture %}
            <span>{{ site.data.locales[include.lang].tabs.[tab_name] | default: tab.title | upcase }}</span>
          </a>
        </li>
        <!-- .nav-item -->
      {% endfor %}
    </ul>
  </nav>
  <div class="sidebar-bottom d-flex flex-wrap  align-items-center w-100">
    {% unless site.theme_mode %}
      <button type="button" class="btn btn-link nav-link" aria-label="Switch Mode" id="mode-toggle">
        <i class="fas fa-adjust"></i>
      </button>
      {% if site.data.contact.size > 0 %}
        <span class="icon-border"></span>
      {% endif %}
    {% endunless %}
    {% for entry in site.data.contact %}
      {%- assign url = null -%}
      {% case entry.type %}
        {% when 'github', 'twitter' %}
          {%- unless site[entry.type].username -%}
            {%- continue -%}
          {%- endunless -%}
          {%- capture url -%}
            https://{{ entry.type }}.com/{{ site[entry.type].username }}
          {%- endcapture -%}
        {% when 'email' %}
          {%- unless site.social.email -%}
            {%- continue -%}
          {%- endunless -%}
          {%- assign email = site.social.email | split: '@' -%}
          {%- capture url -%}
            javascript:location.href = 'mailto:' + ['{{ email[0] }}','{{ email[1] }}'].join('@')
          {%- endcapture -%}
        {% when 'rss' %}
          {% assign url = '/feed.xml' | relative_url %}
        {% else %}
          {% assign url = entry.url %}
      {% endcase %}
      {% if url %}
        <a
          href="{{ url }}"
          aria-label="{{ entry.type }}"
          {% assign link_types = '' %}
          {% unless entry.noblank %}
            target="_blank"
            {% assign link_types = 'noopener noreferrer' %}
          {% endunless %}
          {% if entry.type == 'mastodon' %}
            {% assign link_types = link_types | append: ' me' | strip %}
          {% endif %}
          {% unless link_types == empty %}
            rel="{{ link_types }}"
          {% endunless %}
        >
          <i class="{{ entry.icon }}"></i>
        </a>
      {% endif %}
    {% endfor %}
  </div>
  <!-- .sidebar-bottom -->
 </aside>
 <!-- #sidebar -->
--- a/_layouts/home.html
+++ b/_layouts/home.html
@@ -0,0 +1,150 @@
 ---
 layout: default
 ---
 {% include lang.html %}
 {% assign all_pinned = site.posts | where: 'pin', 'true' %}
 {% assign all_normal = site.posts | where_exp: 'item', 'item.pin != true and item.hidden != true' %}
 {% assign posts = '' | split: '' %}
 <!-- Pagination fallbacks -->
 {% assign per_page = paginator.per_page | default: site.paginate | default: 10 %}
 {% assign page_num = paginator.page | default: 1 %}
 <!-- Get pinned posts on current page -->
 {% assign visible_start = page_num | minus: 1 | times: per_page %}
 {% assign visible_end = visible_start | plus: per_page %}
 {% if all_pinned.size > visible_start %}
  {% if all_pinned.size > visible_end %}
    {% assign pinned_size = paginator.per_page %}
  {% else %}
    {% assign pinned_size = all_pinned.size | minus: visible_start %}
  {% endif %}
  {% for i in (visible_start..all_pinned.size) limit: pinned_size %}
    {% assign posts = posts | push: all_pinned[i] %}
  {% endfor %}
 {% else %}
  {% assign pinned_size = 0 %}
 {% endif %}
 <!-- Get normal posts on current page -->
 {% assign paginator_posts = paginator.posts | default: site.posts %}
 {% assign normal_size = paginator_posts | size | minus: pinned_size %}
 {% if normal_size > 0 %}
  {% if pinned_size > 0 %}
    {% assign normal_start = 0 %}
  {% else %}
    {% assign normal_start = visible_start | minus: all_pinned.size %}
  {% endif %}
  {% assign normal_end = normal_start | plus: normal_size | minus: 1 %}
  {% assign normal_end = 10 %}
  {% for i in (normal_start..normal_end) %}
    {% assign posts = posts | push: all_normal[i] %}
  {% endfor %}
 {% endif %}
 <div id="post-list" class="flex-grow-1 px-xl-1">
  {% for post in posts %}
    <article class="card-wrapper card">
      <a href="{{ post.url | relative_url }}" class="post-preview row g-0 flex-md-row-reverse">
        {% assign card_body_col = '12' %}
        {% if post.image %}
          {% assign src = post.image.path | default: post.image %}
          {% if post.media_subpath %}
            {% unless src contains '://' %}
              {% assign src = post.media_subpath
                | append: '/'
                | append: src
                | replace: '///', '/'
                | replace: '//', '/'
              %}
            {% endunless %}
          {% endif %}
          {% if post.image.lqip %}
            {% assign lqip = post.image.lqip %}
            {% if post.media_subpath %}
              {% unless lqip contains 'data:' %}
                {% assign lqip = post.media_subpath
                  | append: '/'
                  | append: lqip
                  | replace: '///', '/'
                  | replace: '//', '/'
                %}
              {% endunless %}
            {% endif %}
            {% assign lqip_attr = 'lqip="' | append: lqip | append: '"' %}
          {% endif %}
          {% assign alt = post.image.alt | xml_escape | default: 'Preview Image' %}
          <div class="col-md-5">
            <img src="{{ src }}" alt="{{ alt }}" {{ lqip_attr }}>
          </div>
          {% assign card_body_col = '7' %}
        {% endif %}
        <div class="col-md-{{ card_body_col }}">
          <div class="card-body d-flex flex-column">
            <h1 class="card-title my-2 mt-md-0">{{ post.title }}</h1>
            <div class="card-text content mt-0 mb-3">
              <p>{% include post-summary.html %}</p>
            </div>
            <div class="post-meta flex-grow-1 d-flex align-items-end">
              <div class="me-auto">
                <!-- posted date -->
                <i class="far fa-calendar fa-fw me-1"></i>
                {% include datetime.html date=post.date lang=lang %}
                <!-- categories -->
                {% if post.categories.size > 0 %}
                  <i class="far fa-folder-open fa-fw me-1"></i>
                  <span class="categories">
                    {% for category in post.categories %}
                      {{ category }}
                      {%- unless forloop.last -%},{%- endunless -%}
                    {% endfor %}
                  </span>
                {% endif %}
              </div>
              {% if post.pin %}
                <div class="pin ms-1">
                  <i class="fas fa-thumbtack fa-fw"></i>
                  <span>{{ site.data.locales[lang].post.pin_prompt }}</span>
                </div>
              {% endif %}
            </div>
            <!-- .post-meta -->
          </div>
          <!-- .card-body -->
        </div>
      </a>
    </article>
  {% endfor %}
 </div>
 <!-- #post-list -->
 {% assign total_pages = paginator.total_pages | default: 2 %}
 {% if total_pages > 1 and paginator %}
  {% include post-paginator.html %}
 {% endif %}
--- a/_layouts/post.html
+++ b/_layouts/post.html
@@ -1,18 +1,25 @@
 ---
-layout: page
+layout: default
 refactor: true
 panel_includes:
  - toc
 tail_includes:
  - related-posts
  - post-nav
-  - comments
+script_includes:
  - comment
 ---
 {% include lang.html %}
 {% include toc-status.html %}
 <article class="px-1" data-toc="{{ enable_toc }}">
  <header>
    <h1 data-toc-skip>{{ page.title }}</h1>
    {% if page.description %}
      <p class="post-desc fw-light mb-4">{{ page.description }}</p>
    {% endif %}
    <div class="post-meta text-muted">
      <!-- published date -->
@@ -21,6 +28,14 @@ tail_includes:
        {% include datetime.html date=page.date tooltip=true lang=lang %}
      </span>
      <!-- lastmod date -->
      {% if page.last_modified_at and page.last_modified_at != page.date %}
        <span>
          {{ site.data.locales[lang].post.updated }}
          {% include datetime.html date=page.last_modified_at tooltip=true lang=lang %}
        </span>
      {% endif %}
      <div class="d-flex justify-content-between">
        <!-- author(s) -->
        <span>
@@ -35,7 +50,11 @@ tail_includes:
          <em>
            {% if authors %}
              {% for author in authors %}
                {% if site.data.authors[author].url -%}
                  <a href="{{ site.data.authors[author].url }}">{{ site.data.authors[author].name }}</a>
                {%- else -%}
                  {{ site.data.authors[author].name }}
                {%- endif %}
                {% unless forloop.last %}{{ '</em>, <em>' }}{% endunless %}
              {% endfor %}
            {% else %}
@@ -44,14 +63,48 @@ tail_includes:
          </em>
        </span>
        <div>
          <!-- pageviews -->
          {% if site.pageviews.provider and site.analytics[site.pageviews.provider].id %}
            <span>
              <em id="pageviews">
                <i class="fas fa-spinner fa-spin small"></i>
              </em>
              {{ site.data.locales[lang].post.pageview_measure }}
            </span>
          {% endif %}
          <!-- read time -->
          {% include read-time.html content=content prompt=true lang=lang %}
        </div>
    <!-- .d-flex -->
      </div>
-  <!-- .post-meta -->
+    </div>
  </header>
  {% if enable_toc %}
    <div id="toc-bar" class="d-flex align-items-center justify-content-between invisible">
      <span class="label text-truncate">{{ page.title }}</span>
      <button type="button" class="toc-trigger btn me-1">
        <i class="fa-solid fa-list-ul fa-fw"></i>
      </button>
    </div>
    <button id="toc-solo-trigger" type="button" class="toc-trigger btn btn-outline-secondary btn-sm">
      <span class="label ps-2 pe-1">{{- site.data.locales[lang].panel.toc -}}</span>
      <i class="fa-solid fa-angle-right fa-fw"></i>
    </button>
    <dialog id="toc-popup" class="p-0">
      <div class="header d-flex flex-row align-items-center justify-content-between">
        <div class="label text-truncate py-2 ms-4">{{- page.title -}}</div>
        <button id="toc-popup-close" type="button" class="btn mx-1 my-1 opacity-75">
          <i class="fas fa-close"></i>
        </button>
      </div>
      <div id="toc-popup-content" class="px-4 py-3 pb-4"></div>
    </dialog>
  {% endif %}
  <div class="content">
    {{ content }}
  </div>
@@ -106,3 +159,4 @@ tail_includes:
    <!-- .post-tail-bottom -->
  </div>
  <!-- div.post-tail-wrapper -->
 </article>
--- a/_posts/Development/2024-02-26-secure-iam.md
+++ b/_posts/Development/2024-02-26-secure-iam.md
@@ -1,15 +1,49 @@
 ---
 share: true
 pin: true
 categories:
  - Development
 path: _posts/development
 tags:
  - AWS
  - dev
 title: Secure IAM on AWS with Multi-Account Strategy
 date: 2024-02-26
 github_title: 2024-02-26-secure-iam
 image: /assets/img/posts/development/separation-by-product.png
 attachment:
  folder: assets/img/posts/development
 ---
-B.S. Graduation Paper, Received Best Paper Award!
+![separation-by-product.png](../../assets/img/posts/development/separation-by-product.png)
- [Paper Link](https://zxcvber.com/secure-iam.pdf)
+2024\. 2. B.S. Graduation Paper, Received Best Paper Award!
 - [Secure IAM on AWS with Multi-Account Strategy (pdf)](https://zxcvber.com/files/secure-iam.pdf)
 - [Presentation Poster (pdf)](https://zxcvber.com/files/secure-iam-poster.pdf)
 ## Abstract
 Many recent IT companies use cloud services for deploying their products, mainly because of their convenience. As such, cloud assets have become a new attack surface, and the concept of cloud security has emerged. However, cloud security is not emphasized enough compared to on-premise security, resulting in many insecure cloud architectures. In particular, small organizations often don't have enough human resources to design a secure architecture, leaving them vulnerable to cloud security breaches.
 We suggest the multi-account strategy for securing the cloud architecture. This strategy cost-effectively improves security by separating assets and reducing management overheads on the cloud infrastructure. When implemented, it automatically provides access restriction within the boundary of an account and eliminates redundancies in policy management. Since access control is a critical objective for constructing secure architectures, this practical method successfully enhances security even in small companies.
 In this paper, we analyze the benefits of multi-accounts compared to single accounts and explain how to deploy multiple accounts effortlessly using the services provided by AWS. Then, we present possible design choices for multi-account structures with a concrete example. Finally, we illustrate two techniques for operational excellence on multi-account structures. We take an incremental approach to secure policy management with the principle of least privilege and introduce methods for auditing multiple accounts.
 **Keywords**: multi-account strategy, identity and access management, cloud security
 ## 국문초록
 **제목**: 다중 계정을 이용한 안전한 AWS 권한 관리
 최근 많은 IT 기업이 편리하게 자사 제품을 배포하기 위해 클라우드 서비스를 사용한다. 이에 따라 기업의 클라우드 자원은 새로운 공격 표면이 되었고, 클라우드 보안이라는 분야가 새롭게 대두되었다. 그러나 클라우드 보안은 기존의 온프레미스 보안에 비해 충분히 강조되지 못해 보안에 취약한 클라우드 아키텍처를 사용하는 경우가 많다. 특히 작은 조직의 경우 안전한 클라우드 아키텍처를 고안할 인력이 부족한 경우가 많아 클라우드에서 발생하는 보안 사고에 취약한 편이다.
 이 상황에서 보안을 손쉽게 강화하려면 다중 계정 환경을 적용하면 된다. 다중 계정 환경은 클라우드의 자원을 분리하고 관리 부하를 줄여 보안을 강화하는 전략으로, 노력 대비 큰 보안 향상을 준다. 이 전략을 적용하면 자동으로 접근 권한이 계정 범위 내로 제한되며, 정책 관리 시 발생하는 불필요한 중복이 제거된다. 안전한 아키텍처를 위해 권한 관리가 필수임을 고려한다면, 다중 계정 환경은 인력이 부족한 작은 조직에서도 적용할 수 있는 효과적인 보안 강화 방법이다.
 이 논문에서는 다중 계정 환경의 장점을 단일 계정 환경과 비교하여 분석하고, AWS가 제공하는 서비스를 이용해 다중 계정 환경을 손쉽게 구성하는 방법을 설명한다. 또한 다중 계정 구조의 구체적인 예시를 통해 계정 구조 설계 시 유의할 점들을 언급한다. 마지막으로 최소 권한 원칙의 점진적 도입을 통한 안전한 정책 관리 방법과 다중 계정의 감사 방법을 소개하여 다중 계정 구조에서 운영 효율성을 달성하는 방법을 설명한다.
 **주요어**: 다중 계정 환경, 권한 및 접근 제어, 클라우드 보안
 ## Acknowledgements
 Special thanks to Professor Chung-Kil Hur for advising my paper, and to Professor Yongsoo Song for his recommendation for the best paper award.
--- a/_posts/Development/Kubernetes/2021-02-28-01-introducing-k8s.md
+++ b/_posts/Development/Kubernetes/2021-02-28-01-introducing-k8s.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops, docker]
 title: "01. Introducing Kubernetes"
 date: "2021-02-28"
 github_title: "2021-02-28-01-introducing-k8s"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-01.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-01.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-01.jpeg](/assets/img/posts/Development/Kubernetes/k8s-01.jpeg) _Overview of Kubernetes Architecture (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-1)_
+![k8s-01.jpeg](/assets/img/posts/development/kubernetes/k8s-01.jpeg) _Overview of Kubernetes Architecture (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-1)_
 기존에는 소프트웨어가 커다란 덩어리였지만 최근에는 독립적으로 작동하는 작은 **마이크로서비스**(microservice)로 나뉘고 있다. 이들은 독립적으로 동작하기 때문에, 개발하고 배포하거나 스케일링을 따로 해줄 수 있다는 장점이 있으며, 이 장점은 빠르게 변화하는 소프트웨어의 요구사항을 반영하기에 적합하다.
--- a/_posts/Development/Kubernetes/2021-03-07-02-first-steps.md
+++ b/_posts/Development/Kubernetes/2021-03-07-02-first-steps.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops, docker]
 title: "02. First Steps with Docker and Kubernetes"
 date: "2021-03-07"
 github_title: "2021-03-07-02-first-steps"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-02.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-02.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-02.jpeg](/assets/img/posts/Development/Kubernetes/k8s-02.jpeg) _Running a container image in Kubernetes (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-2)_
+![k8s-02.jpeg](/assets/img/posts/development/kubernetes/k8s-02.jpeg) _Running a container image in Kubernetes (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-2)_
 도커와 쿠버네티스를 사용하여 간단한 애플리케이션을 배포해 보자!
--- a/_posts/Development/Kubernetes/2021-03-17-03-pods.md
+++ b/_posts/Development/Kubernetes/2021-03-17-03-pods.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "03. Pods: Running Containers in Kubernetes"
 date: "2021-03-17"
 github_title: "2021-03-17-03-pods"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-03.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-03.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-03.jpeg](/assets/img/posts/Development/Kubernetes/k8s-03.jpeg) _A container shouldn’t run multiple processes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-3)_
+![k8s-03.jpeg](/assets/img/posts/development/kubernetes/k8s-03.jpeg) _A container shouldn’t run multiple processes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-3)_
 다양한 쿠버네티스 오브젝트 (resources) 를 살펴보는 단원이다. 가장 기본이 되는 Pod 부터 시작한다. 이외의 모든 것들은 pod 를 관리하거나, pod 를 노출하거나, pod 에 의해 사용된다.
--- a/_posts/Development/Kubernetes/2021-03-21-04-replication-and-controllers.md
+++ b/_posts/Development/Kubernetes/2021-03-21-04-replication-and-controllers.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "04. Replication and Other Controllers: Deploying Managed Pods"
 date: "2021-03-21"
 github_title: "2021-03-21-04-replication-and-controllers"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-04.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-04.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-04.jpeg](/assets/img/posts/Development/Kubernetes/k8s-04.jpeg) _ReplicationController recreating pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-4)_
+![k8s-04.jpeg](/assets/img/posts/development/kubernetes/k8s-04.jpeg) _ReplicationController recreating pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-4)_
 3장에서는 pod 를 직접 관리하는 방법에 대해 살펴봤다. 하지만 실무에서는 pod 의 관리가 자동으로 되길 원한다. 이를 위해 ReplicationController 나 Deployment 를 사용한다.
--- a/_posts/Development/Kubernetes/2021-04-07-05-services.md
+++ b/_posts/Development/Kubernetes/2021-04-07-05-services.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "05. Services: Enabling Clients to Discover and Talk to Pods"
 date: "2021-04-07"
 github_title: "2021-04-07-05-services"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-05.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-05.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-05.jpeg](/assets/img/posts/Development/Kubernetes/k8s-05.jpeg) _Using `kubectl exec` to test out a connection to the service by running curl in one of the pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-5)_
+![k8s-05.jpeg](/assets/img/posts/development/kubernetes/k8s-05.jpeg) _Using `kubectl exec` to test out a connection to the service by running curl in one of the pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-5)_
 많은 앱들이 request (요청) 을 받아 서비스를 제공하는 형태인데, 이런 요청을 보내려면 IP 주소를 알아야 한다. 한편 Kubernetes 를 사용하게 되면 pod 의 IP 주소를 알아야 하는데, Kubernetes 의 pod 들은 굉장히 동적이므로 이들의 IP 주소를 알아낼 방법이 필요하다.
--- a/_posts/Development/Kubernetes/2021-04-07-06-volumes.md
+++ b/_posts/Development/Kubernetes/2021-04-07-06-volumes.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "06. Volumes: Attaching Disk Storage to Containers"
 date: "2021-04-07"
 github_title: "2021-04-07-06-volumes"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-06.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-06.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-06.jpeg](/assets/img/posts/Development/Kubernetes/k8s-06.jpeg) _The complete picture of dynamic provisioning of PersistentVolumes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-6)_
+![k8s-06.jpeg](/assets/img/posts/development/kubernetes/k8s-06.jpeg) _The complete picture of dynamic provisioning of PersistentVolumes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-6)_
 컨테이너가 재시작되면 기존 작업 내역이 모두 사라지게 될 수 있으므로, 컨테이너의 작업 내역을 저장하고 같은 pod 내의 다른 컨테이너가 함께 사용하는 저장 공간이다.
--- a/_posts/Development/Kubernetes/2021-04-18-07-configmaps-and-secrets.md
+++ b/_posts/Development/Kubernetes/2021-04-18-07-configmaps-and-secrets.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "07. ConfigMaps and Secrets: Configuring Applications"
 date: "2021-04-18"
 github_title: "2021-04-18-07-configmaps-and-secrets"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-07.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-07.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-07.jpeg](/assets/img/posts/Development/Kubernetes/k8s-07.jpeg) _Combining a ConfigMap and a Secret to run your fortune-https pod (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-7)_
+![k8s-07.jpeg](/assets/img/posts/development/kubernetes/k8s-07.jpeg) _Combining a ConfigMap and a Secret to run your fortune-https pod (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-7)_
 거의 대부분의 앱은 설정(configuration)이 필요하다. 개발 서버, 배포 서버의 설정 사항 (접속하려는 DB 서버 주소 등)이 다를 수도 있고, 클라우드 등에 접속하기 위한 access key 가 필요하거나, 데이터를 암호화하는 encryption key 도 설정해야하는 경우가 있다. 이러한 경우에 해당 값들을 도커 이미지 자체에 넣어버리면 보안 상 취약하고, 또 설정 사항을 변경하는 경우 이미지를 다시 빌드해야하는 등 불편함이 따른다.
--- a/_posts/Development/Kubernetes/2021-04-18-08-accessing-pod-metadata.md
+++ b/_posts/Development/Kubernetes/2021-04-18-08-accessing-pod-metadata.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "08. Accessing Pod Metadata and Other Resources from Applications"
 date: "2021-04-18"
 github_title: "2021-04-18-08-accessing-pod-metadata"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-08.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-08.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-08.jpeg](/assets/img/posts/Development/Kubernetes/k8s-08.jpeg) _Using the files from the default-token Secret to talk to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-8)_
+![k8s-08.jpeg](/assets/img/posts/development/kubernetes/k8s-08.jpeg) _Using the files from the default-token Secret to talk to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-8)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-04-30-09-deployments.md
+++ b/_posts/Development/Kubernetes/2021-04-30-09-deployments.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "09. Deployments: Updating Applications Declaratively"
 date: "2021-04-30"
 github_title: "2021-04-30-09-deployments"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-09.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-09.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-09.jpeg](/assets/img/posts/Development/Kubernetes/k8s-09.jpeg) _Rolling update of Deployments (출처: livebook.manning.com/book/kubernetes-in-action/chapter-9)_
+![k8s-09.jpeg](/assets/img/posts/development/kubernetes/k8s-09.jpeg) _Rolling update of Deployments (출처: livebook.manning.com/book/kubernetes-in-action/chapter-9)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-05-17-10-statefulsets.md
+++ b/_posts/Development/Kubernetes/2021-05-17-10-statefulsets.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "10. StatefulSets: Deploying Replicated Stateful Applications"
 date: "2021-05-17"
 github_title: "2021-05-17-10-statefulsets"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-10.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-10.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-10.jpeg](/assets/img/posts/Development/Kubernetes/k8s-10.jpeg) _A stateful pod may be rescheduled to a different node, but it retains the name, hostname, and storage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-10)_
+![k8s-10.jpeg](/assets/img/posts/development/kubernetes/k8s-10.jpeg) _A stateful pod may be rescheduled to a different node, but it retains the name, hostname, and storage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-10)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-05-30-11-k8s-internals.md
+++ b/_posts/Development/Kubernetes/2021-05-30-11-k8s-internals.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "11. Understanding Kubernetes Internals"
 date: "2021-05-30"
 github_title: "2021-05-30-11-k8s-internals"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-11.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-11.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-11.jpeg](/assets/img/posts/Development/Kubernetes/k8s-11.jpeg) _The chain of events that unfolds when a Deployment resource is posted to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-11)_
+![k8s-11.jpeg](/assets/img/posts/development/kubernetes/k8s-11.jpeg) _The chain of events that unfolds when a Deployment resource is posted to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-11)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-06-06-12-securing-k8s-api-server.md
+++ b/_posts/Development/Kubernetes/2021-06-06-12-securing-k8s-api-server.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "12. Securing the Kubernetes API Server"
 date: "2021-06-06"
 github_title: "2021-06-06-12-securing-k8s-api-server"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-12.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-12.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-12.jpeg](/assets/img/posts/Development/Kubernetes/k8s-12.jpeg) _Roles grant permissions, whereas RoleBindings bind Roles to subjects (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-12)_
+![k8s-12.jpeg](/assets/img/posts/development/kubernetes/k8s-12.jpeg) _Roles grant permissions, whereas RoleBindings bind Roles to subjects (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-12)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-06-29-13-securing-nodes-and-network.md
+++ b/_posts/Development/Kubernetes/2021-06-29-13-securing-nodes-and-network.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "13. Securing Cluster Nodes and the Network"
 date: "2021-06-29"
 github_title: "2021-06-29-13-securing-nodes-and-network"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-13.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-13.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-13.jpeg](/assets/img/posts/Development/Kubernetes/k8s-13.jpeg) _A pod with hostNetwork: true uses the node's network interfaces instead of its own. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-13)_
+![k8s-13.jpeg](/assets/img/posts/development/kubernetes/k8s-13.jpeg) _A pod with hostNetwork: true uses the node's network interfaces instead of its own. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-13)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-07-11-14-managing-computation-resources.md
+++ b/_posts/Development/Kubernetes/2021-07-11-14-managing-computation-resources.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "14. Managing Pods' Computational Resources"
 date: "2021-07-11"
 github_title: "2021-07-11-14-managing-computation-resources"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-14.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-14.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-14.jpeg](/assets/img/posts/Development/Kubernetes/k8s-14.jpeg) _The Scheduler only cares about requests, not actual usage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-14)_
+![k8s-14.jpeg](/assets/img/posts/development/kubernetes/k8s-14.jpeg) _The Scheduler only cares about requests, not actual usage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-14)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-07-18-15-autoscaling.md
+++ b/_posts/Development/Kubernetes/2021-07-18-15-autoscaling.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "15. Automatic Scaling of Pods and Cluster Nodes"
 date: "2021-07-18"
 github_title: "2021-07-18-15-autoscaling"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-15.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-15.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-15.jpeg](/assets/img/posts/Development/Kubernetes/k8s-15.jpeg) _How the autoscaler obtains metrics and rescales the target deployment (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-15)_
+![k8s-15.jpeg](/assets/img/posts/development/kubernetes/k8s-15.jpeg) _How the autoscaler obtains metrics and rescales the target deployment (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-15)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-08-15-16-advanced-scheduling.md
+++ b/_posts/Development/Kubernetes/2021-08-15-16-advanced-scheduling.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "16. Advanced Scheduling"
 date: "2021-08-15"
 github_title: "2021-08-15-16-advanced-scheduling"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-16.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-16.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-16.jpeg](/assets/img/posts/Development/Kubernetes/k8s-16.jpeg) _A pod is only scheduled to a node if it tolerates the node’s taints. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-16)_
+![k8s-16.jpeg](/assets/img/posts/development/kubernetes/k8s-16.jpeg) _A pod is only scheduled to a node if it tolerates the node’s taints. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-16)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-08-15-17-best-practices.md
+++ b/_posts/Development/Kubernetes/2021-08-15-17-best-practices.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "17. Best Practices for Developing Apps"
 date: "2021-08-15"
 github_title: "2021-08-15-17-best-practices"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-17.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-17.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-17.jpeg](/assets/img/posts/Development/Kubernetes/k8s-17.jpeg) _Resources in a typical application (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-17)_
+![k8s-17.jpeg](/assets/img/posts/development/kubernetes/k8s-17.jpeg) _Resources in a typical application (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-17)_
 ### 주요 내용
--- a/_posts/Development/Kubernetes/2021-09-04-18-extending-k8s.md
+++ b/_posts/Development/Kubernetes/2021-09-04-18-extending-k8s.md
@@ -2,17 +2,18 @@
 share: true
 toc: true
 categories: [Development, Kubernetes]
 path: "_posts/development/kubernetes"
 tags: [kubernetes, sre, devops]
 title: "18. Extending Kubernetes"
 date: "2021-09-04"
 github_title: "2021-09-04-18-extending-k8s"
 image:
-  path: /assets/img/posts/Development/Kubernetes/k8s-18.jpeg
+  path: /assets/img/posts/development/kubernetes/k8s-18.jpeg
 attachment:
-  folder: assets/img/posts/Development/Kubernetes
+  folder: assets/img/posts/development/kubernetes
 ---
-![k8s-18.jpeg](/assets/img/posts/Development/Kubernetes/k8s-18.jpeg) _API Server Aggregation (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-18)_
+![k8s-18.jpeg](/assets/img/posts/development/kubernetes/k8s-18.jpeg) _API Server Aggregation (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-18)_
 ### 주요 내용
--- a/_posts/Development/web/2023-06-25-blog-moving.md
+++ b/_posts/Development/web/2023-06-25-blog-moving.md
@@ -1,16 +1,21 @@
 ---
 share: true
 toc: true
-categories: [Development, Web]
+categories:
-tags: [development, web]
+  - Development
-title: "블로그 이주 이야기"
+  - Web
-date: "2023-06-25"
+path: _posts/development/web
-github_title: "2023-06-25-blog-moving"
+tags:
  - development
  - web
 title: 블로그 이주 이야기
 date: 2023-06-25
 github_title: 2023-06-25-blog-moving
 image:
  path: /assets/img/posts/blog-logo.png
 ---
-![blog-logo.png](/assets/img/posts/blog-logo.png) _New blog logo_
+![blog-logo.png](../../../assets/img/posts/blog-logo.png) _New blog logo_
 오래 전, Github Pages가 불편하다는 이유로 티스토리로 옮겼었다.
 근데 어쩌다 보니 결국 다시 돌아오게 되었다.
@@ -65,7 +70,7 @@ image:
 Obsidian을 Github과 연동하기 위해 [Obsidian Github Publisher](https://github.com/ObsidianPublisher/obsidian-github-publisher) 플러그인을 사용할 수 있다.
-![github-publisher.png](/assets/img/posts/github-publisher.png){: .shadow } _플러그인 설정 화면: 어느 폴더에 어떤 이름으로 파일을 업로드할지 설정할 수 있다._
+![github-publisher.png](../../../assets/img/posts/github-publisher.png){: .shadow } _플러그인 설정 화면: 어느 폴더에 어떤 이름으로 파일을 업로드할지 설정할 수 있다._
 이 플러그인을 사용하면 Obsidian의 문서 중에서 `share: true` 로 마킹된 문서들을 레포에 저장할 수 있게 된다. 그렇다면 블로그 글을 Obsidian에서 작성하고, 플러그인을 이용해 레포에 push하게 되면, 자동으로 빌드/배포가 이뤄져서 블로그에 반영되는 것을 확인할 수 있을 것이다.
--- a/Cryptography/2023-11-09-secure-mpc.md
+++ b/Cryptography/2023-11-09-secure-mpc.md
@@ -1,188 +0,0 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 14. Secure Multiparty Computation
 date: 2023-11-09
 github_title: 2023-11-09-secure-mpc
 ---
 ## Secure Multiparty Computation (MPC)
 Suppose we have a function $f$ that takes $n$ inputs and produces $m$ outputs.
 $$
 (y_1, \dots, y_m) = f(x_1, \dots, x_n).
 $$
 $N$ parties $P_1, \dots, P_N$ are trying to evaluate this function with a protocol. Each $x_i$ is submitted by one of the parties, and each output $y_j$ will be given to one or more parties.
 In **secure multiparty computation** (MPC), we wish to achieve some security functionalities.
 - **Privacy**: no party learns anything about any other party's inputs, except for the information in the output.
 - **Soundness**: honest parties compute correct outputs.
 - **Input independence**: all parties must choose their inputs independently of other parties' inputs.
 Security must hold even if there is any adversarial behavior in the party.
 ### Example: Secure Summation
 Suppose we have $n$ parties $P_1, \dots, P_n$ with private values $x_1, \dots, x_n$. We would like to *securely* compute the sum $s = x_1 + \cdots + x_n$.
 > 1. Choose $M$ large enough so that $M > s$.
 > 2. $P_1$ samples $r \la \Z_M$ and computes $s_1 = r + x_1 \pmod M$ and sends it to $P_2$.
 > 3. In the same manner, $P_i$ computes $s_i = s_{i-1} + x_i \pmod M$ and sends it to $P_{i+1}$.
 > 4. As the final step, $s_n$ is returned to $P_1$, where he outputs $s = s_n - r \pmod M$.
 This protocol seems secure since $r$ is a random noise added to the actual partial sum. But the security actually depends on how we model adversarial behavior.
 Consider the case where parties $P_2$ and $P_4$ team up (collusion). These two can share information between them. They have the following:
 - $P_2$ has $s_1$, $s_2$, $x_2$.
 - $P_4$ has $s_3$, $s_4$, $x_4$.
 Using $s_2$ and $s_3$, they can compute $x_3 = s_3 - s_2$ and obtain the input of $P_3$. This violates privacy. Similarly, if $P_i$ and $P_j$ team up, the can compute the partial sum
 $$
 s_{j - 1} - s_{i} = x_{i+1} + \cdots + x_{j-1}
 $$
 which leaks information about the inputs of $P_{i+1}, \dots, P_{j-1}$.
 ## Modeling Adversaries for Multiparty Computation
 The adversary can decide not to follow the protocol and perform arbitrarily.
 - **Semi-honest** adversaries follows the protocol and tries to learn more information by inspecting the communication.
 - **Malicious** adversaries can behave in any way, unknown to us.
 Semi-honest adversaries are similar to *passive* adversaries, whereas malicious adversaries are similar to *active* adversaries.
 We can also model the **corruption strategy**. Some parties can turn into an adversary during the protocol.
 - In **static** corruptions, the set of adversarial parties is fixed throughout the execution.
 - In **adaptive** corruptions, the adversary corrupts parties during the execution, based on the information gained from the protocol execution.
 We can decide how much computational power to give to the adversary. For *computational security*, an adversary must be efficient, only polynomial time strategies are allowed. For *information-theoretic security*, an adversary has unbounded computational power.
 We will only consider **semi-honest** adversaries with **static** corruptions.
 ## Defining Security for Multiparty Computation
 The idea is the following.
 > An attack on the protocol in the **real world** is equivalent to some attack on the protocol in an **ideal world** in which no damage can be done.
 In the **ideal world**, we use a trusted party to implement a protocol. All parties, both honest and corrupted, submit their input to the trusted party. Since the trusted party is not corrupted, the protocol is safe.
 In the **real world**, there is no trusted party and parties must communicate with each other using a protocol.
 Thus, a secure protocol must provide security in the real world that is equivalent to that in the ideal world. The definition is saying the following: **there is no possible attack in the ideal world, so there is no possible attack in the real world**. This kind of definition implies privacy, soundness and input independence.
 > For every efficient adversary $\mc{A}$ in the real world, there exists an *equivalent* efficient adversary $\mc{S}$ (usually called a **simulator**) in the ideal world.
 ### Semi-Honest & Static Corruption
 - The *view* of a party consists of its input, random tape and the list of messages obtained from the protocol.
 	- The view of an adversary is the union of views of corrupted parties.
 	- If an adversary learned anything from the protocol, it must be efficiently computable from its view.
 - If a protocol is secure, it must be possible in the ideal world to generate something indistinguishable from the real world adversary's view.
 	- In the ideal world, the adversary's view consists of inputs/outputs to and from the trusted party.
 	- An adversary in the ideal world must be able to generate a view equivalent to the real world view. We call this ideal world adversary a **simulator**.
 	- If we show the existence of a simulator, a real world adversary's ability is the same as an adversary in the ideal world.
 > **Definition.** Let $\mc{A}$ be the set of parties that are corrupted, and let $\rm{Sim}$ be a simulator algorithm.
 > - $\rm{Real}(\mc{A}; x_1, \dots, x_n)$: each party $P_i$ runs the protocol with private input $x_i$. Let $V_i$ be the final view of $P_i$. Output $\braces{V_i : i \in \mc{A}}$.
 > - $\rm{Ideal}_\rm{Sim}(x_1, \dots, x_n)$: output $\rm{Sim}(\mc{A}; \braces{(x_i, y_i) : i \in \mc{A}})$.
 > 
 > A protocol is **secure against semi-honest adversaries** if there exists a simulator such that for every subset of corrupted parties $\mc{A}$, its views in the real and ideal worlds are indistinguishable.
 ## Oblivious Transfer (OT)
 This is a building block for building any MPC.
 Suppose that the sender has data $m_1, \dots, m_n \in \mc{M}$, and the receiver has an index $i \in \braces{1, \dots, n}$. The sender wants to send exactly one message and hide others. Also, the receiver wants to hide which message he received.
 This problem is called 1-out-of-$n$ **oblivious transfer** (OT).
 ### 1-out-of-2 OT Construction from ElGamal Encryption
 We show an example of 1-out-of-2 OT using the ElGamal encryptions scheme. We use a variant where a hash function is used in encryption.
 It is known that $k$-out-of-$n$ OT is constructible from 1-out-of-2 OTs.
 > Suppose that the sender Alice has messages $x_0, x_1 \in \braces{0, 1}\conj$, and the receiver Bob has a choice $\sigma \in \braces{0, 1}$.
 > 
 > 1. Bob chooses $sk = \alpha \la \Z_q$ and computes ${} h = g^\alpha {}$, and chooses $h' \la G$.
 > 2. Bob sets $pk_\sigma = h$ and $pk_{1-\sigma} = h'$ and sends $(pk_0, pk_1)$ to Alice.
 > 3. Alice encrypts each $x_i$ using $pk_i$, obtains two ciphertexts.
 > 	- $\beta_0, \beta_1 \la \Z_q$.
 > 	- $c_0 = \big( g^{\beta_0}, H(pk_0^{\beta_0}) \oplus x_0 \big)$, $c_1 = \big( g^{\beta_1}, H(pk_1^{\beta_1}) \oplus x_1 \big)$.
 > 4. Alice sends $(c_0, c_1)$ to Bob.
 > 5. Bob decrypts $c_\sigma$ with $sk$ to get $x_\sigma$.
 Correctness is obvious.
 Alice's view contains the following: $x_0, x_1, pk_0, pk_1, c_0, c_1$. Among these, $pk_0, pk_1$ are the received values from Bob. But these are random group elements, so she learns nothing about $\sigma$. The simulator can choose two random group elements to simulate Alice.
 Bob's view contains the following: $\sigma, \alpha, g^\alpha, h', c_0, c_1, x_\sigma$. He only knows one private key, so he only learns $x_\sigma$, under the DL assumption. (He doesn't have the discrete logarithm for $h'$) The simulator must simulate $c_0, c_1$, so it encrypts $x_\sigma$ with $pk_\sigma$, and as for $x_{1-\sigma}$, a random message is encrypted with $pk_{1-\sigma}$. This works because the encryption scheme is semantically secure, meaning that it doesn't reveal any information about the underlying message.
 The above works for **semi-honest** parties. To prevent malicious behavior, we fix the protocol a bit.
 > 1. Alice sends a random $w \la G$ first.
 > 2. Bob must choose $h$ and $h'$ so that $hh' = w$. $h$ is chosen the same way, and $h' = wh\inv$ is computed.
 > 
 > The remaining steps are the same, except that Alice checks if $pk_0 \cdot pk_1 = w$.
 Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose ${} \alpha' \la \Z_q {}$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c_0, c_1$, revealing $x_0, x_1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior.
 ### 1-out-of-$n$ OT Construction from ElGamal Encryption
 Let $m_1, \dots, m_n \in \mc{M}$ be the messages to send, and let $i$ be an index. We will use ElGamal encryption on a cyclic group $G = \span{g}$ of prime order, with a hash function and a semantically secure symmetric cipher $(E_S, D_S)$.
 > 1. Alice chooses $\beta \la \Z_q$, computes $v \la g^\beta$ and sends $v$ to Bob.
 > 2. Bob chooses $\alpha \la \Z_q$, computes $u \la g^\alpha v^{-i}$ and sends $u$ to Alice.
 > 3. For $j = 1, \dots, n$, Alice computes the following.
 > 	- Compute $u_j \la u \cdot v^j = g^\alpha v^{j-i}$ as the public key for the $j$-th message.
 > 	- Encrypt $m_j$ as $(g^\beta, c_j)$, where $c_j \la E_S\big( H(g^\beta, u_j^\beta), m_j \big)$.
 > 4. Alice sends $(c_1, \dots, c_n)$ to Bob.
 > 5. Bob decrypts $c_i$ as follows.
 > 	- Compute symmetric key $k \la H(v, v^\alpha)$ where $v = g^\beta$ from step $1$.
 > 	- $m_i \la D_S(k, c_i)$.
 Note that all ciphertexts $c_j$ were created from the same ephemeral key $\beta \in \Z_q$.
 For correctness, we check that Bob indeed receives $m_i$ from the above protocol. Check that $u_i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u_i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c_i = E_S\big( H(g^\beta, u_i^\beta), m_i \big) = E_S\big( H(v, v^\alpha), m_i \big)$, the decryption gives ${} m_i {}$.
 Now is this oblivious? All that Alice sees is $u = g^\alpha v^{-i}$ from Bob. Since $\alpha \la \Z_q$, $u$ is uniformly distributed over elements of $G$. Alice learns no information about $i$.
 As for Bob, we need the **CDH assumption**. Suppose that Bob can query $H$ on two different ciphertexts $c_{j_1}, c_{j_2}$. Then he knows
 $$
 u_{j_1}^\beta/u_{j_2}^\beta = v^{\beta(j_1 - j_2)},
 $$
 and by raising both to the $(j_1 - j_2)\inv$ power (inverse in $\Z_q$), he can compute $v^\beta = g^{\beta^2}$. Thus, Bob has computed $g^{\beta^2}$ from $g^\beta$, and this breaks the CDH assumption.[^1] Thus Bob cannot query $H$ on two points, and is unable to decrypt two ciphertexts. He only learns $m_i$.
 ### OT for Computing $2$-ary Function with Finite Domain
 We can use an OT for computing a $2$-ary function with finite domain.
 Let $f : X_1 \times X_2 \ra Y$ be a deterministic function with $X_1$, $X_2$ both finite. There are two parties ${} P_1, P_2 {}$ with inputs $x_1, x_2$, and they want to compute $f(x_1, x_2)$ without revealing their input.
 Then we can use $1$-out-of-$\abs{X_2}$ OT to securely compute $f(x_1, x_2)$. Without loss of generality, suppose that $P_1$ is the sender.
 ${} P_1$ computes $y_x =f(x_1, x)$ for all $x \in X_2$, resulting in $\abs{X_2}$ messages. Then $P_1$ performs 1-out-of-$\abs{X_2}$ OT with $P_2$. The value of $x_2$ will be used as the choice of $P_2$, which will be oblivious to $P_1$.[^2]
 This method is inefficient, so we have better methods!
 [^1]: Given $g^\alpha, g^\beta$, compute $g^{\alpha + \beta}$. Then compute $g^{\alpha^2}, g^{\beta^2}, g^{(\alpha+\beta)^2}$, and obtain $g^{2\alpha\beta}$. Exponentiate by $2\inv \in \Z_q$ to find $g^{\alpha\beta}$.
 [^2]: Can $P_1$ learn the value of $x_2$ from the final output $y_{x_2} = f(x_1, x_2)$?
--- a/Cryptography/2023-11-16-gmw-protocol.md
+++ b/Cryptography/2023-11-16-gmw-protocol.md
@@ -1,290 +0,0 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 16. The GMW Protocol
 date: 2023-11-16
 github_title: 2023-11-16-gmw-protocol
 image:
  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-16-beaver-triple.png
 attachment:
  folder: assets/img/posts/Lecture Notes/Modern Cryptography
 ---
 There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](../2023-11-14-garbled-circuits/#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](../2023-11-09-secure-mpc/#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient.
 ## GMW Protocol
 The **Goldreich-Micali-Wigderson** (GMW) **protocol** is a designed for evaluating boolean circuits. In particular, it can be used for XOR and AND gates, which corresponds to addition and multiplication in $\Z_2$. Thus, the protocol can be generalized for evaluating arbitrary arithmetic circuits.
 We assume semi-honest adversaries and static corruption. The GMW protocol is known to be secure against any number of corrupted parties. We also assume that any two parties have private channels for communication.
 The idea is **secret sharing**, where each party shares its input with other parties. The actual input is not revealed, and after the computation, each party holds a *share* of the final result.
 The protocol can be broken down into $3$ phases.
 - **Input phase**: each party shares its input with the other parties.
 - **Evaluation phase**: each party computes gate by gate, using the shared values.
 - **Output phase**: each party publishes their output.
 ### Input Phase
 Suppose that we have $n$ parties $P_1, \dots, P_n$ with inputs $x_1, \dots, x_n \in \braces{0, 1}$. The inputs are bits but they can be generalized to inputs over $\Z_q$ where $q$ is prime.
 > Each party $P_i$ shares its input with other parties as follows.
 > 
 > 1. Choose random ${} r_{i, j} \la \braces{0, 1} {}$ for all $j \neq i$ and send $r_{i, j}$ to $P_j$.
 > 2. Set ${} r_{i, i} = x_i + \sum_{i \neq j} r_{i, j} {}$.
 Then we see that $x_i = \sum_{j = 1}^n r_{i, j} {}$. Each party has a **share** of $x_i$, which is $r_{i, j}$. We have a notation for this,
 $$
 [x_i] = (r_{i, 1}, \dots, r_{i, n}).
 $$
 It means that $r_{i, 1}, \dots, r_{i, n}$ are shares of $x_i$.
 After this phase, each party $P_j$ has $n$ shares $r_{1, j}, \dots, r_{n,j}$, where each is a share of $x_i$.
 ### Evaluation Phase
 Now, each party computes each gate using the shares received from other parties. We describe how the XOR and AND gate are computed.
 #### Evaluating XOR Gates
 Suppose we want to compute a share of ${} c = a + b {}$. Then, since
 $$
 [c] = [a] + [b],
 $$
 each party can simply add all the input shares.
 If ${} {} y = x_1 + \cdots + x_n {} {}$, then party $P_j$ will compute ${} y_j = \sum_{i=1}^n r_{i, j} {}$, which is a share of $y$, $[y] = (y_1, \dots, y_n)$. It can be checked that
 $$
 y = \sum_{j=1}^n y_j = \sum_{j=1}^n \sum_{i=1}^n r_{i, j}.
 $$
 #### Evaluating AND Gates
 AND gates are not as simple as XOR gates. If $c = ab$,
 $$
 c = \paren{\sum_{i=1}^n a_i} \paren{\sum_{j=1}^n b_j} = \sum_{i=1}^n a_ib_i + \sum_{1 \leq i < j \leq n} (a_ib_j + a_j b_i).
 $$
 The first term can be computed internally by each party. The problem is the second term. $P_i$ doesn't know the values of $a_j$ and $b_j$. Therefore, we need some kind of interaction between $P_i$ and $P_j$, but no information should be revealed. We can use an OT for this.
 > For every pair of parties $(P_i, P_j)$, perform the following.
 > 
 > 1. $P_i$ chooses a random bit $s_{i, j}$ and computes all possible values of $a_ib_j + a_jb_i + s_{i, j}$. These values are used in the OT.
 > 2. $P_i$ and $P_j$ run a $1$-out-of-$4$ OT.
 > 3. $P_i$ keeps $s_{i, j}$ and $P_j$ receives $a_ib_j + a_jb_i + s_{i, j}$.
 - If $a_ib_j + a_jb_i$ is exposed to any party, it reveals information about other party's share.
 - These are bits, so $P_i$ and $P_j$ get to keep a share of $a_ib_j + a_jb_i$. If these aren't bits, then $s_{i, j} - a_ib_j - a_jb_i$ must be computed for inputs to the OT.
 - Since $a_j, b_j \in \braces{0, 1}$, it is possible to compute all possible values, and use them in the OT. $(a_j, b_j)$ will be used as the choice of $P_j$.
 ### Output Phase
 After evaluation, each party has a share of the final output, so the share is sent to the parties that will learn the output. These shares can be summed to obtain the final output value.
 ### Performance
 Addition is easy, but multiplication gates require $n \choose 2$ OTs. Thus the protocol requires a communication round among the parties for every multiplication gate. Also, the multiplication gates on the same level can be processed in parallel.
 Overall, the round complexity is $\mc{O}(d)$, where $d$ is the depth of the circuit, including only the multiplication gates.
 A shallow circuit is better for GMW protocols. However, shallow circuits may end up using more gates depending on the function.
 ## Security Proof
 We show the case when there are $n-1$ corrupted parties.[^1] Let $P_i$ be the honest party and assume that all others are corrupted. We will construct a simulator.
 Let $(x_1, \dots, x_n)$ be inputs to the function, and let $[y] = (y_1, \dots, y_n)$ be output shares. The adversary's view contains $y$, and all $x_j$, $y_j$ values except for $x_i$ and $y_i$.
 To simulate the input phase, choose random shares to be communicated, both for $P_i \ra P_j$ and $P_j \ra P_i$. The shares were chosen randomly, so they are indistinguishable to the real protocol execution.
 For the evaluation phase, XOR gates can be computed internally, so we only consider AND gates.
 - When $P_j$ is the receiver, choose a random bit as the value learned from the OT. Since the OT contains possible values of $a_ib_j + a_jb_i + s_{i, j}$ and they are random, the random bit is equivalent.
 - When $P_j$ is the sender, choose $s_{i, j}$ randomly and compute all $4$ possible values following the protocol.
 Lastly, for the output phase, the simulator has to simulate the message $y_i$ from $P_i$. Since the final output $y$ is known and $y_j$ ($j \neq i$) is known, $y_i$ can be computed from the simulator.
 We see that the distribution of the values inside the simulator is identical to the view in the real protocol execution.
 ## Beaver Triples
 **Beaver triple sharing** is an offline optimization method for multiplication (AND) gates in the GMW protocol. Before actual computation, Beaver triples can be shared to speed up multiplication gates, reducing the running time in the online phase. Note that the overall complexity is the same.
 > **Definition.** A **Beaver triple** is a triple $(x, y, z)$ such that $z = xy$.
 ### Beaver Triple Sharing
 When Beaver triples are shared, $[x] = (x_1, x_2)$ and $[y] = (y_1, y_2)$ are chosen so that
 $$
 \tag{$\ast$}
 z = z_1 + z _2 = (x_1 + x_2)(y_1 + y_2) = x_1y_1 + x_1y_2 + x_2y_1 + x_2y_2.
 $$
 > 1. Each party $P_i$ chooses random bits $x_i, y_i$. Now they must generate $z_1, z_2$ so that the values satisfy equation $(\ast)$ above.
 > 2. $P_1$ chooses a random bit $s$ and computes all $4$ possible values of $s + x_1y_2 + x_2y_1$.
 > 3. $P_1$ and $P_2$ run a $1$-out-of-$4$ OT.
 > 4. $P_1$ keeps $z_1 = s + x_1y_1$, $P_2$ keeps $z_2 = (s + x_1y_2 + x_2y_1) + x_2y_2$.
 Indeed, $z_1, z_2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
 ### Evaluating AND Gates with Beaver Triples
 Now, in the actual computation of AND gates, proceed as follows.
 ![mc-16-beaver-triple.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-16-beaver-triple.png)
 > Each $P_i$ has a share of inputs $a_i, b_i$ and a Beaver triple $(x_i, y_i, z_i)$.
 > 1. Each $P_i$ computes $u_i = a_i + x_i$, $v_i = b_i + y_i$.
 > 2. $P_i$ shares $u_i, v_i$ to $P_{3-i}$ and receives $u_{3-i}, v_{3-i}$ from $P_{3-i}$.
 > 3. Each party now can compute $u = u_1 + u_2$, $v = v_1 + v_2$.
 > 4. $P_1$ computes $c_1 = uv + uy_1 + vx_1 + z_1$, $P_2$ computes $c_2 = uy_2 + vx_2 + z_2$.
 Note that
 $$
 \begin{aligned}
 c = c_1 + c_2 &= uv + u(y_1 + y_2) + v(x_1 + x_2) + (z_1 + z_2) \\
 &= uv + uy + vx + xy \qquad (\because z = xy)  \\
 &= u(v + y) + x(v + y) \\
 &= (u + x)(v + y) = ab
 \end{aligned}
 $$
 The last equality comes from the fact that $u = a + x$ and $v = b+y$ from step $1$. The equation was derived from the following observation.
 $$
 c = ab = (a + x)(b + y) - x(b + y) - y(a + x) + xy.
 $$
 Substitute $u = a +x$ and $v = b + y$, since $z = xy$, we have
 $$
 c = uv - xv - yu + z.
 $$
 Thus
 $$
 [c] = uv - [x]v - [y]u + [z],
 $$
 and $uv$ is public, so any party can include it in its share.
 Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Essentially, they are *one-time pad* encryptions of $x_i$ and ${} y_i {}$ since $a_i, b_i$ were chosen randomly. No need for OTs during actual computation.
 ### Reusing Beaver Triples?
 **Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and ${} u_1' = a_1' + x_1 {}$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$.
 Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](#ot-extension) described below.
 ## Comparison of Yao and GMW
 |Protocol|Yao|GMW|
 |:-:|:-:|:-:|
 |Metaphor|Apple: bite-by-bite|Orange: peel and eat|
 |Pros|Constant round complexity|Circuit evaluation is simple|
 |Cons|Requires symmetric cipher in the online phase|High overhead in AND gates|
 |Good In|High latency networks|Low latency networks|
 |Round Complexity|$\mc{O}(1)$|Depends on circuit depth. $n$ OTs per AND gates per party.|
 Yao's protocol computes gates bite-by-bite, whereas GMW protocol is peel-and-eat. Most of the effort is required in the preprocessing phase, by sharing many Beaver triples, but the evaluation phase is easy.
 ## OT Extension
 Both Yao's and GMW protocol use OTs. Depending on the computation, one may end up performing thousands of OTs, which can be inefficient.
 There is a technique called **OT extension**, that allows us to obtain many OT instances from a small number of OT instances. OT extension only uses small number of base OTs, and uses symmetric cipher to extend it to many OTs.
 ### Protocol Description
 This protocol will extend $n$ OTs to $m$ OTs, where $m \gg n$.
 - Sender has inputs $\paren{x_i^0, x_i^1}$ for $i = 1, \dots, m$.
 - Receiver has choice vector $\sigma = (\sigma_1, \dots, \sigma_m) \in \braces{0, 1}^m$.
 	- After the protocol, the receiver will get $x_i^{\sigma_i}$ for $i = 1, \dots, m$.
 > **First phase.**
 > 
 > 1. The receiver samples $n$ random strings $T_1, \dots, T_n \la \braces{0, 1}^m$ of length $m$.
 > 2. The receiver prepares pairs $\paren{T_i, T_i \oplus \sigma}$ for $i = 1, \dots, n$ and plays *sender in base OT*.
 > 3. The sender chooses random $s = (s_1, \dots, s_n) \in \braces{0, 1}^n$.
 > 4. The sender plays *receiver in base OT* with input $s_i$ for $i = 1, \dots, n$.
 In the first phase, the roles are temporarily switched.
 - The receiver chose $n$ random $m$-bit vectors, now has a $m\times n$ bit matrix $T$.
 - For the $i$-th base OT, the receiver inputs $T_i$ or $T_i \oplus \sigma$. Therefore, if $s_i = 0$, the sender gets $T_i$. If $s_i = 1$, then sender gets $T_i \oplus \sigma$.
 - Suppose that the sender gets $Q_i \in \braces{0, 1}^m$ in the $i$-th base OT. The sender will also have a $m \times n$ bit matrix $Q$.
 $$
 Q_i = \begin{cases} T_i  & (s_i = 0)  \\
 	T_i \oplus \sigma  & (s_i = 1).
 \end{cases}
 $$
 **Now consider each row separately!** Let ${} A[k]$ be the $k$-th row of matrix $A$.
 If $\sigma_j = 0$, the XOR operation in $T_i \oplus \sigma$ has no effect on the $j$-th element (row), so the $j$-th element of $T_i \oplus \sigma$ and $T_i$ are the same. Thus, we have $Q[j] = T[j]$.
 On the other hand, suppose that $\sigma_j = 1$ and consider each element of $Q[j]$. The $i$-th element is the $j$-th element of $Q_i$. If $s_i = 0$, then $Q_i = T_i$, so the $j$-th element (row) is the same as the $j$-th element of $T_i$. If $s_i = 1$, then $Q_i = T_i \oplus \sigma$, so the $j$-th element is flipped. Thus, $Q[j] = T[j] \oplus s$.
 $$
 Q[j] = \begin{cases} T[j] & (\sigma_j = 0)  \\
 T[j] \oplus s & (\sigma_j = 1).
 \end{cases}
 $$
 > **Second phase.** To perform the $j$-th transfer $(j = 1, \dots, m)$,
 > 
 > 1. The sender sends $y_j^0 = H(j, Q[j]) \oplus x_j^0$ and $y_j^1 = H(j, Q[j] \oplus s) \oplus x_j^1$.
 > 2. The receiver computes $H(j, T[j]) \oplus y_j^{\sigma_j}$.
 If $\sigma_j = 0$, then the sender gets
 $$
 H(j, T[j]) \oplus y_j^0 = H(j, T[j]) \oplus H(j, Q[j]) \oplus x_j^0 = x_j^0.
 $$
 If $\sigma_j = 1$,
 $$
 H(j, T[j]) \oplus y_j^1 = H(j, T[j]) \oplus H(j, Q[j] \oplus s) \oplus x_j^1 = x_j^1.
 $$
 We have just shown correctness.
 ### Security Proof of OT Extension
 Intuitively, the sender receives either $T_i$ or $T_i \oplus \sigma$. But $T_i$ are chosen randomly, so it hides $\sigma$, revealing no information.
 As for the receiver, the values $(x_j^0, x_j^1)$ are masked by a hash function, namely $H(j, Q[j])$ and $H(j, Q[j] \oplus s)$. The receiver can compute $H(j, T[j])$, which equals *only one of them* but since receiver has no information about $s$, prohibiting the receiver from computing the other mask.
 ### Performance of OT Extension
 The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT.
 One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](../2023-11-09-secure-mpc/#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data.
 Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing.
 [^1]: Intuitively, it may seem that proving security for $n-1$ corrupted parties would be the hardest. However, security for $n-1$ corrupted parties does not imply security for $n-2$ corrupted parties, in general.
 [^2]: There is a variant of sharing Beaver triples, where a dealer generates all $x_i, y_i, z_i$ and gives them to each party.
 [^3]: A Graduate Course in Applied Cryptography.
--- a/Cryptography/2023-11-23-bgv-scheme.md
+++ b/Cryptography/2023-11-23-bgv-scheme.md
@@ -1,562 +0,0 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 17. BGV Scheme
 date: 2023-11-23
 github_title: 2023-11-23-bgv-scheme
 ---
 ## Homomorphisms
 > **Definition.** Let $(X, \ast), (Y, \ast')$ be sets equipped with binary operations $\ast$, $\ast'$. A map $\varphi : X \ra Y$ is said to be a **homomorphism** if
 > 
 > $$
 > \varphi(a \ast b) = \varphi(a) \ast' \varphi(b)
 > $$
 > 
 > for all $a, b \in X$.
 A homomorphism *sort of* preserves the structure between two sets.[^1]
 We will mainly consider **additive homomorphisms** where
 $$
 \varphi(a + b) = \varphi(a) + \varphi(b),
 $$
 and **multiplicative homomorphisms** where
 $$
 \varphi(ab) = \varphi(a)\varphi(b).
 $$
 ## Homomorphic Encryption
 > **Definition.** A **homomorphic encryption scheme** defined over $\mc{M}$ consists of an encryption algorithm $E$ and a decryption algorithm $D$ such that
 > 
 > $$
 > D\big( E(x) + E(y) \big) = x + y
 > $$
 > 
 > or
 > 
 > $$
 > D\big( E(x) \cdot E(y) \big) = x \cdot y.
 > $$
 The **decryption $D$ is a homomorphism**. From ciphertexts of $x$ and $y$, this scheme can compute the ciphertext of $x + y$ or $x \cdot y$.
 There are mainly $3$ categories of homomorphic encryption.
 - **Partial** Homomorphic Encryption
 	- These schemes can evaluate *some* functions on encrypted data.
 	- Textbook RSA had a *homomorphic property*.
 - **Somewhat** Homomorphic Encryption (SHE)
 	- Both addition and multiplication are supported.
 	- But there is a limit on the number of operations.
 - **Fully** Homomorphic Encryption (FHE)
 	- Any function can be evaluated on encrypted data.
 	- There is a method called *bootstrapping* that compiles SHE into FHE.
 ### A Warm-up Scheme
 This is a sample scheme, which is insecure.
 > Choose parameters $n$ and $q$ as security parameters.
 > 
 > 1. Set secret key $\bf{s} = (s_1, \dots, s_n) \in \Z^n$.
 > 2. For message $m \in \Z_q$, encrypt it as follows.
 > 	- Randomly choose $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$.
 > 	- Compute $b = -\span{\bf{a}, \bf{s}} + m \pmod q$.
 > 	- Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
 > 3. To decrypt $\bf{c}$, compute $m = b + \span{\bf{a}, \bf{s}} \pmod q$.
 Correctness is trivial. Also, this encryption algorithm has the *additive homomorphism* property. If $b_1, b_2$ are encryptions of $m_1, m_2$, then
 $$
 b_1 = -\span{\bf{a}_1, \bf{s}} + m_1, \quad b_2 = -\span{\bf{a}_2, \bf{s}} + m_2
 $$
 in $\Z_q$. Thus,
 $$
 b_1 + b_2 = -\span{\bf{a}_1 + \bf{a}_2, \bf{s}} + m_1 + m_2.
 $$
 Decrypting the ciphertext $(b_1 + b_2, \bf{a}_1 + \bf{a}_2)$ will surely give $m_1 + m_2$.
 But this scheme is not secure. After $n$ queries, the plaintext-ciphertext pairs can be transformed into a linear system of equations
 $$
 \bf{b} = -A \bf{s} + \bf{m},
 $$
 where $\bf{a}_i$ are in the rows of $A$. This system can be solved for $\bf{s}$ with non-negligible probability.[^2]
 ## Lattice Cryptography
 Recall that schemes like RSA and ElGamal rely on the hardness of computational problems. The hardness of those problems make the schemes secure. There are other (known to be) *hard* problems using **lattices**, and recent homomorphic encryption schemes use **lattice-based** cryptography.
 > **Definition.** For $\bf{b}_i \in \Z^n$ for $i = 1, \dots, n$, let $B = \braces{\bf{b}_1, \dots, \bf{b}_n}$ be a basis. The set
 > 
 > $$
 > L = \braces{\sum_{i=1}^n a_i\bf{b}_i : a_i \in \Z}
 > $$
 > 
 > is called a **lattice**. The set $B$ is a basis over $L$.
 It is essentially a linear combination of basis elements, with *integer coefficients*.
 ### Bounded Distance Decoding Problem (BDD)
 Let $L$ be a lattice with basis $B$. Given
 $$
 \bf{t} = B\bf{u} + \bf{e} \notin L
 $$
 for a small error $\bf{e}$, the problem is to find the closest lattice point $B\bf{u} \in L$.
 It is known that all (including quantum) algorithms for solving BDD have costs $2^{\Omega(n)}$.
 This problem is easy when we have a *short* basis, where the angles between vectors are closer to $\pi/2$. For example, given $\bf{t}$, find $a_i \in \R$ such that
 $$
 \bf{t} = a_1 \bf{b}_1 + \cdots a_n \bf{b}_n
 $$
 and return $B\bf{u}$ as
 $$
 B\bf{u} = \sum_{i=1}^n \lfloor a_i \rceil \bf{b}_i.
 $$
 Then this ${} B\bf{u} \in L {}$ is pretty close to $\bf{t} \notin L$.
 ## Learning with Errors Problem (LWE)
 This is the problem we will mainly use for homomorphic schemes.
 Let $\rm{LWE}_{n, q, \sigma}(\bf{s})$ denote the LWE distribution, where
 - $n$ is the number of dimensions,
 - $q$ is the modulus,
 - $\sigma$ is the standard deviation of error.
 Also $D_\sigma$ denotes the discrete gaussian distribution with standard deviation $\sigma$.
 > Let $\bf{s} = (s_1, \dots, s_n) \in \Z_q^n$ be a secret.
 > 
 > - Sample $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$ and $e \la D_\sigma$.
 > - Compute $b = \span{\bf{a}, \bf{s}} + e \pmod q$.
 > - Output $(b, \bf{a}) \in \Z_q^{n+1}$.
 > 
 > This is called a **LWE instance**.
 ### Search LWE Problem
 > Given many samples from $\rm{LWE}_{n, q, \sigma}(\bf{s})$, find $\bf{s}$.
 ### Decisional LWE Problem (DLWE)
 > Distinguish two distributions $\rm{LWE}_{n, q, \sigma}(\bf{s})$ and $U(\Z_q^{n+1})$.
 It is known that the two versions of LWE problem are **equivalent** when $q$ is a prime bounded by some polynomial in $n$.
 LWE problem can be turned into **assumptions**, just like the DL and RSA problems. As in DL and RSA, the LWE problem is not hard for any parameters $n, q$. The problem is harder if $n$ is large and $q$ is small.
 ## The BGV Scheme
 **BGV scheme** is by Brakerski-Gentry-Vaikuntanathan (2012). The scheme is defined over the finite field $\Z_p$ and can perform arithmetic in $\Z_p$.
 > Choose security parameters $n$, $q$ and $\sigma$. It is important that $q$ is chosen as an **odd** integer.
 > 
 > **Key Generation**
 > - Set secret key $\bf{s} = (s_1, \dots, s_n) \in \Z^n$.
 > 
 > **Encryption**
 > - Sample $\bf{a} \la \Z_q^n$ and $e \la D_\sigma$.
 > - Compute $b = -\span{\bf{a}, \bf{s}} + m + 2e \pmod q$.
 > - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
 > 
 > **Decryption**
 > - Compute $r = b + \span{\bf{a}, \bf{s}} \pmod q$.
 > - Output $m = r \pmod 2$.
 Here, it can be seen that
 $$
 r = m + 2e \pmod q.
 $$
 For correctness, $e \ll q$, and
 $$
 \abs{r} = \abs{m + 2e} < \frac{1}{2}q.
 $$
 Under the LWE assumption, it can be proven that the scheme is semantically secure, i.e,
 $$
 E(\bf{s}, 0) \approx_c E(\bf{s}, 1).
 $$
 ### Addition in BGV
 Addition is easy!
 > Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of ${} m, m' \in \braces{0, 1} {}$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
 *Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$. If
 $$
 r = b + \span{\bf{a}, \bf{s}} = m + 2e \pmod q
 $$
 and
 $$
 r' = b' + \span{\bf{a}', \bf{s}} = m' + 2e' \pmod q,
 $$
 then we have
 $$
 r_\rm{add} = b + b' + \span{\bf{a} + \bf{a}', \bf{s}} = r + r' = m + m' + 2(e + e') \pmod q.
 $$
 If $\abs{r + r'} < q/2$, then $m + m' = r_\rm{add} \pmod 2$.
 ### Multiplication in BGV
 #### Tensor Product
 For multiplication, we need **tensor products**.
 > **Definition.** Let $\bf{a} = (a_1, \dots, a_n)^\top, \bf{b} = (b_1, \dots, b_n)^\top$ be vectors. Then the **tensor product** $\bf{a} \otimes \bf{b}$ is a vector with $n^2$ dimensions such that
 > 
 > $$
 > \bf{a} \otimes \bf{b} = \big( a_i \cdot b_j \big)_{1 \leq i, j \leq n}.
 > $$
 We will use the following property.
 > **Lemma.** Let $\bf{a}, \bf{b}, \bf{c}, \bf{d}$ be $n$-dimensional vectors. Then,
 > 
 > $$
 > \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}} = \span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}}.
 > $$
 *Proof*. Denote the components as $a_i, b_i, c_i, d_i$.
 $$
 \begin{aligned}
 \span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}} &= \sum_{i=1}^n\sum_{j=1}^n a_ic_j \cdot b_id_j \\
 &= \paren{\sum_{i=1}^n a_ib_i} \paren{\sum_{j=1}^n c_j d_j} =  \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}}.
 \end{aligned}
 $$
 #### Multiplication
 Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Since
 $$
 r = b + \span{\bf{a}, \bf{s}} = m + 2e \pmod q
 $$
 and
 $$
 r' = b' + \span{\bf{a}', \bf{s}} = m' + 2e' \pmod q,
 $$
 we have that
 $$
 r_\rm{mul} = rr' = (m + 2e)(m' + 2e') = mm' + 2e\conj \pmod q.
 $$
 So $mm' = r_\rm{mul} \pmod 2$ if $e\conj$ is small.
 However, to compute $r_\rm{mul} = rr'$ from the ciphertext,
 $$
 \begin{aligned}
 r_\rm{mul} &= rr' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
 &= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'}.
 \end{aligned}
 $$
 Thus we define $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, then this can be decrypted with $(1, \bf{s}, \bf{s} \otimes \bf{s})$ by the above equation.
 > Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m'$. Then,
 > 
 > $$
 > \bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
 > $$
 > 
 > is an encryption of $mm'$ with $(1, \bf{s}, \bf{s} \otimes \bf{s})$.
 Not so simple as addition, we need $\bf{s} \otimes \bf{s}$.
 #### Problems with Multiplication
 The multiplication described above has two major problems.
 - The dimension of the ciphertext has increased to $n^2$.
 	- At this rate, multiplications get inefficient very fast.
 - The *noise* $e\conj$ grows too fast.
 	- For correctness, $e\conj$ must be small compared to $q$, but it grows exponentially.
 	- We can only perform $\mc{O}(\log q)$ multiplications.
 ### Dimension Reduction
 First, we reduce the ciphertext dimension. In the ciphertext $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{a} \otimes \bf{a}'$ is causing the problem, since it must be decrypted with $\bf{s} \otimes \bf{s}'$.
 Observe that the following dot product is calculated during decryption.
 $$
 \tag{1} \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} = \sum_{i = 1}^n \sum_{j=1}^n a_i a_j' s_i s_j.
 $$
 The above expression has $n^2$ terms, so they have to be manipulated. The idea is to switch these terms as encryptions of $\bf{s}$, instead of $\bf{s} \otimes \bf{s}'$.
 Thus we use encryptions of $s_is_j$ by $\bf{s}$. If we have ciphertexts of $s_is_j$, we can calculate the expression in $(1)$ since this scheme is *homomorphic*. Then the ciphertext can be decrypted only with $\bf{s}$, as usual. This process is called **relinearization**, and the ciphertexts of $s_i s_j$ are called **relinearization keys**.
 #### First Attempt
 > **Relinearization Keys**: for $1 \leq i, j \leq n$, perform the following.
 > - Sample $\bf{u}_{i, j} \la \Z_q^{n}$ and $e_{i, j} \la D_\sigma$.
 > - Compute $v_{i, j} = -\span{\bf{u}_{i, j}, \bf{s}} + s_i s_j + 2e_{i, j} \pmod q$.
 > - Output $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$.
 > 
 > **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$ and $\bf{w}_{i, j}$ for $1 \leq i, j \leq n$, output the following.
 > 
 > $$
 > \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{w}_{i, j} \pmod q.
 > $$
 Note that the addition $+$ is the addition of two ${} (n+1) {}$-dimensional vectors. By plugging in $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$, we actually have
 $$
 b_\rm{mul}^\ast = bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j}
 $$
 and
 $$
 \bf{a}_\rm{mul}^\ast = b\bf{a}' + b'\bf{a} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{u}_{i, j}.
 $$
 Now we check correctness. $\bf{c}_\rm{mul}^\ast$ should decrypt to $mm'$ with only $\bf{s}$.
 $$
 \begin{aligned}
 b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \span{\bf{u}_{i, j}, \bf{s}} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \paren{v_{i, j} + \span{\bf{u}_{i, j}, \bf{s}}}.
 \end{aligned}
 $$
 Since $v_{i, j} + \span{\bf{u}_{i, j}, \bf{s}} = s_i s_j + 2e_{i, j} \pmod q$, the above expression further reduces to
 $$
 \begin{aligned}
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \paren{s_i s_j + 2e_{i, j}} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2\sum_{i=1}^n\sum_{j=1}^n a_i a_j' e_{i, j} \\
 &= rr' + 2e\conj \pmod q,
 \end{aligned}
 $$
 and we have an encryption of $mm'$.
 However, we require that
 $$
 e\conj = \sum_{i=1}^n \sum_{j=1}^n a_i a_j' e_{i, j} \ll q
 $$
 for correctness. It is highly unlikely that this relation holds, since $a_i a_j'$ will be large. They are random elements of $\Z_q$ after all, so the size is about $\mc{O}(n^2 q)$.
 #### Relinearization
 We use a method to make $a_i a_j'$ smaller. The idea is to use the binary representation.
 Let $a[k] \in \braces{0, 1}$ denote the $k$-th least significant bit of $a \in \Z_q$. Then we can write
 $$
 a = \sum_{0\leq k<l} 2^k \cdot a[k]
 $$
 where $l = \ceil{\log q}$. Then we have
 $$
 a_i a_j' s_i s_j = \sum_{0\leq k <l} (a_i a_j')[k] \cdot 2^k s_i s_j,
 $$
 so instead of encryptions of $s_i s_j$, we use encryptions of $2^k s_i s_j$.
 For convenience, let $a_{i, j} = a_i a_j'$. Now we have triple indices including $k$.
 > **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
 > - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and ${} e_{i, j, k} \la D_\sigma {}$.
 > - Compute ${} v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q {}$.
 > - Output ${} \bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k}) {}$.
 > 
 > **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
 > 
 > $$
 > \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \bf{w}_{i, j, k} \pmod q.
 > $$
 Correctness can be checked similarly. The bounds for summations are omitted for brevity. They range from $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$.
 $$
 \begin{aligned}
 b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_{i, j}[k] \cdot v_{i, j, k} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \span{\bf{u}_{i, j, k}, \bf{s}} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}}}.
 \end{aligned}
 $$
 Since ${} v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}} = 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q {}$, the above expression further reduces to
 $$
 \begin{aligned}
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{2^k \cdot s_i s_j + 2e_{i, j, k}} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j} a_{i, j}s_i s_j + 2\sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2e\conj \\
 &= rr' + 2e\conj \pmod q,
 \end{aligned}
 $$
 and we have an encryption of $mm'$. In this case,
 $$
 e\conj = 2\sum_{i=1}^n\sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \cdot e_{i, j, k}
 $$
 is small enough to use, since $a_{i, j}[k] \in \braces{0, 1}$. The size is about $\mc{O}(n^2 \log q)$, which is a lot smaller than $q$ for practical uses. We have reduced $n^2 q$ to $n^2 \log q$ with this method.
 ### Noise Reduction
 Now we handle the noise growth. For correctness, we required that
 $$
 \abs{r} = \abs{m + 2e} < \frac{1}{2}q.
 $$
 But for multiplication, $\abs{r_\rm{mul}} = \abs{rr' + 2e\conj}$, so the noise grows very fast. If the initial noise size was $N$, then after $L$ levels of multiplication, the noise is now $N^{2^L}$.[^3] To reduce noise, we use **modulus switching**.
 Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$, we reduce the modulus to $q' < q$ which results in a smaller noise $e'$. This can be done by scaling $\bf{c}$ by $q'/q$ and rounding it.
 > **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ be given.
 > 
 > - Find $b'$ closest to $b \cdot (q' /q)$ such that $b' = b \pmod 2$.
 > - Find $a_i'$ closest to $a_i \cdot (q'/q)$ such that $a_i' = a_i \pmod 2$.
 > - Output $\bf{c}' = (b', \bf{a}') \in \Z_{q'}^{n+1}$.
 In summary, $\bf{c}' \approx \bf{c} \cdot (q'/q)$, and $\bf{c}' = \bf{c} \pmod 2$ component-wise.
 We check if the noise has been reduced, and decryption results in the same message $m$. Decryption of $\bf{c}'$ is done by $r' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$, so we must prove that ${} r' \approx r \cdot (q'/q) {}$ and $r' = r \pmod 2$. Then the noise is scaled down by $q'/q$ and the message is preserved.
 Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = r + kq$. By the choice of $b'$ and $a_i'$,
 $$
 b' = b \cdot (q'/q) + \epsilon_0, \quad a_i' = a_i \cdot (q'/q) + \epsilon_i
 $$
 for $\epsilon_i \in\braces{0, 1}$. Then
 $$
 \begin{aligned}
 b' + \span{\bf{a}', \bf{s}} &= b' + \sum_{i=1}^n a_i's_i \\
 &= b \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \paren{a_i \cdot (q'/q) + \epsilon_i} s_i \\
 &= (q'/q) \paren{b + \sum_{i=1}^n a_i s_i} + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
 &= (q'/q) \cdot (r + kq) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
 &= r \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i +  kq'.
 \end{aligned}
 $$
 We additionally assume that $\bf{s} \in \Z_2^n$, then the error term is bounded by $n+1$, and $n \ll q$.[^4] Set
 $$
 r' = r \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i,
 $$
 then we have $r' \approx r \cdot (q'/q)$.
 Next, $b + \span{\bf{a}, \bf{s}} = b' + \span{\bf{a}', \bf{s}} \pmod 2$ component-wise. Then
 $$
 r + kq = b + \span{\bf{a}, \bf{s}} = b' + \span{\bf{a}', \bf{s}} = r' + kq' \pmod 2.
 $$
 Since $q, q'$ are odd, $r = r' \pmod 2$.
 ### Modulus Chain
 Let the initial noise be $\abs{r} \approx N$. Set the maximal level $L$ for multiplication, and set $q_{L} = N^{L+1}$. Then after each multiplication, switch the modulus to $q_{k-1} = q_k/N$ using the above method.
 Multiplication increases the noise to $N^2$, and then modulus switching decreases the noise back to $N$, allowing further computation.
 So we have a modulus chain,
 $$
 N^{L+1} \ra N^L \ra \cdots \ra N.
 $$
 When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping).
 Note that without modulus switching, we need $q_L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q_L > N^{L+1}$.
 ### Multiplication in BGV (Summary)
 - Set up a modulus chain $q_k = N^{k+1}$ for $k = 0, \dots, L$.
 - Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and noise $N$.
 - (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
 	- Now we have $n^2$ dimensions and noise $N^2$.
 - (**Relinearization**)
 	- Back to $n$ dimensions and noise $N^2$.
 - (**Modulus Switching**)
 	- Modulus is switched to $q_{k-1}$ and noise is back to $N$.
 ## BGV Generalizations and Optimizations
 ### From $\Z_2$ to $\Z_p$
 The above description is for messages $m \in \braces{0, 1} = \Z_2$. This can be extend to any finite field $\Z_p$. Replace $2$ with $p$ in the scheme. Then encryption of $m \in \Z_p$ is done as
 $$
 b = -\span{\bf{a}, \bf{s}} + m + pe \pmod q,
 $$
 and we have $r = b + \span{\bf{a}, \bf{s}} = m + pe$, $m = r \pmod p$.
 ### Packing Technique
 Based on the Ring LWE problem, plaintext space can be extended from $\Z_p$ to $\Z_p^n$ by using **polynomials**.
 With this technique, the number of linearization keys is reduced from $n^2 \log q$ to $\mc{O}(1)$.
 ## Security and Performance of BGV
 - Security depends on $n$ and $q$.
 	- $(n, \log q) = (2^{10}, 30), (2^{13}, 240), (2^{16}, 960)$.
 	- $q$ is much larger than $n$.
 	- We want $n$ small and $q$ large enough to be correct.
 - BGV is a **somewhat** homomorphic encryption.
 	- The number of multiplications is limited.
 - Multiplication is expensive, especially linearization.
 	- Parallelization is effective for optimization, since multiplication is basically performing the same operations on different data.
 [^1]: A homomorphism is a *confused name changer*. It can map different elements to the same name.
 [^2]: The columns $\bf{a}_i$ are chosen random, so $A$ is invertible with high probability.
 [^3]: Noise: $N \ra N^2 \ra N^4 \ra \cdots \ra N^{2^L}$.
 [^4]: This is how $\bf{s}$ is chosen in practice.
--- a/_posts/Mathematics/2022-04-08-thoughts-on-studying-math.md
+++ b/_posts/Mathematics/2022-04-08-thoughts-on-studying-math.md
@@ -2,11 +2,15 @@
 share: true
 toc: true
 math: true
-categories: [Mathematics]
+categories:
-tags: [math, study]
+  - Mathematics
-title: "수학 공부에 대한 고찰"
+path: _posts/mathematics
-date: "2022-02-03"
+tags:
-github_title: "2022-04-08-thoughts-on-studying-math"
+  - math
  - study
 title: 수학 공부에 대한 고찰
 date: 2022-02-03
 github_title: 2022-04-08-thoughts-on-studying-math
 ---
 과외돌이 수업을 위해 새로운 교재를 골라야 했다. 교재를 고민하던 도중 내가 생각하는 수학 공부 방법을 설명하기에 매우 좋은 예시가 생겨서 이렇게 글로 남기게 되었다.
--- a/Theory/2023-01-23-construction-of-measure.md
+++ b/Theory/2023-01-23-construction-of-measure.md
@@ -1,261 +0,0 @@
 ---
 share: true
 toc: true
 math: true
 categories: [Mathematics, Measure Theory]
 tags: [math, analysis, measure-theory]
 title: "02. Construction of Measure"
 date: "2023-01-23"
 github_title: "2023-01-23-construction-of-measure"
 image:
  path: /assets/img/posts/Mathematics/Measure Theory/mt-02.png
 attachment:
  folder: assets/img/posts/Mathematics/Measure Theory
 ---
 ![mt-02.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-02.png)
 이제 본격적으로 집합을 재보도록 하겠습니다. 우리가 잴 수 있는 집합들부터 시작합니다. $\mathbb{R}^p$에서 논의할 건데, 이제 여기서부터는 $\mathbb{R}$의 구간의 열림/닫힘을 모두 포괄하여 정의합니다. 즉, $\mathbb{R}$의 구간이라고 하면 $[a, b], (a, b), [a, b), (a, b]$ 네 가지 경우를 모두 포함합니다.
 ## Elementary Sets
 **정의.** ($\mathbb{R}^p$의 구간) $a_i, b_i \in \mathbb{R}$, $a_i \leq b_i$ 라 하자. $I_i$가 $\mathbb{R}$의 구간이라고 할 때, $\mathbb{R}^p$의 구간은
 $$\prod_ {i=1}^p I_i = I_1 \times \cdots \times I_p$$
 와 같이 정의한다.
 예를 들어 $\mathbb{R}^2$의 구간이라 하면 직사각형 영역, $\mathbb{R}^3$의 구간이라 하면 직육면체 영역을 떠올릴 수 있습니다. 단, 경계는 포함되지 않을 수도 있습니다.
 이러한 구간들을 유한개 모아 합집합하여 얻은 집합을 모아 elementary set이라 합니다.
 **정의.** (Elementary Set) 어떤 집합이 유한개 구간의 합집합으로 표현되면 그 집합을 **elementary set**이라고 한다. 그리고 $\mathbb{R}^p$의 elementary set의 모임을 $\Sigma$로 표기한다.
 임의의 구간은 유계입니다. 따라서 구간의 유한한 합집합도 유계일 것입니다.
 **참고.** 임의의 elementary set은 유계이다.
 Elementary set의 모임에서 집합의 연산을 정의할 수 있을 것입니다. 이 때, $\Sigma$가 ring이 된다는 것을 간단하게 확인할 수 있습니다.
 **명제.** $\Sigma$는 ring이다. 하지만 전체 공간인 $\mathbb{R}^p$를 포함하고 있지 않기 때문에 $\sigma$-ring은 아니다.
 구간의 길이를 재는 방법은 아주 잘 알고 있습니다. 유한개 구간의 합집합인 elementary set에서도 쉽게 잴 수 있습니다. 이제 길이 함수 $m: \Sigma \rightarrow[0, \infty)$ 을 정의하겠습니다. 아직 measure는 아닙니다.
 **정의.** $a_i, b_i \in \mathbb{R}$ 가 구간 $I_i$의 양 끝점이라 하자. $\mathbb{R}^p$의 구간 $I = \displaystyle\prod_ {i=1}^p I_i$ 에 대하여,
 $$m(I) = \prod_ {i=1}^p (b_i - a_i)$$
 로 정의한다.
 **정의.** $I_i$가 쌍마다 서로소인 $\mathbb{R}^p$의 구간이라 하자. $A = \displaystyle\bigcup_ {i=1}^n I_i$ 에 대하여
 $$m(A) = \sum_ {i=1}^n m(I_i)$$
 로 정의한다.
 $\mathbb{R}, \mathbb{R}^2, \mathbb{R}^3$에서 생각해보면 $m$은 곧 길이, 넓이, 부피와 대응되는 함수임을 알 수 있습니다. 또한 쌍마다 서로소인 구간의 합집합에 대해서는 각 구간의 함숫값을 더한 것으로 정의합니다. 어떤 집합을 겹치지 않게 구간으로 나눌 수 있다면, 집합의 ‘길이’가 각 구간의 ‘길이’ 합이 되는 것은 자연스럽습니다.
 그리고 이 정의는 well-defined 입니다. $A \in \Sigma$ 에 대해서 서로소인 유한개 구간의 합집합으로 나타내는 방법이 유일하지 않아도, $m$ 값은 같습니다.
 **참고.** $m$은 $\Sigma$ 위에서 additive이다. 따라서 $m : \Sigma \rightarrow[0, \infty)$ 은 additive set function이다.
 여기서 추가로 regularity 조건을 만족했으면 좋겠습니다.
 **정의.** (Regularity) Set function $\mu: \Sigma \rightarrow[0, \infty]$ 가 additive라 하자. 모든 $A \in \Sigma$ 와 $\epsilon > 0$ 에 대하여
 > 닫힌집합 $F \in \Sigma$, 열린집합 $G \in \Sigma$ 가 존재하여 $F \subseteq A \subseteq G$ 이고 $\mu(G) - \epsilon \leq \mu(A) \leq \mu(F) + \epsilon$
 이면 $\mu$가 $\Sigma$ 위에서 **regular**하다고 정의한다.
 위에서 정의한 $m$이 regular한 것은 쉽게 확인할 수 있습니다.
 이제 set function $\mu: \Sigma \rightarrow[0, \infty)$ 가 finite, regular, additive 하다고 가정합니다.
 **정의.** (Outer Measure) $E \in \mathcal{P}(\mathbb{R}^p)$ 의 **outer measure** $\mu^\ast: \mathcal{P}(\mathbb{R}^p) \rightarrow[0, \infty]$ 는
 $$\mu^\ast(E) = \inf \left\lbrace \sum_ {n=1}^\infty \mu(A_n) : \text{열린집합 } A_n \in \Sigma \text{ 에 대하여 } E \subseteq\bigcup_ {n=1}^\infty A_n\right\rbrace.$$
 로 정의한다.
 Outer measure라 부르는 이유는 $E$의 바깥에서 길이를 재서 근사하기 때문입니다. Outer measure는 모든 power set에 대해서 정의할 수 있으니, 이를 이용해서 모든 집합을 잴 수 있으면 좋겠습니다. 하지만 measure가 되려면 countably additive 해야하는데, 이 조건이 가장 만족하기 까다로운 조건입니다. 실제로 countably additive 조건이 성립하지 않습니다.
 **참고.**
 - $\mu^\ast \geq 0$ 이다.
 - $E_1 \subseteq E_2$ 이면 $\mu^\ast(E_1) \leq \mu^\ast(E_2)$ 이다. (단조성)
 **정리.**
 1. $A \in \Sigma$ 이면 $\mu^\ast(A) = \mu(A)$.[^1]
 2. Countable subadditivity가 성립한다.
 	$$\mu^\ast\left( \bigcup_ {n=1}^\infty E_n \right) \leq \sum_ {n=1}^\infty \mu^\ast(E_n), \quad (\forall E_n \in \mathcal{P}(\mathbb{R}^p))$$
 **증명.**
 (1) $A \in \Sigma$, $\epsilon > 0$ 라 두자. $\mu$의 regularity를 이용하면, 열린집합 $G \in \Sigma$ 가 존재하여 $A \subseteq G$ 이고
 $$\mu^\ast(A) \leq \mu(G) \leq \mu(A) + \epsilon$$
 이다. $\mu^\ast$의 정의에 의해 열린집합 $A_n \in \Sigma$ 가 존재하여 $A \subseteq\displaystyle\bigcup_ {n=1}^\infty A_n$ 이고
 $$\sum_ {n=1}^\infty \mu(A_n) \leq \mu^\ast(A) + \epsilon$$
 이다. 마찬가지로 regularity에 의해 닫힌집합 $F \in \Sigma$ 가 존재하여 $F\subseteq A$ 이고 $\mu(A) \leq \mu(F) + \epsilon$ 이다. $F \subseteq\mathbb{R}^p$ 는 유계이고 닫힌집합이므로 compact set이고, finite open cover를 택할 수 있다. 즉, 적당한 $N \in \mathbb{N}$ 에 대하여 $F \subseteq\displaystyle\bigcup_ {i=1}^N A_ {i}$ 가 성립한다.
 따라서
 $$\mu(A) \leq \mu(F) + \epsilon \leq \sum_ {i=1}^N \mu(A_i) \leq \sum_ {i=1}^n \mu(A_i) + \epsilon \leq \mu^\ast(A) + 2\epsilon$$
 이제 $\epsilon \rightarrow 0$ 로 두면 $\mu(A) = \mu^\ast(A)$ 를 얻는다.
 \(2\) 부등식의 양변이 모두 $\infty$ 이면 증명할 것이 없으므로, 양변이 모두 유한하다고 가정하여 모든 $n\in \mathbb{N}$ 에 대해 $\mu^\ast(E_n) < \infty$ 라 하자. $\epsilon > 0$ 로 두고, 각 $n \in \mathbb{N}$ 에 대하여 열린집합 $A_ {n, k} \in \Sigma$ 가 존재하여 $E_n \subseteq\displaystyle\bigcup_ {k=1}^\infty A_ {n, k}$ 이고 $\displaystyle\sum_ {k=1}^\infty \mu(A_ {n,k}) \leq \mu^\ast(E_n) + 2^{-n}\epsilon$ 이다.
 $\mu^\ast$는 하한(infimum)으로 정의되었기 때문에,
 $$\mu^\ast\left( \bigcup_ {n=1}^\infty E_n \right) \leq \sum_ {n=1}^\infty \sum_ {k=1}^\infty \mu(A_ {n,k}) \leq \sum_ {n=1}^\infty \mu^\ast(E_n) + \epsilon$$
 가 성립하고, $\epsilon \rightarrow 0$ 로 두면 부등식이 성립함을 알 수 있다.
 ## $\mu$-measurable Sets
 Countably additive 조건이 성립하는 집합들만 모아서 measure를 construct 하려고 합니다. 아래 내용은 이를 위한 사전 준비 작업입니다.
 **표기법.** (대칭차집합) $A \mathop{\mathrm{\triangle}}B = (A\setminus B) \cup (B \setminus A)$.
 **정의.**
 - $d(A, B) = \mu^\ast(A \mathop{\mathrm{\triangle}}B)$ 로 정의한다.
 - 집합열 $A_n$에 대하여 $d(A_n, A) \rightarrow 0$ 이면 $A_n \rightarrow A$ 로 정의한다.
 **참고.**
 - $A, B, C \in \mathbb{R}^p$ 에 대하여 $d(A, B) \leq d(A, C) + d(C, B)$ 이다.
 - $A_1, B_2, B_1, B_2 \in \mathbb{R}^p$ 일 때, 다음이 성립한다.
 	$$\left.\begin{array}{c}d(A_1 \cup A_2, B_1 \cup B_2) \\d(A_1 \cap A_2, B_1 \cap B_2) \\d(A_1 \setminus A_2, B_1 \setminus B_2)\end{array}\right\rbrace\leq d(A_1, B_1) + d(A_2, B_2).$$
 **정의.** (Finitely $\mu$-measurable) 집합 $A_n \in \Sigma$ 이 존재하여 $A_n \rightarrow A$ 이면 $A$가 **finitely $\mu$-measurable**이라 한다. 그리고 finitely $\mu$-measurable한 집합의 모임을 $\mathfrak{M} _ F(\mu)$로 표기한다.
 위 정의는 $\mu$라는 set function에 의해 $\mu^\ast (A_n \mathop{\mathrm{\triangle}}A) \rightarrow 0$ 이 되는 elementary set $A_n$이 존재한다는 의미입니다.
 **정의.** ($\mu$-measurable) $A_n \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 이면 $A$가 **$\mu$-measurable**이라 한다. 그리고 $\mu$-measurable한 집합의 모임을 $\mathfrak{M}(\mu)$로 표기한다.
 **참고.** $\mu^\ast(A) = d(A, \varnothing) \leq d(A, B) + \mu^\ast(B)$.
 **명제.** $\mu^\ast(A)$ 또는 $\mu^\ast(B)$가 유한하면, 다음이 성립한다.
 $$\lvert \mu^\ast(A) - \mu^\ast(B) \rvert \leq d(A, B).$$
 **따름정리.** $A \in \mathfrak{M} _ F(\mu)$ 이면 $\mu^\ast(A) < \infty$ 이다.
 **증명.** $A_n \in \Sigma$ 가 존재하여 $A_n \rightarrow A$ 이고, $N \in \mathbb{N}$ 이 존재하여
 $$\mu^\ast(A) \leq d(A_N, A) + \mu^\ast(A_N) \leq 1 + \mu^\ast(A_N) < \infty$$
 이다.
 **따름정리.** $A_n \rightarrow A$ 이고 $A_n, A \in \mathfrak{M} _ F(\mu)$ 이면 $\mu^\ast(A_n)\rightarrow\mu^\ast(A) < \infty$ 이다.
 **증명.** $\mu^\ast(A)$, $\mu^\ast(A_n)$가 유한하므로, $n \rightarrow\infty$ 일 때 $\lvert \mu^\ast(A_n) - \mu^\ast(A) \rvert \leq d(A_n, A) \rightarrow 0$ 이다.
 ## Construction of Measure
 준비가 끝났으니 measure를 construct 해보겠습니다! $\mathcal{P}(\mathbb{R}^p)$에서는 할 수 없지만 정의역을 $\mathfrak{M}(\mu)$로 조금 좁히면 measure가 된다는 뜻입니다.
 **정리.** $\mathfrak{M}(\mu)$는 $\sigma$-algebra 이고 $\mu^\ast$는 $\mathfrak{M}(\mu)$의 measure가 된다.
 **증명.** $\mathfrak{M}(\mu)$가 $\sigma$-algebra이고 $\mu^\ast$가 $\mathfrak{M}(\mu)$에서 countably additive임을 보이면 충분하다.
 **(Step 0)** *$\mathfrak{M} _ F(\mu)$는 ring이다.*
 $A, B \in \mathfrak{M} _ F(\mu)$ 라 하자. 그러면 $A_n, B_n \in \Sigma$ 이 존재하여 $A_n \rightarrow A$, $B_n \rightarrow B$ 이 된다. 그러면
 $$\left.\begin{array}{c}d(A_n \cup B_n, A \cup B) \\ d(A_n \cap B_n, A \cap B) \\ d(A_n \setminus B_n, A \setminus B)\end{array}\right\rbrace\leq d(A_n, A) + d(B_n, B) \rightarrow 0$$
 이므로 $A_n \cup B_n \rightarrow A \cup B, A_n \setminus B_n \rightarrow A\setminus B$ 이기 때문에 $\mathfrak{M} _ F(\mu)$는 ring이다.
 **(Step 1)** *$\mu^\ast$는 $\mathfrak{M} _ F(\mu)$ 위에서 additive이다*.
 $\Sigma$ 위에서는 $\mu = \mu^\ast$ 이므로, 위 따름정리에 의해
 $$\begin{matrix} \mu(A_n) \rightarrow\mu^\ast(A), & \mu(A_n\cup B_n) \rightarrow\mu^\ast(A\cup B), \\ \mu(B_n) \rightarrow\mu^\ast(B), & \mu(A_n\cap B_n) \rightarrow\mu^\ast(A\cap B) \end{matrix}$$
 가 성립함을 알 수 있다. 일반적으로 $\mu(A_n) + \mu(B_n) = \mu(A_n \cup B_n) + \mu(A_n \cap B_n)$ 이므로 여기서 $n \rightarrow\infty$ 로 두면
 $$\mu^\ast(A) + \mu^\ast(B) = \mu^\ast(A\cup B) + \mu^\ast(A \cap B)$$
 를 얻는다. $A \cap B = \varnothing$ 라는 조건이 추가되면 $\mu^\ast$가 additive임을 알 수 있다.
 **(Step 2)** *$\mathfrak{M} _ F(\mu) = \lbrace A \in \mathfrak{M}(\mu) : \mu^\ast(A) < \infty\rbrace$.*[^2]
 **Claim**. 쌍마다 서로소인 $\mathfrak{M} _ F(\mu)$의 원소들을 잡아 이들의 합집합으로 $A \in \mathfrak{M}(\mu)$ 를 표현할 수 있다.
 **증명.** $A_n' \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \bigcup A_n'$ 로 두자.
 > $A_1 = A_1'$, $n \geq 2$ 이면 $A_n = A_n' \setminus(A_1'\cup \cdots \cup A_ {n-1}')$
 와 같이 정의하면 $A_n$이 쌍마다 서로소이고 $A_n \in \mathfrak{M} _ F(\mu)$ 임을 알 수 있다.
 위 사실을 이용하여 $A_n \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 으로 두자.
 1. Countable subadditivity에 의해 $\displaystyle\mu^\ast(A) \leq \sum_ {n=1}^{\infty} \mu^\ast (A_n)$ 가 성립한다.
 2. Step 1에 의해 $\displaystyle\bigcup_ {n=1}^k A_n \subseteq A$, $\displaystyle\sum_ {n=1}^{k} \mu^\ast(A_n) \leq \mu^\ast(A)$ 이다. $k \rightarrow\infty$ 로 두면 $\displaystyle\mu^\ast(A) \geq \sum_ {n=1}^\infty \mu^\ast(A_n)$ 임을 알 수 있다.
 따라서 $\displaystyle\mu^\ast(A) = \sum_ {n=1}^\infty \mu^\ast(A_n)$ 이다.[^3] [^4]
 이제 $B_n =\displaystyle\bigcup_ {k=1}^n A_k$ 로 두자. $\mu^\ast(A) < \infty$ 를 가정하면 $\displaystyle\sum_ {n=1}^\infty \mu^\ast(A_n)$의 수렴성에 의해
 $$\displaystyle d(A, B_n) = \mu^\ast\left( \bigcup_ {k=n+1}^\infty A_k \right) = \sum_ {k=n+1}^{\infty} \mu^\ast(A_i) \rightarrow 0 \text{ as } n \rightarrow\infty$$
 임을 알 수 있다.
 $B_n \in \mathfrak{M} _ F(\mu)$ 이므로 $C_n \in \Sigma$ 를 잡아 각 $n \in \mathbb{N}$ 에 대하여 $d(B_n, C_n)$를 임의로 작게 만들 수 있다. 그러면 $d(A, C_n) \leq d(A, B_n) + d(B_n, C_n)$ 이므로 충분히 큰 $n$에 대하여 $d(A, C_n)$도 임의로 작게 만들 수 있다. 따라서 $C_n \rightarrow A$ 임을 알 수 있고 $A \in \mathfrak{M} _ F(\mu)$ 라는 결론을 내릴 수 있다.
 **(Step 3)** *$\mu^\ast$는 $\mathfrak{M}(\mu)$ 위에서 countably additive이다.*
 $A_n \in \mathfrak{M}(\mu)$ 가 $A \in \mathfrak{M}(\mu)$ 의 분할이라 하자. 적당한 $m \in \mathbb{N}$ 에 대하여 $\mu^\ast(A_m) = \infty$ 이면
 $$\mu^\ast\left( \bigcup_ {n=1}^\infty A_n \right) \geq \mu^\ast(A_m) = \infty = \sum_ {n=1}^\infty \mu^\ast(A_n)$$
 이므로 countable additivity가 성립한다.
 이제 모든 $n\in \mathbb{N}$ 에 대하여 $\mu^\ast(A_n) < \infty$ 이면, Step 2에 의해 $A_n \in \mathfrak{M} _ F(\mu)$ 이고
 $$\mu^\ast(A) = \mu^\ast\left( \bigcup_ {n=1}^\infty A_n \right) = \sum_ {n=1}^\infty \mu^\ast(A_n)$$
 가 성립한다.
 **(Step 4)** *$\mathfrak{M}(\mu)$는 $\sigma$-ring이다.*
 $A_n \in \mathfrak{M}(\mu)$ 이면 $B_ {n, k} \in \mathfrak{M} _ F(\mu)$ 가 존재하여 $\displaystyle A_n = \bigcup_k B_ {n,k}$ 이다. 그러면
 $$\bigcup_n A_n = \bigcup_ {n, k} B_ {n, k} \in \mathfrak{M}(\mu)$$
 이다.
 $A, B \in \mathfrak{M}(\mu)$ 라 하면 $A_n, B_n \in \mathfrak{M} _ F(\mu)$ 에 대해 $\displaystyle A = \bigcup A_n$, $\displaystyle B = \bigcup B_n$ 이므로,
 $$A \setminus B = \bigcup_ {n=1}^\infty \left( A_n \setminus B \right) = \bigcup_ {n=1}^\infty (A_n\setminus(A_n\cap B))$$
 임을 알 수 있다. 그러므로 $A_n \cap B \in \mathfrak{M} _ F(\mu)$ 인 것만 보이면 충분하다. 정의에 의해
 $$A_n \cap B = \bigcup_ {k=1}^\infty (A_n \cap B_k) \in \mathfrak{M}(\mu)$$
 이고 $\mu^\ast(A_n \cap B) \leq \mu^\ast(A_n) < \infty$ 이므로 $A_n\cap B \in \mathfrak{M} _ F(\mu)$ 이다. 따라서 $A \setminus B$ 가 $\mathfrak{M} _ F(\mu)$의 원소들의 countable 합집합으로 표현되므로 $A\setminus B \in \mathfrak{M}(\mu)$ 이다.
 따라서 $\mathfrak{M}(\mu)$는 $\sigma$-ring이고 $\sigma$-algebra이다.
 ---
 이제 $\Sigma$ 위의 $\mu$ 정의를 $\mathfrak{M}(\mu)$ ($\sigma$-algebra)로 확장하여 $\mathfrak{M}(\mu)$ 위에서는 $\mu = \mu^\ast$ 로 정의합니다. $\Sigma$ 위에서 $\mu = m$ 일 때, 이와 같이 확장한 $\mathfrak{M}(m)$ 위의 $m$을 **Lebesgue measure** on $\mathbb{R}^p$라 합니다. 그리고 $A \in \mathfrak{M}(m)$ 를 Lebesgue measurable set이라 합니다.
 [^1]: $A$가 open이 아니면 자명하지 않은 명제입니다.
 [^2]: $A$가 $\mu$-measurable인데 $\mu^\ast(A) < \infty$이면 $A$는 finitely $\mu$-measurable이다.
 [^3]: $A$가 countable union of sets in $\mathfrak{M} _ F(\mu)$이므로 $\mu^\ast$도 각 set의 $\mu^\ast$의 합이 된다.
 [^4]: 아직 증명이 끝나지 않았습니다. $A_n$은 $\mathfrak{M}(\mu)$의 원소가 아니라 $\mathfrak{M} _ F(\mu)$의 원소입니다.
--- a/Theory/2023-03-25-convergence-theorems.md
+++ b/Theory/2023-03-25-convergence-theorems.md
@@ -1,200 +0,0 @@
 ---
 share: true
 toc: true
 math: true
 categories: [Mathematics, Measure Theory]
 tags: [math, analysis, measure-theory]
 title: "06. Convergence Theorems"
 date: "2023-03-25"
 github_title: "2023-03-25-convergence-theorems"
 image:
  path: /assets/img/posts/Mathematics/Measure Theory/mt-06.png
 attachment:
  folder: assets/img/posts/Mathematics/Measure Theory
 ---
 르벡 적분 이론에서 굉장히 자주 사용되는 수렴 정리에 대해 다루겠습니다. 이 정리들을 사용하면 굉장히 유용한 결과를 쉽게 얻을 수 있습니다.
 ## Monotone Convergence Theorem
 먼저 단조 수렴 정리(monotone convergence theorem, MCT)입니다. 이 정리에서는 $f_n \geq 0$ 인 것이 매우 중요합니다.
 ![mt-06.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-06.png)
 **정리.** (단조 수렴 정리) $f_n: X \rightarrow[0, \infty]$ 가 measurable이고 모든 $x \in X$ 에 대하여 $f_n(x) \leq f_ {n+1}(x)$ 라 하자.
 $$\lim_ {n\rightarrow\infty} f_n(x) = \sup_ {n} f_n(x) = f(x)$$
 로 두면,
 $$\int f \,d{\mu} = \lim_ {n\rightarrow\infty} \int f_n \,d{\mu} = \sup_ {n \in \mathbb{N}} \int f_n \,d{\mu}$$
 이다.
 **증명.**
 ($\geq$) $f_n(x) \leq f(x)$ 이므로 단조성을 이용하면 모든 $n \in \mathbb{N}$ 에 대하여 $\displaystyle\int f_n \,d{\mu} \leq \displaystyle\int f \,d{\mu}$ 이다. 따라서 다음이 성립한다.
 $$\sup_n \int f_n \,d{\mu} \leq \int f \,d{\mu}.$$
 ($\leq$) 실수 $c \in (0, 1)$ 를 잡자. 마지막에 $c \nearrow 1$ 로 둘 것이다. 이제 measurable simple function $s$가 $0 \leq s \leq f$ 라 하자. 그러면 모든 $x \in X$ 에 대하여 $c \cdot s(x) < f(x)$ 일 것이다.
 이제
 $$E_n = \lbrace x \in X : f_n(x) \geq cs(x)\rbrace$$
 으로 두면, $f_n(x) - cs(x)$ 가 measurable function이므로 $E_n$ 또한 measurable이다. 여기서 $f_n$이 증가하므로 $E_n\subseteq E_ {n+1} \subseteq\cdots$ 임을 알 수 있고 $f_n \rightarrow f$ 이므로 $\bigcup_ {n=1}^\infty E_n = X$ 이다.
 충분히 큰 $N \in \mathbb{N}$ 에 대하여 $n \geq N$ 일 때, 모든 $x$에 대하여 $f(x) \geq f_n(x) > cs(x)$ 가 되게 할 수 있다. 그리고 $f_n \geq f_n \chi_ {E_n} \geq cs \chi_ {E_n}$ 이므로
 $$\tag{\(\star\)}    \int f_n \,d{\mu} \geq \int f_n \chi_ {E_n} \,d{\mu} \geq c\int s \chi_ {E_n} \,d{\mu},$$
 이고 여기서 $s, \chi_ {E_n}$는 simple function이다. 그러므로 $s = \sum_ {k=0}^m y_k \chi_ {A_k}$ 라고 적으면
 $$s\chi_ {E_n} = \sum_ {k=0}^m y_k \chi_ {A_k\cap E_n} \implies \int s \chi_ {E_n} \,d{\mu} = \sum_ {k=0}^m y_k \mu(A_k\cap E_n)$$
 이다. $n\rightarrow\infty$ 일 때 $A_k\cap E_n \nearrow A_k$ 이므로, continuity of measure를 사용해 $\mu(A_k \cap E_n) \nearrow \mu(A_k)$ 를 얻고
 $$\lim_ {n\rightarrow\infty} \int s \chi_ {E_n}\,d{\mu} = \int s \,d{\mu}$$
 임도 알 수 있다. 이제 ($\star$)를 이용하면
 $$\lim_ {n\rightarrow\infty} \int f_n \,d{\mu} \geq c\int s \,d{\mu}$$
 이므로, $c \nearrow 1$ 로 두고 $0\leq s\leq f$ 에 대하여 $\sup$을 취하면
 $$\lim_ {n\rightarrow\infty} \int f_n \,d{\mu} \geq \sup_ {0\leq s\leq f} \int s \,d{\mu} = \int f \,d{\mu}$$
 가 되어 원하는 결과를 얻는다.
 **참고.** 만약 부등식 $0 \leq f_n \leq f_ {n+1}$ 이 정의역 전체가 아닌 정의역의 부분집합 $E$에서만 성립한다고 하면, 다음과 같이 생각할 수 있다.
 $$0 \leq f_n \chi_E \leq f_ {n+1} \chi_E \nearrow f \chi_E.$$
 그러므로 단조 수렴 정리가 $E$에서도 성립함을 알 수 있다.
 > $E$에서 $0\leq f_n \leq f_ {n+1} \nearrow f$ 이면 $\displaystyle\lim_ {n\rightarrow\infty} \int_E f_n \,d{\mu} = \int_E f \,d{\mu}$.
 **참고.** 함수열 $f_n$이 증가하는 경우에만 정리가 성립합니다. 감소하는 경우에는 반례로 함수 $f_n = \chi_ {[n, \infty)}$ 를 생각할 수 있습니다. 그러면 $n \rightarrow\infty$ 일 때 $\chi_ {[n, \infty)} \searrow 0$ 입니다.
 그러면 Lebesgue measure $m$에 대하여
 $$\infty = \int \chi_ {[n, \infty)} \,d{m} \neq \int 0 \,d{m} = 0$$
 이 되어 단조 수렴 정리가 성립하지 않음을 확인할 수 있습니다.
 ---
 지난 번에 $f \geq 0$ 가 measurable이면 증가하는 measurable simple 함수열 $s_n$이 존재함을 보였고, 이 $s_n$에 대하여 적분값을 계산하여
 $$\int_E s_n \,d{\mu} = \sum_ {i=1}^{n2^n} \frac{i - 1}{2^n}\mu\left( \left\lbrace x \in E : \frac{i-1}{2^n} \leq f(x) \leq \frac{i}{2^n}\right\rbrace \right) + n\mu(\lbrace x \in E : f(x)\geq n\rbrace)$$
 라는 결과까지 얻었습니다. 그런데 여기서
 $$f(x) = \displaystyle\lim_ {n\rightarrow\infty} s_n(x)$$
 이기 때문에, 단조 수렴 정리에 의해
 $$\int_E f \,d{\mu} = \lim_ {n\rightarrow\infty} \int_E s_n \,d{\mu}$$
 가 성립하여 기대했던 결과를 얻었습니다. 지난 번 설명한 것처럼, 이는 곧 르벡 적분은 치역을 잘게 잘라 넓이를 계산한 것으로 이해할 수 있다는 의미가 됩니다.
 ---
 다음은 단조 수렴 정리를 활용하여 유용한 결과를 쉽게 얻을 수 있는 예제입니다.
 **참고.** Measurable function $f, g \geq 0$ 과 $\alpha, \beta \in [0, \infty)$ 에 대하여 다음이 성립한다.
 $$\int_E \left( \alpha f + \beta g \right) \,d{\mu} = \alpha \int_E f \,d{\mu} + \beta \int_E g\,d{\mu}.$$
 **증명.** Measurable function은 measurable simple function으로 근사할 수 있고, $f, g \geq 0$ 이므로 단조증가하도록 잡을 수 있다. 그러므로 measurable simple function $f_n$, $g_n$에 대하여 $0 \leq f_n \leq f_ {n+1} \nearrow f$, $0 \leq g_n \leq g_ {n+1} \nearrow g$ 으로 잡는다.
 그러면 $\alpha f_n + \beta g_n \nearrow \alpha f + \beta g$ 이고 $\alpha f_n + \beta g_n$ 은 단조증가하는 measurable simple 함수열이다. 따라서 단조 수렴 정리에 의해
 $$\int_E \left( \alpha f_n + \beta g_n \right) \,d{\mu} = \alpha \int_E f_n \,d{\mu} + \beta \int_E g_n \,d{\mu} \rightarrow\alpha \int_E f \,d{\mu} + \beta \int_E g\,d{\mu}$$
 이다.
 이와 비슷한 방법을 급수에도 적용할 수 있습니다.
 **정리.** Measurable function $f_n: X \rightarrow[0, \infty]$ 에 대하여 $\sum_ {n=1}^\infty f_n$는 measurable이고, 단조 수렴 정리에 의해 다음이 성립한다.
 $$\int_E \sum_ {n=1}^\infty f_n \,d{\mu} = \sum_ {n=1}^\infty \int_E f_n \,d{\mu}.$$
 **증명.** $\sum_ {n=1}^\infty f_n$는 measurable function의 극한이므로 measurable이다. 무한급수를 부분합의 극한으로 생각하면 $f_n \geq 0$ 이므로 부분합이 증가함을 알 수 있다. 따라서 단조 수렴 정리를 적용하여 결론을 얻는다.
 ## Fatou's Lemma
 단조 수렴 정리와 동치인 수렴 정리를 하나 더 소개합니다. Fatou's lemma로 알려져 있습니다.
 **정리.** (Fatou) $f_n \geq 0$ 가 measurable이고 $E$가 measurable이라 하자. 다음이 성립한다.
 $$\int_E \liminf_ {n\rightarrow\infty} f_n \,d{\mu} \leq \liminf_ {n\rightarrow\infty} \int_E f_n \,d{\mu}.$$
 **증명.** $g_n = \displaystyle\inf_ {k \geq n} f_k$ 으로 두면 $\displaystyle\lim_ {n \rightarrow\infty} g_n = \liminf_ {n\rightarrow\infty} f_n$ 이다. $g_n$이 증가함은 쉽게 확인할 수 있으며 $g_n \geq 0$ 이다. $g_n$의 정의로부터 모든 $k \geq n$ 에 대하여 $g_n \leq f_k$ 이므로,
 $$\int_E g_n \,d{\mu} \leq \inf_ {k\geq n} \int_E f_k \,d{\mu}$$
 이다. 여기서 $n \rightarrow\infty$ 로 두면
 $$\int_E \liminf_ {n\rightarrow\infty} f_n \,d{\mu} = \lim_ {n \rightarrow\infty} \int_E g_n \,d{\mu} \leq \lim_ {n \rightarrow\infty} \inf_ {k \geq n}\int_E f_k \,d{\mu} = \liminf_ {n \rightarrow\infty} \int_E f_n \,d{\mu}$$
 이 된다. 여기서 첫 번째 등호는 단조 수렴 정리에 의해 성립한다.
 **참고.** 위 증명에서는 단조 수렴 정리를 활용했습니다. 반대로 이 정리를 가정하면 단조 수렴 정리를 증명할 수 있기도 합니다. 따라서 이 둘은 동치입니다. 증명은 생략합니다.
 **참고.** 왠지 위와 비슷한 결론이 $\limsup$에 대해서도 성립해야 할 것 같습니다. 구체적으로,
 $$\int_E \limsup_ {n \rightarrow\infty} f_n \,d{\mu} \geq \limsup_ {n \rightarrow\infty} \int_E f_n \,d{\mu}$$
 일 것 같습니다. 안타깝게도 이는 성립하지 않습니다. 반례로 앞서 소개한 $\chi_ {[n, \infty)}$를 한 번 더 가져올 수 있습니다. 좌변을 계산해 보면 0이지만, 우변을 계산해 보면 $\infty$입니다. 나중에 소개하겠지만, $\lvert f_n \rvert \leq g$ 를 만족하는 함수 $g \in \mathcal{L}^{1}$ 가 존재해야 위 부등식이 성립합니다.
 ## Properties of the Lebesgue Integral
 르벡 적분의 몇 가지 성질을 소개하고 마칩니다.
 1. $f$가 measurable이고 $E$에서 bounded이며 $\mu(E) < \infty$ 일 때, 적당한 실수 $M > 0$ 에 대하여 $\lvert f \rvert \leq M$ 이므로
 	$$\int_E \lvert f \rvert \,d{\mu} \leq \int_E M \,d{\mu} = M\mu(E) < \infty$$
 	임을 알 수 있습니다. 그러므로 $f \in \mathcal{L}^{1}(E, \mu)$ 입니다. $E$의 measure가 finite라는 가정 하에, bounded function은 모두 르벡 적분 가능합니다.
 2. $f, g \in \mathcal{L}^{1}(E, \mu)$ 이고 $E$에서 $f \leq g$ 일 때, 단조성이 성립함을 보이려고 합니다. 앞에서는 $0 \leq f \leq g$ 인 경우에만 단조성을 증명했었는데, 이를 확장하여 함수가 음의 값을 가지는 경우에도 증명하고 싶습니다. 그러므로 양수인 부분과 음수인 부분을 나누어 고려하여 다음과 같이 적을 수 있습니다.
 	$$\chi_E (x) f^+(x) \leq \chi_E(x) g^+(x), \qquad \chi_E(x) g^-(x) \leq \chi_E (x) f^-(x)$$
 	이로부터
 	$$\int_E f^+ \,d{\mu} \leq \int_E g^+ \,d{\mu} < \infty, \qquad \int_E g^- \,d{\mu} \leq \int_E f^- \,d{\mu} < \infty$$
 	를 얻습니다. 따라서
 	$$\int_E f\,d{\mu} \leq \int_E g \,d{\mu}$$
 	가 성립하고, 함수가 음의 값을 가지는 경우에도 단조성이 성립함을 알 수 있습니다.
 3. $f \in \mathcal{L}^{1}(E, \mu)$, $c \in \mathbb{R}$ 라 하면 $cf \in \mathcal{L}^{1}(E, \mu)$ 입니다. 왜냐하면
 	$$\int_E \lvert c \rvert\lvert f \rvert \,d{\mu} = \lvert c \rvert \int_E \lvert f \rvert\,d{\mu} < \infty$$
 	이기 때문입니다. 적분이 가능하니 실제 적분값을 계산할 때 선형성이 성립했으면 좋겠습니다. 앞에서는 음이 아닌 실수에 대해서만 증명했었는데, 이도 마찬가지로 확장하려 합니다. $c < 0$ 인 경우만 보이면 됩니다. 이 때, $(cf)^+ = -cf^-$, $(cf)^- = -cf^+$ 이므로, 다음이 성립합니다.
 	$$\int_E cf \,d{\mu} = \int_E (cf)^+ - \int_E (cf)^- \,d{\mu} = -c \int_E f^- \,d{\mu} - (-c) \int_E f^+ \,d{\mu} = c\int_E f\,d{\mu}.$$
 4. Measurable function $f$에 대하여 $E$에서 $a \leq f(x) \leq b$ 이고 $\mu(E) < \infty$ 일 때 다음이 성립합니다.
 	$$\int_E a \chi_E \,d{\mu} \leq \int_E f\chi_E \,d{\mu} \leq \int_E b \chi_E \,d{\mu} \implies a \mu(E) \leq \int_E f \,d{\mu} \leq b \mu(E).$$
 	$f$가 르벡 적분 가능하다는 사실은 $f$가 bounded라는 사실을 이용합니다.
 5. $f \in \mathcal{L}^{1}(E, \mu)$ 와 measurable set $A \subseteq E$ 가 주어지는 경우, $f$는 $E$의 부분집합인 $A$ 위에서도 르벡 적분 가능합니다. 이는 다음 부등식에서 확인할 수 있습니다.
 	$$\int_A \lvert f \rvert \,d{\mu} \leq \int_E \lvert f \rvert\,d{\mu} < \infty.$$
 6. 만약 measure가 0인 집합에서 적분을 하면 어떻게 될까요? $\mu(E) = 0$ 라 하고, measurable function $f$를 적분해 보겠습니다. 여기서 $\min\lbrace \lvert f \rvert, n\rbrace\chi_E$ 도 measurable이며 $n \rightarrow\infty$ 일 때 $\min\lbrace \lvert f \rvert, n\rbrace\chi_E \nearrow \lvert f \rvert\chi_E$ 임을 이용합니다. 마지막으로 단조 수렴 정리를 적용하면
 	$$\begin{aligned}                    \int_E \lvert f \rvert \,d{\mu} &= \lim_ {n \rightarrow\infty} \int_E \min\lbrace \lvert f \rvert, n\rbrace \,d{\mu} \\                    &\leq \lim_ {n \rightarrow\infty} \int_E n \,d{\mu} = \lim_ {n \rightarrow\infty} n\mu(E) = 0                  \end{aligned}$$
 	임을 얻습니다. 따라서 $f \in \mathcal{L}^{1}(E, \mu)$ 이고, $\displaystyle\int_E f \,d{\mu} = 0$ 가 되어 적분값이 0임을 알 수 있습니다. 즉, measure가 0인 집합 위에서 적분하면 그 결과는 0이 됩니다.[^1]
 [^1]: 편의상 $0\cdot\infty = 0$ 으로 정의했기 때문에 $f \equiv \infty$ 인 경우에도 성립합니다.
--- a/Theory/2023-06-20-comparison-with-riemann-integral.md
+++ b/Theory/2023-06-20-comparison-with-riemann-integral.md
@@ -1,130 +0,0 @@
 ---
 share: true
 toc: true
 math: true
 categories: [Mathematics, Measure Theory]
 tags: [math, analysis, measure-theory]
 title: "08. Comparison with the Riemann Integral"
 date: "2023-06-20"
 github_title: "2023-06-20-comparison-with-riemann-integral"
 image:
  path: /assets/img/posts/Mathematics/Measure Theory/mt-08.png
 attachment:
  folder: assets/img/posts/Mathematics/Measure Theory
 ---
 ![mt-08.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-08.png)
 ## Comparison with the Riemann Integral
 먼저 혼동을 막기 위해 Lebesgue measure $m$에 대하여 르벡 적분을
 $$\int_ {[a, b]} f \,d{m} = \int_ {[a, b]} f \,d{x} = \int_a^b f \,d{x}$$
 와 같이 표기하고, 리만 적분은
 $$\mathcal{R}\int_a^b f\,d{x}$$
 로 표기하겠습니다.
 **정리.** $a, b \in \mathbb{R}$ 에 대하여 $a < b$ 이고 함수 $f$가 유계라고 하자.
 1. $f \in \mathcal{R}[a, b]$ 이면 $f \in \mathcal{L}^{1}[a, b]$ 이고 $\displaystyle\int_a^b f\,d{x} = \mathcal{R}\int_a^b f \,d{x}$ 이다.
 2. $f \in \mathcal{R}[a, b]$ $\iff$ $f$가 연속 $m$-a.e. on $[a, b]$.
 쉽게 풀어서 적어보면, (1)은 $f$가 $[a, b]$에서 리만 적분 가능하면 르벡 적분 또한 가능하며, 적분 값이 같다는 의미입니다. 즉 르벡 적분이 리만 적분보다 더 강력하다는 것을 알 수 있습니다.
 또한 (2)는 리만 적분 가능성에 대한 동치 조건을 알려줍니다. Almost everywhere라는 조건이 붙었기 때문에, $\mathcal{L}^1$의 equivalence class를 고려하면 사실상 연속함수에 대해서만 리만 적분이 가능하다는 뜻이 됩니다.
 **증명.** $k \in \mathbb{N}$ 에 대하여 구간 $[a, b]$의 분할 $P_k = \lbrace a = x_0^k < x_1^k < \cdots < x_ {n_k}^k = b\rbrace$ 를 잡는다. 단 $P_k \subseteq P_ {k+1}$ (refinement) 이고 $\lvert x_ {i}^k - x_ {i-1}^k \rvert < \frac{1}{k}$ 이 되도록 한다.
 그러면 리만 적분의 정의로부터
 $$\lim_ {k \rightarrow\infty} L(P_k, f) = \mathcal{R}\underline{\int_ {a}^{b}} f\,d{x}, \quad \lim_ {k \rightarrow\infty} U(P_k, f) = \mathcal{R} \overline{\int_ {a}^{b}} f \,d{x}$$
 임을 알 수 있다.
 이제 measurable simple function $U_k, L_k$를 다음과 같이 잡는다.
 $$U_k = \sum_ {i=1}^{n_k} \sup_ {x_ {i-1}^k \leq y \leq x_ {i}^k} f(y) \chi_ {(x_ {i-1}^k, x_i^k]}, \quad L_k = \sum_ {i=1}^{n_k} \inf_ {x_ {i-1}^k \leq y \leq x_ {i}^k} f(y) \chi_ {(x_ {i-1}^k, x_i^k]}.$$
 그러면 구간 $[a, b]$ 위에서 $L_k \leq f \leq U_k$인 것은 당연하고, 르벡 적분이 가능하므로
 $$\int_a^b L_k \,d{x} = L(P_k, f), \quad \int_a^b U_k \,d{x} = U(P_k, f)$$
 이 됨을 알 수 있다. 여기서 $P_k \subseteq P_ {k + 1}$ 이 되도록 잡았기 때문에, $L_k$는 증가하는 수열, $U_k$는 감소하는 수열이다.
 그러므로
 $$L(x) = \lim_ {k \rightarrow\infty} L_k(x), \quad U(x) = \lim_ {k \rightarrow\infty} U_k(x)$$
 로 정의했을 때, 극한이 존재함을 알 수 있다. 여기서 $f, L_k, U_k$가 모두 유계인 함수이므로 지배 수렴 정리에 의해
 $$\int_a^b L \,d{x} = \lim_ {k \rightarrow\infty} \int_a^b L_k \,d{x} = \lim_ {k \rightarrow\infty} L(P_k, f) = \mathcal{R}\underline{\int_ {a}^{b}} f\,d{x} < \infty,$$
 $$\int_a^b U\,d{x} = \lim_ {k \rightarrow\infty} \int_a^b U_k \,d{x} = \lim_ {k \rightarrow\infty} U(P_k, f) = \mathcal{R} \overline{\int_ {a}^{b}} f \,d{x} < \infty$$
 이므로 $L, U \in \mathcal{L}^{1}[a, b]$ 이다.
 위 사실을 종합하면 $f \in \mathcal{R}[a, b]$ 일 때,
 $$\mathcal{R}\underline{\int_ {a}^{b}} f\,d{x} = \mathcal{R}\overline{\int_ {a}^{b}} f\,d{x}$$
 이므로
 $$\int_a^b (U - L)\,d{x} = 0$$
 가 되어 $U = L$ $m$-a.e. on $[a, b]$라는 사실을 알 수 있다. 역으로 이를 거꾸로 읽어보면 $U = L$ $m$-a.e. on $[a, b]$일 때 $f \in \mathcal{R}[a, b]$ 가 되는 것 또한 알 수 있다.
 (1) 위 논의에 의해 $f \in \mathcal{R}[a, b]$ 이면 $f = U = L$ a.e. on $[a, b]$ 이다. 따라서 $f$는 measurable.
 $$\int_a^b f \,d{x} = \mathcal{R}\int_a^b f\,d{x} < \infty \implies f \in \mathcal{L}^{1}[a, b].$$
 (2) 만약 $x \notin \bigcup_ {k=1}^{\infty} P_k$ 라고 가정하면, 임의의 $\epsilon > 0$ 에 대해 충분히 큰 $n \in \mathbb{N}$ 을 잡았을 때 적당한 $j_0 \in \mathbb{N}$ 이 존재하여 $x \in (t_ {j_0-1}^n, t_ {j_0}^n)$ 이면서
 $$\lvert L_n(x) - L(x) \rvert + \lvert U_n(x) - U(x) \rvert < \epsilon$$
 이 되도록 할 수 있다. 그러면 $y \in (t_ {j_0-1}^n, t_ {j_0}^n)$ 일 때
 $$\begin{aligned}        \lvert f(x) - f(y) \rvert & \leq M_ {j_0}^n - m_ {j_0}^n = M_ {j_0}^n - U(x) + U(x) - L(x) + L(x) - m_ {j_0}^n \\                          & \leq U(x) - L(x) + \epsilon    \end{aligned}$$
 가 됨을 알 수 있다.
 위 부등식에 의해 $y \in \lbrace x : U(x) = L(x)\rbrace \setminus\bigcup_ {k=1}^{\infty} P_k$ 이면 $f$가 $y$에서 연속임을 알 수 있게 된다.
 따라서, $f$가 연속인 점들의 집합을 $C_f$라 하면
 $$\lbrace x : U(x) = L(x)\rbrace \setminus\bigcup_ {k=1}^{\infty} P_k \subseteq C_f \subseteq\lbrace x : U(x) = L(x)\rbrace$$
 이 된다. 한편 $\bigcup_ {k=1}^{\infty} P_k$는 measure가 0 이므로, $U = L$ $m$-a.e. 인 것과 $f$가 연속 $m$-a.e. 인 것은 동치이다. 위 논의의 결과를 이용하면 $f \in \mathcal{R}[a, b]$ 인 것과 $f$가 연속 $m$-a.e. 인 것은 동치이다.
 아래는 증명의 부산물입니다.
 **참고.**
 1. $x \notin \bigcup_ {k=1}^\infty P_k$ 이면 $f$가 $x$에서 연속 $\iff f(x) = U(x) = L(x)$ 이다.
 2. $L(x) \leq f(x) \leq U(x)$ 이고 measurable function의 극한인 $L(x), U(x)$ 또한 measurable이다.
 3. $f$가 유계라는 조건이 있기 때문에 $f \geq 0$ 인 경우만 생각해도 충분하다. $\lvert f \rvert \leq M$ 라고 하면 $f$ 대신 $f + M$ 을 생각하면 되기 때문이다.
 이제 리만 적분의 유용한 성질들을 가지고 와서 사용할 수 있습니다.
 1. $f \geq 0$ 이고 measurable일 때, $f_n = f\chi_ {[0, n]}$으로 정의한다. 단조 수렴 정리에 의해
 	$$\int_0^\infty f \,d{x} = \lim_ {n \rightarrow\infty} \int_0^\infty f_n \,d{x} = \lim_ {n \rightarrow\infty} \int_0^n f \,d{x}$$
 	이다. 마지막 적분을 리만 적분으로 계산할 수 있다.
 2. 닫힌 유계 구간 $I \subseteq(0, \infty)$ 에 대하여 $f \in \mathcal{R}(I)$ 라 하면 $f \in \mathcal{L}^{1}(I)$ 이다. $f_n = f\chi_ {[0, n]}$ 으로 잡으면 $\lvert f_n \rvert \leq f$ 이므로 지배 수렴 정리를 적용하여
 	$$\int_0^\infty f \,d{x} = \lim_ {n \rightarrow\infty} \int_0^\infty f_n \,d{x} = \lim_ {n \rightarrow\infty} \int_0^n f \,d{x} = \lim_ {n \rightarrow\infty} \mathcal{R} \int_0^n f \,d{x}$$
 	임을 알 수 있다.
 마찬가지로 $f_n = f\chi_ {(1/n, 1)}$ 으로 잡은 경우에도 지배 수렴 정리에 의해
 $$\int_0^1 f\,d{x} = \lim_ {n \rightarrow\infty} \int_ {0}^1 f_n \,d{x} = \lim_ {n \rightarrow\infty}\int_ {1/n}^1 f \,d{x} = \lim_ {n \rightarrow\infty} \mathcal{R}\int_ {1/n}^1 f \,d{x}$$
 이 된다.
--- a/Theory/2023-07-31-Lp-functions.md
+++ b/Theory/2023-07-31-Lp-functions.md
@@ -1,210 +0,0 @@
 ---
 share: true
 toc: true
 math: true
 categories: [Mathematics, Measure Theory]
 tags: [math, analysis, measure-theory]
 title: "09. $\\mathcal{L}^p$ Functions"
 date: "2023-07-31"
 github_title: "2023-07-31-Lp-functions"
 image:
  path: /assets/img/posts/Mathematics/Measure Theory/mt-09.png
 attachment:
  folder: assets/img/posts/Mathematics/Measure Theory
 ---
 ![mt-09.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-09.png){: .w-50}
 ## Integration on Complex Valued Function
 Let $(X, \mathscr{F}, \mu)$ be a measure space, and $E \in \mathscr{F}$.
 **정의.**
 1. A complex valued function $f = u + iv$, (where $u, v$ are real functions) is measurable if $u$ and $v$ are both measurable.
 2. For a complex function $f$,
 	$$f \in \mathcal{L}^{1}(E, \mu) \iff  \int_E \left\lvert  f \right\rvert  \,d{\mu} < \infty \iff u, v \in \mathcal{L}^{1}(E, \mu).$$
 3. If $f = u + iv \in \mathcal{L}^{1}(E, \mu)$, we define
 	$$\int_E f \,d{\mu} = \int_E u \,d{\mu} + i\int_E v \,d{\mu}.$$
 **참고.**
 1. Linearity also holds for complex valued functions. For $f_1, f_2 \in \mathcal{L}^{1}(\mu)$ and $\alpha \in \mathbb{C}$,
 	$$\int_E \left( f_1 + \alpha f_2 \right) \,d{\mu} = \int_E f_1 \,d{\mu} +  \alpha \int_E f_2 \,d{\mu}.$$
 2. Choose $c \in \mathbb{C}$ and $\left\lvert  c \right\rvert  = 1$ such that $\displaystyle c \int_E f \,d{\mu} \geq 0$. This is possible since multiplying by $c$ is equivalent to a rotation.
 Now set $cf = u + vi$ where $u, v$ are real functions and the integral of $v$ over $E$ is $0$. Then,
 $$\begin{aligned}                      \left\lvert  \int_E f \,d{\mu} \right\rvert  & = c \int_E f\,d{\mu} = \int_E u \,d{\mu}              \\                                             & \leq \int_E (u^2+v^2)^{1/2} \,d{\mu}                 \\                                             & = \int_E \left\lvert  cf \right\rvert  \,d{\mu} = \int_E \left\lvert  f \right\rvert  \,d{\mu}.                  \end{aligned}$$
 ## Functions of Class $\mathcal{L}^{p}$
 ### $\mathcal{L}^p$ Space
 Assume that $(X, \mathscr{F}, \mu)$ is given and $X = E$.
 **정의.** ($\mathcal{L}^{p}$) A complex function $f$ is in $\mathcal{L}^{p}(\mu)$ if $f$ is measurable and $\displaystyle\int_E \left\lvert  f \right\rvert ^p \,d{\mu} < \infty$.
 **정의.** ($\mathcal{L}^{p}$-norm) **$\mathcal{L}^{p}$-norm** of $f$ is defined as
 $$\left\lVert f \right\rVert_p = \left[\int_E \left\lvert  f \right\rvert ^p \,d{\mu} \right]^{1/p}.$$
 ### Inequalities
 **정리.** (Young Inequality) For $a, b \geq 0$, if $p > 1$ and $1/p + 1/q = 1$, then
 $$ab \leq \frac{a^p}{p} + \frac{b^q}{q}.$$
 **증명.** From $1/p + 1/q = 1$, $p - 1 = \frac{1}{q - 1}$. The graph $y = x^{p - 1}$ is equal to the graph of $x = y^{q - 1}$. Sketch the graph on the $xy$-plane and consider the area bounded by $x = 0$, $x = a$, $y = 0$, $y = b$. Then we directly see that
 $$\int_0^a x^{p-1} \,d{x} + \int_0^b y^{q-1} \,d{y} \geq ab,$$
 with equality when $a^p = b^q$. Evaluating the integral gives the desired inequality.
 **참고.** For $\mathscr{F}$-measurable $f, g$ on $X$,
 $$\left\lvert  fg \right\rvert  \leq \frac{\left\lvert  f \right\rvert ^p}{p} + \frac{\left\lvert  g \right\rvert ^q}{q} \implies \left\lVert fg \right\rVert_1 \leq \frac{\left\lVert f \right\rVert_p^p}{p} + \frac{\left\lVert g \right\rVert_q^q}{q}$$
 by Young inequality. In particular, if $\left\lVert f \right\rVert_p = \left\lVert g \right\rVert_q = 1$, then $\left\lVert fg \right\rVert_1 \leq 1$.
 **정리.** (Hölder Inequality) Let $1 < p < \infty$ and $\displaystyle\frac{1}{p} + \frac{1}{q} = 1$. If $f, g$ are measurable,
 $$\left\lVert fg \right\rVert_1 \leq \left\lVert f \right\rVert_p \left\lVert g \right\rVert_q.$$
 So if $f \in \mathcal{L}^{p}(\mu)$ and $g \in \mathcal{L}^{q}(\mu)$, then $fg \in \mathcal{L}^{1}(\mu)$.
 **증명.** If $\left\lVert f \right\rVert_p = 0$ or $\left\lVert g \right\rVert_q = 0$ then $f = 0$ a.e. or $g = 0$ a.e. So $fg = 0$ a.e. and $\left\lVert fg \right\rVert_1 = 0$.
 Now suppose that $\left\lVert f \right\rVert_p > 0$ and $\left\lVert g \right\rVert_q > 0$. By the remark above, the result directly follows from
 $$\left\lVert \frac{f}{\left\lVert f \right\rVert_p} \cdot \frac{g}{\left\lVert g \right\rVert_q} \right\rVert_1 \leq 1.$$
 **정리.** (Minkowski Inequality) For $1 \leq p < \infty$, if $f, g$ are measurable, then
 $$\left\lVert f + g \right\rVert_p \leq \left\lVert f \right\rVert_p + \left\lVert g \right\rVert_p.$$
 **증명.** If $f, g \notin \mathcal{L}^{p}$, the right hand side is $\infty$ and we are done. For $p = 1$, the equality is equivalent to the triangle inequality. Also if $\left\lVert f + g \right\rVert_p = 0$, the inequality holds trivially. We suppose that $p > 1$, $f, g \in \mathcal{L}^p$ and $\left\lVert f+g \right\rVert_p > 0$.
 Let $q = \frac{p}{p-1}$. Since
 $$\begin{aligned}        \left\lvert  f + g \right\rvert ^p & = \left\lvert  f + g \right\rvert \cdot \left\lvert  f + g \right\rvert ^{p - 1}                \\                      & \leq \bigl(\left\lvert  f \right\rvert  + \left\lvert  g \right\rvert \bigr) \left\lvert  f + g \right\rvert ^{p-1},    \end{aligned}$$
 we have
 $$\begin{aligned}        \int \left\lvert  f+g \right\rvert ^p & \leq \int \left\lvert  f \right\rvert  \cdot \left\lvert  f+g \right\rvert ^{p-1} + \int \left\lvert  g \right\rvert  \cdot \left\lvert  f+g \right\rvert ^{p-1} \\                         & \leq \left( \int \left\lvert  f \right\rvert ^p  \right)^{1/p}\left( \int \left\lvert  f+g \right\rvert ^{(p-1)q} \right)^{1/q}      \\                         & \quad + \left( \int \left\lvert  q \right\rvert ^p  \right)^{1/p}\left( \int \left\lvert  f+g \right\rvert ^{(p-1)q} \right)^{1/q}   \\                         & = \left( \left\lVert f \right\rVert_p + \left\lVert g \right\rVert_p \right) \left( \int \left\lvert  f+g \right\rvert ^p \right)^{1/q}.    \end{aligned}$$
 Since $\left\lVert f + g \right\rVert_p^p > 0$, we have
 $$\begin{aligned}        \left\lVert f + g \right\rVert_p & = \left( \int \left\lvert  f+g \right\rvert ^p \right)^{1/p}             \\                       & = \left( \int \left\lvert  f+g \right\rvert ^p \right)^{1 - \frac{1}{q}} \\                       & \leq \left\lVert f \right\rVert_p + \left\lVert g \right\rVert_p.    \end{aligned}$$
 **정의.** $f \sim g \iff f = g$ $\mu$-a.e. and define
 $$[f] = \left\lbrace g : f \sim g\right\rbrace.$$
 We treat $[f]$ as an element in $\mathcal{L}^{p}(X, \mu)$, and write $f = [f]$.
 **참고.**
 1. We write $\left\lVert f \right\rVert_p = 0 \iff f = [0] = 0$ in the sense that $f = 0$ $\mu$-a.e.
 2. Now $\lVert \cdot \rVert_p$ is a **norm** in $\mathcal{L}^{p}(X, \mu)$ so $d(f, g) = \left\lVert f - g \right\rVert_p$ is a **metric** in $\mathcal{L}^{p}(X, \mu)$.
 ## Completeness of $\mathcal{L}^p$
 Now we have a *function space*, so we are interested in its *completeness*.
 **정의.** (Convergence in $\mathcal{L}^p$) Let $f, f_n \in \mathcal{L}^{p}(\mu)$.
 1. $f_n \rightarrow f$ in $\mathcal{L}^p(\mu) \iff \left\lVert f_n-f \right\rVert_p \rightarrow 0$ as $n \rightarrow\infty$.
 2. $\left( f_n \right)_{n=1}^\infty$ is a Cauchy sequence in $\mathcal{L}^{p}(\mu)$ if and only if
 > $\forall \epsilon > 0$, $\exists\,N > 0$ such that $n, m \geq N \implies \left\lVert f_n-f_m \right\rVert_p < \epsilon$.
 **도움정리.** Let $\left( g_n \right)$ be a sequence of measurable functions. Then,
 $$\left\lVert \sum_{n=1}^{\infty} \left\lvert  g_n \right\rvert  \right\rVert_p \leq \sum_{n=1}^{\infty} \left\lVert g_n \right\rVert_p.$$
 Thus, if $\displaystyle\sum_{n=1}^{\infty} \left\lVert g_n \right\rVert_p < \infty$, then $\displaystyle\sum_{n=1}^{\infty} \left\lvert  g_n \right\rvert  < \infty$ $\mu$-a.e. So $\displaystyle\sum_{n=1}^{\infty} g_n < \infty$ $\mu$-a.e.
 **증명.** By monotone convergence theorem and Minkowski inequality,
 $$\begin{aligned}        \left\lVert \sum_{n=1}^{\infty} \left\lvert  g_n \right\rvert  \right\rVert_p & = \lim_{m \rightarrow\infty} \left\lVert \sum_{n=1}^{m} \left\lvert  g_n \right\rvert  \right\rVert_p \\                                               & \leq \lim_{n \rightarrow\infty} \sum_{n=1}^{m} \left\lVert g_n \right\rVert_p    \\                                               & = \sum_{n=1}^{\infty} \left\lVert g_n \right\rVert_p < \infty.    \end{aligned}$$
 Thus $\displaystyle\sum_{n=1}^{\infty} \left\lvert  g_n \right\rvert  < \infty$ $\mu$-a.e. and $\displaystyle\sum_{n=1}^{\infty} g_n < \infty$ $\mu$-a.e. by absolute convergence.
 **정리.** (Fischer) Suppose $\left( f_n \right)$ is a Cauchy sequence in $\mathcal{L}^{p}(\mu)$. Then there exists $f \in \mathcal{L}^{p}(\mu)$ such that $f_n \rightarrow f$ in $\mathcal{L}^{p}(\mu)$.
 **증명.** We construct $\left( n_k \right)$ by the following procedure.
 $\exists\,n_1 \in \mathbb{N}$ such that $\left\lVert f_m - f_{n_1} \right\rVert_p < \frac{1}{2}$ for all $m \geq n_1$.
 $\exists\,n_2 \in \mathbb{N}$ such that $\left\lVert f_m - f_{n_2} \right\rVert_p < \frac{1}{2^2}$ for all $m \geq n_2$.
 Then, $\exists\,1 \leq n_1 < n_2 < \cdots < n_k$ such that $\left\lVert f_m - f_{n_k} \right\rVert_p < \frac{1}{2^k}$ for $m \geq n_k$.
 Since $\displaystyle\left\lVert f_{n_{k+1}} - f_{n_k} \right\rVert_p < \frac{1}{2^k}$, we have
 $$\sum_{k=1}^{\infty} \left\lVert f_{n_{k+1}} - f_{n_k} \right\rVert_p < \infty.$$
 By the above lemma, $\sum \left\lvert  f_{n_{k+1}} - f_{n_k} \right\rvert$ and $\sum (f_{n_{k+1}} - f_{n_k})$ are finite. Let $f_{n_0} \equiv 0$. Then as $m \rightarrow\infty$,
 $$f_{n_{m+1}} = \sum_{k=0}^{m} \left( f_{n_{k+1}} - f_{n_k} \right)$$
 converges $\mu$-a.e. Take $N \in \mathscr{F}$ with $\mu(N) = 0$ such that $f_{n_k}$ converges on $X \setminus N$. Let
 $$f(x) = \begin{cases}        \displaystyle\lim_{k \rightarrow\infty} f_{n_k} (x) & (x \in X \setminus N) \\ 0 & (x\in N)    \end{cases}$$
 then $f$ is measurable. Using the convergence,
 $$\begin{aligned}        \left\lVert f - f_{n_m} \right\rVert_p & = \left\lVert \sum_{k=m}^{\infty} \left( f_{n_{k+1}} (x) - f_{n_k}(x) \right) \right\rVert_p  \\                             & \leq \left\lVert \sum_{k=m}^{\infty} \left\lvert  f_{n_{k+1}} (x) - f_{n_k}(x) \right\rvert  \right\rVert_p \\                             & \leq \sum_{k=m}^{\infty} \left\lVert f_{n_{k+1}} - f_{n_k} \right\rVert_p \leq 2^{-m}    \end{aligned}$$
 by the choice of $f_{n_k}$. So $f_{n_k} \rightarrow f$ in $\mathcal{L}^{p}(\mu)$. Also, $f = (f - f_{n_k}) + f_{n_k} \in \mathcal{L}^{p}(\mu)$.
 Let $\epsilon > 0$ be given. Since $\left( f_n \right)$ is a Cauchy sequence in $\mathcal{L}^{p}$, $\exists\,N \in \mathbb{N}$ such that for all $n, m \geq N$, $\left\lVert f_n - f_m \right\rVert < \frac{\epsilon}{2}$. Note that $n_k \geq k$, so $n_k \geq N$ if $k \geq N$. Choose $N_1 \geq N$ such that for $k \geq N$, $\left\lVert f - f_{n_k} \right\rVert_p < \frac{\epsilon}{2}$. Then for all $k \geq N_1$,
 $$\left\lVert f - f_k \right\rVert_p \leq \left\lVert f - f_{n_k} \right\rVert_p + \left\lVert f_{n_k} - f_k \right\rVert_p < \frac{\epsilon}{2} + \frac{\epsilon}{2} = \epsilon.$$
 **참고.** $\mathcal{L}^{p}$ is a complete normed vector space, also known as **Banach space**.
 **정리.** $C[a, b]$ is a dense subset of $\mathcal{L}^{p}[a, b]$. That is, for every $f \in \mathcal{L}^{p}[a, b]$ and $\epsilon > 0$, $\exists\,g \in C[a, b]$ such that $\left\lVert f - g \right\rVert_p < \epsilon$.
 **증명.** Let $A$ be a closed subset in $[a, b]$, and consider a distance function
 $$d(x, A) = \inf_{y\in A} \left\lvert  x - y \right\rvert , \quad x \in [a, b].$$
 Since $d(x, A) \leq \left\lvert  x - z \right\rvert  \leq \left\lvert  x - y \right\rvert  + \left\lvert  y - z \right\rvert$ for all $z \in A$, taking infimum over $z \in A$ gives $d(x, A) \leq \left\lvert  x - y \right\rvert  + d(y, A)$. So
 $$\left\lvert  d(x, A) - d(y, A) \right\rvert  \leq \left\lvert  x - y \right\rvert ,$$
 and $d(x, A)$ is continuous. If $d(x, A) = 0$, $\exists\,x_n \in A$ such that $\left\lvert  x_n - x \right\rvert  \rightarrow d(x, A) = 0$. Since $A$ is closed, $x \in A$. We know that $x \in A \iff d(x, A) = 0$.
 Let
 $$g_n(x) = \frac{1}{1 + n d(x, A)}.$$
 $g_n$ is continuous, $g_n(x) = 1$ if and only if $x \in A$. Also for all $x \in [a, b] \setminus A$, $g_n(x) \rightarrow 0$ as $n \rightarrow\infty$. By Lebesgue’s dominated convergence theorem,
 $$\begin{aligned}        \left\lVert g_n - \chi_A \right\rVert_p^p & = \int_A \left\lvert  g_n - \chi_A \right\rvert ^p \,d{x} + \int_{[a, b]\setminus A} \left\lvert  g_n - \chi_A \right\rvert ^p \,d{x} \\                                & = 0 + \int_{[a, b]\setminus A} \left\lvert  g_n \right\rvert ^p \,d{x} \rightarrow 0    \end{aligned}$$
 since $\left\lvert  g_n \right\rvert ^p \leq 1$. We have shown that characteristic functions of closed sets can be approximated by continuous functions in $\mathcal{L}^{p}[a, b]$.
 For every $A \in \mathfrak{M}(m)$, $\exists\,F_\text{closed} \subseteq A$ such that $m(A \setminus F) < \epsilon$. Since $\chi_A - \chi_F = \chi_{A \setminus F}$,
 $$\begin{aligned}        \int \left\lvert  \chi_A-\chi_F \right\rvert ^p \,d{x} & = \int \left\lvert  \chi_{A\setminus F} \right\rvert ^p \,d{x}             \\                                         & = \int_{A\setminus F} \,d{x} = m(A \setminus F) < \epsilon.    \end{aligned}$$
 Therefore, for every $A \in \mathfrak{M}$, $\exists\,g_n \in C[a, b]$ such that $\left\lVert g_n - \chi_A \right\rVert_p \rightarrow 0$ as $n \rightarrow\infty$. So characteristic functions of any measurable set can be approximated by continuous functions in $\mathcal{L}^{p}[a, b]$.
 Next, for any measurable simple function $f = \sum_{k=1}^{m}a_k \chi_{A_k}$, we can find $g_n^k \in C[a, b]$ so that
 $$\left\lVert f - \sum_{k=1}^{m} a_k g_n^k \right\rVert_p = \left\lVert \sum_{k=1}^{m}a_k \left( \chi_{A_k} - g_n^k \right) \right\rVert_p \rightarrow 0.$$
 Next for $f \in \mathcal{L}^{p}$ and $f \geq 0$, there exist simple functions $f_n \geq 0$ such that $f_n \nearrow f$ in $\mathcal{L}^{p}$. Finally, any $f \in \mathcal{L}^{p}$ can be written as $f = f^+ - f^-$, which completes the proof.
 이러한 확장을 몇 번 해보면 굉장히 routine합니다. $\chi_F$ for closed $F$ $\rightarrow$ $\chi_A$ for measurable $A$ $\rightarrow$ measurable simple $f$ $\rightarrow$ $0\leq f \in \mathcal{L}^{p} \rightarrow$ $f \in \mathcal{L}^{p}$ 와 같은 순서로 확장합니다.
--- a/_posts/Mathematics/coq/2023-07-08-rules-of-inference.md
+++ b/_posts/Mathematics/coq/2023-07-08-rules-of-inference.md
@@ -2,11 +2,17 @@
 share: true
 toc: true
 math: true
-categories: [Mathematics, Coq]
+categories:
-tags: [math, coq, proof-verification]
+  - Mathematics
-title: "Rules of Inference with Coq"
+  - Coq
-date: "2023-07-08"
+path: _posts/mathematics/coq
-github_title: "2023-07-08-rules-of-inference"
+tags:
  - math
  - coq
  - proof-verification
 title: Rules of Inference with Coq
 date: 2023-07-08
 github_title: 2023-07-08-rules-of-inference
 ---
 This is a list of proofs with Coq, for each rule of inference stated in [List of Rules of Inference (Wikipedia)](https://en.wikipedia.org/wiki/List_of_rules_of_inference)
@@ -188,7 +194,7 @@ Lemma distributive_conjunction : forall P Q R : Prop,
 Proof.
  split; intros.
  - destruct H as [H [H1 | H1]]; auto.
-  - destruct H as [ [H1 H2](H1%20H2.md); auto.
+  - destruct H as [[H1 H2] | [H1 H2]]; auto.
 Qed.
 Lemma material_implication_converse : forall P Q : Prop,
--- a/_posts/Mathematics/measure-theory/2023-07-31-Lp-functions.md
+++ b/_posts/Mathematics/measure-theory/2023-07-31-Lp-functions.md
@@ -0,0 +1,216 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Mathematics
  - Measure Theory
 path: _posts/mathematics/measure-theory
 tags:
  - math
  - analysis
  - measure-theory
 title: 09. $\mathcal{L}^p$ Functions
 date: 2023-07-31
 github_title: 2023-07-31-Lp-functions
 image:
  path: /assets/img/posts/mathematics/measure-theory/mt-09.png
 attachment:
  folder: assets/img/posts/mathematics/measure-theory
 ---
 ![mt-09.png](../../../assets/img/posts/mathematics/measure-theory/mt-09.png){: .w-50}
 ## Integration on Complex Valued Function
 Let $(X, \mathscr{F}, \mu)$ be a measure space, and $E \in \mathscr{F}$.
 **정의.**
 1. A complex valued function $f = u + iv$, (where $u, v$ are real functions) is measurable if $u$ and $v$ are both measurable.
 2. For a complex function $f$,
 	$$f \in \mathcal{L}^{1}(E, \mu) \iff  \int _ E \left\lvert  f \right\rvert  \,d{\mu} < \infty \iff u, v \in \mathcal{L}^{1}(E, \mu).$$
 3. If $f = u + iv \in \mathcal{L}^{1}(E, \mu)$, we define
 	$$\int _ E f \,d{\mu} = \int _ E u \,d{\mu} + i\int _ E v \,d{\mu}.$$
 **참고.**
 1. Linearity also holds for complex valued functions. For $f _ 1, f _ 2 \in \mathcal{L}^{1}(\mu)$ and $\alpha \in \mathbb{C}$,
 	$$\int _ E \left( f _ 1 + \alpha f _ 2 \right) \,d{\mu} = \int _ E f _ 1 \,d{\mu} +  \alpha \int _ E f _ 2 \,d{\mu}.$$
 2. Choose $c \in \mathbb{C}$ and $\left\lvert  c \right\rvert  = 1$ such that $\displaystyle c \int _ E f \,d{\mu} \geq 0$. This is possible since multiplying by $c$ is equivalent to a rotation.
 Now set $cf = u + vi$ where $u, v$ are real functions and the integral of $v$ over $E$ is $0$. Then,
 $$\begin{aligned}                      \left\lvert  \int _ E f \,d{\mu} \right\rvert  & = c \int _ E f\,d{\mu} = \int _ E u \,d{\mu}              \\                                             & \leq \int _ E (u^2+v^2)^{1/2} \,d{\mu}                 \\                                             & = \int _ E \left\lvert  cf \right\rvert  \,d{\mu} = \int _ E \left\lvert  f \right\rvert  \,d{\mu}.                  \end{aligned}$$
 ## Functions of Class $\mathcal{L}^{p}$
 ### $\mathcal{L}^p$ Space
 Assume that $(X, \mathscr{F}, \mu)$ is given and $X = E$.
 **정의.** ($\mathcal{L}^{p}$) A complex function $f$ is in $\mathcal{L}^{p}(\mu)$ if $f$ is measurable and $\displaystyle\int _ E \left\lvert  f \right\rvert ^p \,d{\mu} < \infty$.
 **정의.** ($\mathcal{L}^{p}$-norm) **$\mathcal{L}^{p}$-norm** of $f$ is defined as
 $$\left\lVert f \right\rVert _ p = \left[\int _ E \left\lvert  f \right\rvert ^p \,d{\mu} \right]^{1/p}.$$
 ### Inequalities
 **정리.** (Young Inequality) For $a, b \geq 0$, if $p > 1$ and $1/p + 1/q = 1$, then
 $$ab \leq \frac{a^p}{p} + \frac{b^q}{q}.$$
 **증명.** From $1/p + 1/q = 1$, $p - 1 = \frac{1}{q - 1}$. The graph $y = x^{p - 1}$ is equal to the graph of $x = y^{q - 1}$. Sketch the graph on the $xy$-plane and consider the area bounded by $x = 0$, $x = a$, $y = 0$, $y = b$. Then we directly see that
 $$\int _ 0^a x^{p-1} \,d{x} + \int _ 0^b y^{q-1} \,d{y} \geq ab,$$
 with equality when $a^p = b^q$. Evaluating the integral gives the desired inequality.
 **참고.** For $\mathscr{F}$-measurable $f, g$ on $X$,
 $$\left\lvert  fg \right\rvert  \leq \frac{\left\lvert  f \right\rvert ^p}{p} + \frac{\left\lvert  g \right\rvert ^q}{q} \implies \left\lVert fg \right\rVert _ 1 \leq \frac{\left\lVert f \right\rVert _ p^p}{p} + \frac{\left\lVert g \right\rVert _ q^q}{q}$$
 by Young inequality. In particular, if $\left\lVert f \right\rVert _ p = \left\lVert g \right\rVert _ q = 1$, then $\left\lVert fg \right\rVert _ 1 \leq 1$.
 **정리.** (Hölder Inequality) Let $1 < p < \infty$ and $\displaystyle\frac{1}{p} + \frac{1}{q} = 1$. If $f, g$ are measurable,
 $$\left\lVert fg \right\rVert _ 1 \leq \left\lVert f \right\rVert _ p \left\lVert g \right\rVert _ q.$$
 So if $f \in \mathcal{L}^{p}(\mu)$ and $g \in \mathcal{L}^{q}(\mu)$, then $fg \in \mathcal{L}^{1}(\mu)$.
 **증명.** If $\left\lVert f \right\rVert _ p = 0$ or $\left\lVert g \right\rVert _ q = 0$ then $f = 0$ a.e. or $g = 0$ a.e. So $fg = 0$ a.e. and $\left\lVert fg \right\rVert _ 1 = 0$.
 Now suppose that $\left\lVert f \right\rVert _ p > 0$ and $\left\lVert g \right\rVert _ q > 0$. By the remark above, the result directly follows from
 $$\left\lVert \frac{f}{\left\lVert f \right\rVert _ p} \cdot \frac{g}{\left\lVert g \right\rVert _ q} \right\rVert _ 1 \leq 1.$$
 **정리.** (Minkowski Inequality) For $1 \leq p < \infty$, if $f, g$ are measurable, then
 $$\left\lVert f + g \right\rVert _ p \leq \left\lVert f \right\rVert _ p + \left\lVert g \right\rVert _ p.$$
 **증명.** If $f, g \notin \mathcal{L}^{p}$, the right hand side is $\infty$ and we are done. For $p = 1$, the equality is equivalent to the triangle inequality. Also if $\left\lVert f + g \right\rVert _ p = 0$, the inequality holds trivially. We suppose that $p > 1$, $f, g \in \mathcal{L}^p$ and $\left\lVert f+g \right\rVert _ p > 0$.
 Let $q = \frac{p}{p-1}$. Since
 $$\begin{aligned}        \left\lvert  f + g \right\rvert ^p & = \left\lvert  f + g \right\rvert \cdot \left\lvert  f + g \right\rvert ^{p - 1}                \\                      & \leq \bigl(\left\lvert  f \right\rvert  + \left\lvert  g \right\rvert \bigr) \left\lvert  f + g \right\rvert ^{p-1},    \end{aligned}$$
 we have
 $$\begin{aligned}        \int \left\lvert  f+g \right\rvert ^p & \leq \int \left\lvert  f \right\rvert  \cdot \left\lvert  f+g \right\rvert ^{p-1} + \int \left\lvert  g \right\rvert  \cdot \left\lvert  f+g \right\rvert ^{p-1} \\                         & \leq \left( \int \left\lvert  f \right\rvert ^p  \right)^{1/p}\left( \int \left\lvert  f+g \right\rvert ^{(p-1)q} \right)^{1/q}      \\                         & \quad + \left( \int \left\lvert  q \right\rvert ^p  \right)^{1/p}\left( \int \left\lvert  f+g \right\rvert ^{(p-1)q} \right)^{1/q}   \\                         & = \left( \left\lVert f \right\rVert _ p + \left\lVert g \right\rVert _ p \right) \left( \int \left\lvert  f+g \right\rvert ^p \right)^{1/q}.    \end{aligned}$$
 Since $\left\lVert f + g \right\rVert _ p^p > 0$, we have
 $$\begin{aligned}        \left\lVert f + g \right\rVert _ p & = \left( \int \left\lvert  f+g \right\rvert ^p \right)^{1/p}             \\                       & = \left( \int \left\lvert  f+g \right\rvert ^p \right)^{1 - \frac{1}{q}} \\                       & \leq \left\lVert f \right\rVert _ p + \left\lVert g \right\rVert _ p.    \end{aligned}$$
 **정의.** $f \sim g \iff f = g$ $\mu$-a.e. and define
 $$[f] = \left\lbrace g : f \sim g\right\rbrace.$$
 We treat $[f]$ as an element in $\mathcal{L}^{p}(X, \mu)$, and write $f = [f]$.
 **참고.**
 1. We write $\left\lVert f \right\rVert _ p = 0 \iff f = [0] = 0$ in the sense that $f = 0$ $\mu$-a.e.
 2. Now $\lVert \cdot \rVert _ p$ is a **norm** in $\mathcal{L}^{p}(X, \mu)$ so $d(f, g) = \left\lVert f - g \right\rVert _ p$ is a **metric** in $\mathcal{L}^{p}(X, \mu)$.
 ## Completeness of $\mathcal{L}^p$
 Now we have a *function space*, so we are interested in its *completeness*.
 **정의.** (Convergence in $\mathcal{L}^p$) Let $f, f _ n \in \mathcal{L}^{p}(\mu)$.
 1. $f _ n \rightarrow f$ in $\mathcal{L}^p(\mu) \iff \left\lVert f _ n-f \right\rVert _ p \rightarrow 0$ as $n \rightarrow\infty$.
 2. $\left( f _ n \right) _ {n=1}^\infty$ is a Cauchy sequence in $\mathcal{L}^{p}(\mu)$ if and only if
 > $\forall \epsilon > 0$, $\exists\,N > 0$ such that $n, m \geq N \implies \left\lVert f _ n-f _ m \right\rVert _ p < \epsilon$.
 **도움정리.** Let $\left( g _ n \right)$ be a sequence of measurable functions. Then,
 $$\left\lVert \sum _ {n=1}^{\infty} \left\lvert  g _ n \right\rvert  \right\rVert _ p \leq \sum _ {n=1}^{\infty} \left\lVert g _ n \right\rVert _ p.$$
 Thus, if $\displaystyle\sum _ {n=1}^{\infty} \left\lVert g _ n \right\rVert _ p < \infty$, then $\displaystyle\sum _ {n=1}^{\infty} \left\lvert  g _ n \right\rvert  < \infty$ $\mu$-a.e. So $\displaystyle\sum _ {n=1}^{\infty} g _ n < \infty$ $\mu$-a.e.
 **증명.** By monotone convergence theorem and Minkowski inequality,
 $$\begin{aligned}        \left\lVert \sum _ {n=1}^{\infty} \left\lvert  g _ n \right\rvert  \right\rVert _ p & = \lim _ {m \rightarrow\infty} \left\lVert \sum _ {n=1}^{m} \left\lvert  g _ n \right\rvert  \right\rVert _ p \\                                               & \leq \lim _ {n \rightarrow\infty} \sum _ {n=1}^{m} \left\lVert g _ n \right\rVert _ p    \\                                               & = \sum _ {n=1}^{\infty} \left\lVert g _ n \right\rVert _ p < \infty.    \end{aligned}$$
 Thus $\displaystyle\sum _ {n=1}^{\infty} \left\lvert  g _ n \right\rvert  < \infty$ $\mu$-a.e. and $\displaystyle\sum _ {n=1}^{\infty} g _ n < \infty$ $\mu$-a.e. by absolute convergence.
 **정리.** (Fischer) Suppose $\left( f _ n \right)$ is a Cauchy sequence in $\mathcal{L}^{p}(\mu)$. Then there exists $f \in \mathcal{L}^{p}(\mu)$ such that $f _ n \rightarrow f$ in $\mathcal{L}^{p}(\mu)$.
 **증명.** We construct $\left( n _ k \right)$ by the following procedure.
 $\exists\,n _ 1 \in \mathbb{N}$ such that $\left\lVert f _ m - f _ {n _ 1} \right\rVert _ p < \frac{1}{2}$ for all $m \geq n _ 1$.
 $\exists\,n _ 2 \in \mathbb{N}$ such that $\left\lVert f _ m - f _ {n _ 2} \right\rVert _ p < \frac{1}{2^2}$ for all $m \geq n _ 2$.
 Then, $\exists\,1 \leq n _ 1 < n _ 2 < \cdots < n _ k$ such that $\left\lVert f _ m - f _ {n _ k} \right\rVert _ p < \frac{1}{2^k}$ for $m \geq n _ k$.
 Since $\displaystyle\left\lVert f _ {n _ {k+1}} - f _ {n _ k} \right\rVert _ p < \frac{1}{2^k}$, we have
 $$\sum _ {k=1}^{\infty} \left\lVert f _ {n _ {k+1}} - f _ {n _ k} \right\rVert _ p < \infty.$$
 By the above lemma, $\sum \left\lvert  f _ {n _ {k+1}} - f _ {n _ k} \right\rvert$ and $\sum (f _ {n _ {k+1}} - f _ {n _ k})$ are finite. Let $f _ {n _ 0} \equiv 0$. Then as $m \rightarrow\infty$,
 $$f _ {n _ {m+1}} = \sum _ {k=0}^{m} \left( f _ {n _ {k+1}} - f _ {n _ k} \right)$$
 converges $\mu$-a.e. Take $N \in \mathscr{F}$ with $\mu(N) = 0$ such that $f _ {n _ k}$ converges on $X \setminus N$. Let
 $$f(x) = \begin{cases}        \displaystyle\lim _ {k \rightarrow\infty} f _ {n _ k} (x) & (x \in X \setminus N) \\ 0 & (x\in N)    \end{cases}$$
 then $f$ is measurable. Using the convergence,
 $$\begin{aligned}        \left\lVert f - f _ {n _ m} \right\rVert _ p & = \left\lVert \sum _ {k=m}^{\infty} \left( f _ {n _ {k+1}} (x) - f _ {n _ k}(x) \right) \right\rVert _ p  \\                             & \leq \left\lVert \sum _ {k=m}^{\infty} \left\lvert  f _ {n _ {k+1}} (x) - f _ {n _ k}(x) \right\rvert  \right\rVert _ p \\                             & \leq \sum _ {k=m}^{\infty} \left\lVert f _ {n _ {k+1}} - f _ {n _ k} \right\rVert _ p \leq 2^{-m}    \end{aligned}$$
 by the choice of $f _ {n _ k}$. So $f _ {n _ k} \rightarrow f$ in $\mathcal{L}^{p}(\mu)$. Also, $f = (f - f _ {n _ k}) + f _ {n _ k} \in \mathcal{L}^{p}(\mu)$.
 Let $\epsilon > 0$ be given. Since $\left( f _ n \right)$ is a Cauchy sequence in $\mathcal{L}^{p}$, $\exists\,N \in \mathbb{N}$ such that for all $n, m \geq N$, $\left\lVert f _ n - f _ m \right\rVert < \frac{\epsilon}{2}$. Note that $n _ k \geq k$, so $n _ k \geq N$ if $k \geq N$. Choose $N _ 1 \geq N$ such that for $k \geq N$, $\left\lVert f - f _ {n _ k} \right\rVert _ p < \frac{\epsilon}{2}$. Then for all $k \geq N _ 1$,
 $$\left\lVert f - f _ k \right\rVert _ p \leq \left\lVert f - f _ {n _ k} \right\rVert _ p + \left\lVert f _ {n _ k} - f _ k \right\rVert _ p < \frac{\epsilon}{2} + \frac{\epsilon}{2} = \epsilon.$$
 **참고.** $\mathcal{L}^{p}$ is a complete normed vector space, also known as **Banach space**.
 **정리.** $C[a, b]$ is a dense subset of $\mathcal{L}^{p}[a, b]$. That is, for every $f \in \mathcal{L}^{p}[a, b]$ and $\epsilon > 0$, $\exists\,g \in C[a, b]$ such that $\left\lVert f - g \right\rVert _ p < \epsilon$.
 **증명.** Let $A$ be a closed subset in $[a, b]$, and consider a distance function
 $$d(x, A) = \inf _ {y\in A} \left\lvert  x - y \right\rvert , \quad x \in [a, b].$$
 Since $d(x, A) \leq \left\lvert  x - z \right\rvert  \leq \left\lvert  x - y \right\rvert  + \left\lvert  y - z \right\rvert$ for all $z \in A$, taking infimum over $z \in A$ gives $d(x, A) \leq \left\lvert  x - y \right\rvert  + d(y, A)$. So
 $$\left\lvert  d(x, A) - d(y, A) \right\rvert  \leq \left\lvert  x - y \right\rvert ,$$
 and $d(x, A)$ is continuous. If $d(x, A) = 0$, $\exists\,x _ n \in A$ such that $\left\lvert  x _ n - x \right\rvert  \rightarrow d(x, A) = 0$. Since $A$ is closed, $x \in A$. We know that $x \in A \iff d(x, A) = 0$.
 Let
 $$g _ n(x) = \frac{1}{1 + n d(x, A)}.$$
 $g _ n$ is continuous, $g _ n(x) = 1$ if and only if $x \in A$. Also for all $x \in [a, b] \setminus A$, $g _ n(x) \rightarrow 0$ as $n \rightarrow\infty$. By Lebesgue’s dominated convergence theorem,
 $$\begin{aligned}        \left\lVert g _ n - \chi _ A \right\rVert _ p^p & = \int _ A \left\lvert  g _ n - \chi _ A \right\rvert ^p \,d{x} + \int _ {[a, b]\setminus A} \left\lvert  g _ n - \chi _ A \right\rvert ^p \,d{x} \\                                & = 0 + \int _ {[a, b]\setminus A} \left\lvert  g _ n \right\rvert ^p \,d{x} \rightarrow 0    \end{aligned}$$
 since $\left\lvert  g _ n \right\rvert ^p \leq 1$. We have shown that characteristic functions of closed sets can be approximated by continuous functions in $\mathcal{L}^{p}[a, b]$.
 For every $A \in \mathfrak{M}(m)$, $\exists\,F _ \text{closed} \subseteq A$ such that $m(A \setminus F) < \epsilon$. Since $\chi _ A - \chi _ F = \chi _ {A \setminus F}$,
 $$\begin{aligned}        \int \left\lvert  \chi _ A-\chi _ F \right\rvert ^p \,d{x} & = \int \left\lvert  \chi _ {A\setminus F} \right\rvert ^p \,d{x}             \\                                         & = \int _ {A\setminus F} \,d{x} = m(A \setminus F) < \epsilon.    \end{aligned}$$
 Therefore, for every $A \in \mathfrak{M}$, $\exists\,g _ n \in C[a, b]$ such that $\left\lVert g _ n - \chi _ A \right\rVert _ p \rightarrow 0$ as $n \rightarrow\infty$. So characteristic functions of any measurable set can be approximated by continuous functions in $\mathcal{L}^{p}[a, b]$.
 Next, for any measurable simple function $f = \sum _ {k=1}^{m}a _ k \chi _ {A _ k}$, we can find $g _ n^k \in C[a, b]$ so that
 $$\left\lVert f - \sum _ {k=1}^{m} a _ k g _ n^k \right\rVert _ p = \left\lVert \sum _ {k=1}^{m}a _ k \left( \chi _ {A _ k} - g _ n^k \right) \right\rVert _ p \rightarrow 0.$$
 Next for $f \in \mathcal{L}^{p}$ and $f \geq 0$, there exist simple functions $f _ n \geq 0$ such that $f _ n \nearrow f$ in $\mathcal{L}^{p}$. Finally, any $f \in \mathcal{L}^{p}$ can be written as $f = f^+ - f^-$, which completes the proof.
 이러한 확장을 몇 번 해보면 굉장히 routine합니다. $\chi _ F$ for closed $F$ $\rightarrow$ $\chi _ A$ for measurable $A$ $\rightarrow$ measurable simple $f$ $\rightarrow$ $0\leq f \in \mathcal{L}^{p} \rightarrow$ $f \in \mathcal{L}^{p}$ 와 같은 순서로 확장합니다.
--- a/_posts/algorithms/boj/2023-11-02-random-ps-1.md
+++ b/_posts/algorithms/boj/2023-11-02-random-ps-1.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Algorithms
  - BOJ
 path: _posts/algorithms/boj
 tags:
  - algorithms
  - boj
@@ -52,7 +53,7 @@ $$
 중학교 시절 에이급 수학에서 $(3 + 2\sqrt{2})^5$의 정수부분을 구하라는 문제를 봤었는데 이 때 사용했던 아이디어가 켤레무리수를 생각하는 것이었다. 비슷한 아이디어를 2017학년도 서울대학교 공과대학 수시 일반 심층 면접에서도 $(2 + \sqrt{5})^n$이 나와 사용했었다. 그리고...
-> **정리.** $\alpha = 3 + \sqrt{5}$, $\beta = 3 - \sqrt{5}$ 일 때, $\alpha^n + \beta^n \in \mathbb{N}$.[^2]
+> **정리.** $\alpha = 3 + \sqrt{5}$, $\beta = 3 - \sqrt{5}$ 일 때, $\alpha^n + \beta^n \in \mathbb{N}$ for all $n \in \mathbb{N}$.[^2]
 여기서 핵심은 $0 < \beta < 1$ 임을 이용하는 것이다. 따라서, $\alpha^n$의 정수부분은 $\alpha^n + \beta^n - 1$이 된다. 이제 $\alpha^n + \beta^n$만 구하면 된다. 근과 계수의 관계를 이용하면 수열 $s _ n = \alpha^n + \beta^n$에 대한 귀납적 정의를 얻을 수 있다.
@@ -87,5 +88,27 @@ $$
 모든 가능한 프로그램의 후보를 얻었다면, 가장 짧은 것을 찾고 사전 순으로 제일 먼저 오는 것을 찾으면 된다. 사전 순 정렬의 경우 귀납적으로 생각하면 쉽게 구현할 수 있다. 앞에서부터 연산의 종류와 횟수를 비교하면 된다.
 ## 13174번
 - [BOJ 13174](https://www.acmicpc.net/problem/13174): 괄호
 어차피 palindrome이니 절반을 정해주면 나머지는 자동으로 결정된다. 그러므로 길이 $n$인 괄호 문자열의 임의의 prefix에 대해 `)`의 개수는 `(`의 개수를 넘을 수 없다.
 이는 [Catalan's triangle](https://en.wikipedia.org/wiki/Catalan%27s_triangle)의 응용이다. $i$개의 `(`와 $n-i$개의 `)`로 길이 $n$인 괄호 문자열을 구성하고, $k$개의 색으로 칠한다고 했으니 정답은
 $$
 \sum _ {i=\lceil n/2\rceil}^n C(i, n-i)\cdot k^i
 $$
 이다. 색칠하는 방법의 수가 $k^i$인 이유는 각 `)`가 짝이 되는 `(`와 색이 같아야 하므로 `(`의 색만 정하면 되기 때문이다.
 계산에는
 $$
 C(n, k) = \frac{n-k+1}{n+1} {n+k \choose k}
 $$
 를 사용하면 된다.
 [^1]: 원래 빠른 거듭제곱을 할 때는 $a^n = a \cdot (a^2)^{(n-1)/2}$ 으로 했던 것 같은데 이 경우에는 잘 안되므로...
 [^2]: 증명은 귀납법. 이항정리를 써도 좋고, 수열의 귀납적 정의를 사용해도 좋다.
--- a/_posts/algorithms/data-structures/2024-04-12-search-time-hash-tables.md
+++ b/_posts/algorithms/data-structures/2024-04-12-search-time-hash-tables.md
@@ -0,0 +1,114 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Algorithms
  - Data Structures
 path: _posts/algorithms/data-structures
 tags:
  - algorithms
  - data-structures
 title: Search Time in Hash Tables
 date: 2024-04-12
 github_title: 2024-04-12-search-time-hash-tables
 ---
 Here are the expected time complexities of the search operation in hash tables.
 ## Assumptions
 - Let $m$ be the number of buckets in the hash table.
 - Let $n$ be the number of entries currently in the hash table.
 - Let $\alpha = n/m$ be the *load factor*.
 - Elements are uniformly hashed to each bucket of the hash table.
 These results imply that the `search` operation takes almost constant time.
 ## Hashing with Chaining
 ### Unsuccessful Search
 > **Theorem.** The expected time complexity of an unsuccessful search in a hash table using chaining is $\alpha$.
 *Proof*. Observe that since elements are hashed uniformly into each bucket, the expected number of elements in each bucket is the same for all buckets. By linearity of expectation, their sum should equal $n$. So each bucket has $\alpha = n/m$ expected number of elements. Thus, on an unsuccessful search, we search at most $\alpha$ elements.
 ### Successful Search
 > **Theorem.** The expected time complexity of a successful search in a hash table using chaining is $1 + \frac{\alpha}{2} - \frac{\alpha}{2n}$.
 *Proof*. Suppose we are looking for the element $x$. The number of elements to search is determined by the number of elements inserted after $x$, whose hash collided with $x$.
 The probability of collision is $\frac{1}{m}$, since the hash function is uniform by assumption. If $x$ was inserted as the $i$-th element, the number of elements to search equals
 $$
 1 + \sum _ {j = i + 1}^n \frac{1}{m}.
 $$
 The additional $1$ comes from searching $x$ itself. Averaging over all $i$ gives the final result.
 $$
 \begin{aligned}
 \frac{1}{n}\sum _ {i=1}^n \paren{1 + \sum _ {j=i+1}^n \frac{1}{m}} &= 1 + \frac{1}{mn} \sum _ {i=1}^n \sum _ {j=i+1}^n 1 \\
 &= 1 + \frac{1}{mn}\paren{n^2 - \frac{n(n+1)}{2}} \\
 &= 1 + \frac{n(n-1)}{2mn} \\
 &= 1+ \frac{(n-1)\alpha}{2n} = 1+ \frac{\alpha}{2} - \frac{\alpha}{2n}.
 \end{aligned}
 $$
 ## Hashing with Open Addressing
 For open addressing, we first assume that $\alpha < 1$. The case $\alpha = 1$ will be handled separately. Also, we assume no deletion.
 ### Unsuccessful Search
 > **Theorem.** The expected time complexity of an unsuccessful search in a hash table using open addressing is $\frac{1}{1-\alpha}$.
 *Proof*. Let the random variable $X$ be the number of probes made in an unsuccessful search. We want to find $\bf{E}[X]$, so we use the identity
 $$
 \bf{E}[X] = \sum _ {i \geq 1} \Pr[X \geq i].
 $$
 We want to find a bound for $\Pr[X \geq i]$. For $X \geq i$ to happen, $i - 1$ probes must fail, i.e., it must probe to an occupied bucket. On the $j$-th probe, there are $m - j + 1$ buckets left to be probed, and $n - j + 1$ elements not probed yet. Thus the $j$-th probe fails with probability $\frac{n - j + 1}{m - j + 1} < \frac{n}{m}$. Therefore,
 $$
 \begin{aligned}
 \Pr[X \geq i] &= \frac{n}{m} \cdot \frac{n - 1}{m - 1} \cdot \cdots \cdot \frac{n - (i - 2)}{m - (i - 2)} \\
 &\leq \paren{\frac{n}{m}}^{i-1} = \alpha^{i - 1}.
 \end{aligned}
 $$
 Now we have
 $$
 \bf{E}[X] = \sum _ {i \geq 1} \Pr[X \geq i] \leq \sum _ {i\geq 1} \alpha^{i-1} = \frac{1}{1 - \alpha}.
 $$
 ### Successful Search
 > **Theorem.** The expected time complexity of a successful search in a hash table using open addressing is $\frac{1}{\alpha} \log \frac{1}{1- \alpha}$.
 *Proof*. On a successful search, the sequence of probes is exactly the same as the sequence of probes when that element was inserted.
 Suppose that an element $x$ was the $i$-th inserted element. At the moment of insertion, the load factor is ${} \alpha _ i = (i-1)/m {}$. By the above theorem, the expected number of probes must have been ${} 1/(1 -\alpha _ i) = \frac{m}{m-(i-1)} {}$. Averaging this over all $i$ gives
 $$
 \begin{aligned}
 \frac{1}{n} \sum _ {i=1}^n \frac{m}{m - (i - 1)} &= \frac{m}{n} \sum _ {i=0}^{n-1} \frac{1}{m - i} \\
 &\leq \frac{1}{\alpha} \int _ {m-n}^m \frac{1}{x}\,dx \\
 &= \frac{1}{\alpha} \log \frac{1}{1-\alpha}.
 \end{aligned}
 $$
 ### When the Hash Table is Full ($\alpha = 1$)
 First of all, on an unsuccessful search, all $m$ buckets should be probed.
 On a successful search, set $m = n$ on the above argument, then the average number of probes is
 $$
 \frac{1}{m} \sum _ {i=1}^m \frac{m}{m - (i - 1)} = \sum _ {i=1}^m \frac{1}{i} = H _ m,
 $$
 where $H _ m$ is the $m$-th harmonic number.
--- a/_posts/articles/2024-03-11-you-and-your-research.md
+++ b/_posts/articles/2024-03-11-you-and-your-research.md
@@ -0,0 +1,118 @@
 ---
 share: true
 categories:
  - Articles
 path: _posts/articles
 tags:
  - research
  - career
 title: You and Your Research, Richard Hamming
 date: 2024-03-11
 github_title: 2024-03-11-you-and-your-research
 ---
 - [Link](https://www.cs.virginia.edu/~robins/YouAndYourResearch.html) to original text.
 - **I recommend reading the full text. It may seem a bit long but I assure you that it is worth the time.**
 - The talk is mainly about how to do **first-class work**, something **significant** as a great scientist.
 The following is a list of quotes from the text that inspired me. Bold fonts were not in the original text, I added them on my own.
 Read the full text for the full context!
 ---
 ## Luck
 > And I will cite Pasteur who said, "Luck favors the prepared mind." \[...\]
 > **There is indeed an element of luck, and no, there isn't.**
 > I want to dispose of this matter of luck as being the sole criterion whether you do great work or not.
 > Newton said, "If others would think as hard as I did, then they would get similar results."
 > I'd say luck changes the odds, but there is some definite control on the part of the individual.
 ## Courage
 > One of the characteristics you see, and many people have it including great scientists, is that usually **when they were young they had independent thoughts and had the courage to pursue them.**
 > One of the characteristics of successful scientists is having **courage**. \[...\]
 > They will go forward under incredible circumstances; **they think and continue to think.**
 ## Working Conditions
 > What most people think are the best working conditions, are not. Very clearly they are not because **people are often most productive when working conditions are bad.**
 ## Drive
 > "**Knowledge and productivity are like compound interest.**" \[...\] The more you know, the more you learn; the more you learn, the more you can do; the more you can do, the more the opportunity.
 > Given two people with exactly the same ability, **the one person who manages day in and day out to get in one more hour of thinking will be tremendously more productive over a lifetime.**
 > On this matter of **drive** Edison says, "Genius is 99% perspiration and 1% inspiration." He may have been exaggerating, but the idea is that **solid work, steadily applied, gets you surprisingly far**. The steady application of effort with a little bit more work, *intelligently applied* is what does it.
 ## Ambiguity
 > Most people like to believe something is or is not true. Great scientists tolerate **ambiguity** very well. **They believe the theory enough to go ahead; they doubt it enough to notice the errors and faults so they can step forward and create the new replacement theory.** If you believe to much you'll never notice the flaws; if you doubt to much you won't get started. It requires a lovely balance.
 > When you find apparent flaws you've got to be sensitive and keep track of those things, and keep an eye out for how they can be explained or how the theory can be changed to fit them.
 ## Commitment
 > If you are deeply immersed and committed to a topic, day after day after day, **your subconscious has nothing to do but work on your problem.** \[...\] For those who don't get committed to their current problem, **the subconscious goofs off on other things and doesn't produce the big result**.
 > Keep your subconscious starved so it has to work on *your* problem, so you can sleep peacefully and get the answer in the morning, free.
 ## Important Problem
 > "What are the important problems of your field?"
 > "What important problems are you working on?"
 > "**If what you are doing is not important, and if you don't think it is going to lead to something important, why are you at Bell Labs working on it?**"[^1]
 > If you do not work on an important problem, it's unlikely you'll do important work. It's perfectly obvious.
 > We didn't work on (1) time travel, (2) teleportation, and (3) antigravity. They are not important problems because we do not have an attack. **It's not the consequence that makes a problem important, it is that you have a reasonable attack.**
 > "**What will be the impact of computers on science and how can I change it?**"[^2]
 > I thought hard about where was my field going, where were the opportunities, and what were the important things to do. Let me go there so there is a chance I can do important things.
 > They (most great scientists) have something between 10 and 20 important problems for which they are looking for an attack. And when they see a new idea come up, one hears them say "Well that bears on this problem." They drop all the other things and get after it.
 > They get rid of other things and they get after an idea because **they had already thought the thing through**. Their minds are prepared; they see the opportunity and they go after it.
 ## Working with an Open Door
 > He who works with the door open gets all kinds of interruptions, but **he also occasionally gets clues as to what the world is and what might be important.**
 ## Others
 > "Is the effort to be a great scientist worth it?" \[...\] I think it is very definitely worth the struggle to try and do first-class work because the truth is, **the value is in the struggle more than it is in the result**.
 > But if you want to be a great scientist you're going to have to put up with stress.
 > You know the idea called the '**critical mass**'. \[...\] What you want to do is get that critical mass in action; "Yes, that reminds me of so and so," or, "Have you thought about that or this?" When you talk to other people, you want to get rid of those **sound absorbers** who are nice people but merely say, "Oh yes," and **to find those who will stimulate you right back.**
 > If you read all the time what other people have done you will think the way they thought. **If you want to think new thoughts that are different, then do what a lot of creative people do** - get the problem reasonably clear and then **refuse to look at any answers until you've thought the problem through** carefully how you would do it, how you could slightly change the problem to be the correct one.
 > The reading is necessary to know what is going on and what is possible. But reading to get the solutions does not seem to be the way to do great research. \[...\] **You read; but it is not the amount, it is the way you read that counts.**
 > I think it's very valuable to have first-class people around. \[...\] **I tried to go with people who had great ability so I could learn from them and who would expect great results out of me.**
 ---
 ## Summary By Claude 3 Sonnet
 Here is a summary of the key points from the article "You and Your Research" by Richard Hamming:
 - Hamming discusses what separates the great scientists who make significant contributions from the merely ordinary ones. He argues that great scientists possess certain key traits and approaches.
 - Great scientists work on important problems rather than following the crowd. They have courage, ambition, and become emotionally invested in their work.
 - Changing viewpoints and converting perceived negatives into positives is crucial. Luck favors the prepared mind that seizes opportunities.
 - Other key ingredients include continuous learning, knowing oneself and managing weaknesses, having a drive to work hard, tolerating ambiguity, shifting focus periodically to stay creative, and great scientists carefully pick their associates.
 - Presentation and selling ideas is extremely important, sometimes as much effort as the research itself. Having the courage to promote unorthodox ideas is vital.
 - While talent plays a role, Hamming argues factors like attitude, work habits, self-awareness and motivation are equally or more important determinants of whether someone does truly great, impactful research.
 The article crystallizes insights from Hamming's decades of observing what distinguishes elite scientists based on his experiences at Los Alamos and Bell Labs.
 [^1]: *if you don't think it is going to lead to something important, why are you at \[...\] working on it?"*
 [^2]: *What will be the impact of \[...\] on \[...\] and how can I change it?*
--- a/_posts/development/web/2024-11-17-math-equations-in-markdown.md
+++ b/_posts/development/web/2024-11-17-math-equations-in-markdown.md
@@ -0,0 +1,117 @@
 ---
 share: true
 toc: true
 math: false
 categories:
  - Development
  - Web
 path: _posts/development/web
 tags:
  - markdown
  - math
  - web
 title: Math Equations in Markdown
 date: 2024-11-17
 github_title: 2024-11-17-math-equations-in-markdown
 image:
  path: /assets/img/posts/development/web/broken-math-equations.png
 attachment:
  folder: assets/img/posts/development/web
 ---
 마크다운에서 수식을 사용하는 것은 **생각보다** 어렵다. 애초에 마크다운은 원래 수식을 지원하지 않는다. 그저 Github, Obsidian 등 다양한 플랫폼이 마크다운의 확장 형태로 수식 입력을 지원하고 있는 상황이다.
 이 블로그는 jekyll을 사용하기 때문에 모든 글이 마크다운으로 작성되어 있다. 수학을 좋아하는 나의 특성상 블로그 글에 수식을 입력할 일이 많은데, 어느 날 블로그에서 깨져있거나 잘못된 수식을 발견하고 마크다운에서 수식을 사용하는 것이 그리 간단치 않다는 것을 깨닫게 되었다.
 이 글에서는 마크다운에서 수식을 사용할 때 생기는 문제점과 이에 대한 해결책을 정리했다.
 ## 문법의 충돌
 마크다운 엔진에 따라 구체적인 내용이 다를 수도 있지만, Kramdown의 경우 문법이 충돌하는 대표적인 예시는 다음과 같다.
 **`$$`는 `$`와 같다.** LaTeX 문법에서 `$$`는 *display mode*로, 한 줄 전체에 수식을 크게 출력하고, `$`는 *inline mode*로 텍스트 중간에 수식을 끼워넣을 때 사용한다. 그런데 Kramdown에서 display math를 사용하기 위해서는 `$$`를 반드시 **새로운 줄**에 입력해야 하고, 그렇지 않으면 `$$`가 inline math로 해석된다.
 이는 기존 마크다운에서 `$` 기호가 이미 널리 사용되었을 것을 고려하여 이러한 결정을 내린 것으로 보인다. ([Github Issue](https://github.com/gettalong/kramdown/issues/672)) 그렇다고 `$`가 아예 지원이 되지 않는 것은 아니다.
 위 차이가 조금 크게 느껴지고, 이외의 내용은 다음과 같다.
 - 절댓값 기호 `| ... |`는 마크다운 테이블로 먼저 해석된다.
 - `\{`와 `\}`는 `\\{`, `\\}`로 escape 해줘야 한다.
 - 아래 첨자를 위한 `_`, 또는 기호 `*`를 그냥 사용하면 마크다운의 기울임 표시와 충돌할 수 있다.
 ![broken-math-equations.png](../../../assets/img/posts/development/web/broken-math-equations.png)
 ## 해결 방법
 ### Display Math
 우선 이 문제의 경우, 애초에 문서를 작성할 때 조심하는 것이 권장된다. `$$`를 사용한다면 애초에 새로운 줄에 수식을 입력하려는 것이기 때문에 이 수식을 위해 새로운 줄에 `$$`를 입력하면 된다.
 만약 이미 작성된 문서를 고치고 싶다면, 다음 정규식을 사용하면 된다.
 ```
 (^|[^\$])\$\$([^\$]+)\$\$([^\$]|$)
 ```
 문서에 존재하는 `$$ ... $$` 형태를 잡아줄 것이다. Replace 기능을 적절히 이용하면 `$$` 앞 뒤에 newline character `\n` 을 넣을 수 있다.
 개인적으로는 Obsidian의 Markdown Linter 플러그인을 이용하여 `$$`를 사용한 수식 앞 뒤에 newline character를 강제로 넣어주도록 하고 있다. 그렇지만 이미 새로운 줄에 입력하는게 습관이 되었다.
 ### 절댓값, 중괄호 기호
 이 기호들은 키보드에 존재하는 `|`, `{}` 키가 아닌 LaTeX 문법을 사용해서
 - 절댓값 기호 `| ... |`는 `\lvert ... \rvert`로,
 - Norm 기호 `|| ... ||` 는 `\lVert ... \rVert`로,
 - 중괄호 `{ ... }`는 `\lbrace \rbrace`로
 입력해야 한다. 앞뒤에 `\left`, `\right` 붙이면 크기 조절도 알아서 된다.
 그러나 저 기호들을 매번 입력하는 일은 정말 귀찮은 일이다. 따라서 매크로를 사용하는 것이 좋아 보인다. 게다가 매크로를 사용하면 `\{`를 별도로 escaping하지 않아도 사용할 수 있다.
 ```tex
 \newcommand{\abs}[1]{\left\lvert #1 \right\rvert}
 \newcommand{\norm}[1]{\left\lVert #1 \right\rVert}
 \newcommand{\braces}[1]{\left\{ #1 \right\}}
 ```
 ### 기울임체 충돌
 개인적으로 이 문제가 가장 골치아팠다. 어떤 경우에는 문제가 되지 않다가, 또 어떤 경우에는 문제가 된다. `_`를 사용해도 멀쩡하게 보이는 수식이 있는가 하면, 완전히 깨져버리는 수식도 있다. 조금 찾아보니 나만 이런 문제를 겪은 것이 아니었다.
 문제의 원인은 마크다운으로 쓴 글을 html로 변환할 때 `_` 사이에 있는 텍스트가 기울임체로 먼저 해석되고, 수식은 그 이후에 처리되기 때문이었다. 그러다보니 수식 내부의 `_`가 다른 문자열로 치환되어 버리면서 (기울임을 나타내는 html 태그 `<em>`) 수식이 깨지는 현상이 발생한 것이다.
 가장 간단한 해결 방법은 `_`를 escaping 하는 것이다. 그러면 마크다운 변환기가 이를 기울임체 표시로 해석하지 않는다. 다만 `\_`와 같이 하게 되면 Obsidian에서는 수식이 제대로 렌더링 되지 않게 되는데, 아마 다른 툴들도 비슷한 문제가 있을 것으로 예상된다.
 진짜 해결 방법은 혼자서 삽질을 하다가 알아내게 되었는데, **`_` 앞 뒤로 공백을 추가하면 기울임체로 표시되지 않는다는 사실을 발견**했다. 이 사실이 신기해서 알려진 바가 있는지 찾아봤는데, 이 내용이 마크다운 문법에 실제로 있었다.
 > But if you surround an `*` or `_` with spaces, it’ll be treated as a literal asterisk or underscore.
 - 출처: John Grubber's original [Markdown syntax description](https://daringfireball.net/projects/markdown/syntax#em)
 - 공식: https://spec.commonmark.org/0.31.2/#emphasis-and-strong-emphasis
 그런데 이 문제는 확정적으로 발생하지 않을 수도 있기 때문에, 모든 `_` 앞 뒤로 공백을 추가하면 된다. 어차피 수식은 공백을 무시해 버리기 때문에 수식에는 영향이 없다.[^1]
 한편, 이 작업은 매우 귀찮은 일이기 때문에, 자동화된 방법이 필요해 보인다. 수식에서 아래 첨자를 쓸 일은 굉장히 빈번하기 때문에 매번 손수 `_` 앞 뒤에 공백을 추가하기는 힘들다.
 이를 위해서는 또 다시 정규식을 사용하면 된다. 내가 직접 만들어 보려고 하다가 결국에는 [StackOverflow에 질문](https://stackoverflow.com/questions/79183172/regex-to-add-spaces-around-all-underscores-in-math-equations?noredirect=1#comment139629564_79183172)하게 되었다.
 아무튼 사용할 정규식은 다음과 같다.
 ```
 (?<=\$\S[^$]*)\s?_\s?(?=[^$]*\S\$)
 ```
 자세한 설명은 생략한다... 이 정규식이 잡아낸 `_`를 전부 `\s_\s`로 고쳐주면 끝이다.
 개인적으로는 Obsidian에서 블로그 repository로 push할 때 text replacement 기능을 이용해서 자동으로 고쳐지도록 세팅해 두었다.[^2]
 ## 후기
 애초에 마크다운에 수식을 쓰려고 하는 것과, jekyll 블로그에 이를 업로드 하려는 생각 자체가 잘못된 것일 수도 있다. 다른 툴을 썼다면 이런 고생을 하지 않아도 됐을지도 모른다. 실제로 digital garden 같은 툴 중에서 수식을 잘 지원하는 경우도 있다.[^3] 하지만 내가 Obsidian을 포기할 수 없었고, 지금 사용하고 있는 chirpy theme이 너무 마음에 들었기 때문에 이 조합을 포기할 수 없었다.
 현대 암호학 개론 수업 내용을 정리한 노트에서 깨진 수식이 대량으로 발생해서, 그동안 방치해두고 있었는데 이번에 칼을 뽑아서 **1년 넘게 묵혀둔 문제를 드디어 해결**했다. 앞으로는 이런 문제가 안 생겼으면 좋겠다.
 [^1]: 여기까지 23년 7월 26일에 알아낸 내용이다.
 [^2]: 24년 11월 13일에 작업한 내용이다.
 [^3]: Obsidian의 경우 Quartz가 대세인 듯 하다.
--- a/_posts/lecture-notes/internet-security/2023-09-10-security-intro.md
+++ b/_posts/lecture-notes/internet-security/2023-09-10-security-intro.md
@@ -5,6 +5,7 @@ math: false
 categories:
  - Lecture Notes
  - Internet Security
 path: _posts/lecture-notes/internet-security
 tags:
  - network
  - security
@@ -13,9 +14,9 @@ title: 01. Security Introduction
 date: 2023-09-10
 github_title: 2023-09-10-security-intro
 image:
-  path: /assets/img/posts/Lecture Notes/Internet Security/is-01-cryptosystem.png
+  path: /assets/img/posts/lecture-notes/internet-security/is-01-cryptosystem.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Internet Security
+  folder: assets/img/posts/lecture-notes/internet-security
 ---
 > Every program has at least two purposes: the one for which it was written, and another for which it wasn't. - Alan J. Perlis
@@ -155,7 +156,7 @@ There are many ways of achieving security.
 ### Basics of a Cryptosystem
-![is-01-cryptosystem.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-01-cryptosystem.png#)
+![is-01-cryptosystem.png](../../../assets/img/posts/lecture-notes/internet-security/is-01-cryptosystem.png)
 - A **message** in *plaintext* is given to an **encryption algorithm**.
 - The encryption algorithm uses an **encryption key** to create a *ciphertext*.
--- a/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md
+++ b/_posts/lecture-notes/internet-security/2023-09-11-symmetric-key-cryptography-1.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Internet Security
 path: _posts/lecture-notes/internet-security
 tags:
  - security
  - lecture-note
@@ -185,7 +186,12 @@ The case for $C = 1$ is similar.
 ### One-Time Pad (OTP)
-[1. OTP, Stream Ciphers and PRGs > One-Time Pad (OTP)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs#one-time-pad-otp)
+Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then choose a *random* key $k \in \left\lbrace 0, 1 \right\rbrace^n$, and XOR $k$ and $m$.
 - Encryption: $E(k, m) = k \oplus m$.
 - Decryption: $D(k, c) = k \oplus c$.
 This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)).
 ## Perfect Secrecy
@@ -219,6 +225,8 @@ since for each $m$ and $c$, $k$ is determined uniquely.
 *Proof*. Assume not, then we can find some message $m _ 0 \in \mathcal{M}$ such that $m _ 0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.
 For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#shannon's-theorem).
 ### Two-Time Pad is Insecure
 It is not secure to use the same key twice. If for the key $k$ and two messages $m _ 1$, $m _ 2$,
@@ -237,6 +245,7 @@ So some information is leaked, even though we cannot actually recover $m_i$ from
 	- Ex. RC4
 - **Block cipher**: encrypt a block of bits at a time
 	- Can provide integrity or authentication.
 	- Block ciphers usually have feedback between blocks, so errors during transmission will be propagated during the decryption process.
 	- Ex. DES, AES
 ### Stream Cipher
@@ -247,7 +256,7 @@ Stream cipher does not have perfect secrecy, since the key length is shorter tha
 ### Linear Feedback Shift Register (LFSR)
-The seed can be used in a **linear feedback shift register** (LFSR) to generate the actual key for the stream cipher. There are $n$ stages (or states) and the generated key stream is periodic with period $2^n - 1$.
+The seed can be used in a **linear feedback shift register** (LFSR) to generate the actual key for the stream cipher. There are $n$ stages (or states) and the generated key stream is periodic with maximal period $2^n - 1$.
 The links between stages may be different. But in general, if one is given $2n$ output bits of LFSR, one can solve the $n$-stage LFSR.
@@ -278,9 +287,10 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary
 1. Compute CRC for the message
 	- CRC-32 polynomial is used
 2. Compute the keystream from IV and the key
-	- $128$ bit input is given to the PRG
+	- IV is concatenated with the key.
 	- $128$ bit input is given to the key generation algorithm.
 3. Now encrypt the plaintext with XOR.
-	- The IV is prepended to the ciphertext, since the receiver needs it to decrypt
+	- The IV is prepended to the ciphertext, since the receiver needs it to decrypt.
 #### Decryption Process
@@ -292,17 +302,17 @@ To alleviate this problem, we can combine multiple LFSRs with a $k$-input binary
 ### Initialization Vector
 - The IV is not encrypted, and carried in plaintext.
- IV is only $24$ bits, so around $16$ million.
+- IV is only $24$ bits, so around $16$ million possible IVs.
 - **IV must be different for every message transmitted.**
 - 802.11 standard doesn't specify how IV is calculated.
-	- Usually increment by $1$ for each frame
+	- Usually increment by $1$ for each frame.
-	- No restrictions on reusing the IV
+	- No restrictions on reusing the IV.
 #### IV Collision
- The key is fixed, and the period of IV is $2^{24}$
+- The key is fixed, and the period of IV is $2^{24}$.
 - Same IV leads to same key stream.
- So if the adversary takes two frames with same IV to obtain the XOR of two plaintext messages.
+- So if the adversary takes two frames with the same IV to obtain the XOR of two plaintext messages.
 	- $c _ 1 \oplus c _ 2 = (p _ 1 \oplus k _ s) \oplus (p _ 2 \oplus k _ s) = p _ 1 \oplus p _ 2$
 - Since network traffic contents are predictable, messages can be recovered.
 	- We are in the link layer, so HTTP, IP, TCP headers will be contained in the encrypted payload.
@@ -315,12 +325,13 @@ Given a bit string (defined in the specification), the sender performs long divi
 ### Message Modification
 - CRC is actually a linear function.
-	- $\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y)$
+	- $\mathrm{CRC}(x \oplus y) = \mathrm{CRC}(x) \oplus \mathrm{CRC}(y)$.
 	- The remainder of $x \oplus y$ is equal to the sum of the remainders of $x$ and $y$, since $\oplus$ is effectively an addition over $\mathbb{Z} _ 2$.
 - CRC function doesn't have a key, so it is forgeable.
 - **RC4 is transparent to XOR**, and messages can be modified.
-	- $c = k_s \oplus (m \parallel \mathrm{CRC}(m))$
+	- Let $c = k _ s \oplus (m \parallel \mathrm{CRC}(m))$.
-	- If we XOR $(x \parallel \mathrm{CRC}(x))$, where $x$ is some malicious message
+	- If we XOR $(x \parallel \mathrm{CRC}(x))$, where $x$ is some malicious message.
-	- $c \oplus (x \parallel \mathrm{CRC}(x)) = k_s \oplus (m\oplus x \parallel \mathrm{CRC}(m\oplus x))$
+	- $c \oplus (x \parallel \mathrm{CRC}(x)) = k _ s \oplus (m\oplus x \parallel \mathrm{CRC}(m\oplus x))$.
 	- The receiver will decrypt and get $(m\oplus x \parallel \mathrm{CRC}(m\oplus x))$.
 	- CRC check by the receiver will succeed.
--- a/_posts/lecture-notes/internet-security/2023-09-18-symmetric-key-cryptography-2.md
+++ b/_posts/lecture-notes/internet-security/2023-09-18-symmetric-key-cryptography-2.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Internet Security
 path: _posts/lecture-notes/internet-security
 tags:
  - lecture-note
  - security
@@ -13,9 +14,9 @@ title: 03. Symmetric Key Cryptography (2)
 date: 2023-09-18
 github_title: 2023-09-18-symmetric-key-cryptography-2
 image:
-  path: /assets/img/posts/Lecture Notes/Internet Security/is-03-feistel-function.png
+  path: /assets/img/posts/lecture-notes/internet-security/is-03-feistel-function.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Internet Security
+  folder: assets/img/posts/lecture-notes/internet-security
 ---
 ## Block Cipher Overview
@@ -63,7 +64,7 @@ $$
 #### The Feistel Function
-![is-03-feistel-function.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-feistel-function.png#)
+![is-03-feistel-function.png](../../../assets/img/posts/lecture-notes/internet-security/is-03-feistel-function.png)
 The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
@@ -179,7 +180,7 @@ AES, DES use fixed block size for encryption. How do we encrypt longer messages?
 ### Electronic Codebook Mode (ECB)
-![is-03-ecb-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ecb-encryption.png#)
+![is-03-ecb-encryption.png](../../../assets/img/posts/lecture-notes/internet-security/is-03-ecb-encryption.png)
 - Codebook is a mapping table.
 - For the $i$-th plaintext block, we use key $k$ to encrypt and obtain the $i$-th ciphertext block.
@@ -198,9 +199,9 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 ### Cipher Block Chaining Mode (CBC)
-![is-03-cbc-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cbc-encryption.png#)
+![is-03-cbc-encryption.png](../../../assets/img/posts/lecture-notes/internet-security/is-03-cbc-encryption.png)
- Two identical messages produce to different ciphertexts.
+- Two identical messages produce two different ciphertexts.
 	- This prevents chosen plaintext attacks
 - Blocks are linked together in the encryption process
 	- **Each previous cipher block is chained with current block**
@@ -238,17 +239,18 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 	- **IV changes should be unpredictable**
 - On IV reuse, same message will generate the same ciphertext if key isn't changed
 - If IV is predictable, CBC is vulnerable to chosen plaintext attacks.
-	- Define Eve's new message $m' = \mathrm{IV} _ {\mathrm{E}} \oplus \mathrm{IV} _ {\mathrm{A}} \oplus g$, where
+	- Suppose Eve obtains $(\mathrm{IV} _ 1, E _ k(\mathrm{IV} _ 1 \oplus m))$.
-		- $\mathrm{IV} _ \mathrm{A}$ and $\mathrm{IV} _ \mathrm{E}$ are Alice and Eve's IVs
+	- Define Eve's new message $m' = \mathrm{IV} _ {2} \oplus \mathrm{IV} _ {1} \oplus g$, where
 		- $\mathrm{IV} _ 2$ is the guess of the next IV, and
 		- $g$ is a guess of Alice's original message $m$.
-	- Since Eve can encrypt any message, $m'$ can be encrypted.
+	- Eve requests an encryption of $m'$
-	- $c' = E _ k(\mathrm{IV} _ \mathrm{E} \oplus m') = E _ k(\mathrm{IV} _ \mathrm{A} \oplus g)$.
+		- $c' = E _ k(\mathrm{IV} _ 2 \oplus m') = E _ k(\mathrm{IV} _ \mathrm{1} \oplus g)$.
-	- Then Eve can compare $c'$ and the original $c = E _ k(\mathrm{IV} _ \mathrm{A} \oplus m)$ to recover $m$.
+	- Then Eve can compare $c'$ and the original $c = E _ k(\mathrm{IV} _ \mathrm{1} \oplus m)$ to recover $m$.
 	- Useful when there are not many cases for $m$ (or most of the message is already known).
 ### Cipher Feedback Mode (CFB)
-![is-03-cfb-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cfb-encryption.png#)
+![is-03-cfb-encryption.png](../../../assets/img/posts/lecture-notes/internet-security/is-03-cfb-encryption.png)
 - The message is treated as a stream of bits; similar to stream cipher
 - **Result of the encryption is fed to the next stage.**
@@ -283,7 +285,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 ### Output Feedback Mode (OFB)
-![is-03-ofb-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ofb-encryption.png#)
+![is-03-ofb-encryption.png](../../../assets/img/posts/lecture-notes/internet-security/is-03-ofb-encryption.png)
 - Very similar to stream cipher.
 - Initialization vector is used as a seed to generate the key stream.
@@ -316,7 +318,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 ### Counter Mode (CTR)
-![is-03-ctr-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ctr-encryption.png#)
+![is-03-ctr-encryption.png](../../../assets/img/posts/lecture-notes/internet-security/is-03-ctr-encryption.png)
 - Without chaining, we use a counter (typically incremented by $1$).
 	- Counter starts from the initialization vector.
--- a/_posts/lecture-notes/internet-security/2023-09-25-modular-arithmetic-1.md
+++ b/_posts/lecture-notes/internet-security/2023-09-25-modular-arithmetic-1.md
@@ -5,10 +5,12 @@ math: true
 categories:
  - Lecture Notes
  - Internet Security
 path: _posts/lecture-notes/internet-security
 tags:
  - lecture-note
  - security
  - cryptography
  - number-theory
 title: 04. Modular Arithmetic (1)
 date: 2023-09-25
 github_title: 2023-09-25-modular-arithmetic-1
@@ -169,7 +171,7 @@ The inverse exists if and only if $\gcd(a, n) = 1$.
 > **Lemma**. For $n \geq 2$ and $a \in \mathbb{Z}$, its inverse $a^{-1} \in \mathbb{Z} _ n$ exists if and only if $\gcd(a, n) = 1$.
-*Proof*. We use the Extended Euclidean Algorithm. There exists $u, v \in \mathbb{Z}$ such that
+*Proof*. We use the extended Euclidean algorithm. There exists $u, v \in \mathbb{Z}$ such that
 $$
 au + nv = \gcd(a, n).
--- a/_posts/lecture-notes/internet-security/2023-10-04-modular-arithmetic-2.md
+++ b/_posts/lecture-notes/internet-security/2023-10-04-modular-arithmetic-2.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Internet Security
 path: _posts/lecture-notes/internet-security
 tags:
  - lecture-note
  - security
@@ -89,7 +90,7 @@ For even better (maybe faster) results, we need the help of elementary number th
 > a^{p-1} \equiv 1 \pmod p.
 > $$
-*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^*$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$.
+*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z} _ p$, $a^{p-1} = 1$ in $\mathbb{Z} _ p$. Since $\mathbb{Z} _ p^\ast$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z} _ p$.
 Here is an elementary proof not using group theory.
@@ -138,23 +139,23 @@ $$
 We also often use the **reduced set of residues**.
-> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^*$.
+> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z} _ n^\ast$.
 >
 > $$
-> \mathbb{Z}_n^* = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
+> \mathbb{Z} _ n^\ast = \left\lbrace a \in \mathbb{Z} _ n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
 > $$
 Then by definition, we have the following result.
-> **Lemma.** $\left\lvert \mathbb{Z}_n^* \right\lvert = \phi(n)$.
+> **Lemma.** $\left\lvert \mathbb{Z} _ n^\ast \right\lvert = \phi(n)$.
-We can also show that $\mathbb{Z}_n^*$ is a multiplicative group.
+We can also show that $\mathbb{Z} _ n^\ast$ is a multiplicative group.
-> **Lemma.** $\mathbb{Z}_n^*$ is a multiplicative group.
+> **Lemma.** $\mathbb{Z} _ n^\ast$ is a multiplicative group.
-*Proof*. Let $a, b \in \mathbb{Z}_n^{ * }$. We must check if $ab \in \mathbb{Z}_n^{ * }$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^{ * }$.
+*Proof*. Let $a, b \in \mathbb{Z} _ n^\ast$. We must check if $ab \in \mathbb{Z} _ n^\ast$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z} _ n^\ast$.
-Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^*$ exists since $\gcd(a, n) = 1$.
+Associativity holds trivially, as a subset of $\mathbb{Z} _ n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z} _ n^\ast$ exists since $\gcd(a, n) = 1$.
 Now we can prove Euler's generalization.
@@ -166,13 +167,13 @@ Now we can prove Euler's generalization.
 > a^{\phi(n)} \equiv 1 \pmod n.
 > $$
-*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^\left\lvert \mathbb{Z}_n^{ * } \right\lvert = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
+*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z} _ n^\ast$. Then $a^{\left\lvert \mathbb{Z} _ n^\ast \right\lvert} = 1$ in $\mathbb{Z} _ n$. By the above lemma, we have the desired result.
-*Proof*. (Elementary) Set $f : \mathbb{Z}_n^* \rightarrow \mathbb{Z}_n^*$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
+*Proof*. (Elementary) Set $f : \mathbb{Z} _ n^\ast \rightarrow \mathbb{Z} _ n^\ast$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
 Using the above result, we remark an important result that will be used in RSA.
-> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^*$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
+> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z} _ n^\ast$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
 *Proof*. $a = b + k\phi(n)$ for some $k \in \mathbb{Z}$. Then
@@ -191,11 +192,11 @@ by Euler's generalization.
 > - $(\mathsf{G3})$ $G$ has an **identity** element $e$ such that $e * a = a * e = a$ for all $a \in G$.
 > - $(\mathsf{G4})$ There is an **inverse** for every element of $G$. For each $a \in G$, there exists $x \in G$ such that $a * x = x * a = e$. We write $x = a^{-1}$ in this case.
-$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^*$ is a multiplicative group.
+$\mathbb{Z} _ n$ is an additive group, and $\mathbb{Z} _ n^\ast$ is a multiplicative group.
 ## Chinese Remainder Theorem (CRT)
-> **Theorem.** Let $n_1, \dots, n_k$ integers greater than $1$, and let $N = n_1n_2\cdots n_k$. If $n_i$ are pairwise relatively prime, then the system of equations $x \equiv a_i \pmod {n_i}$ has a unique solution modulo $N$.
+> **Theorem.** Let $n _ 1, \dots, n _ k$ be integers greater than $1$, and let $N = n _ 1n _ 2\cdots n _ k$. If $n _ i$ are pairwise relatively prime, then the system of equations $x \equiv a _ i \pmod {n _ i}$ has a unique solution modulo $N$.
 >
 > *(Abstract Algebra)* The map
 >
--- a/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md
+++ b/_posts/lecture-notes/internet-security/2023-10-04-rsa-elgamal.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Internet Security
 path: _posts/lecture-notes/internet-security
 tags:
  - lecture-note
  - security
@@ -137,36 +138,36 @@ So we don't actually need Euler's generalization for proving the correctness of
 This is an inverse problem of exponentiation. The inverse of exponentials is logarithms, so we consider the **discrete logarithm of a number modulo $p$**.
-Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^*$, since if $g$ is the generator, a solution always exists.
+Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log _ g y$. We set $g$ to be a generator of the group $\mathbb{Z} _ p$ or $\mathbb{Z} _ p^\ast$, since if $g$ is the generator, a solution always exists.
-Read more in [discrete logarithm problem (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange#discrete-logarithm-problem-dl).
+Read more in [discrete logarithm problem (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#discrete-logarithm-problem-(dl)).
 ## ElGamal Encryption
 This is an encryption scheme built upon the hardness of the DLP.
 > 1. Let $p$ be a large prime.
-> 2. Select a generator $g \in \mathbb{Z}_p^*$.
+> 2. Select a generator $g \in \mathbb{Z} _ p^\ast$.
-> 3. Choose a private key $x \in \mathbb{Z}_p^*$.
+> 3. Choose a private key $x \in \mathbb{Z} _ p^\ast$.
 > 4. Compute the public key $y = g^x \pmod p$.
 > 	- $p, g, y$ will be publicly known.
 > 	- $x$ is kept secret.
 ### ElGamal Encryption and Decryption
-Suppose we encrypt a message $m \in \mathbb{Z}_p^*$.
+Suppose we encrypt a message $m \in \mathbb{Z} _ p^\ast$.
-> 1. The sender chooses a random $k \in \mathbb{Z}_p^*$, called *ephemeral key*.
+> 1. The sender chooses a random $k \in \mathbb{Z} _ p^\ast$, called *ephemeral key*.
 > 2. Compute $c _ 1 = g^k \pmod p$ and $c _ 2 = my^k \pmod p$.
 > 3. $c _ 1, c _ 2$ are sent to the receiver.
-> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^*$.
+> 4. The receiver calculates $c _ 1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z} _ p^\ast$.
 > 5. Then $c _ 2y^{-k} \equiv m \pmod p$, recovering the message.
 The attacker will see $g^k$. By the hardness of DLP, the attacker is unable to recover $k$ even if he knows $g$.
 #### Ephemeral Key Should Be Distinct
-If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z} _ p^{ * }$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z} _ p^{ * }$, inverses exist. So
+If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m _ 1, m _ 2 \in \mathbb{Z} _ p^\ast$. The attacker will see $(g^k, m _ 1y^k)$ and $(g^k, m _ 2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z} _ p^\ast$, inverses exist. So
 $$
 m _ 1y^k \cdot (m _ 2 y^k)^{-1} \equiv m _ 1m _ 2^{-1} \equiv 1 \pmod p
--- a/_posts/lecture-notes/internet-security/2023-10-09-public-key-cryptography.md
+++ b/_posts/lecture-notes/internet-security/2023-10-09-public-key-cryptography.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Internet Security
 path: _posts/lecture-notes/internet-security
 tags:
  - lecture-note
  - security
@@ -14,7 +15,7 @@ date: 2023-10-09
 github_title: 2023-10-09-public-key-cryptography
 ---
-In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange).
+In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/).
 ## Public Key Cryptography
@@ -31,7 +32,7 @@ These keys are created to be used in **trapdoor one-way functions**.
 A **one-way function** is a function that is easy to compute, but hard to compute the pre-image of any output. Here are some common examples.
- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions#collision-resistance).
+- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions/#collision-resistance).
 - *Factoring a large integer*: It is easy to multiply to integers even if they're large, but factoring is very hard.
 - *Discrete logarithm problem*: It is easy to exponentiate a number, but it is hard to find the discrete logarithm.
@@ -79,14 +80,14 @@ But a problem still remains. How does one verify that this key is indeed from th
 ## Diffie-Hellman Key Exchange
-Choose a large prime $p$ and a generator $g$ of $\mathbb{Z}_p^{ * }$. The description of $g$ and $p$ will be known to the public.
+Choose a large prime $p$ and a generator $g$ of $\mathbb{Z} _ p^\ast$. The description of $g$ and $p$ will be known to the public.
-> 1. Alice chooses some $x \in \mathbb{Z}_p^{ * }$ and sends $g^x \bmod p$ to Bob.
+> 1. Alice chooses some $x \in \mathbb{Z} _ p^\ast$ and sends $g^x \bmod p$ to Bob.
-> 2. Bob chooses some $y \in \mathbb{Z}_p^{ * }$ and sends $g^y \bmod p$ to Alice.
+> 2. Bob chooses some $y \in \mathbb{Z} _ p^\ast$ and sends $g^y \bmod p$ to Alice.
 > 3. Alice and Bob calculate $g^{xy} \bmod p$ separately.
 > 4. Eve can see $g^x \bmod p$, $g^y \bmod p$ but cannot calculate $g^{xy} \bmod p$.
-Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange#diffie-hellman-key-exchange-dhke).
+Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#diffie-hellman-key-exchange-(dhke)).
 ## Message Integrity
@@ -132,7 +133,7 @@ Suppose Alice wants to **sign** a message $m$. Alice has public key $pk$ and pri
 > 2. Bob receives it and calculates $E(pk, \sigma)$ and compares it with $m$.
 > 	- The key $pk$ here is Alice's public key.
- Since the signature can be decrypted using Alice's public key, it must have been signed using Alice's private key.
+- Since the signature can be verified using Alice's public key, it must have been signed using Alice's private key.
 	- Thus the message must have been from Alice.
 - Verification is done using Alice's public key, so anyone can verify the message.
 - Messages are usually long, so we take a hash function $H$ to shorten it, and sign $H(m)$ instead.
--- a/_posts/lecture-notes/internet-security/2023-10-16-pki.md
+++ b/_posts/lecture-notes/internet-security/2023-10-16-pki.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Internet Security
 path: _posts/lecture-notes/internet-security
 tags:
  - lecture-note
  - security
@@ -12,7 +13,7 @@ title: 08. Public Key Infrastructure
 date: 2023-10-16
 github_title: 2023-10-16-pki
 attachment:
-  folder: assets/img/posts/Lecture Notes/Internet Security
+  folder: assets/img/posts/lecture-notes/internet-security
 ---
 Suppose that we're using RSA, Alice has public key $(N, e)$ and private key $d$. Anyone can send messages to Alice using $(N, e)$. But because anyone can generate $(N, e)$, we are not sure whether the key $(N, e)$ is *really* Alice's key. We might run into a situation where $(N, e)$ was actually some other person's key. *How do we check whose key this is?*
@@ -83,7 +84,7 @@ We have a root CA at the top. Then there are issuing CAs below. We usually reque
 ### Certificate Validation
-![is-08-certificate-validation.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-08-certificate-validation.png#)[^1]
+![is-08-certificate-validation.png](../../../assets/img/posts/lecture-notes/internet-security/is-08-certificate-validation.png)[^1]
 Since we have a hierarchy of CAs, certificate validation must also follow the hierarchy. When we receive a certificate, it is highly likely to be signed by an non-root CA.
@@ -149,13 +150,13 @@ CRL checking is done in the following way.
 > 2. The client queries the certificate revocation server and downloads CRLs.
 > 3. The client checks whether the certificate is revoked or not.
-But Distributing CRL in real-time is not possible. Furthermore, CRL lifecycles/update periods can vary depending on CAs. Thus there can be attacks between CRL updates. Also, CRL sizes will keep increasing over time, so it gets harder to download and manage the CRLs.
+But distributing CRL in real-time is not possible. Furthermore, CRL lifecycles/update periods can vary depending on CAs. Thus there can be attacks between CRL updates. Also, CRL sizes will keep increasing over time, so it gets harder to download and manage the CRLs.
 ### Online Certificate Status Protocol (OCSP)
 The **online certificate status protocol** (OCSP) is another way to handle certificate revocation. Basically, the client queries a OCSP server for revocation information.
-There is a **OCSP server** that runs 24/7, responding to queries. This server can be run by the CAs or may be delegated to some other entities. The address of the OCSP server is specified in the certificate.
+There is an **OCSP server** that runs 24/7, responding to queries. This server can be run by the CAs or may be delegated to some other entities. The address of the OCSP server is specified in the certificate.
 Using OCSP, revocation check is done in the following way.
--- a/_posts/lecture-notes/internet-security/2023-10-18-tls.md
+++ b/_posts/lecture-notes/internet-security/2023-10-18-tls.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Internet Security
 path: _posts/lecture-notes/internet-security
 tags:
  - lecture-note
  - security
@@ -12,9 +13,9 @@ title: 09. Transport Layer Security
 date: 2023-10-18
 github_title: 2023-10-18-tls
 image:
-  path: /assets/img/posts/Lecture Notes/Internet Security/is-09-tls-handshake.png
+  path: /assets/img/posts/lecture-notes/internet-security/is-09-tls-handshake.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Internet Security
+  folder: assets/img/posts/lecture-notes/internet-security
 ---
 This is a brief comparison of HTTP and HTTPS
@@ -61,19 +62,19 @@ You can check if TLS is used on your browser. The address should begin with `htt
 ## CBC Padding Oracle Attack
-Recall [CBC Mode (Internet Security)](../2023-09-18-symmetric-key-cryptography-2#cipher-block-chaining-mode-cbc) .
+Recall [CBC Mode (Internet Security)](../2023-09-18-symmetric-key-cryptography-2/#cipher-block-chaining-mode-(cbc)) .
 Suppose that each block has $8$ bytes. If the message size is not a multiple of the block size, we pad the message. If we need to pad $b$ bytes, we pad $b$ bytes with $b$, encoded in binary.
 If the padding is not valid, the decryption algorithm outputs a *padding error* during the decryption process. The attacker can observe if a padding error has occurred, and use this information to recover the plaintext.
-To defend this attack, we can use [encrypt-then-MAC (Modern Cryptography)](../../modern-cryptography/2023-09-26-cca-security-authenticated-encryption#encrypt-then-mac-etm), or hide the padding error.
+To defend this attack, we can use [encrypt-then-MAC (Modern Cryptography)](../../modern-cryptography/2023-09-26-cca-security-authenticated-encryption/#encrypt-then-mac-(etm)), or hide the padding error.
 ### Attack in Detail
 We will perform a **chosen ciphertext attack** to fully recover the plaintext.
-Suppose that we obtains a ciphertext $(\mathrm{IV}, c_1, c_2)$, which is an encryption of two blocks $m = m_0 \parallel m_1$, including the padding. By the CBC encryption algorithm we know that
+Suppose that we obtain a ciphertext $(\mathrm{IV}, c _ 1, c _ 2)$, which is an encryption of two blocks $m = m _ 0 \parallel m _ 1$, including the padding. By the CBC encryption algorithm we know that
 $$
 c _ 1 = E _ k(m _ 0 \oplus \mathrm{IV}), \qquad c _ 2 = E _ k(m _ 1 \oplus c _ 1).
@@ -81,7 +82,7 @@ $$
 We don't know exactly how many padding bits there were, but it doesn't matter. We brute force by **changing the last byte of $c _ 1$** and requesting the decryption of the modified ciphertext $(\mathrm{IV}, c _ 1', c _ 2)$.
-The decryption process of the last block is $c_1 \oplus D_k(c_2)$, so by changing the last byte of $c_1$, we hope to get a decryption result that ends with $\texttt{0x01}$. Then the last byte $\texttt{0x01}$ will be treated as a padding and padding errors will not occur. So we keep trying until we don't get a padding error.
+The decryption process of the last block is $c _ 1 \oplus D _ k(c _ 2)$, so by changing the last byte of $c _ 1$, we hope to get a decryption result that ends with $\texttt{0x01}$. Then the last byte $\texttt{0x01}$ will be treated as a padding and padding errors will not occur. So we keep trying until we don't get a padding error.[^1]
 Now, suppose that we successfully changed the last byte of $c _ 1$ to $b$, so that the last byte of $(c _ 1[0\dots6] \parallel b) \oplus D _ k(c _ 2)$ is $\texttt{0x01}$. Next, we change the second-last bit $c _ 1[6]$ and request the decryption and hope to get an output that ends with $\texttt{0x0202}$. The last two bytes will also be treated as a padding and we won't get a padding error.
@@ -113,7 +114,7 @@ $$
 ## Hashed MAC (HMAC)
-Let $H$ be a has function. We defined MAC as $H(k \parallel m)$ where $k$ is a key and $m$ is a message. This MAC is insecure if $H$ has [Merkle-Damgård construction](../../modern-cryptography/2023-09-28-hash-functions#merkle-damg%C3%A5rd-transform), since it is vulnerable to length extension attacks. See [prepending the key in MAC is insecure (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions#prepending-the-key).
+Let $H$ be a has function. We defined MAC as $H(k \parallel m)$ where $k$ is a key and $m$ is a message. This MAC is insecure if $H$ has [Merkle-Damgård construction](../../modern-cryptography/2023-09-28-hash-functions/#merkle-damgård-transform), since it is vulnerable to length extension attacks. See [prepending the key in MAC is insecure (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions/#prepending-the-key).
 Choose a key $k \leftarrow \mathcal{K}$, and set
@@ -146,7 +147,7 @@ Here's how the client and the server establishes a connection using the TLS hand
 > 3. Use the server's public key to share a secret.
 > 4. Both parties generate a symmetric key from the shared secret.
-![is-09-tls-handshake.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-09-tls-handshake.png#)[^1]
+![is-09-tls-handshake.png](../../../assets/img/posts/lecture-notes/internet-security/is-09-tls-handshake.png)[^2]
 - `ServerKeyExchange`, `ClientKeyExchange` is optional. Used sometimes if Diffie-Hellman is used.
 - The actual messages and process differ for each protocol and ciphers used.
@@ -209,7 +210,7 @@ key_block = PRF(SecurityParameters.master_secret,
 ```
 - Why do we use `pre_master_secret` and `master_secret`?
-	- To provide greater consistency between TLS cipher suites.[^2]
+	- To provide greater consistency between TLS cipher suites.[^3]
 ## Version Rollback Attack (SSL)
@@ -252,9 +253,9 @@ These two protocols run over the record protocol.
 ### Forward Secrecy
-> **Forward secrecy** is a feature of key agreement protocols that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.[^3]
+> **Forward secrecy** is a feature of key agreement protocols that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.[^4]
-> An encryption system has the property of **forward secrecy** if plaintext (decrypted) inspection of the data exchange that occurs during key agreement phase of session initiation does not reveal the key that was used to encrypt the remainder of the session.[^3]
+> An encryption system has the property of **forward secrecy** if plaintext (decrypted) inspection of the data exchange that occurs during key agreement phase of session initiation does not reveal the key that was used to encrypt the remainder of the session.[^4]
 - Forward secrecy prevents an **NSA-style attack**.
 	- Save all TLS traffic starting from TLS handshake.
@@ -282,7 +283,7 @@ Actual secret sharing is done using Diffie-Hellman key exchange, and RSA is used
 	- Certificate is signed using RSA.
 - The client sends $g^c \bmod p$.
 - The server and client agree on a secret $g^{sc} \bmod p$.
- The ephemeral keys $s$ and $g^{sc} \bmod p$ is discarded after the session.
+- The ephemeral keys $s$ and $g^{sc} \bmod p$ are discarded after the session.
 ## TLS 1.3
@@ -297,12 +298,13 @@ We previously had 2 round trips, but now we have one. The main difference is the
 - **Client hello**
 	- Protocol version, client random, cipher suites are sent.
-	- **Parameters for calculating the premaster secret is also sent.**[^4]
+	- **Parameters for calculating the premaster secret are also sent.**[^5]
 - **Server generates master secret**
 	- Server has client random, parameters and cipher suites.
 	- Using the server random, generate the master secret.
 - **Server hello** and **Finished**
 	- Server's certificate, digital signature, server random, chosen cipher suite is sent.
 	- This message is encrypted, so server random is not leaked.
 	- Master secret has been generated, so `Finished` is sent.
 - **Client Finished**
 	- Client verifies the certificate, generates master secret, sends `Finished`.
@@ -312,7 +314,7 @@ We previously had 2 round trips, but now we have one. The main difference is the
 TLS 1.3 also supports an event faster handshake that doesn't require and round trips.
 - Works only if the user has visited the website before.
- The both parties can derive another shared secret from the first session.
+- Both parties can derive another shared secret from the first session.
 	- **Resumption main secret**, **pre-shared key** (PSK)
 - The server sends a **session ticket** during the first session.
 	- The client sends this ticket along with the first encrypted message of the new session.
@@ -327,7 +329,8 @@ TLS 1.3 also supports an event faster handshake that doesn't require and round t
 Read more in [Introducing 0-RTT (Cloudflare Blog)](https://blog.cloudflare.com/introducing-0-rtt/).
-[^1]: Source: [The SSL Store](https://www.thesslstore.com/blog/explaining-ssl-handshake/).
+[^1]: We have to brute force this, since if a padding error occurs, we don't get to see the decrypted data. If we don't get a padding error, we will likely get a MAC error, so we still don't get to see the decrypted data. All we do is exploit the fact that a padding error didn't occur.
-[^2]: Source: [Cryptography SE](https://crypto.stackexchange.com/questions/24780/what-is-the-purpose-of-pre-master-secret-in-ssl-tls).
+[^2]: Source: [The SSL Store](https://www.thesslstore.com/blog/explaining-ssl-handshake/).
-[^3]: Source: [Forward secrecy (Wikipedia)](https://en.wikipedia.org/wiki/Forward_secrecy).
+[^3]: Source: [Cryptography SE](https://crypto.stackexchange.com/questions/24780/what-is-the-purpose-of-pre-master-secret-in-ssl-tls).
-[^4]: The client is assuming that it knows the server's preferred key exchange method, since many insecure cipher suites have been removed. Now, the number of possible cipher suites has been reduced.
+[^4]: Source: [Forward secrecy (Wikipedia)](https://en.wikipedia.org/wiki/Forward_secrecy).
 [^5]: The client is assuming that it knows the server's preferred key exchange method, since many insecure cipher suites have been removed. Now, the number of possible cipher suites has been reduced.
--- a/_posts/lecture-notes/modern-cryptography/2023-09-05-introduction.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-09-05-introduction.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - security
--- a/_posts/lecture-notes/modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,9 +14,9 @@ title: 1. One-Time Pad, Stream Ciphers and PRGs
 date: 2023-09-07
 github_title: 2023-09-07-otp-stream-cipher-prgs
 image:
-  path: "assets/img/posts/Lecture Notes/Modern Cryptography/mc-01-ss.png"
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-01-ss.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 ## Assumptions and Notations
@@ -292,7 +293,7 @@ We can deduce that if a PRG is predictable, then it is insecure.
 *Proof*. Let $\mathcal{A}$ be an efficient adversary (next bit predictor) that predicts $G$. Suppose that $i$ is the index chosen by $\mathcal{A}$. With $\mathcal{A}$, we construct a statistical test $\mathcal{B}$ such that $\mathrm{Adv} _ \mathrm{PRG}[\mathcal{B}, G]$ is non-negligible.
-![mc-01-prg-game.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-01-prg-game.png#)
+![mc-01-prg-game.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-01-prg-game.png)
 1. The challenger PRG will send a bit string $x$ to $\mathcal{B}$.
 	- In experiment $0$, PRG gives pseudorandom string $G(k)$.
@@ -318,7 +319,7 @@ The theorem implies that if next bit predictors cannot distinguish $G$ from true
 To motivate the definition of semantic security, we consider a **security game framework** (attack game) between a **challenger** (ex. the creator of some cryptographic scheme) and an **adversary** $\mathcal{A}$ (ex. attacker of the scheme).
-![mc-01-ss.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-01-ss.png#)
+![mc-01-ss.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-01-ss.png)
 > **Definition.** Let $\mathcal{E} = (G, E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. For a given adversary $\mathcal{A}$, we define two experiments $0$ and $1$. For $b \in \lbrace 0, 1 \rbrace$, define experiment $b$ as follows:
 >
--- a/_posts/lecture-notes/modern-cryptography/2023-09-12-prfs-prps-block-ciphers.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-09-12-prfs-prps-block-ciphers.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,9 +14,9 @@ title: 2. PRFs, PRPs and Block Ciphers
 date: 2023-09-12
 github_title: 2023-09-12-prfs-prps-block-ciphers
 image:
-  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-02-block-cipher.png
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-02-block-cipher.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 ## Pseudorandom Functions (PRF)
@@ -118,7 +119,7 @@ This is a matter of *collisions* of $f(x_i)$, so we use the facts from the birth
 A **block cipher** is actually a different name for PRPs. Since a PRP $E$ is a keyed function, applying $E(k, x)$ is in fact encryption, and applying its inverse is decryption.
-![mc-02-block-cipher.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-block-cipher.png)
+![mc-02-block-cipher.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-02-block-cipher.png)
 Block ciphers commonly have the following form.
 - A key $k$ is chosen uniformly from $\left\lbrace 0, 1 \right\rbrace^s$.
@@ -140,7 +141,7 @@ Block ciphers commonly have the following form.
 Since block ciphers are PRPs, we have to build an invertible function. Suppose we are given **any** functions $F _ 1, \dots, F _ d : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$. Can we build an **invertible** function $F : \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$?
-![mc-02-feistel-network.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-feistel-network.png)
+![mc-02-feistel-network.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-02-feistel-network.png)
 It turns out the answer is yes. Given an $2n$-bit long input, $L _ 0$ and $R _ 0$ denote the left and right halves ($n$ bits) of the input, respectively. Define
@@ -160,7 +161,7 @@ Note that we did not require $F_i$ to be invertible. We can build invertible fun
 In DES, the function $F _ i$ is the DES round function.
-![mc-02-des-round.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-des-round.png)
+![mc-02-des-round.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-02-des-round.png)
 The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using $E$. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a permutation $P$ at the end, resulting in $32$ bit data.
@@ -168,7 +169,7 @@ The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunk
 DES uses $56$ bit keys that generate $16$ rounds keys. The diagram below shows that DES has 16-round Feistel networks.
-![mc-02-DES.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-DES.png)
+![mc-02-DES.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-02-DES.png)
 The input goes through initial/final permutation, which are inverses of each other. These have no cryptographic significance, and just for engineering.
@@ -176,7 +177,7 @@ The input goes through initial/final permutation, which are inverses of each oth
 DES is not secure, since key space and block length is too small. Thankfully, we have a replacement called the **advanced encryption standard** (AES).
-![mc-02-aes-128.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-aes-128.png)
+![mc-02-aes-128.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-02-aes-128.png)
 - DES key only had $56$ bits, so DES was broken in the 1990s
 - NIST standardized AES in 2001, based on Rijndael cipher
@@ -254,7 +255,7 @@ Then the key space has increased (exponentially). As for 2DES, the key space is
 Unfortunately, 2DES is only secure as DES, with the attack strategy called **meet in the middle**. The idea is that if $c = E(k _ 1, E(k _ 2, m))$, then $D(k _ 1, c) = E(k _ 2, m)$.
-![mc-02-2des-mitm.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-2des-mitm.png)
+![mc-02-2des-mitm.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-02-2des-mitm.png)
 Since we have the plaintext and the ciphertext, we first build a table of $(k, E(k _ 2, m))$ over $k _ 2 \in \mathcal{K}$ and sort by $E(k _ 2, m)$. Next, we check if $D(k _ 1, c)$ is in the table for all $k _ 1 \in \mathcal{K}$.
--- a/_posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -12,6 +13,8 @@ tags:
 title: 3. Symmetric Key Encryption
 date: 2023-09-19
 github_title: 2023-09-19-symmetric-key-encryption
 attachment:
  folder: assets/img/posts/lecture-notes/internet-security
 ---
 ## CPA Security
@@ -127,11 +130,11 @@ We learned how to encrypt a single block. How do we encrypt longer messages with
 There are many ways of processing multiple blocks, this is called the **mode of operation**.
-Additional explanation available in [Modes of Operations (Internet Security)](../../internet-security/2023-09-18-symmetric-key-cryptography-2#modes-of-operations).
+Additional explanation available in [Modes of Operations (Internet Security)](../../internet-security/2023-09-18-symmetric-key-cryptography-2/#modes-of-operations).
 ### Electronic Codebook Mode (ECB)
-![is-03-ecb-encryption.png](/assets/img/posts/is-03-ecb-encryption.png#)
+![is-03-ecb-encryption.png](../../../assets/img/posts/lecture-notes/internet-security/is-03-ecb-encryption.png)
 - ECB mode encrypts each block with the same key.
 - Blocks are independent of each other.
@@ -139,7 +142,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
 ### Ciphertext Block Chain Mode (CBC)
-![is-03-cbc-encryption.png](/assets/img/posts/is-03-cbc-encryption.png#)
+![is-03-cbc-encryption.png](../../../assets/img/posts/lecture-notes/internet-security/is-03-cbc-encryption.png)
 Let $X = \left\lbrace 0, 1 \right\rbrace^n$ and $E : \mathcal{K} \times X \rightarrow X$ be a **PRP**.
@@ -190,7 +193,7 @@ Note that if $k_1$ is the same as the key used for encrypting messages, then thi
 ### Counter Mode (CTR)
-![is-03-ctr-encryption.png](/assets/img/posts/is-03-ctr-encryption.png#)
+![is-03-ctr-encryption.png](../../../assets/img/posts/lecture-notes/internet-security/is-03-ctr-encryption.png)
 Let $F : \mathcal{K} \times X \rightarrow X$ be a secure **PRF**.
--- a/_posts/lecture-notes/modern-cryptography/2023-09-21-macs.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-09-21-macs.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,9 +14,9 @@ title: 4. Message Authentication Codes
 date: 2023-09-21
 github_title: 2023-09-21-macs
 image:
-  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-04-mac-security.png
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-04-mac-security.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 Message authentication codes (MAC) were designed to provide message integrity. Bob receives a message from Alice and wants to know if this message was not modified during transmission. For MACs, the message itself does not have to be secret. For example, when we download a file the file itself does not have to be protected, but we need a way to verify that the file was not modified.
@@ -26,7 +27,7 @@ On the other hand, MAC fixes data that is tampered in purpose. We will also requ
 ## Message Authentication Code
-![mc-04-mac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac.png)
+![mc-04-mac.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-04-mac.png)
 > **Definition.** A **MAC** system $\Pi = (S, V)$ defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$ is a pair of efficient algorithms $S$ and $V$ where $S$ is a **signing algorithm** and $V$ is a **verification algorithm**.
 > 
@@ -58,7 +59,7 @@ In the security definition of MACs, we allow the attacker to request tags for ar
 For strong MACs, the attacker only has to change the tag for the attack to succeed.
-![mc-04-mac-security.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac-security.png)
+![mc-04-mac-security.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-04-mac-security.png)
 > **Definition.** Let $\Pi = (S, V)$ be a MAC system defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
 > 
@@ -123,7 +124,7 @@ The above construction uses a PRF, so it is restricted to messages of fixed size
 ### CBC-MAC
-![mc-04-cbc-mac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-cbc-mac.png)
+![mc-04-cbc-mac.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-04-cbc-mac.png)
 > **Definition.** For any message $m = (m _ 0, m _ 1, \dots, m _ {l-1}) \in \left\lbrace 0, 1 \right\rbrace^{nl}$, let $F _ k := F(k, \cdot)$.
 > 
@@ -211,7 +212,7 @@ Since CBC-MAC is vulnerable to extension attacks, we encrypt the last block agai
 ECBC-MAC doesn't require us to know the message length in advance, but it is relatively expensive in practice, since a block cipher has to be initialized with a new key.
-![mc-04-ecbc-mac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-ecbc-mac.png)
+![mc-04-ecbc-mac.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-04-ecbc-mac.png)
 > **Theorem.** Let $F : \mathcal{K} \times X \rightarrow X$ be a secure PRF. Then for any $l \geq 0$, $F _ \mathrm{ECBC} : \mathcal{K}^2 \times X^{\leq l} \rightarrow X$ is a secure PRF.
 > 
--- a/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,9 +14,9 @@ title: 5. CCA-Security and Authenticated Encryption
 date: 2023-09-26
 github_title: 2023-09-26-cca-security-authenticated-encryption
 image:
-  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-05-ci.png
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-05-ci.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 Previously, we focused on semantic security against **passive adversaries**, that only eavesdrop on the ciphertext. But in the real world, there are **active adversaries** that interfere with the communication, or even modify them.
@@ -36,9 +37,9 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
 > 	- *Encryption*: Send $m _ i$ and receive $c' _ i = E(k, m _ i)$.
 > 	- *Decryption*: Send $c _ i$ and receive $m' _ i = D(k, c _ i)$.
 > 	- Note that $\mathcal{A}$ is not allowed to make a decryption query for any $c _ i'$.
-> 3. $\mathcal{A}$ outputs a pair of messages $(m_0^ * , m_1^*)$.
+> 3. $\mathcal{A}$ outputs a pair of messages $(m _ 0^\ast , m _ 1^\ast)$.
-> 4. The challenger generates $c^* \leftarrow E(k, m_b^*)$ and gives it to $\mathcal{A}$.
+> 4. The challenger generates $c^\ast \leftarrow E(k, m _ b^\ast)$ and gives it to $\mathcal{A}$.
-> 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^*$.
+> 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^\ast$.
 > 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
 > 
 > Let $W _ b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mathcal{E}$** is defined as
@@ -53,7 +54,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
 None of the encryption schemes already seen thus far is CCA secure.
-Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
+Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption/#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^\ast = (r, F(k, r) \oplus m _ b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m _ b$.
 In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.
@@ -67,12 +68,12 @@ An adversary at destination 25 wants to receive the message sent to destination
 Suppose we used CBC mode encryption. Then the first block of the ciphertext would contain the IV, the next block would contain $E(k, \mathrm{IV} \oplus m _ 0)$.
-The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^ *$ where $m^ *$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated)
+The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^\ast$ where $m^\ast$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated)
 Then the decryption works as normal,
 $$
-D(k, c_0) \oplus \mathrm{IV}' = (m_0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m_0 \oplus m^*.
+D(k, c _ 0) \oplus \mathrm{IV}' = (m _ 0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m _ 0 \oplus m^\ast.
 $$
 The destination of the original message has been changed, even though the adversary had no information of the key.
@@ -83,7 +84,7 @@ The attacker shouldn't be able to create a new ciphertext that decrypts properly
 In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M} \cup \left\lbrace \bot \right\rbrace$, where $\bot$ means that the ciphertext was rejected.
-![mc-05-ci.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-ci.png#)
+![mc-05-ci.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-05-ci.png)
 > **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
 > 
@@ -138,7 +139,7 @@ Most natural constructions of CCA secure schemes satisfy AE, so we don't need to
 We want to combine CPA secure scheme and strongly secure MAC to get AE. Rather than focusing on the internal structure of the scheme, we want a general method to compose these two secure schemes so that we can get a AE secure scheme. We will see 3 examples.
-![mc-05-etm-mte.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-etm-mte.png#)
+![mc-05-etm-mte.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-05-etm-mte.png)
 ### Encrypt-and-MAC (E&M)
--- a/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,9 +14,9 @@ title: 6. Hash Functions
 date: 2023-09-28
 github_title: 2023-09-28-hash-functions
 image:
-  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-06-merkle-damgard.png
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-06-merkle-damgard.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 Hash functions are functions that take some input an compress them to produce an output of fixed size, usually just called *hash* or *digest*. A desired property of hash function is **collision resistance**.
@@ -106,7 +107,7 @@ Now we want to construct collision resistant hash functions that work for arbitr
 The Merkle-Damgård transform gives as a way to extend our input domain of the hash function by iterating the function.
-![mc-06-merkle-damgard.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-merkle-damgard.png#)
+![mc-06-merkle-damgard.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-merkle-damgard.png)
 > **Definition.** Let $h : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^l \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a hash function. The **Merkle-Damgård function derived from $h$** is a function $H$ that works as follows.
 > 
@@ -149,9 +150,9 @@ See Joux's attack.[^2]
 Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives.
-Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange#collision-resistance-based-on-dl-problem).
+Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange/#collision-resistance-based-on-dl-problem).
-![mc-06-davies-meyer.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-davies-meyer.png#)
+![mc-06-davies-meyer.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-davies-meyer.png)
 > **Definition.** Let $\mathcal{E} = (E, D)$ be a block cipher over $(\mathcal{K}, X, X)$ where $X = \left\lbrace 0, 1 \right\rbrace^n$. The **Davies-Meyer compression function derived from $E$** maps inputs in $X \times \mathcal{K}$ to outputs in $X$, defined as follows.
 > 
@@ -194,7 +195,7 @@ We needed a complicated construction for MACs that work on long messages. We mig
 Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$.
-Recall that [we can construct a MAC scheme from a PRF](../2023-09-21-macs#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
+Recall that [we can construct a MAC scheme from a PRF](../2023-09-21-macs/#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
 #### Prepending the Key
@@ -214,9 +215,9 @@ Define $S((k_1,k_2), m) = H(k_2 \parallel H(k_1 \parallel m))$. This can also be
 This can be thought of as blocking the length extension attack from prepending the key method.
-### HMAC
+### HMAC Definition
-![mc-06-hmac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-hmac.png#)
+![mc-06-hmac.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-hmac.png)
 This is a variant of the two-key nest, but the difference is that the keys $k _ 1', k _ 2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
--- a/_posts/lecture-notes/modern-cryptography/2023-10-03-key-exchange.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-10-03-key-exchange.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,9 +14,9 @@ title: 7. Key Exchange
 date: 2023-10-03
 github_title: 2023-10-03-key-exchange
 image:
-  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-07-dhke.png
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-07-dhke.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 In symmetric key encryption, we assumed that the two parties already share the same key. We will see how this can be done.
@@ -64,17 +65,17 @@ To implement the above protocol, we need two functions $E$ and $F$ that satisfy
 Let $p$ be a large prime, and let $q$ be another large prime dividing $p - 1$. We typically use very large random primes, $p$ is about $2048$ bits long, and $q$ is about $256$ bits long.
-All arithmetic will be done in $\mathbb{Z}_p$. We also consider $\mathbb{Z} _ p^ *$ , the **unit group** of $\mathbb{Z} _ p$. Since $\mathbb{Z} _ p$ is a field, $\mathbb{Z} _ p^ * = \mathbb{Z} _ p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z} _ p^ *$ has order $p-1$.
+All arithmetic will be done in $\mathbb{Z} _ p$. We also consider $\mathbb{Z} _ p^\ast$ , the **unit group** of $\mathbb{Z} _ p$. Since $\mathbb{Z} _ p$ is a field, $\mathbb{Z} _ p^\ast = \mathbb{Z} _ p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z} _ p^\ast$ has order $p-1$.
-Since $q$ is a prime dividing $p - 1$, $\mathbb{Z}_p^*$ has an element $g$ of order $q$.[^1] Let
+Since $q$ is a prime dividing $p - 1$, $\mathbb{Z} _ p^\ast$ has an element $g$ of order $q$.[^1] Let
 $$
-G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z}_p^*.
+G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z} _ p^\ast.
 $$
 We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
-![mc-07-dhke.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke.png#)
+![mc-07-dhke.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-07-dhke.png)
 > 1. Alice chooses $\alpha \leftarrow \mathbb{Z} _ q$ and computes $g^\alpha$.
 > 2. Bob chooses $\beta \leftarrow \mathbb{Z} _ q$ and computes $g^\beta$.
@@ -99,7 +100,7 @@ We have used $E(x) = g^x$ in the above implementation. This function is called t
 We required that $E$ must be a one-way function for the protocol to work. So it must be hard to compute the discrete logarithm function. There are some problems related to the discrete logarithm, which are used as assumptions in the security proof. They are formalized as a security game, as usual.
-$G = \left\langle g \right\rangle \leq \mathbb{Z} _ p^{ * }$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary.
+$G = \left\langle g \right\rangle \leq \mathbb{Z} _ p^\ast$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary.
 ### Discrete Logarithm Problem (DL)
@@ -189,7 +190,7 @@ Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many comm
 We assumed that the adversary only eavesdrops, but if the adversary carries out active attacks, then DHKE is not enough. The major problem is the lack of **authentication**. Alice and Bob are exchanging keys, but they both cannot be sure that there are in fact communicating with the other. An attacker can intercept messages and impersonate Alice or Bob. This attack is called a **man in the middle attack**, and this attack works on any key exchange protocol that lacks authentication.
-![mc-07-dhke-mitm.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke-mitm.png#)
+![mc-07-dhke-mitm.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-07-dhke-mitm.png)
 The adversary will impersonate Bob when communicating with Alice, and will do the same for Bob by pretending to be Alice. The values of $\alpha, \beta$ that Alice and Bob chose are not leaked, but the adversary can decrypt anything in the middle and obtain the plaintext.
@@ -211,7 +212,7 @@ Before Diffie-Hellman, Merkle proposed an idea for secure key exchange protocol
 The idea was to use *puzzles*, which are problems that can be solved with some effort.
-![mc-07-merkle-puzzles.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-merkle-puzzles.png#)
+![mc-07-merkle-puzzles.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-07-merkle-puzzles.png)
 > Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$.
 > 1. Alice chooses random pairs $(k _ i, s _ i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.
@@ -240,5 +241,5 @@ It is unknown whether we can get a better gap (than quadratic) using a general s
 To get exponential gaps, we need number theory.
-[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z}_p^*$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group.
+[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z} _ p^\ast$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group.
 [^2]: R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the Symposium on Theory of Computing (STOC), pages 44–61, 1989.
--- a/_posts/lecture-notes/modern-cryptography/2023-10-05-number-theory.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-10-05-number-theory.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -15,7 +16,6 @@ date: 2023-10-05
 github_title: 2023-10-05-number-theory
 ---
 ## Background
 ### Number Theory
--- a/_posts/lecture-notes/modern-cryptography/2023-10-19-public-key-encryption.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-10-19-public-key-encryption.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,12 +14,11 @@ title: 9. Public Key Encryption
 date: 2023-10-19
 github_title: 2023-10-19-public-key-encryption
 image:
-  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-09-ss-pke.png
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-09-ss-pke.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 In symmetric encryption, we assumed that the two parties had a shared key in advance. If the two parties do not have a shared key, **public-key encryption** can be used to encrypt messages.
 ## Public Key Encryption
@@ -45,7 +45,7 @@ Public key $pk$ will be publicized. After Alice obtains $pk$, she can use it to
 The following notion of security is only for an eavesdropping adversary.
-![mc-09-ss-pke.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-09-ss-pke.png)
+![mc-09-ss-pke.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-09-ss-pke.png)
 > **Definition.** Let $\mc{E} = (G, E, D)$ be a public key encryption scheme defined over $(\mc{M}, \mc{C})$. For an adversary $\mc{A}$, we define two experiments.
 >
@@ -151,9 +151,9 @@ We also define CCA security for public key encryption, which models a wide spect
 > 	- *Encryption*: Send $(m _ {i _ ,0}, m _ {i, 1})$ and receive $c' _ i \la E(pk, m _ {i, b})$.
 > 	- *Decryption*: Send $c _ i$ and receive $m' _ i \la D(sk, c _ i)$.
 > 	- Note that $\mc{A}$ is not allowed to make a decryption query for any $c _ i'$.
-> 3. $\mc{A}$ outputs a pair of messages $(m_0^ * , m_1^*)$.
+> 3. $\mc{A}$ outputs a pair of messages $(m _ 0^\ast , m _ 1^\ast)$.
-> 4. The challenger generates $c^* \la E(pk, m_b^*)$ and gives it to $\mc{A}$.
+> 4. The challenger generates $c^\ast \la E(pk, m _ b^\ast)$ and gives it to $\mc{A}$.
-> 5. $\mc{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^*$.
+> 5. $\mc{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^\ast$.
 > 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
 >
 > Let $W _ b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mc{E}$** is defined as
@@ -176,7 +176,7 @@ Similarly, 1CCA security implies CCA security, as in the above theorem. So to sh
 ### Active Adversaries in Symmetric vs Public Key
-In symmetric key encryption, we studied [authenticated encryption (AE)](../2023-09-26-cca-security-authenticated-encryption/#authenticated-encryption-ae), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
+In symmetric key encryption, we studied [authenticated encryption (AE)](../2023-09-26-cca-security-authenticated-encryption/#authenticated-encryption-(ae)), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
 However in public-key schemes, adversaries can always create new ciphertexts using the public key, which makes the original definition of ciphertext integrity unusable. Thus we directly require CCA security.
--- a/_posts/lecture-notes/modern-cryptography/2023-10-26-digital-signatures.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-10-26-digital-signatures.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,19 +14,18 @@ title: 10. Digital Signatures
 date: 2023-10-26
 github_title: 2023-10-26-digital-signatures
 image:
-  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-10-dsig-security.png
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-10-dsig-security.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 ## Digital Signatures
 > **Definition.** A **signature scheme** $\mc{S} = (G, S, V)$ is a triple of efficient algorithms, where $G$ is a **key generation** algorithm, $S$ is a **signing** algorithm, and $V$ is a **verification** algorithm.
 >
 > - A probabilistic algorithm $G$ outputs a pair $(pk, sk)$, where $sk$ is called a secret **signing key**, and $pk$ is a public **verification key**.
 > - Given $sk$ and a message $m$, a probabilistic algorithm $S$ outputs a **signature** $\sigma \la S(sk, m)$.
-> - $V$ is a deterministic algorithm that outputs either $\texttt{{accept}}$ or $\texttt{reject}$ for $V(pk, m, \sigma)$.
+> - $V$ is a deterministic algorithm that outputs either $\texttt{accept}$ or $\texttt{reject}$ for $V(pk, m, \sigma)$.
 The correctness property requires that all signatures generated by $S$ is always accepted by $V$. For all $(pk, sk) \la G$ and $m \in \mc{M}$,
@@ -57,7 +57,7 @@ $$
 The definition is similar to the [secure MAC](../2023-09-21-macs/#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**.
-![mc-10-dsig-security.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-dsig-security.png)
+![mc-10-dsig-security.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-10-dsig-security.png)
 > **Definition.** Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$. Given an adversary $\mc{A}$, the game goes as follows.
 >
@@ -184,7 +184,7 @@ This scheme is originally from the **Schnorr identification protocol**.
 Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z _ q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**.
-![mc-10-schnorr-identification.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
+![mc-10-schnorr-identification.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-10-schnorr-identification.png)
 The protocol $\mc{I} _ \rm{sch} = (G, P, V)$ works as follows.
@@ -239,7 +239,7 @@ Schnorr's scheme was protected by a patent, so NIST opted for a ad-hoc signature
 How would you trust public keys? We introduce **digital certificates** for this.
-Read in [public key infrastructure (Internet Security)](../../internet-security/2023-10-16-pki).
+Read in [public key infrastructure (Internet Security)](../../internet-security/2023-10-16-pki/).
 [^1]: A Graduate Course in Applied Cryptography
 [^2]: By using the [Fiat-Shamir transform](../2023-11-07-sigma-protocols/#the-fiat-shamir-transform).
--- a/_posts/lecture-notes/modern-cryptography/2023-10-31-advanced-topics.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-10-31-advanced-topics.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -14,7 +15,6 @@ date: 2023-10-31
 github_title: 2023-10-31-advanced-topics
 ---
 ## Ciphertext Indistinguishability
 - By **Shafi Goldwasser** and **Silvio Micali**
--- a/_posts/lecture-notes/modern-cryptography/2023-11-02-zkp-intro.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-11-02-zkp-intro.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,12 +14,11 @@ title: 12. Zero-Knowledge Proof (Introduction)
 date: 2023-11-02
 github_title: 2023-11-02-zkp-intro
 image:
-  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-12-id-protocol.png
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-12-id-protocol.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 - In 1980s, the notion of *zero knowledge* was proposed by Shafi Goldwasser, Silvio micali and Charles Rackoff.
 - **Interactive proof systems**: a **prover** tries to convince the **verifier** that some statement is true, by exchanging messages.
 	- What if the prover is trying to trick the verifier?
@@ -28,7 +28,7 @@ attachment:
 ## Identification Protocol
-![mc-12-id-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-12-id-protocol.png)
+![mc-12-id-protocol.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-12-id-protocol.png)
 > **Definition.** An **identification protocol** is a triple of algorithms $\mc{I} = (G, P, V)$ satisfying the following.
 > 
--- a/_posts/lecture-notes/modern-cryptography/2023-11-07-sigma-protocols.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-11-07-sigma-protocols.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -13,12 +14,11 @@ title: 13. Sigma Protocols
 date: 2023-11-07
 github_title: 2023-11-07-sigma-protocols
 image:
-  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-13-sigma-protocol.png
+  path: assets/img/posts/lecture-notes/modern-cryptography/mc-13-sigma-protocol.png
 attachment:
-  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols.
 ## Sigma Protocols
@@ -27,7 +27,7 @@ The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) c
 > **Definition.** An **effective relation** is a binary relation $\mc{R} \subset \mc{X} \times \mc{Y}$, where $\mc{X}$, $\mc{Y}$, $\mc{R}$ are efficiently recognizable finite sets. Elements of $\mc{Y}$ are called **statements**. If $(x, y) \in \mc{R}$, then $x$ is called a **witness for** $y$.
-![mc-13-sigma-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-sigma-protocol.png)
+![mc-13-sigma-protocol.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-sigma-protocol.png)
 > **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **sigma protocol** for $\mc{R}$ is a pair of algorithms $(P, V)$ satisfying the following.
 > 
@@ -107,7 +107,7 @@ Also note that **the simulator is free to generate the messages in any convenien
 The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](../2023-10-26-digital-signatures/#the-schnorr-identification-protocol) for the full description.
-![mc-10-schnorr-identification.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
+![mc-10-schnorr-identification.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-10-schnorr-identification.png)
 > The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where
 > 
@@ -165,7 +165,7 @@ $$
 goes as follows.
-![mc-13-okamoto.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-okamoto.png)
+![mc-13-okamoto.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-okamoto.png)
 > 1. $P$ computes random $\alpha _ t, \beta _ t \la \bb{Z} _ q$ and sends commitment $u _ t \la g^{\alpha _ t}h^{\beta _ t}$ to $V$.
 > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
@@ -192,7 +192,7 @@ $$
 goes as follows.
-![mc-13-chaum-pedersen.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-chaum-pedersen.png)
+![mc-13-chaum-pedersen.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-chaum-pedersen.png)
 > 1. $P$ computes random $\beta _ t \la \bb{Z} _ q$ and sends commitment $v _ t \la g^{\beta _ t}$, $w _ t \la u^{\beta _ t}$ to $V$.
 > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
@@ -223,7 +223,7 @@ $$
 goes as follows.
-![mc-13-gq-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-gq-protocol.png)
+![mc-13-gq-protocol.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-gq-protocol.png)
 > 1. $P$ computes random $x _ t \la \bb{Z} _ n^{\ast}$ and sends commitment $y _ t \la x _ t^e$ to $V$.
 > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
@@ -279,7 +279,7 @@ If the challenge is known in advance, the prover can cheat. We exploit this fact
 Suppose we are given two sigma protocols $(P _ 0, V _ 0)$ for $\mc{R} _ 0 \subset \mc{X} _ 0 \times \mc{Y} _ 0$ and $(P _ 1, V _ 1)$ for $\mc{R} _ 1 \subset \mc{X} _ 1 \times \mc{Y} _ 1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim} _ 0$ and $\rm{Sim} _ 1$.
-We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on ${} \big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1) {}$ as
+We combine the protocols to form a sigma protocol for the relation $\mc{R} _ \rm{OR}$ defined on $\big( \braces{0, 1} \times (\mc{X} _ 0 \cup \mc{X} _ 1) \big) \times (\mc{Y} _ 0\times \mc{Y} _ 1)$ as
 $$
 \mc{R} _ \rm{OR} = \bigg\lbrace \big( (b, x), (y _ 0, y _ 1)  \big): (x, y _ b) \in \mc{R} _ b\bigg\rbrace.
@@ -468,7 +468,7 @@ where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. N
 Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b _ i = -100$ or some arbitrary value.
-To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
+To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](../2023-11-07-sigma-protocols/#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](../2023-11-07-sigma-protocols/#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b _ i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
 [^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*.
 [^2]: A Graduate Course in Applied Cryptography.
--- a/_posts/lecture-notes/modern-cryptography/2023-11-09-secure-mpc.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-11-09-secure-mpc.md
@@ -0,0 +1,188 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 14. Secure Multiparty Computation
 date: 2023-11-09
 github_title: 2023-11-09-secure-mpc
 ---
 ## Secure Multiparty Computation (MPC)
 Suppose we have a function $f$ that takes $n$ inputs and produces $m$ outputs.
 $$
 (y _ 1, \dots, y _ m) = f(x _ 1, \dots, x _ n).
 $$
 $N$ parties $P _ 1, \dots, P _ N$ are trying to evaluate this function with a protocol. Each $x _ i$ is submitted by one of the parties, and each output $y _ j$ will be given to one or more parties.
 In **secure multiparty computation** (MPC), we wish to achieve some security functionalities.
 - **Privacy**: no party learns anything about any other party's inputs, except for the information in the output.
 - **Soundness**: honest parties compute correct outputs.
 - **Input independence**: all parties must choose their inputs independently of other parties' inputs.
 Security must hold even if there is any adversarial behavior in the party.
 ### Example: Secure Summation
 Suppose we have $n$ parties $P _ 1, \dots, P _ n$ with private values $x _ 1, \dots, x _ n$. We would like to *securely* compute the sum $s = x _ 1 + \cdots + x _ n$.
 > 1. Choose $M$ large enough so that $M > s$.
 > 2. $P _ 1$ samples $r \la \Z _ M$ and computes $s _ 1 = r + x _ 1 \pmod M$ and sends it to $P _ 2$.
 > 3. In the same manner, $P _ i$ computes $s _ i = s _ {i-1} + x _ i \pmod M$ and sends it to $P _ {i+1}$.
 > 4. As the final step, $s _ n$ is returned to $P _ 1$, where he outputs $s = s _ n - r \pmod M$.
 This protocol seems secure since $r$ is a random noise added to the actual partial sum. But the security actually depends on how we model adversarial behavior.
 Consider the case where parties $P _ 2$ and $P _ 4$ team up (collusion). These two can share information between them. They have the following:
 - $P _ 2$ has $s _ 1$, $s _ 2$, $x _ 2$.
 - $P _ 4$ has $s _ 3$, $s _ 4$, $x _ 4$.
 Using $s _ 2$ and $s _ 3$, they can compute $x _ 3 = s _ 3 - s _ 2$ and obtain the input of $P _ 3$. This violates privacy. Similarly, if $P _ i$ and $P _ j$ team up, the can compute the partial sum
 $$
 s _ {j - 1} - s _ {i} = x _ {i+1} + \cdots + x _ {j-1}
 $$
 which leaks information about the inputs of $P _ {i+1}, \dots, P _ {j-1}$.
 ## Modeling Adversaries for Multiparty Computation
 The adversary can decide not to follow the protocol and perform arbitrarily.
 - **Semi-honest** adversaries follows the protocol and tries to learn more information by inspecting the communication.
 - **Malicious** adversaries can behave in any way, unknown to us.
 Semi-honest adversaries are similar to *passive* adversaries, whereas malicious adversaries are similar to *active* adversaries.
 We can also model the **corruption strategy**. Some parties can turn into an adversary during the protocol.
 - In **static** corruptions, the set of adversarial parties is fixed throughout the execution.
 - In **adaptive** corruptions, the adversary corrupts parties during the execution, based on the information gained from the protocol execution.
 We can decide how much computational power to give to the adversary. For *computational security*, an adversary must be efficient, only polynomial time strategies are allowed. For *information-theoretic security*, an adversary has unbounded computational power.
 We will only consider **semi-honest** adversaries with **static** corruptions.
 ## Defining Security for Multiparty Computation
 The idea is the following.
 > An attack on the protocol in the **real world** is equivalent to some attack on the protocol in an **ideal world** in which no damage can be done.
 In the **ideal world**, we use a trusted party to implement a protocol. All parties, both honest and corrupted, submit their input to the trusted party. Since the trusted party is not corrupted, the protocol is safe.
 In the **real world**, there is no trusted party and parties must communicate with each other using a protocol.
 Thus, a secure protocol must provide security in the real world that is equivalent to that in the ideal world. The definition is saying the following: **there is no possible attack in the ideal world, so there is no possible attack in the real world**. This kind of definition implies privacy, soundness and input independence.
 > For every efficient adversary $\mc{A}$ in the real world, there exists an *equivalent* efficient adversary $\mc{S}$ (usually called a **simulator**) in the ideal world.
 ### Semi-Honest & Static Corruption
 - The *view* of a party consists of its input, random tape and the list of messages obtained from the protocol.
 	- The view of an adversary is the union of views of corrupted parties.
 	- If an adversary learned anything from the protocol, it must be efficiently computable from its view.
 - If a protocol is secure, it must be possible in the ideal world to generate something indistinguishable from the real world adversary's view.
 	- In the ideal world, the adversary's view consists of inputs/outputs to and from the trusted party.
 	- An adversary in the ideal world must be able to generate a view equivalent to the real world view. We call this ideal world adversary a **simulator**.
 	- If we show the existence of a simulator, a real world adversary's ability is the same as an adversary in the ideal world.
 > **Definition.** Let $\mc{A}$ be the set of parties that are corrupted, and let $\rm{Sim}$ be a simulator algorithm.
 > - $\rm{Real}(\mc{A}; x _ 1, \dots, x _ n)$: each party $P _ i$ runs the protocol with private input $x _ i$. Let $V _ i$ be the final view of $P _ i$. Output $\braces{V _ i : i \in \mc{A}}$.
 > - $\rm{Ideal} _ \rm{Sim}(x _ 1, \dots, x _ n)$: output $\rm{Sim}(\mc{A}; \braces{(x _ i, y _ i) : i \in \mc{A}})$.
 > 
 > A protocol is **secure against semi-honest adversaries** if there exists a simulator such that for every subset of corrupted parties $\mc{A}$, its views in the real and ideal worlds are indistinguishable.
 ## Oblivious Transfer (OT)
 This is a building block for building any MPC.
 Suppose that the sender has data $m _ 1, \dots, m _ n \in \mc{M}$, and the receiver has an index $i \in \braces{1, \dots, n}$. The sender wants to send exactly one message and hide others. Also, the receiver wants to hide which message he received.
 This problem is called 1-out-of-$n$ **oblivious transfer** (OT).
 ### 1-out-of-2 OT Construction from ElGamal Encryption
 We show an example of 1-out-of-2 OT using the ElGamal encryptions scheme. We use a variant where a hash function is used in encryption.
 It is known that $k$-out-of-$n$ OT is constructible from 1-out-of-2 OTs.
 > Suppose that the sender Alice has messages $x _ 0, x _ 1 \in \braces{0, 1}\conj$, and the receiver Bob has a choice $\sigma \in \braces{0, 1}$.
 > 
 > 1. Bob chooses $sk = \alpha \la \Z _ q$ and computes $h = g^\alpha$, and chooses $h' \la G$.
 > 2. Bob sets $pk _ \sigma = h$ and $pk _ {1-\sigma} = h'$ and sends $(pk _ 0, pk _ 1)$ to Alice.
 > 3. Alice encrypts each $x _ i$ using $pk _ i$, obtains two ciphertexts.
 > 	- $\beta _ 0, \beta _ 1 \la \Z _ q$.
 > 	- $c _ 0 = \big( g^{\beta _ 0}, H(pk _ 0^{\beta _ 0}) \oplus x _ 0 \big)$, $c _ 1 = \big( g^{\beta _ 1}, H(pk _ 1^{\beta _ 1}) \oplus x _ 1 \big)$.
 > 4. Alice sends $(c _ 0, c _ 1)$ to Bob.
 > 5. Bob decrypts $c _ \sigma$ with $sk$ to get $x _ \sigma$.
 Correctness is obvious.
 Alice's view contains the following: $x _ 0, x _ 1, pk _ 0, pk _ 1, c _ 0, c _ 1$. Among these, $pk _ 0, pk _ 1$ are the received values from Bob. But these are random group elements, so she learns nothing about $\sigma$. The simulator can choose two random group elements to simulate Alice.
 Bob's view contains the following: $\sigma, \alpha, g^\alpha, h', c _ 0, c _ 1, x _ \sigma$. He only knows one private key, so he only learns $x _ \sigma$, under the DL assumption. (He doesn't have the discrete logarithm for $h'$) The simulator must simulate $c _ 0, c _ 1$, so it encrypts $x _ \sigma$ with $pk _ \sigma$, and as for $x _ {1-\sigma}$, a random message is encrypted with $pk _ {1-\sigma}$. This works because the encryption scheme is semantically secure, meaning that it doesn't reveal any information about the underlying message.
 The above works for **semi-honest** parties. To prevent malicious behavior, we fix the protocol a bit.
 > 1. Alice sends a random $w \la G$ first.
 > 2. Bob must choose $h$ and $h'$ so that $hh' = w$. $h$ is chosen the same way, and $h' = wh\inv$ is computed.
 > 
 > The remaining steps are the same, except that Alice checks if $pk _ 0 \cdot pk _ 1 = w$.
 Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose $\alpha' \la \Z _ q$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c _ 0, c _ 1$, revealing $x _ 0, x _ 1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior.
 ### 1-out-of-$n$ OT Construction from ElGamal Encryption
 Let $m _ 1, \dots, m _ n \in \mc{M}$ be the messages to send, and let $i$ be an index. We will use ElGamal encryption on a cyclic group $G = \span{g}$ of prime order, with a hash function and a semantically secure symmetric cipher $(E _ S, D _ S)$.
 > 1. Alice chooses $\beta \la \Z _ q$, computes $v \la g^\beta$ and sends $v$ to Bob.
 > 2. Bob chooses $\alpha \la \Z _ q$, computes $u \la g^\alpha v^{-i}$ and sends $u$ to Alice.
 > 3. For $j = 1, \dots, n$, Alice computes the following.
 > 	- Compute $u _ j \la u \cdot v^j = g^\alpha v^{j-i}$ as the public key for the $j$-th message.
 > 	- Encrypt $m _ j$ as $(g^\beta, c _ j)$, where $c _ j \la E _ S\big( H(g^\beta, u _ j^\beta), m _ j \big)$.
 > 4. Alice sends $(c _ 1, \dots, c _ n)$ to Bob.
 > 5. Bob decrypts $c _ i$ as follows.
 > 	- Compute symmetric key $k \la H(v, v^\alpha)$ where $v = g^\beta$ from step $1$.
 > 	- $m _ i \la D _ S(k, c _ i)$.
 Note that all ciphertexts $c _ j$ were created from the same ephemeral key $\beta \in \Z _ q$.
 For correctness, we check that Bob indeed receives $m _ i$ from the above protocol. Check that $u _ i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u _ i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c _ i = E _ S\big( H(g^\beta, u _ i^\beta), m _ i \big) = E _ S\big( H(v, v^\alpha), m _ i \big)$, the decryption gives $m _ i$.
 Now is this oblivious? All that Alice sees is $u = g^\alpha v^{-i}$ from Bob. Since $\alpha \la \Z _ q$, $u$ is uniformly distributed over elements of $G$. Alice learns no information about $i$.
 As for Bob, we need the **CDH assumption**. Suppose that Bob can query $H$ on two different ciphertexts $c _ {j _ 1}, c _ {j _ 2}$. Then he knows
 $$
 u _ {j _ 1}^\beta/u _ {j _ 2}^\beta = v^{\beta(j _ 1 - j _ 2)},
 $$
 and by raising both to the $(j _ 1 - j _ 2)\inv$ power (inverse in $\Z _ q$), he can compute $v^\beta = g^{\beta^2}$. Thus, Bob has computed $g^{\beta^2}$ from $g^\beta$, and this breaks the CDH assumption.[^1] Thus Bob cannot query $H$ on two points, and is unable to decrypt two ciphertexts. He only learns $m _ i$.
 ### OT for Computing $2$-ary Function with Finite Domain
 We can use an OT for computing a $2$-ary function with finite domain.
 Let $f : X _ 1 \times X _ 2 \ra Y$ be a deterministic function with $X _ 1$, $X _ 2$ both finite. There are two parties $P _ 1, P _ 2$ with inputs $x _ 1, x _ 2$, and they want to compute $f(x _ 1, x _ 2)$ without revealing their input.
 Then we can use $1$-out-of-$\abs{X _ 2}$ OT to securely compute $f(x _ 1, x _ 2)$. Without loss of generality, suppose that $P _ 1$ is the sender.
 $P _ 1$ computes $y _ x =f(x _ 1, x)$ for all $x \in X _ 2$, resulting in $\abs{X _ 2}$ messages. Then $P _ 1$ performs 1-out-of-$\abs{X _ 2}$ OT with $P _ 2$. The value of $x _ 2$ will be used as the choice of $P _ 2$, which will be oblivious to $P _ 1$.[^2]
 This method is inefficient, so we have better methods!
 [^1]: Given $g^\alpha, g^\beta$, compute $g^{\alpha + \beta}$. Then compute $g^{\alpha^2}, g^{\beta^2}, g^{(\alpha+\beta)^2}$, and obtain $g^{2\alpha\beta}$. Exponentiate by $2\inv \in \Z _ q$ to find $g^{\alpha\beta}$.
 [^2]: Can $P _ 1$ learn the value of $x _ 2$ from the final output $y _ {x _ 2} = f(x _ 1, x _ 2)$?
--- a/_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -14,8 +15,7 @@ date: 2023-11-14
 github_title: 2023-11-14-garbled-circuits
 ---
-
+A simple solution for two party computation would be to use oblivious transfers as noted [here](../2023-11-09-secure-mpc/#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation.
 A simple solution for two party computation would be to use oblivious transfers as noted [here](../2023-11-09-secure-mpc/#ot-for-computing-2-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation.
 The term **garbled circuit** was used by Beaver-Micali-Rogaway (BMR), presenting a multiparty protocol using a similar approach to Yao's protocol.
@@ -42,7 +42,7 @@ Then we have the following garbled values, as in columns 1 to 3. Now, encrypt th
 |$A$|$B$|$C$|$C = \rm{AND}(A, B)$|
 |:-:|:-:|:-:|:-:|
 |$A _ 0$|$B _ 0$|$C _ 0$|$E(A _ 0 \parallel B _ 0, C _ 0)$|
-|$A_0$|$B_1$|$C_0$|${} E(A_0 \parallel B_1, C_0) {}$|
+|$A _ 0$|$B _ 1$|$C _ 0$|$E(A _ 0 \parallel B _ 1, C _ 0)$|
 |$A _ 1$|$B _ 0$|$C _ 0$|$E(A _ 1 \parallel B _ 0, C _ 0)$|
 |$A _ 1$|$B _ 1$|$C _ 1$|$E(A _ 1 \parallel B _ 1, C _ 1)$|
--- a/_posts/lecture-notes/modern-cryptography/2023-11-16-gmw-protocol.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-11-16-gmw-protocol.md
@@ -0,0 +1,290 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 16. The GMW Protocol
 date: 2023-11-16
 github_title: 2023-11-16-gmw-protocol
 image:
  path: assets/img/posts/lecture-notes/modern-cryptography/mc-16-beaver-triple.png
 attachment:
  folder: assets/img/posts/lecture-notes/modern-cryptography
 ---
 There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](../2023-11-14-garbled-circuits/#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](../2023-11-09-secure-mpc/#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient.
 ## GMW Protocol
 The **Goldreich-Micali-Wigderson** (GMW) **protocol** is a designed for evaluating boolean circuits. In particular, it can be used for XOR and AND gates, which corresponds to addition and multiplication in $\Z _ 2$. Thus, the protocol can be generalized for evaluating arbitrary arithmetic circuits.
 We assume semi-honest adversaries and static corruption. The GMW protocol is known to be secure against any number of corrupted parties. We also assume that any two parties have private channels for communication.
 The idea is **secret sharing**, where each party shares its input with other parties. The actual input is not revealed, and after the computation, each party holds a *share* of the final result.
 The protocol can be broken down into $3$ phases.
 - **Input phase**: each party shares its input with the other parties.
 - **Evaluation phase**: each party computes gate by gate, using the shared values.
 - **Output phase**: each party publishes their output.
 ### Input Phase
 Suppose that we have $n$ parties $P _ 1, \dots, P _ n$ with inputs $x _ 1, \dots, x _ n \in \braces{0, 1}$. The inputs are bits but they can be generalized to inputs over $\Z _ q$ where $q$ is prime.
 > Each party $P _ i$ shares its input with other parties as follows.
 >
 > 1. Choose random $r _ {i, j} \la \braces{0, 1}$ for all $j \neq i$ and send $r _ {i, j}$ to $P _ j$.
 > 2. Set $r _ {i, i} = x _ i + \sum _ {i \neq j} r _ {i, j}$.
 Then we see that $x _ i = \sum _ {j = 1}^n r _ {i, j}$. Each party has a **share** of $x _ i$, which is $r _ {i, j}$. We have a notation for this,
 $$
 [x _ i] = (r _ {i, 1}, \dots, r _ {i, n}).
 $$
 It means that $r _ {i, 1}, \dots, r _ {i, n}$ are shares of $x _ i$.
 After this phase, each party $P _ j$ has $n$ shares $r _ {1, j}, \dots, r _ {n,j}$, where each is a share of $x _ i$.
 ### Evaluation Phase
 Now, each party computes each gate using the shares received from other parties. We describe how the XOR and AND gate are computed.
 #### Evaluating XOR Gates
 Suppose we want to compute a share of $c = a + b$. Then, since
 $$
 [c] = [a] + [b],
 $$
 each party can simply add all the input shares.
 If $y = x _ 1 + \cdots + x _ n$, then party $P _ j$ will compute $y _ j = \sum _ {i=1}^n r _ {i, j}$, which is a share of $y$, $[y] = (y _ 1, \dots, y _ n)$. It can be checked that
 $$
 y = \sum _ {j=1}^n y _ j = \sum _ {j=1}^n \sum _ {i=1}^n r _ {i, j}.
 $$
 #### Evaluating AND Gates
 AND gates are not as simple as XOR gates. If $c = ab$,
 $$
 c = \paren{\sum _ {i=1}^n a _ i} \paren{\sum _ {j=1}^n b _ j} = \sum _ {i=1}^n a _ ib _ i + \sum _ {1 \leq i < j \leq n} (a _ ib _ j + a _ j b _ i).
 $$
 The first term can be computed internally by each party. The problem is the second term. $P _ i$ doesn't know the values of $a _ j$ and $b _ j$. Therefore, we need some kind of interaction between $P _ i$ and $P _ j$, but no information should be revealed. We can use an OT for this.
 > For every pair of parties $(P _ i, P _ j)$, perform the following.
 >
 > 1. $P _ i$ chooses a random bit $s _ {i, j}$ and computes all possible values of $a _ ib _ j + a _ jb _ i + s _ {i, j}$. These values are used in the OT.
 > 2. $P _ i$ and $P _ j$ run a $1$-out-of-$4$ OT.
 > 3. $P _ i$ keeps $s _ {i, j}$ and $P _ j$ receives $a _ ib _ j + a _ jb _ i + s _ {i, j}$.
 - If $a _ ib _ j + a _ jb _ i$ is exposed to any party, it reveals information about other party's share.
 - These are bits, so $P _ i$ and $P _ j$ get to keep a share of $a _ ib _ j + a _ jb _ i$. If these aren't bits, then $s _ {i, j} - a _ ib _ j - a _ jb _ i$ must be computed for inputs to the OT.
 - Since $a _ j, b _ j \in \braces{0, 1}$, it is possible to compute all possible values, and use them in the OT. $(a _ j, b _ j)$ will be used as the choice of $P _ j$.
 ### Output Phase
 After evaluation, each party has a share of the final output, so the share is sent to the parties that will learn the output. These shares can be summed to obtain the final output value.
 ### Performance
 Addition is easy, but multiplication gates require $n \choose 2$ OTs. Thus the protocol requires a communication round among the parties for every multiplication gate. Also, the multiplication gates on the same level can be processed in parallel.
 Overall, the round complexity is $\mc{O}(d)$, where $d$ is the depth of the circuit, including only the multiplication gates.
 A shallow circuit is better for GMW protocols. However, shallow circuits may end up using more gates depending on the function.
 ## Security Proof
 We show the case when there are $n-1$ corrupted parties.[^1] Let $P _ i$ be the honest party and assume that all others are corrupted. We will construct a simulator.
 Let $(x _ 1, \dots, x _ n)$ be inputs to the function, and let $[y] = (y _ 1, \dots, y _ n)$ be output shares. The adversary's view contains $y$, and all $x _ j$, $y _ j$ values except for $x _ i$ and $y _ i$.
 To simulate the input phase, choose random shares to be communicated, both for $P _ i \ra P _ j$ and $P _ j \ra P _ i$. The shares were chosen randomly, so they are indistinguishable to the real protocol execution.
 For the evaluation phase, XOR gates can be computed internally, so we only consider AND gates.
 - When $P _ j$ is the receiver, choose a random bit as the value learned from the OT. Since the OT contains possible values of $a _ ib _ j + a _ jb _ i + s _ {i, j}$ and they are random, the random bit is equivalent.
 - When $P _ j$ is the sender, choose $s _ {i, j}$ randomly and compute all $4$ possible values following the protocol.
 Lastly, for the output phase, the simulator has to simulate the message $y _ i$ from $P _ i$. Since the final output $y$ is known and $y _ j$ ($j \neq i$) is known, $y _ i$ can be computed from the simulator.
 We see that the distribution of the values inside the simulator is identical to the view in the real protocol execution.
 ## Beaver Triples
 **Beaver triple sharing** is an offline optimization method for multiplication (AND) gates in the GMW protocol. Before actual computation, Beaver triples can be shared to speed up multiplication gates, reducing the running time in the online phase. Note that the overall complexity is the same.
 > **Definition.** A **Beaver triple** is a triple $(x, y, z)$ such that $z = xy$.
 ### Beaver Triple Sharing
 When Beaver triples are shared, $[x] = (x _ 1, x _ 2)$ and $[y] = (y _ 1, y _ 2)$ are chosen so that
 $$
 \tag{$\ast$}
 z = z _ 1 + z _ 2 = (x _ 1 + x _ 2)(y _ 1 + y _ 2) = x _ 1y _ 1 + x _ 1y _ 2 + x _ 2y _ 1 + x _ 2y _ 2.
 $$
 > 1. Each party $P _ i$ chooses random bits $x _ i, y _ i$. Now they must generate $z _ 1, z _ 2$ so that the values satisfy equation $(\ast)$ above.
 > 2. $P _ 1$ chooses a random bit $s$ and computes all $4$ possible values of $s + x _ 1y _ 2 + x _ 2y _ 1$.
 > 3. $P _ 1$ and $P _ 2$ run a $1$-out-of-$4$ OT.
 > 4. $P _ 1$ keeps $z _ 1 = s + x _ 1y _ 1$, $P _ 2$ keeps $z _ 2 = (s + x _ 1y _ 2 + x _ 2y _ 1) + x _ 2y _ 2$.
 Indeed, $z _ 1, z _ 2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
 ### Evaluating AND Gates with Beaver Triples
 Now, in the actual computation of AND gates, proceed as follows.
 ![mc-16-beaver-triple.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-16-beaver-triple.png)
 > Each $P _ i$ has a share of inputs $a _ i, b _ i$ and a Beaver triple $(x _ i, y _ i, z _ i)$.
 > 1. Each $P _ i$ computes $u _ i = a _ i + x _ i$, $v _ i = b _ i + y _ i$.
 > 2. $P _ i$ shares $u _ i, v _ i$ to $P _ {3-i}$ and receives $u _ {3-i}, v _ {3-i}$ from $P _ {3-i}$.
 > 3. Each party now can compute $u = u _ 1 + u _ 2$, $v = v _ 1 + v _ 2$.
 > 4. $P _ 1$ computes $c _ 1 = uv + uy _ 1 + vx _ 1 + z _ 1$, $P _ 2$ computes $c _ 2 = uy _ 2 + vx _ 2 + z _ 2$.
 Note that
 $$
 \begin{aligned}
 c = c _ 1 + c _ 2 &= uv + u(y _ 1 + y _ 2) + v(x _ 1 + x _ 2) + (z _ 1 + z _ 2) \\
 &= uv + uy + vx + xy \qquad (\because z = xy)  \\
 &= u(v + y) + x(v + y) \\
 &= (u + x)(v + y) = ab
 \end{aligned}
 $$
 The last equality comes from the fact that $u = a + x$ and $v = b+y$ from step $1$. The equation was derived from the following observation.
 $$
 c = ab = (a + x)(b + y) - x(b + y) - y(a + x) + xy.
 $$
 Substitute $u = a +x$ and $v = b + y$, since $z = xy$, we have
 $$
 c = uv - xv - yu + z.
 $$
 Thus
 $$
 [c] = uv - [x]v - [y]u + [z],
 $$
 and $uv$ is public, so any party can include it in its share.
 Also note that $u _ i, v _ i$ does not reveal any information about $x _ i, y _ i$. Essentially, they are *one-time pad* encryptions of $x _ i$ and $y _ i$ since $a _ i, b _ i$ were chosen randomly. No need for OTs during actual computation.
 ### Reusing Beaver Triples?
 **Beaver triples are to be used only once!** If $u _ 1 = a _ 1 + x _ 1$ and $u _ 1' = a _ 1' + x _ 1$, then $u _ 1 + u _ 1' = a _ 1 + a _ 1'$, revealing information about $a _ 1 + a _ 1'$.
 Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](../2023-11-16-gmw-protocol/#ot-extension) described below.
 ## Comparison of Yao and GMW
 |Protocol|Yao|GMW|
 |:-:|:-:|:-:|
 |Metaphor|Apple: bite-by-bite|Orange: peel and eat|
 |Pros|Constant round complexity|Circuit evaluation is simple|
 |Cons|Requires symmetric cipher in the online phase|High overhead in AND gates|
 |Good In|High latency networks|Low latency networks|
 |Round Complexity|$\mc{O}(1)$|Depends on circuit depth. $n$ OTs per AND gates per party.|
 Yao's protocol computes gates bite-by-bite, whereas GMW protocol is peel-and-eat. Most of the effort is required in the preprocessing phase, by sharing many Beaver triples, but the evaluation phase is easy.
 ## OT Extension
 Both Yao's and GMW protocol use OTs. Depending on the computation, one may end up performing thousands of OTs, which can be inefficient.
 There is a technique called **OT extension**, that allows us to obtain many OT instances from a small number of OT instances. OT extension only uses small number of base OTs, and uses symmetric cipher to extend it to many OTs.
 ### Protocol Description
 This protocol will extend $n$ OTs to $m$ OTs, where $m \gg n$.
 - Sender has inputs $\paren{x _ i^0, x _ i^1}$ for $i = 1, \dots, m$.
 - Receiver has choice vector $\sigma = (\sigma _ 1, \dots, \sigma _ m) \in \braces{0, 1}^m$.
 	- After the protocol, the receiver will get $x _ i^{\sigma _ i}$ for $i = 1, \dots, m$.
 > **First phase.**
 >
 > 1. The receiver samples $n$ random strings $T _ 1, \dots, T _ n \la \braces{0, 1}^m$ of length $m$.
 > 2. The receiver prepares pairs $\paren{T _ i, T _ i \oplus \sigma}$ for $i = 1, \dots, n$ and plays *sender in base OT*.
 > 3. The sender chooses random $s = (s _ 1, \dots, s _ n) \in \braces{0, 1}^n$.
 > 4. The sender plays *receiver in base OT* with input $s _ i$ for $i = 1, \dots, n$.
 In the first phase, the roles are temporarily switched.
 - The receiver chose $n$ random $m$-bit vectors, now has a $m\times n$ bit matrix $T$.
 - For the $i$-th base OT, the receiver inputs $T _ i$ or $T _ i \oplus \sigma$. Therefore, if $s _ i = 0$, the sender gets $T _ i$. If $s _ i = 1$, then sender gets $T _ i \oplus \sigma$.
 - Suppose that the sender gets $Q _ i \in \braces{0, 1}^m$ in the $i$-th base OT. The sender will also have a $m \times n$ bit matrix $Q$.
 $$
 Q _ i = \begin{cases} T _ i  & (s _ i = 0)  \\
 	T _ i \oplus \sigma  & (s _ i = 1).
 \end{cases}
 $$
 **Now consider each row separately!** Let $A[k]$ be the $k$-th row of matrix $A$.
 If $\sigma _ j = 0$, the XOR operation in $T _ i \oplus \sigma$ has no effect on the $j$-th element (row), so the $j$-th element of $T _ i \oplus \sigma$ and $T _ i$ are the same. Thus, we have $Q[j] = T[j]$.
 On the other hand, suppose that $\sigma _ j = 1$ and consider each element of $Q[j]$. The $i$-th element is the $j$-th element of $Q _ i$. If $s _ i = 0$, then $Q _ i = T _ i$, so the $j$-th element (row) is the same as the $j$-th element of $T _ i$. If $s _ i = 1$, then $Q _ i = T _ i \oplus \sigma$, so the $j$-th element is flipped. Thus, $Q[j] = T[j] \oplus s$.
 $$
 Q[j] = \begin{cases} T[j] & (\sigma _ j = 0)  \\
 T[j] \oplus s & (\sigma _ j = 1).
 \end{cases}
 $$
 > **Second phase.** To perform the $j$-th transfer $(j = 1, \dots, m)$,
 >
 > 1. The sender sends $y _ j^0 = H(j, Q[j]) \oplus x _ j^0$ and $y _ j^1 = H(j, Q[j] \oplus s) \oplus x _ j^1$.
 > 2. The receiver computes $H(j, T[j]) \oplus y _ j^{\sigma _ j}$.
 If $\sigma _ j = 0$, then the sender gets
 $$
 H(j, T[j]) \oplus y _ j^0 = H(j, T[j]) \oplus H(j, Q[j]) \oplus x _ j^0 = x _ j^0.
 $$
 If $\sigma _ j = 1$,
 $$
 H(j, T[j]) \oplus y _ j^1 = H(j, T[j]) \oplus H(j, Q[j] \oplus s) \oplus x _ j^1 = x _ j^1.
 $$
 We have just shown correctness.
 ### Security Proof of OT Extension
 Intuitively, the sender receives either $T _ i$ or $T _ i \oplus \sigma$. But $T _ i$ are chosen randomly, so it hides $\sigma$, revealing no information.
 As for the receiver, the values $(x _ j^0, x _ j^1)$ are masked by a hash function, namely $H(j, Q[j])$ and $H(j, Q[j] \oplus s)$. The receiver can compute $H(j, T[j])$, which equals *only one of them* but since receiver has no information about $s$, prohibiting the receiver from computing the other mask.
 ### Performance of OT Extension
 The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT.
 One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](../2023-11-09-secure-mpc/#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data.
 Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing.
 [^1]: Intuitively, it may seem that proving security for $n-1$ corrupted parties would be the hardest. However, security for $n-1$ corrupted parties does not imply security for $n-2$ corrupted parties, in general.
 [^2]: There is a variant of sharing Beaver triples, where a dealer generates all $x _ i, y _ i, z _ i$ and gives them to each party.
 [^3]: A Graduate Course in Applied Cryptography.
--- a/_posts/lecture-notes/modern-cryptography/2023-11-23-bgv-scheme.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-11-23-bgv-scheme.md
@@ -0,0 +1,563 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 17. BGV Scheme
 date: 2023-11-23
 github_title: 2023-11-23-bgv-scheme
 ---
 ## Homomorphisms
 > **Definition.** Let $(X, \ast), (Y, \ast')$ be sets equipped with binary operations $\ast$, $\ast'$. A map $\varphi : X \ra Y$ is said to be a **homomorphism** if
 > 
 > $$
 > \varphi(a \ast b) = \varphi(a) \ast' \varphi(b)
 > $$
 > 
 > for all $a, b \in X$.
 A homomorphism *sort of* preserves the structure between two sets.[^1]
 We will mainly consider **additive homomorphisms** where
 $$
 \varphi(a + b) = \varphi(a) + \varphi(b),
 $$
 and **multiplicative homomorphisms** where
 $$
 \varphi(ab) = \varphi(a)\varphi(b).
 $$
 ## Homomorphic Encryption
 > **Definition.** A **homomorphic encryption scheme** defined over $\mc{M}$ consists of an encryption algorithm $E$ and a decryption algorithm $D$ such that
 > 
 > $$
 > D\big( E(x) + E(y) \big) = x + y
 > $$
 > 
 > or
 > 
 > $$
 > D\big( E(x) \cdot E(y) \big) = x \cdot y.
 > $$
 The **decryption $D$ is a homomorphism**. From ciphertexts of $x$ and $y$, this scheme can compute the ciphertext of $x + y$ or $x \cdot y$.
 There are mainly $3$ categories of homomorphic encryption.
 - **Partial** Homomorphic Encryption
 	- These schemes can evaluate *some* functions on encrypted data.
 	- Textbook RSA had a *homomorphic property*.
 - **Somewhat** Homomorphic Encryption (SHE)
 	- Both addition and multiplication are supported.
 	- But there is a limit on the number of operations.
 - **Fully** Homomorphic Encryption (FHE)
 	- Any function can be evaluated on encrypted data.
 	- There is a method called *bootstrapping* that compiles SHE into FHE.
 ### A Warm-up Scheme
 This is a sample scheme, which is insecure.
 > Choose parameters $n$ and $q$ as security parameters.
 > 
 > 1. Set secret key $\bf{s} = (s _ 1, \dots, s _ n) \in \Z^n$.
 > 2. For message $m \in \Z _ q$, encrypt it as follows.
 > 	- Randomly choose $\bf{a} = (a _ 1, \dots, a _ n) \la \Z _ q^n$.
 > 	- Compute $b = -\span{\bf{a}, \bf{s}} + m \pmod q$.
 > 	- Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$.
 > 3. To decrypt $\bf{c}$, compute $m = b + \span{\bf{a}, \bf{s}} \pmod q$.
 Correctness is trivial. Also, this encryption algorithm has the *additive homomorphism* property. If $b _ 1, b _ 2$ are encryptions of $m _ 1, m _ 2$, then
 $$
 b _ 1 = -\span{\bf{a} _ 1, \bf{s}} + m _ 1, \quad b _ 2 = -\span{\bf{a} _ 2, \bf{s}} + m _ 2
 $$
 in $\Z _ q$. Thus,
 $$
 b _ 1 + b _ 2 = -\span{\bf{a} _ 1 + \bf{a} _ 2, \bf{s}} + m _ 1 + m _ 2.
 $$
 Decrypting the ciphertext $(b _ 1 + b _ 2, \bf{a} _ 1 + \bf{a} _ 2)$ will surely give $m _ 1 + m _ 2$.
 But this scheme is not secure. After $n$ queries, the plaintext-ciphertext pairs can be transformed into a linear system of equations
 $$
 \bf{b} = -A \bf{s} + \bf{m},
 $$
 where $\bf{a} _ i$ are in the rows of $A$. This system can be solved for $\bf{s}$ with non-negligible probability.[^2]
 ## Lattice Cryptography
 Recall that schemes like RSA and ElGamal rely on the hardness of computational problems. The hardness of those problems make the schemes secure. There are other (known to be) *hard* problems using **lattices**, and recent homomorphic encryption schemes use **lattice-based** cryptography.
 > **Definition.** For $\bf{b} _ i \in \Z^n$ for $i = 1, \dots, n$, let $B = \braces{\bf{b} _ 1, \dots, \bf{b} _ n}$ be a basis. The set
 > 
 > $$
 > L = \braces{\sum _ {i=1}^n a _ i\bf{b} _ i : a _ i \in \Z}
 > $$
 > 
 > is called a **lattice**. The set $B$ is a basis over $L$.
 It is essentially a linear combination of basis elements, with *integer coefficients*.
 ### Bounded Distance Decoding Problem (BDD)
 Let $L$ be a lattice with basis $B$. Given
 $$
 \bf{t} = B\bf{u} + \bf{e} \notin L
 $$
 for a small error $\bf{e}$, the problem is to find the closest lattice point $B\bf{u} \in L$.
 It is known that all (including quantum) algorithms for solving BDD have costs $2^{\Omega(n)}$.
 This problem is easy when we have a *short* basis, where the angles between vectors are closer to $\pi/2$. For example, given $\bf{t}$, find $a _ i \in \R$ such that
 $$
 \bf{t} = a _ 1 \bf{b} _ 1 + \cdots a _ n \bf{b} _ n
 $$
 and return $B\bf{u}$ as
 $$
 B\bf{u} = \sum _ {i=1}^n \lfloor a _ i \rceil \bf{b} _ i.
 $$
 Then this $B\bf{u} \in L$ is pretty close to $\bf{t} \notin L$.
 ## Learning with Errors Problem (LWE)
 This is the problem we will mainly use for homomorphic schemes.
 Let $\rm{LWE} _ {n, q, \sigma}(\bf{s})$ denote the LWE distribution, where
 - $n$ is the number of dimensions,
 - $q$ is the modulus,
 - $\sigma$ is the standard deviation of error.
 Also $D _ \sigma$ denotes the discrete gaussian distribution with standard deviation $\sigma$.
 > Let $\bf{s} = (s _ 1, \dots, s _ n) \in \Z _ q^n$ be a secret.
 > 
 > - Sample $\bf{a} = (a _ 1, \dots, a _ n) \la \Z _ q^n$ and $e \la D _ \sigma$.
 > - Compute $b = \span{\bf{a}, \bf{s}} + e \pmod q$.
 > - Output $(b, \bf{a}) \in \Z _ q^{n+1}$.
 > 
 > This is called a **LWE instance**.
 ### Search LWE Problem
 > Given many samples from $\rm{LWE} _ {n, q, \sigma}(\bf{s})$, find $\bf{s}$.
 ### Decisional LWE Problem (DLWE)
 > Distinguish two distributions $\rm{LWE} _ {n, q, \sigma}(\bf{s})$ and $U(\Z _ q^{n+1})$.
 It is known that the two versions of LWE problem are **equivalent** when $q$ is a prime bounded by some polynomial in $n$.
 LWE problem can be turned into **assumptions**, just like the DL and RSA problems. As in DL and RSA, the LWE problem is not hard for any parameters $n, q$. The problem is harder if $n$ is large and $q$ is small.
 ## The BGV Scheme
 **BGV scheme** is by Brakerski-Gentry-Vaikuntanathan (2012). The scheme is defined over the finite field $\Z _ p$ and can perform arithmetic in $\Z _ p$.
 > Choose security parameters $n$, $q$ and $\sigma$. It is important that $q$ is chosen as an **odd** integer.
 > 
 > **Key Generation**
 > - Set secret key $\bf{s} = (s _ 1, \dots, s _ n) \in \Z^n$.
 > 
 > **Encryption**
 > - Sample $\bf{a} \la \Z _ q^n$ and $e \la D _ \sigma$.
 > - Compute $b = -\span{\bf{a}, \bf{s}} + m + 2e \pmod q$.
 > - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$.
 > 
 > **Decryption**
 > - Compute $r = b + \span{\bf{a}, \bf{s}} \pmod q$.
 > - Output $m = r \pmod 2$.
 Here, it can be seen that
 $$
 r = m + 2e \pmod q.
 $$
 For correctness, $e \ll q$, and
 $$
 \abs{r} = \abs{m + 2e} < \frac{1}{2}q.
 $$
 Under the LWE assumption, it can be proven that the scheme is semantically secure, i.e,
 $$
 E(\bf{s}, 0) \approx _ c E(\bf{s}, 1).
 $$
 ### Addition in BGV
 Addition is easy!
 > Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Then, $\bf{c} _ \rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
 *Proof*. Decrypt $\bf{c} _ \rm{add} = (b + b', \bf{a} + \bf{a}')$. If
 $$
 r = b + \span{\bf{a}, \bf{s}} = m + 2e \pmod q
 $$
 and
 $$
 r' = b' + \span{\bf{a}', \bf{s}} = m' + 2e' \pmod q,
 $$
 then we have
 $$
 r _ \rm{add} = b + b' + \span{\bf{a} + \bf{a}', \bf{s}} = r + r' = m + m' + 2(e + e') \pmod q.
 $$
 If $\abs{r + r'} < q/2$, then $m + m' = r _ \rm{add} \pmod 2$.
 ### Multiplication in BGV
 #### Tensor Product
 For multiplication, we need **tensor products**.
 > **Definition.** Let $\bf{a} = (a _ 1, \dots, a _ n)^\top, \bf{b} = (b _ 1, \dots, b _ n)^\top$ be vectors. Then the **tensor product** $\bf{a} \otimes \bf{b}$ is a vector with $n^2$ dimensions such that
 > 
 > $$
 > \bf{a} \otimes \bf{b} = \big( a _ i \cdot b _ j \big) _ {1 \leq i, j \leq n}.
 > $$
 We will use the following property.
 > **Lemma.** Let $\bf{a}, \bf{b}, \bf{c}, \bf{d}$ be $n$-dimensional vectors. Then,
 > 
 > $$
 > \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}} = \span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}}.
 > $$
 *Proof*. Denote the components as $a _ i, b _ i, c _ i, d _ i$.
 $$
 \begin{aligned}
 \span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}} &= \sum _ {i=1}^n\sum _ {j=1}^n a _ ic _ j \cdot b _ id _ j \\
 &= \paren{\sum _ {i=1}^n a _ ib _ i} \paren{\sum _ {j=1}^n c _ j d _ j} =  \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}}.
 \end{aligned}
 $$
 #### Multiplication
 Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Since
 $$
 r = b + \span{\bf{a}, \bf{s}} = m + 2e \pmod q
 $$
 and
 $$
 r' = b' + \span{\bf{a}', \bf{s}} = m' + 2e' \pmod q,
 $$
 we have that
 $$
 r _ \rm{mul} = rr' = (m + 2e)(m' + 2e') = mm' + 2e\conj \pmod q.
 $$
 So $mm' = r _ \rm{mul} \pmod 2$ if $e\conj$ is small.
 However, to compute $r _ \rm{mul} = rr'$ from the ciphertext,
 $$
 \begin{aligned}
 r _ \rm{mul} &= rr' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
 &= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'}.
 \end{aligned}
 $$
 Thus we define $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, then this can be decrypted with $(1, \bf{s}, \bf{s} \otimes \bf{s})$ by the above equation.
 > Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m'$. Then,
 > 
 > $$
 > \bf{c} _ \rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
 > $$
 > 
 > is an encryption of $mm'$ with $(1, \bf{s}, \bf{s} \otimes \bf{s})$.
 Not so simple as addition, we need $\bf{s} \otimes \bf{s}$.
 #### Problems with Multiplication
 The multiplication described above has two major problems.
 - The dimension of the ciphertext has increased to $n^2$.
 	- At this rate, multiplications get inefficient very fast.
 - The *noise* $e\conj$ grows too fast.
 	- For correctness, $e\conj$ must be small compared to $q$, but it grows exponentially.
 	- We can only perform $\mc{O}(\log q)$ multiplications.
 ### Dimension Reduction
 First, we reduce the ciphertext dimension. In the ciphertext $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{a} \otimes \bf{a}'$ is causing the problem, since it must be decrypted with $\bf{s} \otimes \bf{s}'$.
 Observe that the following dot product is calculated during decryption.
 $$
 \tag{1} \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} = \sum _ {i = 1}^n \sum _ {j=1}^n a _ i a _ j' s _ i s _ j.
 $$
 The above expression has $n^2$ terms, so they have to be manipulated. The idea is to switch these terms as encryptions of $\bf{s}$, instead of $\bf{s} \otimes \bf{s}'$.
 Thus we use encryptions of $s _ is _ j$ by $\bf{s}$. If we have ciphertexts of $s _ is _ j$, we can calculate the expression in $(1)$ since this scheme is *homomorphic*. Then the ciphertext can be decrypted only with $\bf{s}$, as usual. This process is called **relinearization**, and the ciphertexts of $s _ i s _ j$ are called **relinearization keys**.
 #### First Attempt
 > **Relinearization Keys**: for $1 \leq i, j \leq n$, perform the following.
 > - Sample $\bf{u} _ {i, j} \la \Z _ q^{n}$ and $e _ {i, j} \la D _ \sigma$.
 > - Compute $v _ {i, j} = -\span{\bf{u} _ {i, j}, \bf{s}} + s _ i s _ j + 2e _ {i, j} \pmod q$.
 > - Output $\bf{w} _ {i, j} = (v _ {i, j}, \bf{u} _ {i, j})$.
 > 
 > **Linearization**: given $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$ and $\bf{w} _ {i, j}$ for $1 \leq i, j \leq n$, output the following.
 > 
 > $$
 > \bf{c} _ \rm{mul}^\ast = (b _ \rm{mul}^\ast, \bf{a} _ \rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \bf{w} _ {i, j} \pmod q.
 > $$
 Note that the addition $+$ is the addition of two $(n+1)$-dimensional vectors. By plugging in $\bf{w} _ {i, j} = (v _ {i, j}, \bf{u} _ {i, j})$, we actually have
 $$
 b _ \rm{mul}^\ast = bb' + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' v _ {i, j}
 $$
 and
 $$
 \bf{a} _ \rm{mul}^\ast = b\bf{a}' + b'\bf{a} + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \bf{u} _ {i, j}.
 $$
 Now we check correctness. $\bf{c} _ \rm{mul}^\ast$ should decrypt to $mm'$ with only $\bf{s}$.
 $$
 \begin{aligned}
 b _ \rm{mul}^\ast + \span{\bf{a} _ \rm{mul}^\ast, \bf{s}} &= bb' + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' v _ {i, j} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \span{\bf{u} _ {i, j}, \bf{s}} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \paren{v _ {i, j} + \span{\bf{u} _ {i, j}, \bf{s}}}.
 \end{aligned}
 $$
 Since $v _ {i, j} + \span{\bf{u} _ {i, j}, \bf{s}} = s _ i s _ j + 2e _ {i, j} \pmod q$, the above expression further reduces to
 $$
 \begin{aligned}
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' \paren{s _ i s _ j + 2e _ {i, j}} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2\sum _ {i=1}^n\sum _ {j=1}^n a _ i a _ j' e _ {i, j} \\
 &= rr' + 2e\conj \pmod q,
 \end{aligned}
 $$
 and we have an encryption of $mm'$.
 However, we require that
 $$
 e\conj = \sum _ {i=1}^n \sum _ {j=1}^n a _ i a _ j' e _ {i, j} \ll q
 $$
 for correctness. It is highly unlikely that this relation holds, since $a _ i a _ j'$ will be large. They are random elements of $\Z _ q$ after all, so the size is about $\mc{O}(n^2 q)$.
 #### Relinearization
 We use a method to make $a _ i a _ j'$ smaller. The idea is to use the binary representation.
 Let $a[k] \in \braces{0, 1}$ denote the $k$-th least significant bit of $a \in \Z _ q$. Then we can write
 $$
 a = \sum _ {0\leq k<l} 2^k \cdot a[k]
 $$
 where $l = \ceil{\log q}$. Then we have
 $$
 a _ i a _ j' s _ i s _ j = \sum _ {0\leq k <l} (a _ i a _ j')[k] \cdot 2^k s _ i s _ j,
 $$
 so instead of encryptions of $s _ i s _ j$, we use encryptions of $2^k s _ i s _ j$.
 For convenience, let $a _ {i, j} = a _ i a _ j'$. Now we have triple indices including $k$.
 > **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
 > - Sample $\bf{u} _ {i, j, k} \la \Z _ q^{n}$ and $e _ {i, j, k} \la D _ \sigma$.
 > - Compute $v _ {i, j, k} = -\span{\bf{u} _ {i, j, k}, \bf{s}} + 2^k \cdot s _ i s _ j + 2e _ {i, j, k} \pmod q$.
 > - Output $\bf{w} _ {i, j, k} = (v _ {i, j, k}, \bf{u} _ {i, j, k})$.
 > 
 > **Linearization**: given $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w} _ {i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
 > 
 > $$
 > \bf{c} _ \rm{mul}^\ast = (b _ \rm{mul}^\ast, \bf{a} _ \rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum _ {i=1}^n \sum _ {j=1}^n \sum _ {k=0}^{\ceil{\log q}} a _ {i, j}[k] \bf{w} _ {i, j, k} \pmod q.
 > $$
 Correctness can be checked similarly. The bounds for summations are omitted for brevity. They range from $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$.
 $$
 \begin{aligned}
 b _ \rm{mul}^\ast + \span{\bf{a} _ \rm{mul}^\ast, \bf{s}} &= bb' + \sum _ {i, j, k} a _ {i, j}[k] \cdot v _ {i, j, k} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \cdot \span{\bf{u} _ {i, j, k}, \bf{s}} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \paren{v _ {i, j, k} + \span{\bf{u} _ {i, j, k}, \bf{s}}}.
 \end{aligned}
 $$
 Since $v _ {i, j, k} + \span{\bf{u} _ {i, j, k}, \bf{s}} = 2^k \cdot s _ i s _ j + 2e _ {i, j, k} \pmod q$, the above expression further reduces to
 $$
 \begin{aligned}
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \paren{2^k \cdot s _ i s _ j + 2e _ {i, j, k}} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j} a _ {i, j}s _ i s _ j + 2\sum _ {i, j, k} a _ {i, j}[k] \cdot e _ {i, j, k} \\
 &= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2e\conj \\
 &= rr' + 2e\conj \pmod q,
 \end{aligned}
 $$
 and we have an encryption of $mm'$. In this case,
 $$
 e\conj = 2\sum _ {i=1}^n\sum _ {j=1}^n \sum _ {k=0}^{\ceil{\log q}} a _ {i, j}[k] \cdot e _ {i, j, k}
 $$
 is small enough to use, since $a _ {i, j}[k] \in \braces{0, 1}$. The size is about $\mc{O}(n^2 \log q)$, which is a lot smaller than $q$ for practical uses. We have reduced $n^2 q$ to $n^2 \log q$ with this method.
 ### Noise Reduction
 Now we handle the noise growth. For correctness, we required that
 $$
 \abs{r} = \abs{m + 2e} < \frac{1}{2}q.
 $$
 But for multiplication, $\abs{r _ \rm{mul}} = \abs{rr' + 2e\conj}$, so the noise grows very fast. If the initial noise size was $N$, then after $L$ levels of multiplication, the noise is now $N^{2^L}$.[^3] To reduce noise, we use **modulus switching**.
 Given $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$, we reduce the modulus to $q' < q$ which results in a smaller noise $e'$. This can be done by scaling $\bf{c}$ by $q'/q$ and rounding it.
 > **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$ be given.
 > 
 > - Find $b'$ closest to $b \cdot (q' /q)$ such that $b' = b \pmod 2$.
 > - Find $a _ i'$ closest to $a _ i \cdot (q'/q)$ such that $a _ i' = a _ i \pmod 2$.
 > - Output $\bf{c}' = (b', \bf{a}') \in \Z _ {q'}^{n+1}$.
 In summary, $\bf{c}' \approx \bf{c} \cdot (q'/q)$, and $\bf{c}' = \bf{c} \pmod 2$ component-wise.
 We check if the noise has been reduced, and decryption results in the same message $m$. Decryption of $\bf{c}'$ is done by $r' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$, so we must prove that $r' \approx r \cdot (q'/q)$ and $r' = r \pmod 2$. Then the noise is scaled down by $q'/q$ and the message is preserved.
 Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = r + kq$. By the choice of $b'$ and $a _ i'$,
 $$
 b' = b \cdot (q'/q) + \epsilon _ 0, \quad a _ i' = a _ i \cdot (q'/q) + \epsilon _ i
 $$
 for $\epsilon _ i \in\braces{0, 1}$. Then
 $$
 \begin{aligned}
 b' + \span{\bf{a}', \bf{s}} &= b' + \sum _ {i=1}^n a _ i's _ i \\
 &= b \cdot (q'/q) + \epsilon _ 0 + \sum _ {i=1}^n \paren{a _ i \cdot (q'/q) + \epsilon _ i} s _ i \\
 &= (q'/q) \paren{b + \sum _ {i=1}^n a _ i s _ i} + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i \\
 &= (q'/q) \cdot (r + kq) + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i \\
 &= r \cdot (q'/q) + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i +  kq'.
 \end{aligned}
 $$
 We additionally assume that $\bf{s} \in \Z _ 2^n$, then the error term is bounded by $n+1$, and $n \ll q$.[^4] Set
 $$
 r' = r \cdot (q'/q) + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i,
 $$
 then we have $r' \approx r \cdot (q'/q)$.
 Next, $b + \span{\bf{a}, \bf{s}} = b' + \span{\bf{a}', \bf{s}} \pmod 2$ component-wise. Then
 $$
 r + kq = b + \span{\bf{a}, \bf{s}} = b' + \span{\bf{a}', \bf{s}} = r' + kq' \pmod 2.
 $$
 Since $q, q'$ are odd, $r = r' \pmod 2$.
 ### Modulus Chain
 Let the initial noise be $\abs{r} \approx N$. Set the maximal level $L$ for multiplication, and set $q _ {L} = N^{L+1}$. Then after each multiplication, switch the modulus to $q _ {k-1} = q _ k/N$ using the above method.
 Multiplication increases the noise to $N^2$, and then modulus switching decreases the noise back to $N$, allowing further computation.
 So we have a modulus chain,
 $$
 N^{L+1} \ra N^L \ra \cdots \ra N.
 $$
 When we perform $L$ levels of computation and reach modulus $q _ 0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping).
 Note that without modulus switching, we need $q _ L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q _ L > N^{L+1}$.
 ### Multiplication in BGV (Summary)
 - Set up a modulus chain $q _ k = N^{k+1}$ for $k = 0, \dots, L$.
 - Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z _ {q _ k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z _ {q _ k}^{n+1}$ with modulus $q _ k$ and noise $N$.
 - (**Tensor Product**) $\bf{c} _ \rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q _ k}$.
 	- Now we have $n^2$ dimensions and noise $N^2$.
 - (**Relinearization**)
 	- Back to $n$ dimensions and noise $N^2$.
 - (**Modulus Switching**)
 	- Modulus is switched to $q _ {k-1}$ and noise is back to $N$.
 ## BGV Generalizations and Optimizations
 ### From $\Z _ 2$ to $\Z _ p$
 The above description is for messages $m \in \braces{0, 1} = \Z _ 2$. This can be extend to any finite field $\Z _ p$. Replace $2$ with $p$ in the scheme. Then encryption of $m \in \Z _ p$ is done as
 $$
 b = -\span{\bf{a}, \bf{s}} + m + pe \pmod q,
 $$
 and we have $r = b + \span{\bf{a}, \bf{s}} = m + pe$, $m = r \pmod p$.
 ### Packing Technique
 Based on the Ring LWE problem, plaintext space can be extended from $\Z _ p$ to $\Z _ p^n$ by using **polynomials**.
 With this technique, the number of linearization keys is reduced from $n^2 \log q$ to $\mc{O}(1)$.
 ## Security and Performance of BGV
 - Security depends on $n$ and $q$.
 	- $(n, \log q) = (2^{10}, 30), (2^{13}, 240), (2^{16}, 960)$.
 	- $q$ is much larger than $n$.
 	- We want $n$ small and $q$ large enough to be correct.
 - BGV is a **somewhat** homomorphic encryption.
 	- The number of multiplications is limited.
 - Multiplication is expensive, especially linearization.
 	- Parallelization is effective for optimization, since multiplication is basically performing the same operations on different data.
 [^1]: A homomorphism is a *confused name changer*. It can map different elements to the same name.
 [^2]: The columns $\bf{a} _ i$ are chosen random, so $A$ is invertible with high probability.
 [^3]: Noise: $N \ra N^2 \ra N^4 \ra \cdots \ra N^{2^L}$.
 [^4]: This is how $\bf{s}$ is chosen in practice.
--- a/_posts/lecture-notes/modern-cryptography/2023-12-08-bootstrapping-ckks.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-12-08-bootstrapping-ckks.md
@@ -5,6 +5,7 @@ math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 path: _posts/lecture-notes/modern-cryptography
 tags:
  - lecture-note
  - cryptography
@@ -88,7 +89,7 @@ Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k}
 > 
 > **Bootstrapping Key Generation**
 > - Choose a new secret key $\bf{s}' \in \braces{0, 1}^n$.
-> - Generate *bootstrapping key* ${} BK = \braces{\bf{k}_i}_{i=1}^n {}$ where $\bf{k}_i = E(\bf{s}', s_i)$.
+> - Generate *bootstrapping key* $BK = \braces{\bf{k} _ i} _ {i=1}^n$ where $\bf{k} _ i = E(\bf{s}', s _ i)$.
 > 
 > **Bootstrapping**
 > - Generate a circuit representation $f : \braces{0, 1}^n \ra \braces{0, 1}$ of the decryption function $D(\cdot, \bf{c})$.
@@ -248,9 +249,9 @@ The relinearization procedure is almost the same as in [BGV relinearization](../
 For convenience, let $a _ {i, j} = a _ i a _ j'$.
 > **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
-> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and ${} e_{i, j, k} \la D_\sigma {}$.
+> - Sample $\bf{u} _ {i, j, k} \la \Z _ q^{n}$ and $e _ {i, j, k} \la D _ \sigma$.
-> - Compute ${} v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + e_{i, j, k} \pmod q {}$.
+> - Compute $v _ {i, j, k} = -\span{\bf{u} _ {i, j, k}, \bf{s}} + 2^k \cdot s _ i s _ j + e _ {i, j, k} \pmod q$.
-> - Output ${} \bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k}) {}$.
+> - Output $\bf{w} _ {i, j, k} = (v _ {i, j, k}, \bf{u} _ {i, j, k})$.
 > 
 > **Linearization**: given $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w} _ {i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
 > 
@@ -319,7 +320,7 @@ since $\epsilon = \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i$ is small.
 ### Modulus Chain
-Using modulus switching, we can set ${} q_L = \Delta^{L+1} {}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q_{k-1} = q_k / \Delta$.
+Using modulus switching, we can set $q _ L = \Delta^{L+1}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q _ {k-1} = q _ k / \Delta$.
 Multiplication increases the scaling factor to $\Delta^2$, and then rescaling operation reduces the scaling factor back to $\Delta$.
@@ -329,11 +330,11 @@ $$
 \Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta.
 $$
-When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](#bootstrapping) here.
+When we reach $q _ 0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping) here.
 ### Multiplication in CKKS (Summary)
- Set up a modulus chain ${} q_k = \Delta^{k+1} {}$ for $k = 0, \dots, L$.
+- Set up a modulus chain $q _ k = \Delta^{k+1}$ for $k = 0, \dots, L$.
 - Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z _ {q _ k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z _ {q _ k}^{n+1}$ with modulus $q _ k$ and **scaling factor** $\Delta$.
 - (**Tensor Product**) $\bf{c} _ \rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q _ k}$.
--- a/_posts/mathematics/2025-08-22-group-structure-of-z-2n-z-star.md
+++ b/_posts/mathematics/2025-08-22-group-structure-of-z-2n-z-star.md
@@ -0,0 +1,146 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Mathematics
 path: _posts/mathematics
 tags:
  - math
  - cryptography
 title: Group Structure of $(\mathbb{Z}/2^n \mathbb{Z})^*$
 date: 2025-08-22
 github_title: 2025-08-22-group-structure-of-z-2n-z-star
 ---
 To compute the rotation automorphism homomorphically, we use the fact that $(\Z/2^n\Z)^* \simeq \span{-1, 5}$. I couldn't find a clear proof of this result online, so I just accepted the fact although it wasn't very satisfying.
 After more than a year, I got a chance to revisit the rotation automorphism and I figured that I should clear things up once and for all. So I decided to compile a proof, drawn from many sources.
 ## Theorem
 > **Theorem 1.** $(\Z/2^n \Z)^*$ is the direct product of a cyclic group of order $2$ and cyclic group of order $2^{n-2}$, for all $n \geq 2$.
 The above theorem is from Corollary 20 (2) of Section 9.5 in Abstract Algebra, 3rd Edition, Dummit and Foote.
 > **Theorem 2.** $(\Z/2^n\Z)^* \simeq \span{-1, 5}$ for $n \geq 3$.
 ## Observations
 ### Order of $5$ Modulo $2^n$
 > **Proposition.** $5^{2^{n-3}} \equiv 1 + 2^{n-1} \pmod {2^n}$ for $n \geq 3$.
 *Proof*. This is an easy proof with induction. Omitted.
 > **Lemma.** $5$ has order $2^{n-2}$ in $(\Z/2^n \Z)^*$, for $n \geq 2$.
 *Proof*. We will use strong induction. For $n = 2, 3$, the lemma can be checked by direct computation. Now assume that the order of $5$ is $2^{k-2}$ in $(\Z/2^k\Z)^*$, for all $3 \leq k \leq n$.
 Let $r$ be the order of $5$ modulo $2^{n+1}$. Then $2^{n-2} \mid r$. This is from the fact that
 $$
 5^r \equiv 1 \pmod {2^{n+1}} \implies 5^r \equiv 1 \pmod {2^n}.
 $$
 Therefore $r$ must be a multiple of $2^{n-2}$. (order of $5$ modulo $2^n$) But from the above proposition, $5^{2^{n-2}} \equiv 1 + 2^n \pmod {2^{n+1}}$, so $r \neq 2^{n-2}$. The next candidate of $r$ is $2^{n-1}$ since it should be a multiple of $2^{n-2}$. Observe that
 $$
 5^{2^{n-1}} = \paren{5^{2^{n-2}}}^2 = (1 + 2^{n})^2 \equiv 1 \pmod {2^{n+1}},
 $$
 completing the proof.
 ### Group is Not Cyclic
 > **Proposition.** Let $G = \span{x}$ be a cyclic group of finite order $n < \infty$. For each divisor $a$ of $n$, there exists a unique subgroup of $G$ with order $a$.
 *Proof*. Since $a \mid n$, set $d = n /a$. Then $\span{x^d}$ is a subgroup of order $a$, showing existence.
 For uniqueness, suppose $H \neq \span{x^d}$ is another subgroup of $G$ with order $a$. Since subgroups of cyclic groups are also cyclic, $H = \span{x^k}$ where $k$ is the smallest positive integer with $x^k \in H$. Then from
 $$
 \frac{n}{d} = a = \abs{H} = \frac{n}{\gcd(n, k)},
 $$
 $d = \gcd(n, k)$. So $k$ is a multiple of $d$, resulting in $x^k \in \span{x^d}$. Therefore, $H \leq \span{x^d}$, but the two groups have the same order, so $H = \span{x^d}$.
 > **Lemma.** $(\Z/2^n \Z)^*$ is not cyclic for any $n \geq 3$.
 *Proof*. $(\Z/2^n\Z)^*$ has two distinct subgroups of order $2$. For $n \geq 3$,
 $$
 (2^n - 1)^2 \equiv (-1)^2 \equiv 1 \pmod {2^n}
 $$
 and
 $$
 (2^{n-1}-1)^2 = 2^{2n-2} - 2^n + 1 \equiv 1 \pmod {2^n}.
 $$
 Both $2^n-1$ and $2^{n-1} - 1$ have order $2$ modulo $2^n$ and they are distinct since $n \geq 3$. By the above proposition, $(\Z/2^n\Z)^*$ cannot be cyclic.
 ## Proof of Theorem 1
 *Proof*. $(\Z/2^n\Z)^*$ is a finitely generated abelian group, so the fundamental theorem of finitely generated abelian groups applies here. We know that group has order $2^{n-1}$, and from the above results,
 - $(\Z/2^n \Z)^*$ has an element of order $2^{n-2}$,
 - $(\Z/2^n \Z)^*$ is not cyclic for $n \geq 3$.
 Thus, for $n \geq 3$, the only possible case is $(\Z/2^n\Z)^* \simeq \Z _ 2 \times \Z_{2^{n-2}}$. As for $n = 2$, $(\Z/4\Z)^* \simeq \Z_2 \times \Z_1$ is pretty obvious.
 *Note*. I'm still looking for an elementary proof that doesn't use the fundamental theorem. This sort of feels like nuking a mosquito.
 ## More Observations
 > **Lemma.** Suppose that $H$ and $K$ are normal subgroups of $G$ and $H \cap K = \braces{1}$. Then $HK \simeq H \times K$.
 *Proof*. Construct an isomorphism $\varphi : H \times K \ra HK$ such that $(h, k) \mapsto hk$.
 Since $H, K \unlhd G$, observe that $hkh\inv k \inv \in K \cap H = \braces{1}$ and $hk = kh$. Therefore,
 $$
 \varphi(h, k) \cdot \varphi(h',k') = hkh'k' = hh' kk' = \varphi\paren{(h, k)\cdot (h', k')}
 $$
 and $\varphi$ is a homomorphism.
 Next, if $\varphi(h, k) = hk = 1$, we have $h = k\inv \in H\cap K = \braces{1}$. Then $h = k = 1$, showing that $\ker \varphi$ is trivial and $\varphi$ is injective.
 Surjectivity of $\varphi$ is trivial. $\varphi$ is an isomorphism and $HK \simeq H \times K$.
 > **Proposition.** As subgroups of $(\Z/2^n\Z)^*$, $\span{-1} \cap \span{5} = \braces{1}$ for $n \geq 3$.
 *Proof*. It suffices to show that $-1 \notin \span{{5}}$. Suppose that $-1 \in \span{5}$. Since $\span{5}$ is cyclic, it has a unique element of order $2$. Since $5$ has order $2^{n-2}$, it must be the case that $-1 \equiv 5^{2^{n-3}} \pmod {2^n}$.
 Then we have
 $$
 -1 \equiv 5^{2^{n-3}} \equiv 1 + 2^{n-1} \pmod {2^n},
 $$
 which gives $2^{n-1} + 2 \equiv 0 \pmod {2^n}$. But for $n \geq 3$, this is impossible since $0 < 2^{n-1} + 2 < 2^n$. Contradiction.
 *Note*. If $-1 \in \span{5}$, then maybe $5$ would have generated the whole group. But the group isn't cyclic, so we have a contradiction?
 ## Proof of Theorem 2
 *Proof*. Since we are dealing with commutative groups, all subgroups are normal. We have $\span{-1}, \span{5} \unlhd (\Z/2^n\Z)^*$ and $\span{-1} \cap \span{5} = \braces{1}$. Therefore,
 $$
 (\Z/2^n\Z)^* \simeq \Z_2 \times \Z_{2^{n-2}} = \span{-1} \times \span{5} \simeq \span{-1}\span{5}.
 $$
 This means that we can uniquely write all elements of $(\Z/2^n\Z)^*$ as $(-1)^a 5^b$ for ${} 0 \leq a < 2 {}$, $0 \leq b < 2^{n-2}$. From commutativity, this exactly equals the subgroup generated by $-1$ and $5$, which is $\span{-1, 5}$. This concludes the proof.
 ## Notes
 The theorem wasn't so trivial after all, but I'm still happy to have resolved a long overdue task.
 ## References
 - My notes taken from abstract algebra class
 - <https://math.stackexchange.com/q/459815>
 - <https://math.stackexchange.com/q/3881641>
 - <https://math.stackexchange.com/a/4910312/329909>
--- a/_posts/mathematics/measure-theory/2023-01-11-algebra-of-sets.md
+++ b/_posts/mathematics/measure-theory/2023-01-11-algebra-of-sets.md
@@ -2,18 +2,24 @@
 share: true
 toc: true
 math: true
-categories: [Mathematics, Measure Theory]
+categories:
-tags: [math, analysis, measure-theory]
+  - Mathematics
-title: "01. Algebra of Sets"
+  - Measure Theory
-date: "2023-01-11"
+path: _posts/mathematics/measure-theory
-github_title: "2023-01-11-algebra-of-sets"
+tags:
  - math
  - analysis
  - measure-theory
 title: 01. Algebra of Sets
 date: 2023-01-11
 github_title: 2023-01-11-algebra-of-sets
 image:
-  path: /assets/img/posts/Mathematics/Measure Theory/mt-01.png
+  path: /assets/img/posts/mathematics/measure-theory/mt-01.png
 attachment:
-  folder: assets/img/posts/Mathematics/Measure Theory
+  folder: assets/img/posts/mathematics/measure-theory
 ---
-![mt-01.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-01.png)
+![mt-01.png](../../../assets/img/posts/mathematics/measure-theory/mt-01.png)
 르벡 적분을 공부하기 위해서는 먼저 집합의 ‘길이’ 개념을 공부해야 합니다. 그리고 집합의 ‘길이’ 개념을 확립하기 위해서는 집합 간의 연산과 이에 대한 구조가 필요합니다.
--- a/_posts/mathematics/measure-theory/2023-01-23-construction-of-measure.md
+++ b/_posts/mathematics/measure-theory/2023-01-23-construction-of-measure.md
@@ -0,0 +1,267 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Mathematics
  - Measure Theory
 path: _posts/mathematics/measure-theory
 tags:
  - math
  - analysis
  - measure-theory
 title: 02. Construction of Measure
 date: 2023-01-23
 github_title: 2023-01-23-construction-of-measure
 image:
  path: /assets/img/posts/mathematics/measure-theory/mt-02.png
 attachment:
  folder: assets/img/posts/mathematics/measure-theory
 ---
 ![mt-02.png](../../../assets/img/posts/mathematics/measure-theory/mt-02.png)
 이제 본격적으로 집합을 재보도록 하겠습니다. 우리가 잴 수 있는 집합들부터 시작합니다. $\mathbb{R}^p$에서 논의할 건데, 이제 여기서부터는 $\mathbb{R}$의 구간의 열림/닫힘을 모두 포괄하여 정의합니다. 즉, $\mathbb{R}$의 구간이라고 하면 $[a, b], (a, b), [a, b), (a, b]$ 네 가지 경우를 모두 포함합니다.
 ## Elementary Sets
 **정의.** ($\mathbb{R}^p$의 구간) $a _ i, b _ i \in \mathbb{R}$, $a _ i \leq b _ i$ 라 하자. $I _ i$가 $\mathbb{R}$의 구간이라고 할 때, $\mathbb{R}^p$의 구간은
 $$\prod _ {i=1}^p I _ i = I _ 1 \times \cdots \times I _ p$$
 와 같이 정의한다.
 예를 들어 $\mathbb{R}^2$의 구간이라 하면 직사각형 영역, $\mathbb{R}^3$의 구간이라 하면 직육면체 영역을 떠올릴 수 있습니다. 단, 경계는 포함되지 않을 수도 있습니다.
 이러한 구간들을 유한개 모아 합집합하여 얻은 집합을 모아 elementary set이라 합니다.
 **정의.** (Elementary Set) 어떤 집합이 유한개 구간의 합집합으로 표현되면 그 집합을 **elementary set**이라고 한다. 그리고 $\mathbb{R}^p$의 elementary set의 모임을 $\Sigma$로 표기한다.
 임의의 구간은 유계입니다. 따라서 구간의 유한한 합집합도 유계일 것입니다.
 **참고.** 임의의 elementary set은 유계이다.
 Elementary set의 모임에서 집합의 연산을 정의할 수 있을 것입니다. 이 때, $\Sigma$가 ring이 된다는 것을 간단하게 확인할 수 있습니다.
 **명제.** $\Sigma$는 ring이다. 하지만 전체 공간인 $\mathbb{R}^p$를 포함하고 있지 않기 때문에 $\sigma$-ring은 아니다.
 구간의 길이를 재는 방법은 아주 잘 알고 있습니다. 유한개 구간의 합집합인 elementary set에서도 쉽게 잴 수 있습니다. 이제 길이 함수 $m: \Sigma \rightarrow[0, \infty)$ 을 정의하겠습니다. 아직 measure는 아닙니다.
 **정의.** $a _ i, b _ i \in \mathbb{R}$ 가 구간 $I _ i$의 양 끝점이라 하자. $\mathbb{R}^p$의 구간 $I = \displaystyle\prod _ {i=1}^p I _ i$ 에 대하여,
 $$m(I) = \prod _ {i=1}^p (b _ i - a _ i)$$
 로 정의한다.
 **정의.** $I _ i$가 쌍마다 서로소인 $\mathbb{R}^p$의 구간이라 하자. $A = \displaystyle\bigcup _ {i=1}^n I _ i$ 에 대하여
 $$m(A) = \sum _ {i=1}^n m(I _ i)$$
 로 정의한다.
 $\mathbb{R}, \mathbb{R}^2, \mathbb{R}^3$에서 생각해보면 $m$은 곧 길이, 넓이, 부피와 대응되는 함수임을 알 수 있습니다. 또한 쌍마다 서로소인 구간의 합집합에 대해서는 각 구간의 함숫값을 더한 것으로 정의합니다. 어떤 집합을 겹치지 않게 구간으로 나눌 수 있다면, 집합의 ‘길이’가 각 구간의 ‘길이’ 합이 되는 것은 자연스럽습니다.
 그리고 이 정의는 well-defined 입니다. $A \in \Sigma$ 에 대해서 서로소인 유한개 구간의 합집합으로 나타내는 방법이 유일하지 않아도, $m$ 값은 같습니다.
 **참고.** $m$은 $\Sigma$ 위에서 additive이다. 따라서 $m : \Sigma \rightarrow[0, \infty)$ 은 additive set function이다.
 여기서 추가로 regularity 조건을 만족했으면 좋겠습니다.
 **정의.** (Regularity) Set function $\mu: \Sigma \rightarrow[0, \infty]$ 가 additive라 하자. 모든 $A \in \Sigma$ 와 $\epsilon > 0$ 에 대하여
 > 닫힌집합 $F \in \Sigma$, 열린집합 $G \in \Sigma$ 가 존재하여 $F \subseteq A \subseteq G$ 이고 $\mu(G) - \epsilon \leq \mu(A) \leq \mu(F) + \epsilon$
 이면 $\mu$가 $\Sigma$ 위에서 **regular**하다고 정의한다.
 위에서 정의한 $m$이 regular한 것은 쉽게 확인할 수 있습니다.
 이제 set function $\mu: \Sigma \rightarrow[0, \infty)$ 가 finite, regular, additive 하다고 가정합니다.
 **정의.** (Outer Measure) $E \in \mathcal{P}(\mathbb{R}^p)$ 의 **outer measure** $\mu^\ast: \mathcal{P}(\mathbb{R}^p) \rightarrow[0, \infty]$ 는
 $$\mu^\ast(E) = \inf \left\lbrace \sum _ {n=1}^\infty \mu(A _ n) : \text{열린집합 } A _ n \in \Sigma \text{ 에 대하여 } E \subseteq\bigcup _ {n=1}^\infty A _ n\right\rbrace.$$
 로 정의한다.
 Outer measure라 부르는 이유는 $E$의 바깥에서 길이를 재서 근사하기 때문입니다. Outer measure는 모든 power set에 대해서 정의할 수 있으니, 이를 이용해서 모든 집합을 잴 수 있으면 좋겠습니다. 하지만 measure가 되려면 countably additive 해야하는데, 이 조건이 가장 만족하기 까다로운 조건입니다. 실제로 countably additive 조건이 성립하지 않습니다.
 **참고.**
 - $\mu^\ast \geq 0$ 이다.
 - $E _ 1 \subseteq E _ 2$ 이면 $\mu^\ast(E _ 1) \leq \mu^\ast(E _ 2)$ 이다. (단조성)
 **정리.**
 1. $A \in \Sigma$ 이면 $\mu^\ast(A) = \mu(A)$.[^1]
 2. Countable subadditivity가 성립한다.
 	$$\mu^\ast\left( \bigcup _ {n=1}^\infty E _ n \right) \leq \sum _ {n=1}^\infty \mu^\ast(E _ n), \quad (\forall E _ n \in \mathcal{P}(\mathbb{R}^p))$$
 **증명.**
 (1) $A \in \Sigma$, $\epsilon > 0$ 라 두자. $\mu$의 regularity를 이용하면, 열린집합 $G \in \Sigma$ 가 존재하여 $A \subseteq G$ 이고
 $$\mu^\ast(A) \leq \mu(G) \leq \mu(A) + \epsilon$$
 이다. $\mu^\ast$의 정의에 의해 열린집합 $A _ n \in \Sigma$ 가 존재하여 $A \subseteq\displaystyle\bigcup _ {n=1}^\infty A _ n$ 이고
 $$\sum _ {n=1}^\infty \mu(A _ n) \leq \mu^\ast(A) + \epsilon$$
 이다. 마찬가지로 regularity에 의해 닫힌집합 $F \in \Sigma$ 가 존재하여 $F\subseteq A$ 이고 $\mu(A) \leq \mu(F) + \epsilon$ 이다. $F \subseteq\mathbb{R}^p$ 는 유계이고 닫힌집합이므로 compact set이고, finite open cover를 택할 수 있다. 즉, 적당한 $N \in \mathbb{N}$ 에 대하여 $F \subseteq\displaystyle\bigcup _ {i=1}^N A _ {i}$ 가 성립한다.
 따라서
 $$\mu(A) \leq \mu(F) + \epsilon \leq \sum _ {i=1}^N \mu(A _ i) \leq \sum _ {i=1}^n \mu(A _ i) + \epsilon \leq \mu^\ast(A) + 2\epsilon$$
 이제 $\epsilon \rightarrow 0$ 로 두면 $\mu(A) = \mu^\ast(A)$ 를 얻는다.
 \(2\) 부등식의 양변이 모두 $\infty$ 이면 증명할 것이 없으므로, 양변이 모두 유한하다고 가정하여 모든 $n\in \mathbb{N}$ 에 대해 $\mu^\ast(E _ n) < \infty$ 라 하자. $\epsilon > 0$ 로 두고, 각 $n \in \mathbb{N}$ 에 대하여 열린집합 $A _ {n, k} \in \Sigma$ 가 존재하여 $E _ n \subseteq\displaystyle\bigcup _ {k=1}^\infty A _ {n, k}$ 이고 $\displaystyle\sum _ {k=1}^\infty \mu(A _ {n,k}) \leq \mu^\ast(E _ n) + 2^{-n}\epsilon$ 이다.
 $\mu^\ast$는 하한(infimum)으로 정의되었기 때문에,
 $$\mu^\ast\left( \bigcup _ {n=1}^\infty E _ n \right) \leq \sum _ {n=1}^\infty \sum _ {k=1}^\infty \mu(A _ {n,k}) \leq \sum _ {n=1}^\infty \mu^\ast(E _ n) + \epsilon$$
 가 성립하고, $\epsilon \rightarrow 0$ 로 두면 부등식이 성립함을 알 수 있다.
 ## $\mu$-measurable Sets
 Countably additive 조건이 성립하는 집합들만 모아서 measure를 construct 하려고 합니다. 아래 내용은 이를 위한 사전 준비 작업입니다.
 **표기법.** (대칭차집합) $A \mathop{\mathrm{\triangle}}B = (A\setminus B) \cup (B \setminus A)$.
 **정의.**
 - $d(A, B) = \mu^\ast(A \mathop{\mathrm{\triangle}}B)$ 로 정의한다.
 - 집합열 $A _ n$에 대하여 $d(A _ n, A) \rightarrow 0$ 이면 $A _ n \rightarrow A$ 로 정의한다.
 **참고.**
 - $A, B, C \in \mathbb{R}^p$ 에 대하여 $d(A, B) \leq d(A, C) + d(C, B)$ 이다.
 - $A _ 1, B _ 2, B _ 1, B _ 2 \in \mathbb{R}^p$ 일 때, 다음이 성립한다.
 	$$\left.\begin{array}{c}d(A _ 1 \cup A _ 2, B _ 1 \cup B _ 2) \\d(A _ 1 \cap A _ 2, B _ 1 \cap B _ 2) \\d(A _ 1 \setminus A _ 2, B _ 1 \setminus B _ 2)\end{array}\right\rbrace\leq d(A _ 1, B _ 1) + d(A _ 2, B _ 2).$$
 **정의.** (Finitely $\mu$-measurable) 집합 $A _ n \in \Sigma$ 이 존재하여 $A _ n \rightarrow A$ 이면 $A$가 **finitely $\mu$-measurable**이라 한다. 그리고 finitely $\mu$-measurable한 집합의 모임을 $\mathfrak{M} _ F(\mu)$로 표기한다.
 위 정의는 $\mu$라는 set function에 의해 $\mu^\ast (A _ n \mathop{\mathrm{\triangle}}A) \rightarrow 0$ 이 되는 elementary set $A _ n$이 존재한다는 의미입니다.
 **정의.** ($\mu$-measurable) $A _ n \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \displaystyle\bigcup _ {n=1}^\infty A _ n$ 이면 $A$가 **$\mu$-measurable**이라 한다. 그리고 $\mu$-measurable한 집합의 모임을 $\mathfrak{M}(\mu)$로 표기한다.
 **참고.** $\mu^\ast(A) = d(A, \varnothing) \leq d(A, B) + \mu^\ast(B)$.
 **명제.** $\mu^\ast(A)$ 또는 $\mu^\ast(B)$가 유한하면, 다음이 성립한다.
 $$\lvert \mu^\ast(A) - \mu^\ast(B) \rvert \leq d(A, B).$$
 **따름정리.** $A \in \mathfrak{M} _ F(\mu)$ 이면 $\mu^\ast(A) < \infty$ 이다.
 **증명.** $A _ n \in \Sigma$ 가 존재하여 $A _ n \rightarrow A$ 이고, $N \in \mathbb{N}$ 이 존재하여
 $$\mu^\ast(A) \leq d(A _ N, A) + \mu^\ast(A _ N) \leq 1 + \mu^\ast(A _ N) < \infty$$
 이다.
 **따름정리.** $A _ n \rightarrow A$ 이고 $A _ n, A \in \mathfrak{M} _ F(\mu)$ 이면 $\mu^\ast(A _ n)\rightarrow\mu^\ast(A) < \infty$ 이다.
 **증명.** $\mu^\ast(A)$, $\mu^\ast(A _ n)$가 유한하므로, $n \rightarrow\infty$ 일 때 $\lvert \mu^\ast(A _ n) - \mu^\ast(A) \rvert \leq d(A _ n, A) \rightarrow 0$ 이다.
 ## Construction of Measure
 준비가 끝났으니 measure를 construct 해보겠습니다! $\mathcal{P}(\mathbb{R}^p)$에서는 할 수 없지만 정의역을 $\mathfrak{M}(\mu)$로 조금 좁히면 measure가 된다는 뜻입니다.
 **정리.** $\mathfrak{M}(\mu)$는 $\sigma$-algebra 이고 $\mu^\ast$는 $\mathfrak{M}(\mu)$의 measure가 된다.
 **증명.** $\mathfrak{M}(\mu)$가 $\sigma$-algebra이고 $\mu^\ast$가 $\mathfrak{M}(\mu)$에서 countably additive임을 보이면 충분하다.
 **(Step 0)** *$\mathfrak{M} _ F(\mu)$는 ring이다.*
 $A, B \in \mathfrak{M} _ F(\mu)$ 라 하자. 그러면 $A _ n, B _ n \in \Sigma$ 이 존재하여 $A _ n \rightarrow A$, $B _ n \rightarrow B$ 이 된다. 그러면
 $$\left.\begin{array}{c}d(A _ n \cup B _ n, A \cup B) \\ d(A _ n \cap B _ n, A \cap B) \\ d(A _ n \setminus B _ n, A \setminus B)\end{array}\right\rbrace\leq d(A _ n, A) + d(B _ n, B) \rightarrow 0$$
 이므로 $A _ n \cup B _ n \rightarrow A \cup B, A _ n \setminus B _ n \rightarrow A\setminus B$ 이기 때문에 $\mathfrak{M} _ F(\mu)$는 ring이다.
 **(Step 1)** *$\mu^\ast$는 $\mathfrak{M} _ F(\mu)$ 위에서 additive이다*.
 $\Sigma$ 위에서는 $\mu = \mu^\ast$ 이므로, 위 따름정리에 의해
 $$\begin{matrix} \mu(A _ n) \rightarrow\mu^\ast(A), & \mu(A _ n\cup B _ n) \rightarrow\mu^\ast(A\cup B), \\ \mu(B _ n) \rightarrow\mu^\ast(B), & \mu(A _ n\cap B _ n) \rightarrow\mu^\ast(A\cap B) \end{matrix}$$
 가 성립함을 알 수 있다. 일반적으로 $\mu(A _ n) + \mu(B _ n) = \mu(A _ n \cup B _ n) + \mu(A _ n \cap B _ n)$ 이므로 여기서 $n \rightarrow\infty$ 로 두면
 $$\mu^\ast(A) + \mu^\ast(B) = \mu^\ast(A\cup B) + \mu^\ast(A \cap B)$$
 를 얻는다. $A \cap B = \varnothing$ 라는 조건이 추가되면 $\mu^\ast$가 additive임을 알 수 있다.
 **(Step 2)** *$\mathfrak{M} _ F(\mu) = \lbrace A \in \mathfrak{M}(\mu) : \mu^\ast(A) < \infty\rbrace$.*[^2]
 **Claim**. 쌍마다 서로소인 $\mathfrak{M} _ F(\mu)$의 원소들을 잡아 이들의 합집합으로 $A \in \mathfrak{M}(\mu)$ 를 표현할 수 있다.
 **증명.** $A _ n' \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \bigcup A _ n'$ 로 두자.
 > $A _ 1 = A _ 1'$, $n \geq 2$ 이면 $A _ n = A _ n' \setminus(A _ 1'\cup \cdots \cup A _ {n-1}')$
 와 같이 정의하면 $A _ n$이 쌍마다 서로소이고 $A _ n \in \mathfrak{M} _ F(\mu)$ 임을 알 수 있다.
 위 사실을 이용하여 $A _ n \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \displaystyle\bigcup _ {n=1}^\infty A _ n$ 으로 두자.
 1. Countable subadditivity에 의해 $\displaystyle\mu^\ast(A) \leq \sum _ {n=1}^{\infty} \mu^\ast (A _ n)$ 가 성립한다.
 2. Step 1에 의해 $\displaystyle\bigcup _ {n=1}^k A _ n \subseteq A$, $\displaystyle\sum _ {n=1}^{k} \mu^\ast(A _ n) \leq \mu^\ast(A)$ 이다. $k \rightarrow\infty$ 로 두면 $\displaystyle\mu^\ast(A) \geq \sum _ {n=1}^\infty \mu^\ast(A _ n)$ 임을 알 수 있다.
 따라서 $\displaystyle\mu^\ast(A) = \sum _ {n=1}^\infty \mu^\ast(A _ n)$ 이다.[^3] [^4]
 이제 $B _ n =\displaystyle\bigcup _ {k=1}^n A _ k$ 로 두자. $\mu^\ast(A) < \infty$ 를 가정하면 $\displaystyle\sum _ {n=1}^\infty \mu^\ast(A _ n)$의 수렴성에 의해
 $$\displaystyle d(A, B _ n) = \mu^\ast\left( \bigcup _ {k=n+1}^\infty A _ k \right) = \sum _ {k=n+1}^{\infty} \mu^\ast(A _ i) \rightarrow 0 \text{ as } n \rightarrow\infty$$
 임을 알 수 있다.
 $B _ n \in \mathfrak{M} _ F(\mu)$ 이므로 $C _ n \in \Sigma$ 를 잡아 각 $n \in \mathbb{N}$ 에 대하여 $d(B _ n, C _ n)$를 임의로 작게 만들 수 있다. 그러면 $d(A, C _ n) \leq d(A, B _ n) + d(B _ n, C _ n)$ 이므로 충분히 큰 $n$에 대하여 $d(A, C _ n)$도 임의로 작게 만들 수 있다. 따라서 $C _ n \rightarrow A$ 임을 알 수 있고 $A \in \mathfrak{M} _ F(\mu)$ 라는 결론을 내릴 수 있다.
 **(Step 3)** *$\mu^\ast$는 $\mathfrak{M}(\mu)$ 위에서 countably additive이다.*
 $A _ n \in \mathfrak{M}(\mu)$ 가 $A \in \mathfrak{M}(\mu)$ 의 분할이라 하자. 적당한 $m \in \mathbb{N}$ 에 대하여 $\mu^\ast(A _ m) = \infty$ 이면
 $$\mu^\ast\left( \bigcup _ {n=1}^\infty A _ n \right) \geq \mu^\ast(A _ m) = \infty = \sum _ {n=1}^\infty \mu^\ast(A _ n)$$
 이므로 countable additivity가 성립한다.
 이제 모든 $n\in \mathbb{N}$ 에 대하여 $\mu^\ast(A _ n) < \infty$ 이면, Step 2에 의해 $A _ n \in \mathfrak{M} _ F(\mu)$ 이고
 $$\mu^\ast(A) = \mu^\ast\left( \bigcup _ {n=1}^\infty A _ n \right) = \sum _ {n=1}^\infty \mu^\ast(A _ n)$$
 가 성립한다.
 **(Step 4)** *$\mathfrak{M}(\mu)$는 $\sigma$-ring이다.*
 $A _ n \in \mathfrak{M}(\mu)$ 이면 $B _ {n, k} \in \mathfrak{M} _ F(\mu)$ 가 존재하여 $\displaystyle A _ n = \bigcup _ k B _ {n,k}$ 이다. 그러면
 $$\bigcup _ n A _ n = \bigcup _ {n, k} B _ {n, k} \in \mathfrak{M}(\mu)$$
 이다.
 $A, B \in \mathfrak{M}(\mu)$ 라 하면 $A _ n, B _ n \in \mathfrak{M} _ F(\mu)$ 에 대해 $\displaystyle A = \bigcup A _ n$, $\displaystyle B = \bigcup B _ n$ 이므로,
 $$A \setminus B = \bigcup _ {n=1}^\infty \left( A _ n \setminus B \right) = \bigcup _ {n=1}^\infty (A _ n\setminus(A _ n\cap B))$$
 임을 알 수 있다. 그러므로 $A _ n \cap B \in \mathfrak{M} _ F(\mu)$ 인 것만 보이면 충분하다. 정의에 의해
 $$A _ n \cap B = \bigcup _ {k=1}^\infty (A _ n \cap B _ k) \in \mathfrak{M}(\mu)$$
 이고 $\mu^\ast(A _ n \cap B) \leq \mu^\ast(A _ n) < \infty$ 이므로 $A _ n\cap B \in \mathfrak{M} _ F(\mu)$ 이다. 따라서 $A \setminus B$ 가 $\mathfrak{M} _ F(\mu)$의 원소들의 countable 합집합으로 표현되므로 $A\setminus B \in \mathfrak{M}(\mu)$ 이다.
 따라서 $\mathfrak{M}(\mu)$는 $\sigma$-ring이고 $\sigma$-algebra이다.
 ---
 이제 $\Sigma$ 위의 $\mu$ 정의를 $\mathfrak{M}(\mu)$ ($\sigma$-algebra)로 확장하여 $\mathfrak{M}(\mu)$ 위에서는 $\mu = \mu^\ast$ 로 정의합니다. $\Sigma$ 위에서 $\mu = m$ 일 때, 이와 같이 확장한 $\mathfrak{M}(m)$ 위의 $m$을 **Lebesgue measure** on $\mathbb{R}^p$라 합니다. 그리고 $A \in \mathfrak{M}(m)$ 를 Lebesgue measurable set이라 합니다.
 [^1]: $A$가 open이 아니면 자명하지 않은 명제입니다.
 [^2]: $A$가 $\mu$-measurable인데 $\mu^\ast(A) < \infty$이면 $A$는 finitely $\mu$-measurable이다.
 [^3]: $A$가 countable union of sets in $\mathfrak{M} _ F(\mu)$이므로 $\mu^\ast$도 각 set의 $\mu^\ast$의 합이 된다.
 [^4]: 아직 증명이 끝나지 않았습니다. $A _ n$은 $\mathfrak{M}(\mu)$의 원소가 아니라 $\mathfrak{M} _ F(\mu)$의 원소입니다.
--- a/_posts/mathematics/measure-theory/2023-01-24-measure-spaces.md
+++ b/_posts/mathematics/measure-theory/2023-01-24-measure-spaces.md
@@ -2,22 +2,28 @@
 share: true
 toc: true
 math: true
-categories: [Mathematics, Measure Theory]
+categories:
-tags: [math, analysis, measure-theory]
+  - Mathematics
-title: "03. Measure Spaces"
+  - Measure Theory
-date: "2023-01-24"
+path: _posts/mathematics/measure-theory
-github_title: "2023-01-24-measure-spaces"
+tags:
  - math
  - analysis
  - measure-theory
 title: 03. Measure Spaces
 date: 2023-01-24
 github_title: 2023-01-24-measure-spaces
 image:
-  path: /assets/img/posts/Mathematics/Measure Theory/mt-03.png
+  path: /assets/img/posts/mathematics/measure-theory/mt-03.png
 attachment:
-  folder: assets/img/posts/Mathematics/Measure Theory
+  folder: assets/img/posts/mathematics/measure-theory
 ---
 ## Remarks on Construction of Measure
 Construction of measure 증명에서 추가로 참고할 내용입니다.
-![mt-03.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-03.png)
+![mt-03.png](../../../assets/img/posts/mathematics/measure-theory/mt-03.png)
 **명제.** $A$가 열린집합이면 $A \in \mathfrak{M}(\mu)$ 이다. 또한 $A^C \in \mathfrak{M}(\mu)$ 이므로, $F$가 닫힌집합이면 $F \in \mathfrak{M}(\mu)$ 이다.
--- a/_posts/mathematics/measure-theory/2023-02-06-measurable-functions.md
+++ b/_posts/mathematics/measure-theory/2023-02-06-measurable-functions.md
@@ -2,15 +2,21 @@
 share: true
 toc: true
 math: true
-categories: [Mathematics, Measure Theory]
+categories:
-tags: [math, analysis, measure-theory]
+  - Mathematics
-title: "04. Measurable Functions"
+  - Measure Theory
-date: "2023-02-06"
+path: _posts/mathematics/measure-theory
-github_title: "2023-02-06-measurable-functions"
+tags:
  - math
  - analysis
  - measure-theory
 title: 04. Measurable Functions
 date: 2023-02-06
 github_title: 2023-02-06-measurable-functions
 image:
-  path: /assets/img/posts/Mathematics/Measure Theory/mt-04.png
+  path: /assets/img/posts/mathematics/measure-theory/mt-04.png
 attachment:
-  folder: assets/img/posts/Mathematics/Measure Theory
+  folder: assets/img/posts/mathematics/measure-theory
 ---
 Lebesgue integral을 공부하기 전 마지막 준비입니다. Lebesgue integral은 다음과 같이 표기합니다.
@@ -155,7 +161,7 @@ $$s(x) = \sum_ {i=1}^{n} c_i \chi_ {E_i}(x).$$
 여기서 $E _ i$에 measurable 조건이 추가되면, 정의에 의해 $\chi _ {E _ i}$도 measurable function입니다. 따라서 모든 measurable simple function을 measurable $\chi _ {E _ i}$의 linear combination으로 표현할 수 있습니다.
-![mt-04.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-04.png)
+![mt-04.png](../../../assets/img/posts/mathematics/measure-theory/mt-04.png)
 아래 정리는 simple function이 Lebesgue integral의 building block이 되는 이유를 잘 드러냅니다. 모든 함수는 simple function으로 근사할 수 있습니다.
--- a/_posts/mathematics/measure-theory/2023-02-13-lebesgue-integration.md
+++ b/_posts/mathematics/measure-theory/2023-02-13-lebesgue-integration.md
@@ -2,15 +2,21 @@
 share: true
 toc: true
 math: true
-categories: [Mathematics, Measure Theory]
+categories:
-tags: [math, analysis, measure-theory]
+  - Mathematics
-title: "05. Lebesgue Integration"
+  - Measure Theory
-date: "2023-02-13"
+path: _posts/mathematics/measure-theory
-github_title: "2023-02-13-lebesgue-integration"
+tags:
  - math
  - analysis
  - measure-theory
 title: 05. Lebesgue Integration
 date: 2023-02-13
 github_title: 2023-02-13-lebesgue-integration
 image:
-  path: /assets/img/posts/Mathematics/Measure Theory/mt-05.png
+  path: /assets/img/posts/mathematics/measure-theory/mt-05.png
 attachment:
-  folder: assets/img/posts/Mathematics/Measure Theory
+  folder: assets/img/posts/mathematics/measure-theory
 ---
 ## Lebesgue Integration
@@ -121,7 +127,7 @@ $$\int f \,d{\mu} = \sup\left\lbrace \int h \,d{\mu}: 0\leq h \leq f, h \text{ m
 $f$보다 작은 measurable simple function의 적분값 중 상한을 택하겠다는 의미입니다. $f$보다 작은 measurable simple function으로 $f$를 근사한다고도 이해할 수 있습니다. 또한 $f$가 simple function이면 Step 2의 정의와 일치하는 것을 알 수 있습니다.
-![mt-05.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-05.png)
+![mt-05.png](../../../assets/img/posts/mathematics/measure-theory/mt-05.png)
 $f \geq 0$ 가 measurable이면 증가하는 measurable simple 함수열 $s _ n$이 존재함을 지난 번에 보였습니다. 이 $s _ n$에 대하여 적분값을 계산해보면
--- a/_posts/mathematics/measure-theory/2023-03-25-convergence-theorems.md
+++ b/_posts/mathematics/measure-theory/2023-03-25-convergence-theorems.md
@@ -0,0 +1,206 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Mathematics
  - Measure Theory
 path: _posts/mathematics/measure-theory
 tags:
  - math
  - analysis
  - measure-theory
 title: 06. Convergence Theorems
 date: 2023-03-25
 github_title: 2023-03-25-convergence-theorems
 image:
  path: /assets/img/posts/mathematics/measure-theory/mt-06.png
 attachment:
  folder: assets/img/posts/mathematics/measure-theory
 ---
 르벡 적분 이론에서 굉장히 자주 사용되는 수렴 정리에 대해 다루겠습니다. 이 정리들을 사용하면 굉장히 유용한 결과를 쉽게 얻을 수 있습니다.
 ## Monotone Convergence Theorem
 먼저 단조 수렴 정리(monotone convergence theorem, MCT)입니다. 이 정리에서는 $f _ n \geq 0$ 인 것이 매우 중요합니다.
 ![mt-06.png](../../../assets/img/posts/mathematics/measure-theory/mt-06.png)
 **정리.** (단조 수렴 정리) $f _ n: X \rightarrow[0, \infty]$ 가 measurable이고 모든 $x \in X$ 에 대하여 $f _ n(x) \leq f _ {n+1}(x)$ 라 하자.
 $$\lim _ {n\rightarrow\infty} f _ n(x) = \sup _ {n} f _ n(x) = f(x)$$
 로 두면,
 $$\int f \,d{\mu} = \lim _ {n\rightarrow\infty} \int f _ n \,d{\mu} = \sup _ {n \in \mathbb{N}} \int f _ n \,d{\mu}$$
 이다.
 **증명.**
 ($\geq$) $f _ n(x) \leq f(x)$ 이므로 단조성을 이용하면 모든 $n \in \mathbb{N}$ 에 대하여 $\displaystyle\int f _ n \,d{\mu} \leq \displaystyle\int f \,d{\mu}$ 이다. 따라서 다음이 성립한다.
 $$\sup _ n \int f _ n \,d{\mu} \leq \int f \,d{\mu}.$$
 ($\leq$) 실수 $c \in (0, 1)$ 를 잡자. 마지막에 $c \nearrow 1$ 로 둘 것이다. 이제 measurable simple function $s$가 $0 \leq s \leq f$ 라 하자. 그러면 모든 $x \in X$ 에 대하여 $c \cdot s(x) < f(x)$ 일 것이다.
 이제
 $$E _ n = \lbrace x \in X : f _ n(x) \geq cs(x)\rbrace$$
 으로 두면, $f _ n(x) - cs(x)$ 가 measurable function이므로 $E _ n$ 또한 measurable이다. 여기서 $f _ n$이 증가하므로 $E _ n\subseteq E _ {n+1} \subseteq\cdots$ 임을 알 수 있고 $f _ n \rightarrow f$ 이므로 $\bigcup _ {n=1}^\infty E _ n = X$ 이다.
 충분히 큰 $N \in \mathbb{N}$ 에 대하여 $n \geq N$ 일 때, 모든 $x$에 대하여 $f(x) \geq f _ n(x) > cs(x)$ 가 되게 할 수 있다. 그리고 $f _ n \geq f _ n \chi _ {E _ n} \geq cs \chi _ {E _ n}$ 이므로
 $$\tag{\(\star\)}    \int f _ n \,d{\mu} \geq \int f _ n \chi _ {E _ n} \,d{\mu} \geq c\int s \chi _ {E _ n} \,d{\mu},$$
 이고 여기서 $s, \chi _ {E _ n}$는 simple function이다. 그러므로 $s = \sum _ {k=0}^m y _ k \chi _ {A _ k}$ 라고 적으면
 $$s\chi _ {E _ n} = \sum _ {k=0}^m y _ k \chi _ {A _ k\cap E _ n} \implies \int s \chi _ {E _ n} \,d{\mu} = \sum _ {k=0}^m y _ k \mu(A _ k\cap E _ n)$$
 이다. $n\rightarrow\infty$ 일 때 $A _ k\cap E _ n \nearrow A _ k$ 이므로, continuity of measure를 사용해 $\mu(A _ k \cap E _ n) \nearrow \mu(A _ k)$ 를 얻고
 $$\lim _ {n\rightarrow\infty} \int s \chi _ {E _ n}\,d{\mu} = \int s \,d{\mu}$$
 임도 알 수 있다. 이제 ($\star$)를 이용하면
 $$\lim _ {n\rightarrow\infty} \int f _ n \,d{\mu} \geq c\int s \,d{\mu}$$
 이므로, $c \nearrow 1$ 로 두고 $0\leq s\leq f$ 에 대하여 $\sup$을 취하면
 $$\lim _ {n\rightarrow\infty} \int f _ n \,d{\mu} \geq \sup _ {0\leq s\leq f} \int s \,d{\mu} = \int f \,d{\mu}$$
 가 되어 원하는 결과를 얻는다.
 **참고.** 만약 부등식 $0 \leq f _ n \leq f _ {n+1}$ 이 정의역 전체가 아닌 정의역의 부분집합 $E$에서만 성립한다고 하면, 다음과 같이 생각할 수 있다.
 $$0 \leq f _ n \chi _ E \leq f _ {n+1} \chi _ E \nearrow f \chi _ E.$$
 그러므로 단조 수렴 정리가 $E$에서도 성립함을 알 수 있다.
 > $E$에서 $0\leq f _ n \leq f _ {n+1} \nearrow f$ 이면 $\displaystyle\lim _ {n\rightarrow\infty} \int _ E f _ n \,d{\mu} = \int _ E f \,d{\mu}$.
 **참고.** 함수열 $f _ n$이 증가하는 경우에만 정리가 성립합니다. 감소하는 경우에는 반례로 함수 $f _ n = \chi _ {[n, \infty)}$ 를 생각할 수 있습니다. 그러면 $n \rightarrow\infty$ 일 때 $\chi _ {[n, \infty)} \searrow 0$ 입니다.
 그러면 Lebesgue measure $m$에 대하여
 $$\infty = \int \chi _ {[n, \infty)} \,d{m} \neq \int 0 \,d{m} = 0$$
 이 되어 단조 수렴 정리가 성립하지 않음을 확인할 수 있습니다.
 ---
 지난 번에 $f \geq 0$ 가 measurable이면 증가하는 measurable simple 함수열 $s _ n$이 존재함을 보였고, 이 $s _ n$에 대하여 적분값을 계산하여
 $$\int _ E s _ n \,d{\mu} = \sum _ {i=1}^{n2^n} \frac{i - 1}{2^n}\mu\left( \left\lbrace x \in E : \frac{i-1}{2^n} \leq f(x) \leq \frac{i}{2^n}\right\rbrace \right) + n\mu(\lbrace x \in E : f(x)\geq n\rbrace)$$
 라는 결과까지 얻었습니다. 그런데 여기서
 $$f(x) = \displaystyle\lim _ {n\rightarrow\infty} s _ n(x)$$
 이기 때문에, 단조 수렴 정리에 의해
 $$\int _ E f \,d{\mu} = \lim _ {n\rightarrow\infty} \int _ E s _ n \,d{\mu}$$
 가 성립하여 기대했던 결과를 얻었습니다. 지난 번 설명한 것처럼, 이는 곧 르벡 적분은 치역을 잘게 잘라 넓이를 계산한 것으로 이해할 수 있다는 의미가 됩니다.
 ---
 다음은 단조 수렴 정리를 활용하여 유용한 결과를 쉽게 얻을 수 있는 예제입니다.
 **참고.** Measurable function $f, g \geq 0$ 과 $\alpha, \beta \in [0, \infty)$ 에 대하여 다음이 성립한다.
 $$\int _ E \left( \alpha f + \beta g \right) \,d{\mu} = \alpha \int _ E f \,d{\mu} + \beta \int _ E g\,d{\mu}.$$
 **증명.** Measurable function은 measurable simple function으로 근사할 수 있고, $f, g \geq 0$ 이므로 단조증가하도록 잡을 수 있다. 그러므로 measurable simple function $f _ n$, $g _ n$에 대하여 $0 \leq f _ n \leq f _ {n+1} \nearrow f$, $0 \leq g _ n \leq g _ {n+1} \nearrow g$ 으로 잡는다.
 그러면 $\alpha f _ n + \beta g _ n \nearrow \alpha f + \beta g$ 이고 $\alpha f _ n + \beta g _ n$ 은 단조증가하는 measurable simple 함수열이다. 따라서 단조 수렴 정리에 의해
 $$\int _ E \left( \alpha f _ n + \beta g _ n \right) \,d{\mu} = \alpha \int _ E f _ n \,d{\mu} + \beta \int _ E g _ n \,d{\mu} \rightarrow\alpha \int _ E f \,d{\mu} + \beta \int _ E g\,d{\mu}$$
 이다.
 이와 비슷한 방법을 급수에도 적용할 수 있습니다.
 **정리.** Measurable function $f _ n: X \rightarrow[0, \infty]$ 에 대하여 $\sum _ {n=1}^\infty f _ n$는 measurable이고, 단조 수렴 정리에 의해 다음이 성립한다.
 $$\int _ E \sum _ {n=1}^\infty f _ n \,d{\mu} = \sum _ {n=1}^\infty \int _ E f _ n \,d{\mu}.$$
 **증명.** $\sum _ {n=1}^\infty f _ n$는 measurable function의 극한이므로 measurable이다. 무한급수를 부분합의 극한으로 생각하면 $f _ n \geq 0$ 이므로 부분합이 증가함을 알 수 있다. 따라서 단조 수렴 정리를 적용하여 결론을 얻는다.
 ## Fatou's Lemma
 단조 수렴 정리와 동치인 수렴 정리를 하나 더 소개합니다. Fatou's lemma로 알려져 있습니다.
 **정리.** (Fatou) $f _ n \geq 0$ 가 measurable이고 $E$가 measurable이라 하자. 다음이 성립한다.
 $$\int _ E \liminf _ {n\rightarrow\infty} f _ n \,d{\mu} \leq \liminf _ {n\rightarrow\infty} \int _ E f _ n \,d{\mu}.$$
 **증명.** $g _ n = \displaystyle\inf _ {k \geq n} f _ k$ 으로 두면 $\displaystyle\lim _ {n \rightarrow\infty} g _ n = \liminf _ {n\rightarrow\infty} f _ n$ 이다. $g _ n$이 증가함은 쉽게 확인할 수 있으며 $g _ n \geq 0$ 이다. $g _ n$의 정의로부터 모든 $k \geq n$ 에 대하여 $g _ n \leq f _ k$ 이므로,
 $$\int _ E g _ n \,d{\mu} \leq \inf _ {k\geq n} \int _ E f _ k \,d{\mu}$$
 이다. 여기서 $n \rightarrow\infty$ 로 두면
 $$\int _ E \liminf _ {n\rightarrow\infty} f _ n \,d{\mu} = \lim _ {n \rightarrow\infty} \int _ E g _ n \,d{\mu} \leq \lim _ {n \rightarrow\infty} \inf _ {k \geq n}\int _ E f _ k \,d{\mu} = \liminf _ {n \rightarrow\infty} \int _ E f _ n \,d{\mu}$$
 이 된다. 여기서 첫 번째 등호는 단조 수렴 정리에 의해 성립한다.
 **참고.** 위 증명에서는 단조 수렴 정리를 활용했습니다. 반대로 이 정리를 가정하면 단조 수렴 정리를 증명할 수 있기도 합니다. 따라서 이 둘은 동치입니다. 증명은 생략합니다.
 **참고.** 왠지 위와 비슷한 결론이 $\limsup$에 대해서도 성립해야 할 것 같습니다. 구체적으로,
 $$\int _ E \limsup _ {n \rightarrow\infty} f _ n \,d{\mu} \geq \limsup _ {n \rightarrow\infty} \int _ E f _ n \,d{\mu}$$
 일 것 같습니다. 안타깝게도 이는 성립하지 않습니다. 반례로 앞서 소개한 $\chi _ {[n, \infty)}$를 한 번 더 가져올 수 있습니다. 좌변을 계산해 보면 0이지만, 우변을 계산해 보면 $\infty$입니다. 나중에 소개하겠지만, $\lvert f _ n \rvert \leq g$ 를 만족하는 함수 $g \in \mathcal{L}^{1}$ 가 존재해야 위 부등식이 성립합니다.
 ## Properties of the Lebesgue Integral
 르벡 적분의 몇 가지 성질을 소개하고 마칩니다.
 1. $f$가 measurable이고 $E$에서 bounded이며 $\mu(E) < \infty$ 일 때, 적당한 실수 $M > 0$ 에 대하여 $\lvert f \rvert \leq M$ 이므로
 	$$\int _ E \lvert f \rvert \,d{\mu} \leq \int _ E M \,d{\mu} = M\mu(E) < \infty$$
 	임을 알 수 있습니다. 그러므로 $f \in \mathcal{L}^{1}(E, \mu)$ 입니다. $E$의 measure가 finite라는 가정 하에, bounded function은 모두 르벡 적분 가능합니다.
 2. $f, g \in \mathcal{L}^{1}(E, \mu)$ 이고 $E$에서 $f \leq g$ 일 때, 단조성이 성립함을 보이려고 합니다. 앞에서는 $0 \leq f \leq g$ 인 경우에만 단조성을 증명했었는데, 이를 확장하여 함수가 음의 값을 가지는 경우에도 증명하고 싶습니다. 그러므로 양수인 부분과 음수인 부분을 나누어 고려하여 다음과 같이 적을 수 있습니다.
 	$$\chi _ E (x) f^+(x) \leq \chi _ E(x) g^+(x), \qquad \chi _ E(x) g^-(x) \leq \chi _ E (x) f^-(x)$$
 	이로부터
 	$$\int _ E f^+ \,d{\mu} \leq \int _ E g^+ \,d{\mu} < \infty, \qquad \int _ E g^- \,d{\mu} \leq \int _ E f^- \,d{\mu} < \infty$$
 	를 얻습니다. 따라서
 	$$\int _ E f\,d{\mu} \leq \int _ E g \,d{\mu}$$
 	가 성립하고, 함수가 음의 값을 가지는 경우에도 단조성이 성립함을 알 수 있습니다.
 3. $f \in \mathcal{L}^{1}(E, \mu)$, $c \in \mathbb{R}$ 라 하면 $cf \in \mathcal{L}^{1}(E, \mu)$ 입니다. 왜냐하면
 	$$\int _ E \lvert c \rvert\lvert f \rvert \,d{\mu} = \lvert c \rvert \int _ E \lvert f \rvert\,d{\mu} < \infty$$
 	이기 때문입니다. 적분이 가능하니 실제 적분값을 계산할 때 선형성이 성립했으면 좋겠습니다. 앞에서는 음이 아닌 실수에 대해서만 증명했었는데, 이도 마찬가지로 확장하려 합니다. $c < 0$ 인 경우만 보이면 됩니다. 이 때, $(cf)^+ = -cf^-$, $(cf)^- = -cf^+$ 이므로, 다음이 성립합니다.
 	$$\int _ E cf \,d{\mu} = \int _ E (cf)^+ - \int _ E (cf)^- \,d{\mu} = -c \int _ E f^- \,d{\mu} - (-c) \int _ E f^+ \,d{\mu} = c\int _ E f\,d{\mu}.$$
 4. Measurable function $f$에 대하여 $E$에서 $a \leq f(x) \leq b$ 이고 $\mu(E) < \infty$ 일 때 다음이 성립합니다.
 	$$\int _ E a \chi _ E \,d{\mu} \leq \int _ E f\chi _ E \,d{\mu} \leq \int _ E b \chi _ E \,d{\mu} \implies a \mu(E) \leq \int _ E f \,d{\mu} \leq b \mu(E).$$
 	$f$가 르벡 적분 가능하다는 사실은 $f$가 bounded라는 사실을 이용합니다.
 5. $f \in \mathcal{L}^{1}(E, \mu)$ 와 measurable set $A \subseteq E$ 가 주어지는 경우, $f$는 $E$의 부분집합인 $A$ 위에서도 르벡 적분 가능합니다. 이는 다음 부등식에서 확인할 수 있습니다.
 	$$\int _ A \lvert f \rvert \,d{\mu} \leq \int _ E \lvert f \rvert\,d{\mu} < \infty.$$
 6. 만약 measure가 0인 집합에서 적분을 하면 어떻게 될까요? $\mu(E) = 0$ 라 하고, measurable function $f$를 적분해 보겠습니다. 여기서 $\min\lbrace \lvert f \rvert, n\rbrace\chi _ E$ 도 measurable이며 $n \rightarrow\infty$ 일 때 $\min\lbrace \lvert f \rvert, n\rbrace\chi _ E \nearrow \lvert f \rvert\chi _ E$ 임을 이용합니다. 마지막으로 단조 수렴 정리를 적용하면
 	$$\begin{aligned}                    \int _ E \lvert f \rvert \,d{\mu} &= \lim _ {n \rightarrow\infty} \int _ E \min\lbrace \lvert f \rvert, n\rbrace \,d{\mu} \\                    &\leq \lim _ {n \rightarrow\infty} \int _ E n \,d{\mu} = \lim _ {n \rightarrow\infty} n\mu(E) = 0                  \end{aligned}$$
 	임을 얻습니다. 따라서 $f \in \mathcal{L}^{1}(E, \mu)$ 이고, $\displaystyle\int _ E f \,d{\mu} = 0$ 가 되어 적분값이 0임을 알 수 있습니다. 즉, measure가 0인 집합 위에서 적분하면 그 결과는 0이 됩니다.[^1]
 [^1]: 편의상 $0\cdot\infty = 0$ 으로 정의했기 때문에 $f \equiv \infty$ 인 경우에도 성립합니다.
--- a/_posts/mathematics/measure-theory/2023-04-07-dominated-convergence-theorem.md
+++ b/_posts/mathematics/measure-theory/2023-04-07-dominated-convergence-theorem.md
@@ -2,15 +2,21 @@
 share: true
 toc: true
 math: true
-categories: [Mathematics, Measure Theory]
+categories:
-tags: [math, analysis, measure-theory]
+  - Mathematics
-title: "07. Dominated Convergence Theorem"
+  - Measure Theory
-date: "2023-04-07"
+path: _posts/mathematics/measure-theory
-github_title: "2023-04-07-dominated-convergence-theorem"
+tags:
  - math
  - analysis
  - measure-theory
 title: 07. Dominated Convergence Theorem
 date: 2023-04-07
 github_title: 2023-04-07-dominated-convergence-theorem
 image:
-  path: /assets/img/posts/Mathematics/Measure Theory/mt-07.png
+  path: /assets/img/posts/mathematics/measure-theory/mt-07.png
 attachment:
-  folder: assets/img/posts/Mathematics/Measure Theory
+  folder: assets/img/posts/mathematics/measure-theory
 ---
 ## Almost Everywhere
@@ -149,7 +155,7 @@ $$[f] = \lbrace g \in \mathcal{L}^{1}(E, \mu) : f \sim g\rbrace.$$
 마지막 수렴정리를 소개하고 수렴정리와 관련된 내용을 마칩니다. 지배 수렴 정리(dominated convergence theorem, DCT)로 불립니다.
-![mt-07.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-07.png)
+![mt-07.png](../../../assets/img/posts/mathematics/measure-theory/mt-07.png)
 **정리.** (지배 수렴 정리) Measurable set $E$와 measurable function $f$에 대하여, $\lbrace f _ n\rbrace$이 measurable function의 함수열이라 하자. $E$의 거의 모든 점 위에서 극한 $f(x) = \displaystyle\lim _ {n \rightarrow\infty} f _ n(x)$ 가 $\overline{\mathbb{R}}$에 존재하고 (점별 수렴) $\lvert f _ n \rvert \leq g \quad \mu$-a.e. on $E$ ($\forall n \geq 1$) 를 만족하는 $g \in \mathcal{L}^{1}(E, \mu)$ 가 존재하면,
--- a/_posts/mathematics/measure-theory/2023-06-20-comparison-with-riemann-integral.md
+++ b/_posts/mathematics/measure-theory/2023-06-20-comparison-with-riemann-integral.md
@@ -0,0 +1,136 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Mathematics
  - Measure Theory
 path: _posts/mathematics/measure-theory
 tags:
  - math
  - analysis
  - measure-theory
 title: 08. Comparison with the Riemann Integral
 date: 2023-06-20
 github_title: 2023-06-20-comparison-with-riemann-integral
 image:
  path: /assets/img/posts/mathematics/measure-theory/mt-08.png
 attachment:
  folder: assets/img/posts/mathematics/measure-theory
 ---
 ![mt-08.png](../../../assets/img/posts/mathematics/measure-theory/mt-08.png)
 ## Comparison with the Riemann Integral
 먼저 혼동을 막기 위해 Lebesgue measure $m$에 대하여 르벡 적분을
 $$\int _ {[a, b]} f \,d{m} = \int _ {[a, b]} f \,d{x} = \int _ a^b f \,d{x}$$
 와 같이 표기하고, 리만 적분은
 $$\mathcal{R}\int _ a^b f\,d{x}$$
 로 표기하겠습니다.
 **정리.** $a, b \in \mathbb{R}$ 에 대하여 $a < b$ 이고 함수 $f$가 유계라고 하자.
 1. $f \in \mathcal{R}[a, b]$ 이면 $f \in \mathcal{L}^{1}[a, b]$ 이고 $\displaystyle\int _ a^b f\,d{x} = \mathcal{R}\int _ a^b f \,d{x}$ 이다.
 2. $f \in \mathcal{R}[a, b]$ $\iff$ $f$가 연속 $m$-a.e. on $[a, b]$.
 쉽게 풀어서 적어보면, (1)은 $f$가 $[a, b]$에서 리만 적분 가능하면 르벡 적분 또한 가능하며, 적분 값이 같다는 의미입니다. 즉 르벡 적분이 리만 적분보다 더 강력하다는 것을 알 수 있습니다.
 또한 (2)는 리만 적분 가능성에 대한 동치 조건을 알려줍니다. Almost everywhere라는 조건이 붙었기 때문에, $\mathcal{L}^1$의 equivalence class를 고려하면 사실상 연속함수에 대해서만 리만 적분이 가능하다는 뜻이 됩니다.
 **증명.** $k \in \mathbb{N}$ 에 대하여 구간 $[a, b]$의 분할 $P _ k = \lbrace a = x _ 0^k < x _ 1^k < \cdots < x _ {n _ k}^k = b\rbrace$ 를 잡는다. 단 $P _ k \subseteq P _ {k+1}$ (refinement) 이고 $\lvert x _ {i}^k - x _ {i-1}^k \rvert < \frac{1}{k}$ 이 되도록 한다.
 그러면 리만 적분의 정의로부터
 $$\lim _ {k \rightarrow\infty} L(P _ k, f) = \mathcal{R}\underline{\int _ {a}^{b}} f\,d{x}, \quad \lim _ {k \rightarrow\infty} U(P _ k, f) = \mathcal{R} \overline{\int _ {a}^{b}} f \,d{x}$$
 임을 알 수 있다.
 이제 measurable simple function $U _ k, L _ k$를 다음과 같이 잡는다.
 $$U _ k = \sum _ {i=1}^{n _ k} \sup _ {x _ {i-1}^k \leq y \leq x _ {i}^k} f(y) \chi _ {(x _ {i-1}^k, x _ i^k]}, \quad L _ k = \sum _ {i=1}^{n _ k} \inf _ {x _ {i-1}^k \leq y \leq x _ {i}^k} f(y) \chi _ {(x _ {i-1}^k, x _ i^k]}.$$
 그러면 구간 $[a, b]$ 위에서 $L _ k \leq f \leq U _ k$인 것은 당연하고, 르벡 적분이 가능하므로
 $$\int _ a^b L _ k \,d{x} = L(P _ k, f), \quad \int _ a^b U _ k \,d{x} = U(P _ k, f)$$
 이 됨을 알 수 있다. 여기서 $P _ k \subseteq P _ {k + 1}$ 이 되도록 잡았기 때문에, $L _ k$는 증가하는 수열, $U _ k$는 감소하는 수열이다.
 그러므로
 $$L(x) = \lim _ {k \rightarrow\infty} L _ k(x), \quad U(x) = \lim _ {k \rightarrow\infty} U _ k(x)$$
 로 정의했을 때, 극한이 존재함을 알 수 있다. 여기서 $f, L _ k, U _ k$가 모두 유계인 함수이므로 지배 수렴 정리에 의해
 $$\int _ a^b L \,d{x} = \lim _ {k \rightarrow\infty} \int _ a^b L _ k \,d{x} = \lim _ {k \rightarrow\infty} L(P _ k, f) = \mathcal{R}\underline{\int _ {a}^{b}} f\,d{x} < \infty,$$
 $$\int _ a^b U\,d{x} = \lim _ {k \rightarrow\infty} \int _ a^b U _ k \,d{x} = \lim _ {k \rightarrow\infty} U(P _ k, f) = \mathcal{R} \overline{\int _ {a}^{b}} f \,d{x} < \infty$$
 이므로 $L, U \in \mathcal{L}^{1}[a, b]$ 이다.
 위 사실을 종합하면 $f \in \mathcal{R}[a, b]$ 일 때,
 $$\mathcal{R}\underline{\int _ {a}^{b}} f\,d{x} = \mathcal{R}\overline{\int _ {a}^{b}} f\,d{x}$$
 이므로
 $$\int _ a^b (U - L)\,d{x} = 0$$
 가 되어 $U = L$ $m$-a.e. on $[a, b]$라는 사실을 알 수 있다. 역으로 이를 거꾸로 읽어보면 $U = L$ $m$-a.e. on $[a, b]$일 때 $f \in \mathcal{R}[a, b]$ 가 되는 것 또한 알 수 있다.
 (1) 위 논의에 의해 $f \in \mathcal{R}[a, b]$ 이면 $f = U = L$ a.e. on $[a, b]$ 이다. 따라서 $f$는 measurable.
 $$\int _ a^b f \,d{x} = \mathcal{R}\int _ a^b f\,d{x} < \infty \implies f \in \mathcal{L}^{1}[a, b].$$
 (2) 만약 $x \notin \bigcup _ {k=1}^{\infty} P _ k$ 라고 가정하면, 임의의 $\epsilon > 0$ 에 대해 충분히 큰 $n \in \mathbb{N}$ 을 잡았을 때 적당한 $j _ 0 \in \mathbb{N}$ 이 존재하여 $x \in (t _ {j _ 0-1}^n, t _ {j _ 0}^n)$ 이면서
 $$\lvert L _ n(x) - L(x) \rvert + \lvert U _ n(x) - U(x) \rvert < \epsilon$$
 이 되도록 할 수 있다. 그러면 $y \in (t _ {j _ 0-1}^n, t _ {j _ 0}^n)$ 일 때
 $$\begin{aligned}        \lvert f(x) - f(y) \rvert & \leq M _ {j _ 0}^n - m _ {j _ 0}^n = M _ {j _ 0}^n - U(x) + U(x) - L(x) + L(x) - m _ {j _ 0}^n \\                          & \leq U(x) - L(x) + \epsilon    \end{aligned}$$
 가 됨을 알 수 있다.
 위 부등식에 의해 $y \in \lbrace x : U(x) = L(x)\rbrace \setminus\bigcup _ {k=1}^{\infty} P _ k$ 이면 $f$가 $y$에서 연속임을 알 수 있게 된다.
 따라서, $f$가 연속인 점들의 집합을 $C _ f$라 하면
 $$\lbrace x : U(x) = L(x)\rbrace \setminus\bigcup _ {k=1}^{\infty} P _ k \subseteq C _ f \subseteq\lbrace x : U(x) = L(x)\rbrace$$
 이 된다. 한편 $\bigcup _ {k=1}^{\infty} P _ k$는 measure가 0 이므로, $U = L$ $m$-a.e. 인 것과 $f$가 연속 $m$-a.e. 인 것은 동치이다. 위 논의의 결과를 이용하면 $f \in \mathcal{R}[a, b]$ 인 것과 $f$가 연속 $m$-a.e. 인 것은 동치이다.
 아래는 증명의 부산물입니다.
 **참고.**
 1. $x \notin \bigcup _ {k=1}^\infty P _ k$ 이면 $f$가 $x$에서 연속 $\iff f(x) = U(x) = L(x)$ 이다.
 2. $L(x) \leq f(x) \leq U(x)$ 이고 measurable function의 극한인 $L(x), U(x)$ 또한 measurable이다.
 3. $f$가 유계라는 조건이 있기 때문에 $f \geq 0$ 인 경우만 생각해도 충분하다. $\lvert f \rvert \leq M$ 라고 하면 $f$ 대신 $f + M$ 을 생각하면 되기 때문이다.
 이제 리만 적분의 유용한 성질들을 가지고 와서 사용할 수 있습니다.
 1. $f \geq 0$ 이고 measurable일 때, $f _ n = f\chi _ {[0, n]}$으로 정의한다. 단조 수렴 정리에 의해
 	$$\int _ 0^\infty f \,d{x} = \lim _ {n \rightarrow\infty} \int _ 0^\infty f _ n \,d{x} = \lim _ {n \rightarrow\infty} \int _ 0^n f \,d{x}$$
 	이다. 마지막 적분을 리만 적분으로 계산할 수 있다.
 2. 닫힌 유계 구간 $I \subseteq(0, \infty)$ 에 대하여 $f \in \mathcal{R}(I)$ 라 하면 $f \in \mathcal{L}^{1}(I)$ 이다. $f _ n = f\chi _ {[0, n]}$ 으로 잡으면 $\lvert f _ n \rvert \leq f$ 이므로 지배 수렴 정리를 적용하여
 	$$\int _ 0^\infty f \,d{x} = \lim _ {n \rightarrow\infty} \int _ 0^\infty f _ n \,d{x} = \lim _ {n \rightarrow\infty} \int _ 0^n f \,d{x} = \lim _ {n \rightarrow\infty} \mathcal{R} \int _ 0^n f \,d{x}$$
 	임을 알 수 있다.
 마찬가지로 $f _ n = f\chi _ {(1/n, 1)}$ 으로 잡은 경우에도 지배 수렴 정리에 의해
 $$\int _ 0^1 f\,d{x} = \lim _ {n \rightarrow\infty} \int _ {0}^1 f _ n \,d{x} = \lim _ {n \rightarrow\infty}\int _ {1/n}^1 f \,d{x} = \lim _ {n \rightarrow\infty} \mathcal{R}\int _ {1/n}^1 f \,d{x}$$
 이 된다.
--- a/_tabs/about.md
+++ b/_tabs/about.md
@@ -1,8 +1,112 @@
 ---
 # the default layout is 'page'
 icon: fas fa-info-circle
-order: 4
+order: 0
 ---
-> Add Markdown syntax content to file `_tabs/about.md`{: .filepath } and it will show up on this page.
+# Sungchan Yi
-{: .prompt-tip }
+
 - Last updated: 2025-11-20
 - Email: [calofmijuck at snu dot ac dot kr](mailto:calofmijuck@snu.ac.kr)
 **Research Interests**: computer architecture, hardware-software co-design, cryptography, formal verification
 ## Education
 **Seoul National University** (Sept. 2024 ~ Present)
 - M.S. Candidate in Computer Science and Engineering at [Architecture and Code Optimization Lab](https://arc.snu.ac.kr)
 - **Advisor**: Professor Jae W. Lee
 - GPA: 4.18/4.3
 **Seoul National University** (Mar. 2017 ~ Feb. 2024)
 - B.S. in Computer Science and Engineering, Minor in Mathematical Sciences
 - GPA: 3.96/4.3 (Summa Cum Laude)
 ## Research Experience
 [**Architecture and Code Optimization Lab**](https://arc.snu.ac.kr), *M.S. Candidate* (Mar. 2024 ~ Present)
 - Leading **Software Defined Manycores** project
 [**Cryptography & Privacy Lab**](https://crypto.snu.ac.kr), *Undergraduate Research Assistant* (Jan. 2024 ~ Feb. 2024)
 - Implemented generalized BFV scheme with bootstrapping based on CKKS bootstrapping techniques
 - Analyzed automorphism group of the plaintext space and determined their effects on ciphertext
 [**Software Foundations Lab**](https://sf.snu.ac.kr), *Undergraduate Research Assistant* (Jul. 2023 ~ Oct. 2023)
 - Implemented stack variable merging optimization that reduces memory allocation calls and tried to prove its correctness with Rocq theorem prover
 [**Architecture and Code Optimization Lab**](https://arc.snu.ac.kr), *Undergraduate Research Assistant* (Jan. 2023 ~ Mar. 2023)
 - Implemented a parametrized experiment framework to automate training and evaluation of various CNN models with different activation functions and their knowledge distillation based ReLUifications
 - Quantified benefits of ReLUification on sparsity-aware NPU for Samsung mobile SoC in terms of memory footprint and computation reduction
 ## Work Experience
 [**Scatterlab**](https://scatterlab.co.kr), *Software Reliability / Security Engineer* (Nov. 2020 ~ Sept. 2022)
 - Spring Boot (Java) Backend, Docker/Kubernetes, AWS Cloud Security and Operations
 - Led cloud security project, co-worked with AWS to completely rebuild and secure the cloud infrastructure
 - Led software reliability team, cut server operation costs with spot instances and container orchestration
 [**Logpresso**](https://logpresso.com/en), *Big Data Platform Engineer* (Jul. 2019 ~ Oct. 2020)
 - Implemented loggers, parsers, and query commands that collect and analyze data from various sources, applied software-level optimizations to improve performance
 - Optimized distributed security operation system from pull to push architecture to reduce latency
 ## Publications
 - **Sungchan Yi**, Keun Soo Lim, Hoyeon Jo, Sungjun Jung, Minwoo Kwak, Dongoh Kim, Luigi Cussigh, Seong Hoon Seo, Jinkyu Jeong, Jae W. Lee, "Software-Defined Manycores via Hardware-Managed Preemptive Coroutine Scheduling", _International Symposium on Computer Architecture (ISCA)_, 2026. (Submitted)
 - **[ACCV'24]** Soosung Kim, Yeonhong Park, Hyunseung Lee, **Sungchan Yi**, and Jae W. Lee, "ReLUifying Smooth Functions: Low-Cost Knowledge Distillation to Obtain High-Performance ReLU Networks", _Asian Conference on Computer Vision (ACCV)_, Hanoi, Vietnam, December 2024. ([PDF](https://arc.snu.ac.kr/pubs/ACCV24_ReLU.pdf))
 - **Sungchan Yi**, "Secure IAM on AWS with Multi-Account Strategy", _Undergraduate Thesis_, December 2023. **Outstanding Undergraduate Thesis Award.** ([PDF](https://arxiv.org/pdf/2501.02203))
 ## Honors & Awards
 **Outstanding Undergraduate Thesis Award**
 - Title: Secure IAM on AWS using Multi-Account Strategy
 **Top Prize in Hacking and Defense Contest 2021**
 - Awarded by Korea Internet & Security Agency (KISA)
 - Topic: Design and Operation of Secure Cloud Architectures
 **Kwanjeong Educational Foundation Scholarship**
 - Full tuition and fees for 2 years of undergraduate studies
 ## Extracurricular Activities
 **Web Administrator of Architecture and Code Optimization Lab**
 - Responsible for maintaining the web infrastructure: website, cloud, accounts, wiki, etc.
 - Installation of convenient tools such as shared password manager and schedule notification system
 **Seoul National University College of Engineering Honor Society** (Mar. 2022 ~ Aug. 2023)
 - SNU Tomorrow’s Edge Membership (STEM)
 - **Web Administrator**: reduced cloud infrastructure costs by 50% and installed shared storage
 **Guardian**, Seoul National University Security Club (2018 ~ Present)
 - Former president of the club in 2019
 - Taught basic Linux, x86 assembly, and C programming to new members
 - Created 30 linux/x86 assembly wargame challenges for members to practice
 ## Technical Skills & Interests
 - **Programming Languages**: C/C++, Java, Python, Golang, Coq
 - **Architectural Simulators**: gem5
 - **DevOps**: Docker, Kubernetes, AWS
 - System/cloud security, cryptography
 - Compilers and formal verification
 - Mathematics in general, especially algebra and analysis
 ## Language Proficiency
 Fluent in **English** and native in **Korean**
 - **IBT TOEFL**: 113 (Reading: 30, Listening: 30, Speaking: 26, Writing: 27)
--- a/_tabs/archives.md
+++ b/_tabs/archives.md
@@ -1,5 +1,5 @@
 ---
 layout: archives
 icon: fas fa-archive
-order: 3
+order: 4
 ---
--- a/_tabs/blog.md
+++ b/_tabs/blog.md
@@ -0,0 +1,13 @@
 ---
 title: Blog
 layout: home
 icon: fas fa-pencil
 order: 1
 # pagination:
 #   enabled: true
 #   per_page: 10
 #   collection: posts
 #   permalink: '/page/:num/'
 ---
 This page serves as the site "Home" (posts listing). It is now a tab in the sidebar.
--- a/_tabs/categories.md
+++ b/_tabs/categories.md
@@ -1,5 +1,5 @@
 ---
 layout: categories
 icon: fas fa-stream
-order: 1
+order: 2
 ---
--- a/_tabs/tags.md
+++ b/_tabs/tags.md
@@ -1,5 +1,5 @@
 ---
 layout: tags
 icon: fas fa-tags
-order: 2
+order: 3
 ---
--- a/assets/css/jekyll-theme-chirpy.scss
+++ b/assets/css/jekyll-theme-chirpy.scss
@@ -1,7 +1,14 @@
 ---
 ---
-@import 'main';
+@use 'main
 {%- if jekyll.environment == 'production' -%}
  .bundle
 {%- endif -%}
 ';
 /* append your custom style below */
@import url("https://cdn.jsdelivr.net/gh/orioncactus/pretendard@v1.3.8/dist/web/static/pretendard.css");
 /* append your custom style below */
@@ -46,3 +53,12 @@ div.language-plaintext.highlighter-rouge {
 div.footnotes {
    font-size: 90%;
 }
 nav#breadcrumb {
    font-family: "Palatino Linotype", Palatino, Pretendard;
 }
 /* for post title */
 h1 {
    font-family: "Palatino Linotype", Palatino, Pretendard;
 }
--- a/assets/img/avatar.png
+++ b/assets/img/avatar.png
--- a/assets/img/posts/development/separation-by-product.png
+++ b/assets/img/posts/development/separation-by-product.png
--- a/assets/img/posts/development/web/broken-math-equations.png
+++ b/assets/img/posts/development/web/broken-math-equations.png
--- a/assets/img/posts/is-03-cbc-encryption.png
+++ b/assets/img/posts/is-03-cbc-encryption.png
--- a/assets/img/posts/is-03-ctr-encryption.png
+++ b/assets/img/posts/is-03-ctr-encryption.png
--- a/assets/img/posts/is-03-ecb-encryption.png
+++ b/assets/img/posts/is-03-ecb-encryption.png
--- a/assets/img/posts/lecture-notes/internet-security/is-01-cryptosystem.png
+++ b/assets/img/posts/lecture-notes/internet-security/is-01-cryptosystem.png
--- a/assets/img/posts/lecture-notes/internet-security/is-03-cbc-encryption.png
+++ b/assets/img/posts/lecture-notes/internet-security/is-03-cbc-encryption.png
--- a/assets/img/posts/lecture-notes/internet-security/is-03-cfb-encryption.png
+++ b/assets/img/posts/lecture-notes/internet-security/is-03-cfb-encryption.png
--- a/assets/img/posts/lecture-notes/internet-security/is-03-ctr-encryption.png
+++ b/assets/img/posts/lecture-notes/internet-security/is-03-ctr-encryption.png
--- a/assets/img/posts/lecture-notes/internet-security/is-03-ecb-encryption.png
+++ b/assets/img/posts/lecture-notes/internet-security/is-03-ecb-encryption.png
--- a/Show More
+++ b/Show More