fix: broken image links have been fixed

* [PUBLISHER] upload files #133

* [PUBLISHER] upload files #134

* PUSH NOTE : 9. Public Key Encryption.md

* PUSH ATTACHMENT : mc-09-ss-pke.png

* [PUBLISHER] upload files #135

* PUSH NOTE : 10. Digital Signatures.md

* PUSH ATTACHMENT : mc-10-dsig-security.png

* PUSH ATTACHMENT : mc-10-schnorr-identification.png

* [PUBLISHER] upload files #136

* [PUBLISHER] upload files #137

* PUSH NOTE : 12. Zero-Knowledge Proofs (Introduction).md

* PUSH ATTACHMENT : mc-12-id-protocol.png

* [PUBLISHER] upload files #138

* [PUBLISHER] upload files #139

* [PUBLISHER] upload files #140

* PUSH NOTE : 13. Sigma Protocols.md

* PUSH ATTACHMENT : mc-13-sigma-protocol.png

* PUSH ATTACHMENT : mc-13-okamoto.png

* PUSH ATTACHMENT : mc-13-chaum-pedersen.png

* PUSH ATTACHMENT : mc-13-gq-protocol.png

* [PUBLISHER] upload files #141

* [PUBLISHER] upload files #142

* [PUBLISHER] upload files #143

* PUSH NOTE : 16. The GMW Protocol.md

* PUSH ATTACHMENT : mc-16-beaver-triple.png

* [PUBLISHER] upload files #144

* [PUBLISHER] upload files #145

* fix: links have been fixed

.github/workflows/pages-deploy.yml

@@ -42,7 +42,7 @@ jobs:
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3
+          ruby-version: 3.2
           bundler-cache: true
 
       - name: Build site

Gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "jekyll-theme-chirpy", "~> 6.2", ">= 6.2.2"
+gem "jekyll-theme-chirpy", "~> 6.4", ">= 6.4.2"
 
 group :test do
   gem "html-proofer", "~> 4.4"
@@ -21,8 +21,3 @@ gem "wdm", "~> 0.1.1", :platforms => [:mingw, :x64_mingw, :mswin]
 # Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer versions of the gem
 # do not have a Java counterpart.
 gem "http_parser.rb", "~> 0.6.0", :platforms => [:jruby]
-
-# Lock jekyll-sass-converter to 2.x on Linux-musl
-if RUBY_PLATFORM =~ /linux-musl/
-  gem "jekyll-sass-converter", "~> 2.0"
-end

_includes/js-selector.html

@@ -0,0 +1,164 @@
+<!-- JS selector for site. -->
+
+<!-- commons -->
+
+{% assign urls = site.data.origin[type].jquery.js
+  | append: ','
+  | append: site.data.origin[type].bootstrap.js
+  | append: ','
+  | append: site.data.origin[type].search.js
+%}
+
+<!-- layout specified -->
+
+{% if page.layout == 'post' or page.layout == 'page' or page.layout == 'home' %}
+  {% assign urls = urls | append: ',' | append: site.data.origin[type]['lazy-polyfill'].js %}
+
+  {% unless page.layout == 'home' %}
+    <!-- image lazy-loading & popup & clipboard -->
+    {% assign urls = urls
+      | append: ','
+      | append: site.data.origin[type]['magnific-popup'].js
+      | append: ','
+      | append: site.data.origin[type].clipboard.js
+    %}
+  {% endunless %}
+{% endif %}
+
+{% if page.layout == 'home'
+  or page.layout == 'post'
+  or page.layout == 'archives'
+  or page.layout == 'category'
+  or page.layout == 'tag'
+%}
+  {% assign locale = site.lang | split: '-' | first %}
+
+  {% assign urls = urls
+    | append: ','
+    | append: site.data.origin[type].dayjs.js.common
+    | append: ','
+    | append: site.data.origin[type].dayjs.js.locale
+    | replace: ':LOCALE', locale
+    | append: ','
+    | append: site.data.origin[type].dayjs.js.relativeTime
+    | append: ','
+    | append: site.data.origin[type].dayjs.js.localizedFormat
+  %}
+{% endif %}
+
+{% if page.content contains '<h2' or page.content contains '<h3' and site.toc and page.toc %}
+  {% assign urls = urls | append: ',' | append: site.data.origin[type].toc.js %}
+{% endif %}
+
+{% if page.mermaid %}
+  {% assign urls = urls | append: ',' | append: site.data.origin[type].mermaid.js %}
+{% endif %}
+
+{% include jsdelivr-combine.html urls=urls %}
+
+{% case page.layout %}
+  {% when 'home', 'categories', 'post', 'page' %}
+    {% assign js = page.layout %}
+  {% when 'archives', 'category', 'tag' %}
+    {% assign js = 'misc' %}
+  {% else %}
+    {% assign js = 'commons' %}
+{% endcase %}
+
+{% capture script %}/assets/js/dist/{{ js }}.min.js{% endcapture %}
+<script defer src="{{ script | relative_url }}"></script>
+
+{% if page.math %}
+  <!-- MathJax -->
+  <script>
+    /* see: <https://docs.mathjax.org/en/latest/options/input/tex.html#tex-options> */
+    MathJax = {
+      tex: {
+        /* start/end delimiter pairs for in-line math */
+        inlineMath: [
+          ['$', '$'],
+          ["\\(", "\\)"]
+        ],
+        /* start/end delimiter pairs for display math */
+        displayMath: [
+          ['$$', '$$'],
+          ["\\[", "\\]"]
+        ],
+        macros: {
+          ds: "\\displaystyle",
+
+          // font styles
+          rm: ["\\mathrm{#1}", 1],
+          mf: ["\\mathfrak{#1}", 1],
+          mc: ["\\mathcal{#1}", 1],
+          bb: ["\\mathbb{#1}", 1],
+          bf: ["\\mathbf{#1}", 1],
+          tt: ["\\texttt{#1}", 1],
+
+          inv: "^{-1}",
+          conj: "^\\ast",
+          trans: "^\\top",
+          cross: "^\\times",
+          bs: "\\setminus",
+          nsub: "\\unlhd",
+          pnsub: "\\lhd",
+
+          floor: ["\\left\\lfloor #1 \\right\\rfloor", 1],
+          ceil: ["\\left\\lceil #1 \\right\\rceil", 1],
+          round: ["\\left\\lfloor #1 \\right\\rceil", 1],
+          norm: ["\\left\\lVert #1 \\right\\rVert", 1],
+          abs: ["\\left\\lvert #1 \\right\\rvert", 1],
+          paren: ["\\left( #1 \\right)", 1],
+          braces: ["\\left\\{ #1 \\right\\}", 1],
+          span: ["\\left\\langle #1 \\right\\rangle", 1],
+          bar: ["\\overline{#1 \\vphantom{l}}", 1],
+
+          lcm: ["\\mathrm{lcm}"],
+
+          ra: "\\rightarrow",
+          la: "\\leftarrow",
+          lra: "\\leftrightarrow",
+          imp: "\\implies",
+          pll: "\\parallel",
+
+          N: "\\mathbb{N}",
+          Z: "\\mathbb{Z}",
+          Q: "\\mathbb{Q}",
+          R: "\\mathbb{R}",
+          C: "\\mathbb{C}",
+          F: "\\mathbb{F}",
+
+          Adv: ["\\mathrm{Adv}_{\\mathrm{#1}}[#2]", 2, ""],
+
+          im: "\\operatorname\{im\}",
+          ch: "\\operatorname\{char\}",
+
+          Aut: "\\mathrm{Aut}",
+          Gal: "\\mathrm{Gal}",
+          GF: "\\mathrm{GF}",
+
+          exists: "∃\\,",
+
+          tilde: ["\\widetilde{#1}", 1],
+          hat: ["\\widehat{#1}", 1],
+        }
+      }
+    };
+  </script>
+  <script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
+  <script id="MathJax-script" async src="{{ site.data.origin[type].mathjax.js | relative_url }}"></script>
+{% endif %}
+
+{% if jekyll.environment == 'production' %}
+  <!-- PWA -->
+  {% if site.pwa.enabled %}
+    <script defer src="{{ '/app.js' | relative_url }}"></script>
+  {% else %}
+    <script defer src="{{ '/unregister.js' | relative_url }}"></script>
+  {% endif %}
+
+  <!-- GA -->
+  {% if site.google_analytics.id != empty and site.google_analytics.id %}
+    {% include google-analytics.html %}
+  {% endif %}
+{% endif %}

_posts/Development/Kubernetes/2021-02-28-01-introducing-k8s.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-01.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-01.jpeg) _Overview of Kubernetes Architecture (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-1)_
+![k8s-01.jpeg](/assets/img/posts/Development/Kubernetes/k8s-01.jpeg) _Overview of Kubernetes Architecture (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-1)_
 
 기존에는 소프트웨어가 커다란 덩어리였지만 최근에는 독립적으로 작동하는 작은 **마이크로서비스**(microservice)로 나뉘고 있다. 이들은 독립적으로 동작하기 때문에, 개발하고 배포하거나 스케일링을 따로 해줄 수 있다는 장점이 있으며, 이 장점은 빠르게 변화하는 소프트웨어의 요구사항을 반영하기에 적합하다.
 
@@ -202,4 +202,4 @@ VM은 자체적으로 OS를 가지고 있기 때문에 VM을 사용하게 되면
 새로운 버전의 애플리케이션을 배포할 때 연속적인 배포를 할 수 있게 된다. 중간에 서비스를 중단하지 않아도 된다.
 
 ---
-[^1]: 물론 컨테이너를 씀으로 인해 발생하는 새로운 문제를 얻겠지만, 개인적으로 장점이 더 크다고 생각한다.
+[^1]: 물론 컨테이너를 씀으로 인해 발생하는 새로운 문제를 얻겠지만, 개인적으로 장점이 더 크다고 생각한다.

_posts/Development/Kubernetes/2021-03-07-02-first-steps.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-02.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-02.jpeg) _Running a container image in Kubernetes (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-2)_
+![k8s-02.jpeg](/assets/img/posts/Development/Kubernetes/k8s-02.jpeg) _Running a container image in Kubernetes (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-2)_
 
 도커와 쿠버네티스를 사용하여 간단한 애플리케이션을 배포해 보자!
 

_posts/Development/Kubernetes/2021-03-17-03-pods.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-03.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-03.jpeg) _A container shouldn’t run multiple processes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-3)_
+![k8s-03.jpeg](/assets/img/posts/Development/Kubernetes/k8s-03.jpeg) _A container shouldn’t run multiple processes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-3)_
 
 다양한 쿠버네티스 오브젝트 (resources) 를 살펴보는 단원이다. 가장 기본이 되는 Pod 부터 시작한다. 이외의 모든 것들은 pod 를 관리하거나, pod 를 노출하거나, pod 에 의해 사용된다.
 

_posts/Development/Kubernetes/2021-03-21-04-replication-and-controllers.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-04.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-04.jpeg) _ReplicationController recreating pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-4)_
+![k8s-04.jpeg](/assets/img/posts/Development/Kubernetes/k8s-04.jpeg) _ReplicationController recreating pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-4)_
 
 3장에서는 pod 를 직접 관리하는 방법에 대해 살펴봤다. 하지만 실무에서는 pod 의 관리가 자동으로 되길 원한다. 이를 위해 ReplicationController 나 Deployment 를 사용한다.
 

_posts/Development/Kubernetes/2021-04-07-05-services.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-05.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-05.jpeg) _Using `kubectl exec` to test out a connection to the service by running curl in one of the pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-5)_
+![k8s-05.jpeg](/assets/img/posts/Development/Kubernetes/k8s-05.jpeg) _Using `kubectl exec` to test out a connection to the service by running curl in one of the pods. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-5)_
 
 많은 앱들이 request (요청) 을 받아 서비스를 제공하는 형태인데, 이런 요청을 보내려면 IP 주소를 알아야 한다. 한편 Kubernetes 를 사용하게 되면 pod 의 IP 주소를 알아야 하는데, Kubernetes 의 pod 들은 굉장히 동적이므로 이들의 IP 주소를 알아낼 방법이 필요하다.
 

_posts/Development/Kubernetes/2021-04-07-06-volumes.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-06.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-06.jpeg) _The complete picture of dynamic provisioning of PersistentVolumes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-6)_
+![k8s-06.jpeg](/assets/img/posts/Development/Kubernetes/k8s-06.jpeg) _The complete picture of dynamic provisioning of PersistentVolumes. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-6)_
 
 컨테이너가 재시작되면 기존 작업 내역이 모두 사라지게 될 수 있으므로, 컨테이너의 작업 내역을 저장하고 같은 pod 내의 다른 컨테이너가 함께 사용하는 저장 공간이다.
 

_posts/Development/Kubernetes/2021-04-18-07-configmaps-and-secrets.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-07.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-07.jpeg) _Combining a ConfigMap and a Secret to run your fortune-https pod (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-7)_
+![k8s-07.jpeg](/assets/img/posts/Development/Kubernetes/k8s-07.jpeg) _Combining a ConfigMap and a Secret to run your fortune-https pod (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-7)_
 
 거의 대부분의 앱은 설정(configuration)이 필요하다. 개발 서버, 배포 서버의 설정 사항 (접속하려는 DB 서버 주소 등)이 다를 수도 있고, 클라우드 등에 접속하기 위한 access key 가 필요하거나, 데이터를 암호화하는 encryption key 도 설정해야하는 경우가 있다. 이러한 경우에 해당 값들을 도커 이미지 자체에 넣어버리면 보안 상 취약하고, 또 설정 사항을 변경하는 경우 이미지를 다시 빌드해야하는 등 불편함이 따른다.
 

_posts/Development/Kubernetes/2021-04-18-08-accessing-pod-metadata.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-08.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-08.jpeg) _Using the files from the default-token Secret to talk to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-8)_
+![k8s-08.jpeg](/assets/img/posts/Development/Kubernetes/k8s-08.jpeg) _Using the files from the default-token Secret to talk to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-8)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-04-30-09-deployments.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-09.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-09.jpeg) _Rolling update of Deployments (출처: livebook.manning.com/book/kubernetes-in-action/chapter-9)_
+![k8s-09.jpeg](/assets/img/posts/Development/Kubernetes/k8s-09.jpeg) _Rolling update of Deployments (출처: livebook.manning.com/book/kubernetes-in-action/chapter-9)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-05-17-10-statefulsets.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-10.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-10.jpeg) _A stateful pod may be rescheduled to a different node, but it retains the name, hostname, and storage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-10)_
+![k8s-10.jpeg](/assets/img/posts/Development/Kubernetes/k8s-10.jpeg) _A stateful pod may be rescheduled to a different node, but it retains the name, hostname, and storage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-10)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-05-30-11-k8s-internals.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-11.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-11.jpeg) _The chain of events that unfolds when a Deployment resource is posted to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-11)_
+![k8s-11.jpeg](/assets/img/posts/Development/Kubernetes/k8s-11.jpeg) _The chain of events that unfolds when a Deployment resource is posted to the API server (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-11)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-06-06-12-securing-k8s-api-server.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-12.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-12.jpeg) _Roles grant permissions, whereas RoleBindings bind Roles to subjects (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-12)_
+![k8s-12.jpeg](/assets/img/posts/Development/Kubernetes/k8s-12.jpeg) _Roles grant permissions, whereas RoleBindings bind Roles to subjects (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-12)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-06-29-13-securing-nodes-and-network.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-13.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-13.jpeg) _A pod with hostNetwork: true uses the node's network interfaces instead of its own. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-13)_
+![k8s-13.jpeg](/assets/img/posts/Development/Kubernetes/k8s-13.jpeg) _A pod with hostNetwork: true uses the node's network interfaces instead of its own. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-13)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-07-11-14-managing-computation-resources.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-14.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-14.jpeg) _The Scheduler only cares about requests, not actual usage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-14)_
+![k8s-14.jpeg](/assets/img/posts/Development/Kubernetes/k8s-14.jpeg) _The Scheduler only cares about requests, not actual usage. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-14)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-07-18-15-autoscaling.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-15.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-15.jpeg) _How the autoscaler obtains metrics and rescales the target deployment (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-15)_
+![k8s-15.jpeg](/assets/img/posts/Development/Kubernetes/k8s-15.jpeg) _How the autoscaler obtains metrics and rescales the target deployment (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-15)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-08-15-16-advanced-scheduling.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-16.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-16.jpeg) _A pod is only scheduled to a node if it tolerates the node’s taints. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-16)_
+![k8s-16.jpeg](/assets/img/posts/Development/Kubernetes/k8s-16.jpeg) _A pod is only scheduled to a node if it tolerates the node’s taints. (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-16)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-08-15-17-best-practices.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-17.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-17.jpeg) _Resources in a typical application (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-17)_
+![k8s-17.jpeg](/assets/img/posts/Development/Kubernetes/k8s-17.jpeg) _Resources in a typical application (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-17)_
 
 ### 주요 내용
 

_posts/Development/Kubernetes/2021-09-04-18-extending-k8s.md

@@ -12,7 +12,7 @@ attachment:
   folder: assets/img/posts/Development/Kubernetes
 ---
 
-![k8s-18.jpeg](../../../assets/img/posts/Development/Kubernetes/k8s-18.jpeg) _API Server Aggregation (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-18)_
+![k8s-18.jpeg](/assets/img/posts/Development/Kubernetes/k8s-18.jpeg) _API Server Aggregation (출처: https://livebook.manning.com/book/kubernetes-in-action/chapter-18)_
 
 ### 주요 내용
 

_posts/Development/Web/2023-06-25-blog-moving.md

@@ -10,7 +10,7 @@ image:
   path: /assets/img/posts/blog-logo.png
 ---
 
-![blog-logo.png](../../../assets/img/posts/blog-logo.png) _New blog logo_
+![blog-logo.png](/assets/img/posts/blog-logo.png) _New blog logo_
 
 오래 전, Github Pages가 불편하다는 이유로 티스토리로 옮겼었다.
 근데 어쩌다 보니 결국 다시 돌아오게 되었다.
@@ -65,7 +65,7 @@ image:
 
 Obsidian을 Github과 연동하기 위해 [Obsidian Github Publisher](https://github.com/ObsidianPublisher/obsidian-github-publisher) 플러그인을 사용할 수 있다.
 
-![github-publisher.png](../../../assets/img/posts/github-publisher.png){: .shadow } _플러그인 설정 화면: 어느 폴더에 어떤 이름으로 파일을 업로드할지 설정할 수 있다._
+![github-publisher.png](/assets/img/posts/github-publisher.png){: .shadow } _플러그인 설정 화면: 어느 폴더에 어떤 이름으로 파일을 업로드할지 설정할 수 있다._
 
 이 플러그인을 사용하면 Obsidian의 문서 중에서 `share: true` 로 마킹된 문서들을 레포에 저장할 수 있게 된다. 그렇다면 블로그 글을 Obsidian에서 작성하고, 플러그인을 이용해 레포에 push하게 되면, 자동으로 빌드/배포가 이뤄져서 블로그에 반영되는 것을 확인할 수 있을 것이다.
 
@@ -103,4 +103,4 @@ Git은 version control system이기 때문에, 이미지가 버전에 따라 영
 시간될 때 댓글 기능도 붙이고, 과거 글도 몇 개 복원하고, 테마도 더 수정할 계획이다.
 
 [^1]: 공부 빼고 다 재미있을 시기 아니겠는가?
-[^2]: S3는 $0.025/GB라서 부담되는 가격이 아니고, CloudFront는 매달 데이터 전송 1TB까지 무료였다.
+[^2]: S3는 $0.025/GB라서 부담되는 가격이 아니고, CloudFront는 매달 데이터 전송 1TB까지 무료였다.

_posts/Lecture Notes/Internet Security/2023-09-10-security-intro.md

@@ -155,7 +155,7 @@ There are many ways of achieving security.
 
 ### Basics of a Cryptosystem
 
-![is-01-cryptosystem.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-01-cryptosystem.png#)
+![is-01-cryptosystem.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-01-cryptosystem.png#)
 
 - A **message** in *plaintext* is given to an **encryption algorithm**.
 - The encryption algorithm uses an **encryption key** to create a *ciphertext*.

_posts/Lecture Notes/Internet Security/2023-09-18-symmetric-key-cryptography-2.md

@@ -63,7 +63,7 @@ $$
 
 #### The Feistel Function
 
-![is-03-feistel-function.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-feistel-function.png#)
+![is-03-feistel-function.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-feistel-function.png#)
 
 The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
 
@@ -179,7 +179,7 @@ AES, DES use fixed block size for encryption. How do we encrypt longer messages?
 
 ### Electronic Codebook Mode (ECB)
 
-![is-03-ecb-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ecb-encryption.png#)
+![is-03-ecb-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ecb-encryption.png#)
 
 - Codebook is a mapping table.
 - For the $i$-th plaintext block, we use key $k$ to encrypt and obtain the $i$-th ciphertext block.
@@ -198,7 +198,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 
 ### Cipher Block Chaining Mode (CBC)
 
-![is-03-cbc-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cbc-encryption.png#)
+![is-03-cbc-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cbc-encryption.png#)
 
 - Two identical messages produce to different ciphertexts.
 	- This prevents chosen plaintext attacks
@@ -248,7 +248,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 
 ### Cipher Feedback Mode (CFB)
 
-![is-03-cfb-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cfb-encryption.png#)
+![is-03-cfb-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cfb-encryption.png#)
 
 - The message is treated as a stream of bits; similar to stream cipher
 - **Result of the encryption is fed to the next stage.**
@@ -283,7 +283,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 
 ### Output Feedback Mode (OFB)
 
-![is-03-ofb-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ofb-encryption.png#)
+![is-03-ofb-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ofb-encryption.png#)
 
 - Very similar to stream cipher.
 - Initialization vector is used as a seed to generate the key stream.
@@ -316,7 +316,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 
 ### Counter Mode (CTR)
 
-![is-03-ctr-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ctr-encryption.png#)
+![is-03-ctr-encryption.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ctr-encryption.png#)
 
 - Without chaining, we use a counter (typically incremented by $1$).
 	- Counter starts from the initialization vector.

_posts/Lecture Notes/Internet Security/2023-10-16-pki.md

@@ -83,7 +83,7 @@ We have a root CA at the top. Then there are issuing CAs below. We usually reque
 
 ### Certificate Validation
 
-![is-08-certificate-validation.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-08-certificate-validation.png#)[^1]
+![is-08-certificate-validation.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-08-certificate-validation.png#)[^1]
 
 Since we have a hierarchy of CAs, certificate validation must also follow the hierarchy. When we receive a certificate, it is highly likely to be signed by an non-root CA.
 

_posts/Lecture Notes/Internet Security/2023-10-18-tls.md

@@ -146,7 +146,7 @@ Here's how the client and the server establishes a connection using the TLS hand
 > 3. Use the server's public key to share a secret.
 > 4. Both parties generate a symmetric key from the shared secret.
 
-![is-09-tls-handshake.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-09-tls-handshake.png#)[^1]
+![is-09-tls-handshake.png](/assets/img/posts/Lecture%20Notes/Internet%20Security/is-09-tls-handshake.png#)[^1]
 
 - `ServerKeyExchange`, `ClientKeyExchange` is optional. Used sometimes if Diffie-Hellman is used.
 - The actual messages and process differ for each protocol and ciphers used.

_posts/Lecture Notes/Modern Cryptography/2023-09-07-otp-stream-cipher-prgs.md

@@ -292,7 +292,7 @@ We can deduce that if a PRG is predictable, then it is insecure.
 
 *Proof*. Let $\mathcal{A}$ be an efficient adversary (next bit predictor) that predicts $G$. Suppose that $i$ is the index chosen by $\mathcal{A}$. With $\mathcal{A}$, we construct a statistical test $\mathcal{B}$ such that $\mathrm{Adv}_\mathrm{PRG}[\mathcal{B}, G]$ is non-negligible.
 
-![mc-01-prg-game.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-01-prg-game.png#)
+![mc-01-prg-game.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-01-prg-game.png#)
 
 1. The challenger PRG will send a bit string $x$ to $\mathcal{B}$.
 	- In experiment $0$, PRG gives pseudorandom string $G(k)$.
@@ -318,7 +318,7 @@ The theorem implies that if next bit predictors cannot distinguish $G$ from true
 
 To motivate the definition of semantic security, we consider a **security game framework** (attack game) between a **challenger** (ex. the creator of some cryptographic scheme) and an **adversary** $\mathcal{A}$ (ex. attacker of the scheme).
 
-![mc-01-ss.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-01-ss.png#)
+![mc-01-ss.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-01-ss.png#)
 
 > **Definition.** Let $\mathcal{E} = (G, E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. For a given adversary $\mathcal{A}$, we define two experiments $0$ and $1$. For $b \in \lbrace 0, 1 \rbrace$, define experiment $b$ as follows:
 > 

_posts/Lecture Notes/Modern Cryptography/2023-09-12-prfs-prps-block-ciphers.md

@@ -118,7 +118,7 @@ This is a matter of *collisions* of $f(x_i)$, so we use the facts from the birth
 
 A **block cipher** is actually a different name for PRPs. Since a PRP $E$ is a keyed function, applying $E(k, x)$ is in fact encryption, and applying its inverse is decryption.
 
-![mc-02-block-cipher.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-block-cipher.png)
+![mc-02-block-cipher.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-block-cipher.png)
 
 Block ciphers commonly have the following form.
 - A key $k$ is chosen uniformly from $\left\lbrace 0, 1 \right\rbrace^s$.
@@ -140,7 +140,7 @@ Block ciphers commonly have the following form.
 
 Since block ciphers are PRPs, we have to build an invertible function. Suppose we are given **any** functions $F_1, \dots, F_d : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$. Can we build an **invertible** function $F : \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$?
 
-![mc-02-feistel-network.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-feistel-network.png)
+![mc-02-feistel-network.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-feistel-network.png)
 
 It turns out the answer is yes. Given an $2n$-bit long input, $L_0$ and $R_0$ denote the left and right halves ($n$ bits) of the input, respectively. Define
 
@@ -160,7 +160,7 @@ Note that we did not require $F_i$ to be invertible. We can build invertible fun
 
 In DES, the function $F_i$ is the DES round function.
 
-![mc-02-des-round.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-des-round.png)
+![mc-02-des-round.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-des-round.png)
 
 The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using $E$. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a permutation $P$ at the end, resulting in $32$ bit data.
 
@@ -168,7 +168,7 @@ The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunk
 
 DES uses $56$ bit keys that generate $16$ rounds keys. The diagram below shows that DES has 16-round Feistel networks.
 
-![mc-02-DES.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-DES.png)
+![mc-02-DES.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-DES.png)
 
 The input goes through initial/final permutation, which are inverses of each other. These have no cryptographic significance, and just for engineering.
 
@@ -176,7 +176,7 @@ The input goes through initial/final permutation, which are inverses of each oth
 
 DES is not secure, since key space and block length is too small. Thankfully, we have a replacement called the **advanced encryption standard** (AES).
 
-![mc-02-aes-128.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-aes-128.png)
+![mc-02-aes-128.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-aes-128.png)
 
 - DES key only had $56$ bits, so DES was broken in the 1990s
 - NIST standardized AES in 2001, based on Rijndael cipher
@@ -254,7 +254,7 @@ Then the key space has increased (exponentially). As for 2DES, the key space is
 
 Unfortunately, 2DES is only secure as DES, with the attack strategy called **meet in the middle**. The idea is that if $c = E(k_1, E(k_2, m))$, then $D(k_1, c) = E(k_2, m)$.
 
-![mc-02-2des-mitm.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-2des-mitm.png)
+![mc-02-2des-mitm.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-2des-mitm.png)
 
 Since we have the plaintext and the ciphertext, we first build a table of $(k, E(k_2, m))$ over $k_2 \in \mathcal{K}$ and sort by $E(k_2, m)$. Next, we check if $D(k_1, c)$ is in the table for all $k_1 \in \mathcal{K}$.
 

_posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md

@@ -131,7 +131,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
 
 ### Electronic Codebook Mode (ECB)
 
-![is-03-ecb-encryption.png](../../../assets/img/posts/is-03-ecb-encryption.png#)
+![is-03-ecb-encryption.png](/assets/img/posts/is-03-ecb-encryption.png#)
 
 - ECB mode encrypts each block with the same key.
 - Blocks are independent of each other.
@@ -139,7 +139,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
 
 ### Ciphertext Block Chain Mode (CBC)
 
-![is-03-cbc-encryption.png](../../../assets/img/posts/is-03-cbc-encryption.png#)
+![is-03-cbc-encryption.png](/assets/img/posts/is-03-cbc-encryption.png#)
 
 Let $X = \left\lbrace 0, 1 \right\rbrace^n$ and $E : \mathcal{K} \times X \rightarrow X$ be a **PRP**.
 
@@ -190,7 +190,7 @@ Note that if $k_1$ is the same as the key used for encrypting messages, then thi
 
 ### Counter Mode (CTR)
 
-![is-03-ctr-encryption.png](../../../assets/img/posts/is-03-ctr-encryption.png#)
+![is-03-ctr-encryption.png](/assets/img/posts/is-03-ctr-encryption.png#)
 
 Let $F : \mathcal{K} \times X \rightarrow X$ be a secure **PRF**.
 

_posts/Lecture Notes/Modern Cryptography/2023-09-21-macs.md

@@ -26,7 +26,7 @@ On the other hand, MAC fixes data that is tampered in purpose. We will also requ
 
 ## Message Authentication Code
 
-![mc-04-mac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac.png)
+![mc-04-mac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac.png)
 
 > **Definition.** A **MAC** system $\Pi = (S, V)$ defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$ is a pair of efficient algorithms $S$ and $V$ where $S$ is a **signing algorithm** and $V$ is a **verification algorithm**.
 > 
@@ -58,7 +58,7 @@ In the security definition of MACs, we allow the attacker to request tags for ar
 
 For strong MACs, the attacker only has to change the tag for the attack to succeed.
 
-![mc-04-mac-security.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac-security.png)
+![mc-04-mac-security.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac-security.png)
 
 > **Definition.** Let $\Pi = (S, V)$ be a MAC system defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
 > 
@@ -123,7 +123,7 @@ The above construction uses a PRF, so it is restricted to messages of fixed size
 
 ### CBC-MAC
 
-![mc-04-cbc-mac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-cbc-mac.png)
+![mc-04-cbc-mac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-cbc-mac.png)
 
 > **Definition.** For any message $m = (m_0, m_1, \dots, m_{l-1}) \in \left\lbrace 0, 1 \right\rbrace^{nl}$, let $F_k := F(k, \cdot)$.
 > 
@@ -211,7 +211,7 @@ Since CBC-MAC is vulnerable to extension attacks, we encrypt the last block agai
 
 ECBC-MAC doesn't require us to know the message length in advance, but it is relatively expensive in practice, since a block cipher has to be initialized with a new key.
 
-![mc-04-ecbc-mac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-ecbc-mac.png)
+![mc-04-ecbc-mac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-ecbc-mac.png)
 
 > **Theorem.** Let $F : \mathcal{K} \times X \rightarrow X$ be a secure PRF. Then for any $l \geq 0$, $F_\mathrm{ECBC} : \mathcal{K}^2 \times X^{\leq l} \rightarrow X$ is a secure PRF.
 > 

_posts/Lecture Notes/Modern Cryptography/2023-09-26-cca-security-authenticated-encryption.md

@@ -83,7 +83,7 @@ The attacker shouldn't be able to create a new ciphertext that decrypts properly
 
 In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M} \cup \left\lbrace \bot \right\rbrace$, where $\bot$ means that the ciphertext was rejected.
 
-![mc-05-ci.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-ci.png#)
+![mc-05-ci.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-ci.png#)
 
 > **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
 > 
@@ -138,7 +138,7 @@ Most natural constructions of CCA secure schemes satisfy AE, so we don't need to
 
 We want to combine CPA secure scheme and strongly secure MAC to get AE. Rather than focusing on the internal structure of the scheme, we want a general method to compose these two secure schemes so that we can get a AE secure scheme. We will see 3 examples.
 
-![mc-05-etm-mte.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-etm-mte.png#)
+![mc-05-etm-mte.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-etm-mte.png#)
 
 ### Encrypt-and-MAC (E&M)
 

_posts/Lecture Notes/Modern Cryptography/2023-09-28-hash-functions.md

@@ -106,7 +106,7 @@ Now we want to construct collision resistant hash functions that work for arbitr
 
 The Merkle-Damgård transform gives as a way to extend our input domain of the hash function by iterating the function.
 
-![mc-06-merkle-damgard.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-merkle-damgard.png#)
+![mc-06-merkle-damgard.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-merkle-damgard.png#)
 
 > **Definition.** Let $h : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^l \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a hash function. The **Merkle-Damgård function derived from $h$** is a function $H$ that works as follows.
 > 
@@ -151,7 +151,7 @@ Now we only have to build a collision resistant compression function. We can bui
 
 Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange#collision-resistance-based-on-dl-problem).
 
-![mc-06-davies-meyer.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-davies-meyer.png#)
+![mc-06-davies-meyer.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-davies-meyer.png#)
 
 > **Definition.** Let $\mathcal{E} = (E, D)$ be a block cipher over $(\mathcal{K}, X, X)$ where $X = \left\lbrace 0, 1 \right\rbrace^n$. The **Davies-Meyer compression function derived from $E$** maps inputs in $X \times \mathcal{K}$ to outputs in $X$, defined as follows.
 > 
@@ -216,7 +216,7 @@ This can be thought of as blocking the length extension attack from prepending t
 
 ### HMAC
 
-![mc-06-hmac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-hmac.png#)
+![mc-06-hmac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-hmac.png#)
 
 This is a variant of the two-key nest, but the difference is that the keys $k_1', k_2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
 

_posts/Lecture Notes/Modern Cryptography/2023-10-03-key-exchange.md

@@ -74,7 +74,7 @@ $$
 
 We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
 
-![mc-07-dhke.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke.png#)
+![mc-07-dhke.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke.png#)
 
 > 1. Alice chooses $\alpha \leftarrow \mathbb{Z}_q$ and computes $g^\alpha$.
 > 2. Bob chooses $\beta \leftarrow \mathbb{Z}_q$ and computes $g^\beta$.
@@ -189,7 +189,7 @@ Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many comm
 
 We assumed that the adversary only eavesdrops, but if the adversary carries out active attacks, then DHKE is not enough. The major problem is the lack of **authentication**. Alice and Bob are exchanging keys, but they both cannot be sure that there are in fact communicating with the other. An attacker can intercept messages and impersonate Alice or Bob. This attack is called a **man in the middle attack**, and this attack works on any key exchange protocol that lacks authentication.
 
-![mc-07-dhke-mitm.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke-mitm.png#)
+![mc-07-dhke-mitm.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke-mitm.png#)
 
 The adversary will impersonate Bob when communicating with Alice, and will do the same for Bob by pretending to be Alice. The values of $\alpha, \beta$ that Alice and Bob chose are not leaked, but the adversary can decrypt anything in the middle and obtain the plaintext.
 
@@ -211,7 +211,7 @@ Before Diffie-Hellman, Merkle proposed an idea for secure key exchange protocol
 
 The idea was to use *puzzles*, which are problems that can be solved with some effort.
 
-![mc-07-merkle-puzzles.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-merkle-puzzles.png#)
+![mc-07-merkle-puzzles.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-merkle-puzzles.png#)
 
 > Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$.
 > 1. Alice chooses random pairs $(k_i, s_i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.

_posts/Lecture Notes/Modern Cryptography/2023-10-05-number-theory.md

@@ -0,0 +1,257 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - number-theory
+  - security
+title: 8. Number Theory
+date: 2023-10-05
+github_title: 2023-10-05-number-theory
+---
+
+
+## Background
+
+### Number Theory
+
+Let $n$ be a positive integer and let $p$ be prime.
+
+> **Notation.** Let $\mathbb{Z}$ denote the set of integers. We will write $\mathbb{Z}_n = \left\lbrace 0, 1, \dots, n - 1 \right\rbrace$.
+
+> **Definition.** Let $x, y \in \mathbb{Z}$. $\gcd(x, y)$ is the **greatest common divisor** of $x, y$. $x$ and $y$ are relatively prime if $\gcd(x, y) = 1$.
+
+> **Definition.** The **multiplicative inverse** of $x \in \mathbb{Z}_n$ is an element $y \in \mathbb{Z}_n$ such that $xy = 1$ in $\mathbb{Z}_n$.
+
+> **Lemma.** $x \in \mathbb{Z}_n$ has a multiplicative inverse if and only if $\gcd(x, n) = 1$.
+
+> **Definition.** $\mathbb{Z}_n^\ast$ is the set of invertible elements in $\mathbb{Z}_n$. i.e, $\mathbb{Z}_n^\ast = \left\lbrace x \in \mathbb{Z}_n : \gcd(x, n) = 1 \right\rbrace$.
+
+> **Lemma.** (Extended Euclidean Algorithm) For $x, y \in \mathbb{Z}$, there exists $a, b \in \mathbb{Z}$ such that $ax + by = \gcd(x, y)$.
+
+### Group Theory
+
+> **Definition.** A **group** is a set $G$ with a binary operation $* : G \times G \rightarrow G$, satisfying the following properties.
+> 
+> - $(\mathsf{G1})$ (Associative) $(a * b) * c = a * (b * c)$ for all $a, b, c \in G$.
+> - $(\mathsf{G2})$ (Identity) $\exists e \in G$ such that for all $a\in G$, $e * a = a * e = a$.
+> - $(\mathsf{G3})$ (Inverse) For each $a \in G$, $\exists x \in G$ such that $a * x = x * a = e$. In this case, $x = a^{-1}$.
+
+> **Definition.** A group is **commutative** if $a * b = b * a$ for all $a, b \in G$.
+
+> **Definition.** The **order** of a group is the number of elements in $G$, denoted as $\left\lvert G \right\lvert$.
+
+> **Definition.** A set $H \subseteq G$ is a **subgroup** of $G$ if $H$ is itself a group under the operation of $G$. We write $H \leq G$.
+
+> **Theorem.** (Lagrange) Let $G$ be a finite group and $H \leq G$. Then $\left\lvert H \right\lvert \mid \left\lvert G \right\lvert$.
+
+*Proof*. All left cosets of $H$ have the same number of elements. A bijection between any two coset can be constructed. Cosets partition $G$, so $\left\lvert G \right\lvert$ is equal to the number of left cosets multiplied by $\left\lvert H \right\lvert$.
+
+Let $G$ be a group.
+
+> **Definition.** Let $g \in G$. The set $\left\langle g \right\rangle = \left\lbrace g^n : n \in \mathbb{Z} \right\rbrace$ is called the **cyclic subgroup generated by $g$**. The **order** of $g$ is the number of elements in $\left\langle g \right\rangle$, denoted as $\left\lvert g \right\lvert$.
+
+> **Definition.** $G$ is **cyclic** if there exists $g \in G$ such that $G = \left\langle g \right\rangle$.
+
+> **Theorem.** $\mathbb{Z}_p^\ast$ is cyclic.
+
+*Proof*. $\mathbb{Z}_p$ is a finite field, so $\mathbb{Z}_p^\ast = \mathbb{Z}_p \setminus \left\lbrace 0 \right\rbrace$ is cyclic.
+
+> **Theorem.** If $G$ is a finite group, then $g^{\left\lvert G \right\lvert} = 1$ for all $g \in G$. i.e, $\left\lvert g \right\lvert \mid \left\lvert G \right\lvert$.
+
+*Proof*. Consider $\left\langle g \right\rangle \leq G$, then the result follows from Lagrange's theorem.
+
+> **Corollary.** (Fermat's Little Theorem) If $x \in \mathbb{Z}_p^\ast$, $x^{p-1} = 1$.
+
+*Proof*. $\mathbb{Z}_p^\ast$ has $p-1$ elements.
+
+> **Corollary.** (Euler's Generalization) If $x \in \mathbb{Z}_n^\ast$, $x^{\phi(n)} = 1$.
+
+*Proof*. $\mathbb{Z}_n^\ast$ has $\phi(n)$ elements, where $\phi(n)$ is the Euler's totient function.
+
+---
+
+Schemes such as Diffie-Hellman rely on the hardness of the DLP. So, *how hard is it*? How does one compute the discrete logarithm?
+
+There are group-specific algorithms that exploit the algebraic features of the group, but we only cover generic algorithms, that works on any cyclic group. A trivial example would be the exhaustive search, where if $\left\lvert G \right\lvert = n$ and given a generator $g \in G$, find the discrete logarithm of $h \in G$ by computing $g^i$ for all $i = 1, \dots, n - 1$. Obviously, it has running time $\mathcal{O}(n)$. We can do better than this.
+
+## Baby Step Giant Step Method (BSGS)
+
+Let $G = \left\langle g \right\rangle$, where $g \in G$ has order $q$. $q$ need not be prime for this method. We are given $u = g^\alpha$, $g$, and $q$. Our task is to find $\alpha \in \mathbb{Z}_q$.
+
+Set $m = \left\lceil \sqrt{q} \right\rceil$. $\alpha$ is currently unknown, but by the division algorithm, there exists integers $i,j$ such that $\alpha = i \cdot m + j$ and $0\leq i, j < m$. Then $u = g^\alpha = g^{i\cdot m + j} = g^{im} \cdot g^j$. Therefore,
+
+$$
+u(g^{-m})^i = g^j.
+$$
+
+Now, we compute the values of $g^j$ for $j = 0, 1,\dots, m - 1$ and keep a table of $(j, g^j)$ pairs. Next, compute $g^{-m}$ and for each $i$, compute $u(g^{-m})^{i}$ and check if this value is in the table. If a value is found, then we found $(i, j)$ such that $i \cdot m + j = \alpha$.
+
+We see that this algorithm takes $2\sqrt{q}$ group operations on $G$ in the worst case, so the time complexity is $\mathcal{O}(\sqrt{q})$. However, to store the values of $(j, g^j)$ pairs, a lot of memory is required. The table must be large enough to contain $\sqrt{q}$ group elements, so the space complexity is also $\mathcal{O}(\sqrt{q})$.
+
+To get around this, we can build a smaller table by choosing a smaller $m$. But then $0 \leq j < m$ but $i$ must be checked for around $q/m$ values.
+
+There is actually an algorithm using constant space. **Pollard's Rho** algorithm takes $\mathcal{O}(\sqrt{q})$ times and $\mathcal{O}(1)$ space.
+
+## Groups of Composite Order
+
+In Diffie-Hellman, we only used large primes. There is a reason for using groups with prime order. We study what would happen if we used composite numbers.
+
+Let $G$ be a cyclic group of composite order $n$. First, we start with a simple case.
+
+### Prime Power Case: Order $n = q^e$
+
+Let $G = \left\langle g \right\rangle$ be a cyclic group of order $q^e$.[^1] ($q > 1$, $e \geq 1$) We are given $g,q, e$ and $u = g^\alpha$ and we will find $\alpha$. ($0 \leq \alpha < q^e)$
+
+For each $f = 0, \dots, e$, define $g_f = g^{(q^f)}$. Then
+
+$$
+(g_f)^{(q^{e-f})} = g^{(q^f) \cdot (q^{e-f})} = g^{(q^e)} = 1.
+$$
+
+So $g_f$ generates a cyclic subgroup of order $q^{e-f}$. In particular, $g_{e-1}$ generates a cyclic subgroup of order $q$. Using this fact, we will reduce the given problem into a discrete logarithm problem on a group having smaller order $q$.
+
+We proceed with recursion on $e$. If $e = 1$, then $\alpha \in \mathbb{Z}_q$, so we have nothing to do. Suppose $e > 1$. Choose $f$ so that $1 \leq f \leq e-1$. We can write $\alpha = i\cdot q^f + j$, where $0 \leq i < q^{e-f}$ and $0 \leq j < g^f$. Then
+
+$$
+u = g^\alpha = g^{i \cdot q^f + j} = (g_f)^i \cdot g^j.
+$$
+
+Since $g_f$ has order $q^{e-f}$, exponentiate both sides by $q^{e-f}$ to get
+
+$$
+u^{(q^{e-f})} = (g_f)^{q^{e-f} \cdot i} \cdot g^{q^{e-f} \cdot j} = (g_{e-f})^j.
+$$
+
+Now the problem has been reduced to a discrete logarithm problem with base $g_{e-f}$, which has order $q^f$. We can compute $j$ using algorithms for discrete logarithms.
+
+After finding $j$, we have
+
+$$
+u/g^j = (g_f)^i
+$$
+
+which is also a discrete logarithm problem with base $g_f$, which has order $q^{e-f}$. We can compute $i$ that satisfies this equation. Finally, we can compute $\alpha = i \cdot q^f + j$. We have reduced a discrete logarithm problem into two smaller discrete logarithm problems.
+
+To get the best running time, choose $f \approx e/2$. Let $T(e)$ be the running time, then
+
+$$
+T(e) = 2T\left( \frac{e}{2} \right) + \mathcal{O}(e\log q).
+$$
+
+The $\mathcal{O}(e\log q)$ term comes from exponentiating both sides by $q^{e-f}$. Solving this recurrence gives
+
+$$
+T(e) = \mathcal{O}(e \cdot T_{\mathrm{base}} + e\log e \log q),
+$$
+
+where $T_\mathrm{base}$ is the complexity of the algorithm for the base case $e = 1$. $T_\mathrm{base}$ is usually the dominant term, since the best known algorithm takes $\mathcal{O}(\sqrt{q})$.
+
+Thus, computing the discrete logarithm in $G$ is only as hard as computing it in the subgroup of prime order.
+
+### General Case: Pohlig-Hellman Algorithm
+
+Let $G = \left\langle g \right\rangle$ be a cyclic group of order $n = q_1^{e_1}\cdots q_r^{e_r}$, where the factorization of $n$ into distinct primes $q_i$ is given. We want to find $\alpha$ such that $g^\alpha = u$.
+
+For $i = 1, \dots, r$, define $q_i^\ast = n / q_i^{e_i}$. Then $u^{q_i^\ast} = (g^{q_i^\ast})^\alpha$, where $g^{q_i^\ast}$ will have order $q_i^{e_i}$ in $G$. Now compute $\alpha_i$ using the algorithm for the prime power case.
+
+Then for all $i$, we have $\alpha \equiv \alpha_i \pmod{q_i^{e_i}}$. We can now use the Chinese remainder theorem to recover $\alpha$. Let $q_r$ be the largest prime, then the running time is bounded by
+
+$$
+\sum_{i=1}^r \mathcal{O}(e_i T(q_i) + e_i \log e_i \log q_i) = \mathcal{O}(T(q_r) \log n + \log n \log \log n)
+$$
+
+group operations. Thus, we can conclude the following.
+
+> The difficulty of computing discrete logarithms in a cyclic group of order $n$ is determined by the size of the largest prime factor.
+
+### Consequences
+
+- For a group with order $n = 2^k$, the Pohlig-Hellman algorithm will easily compute the discrete logarithm, since the largest prime factor is $2$. The DL assumption is false for this group.
+- For primes of the form $p = 2^k + 1$, the group $\mathbb{Z}_p^\ast$ has order $2^k$, so the DL assumption is also false for these primes.
+- In general, $G$ must have at least one large prime factor for the DL assumption to be true.
+- By the Pohlig-Hellman algorithm, discrete logarithms in groups of composite order is a little harder than groups of prime order. So we often use a prime order group.
+
+## Information Leakage in Groups of Composite Order
+
+Let $G = \left\langle g \right\rangle$ be a cyclic group of composite order $n$. We suppose that $n = n_1n_2$, where $n_1$ is a small prime factor.
+
+By the Pohlig-Hellman algorithm, the adversary can compute $\alpha_1 \equiv \alpha \pmod {n_1}$ by computing the discrete logarithm of $u^{n_2}$ with base $g^{n_2}$.
+
+Consider $n_1 = 2$. Then the adversary knows whether $\alpha$ is even or not.
+
+> **Lemma.** $\alpha$ is even if and only if $u^{n/2} = 1$.
+
+*Proof*. If $\alpha$ is even, then $u^{n/2} = g^{\alpha n/2} = (g^{\alpha/2})^n = 1$, since the group has order $n$. Conversely, if $u^{n/2} = g^{\alpha n/2} = 1$, then the order of $g$ must divide $\alpha n/2$, so $n \mid (\alpha n /2)$ and $\alpha$ is even.
+
+This lemma can be used to break the DDH assumption.
+
+> **Lemma.** Given $u = g^\alpha$ and $v = g^\beta$, $\alpha\beta \in \mathbb{Z}_n$ is even if and only if $u^{n/2} = 1$ or $v^{n/2} = 1$.
+
+*Proof*. $\alpha\beta$ is even if and only if either $\alpha$ or $\beta$ is even. By the above lemma, this is equivalent to $u^{n/2} = 1$ or $v^{n/2} = 1$.
+
+Now we describe an attack for the DDH problem.
+
+> 1. The adversary is given $(g^\alpha, g^\beta, g^\gamma)$.
+> 2. The adversary computes the parity of $\gamma$ and $\alpha\beta$ and compares them.
+> 3. The adversary outputs $\texttt{accept}$ if the parities match, otherwise output $\texttt{reject}$.
+
+If $\gamma$ was chosen uniformly, then the adversary wins with probability $1/2$. But if $\gamma = \alpha\beta$, the adversary always wins, so the adversary has DDH advantage $1/2$.
+
+The above process can be generalized to any groups with small prime factor. See Exercise 16.2[^2] Thus, this is another reason we use groups of prime order.
+
+- DDH assumption does not hold in $\mathbb{Z}_p^\ast$, since its order $p-1$ is always even.
+- Instead, we use a prime order subgroup of $\mathbb{Z}_p^\ast$ or prime order elliptic curve group.
+
+## Summary of Discrete Logarithm Algorithms
+
+|Name|Time Complexity|Space Complexity|
+|:-:|:-:|:-:|
+|BSGS|$\mathcal{O}(\sqrt{q})$|$\mathcal{O}(\sqrt{q})$|
+|Pohlig-Hellman|$\mathcal{O}(\sqrt{q_\mathrm{max}}$|$\mathcal{O}(1)$|
+|Pollard's Rho|$\mathcal{O}(\sqrt{q})$|$\mathcal{O}(1)$|
+
+- In generic groups, solving the DLP requires $\Omega(\sqrt{q})$ operations.
+	- By *generic groups*, we mean that only group operations and equality checks are allowed. Algebraic properties are not used.
+- Thus, we use a large prime $q$ such that $\sqrt{q}$ is large enough.
+
+## Candidates of Discrete Logarithm Groups
+
+We need groups of order prime, and we cannot use $\mathbb{Z}_p^\ast$ as itself. We have two candidates.
+
+- Use a subgroup of $\mathbb{Z}_p^\ast$ having prime order $q$ such that $q \mid (p-1)$ as in Diffie-Hellman.
+- Elliptic curve group modulo $p$.
+
+### Reduced Residue Class $\mathbb{Z}_p^\ast$
+
+There are many specific algorithms for discrete logarithms on $\mathbb{Z}_p^\ast$.
+
+- Index-calculus
+- Elliptic-curve method
+- Special number-field sieve (SNFS)
+- **General number-field sieve** (GNFS)
+
+GNFS running time is dominated by the term $\exp(\sqrt[3]{\ln p})$. If we let $p$ to be an $n$-bit prime, then the complexity is $\exp(\sqrt[3]{n})$. Suppose that GNFS runs in time $T$ for prime $p$. Since $\sqrt[3]{2} \approx 1.26$, doubling the number of bits will increase the running time of GNFS to $T^{1,26}$.
+
+Compare this with symmetric ciphers such as AES, where doubling the key size squares the amount of work required.[^3] NIST and Lenstra recommends the size of primes that gives a similar level of security to that of symmetric ciphers.
+
+|Symmetric key length|Size of prime (NIST)|Size of prime (Lenstra)|
+|:-:|:-:|:-:|
+|80|1024|1329|
+|128|3072|4440|
+|256|15360|26268|
+
+All sizes are in bits. Thus we need a very large prime, for example $p > 2^{2048}$, for security these days.
+
+### Elliptic Curve Group over $\mathbb{Z}_p$
+
+Currently, the best-known attacks are generic attacks, so we can use much smaller parameters than $\mathbb{Z}_p^\ast$. Often the groups have sizes about $2^{256}$, $2^{384}$, $2^{512}$.
+
+[^1]: We didn't require $q$ to be prime!
+[^2]: A Graduate Course in Applied Cryptography
+[^3]: Recall that the best known attack was only 4 times faster than brute-force search.

_posts/Lecture Notes/Modern Cryptography/2023-10-19-public-key-encryption.md

@@ -0,0 +1,457 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 9. Public Key Encryption
+date: 2023-10-19
+github_title: 2023-10-19-public-key-encryption
+image:
+  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-09-ss-pke.png
+attachment:
+  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+---
+
+
+In symmetric encryption, we assumed that the two parties had a shared key in advance. If the two parties do not have a shared key, **public-key encryption** can be used to encrypt messages.
+
+## Public Key Encryption
+
+> **Definition.** A **public key encryption scheme** $\mc{E} = (G, E, D)$ is a triple of efficient algorithms: a **key generation** algorithm $G$, an **encryption algorithm** $E$, a decryption algorithm $D$.
+> 
+> - $G$ generates a key pair as $(pk, sk) \la G()$. $pk$ is called a **public key** and $sk$ is called a **secret key**.
+> - $E$ takes a public key $pk$ and a message $m$ and outputs ciphertext $c \la E(pk, m)$.
+> - $D$ takes a secret key $sk$ and a ciphertext $c$ and outputs plaintext $m \la D(sk, c)$ or a special $\texttt{reject}$ value $\bot$.
+> 
+> We say that $\mc{E} = (G, E, D)$ is defined over $(\mc{M}, \mc{C})$.
+
+$G$ and $E$ may be probabilistic, but $D$ must be deterministic. Also, correctness condition is required. For any $(pk, sk)$ and $m \in \mc{M}$,
+
+$$
+\Pr[D(sk, E(pk, m)) = m] = 1.
+$$
+
+Public key $pk$ will be publicized. After Alice obtains $pk$, she can use it to encrypt any message and send it to Bob. This is the only interaction required. The public key can be used multiple times, and others besides Alice can use it too. Finally, $sk$ should be hard to compute from $pk$, obviously for security.
+
+## CPA Security for Public Key Encryption
+
+### Semantic Security
+
+The following notion of security is only for an eavesdropping adversary.
+
+![mc-09-ss-pke.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-09-ss-pke.png)
+
+> **Definition.** Let $\mc{E} = (G, E, D)$ be a public key encryption scheme defined over $(\mc{M}, \mc{C})$. For an adversary $\mc{A}$, we define two experiments.
+> 
+> **Experiment** $b$.
+> 1. The challenger computes $(pk, sk) \la G()$ and sends $pk$ to the adversary.
+> 2. The adversary chooses $m_0, m_1 \in \mc{M}$ of the same length, and sends them to the challenger.
+> 3. The challenger computes $c \la E(pk, m_b)$ and sends $c$ to the adversary.
+> 4. $\mc{A}$ outputs a bit $b' \in \braces{0, 1}$.
+> 
+> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. The **advantage** of $\mc{A}$ with respect to $\mc{E}$ is defined as
+> 
+> $$
+> \Adv[SS]{\mc{A}, \mc{E}} = \abs{\Pr[W_0] - \Pr[W_1]}.
+> $$
+> 
+> $\mc{E}$ is **semantically secure** if $\rm{Adv}_{\rm{SS}}[\mc{A}, \mc{E}]$ is negligible for any efficient $\mc{A}$.
+
+Note that $pk$ is sent to the adversary, and adversary can encrypt any message! Thus, encryption must be randomized. Otherwise, the adversary can compute $E(pk, m_b)$ for each $b$ and compare with $c$ given from the challenger.
+
+### Semantic Security $\implies$ CPA
+
+For symmetric ciphers, semantic security (one-time) did not guarantee CPA security (many-time). But in public key encryption, semantic security implies CPA security. This is because *the attacker can encrypt any message using the public key*.
+
+First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](../2023-09-19-symmetric-key-encryption/#cpa-security).
+
+> **Definition.** For a given public-key encryption scheme $\mc{E} = (G, E, D)$ defined over $(\mc{M}, \mc{C})$ and given an adversary $\mc{A}$, define experiments 0 and 1.
+> 
+> **Experiment $b$.**
+> 1. The challenger computes $(pk, sk) \la G()$ and sends $pk$ to the adversary.
+> 2. The adversary submits a sequence of queries to the challenger:
+> 	- The $i$-th query is a pair of messages $m_{i, 0}, m_{i, 1} \in \mc{M}$ of the same length.
+> 3. The challenger computes $c_i = E(pk, m_{i, b})$ and sends $c_i$ to the adversary.
+> 4. The adversary computes and outputs a bit $b' \in \braces{0, 1}$.
+> 
+> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mc{E}$** is defined as
+> 
+> $$
+> \Adv[CPA]{\mc{A}, \mc{E}} = \abs{\Pr[W_0] - \Pr[W_1]}.
+> $$
+> 
+> If the CPA advantage is negligible for all efficient adversaries $\mc{A}$, then $\mc{E}$ is **semantically secure against chosen plaintext attack**, or simply **CPA secure**.
+
+We formally prove the following theorem.
+
+> **Theorem.** If a public-key encryption scheme $\mc{E}$ is semantically secure, then it is also CPA secure.
+> 
+> For any $q$-query CPA adversary $\mc{A}$, there exists an SS adversary $\mc{B}$ such that
+> 
+> $$
+> \rm{Adv}_{\rm{CPA}}[\mc{A}, \mc{E}] = q \cdot \rm{Adv}_{\rm{SS}}[\mc{B}, \mc{E}].
+> $$
+
+*Proof*. The proof uses a hybrid argument. For $j = 0, \dots, q$, the *hybrid game* $j$ is played between $\mc{A}$ and a challenger that responds to the $q$ queries as follows:
+
+- On the $i$-th query $(m_{i,0}, m_{i, 1})$, respond with $c_i$ where
+	- $c_i \la E(pk, m_{i, 1})$ if $i \leq j$.
+	- $c_i \la E(pk, m_{i, 0})$ otherwise.
+
+So, the challenger in hybrid game $j$ encrypts $m_{i, 1}$ in the first $j$ queries, and encrypts $m_{i, 0}$ for the rest of the queries. If we define $p_j$ to be the probability that $\mc{A}$ outputs $1$ in hybrid game $j$, we have
+
+$$
+\Adv[CPA]{\mc{A}, \mc{E}} = \abs{p_q - p_0}
+$$
+
+since hybrid $q$ is precisely experiment $1$, hybrid $0$ is experiment $0$. With $\mc{A}$, we define $\mc{B}$ as follows.
+
+1. $\mc{B}$ randomly chooses $\omega \la \braces{1, \dots, q}$.
+2. $\mc{B}$ obtains $pk$ from the challenger, and forwards it to $\mc{A}$.
+3. For the $i$-th query $(m_{i, 0}, m_{i, 1})$ from $\mc{A}$, $\mc{B}$ responds as follows.
+	- If $i < \omega$, $c \la E(pk, m_{i, 1})$.
+	- If $i = \omega$, forward query to the challenger and forward its response to $\mc{A}$.
+	- Otherwise, $c_i \la E(pk, m_{i, 0})$.
+4. $\mc{B}$ outputs whatever $\mc{A}$ outputs.
+
+Note that $\mc{B}$ can encrypt queries on its own, since the public key is given. Define $W_b$ as the event that $\mc{B}$ outputs $1$ in experiment $b$ in the semantic security game. For $j = 1, \dots, q$, we have that
+
+$$
+\Pr[W_0 \mid \omega = j] = p_{j - 1}, \quad \Pr[W_1 \mid \omega = j] = p_j.
+$$
+
+In experiment $0$ with $\omega = j$, $\mc{A}$ receives encryptions of $m_{i, 1}$ in the first $j - 1$ queries and receives encryptions of $m_{i, 1}$ for the rest of the queries. The second equation follows similarly.
+
+Then the SS advantage can be calculated as
+
+$$
+\begin{aligned}
+\Adv[SS]{\mc{B}, \mc{E}} &= \abs{\Pr[W_0] - \Pr[W_1]} \\
+&= \frac{1}{q} \abs{\sum_{j=1}^q \Pr[W_0 \mid \omega = j] - \sum_{j = 1}^q \Pr[W_1 \mid \omega = j]} \\
+&= \frac{1}{q} \abs{\sum_{j=1}^q (p_{j-1} - p_j)} \\
+&= \frac{1}{q} \Adv[CPA]{\mc{A}, \mc{E}}.
+\end{aligned}
+$$
+
+## CCA Security for Public Key Encryption
+
+We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](../2023-09-26-cca-security-authenticated-encryption/#cca-security).
+
+> **Definition.** Let $\mc{E} = (G, E, D)$ be a public-key encryption scheme over $(\mc{M}, \mc{C})$. Given an adversary $\mc{A}$, define experiments $0$ and $1$.
+> 
+> **Experiment $b$.**
+> 1. The challenger computes $(pk, sk) \la G()$ and sends $pk$ to the adversary.
+> 2. $\mc{A}$ makes a series of queries to the challenger, which is one of the following two types.
+> 	- *Encryption*: Send $(m_{i_,0}, m_{i, 1})$ and receive $c'_i \la E(pk, m_{i, b})$.
+> 	- *Decryption*: Send $c_i$ and receive $m'_i \la D(sk, c_i)$.
+> 	- Note that $\mc{A}$ is not allowed to make a decryption query for any $c_i'$.
+> 3. $\mc{A}$ outputs a pair of messages $(m_0^ * , m_1^*)$.
+> 4. The challenger generates $c^* \la E(pk, m_b^*)$ and gives it to $\mc{A}$.
+> 5. $\mc{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^*$.
+> 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
+> 
+> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mc{E}$** is defined as
+> 
+> $$
+> \rm{Adv}_{\rm{CCA}}[\mc{A}, \mc{E}] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
+> $$
+> 
+> If the CCA advantage is negligible for all efficient adversaries $\mc{A}$, then $\mc{E}$ is **semantically secure against a chosen ciphertext attack**, or simply **CCA secure**.
+
+Note that encryption queries are not strictly required, since in public-key schemes, the adversary can encrypt any messages on its own. We can consider a restricted security game, where an adversary makes only a single encryption query.
+
+> **Definition.** If $\mc{A}$ is restricted to making a single encryption query, we denote its advantage by $\Adv[1CCA]{\mc{A}, \mc{E}}$. A public-key encryption scheme $\mc{E}$ is **one-time semantically secure against chosen ciphertext attack**, or simply **1CCA** secure if $\Adv[1CCA]{\mc{A}, \mc{E}}$ is negligible for all efficient adversaries $\mc{A}$.
+
+Similarly, 1CCA security implies CCA security, as in the above theorem. So to show CCA security for public-key schemes, *it suffices to show that the scheme is 1CCA secure*.
+
+> **Theorem.** If a public-key encryption scheme $\mc{E}$ is 1CCA secure, then it is also CCA secure.
+
+*Proof*. Same as the proof in above theorem.
+
+### Active Adversaries in Symmetric vs Public Key
+
+In symmetric key encryption, we studied [authenticated encryption (AE)](../2023-09-26-cca-security-authenticated-encryption/#authenticated-encryption-ae), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
+
+However in public-key schemes, adversaries can always create new ciphertexts using the public key, which makes the original definition of ciphertext integrity unusable. Thus we directly require CCA security.
+
+## Hybrid Encryption and Key Encapsulation Mechanism
+
+Symmetric key encryptions are significantly faster than public key encryption, so we use public-key encryption for sharing the key, and then the key is used for symmetric key encryption.
+
+Generate $(pk, sk)$ for the public key encryption, and generate a symmetric key $k$. For the message $m$, encrypt it as
+
+$$
+(c, c_S) \la \big( E(pk, k), E_S(k, m) \big)
+$$
+
+where $E_S$ is the symmetric encryption algorithm, $E$ is the public-key encryption algorithm. The receiver decrypts $c$ and recovers $k$ that can be used for decrypting $c_S$. This is a form of **hybrid encryption**. We are *encapsulating* the key $k$ inside a ciphertext, so we call this **key encapsulation mechanism** (KEM).
+
+We can use public-key schemes for KEM, but there are dedicated constructions for KEM which are more efficient. The dedicated algorithms does the key generation and encryption in one-shot.
+
+> **Definition.** A KEM $\mc{E}_\rm{KEM}$ consists of a triple of algorithms $(G, E_\rm{KEM}, D_\rm{KEM})$.
+> 
+> - The key generation algorithm generates $(pk, sk) \la G()$.
+> - The encapsulation algorithm generates $(k, c_\rm{KEM}) \la E_\rm{KEM}(pk)$.
+> - The decapsulation algorithm generates $k \la D_\rm{KEM}(sk, c_\rm{KEM})$.
+
+Note that $E_\rm{KEM}$ only takes the public key as a parameter. The correctness condition is that for any $(pk, sk) \la G()$ and any $(k, c_\rm{KEM}) \la E_\rm{KEM}(pk)$, we must have $k \la D_\rm{KEM}(sk, c_\rm{KEM})$.
+
+Using the KEM, the symmetric key is automatically encapsulated during encryption process.
+
+> **Definition.** A KEM scheme is secure if any efficient adversary cannot distinguish between $(c_\rm{KEM}, k_0)$ and $(c_\rm{KEM}, k_1)$, where $k_0$ is generated by $E(pk)$, and $k_1$ is chosen randomly from $\mc{K}$.
+
+Read more about this in Exercise 11.9.[^1]
+
+## The ElGamal Encryption
+
+We introduce a public-key encryption scheme based on the hardness of discrete logarithms.
+
+> **Definition.** Suppose we have two parties Alice and Bob. Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $\mc{E}_S = (E_S, D_S)$ be a symmetric cipher.
+> 
+> 1. Alice chooses $sk = \alpha \la \Z_q$, computes $pk = g^\alpha$ and sends $pk$ to Bob.
+> 2. Bob also chooses $\beta \la \Z_q$ and computes $k = h^\beta = g^{\alpha\beta}$.
+> 3. Bob sends $\big( g^\beta, E_S(k, m) \big)$ to Alice.
+> 4. Alice computes $k = g^{\alpha\beta} = (g^\beta)^\alpha$ using $\alpha$ and recovers $m$ by decrypting $E_S(k, m)$.
+
+As a concrete example, set $E_S(k, m) = k \cdot m$ and $D_S(k, c) = k^{-1} \cdot c$. The correctness property automatically holds. Therefore,
+
+- $G$ outputs $sk = \alpha \la \Z_q$, $pk = h = g^\alpha$.
+- $E(pk, m) = (c_1, c_2) \la (g^\beta, h^\beta \cdot m)$ where $\beta \la \Z_q$.
+- $D(sk, c) = c_2 \cdot (c_1)^{-\alpha} = m$.
+
+### Security of ElGamal Encryption
+
+> **Theorem.** If the DDH assumption holds on $G$, and the symmetric cipher $\mc{E}_S = (E_S, D_S)$ is semantically secure, then the ElGamal encryption scheme $\mc{E}_\rm{EG}$ is semantically secure.
+> 
+> For any SS adversary $\mc{A}$ of $\mc{E}_\rm{EG}$, there exist a DDH adversary $\mc{B}$, and an SS adversary $\mc{C}$ for $\mc{E}_S$ such that
+> 
+> $$
+> \Adv[SS]{\mc{A}, \mc{E}_\rm{EG}} \leq 2 \cdot \Adv[DDH]{\mc{B}, G} + \Adv[SS]{\mc{C}, \mc{E}_S}.
+> $$
+
+*Proof Idea*. For any $m_0, m_1 \in G$ and random $\gamma \la \Z_q$,
+
+$$
+E_S(g^{\alpha\beta}, m_0) \approx_c E_S(g^{\gamma}, m_0) \approx_c E_S(g^\gamma, m_1) \approx_c E_S(g^{\alpha\beta}, m_1).
+$$
+
+The first two and last two ciphertexts are computationally indistinguishable since the DDH problem is hard. The second and third ciphertexts are also indistinguishable since $\mc{E}_S$ is semantically secure.
+
+*Proof*. Full proof in Theorem 11.5.[^1]
+
+Note that $\beta \la \Z_q$ must be chosen differently for each encrypted message. This is the randomness part of the encryption, since $pk = g^\alpha, sk =\alpha$ are fixed.
+
+### Hashed ElGamal Encryption
+
+**Hashed ElGamal encryption** scheme is a variant of the original ElGamal scheme, where we use a hash function $H : G \ra \mc{K}$, where $\mc{K}$ is the key space of $\mc{E}_S$.
+
+The only difference is that we use $H(g^{\alpha\beta})$ as the key.[^2]
+
+> 1. Alice chooses $sk = \alpha \la \Z_q$, computes $pk = g^\alpha$ and sends $pk$ to Bob.
+> 2. Bob also chooses $\beta \la \Z_q$ and computes $h^\beta = g^{\alpha\beta}$**, and sets $k = H(g^{\alpha\beta})$.**
+> 3. Bob sends $\big( g^\beta, E_S(k, m) \big)$ to Alice.
+> 4. Alice computes $g^{\alpha\beta} = (g^\beta)^\alpha$ using $\alpha$, **computes $k = H(g^{\alpha\beta})$** and recovers $m$ by decrypting $E_S(k, m)$.
+
+This is also semantically secure, under the random oracle model.
+
+> **Theorem.** Let $H : G \ra \mc{K}$ be modeled as a random oracle. If the CDH assumption holds on $G$ and $\mc{E}_S$ is semantically secure, then the hashed ElGamal scheme $\mc{E}_\rm{HEG}$ is semantically secure.
+
+*Proof Idea*. Given a ciphertext $\big( g^\beta, E_S(k, m) \big)$ with $k = H(g^{\alpha\beta})$, the adversary learns nothing about $k$ unless it constructs $g^{\alpha\beta}$. This is because we modeled $H$ as a random oracle. If the adversary learns about $k$, then this adversary breaks the CDH assumption for $G$. Thus, if CDH assumption holds for the adversary, $k$ is completely random, so the hashed ElGamal scheme is secure by the semantic security of $\mc{E}_S$.
+
+*Proof*. Refer to Theorem 11.4.[^1]
+
+Since the hashed ElGamal scheme is semantically secure, it is automatically CPA secure. But this is not CCA secure, and we need a stronger assumption.
+
+### Interactive Computational Diffie-Hellman Problem (ICDH)
+
+> **Definition.** Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. Let $\mc{A}$ be a given adversary.
+> 
+> 1. The challenger chooses $\alpha, \beta \la \Z_q$ and sends $g^\alpha, g^\beta$ to the adversary.
+> 2. The adversary makes a sequence of **DH-decision oracle queries** to the challenger.
+> 	- Each query has the form $(v, w) \in G^2$, challenger replies with $1$ if $v^\alpha = w$, replies $0$ otherwise.
+> 3. The adversary calculates and outputs some $w \in G$.
+> 
+> We define the **advantage in solving the interactive computational Diffie-Hellman problem for $G$** as
+> 
+> $$
+> \Adv[ICDH]{\mc{A}, G} = \Pr[w = g^{\alpha\beta}].
+> $$
+> 
+> We say that the **interactive computational Diffie-Hellman (ICDH) assumption** holds for $G$ if for any efficient adversary $\mc{A}$, $\Adv[ICDH]{\mc{A}, G}$ is negligible.
+
+This is also known as **gap-CDH**. Intuitively, it says that even if we have a DDH solver, CDH is still hard.
+
+### CCA Security of Hashed ElGamal
+
+> **Theorem.** If the gap-CDH assumption holds on $G$ and $\mc{E}_S$ provides AE and $H : G \ra \mc{K}$ is a random oracle, then the hashed ElGamal scheme is CCA secure.
+
+*Proof*. See Theorem 12.4.[^1] (very long)
+
+## The RSA Encryption
+
+The RSA scheme was originally designed by Rivest, Shamir and Adleman in 1977.[^3] The RSA trapdoor permutation is used in many places such as SSL/TLS, both for encryption and digital signatures.
+
+### Textbook RSA Encryption
+
+The "textbook RSA" is done as follows.
+
+- Key generation algorithm $G$ outputs $(pk, sk)$.
+	- Sample two large random primes $p, q$ and set $N = pq$.
+	- Choose $e \in \Z$ such that $\gcd(e, \phi(N)) = 1$, compute $d = e^{-1} \bmod{\phi(N)}$.
+	- Output $pk = (N, e)$, $sk = (N, d)$.
+- Encryption $E(pk, m) = m^e \bmod N$.
+- Decryption $D(sk, c) = c^d \bmod N$ .
+
+Correctness holds by **Fermat's little theorem**. $ed = 1 \bmod \phi(N)$, so
+
+$$
+D(sk, (E(pk, m))) = m^{ed} = m^{1 + k(p-1)(q-1)} \bmod N.
+$$
+
+Since $m^{p-1} = 1 \bmod p$, $m^{ed} = m \bmod N$ (holds trivially if $p \mid m$). A similar argument holds for modulus $q$, so we have $m^{ed} = m \bmod N$.
+
+### Attacks on Textbook RSA Encryption
+
+But this scheme is not CPA secure, since it is deterministic and the ciphertext is malleable. For instance, one can choose two messages to be $1$ and $2$. Then the ciphertext is easily distinguishable.
+
+Also, ciphertext is malleable by the **homomorphic property**. If $c_1 = m_1^e \bmod N$ and $c_2 = m_2^e \bmod N$, then set $c =c_1c_2 = (m_1m_2)^e \bmod N$, which is an encryption of $m_1m_2$.
+
+#### Attack on KEM
+
+Assume that the textbook RSA is used as KEM. Suppose that $k$ is $128$ bits, and the attacker sees $c = k^e \bmod N$. With high probability ($80\%$), $k = k_1 \cdot k_2$ for some $k_1, k_2 < 2^{64}$. Using the homomorphic property, $c = k_1^e k_2^e \bmod N$, so the following attack is possible.
+
+1. Build a table of $c\cdot k_2^{-e}$ for $0 \leq k_2 < 2^{64}$.
+2. For each $1 \leq k_1 < 2^{64}$, compute $k_1^e$ to check if it is in the table.
+3. Output a match $(k_1, k_2)$.
+
+The attack has complexity $\mc{O}(2^{n/2})$ where $n$ is the key length.
+
+## Trapdoor Functions
+
+Textbook RSA is not secure, but it is a **one-way trapdoor function**.
+
+A **one-way function** is a function that is computationally hard to invert. But we sometimes need to invert the functions, so we need functions that have a **trapdoor**. A trapdoor is a secret door that allows efficient inversion, but without the trapdoor, the function must be still hard to invert.
+
+> **Definition.** Let $\mc{X}$ and $\mc{Y}$ be finite sets. A **trapdoor function scheme** $\mc{T} = (G, F, I)$ defined over $(\mc{X}, \mc{Y})$ is a triple of algorithms.
+> 
+> - $G$ is a probabilistic key generation algorithm that outputs $(pk, sk)$, where $pk$ is the public key and $sk$ is the secret key.
+> - $F$ is a deterministic algorithm that outputs $y \la F(pk, x)$ for $x \in \mc{X}$.
+> - $I$ is a deterministic algorithm that outputs $x \la I(sk, y)$ for $y \in \mc{Y}$.
+
+The correctness property says that for any $(pk, sk) \la G()$ and $x \in \mc{X}$, $I(sk, F(pk, x)) = x$. So $sk$ is the trapdoor that inverts this function.
+
+One-wayness is defined as a security game.
+
+> **Definition.** Given a trapdoor function scheme $\mc{T} = (G, F, I)$ and an adversary $\mc{A}$, define a security game as follows.
+> 
+> 1. The challenger computes $(pk, sk) \la G()$, $x \la \mc{X}$ and $y \la F(pk, x)$.
+> 2. The challenger sends $pk$ and $y$ to the adversary.
+> 3. The adversary computes and outputs $x' \in \mc{X}$.
+> 
+> $\mc{A}$ wins if $\mc{A}$ inverts the function. The advantage is defined as
+> 
+> $$
+> \Adv[OW]{\mc{A}, \mc{T}} = \Pr[x = x'].
+> $$
+> 
+> If the advantage is negligible for any efficient adversary $\mc{A}$, then $\mc{T}$ is **one-way**.
+
+A one-way trapdoor function is not an encryption. The algorithm is deterministic, so it is not CPA secure. Never encrypt with trapdoor functions.
+
+### Textbook RSA as a Trapdoor Function
+
+It is easy to see that the textbook RSA is a trapdoor function.
+
+- Key generation algorithm $G$ chooses random primes $p, q$ and sets $N = pq$.
+	- Then chooses integer $e$ such that $\gcd(e, \phi(N)) = 1$.
+	- Set $d = e^{-1} \bmod \phi(N)$.
+- Then $F(pk, x) = x^e \bmod N$, and $I(sk, y) = y^d \bmod N$.
+- The correctness property holds by the above proof.
+
+But is RSA a *secure* trapdoor function? Is it one-way?
+
+- If $d$ is known, it is obviously not one-way.
+- If $\phi(N)$ is known, it is not one-way.
+	- One can find $d = e^{-1} \bmod \phi(N)$.
+- If $p$ and $q$ are known, it is not one-way.
+	- $\phi(N) = (p-1)(q-1)$.
+
+Thus, if factoring is easy, RSA is not one-way. Thus if RSA is a secure trapdoor function, then factoring must be hard. How about the converse? We don't have a proof, but it seems reasonable to assume.
+
+## The RSA Assumption
+
+The RSA assumption says that the RSA problem is hard, which implies that RSA is a **one-way** trapdoor function.
+
+### The RSA Problem
+
+> **Definition.** Let $\mc{T}_\rm{RSA} = (G, F, I)$ the RSA trapdoor function scheme. Given an adversary $\mc{A}$,
+> 
+> 1. The challenger chooses $(pk, sk) \la G()$ and $x \la \Z_N$.
+> 	- $pk = (N, e)$, $sk = (N, d)$.
+> 2. The challenger computes $y \la x^e \bmod N$ and sends $pk$ and $y$ to the adversary.
+> 3. The adversary computes and outputs $x' \in \Z_N$.
+> 
+> The adversary wins if $x = x'$. The advantage is defined as
+> 
+> $$
+> \rm{Adv}_{\rm{RSA}}[\mc{A}, \mc{T_\rm{RSA}}] = \Pr[x = x'].
+> $$
+> 
+> We say that the **RSA assumption** holds if the advantage is negligible for any efficient $\mc{A}$.
+
+## RSA Public Key Encryption (ISO Standard)
+
+- Let $(E_S, D_S)$ be a symmetric encryption scheme over $(\mc{K}, \mc{M}, \mc{C})$ that provides AE.
+- Let $H : \Z_N^{\ast} \ra \mc{K}$ be a hash function.
+
+The RSA public key encryption is done as follows.
+
+- Key generation is the same.
+- Encryption
+	1. Choose random $x \la \Z_N^{\ast}$ and let $y = x^e \bmod N$.
+	2. Compute $c \la E_S(H(x), m)$.
+	3. Output $c' = (y, c)$.
+- Decryption
+	- Output $D_S(H(y^d), c)$.
+
+This works because $x = y^d \bmod N$ and $H(y^d) = H(x)$. In short, this uses RSA trapdoor function as a **key exchange mechanism**, and the actual encryption is done by symmetric encryption.
+
+It is known that with RSA assumption and $H$ modeled as a random oracle, this scheme is CPA secure.
+
+### Optimizations for RSA
+
+The computation time depends on the exponents $e, d$.
+
+- To speed up RSA, choose a small public exponent $e$.
+	- $e = 65537 = 2^{16} + 1$ is often used, which only takes $17$ multiplications.
+- But $d$ cannot be too small.
+	- RSA is insecure for $d < N^{0.25}$. (Wiener'87)
+	- RSA is insecure for $d < N^{0.292}$. (BD'98)
+	- Is RSA secure for $d < N^{0.5}$? (open problem)
+- Often, encryption is fast, but decryption is slow.
+	- ElGamal takes approximately the same time for both.[^4]
+
+## Attacks on RSA Implementation
+
+- Timing Attack
+	- Time to compute $c^d \bmod N$ exposes $d$.
+	- More $1$'s in the binary representation of $d$ leads to more multiplications.
+- Power Attack
+	- The power consumption of a smartcard during the computation of $c^d \bmod N$ exposes $d$.
+- Faults Attack
+	- An error during computation exposes $d$.
+- Poor Randomness
+	- Poor entropy at initialization, then same $p$ is generated for multiple devices.
+	- Collect modulus $N$ from many public keys, and their $\gcd$ will be $p$.
+	- *PRG must be properly seeded when generating keys.*
+
+[^1]: A Graduate Course in Applied Cryptography.
+[^2]: There is another variant that uses $H : G^2 \ra \mc{K}$ and sets $H(g^\beta, g^{\alpha\beta})$ as the key. This one is also semantically secure, and gives further security properties than the one in the text.
+[^3]: This was one year before ElGamal.
+[^4]: Discrete logarithms have the same complexity for average case and worst case, but this is not the case for RSA. (Source?)

_posts/Lecture Notes/Modern Cryptography/2023-10-26-digital-signatures.md

@@ -0,0 +1,245 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 10. Digital Signatures
+date: 2023-10-26
+github_title: 2023-10-26-digital-signatures
+image:
+  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-10-dsig-security.png
+attachment:
+  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+---
+
+
+## Digital Signatures
+
+> **Definition.** A **signature scheme** $\mc{S} = (G, S, V)$ is a triple of efficient algorithms, where $G$ is a **key generation** algorithm, $S$ is a **signing** algorithm, and $V$ is a **verification** algorithm.
+> 
+> - A probabilistic algorithm $G$ outputs a pair $(pk, sk)$, where $sk$ is called a secret **signing key**, and $pk$ is a public **verification key**.
+> - Given $sk$ and a message $m$, a probabilistic algorithm $S$ outputs a **signature** $\sigma \la S(sk, m)$.
+> - $V$ is a deterministic algorithm that outputs either $\texttt{{accept}}$ or $\texttt{reject}$ for $V(pk, m, \sigma)$.
+
+The correctness property requires that all signatures generated by $S$ is always accepted by $V$. For all $(pk, sk) \la G$ and $m \in \mc{M}$,
+
+$$
+\Pr[V(pk, m, S(sk, m)) = \texttt{{accept}}] = 1.
+$$
+
+### Properties of Digital Signatures
+
+- Digital signatures can be verified by anyone, whereas MACs can be verified by the parties sharing the same key.
+	- No need to share a key for digital signatures.
+- **Non-repudiation**: cannot deny having created the signature.
+	- Signatures can only be created by people having the secret key.
+	- In cases where the secret key is leaked, then we don't have non-repudiation.
+	- In MACs, the secret key is shared by two parties, so we don't have non-repudiation.
+- Must trust the identity of the public key.
+	- How do you trust that this public key is Alice's?
+	- We need **public key infrastructure** (PKI).
+
+### Applications
+
+- Electronic document signing
+- HTTPS/TLS certificates
+- Software installation
+- Authenticated email (DKIM)
+- Bitcoins
+
+## Secure Digital Signatures
+
+The definition is similar to the [secure MAC](../2023-09-21-macs/#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**.
+
+![mc-10-dsig-security.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-dsig-security.png)
+
+> **Definition.** Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$. Given an adversary $\mc{A}$, the game goes as follows.
+> 
+> 1. The challenger generates $(pk, sk) \la G()$ and sends $pk$ to $\mc{A}$.
+> 2. $\mc{A}$ makes a series of *signing queries* to the challenger.
+> 	- Each query is a message $m_i \in \mc{M}$, the challenger responds with $\sigma_i \la S(sk, m_i)$.
+> 3. $\mc{A}$ computes and outputs a candidate forgery pair $(m, \sigma) \in \mc{M} \times \Sigma$.
+> 	- $m \notin \left\lbrace m_1, \dots, m_q \right\rbrace$.
+> 	- $(m, \sigma) \notin \left\lbrace (m_1, \sigma_1), \dots, (m_q, \sigma_q) \right\rbrace$. (strong)
+> 
+> $\mc{A}$ wins if $V(pk, m, \sigma) = \texttt{accept}$, let this event be $W$. The advantage of $\mc{A}$ with respect to $\mc{S}$ is defined as
+> 
+> $$
+> \rm{Adv}_{\rm{SIG}}[\mc{A}, \mc{S}] = \Pr[W].
+> $$
+> 
+> If the advantage is negligible for all efficient adversaries $\mc{A}$, the signature scheme $S$ is (strongly) **secure**. $\mc{S}$ is **existentially unforgeable under a chosen message attack**.
+
+- We do not make verification queries, since the adversary can always check any signature.
+- The normal definition of security is sufficient. Secure signature schemes can be converted into strongly secure signature schemes. See Exercise 14.10.[^1]
+
+### Message Confusion
+
+Two different messages $m, m'$ can produce the same signature $\sigma$. In this case, the scheme is vulnerable to **message confusion**. See Exercise 13.3.[^1]
+
+In common implementations, we consider $m$, $m'$ both to be valid. But there may be situations that this is undesirable. For those cases, a signature is would be a *binding commitment* to the message, and there will be no confusion.
+
+### Signer Confusion
+
+Suppose that $(m, \sigma)$ is a valid pair with $pk$, i.e, $V(pk, m, \sigma) = \texttt{accept}$. But an attacker can generate $pk'$ different from $pk$ such that $V(pk', m, \sigma) = \tt{accept}$. In this cases, we have **signer confusion** since both can claim to have signed $m$. See Exercise 13.4.[^1]
+
+### Strongly Binding Signatures
+
+**Strongly binding signatures** prevent both message confusion and signer confusion.
+
+Any signature scheme can be made strongly binding by appending a collision resistant hash of $(pk, m)$ to the signature. See Exercise 13.5.[^1]
+
+## Extending the Message Space
+
+We can extend the message space of a secure digital signature scheme, [as we did for MACs](../2023-09-28-hash-functions/#mac-domain-extension). Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$ and let $H : \mc{M}' \ra \mc{M}$ be a hash function with $\left\lvert \mc{M}' \right\lvert \geq \left\lvert \mc{M} \right\lvert$.
+
+Define a new signature scheme $\mc{S}' = (G, S', V')$ over $(\mc{M}', \Sigma)$ as
+
+$$
+S'(sk, m) = S(sk, H(m)), \qquad V'(pk, m, \sigma) = V(pk, H(m), \sigma).
+$$
+
+This is often called the **hash-and-sign paradigm**, and the new signature scheme is also secure.
+
+> **Theorem.** Suppose that $\mc{S}$ is a secure signature scheme and $H$ is a collision resistant hash function. Then $\mc{S}'$ is a secure signature.
+> 
+> If $\mc{A}$ is an adversary attacking $\mc{S}'$, then there exist an adversary $\mc{B}_\mc{S}$ attacking $\mc{S}$ and an adversary $\mc{B}_H$ attacking $H$ such that
+> 
+> $$
+> \rm{Adv}_{\rm{SIG}}[A, \mc{S}'] \leq \rm{Adv}_{\rm{SIG}}[\mc{B}_\mc{S}, \mc{S}] + \rm{Adv}_{\rm{CR}}[\mc{B}_H, H].
+> $$
+
+*Proof*. The proof is identical to the theorem for MACs.
+
+## Digital Signature Constructions
+
+We can build secure signature schemes from hash functions, trapdoor permutations, or from discrete logarithms.
+
+### Textbook RSA Signatures
+
+This is the signature scheme based on the textbook RSA. It is also insecure.
+
+- Key generation: $pk = (N, e)$ and $sk = (N, d)$ are chosen to satisfy $d = e^{-1} \bmod \phi(N)$ for $N = pq$.
+- Sign: $S(sk, m) = m^d \bmod N$.
+- Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $\sigma^e = m \bmod N$.
+
+Here are some possible attacks.
+
+- No message attack
+	- Just return $(\sigma^e, \sigma)$ for some $\sigma$. Then it passes verification.
+- Attack using the homomorphic property.
+	- Suppose we want to forge a message $m$.
+	- Pick $m_1 \in \Z_N^{\ast}$ and set $m_2 = m\cdot m_1^{-1} \bmod N$.
+	- Query signatures for both messages and multiply the responses.
+		- $\sigma = \sigma_1 \cdot \sigma_2 = m_1^e \cdot m^e \cdot m_1^{-e} = m^e \bmod N$.
+	- Then $(m, \sigma)$ is a valid pair.
+
+Because of the second attack, the textbook RSA signature is **universally forgeable**. This property is used to create **blind signatures**, where the signer creates a signature without any knowledge about the message. See Exercise 13.15.[^1]
+
+### RSA Full Domain Hash Signature Scheme
+
+Given a hash function $H : \mc{M} \ra \mc{Y}$, the **RSA full domain hash** signature scheme $\mc{S}_\rm{RSA-FDH}$ is defined as follows.
+
+- Key generation: $pk = (N, e)$ and $sk = (N, d)$ are chosen to satisfy $d = e^{-1} \bmod \phi(N)$ for $N = pq$.
+- Sign: $S(sk, m) = H(m)^d \bmod N$.
+- Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $\sigma^d = H(m) \bmod N$.
+
+This scheme is now secure.
+
+> **Theorem.** If the hash function $H$ is modeled as a random oracle, and the RSA assumptions holds, then $\mc{S}_\rm{RSA-FDH}$ is a secure signature scheme.
+> 
+> For any $q$-query adversary $\mc{A}$ against hashed RSA, there exists an adversary $\mc{B}$ solving the RSA problem such that
+> 
+> $$
+> \rm{Adv}_{\rm{SIG}}[\mc{A}, \mc{S}_\rm{RSA-FDH}] \leq q \cdot \rm{Adv}_{\rm{RSA}}[\mc{B}].
+> $$
+
+### Full Domain Hash Signature Scheme
+
+The following is a description of a **full domain hash** scheme $\mc{S}_\rm{FDH}$, constructed from trapdoor permutation scheme $\mc{T} = (G, F, I)$.
+
+- Key generation: $(pk, sk) \la G()$.
+- Sign: $S(sk, m)$ returns $\sigma \la I(sk, H(m))$.
+- Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $F(pk, \sigma) = H(m)$.
+
+This scheme $\mc{S}_\rm{FDH} = (G, S, V)$ is secure if $\mc{T}$ is a **one-way trapdoor permutation** and $H$ is a random oracle.
+
+> **Theorem.** Let $\mc{T} = (G,F,I)$ be a one-way trapdoor permutation defined over $\mc{X}$. Let $H : \mc{M} \ra \mc{X}$ be a hash function, modeled as a random oracle. Then the derived FDH signature scheme $\mc{S}_\rm{FDH}$ is a secure signature scheme.
+
+*Proof*. See Theorem 13.3.[^1]
+
+## Schnorr Digital Signature Scheme
+
+This one uses discrete logarithms.
+
+### The Schnorr Identification Protocol
+
+This scheme is originally from the **Schnorr identification protocol**.
+
+Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z_q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**.
+
+![mc-10-schnorr-identification.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
+
+The protocol $\mc{I}_\rm{sch} = (G, P, V)$ works as follows.
+
+> 1. A **secret key** $\alpha \la \Z_q$ and **verification key** $u \la g^\alpha$ is generated. The prover $P$ has $\alpha$ and the verifier $V$ has $u$.
+> 2. $P$ computes a random $\alpha_t \la \Z_q$, and sends $u_t \la g^{\alpha_t}$ to $V$.
+> 3. $V$ chooses a random $c \la \Z_q$ and sends it to $P$.
+> 4. $P$ computes $\alpha_z \la \alpha_t + \alpha c \in \Z_q$ and sends it to $V$.
+> 5. $V$ checks if $g^{\alpha_z} = u_t \cdot u^c$. Accept if and only if it is equal.
+
+- $u_t$ is the **commitment** sent to the verifier.
+- $c$ is the **challenge** sent to the prover.
+	- If $P$ can predict the challenge, $P$ can choose $\alpha_t$ and $\alpha_z$ so that verifier accepts it.
+- $\alpha_z$ is the **response** sent to the verifier.
+
+We must check a few things.
+
+- **Correctness**: If $P$ has the correct $\alpha$, then $g^{\alpha_z} = g^{\alpha_t} \cdot (g^\alpha)^c = u_t \cdot u^c$.
+- **Soundness**: If $P$ does not have the correct $\alpha$, it is reject with probability $1 - \frac{1}{q}$.
+	- We can repeat this many times then the probability of reject is $1 - \frac{1}{q^n} \ra 1$.
+	- Thus $q$ (the size of the challenge space) must be large.
+- **Zero-knowledge**: $V$ learns no information about $x$ from the conversation.
+	- This will be revisited later. See [here](../2023-11-07-sigma-protocols/#the-schnorr-identification-protocol-revisited).
+
+> **Theorem.** The Schnorr identification protocol is secure if the DL problem is hard, and the challenge space $\mc{C}$ is large.
+
+### Schnorr Digital Signature Scheme
+
+We *transform* the above protocol to a signature scheme.[^2] We need a hash function $H : \mc{M} \times G \ra \mc{C}$, modeled as a random oracle. The protocol originally involves interaction between two parties, but a signature is computed by a single party. Intuitively, $H$ will play the role of the verifier.
+
+The **Schnorr signature scheme** $\mc{S}_\rm{sch} = (G, S, V)$ is defined as follows.
+
+- Key generation: a **secret key** $sk = \alpha \la \Z_q$ and **public key** $pk = u \la g^\alpha$ is generated.
+- Sign: $S(sk, m)$ outputs $\sigma = (u_t, \alpha_z)$ where
+	- Choose random $\alpha_t \la \Z_q$ and set $u_t \la g^{\alpha_t}$.
+	- **Compute $c \la H(m, u_t)$** and set $\alpha_z \la \alpha_t + \alpha c$.
+- Verify: $V(pk, m, \sigma)$ outputs $\texttt{accept}$ if and only if $g^{\alpha_z} = u_t \cdot u^c$.
+	- $c \la H(m, u_t)$ can be computed and $u$ is known.
+
+Since $H$ is being modeled as a random oracle, the signer cannot predict the value of the challenge $c$. Also, $c$ must take both $m$ and $u_t$ as input, since without $m$, the signature is not related to $m$ (the signature has no $m$ term inside it). On the other hand, without $u_t$, then the scheme is insecure since the Schnorr identification protocol is HVZK. See Exercise 19.12.[^1]
+
+> **Theorem.** If $H$ is modeled as a random oracle and Schnorr's identification protocol is secure, then Schnorr's signature scheme is also secure.
+
+*Proof*. See Theorem 19.7.[^1]
+
+Note that $\alpha \la \Z_q$ must be chosen randomly every time.
+
+## Digital Signature Algorithm
+
+Schnorr's scheme was protected by a patent, so NIST opted for a ad-hoc signature scheme based on a prime order subgroup of $\Z_p^{\ast}$. This algorithm eventually became the **Digital Signature Algorithm** (DSA). The standard was updated to support elliptic curve groups over a finite field, resulting in **ECDSA**.
+
+## Public Key Infrastructure
+
+How would you trust public keys? We introduce **digital certificates** for this.
+
+Read in [public key infrastructure (Internet Security)](../../internet-security/2023-10-16-pki).
+
+[^1]: A Graduate Course in Applied Cryptography
+[^2]: By using the [Fiat-Shamir transform](../2023-11-07-sigma-protocols/#the-fiat-shamir-transform).

_posts/Lecture Notes/Modern Cryptography/2023-10-31-advanced-topics.md

@@ -0,0 +1,222 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 11. Advanced Topics
+date: 2023-10-31
+github_title: 2023-10-31-advanced-topics
+---
+
+
+## Ciphertext Indistinguishability
+
+- By **Shafi Goldwasser** and **Silvio Micali**
+	- Turing Award in 2012
+
+An adversary should not be able to...
+
+- **(Semantic Security)** gain any partial information about a secret.
+- **(Ciphertext Indistinguishability)** distinguish pairs of ciphertexts based on the chosen messages.
+
+They showed that
+
+- These two definitions are equivalent under chosen-plaintext attack.
+- Encryption schemes must be randomized.
+
+> **Definition.** A symmetric key encryption scheme $E$ is **semantically secure** if for any efficient adversary $\mc{A}$, there exists an efficient $\mc{A}'$ such that for any efficiently computable functions $f$ and $h$,
+> 
+> $$
+> \bigg\lvert \Pr\left[ \mc{A}\big( E(k, m), h(m) \big) = f(m) \right] - \Pr\left[ \mc{A}'\big( h(m) \big) = f(m) \right] \bigg\lvert
+> $$
+> 
+> is negligible.
+
+## Commitment Schemes
+
+A commitment scheme is for committing a value, and opening it later. The committed value cannot be forged.
+
+> **Definition.** A **commitment scheme** for a finite message space $\mc{M}$ is a pair of efficient algorithms $\mc{C} = (C, V)$ satisfying the following.
+> 
+> - For a message $m \in \mc{M}$ to be committed, $(c, o) \la C(m)$, where $c$ is the **commitment string**, and $o$ is an **opening string**.
+> - $V$ is a deterministic algorithm that $V(m, c, o)$ is either $\texttt{accept}$ or $\texttt{reject}$.
+> - **Correctness**: for all $m \in \mc{M}$, if $(c, o) \la C(m)$ then $V(m, c, o) = \texttt{accept}$.
+
+Suppose Alice wants to commit a message $m$. She computes $(c, o) \la C(m)$, and sends the commitment string $c$ to Bob, and keeps the opening string $o$ to herself. After some time, Alice sends the opening string $o$ to open the commitment, then Bob will verify the commitment by computing $V(m, c, o)$.
+
+### Secure Commitment Schemes
+
+The scheme must satisfy the following properties. First, the commitment must open to a single message. This is called the **binding** property. Next, the commitment must not reveal any information about the message. This is called the **hiding** property.
+
+> **Definition.** A commitment scheme $\mc{C} = (C, V)$ is **binding** if for every efficient adversary $\mc{A}$ that outputs a $5$-tuple $(c, m_1, o_1, m_2, o_2)$, the probability
+> 
+> $$
+> \Pr[m_1 \neq m_2 \land V(m_1, c, o_1) = V(m_2, c, o_2) = \texttt{{accept}}]
+> $$
+> 
+> is negligible.
+
+The hiding property is defined as a security game.
+
+> **Definition.** Let $\mc{C} = (C, V)$ be a commitment scheme. Given an adversary $\mc{A}$, define two experiments.
+> 
+> **Experiment $b$**.
+> 1. $\mc{A}$ sends $m_0, m_1 \in \mc{M}$ to the challenger.
+> 2. The challenger computes $(c, o) \la C(m_b)$ and sends $c$ to $\mc{A}$.
+> 3. $\mc{A}$ computes and outputs $b' \in \braces{0, 1}$.
+> 
+> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. The **advantage** of $\mc{A}$ with respect to $\mc{C}$ is defined as
+> 
+> $$
+> \Adv{\mc{A}, \mc{C}} = \abs{\Pr[W_0] - \Pr[W_1]}.
+> $$
+> 
+> If the advantage is negligible for all efficient adversaries $\mc{A}$, then the commitment scheme $\mc{C}$ has the **hiding** property.
+
+Next, the definition of secure commitment schemes.
+
+> **Definition.** A commitment scheme $\mc{C} = (C, V)$ is **secure** if it is both hiding and binding.
+
+### Non-binding Encryption Schemes
+
+A semantically secure cipher does not always yield a secure commitment scheme. One might be tempted to use a secure cipher $(E, D)$ as follows.
+
+- For $m \in \mc{M}$, choose $k \la \mc{K}$ and set $\big( E(k, m), k \big) \la C(m)$.
+- $V(m, c, k)$ accepts if and only if $D(k, c) = m$.
+
+However, it may be feasible to find another $k' \in \mc{K}'$ such that $D(k, c) \neq D(k', c)$. As an example, consider the one-time pad. It is easy for the committer to manipulate the message. $c = m \oplus k$, so later set $k' = k \oplus m \oplus m'$ as the opening string, then $c \oplus k' = m'$, resulting in a different message.
+
+## Constructions of Commitment Schemes
+
+### Commitment from Secure PRGs
+
+To commit a bit, we can use a secure PRG. The following is due to Naor.
+
+> Let $G : \mc{S} \ra \mc{R}$ be a secure PRG where $\left\lvert \mc{R} \right\lvert \geq \left\lvert \mc{S} \right\lvert^3$ and $\mc{R} = \braces{0, 1}^n$. Suppose that Bob wants to commit a bit $b_0 \in \braces{0, 1}$.
+> 
+> 1. Alice chooses a random $r \in \mc{R}$ and sends it to Bob.
+> 2. Bob chooses a random $s \in \mc{S}$ and computes $c \la C(s, r, b_0)$, where
+> 
+> 	$$
+> 	C(s, r, b_0) = \begin{cases} G(s) & (b_0 = 0) \\ G(s) \oplus r & (b_0 = 1). \end{cases}
+> 	$$
+> 
+> 	Then Bob outputs $(c, s)$ as the commitment and the opening string.
+> 3. During opening, Bob sends $(b_0, s)$ to Alice.
+> 4. Alice accepts if and only if $C(s, r, b_0) = c$.
+
+Correctness is obvious, since Alice recomputes $C(s, r, b_0)$.
+
+The hiding property follows since $G(s)$ and $G(s) \oplus r$ are indistinguishable if $G$ is a secure PRG.
+
+The binding property follows if $1 / \left\lvert \mc{S} \right\lvert$ is negligible. For Bob to open $c$ as both $0$ and $1$, he must find two seeds $s_0, s_1 \in \mc{S}$ such that $c = G(s_0) = G(s_1) \oplus r$. Then $r = G(s_0) \oplus G(s_1)$. There are at most $\left\lvert \mc{S} \right\lvert^2$ possible $r \in \mc{R}$ values that this can happen. The probability that Alice chooses such $r$ is
+
+$$
+\left\lvert \mc{S} \right\lvert^2 / \left\lvert \mc{R} \right\lvert \leq \left\lvert \mc{S} \right\lvert^2 / \left\lvert \mc{S} \right\lvert^3 = 1 / \left\lvert \mc{S} \right\lvert
+$$
+
+by assumption.
+
+The downside of the above protocol is that it has to be interactive.
+
+#### Coin Flipping Protocol
+
+A bit commitment scheme can be used for a **coin flipping protocol**. Suppose that Alice and Bob are flipping coins, when they are physically distant from each other.
+
+> 1. Bob chooses a random bit $b_0 \la \braces{0, 1}$.
+> 2. Execute the commitment protocol.
+> 	- Alice obtains a commitment string $c$ of $b_0$.
+> 	- Bob keeps an opening string $o$.
+> 3. Alice chooses a random bit $b_1 \la \braces{0, 1}$, and sends it to Bob.
+> 4. Bob reveals $b_0$ and $s$ to Alice, she verifies that $c$ is valid.
+> 5. The final outcome is $b = b_0 \oplus b_1$.
+
+After step $2$, Alice has no information about $b_0$ because of the hiding property. Her choice of $b_1$ is unbiased, and cannot affect the final outcome. Next, in step $4$, $b_0$ cannot be manipulated by the binding property.
+
+Thus, $b_0$ and $b_1$ are both random, so $b$ is either $0$ or $1$ each with probability $1/2$.[^1]
+
+### Commitment Scheme from Hashing
+
+> Let $H : \mc{X} \ra \mc{Y}$ be a collision resistant hash function, where $\mc{X} = \mc{M} \times \mc{R}$. $\mc{M}$ is the message space, and $\mc{R}$ is a finite nonce space. For $m \in \mc{M}$, the derived commitment scheme $\mc{C}_H = (C, V)$ is defined as follows.
+> 
+> - $C(m)$: choose random $o \la \mc{R}$, set $c = H(m, o)$ and output $(c, o)$.
+> - $V(m, c, o)$: output $\texttt{accept}$ if and only if $c = H(m, o)$.
+
+Correctness is obvious.
+
+The binding property follows since $H$ is collision resistant. If it is easy to find a $5$-tuple $(c, m_1, o_1, m_2, o_2)$ such that $c = H(m_1, o_1) = H(m_2, o_2)$, $H$ is not collision resistant.
+
+The hiding property follows if $H$ is modeled as a random oracle, or has a property called **input hiding**. For adversarially chosen $m_1, m_2 \in \mc{M}$ and random $o \la \mc{R}$, the distributions of $H(m_1, o)$ and $H(m_2, o)$ are computationally indistinguishable.
+
+Additionally, this scheme is **non-malleable** if $H$ is modeled as a random oracle and $\mc{Y}$ is sufficiently large.[^2]
+
+### Commitment Scheme from Discrete Logarithms
+
+> Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. Let $h$ be chosen randomly from $G$.
+> 
+> - $C(m)$: choose random $o \la \mathbb{Z}_q$ and $c \la g^m h^o$ and return $(c, o)$.
+> - $V(m, c, o)$: output $\texttt{accept}$ if and only if $c = g^m h^o$.
+
+Correctness is obvious.
+
+The binding property follows from the DL assumption. If an adversary finds $m_1, m_2$, $o_1, o_2$ such that $c = g^{m_1} h^{o_1} = g^{m_2} h^{o_2}$, then $h = g^{(m_2 - m_1)/(o_1 - o_2)}$, solving the discrete logarithm problem for $h$.
+
+The hiding property follows since $h$ is uniform in $G$ and $o$ is also uniform in $\mathbb{Z}_q$. Then $g^m h^o$ is uniform in $G$, not revealing any information.
+
+## Post Quantum Cryptography
+
+Quantum computers use **qubits** and **quantum gates** for computation. A **qubit** is a *quantum bit*, a **superposition** of two states $\ket{0}$ and $\ket{1}$.
+
+$$
+\ket{\psi} = \alpha \ket{0} + \beta \ket{1}
+$$
+
+where $\alpha, \beta \in \mathbb{C}$ and $\left\lvert \alpha \right\lvert^2 + \left\lvert \beta \right\lvert^2 = 1$. The quantum gates are usually orthogonal matrices.
+
+The *superposition* may give the false impression that a quantum computer tries all possible solutions in parallel, but the actual magic comes from **complex amplitudes**.
+
+Quantum computers use **quantum interference**, carefully choreograph computations so that wrong answers *cancel out* their amplitudes, while correct answers combine. This process increases the probability of measuring correct results. Naturally, only a few special problems allow this choreograph.
+
+A scheme is **post-quantum secure** if it is secure against an adversary who has access to a quantum computer. Post-quantum cryptography is about classical algorithms that are believed to withstand quantum attacks.
+
+AES is probably safe, since it still takes $\mc{O}(2^{n/2})$ to solve it. (Grover's algorithm) Also, lattice-based cryptography is another candidate.
+
+## Shor's Algorithm
+
+But factorization and discrete logarithms are not safe. The core idea is that a quantum computer is very good at detecting periodicity. This is done by using the **quantum Fourier transform** (QFT).
+
+### Quantum Factorization
+
+Let $n \in \mathbb{Z}$ and $0\neq g \in \mathbb{Z}_n$. Let $\gamma_g : \mathbb{Z} \ra \mathbb{Z}_n$ be defined as $\gamma_g(\alpha) = g^\alpha$. This function is periodic, since $g^{\phi(n)} = 1$ by Euler's generalization. Also, the order of $g$ will certainly divide the period.
+
+Thus, find a period $p$, and let $t$ be the smallest positive integer such that $g^{p/2^t} \neq 1$. Then $\gcd(n, g^{p/2^t} - 1)$ is a non-trivial factor of $n$ with probability about $1/2$ over the choice of $g$. See Exercise 16.10.[^3]
+
+Shor's algorithm factors $n$ in $\mc{O}(\log^3 n)$ time. RSA is not a secure one-way trapdoor function for quantum computers.
+
+### Quantum Discrete Logarithms
+
+Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. Let $u = g^\alpha$. Consider the function $f : \mathbb{Z}^2 \ra G$ defined as
+
+$$
+f(\gamma, \delta) = g^\gamma \cdot u^\delta.
+$$
+
+The period of this function is $(\alpha, -1)$, since for all $(\gamma, \delta) \in \mathbb{Z}^2$,
+
+$$
+f(\gamma + \alpha, \delta - 1) = g^{\gamma} \cdot g^\alpha \cdot u^\delta \cdot u^{-1} = g^\gamma \cdot u^\delta = f(\gamma, \delta).
+$$
+
+This period can be found in $\mc{O}(\log^3 q)$ time. The DL assumption is false for quantum computers.
+
+(Detailed explanation to be added...)
+
+[^1]: There is one caveat. Bob gets to know the final result before Alice. If the outcome is not what he desired, he could abort the protocol in some way, like sending an invalid $c$, and go over the whole process again.
+[^2]: A commitment scheme is **malleable** if a commitment $c = (c_1, c_2)$ of a message $m$ can be transformed into a commitment $c' = (c_1, c_2 + \delta)$ of a message $m + \delta$.
+[^3]: A Graduate Course in Applied Cryptography.

_posts/Lecture Notes/Modern Cryptography/2023-11-02-zkp-intro.md

@@ -0,0 +1,113 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 12. Zero-Knowledge Proof (Introduction)
+date: 2023-11-02
+github_title: 2023-11-02-zkp-intro
+image:
+  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-12-id-protocol.png
+attachment:
+  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+---
+
+
+- In 1980s, the notion of *zero knowledge* was proposed by Shafi Goldwasser, Silvio micali and Charles Rackoff.
+- **Interactive proof systems**: a **prover** tries to convince the **verifier** that some statement is true, by exchanging messages.
+	- What if the prover is trying to trick the verifier?
+	- What if the verifier is an adversary that tries to obtain more information?
+- These proof systems are harder to build in the digital world.
+	- This is because it is easy to copy data in the digital world.
+
+## Identification Protocol
+
+![mc-12-id-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-12-id-protocol.png)
+
+> **Definition.** An **identification protocol** is a triple of algorithms $\mc{I} = (G, P, V)$ satisfying the following.
+> 
+> - $G$ is a probabilistic **key generation** algorithm that outputs $(vk, sk) \leftarrow G()$. $vk$ is the **verification key** and $sk$ is the **secret key**.
+> - $P$ is an interactive protocol algorithm called the **prover**, which takes the secret key $sk$ as an input.
+> - $V$ is an interactive protocol algorithm called the **verifier**, which takes the verification key $vk$ as an input and outputs $\texttt{accept}$ or $\texttt{reject}$.
+> 
+> For all possible outputs $(vk, sk)$ of $G$, at the end of the interaction between $P(sk)$ and $V(vk)$, $V$ outputs $\texttt{accept}$ with probability $1$.
+
+### Password Authentication
+
+A client is trying to log in, must prove its identity to the server. But the client cannot trust the server (verifier), so the client must prove itself without revealing the secret. The password is the secret in this case. The login is a *proof* that the client is who it claims to be. What should be the verification key? Setting $vk = sk$ certainly works, but the server learns the password, so this should not be used.
+
+Instead, we could set $vk = H(sk)$ by using a hash function $H$. Then the client sends the password, server computes the hash and checks if it is equal. This method still reveals the plaintext password to the server.
+
+## Example: 3-Coloring
+
+Suppose we are given a graph $G = (V, E)$, which we want to color the vertices with at most $3$ colors, so that no two adjacent vertices have the same color. This is an NP-complete problem.
+
+Bob has a graph $G$ and he is trying to $3$-color the graph. Alice shows up and claims that there is a way to $3$-color $G$. If the coloring is valid, Bob is willing to buy the solution, but he cannot trust Alice. Bob won't pay until he is convinced that Alice has a solution, and Alice won't give the solution until she receives the money. How can Alice and Bob settle this problem?
+
+### Protocol
+
+> 1. Bob gives Alice the graph $G = (V, E)$.
+> 2. Alice shuffles the colors and colors the graph. The coloring is hidden to Bob.
+> 3. Bob randomly picks a single edge $(u, v) \in E$ of this graph.
+> 4. Alice reveals the colors of $u$ and $v$.
+
+- If $u$ and $v$ have the same color, Alice is lying to Bob.
+- If they have different colors, Alice *might be* telling the truth.
+- What if Alice just sends two random colors in step $4$?
+	- We can use **commitment schemes** so that Alice cannot manipulate the colors after Bob's query.
+	- Specifically, send the colors of each $v$ using a commitment scheme.
+	- For Bob's query $(u, v)$, send the opening strings of $u$ and $v$.
+- What if Alice doesn't have a solution, but Bob picks an edge with different colors just by luck?
+	- We can repeat the protocol many times.
+	- For each protocol instance, an invalid solution can pass with probability $p = \frac{1}{\abs{E}}$.
+	- Repeat this many times, then $p^n \rightarrow 0$, so invalid solutions will pass with negligible probability.
+- Does Bob's query reveal anything about the solution?
+	- No, Alice randomizes colors for every protocol instance.
+	- Need formal definition and proof for this.[^1]
+
+## Zero Knowledge Proof (ZKP)
+
+We need three properties for a **zero-knowledge proof** (ZKP).
+
+- (**Completeness**) If the statement is true, an honest verifier must accept the fact by an honest prover.
+- (**Soundness**) If the statement is false, no cheating prover can convince an honest verifier, except with some small probability.
+- (**Zero Knowledge**) If the statement is true, no verifier (including honest and cheating) learns anything other than the truth of the statement. The statement does not reveal anything about the prover's secret.
+
+We define these formally.
+
+> **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be a relation. A statement $y \in \mc{Y}$ is **true** if $(x, y) \in \mc{R}$ for some $x \in \mc{X}$. The set of true statements
+> 
+> $$
+> L_\mc{R} = \braces{y \in \mc{Y} : \exists x \in \mc{X},\; (x, y) \in \mc{R}}
+> $$
+> 
+> is called the **language** defined by $\mc{R}$.
+
+> **Definition.** A **zero-knowledge proof** is a protocol between a prover $P(x, y)$ and a verifier $V(x)$. At the end of the protocol, the verifier either accepts or rejects.
+
+In the above definition, $y$ is the statement to prove, and $x$ is the proof of that statement, which the prover wants to hide. The prover and the verifier exchanges messages for the protocol, and this collection of interactions is called the **view** (or conversation, transcript).
+
+> **Definition.**
+> 
+> - (**Completeness**) If $(x, y) \in R$, then an honest verifier accepts with very high probability.
+> - (**Soundness**) If $y \notin L$, an honest verifier accepts with a negligible probability.
+
+But how do we define *zero knowledge*? What is *knowledge*? If the verifier learns something, the verifier obtains something that he couldn't have computed without interacting with the prover. Thus, we define zero knowledge as the following.
+
+> **Definition.** We say that a protocol is **honest verifier zero knowledge** (HVZK) if there exists an efficient algorithm $\rm{Sim}$ (simulator) on input $x$ such that the output distribution of $\rm{Sim}(x)$ is indistinguishable from the distribution of the verifier's view.
+> 
+> $$
+> \rm{Sim}(x) \approx \rm{View}_V[P(x, y) \lra V(x)]
+> $$
+
+For every verifier $V^{\ast}$, possibly dishonest, there exists a simulator $\rm{Sim}$ such that $\rm{Sim}(x)$ is indistinguishable from the verifier's view $\rm{View}_{V^{\ast}}[P(x, y) \leftrightarrow V^{\ast}(x)]$.
+
+If the proof is *zero knowledge*, the adversary can simulate conversations on his own without knowing the secret. Meaning that the adversary learns nothing from the conversation.
+
+[^1]: How to give a formal proof for HVZK...?

_posts/Lecture Notes/Modern Cryptography/2023-11-07-sigma-protocols.md

@@ -0,0 +1,476 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 13. Sigma Protocols
+date: 2023-11-07
+github_title: 2023-11-07-sigma-protocols
+image:
+  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-13-sigma-protocol.png
+attachment:
+  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+---
+
+
+The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols.
+
+## Sigma Protocols
+
+### Definition
+
+> **Definition.** An **effective relation** is a binary relation $\mc{R} \subset \mc{X} \times \mc{Y}$, where $\mc{X}$, $\mc{Y}$, $\mc{R}$ are efficiently recognizable finite sets. Elements of $\mc{Y}$ are called **statements**. If $(x, y) \in \mc{R}$, then $x$ is called a **witness for** $y$.
+
+![mc-13-sigma-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-sigma-protocol.png)
+
+> **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **sigma protocol** for $\mc{R}$ is a pair of algorithms $(P, V)$ satisfying the following.
+> 
+> - The **prover** $P$ is an interactive protocol algorithm, which takes $(x, y) \in \mc{R}$ as input.
+> - The **verifier** $V$ is an interactive protocol algorithm, which takes $y \in \mc{Y}$ as input, and outputs $\texttt{accept}$ or $\texttt{reject}$.
+> 
+> The interaction goes as follows.[^1]
+> 
+> 1. $P$ computes a **commitment** message $t$ and sends it to $V$.
+> 2. $V$ chooses a random **challenge** $c \la \mc{C}$ from a **challenge space** and sends it to $P$.
+> 3. $P$ computes a **response** $z$ and sends it to $V$.
+> 4. $V$ outputs either $\texttt{accept}$ or $\texttt{reject}$, computed strictly as a function of the statement $y$ and the **conversation** $(t, c, z)$.
+> 
+> For all $(x, y) \in \mc{R}$, at the end of the interaction between $P(x, y)$ and $V(y)$, $V(y)$ always outputs $\texttt{accept}$.
+
+- The verifier is deterministic except for choosing a random challenge $c \la \mc{C}$.
+- If the output is $\texttt{accept}$, then the conversation $(t, c, z)$ is an **accepting conversation for** $y$.
+- In most cases, the challenge space has to be super-poly. We say that the protocol has a **large challenge space**.
+
+## Soundness
+
+The **soundness** property says that it is infeasible for any prover to make the verifier accept a statement that is false.
+
+> **Definition.** Let $\Pi = (P, V)$ be a sigma protocol for $\mc{R} \subset \mc{X}\times \mc{Y}$. For a given adversary $\mc{A}$, the security game goes as follows.
+> 
+> 1. The adversary chooses a statement $y^{\ast} \in \mc{Y}$ and gives it to the challenger.
+> 2. The adversary interacts with the verifier $V(y^{\ast})$, where the challenger plays the role of verifier, and the adversary is a possibly *cheating* prover.
+> 
+> The adversary wins if $V(y^{\ast})$ outputs $\texttt{accept}$ but $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Pi$ is denoted $\rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi]$ and defined as the probability that $\mc{A}$ wins the game.
+> 
+> If the advantage is negligible for all efficient adversaries $\mc{A}$, then $\Pi$ is **sound**.
+
+### Special Soundness
+
+For sigma protocols, it suffices to require **special soundness**.
+
+> **Definition.** Let $(P, V)$ be a sigma protocol for $\mc{R} \subset \mc{X} \times \mc{Y}$. $(P, V)$ provides **special soundness** if there is an efficient deterministic algorithm $\rm{Ext}$, called a **knowledge extractor** with the following property.
+> 
+> Given a statement $y \in \mc{Y}$ and two accepting conversations $(t, c, z)$ and $(t, c', z')$ with $c \neq c'$, $\rm{Ext}$ outputs a **witness** (proof) $x \in \mc{X}$ such that $(x, y) \in \mc{R}$.
+
+The extractor efficiently finds a proof $x$ for $y \in \mc{Y}$. This means, if a possibly cheating prover $P^{\ast}$ makes $V$ accept $y$ with non-negligible probability, then $P^{\ast}$ must have known a proof $x$ for $y$. **Thus $P^{\ast}$ isn't actually a dishonest prover, he already has a proof.**
+
+Note that the commitment $t$ is the same for the two accepting conversations. The challenge $c$ and $c'$ are chosen after the commitment, so if the prover can come up with $z$ and $z'$ so that $(t, c, z)$ and $(t, c', z')$ are accepting conversations for $y$, then the prover must have known $x$.
+
+We also require that the challenge space is large, the challenger shouldn't be accepted by luck.
+
+### Special Soundness $\implies$ Soundness
+
+> **Theorem.** Let $\Pi$ be a sigma protocol with a large challenge space. If $\Pi$ provides special soundness, then $\Pi$ is sound.
+> 
+> For every efficient adversary $\mc{A}$,
+> 
+> $$
+> \rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi] \leq \frac{1}{N}
+> $$
+> 
+> where $N$ is the size of the challenge space.
+
+*Proof*. Suppose that $\mc{A}$ chooses a false statement $y^{\ast}$ and a commitment $t^{\ast}$. It suffices to show that there exists at most one challenge $c$ such that $(t^{\ast}, c, z)$ is an accepting conversation for some response $z$.
+
+If there were two such challenges $c, c'$, then there would be two accepting conversations for $y^{\ast}$, which are $(t^{\ast}, c, z)$ and $(t^{\ast}, c', z')$. Now by special soundness, there exists a witness $x$ for $y^{\ast}$, which is a contradiction.
+
+## Special Honest Verifier Zero Knowledge
+
+The conversation between $P$ and $V$ must not reveal anything.
+
+> **Definition.** Let $(P, V)$ be a sigma protocol for $\mc{R} \subset \mc{X} \times \mc{Y}$. $(P, V)$ is **special honest verifier zero knowledge** (special HVZK) if there exists an efficient probabilistic algorithm $\rm{Sim}$ (**simulator**) that satisfies the following.
+> 
+> - For all inputs $(y, c) \in \mc{Y} \times \mc{C}$, $\rm{Sim}(y, c)$ outputs a pair $(t, z)$ such that $(t, c, z)$ is always an accepting conversation for $y$.
+> - For all $(x, y) \in \mc{R}$, let $c \la \mc{C}$ and $(t, z) \la \rm{Sim}(y, c)$. Then $(t, c, z)$ has the same distribution as the conversation between $P(x, y)$ and $V(y)$.
+
+The difference is that the simulator takes an additional input $c$. Also, the simulator produces an accepting conversation even if the statement $y$ does not have a proof.
+
+Also note that **the simulator is free to generate the messages in any convenient order**.
+
+## The Schnorr Identification Protocol Revisited
+
+The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](../2023-10-26-digital-signatures/#the-schnorr-identification-protocol) for the full description.
+
+![mc-10-schnorr-identification.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
+
+> The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where
+> 
+> $$
+> \mc{X} = \bb{Z}_q, \quad \mc{Y} = G, \quad \mc{R} = \left\lbrace (\alpha, u) \in \bb{Z}_q \times G : g^\alpha = u \right\rbrace.
+> $$
+> 
+> The challenge space $\mc{C}$ is a subset of $\bb{Z}_q$.
+
+The protocol provides **special soundness**. If $(u_t, c, \alpha_z)$ and $(u_t, c', \alpha_z')$ are two accepting conversations with $c \neq c'$, then we have
+
+$$
+g^{\alpha_z} = u_t \cdot u^c, \quad g^{\alpha_z'} = u_t \cdot u^{c'},
+$$
+
+so we have $g^{\alpha_z - \alpha_z'} = u^{c - c'}$. Setting $\alpha^{\ast} = (\alpha_z - \alpha_z') /(c - c')$ satisfies $g^{\alpha^{\ast}} = u$, solving the discrete logarithm and $\alpha^{\ast}$ is a proof.
+
+As for HVZK, the simulator chooses $\alpha_z \la \bb{Z}_q$, $c \la \mc{C}$ randomly and sets $u_t = g^{\alpha_z} \cdot u^{-c}$. Then $(u_t, c, \alpha_z)$ will be accepted. *Note that the order doesn't matter.* Also, the distribution is same, since $c$ and $\alpha_z$ are uniform over $\mc{C}$ and $\bb{Z}_q$ and the choice of $c$ and $\alpha_z$ determines $u_t$ uniquely. This is identical to the distribution in the actual protocol.
+
+### Dishonest Verifier
+
+In case of dishonest verifiers, $V$ may not follow the protocol. For example, $V$ may choose non-uniform $c \in \mc{C}$ depending on the commitment $u_t$. In this case, the conversation from the actual protocol and the conversation generated by the simulator will have different distributions.
+
+We need a different distribution. The simulator must also take the verifier's actions as input, to properly simulate the dishonest verifier.
+
+### Modified Schnorr Protocol
+
+The original protocol can be modified so that the challenge space $\mc{C}$ is smaller. Completeness property is obvious, and the soundness error grows, but we can always repeat the protocol.
+
+As for zero knowledge, the simulator $\rm{Sim}_{V^{\ast}}(u)$ generates a verifier's view $(u, c, z)$ as follows.
+- Guess $c' \la \mc{C}$. Sample $z' \la \bb{Z}_q$ and set $u' = g^{z'}\cdot u^{-c'}$. Send $u'$ to $V^{\ast}$.
+- If the response from the verifier $V^{\ast}(u')$ is $c$ and $c \neq c'$, restart.
+	- $c = c'$ holds with probability $1 / \left\lvert \mc{C} \right\lvert$, since $c'$ is uniform.
+- Otherwise, output $(u, c, z) = (u', c', z')$.
+
+Sending $u'$ to $V^{\ast}$ is possible because the simulator also takes the actions of $V^{\ast}$ as input. The final output conversation has distribution identical to the real protocol execution.
+
+Overall, this modified protocol works for dishonest verifiers, at the cost of efficiency because of the increased soundness error. We have a security-efficiency tradeoff.
+
+But in most cases, it is enough to assume honest verifiers, as we will see soon.
+
+## Other Sigma Protocol Examples
+
+### Okamoto's Protocol
+
+This one is similar to Schnorr protocol. This is used for proving the representation of a group element.
+
+Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $h \in G$ be some arbitrary group element, fixed as a system parameter. A **representation** of $u$ relative to $g$ and $h$ is a pair $(\alpha, \beta) \in \bb{Z}_q^2$ such that $g^\alpha h^\beta = u$.
+
+**Okamoto's protocol** for the relation
+
+$$
+\mc{R} = \bigg\lbrace \big( (\alpha, \beta), u \big) \in \bb{Z}_q^2 \times G : g^\alpha h^\beta = u \bigg\rbrace
+$$
+
+goes as follows.
+
+![mc-13-okamoto.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-okamoto.png)
+
+> 1. $P$ computes random $\alpha_t, \beta_t \la \bb{Z}_q$ and sends commitment $u_t \la g^{\alpha_t}h^{\beta_t}$ to $V$.
+> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
+> 3. $P$ computes $\alpha_z \la \alpha_t + \alpha c$, $\beta_z \la \beta_t + \beta c$ and sends $(\alpha_z, \beta_z)$ to $V$.
+> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\alpha_z} h^{\beta_z} = u_t \cdot u^c$.
+
+Completeness is obvious.
+
+> **Theorem**. Okamoto's protocol provides special soundness and is special HVZK.
+
+*Proof*. Very similar to the proof of Schnorr. Refer to Theorem 19.9.[^2]
+
+### The Chaum-Pedersen Protocol for DH-Triples
+
+The **Chaum-Pederson protocol** is for convincing a verifier that a given triple is a DH-triple.
+
+Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. $(g^\alpha, g^\beta, g^\gamma)$ is a DH-triple if $\gamma = \alpha\beta$. Then, the triple $(u, v, w)$ is a DH-triple if and only if $v = g^\beta$ and $w = u^\beta$ for some $\beta \in \bb{Z}_q$.
+
+The Chaum-Pederson protocol for the relation
+
+$$
+\mc{R} = \bigg\lbrace \big( \beta, (u, v, w) \big) \in \bb{Z}_q \times G^3 : v = g^\beta \land w = u^\beta \bigg\rbrace
+$$
+
+goes as follows.
+
+![mc-13-chaum-pedersen.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-chaum-pedersen.png)
+
+> 1. $P$ computes random $\beta_t \la \bb{Z}_q$ and sends commitment $v_t \la g^{\beta_t}$, $w_t \la u^{\beta_t}$ to $V$.
+> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
+> 3. $P$ computes $\beta_z \la \beta_t + \beta c$, and sends it to $V$.
+> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\beta_z} = v_t \cdot v^c$ and $u^{\beta_z} = w_t \cdot w^c$.
+
+Completeness is obvious.
+
+> **Theorem.** The Chaum-Pedersen protocol provides special soundness and is special HVZK.
+
+*Proof*. Also similar. See Theorem 19.10.[^2]
+
+This can be used to prove that an ElGamal ciphertext $c = (u, v) = (g^k, h^k \cdot m)$ is an encryption of $m$ with public key $h = g^\alpha$, without revealing the private key or the ephemeral key $k$. If $(g^k, h^k \cdot m)$ is a valid ciphertext, then $(h, u, vm^{-1}) = (g^\alpha, g^k, g^{\alpha k})$ is a valid DH-triple.
+
+### Sigma Protocol for Arbitrary Linear Relations
+
+Schnorr, Okamoto, Chaum-Pedersen protocols look similar. They are special cases of a generic sigma protocol for proving a linear relation among group elements. Read more in Section 19.5.3.[^2]
+
+### Sigma Protocol for RSA
+
+Let $(n, e)$ be an RSA public key, where $e$ is prime. The **Guillou-Quisquater** (GQ) protocol is used to convince a verifier that he knows an $e$-th root of $y \in \bb{Z}_n^{\ast}$.
+
+The Guillou-Quisquater protocol for the relation
+
+$$
+\mc{R} = \bigg\lbrace (x, y) \in \big( \bb{Z}_n^{\ast} \big)^2 : x^e = y \bigg\rbrace
+$$
+
+goes as follows.
+
+![mc-13-gq-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-gq-protocol.png)
+
+> 1. $P$ computes random $x_t \la \bb{Z}_n^{\ast}$ and sends commitment $y_t \la x_t^e$ to $V$.
+> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
+> 3. $P$ computes $x_z \la x_t \cdot x^c$ and sends it to $V$.
+> 4. $V$ outputs $\texttt{accept}$ if and only if $x_z^e = y_t \cdot y^c$.
+
+Completeness is obvious.
+
+> **Theorem.** The GQ protocol provides special soundness and is special HVZK.
+
+*Proof*. Also similar. See Theorem 19.13.[^2]
+
+## Combining Sigma Protocols
+
+Using the basic sigma protocols, we can build sigma protocols for complex statements.
+
+### AND-Proof Construction
+
+The construction is straightforward, since we can just prove both statements.
+
+Given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$, we construct a sigma protocol for the relation $\mc{R}_\rm{AND}$ defined on $(\mc{X}_0 \times \mc{X}_1) \times (\mc{Y}_0 \times \mc{Y}_1)$ as
+
+$$
+\mc{R}_\rm{AND} = \bigg\lbrace \big( (x_0, x_1), (y_0, y_1) \big) : (x_0, y_0) \in \mc{R}_0 \land (x_1, y_1) \in \mc{R}_1 \bigg\rbrace.
+$$
+
+Given a pair of statements $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$, the prover tries to convince the verifier that he knows a proof $(x_0, x_1) \in \mc{X}_0 \times \mc{X}_1$. This is equivalent to proving the AND of both statements.
+
+> 1. $P$ runs $P_i(x_i, y_i)$ to get a commitment $t_i$. $(t_0, t_1)$ is sent to $V$.
+> 2. $V$ computes challenge $c \la C$ and sends it to $P$.
+> 3. $P$ uses the challenge for both $P_0, P_1$, obtains response $z_0$, $z_1$, which is sent to $V$.
+> 4. $V$ outputs $\texttt{accept}$ if and only if $(t_i, c, z_i)$ is an accepting conversation for $y_i$.
+
+Completeness is clear.
+
+> **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the AND protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
+
+*Proof*. For special soundness, let $\rm{Ext}_0$, $\rm{Ext}_1$ be the knowledge extractor for $(P_0, V_0)$ and $(P_1, V_1)$, respectively. Then the knowledge extractor $\rm{Ext}$ for $(P, V)$ can be constructed straightforward. For statements $(y_0, y_1)$, suppose that $\big( (t_0, t_1), c, (z_0, z_1) \big)$ and $\big( (t_0, t_1), c', (z_0', z_1') \big)$ are two accepting conversations. Feed $\big( y_0, (t_0, c, z_0), (t_0, c', z_0') \big)$ to $\rm{Ext}_0$, and feed $\big( y_1, (t_1, c, z_1), (t_1, c', z_1') \big)$ to $\rm{Ext}_1$.
+
+For special HVZK, let $\rm{Sim}_0$ and $\rm{Sim}_1$ be simulators for each protocol. Then the simulator $\rm{Sim}$ for $(P, V)$ is built by using $(t_0, z_0) \la \rm{Sim}_0(y_0, c)$ and $(t_1, z_1) \la \rm{Sim}_1(y_1, c)$. Set
+
+$$
+\big( (t_0, t_1), (z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
+$$
+
+We have used the fact that the challenge is used for both protocols.
+
+### OR-Proof Construction
+
+However, OR-proof construction is difficult. The prover must convince the verifier that either one of the statement is true, but **should not reveal which one is true.**
+
+If the challenge is known in advance, the prover can cheat. We exploit this fact. For the proof of $y_0 \lor y_1$, do the real proof for $y_b$ and cheat for $y_{1-b}$.
+
+Suppose we are given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim}_0$ and $\rm{Sim}_1$.
+
+We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on ${} \big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1) {}$ as
+
+$$
+\mc{R}_\rm{OR} = \bigg\lbrace \big( (b, x), (y_0, y_1)  \big): (x, y_b) \in \mc{R}_b\bigg\rbrace.
+$$
+
+Here, $b$ denotes the actual statement $y_b$ to prove. For $y_{1-b}$, we cheat.
+
+> $P$ is initialized with $\big( (b, x), (y_0, y_1) \big) \in \mc{R}_\rm{OR}$ and $V$ is initialized with $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$. Let $d = 1 - b$.
+> 
+> 1. $P$ computes $c_d \la \mc{C}$ and $(t_d, z_d) \la \rm{Sim}_d(y_d, c_d)$.
+> 2. $P$ runs $P_b(x, y_b)$ to get a real commitment $t_b$ and sends $(t_0, t_1)$ to $V$.
+> 3. $V$ computes challenge $c \la C$ and sends it to $P$.
+> 4. $P$ computes $c_b \la c \oplus c_d$, feeds it to $P_b(x, y_b)$ obtains a response $z_b$.
+> 5. $P$ sends $(c_0, z_0, z_1)$ to $V$.
+> 6. $V$ computes $c_1 \la c \oplus c_0$, and outputs $\texttt{accept}$ if and only if $(t_0, c_0, z_0)$ is an accepting conversation for $y_0$ and $(t_1, c_1, z_1)$ is an accepting conversation for $y_1$.
+
+Step $1$ is the cheating part, where the prover chooses a challenge, and generates a commitment and a response from the simulator.
+
+Completeness follows from the following.
+- $c_b = c \oplus c_{1-b}$, so $c_1 = c \oplus c_0$ always holds.
+- Both conversations $(t_0, c_0, z_0)$ and $(t_1, c_1, z_1)$ are accepted.
+	- An actual proof is done for statement $y_b$.
+	- For statement $y_{1-b}$, the simulator always outputs an accepting conversation.
+
+$c_b = c \oplus c_d$ is random, so $P$ cannot manipulate the challenge. Also, $V$ checks $c_1 = c \oplus c_0$.
+
+> **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the OR protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
+
+*Proof*. For special soundness, suppose that $\rm{Ext}_0$ and $\rm{Ext}_1$ are knowledge extractors. Let
+
+$$
+\big( (t_0, t_1), c, (c_0, z_0, z_1) \big), \qquad \big( (t_0, t_1), c', (c_0', z_0', z_1') \big)
+$$
+
+be two accepting conversations with $c \neq c'$. Define $c_1 = c \oplus c_0$ and $c_1' = c' \oplus c_0'$. Since $c \neq c'$, it must be the case that either $c_0 \neq c_0'$ or $c_1 \neq c_1'$. Now $\rm{Ext}$ will work as follows.
+
+- If $c_0 \neq c_0'$, output $\bigg( 0, \rm{Ext}_0\big( y_0, (t_0, c_0, z_0), (t_0, c_0', z_0') \big) \bigg)$.
+- If $c_1 \neq c_1'$, output $\bigg( 1, \rm{Ext}_1\big( y_1, (t_1, c_1, z_1), (t_1, c_1', z_1') \big) \bigg)$.
+
+Then $\rm{Ext}$ will extract the knowledge.
+
+For special HVZK, define $c_0 \la \mc{C}$, $c_1 \la c \oplus c_0$. Then run each simulator to get
+
+$$
+(t_0, z_0) \la \rm{Sim}_0(y_0, c_0), \quad (t_1, z_1) \la \rm{Sim}_1(y_1, c_1).
+$$
+
+Then the simulator for $(P, V)$ outputs
+
+$$
+\big( (t_0, t_1), (c_0, z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
+$$
+
+The simulator just simulates for both of the statements and returns the messages as in the protocol. $c_b$ is random, and the remaining values have the same distribution since the original two protocols were special HVZK.
+
+### Example: OR of Sigma Protocols with Schnorr Protocol
+
+Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. The prover wants to convince the verifier that he knows the discrete logarithm of either $h_0$ or $h_1$ in $G$.
+
+Suppose that the prover knows $x_b \in \bb{Z}_q$ such that $g^{x_b} = h_b$.
+
+> 1. Choose $c_{1-b} \la \mc{C}$ and call simulator of $1-b$ to obtain $(u_{1-b}, z_{1-b}) \la \rm{Sim}_{1-b}$.
+> 2. $P$ sends two commitments $u_0, u_1$.
+> 	- For $u_b$, choose random $y \la \bb{Z}_q$ and set $u_b = g^y$.
+> 	- For $u_{1-b}$, use the value from the simulator.
+> 3. $V$ sends a single challenge $c \la \mc{C}$.
+> 4. Using $c_{1-b}$, split the challenge into $c_0$, $c_1$ so that they satisfy $c_0 \oplus c_1 = c$. Then send $(c_0, c_1, z_0, z_1)$ to $V$.
+> 	- For $z_b$, calculate $z_b \la y + c_b x$.
+> 	- For $z_{1-b}$, use the value from the simulator.
+> 5. $V$ checks if $c = c_0 \oplus c_1$. $V$ accepts if and only if $(u_0, c_0, z_0)$ and $(u_1, c_1, z_1)$ are both accepting conversations.
+
+- Since $c, c_{1-b}$ are random, $c_b$ is random. Thus one of the proofs must be valid.
+
+### Generalized Constructions
+
+See Exercise 19.26 and 19.28.[^2]
+
+## Non-interactive Proof Systems
+
+Sigma protocols are interactive proof systems, but we can convert them into **non-interactive proof systems** using the **Fiat-Shamir transform**.
+
+First, the definition of non-interactive proof systems.
+
+> **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **non-interactive proof system** for $\mc{R}$ is a pair of algorithms $(G, V)$ satisfying the following.
+> 
+> - $G$ is an efficient probabilistic algorithm that generates the proof as $\pi \la G(x, y)$ for $(x, y) \in \mc{R}$. $\pi$ belongs to some proof space $\mc{PS}$.
+> - $V$ is an efficient deterministic algorithm that verifies the proof as $V(y, \pi)$ where $y \in \mc{Y}$ and $\pi \in \mc{PS}$. $V$ outputs either $\texttt{accept}$ or $\texttt{reject}$. If $V$ outputs $\texttt{accept}$, $\pi$ is a **valid proof** for $y$.
+> 
+> For all $(x, y) \in \mc{R}$, the output of $G(x, y)$ must be a valid proof for $y$.
+
+### Non-interactive Soundness
+
+Intuitively, it is hard to create a valid proof of a false statement.
+
+> **Definition.** Let $\Phi = (G, V)$ be a non-interactive proof system for $\mc{R} \subset \mc{X} \times \mc{Y}$ with proof space $\mc{PS}$. An adversary $\mc{A}$ outputs a statement $y^{\ast} \in \mc{Y}$ and a proof $\pi^{\ast} \in \mc{PS}$ to attack $\Phi$.
+> 
+> The adversary wins if $V(y^{\ast}, \pi^{\ast}) = \texttt{accept}$ and $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Phi$ is defined as the probability that $\mc{A}$ wins, and is denoted as $\rm{Adv}_{\rm{niSnd}}[\mc{A}, \Phi]$.
+> 
+> If the advantage is negligible for all efficient adversaries $\mc{A}$, $\Phi$ is **sound**.
+
+### Non-interactive Zero Knowledge
+
+Omitted.
+
+## The Fiat-Shamir Transform
+
+The basic idea is **using a hash function to derive a challenge**, instead of a verifier. Now the only job of the verifier is checking the proof, requiring no interaction for the proof.
+
+> **Definition.** Let $\Pi = (P, V)$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$. Suppose that conversations $(t, c, z) \in \mc{T} \times \mc{C} \times \mc{Z}$. Let $H : \mc{Y} \times \mc{T} \rightarrow \mc{C}$ be a hash function.
+> 
+> Define the **Fiat-Shamir non-interactive proof system** $\Pi_\rm{FS} = (G_\rm{FS}, V_\rm{FS})$ with proof space $\mc{PS} = \mc{T} \times \mc{Z}$ as follows.
+> 
+> - For input $(x, y) \in \mc{R}$, $G_\rm{FS}$ runs $P(x, y)$ to obtain a commitment $t \in \mc{T}$. Then computes the challenge $c = H(y, t)$, which is fed to $P(x, y)$, obtaining a response $z \in \mc{Z}$. $G_\rm{FS}$ outputs $(t, z) \in \mc{T} \times \mc{Z}$.
+> - For input $\big( y, (t, z) \big) \in \mc{Y} \times (\mc{T} \times \mc{Z})$, $V_\rm{FS}$ verifies that $(t, c, z)$ is an accepting conversation for $y$, where $c = H(y, t)$.
+
+Any sigma protocol can be converted into a non-interactive proof system. Its completeness is automatically given by the completeness of the sigma protocol.
+
+By modeling the hash function as a random oracle, we can show that:
+- If the sigma protocol is sound, then so is the non-interactive proof system.[^3]
+- If the sigma protocol is special HVZK, then running the non-interactive proof system does not reveal any information about the secret.
+
+### Implications
+
+- No interactions are required, resulting in efficient protocols with lower round complexity.
+- No need to consider dishonest verifiers, since prover chooses the challenge. The verifier only verifies.
+- In distributed systems, a single proof can be used multiple times.
+
+### Soundness of the Fiat-Shamir Transform
+
+> **Theorem.** Let $\Pi$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$, and let $\Pi_\rm{FS}$ be the Fiat-Shamir non-interactive proof system derived from $\Pi$ with hash function $H$. If $\Pi$ is sound and $H$ is modeled as a random oracle, then $\Pi_\rm{FS}$ is also sound.
+> 
+> Let $\mc{A}$ be a $q$-query adversary attacking the soundness of $\Pi_\rm{FS}$. There exists an adversary $\mc{B}$ attacking the soundness of $\Pi$ such that
+> 
+> $$
+> \rm{Adv}_{\rm{niSnd^{ro}}}[\mc{A}, \Pi_\rm{FS}] \leq (q + 1) \rm{Adv}_{\rm{Snd}}[\mc{B}, \Pi].
+> $$
+
+*Proof Idea*. Suppose that $\mc{A}$ produces a valid proof $(t^{\ast}, z^{\ast})$ on a false statement $y^{\ast}$. Without loss of generality, $\mc{A}$ queries the random oracle at $(y^{\ast}, t^{\ast})$ within $q+1$ queries. Then $\mc{B}$ guesses which of the $q+1$ queries is the relevant one. If $\mc{B}$ guesses the correct query, the conversation $(t^{\ast}, c, z^{\ast})$ will be accepted and $\mc{B}$ succeeds. The factor $q+1$ comes from the choice of $\mc{B}$.
+
+### Zero Knowledge of the Fiat-Shamir Transform
+
+Omitted. Works...
+
+### The Fiat-Shamir Signature Scheme
+
+Now we understand why the [Schnorr signature scheme](../2023-10-26-digital-signatures/#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes.
+
+We need $3$ building blocks.
+
+- A sigma protocol $(P, V)$ with conversations of the form $(t, c, z)$.
+- A key generation algorithm $G$ for $\mc{R}$, that outputs $pk = y$, $sk = (x, y) \in \mc{R}$.
+- A hash function $H : \mc{M} \times \mc{T} \rightarrow \mc{C}$, modeled as a random oracle.
+
+> **Definition.** The **Fiat-Shamir signature scheme** derived from $G$ and $(P, V)$ works as follows.
+> 
+> - Key generation: invoke $G$ so that $(pk, sk) \la G()$.
+> 	- $pk = y \in \mc{Y}$ and $sk = (x, y) \in \mc{R}$.
+> - Sign: for message $m \in \mc{M}$
+> 	1. Start the prover $P(x, y)$ and obtain the commitment $t \in \mc{T}$.
+> 	2. Compute the challenge $c \la H(m, t)$.
+> 	3. $c$ is fed to the prover, which outputs a response $z$.
+> 	4. Output the signature $\sigma = (t, z) \in \mc{T} \times \mc{Z}$.
+> - Verify: with the public key $pk = y$, compute $c \la H(m, t)$ and check that $(t, c, z)$ is an accepting conversation for $y$ using $V(y)$.
+
+If an adversary can come up with a forgery, then the underlying sigma protocol is not secure.
+
+### Example: Voting Protocol
+
+$n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn the sum of the votes, but we want to keep the votes secret for each party.
+
+We can use the [multiplicative ElGamal encryption](../2023-10-19-public-key-encryption/#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$.
+
+Each voter encrypts the vote $b_i$ and the ciphertext is
+
+$$
+(u_i, v_i) = (g^{\beta_i}, h^{\beta_i} \cdot g^{b_i})
+$$
+
+where $\beta_i \la\bb{Z}_q$. The vote tallying center aggregates all ciphertexts my multiplying everything. No need to decrypt yet. Then
+
+$$
+(u^{\ast}, v^{\ast}) = \left( \prod_{i=1}^n g^{\beta_i}, \prod_{i=1}^n h^{\beta_i} \cdot g^{b_i} \right) = \big( g^{\beta^{\ast}}, h^{\beta^{\ast}} \cdot g^{b^{\ast}} \big),
+$$
+
+where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. Now decrypt $(u^{\ast}, v^{\ast})$ and publish the result $b^{\ast}$.[^4]
+
+Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value.
+
+To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
+
+[^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*.
+[^2]: A Graduate Course in Applied Cryptography.
+[^3]: The challenge is chosen after the commitment, making it random.
+[^4]: To find $b^{\ast}$, one has to solve the discrete logarithm, but for realistic $n$, we can brute force this.

_posts/Lecture Notes/Modern Cryptography/2023-11-09-secure-mpc.md

@@ -0,0 +1,188 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 14. Secure Multiparty Computation
+date: 2023-11-09
+github_title: 2023-11-09-secure-mpc
+---
+
+
+## Secure Multiparty Computation (MPC)
+
+Suppose we have a function $f$ that takes $n$ inputs and produces $m$ outputs.
+
+$$
+(y_1, \dots, y_m) = f(x_1, \dots, x_n).
+$$
+
+$N$ parties $P_1, \dots, P_N$ are trying to evaluate this function with a protocol. Each $x_i$ is submitted by one of the parties, and each output $y_j$ will be given to one or more parties.
+
+In **secure multiparty computation** (MPC), we wish to achieve some security functionalities.
+
+- **Privacy**: no party learns anything about any other party's inputs, except for the information in the output.
+- **Soundness**: honest parties compute correct outputs.
+- **Input independence**: all parties must choose their inputs independently of other parties' inputs.
+
+Security must hold even if there is any adversarial behavior in the party.
+
+### Example: Secure Summation
+
+Suppose we have $n$ parties $P_1, \dots, P_n$ with private values $x_1, \dots, x_n$. We would like to *securely* compute the sum $s = x_1 + \cdots + x_n$.
+
+> 1. Choose $M$ large enough so that $M > s$.
+> 2. $P_1$ samples $r \la \Z_M$ and computes $s_1 = r + x_1 \pmod M$ and sends it to $P_2$.
+> 3. In the same manner, $P_i$ computes $s_i = s_{i-1} + x_i \pmod M$ and sends it to $P_{i+1}$.
+> 4. As the final step, $s_n$ is returned to $P_1$, where he outputs $s = s_n - r \pmod M$.
+
+This protocol seems secure since $r$ is a random noise added to the actual partial sum. But the security actually depends on how we model adversarial behavior.
+
+Consider the case where parties $P_2$ and $P_4$ team up (collusion). These two can share information between them. They have the following:
+
+- $P_2$ has $s_1$, $s_2$, $x_2$.
+- $P_4$ has $s_3$, $s_4$, $x_4$.
+
+Using $s_2$ and $s_3$, they can compute $x_3 = s_3 - s_2$ and obtain the input of $P_3$. This violates privacy. Similarly, if $P_i$ and $P_j$ team up, the can compute the partial sum
+
+$$
+s_{j - 1} - s_{i} = x_{i+1} + \cdots + x_{j-1}
+$$
+
+which leaks information about the inputs of $P_{i+1}, \dots, P_{j-1}$.
+
+## Modeling Adversaries for Multiparty Computation
+
+The adversary can decide not to follow the protocol and perform arbitrarily.
+
+- **Semi-honest** adversaries follows the protocol and tries to learn more information by inspecting the communication.
+- **Malicious** adversaries can behave in any way, unknown to us.
+
+Semi-honest adversaries are similar to *passive* adversaries, whereas malicious adversaries are similar to *active* adversaries.
+
+We can also model the **corruption strategy**. Some parties can turn into an adversary during the protocol.
+
+- In **static** corruptions, the set of adversarial parties is fixed throughout the execution.
+- In **adaptive** corruptions, the adversary corrupts parties during the execution, based on the information gained from the protocol execution.
+
+We can decide how much computational power to give to the adversary. For *computational security*, an adversary must be efficient, only polynomial time strategies are allowed. For *information-theoretic security*, an adversary has unbounded computational power.
+
+We will only consider **semi-honest** adversaries with **static** corruptions.
+
+## Defining Security for Multiparty Computation
+
+The idea is the following.
+
+> An attack on the protocol in the **real world** is equivalent to some attack on the protocol in an **ideal world** in which no damage can be done.
+
+In the **ideal world**, we use a trusted party to implement a protocol. All parties, both honest and corrupted, submit their input to the trusted party. Since the trusted party is not corrupted, the protocol is safe.
+
+In the **real world**, there is no trusted party and parties must communicate with each other using a protocol.
+
+Thus, a secure protocol must provide security in the real world that is equivalent to that in the ideal world. The definition is saying the following: **there is no possible attack in the ideal world, so there is no possible attack in the real world**. This kind of definition implies privacy, soundness and input independence.
+
+> For every efficient adversary $\mc{A}$ in the real world, there exists an *equivalent* efficient adversary $\mc{S}$ (usually called a **simulator**) in the ideal world.
+
+### Semi-Honest & Static Corruption
+
+- The *view* of a party consists of its input, random tape and the list of messages obtained from the protocol.
+	- The view of an adversary is the union of views of corrupted parties.
+	- If an adversary learned anything from the protocol, it must be efficiently computable from its view.
+- If a protocol is secure, it must be possible in the ideal world to generate something indistinguishable from the real world adversary's view.
+	- In the ideal world, the adversary's view consists of inputs/outputs to and from the trusted party.
+	- An adversary in the ideal world must be able to generate a view equivalent to the real world view. We call this ideal world adversary a **simulator**.
+	- If we show the existence of a simulator, a real world adversary's ability is the same as an adversary in the ideal world.
+
+> **Definition.** Let $\mc{A}$ be the set of parties that are corrupted, and let $\rm{Sim}$ be a simulator algorithm.
+> - $\rm{Real}(\mc{A}; x_1, \dots, x_n)$: each party $P_i$ runs the protocol with private input $x_i$. Let $V_i$ be the final view of $P_i$. Output $\braces{V_i : i \in \mc{A}}$.
+> - $\rm{Ideal}_\rm{Sim}(x_1, \dots, x_n)$: output $\rm{Sim}(\mc{A}; \braces{(x_i, y_i) : i \in \mc{A}})$.
+> 
+> A protocol is **secure against semi-honest adversaries** if there exists a simulator such that for every subset of corrupted parties $\mc{A}$, its views in the real and ideal worlds are indistinguishable.
+
+## Oblivious Transfer (OT)
+
+This is a building block for building any MPC.
+
+Suppose that the sender has data $m_1, \dots, m_n \in \mc{M}$, and the receiver has an index $i \in \braces{1, \dots, n}$. The sender wants to send exactly one message and hide others. Also, the receiver wants to hide which message he received.
+
+This problem is called 1-out-of-$n$ **oblivious transfer** (OT).
+
+### 1-out-of-2 OT Construction from ElGamal Encryption
+
+We show an example of 1-out-of-2 OT using the ElGamal encryptions scheme. We use a variant where a hash function is used in encryption.
+
+It is known that $k$-out-of-$n$ OT is constructible from 1-out-of-2 OTs.
+
+> Suppose that the sender Alice has messages $x_0, x_1 \in \braces{0, 1}\conj$, and the receiver Bob has a choice $\sigma \in \braces{0, 1}$.
+> 
+> 1. Bob chooses $sk = \alpha \la \Z_q$ and computes ${} h = g^\alpha {}$, and chooses $h' \la G$.
+> 2. Bob sets $pk_\sigma = h$ and $pk_{1-\sigma} = h'$ and sends $(pk_0, pk_1)$ to Alice.
+> 3. Alice encrypts each $x_i$ using $pk_i$, obtains two ciphertexts.
+> 	- $\beta_0, \beta_1 \la \Z_q$.
+> 	- $c_0 = \big( g^{\beta_0}, H(pk_0^{\beta_0}) \oplus x_0 \big)$, $c_1 = \big( g^{\beta_1}, H(pk_1^{\beta_1}) \oplus x_1 \big)$.
+> 4. Alice sends $(c_0, c_1)$ to Bob.
+> 5. Bob decrypts $c_\sigma$ with $sk$ to get $x_\sigma$.
+
+Correctness is obvious.
+
+Alice's view contains the following: $x_0, x_1, pk_0, pk_1, c_0, c_1$. Among these, $pk_0, pk_1$ are the received values from Bob. But these are random group elements, so she learns nothing about $\sigma$. The simulator can choose two random group elements to simulate Alice.
+
+Bob's view contains the following: $\sigma, \alpha, g^\alpha, h', c_0, c_1, x_\sigma$. He only knows one private key, so he only learns $x_\sigma$, under the DL assumption. (He doesn't have the discrete logarithm for $h'$) The simulator must simulate $c_0, c_1$, so it encrypts $x_\sigma$ with $pk_\sigma$, and as for $x_{1-\sigma}$, a random message is encrypted with $pk_{1-\sigma}$. This works because the encryption scheme is semantically secure, meaning that it doesn't reveal any information about the underlying message.
+
+The above works for **semi-honest** parties. To prevent malicious behavior, we fix the protocol a bit.
+
+> 1. Alice sends a random $w \la G$ first.
+> 2. Bob must choose $h$ and $h'$ so that $hh' = w$. $h$ is chosen the same way, and $h' = wh\inv$ is computed.
+> 
+> The remaining steps are the same, except that Alice checks if $pk_0 \cdot pk_1 = w$.
+
+Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose ${} \alpha' \la \Z_q {}$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c_0, c_1$, revealing $x_0, x_1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior.
+
+### 1-out-of-$n$ OT Construction from ElGamal Encryption
+
+Let $m_1, \dots, m_n \in \mc{M}$ be the messages to send, and let $i$ be an index. We will use ElGamal encryption on a cyclic group $G = \span{g}$ of prime order, with a hash function and a semantically secure symmetric cipher $(E_S, D_S)$.
+
+> 1. Alice chooses $\beta \la \Z_q$, computes $v \la g^\beta$ and sends $v$ to Bob.
+> 2. Bob chooses $\alpha \la \Z_q$, computes $u \la g^\alpha v^{-i}$ and sends $u$ to Alice.
+> 3. For $j = 1, \dots, n$, Alice computes the following.
+> 	- Compute $u_j \la u \cdot v^j = g^\alpha v^{j-i}$ as the public key for the $j$-th message.
+> 	- Encrypt $m_j$ as $(g^\beta, c_j)$, where $c_j \la E_S\big( H(g^\beta, u_j^\beta), m_j \big)$.
+> 4. Alice sends $(c_1, \dots, c_n)$ to Bob.
+> 5. Bob decrypts $c_i$ as follows.
+> 	- Compute symmetric key $k \la H(v, v^\alpha)$ where $v = g^\beta$ from step $1$.
+> 	- $m_i \la D_S(k, c_i)$.
+
+Note that all ciphertexts $c_j$ were created from the same ephemeral key $\beta \in \Z_q$.
+
+For correctness, we check that Bob indeed receives $m_i$ from the above protocol. Check that $u_i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u_i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c_i = E_S\big( H(g^\beta, u_i^\beta), m_i \big) = E_S\big( H(v, v^\alpha), m_i \big)$, the decryption gives ${} m_i {}$.
+
+Now is this oblivious? All that Alice sees is $u = g^\alpha v^{-i}$ from Bob. Since $\alpha \la \Z_q$, $u$ is uniformly distributed over elements of $G$. Alice learns no information about $i$.
+
+As for Bob, we need the **CDH assumption**. Suppose that Bob can query $H$ on two different ciphertexts $c_{j_1}, c_{j_2}$. Then he knows
+
+$$
+u_{j_1}^\beta/u_{j_2}^\beta = v^{\beta(j_1 - j_2)},
+$$
+
+and by raising both to the $(j_1 - j_2)\inv$ power (inverse in $\Z_q$), he can compute $v^\beta = g^{\beta^2}$. Thus, Bob has computed $g^{\beta^2}$ from $g^\beta$, and this breaks the CDH assumption.[^1] Thus Bob cannot query $H$ on two points, and is unable to decrypt two ciphertexts. He only learns $m_i$.
+
+### OT for Computing $2$-ary Function with Finite Domain
+
+We can use an OT for computing a $2$-ary function with finite domain.
+
+Let $f : X_1 \times X_2 \ra Y$ be a deterministic function with $X_1$, $X_2$ both finite. There are two parties ${} P_1, P_2 {}$ with inputs $x_1, x_2$, and they want to compute $f(x_1, x_2)$ without revealing their input.
+
+Then we can use $1$-out-of-$\abs{X_2}$ OT to securely compute $f(x_1, x_2)$. Without loss of generality, suppose that $P_1$ is the sender.
+
+${} P_1$ computes $y_x =f(x_1, x)$ for all $x \in X_2$, resulting in $\abs{X_2}$ messages. Then $P_1$ performs 1-out-of-$\abs{X_2}$ OT with $P_2$. The value of $x_2$ will be used as the choice of $P_2$, which will be oblivious to $P_1$.[^2]
+
+This method is inefficient, so we have better methods!
+
+[^1]: Given $g^\alpha, g^\beta$, compute $g^{\alpha + \beta}$. Then compute $g^{\alpha^2}, g^{\beta^2}, g^{(\alpha+\beta)^2}$, and obtain $g^{2\alpha\beta}$. Exponentiate by $2\inv \in \Z_q$ to find $g^{\alpha\beta}$.
+[^2]: Can $P_1$ learn the value of $x_2$ from the final output $y_{x_2} = f(x_1, x_2)$?

_posts/Lecture Notes/Modern Cryptography/2023-11-14-garbled-circuits.md

@@ -0,0 +1,157 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 15. Garbled Circuits
+date: 2023-11-14
+github_title: 2023-11-14-garbled-circuits
+---
+
+
+A simple solution for two party computation would be to use oblivious transfers as noted [here](../2023-11-09-secure-mpc/#ot-for-computing-2-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation.
+
+The term **garbled circuit** was used by Beaver-Micali-Rogaway (BMR), presenting a multiparty protocol using a similar approach to Yao's protocol.
+
+## Yao's Protocol
+
+This protocol is for **general secure two party computation**. By general, it means that the protocol can securely compute any functionality. The protocol works on boolean circuits using AND/OR gates, which can be extended to arbitrary circuits, such as addition, multiplication, etc. This protocol takes **constant number of rounds**, and is secure for semi-honest parties.
+
+A plain circuit would be evaluated by giving raw values $0/1$ to the input wires. These inputs will be evaluated through the gates, and the output is fed to another gate, and so on. But for *secure computation*, we require that **no party learns the values of any internal wires**.
+
+**Yao's protocol** is a compiler which transforms a circuit so that all information is hidden except for the final output.
+
+## Garbled Circuits
+
+A **garbled circuit** is an *encrypted circuit*, with a pair of keys for each wire. For each gate, a key is given for each of the input wires. Using the keys, it is possible to compute the key of the gate output, but nothing else can be learned. For this process, we will use **oblivious transfer**.
+
+### Constructing a Garbled Circuit
+
+The garbler first encrypts the circuit. First, assign two keys, called **garbled values**, to each wire of the circuit.
+
+Suppose we have an AND gate, where $C = \rm{AND}(A, B)$. For the wire $A$, the garbler assigns $A_0, A_1$, each for representing the bit $0$ and $1$. Note that this mapping is known only to the garbler. Similar process is done for wires $B$ and $C$.
+
+Then we have the following garbled values, as in columns 1 to 3. Now, encrypt the values of $C$ with a semantically secure scheme $E$, and obtain the $4$th column. Then, permute the rows in random order so that it is indistinguishable.
+
+|$A$|$B$|$C$|$C = \rm{AND}(A, B)$|
+|:-:|:-:|:-:|:-:|
+|$A_0$|$B_0$|$C_0$|$E(A_0 \parallel B_0, C_0)$|
+|$A_0$|$B_1$|$C_0$|${} E(A_0 \parallel B_1, C_0) {}$|
+|$A_1$|$B_0$|$C_0$|$E(A_1 \parallel B_0, C_0)$|
+|$A_1$|$B_1$|$C_1$|$E(A_1 \parallel B_1, C_1)$|
+
+For evaluation, the **last column** will be given to the other party as the representation of the **garbled gate**. The inputs will be given as $A_x$ and $B_y$, but the evaluator will have no idea about the actual value of $x$ and $y$, hiding the actual input value. Although he doesn't know the underlying bit values, the evaluator is able to compute $C_z$ where $z = x \land y$. Similarly, the evaluator will not know whether $z$ is $0$ or $1$, hiding the output or intermediate values.
+
+The above *garbling* process is done for all gates. For the last output gate, the garbler keeps a **output translation table** to himself, that maps $0$ to $C_0$ and $1$ to $C_1$. This is used for recovering the bit, when the evaluation is done and the evaluator sends the final garbled value.
+
+> In summary, given a boolean circuit,
+> 1. Assign garbled values to all wires in the circuit.
+> 2. Construct garbled gates using the garbled values.
+
+Note that the evaluator learns nothing during the evaluation.
+
+### Evaluating a Garbled Circuit
+
+There is a slight problem here. In some encryption schemes, a ciphertext can be decrypted by an incorrect key. If the above encryptions are in arbitrary order, how does the evaluator know if he decrypted the correct one?
+
+One method is to add **redundant zeros** to the $C_k$. Then the last column would contain $E\big( A_i \pll B_j, C_k \pll 0^n \big)$. Then when the evaluator decrypts these ciphertexts, the probability of getting redundant zeros with an incorrect key would be negligible. But with this method, all four ciphertexts have to be decrypted in the worst case.
+
+Another method is adding a bit to signal which ciphertext to decrypt. This method is called **point-and-permute**. The garbler chooses a random bit $b_A$ for each wire $A$. Then when drawing $A_0, A_1$, set the first bit (MSB) to $b_A$ and $1 - b_A$, respectively. Next, the ciphertexts are sorted in the order of $b_A$ and $b_B$. Then the evaluator can exploit this information during evaluation.
+
+For example, if the evaluator has $X$ and $Y$ such that $\rm{MSB}(X) = 0$ and $\rm{MSB}(Y) = 1$, then choose the second ($01$ in binary) ciphertext entry to decrypt.
+
+This method does not reduce security, since the bits $b_A$, $b_B$ are random. Also, now the evaluator doesn't have to decrypt all four ciphertexts, reducing the evaluation load.
+
+## Protocol Description
+
+> Suppose we have garbler Alice and evaluator Bob.
+> 
+> 1. Alice garbles the circuit, generating garbled values and gates.
+> 2. Garbled gate tables and the garbled values of Alice's inputs are sent to Bob.
+> 3. For Bob's input wire $B$, Alice and Bob run an 1-out-of-2 OT protocol.
+> 	- Alice provides $B_0$ and $B_1$ to the OT.
+> 	- Bob inputs his input bit $b$ to the OT, and Bob now has $B_b$.
+> 4. Bob has garbled values for all input wires, so evaluates the circuit.
+> 5. Bob sends the final garbled output to Alice.
+> 6. Alices uses the output translation table to recover the final result bit.
+
+Note that OT can be done in *parallel*, reducing the round complexity.
+
+### Why is OT Necessary?
+
+Suppose Alice gave both $B_0$ and $B_1$ to Bob. Bob doesn't know which one represents $0$ or $1$, but he can just run the evaluation for both inputs.
+
+Suppose we have a $2$-input AND gate $C = \rm{AND}(A, B)$. Bob already has $A_x$ from Alice, so he evaluates for both $B_0$ and $B_1$, obtaining $C_{x\land 0}$ and $C_{x \land 1}$. If these are the same, Bob learns that $x = 0$. If different, $x = 1$.
+
+So we need an OT to make sure that Bob only learns one of the garbled values.
+
+### Performance
+
+- We need about $2$ to $4$ rounds.
+	- Depends on the implementation of the OT.
+	- Need additional rounds if the final output should be sent to a party.
+	- Anyways, takes constant number of rounds.
+- Need $m$ oblivious transfers, where $m$ is the number of inputs of Bob.
+	- These can be carried out in parallel.
+- Suppose that there are $N$ gates.[^1]
+	- $8N$ symmetric encryptions are required to build a garbled circuit.
+	- $2N$ decryptions are required to compute the circuit.
+	- We need to communicate the data of $\mc{O}(N)$ gates.
+
+## Summary of Yao's Protocol
+
+Let $f$ be a given public function that Alice and Bob want to compute, in circuit representation. Let $(x_1, \dots, x_n)$ and $(y_1, \dots, y_m)$ be inputs provided by Alice and Bob, respectively.
+
+Alice generates a garbled circuit $G(f)$ by assigning garbled values for each wire. Then gives Bob $G(f)$ and the garbled values of her inputs. Then Alice and Bob run several OTs in parallel for the garbled values of Bob's inputs.
+
+Bob computes $G(f)$ and obtains a key of $f(x_1, \dots, x_n, y_1, \dots, y_m)$, which is sent to Alice and Alice recovers the final result.
+
+## Proof of Security (Semi-honest)
+
+We show that if the underlying OT is secure, then Yao's protocol is secure. If both parties are honest or corrupted, there is nothing to show, so we only show for the cases where one party is corrupted.
+
+### Alice is Corrupted
+
+Alice's view only consists of the messages it receives during the oblivious transfers. Since the OT is secure, OT will have its own simulator $\mc{S}$ for the sender of the OT. To simulate Alice, we can use the same simulator $\mc{S}$.
+
+In the OT-hybrid model, we assume an ideal OT. In this case, Alice receives no messages during the oblivious transfers. Then to simulate Alice, an empty transcript will be sufficient.
+
+### Bob is Corrupted
+
+This case is harder to show. The simulator must construct a fake garbled circuit that is indistinguishable to the real one. But the simulator doesn't know the inputs of Alice, so it cannot generate a real circuit.
+
+Bob's view contains his inputs $(y_1, \dots, y_m)$ and the final output $z = (z_1, \dots, z_k)$. Thus, the simulator generates a fake garbled circuit that **always** outputs $z$. To do this, the garbled values for the wires can be chosen randomly, and use them for encryption keys. But the encrypted message is fixed to the (intermediate) output. For instance, make the gate table consists of $E\big( A_i \pll B_j, C_0 \big)$ for fixed $C_0$. In this way, the simulator can control the values of output wires and get $z$ for the final output.
+
+The output translation tables can be generated using this method. An entry of the table would be $(z_i, C_0)$ where $C_0$ is the garbled value used for generating the gate table. As for $1-z_i$, any random garbled value can be used.
+
+Lastly for communicating garbled values, Alice's input wires can be set to any two garbled values of the wire. Bob's input wires should be simulated by the simulator of the OT, which will result in any one of the two values on the wire.
+
+## The BMR Protocol
+
+This is a multiparty variant of Yao's protocol.
+
+For each wire of the circuit, two random *super-seeds* (garbled values) are used. Each party generates a seed, and the super-seed of the wire is the concatenation of all seeds generated by the parties.
+
+For example, for input wire $A$, let
+
+$$
+A_0 = a_0^1 \pll \cdots \pll a_0^n, \quad A_1 = a_1^1 \pll \cdots \pll a_1^n,
+$$
+
+where $a_0^k, a_1^k$ are seeds generated by party $P_k$.
+
+Then for garbling gates, the super-seeds of the output wire is encrypted by the super-seeds of the input wires. As an example, suppose that we use $A_b = a_b^1 \pll \cdots \pll a_b^n$ to encrypt an output value $B$. Then we could use a secure PRG $G$ and set
+
+$$
+B \oplus G(a_b^1) \oplus \cdots \oplus G(a_b^n)
+$$
+
+as the garbled value.
+
+[^1]: Why???

_posts/Lecture Notes/Modern Cryptography/2023-11-16-gmw-protocol.md

@@ -0,0 +1,290 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 16. The GMW Protocol
+date: 2023-11-16
+github_title: 2023-11-16-gmw-protocol
+image:
+  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-16-beaver-triple.png
+attachment:
+  folder: assets/img/posts/Lecture Notes/Modern Cryptography
+---
+
+
+There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](../2023-11-14-garbled-circuits/#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](../2023-11-09-secure-mpc/#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient.
+
+## GMW Protocol
+
+The **Goldreich-Micali-Wigderson** (GMW) **protocol** is a designed for evaluating boolean circuits. In particular, it can be used for XOR and AND gates, which corresponds to addition and multiplication in $\Z_2$. Thus, the protocol can be generalized for evaluating arbitrary arithmetic circuits.
+
+We assume semi-honest adversaries and static corruption. The GMW protocol is known to be secure against any number of corrupted parties. We also assume that any two parties have private channels for communication.
+
+The idea is **secret sharing**, where each party shares its input with other parties. The actual input is not revealed, and after the computation, each party holds a *share* of the final result.
+
+The protocol can be broken down into $3$ phases.
+- **Input phase**: each party shares its input with the other parties.
+- **Evaluation phase**: each party computes gate by gate, using the shared values.
+- **Output phase**: each party publishes their output.
+
+### Input Phase
+
+Suppose that we have $n$ parties $P_1, \dots, P_n$ with inputs $x_1, \dots, x_n \in \braces{0, 1}$. The inputs are bits but they can be generalized to inputs over $\Z_q$ where $q$ is prime.
+
+> Each party $P_i$ shares its input with other parties as follows.
+> 
+> 1. Choose random ${} r_{i, j} \la \braces{0, 1} {}$ for all $j \neq i$ and send $r_{i, j}$ to $P_j$.
+> 2. Set ${} r_{i, i} = x_i + \sum_{i \neq j} r_{i, j} {}$.
+
+Then we see that $x_i = \sum_{j = 1}^n r_{i, j} {}$. Each party has a **share** of $x_i$, which is $r_{i, j}$. We have a notation for this,
+
+$$
+[x_i] = (r_{i, 1}, \dots, r_{i, n}).
+$$
+
+It means that $r_{i, 1}, \dots, r_{i, n}$ are shares of $x_i$.
+
+After this phase, each party $P_j$ has $n$ shares $r_{1, j}, \dots, r_{n,j}$, where each is a share of $x_i$.
+
+### Evaluation Phase
+
+Now, each party computes each gate using the shares received from other parties. We describe how the XOR and AND gate are computed.
+
+#### Evaluating XOR Gates
+
+Suppose we want to compute a share of ${} c = a + b {}$. Then, since
+
+$$
+[c] = [a] + [b],
+$$
+
+each party can simply add all the input shares.
+
+If ${} {} y = x_1 + \cdots + x_n {} {}$, then party $P_j$ will compute ${} y_j = \sum_{i=1}^n r_{i, j} {}$, which is a share of $y$, $[y] = (y_1, \dots, y_n)$. It can be checked that
+
+$$
+y = \sum_{j=1}^n y_j = \sum_{j=1}^n \sum_{i=1}^n r_{i, j}.
+$$
+
+#### Evaluating AND Gates
+
+AND gates are not as simple as XOR gates. If $c = ab$,
+
+$$
+c = \paren{\sum_{i=1}^n a_i} \paren{\sum_{j=1}^n b_j} = \sum_{i=1}^n a_ib_i + \sum_{1 \leq i < j \leq n} (a_ib_j + a_j b_i).
+$$
+
+The first term can be computed internally by each party. The problem is the second term. $P_i$ doesn't know the values of $a_j$ and $b_j$. Therefore, we need some kind of interaction between $P_i$ and $P_j$, but no information should be revealed. We can use an OT for this.
+
+> For every pair of parties $(P_i, P_j)$, perform the following.
+> 
+> 1. $P_i$ chooses a random bit $s_{i, j}$ and computes all possible values of $a_ib_j + a_jb_i + s_{i, j}$. These values are used in the OT.
+> 2. $P_i$ and $P_j$ run a $1$-out-of-$4$ OT.
+> 3. $P_i$ keeps $s_{i, j}$ and $P_j$ receives $a_ib_j + a_jb_i + s_{i, j}$.
+
+- If $a_ib_j + a_jb_i$ is exposed to any party, it reveals information about other party's share.
+- These are bits, so $P_i$ and $P_j$ get to keep a share of $a_ib_j + a_jb_i$. If these aren't bits, then $s_{i, j} - a_ib_j - a_jb_i$ must be computed for inputs to the OT.
+- Since $a_j, b_j \in \braces{0, 1}$, it is possible to compute all possible values, and use them in the OT. $(a_j, b_j)$ will be used as the choice of $P_j$.
+
+### Output Phase
+
+After evaluation, each party has a share of the final output, so the share is sent to the parties that will learn the output. These shares can be summed to obtain the final output value.
+
+### Performance
+
+Addition is easy, but multiplication gates require $n \choose 2$ OTs. Thus the protocol requires a communication round among the parties for every multiplication gate. Also, the multiplication gates on the same level can be processed in parallel.
+
+Overall, the round complexity is $\mc{O}(d)$, where $d$ is the depth of the circuit, including only the multiplication gates.
+
+A shallow circuit is better for GMW protocols. However, shallow circuits may end up using more gates depending on the function.
+
+## Security Proof
+
+We show the case when there are $n-1$ corrupted parties.[^1] Let $P_i$ be the honest party and assume that all others are corrupted. We will construct a simulator.
+
+Let $(x_1, \dots, x_n)$ be inputs to the function, and let $[y] = (y_1, \dots, y_n)$ be output shares. The adversary's view contains $y$, and all $x_j$, $y_j$ values except for $x_i$ and $y_i$.
+
+To simulate the input phase, choose random shares to be communicated, both for $P_i \ra P_j$ and $P_j \ra P_i$. The shares were chosen randomly, so they are indistinguishable to the real protocol execution.
+
+For the evaluation phase, XOR gates can be computed internally, so we only consider AND gates.
+- When $P_j$ is the receiver, choose a random bit as the value learned from the OT. Since the OT contains possible values of $a_ib_j + a_jb_i + s_{i, j}$ and they are random, the random bit is equivalent.
+- When $P_j$ is the sender, choose $s_{i, j}$ randomly and compute all $4$ possible values following the protocol.
+
+Lastly, for the output phase, the simulator has to simulate the message $y_i$ from $P_i$. Since the final output $y$ is known and $y_j$ ($j \neq i$) is known, $y_i$ can be computed from the simulator.
+
+We see that the distribution of the values inside the simulator is identical to the view in the real protocol execution.
+
+## Beaver Triples
+
+**Beaver triple sharing** is an offline optimization method for multiplication (AND) gates in the GMW protocol. Before actual computation, Beaver triples can be shared to speed up multiplication gates, reducing the running time in the online phase. Note that the overall complexity is the same.
+
+> **Definition.** A **Beaver triple** is a triple $(x, y, z)$ such that $z = xy$.
+
+### Beaver Triple Sharing
+
+When Beaver triples are shared, $[x] = (x_1, x_2)$ and $[y] = (y_1, y_2)$ are chosen so that
+
+$$
+ 
+\tag{$\ast$}
+z = z_1 + z _2 = (x_1 + x_2)(y_1 + y_2) = x_1y_1 + x_1y_2 + x_2y_1 + x_2y_2.
+$$
+
+> 1. Each party $P_i$ chooses random bits $x_i, y_i$. Now they must generate $z_1, z_2$ so that the values satisfy equation $(\ast)$ above.
+> 2. $P_1$ chooses a random bit $s$ and computes all $4$ possible values of $s + x_1y_2 + x_2y_1$.
+> 3. $P_1$ and $P_2$ run a $1$-out-of-$4$ OT.
+> 4. $P_1$ keeps $z_1 = s + x_1y_1$, $P_2$ keeps $z_2 = (s + x_1y_2 + x_2y_1) + x_2y_2$.
+
+Indeed, $z_1, z_2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
+
+### Evaluating AND Gates with Beaver Triples
+
+Now, in the actual computation of AND gates, proceed as follows.
+
+![mc-16-beaver-triple.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-16-beaver-triple.png)
+
+> Each $P_i$ has a share of inputs $a_i, b_i$ and a Beaver triple $(x_i, y_i, z_i)$.
+> 1. Each $P_i$ computes $u_i = a_i + x_i$, $v_i = b_i + y_i$.
+> 2. $P_i$ shares $u_i, v_i$ to $P_{3-i}$ and receives $u_{3-i}, v_{3-i}$ from $P_{3-i}$.
+> 3. Each party now can compute $u = u_1 + u_2$, $v = v_1 + v_2$.
+> 4. $P_1$ computes $c_1 = uv + uy_1 + vx_1 + z_1$, $P_2$ computes $c_2 = uy_2 + vx_2 + z_2$.
+
+Note that
+
+$$
+\begin{aligned}
+c = c_1 + c_2 &= uv + u(y_1 + y_2) + v(x_1 + x_2) + (z_1 + z_2) \\
+&= uv + uy + vx + xy \qquad (\because z = xy)  \\
+&= u(v + y) + x(v + y) \\
+&= (u + x)(v + y) = ab
+\end{aligned}
+$$
+
+The last equality comes from the fact that $u = a + x$ and $v = b+y$ from step $1$. The equation was derived from the following observation.
+
+$$
+c = ab = (a + x)(b + y) - x(b + y) - y(a + x) + xy.
+$$
+
+Substitute $u = a +x$ and $v = b + y$, since $z = xy$, we have
+
+$$
+c = uv - xv - yu + z.
+$$
+
+Thus
+
+$$
+[c] = uv - [x]v - [y]u + [z],
+$$
+
+and $uv$ is public, so any party can include it in its share.
+
+Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Essentially, they are *one-time pad* encryptions of $x_i$ and ${} y_i {}$ since $a_i, b_i$ were chosen randomly. No need for OTs during actual computation.
+
+### Reusing Beaver Triples?
+
+**Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and ${} u_1' = a_1' + x_1 {}$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$.
+
+Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](#ot-extension) described below.
+
+## Comparison of Yao and GMW
+
+|Protocol|Yao|GMW|
+|:-:|:-:|:-:|
+|Metaphor|Apple: bite-by-bite|Orange: peel and eat|
+|Pros|Constant round complexity|Circuit evaluation is simple|
+|Cons|Requires symmetric cipher in the online phase|High overhead in AND gates|
+|Good In|High latency networks|Low latency networks|
+|Round Complexity|$\mc{O}(1)$|Depends on circuit depth. $n$ OTs per AND gates per party.|
+
+Yao's protocol computes gates bite-by-bite, whereas GMW protocol is peel-and-eat. Most of the effort is required in the preprocessing phase, by sharing many Beaver triples, but the evaluation phase is easy.
+
+## OT Extension
+
+Both Yao's and GMW protocol use OTs. Depending on the computation, one may end up performing thousands of OTs, which can be inefficient.
+
+There is a technique called **OT extension**, that allows us to obtain many OT instances from a small number of OT instances. OT extension only uses small number of base OTs, and uses symmetric cipher to extend it to many OTs.
+
+### Protocol Description
+
+This protocol will extend $n$ OTs to $m$ OTs, where $m \gg n$.
+
+- Sender has inputs $\paren{x_i^0, x_i^1}$ for $i = 1, \dots, m$.
+- Receiver has choice vector $\sigma = (\sigma_1, \dots, \sigma_m) \in \braces{0, 1}^m$.
+	- After the protocol, the receiver will get $x_i^{\sigma_i}$ for $i = 1, \dots, m$.
+
+> **First phase.**
+> 
+> 1. The receiver samples $n$ random strings $T_1, \dots, T_n \la \braces{0, 1}^m$ of length $m$.
+> 2. The receiver prepares pairs $\paren{T_i, T_i \oplus \sigma}$ for $i = 1, \dots, n$ and plays *sender in base OT*.
+> 3. The sender chooses random $s = (s_1, \dots, s_n) \in \braces{0, 1}^n$.
+> 4. The sender plays *receiver in base OT* with input $s_i$ for $i = 1, \dots, n$.
+
+In the first phase, the roles are temporarily switched.
+
+- The receiver chose $n$ random $m$-bit vectors, now has a $m\times n$ bit matrix $T$.
+- For the $i$-th base OT, the receiver inputs $T_i$ or $T_i \oplus \sigma$. Therefore, if $s_i = 0$, the sender gets $T_i$. If $s_i = 1$, then sender gets $T_i \oplus \sigma$.
+- Suppose that the sender gets $Q_i \in \braces{0, 1}^m$ in the $i$-th base OT. The sender will also have a $m \times n$ bit matrix $Q$.
+
+$$
+Q_i = \begin{cases} T_i  & (s_i = 0)  \\
+	T_i \oplus \sigma  & (s_i = 1).
+\end{cases}
+$$
+
+**Now consider each row separately!** Let ${} A[k]$ be the $k$-th row of matrix $A$.
+
+If $\sigma_j = 0$, the XOR operation in $T_i \oplus \sigma$ has no effect on the $j$-th element (row), so the $j$-th element of $T_i \oplus \sigma$ and $T_i$ are the same. Thus, we have $Q[j] = T[j]$.
+
+On the other hand, suppose that $\sigma_j = 1$ and consider each element of $Q[j]$. The $i$-th element is the $j$-th element of $Q_i$. If $s_i = 0$, then $Q_i = T_i$, so the $j$-th element (row) is the same as the $j$-th element of $T_i$. If $s_i = 1$, then $Q_i = T_i \oplus \sigma$, so the $j$-th element is flipped. Thus, $Q[j] = T[j] \oplus s$.
+
+$$
+Q[j] = \begin{cases} T[j] & (\sigma_j = 0)  \\
+T[j] \oplus s & (\sigma_j = 1).
+\end{cases}
+$$
+
+> **Second phase.** To perform the $j$-th transfer $(j = 1, \dots, m)$,
+> 
+> 1. The sender sends $y_j^0 = H(j, Q[j]) \oplus x_j^0$ and $y_j^1 = H(j, Q[j] \oplus s) \oplus x_j^1$.
+> 2. The receiver computes $H(j, T[j]) \oplus y_j^{\sigma_j}$.
+
+If $\sigma_j = 0$, then the sender gets
+
+$$
+H(j, T[j]) \oplus y_j^0 = H(j, T[j]) \oplus H(j, Q[j]) \oplus x_j^0 = x_j^0.
+$$
+
+If $\sigma_j = 1$,
+
+$$
+H(j, T[j]) \oplus y_j^1 = H(j, T[j]) \oplus H(j, Q[j] \oplus s) \oplus x_j^1 = x_j^1.
+$$
+
+We have just shown correctness.
+
+### Security Proof of OT Extension
+
+Intuitively, the sender receives either $T_i$ or $T_i \oplus \sigma$. But $T_i$ are chosen randomly, so it hides $\sigma$, revealing no information.
+
+As for the receiver, the values $(x_j^0, x_j^1)$ are masked by a hash function, namely $H(j, Q[j])$ and $H(j, Q[j] \oplus s)$. The receiver can compute $H(j, T[j])$, which equals *only one of them* but since receiver has no information about $s$, prohibiting the receiver from computing the other mask.
+
+### Performance of OT Extension
+
+The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT.
+
+One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](../2023-11-09-secure-mpc/#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data.
+
+Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing.
+
+[^1]: Intuitively, it may seem that proving security for $n-1$ corrupted parties would be the hardest. However, security for $n-1$ corrupted parties does not imply security for $n-2$ corrupted parties, in general.
+[^2]: There is a variant of sharing Beaver triples, where a dealer generates all $x_i, y_i, z_i$ and gives them to each party.
+[^3]: A Graduate Course in Applied Cryptography.

_posts/Lecture Notes/Modern Cryptography/2023-11-23-bgv-scheme.md

@@ -0,0 +1,562 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 17. BGV Scheme
+date: 2023-11-23
+github_title: 2023-11-23-bgv-scheme
+---
+
+## Homomorphisms
+
+> **Definition.** Let $(X, \ast), (Y, \ast')$ be sets equipped with binary operations $\ast$, $\ast'$. A map $\varphi : X \ra Y$ is said to be a **homomorphism** if
+> 
+> $$
+> \varphi(a \ast b) = \varphi(a) \ast' \varphi(b)
+> $$
+> 
+> for all $a, b \in X$.
+
+A homomorphism *sort of* preserves the structure between two sets.[^1]
+
+We will mainly consider **additive homomorphisms** where
+
+$$
+\varphi(a + b) = \varphi(a) + \varphi(b),
+$$
+
+and **multiplicative homomorphisms** where
+
+$$
+\varphi(ab) = \varphi(a)\varphi(b).
+$$
+
+## Homomorphic Encryption
+
+> **Definition.** A **homomorphic encryption scheme** defined over $\mc{M}$ consists of an encryption algorithm $E$ and a decryption algorithm $D$ such that
+> 
+> $$
+> D\big( E(x) + E(y) \big) = x + y
+> $$
+> 
+> or
+> 
+> $$
+> D\big( E(x) \cdot E(y) \big) = x \cdot y.
+> $$
+
+The **decryption $D$ is a homomorphism**. From ciphertexts of $x$ and $y$, this scheme can compute the ciphertext of $x + y$ or $x \cdot y$.
+
+There are mainly $3$ categories of homomorphic encryption.
+
+- **Partial** Homomorphic Encryption
+	- These schemes can evaluate *some* functions on encrypted data.
+	- Textbook RSA had a *homomorphic property*.
+- **Somewhat** Homomorphic Encryption (SHE)
+	- Both addition and multiplication are supported.
+	- But there is a limit on the number of operations.
+- **Fully** Homomorphic Encryption (FHE)
+	- Any function can be evaluated on encrypted data.
+	- There is a method called *bootstrapping* that compiles SHE into FHE.
+
+### A Warm-up Scheme
+
+This is a sample scheme, which is insecure.
+
+> Choose parameters $n$ and $q$ as security parameters.
+> 
+> 1. Set secret key $\bf{s} = (s_1, \dots, s_n) \in \Z^n$.
+> 2. For message $m \in \Z_q$, encrypt it as follows.
+> 	- Randomly choose $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$.
+> 	- Compute $b = -\span{\bf{a}, \bf{s}} + m \pmod q$.
+> 	- Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
+> 3. To decrypt $\bf{c}$, compute $m = b + \span{\bf{a}, \bf{s}} \pmod q$.
+
+Correctness is trivial. Also, this encryption algorithm has the *additive homomorphism* property. If $b_1, b_2$ are encryptions of $m_1, m_2$, then
+
+$$
+b_1 = -\span{\bf{a}_1, \bf{s}} + m_1, \quad b_2 = -\span{\bf{a}_2, \bf{s}} + m_2
+$$
+
+in $\Z_q$. Thus,
+
+$$
+b_1 + b_2 = -\span{\bf{a}_1 + \bf{a}_2, \bf{s}} + m_1 + m_2.
+$$
+
+Decrypting the ciphertext $(b_1 + b_2, \bf{a}_1 + \bf{a}_2)$ will surely give $m_1 + m_2$.
+
+But this scheme is not secure. After $n$ queries, the plaintext-ciphertext pairs can be transformed into a linear system of equations
+
+$$
+\bf{b} = -A \bf{s} + \bf{m},
+$$
+
+where $\bf{a}_i$ are in the rows of $A$. This system can be solved for $\bf{s}$ with non-negligible probability.[^2]
+
+## Lattice Cryptography
+
+Recall that schemes like RSA and ElGamal rely on the hardness of computational problems. The hardness of those problems make the schemes secure. There are other (known to be) *hard* problems using **lattices**, and recent homomorphic encryption schemes use **lattice-based** cryptography.
+
+> **Definition.** For $\bf{b}_i \in \Z^n$ for $i = 1, \dots, n$, let $B = \braces{\bf{b}_1, \dots, \bf{b}_n}$ be a basis. The set
+> 
+> $$
+> L = \braces{\sum_{i=1}^n a_i\bf{b}_i : a_i \in \Z}
+> $$
+> 
+> is called a **lattice**. The set $B$ is a basis over $L$.
+
+It is essentially a linear combination of basis elements, with *integer coefficients*.
+
+### Bounded Distance Decoding Problem (BDD)
+
+Let $L$ be a lattice with basis $B$. Given
+
+$$
+\bf{t} = B\bf{u} + \bf{e} \notin L
+$$
+
+for a small error $\bf{e}$, the problem is to find the closest lattice point $B\bf{u} \in L$.
+
+It is known that all (including quantum) algorithms for solving BDD have costs $2^{\Omega(n)}$.
+
+This problem is easy when we have a *short* basis, where the angles between vectors are closer to $\pi/2$. For example, given $\bf{t}$, find $a_i \in \R$ such that
+
+$$
+\bf{t} = a_1 \bf{b}_1 + \cdots a_n \bf{b}_n
+$$
+
+and return $B\bf{u}$ as
+
+$$
+B\bf{u} = \sum_{i=1}^n \lfloor a_i \rceil \bf{b}_i.
+$$
+
+Then this ${} B\bf{u} \in L {}$ is pretty close to $\bf{t} \notin L$.
+
+## Learning with Errors Problem (LWE)
+
+This is the problem we will mainly use for homomorphic schemes.
+
+Let $\rm{LWE}_{n, q, \sigma}(\bf{s})$ denote the LWE distribution, where
+- $n$ is the number of dimensions,
+- $q$ is the modulus,
+- $\sigma$ is the standard deviation of error.
+
+Also $D_\sigma$ denotes the discrete gaussian distribution with standard deviation $\sigma$.
+
+> Let $\bf{s} = (s_1, \dots, s_n) \in \Z_q^n$ be a secret.
+> 
+> - Sample $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$ and $e \la D_\sigma$.
+> - Compute $b = \span{\bf{a}, \bf{s}} + e \pmod q$.
+> - Output $(b, \bf{a}) \in \Z_q^{n+1}$.
+> 
+> This is called a **LWE instance**.
+
+### Search LWE Problem
+
+> Given many samples from $\rm{LWE}_{n, q, \sigma}(\bf{s})$, find $\bf{s}$.
+
+### Decisional LWE Problem (DLWE)
+
+> Distinguish two distributions $\rm{LWE}_{n, q, \sigma}(\bf{s})$ and $U(\Z_q^{n+1})$.
+
+It is known that the two versions of LWE problem are **equivalent** when $q$ is a prime bounded by some polynomial in $n$.
+
+LWE problem can be turned into **assumptions**, just like the DL and RSA problems. As in DL and RSA, the LWE problem is not hard for any parameters $n, q$. The problem is harder if $n$ is large and $q$ is small.
+
+## The BGV Scheme
+
+**BGV scheme** is by Brakerski-Gentry-Vaikuntanathan (2012). The scheme is defined over the finite field $\Z_p$ and can perform arithmetic in $\Z_p$.
+
+> Choose security parameters $n$, $q$ and $\sigma$. It is important that $q$ is chosen as an **odd** integer.
+> 
+> **Key Generation**
+> - Set secret key $\bf{s} = (s_1, \dots, s_n) \in \Z^n$.
+> 
+> **Encryption**
+> - Sample $\bf{a} \la \Z_q^n$ and $e \la D_\sigma$.
+> - Compute $b = -\span{\bf{a}, \bf{s}} + m + 2e \pmod q$.
+> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
+> 
+> **Decryption**
+> - Compute $r = b + \span{\bf{a}, \bf{s}} \pmod q$.
+> - Output $m = r \pmod 2$.
+
+Here, it can be seen that
+
+$$
+r = m + 2e \pmod q.
+$$
+
+For correctness, $e \ll q$, and
+
+$$
+\abs{r} = \abs{m + 2e} < \frac{1}{2}q.
+$$
+
+Under the LWE assumption, it can be proven that the scheme is semantically secure, i.e,
+
+$$
+E(\bf{s}, 0) \approx_c E(\bf{s}, 1).
+$$
+
+### Addition in BGV
+
+Addition is easy!
+
+> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of ${} m, m' \in \braces{0, 1} {}$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
+
+*Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$. If
+
+$$
+r = b + \span{\bf{a}, \bf{s}} = m + 2e \pmod q
+$$
+
+and
+
+$$
+r' = b' + \span{\bf{a}', \bf{s}} = m' + 2e' \pmod q,
+$$
+
+then we have
+
+$$
+r_\rm{add} = b + b' + \span{\bf{a} + \bf{a}', \bf{s}} = r + r' = m + m' + 2(e + e') \pmod q.
+$$
+
+If $\abs{r + r'} < q/2$, then $m + m' = r_\rm{add} \pmod 2$.
+
+### Multiplication in BGV
+
+#### Tensor Product
+
+For multiplication, we need **tensor products**.
+
+> **Definition.** Let $\bf{a} = (a_1, \dots, a_n)^\top, \bf{b} = (b_1, \dots, b_n)^\top$ be vectors. Then the **tensor product** $\bf{a} \otimes \bf{b}$ is a vector with $n^2$ dimensions such that
+> 
+> $$
+> \bf{a} \otimes \bf{b} = \big( a_i \cdot b_j \big)_{1 \leq i, j \leq n}.
+> $$
+
+We will use the following property.
+
+> **Lemma.** Let $\bf{a}, \bf{b}, \bf{c}, \bf{d}$ be $n$-dimensional vectors. Then,
+> 
+> $$
+> \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}} = \span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}}.
+> $$
+
+*Proof*. Denote the components as $a_i, b_i, c_i, d_i$.
+
+$$
+\begin{aligned}
+\span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}} &= \sum_{i=1}^n\sum_{j=1}^n a_ic_j \cdot b_id_j \\
+&= \paren{\sum_{i=1}^n a_ib_i} \paren{\sum_{j=1}^n c_j d_j} =  \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}}.
+\end{aligned}
+$$
+
+#### Multiplication
+
+Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Since
+
+$$
+r = b + \span{\bf{a}, \bf{s}} = m + 2e \pmod q
+$$
+
+and
+
+$$
+r' = b' + \span{\bf{a}', \bf{s}} = m' + 2e' \pmod q,
+$$
+
+we have that
+
+$$
+r_\rm{mul} = rr' = (m + 2e)(m' + 2e') = mm' + 2e\conj \pmod q.
+$$
+
+So $mm' = r_\rm{mul} \pmod 2$ if $e\conj$ is small.
+
+However, to compute $r_\rm{mul} = rr'$ from the ciphertext,
+
+$$
+\begin{aligned}
+r_\rm{mul} &= rr' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
+&= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'}.
+\end{aligned}
+$$
+
+Thus we define $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, then this can be decrypted with $(1, \bf{s}, \bf{s} \otimes \bf{s})$ by the above equation.
+
+> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m'$. Then,
+> 
+> $$
+> \bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
+> $$
+> 
+> is an encryption of $mm'$ with $(1, \bf{s}, \bf{s} \otimes \bf{s})$.
+
+Not so simple as addition, we need $\bf{s} \otimes \bf{s}$.
+
+#### Problems with Multiplication
+
+The multiplication described above has two major problems.
+
+- The dimension of the ciphertext has increased to $n^2$.
+	- At this rate, multiplications get inefficient very fast.
+- The *noise* $e\conj$ grows too fast.
+	- For correctness, $e\conj$ must be small compared to $q$, but it grows exponentially.
+	- We can only perform $\mc{O}(\log q)$ multiplications.
+
+### Dimension Reduction
+
+First, we reduce the ciphertext dimension. In the ciphertext $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{a} \otimes \bf{a}'$ is causing the problem, since it must be decrypted with $\bf{s} \otimes \bf{s}'$.
+
+Observe that the following dot product is calculated during decryption.
+
+$$
+\tag{1} \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} = \sum_{i = 1}^n \sum_{j=1}^n a_i a_j' s_i s_j.
+$$
+
+The above expression has $n^2$ terms, so they have to be manipulated. The idea is to switch these terms as encryptions of $\bf{s}$, instead of $\bf{s} \otimes \bf{s}'$.
+
+Thus we use encryptions of $s_is_j$ by $\bf{s}$. If we have ciphertexts of $s_is_j$, we can calculate the expression in $(1)$ since this scheme is *homomorphic*. Then the ciphertext can be decrypted only with $\bf{s}$, as usual. This process is called **relinearization**, and the ciphertexts of $s_i s_j$ are called **relinearization keys**.
+
+#### First Attempt
+
+> **Relinearization Keys**: for $1 \leq i, j \leq n$, perform the following.
+> - Sample $\bf{u}_{i, j} \la \Z_q^{n}$ and $e_{i, j} \la D_\sigma$.
+> - Compute $v_{i, j} = -\span{\bf{u}_{i, j}, \bf{s}} + s_i s_j + 2e_{i, j} \pmod q$.
+> - Output $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$.
+> 
+> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$ and $\bf{w}_{i, j}$ for $1 \leq i, j \leq n$, output the following.
+> 
+> $$
+> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{w}_{i, j} \pmod q.
+> $$
+
+Note that the addition $+$ is the addition of two ${} (n+1) {}$-dimensional vectors. By plugging in $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$, we actually have
+
+$$
+b_\rm{mul}^\ast = bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j}
+$$
+
+and
+
+$$
+\bf{a}_\rm{mul}^\ast = b\bf{a}' + b'\bf{a} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{u}_{i, j}.
+$$
+
+Now we check correctness. $\bf{c}_\rm{mul}^\ast$ should decrypt to $mm'$ with only $\bf{s}$.
+
+$$
+\begin{aligned}
+b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \span{\bf{u}_{i, j}, \bf{s}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \paren{v_{i, j} + \span{\bf{u}_{i, j}, \bf{s}}}.
+\end{aligned}
+$$
+
+Since $v_{i, j} + \span{\bf{u}_{i, j}, \bf{s}} = s_i s_j + 2e_{i, j} \pmod q$, the above expression further reduces to
+
+$$
+\begin{aligned}
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \paren{s_i s_j + 2e_{i, j}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2\sum_{i=1}^n\sum_{j=1}^n a_i a_j' e_{i, j} \\
+&= rr' + 2e\conj \pmod q,
+\end{aligned}
+$$
+
+and we have an encryption of $mm'$.
+
+However, we require that
+
+$$
+e\conj = \sum_{i=1}^n \sum_{j=1}^n a_i a_j' e_{i, j} \ll q
+$$
+
+for correctness. It is highly unlikely that this relation holds, since $a_i a_j'$ will be large. They are random elements of $\Z_q$ after all, so the size is about $\mc{O}(n^2 q)$.
+
+#### Relinearization
+
+We use a method to make $a_i a_j'$ smaller. The idea is to use the binary representation.
+
+Let $a[k] \in \braces{0, 1}$ denote the $k$-th least significant bit of $a \in \Z_q$. Then we can write
+
+$$
+a = \sum_{0\leq k<l} 2^k \cdot a[k]
+$$
+
+where $l = \ceil{\log q}$. Then we have
+
+$$
+a_i a_j' s_i s_j = \sum_{0\leq k <l} (a_i a_j')[k] \cdot 2^k s_i s_j,
+$$
+
+so instead of encryptions of $s_i s_j$, we use encryptions of $2^k s_i s_j$.
+
+For convenience, let $a_{i, j} = a_i a_j'$. Now we have triple indices including $k$.
+
+> **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
+> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and ${} e_{i, j, k} \la D_\sigma {}$.
+> - Compute ${} v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q {}$.
+> - Output ${} \bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k}) {}$.
+> 
+> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
+> 
+> $$
+> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \bf{w}_{i, j, k} \pmod q.
+> $$
+
+Correctness can be checked similarly. The bounds for summations are omitted for brevity. They range from $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$.
+
+$$
+\begin{aligned}
+b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_{i, j}[k] \cdot v_{i, j, k} +  \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \span{\bf{u}_{i, j, k}, \bf{s}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}}}.
+\end{aligned}
+$$
+
+Since ${} v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}} = 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q {}$, the above expression further reduces to
+
+$$
+\begin{aligned}
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{2^k \cdot s_i s_j + 2e_{i, j, k}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j} a_{i, j}s_i s_j + 2\sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2e\conj \\
+&= rr' + 2e\conj \pmod q,
+\end{aligned}
+$$
+
+and we have an encryption of $mm'$. In this case,
+
+$$
+e\conj = 2\sum_{i=1}^n\sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \cdot e_{i, j, k}
+$$
+
+is small enough to use, since $a_{i, j}[k] \in \braces{0, 1}$. The size is about $\mc{O}(n^2 \log q)$, which is a lot smaller than $q$ for practical uses. We have reduced $n^2 q$ to $n^2 \log q$ with this method.
+
+### Noise Reduction
+
+Now we handle the noise growth. For correctness, we required that
+
+$$
+\abs{r} = \abs{m + 2e} < \frac{1}{2}q.
+$$
+
+But for multiplication, $\abs{r_\rm{mul}} = \abs{rr' + 2e\conj}$, so the noise grows very fast. If the initial noise size was $N$, then after $L$ levels of multiplication, the noise is now $N^{2^L}$.[^3] To reduce noise, we use **modulus switching**.
+
+Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$, we reduce the modulus to $q' < q$ which results in a smaller noise $e'$. This can be done by scaling $\bf{c}$ by $q'/q$ and rounding it.
+
+> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ be given.
+> 
+> - Find $b'$ closest to $b \cdot (q' /q)$ such that $b' = b \pmod 2$.
+> - Find $a_i'$ closest to $a_i \cdot (q'/q)$ such that $a_i' = a_i \pmod 2$.
+> - Output $\bf{c}' = (b', \bf{a}') \in \Z_{q'}^{n+1}$.
+
+In summary, $\bf{c}' \approx \bf{c} \cdot (q'/q)$, and $\bf{c}' = \bf{c} \pmod 2$ component-wise.
+
+We check if the noise has been reduced, and decryption results in the same message $m$. Decryption of $\bf{c}'$ is done by $r' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$, so we must prove that ${} r' \approx r \cdot (q'/q) {}$ and $r' = r \pmod 2$. Then the noise is scaled down by $q'/q$ and the message is preserved.
+
+Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = r + kq$. By the choice of $b'$ and $a_i'$,
+
+$$
+b' = b \cdot (q'/q) + \epsilon_0, \quad a_i' = a_i \cdot (q'/q) + \epsilon_i
+$$
+
+for $\epsilon_i \in\braces{0, 1}$. Then
+
+$$
+\begin{aligned}
+b' + \span{\bf{a}', \bf{s}} &= b' + \sum_{i=1}^n a_i's_i \\
+&= b \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \paren{a_i \cdot (q'/q) + \epsilon_i} s_i \\
+&= (q'/q) \paren{b + \sum_{i=1}^n a_i s_i} + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
+&= (q'/q) \cdot (r + kq) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
+&= r \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i +  kq'.
+\end{aligned}
+$$
+
+We additionally assume that $\bf{s} \in \Z_2^n$, then the error term is bounded by $n+1$, and $n \ll q$.[^4] Set
+
+$$
+r' = r \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i,
+$$
+
+then we have $r' \approx r \cdot (q'/q)$.
+
+Next, $b + \span{\bf{a}, \bf{s}} = b' + \span{\bf{a}', \bf{s}} \pmod 2$ component-wise. Then
+
+$$
+r + kq = b + \span{\bf{a}, \bf{s}} = b' + \span{\bf{a}', \bf{s}} = r' + kq' \pmod 2.
+$$
+
+Since $q, q'$ are odd, $r = r' \pmod 2$.
+
+### Modulus Chain
+
+Let the initial noise be $\abs{r} \approx N$. Set the maximal level $L$ for multiplication, and set $q_{L} = N^{L+1}$. Then after each multiplication, switch the modulus to $q_{k-1} = q_k/N$ using the above method.
+
+Multiplication increases the noise to $N^2$, and then modulus switching decreases the noise back to $N$, allowing further computation.
+
+So we have a modulus chain,
+
+$$
+N^{L+1} \ra N^L \ra \cdots \ra N.
+$$
+
+When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping).
+
+Note that without modulus switching, we need $q_L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q_L > N^{L+1}$.
+
+### Multiplication in BGV (Summary)
+
+- Set up a modulus chain $q_k = N^{k+1}$ for $k = 0, \dots, L$.
+- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and noise $N$.
+
+- (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
+	- Now we have $n^2$ dimensions and noise $N^2$.
+- (**Relinearization**)
+	- Back to $n$ dimensions and noise $N^2$.
+- (**Modulus Switching**)
+	- Modulus is switched to $q_{k-1}$ and noise is back to $N$.
+
+## BGV Generalizations and Optimizations
+
+### From $\Z_2$ to $\Z_p$
+
+The above description is for messages $m \in \braces{0, 1} = \Z_2$. This can be extend to any finite field $\Z_p$. Replace $2$ with $p$ in the scheme. Then encryption of $m \in \Z_p$ is done as
+
+$$
+b = -\span{\bf{a}, \bf{s}} + m + pe \pmod q,
+$$
+
+and we have $r = b + \span{\bf{a}, \bf{s}} = m + pe$, $m = r \pmod p$.
+
+### Packing Technique
+
+Based on the Ring LWE problem, plaintext space can be extended from $\Z_p$ to $\Z_p^n$ by using **polynomials**.
+
+With this technique, the number of linearization keys is reduced from $n^2 \log q$ to $\mc{O}(1)$.
+
+## Security and Performance of BGV
+
+- Security depends on $n$ and $q$.
+	- $(n, \log q) = (2^{10}, 30), (2^{13}, 240), (2^{16}, 960)$.
+	- $q$ is much larger than $n$.
+	- We want $n$ small and $q$ large enough to be correct.
+- BGV is a **somewhat** homomorphic encryption.
+	- The number of multiplications is limited.
+- Multiplication is expensive, especially linearization.
+	- Parallelization is effective for optimization, since multiplication is basically performing the same operations on different data.
+
+[^1]: A homomorphism is a *confused name changer*. It can map different elements to the same name.
+[^2]: The columns $\bf{a}_i$ are chosen random, so $A$ is invertible with high probability.
+[^3]: Noise: $N \ra N^2 \ra N^4 \ra \cdots \ra N^{2^L}$.
+[^4]: This is how $\bf{s}$ is chosen in practice.

_posts/Lecture Notes/Modern Cryptography/2023-12-08-bootstrapping-ckks.md

@@ -0,0 +1,347 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Modern Cryptography
+tags:
+  - lecture-note
+  - cryptography
+  - security
+title: 18. Bootstrapping & CKKS
+date: 2023-12-08
+github_title: 2023-12-08-bootstrapping-ckks
+---
+
+## Bootstrapping
+
+Recall that BGV has a limit on the number of operations, so it cannot evaluate a circuit with a large depth. This was because of the growing noise, so we need a way to remove the noise.
+
+An easy answer is decrypting the ciphertext and encrypting it again, but we want to do it without using the secret key.
+
+**Bootstrapping** is a method to convert SHE into FHE.
+
+### Key Idea
+
+The main idea is to *homomorphically evaluate the decryption circuit over encrypted $\bf{s}$*.
+
+Let $\bf{c}$ be an encryption of $m \in \braces{0, 1}$, at the lowest level $0$. (Cannot perform multiplications anymore) The decryption algorithm, with a secret $\bf{s}$ fixed, is a function of $\bf{c}$.
+
+Change the perspective and view it as a function of $\bf{s}$.
+
+$$
+f(\bf{s}) = D(\bf{s}, \bf{c}) : \braces{0, 1}^n \ra \braces{0, 1}
+$$
+
+Then $f(\bf{s}) = m$.
+
+Let $\bf{s}' \in \braces{0, 1}^n$ be a new secret key. Generate the **bootstrapping keys**
+
+$$
+BK = \braces{\bf{k}_i}_{i=1}^n, \qquad  \bf{k}_i = E(\bf{s}', s_i).
+$$
+
+Then by the homomorphic property of $f$,
+
+$$
+f(\bf{k_1}, \bf{k}_2, \dots, \bf{k}_n) = f\big( E(\bf{s}', s_1), \dots, E(\bf{s}', s_n) \big) = E\big( \bf{s}', f(s_1, \dots, s_n) \big) = E(\bf{s}', m).
+$$
+
+#### Example with BGV
+
+Technically, the expression $f(\bf{k_1}, \bf{k}_2, \dots, \bf{k}_n)$ doesn't make sense, but it works. Consider a message $m$ encrypted with secret $\bf{s}$ in the BGV scheme.
+
+$$
+\bf{c} = (b, \bf{a}), \quad b = -\span{\bf{a}, \bf{s}} + m + 2e \pmod q.
+$$
+
+The decryption is $r = b + \span{\bf{a}, \bf{s}} \pmod q$, and then taking the least significant bit. Consider it as a function
+
+$$
+f(\bf{s}) = b + \span{\bf{a}, \bf{s}} = b + \sum_{i=1}^n a_is_i.
+$$
+
+For a new key $\bf{s}' = (s_1', \dots, s_n')$, generate bootstrapping keys $\bf{k}_i = E(\bf{s}', s_i)$ and plugging it in forcefully gives
+
+$$
+\begin{aligned}
+f(\bf{k}_1, \dots, \bf{k}_n) &= b + \sum_{i=1}^n a_i E(\bf{s}', s_i) = b + \sum_{i=1}^n E(\bf{s}', a_is_i) \\
+&=b + E\paren{\bf{s}', \sum_{i=1}^n a_is_i} = b + E\paren{\bf{s}', \span{\bf{a}, \bf{s}}}.
+\end{aligned}
+$$
+
+Since an encryption of $\span{\bf{a}, \bf{s}}$ with $\bf{s}'$ is $-\span{\bf{a}', \bf{s}'} + \span{\bf{a}, \bf{s}} + 2e' \pmod q$, the above equation equals
+
+$$
+\begin{aligned}
+b' &=b -\span{\bf{a}', \bf{s}'} + \span{\bf{a}, \bf{s}} + 2e' \\
+&= -\span{\bf{a}', \bf{s}'} + m + 2(e + e') \pmod q.
+\end{aligned}
+$$
+
+Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k}_1, \dots, \bf{k}_n)$.[^1]
+
+### Bootstrapping Procedure
+
+> Given an encryption $\bf{c}$ of $m$ at level $0$, perform the following procedure.
+> 
+> **Bootstrapping Key Generation**
+> - Choose a new secret key $\bf{s}' \in \braces{0, 1}^n$.
+> - Generate *bootstrapping key* ${} BK = \braces{\bf{k}_i}_{i=1}^n {}$ where $\bf{k}_i = E(\bf{s}', s_i)$.
+> 
+> **Bootstrapping**
+> - Generate a circuit representation $f : \braces{0, 1}^n \ra \braces{0, 1}$ of the decryption function $D(\cdot, \bf{c})$.
+> - Compute and output $\bf{c}' = f(\bf{k}_1, \dots, \bf{k}_n)$.
+
+The bootstrapping procedure returns an encryption of $m$ under $\bf{s}'$, as shown above. The key idea here is that $\bf{k}_i$ are *fresh* ciphertexts at level $L$. Even though a few levels are consumed during the evaluation of $f$, the resulting ciphertext $\bf{c}'$ is not at level $0$ anymore, allowing us to do more computation.
+
+> Suppose that the homomorphic evaluation of $f$ requires depth $d$, consuming $d$ levels. Then we say that the BGV scheme is **bootstrappable** if $d < L$. The output ciphertext $\bf{c}'$ will have level $l = L - d > 0$, which we call **remaining level**.
+
+Thus, we need to set $L$ large enough in the BGV scheme so that it is bootstrappable. But larger $L$ results in larger $q$, reducing the security of the scheme. This is another reason we must use **modulus switching**. Without it, we wouldn't have been able to set $L$ large enough for bootstrapping.
+
+### Fully Homomorphic Encryption
+
+Thus, if BGV is bootstrappable, then we can apply bootstrapping on the ciphertext whenever its level reaches $0$. Now we can evaluate *any* circuit of finite depth.
+
+There is a slight catch here. For every bootstrapping procedure, we need a bootstrapping key. This must be generated by the owner of the original secret. As a result, lots of secret keys are required to homomorphically evaluate a circuit.
+
+$$
+\bf{s} \ra \bf{s}' \ra \bf{s}'' \ra \cdots
+$$
+
+Currently, we set $\bf{s}' = \bf{s}$ and make the chain **circular**, so the bootstrapping keys are $E(\bf{s}, s_i)$. $\bf{s}$ is being encrypted by itself. We wonder if this is secure, but there is no known proof for this. This is used as an assumption called the **circular security assumption**.
+
+Designing an FHE scheme without the circular security assumption is currently an open problem.
+
+## CKKS Scheme
+
+The [BGV scheme](../2023-11-23-bgv-scheme/#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
+
+### Approximate Computation
+
+Computers use floating point representations for real numbers.
+
+$$
+2.9979 \times 10^8
+$$
+
+Here, $2.9979$ is the **significand**, $10$ is the base and $8$ is the exponent. We also call $10^8$ the **scaling factor**.
+
+Floating point operations involve **rounding**, but rounding is not easy in homomorphic encryption. Using the BGV scheme on $\Z_p$, there are $2$ methods to do this.
+
+- Bit-wise Encryption
+	- $32$-bit integer results in $32$ ciphertexts.
+	- Binary multiplier circuits can be used for multiplication.
+	- Rounding is easy if done this way.
+	- But this is *extremely* inefficient. Huge number of gates are required, consumes a lot of levels.
+- Integer Encryption
+	- To encrypt the significant, use a modulus large enough, such as $p > 2^{32}$.
+	- For multiplication, use $p > 2^{64}$.
+	- But rounding is hard in $\Z_p$.
+
+So our wish is to design an HE scheme that natively supports rounding operation!
+
+### CKKS Description
+
+In the LWE problem, error was added for security. This can be exploited, since computing floating points allows some rounding errors.
+
+> Let $n, q, \sigma$ be parameters for LWE and set a scaling factor $\Delta > 0$.
+> 
+> **Key Generation**
+> - A secret key is chosen as $\bf{s} = (s_1, \dots, s_n) \in \braces{0, 1}^n$, with its linearization gadget.
+> 
+> **Encryption**: message $m \in \R$.
+> - Randomly sample $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$ and $e \la D_\sigma$.
+> - Compute $b = -\span{\bf{a}, \bf{s}} + \round{\Delta \cdot m} + e \pmod q$.
+> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
+> 
+> **Decryption**
+> - Compute $\mu = b + \span{\bf{a}, \bf{s}} \pmod q$.
+> - Output $m' = \Delta\inv \cdot \mu \in \R$.
+
+Note that the decrypted output is $m'$, which is **not equal to $m$**. We have
+
+$$
+\mu = \round{\Delta \cdot m} + e
+$$
+
+if $\mu$ is small. (ex. $\abs{\mu} < q/2$) But $m' = \Delta\inv \cdot \mu \neq m$. The traditional *correctness* does not apply here, since $D(\bf{s}, \bf{c}) \neq m$.
+
+Instead, CKKS is an **approximate encryption**. The exact $m$ is not recovered, but we get an approximation $m'$ with bounded error,
+
+$$
+\abs{m - m'} \leq \frac{1}{\Delta} (0.5 + \abs{e}).
+$$
+
+This is okay, since small numerical errors are allowed in floating-point operations. Also, it can be seen from this inequality that $\Delta$ is sort of a *precision*.
+
+Also, CKKS is secure under the LWE assumption.
+
+## Operations on Ciphertexts in CKKS
+
+The overall process is similar to that of BGV, with some additional changes.
+
+Remember that if $\bf{c} = (b, \bf{a})$ is an encryption of $m \in \R$, then
+
+$$
+\mu = b + \span{\bf{a}, \bf{s}} \pmod q, \quad \mu \approx \Delta \cdot m.
+$$
+
+### Addition in CKKS
+
+> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
+
+*Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$.
+
+$$
+\mu_\rm{add} = \mu + \mu' = (b + b') + \span{\bf{a} + \bf{a}', \bf{s}} \pmod q.
+$$
+
+If $\abs{\mu + \mu'} < q/2$, then
+
+$$
+\mu_\rm{add} = \mu + \mu' = \Delta \cdot (m + m'),
+$$
+
+so the decryption results in $\Delta\inv \cdot (\mu + \mu') \approx m + m'$.
+
+### Multiplication in CKKS
+
+We also use [tensor products](../2023-11-23-bgv-scheme/#tensor-product), and their properties.
+
+> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then,
+> 
+> $$
+> \bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
+> $$
+> 
+> is an encryption of $mm'$ with $(1, \bf{s}, \bf{s} \otimes \bf{s})$.
+
+*Proof*. It can be checked that
+
+$$
+\begin{aligned}
+\mu_\rm{mul} &= \mu\mu' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
+&= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} \pmod q
+\end{aligned}
+$$
+
+if $\abs{\mu\mu'} < q/2$. Then
+
+$$
+\mu_\rm{mul} = \mu\mu' \approx (\Delta \cdot m) \cdot (\Delta \cdot m') = \Delta^2 \cdot mm'.
+$$
+
+So $mm' \approx \Delta^{-2} \cdot \mu_\rm{mul}$.
+
+We have issues with multiplication, as we did in BGV.
+
+- The dimension of the ciphertext has increased to $n^2$.
+- The scaling factor has increased to $\Delta^2$.
+	- A larger scaling factor means more significant digits to calculate.
+
+### Dimension Reduction
+
+The relinearization procedure is almost the same as in [BGV relinearization](../2023-11-23-bgv-scheme/#relinearization).
+
+For convenience, let $a_{i, j} = a_i a_j'$.
+
+> **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
+> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and ${} e_{i, j, k} \la D_\sigma {}$.
+> - Compute ${} v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + e_{i, j, k} \pmod q {}$.
+> - Output ${} \bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k}) {}$.
+> 
+> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
+> 
+> $$
+> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \bf{w}_{i, j, k} \pmod q.
+> $$
+
+Correctness can be checked. The bounds for summations are omitted for brevity. They range from $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$.
+
+$$
+\begin{aligned}
+b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_{i, j}[k] \cdot v_{i, j, k} + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \span{\bf{u}_{i, j, k}, \bf{s}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \paren{v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{2^k \cdot s_is_j + e_{i, j, k}} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j} a_{i, j}s_i s_j + \sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \\
+&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}} + e\conj \\
+&= \mu_\rm{mul} + e\conj\pmod q.
+\end{aligned}
+$$
+
+Since
+
+$$
+e\conj = \sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \ll q,
+$$
+
+we have
+
+$$
+\mu_\rm{mul}^\ast = \mu_\rm{mul} + e\conj \approx \mu\mu' \approx \Delta^2 \cdot mm'.
+$$
+
+Note that the proof is identical to that of BGV linearization, except for missing constant factor $2$ in the error.
+
+### Scaling Factor Reduction
+
+In BGV, we used modulus switching for [noise reduction](../2023-11-23-bgv-scheme/#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**.
+
+Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately.
+
+> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ be given.
+> 
+> - Let $q' = \Delta \inv \cdot q$.[^2]
+> - Output $\bf{c}' = \round{\Delta\inv \cdot \bf{c}} \in \Z_{q'}^{n+1}$.
+
+Note that the modulus has been switched to $q'$. Constant multiplication and rounding is done component-wise on $\bf{c}$.
+
+We check that $\bf{c}'$ has scaling factor $\Delta$. We know that $\mu' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$.
+
+Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = \mu + kq$. By the choice of $b'$ and $\bf{a}'$, we have
+
+$$
+b' = \Delta\inv \cdot b + \epsilon_0, \quad a_i' = \Delta\inv \cdot a_i + \epsilon_i
+$$
+
+for some $\epsilon_i$ such that $\abs{\epsilon_i} \leq 0.5$. So we have
+
+$$
+\begin{aligned}
+\mu' &= \Delta\inv \cdot \paren{b + \sum_{i=1}^n a_i s_i} + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
+&= \Delta\inv \cdot (\mu + kq) + \epsilon \approx \Delta \inv \cdot (\Delta^2 \cdot m) + kq' = \Delta \cdot m \pmod{q'},
+\end{aligned}
+$$
+
+since $\epsilon = \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i$ is small.
+
+### Modulus Chain
+
+Using modulus switching, we can set ${} q_L = \Delta^{L+1} {}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q_{k-1} = q_k / \Delta$.
+
+Multiplication increases the scaling factor to $\Delta^2$, and then rescaling operation reduces the scaling factor back to $\Delta$.
+
+So we have a modulus chain,
+
+$$
+\Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta.
+$$
+
+When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](#bootstrapping) here.
+
+### Multiplication in CKKS (Summary)
+
+- Set up a modulus chain ${} q_k = \Delta^{k+1} {}$ for $k = 0, \dots, L$.
+- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and **scaling factor** $\Delta$.
+
+- (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
+	- Now we have $n^2$ dimensions and scaling factor $\Delta^2$.
+- (**Relinearization**)
+	- Back to $n$ dimensions and scaling factor $\Delta^2$.
+- (**Modulus Switching**; **Rescaling**)
+	- Modulus is switched to $q_{k-1}$ and scaling factor is back to $\Delta$.
+
+[^1]: The noise hasn't gone away since we didn't *fully evaluate* the decryption circuit, which takes the remainders from dividing by $q$ and $2$.
+[^2]: No rounding...?

_posts/Mathematics/Measure Theory/2023-01-11-algebra-of-sets.md

@@ -13,7 +13,7 @@ attachment:
   folder: assets/img/posts/Mathematics/Measure Theory
 ---
 
-![mt-01.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-01.png)
+![mt-01.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-01.png)
 
 르벡 적분을 공부하기 위해서는 먼저 집합의 ‘길이’ 개념을 공부해야 합니다. 그리고 집합의 ‘길이’ 개념을 확립하기 위해서는 집합 간의 연산과 이에 대한 구조가 필요합니다.
 

_posts/Mathematics/Measure Theory/2023-01-23-construction-of-measure.md

@@ -13,7 +13,7 @@ attachment:
   folder: assets/img/posts/Mathematics/Measure Theory
 ---
 
-![mt-02.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-02.png)
+![mt-02.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-02.png)
 
 이제 본격적으로 집합을 재보도록 하겠습니다. 우리가 잴 수 있는 집합들부터 시작합니다. $\mathbb{R}^p$에서 논의할 건데, 이제 여기서부터는 $\mathbb{R}$의 구간의 열림/닫힘을 모두 포괄하여 정의합니다. 즉, $\mathbb{R}$의 구간이라고 하면 $[a, b], (a, b), [a, b), (a, b]$ 네 가지 경우를 모두 포함합니다.
 

_posts/Mathematics/Measure Theory/2023-01-24-measure-spaces.md

@@ -17,7 +17,7 @@ attachment:
 
 Construction of measure 증명에서 추가로 참고할 내용입니다.
 
-![mt-03.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-03.png)
+![mt-03.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-03.png)
 
 **명제.** $A$가 열린집합이면 $A \in \mathfrak{M}(\mu)$ 이다. 또한 $A^C \in \mathfrak{M}(\mu)$ 이므로, $F$가 닫힌집합이면 $F \in \mathfrak{M}(\mu)$ 이다.
 

_posts/Mathematics/Measure Theory/2023-02-06-measurable-functions.md

@@ -155,7 +155,7 @@ $$s(x) = \sum_ {i=1}^{n} c_i \chi_ {E_i}(x).$$
 
 여기서 $E_i$에 measurable 조건이 추가되면, 정의에 의해 $\chi_ {E_i}$도 measurable function입니다. 따라서 모든 measurable simple function을 measurable $\chi_ {E_i}$의 linear combination으로 표현할 수 있습니다.
 
-![mt-04.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-04.png)
+![mt-04.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-04.png)
 
 아래 정리는 simple function이 Lebesgue integral의 building block이 되는 이유를 잘 드러냅니다. 모든 함수는 simple function으로 근사할 수 있습니다.
 

_posts/Mathematics/Measure Theory/2023-02-13-lebesgue-integration.md

@@ -121,7 +121,7 @@ $$\int f \,d{\mu} = \sup\left\lbrace \int h \,d{\mu}: 0\leq h \leq f, h \text{ m
 
 $f$보다 작은 measurable simple function의 적분값 중 상한을 택하겠다는 의미입니다. $f$보다 작은 measurable simple function으로 $f$를 근사한다고도 이해할 수 있습니다. 또한 $f$가 simple function이면 Step 2의 정의와 일치하는 것을 알 수 있습니다.
 
-![mt-05.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-05.png)
+![mt-05.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-05.png)
 
 $f \geq 0$ 가 measurable이면 증가하는 measurable simple 함수열 $s_n$이 존재함을 지난 번에 보였습니다. 이 $s_n$에 대하여 적분값을 계산해보면
 

_posts/Mathematics/Measure Theory/2023-03-25-convergence-theorems.md

@@ -19,7 +19,7 @@ attachment:
 
 먼저 단조 수렴 정리(monotone convergence theorem, MCT)입니다. 이 정리에서는 $f_n \geq 0$ 인 것이 매우 중요합니다.
 
-![mt-06.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-06.png)
+![mt-06.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-06.png)
 
 **정리.** (단조 수렴 정리) $f_n: X \rightarrow[0, \infty]$ 가 measurable이고 모든 $x \in X$ 에 대하여 $f_n(x) \leq f_ {n+1}(x)$ 라 하자.
 

_posts/Mathematics/Measure Theory/2023-04-07-dominated-convergence-theorem.md

@@ -149,7 +149,7 @@ $$[f] = \lbrace g \in \mathcal{L}^{1}(E, \mu) : f \sim g\rbrace.$$
 
 마지막 수렴정리를 소개하고 수렴정리와 관련된 내용을 마칩니다. 지배 수렴 정리(dominated convergence theorem, DCT)로 불립니다.
 
-![mt-07.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-07.png)
+![mt-07.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-07.png)
 
 **정리.** (지배 수렴 정리) Measurable set $E$와 measurable function $f$에 대하여, $\lbrace f_n\rbrace$이 measurable function의 함수열이라 하자. $E$의 거의 모든 점 위에서 극한 $f(x) = \displaystyle\lim_ {n \rightarrow\infty} f_n(x)$ 가 $\overline{\mathbb{R}}$에 존재하고 (점별 수렴) $\lvert f_n \rvert \leq g \quad \mu$-a.e. on $E$ ($\forall n \geq 1$) 를 만족하는 $g \in \mathcal{L}^{1}(E, \mu)$ 가 존재하면,
 

_posts/Mathematics/Measure Theory/2023-06-20-comparison-with-riemann-integral.md

@@ -13,7 +13,7 @@ attachment:
   folder: assets/img/posts/Mathematics/Measure Theory
 ---
 
-![mt-08.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-08.png)
+![mt-08.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-08.png)
 
 ## Comparison with the Riemann Integral
 

_posts/Mathematics/Measure Theory/2023-07-31-Lp-functions.md

@@ -13,7 +13,7 @@ attachment:
   folder: assets/img/posts/Mathematics/Measure Theory
 ---
 
-![mt-09.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-09.png){: .w-50}
+![mt-09.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-09.png){: .w-50}
 
 ## Integration on Complex Valued Function