[PUBLISHER] upload files #122

* PUSH NOTE : 01. Security Introduction.md

* PUSH ATTACHMENT : is-01-cryptosystem.png

_posts/Lecture Notes/Internet Security/2023-09-10-security-intro.md

@@ -36,7 +36,7 @@ attachment:
 In this course, we are mainly interested in system/network security!
 
 There are two categories in **IT Security**, (though the boundary is blurry)
-- **Computer** (system) **security** uses automated tools and mechanisms to protect **data in a computer**, against hackers, malware, etc.
+- **Computer** (system) **security** uses automated tools and mechanisms to protect the **data in a computer**, against hackers, malware, etc.
 - **Internet** (network) **security** prevents, detects, and corrects security violations that involve the **transmission of information** in a network.
 
 In internet security, we assume that:
@@ -52,7 +52,7 @@ In internet security, we assume that:
 	- inserting, modifying, deleting, replaying messages
 	- poisoning data
 	- impersonate and pretend to be someone else
-- Conventionally, we use the terms:
+- Conventionally, we use the following names:
 	- Alice and Bob for the two parties participating in the communication.
 	- Eve (or Mallory, Oscar) for the adversary.
 
@@ -94,9 +94,9 @@ This is only an overview, so the attacks are introduced briefly.
 There are two types of attacks in security attacks
 - **Active attacks**: modify the content of messages
 	- Ex. (D)DoS, MITM, poisoning, smurf attack, system attacks.
-	- *Prevention* is important since the active attacks are a danger to *data integrity* and *availability*.
+	- *Prevention* is important since the active attacks concern *data integrity* and *availability*.
 - **Passive attacks**: does not modify information, but observes the content or copies it.
-	- Ex. eavesdropping, port scanning (idle scan secretly scanns).
+	- Ex. eavesdropping, port scanning (idle scan secretly scans).
 	- *Detection* is important since passive attacks are a danger to *confidentiality*.
 
 ## Security Services and Mechanisms
@@ -112,7 +112,7 @@ What kind of security services do we want? The basic network security services m
 Additionally, we also need:
 - **Authentication**: a way to authenticate users (ID, passwords)
 - **Non-repudiation**: ensure that no party can deny that it sent or received a message or approved some information
-	- Assurance that someone cannot deny the validity of something
+	- Assurance that someone cannot deny the validity of message or information
 
 ### Attacks Against CIA Triad
 
@@ -142,10 +142,10 @@ There are many ways of achieving security.
 	- It may be desirable to not leak *any* information, so one might add padding to the traffic, so the traffic is indistinguishable by the adversary (prevents side-channel attacks)
 - **Digital signatures**: provides authenticity of digital messages or documents
 - **Trusted Third Party** (TTP): a safe third-party that we can trust
-	- If we have a TTP, a lot of problems go away. We can always ask the TTP for the truth
-	- But TTP can become a *single point of failure* (SPOF), and security architectures may become too dependent on the TTP
+	- If we have a TTP, a lot of problems go away. We can always ask the TTP for the truth.
+	- But TTP can become a *single point of failure* (SPOF), and security architectures may become too dependent on the TTP.
 - **Append-only server**: keeps track of all modifications, good for auditing
-	- Blockchain is a kind of append-only data structure
+	- Blockchain is a kind of append-only data structure.
 
 ## Cryptography
 
@@ -155,7 +155,7 @@ There are many ways of achieving security.
 
 ### Basics of a Cryptosystem
 
-![is-01-cryptosystem.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-01-cryptosystem.png)
+![is-01-cryptosystem.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-01-cryptosystem.png#)
 
 - A **message** in *plaintext* is given to an **encryption algorithm**.
 - The encryption algorithm uses an **encryption key** to create a *ciphertext*.
@@ -168,7 +168,7 @@ There are many ways of achieving security.
 There are two criteria for classifying cryptosystems.
 
 - How are the keys used?
-	- **Symmetric** cryptography uses a single key for both encryption and decryption
+	- **Symmetric** cryptography uses a single key for both encryption and decryption.
 	- **Public key** cryptography uses different keys for encryption and decryption, respectively.
 - How are plaintexts processed?
 	- **Block cipher**
@@ -232,7 +232,7 @@ In a smartphone, assets (things of value) would be
 For example,
 
 |Attacker|Abilities|Goals|
-|-|-|-|
+|:-:|-|-|
 |Thief|Steal the phone|Take the device|
 |FBI|Lot of things...|Obtain evidence from the device|
 |Eavesdropper|Observe network traffic|Steal information|

_posts/Lecture Notes/Internet Security/2023-09-18-symmetric-key-cryptography-2.md

@@ -28,8 +28,8 @@ attachment:
 ### Modules
 
 - **S-box**: a substitution module
-	- Usually for confusion
-	- $m \times n$ lookup box is needed, since it should be invertible
+	- Usually for confusion, also gives diffusion
+	- $m \times n$ lookup box is used for implementation
 - **P-box**: a permutation module
 	- Usually for diffusion
 	- Compared to the number of input bits,
@@ -42,28 +42,28 @@ attachment:
 - Standardized in 1979.
 - Block size is $64$ bits ($8$ bytes)
 - $64$ bits input $\rightarrow$ $64$ bits output
-- Key is $56$ bits, but there are $8$ bits representing parity, so total of $64$ bits
-	- Every $8$th bit is a parity bit
+- Key is $56$ bits, and every $8$th bit is a parity bit.
+	- Thus $64$ bits in total
 
 ### Encryption
 
 1. From the $56$-bit key, generate $16$ different $48$ bit keys $k_1, \dots, k_{16}$.
-2. The plaintext message goes through the P-box.
-3. The output goes through $16$ rounds, and in the round $i$, key $k_i$ is used.
+2. The plaintext message goes through an initial permutation.
+3. The output goes through $16$ rounds, and key $k_i$ is used in round $i$.
 4. After $16$ rounds, split the output into two $32$ bit halves and swap them.
-5. The output goes through the inverse of the P-box from Step 1.
+5. The output goes through the inverse of the permutation from Step 1.
 
-Let $L_{i-1} \parallel R_{i-1}$ be the output of round $i-1$, where $L_{i-1}$ and $R_{i-1}$ are $32$ bit halves. Also let $f$ be the Feistel function.
+Let $L_{i-1} \parallel R_{i-1}$ be the output of round $i-1$, where $L_{i-1}$ and $R_{i-1}$ are $32$ bit halves. Also let $f$ be the Feistel function.[^1]
 
-In each round $i$,
+In each round $i$, the following operation is performed:
 
 $$
-L_i = R_{i - 1}, \qquad R_i = L_{i-1} \oplus f(k_i, R_{i-1})
+L_i = R_{i - 1}, \qquad R_i = L_{i-1} \oplus f(k_i, R_{i-1}).
 $$
 
 #### The Feistel Function
 
-![is-03-feistel-function.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-feistel-function.png)
+![is-03-feistel-function.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-feistel-function.png#)
 
 The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
 
@@ -108,10 +108,10 @@ Thus $F$ and $G$ are inverses of each other, thus $f$ doesn't have to be inverti
 Also, note that
 
 $$
-G(L_i \parallel R_i) = F(L_i \oplus f(R_i) \parallel R_i),
+G(L_i \parallel R_i) = F(L_i \oplus f(R_i) \parallel R_i).
 $$
 
-so evaluating the decryption round is actually equivalent to running the encryption round with upper/lower $32$ bit halves swapped. Hence the reason for swapping each $32$ bit halves.
+Notice that evaluating $G$ is equivalent to evaluating $F$ on a encrypted block, with their upper/lower $32$ bit halves swapped. We get $L_i \oplus f(R_i) \parallel R_i$ exactly when we swap each halves of $F(L_i \parallel R_i)$. Thus, we can use the same hardware for encryption and decryption, which is the reason for swapping each $32$ bit halves.
 
 ## Advanced Encryption Standard (AES)
 
@@ -130,7 +130,7 @@ Each round consists of the following:
 - **AddRoundKey**: XOR with round key
 
 The first and last rounds are a little different.
-- Before the first round, AddRoundKey is done.
+- AddRoundKey is done before the first round.
 - The last round does not have MixColumns.
 
 The objectives of AES:
@@ -138,7 +138,7 @@ The objectives of AES:
 - Code must be compact, and should run fast on many CPUs
 - Design must be simple
 
-### Modules
+### Layers
 
 #### SubBytes
 
@@ -157,7 +157,7 @@ The objectives of AES:
 - For each column, each byte is replaced by a value
 	- The value depends on all 4 bytes of the column
 - Each column is processed separately
-	- Thus effectively, it is a matrix multiplication (Hill cipher)
+	- Thus effectively, it is a matrix multiplication (Hill cipher).[^2]
 
 #### AddRoundKey
 
@@ -171,7 +171,7 @@ These 4 modules are all invertible!
 - Why is there a AddRoundKey at the beginning?
 - Why is the last round different?
 
-Both are for engineering purposes, to make the encryption and decryption process the same. (Check!)
+Both are for engineering purposes, to make the encryption and decryption process the same.[^3]
 
 ## Modes of Operations
 
@@ -179,14 +179,14 @@ AES, DES use fixed block size for encryption. How do we encrypt longer messages?
 
 ### Electronic Codebook Mode (ECB)
 
-![is-03-ecb-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ecb-encryption.png)
+![is-03-ecb-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ecb-encryption.png#)
 
 - Codebook is a mapping table.
 - For the $i$-th plaintext block, we use key $k$ to encrypt and obtain the $i$-th ciphertext block.
 	- **Uses the same key for all blocks**
 - Adjacent blocks are independent of each other.
 - Advantages
-	- Good when run in parallel
+	- Fast when run in parallel
 - Limitations
 	- Repetitions in messages (if aligned with the block) may lead to repetitions in the ciphertext
 	- Susceptible to *cut-and-paste attacks*
@@ -198,7 +198,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 
 ### Cipher Block Chaining Mode (CBC)
 
-![is-03-cbc-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cbc-encryption.png)
+![is-03-cbc-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cbc-encryption.png#)
 
 - Two identical messages produce to different ciphertexts.
 	- This prevents chosen plaintext attacks
@@ -234,8 +234,8 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 - If the IV is the same, then the encryption of the same plaintext is the same.
 	- Thus IVs should be random.
 - IV are not required to be secret, but
-	- No IVs should be reused under the same key
-	- IV changes should be unpredictable
+	- **No IVs should be reused under the same key**
+	- **IV changes should be unpredictable**
 - On IV reuse, same message will generate the same ciphertext if key isn't changed
 - If IV is predictable, CBC is vulnerable to chosen plaintext attacks.
 	- Define Eve's new message $m' = \mathrm{IV} _ {\mathrm{E}} \oplus \mathrm{IV} _ {\mathrm{A}} \oplus g$, where
@@ -248,12 +248,12 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 
 ### Cipher Feedback Mode (CFB)
 
-![is-03-cfb-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cfb-encryption.png)
+![is-03-cfb-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-cfb-encryption.png#)
 
 - The message is treated as a stream of bits; similar to stream cipher
 - **Result of the encryption is fed to the next stage.**
 	- Standard allows any number of bits to be fed to the next stage
-	- It is most efficient to use all $64$ bits (CFB-64)
+	- It is most efficient to use all bits.
 - Initialization vector is used.
 	- Same requirements on the IV as CBC mode.
 	- Should be randomized, and should not be predictable.
@@ -277,13 +277,13 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 - CFB mode is self-recovering.
 - 1 bit error in the ciphertext corrupts some number of blocks.
 	- Bit errors in the ciphertext will cause bit errors at the same position.
-	- Since this ciphertext is fed to the next block, the error is propagated
+	- Since this ciphertext is fed to the next block, the error is propagated.
 - Some implementations (like CFB-8) use shift registers, so errors will be propagated as long as the erroneous bit is in the shift register.
 	- If the error is removed from the shift register, it automatically recovers.
 
 ### Output Feedback Mode (OFB)
 
-![is-03-ofb-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ofb-encryption.png)
+![is-03-ofb-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ofb-encryption.png#)
 
 - Very similar to stream cipher.
 - Initialization vector is used as a seed to generate the key stream.
@@ -316,14 +316,39 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
 
 ### Counter Mode (CTR)
 
-![is-03-ctr-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ctr-encryption.png)
+![is-03-ctr-encryption.png](../../../assets/img/posts/Lecture%20Notes/Internet%20Security/is-03-ctr-encryption.png#)
 
 - Without chaining, we use a counter (typically incremented by $1$).
 	- Counter starts from the initialization vector.
 	- Highly parallelizable.
 	- Can decrypt from any arbitrary position.
 - Counter should not be repeated for the same key.
+	- Suppose that the same counter $ctr$ is used for encrypting $m_0$ and $m_1$.
+	- Encryption results are: $(ctr, E(k, ctr) \oplus m_0), (ctr, E(k, ctr) \oplus m_1)$.
+	- Then the attacker can obtain $m_0 \oplus m_1$.
+
+## Modes of Operations Summary
+
+|Criteria\Modes|ECB|CBC|CFB|OFB|CTR|
+|:-:|:-:|:-:|:-:|:-:|:-:|
+|IV|-|Yes|Yes|Yes|Counter|
+|Encryption Parallelizable|Yes|No|No|Yes\*|Yes|
+|Decryption Parallelizable|Yes|Yes|Yes|Yes\*|Yes|
+|Random Read Access|Yes|Yes|Yes|No|Yes|
+|Self-Recovering|-|Yes|Yes|-|-|
+
+- OFB is parallelizable only if the keystream is generated in advance.
+- We don't have to consider self-recovery if the ciphertext is not fed into the encryption of the next block.
+	- Errors in the ciphertext are not be propagated for ECB, OFB and CTR.
+- **Random read access**
+	- Suppose that a part of the plaintext changes.
+	- In OFB, the *whole* keystream must be recalculated to fix the ciphertext.
+	- But for other modes, only a part of the ciphertext needs to be changed, using the information from the previous block if necesary.
 
 ---
 
 Images are from [Wikipedia](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation).
+
+[^1]: Some people call this function the *mangler* function.
+[^2]: Over the finite field $\mathrm{GF}(2^8)$.
+[^3]: See also a helpful [question](https://crypto.stackexchange.com/questions/1346/why-is-mixcolumns-omitted-from-the-last-round-of-aes) on cryptography SE.

_posts/Lecture Notes/Internet Security/2023-10-04-modular-arithmetic-2.md

@@ -0,0 +1,277 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Internet Security
+tags:
+  - lecture-note
+  - security
+  - cryptography
+  - number-theory
+title: 05. Modular Arithmetic (2)
+date: 2023-10-04
+github_title: 2023-10-04-modular-arithmetic-2
+---
+
+## Exponentiation by Squaring
+
+Suppose we want to calculate $a^n$ where $n$ is very large, like $n \approx 2^{1000}$. A naive multiplication would take $\mathcal{O}(n)$ multiplications. We will ignore integer overflow for simplicity.
+
+```c
+int naive_exponentiation(int a, int n) {
+    int result = 1;
+    for (int i = 0; i < n; ++i) {
+        result *= a;
+    }
+    return result;
+}
+```
+
+Using the above implementation, computing $3^{2^{63} - 1}$ takes almost forever...
+
+Instead, we use **exponentiation by squaring** method. Notice the following,
+
+$$
+a^n = \begin{cases}
+(a^2)^{\frac{n}{2}} & (n \text{ is even})\\
+a \cdot (a^2)^{\frac{n-1}{2}} & (n \text{ is odd})
+\end{cases}.
+$$
+
+Therefore, the exponent is reduced by half for every multiplication. Here is the implementation. The base cases are to be handled separately.
+
+```c
+int exponentiation_by_squaring(int a, int n) {
+    if (n == 0) {
+        return 1;
+    } else if (n == 1) {
+        return a;
+    }
+
+    int result = 1;
+    if (n % 2 == 0) {
+        return exponentiation_by_squaring(a * a, n / 2);
+    } else {
+        return a * exponentiation_by_squaring(a * a, (n - 1) / 2);
+    }
+}
+```
+
+The above code executes about $\mathcal{O}(\log n)$ multiplications. Now we can actually get an answer for $3^{2^{63} - 1}$.
+
+Alternatively, here is an iterative version of the above for those who want to save some memory.
+
+```c
+int exponentiation_by_squaring_iterative(int a, int n) {
+    int result = 1;
+    int base = a, exponent = n;
+    while (exponent > 0) {
+        if (n % 2 == 1) {
+            result *= base;
+        }
+
+        base *= base;
+        exponent /= 2;
+    }
+    return result;
+}
+```
+
+For even better (maybe faster) results, we need the help of elementary number theory.
+
+## Fermat's Little Theorem
+
+> **Theorem.** Let $p$ be prime. For $a \in \mathbb{Z}$ such that $\gcd(a, p) = 1$,
+> 
+> $$
+> a^{p-1} \equiv 1 \pmod p.
+> $$
+
+*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^*$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$.
+
+Here is an elementary proof not using group theory.
+
+*Proof*. (Elementary) Let $S = \left\lbrace 0, 1, \dots, p-1 \right\rbrace$. Consider a map $f : S \rightarrow S$ defined as $x \mapsto ax \bmod p$ ($a \neq 0$).
+
+We will show that $f$ is injective. Suppose that $ax \equiv ay \pmod p$ for distinct $x, y \in S$. Since $\gcd(a, p) = 1$, $a$ has a multiplicative inverse, thus $x \equiv y \pmod p$. Then $x, y$ should be same elements of $S$.
+
+By injectivity, $f(i)$ are distinct for all $i \in S$, so $f$ is a permutation on $S$. Therefore, the product of all elements of $S$ must be equal to the product of all $f(i)$ for $i \in S$.
+
+$$
+(p-1)! \equiv f(1)f(2)\cdots f(p-1) \equiv a^{p-1} \cdot (p-1)!\pmod p.
+$$
+
+Since $\gcd(i, p) = 1$ for all $i \in S$, we can multiply the multiplicative inverse for all $i \in S$ and we get $a^{p-1} \equiv 1 \pmod p$.
+
+## Euler's Totient Function
+
+For composite modulus, we have Euler's generalization. Before proving the theorem, we first need to define Euler's totient function.
+
+> **Definition.** Let $n \in \mathbb{N}$. Define $\phi(n)$ as the number of positive integers $k \leq n$ such that $\gcd(n, k) = 1$.
+
+For direct calculation, we use the following formula.
+
+> **Lemma.** For $n \in \mathbb{N}$, the following holds.
+> 
+> $$
+> \phi(n) = n \cdot \prod_{p \mid n} \left( 1 - \frac{1}{p} \right)
+> $$
+> 
+> where $p$ is a prime number dividing $n$.
+
+So to calculate $\phi(n)$, we need to **factorize** $n$. From the formula above, we have some corollaries.
+
+> **Corollary.** For prime numbers $p, q$ and $k \in \mathbb{N}$, the following hold.
+> 1. $\phi(p) = p - 1$.
+> 2. $\phi(pq) = (p-1)(q-1)$.
+> 3. $\phi(p^k) = p^{k-1}(p-1)$.
+
+### Reduced Set of Residues
+
+Let $n \in \mathbb{N}$. The **complete set of residues** was denoted $\mathbb{Z}_n$ and
+
+$$
+\mathbb{Z}_n = \left\lbrace 0, 1, \dots, n-1 \right\rbrace.
+$$
+
+We also often use the **reduced set of residues**.
+
+> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^*$.
+> 
+> $$
+> \mathbb{Z}_n^* = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
+> $$
+
+Then by definition, we have the following result.
+
+> **Lemma.** $\left\lvert \mathbb{Z}_n^* \right\lvert = \phi(n)$.
+
+We can also show that $\mathbb{Z}_n^*$ is a multiplicative group.
+
+> **Lemma.** $\mathbb{Z}_n^*$ is a multiplicative group.
+
+*Proof*. Let $a, b \in \mathbb{Z}_n^{ * }$. We must check if $ab \in \mathbb{Z}_n^{ * }$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^{ * }$.
+
+Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^*$ exists since $\gcd(a, n) = 1$.
+
+Now we can prove Euler's generalization.
+
+## Euler's Generalization
+
+> **Theorem.** Let $a \in \mathbb{Z}$ such that $\gcd(a, n) = 1$. Then
+> 
+> $$
+> a^{\phi(n)} \equiv 1 \pmod n.
+> $$
+
+*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^\left\lvert \mathbb{Z}_n^{ * } \right\lvert = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
+
+*Proof*. (Elementary) Set $f : \mathbb{Z}_n^* \rightarrow \mathbb{Z}_n^*$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
+
+Using the above result, we remark an important result that will be used in RSA.
+
+> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^*$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
+
+*Proof*. $a = b + k\phi(n)$ for some $k \in \mathbb{Z}$. Then
+
+$$
+x^a \equiv x^{b + k\phi(n)} = (x^{\phi(n)})^k \cdot x^b \equiv x^b \pmod n
+$$
+
+by Euler's generalization.
+
+## Groups Based on Modular Arithmetic
+
+> **Definition.** A **group** is a set $G$ with a binary operation $* : G \times G \rightarrow G$, satisfying the following properties.
+> 
+> - $(\mathsf{G1})$ The binary operation $*$ is **closed**.
+> - $(\mathsf{G2})$ The binary operation $*$ is **associative**, so $(a * b) * c = a * (b * c)$ for all $a, b, c \in G$.
+> - $(\mathsf{G3})$ $G$ has an **identity** element $e$ such that $e * a = a * e = a$ for all $a \in G$.
+> - $(\mathsf{G4})$ There is an **inverse** for every element of $G$. For each $a \in G$, there exists $x \in G$ such that $a * x = x * a = e$. We write $x = a^{-1}$ in this case.
+
+$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^*$ is a multiplicative group.
+
+## Chinese Remainder Theorem (CRT)
+
+> **Theorem.** Let $n_1, \dots, n_k$ integers greater than $1$, and let $N = n_1n_2\cdots n_k$. If $n_i$ are pairwise relatively prime, then the system of equations $x \equiv a_i \pmod {n_i}$ has a unique solution modulo $N$.
+> 
+> *(Abstract Algebra)* The map
+> 
+> $$
+> x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k)
+> $$
+> 
+>  defines a ring isomorphism
+> 
+> $$
+>  \mathbb{Z}_N \simeq \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}.
+> $$
+
+*Proof*. (**Existence**) Let $N_i = N/n_i$. Then $\gcd(N_i, n_i) = 1$. By the extended Euclidean algorithm, there exist integers $M_i, m_i$ such that $M_iN_i + m_in_i= 1$. Now set
+
+$$
+x = \sum_{i=1}^k a_i M_i N_i.
+$$
+
+Then $x \equiv a_iM_iN_i \equiv a_i(1 - m_in_i) \equiv a_i \pmod {n_i}$ for all $i = 1, \dots, k$.
+
+(**Uniqueness**) Suppose that we have two distinct solutions $x, y$ modulo $N$. $x, y$ are solutions to $x \equiv a_i \pmod {n_i}$, so $n_i \mid (x - y)$ for all $i$. Therefore we have
+
+$$
+\mathrm{lcm}(n_1, \dots, n_k) \mid (x - y).
+$$
+
+But $n_i$ are pairwise relatively prime, so $\mathrm{lcm}(n_1, \dots, n_k) = N$ and $N \mid (x-y)$. Hence $x \equiv y \pmod N$.
+
+*Proof*. (**Abstract Algebra**) The above uniqueness proof shows that the map
+
+$$
+x \bmod N \mapsto (x \bmod n_1, \dots, x \bmod n_k) 
+$$
+
+is injective. By pigeonhole principle, this map must also be surjective. This map is also a ring homomorphism, by the properties of modular arithmetic. We have a ring isomorphism.
+
+### Notes on the Proof of the Chinese Remainder Theorem
+
+The elementary proof given above gives a *direct construction* of the solution. It is clear and easy to understand, and tells us how to find the actual solution.
+
+But when the above proof is used in actual computation, it involves computations of very large numbers. The following is an implementation.
+
+```cpp
+// remainder holds the a_i values
+// modulus holds the n_i values
+int chinese_remainder_theorem(vector<int>& remainder, vector<int>& modulus) {
+    int product = 1;
+    for (int m : modulus) {
+        product *= m;
+    }
+
+    int result = 0;
+    for (int i = 0; i < (int) modulus.size(); ++i) {
+        int N_i = product / modulus[i];
+        result += remainder[i] * modular_inverse(N_i, modulus[i]) * N_i;
+        result %= product;
+    }
+
+    return result;
+}
+```
+
+The `modular_inverse` function uses the extended Euclidean algorithm to find $M_i$ in the proof. For large moduli and many equations, $N_i = N / n_i$ results in a very large number, which is hard to handle (if your language has integer overflow) and takes longer to compute.
+
+A better way is to construct the solution **inductively**. Find a solution for the first two equations,
+
+$$
+\begin{array}{c}
+x \equiv a_1 \pmod{n_1} \\
+x \equiv a_2 \pmod{n_2}
+\end{array} \implies x \equiv a_{1, 2} \pmod{n_1n_2}
+$$
+
+and using the result, add the next equation $x \equiv a_3 \pmod{n_3}$ and find a solution.[^1]
+
+Lastly, the ring isomorphism actually tells us a lot and is quite effective for computation. Since the two rings are *isomorphic*, operations in $\mathbb{Z} _ N$ can be done independently in each $\mathbb{Z} _ {n_i}$ and then merged back to $\mathbb{Z} _ N$. $N$ was a large number, so computations can be much faster in $\mathbb{Z} _ {n _ i}$. Specifically, we will see how this fact is used for computations in RSA.
+
+[^1]: I have an implementation in my repository. [Link](https://github.com/calofmijuck/BOJ/blob/4b29e0c7f487aac3186661176d2795f85f0ab21b/Codes/23000/23062.cpp#L38).

_posts/Lecture Notes/Internet Security/2023-10-04-rsa-elgamal.md

@@ -0,0 +1,179 @@
+---
+share: true
+toc: true
+math: true
+categories:
+  - Lecture Notes
+  - Internet Security
+tags:
+  - lecture-note
+  - security
+  - cryptography
+  - number-theory
+title: 06. RSA and ElGamal Encryption
+date: 2023-10-04
+github_title: 2023-10-04-rsa-elgamal
+---
+
+## Exponential Inverses
+
+Suppose we are given integers $a$ and $N$. For any integer $x$ that is relatively prime to $N$, we choose $b$ so that
+
+$$
+ 
+\tag{$*$}
+ab \equiv 1 \pmod{\phi(N)}.
+$$
+
+Then we have
+
+$$
+x^{ab} \equiv x^{1 + k\phi(N)} \equiv x \pmod N
+$$
+
+by Euler's generalization.
+
+> **Definition.** The integer $b$ satisfying $(\ast)$ is called the **exponential inverse of $a$ modulo $N$**.
+
+Using exponential inverses will be a key idea in the RSA cryptosystem.
+
+## RSA Cryptosystem
+
+This is an explanation of *textbook* RSA encryption scheme.
+
+### Key Generation
+
+- We pick two large primes $p, q$ and set $N = pq$.
+- Select $(e, d)$ so that $ed \equiv 1 \pmod{\phi(N)}$.
+- Set $(N, e)$ as the **public key** and make it public.
+- Set $d$ as the **private key** and keep it secret.
+
+### RSA Encryption and Decryption
+
+Suppose we want to encrypt a message $m \in \mathbb{Z}_N$.
+
+- **Encryption**
+	- Using the public key $(N, e)$, compute the ciphertext $c = m^e \bmod N$.
+- **Decryption**
+	- Recover the original message by computing $c^d \bmod N$.
+
+### Correctness of RSA?
+
+Since $ed \equiv 1 \pmod{\phi(N)}$, we have
+
+$$
+c^d \equiv m^{ed} \equiv m \pmod N
+$$
+
+by the properties of exponential inverses.
+
+Wait, but the properties requires that $\gcd(m, N) = 1$. So it seems like we can't use some values of $m$. Furthermore, it should be computationally infeasible to recover $d$ using $e$ and $N$.
+
+### Regarding the Choice of $N$
+
+If $N$ is prime, it is very easy to find $d$. Since the relation $ed \equiv 1 \pmod {(N-1)}$ holds, we directly see that $d$ can be computed efficiently using the extended Euclidean algorithm.
+
+The next simplest case would be setting $N = pq$ for two large primes $p$ and $q$. We expose $N$ to the public but hide primes $p$ and $q$. Now suppose the attacker wants to compute $d$ using $(N, e)$. The attacker knows that $ed \equiv 1 \pmod {\phi(N)}$, and $\phi(N) = (p-1)(q-1)$. So to calculate $d$, the attacker must know $\phi(N)$, which requires the **factorization of $N$**.
+
+If the factorization $N = pq$ is known, finding $d$ is easy. But factoring large prime numbers (especially a product of two primes of similar size) is known to be very difficult.[^1] No one has formally proven this, but we believe and assume that it is hard.[^2]
+
+## Chinese Remainder Theorem in RSA
+
+Assume that the message $m$ is not divisible by both $p$ and $q$. By Fermat's little theorem, we have $m^{p-1} \equiv 1 \pmod p$ and $m^{q-1} \equiv 1 \pmod q$.
+
+Therefore, for decryption in RSA, the following holds. Note that $N = pq$.
+
+$$
+c^d \equiv m^{ed} \equiv m^{1 + k\phi(N)} \equiv m \cdot (m^{p-1})^{k(q-1)} \equiv m \cdot 1^{k(q-1)} \equiv m \pmod p.
+$$
+
+A similar result holds for modulus $q$. This does not exactly recover the message yet, since $m$ could have been chosen to be larger than $p$. The above equation is true, but during actual computation, one may get a result that is less than $p$. *This may not be equal to the original message*.[^3]
+
+Since $N = pq$, we use the Chinese remainder theorem. Instead of computing $c^d \pmod N$, we can compute
+
+$$
+c^d \equiv m \pmod p, \qquad c^d \equiv m \pmod q
+$$
+
+independently and solve the system of equations to recover the message.
+
+## Can I Encrypt $p$ with RSA?
+
+Now we return to the problem where $\gcd(m, N) \neq 1$. The probability of $\gcd(m, N) \neq 1$ is actually $\frac{1}{p} + \frac{1}{q} - \frac{1}{pq}$, so if we take large primes $p, q \approx 2^{1000}$ as in RSA2048, the probability of this occurring is roughly $2^{-999}$, which is negligible. But for completeness, we also prove for this case.
+
+$e, d$ are still chosen to satisfy $ed \equiv 1 \pmod {\phi(N)}$. Suppose we want to decrypt $c \equiv m^e \pmod N$.
+
+We will also use the Chinese remainder theorem here.
+
+Since $\gcd(m, N) \neq 1$ and $N = pq$, we have $p \mid m$. So if we compute in $\mathbb{Z}_p$, we will get $0$,
+
+$$
+c^d \equiv m^{ed} \equiv 0^{ed} \equiv 0 \pmod p.
+$$
+
+We also do the computation in $\mathbb{Z}_q$ and get
+
+$$
+c^d \equiv m^{ed} \equiv m^{1 + k\phi(N)} \equiv m\cdot (m^{q-1})^{k(p-1)} \equiv m \cdot 1^{k(p-1)} \equiv m \pmod q.
+$$
+
+Here, we used the fact that $m^{q-1} \equiv 1 \pmod q$. This holds because if $p \mid m$, $m$ is a multiple of $p$ that is less than $N$, so $m = pm'$ for some $m'$ such that $1 \leq m' < q$. Then $\gcd(m, q) = \gcd(pm', q) = 1$ since $q$ does not divide $p$ and $m'$ is less than $q$.
+
+Therefore, from $c^d \equiv 0 \pmod p$ and $c^d \equiv (m \bmod q) \pmod q$, we can recover a unique solution $c^d \equiv m \pmod N$.
+
+Now we must argue that the recovered solution is actually equal to the original $m$. But what we did above was showing that $m^{ed}$ and $m$ in $\mathbb{Z}_N$ are mapped to the same element $(0, m \bmod q)$ in $\mathbb{Z}_p \times \mathbb{Z}_q$. Since the Chinese remainder theorem tells us that this mapping is an isomorphism, $m^{ed}$ and $m$ must have been the same elements of $\mathbb{Z}_N$ in the first place.
+
+Notice that we did not require $m$ to be relatively prime to $N$. Thus the RSA encryption scheme is correct for any $m \in \mathbb{Z}_N$.
+
+## Correctness of RSA with Fermat's Little Theorem
+
+Actually, the above argument can be proven only with Fermat's little theorem. In the above proof, the Chinese remainder theorem was used to transform the operation, but for $N = pq$, the situation is simple enough that this theorem is not necessarily required.
+
+Let $M = m^{ed} - m$. We have shown above only using Fermat's little theorem that $p \mid M$ and $q \mid M$, for any choice of $m \in \mathbb{Z}_N$. Then since $N = pq = \mathrm{lcm}(p, q)$, we have $N \mid M$, so $m^{ed} \equiv m \pmod N$. Hence the RSA scheme is correct.
+
+So we don't actually need Euler's generalization for proving the correctness of RSA...?! In fact, the proof given in the original paper of RSA used Fermat's little theorem.
+
+## Discrete Logarithms
+
+This is an inverse problem of exponentiation. The inverse of exponentials is logarithms, so we consider the **discrete logarithm of a number modulo $p$**.
+
+Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^*$, since if $g$ is the generator, a solution always exists.
+
+Read more in [discrete logarithm problem (Modern Cryptography)](2023-10-03-key-exchange.md#discrete-logarithm-problem-dl).
+
+## ElGamal Encryption
+
+This is an encryption scheme built upon the hardness of the DLP.
+
+> 1. Let $p$ be a large prime.
+> 2. Select a generator $g \in \mathbb{Z}_p^*$.
+> 3. Choose a private key $x \in \mathbb{Z}_p^*$.
+> 4. Compute the public key $y = g^x \pmod p$.
+> 	- $p, g, y$ will be publicly known.
+> 	- $x$ is kept secret.
+
+### ElGamal Encryption and Decryption
+
+Suppose we encrypt a message $m \in \mathbb{Z}_p^*$.
+
+> 1. The sender chooses a random $k \in \mathbb{Z}_p^*$, called *ephemeral key*.
+> 2. Compute $c_1 = g^k \pmod p$ and $c_2 = my^k \pmod p$.
+> 3. $c_1, c_2$ are sent to the receiver.
+> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^*$.
+> 5. Then $c_2y^{-k} \equiv m \pmod p$, recovering the message.
+
+The attacker will see $g^k$. By the hardness of DLP, the attacker is unable to recover $k$ even if he knows $g$.
+
+#### Ephemeral Key Should Be Distinct
+
+If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z} _ p^{ * }$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z} _ p^{ * }$, inverses exist. So
+
+$$
+m_1y^k \cdot (m_2 y^k)^{-1} \equiv m_1m_2^{-1} \equiv 1 \pmod p
+$$
+
+which implies that $m_1 \equiv m_2 \pmod p$, leaking some information.
+
+[^1]: If one of the primes is small, factoring is easy. Therefore we require that $p, q$ both be large primes.
+[^2]: There is a quantum polynomial time (BQP) algorithm for integer factorization. See [Shor's algorithm](https://en.wikipedia.org/wiki/Shor%27s_algorithm).
+[^3]: This part of the explanation is not necessary if we use abstract algebra!