Compare commits

...

5 Commits

Author SHA1 Message Date
c9f7af5f3d [PUBLISHER] upload files #174
* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
2024-11-13 11:54:22 +09:00
4170b00a8e [PUBLISHER] upload files #173
* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
2024-11-13 11:11:17 +09:00
752f08937a [PUBLISHER] upload files #172
* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
2024-11-13 11:09:38 +09:00
22a729f12f [PUBLISHER] upload files #171
* PUSH NOTE : 9. Public Key Encryption.md

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH ATTACHMENT : is-03-ecb-encryption.png

* PUSH ATTACHMENT : is-03-cbc-encryption.png

* PUSH ATTACHMENT : is-03-ctr-encryption.png

* PUSH NOTE : 07. Public Key Cryptography.md

* PUSH NOTE : 7. Key Exchange.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md

* PUSH NOTE : 6. Hash Functions.md

* DELETE FILE : _posts/lecture-notes/internet-security/2023-10-03-key-exchange.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* DELETE FILE : assets/img/posts/lecture-notes/modern-cryptography/is-03-cbc-encryption.png

* DELETE FILE : assets/img/posts/lecture-notes/modern-cryptography/is-03-ctr-encryption.png

* DELETE FILE : assets/img/posts/lecture-notes/modern-cryptography/is-03-ecb-encryption.png
2024-11-13 10:54:01 +09:00
6960edd3d4 [PUBLISHER] upload files #170
* PUSH NOTE : 05. Lebesgue Integration.md

* PUSH NOTE : 04. Measurable Functions.md

* PUSH NOTE : 03. Measure Spaces.md

* PUSH NOTE : 02. Construction of Measure.md

* PUSH NOTE : Rules of Inference with Coq.md

* PUSH NOTE : 9. Public Key Encryption.md

* PUSH NOTE : 7. Key Exchange.md

* PUSH NOTE : 6. Hash Functions.md

* PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md

* PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* PUSH NOTE : 07. Public Key Cryptography.md

* PUSH NOTE : 06. RSA and ElGamal Encryption.md

* PUSH NOTE : 05. Modular Arithmetic (2).md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* PUSH NOTE : 02. Symmetric Key Cryptography (1).md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-19-public-key-encryption.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-10-09-public-key-cryptography.md
2024-11-13 10:49:03 +09:00
16 changed files with 200 additions and 178 deletions

View File

@@ -2,18 +2,23 @@
share: true
toc: true
math: true
categories: [Mathematics, Measure Theory]
tags: [math, analysis, measure-theory]
title: "02. Construction of Measure"
date: "2023-01-23"
github_title: "2023-01-23-construction-of-measure"
categories:
- Mathematics
- Measure Theory
tags:
- math
- analysis
- measure-theory
title: 02. Construction of Measure
date: 2023-01-23
github_title: 2023-01-23-construction-of-measure
image:
path: /assets/img/posts/Mathematics/Measure Theory/mt-02.png
attachment:
folder: assets/img/posts/Mathematics/Measure Theory
---
![mt-02.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-02.png)
![mt-02.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-02.png)
이제 본격적으로 집합을 재보도록 하겠습니다. 우리가 잴 수 있는 집합들부터 시작합니다. $\mathbb{R}^p$에서 논의할 건데, 이제 여기서부터는 $\mathbb{R}$의 구간의 열림/닫힘을 모두 포괄하여 정의합니다. 즉, $\mathbb{R}$의 구간이라고 하면 $[a, b], (a, b), [a, b), (a, b]$ 네 가지 경우를 모두 포함합니다.
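Review bot: the image reference on the last line of this hunk moves from the site-absolute `/assets/img/posts/Mathematics/Measure%20Theory/mt-02.png` to the source-relative `../../../assets/img/posts/Mathematics/Measure%20Theory/mt-02.png`. The absolute form resolves from any rendered URL; the relative form assumes the rendered page sits exactly three directories below the site root, which a Jekyll permalink does not guarantee, so confirm the build rewrites such links (the `attachment.folder` key added here suggests a publisher step does) before relying on it for the other three posts converted the same way in this patch. The front-matter rewrite itself is equivalent: flow lists to block lists, and dropping the quotes still yields strings for `title` and `github_title`; `date: 2023-01-23` now loads as a YAML date rather than a string, which Jekyll accepts. One nit: `image.path` keeps a literal space in `Measure Theory` while the body link percent-encodes it; pick one form.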
@@ -139,11 +144,11 @@ Countably additive 조건이 성립하는 집합들만 모아서 measure를 cons
$$\left.\begin{array}{c}d(A_1 \cup A_2, B_1 \cup B_2) \\d(A_1 \cap A_2, B_1 \cap B_2) \\d(A_1 \setminus A_2, B_1 \setminus B_2)\end{array}\right\rbrace\leq d(A_1, B_1) + d(A_2, B_2).$$
**정의.** (Finitely $\mu$-measurable) 집합 $A_n \in \Sigma$ 이 존재하여 $A_n \rightarrow A$ 이면 $A$가 **finitely $\mu$-measurable**이라 한다. 그리고 finitely $\mu$-measurable한 집합의 모임을 $\mathfrak{M} _ F(\mu)$로 표기한다.
**정의.** (Finitely $\mu$-measurable) 집합 $A_n \in \Sigma$ 이 존재하여 $A_n \rightarrow A$ 이면 $A$가 **finitely $\mu$-measurable**이라 한다. 그리고 finitely $\mu$-measurable한 집합의 모임을 $\mathfrak{M}_F(\mu)$로 표기한다.
위 정의는 $\mu$라는 set function에 의해 $\mu^\ast (A_n \mathop{\mathrm{\triangle}}A) \rightarrow 0$ 이 되는 elementary set $A_n$이 존재한다는 의미입니다.
**정의.** ($\mu$-measurable) $A_n \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 이면 $A$가 **$\mu$-measurable**이라 한다. 그리고 $\mu$-measurable한 집합의 모임을 $\mathfrak{M}(\mu)$로 표기한다.
**정의.** ($\mu$-measurable) $A_n \in \mathfrak{M}_F(\mu)$ 에 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 이면 $A$가 **$\mu$-measurable**이라 한다. 그리고 $\mu$-measurable한 집합의 모임을 $\mathfrak{M}(\mu)$로 표기한다.
**참고.** $\mu^\ast(A) = d(A, \varnothing) \leq d(A, B) + \mu^\ast(B)$.
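Review bot: the `\mathfrak{M} _ F(\mu)` to `\mathfrak{M}_F(\mu)` change (repeated through this file and its footnotes) removes what is normally a deliberate workaround: with inline `$...$` math, a Markdown renderer that does not protect math spans can pair the `_` after `\mathfrak{M}` with a later `_` on the same line and emit `<em>`, which is exactly why the spaced `_ F` form gets used. Before merging, render a line carrying two subscripts, such as the second definition here (`$\mathfrak{M}_F(\mu)$ ... $\bigcup_ {n=1}^\infty$`), and confirm no emphasis appears. Note also that the conversion is partial: `\bigcup_ {n=1}^\infty` on the same line keeps the spaced form, so the file now mixes both conventions.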
@@ -151,7 +156,7 @@ Countably additive 조건이 성립하는 집합들만 모아서 measure를 cons
$$\lvert \mu^\ast(A) - \mu^\ast(B) \rvert \leq d(A, B).$$
**따름정리.** $A \in \mathfrak{M} _ F(\mu)$ 이면 $\mu^\ast(A) < \infty$ 이다.
**따름정리.** $A \in \mathfrak{M}_F(\mu)$ 이면 $\mu^\ast(A) < \infty$ 이다.
**증명.** $A_n \in \Sigma$ 존재하여 $A_n \rightarrow A$ 이고, $N \in \mathbb{N}$ 존재하여
@@ -159,7 +164,7 @@ $$\mu^\ast(A) \leq d(A_N, A) + \mu^\ast(A_N) \leq 1 + \mu^\ast(A_N) < \infty$$
이다.
**따름정리.** $A_n \rightarrow A$ 이고 $A_n, A \in \mathfrak{M} _ F(\mu)$ 이면 $\mu^\ast(A_n)\rightarrow\mu^\ast(A) < \infty$ 이다.
**따름정리.** $A_n \rightarrow A$ 이고 $A_n, A \in \mathfrak{M}_F(\mu)$ 이면 $\mu^\ast(A_n)\rightarrow\mu^\ast(A) < \infty$ 이다.
**증명.** $\mu^\ast(A)$, $\mu^\ast(A_n)$ 유한하므로, $n \rightarrow\infty$ $\lvert \mu^\ast(A_n) - \mu^\ast(A) \rvert \leq d(A_n, A) \rightarrow 0$ 이다.
@@ -171,15 +176,15 @@ $$\mu^\ast(A) \leq d(A_N, A) + \mu^\ast(A_N) \leq 1 + \mu^\ast(A_N) < \infty$$
**증명.** $\mathfrak{M}(\mu)$ $\sigma$-algebra이고 $\mu^\ast$ $\mathfrak{M}(\mu)$에서 countably additive임을 보이면 충분하다.
**(Step 0)** *$\mathfrak{M} _ F(\mu)$는 ring이다.*
**(Step 0)** *$\mathfrak{M}_F(\mu)$는 ring이다.*
$A, B \in \mathfrak{M} _ F(\mu)$ 하자. 그러면 $A_n, B_n \in \Sigma$ 존재하여 $A_n \rightarrow A$, $B_n \rightarrow B$ 된다. 그러면
$A, B \in \mathfrak{M}_F(\mu)$ 하자. 그러면 $A_n, B_n \in \Sigma$ 존재하여 $A_n \rightarrow A$, $B_n \rightarrow B$ 된다. 그러면
$$\left.\begin{array}{c}d(A_n \cup B_n, A \cup B) \\ d(A_n \cap B_n, A \cap B) \\ d(A_n \setminus B_n, A \setminus B)\end{array}\right\rbrace\leq d(A_n, A) + d(B_n, B) \rightarrow 0$$
이므로 $A_n \cup B_n \rightarrow A \cup B, A_n \setminus B_n \rightarrow A\setminus B$ 이기 때문에 $\mathfrak{M} _ F(\mu)$ ring이다.
이므로 $A_n \cup B_n \rightarrow A \cup B, A_n \setminus B_n \rightarrow A\setminus B$ 이기 때문에 $\mathfrak{M}_F(\mu)$ ring이다.
**(Step 1)** *$\mu^\ast$는 $\mathfrak{M} _ F(\mu)$ 위에서 additive이다*.
**(Step 1)** *$\mu^\ast$는 $\mathfrak{M}_F(\mu)$ 위에서 additive이다*.
$\Sigma$ 위에서는 $\mu = \mu^\ast$ 이므로, 따름정리에 의해
@@ -191,17 +196,17 @@ $$\mu^\ast(A) + \mu^\ast(B) = \mu^\ast(A\cup B) + \mu^\ast(A \cap B)$$
얻는다. $A \cap B = \varnothing$ 라는 조건이 추가되면 $\mu^\ast$ additive임을 있다.
**(Step 2)** *$\mathfrak{M} _ F(\mu) = \lbrace A \in \mathfrak{M}(\mu) : \mu^\ast(A) < \infty\rbrace$.*[^2]
**(Step 2)** *$\mathfrak{M}_F(\mu) = \lbrace A \in \mathfrak{M}(\mu) : \mu^\ast(A) < \infty\rbrace$.*[^2]
**Claim**. 쌍마다 서로소인 $\mathfrak{M} _ F(\mu)$ 원소들을 잡아 이들의 합집합으로 $A \in \mathfrak{M}(\mu)$ 표현할 있다.
**Claim**. 쌍마다 서로소인 $\mathfrak{M}_F(\mu)$ 원소들을 잡아 이들의 합집합으로 $A \in \mathfrak{M}(\mu)$ 표현할 있다.
**증명.** $A_n' \in \mathfrak{M} _ F(\mu)$ 대하여 $A = \bigcup A_n'$ 두자.
**증명.** $A_n' \in \mathfrak{M}_F(\mu)$ 대하여 $A = \bigcup A_n'$ 두자.
> $A_1 = A_1'$, $n \geq 2$ 이면 $A_n = A_n' \setminus(A_1'\cup \cdots \cup A_ {n-1}')$
같이 정의하면 $A_n$ 쌍마다 서로소이고 $A_n \in \mathfrak{M} _ F(\mu)$ 임을 있다.
같이 정의하면 $A_n$ 쌍마다 서로소이고 $A_n \in \mathfrak{M}_F(\mu)$ 임을 있다.
사실을 이용하여 $A_n \in \mathfrak{M} _ F(\mu)$ 에 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 으로 두자.
사실을 이용하여 $A_n \in \mathfrak{M}_F(\mu)$ 대하여 $A = \displaystyle\bigcup_ {n=1}^\infty A_n$ 으로 두자.
1. Countable subadditivity에 의해 $\displaystyle\mu^\ast(A) \leq \sum_ {n=1}^{\infty} \mu^\ast (A_n)$ 성립한다.
@@ -215,7 +220,7 @@ $$\displaystyle d(A, B_n) = \mu^\ast\left( \bigcup_ {k=n+1}^\infty A_k \right) =
임을 있다.
$B_n \in \mathfrak{M} _ F(\mu)$ 이므로 $C_n \in \Sigma$ 잡아 $n \in \mathbb{N}$ 대하여 $d(B_n, C_n)$ 임의로 작게 만들 있다. 그러면 $d(A, C_n) \leq d(A, B_n) + d(B_n, C_n)$ 이므로 충분히 $n$ 대하여 $d(A, C_n)$ 임의로 작게 만들 있다. 따라서 $C_n \rightarrow A$ 임을 있고 $A \in \mathfrak{M} _ F(\mu)$ 라는 결론을 내릴 있다.
$B_n \in \mathfrak{M}_F(\mu)$ 이므로 $C_n \in \Sigma$ 잡아 $n \in \mathbb{N}$ 대하여 $d(B_n, C_n)$ 임의로 작게 만들 있다. 그러면 $d(A, C_n) \leq d(A, B_n) + d(B_n, C_n)$ 이므로 충분히 $n$ 대하여 $d(A, C_n)$ 임의로 작게 만들 있다. 따라서 $C_n \rightarrow A$ 임을 있고 $A \in \mathfrak{M}_F(\mu)$ 라는 결론을 내릴 있다.
**(Step 3)** *$\mu^\ast$는 $\mathfrak{M}(\mu)$ 위에서 countably additive이다.*
@@ -225,7 +230,7 @@ $$\mu^\ast\left( \bigcup_ {n=1}^\infty A_n \right) \geq \mu^\ast(A_m) = \infty =
이므로 countable additivity가 성립한다.
이제 모든 $n\in \mathbb{N}$ 대하여 $\mu^\ast(A_n) < \infty$ 이면, Step 2에 의해 $A_n \in \mathfrak{M} _ F(\mu)$ 이고
이제 모든 $n\in \mathbb{N}$ 대하여 $\mu^\ast(A_n) < \infty$ 이면, Step 2에 의해 $A_n \in \mathfrak{M}_F(\mu)$ 이고
$$\mu^\ast(A) = \mu^\ast\left( \bigcup_ {n=1}^\infty A_n \right) = \sum_ {n=1}^\infty \mu^\ast(A_n)$$
@@ -233,21 +238,21 @@ $$\mu^\ast(A) = \mu^\ast\left( \bigcup_ {n=1}^\infty A_n \right) = \sum_ {n=1}^\
**(Step 4)** *$\mathfrak{M}(\mu)$는 $\sigma$-ring이다.*
$A_n \in \mathfrak{M}(\mu)$ 이면 $B_ {n, k} \in \mathfrak{M} _ F(\mu)$ 존재하여 $\displaystyle A_n = \bigcup_k B_ {n,k}$ 이다. 그러면
$A_n \in \mathfrak{M}(\mu)$ 이면 $B_ {n, k} \in \mathfrak{M}_F(\mu)$ 존재하여 $\displaystyle A_n = \bigcup_k B_ {n,k}$ 이다. 그러면
$$\bigcup_n A_n = \bigcup_ {n, k} B_ {n, k} \in \mathfrak{M}(\mu)$$
이다.
$A, B \in \mathfrak{M}(\mu)$ 하면 $A_n, B_n \in \mathfrak{M} _ F(\mu)$ 대해 $\displaystyle A = \bigcup A_n$, $\displaystyle B = \bigcup B_n$ 이므로,
$A, B \in \mathfrak{M}(\mu)$ 하면 $A_n, B_n \in \mathfrak{M}_F(\mu)$ 대해 $\displaystyle A = \bigcup A_n$, $\displaystyle B = \bigcup B_n$ 이므로,
$$A \setminus B = \bigcup_ {n=1}^\infty \left( A_n \setminus B \right) = \bigcup_ {n=1}^\infty (A_n\setminus(A_n\cap B))$$
임을 있다. 그러므로 $A_n \cap B \in \mathfrak{M} _ F(\mu)$ 것만 보이면 충분하다. 정의에 의해
임을 있다. 그러므로 $A_n \cap B \in \mathfrak{M}_F(\mu)$ 것만 보이면 충분하다. 정의에 의해
$$A_n \cap B = \bigcup_ {k=1}^\infty (A_n \cap B_k) \in \mathfrak{M}(\mu)$$
이고 $\mu^\ast(A_n \cap B) \leq \mu^\ast(A_n) < \infty$ 이므로 $A_n\cap B \in \mathfrak{M} _ F(\mu)$ 이다. 따라서 $A \setminus B$ 가 $\mathfrak{M} _ F(\mu)$ 원소들의 countable 합집합으로 표현되므로 $A\setminus B \in \mathfrak{M}(\mu)$ 이다.
이고 $\mu^\ast(A_n \cap B) \leq \mu^\ast(A_n) < \infty$ 이므로 $A_n\cap B \in \mathfrak{M}_F(\mu)$ 이다. 따라서 $A \setminus B$ $\mathfrak{M}_F(\mu)$ 원소들의 countable 합집합으로 표현되므로 $A\setminus B \in \mathfrak{M}(\mu)$ 이다.
따라서 $\mathfrak{M}(\mu)$ $\sigma$-ring이고 $\sigma$-algebra이다.
@@ -257,5 +262,5 @@ $$A_n \cap B = \bigcup_ {k=1}^\infty (A_n \cap B_k) \in \mathfrak{M}(\mu)$$
[^1]: $A$ open이 아니면 자명하지 않은 명제입니다.
[^2]: $A$ $\mu$-measurable인데 $\mu^\ast(A) < \infty$이면 $A$ finitely $\mu$-measurable이다.
[^3]: $A$ countable union of sets in $\mathfrak{M} _ F(\mu)$이므로 $\mu^\ast$ set의 $\mu^\ast$ 합이 된다.
[^4]: 아직 증명이 끝나지 않았습니다. $A_n$ $\mathfrak{M}(\mu)$ 원소가 아니라 $\mathfrak{M} _ F(\mu)$ 원소입니다.
[^3]: $A$ countable union of sets in $\mathfrak{M}_F(\mu)$이므로 $\mu^\ast$ set의 $\mu^\ast$ 합이 된다.
[^4]: 아직 증명이 끝나지 않았습니다. $A_n$ $\mathfrak{M}(\mu)$ 원소가 아니라 $\mathfrak{M}_F(\mu)$ 원소입니다.

View File

@@ -2,11 +2,16 @@
share: true
toc: true
math: true
categories: [Mathematics, Measure Theory]
tags: [math, analysis, measure-theory]
title: "03. Measure Spaces"
date: "2023-01-24"
github_title: "2023-01-24-measure-spaces"
categories:
- Mathematics
- Measure Theory
tags:
- math
- analysis
- measure-theory
title: 03. Measure Spaces
date: 2023-01-24
github_title: 2023-01-24-measure-spaces
image:
path: /assets/img/posts/Mathematics/Measure Theory/mt-03.png
attachment:
@@ -17,15 +22,15 @@ attachment:
Construction of measure 증명에서 추가로 참고할 내용입니다.
![mt-03.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-03.png)
![mt-03.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-03.png)
**명제.** $A$가 열린집합이면 $A \in \mathfrak{M}(\mu)$ 이다. 또한 $A^C \in \mathfrak{M}(\mu)$ 이므로, $F$가 닫힌집합이면 $F \in \mathfrak{M}(\mu)$ 이다.
**증명.** 중심이 $x\in \mathbb{R}^p$ 이고 반지름이 $r$인 열린 box를 $I(x, r)$이라 두자. $I(x, r)$은 명백히 $\mathfrak{M} _ F(\mu)$의 원소이다. 이제
**증명.** 중심이 $x\in \mathbb{R}^p$ 이고 반지름이 $r$인 열린 box를 $I(x, r)$이라 두자. $I(x, r)$은 명백히 $\mathfrak{M}_F(\mu)$의 원소이다. 이제
$$A = \bigcup_ {\substack{x \in \mathbb{Q}^p, \; r \in \mathbb{Q}\\ I(x, r)\subseteq A}} I(x, r)$$
로 적을 수 있으므로 $A$는 $\mathfrak{M} _ F(\mu)$의 원소들의 countable union이 되어 $A \in \mathfrak{M}(\mu)$ 이다. 이제 $\mathfrak{M}(\mu)$가 $\sigma$-algebra이므로 $A^C\in \mathfrak{M}(\mu)$ 이고, 이로부터 임의의 닫힌집합 $F$도 $\mathfrak{M}(\mu)$의 원소임을 알 수 있다.
로 적을 수 있으므로 $A$는 $\mathfrak{M}_F(\mu)$의 원소들의 countable union이 되어 $A \in \mathfrak{M}(\mu)$ 이다. 이제 $\mathfrak{M}(\mu)$가 $\sigma$-algebra이므로 $A^C\in \mathfrak{M}(\mu)$ 이고, 이로부터 임의의 닫힌집합 $F$도 $\mathfrak{M}(\mu)$의 원소임을 알 수 있다.
**명제.** $A \in \mathfrak{M}(\mu)$ 이면 임의의 $\epsilon > 0$ 에 대하여
@@ -35,13 +40,13 @@ $$F \subseteq A \subseteq G, \quad \mu\left( G \setminus A \right) < \epsilon, \
이는 정의역을 $\mathfrak{M}(\mu)$ 줄였음에도 $\mu$ 여전히 $\mathfrak{M}(\mu)$ 위에서 regular라는 뜻입니다.
**증명.** $A = \bigcup_ {n=1}^\infty A_n$ ($A_n \in \mathfrak{M} _ F(\mu)$) 로 두고 $\epsilon > 0$ 을 고정하자. 각 $n \in \mathbb{N}$ 에 대하여 열린집합 $B_ {n, k} \in \Sigma$ 잡아 $A_n \subseteq\bigcup_ {k=1}^\infty B_ {n, k}$
**증명.** $A = \bigcup_ {n=1}^\infty A_n$ ($A_n \in \mathfrak{M}_F(\mu)$) 두고 $\epsilon > 0$ 을 고정하자. 각 $n \in \mathbb{N}$ 에 대하여 열린집합 $B_ {n, k} \in \Sigma$ 를 잡아 $A_n \subseteq\bigcup_ {k=1}^\infty B_ {n, k}$ 와
$$\mu\left( \bigcup_ {k=1}^{\infty} B_ {n, k} \right) \leq \sum_ {k=1}^{\infty} \mu\left( B_ {n, k} \right) < \mu\left( A_n \right) + 2^{-n}\epsilon$$
만족하도록 있다.[^1]
이제 열린집합을 잡아보자. $G_n = \bigcup_ {k=1}^{\infty} B_ {n, k}$ 으로 두고 $G = \bigcup_ {n=1}^{\infty} G_n$ 잡는다. $A_n \in \mathfrak{M} _ F(\mu)$ 이므로 $\mu\left( A_n \right) < \infty$ 이고, 다음이 성립한다.
이제 열린집합을 잡아보자. $G_n = \bigcup_ {k=1}^{\infty} B_ {n, k}$ 으로 두고 $G = \bigcup_ {n=1}^{\infty} G_n$ 잡는다. $A_n \in \mathfrak{M}_F(\mu)$ 이므로 $\mu\left( A_n \right) < \infty$ 이고, 다음이 성립한다.
$$\begin{aligned} \mu\left( G \setminus A \right) & = \mu\left( \bigcup_ {n=1}^{\infty} G_n \setminus\bigcup_ {n=1}^{\infty} A_n \right) \leq \mu\left( \bigcup_ {n=1}^{\infty} G_n \setminus A_n \right) \\ &\leq \sum_ {n=1}^{\infty} \mu\left( G_n \setminus A_n \right) \leq \sum_ {n=1}^{\infty} 2^{-n}\epsilon = \epsilon. \end{aligned}$$

View File

@@ -2,11 +2,16 @@
share: true
toc: true
math: true
categories: [Mathematics, Measure Theory]
tags: [math, analysis, measure-theory]
title: "04. Measurable Functions"
date: "2023-02-06"
github_title: "2023-02-06-measurable-functions"
categories:
- Mathematics
- Measure Theory
tags:
- math
- analysis
- measure-theory
title: 04. Measurable Functions
date: 2023-02-06
github_title: 2023-02-06-measurable-functions
image:
path: /assets/img/posts/Mathematics/Measure Theory/mt-04.png
attachment:
@@ -139,7 +144,7 @@ $$\begin{aligned} \lbrace x \in X : F\bigl(f(x), g(x)\bigr) > a\rbrace =
$$\chi_E(x) = \begin{cases} 1 & (x\in E) \\ 0 & (x \notin E). \end{cases}$$
참고로 characteristic function은 indicator function 등으로도 불리며, $\mathbf{1} _ E, K_E$로 표기하는 경우도 있습니다.
참고로 characteristic function은 indicator function 등으로도 불리며, $\mathbf{1}_E, K_E$로 표기하는 경우도 있습니다.
## Simple Function
@@ -155,7 +160,7 @@ $$s(x) = \sum_ {i=1}^{n} c_i \chi_ {E_i}(x).$$
여기서 $E_i$에 measurable 조건이 추가되면, 정의에 의해 $\chi_ {E_i}$도 measurable function입니다. 따라서 모든 measurable simple function을 measurable $\chi_ {E_i}$의 linear combination으로 표현할 수 있습니다.
![mt-04.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-04.png)
![mt-04.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-04.png)
아래 정리는 simple function이 Lebesgue integral의 building block이 되는 이유를 잘 드러냅니다. 모든 함수는 simple function으로 근사할 수 있습니다.

View File

@@ -2,11 +2,16 @@
share: true
toc: true
math: true
categories: [Mathematics, Measure Theory]
tags: [math, analysis, measure-theory]
title: "05. Lebesgue Integration"
date: "2023-02-13"
github_title: "2023-02-13-lebesgue-integration"
categories:
- Mathematics
- Measure Theory
tags:
- math
- analysis
- measure-theory
title: 05. Lebesgue Integration
date: 2023-02-13
github_title: 2023-02-13-lebesgue-integration
image:
path: /assets/img/posts/Mathematics/Measure Theory/mt-05.png
attachment:
@@ -19,9 +24,9 @@ attachment:
$E \in \mathscr{F}$ 일 때, 적분을 정의하기 위해
$$\mathscr{F} _ E = \lbrace A \cap E : A \in \mathscr{F}\rbrace, \quad \mu_E = \mu|_ {\mathscr{F} _ E}$$
$$\mathscr{F}_E = \lbrace A \cap E : A \in \mathscr{F}\rbrace, \quad \mu_E = \mu|_ {\mathscr{F}_E}$$
로 설정하고 $\int = \int_E$ 로 두어 ($X, \mathscr{F} _ E, \mu_E$) 위에서 적분을 정의할 수 있습니다. 그러나 굳이 이렇게 하지 않아도 됩니다. $\int = \int_X$ 로 두고
로 설정하고 $\int = \int_E$ 로 두어 ($X, \mathscr{F}_E, \mu_E$) 위에서 적분을 정의할 수 있습니다. 그러나 굳이 이렇게 하지 않아도 됩니다. $\int = \int_X$ 로 두고
$$\int_E f \,d{\mu} = \int f \chi _E \,d{\mu}$$
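Review bot: the conversion is incomplete on the display line `$$\mathscr{F}_E = \lbrace A \cap E : A \in \mathscr{F}\rbrace, \quad \mu_E = \mu|_ {\mathscr{F}_E}$$`: `\mathscr{F} _ E` becomes `\mathscr{F}_E` while `\mu|_ {\mathscr{F}_E}` keeps the spaced `_ {`. If the aim is uniform notation, finish the line; if the spacing is a renderer workaround, the line now relies on both conventions at once. Small style point on the prose line below it: `($X, \mathscr{F}_E, \mu_E$)` puts the parentheses outside the math delimiters; `$(X, \mathscr{F}_E, \mu_E)$` renders the triple as one expression.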
@@ -45,7 +50,7 @@ $$\int \chi_A \,d{\mu} = \mu(A)$$
다음으로 양의 값을 갖는 measurable simple function에 대해 정의합니다. $f = f^+ - f^-$ 에서 $f^+, f^-$ 모두 양의 값을 갖기 때문에 양의 값에 대해 먼저 정의합니다.
**(Step 2)** $f: X \rightarrow[0, \infty)$ 가 measurable simple function이라 하자. 그러면 $A_k \subseteq\mathscr{F}$ 이면서 쌍마다 서로소인 집합열 $\left( A_k \right) _ {k=1}^n$과 $a_k \in [0, \infty)$ 인 수열 $\left( a_k \right) _ {k=1}^n$을 잡아
**(Step 2)** $f: X \rightarrow[0, \infty)$ 가 measurable simple function이라 하자. 그러면 $A_k \subseteq\mathscr{F}$ 이면서 쌍마다 서로소인 집합열 $\left( A_k \right)_{k=1}^n$과 $a_k \in [0, \infty)$ 인 수열 $\left( a_k \right)_{k=1}^n$을 잡아
$$f(x) = \sum_ {k=1}^n a_k \chi_ {A_k}$$
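Review bot: `$A_k \subseteq\mathscr{F}$` on the rewritten Step 2 line should read `$A_k \in \mathscr{F}$`: the $A_k$ are measurable sets, that is, elements of the σ-algebra $\mathscr{F}$, not subsets of it, and the line is being edited anyway. Same partial-conversion remark as in the measure-theory hunks: `\left( A_k \right)_{k=1}^n` is converted while the display line `\sum_ {k=1}^n a_k \chi_ {A_k}` directly below keeps the spaced form.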
@@ -121,7 +126,7 @@ $$\int f \,d{\mu} = \sup\left\lbrace \int h \,d{\mu}: 0\leq h \leq f, h \text{ m
$f$보다 작은 measurable simple function의 적분값 상한을 택하겠다는 의미입니다. $f$보다 작은 measurable simple function으로 $f$ 근사한다고도 이해할 있습니다. 또한 $f$ simple function이면 Step 2의 정의와 일치하는 것을 있습니다.
![mt-05.png](/assets/img/posts/Mathematics/Measure%20Theory/mt-05.png)
![mt-05.png](../../../assets/img/posts/Mathematics/Measure%20Theory/mt-05.png)
$f \geq 0$ measurable이면 증가하는 measurable simple 함수열 $s_n$ 존재함을 지난 번에 보였습니다. $s_n$ 대하여 적분값을 계산해보면

View File

@@ -98,7 +98,7 @@ To attack this scheme, find the key length by [*index of coincidence*](https://e
#### Hill Cipher
- A polyalphabetic substitution
- A key is a *invertible* matrix $K = (k _ {ij}) _ {m \times m}$ where $k _ {ij} \in \mathbb{Z} _ {26}$.
- A key is a *invertible* matrix $K = (k_{ij})_{m \times m}$ where $k_{ij} \in \mathbb{Z}_{26}$.
- Encryption/decryption is done by multiplying $K$ or $K^{-1}$.
This scheme is vulnerable to known plaintext attack, since the equation can be solved for $K$.
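Review bot: while this line is being edited, fix the article: "A key is *an* invertible matrix". The first bullet also calls the Hill cipher "a polyalphabetic substitution"; it is a polygraphic (block) substitution, since $K$ acts on $m$ letters at a time. The invertibility condition worth stating is $\gcd(\det K, 26) = 1$, which is what makes $K^{-1}$ exist over $\mathbb{Z}_{26}$ and is what the known-plaintext attack on the last line solves for.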
@@ -191,7 +191,7 @@ Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then ch
- Encryption: $E(k, m) = k \oplus m$.
- Decryption: $D(k, c) = k \oplus c$.
This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)).
This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)).
## Perfect Secrecy
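Review bot: the link target changes from the rendered path `../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)` to the source path `../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)`. That only works if the build rewrites `.md` links to permalinks; without such a step the published page links to a file that does not exist on the site, and the same applies to every cross-link converted this way in the patch. Independently, check the fragment: kramdown's auto-generated heading IDs drop `(`, `)` and `'`, giving `#one-time-pad-otp` and, for the next hunk, `#shannons-theorem`, so the anchors as written only resolve if the publisher generates IDs differently.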
@@ -204,7 +204,7 @@ This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)
> Or equivalently, for all $m_0, m_1 \in \mathcal{M}$, $c \in \mathcal{C}$,
>
> $$
> \Pr[E(k, m _ 0) = c] = \Pr[E(k, m _ 1) = c]
> \Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c]
> $$
>
> where $k$ is chosen uniformly in $\mathcal{K}$.
@@ -225,7 +225,7 @@ since for each $m$ and $c$, $k$ is determined uniquely.
*Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.
For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#shannon's-theorem).
For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#shannon's-theorem).
### Two-Time Pad is Insecure

View File

@@ -240,12 +240,12 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
- On IV reuse, same message will generate the same ciphertext if key isn't changed
- If IV is predictable, CBC is vulnerable to chosen plaintext attacks.
- Suppose Eve obtains $(\mathrm{IV}_1, E_k(\mathrm{IV}_1 \oplus m))$.
- Define Eve's new message $m' = \mathrm{IV} _ {2} \oplus \mathrm{IV} _ {1} \oplus g$, where
- $\mathrm{IV} _ 2$ is the guess of the next IV, and
- Define Eve's new message $m' = \mathrm{IV}_{2} \oplus \mathrm{IV}_{1} \oplus g$, where
- $\mathrm{IV}_2$ is the guess of the next IV, and
- $g$ is a guess of Alice's original message $m$.
- Eve requests an encryption of $m'$
- $c' = E _ k(\mathrm{IV} _ 2 \oplus m') = E _ k(\mathrm{IV} _ \mathrm{1} \oplus g)$.
- Then Eve can compare $c'$ and the original $c = E _ k(\mathrm{IV} _ \mathrm{1} \oplus m)$ to recover $m$.
- $c' = E_k(\mathrm{IV}_2 \oplus m') = E_k(\mathrm{IV}_\mathrm{1} \oplus g)$.
- Then Eve can compare $c'$ and the original $c = E_k(\mathrm{IV}_\mathrm{1} \oplus m)$ to recover $m$.
- Useful when there are not many cases for $m$ (or most of the message is already known).
### Cipher Feedback Mode (CFB)
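Review bot: notation nit on the two rewritten lines at the end of the list: `\mathrm{IV}_\mathrm{1}` and `\mathrm{IV}_{2}` should be written the same way as `\mathrm{IV}_1` and `\mathrm{IV}_2` in the bullets just above, since these lines are already being touched. The attack itself is stated correctly, $c' = E_k(\mathrm{IV}_2 \oplus m') = E_k(\mathrm{IV}_1 \oplus g)$; it would help to say explicitly that it is a single-block chosen-plaintext check that confirms or refutes one guess $g$ per query, which is why the last bullet restricts it to messages with few candidates.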

View File

@@ -90,7 +90,7 @@ For even better (maybe faster) results, we need the help of elementary number th
> a^{p-1} \equiv 1 \pmod p.
> $$
*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^*$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$.
*Proof*. (Using group theory) The statement can be rewritten as follows. For $a \neq 0$ in $\mathbb{Z}_p$, $a^{p-1} = 1$ in $\mathbb{Z}_p$. Since $\mathbb{Z}_p^\ast$ is a (multiplicative) group of order $p-1$, the order of $a$ should divide $p-1$. Therefore, $a^{p-1} = 1$ in $\mathbb{Z}_p$.
Here is an elementary proof not using group theory.
@@ -139,23 +139,23 @@ $$
We also often use the **reduced set of residues**.
> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^*$.
> **Definition.** The **reduced set of residues** is the set of residues that are relatively prime to $n$. We denote this set as $\mathbb{Z}_n^\ast$.
>
> $$
> \mathbb{Z}_n^* = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
> \mathbb{Z}_n^\ast = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace.
> $$
Then by definition, we have the following result.
> **Lemma.** $\left\lvert \mathbb{Z}_n^* \right\lvert = \phi(n)$.
> **Lemma.** $\left\lvert \mathbb{Z}_n^\ast \right\lvert = \phi(n)$.
We can also show that $\mathbb{Z}_n^*$ is a multiplicative group.
We can also show that $\mathbb{Z}_n^\ast$ is a multiplicative group.
> **Lemma.** $\mathbb{Z}_n^*$ is a multiplicative group.
> **Lemma.** $\mathbb{Z}_n^\ast$ is a multiplicative group.
*Proof*. Let $a, b \in \mathbb{Z}_n^{ * }$. We must check if $ab \in \mathbb{Z}_n^{ * }$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^{ * }$.
*Proof*. Let $a, b \in \mathbb{Z}_n^\ast$. We must check if $ab \in \mathbb{Z}_n^\ast$. Since $\gcd(a, n) = \gcd(b, n) = 1$, $\gcd(ab, n) = 1$. This is because if $d = \gcd(ab, n) > 1$, then a prime factor $p$ of $d$ must divide $a$ or $b$ and also $n$. Then $\gcd(a, n) \geq p$ or $\gcd(b, n) \geq p$, which is a contradiction. Thus $ab \in \mathbb{Z}_n^\ast$.
Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^*$ exists since $\gcd(a, n) = 1$.
Associativity holds trivially, as a subset of $\mathbb{Z}_n$. We also have an identity element $1$, and inverse of $a \in \mathbb{Z}_n^\ast$ exists since $\gcd(a, n) = 1$.
Now we can prove Euler's generalization.
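Review bot: the definition `\mathbb{Z}_n^\ast = \left\lbrace a \in \mathbb{Z}_n \setminus \left\lbrace 0 \right\rbrace : \gcd(a, n) = 1 \right\rbrace` is being rewritten here, so this is the place to drop `\setminus \left\lbrace 0 \right\rbrace`: for $n > 1$ it is redundant because $\gcd(0, n) = n \neq 1$, and for $n = 1$ it contradicts the lemma `\left\lvert \mathbb{Z}_n^\ast \right\lvert = \phi(n)` below, since $\phi(1) = 1$ but the set as written is empty. The `*` to `\ast` change itself is sound; a bare `*` inside `$...$` is the same emphasis-marker hazard as a bare `_`.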
@@ -167,13 +167,13 @@ Now we can prove Euler's generalization.
> a^{\phi(n)} \equiv 1 \pmod n.
> $$
*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^{ * }$. Then $a^{\left\lvert \mathbb{Z}_n^{ * } \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
*Proof*. Since $\gcd(a, n) = 1$, $a \in \mathbb{Z}_n^\ast$. Then $a^{\left\lvert \mathbb{Z}_n^\ast \right\lvert} = 1$ in $\mathbb{Z}_n$. By the above lemma, we have the desired result.
*Proof*. (Elementary) Set $f : \mathbb{Z}_n^* \rightarrow \mathbb{Z}_n^*$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
*Proof*. (Elementary) Set $f : \mathbb{Z}_n^\ast \rightarrow \mathbb{Z}_n^\ast$ as $x \mapsto ax \bmod n$, then the rest of the reasoning follows similarly as in the proof of Fermat's little theorem.
Using the above result, we remark an important result that will be used in RSA.
> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^*$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
> **Lemma.** Let $n \in \mathbb{N}$. For $a, b \in \mathbb{Z}$ and $x \in \mathbb{Z}_n^\ast$, if $a \equiv b \pmod{\phi(n)}$, then $x^a \equiv x^b \pmod n$.
*Proof*. $a = b + k\phi(n)$ for some $k \in \mathbb{Z}$. Then
@@ -192,7 +192,7 @@ by Euler's generalization.
> - $(\mathsf{G3})$ $G$ has an **identity** element $e$ such that $e * a = a * e = a$ for all $a \in G$.
> - $(\mathsf{G4})$ There is an **inverse** for every element of $G$. For each $a \in G$, there exists $x \in G$ such that $a * x = x * a = e$. We write $x = a^{-1}$ in this case.
$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^*$ is a multiplicative group.
$\mathbb{Z}_n$ is an additive group, and $\mathbb{Z}_n^\ast$ is a multiplicative group.
## Chinese Remainder Theorem (CRT)
@@ -273,6 +273,6 @@ $$
and using the result, add the next equation $x \equiv a_3 \pmod{n_3}$ and find a solution.[^1]
Lastly, the ring isomorphism actually tells us a lot and is quite effective for computation. Since the two rings are *isomorphic*, operations in $\mathbb{Z} _ N$ can be done independently in each $\mathbb{Z} _ {n_i}$ and then merged back to $\mathbb{Z} _ N$. $N$ was a large number, so computations can be much faster in $\mathbb{Z} _ {n _ i}$. Specifically, we will see how this fact is used for computations in RSA.
Lastly, the ring isomorphism actually tells us a lot and is quite effective for computation. Since the two rings are *isomorphic*, operations in $\mathbb{Z}_N$ can be done independently in each $\mathbb{Z}_{n_i}$ and then merged back to $\mathbb{Z}_N$. $N$ was a large number, so computations can be much faster in $\mathbb{Z}_{n_i}$. Specifically, we will see how this fact is used for computations in RSA.
[^1]: I have an implementation in my repository. [Link](https://github.com/calofmijuck/BOJ/blob/4b29e0c7f487aac3186661176d2795f85f0ab21b/Codes/23000/23062.cpp#L38).

View File

@@ -138,36 +138,36 @@ So we don't actually need Euler's generalization for proving the correctness of
This is an inverse problem of exponentiation. The inverse of exponentials is logarithms, so we consider the **discrete logarithm of a number modulo $p$**.
Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^*$, since if $g$ is the generator, a solution always exists.
Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^\ast$, since if $g$ is the generator, a solution always exists.
Read more in [discrete logarithm problem (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#discrete-logarithm-problem-(dl)).
Read more in [discrete logarithm problem (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#discrete-logarithm-problem-(dl)).
## ElGamal Encryption
This is an encryption scheme built upon the hardness of the DLP.
> 1. Let $p$ be a large prime.
> 2. Select a generator $g \in \mathbb{Z}_p^*$.
> 3. Choose a private key $x \in \mathbb{Z}_p^*$.
> 2. Select a generator $g \in \mathbb{Z}_p^\ast$.
> 3. Choose a private key $x \in \mathbb{Z}_p^\ast$.
> 4. Compute the public key $y = g^x \pmod p$.
> - $p, g, y$ will be publicly known.
> - $x$ is kept secret.
### ElGamal Encryption and Decryption
Suppose we encrypt a message $m \in \mathbb{Z}_p^*$.
Suppose we encrypt a message $m \in \mathbb{Z}_p^\ast$.
> 1. The sender chooses a random $k \in \mathbb{Z}_p^*$, called *ephemeral key*.
> 1. The sender chooses a random $k \in \mathbb{Z}_p^\ast$, called *ephemeral key*.
> 2. Compute $c_1 = g^k \pmod p$ and $c_2 = my^k \pmod p$.
> 3. $c_1, c_2$ are sent to the receiver.
> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^*$.
> 4. The receiver calculates $c_1^x \equiv g^{xk} \equiv y^k \pmod p$, and find the inverse $y^{-k} \in \mathbb{Z}_p^\ast$.
> 5. Then $c_2y^{-k} \equiv m \pmod p$, recovering the message.
The attacker will see $g^k$. By the hardness of DLP, the attacker is unable to recover $k$ even if he knows $g$.
#### Ephemeral Key Should Be Distinct
If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z} _ p^{ * }$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z} _ p^{ * }$, inverses exist. So
If the same $k$ is used twice, the encryption is not secure. Suppose we encrypt two different messages $m_1, m_2 \in \mathbb{Z}_p^\ast$. The attacker will see $(g^k, m_1y^k)$ and $(g^k, m_2 y^k)$. Then since we are in a multiplicative group $\mathbb{Z}_p^\ast$, inverses exist. So
$$
m_1y^k \cdot (m_2 y^k)^{-1} \equiv m_1m_2^{-1} \equiv 1 \pmod p
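Review bot: the last displayed line of the key-reuse argument, `m_1y^k \cdot (m_2 y^k)^{-1} \equiv m_1m_2^{-1} \equiv 1 \pmod p`, only holds when $m_1 = m_2$; the conclusion the paragraph needs is that the attacker learns $m_1 m_2^{-1}$, so knowing either message reveals the other, and the trailing `\equiv 1` should go (the displayed hunk ends mid-equation, so check the continuation). Two smaller points on lines this hunk touches: "a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^\ast$" should name only the multiplicative group $\mathbb{Z}_p^\ast$, because $y = g^x$ is exponentiation and a generator of the additive group $\mathbb{Z}_p$ plays no role here; and the private key $x$ and ephemeral key $k$ are exponents, so $\mathbb{Z}_{p-1}$ (or $\{1, \dots, p-2\}$) is the natural range rather than $\mathbb{Z}_p^\ast$.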

View File

@@ -15,7 +15,7 @@ date: 2023-10-09
github_title: 2023-10-09-public-key-cryptography
---
In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange).
In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md).
## Public Key Cryptography
@@ -32,7 +32,7 @@ These keys are created to be used in **trapdoor one-way functions**.
A **one-way function** is a function that is easy to compute, but hard to compute the pre-image of any output. Here are some common examples.
- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions/#collision-resistance).
- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../modern-cryptography/2023-09-28-hash-functions.md#collision-resistance).
- *Factoring a large integer*: It is easy to multiply to integers even if they're large, but factoring is very hard.
- *Discrete logarithm problem*: It is easy to exponentiate a number, but it is hard to find the discrete logarithm.
@@ -80,14 +80,14 @@ But a problem still remains. How does one verify that this key is indeed from th
## Diffie-Hellman Key Exchange
Choose a large prime $p$ and a generator $g$ of $\mathbb{Z}_p^{ * }$. The description of $g$ and $p$ will be known to the public.
Choose a large prime $p$ and a generator $g$ of $\mathbb{Z}_p^\ast$. The description of $g$ and $p$ will be known to the public.
> 1. Alice chooses some $x \in \mathbb{Z}_p^{ * }$ and sends $g^x \bmod p$ to Bob.
> 2. Bob chooses some $y \in \mathbb{Z}_p^{ * }$ and sends $g^y \bmod p$ to Alice.
> 1. Alice chooses some $x \in \mathbb{Z}_p^\ast$ and sends $g^x \bmod p$ to Bob.
> 2. Bob chooses some $y \in \mathbb{Z}_p^\ast$ and sends $g^y \bmod p$ to Alice.
> 3. Alice and Bob calculate $g^{xy} \bmod p$ separately.
> 4. Eve can see $g^x \bmod p$, $g^y \bmod p$ but cannot calculate $g^{xy} \bmod p$.
Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#diffie-hellman-key-exchange-(dhke)).
Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#diffie-hellman-key-exchange-(dhke)).
## Message Integrity
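Review bot: in the rewritten steps 1 and 2, $x$ and $y$ are drawn from $\mathbb{Z}_p^\ast$ but are used as exponents, and an exponent of $g$ lives in $\mathbb{Z}_{p-1}$ (the order of the group), not in the group itself. The key-exchange note in this same change draws $\alpha_i \leftarrow \mathbb{Z}_q$ for the subgroup case; aligning these two lines with that convention, or at least writing `x \in \mathbb{Z}_{p-1}`, keeps the type of $x$ and the type of $g^x$ distinct for the reader.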

View File

@@ -227,7 +227,7 @@ These 4 modules are all invertible!
For DES, the S-box is the non-linear part. If the S-box is linear, then the entire DES cipher would be linear.
Specifically, there would be a fixed binary matrix $B _ 1 \in \mathbb{Z} _ 2^{64 \times 64}$ and $B _ 2 \in \mathbb{Z} _ 2^{64 \times (48 \times 16)}$ such that
Specifically, there would be a fixed binary matrix $B_1 \in \mathbb{Z}_2^{64 \times 64}$ and $B_2 \in \mathbb{Z}_2^{64 \times (48 \times 16)}$ such that
$$
\mathrm{DES}(k, m) = B_1 m \oplus B_2 \mathbf{k}
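Review bot: the unchanged context line `\mathrm{DES}(k, m) = B_1 m \oplus B_2 \mathbf{k}` uses $k$ and bold $\mathbf{k}$ for two different objects; given the $64 \times (48 \times 16)$ shape of $B_2$ in the rewritten line, $\mathbf{k}$ must be the concatenation of the 16 round keys of 48 bits each. Say that in the sentence introducing $B_2$, otherwise the bold symbol reads as a typo for $k$.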

View File

@@ -13,6 +13,8 @@ tags:
title: 3. Symmetric Key Encryption
date: 2023-09-19
github_title: 2023-09-19-symmetric-key-encryption
attachment:
folder: assets/img/posts/lecture-notes/internet-security
---
## CPA Security
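Review bot: the added `folder:` key must be indented under `attachment:` to be its child; as shown here the two keys sit at the same level, which YAML parses as two unrelated top-level keys (the `image:`/`path:` and `attachment:`/`folder:` block in the public-key-encryption file in this change has the same shape, so check both). Separately, the next hunk of this file links to `../internet-security/...` as a sibling directory, so this note lives in a different series than the `lecture-notes/internet-security` folder its attachments now resolve from; fine if the images were deliberately moved there, but a short comment in the front matter would save the next reader the same question.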
@@ -128,7 +130,7 @@ We learned how to encrypt a single block. How do we encrypt longer messages with
There are many ways of processing multiple blocks, this is called the **mode of operation**.
Additional explanation available in [Modes of Operations (Internet Security)](../../internet-security/2023-09-18-symmetric-key-cryptography-2/#modes-of-operations).
Additional explanation available in [Modes of Operations (Internet Security)](../internet-security/2023-09-18-symmetric-key-cryptography-2.md#modes-of-operations).
### Electronic Codebook Mode (ECB)
@@ -172,7 +174,7 @@ Also, CBC mode is not secure if the adversary can predict the IV of the next mes
> m_0' = \mathrm{IV}_2 \oplus \mathrm{IV}_0 \oplus m_0, \quad m_1' = \mathrm{IV}_2 \oplus \mathrm{IV}_1 \oplus m_1
> $$
>
> and send it to the challenger.
> and send it to the challenger.
> 4. In experiment $b$, the adversary will receive $E(k, \mathrm{IV}_b \oplus m_b)$. Compare this with the result of the query from (2). The adversary wins with advantage $1$.
(More on this to be added)
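Review bot: the replaced line `> and send it to the challenger.` is identical before and after, so this hunk is a whitespace-only change (trailing spaces or a line ending). If the trailing spaces were meant as a hard line break inside the blockquote, prefer an explicit blank `>` line, as this hunk already does a few lines up, so the intent survives editors that strip trailing whitespace. The `(More on this to be added)` placeholder at the end of the hunk is still unresolved.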

View File

@@ -37,9 +37,9 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
> - *Encryption*: Send $m_i$ and receive $c'_i = E(k, m_i)$.
> - *Decryption*: Send $c_i$ and receive $m'_i = D(k, c_i)$.
> - Note that $\mathcal{A}$ is not allowed to make a decryption query for any $c_i'$.
> 3. $\mathcal{A}$ outputs a pair of messages $(m_0^ * , m_1^*)$.
> 4. The challenger generates $c^* \leftarrow E(k, m_b^*)$ and gives it to $\mathcal{A}$.
> 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^*$.
> 3. $\mathcal{A}$ outputs a pair of messages $(m_0^\ast , m_1^\ast)$.
> 4. The challenger generates $c^\ast \leftarrow E(k, m_b^\ast)$ and gives it to $\mathcal{A}$.
> 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^\ast$.
> 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mathcal{E}$** is defined as
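Review bot: the rewritten `(m_0^\ast , m_1^\ast)` keeps the space before the comma that was only needed to separate the old `^ *` workaround from the punctuation; with `\ast` it can simply be `(m_0^\ast, m_1^\ast)`. The same leftover appears at `$\mathbb{Z}_p^\ast$ ,` in the key-exchange file and in the public-key CCA definition later in this change.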
@@ -54,7 +54,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
None of the encryption schemes already seen thus far is CCA secure.
Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption/#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
Recall a [CPA secure construction from PRF](./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^\ast = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.
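Review bot: in the rewritten line, `c' = (r, s')` for some $s'$ should add the condition $s' \neq F(k, r) \oplus m_b$, that is $c' \neq c^\ast$, because step 5 of the definition above forbids a decryption query for $c^\ast$ itself; every other $s'$ is permitted, which is exactly why the PRF construction fails CCA.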
@@ -68,12 +68,12 @@ An adversary at destination 25 wants to receive the message sent to destination
Suppose we used CBC mode encryption. Then the first block of the ciphertext would contain the IV, the next block would contain $E(k, \mathrm{IV} \oplus m_0)$.
The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^ *$ where $m^ *$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated)
The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^\ast$ where $m^\ast$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated)
Then the decryption works as normal,
$$
D(k, c_0) \oplus \mathrm{IV}' = (m_0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m_0 \oplus m^*.
D(k, c_0) \oplus \mathrm{IV}' = (m_0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m_0 \oplus m^\ast.
$$
The destination of the original message has been changed, even though the adversary had no information of the key.
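Review bot: `(This can be calculated)` in the rewritten line is too vague for the reader to reproduce the argument. From the equation below, $m^\ast$ is the XOR of the original and desired destination fields at that field's offset and zero in every other byte, which is why no key material is needed; spell that out, and it is worth adding that this is precisely the kind of ciphertext manipulation that ciphertext integrity, introduced with AE later in this file, rules out.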
@@ -119,7 +119,7 @@ This theorem enables us to use AE secure schemes as a CCA secure scheme.
> **Theorem.** Let $\mathcal{E} = (E, D)$ be a cipher. If $\mathcal{E}$ is AE-secure, then it is CCA-secure.
>
> For any efficient $q$-query CCA adversary $\mathcal{A}$, there exists efficient adversaries $\mathcal{B} _ \mathrm{CPA}$ and $\mathcal{B} _ \mathrm{CI}$ such that
> For any efficient $q$-query CCA adversary $\mathcal{A}$, there exists efficient adversaries $\mathcal{B}_\mathrm{CPA}$ and $\mathcal{B}_\mathrm{CI}$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{CCA}}[\mathcal{A}, \mathcal{E}] \leq \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{B}_\mathrm{CPA}, \mathcal{E}] + 2q \cdot \mathrm{Adv}_{\mathrm{CI}}[\mathcal{B}_\mathrm{CI}, \mathcal{E}].
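Review bot: the rewritten theorem line still reads `there exists efficient adversaries`; since it is being touched, change it to `there exist efficient adversaries`.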
@@ -183,13 +183,13 @@ In **Encrypt-then-MAC**, the encrypted message is signed, and is known to be sec
> **Theorem.** Let $\mathcal{E} = (E, D)$ be a cipher and let $\Pi = (S, V)$ be a MAC system. If $\mathcal{E}$ is CPA secure cipher and $\Pi$ is a strongly secure MAC, then $\mathcal{E}_\mathrm{EtM}$ is AE secure.
>
> For every efficient CI adversary $\mathcal{A} _ \mathrm{CI}$ attacking $\mathcal{E} _ \mathrm{EtM}$, there exists an efficient MAC adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\Pi$ such that
> For every efficient CI adversary $\mathcal{A}_\mathrm{CI}$ attacking $\mathcal{E}_\mathrm{EtM}$, there exists an efficient MAC adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\Pi$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{CI}}[\mathcal{A}_\mathrm{CI}, \mathcal{E}_\mathrm{EtM}] = \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{B}_\mathrm{MAC}, \Pi].
> $$
>
> For every efficient CPA adversary $\mathcal{A} _ \mathrm{CPA}$ attacking $\mathcal{E} _ \mathrm{EtM}$, there exists an efficient CPA adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\mathcal{E}$ such that
> For every efficient CPA adversary $\mathcal{A}_\mathrm{CPA}$ attacking $\mathcal{E}_\mathrm{EtM}$, there exists an efficient CPA adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\mathcal{E}$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}_\mathrm{CPA}, \mathcal{E}_\mathrm{EtM}] = \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{B}_\mathrm{CPA}, \mathcal{E}].
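Review bot: the second rewritten statement names the CPA adversary $\mathcal{B}_\mathrm{MAC}$, but the bound two lines below it uses $\mathcal{B}_\mathrm{CPA}$; since the line is already being edited, rename it to $\mathcal{B}_\mathrm{CPA}$ so the statement and the inequality agree.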

View File

@@ -59,7 +59,7 @@ Let $\Pi = (S, V)$ be a MAC scheme defined over $(\mathcal{K}, \mathcal{M}, \mat
>
> If $\Pi$ is a secure MAC and $H$ is collision resistant, then $\Pi'$ is a secure MAC.
>
> For any efficient adversary $\mathcal{A}$ attacking $\Pi'$, there exist a MAC adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\Pi$ and an adversary $\mathcal{B} _ \mathrm{CR}$ attacking $H$ such that
> For any efficient adversary $\mathcal{A}$ attacking $\Pi'$, there exist a MAC adversary $\mathcal{B}_\mathrm{MAC}$ attacking $\Pi$ and an adversary $\mathcal{B}_\mathrm{CR}$ attacking $H$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{A}, \Pi'] \leq \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{B}_\mathrm{MAC}, \Pi] + \mathrm{Adv}_{\mathrm{CR}}[\mathcal{B}_\mathrm{CR}, H].
@@ -140,7 +140,7 @@ Suppose that $t_{u-1} \neq t_{v-1}'$ and $m_u \neq m_v'$. Then this is a collisi
Now we have $t_{u-1} = t_{u-1}'$, which implies $h(t_{u-2}, m_{u-1}) = h(t_{u-2}', m_{u-1}')$. We can now repeat the same process until the first block. If $\mathcal{B}$ did not find any collision then it means that $m_i = m_i'$ for all $i$, so $m = m'$. This is a contradiction, so $\mathcal{B}$ must have found a collision.
By the above argument, we see that $\mathrm{Adv} _ {\mathrm{CR}}[\mathcal{A}, H] = \mathrm{Adv} _ {\mathrm{CR}}[\mathcal{B}, h]$.
By the above argument, we see that $\mathrm{Adv}_{\mathrm{CR}}[\mathcal{A}, H] = \mathrm{Adv}_{\mathrm{CR}}[\mathcal{B}, h]$.
### Attacking Merkle-Damgård Hash Functions
@@ -150,7 +150,7 @@ See Joux's attack.[^2]
Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives.
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange/#collision-resistance-based-on-dl-problem).
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](./2023-10-03-key-exchange.md#collision-resistance-based-on-dl-problem).
![mc-06-davies-meyer.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-06-davies-meyer.png)
@@ -195,7 +195,7 @@ We needed a complicated construction for MACs that work on long messages. We mig
Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$.
Recall that [we can construct a MAC scheme from a PRF](../2023-09-21-macs/#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
Recall that [we can construct a MAC scheme from a PRF](./2023-09-21-macs.md#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
#### Prepending the Key

View File

@@ -65,12 +65,12 @@ To implement the above protocol, we need two functions $E$ and $F$ that satisfy
Let $p$ be a large prime, and let $q$ be another large prime dividing $p - 1$. We typically use very large random primes, $p$ is about $2048$ bits long, and $q$ is about $256$ bits long.
All arithmetic will be done in $\mathbb{Z}_p$. We also consider $\mathbb{Z} _ p^ *$ , the **unit group** of $\mathbb{Z} _ p$. Since $\mathbb{Z} _ p$ is a field, $\mathbb{Z} _ p^ * = \mathbb{Z} _ p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z} _ p^ *$ has order $p-1$.
All arithmetic will be done in $\mathbb{Z}_p$. We also consider $\mathbb{Z}_p^\ast$ , the **unit group** of $\mathbb{Z}_p$. Since $\mathbb{Z}_p$ is a field, $\mathbb{Z}_p^\ast = \mathbb{Z}_p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z}_p^\ast$ has order $p-1$.
Since $q$ is a prime dividing $p - 1$, $\mathbb{Z}_p^*$ has an element $g$ of order $q$.[^1] Let
Since $q$ is a prime dividing $p - 1$, $\mathbb{Z}_p^\ast$ has an element $g$ of order $q$.[^1] Let
$$
G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z}_p^*.
G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z}_p^\ast.
$$
We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
@@ -100,7 +100,7 @@ We have used $E(x) = g^x$ in the above implementation. This function is called t
We required that $E$ must be a one-way function for the protocol to work. So it must be hard to compute the discrete logarithm function. There are some problems related to the discrete logarithm, which are used as assumptions in the security proof. They are formalized as a security game, as usual.
$G = \left\langle g \right\rangle \leq \mathbb{Z} _ p^{ * }$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary.
$G = \left\langle g \right\rangle \leq \mathbb{Z}_p^\ast$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary.
### Discrete Logarithm Problem (DL)
@@ -182,7 +182,7 @@ If we used the DL assumption and it turns out to be false, there will be an effi
Suppose we want something like a secret group chat, where there are $N$ ($\geq 3$) people and they need to generate a shared secret key. It is known that $N$-party Diffie-Hellman is possible in $N-1$ rounds. Here's how it goes. The indices are all in modulo $N$.
Each party $i$ chooses $\alpha _ i \leftarrow \mathbb{Z} _ q$, and computes $g^{\alpha _ i}$. The parties communicate in a circular form, and passes the computed value to the $(i+1)$-th party. In the next round, the $i$-th party receives $g^{\alpha _ {i-1}}$ and computes $g^{\alpha _ {i-1}\alpha _ i}$ and passes it to the next party. After $N-1$ rounds, all parties have the shared key $g^{\alpha _ 1\cdots\alpha _ N}$.
Each party $i$ chooses $\alpha_i \leftarrow \mathbb{Z}_q$, and computes $g^{\alpha_i}$. The parties communicate in a circular form, and passes the computed value to the $(i+1)$-th party. In the next round, the $i$-th party receives $g^{\alpha_{i-1}}$ and computes $g^{\alpha_{i-1}\alpha_i}$ and passes it to the next party. After $N-1$ rounds, all parties have the shared key $g^{\alpha_1\cdots\alpha_N}$.
Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many communications that the above algorithm requires. Researchers are looking for methods to generate a shared key in a single round. It has been solved for $N=3$ using bilinear pairings, but for $N \geq 4$ it is an open problem.
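Review bot: the rewritten line has a subject-verb mismatch, `The parties communicate in a circular form, and passes the computed value`; it should be `pass`. In the following context line, `Taking $\mathcal{O}(N)$ steps` is really $\mathcal{O}(N)$ rounds, which is the quantity the preceding paragraph counts.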
@@ -241,5 +241,5 @@ It is unknown whether we can get a better gap (than quadratic) using a general s
To get exponential gaps, we need number theory.
[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z}_p^*$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group.
[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z}_p^\ast$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group.
[^2]: R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the Symposium on Theory of Computing (STOC), pages 4461, 1989.
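Review bot: in the unchanged footnote `[^2]`, the page range has lost its dash: `pages 4461` should read `pages 44–61`.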

View File

@@ -14,9 +14,9 @@ title: 9. Public Key Encryption
date: 2023-10-19
github_title: 2023-10-19-public-key-encryption
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-09-ss-pke.png
path: assets/img/posts/lecture-notes/modern-cryptography/mc-09-ss-pke.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
folder: assets/img/posts/lecture-notes/modern-cryptography
---
In symmetric encryption, we assumed that the two parties had a shared key in advance. If the two parties do not have a shared key, **public-key encryption** can be used to encrypt messages.
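Review bot: lowercasing `image.path` and `attachment.folder` to `assets/img/posts/lecture-notes/modern-cryptography` only helps if the directory itself was renamed in the same change; on a case-sensitive filesystem `Lecture Notes/Modern Cryptography` and the lowercase path are different directories, so confirm the files moved and that no other note still references the old spelling.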
@@ -45,7 +45,7 @@ Public key $pk$ will be publicized. After Alice obtains $pk$, she can use it to
The following notion of security is only for an eavesdropping adversary.
![mc-09-ss-pke.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-09-ss-pke.png)
![mc-09-ss-pke.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-09-ss-pke.png)
> **Definition.** Let $\mc{E} = (G, E, D)$ be a public key encryption scheme defined over $(\mc{M}, \mc{C})$. For an adversary $\mc{A}$, we define two experiments.
>
@@ -69,7 +69,7 @@ Note that $pk$ is sent to the adversary, and adversary can encrypt any message!
For symmetric ciphers, semantic security (one-time) did not guarantee CPA security (many-time). But in public key encryption, semantic security implies CPA security. This is because *the attacker can encrypt any message using the public key*.
First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](../2023-09-19-symmetric-key-encryption/#cpa-security).
First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](./2023-09-19-symmetric-key-encryption.md#cpa-security).
> **Definition.** For a given public-key encryption scheme $\mc{E} = (G, E, D)$ defined over $(\mc{M}, \mc{C})$ and given an adversary $\mc{A}$, define experiments 0 and 1.
>
@@ -141,7 +141,7 @@ $$
## CCA Security for Public Key Encryption
We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](../2023-09-26-cca-security-authenticated-encryption/#cca-security).
We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](./2023-09-26-cca-security-authenticated-encryption.md#cca-security).
> **Definition.** Let $\mc{E} = (G, E, D)$ be a public-key encryption scheme over $(\mc{M}, \mc{C})$. Given an adversary $\mc{A}$, define experiments $0$ and $1$.
>
@@ -151,9 +151,9 @@ We also define CCA security for public key encryption, which models a wide spect
> - *Encryption*: Send $(m_{i_,0}, m_{i, 1})$ and receive $c'_i \la E(pk, m_{i, b})$.
> - *Decryption*: Send $c_i$ and receive $m'_i \la D(sk, c_i)$.
> - Note that $\mc{A}$ is not allowed to make a decryption query for any $c_i'$.
> 3. $\mc{A}$ outputs a pair of messages $(m_0^ * , m_1^*)$.
> 4. The challenger generates $c^* \la E(pk, m_b^*)$ and gives it to $\mc{A}$.
> 5. $\mc{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^*$.
> 3. $\mc{A}$ outputs a pair of messages $(m_0^\ast , m_1^\ast)$.
> 4. The challenger generates $c^\ast \la E(pk, m_b^\ast)$ and gives it to $\mc{A}$.
> 5. $\mc{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^\ast$.
> 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mc{E}$** is defined as
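Review bot: the unchanged context line has `m_{i_,0}` with a stray underscore inside the subscript; it should be `m_{i,0}` to match `m_{i, 1}` on the same line. Also, `\la` and `\mc` used throughout this definition are custom macros (for `\leftarrow` and `\mathcal`), so make sure the site's math config defines them; the symmetric-key file in this same change spells both out.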
@@ -176,7 +176,7 @@ Similarly, 1CCA security implies CCA security, as in the above theorem. So to sh
### Active Adversaries in Symmetric vs Public Key
In symmetric key encryption, we studied [authenticated encryption (AE)](../2023-09-26-cca-security-authenticated-encryption/#authenticated-encryption-(ae)), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
In symmetric key encryption, we studied [authenticated encryption (AE)](./2023-09-26-cca-security-authenticated-encryption.md#authenticated-encryption-(ae)), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
However in public-key schemes, adversaries can always create new ciphertexts using the public key, which makes the original definition of ciphertext integrity unusable. Thus we directly require CCA security.