upgrade structures and migrate to nextra v4

content/CSE442T/Exam_reviews/CSE442T_E1.md

@@ -0,0 +1,215 @@
+# System check for exam list
+
+**The exam will take place in class on Monday, October 21.**
+
+The topics will cover Chapters 1 and 2, as well as the related probability discussions we've had (caveats below).  Assignments 1 through 3 span this material.
+
+## Specifics on material:
+
+NOT "match-making game" in 1.2 (seems fun though)
+
+NOT the proof of Theorem 31.3 (but definitely the result!)
+
+NOT 2.4.3 (again, definitely want to know this result, and we have discussed the idea behind it)
+
+NOT 2.6.5, 2.6.6
+
+NOT 2.12, 2.13
+
+The probability knowledge/techniques I've expanded on include conditional probability, independence, law of total probability, Bayes' Theorem, union bound, 1-p bound (or "useful bound"), collision
+
+I expect you to demonstrate understanding of the key definitions, theorems, and proof techniques.  The assignments are designed to reinforce all of these.  However, exam questions will be written with the understanding of the time limitations.
+
+The exam is "closed-book," with no notes of any kind allowed.  The advantage of this is that some questions might be very basic.  However, I will expect that you will have not just memorized definitions and theorems, but you can also explain their meaning and apply them.
+
+## Chapter 1
+
+### Prove security
+
+#### Definition 11.1 Shannon secrecy
+
+$(\mathcal{M},\mathcal{K}, Gen, Enc, Dec)$ (A crypto-system) is said to be private-key encryption scheme that is *Shannon-secrete with respect to distribution $D$ over the message space $\mathcal{M}$* if for all $m'\in \mathcal{M}$ and for all $c$,
+
+$$
+P[k\gets Gen;m\gets D:m=m'|Enc_k(m)=c]=P[m\gets D:m=m']
+$$
+
+(The adversary cannot learn all, part of, any letter of, any function off, or any partial information about the plaintext)
+
+#### Definition 11.2 Perfect Secrecy
+
+$(\mathcal{M},\mathcal{K}, Gen, ENc, Dec)$ (A crypto-system) is said to be private-key encryption scheme that is *perfectly secret* if forall $m_1,m_2\in \mathcal{M},\forall c$:
+
+$$
+P[k\gets Gen:Enc_k(m_1)=c]=P[k\gets Gen:Enc_k(m_2)=c]
+$$
+
+(For all coding scheme in the crypto system, for any two different message, they are equally likely to be mapped to $c$)
+
+#### Definition 12.3
+
+A private-key encryption scheme is perfectly secret if and only if it is Shannon secret.
+
+## Chapter 2
+
+### Efficient Private-key Encryption
+
+#### Definition 24.7
+
+A triplet of algorithms $(Gen,Enc,Dec)$ is called an efficient private-key encryption scheme if the following holds.
+
+1. $k\gets Gen(1^n)$ is a p.p.t. such that for every $n\in \mathbb{N}$, it samples a key $k$.
+2. $c\gets Enc_k(m)$ is a p.p.t. that given $k$ and $m\in \{0,1\}^n$ produces a ciphertext $c$.
+3. $m\gets Dec_c(c)$ is a p.p.t. that given a ciphertext $c$ and key $k$ produces a message $m\in \{0,1\}^n\cup \perp$.
+4. For all $n\in \mathbb{N},m\in \{0,1\}^n$
+
+$$
+Pr[k\gets Gen(1^n);Dec_k(Enc_k(m))=m]=1
+$$
+
+### One-Way functions
+
+#### Definition 26.1
+
+A function $f:\{0,1\}^*\to\{0,1\}^*$ is worst-case one-way if the function is:
+
+1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and 
+2. Hard to invert. There is no adversary $\mathcal{A}$ such that
+
+$$
+\forall x,P[\mathcal{A}(f(x))\in f^{-1}(f(x))]=1
+$$
+
+#### Definition 27.2 Negligible function
+
+A function $\epsilon(n)$ is negligible if for every $c$. there exists some $n_0$ such that for all $n>n_0$, $\epsilon (n)\leq \frac{1}{n^c}$.
+
+#### Definition 27.3 Strong One-Way Function
+
+A function mapping strings to strings $f:\{0,1\}^*\to \{0,1\}^*$ is a strong one-way function if it satisfies the following two conditions:
+
+1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and 
+2. Hard to invert. There is no adversary $\mathcal{A}$ such that
+
+$$
+P[x\gets\{0,1\}^n;y\gets f(x):f(\mathcal{A}(1^n,y))=y]\leq \epsilon(n)
+$$
+
+#### Definition 28.4 (Weak One-Way Function)
+
+A function mapping strings to strings $f:\{0,1\}^*\to \{0,1\}^*$ is a strong one-way function if it satisfies the following two conditions:
+
+1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and 
+2. Hard to invert. There is no adversary $\mathcal{A}$ such that
+
+$$
+P[x\gets\{0,1\}^n;y\gets f(x):f(\mathcal{A}(1^n,y))=y]\leq 1-\frac{1}{q(n)}
+$$
+
+#### Notation for prime numbers
+
+Denote the (finite) set of primes that are smaller than $2^n$ as
+
+$$
+\Pi_n=\{q|q<2^n\textup{ and } q \textup{ is prime}\}
+$$
+
+#### Assumption 30.1 (Factoring)
+
+For every adversary $\mathcal{A}$, there exists a negligible function $\epsilon$ such that
+
+$$
+P[p\gets \Pi_n;q\gets \Pi_n;N\gets pq:\mathcal{A}(N)\in \{p,q\}]<\epsilon(n)
+$$
+
+(For every product of random 2 primes, the probability for any adversary to find the prime factors is negligible.)
+
+(There is no polynomial function that can decompose the product of two $n$ bit prime, the best function is $2^{O(n^{\frac{1}{3}}\log^{\frac{2}{3}}n)}$)
+
+#### Theorem 35.1
+
+For any weak one-way function $f:\{0,1\}^n\to \{0,1\}^*$, there exists a polynomial $m(\cdot)$ such that function
+
+$$
+f'(x_1,x_2,\dots, x_{m(n)})=(f(x_1),f(x_2),\dots, f(x_{m(n)})).
+$$
+
+from $f'=(\{0,1\}^n)^{m(n)}\to(\{0,1\}^*)^{m(n)}$ is strong one-way.
+
+### RSA
+
+#### Definition 46.7
+
+A group $G$ is a set of elements with a binary operator $\oplus:G\times G\to G$ that satisfies the following properties
+
+1. Closure: $\forall a,b\in G, a\oplus b\in G$
+2. Identity: $\exists i\in G$ such that $\forall a\in G, i\oplus a=a\oplus i=a$
+3. Associativity: $\forall a,b,c\in G,(a\oplus b)\oplus c=a\oplus(b\oplus c)$.
+4. Inverse: $\forall a\in G$, there is an element $b\in G$ such that $a\oplus b=b\oplus a=i$
+
+#### Definition Euler totient function $\Phi(N)$.
+
+$$
+\Phi(p)=p-1
+$$ 
+
+if $p$ is prime
+
+$$
+\Phi(N)=(p-1)(q-1)
+$$ 
+
+if $N=pq$ and $p,q$ are primes
+
+#### Theorem 47.10
+
+$\forall a\in \mathbb{Z}_N^*,a^{\Phi(N)}=1\mod N$
+
+#### Corollary 48.11
+
+$\forall a\in \mathbb{Z}_p^*,a^{p-1}\equiv 1\mod p$.
+
+#### Corollary 48.12
+
+$a^x\mod N=a^{x\mod \Phi(N)}\mod N$
+
+## Some other important results
+
+### Exponent
+
+$$
+(1-\frac{1}{n})^n\approx e
+$$
+when $n$ is large.
+
+### Primes
+
+Let $\pi(x)$ be the lower-bounds for prime less than or equal to $x$.
+
+#### Theorem 31.3 Chebyshev
+
+For $x>1$,$\pi(x)>\frac{x}{2\log x}$
+
+#### Corollary 31.3
+
+For $2^n>1$, $p(n)>\frac{1}{n}$
+
+(The probability that a uniformly sampled n-bit integer is prime is greater than $\frac{1}{n}$)
+
+### Modular Arithmetic
+
+#### Extended Euclid Algorithm
+
+```python
+def eea(a,b)->tuple(int):
+    # assume a>b
+    # return x,y such that ax+by=gcd(a,b)=d.
+    # so y is the modular inverse of b mod a
+    # so x is the modular inverse of a mod b
+    # so gcd(a,b)=ax+by
+    if a%b==0:
+        return (0,1)
+    x,y=eea(b,a%b)
+    return (y,x-y(a//b))
+```
+

content/CSE442T/Exam_reviews/CSE442T_E2.md

@@ -0,0 +1,222 @@
+# CSE442T Exam 2 Review
+
+## Review
+
+### Assumptions used in cryptography (this course)
+
+#### Diffie-Hellman assumption
+
+The Diffie-Hellman assumption is that the following problem is hard.
+
+$$
+\text{Given } g,g^a,g^b\text{, it is hard to compute } g^{ab}.
+$$
+
+More formally,
+
+If $p$ is a randomly sampled safe prime.
+
+Denote safe prime as $\tilde{\Pi}_n=\{p\in \Pi_n:q=\frac{p-1}{2}\in \Pi_{n-1}\}$
+
+Then
+
+$$
+P\left[p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(y)=x\right]\leq \varepsilon(n)
+$$
+
+$p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1$ is the function condition when we do the encryption on cyclic groups.
+
+#### Discrete logarithm assumption
+
+> If Diffie-Hellman assumption holds, then discrete logarithm assumption holds.
+
+This is a corollary of the Diffie-Hellman assumption, it states as follows.
+
+This is collection of one-way functions
+
+$$
+p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1
+$$
+$$
+a\gets \mathbb{Z}*_{p};g=a^2(\textup{ make sure }g\neq 1)
+$$
+$$
+f_{g,p}(x)=g^x\mod p
+$$
+$$
+f:\mathbb{Z}_q\to \mathbb{Z}^*_p
+$$
+
+#### RSA assumption
+
+The RSA assumption is that it is hard to factorize a product of two large primes. (no polynomial time algorithm for factorization product of two large primes with $n$ bits)
+
+Let $e$ be the exponents
+
+$$
+P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y);x^e=y\mod N]<\varepsilon(n)
+$$
+
+#### Factoring assumption
+
+> If RSA assumption holds, then factoring assumption holds.
+
+The only way to efficiently factorize the product of prime is to iterate all the primes.
+
+### Fancy product of these assumptions
+
+#### Trapdoor permutation
+
+> RSA assumption $\implies$ Trapdoor permutation exists.
+
+Idea: $f:D\to R$ is a one-way permutation.
+
+$y\gets R$.
+
+* Finding $x$ such that $f(x)=y$ is hard.
+* With some secret info about $f$, finding $x$ is easy.
+
+$\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}$
+
+1. $\forall i,f_i$ is a permutation
+2. $(i,t)\gets Gen(1^n)$ efficient. ($i\in I$ paired with $t$), $t$ is the "trapdoor info"
+3. $\forall i,D_i$ can be sampled efficiently.
+4. $\forall i,\forall x,f_i(x)$ can be computed in polynomial time.
+5. $P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\varepsilon(n)$ (note: $\mathcal{A}$ is not given $t$)
+6. (trapdoor) There is a p.p.t. $B$ such that given $i,y,t$, B always finds x such that $f_i(x)=y$. $t$ is the "trapdoor info"
+
+_There is one bit of trapdoor info that without it, finding $x$ is hard._
+
+#### Collision resistance hash function
+
+> If discrete logarithm assumption holds, then collision resistance hash function exists.
+
+Let $h: \{0, 1\}^{n+1} \to \{0, 1\}^n$ be a CRHF.
+
+Base on the discrete log assumption, we can construct a CRHF $H: \{0, 1\}^{n+1} \to \{0, 1\}^n$ as follows:
+
+$Gen(1^n):(g,p,y)$
+
+$p\in \tilde{\Pi}_n(p=2q+1)$
+
+$g$ generator for group of sequence $\mod p$ (G_q)
+
+$y$ is a random element in $G_q$
+
+$h_{g,p,y}(x,b)=y^bg^x\mod p$, $y^bg^x\mod p \in \{0,1\}^n$
+
+$g^x\mod p$ if $b=0$, $y\cdot g^x\mod p$ if $b=1$.
+
+Under the discrete log assumption, $H$ is a CRHF.
+
+- It is easy to sample $(g,p,y)$
+- It is easy to compute
+- Compressing by 1 bit
+
+#### One-way permutation
+
+> If trapdoor permutation exists, then one-way permutation exists.
+
+A one-way permutation is a function that is one-way and returns a permutation of the input.
+
+#### One-way function
+
+> If one-way permutation exists, then one-way function exists.
+
+One-way function is a class of functions that are easy to compute but hard to invert.
+
+##### Weak one-way function
+
+A weak one-way function is
+
+$$
+f:\{0,1\}^n\to \{0,1\}^*
+$$
+
+1. $\exists$ a P.P.T. that computes $f(x),\forall x\in\{0,1\}^n$
+2. $\forall a$ adversaries, $\exists \varepsilon(n),\forall n$.
+
+$$
+P[x\gets \{0,1\}^n;y=f(x):f(a(y,1^n))=y]<1-\frac{1}{p(n)}
+$$
+_The probability of success should not be too close to 1_
+
+
+##### Strong one-way function
+
+> If weak one-way function exists, then strong one-way function exists.
+
+A strong one-way function is
+
+$$
+f:\{0,1\}^n\to \{0,1\}^*(n\to \infty)
+$$
+
+There is a negligible function $\varepsilon (n)$ such that for any adversary $a$ (n.u.p.p.t)
+
+$$
+P[x\gets\{0,1\}^n;y=f(x):f(a(y))=y,a(y)=x']\leq\varepsilon(n)
+$$
+
+_Probability of guessing correct message is negligible_
+
+#### Hard-core bits
+
+> Strong one-way function $\iff$ hard-core bits exists.
+
+A hard-core bit is a bit that is hard to predict given the output of a one-way function.
+
+#### Pseudorandom generator
+
+> If one-way permutation exists, then pseudorandom generator exists.
+
+We can also use pseudorandom generator to construct one-way function.
+
+And hard-core bits can be used to construct pseudorandom generator.
+
+#### Pseudorandom function
+
+> If pseudorandom generator exists, then pseudorandom function exists.
+
+A pseudorandom function is a function that is indistinguishable from a true random function.
+
+### Multi-message secure private-key encryption
+
+> If pseudorandom function exists, then multi-message secure private-key encryption exists.
+
+A multi-message secure private-key encryption is a function that is secure against an adversary who can see multiple messages.
+
+#### Single message secure private-key encryption
+
+> If multi-message secure private-key encryption exists, then single message secure private-key encryption exists.
+
+#### Message-authentication code
+
+> If pseudorandom function exists, then message-authentication code exists.
+
+
+### Public-key encryption
+
+> If Diffie-Hellman assumption holds, and Trapdoor permutation exists, then public-key encryption exists.
+
+### Digital signature
+
+A digital signature scheme is a triple $(Gen, Sign, Ver)$ where
+
+- $(pk,sk)\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a public key $pk$ and a secret key $sk$.
+- $\sigma\gets Sign_{sk}(m)$ is a p.p.t. algorithm that takes as input a secret key $sk$ and a message $m$ and outputs a signature $\sigma$.
+- $Ver_{pk}(m, \sigma)$ is a deterministic algorithm that takes as input a public key $pk$, a message $m$, and a signature $\sigma$ and outputs "Accept" if $\sigma$ is a valid signature for $m$ under $pk$ and "Reject" otherwise.
+
+For all $n\in\mathbb{N}$, all $m\in\mathcal{M}_n$.
+
+$$
+P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1
+$$
+
+#### One-time secure digital signature
+
+#### Fixed-length one-time secure digital signature
+
+> If one-way function exists, then fixed-length one-time secure digital signature exists.
+
+

content/CSE442T/Exam_reviews/_meta.js

@@ -0,0 +1,4 @@
+export default {
+    CSE442T_E1: "CSE442T Exam 1 Review",
+    CSE442T_E2: "CSE442T Exam 2 Review"
+}