Nomad Note — Someone's Intermediate Representation (https://nomadtype.ninja/), by AnthonySu.

Zero Knowledge Proof on PCP and SNARK
https://nomadtype.ninja/2020/09/10/ZKP-note-0/ (published 2020-09-10, updated 2020-10-12)

Just trying to take notes about R1CS/QAP/SSP/PCP and sort out things about ZKP and SNARK.

Partly adapted from QAP from Zero to Hero (https://medium.com/@VitalikButerin/quadratic-arithmetic-programs-from-zero-to-hero-f6d558cea649) by Vitalik Buterin and ZK Proof Note (http://blog.higashi.tech/2020/07/12/zkpub_04.html).

```mermaid
graph LR
P(Problem) -->|Flatten| C(Circuit)
subgraph Problem Translate
C -->|Synthesize| R(R1CS)
R -->|FFT| Q(QAP)
end
subgraph Verification
Q -->|Create Proof| Pr(Proof)
Q -->|Setup| Pa(Params)
Pa -->|Create Proof| Pr
Pr -->|Verify Proof| V(Verify)
Pa -->|Verify Proof| V
end
```

# SNARK and PCP

A SNARK (Succinct Non-Interactive Argument of Knowledge) system has 3 components:

• Setup: $\text{Setup}(C) \to (S_p, S_v)$
• Proof: $\text{Proof}(S_p, x, w) \to \pi$
• Verify: $\text{Verify}(S_v, x, \pi) \to \top/\bot$

$x$ is the public input, $\pi$ is the proof, and $S_p, S_v$ are random parameters sent to the prover and verifier respectively.

```mermaid
graph LR
subgraph SNARK
S(Setup C) -->|Sv| V(Verify Sv, x, pi)
S -->|Sp| P(Prover Sp, x, w)
P -->|pi| V
end
```

A robust ZK proof system must satisfy

• Completeness: if $C(x,w) = 0$, then $\text{Verify}(S_v, x, \text{Proof}(S_p,x,w)) = \top$.
• Proof of Knowledge: there exists an efficient extractor that can recover a valid $w$ from any convincing prover.
• Succinctness: $|\pi| = O(\log|C|)$, $\text{time}(V) = O(|x| + \log|C|)$, $\text{time}(P) = O(|C|)$.
• Zero Knowledge: $\pi$ reveals nothing about $w$.

## PCP and Kilian SNARK

The PCP theorem (Probabilistically Checkable Proofs, from the early 1990s) states that every NP problem can be verified in polynomial time with a probabilistic check.

Since all the NP problems can be converted into a circuit $C$, we can construct a probabilistic check system $(S, P, V)$ by

```mermaid
graph LR
P(Prove C, x, w) -->|pi| Pf["Proof pi: size O(C)"]
subgraph Read Only
Pf
end
V(Verify Sv, x) -->|"O(k) query"| Pf
Pf -->|"O(k) bits"| V
```

Such a random check system must satisfy

• Completeness: If the prover is honest and $C(x,w) = 0$, then the verifier outputs $\top$.
• Soundness: If the prover is dishonest and has no witness $w$ such that $C(x, w) = 0$, then $\Pr\lbrack V = \top\rbrack = \text{negl}$.

But the construction above is too expensive, since the proof is not succinct. We can rely on a Merkle commitment and Merkle proofs so that the prover cannot cheat.

```mermaid
graph LR
P(Prove C, x, w) -->|Commitment C-pi| Cm["Commitment C-pi"]
subgraph Read Only
Cm
end
V(Verify Sv, x) -->|"O(k) query"| P
V -->|"O(k) query"| Cm
P -->|"O(k) bits"| V
Cm -->|"Merkle Proof for bits"| V
subgraph Verify
V
end
```

This brings the proof size $|\pi|$ down to $O(\log |C|)$.
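As a concrete illustration, here is a minimal sketch of a Merkle commitment in Python, assuming SHA-256 as the hash; the helper names are mine, not from any library. The prover commits to the whole proof string with a single root hash, and each queried position is opened with a logarithmic-size authentication path:

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_tree(leaves):
    """All levels of the tree; levels[0] hashes the leaves (count a power of two)."""
    levels = [[h(leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def open_path(levels, index):
    """Authentication path for one leaf: the sibling hash at every level."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify_path(root, leaf, index, path):
    node = h(leaf)
    for sibling in path:
        node = h(node + sibling) if index % 2 == 0 else h(sibling + node)
        index //= 2
    return node == root

leaves = [bytes([b]) for b in range(8)]   # a toy 8-symbol proof string
levels = merkle_tree(leaves)
root = levels[-1][0]                      # the commitment c_pi: one hash
proof = open_path(levels, 5)              # opening for queried position 5: 3 hashes
assert verify_path(root, leaves[5], 5, proof)
```

The verifier holds only the root; each of the $O(k)$ queried bits costs one $O(\log|\pi|)$ path, so a cheating prover is bound to the committed string.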

## Interactive to Non-Interactive

In the constructions above, we assume the prover is always online so that the verifier can interact with it.

We can remove the interaction with random oracle:

• Prover generates the Merkle commitment $c_\pi$ and sends it to a public read-only location.
• Prover relies on a random oracle to generate $r_1 \gets \text{rand}(x \parallel c_\pi)$.
• Prover computes the response $m_1$ by opening $\pi$ at the positions selected by $r_1$.
• Prover generates $r_2 \gets \text{rand}(x \parallel c_\pi \parallel m_1)$.
• Prover computes $m_2$ by opening $\pi$ at the positions selected by $r_2$.
• Repeat until the $O(k)$ queries are answered.

Once the prover sends $(m_1 \parallel \ldots \parallel m_k)$ to the verifier, the verifier can rely on the public random oracle and $c_\pi$ to check the hashes.
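The challenge derivation above can be sketched as follows, modeling the random oracle with SHA-256 (the standard Fiat–Shamir heuristic; function names are mine):

```python
import hashlib

def rand_oracle(*parts: bytes) -> int:
    """Model the public random oracle as SHA-256 over the transcript so far."""
    return int.from_bytes(hashlib.sha256(b"||".join(parts)).digest(), "big")

def fiat_shamir_challenges(x: bytes, c_pi: bytes, responses, k: int):
    """Derive r_1..r_k where r_i = rand(x || c_pi || m_1 || ... || m_{i-1}).
    Both prover and verifier can run this, so no interaction is needed."""
    transcript = [x, c_pi]
    challenges = []
    for i in range(k):
        challenges.append(rand_oracle(*transcript))
        if i < len(responses):
            transcript.append(responses[i])
    return challenges

# the verifier re-derives exactly the same challenges from (x, c_pi, m_1..m_k)
assert fiat_shamir_challenges(b"x", b"c", [b"m1"], 2) == \
       fiat_shamir_challenges(b"x", b"c", [b"m1"], 2)
```

Because each $r_i$ hashes the earlier responses, the prover cannot choose $m_i$ after seeing later challenges, which is what makes removing the interaction sound.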

# R1CS and QAP

If we want to prove that we have a solution for something without sending the solution in the clear to the verifier, we need these techniques.

We restrict the context to proving that we know a solution of a polynomial function $f(x_1,\dots, x_k)$.

## R1CS Definition

The relation $\mathcal{R}_{\text{R1CS}}$ consists of a set of all pairs $((\mathbb{F}, k, m, n, A,B,C,v), w)$ where

• $\mathbb{F}$ is a finite field
• $k$ is the number of inputs
• $n$ is the number of variables
• $m$ is the number of constraints
• $A,B,C\in\mathbb{F}^{m\times (n+1)}$
• $v \in \mathbb{F}^{k}$
• $w \in \mathbb{F}^{n-k}$

A pair in this relation must satisfy $(A \cdot z) \circ (B\cdot z) = C\cdot z$, where $z = (1, v,w)$ and $\circ$ stands for the Hadamard product (entry-wise product).
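A minimal sketch of this check in Python/NumPy, over a toy field $\mathbb{F}_{97}$ and a hypothetical two-constraint circuit proving $y = x^3$ (the matrices are illustrative, not from the source):

```python
import numpy as np

P = 97  # toy prime field

def r1cs_satisfied(A, B, C, v, w):
    """Check (A z) o (B z) = C z over F_P with z = (1, v, w)."""
    z = np.concatenate(([1], v, w))
    return bool(np.array_equal((A @ z % P) * (B @ z % P) % P, C @ z % P))

# hypothetical circuit for y = x^3: x*x = sym1, sym1*x = y; z = (1, x, sym1, y)
A = np.array([[0, 1, 0, 0], [0, 0, 1, 0]])
B = np.array([[0, 1, 0, 0], [0, 1, 0, 0]])
C = np.array([[0, 0, 1, 0], [0, 0, 0, 1]])
assert r1cs_satisfied(A, B, C, v=[3], w=[9, 27])        # 3^3 = 27
assert not r1cs_satisfied(A, B, C, v=[3], w=[9, 28])    # broken witness
```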

## R1CS and Polynomial, or Arithmetic Circuit

So, obviously, a polynomial of the form $f(x_1, \dots, x_k)$ built from the operations $+,\times$ can be flattened into an arithmetic circuit with binary gates $+,\times$.

In R1CS, each gate corresponds to one constraint. So each row of $A,B,C$, denoted $A_i,B_i,C_i$ for $i \in \lbrack 1,m \rbrack$, must satisfy $\langle A_i, z\rangle \cdot \langle B_i ,z\rangle = \langle C_i,z\rangle$.

In this way, the matrix-vector product checks all $m$ constraints at once, since $(A_1,\dots, A_m)^\top\cdot z \equiv (\langle A_1,z\rangle,\dots,\langle A_m,z\rangle)^\top$.

The question then lies in each row: why must $\langle A_i, z\rangle \cdot \langle B_i ,z\rangle = \langle C_i,z\rangle$ hold?

We let $\langle C_i,z\rangle$ be the output of this gate, which is one of the witness variables $\lbrace w_i\rbrace$.

The left side of the previous entry equation represents the computation of the gate.

• If the gate is an addition gate $+$, then $\langle A_i,z\rangle$ can represent the addition while $\langle B_i,z\rangle$ represents the constant 1, and the constraint is satisfied. (Vice versa for $A,B$.)
• If the gate is a multiplication gate $\times$, then $\langle A_i,z\rangle$ represents the left input and $\langle B_i,z\rangle$ the right input. The scalar product performs the gate computation.

## R1CS to QAP

So far, we have $A,B,C \in \mathbb{F}^{m\times (n+1)}$ and $z \in \mathbb{F}^{n+1}$. If we want to hide the witness $z$ better, we need to transform the R1CS into a QAP.

For matrix $M \in \mathbb{F}^{m\times(n+1)}$, we can represent the columns as $M_i(x)$ for $i \in \lbrack 1, n+1\rbrack$ with a corresponding $\lbrace x_i\rbrace$. Then $M = (M_1(x),\dots,M_{n+1}(x))\ |_{x_1,\dots,x_m}$.

If we transform $A,B,C$ into vectors of polynomials $A_p,B_p,C_p$, then we check $\langle A_p^\top,z\rangle \cdot \langle B_p^\top,z\rangle =_{\text{polynomial}} \langle C_p^\top,z\rangle$.

The detail for such transform lies in Lagrange Polynomial Interpolation.

The polynomial $\langle A_p^\top , z \rangle \cdot \langle B_p^\top ,z\rangle - \langle C_p^\top , z \rangle$ should be divisible by $\prod (x - x_i)$ without remainder, i.e., $\exists H(x)$ such that $\langle A_p^\top , z \rangle \cdot \langle B_p^\top,z\rangle - \langle C_p^\top , z \rangle = H(x) \prod (x - x_i)$.
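The divisibility check can be sketched end-to-end over a toy field: interpolate each column into a polynomial, combine with $z$, and verify that the remainder modulo $\prod(x - x_i)$ vanishes. The circuit (a hypothetical two-constraint $y = x^3$, constraints at $x = 1, 2$) and all helper names are mine:

```python
P = 97  # toy prime field

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def poly_mod(num, den):
    """Remainder of num modulo den over F_P (coefficients low degree first)."""
    num = num[:]
    inv = pow(den[-1], -1, P)
    for i in range(len(num) - 1, len(den) - 2, -1):
        f = num[i] * inv % P
        for j, c in enumerate(den):
            num[i - len(den) + 1 + j] = (num[i - len(den) + 1 + j] - f * c) % P
    return num[:len(den) - 1]

def interp(xs, ys):
    """Lagrange interpolation over F_P."""
    acc = [0] * len(xs)
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = [1], 1
        for k, xk in enumerate(xs):
            if k != i:
                num = poly_mul(num, [(-xk) % P, 1])
                den = den * (xi - xk) % P
        s = yi * pow(den, -1, P) % P
        for j, c in enumerate(num):
            acc[j] = (acc[j] + s * c) % P
    return acc

def qap_remainder(A, B, C, z, xs):
    """Remainder of <A_p,z>*<B_p,z> - <C_p,z> modulo Z(x) = prod (x - x_i)."""
    def combine(M):  # interpolate each column, then take the z-weighted sum
        out = [0] * len(xs)
        for j, zj in enumerate(z):
            for d, c in enumerate(interp(xs, [row[j] for row in M])):
                out[d] = (out[d] + zj * c) % P
        return out
    Az, Bz, Cz = combine(A), combine(B), combine(C)
    p = poly_mul(Az, Bz)
    for d, c in enumerate(Cz):
        p[d] = (p[d] - c) % P
    Z = [1]
    for xi in xs:
        Z = poly_mul(Z, [(-xi) % P, 1])
    return poly_mod(p, Z)

# hypothetical circuit for y = x^3: x*x = sym1, sym1*x = y; z = (1, x, sym1, y)
A = [[0, 1, 0, 0], [0, 0, 1, 0]]
B = [[0, 1, 0, 0], [0, 1, 0, 0]]
C = [[0, 0, 1, 0], [0, 0, 0, 1]]
assert qap_remainder(A, B, C, [1, 3, 9, 27], [1, 2]) == [0, 0]   # valid witness
assert qap_remainder(A, B, C, [1, 3, 9, 28], [1, 2]) != [0, 0]   # broken witness
```

A valid witness makes the combined polynomial vanish at every constraint point, so $\prod(x - x_i)$ divides it exactly; a single wrong wire value leaves a nonzero remainder.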

It seems more interesting to have QAP than R1CS since the elements are all polynomials.

The polynomial identity can be rewritten as an exact equation, where each entry of $A_p^\top,B_p^\top$ has degree $m-1$ and the entries of $C_p^\top$ have degree $2m-2$ (this requires additional sample points for $A_p,B_p$).

## Schwartz-Zippel Lemma

Consider polynomials $P(X_1,\dots,X_n)$ over $\mathbb{F}_p$. They compute functions $\mathbb{F}_p^n \to \mathbb{F}_p$. There exist $p^{p^n}$ such functions, but infinitely many polynomials.

Each function has $p^n$ possible inputs and $p$ possible outputs for each input, hence $p^{p^n}$ such functions exist.

In this way, multiple non-identical polynomials can represent the same function; the difference of two such polynomials computes the zero function.

E.g., $X^p - X$ computes the zero function over $\mathbb{F}_p$.

Any $P \in \mathbb{F}_p \lbrack X_1,\dots,X_n\rbrack$ can be reduced by applying the identity $X^p = X$ repeatedly, so the individual degrees (for each variable) become smaller than or equal to $p - 1$.

Thus a reduced polynomial has at most $p^n$ monomials and total degree (the largest degree of a monomial) at most $n(p-1)$, and the number of reduced polynomials is $p^{p^n}$.

Now let $P \in \mathbb{F}_p\lbrack X_1,\dots,X_n\rbrack$ be a reduced nonzero polynomial of total degree $\le d < p$. We also let $\alpha_1,\dots,\alpha_n \overset{R}{\leftarrow} \mathbb{F}_p$. Then $\Pr\lbrack P(\alpha_1,\dots,\alpha_n) = 0\rbrack \le \dfrac{d}{p}$.

If $p = 2$ then $\Pr\lbrack P(\alpha_1,\dots,\alpha_n) \neq 0\rbrack \ge \dfrac{1}{2^d}$.

We assume the theorem is true for $n-1$ variables. Let $k$ be the largest individual degree for $X_1$ in any monomial, then $P(X_1,\dots,X_n) = \sum\limits^k_{i=0} X_1^i \cdot q_i(X_2, \dots, X_n)$.

The degree of $q_k$ is at most $d - k$; by induction $\Pr\lbrack q_k(y_2,\dots,y_n) = 0\rbrack \le \dfrac{d - k}{p}$ for $y_2,\dots,y_n \overset{R}{\leftarrow} \mathbb{F}_p$.

Denote the event $q_k(y_2,\dots,y_n) = 0$ by $\varepsilon_1$, and let $f(X_1) = P(X_1, y_2,\dots,y_n)$. Conditioned on $\neg \varepsilon_1$, $f$ is a nonzero univariate polynomial of degree $k$, so $\Pr\lbrack f(y_1) = 0 \mid \neg \varepsilon_1\rbrack \le \dfrac{k}{p}$ for $y_1 \overset{R}{\leftarrow} \mathbb{F}_p$.
\begin{aligned} \Pr\lbrack f(y_1 ) = 0\rbrack &= \Pr\lbrack f(y_1 ) = 0 | \varepsilon_1\rbrack \cdot \Pr \lbrack \varepsilon_1\rbrack + \Pr\lbrack f(y_1 ) = 0 | \neg \varepsilon_1\rbrack \cdot \Pr \lbrack \neg \varepsilon_1\rbrack\newline &\le \Pr\lbrack f(y_1 ) = 0 | \varepsilon_1\rbrack \cdot \dfrac{d- k}{p} + \dfrac{k}{p} \le \dfrac{d}{p} \end{aligned}
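A quick numerical sanity check of the univariate base case (parameters chosen arbitrarily): a nonzero polynomial of degree $d$ over $\mathbb{F}_p$ has at most $d$ roots, so a random evaluation point hits zero with probability at most $d/p$:

```python
import random

p, d = 97, 5
random.seed(0)
# a nonzero polynomial of degree exactly d over F_p (nonzero leading coefficient)
coeffs = [random.randrange(p) for _ in range(d)] + [random.randrange(1, p)]

def evaluate(cs, x):
    acc = 0
    for c in reversed(cs):   # Horner's rule, mod p
        acc = (acc * x + c) % p
    return acc

# exhaustively count roots: at most d of the p field elements can be roots
roots = sum(1 for a in range(p) if evaluate(coeffs, a) == 0)
assert roots <= d   # hence Pr[P(alpha) = 0] = roots / p <= d / p
```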

## QAP to LPCP

We denote the public inputs by $\boldsymbol{x}$ and the private inputs by $\boldsymbol{w}$. The proof is $\pi = \left[ 1,\boldsymbol{x},\boldsymbol{w} \right]^\top$.

By previous QAP construction, we want to hide the R1CS coefficients so that verifiers cannot guess the proof private inputs.

Denote $t \overset{R}{\leftarrow}\mathbb{F}$ and $A_t,B_t,C_t, H_t$ be the QAP polynomial matrices evaluated on $t$. Then we want to satisfy that $\langle A_t, \pi\rangle \cdot \langle B_t,\pi\rangle - \langle C_t , \pi \rangle = H_t \cdot \prod (t - x_i)$.

We can sample a random query based on $A_p$ and $A$ by the following method (denote by $A_r$ the evaluation of $A_t$ at $t = r$):
$$A_r = \begin{bmatrix} 1&r & \ldots & r^{m-1} \end{bmatrix} A_t,$$
and similarly for $B_r$ and $C_r$.

PCP is quite general, since it only states that any problem in NP can be verified with a random sample.

With this method, soundness amplification can be done by multiple rounds of random sampled verification, driving the cheating probability close to negligible.

Observe that the verifier has the circuit, and can thus construct the R1CS, the QAP, and finally these three queries. Almost all the computation is on the verifier's side.

## LPCP Protocol

Recall from before that $\langle A_r, \pi\rangle \cdot \langle B_r,\pi\rangle - \langle C_r, \pi \rangle = H_r \cdot \prod (r - x_i)$, where $\pmb{\pi} = \lbrack 1, \pmb{x},\pmb{w}\rbrack^\top$. We can split these queries into $q^L$ and $q^R$, where $q^L$ corresponds to $\lbrack 1, \pmb{x}\rbrack^\top$ and $q^R$ corresponds to $\pmb{w}$.

We just need to send $A_r^R,B_r^R,C_r^R$ to the prover, and receive $a = \langle A^R, \pmb{w} \rangle, b = \langle B^R, \pmb{w} \rangle, c = \langle C^R, \pmb{w} \rangle$.

Verifier needs to check if
$$(\langle A^L, \lbrack 1, x\rbrack \rangle + a) \cdot (\langle B^L, \lbrack 1, x\rbrack \rangle + b) \overset{?}{=} (\langle C^L, \lbrack 1, x\rbrack \rangle + c) + H_r \cdot \prod (r - x_i)$$

## Common Reference String Model (CRS)

The LPCP can be made non-interactive based on a trusted setup. The key assumption we need is called the CRS.

If we can randomly generate the queries $A_r,B_r,C_r$ on verifier side, we can pre-generate these queries and throw them into CRS.

In this way, the interactive PCP becomes non-interactive: the prover just sends over its proof based on the CRS.

The CRS hiding relies on linear-only encoding, which is additive homomorphic encryption.

# FFT and Polynomial

For the QAP discussed above, we have to interpolate polynomials. We are transforming $A \cdot z$ into $\langle A_p, z\rangle$, where $A_p$ is the vector of polynomials for $A$ over $x_1,\dots,x_m$ for the $m$ constraints.

$A_p = (A_{p_1}(x), \dots, A_{p_{n+1}}(x))$, so $A_p|_{x_1,\dots,x_m} = (A_p(x_1),\dots,A_p(x_m))^\top$.

For every column $i \in \lbrack 1, n+1 \rbrack$, we get a polynomial $A_{p_i}$. For one $A_{p_i}$ (representing column $i$ of $A$), the coefficients satisfy
$$\begin{bmatrix} 1 & x_1 & \dots &x_1^{m-1} \newline \vdots & \vdots & &\vdots \newline 1 & x_m & \dots &x_m^{m-1} \end{bmatrix} \cdot \begin{bmatrix} a_0 \newline \vdots \newline a_{m-1} \end{bmatrix} = A\text{ column }i$$

The basic idea was to use $g(x) = \sum\limits^{m-1}_{i=0} f_i I_i(x)$, where $I_i(x_j) = \begin{cases} 0 &i \neq j \newline 1 & i = j \end{cases}$.

We can have $I_i(x) = \prod\limits_{k \in \lbrack 0, m-1 \rbrack \backslash \lbrace i \rbrace}\dfrac{x - x_k}{x_i - x_k}$.

Still, evaluating such products $\prod (x - x_k)$ takes $O(n^2)$ by brute force.
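The interpolation formula above can be evaluated directly; a brute-force $O(n^2)$ sketch in Python using exact rationals (names are mine):

```python
from fractions import Fraction

def lagrange_eval(xs, ys, x):
    """Evaluate the interpolating polynomial at x directly from
    g(x) = sum_i y_i * prod_{k != i} (x - x_k) / (x_i - x_k), in O(n^2)."""
    total = Fraction(0)
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        term = Fraction(yi)
        for k, xk in enumerate(xs):
            if k != i:
                term *= Fraction(x - xk, xi - xk)
        total += term
    return total

# three samples of f(x) = x^2 reproduce it at a fresh point
assert lagrange_eval([1, 2, 3], [1, 4, 9], 5) == 25
```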

## FFT/IFFT and Polynomial Multiplication/Interpolation

If we compute $A(x) \cdot B(x)$ or interpolate some $A(x)$ by brute force, it obviously takes $O(n^2)$.

We consider $n$ to be a power of 2 for simplicity.

Let $\omega_n$ be a primitive $n$-th root of unity, so $\omega_n^n = 1$. Then we have

• $\omega^{2k}_{2n} = \omega^k_n$.
• $\omega_n^{k + \frac{n}{2}} = -\omega_n^k$.

For evaluation, we want $\lbrack A(\omega_n^0),\dots,A(\omega_n^{n-1})\rbrack$, i.e., $A$ at $x = \omega_n^0,\dots,\omega^{n-1}_n$.

We can separate $A=\sum\limits^{n-1}_{i=0}a_i x^i$ into $A = A^{\lbrack 1\rbrack}(x^2) + xA^{\lbrack 2\rbrack}(x^2)$ where

• $A^{\lbrack 1\rbrack}(x^2) = \sum\limits_{i = 0,2,\dots,n-2} a_i x^i = \sum\limits_{i = 0,2,\dots,n-2} a_i (x^2)^{\frac{i}{2}}$. So $A^{\lbrack 1\rbrack} = \sum\limits_{i = 0,2,\dots,n-2} a_i x^{\frac{i}{2}}$.
• $xA^{\lbrack 2\rbrack}(x^2) = \sum\limits_{i = 1,3,\dots,n-1} a_i x^i = x \sum\limits_{i = 0, 2, \dots, n-2}a_{i+1}x^i = x \sum\limits_{i = 0, 2, \dots, n-2}a_{i+1}(x^2)^{\frac{i}{2}}$. So $A^{\lbrack 2\rbrack} = \sum\limits_{i = 0, 2, \dots, n-2}a_{i+1}x^{\frac{i}{2}}$.

If we want to know $A(\omega_n^k)$, we do $A(\omega_n^k) = A^{\lbrack 1 \rbrack} (\omega^k_{\frac{n}{2}}) + \omega_n^k A^{\lbrack 2\rbrack}(\omega^k_{\frac{n}{2}})$. ($k \in \lbrack 0, \dfrac{n}{2} - 1\rbrack$)

If we want to know $k + \dfrac{n}{2}$ scenario, $A(\omega_n^{k + \frac{n}{2}}) = A^{\lbrack 1 \rbrack} (\omega^k_{\frac{n}{2}}) - \omega_n^k A^{\lbrack 2\rbrack}(\omega^k_{\frac{n}{2}})$.

If we know $A^{\lbrack 1\rbrack},A^{\lbrack 2\rbrack}$ for $\omega_{\frac{n}{2}}^k$ $\forall k \in \lbrack 0, \dfrac{n}{2} - 1\rbrack$, we can solve $\forall k \in \lbrack 0, n-1 \rbrack, A(x)|_{x = \omega_n^k}$ in $O(n)$.

By $T(n) = 2 T(\dfrac{n}{2}) + O(n)$ we have $T(n) = O(n\log n)$.

IFFT is used to get $(a_0,\dots,a_{n-1})$ coefficients by $(A(\omega_n^{0}),\dots,A(\omega_n^{n-1}))$, which is used for fast interpolation.

Since the required values $\lbrace A(\omega_n^i)\rbrace$ are given by the R1CS, we don't need to worry about computing them.

IFFT follows a similar step like FFT. We construct polynomial $F(x) = \sum\limits^{n-1}_{i=0} d_i x^i$ where $\lbrace d_i\rbrace = (A(\omega_n^{0}),\dots,A(\omega_n^{n-1}))$.

We run FFT on this polynomial to get $(c_0, \dots,c_{n-1})$ as $(F(\omega_n^{0}),\dots,F(\omega_n^{-(n-1)}))$, i.e., $\lbrace F(\omega_n^{-k})\rbrace$.

$c_k = \sum\limits^{n-1}_{i = 0} \lbrack \sum \limits^{n-1}_{j=0} a_j \cdot (\omega_n^i)^j\rbrack \cdot (\omega^{-k}_n)^i = \sum\limits^{n-1}_{i = 0}\lbrack \sum \limits^{n-1}_{j = 0} a_j \cdot (\omega_n^i)^{j-k}\rbrack$. Since $\sum\limits^{n-1}_{i=0} \omega_n^{i(j-k)} = n$ when $j = k$ and $0$ otherwise, $c_k = n a_k$. Thus $\lbrace a_k \rbrace = \lbrace \dfrac{c_k}{n}\rbrace$.

IFFT takes also $O(n\log n)$ like FFT.

The polynomial multiplication brute force can be considered as $A:a_0,\dots,a_{n-1}, B:b_0,\dots,b_{n-1}$ to $C: c_0,\dots,c_{2n-1}$ which takes $O(n^2)$.

With FFT/IFFT we can finish following process:

• $A:a_0,\dots,a_{n-1}, B:b_0,\dots,b_{n-1}$ to $\lbrace A(\omega_{2n}^k)\rbrace, \lbrace B(\omega_{2n}^k)\rbrace$ takes $O(n\log n)$.
• $\lbrace A(\omega_{2n}^k)\rbrace, \lbrace B(\omega_{2n}^k)\rbrace$ to $\lbrace C(\omega_{2n}^k)\rbrace$ takes $O(n)$.
• $\lbrace C(\omega_{2n}^k)\rbrace$ to $C : c_0 ,\dots,c_{2n-1}$ takes $O(n\log n)$ (IFFT).

So the total cost comes to $O(n\log n)$.
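The whole pipeline can be sketched as a number-theoretic transform (FFT over $\mathbb{F}_p$); this is a minimal recursive radix-2 version over the toy field $\mathbb{F}_{97}$, not a production implementation:

```python
P = 97   # toy prime field; 97 - 1 = 96 is divisible by 8, so 8th roots of unity exist
N = 8    # transform size: a power of two, at least deg(A) + deg(B) + 1

# find a primitive N-th root of unity in F_P by brute force
g = next(x for x in range(2, P) if pow(x, N, P) == 1 and pow(x, N // 2, P) != 1)

def ntt(a, w):
    """Radix-2 Cooley-Tukey: evaluate a (coeffs, low degree first) at w^0..w^{n-1}."""
    n = len(a)
    if n == 1:
        return a[:]
    even = ntt(a[0::2], w * w % P)   # A^[1] evaluated at (w^2)^k
    odd = ntt(a[1::2], w * w % P)    # A^[2] evaluated at (w^2)^k
    out = [0] * n
    wk = 1
    for k in range(n // 2):
        out[k] = (even[k] + wk * odd[k]) % P            # A(w^k)
        out[k + n // 2] = (even[k] - wk * odd[k]) % P   # A(w^{k+n/2}), since w^{n/2} = -1
        wk = wk * w % P
    return out

def intt(values, w):
    """Inverse transform: run NTT with w^{-1}, then divide every entry by n."""
    n = len(values)
    inv_n = pow(n, -1, P)
    return [v * inv_n % P for v in ntt(values, pow(w, -1, P))]

def poly_mul_ntt(a, b):
    """Multiply polynomials by evaluate -> pointwise product -> interpolate."""
    fa = ntt(a + [0] * (N - len(a)), g)
    fb = ntt(b + [0] * (N - len(b)), g)
    return intt([x * y % P for x, y in zip(fa, fb)], g)

# (1 + 2x + 3x^2)(4 + 5x) = 4 + 13x + 22x^2 + 15x^3
assert poly_mul_ntt([1, 2, 3], [4, 5])[:4] == [4, 13, 22, 15]
```

The `intt` definition is exactly the $c_k = n a_k$ derivation above: evaluating at the inverse powers and dividing by $n$ recovers the coefficients.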

Cryptographic Lattice Geometry Note 2
https://nomadtype.ninja/2020/07/28/lattice-geometry-2/ (published 2020-07-28, updated 2020-10-12)

All info comes from this note (http://www.sti.uniurb.it/events/fosad11/slides/MICCIANCIO.pdf) and this course (https://homepages.cwi.nl/~dadush/teaching/lattices-2018).

This note will be mainly focusing on $q$-ary lattice, SIS problem and LWE assumption.

# $q$-ary Lattice

We assume that $m \ge n \ge 0$ in the following parts.

A $q$-ary lattice $\Lambda$ of dimension $m$ is a lattice satisfying $q\mathbb{Z}^m \subseteq \Lambda \subseteq \mathbb{Z}^m$.

Note that people denote $\mathbb{Z}_q = \mathbb{Z} / q\mathbb{Z}$, the integers modulo $q$, where integers differing by a multiple of $q$ are identified.

One can consider that a $q$-ary lattice is a subgroup of $\mathbb{Z}^m_q$ (or linear code of $\mathbb{Z}^m_q$) both algebraically and computationally.

Parity Check Lattice (Dual Lattice) is defined as follows: Let $\pmb{A} \in \mathbb{Z}^{n \times m}_q$ and define
\begin{aligned} \Lambda_q^\bot (\pmb{A}) &= \lbrace \pmb{x} \in \mathbb{Z}^m \mid \pmb{Ax} \equiv \pmb{0} \pmod q \rbrace \newline &= \ker(\pmb{A}: \mathbb{Z}^m_q \mapsto \mathbb{Z}^n_q) \end{aligned}
Row-Generated Lattice is defined as follows: Let $\pmb{A} \in \mathbb{Z}^{n \times m}_q$ and define
\begin{aligned} \Lambda_q(\pmb{A}) &= \lbrace \pmb{y} \in \mathbb{Z}^m \mid \exists \pmb{s} \in \mathbb{Z}^n, \pmb{y} \equiv \pmb{As} \pmod q \rbrace \newline &= \pmb{A}\mathbb{Z}^n + q\mathbb{Z}^m \end{aligned}
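A small sketch of both definitions over a toy modulus (the matrix and vectors are hand-picked for illustration): membership in $\Lambda_q^\bot$ is a single matrix-vector product mod $q$, while membership in the row-generated lattice is checked here by brute force over all $\pmb{s} \in \mathbb{Z}_q^n$:

```python
import numpy as np

q, n, m = 7, 2, 4
A = np.array([[1, 2, 3, 4],
              [5, 6, 0, 1]])   # A in Z_q^{n x m}, chosen by hand

def in_dual_lattice(x):
    """x in Lambda_q^perp(A)  <=>  A x = 0 (mod q)."""
    return bool(np.all(A @ x % q == 0))

def in_row_lattice(y):
    """y in Lambda_q(A') for A' = A^T: exists s in Z_q^n with y = A' s (mod q).
    Checked by brute force over all q^n choices of s (toy sizes only)."""
    y = np.array(y) % q
    return any(np.array_equal(y, A.T @ np.array(s) % q)
               for s in np.ndindex(*([q] * n)))

assert in_dual_lattice(np.array([1, 5, 1, 0]))   # A x = (14, 35) = 0 (mod 7)
assert in_dual_lattice(np.array([7, 0, 0, 0]))   # q Z^m is always contained
assert in_row_lattice([6, 1, 3, 5])              # y = A^T (1, 1) mod 7
```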
For $\pmb{A} \in \mathbb{Z}^{n\times m}_q$ and $\pmb{A}’ \in \mathbb{Z}^{m \times n}_q$, we have

• $\dim \Lambda^\bot_q(\pmb{A}) = m, \dim\Lambda_q(\pmb{A}’) = m$.
• $\det(\Lambda^\bot_q(\pmb{A})) \le q^n$ and $\det(\Lambda_q(\pmb{A}’)) \ge q^{m - n}$.
• If $q$ is prime and $\pmb{A,A’}$ are non-singular in finite field $\mathbb{Z}_q$, the inequalities are equalities.

Noticing that $q\mathbb{Z}^m \subseteq \Lambda \subseteq \mathbb{Z}^m$, the dimension argument holds.

Since $\Lambda^\bot_q(\pmb{A}) = \ker(\pmb{A})$ and $\Lambda_q^\bot(\pmb{A}) \subset \mathbb{Z}^m$, we have $\det(\Lambda^\bot_q) = |\mathbb{Z}^m / \Lambda_q^\bot(\pmb{A}) | = |\text{im}(\pmb{A})|$, and the image space satisfies $\text{im}(\pmb{A}) \subset \mathbb{Z}^n_q$, so $\det(\Lambda_q^\bot) \le q^n$.

Similarly, $\det(\Lambda_q(\pmb{A}’)) = | \mathbb{Z}^m / \Lambda_q(\pmb{A}’) |$. Since the image $\pmb{A}’\mathbb{Z}^n \bmod q$ has at most $q^n$ elements, $\det(\Lambda_q(\pmb{A}’)) \ge q^{m-n}$.

Let $q$ be a prime, and let $\pmb{A}\in\mathbb{Z}^{n \times m}_q$, then

1. $\lambda_1^\infty(\Lambda_q^\bot(\pmb{A})) \le q^{n / m}$.
2. $\lambda_1^\infty(\Lambda^\bot_q(\pmb{A})) > \dfrac{(q / 2)^{n / m} - 1}{2}$ except with probability at most $2^{-n}$ over $\pmb{A}\overset{R}{\leftarrow}\mathbb{Z}^{n \times m}_q$.

By the fact that any convex symmetric set with volume $\text{vol}_n(K) > 2^n\det(\mathcal{L})$ contains a non-zero lattice vector, we have
$$(2 \cdot \lambda^\infty_1(\Lambda_q^\bot(\pmb{A})))^m \le 2^m \cdot \det(\Lambda^\bot_q(\pmb{A})) \le 2^m \cdot q^n$$
Thus $\lambda_1^\infty (\Lambda^\bot_q(\pmb{A})) \le q^{n /m}$.

Recall the SIS problem, where $\pmb{A}$ acts as a universal hash function: $\Pr\lbrack H(\text{pk},x) = H(\text{pk},x^\ast)\rbrack = \dfrac{1}{q^n}$, i.e., the hash values must be uniformly distributed.

Then denote $\beta = \dfrac{(q / 2)^{n / m} - 1}{2}$ and consider vectors of $\ell_\infty$ norm at most $\beta$; we have
$$|\lbrace \pmb{x} \in \mathbb{Z}^m \mid \lVert \pmb{x} \rVert_\infty \le \beta \rbrace | = (2\beta + 1)^m$$
Thus by a union bound
$$\Pr_{\pmb{A}}\lbrack \exists \pmb{x}, \lVert \pmb{x} \rVert _\infty \le \beta, \pmb{Ax}\equiv \pmb{0}\pmod q\rbrack \le (2\beta + 1)^m q^{-n} = 2^{-n}$$
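The first bound can be checked by exhaustive search on a toy instance (parameters hand-picked; feasible only because $m$ is tiny):

```python
import itertools
import numpy as np

q, n, m = 5, 2, 4
A = np.array([[1, 2, 3, 4],
              [2, 3, 1, 0]])   # hand-picked A in Z_q^{n x m}

bound = q ** (n / m)           # the claimed bound: 5^(1/2) ~ 2.24
radius = int(bound)            # norms are integers, so searching {-2,...,2}^m suffices

# shortest infinity-norm of a nonzero vector x with A x = 0 (mod q)
shortest = min(
    max(abs(c) for c in x)
    for x in itertools.product(range(-radius, radius + 1), repeat=m)
    if any(x) and np.all(A @ np.array(x) % q == 0)
)
assert shortest <= bound
```

The search is guaranteed to find something: by pigeonhole, two of the $3^4 = 81 > q^n = 25$ vectors in $\lbrace 0,1,2\rbrace^4$ collide under $\pmb{A}$, and their difference is a nonzero kernel vector of $\ell_\infty$ norm at most 2.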

Cryptographic Lattice Geometry Note 1
https://nomadtype.ninja/2020/07/23/lattice-geometry-1/ (published 2020-07-23, updated 2020-10-12)

All info comes from this note and this course.

This note will be mainly focusing on lattice parallelepiped and Minkowski’s Theorem.

# Parallelepiped

Let $\mathcal{L} = \mathcal{L}(\pmb{B}) \subseteq \mathbb{R}^n$ for some basis matrix $\pmb{B} \in \mathbb{R}^{n \times k}$. Define fundamental parallelepiped of $\mathcal{L}$ with respect to $\pmb{B}$ as $\mathcal{P}(\pmb{B}) = \pmb{B}\lbrack 0, 1)^k$.

## Fundamental Parallelepiped

A fundamental question is: given linearly independent vectors $\pmb{b}_1,\dots,\pmb{b}_n \in \mathcal{L}$, how can we tell whether they form a basis of $\mathcal{L}$?

Observe that the parallelepiped generated by a basis should not contain any lattice point except the origin.

Then, let $\mathcal{L}$ be a lattice of rank $n$, let $\pmb{b}_1,\dots,\pmb{b}_n\in \mathcal{L}$ be $n$ linearly independent lattice vectors. Then $\pmb{b}_1,\dots,\pmb{b}_n$ form a basis of $\mathcal{L}$ if and only if $\mathcal{P}(\pmb{b}_1,\dots,\pmb{b}_n) \cap \mathcal{L} = \lbrace \pmb{0}\rbrace$.

Assuming $\pmb{b}_1,\dots,\pmb{b}_n$ form a basis for $\mathcal{L}$, every lattice point is an integer combination of $\pmb{b}_1,\dots,\pmb{b}_n$. Since $\mathcal{P}(\pmb{b}_1,\dots,\pmb{b}_n) = \sum\limits_{i = 1}^n \pmb{b}_i\lbrack 0, 1)$, the only integer combination inside it is $\pmb{0}$.

Suppose $\mathcal{P}(\pmb{b}_1,\dots,\pmb{b}_n) \cap \mathcal{L} = \lbrace \pmb{0}\rbrace$, by $\mathcal{L}$ being rank $n$ and $\pmb{b}_1,\dots,\pmb{b}_n$ being linearly independent, we can represent $\pmb{x} \in \mathcal{L}$ by $\pmb{x} = \sum\limits^n_{i=1}k_i\pmb{b}_i$ with $k_i \in \mathbb{R}$.

Since $\mathcal{L}$ is closed under addition, we have $\delta = \pmb{x} - \sum\limits^n_{i = 1} \lfloor k_i \rfloor \pmb{b}_i = \sum\limits^n_{i = 1} (k_i - \lfloor k_i \rfloor) \pmb{b}_i\in \mathcal{L}$. But $\delta \in \mathcal{P}(\pmb{b}_1,\dots,\pmb{b}_n) \cap \mathcal{L} = \lbrace \pmb{0}\rbrace$, so $\delta = \pmb{0}$. Thus $k_i \in \mathbb{Z}$ and $\pmb{b}_1,\dots,\pmb{b}_n$ form a basis for $\mathcal{L}$.

## Determinant

Let $\mathcal{L} = \mathcal{L}(\pmb{B}) \subseteq \mathbb{R}^n$ for some $\pmb{B}\in \mathbb{R}^{n \times k}$. Define the determinant of $\mathcal{L}$ as $\det(\mathcal{L}) = \sqrt{\det(\pmb{B}^\top\pmb{B})}$.

This definition gives: $\det(\mathcal{L}(\pmb{B})) = \det(\mathcal{L}(\pmb{BU}))$ for any unimodular matrix $\pmb{U}\in \mathbb{R}^{k \times k}$. By
\begin{aligned} \det((\pmb{BU})^\top \pmb{BU}) &= \det(\pmb{U}^\top \pmb{B}^\top \pmb{BU})\newline &= \det(\pmb{U})^2 \det(\pmb{B}^\top\pmb{B})\newline &= \det(\pmb{B}^\top\pmb{B}) \end{aligned}
the property holds. In the case $k = n$, $\pmb{B}$ is a square matrix and $\det(\mathcal{L}) = |\det(\pmb{B})|$.
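A quick numeric check of this invariance (the basis and unimodular matrix are chosen arbitrarily):

```python
import numpy as np

def lattice_det(B):
    """det(L) = sqrt(det(B^T B)); columns of B are the basis vectors."""
    return float(np.sqrt(np.linalg.det(B.T @ B)))

B = np.array([[2.0, 1.0],
              [0.0, 3.0],
              [1.0, 1.0]])     # a rank-2 lattice basis in R^3
U = np.array([[1, 4],
              [0, 1]])         # unimodular: integer entries, det(U) = 1

# B and BU generate the same lattice, so the determinant is unchanged
assert abs(lattice_det(B) - lattice_det(B @ U)) < 1e-9
```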

Also let $\pmb{B} = (\pmb{b}_1,\dots,\pmb{b}_n)$ denotes a basis for a lattice $\mathcal{L}$. For $\mathcal{P}(\pmb{B})$:

1. $\text{vol}_k(\mathcal{P}(\pmb{B})) = \det(\mathcal{L})$.
2. $\forall \pmb{x} \in \text{span}(\mathcal{L})$, $\exists \pmb{y}$ unique that $\pmb{y}\in\mathcal{L}$ such that $\pmb{x} \in \pmb{y} + \mathcal{P}(\pmb{B})$. In particular, $\text{span}(\mathcal{L}) = \mathcal{L} + \mathcal{P}(\pmb{B})$, meaning $\mathcal{P}(\pmb{B})$ tiles space with respect to $\mathcal{L}$.

Let $\pmb{x} \in \text{span}(\mathcal{L})$, where $\pmb{x} = \sum\limits^{k}_{i = 1}a_i\pmb{b}_i$. We define $\pmb{x} \pmod{\mathcal{P}(\pmb{B})}$ to the vector $\sum\limits^k_{i = 1} (a_i - \lfloor a_i \rfloor)\pmb{b}_i \in \mathcal{P}(\pmb{B})$.

## Packing, Covering and Tiling

Let $\mathcal{L}\subseteq \mathbb{R}^n$ be a lattice and let $F \subseteq \text{span}(\mathcal{L})$ be a measurable set (with respect to the Lebesgue measure on $\text{span}(\mathcal{L})$). We define $F$ to be

1. $\mathcal{L}$-packing if $\forall \pmb{x},\pmb{y} \in \mathcal{L}, \pmb{x}\neq\pmb{y}, (\pmb{x} + F) \cap (\pmb{y} + F) = \varnothing$.
2. $\mathcal{L}$-covering if $\mathcal{L} + F = \text{span}(\mathcal{L})$.
3. $\mathcal{L}$-tiling (or a fundamental domain of $\mathcal{L}$) if $F$ is both $\mathcal{L}$-packing and $\mathcal{L}$-covering.

$F \subseteq \text{span}(\mathcal{L})$ is $\mathcal{L}$-packing/covering/tiling if and only if $\forall \pmb{x} \in \text{span}(\mathcal{L}), |(\mathcal{L} + \pmb{x}) \cap F |\ \ (\le,\ge,=)\ \ 1$.

We prove the $\mathcal{L}$-packing case here. Assume $F$ is $\mathcal{L}$-packing and take $\pmb{x} \in \text{span}(\mathcal{L})$.

If $|(\mathcal{L} + \pmb{x}) \cap F| > 1$, we take distinct $\pmb{w_0},\pmb{w_1} \in F$ such that $\pmb{w_0},\pmb{w_1} \in \mathcal{L} + \pmb{x}$; in particular $\pmb{w_0} - \pmb{w_1} \in \mathcal{L}\backslash\lbrace \pmb{0}\rbrace$.

Then $\pmb{w_0} \in F = F + \pmb{0}$ and $\pmb{w_0} = \pmb{w_1} + (\pmb{w_0} - \pmb{w_1}) \in F + (\pmb{w_0} - \pmb{w_1})$. Thus $(F + \pmb{0}) \cap (F + (\pmb{w_0} - \pmb{w_1})) \neq \varnothing$, contradicting packing.

Also, $F \subseteq \text{span}(\mathcal{L})$ is non-empty and $\mathcal{L}$-packing $\Leftrightarrow (F - F)\cap\mathcal{L} = \lbrace \pmb{0}\rbrace$.

Suppose $\exists \pmb{x} \in \text{span}(\mathcal{L})$ s.t. $|(\mathcal{L} + \pmb{x}) \cap F| > 1$, which means $\exists \pmb{w_0}\ne\pmb{w_1} \in F$ that $\pmb{w_0 - w_1} \in \mathcal{L}\backslash\lbrace \pmb{0}\rbrace$, i.e., $(F - F) \cap\mathcal{L} \backslash \lbrace \pmb{0}\rbrace \neq \varnothing$.

Therefore $F$ is $\mathcal{L}$-packing if and only if $(F - F)\cap\mathcal{L} = \lbrace \pmb{0}\rbrace$.

Let $\mathcal{L}\subseteq \mathbb{R}^n$ be a $k\ge 1$ dimensional lattice and let $W = \text{span}(\mathcal{L})$. Let $F \subseteq W$ be a measurable set and $g:\text{span}(\mathcal{L})\to \mathbb{R}_+$ be a measurable function w.r.t. the $k$-dimensional Lebesgue measure on $W$.

If $F$ is $\mathcal{L}$-packing/covering/tiling, we have that
$$\int_F \sum_{\pmb{y}\in\mathcal{L}} g(\pmb{y + x})\text{dvol}_k(\pmb{x})\quad(\le,\ge,=)\quad\int_W g(\pmb{x})\text{dvol}_k(\pmb{x})$$

By choosing an orthonormal basis for $W$ and applying a change of coordinates, we might assume that $W = \mathbb{R}^n$ and $k=n$.

Since $g \ge 0$ and measurable, we have that $m(A) = \int_Ag(\pmb{x})d\pmb{x}$ for $A \subseteq \mathbb{R}^n$ measurable, defines a measure on $\mathbb{R}^n$.

Let $1_{\pmb{y}+F},\pmb{y}\in\mathcal{L}$ denote the (measurable) indicator function of $\pmb{y}+F$.

Since $\mathcal{L}$ is countable, we have
\begin{aligned} \sum_{y\in\mathcal{L}}m(\pmb{y}+F) &= \sum_{y\in\mathcal{L}} \int_{\mathbb{R}^n} 1_{\pmb{y}+F}(\pmb{x}) g(\pmb{x})\text{d}\pmb{x}\newline &=\sum_{y\in\mathcal{L}} \int_{\pmb{x} \in \pmb{y}+F \subseteq \mathbb{R}^n} g(\pmb{x})\text{d}\pmb{x}\newline &= \sum_{y\in\mathcal{L}} \int_{\pmb{x} \in F} g(\pmb{x}+\pmb{y})\text{d}\pmb{x}\newline &= \int_{\pmb{x} \in F} \sum_{y\in\mathcal{L}} g(\pmb{x}+\pmb{y})\text{d}\pmb{x} \end{aligned}
If $F$ is $\mathcal{L}$-packing then collections of sets $\pmb{y} + F \subseteq \mathbb{R}^n$ for $\pmb{y}\in\mathcal{L}$ are all disjoint. Thus we have
$$\int_{\mathbb{R}^n}g(\pmb{x})\text{d}\pmb{x}=m(\mathbb{R}^n) \ge m(\mathcal{L}+F) = \sum_{\pmb{y}\in\mathcal{L}}m(\pmb{y}+F) = \int_{\pmb{x} \in F} \sum_{y\in\mathcal{L}} g(\pmb{x}+\pmb{y})\text{d}\pmb{x}$$
If $F$ is $\mathcal{L}$-covering, the inequality is reversed since $\mathbb{R}^n \subseteq \mathcal{L}+F$.

Also, by the previous result, we have
$$\text{vol}_n(F) = \int_{\mathbb{R}^n} 1_F(\pmb{x})\text{d}\pmb{x} =\sum_{\pmb{y}\in\mathcal{L}} \int_{\pmb{B}\lbrack 0,1)^n}1_F(\pmb{x} + \pmb{y})\text{d}\pmb{x} = \int_{\pmb{B}\lbrack 0,1)^n}|(\mathcal{L}+\pmb{x}) \cap F|\text{d}\pmb{x}$$
If $F$ is $\mathcal{L}$-packing/covering/tiling, then by $\forall \pmb{x} \in \text{span}(\mathcal{L}), |(\mathcal{L} + \pmb{x}) \cap F |\ \ (\le,\ge,=)\ \ 1$, we have
$$\text{vol}_n(F) = \int_{\pmb{B}\lbrack 0,1)^n}|(\mathcal{L}+\pmb{x}) \cap F|\text{d}\pmb{x}\quad(\le,\ge,=)\quad\int_{\pmb{B}\lbrack 0,1)^n}1\text{d}\pmb{x} = \text{vol}_n(\pmb{B}\lbrack0,1)^n) = \det(\mathcal{L})$$

# Sublattice and Quotient Group

For lattice $\mathcal{L}\subseteq\mathbb{R}^n$ of rank $k$, we define quotient group $\text{span}(\mathcal{L})/\mathcal{L} = \lbrace \pmb{x} + \mathcal{L} : \pmb{x} \in \text{span}(\mathcal{L})\rbrace$.

Noticing that $\pmb{x} + \mathcal{L} = \pmb{y} + \mathcal{L} \Leftrightarrow \pmb{x-y}\in\mathcal{L}$. For convenience we denote $\pmb{x} \equiv \pmb{y} \pmod{\mathcal{L}}$ if $\pmb{x}-\pmb{y}\in\mathcal{L}$.

Then $\text{span}(\mathcal{L})/\mathcal{L} = \lbrace \pmb{x} + \mathcal{L} : \pmb{x} \in \text{span}(\mathcal{L})\rbrace$ forms a group under addition, where $(\pmb{x} + \mathcal{L}) + (\pmb{y}+\mathcal{L}) = \pmb{x} + \pmb{y}+ \mathcal{L}$.

For a lattice $\mathcal{L}\subseteq\mathbb{R}^n$, a lattice $\mathcal{L}’ \subseteq \mathcal{L}$ is called a sublattice of $\mathcal{L}$.

An example: $\mathcal{L}’ = \lbrace (x, y) \in \mathbb{Z}^2: x + y \equiv 0 \pmod 2\rbrace \subseteq \mathbb{Z}^2$.

The quotient group $\mathcal{L}/\mathcal{L}’ = \lbrace \pmb{x} + \mathcal{L}’ : \pmb{x} \in \mathcal{L}\rbrace$ is defined analogously. $|\mathcal{L}/\mathcal{L}’|$ is finite precisely when $\text{span}(\mathcal{L}) = \text{span}(\mathcal{L}’)$.

Let $\mathcal{L}\subseteq\mathbb{R}^n$ be a $k \ge 1$ dimensional lattice. The following holds:

1. $\text{span}(\mathcal{L})/\mathcal{L} \cong \mathbb{R}^k/\mathbb{Z}^k$.
2. $m \in \mathbb{N}, \mathcal{L}/m\mathcal{L}\cong \mathbb{Z}^k_m$ and $|\mathcal{L}/m\mathcal{L}|=m^k$. Furthermore, $\det(m\mathcal{L}) = m^k\det(\mathcal{L})$.

Let $(\pmb{b}_1,\dots,\pmb{b}_k)$ denote any basis for $\mathcal{L}$. $\pmb{x} \in \mathcal{L}$ can be represented in $\sum\limits^k_{i=1}a_i\pmb{b}_i$ and form $T:\text{span}(\mathcal{L}) \to \mathbb{R}^k$ by taking $\pmb{x}$ and outputting $(a_1,\dots,a_k)$.

Given that $T$ is bijective and linear, $T(\text{span}(\mathcal{L})) = \mathbb{R}^k$ and $T(\mathcal{L})= \mathbb{Z}^k$, we have that $\text{span}(\mathcal{L}) / \mathcal{L} \cong \mathbb{R}^k / \mathbb{Z}^k$.

Also, we have $\mathcal{L}(m\pmb{b}_1,\dots,m\pmb{b}_k) = m\mathcal{L}(\pmb{b}_1,\dots,\pmb{b}_k) = m\mathcal{L}$, and hence $(m\pmb{b}_1,\dots,m\pmb{b}_k)$ is a basis for $m\mathcal{L}$.

By definition, we have $\det(m\mathcal{L}) = m^k\det(\mathcal{L})$.

Let $\tau : \mathcal{L}\to \mathbb{Z}^k_m$ denote the map which sends $\pmb{x} = \sum\limits^k_{i = 1}a_i\pmb{b}_i \in \mathcal{L}$ to $(a_1,\dots,a_k) \pmod m$.

Addition under $\tau$ is modulo $m$, so $\forall\pmb{x},\pmb{y}\in\mathcal{L}, \tau(\pmb{x}+\pmb{y}) = \tau(\pmb{x}) +\tau(\pmb{y})$. Thus $\tau$ is a homomorphism from $\mathcal{L}$ to $\mathbb{Z}^k_m$.

$\tau$ is surjective onto $\mathbb{Z}^k_m$ since $\tau(\pmb{B}\lbrace 0,\dots,m-1\rbrace^k) = \mathbb{Z}^k_m$.

Also, $\tau(\pmb{x}) = \pmb{0} \Leftrightarrow a_i \equiv 0 \pmod m\ \forall i$, i.e., $\pmb{x} \in m\mathcal{L}$. Thus $m\mathcal{L} = \ker(\tau)$, and $\mathcal{L}/m\mathcal{L}\cong \mathbb{Z}^k_m$ by the first isomorphism theorem for groups.

Let $\mathcal{L}\subseteq \mathbb{R}^n$ be a $k\ge 1$ dimensional lattice, and $\mathcal{L}’\subseteq \mathcal{L}$ a sublattice. The following holds:

1. $|\mathcal{L}/\mathcal{L}’| < \infty \Leftrightarrow \text{span}(\mathcal{L}) = \text{span}(\mathcal{L}’)$.
2. Assuming $|\mathcal{L}/\mathcal{L}’| < \infty$, then $|\mathcal{L}/\mathcal{L}’| = |\mathcal{L}\cap\mathcal{P}(\pmb{B}’)| = \det(\mathcal{L’}) /\det(\mathcal{L})$, for any basis $\pmb{B}’$ for $\mathcal{L}’$.

Suppose $|\mathcal{L}/\mathcal{L}’| < \infty$, and suppose toward contradiction there exists $\pmb{x} \in \mathcal{L}$ such that $k\pmb{x} \notin \mathcal{L}’$ for every $k \in \mathbb{Z}\backslash\lbrace 0\rbrace$, i.e., $k\pmb{x} \not\equiv \pmb{0} \pmod {\mathcal{L}’}$.

Then the cosets $k\pmb{x} + \mathcal{L}’$ are pairwise distinct, so $|\mathcal{L}/\mathcal{L}’| = \infty$. Contradiction. Thus every $\pmb{x} \in \mathcal{L}$ has a nonzero multiple in $\mathcal{L}’$, hence $\pmb{x} \in \text{span}(\mathcal{L}’)$ and $\text{span}(\mathcal{L}) = \text{span}(\mathcal{L}’)$.

$|\mathcal{L}/\mathcal{L}’| = |\mathcal{L}\cap\mathcal{P}(\pmb{B}’)|$ follows directly from the previous proof.

By previous we have that
\begin{aligned} \det(\mathcal{L}’) &= \text{vol}_k(\mathcal{P}(\pmb{B}’)) = \int_{\text{span}(\pmb{B}’)} 1_{\mathcal{P}(\pmb{B}’)}(\pmb{x})\text{dvol}_k(\pmb{x})\newline &= \int_{\mathcal{P}(\pmb{B})} \sum_{\pmb{y}\in\mathcal{L}} 1_{\mathcal{P}(\pmb{B}’)}(\pmb{y}+\pmb{x})\text{dvol}_k(\pmb{x})\newline &= \int_{\mathcal{P}(\pmb{B})} |\mathcal{P}(\pmb{B}’) \cap (\mathcal{L} + \pmb{x})| \text{dvol}_k(\pmb{x}) \end{aligned}
We let $A = \mathcal{P}(\pmb{B}’)\cap \mathcal{L}$, then we see that $\mathcal{L}’ + A = \mathcal{L}$ and $|A| = |\mathcal{L}/\mathcal{L}’|$.

Then we have $|\mathcal{P}(\pmb{B}’) \cap (\mathcal{L} + \pmb{x})| = |\mathcal{P}(\pmb{B}’) \cap (\mathcal{L}’ + A + \pmb{x})|$. Therefore
\begin{aligned} \det(\mathcal{L}’) &= \int_{\mathcal{P}(\pmb{B})} |\mathcal{P}(\pmb{B}’) \cap (\mathcal{L} + \pmb{x})| \text{dvol}_k(\pmb{x}) = \int_{\mathcal{P}(\pmb{B})} |\mathcal{P}(\pmb{B}’) \cap (\mathcal{L}’ + A + \pmb{x})| \text{dvol}_k(\pmb{x})\newline &= |\mathcal{L}/\mathcal{L}’| \int_{\mathcal{P}(\pmb{B})}\text{dvol}_k(\pmb{x}) = |\mathcal{L}/\mathcal{L}’| \text{vol}_k(\mathcal{P}(\pmb{B})) = |\mathcal{L}/\mathcal{L}’| \det(\mathcal{L}) \end{aligned}
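The index formula $|\mathcal{L}/\mathcal{L}’| = |\mathcal{L}\cap\mathcal{P}(\pmb{B}’)| = \det(\mathcal{L}’)/\det(\mathcal{L})$ is easy to check numerically. A minimal sketch on a hypothetical 2-dimensional example (not from the note): $\mathcal{L} = \mathbb{Z}^2$ and a sublattice with basis columns $(2,0)$ and $(1,3)$, counting integer points in the half-open parallelepiped.

```python
from fractions import Fraction
from itertools import product

# Hypothetical example: L = Z^2 (det 1), sublattice L' with basis columns
# (2,0) and (1,3), so det(L') = 6. The index |L/L'| should equal
# |L ∩ P(B')| and det(L')/det(L).
Bp = [[2, 1], [0, 3]]
det_Lp = Bp[0][0]*Bp[1][1] - Bp[0][1]*Bp[1][0]   # = 6

# Exact inverse of B' via Cramer's rule, to test B'^{-1} x ∈ [0,1)^2
inv = [[Fraction(Bp[1][1], det_Lp), Fraction(-Bp[0][1], det_Lp)],
       [Fraction(-Bp[1][0], det_Lp), Fraction(Bp[0][0], det_Lp)]]

count = 0
for px, py in product(range(-4, 5), repeat=2):   # bounding box covers P(B')
    a = inv[0][0]*px + inv[0][1]*py
    b = inv[1][0]*px + inv[1][1]*py
    if 0 <= a < 1 and 0 <= b < 1:                # point lies in P(B')
        count += 1

print(count, det_Lp)   # both 6: |L ∩ P(B')| = det(L')/det(L)
```

Exact `Fraction` arithmetic avoids floating-point boundary issues at the half-open faces of the parallelepiped.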

# Lattice Geometry

First check previous note on successive minima and $\lambda_i$.

Distance function is defined as $\mu(t,\mathcal{L}) = \min\limits_{x \in \mathcal{L}} \lVert t - x \rVert$.

The covering radius is defined as $\mu(\mathcal{L}) = \max\limits_{t \in \text{span}(\mathcal{L})} \mu(t, \mathcal{L})$.

We have a very rough bound: if $t \in \pmb{x} + \mathcal{P}(\pmb{B})$ for some lattice point $\pmb{x}$, then $\lVert t - \pmb{x} \rVert \le \sum_i \lVert \pmb{b}_i\rVert$; for a basis with $\lVert \pmb{b}_i \rVert \le \lambda_n$ this gives $\mu(\mathcal{L}) \le n \lambda_n$.

Let $\mathcal{L}\subseteq \mathbb{R}^n$ be a $k \ge 1$ dimensional lattice. There exists linearly independent vectors $\pmb{y}_1,\dots,\pmb{y}_k\in\mathcal{L}$ such that $\lVert\pmb{y}_i\rVert = \lambda_i$.

Let $\pmb{b}_1,\dots,\pmb{b}_k$ be a basis of $\mathcal{L}$. Let $R = \max\lVert\pmb{b}_i\rVert$. Trivially, $\dim \text{ span}(R\mathcal{B}^n_2 \cap \mathcal{L}) = \dim(\mathcal{L}) = k$. Thus $\lambda_i \le R$.

Recursively choose $\pmb{y}_1,\dots,\pmb{y}_k\in\mathcal{L} \backslash \lbrace \pmb{0}\rbrace$ by taking $\pmb{y}_i$ to be a shortest vector in $\mathcal{L}\cap R \mathcal{B}^n_2 \backslash V_{i-1}$, where $V_{i} = \text{span}(\pmb{y}_1,\dots,\pmb{y}_{i})$ and $V_0 = \lbrace\pmb{0}\rbrace$. Note that $\mathcal{L}\cap R\mathcal{B}^n_2$ is a finite set, so such $\pmb{y}_1,\dots,\pmb{y}_k$ exist.

By construction, $\dim \text{ span}(\lVert \pmb{y}_i\rVert \mathcal{B}^n_2 \cap \mathcal{L}) \ge \dim(V_i) = i$, thus $\lVert \pmb{y}_i\rVert \ge \lambda_i$.

Take $\pmb{y}\in \mathcal{L}\cap(\lVert \pmb{y}_i\rVert -\epsilon)\mathcal{B}^n_2$ where $\epsilon \in (0, \lVert \pmb{y}_i\rVert\rbrack$. We claim that $\pmb{y}\in V_{i-1}$: otherwise $\pmb{y}$ would contradict the minimality of $\pmb{y}_i$, since $\lVert \pmb{y}\rVert \le \lVert \pmb{y}_i \rVert - \epsilon < \lVert \pmb{y}_i\rVert$.

Thus $\dim \text{ span}((\lVert \pmb{y}_i\rVert - \epsilon) \mathcal{B}^n_2 \cap \mathcal{L}) \le \dim(V_{i-1}) = i-1$.

Thus we have $\dim \text{ span}(\lVert \pmb{y}_i\rVert \mathcal{B}^n_2 \cap \mathcal{L}) = i$ exactly, and $\lVert \pmb{y}_i\rVert = \lambda_i$.

By the previous lemma, for a full rank lattice $\mathcal{L}\subseteq \mathbb{R}^n$ we have $\mu(\mathcal{L}) \le \sum\limits^n_{i=1}\dfrac{1}{2}\lambda_i$.

Equivalently, $\forall \pmb{x} \in \mathbb{R}^n,\exists \pmb{y} \in \mathcal{L}, \lVert \pmb{x} - \pmb{y}\rVert \le \sum\limits^n_{i=1}\dfrac{1}{2}\lambda_i$. Write $\pmb{x} = \sum\limits^n_{i=1}a_i\pmb{y}_i$ in terms of vectors $\pmb{y}_i$ achieving the successive minima, and take $\pmb{y} = \sum\limits^n_{i=1}\lfloor a_i \rceil \pmb{y}_i$. Noticing that
$$\lVert \pmb{x} - \pmb{y}\rVert = \lVert \sum^n_{i=1} (a_i - \lfloor a_i \rceil)\pmb{y}_i \rVert \le \sum^n_{i=1} \lVert (a_i - \lfloor a_i \rceil)\pmb{y}_i \rVert \le \sum^n_{i=1}\dfrac{1}{2}\lambda_i$$
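The rounding step above can be sketched in code. A minimal hypothetical example in $\mathbb{Z}^2$, where the $\pmb{y}_i$ can be taken to be the standard unit vectors and $\lambda_1 = \lambda_2 = 1$ (in general one would round the coefficients with respect to the $\pmb{y}_i$ basis):

```python
import math

# y = sum(round(a_i) * y_i); with y_i = e_i this is coordinate-wise rounding.
def round_off(t):
    return [round(c) for c in t]

t = [0.4, -1.3]             # arbitrary target in span(L) = R^2
y = round_off(t)            # nearest Z^2 point by coefficient rounding
dist = math.dist(t, y)
bound = 0.5 * (1 + 1)       # (1/2)(lambda_1 + lambda_2) = 1 for Z^2
print(y, dist <= bound)     # [0, -1] True
```

Each rounded coefficient moves by at most $\frac{1}{2}$, which is exactly the $\frac{1}{2}\lambda_i$ term in the bound.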

## Blichfeldt’s Theorem

Let $\mathcal{L}\subseteq \mathbb{R}^n$ be a full dimensional lattice. Then for any measurable set $A \subseteq \mathbb{R}^n$ such that $\text{vol}_n(A) > \det(\mathcal{L})$, there exists $\pmb{w}\ne\pmb{z}\in A$ such that $\pmb{w} - \pmb{z} \in \mathcal{L}$.

By previous we let $\pmb{B}$ be the basis of $\mathcal{L}$ and we have
$$\text{vol}_n(A) = \int_{\mathbb{R}^n}1_A(\pmb{x})\text{d}\pmb{x} = \int_{\mathcal{P}(\pmb{B})} | (\mathcal{L}+\pmb{x})\cap A | \text{d}\pmb{x}$$
Assume $\forall \pmb{x} \in \mathcal{P}(\pmb{B}), |(\mathcal{L} +\pmb{x}) \cap A| \le 1$; then $\text{vol}_n(A) \le \text{vol}_n(\mathcal{P}(\pmb{B})) = \det(\mathcal{L})$. Contradiction.

## Minkowski’s First and Second Theorem

Let $K\subseteq \mathbb{R}^n$ be a non-empty convex set. Then $\forall s,t\ge 0, sK+tK = (s+t)K$. Furthermore, if $K$ is symmetric, then $\forall s,t \in \mathbb{R}, sK +tK = (|s|+|t|)K$.

For any $\pmb{x} \in K$, $(s+t)\pmb{x} = s\pmb{x} + t\pmb{x} \in sK + tK$. Thus $(s+t)K \subseteq sK+tK$.

Let $\pmb{x},\pmb{y}\in K$, then $s\pmb{x} + t\pmb{y} \in sK+tK$. By convex set, we have $\dfrac{s}{s+t}\pmb{x} + \dfrac{t}{s+t}\pmb{y}\in K$. Then $(s+t)(\dfrac{s}{s+t}\pmb{x} + \dfrac{t}{s+t}\pmb{y})\in (s+t)K$. Thus $sK + tK \subseteq (s+t)K$.

The symmetric case follows from $\forall s, sK = |s|K$.

Let $\mathcal{L} \subseteq \mathbb{R}^n$ be a full dimensional lattice. Let $K \subseteq \mathbb{R}^n$ be a symmetric convex set with $\text{vol}_n(K) > 2^n\det(\mathcal{L})$. Then $K$ contains a non-zero lattice vector.

$\det(2\mathcal{L}) = 2^n\det(\mathcal{L})$, so $\text{vol}_n(K) > \det(2\mathcal{L})$. By Blichfeldt’s Theorem, there exist $\pmb{w}\ne\pmb{z}\in K$ such that $\pmb{w}-\pmb{z} \in 2\mathcal{L}$.

Since $\pmb{w}-\pmb{z} \in 2\mathcal{L}\backslash \lbrace \pmb{0}\rbrace$, we let $\pmb{y} = \dfrac{1}{2}(\pmb{w}-\pmb{z}) \in \mathcal{L} \backslash \lbrace \pmb{0}\rbrace$. Since $K$ is symmetric, $-\pmb{z} \in K$; since $K$ is convex, $\pmb{y} = \dfrac{1}{2}\pmb{w} + \dfrac{1}{2}(-\pmb{z}) \in K$.

Then $\pmb{y} \in K \cap \mathcal{L} \backslash \lbrace \pmb{0}\rbrace$, so $K$ contains a non-zero lattice vector.

For any full rank lattice $\mathcal{L}$ of rank $n$, we have
$$\lambda_1 \le 2\left(\dfrac{\det(\mathcal{L})}{\text{vol}_n(\mathcal{B}^n_2)}\right)^{\frac{1}{n}} \le \sqrt{n}\det(\mathcal{L})^{\frac{1}{n}}$$

Let $d= 2\left(\dfrac{\det(\mathcal{L})}{\text{vol}_n(\mathcal{B}^n_2)}\right)^{\frac{1}{n}}$, then we have $\forall \epsilon > 0, \text{vol}_n(d(1+\epsilon)\mathcal{B}^n_2) = d^n (1+\epsilon)^n\text{vol}_n(\mathcal{B}^n_2) = (1+\epsilon)^n2^n\det(\mathcal{L}) > 2^n\det(\mathcal{L})$.

Then $d(1+\epsilon)\mathcal{B}^n_2$ follows previous theorem that $\exists \pmb{x} \in d(1+\epsilon)\mathcal{B}^n_2 \cap \mathcal{L} \backslash \lbrace \pmb{0}\rbrace$. Such $\pmb{x} \in \mathcal{L}\backslash \lbrace \pmb{0}\rbrace$ must have $\lVert \pmb{x}\rVert \ge \lambda_1$.

Since this holds for every $\epsilon > 0$, we get $\lambda_1 \le d(1+\epsilon)$ for all $\epsilon > 0$, and hence $\lambda_1 \le d$.

Also, by $\lbrack -\dfrac{1}{\sqrt{n}}, \dfrac{1}{\sqrt{n}}\rbrack^n \subseteq \mathcal{B}^n_2$ we have $\text{vol}_n(\lbrack -\dfrac{1}{\sqrt{n}}, \dfrac{1}{\sqrt{n}}\rbrack^n) \leq \text{vol}_n(\mathcal{B}^n_2)$. Thus
$$d = 2\left(\dfrac{\det(\mathcal{L})}{\text{vol}_n(\mathcal{B}^n_2)}\right)^{\frac{1}{n}} \le 2 \left(\dfrac{\det(\mathcal{L})}{\text{vol}_n(\lbrack -\dfrac{1}{\sqrt{n}}, \dfrac{1}{\sqrt{n}}\rbrack^n)}\right)^{\frac{1}{n}} = 2 \left(\dfrac{\det(\mathcal{L})}{2^n n^{-\frac{n}{2}}}\right)^{\frac{1}{n}} = \sqrt{n}\det(\mathcal{L})^{\frac{1}{n}}$$
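Minkowski’s bound $\lambda_1 \le \sqrt{n}\det(\mathcal{L})^{1/n}$ can be checked numerically. A brute-force sketch on a small hypothetical 2-dimensional integer lattice (enumerating small coefficient vectors suffices to find $\lambda_1$ here):

```python
import math
from itertools import product

# Hypothetical lattice with basis columns (3,1) and (1,2): det(L) = 5, n = 2.
B = [[3, 1], [1, 2]]
det_L = abs(B[0][0]*B[1][1] - B[0][1]*B[1][0])   # = 5

# lambda_1 by enumerating coefficient vectors (a, b) in a small box
lam1 = min(math.hypot(B[0][0]*a + B[0][1]*b, B[1][0]*a + B[1][1]*b)
           for a, b in product(range(-5, 6), repeat=2) if (a, b) != (0, 0))

bound = math.sqrt(2) * det_L ** (1 / 2)          # sqrt(n) * det(L)^(1/n)
print(lam1, lam1 <= bound)                        # lambda_1 = sqrt(5) <= sqrt(10)
```

Here $\lambda_1 = \sqrt{5}$ (achieved by the column $(1,2)$) against the bound $\sqrt{10}$.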

For any full rank lattice $\mathcal{L}$ of rank $n$, we have
$$\left(\prod^n_{i=1}\lambda_i\right)^{\frac{1}{n}} \le 2\left(\dfrac{\det(\mathcal{L})}{\text{vol}_n(\mathcal{B}^n_2)}\right)^{\frac{1}{n}} \le \sqrt{n}\det(\mathcal{L})^{\frac{1}{n}}$$

Let $\pmb{x}_1,\dots,\pmb{x}_n\in\mathcal{L}$ be independent vectors achieving the successive minima $\lambda_1,\dots,\lambda_n$.

Let $\widetilde{\pmb{x}_1},\dots,\widetilde{\pmb{x}_n}$ be the Gram-Schmidt orthogonalization.

Consider the open ellipsoid defined as follows
$$E = \lbrace \pmb{y} \in \mathbb{R}^n : \sum^n_{i=1}\left( \dfrac{\langle \pmb{y},\widetilde{\pmb{x}_i} \rangle}{\lVert \widetilde{\pmb{x}_i} \rVert \cdot \lambda_i} \right)^2 < 1 \rbrace$$
Let $Q = (\dfrac{\widetilde{\pmb{x}_1}}{\lVert \widetilde{\pmb{x}_1} \rVert}, \ldots, \dfrac{\widetilde{\pmb{x}_n}}{\lVert \widetilde{\pmb{x}_n} \rVert})^\top\in\mathbb{R}^{n\times n}$ with rows of normalized Gram-Schmidt vectors of $\pmb{x}_1,\dots,\pmb{x}_n$.

Let $D = (\dfrac{1}{\lambda_1}\pmb{e}_1,\ldots,\dfrac{1}{\lambda_n}\pmb{e}_n)\in\mathbb{R}^{n\times n}$ be the diagonal matrix with diagonal $\dfrac{1}{\lambda_i}$.

Thus we have
\begin{aligned} E &= \lbrace \pmb{x}\in\mathbb{R}^n : \lVert D Q \pmb{x} \rVert^2 < 1\rbrace\newline &= (DQ)^{-1} \lbrace \pmb{x} \in \mathbb{R}^n : \lVert \pmb{x} \rVert^2 < 1\rbrace \newline &= Q^\top (\lambda_1 \pmb{e}_1,\dots,\lambda_n \pmb{e}_n) \lbrace \pmb{x} \in \mathcal{B}^n_2\rbrace \end{aligned}
The volume of $E$ must follow
$$\text{vol}_n(E) = |\det(Q^\top (\lambda_1\pmb{e}_1,\dots,\lambda_n \pmb{e}_n))| \text{vol}_n(\mathcal{B}^n_2) = (\prod^n_{i=1}\lambda_i)\text{vol}_n(\mathcal{B}^n_2)$$
We want to show that $E$ does not contain any non-zero lattice vector.

Take any $\pmb{y} \in \mathcal{L}\backslash\lbrace\pmb{0}\rbrace$ and let $1 \le k \le n$ be the largest index such that $\lVert \pmb{y}\rVert \ge \lambda_k$. Then $\pmb{y} \in \text{span}(\pmb{x}_1,\ldots,\pmb{x}_k) = \text{span}(\widetilde{\pmb{x}_1},\ldots,\widetilde{\pmb{x}_k})$: otherwise $\pmb{x}_1,\dots,\pmb{x}_k,\pmb{y}$ would be $k+1$ independent lattice vectors of norm at most $\lVert\pmb{y}\rVert$, giving $\lambda_{k+1} \le \lVert\pmb{y}\rVert$ and contradicting the maximality of $k$.

Then we notice that
$$\sum^n_{i=1}\left( \dfrac{\langle \pmb{y},\widetilde{\pmb{x}_i} \rangle}{\lVert \widetilde{\pmb{x}_i} \rVert \cdot \lambda_i} \right)^2 = \sum^k_{i=1}\left( \dfrac{\langle \pmb{y},\widetilde{\pmb{x}_i} \rangle}{\lVert \widetilde{\pmb{x}_i} \rVert \cdot \lambda_i} \right)^2 \ge \dfrac{1}{\lambda_k^2}\sum^k_{i=1}\left( \dfrac{\langle \pmb{y},\widetilde{\pmb{x}_i} \rangle}{\lVert \widetilde{\pmb{x}_i} \rVert} \right)^2 = \dfrac{1}{\lambda_k^2} \lVert \pmb{y} \rVert^2 \ge 1$$
Then no such $\pmb{y}$ is in $E$. By the contrapositive of the previous theorem, $\text{vol}_n(E) \le 2^n\det(\mathcal{L})$.

Also $\text{vol}_n(E) = (\prod\limits^n_{i=1}\lambda_i)\text{vol}_n(\mathcal{B}^n_2) \le 2^n \det(\mathcal{L})$. Thus $\prod\limits^n_{i=1}\lambda_i \le 2^n \dfrac{\det(\mathcal{L})}{\text{vol}_n(\mathcal{B}^n_2)}$.

> All info comes from this [note](http://www.sti.uniurb.it/events/fosad11/slides/MICCIANCIO.pdf) and this [course](https://homepages.cwi.nl/~dadush/teaching/lattices-2018).
>
> This note will be mainly focusing on lattice parallelepiped and Minkowski’s Theorem.
Cryptographic Lattice Geometry Note 0 https://nomadtype.ninja/2020/07/20/lattice-geometry-0/ 2020-07-20T22:19:52.000Z 2020-10-12T18:47:55.709Z

All info comes from this note and this course.

This note will be mainly focusing on lattice definitions.

# Lattice Definition

The simplest example of lattice is $\mathbb{Z}^n = \lbrace (x_1,\dots,x_n): x_i \in \mathbb{Z} \rbrace$.

Other lattices are obtained by applying a linear transformation $\pmb{B}: \pmb{x} = (x_1,\dots,x_n) \mapsto \pmb{Bx} = \sum\limits_{i =1}^n x_i \cdot \pmb{b}_i$.

A lattice is the set of all integer linear combinations of linearly independent basis vectors $\pmb{B} = \lbrace \pmb{b}_1,\dots,\pmb{b}_n \rbrace \subset \mathbb{R}^n$: $\mathcal{L} = \sum\limits^n_{i = 1} \pmb{b}_i \cdot \mathbb{Z} = \lbrace \pmb{Bx}: \pmb{x} \in \mathbb{Z}^n\rbrace$.
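The definition is easy to make concrete: enumerate a patch of $\mathcal{L}(\pmb{B}) = \lbrace \pmb{Bx}: \pmb{x} \in \mathbb{Z}^n\rbrace$ for a small hypothetical 2-dimensional basis.

```python
from itertools import product

def lattice_points(B, r):
    """All Bx with integer coefficient vectors x in [-r, r]^2."""
    pts = set()
    for a, b in product(range(-r, r + 1), repeat=2):
        pts.add((B[0][0]*a + B[0][1]*b, B[1][0]*a + B[1][1]*b))
    return pts

B = [[2, 0], [1, 1]]       # columns b1 = (2,1), b2 = (0,1) -- hypothetical basis
pts = lattice_points(B, 2)
print((0, 0) in pts, (2, 1) in pts, (1, 0) in pts)   # True True False
```

$(1,0)$ is not in this lattice because every point has an even first coordinate: the integer combinations are $a(2,1)+b(0,1) = (2a, a+b)$.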

The same lattice has many bases $\mathcal{L} = \sum\limits^n_{i = 1} c_i \cdot \mathbb{Z}$.

A formal definition: a lattice is a discrete additive subgroup of $\mathbb{R}^n$.

Given a linear subspace $\pmb{W} \subset \mathbb{R}^n$, let $\pmb{W}^{\bot} = \lbrace \pmb{x} \in \mathbb{R}^n : \forall \pmb{y} \in \pmb{W}, \langle \pmb{x}, \pmb{y} \rangle = 0\rbrace$. Define $\pi_{\pmb{W}}: \mathbb{R}^n \to \pmb{W}$ to be the orthogonal projection into $\pmb{W}$.

## Dual Lattice

We can also define a lattice via a set of modular equations. Given any matrix $\pmb{A} \in \mathbb{R}^{m\times n}$, we examine
$$\Lambda^{\bot}(\pmb{A}) = \lbrace \pmb{x} \in \text{rowspan}(\pmb{A}): \pmb{Ax\equiv 0}\pmod1 \rbrace$$

The condition $\pmb{Ax\equiv 0}\pmod 1$ is in fact equivalent to $\pmb{Ax} \in \mathbb{Z}^m$.

The condition $\pmb{x} \in \text{rowspan}(\pmb{A})$ is imposed to disallow non-zero vectors in the kernel of $\pmb{A}$. Otherwise the set would contain an entire line through the origin, and hence not be discrete.

$\text{rowspan}(\pmb{A})$ is the linear subspace spanned by the rows of $\pmb{A}$. Noticing that the orthogonal complement of the kernel equals the row space, since
$$\begin{pmatrix} \pmb{a_1} \newline \pmb{a_2} \newline \dots \newline \pmb{a_n} \end{pmatrix} \pmb{x} = \begin{pmatrix} \langle \pmb{a_1}^\top, \pmb{x} \rangle \newline \langle \pmb{a_2}^\top, \pmb{x} \rangle \newline \dots \newline \langle \pmb{a_n}^\top, \pmb{x} \rangle \end{pmatrix} = \pmb{0}$$
means $\pmb{x}$ is orthogonal to every row vector $\pmb{a}_i$.

Thus restricting to elements of $\text{rowspan}(\pmb{A})$ avoids this problem.

The most important instantiation of the above is isolating a sublattice of $\mathbb{Z}^n$ via a parity check matrix.

Let $\pmb{C} \in \mathbb{Z}_p^{m\times n}$ and examine $\Lambda_p^\bot(\pmb{C}) = \lbrace \pmb{x} \in \mathbb{Z}^n: \pmb{Cx\equiv 0}\pmod p \rbrace$.

A parity check matrix lattice can be expressed in a dual lattice form. In particular, if each element in $\pmb{C}$ is integer $\lbrace 0,\dots,p-1\rbrace$, one can verify that
$$\Lambda_p^\bot(\pmb{C}) = \Lambda^\bot\begin{pmatrix}\pmb{C}/p\newline \text{I}_n \end{pmatrix}$$

The $\text{I}_n$ block at the bottom ensures that each vector $\pmb{x}$ in the latter dual lattice has all integer entries.
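A membership test for the parity-check lattice $\Lambda_p^\bot(\pmb{C}) = \lbrace \pmb{x} \in \mathbb{Z}^n: \pmb{Cx\equiv 0}\pmod p \rbrace$ is a one-liner; here is a sketch with a small hypothetical check matrix over $\mathbb{Z}_5$.

```python
def in_parity_lattice(C, x, p):
    """True iff Cx ≡ 0 (mod p) for integer vector x."""
    return all(sum(ci * xi for ci, xi in zip(row, x)) % p == 0 for row in C)

C = [[1, 2, 3]]      # one parity check mod 5 (hypothetical example)
p = 5
print(in_parity_lattice(C, [0, 1, 1], p),   # 2 + 3 = 5 ≡ 0 (mod 5) -> True
      in_parity_lattice(C, [1, 1, 1], p))   # 1 + 2 + 3 = 6 ≡ 1 (mod 5) -> False
```

The lattice contains $p\mathbb{Z}^n$ as a sublattice, since scaling any integer vector by $p$ makes every check vanish modulo $p$.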

## Minimum Distance and Successive Minima

Minimum distance $\lambda_1 = \min\limits_{x,y \in \mathcal{L},x \ne y} \lVert x-y \rVert = \min\limits_{x\in \mathcal{L},x \ne 0} \lVert x\rVert$.

Successive minima $i \in \lbrack n\rbrack$: $\lambda_i = \min \lbrace r : \dim \text{ span}(\mathcal{B}(\boldsymbol{0}, r) \cap \mathcal{L}) \ge i \rbrace$.

$\mathcal{B}(\boldsymbol{0}, r)$ is the set of points with distance at most $r$ to $\boldsymbol{0}$. Thus $\mathcal{B}(\boldsymbol{0}, r) \cap \mathcal{L}$ is the set of lattice points within distance $r$ of $\boldsymbol{0}$.

$\text{span}(\pmb{A})$ is the smallest linear subspace containing $\pmb{A} \subset \mathbb{R}^n$; here $\text{span}(\mathcal{B}(\boldsymbol{0}, r) \cap \mathcal{L})$ is a subspace of dimension $k \le n$.

Thus $\lambda_i$ means the least distance where there are $i$ linearly independent lattice vectors.

For $\mathbb{Z}^n$, $\lambda_i = 1$. Always have $\lambda_1 \le \lambda_2 \le \dots\le \lambda_n$.

Let $\pmb{B} \in \mathbb{R}^{k \times n},k\ge 1$ be a non-singular matrix. Then $\lambda_1 \ge \sigma_\min(\pmb{B}) > 0$, where $\sigma_\min(\pmb{B})$ is the smallest singular value of $\pmb{B}$.

A non-singular matrix means the kernel space of matrix has only zero vector. Since unit sphere in $\mathbb{R}^n$ is compact and $\lVert \pmb{Bx} \rVert$ is continuous, $\sigma_\min(\pmb{B})> 0$ is achievable.

Also let $\pmb{x} \in \mathcal{L}(\pmb{B})$ be a non-zero vector, we express $\pmb{x = Bz}$ where $\pmb{z} \in \mathbb{Z}^n \backslash \lbrace \pmb{0}\rbrace$. By $\lVert \pmb{z}\rVert \ge 1$,
$$\lVert x \rVert = \lVert\pmb{Bz}\rVert \ge \lVert z \rVert \sigma_\min(\pmb{B}) \ge \sigma_\min(\pmb{B})$$

Let $\pmb{A} \in \mathbb{R}^{m \times n}$ with rows $\pmb{a_1},\dots,\pmb{a_m} \in \mathbb{R}^n$ such that $\Lambda^\bot(\pmb{A})$ is non-trivial. We have $\lambda_1(\Lambda^\bot(\pmb{A})) \ge \min \dfrac{1}{\lVert \pmb{a_i}\rVert} > 0$.

Let $\pmb{x} \in \Lambda^\bot(\pmb{A})$ be a non-zero vector. Since $\pmb{x} \in \text{rowspan}(\pmb{A})$, we have $\pmb{Ax} \ne \pmb{0}$; as $\pmb{Ax} \in \mathbb{Z}^m$, some entry is a non-zero integer, so $\exists j \in \lbrack m \rbrack, |\langle \pmb{x, a_j}\rangle | \ge 1$.

Thus $1 \le |\langle \pmb{x, a_j}\rangle| \le \lVert \pmb{x}\rVert \Vert \pmb{a_j}\rVert \Rightarrow \lVert \pmb{x}\rVert \ge \dfrac{1}{\lVert \pmb{a_j}\rVert} \ge \min\limits_{j \in \lbrack m\rbrack} \dfrac{1}{\lVert \pmb{a}_j\rVert}$.

## Shortest Non-Zero Vector

Let $\mathcal{L}$ be a non-trivial additive subgroup of $\mathbb{R}^n$. The following are equivalent

1. $\mathcal{L}$ is a lattice.

2. $\lambda_1 > 0$

3. $|\mathcal{L} \cap \mathcal{S}| < \infty$ for any bounded set $S \subseteq \mathbb{R}^n$

4. $\mathcal{L}$ contains a shortest non-zero vector.

$1 \Rightarrow 2$. $\mathcal{L}$ is a discrete additive subgroup of $\mathbb{R}^n$, so $\lbrace \pmb{0}\rbrace$ is open in $\mathcal{L}$: there exists $r > 0$ such that $r \mathcal{B}^n_2 \cap \mathcal{L} = \lbrace \pmb{0}\rbrace$, where $\mathcal{B}^n_2$ is the unit ball of $\mathbb{R}^n$.

Since $\mathcal{L}$ contains a non-zero vector by the non-triviality assumption, $\lambda_1 \ge r > 0$.

$2 \Rightarrow 3$. Let $\lambda_1 > 0, A = \mathcal{L} \cap r\mathcal{B}^n_2$. Let $\pmb{x,y} \in A, \pmb{x} \ne \pmb{y}$ and noticing that $\lVert \pmb{x} - \pmb{y}\rVert \ge \lambda_1$. Thus $(\pmb{x} + \dfrac{\lambda_1}{2}\mathcal{B}^n_2) \cap (\pmb{y} + \dfrac{\lambda_1}{2}\mathcal{B}^n_2) = \varnothing$ ($\pmb{x,y}$ with open balls of radius $\dfrac{\lambda_1}{2}$ must be interior disjoint)

If $|\mathcal{L} \cap \mathcal{S}| = \infty$, then each $\pmb{x} + \dfrac{\lambda_1}{2}\mathcal{B}^n_2 \subseteq \mathcal{S} + \dfrac{\lambda_1}{2}\mathcal{B}^n_2$, so by disjointness $\text{vol}_n(\mathcal{S} + \dfrac{\lambda_1}{2}\mathcal{B}^n_2) \ge \sum\limits_{\pmb{x} \in \mathcal{L}\cap\mathcal{S}}\text{vol}_n(\dfrac{\lambda_1}{2}\mathcal{B}^n_2) = \infty$. But $\mathcal{S} + \dfrac{\lambda_1}{2}\mathcal{B}^n_2$ is bounded and hence has finite volume. Contradiction.

$3 \Rightarrow 4$. Since $\mathcal{L}$ is non-trivial, and we set $\pmb{y} \in \mathcal{L}\backslash\lbrace\pmb{0}\rbrace, r = \lVert \pmb{y}\rVert, A = (\mathcal{L} \cap r \mathcal{B}^n_2) \backslash \lbrace \pmb{0}\rbrace$. Obviously $\pmb{y} \in A$.

Since $r\mathcal{B}^n_2$ is bounded, $|A| < \infty$. We pick $\pmb{y}’ \in A$ with smallest $l_2$-norm and it is the shortest non-zero vector in $\mathcal{L}$.

$4 \Rightarrow 1$. By assumption there exists a shortest non-zero vector in $\mathcal{L}$ with length $\lambda_1$. To show $\mathcal{L}$ is discrete, we just need to prove that all the sets $\lbrace \pmb{x}\rbrace$ are open where $\pmb{x} \in \mathcal{L}$.

Take the open ball of radius $\lambda_1$ around $\pmb{x}$. It suffices to show that this ball intersects $\mathcal{L}$ only in $\pmb{x}$. If not, there exists $\pmb{y} \in \mathcal{L}, \pmb{y} \ne \pmb{x}$ in the ball, so $\pmb{y}-\pmb{x} \in \mathcal{L}\backslash\lbrace\pmb{0}\rbrace$ with $\lVert \pmb{y}-\pmb{x}\rVert < \lambda_1$. Contradiction.

## Primitive Lattice and Lattice Basis

A vector $\pmb{y} \in \mathcal{L}$ is called primitive if, for $t \in \mathbb{R}$, $t \pmb{y} \in \mathcal{L}$ if and only if $t \in \mathbb{Z}$.

Let $\mathcal{L} \subset \mathbb{R}^n$ be a lattice. A set of linearly independent vectors $\pmb{y}_1,\dots,\pmb{y}_k \in \mathcal{L}$ is primitive with respect to $\mathcal{L}$ if $\mathcal{L}(\pmb{y}_1,\dots,\pmb{y}_k) = \mathcal{L} \cap \text{span}(\pmb{y}_1,\dots,\pmb{y}_k)$.

### Lemma 8

Let $\mathcal{L} \subset \mathbb{R}^n$ be a lattice. Let $\pmb{b}_1,\dots,\pmb{b}_k\in \mathcal{L}$ and $W = \text{span}(\pmb{b}_1,\dots,\pmb{b}_k)^\bot$. Then $\pi_W(\mathcal{L})$ is a lattice.

By the shortest non-zero vector equivalence above, it suffices to prove that $|\mathcal{S} \cap \pi_W(\mathcal{L}) | < \infty$ for every bounded $\mathcal{S} \subseteq \mathbb{R}^n$; this shows $\pi_W(\mathcal{L})$ is a lattice.

We can construct an injective map $\tau: \pi_W(\mathcal{L}) \to \mathcal{L}$ satisfying $\lVert \tau(\pmb{x}) - \pmb{x} \rVert \le \sum\limits^k_{i = 1} \dfrac{1}{2} \lVert \pmb{b}_i \rVert = R$. Given such $\tau$ mapping, noticing that if $\pmb{x} \in \pi_W(\mathcal{L}) \cap \mathcal{S}$ then $\tau(\pmb{x}) \in (\mathcal{S} + R\mathcal{B}^n_2) \cap \mathcal{L}$.

By injectivity of $\tau$ and discreteness of $\mathcal{L}$ we have
$$| \mathcal{S} \cap \pi_W(\mathcal{L}) | \le | (\mathcal{S} + R \mathcal{B}^n_2)\cap \tau(\pi_W(\mathcal{L})) | \le | (\mathcal{S} + R \mathcal{B}^n_2)\cap \mathcal{L} | < \infty$$
To construct such a $\tau$, for each $\pmb{x} \in \pi_W(\mathcal{L})$ fix a preimage $\widehat{\pmb{x}} \in \mathcal{L}$ with $\pi_W(\widehat{\pmb{x}}) = \pmb{x}$, and write $\widehat{\pmb{x}} = \pmb{x} + \sum\limits^k_{i = 1} a_{\pmb{x}, i}\pmb{b}_i$.

Define $\tau(\pmb{x}) = \pmb{x} + \sum\limits^k_{i=1} (a_{\pmb{x}, i} - \lfloor a_{\pmb{x}, i} \rceil) \pmb{b}_i$, then we have

• $\tau(\pmb{x}) = \widehat{\pmb{x}} - \sum\limits^k_{i=1}\lfloor a_{\pmb{x}, i}\rceil \pmb{b}_i \in \mathcal{L}$.
• Injectivity of $\tau$ follows from $\pi_W \circ \tau \equiv 1: \pi_W(\mathcal{L}) \to \pi_W(\mathcal{L})$.
• The distance property also follows from previous $\tau$ definition.

### Lemma 9

Let $\mathcal{L} \subset \mathbb{R}^n$ be a $k$-dimensional lattice. Assume that $\pmb{b}_1,\dots,\pmb{b}_i \in \mathcal{L}$ is primitive with respect to $\mathcal{L}$ and $\widetilde{\pmb{b}_{i+1}},\dots,\widetilde{\pmb{b}_k} \in \pi_W(\mathcal{L})$ is a basis of $\pi_W(\mathcal{L})$ where $W = \text{span}(\pmb{b}_1,\dots,\pmb{b}_i)^\bot$.

Then for any choice of $\pmb{b}_{i+1},\dots,\pmb{b}_k \in \mathcal{L}$ where $\pi_W(\pmb{b_j}) = \widetilde{\pmb{b}_j}$, the vectors $\pmb{b}_1,\dots,\pmb{b}_k$ form a basis of $\mathcal{L}$.

Denote $\pmb{x}\in\mathcal{L}$, we want to prove $\pmb{x} = \sum\limits^k_{i=1} z_{\pmb{x},i}\pmb{b}_i$ with $z_{\pmb{x}, i} \in \mathbb{Z}$.

We write $\pi_W(\pmb{x}) = \sum\limits_{j = i + 1}^k z_j \widetilde{\pmb{b}_j}$ with $z_j \in \mathbb{Z}$. Now we have
$$\pi_W(\pmb{x} - \sum^k_{j = i+1} z_j \pmb{b}_j) = \pi_W(\pmb{x}) - \sum^{k}_{j = i+1}z_j \widetilde{\pmb{b}_j} = \pmb{0}$$
By $\pmb{x} - \sum\limits^{k}_{j = i+1}z_j \pmb{b}_j\ \bot\ \text{span}(\pmb{b}_1,\dots,\pmb{b}_i)^\bot$, we have $\pmb{x} - \sum\limits^{k}_{j = i+1}z_j \pmb{b}_j \in \text{span}(\pmb{b}_1,\dots,\pmb{b}_i) \cap \mathcal{L}$.

Since $\pmb{b}_1,\dots,\pmb{b}_i$ are primitive with respect to $\mathcal{L}$, we write $\pmb{x} - \sum\limits^{k}_{j = i+1}z_j \pmb{b}_j = \sum\limits_{j = 1}^i z_j \pmb{b}_j$.

Thus $\pmb{x} = \sum\limits^{k}_{j = 1} z_j \pmb{b}_j$, and we prove that $\mathcal{L} = \mathcal{L}(\pmb{b}_1,\dots,\pmb{b}_k)$.

### Theorem 7

Let $\mathcal{L} \subset \mathbb{R}^n$ be a $k \ge 1$ dimensional lattice. $\mathcal{L}$ admits a basis of lattice vectors.

Given $\pmb{b}_1,\dots,\pmb{b}_i \in \mathcal{L}$ primitive with respect to $\mathcal{L}$, there exists $\pmb{b}_{i+1},\dots,\pmb{b}_k\in\mathcal{L}$ such that the extension $\pmb{b}_1,\dots,\pmb{b}_k$ is a basis of $\mathcal{L}$.

Trivially, we have $\mathcal{L}_1 = \mathcal{L}(\pmb{b}_1)$.

If $k \ge 2$, we let $W = \text{span}(\pmb{b}_1)^\bot$ and $\pi_W = \pi_{\text{span}(\pmb{b}_1)^\bot}$. By Lemma 8 we have $\mathcal{L}_2 = \pi_W(\mathcal{L})$ being a lattice.

Then $\mathcal{L}_2$ has dimension $k - 1$ and by induction hypothesis $\mathcal{L}_2$ admits basis $\widetilde{\pmb{b}_2},\dots,\widetilde{\pmb{b}_k}$. By construction we may choose $\pmb{b}_2,\dots,\pmb{b}_{k} \in \mathcal{L}$ such that $\pi_{\text{span}(\pmb{b}_1)^\bot}(\pmb{b}_j) = \widetilde{\pmb{b}_j}, \forall j \in \lbrack 2, k\rbrack$.

By Lemma 9, we have $\pmb{b}_1,\dots,\pmb{b}_k$ being the basis of $\mathcal{L}$.

The same argument extends: setting $W = \text{span}(\pmb{b}_1,\dots,\pmb{b}_i)^\bot$ and applying Lemma 8 and Lemma 9 shows that any set of primitive vectors $\pmb{b}_1,\dots,\pmb{b}_i$ can be extended to a basis $\pmb{b}_1,\dots,\pmb{b}_k$ of $\mathcal{L}$.

## Basis = Dual in Representation

If $\mathcal{L} = \mathcal{L}(\pmb{B})$ is given in basis representation, $\pmb{B}$ is non-singular, and we want to express the same lattice as $\mathcal{L} = \Lambda^\bot(\pmb{A})$.

Discreteness holds in both representations: $\lambda_1 > 0$ in the basis representation by the lemma in the lower bound part, and $\lambda_1 \ge \min\limits_j \dfrac{1}{\lVert \pmb{a}_j \rVert} > 0$ in the dual representation.

The additive property simply follows from matrix multiplication.

If $\mathcal{L} = \Lambda^\bot(\pmb{A})$ is represented in dual representation, we want to have an equivalent $\mathcal{L} = \mathcal{L}(\pmb{B})$.

A very intuitive starting point: if $\pmb{x} \in \Lambda^\bot(\pmb{A})$ is also to lie in $\mathcal{L}(\pmb{B})$, then $\pmb{x} = \pmb{Bz}$ for some $\pmb{z} \in \mathbb{Z}^n$, and we must have $\pmb{ABz} \equiv 0 \pmod 1$.

In particular, if $\pmb{AB} = I_k$, this holds for every $\pmb{z} \in \mathbb{Z}^n$, so any $\pmb{x}$ in $\mathcal{L}(\pmb{B})$ satisfies the defining condition of $\Lambda^\bot(\pmb{A})$.

For $\pmb{B} = (\pmb{b}_1,\dots,\pmb{b}_k)$, we admit a dual basis $\pmb{B}^\ast = (\pmb{b}^\ast_1,\dots,\pmb{b}^\ast_k)$ satisfying $\langle \pmb{b}_i, \pmb{b}^\ast_j \rangle = 1$ if $i = j$ and 0 otherwise, and $\text{span}(\pmb{B}) = \text{span}(\pmb{B}^\ast)$. Then we claim $\mathcal{L}(\pmb{B}) = \Lambda^\bot(\pmb{B}^{\ast\top})$.

1. $\forall \pmb{x} \in \mathcal{L}(\pmb{B}), \pmb{x} \in \Lambda^\bot(\pmb{B}^{\ast\top})$. Trivially, $\pmb{B}^{\ast\top} \pmb{B} = I_k$. Then $\pmb{B}^{\ast\top} \pmb{x} = \pmb{B}^{\ast\top} \pmb{Bz} = I_k\pmb{z} = \pmb{z} \in \mathbb{Z}^k$.

2. $\forall \pmb{x} \in \Lambda^\bot(\pmb{B}^{\ast\top}), \pmb{x} \in \mathcal{L}(\pmb{B})$. By construction, $\pmb{x} \in \text{rowspan}(\pmb{B}^{\ast\top}) = \text{span}(\pmb{B}) = \text{span}(\pmb{B}^\ast)$, so $\pmb{x}$ cannot be in the kernel of $\pmb{B}^{\ast\top}$.

Let $\pmb{z} = \pmb{B}^{\ast\top}\pmb{x} \in \mathbb{Z}^k$ and $\pmb{x}’ = \pmb{Bz} \in \mathcal{L}(\pmb{B})$; we want $\pmb{x} = \pmb{x}’$. Note that $\pmb{B}^{\ast\top}(\pmb{x} - \pmb{x}’) = \pmb{z} - \pmb{z} = \pmb{0}$, and $\pmb{B}^{\ast\top}\pmb{y} = \pmb{0}$ for $\pmb{y} \in \text{span}(\pmb{B}^\ast)$ only if $\pmb{y} = \pmb{0}$.

Since $\pmb{x},\pmb{x}’ \in \text{span}(\pmb{B}) = \text{span}(\pmb{B}^\ast)$, it follows that $\pmb{x = x}’$.
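The dual-basis relation $\langle \pmb{b}_i, \pmb{b}^\ast_j \rangle = \delta_{ij}$ can be verified concretely. A minimal sketch on a hypothetical full-rank $2\times 2$ basis, where $\pmb{B}^\ast = (\pmb{B}^{-1})^\top$:

```python
from fractions import Fraction

B = [[2, 1], [1, 1]]                        # columns b1 = (2,1), b2 = (1,1)
det = B[0][0]*B[1][1] - B[0][1]*B[1][0]     # = 1, so B is non-singular
Binv = [[Fraction(B[1][1], det), Fraction(-B[0][1], det)],
        [Fraction(-B[1][0], det), Fraction(B[0][0], det)]]
Bstar = [[Binv[j][i] for j in range(2)] for i in range(2)]   # (B^{-1})^T

# <b_i, b*_j>: dot products between columns of B and columns of B*
dots = [[sum(B[k][i] * Bstar[k][j] for k in range(2)) for j in range(2)]
        for i in range(2)]
print([[int(d) for d in row] for row in dots])   # [[1, 0], [0, 1]]
```

The identity matrix of inner products is exactly the statement $\pmb{B}^{\ast\top}\pmb{B} = I_k$ used in the proof.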

## Equivalent Lattice Bases and Unimodular Matrix

A matrix $U \in \mathbb{Z}^{n \times n}$ is unimodular if $\det{U} = \pm 1$. We claim $U \in \mathbb{Z}^{n \times n}$ is unimodular iff $U^{-1} \in \mathbb{Z}^{n \times n}$.

$U \in \mathbb{Z^{n \times n}}$ unimodular $\Rightarrow U^{-1} \in \mathbb{Z}^{n \times n}$. By Cramer’s Rule, the entries of $U^{-1}$ are cofactors of the integer matrix $U$ divided by $\det U = \pm 1$, hence $U^{-1} \in \mathbb{Z}^{n\times n}$.

$U \in \mathbb{Z^{n \times n}}$ unimodular $\Leftarrow U^{-1} \in \mathbb{Z}^{n \times n}$. Since $\det(U)\det(U^{-1}) = 1$ and both determinants are integers, $\det U = \pm 1$.
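The Cramer’s-rule direction can be checked concretely on a hypothetical $2\times 2$ unimodular matrix: the adjugate has integer entries, and dividing by $\det U = \pm 1$ keeps the inverse integer.

```python
U = [[2, 1], [1, 1]]
detU = U[0][0]*U[1][1] - U[0][1]*U[1][0]          # = 1, so U is unimodular
adj = [[U[1][1], -U[0][1]], [-U[1][0], U[0][0]]]  # adjugate (cofactor transpose)
Uinv = [[a // detU for a in row] for row in adj]  # integer inverse (detU = ±1)

prod = [[sum(U[i][k]*Uinv[k][j] for k in range(2)) for j in range(2)]
        for i in range(2)]                        # U * Uinv
print(Uinv, prod)     # [[1, -1], [-1, 2]] [[1, 0], [0, 1]]
```

Integer division by $\pm 1$ is exact, so no rationals are ever needed.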

For non-singular matrices $\pmb{B}_1,\pmb{B}_2 \in \mathbb{R}^{n \times k}, \mathcal{L}(\pmb{B}_1) = \mathcal{L}(\pmb{B}_2)$ if and only if $\pmb{B}_1 = \pmb{B}_2U$ for some unimodular matrix $U \in \mathbb{Z}^{k \times k}$.

Assume that $\mathcal{L}(\pmb{B}_1) = \mathcal{L}(\pmb{B}_2)$. Since every column of $\pmb{B}_1$ lies in $\mathcal{L}(\pmb{B}_2)$ and vice versa, there exist integer matrices $V, K \in \mathbb{Z}^{k \times k}$ with $\pmb{B}_1 = \pmb{B}_2 V$ and $\pmb{B}_2 = \pmb{B}_1 K$.

Then $\pmb{B}_1 = \pmb{B}_1 KV$, and since $\pmb{B}_1$ is non-singular, $KV = I$. Thus $K = V^{-1}$ with both integer, so $V$ and $K$ are unimodular. Conversely, if $\pmb{B}_1 = \pmb{B}_2 U$ with $U$ unimodular, then $\pmb{B}_1\mathbb{Z}^k = \pmb{B}_2 U\mathbb{Z}^k = \pmb{B}_2\mathbb{Z}^k$.

Leftover Hash Lemma and Noise Smudging https://nomadtype.ninja/2020/07/11/crypto-leftover-hash-lemma/ 2020-07-11T14:40:08.000Z 2020-10-12T18:47:55.709Z

All info comes from David Wu’s note, Purdue’s cryptography course notes, an MIT note, and the Stanford CS355 notes.

This note will be focusing on Leftover Hash Lemma and Noise Smudging in Homomorphic Encryption.

```mermaid
graph LR;
subgraph Measure of Randomness
GP(Guess Probability) --> ME(Min Entropy)
CP(Collision Probability) --> RE(Renyi Entropy)
end
ME --> LHL(Leftover Hash Lemma)
RE --> LHL
subgraph Hash Function
KI(k-independence) --> UHF(Universal Hash Function)
CLBD(Collision Lower Bound) --> UHF
end
UHF --> LHL
LHL --> SLHL(Simplified LHL versions)
LHL -->|?| NS(Noise Smudging)
SS(Subset Sum) -->|?| NS
```

# Hash Function Part

Let $\mathcal{H}$ be a family of hash functions $X \to Y$. For distinct $x_1,\dots, x_k \in X$ and any $y_1 ,\dots, y_k \in Y$, the family $\mathcal{H}$ is $k$-wise independent if
$$\Pr\lbrack h \overset{R}{\leftarrow} \mathcal{H} : h(x_1) = y_1,\dots, h(x_k) = y_k\rbrack = \frac{1}{|Y|^k}$$

Equivalently, for any $i \in \lbrack k\rbrack$, the $i$-th input is answered uniformly at random, independently of the other $k-1$ answers.

Let $\mathcal{H}$ be a family of $X \to Y$ hash functions. $\mathcal{H}$ is an $\epsilon$-universal hash function family ($\epsilon$-UHF) if $\forall x, x’ \in X, x \ne x’$,
$$\Pr\lbrack h \overset{R}{\leftarrow} \mathcal{H}: h(x) = h(x’)\rbrack < \epsilon$$
A 2-wise independent hash function family is a $\frac{1}{|Y|}$-universal hash function family.

But a universal hash function family is not necessarily 2-wise independent. See construction.
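A standard example illustrating both notions (with small hypothetical parameters): $h_{a,b}(x) = ax + b \bmod p$ over all $(a,b) \in \mathbb{Z}_p^2$ is pairwise independent, hence $\frac{1}{p}$-universal. An exhaustive collision count over the whole family:

```python
# For fixed x1 != x2, h_{a,b}(x1) = h_{a,b}(x2) forces a(x1 - x2) ≡ 0 (mod p),
# i.e. a = 0 for prime p, so exactly p of the p^2 functions collide.
p = 7
x1, x2 = 2, 5
collisions = sum(1 for a in range(p) for b in range(p)
                 if (a * x1 + b) % p == (a * x2 + b) % p)
print(collisions, collisions / p ** 2)   # 7 collisions out of 49: probability 1/7
```

The collision probability is exactly $\frac{1}{p} = \frac{1}{|Y|}$, matching the implication above.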

## Collision Lower Bound

Let $\mathcal{H}$ be a hash function family $X \to Y$ with $|X| > |Y|$. Then there exist distinct $x_1^\ast, x_2^\ast \in X$ such that
$$\Pr\lbrack h \overset{R}{\leftarrow} \mathcal{H} : h(x_1^\ast) = h(x_2^\ast)\rbrack \geq \dfrac{\frac{|X|}{|Y|} - 1}{|X| - 1}$$
Fix a hash function $h \in \mathcal{H}$ and suppose the range is $Y = \lbrace y_1,\dots,y_m\rbrace$. The preimage sets $\lbrace x \in X: h(x) = y_i\rbrace$ partition $X$; denote by $n_i$ the size of the $i$-th set.

Counting the unordered pairs $\lbrace x_1, x_2 \rbrace$ with $x_1 \neq x_2$ and $h(x_1) = h(x_2)$ gives $\sharp \text{col}_h = \sum\limits^m_{i = 1}C^2_{n_i}$.

Noticing that $\sharp\text{col}_h = \sum\limits^m_{i = 1} \dfrac{n_i^2}{2} - \dfrac{|X|}{2} \ge \dfrac{1}{2} (\dfrac{|X|^2}{|Y|} - |X|)$. The lower bound is reached if $n_i = \dfrac{|X|}{|Y|}$.

For $\mathcal{H}$, we have $\sharp\text{col}_{\mathcal{H}} \ge \dfrac{|\mathcal{H}|}{2} (\dfrac{|X|^2}{|Y|} - |X|)$. Then consider the experiment that samples a distinct pair $(x_1,x_2)\overset{R}{\leftarrow} X$ and $h\overset{R}{\leftarrow} \mathcal{H}$, and outputs 1 if $h(x_1) = h(x_2)$.
$$\Pr\lbrack h(x_1) = h(x_2) \mid (x_1, x_2)\overset{R}{\leftarrow} X,h\overset{R}{\leftarrow} \mathcal{H}\rbrack = \dfrac{\sharp\text{col}_{\mathcal{H}}}{|\mathcal{H}| \cdot C^2_{|X|}}\geq \dfrac{\frac{|X|}{|Y|} - 1}{|X| - 1}$$
Since the average over pairs meets this bound, some fixed pair $(x_1^\ast, x_2^\ast)$ achieves it.
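The averaging argument can be checked numerically, writing the bound as $(\frac{|X|}{|Y|} - 1)/(|X| - 1)$, the form produced by the computation. A hypothetical worst-case family, all functions $X \to Y$ with $|X| = 3, |Y| = 2$:

```python
from itertools import product, combinations

X, Y = range(3), range(2)
family = list(product(Y, repeat=len(X)))    # each h encoded as its output tuple

# Best pair's collision probability over a uniformly random h
best = max(sum(h[a] == h[b] for h in family) / len(family)
           for a, b in combinations(X, 2))
bound = (len(X) / len(Y) - 1) / (len(X) - 1)    # = 0.25
print(best, best >= bound)                       # 0.5 True
```

For the all-functions family every pair collides with probability $\frac{1}{|Y|} = 0.5$, comfortably above the lower bound $0.25$.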

Fact: $\Pr\lbrack h \overset{R}{\leftarrow} \mathcal{H} : h(x_1^\ast) = h(x_2^\ast)\rbrack > \dfrac{1}{|Y|} - \dfrac{1}{|X|}$.

# Measure of Randomness

Suppose $R$ is a random variable over set $\Omega$ where $|\Omega|= n$. Let $U$ denote the uniform distribution over $\Omega$.

## Statistical Distance

The statistical distance between two random variables $X,Y$ is defined as $\Delta(X,Y) = \dfrac{1}{2} \sum\limits_{u \in \Omega} |\Pr\lbrack X = u \rbrack - \Pr \lbrack Y = u \rbrack|$. We denote $\epsilon$-close for two distribution
$$\Delta(X ,Y) \le \epsilon \Leftrightarrow X \approx_\epsilon Y$$

$\Delta(X,Y) = \max\limits_{T \subset \Omega}(\Pr\lbrack X \in T\rbrack - \Pr \lbrack Y \in T\rbrack)$

$\forall T \subset \Omega, \Pr\lbrack Y \in T\rbrack \le \Pr \lbrack X \in T \rbrack + \Delta (X,Y)$

For every randomized function $F$, $\Delta(F(X), F(Y)) \le \Delta(X,Y)$. Moreover, equality is achieved if each realization $f$ of $F$ is one-to-one.

Let $F$ be a random variable over functions $f: \Omega \to V$
\begin{aligned} \Delta(F(X),F(Y)) &= \dfrac{1}{2}\sum_{u \in \Omega} | \Pr \lbrack F(X) = u\rbrack -\Pr \lbrack F(Y) = u\rbrack |\newline &=\sum_{f \in F} \Pr\lbrack F = f\rbrack \left(\dfrac{1}{2}\sum_{u \in \Omega} | \Pr \lbrack F(X) = u \mid F = f\rbrack -\Pr \lbrack F(Y) = u\mid F = f \rbrack |\right)\newline &= \sum_{f \in F} \Pr\lbrack F = f\rbrack \Delta(f(X), f(Y))\newline &\le \sum_{f \in F} \Pr\lbrack F = f\rbrack \Delta(X, Y)\newline &= \Delta(X,Y) \end{aligned}

$R$ is $\delta$-uniform if $\delta = \Delta(U,R) = \dfrac{1}{2} \sum\limits_{x \in \Omega} | \Pr\lbrack R = x \rbrack - \dfrac{1}{n} |$.

## Randomness Extractor

The guessing probability $\gamma(R)$ is defined by $\gamma(R) = \max\limits_{x \in \Omega}\lbrace \Pr\lbrack R = x\rbrack \rbrace$. The min-entropy $H_\infty(R) = -\log \gamma(R) = -\log \max\limits_{x \in \Omega}\lbrace \Pr\lbrack R = x\rbrack \rbrace$.

We say that $R$ is a $k$-source if $H_\infty(R) \geq k$.

Let the seed $U_d$ be uniformly distributed over $\lbrace0,1\rbrace^d$. We say that a function $f_e: \lbrace 0,1 \rbrace^n \times \lbrace 0,1 \rbrace^d \to \lbrace 0,1 \rbrace^m$ is a $(k,\epsilon)$-extractor if for every $k$-source $X$ on $\lbrace 0,1 \rbrace^n$ independent of $U_d$
$$(f_e(X, U_d), U_d) \approx_\epsilon (U_m, U_d)$$
The collision probability is $\kappa(R) = \sum\limits_{x \in \Omega} \Pr \lbrack R = x \rbrack^2$. The Rényi entropy is $H_2(R) = -\log \kappa(R) = -\log \sum\limits_{x \in \Omega} \Pr \lbrack R = x \rbrack^2$.

Define $p_R \in \lbrack 0,1\rbrack^{n}$ to be the vector of probabilities of the values of $R$.

The guessing probability is the $\ell_\infty$-norm of $p_R$, and the collision probability is the squared $\ell_2$-norm of $p_R$.

Fact: for the uniform distribution $U$ over $\Omega$, $\gamma(U) = \kappa(U) = \dfrac{1}{n}$.

Fact: for $\delta$-uniform $R$ on $\Omega$, then $\dfrac{1}{n} + \dfrac{4\delta^2}{n} \le \kappa(R) \le \gamma(R) \le \dfrac{1}{n} + \delta$.
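This chain of inequalities can be verified with exact rational arithmetic on a small toy distribution (the probabilities below are arbitrary):

```python
# Check 1/n + 4δ²/n ≤ κ(R) ≤ γ(R) ≤ 1/n + δ on a 4-point distribution.
from fractions import Fraction

pR = [Fraction(4, 10), Fraction(3, 10), Fraction(2, 10), Fraction(1, 10)]
n = len(pR)

delta = sum(abs(p - Fraction(1, n)) for p in pR) / 2   # δ-uniformity of R
kappa = sum(p * p for p in pR)                         # collision probability κ(R)
gamma = max(pR)                                        # guessing probability γ(R)

assert Fraction(1, n) + 4 * delta**2 / n <= kappa <= gamma <= Fraction(1, n) + delta
print(delta, kappa, gamma)  # 1/5 3/10 2/5
```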

If $R$ is $\delta$-uniform, then by definition $\sum\limits_{x \in \Omega} |\Pr \lbrack R = x \rbrack - \dfrac{1}{n}| = 2\delta$.

Suppose toward contradiction that $\gamma(R) > \dfrac{1}{n} + \delta$, and let $x^\ast = \arg\max_x \lbrace \Pr\lbrack R = x\rbrack \rbrace$; then we have
\begin{aligned} \sum\limits_{x \in \Omega} |\Pr \lbrack R = x \rbrack - \dfrac{1}{n}| &= \sum_{x \in \Omega, x \ne x^\ast} |\Pr \lbrack R = x \rbrack - \dfrac{1}{n}| + |\Pr \lbrack R = x^\ast \rbrack - \dfrac{1}{n}|\newline &\ge | \sum_{x \in \Omega, x \ne x^\ast} (\Pr \lbrack R = x \rbrack - \dfrac{1}{n})| + |\gamma(R) - \dfrac{1}{n}|\newline &> | 1 - \Pr \lbrack R = x^\ast \rbrack - \dfrac{n - 1}{n} | + \delta = 2 \delta \end{aligned}
This contradicts $\delta$-uniformity, so $\gamma(R) \le \dfrac{1}{n} + \delta$.

For $\kappa(R) \le \gamma(R)$, we have
\begin{aligned} \sum_{x \in \Omega} \Pr \lbrack R = x \rbrack^2 &\le \max_{x \in \Omega} \Pr \lbrack R = x\rbrack (\sum_{x \in \Omega} \Pr \lbrack R = x \rbrack)\newline &= \max_{x \in \Omega} \Pr \lbrack R = x\rbrack \end{aligned}
For $\dfrac{1}{n} + \dfrac{4\delta^2}{n} \le \kappa(R)$, write $\delta_x = \Pr\lbrack R = x\rbrack - \dfrac{1}{n}$ and note that $\sum_x \delta_x = 0$; then
\begin{aligned} \kappa(R) &= \sum\limits_{x \in \Omega} \Pr \lbrack R = x \rbrack^2 = \sum_{x \in \Omega} (\dfrac{1}{n} + \delta_x)^2\newline &=\sum_{x \in \Omega} (\dfrac{1}{n^2} + \dfrac{2\delta_x}{n} + \delta_x^2) = \dfrac{1}{n} + \sum_{x \in \Omega} \delta_x^2\newline &\ge\dfrac{1}{n} + \dfrac{1}{n}(\sum_{x \in \Omega}|\delta_x|)^2 = \dfrac{1}{n} + \dfrac{4\delta^2}{n} \end{aligned}
where the last step is Cauchy–Schwarz.

# Leftover Hash Lemma

Let $\mathcal{H} = \lbrace h : X \to Y \rbrace$ be an $\epsilon$-universal hash family, and sample $h \overset{R}{\leftarrow} \mathcal{H}$. Let $R$ be a random variable over $X$ chosen independently of $h$. Then $(h, h(R))$ is $\delta$-uniform over $\mathcal{H}\times Y$ with
$$\delta \le \dfrac{1}{2}\sqrt{|Y| \cdot (\kappa(R) + \epsilon) - 1}$$
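As a sanity check, the bound can be evaluated exactly for a toy family: take $\mathcal{H}$ to be *all* functions $\lbrace 0,1,2,3\rbrace \to \lbrace 0,1\rbrace$, which is $\frac{1}{|Y|}$-universal, and a non-uniform source $R$ (the probabilities below are made up):

```python
# Exact δ of (h, h(R)) from uniform over H × Y, versus the LHL bound.
from itertools import product
from fractions import Fraction
from math import sqrt

X, Y = range(4), range(2)
H = list(product(Y, repeat=len(X)))   # h stored as its output table; |H| = 16
pR = [Fraction(4, 10), Fraction(3, 10), Fraction(2, 10), Fraction(1, 10)]

kappa = sum(p * p for p in pR)        # collision probability κ(R)
eps = Fraction(1, len(Y))             # ε-universality of the all-functions family

delta = Fraction(0)
for h in H:
    for y in Y:
        # Pr[(h, h(R)) = (h, y)] minus the uniform mass 1/(|H|·|Y|)
        p_hy = Fraction(1, len(H)) * sum(pR[x] for x in X if h[x] == y)
        delta += abs(p_hy - Fraction(1, len(H) * len(Y)))
delta /= 2

bound = sqrt(len(Y) * float(kappa + eps) - 1) / 2
print(float(delta) <= bound)  # True
```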

## Some Simplified Version

The CS355 course notes give a simplified version of the LHL, with $\mathcal{H}$ as above. Let $\mathcal{D_X}$ be some distribution on $\mathcal{X}$ with guessing probability $\gamma(\mathcal{D_X}) = \gamma$. Then for every adversary $\mathcal{A}$
$$\left| \Pr\lbrack \mathcal{A}(\text{pk}, H(\text{pk}, x)) = 1 \mid \text{pk} \overset{R}{\leftarrow} \mathcal{K}, x\leftarrow \mathcal{D_X} \rbrack - \Pr\lbrack \mathcal{A}(\text{pk}, y) = 1 \mid \text{pk}\overset{R}{\leftarrow}\mathcal{K}, y \overset{R}{\leftarrow}\mathcal{Y} \rbrack \right| \le \dfrac{1}{2}\sqrt{\gamma\cdot |\mathcal{Y}|}$$
Then if we sample $A \overset{R}{\leftarrow} \mathbb{Z}_q^{n \times m}, x \overset{R}{\leftarrow} \lbrace 0,1 \rbrace^m, y \overset{R}{\leftarrow} \mathbb{Z}_q^n$ (with $m$ sufficiently larger than $n \log q$), we have $(A, A\cdot x) \approx_{\text{stat}} (A, y)$.
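For intuition, the $(A, A\cdot x)$ claim can be checked exhaustively with toy parameters $q = 3, n = 1, m = 3$; these tiny sizes are chosen only so exact enumeration is feasible, and real instantiations take $m$ much larger:

```python
# Exact statistical distance of (A, A·x mod q) from (A, uniform), tiny params.
from itertools import product
from fractions import Fraction
from math import sqrt

q, m = 3, 3
As = list(product(range(q), repeat=m))   # row vectors A ∈ Z_q^{1×m}
xs = list(product(range(2), repeat=m))   # x ∈ {0,1}^m

delta = Fraction(0)
for A in As:
    counts = [0] * q
    for x in xs:
        counts[sum(a * b for a, b in zip(A, x)) % q] += 1
    # Δ between the distribution of A·x and uniform on Z_q, for this A
    delta += sum(abs(Fraction(c, len(xs)) - Fraction(1, q)) for c in counts) / 2
delta /= len(As)                          # average over the uniform choice of A

bound = sqrt(q / 2**m) / 2                # simplified-LHL bound (1/2)·sqrt(γ·|Y|)
print(float(delta) <= bound)  # True
```

Here the hash family is $h_A(x) = A\cdot x$, which is universal because $A(x - x') = 0$ happens with probability $1/q$ for distinct $x, x'$.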

# Noise Smudging

This technique appears in Gentry’s thesis, where it is used for (statistical) circuit privacy.

(Statistical) Circuit Privacy: Let $\mathcal{E}$ be an encryption scheme. $\mathcal{E}$ is circuit private for circuits in $C_{\mathcal{E}}$ if, for any keypair $(\text{sk},\text{pk})$ output by $\text{KeyGen}_{\mathcal{E}}(\lambda)$, any circuit $C\in C_{\mathcal{E}}$, and any fixed ciphertexts $\Psi = \langle \psi_1,\dots,\psi_k\rangle$ that are in the image of $\text{Encrypt}_{\mathcal{E}}$ for plaintexts $\pi_1,\dots,\pi_k$, we have
$$\text{Encrypt}_{\mathcal{E}}(\text{pk},C(\pi_1,\dots,\pi_k)) \approx_{\text{stat}} \text{Evaluate}_{\mathcal{E}}(\text{pk},C,\Psi)$$
meaning the two distributions are statistically indistinguishable.

The main idea is that every ciphertext in $\Psi$ carries a noise $\rho$. Denote by $\rho_f$ the noise of a fresh encryption of $C(\pi_1,\dots,\pi_k)$.

We add one more, significantly larger noise $\rho^\ast \gg \rho_f > \rho$, so that the two resulting noise distributions are statistically indistinguishable.
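The smudging step can be quantified exactly: if $\rho^\ast$ is uniform on $\lbrack -B^\ast, B^\ast\rbrack$ and two noises differ by some offset $e$ with $|e| \le B \ll B^\ast$, the shifted and unshifted distributions are at statistical distance $\frac{|e|}{2B^\ast+1}$. A small exact check (parameter values are arbitrary):

```python
# Δ(ρ* + e, ρ*) for ρ* uniform on [-Bp, Bp]: shifting by e moves only e points
# of probability mass off each end of the support.
from fractions import Fraction

def smudge_dist(e, Bp):
    p = Fraction(1, 2 * Bp + 1)
    shifted = {x + e: p for x in range(-Bp, Bp + 1)}
    base = {x: p for x in range(-Bp, Bp + 1)}
    keys = set(shifted) | set(base)
    return sum(abs(shifted.get(x, 0) - base.get(x, 0)) for x in keys) / 2

print(smudge_dist(3, 1000))  # 1/667, i.e. 3/2001 ≈ 0.0015
```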

Probabilistically Checkable and Interactive Proof Note 1 https://nomadtype.ninja/2020/05/12/berkeley-cs294-1/ 2020-05-12T23:45:00.000Z 2020-10-12T18:47:55.705Z

All info comes from Alessandro Chiesa’s Lecture CS294 2019 version.

We are now trying to establish the relation $\text{IP = PSPACE}$.

## $\text{IP}\subseteq\text{PSPACE}$

Let $L \in \text{IP}$ with interactive proof verifier $V_L$. Fix an instance $x$ and define $q_x \triangleq \max\limits_{\overset{\sim}{P}}\Pr\left[\langle \overset{\sim}{P},V_L\rangle (x) = 1 \right]$. $q_x$ has the property that $\begin{cases} x\in L&\to q_x = 1\newline x\notin L &\to q_x \le \dfrac{1}{2}\end{cases}$.

If we can compute $q_x$ in $\text{PSPACE}$, then $L$ is also in $\text{PSPACE}$.

Define transcript $\text{tr} = (p_1,v_1,\dots,p_i,v_i)$.

Define $\text{P}^\ast(x, \text{tr})$ to be the function that outputs the message $p_{i+1}$ maximizing $\Pr\left[ V_L = 1\right]$ given $\text{tr}$.

### If $P^\ast \in \text{PSPACE}$, then $q_x \in \text{PSPACE}$

For every random string $\mathbf{r}$ of $V_L$, compute the bit $b = b(x,\mathbf{r}) = V_L(x,\mathbf{r},p_1^\ast,\dots,p_l^\ast)$, where
\begin{aligned} p_1^\ast &= P^\ast(x,\bot)\newline v_1 &= V_L(x,\mathbf{r}, p_1^\ast)\newline p_2^\ast &= P^\ast(x, \text{tr} = (p_1^\ast, v_1))\newline v_2 &= V_L(x,\mathbf{r}, p_1^\ast,p_2^\ast)\newline &\dots \end{aligned}
Compute $q_x = \dfrac{\sum\limits_{\mathbf{r}\in R} b(x, \mathbf{r})}{|R|}$. Notice we play the interactive-proof game $|R|$ times with different $\mathbf{r}$ through the function $b$. Since $P^\ast$ is assumed to be in $\text{PSPACE}$ and $V_L$ runs in $\text{poly}$ time, each $b(x,\mathbf{r})$ is computable in polynomial space, and iterating over all $\mathbf{r}\in R$ reuses that space, so $q_x$ is computable in $\text{PSPACE}$.

### $P^\ast \in \text{PSPACE}$

Let $\mathcal{C}(x, \text{tr}) \subseteq R$ be the set of strings $\mathbf{r}$ that are consistent with $(x, \text{tr})$; namely, if $\text{tr} = (p_1,v_1,\dots,p_i,v_i)$, then $v_j = V_L(x,\mathbf{r}, p_1,\dots, p_j)$ for every $j \le i$.

$P^\ast$ is defined recursively: $P^\ast(x, (p_1,v_1,\dots,p_{l-1},v_{l-1})) \to p^\ast_{l} = \arg\max\limits_{p_l} \mathbb{E}_{\mathbf{r}\leftarrow \mathcal{C}(x,\text{tr})}\left[V_L(x, \mathbf{r}, p_1,\dots,p_{l-1},p_l)\right]$.

The prover enumerates the candidate messages $p_l$, runs the $V_L$ test for each, records the resulting expectation, and rolls back the memory between candidates. It keeps track of the best $p_l$ and returns it.

All we want is to pick the best $p_l$ while keeping polynomial space complexity.

## Sumcheck Protocol and IP for Counting Problems

Given a boolean function $\phi$ with $n$ variables and $m$ clauses, there are $2^n$ possible assignments out there.

Consider an $\text{UN-SAT}$ problem: we want to prove that $\not\exists \lbrace a_i\rbrace$ such that $\phi(a_1,\dots,a_n) = 1$, and we want to convince $V$ with $\text{poly}(m, n)$ resources.

We can translate the problem from logic side to algebraic side by mapping the logical formula $\phi$ to a low degree polynomial $P$.
$$3 \text{-CNF } \phi\ (n\text{ vars}, m\text{ clauses}) \mapsto \text{low-degree polynomial }P(x_1, \dots, x_n)$$

E.g.
\begin{aligned} &(x_1 \vee x_2 \vee x_3) \wedge (x_4 \vee \overset{-}{x_2} \vee x_1)\newline \mapsto &(x_1 + x_2 + x_3) \cdot (x_4 + (1-x_2) + x_1) \end{aligned}
If a clause is satisfied, the corresponding factor is $> 0$; if a clause is unsatisfied, the corresponding factor is $=0$.

\begin{aligned} \forall a_1,\dots,a_n \in \lbrace 0,1\rbrace, \phi(a_1,\dots,a_n) = 1 &\mapsto P(a_1,\dots,a_n) > 0\newline \forall a_1,\dots,a_n \in \lbrace 0,1\rbrace, \phi(a_1,\dots,a_n) = 0 &\mapsto P(a_1,\dots,a_n) = 0 \end{aligned}

Thus, we consider sum that
$$\phi \in \text{UN-SAT} \leftrightarrow \sum\limits_{a_1,\dots,a_n} P(a_1,\dots,a_n) = 0$$
If $\phi \in \text{SAT}$, the sum is at most $2^n 3^m$.

A useful tool here is that $\mathbb{F}$ be a field and $f \in \mathbb{F}\lbrack X \rbrack$ of degree $d$, then $|\text{roots}(f)| \le d$.

$f$ should be defined over a field rather than a general ring, since the root bound requires that there be no zero divisors. Check the crypto-3 note.

We can pick a prime $q > 2^n3^m$ and we will be able to do all the arithmetic over $\mathbb{F}_q$.

Then we want to convince $V$ that $\sum\limits_{a_1,\dots,a_n} P(a_1,\dots,a_n) = 0$ with $P \in \mathbb{F}_q\lbrack X\rbrack$.

### Sumcheck Protocol for UNSAT

$\langle P,V \rangle$ has common input $\phi$ and transformed polynomial $P_\phi$. They want to prove $\sum P= 0$.

• $P$ sends $P_1(x) = \sum\limits_{a_2,\dots,a_n} P_\phi(x, a_2,\dots,a_n)$ to $V$.

• $V$ checks $P_1(0) + P_1(1) = 0$, then samples $r_1 \overset{R}{\leftarrow}\mathbb{F}_q$ and sends it to $P$.

Since $P_1(0) + P_1(1) = \sum\limits_{a_1,\dots,a_n} P_\phi(a_1, a_2,\dots,a_n)$, if $\phi$ is unsatisfiable then this sum is $0$.

• $P$ sends $P_2 (x) = \sum\limits_{a_3,\dots,a_n} P_\phi(r_1,x, a_3,\dots,a_n)$ to $V$.

• $V$ checks $P_2(0) + P_2(1) = P_1(r_1)$, then samples $r_2 \overset{R}{\leftarrow}\mathbb{F}_q$ and sends it to $P$.

• $\dots$

• $P$ sends $P_i(x) = \sum\limits_{a_{i+1}, \dots,a_n} P_\phi(r_1, \dots,r_{i-1},x, a_{i+1},\dots,a_n)$ to $V$.

• $V$ checks $P_i(0) + P_i(1) = P_{i-1}(r_{i-1})$, where $P_{i-1}(x) = \sum\limits_{a_{i}, \dots,a_n} P_\phi(r_1, \dots,r_{i-2},x, a_{i},\dots,a_n)$.

$V$ samples $r_{i} \overset{R}{\leftarrow} \mathbb{F}_q$ and sends it to $P$.

• $\dots$

• $P$ sends $P_n(x) = P_\phi(r_1,\dots,r_{n-1}, x)$ to $V$.

• $V$ checks $P_n(0) + P_n(1) = P_{n-1}(r_{n-1})$.

$V$ samples $r_n \overset{R}{\leftarrow} \mathbb{F}_q$.

$V$ checks $P_\phi(r_1,\dots,r_n) = P_n(r_n)$.

The efficiency of $V$ is $\text{poly}(n, \text{degree of }P_\phi \le m, |P_\phi|)$.
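The rounds above can be run end-to-end on a toy instance. The sketch below is not a real proof system: the honest prover brute-forces the exponential sums (fine only for tiny $n$), polynomials are sent as evaluation tables and read back by Lagrange interpolation, and a `claimed` parameter generalizes the first-round check from $0$ to an arbitrary claimed sum (which also covers the $\sharp\text{SAT}$ variant):

```python
# Toy sumcheck for the claim sum_{a in {0,1}^n} P(a) = claimed, over F_q.
import random

q = 97  # small prime; a real run needs q larger than the maximum possible sum

def lagrange_eval(points, x):
    """Evaluate the unique polynomial through `points` = [(xi, yi)] at x over F_q."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, q - 2, q)) % q
    return total

def prover_round(P, n, rs, i, deg):
    """Send P_i as evaluations at deg+1 points, summing out a_{i+1},...,a_n."""
    evals = []
    for x in range(deg + 1):
        s = 0
        for suffix in range(2 ** (n - i)):
            a = [(suffix >> k) & 1 for k in range(n - i)]
            s = (s + P(rs + [x] + a)) % q
        evals.append((x, s))
    return evals

def sumcheck(P, n, deg, claimed=0):
    rs, prev = [], None
    for i in range(1, n + 1):
        msg = prover_round(P, n, rs, i, deg)
        check = (lagrange_eval(msg, 0) + lagrange_eval(msg, 1)) % q
        target = claimed % q if prev is None else lagrange_eval(prev[0], prev[1])
        if check != target:
            return False
        r = random.randrange(q)
        rs, prev = rs + [r], (msg, r)
    # final oracle check: P_n(r_n) = P(r_1, ..., r_n)
    return lagrange_eval(prev[0], prev[1]) == P(rs) % q

# The clause pair (x1 ∨ x2 ∨ x3)(x4 ∨ ¬x2 ∨ x1) from the example above.
P = lambda a: (a[0] + a[1] + a[2]) * (a[3] + (1 - a[1]) + a[0])
true_sum = sum(P([(s >> k) & 1 for k in range(4)]) for s in range(16)) % q
print(sumcheck(P, 4, 2, claimed=true_sum))  # True
print(sumcheck(P, 4, 2, claimed=0))         # False
```

With the correct claimed sum the verifier accepts every time; the claim $\sum P = 0$ is rejected at the very first check since the example formula is satisfiable.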

We need to also prove the completeness and soundness.

Completeness is trivial: if $\sum P_\phi = 0$, then $\Pr \lbrack \langle P,V\rangle(\phi, P_\phi) = 1\rbrack = 1$.

Soundness relies on induction: if $\sum P_\phi \neq 0$, then $\Pr \lbrack \langle \overset{\sim}{P},V\rangle(\phi, P_\phi) = 1\rbrack \leq \dfrac{n\cdot m}{q}$.

Let $E_i$ be the event that $\overset{\sim}{P_i} = P_i$, where $P_i(x) = \sum\limits_{a_{i+1}, \dots,a_n} P_\phi(r_1, \dots,r_{i-1},x, a_{i+1},\dots,a_n)$, and let $W$ be the event that $\overset{\sim}{P}$ wins.

Claim that $\Pr\lbrack W \mid E_1 \wedge \dots \wedge E_n\rbrack = 0$: since $\Pr\lbrack W \mid E_1 \wedge \dots \wedge E_n\rbrack \le \Pr \lbrack W \mid E_1 \rbrack$ and $\sum P_\phi \neq 0$, the first check fails under $E_1$, so $\Pr \lbrack W \mid E_1 \rbrack = 0$.

Claim that $\Pr\lbrack W \rbrack \leq \dfrac{n\cdot m}{q} + \Pr\lbrack W | E_1 \wedge \dots \wedge E_n\rbrack$, which can be proven by induction.

By induction, $\Pr \lbrack W \rbrack \le \dfrac{(n-j+1)\cdot m}{q} + \Pr \lbrack W | E_j \wedge \dots\wedge E_n\rbrack$.

Consider $j = n$: $\Pr \lbrack W \rbrack \le \Pr\lbrack W \mid E_n \rbrack + \Pr \lbrack W \mid \overset{-}{E_n}\rbrack$. Now consider $\Pr \lbrack W \mid \overset{-}{E_n}\rbrack$, i.e., $\overset{\sim}{P}$ wins the game having cheated in the last round with $\overset{\sim}{P_n} \neq P_n(x) = P_\phi(r_1, \dots, r_{n-1},x)$.

Then we can notice that two checks must be done in the last round: $\begin{cases}\overset{\sim}{P_n}(0) + \overset{\sim}{P_n}(1) = \overset{\sim}{P_{n-1}}(r_{n-1}) \newline \overset{\sim}{P_n}(r_n) = P_\phi(r_1,\dots,r_n) \end{cases}$ , for $r_n \overset{R}{\leftarrow} \mathbb{F}_q$.

Since $\overset{\sim}{P_{n-1}}$ and $r_{n-1}$ are already fixed, the cheating prover can construct some $\overset{\sim}{P_n}$ that satisfies the first check.

For the second check, $(\overset{\sim}{P_n} - P_\phi(r_1,\dots,r_{n-1},\cdot))(x)$ is a nonzero polynomial with at most $d \le m$ roots, so the probability that $r_n$ hits a root is less than $\dfrac{m}{q}$. Thus $\Pr \lbrack W \mid \overset{-}{E_n}\rbrack \le \dfrac{m}{q}$.

If the bound holds for $j$, i.e., $\Pr \lbrack W \rbrack \le \dfrac{(n-j+1)\cdot m}{q} + \Pr \lbrack W \mid E_j \wedge \dots\wedge E_n\rbrack$, then we proceed by $\Pr \lbrack W \mid E_j \wedge \dots\wedge E_n\rbrack \le \Pr \lbrack W \mid E_{j-1} \wedge E_j \wedge \dots\wedge E_n\rbrack + \Pr \lbrack W \mid \overset{-}{E_{j-1}} \wedge E_j \wedge \dots\wedge E_n\rbrack$.

Since $\Pr \lbrack W | \overset{-}{E_{j-1}} \wedge E_j \wedge \dots\wedge E_n\rbrack \le \dfrac{m}{q}$, $\Pr \lbrack W \rbrack \le \dfrac{(n-(j-1)+1)\cdot m}{q} + \Pr \lbrack W | E_{j-1} \wedge \dots\wedge E_n\rbrack$.

For $\overset{\sim}{P_j}(0) + \overset{\sim}{P_j}(1) = \overset{\sim}{P_{j-1}}(r_{j-1})$: since we are now in the event $\overset{-}{E_{j-1}} \wedge E_j$, we have $\overset{\sim}{P_j} = P_j$ and $\overset{\sim}{P_{j-1}} \neq P_{j-1}$, so the probability that $r_{j-1}$ is a root is at most $\dfrac{m}{q}$.

Thus $\Pr\lbrack W \rbrack \le \dfrac{mn}{q}$.

### #SAT Counting Problem

Let’s go beyond the $\text{UN-SAT}$ problem to the $\sharp\text{SAT}$ counting problem.

Given $\phi$, how many assignments satisfy $\phi$?

The map from $\phi$ to $P$ is given by
$$x \vee y \vee \neg z \mapsto 1 - (1-x)(1-y)z$$
Therefore
$$\sharp \phi = \sum\limits_{a_1,\dots,a_n} P(a_1,\dots,a_n)$$
Each term is $0$ or $1$, so the sum is $\le 2^n$. We just need to convince the verifier that $\sum P = \sharp \phi$ (in the first round, replace the check against $0$ with a check against $\sharp \phi$).
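The mapping can be sanity-checked by comparing the polynomial sum with brute-force counting; the two-clause formula below is a made-up example:

```python
# #SAT arithmetization check: sum of the product polynomial over {0,1}^n
# equals the number of satisfying assignments.
from itertools import product

def clause_poly(lits, a):
    """Clause arithmetization: lits = [(var_index, negated)], evaluated at a."""
    miss = 1
    for i, neg in lits:
        miss *= a[i] if neg else (1 - a[i])   # factor is 0 iff the literal is true
    return 1 - miss                            # e.g. x ∨ y ∨ ¬z ↦ 1 - (1-x)(1-y)z

# phi = (x0 ∨ x1 ∨ ¬x2) ∧ (¬x0 ∨ x2 ∨ x3)
phi = [[(0, False), (1, False), (2, True)],
       [(0, True), (2, False), (3, False)]]

count = sum(clause_poly(phi[0], a) * clause_poly(phi[1], a)
            for a in product([0, 1], repeat=4))
brute = sum(1 for a in product([0, 1], repeat=4)
            if (a[0] or a[1] or not a[2]) and (not a[0] or a[2] or a[3]))
assert count == brute
print(count)  # 12
```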

By Toda’s Theorem we notice that $\text{coNP} \subseteq \text{PH}\subseteq \text{P}^{\sharp \text{P}} \subseteq \text{IP}$.

## $\text{IP} = \text{PSPACE}$

If we want to prove this, we want to find a problem that is $\text{PSPACE-Complete}$.

TQBF is $\text{PSPACE-Complete}$.

A quantified boolean formula ($\text{QBF}$) is an expression $\forall x_1 \exists x_2 \forall x_3 \dots \phi(x_1,\dots,x_n)\in\lbrace 0, 1\rbrace$. $\text{TQBF} = \lbrace \phi : \phi \text{ is true}\rbrace$.

We first do arithmetization of $\phi$ to some polynomial $p_\phi$. The mapping is similar
\begin{aligned} x_i &\mapsto x_i\newline \neg x_i &\mapsto 1 - x_i\newline x \vee y \vee z &\mapsto 1 - (1-x)(1-y)(1-z)\newline t_1 \wedge \dots \wedge t_n &\mapsto \prod\limits_{i \in \lbrack n\rbrack} A(t_i) \end{aligned}
The $P_\phi$ has an individual degree of $3m$.

The arithmetization for $\forall,\exists$ follows
\begin{aligned} \forall x_n \phi (x_1,\dots,x_n) &\mapsto \prod_{x_n \in \lbrace 0,1\rbrace} P_\phi(x_1,\dots, x_n) \triangleq P_\phi(x_1,\dots,x_n =0) \cdot P_\phi(x_1,\dots, x_n = 1)\newline \exists x_n \phi (x_1,\dots,x_n) &\mapsto \underset{x_n \in \lbrace 0,1\rbrace}{\huge\amalg} P_\phi(x_1,\dots, x_n) \triangleq 1 - (1 - P_\phi(x_1, \dots, x_n = 0))\cdot(1 - P_\phi(x_1, \dots, x_n = 1)) \end{aligned}
Therefore $\forall x_1\exists x_2 \forall x_3 \dots \phi(x_1,\dots,x_n) \mapsto \prod\limits_{x_1} \underset{x_2}{\large\amalg}\prod\limits_{x_3}\dots P_{\phi}(x_1,\dots,x_n)$. The individual degree is exponential in $n$, up to $2^{n}\cdot 3m$.

Introduce degree reduction operator $R_x$ to decrease the degree. If $x \in \lbrace 0,1\rbrace$, then $x^p$ for some $p > 0$ is still $x$. Thus we can insert $R_x$ into arithmetization.
$$\forall x_1\exists x_2 \forall x_3 \dots \phi(x_1,\dots,x_n) \mapsto \prod\limits_{x_1} \underset{x_1}{R} \underset{x_2}{\huge\amalg} \underset{x_1}{R}\underset{x_2}{R} \prod\limits_{x_3}\underset{x_1}{R}\underset{x_2}{R}\underset{x_3}{R}\dots P_{\phi}(x_1,\dots,x_n) \overset{?}{=} 1$$
This time, $q$ can be chosen with size just $\text{poly}(m,n)$.

Each operator $\mathcal{O}_k \in \lbrace \prod_{x_i}, \amalg_{x_i}, R_{x_i} \rbrace$; after the arithmetization of $P_\phi$ there are $l = \sum\limits^n_{i=1}(i + 1) = \dfrac{n(n+3)}{2}$ operators in total.

In this way we can write the arithmetized $\text{TQBF}$ as $\mathcal{O}_1\dots \mathcal{O}_l P_\phi$.

The protocol largely needs to check whether $v_k = \mathcal{O}_{k+1}\dots O_l P_{\phi, k}$, where $P_{\phi, k}$ is the poly in round $k$. At the end of each round $V$ computes $v_{k+1}$ for next round.

• Completeness means that if $v_k = \mathcal{O}_{k+1}\dots \mathcal{O}_l P_{\phi, k}$ is true, then $v_{k+1} = \mathcal{O}_{k+2}\dots \mathcal{O}_l P_{\phi, k+1}$ is true with probability 1.
• Soundness means that if $v_k = \mathcal{O}_{k+1}\dots \mathcal{O}_l P_{\phi, k}$ is false, then $v_{k+1} = \mathcal{O}_{k+2}\dots \mathcal{O}_l P_{\phi, k+1}$ is also false except with probability less than $\dfrac{1}{2}$.

The initialization is $v_0 = 1, P_{\phi, 0} = P_\phi$, and at the end the verifier checks $P_{\phi, l} = v_l$ directly. Three cases of $\mathcal{O}_{k+1}$ need to be considered.

### $\mathcal{O}_{k+1} = \prod\limits_{x_i}/\underset{x_i}{\large\amalg}$

In this case, $V$ already stored $v_k$, $V$ need to be convinced this round that $v_k = \mathcal{O}_{k+1}\dots \mathcal{O}_{l}P_{\phi, k}$, where $P_{\phi, k} = P_\phi(r_1,\dots,r_{k-1}, x_k, \dots, x_n)$.

$P$ sends over some polynomial $\overset{\sim}{P}$ to satisfy
\begin{aligned} \mathcal{O}_{k+1} \overset{\sim}{P} &= \overset{\sim}{P}(0)\cdot\overset{\sim}{P}(1) \overset{?}{=} v_k\newline &= \prod\limits_{x_k} \underset{x_1}{R}\dots\underset{x_k}{R} \underset{x_{k+1}}{\huge\amalg} \dots P_{\phi}(r_1,\dots,r_{k-1},x_k,\dots ,x_n) \end{aligned}
$V$ samples $r_k \overset{R}{\leftarrow}\mathbb{F}_q$ and sends it to $P$.

$v_{k+1}$ is calculated by following
\begin{aligned} v_{k+1} &= \underset{x_1}{R}\dots\underset{x_k}{R} \underset{x_{k+1}}{\huge\amalg} \dots P_{\phi}(r_1,\dots,r_{k},x_{k+1},\dots ,x_n)\newline &= \overset{\sim}{P}(r_{k}) \end{aligned}

Completeness simply follows.

Soundness is similar to sumcheck protocol ($\overset{\sim}{P}$ means a forged polynomial).

If $v_k \neq \prod\limits_{x_k} {\big\lbrace} \underset{x_1}{R}\dots\underset{x_k}{R} \underset{x_{k+1}}{\huge\amalg} \dots P_{\phi}(r_1,\dots,r_{k-1},x_k,\dots ,x_n){\big\rbrace}$, then $P$ must forge $\overset{\sim}{P} \neq \underset{x_1}{R}\dots\underset{x_k}{R} \underset{x_{k+1}}{\huge\amalg} \dots P_{\phi}(r_1,\dots,r_{k-1},x_k,\dots ,x_n)$.

$v_k$ can be used to construct such a $\overset{\sim}{P}$, but then $\overset{\sim}{P}(r_k) = \underset{x_1}{R}\dots\underset{x_k}{R} \underset{x_{k+1}}{\huge\amalg} \dots P_{\phi}(r_1,\dots,r_k, x_{k+1},\dots ,x_n)$ holds with probability only $\dfrac{1}{q}$, since the degree has been reduced to 1.

$\mathcal{O}_{k+1} = \underset{x_i}{\large\amalg}$ is similar case.

### $\mathcal{O}_{k+1} = \underset{x_i}{R}$

$V$ needs to check $v_k = \underset{x_i}{R} \mathcal{O}_{k+2} \dots P_{\phi,k}$, where $P_{\phi, k} = P_\phi(r_1,\dots,r_j, x_{j+1}, \dots, x_n)$ for some $j \ge i$.

$P$ sends over some polynomial $\overset{\sim}{P}$ to satisfy
$$\underset{x_i}{R}\mathcal{O}_{k+2} \dots P_{\phi}(r_1,\dots,r_j, x_{j+1}, \dots,x_n) = v_k \overset{?}{=} \mathcal{O}_{k+1}\overset{\sim}{P} = (\underset{x_i}{R}\overset{\sim}{P})(r_i)$$
$V$ generates $r_i^{\text{new}} \overset{R}{\leftarrow}\mathbb{F}_q$

• send $r_i^{\text{new}}$ to $P$
• $v_{k+1} \triangleq \overset{\sim}{P}(r^{\text{new}}_i)$

$v_{k+1}$ should be equal to $\mathcal{O}_{k+2} \dots P_\phi(r_1,\dots,r_i^{\text{new}},\dots,r_j, x_{j+1}, \dots, x_n)$

Completeness simply follows.

Soundness must hold when
$$\underset{x_i}{R}\mathcal{O}_{k+2} \dots P_{\phi}(r_1,\dots,r_j, x_{j+1}, \dots,x_n) \neq v_k$$
If $\overset{\sim}{P}$ is forged, denote $P_{\text{true}}(r_i) = \mathcal{O}_{k+2} \dots P_\phi(r_1,\dots,r_i,\dots,r_j, x_{j+1}, \dots, x_n)$; we want to see when $P_{\text{true}}(r_i) = \overset{\sim}{P}(r_i)$. The probability is $\dfrac{\deg(P_{\text{true}} - \overset{\sim}{P})}{q}$.

For $\deg(P_{\text{true}} - \overset{\sim}{P})$, only the innermost operators can lead to degree $3m$; the others give only degree $2$.

### Total Soundness

$\dfrac{1}{q}n$ comes from the quantifier arithmetization.

$\dfrac{2}{q}\sum\limits^{n-1}_{i=1} i$ comes from degree reduction with polynomial degree 2.

$\dfrac{3m}{q}n$ comes from degree reduction with polynomial degree $3m$.

A total soundness error would be $\dfrac{3mn + n^2}{q}$.

Given the claim that $\text{TQBF}$ is $\text{PSPACE-Complete}$, $\text{PSPACE} \subseteq \text{IP}$.


All info comes from David Wu’s Lecture and Boneh-Shoup Book.

This note will be focusing on methods of constructing block ciphers, with examples like DES and AES, and message integrity.

Typically we rely on iteration to construct block ciphers, where key expansion relies on a PRG. The round function $\hat{E}(k,x) \to y$ satisfies $|x| = |y|$, and applying $\hat{E}$ for $n$ rounds constructs a PRF or PRP.

# DES (Data Encryption Standard with Feistel Structure)

DES relies on Feistel design, where $|L_0| = |R_0|$.
$$\require{AMScd} \begin{CD} L_0 @. R_0\newline @V VV @V VV\newline \oplus@<F_K<< R_0\newline @V VV @V VV\newline R_1 @.L_1 \end{CD}$$
Even if $F:\lbrace 0,1\rbrace^k \times \lbrace 0,1\rbrace^n \to \lbrace 0,1\rbrace^n$ is non-invertible, the Feistel round function $\Psi_F:\lbrace 0,1\rbrace^{2n} \to \lbrace 0,1\rbrace^{2n}$ is still invertible, noticing $\lbrack L_0,R_0\rbrack \mapsto \lbrack R_0, L_0 \oplus F(k, R_0)\rbrack \equiv \lbrack L_1, R_1\rbrack$.

Since $L_1 = R_0$, we can construct the inverse:
$$\require{AMScd} \begin{CD} L_1 @. R_1\newline @V VV @V VV\newline L_1 @>F_K>> \oplus\newline @V VV @V VV\newline R_0 @.L_0 \end{CD}$$
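The two diagrams can be sketched in code with a deliberately non-invertible round function (truncated SHA-256 standing in for DES's $F$; key and block values are illustrative):

```python
# A generic Feistel round and its inverse: Ψ_F is a permutation even though
# the round function F itself is not invertible.
import hashlib

N = 4  # half-block size in bytes (toy)

def F(k: bytes, r: bytes) -> bytes:
    """Non-invertible round function: truncated SHA-256 (illustrative only)."""
    return hashlib.sha256(k + r).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_enc(keys, L, R):
    for k in keys:                  # one round: [L, R] -> [R, L ⊕ F(k, R)]
        L, R = R, xor(L, F(k, R))
    return L, R

def feistel_dec(keys, L, R):
    for k in reversed(keys):        # undo rounds in reverse key order
        L, R = xor(R, F(k, L)), L
    return L, R

keys = [b"k1", b"k2", b"k3"]        # 3 rounds, as in Luby-Rackoff
L0, R0 = b"\x00\x01\x02\x03", b"\x04\x05\x06\x07"
assert feistel_dec(keys, *feistel_enc(keys, L0, R0)) == (L0, R0)
```

Decryption runs the same rounds with the key schedule reversed, using only forward evaluations of $F$.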

## Luby-Rackoff Theorem

If $F$ is a secure PRF, then 3-round Feistel with independent $k$ yields a secure PRP.

This shows that the Feistel network is a good heuristic for block cipher design, so long as $F$ is a PRF.

In practice DES uses a 16-round Feistel network: the hope is that enough rounds of scrambling by $F$ will confuse any adversary.

## Feistel Round Function

The block size of DES is 64 bits and the key size is 56 bits. Each round function $F$ takes a 48-bit round key.

DES generates each 48-bit round key from the 56-bit key; a simple way is that each 48-bit round key is a subset of the bits of the original 56-bit key.

• $E$ expands the 32-bit input into a 48-bit output by rearranging and replicating input bits.
• $P$ is a mixing permutation, mapping a 32-bit input to a 32-bit output by rearranging bits.
• $S_i$ is an S-Box (substitution box), mapping 6 bits to 4 bits by a truth table. S-Boxes are highly non-linear functions, which is the source of non-linearity in the design.

# AES (Even-Mansour)

Even-Mansour construction follows
$$\require{AMScd} \begin{CD} @.k_1 @. k_2\newline @.@V VV @V VV\newline x @>>>\oplus @>\pi>> \oplus @>>> y \end{CD}$$
where $\pi$ is a permutation.

The inversion from $y$ to $x$ can be constructed by $\pi^{-1}$ where
$$\require{AMScd} \begin{CD} @.k_1 @. k_2\newline @.@V VV @V VV\newline x @<<<\oplus @<\pi^{-1}<< \oplus @<<< y \end{CD}$$
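A byte-sized sketch of the construction, with $\pi$ a fixed shuffled lookup table (a toy public permutation, not a cryptographic one):

```python
# Even-Mansour on single bytes: E(x) = π(x ⊕ k1) ⊕ k2, inverted via π^{-1}.
import random

rng = random.Random(0)
table = list(range(256))
rng.shuffle(table)                    # public permutation π on bytes
inv_table = [0] * 256
for i, t in enumerate(table):
    inv_table[t] = i                  # π^{-1}

def em_enc(k1: int, k2: int, x: int) -> int:
    return table[x ^ k1] ^ k2         # y = π(x ⊕ k1) ⊕ k2

def em_dec(k1: int, k2: int, y: int) -> int:
    return inv_table[y ^ k2] ^ k1     # x = π^{-1}(y ⊕ k2) ⊕ k1

k1, k2 = 0x3A, 0xC5
assert all(em_dec(k1, k2, em_enc(k1, k2, x)) == x for x in range(256))
```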

## Even-Mansour Theorem

If $\pi$ is modeled as a random permutation, then the Even-Mansour cipher is a secure PRP. Details about SubBytes, ShiftRows, and MixColumns can be found in the previous note.

# Message Integrity and Message Authentic Code (MAC)

Message integrity is needed when an adversary can tamper with messages. A “tag”, or signature, is appended to a message to prove integrity.

The signature should be computed with a keyed function; otherwise it could be forged by any adversary.

## MAC

A MAC with key-space $\mathcal{K}$, message space $\mathcal{M}$ and tag space $\mathcal{T}$ is a tuple of algorithms $\pi_{MAC} = (\text{Sign, Verify}): \begin{cases}\text{Sign}&\mathcal{K\times M\to T}\newline \text{Verify} &\mathcal{K\times M\times T}\to\lbrace 0,1\rbrace \end{cases}$.

$(\text{Sign, Verify})$ must be efficiently computable. The correctness of such algorithm is guaranteed by $\forall k \in \mathcal{K}, \forall m \in \mathcal{M}, \Pr\lbrack \text{Verify}(k,m,\text{Sign}(k,m)) = 1\rbrack = 1$.

Intuitively, an adversary cannot compute a signature without knowledge of the key, and it should also not learn anything about the key from existing messages or signatures.

A MAC satisfies existential unforgeability against chosen message attack if $\forall \mathcal{A}$, $\text{MACAdv}\lbrack\mathcal{A},\pi_{MAC}\rbrack = \Pr\lbrack W=1\rbrack = \text{negl}(\lambda)$, where $W$ is the output of the security game. $W = 1 \iff \text{Verify}(k, m^\ast, t^\ast) = 1$ and $(m^\ast,t^\ast)\notin\lbrace (m_1,t_1),\dots,(m_q, t_q)\rbrace$, where $q$ denotes the number of queries.

## MAC from PRF

Let $F :\mathcal{K\times M\to T}$ be a secure PRF, then we have $\begin{cases}\text{Sign}(k,m)&\text{output }t\leftarrow F(k,m)\newline\text{Verify}(k,m,t)&\text{output } 1\text{ if }t = F(k,m)\text{ and }0\text{ otherwise}\end{cases}$ to be $\pi_{MAC}$ over $(\mathcal{K,M,T})$.

Theorem: If $F$ is a secure PRF with a sufficiently large range, $\pi_{MAC}$ defined above is a secure MAC: for every efficient MAC adversary $\mathcal{A}$, there exists an efficient PRF adversary $\mathcal{B}$ such that
$$\text{MACAdv}\lbrack \mathcal{A},\pi_{MAC}\rbrack \le \text{PRFAdv}\lbrack \mathcal{B},F\rbrack + \dfrac{1}{|\mathcal{T}|}$$

The proof intuition goes as follows:

• PRF is computationally indistinguishable from the truly random function.
• If we replace PRF with truly random function from $\text{Func}\lbrack\mathcal{M,T}\rbrack$, adversary wins the MAC game with only $\dfrac{1}{|\mathcal{T}|}$ probability.
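A minimal instantiation of this $\pi_{MAC}$, using HMAC-SHA256 as the secure PRF $F$ (a standard choice, substituted here for the abstract $F$):

```python
# MAC from a PRF: Sign computes t = F(k, m); Verify recomputes and compares.
import hmac, hashlib, os

def sign(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, m, hashlib.sha256).digest()      # t ← F(k, m)

def verify(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(sign(k, m), t)           # constant-time compare

k = os.urandom(32)
t = sign(k, b"attack at dawn")
assert verify(k, b"attack at dawn", t)
assert not verify(k, b"attack at dusk", t)              # wrong message rejected
```

The constant-time comparison avoids leaking how many tag bytes matched, which is orthogonal to the game-based security above but important in practice.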

If we want to sign a longer message, we can look into two types of constructions:

• Constructing a large-domain PRF from a small-domain PRF
• Hash-based construction

## CBC-MAC

CBC without an IV can build a MAC, often called raw-CBC. But raw-CBC is not secure for messages sharing a prefix; it is only secure for prefix-free message sets.

The attack can be formulated:

• We query for MAC on an arbitrary block $x$ and get a $t = F(k, x)$.
• The tag of the two-block message $(x, x\oplus t)$ is then also $t$, since the second CBC step computes $F(k, (x\oplus t)\oplus t) = F(k, x) = t$; no further query is needed to forge it.

So the adversary succeeds with probability 1.
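The attack can be replayed concretely; the 16-byte block PRF below is a truncated HMAC standing in for a real block cipher:

```python
# Raw-CBC forgery: the tag of (x, x ⊕ t) equals the tag t of x.
import hmac, hashlib, os

B = 16  # block size in bytes

def F(k: bytes, x: bytes) -> bytes:
    """Toy block PRF: truncated HMAC-SHA256 (stands in for AES)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:B]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def raw_cbc_mac(k: bytes, blocks) -> bytes:
    c = bytes(B)                       # no IV: the chain starts at 0
    for m in blocks:
        c = F(k, xor(m, c))
    return c

k = os.urandom(32)
x = os.urandom(B)
t = raw_cbc_mac(k, [x])                # query: tag of the one-block message x
forged = [x, xor(x, t)]                # forgery: the two-block message (x, x ⊕ t)
assert raw_cbc_mac(k, forged) == t     # second block feeds F(k, x ⊕ t ⊕ t) = t
```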

### ECBC

raw-CBC builds a MAC for fixed-length messages; we can construct a MAC for variable-length messages via Encrypted-CBC (ECBC). A CBC-constructed MAC requires the message length to be a multiple of the block size, so we must introduce a padding function. Padding must be injective, or different messages may end up with the same MAC.

A standard padding is $\texttt{0b1000\dots}$, since it guarantees no collisions and is easy to implement.

ECBC limitations are

• Always need two keys for PRF

We can make raw CBC-MAC work by restricting to prefix-free messages, e.g., prepending the message length to the message.

But this is problematic if we do not know the message length in advance, as in streaming.

### CMAC

Alternatively, we can secretly apply a random shift to the last block of the message: $(x_1,x_2,\dots,x_n)\mapsto (x_1,x_2,\dots,x_n\oplus k)$ where $k \overset{R}{\leftarrow}\mathcal{X}$; this is called cipher-based MAC (CMAC).

The adversary wins the game with advantage $\dfrac{1}{|\mathcal{X}|}$ if it can guess $k$. The key for CMAC is $(k, k_1, k_2)$, where $k_1$ is used for unpadded messages and $k_2$ for padded ones.

The nested MAC (NMAC) construction needs keys $(k, k_2)$ in total. If $\mathcal{K}$ is smaller than $\mathcal{X}$, then we need to pad; the padding is just a hard-coded constant, which can be a string of $0$s.

Theorem: Let $F:\mathcal{K\times X\to X}$ (for ECBC) and $F:\mathcal{K\times X \to K}$ (for NMAC); then for every MAC adversary $\mathcal{A}$, there exists a PRF adversary $\mathcal{B}$ such that
\begin{aligned} \text{MACAdv}\lbrack\mathcal{A},\pi_{ECBC}\rbrack &\le 2\cdot \text{PRFAdv}\lbrack \mathcal{B},F\rbrack + \dfrac{Q^2(l+1)^2}{|\mathcal{X}|}\newline \text{MACAdv}\lbrack\mathcal{A},\pi_{NMAC}\rbrack &\le (Q(l+1) + 1)\cdot \text{PRFAdv}\lbrack \mathcal{B},F\rbrack + \dfrac{Q^2}{2|\mathcal{K}|} \end{aligned}

So first we prove that for every prefix-free PRF adversary $\mathcal{A}$ that attacks $F_{CBC}$ with at most $Q$ queries, there exists a PRF adversary $\mathcal{B}$ that attacks $F$ such that
$$\text{PRF}^{\text{pf}}\text{adv}\lbrack\mathcal{A},F_{CBC}\rbrack \le \text{PRFAdv}\lbrack\mathcal{B},F\rbrack + \dfrac{(Ql)^2}{2|\mathcal{X}|}$$
We present the adversary’s queries in a rooted tree, where edges are labeled with message blocks $a_i$; a message $m = (a_1,\dots,a_v) \in \mathcal{X}^v, 1 \le v\le l$ defines a path from the root: $root \overset{a_1}{\rightarrow} p_1 \cdots \overset{a_v}{\rightarrow} p_v$.

We associate a value $\gamma_p\in\mathcal{X}$ to each node, the computed chaining value in the CBC query tree. Define $\gamma_{root} = 0^n$, and for $p\overset{a}{\rightarrow}q$, $\gamma_q = F(k,a \oplus \gamma_{p})$.

1. We use PRF in the CBC mode.

2. Replace $F(k,\cdot)$ with some $f \overset{R}{\leftarrow}\text{Funs}\lbrack\mathcal{X,X}\rbrack$.

3. Make $f$ a “faithful gnome”: the challenger prepares random values $\beta_i\overset{R}{\leftarrow}\mathcal{X}$ for $i = 1,\dots,B$ with $B = Ql$.

For each new edge $p\overset{a}{\rightarrow}q$, the challenger must satisfy

• $\gamma_q\leftarrow \beta_i$ for the next fresh $\beta_i$;
• if $\exists$ another edge $p’\overset{a’}{\rightarrow} q’$ with $\gamma_{p’}\oplus a’ = \gamma_p \oplus a$, then instead $\gamma_q \leftarrow \gamma_{q’}$.
4. Make the challenger forgetful: always follow $\gamma_q \leftarrow \beta_i$.

To analyze the change, suppose that for a distinct pair of edges $p \overset{a}{\rightarrow} q$ and $p’ \overset{a’}{\rightarrow} q’$ we have $\gamma_{p’}\oplus a’ = \gamma_p \oplus a$.

If $p = p’$, then since the edges are distinct we must have $a \ne a’$, and $\gamma_{p’}\oplus a’ = \gamma_p \oplus a$ cannot hold; so $p \neq p’$.

Since $\mathcal{A}$ never learns anything about $\gamma_{p’}$ and $\gamma_{p}$, the value $\gamma_p \oplus \gamma_{p’}$ is uniformly distributed over $\mathcal{X}$ and independent of $a \oplus a’$, so each pair of edges collides with probability $\dfrac{1}{|\mathcal{X}|}$.

Thus $|\Pr\lbrack W_0\rbrack - \Pr\lbrack W_1\rbrack | = \text{PRFAdv}\lbrack\mathcal{B},F\rbrack$, $\Pr\lbrack W_2 \rbrack = \Pr\lbrack W_1 \rbrack$, $|\Pr\lbrack W_2\rbrack - \Pr\lbrack W_3\rbrack |\le \dfrac{(Ql)^2}{2|\mathcal{X}|}$.

Also, for every PRF adversary $\mathcal{A}$ that attacks $F^\ast$ (the cascade of $F$) with at most $Q$ queries, there exists a PRF adversary $\mathcal{B}$ that attacks $F$, where $\mathcal{B}$ is a wrapper around $\mathcal{A}$, such that
$$\text{PRF}^\text{pf}\text{adv}\lbrack\mathcal{A},F^\ast\rbrack \le Ql\cdot \text{PRFadv}\lbrack \mathcal{B},F\rbrack$$
We can build a tree construction, combining the hybrid argument (described in §4.6 of the Boneh–Shoup book) over the cascaded PRFs; handling $Q$ queries in parallel adds the factor of $Q$.

Let $PF$ be an extendable and prefix-free secure PRF defined over $(\mathcal{K_1, X^{\le l}, Y})$, $F$ be a secure PRF defined over $(\mathcal{K_2,Y,T})$. Then $EF$ is a secure PRF defined over $(\mathcal{K_1 \times K_2, X^{\le l},T})$.

For every PRF adversary $\mathcal{A}$ that attacks $EF$ with at most $Q$ queries, there exist a PRF adversary $\mathcal{B}_1$ attacking $F$ and a prefix-free PRF adversary $\mathcal{B}_2$ attacking $PF$, where $\mathcal{B_1,B_2}$ are wrappers around $\mathcal{A}$, such that
$$\text{PRFadv}\lbrack \mathcal{A},EF\rbrack \le \text{PRFadv}\lbrack\mathcal{B}_1,F\rbrack + \text{PRF}^\text{pf}\text{adv}\lbrack\mathcal{B_2},PF\rbrack + \dfrac{Q^2}{2|\mathcal{Y}|}$$
In this way, the MAC advantage bound follows directly from this theorem together with the previous two.


All info comes from David Wu’s Lecture and Boneh-Shoup Book.

This note will be focusing on PRG security, PRF and Block Cipher.

Claim: If a PRG with non-trivial stretch ($n > \lambda$) exists, then $P\neq NP$.

Suppose $G :\lbrace 0,1\rbrace^\lambda \to \lbrace 0,1\rbrace^n$ is a secure PRG, consider the decision problem: on input $t\in \lbrace 0, 1\rbrace ^n$, does there exist $s \in \lbrace 0,1\rbrace^\lambda$ such that $t = G(s)$.

The reverse search of $G$ is in $NP$. If $G$ is secure, then no poly-time algorithm can solve this problem.

If there were a poly-time algorithm for this problem, it would break the PRG with advantage $1 - \dfrac{1}{2^{n-\lambda}} > \dfrac{1}{2}$, since $n>\lambda$.
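The decision problem can be made concrete with a toy expander standing in for $G$ (a purely illustrative sketch; `G`, `in_image`, and the parameters are hypothetical choices, and this toy $G$ is of course not secure):

```python
lam, n = 4, 8  # seed length and output length in bits, with n > lam

def G(s: int) -> int:
    # Hypothetical toy "PRG": a fixed expansion rule (not secure at all).
    return (s * 0x9E) % (2 ** n)

def in_image(t: int) -> bool:
    # The NP decision problem: does some seed s satisfy G(s) = t?
    # Brute force here; a poly-time solver would break any real PRG.
    return any(G(s) == t for s in range(2 ** lam))

# The image covers at most 2^lam of the 2^n outputs, so answering
# in_image in polynomial time distinguishes G(s) from uniform with
# advantage at least 1 - 2^(lam - n).
image = {G(s) for s in range(2 ** lam)}
assert len(image) <= 2 ** lam
```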

# CPA (Chosen Plaintext Attack) Security

Semantic security should still hold even if the adversary sees multiple ciphertexts.

The adversary can send multiple rounds of message queries $m_0,m_1 \in \mathcal{M}$ to the challenger, and the challenger sends back one ciphertext $c_b$ per round with $k \overset{R}{\longleftarrow}\mathcal{K}$ and $b \in \lbrace 0, 1\rbrace$; semantic security should still hold.

CPA-Secure is defined by: An encryption scheme $\Pi_{SE} = (\text{Encryption},\text{Decryption})$ is CPA-Secure if $\forall \mathcal{A}$ efficient adversaries: $\text{CPAAdv}\lbrack \mathcal{A},\Pi_{SE}\rbrack = |\Pr\lbrack W_0 = 1\rbrack - \Pr\lbrack W_1 = 1\rbrack | = \text{negl}$.

$W_b$ denotes the experiment that encrypts $m_b$ and $\mathcal{A}$’s guessing result. A stream cipher is not CPA-secure:

• The query number is 2, a constant.
• $\Pr\lbrack \text{output}=1 \vert b=0\rbrack = 0$ and $\Pr\lbrack \text{output} = 1\vert b=1\rbrack = 1$, thus $\text{CPAAdv}\lbrack\mathcal{A},\Pi_{SE}\rbrack = 1 \gg\text{negl}$.

One thing we notice is that CPA-secure encryption is randomized rather than deterministic. Encrypting the same message twice should not reveal that identical messages were encrypted.
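The failure of deterministic encryption can be seen directly: with a stream-cipher-style scheme, two CPA queries for the same message yield identical ciphertexts. A minimal sketch (the key-stream bytes below are arbitrary):

```python
def stream_enc(key_stream: bytes, m: bytes) -> bytes:
    # Deterministic stream cipher: the same pad is reused for every query.
    return bytes(a ^ b for a, b in zip(m, key_stream))

ks = b"\x13\x37\xba\xbe"
c1 = stream_enc(ks, b"\x00\x00")  # CPA query 1: encrypt m_0
c2 = stream_enc(ks, b"\x00\x00")  # CPA query 2: encrypt m_0 again
assert c1 == c2  # identical ciphertexts: the adversary wins with advantage 1
```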

# PRF and PRP (Block Cipher)

A key crypto building block is the PRF (pseudorandom function). A similar notion is the PRP (pseudorandom permutation), or block cipher.

A block cipher is an invertible keyed function: it takes in a block of $n$ bits and outputs $n$ bits.

But a block cipher by itself is not an encryption scheme, and using it directly as one yields a badly broken construction. It is a building block for secure encryption (CPA-secure or even stronger).

We say $F:\mathcal{K}\times\mathcal{X}\to\mathcal{Y}$ with key space $\mathcal{K}$, domain $\mathcal{X}$ and range $\mathcal{Y}$ is a secure PRF if every efficient $\mathcal{A}$ has $|W_0 - W_1| = \text{negl}$, where $W_b$ is the probability that $\mathcal{A}$ outputs 1 in experiment $b$ (real $F(k,\cdot)$ versus $f \overset{R}{\leftarrow}\text{Funs}\lbrack\mathcal{X,Y}\rbrack$). We define $\text{PRFAdv}\lbrack\mathcal{A}, F\rbrack = |W_0 - W_1|$.

The size of $\text{Funs}\lbrack\mathcal{X,Y}\rbrack = |\mathcal{Y}|^{|\mathcal{X}|}$.

PRP is a $F:\mathcal{K}\times\mathcal{X}\to\mathcal{X}$ if

• $\forall k \in \mathcal{K}$, $F(k,\cdot)$ is a permutation on $\mathcal{X}$.
• $F^{-1}(k,\cdot)$ is efficient to compute $\forall x\in\mathcal{X},\forall k\in\mathcal{K}, F^{-1} (k,F(k,x))=x$.
• $k\overset{R}{\leftarrow} \mathcal{K}: F(k,\cdot)$ is computationally indistinguishable from $f(\cdot) \overset{R}{\leftarrow}\text{Perm}\lbrack \mathcal{X}\rbrack$. ($\text{Perm}\lbrack \mathcal{X}\rbrack$ is the set of all permutations on $\mathcal{X}$)

In this way, block cipher is another term for PRP.

# PRF implies PRG

Noticing that a block cipher has form $F:\lbrace 0,1\rbrace^\lambda \times \lbrace 0,1\rbrace ^n\to\lbrace 0,1\rbrace ^n$, we can define a PRG with $G:\lbrace 0,1\rbrace^\lambda \to \lbrace 0,1\rbrace^{ln}$, $G(k) = F(k,1)\parallel F(k,2) \parallel \cdots \parallel F(k,l)$.

Theorem: If $F$ is a secure PRF, then $G$ is a secure PRG.

We can construct the following experiment, say if $G$ is not secure, we can use it to break $F$. We can see that $\text{PRFAdv}\lbrack \mathcal{B},F\rbrack = |W_0 - W_1| = \text{PRGAdv}\lbrack \mathcal{A}, G\rbrack$.

$\mathcal{B}$ is efficient since $\mathcal{A}$ is efficient and $l$ is polynomial ($l < 2^n$, i.e. $n > \log l$).
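The construction $G(k) = F(k,1)\parallel\cdots\parallel F(k,l)$ can be sketched with HMAC-SHA256 as a stand-in PRF (an assumption made for illustration; the note does not fix a concrete $F$):

```python
import hmac
import hashlib

def F(k: bytes, x: int) -> bytes:
    # Stand-in PRF: HMAC-SHA256 with the counter as the input block.
    return hmac.new(k, x.to_bytes(8, "big"), hashlib.sha256).digest()

def G(k: bytes, l: int) -> bytes:
    # G(k) = F(k,1) || F(k,2) || ... || F(k,l)
    return b"".join(F(k, i) for i in range(1, l + 1))

assert len(G(b"seed", 4)) == 4 * 32  # l blocks of n = 256 bits each
```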

## PRF and PRP Distinctions

One thing we must note is that the definitions of PRF and PRP differ slightly. For a random function, $f(1)=f(2)$ with probability $\dfrac{1}{2^n}$, but for a random permutation $f(1) = f(2)$ has probability 0.

The adversary will not know until he sees a collision, or $f(x) = f(y)$.

PRF Switching Lemma: Let $F :\mathcal{K\times X \to X}$ be a secure PRP. For any $Q$-query adversary $\mathcal{A}$, $|\text{PRPAdv}\lbrack \mathcal{A},F\rbrack - \text{PRFAdv}\lbrack \mathcal{A}, F\rbrack| \leq \dfrac{Q^2}{2|\mathcal{X}|}$.

Since $\Pr\lbrack x ,y \overset{R}{\leftarrow}\mathcal{X}:x=y\rbrack = \dfrac{1}{|\mathcal{X}|}$, and $Q$ queries take $Q$ random points forming about $\dfrac{Q^2}{2}$ pairs, the total collision probability is at most $\dfrac{Q^2}{2|\mathcal{X}|}$.

The adversary needs roughly $Q \sim \sqrt{|\mathcal{X}|}$ queries to exploit this; if $Q \ll \sqrt{|\mathcal{X}|}$, it is safe to use a PRP as a PRF.
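The birthday bound behind the switching lemma is easy to check empirically (the set size and query count below are arbitrary choices):

```python
import random

def collision_prob(X: int, Q: int, trials: int = 2000) -> float:
    # Empirical probability that Q uniform draws from a size-X set collide.
    hits = 0
    for _ in range(trials):
        points = [random.randrange(X) for _ in range(Q)]
        hits += len(set(points)) < Q
    return hits / trials

# With Q on the order of sqrt(|X|), collisions are already common,
# matching the Q^2 / (2|X|) scale of the bound.
p = collision_prob(X=10_000, Q=100)
assert 0.2 < p < 0.7
```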

# PRF/PRP Reusable Encryption Scheme

In this way, a PRP/PRF in “counter mode” gives us a stream cipher, but this alone is just a one-time encryption scheme.

## Randomized Counter Mode

$$\newcommand{\da}[1]{\bigg\downarrow\raise.5ex\rlap{\scriptstyle#1}} \begin{array}{ccccccccc} IV &&&& IV &&&& IV+1 &&&& \dots &&&& IV+l-1\newline &&&& \da{E_k} &&&& \da{E_k} &&&& &&&& \da{E_k}\newline &&m_1\longrightarrow&&\oplus&&m_2\longrightarrow&&\oplus&&&&&&m_{l}\longrightarrow&&\oplus\newline &&&&\da{}&&&&\da{}&&&&&&&&\da{}\newline IV &&&&c_1&&&&c_2&&&&\dots&&&&c_{l} \end{array}$$

We can choose a random starting point called initializing vector, and this is called randomized counter mode.

Theorem: Let $F : \mathcal{K\times X \to Y}$ be a secure PRF and $\Pi_{CTR}$ be the randomized counter mode encryption scheme for $l$-block messages ($\mathcal{M=Y^{\leq l}}$).

Then $\forall\mathcal{A}$ efficient CPA adversaries, $\exists\mathcal{B}$ efficient PRF adversary
$$\text{CPAAdv}\lbrack\mathcal{A},\Pi_{CTR}\rbrack \leq \dfrac{4Q^2l}{|\mathcal{X}|} + 2\cdot \text{PRFAdv}\lbrack\mathcal{B},F\rbrack$$
The proof intuition can be considered:

• If there are no collision, or PRF never evaluate on a same block, then it is as if everything is encrypted under OTP.

• Collision event: $(x, x+1,\dots, x+l-1)$ overlaps with $(x’,x’+1,\dots,x’+l-1)$ when $x,x’\overset{R}{\longleftarrow}\mathcal{X}$; the probability of this collision is at most $\dfrac{2l}{|\mathcal{X}|}$.

The total possible pairs among $Q$ queries will be $\leq Q^2$, thus $\Pr\lbrack\text{collision}\rbrack \leq \dfrac{2lQ^2}{|\mathcal{X}|}$.

• Design 4 experiments with intermediate distributions:

• $W_0$: Encrypt $m_0$ with PRF
• $W_1$: Encrypt $m_0$ with OTP
• $W_2$: Encrypt $m_1$ with OTP
• $W_3$: Encrypt $m_1$ with PRF

Here $|W_0 - W_1|, |W_2 - W_3| \le \dfrac{2Q^2l}{|\mathcal{X}|} + \text{PRFAdv}\lbrack\mathcal{B},F\rbrack$ and $|W_1 - W_2| = 0$ by perfect secrecy of the OTP; by the triangle inequality, $|W_0 - W_3|$, which is the CPA advantage, must satisfy $\text{CPAAdv}\lbrack\mathcal{A},\Pi_{CTR}\rbrack \leq \dfrac{4Q^2l}{|\mathcal{X}|} + 2\cdot \text{PRFAdv}\lbrack\mathcal{B},F\rbrack$.

### Nonce-Based Counter Mode

Divide $IV$ into two pieces: $IV = \text{nonce} \parallel \text{counter}$.

The only requirement here is that the nonce does not repeat in the encryption process.

Counter mode can be parallelized.
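Randomized counter mode can be sketched with a hash-based toy PRF (an illustrative stand-in, not a vetted block cipher):

```python
import hashlib

def prf(key: bytes, counter: int) -> bytes:
    # Toy PRF stand-in: SHA-256 of key || counter gives one 32-byte pad block.
    return hashlib.sha256(key + counter.to_bytes(16, "big")).digest()

def ctr_xcrypt(key: bytes, iv: int, data: bytes) -> bytes:
    # Encryption and decryption are the same operation: XOR with the pad stream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = prf(key, iv + i // 32)
        out += bytes(m ^ p for m, p in zip(data[i:i + 32], pad))
    return bytes(out)

iv = 42  # in the real scheme, IV is chosen at random and sent in the clear
ct = ctr_xcrypt(b"k" * 16, iv, b"attack at dawn")
assert ctr_xcrypt(b"k" * 16, iv, ct) == b"attack at dawn"
```

Each block depends only on its own counter value, which is why counter mode parallelizes.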

## Cipher Block Chaining (CBC Mode)

Cipher blocks are chained together during encryption:
$$\newcommand{\ra}[1]{!!!!!!!!!!!!\xrightarrow{\quad#1\quad}!!!!!!!!} \newcommand{\da}[1]{\bigg\downarrow\raise.5ex\rlap{\scriptstyle#1}} \begin{array}{ccccccccc} &&&&b_0&&&&b_1&&&&b_2&&&&\dots&&&&b_n\newline &&&&\Big\downarrow&&&&\Big\downarrow&&&&\Big\downarrow&&&&&&&&\Big\downarrow\newline IV&&\to&&\oplus&&&&\oplus&&&&\oplus&&&&&&&&\oplus\newline &&&&\da{E_k}&&\nearrow&&\da{E_k}&&\nearrow&&\da{E_k}&&\nearrow&&&&\nearrow&&\da{E_k}\newline &&&&c_0&&&&c_1&&&&c_2&&&&&&&&c_n \end{array}$$

and the structure of decryption is
$$\newcommand{\ra}[1]{!!!!!!!!!!!!\xrightarrow{\quad#1\quad}!!!!!!!!} \newcommand{\da}[1]{\bigg\downarrow\raise.5ex\rlap{\scriptstyle#1}} \begin{array}{ccccccccc} &&&&c_0&&&&c_1&&&&c_2&&&&\dots&&&&c_n\newline &&&&\da{E_k^{-1}}&&\searrow&&\da{E_k^{-1}}&&\searrow&&\da{E_k^{-1}}&&\searrow&&&&\searrow&&\da{E_k^{-1}}\newline IV&&\to&&\oplus&&&&\oplus&&&&\oplus&&&&&&&&\oplus\newline &&&&\da{}&&&&\da{}&&&&\da{}&&&&&&&&\da{}\newline &&&&b_0&&&&b_1&&&&b_2&&&&&&&&b_n \end{array}$$
Theorem: Let $F: \mathcal{K\times X\to X}$ be a secure PRP (decryption needs $E_k^{-1}$, so a PRF does not suffice) and $\Pi_{CBC}$ be the CBC encryption scheme for $l$-block messages ($\mathcal{M = X^{\leq l}}$).

Then $\forall\mathcal{A}$ efficient CPA adversaries, $\exists\mathcal{B}$ efficient PRF adversary
$$\text{CPAAdv}\lbrack\mathcal{A},\Pi_{CBC}\rbrack \leq \dfrac{2Q^2l^2}{|\mathcal{X}|} + 2\cdot \text{PRFAdv}\lbrack\mathcal{B},F\rbrack$$

The only difference in the proof is the collision event: instead of $Q$ intervals of length $l$, we now have $Ql$ random blocks that must all be distinct.
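CBC’s chaining structure can be sketched over integer blocks with a toy invertible “block cipher” (XOR with the key — insecure, chosen only because it is trivially a permutation):

```python
def toy_perm(key: int, block: int) -> int:
    # Toy permutation standing in for E_k; XOR is its own inverse.
    return block ^ key

def cbc_encrypt(key: int, iv: int, blocks: list) -> list:
    ct, prev = [], iv
    for b in blocks:
        prev = toy_perm(key, b ^ prev)  # chain: XOR with previous ciphertext
        ct.append(prev)
    return ct

def cbc_decrypt(key: int, iv: int, blocks: list) -> list:
    pt, prev = [], iv
    for c in blocks:
        pt.append(toy_perm(key, c) ^ prev)  # invert E_k, then un-chain
        prev = c
    return pt

msg = [3, 1, 4, 1, 5]
assert cbc_decrypt(7, 9, cbc_encrypt(7, 9, msg)) == msg
```

Decryption applies $E_k^{-1}$, which is why CBC requires a PRP rather than just a PRF.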


All info comes from David Wu’s Lecture and Boneh-Shoup Book.

This note will focus mainly on perfect security, semantic security and PRGs (pseudorandom generators).

The overall goal of cryptography is to secure communication over an untrusted network. Two things must be achieved:

• Confidentiality: No one can eavesdrop on the communication
• Integrity: No one can tamper with the communication

# Perfect Security

A cipher $(Enc, Dec)$ is perfectly secure if $\forall m_0, m_1 \in M$ and $\forall c\in C$, $\Pr[k\overset{R}{\longleftarrow} K: Enc(k, m_0) = c] = \Pr[k\overset{R}{\longleftarrow} K:Enc(k,m_1) = c]$.

The $k$ in the two $\Pr$ may refer to different keys; each $\Pr$ simply denotes $\dfrac{\text{number of }k\text{ such that }Enc(k, m) = c}{|K|}$.

## OTP is Perfectly Secure

For every fixed $m \in \lbrace 0, 1\rbrace^n$ and every $c \in \lbrace 0, 1\rbrace^n$, there is a unique $k \in \lbrace 0, 1\rbrace^n$ with $m \oplus k = c$.

Considering the perfect security definition, exactly one $k$ encrypts $m$ to $c$. Thus $\Pr = \dfrac{1}{|K|} = \dfrac{1}{2^n}$ on both sides, and the equation is satisfied.
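The counting argument can be verified exhaustively for small $n$ (here $n = 3$, with keys and messages encoded as integers):

```python
from itertools import product

n = 3

def enc(k: int, m: int) -> int:
    # One-time pad on n-bit strings, represented as integers.
    return k ^ m

# For every message m and ciphertext c, exactly one key maps m to c,
# so Pr[Enc(k, m) = c] = 1 / |K| independently of m.
for m, c in product(range(2 ** n), repeat=2):
    count = sum(1 for k in range(2 ** n) if enc(k, m) == c)
    assert count == 1
```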

## Shannon “Bad News” Theorem

If a cipher is perfectly secure, then $|K| \ge |M|$.

Assume $|K| < |M|$, we want to show it is not perfect secure. Let $k_0 \in K$ and $m_0 \in M$, then $c \leftarrow Enc(k_0, m_0)$. Let $S = \lbrace Dec(k, c): k \in K\rbrace$, we can see $|S| \le |K| < |M|$.

We can see that $\Pr\lbrack k \overset{R}{\longleftarrow} K: Enc(k, m_0) = c\rbrack > 0$; if we choose $m_1 \in M \backslash S$, then $\not\exists k \in K: Enc(k, m_1) = c$, so the two probabilities differ. Thus it is not perfectly secure. $\square$

We can observe that perfect security requires a large key space: $|K|$ large, hence long key strings.

Even given infinite computational power, the adversary cannot break security: since $|K| = |C| = |M|$, no information about $m$ can be retrieved from $c$ alone.

More generally, for an arbitrary $c$ and $m_0, m_1\in M$, the probability of encrypting either message to the fixed $c$ is the same over $k \in K$, so computational power does not help.

The cost is high, however, since $k$ must be shared in advance and may be as long as the message.

# Semantic Security

We relax the security requirement imposed by Shannon’s theorem to get more flexibility in the key length. We only consider computationally bounded adversaries here, rather than adversaries with unlimited computational power.

## Predicate

We define a boolean function $\phi$ that takes $c$ and returns a boolean value.

It is easy to see that a cipher $\mathcal{E} = (E,D)$ is perfectly secure if and only if $\forall \phi,\Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_0))\rbrack = \Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_1))\rbrack$.

If $\mathcal{E} = (E,D)$ is perfectly secure, then let $S = \lbrace c \in C:\phi(c)\rbrace$ and we have
$$\Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_0))\rbrack = \sum\limits_{c\in S} \Pr\lbrack k\overset{R}{\longleftarrow}K: \text{Enc}(k,m_0) = c \rbrack = \sum\limits_{c\in S} \Pr\lbrack k\overset{R}{\longleftarrow}K: \text{Enc}(k,m_1) = c \rbrack = \Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_1))\rbrack$$
Conversely, suppose $\Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_0))\rbrack = \Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_1))\rbrack$ but $\mathcal{E}$ is not perfectly secure; then we can construct a $\phi$ that is true only for the distinguishing ciphertext $c$.

Then $\Pr[k\overset{R}{\longleftarrow} K: Enc(k, m_0) = c] \neq \Pr[k\overset{R}{\longleftarrow} K:Enc(k,m_1) = c]$, a contradiction.

Semantic Security is a weaker definition than perfect security.

Consider a deterministic cipher $\mathcal{E} = (E, D)$ over $(K,M,C)$, we can relax perfect security $\Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_0))\rbrack = \Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_1))\rbrack$ to
$$|\Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_0))\rbrack - \Pr\lbrack k\overset{R}{\longleftarrow}K:\phi(\text{Enc}(k,m_1))\rbrack| \le \epsilon$$

## Attack Game Experiment and Advantage

The attack game or experiment can help formulate semantic security. Two experiments are involved and indexed by $b \in \lbrace 0,1\rbrace$.

$\mathcal{A}$ may follow any efficient protocol, it chooses two messages and receives encryption of one of them, it needs to guess which one by returning $\hat{b}$ of which message.

The goal is to capture the property that no efficient adversary can learn any information about the message given only the ciphertext, i.e. cannot distinguish an encryption of $m_0$ from an encryption of $m_1$. Let $\begin{cases}W_0 = \Pr\lbrack\hat{b} = 1 | b=0 \rbrack\newline W_1 = \Pr\lbrack\hat{b} = 1 | b=1 \rbrack\end{cases}$ be the probabilities that the adversary outputs 1 in the $b^\text{th}$ experiment.

If the adversary learns something, then $W_0$ and $W_1$ will differ noticeably.

We can define adversary $\mathcal{A}$’s semantic security advantage w.r.t. $\mathcal{E}$ as $\text{SSadv}\lbrack \mathcal{A,E}\rbrack = |W_0 - W_1|$.

A cipher $\mathcal{E}$ is semantically secure if $\forall \mathcal{A}$ efficient, $\text{SSadv}\lbrack \mathcal{A,E}\rbrack = |W_0 - W_1| = \text{negl}(\lambda)$.

We can also prove “if $\mathcal{E}$ is perfectly secure, then it is semantically secure” in this perspective.

Since we can let
$$\underbrace{\Pr[k\overset{R}{\longleftarrow} K: Enc(k, m_0) = c]}_{W_0} = \underbrace{\Pr[k\overset{R}{\longleftarrow} K:Enc(k,m_1) = c]}_{W_1}$$
be the two experiments; by the previously discussed predicate argument, $\phi$ reveals no information about whether $c$ encrypts $m_0$ or $m_1$, thus $\text{SSAdv}\lbrack \mathcal{A,E}\rbrack = 0$.

# Pseudo Random Generator and Stream Cipher

The idea is to compress the OTP key by generating a long random-looking string from a small seed: $s \in \lbrace 0, 1\rbrace^\lambda \mapsto G(s) \in \lbrace 0,1\rbrace^n$, where $n \gg \lambda$ and $G$ is a deterministic algorithm.

This is a PRG (pseudorandom generator); the perfect indistinguishability of the OTP is relaxed to computational indistinguishability.

The security is discussed via the following attack game (experiment), just like semantic security. The advantage of $\mathcal{A}$ against the pseudorandom generator $G$ is defined as $\text{PRGAdv}\lbrack\mathcal{A},G\rbrack = | W_0 - W_1 |$ where $\begin{cases}W_0 = \Pr\lbrack\hat{b} = 1 | b=0 \rbrack\newline W_1 = \Pr\lbrack\hat{b} = 1 | b=1 \rbrack\end{cases}$.

A PRG $G : \lbrace 0,1\rbrace^\lambda \to \lbrace 0,1\rbrace^n$ is secure if $\forall \text{efficient }\mathcal{A}$, $\text{PRGAdv}\lbrack\mathcal{A},G\rbrack = \text{negl}(\lambda)$.

Efficient here means probabilistic polynomial time.

## PRG Stream Cipher is Semantically Secure

We can formulate the PRG-based OTP as the following scheme.

$$k = \lbrace 0, 1\rbrace^\lambda, m=c=\lbrace0,1\rbrace^n, \begin{cases} \text{Enc}(k,m) & c \longleftarrow m \oplus G(k)\newline \text{Dec}(k, c) &m\longleftarrow c \oplus G(k)\end{cases}$$
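The scheme above can be sketched with a hash-based toy PRG (an illustrative stand-in; the note does not fix a concrete $G$):

```python
import hashlib

def G(seed: bytes, n: int) -> bytes:
    # Toy PRG stand-in: expand the seed by hashing seed || counter.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def enc(seed: bytes, m: bytes) -> bytes:
    # Enc(k, m) = m XOR G(k); Dec is the same operation.
    return bytes(a ^ b for a, b in zip(m, G(seed, len(m))))

ct = enc(b"short-seed", b"hello world")
assert enc(b"short-seed", ct) == b"hello world"
```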
Suppose $G$ is secure; then the PRG OTP is semantically secure.

We can construct similar experiment that $b^\text{th}$ experiment chooses $m_0,m_1$ and receives $c_b = G(s)\oplus m_b$ where $s\overset{R}{\longleftarrow} S$. $\begin{cases}W_0 = \Pr\lbrack\hat{b} = 1 | b=0 \rbrack\newline W_1 = \Pr\lbrack\hat{b} = 1 | b=1 \rbrack\end{cases}$. We want to show $|W_0 - W_1| = \text{negl}(\lambda)$.

Since $|W_0 - W_1 | \le |W_0 -W_0’ | + |W_0’ - W_1’| + |W_1’ - W_1|$, we let $W’$ be the experiment distinguishing the PRG OTP from the random-key OTP. Since the OTP is perfectly secure, $|W_0’ - W_1’| = 0$.

$W’$: $b^{\text{th}}$ experiment chooses $m_0,m_1$ and $c_b = m_b \oplus k$ where $k \overset{R}{\longleftarrow}\lbrace 0,1\rbrace^n$. $\begin{cases}W_0’ = \Pr\lbrack\hat{b} = 1 | b=0 \rbrack\newline W_1’ = \Pr\lbrack\hat{b} = 1 | b=1 \rbrack\end{cases}$.

We want to show if $G$ is secure for efficient $\mathcal{A}$, $|W_b - W_b’| = \text{negl}(\lambda)$ and we can prove the contrapositive.

Suppose there exists an efficient $\mathcal{A}$ that can distinguish $W_b$ and $W_b’$; we want to show $G$ is not secure. We construct the attack game for $\mathcal{A}$, and then build $\mathcal{B}$’s PRG-distinguishing game using $\mathcal{A}$. In $\text{PRGAdv}\lbrack \mathcal{B},G\rbrack$, we can see that $\begin{cases}\Pr\lbrack\hat{b} = 1 | b=0 \rbrack\newline \Pr\lbrack\hat{b} = 1 | b=1 \rbrack\end{cases}$ matches exactly the behavior of the $W,W’$ experiments, and thus $\text{PRGAdv}\lbrack \mathcal{B},G\rbrack = |W_0 - W_0’| = |W_1 - W_1’|$, which is non-negligible.

Since $\mathcal{B}$ uses $\mathcal{A}$ as a subroutine and $\mathcal{A}$ is efficient, $\mathcal{B}$ is efficient.

Hence $G$ is not secure, and the contrapositive is proved. $\square$

Category Theory Note 2 Newbie Composition and Morphisms https://nomadtype.ninja/2020/01/08/cata-concept-02/ 2020-01-08T20:43:22.000Z 2020-10-12T18:47:55.705Z

Isomorphism or invertible map will be discussed in this chapter.

## Isomorphism as Invertible Map

The crucial property of such a map is that an inverse map exists: $f: A \longrightarrow B$ has an inverse $g$ satisfying $g \circ f \equiv 1_A$ and $f \circ g \equiv 1_B$.

A similarity between two collections can be given by choosing a map, which maps each element from the first one to the second one.

Thus isomorphism is also called invertible map. $A,B$ two objects are said to be isomorphic if an isomorphism $f:A\longrightarrow B$ exists. Properties:

• Reflexive: $A$ is isomorphic to $A$.
• Symmetric: If $A$ is isomorphic to $B$, $B$ is isomorphic to $A$.
• Transitive: If $A$ is isomorphic to $B$, $B$ is isomorphic to $C$, $A$ is isomorphic to $C$.

Thus it is obvious that $1_A$ is an isomorphism, and if $f:A\longrightarrow B$ is an isomorphism, then its inverse $g$ is also an isomorphism.

It is also easy to see that the inverse (if it exists) of any map $f$ is unique, so we may speak of the inverse of $f$, written $f^{-1}$.

Two basic problems may occur: one is the “determination” (or “extension”) problem, and the other is the “choice” (or “lifting”) problem.

### Examples

Consider the “determination” problem with $B = \boldsymbol{1}$. It is easy to see that $g$ is a point of $C$, that is, $g:\boldsymbol{1}\longrightarrow C$. Thus for $x \in A$, $h(x) = (g \circ f)(x) = g(b)$, where $b$ is the unique element of $B \equiv \boldsymbol{1}$.

In this way, $h$ is a constant because $\forall x \in A$, $h$ maps them to a single value $g(b)$ on $C$.

Another example concerns the “choice” problem with $A = C$. To make things easier, consider a small example: $g$ is constant and $f$ has two choices. The only way for $f$ to exist is that $|B| \ge |A|$ and every element of $C$ is mapped.

## Retraction, Section

A retraction can be defined as follows: if $f:A \longrightarrow B$, a retraction for $f$ is a map $r :B \longrightarrow A$ for which $r \circ f = 1_A$. The determination problem simplifies accordingly.

A section can be defined dually: if $f : A \longrightarrow B$, a section for $f$ is a map $s: B\longrightarrow A$ for which $f \circ s = 1_B$. The choice problem simplifies accordingly.

It is not hard to see that if $f:A\longrightarrow B$ has a section $s:B\longrightarrow A$, then $\forall T$ and $\forall m:T\longrightarrow B, \exists x:T\longrightarrow A$ such that $f \circ x = m$. The dual version: if $f:A\longrightarrow B$ has a retraction $r:B\longrightarrow A$, then $\forall T, \forall m: A\longrightarrow T, \exists x: B\longrightarrow T$ such that $x \circ f = m$.

## Epimorphism, Monomorphism, Idempotent

Suppose $f:A\longrightarrow B$ has a retraction, then $\forall T, \forall x_1, x_2:T\longrightarrow A$, if $f \circ x_1 = f\circ x_2$, then $x_1 = x_2$.

A map $f$ satisfying this conclusion is said to be injective for maps from $T$. If $\forall T$ is satisfied, then $f$ is injective, or is a monomorphism. The dual version is that $f :A\longrightarrow B$ has a section, then $\forall T, \forall x_1, x_2:B \longrightarrow T$, if $x_1 \circ f = x_2 \circ f$, then $x_1 = x_2$.

A map $f$ with cancellation property ($x_1 \circ f = x_2 \circ f$ then $x_1 = x_2$) for any $T$ is called epimorphism. Both epimorphism and monomorphism are cancellation properties.

An endomap $e$ is called idempotent if $e \circ e = e$.

If $f: A\longrightarrow B$ has both a retraction $r$ and a section $s$, then $r = s$.
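These notions can be checked concretely on small finite sets, with maps represented as dictionaries (the particular maps below are arbitrary choices):

```python
A, B = (0, 1), (0, 1, 2)

f = {0: 0, 1: 1}            # an injective map f: A -> B
r = {0: 0, 1: 1, 2: 0}      # a retraction r: B -> A (the value at 2 is arbitrary)
assert all(r[f[a]] == a for a in A)   # r o f = 1_A

g = {0: 0, 1: 1, 2: 1}      # a surjective map g: B -> A
s = {0: 0, 1: 1}            # a section s: A -> B, picking one preimage per element
assert all(g[s[a]] == a for a in A)   # g o s = 1_A
```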

## Isomorphism, Automorphism

We can rephrase isomorphism with retraction and section:

A map $f$ is called an isomorphism if $\exists f^{-1}$ which is both a retraction and a section for $f$ that $f \circ f^{-1} = 1_B$ and $f^{-1} \circ f = 1_A$.

A map, which is an isomorphism and an endomap at a same time, is an automorphism.

In general, if any isomorphism $A\longrightarrow B$ exists, there are exactly as many of them as there are automorphisms of $A$, and this can be proved without counting.

Let $Aut(A)$ be the set of all automorphisms of $A$ and $Isom(A,B)$ be the set of all isomorphisms of $A\longrightarrow B$. We just need to construct isomorphism between those two sets.

If $f : A\longrightarrow B$ is an isomorphism, then $F : Aut(A)\longrightarrow Isom(A,B)$ can be constructed by $F(\alpha) = f\circ \alpha$ for any automorphism $\alpha$ on $A$. $F(\alpha) \in Isom(A,B)$, and we want to show $F$ itself is an isomorphism, by constructing $S = F^{-1}: Isom(A,B)\longrightarrow Aut(A)$. Thus, $S(g) = f^{-1} \circ g$.
\begin{aligned} (F \circ S)(g) &= F(S(g))= F(f^{-1}\circ g) = f \circ (f^{-1}\circ g) = g\newline (S \circ F)(\alpha) &= S(F(\alpha)) =S (f\circ \alpha) = f^{-1} \circ(f\circ \alpha) = \alpha \end{aligned}
We can see that $F\circ S = 1_{Isom(A,B)}$ and $S\circ F = 1_{Aut(A)}$.
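The bijection $F$ between $Aut(A)$ and $Isom(A,B)$ can be checked exhaustively on three-element sets (the sets and the fixed isomorphism $f$ below are arbitrary):

```python
from itertools import permutations

A, B = (0, 1, 2), ("a", "b", "c")
f = {0: "a", 1: "b", 2: "c"}               # a fixed isomorphism f: A -> B
f_inv = {v: k for k, v in f.items()}

auts = [dict(zip(A, p)) for p in permutations(A)]   # Aut(A)
isoms = [dict(zip(A, p)) for p in permutations(B)]  # Isom(A, B)

F = lambda alpha: {x: f[alpha[x]] for x in A}       # F(alpha) = f . alpha
S = lambda g: {x: f_inv[g[x]] for x in A}           # S(g) = f^{-1} . g

assert all(S(F(alpha)) == alpha for alpha in auts)  # S o F = 1_{Aut(A)}
assert all(F(S(g)) == g for g in isoms)             # F o S = 1_{Isom(A,B)}
assert len(auts) == len(isoms) == 6
```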

### Automorphism, or Permutation

An automorphism in the category of sets is traditionally called a permutation, suggesting that it shifts the elements of its set around in a specified way.

A category of permutation has an object defined with a set $A$ and an automorphism $\alpha$. Thus an object is defined as $A^{\Large\circlearrowright_\alpha}$.

A map from $A^{\Large\circlearrowright_\alpha}$ to $B^{\Large\circlearrowright_\beta}$ is a map of $f : A\longrightarrow B$ which preserve the automorphisms $\alpha$ and $\beta$ in a sense that $f \circ \alpha = \beta\circ f$. If $g$ is a map from $B^{\Large\circlearrowright_\beta}$ to $C^{\Large\circlearrowright_\gamma}$, and we want to compose $f$ and $g$, the natural thing is to compose them as $A \overset{f}{\longrightarrow} B \overset{g}{\longrightarrow} C$.

The verification is the computation $g \circ f \circ \alpha = g \circ \beta\circ f = \gamma \circ g \circ f$, i.e. the corresponding diagram commutes.
Category Theory Note 1 Newbie Category of Sets https://nomadtype.ninja/2019/12/28/cata-concept-01/ 2019-12-28T15:23:48.000Z 2020-10-12T18:47:55.705Z

Sets, maps and the map composition will be talked about in this note.

## Maps and Diagrams

An object in finite category means a finite set or collection.

A map $f$ in a category consists of three things:

• set $A$ called domain of the map
• set $B$ called codomain of the map
• A rule assigning to each element $a$ in domain, an element $b$ in codomain.

A map where domain and codomain are the same object is called endomap.

If $\forall a \in A$, $f(a) = a$, this means $f$ is an identity map, or simply $1_A$.

External Diagram is a scheme to keep track of domain and codomain, without indicating all the detail in map. Each external diagram can correspond to some map:

• $f$ that has $A$ be domain and $B$ as codomain:
$$\require{AMScd} \begin{CD} A @>{f}>> B \end{CD}$$

• $g$ being an endomap on $A$:
$$\require{AMScd} \begin{CD} A @>{g}>> A \end{CD}\\ A^{\huge{\circlearrowright}^{\Large g}}$$

• $1_A$ being an identity map:
$$\require{AMScd} \begin{CD} A @>{1_A}>> A \end{CD}\\ A^{\huge{\circlearrowright}^{\normalsize 1_A}}$$

The composition of two maps, with forms of
$$\require{AMScd} \begin{CD} X @>{g}>> Y @>{f}>> Z \end{CD}$$
can be written as $f \circ g$, which in external diagram form is
$$\require{AMScd} \begin{CD} X @>{f \circ g}>> Z \end{CD}$$
A singleton set is a set with exactly one element, and we can denote that set by $\boldsymbol{1}$.

A point of set $X$ is a map $\boldsymbol{1} \longrightarrow X$.

## Composing Maps and Laws

The identity law: for $f: A\longrightarrow B$, $1_B \circ f\equiv f \circ 1_A \equiv f$.

The associative law: for $f : A\longrightarrow B, g:B \longrightarrow C, h: C \longrightarrow D$, $h\circ(g\circ f) \equiv (h\circ g)\circ f$.

CS6620 Compiler Note 4 Path Sensitivity https://nomadtype.ninja/2019/10/05/compiler-4-note/ 2019-10-05T20:59:16.000Z 2020-10-12T18:47:55.705Z

If we ignore the values of conditions by treating if or while statements as nondeterministic choices between two branches, we call these analyses path insensitive.

Path sensitive analysis is used to improve the precision of path insensitive analysis.

# Assertions

In interval analysis, the constraints introduced by assertions will narrow the intervals by exploiting information in conditionals.

A trivial assertion constraint can be done in interval analysis by
\begin{aligned} & &\lbrack \lbrack v\rbrack\rbrack &= JOIN(v)\newline \text{assert}(x> E)&:&\lbrack \lbrack v \rbrack\rbrack &= JOIN(v)\lbrack x\mapsto gt(JOIN(v)(x), eval(JOIN(v), E))\rbrack\newline & & gt(\lbrack l_1, h_1\rbrack, \lbrack l_2, h_2\rbrack) &= \lbrack l_1, h_1 \rbrack \sqcap\lbrack l_2,\infty\rbrack\newline \text{assert}(x< E)&:&\lbrack \lbrack v \rbrack\rbrack &= JOIN(v)\lbrack x\mapsto lt(JOIN(v)(x), eval(JOIN(v), E))\rbrack\newline & & lt(\lbrack l_1, h_1\rbrack, \lbrack l_2, h_2\rbrack) &= \lbrack l_1, h_1 \rbrack \sqcap\lbrack -\infty, h_2\rbrack \end{aligned}
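The narrowing functions $gt$ and $lt$ can be sketched directly; a minimal sketch in which the interval meet $\sqcap$ is implemented as intersection, with `None` standing for the bottom (infeasible) element:

```python
INF = float("inf")

def meet(a, b):
    # Interval meet (greatest lower bound): intersection of the two intervals.
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None  # None = bottom (infeasible)

def gt(x, e):
    # assert(x > E): meet x's interval with [l2, +inf) from E's interval.
    return meet(x, (e[0], INF))

def lt(x, e):
    # assert(x < E): meet x's interval with (-inf, h2] from E's interval.
    return meet(x, (-INF, e[1]))

assert gt((0, 10), (5, 7)) == (5, 10)
assert lt((0, 10), (3, 4)) == (0, 4)
```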

# Branch Correlations

Consider an example program that opens and closes a file depending on a flag.

We want to ensure that the following flowchart is respected: every opened file is closed, and no file is closed unless it is open.

graph LR;A[Entry Point] --> B[Closed]subgraph Branch CorrelationB -. "open()" .-> C[Open]C -. "close()" .-> Bend
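A hypothetical program of this shape (a sketch, not the exact example from SPA; `open_file`/`close_file` merely track the protocol state from the flowchart) could look like:

```python
state = "closed"  # the file-state protocol from the flowchart above

def open_file():
    global state
    assert state == "closed"   # only a closed file may be opened
    state = "open"

def close_file():
    global state
    assert state == "open"     # only an open file may be closed
    state = "closed"

def run(condition: bool) -> None:
    if condition:
        open_file()
        flag = 1
    else:
        flag = 0
    # ... code that does not touch the file ...
    if flag:
        close_file()           # correlated with the earlier branch via flag

run(True)
run(False)
assert state == "closed"  # the correlation a path-sensitive analysis must see
```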

Analysis that keeps track of relations between variables is needed. This can be achieved by generalizing analysis to maintain multiple abstract states per program point.

The expansion can be done on $L’’ = Paths \to L$ where $L$ is the original lattice and $Paths$ is a finite set of path contexts.

A path context is a predicate over the program state. In general, each statement is analyzed in $|Paths|$ path contexts.

For the example, $Paths = \lbrace flag = 0,flag\ne 0\rbrace$. The constraint rules can be shown as
\begin{aligned} &JOIN(v)(p) &=& \bigcup_{w\in pred(v)} \lbrack\lbrack w\rbrack\rbrack(p)\newline \text{open}() &\phantom{“”} \lbrack\lbrack v\rbrack\rbrack &=& \lambda p.\lbrace\text{open}\rbrace\newline \text{close}() &\phantom{“”} \lbrack\lbrack v \rbrack\rbrack &=& \lambda p. \lbrace\text{close}\rbrace\newline entry &\phantom{“”} \lbrack\lbrack v \rbrack\rbrack &=& \lambda p. \lbrace\text{close}\rbrace\newline \text{flag} = 0 &\phantom{“”} \lbrack\lbrack v\rbrack \rbrack &=& \lbrack \text{flag} = 0 \mapsto \bigcup_{p\in Paths} JOIN(v)(p),\newline & & &\ \text{flag} \neq 0 \mapsto \varnothing\rbrack\newline \text{flag} = I &\phantom{“”} \lbrack\lbrack v\rbrack \rbrack &=& \lbrack \text{flag} \ne 0 \mapsto \bigcup_{p\in Paths} JOIN(v)(p),\newline & & &\ \text{flag} = 0 \mapsto \varnothing\rbrack\newline \text{flag} = E &\phantom{“”} \lbrack\lbrack v\rbrack \rbrack &=&\lambda q. \bigcup_{p\in Paths} JOIN(v)(p)\newline \text{assert}(\text{flag}) &\phantom{“”} \lbrack\lbrack v\rbrack\rbrack &=& \lbrack \text{flag} \ne 0 \mapsto JOIN(v)(\text{flag}\ne 0),\newline & & &\ \text{flag} = 0 \mapsto \varnothing\rbrack\newline \text{assert}(\text{!flag}) &\phantom{“”} \lbrack\lbrack v\rbrack\rbrack &=& \lbrack \text{flag} = 0 \mapsto JOIN(v)(\text{flag}= 0),\newline & & &\ \text{flag} \ne 0 \mapsto \varnothing\rbrack\newline &\phantom{“”} \lbrack\lbrack v\rbrack\rbrack &=& \lambda p.JOIN(v)(p) \end{aligned}

$\varnothing$ stands for infeasible here, which means normal code cannot reach here, or program crashes.

The full example can be seen in SPA, page 84.

CS6620 Compiler Note 3 Narrowing and Widening https://nomadtype.ninja/2019/10/04/compiler-3-note/ 2019-10-04T23:50:05.000Z 2020-10-12T18:47:55.705Z

Interval analysis can be used in integer representation or array bound check. This would involve widening and narrowing.

A lattice of intervals is defined as $\text{Interval} \triangleq \text{lift}(\lbrace \lbrack l,h\rbrack \mid l,h\in\mathbb{Z} \wedge l \leq h\rbrace)$. The partial order is defined as $\lbrack l_1,h_1\rbrack \sqsubseteq \lbrack l_2,h_2\rbrack \iff l_2 \leq l_1 \wedge h_1 \le h_2$.

The top is defined to be $\lbrack -\infty,+\infty\rbrack$ and the bottom is defined as $\bot$, which means no integer. Since the chain of partial order can have infinite length, the lattice itself has infinite height.

The total lattice for a program point is $L = \text{Vars}\to \text{Interval}$, which provides bounds for each integer value.

The constraint rules are listed as
\begin{aligned} & & & JOIN(v) = \bigsqcup_{w\in pred(v)}\lbrack \lbrack w\rbrack \rbrack \newline \lbrack\lbrack X = E\rbrack\rbrack &\phantom{:::} \lbrack\lbrack v\rbrack\rbrack &=& JOIN(v) \lbrack X \mapsto \text{eval}(JOIN(v), E)\rbrack\newline & & & \text{eval}(\sigma, X) = \sigma(X)\newline & & & \text{eval}(\sigma, I) = \lbrack I, I\rbrack\newline & & & \text{eval}(\sigma, \text{input}) = \lbrack -\infty, \infty\rbrack\newline & & & \text{eval}(\sigma, E_1\ op\ E_2) = \hat{op}(\text{eval}(\sigma, E_1), \text{eval}(\sigma, E_2))\newline & & & \hat{op}(\lbrack l_1,r_1\rbrack, \lbrack l_2,r_2\rbrack) = \lbrack \min_{x\in \lbrack l_1,r_1\rbrack, y\in \lbrack l_2,r_2\rbrack} x\ op\ y, \max_{x\in \lbrack l_1,r_1\rbrack, y\in \lbrack l_2,r_2\rbrack }x\ op\ y\rbrack \newline & \phantom{:::}\lbrack\lbrack v\rbrack\rbrack &=& JOIN(v)\newline & \lbrack \lbrack exit\rbrack\rbrack &=& \varnothing \end{aligned}
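A minimal sketch of the abstract operator $\hat{op}$ on finite intervals (illustrative only; taking extrema over endpoint combinations is valid for operators such as $+$ and $\times$ that attain their extrema at interval endpoints):

```python
import operator

def op_hat(op, a, b):
    """Abstract binary operator on intervals (l, h): apply op to all
    endpoint combinations and keep the min and max."""
    (l1, h1), (l2, h2) = a, b
    vals = [op(x, y) for x in (l1, h1) for y in (l2, h2)]
    return (min(vals), max(vals))

# op_hat(operator.add, (1, 2), (10, 20)) == (11, 22)
# op_hat(operator.mul, (-2, 3), (4, 5)) == (-10, 15)
```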
The fixed-point theorem we previously discussed only applies to lattices of finite height. A new fixed-point algorithm is needed in practice.

# Widening and Narrowing

A widening function $\omega: L^n \to L^n$ is introduced such that the iteration $(\omega \circ f)^i (\bot,\dots,\bot)$ is guaranteed to converge on a fixed-point that is larger than or equal to each $f^i(\bot,\dots, \bot)$.

To ensure convergence, $\omega$ must be monotone and extensive ($\forall x: x \sqsubseteq \omega(x)$), and its image $\omega(L) = \lbrace y \in L \mid \exists x \in L: y = \omega(x)\rbrace$ must have finite height.

$\omega$ would coarsen the information sufficiently to ensure termination.

In this interval analysis, $\omega$ is defined pointwise on $L^n$. It operates relative to a fixed, program-dependent finite subset $\mathbb{B}\subset \mathbb{Z}$ that must contain $-\infty$ and $\infty$.

Typically $\mathbb{B}$ is seeded with all the integer constants occurring in the given program, but other heuristics could be used.

$\omega’$ on single interval could be defined as $\omega’:\text{Interval}\to\text{Interval}$ by
$$\omega’(\lbrack l,r\rbrack) = \lbrack \max\lbrace x \in \mathbb{B}\mid x \le l\rbrace, \min\lbrace x \in \mathbb{B}\mid x \ge r\rbrace\rbrack\ \omega’(\bot) = \bot$$
Thus the new fixed-point algorithm works on $L = (\text{Vars} \to \text{Interval})^n$, and $\omega:L\to L$ simply applies $\omega’$ pointwise:
\begin{aligned} \omega(\sigma_1,\dots,\sigma_n) &= (\sigma_1’,\dots,\sigma_n’)\ \sigma_i’(X) &= \omega’(\sigma_i(X)), \forall X \in \text{Vars}, 1 \le i \le n \end{aligned}
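A sketch of $\omega’$ over a bound set $\mathbb{B}$ (Python, with `None` standing for $\bot$, `math.inf` for $\pm\infty$, and a made-up $\mathbb{B}$):

```python
import math

# B seeded with the program's constants; must contain -inf and inf.
B = {-math.inf, 0, 1, 10, math.inf}

def widen_interval(iv, bounds=B):
    """omega': round the interval endpoints outward to values in B."""
    if iv is None:              # bottom stays bottom
        return None
    l, h = iv
    lo = max(x for x in bounds if x <= l)
    hi = min(x for x in bounds if x >= h)
    return (lo, hi)

# widen_interval((3, 12)) == (1, math.inf); (0, 10) is already on bounds in B
```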

Recapping fixed points and termination: $\omega \circ f$ maps $\omega(L)$ into $\omega(L)$, which has finite height, so the iteration runs over a finite-height lattice and terminates.

Let $fix = \bigsqcup f^i(\bot)$ and $fix\omega = \bigsqcup (\omega\circ f)^i(\bot)$. Then $fix \sqsubseteq f(fix\omega) \sqsubseteq fix\omega$: the last inequality holds because $fix\omega = \omega(f(fix\omega))$ and $\omega$ is extensive.

This leads to narrowing, which improves the result while still providing sound information.

# More Sophisticated Widening

A new widening function can be defined as $\nabla: L\times L \to L$ that is extensive in both arguments and satisfies property:

• For every increasing chain $z_0 \sqsubseteq z_1 \sqsubseteq \dots$, the sequence defined by $y_0 = z_0$, $y_{i + 1} = y_i \nabla z_{i+1}$ converges (eventually becomes constant).

Basic fixed-point solver can compute $x_0 = \bot, x_{i+1} = x_i \nabla F(x_i)$ until convergence.

If we let $\nabla = \sqcup$, the iteration $x_{i+1} = x_i \sqcup F(x_i)$ is exactly the basic fixed-point algorithm, so plain fixed-point computation is a special case of widening.

$\sqcup$ is a widening operator for a finite height $L$.

The idea of using infix binary $\nabla$ is that it allows us to combine abstract information from previous and current iteration fixed-point computation, and only coarsen values that are unstable.

A widening operator $\nabla’:\text{Interval}\times\text{Interval}\to\text{Interval}$ is defined as
\begin{aligned} \bot \nabla’ y &= y\newline x \nabla’ \bot &= x\newline \lbrack l_1, h_1\rbrack \nabla’ \lbrack l_2,h_2\rbrack &= \lbrack l_3, h_3\rbrack\newline l_3 &= \begin{cases} l_1 &\text{if }l_1 \le l_2\newline \max\lbrace i \in \mathbb{B} \mid i \le l_2\rbrace &\text{otherwise} \end{cases}\newline h_3 &=\begin{cases} h_1 &\text{if }h_2 \le h_1\newline \text{min}\lbrace i \in \mathbb{B} \mid h_2 \le i \rbrace&\text{otherwise} \end{cases} \end{aligned}
$\nabla$ can then be expanded from definition of $\nabla’$ by
\begin{aligned} (\sigma_1,\dots,\sigma_n)\nabla (\sigma_1’, \dots, \sigma_n’) &= (\sigma_1’’,\dots,\sigma_n’’)\newline \sigma_i’’(X)& = \sigma_i(X)\nabla’\sigma_i’(X), \forall X \in \text{Vars}, 1\le i \le n \end{aligned}
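A sketch of $\nabla’$ in the same style (Python; `None` is $\bot$, and the bound set is made-up data that must contain $\pm\infty$). It only coarsens the endpoint that moved:

```python
import math

B = sorted({-math.inf, 0, 7, math.inf})

def nabla(x, y, bounds=B):
    """Widening on intervals: keep stable endpoints, round unstable
    ones outward to the nearest value in B."""
    if x is None:
        return y
    if y is None:
        return x
    (l1, h1), (l2, h2) = x, y
    l3 = l1 if l1 <= l2 else max(i for i in bounds if i <= l2)
    h3 = h1 if h2 <= h1 else min(i for i in bounds if i >= h2)
    return (l3, h3)

# nabla((0, 1), (0, 2)) == (0, 7): the lower bound is stable, the upper jumps to 7
```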

CS6620 Compiler Note 2 Data Flow Analysis with Lattice https://nomadtype.ninja/2019/09/28/compiler-2-note/ 2019-09-28T00:35:53.000Z 2020-10-12T18:47:55.705Z

More flow sensitive analysis (data flow analysis) on the way

|  | Forward Analysis | Backward Analysis |
| --- | --- | --- |
| May Analysis | Reaching Definitions | Liveness |
| Must Analysis | Available Expressions | Very Busy Expressions |

# Liveness Analysis

A variable is live at a program point if its current value may be read later in the remaining execution without being written in between. Being a may analysis, it only answers “dead” when the variable is definitely dead.

The lattice we set up is a parameterized lattice that depends on the specific program being analyzed: $(2^{\text{Vars}}, \subseteq)$, where $\text{Vars}$ is the set of program variables.

For each CFG node $v$, a constraint variable $\lbrack \lbrack v\rbrack\rbrack$ is introduced, denoting the subset of program variables that are live at the program point before the node. The overall shape of the analysis is
$$\lbrack \lbrack v\rbrack \rbrack = \bigcup_{v_{next} \in succ(v)} \lbrack \lbrack v_{next}\rbrack \rbrack \cup \Delta v_{introduce}$$

$\lbrack\lbrack v\rbrack\rbrack$ describes state before $v$.

The definition of $JOIN$ follows $JOIN(v) = \bigcup_{w\in succ(v)} \lbrack \lbrack w \rbrack\rbrack$. The constraint rules follows
\begin{aligned} x = E &\phantom{“”} \lbrack\lbrack v \rbrack\rbrack &=& \bigcup_{v_{next} \in succ(v)} \lbrack \lbrack v_{next}\rbrack \rbrack \backslash \lbrace X\rbrace \cup vars(E)\newline \begin{array}{l} \text{if }E\newline \text{while }E&\newline \text{output }E& \end{array} &\phantom{“”} \lbrack\lbrack v\rbrack \rbrack &=& \bigcup_{v_{next} \in succ(v)} \lbrack \lbrack v_{next}\rbrack \rbrack \cup vars(E)\newline \text{var }X_1,\dots, X_n&\phantom{“”}\lbrack\lbrack v\rbrack\rbrack &=& \bigcup_{v_{next} \in succ(v)} \lbrack \lbrack v_{next}\rbrack \rbrack \backslash \lbrace X_1,\dots,X_n\rbrace\newline &\phantom{“”}\lbrack\lbrack exit\rbrack\rbrack &=& \varnothing\newline &\phantom{“”}\lbrack\lbrack v\rbrack \rbrack &=& \bigcup_{v_{next} \in succ(v)} \lbrack \lbrack v_{next}\rbrack \rbrack \end{aligned}
In each iteration of these constraint rules over the CFG, with $k$ program variables and $n$ CFG nodes, a $k$-element set takes $O(k)$ per union/removal operation and iterating over the nodes takes $O(n)$, giving $O(nk)$ per iteration.

Considering the work-list algorithm from the last chapter, the total number of iterations until it stabilizes is $O(nk)$: in the worst case each node climbs all the way to the top of the lattice. Thus the total time complexity is $O(n^2k^2)$.
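The backward liveness computation can be sketched with a work-list (Python; the tiny three-node CFG and variable names are made up for illustration):

```python
def liveness(nodes, succ, use, defn):
    """Live-before sets: [[v]] = use(v) ∪ (⋃_{w∈succ(v)} [[w]] \\ defn(v))."""
    pred = {v: set() for v in nodes}
    for v in nodes:
        for w in succ[v]:
            pred[w].add(v)
    live = {v: set() for v in nodes}
    work = set(nodes)
    while work:
        v = work.pop()
        join = set().union(*(live[w] for w in succ[v])) if succ[v] else set()
        new = use[v] | (join - defn[v])
        if new != live[v]:
            live[v] = new
            work |= pred[v]     # a change in [[v]] affects its predecessors
    return live

# CFG for: x = input; y = x + 1; output y
nodes = [1, 2, 3]
succ = {1: [2], 2: [3], 3: []}
use = {1: set(), 2: {"x"}, 3: {"y"}}
defn = {1: {"x"}, 2: {"y"}, 3: set()}
# liveness(nodes, succ, use, defn) == {1: set(), 2: {"x"}, 3: {"y"}}
```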

# Available Expressions Analysis

A nontrivial expression is available at a program point if its current value has already been computed earlier in the execution.

Since the approximation may include too few expressions, the analysis can only say available if the expression is definitely available.

The lattice $L = (2^{expr}, \supseteq)$ has $JOIN(v) = \bigcap_{w\in pred(v)}\lbrack \lbrack w\rbrack \rbrack$ (since $\sqsubseteq$ is $\supseteq$). The lattice is upside down, with $\varnothing$ on top.

$\lbrack\lbrack v\rbrack\rbrack$ describes state after $v$.

Since the availability of an expression depends on information from the past, and the partial order is reversed, JOIN is defined as the intersection over predecessors.

\begin{aligned} X = E &\phantom{:::}\lbrack \lbrack v\rbrack\rbrack &=& (\bigcap_{w\in pred(v)}\lbrack \lbrack w\rbrack \rbrack \cup exps(E)) \downarrow X\newline & & & exps(X)= \varnothing\newline & & & exps(I) = \varnothing\newline & & & exps(\text{input}) = \varnothing\newline & & & exps(E_1\ op\ E_2) = \lbrace E_1\ op\ E_2\rbrace \cup exps(E_1) \cup exps(E_2)\newline &\phantom{:::}\lbrack\lbrack entry\rbrack\rbrack & =& \varnothing\newline \begin{array}{l} \text{if } E \newline \text{while }E\newline \text{output }E \end{array} & \phantom{:::}\lbrack\lbrack v\rbrack\rbrack &=& \bigcap_{w\in pred(v)}\lbrack \lbrack w\rbrack \rbrack \cup exps(E)\newline &\phantom{:::}\lbrack\lbrack v\rbrack\rbrack & = & \bigcap_{w\in pred(v)}\lbrack \lbrack w\rbrack \rbrack \end{aligned}

# Very Busy Expression Analysis

A nontrivial expression is very busy if it will definitely be evaluated again before its value changes.

An expression is busy if it is evaluated in the current node, or will be evaluated later unless some assignment changes its value first.

Since the approximation may include too few expressions, the analysis can only say busy if the expression is definitely busy. The lattice is arranged upside down, like the available expressions lattice.

For every CFG node $v$, the variable $\lbrack\lbrack v\rbrack\rbrack$ denotes the set of expressions that are definitely busy at the program point before $v$. The lattice definition is the same as in available expressions analysis.

$\lbrack\lbrack v\rbrack\rbrack$ describes state before $v$.

\begin{aligned} & & & JOIN(v) = \bigcap_{w\in succ(v)}\lbrack \lbrack w\rbrack \rbrack \newline X = E &\phantom{:::} \lbrack\lbrack v\rbrack\rbrack &=& \bigcap_{w\in succ(v)}\lbrack \lbrack w\rbrack \rbrack \downarrow X \cup exps(E)\newline \begin{array}{l} \text{if } E \newline \text{while }E\newline \text{output }E \end{array} & \phantom{:::}\lbrack\lbrack v\rbrack\rbrack &=& \bigcap_{w\in succ(v)}\lbrack \lbrack w\rbrack \rbrack \cup exps(E)\newline & \phantom{:::}\lbrack\lbrack v\rbrack\rbrack &=& \bigcap_{w\in succ(v)}\lbrack \lbrack w\rbrack \rbrack\newline & \lbrack \lbrack exit\rbrack\rbrack &=& \varnothing \end{aligned}

# Reaching Definitions Analysis

Reaching definitions for a given program point are those assignments that may define the current value of variables.

$\lbrack\lbrack v\rbrack\rbrack$ describes state after $v$.

The lattice is modeled by $(2^{assignments}, \subseteq)$ and $JOIN(v) = \bigcup_{w\in pred(v)} \lbrack\lbrack w \rbrack\rbrack$. The rules follows
\begin{aligned} X = E &\phantom{:::} \lbrack\lbrack v\rbrack\rbrack &=& \bigcup_{w\in pred(v)} \lbrack\lbrack w \rbrack\rbrack \downarrow X \cup \lbrace X = E \rbrace\newline &\phantom{:::}\lbrack \lbrack v\rbrack \rbrack &=&\bigcup_{w\in pred(v)} \lbrack\lbrack w \rbrack\rbrack \end{aligned}

# Forward, Backward, May, Must

Forward analysis computes information about past behaviors. E.g., Available Expressions Analysis, Reaching Definitions Analysis

Backward analysis computes information about future behaviors. E.g., Liveness Analysis, Very Busy Expressions Analysis

May analysis means over-approximation, describing possibly-true information. E.g., Liveness Analysis, Reaching Definitions Analysis

Must analysis means under-approximation, describing definitely-true information. E.g., Available Expressions Analysis, Very Busy Expressions Analysis

CS6620 Compiler Note 1 Lattice Basics https://nomadtype.ninja/2019/09/23/compiler-1-note/ 2019-09-23T01:38:43.000Z 2020-10-12T18:47:55.705Z

This part will take notes about Lattice Theory.

Appetizer: sign analysis can be done by first constructing a lattice with elements $\lbrace +,-,0,\top,\bot\rbrace$, where:

• $+, -, 0$ stand for integer value signs
• $\top$ stands for any integer values while $\bot$ means empty set of integer values.

$$\begin{array}{ccccc} & & \top& & \newline & \swarrow & \downarrow & \searrow \newline & + & 0 &- \newline & \searrow & \downarrow & \swarrow \newline & &\bot \end{array}$$

# Lattice Basics

Partial order on a set $S$ is defined by a binary relation $\sqsubseteq$ satisfying

• reflexivity: $\forall x \in S: x \sqsubseteq x$
• transitivity: $\forall x,y,z\in S: x\sqsubseteq y \wedge y\sqsubseteq z \Rightarrow x \sqsubseteq z$
• anti-symmetry: $\forall x,y\in S: x \sqsubseteq y \wedge y \sqsubseteq x\Rightarrow x =y$

A lattice is a pair $(S,\sqsubseteq)$ in which every subset has a least upper bound and a greatest lower bound. The lower an element sits in the lattice, the more precise it is: $x \sqsubseteq y$ means $x$ is at least as precise as $y$ in $S$.

## Upper Bound and Lower Bound

For $X \subseteq S$ and $y \in S$: $y$ is an upper bound of $X$, denoted $X \sqsubseteq y$, if $\forall x \in X: x \sqsubseteq y$. A least upper bound, written $\bigsqcup X$, is defined by $X \sqsubseteq \bigsqcup X\wedge \forall y \in S:X\sqsubseteq y \Rightarrow \bigsqcup X \sqsubseteq y$.

$y$ is a lower bound of $X$, denoted $y \sqsubseteq X$, if $\forall x \in X: y \sqsubseteq x$. A greatest lower bound, written $\sqcap X$, is defined by $\sqcap X\sqsubseteq X\wedge \forall y \in S : y \sqsubseteq X\Rightarrow y \sqsubseteq \sqcap X$.

We write $x \sqcup y$ for $\bigsqcup\lbrace x,y\rbrace$, and $\bigsqcup_{a \in A} f(a)$ for the least upper bound of the image of $f$ over $A$.

$\exists x \sqcup y \Rightarrow (x \sqsubseteq y \Leftrightarrow x \sqcup y = y)$, $\exists x \sqcap y \Rightarrow (x \sqsubseteq y \Leftrightarrow x \sqcap y = x)$.

The height of a lattice is defined to be the length of the longest path from $\bot$ to $\top$.

## Lattice Constructing

Every finite set $A = \lbrace a_1,\dots, a_n\rbrace$ defines a lattice $(2^A, \subseteq)$ where $\bot = \varnothing, \top = A, x \sqcup y = x \cup y, x \sqcap y = x \cap y$. Such a lattice has height $|A|$.

A flat lattice with $flat(A)$ is shown by
$$\begin{array}{cccccc} & & \top\newline & \swarrow & & \searrow\newline a_1 & a_2 & a_3 & \dots & a_n\newline & \searrow & & \swarrow \newline & & \bot \end{array}$$

The product of lattices $L_1 \times \dots \times L_n = \lbrace (x_1, x_2, \dots, x_n) \mid x_i \in L_i\rbrace$, where $\sqsubseteq$ is defined point-wise: $(x_1, x_2,\dots,x_n)\sqsubseteq (x_1’, x_2’,\dots,x_n’)\Leftrightarrow \forall i=1,\dots,n:x_i\sqsubseteq x_i’$.

In this way the $\sqcap$ and $\sqcup$ operations are also done point-wise. The height is $\sum_i height(L_i)$.

Map lattice is defined by $A \to L = \lbrace \lbrack a_1 \mapsto x_1, a_2 \mapsto x_2,\dots\rbrack | A = \lbrace a_1,a_2,\dots\rbrace\wedge x_1, x_2,\dots \in L\rbrace$. The $f \sqsubseteq g \Leftrightarrow \forall a_i \in A: f(a_i)\sqsubseteq g(a_i)$. Height is $|A| \cdot height(L)$.

Revisiting the sign analysis constraints, we can denote by $\left[\!\left[ v\right]\!\right]$ a map giving the sign value of every variable at the program point after node $v$. Denote $\text{JOIN}(v) = \bigsqcup_{w\in pred(v)}\left[\!\left[ w\right] \!\right]$. Thus we have

• $\left[\!\left[\text{var }x_1,\dots,x_n\right]\!\right] = \text{JOIN}(v)\left[\!\left[x_1\mapsto \top,\dots,x_n\mapsto\top\right]\!\right]$
• $\left[\!\left[ x = E\right]\!\right] = \text{JOIN}(v) \lbrack x \mapsto \text{eval}(\text{JOIN}(v), E) \rbrack$
• $\left[\!\left[v\right]\!\right] = \text{JOIN}(v)$ for all other nodes
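A minimal sketch of an abstract $+$ on this sign lattice (Python; encoding lattice elements as strings is just for illustration):

```python
TOP, BOT = "top", "bot"

def sign_add(a, b):
    """Abstract addition on the sign lattice {+, -, 0, top, bot}."""
    if BOT in (a, b):
        return BOT        # anything plus the empty set of values is empty
    if a == "0":
        return b          # 0 + s = s
    if b == "0":
        return a
    if a == b:
        return a          # (+) + (+) = (+), (-) + (-) = (-)
    return TOP            # sign unknown, e.g. (+) + (-) or top + s

# sign_add("+", "+") == "+";  sign_add("+", "-") == "top"
```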

Lifting a lattice means adding one new $\bot$ element below it; the height increases by 1.

## Monotonicity and Fixed-Points

Monotone function $f:L\to L$ is defined with $\forall x,y\in L: x \sqsubseteq y \Rightarrow f(x) \sqsubseteq f(y)$.

Multiple arguments function is monotone if it is monotone in each argument. Monotonicity is closed under composition, where composition has notation $f \circ g$ and $f \circ \dots \circ f = f^i$.

Kleene’s fixed-point theorem: In a lattice with finite height, every monotone function $f$ has a unique least fixed-point $fix(f) = \bigsqcup_{i \ge 0} f^i(\bot)$.

Existence: since $\bot \sqsubseteq f(\bot)$ and $f$ is monotone, $f^i(\bot)$ is an increasing chain; by finite height it stabilizes at some $f^k(\bot)$, which is a fixed point.

For leastness, suppose $x$ is any fixed-point. Since $\bot \sqsubseteq x$ and $f$ is monotone, $f^i(\bot) \sqsubseteq f^i(x) = x$ for all $i$; in particular $fix(f) = f^k(\bot) \sqsubseteq x$, so $fix(f)$ is the least fixed point. By anti-symmetry, the least fixed point is unique.
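Kleene iteration can be sketched on a small powerset lattice; here graph reachability is computed as the least fixed point of a monotone function (the edge set and start node are made-up data):

```python
edges = {(0, 1), (1, 2), (3, 4)}

def f(s: frozenset) -> frozenset:
    """Monotone on (2^Nodes, ⊆): add the start node and one-step successors."""
    return s | {0} | {b for (a, b) in edges if a in s}

def kleene_fix(f, bottom):
    """fix(f) = ⊔ f^i(⊥); terminates because the lattice has finite height."""
    x = bottom
    while f(x) != x:
        x = f(x)
    return x

# kleene_fix(f, frozenset()) == frozenset({0, 1, 2}); node 4 is unreachable
```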

An equation system over $L$ lattice with form $\begin{cases} x_1 &=&f_1(x_1,\dots,x_n) \newline x_2 &=&f_2(x_1,\dots,x_n) \newline \vdots \newline x_n &=&f_n(x_1,\dots,x_n)\end{cases}$ where $f_i: L^n \to L$. A solution to such equation system provides $L^n$ value that satisfies all equations.

Rewrite functions in one with $f:L^n\to L^n, f(x_1,\dots,x_n) = (f_1(x_1,\dots,x_n),\dots,f_n(x_1,\dots,x_n))$, which looks like $x = f(x)$ with $x \in L^n$.

The solving process of such equation system can be done like:

• An inequation system $\begin{cases} x_1 &\sqsubseteq &f_1(x_1,\dots,x_n) \newline \vdots \newline x_n &\sqsubseteq &f_n(x_1,\dots,x_n)\end{cases}$ has the same solutions as an equation system, since $x \sqsubseteq y \Leftrightarrow x = x \sqcap y$: rewrite it into the form $\begin{cases} x_1 &=& x_1 \sqcap f_1(x_1,\dots,x_n) \newline \vdots \newline x_n &= &x_n \sqcap f_n(x_1,\dots,x_n)\end{cases}$.
• Dually, $\begin{cases} x_1 &\sqsupseteq &f_1(x_1,\dots,x_n) \newline \vdots \newline x_n &\sqsupseteq &f_n(x_1,\dots,x_n)\end{cases}$ can be rewritten into $\begin{cases} x_1 &= &x_1\sqcup f_1(x_1,\dots,x_n) \newline \vdots \newline x_n &= & x_n \sqcup f_n(x_1,\dots,x_n)\end{cases}$.

The lattice points as answers can be shown below. The most trivial answer is on top and undefined/null is at bottom.

graph TD;subgraph Safe AnswersA1["Trivial Useless Answer (Top)"] --- A2["Our Answer (Least Fixpoint)"]A2 .-> A3["The true answer"]A2 --- A4["."]endsubgraph Unsafe AnswersA4 --- A5["."]A5 --- A6["Bottom"]end

## Monotone Framework

We want to extract all constraints (like sign analysis) from a CFG. For each node $v$ in CFG we can assign a constraint variable $\lbrack \! \lbrack v \rbrack\!\rbrack$ ranging over elements of lattice.

If all constraints for the given program happen to be equations or inequations with monotone RHS, then fixed-point algorithms come into place to find unique least solution.

The combination of lattice and a space of monotone functions is called monotone framework.

Instead of the naive round-robin fixed-point algorithm, an improved version derived from chaotic iteration, the work-list algorithm, can be used here.

A map $\text{dep}:\text{Nodes}\to 2^\text{Nodes}$ is used: for a node $v$ in the CFG, $\text{dep}(v)$ is the subset of nodes on whose dataflow-equation RHS $\lbrack \! \lbrack v \rbrack\!\rbrack$ occurs in a nontrivial way.

Thus work-list algorithm is shown as
\begin{aligned} &x_1\leftarrow \bot; \dots; x_n\leftarrow \bot;\newline &W \leftarrow \lbrace v_1,\dots,v_n\rbrace;\newline &\text{while }(W \neq \varnothing)\newline &\phantom{“”””}v_i\leftarrow W.\text{removeNext}()\newline &\phantom{“”””}y\leftarrow f_i(x_1,\dots,x_n)\newline &\phantom{“”””}\text{if }y \neq x_i\newline &\phantom{“”””””””}x_i \leftarrow y\newline &\phantom{“”””””””}\text{for }v_j \in dep(v_i)\newline &\phantom{“”””””””””””}W.\text{add}(v_j)\newline &\phantom{“”””””””}\text{end for}\newline &\phantom{“”””}\text{end if}\newline &\text{end while}\newline &\text{return }(x_1,\dots,x_n) \end{aligned}
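The pseudocode above can be sketched directly in Python (the tiny three-variable equation system at the bottom is made up to exercise it):

```python
def worklist_solve(n, fs, dep, bottom):
    """Work-list solver: fs[i](xs) evaluates the RHS of equation i;
    dep[i] lists the equations whose RHS mentions x_i."""
    xs = [bottom for _ in range(n)]
    work = set(range(n))
    while work:
        i = work.pop()
        y = fs[i](xs)
        if y != xs[i]:
            xs[i] = y
            work |= set(dep[i])   # re-examine everyone who reads x_i
    return xs

# x0 = {a};  x1 = x0 ∪ {b};  x2 = x1
fs = [lambda xs: frozenset("a"),
      lambda xs: xs[0] | frozenset("b"),
      lambda xs: xs[1]]
dep = [[1], [2], []]
# worklist_solve(3, fs, dep, frozenset()) gives ({a}, {a,b}, {a,b})
```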

The complexity of the algorithm is explained in next chapter.

VE475 Cryptography Note 4 https://nomadtype.ninja/2019/07/09/crypto-4-note/ 2019-07-09T12:03:36.000Z 2020-10-12T18:47:55.709Z

All info comes from Manuel’s slides on Lecture 4.

# Intros on Hash Functions

We want a high-level fingerprint that can be built from any data, such that a tiny change in the data causes a radical change in the whole fingerprint.

## Hash Function Definitions

The following properties are required for hash function $h$:

• Efficiently computed for any input.
• Pre-image resistant: given $y$ it is computationally infeasible to find $x$ such that $h(x) = y$.
• Second pre-image resistant: given $x$, it is computationally infeasible to find $x’\neq x$ with $h(x) = h(x’)$.
• Collision resistant: it is computationally infeasible to find $\langle x,x’\rangle$ with $x\neq x’$ and $h(x) = h(x’)$.

The output of hash function is called message digest.

Collision resistance is the strongest of the three resistance properties: a collision-resistant function is in particular second pre-image resistant.

# DLP Hash Function

Let $p$ be a prime such that $q = \dfrac{p-1}{2}$ is also prime, and choose $\alpha,\beta$ two generators of $U(\mathbb{Z}/p\mathbb{Z})$. Write $x \in \mathbb{Z}/q^2 \mathbb{Z}$ as $x_0 + x_1 q$ with $0\le x_0,x_1\le q-1$, and define $h(x) = \alpha^{x_0}\beta^{x_1}\pmod p$.
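This is the Chaum–van Heijst–Pfitzmann construction; a toy instantiation with $p = 23$, $q = 11$, $\alpha = 5$, $\beta = 7$ (tiny parameters for illustration only, offering no real security):

```python
def chp_hash(x: int, p: int = 23, q: int = 11, alpha: int = 5, beta: int = 7) -> int:
    """h(x0 + x1*q) = alpha^x0 * beta^x1 mod p, for 0 <= x < q*q."""
    assert 0 <= x < q * q
    x0, x1 = x % q, x // q
    return pow(alpha, x0, p) * pow(beta, x1, p) % p

# chp_hash(0) == 1, chp_hash(1) == 5, chp_hash(11) == 7
```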

We can prove the previous function $h$ is collision resistant.

## Lemma and Proposition

Lemma: Let $a,b\in\mathbb{Z}$ and $m\in\mathbb{N}\backslash\lbrace 0\rbrace$ and $d = \gcd(a,m)$. Linear congruence $ax \equiv b \pmod m$ has solution iff $d \mid b$. In this case, there are $d$ solutions that are mutually incongruent mod $m$.

Proposition: If $x \neq x’$ with $h(x) = h(x’)$ are known, then $\log_\alpha \beta$ can be easily computed.

## Proof

Since we have $x = x_0+x_1 q$ and $x’ = x_0’ + x_1’q$, we have $\alpha^{x_0 + x_1 a}\equiv \alpha^{x_0’+x_1’ a}\pmod p$ where $a = \log_\alpha \beta$.

Since $\alpha$ is a generator, exponents agree modulo the group order $p-1$: $x_0 + x_1 a \equiv x_0’ + x_1’ a \pmod {(p-1)}$, hence $a(x_1 - x_1’) \equiv (x_0’ - x_0)\pmod {(p-1)}$.

Suppose $x_1 - x_1’ \neq 0$; then by the lemma there are $d = \gcd(x_1 - x_1’,p-1)$ solutions for $a$. But as $q = \dfrac{p-1}{2}$ is prime, $p-1$ only has $1,2,q,p-1$ as factors.

Since $x_1 - x_1’ \in \lbrack -(q-1),(q-1)\rbrack$, so $d$ can only be 1 or 2. Thus at most 2 solutions should be tested to determine $a$, hence finding $x\neq x’,h(x) = h(x’)$ implies solving DLP.

# Birthday Attack

The essence of the birthday attack can be seen by considering the birthdays of 23 people. The probability that all of them have different birthdays is $\prod\limits_{i=1}^{22}\dfrac{365 - i}{365}$, close to $\dfrac{1}{2}$.

The probability of at least 2 sharing the same birthday is therefore $1 - \prod\limits_{i=1}^{22}\dfrac{365 - i}{365} \approx 0.507 > \dfrac{1}{2}$.
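The number above is easy to check numerically:

```python
def all_distinct_prob(n: int, r: int) -> float:
    """Probability that r independent uniform samples over n values are all distinct."""
    p = 1.0
    for j in range(1, r):
        p *= (n - j) / n
    return p

collision = 1 - all_distinct_prob(365, 23)
# collision ≈ 0.507
```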

In a more general case, if there are $n$ possible birthdays and $r$ test inputs, we can have the result on birthday collision possibility.

First, $-x-x^2 \le \ln(1-x)\le -x$ for $0 \le x \le \dfrac{1}{2}$. Then when $r \le \dfrac{n}{2}$, substituting $x = \dfrac{j}{n}$ for $j \in \lbrack 1, r-1\rbrack$ and summing gives $-\dfrac{(r-1)r}{2n}-\dfrac{r^3}{3n^2}\le \sum\limits^{r-1}_{j=1}\ln(1-\dfrac{j}{n})\le -\dfrac{(r-1)r}{2n}$.

Exponentiating both sides, $e^{-\frac{(r-1)r}{2n}-\frac{r^3}{3n^2}}\le \prod\limits^{r-1}_{j=1}(1-\dfrac{j}{n})\le e^{-\frac{(r-1)r}{2n}}$. Let $\lambda = \dfrac{r^2}{2n}$; we have $e^{-\lambda}e^{\frac{c_1}{\sqrt n}}\le \prod\limits^{r-1}_{j=1}(1-\dfrac{j}{n}) \le e^{-\lambda} e^{\frac{c_2}{\sqrt{n}}}$, where $c_1 = \sqrt{\dfrac{\lambda}{2}} - \dfrac{(2\lambda)^{\frac{3}{2}}}{3}$ and $c_2=\sqrt{\dfrac{\lambda}{2}}$.

It is easy to see that $\lambda \le \dfrac{n}{8}$. Then $\prod\limits^{r-1}_{j=1} (1-\dfrac{j}{n}) \approx e^{-\lambda}$.

Requiring the collision probability to reach $\dfrac{1}{2}$ gives $e^{-\lambda} = \dfrac{1}{2}$, i.e. $\lambda = \ln 2$, or $r \approx \sqrt{2\ln 2}\sqrt{n} \approx 1.1774 \sqrt n$. Thus $r$ has a bound in $O(\sqrt n)$.

Consider 2 groups of people, where each object is chosen at most once within a group. The probability of exactly $i$ matches is $\Big(\dfrac{r^2}{n} \Big)^i \dfrac{e^{-\frac{r^2}{n}}}{i!}$, a Poisson approximation stated here without proof.

In this way, we can attack a hash function $h$ by hashing about $O(\sqrt n)$ random inputs $x$ and looking for a collision among the digests.

## Improved Birthday Attack

We can borrow the idea of Pollard’s rho by setting $x_i = h(x_{i-1})$ and $x_{2i} = (h \circ h)(x_{2(i-1)})$. As soon as $x_{i} = x_{2i}$, the sequence has entered a cycle, and a collision pair can be recovered from the steps leading into it.

This decreases the storage necessary by iterating over computation results.
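A sketch of this cycle-based collision search (Python; the 16-bit truncated SHA-256 is a toy stand-in chosen so the cycle is short, and the seed value is arbitrary):

```python
import hashlib

def h(x: bytes) -> bytes:
    """Toy hash: SHA-256 truncated to 16 bits, so collisions are cheap."""
    return hashlib.sha256(x).digest()[:2]

def rho_collision(seed: bytes = b"seed"):
    # Phase 1: Floyd cycle detection on x_i = h(x_{i-1}), constant memory.
    tortoise, hare = h(seed), h(h(seed))
    while tortoise != hare:
        tortoise, hare = h(tortoise), h(h(hare))
    # Phase 2: walk from the seed and the meeting point in lockstep;
    # stop one step before they meet, yielding two distinct preimages.
    t, m = seed, hare
    while h(t) != h(m):
        t, m = h(t), h(m)
    return t, m   # t != m (the 4-byte seed is never a 2-byte digest), h(t) == h(m)
```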

# MD Construction

On designing hash functions, we have difficulty as:

• Infinite number of possible input.
• Finite number of possible output.

The conclusion: any hash function has an infinite number of collisions, by the pigeonhole principle.

MD Construction is a method to convert a hash function on string of fixed length into a hash function accepting arbitrary input length.

If the original hash function is collision resistant, so is the constructed one.

## Definitions

A compression function is a function $g$ defined by $g:\lbrace 0,1\rbrace^{m+t}\longrightarrow \lbrace 0,1\rbrace ^m$, $t \ge 1$.

Iterated hash function is a hash function constructed by iteratively applying a compression function.

Let $x \parallel y$ be the concatenation of $x$ and $y$. We denote the $k$-fold concatenation $x \parallel \dots \parallel x$ as $x^k$.

Let $a$ be an integer, then $(a)_2$ is its binary representation.

The MD construction has the form
$$\begin{array}{ccccc} x_1 & x_2 & \dots & x_k \parallel 0^d & (d)_2\newline \downarrow & \downarrow & & \downarrow & \downarrow\newline y_1 & y_2 & \dots & y_k & y_{k+1} \end{array}$$
where each $y_i$ is fed in turn into the chain of compression functions $0^{m+1} \longrightarrow g \longrightarrow g \longrightarrow \dots \longrightarrow g \longrightarrow h(x)$:

• Split $x$ into $k = \Big\lceil \dfrac{n}{t-1}\Big\rceil$ blocks
• Set $y_k = x_k \parallel 0^d$, $y_{k+1} = (d)_2$
• $z_1 = g(0^{m+1}\parallel y_1)$, $z_{i+1} = g(z_i \parallel 1 \parallel y_{i+1})$
• $h(x) = z_{k+1}$
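A byte-level sketch of this construction (Python; bytes instead of bits for brevity, with a marker byte playing the role of the $0/1$ separator bit — the parameters `M`, `T` and the inner `g` are illustrative):

```python
import hashlib

M, T = 4, 3   # g : M+T bytes -> M bytes

def g(block: bytes) -> bytes:
    """Stand-in compression function built from truncated SHA-256."""
    assert len(block) == M + T
    return hashlib.sha256(block).digest()[:M]

def md_hash(x: bytes) -> bytes:
    step = T - 1                                    # payload bytes per block
    blocks = [x[i:i + step] for i in range(0, len(x), step)] or [b""]
    d = step - len(blocks[-1])                      # padding length
    blocks[-1] += b"\x00" * d                       # y_k = x_k || 0^d
    blocks.append(d.to_bytes(step, "big"))          # y_{k+1} = (d)_2
    z = g(b"\x00" * M + b"\x00" + blocks[0])        # z_1, marker byte 0
    for y in blocks[1:]:
        z = g(z + b"\x01" + y)                      # z_{i+1}, marker byte 1
    return z
```

The marker byte makes the first application of `g` distinguishable from later ones, mirroring the $0^{m+1}$ versus $z_i \parallel 1$ prefixes used in the bit-level proof.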

## MD Theorem

Let $g$ be collision resistant compression function $\lbrace 0,1\rbrace^{m+t}\longrightarrow \lbrace 0,1\rbrace^m$, with $t\ge 2$. Then MD construction is a collision resistant hash function.

Suppose we have a collision on $h$, which means $x \neq x’$ and $h(x) = h(x’)$, we can prove that a collision on $g$ can also be efficiently found.

First, let $d$ and $d’$ be the padding lengths, and let $k + 1$ and $k’ + 1$ denote the number of $y$-blocks for $x$ and $x’$, respectively.

1. Consider $x \ne x’$ with $|x| \not\equiv |x’|\pmod {(t-1)}$. Then $d\ne d’$ and $y_{k+1}\ne y_{k’+1}’$. We then have

\begin{aligned} g(z_k\parallel 1 \parallel y_{k+1}) &= z_{k+1} = h(x)\newline &=h(x’) =z_{k’+1}’\newline &=g(z_{k’}’\parallel 1\parallel y_{k’+1}’) \end{aligned}
which is a collision on $g$ since $y_{k+1}\ne y_{k’+1}’$.

2. Consider 2 cases

1. $|x| \equiv |x’| \pmod {(t-1)}$ with $k=k’$. This implies $y_{k+1} = y_{k’+1}’$, then we have
\begin{aligned} g(z_k\parallel 1 \parallel y_{k+1}) &= z_{k+1} = h(x)\newline &=h(x’) =z_{k+1}’\newline &=g(z_{k}’\parallel 1\parallel y_{k+1}’) \end{aligned}
If $z_k \ne z_k’$ then a collision is found, otherwise we repeat the process and find the collision point.

2. $|x| \equiv |x’| \pmod {(t-1)}$ with $k\ne k’$. WLOG assume $k’ > k$, then proceed as previous 2.1 solution.

If no collision is found before reaching the first block, consider

\begin{aligned} g(0^{m+1}\parallel y_1) &= z_1\newline &= z_{k’-k+1}’\newline &=g(z_{k’-k}’\parallel 1\parallel y_{k’-k+1}’) \end{aligned}

By construction, the $(m+1)^{\text{st}}$ bit of the input is 0 on the left-hand side while it is 1 on the right-hand side, so a collision on $g$ is found.

# Secure Hash Algorithm

Currently, SHA-0 and SHA-1 are broken; SHA-3 has been standardized as a safer alternative.

If the message is $x$, we append a 1 bit to $x$, then append $0^d$ where $d$ is chosen so that $|x| + 1 + d \equiv -64 \pmod {512}$, then append $|x|$ in base 2 over 64 bits.

In this way, the padded value $y$ is of form $x \parallel 1 \parallel 0^d\parallel |x|_{2,64}$. By construction $|y|\equiv 0\pmod {512}$. Break $y$ into $k = \Big\lfloor \dfrac{|x|}{512}\Big\rfloor + 1$ blocks.

## SHA-1 Algorithm

\begin{aligned} &\text{Input: }x\text{ a bit string}\newline &\text{Output: }h(x)\text{, where }h\text{ is SHA-1}\newline &H_0\leftarrow 67452301; H_1\leftarrow EFCDAB89; H_2\leftarrow 98BADCFE;\newline &H_3\leftarrow 10325476; H_4\leftarrow C3D2E1F0;\newline &d \leftarrow (447 - |x|) \pmod {512};\newline &y \leftarrow (x \parallel 1 \parallel 0^d\parallel (|x|)_2);\newline &\text{for }i\leftarrow 1 \text{ to }k\text{ do}\newline &\phantom{“”””}H_0,H_1,H_2,H_3,H_4\leftarrow \text{compress}(H_0, H_1,H_2,H_3,H_4,y_i)\newline &\text{end for}\newline &\text{return } H_0\parallel H_1\parallel H_2\parallel H_3\parallel H_4 \end{aligned}

## Compression Function

The functions $f_0,\dots,f_{79}$ are defined by
$$f_{i}(B,C,D) = \begin{cases} (B \wedge C) \vee (\neg B\wedge D) & 0 \le i \le 19\newline B\oplus C \oplus D & 20 \le i \le 39\newline (B \wedge C )\vee (B \wedge D)\vee (C \wedge D) & 40 \le i \le 59\newline B \oplus C \oplus D & 60 \le i \le 79 \end{cases}$$
The constants $K_0,\dots,K_{79}$ are defined by
$$K_i = \begin{cases} 5A827999 & 0 \le i \le 19\newline 6ED9EBA1 & 20 \le i \le 39\newline 8F1BBCDC & 40 \le i \le 59\newline CA62C1D6 & 60 \le i \le 79 \end{cases}$$
The algorithm goes like
\begin{aligned} &\text{Input: 32-bit values }H_0,\dots,H_4, \text{512-bit block }y\newline &\text{Output: 32-bit values }H_0,\dots, H_4\newline &\text{Function compress}(H_0,\dots,H_4,y):\newline &\phantom{“”””}\text{split }y\text{ into }16\text{ words }W_0,\dots,W_{15};\newline &\phantom{“”””}\text{for }i\leftarrow 16\text{ to }79\text{ do}\newline &\phantom{“”””}\phantom{“”””}W_i\leftarrow ROTL^1(W_{i-3}\oplus W_{i-8}\oplus W_{i-14}\oplus W_{i-16})\newline &\phantom{“”””}\text{end for}\newline &\phantom{“”””}A\leftarrow H_0;B \leftarrow H_1;\dots E \leftarrow H_4;\newline &\phantom{“”””}\text{for }i\leftarrow 0\text{ to }79\text{ do}\newline &\phantom{“”””}\phantom{“”””}T \leftarrow ROTL^5(A) + f_i(B,C,D)+E + W_i + K_i;\newline &\phantom{“”””}\phantom{“”””}E \leftarrow D;D \leftarrow C;\newline &\phantom{“”””}\phantom{“”””}C \leftarrow ROTL^{30}(B);\newline &\phantom{“”””}\phantom{“”””}B \leftarrow A;A\leftarrow T;\newline &\phantom{“”””}\text{end for}\newline &\phantom{“”””}H_0\leftarrow H_0 + A; H_1 \leftarrow H_1 + B;\dots H_4 \leftarrow H_4 + E;\newline &\phantom{“”””}\text{return }H_0,\dots,H_4\newline &\text{end} \end{aligned}
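The whole algorithm can be written as a short runnable sketch and checked against Python's `hashlib`:

```python
import hashlib
import struct

def rotl(x: int, n: int) -> int:
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1(message: bytes) -> str:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Padding: append a 1 bit (0x80), zeros, then the 64-bit big-endian bit length.
    ml = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack(">Q", ml)
    for off in range(0, len(message), 64):
        w = list(struct.unpack(">16I", message[off:off + 64]))
        for i in range(16, 80):           # message schedule with ROTL^1 (SHA-1, not SHA-0)
            w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (rotl(a, 5) + f + e + w[i] + k) & 0xFFFFFFFF, a, rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)

# sha1(b"abc") -> 'a9993e364706816aba3e25717850c26c9cd0d89d'
```

This is a pedagogical transcription, not a performant or side-channel-safe implementation; use `hashlib` in practice.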

VE475 Cryptography Note 3 https://nomadtype.ninja/2019/06/13/crypto-3-note/ 2019-06-13T01:11:11.000Z 2020-10-12T18:47:55.705Z

All info comes from Manuel’s slides on Lecture 3.

# Public-Key Cryptosystem

Encryption depends on a public key $K$ and decryption depends on a secret key $K’$.

Finding $K’$ when knowing $K$ is computationally infeasible.

# One-Way Function

Function easy to evaluate but hard to invert, or so to say:

• it is easy to calculate $y=f(x)$ given $x$
• but given $y$ in the range of $f$, it is hard to find $x$ such that $f(x) = y$

The requirement for encrypting with such one-way function $E$:

• $E$ must be injective
• There must be some secret that allows inverting $E$; without it, finding $E^{-1}$ succeeds only with negligible probability, so only the intended recipient can decrypt

## Trapdoor One-Way Function

A trapdoor one-way function is a one-way function that becomes easy to invert given a certain extra piece of knowledge, the trapdoor.

Not every one-way function is a trapdoor one-way function, since an efficiently computable $E^{-1}$ may not be known to anyone.

# Some Abstract Algebra

graph LRsubgraph Fieldsubgraph Integral Domainsubgraph Commutative Ringsubgraph Ringsubgraph Abelian Groupsubgraph GroupA1["Closed Operation (Addition)"] --- A2["Associativity (Assoc of Add)"]A1 --- A3["Exist a unit element (Add unit 0)"]A1 --- A4["Existence of Inverse (Additive Inverse)"]endA1 --- A5["Commutativity (of Addition)"]endM1 --- M3["Distributivity (a * (b + c))"]A1 --- M3M1["Closed Operation (Multiplication)"] --- M2["Associativity (Assoc of Mult)"]endM1 --- M4["Commutativity (of Mult)"]endM1 --- M5["Existence of a unit element (Mult unit 1)"]M6[No zero divisors] --- M1endM5 --- F1["2 different unit elements (0 != 1)"]F1 --- A3M1 --- F2["Existence of Inverse (Exists inverse of mult for F\{0})"]end

## Group

A group is a pair $(G, \circ)$ consisting of a set $G$ and an operation $\circ:G\times G\to G$ (closed operation) with properties

• Associativity: $\forall a,b,c \in G, a \circ (b \circ c) = (a\circ b)\circ c$
• Existence of a unit element: $\exists e \in G, \forall a \in G, a\circ e = e\circ a = a$
• Existence of inverse: $\forall a \in G, \exists a^{-1} \in G, a\circ a^{-1} = a^{-1}\circ a = e$

### Abelian Group

An Abelian Group is a group with property

• Commutativity: $\forall a,b\in G, a\circ b = b\circ a$

## Ring

A ring is a triple $(R, +,\cdot)$ consisting of a set $R$ and two binary operations $+,\cdot: R\times R \to R$ (closed operations) with properties

• $(R, +)$ is an abelian group
• Associativity: $\forall a,b,c\in R, a\cdot (b\cdot c) = (a\cdot b)\cdot c$
• Distributivity: $\forall a,b,c\in R, a \cdot (b+c) = (a\cdot b) + (a\cdot c), (b+c)\cdot a = (b\cdot a) + (c\cdot a)$

### Commutative Ring

A commutative ring is a ring with property

• Commutativity: $\forall a,b\in R, a\cdot b = b\cdot a$

### Integral Domain

An integral domain is a commutative ring with properties

• Existence of unit element: for multiplication, $\exists 1 \in R, \forall a \in R, a\cdot 1=1\cdot a = a$
• No zero divisors: if $a\cdot b = 0$ for $a,b\in R$, then either $a=0$ or $b=0$

## Field

A field is an integral domain, with additive unit element 0 and multiplicative unit element 1, satisfying the properties

• $0\neq 1$
• Existence of inverse: $\forall a\in F\backslash\lbrace 0\rbrace,\exists a^{-1}, a\cdot a^{-1}= a^{-1}\cdot a= 1$

Another way to write the definition is that $(F,+,\cdot)$ is a field with properties

• $(F, +)$ is an abelian group
• $(F \backslash \lbrace 0\rbrace,\cdot)$ is an abelian group
• $0\neq 1$
• $\cdot$ distributes over $+$

## Integers Modulo n

Let $n$ be an integer and $\mathbb{Z} / n\mathbb{Z}$ be the set of integers modulo $n$.

• $(\mathbb{Z} / n \mathbb{Z},+)$, also denoted $(\mathbb{Z}_n,+)$, is a group
• $(\mathbb{Z}/n\mathbb{Z}, +,\cdot)$ is a ring
• If $n$ prime, then $(\mathbb{Z}/n\mathbb{Z},+,\cdot)$ is a field $\mathbb{F}_n$
• $(\mathbb{Z}/n\mathbb{Z}\lbrack X\rbrack, +,\cdot)$ is the ring of polynomials over $\mathbb{Z} / n \mathbb{Z}$
• If $n$ prime and the polynomial $P(X)$ is irreducible over $\mathbb{F}_n$, then $(\mathbb{F}_n\lbrack X\rbrack / \langle P(X)\rangle,+,\cdot)$ is a field
• The invertible elements of $\mathbb{Z}/n\mathbb{Z}$ w.r.t $\cdot$ form a group denoted $U(\mathbb{Z}/n\mathbb{Z})$ or $\mathbb{Z}_n^\times$ or $\mathbb{Z}_n^\ast$ (operation is $\cdot$)

## Order

Let $G$ be a group

• The order of $G$ is $|G|$
• The order of $g\in G$ is the smallest positive integer $m$ such that $g^m = 1$
• An element of order equal to the order of group is called a primitive element or a generator
• For $\mathbb{Z} / n\mathbb{Z}$, Euler’s totient function $\varphi(n)$ counts the number of invertible elements, that is, the number of $k$ with $1\le k\le n$ such that $\gcd(n,k)=1$

Let $p$ be prime and $\alpha$ as generator of $G = U(\mathbb{Z}/p\mathbb{Z})$. Then $\forall \beta\in G$ can be written $\beta = \alpha^i, 1\le i\le p -1$.

Noting $d=\gcd(i, p-1)$, we have $\beta^{\frac{p-1}{d}} = (\alpha^i)^{\frac{p-1}{d}}=\alpha^{\frac{i}{d}(p-1)}=1$, since $d\mid i$.

Moreover $\dfrac{p-1}{d}$ is the smallest such exponent because $d = \gcd(i,p-1)$, so the order of $\beta$ is $\dfrac{p-1}{d}$.

## CRT and Ring Isomorphism

Recalling the CRT discussed in chapter 2, a system of congruences with pairwise coprime moduli has a unique solution modulo the product of all the moduli.

We can reformulate the problem into form like: Let $n$ be a positive integer with prime decomposition $n = \prod\limits_i p_i^{e_i}$. Then there exists ring isomorphism between $\mathbb{Z}/n\mathbb{Z}$ and $\prod\limits_i \mathbb{Z}/p_i^{e_i}\mathbb{Z}$.

We can get $U(\mathbb{Z}/n\mathbb{Z}) \cong U(\prod\limits_i \mathbb{Z}/p_i^{e_i}\mathbb{Z})$ by previous ring isomorphism.

Notice that the non-invertible elements of $\mathbb{Z}/p_i^{e_i}\mathbb{Z}$ are of the form $kp_i$ for some integer $k$. Conversely, an element that is not invertible mod $n$ is a multiple of some $p_i$.

Therefore $U(\mathbb{Z}/n\mathbb{Z}) \cong U(\prod\limits_i \mathbb{Z}/p_i^{e_i}\mathbb{Z})\cong \prod\limits_i U(\mathbb{Z}/p_i^{e_i}\mathbb{Z})$.

## Lagrange’s Theorem

Previously $\varphi(n)$ is defined as $|U(\mathbb{Z}/n\mathbb{Z})|$. Then we can see some properties of such function

• For $m,n$ coprime integers, $\varphi(mn)=\varphi(m)\varphi(n)$.
• If $m,n$ are distinct primes, then $\varphi(mn) = (m-1)(n-1)$.

Lagrange’s Theorem states that: Let $G$ be a finite group and $H$ be a subgroup of $G$. Then $\text{ord}(H)|\text{ord}(G)$.

$\forall x \in G$, $x$ generates a subgroup of order $\text{ord}_G x$; it follows that the order of every element of $G$ divides $\text{ord}(G)$.

Thus we can have $\varphi(n) = |U(\mathbb{Z} / \prod\limits_{i\in P} p_{i}^{e_i} \mathbb{Z})| = \prod\limits_{i\in P} |U(\mathbb{Z} / p_i^{e_i} \mathbb{Z})| = \prod\limits_{i\in P} (p_i - 1)\times p_i^{e_i-1} = \prod\limits_{i \in P} p_i^{e_i}\times\frac{p_i - 1}{p_i} = n \prod\limits_{p | n} (1 - \frac{1}{p})$.
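The closing product formula can be sanity-checked against a direct count; a minimal sketch, factorizing $n$ by trial division (fine for toy sizes):

```python
from math import gcd

def phi_count(n: int) -> int:
    """phi(n) by definition: count k in [1, n] with gcd(n, k) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(n, k) == 1)

def phi_formula(n: int) -> int:
    """phi(n) = n * prod_{p | n} (1 - 1/p), in exact integer arithmetic."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            result -= result // p        # multiply result by (1 - 1/p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:                            # leftover prime factor
        result -= result // m
    return result
```

For example $\varphi(12) = 12\cdot\frac{1}{2}\cdot\frac{2}{3} = 4$, matching the direct count $\lbrace 1,5,7,11\rbrace$.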

## Euler’s Theorem (Extended FLT)

Let $a$ and $n$ be two coprime integers, then $a^{\varphi(n)}\equiv 1\pmod n$.

Recall Fermat’s Little Theorem (FLT): for $p$ prime and $p\nmid a$, $a^{p-1}\equiv 1\pmod p$. Euler’s Theorem extends this to any pair of coprime integers.

Proof: Based on Lagrange’s Theorem, we can say $\forall a \in G = U(\mathbb{Z}/ n \mathbb{Z}), \text{ord}_G a = k$ and $k | \varphi(n)$.

Then $a^{\varphi(n)}\equiv a^{\text{ord}_G a} \equiv 1\pmod n$.

## Finding Primitive Elements / Generators

Let $p > 2$ be prime and $\alpha \in U(\mathbb{Z}/p\mathbb{Z})$. Then $\alpha$ is a generator for $U(\mathbb{Z} / p\mathbb{Z}) \iff \forall q | (p-1), \alpha^{\frac{p-1}{q}}\not\equiv 1 \pmod p$.
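The criterion translates directly into code; trial-division factoring of $p-1$ is assumed to be feasible for these toy sizes:

```python
def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(alpha: int, p: int) -> bool:
    """alpha generates U(Z/pZ) iff alpha^((p-1)/q) != 1 mod p for every prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))
```

For $p = 7$ this finds exactly the generators $3$ and $5$, consistent with there being $\varphi(p-1) = \varphi(6) = 2$ of them.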

### Corollary

Still, let $\alpha$ be a generator for $U(\mathbb{Z} / p\mathbb{Z})$, we have

• Let $n$ be an integer. $\alpha^{n-1}\equiv 1\pmod p \iff n\equiv 0\pmod{(p-1)}$.
• Let $j$ and $k$ be two integers. $\alpha^{j}\equiv \alpha^{k}\pmod{p}\iff j\equiv k\pmod{(p-1)}$.

Order and factorization: Let $x$ be an element of even order $r$ in $U(\mathbb{Z} / n\mathbb{Z})$. By definition $x^r \equiv 1 \pmod {n}$, i.e. $n\mid(x^r - 1) = (x^{r/2}-1)(x^{r/2}+1)$. If $x^{r/2}\not\equiv -1\pmod n$, then $\gcd{(x^{r/2}-1,n)}$ and $\gcd{(x^{r/2}+1,n)}$ yield non-trivial factors of $n$.

Knowing $n$’s factorization gives $\varphi(n)$, which is discussed in Lagrange’s Theorem part. We can use this method to check if $x$ is a generator.

## Square roots modulo p

For $p$ an odd prime and $a$ such that $a\not\equiv 0\pmod p$, $a^{\frac{p-1}{2}}\equiv\pm 1\pmod p$.

$a$ is a square mod $p\iff a^{\frac{p-1}{2}}\equiv 1\pmod p$.

Proof: Let $y\equiv a^{\frac{p-1}{2}}\pmod p$ and apply FLT: $y^2 \equiv a^{p-1}\equiv 1\pmod p$. Therefore $y^2 - 1\equiv (y - 1)(y + 1)\equiv 0\pmod p$.

Since $p$ prime, all elements but 0 are invertible. Thus $y \equiv\pm 1\pmod p$.

Let $g$ be a generator mod $p$ and write $a \equiv g^j$ for some $j$. If $j$ is even, then $a^{\frac{p-1}{2}}\equiv 1\pmod p$.

## Legendre Symbol

Given $p$ be odd prime, and $a\not\equiv 0\pmod p$, define Legendre symbol by $\Big(\dfrac{a}{p}\Big)=\begin{cases} +1 & \text{if }a\text{ is a square mod }p\newline -1 & \text{if }a\text{ is not a square mod }p\end{cases}$

Then we can get some features and properties like

• If $a\equiv b\pmod p$, then $\Big(\dfrac{a}{p}\Big)=\Big(\dfrac{b}{p}\Big)$.
• If $a\not\equiv 0\pmod p$, then $\Big(\dfrac{a}{p}\Big)\equiv a^{\frac{p-1}{2}}\pmod p$.
• If $ab\not\equiv 0\pmod p$, then $\Big(\dfrac{ab}{p}\Big)=\Big(\dfrac{a}{p}\Big)\Big(\dfrac{b}{p}\Big)$.
• If $p\equiv 1\pmod 4$, then $-1$ is a square mod $p$.
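The second property (Euler's criterion) gives a direct way to compute the symbol; a sketch for an odd prime $p$ and $p\nmid a$:

```python
def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for odd prime p, p not dividing a, via Euler's criterion."""
    r = pow(a, (p - 1) // 2, p)
    return 1 if r == 1 else -1          # r is 1 or p-1 (i.e. -1 mod p)
```

For $p = 11$ the squares are $\lbrace 1,3,4,5,9\rbrace$, and multiplicativity can be observed on e.g. $a = 6 = 2\cdot 3$.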

## Jacobi Symbol

Given $n=\prod\limits_i p_i^{e_i}$ an odd integer and $a$ a non-zero integer coprime to $n$, define Jacobi symbol by $\Big(\dfrac{a}{n}\Big)_J = \prod\limits_i\Big(\dfrac{a}{p_i}\Big)^{e_i}_L$, where each of $\Big(\dfrac{a}{p_i}\Big)_L$ is a Legendre symbol.

Let $n$ be an odd integer

• $a\equiv b\pmod n$ and $\gcd{(a,n)}=1$, then $\Big(\dfrac{a}{n}\Big)_J = \Big(\dfrac{b}{n}\Big)_J$.
• $\text{gcd}{(ab,n)}=1$, then $\Big(\dfrac{ab}{n}\Big)_J = \Big(\dfrac{a}{n}\Big)_J \Big(\dfrac{b}{n}\Big)_J$.
• $\Big(\dfrac{-1}{n}\Big)_J = (-1)^{\frac{n-1}{2}}$.
• $\Big(\dfrac{2}{n}\Big)_J = \begin{cases} +1 & \text{if }n\equiv 1\text{ or }7\pmod 8\newline -1 & \text{if }n\equiv 3\text{ or }5\pmod{8} \end{cases}$.
• If $m,n$ are odd coprime positive integers, then $\Big(\dfrac{m}{n}\Big)_J=\begin{cases} -\Big(\dfrac{n}{m}\Big)_J & \text{if }m\equiv n\equiv3\pmod 4\newline +\Big(\dfrac{n}{m}\Big)_J & \text{otherwise}\end{cases}$.

# RSA Cryptosystem

The basic idea is to know two primes $p,q$, then compute the product $n$ and $\varphi(n)$.

An integer $e$ coprime to $\varphi(n)$ is chosen, we can run the extended Euclidean algorithm to get the $d$ satisfying $ed\equiv 1\pmod{\varphi(n)}$.

Given $e$ and $n$ it is possible to compute $c \equiv m^e\pmod n$ for any integer $m$. Then $c^d\equiv (m^e)^d\equiv m^{ed\pmod{\varphi(n)}}\equiv m\pmod n$.

We can see that $n-\varphi(n) + 1 = pq-(p-1)(q-1) + 1 = p+q$, so $p,q$ are the roots of the quadratic equation $X^2-(n-\varphi(n)+1)X + n = 0$.

Hence $p,q = \dfrac{n - \varphi(n)+1\pm\sqrt{(n-\varphi(n)+1)^2 - 4n}}{2}$. Thus if $\varphi(n)$ can be computed, then $n$ can be factorized.
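This recovery can be sketched with an exact integer square root (the RSA values used in the checks are small illustrative toys):

```python
from math import isqrt

def factor_from_phi(n: int, phi: int):
    """Recover p, q from n = p*q and phi = (p-1)(q-1) via X^2 - (n - phi + 1)X + n = 0."""
    s = n - phi + 1                      # s = p + q
    disc = s * s - 4 * n                 # (p + q)^2 - 4pq = (p - q)^2
    root = isqrt(disc)
    assert root * root == disc, "phi is inconsistent with n"
    return (s - root) // 2, (s + root) // 2
```

For instance $n = 77$, $\varphi(n) = 60$ gives $s = 18$, discriminant $16$, hence $p,q = 7, 11$.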

## Modular Exponentiation

The modular exponentiations can be done in $O((\log n)^2\log d)$ bit operations.
\begin{aligned} &\text{Input: }m\text{ an integer}, d=(d_{k-1}\dots d_0)_2\text{ and }n\text{ two positive integers}\newline &\text{Output: }x=m^d\pmod n\newline &power\leftarrow 1;\newline &\text{for }i\leftarrow k-1\text{ to }0\text{ do }\newline &\phantom{“”””}power\leftarrow (power\cdot power)\pmod n;\newline &\phantom{“”””}\text{if }d_i=1\text{ then }power \leftarrow (m\cdot power)\pmod n;\newline &\text{end for}\newline &\text{return }power \end{aligned}
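The pseudocode above is left-to-right square-and-multiply, which is exactly what Python's built-in three-argument `pow` implements; a direct transcription:

```python
def mod_pow(m: int, d: int, n: int) -> int:
    """Left-to-right square-and-multiply, mirroring the pseudocode above."""
    power = 1
    for bit in bin(d)[2:]:               # d = (d_{k-1} ... d_0)_2, most significant bit first
        power = (power * power) % n      # always square
        if bit == "1":
            power = (m * power) % n      # multiply when the bit is set
    return power
```

In practice one simply calls `pow(m, d, n)`.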

## Faster Decryption

There are 2 practical methods used to accelerate the decryption process.

One is to store $d$ already reduced modulo $\varphi(n)$, which shortens the exponentiation.

The other is to use the CRT to speed up the computation.

Consider $c \equiv m^e\pmod{n}$, then by Euler’s Theorem, we have $e\cdot d \equiv 1\pmod{\varphi(n)}\equiv 1\pmod{(p-1)(q-1)}$. We can see $\begin{cases}e\cdot d\equiv 1\pmod{p-1}\newline e\cdot d\equiv 1\pmod{q-1} \end{cases}$.

Thus $\begin{cases}c^d\equiv m \pmod{p}\newline c^d\equiv m\pmod{q} \end{cases}$ can be achieved. In this way CRT can be applied to get $m$ from such equations.
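A sketch of CRT-based decryption; the recombination step below is Garner's formula, one standard way to merge the two residues (the key values in the checks are illustrative toys):

```python
def crt_decrypt(c: int, d: int, p: int, q: int) -> int:
    """RSA decryption sped up with the CRT: work mod p and mod q, then recombine."""
    mp = pow(c, d % (p - 1), p)          # c^d mod p, exponent reduced mod p-1
    mq = pow(c, d % (q - 1), q)          # c^d mod q, exponent reduced mod q-1
    # Garner recombination: m = mq + q * ((mp - mq) * q^{-1} mod p)
    h = ((mp - mq) * pow(q, -1, p)) % p
    return mq + q * h
```

The two half-size exponentiations are roughly four times cheaper overall than one full-size exponentiation.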

## Prime Generating

There are mainly 2 methods to choose for prime generating:

• Generate a random integer, pick the next prime
• Generate random integers until one of them is prime

### Prime Number Theorem (PNT)

The Prime Number Theorem, $\pi(n)\sim \dfrac{n}{\ln{n}}$, states that in the range $\lbrack 1,n\rbrack$, approximately $\dfrac{n}{\ln{n}}$ integers are prime.

Therefore, at the 1024-bit security level, a random integer is prime with probability about $\dfrac{1}{\ln{2^{1024}}}\approx\dfrac{1}{710}$.

## Solovay-Strassen Primality Test

Recall that $\Big(\dfrac{a}{n}\Big)\equiv a^{\frac{n-1}{2}}\pmod n$ if $n$ is prime and $a\not\equiv 0\pmod n$. However, some $a$ may satisfy this congruence even when $n$ is not prime.

Let $n$ be composite and $A = \lbrace a | \gcd{(a,n)}=1\text{ and }\Big(\dfrac{a}{n}\Big)\equiv a^{\frac{n-1}{2}}\pmod n\rbrace$.

Since $n$ is composite, $\exists b$ such that $\gcd{(b,n)}=1$ and $\Big(\dfrac{b}{n}\Big)\not\equiv b^{\frac{n-1}{2}}\pmod n$. $\forall a \in A, (ab)^{\frac{n-1}{2}} = \Big(\dfrac{a}{n}\Big)b^{\frac{n-1}{2}}\not\equiv \Big(\dfrac{a}{n}\Big)\Big(\dfrac{b}{n}\Big)\pmod n$.

Hence the map $a\mapsto ab$ sends $A$ injectively to elements coprime to $n$ outside $A$, so at most half of the residues coprime to $n$ lie in $A$. A Monte-Carlo algorithm can be composed with $O(k(\log n)^3)$ complexity.
\begin{aligned} &\text{Input: }n\text{ an integer}, k\text{ the number of tests to run}\newline &\text{Output: }n\text{ is composite or probably prime}\newline &\text{for }i \leftarrow 1\text{ to }k\text{ do}\newline &\phantom{“”””}a\leftarrow\text{rand}(2,n-2);\newline &\phantom{“”””}\text{if }\gcd{(a,n)}\neq 1\text{ then return }n\text{ is composite};\newline &\phantom{“”””}x\leftarrow\Big(\dfrac{a}{n}\Big);\newline &\phantom{“”””}y\leftarrow a^{\frac{n-1}{2}}\pmod n;\newline &\phantom{“”””}\text{if }x\not\equiv y\pmod n\text{ then return }n\text{ is composite};\newline &\text{end for}\newline &\text{return }n\text{ is probably prime} \end{aligned}
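A runnable sketch of the test; the Jacobi symbol is computed via the reciprocity properties listed above, and $k$ rounds bound the error probability by $2^{-k}$:

```python
import random
from math import gcd

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                # use (2/n) to strip factors of 2
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                      # reciprocity swap
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def solovay_strassen(n: int, k: int = 20) -> bool:
    """Return False if n is certainly composite, True if probably prime."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for _ in range(k):
        a = random.randrange(2, n - 1) if n > 4 else 2
        if gcd(a, n) != 1:
            return False
        if jacobi(a, n) % n != pow(a, (n - 1) // 2, n):
            return False
    return True
```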

## Miller-Rabin Primality Test

Let $n$ be an odd integer and write $n = 1 + 2^s m$ where $s$ is an integer and $m$ is odd. Then $n$ passes the Miller-Rabin test to base $a$ if $a^m\equiv 1\pmod n$, or $a^{2^j m}\equiv -1\pmod n$ for some $0\leq j \leq s-1$.

If $x^2\equiv 1\pmod n$, then $(x-1)(x+1)\equiv 0\pmod n$. Writing $n - 1 = 2^s m$, we can rewrite $x^{n-1}- 1$ as $x^{2^s m} - 1$ and factor it:

$x^{2^s m} - 1 = (x^m - 1)(x^m + 1)(x^{2m} + 1)\dots(x^{2^{s-1} m} + 1)\equiv 0 \pmod n$; for $n$ prime at least one factor must vanish mod $n$, which is how the test congruences are established.

If $n$ is prime, then $n$ passes Miller’s test to every base $a$ ($1 < a < n$); check the square roots modulo $p$ discussed previously.

If $n$ is composite, then fewer than $\frac{n}{4}$ bases $a$ pass Miller’s test.

A Monte-Carlo algorithm uses $k$ random bases $a$; the probability that a composite $n$ passes all $k$ tests is at most $p_k = \dfrac{1}{4^k}$.
\begin{aligned} &\text{Input: }n \text{ an odd integer}, k\text{ the number of tests to run}\newline &\text{Output: }n \text{ is composite or probably prime}\newline &m\leftarrow \dfrac{n-1}{2};s\leftarrow 1;\newline &\text{while }2\mid m\text{ do }\lbrace m\leftarrow \dfrac{m}{2};s\leftarrow s+1;\rbrace\newline &\text{for }i\leftarrow 1\text{ to }k\text{ do}\newline &\phantom{“”””}a\leftarrow \text{rand}(2,n-2);b\leftarrow 0;\newline &\phantom{“”””}\text{if }\gcd{(a,n)}\neq 1\text{ then return }n\text{ is composite};\newline &\phantom{“”””}a\leftarrow a^m\pmod n;\newline &\phantom{“”””}\text{if }a=\pm1\text{ then continue};\newline &\phantom{“”””}\text{for }j\leftarrow 1\text{ to }s-1\text{ do}\newline &\phantom{“”””””””}a \leftarrow a^2\pmod n;\newline &\phantom{“”””””””}\text{if }a \equiv 1\pmod n\text{ then return }n\text{ is composite};\newline &\phantom{“”””””””}\text{if }a\equiv-1\pmod n\text{ then }b\leftarrow 1;\text{break};\newline &\phantom{“”””}\text{end for}\newline &\phantom{“”””}\text{if }b=1\text{ then continue else return }n\text{ is composite};\newline &\text{end for}\newline &\text{return }n\text{ is probably prime} \end{aligned}
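A compact Python version of the test (randomized, so "probably prime" carries error probability at most $4^{-k}$):

```python
import random

def miller_rabin(n: int, k: int = 20) -> bool:
    """Return False if n is certainly composite, True if probably prime."""
    if n < 2 or n % 2 == 0:
        return n == 2
    # write n - 1 = 2^s * m with m odd
    s, m = 0, n - 1
    while m % 2 == 0:
        s += 1
        m //= 2
    for _ in range(k):
        a = random.randrange(2, n - 1) if n > 4 else 2
        x = pow(a, m, n)
        if x == 1 or x == n - 1:
            continue                     # a is a nonwitness for this round
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # a is a Miller-Rabin witness
    return True
```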

### Witness 75%

First we have a definition about witnesses. We say $a$ is a Miller-Rabin witness for $n$ if all of the congruences are false: $a^m\not\equiv 1\pmod n$ and $a^{2^jm}\not\equiv -1\pmod n, \forall j \in \lbrack 0, s-1\rbrack$.

Thus $a$ is a nonwitness for $n$ if one of the congruences is true: $a^m \equiv 1\pmod n$, or $a^{2^jm}\equiv -1\pmod n$ for some $j \in \lbrack 0, s-1\rbrack$.

An odd prime has no Miller-Rabin witness.

The product of two Miller-Rabin nonwitnesses might not be a nonwitness.

If $n=p^\alpha$, the Miller-Rabin nonwitnesses for $n$ are the solutions to $a^{p - 1}\equiv 1\pmod {p^\alpha}$. These form a group under multiplication mod $n$.

Proof: First, suppose $a \in \lbrack 1,n-1\rbrack$ is a Miller-Rabin nonwitness, by Euler’s Theorem, $a^{p^{\alpha - 1}(p-1)}\equiv 1\pmod {p^\alpha}$. Then by Miller-Rabin nonwitness, $a^{p^\alpha - 1}\equiv 1\pmod{p^\alpha}$.

Consider the $\gcd{(p^\alpha-1,(p-1)p^{\alpha - 1})}$, we get $p-1$. Then $a^{p - 1} \equiv 1\pmod n$.

Then suppose $a^{p-1}\equiv 1\pmod {p^{\alpha}}$. Then we can write $p-1 = 2^f l$ where $f \ge 1$ and $l$ odd. Since $p - 1$ is a factor of $p^\alpha - 1 = 2^e k$, we have $f \le e$ and $l \mid k$.

By $a^{2^f l}\equiv 1 \pmod {p^\alpha}$, the order of $a^l$ is $2^j$ for some $j \in \lbrack 0, f\rbrack$.

• If the order $j = 0$, then it is nonwitness of Miller-Rabin test.

• If $j \ge 1$, then $x = (a^{l})^{2^{j - 1}}$ satisfies $x \not\equiv 1\pmod {p^\alpha}$ but $x^2 \equiv 1 \pmod {p^\alpha}$. Then $p^\alpha\mid (x+1)(x-1)$; since $x-1$ and $x+1$ differ by 2, at most one of them can be divisible by $p$, so $p^\alpha$ divides that one, forcing $x\equiv -1\pmod{p^\alpha}$.

Since $(a^l)^{2^{j-1}}\equiv -1\pmod {p^{\alpha}}$, $l \mid k$, then $(a^k)^{2^{j-1}}\equiv -1\pmod {p^\alpha}$. $j - 1 \in \lbrack 0, f-1\rbrack \subset\lbrack 0, e-1\rbrack$. $\square$


## RSA Attack

Suppose $e,d$ are known; then $n$ can be efficiently factorized. Indeed, $a^{ed - 1}\equiv 1 \pmod n$ for any $a$ coprime to $n$, so we can search for a non-trivial square root of 1 modulo $n$.

Rewrite $ed - 1= 2^s m$ then define $b_0 = a^m$ and $b_{i+1} = b_i^2 \pmod n$. Recall square root modulo, we know if $b_{i+1} \equiv 1\pmod n$ and $b_i \equiv \pm 1\pmod n$, then $n \mid b_i + 1$ or $n \mid b_i-1$.

If $b_i\not\equiv\pm 1\pmod n$, interesting things happen: writing $b_i \equiv k \pmod n$, we get $(k-1)(k+1)\equiv 0\pmod n$, so $\gcd{(k-1,n)}$ and $\gcd{(k+1, n)}$ are non-trivial factors of $n$.

### RSA Problem

Let $n$ be a large integer and $e > 0$ coprime to $\varphi(n)$. Given $y$ in $U(\mathbb{Z}/n\mathbb{Z})$, compute $x$ such that $x^e\equiv y \pmod n$.

## Pollard’s Rho Algorithm

One idea to remove all small factors consists in computing $\gcd{(n,P)}$ where $P = \prod\limits_{p < B} p$. This is efficient against small prime factors, but useless against large ones.

Let $n$ be a composite integer with an unknown prime factor $p\le \sqrt n$. Define the function $f:\mathbb{Z}/n\mathbb{Z}\to\mathbb{Z}/n\mathbb{Z}$, $f(x) = x^2+ 1\pmod n$.

Recursively define a sequence $(x_k)$ by $x_0=2,x_{k+1}=f(x_k), k\in\mathbb{N}$. The sequence must at some point produce a repeated value and enter a cycle.

We hope the cycle contains two or more elements with same remainder modulo $p$: $x_i \equiv x_j \pmod p$. In this case, $\gcd{(x_i-x_j,n)}$ is a factor of $n$.

In summary the result can be evaluated as $\gcd{(x_i - x_j,n)} =\begin{cases} n &\text{if }x_i=x_j\newline 1 & \text{if }x_i\not\equiv x_j\pmod p, \forall p \text{ as factor of }n\newline t & \text{if }x_i \equiv x_j\pmod p, \text{where }p\mid t,t\mid n \end{cases}$

The algorithm now uses a pair of sequences $(x_k),(y_k)$ with $\begin{cases}x_0 = 2\newline x_{k+1} = f(x_k)\end{cases}$ and $\begin{cases}y_0 = 2\newline y_{k+1}=f(f(y_k)) \end{cases}$. At each step $k$, $\gcd{(x_k - y_k, n)}$ is evaluated.
\begin{aligned} &\text{Input: }n, \text{a composite integer}, f(x) = x^2 + 1\pmod n.\newline &\text{Output: }d\text{ a non-trivial factor of }n,\text{ or failure}.\newline &a\leftarrow 2;b\leftarrow 2;\newline &\text{repeat}\newline &\phantom{“”””}a\leftarrow f(a);b\leftarrow f(f(b));\newline &\phantom{“”””}d \leftarrow \gcd{(a-b,n)};\newline &\text{until }d \neq 1;\newline &\text{if }d=n\text{ then}\newline &\phantom{“”””}\text{return failure}\newline &\text{else}\newline &\phantom{“”””}\text{return }d\newline &\text{end if} \end{aligned}
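A direct transcription using Floyd's cycle detection; it returns $n$ itself on failure, in which case a different $f$ or starting point can be tried:

```python
from math import gcd

def pollard_rho(n: int) -> int:
    """Floyd cycle-finding on f(x) = x^2 + 1 mod n; returns a factor of n (n on failure)."""
    f = lambda x: (x * x + 1) % n
    a = b = 2                            # x_0 = y_0 = 2
    d = 1
    while d == 1:
        a = f(a)                         # tortoise: one step
        b = f(f(b))                      # hare: two steps
        d = gcd(a - b, n)
    return d
```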

The role of $f$ is to “randomly” choose numbers in $\mathbb{Z}/n\mathbb{Z}$. It should be a polynomial so that $f(f(x\bmod n))\bmod n = f(f(x))\bmod n$.

### Complexity

Suppose the algorithm selects random numbers $x_i,x_j\in\mathbb{Z}/n\mathbb{Z}$ for comparison of their remainders.

Suppose any given number between $0$ and $n$ has an equal probability $\dfrac{1}{p}$ of having a remainder $m$ modulo $p$ ($0 \le m < p$): $P\lbrack x_k\pmod p = m\rbrack = \dfrac{1}{p}$. Then $P\lbrack x_i\not\equiv x_j\pmod p\rbrack = \dfrac{p-1}{p}$.

Suppose $x_0,\dots,x_{k-1}$ have $k$ distinct remainders modulo $p$; then $x_k$ has a remainder different from all of them with probability $\dfrac{p-k}{p}$.

Thus having all $k + 1$ remainders modulo $p$ distinct has probability $P_k = P\lbrack x_i\not\equiv x_j\pmod p, i, j\in \lbrack 0,k\rbrack, i\neq j \rbrack = \prod\limits_{i\in\lbrack 0,k\rbrack} \dfrac{p-i}{p} = \dfrac{p!}{(p-k-1)!\, p^{k+1}}$.

If we want a repeated remainder with probability $1- P_k > \dfrac{1}{2}$, then $k > 1.177\sqrt p$ suffices. This means with probability $>\dfrac{1}{2}$ the algorithm finds a repeated remainder modulo $p$ within $O(\sqrt p)$ steps; since $p\le\sqrt n$, this gives $O(n^{\frac{1}{4}})$ complexity.

## RSA-OAEP

Textbook RSA is not CCA secure; some improvement can be applied.

Generate: $p,q,n,e,d$ and two random oracles $G,H:\lbrace 0,1\rbrace^{2l}\to\lbrace 0,1\rbrace^{2l}$.

Encrypt $m\in\lbrace 0,1\rbrace^l$:

• Pick a random $r \in \lbrace 0,1\rbrace^{2l}$
• Set $m’=m \parallel 0^l$
• Compute $m’’=(G(r)\oplus m’)\parallel (r\oplus H(G(r)\oplus m’))$
• $c = (m’’)^e\pmod n$

Decrypt ciphertext $c$:

• $m’’ = c^d\pmod n$
• $m’’ = m_1 \parallel m_2$
• Recover $r = H(m_1) \oplus m_2$
• Recover $m’ = m_1 \oplus G(r)$
• If the $l$ last bits are not $0^l$ output error
• Otherwise read $m$ off $m’ = m \parallel 0^l$

# Discrete Logarithm Problem

Let $\mathbb{F}_q$ be a finite field, with $q=p^n$ for a positive integer $n$. Given $\alpha$ generator of $G$, a subgroup of $\mathbb{F}^\ast_q$ and $\beta\in G$, find $x$ such that $\beta = \alpha^x\in\mathbb{F}_q$.

$x$ is restricted to $0\le x < \text{ord}_{\mathbb{F}_q^\ast}(\alpha)$ since $x$ is unique only up to congruence $\mod {|G|}$.

## Pollard Rho Again

Let $\alpha$ be a generator of a group $G$ of prime order $p$. Any element of $G$ can be written $\alpha^a\beta^b$ for some $a,b\in\mathbb{N}$ and $\beta\in G$.

Assume a collision $x = y$, i.e. $\alpha^{a_1}\beta^{b_1} = \alpha^{a_2}\beta^{b_2}$. We rewrite it as $\beta^{b_1-b_2} = \alpha^{a_2-a_1}$. Taking $\log_\alpha$ of both sides leads to $(b_1 - b_2)\log_\alpha\beta \equiv a_2 - a_1\pmod p$.

So long as $p\nmid (b_1 - b_2)$ we get $\log_\alpha\beta \equiv (a_2-a_1)(b_1-b_2)^{-1}\pmod p$.

The goal of the Pollard Rho algorithm is to find such a collision $x = y$. We partition $G = S_1\cup S_2\cup S_3$ into three sets of approximately the same size, based on some easily testable property.

Define $f = \begin{cases} \beta x&x\in S_1\newline x^2 &x \in S_2\newline \alpha x & x \in S_3 \end{cases}$, $g(a,x) = \begin{cases} a & x \in S_1 \newline 2a\pmod p & x \in S_2 \newline a + 1 \pmod p & x \in S_3 \end{cases}$, $h(b,x) = \begin{cases} b+1 \pmod p & x \in S_1 \newline 2b \pmod p & x \in S_2 \newline b & x \in S_3 \end{cases}$.

The functions $f,g,h$ are defined so that the progression of $x$ and $y$ appears “random”.

\begin{aligned} &\text{Input: }\alpha\text{ a generator of }G,\text{ a group of prime order }p\text{ and }\beta\in G,f,g,h\newline &\text{Output: }\log_\alpha\beta\text{ or failure}\newline &a_1 \leftarrow 0; b_1\leftarrow 0;a_2\leftarrow 0;b_2\leftarrow 0;x\leftarrow 1;y\leftarrow 1;\newline &\text{repeat}\newline &\phantom{“”””}a_1\leftarrow g(a_1,x);b_1 \leftarrow h(b_1,x);\newline &\phantom{“”””}x\leftarrow f(x);\newline &\phantom{“”””}a_2\leftarrow g(g(a_2,y),f(y));b_2 \leftarrow h(h(b_2,y),f(y));\newline &\phantom{“”””}y\leftarrow f(f(y));\newline &\text{until }x = y;\newline &r \leftarrow b_1-b_2\pmod p;\newline &\text{if }r \neq 0\text{ then return }r^{-1}(a_2 - a_1)\pmod p;\newline &\text{else return failure};\newline \end{aligned}

## Diffie-Hellman Key Exchange

Alice and Bob publicly agree on parameter:

• $G$ a group of order $p$
• $\alpha$ a generator of $G$

Alice and Bob each generate a random secret exponent, $x$ and $y$ respectively. They send each other $\alpha^x$ and $\alpha^y$. Each then computes $\alpha^{xy} = (\alpha^y)^x = (\alpha^x)^y$, the shared key.
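A toy run of the exchange; the parameters $p = 23$, $q = 11$, $\alpha = 2$ are illustrative only (real deployments use standardized groups of 2048+ bits):

```python
import random

# Toy parameters: p = 2q + 1 with q prime; 2 has order 11 mod 23,
# so alpha generates the subgroup of prime order q.
p, q, alpha = 23, 11, 2

x = random.randrange(1, q)               # Alice's secret exponent
y = random.randrange(1, q)               # Bob's secret exponent
A = pow(alpha, x, p)                     # Alice sends alpha^x
B = pow(alpha, y, p)                     # Bob sends alpha^y

key_alice = pow(B, x, p)                 # (alpha^y)^x
key_bob = pow(A, y, p)                   # (alpha^x)^y
assert key_alice == key_bob == pow(alpha, x * y, p)
```

An eavesdropper sees only `A` and `B`; recovering the key from them is exactly the CDH problem below.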

## Diffie-Hellman Problem

Solving the DLP breaks the Diffie-Hellman key exchange protocol. However, it is not necessary to solve the DLP to compute $\alpha^{xy}$.

Computational Diffie-Hellman (CDH): given $\alpha^x,\alpha^y$, for some unknown integer $x,y$, compute $\alpha^{xy}$.

Decisional Diffie-Hellman (DDH): given $\alpha^x,\alpha^y$, decide whether or not some $c\in G$ is equal to $\alpha^{xy}$.

No direct way of computing $\alpha^{xy}$ from $\alpha^x$ and $\alpha^y$ alone is known; the obvious attack solves the DLP to get $x$ from $\log_\alpha \alpha^x$ first, then computes $(\alpha^y)^x$.

While solving DLP implies solving CDH, it is not known whether or not solving CDH solves DLP.

### Elgamal Cryptosystem

$G$ a group of prime order $p$, $\alpha$ a generator of $G$.

Bob picks a secret number $x$ and publishes $\beta = \alpha^x \pmod p$.

Encryption:

• $r = \alpha^k\pmod p$ for some random integer $k$.
• $t \equiv \beta^k m$ where $m$ is message.
• Send $c = \langle r,t\rangle$.

Decryption:

• Compute $t r^{-x}\equiv \beta^k m(\alpha^k)^{-x}\equiv m\pmod p$.
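The scheme above can be sketched with toy parameters; the prime 467 and base 2 below are illustrative only:

```python
import random

def elgamal_keygen(p: int, alpha: int):
    """Bob's key: secret x, public beta = alpha^x mod p."""
    x = random.randrange(2, p - 1)
    return x, pow(alpha, x, p)

def elgamal_encrypt(m: int, beta: int, p: int, alpha: int):
    """Encrypt 0 < m < p as c = <r, t> = <alpha^k, beta^k * m>."""
    k = random.randrange(2, p - 1)
    return pow(alpha, k, p), (pow(beta, k, p) * m) % p

def elgamal_decrypt(r: int, t: int, x: int, p: int):
    """Recover m = t * r^{-x} mod p; r^{-x} = r^{p-1-x} by FLT."""
    return (t * pow(r, p - 1 - x, p)) % p
```

Note the malleability: $\langle r, 2t\rangle$ decrypts to $2m$, which is the multiplicative structure the CCA below exploits.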

Solving CDH is equivalent to breaking Elgamal.

In CDH, we have to use $\alpha^a,\alpha^b$ to compute $\alpha^{ab}$. Set $\beta =\alpha^a,r=\alpha^b$ and pick any $t$; a decryption oracle returns $m\equiv tr^{-a}\equiv t\alpha^{-ab}$, from which $\alpha^{ab}\equiv tm^{-1}$.

### CCA on Elgamal

By definition, an Elgamal ciphertext is $c = \langle r,t\rangle = \langle \alpha^k,\beta^k m\rangle$. Construct a message $m’$ and compute $c’’=\langle r\alpha^{k’},t\beta^{k’}m’\rangle$.

Decrypting $c’’$ gives $m’’ = (r\alpha^{k’})^{-x}t\beta^{k’}m’ = (\alpha^{k+k’})^{-x}\beta^{k+k’} m m’ = mm’$. Compute $m=m’’ m’^{-1}$.

VE475 Cryptography Note 2 https://nomadtype.ninja/2019/05/30/crypto-2-note/ 2019-05-30T13:36:46.000Z 2020-10-12T18:47:55.705Z

All info comes from Manuel’s slides on Lecture 2.

# Block Cipher

A block cipher is composed of 2 co-inverse functions:
\begin{aligned} E:\lbrace 0,1\rbrace^n\times\lbrace0,1\rbrace^k&\to\lbrace 0,1\rbrace^n& D:\lbrace 0,1\rbrace^n\times\lbrace0,1\rbrace^k&\to\lbrace 0,1\rbrace^n\\ (P,K)&\mapsto C&(C,K)&\mapsto P \end{aligned}
where $n,k$ means the size of a block and key respectively.

The goal is, given a key $K$, to design an invertible function $E(\cdot, K)$ whose output cannot be distinguished from a random permutation over $\lbrace 0, 1\rbrace^n$.

## Mode ECB

Electronic Codebook mode follows the basic principle:

• Split the plaintext in blocks of size $n$.
• Encrypt each block with a function $E$ and a key $K$.

\begin{aligned} b_1&&b_2&&b_3&&\dots&&b_n\\ \Bigg\downarrow&&\Bigg\downarrow&&\Bigg\downarrow&&&&\Bigg\downarrow\\ E_k&&E_k&&E_k&&\dots&&E_k\\ \Bigg\downarrow&&\Bigg\downarrow&&\Bigg\downarrow&&&&\Bigg\downarrow\\ c_1&&c_2&&c_3&&\dots&&c_n \end{aligned}

The limitation of ECB mode: if a block is repeated several times in the message, the repetition is visible in the ciphertext, since every block is encrypted with the same $K$.
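The ECB weakness is easy to demonstrate. The "cipher" below is a hypothetical toy permutation on bytes standing in for $E_K$:

```python
# Toy demonstration of the ECB weakness: identical plaintext blocks yield
# identical ciphertext blocks. E is a hypothetical toy byte permutation
# standing in for a real block cipher (not secure).
def E(block, key):
    return (block * 167 + key) % 256   # affine permutation of Z_256 (167 is odd)

key = 42
plaintext = [7, 7, 99, 7]              # the block value 7 repeats
ciphertext = [E(b, key) for b in plaintext]

# Repeats in the plaintext are directly visible in the ciphertext:
assert ciphertext[0] == ciphertext[1] == ciphertext[3]
assert ciphertext[0] != ciphertext[2]
```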

## Mode CBC

Cipher Block Chaining mode has the following structure of encryption
$$\newcommand{\da}[1]{\bigg\downarrow\raise.5ex\rlap{\scriptstyle#1}} \begin{array}{ccccccccc} &&&&b_0&&&&b_1&&&&b_2&&&&\dots&&&&b_n\newline &&&&\Big\downarrow&&&&\Big\downarrow&&&&\Big\downarrow&&&&&&&&\Big\downarrow\newline IV&&\to&&\oplus&&&&\oplus&&&&\oplus&&&&&&&&\oplus\newline &&&&\da{E_k}&&\nearrow&&\da{E_k}&&\nearrow&&\da{E_k}&&\nearrow&&&&\nearrow&&\da{E_k}\newline &&&&c_0&&&&c_1&&&&c_2&&&&&&&&c_n \end{array}$$

and the structure of decryption of
$$\newcommand{\da}[1]{\bigg\downarrow\raise.5ex\rlap{\scriptstyle#1}} \begin{array}{ccccccccc} &&&&c_0&&&&c_1&&&&c_2&&&&\dots&&&&c_n\newline &&&&\da{E_k^{-1}}&&\searrow&&\da{E_k^{-1}}&&\searrow&&\da{E_k^{-1}}&&\searrow&&&&\searrow&&\da{E_k^{-1}}\newline IV&&\to&&\oplus&&&&\oplus&&&&\oplus&&&&&&&&\oplus\newline &&&&\da{}&&&&\da{}&&&&\da{}&&&&&&&&\da{}\newline &&&&b_0&&&&b_1&&&&b_2&&&&&&&&b_n \end{array}$$
Encryption has to be done sequentially, so it cannot be parallelized. The next mode removes this limitation.

## Mode CTR

$$\newcommand{\da}[1]{\bigg\downarrow\raise.5ex\rlap{\scriptstyle#1}} \begin{array}{ccccccccc} ct &&&& ct+1 &&&& ct+2 &&&& \dots &&&& ct+n\newline &&&& \da{E_k} &&&& \da{E_k} &&&& &&&& \da{E_k}\newline &&b_1\longrightarrow&&\oplus&&b_2\longrightarrow&&\oplus&&&&&&b_n\longrightarrow&&\oplus\newline &&&&\da{}&&&&\da{}&&&&&&&&\da{}\newline &&&&c_1&&&&c_2&&&&&&&&c_n \end{array}$$

CTR stands for counter: for each block, a fresh counter value is encrypted and then XORed with the block value. Blocks can be processed in parallel.
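A minimal CTR sketch, with a hypothetical toy PRF standing in for $E_K$ (toy parameters, not secure):

```python
# Sketch of CTR mode: encrypt the counter, XOR with the block. Each block
# is independent, hence parallelizable. E is a hypothetical toy PRF on bytes.
def E(counter, key):
    return (counter * 197 + key * 31) % 256

def ctr_xcrypt(blocks, key, ct):
    # Encryption and decryption are the same operation in CTR mode.
    return [b ^ E(ct + i, key) for i, b in enumerate(blocks)]

pt = [10, 20, 30, 40]
ct0 = 77
enc = ctr_xcrypt(pt, key=5, ct=ct0)
assert ctr_xcrypt(enc, key=5, ct=ct0) == pt   # decryption recovers plaintext
```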

# Randomness Definition

We apply the Kolmogorov randomness definition here, with $x$ be a string

• We say that $x$ is random $\iff$ no program shorter than $x$ can produce it, in any language.
• The entropy of $x$ is the minimum number of bits necessary to describe $x$.

Thus, a random string of length $k$ cannot be compressed in any way, therefore it has entropy $k$.

# Fermat’s Little Theorem

Let $p\in\mathbb{N}, a\in\mathbb{Z}$. If $p$ is prime and $p\nmid a$, then $a^{p-1}\equiv1\text{ mod }p$.

We can try the proof like that:

Consider $S=\lbrace 1,2,\dots,p-1\rbrace$ and form $a\cdot S=\lbrace 1\cdot a,2\cdot a,\dots,(p-1)\cdot a\rbrace$. Is $a\cdot S\equiv S\text{ mod }p$?

Suppose not; then $a\cdot v_0\equiv a\cdot v_1\text { mod }p$ for some $1 \le v_0 < v_1\le p-1$. Since $\text{gcd}(a,p)=1$, this gives $v_0\equiv v_1\text{ mod }p$, which means $v_0=v_1$, a contradiction.

Thus $a\cdot S\equiv S\text{ mod }p$. In this way, we can have
$$\prod (a\cdot S)=(\prod_{i=1}^{p-1}i)\cdot a^{p-1}\equiv (\prod^{p-1}_{i=1}i)\text{ mod }p$$
But every $i \in S$ satisfies $p\nmid i$, so the product is invertible mod $p$ and can be cancelled, giving $a^{p-1}\equiv 1\text{ mod }p$.
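Both the theorem and the permutation step of the proof can be checked numerically:

```python
# Numeric check of Fermat's Little Theorem and of the permutation argument
# a·S ≡ S (mod p) used in its proof.
p, a = 13, 5
S = set(range(1, p))
assert {a * v % p for v in S} == S       # a·S is a permutation of S mod p

for q in (5, 13, 97):
    for b in range(1, q):
        assert pow(b, q - 1, q) == 1     # b^{q-1} ≡ 1 (mod q)
```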

# Chinese Remainder Theorem

Let $m_1, \dots,m_k\in\mathbb{N}\backslash\lbrace 0\rbrace$ be pairwise relatively prime and $a_1,\dots,a_k\in\mathbb{Z}$. Then the system of congruences
$$\begin{cases} x&&\equiv && a_1\text{ mod }m_1,\newline x&&\equiv && a_2\text{ mod }m_2,\newline &&\vdots\newline x&&\equiv && a_k\text{ mod }m_k. \end{cases}$$
has a unique solution modulo $M= \prod\limits^{k}_{i=1} m_i$.

Then we setup a table here to see what is required:
$$\begin{array}{c|c|c|c} a_i & m_i & M_i & t_i\newline & & \dfrac{M}{m_i} & t_i\cdot M_i\equiv 1\mod m_i \end{array}$$
The solution space is $\lbrace cM+\sum\limits^{k}_{i=1}a_i t_iM_i\rbrace$ where $c\in\mathbb{Z}$.
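The table above translates directly into a small solver (requires Python 3.8+ for `pow(x, -1, m)`):

```python
# Minimal CRT solver following the table: t_i · M_i ≡ 1 (mod m_i).
from math import prod

def crt(residues, moduli):
    M = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        t_i = pow(M_i, -1, m_i)      # modular inverse of M_i mod m_i
        x += a_i * t_i * M_i
    return x % M

# x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7)  ->  x = 23
assert crt([2, 3, 2], [3, 5, 7]) == 23
```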

# Squares Modulo Prime

Lemma: If $p\equiv 3\mod 4$ is prime, then equation $x^2\equiv -1\pmod p$ has no solution.

Proof: Suppose $x$ exists, then by Fermat’s Little Theorem, $(x^2)^{\frac{p-1}{2}}\equiv x^{p-1}\equiv 1\pmod p$.

But $p\equiv 3\mod 4$ implies $\frac{p-1}{2}$ is odd, so $(x^2)^{\frac{p-1}{2}}\equiv(-1)^{\frac{p-1}{2}}\equiv -1\pmod p$, a contradiction.

## Proposition

Let $p\equiv 3 \mod 4$ be prime, $y$ be an integer and $x\equiv y^{\frac{p+1}{4}}\pmod p$.

• If $y$ has a square root mod $p$, then its square roots are $\pm x\pmod p$.
• If $y$ has no square root mod $p$, then the square roots of $-y$ are $\pm x\pmod p$.

Proof: According to Fermat’s Little Theorem, we get $x^4 \equiv y^{p+1}\equiv y^2\pmod p$.

According to Bezout Theorem, since $p$ prime, then for all non zero elements, there exists multiplicative inverse.

Therefore we rewrite previous eq into $(x^2 - y)(x^2+y)\equiv 0\pmod p$ implies $x^2\equiv\pm y\pmod p$.

Consider exists $a$ and $b$ satisfying at the same time that $y\equiv a^2\pmod p$ and $-y\equiv b^2\pmod p$.

Then $(b^{-1} a)^2\equiv -1\pmod p$, then this contradicts lemma.

Hence exactly one of $y$ and $-y$ has square roots, namely $\pm x\pmod p$.
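The proposition gives a one-line square-root computation for $p\equiv 3\pmod 4$; the toy values below are for illustration:

```python
# Square roots modulo p ≡ 3 (mod 4) via x = y^{(p+1)/4}, per the proposition.
p = 23                       # 23 ≡ 3 (mod 4)
y = 13
x = pow(y, (p + 1) // 4, p)

# Exactly one of y, -y is a quadratic residue; x is a root of that one.
if x * x % p == y % p:
    assert pow(p - x, 2, p) == y % p     # the other root is -x
else:
    assert x * x % p == (-y) % p
```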

# BBS Generator

BBS Generator is a Pseudo-Random Bits Generator.

• Let $p,q$ be 2 large primes with $p\equiv q\equiv 3\pmod 4$.
• Set $n=p\cdot q$.
• Choose a random integer $x$ coprime to $n$.
• Define $\begin{cases}x_0&\equiv x^2\pmod n\\\vdots\\x_{i+1}&\equiv x^2_{i}\pmod{n}\end{cases}$
• At each iteration, choose the least significant bit of $x_i$.
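The steps above can be sketched directly; the primes here are hypothetical toy values (real use requires large primes, since a small $n$ is trivially factorable):

```python
# Toy Blum-Blum-Shub generator. p, q are toy primes, both ≡ 3 (mod 4).
from math import gcd

p, q = 11, 19
n = p * q                    # n = 209

def bbs_bits(seed, count):
    x = seed * seed % n      # x_0 = x^2 mod n
    bits = []
    for _ in range(count):
        x = x * x % n        # x_{i+1} = x_i^2 mod n
        bits.append(x & 1)   # least significant bit of x_i
    return bits

seed = 3
assert gcd(seed, n) == 1     # seed must be coprime to n
out = bbs_bits(seed, 8)
assert len(out) == 8 and set(out) <= {0, 1}
```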

## Proposition

Let $n=p\cdot q$ with $p,q$ follow BBS Generator requirements.

Let $x\equiv \pm a,\pm b\pmod n$ be the four solutions to $x^2\equiv y\pmod n$.

Then $\gcd(a-b,n)$ is a non-trivial factor of $n$.

## Building Block Cipher

A random oracle is a “black box” that returns a truly uniform random output on an input.

Submitting the same input always leads to the same output.

Pseudorandom function emulates a random oracle.

A pseudorandom function that cannot be distinguished from a random permutation is a pseudorandom permutation. A block cipher is modeled as a pseudorandom permutation.

# Feistel Network - DES

This is just one node of Feistel network.
$$\require{AMScd} \begin{CD} L_0 @. R_0\newline @V VV @V VV\newline \oplus@<F_K<< R_0\newline @V VV @V VV\newline R_1 @.L_1 \end{CD}$$

• The size of a block: $2n$ bits
• Split the block into 2 blocks of $n$ bits each
• $F:\lbrace 0,1\rbrace^n\times\lbrace 0,1\rbrace^k\to\lbrace 0, 1\rbrace^n$

Then we define function \begin{aligned}\Psi_F: \lbrace 0,1\rbrace^{2n}&\to\lbrace 0,1\rbrace^{2n}\newline \lbrack L, R\rbrack&\mapsto\lbrack R, L\oplus F(R,K)\rbrack\end{aligned}

## Inverse Function

$\forall F$, $\Psi_F$ is a bijection and $\Psi_F^{-1}=\sigma\circ\Psi_F\circ\sigma$, with \begin{aligned}\sigma:\lbrace 0,1\rbrace^{2n}&\to\lbrace 0,1\rbrace^{2n}\newline\lbrack L,R\rbrack&\mapsto\lbrack R,L\rbrack\end{aligned}

This can be shown by definition that $\Psi_F\lbrack L_0,R_0\rbrack = \lbrack R_0,L_0\oplus F(R_0,K)\rbrack=\lbrack L_1,R_1\rbrack$.

Thus \begin{aligned} \sigma\circ\Psi_F\circ\sigma \lbrack L_1,R_1\rbrack &=\sigma\circ \Psi_F\lbrack R_1,L_1\rbrack\newline &= \sigma\circ\Psi_F\lbrack L_0\oplus F(R_0,K),R_0\rbrack\newline &=\sigma\lbrack R_0, L_0\oplus F(R_0,K)\oplus F(R_0,K)\rbrack\newline &=\lbrack R_0, L_0\rbrack \end{aligned}
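The round function $\Psi_F$ and its inverse $\sigma\circ\Psi_F\circ\sigma$ can be checked on toy values; `F` is a hypothetical round function (any $F$ works, it need not be invertible):

```python
# One Feistel round Ψ_F and its inverse σ∘Ψ_F∘σ, checked on toy byte values.
def F(r, k):
    return (r * 131 + k) & 0xFF      # hypothetical, non-invertible round function

def psi(L, R, k):
    return R, L ^ F(R, k)            # [L, R] -> [R, L ⊕ F(R, K)]

def sigma(L, R):
    return R, L                      # swap halves

def psi_inv(L, R, k):
    return sigma(*psi(*sigma(L, R), k))   # σ∘Ψ_F∘σ

L0, R0, k = 0x3A, 0xC5, 7
assert psi_inv(*psi(L0, R0, k), k) == (L0, R0)
```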

## Attack

Setting up 2 black boxes, a random oracle and a Feistel network, the goal for an attack is to distinguish them.
$$\begin{array}{c|rrr} \text{Rounds} & \text{KPA} & \text{CPA} & \text{CPCA} \newline \hline 1 & 1 & 1 & 1 \newline 2 & O(\sqrt{2^n}) & 2 & 2 \newline 3 & O(\sqrt{2^n}) & O(\sqrt{2^n}) & 3\newline 4 & O(2^n) & O(\sqrt{2^n}) & O(\sqrt{2^n}) \end{array}$$

### Two rounds - CPA

For simplicity, we denote $\Psi_{F_{K_2}}\circ\Psi_{F_{K_1}}$ by $\Psi_{F_{K_1},F_{K_2}}^2$. $\Psi_{F_{K_1},F_{K_2}}^2\lbrack L_0, R_0\rbrack = \lbrack L_2, R_2\rbrack$ with $\begin{cases} L_2 &=L_0\oplus F_{K_1}(R_0)\newline R_2&= R_0\oplus F_{K_2}(L_2)\end{cases}$ ($L_2 = R_1$ which can be seen in previous part).

Thus the inverse of $\Psi_{F_{K_1},F_{K_2}}^2$ is $\Psi_{F_{K_1},F_{K_2}}^{-2} = \Psi_{F_{K_1}}^{-1}\circ\Psi_{F_{K_2}}^{-1} = \sigma\circ\Psi_{F_{K_2},F_{K_1}}^2\circ\sigma$.

If we use $m_1 = \lbrack m_{1_L}, m_{1_R}\rbrack$ and $m_2=\lbrack m_{2_L},m_{2_R}\rbrack$ such that $\begin{cases} m_{1_L}\neq m_{2_L}\newline m_{1_R}=m_{2_R}\end{cases}$, we can see $\begin{cases}m_1 &\Rightarrow \begin{cases} R_2 &= m_{1_R}\oplus F_{K_2}(L_2)\newline L_2 &=m_{1_L}\oplus F_{K_1}(m_{1_R})\end{cases}\newline m_2 &\Rightarrow \begin{cases}R_2 &= m_{2_R}\oplus F_{K_2}(L_2)\newline L_2 &=m_{2_L}\oplus F_{K_1}(m_{2_R})\end{cases}\end{cases}$.

Since $m_{1_R}=m_{2_R}$, the outputs satisfy $m_{1_{L_2}}\oplus m_{2_{L_2}} =m_{1_L}\oplus m_{2_L}$, a relation that holds only with negligible probability for a random permutation. Distinguishing a 2-round Feistel network therefore takes just 2 chosen plaintexts.
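The 2-round CPA distinguisher can be sketched with a hypothetical toy round function `F`:

```python
# CPA distinguisher for a 2-round Feistel network: pick two messages with
# equal right halves; the XOR of the output left halves then equals the XOR
# of the input left halves, which almost never holds for a random permutation.
def F(r, k):
    return (r * 131 + k) & 0xFF      # hypothetical toy round function

def psi(L, R, k):
    return R, L ^ F(R, k)

def feistel2(L, R, k1, k2):
    return psi(*psi(L, R, k1), k2)

k1, k2 = 7, 99
mL1, mL2, mR = 0x11, 0x42, 0xAB      # same right half mR for both messages
o1L, o1R = feistel2(mL1, mR, k1, k2)
o2L, o2R = feistel2(mL2, mR, k1, k2)

# The tell-tale relation of a 2-round Feistel network:
assert o1L ^ o2L == mL1 ^ mL2
```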

### Two rounds - KPA

Find a collision over $m_{i_R}$, where $1 \le i \le 2^n$. By the birthday paradox, this requires $O(\sqrt{2^n})$ messages.

If a collision is found for $m_j$ and $m_i$, check if $m_{j_{L_2}}\oplus m_{i_{L_2}}=m_{j_{L_0}}\oplus m_{i_{L_0}}$.

As in the previous 2-round CPA part, a collision on the right halves gives $m_{i_{L_2}}=m_{i_{L_0}}\oplus F_{K_1}(m_{i_{R_0}})$ for the 2 messages.

Fixing $m_{i_{L_2}}$, $m_{i_{L_0}}$ and $m_{i_{R_0}}$, the uncertain value is $m_{j_{L_2}}$, since it depends on $F_{K_1}$, which can take $2^n$ different values.

If we collect $l$ known plaintext-ciphertext pairs, then $\dfrac{l(l-1)}{2}$ pairs can be formed, so a right-half collision occurs with probability about $\dfrac{l(l-1)}{2\cdot 2^n}$.

### Three rounds - CPCA

$\Psi^3_{F_{K_1},F_{K_2},F_{K_3}} \lbrack L_0, R_0\rbrack=\lbrack L_3,R_3\rbrack$ with $\begin{cases} L_3 &=R_0\oplus F_{K_2}(L_2)\newline R_3&=L_2\oplus F_{K_3}(L_3)\end{cases}$ and $L_2=L_0\oplus F_{K_1}(R_0)$.

Notice for a pair of messages $(m_a, m_b)$, $\begin{cases}m_{a_{R_0}} = m_{b_{R_0}} &\Rightarrow m_{a_{L_2}}\oplus m_{b_{L_2}} = m_{a_{L_0}}\oplus m_{b_{L_0}}\newline m_{a_{L_2}} = m_{b_{L_2}} &\Rightarrow m_{a_{L_3}}\oplus m_{b_{L_3}} = m_{a_{R_0}}\oplus m_{b_{R_0}}\newline m_{a_{L_3}} = m_{b_{L_3}} &\Rightarrow m_{a_{R_3}}\oplus m_{b_{R_3}} = m_{a_{L_2}}\oplus m_{b_{L_2}}\newline\end{cases}$ can be used to verify.

The attack strategy is constructed then by taking $m_1$, $m_2$, $m_3$ satisfying $\begin{cases} m_{2_{R_0}} &=m_{1_{R_0}}\newline m_{3_{L_3}} &=m_{2_{L_3}}\newline m_{3_{L_2}} &=m_{1_{L_2}} \end{cases}$ where a graph can be formed like

graph LRsubgraph attackA((m1))B((m2))C((m3))A ---|R0| BB ---|L3| CA ---|L2| Cend

From the previous equation sets we get $\begin{cases} m_{2_{R_0}} &=m_{1_{R_0}}\newline m_{3_{L_3}} &=m_{2_{L_3}}\newline m_{3_{R_3}} &=m_{2_{R_3}}\oplus m_{1_{L_0}} \oplus m_{2_{L_0}} \end{cases}$ ($m_{1_{L_2}}\oplus m_{2_{L_2}} = m_{1_{L_0}}\oplus m_{2_{L_0}} = m_{1_{R_3}}\oplus m_{2_{R_3}}$)

Finally, $m_{3_{R_0}} = m_{1_{L_3}} \oplus m_{3_{L_3}} \oplus m_{1_{R_0}}$.

# AES - Encryption

graph TDA(Plaintext) --> B(Add Round Key)style A fill:#87afffB --> Csubgraph Rounds 1 to 9C(Sub Bytes) --> D(Shift Rows)D --> E(Mix Columns)E --> F(Add Round Key)F -->|1 to 9| Csubgraph Round 10C --> H(Shift Rows)H --> FendendF --> G(Ciphertext)style G fill:#ffd700

There are 128 bits, grouped into 16 bytes, and arranged into a $4\times 4$ matrix: $\begin{bmatrix} a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3}\newline a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3}\newline a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \newline a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3}\end{bmatrix}$. (Plaintext is arranged in order $a_{0,0}, a_{1,0},a_{2,0},a_{3,0},a_{0,1}\dots$)

## Finite Field

Loosely speaking, a set where addition and multiplication operations are defined and where every non-zero element is invertible for multiplication is called a field.

For each prime $p$ and positive integer $n$ there exists a finite field with $p^n$ elements, denoted $\mathbb{F}_{p^n}$.

Polynomials can also be defined over finite fields. The main difference relies on the coefficients: their values are taken in the base field.

A polynomial that, in a field, cannot be written as the product of two polynomials of lower degree is said to be irreducible.

If it has a root in the field, then it cannot be irreducible (for degree at least 2).

$\mathbb{F}_2\lbrack X\rbrack$, $X^2+3X + 1 = X^2 + X + 1$.

$\mathbb{F}_5\lbrack X\rbrack$, $X^3 + X + 3 = (X + 4)(X ^ 2 + X + 2)$ is not irreducible.

$\mathbb{F}_{17}\lbrack X\rbrack$, $X^3 + X + 3$ is irreducible.

### Theorem on Non-Prime Fields

We can construct a non-prime field from a prime field.

Let $P(X)$ be an irreducible polynomial of degree $n$ in $\mathbb{F}_p\lbrack X \rbrack$, and $F$ be the set of all polynomial of degree less than $n$. Then $F$ is a finite field with $p^n$ elements.

Proof: $F$ has $p^n$ elements since $n$ monomials and $p$ different values taken.

Assume $A(X),B(X),C(X)$ are non-zero polynomials in $F$ with $B(X)\neq C(X)$ and $A(X)B(X)\equiv A(X)C(X)\pmod{P(X)}$. This implies $P(X)\mid A(X)(B(X) - C(X))$, while both factors have degree less than $n$, contradicting the irreducibility of $P(X)$.

Hence multiplication by any non-zero $A(X)$ is injective on the finite set $F$, thus surjective: for every non-zero $A(X)$ in $F$ there exists $B(X)$ satisfying $A(X)B(X)\equiv 1\pmod{P(X)}$.

We denote these non-prime fields as $\mathbb{F}_{p^n} = \mathbb{F}_p\lbrack X\rbrack / \langle P(X)\rangle$.

## Finite Fields in AES

Finite fields are used in AES as follows:

• $P(X) = X^8+X^4+X^3+X+1$ is irreducible over $\mathbb{F}_2\lbrack X\rbrack$.
• The polynomial is described as a byte $a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0$.
• The sum of 2 polynomials $a$ and $b$ is the bitwise XOR $a\oplus b$, with bits $a_i\oplus b_i$ for $0\le i\le 7$.
• Multiplying a polynomial $Q(X)$ by $X$:
• Shift left the byte representation of $Q(X)$ and append a $0$.
• If the bit shifted out is $0$, then stop. Otherwise XOR with the bit representation of $P(X)$. (since in that case the left shift of $Q(X)$ equals $P(X) + Q’(X)$ with $\deg Q’ < 8$)
• Multiplying $Q(X)$ by $R(X)$:
• Split $R(X)$ into monomials $M_i(X), i\le\deg R(X)$.
• For each $M_i(X)$, apply multiplication by $X$ a total of $\deg M_i(X)$ times.
• Add all results using XOR.
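The shift-and-reduce procedure above can be sketched in Python; the test values are the standard FIPS-197 examples:

```python
# GF(2^8) multiplication with the AES polynomial, following the
# shift-and-reduce procedure above.
P = 0x11B                        # X^8 + X^4 + X^3 + X + 1

def xtime(q):                    # multiply Q(X) by X
    q <<= 1
    if q & 0x100:                # a degree-8 term appeared: reduce by P(X)
        q ^= P
    return q

def gf_mul(q, r):                # multiply Q(X) by R(X), monomial by monomial
    acc = 0
    for i in range(8):
        if r & (1 << i):         # monomial X^i present in R(X)
            m = q
            for _ in range(i):   # apply multiplication by X, i times
                m = xtime(m)
            acc ^= m             # add all results using XOR
    return acc

assert gf_mul(0x57, 0x83) == 0xC1   # FIPS-197 worked example
assert gf_mul(0x57, 0x13) == 0xFE   # FIPS-197 worked example
```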

## S-Box SubBytes Layer

S-Box can be generated by:

• Compute $b = a^{-1}$ on $\mathbb{F}_{2^8}$ or set $b=0$ if $a=0$.

• Represent $b$ as a column vector $B = (b_0,\dots,b_7)$.

• Compute
$$\begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1\newline 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1\newline 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1\newline 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1\newline 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0\newline 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0\newline 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0\newline 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{pmatrix} \cdot \begin{pmatrix} b_0 \newline b_1 \newline b_2\newline b_3 \newline b_4 \newline b_5 \newline b_6 \newline b_7 \end{pmatrix} + \begin{pmatrix} 1 \newline 1 \newline 0 \newline 0 \newline 0\newline 1 \newline 1 \newline 0 \end{pmatrix} = \begin{pmatrix} c_0 \newline c_1 \newline c_2\newline c_3 \newline c_4 \newline c_5 \newline c_6 \newline c_7 \end{pmatrix}$$

## ShiftRows Layer

Cyclically shift row $i$, $0 \le i \le 3$, to the left by offset $i$.

## Mix Columns Layer

Let the original matrix be $A$, then the output is $C(X)\cdot A$ where $C(X) =\begin{pmatrix} 2 & 3 & 1 & 1\newline 1& 2 & 3 & 1\newline 1 & 1 & 2 & 3\newline 3 & 1 & 1 & 2\end{pmatrix}$.

The inverse $C(X)^{-1} = \begin{pmatrix} 14& 11& 13& 9 \newline 9& 14& 11& 13 \newline13& 9&14& 11 \newline 11& 13& 9 & 14\end{pmatrix}$.

The roundkey is generated by a $4\times4$ matrix $K(X)$.

Label the first four columns $K(0),\dots,K(3)$ and add $40$ more:

• $K(i) = K(i-4)\oplus K(i-1)$ for $i\not\equiv 0\pmod 4$
• $K(i) = K(i-4)\oplus T(K(i-1))$ for $i\equiv 0\pmod 4$

The transformation $T(K(i-1))$ is defined over column $i$:

• Compute $r(i) = 00000010^{\frac{i-4}{4}}$
• Cyclically shift the elements of the column up by 1: $(a,b,c,d)^{T}\to(b,c,d,a)^{T}$
• Apply S-box to each byte of the column
• Finally the column vector $T(K(i-1))=(s(b)\oplus r(i),s(c),s(d),s(a))^{T}$
VE475 Cryptography Note 1 https://nomadtype.ninja/2019/05/21/crypto-1-note/ 2019-05-21T09:57:55.000Z 2020-10-12T18:47:55.705Z

All info comes from Manuel’s slides on Lecture 1.

# Five Main Types of Attacks

• Ciphertext only: Attacker has only a copy of the ciphertext
• Known Plaintext Attack: Attacker has a copy of ciphertext and corresponding plaintext
• Chosen Plaintext Attack: Attacker chooses the plaintext to be encrypted.
• Chosen Ciphertext Attack: Attacker chooses the ciphertext to be decrypted.
• Chosen Plaintext and Ciphertext Attack: Attacker chooses any plaintext to be encrypted or ciphertext to be decrypted.

By XORing the message with a random key of the same length, it is practically impossible to decrypt the ciphertext without the key.

Consider the previous attack methods, the breaking results turn out to be

• Ciphertext only: every plaintext of the same length remains possible.
• KPA/CCA/CPA: only reveals the part of the key used during the attack. (since the key here is a stream of bits XORed with the message)

# Hill Cipher

First we should have a look at the inverse of matrix of $m\times m$ size, consider $m=2$ or $3$:
$$A\equiv\begin{pmatrix}a&b\\c&d\end{pmatrix}, A^{-1}\equiv\dfrac{1}{\mid A\mid}\begin{pmatrix}d&-b\\-c&a\end{pmatrix}\\ A\equiv\begin{pmatrix}a_{11}&a_{12}&a_{13}\\a_{21}&a_{22}&a_{23}\\a_{31}&a_{32}&a_{33}\end{pmatrix},A^{-1}\equiv\dfrac{1}{\mid A\mid}\begin{pmatrix}\begin{vmatrix}a_{22}&a_{23}\\a_{32}&a_{33}\end{vmatrix}&\begin{vmatrix}a_{13}&a_{12}\\a_{33}&a_{32}\end{vmatrix}&\begin{vmatrix}a_{12}&a_{13}\\a_{22}&a_{23}\end{vmatrix}\\\begin{vmatrix}a_{23}&a_{21}\\a_{33}&a_{31}\end{vmatrix}&\begin{vmatrix}a_{11}&a_{13}\\a_{31}&a_{33}\end{vmatrix}&\begin{vmatrix}a_{13}&a_{11}\\a_{23}&a_{21}\end{vmatrix}\\\begin{vmatrix}a_{21}&a_{22}\\a_{31}&a_{32}\end{vmatrix}&\begin{vmatrix}a_{12}&a_{11}\\a_{32}&a_{31}\end{vmatrix}&\begin{vmatrix}a_{11}&a_{12}\\a_{21}&a_{22}\end{vmatrix}\end{pmatrix}$$
Then by Cramer’s Rule that: Let $A$ be an $m\times m$ matrix, then $\text{Adj}(A)\cdot A=\text{det}(A)I_{m}$, where $\text{Adj}(A)$ denotes the adjugate of $A$.

Thus, $A$ must be invertible to get $A^{-1}$ and $\text{Adj}(A)$. ($\text{Adj}(A)=\begin{vmatrix}A\end{vmatrix}A^{-1}$)

Consider matrix inversion mod $n$: from $A\cdot A^{-1}\equiv I_{m}\text{ mod }n$ we see that $\text{det}(A)$ must be invertible modulo $n$.

Take $A=\begin{pmatrix}1&1&1\\1&2&3\\1&4&9\end{pmatrix}\text{ mod }11$ as an example. We can see that $A^{-1}=\dfrac{1}{2}\begin{pmatrix}6&-5&1\\-6&8&-2\\2&-3&1\end{pmatrix}\text{ mod }11$. Since $2^{-1}\equiv 6\pmod{11}$, we get $A^{-1}=\begin{pmatrix}3&3&6\\8&4&10\\1&4&6\end{pmatrix}\text{ mod }11$.

The key for the Hill cipher is an $n\times n$ matrix $K\text{ mod }26$, with $\text{gcd}(\text{det}(K),26)=1$.
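A toy $2\times2$ Hill cipher sketch, using the adjugate formula above (requires Python 3.8+ for `pow(x, -1, m)`; the key matrix is a hypothetical example):

```python
# Toy 2x2 Hill cipher mod 26. The key must satisfy gcd(det K, 26) = 1.
K = [[3, 3], [2, 5]]                 # det = 9, gcd(9, 26) = 1

def det2(M):
    return (M[0][0] * M[1][1] - M[0][1] * M[1][0]) % 26

def inv2(M):
    d_inv = pow(det2(M), -1, 26)     # det must be invertible mod 26
    return [[ M[1][1] * d_inv % 26, -M[0][1] * d_inv % 26],
            [-M[1][0] * d_inv % 26,  M[0][0] * d_inv % 26]]

def apply(M, v):                     # multiply matrix by column vector mod 26
    return [(M[0][0] * v[0] + M[0][1] * v[1]) % 26,
            (M[1][0] * v[0] + M[1][1] * v[1]) % 26]

block = [7, 4]                       # "HE" as letter indices
cipher = apply(K, block)
assert apply(inv2(K), cipher) == block
```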

# Symmetric and Asymmetric Key

Symmetric scheme use same key for both encrypt and decrypt. Thus the key management problem arises when user number increases: $n$ users means $O(n^2)$ keys.

Asymmetric scheme creates a pair of public and private key. Encrypt with public key and decrypt with private key.

# Double Encryption

Consider symmetric encryption using function $f$ and key $k$:

• Simple encryption: $c=f_{k}(m)$
• Double encryption: $c=f_{k_2}(f_{k_1}(m))$
• Decryption: $m = f_{k_1}^{-1}(f_{k_2}^{-1}(c))$

Assume the KPA setup, then we can setup meet in the middle attack.

• $\forall k\in\lbrace\text{Key}\rbrace$, compute and store the ciphertexts $c_i=f_{k_i}(m)$.
• Compute $m_i=f_{k_i}^{-1}(c)$ and find the matching $c_i$.
• Recover the $k_1$ and $k_2$.

Thus double encryption does not multiply the attack complexity; it only adds it. (Not $I_1\times I_2$ but $I_1 +I_2$)
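A toy meet-in-the-middle sketch with a hypothetical invertible byte cipher `f`; the attack yields candidate key pairs, which a second known plaintext-ciphertext pair would then filter:

```python
# Meet-in-the-middle on double encryption: ~ 2·|Key| work instead of |Key|^2.
def f(m, k):                          # hypothetical toy invertible cipher
    return (m + k * 11) % 256

def f_inv(c, k):
    return (c - k * 11) % 256

KEYS = range(256)
k1, k2 = 103, 200
m = 42
c = f(f(m, k1), k2)                   # double encryption with unknown k1, k2

# Forward table: encrypt m under every key, store the middle value.
forward = {f(m, k): k for k in KEYS}
# Meet in the middle: decrypt c under every key, look for a matching middle.
candidates = [(forward[f_inv(c, k)], k)
              for k in KEYS if f_inv(c, k) in forward]
assert (k1, k2) in candidates
```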

# Zero Knowledge Proof

If Bob wants to prove he knows a secret path without revealing it, what should he do?

The strategy is that:

• Alice hides while Bob go L or R.
• Alice randomly asks Bob to exit on L or R.
• If Bob is on the wrong side he uses the secret path or he returns.
• Repeat previous steps many times.

## Graph Isomorphism and Hamiltonian Circuit

Graph isomorphism is defined on two simple graphs $G_1=(V_1,E_1)$ and $G_2=(V_2,E_2)$.

If there exists a bijection function $\varphi:V_1\to V_2$ such that the induced map $\varphi_\ast:E_1\to E_2, (a,b)\mapsto(\varphi(a),\varphi(b))$ is bijective. Such $\varphi$ is a graph isomorphism.

Graph isomorphism is not known to be $NPC$ problem, but the best known algorithm has exponential complexity.

Hamilton circuit in $G$ is a simple circuit that passes through every vertex in $G$ exactly once. It is proven to be $NPC$ and best known algorithm has exponential complexity.

In this scenario, we can set the condition as

$$\begin{array}{c|c} \text{Bob} & \text{Alice}\newline \hline \text{A graph }G & \text{Bob's graph }G\newline \text{Hamiltonian circuit in }G & \end{array}$$

The process goes like:

• Bob generates $H\cong G$ and commits it.
• Alice randomly asks for either isomorphism map or Hamiltonian circuit in $H$.
• Bob show the required result.

The number of repetitions controls the soundness error; the procedure is unrelated to security levels like $2^{128}$.

PFPL Chapter 20 System FPC of Recursive Types https://nomadtype.ninja/2019/05/09/PFPL-Chapter-20-System-FPC-of-Recursive-Types/ 2019-05-09T17:57:40.000Z 2020-10-12T18:47:55.705Z

# Intros on System FPC and Recursive Types

FPC is a language with products, sums, partial functions, and recursive types.

Recursive types are solutions to type equations $t\cong\tau$ where there is no restriction on $t$ occurrence in $\tau$. Equivalently, it is a fixed point up to isomorphism of associated unrestricted type operator $t.\tau$. When removing the restriction on type operator, we may see the solution satisfies $t\cong t\rightharpoonup t$, which describes a type is isomorphic to the type of partial function defined on itself.

Types are not sets: they classify computable functions not arbitrary functions. With types we may solve such type equations. The penalty is that we must admit non-termination. For one thing, type equations involving functions have solutions only if the functions involved are partial.

A benefit of working in the setting of partial functions is that type equations have unique solutions (up to isomorphism). But what about the inductive and coinductive types that solve the same type equation? The answer depends on the fixed dynamics, be it lazy or eager:

• Under a lazy dynamics, recursive types have a coinductive flavor, and inductive analogs are inaccessible.
• Under an eager dynamics, recursive types have an inductive flavor, but coinductive analogs are accessible as well.

# Solving Type Equations

The syntax table of recursive type is defined as follows
\begin{aligned} \text{Typ}&&\tau&&::=&&t&&t&&\text{self-reference}\\ &&&&&&\text{rec}(t.\tau)&&\text{rec }t\text{ is }\tau&&\text{recursive type}\\ \text{Exp}&&e&&::=&&\text{fold}\lbrace t.\tau\rbrace(e)&&\text{fold}(e)&&\text{fold}\\ &&&&&&\text{unfold}(e)&&\text{unfold}(e)&&\text{unfold} \end{aligned}

Recursive types have the same general form as inductive/coinductive types.

## Statics

$$\dfrac{\Delta,t\text{ type}\vdash\tau\text{ type}}{\Delta\vdash\text{rec}(t.\tau)\text{ type}}\\ \dfrac{\Gamma\vdash e:\lbrack\text{rec}(t.\tau)/t\rbrack\tau}{\Gamma\vdash\text{fold}\lbrace t.\tau\rbrace(e):\text{rec}(t.\tau)}\\ \dfrac{\Gamma\vdash e:\text{rec}(t.\tau)}{\Gamma\vdash\text{unfold}(e):\lbrack\text{rec}(t.\tau)/t\rbrack\tau}$$

## Dynamics

$$\dfrac{\lbrack e\text{ val}\rbrack}{\text{fold}\lbrace t.\tau\rbrace(e)\text{ val}}\\ \Big\lbrack\dfrac{e\longmapsto e’}{\text{fold}\lbrace t.\tau\rbrace(e)\longmapsto\text{fold}\lbrace t.\tau\rbrace(e’)}\Big\rbrack\\ \dfrac{e\longmapsto e’}{\text{unfold}(e)\longmapsto\text{unfold}(e’)}\\ \dfrac{\text{fold}\lbrace t.\tau\rbrace(e)\text{ val}}{\text{unfold}(\text{fold}\lbrace t.\tau\rbrace(e))\longmapsto e}$$

## Safety Theorem

1. If $e:\tau$ and $e\longmapsto e’$, then $e’:\tau$.
2. If $e:\tau$, then either $e\text{ val}$ or $\exists e’,e\longmapsto e’$.

# Inductive and Coinductive Types

Recursive types may be used to represent inductive types such as natural numbers and natural number list.

## Example First on Natural Number

Use an eager dynamics for FPC, the recursive type $\rho=\text{rec }t\text{ is }\lbrack z\hookrightarrow\text{unit},s\hookrightarrow t\rbrack$ satisfies the type equation $\rho\cong\lbrack z\hookrightarrow\text{unit},s\hookrightarrow\rho\rbrack$, and is isomorphic to the type of eager natural numbers.

Introduction and elimination forms defined on $\rho$ is defined with following equations
\begin{aligned} z&\triangleq\text{fold}(z\cdot\langle\rangle)\\ s(e)&\triangleq\text{fold}(s\cdot e)\\ \text{ifz }e\lbrace z\hookrightarrow e_0\shortmid s(x)\hookrightarrow e_1\rbrace&\triangleq\text{case unfold}(e)\space\lbrace z\cdot\underline{}\hookrightarrow e_0\shortmid s\cdot x\hookrightarrow e_1\rbrace \end{aligned}
On the other hand, with a lazy dynamics of natural numbers in PCF, the same recursive type $\rho’=\text{rec }t\text{ is }\lbrack z\hookrightarrow\text{unit},s\hookrightarrow t\rbrack$ satisfying $\rho’\cong\lbrack z\hookrightarrow\text{unit},s\hookrightarrow\rho’\rbrack$ is not the type of natural numbers.

Consider what chapter 15 mentioned, $\rho’$ contains infinity number $\omega$ which is not natural number.

## Another Example on Natlist

Using an eager dynamics for FPC, natlist is defined by the recursive type $\text{rec }t\text{ is }\lbrack n\hookrightarrow\text{unit},c\hookrightarrow\text{nat}\times t\rbrack$, satisfying the type equation $\text{natlist}\cong\lbrack n\hookrightarrow\text{unit},c\hookrightarrow\text{nat}\times\text{natlist}\rbrack$.

Introduction and elimination forms are given by equations
\begin{aligned} \text{nil}&\triangleq\text{fold}(n\cdot\langle\rangle)\\ \text{cons}(e_1;e_2)&\triangleq\text{fold}(c\cdot\langle e_1,e_2\rangle)\\ \text{case }e\lbrace\text{nil}\hookrightarrow e_0\shortmid\text{cons}(x;y)\hookrightarrow e_1\rbrace&\triangleq\text{case unfold}(e)\space\lbrace n\cdot\underline{}\hookrightarrow e_0\shortmid c\cdot\langle x,y\rangle\hookrightarrow e_1\rbrace \end{aligned}
Consider the same recursive type under a context of lazy dynamics for FPC. Then we can see a value of such recursive type has the form $\text{fold}(e)$, where $e$ is an unevaluated computation of the sum type.

## Redefine (Co)Inductive Type

Consider the recursive type $\tau\triangleq\text{rec }t\text{ is }\tau’$ and the associated inductive type and coinductive type $\mu(t.\tau’)$ and $\nu(t.\tau’)$. We redefine these types consistently with statics of inductive and coinductive types here
\begin{aligned} \text{fold}\lbrace t.\tau’\rbrace(e)&\triangleq\text{fold}(e)\\ \text{rec}\lbrace t.\tau’\rbrace(x.e’;e)&\triangleq(\text{fix }r\text{ is }\lambda(u: \tau)\space e_{rec})(e),\text{ where}\\ e_{rec}&\triangleq\lbrack\text{map}\lbrace t.\tau’\rbrace(x.r(x))(\text{unfold}(u))/x\rbrack e’\\ \text{unfold}\lbrace t.\tau’\rbrace(e)&\triangleq\text{unfold}(e)\\ \text{gen}\lbrace t.\tau’\rbrace(x.e’;e)&\triangleq(\text{fix }g\text{ is }\lambda(u:\rho)\space e_{gen})(e),\text{ where}\\ e_{gen}&\triangleq\text{fold}(\text{map}\lbrace t.\tau’\rbrace(x.g(x))(\lbrack u/x\rbrack e’)) \end{aligned}

Dynamics is ill-behaved. Under eager interpretation, the generator may not converge, depending on choice of $e’$; under lazy interpretation, the recursor may not converge, depending on choice of $e’$.

The outcome shows that in the eager case the recursive type is inductive, not coinductive; whereas in the lazy case the recursive type is coinductive, not inductive.

## Coinductive Signal Transducer

We can define type Sig for signal to be the coinductive type of infinite streams of booleans, then we can also define the type of a signal transducer as $\text{Sig}\rightharpoonup\text{Sig}$.

Sig as a coinductive type can have form $\nu(t.e’)$ follows previous redefined coinductive type. In each of its unfold and generate, it gets a new boolean value out. Thus it can have definition $\nu(t.\text{bool}\times t)$.

The definition applies in a lazy dynamics, whereas under an eager dynamics one may use $\nu(t.\text{unit}\rightharpoonup\text{bool}\times t)$: the unit argument delays evaluation of the tail, so the stream does not diverge.

The NOR here can have the type of $\text{Sig}\times\text{Sig}\rightharpoonup\text{Sig}$, with definition as
$$\lambda(a,b)\text{gen}\lbrace t.\text{bool}\times t\rbrace(\langle a,b\rangle.\langle e_{nor}\langle\text{hd}(a),\text{hd}(b)\rangle,\langle\text{tl}(a),\text{tl}(b)\rangle\rangle;\langle a,b\rangle)$$

# Self-Reference

In general recursive expression $\text{fix}\lbrace\tau\rbrace(x.e)$, the variable $x$ stands for the expression itself. Self-reference is effected by the unrolling transition and it substitutes itself for $x$ in its body during execution.
$$\text{fix}\lbrace\tau\rbrace(x.e)\longmapsto\lbrack\text{fix}\lbrace\tau\rbrace(x.e)/x\rbrack e$$

It is useful to think $x$ as an implicit argument to $e$ that it is instantiated to itself when expression is used.

The type of self-referential expressions is given by the syntax table
\begin{aligned} \text{Typ}&&\tau&&::=&&\text{self}(\tau)&&\tau\text{ self}&&\text{self-referential type}\\ \text{Exp}&&e&&::=&&\text{self}\lbrace\tau\rbrace(x.e)&&\text{self }x\text{ is }e&&\text{self-referential expression}\\ &&&&&&\text{unroll}(e)&&\text{unroll}(e)&&\text{unroll self-reference} \end{aligned}

## Statics and Dynamics

The statics of these constructs is defined as
$$\dfrac{\Gamma,x:\text{self}(\tau)\vdash e:\tau}{\Gamma\vdash\text{self}\lbrace\tau\rbrace(x.e):\text{self}(\tau)}\\ \dfrac{\Gamma\vdash e:\text{self}(\tau)}{\Gamma\vdash\text{unroll}(e):\tau}$$
The dynamics is given by
$$\dfrac{}{\text{self}\lbrace\tau\rbrace(x.e)\text{ val}}\\ \dfrac{e\longmapsto e’}{\text{unroll}(e)\longmapsto\text{unroll}(e’)}\\ \dfrac{}{\text{unroll}(\text{self}\lbrace\tau\rbrace(x.e))\longmapsto\lbrack\text{self}\lbrace\tau\rbrace(x.e)/x\rbrack e}$$

The main difference, compared to general recursion, is that we distinguish a type of self-referential expressions, instead of having self-reference at every type. It’s all a matter of taste.

## Recursive Type Defined Self-Reference

We can define the $\text{self}(\tau)$ with recursive type since a self-referential expression of type $\tau$ depends on the expression itself. It satisfies the isomorphism $\text{self}(\tau)\cong\text{self}(\tau)\rightharpoonup \tau$.

The type equation can be solved by type operator $t.t\rightharpoonup\tau$, where $t\notin\tau$ is a type variable. Required fixed point is just the recursive type $\text{self}(\tau)\triangleq\text{rec}(t.t\rightharpoonup\tau)$. Redefinition on type is shown as follows
\begin{aligned} \text{self}(\tau)&\triangleq\text{rec}(t.t\rightharpoonup\tau)\\ \lambda(x)\space e&:\space\space\text{self}(\tau)\rightharpoonup\tau\equiv\lbrack\text{rec}(t.t\rightharpoonup\tau)/t\rbrack(t\rightharpoonup\tau)\\ \text{self}\lbrace\tau\rbrace(x.e)&:\space\space\text{rec}(t.t\rightharpoonup\tau)\equiv\text{self}(\tau)\\ \text{self}\lbrace\tau\rbrace(x.e)&\triangleq\text{fold}(\lambda(x:\text{self}(\tau))\space e)\\ \text{unroll}(e:\text{self}(\tau))&:\space\space\tau\\ \text{unroll}(e:\text{rec}(t.t\rightharpoonup\tau))&\triangleq(\text{unfold}(e:\text{rec}(t.t\rightharpoonup\tau)):\lbrack\text{rec}(t.t\rightharpoonup\tau)/t\rbrack(t\rightharpoonup\tau))(e)\\ &\equiv\text{unfold}(e)(e) \end{aligned}
It is easy to check that final line of redefinition is correct by $\text{unroll}(\text{self}\lbrace\tau\rbrace(y.e))\longmapsto^\ast\lbrack\text{self}\lbrace\tau\rbrace(y.e)/y\rbrack e$.

## Self-Reference Defined Fixed Point

We may define $\text{fix}\lbrace\tau\rbrace(x.e)$ to stand for the expression $\text{unroll}(\text{self}\lbrace\tau\rbrace(y.\lbrack\text{unroll}(y)/x\rbrack e))$.

\begin{aligned} \text{unroll}(\text{self}\lbrace\tau\rbrace(y.\lbrack\text{unroll}(y)/x\rbrack e))&\equiv\lbrack\text{self}\lbrace\tau\rbrace(y.\lbrack\text{unroll}(y)/x\rbrack e)/y\rbrack(\lbrack\text{unroll}(y)/x\rbrack e)\\ &\equiv\lbrack\text{unroll}(\text{self}\lbrace\tau\rbrace(y.\lbrack\text{unroll}(y)/x\rbrack e))/x\rbrack e \end{aligned}

Writing this in the $\text{fix}\lbrace\tau\rbrace(x.e)$ form, we can see that
\begin{aligned} \text{fix}\lbrace\tau\rbrace(x.e)&=\text{unroll}(\text{self}\lbrace\tau\rbrace(y.\lbrack\text{unroll}(y)/x\rbrack e))\\ &\longmapsto^\ast\lbrack\text{unroll}(\text{self}\lbrace\tau\rbrace(y.\lbrack\text{unroll}(y)/x\rbrack e))/x\rbrack e\\ &=\lbrack\text{fix}\lbrace\tau\rbrace(x.e)/x\rbrack e \end{aligned}

In this way we define factorial as $\text{fact}\triangleq\text{self }f:\text{nat}\to\text{nat}\text{ is }\lambda(n:\text{nat})\text{ ifz }n\space\lbrace z\hookrightarrow s(z)\shortmid s(n’)\hookrightarrow n\times \text{unroll}(f)(n’)\rbrace$.
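The derivation of $\text{fix}$ from $\text{self}$ can be sketched in TypeScript as well. TypeScript is eager, so in this sketch the recursive occurrence $x$ is passed as a thunk standing in for $\text{unroll}(y)$; forcing the thunk re-unrolls the self-referential value (names are illustrative):

```typescript
type Self<T> = (self: Self<T>) => T;

// fix{tau}(x.e) ≜ unroll(self{tau}(y. [unroll(y)/x] e)).
// The thunk () => y(y) stands for unroll(y), delayed to avoid
// eager divergence.
function fix<T>(body: (x: () => T) => T): T {
  const self: Self<T> = y => body(() => y(y)); // y. [unroll(y)/x] e
  return self(self);                           // unroll(self{tau}(...))
}

// fact ≜ fix f is λ(n) ifz n { z ↪ s(z) | s(n') ↪ n × f(n') }
const fact = fix<(n: number) => number>(f => n =>
  n === 0 ? 1 : n * f()(n - 1));

console.log(fact(5)); // 120
```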

# The Origin of State

The concept of state in computation has its origins in the concept of recursion, or self-reference.

An RS latch, for example, maintains its output at a logic level of zero or one in response to signals on its R or S inputs. We can implement an RS latch using recursive types.

The idea is to use self-reference to model the passage of time, with the current output being computed from the inputs and the previous output. The latch is a value of type $\tau_{rsl}$ given by
$$\text{rec }t\text{ is }\langle\text{X}\hookrightarrow\text{bool},\text{Q}\hookrightarrow\text{bool},\text{N}\hookrightarrow t\rangle$$

The X and Q components of the latch represent its current outputs (Q is the current output of the latch), and N represents the next state of the latch.

If $e:\tau_{rsl}$, then we define e @ X to mean $\text{unfold}(e)\cdot \text{X}$, and e @ Q and e @ N are defined similarly.

• e @ X and e @ Q evaluate to the boolean outputs of the latch $e$
• e @ N evaluates to another latch representing the evolution of its state over time based on its inputs

For given values $r$ and $s$, a new latch is computed from an old one by the recursive function $rsl$ with definition
$$\text{fix }rsl\text{ is }\lambda(l:\tau_{rsl})\space e_{rsl}$$
where $e_{rsl}$ is the expression
$$\text{fix }this\text{ is fold}(\langle\text{X}\hookrightarrow e_{NOR}(\langle s, l@\text{Q}\rangle),\text{Q}\hookrightarrow e_{NOR}(\langle r,l@\text{X}\rangle),\text{N}\hookrightarrow rsl(this)\rangle)$$
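A minimal TypeScript sketch of this latch, with the N component thunked so the infinite unrolling stays lazy (the names `nor`, `RSL`, and `rsl` are illustrative):

```typescript
// e_NOR on a pair of booleans.
const nor = (a: boolean, b: boolean): boolean => !(a || b);

// tau_rsl ≜ rec t is <X ↪ bool, Q ↪ bool, N ↪ t>, with N thunked.
type RSL = { X: boolean; Q: boolean; N: () => RSL };

// rsl: compute a new latch from inputs r, s and the old latch l;
// the local `t` plays the role of `this` in the fix expression.
function rsl(r: boolean, s: boolean, l: RSL): RSL {
  const t: RSL = {
    X: nor(s, l.Q),
    Q: nor(r, l.X),
    N: () => rsl(r, s, t),
  };
  return t;
}

// Start from <X ↪ false, Q ↪ false> and assert S (set):
// Q stabilizes at true, X at false.
let l: RSL = { X: false, Q: false, N: () => l };
l = rsl(/* r = */ false, /* s = */ true, l);
l = l.N();
console.log(l.X, l.Q); // false true
```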

## Coinductive RS Latch

Following the earlier treatment of lazy dynamics in PCF, we can interpret the RS latch expression with a coinductive type, still following the previous $\tau_{rsl}$ shape.

Consider an initial state of type $\rho\triangleq\langle\text{X}\hookrightarrow\text{bool},\text{Q}\hookrightarrow\text{bool}\rangle$, initialized to $\langle\text{false},\text{false}\rangle$. Then we get the RS latch expression
\begin{aligned} e_{rsl}&\triangleq\text{gen}\lbrace t.\tau_{rsl}’\rbrace(\langle\text{X}\hookrightarrow x,\text{Q}\hookrightarrow q\rangle.e_{rsl}’;\langle\text{X}\hookrightarrow\text{false},\text{Q}\hookrightarrow\text{false}\rangle),\text{ where}\\ e_{rsl}’&\triangleq\langle\text{X}\hookrightarrow x,\text{Q}\hookrightarrow q,\text{N}\hookrightarrow\langle e_{nor}\langle s,q\rangle,e_{nor}\langle x,r\rangle\rangle\rangle \end{aligned}
Then we can simplify previously stated self-reference expression of RS latch like
$$\text{fix }g\text{ is }\lambda(\langle\text{X}\hookrightarrow x,\text{Q}\hookrightarrow q\rangle)\text{ fold}(e_{rsl}’’), \text{ where}\\ e_{rsl}’’\triangleq\langle\text{X}\hookrightarrow x,\text{Q}\hookrightarrow q,\text{N}\hookrightarrow g(\langle e_{nor}\langle s,q\rangle,e_{nor}\langle x,r\rangle\rangle)\rangle$$
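The $\text{gen}$ form can be sketched as a stream generator that unfolds the latch from a seed state, advancing the seed by $\langle e_{nor}\langle s,q\rangle,e_{nor}\langle x,r\rangle\rangle$ at each step (again, all names here are illustrative):

```typescript
const nor = (a: boolean, b: boolean): boolean => !(a || b);

// State rho ≜ <X ↪ bool, Q ↪ bool>: the seed the latch is generated from.
type State = { X: boolean; Q: boolean };
type Latch = { X: boolean; Q: boolean; N: () => Latch };

// gen{t.tau'}(<X ↪ x, Q ↪ q>. e'; st): unfold the coinductive latch.
function gen(r: boolean, s: boolean, st: State): Latch {
  return {
    X: st.X,
    Q: st.Q,
    N: () => gen(r, s, { X: nor(s, st.Q), Q: nor(st.X, r) }),
  };
}

// Set the latch starting from the initial state <false, false>.
let l = gen(/* r = */ false, /* s = */ true, { X: false, Q: false });
l = l.N().N();
console.log(l.X, l.Q); // false true
```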

# SKI Combinator as Recursive Type

Consider the type $\text{D}\triangleq\text{rec }t\text{ is }t\rightharpoonup t$. We can define elements $\text{k}:\text{D}$ and $\text{s}:\text{D}$ and an application operation satisfying:

• $x:\text{D},y:\text{D}\vdash x\cdot y:\text{D}$
• $\text{k}\cdot x\cdot y\longmapsto^\ast x$
• $\text{s}\cdot x\cdot y\cdot z\longmapsto^\ast (x\cdot z)\cdot(y\cdot z)$

Following the application convention $x\cdot y\triangleq(\text{unfold}(x))(y)$, we can easily check that the definition $\text{k}\triangleq\text{fold}(\lambda(x:\text{D})\space\text{fold}(\lambda(y:\text{D})\space x))$ works.

Similarly, $\text{s}\triangleq\text{fold}(\lambda(x:\text{D})\space\text{fold}(\lambda(y:\text{D})\space\text{fold}(\lambda(z:\text{D})\space(x\cdot z)\cdot(y\cdot z))))$.
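Since $\text{fold}$ and $\text{unfold}$ are behaviorally identities, the whole combinator algebra fits in a few lines of TypeScript, where the recursive type alias `D` encodes $\text{rec }t\text{ is }t\rightharpoonup t$:

```typescript
// D ≜ rec t is t ⇀ t: every value of D is a function D ⇀ D.
// fold/unfold are identities, so x · y ≜ unfold(x)(y) is just x(y).
type D = (y: D) => D;
const app = (x: D, y: D): D => x(y);

// k ≜ fold(λ(x:D) fold(λ(y:D) x)): k · x · y ↦* x.
const k: D = x => _y => x;

// s ≜ fold(λx fold(λy fold(λz (x·z)·(y·z)))): s·x·y·z ↦* (x·z)·(y·z).
const s: D = x => y => z => app(app(x, z), app(y, z));

// i ≜ s · k · k behaves as the identity: i · v ↦* v.
const i: D = app(app(s, k), k);
const v: D = x => x;
console.log(app(i, v) === v); // true
```

Deriving the identity as $\text{s}\cdot\text{k}\cdot\text{k}$ is the standard check that the two equations above suffice for combinatory completeness.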

> Please refer to [this link](https://www.cs.cmu.edu/~rwh/pfpl/2nded.pdf), pages 177 to 184.

# Intros on System FPC and Recursive Types

**FPC** is a language with products, sums, partial functions, and **recursive types**.

**Recursive types** are solutions to type equations $t\cong\tau$ where there is no restriction on the occurrence of $t$ in $\tau$. Equivalently, a recursive type is a fixed point, up to isomorphism, of the associated unrestricted type operator $t.\tau$. With the restriction on the type operator removed, we may even solve $t\cong t\rightharpoonup t$, which describes a type isomorphic to the type of partial functions defined on itself.

Types are not sets: they classify **computable functions**, not arbitrary functions. With types we may solve such type equations. The penalty is that we must admit non-termination: type equations involving functions have solutions only if the functions involved are **partial**.

A benefit of working in the setting of partial functions is that type equations have **unique solutions** (up to isomorphism). But what about the inductive/coinductive types as solutions to the same type equation? It turns out this depends on whether the dynamics is lazy or eager:

• Under a lazy dynamics, recursive types have a coinductive flavor, and the inductive analogs are inaccessible.
• Under an eager dynamics, recursive types have an inductive flavor, but the coinductive analogs are accessible as well.