Chinese remainder

content/Basic Algebra/Chinese Remainder Theorem.md

@@ -0,0 +1,138 @@
+## Intro 
+Chinese remainder theorem states that if one knows remainders of the Euclidean division of an integer n by several integers which are pairwise coprime, one can uniquely determine the remainder of the division of n.  
+
+ >Simple example is as follows.
+ >If one knows that the remainder of n divided by 3 is 2 ($n \equiv 2 \pmod{3}$), and that remainder divided by 7 is 2 ($n \equiv 2\pmod{7}$), one can determine that remainder of n divided by $105(=3*5*7)$ has a unique value, 23. 
+
+## Theorem
+>If the integers \(m_1, m_2, \dots, m_n\) are pairwise coprime, then the following system of simultaneous congruences: 
+\[
+    x\equiv
+    \begin{cases}
+    a_1 \pmod{m_1} \\
+    a_2 \pmod{m_2} \\
+    a_3 \pmod{m_3} \\
+    \vdots \\
+    a_n \pmod{m_n}
+    \end{cases}
+\]
+    has a unique solution modulo
+    \[
+        M=\prod_{i=1}^{n} m_i=m_1 m_2 \cdots m_n.
+    \]
+
+Such formula could be otherwise expressed as written in section "Ring Isomorphism" below, according to ring isomorphism.(definition can be checked from [[Ring Homorphism]].)
+
+## Computation
+Though its existence can be checked using CRT, derivation of value $x$ using pure computation requires long time. 
+
+### 1. Systematic Search
+Systematic Search is the simplest method available to find the solution, which checks every possible value for $x$. 
+It suffices to check all the possible values from 0 to $N$, computing the remainder of the Euclidean division of $x$ by each $n_i$. 
+
+Although such method is very simple, it is very inefficient. This algorithm is an exponential time algorithm, as the size of the input is the number of digits of $N$, and the average number of operation is of the order of $N$. 
+
+### 2. Search by Sieving
+Searching of the solution can be made faster by using "sieving" algorithm.
+
+**1. Concept**
+Given the system of congruences:
+
+\[
+x \equiv a_1 \pmod{n_1}
+\]
+
+\[
+x \equiv a_2 \pmod{n_2}
+\]
+
+\[
+\vdots
+\]
+
+\[
+x \equiv a_k \pmod{n_k}
+\]
+
+the **sieving method** finds the solution by iteratively filtering values that satisfy each congruence.
+
+
+**2. Step-by-Step Process**
+1. **Generate the sequence from the first congruence**  
+   - The numbers satisfying \( x \equiv a_1 \pmod{n_1} \) form an arithmetic sequence:
+     \[
+     a_1, a_1 + n_1, a_1 + 2n_1, \dots
+     \]
+
+2. **Filter by the second modulus \( n_2 \)**  
+   - Test values from the sequence modulo \( n_2 \) until finding the first \( x_2 \) such that:
+     \[
+     x_2 \equiv a_2 \pmod{n_2}
+     \]
+   - Once found, construct a new sequence:
+     \[
+     x_2, x_2 + n_1 n_2, x_2 + 2 n_1 n_2, \dots
+     \]
+
+3. **Repeat the process for \( n_3, n_4, \dots, n_k \)**  
+   - Continue filtering each sequence by the next modulus \( n_3 \), forming a new arithmetic sequence each time.
+   - The final step yields the unique solution \( x \).
+
+---
+### **Mathematical Representation: Ring Isomorphism**
+This can be mathematically formulated by defining the following function \( f \):
+
+\[
+f: \mathbb{Z}/N\mathbb{Z} \to \mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z} \times \cdots \times \mathbb{Z}/n_k\mathbb{Z}
+\]
+
+This function operates as follows:
+
+\[
+x \mod N \mapsto (x \mod n_1, x \mod n_2, \dots, x \mod n_k)
+\]
+
+That is, the function takes an integer \( x \) modulo \( N \) and transforms it into a tuple of its remainders when divided by \( n_1, n_2, \dots, n_k \). 
+
+The key point is that this function \( f \) is a **ring isomorphism**, meaning that the following holds:
+
+\[
+\mathbb{Z}/N\mathbb{Z} \cong \mathbb{Z}/n_1\mathbb{Z} \times \cdots \times \mathbb{Z}/n_k\mathbb{Z}
+\]
+
+This implies that the ring of integers modulo \( N \) has a structure equivalent to the direct product of the rings of integers modulo \( n_i \). In other words, for doing sequence of arithmetic operations in \(\mathbb{Z}/N\mathbb{Z}\), one can do the same computation independently in each \( \mathbb{Z}/n_i\mathbb{Z}\), and then get the result by applying the isomorphism. This can work way faster than the direct computation of $N$.
+
+## Example: Direct Calculation
+
+Consider the system of congruences for \( N = 15 \), where \( n_1 = 3 \) and \( n_2 = 5 \):
+
+\[
+x \equiv 2 \pmod{3}
+\]
+
+\[
+x \equiv 3 \pmod{5}
+\]
+
+Using the Chinese Remainder Theorem (CRT), we find \( x \) as follows:
+
+\[
+x \equiv 8 \pmod{15}
+\]
+
+Thus, \( x = 8 \) is the unique solution.
+
+However, using **ring isomorphism**, we can take a different approach:
+
+1. **Perform independent computations**  
+   - \( x_1 \equiv 2 \pmod{3} \)  
+   - \( x_2 \equiv 3 \pmod{5} \)  
+
+2. **Combine the results**  
+   - \( x \equiv 8 \pmod{15} \)  
+
+By extending this method, we can optimize computations involving a large number \( N \) by performing calculations on smaller values \( n_i \) and then recombining the results. This approach significantly improves efficiency in modular arithmetic.
+
+
+Rather than simply solving a system of congruences, the Chinese Remainder Theorem possesses the remarkable property that a unique solution exists, making it an extremely powerful tool.
+

content/Basic Algebra/Ring Homomorphism.md

@@ -1,6 +1,38 @@
+## Definition
 For two [[Rings]] $R$ and $S$, a mapping $f: R \to S$ is called a ring homomorphism if it satisfies the following conditions:
 1. For any $(a, b) \in R$, $f(a + b) = f(a) + f(b)$.
 2. For any $(a, b) \in R$, $f(ab) = f(a) \cdot f(b)$.
 3. $f(1_R) = 1_S$.
 
-Here, the operations on the left-hand side of each condition are those defined in $R$, and the operations on the right-hand side are those defined in $S$. If such a mapping $f$ is bijective, it is called a [[Ring Isomorphism]].
+Here, the operations on the left-hand side of each condition are those defined in $R$, and the operations on the right-hand side are those defined in $S$. 
+
+###  Ring Isomorphism
+If addition $f$ above is bijection, then its inverse $f^{-1}$ is also a ring homomorphism. In such cases, $f$ is called a ring isomorphism, and the rings R and S are called isomorphic. 
+Such isomorphism is noted as $R \cong S$
+
+## Properties
+Below are useful properties derived from ring homomorphism.
+- \( f(0_R) = 0_S \).
+- \( f(-a) = -f(a) \) for all \( a \in R \).
+- For any **unit** \( a \) in \( R \), \( f(a) \) is a unit element such that  
+  \[
+  f(a)^{-1} = f(a^{-1})
+  \]
+  In particular, \( f \) induces a **group homomorphism** from the (multiplicative) group of units of \( R \) to the (multiplicative) group of units of \( S \) (or of \( \operatorname{im}(f) \)).
+- The **image** of \( f \), denoted \( \operatorname{im}(f) \), is a subring of \( S \).
+- The **kernel** of \( f \), defined as  
+  \[
+  \ker(f) = \{ a \in R \mid f(a) = 0_S \}
+  \]
+  is a **two-sided ideal** in \( R \). Every two-sided ideal in a ring \( R \) is the kernel of some ring homomorphism.
+- A homomorphism is injective if and only if the kernel is the **zero ideal**.
+- The **characteristic** of \( S \) **divides** the characteristic of \( R \). This can sometimes be used to show that between certain rings \( R \) and \( S \), no ring homomorphism \( R \to S \) exists.
+- If \( R_p \) is the smallest **subring** contained in \( R \) and \( S_p \) is the smallest subring contained in \( S \), then every ring homomorphism \( f: R \to S \) induces a ring homomorphism \( f_p: R_p \to S_p \).
+- If \( R \) is a **field** (or more generally a **skew-field**) and \( S \) is not the **zero ring**, then \( f \) is injective.
+- If both \( R \) and \( S \) are **fields**, then \( \operatorname{im}(f) \) is a subfield of \( S \), so \( S \) can be viewed as a **field extension** of \( R \).
+- If \( I \) is an ideal of \( S \), then \( f^{-1}(I) \) is an ideal of \( R \).
+- If \( R \) and \( S \) are commutative and \( P \) is a **prime ideal** of \( S \), then \( f^{-1}(P) \) is a prime ideal of \( R \).
+- If \( R \) and \( S \) are commutative, \( M \) is a **maximal ideal** of \( S \), and \( f \) is surjective, then \( f^{-1}(M) \) is a maximal ideal of \( R \).
+- If \( R \) and \( S \) are commutative and \( S \) is an **integral domain**, then \( \ker(f) \) is a prime ideal of \( R \).
+- If \( R \) and \( S \) are commutative, \( S \) is a field, and \( f \) is surjective, then \( \ker(f) \) is a **maximal ideal** of \( R \).
+- If \( f \) is surjective, \( P \) is a prime (maximal) ideal in \( R \) and \( \ker(f) \subseteq P \), then \( f(P) \) is a prime (maximal) ideal in \( S \).

content/Basic Cryptography/Feistel cipher.md

@@ -0,0 +1,106 @@
+## Intro
+The Feistel Cipher is a cryptographic structure that divides the input into left and right blocks, repeatedly applying a round function to one block and combining its output with the other block.
+Typically, all elements of an encryption process must be invertible, as decryption requires reversing the encryption steps to recover the plaintext. However, the Feistel Cipher uniquely employs both invertible and non-invertible components.
+
+The primary reason the Feistel Cipher can utilize non-invertible elements lies in its design, which is based on the XOR operation.
+> [!Question] The Invertibility of XOR
+> Due to the "self-inverse" property of XOR, performing the same XOR operation during the decryption phase restores the original data.
+> * Self-inverse property: A⊕B⊕B=A
+
+As a result, the Feistel Cipher allows for more flexible designs compared to Non-Feistel Ciphers. Additionally, the use of non-invertible components simplifies management by making the encryption and decryption processes identical.
+
+A well-known example of a Feistel Cipher is [[DES]] (Data Encryption Standard). In contrast, a prominent example of a Non-Feistel Cipher is [[AES]] (Advanced Encryption Standard).
+
+
+## Design
+### 1-Round Feistel Structure
+![[Feistel_cipher(1).png]]
+
+The left side represents the encryption process, while the right side shows the decryption process.
+
+#### Encryption Process
+
+In the encryption process, the plaintext input $p = (L_0 \parallel R_0)$ is divided into $L_0$​ and $R_0$​. A function $F$ takes the key $k$ and $R_0$​ as its input. Then, $L_0$​ is XORed with the output of $F(k, R_0)$, producing the left half of the ciphertext $L_1$. Meanwhile, $R_0$​ remains unchanged and becomes the right half of the ciphertext $R_1$​.
+
+The encryption process can be represented mathematically as follows:
+$$
+L_1 = L_0 \oplus F(k, R_0)
+$$
+$$
+R_1 = R_0
+$$
+
+#### Decryption Process
+
+In the decryption process, the input ciphertext $c = (L'_0|R'_0) = (L_1|R_1)$ is divided into $L'_0$​ and $R'_0$.
+$L'_0$ is XORed with $F(k, R'_0)$, resulting in the left half of the plaintext $L'_1$. Similarly, $R'_0$ remains unchanged and becomes the right half of the plaintext $R'_1$.
+
+The decryption process can be represented mathematically as follows:
+$$
+L'_1 = L'_0 \oplus F(k, R'_0)
+$$$$
+R'_1 = R'_0
+$$
+
+#### Observations
+
+As you may have noticed, the encryption and decryption processes are identical except for their inputs and outputs being reversed.
+
+Encryption:
+$$c = p \oplus (F(k, R_0) \parallel 0)$$
+Decryption: 
+$$c \oplus (F(k, R'_0) \parallel 0) \\ = p \oplus (F(k, R_0) \parallel 0) \oplus (F(k, R'_0) \parallel 0) \\ = p \oplus (F(k, R_0) \parallel 0) \oplus (F(k, R'_0) \parallel 0) \\ = p \oplus 0 = p$$
+As mentioned in the [[#Intro]], the self-inverse property of the XOR operation ensures that $F(k, R'_0)$ is canceled out during decryption. This means the decryption process works correctly even without requiring the inverse function $F^{-1}$, allowing the use of non-invertible components in the Feistel Cipher.
+
+#### Limitations of a 1-Round Feistel Structure
+
+Analyzing the 1-round Feistel Cipher reveals a critical drawback: the right half of the plaintext, $R_0$, directly becomes the right half of the ciphertext, $R_1$, without undergoing any transformation. This exposes half of the plaintext in the ciphertext, significantly compromising security.
+
+To address this issue, Feistel Cipher structures are designed with multiple rounds. In a multi-round Feistel Cipher, the left and right halves are swapped at the end of each round, effectively ensuring that all parts of the plaintext are processed. However, this design requires more rounds compared to Non-Feistel Ciphers to achieve the same level of security.
+
+### Multi-Round Feistel Structure
+![[Feistel_cipher(2).png]]
+The diagram above illustrates a Feistel structure with multiple rounds, as opposed to a single round.
+
+#### Encryption Process
+
+Unlike the single-round Feistel structure, in a multi-round Feistel Cipher, the right half of the plaintext ($R_0$) does not directly become the right half of the ciphertext ($R_1$). Instead, it becomes the left half of the output ($L_1$). Additionally, the XOR computation that previously resulted in $L_1$ in the single-round structure now determines $R_1$. In other words, the outputs of the left and right halves are swapped after each round.
+In the second round, $L_1$ undergoes further encryption, ensuring that both $L_0$ and $R_0$ are processed through the encryption rounds.
+
+The encryption process can be expressed as follows:
+$$L_1 = R_0$$
+$$
+R_1 = L_0 \oplus F(k_1, R_0)
+$$
+$$
+L_2 = L_1 \oplus F(k_2, R_1)
+$$
+$$
+R_2 = R_1
+$$
+
+#### Decryption Process
+
+The decryption process mirrors the encryption process, with the only difference being the reverse order of the keys used during the computation.
+$$
+L'_1 = R'_0 = R_2 = R_1
+$$
+$$
+R'_1 = L'_0 \oplus F(k_2, R'_0) = L_2 \oplus F(k_2, R_1)
+$$
+$$
+= L_1 \oplus F(k_2, R_1) \oplus F(k_2, R_1) = L_1 = R_0
+$$
+$$
+L'_2 = L'_1 \oplus F(k_1, R'_1) = R_1 \oplus F(k_1, R_0)
+$$
+$$
+= L_0 \oplus F(k_1, R_0) \oplus F(k_1, R_0) = L_0
+$$
+$$
+R'_2 = R'_1 = R_0
+$$
+
+> [!Note] 
+> A Feistel Cipher with two rounds provides the same level of security as a single round of a Non-Feistel Cipher. Therefore, Feistel Ciphers generally require a greater number of rounds to achieve comparable security.
+

content/Privacy Enhancing Technologies (PET)/Secure Multiparty Computation/Garbled Circuit.md

@@ -0,0 +1,90 @@
+# **Garbled Circuit**
+
+**Garbled Circuit** is a cryptographic protocol that enables two untrusted parties to jointly compute a function over their private inputs without revealing the inputs to each other. This is achieved without relying on a trusted third party, ensuring secure computation.
+
+## **Background**
+
+### **Oblivious Transfer (OT)**
+Garbled Circuit protocols rely on **Oblivious Transfer (OT)**, a cryptographic primitive where:
+- The sender has two messages \( S_0 \) and \( S_1 \).
+- The receiver selects one message \( S_b \) (where \( b \in \{0,1\} \)) without revealing their choice to the sender.
+- The sender remains unaware of which message was received.
+
+Oblivious Transfer ensures that private inputs remain hidden, a crucial requirement for secure computation.
+
+---
+
+## **The Garbled Circuit Protocol**
+
+Yao’s Garbled Circuit protocol consists of the following steps:
+
+### **1. Circuit Representation**
+The function to be computed is expressed as a **Boolean circuit**, composed of:
+- **Input wires** (holding input values).
+- **Output wires** (holding final results).
+- **Intermediate wires** (connecting gates).
+
+Each **gate** in the circuit:
+- Has **two input wires** and **one output wire**.
+- Implements a Boolean function (e.g., AND, XOR).
+- Can be represented using a **truth table**.
+
+### **2. Garbling the Circuit**
+The sender (Alice) garbles the circuit as follows:
+- Assigns **two random labels** to each wire (representing 0 and 1).
+- Encrypts the output labels for each gate using its input labels as encryption keys.
+- The **garbled truth table** is shuffled to hide gate information.
+
+### **3. Data Transmission**
+- Alice sends the **garbled circuit** and her input labels to the receiver (Bob).
+- Bob obtains his input labels via **1-out-of-2 Oblivious Transfer (OT)**.
+
+### **4. Circuit Evaluation**
+- Bob evaluates the circuit **obliviously**, decrypting only the correct output labels.
+- The correct row in each gate’s garbled truth table is found and decrypted, obtaining new labels for the next layer of computation.
+
+### **5. Output Recovery**
+- Bob sends his garbled output labels to Alice.
+- Alice maps the labels to actual bits and sends the final output mapping to Bob.
+
+---
+
+## **Optimizations in Garbled Circuit Protocols**
+Several techniques improve the efficiency of Garbled Circuit protocols:
+
+### **1. Point-and-Permute**
+- Assigns **select bits** to wire labels, allowing Bob to find the correct ciphertext row efficiently.
+- Reduces the number of comparisons, improving circuit evaluation speed.
+
+### **2. Row Reduction**
+- Reduces the garbled truth table size from **4 rows to 3 rows**, minimizing communication overhead.
+
+### **3. Free XOR**
+- Eliminates encryption overhead for XOR gates by leveraging a global random value \( R \), significantly reducing computational costs.
+
+### **4. Fixed-Key Blockcipher**
+- Uses a **fixed-key block cipher** to efficiently encrypt the gate outputs, optimizing performance.
+
+### **5. Half AND**
+- Reduces the garbled truth table for AND gates to **2 rows**, minimizing storage requirements.
+
+---
+
+## **Security Considerations**
+### **Semi-Honest Security**
+- Yao’s protocol is **secure against semi-honest adversaries**, who follow the protocol but may attempt to infer information from received messages.
+
+### **Malicious Security**
+- A malicious sender could construct a garbled circuit that leaks the receiver’s input.
+- Since the receiver cannot inspect the garbled circuit, additional **Zero-Knowledge Proofs (ZKP)** are required for security against malicious adversaries.
+
+---
+
+## **Conclusion**
+Garbled Circuit is a powerful cryptographic protocol that allows secure function evaluation between two untrusted parties. It is widely used in privacy-preserving computation, including:
+- **Secure auctions**
+- **Privacy-preserving machine learning**
+- **Secure electronic voting**
+- **Anonymous data analysis**
+
+Despite its efficiency improvements, Garbled Circuit protocols still require optimizations for practical large-scale applications. Continued research in cryptographic techniques ensures better efficiency and stronger security guarantees.