(Title, in the lattices chapter)

The subheader ::: {.definition title="Pseudorandom permutations" #PRPdef} in the second paragraph of Sect 5.2 is displaying as plaintext

Thanks very much for making these notes available, but please sir, can I have some more...

I wonder if you are able to make available some of the exercises/problem sets referred to by the text? I suspect you may wish to avoid disseminating graded problem sets, but thought I would ask. Perhaps you might be able to provide suggested exercises from other texts/locations.

crytpgoraphy in the Computational Secrecy section.

In 3.4 Case Study 3: B.B.S., in the centered line where Q_n is defined, N should be n.

The sentence seems a bit confusing - I think it might be missing a for ("then for every subset M \subset {0, 1}^\ell")

The footnote 1 and the label for figure 8.1 overlap. I would fix this in my pull request, but I honestly don't know how.

As usual, we will use the hybrid argument. (...) to be the distribution where the first i bits chosen at random

And I think it should be $s_i$ chosen at random from ${ 0, 1 }^i$ as well (in the following line)

Just grammar, but better to drop the comma on "Now suppose otherwise, that there exists some adversary Eve such that ..." ("Now suppose otherwise that there exists some adversary Eve such that ...")

And on the following sentence, instead of "We will build from Eve an adversary Eve' breaking ...", make it "From Eve, we will build an adversary Eve' ..."

On following sentence, instead of "On input of string y", make it "On an input string y"

"Eve' will interpret $y$ as (s_i + 1, y_i + 1). Choose y_1, ..." (turn the comma into a period)

I believe $\alpha$ and $\beta$ should be divided by $\large{2^n}$.
Also, a minor suggestion: "There exists a set $\large{S}$..." -> "Consider the set $\large{S}$ with all $x$ such that $\large{s(x) \geq \frac{1}{2} + \frac{\epsilon_A(n)}{2}}$, we claim $\large{|S| > \epsilon_A(n) (2^n)}$".

In Safari 11.1 and Chrome 68, clicking on your website link in README.md results in a TLS error and the page does not load. Your server redirects HTTP to HTTPS without adding a www. prefix, but you don't have a certificate for intensecrypto.org, only www.intensecrypto.org.

Saw this in recent ACM news digest.
Maybe relevant to future edits of the PKE / Key Exchange chapters:

https://www.siliconrepublic.com/enterprise/bt-unhackable-network

The link is said to be ‘unhackable’ due to its reliance on the use of single particles of light (photons) to transmit encryption keys across the fibre. If this communication is intercepted, the sender will be able to detect that the link has been tampered with.

An intensive introduction to cryptography: Introduction

Lecture notes on Cryptography by Boaz Barak

https://intensecrypto.org/public/lec_01_introduction.html

Definition 6.1 should have a "." after "Mallory gets 1^n where n is the length of the key".

There seems to be a missing/incomplete reference on pages 133 and 134.

The definition of S_0 in the first line seems incorrect; I think it should match the definition given in the second paragraph of the proof of Theorem 1.11. It should be all the ciphertexts corresponding to x_0 ranging over the keys, not ranging over x for fixed k.

In both definitions, "encyption" should be "encryption."

There is no makefile or explanation in the readme.md how this is compiled to a pdf.
Not even a reference to the used software (pandoc?)
This would be helpful both for people trying to contribute and lecturers trying to create similarly beautiful scripts.

On the first flyleaf. Sorry it's trivial. Obviously Jimi is past caring.

In Definition 10.19(Hardcore predicate), I'm not sure $h$ or $b$ which is the presentation of the hardcore predicate.

Formatting issue where column notes too long intersect one beneath them, like page 153 and 156 of https://files.boazbarak.org/crypto/lnotes_book.pdf

https://intensecrypto.org/public links are all broken

Changes and Deletions marked; it's difficult to bold punctuation in Markdown though

• "with messages that can much longer (sometimes even terrabytes or more of data)" → "with messages that can be much longer (sometimes even terabytes or more of data)"

• Theorem 2.3: "If (E, D) is has t bits of computational security as per Definition 2.4 then every" → "If (E,D) is has t bits of computational security as per Definition 2.4 then for every"

• "we will assume towards a contradiction, that there is an efficient adversay strategy" → "we will assume towards a contradiction, that there is an efficient adversary strategy"

• "and build from Eve a strategy Eve' demonstrating that S' violates X." → "and build from Eve a strategy Eve' demonstrating that S' violates X**'**."

• "for short) , which we will consider as efficient" → "for short), which we will consider as efficient**.**" (notice the extra space before the comma) (there also isn't a comma in the equivalent spot in the next bullet, but w/e)

• "Note that for every non-constant polynomials p, q," → "Note that for all non-constant polynomials p, q,"

• "For concreteness, lets define that a function F ... has complexity at most T is there is a Boolean circuits that" → "For concreteness, let**'**s define that a function F ... has complexity at most T if there is a Boolean circuit that"

• "gate that outputs a single random bits (though" → "gate that outputs a single random bit (though"

• The Cipher Conjecture "There exists a computationally scure encryption scheme (E,D)" → "There exists a computationally secure encryption scheme (E,D)"

• "and hence in particular there must exists some i" → "and hence in particular there must exist some i"

• "Indeed, suppose towards the sake of contradction that there was" → "Indeed, suppose towards the sake of contradiction that there was"

• under Theorem 2.9 "some $T-10\ell n$-time $Eve's:{{0,1}}^{n\ell}\rightarrow{{0,1}}$" → some $T-10\ell n$-time $Eve's:{{0,1}}^{n\ell}\rightarrow{{0,1}}$

• "$$ \left| {\mathbb{E}}[ Eve'(H_i) ] - {\mathbb{E}}[ Eve(H_{i+1}) ] \right| > \epsilon;. $$" → "$$ \left| {\mathbb{E}}[ Eve'(H_i) ] - {\mathbb{E}}[ Eve**'**(H_{i+1}) ] \right| > \epsilon;. $$"

• "variable $Z$ satisfies ${\mathbb{E}}Z \geq \alpha$" → "variable $Z$ satisfies ${\mathbb{E}}[Z] \geq \alpha$"

• "then $Eve$ runs in time at most the running time of $Eve$" → "then $Eve$ runs in time at most the running time of $Eve**'**$"

• "For a warm-up, let's show that the easier fact that" → "For a warm-up, let's show that the easier fact that"

• "Since we know that for every pair of message $m" → "Since we know that for every pair of messages $m"

This is a really amazing textbook you have put together. I am wondering, could you include your typesetting toolchain in the source tree here, e.g. the Makefile that might build this Markdown into the PDFs and HTML you have published?

Not sure if this is intended, but it seems like there are a few broken itemize groups in the chapters where * item 1 doesn't render correctly. Some samples are attached -

>
Consider the following "box" $\hat{D}$ that will answer decryption queries $c\|y\|z$ of the adversary as follows: \
* If $z$ was returned before to the adversary as an answer to $H'(m\|r)$ for some $m,r$, and $c=E_e(m\;H(m\|r))$ and $y=m\oplus r$ then return $m$. \
* Otherwise return ```error```
>

I believe it is because of the \ on the previous line before the itemize environment, but I might be wrong. Here's an example for when it renders correctly:

>__CCA-ROM-ENC Scheme:__
>
* **Ingredients:** A public key encryption scheme $(G',E',D')$ and a two hash functions $H,H':\{0,1\}^*\rightarrow\{0,1\}^n$ (which we model as independent random oracles[^oracles])
>
* **Key generation:** We generate keys $(e,d)=G'(1^n)$ for the underlying encryption scheme.
>
* **Encryption:** To encrypt a message $m\in\{0,1\}^\ell$, we select randomness $r\leftarrow_R\{0,1\}^\ell$ for the underlying encryption algorithm $E'$ and output $E'_e(r;H(m\|r))\|(r \oplus m)\|H'(m\|r)$, where by $E'_e(m';r')$ we denote the result of encrypting $m'$ using the key $e$ and the randomness $r'$ (we assume the scheme takes $n$ bits of randomness as input; otherwise modify the output length of $H$ accordingly).
>
* **Decryption:** To decrypt a ciphertext $c\|y\|z$ first let $r=D_d(c)$, $m=r \oplus y$ and then check that $c=E_e(m;H(m\|r))$ and $z=H'(m\|r)$. If any of the checks fail we output ```error```; otherwise we output $m$.

Footnote 1: "one way functions" without the "".

From @vc-l

In the proof of CLAIM 2 of Lemma 10.10, isn't x^{(N-1)/2}(1-x)^{(N-1)/2} the polynomial whose degree is at most N-1? Also, the integer coefficients C_k start from k=0 for a generic polynomial (but it doesn't change anything).

Best,
Valerio

"etc" should be "etc."

e.g., messages are denoted as x instead of m.

• Page 18: third-to-last line: "... perfectly secure regardless of the attacker's computational resources.
• Page 26: sixth-to-last line: "More precisely, this means that for every natural number k, there are (not ->) more than k primes.
• Page 27: second paragraph, second-to-last line: "... to be a number that is (divisable ->) divisible neither by p,q, nor r, and more generally ... is not (divisable ->) divisible by..."

On the second line it says "if an only if"

-Michael Gul

Page 76, text says "Clearly if the cipher conjecture is false then we also don’t have a secure encryption with a key, say, twice as long as the message."

But I think this should be "a message twice as long as the key"

For the proof of the theorem here:

I think that instead of "iff $F_k(m) = \tau$" it maybe should be "iff $F(k, m) = \tau" or "iff $S_k(m) = \tau"

Step 2 of the simulator in the proof of Zero Knowledge for ZK-QR says "Pick 𝑠″ at random in ℤ∗_m. If 𝑏 = 0 then let 𝑥′ = 𝑠″2 (mod 𝑚).Otherwise output 𝑥′ = 𝑥𝑠″2 (mod 𝑚)." I believe it's supposed to be b' instead of b here, since b' is defined in the previous step, but b is not defined until the next step.

First paragraph of section 6.2.1 (protocls -> protocols):

This is a great example of how hard it is to remove insecure protocols from practical usage (and so how important it is to get these protocls right).

You write that for $A=(-\beta y | A')$ and for column vector $s=(\alpha, s')$: $As = e$. But for the definitions given, it would actually reduce to $As = -e$.

Table clips off in PDF Version, weird formatting happens on the web version too.

Here's the web version from my browser as well:

Some text is overlaid on other text.

In the definition of the encryption scheme you write: "Ciphertexts are $$(n \log q)\times (n\log q)$$ matrixes C". Shouldn't this be $$n \times (n\log q)$$?

Second Paragraph:

we will generally associate (or denote) efficient computation with...

Seung Hwan An

o is an alternative to C(n) for the length of a ciphertext, right? If so, this should probably be documented here:

HTML generator sends the comments to TCS repository - will try to fix

Hi!
Reporting a formatting issue here.
The table of content is missing some entries/chapters quite sporadically, depending on which chapter you are reading, different chapters are missing in the TOC. An example:

Thank you for a great online resource 🌟

Taken from page 233 of Chapter 14.

There are two typo in the Decryption section. It should read

1. "... first let $r = D'_d(c)$" (note D' not D)
2. "... and then check that $c = E'_e(r; H(m | r)$"

I would like to make the following suggestions:

1. Explicitly define the CCA encryption function as:

$$E_e(m) = E'_e(r; H(m | r) | (r \oplus m) | H'(m | r)$$

2. Make a note about the notation $m', r'$ used in the Encryption section (see here)

The book has extensive links to other sites. This could cause problems if any of those sites went offline. There's no great solution to this afaik, but Perma.cc comes close.

Given that 30% of students used it incorrectly in hw1, we should probably add a "Pause" box after the theorem noting that the theorem does not apply when the distributions are dependent.

In chapter 3 (pseudo randomness), the footnote (12) on Page 103 is not displaying.

In the second bullet point at the beginning of 2.1, there's a typo $2^{\Omega(sqrt{n})}$.
In Exercise 2.1, shouldn't p have zero constant term?

The page numbers in both tables of contents in the PDFs (main and detailed) are incorrect. For example, Section 2 (computational security) starts on p. 69, but appears as if it starts on p. 61:

The hyperlinks seem to work correctly.

I would like to use this opportunity to thank you Boaz for this wonderful resource!