Moreover - does the exam style will be similar to moed a?

Thanks!

The goal here is to show that the adversary cannot turn an encryption of an unknown message to an encryption of a related message.

So intuitively, we want to say that if the adversary can turn an encryption of m to an encryption of f(m), then it in fact turns anything to an encryption of f(m), which is something we may not be able to prevent. ]]>

I think there is a mistake in the second term, and it should be $f_n(m')$ instead of $f_n(m)$. ]]>

2014b: 2.a

2014b: 3. ]]>

I won't ask about CCA in the exam though. ]]>

The challenge is to show that its output is indistinguishable from a real proof $(P(w),V^*)(x)$.

To do this we consider a hybrid simulator $S'(w)$ that is essentially between the two, it behaves the same as $S$ only that instead of the zero commitments, it puts commitments that are consistent with $w$ etc. You can show that the proof generated by $S'$ is computationally ind from that of $S$ using the hiding of the commitments. Then you show that $S'$ is distributed identically to $(P(w),V^*)(x)$. ]]>

I was wondering if the material from HW6 (FHE, FE, and IO) will be on the test. The previous tests didn't touch on this material, and the solutions for Homework 6 won't be published until after the exam. ]]>

or to answer the question only under our definition of CCA? ]]>

My question is: assuming S' learns a witness, isn't it sufficient to claim the following general claim (not speicific to 3COL or the GMW protocol):

S' can output a view which is identically distributed as V*'s view, because it can run a full simulation of the protocol, i.e. simulate <P(w),V*>(x).

]]>Why is this difference?

]]>