Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Moed B subjects

Moreover, will the exam style be similar to Moed A?

Thanks!

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Moed B subjects

Forum category: News / Course News, Fall 2017/2018

Forum thread: Reference solution for Moed A

Forum category: News / Course News, Fall 2017/2018

Forum thread: Reference solution for assignment 6

The goal here is to show that the adversary cannot turn an encryption of an unknown message into an encryption of a related message.

So intuitively, we want to say that if the adversary can turn an encryption of $m$ into an encryption of $f(m)$, then it in fact turns anything into an encryption of $f(m)$, which is something we may not be able to prevent.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q3a

I think there is a mistake in the second term, and it should be $f_n(m')$ instead of $f_n(m)$.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q3a

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Exams solutions

2014b: 2.a

2014b: 3.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Exams solutions

I won't ask about CCA in the exam though.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Exams solutions

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Subjects from the last lectures

The challenge is to show that its output is indistinguishable from a real proof $(P(w),V^*)(x)$.

To do this we consider a hybrid simulator $S'(w)$ that is essentially between the two: it behaves the same as $S$, except that instead of the zero commitments it puts commitments that are consistent with $w$, etc. You can show that the proof generated by $S'$ is computationally indistinguishable from that of $S$ using the hiding of the commitments. Then you show that $S'$ is distributed identically to $(P(w),V^*)(x)$.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Question re Sim in ZKP

I was wondering if the material from HW6 (FHE, FE, and IO) will be on the test. The previous tests didn't touch on this material, and the solutions for Homework 6 won't be published until after the exam.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Subjects from the last lectures

or to answer the question only under our definition of CCA?

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Exams solutions

My question is: assuming $S'$ learns a witness, isn't it sufficient to claim the following general claim (not specific to 3COL or the GMW protocol):

$S'$ can output a view which is identically distributed to $V^*$'s view, because it can run a full simulation of the protocol, i.e. simulate $\langle P(w),V^*\rangle(x)$.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Question re Sim in ZKP

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q1

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: One-wayness of TDF

Why is there this difference?

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: One-wayness of TDF

Also, clarifications and corrections were made following questions raised in the forum.

Forum category: News / Course News, Fall 2017/2018

Forum thread: Deadline for assignment 6

Does your confusion concern question 2? Note that there $ct \oplus ct'$ is defined in the question as "their homomorphic XOR" and not as their XOR as bit strings.

This is an abuse of notation. I now made this clear. Also added another clarification about homomorphic evaluation.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q2b


By the definition of homomorphic encryption, if $E$ is homomorphic with respect to XOR, $\mathrm{Eval}_{\mathrm{XOR}}$ is not necessarily XOR, but it is implied from the process of decryption that it is.

Can you confirm this?

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q2b


I mean, does ct include

"m XOR xor-of-those-r_i's", or

"m TIMES xor-of-those-r_i's"?

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q2b

Posted a corrected version.

Thanks for noting.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Q3a

I think that I'm missing something in the definition of non-malleability: we require that for every message $m$ the adversary will succeed with negligible probability.

A silly example: fix any PKE that is CCA secure and define $f_n(x)$ to be 1 if $x=0^n$ and 0 otherwise. Then by defining $\mathcal{A}$ on input $(pk, ct)$ to return the encryption of 1 under the public key, don't we actually succeed on every message which is not $0^n$ with very high probability? In fact it seems that for every function and any message we can construct an adversary which succeeds on the message.

What am I missing?

Thanks,

Eliran

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: Q3a

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q2b

Forum category: News / Course News, Fall 2017/2018

Forum thread: HW5 reference solution

Think about the input $s\in \{0,1\}^n$ for $G$ as $(b,y,s')$, where $b$ is a bit, $y$ is of length $(n+1)/2$, and $s'$ is the rest (formally, of size $(n-3)/2$). Let $G'$ be any PRG that stretches strings of length $|s'|$ to $n+1$ bits. Define $G$ so that if $b=0$, it returns $y0^{(n+1)/2} \oplus G'(s')$, and if $b=1$, it returns $0^{(n+1)/2}y \oplus G'(s')$.

You can see that $G$ is a PRG, because $G'$ is a PRG and $s'$ is independent of $y$. However, $G(s_1)\oplus G(s_2)$ can always be inverted. Indeed, denote any such string by its two halves $(u,v)$ and return as the preimage $s_1 = (0,u,s'), s_2 =(1,v,s')$.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW2 Q3(c)
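The construction in the reference answer above, carried out in code as an added example (it is not part of the original post): `G` is built from a stand-in `G'` exactly as described, and `invert_xor_of_G` is the inverter that, given any $w = (u,v)$, returns $s_1=(0,u,s')$ and $s_2=(1,v,s')$ with a shared $s'$ so that the $G'(s')$ terms cancel. The stand-in $G'$ is a SHA-256 expansion chosen only so the code runs (an assumption, not a proof that it is a PRG), and the seed length $n$ is assumed odd so that $(n+1)/2$ and $(n-3)/2$ are integers.

```python
import hashlib


def g_prime(s_prime: str, out_len: int) -> str:
    """Stand-in for the PRG G': {0,1}^{|s'|} -> {0,1}^{n+1}.
    Assumption: a SHA-256 expansion is used only so the example runs;
    nothing here proves that this map is a PRG."""
    digest = hashlib.sha256(b"G'|" + s_prime.encode("ascii")).digest()
    bits = "".join(f"{byte:08b}" for byte in digest)
    if out_len > len(bits):
        raise ValueError("stand-in G' expands to at most 256 bits")
    return bits[:out_len]


def xor_bits(a: str, b: str) -> str:
    if len(a) != len(b):
        raise ValueError("XOR of bit strings of different length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def split_seed(s: str):
    """Parse s = (b, y, s') with |b| = 1, |y| = (n+1)/2, |s'| = (n-3)/2 (n odd)."""
    n = len(s)
    if n % 2 == 0 or n < 3 or set(s) - {"0", "1"}:
        raise ValueError("seed must be a bit string of odd length n >= 3")
    half = (n + 1) // 2
    return s[0], s[1:1 + half], s[1 + half:]


def G(s: str) -> str:
    """G(b, y, s') = y || 0^{(n+1)/2} xor G'(s') if b = 0,
    and 0^{(n+1)/2} || y xor G'(s') if b = 1. Output length is n+1."""
    b, y, s_prime = split_seed(s)
    half = len(y)
    zeros = "0" * half
    placed = y + zeros if b == "0" else zeros + y
    return xor_bits(placed, g_prime(s_prime, 2 * half))


def invert_xor_of_G(w: str, s_prime: str):
    """Given any w in {0,1}^{n+1}, output seeds (s1, s2) with G(s1) xor G(s2) = w.
    Write w = (u, v). Using the same s' in both seeds makes the G'(s') terms
    cancel, leaving u || v, so the original seeds are never needed."""
    if len(w) % 2 != 0 or len(w) < 4:
        raise ValueError("w must have even length n+1 >= 4")
    half = len(w) // 2
    if len(s_prime) != half - 2:  # |s'| = (n-3)/2 = half - 2
        raise ValueError("s' must have length (n-3)/2")
    u, v = w[:half], w[half:]
    return "0" + u + s_prime, "1" + v + s_prime


def demo():
    # Constructed sample seeds for n = 15: |y| = 8, |s'| = 6.
    s1 = "0" + "10110011" + "010101"
    s2 = "1" + "00001111" + "110011"
    target = xor_bits(G(s1), G(s2))
    # The inverter may pick any s' it likes; here all zeros.
    t1, t2 = invert_xor_of_G(target, "0" * 6)
    return target, (t1, t2), xor_bits(G(t1), G(t2))


if __name__ == "__main__":
    target, preimage, check = demo()
    print("target  ", target)
    print("preimage", preimage)
    print("inverted", check == target)
```

The inverter finds a (different) preimage for every target string without ever seeing $s_1, s_2$, which is exactly why $G(s_1)\oplus G(s_2)$ is not one-way even though $G$ itself is a PRG.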


The ref solution you published doesn't have it.

Thanks.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW2 Q3(c)

1. You can find here the header page of the exam including the instructions and structure of the exam. Make sure to read it before the exam.

2. Here are some exams by Iftach Haitner and Benny Applebaum from previous years. (I think that the only concept there we haven't touched in either class/hw is CCA1 encryption.)

Good luck!

Nir

Forum category: News / Course News, Fall 2017/2018

Forum thread: Exam

Forum category: News / Course News, Fall 2017/2018

Forum thread: Assignment 6

So given a set of encryptions of bits $x_1,\dots,x_n$, you should be able to compute a new encryption of $f(x_1\dots x_n)$ for any $f$.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q2b

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q1

For example, if we encrypt message $m=1$ using sample $e=0$, when decrypting we get:

$m' = (-m \bmod q) \bmod 2 = (-1 \bmod q) \bmod 2 = ((q-1) \bmod q) \bmod 2 = (q-1) \bmod 2 = 0$

$\Rightarrow m' \neq m$

What am I missing?

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW6 Q1

Forum category: News / Course News, Fall 2017/2018

Forum thread: HW4 reference solution

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q3b

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q1

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q1- Question about V's randomness

2. Once you fix some first $i-1$ interactions, you can now ask what's the probability (over the verifier's next query) that the prover will answer correctly, this probability is what we call $p_i$.

3. The extractor can extract with probability one in expected poly-time, or with probability $1-n^{-\omega(1)}$ in fixed poly-time. This indeed shows that a prover that always answers according to an assignment that is invalid on some edge will fail to convince us in some iteration, except with negligible probability.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q1
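A simulation of point 3 above for the case it describes, a prover that always answers according to one fixed assignment, as an added example (it is not part of the original thread). Commitments are abstracted away (an assumption of this example): `commit()` fixes a fresh random permutation of the three colors for the round and `open(edge)` reveals the two permuted colors, so "rewinding" is just opening more edges under the same commitment. The class and function names, and the toy graph, are this example's own. `round_acceptance_probability` is the $p_i$ of the thread for such a prover, and `extract` opens every edge once to recover the committed coloring or detect an improper edge.

```python
import random

COLORS = (0, 1, 2)


class FixedAssignmentProver:
    """Prover that always answers according to one fixed (possibly improper) coloring.
    Commitments are abstracted (assumption): commit() draws a fresh random permutation
    of the three colors for this round; open(edge) reveals the two permuted colors."""

    def __init__(self, coloring, rng):
        self.coloring = list(coloring)
        self.rng = rng
        self.perm = None

    def commit(self):
        perm = list(COLORS)
        self.rng.shuffle(perm)
        self.perm = perm

    def open(self, edge):
        u, v = edge
        return self.perm[self.coloring[u]], self.perm[self.coloring[v]]


def verifier_accepts(opened):
    a, b = opened
    return a in COLORS and b in COLORS and a != b


def is_proper(coloring, edges):
    return all(coloring[u] != coloring[v] for u, v in edges)


def round_acceptance_probability(coloring, edges):
    """p_i for a fixed-assignment prover: the fraction of edges on which the assignment
    is proper. Such a prover ignores the transcript, so p_i is the same in every round."""
    good = sum(1 for u, v in edges if coloring[u] != coloring[v])
    return good / len(edges)


def survival_probability(coloring, edges, rounds):
    """Probability that a fixed assignment passes all `rounds` sequential rounds."""
    return round_acceptance_probability(coloring, edges) ** rounds


def run_protocol(prover, edges, rounds, rng):
    """Sequential repetition: V picks a uniformly random edge each round and accepts
    iff the two opened colors are distinct. Returns True iff V accepts in every round."""
    for _ in range(rounds):
        prover.commit()
        if not verifier_accepts(prover.open(rng.choice(edges))):
            return False
    return True


def extract(prover, edges, n_vertices):
    """Extractor: commit once, then rewind and open every edge under that commitment.
    Returns a recovered coloring (a permutation of the prover's), or None if some
    edge is improper or two openings of one vertex disagree."""
    prover.commit()
    recovered = {}
    for u, v in edges:
        a, b = prover.open((u, v))
        if not verifier_accepts((a, b)):
            return None
        for vertex, color in ((u, a), (v, b)):
            if recovered.setdefault(vertex, color) != color:
                return None
    # Vertices with no incident edge are unconstrained; give them color 0.
    return [recovered.get(i, 0) for i in range(n_vertices)]


# Constructed toy instance: a triangle with a pendant edge (a proper 3-coloring exists).
EDGES = [(0, 1), (1, 2), (0, 2), (2, 3)]
N_VERTICES = 4
HONEST = [0, 1, 2, 0]     # proper
CHEATING = [0, 1, 2, 2]   # improper on edge (2, 3) only


def demo(rounds=200, seed=7):
    rng = random.Random(seed)
    honest = FixedAssignmentProver(HONEST, rng)
    cheater = FixedAssignmentProver(CHEATING, rng)
    return {
        "honest_accepted": run_protocol(honest, EDGES, rounds, rng),
        "cheater_accepted": run_protocol(cheater, EDGES, rounds, rng),
        "cheater_p_i": round_acceptance_probability(CHEATING, EDGES),
        "cheater_survival": survival_probability(CHEATING, EDGES, rounds),
        "extracted_from_honest": extract(honest, EDGES, N_VERTICES),
        "extracted_from_cheater": extract(cheater, EDGES, N_VERTICES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With one improper edge out of four, $p_i = 3/4$ in every round and the chance of surviving 200 rounds is $(3/4)^{200}$, which is why the cheating prover is rejected in the simulation while the extractor, opening all $|E|$ edges under a single commitment, either returns a proper coloring or pinpoints the bad edge. A prover whose answers depend on the transcript is not covered by this model; that is the case where $p_i$ has to be defined conditioned on the first $i-1$ interactions.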

We care about the probability that $V$ accepts in a given interaction after the previous interactions have been fixed. Redefining $G_i$ is not necessary (although it is possible, since we're anyhow looking at the intersection with the event that $V$ accepts in all interactions).

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q1

For $p_i$ to have a value, the $(i-1)$ interactions should be fixed, as you stated. Does that mean that whenever the question is referring to $G_i$ and its probability (such as in section a) we can assume $t$ interactions were fixed and they are not a random event? Otherwise, what meaning could $p_i > 1 - 1/|E|$ have?

Another question, perhaps semantic: $V$ is said to accept in the $i$-th interaction. It makes more sense to me if it would say that $V$ accepts (all interactions) up until the $i$-th interaction, because $V$ is obviously aware of all prior interactions.

Thanks.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q1

1. In the GMW zk-proof for 3COL, the interaction between prover and verifier consists of commitments, an edge, and a coloring. So when saying that $f$ receives the transcript so far, does that mean it receives the set of edges asked so far, i.e. $e_1, \dots, e_k$?

2. Why, when we fix the first $i-1$ interactions, does $p_i$ become fixed? Aren't all the $p_i$ independent? Because $V$ chooses a random edge for every interaction, all the interactions between the prover and verifier are independent too. What am I missing?

3. I assume the extractor should succeed with probability 1. However, theoretically speaking, the prover manages to convince us with some success rate. Doesn't that make it impossible to "always extract" a coloring? Because maybe his assignment isn't valid for some edge.

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q1

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q2

2) you just need to describe the protocols (but you better convince yourself of their validity to make sure you're not describing a protocol that doesn't work).

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q3

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q2

If we assume that the parties are using a "good" MPC protocol, then $A^*$'s view should be computationally indistinguishable to that of the ideal world, right? In that ideal world both sections are easy, so what exactly do we need to prove?

Forum category: Forum / Course Forum, Fall 2017/2018

Forum thread: HW5 Q2