Moreover, will the exam style be similar to moed a?

Thanks!

I think there is a mistake in the second term, and it should be $f_n(m')$ instead of $f_n(m)$.

I was wondering if the material from HW6 (FHE, FE, and IO) will be on the test. The previous tests didn't touch on this material, and the solutions for Homework 6 won't be published until after the exam.

My question is: assuming S' learns a witness, isn't it sufficient to claim the following general claim (not specific to 3COL or the GMW protocol):

S' can output a view which is identically distributed as V*'s view, because it can run a full simulation of the protocol, i.e. simulate <P(w),V*>(x).

Why is there this difference?

Also, clarifications and corrections were made following questions raised in the forum.

I think that I'm missing something in the definition of non-malleability— we require that for every message $m$ the adversary will succeed with negligible probability.

A silly example— fix any PKE that is CCA secure and define $f_n(x)$ to be 1 if $x=0^n$ and 0 otherwise. Then by defining $\mathcal{A}$ on input $(pk, ct)$ to return the encryption of 1 under the public key, don't we actually succeed on every message which is not $0^n$ with very high probability? In fact it seems that for every function and any message we can construct an adversary which succeeds on the message.

What am I missing?

Thanks,

Eliran

The ref solution you published doesn't have it.

Thanks.

1. You can find here the header page of the exam including the instructions and structure of the exam. Make sure to read it before the exam.

2. Here are some exams by Iftach Haitner and Benny Applebaum from previous years. (I think that the only concept there we haven't touched in either class/hw is CCA1 encryption.)

Good luck!

Nir

For example, if we encrypt message m=1 using sample e=0, when decrypting we get:

m' = -m mod q mod 2 = -1 mod q mod 2 = q-1 mod q mod 2 = q-1 mod 2 = 0

=> m' != m

What am I missing?

If we assume that the parties are using a "good" MPC protocol, then $A^*$'s view should be computationally indistinguishable from that of the ideal world, right? In that ideal world both sections are easy, so what exactly do we need to prove?

1) In section a, can we assume a semi-honest protocol for any two-party **randomized** function?

2) In both sections, do we need to formally prove the security of our scheme?

Thanks,

Just for clarification, can you specify what happens in a case of a tie in the bids?

Also, can we assume that each of (A, B, C) gets back as output its own bid? namely that

y

I don't understand what it means for $G_i$ to occur.

Thanks!

A solution for the bonus can be found here.

Say, where there are communication channels between some player p1 and many others, and every player that wants to send p1 a message can do it using p1's public-key while maintaining some state, while p1 can maintain a different state for every communication channel.

If this is possible, then we cannot generate samples of encryptions from a certain player just by knowing pk, and I don't think that 1c holds.

1. You're not meant to show that there exist secret-key KPA schemes out of thin air (as you know by now, their existence is equivalent to that of OWFs). You're meant to show that if there are such KPA schemes then there are such that are not CPA secure. Thanks to Yotam for pointing this out.

2. You're not meant to do this for bit-encryption schemes (like in item c). Thanks to Nathan for pointing this out. In fact, as Nathan pointed out in the forum, it is untrue for bit-encryption schemes.

2. I understand that the definition given for the Known Plaintext setting is completely not adaptive, as it should be. Still, the adversary chooses the messages. How could it be considered to be a Known Plaintext?

2) If $f$ gets an input of arbitrary length, what should be the runtime bound of a polynomial adversary? Should we treat $f$ as an ensemble of functions?

I can see why $H^*$ is collision resistant for inputs with the same length, but I can't see why the same holds for general inputs whose length is a power of two.

Say $H'$ is a collision-resistant hash function that for a key $hk\in \{0,1\}^n$ maps $\{0,1\}^{2n}$ to $\{0,1\}^{n-1}$.

Then $H_{hk}(x):=\begin{cases} H'_{hk}(x)1&x\neq0^{2n}\\0^n&x=0^{2n}\end{cases}$ should be a collision-resistant hash function that for a key $hk\in \{0,1\}^n$ maps $\{0,1\}^{2n}$ to $\{0,1\}^{n}$, right?

However, $H^*_{hk}(0^{k})=H^*_{hk}(0^{2k})=0^{n}$.

Is there a mistake in the question?

Here you can find three reference solutions for HW1.

The first two are by Nathan and Omri.

The third is my solution for questions 1 and 3, and is supposed to give you some impression of what I consider "concise but yet convincing".

Note: in the Bonus solutions of Omri and Nathan there's a slight inaccuracy (although they definitely got the main point), try to figure out what the issue is.

Make sure to note your collaborators and any external sources. If you don't use any, explicitly write "none".

And if so, will it influence the grade (some penalty)?

We proved that for distinguishers. I imagine the proof for inverters should be very similar.

Does this thm mean that any OWF is also a PRG?

For example, let f be a OWF from {0,1}^n to {0,1}^(n+l), is f also a PRG with stretch l?

It seems that for all i, G_i is the same set, because of the way the t-fold product is defined: we can reorder its output without affecting A's ability to invert it (A will see the same values in a different order. It still needs to invert all of them).

So proving in Q3.b.i. that "there exists an i" is equivalent to proving "for all i".

Am I missing anything?

1. Why do we need the $1^n$ in $f$'s definition? We know that for every positive non-constant poly $p$ there exists $c>0$ such that $cp(n)\geq n$.

2. May we assume for simplicity that $\mu(\cdot)$ is non-increasing?

3. Do we need to prove that the composition of a negligible function over the inverse of a positive non-constant poly is negligible, or can we just use it without proof?

Thanks

\begin{align} \forall m: \Pr_{sk,r}[D_{sk}(E_{sk}(m;r))=m]=1 \end{align}

2. In question 2.a, there was a missing absolute value (the same one that was missing in class). That is, you need to show:

\begin{align} \left|\Pr\left[A(x) = b : \begin{array}{l} b \gets \{0,1\}\\ x \gets X_b \end{array}\right] - \frac{1}{2}\right|=\frac{\Delta_A(X_0,X_1)}{2}\enspace. \tag{2} \end{align}
