Recent Forum Posts

Yes and yes.

Hey Nir, in Moed A you stated on the forum that subjects from the last lectures won't be in the exam: FHE, FE, IO, CCA security. Does this hold also for Moed B?

Moreover, will the exam style be similar to Moed A?
Thanks!

A reference solution for Moed A can be found here.

A reference solution for assignment 6 can be found here.

No mistake.
The goal here is to show that the adversary cannot turn an encryption of an unknown message to an encryption of a related message.
So intuitively, we want to say that if the adversary can turn an encryption of m to an encryption of f(m), then it in fact turns anything to an encryption of f(m), which is something we may not be able to prevent.

It's actually much easier the way it is stated in the HW now, so I hope it was not a mistake.

In Question 3 about CCA-security, we have to prove the difference between two probabilities is negligible.
I think there is a mistake in the second term, and it should be $f_n(m')$ instead of $f_n(m)$.

2014b 2a: I think it's the same construction as HW4 question 1b (the bonus question)

2014b 3: If the prover sends the verifier an encryption of the witness using some PKE scheme, it certainly isn't a zero-knowledge protocol, but the randomness of V* can be easily simulated using Gen, and the transcript can also be easily simulated because of the security of the PKE scheme.

Did anyone manage to solve the following and can share their answers?
2014b: 2.a
2014b: 3.

The definition of CCA from hw6 coincides with CCA2.

I'm afraid it's too late to ask for that now.

It won't.

The point is that the actual simulator that we construct doesn't get the witness.
The challenge is to show that its output is indistinguishable from a real proof $(P(w),V^*)(x)$.
To do this we consider a hybrid simulator $S'(w)$ that is essentially between the two: it behaves the same as $S$, only that instead of the zero commitments, it puts commitments that are consistent with $w$, etc. You can show that the proof generated by $S'$ is computationally indistinguishable from that of $S$ using the hiding of the commitments. Then you show that $S'$ is distributed identically to $(P(w),V^*)(x)$.

Hi,
I was wondering if the material from HW6 (FHE, FE, and IO) will be on the test. The previous tests didn't touch on this material, and the solutions for Homework 6 won't be published until after the exam.

And regarding exam 2017, should we ignore both questions about "CCA1" and "CCA2",
or answer the question only under our definition of CCA?

In $[-B,B]$ as we defined in class.
Is $\chi$ between 0 and $B$ or between $-B$ and $B$?