*Instructor:* Nir Bitansky
*Location and Hours:* Dan David 202, Thursday 10:00 - 13:00

*Assignment 6 due*: Feb 7
*Exam*: Feb 4
*Moed B*: Mar 28

**Reference solution for Moed A**

(15 Feb 2018 19:59)

**Reference solution for assignment 6**

(15 Feb 2018 19:56)

**Deadline for assignment 6**

(30 Jan 2018 13:37)

No mistake.
The goal here is to show that the adversary cannot turn an encryption of an unknown...

(by nbitansky 05 Feb 2018 19:34, posts: 3)

Recent Forum Posts

nbitansky 15 Feb 2018 19:59

in discussion News / Course News, Fall 2017/2018 » Reference solution for Moed A

A reference solution for Moed A can be found here.

nbitansky 15 Feb 2018 19:56

in discussion News / Course News, Fall 2017/2018 » Reference solution for assignment 6

A reference solution for assignment 6 can be found here.

The goal here is to show that the adversary cannot turn an encryption of an unknown message to an encryption of a related message.

So intuitively, we want to say that if the adversary can turn an encryption of m to an encryption of f(m), then it in fact turns anything to an encryption of f(m), which is something we may not be able to prevent.

It's actually much easier the way it is stated in the HW now, so I hope it was not a mistake.

I think there is a mistake in the second term, and it should be $f_n(m')$ instead of $f_n(m)$.

Omer Benami (guest) 03 Feb 2018 12:05

in discussion Forum / Course Forum, Fall 2017/2018 » Exams solutions

2014b 2a: I think it's the same construction as HW4 question 1b (the bonus question)

Nathan (guest) 03 Feb 2018 09:28

in discussion Forum / Course Forum, Fall 2017/2018 » Exams solutions

2014b 3: If the prover sends the verifier an encryption of the witness using some PKE scheme, it certainly isn't a zero-knowledge protocol, but the randomness of V* can be easily simulated using Gen, and the transcript can also be easily simulated because of the security of the PKE scheme.

Mr. Exam (guest) 03 Feb 2018 08:00

in discussion Forum / Course Forum, Fall 2017/2018 » Exams solutions

Did anyone manage to solve the following and can share their answers?

2014b: 2.a

2014b: 3.

The definition of CCA from hw6 coincides with CCA2.

I won't ask about CCA in the exam though.

I'm afraid it's too late to ask for that now.

nbitansky 01 Feb 2018 21:27

in discussion Forum / Course Forum, Fall 2017/2018 » Subjects from the last lectures

It won't.

nbitansky 01 Feb 2018 21:26

in discussion Forum / Course Forum, Fall 2017/2018 » Question re Sim in ZKP

The point is that the actual simulator that we construct doesn't get the witness.

The challenge is to show that its output is indistinguishable from a real proof $(P(w),V^*)(x)$.

To do this we consider a hybrid simulator $S'(w)$ that is essentially between the two: it behaves the same as $S$, only that instead of the zero commitments, it puts commitments that are consistent with $w$, etc. You can show that the proof generated by $S'$ is computationally indistinguishable from that of $S$ using the hiding of the commitments. Then you show that $S'$ is distributed identically to $(P(w),V^*)(x)$.

Omer Benami (guest) 01 Feb 2018 20:59

in discussion Forum / Course Forum, Fall 2017/2018 » Subjects from the last lectures

Hi,

I was wondering if the material from HW6 (FHE, FE, and IO) will be on the test. The previous tests didn't touch on this material, and the solutions for Homework 6 won't be published until after the exam.

student (guest) 01 Feb 2018 17:20

in discussion Forum / Course Forum, Fall 2017/2018 » Exams solutions

And regarding exam 2017, should we ignore both questions about "CCA1", "CCA2", or answer the question only under our definition of CCA?

student (guest) 01 Feb 2018 15:57

in discussion Forum / Course Forum, Fall 2017/2018 » Exams solutions

Nir, can you please upload solutions to the given exams?

student (guest) 01 Feb 2018 08:49

in discussion Forum / Course Forum, Fall 2017/2018 » Question re Sim in ZKP

When proving security of the GMW protocol, we imagined an intermediate sim S' which learns a witness. We claimed that such S' can output a view which is identically distributed as V*'s view. There was some explanation as to why this is true (conditioning on a choice of e, etc.).

My question is: assuming S' learns a witness, isn't it sufficient to claim the following general claim (not specific to 3COL or the GMW protocol):

S' can output a view which is identically distributed as V*'s view, because it can run a full simulation of the protocol, i.e. simulate <P(w),V*>(x).

In $[-B,B]$ as we defined in class.

Is $\chi$ between 0 and $B$ or between $-B$ and $B$?

Because a TDF is inherently injective (as mandated by the correctness requirement).

Tal Mid (guest) 30 Jan 2018 18:19

in discussion Forum / Course Forum, Fall 2017/2018 » One-wayness of TDF

The definition of one-wayness of trapdoor function (class 7) is slightly different than that of OWF; in the definition of TDF, we demand that an adversary fails to recover the specific input $x$ used in the function, and not just any element in the domain that has the same image ($f^{-1}(f(x))$).

Why is there this difference?
