Course Forum, Fall 2019/2020 (new posts)

Exam F17 A question 2 a:

Sun, 02 Feb 2020 07:35:02 +0000

Yes. Note that given a public key $$pk$$ sampling a matching secret key is at least as hard as breaking the encryption.

Exam F17 A question 2 a:

Sun, 02 Feb 2020 07:15:49 +0000

Thanks!
So if I generated a pair of (sk_1,pk) and you generated the pair (sk_2,pk), I will be able to decrypt messages that are sent to you with my secret key?

Exam F17 A question 2 a:

Sun, 02 Feb 2020 06:47:21 +0000

No, it doesn't. By the correctness of the scheme it must be decrypted under both keys to whichever message was encrypted.

Exam F17 A question 2 a:

Sat, 01 Feb 2020 21:51:27 +0000

But doesn't it mean that a cipher text that was encrypted with the same public key can be decrypted to 2 different messages, based on the corresponding secret key?
If so, then the commitment does not have to be binding, the fact that the public key is the same and the cipher text is the same does not mean that the message is the same ( I will be able to open the commitment to 2 different messages).

What do I miss here?

Exam 2017 A question 1b: Re: Exam 2017 A question 1b

Sat, 01 Feb 2020 17:57:11 +0000

We didn't show that this function is OW in lecture 3, we showed that a different function is OW.

Exam 2017 A question 1b: Exam 2017 A question 1b

Sat, 01 Feb 2020 16:50:16 +0000

It seems that the counter example described in the solution works even for messages of length 2n (and the sk remains the same) - the encryption scheme will get m,r both of length 2n, the expansion of the PRG will be 2n instead of n+1 and in case that sk != 1^n we will output: G(sk) XOR m, 0^2n. It seems that the scheme is secure since sk = 1^n w.p at most 2^-n and in case that sk != 1^n the output of the xor is pseudorandom since G is PRG. The adversary will invert the function exactly in the same way as in the solution (the suffix is always 0^2n thus for sk = 1^2n we get (r,m)).
However, in lecture 3 we claimed that for messages of length 2n the function is OWF. So where am i wrong?
Thanks!!

Exam F17 A question 2 a: Re: Exam F17 A question 2 a

Sat, 01 Feb 2020 14:24:30 +0000

They don't have to be equal as strings, and the proof in the solution doesn't assume they are, it just invokes the perfect correctness guarantee. In particular, there exist public-key encryption schemes where a single public key may have many corresponding secret keys. As an uninteresting example you can always pad the key with bits that are ignored (there are also interesting examples…).

Exam F17 A question 2 a: Exam F17 A question 2 a

Sat, 01 Feb 2020 12:47:18 +0000

It sounds from the solution that if G created the same public key for 2 randomnesses then it must create the same public key.

Is it correct? I could not convince myself that it is, but the solution is dependent on it if I understood correctly.

Hope the question is clear, will write it more formally:
if G generates secret and public keys for a public key encryption, and for randomness r_g it created (sk,pk), and for randomness r_g_2 it created (sk^', pk), does it mean that sk^' == sk?

Otherwise I think there is a counter example for the solution described.

MAC security construction question:

Sat, 01 Feb 2020 08:36:17 +0000

A CPA-secure encryption cannot be deterministic (we talked about it).

MAC security construction question:

Sat, 01 Feb 2020 08:09:37 +0000

Now I got it. Thank you very much!
(The original scheme had no randomness, that's why I failed to understand it so far)

MAC security construction question:

Sat, 01 Feb 2020 07:51:47 +0000

$D_{sk}$ is a deterministic operation so the probability is one or zero. The scheme is constructed so that it is one.

Let's add more details:
Take any CPA-secure scheme $$(E',D')$$ and now construct a new scheme $$(E,D)$$ that is defined as follows: $$E$$ uses randomness of size $\ell+n$ where $\ell$ is the amount of randomness used by $$E$$ , we'll parse the randomness used by $$E$$ as two random strings $$r,r'$$ of respective lengths $n,\ell$. Define $E_{sk}(m;r,r')$ : if $$m=0^n,r=1^n$$ , output $$0^n$$ , else output $E'_{sk}(m;r')$ . Define $D_{sk}(ct)$ as follows: if $$ct=0^n$$ output $$0^n$$ , else output $D'_{sk}(ct)$ .

Assuming that $$E'$$ doesn't encrypt length- $$n$$ plaintexts into $$0^n$$ , the scheme is perfectly correct (this assumption is w.l.og, can always pad with 1). It's also secure, as except with negligible probability it's identical to $$E$$ . If you define a MAC where authentication of $$m$$ is a random encryption $E_{sk}(m)$ , and verification of $$m,ct$$ is checking whether $D_{sk}(ct) = m$ , you get an insecure MAC —- the attacker that outputs $$0^n,0^n$$ wins with probability 1.

MAC security construction question:

Sat, 01 Feb 2020 06:35:10 +0000

But who says that the underlying plaintext is also $$0^n$$ ? That's what I don't understand here. The adversary forged that tuple of $$(m^*=0^n, t^*=0^n)$$ . I claim that $Pr[D_{sk}(t^*) \neq 0^n] > 1 - \mu(n)$ , hence the adversary will fail with non-negligible probability.

MAC security construction question:

Sat, 01 Feb 2020 05:56:51 +0000

Decryption is deterministic and is determined by the ciphertext alone (in this case $$0^n$$ ). The fact that the underlying plaintext (in this case also $$0^n$$ ) has multiple different encryptions does not change that (these other ciphertext will also decrypt to $$0^n$$ , but may look differently).

MAC security construction question:

Fri, 31 Jan 2020 21:02:17 +0000

But it's a forge, the attacker doesn't really know that's true, he just guesses it (no queries are made to the oracle). Why do you claim it's true? $E_{sk}(0^n)$ might also be something else than $$0^n$$ with non-negligible probability (and then $D_{sk}(0^n)$ would be something different from $$0^n$$ which will fail the attacker).

MAC security construction question:

Fri, 31 Jan 2020 19:25:59 +0000

Verification is defined by decryption, and $$0^n$$ decrypts to $$0^n$$ (with probability $$1$$ ).

MAC security construction question:

Fri, 31 Jan 2020 18:43:38 +0000

I'm sorry but I still don't understand how it will work with probability one.

The adversary will generate $$(m^*, t^*) = (0^n, 0^n)$$ as forgery. The verifier will check that it's actually true that $E_{sk}(0^n) = 0^n$ , but that's only true with negligible probability. So $Pr[Ver_{sk}(m^*, t^*) = 1] \leq \mu(n)$ , which is a secure MAC.

QR ZK protocol in Lecture 7: Re: QR ZK protocol in Lecture 7

Fri, 31 Jan 2020 17:37:08 +0000

If I understand what you're saying, you seem to be suggesting a one-message protocol: $$P$$ sends $$a = r^2, b= rx$$ , $$V$$ checks that $$ya = b^2$$ .
This protocol is not sound. A malicious prover can pick $$b$$ arbitrarily and choose $$a = b^2/y$$ and convince you of accepting a non-residue. Recall that in general, there cannot be one-message zero knowledge, except for trivial languages.

Exam number 1 question 3 b: Re: Exam number 1 question 3 b

Fri, 31 Jan 2020 17:23:11 +0000

Sorry but I don't understand the first part of your question. You should first make sure you understand the solution to the HW5.Q1. Then you're welcome to try and reformulate the question more clearly. As for the second part, see Ohad's answer.

MAC security construction question:

Fri, 31 Jan 2020 17:14:34 +0000

As you described yourself: "every secret key $$sk$$ encodes $$0^n$$ to $$0^n$$ with negligible probability (over the encryption randomness)".

Exam number 1 question 2 a: Re: Exam number 1 question 2 a

Fri, 31 Jan 2020 17:11:58 +0000

No. The commitment should only be hiding and binding as defined in lecture 7.