So if I generated a pair of (sk_1,pk) and you generated the pair (sk_2,pk), I will be able to decrypt messages that are sent to you with my secret key?

If so, then the commitment does not have to be binding: the fact that the public key is the same and the ciphertext is the same does not mean that the message is the same (I will be able to open the commitment to 2 different messages).

What do I miss here?

However, in lecture 3 we claimed that for messages of length 2n the function is a OWF. So where am I wrong?

Thanks!!

Is it correct? I could not convince myself that it is, but the solution is dependent on it if I understood correctly.

I hope the question is clear; I will write it more formally:

If G generates secret and public keys for a public-key encryption scheme, and for randomness r_g it created (sk, pk), and for randomness r_g_2 it created (sk', pk), does that mean that sk' == sk?

Otherwise I think there is a counter example for the solution described.

(The original scheme had no randomness; that's why I failed to understand it so far.)

Let's add more details:

Take any CPA-secure scheme $(E',D')$ and construct a new scheme $(E,D)$ as follows: $E$ uses randomness of size $\ell+n$, where $\ell$ is the amount of randomness used by $E'$, and we parse the randomness used by $E$ as two random strings $r,r'$ of respective lengths $n,\ell$. Define $E_{sk}(m;r,r')$: if $m=0^n$ and $r=1^n$, output $0^n$; else output $E'_{sk}(m;r')$. Define $D_{sk}(ct)$ as follows: if $ct=0^n$ output $0^n$, else output $D'_{sk}(ct)$.

Assuming that $E'$ doesn't encrypt length-$n$ plaintexts into $0^n$ (this assumption is w.l.o.g., one can always pad with 1), the scheme is perfectly correct. It's also secure, as except with negligible probability it's identical to $E'$. If you define a MAC where authentication of $m$ is a random encryption $E_{sk}(m)$, and verification of $m,ct$ is checking whether $D_{sk}(ct) = m$, you get an insecure MAC: the attacker that outputs $0^n,0^n$ wins with probability 1.
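As an added illustration (my code, not part of the original post), here is the modified scheme $(E,D)$ and the derived MAC in Python. The CPA-secure $E'$ is stood in by a toy construction, $E'_{sk}(m;r') = r' \,\|\, (m \oplus \mathrm{HMAC}_{sk}(r'))$, and $n$ is measured in bytes; both are my assumptions. Since $E'$ ciphertexts are $2n$ bytes long they never equal $0^n$, which is exactly the w.l.o.g. assumption above. The point the code makes concrete is that the verifier runs $D$, not $E$: the forgery $(0^n,0^n)$ passes for every key, even though an honestly generated tag for $0^n$ is $0^n$ only when $r=1^n$.

```python
import hashlib
import hmac
import secrets

# Security parameter n, here measured in bytes (assumption; the post's n counts bits).
n = 16
ZERO = bytes(n)          # 0^n
ONES = b"\xff" * n       # 1^n


def _mask(sk: bytes, r_prime: bytes) -> bytes:
    # PRF stand-in for the toy E': HMAC-SHA256 truncated to n bytes.
    return hmac.new(sk, r_prime, hashlib.sha256).digest()[:n]


def enc_prime(sk: bytes, m: bytes, r_prime: bytes) -> bytes:
    """Toy CPA-secure E'_sk(m; r') = r' || (m XOR PRF_sk(r')) (my stand-in, not the post's)."""
    assert len(m) == n and len(r_prime) == n
    return r_prime + bytes(x ^ y for x, y in zip(m, _mask(sk, r_prime)))


def dec_prime(sk: bytes, ct: bytes) -> bytes:
    r_prime, body = ct[:n], ct[n:]
    return bytes(x ^ y for x, y in zip(body, _mask(sk, r_prime)))


def enc(sk: bytes, m: bytes, r: bytes, r_prime: bytes) -> bytes:
    """The post's E_sk(m; r, r'): special-case m = 0^n, r = 1^n, otherwise defer to E'."""
    if m == ZERO and r == ONES:
        return ZERO
    return enc_prime(sk, m, r_prime)


def dec(sk: bytes, ct: bytes) -> bytes:
    """The post's D_sk(ct): 0^n decrypts to 0^n, everything else goes through D'."""
    if ct == ZERO:
        return ZERO
    return dec_prime(sk, ct)


def mac(sk: bytes, m: bytes) -> bytes:
    """Tag = a random encryption E_sk(m) with fresh r and r'."""
    return enc(sk, m, secrets.token_bytes(n), secrets.token_bytes(n))


def verify(sk: bytes, m: bytes, tag: bytes) -> bool:
    """Verification decrypts the tag and compares; it never re-runs E."""
    return dec(sk, tag) == m


def forgery():
    """The attacker's (m*, t*) = (0^n, 0^n); needs no key and no tagging queries."""
    return ZERO, ZERO


def forgery_verifies(sk: bytes) -> bool:
    m_star, t_star = forgery()
    return verify(sk, m_star, t_star)


def honest_zero_tags_hit_zero(sk: bytes, trials: int) -> int:
    """How often an honest tag for 0^n equals 0^n: only when r = 1^n, probability 2^-(8n)."""
    return sum(mac(sk, ZERO) == ZERO for _ in range(trials))


if __name__ == "__main__":
    sk = secrets.token_bytes(n)
    print("forgery (0^n, 0^n) verifies:", forgery_verifies(sk))        # True for every key
    print("honest tags for 0^n that equal 0^n in 1000 trials:",
          honest_zero_tags_hit_zero(sk, 1000))                          # 0, overwhelmingly
```

The scheme stays correct and CPA-secure (it only deviates from $E'$ on the single randomness value $r=1^n$), yet the MAC built from it is broken because the verifier's acceptance condition $D_{sk}(t)=m$ is met by a ciphertext the attacker can write down without the key.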

The adversary will generate $(m^*, t^*) = (0^n, 0^n)$ as forgery. The verifier will check that it's actually true that $E_{sk}(0^n) = 0^n$, but that's only true with negligible probability. So $Pr[Ver_{sk}(m^*, t^*) = 1] \leq \mu(n)$, which is a secure MAC.

This protocol is not sound. A malicious prover can pick $b$ arbitrarily, choose $a = b^2/y$, and convince you to accept a non-residue. Recall that in general there cannot be one-message zero knowledge, except for trivial languages.
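To make the soundness failure concrete, an added example in Python (mine, not from the thread). The thread does not spell out the verifier's check, so I assume the natural one for a one-message quadratic-residuosity proof: the prover sends $(a,b)$ and the verifier accepts $y$ as a residue iff $a,b$ are units and $b^2 \equiv a\cdot y \pmod N$. The modulus $N = 11\cdot 19$ and the non-residue $y=2$ are constructed toy values so the residue status can be checked by brute force.

```python
from math import gcd

# Constructed toy parameters (not from the post): N = 11 * 19. y = 2 is a
# non-residue mod 11 (the residues mod 11 are {1, 3, 4, 5, 9}), hence a
# non-residue mod N. A real N would be a large RSA-style modulus.
N = 11 * 19
Y_NONRESIDUE = 2


def verify_one_message(N: int, y: int, a: int, b: int) -> bool:
    """Assumed verifier check for the one-message protocol: accept y as a
    residue iff a and b are units mod N and b^2 = a*y (mod N)."""
    if gcd(a, N) != 1 or gcd(b, N) != 1:
        return False
    return (b * b) % N == (a * y) % N


def honest_prover(N: int, x: int, r: int):
    """A prover who knows x with x^2 = y sends a = r^2 and b = r*x, so b^2 = a*y."""
    return (r * r) % N, (r * x) % N


def cheating_prover(N: int, y: int, b: int):
    """The attack from the post: fix b arbitrarily, then set a = b^2 / y mod N.
    Needs only gcd(y, N) = 1, never a square root of y."""
    a = (b * b * pow(y, -1, N)) % N
    return a, b


def is_quadratic_residue(N: int, y: int) -> bool:
    """Brute force over all x mod N; only sensible for the toy modulus."""
    return any((x * x) % N == y % N for x in range(N))


if __name__ == "__main__":
    a, b = cheating_prover(N, Y_NONRESIDUE, 5)
    print("y is a residue:", is_quadratic_residue(N, Y_NONRESIDUE))   # False
    print("verifier accepts (a, b) =", (a, b), ":",
          verify_one_message(N, Y_NONRESIDUE, a, b))                  # True
```

The honest prover's $a=r^2$ is a residue, but the verifier never learns that: it only sees that $b^2 = a\cdot y$, a relation the cheating prover satisfies by construction for any $y$ coprime to $N$. Without a challenge from the verifier there is nothing that forces $a$ to be chosen before $y$'s root would be needed.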