Hi,

I have some question regarding Lecture 9:

1. Page 4, Claim 2.4: I didn't understand your comment about fixing the inputs for g_hat protocols. By fixing you mean for specific bits of inputs?

Why can we do that? how does it reduce the burden of prooving indistinguishability for the whole view?

2. Page 4, Remark about the original GMW construction: Can you please explain why it is sufficient to run the protocol only for MUL gates? (what is "the protocol" that we are supposed to run?).

3. Page 5, Garbling Scheme definition: Why do we need to encode the description of f if the simulator also gets f? (we assume that f is public)

4. Page 6, Yao's Garbled Circuit:

- In the first stage, each wire samples two secret keys. Are they one-bit? multiple-bits?

Also, we assumed a secret-key encryption scheme. Does the cipher's length equal to the secret key's length? (The table T_g implies that).

- In the second stage, we mentioned a mapping for the output wire. b can be either 0 or 1, and there is only one output wire. can't we turn it to two bits table? am I wrong somewhere?

- In the fourth stage, we saw v(w). I don't understand how do we get this function, and what it does. I guess that it has to use the gate's table T_G somehow.

Thanks, and sorry (again) for the long questions.