Lecture 9 questions - Foundations of Cryptography

Lecture 9 questions

Forum » Forum / Course Forum, Fall 2019/2020 » Lecture 9 questions

Started by:

AvivB
Date: 28 Jan 2020 15:39
Number of posts: 2

RSS: New posts

Unfold All Fold All More Options

Fold

Lecture 9 questions

AvivB 28 Jan 2020 15:39

Hi,
I have some question regarding Lecture 9:

1. Page 4, Claim 2.4: I didn't understand your comment about fixing the inputs for g_hat protocols. By fixing you mean for specific bits of inputs?
Why can we do that? how does it reduce the burden of prooving indistinguishability for the whole view?
2. Page 4, Remark about the original GMW construction: Can you please explain why it is sufficient to run the protocol only for MUL gates? (what is "the protocol" that we are supposed to run?).

3. Page 5, Garbling Scheme definition: Why do we need to encode the description of f if the simulator also gets f? (we assume that f is public)
4. Page 6, Yao's Garbled Circuit:
- In the first stage, each wire samples two secret keys. Are they one-bit? multiple-bits?
Also, we assumed a secret-key encryption scheme. Does the cipher's length equal to the secret key's length? (The table T_g implies that).
- In the second stage, we mentioned a mapping for the output wire. b can be either 0 or 1, and there is only one output wire. can't we turn it to two bits table? am I wrong somewhere?
- In the fourth stage, we saw v(w). I don't understand how do we get this function, and what it does. I guess that it has to use the gate's table T_G somehow.

Thanks, and sorry (again) for the long questions.

Reply Options

Unfold Lecture 9 questions by

AvivB, 28 Jan 2020 15:39

Fold

Re: Lecture 9 questions

nbitansky 28 Jan 2020 20:18

1. To show that two pairs of joint distributions $$(X,Y)$$ and $$(X',Y')$$ are indistinguishable, it suffices to show:
a. $$X$$ is $$X'$$ have the same distribution,
b. for any $$x$$ . $$Y|X=x$$ is indistinguishable from $$Y|X'=x$$ .
In our case, $$X,X'$$ represents the inputs, and $$Y,Y'$$ the messages in the subprotocols.

2. See reference solution for HW5.

3. The same scheme, can be used to encode any function $$f$$ . Naturally, to do so, it needs to know what is the function.

4.
- These are secret keys for symmetric encryption of long messages, they can't be one bit. As always, you can think about them as $$n$$ -bit long.
The ciphertext length is some polynomial in the length of the key and the message, nothing else is assumed (or implied by the table).

- Not sure I understand the question. The mapping simply says for the two keys corresponding to the output wire, which corresponds to zero and which to one.

- We don't explicitly learn $$v(w)$$ (we actually learn nothing about it, which is the whole point). What the evaluator learns for each wire $$w$$ is a single key, which is the key corresponding to $$v(w)$$ . For the evaluator this looks as any random key, it has no idea that it corresponds to $$v(w)$$ and not to $$1-v(w)$$ .

Last edited on 28 Jan 2020 20:32 by nbitansky Show more

Reply Options

Unfold Re: Lecture 9 questions by

nbitansky, 28 Jan 2020 20:18

New Post

Foundations of Cryptography

Fall 2019/2020, Tel-Aviv University

Quick Info

Mini Calendar

Latest News

Latest Posts

Other interesting sites

hdgbsg

后室HN层群维基站点

FiredawnFolder

Eitrigg Crafters