3.a When generating an anonymous coin, generate also OTS keys $pk,sk$, then commit to both the serial number $S$ and to $pk$ (we don't publish either one in the clear). When paying a coin to some node $i$, publish both $S$ and a signature on $i$ with $sk$, and provide a ZK proof that there exists a commitment among all the anonymous coins to $S$ and a verification key $pk$ such that the signature on $i$ is valid with respect to that key.

- $n$ sequential repetitions have soundness error $2^{-n}$ and are malicious ZK. Doesn't have FS.

- $3$-parallel repetition also has soundness error $2^{-n}$ but is not known to be malicious ZK, and is believed not to be. Has FS under reasonable assumptions.

I asked around and I don't think anyone got full points for this.

I thought we said in class it is malicious ZK, but the version where you try to parallelize it, it is no longer malicious ZK.

If you do mean that the sequentially repeated protocol is not malicious ZK, then since the basic protocol only gives us a soundness error of 1/2, are there other known ways to reduce this error to negligible while still preserving malicious ZK?

The repeated protocol is not known to be ZK, and in fact it is believed (and proved under reasonable assumptions) that it does have FS functions, and thus cannot be malicious ZK.

2. Yes, the meaning is for x not in L.

1. We proved that the Hamiltonicity protocol is HVZK, and it is mentioned on the first page that it is not hard to show that it is also malicious verifier ZK.

Corollary 4.3 states that if there exists a hash function H such that the Fiat-Shamir transform of, say, the Hamiltonicity protocol is sound, then the Hamiltonicity protocol cannot be ZK against malicious verifiers,

and then you say that Fiat-Shamir hash functions are believed to exist.

So I don't understand how this is possible?

2. I'm not sure I understand Claim 4.1. From the claim: "make the verifier accept with probability at most (Q + 1)s"

Do you actually mean "make the verifier accept with probability at most (Q + 1)s for x not in L"

because if x is in L we want to make the verifier accept with probability 1, right?

Thanks.

Given a collision resistant function H : {0,1}^{n} -> {0,1}^{n-1}, then for any t >= n, you need to show how to construct from it a collision resistant function H' : {0,1}^{t} -> {0,1}^{n-1}. You are right that collision resistance is a property of a family of functions. So we can think of it as families (where n is the security level), but for the purpose of this question just show that from any collision for H' you can extract a collision for H.
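A worked version of this domain extension, as an added example that is not from the course or from this thread: H is a constructed toy compression function (truncated SHA-256 on 8-bit strings, so brute-forcing collisions is cheap), H' chains it one input bit at a time, and extract_collision walks the two chains backwards to recover an H collision from any H' collision on equal-length inputs, which is exactly the reduction the answer asks for.

```python
import hashlib
import itertools

N = 8  # toy security parameter: H maps N bits to N-1 bits (constructed stand-in, not a real CRHF)

def H(x: str) -> str:
    """Toy compression function {0,1}^N -> {0,1}^{N-1}, modelled by truncated SHA-256."""
    assert len(x) == N and set(x) <= {"0", "1"}
    bits = "".join(f"{b:08b}" for b in hashlib.sha256(x.encode()).digest())
    return bits[: N - 1]

def chain_states(x: str) -> list:
    """The N-bit inputs fed to H, in order, when evaluating H' on x (len(x) >= N)."""
    states = [x[:N]]
    for bit in x[N:]:
        states.append(H(states[-1]) + bit)  # compress, then absorb one more input bit
    return states

def H_prime(x: str) -> str:
    """Domain-extended hash {0,1}^t -> {0,1}^{N-1} for any t >= N, built only from H."""
    assert len(x) >= N
    return H(chain_states(x)[-1])

def extract_collision(x: str, y: str):
    """Given x != y of equal length with H'(x) == H'(y), return a collision (a, b) for H."""
    assert x != y and len(x) == len(y) and H_prime(x) == H_prime(y)
    sx, sy = chain_states(x), chain_states(y)
    # Walk back from the last stage: at the latest stage where the inputs to H differ,
    # every later state agreed, so the H outputs agree there, i.e. a genuine H collision.
    for a, b in zip(reversed(sx), reversed(sy)):
        if a != b:
            return a, b
    raise AssertionError("unreachable: identical state chains would force x == y")

def find_hprime_collision(t: int):
    """Brute-force an H' collision on t-bit inputs (feasible only at this toy size)."""
    seen = {}
    for bits in itertools.product("01", repeat=t):
        x = "".join(bits)
        h = H_prime(x)
        if h in seen:
            return seen[h], x
        seen[h] = x

if __name__ == "__main__":
    x, y = find_hprime_collision(10)
    a, b = extract_collision(x, y)
    print(f"H'({x}) == H'({y})  ->  H({a}) == H({b}) == {H(a)}")
```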

Q2b seems inconsistent. If the puzzle is defined by $y=x'-H(x') (mod N)$, then where did the $H(x+y)$ come from in the next line?

Thanks

Can you be more formal? It is unclear what properties this n->n-1 function has. Is n a predetermined parameter, or do we have such a function for any n? What does arbitrary compression mean? (n->1 is probably not so good) etc.

Also the definition from class about collision resistant hashes was about function families and not single functions. Shouldn't the question be formulated using that notation?

Thanks

2) Condition changes for both leader/committee election. This should have been explicit.

3) Any reasonable interpretation here is accepted. Most naturally it means the attacker gets to decide exactly which blocks go into the blockchain. You can show with probability one (in expected constant number of rounds) or with very high probability; either is accepted.

1) I'm a bit confused with the terminology. When an attacker joins **before** round r, is it possible that he already knows N(r) (with probability of at least 99%) by the time he joins? For example, can we assume that if he publishes his pk just before the beginning of round r, with probability of at least 99%, no more than m new nodes join after him before round r (where m is constant)?

2) In section b, is the leader chosen according to the original Algorand's consensus, or does the condition change for the leader as well?

3) Also in section b. What does "takes control of the entire system" mean? Does it mean that the attacker is able to control who becomes leader and which nodes will be on the committee for all future rounds? Does it have to be with probability 1?

I am trying to parse the sentence: "at the beginning of round r there are N(r) nodes in the system, each with equal stake".

When a new party joins the system (and therefore creates a new node), what is the stake of that party? Does N(r) not change?

Thanks,

Guy Oren

Because of the mistake, everyone will get the original 15 points of this question. I edited this question (now it should be correct) and turned it into a bonus question of 10 points.

Regardless of the incentive of doing this (which is not the important part of this question), I guess the problem is clear now: we cannot allow redirections.