I asked around and I don't think anyone got full points for this.

1. We proved that the Hamiltonicity protocol is HVZK, and it is mentioned on the first page that it is not hard to show that it is also malicious-verifier ZK.

Corollary 4.3 states that if there exists a hash function H such that the Fiat-Shamir transform of, say, the Hamiltonicity protocol is sound, then the Hamiltonicity protocol cannot be ZK against malicious verifiers,

and then you say that Fiat-Shamir hash functions are believed to exist.

So I don't understand how this is possible?

2. I'm not sure I understand Claim 4.1. From the claim: "make the verifier accept with probability at most (Q + 1)s".

Do you actually mean "make the verifier accept with probability at most (Q + 1)s for x not in L"?

Because if x is in L we want to make the verifier accept with probability 1, right?

Thanks.

Q2b seems inconsistent. If the puzzle is defined by $y = x' - H(x') \pmod N$, then where did the $H(x+y)$ come from in the next line?

Thanks

Can you be more formal? It is unclear what properties this n->n-1 function has. Is n a predetermined parameter, or do we have such a function for any n? What does "arbitrary compression" mean? (n->1 is probably not so good.) Etc.

Also, the definition from class about collision-resistant hashes was about function families and not single functions. Shouldn't the question be formulated using that notation?

Thanks

1) I'm a bit confused with the terminology. When an attacker joins **before** round r, is it possible that he already knows N(r) (with probability of at least 99%) by the time he joins? For example, can we assume that if he publishes his pk just before the beginning of round r, then with probability of at least 99% no more than m new nodes join after him before round r (where m is a constant)?

2) In section b, is the leader chosen according to the original Algorand's consensus, or does the condition change for the leader as well?

3) Also in section b. What does "takes control of the entire system" mean? Does it mean that the attacker is able to control who becomes leader and which nodes will be on the committee for all future rounds? Does it have to be with probability 1?

I am trying to parse the sentence: "at the beginning of round r there are N(r) nodes in the system, each with equal stake".

When a new party joins the system (and therefore creates a new node), what is the stake of that party? Does N(r) not change?

Thanks,

Guy Oren

If I understand correctly, then the reason is from the lecture 9 slides, slide 32: "Create a zero-knowledge proof that: 'You know a string r such that C=H(S, r) is one of the zerocoins C_1, …, C_N in the block chain'"

i.e. all the coins are part of the statement.

Why do we need the coins to be part of the statement? The coins C_1, …, C_N are public and on the chain itself, so anyone can read them. Why don't you generate a proof for the statement: "You know a string r such that C=H(S, r) is one of the zerocoins in the block chain"?

Thanks

Did we also see that these elements are indeed distinct? And if we did, then how?

I.e., how do you show that x^e != x^(k+1) mod N?

If I remember correctly, something was said about x^k != 1 mod N, but I don't think this is necessarily true.

Can he use more than O(n) time and polylog(n) space in the initialization phase?

I have 2 questions:

1. Is the prover limited to only sending the label of the node we are trying to verify, or can it send more data?

2. In the initialization phase, does the verifier still have access to the labels of all the nodes?

Thanks.

I have a question regarding the diameter property. The graph should have n nodes with diameter n, which by definition says that there is a shortest path between 2 nodes that traverses all the nodes.

Such a path is not (d,r)-robust (I mean, if it's the only path in the graph). So, in order to make the graph (d,r)-robust we should introduce "short-cuts", but those short-cuts make the diameter of the graph smaller than n…

So it seems to me that these 2 requirements contradict each other.

It's OK to say that I am wrong and ask me to rethink it :)

Thanks,

Guy

In the question, we are asked to describe a (d,r)-depth-robust graph with n nodes with diameter n.

Does it mean that we need to describe a specific graph that satisfies this condition, or any graph that satisfies it?

In addition, I would like to know if the O(r log(n)) space that the prover uses could be set up in the initialization phase, where we have access to all the labels, and then for each verifier query use this data + d oracle calls to H.

If we have 2 pools with the same power (alpha), does it mean alpha is 0.5?

Thanks,

Guy Oren

Regarding Q3 about Mining Pool Sabotage

According to the recitation, specifically in the $Gain_\beta$ statement, it seems like the $\beta$ power dedicated to sabotaging is just wasted. But what happens if P_1 finds a block with this mining power?

Thanks

If ch and ch' are of different size, what do we mean by last n blocks?

Is n fixed for the entire protocol?

But I don't understand it: if a=1, then the attack will end after 1 turn, because it is guaranteed that the attacker will create the next block and win.

If a=0, then it is guaranteed that after each block the attacker will be 1 more block behind the main chain, so if we are currently tied, it will take exactly 3 created blocks until we are 3 blocks behind the main chain and the attack will stop.
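The race the post above reasons about, worked through as an added example (this code is not part of the original thread or the course material). The rules are read from the post and are assumptions: the race starts tied, each new block belongs to the attacker with probability a, the attacker wins as soon as it is one block ahead, and it gives up once it is three blocks behind. The two extreme cases the post describes (a=1 ends after one block with a win; a=0 ends after exactly three blocks with a loss) fall out of the same calculation, and the general case is the classic gambler's-ruin walk, computed exactly by first-step analysis and cross-checked against the closed form and a Monte Carlo run.

```python
"""Attacker-vs-honest-chain race from the question above (added example).

Assumed rules, read from the post: the race starts tied; each new block is
mined by the attacker with probability a (independently); the attacker wins
as soon as it is WIN_LEAD block(s) ahead; it gives up once it is GIVE_UP
blocks behind.  Both thresholds are parameters so other variants can be tried.
"""
import random
from fractions import Fraction

WIN_LEAD = 1   # assumption: "the attacker will create the next block and win"
GIVE_UP = 3    # from the post: stop once 3 blocks behind


def solve_linear(A, b):
    """Exact Gauss-Jordan elimination over Fractions (fine for tiny systems)."""
    n = len(b)
    M = [[Fraction(v) for v in row] + [Fraction(x)] for row, x in zip(A, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        inv = 1 / M[col][col]
        M[col] = [v * inv for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[col])]
    return [row[n] for row in M]


def race_stats(a, win_lead=WIN_LEAD, give_up=GIVE_UP):
    """Return (P[attacker wins], E[blocks until the race ends]) from a tie.

    The lead d moves to d+1 w.p. a and to d-1 w.p. 1-a; d = win_lead and
    d = -give_up are absorbing.  First-step analysis gives one linear
    equation per transient lead, which we solve exactly.
    """
    a = Fraction(a)
    states = list(range(-give_up + 1, win_lead))   # transient leads
    idx = {d: i for i, d in enumerate(states)}
    n = len(states)
    A = [[Fraction(0)] * n for _ in range(n)]
    b_win = [Fraction(0)] * n       # p[d] = a*p[d+1] + (1-a)*p[d-1]
    b_dur = [Fraction(1)] * n       # t[d] = 1 + a*t[d+1] + (1-a)*t[d-1]
    for d in states:
        i = idx[d]
        A[i][i] = Fraction(1)
        for nxt, prob in ((d + 1, a), (d - 1, 1 - a)):
            if nxt in idx:
                A[i][idx[nxt]] -= prob
            elif nxt == win_lead:      # absorbed as a win: p = 1, t = 0
                b_win[i] += prob
            # nxt == -give_up: absorbed as a loss, p = 0, t = 0, nothing to add
    p = solve_linear(A, b_win)
    t = solve_linear(A, b_dur)
    return p[idx[0]], t[idx[0]]


def win_probability_closed_form(a, win_lead=WIN_LEAD, give_up=GIVE_UP):
    """Gambler's-ruin closed form, used to cross-check race_stats."""
    a = Fraction(a)
    if a == 0:
        return Fraction(0)
    if a == 1:
        return Fraction(1)
    total = win_lead + give_up
    if a == Fraction(1, 2):
        return Fraction(give_up, total)
    r = (1 - a) / a
    return (1 - r ** give_up) / (1 - r ** total)


def simulate(a, trials=20000, seed=1, win_lead=WIN_LEAD, give_up=GIVE_UP):
    """Monte Carlo estimate of the same two quantities, block by block."""
    rng = random.Random(seed)
    wins = 0
    blocks = 0
    for _ in range(trials):
        lead = 0
        while -give_up < lead < win_lead:
            lead += 1 if rng.random() < a else -1
            blocks += 1
        wins += lead == win_lead
    return wins / trials, blocks / trials


if __name__ == "__main__":
    for a in (Fraction(0), Fraction(1, 3), Fraction(1, 2), Fraction(1)):
        p, t = race_stats(a)
        print(f"a={a}: P[win]={p} (~{float(p):.3f}), E[blocks]={t}")
```

With a=1 the walk is absorbed at +1 after one block, and with a=0 it is absorbed at -3 after exactly three, matching the post; at a=1/2 the attacker still wins 3/4 of the races from a tie, because the losing boundary is three times farther away than the winning one, which is why the stop-at-3-behind rule matters to the analysis.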

Can we get a clarification about what the criteria for a good proof of work are?

Is it just that it takes a long time (yet not too long) to solve one and short time to verify it?

Should we refer to non-amortization and the difficulty parameter (how to set one) as well?

Also, is k fixed, and is i public to everyone?
