Course Forum, Spring 2019 (new threads)

HW 5

Thu, 27 Jun 2019 11:23:19 +0000

Hi, can you please give us an answer sketch for HW 5 Q2 section b, and for Q3 section a?
I asked around and I don't think anyone got full points for this.

NIZK

Tue, 25 Jun 2019 15:16:45 +0000

I have some questions regarding lecture 10 and NIZK.
1. We proved that the Hamiltonicity protocl is HVZK, and it is mentioned on the first page that it is not hard to show that it is also malicious verifier ZK.

Corollary 4.3 states that If there exists a hash function H such that the Fiat-Shamir transform of, say, the Hamiltonicity protocol sound, the Hamiltonicity protocol cannot be ZK against malicious verifiers
and then you say that Fiat-Shamir hash functions are believed to exist.

So I don't understsnd how is this possible?

2. I'm not sure I understand claim 4.1, from the claim "make the verifier accept with probability at most (Q + 1)s"
Do you actually mean "make the verifier accept with probability at most (Q + 1)s for x not in L"
because if x is in L we want to make the verifier exist with probability 1, right?

Thanks.

Example Exam 2b

Sat, 22 Jun 2019 14:41:20 +0000

Q2b seems inconsistent. If the puzzle is defined by $$y=x'-H(x') (mod N)$$ , then where did the $$H(x+y)$$ come from in the next line?

Thanks

Example Exam 1a

Sat, 22 Jun 2019 14:11:41 +0000

Can you be more formal? It is unclear what properties does this n->n-1 function has? Is n a predetermined parameter or we have such a function for any n? What does arbitrary compression means? (n->1 probably not so good) etc.
Also the definition from class about collision resistant hashes was about function families and not single functions. Shouldn't the question be formulated using that notation?

Thanks

HW5 question 2

Tue, 11 Jun 2019 20:56:44 +0000

Hi,

1) I'm a bit confused with the terminology. When an attacker joins before round r, is it possible that he already knows N(r) (with probability of atleast 99%) by the time he joins? For example, can we assume that if he publishes his pk just before the beginning of round r, with probability of atleast 99%, no more than m new nodes join after him before round r (where m is constant)?
2) In section b, is the leader chosen according to the original Algorand's consensus, or does the condition change for the leader as well?
3) Also in section b. What does "takes control of the entire system" mean? Does it mean that the attacker is able to control who becomes leader and which nodes will be on the committee for all future rounds? Does it have to be with probability 1?

HW5 Q2

Tue, 11 Jun 2019 09:39:37 +0000

Hi,

I am trying to parse the sentence: "at the beginning of round r there are N(r) nodes in the system, each with equal stake".
When new party join the system (and therefore create new node), what is the stake of that party? is N(r) does not change?

Thanks,
Guy Oren

HW 5 Q3 b

Sun, 09 Jun 2019 20:07:57 +0000

In Q3 b, it is stated that in zerocoin the size of the proof statement to be proven scales with all zerocoins ever created.
If I understand correctly then the reason is from lec 9 slides slide 32: "Create zero-knowledge proof that: “You know a string r such that C=H(S, r) is one of the zerocoins "C" _1,…,"C" _𝑁 in the block chain”
i.e. all the coins are part of the statement.

Why do we need the coins to be part of the statement? the coins C_1,.. C_N are public and on the chain itself, so anyone can read them, why don't you generate a proof for the statement: “You know a string r such that C=H(S, r) is one of the zerocoins in the block chain"

Thanks

recitation 9

Sun, 09 Jun 2019 20:04:01 +0000

In recitation 9 we saw that if phi(N) = K*e, then the mapping x->x^e mod N is e to 1 by explicitly showing e elements.
Did we also saw that these elements are indeed distinct? and if we did then how?
i.e, how do you show that x^e != x^(k+1) mod N

If I remember correctly, then I remember saying something about x^k != 1 mod N, but I don't think this is necessarily true.

HW5 Q3a

Sun, 09 Jun 2019 06:24:20 +0000

In q3a it is not entirely clear what the scenario is. Node pk recieves a zerocoin, which he can then legitimately use to pay other nodes. What exactly is the attack pk is attempting to perform?

HW4 Q1C

Fri, 31 May 2019 17:12:57 +0000

are there any constraints on the prover?
can he use more then O(n) time and polylog(n) space in the initialization phase?

HW4 Q1C

Tue, 28 May 2019 15:49:47 +0000

Hey,
I have 2 questions:
1. Is the prover limited to only sending the label of the node we are trying to verify or can it send more data?
2. In the initializtion phase, does the verifier still has access to the labels of all the nodes?
Thanks.

HW4 Q1A

Tue, 28 May 2019 08:28:29 +0000

Hi,

I have question regard to the property of the diameter. the graph should have n nodes with diameter n, which by definition says that there is shortest path between 2 nodes that should traverse all nodes.
such a path is not (d,r)-robust (i mean that if its the only path in the graph). so, in order to make the graph (d,r)-robust we should introduce "short-cuts", but those short-cuts make the diameter of the
graph smaller than n…

so, it seems to me that this 2 requirements contradicts each other.

its ok to say that i am wrong, and ask me to rethink about it :)

Thanks,
Guy

HW4 Q1C

Sat, 25 May 2019 08:25:18 +0000

Can we assume that the suggested candidate's graph is (d,r)-depth-robust?

HW4 Q1A

Fri, 24 May 2019 07:21:55 +0000

Hey,

In the question, we are asked to describe a (d,r)-depth-robust graph with n nodes with diameter n.
Does it mean that we need to describe a specific graph that answers this condition, or any graph that answers it.

In addition, I would like to know if the O(rlog(n)) space that the prover uses, could be set at the initialization phase, where we have access to all the labels,
and for each verifier query use this data+ d oracle H calls.

HW3 Q3

Mon, 06 May 2019 09:29:35 +0000

Hi,

If we have 2 pools with the same power (alpha), does it mean alpha is 0.5?

Thanks,
Guy Oren

HW3 Q3

Sat, 04 May 2019 18:43:59 +0000

Hi,
Regarding Q3 about Mining Pool Sabotage
According to the recitation, specifically in the $Gain_\beta$ statement it seems like the $\beta$ power dedicated to sabotaging is just wasted. But what happens if P_1 finds a block from this mining power?
Thanks

HW3Q5

Mon, 29 Apr 2019 11:22:52 +0000

"We say ch and ch' are consistent if they agree on all but their last n blocks".
If ch and ch' are of different size, what do we mean by last n blocks?
Is n fixed for the entire protocol?

HW 3 Q 2

Sat, 20 Apr 2019 12:01:01 +0000

In hw 3 q2, it is stated that for sanity check, for both a=0 and a=1 the result should be 2.
but I don't understand it, if a=1 then the attack will end after 1 turn because it is guaranteed that the attacker will create the next block and win,
If a=0 then it is guaranteed that after each block, the attacker will be 1 more block behind the main chain, so if we are currently tied, it will take us exactly 3 blocks created until we are 3 block behind the main chain and will stop the attack.

HW2 Q2c

Sun, 07 Apr 2019 00:14:57 +0000

Do we need to prove the statement for the trivial protocol of testing random strings, or do we need to prove that it holds for any (optimal) protocol?

HW2 Q2B

Fri, 05 Apr 2019 13:39:08 +0000

Hey,
Can we get a clarification about what are the criteria for a good proof of work?
Is it just that it takes a long time (yet not too long) to solve one and short time to verify it?
Should we refer to non-amortization and difficulty parameter (how to set one) as well?

Also is k fixed and is i public to everyone?