3.a When generating an anonymous coin, also generate OTS keys $pk,sk$, then commit to both the serial number $S$ and to $pk$ (we don't publish either one in the clear). When paying a coin to some node $i$, publish both $S$ and a signature on $i$ with $sk$, and provide a ZK proof that there exists a commitment among all the anonymous coins to $S$ and a verification key $pk$ such that the signature on $i$ is valid with respect to that key.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW 5

- $n$ sequential repetitions have soundness error $2^{-n}$ and are malicious ZK. They don't have FS.

- $3$-parallel repetition also has soundness error $2^{-n}$ but is not known to be malicious ZK, and is believed not to be. It has FS under reasonable assumptions.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: NIZK
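As an added worked example (not part of the thread or the course material), the following Python models the two ways of repeating a 1-bit-challenge protocol discussed above and applies the Fiat-Shamir transform to each. The protocol (knowledge of a discrete log), the group parameters (a toy safe prime P = 2Q+1 with a generator G of order Q) and the hash (SHA-256) are assumptions chosen for the demo, not the Hamiltonicity protocol from the notes. It shows that a cheating prover against the hashed n-parallel repetition has to guess all n challenge bits before hashing (about 2^n attempts), whereas against the hashed n-sequential repetition it can grind one round at a time (about 2 attempts per round), which is why sequential repetition does not give a sound Fiat-Shamir transform.

```python
import hashlib
import secrets

# Added example, not part of the forum thread. A 3-round protocol with a 1-bit
# challenge (soundness error 1/2) for knowledge of x with y = g^x, repeated n
# times, then made non-interactive with Fiat-Shamir. The group is an assumed
# toy parameter set: the order-Q subgroup of Z_P^* with P = 2Q+1 a safe prime.
P, Q, G = 2039, 1019, 4   # G = 2^2 is a quadratic residue, so it has order Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def hash_bits(items, n):
    """First n bits of SHA-256 over the listed values (the FS hash)."""
    h = hashlib.sha256(",".join(map(str, items)).encode()).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

def check(y, a, c, z):
    """Verifier's check for one repetition: g^z == a * y^c."""
    return pow(G, z, P) == a * pow(y, c, P) % P

def cheat_commit(y, guess, z):
    """Commitment passing `check` for challenge bit `guess` without knowing x."""
    return pow(G, z, P) if guess == 0 else pow(G, z, P) * pow(y, -1, P) % P

# --- n parallel repetitions + Fiat-Shamir: challenges = H(y, a_1..a_n) ---
def prove_parallel(x, y, n):
    ks = [secrets.randbelow(Q) for _ in range(n)]
    commits = [pow(G, k, P) for k in ks]
    bits = hash_bits([y, *commits], n)
    return commits, [(k + c * x) % Q for k, c in zip(ks, bits)]

def verify_parallel(y, proof):
    commits, zs = proof
    if len(commits) != len(zs):
        return False
    bits = hash_bits([y, *commits], len(commits))
    return all(check(y, a, c, z) for a, c, z in zip(commits, bits, zs))

def cheat_parallel(y, n, budget):
    """Cheater must guess all n bits before hashing: ~2^n attempts expected.
    Returns (attempts, proof) or (budget, None) if the budget runs out."""
    for attempt in range(1, budget + 1):
        guesses = [(attempt >> i) & 1 for i in range(n)]
        commits = [cheat_commit(y, g, attempt) for g in guesses]
        if hash_bits([y, *commits], n) == guesses:
            return attempt, (commits, [attempt] * n)
    return budget, None

# --- n SEQUENTIAL repetitions + Fiat-Shamir: challenge i = H(y, transcript so
# far, a_i). The cheater grinds one round at a time (~2 tries each), so the
# transform is not sound: this is the sense in which sequential repetition
# "has no FS". ---
def verify_sequential(y, transcript):
    if len(transcript) % 2:
        return False
    seen = []
    for a, z in zip(transcript[0::2], transcript[1::2]):
        c = hash_bits([y, *seen, a], 1)[0]
        if not check(y, a, c, z):
            return False
        seen += [a, z]
    return True

def cheat_sequential(y, n, budget_per_round=64):
    """Returns (total attempts, transcript) or (total, None)."""
    transcript, total = [], 0
    for _ in range(n):
        for attempt in range(1, budget_per_round + 1):
            total += 1
            guess, a = attempt & 1, cheat_commit(y, attempt & 1, attempt)
            if hash_bits([y, *transcript, a], 1)[0] == guess:
                transcript += [a, attempt]
                break
        else:
            return total, None
    return total, transcript
```

With n = 16, `cheat_sequential` finishes in a few dozen attempts while `cheat_parallel` would need on the order of 65,536; the interactive version of either repetition, where the verifier's bits are fresh coins, leaves the cheater with exactly the 2^-n guessing probability.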

I asked around and I don't think anyone got full points for this.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW 5

I thought we said in class it is malicious ZK, but in the version where you try to parallelize it, it is no longer malicious ZK.

If you do mean that the sequentially repeated protocol is not malicious ZK, then the basic protocol only gives us soundness error of 1/2; are there other known ways to reduce this error to negligible while still preserving malicious ZK?

Forum category: Forum / Course Forum, Spring 2019

Forum thread: NIZK

The repeated protocol is not known to be ZK, and in fact it is believed (and proved under reasonable assumptions) that it does have FS functions, and thus cannot be malicious ZK.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: NIZK

2. Yes, the meaning is for x not in L.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: NIZK

1. We proved that the Hamiltonicity protocol is HVZK, and it is mentioned on the first page that it is not hard to show that it is also malicious verifier ZK.

Corollary 4.3 states that if there exists a hash function H such that the Fiat-Shamir transform of, say, the Hamiltonicity protocol is sound, then the Hamiltonicity protocol cannot be ZK against malicious verifiers,

and then you say that Fiat-Shamir hash functions are believed to exist.

So I don't understand how this is possible?

2. I'm not sure I understand claim 4.1, from the claim: "make the verifier accept with probability at most (Q + 1)s".

Do you actually mean "make the verifier accept with probability at most (Q + 1)s for x not in L"?

because if x is in L we want to make the verifier accept with probability 1, right?

Thanks.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: NIZK

Forum category: Forum / Course Forum, Spring 2019

Forum thread: Example Exam 2b

The example exam with the solutions can be found here.

Forum category: News / Course News, Spring 2019

Forum thread: Example Exam - revised version and solutions

Forum category: Forum / Course Forum, Spring 2019

Forum thread: Example Exam 2b

Given a collision resistant function H : {0,1}^{n} -> {0,1}^{n-1}, then for any t >= n, you need to show how to construct from it a collision resistant function H' : {0,1}^{t} -> {0,1}^{n-1}. You are right that collision resistance is a property of a family of functions. So we can think of these as families (where n is the security level), but for the purpose of this question just show that from any collision for H' you can extract a collision for H.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: Example Exam 1a
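Added example (not from the thread or the exam solutions): a toy instance of the reduction asked for above. H is modelled as SHA-256 truncated to n-1 bits with a small n, so that collisions of H' can be found by brute force; H' absorbs the input one bit at a time through an (n-1)-bit chaining state (a Merkle-Damgard-style chaining, assumed here as the intended construction), and `extract_collision` walks the two chains backwards to the last block where they differ, which is a collision for H.

```python
import hashlib
from itertools import product

# Added example, not from the thread. Toy H: {0,1}^N -> {0,1}^(N-1) built from
# truncated SHA-256 with a small N (assumed) so that brute force can find
# collisions of H'. The construction of H' and the extraction are the point.
N = 8

def H(block: str) -> str:
    """Compression function on N-bit strings written as '0'/'1' characters."""
    assert len(block) == N and set(block) <= {"0", "1"}
    d = hashlib.sha256(block.encode()).digest()
    return "".join(str((d[i // 8] >> (7 - i % 8)) & 1) for i in range(N - 1))

def chain(x: str):
    """The N-bit blocks fed to H while computing H'(x); H'(x) = H(last block).
    First block = first N input bits; then block = (N-1)-bit state + next bit."""
    assert len(x) >= N
    blocks = [x[:N]]
    state = H(x[:N])
    for bit in x[N:]:
        blocks.append(state + bit)
        state = H(state + bit)
    return blocks

def H_prime(x: str) -> str:
    """H': {0,1}^t -> {0,1}^(N-1) for any t >= N."""
    return H(chain(x)[-1])

def extract_collision(x: str, x2: str):
    """From x != x2 of equal length with H'(x) = H'(x2), return an H collision.
    Walking the chains backwards, the last position where the blocks differ has
    equal H outputs (either the equal final value, or the equal state prefix of
    the next, identical, block), so that pair of blocks collides under H."""
    assert x != x2 and len(x) == len(x2) and H_prime(x) == H_prime(x2)
    for b1, b2 in zip(reversed(chain(x)), reversed(chain(x2))):
        if b1 != b2:
            return b1, b2
    raise AssertionError("distinct inputs cannot produce identical chains")

def find_hprime_collision(t: int):
    """Brute-force a collision of H' on t-bit inputs (pigeonhole: 2^t > 2^(N-1))."""
    seen = {}
    for bits in product("01", repeat=t):
        x = "".join(bits)
        h = H_prime(x)
        if h in seen:
            return seen[h], x
        seen[h] = x
    return None
```

The extraction is the whole proof: any H' collision yields, in time linear in t, a pair of distinct N-bit blocks with the same H value, so an efficient H'-collision finder would be an efficient H-collision finder.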

Q2b seems inconsistent. If the puzzle is defined by $y=x'-H(x') (mod N)$, then where did the $H(x+y)$ come from in the next line?

Thanks

Forum category: Forum / Course Forum, Spring 2019

Forum thread: Example Exam 2b

Can you be more formal? It is unclear what properties this n->n-1 function has. Is n a predetermined parameter, or do we have such a function for any n? What does arbitrary compression mean? (n->1 is probably not so good) etc.

Also the definition from class about collision resistant hashes was about function families and not single functions. Shouldn't the question be formulated using that notation?

Thanks

Forum category: Forum / Course Forum, Spring 2019

Forum thread: Example Exam 1a

Forum category: News / Course News, Spring 2019

Forum thread: Example Exam

2) The condition changes for both leader and committee election. This should have been explicit.

3) Any reasonable interpretation here is accepted. Most naturally it means the attacker gets to decide exactly which blocks go into the blockchain. You can show it with probability one (in an expected constant number of rounds) or with very high probability; either is accepted.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW5 question 2

1) I'm a bit confused with the terminology. When an attacker joins **before** round r, is it possible that he already knows N(r) (with probability of at least 99%) by the time he joins? For example, can we assume that if he publishes his pk just before the beginning of round r, then with probability of at least 99% no more than m new nodes join after him before round r (where m is constant)?

2) In section b, is the leader chosen according to the original Algorand's consensus, or does the condition change for the leader as well?

3) Also in section b. What does "takes control of the entire system" mean? Does it mean that the attacker is able to control who becomes leader and which nodes will be on the committee for all future rounds? Does it have to be with probability 1?

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW5 question 2

Forum category: News / Course News, Spring 2019

Forum thread: Exam header

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW5 Q2

I am trying to parse the sentence: "at the beginning of round r there are N(r) nodes in the system, each with equal stake".

When a new party joins the system (and therefore creates a new node), what is the stake of that party? Does N(r) not change?

Thanks,

Guy Oren

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW5 Q2

Because of the mistake, everyone will get the original 15 points of this question. I edited this question (now it should be correct) and turned it into a bonus question of 10 points.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: recitation 9

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW 5 Q3 b

Regardless of the incentive of doing this (which is not the important part of this question), I guess the problem is clear now: we cannot allow redirections.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW5 Q3a

If I understand correctly, then the reason is from the lecture 9 slides, slide 32: "Create zero-knowledge proof that: “You know a string r such that C=H(S, r) is one of the zerocoins C_1,…,C_N in the block chain”"

i.e. all the coins are part of the statement.

Why do we need the coins to be part of the statement? the coins C_1,.. C_N are public and on the chain itself, so anyone can read them, why don't you generate a proof for the statement: “You know a string r such that C=H(S, r) is one of the zerocoins in the block chain"

Thanks

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW 5 Q3 b

Did we also see that these elements are indeed distinct? And if we did, then how?

i.e, how do you show that x^e != x^(k+1) mod N

If I remember correctly, then I remember saying something about x^k != 1 mod N, but I don't think this is necessarily true.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: recitation 9

pk has no reason to want to do this instead of just taking the transaction and then normally sending it to pk'…

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW5 Q3a

In Zerocoin, there is no signature from pk' on the transaction (since it would break the anonymity of pk'), and in particular there is no signature on the target node pk.

Therefore, when pk (or any other node in the network) receives the coins, which only contain {(serial_num, proof) = (S, \pi), target = pk} (without a signature on pk), it can try to redirect them to another node pk'' just by setting target = pk'' and sending this new transaction to the network (hoping that it will reach the blockchain before the original transaction does).

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW5 Q3a
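Added example (not code from the course, the thread, or Zerocoin): a toy model of the redirection attack described in the reply above and of the fix given in the first post on this page (commit to an OTS key together with S, and sign the target node in the spend). It assumes Lamport one-time signatures over SHA-256 as the OTS scheme and replaces the zero-knowledge membership proof by simply opening the commitment, so it demonstrates target binding only, not anonymity.

```python
import hashlib
import os

# Added example, not code from the course or the forum. It models the fix
# proposed in this thread: the coin commits to a one-time-signature (OTS)
# public key as well as the serial number S, and a spend carries a signature
# on the target node under that key. Assumptions: Lamport OTS over SHA-256 is
# the OTS scheme, and the ZK membership proof is replaced by opening the
# commitment (so anonymity is not modelled here, only target binding).

def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:                      # length-prefix each part
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk

def ots_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def ots_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

def pk_digest(pk) -> bytes:
    return H(*[x for pair in pk for x in pair])

def mint(with_ots: bool):
    S, r = os.urandom(32), os.urandom(32)
    if not with_ots:                     # original Zerocoin: commit to S only
        return {"S": S, "r": r, "C": H(S, r)}
    sk, pk = ots_keygen()
    return {"S": S, "r": r, "sk": sk, "pk": pk, "C": H(S, pk_digest(pk), r)}

def spend(coin, target: bytes):
    """Spend transaction; 'opening' stands in for the ZK membership proof."""
    tx = {"S": coin["S"], "target": target, "opening": {"r": coin["r"]}}
    if "sk" in coin:
        tx["opening"]["pk"] = coin["pk"]
        tx["sig"] = ots_sign(coin["sk"], target)   # binds the target to the coin
    return tx

def verify_spend(ledger, spent, tx) -> bool:
    S, op = tx["S"], tx["opening"]
    if S in spent:
        return False                         # serial already used
    if "pk" not in op:                       # original design: target not checked
        return H(S, op["r"]) in ledger
    if H(S, pk_digest(op["pk"]), op["r"]) not in ledger:
        return False
    return tx.get("sig") is not None and ots_verify(op["pk"], tx["target"], tx["sig"])

def redirect_succeeds(with_ots: bool) -> bool:
    """Can a relaying node re-target a spend it observed in transit?"""
    coin = mint(with_ots)
    ledger = {coin["C"]}
    tx = spend(coin, b"node-pk")
    assert verify_spend(ledger, set(), tx)
    hijacked = dict(tx, target=b"node-pk-attacker")   # only the target changed
    return verify_spend(ledger, set(), hijacked)
```

`redirect_succeeds(False)` returns True (the original-style spend still validates with a swapped target), while `redirect_succeeds(True)` returns False, since the Lamport signature was made over the original target and the attacker has no `sk` for the committed key. The key must be one-time because each Lamport signature reveals half of the secret key; that is fine here, since a serial number can only be spent once anyway.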

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW4 Q1C

Can he use more than O(n) time and polylog(n) space in the initialization phase?

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW4 Q1C

Forum category: News / Course News, Spring 2019

Forum thread: Problem Set 5 is up

2. No, the verifier has only access to the graph, not the labels.

Note that according to the question the verifier should use at most polylog(n) space also in the initialization phase, so it cannot just compute all the labels of the graph and store them once (this will require O(n) space). Yet, it can use interaction with the prover also in the initialization phase.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW4 Q1C

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW4 Q1A

I have 2 questions:

1. Is the prover limited to only sending the label of the node we are trying to verify or can it send more data?

2. In the initialization phase, does the verifier still have access to the labels of all the nodes?

Thanks.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW4 Q1C

I have a question regarding the diameter property. The graph should have n nodes with diameter n, which by definition says that there is a shortest path between 2 nodes that traverses all nodes.

Such a path is not (d,r)-robust (I mean, if it's the only path in the graph). So, in order to make the graph (d,r)-robust we should introduce "short-cuts", but those short-cuts make the diameter of the graph smaller than n…

So, it seems to me that these 2 requirements contradict each other.

It's ok to say that I am wrong, and ask me to rethink it :)

Thanks,

Guy

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW4 Q1A

Hint: Nir's slides might be helpful.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW4 Q1C

2) As you wrote, in the initialization phase the prover sets at most O(rlog(n)) space, and then it should use it in order to answer any verifier's query with at most d oracle calls.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW4 Q1A

In the question, we are asked to describe a (d,r)-depth-robust graph with n nodes with diameter n.

Does it mean that we need to describe a specific graph that satisfies this condition, or any graph that satisfies it?

In addition, I would like to know if the O(r log(n)) space that the prover uses could be set at the initialization phase, where we have access to all the labels, and then for each verifier query use this data + d oracle H calls.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW4 Q1A

Forum category: News / Course News, Spring 2019

Forum thread: Problem Set 4 is up

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW3 Q3

If we have 2 pools with the same power (alpha), does it mean alpha is 0.5?

Thanks,

Guy Oren

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW3 Q3

Forum category: News / Course News, Spring 2019

Forum thread: No recitation today (May 5)

Regarding Q3 about Mining Pool Sabotage

According to the recitation, specifically the $Gain_\beta$ statement, it seems like the $\beta$ power dedicated to sabotaging is just wasted. But what happens if P_1 finds a block with this mining power?

Thanks

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW3 Q3

- $n$ is fixed.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW3Q5

If ch and ch' are of different size, what do we mean by last n blocks?

Is n fixed for the entire protocol?

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW3Q5

Forum category: News / Course News, Spring 2019

Forum thread: Next Recitation (April 28) - Solving HW 1-2

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW 3 Q 2

But I don't understand it: if a=1 then the attack will end after 1 turn, because it is guaranteed that the attacker will create the next block and win.

If a=0 then it is guaranteed that after each block the attacker will be 1 more block behind the main chain, so if we are currently tied, it will take exactly 3 created blocks until we are 3 blocks behind the main chain and stop the attack.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW 3 Q 2
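Added example (not from the thread): under the reading in the post above, the attack is a biased random walk on the attacker's lead with absorbing ends at +1 (win) and -3 (give up). The Python below computes the exact success probability and expected duration with the gambler's-ruin formulas, and reproduces the two extreme cases from the post: a=1 ends after 1 block with a win, a=0 ends after 3 blocks with a loss. The cutoffs are parameters, which is an assumption beyond what the post states.

```python
from fractions import Fraction

# Added example, not from the forum. It formalises the reading in the post
# above: the attacker owns fraction a of the hash power, starts tied with the
# honest chain, wins as soon as it is 1 block ahead and gives up once it is 3
# blocks behind. Each new block moves the attacker's lead by +1 (prob. a) or
# -1 (prob. 1-a), so the attack is a random walk between two absorbing
# barriers (gambler's ruin). The thresholds are parameters (an assumption) so
# other cutoffs can be checked with the same code.

def attack_success(a, start=0, lead_win=1, lead_lose=-3) -> Fraction:
    """Exact P(lead reaches lead_win before lead_lose), starting at `start`."""
    if start <= lead_lose:
        return Fraction(0)
    if start >= lead_win:
        return Fraction(1)
    p = Fraction(a)
    q = 1 - p
    k, n = start - lead_lose, lead_win - lead_lose   # distance from ruin, span
    if p == 0:
        return Fraction(0)
    if p == 1:
        return Fraction(1)
    if p == q:
        return Fraction(k, n)
    r = q / p
    return (1 - r**k) / (1 - r**n)

def expected_blocks(a, start=0, lead_win=1, lead_lose=-3) -> Fraction:
    """Expected number of blocks mined (by anyone) until the attack ends."""
    if start <= lead_lose or start >= lead_win:
        return Fraction(0)
    p = Fraction(a)
    q = 1 - p
    k, n = start - lead_lose, lead_win - lead_lose
    if p == 0:
        return Fraction(k)                  # walk straight down to the cutoff
    if p == 1:
        return Fraction(n - k)              # walk straight up to the win
    if p == q:
        return Fraction(k * (n - k))
    win = attack_success(a, start, lead_win, lead_lose)
    return Fraction(k) / (q - p) - Fraction(n) / (q - p) * win

def check_recurrence(a, lead_win=1, lead_lose=-3) -> bool:
    """f(i) = a f(i+1) + (1-a) f(i-1) must hold at every interior lead i."""
    p = Fraction(a)
    f = lambda i: attack_success(a, i, lead_win, lead_lose)
    return all(f(i) == p * f(i + 1) + (1 - p) * f(i - 1)
               for i in range(lead_lose + 1, lead_win))
```

For a = 1/2 the success probability from a tie is 3/4 and the expected duration is 3 blocks; for a = 3/10 they are 237/580 (about 0.41) and 99/29 (about 3.4) blocks. `check_recurrence` confirms the closed form satisfies the one-step recurrence exactly, which is the same equation one would set up to solve the question by hand.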

Forum category: News / Course News, Spring 2019

Forum thread: Problem Set 3 is up

Forum category: News / Course News, Spring 2019

Forum thread: No recitation next Sunday (April 14)

Forum category: News / Course News, Spring 2019

Forum thread: No class today (April 10)

Forum category: News / Course News, Spring 2019

Forum thread: HW1 has been graded

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW2 Q2c

- In general, please do not suggest solutions in the forum (before the deadline).

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW 2 Q2A

1) Single instance is hard: it takes a long time to solve a single puzzle (denote by d the number of steps needed).

2) Non-amortization: solving t puzzles requires around t*d steps (up to some constant, say t*d/100).

3) Fast verification: verifying a solution to the puzzle requires time « d.

In this question, k is fixed, but i is part of the solution and depends on the challenge x.

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW2 Q2B

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW 2 Q2A

Can we get a clarification about what the criteria for a good proof of work are?

Is it just that it takes a long time (yet not too long) to solve one and short time to verify it?

Should we refer to non-amortization and difficulty parameter (how to set one) as well?

Also, is k fixed, and is i public to everyone?

Forum category: Forum / Course Forum, Spring 2019

Forum thread: HW2 Q2B