I asked around and I don't think anyone got full points for this.

1. We proved that the Hamiltonicity protocol is HVZK, and it is mentioned on the first page that it is not hard to show that it is also malicious-verifier ZK.

Corollary 4.3 states that if there exists a hash function H such that the Fiat-Shamir transform of, say, the Hamiltonicity protocol is sound, then the Hamiltonicity protocol cannot be ZK against malicious verifiers,

and then you say that Fiat-Shamir hash functions are believed to exist.

So I don't understand how this is possible.

2. I'm not sure I understand Claim 4.1. The claim says "make the verifier accept with probability at most (Q + 1)s".

Do you actually mean "make the verifier accept with probability at most (Q + 1)s for x not in L"?

Because if x is in L we want to make the verifier accept with probability 1, right?

Thanks.

The example exam with the solutions can be found here.

Q2b seems inconsistent. If the puzzle is defined by $y=x'-H(x') (mod N)$, then where did the $H(x+y)$ come from in the next line?

Thanks

Can you be more formal? It is unclear what properties this n->n-1 function has. Is n a predetermined parameter, or do we have such a function for any n? What does "arbitrary compression" mean? (n->1 is probably not so good.) etc.

Also, the definition from class of collision-resistant hashes was about function families and not single functions. Shouldn't the question be formulated using that notation?

Thanks

1) I'm a bit confused with the terminology. When an attacker joins **before** round r, is it possible that he already knows N(r) (with probability of at least 99%) by the time he joins? For example, can we assume that if he publishes his pk just before the beginning of round r, then with probability of at least 99% no more than m new nodes join after him before round r (where m is constant)?

2) In section b, is the leader chosen according to the original Algorand's consensus, or does the condition change for the leader as well?

3) Also in section b. What does "takes control of the entire system" mean? Does it mean that the attacker is able to control who becomes leader and which nodes will be on the committee for all future rounds? Does it have to be with probability 1?

I am trying to parse the sentence: "at the beginning of round r there are N(r) nodes in the system, each with equal stake".

When a new party joins the system (and therefore creates a new node), what is the stake of that party? Does N(r) not change?

Thanks,

Guy Oren

If I understand correctly, then the reason is from the lecture 9 slides, slide 32: "Create zero-knowledge proof that: 'You know a string r such that C=H(S, r) is one of the zerocoins C_1, ..., C_N in the block chain'"

i.e. all the coins are part of the statement.

Why do we need the coins to be part of the statement? The coins C_1, ..., C_N are public and on the chain itself, so anyone can read them. Why don't you generate a proof for the statement: "You know a string r such that C=H(S, r) is one of the zerocoins in the block chain"?

Thanks

Did we also see that these elements are indeed distinct? And if we did, then how?

i.e., how do you show that x^e != x^(k+1) mod N?

If I remember correctly, I remember you saying something about x^k != 1 mod N, but I don't think this is necessarily true.

Can he use more than O(n) time and polylog(n) space in the initialization phase?

I have 2 questions:

1. Is the prover limited to only sending the label of the node we are trying to verify or can it send more data?

2. In the initialization phase, does the verifier still have access to the labels of all the nodes?

Thanks.

I have a question regarding the diameter property. The graph should have n nodes with diameter n, which by definition says that there is a shortest path between 2 nodes that traverses all nodes.

Such a path is not (d,r)-robust (I mean, if it is the only path in the graph). So, in order to make the graph (d,r)-robust we should introduce "short-cuts", but those short-cuts make the diameter of the graph smaller than n…

So it seems to me that these 2 requirements contradict each other.

It's OK to say that I am wrong and ask me to rethink it :)

Thanks,

Guy

In the question, we are asked to describe a (d,r)-depth-robust graph with n nodes with diameter n.

Does it mean that we need to describe a specific graph that satisfies this condition, or any graph that satisfies it?

In addition, I would like to know if the O(r log(n)) space that the prover uses could be set up in the initialization phase, where we have access to all the labels, and then for each verifier query use this data + d oracle H calls.

If we have 2 pools with the same power (alpha), does it mean alpha is 0.5?

Thanks,

Guy Oren

Regarding Q3 about Mining Pool Sabotage

According to the recitation, specifically the $Gain_\beta$ statement, it seems like the $\beta$ power dedicated to sabotaging is just wasted. But what happens if P_1 finds a block with this mining power?

Thanks

If ch and ch' are of different size, what do we mean by last n blocks?

Is n fixed for the entire protocol?

But I don't understand it: if a=1 then the attack will end after 1 turn, because it is guaranteed that the attacker will create the next block and win.

If a=0 then it is guaranteed that after each block the attacker will be 1 more block behind the main chain, so if we are currently tied, it will take exactly 3 blocks created until we are 3 blocks behind the main chain and stop the attack.

Can we get a clarification about what are the criteria for a good proof of work?

Is it just that it takes a long time (yet not too long) to solve one and short time to verify it?

Should we refer to non-amortization and difficulty parameter (how to set one) as well?

Also, is k fixed and is i public to everyone?

We were asked to solve t queries in time O(k log t)*(2^k+t). However, it seems that a trivial algorithm can solve this in time O(t * 2^k) by brute-forcing each challenge. What am I missing?

Is there a memory limitation for our algorithm?

Because if we are not bounded, then the trivial solution takes only O(1)* (2

Thanks!

Edit: also, can we assume that the traitors know each other, or must they work independently?

If we assume there is a BA protocol for t >= n/3, then the BA protocol for (3, 1) is the BA from the assumption.

Before sending message t, generate sk_(t+1), pk_(t+1). Instead of signing just m_t, sign (m_t, pk_(t+1)). This way, the verifier can tell that pk_(t+1) really came from the same person who signed m_t. Now, use pk_(t+1) and sk_(t+1) to sign (m_(t+1), pk_(t+2)) and so on. This way the size of pk remains constant and we can sign as many messages as we want!

Is there something in the settings of the question that I'm missing? Or perhaps some reason that the above algorithm doesn't work?

Thanks!
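The chaining idea in the post above, as an added worked example (my code, not the course's or the question's own scheme): the one-time scheme is a plain Lamport signature over SHA-256 digests (an assumption; "3a's scheme" on the page may differ), and each key sk_t signs the pair (m_t, pk_{t+1}) so that the verifier only ever holds one fixed-size current public key. The master seed and the derivation of per-step keys from it are also my choices, made so the run is reproducible.

```python
import hashlib

DIGEST_BITS = 256  # each message is reduced to a SHA-256 digest and signed bit by bit


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so different splittings cannot collide."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def ots_keygen(seed: bytes):
    """Lamport one-time key pair: sk = 256 pairs of secrets, pk = their hashes.
    Secrets are derived from a seed here only so the example is reproducible;
    the seed must stay secret and must never be reused for a second key."""
    sk = [(H(seed, bytes([i >> 8, i & 0xFF]), b"0"),
           H(seed, bytes([i >> 8, i & 0xFF]), b"1")) for i in range(DIGEST_BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def pk_encode(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


def _bits(digest: bytes):
    return ((digest[i // 8] >> (7 - i % 8)) & 1 for i in range(DIGEST_BITS))


def ots_sign(sk, payload: bytes):
    """Reveal, for each digest bit, the secret matching that bit. sk must then be discarded."""
    return [sk[i][b] for i, b in enumerate(_bits(H(payload)))]


def ots_verify(pk, payload: bytes, sig) -> bool:
    if len(sig) != DIGEST_BITS:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(H(payload))))


def chain_payload(m: bytes, next_pk) -> bytes:
    """What sk_t actually signs: the message and the next public key, bound together."""
    return H(b"msg", m, b"next-pk", pk_encode(next_pk))


class ChainSigner:
    def __init__(self, master_seed: bytes):
        self.master_seed = master_seed
        self.t = 0
        self.sk, self.pk = self._key(0)  # pk_0 is the only key that is ever published

    def _key(self, t: int):
        return ots_keygen(H(self.master_seed, t.to_bytes(4, "big")))

    def sign(self, m: bytes):
        """Sign (m_t, pk_{t+1}) under sk_t, then advance so sk_t is never used again."""
        next_sk, next_pk = self._key(self.t + 1)
        sig = ots_sign(self.sk, chain_payload(m, next_pk))
        self.sk, self.pk, self.t = next_sk, next_pk, self.t + 1
        return m, next_pk, sig


class ChainVerifier:
    """Holds one fixed-size current key; every accepted signature hands over the next one."""

    def __init__(self, pk0):
        self.pk = pk0

    def verify(self, m: bytes, next_pk, sig) -> bool:
        if not ots_verify(self.pk, chain_payload(m, next_pk), sig):
            return False
        self.pk = next_pk  # pk_{t+1} is now trusted because sk_t vouched for it
        return True


if __name__ == "__main__":
    signer = ChainSigner(b"constructed example seed")
    verifier = ChainVerifier(signer.pk)
    for m in (b"pay 1 to Alice", b"pay 2 to Bob"):
        print(verifier.verify(*signer.sign(m)))
```

Two caveats follow directly from the construction: the verifier must process the signatures in order (losing one message leaves it with no way to learn the next key), and the signer must never sign two different messages under the same sk_t, since a Lamport key used twice reveals enough secrets to forge.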

1. An attacker with > 50% of the power can definitely do this.

2. An attacker with < 50% can do this but for a relatively small k and cannot remove blocks that have been confirmed. First, it is important to note that when you create a block you include the hash of the block that you extend in your block. Accordingly, the puzzles you solve depend on the block you chose to extend (you cannot create a detached chain and then append it in an arbitrary place). This means that you need to outrun the longest chain in order to perform such an attack. As we explained, the probability of that decreases exponentially with k.
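The "decreases exponentially with k" claim in the answer above, carried through as an added worked example (my code, not the course's): the gambler's-ruin probability (q/p)^k that a miner with hash-power fraction q ever pulls level from k blocks behind, Nakamoto's formula that averages it over the blocks the attacker may already have mined, a Monte Carlo check, and the number of confirmations needed to push the attacker's success below a chosen risk. Function names and the constructed parameters are mine.

```python
import math
import random


def catch_up_probability(q: float, k: int) -> float:
    """Gambler's ruin: probability that a miner with fraction q of the hash power,
    currently k blocks behind the longest chain, ever pulls level with it."""
    if k <= 0:
        return 1.0
    p = 1.0 - q
    if q >= p:
        return 1.0  # a majority miner catches up with certainty
    return (q / p) ** k  # strictly below 1, decays exponentially in k


def nakamoto_success(q: float, z: int) -> float:
    """Nakamoto's formula: the attacker starts a private fork when the payment is made and
    the recipient waits for z confirmations. The gambler's-ruin term is averaged over the
    Poisson-distributed number of blocks the attacker has mined in the meantime."""
    p = 1.0 - q
    lam = z * (q / p)
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def simulate_catch_up(q: float, k: int, trials: int, max_steps: int, seed: int) -> float:
    """Monte Carlo check of catch_up_probability: each new block is the attacker's with
    probability q (gap shrinks) or honest (gap grows). Runs that hit max_steps count as
    failures, so the estimate is very slightly low."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        gap = k
        for _ in range(max_steps):
            gap += -1 if rng.random() < q else 1
            if gap == 0:
                wins += 1
                break
    return wins / trials


def confirmations_for(q: float, max_risk: float) -> int:
    """Smallest z for which an attacker with fraction q succeeds with probability < max_risk."""
    z = 0
    while nakamoto_success(q, z) >= max_risk:
        z += 1
    return z


if __name__ == "__main__":
    for k in range(0, 7):
        print(k, catch_up_probability(0.3, k), nakamoto_success(0.3, k))
    print("confirmations for q=0.1, risk 0.1%:", confirmations_for(0.1, 0.001))
```

Reading the output: with q = 0.3 the catch-up probability falls by a constant factor q/p per extra block, which is the exponential decay the answer refers to; with q ≥ 0.5 it is 1 for every k, which is the first point of the answer.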

We are instructed to use 3a's scheme, but the concatenation makes PK dependent on the message length.

I am not sure I understand the direction of the question.

If the signatures don't grow with the length of the messages, then they are of fixed length.

Can't a PPT adversary guess (in polynomial time) a random signature for a message m* with a constant probability (even if it is really small), which is better than negl(n)?

Assume we have a tree and each node has two pointers, to a left and a right child (and it has both children).

How will a node look after the transformation?

If it now has only a single hash = h(v1.data, v1.hash, v2.data, v2.hash) instead of both pointers, I don't understand how any operation (like search, for example) can be implemented.

Or does the hash come in addition to having both pointers?

Just to be sure about the settings:

Everyone has access to the plain data structure and the hash of the root (but not the hash of other nodes). Right?

Thanks,

Guy
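An added worked example of the authenticated tree the post above asks about (my code, not the course's): the pointers stay exactly as they were and the hash is an extra field, so search runs as before. One arrangement choice is mine: each node's hash covers its own key and its two children's hashes, rather than the h(v1.data, v1.hash, v2.data, v2.hash) layout quoted in the question; the idea is the same, and a client holding only the root hash can check both a positive and a negative search result against the path the server returns. Keys and the balanced build are constructed input.

```python
import hashlib

EMPTY = b"\x00" * 32  # stands in for the hash of an absent child


def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def enc(key: int) -> bytes:
    return key.to_bytes(8, "big", signed=True)


def child_hash(n) -> bytes:
    return EMPTY if n is None else n.hash


class Node:
    def __init__(self, key: int, left=None, right=None):
        self.key, self.left, self.right = key, left, right
        # both pointers are kept; the hash is an additional field that commits to the subtree
        self.hash = H(enc(key), child_hash(left), child_hash(right))


def build(sorted_keys):
    """Balanced BST over distinct sorted keys; hashes are computed bottom-up by Node()."""
    if not sorted_keys:
        return None
    mid = len(sorted_keys) // 2
    return Node(sorted_keys[mid], build(sorted_keys[:mid]), build(sorted_keys[mid + 1:]))


def search_with_proof(root, target: int):
    """Ordinary BST search (server side, has the whole structure) that also records
    (key, left_hash, right_hash) for every node it visits, which is the proof."""
    proof, node = [], root
    while node is not None:
        proof.append((node.key, child_hash(node.left), child_hash(node.right)))
        if target == node.key:
            return True, proof
        node = node.left if target < node.key else node.right
    return False, proof


def verify_proof(root_hash: bytes, target: int, found: bool, proof) -> bool:
    """Client side: knows only root_hash. Recomputes each visited node's hash from the
    proof, follows the same comparisons the search made, and accepts a membership claim
    only if the path ends at the key, or an absence claim only if it ends at an empty child."""
    expected = root_hash
    for key, lh, rh in proof:
        if expected == EMPTY or H(enc(key), lh, rh) != expected:
            return False
        if target == key:
            return found and (key, lh, rh) == proof[-1]
        expected = lh if target < key else rh
    return (not found) and expected == EMPTY


if __name__ == "__main__":
    root = build([10, 20, 30, 40, 50, 60, 70])
    for target in (30, 31):
        found, proof = search_with_proof(root, target)
        print(target, found, verify_proof(root.hash, target, found, proof))
```

The proof has one entry per visited node, so for a balanced tree it is O(log n) in size, and a server that lies about the result (claims a key is absent, or returns a different node) cannot produce a path whose hashes chain up to the root hash the client already holds.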

I am not sure that I understand the definition of h. What is b?

Or more precisely, if we want to apply h to x from {0, 1}*, how do we do that?

Thanks,

Guy

Recall that the idea is to present a Blockchain news item of your choice in the last 15 minutes of class. You can present in pairs.

This is a voluntary assignment that you can do to get up to five bonus points toward your grade.