I have some questions regarding lecture 10 and NIZK.
1. We proved that the Hamiltonicity protocl is HVZK, and it is mentioned on the first page that it is not hard to show that it is also malicious verifier ZK.
Corollary 4.3 states that If there exists a hash function H such that the Fiat-Shamir transform of, say, the Hamiltonicity protocol sound, the Hamiltonicity protocol cannot be ZK against malicious verifiers
and then you say that Fiat-Shamir hash functions are believed to exist.
So I don't understsnd how is this possible?
2. I'm not sure I understand claim 4.1, from the claim "make the verifier accept with probability at most (Q + 1)s"
Do you actually mean "make the verifier accept with probability at most (Q + 1)s for x not in L"
because if x is in L we want to make the verifier exist with probability 1, right?
Thanks.