In the scheme of Section 16.2, show that a valid coin satisfies the verification equations

In the scheme of Section 16.2, a hacker discovers the Bank’s secret number $x$. Show how coins can be produced and spent without having an account at the bank.

In the scheme of Section 16.2, the numbers $g_1$ and $g_2$ are powers of $g$, but the exponents are supposed to be hard to find. Suppose we take $g_1=g_2$.

1. Show that if the Spender replaces $r_1\text{,}{r}_2$ with $r_1^{{}^{\prime }}\text{,}{r}_2^{{}^{\prime }}$ such that $r_1+r_2=r_1^{\prime }+r_2^{\prime }$, then the verification equations still work.

2. Show how the Spender can double spend without being identified.

Suppose that, in the scheme of Section 16.2, the coin is represented only as $(A\text{,}B\text{,}a\text{,}r)$; for example, by ignoring $z$ and $b$, taking the hash function $H$ to be a function of only $A\text{,}B\text{,}a$, and ignoring the verification equation $A^r\equiv z^{H}b$. Show that the Spender can change the value of $u$ to any desired number (without informing the Bank), compute a new value of $I$, and produce a coin that will pass the two remaining verification equations.

In the scheme of Section 16.2, if the Spender double spends, once with the Merchant and once with the Vendor, why is it very likely that $r_2-r_2^{{}^{\prime }}\cancel{\equiv }0(\text{mod}q)$ (where $r_2\text{,}{r}_2^{{}^{\prime }}$ are as in the discussion of Fraud Control)?

A Sybil attack is one in which an entity claims multiple identities or roles in order to achieve an advantage against a system or protocol. Explain why there is no advantage in launching a Sybil attack against Bitcoin’s proof of work approach to determining which user will randomly be selected to announce the next block in a blockchain.

Forgetful Fred would like to save a file containing his homework to a server in the network, which will allow him to download it later when he needs it. Describe an approach using hash functions that will allow Forgetful Fred to verify that he has obtained the correct file from the server, without requiring that Fred keep a copy of the entire file to check against the downloaded file.

A cryptographic hash puzzle involves finding a nonce $n$ that, when combined with a message $m$, will hash to an output $y$ that belongs to a target set $S$, i.e. $h(n\parallel x)\in S$.

1. Assuming that all outputs of a $k\text{-bit}$ cryptographic hash function are equally likely, find an expression for the average amount of nonces $n$ that need to be tried in order to satisfy

   $$h(n\parallel x)<2^L\text{.}$$

2. Using your answer from part (a), estimate how many hashes it takes to obtain a hash value where the first 66 binary digits are 0s.