Incorporating CCS23 feedback/comments part I

[InaOana]

• incorporated reviewer's 606A feedback

1. p. 7: Does Defn 3.3 cover only syntax or also perfect completeness and soundness?

2. Sec 3.3: Motivation/intuition for the formalization of the properties perfect completeness, soundness, and unforgeability is missing. Why do these capture what should be achieved?

3. p. 7: forgecomkey game: pk* \neq pk \land bit_i =0: should \land be \lor? Seems like the implication (pk*=pk) -> bit_i=0 is desired here?

4. p. 9: "while the R_ba^incl relation is defined using" -> should it be "pa" here?

5. p. 9, 11: No intuition/motivation is provided for the stated polynomial identities.

6. p. 12: "If this holds": should it be "if this doesn't hold"?

7. Typos ...

• incorporated reviewer's 606B feedback

1. The paper claims to achieve accountability, and the key reason for it is the existence of a bit vector that describes the set of parties that have signed a given block. However, given prior works in the space of accountability [A, B], it is not clear if having a set of signatures is sufficient for accountability. In some cases, accountability is not achievable [A, Appendix E] and in others, we require a different forensic protocol to identify the set of bad parties. It would be helpful if the paper can shed more light on whether their scheme achieves accountability or provides one of the necessary conditions for achieving accountability.
2. Proof of stake schemes require a threshold fraction of parties to sign a message but not all parties may have the same stake. In such a case, isn’t it essential for the client to know the parties (public keys) involved and their corresponding stake?
   [A]: Polygraph: Accountable Byzantine Agreement https://eprint.iacr.org/archive/2019/587/1591910049.pdf
   [B]: BFT Protocol Forensics: https://arxiv.org/pdf/2010.06785.pdf

• incorporated reviewer's 606C feedback

1. It would be best if you explain the intuition of how the SNARK is being tailored before diving into constructing identity polynomials.
2. Extra “and” - last sentence of page 9.
3. Would be best to explain the unforgeability game in a couple of sentences first before giving a formal definition.
4. The identify polynomials are not explained well, the logic for defining them is unclear. It would be best to give intuition behind their constructions.

• Additionally, shrink the second section on our range poly protocols and add a summary of our compiler and provide the intuition for the new polynomials and identity polynomials used.

[InaOana]

@AlistairStewart, @FatemeShirazi, I have tackled the reviewers' comments found in the first 3 items above and would appreciate any feedback you have. My updates have been marked/added as red text to this folder. The 4th item needs more time and I will not tackle it this week. Thank you.