There is a protest with cid. For some protester, pid = PRF_k(cid). All witnesses will compute wid_i = PRF_{k_i}(pid). If Alice can find a manifesto m such that H(m) = pid, then all witnesses for pid equivalently sign up as protesters for Alice's new protest.
However, no honest witness will accept signing these, since Alice cannot interactively prove the correctness of wid_i = PRF_{k_i}(pid). But for any malicious witness, she can provide a complete and valid proof share on the blockchain.
To fix this, we should use a slightly different PRF for witnessing and signing up. (The principle of never reusing security mechanisms.)
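The following is an added example, not code from the original text or the project, showing why the shared PRF lets a witness value double as a sign-up and how separate PRFs remove the overlap. It assumes HMAC-SHA256 as the PRF, uses hypothetical role labels and constructed keys, and models the condition H(m) = pid by setting the new protest's cid directly to pid.

```python
import hashlib
import hmac

def prf(key: bytes, msg: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the PRF, which the text does not name.
    return hmac.new(key, msg, hashlib.sha256).digest()

# Shared-PRF design from the text: one function serves both roles.
def signup_shared(k: bytes, cid: bytes) -> bytes:
    return prf(k, cid)              # pid = PRF_k(cid)

def witness_shared(k_i: bytes, pid: bytes) -> bytes:
    return prf(k_i, pid)            # wid_i = PRF_{k_i}(pid)

# Separated design: a distinct fixed label per role (hypothetical labels).
# Inputs for the two roles can never be equal, so the outputs are unrelated.
def signup_sep(k: bytes, cid: bytes) -> bytes:
    return prf(k, b"\x01signup:" + cid)

def witness_sep(k_i: bytes, pid: bytes) -> bytes:
    return prf(k_i, b"\x02witness:" + pid)

def witness_doubles_as_signup(signup, witness) -> bool:
    """True if a witness value for pid is also a valid sign-up
    for a new protest whose cid equals pid."""
    k = b"protester-key (constructed)"
    k_i = b"witness-key (constructed)"
    cid = hashlib.sha256(b"original manifesto (constructed)").digest()
    pid = signup(k, cid)
    wid_i = witness(k_i, pid)
    # Model of the text's condition H(m) = pid: the new cid is pid itself.
    cid_new = pid
    pid_in_new_protest = signup(k_i, cid_new)
    return hmac.compare_digest(wid_i, pid_in_new_protest)

if __name__ == "__main__":
    print("shared PRF:   ", witness_doubles_as_signup(signup_shared, witness_shared))
    print("separated PRF:", witness_doubles_as_signup(signup_sep, witness_sep))
```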