previously i was thinking that proof-of-work might be unfeasible because of the computational power differences between smartphones and large computers (eg botnets). however i wonder if this could not be substantially eliminated, if not fully eliminated by carefully choosing the proof-of-work method. for example, litecoin's hashcash-scrypt has properties which give all machines roughly the same computing power. sure there is variability but its no way near as big as sha256 where a single asic can be many orders of magnitude faster than a cpu.
so maybe careful selection of the pow algorithm could level the playing-field between devices and make this a valid method of cutting down on network dos attacks when using fawkes signatures. hashcash-scrypt does this by introducing memory into the algorithm, but another way might be to introduce milestones into the algorithm. for example, if we wanted to make it so that the proof of work always took 5 seconds to complete then maybe we could make it so that the algorithm had to fetch 5 consecutive pieces of information to complete the proof of work - one each second - as they come available on the network. i'm no cryptographer and i can already see exploits for such a thing, but maybe some algorithm like this exists. or maybe hashcash-scrypt would be sufficient for the purposes of such a cryptocurrency?
as for the zero knowledge proof of the hash function, i finally found the video which is mentioned in the crypto-stackexchange answer previously mentioned, however this seems to be specific for sha1. still, that might be a feasible algorithm and method
![Smiley](https://bitcointalk.org/Smileys/default/smiley.gif)