Add multi-evaluation support

[burdges]

If I read the protocol correctly, one signer could sign numerous messages simultaneously, like in BLS, using the same alpha and beta, and the same point not involving the hash Z, but supplying numerous π_2 and π_4 points. All messages could then be verified simultaneously by using Z = Σ_i Z_i and π_2 = Σ_i π_{2,i} and π_4 = Σ_i π_{4,i}. In this variant, adversaries could forge signatures on linear combinations of Z, and similarly malicious signers could play games, but this should yield nothing useful.

This looks useful because users could pay to query the threshold VRF alongside the randomness beacon.

Ideally one wants slightly more than this: Users should query for secret evaluations. We could implement secrecy by users providing a SNARK on BW6 that secretly evaluates the hash-to-curve on BLS12-377 and multiplies by a blinding scalar. Again this should yield security for this scheme.

I'm unsure if this make sense as some brain wallet recovery method, but it should definitely makes sense for public rendezvous protocols, like SecureDrop or the Panda protocol in Pond.

[kobigurk]

Hey Jeff,

Yep, that all sounds about right, also discussed this briefly with @mmaller.
IMO the analogy to what you can do in BLS and what you can do here is apt.

I'm out for the next few weeks, and I would be interested in following up on this when I get back!

[burdges]

It'd support some roll up for your randomness beacon too, which sounds more immediately useful.

[burdges]

In this vein, one could similarly do threshold decryption by replacing Z by a sender controlled scalar multiple of G_1, but then senders much include a proof-of-knowledge of Z, and you've a nice partially batched proof of correct decryption too. It's slightly inferior to straight IBE-like designs like https://eprint.iacr.org/2020/638 or scalar threshold IBE itself, but still fairly nice.