Verify PVSS transcript correctness

[piotr-roslaniec]

• Check #3 and #4 of section 4.2.3
• This should be implemented in ferveo PVSS
• Has a relation to verify_full
  • Described in docs as "Public verification" of PVSS

[piotr-roslaniec]

Reopening since check #3 of 4.2.3 is not yet implemented. Check #4 is implemented as verify_full.

[piotr-roslaniec]

The current Ferveo implementation doesn't use A directly. Instead, the pairing in check #4 uses A indirectly. Ferveo uses F to compute A. So implementing #3 is not feasible without rewriting the whole thing.

The #3 check is supposed to be fixed by the KZG research.

[KPrasch]

Is this done?

[piotr-roslaniec]

No. As per my previous comment, it may be at least partially fixed by using KZG (which is firmly in the research stage):

The #3 check is supposed to be fixed by the KZG research.

[cygnusv]

The current Ferveo implementation doesn't use A directly. Instead, the pairing in check #4 uses A indirectly. Ferveo uses F to compute A. So implementing #3 is not feasible without rewriting the whole thing.

The #3 check is supposed to be fixed by the KZG research.

In the Ferveo paper they take the approach of:

• Generating A_i and F_i components independently
• Performing check#3 to verify that A_i and F_i are consistent with each other

In the original Ferveo implementation, we found the approach of:

• Only generating F_i components
• Using F_i to generate A_i when needed, so they're automatically consistent with F_i

Since A_i were used mainly for check#4, we can continue with existing approach. It's equivalent to simply rewriting check#4 to use F_i directly instead of A_i.

---

Let me explain better how each A_i can be reconstructed from F_i components:

$F_i$ components have the form $F_i = [a_i] G$, for $a_i$ a coefficient of polynomial $f$.
$A_i$ components have the form $A_i = \left[f(\omega_i \right] G$, with $\omega_i$ being the domain point (aka x coordinate) of participant $i$.

Let's recall basic polynomial evaluation: $$f(x) = \sum_{j=0}^k a_j \cdot x^j$$

We can use this to redefine $A_i$ as $\sum \left[ a_j \cdot {\omega_i}^j \right] G$, and with some math golfing we arrive at $A_i = \sum \omega_i^j F_j$

---

So, unless we find another reason to explicitly store A_i components, I'd say let's go with current approach and close this issue.