---
title: PVSS succinct proofs
description: How to aggregate PVSS proofs nicely
theme: gaia
size: 16:9
_class: lead
class: invert
paginate: true
backgroundColor: #000000
marp: true
math: katex
header: IOTA Foundation
---
# PVSS succinct proofs #
2022-02-03
---
## PVSS proof ##
$$\texttt{PVSS}\{(F_k,E_j,X_j; s_j):
\\ P_j\; \text{can decrypt}\; E_j\; \text{to recover}\; s_j \wedge
\\ s_j\; \text{is a correct share wrt.}\; F_k\}
\\ \text{for}\; k=0..t-1, j=1..n$$
- $X_j = x_j G$ -- $P_j$'s public key, $G$ -- standard base point
- $s = \sum_{i \in I} s^i_0$ -- common key
- Do not prove knowledge of $f_k: F_k = f_k G$, forget $s_j=f(j)$
- Use ElGamal or twisted ElGamal to encrypt shares
- Proof protocol depends on encryption method
<!-- Can't work with f_k, we need to split each s_j into chunks. -->
---
## ElGamal commitment ##
$$(s_j,r) \mapsto (s_j G + r X_j, r G) = (C_j, R) = E_j$$
- randomization $r$ can be reused for different receivers $P_j$
- can't use other base points in $s_j G$ and $r G$
---
## Twisted ElGamal commitment ##
$$(s_j,r_j) \mapsto (s_j G + r_j H, r_j X_j) = (C_j, R_j) = E_j$$
- randomization $r_j$ can't be reused for different receivers
- base points $G$ and $H$ must be independent, otherwise no *binding*
- $s_j G$ must use $G$, otherwise common public key is not standard
- hence $X_j = x_j H$ must use non-standard base point $H$, otherwise $P_j$ can't recover $r_j H \neq r_j G = x_j^{-1} r_j X_j$ :x:
---
## Issue with ElGamal commitments ##
$$E_j = \texttt{Commit}_{\textcolor{red}{X_j}}(s_j,r_j)$$
- Commitment scheme depends on $X_j$ as parameter
- Can't easily aggregate (which $X_j$ to use in aggregated proof?) :x:
$T_i = \texttt{Commit}_{\textcolor{red}{X_j}}(t_i,\tau_i)$
---
## Notation ##
- $\vec{c}^n = (c^i)_{i=0}^{n-1} \in \mathbb{Z}_q^n$
- $x \cdot \vec{a} = (x a_i)_{i=0}^{n-1}$
- $\langle \vec{a}, \vec{b} \rangle = \sum_{i=0}^{n-1} a_i b_i$
- $\vec{a} \circ \vec{b} = (a_i b_i)_{i=0}^{n-1}$
- $\vec{x} \times \vec{b} = \|_{i=0}^{n-1} (x_i \cdot \vec{b})$
- $v_j = \sum_{l=0}^{m-1} 2^{bl} v_{j,l}$, $v = \|_j (v_{j,l})_l$
- $\texttt{VCommit}(a,b,c) = \langle a, \vec{G} \rangle + \langle b, \vec{H} \rangle + c K$
---
## Initial Range proof system ##
Input: $v_{j,l} \in \{0,\ldots,2^b-1\}$, $\textcolor{red}{V} = \textcolor{red}{\texttt{Commit}}(v_{j,l})$
<!-- 1. Commit is black-box. -->
<!-- 2. V covers secret shares and secret polynomial. -->
<!-- 3. "v is small" is equivalent to "there's unique aL, aR satisfying the system of equations". -->
<!-- 4. Hence commit to aL, aR with VCommit -- Pedersen vector commitment. -->
Choose nonces $\textcolor{lightgreen}{a_L}$, $\textcolor{lightgreen}{a_R}$: $\textcolor{violet}{A} = \texttt{VCommit}(\textcolor{lightgreen}{a_L}, \textcolor{lightgreen}{a_R}, \textcolor{lightgreen}{\alpha})$.
Let $a_L = \|_{j=0}^{n-1} (\|_{l=0}^{m-1} a_{L,j,l})$
$$\langle \textcolor{lightgreen}{a_{L,j,l}}, \vec{2}^b \rangle = v_{j,l}, \forall j, \forall l \wedge
\\\textcolor{lightgreen}{a_L} = \textcolor{lightgreen}{a_R} + \vec{1}^{bnm} \wedge
\\\textcolor{lightgreen}{a_L} \circ \textcolor{lightgreen}{a_R} = \vec{0}^{bnm}$$
- $nm+2bnm$ scalar equations
---
## Shorter Range proof system ##
Receive challenge $\textcolor{lightgreen}{y}$:
<!-- 1. Standard approach -- aggregate equations into one via polynomial in y. -->
<!-- 2. Random y is unlikely to be root of a polynomial. -->
$$\langle a_{L,j,l}, \vec{2}^b \rangle = v_{j,l}, \forall j, \forall l \wedge
\\\langle a_L - a_R - \vec{1}^{bnm}, \vec{\textcolor{lightgreen}{y}}^{bnm} \rangle = 0 \wedge
\\\langle a_L, \vec{\textcolor{lightgreen}{y}}^{bnm} \circ a_R \rangle = 0$$
- $nm+2$ scalar equations
---
## Single Range proof equation ##
Receive challenge $\textcolor{lightgreen}{z}$:
<!-- Same, but with z as variable. -->
$$\textcolor{lightgreen}{z}^2 \sum_{j=1}^n \sum_{l=0}^{m-1} \textcolor{lightgreen}{z}^{(j-1)m+l} \langle a_{L,j,l}, \vec{2}^b \rangle +
\\+ \textcolor{lightgreen}{z} \langle a_L - a_R - \vec{1}^{bnm}, \vec{y}^{bnm} \rangle +
\\+ \langle a_L, \vec{y}^{bnm} \circ a_R \rangle =
\\= \textcolor{lightgreen}{z}^2 \sum_{j=1}^n \sum_{l=0}^{m-1} \textcolor{lightgreen}{z}^{(j-1)m+l} v_{j,l}$$
- $1$ scalar equation
---
## Inner-product form ##
Same, but in inner-product form:
$$z^2 \langle \textcolor{red}{a_L}, \vec{z}^{nm} \times \vec{2}^b \rangle + z \langle \textcolor{red}{a_L}, \vec{y}^{bnm}\rangle + \langle \textcolor{red}{a_L}, \vec{y}^{bnm} \circ \textcolor{red}{a_R} \rangle -
\\- z \langle \vec{y}^{bnm}, \textcolor{red}{a_R} \rangle = z^2 \langle z^{nm}, \textcolor{red}{v} \rangle + z \langle \vec{y}^{bnm}, \vec{1}^{bnm} \rangle$$
Same, but folded with only 1 inner product:
<!-- The goal is to get inner product of aL and aR. -->
$$\langle \textcolor{red}{a_L} - z \cdot \vec{1}^{bnm}, z^2 \cdot z^{nm} \times \vec{2}^b + \vec{y}^{bnm} \circ (\textcolor{red}{a_R} + z \cdot \vec{1}^{bnm}) \rangle =
\\= z^2 \langle z^{nm}, \textcolor{red}{v} \rangle + (z-z^2) \langle \vec{y}^{bnm}, \vec{1}^{bnm} \rangle - z^3 \langle \vec{1}^{bnm}, \vec{z}^{nm} \times \vec{2}^b \rangle =
\\= z^2 \langle z^{nm}, \textcolor{red}{v} \rangle + \delta(y, z)$$
---
## Blindings in inner product ##
<!-- 1. Need to blind aL and aR in order to use IPA and make proof zero-knowledge. -->
<!-- 2. Introduce blindings sL, sR and commit to those. -->
Choose nonces $\textcolor{lightgreen}{s_L}, \textcolor{lightgreen}{s_R}$: $\textcolor{violet}{S} = \texttt{VCommit}(\textcolor{lightgreen}{s_L}, \textcolor{lightgreen}{s_R}, \textcolor{lightgreen}{\rho})$.
Receive challenge $\textcolor{lightgreen}{x}$:
$$l = \textcolor{red}{a_L} - z \cdot \vec{1}^{bnm} + \textcolor{lightgreen}{x} \cdot \textcolor{lightgreen}{s_L}$$
$$r = z^2 \cdot z^{nm} \times \vec{2}^b + \vec{y}^{bnm} \circ (\textcolor{red}{a_R} + z \cdot \vec{1}^{bnm} + \textcolor{lightgreen}{x} \cdot \textcolor{lightgreen}{s_R})$$
Note: $l$ and $r$ are polynomials in $x$ over $\mathbb{Z}_q^{bnm}$
$$\textcolor{violet}{t} = \langle l, r \rangle = t_0 + \textcolor{lightgreen}{x} t_1 + \textcolor{lightgreen}{x}^2 t_2$$
---
## IPA ##
Equation $t_0 = z^2 \langle z^{nm}, v \rangle + \delta(y, z)$ ($t$ evaluated at $x=0$) is equivalent\* to the initial system and the statement that $v_{j,l}$ is small.
\* with high probability.
Prove $t = z^2 \langle z^{nm}, v \rangle + \delta(y, z) + x t_1 + x^2 t_2$ with IPA instead.
$t_1$, $t_2$ serve as blindings for $t_0$, commit to those before IPA:
$$\textcolor{violet}{T_i} = \textcolor{red}{\texttt{Commit}}(t_i),\; \text{for}\; i=1,2$$
---
## Commitment $P$ for IPA ##
<!-- 1. Need to compute commitment P as input to IPA. -->
$$P = \texttt{IPACommit}(l,r) =
\\= (\langle \textcolor{red}{a_L}, \vec{G} \rangle + \langle \vec{y}^{bnm} \circ \textcolor{red}{a_R}, \vec{H'} \rangle + \alpha K) +
\\+ \textcolor{lightgreen}{x} (\langle \textcolor{lightgreen}{s_L}, \vec{G} \rangle + \langle \vec{y}^{bnm} \circ \textcolor{lightgreen}{s_R}, \vec{H'} \rangle + \rho K) -
\\ - (\alpha + \textcolor{lightgreen}{x} \rho) K - \langle z \cdot \vec{1}^{bnm}, \vec{G} \rangle + \langle z^2 \cdot z^{nm} \times \vec{2}^b + z \cdot \vec{y}^{bnm}, \vec{H'} \rangle$$
Let's use $\vec{H'} = \vec{y}^{-bnm} \circ \vec{H}$ in $\texttt{IPACommit}$:
<!-- 2. Generators in H' depend on y which prevents batch verification of IPA. -->
$$P = \textcolor{violet}{A} + \textcolor{lightgreen}{x} \textcolor{violet}{S} - \textcolor{violet}{\mu} K - z \cdot \vec{G} + \langle \gamma(y,z), \vec{H'} \rangle$$
$\textcolor{violet}{\mu} = \alpha + \textcolor{lightgreen}{x} \rho$ is part of proof so $P$ can be reconstructed.
---
## How to $\texttt{Commit}$? ##
$$\texttt{IPA}\{(P,t;l,r): P = \texttt{IPACommit}(l,r) \wedge t = \langle l, r \rangle\}$$
Last step -- verify proof $\textcolor{violet}{t} = z^2 \langle z^{nm}, v \rangle + \delta(y, z) + x t_1 + x^2 t_2$ against commitment $\textcolor{red}{V}$. Use homomorphic property:
$$\textcolor{red}{\texttt{Commit}}(t) + \textcolor{red}{\ldots} \overset{?}{=} z^2 \langle z^{nm}, \textcolor{red}{V} \rangle + \textcolor{red}{\ldots}$$
TODO:
- $T_i$, $\tau_i$, $\tau_x$, $C_{j,l}$, $R_l$
- correct sharing proof: $\sum_l 2^{bl} (C_{j,l} - r_l X_j) = F(j)$
---
## Commit with Pedersen ##
Pedersen commitment:
$$\texttt{Commit}(s,r) = sG + rH$$
<!-- 1. Commitment is used to compute Ti and V with corresponding randomizations. -->
$T_i = t_i G + \tau_i H$, $\textcolor{red}{V_{j,l}} = \textcolor{red}{v_{j,l}} G + \textcolor{red}{r_{j,l}} H$
<!-- 2. Construct verification equation using homomorphic property. -->
$\texttt{Commit}(\textcolor{violet}{t},\textcolor{violet}{\tau_x}) = z^2 \langle z^{nm}, \textcolor{red}{V} \rangle + \delta(y, z) G + x \textcolor{violet}{T_1} + x^2 \textcolor{violet}{T_2}$
<!-- 3. Derive expression for taux from verification equation. -->
$\tau_x = z^2 \langle z^{nm}, \textcolor{red}{r} \rangle + 0 + x \tau_1 + x^2 \tau_2$
---
## Commit with ElGamal ##
ElGamal commitment:
$$\texttt{Commit}_X(s,r) = sG + rX, rG$$
Family of commitments, which $X_j$ to use?
$C_{j,l} = \textcolor{red}{v_{j,l}} G + \textcolor{red}{r_l} X_j$, $R_l = \textcolor{red}{r_l} G$, $\forall j=1..n, \forall l=0..m-1$
<!-- Let's consider three key parts to ElGamal commitment. -->
---
## Share chunks ##
Step 1: $C_{j,l} = \textcolor{red}{v_{j,l}} G + r_l X_j$, $R_l = r_l G$
$t = z^2 \langle z^{nm}, \textcolor{red}{v} \rangle + \delta(y, z) + x t_1 + x^2 t_2$
$t G = z^2 \langle z^{nm}, \textcolor{red}{v} \rangle G + \delta(y, z)G + x \textcolor{lightgreen}{t_1 G} + x^2 \textcolor{lightgreen}{t_2 G}$
$\textcolor{violet}{T_i} = \textcolor{lightgreen}{t_i G} + \textcolor{red}{\ldots}$
---
## Aggregated public key $\overline{X}$ ##
Step 2: $C_{j,l} = v_{j,l} G + \textcolor{red}{r_l} X_j$, $R_l = r_l G$
$\langle z^{nm}, \textcolor{red}{C} \rangle = \sum_{j=1}^n z^{(j-1)m} \sum_{l=0}^{m-1} z^l (v_{j,l} G + \textcolor{red}{r_l} X_j)$
$$\sum_{j=1}^n z^{(j-1)m} \sum_{l=0}^{m-1} z^l \textcolor{red}{r_l} X_j = (\sum_{l=0}^{m-1} z^l \textcolor{red}{r_l}) (\sum_{j=1}^n z^{(j-1)m} X_j)$$
$\textcolor{lightgreen}{\overline{X}} = \sum_{j=1}^n z^{(j-1)m} X_j$
<!-- Aggregated public key X-bar allows to use ElGamal commitment. -->
---
## Commitment with aggregated public key ##
Part 2: $C_{j,l} = v_{j,l} G + \textcolor{red}{r_l} X_j$, $R_l = r_l G$
$\textcolor{violet}{\tau_x} = z^2 \sum_{l=0}^{m-1} z^l \textcolor{red}{r_l} + x \textcolor{lightgreen}{\tau_1} + x^2 \textcolor{lightgreen}{\tau_2}$
$\textcolor{violet}{T_i} = t_i G + \textcolor{lightgreen}{\tau_i \overline{X}}$
ElGamal commitment with *aggregated* public key $\overline{X}$:
$T_i = \texttt{Commit}_{\overline{X}}(t_i,\tau_i)$
$\texttt{Commit}_{\overline{X}}(t,\tau_x) \overset{?}{=} \ldots$
---
## Commitment complete ##
Part 3: $C_{j,l} = v_{j,l} G + r_l X_j$, $R_l = \textcolor{red}{r_l} G$
$\textcolor{violet}{\tau_x} = z^2 \sum_{l=0}^{m-1} z^l \textcolor{red}{r_l} + x \textcolor{lightgreen}{\tau_1} + x^2 \textcolor{lightgreen}{\tau_2}$
$\textcolor{violet}{Q_i} = \textcolor{lightgreen}{\tau_i G}$
Verify:
$$\textcolor{violet}{t} G + \textcolor{violet}{\tau_x} \overline{X} \overset{?}{=} z^2 \langle z^{nm}, \textcolor{red}{C} \rangle + \delta(y, z)G + x \textcolor{violet}{T_1} + x^2 \textcolor{violet}{T_2}$$
$$\textcolor{violet}{\tau_x} G \overset{?}{=} z^2 \langle z^m, \textcolor{red}{R} \rangle + x \textcolor{violet}{Q_1} + x^2 \textcolor{violet}{Q_2}$$
<!-- Note connection to / difference with range proof. -->
---
## Correct sharing proof ##
Part 4: $(\sum_l \textcolor{red}{2^{bl} r_l}) X_j = \sum_l 2^{bl} C_{j,l} - F(j)$,
$\quad\quad\quad\!(\sum_l \textcolor{red}{2^{bl} r_l})G = \sum_l 2^{bl} R_l$
$\textcolor{violet}{\tau_x} = z^2 \sum_{l=0}^{m-1} \textcolor{red}{z^l r_l} + x \tau_1 + x^2 \tau_2$ :x:
<!-- 1. Can't really tie to previous stuff, tau_x. -->
<!-- 2. Use aggregated preimage NIZKP -- DLEQ. -->
Choose nonce $\eta$, $\textcolor{violet}{N} = \texttt{Commit}(\eta) = \eta \cdot (G \| \vec{X})$.
Receive challenge $w$.
Proof: $\textcolor{violet}{s} = \eta + w \sum_l \textcolor{red}{2^{bl} r_l}$
Verify:
$s \cdot (G \| \vec{X}) \overset{?}{=} \textcolor{violet}{N} + w \cdot (\sum_l 2^{bl} R_l \| (\sum_l 2^{bl} C_{j,l} - F(j))_{j=1}^n)$
<!-- 3. n+1 equations in verify. Use batch verification and additional challenge. -->
---
## Aggregated correct sharing proof ##
Part 4: $(\sum_l \textcolor{red}{2^{bl} r_l}) X_j = \sum_l 2^{bl} C_{j,l} - F(j)$,
$\quad\quad\quad\!(\sum_l \textcolor{red}{2^{bl} r_l})G = \sum_l 2^{bl} R_l$
<!-- 2 points in commitments N,M instead of n+1. -->
Choose nonce $\eta$, $\textcolor{violet}{N} = \texttt{Commit}(\eta) = \eta \cdot G$.
Receive challenge $\textcolor{lightgreen}{u}$. Commit $\textcolor{violet}{M} = \eta \sum_{j=1}^n \textcolor{lightgreen}{u}^j X_j$.
Receive challenge $\textcolor{lightgreen}{w}$.
Proof: $\textcolor{violet}{s} = \eta + \textcolor{lightgreen}{w} \sum_l \textcolor{red}{2^{bl} r_l}$
Verify: $\textcolor{violet}{s} (G + \sum_{j=1}^n \textcolor{lightgreen}{u}^j X_j) \overset{?}{=} \textcolor{violet}{N} + \textcolor{violet}{M} +
\\\quad\quad\quad\!+ \textcolor{lightgreen}{w} (\sum_l 2^{bl} R_l + \sum_{j=1}^n \textcolor{lightgreen}{u}^j (\sum_l 2^{bl} C_{j,l} - F(j))$
---
## Final protocol: Prove 1/ ##
1. Nonces $\textcolor{lightgreen}{a_L}$, $\textcolor{lightgreen}{a_R}$, rand $\textcolor{lightgreen}{\alpha}$: $\textcolor{violet}{A} = \langle \textcolor{lightgreen}{a_L}, \vec{G} \rangle + \langle \textcolor{lightgreen}{a_R}, \vec{H} \rangle + \textcolor{lightgreen}{\alpha} K$
2. Nonces $\textcolor{lightgreen}{s_L}$, $\textcolor{lightgreen}{s_R}$, rand $\textcolor{lightgreen}{\rho}$: $\textcolor{violet}{S} = \langle \textcolor{lightgreen}{s_L}, \vec{G} \rangle + \langle \textcolor{lightgreen}{s_R}, \vec{H} \rangle + \textcolor{lightgreen}{\rho} K$
3. Challenge $\textcolor{lightgreen}{y}$
4. Challenge $\textcolor{lightgreen}{z}$
5. Calc $t_i$, rand $\textcolor{lightgreen}{\tau_i}$: $\textcolor{violet}{T_i} = t_i G + \textcolor{lightgreen}{\tau_i} \overline{X}$, $\textcolor{violet}{Q_i} = \textcolor{lightgreen}{\tau_i} G$
6. Challenge $\textcolor{lightgreen}{x}$
---
## Final protocol: Prove 2/2 ##
7. Calc $l$, $r$. Proof $\textcolor{violet}{t} = \langle l, r \rangle$, $\textcolor{violet}{\mu} = \alpha + x \rho$,
$\textcolor{violet}{\tau_x} = z^2 \sum_{l=0}^{m-1} z^l r_l + x \tau_1 + x^2 \tau_2$
8. Calc $\vec{H'}(\textcolor{lightgreen}{y})$, $P(\textcolor{lightgreen}{x},\textcolor{lightgreen}{y},\textcolor{lightgreen}{z};\textcolor{violet}{A},\textcolor{violet}{S},\textcolor{violet}{\mu})$. Proof $\texttt{IPA}\{(\vec{G}, \vec{H'},P,\textcolor{violet}{t};l,r)\}$
9. Nonce $\textcolor{lightgreen}{\eta}$: $\textcolor{violet}{N} = \textcolor{lightgreen}{\eta} G$
10. Challenge $\textcolor{lightgreen}{u}$: $\textcolor{violet}{M} = \textcolor{lightgreen}{\eta} \sum_{j=1}^n \textcolor{lightgreen}{u}^j X_j$
11. Challenge $\textcolor{lightgreen}{w}$
12. Proof $\textcolor{violet}{s} = \textcolor{lightgreen}{\eta} + \textcolor{lightgreen}{w} \sum_l 2^{bl} r_l$
---
## Final protocol: Verify 1/ ##
1. Commitments $\textcolor{violet}{A}, \textcolor{violet}{S}$
2. Challenges $\textcolor{lightgreen}{y}, \textcolor{lightgreen}{z}$
3. Commitments $\textcolor{violet}{T_i}, \textcolor{violet}{Q_i}$
4. Challenge $\textcolor{lightgreen}{x}$
5. Verify $\textcolor{violet}{t} G + \textcolor{violet}{\tau_x} \overline{X} \overset{?}{=} z^2 \langle z^{nm}, C \rangle + \delta(y, z)G + x \textcolor{violet}{T_1} + x^2 \textcolor{violet}{T_2}$
6. Verify $\textcolor{violet}{\tau_x} G \overset{?}{=} z^2 \langle z^m, R \rangle + x \textcolor{violet}{Q_1} + x^2 \textcolor{violet}{Q_2}$
7. Calc $\vec{H'}(\textcolor{lightgreen}{y})$, $P(\textcolor{lightgreen}{x},\textcolor{lightgreen}{y},\textcolor{lightgreen}{z};\textcolor{violet}{A},\textcolor{violet}{S},\textcolor{violet}{\mu})$. Verify $\texttt{IPA}\{(\vec{G}, \vec{H'},P,\textcolor{violet}{t};l,r)\}$
---
## Final protocol: Verify 2/2 ##
8. Commitment $\textcolor{violet}{N}$
9. Challenge $\textcolor{lightgreen}{u}$. Commitment $\textcolor{violet}{M}$
10. Challenge $\textcolor{lightgreen}{w}$
11. Verify: $\textcolor{violet}{s} (G + \sum_{j=1}^n \textcolor{lightgreen}{u}^j X_j) \overset{?}{=} \textcolor{violet}{N} + \textcolor{violet}{M} +
\\\quad\quad\quad\!+ \textcolor{lightgreen}{w} (\sum_l 2^{bl} R_l + \sum_{j=1}^n \textcolor{lightgreen}{u}^j (\sum_l 2^{bl} C_{j,l} - F(j))$
---
## Summary ##
| Class | Items | Size |
|:-------------|:-----------------------------------|:------------|
|Witness | $v_{j,l}$, $r_l$ | |
|Instance | $F_k$, $C_{j,l}$, $R_l$ | $O(t+nm+m)$ |
|Nonces | $a_L$, $a_R$, $s_L$, $s_R$, $t_i$ | |
|Randomizations| $\alpha$, $\rho$, $\tau_i$, $\eta$ | |
|Commitments | $A$, $S$, $T_i$, $Q_i$, $N$, $M$ | $O(8)$ |
|Challenges | $y$, $z$, $x$, $u$, $w$ | |
|Proof | $\tau_x$, $\mu$, $t$, IPA, $s$ | $O(4+2\log_2(bnm)+2)$ |
---
## Failed attempts ##
<!-- n randomizations tau1, tau2, taux. Commitment with n randomizations. -->
- ElGamal with $r_{j,l}$ :x: can't separate $r_{j,l}$ and $X_j$, need many $\tau_{x,j}$
- Twisted ElGamal :x: same issue
- Twisted heterogenous ElGamal -- (sG+rH,rG,rX). Range proof + DLEQ. :x: Too big overhead
- Reuse proof for correct sharing :x: incompatible $r_l$ aggregation
- Do not use $a_R$ :x: can't derive commitment to RHS from $A_L$
- Batch verification :x: IPA use different $\vec{H'}$
---
## Thanks ##
Questions?
Sign in with Wallet
Connect another wallet