## TL;DR This is basically a question of where the boundary between individuals verifying and client teams implementing lies. How much work should be required to verify that client teams correctly put the output of the ceremony into the clients? Do we need everyone to verify the exact file gets included in clients, or are we ok having only some people do it and anyone can check at any time. ## Desiderata - PoT output in Lagrange form for ingestion into KZG libs - People have verified that their contribution was legitimately included. - People have verified that the final output file is correct ## Things to verify: - The Powers are actually powers - Your contribution is in there - Your Eth account signed the contribution - The BLS signatures check out - The contributions after yours: - Are not `0` - build on top of one another ## Option 1 - everyone verifies & everyone does Lagrange form User performs all of the above checks as well as does the calculation to verify ceremony is correctly output into Lagrange form (it verifies the output file that will be put directly into clients). The downside is that we need the Lagrange calculations to be implemented in a way that can be computed on the web. (Similar work to getting the original crypto done in the ceremony) ## Option 2 - everyone verifies & "community" does Lagrange calculation User performs all of the above checks which guarantees that their contribution was included correctly and that the sequencer didn't rug them. This requires some minor modifications to the functions we already have implemented but does require we implement/expose pairings. The level of compute required is a little worse than what was required to do the initial contribution. The only real way users could be rugged is by the client teams & the community if they do the Lagrange calc incorrectly, but this is verifiable at any point, so if users have suspicions, they can always check. ## Option 3 - everyone partially verifies & some do Lagrange calculation Users only verify that their address is included and that their ECDSA (normal Ethereum) signatures are correct. (And that there are no 0 contributions.) This can be done pretty much instantly and requires almost nothing new to be implemented beyond a simple one-page website. (POAPs would be the hardest part.) The rug potential here is largely the same as `Option 2` above as client devs are the only real ones who can rug, users can always verify themselves and anyone in the community could blow the whistle. ## Option 4 - some verify & some do Lagrange calculation Only those who choose to verify anything. This is how all previous ceremonies have gone so far. The major downside is that you trust the sequencer to have included your contribution and unless you saved the receipt from the sequencer after you contributed, you couldn't prove sequencer fraud. ## The comparison in a table | | What individual verifies | Who does Lagrange calc | How user can be tricked | What needs to be implemented in the website | |----------|--------------------------|------------------------|-----------------------------------------------------|------------------------------------| | Option 1 | Everything | User | CL & EL Clients could rug | Lagrange in web + BLS verification | | Option 2 | Everything | "Community" | Above plus "community" does Lagrange calc correctly | BLS Pairings | | Option 3 | Their inclusion | "Community" | Same as above | Text checks and 1 ECDSA sig (trivial) | | Option 4 | Nothing | "Community" | Sequencer could delete their contribution | 0 | ## Proposed choice I think we should go with `Option 3` as it makes users verify that they were included (something only they can really do as they know whether they contributed) and trusts client teams (and anyone else who'd like to check themselves) to do the _right thing (tm)_, which is basically where we currently draw the line of trust between the community and client teams already.