Contributions
In this section, we describe the contributions that make up a setup ceremony in more detail. We describe:
- the high level idea behind the ceremony,
- what contributions look like, and how to check their correctness,
- how to check the correctness of the setup as a whole.
High Level Overview
We break the CRS described previously into two parts:
First, we have:
Second, we have:
We split the ceremony into two phases, to calculate the first and second part of the CRS, respectively. The general idea in each ceremony is that the secret values of interest (e.g. etc.) are shared multiplicatively, as , with each party having one of the shares. Because of this structure, given the current value of the CRS elements in a given phase, it’s possible for a new party to add their contribution. For example, in the first phase, one can multiply each element by some combination , depending on the element, to get a new CRS element.
Each contribution will come with a proof of knowledge for the new secret values contributed, which can also partially attest to how these secret values were used. However, this is not enough to guarantee that the resulting elements are a valid CRS: for this, we have a consistency check allowing us to check that the elements in a given phase have the correct internal structure.
Each party can thus contribute one after the other, until enough contributions have been gathered through that phase.
In order to link phase 1 and phase 2, we use the fact that with , the CRS elements of phase 2 are linear combinations of those in phase 1. If we consider , with up to , the largest monomial we’ll find is , since has degree at most . In the first phase, we calculated these powers of , and so can calculate these values by linear combination. We can do the same for: since we have access to and for sufficiently high degrees.
Phase 1
Assuming we have the CRS elements of phase 1, a contribution involves fresh random scalars , and produces the following elements:
Additionally, a contribution includes three proofs:
Checking Correctness
Given purported CRS elements:
We can check their validity by ensuring the following checks hold:
- Check that (the identity element in the respective groups).
- Check that .
- Check that .
- Check that .
- Check that .
- Check that .
Checking Linkedness
To check that CRS elements build off a prior CRS , one checks the included discrete logarithm proofs , via:
Phase 2
Assuming we have the CRS elements of phase 2, a contribution involves a fresh random scalar , and produces the following elements:
Additionally, a contribution includes a proof:
Checking Correctness
Assume that the elements and are known.
Then, given purported CRS elements:
We can check their validity by ensuring the following checks hold:
- Check that (the identity element in the respective groups).
- Check that .
- Check that .
- Check that .
Checking Linkedness
To check that CRS elements build off a prior CRS , one checks the included discrete logarithm proof , via:
Batched Pairing Checks
Very often, we need to check equations of the form: (this would also work if the right hand side is of the form , and vice versa).
This equation is equivalent to checking: If you pick random scalars from a set , then except with probability , this is equivalent to checking: By the homomorphic properties of a pairing, this is the same as:
Instead of checking pairings, we can instead perform MSMs of size , and then pairings, which is more performant.