This is a list of problems to solve in order to get confidence in the design:
The whole incentives section of the Calypso paper rests on the assumption that we can slash the committee members. But that only holds if the chain actually slashes them.
- Do the shares get aggregated before going on-chain? → much cheaper for the provider (and thus for everyone), but the chain cannot tell who participated → can we build a SNARK or something similar to prove correct computation from the Lagrange coefficients, which encode who took part in the decryption?
- Do the shares get aggregated on-chain? → lets us penalize and incentivize rushing to decrypt, but it is costly on-chain (linear in t).
- Do we provide a NIZK of correct re-encryption? If so, how?
- Clear description of the NIZK proof that binds the ciphertext to a labelled identity, so that Eve cannot mount replay attacks.
- See the rational incentives section (D.1) in the Calypso paper.
- Can we use DLEQ off-chain to prove correct partial decryption, with an "aggregator" producing a proof that it verified all those DLEQ proofs correctly? Avoiding linear verification on-chain is essential.
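As an added example (not code from the Calypso paper or project), the last point and the "who participated" question worked through in Python: each share holder attaches a DLEQ (Chaum-Pedersen) proof to its partial decryption, and an off-chain aggregator verifies the proofs and Lagrange-combines only the valid shares, so it can also report which holders took part. It assumes a toy-sized constructed group (p = 1019, q = 509, generator 4) that is not secure, and a plain Fiat-Shamir hash for the challenge.

```python
# Toy threshold ElGamal with DLEQ proofs of correct partial decryption (added example).
import hashlib, secrets

P, Q, G = 1019, 509, 4   # constructed toy safe prime p = 2q+1 and an order-q generator (NOT secure)

def hash_to_q(*vals):
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def dleq_prove(x, g, h):
    """Prove log_g(g^x) == log_h(h^x) (Fiat-Shamir) without revealing x."""
    r = secrets.randbelow(Q - 1) + 1
    a, b, t1, t2 = pow(g, x, P), pow(h, x, P), pow(g, r, P), pow(h, r, P)
    c = hash_to_q(g, h, a, b, t1, t2)
    return c, (r + c * x) % Q

def dleq_verify(g, h, a, b, proof):
    c, s = proof
    t1 = pow(g, s, P) * pow(a, Q - c, P) % P   # g^s * a^-c  (a^-c == a^(Q-c) since a has order Q)
    t2 = pow(h, s, P) * pow(b, Q - c, P) % P
    return c == hash_to_q(g, h, a, b, t1, t2)

def share_secret(x, t, n):
    # Shamir shares of x over Z_Q: holder i gets f(i) for a random polynomial of degree t-1
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}

def encrypt(pk, m):
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), m * pow(pk, k, P) % P          # (c1, c2) = (G^k, m * pk^k)

def partial_decrypt(i, x_i, c1):
    """Holder i returns d_i = c1^x_i plus a DLEQ proof that log_G(pk_i) == log_c1(d_i)."""
    return i, pow(c1, x_i, P), dleq_prove(x_i, G, c1)

def aggregate(shares, pks, c1, c2, t):
    """Off-chain aggregator: keep shares with valid DLEQ proofs, then Lagrange-combine.
    Returns (plaintext, ids of participating holders), or None if fewer than t are valid."""
    good = [(i, d) for i, d, pr in shares if dleq_verify(G, c1, pks[i], d, pr)]
    if len(good) < t:
        return None
    ids, acc = [i for i, _ in good], 1
    for i, d in good:
        lam = 1                                          # Lagrange coefficient of holder i at 0
        for j in ids:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        acc = acc * pow(d, lam, P) % P                   # prod d_i^lam_i == c1^x == pk^k
    return c2 * pow(acc, -1, P) % P, ids
```

The ids list is exactly the information an on-chain aggregation would get for free and an off-chain one must prove; a SNARK over aggregate() is what the third point above asks for.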