Challenges to clarify

This is a list of problems to solve in order to get confidence in the design:

economical incentives

Whole section on Calypso paper on incentives is based on the fact that we can slash the committees. But that is only true if the chain is slashing them.

system design

  1. Do the shares get aggregated before going onchan ?
  2. → that allows a much cheaper cost for the provider (and thus everyone) but can't retrieve who participated → Can we create a SNARK or stg to show correct computation form the lagrangian coefficients which denote who is participating in the decryption ?

  3. Do the shares get aggregated onchain ? → that allows to penalize & incentivze rushing to decrypt but is costly on chain ? (linear in t)


  1. Do we provider NIZK of correct re-encryption ? if so, how ?
  2. Clear description of the NIZK proof to attach ciphertext to labelled identity so that eve can’t do replay attacks
    1. See rational incentives D.1 section in Calypso paper
  3. Can we use DLEQ offchain to prove correct partial decryption ? And “aggregator” produces proof of correct verification of these DLEQ? Avoiding linear verification onchain is primordial