KeysetCommitment


In light client protocols the commitment is to the upcoming validator set and is signed by the current validator set. An honest validator checks the proofs of possession, interpolates with the right padding over the right domain, computes the commitment using the right parameters, and then signs it. The verifier checks the signatures and can trust that the properties hold under some "2/3 honest validators" assumption. Since every honest validator generates the same commitment, the verifier needs to check only the aggregate signature.

Polynomial commitment to the vector of public keys.

Let 'pks' be a vector such that commit(pks) == KeysetCommitment::pks_comm, and let domain_size := KeysetCommitment::domain.size and keyset_size := KeysetCommitment::keyset_size. Then the verifier needs to trust that:

  1. a. pks.len() == KeysetCommitment::domain.size
     b. pks[i] lie in BLS12-377 G1 for i=0,...,domain_size-2
     c. for the 'real' keys pks[i], i=0,...,keyset_size-1, there exist proofs of possession; for the padding, pks[i], i=keyset_size,...,domain_size-2, the dlog is not known, e.g. pks[i] = hash_to_g1("something").

     pks[domain_size-1] is not a part of the relation (not constrained) and can be anything; we set pks[domain_size-1] = (0,0), which is not even a curve point.
  2. KeysetCommitment::domain is the domain used to interpolate pks.

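```solidity
struct KeysetCommitment {
    // Polynomial commitment to the vector of public keys.
    Bw6G1[2] pks_comm;
    // Logarithm of the size of the domain used to interpolate pks.
    uint32 log_domain_size;
}
```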
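
The slot-by-slot conditions in item 1, written as a check a validator could run on a candidate vector before signing its commitment. This is an added example, not code from the project: the point type `P` and the `in_g1`, `has_pop` and `padding_point` hooks are hypothetical stand-ins for the real BLS12-377 operations, and it assumes domain_size = 2^log_domain_size.

```rust
// Added example, not project code. `in_g1`, `has_pop` and `padding_point` are
// hypothetical hooks for the BLS12-377 G1 membership check, the proof-of-possession
// check and the padding derivation. Assumption: domain_size = 2^log_domain_size.
#[derive(Debug, PartialEq)]
pub enum LayoutError {
    BadDomain,
    BadKeysetSize,
    WrongLength { expected: usize, got: usize },
    NotInG1(usize),
    MissingPop(usize),
    BadPadding(usize),
}

/// Checks conditions 1a-1c on a candidate vector `pks`.
pub fn check_layout<P: PartialEq>(
    pks: &[P],
    log_domain_size: u32,
    keyset_size: usize,
    in_g1: impl Fn(&P) -> bool,
    has_pop: impl Fn(usize, &P) -> bool,
    padding_point: impl Fn(usize) -> P,
) -> Result<(), LayoutError> {
    let domain_size = 1usize.checked_shl(log_domain_size).ok_or(LayoutError::BadDomain)?;
    // The last slot is unconstrained, so at most domain_size - 1 real keys fit.
    if keyset_size > domain_size - 1 {
        return Err(LayoutError::BadKeysetSize);
    }
    // 1a: the vector fills the whole domain.
    if pks.len() != domain_size {
        return Err(LayoutError::WrongLength { expected: domain_size, got: pks.len() });
    }
    for (i, pk) in pks.iter().enumerate().take(domain_size - 1) {
        // 1b: every constrained slot holds a G1 point.
        if !in_g1(pk) {
            return Err(LayoutError::NotInG1(i));
        }
        if i < keyset_size {
            // 1c: a real key needs a proof of possession.
            if !has_pop(i, pk) {
                return Err(LayoutError::MissingPop(i));
            }
        } else if *pk != padding_point(i) {
            // 1c: padding must be the agreed point whose dlog nobody knows.
            return Err(LayoutError::BadPadding(i));
        }
    }
    // pks[domain_size - 1] is deliberately not inspected.
    Ok(())
}
```

The loop stops at index domain_size-2, so a vector whose last slot holds an arbitrary value passes, while a padding slot holding any point other than the agreed one is rejected.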