Proof of correct aggergation of Public keys has several crucial applications such as prove of consensus of a blockchain to resource restricted actors such as light clients and other block chain (i.e. Bridges), it also could be used to implement anonynmous verifiable voting as well as anonymous sigle leader election.
The use of twisetd Edwards coordinates allows that public keys on twisetd edward curves such as Bandersnatch curve could be used directly for aggregation without the need of conversion to short weierstrass coordinate and so decreasing the cost of verification computation.
The use case we were aiming (Bandersnatch curve) is defined over scaler field of BLS12-381 but Plonky3 does not support that. We had to find a suitable twisted edwards curve over Merssenes prime 2^31 -1 to demonsterate the correctness of the algorithm. As addition on twisted Edwards format is not implemented in Sage we had to implement the addition formula also in Sage so we could compute the aggregation to submit to the prover. Correct implemenatation of the Air table was also tricky with the selector bit of row i-1 should dictate the aggregation column of row i. Wrong use of ^ operator in rust as in 2^31 led into a hard to spot bug.
Tracks Applied (2)
Polygon
Discussion