We will aggregate PVSS proofs with binary fold trees (Merkle-like), producing three recursive proofs that are publicly verifiable and guarantee process integrity without trusting the aggregator:
- Phase 1 (DKG) recursive proof: aggregates all Phase 1 proofs for the honest set H (circuits 0–4). Built in two layers:
  - Per-party tree: for each party i ∈ H, wrap and fold that party’s Phase 1 proofs into a single party_root_i (leaves are the per-circuit proofs; C3a/C3b are represented as folded subtrees for the (H−1) instances).
  - Phase tree: fold all party_root_i (H leaves) into one phase1_root.
- Phase 2 recursive proof: single proof for circuit 5 (pk aggregation), published with pk_agg and linked to Phase 1 via a digest.
- Phase 4 recursive proof: folds H proofs of C6 plus 1 proof of C7 into one phase4_root, published with final_message and linked back via a digest.
Wrappers verify individual leaf proofs under the expected VK (VK-hash hardening) and emit a standardized digest. Folds verify two child proofs and hash-combine their digests up the binary tree until a single root proof remains.
Regarding timing—when to generate wrappers and how to build the aggregation trees—there are two viable approaches:
Merkle-like fold tree in the DKG phase:
- Aggregate everything at the end of the phase
  - Generate all leaf proofs first (C1–C4), then produce all wrappers, then build the full binary fold tree.
  - This is straightforward and works well when H is small, but it creates a large end-of-phase proving spike.
- Incremental aggregation (progressive folding)
  - Build the tree gradually as proofs become available.
  - As soon as a leaf proof is generated, immediately generate its wrapper.
  - Then continuously fold wrappers into partial subtrees (subroots), e.g.:
    - generate C1 → generate W(C1)
    - generate C2 → generate W(C2)
    - fold W(C1) and W(C2) into an intermediate node
  - This spreads proving cost over time, reduces peak load, and lets you finalize the phase root quickly once the last leaves arrive.
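
The digest path of both approaches, as an added sketch that is not code from this project: it shows that progressive folding reaches the same root as the end-of-phase build for any leaf count, and that a wrapper refuses a leaf presented under the wrong VK. SHA-256, the domain tags, the tree shape for odd counts and the sample VK hashes are assumptions; proof verification itself is not modelled, only VK pinning and digest combination.

```python
import hashlib

def h(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256; parts are length-prefixed to avoid ambiguity."""
    m = hashlib.sha256(tag)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

# Constructed placeholder VK hashes, one per leaf circuit (not real keys).
EXPECTED_VK = {c: h(b"vk", c.encode()) for c in ("C1", "C2", "C3a", "C3b", "C4")}

def wrap(circuit: str, vk_hash: bytes, public_inputs: bytes) -> bytes:
    """Wrapper digest; rejects a leaf whose VK hash is not the one pinned for its circuit."""
    if EXPECTED_VK.get(circuit) != vk_hash:
        raise ValueError(f"unexpected VK for {circuit}")
    return h(b"leaf", circuit.encode(), vk_hash, public_inputs)

def fold(left: bytes, right: bytes) -> bytes:
    """Fold digest: order-sensitive combination of two child digests."""
    return h(b"node", left, right)

class ProgressiveFolder:
    """Keeps at most one subroot per tree height, like a binary counter."""
    def __init__(self):
        self.peaks = []  # (height, digest) pairs, heights strictly decreasing

    def push(self, digest: bytes) -> None:
        height = 0
        while self.peaks and self.peaks[-1][0] == height:
            _, left = self.peaks.pop()
            digest, height = fold(left, digest), height + 1
        self.peaks.append((height, digest))

    def root(self) -> bytes:
        """Fold the remaining subroots right to left (non-power-of-two counts)."""
        if not self.peaks:
            raise ValueError("no leaves")
        acc = self.peaks[-1][1]
        for _, d in reversed(self.peaks[:-1]):
            acc = fold(d, acc)
        return acc

def batch_root(leaves: list) -> bytes:
    """End-of-phase build: split at the largest power of two below len(leaves)."""
    if len(leaves) == 1:
        return leaves[0]
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    return fold(batch_root(leaves[:k]), batch_root(leaves[k:]))
```

With H leaves the folder holds at most ⌈log2(H+1)⌉ subroots at any time, so only the final right-to-left folds remain once the last wrapper arrives.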