Verify blinding of the key shares

[piotr-roslaniec]

• Implemented in the tpke crate, verify_blinding
• Checks that $e(g, \sum_i(Y_i)) = e(\sum_i(A_i), [b] H)$
• Used to be a part of fast threshold decryption flow
• Currently doesn't work
  • At one point we "fixed" that code by removing the blinding (source). Those changes were temporary - the bliding on main branch is done using a random factor. This factor corresponds to validator's key in ferveo.
  • Removing blinding factor didn't impact verifiabilty (verification didn't work).
• Missing from operation summary in docs

[derekpierre]

Is this done or still ongoing? And is it needed for the initial version?

[piotr-roslaniec]

This is in backlog and not necessary for the initial version since it relates to the fast tDec variant that we don't plan on using. We also don't know if this check is relevant to other variants, and hence this issue is tagged as "research".