MoneroResearch.info


Goodell, B., Salazar, R., Slaughter, F., & Szramowski, L. (2025). A Further Review of the DL Gadget Of Interest. Unpublished manuscript. 
Added by: Rucknium (27/05/2025, 22:17)   
Resource type: Manuscript
BibTeX citation key: Goodell2025
Categories: Monero-focused
Subcategories: Full-Chain Membership Proofs
Creators: Goodell, Salazar, Slaughter, Szramowski
Collection: Cypher Stack
Attachments: follow_up.pdf
URLs: https://github.com ... /divisor_deep_dive
Abstract

Eagen presented a barebones sketch of a scheme for demonstrating the correct computation of sums of points in an elliptic curve group in [Eag22]; the scheme is based on the theory of divisors (which goes back at least to [DW82]). Eagen's approach lends itself to probabilistically checkable proof schemes, especially to efficient full-chain membership proofs for Monero as described in [Par24a]. Bassa investigated further in [Bas24c], [Bas24a], and [Bas24b]. An implementation in Sage by Eagen is at [Eag24]. Eagen's implementation inspired the implementation by Parker in Rust at [Par24a] (Parker's implementation is described in pseudocode by Parker at [Par24b]). These implementations are variations of the protocol described in [Bas24b], and both pass basic correctness tests. The overall approach was commented upon in [BHLS25] as possibly useful in exponent-VRFs. Cypher Stack also wrote a review of [Bas24c] in [CS].


Great material may come from Eagen's work on divisors and Bassa's follow-ups, but more time is necessary. Production deployment of code based on these approaches is premature. We find that the following troubling issues, which range from superficial to serious, have not been fully addressed. We describe the approach at a high level in Section 2, elaborating on our complaints along the way.

  • The informality of the work in [Eag22] leads to an accumulating cascade of unclear reasoning, which in turn leads to unseen complications, weak conclusions, and more.
  • Even after Bassa's clarifications in [Bas24c], [Bas24a], and [Bas24b], there still seem to be some mistakes related to calculus and to the application of the Schwartz-Zippel lemma. Specifically, the verification equations may exclude terms which have no impact on correctness but do impact soundness. These mistakes seem to be restricted to generalizations over higher multiplicities, and they seem to be correctable. Nevertheless, such mistakes would not be caught by typical correctness tests, and fixing them will require a nontrivial amount of work.
  • Even after corrections are made, the resulting scheme is (or rather, the schemes described in [Bas24c], [Eag24], and [Par24a] are) highly malleable and has a non-zero soundness error, introducing unnecessary attack surface and calling the soundness results into question.
