Optimistically verifiable commitments

Introduction

We describe a protocol which can be used to verify that a commitment has been constructed as expected.

Commitment Schemes

A commitment scheme is a cryptographic protocol with two roles: a prover and a verifier.
The prover computes a commitment to a message and sends the commitment to the verifier, binding the prover to that message.
Examples are cryptographic hashes, Ethereum block headers, and The Graph’s Proof of Indexing.
A challenge is how the verifier can check the correctness of the committed message without requiring the prover to reveal the entire message.
- The correctness of a message and commitment depends on the expectations of the verifier, such as how they are used in a high-level protocol.

Bisection Games

Bisection game is a mechanism designed to efficiently identify and resolve disagreements between different provers in the network, ensuring the integrity and security of the protocols.
The bisection game identifies the first point of disagreement between the alleged sync committee sequences at the leaves of the provers' Merkle trees.
The bisection game ensures that the honest prover eventually wins once an adversarial Merkle tree is challenged at sufficient depth.

Proof of Indexing (PoI), a commitment scheme

PoI is a commitment to data that has been indexed by an indexer.
Currently, the entire dataset must be revealed in order to verify the correctness of the data.
Correctness means that the data committed to was sourced from events, traces, or eth_call, optionally processed by Substreams and that the indexer did not exclude any data.

Refereed games

A protocol with two roles: referee and provers

Commitment Schemes

A commitment scheme is a cryptographic protocol between two parties, a prover and a verifier. The prover computes a commitment to data and sends the commitment to the verifier. The committer's goal is to bind themselves to a message without disclosing it to the verifier. Once a commitment to a message $m$ is made, the committer should be unable to reveal any value other than $m$, which is known as the binding property. Additionally, the commitment should not disclose any information about the message $m$ to the verifier, which is referred to as hiding.