### SetupPick a random toxic waste.`α`Generate t+1 public key tuple.`PK

1. ### Setup
2.  
3. Pick a random toxic waste.
4.  
5. `α`
6.  
7. Generate t+1 public key tuple.
8.  
9. `PK = (G, αG, (α^2)G, ... (α^t)G)`
10.  
11. Generate the set for valid numbers [0,k) as polynomial, where t >= k.
12.  
13.  
14. `ϕ(x) = Π(x-j) = Σ(ϕ_j)(x^j)`
15.  
16. Commit to the polynomial.
17.  
18. `P = ϕ(α) = Σ(ϕ_j)(α^j)G`
19.  
20. Reference string `αG` and Point `P` which is a blind eveluation of polynomial `ϕ(x)` are stored on a public machine.
21.  
22.  
23. ### Pedersen Commitment
24.  
25. Generate secondary independent group genarator.
26.  
27. `H = λG`
28.  
29. Note that `λ` is unknown and infeasible to calculate.
30.  
31. Commit to a number `i` which must be a root of the committed polynomial.
32.  
33. `C = iG+rH`
34.  
35. `r` is a random blinding factor that is only know by a player who prepares the commitment.
36.  
37. ### Witness
38.  
39. `ψ(x) = (ϕ(x)-ϕ(i))/(x-i)`
40.  
41. Coefficients of `ψ(x)`, `(ψ_0, ψ_i, ... ψ_n)` can be calulated with O(nlogn) using FFT interpolation.
42.  
43. Set membership is defined as `ϕ(i) = 0`, so our equation becomes,
44.  
45. `ψ(x) = ϕ(x)/(x-i)`
46.  
47. And the witness point can be calculated as,
48.  
49. `W = ψ(α) = Σ(ψ_j)(α^j)G`
50.  
51.  
52. ### Neutralizing
53.  
54. Given, public points `(P, αG)` and witnesses `(W, iG)` the equation, `P = W(αG-iG)` can be satisfied.
55.  
56. `e(P,g) = e(W, (αG-iG))`
57.  
58. However, we use pedersen commitments `(iG+rH)` instead of plain public keys `iG`. So, we need to cut off `rH` part of the commitment.
59.  
60. ```
61. e(P,g) = e(W,(αG-C))e(H,rW)
62. ϕ(α) = ψ(α)(α-(i+λr))+λrψ(α)
63. ϕ(α) = αψ(α)-iψ(α)
64. ϕ(α) = ψ(α)(α-i)
65. ```
66.  
67. ### Randomizing
68.  
69. At this point, a player who makes the commit should provide, `(W, C, rW)`
70.  
71. However, we don't want to reveal `W` without blinding, since our valid number set is so small to easily calculate the queried number `i`.
72.  
73. Player picks a random scalar `a` in order to randomize the witness.
74.  
75. ```
76. A = ϕ(α)
77. B = ψ(α)(α-(i+λr))
78. C = λrψ(α)
79. A = B + C
80. aA = aB + aC
81. ```
82.  
83. Pairing equation becomes,
84.  
85. ```
86. e(aP,g) = e(aW,(αG-C))e(H,arW)
87. aϕ(α) = aψ(α)(α-(i+λr))+λarψ(α)
88. ϕ(α) = ψ(α)(α-(i+λr))+λrψ(α)
89. ϕ(α) = αψ(α)-iψ(α)
90. ϕ(α) = ψ(α)(α-i)
91. ```
92.  
93. Now, the player must provide `(aP, aW, C, arW)` tuple for satisfy the equation.
94.  
95. Further, for the point `aP` in the proof tuple, the player also should provide knowlegde of `a` with a simple signature on P.