Jeff Burdges

Results 808 comments of Jeff Burdges

Yes, doing so is a straightforward sequential trusted setup. Each stage proves correctness using `E::pairing(params.powers_of*_g[i],params.h) = E::pairing(params.powers_of*_g[i+1],E::G2Affine::prime_subgroup_generator())` etc, although Schnorr DLEQ proofs sound faster.

Assuming hacspec crates adopt the multi-file rust module system, maybe one needs an alternative top level build target, meaning `hacspec.rs` replaces `lib.rs` and then `use`s modules being verified. As an...

I'd think transcripts are easier than arbitrary persistent data, but rust code should always access them via mutable borrows. I've not yet looked at how F* handles persistent data, but...

Is this so common as to warrant an `iproduct!` like convenience macro? It's easy enough to do this now with `std::iter::repeat([false, true].iter()).take(dim).multi_cartesian_product()` right?

You might want `+`, `*`, etc. defined, which prevents using a type alias. You might check into using both `Vec` and `SmallVec` with roughly: ``` pub struct Polynomial(V) where E:...

Oh? It's true the related keys created by soft derivations are a minefield. You basically need all security proofs to address related keys.

Jubjub or BLS or some zk thing? If JubJub, then Schnorr multi-sigs require three round trips between all signers. I've included references with the schnorrkel musig implementation on Ristretto https://github.com/w3f/schnorrkel/blob/master/src/musig.rs...

You might find https://github.com/w3f/schnorrkel/blob/master/src/musig.rs useful then since it already expresses the musig protocol in session types.

I'm unsure how your backend would catch these, but you could have some preparation builder presumably.

We're quite interested in optimizations to the GF(2^16) arithmetic. I'm not convinced the sum of logs optimization is being used quite right, although I've not had the time to dig...