Good point. It suffices for a single collation body to be unavailable for the BLS signature to be unfalsifiable. We could strengthen the BLS scheme with a SNARK/STARK that the BLS signature faithfully corresponds to B. At that point both the XOR scheme and the BLS scheme follow the same recipe:
1. Split B into small chunks B[0], ..., B[n].
2. For each chunk apply some mixing function on (B[i], P):
   - For the XOR scheme that’s $(B[i], P) \mapsto \textrm{SHA3}(B[i] \oplus P)$
   - For the BLS scheme that’s $(B[i], P) \mapsto \textrm{sig}(B[i], P)$
3. Merge the mixed chunks into a succinct object
4. Prove with a SNARK/STARK that the succinct object is faithful
Although this recipe works well for honest-but-lazy validators, I don’t think step 2) works in the context of bribed validators because of MPCs that allow a validator and a briber to compute f(B[i], P) without the briber revealing B[i] (withholding B[i]) and without the validator revealing P.
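
The first three steps of the recipe for the XOR scheme, as an added example that is not part of the original post. The chunk size, zero-padding of the last chunk, a secret P of exactly one chunk length, and merging by hashing the concatenated mixed chunks are all assumptions, and the SNARK/STARK step is left out.

```python
import hashlib

CHUNK_SIZE = 32  # assumed chunk length in bytes; the post does not fix one


def split_chunks(body: bytes, size: int = CHUNK_SIZE) -> list:
    """Step 1: split B into B[0..n], zero-padding the last chunk (assumption)."""
    if not body:
        raise ValueError("empty collation body")
    padded = body + b"\x00" * (-len(body) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def mix_xor(chunk: bytes, secret: bytes) -> bytes:
    """Step 2, XOR scheme: (B[i], P) -> SHA3(B[i] xor P)."""
    if len(secret) != len(chunk):
        raise ValueError("P must be exactly one chunk long in this sketch")
    xored = bytes(b ^ p for b, p in zip(chunk, secret))
    return hashlib.sha3_256(xored).digest()


def merge(mixed: list) -> bytes:
    """Step 3: fold the mixed chunks into one succinct 32-byte object.

    Hashing the concatenation is an assumed merge rule, chosen for brevity.
    """
    return hashlib.sha3_256(b"".join(mixed)).digest()


def custody_object(body: bytes, secret: bytes) -> bytes:
    """Steps 1-3 end to end: needs every chunk of B and the validator's P."""
    return merge([mix_xor(c, secret) for c in split_chunks(body)])


if __name__ == "__main__":
    # Constructed sample inputs: a 100-byte body and two validator secrets.
    body = bytes(range(100))
    p_a, p_b = b"\x01" * CHUNK_SIZE, b"\x02" * CHUNK_SIZE
    print(custody_object(body, p_a).hex())
    print(custody_object(body, p_b).hex())
```
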