You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: report/src/sections/04-Approach.tex
+10-3Lines changed: 10 additions & 3 deletions
Original file line number
Diff line number
Diff line change
@@ -297,7 +297,7 @@ \subsubsection{CAAUdleproofs}
297
297
Curdleproofs' implementation is simpler than CAAUrdleproofs' in this case.
298
298
As Curdleproofs works on powers of two, it is always the right half of the vectors in each round that are multiplied by the challenge.
299
299
300
-
The multiplication of challenges are not as easily trackable in the CAAUrdleproofs protocol.
300
+
The multiplication of challenges on each element is not as easily trackable in the CAAUrdleproofs protocol.
301
301
Here, it is necessary to simulate a run though the recursive protocol.
302
302
Though, this should not have a big impact on performance, as it is run over vectors of small integers, and never actually has to do any multiplications.
So, the modifications and optimization used on the~\gls{sameperm} argument are also used on the~\gls{samemsm} argument.
371
371
This includes the split into set $T$ and $S$ before recursion, and the construction of the bit matrix,~$b_{i,j}$, to keep track of multiplications on individual elements.
372
372
373
+
It is also worth noting that the concatenation of $T$ and $S$ in the recursive phase, lines 26--29 in~\autoref{lst:ipa-prover}, is handled effectively in the code.
374
+
Instead of concatenating, the computation uses pointers to the original vector, so it never practically concatenates.
375
+
376
+
The code is also using the fact that the used scheme function will always end up with vectors being a power of two after the first round.
377
+
So, after the first round of recursion, we use the same code as Curdleproofs to run the rest of the protocol.
373
378
374
379
\subsubsection{Shuffle Security}
375
380
As mentioned in~\autoref{subsec:approach-shuffle-security}, the theoretically proven bound, on the necessary number of shuffles to ensure security is too high.
We first set our focus on Curdleproofs, as this is the protocol we have modified directly.
400
405
As mentioned in~\autoref{sec:background-zkps}, the size of Curdleproofs is $18+10\log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
401
406
The dependence on the $\log$ stems from the number of recursive rounds that take place in the~\gls{sameperm} and~\gls{samemsm} proofs.
407
+
The addition of four elements in the $\log$ stems from the protocol needing those as blinders.
408
+
Hence, at a proof of size 128, $\ell$ is 124.
402
409
In the proof of theorem 1, we show CAAUrdleproofs to be $\mathcal{O}(\log n)$.
403
410
This means that the size of CAAUrdleproofs must be $18+10\lceil\log(\ell+4)\rceil\mathbb{G}$, $7\mathbb{F}$.
404
411
405
412
CAAUrdleproofs therefore has the same proof size as Curdleproofs.
406
413
407
414
The CAAUrdleproofs modification can still reduce the overall block size overhead, though.
408
-
Using Whisk with CAAUrdleproofs has a block size of $17.04$ KB, when the shuffle size is 128\cite{Whisk2024}.
415
+
Using Whisk with CAAUrdleproofs has a block size of $16.656$ KB, when the shuffle size is 128\cite{Whisk2024}.
409
416
Note that this is the same size as Curdleproofs, as the shuffle size is a power of 2.
410
417
The calculation of the block size comes from the following, where $\mathbb{G}=48$ bytes and $\mathbb{F}=32$ bytes\footnote{\text{As noted in the code on the Curdleproofs GitHub repository: }\\\href{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}. Accessed: 26/05/2025}:
411
418
\begin{itemize}
412
-
\item List of shuffled trackers ($\ell\cdot96\Rightarrow\text{eg. }128\cdot96=12,288$ bytes).
419
+
\item List of shuffled trackers ($\ell\cdot96\Rightarrow\text{eg. }124\cdot96=11,904$ bytes).
Copy file name to clipboardExpand all lines: report/src/sections/06-results.tex
+25-21Lines changed: 25 additions & 21 deletions
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,8 @@
1
1
\section{Results}\label{sec:results}
2
2
\subsection{Proving and Verifying Times}\label{subsec:results:provingverifying}
3
3
4
+
After running the experiment where Curdleproofs and CAAUrdleproofs were compared across different shuffle sizes, we got the results shown in \autoref{fig:resulttimes}.
@@ -10,18 +12,20 @@ \subsection{Proving and Verifying Times}\label{subsec:results:provingverifying}
10
12
\label{fig:resulttimes}%
11
13
\end{figure*}
12
14
13
-
After running the experiment where Curdleproofs and CAAUrdleproofs were compared across different shuffle sizes, we obtained the results shown in \autoref{fig:resulttimes}.
14
-
15
-
As mentioned in \autoref{sec:CAAUrdleproof-experiment}, CAAUdleproofs was run with a shuffle size $\ell$ of $\{8,9,\dots,256\}$ but Curdleproofs was only run with a shuffle size $\ell$ of $\{8,16,32,64,128,256\}$.
16
-
This is why the results for Curdleproofs show the shuffle size, $\ell$, instantly goes up to the next power of 2, because it theoretically would have to pad the input set until it reached the next power of 2.
15
+
As mentioned in \autoref{sec:CAAUrdleproof-experiment}, CAAUrdleproofs was run with a shuffle size $\ell$ of $\{8,9,\dots,256\}$.
16
+
Curdleproofs was only run with a shuffle size $\ell$ of $\{8,16,32,64,128,256\}$, as it is only able to run in powers of 2.
17
+
This is why the results for Curdleproofs show the shuffle size,~$\ell$, instantly going up to the next power of 2, because it theoretically would have to pad the input set until it reached the next power of 2.
17
18
18
-
From the results, we can see that CAAUrdleproofs and Curdleproofs have similar proving and verifying times when $\ell$ is a power of 2.
19
-
However, when $\ell$ is not a power of 2, CAAUrdleproofs is faster.
19
+
From the results, we can see that CAAUrdleproofs and Curdleproofs have similar proving and verifying times when~$\ell$ is a power of 2.
20
+
However, when~$\ell$ is not a power of 2, CAAUrdleproofs is faster.
21
+
When $\ell$ is below a power of 2, we see that the performance advantage of CAAUrdleproofs contra Curdleproofs grows the lower~$\ell$ is.
20
22
21
-
The results for the verifying time also shows that the verifying time jumps up the first four times it reaches a power of 2.
23
+
The results for the verifying time also show that the verifying time jumps up quite significantly the first four times it reaches a power of 2.
24
+
Though, this seems to not be the case, at least not as aggressively, when increasing $\ell$ from 128.
25
+
We find, however, that the bump is smaller the higher $\ell$ is.
22
26
23
-
Additional to the proving and verifying times, the time used on shuffling is also lower for any $\ell$ that is not a power of 2.
24
-
Though, that was to be expected since CAAUrdleproofs uses the same shuffling algorithm as Curdleproofs but does not have to add additional padding values to the nonpower of 2 input sizes.
27
+
Additional to the proving and verifying times, the time used on shuffling is also lower for any $\ell$ that is not a power of 2; see~\autoref{sec:shuffling-results}.
28
+
Though, that was to be expected since CAAUrdleproofs uses the same shuffling algorithm as Curdleproofs, but does not have to add additional padding to the non-power of 2 input sizes.
We can see that the bigger the shuffle size $\ell$ is, the less honest shuffles are necessary to make the shuffle secure.
45
49
In Ethereum, each shuffling phase is limited to 8192 shuffles, meaning that the maximum number of honest shuffles that can be used is 8192.
46
50
Therefore, the results of the experiment also find $T_H=T-\beta$.
47
-
This is how many of the $T$ shuffles, available during the shuffling phase, are needed to be honest, $T_H$, shuffles.
51
+
This is how many of the $T$ shuffles, available during the shuffling phase, are needed to be honest~$T_H$ shuffles.
48
52
The rest could then be the number of dishonest shuffles,~$\beta$.
49
-
We also see that the bigger the shuffle size the narrower the standard deviation gets.
53
+
We also see that the bigger the shuffle size, the narrower the standard deviation gets.
50
54
51
-
From the results of the experiment with$\alpha=8192$ we can see that number of honest shuffles necessary to make the shuffle secure sharply goes down until a size of $\ell=64$, and then it starts to flatten out.
55
+
From the results of the experiment, with~$\alpha=8192$ we can see that the number of honest shuffles necessary to make the shuffle secure sharply goes down until the size of $\ell=64$, and then it starts to flatten out.
52
56
we can see that with a size of $\ell=75$ we need about 1/3 of the shuffles to be honest to make the shuffle secure.
53
-
Likewise, we can see the at$\ell=108$ we need about 1/4 of the shuffles to be honest to make the shuffle secure.
54
-
55
-
In general all three of the experiments, despite the difference in $\alpha$, show the same trend.
56
-
They all level out but the higher the $\alpha$ is, the lower the leveling happens but the later it happens as well.
57
-
There are two things however that are different between the experiments.
58
-
At an$\alpha$ of 4096 we can see that at the start, with $\ell=32$, the mean number of honest shuffles necessary to make the shuffle secure is $\sim500$ lower than the 2 others.
59
-
As$\ell$ increases, the mean number of honest shuffles necessary to make the shuffle secure becomes similar to the other $\alpha$ values.
60
-
Another thing that differs between the experiments is that they all have sudden dip later on in the experiment.
61
-
Here we can see a trend that the lower the~$\alpha$ is, the earlier the dip happens.
57
+
Likewise, we see that at~$\ell=108$ we need about 1/4 of the shuffles to be honest to make the shuffle secure.
58
+
59
+
In general, all three of the experiments, despite the difference in $\alpha$, show the same trend.
60
+
They all level out, but the higher~$\alpha$ is, the lower the leveling happens, but the later it happens as well.
61
+
There are two things, however, that are different between the experiments.
62
+
At an~$\alpha$ of 4096 we see that at the start, with $\ell=32$, the mean number of honest shuffles necessary to make the shuffle secure is $\sim500$ lower than the 2 others.
63
+
As~$\ell$ increases, the mean number of honest shuffles necessary to make the shuffle secure becomes similar to the other $\alpha$ values.
64
+
Another thing that differs between the experiments is that they all have a sudden dip in higher $\ell$ values in the experiment.
65
+
Here we see a trend that the lower the~$\alpha$ is, the earlier the dip happens.
\subsection{CAAUrdleproofs in comparison to Curdleproofs}\label{subsec:CAAUrdleproofs-vs-Curdleproofs}
9
-
10
-
11
-
9
+
As mentioned in~\autoref{subsec:results:provingverifying}, the proving and verifying times between the two protocols are close to identical when $\ell$ is a power of two.
10
+
We expect that this is because the added computation is negligible compared to other computations that are present in the original Curdleproofs protocol.
11
+
12
+
On the prover, there is the addition of the scheme function from Springproofs.
13
+
Though, as seen in~\autoref{lst:schemefunc}, the scheme function only makes integer calculations based on $n$, and hence should have a negligible impact compared to the cryptographic group computations.
14
+
In addition to that, mentioned in~\autoref{subsec:approach-implementation}, the vector is never practically split in two but instead uses pointers.
15
+
Therefore, we avoid having to add new variables to memory in every round.
16
+
17
+
Also, we mentioned in~\autoref{subsec:approach-implementation} that, every round after the first, runs the same code as Curdleproofs.
18
+
Thus, only the first round should be able to introduce some computational overhead.
19
+
But, as mentioned before, the overhead should be negligible.
20
+
21
+
The same kind of explanation can be used to describe the same scenario at powers of two on the verifier side.
22
+
Looking at~\autoref{lst:ipa-verifier-optimized}(b), we see that the only difference in computation between CAAUrdleproofs and Curdleproofs stems from the calculation of $\mathbf{s}$.
23
+
Comparing line 29 and lines 33--47, it becomes clear that both ways work in $\mathcal{O}(n\log n)$, as they do $m$ computations for each of the $n$ elements.
24
+
CAAUrdleproofs does, however, need some more integer variables for splitting as well as an array for keeping track of the vector elements' active positions during recursion.
25
+
Nevertheless,~\autoref{fig:resulttimes}(b) shows that this does not have a big, if any, impact on the running time.
26
+
27
+
However, as mentioned in~\autoref{subsec:results:provingverifying}, when~$\ell$ is just above a power of two, we see some more aggressively increasing verifying times.
28
+
We expect this to be a result of~$m$ being set to~$\lceil\log n\rceil$ in line 8 of~\autoref{lst:ipa-verifier-optimized}.
29
+
E.g., when~$\ell$ is~$65$, it will have to handle computations from an additional recursive round, in comparison to when~$\ell$ is~$64$.
30
+
Additionally, this also explains why the increase in running time flattens when~$\ell$ is increases.
31
+
32
+
Though the pattern shows that this bump has a decreasing impact on the running time, the higher $\ell$ is, as mentioned in~\autoref{subsec:results:provingverifying}.
33
+
In theory, the addition of an extra proof element should introduce a constant amount of work for the verifier.
34
+
35
+
Therefore, we believe this to be an artifact of memory optimizations done either by hardware or Rust.
36
+
This could, for instance, include pre-fetching, in which the memory system can optimize access if it suspects some values in memory are going to be used some time later on\footnote{\href{https://doc.rust-lang.org/core/arch/aarch64/fn._prefetch.html}{https://doc.rust-lang.org/core/arch/aarc.h64/fn.\_prefetch.html} — Accessed: 29/05/2025}.
37
+
As $\ell$ increases, the memory system will have more data to predict and optimize memory access.
When looking at the results of the shuffle security experiment in \autoref{fig:shufflesecurity} and \autoref{fig:shufflesecurityviolin}, we can see that when taking into account the standard deviation, the shuffle can still be secure with an~$\ell$ as low as 32 within the 8192 shuffles available.
0 commit comments