Merge pull request #29 from AAU-Dat/danielechanges

ironmand123 · web-flow · commit 0c7b7b227535 · 2025-06-02T08:41:56.000+02:00
Danielechanges
diff --git a/report/src/sections/00-abstract.tex b/report/src/sections/00-abstract.tex
@@ -1,6 +1,6 @@
 
 \begin{abstract}
-    This is the abstract~\gls{zkp}~\cite{greenwade1993}.
+    This is the abstract~\cite{greenwade1993}.
 \end{abstract}
 
 \begin{IEEEkeywords}
diff --git a/report/src/sections/02-background.tex b/report/src/sections/02-background.tex
@@ -1,5 +1,5 @@
 \section{Background}\label{sec:background}
-In this section, we provide the necessary background information on Ethereum and a specific attack it is vulnerable to, the Curdleproofs protocol~\cite{Curdleproofs}, and the Whisk protocol~\cite{Whisk2024}
+In this section, we provide the necessary background information on Ethereum and a specific attack it is vulnerable to, the Whisk protocol~\cite{Whisk2024}, and the Curdleproofs protocol~\cite{Curdleproofs} used in Whisk.
 
 The notation used throughout this paper can be seen in~\autoref{tab:notation}.
 \begin{table*}[!htb]
@@ -30,13 +30,13 @@ \section{Background}\label{sec:background}
         $\mathbf{a}\times \mathbf{b}=\sum_{i=1}^n a_i\cdot b_i$
         & Inner product of $\mathbf{a},\mathbf{b}\in\mathbb{F}^n$ \\
         \hline
-        $\mathbf{G}=(g_1,\dots,g_n)\in\mathbb{G}^n,\mathbf{G'}=(g'_1,\dots,g'_n)\in\mathbb{G}^n$
+        $\mathbf{g}=(g_1,\dots,g_n)\in\mathbb{G}^n,\mathbf{g'}=(g'_1,\dots,g'_n)\in\mathbb{G}^n$
         & Vectors of generators (for Pedersen commitments) \\
         \hline
         $A=a\times G=\sum_{i=1}^n a_i\cdot G_i$
         & Binding (but not hiding) commitment to $a\in\mathbb{Z}_p^n\in $ \\
         \hline
-        $\mathbf{r}_A\in\mathbb{Z}^n$ & Blinding factors, e.g.\ $A=\mathbf{a}\times\mathbf{G} + \mathbf{r}_A \times \mathbf{G}$ is a Pedersen commitment to $\mathbf{a}$ \\
+        $\mathbf{r}_A\in\mathbb{Z}^n$ & Blinding factors, e.g.\ $A=\mathbf{a}\times\mathbf{g} + \mathbf{r}_A \times \mathbf{g}$ is a Pedersen commitment to $\mathbf{a}$ \\
         \hline
         $\mathbf{a}\parallel \mathbf{b}\in\mathbb{Z}_p^{n+m}$
         & Concatenation: if $\mathbf{a}\in\mathbb{Z}_p^n$, $\mathbf{b}\in\mathbb{Z}_p^m$, then $\mathbf{a}\parallel \mathbf{b}\in\mathbb{Z}_p^{n+m}$ \\
@@ -61,19 +61,41 @@ \section{Background}\label{sec:background}
  Given a finite, multiplicative cyclic group $\mathbb{G}$ of prime order $p$, the decisional Diffie-Hellman problem is defined as follows: Given $(g^a,g^b,g^c)\in\mathbb{G}$, where $g$ is a generator of $\mathbb{G}$ and $a,b,c\in\mathbb{Z}_p$, decide whether $c=ab$.
 \end{definition}
 
+\subsection{Zero-knowledge proofs}\label{sec:background-zkps}
+Before explaining the protocol, we must mention that Curdleproofs, and hence also Whisk, is a~\gls{zkp} system.
+It is a system that allows a prover to convince a verifier that they know a secret without revealing the secret itself.
+Within the context of Ethereum, it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
+Whisk uses Curdleproofs to prove the validity of a shuffle.
+
+\begin{definition}[Zero-Knowledge Argument of Knowledge]
+    An argument $(Setup, P, V)$ is a zero-knowledge argument of knowledge of a relation $\mathbb{R}$ if it satisfies completeness, knowledge-soundness and is honest-verifier zero-knowledge.
+\end{definition}
+
+Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in Appendix~\ref{sec:appendix}.
+
+Also, two of three proofs that make up Curdleproofs are~\glspl{ipa}.
+These are also~\glspl{zkp}, and will be the focus of this paper.
+Hence, we provide a definition on~\glspl{ipa}.
+
+\begin{definition}[Inner Product Argument]
+    The argument takes as input two binding vector commitments $C=\mathbf{c}\times\mathbf{g}\in\mathbb{G}$ and $D=\mathbf{d}\times\mathbf{g'}\in\mathbb{G}$ to the vectors $\mathbf{c},\mathbf{d}\in\mathbb{Z}_p^n$ and $z\in\mathbb{Z}_p$.
+    The goal is to prove that $z=\mathbf{c}\times\mathbf{d}$.
+    The argument has logarithmic communication by halving the dimensions of $\mathbf{c}$ and $\mathbf{d}$ in each iteration.
+\end{definition}
+
 \subsection{Whisk}\label{subsec:related-work-whisk}
-Ethereum uses a proof-of-stake consensus mechanism, which allows users to validate transactions and create new blocks by staking their Ether (ETH) tokens.
-The Proof-of stake protocol works in epochs of 32 slots, where each slot is 12 seconds long.
+Ethereum uses a~\gls{pos} consensus mechanism, which allows users to validate transactions and create new blocks by staking their~\gls{eth} tokens.
+The~\gls{pos} protocol works in epochs of 32 slots, where slots are 12 seconds long.
 In each slot a proposer is chosen to propose a block thereby allowing the network to reach consensus on the state of the blockchain.
 
-The proposer~\gls{dos} attack is a type of attack that targets the block proposers making them unable to propose blocks.
+The proposer~\gls{dos} attack is a type of attack that targets the block proposers, making them unable to propose blocks.
 An adversary can use the proposer~\gls{dos} attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their own rewards~\cite{EthereumSSLE2024}.
-As a response to the proposer~\gls{dos} attack, Ethereum has proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack.
+As a response to the proposer~\gls{dos} attack, Ethereum proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack.
 An attack on the Ethereum network that was discovered by Heimbach et al.~\cite{heimbach2024deanonymizingethereumvalidatorsp2p} is the deanonymization attack on validators.
-In our preliminary work~\cite{ouroldpaper}, we have shown that the attack is still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed.
+In our preliminary work~\cite{ouroldpaper}, we show that the attack is still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed.
 
 
-Whisk is a~\gls{zk}~\gls{ssle} system that uses a~\gls{zk} argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle without revealing the input or output~\cite{10.1145/3419614.3423258}.
+Whisk is a~\gls{zk}~\gls{ssle} system that uses a~\gls{zk} argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle with size $\ell$ without revealing the input or output~\cite{10.1145/3419614.3423258}.
 Whisk works by selecting a list of 16,384 validator trackers and shuffles them over 8,192 slots ($\sim$1 day).
 Then 8,192 proposers are selected from the shuffled list to propose blocks for the next 8,192 slots while a new list is being shuffled.
 This way a new list of proposers is created every day.
@@ -112,9 +134,9 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
         \node  at (2.4,4) {A=$\sigma(\mathbf{a})\times \mathbf{g}$};
         \node  at (2.4,3.5) {$M=\sigma(1,2,\dots,\ell)\times \mathbf{g}$};
         \node [font=\large] at (5.75,4.5) {SameMSM};
-        \node  at (5.75,4) {$A=\mathbf{c}\times \mathbf{g}$};
-        \node  at (5.75,3.5) {$T=\mathbf{c}\times \mathbf{T}$};
-        \node  at (5.75,3) {$U=\mathbf{c}\times \mathbf{U}$};
+        \node  at (5.75,4) {$A=\mathbf{v}\times \mathbf{g}$};
+        \node  at (5.75,3.5) {$T=\mathbf{v}\times \mathbf{T}$};
+        \node  at (5.75,3) {$U=\mathbf{v}\times \mathbf{U}$};
         \node [font=\large] at (8.5,4.5) {SameScalar};
         \node  at (8.5,4) {$T=k(\mathbf{a}\times \mathbf{R})$};
         \node  at (8.5,3.5) {$U=k(\mathbf{a}\times \mathbf{S})$};
@@ -133,57 +155,37 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
 \end{figure}
 
 The first proof is the~\gls{sameperm} proof.
-The prover first constructs a commitment to the permutation, $\sigma()$, by saying $M=\sigma(1,2,\dots,\ell)\times\mathbf{g}$.
-Then, using the Fiat-Shamir transformation, a challenge, $\mathbf{a}$, from public inputs is constructed, and a new commitment is made from that, $A=\sigma(\mathbf{a})\times\mathbf{g}$.
-The~\gls{sameperm} proof now consists of convincing the verifier that the same permutation was used for constructing commitment $A$ and $M$.
+The prover first constructs a commitment to the permutation,~$\sigma()$, by saying $M=\sigma(1,2,\dots,\ell)\times\mathbf{g}$, where~$\ell$ is the number of shuffled trackers, and $\mathbf{g}$ is a vector of cryptographic generators.
+Then, using the Fiat-Shamir transformation, a challenge,~$\mathbf{a}$, from public inputs is constructed, and a new commitment is made from that, $A=\sigma(\mathbf{a})\times\mathbf{g}$.
+The~\gls{sameperm} proof consists of convincing the verifier that the same permutation was used for constructing the commitments $A$ and $M$.
 To do this, the two commitments are used to construct a polynomial equation.
 Then Neff's trick~\cite{10.1145/501983.502000} is used, which observes that two polynomials are equal iff.\ their roots are the same up to permutation.
 
-To prove that, the protocol makes use of a grand product argument.
-To prove that argument, Curdleproofs compiles it down to an~\gls{ipa} by expressing each multiplication of the grand product as its own equation.
-This~\gls{ipa} stems from the protocol originally proposed by Bootle et al.~\cite{cryptoeprint:2016/263,Curdleproofs}
+In order to show this, the protocol makes use of a~\gls{grandprod} argument.
+To prove that argument, Curdleproofs compiles it down to a~\gls{dlipa} by expressing each multiplication of the grand product as its own equation.
+The proof of the~\gls{dlipa} then stems from the protocol originally proposed by Bootle et al.~\cite{cryptoeprint:2016/263,Curdleproofs}
 
-Hence, the~\gls{sameperm} proof is done if the prover can prove the~\gls{ipa}.
+Hence, the~\gls{sameperm} proof is done if the prover can prove the~\gls{dlipa}.
 
 
 The second proof is a~\gls{samemsm} argument.
-The prover should by now have proven the existence of the permutation.
-Now, the goal of the~\gls{samemsm} argument is to prove that the output ciphertext set was constructed with the same permutation, here called multiscalar, committed to in commitment $A$.
-As the multiscalar is a vector this argument is an~\gls{ipa} by nature, contrary to the~\gls{sameperm} argument.
+The prover has proven the existence of the permutation.
+Now, the goal of the~\gls{samemsm} argument is to prove that the output ciphertext set was constructed with the same permutation, $\sigma$, here called multiscalar $\mathbf{v}$\footnote{Denoted as $\mathbf{c}$ in the Curdleproofs paper but changed for readability}, committed to in commitment $A$.
+Note, therefore, that $A$ in~\gls{sameperm} and~\gls{samemsm} is the same commitment, where $\mathbf{v}=\sigma(\mathbf{a})$
+As the multiscalar is a vector, this argument is an~\gls{ipa} by nature, contrary to the~\gls{sameperm} argument.
 
 The third proof is a Same Scalar argument.
 To mask the ciphertexts, each prover, besides permuting the set, multiplies all ciphertexts by a scalar, $k$.
 This is for randomization purposes, making it harder for adversaries to track the ciphertexts~\cite{Whisk2024}.
 Also, all validators are still able to open their commitments if they are chosen as block proposers, even after several randomizations.
-So, the goal of the Same Scalar argument is to prove the existence of the scalar,~$k$, such that the commitment of the permuted set is equal to the commitment of the pre-permuted set multiplied by $k$.
+Therefore, the goal of the Same Scalar argument is to prove the existence of the scalar,~$k$, such that the commitment of the permuted set is equal to the commitment of the pre-permuted set multiplied by $k$.
 
 
-
-\subsection{Zero-knowledge proofs}\label{sec:background-zkps}
-Curdleproofs is a~\gls{zkp} system, which means that it allows a prover to convince a verifier that they know a secret without revealing the secret itself.
-Within the context of Ethereum, it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
-In Whisk, it uses Curdleproofs to prove the validity of a shuffle.
-
-\begin{definition}[Zero-Knowledge Argument of Knowledge]
-    An argument $(Setup, P, V)$ is a zero-knowledge argument of knowledge of a relation $\mathbb{R}$ if it satisfies completeness, knowledge-soundness and is honest-verifier zero-knowledge.
-\end{definition}
-
-Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in~\autoref{sec:appendix}.
-
-Two of the three proofs in Curdleproofs are~\glspl{ipa}.
-These are also~\glspl{zkp}, and will be the focus of this paper.
-Hence, we provide a definition on~\glspl{ipa}.
-
-\begin{definition}[Inner Product Argument]
-    Takes as input two binding vector commitments $C=\mathbf{c}\times\mathbf{G}\in\mathbb{G}$ and $D=\mathbf{d}\times\mathbf{G'}\in\mathbb{G}$ to the vectors $\mathbf{c},\mathbf{d}\in\mathbb{Z}_p^n$ and $z\in\mathbb{Z}_p$.
-    The goal is to prove that $z=\mathbf{c}\times\mathbf{d}$.
-    The argument has logarithmic communication by halving the dimensions of $\mathbf{c}$ and $\mathbf{d}$ in each iteration.
-\end{definition}
+In Chapter 6 of Curdleproofs~\cite{Curdleproofs} they explain that the proof has size~$18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$, where $\mathbb{G}$ is a cryptographic group point, and $\mathbb{F}$ is a field element.
 
 \subsection{Problem definition}\label{subsec:problem-definition}
-In Chapter 6 of Curdleproofs~\cite{Curdleproofs}, they explain the efficiency of the protocol, including also the size of the proof.
-They specifically mention that the proof has size~$18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
-As the proof size is dependent on the size of the shuffle,~$\ell$, an interest in the possibility of reducing this parameter arises.
-The current proposal of Curdleproofs only works on shuffles, where the size is a power of 2.
-The reason is that the underlying proofs, such as the~\gls{ipa}, need to fold recursively down to 1, by halving the size in every round.
+The current proposal of Curdleproofs only works when the shuffle size of Whisk is set to a power of 2.
+The reason is that the underlying proofs,~\gls{dlipa} in~\gls{sameperm} and~\gls{samemsm}, need to fold recursively down to 1, by halving the size in every round.
+With the current shuffling size being 128, being able to choose the size more flexibly could lead to both performance and size gains.
+The problem we study in this article is therefore how to extend Curdleproofs to~$\ell$ values that are not a power of 2.
 
diff --git a/report/src/sections/03-related-work.tex b/report/src/sections/03-related-work.tex
@@ -48,7 +48,7 @@ \subsection{Bulletproofs}\label{subsec:related-work-bulletproofs}
 One of these is Bulletproofs+~\cite{chung2022bulletproofs+} which uses a weighted inner product argument instead of the standard inner product argument to achieve a better performance.
 Bulletproofs+ is also a zero-knowledge proof by itself unlike the original bulletproofs.
 Trying to modify Curdleproofs with the weighted inner product argument introduces complications that would need larger modifications and is therefore not suitable.
-This can be seen in~\autoref{sec:curdleproofs-weighted-inner-product-argument-modification-attempt}
+This can be seen in Appendix~\ref{app:curdleproofs-weighted-inner-product-argument-modification-attempt}
 
 A third version of the Bulletproofs protocol is Bulletproofs++~\cite{eagen2024bulletproofs++} which uses a new type of argument called the norm argument to achieve a better performance.
 This comes from the prover only needing to commit to a single vector, rather than two.
diff --git a/report/src/sections/04-Approach.tex b/report/src/sections/04-Approach.tex
@@ -402,25 +402,26 @@ \subsubsection{Size reduction}
 If we can reduce the shuffle size used in Whisk and still prove it secure, then we expect to see some reduction in the size overhead on the blockchain.
 
 We first set our focus on Curdleproofs, as this is the protocol we have modified directly.
-As mentioned in~\autoref{sec:background-zkps}, the size of Curdleproofs is $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
+As mentioned in~\autoref{subsec:related-work-whisk}, the size of Curdleproofs is $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
 The dependence on the $\log$ stems from the number of recursive rounds that take place in the~\gls{sameperm} and~\gls{samemsm} proofs.
 The addition of four elements in the $\log$ stems from the protocol needing those as blinders.
 Hence, at a proof of size 128, $\ell$ is 124.
-In the proof of theorem 1, we show CAAUrdleproofs to be $\mathcal{O}(\log n)$.
+In the proof of theorem 1, see Appendix~\ref{sec:appendix-thm1proof}, we show that CAAUrdleproofs is $\mathcal{O}(\log n)$, which is the same as Curdleproofs.
+However, as discussed in~\autoref{subsec:approach-CAAUrdleproofs}, CAAUrdleproofs'~\gls{ipa} proofs use $\lceil \log n \rceil$ recursive rounds.
 This means that the size of CAAUrdleproofs must be $18+10 \lceil\log(\ell+4)\rceil\mathbb{G}$, $7\mathbb{F}$.
 
 CAAUrdleproofs therefore has the same proof size as Curdleproofs.
 
 The CAAUrdleproofs modification can still reduce the overall block size overhead, though.
-Using Whisk with CAAUrdleproofs has a block size of $16.656$ KB, when the shuffle size is 128\cite{Whisk2024}.
+By using the overhead calculation described by Whisk on CAAUrdleproofs, it measures a block overhead of $16.656$ KB, when the shuffle size is 128~\cite{Whisk2024}.
 Note that this is the same size as Curdleproofs, as the shuffle size is a power of 2.
-The calculation of the block size comes from the following, where $\mathbb{G}=48$ bytes and $\mathbb{F}=32$ bytes\footnote{\text{As noted in the code on the Curdleproofs GitHub repository: }\\ \href{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}. Accessed: 26/05/2025}:
+The provided calculation of the block overhead is provided as the following, where $\mathbb{G}=48$ bytes and $\mathbb{F}=32$ bytes\footnote{\text{As noted in the code on the Curdleproofs GitHub repository: }\\ \href{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}. Accessed: 26/05/2025}:
 \begin{itemize}
     \item List of shuffled trackers ($\ell\cdot96\Rightarrow\text{eg. }124\cdot96=11,904$ bytes).
     \item Shuffle proof ($18+10 \lceil\log(\ell+4)\rceil\mathbb{G}$, $7\mathbb{F}\Rightarrow\text{eg. }(18+10\lceil\log(124+4)\rceil)\cdot48+7\cdot32=4,448$ bytes).
     \item A fresh tracker (two BLS G1 points $\Rightarrow48\cdot2=96$ bytes).
     \item A new commitment $com(k)$ to the proposer's tracker (one BLS G1 point $\Rightarrow48$ bytes).
     \item A Discrete Logarithm Equivalence Proof on the ownership of the elected proposer commitment (two G1 points, two Fr scalars $\Rightarrow2\cdot48+2\cdot32=160$ bytes).
 \end{itemize}
-The majority of the block size comes from the list of shuffled trackers.
-Hence, using CAAUrdleproofs could majorly decrease the block size by allowing~$\ell$ to be chosen at arbitrary length.
+The majority of the block overhead comes from the list of shuffled trackers.
+Hence, as the list size is heavily dependent on~$\ell$, using CAAUrdleproofs could majorly decrease the block overhead by allowing~$\ell$ to be more flexibly chosen as a smaller size than 128.
diff --git a/report/src/sections/06-results.tex b/report/src/sections/06-results.tex
@@ -24,7 +24,7 @@ \subsection{Proving and Verifying Times}\label{subsec:results:provingverifying}
 Though, this seems to not be the case, at least not as aggressively, when increasing $\ell$ from 128.
 We find, however, that the bump is smaller the higher $\ell$ is.
 
-Additional to the proving and verifying times, the time used on shuffling is also lower for any $\ell$ that is not a power of 2; see~\autoref{sec:shuffling-results}.
+Additional to the proving and verifying times, the time used on shuffling is also lower for any $\ell$ that is not a power of 2; see Appendix~\ref{sec:shuffling-results}.
 Though, that was to be expected since CAAUrdleproofs uses the same shuffling algorithm as Curdleproofs, but does not have to add additional padding to the non-power of 2 input sizes.
 
 
diff --git a/report/src/sections/appendix/03-bpplus.tex b/report/src/sections/appendix/03-bpplus.tex
diff --git a/report/src/setup/acronyms.tex b/report/src/setup/acronyms.tex
