Merge pull request #25 from AAU-Dat/ipa-and-codecomments

ironmand123 · web-flow · commit 4eb7d17dc55e · 2025-05-27T11:56:45.000+02:00
Ipa and codecomments
diff --git a/report/src/sections/02-background.tex b/report/src/sections/02-background.tex
@@ -66,22 +66,22 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
 The Proof-of stake protocol works in epochs of 32 slots, where each slot is 12 seconds long.
 In each slot a proposer is chosen to propose a block thereby allowing the network to reach consensus on the state of the blockchain.
 
-The proposer DoS attack is a type of attack that targets the block proposers making them unable to propose blocks.
-An adversary can use the proposer DoS attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their own rewards~\cite{EthereumSSLE2024}.
-As a response to the proposer DoS attack, Ethereum has proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack.
+The proposer~\gls{dos} attack is a type of attack that targets the block proposers making them unable to propose blocks.
+An adversary can use the proposer~\gls{dos} attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their own rewards~\cite{EthereumSSLE2024}.
+As a response to the proposer~\gls{dos} attack, Ethereum has proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack.
 An attack on the Ethereum network that was discovered by Heimbach et al.~\cite{heimbach2024deanonymizingethereumvalidatorsp2p} is the deanonymization attack on validators.
 In our preliminary work~\cite{ouroldpaper}, we have shown that the attack is still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed.
 
 
-Whisk is a zero-knowledge Single Secret Leader Election (SSLE) system that uses a zero-knowledge argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle without revealing the input or output~\cite{10.1145/3419614.3423258}.
+Whisk is a~\gls{zk}~\gls{ssle} system that uses a~\gls{zk} argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle without revealing the input or output~\cite{10.1145/3419614.3423258}.
 Whisk works by selecting a list of 16,384 validator trackers and shuffles them over 8,192 slots ($\sim$1 day).
 Then 8,192 proposers are selected from the shuffled list to propose blocks for the next 8,192 slots while a new list is being shuffled.
 This way a new list of proposers is created every day.
-After each shuffle, Whisk uses a zero-knowledge proof to prove that the shuffle is correct.
+After each shuffle, Whisk uses a~\gls{zkp} to prove that the shuffle is correct.
 This is so that the proposer can prove that they are the correct proposer for the slot without revealing their identity, thereby mitigating the proposer~\gls{dos} attack because of the identity of the upcoming proposers being hidden now.
 
-Curdleproofs is a zero-knowledge proof system that allows a prover to prove knowledge of a shuffle without revealing how it shuffled the elements.
-It does so by using three different zero-knowledge proofs, with one of them relying on two more zero-knowledge proofs.
+Curdleproofs is a~\gls{zkp} system that allows a prover to prove knowledge of a shuffle without revealing how it shuffled the elements.
+It does so by using three different~\glspl{zkp}, with one of them relying on two more~\glspl{zkp}.
 The overview can be seen in~\autoref{fig:curdleproof-protocol}.
 
 \begin{figure}[!ht]
@@ -141,6 +141,7 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
 
 To prove that, the protocol makes use of a grand product argument.
 To prove that argument, Curdleproofs compiles it down to an~\gls{ipa} by expressing each multiplication of the grand product as its own equation.
+This~\gls{ipa} stems from the protocol originally proposed by Bootle et al.~\cite{cryptoeprint:2016/263,Curdleproofs}
 
 Hence, the~\gls{sameperm} proof is done if the prover can prove the~\gls{ipa}.
 
@@ -154,13 +155,13 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
 To mask the ciphertexts, each prover, besides permuting the set, multiplies all ciphertexts by a scalar, $k$.
 This is for randomization purposes, making it harder for adversaries to track the ciphertexts~\cite{Whisk2024}.
 Also, all validators are still able to open their commitments if they are chosen as block proposers, even after several randomizations.
-So, the goal of the Same Scalar argument is to prove the existence of the scalar, $k$, such that the commitment of the permuted set is equal to the commitment of the pre-permuted set multiplied by $k$.
+So, the goal of the Same Scalar argument is to prove the existence of the scalar,~$k$, such that the commitment of the permuted set is equal to the commitment of the pre-permuted set multiplied by $k$.
 
 
 
 \subsection{Zero-knowledge proofs}\label{sec:background-zkps}
-Curdleproofs is a zero-knowledge proof system, which means that it allows a prover to convince a verifier that they know a secret without revealing the secret itself.
-Within the context of Ethereum it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
+Curdleproofs is a~\gls{zkp} system, which means that it allows a prover to convince a verifier that they know a secret without revealing the secret itself.
+Within the context of Ethereum, it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
 In Whisk, it uses Curdleproofs to prove the validity of a shuffle.
 
 \begin{definition}[Zero-Knowledge Argument of Knowledge]
@@ -169,10 +170,20 @@ \subsection{Zero-knowledge proofs}\label{sec:background-zkps}
 
 Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in~\autoref{sec:appendix}.
 
+Two of the three proofs in Curdleproofs are~\glspl{ipa}.
+These are also~\glspl{zkp}, and will be the focus of this paper.
+Hence, we provide a definition on~\glspl{ipa}.
+
+\begin{definition}[Inner Product Argument]
+    Takes as input two binding vector commitments $C=\mathbf{c}\times\mathbf{G}\in\mathbb{G}$ and $D=\mathbf{d}\times\mathbf{G'}\in\mathbb{G}$ to the vectors $\mathbf{c},\mathbf{d}\in\mathbb{Z}_p^n$ and $z\in\mathbb{Z}_p$.
+    The goal is to prove that $z=\mathbf{c}\times\mathbf{d}$.
+    The argument has logarithmic communication by halving the dimensions of $\mathbf{c}$ and $\mathbf{d}$ in each iteration.
+\end{definition}
+
 \subsection{Problem definition}\label{subsec:problem-definition}
 In Chapter 6 of Curdleproofs~\cite{Curdleproofs}, they explain the efficiency of the protocol, including also the size of the proof.
-They specifically mention that the proof has size $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
-As the proof size is dependent on the size of the shuffle, $\ell$, an interest in the possibility of reducing this parameter arises.
-The current proposal of curdleproofs only works on shuffles, where the size is a power of 2.
-The reason is that the underlying proofs, such as the~\gls{ipa}, needs to fold recursively down to 1, by halving the size in every round.
+They specifically mention that the proof has size~$18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
+As the proof size is dependent on the size of the shuffle,~$\ell$, an interest in the possibility of reducing this parameter arises.
+The current proposal of Curdleproofs only works on shuffles, where the size is a power of 2.
+The reason is that the underlying proofs, such as the~\gls{ipa}, need to fold recursively down to 1, by halving the size in every round.
 
diff --git a/report/src/sections/04-Approach.tex b/report/src/sections/04-Approach.tex
@@ -24,17 +24,17 @@ \subsection{Springproofs}\label{sec:approach-springproofs}
 The computation is for finding the set, $T$.
 
 \begin{figure}[!htb]
-    \begin{lstlisting}[language=Python,mathescape=true,label={lst:schemefunc},numbers=right,caption={Scheme function \textbf{\textit{f}} used in CAAUrdleproofs},captionpos=b,frame=single]
+    \begin{lstlisting}[language=Python,mathescape=true,label={lst:schemefunc},numbers=left,caption={Scheme function \textbf{\textit{f}} used in CAAUrdleproofs},captionpos=b,frame=single]
     input: $n$, where $n>0$
 
     $\{n\}\gets n$
     $N\gets 2^{\lceil\log n\rceil-1}$
     $i_h \gets \lfloor (2N-n)/2\rfloor+1$
     $i_t=\lfloor n/2\rfloor$
-    if $n\neq N$:
+    if $n\neq N$: #Not power of 2
         $\{T\}\gets(i_h:i_t)\cup(N+1:n)$
-    else if $n=N$:
-        $\{T\}\gets(1:n)$
+    else if $n=N$: #Power of 2
+        $\{T\}\gets(1:n)$ #Meaning S is empty
     $\{S\}\gets\{n\}-\{T\}$
     \end{lstlisting}
 \label{fig:schemefunc}
@@ -67,42 +67,42 @@ \subsubsection*{Prover computation}
 The construction can be seen in~\autoref{lst:ipa-prover}.
 
 \begin{figure}[!htb]
-    \begin{lstlisting}[language=Python,mathescape=true,label={lst:ipa-prover},numbers=right,caption={Prover computation for CAAU-IPA in CAAUrdleproofs},captionpos=b,frame=single]
-$\textbf{Step 1:}$
+    \begin{lstlisting}[language=Python,mathescape=true,label={lst:ipa-prover},numbers=left,caption={Prover computation for CAAU-IPA in CAAUrdleproofs},captionpos=b,frame=single]
+$\textbf{Step 1:}$ #Setup phase
 $(\textbf{G},\textbf{G}',H)\gets$parse$(crs_{dl_{inner}})$
-$\textbf{r}_C,\textbf{r}_D\overset{\$}{\leftarrow}\mathbb{F}^n$
+$\textbf{r}_C,\textbf{r}_D\overset{\$}{\leftarrow}\mathbb{F}^n$ #Vector blinders
  where $(\textbf{r}_C\times \textbf{d} + \textbf{r}_D\times \textbf{c})=0\text{ and }\textbf{r}_C\times \textbf{r}_D=0$
-$B_C\gets \textbf{r}_C\times \textbf{G}$
+$B_C\gets \textbf{r}_C\times \textbf{G}$ #Blinder commitments
 $B_D\gets \textbf{r}_D\times \textbf{G}'$
-$\alpha,\beta\gets$Hash$(C,D,z,B_C,B_C)$
-$\textbf{c}\gets \textbf{r}_C+\alpha \textbf{c}$
+$\alpha,\beta\gets$Hash$(C,D,z,B_C,B_C)$ #FS challenges
+$\textbf{c}\gets \textbf{r}_C+\alpha \textbf{c}$ #Blinded vectors
 $\textbf{d}\gets \textbf{r}_D+\alpha \textbf{d}$
 $H\gets\beta H$
-$\textbf{Step 2:}$
+$\textbf{Step 2:}$ #Recursive protocol
 $m\gets \lceil \log n\rceil$
 while $1\leq j\leq m:$
-    $T,S\gets \textbf{\textit{f(}}n\textbf{\textit{)}}$
+    $T,S\gets \textbf{\textit{f(}}n\textbf{\textit{)}}$ #Scheme function
     $n\gets \frac{|T|}{2}$
-    $\textbf{c}\gets\textbf{c}_T$, $\textbf{cS}\gets\textbf{c}_S$
+    $\textbf{c}\gets\textbf{c}_T$, $\textbf{cS}\gets\textbf{c}_S$ #Vector splitting
     $\textbf{d}\gets\textbf{d}_T$, $\textbf{dS}\gets\textbf{d}_S$
     $\textbf{G}\gets\textbf{G}_T$, $\textbf{GS}\gets\textbf{G}_S$
     $\textbf{G}'\gets\textbf{G}'_T$, $\textbf{GS}'\gets\textbf{G}'_T$
-    $L_{C,j}\gets\textbf{c}_{[:n]}\times\textbf{G}_{[n:]}+(\textbf{c}_{[:n]}\times\textbf{d}_{[n:]})H$
+    $L_{C,j}\gets\textbf{c}_{[:n]}\times\textbf{G}_{[n:]}+(\textbf{c}_{[:n]}\times\textbf{d}_{[n:]})H$ #Cross-comm
     $L_{D,j}\gets\textbf{d}_{[n:]}\times\textbf{G}'_{[:n]}$
     $R_{C,j}\gets\textbf{c}_{[n:]}\times\textbf{G}_{[:n]}+(\textbf{c}_{[n:]}\times\textbf{d}_{[:n]})H$
     $R_{D,j}\gets\textbf{d}_{[:n]}\times\textbf{G}'_{[n:]}$
-    $\pi_j\gets(L_{C,j},L_{D,j},R_{C,j},R_{D,j})$
-    $\gamma_j\gets Hash(\pi_j)$
-    $\textbf{c}\gets\textbf{cS}\|\textbf{c}_{[:n]}+\gamma_j^{-1}\textbf{c}_{[n:]}$
+    $\pi_j\gets(L_{C,j},L_{D,j},R_{C,j},R_{D,j})$ #Proof elements
+    $\gamma_j\gets Hash(\pi_j)$ #Folding challenges
+    $\textbf{c}\gets\textbf{cS}\|\textbf{c}_{[:n]}+\gamma_j^{-1}\textbf{c}_{[n:]}$ #Next round vectors
     $\textbf{d}\gets\textbf{dS}\|\textbf{d}_{[:n]}+\gamma_j\textbf{d}_{[n:]}$
     $\textbf{G}\gets\textbf{GS}\|\textbf{G}_{[:n]}+\gamma_j\textbf{G}_{[n:]}$
     $\textbf{G}'\gets\textbf{GS}'\|\textbf{G}'_{[:n]}+\gamma_j^{-1}\textbf{G}'_{[n:]}$
     $n\gets len(c)$
-$\textbf{Step 3:}$
+$\textbf{Step 3:}$ #Final proof element
 $c\gets c_1$
 $d\gets d_1$
 
-return $(B_C,B_D,\mathbf{\pi},c,d)$
+return $(B_C,B_D,\mathbf{\pi},c,d)$ # Elements for verifier
     \end{lstlisting}
 \label{fig:ipa-prover}
 \end{figure}
@@ -149,33 +149,33 @@ \subsubsection*{Verifier computation}
 Again, the originally proposed verifying protocol has been modified according to Springproofs, which is seen in~\autoref{lst:ipa-verifier}.
 
 \begin{figure}[!htb]
-\begin{lstlisting}[language=Python,mathescape=true,label={lst:ipa-verifier},numbers=left,caption={Verifier computation for CAAU-IPA in CAAUrdleproofs},captionpos=b,frame=single]
-$\textbf{Step 1:}$
+\begin{lstlisting}[language=Python,mathescape=true,label={lst:ipa-verifier},numbers=right,caption={Verifier computation for CAAU-IPA in CAAUrdleproofs},captionpos=b,frame=single]
+$\textbf{Step 1:}$ #Setup phase
 $(\textbf{G},\textbf{G}',H)\gets$parse$(crs_{dl_{inner}})$
-$(C,D,z)\gets$parse$(\phi_{dl_{inner}})$
-$(B_C,B_D,\mathbf{\pi},c,d)\gets$parse$(\pi_{dl_{inner}})$
-$\alpha,\beta\gets$Hash$(C,D,z,B_C,B_D)$
+$(C,D,z)\gets$parse$(\phi_{dl_{inner}})$ #Public input
+$(B_C,B_D,\mathbf{\pi},c,d)\gets$parse$(\pi_{dl_{inner}})$ #From prover
+$\alpha,\beta\gets$Hash$(C,D,z,B_C,B_D)$ #FS challenges
 $H\gets \beta H$
-$C\gets B_C+\alpha C+(\alpha^2z)H$
+$C\gets B_C+\alpha C+(\alpha^2z)H$ #Blinded commitments
 $D\gets B_D+\alpha D$
 
-$\textbf{Step 2:}$
+$\textbf{Step 2:}$ #Recursive round
 $m\gets \lceil\log n\rceil$
 for $1\leq j\leq m$
-    $T,S\gets \textbf{\textit{f(}}n\textbf{\textit{)}}$
+    $T,S\gets \textbf{\textit{f(}}n\textbf{\textit{)}}$ #Scheme function
     $n\gets \frac{|T|}{2}$
-    $\textbf{G}=\textbf{G}_T$, $\textbf{GS}=\textbf{G}_S$
+    $\textbf{G}=\textbf{G}_T$, $\textbf{GS}=\textbf{G}_S$ #Vector splitting
     $\textbf{G}'=\textbf{G}'_T$, $\textbf{GS}'=\textbf{G}'_T$
-    $(L_{C,j},L_{D,j},R_{C,j},R_{D,j})\gets$parse$(\pi_j)$
-    $\gamma_j\gets$Hash$(\pi_j)$
-    $C\gets\gamma_j L_{C,j}+C+\gamma_j^{-1}R_{C,j}$
+    $(L_{C,j},L_{D,j},R_{C,j},R_{D,j})\gets$parse$(\pi_j)$ #Proof elem
+    $\gamma_j\gets$Hash$(\pi_j)$ #Folding challenges
+    $C\gets\gamma_j L_{C,j}+C+\gamma_j^{-1}R_{C,j}$ #Update comms
     $D\gets\gamma_j L_{D,j}+D+\gamma_j^{-1}R_{D,j}$
-    $\textbf{G}\gets\textbf{GS}\|\textbf{G}_{[:n]}+\gamma_j\textbf{G}_{[n:]}$
+    $\textbf{G}\gets\textbf{GS}\|\textbf{G}_{[:n]}+\gamma_j\textbf{G}_{[n:]}$ #Next round vectors
     $\textbf{G}'\gets\textbf{GS}'\|\textbf{G}'_{[:n]}+\gamma_j^{-1}\textbf{G}'_{[n:]}$
     $n\gets\text{len}(\textbf{G})$
 
-$\textbf{Step 3:}$
-Check $C=c\times G_1+cdH$
+$\textbf{Step 3:}$ #Final check
+Check $C=c\times G_1+cdH$ #Initial ?= Folded
 Check $D=d\times G'_1$
 return 1 $\text{if both checks pass, else}$ return 0
 \end{lstlisting}
@@ -304,23 +304,23 @@ \subsubsection{CAAUdleproofs}
 
 \begin{figure}[!htb]
         \begin{lstlisting}[language=Python,mathescape=true,label={lst:ipa-verifier-optimized},numbers=left,caption={Optimized verifier computation for CAAU-IPA in CAAUrdleproofs},captionpos=b,frame=single]
-$\textbf{Step 1:}$
+$\textbf{Step 1:}$ #Setup phase
 $(\textbf{G},H)\gets$parse$(crs_{dl_{inner}})$
 $(C,D,z,\mathbf{u})\gets$parse$(\phi_{dl_{inner}})$
 $(B_C,B_D,\mathbf{\pi},c,d)\gets$parse$(\pi_{dl_{inner}})$
-$\alpha,\beta\gets$Hash$(C,D,z,B_C,B_D)$
+$\alpha,\beta\gets$Hash$(C,D,z,B_C,B_D)$ #FS challenges
 
-$\textbf{Step 2:}$
+$\textbf{Step 2:}$ #Recursive phase
 $m\gets \lceil\log n\rceil$
 for $1\leq j\leq m$
-    $T,S\gets \textbf{\textit{f(}}n\textbf{\textit{)}}$
+    $T,S\gets \textbf{\textit{f(}}n\textbf{\textit{)}}$ #Scheme function
     $n\gets \frac{|T|}{2}$
-    $(L_{C,j},L_{D,j},R_{C,j},R_{D,j})\gets$parse$(\pi_j)$
-    $\gamma_j\gets$Hash$(\pi_j)$
+    $(L_{C,j},L_{D,j},R_{C,j},R_{D,j})\gets$parse$(\pi_j)$ #Proof elem
+    $\gamma_j\gets$Hash$(\pi_j)$ #Folding challenges
     $n\gets n+\text{len}(S)$
 
-$\textbf{Step 3:}$
-$\mathbf{CP}\text{: }\mathbf{\gamma}\gets(\gamma_m,...,\gamma_1)$
+$\textbf{Step 3:}$ # Accumulated checking phase
+$\mathbf{CP}\text{: }\mathbf{\gamma}\gets(\gamma_m,...,\gamma_1)$ #Construction difference
 $\mathbf{CAAUP}\text{: }\mathbf{\gamma}\gets(\gamma_1,...,\gamma_m)$
 $\textit{Compute }\mathbf{s}\textit{: see below for difference}$
 
@@ -331,27 +331,27 @@ \subsubsection{CAAUdleproofs}
 $\text{return 1}$
 
 $\textbf{s-step Curdleproofs:}$
-for $1\leq j\leq n$:
+for $1\leq j\leq n$: Simulate halving each round
     $s_i=\sum_{j=1}^m\delta_j^{b_{i,j}}\text{, }b_{i,j}\in\{0,1\}\text{ s.t. }i=\sum_{j=1}^mb_{i,j}2^j$
     $s'_i=\sum_{j=1}^m\delta_j^{-b_{i,j}}$
 $\textbf{s-step CAAUrdleproofs:}$
-$ActivePos\gets[(i,i)\text{, }i=1,\dots,n]$
+$ActivePos\gets[(i,i)\text{, }i=1,\dots,n]$ #Pos after round
 for $1\leq j\leq m:$
     $h\gets\frac{2^{\lceil\log n\rceil}}{2}$
     $f\gets n-h$
     $nf\gets h-f$
     $fs\gets \frac{nf}{2}$
     for $(i,k)$ in $ActivePos$:
-        if $k\geq h:$
+        if $k\geq h:$ #Elem has challenge j
             $b_{i,j}\gets1$
             $newPos=k-h-fs$
-        else:
+        else: #Elem has no challenge j
             $b_{i,j}\gets0$
             $newPos=k$
         $nextActivePos.push((i,newPos))$
-    $ActivePos\gets nextActivePos$
+    $ActivePos\gets nextActivePos$ #New positions
     $n\gets h$
-for $1\leq j\leq n$:
+for $1\leq j\leq n$: #Same as Curdleproofs
     $s_i=\sum_{j=1}^m\delta_j^{b_{i,j}}$
     $s'_i=\sum_{j=1}^m\delta_j^{-b_{i,j}}$
         \end{lstlisting}
diff --git a/report/src/setup/acronyms.tex b/report/src/setup/acronyms.tex
@@ -3,6 +3,7 @@
 
 \newacronym{aau}{AAU}{Aalborg University}
 \newacronym{zkp}{ZKP}{Zero-Knowledge Proof}
+\newacronym{zk}{ZK}{Zero-Knowledge}
 \newacronym{pos}{PoS}{Proof of Stake}
 \newacronym{pow}{PoW}{Proof of Work}
 \newacronym{zk-snark}{ZK-SNARK}{Zero-Knowledge Succinct Non-Interactive Argument of Knowledge}
diff --git a/report/src/setup/preamble.tex b/report/src/setup/preamble.tex
@@ -17,6 +17,9 @@
 \usepackage{subfig}
 \usepackage{circuitikz}
 \usetikzlibrary{arrows.meta,arrows}
+\lstset{
+    commentstyle=\color{gray}
+}
 
 
 % Packages with options set
