Merge pull request #16 from AAU-Dat/zkargument

Zkargument

Author: Maltesius

report/src/sections/03-background.tex

@@ -103,4 +103,7 @@ \subsection{Zero-knowledge proofs}\label{sec:background-zkps}
 Curdleproofs is a zero-knowledge proof system, which means that it allows a prover to convince a verifier that they know a secret without revealing the secret itself.
 within the context of Ethereum it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
 
+\begin{definition}[Zero-Knowledge Argument of Knowledge]
+    An argument $(Setup, P, V)$ is a zero-knowledge argument of knowledge of a relation $\mathbb{R}$ if it satisfies completeness, knowledge-soundness and is honest-verifier zero-knowledge.
+\end{definition}
 

report/src/sections/04-Approach.tex

@@ -204,6 +204,10 @@ \subsection{CAAUrdleproofs}\label{subsec:approach-CAAUrdleproofs}
 The verifier now checks if these commitments match the commitments that he constructed in the recursive protocol.
 If so, the verifier accepts the proof.
 
+\begin{theorem}
+    CAAUrdleproofs is a zero-knowledge argument of knowledge when $\left|k\right|\geq8$
+\end{theorem}
+
 
 \subsection{Shuffle security}\label{subsec:approach-shuffle-security}
 The shuffle method proposed by Larsen et al.~\cite{cryptoeprint:2022/560} that was used in Curdleproofs is based on the idea of shuffling a list of proposers over a set of slots.

report/src/sections/aa-appendix.tex

@@ -3,4 +3,5 @@
 
 % Main appendix file
 % Insert appendix sections below
-\input{sections/appendix/01-appendix}
+\input{sections/appendix/01-appendix}
+\input{sections/appendix/02-thm1proof}

report/src/sections/appendix/01-appendix.tex

@@ -1,3 +1,52 @@
 
-\section{Appendix}\label{sec:appendix}
-This is the appendix
+\section{Definitions of Zero-Knowledge Argument of Knowledge}\label{sec:appendix}
+\begin{definition}[Honest-Verifier Zero-Knowledge]
+    An interactive argument $(Setup, P, V)$ for a relation $R$ is honest-verifier zero-knowledge, if there exists a
+    probabilistic polynomial time simulator, such that there exists a negligible function $\epsilon(\lambda)$, for all adversaries $A_1$ and $A_2$
+
+    \begin{align*}
+        \left| % Opening absolute value
+        \begin{aligned} % Inner environment for the multi-line content within abs value
+            & \Pr \left[ % Alignment point before Pr
+                \begin{array}{c|l}
+                (\mathbb{x},\mathbb{w}) \in \mathcal{R} \land & \sigma \leftarrow \text{Setup}(1^\lambda) \\
+                \mathcal{A}_1(tr) = 1 & (\mathbb{x},\mathbb{w},\rho) \leftarrow \mathcal{A}_2(\sigma) \\
+                & tr \leftarrow \text{SIM}(x,\rho)
+                \end{array}
+                \right] - \\ % End of first line inside aligned
+            % Start of second line inside aligned
+            & \Pr \left[ % Minus sign, then alignment point before Pr
+                \begin{array}{c|l}
+                (\mathbb{x},\mathbb{w}) \in \mathcal{R} \land & \sigma \leftarrow \text{Setup}(1^\lambda) \\
+                \mathcal{A}_1(tr) = 1 & (\mathbb{x},\mathbb{w},\rho) \leftarrow \mathcal{A}_2(\sigma) \\
+                & tr \leftarrow \langle \mathcal{P}(\sigma,\mathbb{x},\mathbb{w}), \mathcal{V}_\rho(\sigma,\mathbb{x}) \rangle
+                \end{array}
+                \right]
+        \end{aligned}
+        \right| % Closing absolute value
+        \leq \epsilon(\lambda)
+    \end{align*}
+\end{definition}
+
+\begin{definition}[Non-Interactive Knowledge-Soundness]
+    A non-interactive random oracle argument $(Setup, P, V)$ for relation $R$ is knowledge sound, if there exists an efficient knowledge extractor $\mathcal{E}$ and a positive polynomial $z$, such that for any statement $\mathbb{x}\in\{0,1\}^\lambda$ and prover $P^*$ with at most $Q$ queries to the random oracle \texttt{RO},
+
+
+    \begin{align*}
+        \Pr \left[ (\mathbb{x},\mathbb{w}') \in \mathcal{R} \;\middle|\;
+        \begin{array}{@{}l@{}} % Using an array for the assignments to the right of the bar
+            \sigma \leftarrow \text{Setup}(1^\lambda) \\
+            \mathbb{w}' \leftarrow \mathcal{E}^{P^*}(x)
+        \end{array}
+        \right]
+        \geq \frac{\epsilon(P^*, \mathbb{x}) - \kappa(|\mathbb{x}|, Q)}{z(|\mathbb{x}|)},
+    \end{align*}
+\end{definition}
+
+\begin{definition}[Completeness]
+    An argument $(Setup, P, V)$ is complete, if for any statement $\mathbb{x}\in L$ and witness $\mathbb{w}$ such that $(\mathbb{x,w})\in R$, there exists a negligible function $\mu(\lambda)$, such that
+    \begin{align*}
+        \Pr\left[\langle P(\sigma,\mathbb{x},\mathbb{w}), V(\sigma,\mathbb{x})\rangle=1|\sigma\gets Setup(1^\lambda)\right]\geq 1-\mu(\lambda)
+    \end{align*}
+\end{definition}
+

report/src/sections/appendix/02-thm1proof.tex

@@ -0,0 +1,90 @@
+
+\section{Proof of Theorem 1}\label{sec:appendix-thm1proof}
+\begin{proof}
+    CAAUrdleproofs is the Curdleproofs DL~\gls{ipa} on which the Springproofs protocol has been applied.
+    So to help show that it is~\gls{hvzk}, we refer to Theorem 5 of Springproofs~\cite{zhang2024springproofs}.
+    \begin{theorem}[Springproofs Theorem 5]
+        Suppose IPA$_k$ is a~\gls{hvzk} IPA which reduces a relation $R_{zk,k}$ into a relation $R_{zk,k/2}$, and the blinding factors in the two relations distribute independently.
+        Given a scheme function $f$, if the SIPA$_{\text{IPA}}(f)$ is terminative for any lengths $n$ of the witness vector, and there exists a polynomial $\texttt{poly}(\lambda)$ such that the number of rounds $m<\texttt{poly}(\lambda)$, then SIPA$_{\text{IPA}}(f)$ is~\gls{hvzk} when $n\geq2$.
+    \end{theorem}
+    Given this Theorem, we interpret $\text{IPA}_k$ as the Curdleproofs DL~\gls{ipa}.
+
+    In Theorem 5.3.1 of the Curdleproofs paper, they prove their~\gls{ipa} to be zero-knowledge~\cite{Curdleproofs}.
+    They do this by help of a simulator and show that the prover's and simulator's response are distributed identically.
+    This matches the definition of~\gls{hvzk} from Definition 2, hence the Curdleproofs~\gls{ipa} is~\gls{hvzk}.
+
+    We also know that the~\gls{ipa} is a folding argument, which reduces the size of the argument by half after each iteration.
+    In this reduction, Curdleproofs also proved in Theorem 5.3.1 that the values $B_C,B_D,L_{C,j},L_{D,j},R_{C,j},R_{D,j}$ are blinded and identically distributed.
+
+    The scheme function used in CAAUrdleproofs, as seen in~\autoref{fig:fold}(b), is shown by Springproofs to be a variant of their pre-compression method~\cite{zhang2024springproofs}.
+    Springproofs show this function to be optimal in the number of folding steps, hence it must also terminate.
+    Specifically, the pre-compression is shown to run in $\lceil \log n\rceil$ folding rounds, satisfying the existence of the polynomial mentioned in Theorem 5.
+
+    Curdleproofs show their argument to be zero-knowledge in the random oracle model provided $|\mathbf{G}|\geq8$~\cite{Curdleproofs}.
+    Therefore, following Theorem 1, CAAUrdleproofs must be~\gls{hvzk} when $n\geq8$
+
+    For soundness and completeness, we refer to Theorem 3 of Springproofs~\cite{zhang2024springproofs}.
+    \begin{theorem}[Springproofs Theorem 3]
+        Given a terminative SIPA$(f)$, if the number of compression steps in SIPA$(f)$ is $O(\log n)$, then SIPA$(f)$ is a complete and computational knowledge sound argument of relation (1).
+        Moreover, the Fiat-Shamir transformation of SIPA$(f)$ is a non-interactive random oracle argument having completeness and computational knowledge soundness as well.
+    \end{theorem}
+    Here, relation (1) is
+    \begin{align}
+        \{(\mathbf{g},\mathbf{h}\in\mathbb{G}^n,u,P\in\mathbb{G};\mathbf{a},\mathbf{b}\in\mathbb{F}_p^n):P=\mathbf{g}^\mathbf{a}\mathbf{h}^\mathbf{b}u^{\langle \mathbf{a},\mathbf{b}\rangle}\}
+    \end{align}
+    or analogously for an additive cryptographic group:
+    \begin{align}
+        \{(&\mathbf{g},\mathbf{h}\in\mathbb{G}^n,u,P\in\mathbb{G};\mathbf{a},\mathbf{b}\in\mathbb{F}_p^n):\\
+        &P=\mathbf{a}\times\mathbf{g}+\mathbf{b}\times\mathbf{h}+\langle \mathbf{a},\mathbf{b}\rangle u\}\label{al:P}
+    \end{align}
+    Relating that to Curdleproofs, they mention that they discuss the~\gls{ipa} for the relation
+    \begin{align}
+        \left\{
+        \,(C,D,z;\,\mathbf{c},\mathbf{d})\;\middle|\;
+        \begin{aligned}
+            C &= \mathbf{c} \times \mathbf{G},\\
+            D &= \mathbf{d} \times \mathbf{G'},\\
+            z &= \mathbf{c} \times \mathbf{d}
+        \end{aligned}
+        \right\}
+    \end{align}
+    Though, taking inspiration from Bulletproofs, which also happens to be the~\gls{ipa} used in Springproofs, they include a commitment to the inner product, $z$, in commitment $C$~\cite{bunz2018bulletproofs}.
+    So, before the addition of blinding values and challenges, the relation they want to prove is:
+    \begin{align}
+        \left\{
+        \, \left(
+        \begin{aligned}
+            \mathbf{G},\mathbf{G'}\in\mathbb{G}^n,\\
+            C,D\in\mathbb{G},\\
+            z\in\mathbb{F}_p
+        \end{aligned}
+        \;\middle|\;
+        \begin{aligned}
+            \mathbf{c},\mathbf{d}\in\mathbb{F}^n_p
+        \end{aligned}
+        \right)\;\middle|\;
+        \begin{aligned}
+            C &= \mathbf{c} \times \mathbf{G}+zH,\\
+            D &= \mathbf{d} \times \mathbf{G'},\\
+            z &= \mathbf{c} \times \mathbf{d}
+        \end{aligned}
+        \right\}
+    \end{align}
+    We can now take a look at Springproofs' $P$ commitment in relation to Curdleproofs' $C$ and $D$ commitments.
+    If we add together Curdleproofs' two commitment, we get:
+    \begin{align}
+        C+D=\mathbf{c} \times \mathbf{G}+\mathbf{d} \times \mathbf{G'}+zH
+    \end{align}
+    This exactly the same commitment as in~\autoref{al:P}.
+
+    Therefore, using Curdleproofs' DL~\gls{ipa} and the pre-compression scheme function, we can instantiate SIPA$(f)$, equivalent to CAAUrdleproofs, as a terminative SIPA$(f)$, with $O(\log n)$ compression steps.
+    Hence, SIPA$(f)$ is a complete and computational knowledge sound argument of relation (1).
+    We have just shown that Curdleproofs'~\gls{ipa} proves the same relation, so the properties hold for our SIPA$(f)$ as well.
+    Furthermore, Curdleproofs uses the Fiat-Shamir transformation for its verifier challenges.
+    So, the SIPA$(f)$, analogously CAAUrdleproofs, is a non-interactive random oracle argument having completeness and computational knowledge soundness as well.
+
+    From this, we can conclude that CAAUrdleproofs is a zero-knowledge argument of knowledge when shuffle size $|k|\geq8$.
+\end{proof}
+
+
+

report/src/setup/acronyms.tex

@@ -21,4 +21,5 @@
 \newacronym{de-anon paper}{De-anonymizing Paper}{"Deanonymizing Ethereum Validators: The P2P Network Has a Privacy Issue"}
 \newacronym{mev}{MEV}{Maximal Extractable Value}
 \newacronym{ddh}{DDH}{Decisional Diffie-Hellman}
-\newacronym{ipa}{IPA}{Inner Product Argument}
+\newacronym{ipa}{IPA}{Inner Product Argument}
+\newacronym{hvzk}{HVZK}{Honest-Verifier Zero-Knowledge}