Merge pull request #23 from AAU-Dat/proof-size

Maltesius · web-flow · commit 74c9a478b1ce · 2025-05-27T08:45:40.000+02:00
Added subsubsection on the size of CAAUrdleproofs
diff --git a/report/src/sections/04-Approach.tex b/report/src/sections/04-Approach.tex
@@ -393,3 +393,27 @@ \subsubsection{Shuffle Security}
 
 By repeating this experiment for several runs, one can experimentally say, when a shuffle with given parameters is secure.
 
+\subsubsection{Size reduction}
+If we can reduce the shuffle size used in Whisk and still prove it secure, then we expect to see some reduction in the size overhead on the blockchain.
+
+We first set our focus on Curdleproofs, as this is the protocol we have modified directly.
+As mentioned in~\autoref{sec:background-zkps}, the size of Curdleproofs is $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
+The dependence on the $\log$ stems from the number of recursive rounds that take place in the~\gls{sameperm} and~\gls{samemsm} proofs.
+In the proof of theorem 1, we show CAAUrdleproofs to be $\mathcal{O}(\log n)$.
+This means that the size of CAAUrdleproofs must be $18+10 \lceil\log(\ell+4)\rceil\mathbb{G}$, $7\mathbb{F}$.
+
+CAAUrdleproofs therefore has the same proof size as Curdleproofs.
+
+The CAAUrdleproofs modification can still reduce the overall block size overhead, though.
+Using Whisk with CAAUrdleproofs has a block size of $17.04$ KB, when the shuffle size is 128\cite{Whisk2024}.
+Note that this is the same size as Curdleproofs, as the shuffle size is a power of 2.
+The calculation of the block size comes from the following, where $\mathbb{G}=48$ bytes and $\mathbb{F}=32$ bytes\footnote{\text{As noted in the code on the Curdleproofs GitHub repository: }\\ \href{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}. Accessed: 26/05/2025}:
+\begin{itemize}
+    \item List of shuffled trackers ($\ell\cdot96\Rightarrow\text{eg. }128\cdot96=12,288$ bytes).
+    \item Shuffle proof ($18+10 \lceil\log(\ell+4)\rceil\mathbb{G}$, $7\mathbb{F}\Rightarrow\text{eg. }(18+10\lceil\log(124+4)\rceil)\cdot48+7\cdot32=4,448$ bytes).
+    \item A fresh tracker (two BLS G1 points $\Rightarrow48\cdot2=96$ bytes).
+    \item A new commitment $com(k)$ to the proposer's tracker (one BLS G1 point $\Rightarrow48$ bytes).
+    \item A Discrete Logarithm Equivalence Proof on the ownership of the elected proposer commitment (two G1 points, two Fr scalars $\Rightarrow2\cdot48+2\cdot32=160$ bytes).
+\end{itemize}
+The majority of the block size comes from the list of shuffled trackers.
+Hence, using CAAUrdleproofs could majorly decrease the block size by allowing~$\ell$ to be chosen at arbitrary length.
diff --git a/report/src/sections/appendix/02-thm1proof.tex b/report/src/sections/appendix/02-thm1proof.tex
@@ -32,7 +32,7 @@ \section{Proof of Theorem 1}\label{sec:appendix-thm1proof}
     \paragraph*{\textbf{Proof of knowledge-soundness and completeness}}
     For soundness and completeness, we refer to Theorem 3 of Springproofs~\cite{zhang2024springproofs}.
     \begin{theorem}[Springproofs Theorem 3]
-        Given a terminative SIPA$(f)$, if the number of compression steps in SIPA$(f)$ is $O(\log n)$, then SIPA$(f)$ is a complete and computational knowledge sound argument of relation (1).
+        Given a terminative SIPA$(f)$, if the number of compression steps in SIPA$(f)$ is $\mathcal{O}(\log n)$, then SIPA$(f)$ is a complete and computational knowledge sound argument of relation (1).
         Moreover, the Fiat-Shamir transformation of SIPA$(f)$ is a non-interactive random oracle argument having completeness and computational knowledge soundness as well.
     \end{theorem}
     Here, relation (1) is
@@ -84,7 +84,7 @@ \section{Proof of Theorem 1}\label{sec:appendix-thm1proof}
     \end{align}
     This exactly the same commitment as in~\autoref{al:P}.
 
-    Therefore, using Curdleproofs' DL~\gls{ipa} and the pre-compression scheme function, we can instantiate SIPA$(f)$, equivalent to CAAUrdleproofs, as a terminative SIPA$(f)$, with $O(\log n)$ compression steps.
+    Therefore, using Curdleproofs' DL~\gls{ipa} and the pre-compression scheme function, we can instantiate SIPA$(f)$, equivalent to CAAUrdleproofs, as a terminative SIPA$(f)$, with $\mathcal{O}(\log n)$ compression steps.
     Hence, SIPA$(f)$ is a complete and computational knowledge sound argument of relation (1).
     We have just shown that Curdleproofs'~\gls{ipa} proves the same relation, so the properties hold for our SIPA$(f)$ as well.
     Furthermore, Curdleproofs uses the Fiat-Shamir transformation for its verifier challenges.
