Daniele's changes for background done

Maltesius · Maltesius · commit 9100d3603801 · 2025-05-29T14:21:28.000+02:00
diff --git a/report/src/sections/02-background.tex b/report/src/sections/02-background.tex
@@ -1,5 +1,5 @@
 \section{Background}\label{sec:background}
-In this section, we provide the necessary background information on Ethereum and a specific attack it is vulnerable to, the Curdleproofs protocol~\cite{Curdleproofs}, and the Whisk protocol~\cite{Whisk2024}
+In this section, we provide the necessary background information on Ethereum and a specific attack it is vulnerable to, the Whisk protocol~\cite{Whisk2024}, and the Curdleproofs protocol~\cite{Curdleproofs} used in Whisk.
 
 The notation used throughout this paper can be seen in~\autoref{tab:notation}.
 \begin{table*}[!htb]
@@ -30,13 +30,13 @@ \section{Background}\label{sec:background}
         $\mathbf{a}\times \mathbf{b}=\sum_{i=1}^n a_i\cdot b_i$
         & Inner product of $\mathbf{a},\mathbf{b}\in\mathbb{F}^n$ \\
         \hline
-        $\mathbf{G}=(g_1,\dots,g_n)\in\mathbb{G}^n,\mathbf{G'}=(g'_1,\dots,g'_n)\in\mathbb{G}^n$
+        $\mathbf{g}=(g_1,\dots,g_n)\in\mathbb{G}^n,\mathbf{g'}=(g'_1,\dots,g'_n)\in\mathbb{G}^n$
         & Vectors of generators (for Pedersen commitments) \\
         \hline
         $A=a\times G=\sum_{i=1}^n a_i\cdot G_i$
         & Binding (but not hiding) commitment to $a\in\mathbb{Z}_p^n\in $ \\
         \hline
-        $\mathbf{r}_A\in\mathbb{Z}^n$ & Blinding factors, e.g.\ $A=\mathbf{a}\times\mathbf{G} + \mathbf{r}_A \times \mathbf{G}$ is a Pedersen commitment to $\mathbf{a}$ \\
+        $\mathbf{r}_A\in\mathbb{Z}^n$ & Blinding factors, e.g.\ $A=\mathbf{a}\times\mathbf{g} + \mathbf{r}_A \times \mathbf{g}$ is a Pedersen commitment to $\mathbf{a}$ \\
         \hline
         $\mathbf{a}\parallel \mathbf{b}\in\mathbb{Z}_p^{n+m}$
         & Concatenation: if $\mathbf{a}\in\mathbb{Z}_p^n$, $\mathbf{b}\in\mathbb{Z}_p^m$, then $\mathbf{a}\parallel \mathbf{b}\in\mathbb{Z}_p^{n+m}$ \\
@@ -61,19 +61,40 @@ \section{Background}\label{sec:background}
  Given a finite, multiplicative cyclic group $\mathbb{G}$ of prime order $p$, the decisional Diffie-Hellman problem is defined as follows: Given $(g^a,g^b,g^c)\in\mathbb{G}$, where $g$ is a generator of $\mathbb{G}$ and $a,b,c\in\mathbb{Z}_p$, decide whether $c=ab$.
 \end{definition}
 
+\subsection{Zero-knowledge proofs}\label{sec:background-zkps}
+Before explaining the protocol, we must mention that Curdleproofs is a~\gls{zkp} system, which is a system that allows a prover to convince a verifier that they know a secret without revealing the secret itself.
+Within the context of Ethereum, it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
+In Whisk, it uses Curdleproofs to prove the validity of a shuffle.
+
+\begin{definition}[Zero-Knowledge Argument of Knowledge]
+    An argument $(Setup, P, V)$ is a zero-knowledge argument of knowledge of a relation $\mathbb{R}$ if it satisfies completeness, knowledge-soundness and is honest-verifier zero-knowledge.
+\end{definition}
+
+Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in Appendix~\autoref{app:definitions}.
+
+Also, two of three proofs that make up Curdleproofs are~\glspl{ipa}.
+These are also~\glspl{zkp}, and will be the focus of this paper.
+Hence, we provide a definition on~\glspl{ipa}.
+
+\begin{definition}[Inner Product Argument]
+    The argument takes as input two binding vector commitments $C=\mathbf{c}\times\mathbf{g}\in\mathbb{G}$ and $D=\mathbf{d}\times\mathbf{g'}\in\mathbb{G}$ to the vectors $\mathbf{c},\mathbf{d}\in\mathbb{Z}_p^n$ and $z\in\mathbb{Z}_p$.
+    The goal is to prove that $z=\mathbf{c}\times\mathbf{d}$.
+    The argument has logarithmic communication by halving the dimensions of $\mathbf{c}$ and $\mathbf{d}$ in each iteration.
+\end{definition}
+
 \subsection{Whisk}\label{subsec:related-work-whisk}
-Ethereum uses a proof-of-stake consensus mechanism, which allows users to validate transactions and create new blocks by staking their Ether (ETH) tokens.
-The Proof-of stake protocol works in epochs of 32 slots, where each slot is 12 seconds long.
+Ethereum uses a~\gls{pos} consensus mechanism, which allows users to validate transactions and create new blocks by staking their~\gls{eth} tokens.
+The~\gls{pos} protocol works in epochs of 32 slots, where slots are 12 seconds long.
 In each slot a proposer is chosen to propose a block thereby allowing the network to reach consensus on the state of the blockchain.
 
-The proposer~\gls{dos} attack is a type of attack that targets the block proposers making them unable to propose blocks.
+The proposer~\gls{dos} attack is a type of attack that targets the block proposers, making them unable to propose blocks.
 An adversary can use the proposer~\gls{dos} attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their own rewards~\cite{EthereumSSLE2024}.
-As a response to the proposer~\gls{dos} attack, Ethereum has proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack.
+As a response to the proposer~\gls{dos} attack, Ethereum proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack.
 An attack on the Ethereum network that was discovered by Heimbach et al.~\cite{heimbach2024deanonymizingethereumvalidatorsp2p} is the deanonymization attack on validators.
-In our preliminary work~\cite{ouroldpaper}, we have shown that the attack is still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed.
+In our preliminary work~\cite{ouroldpaper}, we show that the attack is still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed.
 
 
-Whisk is a~\gls{zk}~\gls{ssle} system that uses a~\gls{zk} argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle without revealing the input or output~\cite{10.1145/3419614.3423258}.
+Whisk is a~\gls{zk}~\gls{ssle} system that uses a~\gls{zk} argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle with size $\ell$ without revealing the input or output~\cite{10.1145/3419614.3423258}.
 Whisk works by selecting a list of 16,384 validator trackers and shuffles them over 8,192 slots ($\sim$1 day).
 Then 8,192 proposers are selected from the shuffled list to propose blocks for the next 8,192 slots while a new list is being shuffled.
 This way a new list of proposers is created every day.
@@ -112,9 +133,9 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
         \node  at (2.4,4) {A=$\sigma(\mathbf{a})\times \mathbf{g}$};
         \node  at (2.4,3.5) {$M=\sigma(1,2,\dots,\ell)\times \mathbf{g}$};
         \node [font=\large] at (5.75,4.5) {SameMSM};
-        \node  at (5.75,4) {$A=\mathbf{c}\times \mathbf{g}$};
-        \node  at (5.75,3.5) {$T=\mathbf{c}\times \mathbf{T}$};
-        \node  at (5.75,3) {$U=\mathbf{c}\times \mathbf{U}$};
+        \node  at (5.75,4) {$A=\mathbf{v}\times \mathbf{g}$};
+        \node  at (5.75,3.5) {$T=\mathbf{v}\times \mathbf{T}$};
+        \node  at (5.75,3) {$U=\mathbf{v}\times \mathbf{U}$};
         \node [font=\large] at (8.5,4.5) {SameScalar};
         \node  at (8.5,4) {$T=k(\mathbf{a}\times \mathbf{R})$};
         \node  at (8.5,3.5) {$U=k(\mathbf{a}\times \mathbf{S})$};
@@ -133,57 +154,37 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
 \end{figure}
 
 The first proof is the~\gls{sameperm} proof.
-The prover first constructs a commitment to the permutation, $\sigma()$, by saying $M=\sigma(1,2,\dots,\ell)\times\mathbf{g}$.
-Then, using the Fiat-Shamir transformation, a challenge, $\mathbf{a}$, from public inputs is constructed, and a new commitment is made from that, $A=\sigma(\mathbf{a})\times\mathbf{g}$.
-The~\gls{sameperm} proof now consists of convincing the verifier that the same permutation was used for constructing commitment $A$ and $M$.
+The prover first constructs a commitment to the permutation,~$\sigma()$, by saying $M=\sigma(1,2,\dots,\ell)\times\mathbf{g}$, where~$\ell$ is the number of shuffled trackers, and $\mathbf{g}$ is a vector of cryptographic generators.
+Then, using the Fiat-Shamir transformation, a challenge,~$\mathbf{a}$, from public inputs is constructed, and a new commitment is made from that, $A=\sigma(\mathbf{a})\times\mathbf{g}$.
+The~\gls{sameperm} proof consists of convincing the verifier that the same permutation was used for constructing the commitments $A$ and $M$.
 To do this, the two commitments are used to construct a polynomial equation.
 Then Neff's trick~\cite{10.1145/501983.502000} is used, which observes that two polynomials are equal iff.\ their roots are the same up to permutation.
 
-To prove that, the protocol makes use of a grand product argument.
-To prove that argument, Curdleproofs compiles it down to an~\gls{ipa} by expressing each multiplication of the grand product as its own equation.
-This~\gls{ipa} stems from the protocol originally proposed by Bootle et al.~\cite{cryptoeprint:2016/263,Curdleproofs}
+In order to show this, the protocol makes use of a~\gls{grandprod} argument.
+To prove that argument, Curdleproofs compiles it down to a~\gls{dlipa} by expressing each multiplication of the grand product as its own equation.
+This~\gls{dlipa} stems from the protocol originally proposed by Bootle et al.~\cite{cryptoeprint:2016/263,Curdleproofs}
 
-Hence, the~\gls{sameperm} proof is done if the prover can prove the~\gls{ipa}.
+Hence, the~\gls{sameperm} proof is done if the prover can prove the~\gls{dlipa}.
 
 
 The second proof is a~\gls{samemsm} argument.
-The prover should by now have proven the existence of the permutation.
-Now, the goal of the~\gls{samemsm} argument is to prove that the output ciphertext set was constructed with the same permutation, here called multiscalar, committed to in commitment $A$.
-As the multiscalar is a vector this argument is an~\gls{ipa} by nature, contrary to the~\gls{sameperm} argument.
+The prover has proven the existence of the permutation.
+Now, the goal of the~\gls{samemsm} argument is to prove that the output ciphertext set was constructed with the same permutation, $\sigma$, here called multiscalar $\mathbf{v}$\footnote{Denoted as $\mathbf{c}$ in the Curdleproofs paper but changed for readability}, committed to in commitment $A$.
+Note, therefore, that $A$ in~\gls{sameperm} and~\gls{samemsm} is the same commitment, where $\mathbf{v}=\sigma(\mathbf{a})$
+As the multiscalar is a vector, this argument is an~\gls{ipa} by nature, contrary to the~\gls{sameperm} argument.
 
 The third proof is a Same Scalar argument.
 To mask the ciphertexts, each prover, besides permuting the set, multiplies all ciphertexts by a scalar, $k$.
 This is for randomization purposes, making it harder for adversaries to track the ciphertexts~\cite{Whisk2024}.
 Also, all validators are still able to open their commitments if they are chosen as block proposers, even after several randomizations.
-So, the goal of the Same Scalar argument is to prove the existence of the scalar,~$k$, such that the commitment of the permuted set is equal to the commitment of the pre-permuted set multiplied by $k$.
+Therefore, the goal of the Same Scalar argument is to prove the existence of the scalar,~$k$, such that the commitment of the permuted set is equal to the commitment of the pre-permuted set multiplied by $k$.
 
 
-
-\subsection{Zero-knowledge proofs}\label{sec:background-zkps}
-Curdleproofs is a~\gls{zkp} system, which means that it allows a prover to convince a verifier that they know a secret without revealing the secret itself.
-Within the context of Ethereum, it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
-In Whisk, it uses Curdleproofs to prove the validity of a shuffle.
-
-\begin{definition}[Zero-Knowledge Argument of Knowledge]
-    An argument $(Setup, P, V)$ is a zero-knowledge argument of knowledge of a relation $\mathbb{R}$ if it satisfies completeness, knowledge-soundness and is honest-verifier zero-knowledge.
-\end{definition}
-
-Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in~\autoref{sec:appendix}.
-
-Two of the three proofs in Curdleproofs are~\glspl{ipa}.
-These are also~\glspl{zkp}, and will be the focus of this paper.
-Hence, we provide a definition on~\glspl{ipa}.
-
-\begin{definition}[Inner Product Argument]
-    Takes as input two binding vector commitments $C=\mathbf{c}\times\mathbf{G}\in\mathbb{G}$ and $D=\mathbf{d}\times\mathbf{G'}\in\mathbb{G}$ to the vectors $\mathbf{c},\mathbf{d}\in\mathbb{Z}_p^n$ and $z\in\mathbb{Z}_p$.
-    The goal is to prove that $z=\mathbf{c}\times\mathbf{d}$.
-    The argument has logarithmic communication by halving the dimensions of $\mathbf{c}$ and $\mathbf{d}$ in each iteration.
-\end{definition}
+In Chapter 6 of Curdleproofs~\cite{Curdleproofs} they explain that the proof has size~$18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$, where $\mathbb{G}$ is a cryptographic group point, and $\mathbb{F}$ is a field element.
 
 \subsection{Problem definition}\label{subsec:problem-definition}
-In Chapter 6 of Curdleproofs~\cite{Curdleproofs}, they explain the efficiency of the protocol, including also the size of the proof.
-They specifically mention that the proof has size~$18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
-As the proof size is dependent on the size of the shuffle,~$\ell$, an interest in the possibility of reducing this parameter arises.
-The current proposal of Curdleproofs only works on shuffles, where the size is a power of 2.
-The reason is that the underlying proofs, such as the~\gls{ipa}, need to fold recursively down to 1, by halving the size in every round.
+The current proposal of Curdleproofs only works when the shuffle size of Whisk is set to a power of 2.
+The reason is that the underlying proofs,~\gls{dlipa} in~\gls{sameperm} and~\gls{samemsm}, need to fold recursively down to 1, by halving the size in every round.
+With the current shuffling size being 128, being able to choose the size more flexibly could lead to both performance and size gains.
+The problem we study in this article is therefore how to extend Curdleproofs to~$\ell$ values that are not a power of 2.
 
