title = {A verifiable secret shuffle and its application to e-voting},
172
+
year = {2001},
173
+
isbn = {1581133855},
174
+
publisher = {Association for Computing Machinery},
175
+
address = {New York, NY, USA},
176
+
url = {https://doi.org/10.1145/501983.502000},
177
+
doi = {10.1145/501983.502000},
178
+
abstract = {We present a mathematical construct which provides a cryptographic protocol to verifiably shuffle a sequence of k modular integers, and discuss its application to secure, universally verifiable, multi-authority election schemes. The output of the shuffle operation is another sequence of k modular integers, each of which is the same secret power of a corresponding input element, but the order of elements in the output is kept secret. Though it is a trivial matter for the "shuffler" (who chooses the permutation of the elements to be applied) to compute the output from the input, the construction is important because it provides a linear size proof of correctness for the output sequence (i.e. a proof that it is of the form claimed) that can be checked by an arbitrary verifiers. The complexity of the protocol improves on that of Furukawa-Sako[16] both measured by number of exponentiations and by overall size.The protocol is shown to be honest-verifier zeroknowledge in a special case, and is computational zeroknowledge in general. On the way to the final result, we also construct a generalization of the well known Chaum-Pedersen protocol for knowledge of discrete logarithm equality [10], [7]. In fact, the generalization specializes exactly to the Chaum-Pedersen protocol in the case k = 2. This result may be of interest on its own.An application to electronic voting is given that matches the features of the best current protocols with significant efficiency improvements. An alternative application to electronic voting is also given that introduces an entirely new paradigm for achieving Universally Verifiable elections.},
179
+
booktitle = {Proceedings of the 8th ACM Conference on Computer and Communications Security},
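Review bot: the abstract field at new line 178 carries pasted text with the source's own artifacts: "an arbitrary verifiers" should be "an arbitrary verifier", "zeroknowledge" should be "zero-knowledge", and spaces are missing after "overall size." and "on its own."; since bibliography styles rarely print abstract, dropping the field is simpler than maintaining it. The url and doi fields (new lines 177 and 178) carry the same identifier, and biblatex will print both unless one is removed, so keep only doi.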
An adversary can use the proposer DoS attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their oen rewards~\cite{EthereumSSLE2024}.
76
76
As a response to the proposer DoS attack, Ethereum has proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack.
77
77
An attack on the Ethereum network that was discovered by Heimbach et al.~\cite{heimbach2024deanonymizingethereumvalidatorsp2p} is the deanonymization attack on validators.
78
-
In our preliminary work~\cite{ouroldpaper}, we have shown that the attack still possible to perform on the Ethereum network, and using the attack, a proposer DoS can be preformed.
78
+
In our preliminary work~\cite{ouroldpaper}, we have shown that the attack still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed.
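Review bot: the new line 78 keeps the missing verb from the line it replaces: "the attack still possible to perform" should read "the attack is still possible to perform". While this region is touched, the unchanged context at line 76 has "oen rewards" for "own rewards", and "rewards, gotten from proposing a block," reads better as "the rewards from proposing a block".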
Whisk is a zero-knowledge Single Secret Leader Election (SSLE) system that uses a zero-knowledge argument called curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle without revealing the input or output~\cite{10.1145/3419614.3423258}
82
+
Whisk is a zero-knowledge Single Secret Leader Election (SSLE) system that uses a zero-knowledge argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle without revealing the input or output~\cite{10.1145/3419614.3423258}.
83
83
Whisk works by selecting a list of proposers 16384 and shuffling them over 8192 slots (1 day).
84
84
Then 8192 proposers are selected from the shuffled list to propose blocks for the next 8192 slots while a new list is being shuffled.
85
85
This way a new list of proposers is created every day.
86
86
After each shuffle Whisk uses a zero-knowledge proof to prove that the shuffle is correct.
87
-
This is so that the proposer can prove that they are the correct proposer for the slot without revealing their identity, thereby mitigating the proposer DoS attack because of the identity of the upcoming proposers being hidden now.
87
+
This is so that the proposer can prove that they are the correct proposer for the slot without revealing their identity, thereby mitigating the proposer~\gls{dos} attack because of the identity of the upcoming proposers being hidden now.
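Review bot: the new line 87 preserves the unclear ending "because of the identity of the upcoming proposers being hidden now"; suggest "because the identities of the upcoming proposers are now hidden". The glossary switch is also incomplete: line 82 still spells out "Single Secret Leader Election (SSLE)" inline while lines 78 and 87 now use \gls{dos}; if an SSLE glossary entry exists, use \gls for it as well. Minor: "a list of proposers 16384" at line 83 should be "a list of 16384 proposers".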
Curdleproofs is a zero-knowledge proof system that allows a prover to prove the authenticity of a shuffle without revealing how it was shuffled.
91
-
It does this by using 3 different zero-knowledge proofs with one of them relying on two more zero-knowledge proofs.
92
-
the first proof is a sameperm proof.
93
-
The sameperm proof is used to prove a commitment to a specific, but not publicly known, permutation.
94
-
Sameperm also runs a subroutine to help with the proof, called a grand product argument.
95
-
The grand product argument is an intermediate step used to construct an inner product argument, which proves the grand product argument.
96
-
The second proof is a "same multiscalar" argument.
97
-
This proves that permuted set of ciphertexts was made by using the permutation that the prover previously committed to.
98
-
The third proof is a samescalar argument which proves that, given a public input, there exists a scalar, $k$, such that the commitment of the permuted set is equal to the commitment of the pre-permuted set multiplied by $k$.
90
+
Curdleproofs is a zero-knowledge proof system that allows a prover to prove knowledge of a shuffle without revealing how it shuffled the elements.
91
+
It does so by using three different zero-knowledge proofs, with one of them relying on two more zero-knowledge proofs.
92
+
93
+
The first proof is the~\gls{sameperm} proof.
94
+
The prover first constructs a commitment to the permutation, $\sigma()$, by saying $M=\sigma(1,2,\dots,\ell)\times\mathbf{g}$.
95
+
Then, using the Fiat-Shamir transformation, a challenge, $\mathbf{a}$, from public inputs is constructed, and a new commitment is made from that, $A=\sigma(\mathbf{a})\times\mathbf{g}$.
96
+
The~\gls{sameperm} proof now consists of convincing the verifier that the same permutation was used for constructing commitment $A$ and $M$.
97
+
To do this, the two commitments are used to construct a polynomial equation.
98
+
Then Neff's trick~\cite{10.1145/501983.502000}, which observes that two polynomials are equal iff.\ their roots are the same up to permutation.
99
+
100
+
This is proven through a grand product argument.
101
+
To prove that argument, Curdleproofs compiles it down to an~\gls{ipa} by expressing each multiplication of the grand product as its own equation.
102
+
103
+
Hence, the~\gls{sameperm} proof is done if the prover can prove the~\gls{ipa}.
104
+
105
+
106
+
The second proof is a~\gls{samemsm} argument.
107
+
The prover should by now have proven the existence of the permutation.
108
+
Now, the goal of the~\gls{samemsm} argument is to prove that the output ciphertext set was constructed with the same permutation, here called multiscalar, committed to in commitment $A$.
109
+
As the multiscalar is a vector this argument is an~\gls{ipa} by nature, contrary to the~\gls{sameperm} argument.
110
+
111
+
The third proof is a Same Scalar argument.
112
+
To mask the ciphertexts, each prover, besides permuting the set, multiplies all ciphertexts by a scalar, $k$.
113
+
This is for randomization purposes, making it harder for adversaries to track the ciphertexts~\cite{Whisk2024}.
114
+
Also, all validators are still able to open their commitments if they are chosen as block proposers, even after several randomizations.
115
+
So, the goal of the Same Scalar argument is to prove the existence of the scalar, $k$, such that the commitment of the permuted set is equal to the commitment of the pre-permuted set multiplied by $k$.
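Review bot: new line 98 is a sentence fragment, "Then Neff's trick~\cite{10.1145/501983.502000}, which observes that ..." has no main verb; suggest "Then Neff's trick~\cite{10.1145/501983.502000} is applied, which observes that two polynomials are equal iff their roots are the same up to permutation." and drop the period in "iff.\ ", since iff is not an abbreviation. The product written as $\times$ in $M=\sigma(1,2,\dots,\ell)\times\mathbf{g}$ and $A=\sigma(\mathbf{a})\times\mathbf{g}$ (new lines 94 and 95) is never defined; state once that it is the multiscalar product of the vector with the generator vector $\mathbf{g}$, otherwise a reader may take it for a cross product. At new line 108, "the same permutation, here called multiscalar" conflates the permutation with the vector of scalars it produces; say which object the \gls{samemsm} argument is about.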