Changes from supervisors

Author: Maltesius

report/src/sections/02-background.tex

@@ -62,15 +62,16 @@ \section{Background}\label{sec:background}
 \end{definition}
 
 \subsection{Zero-knowledge proofs}\label{sec:background-zkps}
-Before explaining the protocol, we must mention that Curdleproofs is a~\gls{zkp} system, which is a system that allows a prover to convince a verifier that they know a secret without revealing the secret itself.
+Before explaining the protocol, we must mention that Curdleproofs, and hence also Whisk, is a~\gls{zkp} system.
+It is a system that allows a prover to convince a verifier that they know a secret without revealing the secret itself.
 Within the context of Ethereum, it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it.
 In Whisk, it uses Curdleproofs to prove the validity of a shuffle.
 
 \begin{definition}[Zero-Knowledge Argument of Knowledge]
     An argument $(Setup, P, V)$ is a zero-knowledge argument of knowledge of a relation $\mathbb{R}$ if it satisfies completeness, knowledge-soundness and is honest-verifier zero-knowledge.
 \end{definition}
 
-Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in Appendix~\autoref{app:definitions}.
+Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in Appendix~\ref{sec:appendix}.
 
 Also, two of three proofs that make up Curdleproofs are~\glspl{ipa}.
 These are also~\glspl{zkp}, and will be the focus of this paper.
@@ -162,7 +163,7 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
 
 In order to show this, the protocol makes use of a~\gls{grandprod} argument.
 To prove that argument, Curdleproofs compiles it down to a~\gls{dlipa} by expressing each multiplication of the grand product as its own equation.
-This~\gls{dlipa} stems from the protocol originally proposed by Bootle et al.~\cite{cryptoeprint:2016/263,Curdleproofs}
+The proof of the~\gls{dlipa} then stems from the protocol originally proposed by Bootle et al.~\cite{cryptoeprint:2016/263,Curdleproofs}
 
 Hence, the~\gls{sameperm} proof is done if the prover can prove the~\gls{dlipa}.
 

report/src/sections/03-related-work.tex

@@ -48,7 +48,7 @@ \subsection{Bulletproofs}\label{subsec:related-work-bulletproofs}
 One of these is Bulletproofs+~\cite{chung2022bulletproofs+} which uses a weighted inner product argument instead of the standard inner product argument to achieve a better performance.
 Bulletproofs+ is also a zero-knowledge proof by itself unlike the original bulletproofs.
 Trying to modify Curdleproofs with the weighted inner product argument introduces complications that would need larger modifications and is therefore not suitable.
-This can be seen in Appendix~\autoref{app:bpplus}
+This can be seen in Appendix~\ref{app:curdleproofs-weighted-inner-product-argument-modification-attempt}
 
 A third version of the Bulletproofs protocol is Bulletproofs++~\cite{eagen2024bulletproofs++} which uses a new type of argument called the norm argument to achieve a better performance.
 This comes from the prover only needing to commit to a single vector, rather than two.

report/src/sections/04-Approach.tex

@@ -402,25 +402,26 @@ \subsubsection{Size reduction}
 If we can reduce the shuffle size used in Whisk and still prove it secure, then we expect to see some reduction in the size overhead on the blockchain.
 
 We first set our focus on Curdleproofs, as this is the protocol we have modified directly.
-As mentioned in~\autoref{sec:background-zkps}, the size of Curdleproofs is $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
+As mentioned in~\autoref{subsec:related-work-whisk}, the size of Curdleproofs is $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$.
 The dependence on the $\log$ stems from the number of recursive rounds that take place in the~\gls{sameperm} and~\gls{samemsm} proofs.
 The addition of four elements in the $\log$ stems from the protocol needing those as blinders.
 Hence, at a proof of size 128, $\ell$ is 124.
-In the proof of theorem 1, we show CAAUrdleproofs to be $\mathcal{O}(\log n)$.
+In the proof of theorem 1, see Appendix~\ref{sec:appendix-thm1proof}, we show that CAAUrdleproofs is $\mathcal{O}(\log n)$, which is the same as Curdleproofs.
+However, as discussed in~\autoref{subsec:approach-CAAUrdleproofs}, CAAUrdleproofs'~\gls{ipa} proofs use $\lceil \log n \rceil$ recursive rounds.
 This means that the size of CAAUrdleproofs must be $18+10 \lceil\log(\ell+4)\rceil\mathbb{G}$, $7\mathbb{F}$.
 
 CAAUrdleproofs therefore has the same proof size as Curdleproofs.
 
 The CAAUrdleproofs modification can still reduce the overall block size overhead, though.
-Using Whisk with CAAUrdleproofs has a block size of $16.656$ KB, when the shuffle size is 128\cite{Whisk2024}.
+By using the overhead calculation described by Whisk on CAAUrdleproofs, it measures a block overhead of $16.656$ KB, when the shuffle size is 128~\cite{Whisk2024}.
 Note that this is the same size as Curdleproofs, as the shuffle size is a power of 2.
-The calculation of the block size comes from the following, where $\mathbb{G}=48$ bytes and $\mathbb{F}=32$ bytes\footnote{\text{As noted in the code on the Curdleproofs GitHub repository: }\\ \href{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}. Accessed: 26/05/2025}:
+The provided calculation of the block overhead is provided as the following, where $\mathbb{G}=48$ bytes and $\mathbb{F}=32$ bytes\footnote{\text{As noted in the code on the Curdleproofs GitHub repository: }\\ \href{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}{https://github.com/asn-d6/curdleproofs/blob/main/src/whisk.rs}. Accessed: 26/05/2025}:
 \begin{itemize}
     \item List of shuffled trackers ($\ell\cdot96\Rightarrow\text{eg. }124\cdot96=11,904$ bytes).
     \item Shuffle proof ($18+10 \lceil\log(\ell+4)\rceil\mathbb{G}$, $7\mathbb{F}\Rightarrow\text{eg. }(18+10\lceil\log(124+4)\rceil)\cdot48+7\cdot32=4,448$ bytes).
     \item A fresh tracker (two BLS G1 points $\Rightarrow48\cdot2=96$ bytes).
     \item A new commitment $com(k)$ to the proposer's tracker (one BLS G1 point $\Rightarrow48$ bytes).
     \item A Discrete Logarithm Equivalence Proof on the ownership of the elected proposer commitment (two G1 points, two Fr scalars $\Rightarrow2\cdot48+2\cdot32=160$ bytes).
 \end{itemize}
-The majority of the block size comes from the list of shuffled trackers.
-Hence, using CAAUrdleproofs could majorly decrease the block size by allowing~$\ell$ to be chosen at arbitrary length.
+The majority of the block overhead comes from the list of shuffled trackers.
+Hence, as the list size is heavily dependent on~$\ell$, using CAAUrdleproofs could majorly decrease the block overhead by allowing~$\ell$ to be more flexibly chosen as a smaller size than 128.

report/src/sections/06-results.tex

@@ -24,7 +24,7 @@ \subsection{Proving and Verifying Times}\label{subsec:results:provingverifying}
 Though, this seems to not be the case, at least not as aggressively, when increasing $\ell$ from 128.
 We find, however, that the bump is smaller the higher $\ell$ is.
 
-Additional to the proving and verifying times, the time used on shuffling is also lower for any $\ell$ that is not a power of 2; see Appendix~\autoref{app:shuffling-times}.
+Additional to the proving and verifying times, the time used on shuffling is also lower for any $\ell$ that is not a power of 2; see Appendix~\ref{sec:shuffling-results}.
 Though, that was to be expected since CAAUrdleproofs uses the same shuffling algorithm as Curdleproofs, but does not have to add additional padding to the non-power of 2 input sizes.
 
 

report/src/sections/aa-appendix.tex

@@ -3,7 +3,7 @@
 
 % Main appendix file
 % Insert appendix sections below
-\input{sections/appendix/01-appendix}\label{app:definitions}
-\input{sections/appendix/02-thm1proof}\label{app:thm1proof}
-\input{sections/appendix/03-bpplus}\label{app:bpplus}
-\input{sections/appendix/04-shuffling-times}\label{app:shuffling-times}
+\input{sections/appendix/01-appendix}
+\input{sections/appendix/02-thm1proof}
+\input{sections/appendix/03-bpplus}
+\input{sections/appendix/04-shuffling-times}

report/src/sections/appendix/03-bpplus.tex

@@ -1,2 +1,3 @@
 
-\section{Curdleproofs Weighted Inner Product Argument Modification Attempt}\label{sec:curdleproofs-weighted-inner-product-argument-modification-attempt}
+\section{Curdleproofs Weighted Inner Product Argument Modification Attempt}\label{app:curdleproofs-weighted-inner-product-argument-modification-attempt}
+We have made code for the~\gls{ipa} in the Curdleproofs repository which actually works with Bulletproofs+' Weighted Inner Product Argument.

report/src/setup/acronyms.tex

@@ -28,6 +28,6 @@
 \newacronym{samemsm}{SameMSM}{Same Multiscalar Multiplication}
 \newacronym{rrc}{RRC}{re-randomizable commitment}
 \newacronym{eth}{ETH}{Ether}
-\newacronym{grandprod}{GrandProd}{Grand Product Argument}
+\newacronym{grandprod}{GrandProd}{Grand Product}
 \newacronym{dlipa}{DL IPA}{Discrete-Logarithm Inner Product Argument}