From 77bb2c0d9954e57b87777326a924af325891257d Mon Sep 17 00:00:00 2001 From: Maltesius Date: Thu, 22 May 2025 10:58:29 +0200 Subject: [PATCH 01/14] first corrections --- report/src/sections/04-Approach.tex | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/report/src/sections/04-Approach.tex b/report/src/sections/04-Approach.tex index ac3e57f..0cc22a6 100644 --- a/report/src/sections/04-Approach.tex +++ b/report/src/sections/04-Approach.tex @@ -5,13 +5,7 @@ \section{approach}\label{sec:approach} The following is our approach to, how we modified the~\gls{ipa}. \subsection{Springproofs}\label{sec:approach-springproofs} -In Chapter 6 of Curdleproofs~\cite{Curdleproofs}, they explain the efficiency of the protocol, including also the size of the proof. -They specifically mention that the proof has size $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$. -As the proof size is dependent on the size of the shuffle, $\ell$, an interest in the possibility of reducing this parameter arises. -The current proposal of curdleproofs only works on shuffles, where the size is a power of 2. -The reason is that the underlying proofs, such as the~\gls{ipa}, needs to fold recursively down to 1, by halving the size in every round. - -The Springproofs protocol~\cite{zhang2024springproofs} can be used very effectively in this scenario. +The Springproofs protocol~\cite{zhang2024springproofs} can be used very effectively in solving the problem stated in~\autoref{subsec:problem-definition}. The theory of Springproofs provides support for~\glspl{ipa} to use vectors of arbitrary length. Using the findings of Springproofs means Curdleproofs could be used on shuffle sizes other than powers of two. As such, they could lower the shuffle size from the current 128 to a size significantly lower, given it is still secure. 
@@ -258,11 +252,12 @@ \subsection{Shuffle security}\label{subsec:approach-shuffle-security} This process is repeated for $T$ slots and the shuffle is complete. During the $T$ shuffles, some shufflers may be adversarial. This means that whenever the shuffling process is taking place, a part of the shuffles may be adversarial. -An adversarial shuffle can be seen as no shuffling being done. +An adversary can choose to do anything with its shuffle, including not shuffling. +Hence, an adversarial shuffle can be seen as no shuffling being done. Therefore, the number of honest shuffles that happen during the shuffle process is $T_H = T - \beta$, where $\beta$ is the number of adversarial shuffles. The adversary can also track cups. -For instance, if some of the cups are the adversary's own. +For instance, if some of the cups are owned by the adversary. Those tracked cups are denoted by~$\alpha$, which is $\leq n$. The shuffle is secure if none of the following two events occur. From 8d7405b7b60391016e14b3474fac4b1a5bb34a97 Mon Sep 17 00:00:00 2001 From: Maltesius Date: Thu, 22 May 2025 10:58:43 +0200 Subject: [PATCH 02/14] first corrections --- report/src/sections/03-background.tex | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/report/src/sections/03-background.tex b/report/src/sections/03-background.tex index c1d1f6c..3189f8e 100644 --- a/report/src/sections/03-background.tex +++ b/report/src/sections/03-background.tex 
@@ -116,9 +116,17 @@ \subsection{Whisk}\label{subsec:related-work-whisk} \subsection{Zero-knowledge proofs}\label{sec:background-zkps} Curdleproofs is a zero-knowledge proof system, which means that it allows a prover to convince a verifier that they know a secret without revealing the secret itself. -within the context of Ethereum it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it. +Within the context of Ethereum it could be the ability to convince someone that a transaction is valid without revealing information about the transaction such as the value of it. +In Whisk, it uses Curdleproofs to prove the validity of a shuffle. \begin{definition}[Zero-Knowledge Argument of Knowledge] An argument $(Setup, P, V)$ is a zero-knowledge argument of knowledge of a relation $\mathbb{R}$ if it satisfies completeness, knowledge-soundness and is honest-verifier zero-knowledge. \end{definition} +\subsection{Problem definition}\label{subsec:problem-definition} +In Chapter 6 of Curdleproofs~\cite{Curdleproofs}, they explain the efficiency of the protocol, including also the size of the proof. +They specifically mention that the proof has size $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$. +As the proof size is dependent on the size of the shuffle, $\ell$, an interest in the possibility of reducing this parameter arises. +The current proposal of curdleproofs only works on shuffles, where the size is a power of 2. +The reason is that the underlying proofs, such as the~\gls{ipa}, needs to fold recursively down to 1, by halving the size in every round. + From 57e9c66cd2a5a6d7d584b6593e501d575c1bbd11 Mon Sep 17 00:00:00 2001 From: Maltesius Date: Thu, 22 May 2025 10:58:54 +0200 Subject: [PATCH 03/14] first corrections --- report/src/sections/02-related-work.tex | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/report/src/sections/02-related-work.tex b/report/src/sections/02-related-work.tex index 24a467d..751b46c 100644 --- a/report/src/sections/02-related-work.tex +++ b/report/src/sections/02-related-work.tex @@ -13,7 +13,7 @@ \subsection{Single Secret Leader Election}\label{sec:related-work-SSLE} -\subsection{Shuffling algorithm}\label{sec:related-work-Shuffling-algorithm} +\subsection{Shuffling algorithms}\label{subsec:related-work-shuffling-algorithm} The Håstad square shuffle~\cite{haastad2006square} is one of the proposed ways of integrating an~\gls{ssle}. The Håstad square shuffle is a shuffling algorithm that shuffles a $n$ long vector with a shuffle size of $\sqrt {n}$. 
@@ -26,12 +26,12 @@ \subsection{Shuffling algorithm}\label{sec:related-work-Shuffling-algorithm} The Feistel shuffle was then later replaced by the shuffle proposed be Larsen et al.~\cite{cryptoeprint:2022/560} because of the Feistel shuffle being too slow to shuffle the list of proposers. -\subsection{Bulletproofs}\label{sec:related-work-bulletproofs} -A big inspiration for the curdleproofs protocol is bulletproofs~\cite{bunz2018bulletproofs}. +\subsection{Bulletproofs}\label{subsec:related-work-bulletproofs} +A big inspiration for the Curdleproofs protocol is bulletproofs~\cite{bunz2018bulletproofs}. Bulletproofs is a type of range proof that uses inner product arguments to prove that a committed value is within a certain range without revealing the value itself. Bulletproofs is in itself not a zero-knowledge proof system, but with the help of Fiat Shamir~\cite{bunz2018bulletproofs} it can be used to create a zero-knowledge proof. Bulletproofs also has had a few iterations and improvements to increase the speed and reduce the size of the proof since it was used in curdleproofs. One of these is Bulletproofs+~\cite{chung2022bulletproofs+} which uses a weighted inner product argument instead of the standard inner product argument to achieve a better performance. -Bulletproofs+ is also different because it is zero-knowledge proof by itself unlike the original bulletproofs. -A third version of the bulletproofs is Bulletproofs++~\cite{eagen2024bulletproofs++} which uses a new type of argument called the norm argument to achieve a better performance. -Unlike the two other proofs Bulletproofs++ is a binary range proof, which means that even if it is the fastest proof it is not suitable for the curdleproofs protocol due to the binary nature of the bulletproofs++. \ No newline at end of file +Bulletproofs+ is also a zero-knowledge proof by itself unlike the original bulletproofs. 
+A third version of the Bulletproofs protocol is Bulletproofs++~\cite{eagen2024bulletproofs++} which uses a new type of argument called the norm argument to achieve a better performance. +Unlike the two other proofs Bulletproofs++ is a binary range proof, which means that even if it is the fastest proof it is not suitable for the Curdleproofs protocol due to the binary nature of the bulletproofs++. \ No newline at end of file From af7ddd0d994898c970ac4e7a052301043a3ff53b Mon Sep 17 00:00:00 2001 From: Maltesius Date: Thu, 22 May 2025 11:54:00 +0200 Subject: [PATCH 04/14] File renaming --- report/src/main.tex | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/report/src/main.tex b/report/src/main.tex index 06b8512..d91cc3b 100644 --- a/report/src/main.tex +++ b/report/src/main.tex @@ -16,8 +16,8 @@ \maketitle \input{sections/00-abstract} \input{sections/01-introduction} - \input{sections/03-background} - \input{sections/02-related-work} + \input{sections/02-background} + \input{sections/03-related-work} \input{sections/04-approach} \input{sections/05-experimental-protocol} \input{sections/06-results} From 2548dba9c6bd26eac715210be47b1a0e7979ac97 Mon Sep 17 00:00:00 2001 From: Maltesius Date: Thu, 22 May 2025 11:54:16 +0200 Subject: [PATCH 05/14] added bpp to appendix --- report/src/sections/aa-appendix.tex | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/report/src/sections/aa-appendix.tex b/report/src/sections/aa-appendix.tex index fb32dd6..10fac85 100644 --- a/report/src/sections/aa-appendix.tex +++ b/report/src/sections/aa-appendix.tex @@ -4,4 +4,5 @@ % Main appendix file % Insert appendix sections below \input{sections/appendix/01-appendix} -\input{sections/appendix/02-thm1proof} \ No newline at end of file +\input{sections/appendix/02-thm1proof} +\input{sections/appendix/03-bpplus} \ No newline at end of file From da189108570957d82322721272068428b7c68a29 Mon Sep 17 00:00:00 2001 
From: Maltesius Date: Thu, 22 May 2025 11:54:37 +0200 Subject: [PATCH 06/14] bulletproofs corrections --- .../{02-related-work.tex => 03-related-work.tex} | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) rename report/src/sections/{02-related-work.tex => 03-related-work.tex} (71%) diff --git a/report/src/sections/02-related-work.tex b/report/src/sections/03-related-work.tex similarity index 71% rename from report/src/sections/02-related-work.tex rename to report/src/sections/03-related-work.tex index 751b46c..d7eb59f 100644 --- a/report/src/sections/02-related-work.tex +++ b/report/src/sections/03-related-work.tex 
@@ -20,18 +20,24 @@ \subsection{Shuffling algorithms}\label{subsec:related-work-shuffling-algorithm} The algorithm works by splitting the vector into $\sqrt {n}$ times $\sqrt {n}$ square matrix and for each step in the algorithm it switches between shuffling a row and a column. The Håstad shuffle is more rigid than the shuffling algorithm used in curdleproofs~\cite{cryptoeprint:2022/560} because of the fixed size of the shuffle being $\sqrt {n}$. -The Feistel shuffle~\cite{Feistle} is the previous shuffle method used in the Whisk protocol~\cite{Whisk2024}. -The Feistel shuffle is a shuffling algorithm that works by taking $n$ number of trackers and arranging them in a $k$ times $k$ matrix. +The Feistel shuffle~\cite{Feistle} is a previously used shuffle method in the Whisk protocol~\cite{Whisk2024}. +It takes $n$ number of validator trackers and arranges them in a $k$ times $k$ matrix. Each round the $i$-th proposer selects the $i$-th row of the created matrix and shuffles it in the form $F(x,y)=(y,x+y^3 mod k)$. -The Feistel shuffle was then later replaced by the shuffle proposed be Larsen et al.~\cite{cryptoeprint:2022/560} because of the Feistel shuffle being too slow to shuffle the list of proposers. - +The Feistel shuffle was later replaced by the shuffle proposed by Larsen et al.~\cite{cryptoeprint:2022/560}. +Ethereum mentioned the reason for this to be that the shuffle by Larsen et al.\ provides a simpler protocol~\cite{Whisk2024}. \subsection{Bulletproofs}\label{subsec:related-work-bulletproofs} A big inspiration for the Curdleproofs protocol is bulletproofs~\cite{bunz2018bulletproofs}. Bulletproofs is a type of range proof that uses inner product arguments to prove that a committed value is within a certain range without revealing the value itself. Bulletproofs is in itself not a zero-knowledge proof system, but with the help of Fiat Shamir~\cite{bunz2018bulletproofs} it can be used to create a zero-knowledge proof. 
Bulletproofs also has had a few iterations and improvements to increase the speed and reduce the size of the proof since it was used in curdleproofs. + One of these is Bulletproofs+~\cite{chung2022bulletproofs+} which uses a weighted inner product argument instead of the standard inner product argument to achieve a better performance. Bulletproofs+ is also a zero-knowledge proof by itself unlike the original bulletproofs. +Trying to modify Curdleproofs with the weighted inner product argument introduces complications that would need larger modifications and is therefore not suitable. +This can be seen in~\autoref{sec:curdleproofs-weighted-inner-product-argument-modification-attempt} + A third version of the Bulletproofs protocol is Bulletproofs++~\cite{eagen2024bulletproofs++} which uses a new type of argument called the norm argument to achieve a better performance. -Unlike the two other proofs Bulletproofs++ is a binary range proof, which means that even if it is the fastest proof it is not suitable for the Curdleproofs protocol due to the binary nature of the bulletproofs++. \ No newline at end of file +This comes from the prover only needing to commit to a single vector, rather than two. +Therefore, with the two vectors, $x$ and $y$ of a standard~\gls{ipa}, they need to assume $x=y$ for their protocol to work. +Then, along with the norm being weighted, which raises the same complications as with Bulletproofs+, this makes it unsuitable for Curdleproofs. \ No newline at end of file From e0d4400148f96e1d1a056ac8eac181f485de3f24 Mon Sep 17 00:00:00 2001 From: Maltesius Date: Thu, 22 May 2025 11:54:47 +0200 Subject: [PATCH 07/14] bpp appendix --- report/src/sections/appendix/03-bpplus.tex | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 report/src/sections/appendix/03-bpplus.tex diff --git a/report/src/sections/appendix/03-bpplus.tex b/report/src/sections/appendix/03-bpplus.tex new file mode 100644 index 0000000..0068fbb --- /dev/null 
+++ b/report/src/sections/appendix/03-bpplus.tex @@ -0,0 +1,2 @@ + +\section{Curdleproofs Weighted Inner Product Argument Modification Attempt}\label{sec:curdleproofs-weighted-inner-product-argument-modification-attempt} From 7fc613c0318677c336f658df79b17fd3a75306ab Mon Sep 17 00:00:00 2001 From: Maltesius Date: Thu, 22 May 2025 11:55:06 +0200 Subject: [PATCH 08/14] Began on corrections --- report/src/sections/{03-background.tex => 02-background.tex} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename report/src/sections/{03-background.tex => 02-background.tex} (97%) diff --git a/report/src/sections/03-background.tex b/report/src/sections/02-background.tex similarity index 97% rename from report/src/sections/03-background.tex rename to report/src/sections/02-background.tex index 3189f8e..2aa42d4 100644 --- a/report/src/sections/03-background.tex +++ b/report/src/sections/02-background.tex @@ -1,6 +1,6 @@ \section{Background}\label{sec:background} -In this section, we provide the necessary background information on the Curdleproofs protocol~\cite{Curdleproofs}, the Whisk protocol~\cite{Whisk2024} and an overview of the notation used in the paper. +In this section, we provide the necessary background information on Ethereum and a specific attack it is vulnerable to, the Curdleproofs protocol~\cite{Curdleproofs}, the Whisk protocol~\cite{Whisk2024} and an overview of the notation used in the paper. The notation used throughout this paper can be seen in~\autoref{tab:notation}. \begin{table*}[!htb] From 4dcfcc9aa495bd86519c354207f0fe74095893b3 Mon Sep 17 00:00:00 2001 
From: Maltesius Date: Thu, 22 May 2025 14:54:32 +0200 Subject: [PATCH 09/14] Began on corrections2 --- report/src/bib/main.bib | 10 ++++++++- report/src/sections/02-background.tex | 21 ++++++++---------- report/src/sections/03-related-work.tex | 4 ++++ report/src/sections/04-Approach.tex | 22 +++++++++---------- .../src/sections/05-experimental-protocol.tex | 8 +++---- report/src/sections/appendix/02-thm1proof.tex | 2 +- report/src/setup/acronyms.tex | 1 + 7 files changed, 39 insertions(+), 29 deletions(-) diff --git a/report/src/bib/main.bib b/report/src/bib/main.bib index 4221381..72eff60 100644 --- a/report/src/bib/main.bib +++ b/report/src/bib/main.bib @@ -182,4 +182,12 @@ @inproceedings{10.1145/501983.502000 keywords = {zeroknowledge, verifiable shuffle, verifiable mix, universal verifiability, permutation, mix-net, honest-verifier, electronic voting, anonymous credentials}, location = {Philadelphia, PA, USA}, series = {CCS '01} -} \ No newline at end of file +} + +@misc{cryptoeprint:2023/1241, + author = {Dan Boneh and Aditi Partap and Lior Rotem}, + title = {Post-Quantum Single Secret Leader Election ({SSLE}) From Publicly Re-randomizable Commitments}, + howpublished = {Cryptology {ePrint} Archive, Paper 2023/1241}, + year = {2023}, + url = {https://eprint.iacr.org/2023/1241} +} diff --git a/report/src/sections/02-background.tex b/report/src/sections/02-background.tex index 2aa42d4..465f612 100644 --- a/report/src/sections/02-background.tex +++ b/report/src/sections/02-background.tex @@ -1,4 +1,3 @@ - \section{Background}\label{sec:background} In this section, we provide the necessary background information on Ethereum and a specific attack it is vulnerable to, the Curdleproofs protocol~\cite{Curdleproofs}, the Whisk protocol~\cite{Whisk2024} and an overview of the notation used in the paper. 
@@ -63,28 +62,24 @@ \section{Background}\label{sec:background} \subsection{Whisk}\label{subsec:related-work-whisk} -\paragraph*{\textbf{Ethereum Proof of Stake}}\label{par:background-ethereum} Ethereum uses a proof-of-stake consensus mechanism, which allows users to validate transactions and create new blocks by staking their Ether (ETH) tokens. The Proof-of stake protocol works in epochs of 32 slots, where each slot is 12 seconds long. In each slot a proposer is chosen to propose a block thereby allowing the network to reach consensus on the state of the blockchain. -\paragraph*{\textbf{Proposer DoS attack}}\label{sec:background-proposer-DoS-attacks} The proposer DoS attack is a type of attack that targets the block proposers making them unable to propose blocks. -An adversary can use the proposer DoS attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their oen rewards~\cite{EthereumSSLE2024}. +An adversary can use the proposer DoS attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their own rewards~\cite{EthereumSSLE2024}. As a response to the proposer DoS attack, Ethereum has proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack. An attack on the Ethereum network that was discovered by Heimbach et al.~\cite{heimbach2024deanonymizingethereumvalidatorsp2p} is the deanonymization attack on validators. -In our preliminary work~\cite{ouroldpaper}, we have shown that the attack still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed. +In our preliminary work~\cite{ouroldpaper}, we have shown that the attack is still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed. 
-\paragraph*{\textbf{The Whisk protocol}}\label{sec:background-mitigation} Whisk is a zero-knowledge Single Secret Leader Election (SSLE) system that uses a zero-knowledge argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle without revealing the input or output~\cite{10.1145/3419614.3423258}. -Whisk works by selecting a list of proposers 16384 and shuffling them over 8192 slots (1 day). -Then 8192 proposers are selected from the shuffled list to propose blocks for the next 8192 slots while a new list is being shuffled. +Whisk works by selecting a list of 16,384 validator trackers and shuffles them over 8,192 slots ($\sim$1 day). +Then 8,192 proposers are selected from the shuffled list to propose blocks for the next 8,192 slots while a new list is being shuffled. This way a new list of proposers is created every day. -After each shuffle Whisk uses a zero-knowledge proof to prove that the shuffle is correct. +After each shuffle, Whisk uses a zero-knowledge proof to prove that the shuffle is correct. This is so that the proposer can prove that they are the correct proposer for the slot without revealing their identity, thereby mitigating the proposer~\gls{dos} attack because of the identity of the upcoming proposers being hidden now. -\paragraph*{\textbf{Curdleproofs}}\label{sec:background-curdleproofs} Curdleproofs is a zero-knowledge proof system that allows a prover to prove knowledge of a shuffle without revealing how it shuffled the elements. It does so by using three different zero-knowledge proofs, with one of them relying on two more zero-knowledge proofs. 
@@ -93,9 +88,9 @@ \subsection{Whisk}\label{subsec:related-work-whisk} Then, using the Fiat-Shamir transformation, a challenge, $\mathbf{a}$, from public inputs is constructed, and a new commitment is made from that, $A=\sigma(\mathbf{a})\times\mathbf{g}$. The~\gls{sameperm} proof now consists of convincing the verifier that the same permutation was used for constructing commitment $A$ and $M$. To do this, the two commitments are used to construct a polynomial equation. -Then Neff's trick~\cite{10.1145/501983.502000}, which observes that two polynomials are equal iff.\ their roots are the same up to permutation. +Then Neff's trick~\cite{10.1145/501983.502000} is used, which observes that two polynomials are equal iff.\ their roots are the same up to permutation. -This is proven through a grand product argument. +To prove that, the protocol makes use of a grand product argument. To prove that argument, Curdleproofs compiles it down to an~\gls{ipa} by expressing each multiplication of the grand product as its own equation. Hence, the~\gls{sameperm} proof is done if the prover can prove the~\gls{ipa}. @@ -123,6 +118,8 @@ \subsection{Zero-knowledge proofs}\label{sec:background-zkps} An argument $(Setup, P, V)$ is a zero-knowledge argument of knowledge of a relation $\mathbb{R}$ if it satisfies completeness, knowledge-soundness and is honest-verifier zero-knowledge. \end{definition} +Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in~\autoref{sec:appendix}. + \subsection{Problem definition}\label{subsec:problem-definition} In Chapter 6 of Curdleproofs~\cite{Curdleproofs}, they explain the efficiency of the protocol, including also the size of the proof. They specifically mention that the proof has size $18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$. diff --git a/report/src/sections/03-related-work.tex b/report/src/sections/03-related-work.tex index d7eb59f..80d3d4d 100644 --- a/report/src/sections/03-related-work.tex 
+++ b/report/src/sections/03-related-work.tex @@ -7,6 +7,10 @@ \subsection{Single Secret Leader Election}\label{sec:related-work-SSLE} A~\gls{ssle} is a protocol where a group of participants randomly elects only one leader from the group. The identity of the leader is kept secret from all other participants so only the leader themselves know that they have been chosen. The elected leader can then later publicly prove that they have been elected~\cite{10.1145/3419614.3423258}. + +Leading research on~\gls{ssle} includes a proposal for a post-quantum secure protocol based on Ring Learning With Errors~\cite{cryptoeprint:2023/1241}. +They also construct a new concept called~\gls{rrc}, which is based on the commit-and-shuffle approach also used in Whisk. + One of the use cases of~\gls{ssle} is to make~\gls{pos} cryptocurrencies more secure due to the added privacy that the proposer has. One~\gls{pos} cryptocurrency that uses an~\gls{ssle} is Polkadot which uses Safrole as their~\gls{ssle} protocol~\cite{safrole}. diff --git a/report/src/sections/04-Approach.tex b/report/src/sections/04-Approach.tex index 0cc22a6..b1d74ca 100644 --- a/report/src/sections/04-Approach.tex +++ b/report/src/sections/04-Approach.tex @@ -219,7 +219,7 @@ \subsubsection*{Verifier computation} If so, the verifier accepts the proof. \begin{theorem} - CAAUrdleproofs is a zero-knowledge argument of knowledge when~$\left|k\right|\geq8$. + CAAUrdleproofs is a zero-knowledge argument of knowledge when~$\left|\ell\right|\geq8$. \end{theorem} 
@@ -237,9 +237,9 @@ \subsection{Shuffle security}\label{subsec:approach-shuffle-security} \noindent \textbf{For} $t \in [T]$ \textbf{:} \begin{itemize} - \item[$S_t$] picks random $\{i_1, \ldots, i_k\} \subset [n]$ - \item[$S_t$] computes $(\tilde{c}_{i_1}, \ldots, \tilde{c}_{i_k}) \leftarrow \text{Shuffle}(c_{i_1}, \ldots, c_{i_k})$ - \item[$S_t$] publishes $(\tilde{c}_{i_1}, \ldots, \tilde{c}_{i_k})$ + \item[$S_t$] picks random $\{i_1, \ldots, i_\ell\} \subset [n]$ + \item[$S_t$] computes $(\tilde{c}_{i_1}, \ldots, \tilde{c}_{i_\ell}) \leftarrow \text{Shuffle}(c_{i_1}, \ldots, c_{i_\ell})$ + \item[$S_t$] publishes $(\tilde{c}_{i_1}, \ldots, \tilde{c}_{i_\ell})$ \end{itemize} \end{framed} \caption{Distributed shuffling protocol. Source:~\cite{cryptoeprint:2022/560}} @@ -247,7 +247,7 @@ \subsection{Shuffle security}\label{subsec:approach-shuffle-security} \end{figure} Here the set $(c_1, \ldots, c_n)$ is a set of ciphertexts that are shuffled over $T$ slots. -In each slot $t$, a subset of the ciphertexts ${i_1, \ldots, i_k}$ is chosen randomly, shuffled, and added back to the list of ciphertexts. +In each slot $t$, a subset of the ciphertexts ${i_1, \ldots, i_\ell}$ is chosen randomly, shuffled, and added back to the list of ciphertexts. The shuffler then re-encrypts the ciphertexts and publishes them. This process is repeated for $T$ slots and the shuffle is complete. During the $T$ shuffles, some shufflers may be adversarial. 
@@ -268,12 +268,12 @@ \subsection{Shuffle security}\label{subsec:approach-shuffle-security} So, if a shuffle contains a lot of ciphertexts with a larger than average chance of containing a certain ciphertext, then that would imply that there is a higher chance of that ciphertext being in that slot. It is theoretically possible to find a number of shuffles, given the shuffle size, and a number of adversarial shufflers, to guarantee that the shuffle is secure. -For any $0 < \delta < 1/3$, if $T \geq 20 n / k \ln(n/\delta) + \beta $ and $ k \geq 256 \ln^2(n/\delta)(1 - \alpha/n)^{-2}$. -If $T$ and $k$ are chosen such that the above two conditions are met, then the protocol is an $(\epsilon , \delta)$-secure $(T,n,k)$-shuffle in the presence of a $(\alpha, \beta)$-adversary where $\epsilon = 2/(n-\alpha)$. +For any $0 < \delta < 1/3$, if $T \geq 20 n / \ell \ln(n/\delta) + \beta $ and $ \ell \geq 256 \ln^2(n/\delta)(1 - \alpha/n)^{-2}$. +If $T$ and $\ell$ are chosen such that the above two conditions are met, then the protocol is an $(\epsilon , \delta)$-secure $(T,n,\ell)$-shuffle in the presence of a $(\alpha, \beta)$-adversary where $\epsilon = 2/(n-\alpha)$. -This formula is the lowest theoretically proven bound for $T$ and $k$. +This formula is the lowest theoretically proven bound for $T$ and $\ell$. Plotting numbers relevant to Whisk will show that this theoretical bound is too large to use for argumentation of security. -It is, however, possible to find lower secure values for $T$ and $k$, but this has to be done experimentally. +It is, however, possible to find lower secure values for $T$ and $\ell$, but this has to be done experimentally. \subsection{Implementation}\label{subsec:approach-implementation} 
@@ -381,8 +381,8 @@ \subsubsection{Shuffle Security} An experiment run starts with the first cup being full and the rest being empty. As mentioned, $\alpha$ cups are tracked by an adversary, the first $n-\alpha$ cups are called active cups, while the last $\alpha$ cups are tracked. -So, at each shuffle, the shuffler randomly picks $k$ ciphertexts and shuffles them, also randomly. -Meanwhile, an average of the water between the active indices of the $k$-shuffle is found. +So, at each shuffle, the shuffler randomly picks $\ell$ ciphertexts and shuffles them, also randomly. +Meanwhile, an average of the water between the active indices of the $\ell$-shuffle is found. All active indices are given this amount of water. Now, after each shuffle, if any cup has more than $2/(n-\alpha)$ water, its position can be predicted by the adversary, hence the shuffle is insecure~\cite{cryptoeprint:2022/560}. diff --git a/report/src/sections/05-experimental-protocol.tex b/report/src/sections/05-experimental-protocol.tex index b0dc1fd..dbae06e 100644 --- a/report/src/sections/05-experimental-protocol.tex +++ b/report/src/sections/05-experimental-protocol.tex 
@@ -13,11 +13,11 @@ \subsection{CAAUrdleproof}\label{sec:CAAUrdleproof-experiment} In this experiment we measure the time to run the CAAUrdleproofs protocol. The results will be compared to those of Curdleproofs, which we re-run on our own hardware. As Curdleproofs already has a Rust benchmark implemented, we will be using that same benchmark for both protocols. -The parameter that we want to change between benchmark runs is the shuffle size, $k$. +The parameter that we want to change between benchmark runs is the shuffle size, $\ell$. -In CAAUrdleproofs, we will test the protocol with $k=\{8,9,\dots,256\}$. +In CAAUrdleproofs, we will test the protocol with $\ell=\{8,9,\dots,256\}$. -Since Curdleproofs is unable to run benchmarks, unless the shuffle size is a power of two, those benchmarks will be run on values $k=\{8,16,32,64,128,256\}$. +Since Curdleproofs is unable to run benchmarks, unless the shuffle size is a power of two, those benchmarks will be run on values $\ell=\{8,16,32,64,128,256\}$. @@ -25,7 +25,7 @@ \subsection{CAAUrdleproof}\label{sec:CAAUrdleproof-experiment} \subsection{Shuffle security}\label{subsec:experimental-protocol-shuffle-security} In this experiment we run the shuffle protocol with varying shuffle sizes and varying number of adversarial tracked ciphertexts. The purpose of this experiment is to find the lowest possible shuffle size that is still secure. -We therefore run the experiment with shuffle sizes, $k$, between 64 and 128. +We therefore run the experiment with shuffle sizes, $\ell$, between 64 and 128. For the number of adversarial tracked ciphertexts, we use the values $\alpha=\{1/2,1/3,1/4\}$ Because Curdleproofs is meant to be used in an Ethereum setting, all the experiments were done with a maximum of 8192 shuffles. diff --git a/report/src/sections/appendix/02-thm1proof.tex b/report/src/sections/appendix/02-thm1proof.tex index 0efdb4a..ac72c48 100644 --- a/report/src/sections/appendix/02-thm1proof.tex 
+++ b/report/src/sections/appendix/02-thm1proof.tex @@ -83,7 +83,7 @@ \section{Proof of Theorem 1}\label{sec:appendix-thm1proof} Furthermore, Curdleproofs uses the Fiat-Shamir transformation for its verifier challenges. So, the SIPA$(f)$, analogously CAAUrdleproofs, is a non-interactive random oracle argument having completeness and computational knowledge soundness as well. - From this, we can conclude that CAAUrdleproofs is a zero-knowledge argument of knowledge when shuffle size $|k|\geq8$. + From this, we can conclude that CAAUrdleproofs is a zero-knowledge argument of knowledge when shuffle size $|\ell|\geq8$. \end{proof} diff --git a/report/src/setup/acronyms.tex b/report/src/setup/acronyms.tex index 65c431c..67207f5 100644 --- a/report/src/setup/acronyms.tex +++ b/report/src/setup/acronyms.tex @@ -25,4 +25,5 @@ \newacronym{hvzk}{HVZK}{Honest-Verifier Zero-Knowledge} \newacronym{sameperm}{SamePerm}{Same Permutation} \newacronym{samemsm}{SameMSM}{Same Multiscalar} +\newacronym{rrc}{RRC}{re-randomizable commitment} From 2bfb890f346799a9ae1bf74f73c7380d2b41a735 Mon Sep 17 00:00:00 2001 From: Maltesius Date: Thu, 22 May 2025 15:00:48 +0200 Subject: [PATCH 10/14] corrections2 --- report/src/sections/03-related-work.tex | 5 +++-- report/src/sections/04-Approach.tex | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/report/src/sections/03-related-work.tex b/report/src/sections/03-related-work.tex index 80d3d4d..3250f24 100644 --- a/report/src/sections/03-related-work.tex +++ b/report/src/sections/03-related-work.tex 
@@ -8,8 +8,9 @@ \subsection{Single Secret Leader Election}\label{sec:related-work-SSLE} The identity of the leader is kept secret from all other participants so only the leader themselves know that they have been chosen. The elected leader can then later publicly prove that they have been elected~\cite{10.1145/3419614.3423258}. -Leading research on~\gls{ssle} includes a proposal for a post-quantum secure protocol based on Ring Learning With Errors~\cite{cryptoeprint:2023/1241}. -They also construct a new concept called~\gls{rrc}, which is based on the commit-and-shuffle approach also used in Whisk. +Leading research on~\gls{ssle} includes proposals for post-quantum secure protocols based on Learning With Errors and Ring Learning With Errors~\cite{cryptoeprint:2023/1241}. +This work also constructs a new concept called~\gls{rrc} for easier work with such protocols. +\gls{rrc} is based on the commit-and-shuffle approach also used in Whisk. One of the use cases of~\gls{ssle} is to make~\gls{pos} cryptocurrencies more secure due to the added privacy that the proposer has. diff --git a/report/src/sections/04-Approach.tex b/report/src/sections/04-Approach.tex index b1d74ca..d5e9bf5 100644 --- a/report/src/sections/04-Approach.tex +++ b/report/src/sections/04-Approach.tex @@ -303,7 +303,7 @@ \subsubsection{CAAUdleproofs} It is simply used as a measuring tool. \begin{figure}[!htb] - \begin{lstlisting}[language=Python,mathescape=true,label={lst:ipa-verifier-optimized},numbers=right,caption={Optimized verifier computation for CAAU-IPA in CAAUrdleproofs},captionpos=b,frame=single] + \begin{lstlisting}[language=Python,mathescape=true,label={lst:ipa-verifier-optimized},numbers=left,caption={Optimized verifier computation for CAAU-IPA in CAAUrdleproofs},captionpos=b,frame=single] $\textbf{Step 1:}$ $(\textbf{G},H)\gets$parse$(crs_{dl_{inner}})$ $(C,D,z,\mathbf{u})\gets$parse$(\phi_{dl_{inner}})$ From 904a1f67956888cae41f4cf71a580032eccd8d43 Mon Sep 17 00:00:00 2001 
From: Maltesius Date: Fri, 23 May 2025 10:22:32 +0200 Subject: [PATCH 11/14] Daniele related work corrections --- report/src/bib/main.bib | 10 +++++++++- report/src/sections/03-related-work.tex | 24 ++++++++++++++++-------- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/report/src/bib/main.bib b/report/src/bib/main.bib index 72eff60..364f35d 100644 --- a/report/src/bib/main.bib +++ b/report/src/bib/main.bib @@ -160,12 +160,20 @@ @article{Feistle } @article{safrole, - title = {-safrole}, + title = {Safrole}, author = {Polkadot Web3 Foundation}, note = {Accessed: 16-05-2025}, url = {https://wiki.polkadot.network/learn/learn-safrole/} } +@article{sassafras, + title = {Sassafras}, + author = {Polkadot Web3 Foundation}, + note = {Accessed: 23-05-2025}, + url = {https://research.web3.foundation/Polkadot/protocols/block-production/SASSAFRAS} +} + + @inproceedings{10.1145/501983.502000, author = {Neff, C. Andrew}, title = {A verifiable secret shuffle and its application to e-voting}, diff --git a/report/src/sections/03-related-work.tex b/report/src/sections/03-related-work.tex index 3250f24..bb8ce63 100644 --- a/report/src/sections/03-related-work.tex +++ b/report/src/sections/03-related-work.tex 
@@ -12,22 +12,30 @@ \subsection{Single Secret Leader Election}\label{sec:related-work-SSLE} This work also constructs a new concept called~\gls{rrc} for easier work with such protocols. \gls{rrc} is based on the commit-and-shuffle approach also used in Whisk. -One of the use cases of~\gls{ssle} is to make~\gls{pos} cryptocurrencies more secure due to the added privacy that the proposer has. +One of the use cases of~\gls{ssle} is to make~\gls{pos} blockchains more secure due to the added privacy that the proposer has. -One~\gls{pos} cryptocurrency that uses an~\gls{ssle} is Polkadot which uses Safrole as their~\gls{ssle} protocol~\cite{safrole}. +One~\gls{pos} blockchain that uses an~\gls{ssle} is Polkadot which uses Safrole as their~\gls{ssle} protocol~\cite{safrole}. +Safrole is the production version of the research protocol Sassafras~\cite{sassafras}. +In this, validators each produce a number of tickets, some of which are winning, depending on some threshold. +A~\gls{zk-snark} is then used to prove that a ticket is winning, after which the winning tickets are published to the chain. +A randomization algorithm will then pick, from all the winning tickets, proposers for all the slots two epochs later. \subsection{Shuffling algorithms}\label{subsec:related-work-shuffling-algorithm} -The Håstad square shuffle~\cite{haastad2006square} is one of the proposed ways of integrating an~\gls{ssle}. -The Håstad square shuffle is a shuffling algorithm that shuffles a $n$ long vector with a shuffle size of $\sqrt {n}$. -The algorithm works by splitting the vector into $\sqrt {n}$ times $\sqrt {n}$ square matrix and for each step in the algorithm it switches between shuffling a row and a column. -The Håstad shuffle is more rigid than the shuffling algorithm used in curdleproofs~\cite{cryptoeprint:2022/560} because of the fixed size of the shuffle being $\sqrt {n}$. 
+The Håstad square shuffle~\cite{haastad2006square} is one of the proposed ways of shuffling, which could be integrated in a shuffling~\gls{ssle} such as Whisk. +The Håstad square shuffle is a shuffling algorithm that shuffles a vector with $n$ items with a shuffle size of $\sqrt {n}$. +The algorithm works by re-arranging the vector into a~$\sqrt{n}\times\sqrt{n}$ square matrix. +It then works in time steps, starting at 1. +For each odd step, each column and its elements are shuffled independently. +For each even step, each row and its elements are shuffled independently as well. +Håstad shows that at least three time steps are needed for the shuffle to be secure. +The Håstad shuffle is more rigid than the shuffling algorithm used in curdleproofs~\cite{cryptoeprint:2022/560} because of the fixed size of the shuffle being $\sqrt{n}$. The Feistel shuffle~\cite{Feistle} is a previously used shuffle method in the Whisk protocol~\cite{Whisk2024}. -It takes $n$ number of validator trackers and arranges them in a $k$ times $k$ matrix. -Each round the $i$-th proposer selects the $i$-th row of the created matrix and shuffles it in the form $F(x,y)=(y,x+y^3 mod k)$. +It takes $n$ number of validator trackers and arranges them in a $k\times k$ matrix. +Each round the $i$-th proposer selects the $i$-th row of the created matrix and shuffles it in the form $F(x,y)=(y,x+y^3\text{ mod }k)$. The Feistel shuffle was later replaced by the shuffle proposed by Larsen et al.~\cite{cryptoeprint:2022/560}. Ethereum mentioned the reason for this to be that the shuffle by Larsen et al.\ provides a simpler protocol~\cite{Whisk2024}. From edf63e1914552c087e46aab69342505399980637 Mon Sep 17 00:00:00 2001 From: Maltesius Date: Fri, 23 May 2025 10:25:27 +0200 Subject: [PATCH 12/14] Daniele background corrections --- report/src/sections/02-background.tex | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/report/src/sections/02-background.tex b/report/src/sections/02-background.tex index 465f612..63e0ae3 100644 --- a/report/src/sections/02-background.tex +++ b/report/src/sections/02-background.tex @@ -1,5 +1,5 @@ \section{Background}\label{sec:background} -In this section, we provide the necessary background information on Ethereum and a specific attack it is vulnerable to, the Curdleproofs protocol~\cite{Curdleproofs}, the Whisk protocol~\cite{Whisk2024} and an overview of the notation used in the paper. +In this section, we provide the necessary background information on Ethereum and a specific attack it is vulnerable to, the Curdleproofs protocol~\cite{Curdleproofs}, and the Whisk protocol~\cite{Whisk2024} The notation used throughout this paper can be seen in~\autoref{tab:notation}. \begin{table*}[!htb] @@ -55,13 +55,13 @@ \section{Background}\label{sec:background} Since this work is based on the existing Curdleproofs protocol~\cite{Curdleproofs}, it inherits the same security assumptions. Our work therefore runs as a public coin protocol in any cryptographic group where~\gls{ddh} is hard~\cite{10.1007/BFb0054851}. +\gls{ddh} is defined as follows. \begin{definition}[DDH] Given a finite, multiplicative cyclic group $\mathbb{G}$ of prime order $p$, the decisional Diffie-Hellman problem is defined as follows: Given $(g^a,g^b,g^c)\in\mathbb{G}$, where $g$ is a generator of $\mathbb{G}$ and $a,b,c\in\mathbb{Z}_p$, decide whether $c=ab$. \end{definition} \subsection{Whisk}\label{subsec:related-work-whisk} - Ethereum uses a proof-of-stake consensus mechanism, which allows users to validate transactions and create new blocks by staking their Ether (ETH) tokens. The Proof-of stake protocol works in epochs of 32 slots, where each slot is 12 seconds long. In each slot a proposer is chosen to propose a block thereby allowing the network to reach consensus on the state of the blockchain. From 6269a928342813e1938cf85616b429fd37702d97 Mon Sep 17 00:00:00 2001 
From: Maltesius Date: Fri, 23 May 2025 10:34:35 +0200 Subject: [PATCH 13/14] Proof corrections --- report/src/sections/appendix/02-thm1proof.tex | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/report/src/sections/appendix/02-thm1proof.tex b/report/src/sections/appendix/02-thm1proof.tex index ac72c48..75620a2 100644 --- a/report/src/sections/appendix/02-thm1proof.tex +++ b/report/src/sections/appendix/02-thm1proof.tex @@ -1,6 +1,12 @@ \section{Proof of Theorem 1}\label{sec:appendix-thm1proof} \begin{proof} + The following proof is divided into two separate proofs. + First we prove~\gls{hvzk}. + + After this, both knowledge-soundness and completeness are proven in the same proof. + + \paragraph*{\textbf{Proof of HVZK}} CAAUrdleproofs is the Curdleproofs DL~\gls{ipa} on which the Springproofs protocol has been applied. So to help show that it is~\gls{hvzk}, we refer to Theorem 5 of Springproofs~\cite{zhang2024springproofs}. \begin{theorem}[Springproofs Theorem 5] @@ -23,6 +29,7 @@ \section{Proof of Theorem 1}\label{sec:appendix-thm1proof} Curdleproofs show their argument to be zero-knowledge in the random oracle model provided $|\mathbf{G}|\geq8$~\cite{Curdleproofs}. Therefore, following Theorem 1, CAAUrdleproofs must be~\gls{hvzk} when $n\geq8$ + \paragraph*{\textbf{Proof of knowledge-soundness and completeness}} For soundness and completeness, we refer to Theorem 3 of Springproofs~\cite{zhang2024springproofs}. \begin{theorem}[Springproofs Theorem 3] Given a terminative SIPA$(f)$, if the number of compression steps in SIPA$(f)$ is $O(\log n)$, then SIPA$(f)$ is a complete and computational knowledge sound argument of relation (1). From acba9530f749362f355d186f6844e84a77dbaa5d Mon Sep 17 00:00:00 2001 From: Maltesius Date: Fri, 23 May 2025 11:28:50 +0200 Subject: [PATCH 14/14] Number placements and small changes --- report/src/sections/04-Approach.tex | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/report/src/sections/04-Approach.tex b/report/src/sections/04-Approach.tex index d5e9bf5..bb30b1c 100644 --- a/report/src/sections/04-Approach.tex +++ b/report/src/sections/04-Approach.tex @@ -67,7 +67,7 @@ \subsubsection*{Prover computation} The construction can be seen in~\autoref{lst:ipa-prover}. \begin{figure}[!htb] - \begin{lstlisting}[language=Python,mathescape=true,label={lst:ipa-prover},numbers=left,caption={Prover computation for CAAU-IPA in CAAUrdleproofs},captionpos=b,frame=single] + \begin{lstlisting}[language=Python,mathescape=true,label={lst:ipa-prover},numbers=right,caption={Prover computation for CAAU-IPA in CAAUrdleproofs},captionpos=b,frame=single] $\textbf{Step 1:}$ $(\textbf{G},\textbf{G}',H)\gets$parse$(crs_{dl_{inner}})$ $\textbf{r}_C,\textbf{r}_D\overset{\$}{\leftarrow}\mathbb{F}^n$ 
@@ -359,11 +359,11 @@ \subsubsection{CAAUdleproofs} \end{figure} The protocol used in the implementation can be seen in~\autoref{lst:ipa-verifier-optimized}. -A list, \texttt{ActivePos}, keeps track of the original index placement and its position after each fold. +A list, \texttt{ActivePos}, on line 32, keeps track of the original index placement and its position after each fold. Doing this, we can run the recursion and find the correct challenges for each index, while still knowing what the original index was. A bit matrix,~$b_{i,j}$, is constructed as in Curdleproofs, such that the vector, $\mathbf{s}$, is made in the same way for both protocols. -The vector, $\mathbf{u}$, is used for optimization in the grand product argument rather than $\mathbf{G'}$, and the \texttt{AccumulateCheck} function is used for the multiscalar multiplication optimization. +The vector, $\mathbf{u}$, seen on line 3, is used for optimization in the grand product argument rather than $\mathbf{G'}$, and the \texttt{AccumulateCheck} function, on line 21 and 23, is used for the multiscalar multiplication optimization. For a thorough explanation of these, we refer to Curdleproofs~\cite{Curdleproofs}. In Curdleproofs, both the~\gls{sameperm} and~\gls{samemsm} proof are recursive~\glspl{ipa}.
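Review bot: in the `\subsection{CAAUrdleproof}` experiment hunk, the renamed parameter is still written as a set equality, `$\ell=\{8,9,\dots,256\}$` and `$\ell=\{8,16,32,64,128,256\}$`, although each benchmark run has a single shuffle size; `$\ell\in\{8,9,\dots,256\}$` says what is meant. The same hunk keeps a misplaced comma in `Since Curdleproofs is unable to run benchmarks, unless the shuffle size is a power of two, those benchmarks will be run` (drop the first comma).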
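Review bot: in the `\subsection{Shuffle security}` experiment hunk, the context line `For the number of adversarial tracked ciphertexts, we use the values $\alpha=\{1/2,1/3,1/4\}$` has no sentence-ending period, and it calls `$\alpha$` a number while listing fractions; state what the fractions are taken of (the shuffle size `$\ell$` or the total number of ciphertexts) and use `$\alpha\in\{\dots\}$` for the same reason as in the previous hunk.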
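Review bot: in the `02-thm1proof.tex` hunk that changes `$|k|\geq8$` to `$|\ell|\geq8$`, the absolute-value bars around a scalar shuffle size are unexplained, and the same bound appears as `$|\mathbf{G}|\geq8$` and `$n\geq8$` in the PATCH 13 hunk of the same file. Pick one symbol for the bound in the proof, and if `$\ell$`, `$n$` and `$|\mathbf{G}|$` coincide here, say so once rather than switching between them.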
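Review bot: in the `acronyms.tex` hunk, the new entry `\newacronym{rrc}{RRC}{re-randomizable commitment}` uses a lowercase long form while the neighbouring entries are title-cased (`Honest-Verifier Zero-Knowledge`, `Same Permutation`, `Same Multiscalar`). This matters because the PATCH 10 related-work hunk starts a sentence with `\gls{rrc}`; on first use that renders a lowercase "re-randomizable commitment (RRC)" at the start of a sentence. Either title-case the long form or use `\Gls{rrc}` at sentence starts.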
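Review bot: in the PATCH 10 `03-related-work.tex` hunk, `This work also constructs a new concept called~\gls{rrc} for easier work with such protocols.` is vague about what the construction makes easier; say which operation the commitment supports (the re-randomization the name refers to) and what that buys the SSLE protocol. The split into two sentences is an improvement over the old `They also construct ...`, whose antecedent was unclear.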
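Review bot: in the `main.bib` hunk, `@article` is the wrong entry type for the `safrole` and `sassafras` web pages (no journal, volume or year); `@misc` with `howpublished = {\url{...}}`, or `@online` with `urldate` under biblatex, represents them correctly. The corporate author should also be double-braced, `author = {{Polkadot Web3 Foundation}}`, otherwise BibTeX splits it into first and last names and sorts it under "Foundation". The two blank lines added after the `sassafras` entry can go.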
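Review bot: in the PATCH 11 `03-related-work.tex` hunk, `$F(x,y)=(y,x+y^3\text{ mod }k)$` should use the binary operator form, `$F(x,y)=(y,\,x+y^3 \bmod k)$`, which gives correct spacing without `\text`. In the same hunk `In this, validators each produce a number of tickets` has no clear antecedent for "this" (write "In Sassafras"), `curdleproofs` is lowercase where the rest of the report writes `Curdleproofs`, and the Feistel paragraph introduces a `$k\times k$` matrix for `$n$` trackers without stating how `$k$` relates to `$n$`.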
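Review bot: in the PATCH 12 `02-background.tex` hunk, the rewritten sentence drops its period: `... and the Whisk protocol~\cite{Whisk2024} The notation used throughout this paper ...` needs `\cite{Whisk2024}.` before the next sentence. The added `\gls{ddh} is defined as follows.` is immediately followed by a definition that itself says `the decisional Diffie-Hellman problem is defined as follows:`, so one of the two can go; in that definition `$(g^a,g^b,g^c)\in\mathbb{G}$` is a triple and should be `\in\mathbb{G}^3`. The label `subsec:related-work-whisk` on a Background subsection is also misleading.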
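Review bot: in the PATCH 13 `02-thm1proof.tex` hunk, the added introduction `The following proof is divided into two separate proofs. First we prove~\gls{hvzk}. After this, both knowledge-soundness and completeness are proven in the same proof.` is wordy; "The proof has two parts: first HVZK, then knowledge soundness and completeness together." says the same. `\paragraph*{\textbf{...}}` bolds a heading that `\paragraph` already sets in bold in the standard classes. Two issues in the visible context lines: `CAAUrdleproofs must be~\gls{hvzk} when $n\geq8$` lacks a period, and `following Theorem 1` inside the proof of Theorem 1 reads as circular; if the intended reference is the restated Springproofs Theorem 5, give it a label and `\ref` it.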
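Review bot: in the first PATCH 14 `04-Approach.tex` hunk, `lst:ipa-prover` switches to `numbers=right` while the PATCH 10 hunk switched `lst:ipa-verifier-optimized` to `numbers=left`, so the two listings now carry their line numbers on opposite sides. If this is not deliberate (for instance for two-column placement), set both to the same side, since the second PATCH 14 hunk refers to these numbers in the text.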
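Review bot: in the second PATCH 14 `04-Approach.tex` hunk, the hard-coded references `on line 32`, `seen on line 3` and `on line 21 and 23` will silently go stale the next time `lst:ipa-verifier-optimized` is edited. Since the listing already sets `mathescape=true`, a `$\label{line:activepos}$` on the relevant listing line and `line~\ref{line:activepos}` in the prose keep them in sync. Also write `on lines 21 and 23`, and note that the enclosing heading shown in both hunk headers, `\subsubsection{CAAUdleproofs}`, is missing the "r" of "CAAUrdleproofs".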