8 changes: 4 additions & 4 deletions report/src/sections/00-abstract.tex
@@ -1,11 +1,11 @@

\begin{abstract}
Ethereum is one of the leading proof-of-stake blockchains.
Ethereum is one of the leading Proof-of-Stake blockchains.
However, it is still vulnerable to attacks.
One such attack is the de-anonymization attack by Heimbach et al.~where an adversary could get validator IP addresses and then perform a denial-of-service attack on them.
To try and combat this attack, Ethereum has proposed the use of the Whisk protocol.
Whisk is a Single secret leader election protocol that uses a zero-knowledge proof called Curdleproofs that uses inner product arguments to prove the validity of a shuffle of validators.
This paper improves upon Curdleproofs' inner product arguments by introducing CAAUrdleproofs, which is a modified version of Curdleproofs with ideas from Springproofs as to overcome the limitations of Curdleproofs regarding the shuffle size.
Whisk is a Single Secret Leader Election protocol that uses a zero-knowledge proof called Curdleproofs that uses Inner Product Arguments to prove the validity of a shuffle of validators.
This paper improves upon Curdleproofs' Inner Product Arguments by introducing CAAUrdleproofs, which is a modified version of Curdleproofs with ideas from Springproofs as to overcome the limitations of Curdleproofs regarding the shuffle size.
We show that CAAUrdleproofs has similar proving and verifying times to Curdleproofs when the shuffle size is a power of two.
We also show that CAAUrdleproofs has a performance advantage for any shuffle size that is not a power of two, and that this advantage grows the lower the shuffle size is below a power of two.
After performing experiments, we also suggest a new shuffle size which is smaller than the current one used in Curdleproofs that would result in a smaller block overhead than the one created by the current Curdleproofs protocol.
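Review bot: the rewritten CAAUrdleproofs sentence still reads "with ideas from Springproofs as to overcome the limitations", which is ungrammatical; "as to overcome" should be "to overcome" (or "so as to overcome"). Two smaller points in the same hunk: "de-anonymization attack" is hyphenated here but spelled "deanonymization" in 02-background.tex, so pick one; and "Heimbach et al.~where" uses a non-breaking tie where no citation or number follows, a plain space is enough. The capitalisation of "Proof-of-Stake", "Single Secret Leader Election" and "Inner Product Arguments" now matches the glossary entries; for consistency the lower-case "zero-knowledge proof called Curdleproofs" on the same line could follow the "Zero-Knowledge Proof" form used in the keywords.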
@@ -14,5 +14,5 @@
\end{abstract}

\begin{IEEEkeywords}
Ethereum, Proof of Shuffle, Distributed Systems, Inner Product Arguments, Zero-Knowledge Proof
Ethereum, Proof of Shuffle, Distributed Systems, Inner Product Arguments, Zero-Knowledge Proof, Single Secret Leader Election
\end{IEEEkeywords}
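Review bot: the keyword list gains "Single Secret Leader Election" but still omits "Whisk" and "Curdleproofs", the two protocols the abstract is about; anyone searching on either name would not find this paper. Adding them, and "Springproofs" since the contribution is to port its ideas into Curdleproofs, is a cheap improvement.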
12 changes: 6 additions & 6 deletions report/src/sections/01-introduction.tex
@@ -3,27 +3,27 @@
\section{Introduction}\label{sec:introduction}
Ethereum is a decentralized blockchain platform that enables developers to build and deploy smart contracts and decentralized applications.
It is the second-largest blockchain platform by market capitalization and has a large and active developer community.
Currently working as a Proof-of-Stake protocol, block proposal opportunities are allocated to the community members willing to stake their ether cryptocurrency on entities called validators.
Currently working as a Proof-of-Stake protocol, block proposal opportunities are allocated to validators, which can be created by community members willing to stake their ether cryptocurrency.
Though, previous work from Heimbach et al., confirmed also by our previous study, shows that adversaries are able to gather validator IP addresses~\cite{heimbach2024deanonymizingethereumvalidatorsp2p,ouroldpaper}.
These can be used to perform a Denial-of-Service (DoS) attack on the validators, threatening the liveness of the blockchain~\cite{EthereumAttackDefense2024,ouroldpaper}.

In response to the potential threat, Ethereum has proposed a protocol, Whisk, which hides validators' identities making the DoS attack harder to perform~\cite{Whisk2024}.
In response to the potential threat, Ethereum has proposed a protocol, Whisk, which hides block proposers' identities making the DoS attack harder to perform~\cite{Whisk2024}.
Whisk is a Single Secret Leader Election (SSLE) protocol~\cite{10.1145/3419614.3423258}, where validators each publish a private tracker, which is used for proposer selection instead.
When proposing a block, the validator will then prove the ownership of the tracker.
To ensure that adversaries are unable to trace the tracker to specific validators, each block proposer shuffles the list of validator trackers while adding randomness to the trackers.

Making sure that this has been done correctly is essential to the protocol.
Hence, Whisk uses a proof protocol, called Curdleproofs, which is a Zero-Knowledge proof of shuffle~\cite{Curdleproofs}.
Hence, Whisk uses a proof protocol, called Curdleproofs, which is a Zero-Knowledge Proof of Shuffle~\cite{Curdleproofs}.
Therefore, the block proposer constructs such a proof, adds it to the block, after which other validators can verify the proof.

This introduces block size overhead to the blockchain.
This introduces a block size overhead to the blockchain.
Also, additional work is required for both provers and verifiers.

In this paper, we dive into the structure of Curdleproofs to understand, where the protocol can be optimized.
Specifically, we work with the concept of Inner Product Arguments (IPA) and how they generally only work for vector sizes that are powers of two.
Specifically, we work with the concept of Inner Product Arguments (IPAs) and how they generally only work for vector sizes that are powers of two.

Our protocol, CAAUrdleproofs, aims to improve on the rigid nature of Curdleproofs.
Following this, we also provide argumentation of in which conditions CAAUrdleproofs is still secure.
Following this, we also provide argumentation of the conditions in which CAAUrdleproofs is still secure.

Working with this led to the following contributions:
\begin{itemize}
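Review bot: "Specifically, we work with the concept of Inner Product Arguments (IPAs) and how they generally only work for vector sizes that are powers of two" is the premise of the whole paper but is asserted without a reason or a pointer; one clause on why (what the argument does to the vector in each round) or a forward reference to the IPA definition in the background section would make the introduction self-contained. Smaller points in this hunk: "to understand, where the protocol can be optimized" has a stray comma before "where"; "Though, previous work from Heimbach et al., confirmed also by our previous study" should open with "However,"; "which is used for proposer selection instead" leaves "instead" dangling (instead of what? the validator's public identity, presumably, so say so); "Therefore, the block proposer constructs such a proof" does not follow from the previous sentence, "Thus" or simply dropping the connective reads better; and "we also provide argumentation of the conditions in which CAAUrdleproofs is still secure" is more naturally "we also argue under which conditions CAAUrdleproofs remains secure".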
23 changes: 12 additions & 11 deletions report/src/sections/02-background.tex
@@ -73,7 +73,7 @@ \subsection{Zero-knowledge proofs}\label{sec:background-zkps}

Definitions for knowledge-soundness, completeness, and~\gls{hvzk} can be found in Appendix~\ref{sec:appendix}.

Also, two of three proofs that make up Curdleproofs are~\glspl{ipa}.
Also, two of three proofs that make up Curdleproofs are proven using~\glspl{ipa}.
These are also~\glspl{zkp}, and will be the focus of this paper.
Hence, we provide a definition on~\glspl{ipa}.

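Review bot: after changing "are IPAs" to "are proven using IPAs", the following "These are also ZKPs, and will be the focus of this paper" has an ambiguous antecedent: "These" can now mean the two proofs or the IPAs. Suggest "IPAs are themselves ZKPs and are the focus of this paper." Minor: "a definition on IPAs" should be "a definition of IPAs".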
@@ -90,19 +90,20 @@ \subsection{Whisk}\label{subsec:related-work-whisk}

The proposer~\gls{dos} attack is a type of attack that targets the block proposers, making them unable to propose blocks.
An adversary can use the proposer~\gls{dos} attack to prevent a proposer from receiving rewards, gotten from proposing a block, and increase their own rewards~\cite{EthereumSSLE2024}.
The proposer~\gls{dos} is made possible by an attack on the Ethereum network that was discovered by Heimbach et al.~\cite{heimbach2024deanonymizingethereumvalidatorsp2p} in which they deanonymize validators and get their IP addresses.
In our preliminary work~\cite{ouroldpaper}, we show that the attack is still possible to perform on the Ethereum network.
As a response to the proposer~\gls{dos} attack, Ethereum proposed a new protocol called Whisk~\cite{Whisk2024} as an attempt to mitigate the attack.
An attack on the Ethereum network that was discovered by Heimbach et al.~\cite{heimbach2024deanonymizingethereumvalidatorsp2p} is the deanonymization attack on validators.
In our preliminary work~\cite{ouroldpaper}, we show that the attack is still possible to perform on the Ethereum network, and using the attack, a proposer~\gls{dos} can be performed.


Whisk is a~\gls{zk}~\gls{ssle} system that uses a~\gls{zk} argument called Curdleproofs~\cite{Curdleproofs} to verify the correctness of a shuffle with size $\ell$ without revealing the input or output~\cite{10.1145/3419614.3423258}.
Whisk works by selecting a list of 16,384 validator trackers and shuffles them over 8,192 slots ($\sim$1 day).
Whisk works by selecting a list of 16,384 validator trackers and then the following 8,192 block proposers shuffle them over 8,192 slots ($\sim$1 day).
Then 8,192 proposers are selected from the shuffled list to propose blocks for the next 8,192 slots while a new list is being shuffled.
This way a new list of proposers is created every day.
This way, a new list of proposers is created every day.
After each shuffle, Whisk uses a~\gls{zkp} to prove that the shuffle is correct.
This is so that the proposer can prove that they are the correct proposer for the slot without revealing their identity, thereby mitigating the proposer~\gls{dos} attack because of the identity of the upcoming proposers being hidden now.
As the specific shuffle is hidden to prevent adversarial tracking, this is done to ensure that the trackers are shuffled according to protocol specifications.
Whenever a proposer is chosen, they can prove that they are the correct proposer for the slot without revealing their identity.
Thereby, Whisk mitigates the proposer~\gls{dos} attack because of the identity of the upcoming proposers being hidden now.

Curdleproofs is a~\gls{zkp} system that allows a prover to prove knowledge of a shuffle without revealing how it shuffled the elements.
Curdleproofs is a~\gls{zkp} system, used by Whisk, that allows a prover to prove knowledge of a shuffle without revealing how it shuffled the elements.
It does so by using three different~\glspl{zkp}, with one of them relying on two more~\glspl{zkp}.
The overview can be seen in~\autoref{fig:curdleproof-protocol}.

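Review bot: the rewrite drops "As a response to the proposer DoS attack, Ethereum proposed a new protocol called Whisk ... as an attempt to mitigate the attack", which was the only sentence in this subsection that connects the attack to Whisk; the paragraph now jumps from "a proposer DoS can be performed" straight to "Whisk is a ZK SSLE system". Either keep that sentence or fold it into the new one, e.g. "Heimbach et al. discovered a deanonymization attack that reveals validator IP addresses; in our preliminary work we show the attack is still possible and can be used to mount a proposer DoS, which Whisk was proposed to mitigate." The new "An attack on the Ethereum network that was discovered by Heimbach et al. ... is the deanonymization attack on validators" also reads backwards, with the subject arriving after a long relative clause. Further down, "As the specific shuffle is hidden to prevent adversarial tracking, this is done to ensure that the trackers are shuffled according to protocol specifications" leaves "this" without a referent; if the intended meaning is that the proof is needed precisely because the shuffle itself is hidden, say that. And "because of the identity of the upcoming proposers being hidden now" is more naturally "because the identities of upcoming proposers are hidden".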
@@ -170,8 +171,8 @@ \subsection{Whisk}\label{subsec:related-work-whisk}

The second proof is a~\gls{samemsm} argument.
The prover has proven the existence of the permutation.
Now, the goal of the~\gls{samemsm} argument is to prove that the output ciphertext set was constructed with the same permutation, $\sigma$, here called multiscalar $\mathbf{v}$\footnote{Denoted as $\mathbf{c}$ in the Curdleproofs paper but changed for readability}, committed to in commitment $A$.
Note, therefore, that $A$ in~\gls{sameperm} and~\gls{samemsm} is the same commitment, where $\mathbf{v}=\sigma(\mathbf{a})$
Now, the goal of the~\gls{samemsm} argument is to prove that the output ciphertext set was constructed with the same permutation,~$\sigma$, here called multiscalar $\mathbf{v}$\footnote{Denoted as $\mathbf{c}$ in the Curdleproofs paper but changed for readability}, committed to in commitment $A$.
Note, therefore, that commitment~$A$ in~\gls{sameperm} and~\gls{samemsm} is the same commitment, where $\mathbf{v}=\sigma(\mathbf{a})$.
As the multiscalar is a vector, this argument is an~\gls{ipa} by nature, contrary to the~\gls{sameperm} argument.

The third proof is a Same Scalar argument.
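Review bot: "the same permutation, $\sigma$, here called multiscalar $\mathbf{v}$" conflates the permutation with the vector it produces; the very next line says $\mathbf{v}=\sigma(\mathbf{a})$. Suggest "the same permutation $\sigma$, represented by the multiscalar $\mathbf{v}=\sigma(\mathbf{a})$ committed to in $A$" so a reader does not take $\mathbf{v}$ to be the permutation itself. The footnote recording the rename from $\mathbf{c}$ to $\mathbf{v}$ is useful and should stay.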
@@ -181,7 +182,7 @@ \subsection{Whisk}\label{subsec:related-work-whisk}
Therefore, the goal of the Same Scalar argument is to prove the existence of the scalar,~$k$, such that the commitment of the permuted set is equal to the commitment of the pre-permuted set multiplied by $k$.


In Chapter 6 of Curdleproofs~\cite{Curdleproofs} they explain that the proof has size~$18+10 \log(\ell+4)\mathbb{G}$, $7\mathbb{F}$, where $\mathbb{G}$ is a cryptographic group point, and $\mathbb{F}$ is a field element.
In Chapter 6 of Curdleproofs~\cite{Curdleproofs} they explain that the proof has size~$(18+10 \log(\ell+4))\mathbb{G}+7\mathbb{F}$, where $\mathbb{G}$ is a cryptographic group point, and $\mathbb{F}$ is a field element.

\subsection{Problem definition}\label{subsec:problem-definition}
The current proposal of Curdleproofs only works when the shuffle size of Whisk is set to a power of 2.
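Review bot: the proof-size expression is now parenthesised correctly as $(18+10\log(\ell+4))\mathbb{G}+7\mathbb{F}$, but the logarithm carries no base; if base 2 is meant, as the power-of-two discussion in the Problem definition suggests, write $\log_2$ and say whether a ceiling applies when $\ell+4$ is not a power of two. That matters here because the Problem definition directly below says Curdleproofs "only works when the shuffle size of Whisk is set to a power of 2" while the size formula is written in terms of $\ell+4$; the two should agree on whether it is $\ell$ or $\ell+4$ that must be a power of two. Also, "Chapter 6" should be "Section 6" if the reference is a paper rather than a book, and "they explain" should name the authors.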
22 changes: 11 additions & 11 deletions report/src/sections/03-related-work.tex
@@ -4,7 +4,7 @@ \section{Related Work}\label{sec:related-work}


\subsection{Single Secret Leader Election}\label{sec:related-work-SSLE}
A~\gls{ssle} is a protocol where a group of participants randomly elects only one leader from the group.
An~\gls{ssle} is a protocol where a group of participants randomly elects only one leader from the group.
The identity of the leader is kept secret from all other participants so only the leader themselves know that they have been chosen.
The elected leader can then later publicly prove that they have been elected~\cite{10.1145/3419614.3423258}.

@@ -18,7 +18,7 @@ \subsection{Single Secret Leader Election}\label{sec:related-work-SSLE}
Safrole is the production version of the research protocol Sassafras~\cite{sassafras}.
In this, validators each produce a number of tickets, some of which are winning, depending on some threshold.
A~\gls{zk-snark} is then used to prove that a ticket is winning, after which the winning tickets are published to the chain.
A randomization algorithm will then pick, from all the winning tickets, proposers for all the slots two epochs later.
A randomization algorithm will then pick proposers from all the winning tickets for all the slots two epochs later.



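Review bot: the reordered sentence reads better, but "some of which are winning, depending on some threshold" is vague in a paragraph that otherwise names the mechanism (tickets, a zk-SNARK, the two-epoch lookahead); state what the threshold is compared against or point the reader to the Sassafras citation for it. The three blank lines at the end of the hunk produce nothing in LaTeX and can be dropped.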
@@ -40,17 +40,17 @@ \subsection{Shuffling algorithms}\label{subsec:related-work-shuffling-algorithm}
Ethereum mentioned the reason for this to be that the shuffle by Larsen et al.\ provides a simpler protocol~\cite{Whisk2024}.

\subsection{Bulletproofs}\label{subsec:related-work-bulletproofs}
A big inspiration for the Curdleproofs protocol is bulletproofs~\cite{bunz2018bulletproofs}.
Bulletproofs is a type of range proof that uses inner product arguments to prove that a committed value is within a certain range without revealing the value itself.
Bulletproofs is in itself not a zero-knowledge proof system, but with the help of Fiat Shamir~\cite{bunz2018bulletproofs} it can be used to create a zero-knowledge proof.
Bulletproofs also has had a few iterations and improvements to increase the speed and reduce the size of the proof since it was used in curdleproofs.

One of these is Bulletproofs+~\cite{chung2022bulletproofs+} which uses a weighted inner product argument instead of the standard inner product argument to achieve a better performance.
Bulletproofs+ is also a zero-knowledge proof by itself unlike the original bulletproofs.
Trying to modify Curdleproofs with the weighted inner product argument introduces complications that would need larger modifications and is therefore not suitable.
A big inspiration for the Curdleproofs protocol is Bulletproofs~\cite{bunz2018bulletproofs}.
Bulletproofs is a type of range proof that uses~\glspl{ipa} to prove that a committed value is within a certain range without revealing the value itself.
Bulletproofs is in itself not a~\gls{zkp} system, but with the help of Fiat Shamir~\cite{bunz2018bulletproofs} it can be used to create a~\gls{zkp}.
Bulletproofs also has had a few iterations and improvements to increase the speed and reduce the size of the proof since it was used in Curdleproofs.

One of these is Bulletproofs+~\cite{chung2022bulletproofs+} which uses a~\gls{wipa} instead of the standard~\gls{ipa} to achieve a better performance.
Bulletproofs+ is also a~\gls{zkp} by itself unlike the original Bulletproofs.
Trying to modify Curdleproofs with the~\gls{wipa} introduces complications that would need larger modifications and is therefore not suitable.
This can be seen in Appendix~\ref{app:curdleproofs-weighted-inner-product-argument-modification-attempt}

A third version of the Bulletproofs protocol is Bulletproofs++~\cite{eagen2024bulletproofs++} which uses a new type of argument called the norm argument to achieve a better performance.
This comes from the prover only needing to commit to a single vector, rather than two.
Therefore, with the two vectors, $x$ and $y$ of a standard~\gls{ipa}, they need to assume $x=y$ for their protocol to work.
Therefore, with the two vectors, $x$ and $y$ of a standard~\gls{ipa}, they need to assume~$x=y$ for their protocol to work.
Then, along with the norm being weighted, which raises the same complications as with Bulletproofs+, this makes it unsuitable for Curdleproofs.
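Review bot: "Bulletproofs is in itself not a ZKP system, but with the help of Fiat Shamir it can be used to create a ZKP" needs checking against the cited paper: the Fiat-Shamir transform turns a public-coin interactive argument into a non-interactive one and does not by itself add zero-knowledge, and the Bulletproofs paper presents its range proof as zero-knowledge; as I read it, what is not zero-knowledge on its own is the bare inner product argument. The same applies to "Bulletproofs+ is also a ZKP by itself unlike the original Bulletproofs". If the distinction intended is interactive vs. non-interactive, or inner product argument vs. full range proof, state that instead. Smaller points: "Fiat Shamir" should be hyphenated; "Bulletproofs also has had" reads better as "Bulletproofs has also had"; the sentence ending "Appendix~\ref{app:curdleproofs-weighted-inner-product-argument-modification-attempt}" is missing its full stop; and the vectors $x$ and $y$ should be set in bold like $\mathbf{v}$ elsewhere in the report.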