Provide a simple HTML page to compute proof size and time from parameters #22
Conversation
ghost
requested review from
|
ping @djetchev |
ghost
mentioned this pull request
|
As noted by @tolikzinovyev (see #17 (reply in thread)) and discussed with @rrtoledo it seems my adversary proof time estimates are way over inflated. My skills in combinatorics being what they are (limited) I would appreciate if someone could suggest a more accurate estimate. |
Basically, there are two scenarios. Either there exists an adversarial proof and the adversary can find it very quickly, or there doesn't exists an adversarial proof and so the adversary cannot find one no matter how much computation is done. So I think modeling CPU power is not useful for ALBA. |
|
So it's just a matter of luck, and there's no way to brute force finding a proof? |
|
Only if grinding proof statement is possible. E.g., the attacker can move his money to new accounts thus creating new signatures. In that case we need to rehash the blockchain state and include it as a seed to the hash function used by ALBA. Then the security becomes computation as opposed to information theoretic. But it kind of is outside the scope for ALBA. |
| if (!S_1_bot && !S_2_bot) { | ||
| throw Error("S_1_bot or S_2_bot"); | ||
| } |
There was a problem hiding this comment.
- Currently, this will just silently log this error to the console, potentially confusing users. Maybe use
alertor sth like that? - One could also implement the remaining two cases in the proof of Corollary 3 in order to handle large
n_pvalues (where this error is currently thrown).
(Doesn't necessarily have to happen in this PR)
There was a problem hiding this comment.
Yes, I copy/pasted your code. I think it's good enough for now but obviously throwing exceptions in user-facing code is not great. I don't like alert() but can find a good substitute.
There was a problem hiding this comment.
Why do you throw an error and not update the d/q/r parameters depending on S1 and S2?
There was a problem hiding this comment.
I think for this simulation we can just use the parameters for the "small case". They in fact work for all cases, it's just, the prover will not have a good worst-case running time. Then we don't need to worry about S_1_bot, etc.
We can borrow the math code from Raphael's implementation.
https://github.com/cardano-scaling/alba/pull/33/files#diff-b0bad697f839908964cc4e445cd9c87a76b4a5f84da347b24a426b61b7d09322R127
|
Thanks for the thorough review @amesgen, I will fix the remaining issues tomorrow. |
|
The simulation looks nice. I would just use a different name for S_p. S_p is normally defined as the honest party's elements. Also, S_p is a set, not a number. Maybe we just call it n? |
Co-authored-by: amesgen <amesgen@amesgen.de>
Co-authored-by: amesgen <amesgen@amesgen.de>
Co-authored-by: amesgen <amesgen@amesgen.de>
Co-authored-by: amesgen <amesgen@amesgen.de>
Co-authored-by: amesgen <amesgen@amesgen.de>
Co-authored-by: amesgen <amesgen@amesgen.de>
Co-authored-by: amesgen <amesgen@amesgen.de>
Co-authored-by: amesgen <amesgen@amesgen.de>
Co-authored-by: amesgen <amesgen@amesgen.de>
* remove 'unique' qualification for elements of a set (by definition, all elements in a set are unique...) * rename `S_p` -> `n`
| if (!S_1_bot && !S_2_bot) { | ||
| throw Error("S_1_bot or S_2_bot"); | ||
| } |
There was a problem hiding this comment.
I think for this simulation we can just use the parameters for the "small case". They in fact work for all cases, it's just, the prover will not have a good worst-case running time. Then we don't need to worry about S_1_bot, etc.
We can borrow the math code from Raphael's implementation.
https://github.com/cardano-scaling/alba/pull/33/files#diff-b0bad697f839908964cc4e445cd9c87a76b4a5f84da347b24a426b61b7d09322R127
| const u = U(n_p_v, n_f_v); | ||
| const proba = probabilityOfProof(u, n_p_v, n_f_v, n_v); | ||
| // expected prover time is n_p + O (u^2), we neglect the n_p part here | ||
| proof_proba.value = proba.toExponential(4); |
There was a problem hiding this comment.
Confused about what this does.
|
Let's merge this with @curiecrypt ongoing documentation efforts |
This PR adds a simple HTML page to the ALBA website that provides user with an interactive model to understand how parameters impact the proof size and adversarial proving time.