Jens Groth and Markulf Kohlweiss, "One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin", in: EUROCRYPT 2015
https://link.springer.com/content/pdf/10.1007%2F978-3-662-46803-6_9.pdf
One-Out-of-Many Proofs
Σ-Protocol for Commitment to 0 or 1
Use a Σ-protocol to prove the following relation (that a commitment $c = \operatorname{Com}_{ck}(m; r)$ opens to a message $m \in \{0, 1\}$):
Full protocol:
Analysis:
- Verification equation 1: $c^{x} \cdot c_a = \operatorname{Com}_{ck}(f; z_a)$. Here $c_a = \operatorname{Com}_{ck}(a; s)$ is part of the prover's first message, $x$ is the verifier's challenge, and $f = mx + a$, $z_a = rx + s$ are the prover's responses, so
$$\begin{aligned} RHS &= \operatorname{Com}_{ck}(f;\, z_a) \\ &= \operatorname{Com}_{ck}(mx+a;\, rx+s) \\ &= \operatorname{Com}_{ck}(mx;\, rx)\cdot \operatorname{Com}_{ck}(a;\, s) \\ &= \operatorname{Com}_{ck}(m;\, r)^{x}\cdot c_a \end{aligned}$$
which equals the left-hand side $c^{x} \cdot c_a$ exactly when $c = \operatorname{Com}_{ck}(m; r)$.
- Verification equation 2: $c^{x-f} \cdot c_b = \operatorname{Com}_{ck}(0; z_b)$, where $c_b = \operatorname{Com}_{ck}(am; t)$ is the other part of the first message and $z_b = r(x-f) + t$ is the response:
$$\begin{aligned} RHS &= \operatorname{Com}_{ck}(0;\, z_b) \\ &= \operatorname{Com}_{ck}(0;\, r(x-f)+t) \\ &= \operatorname{Com}_{ck}(-am;\, r(x-f))\cdot \operatorname{Com}_{ck}(am;\, t) \\ &= \operatorname{Com}_{ck}(-am;\, r(x-f))\cdot c_b \end{aligned}$$
To bring this into the form of the left-hand side, $c^{x-f} \cdot c_b = \operatorname{Com}_{ck}(m(x-f);\, r(x-f)) \cdot c_b$, two conditions must hold:
① $c = \operatorname{Com}_{ck}(m; r)$;
② $-am = m(x-f)$. This holds trivially when $m = 0$; if $m \neq 0$ it reduces to $-a = x - f$, and substituting $f = mx + a$:
$$\begin{aligned} -a &= x - mx - a \\ 0 &= x - mx \\ &= x(1-m) \end{aligned}$$
So the equation holds when $m = 0$ or $m = 1$. For any other $m$ it can only hold when $x = 0$, which a uniformly random challenge $x \in \mathbb{Z}_q$ hits with probability $1/q$; this is what makes the protocol sound: a commitment to a value outside $\{0, 1\}$ is rejected with overwhelming probability.
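The three-move exchange analysed above, as an added example (this is not code from the paper or from any project). The group parameters p = 1019, q = 509, g = 4, h = 9 are an assumption chosen so the arithmetic is easy to follow; they give no security, and in a real instance h would be derived so that log_g h is unknown. The function names are mine. run_protocol lets a prover follow the script with an arbitrary m, which shows completeness for m in {0, 1} and that equation 2 rejects every other m.

```python
import secrets

# Toy Schnorr-group parameters (assumption): p = 2q + 1 with q prime; g = 4 and
# h = 9 are squares mod p, so both generate the order-q subgroup.  Illustration
# only: real instances use a ~256-bit group with log_g(h) unknown.
P, Q, G, H = 1019, 509, 4, 9

def com(m, r):
    """Pedersen commitment Com_ck(m; r) = g^m h^r mod p, with ck = (g, h)."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def prover_commit(m):
    """Move 1 (prover): choose a, s, t and send c_a = Com(a; s), c_b = Com(a*m; t)."""
    a, s, t = (secrets.randbelow(Q) for _ in range(3))
    return (a, s, t), (com(a, s), com(a * m, t))

def verifier_challenge():
    """Move 2 (verifier): a uniformly random nonzero challenge x in Z_q."""
    return 1 + secrets.randbelow(Q - 1)

def prover_respond(m, r, state, x):
    """Move 3 (prover): f = m x + a, z_a = r x + s, z_b = r (x - f) + t."""
    a, s, t = state
    f = (m * x + a) % Q
    return f, (r * x + s) % Q, (r * (x - f) + t) % Q

def verify(c, c_a, c_b, x, f, z_a, z_b):
    """Verification equations 1 and 2:
       c^x * c_a == Com(f; z_a)   and   c^(x-f) * c_b == Com(0; z_b)."""
    eq1 = pow(c, x, P) * c_a % P == com(f, z_a)
    eq2 = pow(c, (x - f) % Q, P) * c_b % P == com(0, z_b)
    return eq1 and eq2

def run_protocol(m, r):
    """Run the three moves for c = Com(m; r) with a prover that follows the script
    exactly.  Equation 2 reduces to g^(m(1-m)x) == 1, so for m outside {0, 1}
    the verifier rejects whenever x != 0."""
    c = com(m, r)
    state, (c_a, c_b) = prover_commit(m)
    x = verifier_challenge()
    f, z_a, z_b = prover_respond(m, r, state, x)
    return verify(c, c_a, c_b, x, f, z_a, z_b)
```

With these toy parameters a dishonest prover still wins with probability 1/q per run, which is why a deployment uses a prime-order group of about 2^256 elements and, after the Fiat-Shamir transform, a challenge hashed from the whole transcript.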
Σ-Protocol for One-out-of-N Commitment Containing 0
Use a Σ-protocol to prove that one of $N$ commitments is a commitment to 0, i.e. prove the relation:
$$R=\left\{\left(ck,\left(c_{0}, \ldots, c_{N-1}\right),(\ell, r)\right) \;\middle|\; \begin{array}{l} c_{0}, \ldots, c_{N-1} \in \mathcal{C}_{ck} \text{ and } \ell \in\{0, \ldots, N-1\} \\ \text{and } r \in \mathbb{Z}_{q} \text{ and } c_{\ell}=\operatorname{Com}_{ck}(0 ; r)\end{array}\right\}$$
Idea:
Rewrite the statement to be proved into an equivalent one:
- There exists an index $\ell$ such that $\prod_{i=0}^{N-1} c_{i}^{\delta_{i \ell}}$ is a commitment to 0, where $\delta_{i \ell}$ is the Kronecker delta: $\delta_{\ell \ell}=1$ and $\delta_{i \ell}=0$ for $i \neq \ell$.
- Without loss of generality assume $N = 2^{n}$ and write $i$ and $\ell$ in binary: $i = i_{1} \ldots i_{n} \in \{0,1\}^n$, $\ell = \ell_{1} \ldots \ell_{n} \in \{0,1\}^n$. The Kronecker delta then factors as $\delta_{i \ell}=\prod_{j=1}^{n} \delta_{i_{j} \ell_{j}}$, so the statement becomes: $\prod_{i=0}^{N-1} c_{i}^{\prod_{j=1}^{n} \delta_{i_{j} \ell_{j}}}$ is a commitment to 0.
Prover:
- Commit to the bits $\ell_{1}, \ldots, \ell_{n}$ as $c_{\ell_{1}}, \ldots, c_{\ell_{n}}$ and run $n$ parallel instances of the Σ-protocol for $\ell_j \in \{0,1\}$ from the previous section.
- In each of these instances for $\ell_j \in \{0,1\}$, the prover:
- reveals $f_{1}, \ldots, f_{n}$ of the form $f_{j}=\ell_{j} x+a_{j}$;
- let $f_{j, 1}=f_{j}=\ell_{j} x+a_{j}=\delta_{1 \ell_{j}} x+a_{j}$ and $f_{j, 0}=x-f_{j}=\left(1-\ell_{j}\right) x-a_{j}=\delta_{0 \ell_{j}} x-a_{j}$;
- then for every $i$, the product $\prod_{j=1}^{n} f_{j, i_{j}}$ is a polynomial in $x$ of the form
$$p_{i}(x)=\prod_{j=1}^{n}\left(\delta_{i_{j} \ell_{j}} x\right)+\sum_{k=0}^{n-1} p_{i, k} x^{k}=\delta_{i \ell} x^{n}+\sum_{k=0}^{n-1} p_{i, k} x^{k}$$
whose coefficient of $x^{n}$ is 1 exactly for $i = \ell$ and 0 otherwise.
- The idea is now that in the initial message the prover also sends commitments $c_{d_{0}}, \ldots, c_{d_{n-1}}$, which will be used to cancel the low-order coefficients (those of $x^{0}, \ldots, x^{n-1}$), while the coefficient of $x^{n}$ guarantees that $c_\ell$ can be opened to 0. The verifier finally checks that
$$\prod_{i=0}^{N-1} c_{i}^{\prod_{j=1}^{n} f_{j, i_{j}}} \cdot \prod_{k=0}^{n-1} c_{d_{k}}^{-x^{k}}$$
is a commitment to 0. (By the Schwartz-Zippel lemma, unless $c_\ell$ is a commitment to 0 this check passes only for a negligible fraction of challenges $x$.)
Full protocol:
Analysis:
(Yellow underline: proves that for all $j$, $c_{\ell_{j}}$ is a commitment to 0 or 1.)
$c_{\ell_{j}}, c_{a_{j}}, c_{b_{j}}$ play the roles of $c, c_{a}, c_{b}$ from the previous section, and each instance of that protocol proves $\ell_{j} \in \{0,1\}$. Running the $n$ instances in parallel proves that the index $\ell = \ell_1 \ldots \ell_n$ satisfies $\ell < 2^{n}$, i.e. that it lies in the valid range.
(Blue underline: proves $c_{\ell}=\operatorname{Com}_{ck}(0 ; r)$.)
Substituting $c_{d_{k}} = \prod_{i} c_{i}^{p_{i, k}} \operatorname{Com}_{ck}(0 ; \rho_{k})$ from the first message and the response $z_d = r x^{n} - \sum_{k=0}^{n-1} \rho_{k} x^{k}$:
$$\begin{aligned} &\prod_i c_{i}^{\prod_{j=1}^{n} f_{j, i_{j}}} \cdot \prod_{k=0}^{n-1} c_{d_{k}}^{-x^{k}}\\ =&\prod_i c_{i}^{\delta_{i \ell} x^{n}+\sum_{k=0}^{n-1} p_{i, k} x^{k}} \cdot \prod_{k=0}^{n-1} \left(\prod_{i} c_{i}^{p_{i, k}} \operatorname{Com}_{ck}\left(0 ; \rho_{k}\right)\right)^{-x^{k}}\\ =&\prod_i \left(c_{i}^{\delta_{i \ell} x^{n}} \cdot c_{i}^{\sum_{k=0}^{n-1} p_{i, k} x^{k}}\cdot c_{i}^{-\sum_{k=0}^{n-1} p_{i, k} x^{k}}\right)\cdot \prod_{k=0}^{n-1} \operatorname{Com}_{ck}\left(0 ; \rho_{k}\right)^{-x^{k}}\\ =&\; c_{\ell}^{x^{n}}\cdot\prod_{k=0}^{n-1}\operatorname{Com}_{ck}\left(0 ; -\rho_{k}x^{k}\right)\\ =&\operatorname{Com}_{ck}\left(0 ; rx^{n}\right)\cdot\operatorname{Com}_{ck}\left(0 ; -\sum_{k=0}^{n-1} \rho_{k}x^{k}\right) \qquad \text{(only if } c_{\ell}=\operatorname{Com}_{ck}(0 ; r)\text{)}\\ =&\operatorname{Com}_{ck}\left(0 ; z_d\right) \end{aligned}$$
The fourth equality uses $\prod_i c_i^{\delta_{i\ell} x^{n}} = c_\ell^{x^{n}}$ and the fact that the $c_{d_k}$ terms cancel the low-order coefficients $p_{i,k}$; the fifth holds only if $c_\ell = \operatorname{Com}_{ck}(0; r)$. A prover whose $c_\ell$ commits to a nonzero value therefore cannot produce a $z_d$ satisfying the check except for a negligible fraction of challenges $x$.
Ring Signature
Idea:
Combine two techniques, homomorphic commitments and the Σ-protocol for one-out-of-N commitments containing 0, to obtain an ad hoc group identification protocol:
- Generate the commitment key $ck$ as the setup; a user's verification key $vk$ is a commitment to 0, $c = \operatorname{Com}_{ck}(0; r)$, and the opening $r$ is the signing key.
- Use the Σ-protocol to prove that the user knows the opening of one of the commitments in the ring $(c_0, \ldots, c_{N-1})$, without revealing which one.
- Apply the Fiat-Shamir heuristic, deriving the challenge by hashing the message together with the prover's first message, to turn this into a non-interactive signature.
Ring signature:
Zerocoin
Zerocoin lets users mint their own coins, which are posted on a public bulletin board and acquire value through public consensus. The coins can then be spent anonymously; each coin contains a secret serial number that is revealed in the spend protocol, which prevents double spending.
The Zerocoin scheme consists of the algorithms (Setup, Mint, Spend, Vfy):
- $pp \leftarrow \operatorname{Setup}(1^{\lambda})$: outputs the public parameters.
- $(c, skc) \leftarrow \operatorname{Mint}(pp)$: the minting algorithm; outputs a coin $c$ and the secret key $skc$ that authorises spending it.
- $(\pi, S) \leftarrow \operatorname{Spend}_{pp, skc}(M, c, C)$: produces the proof that a coin is spent in a transaction. Input: a transaction string $M \in \{0,1\}^*$ (identifying the recipient or the contract terms) and an arbitrary set of coins $C$ that contains $c$. Output: a proof $\pi$ and a serial number $S$.
- $b \leftarrow \operatorname{Vfy}_{pp}(M, S, C, \pi)$: verifies the proof $\pi$ of a spend transaction.
Zerocoin protocol
Note that what a coin commits to is its serial number $S$, not 0, so before producing the proof the spender multiplies every commitment in $C$ by $\operatorname{Com}_{ck}(S ; 0)^{-1}$. By the homomorphic property this turns the spender's own coin $\operatorname{Com}_{ck}(S; r)$ into $\operatorname{Com}_{ck}(0; r)$, a commitment to 0 (the other coins become commitments to nonzero values, their serial number minus $S$), and the one-out-of-N proof from the previous section is run on the shifted list with $M$ as the message. Revealing $S$ is what lets the network detect a double spend, while the proof hides which coin in $C$ was spent.
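A worked instance of the one-out-of-many proof analysed above, made non-interactive with Fiat-Shamir as in the ring-signature construction and then reused for the Zerocoin spend by shifting the coins with Com_ck(S; 0)^{-1}. This is an added example, not code from the paper or from any project. Its assumptions: a toy Schnorr group p = 1019, q = 509 with generators g = 4, h = 9 (far too small for security, and log_g h is not unknown here); N must be a power of two (a shorter ring can be padded by repeating an entry); the bits of ℓ are indexed least-significant first; serial numbers are integers below q encoded on 4 bytes; and the names prove, verify, zerocoin_spend, zerocoin_verify and the ring_sign/ring_verify aliases are mine.

```python
import hashlib
import secrets

# Toy Schnorr group (assumption): p = 2q + 1 with q prime; g = 4 and h = 9 are
# squares mod p, so both generate the order-q subgroup.  Illustration only.
P, Q, G, H = 1019, 509, 4, 9

def com(m, r):
    """Pedersen commitment Com_ck(m; r) = g^m h^r mod p, ck = (g, h)."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def poly_mul(a, b):
    """Product of two polynomials over Z_q (coefficient lists, constant term first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out

def challenge(msg, *elements):
    """Fiat-Shamir: x = H(msg, first message) as a nonzero element of Z_q."""
    h = hashlib.sha256(msg)
    for e in elements:
        h.update(e.to_bytes(4, "big"))
    return 1 + int.from_bytes(h.digest(), "big") % (Q - 1)

def prove(msg, cs, ell, r):
    """Prove that cs[ell] = Com(0; r) for an undisclosed index ell, bound to msg."""
    N, n = len(cs), len(cs).bit_length() - 1
    if N != 1 << n or cs[ell] != com(0, r):
        raise ValueError("ring size must be a power of two and cs[ell] must open to 0")
    bits = [(ell >> j) & 1 for j in range(n)]           # ell_j = j-th bit of ell (LSB first)
    r_bits, a, s, t, rho = ([secrets.randbelow(Q) for _ in range(n)] for _ in range(5))
    c_l = [com(bits[j], r_bits[j]) for j in range(n)]   # c_{ell_j}: commitments to the bits
    c_a = [com(a[j], s[j]) for j in range(n)]           # c_{a_j}
    c_b = [com(bits[j] * a[j], t[j]) for j in range(n)] # c_{b_j}
    # p_i(x) = prod_j f_{j,i_j}(x), f_{j,1} = ell_j x + a_j, f_{j,0} = (1 - ell_j) x - a_j.
    # Its x^n coefficient is delta_{i,ell}; the lower coefficients p_{i,k} get cancelled.
    polys = []
    for i in range(N):
        p_i = [1]
        for j in range(n):
            p_i = poly_mul(p_i, [a[j], bits[j]] if (i >> j) & 1 else [-a[j] % Q, 1 - bits[j]])
        polys.append(p_i)
    c_d = []                                            # c_{d_k} = prod_i c_i^{p_{i,k}} Com(0; rho_k)
    for k in range(n):
        acc = com(0, rho[k])
        for i in range(N):
            acc = acc * pow(cs[i], polys[i][k], P) % P
        c_d.append(acc)
    x = challenge(msg, *cs, *c_l, *c_a, *c_b, *c_d)
    f = [(bits[j] * x + a[j]) % Q for j in range(n)]
    z_a = [(r_bits[j] * x + s[j]) % Q for j in range(n)]
    z_b = [(r_bits[j] * (x - f[j]) + t[j]) % Q for j in range(n)]
    z_d = (r * pow(x, n, Q) - sum(rho[k] * pow(x, k, Q) for k in range(n))) % Q
    return (c_l, c_a, c_b, c_d, f, z_a, z_b, z_d)

def verify(msg, cs, proof):
    c_l, c_a, c_b, c_d, f, z_a, z_b, z_d = proof
    N, n = len(cs), len(cs).bit_length() - 1
    if N != 1 << n or len(f) != n:
        return False
    x = challenge(msg, *cs, *c_l, *c_a, *c_b, *c_d)
    for j in range(n):  # n parallel bit proofs: each c_{ell_j} commits to 0 or 1
        if pow(c_l[j], x, P) * c_a[j] % P != com(f[j], z_a[j]):
            return False
        if pow(c_l[j], (x - f[j]) % Q, P) * c_b[j] % P != com(0, z_b[j]):
            return False
    lhs = 1  # prod_i c_i^{prod_j f_{j,i_j}} * prod_k c_{d_k}^{-x^k}
    for i in range(N):
        e = 1
        for j in range(n):
            e = e * (f[j] if (i >> j) & 1 else x - f[j]) % Q
        lhs = lhs * pow(cs[i], e, P) % P
    for k in range(n):
        lhs = lhs * pow(c_d[k], -pow(x, k, Q), P) % P
    return lhs == com(0, z_d)

# Ring signature: vk_i = Com(0; sk_i), and the proof bound to the message is the signature.
ring_sign, ring_verify = prove, verify

def zerocoin_spend(M, coins, ell, S, r):
    """Spend coins[ell] = Com(S; r): divide every coin by Com(S; 0) so that coins[ell]
    becomes Com(0; r), then prove one-out-of-many on the shifted list.  Returns (S, pi)."""
    shifted = [c * pow(com(S, 0), -1, P) % P for c in coins]
    return S, prove(M + S.to_bytes(4, "big"), shifted, ell, r)

def zerocoin_verify(M, coins, S, pi):
    shifted = [c * pow(com(S, 0), -1, P) % P for c in coins]
    return verify(M + S.to_bytes(4, "big"), shifted, pi)
```

The challenge hashes the ring (or coin set), the message and the entire first message, so a proof cannot be replayed against a different ring, message or serial number; the proof size is logarithmic in N because only the n bit proofs and the n cancellation commitments c_{d_k} are sent.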