Bulletproof

Bulletproof is a new non-interactive zero-knowledge proof protocol with short proofs and without trusted setup. It is integrated in the Monero project as a replacement for the previous protocol based on ring signatures which generates larger proofs. Bulletproof proves that amounts lie in a given positive interval, which is crucial in validating a transaction.

The following is from the paper "Bulletproofs: Efficient Range Proofs for Confidential Transactions"

Bulletproofs, a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for efficient range proofs on committed values: they enable proving that a committed value is in a range using only 2 log_2(n) + 9 group and field elements, where n is the bit length of the range. Proof generation and verification times are linear in n.

Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while only relying on the discrete logarithm assumption and without requiring a trusted setup.

Bulletproofs greatly improve on the linear (in n) sized range proofs currently used to implement Confidential Transactions (CT) in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs supports aggregation of range proofs, so that a party can prove that m commitments lie within a given range by providing only an additive O(log(m)) group elements over the length of a single proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication.

In general, we separate privacy for payments into two properties: (1) anonymity, hiding the identities of sender and receiver in a transaction and (2) confidentiality, hiding the amount transferred. While Bitcoin provides some weak anonymity through the unlinkability of Bitcoin addresses to real world identities, it lacks any confidentiality.

While we focus on confidential transactions, where our work translates to significant practical savings, we stress that the improvements are not limited to CT. We present Bulletproofs for general NP languages. The proof size is logarithmic in the number of multiplication gates in the arithmetic circuit for verifying a witness.

All current implementations of confidential transactions [Max16,MP15,PBF+,NM+16] use range proofs over committed values, where the proof size is linear in n. These range proofs are the main contributor to the size of a confidential transaction. In current implementations, a confidential transaction with only two outputs and 32 bits of precision is 5.5 kB, of which 5.3 kB are allocated to the range proof.

At the time of writing, Bitcoin has roughly 50 million UTXOs from 22 million transactions (see statoshi.info). Using a 52-bit representation of bitcoin that can cover all values from 1 satoshi up to 21 million bitcoins, this results in roughly 160GB of range proof data using the current systems. Using aggregated Bulletproofs, the range proofs for all UTXOs would take less than 17GB, about a factor 10 reduction in size.

A Mimblewimble blockchain only grows with the size of the UTXO set. Using Bulletproofs, it would only grow with the number of transactions that have unspent outputs. Overall, Bulletproofs can not only act as a drop-in replacement for the range proofs in confidential transactions, but it can also help make Mimblewimble a practical scheme with a blockchain that is significantly smaller than the current Bitcoin blockchain.

The following is from the audit report "Evaluation of Bulletproof Implementation"

The Monero project currently uses Borromean-style range proofs [MP15] in their confidential transactions, and plan to replace them with bulletproofs. Their motivation to move from Borromean range proofs to bulletproofs is the size of the proof: bulletproofs would significantly reduce the size of the blockchain, as well as bring down transaction fees on the platform by an estimated 70-80%.

In January 2018, Monero Research Lab commissioned Quarkslab to perform a security audit.
The review target is the C++ code of the https://github.com/moneromooo-monero/bitmonero repository, branch bp-multi-aggregation, commit 7f964dfc8f15145e364ae4763c49026a3fab985d, directory src/ringct.

To extend the work done on multi-exponentiation during the evaluation, we also studied the code in the branch bp-multi-aggregation-pippenger. The last commit taken in the branch bp-multi-aggregation-pippenger is b7e61db030da8c97b3e82354bfee8caae57d3137 (Wed Jun 20).

Monero relies on three cryptographic mechanisms.
• One-time keys generated for each transaction hide the actual recipient of a transaction.
• Ring signatures mix the spender’s input among other people’s inputs (which are hidden, see below). The spender can spend (sign) the amount spent but it is not possible for an external party to link different transactions. A special adaptation of this mechanism detects double spending.
• Ring confidential transactions hide the transferred amount.

Ring confidential transactions [NMM16] use zero-knowledge proof techniques (Pedersen commitments) to hide amounts and also keep the verifiability of the blockchain.

In short, a transaction is valid if the total of inputs equals the total of outputs and fees. This means that the total amount of inputs minus the total amount of outputs minus the fees equals zero, which can also be committed to by zero-knowledge techniques.

Such techniques however, relying on group based cryptography, do not differentiate between a small negative amount or a big positive amount (due to modular arithmetic), which could cause, left unchecked, the fraudulent creation of coins.

To ensure that amounts spent are indeed reasonably positive amounts (and not huge amounts equivalent to negative ones) without revealing them, a proof of interval is necessary for each output amount. In Monero, the interval has been fixed to [0, 2^64 − 1]. A first version of a proof of interval implemented in Monero also used ring signature techniques. The size of this proof was linear in the size of the upper-bound of the interval and the major contributor to the size of a transaction.

Bulletproof is a new proof of interval whose size is only logarithmic in the size of the upper bound of the interval. It has further optimizations reducing the overall size when several proofs are combined.
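The wraparound problem described above, as an added example that is not taken from the audit report or from Monero's code: a commitment-only balance check accepts an output that is "negative" modulo the group order, and only the interval check rejects it. The modulus, the bases G and H and all function names are constructed for illustration, and `in_range` inspects the plaintext amount where a real system would verify a zero-knowledge range proof.

```python
import secrets

# Toy parameters, constructed for this example (not Monero's curve or generators).
P = 2**127 - 1        # Mersenne prime; the group is the nonzero integers mod P
N = P - 1             # exponents (amounts, blinding factors) live modulo N
G, H = 3, 5           # constructed bases; a real scheme needs log_G(H) to be unknown
RANGE_BITS = 64       # the interval from the text: [0, 2^64 - 1]


def commit(amount, blind):
    """Pedersen-style commitment G^amount * H^blind mod P."""
    return pow(G, amount % N, P) * pow(H, blind % N, P) % P


def balances(input_commitments, output_commitments, fee):
    """Verifier's check that inputs == outputs + fee, using commitments only."""
    lhs = 1
    for c in input_commitments:
        lhs = lhs * c % P
    rhs = pow(G, fee, P)              # the fee is public, so it carries no blinding
    for c in output_commitments:
        rhs = rhs * c % P
    return lhs == rhs


def in_range(amount):
    """The statement a proof of interval establishes, checked here on the plaintext."""
    return 0 <= amount % N < 2**RANGE_BITS


def build_transaction(input_amount, output_amounts):
    """Commit to one input and several outputs with blinding factors that cancel."""
    blinds = [secrets.randbelow(N) for _ in output_amounts]
    input_commitment = commit(input_amount, sum(blinds))
    outputs = [commit(v, r) for v, r in zip(output_amounts, blinds)]
    return [input_commitment], outputs


def validate(input_amount, output_amounts, fee):
    """Return (balance_ok, range_ok) for a transaction built from these amounts."""
    ins, outs = build_transaction(input_amount, output_amounts)
    return balances(ins, outs, fee), all(in_range(v) for v in output_amounts)


if __name__ == "__main__":
    print("honest 10 -> 6 + 3 + fee 1:        ", validate(10, [6, 3], 1))
    print("forged 10 -> 1000 + (-991) + fee 1:", validate(10, [1000, -991], 1))
```

The forged transaction balances because -991 is committed as N - 991, a value near 2^127 that lies far outside the 64-bit interval.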

The hash function used by Bulletproof is Keccak

Bulletproof depends on a hash function to turn the interactive protocols into non-interactive ones using Fiat-Shamir heuristic. Besides, in Monero, such a hash function is also used as a subroutine in many other functions: hashing (to points for instance), random generation and point derivation.
In Monero’s Bulletproof, the underlying hash function is [Keccak]. Keccak is based on a sponge construction, a class of algorithms that produce a pseudorandom bit stream of a chosen length from an input bit stream of arbitrary length. To achieve this, a finite internal state is processed using the Keccak-f[1600] permutation.
Keccak has been chosen by NIST as the basis of its SHA-3 standard. Choosing Keccak as the underlying hash function in Monero is a sound choice from a cryptographic point of view.

Bulletproof random number generation

A strong PRNG is therefore a critical requirement for Bulletproof.

src/crypto/crypto.h:152

/* Generate N random bytes
*/
inline void rand(size_t N, uint8_t *bytes) {
    generate_random_bytes_thread_safe(N, bytes);
}

The function generate_random_bytes_thread_safe is a simple wrapper, calling generate_random_bytes_not_thread_safe, making it thread-safe with a lock.

src/crypto/crypto.cpp:89

void generate_random_bytes_thread_safe(size_t N, uint8_t *bytes)
{
    static boost::mutex random_lock;
    boost::lock_guard<boost::mutex> lock(random_lock);
    generate_random_bytes_not_thread_safe(N, bytes);
}

The low-level routine generate_random_bytes_not_thread_safe uses iterations of the permutation Keccak-f[1600] on a global state. Each iteration produces a maximum of 136 bytes (= 1088 bits), which corresponds to the security parameters of Keccak [1088,512]. The production of pseudorandom bits is the squeezing phase in the sponge construction vocabulary.
This construction is sound as long as the global state is initialized with true random bits coming from the system.
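A sketch of the generator as the paragraph above describes it, added here as an example and not Monero's source: a 200-byte state, one Keccak-f[1600] call per squeeze step, and at most 136 bytes released per step. `SpongeRng`, its `seed` parameter and seeding the whole state from `os.urandom` are assumptions of this sketch; `keccak_f` follows the structure of the Keccak team's public compact reference implementation and is checked against `hashlib`.

```python
import hashlib
import os

RATE = 136                 # bytes released per permutation call (1088 bits)
MASK = (1 << 64) - 1


def _rol(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK


def keccak_f(state):
    """Keccak-f[1600] applied to a 200-byte state; returns the new 200-byte state."""
    a = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
          for y in range(5)] for x in range(5)]
    r = 1
    for _ in range(24):
        # theta
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x + 4) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho and pi
        x, y, cur = 1, 0, a[1][0]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x][y] = a[x][y], _rol(cur, (t + 1) * (t + 2) // 2)
        # chi
        for y in range(5):
            row = [a[x][y] for x in range(5)]
            for x in range(5):
                a[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota (round constants produced by an 8-bit LFSR)
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                a[0][0] ^= 1 << ((1 << j) - 1)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = a[x][y].to_bytes(8, "little")
    return bytes(out)


def permutation_matches_sha3():
    """Known-answer test: rebuild SHA3-256 of the empty string from keccak_f."""
    block = bytearray(200)
    block[0] ^= 0x06           # SHA-3 domain separation and start of padding
    block[RATE - 1] ^= 0x80    # end of padding, last byte of the 136-byte rate
    return keccak_f(block)[:32] == hashlib.sha3_256(b"").digest()


class SpongeRng:
    def __init__(self, seed=None):
        # Assumption of this sketch: the OS CSPRNG fills the whole 200-byte state.
        self.state = bytes(seed) if seed is not None else os.urandom(200)
        if len(self.state) != 200:
            raise ValueError("seed must be exactly 200 bytes")

    def generate(self, n):
        out = bytearray()
        while len(out) < n:
            self.state = keccak_f(self.state)              # one squeeze step
            out += self.state[:min(RATE, n - len(out))]    # 64 bytes stay hidden
        return bytes(out)
```

With a fixed seed the output is fully determined, which is the soundness condition in the text: every byte of unpredictability comes from the initial state.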

Multi-exponentiation

Multi-exponentiation computes simultaneously multiple exponentiations of different elements of a group with different exponents, in a much faster way than a naive approach.

In Bulletproof, multi-exponentiation is at the heart of the proof verification algorithm. The batch verification of multiple aggregated proofs combines gracefully with a simple verification of aggregated proofs in a single large multi-exponentiation.

In the branch bp-multi-aggregation we had to evaluate, the Straus algorithm is used up to a given number of exponentiations, then from this number, Bos-Coster algorithm is preferred.

In the new branch bp-multi-aggregation-pippenger, the Straus algorithm is used up to another number of exponentiations, then from this number, Pippenger algorithm is preferred.
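The two strategies named above, as an added example in a toy multiplicative group. It is not the code under review, which works on Monero's elliptic curve. The modulus, the window width and `STRAUS_LIMIT` are hypothetical values chosen for illustration, since the page gives no thresholds. Both routines must agree with the naive product of single exponentiations.

```python
import secrets

P = 2**127 - 1           # toy modulus (a Mersenne prime), constructed for this example
STRAUS_LIMIT = 32        # hypothetical switch-over point; the page gives no number


def naive(bases, exps):
    """One full exponentiation per base, multiplied together."""
    out = 1
    for g, e in zip(bases, exps):
        out = out * pow(g, e, P) % P
    return out


def _windows(exps, w):
    """Split every exponent into the same number of w-bit digits, high digit first."""
    count = max(1, -(-max(e.bit_length() for e in exps) // w))
    mask = (1 << w) - 1
    return count, [[(e >> (w * k)) & mask for k in reversed(range(count))] for e in exps]


def straus(bases, exps, w=4):
    """Interleaved windows: per-base tables, one shared chain of squarings."""
    count, digits = _windows(exps, w)
    tables = []
    for g in bases:
        row = [1]
        for _ in range((1 << w) - 1):
            row.append(row[-1] * g % P)          # row[j] == g^j
        tables.append(row)
    acc = 1
    for k in range(count):
        for _ in range(w):
            acc = acc * acc % P
        for row, d in zip(tables, digits):
            acc = acc * row[d[k]] % P
    return acc


def pippenger(bases, exps, w=4):
    """Bucket method: group bases by digit, combine buckets with a running product."""
    count, digits = _windows(exps, w)
    acc = 1
    for k in range(count):
        for _ in range(w):
            acc = acc * acc % P
        buckets = [1] * (1 << w)
        for g, d in zip(bases, digits):
            buckets[d[k]] = buckets[d[k]] * g % P
        running = window = 1
        for j in range((1 << w) - 1, 0, -1):
            running = running * buckets[j] % P   # product of buckets j..max
            window = window * running % P        # bucket j ends up counted j times
        acc = acc * window % P
    return acc


def multiexp(bases, exps):
    """Dispatch by input size, as the audited branches do with their own thresholds."""
    if not bases:
        return 1
    algo = straus if len(bases) <= STRAUS_LIMIT else pippenger
    return algo(bases, exps)


def random_instance(n, bits=64):
    """Constructed sample input: n random bases and n random `bits`-bit exponents."""
    return ([secrets.randbelow(P - 2) + 2 for _ in range(n)],
            [secrets.randbits(bits) for _ in range(n)])
```

Straus pays for a table per base, so its cost grows with the number of bases, while the bucket method's per-window cost depends mostly on the number of buckets, which is why implementations switch algorithms as the batch grows.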

Serialization

Serialization is used to transmit and store structured data in the blockchain; therefore its robustness is critical. Monero serialization library is inspired by the boost::serialization framework.

It provides a generic implementation, that can be specialized for various objects. Serializing a high level object reuses all low-level specializations for types it depends on. A complementary goal is to describe how an object needs to be dealt with only once. It means the same code is used in order to generate both serialization and deserialization routines. This nice feature, in theory, comes with various downsides.
