Basics of 3D reconstruction: Rebuilding a flawed data world with zero-knowledge

We live in an almost untrusted data world!

We live in a flawed and untrusted financial world!

So, let me pose a difficult question first, and I’ll answer it at the end:

“Prove to me that the [UK] currently — at this point in time — has economic stability in its financial infrastructure!”

You can insert your own country within the brackets, or any organisation or range of organisations that you want. Before you call up your auditors and get your accountants primed, let’s meet Angry Bob and Angry Alice …

Meet Angry Bob and Angry Alice

Bob applies for a loan from Alice The Lender, and she asks him for his salary. Bob says, “I don’t want to tell you that!”, and she says, “Well, you’re not getting a loan!”, and so Bob says that his salary is “One trillion dollars per year”, and Alice hangs up the phone. He calls her up again, and says sorry, and then says that his salary is “… somewhere between $60,000 and $100,000. Is that okay?”. Alice replies that this is fine and that his loan has been approved. “Can you now tell me your password?”, she says. Bob now hangs up the phone and goes to lie down in a dark room.

In this new information world, why do we have to continually prove the same things, and why do we continually give away so much of our private things?

Our rights … not theirs

We need a world which uses Zero-Knowledge Proofs (ZKPs) and where people can create their own signatures to prove things, without continual prompting and asking for things. If I am over 18, I should prove it once, and then show that proof to whoever I want. If I have enough money in my account to pay for something, I can prove this to a merchant, without the merchant having to go and check with my bank. With ZKP, Peggy (the Prover) must prove something to Victor (the Verifier). We could get them to interact, and at the end of their conversation Peggy would have proven something to Victor. In a non-interactive method, Peggy does not have to interact with Victor at all: she can produce the proof on her own and Victor checks it later. This is normally achieved with the Fiat-Shamir heuristic [here].

But we should have rights in the increasingly flawed digital world.

A flawed world?

Sometimes something comes along and it shakes our existing thinking. In a paper at the end of 2017, a research team showed the world how transactions could be enacted on-line in a trusted and privacy-preserving way [paper]:

[Figure: the 2017 paper referenced above]

Basically, their method defined a way that Bob can prove that his secret value — and/or his encrypted value — lies within a given range. For this, he might be applying for an online loan and does not want to reveal his salary. Bob would then be able to create a range proof for Alice The Lender and show that his salary was between $60,000 and $100,000. The challenge for this proof would not have to be set up by Alice, as Bob just sends the proof and she checks it. If there were an inquiry related to his tax status, he could forward this signature to show the range of his salary to them too.

In a perfect world, Bob could merge these range proofs into a single signature, and present it when required. For example, if the lender wanted to check that his balance has at least $100, he could add this to his signature and send it to Alice.

Within cryptocurrency trading, this is useful, as we can check whether someone has enough funds in their account before the transaction is verified, but without revealing how much they actually have in their account. The proof is then that the sum of all the inputs (the money in) is greater than the sum of all the outputs (the money out). This proves that there are Unspent Transaction Outputs (UTXOs) — and that there are enough funds in a given account. One task of the miners in Bitcoin is then to check that the inputs are greater than the outputs. For this, a user provides a signature for the transaction to prove there are enough unspent credits to cover the transaction, and then the miners check this and the current balance:

[Figure: miners checking the transaction signature against the unspent balance]

So Why Bulletproofs?

Before the Bulletproofs paper, the size of this proof was linear in the number of inputs. Previous work on Confidential Transactions (CTs) focused on the Pedersen Commitment method [here] to preserve the confidentiality of the transaction (using Zero-Knowledge Proofs), while still proving that the sum of the inputs was greater than the sum of the outputs. The signature is then created to verify that the sum of the inputs is greater than the outputs and that each transaction value lies between 0 and 2^n, i.e. in [0, 2^n]. The size of this signature grows linearly with n, and there is a general worry that existing CT methods will overload our blockchains, with most of the data within a transaction used up by the range proof.

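To make the "inputs cover the outputs" check concrete, here is an added example (not code from the original post or from any CT implementation) of a toy Pedersen commitment and the balance check a verifier performs on commitments alone. The group Z_p^* with p = 2^61 - 1 and the bases G = 3 and H = 7 are assumed toy parameters chosen so the arithmetic fits in u128; a real system uses an elliptic-curve group (the post's demo uses Ristretto via curve25519-dalek) and derives H by hashing so that nobody knows log_G(H). The fee is treated as the one public value, so "inputs greater than outputs" becomes "inputs equal outputs plus fee".

```rust
// Toy Pedersen commitments in Z_p^* with p = 2^61 - 1 (added example, not code
// from the original post). Exponents live mod p-1. P, G and H are assumed toy
// parameters; a real deployment uses an elliptic-curve group and a base H
// derived by hashing so that log_G(H) is unknown.
const P: u128 = (1u128 << 61) - 1;
const ORDER: u128 = P - 1;
const G: u128 = 3; // assumed base for the committed value
const H: u128 = 7; // assumed base for the blinding factor

fn mul(a: u128, b: u128) -> u128 {
    // both operands are < 2^61, so the product fits in u128 before reduction
    (a % P) * (b % P) % P
}

fn pow(mut base: u128, mut exp: u128) -> u128 {
    let mut acc = 1u128;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = mul(acc, base);
        }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

/// C = G^v * H^r mod P: hides v behind the random blinding factor r.
pub fn commit(v: u64, r: u64) -> u128 {
    mul(pow(G, v as u128), pow(H, r as u128))
}

/// A confidential transaction as the prover sees it: (value, blinding) pairs.
pub struct Tx {
    pub inputs: Vec<(u64, u64)>,
    pub outputs: Vec<(u64, u64)>,
    pub fee: u64, // the fee is public, so it is the one value not hidden
}

/// What gets published: commitments, the public fee, and the blinding excess
/// sum(r_in) - sum(r_out) mod (p-1), which the prover computes without
/// revealing any individual blinding factor or value.
pub struct PublicTx {
    pub inputs: Vec<u128>,
    pub outputs: Vec<u128>,
    pub fee: u64,
    pub excess: u128,
}

fn blinding_sum(xs: &[(u64, u64)]) -> u128 {
    xs.iter().fold(0u128, |acc, &(_, r)| (acc + r as u128) % ORDER)
}

fn product(cs: &[u128]) -> u128 {
    cs.iter().fold(1u128, |acc, &c| mul(acc, c))
}

pub fn publish(tx: &Tx) -> PublicTx {
    let excess = (blinding_sum(&tx.inputs) + ORDER - blinding_sum(&tx.outputs)) % ORDER;
    PublicTx {
        inputs: tx.inputs.iter().map(|&(v, r)| commit(v, r)).collect(),
        outputs: tx.outputs.iter().map(|&(v, r)| commit(v, r)).collect(),
        fee: tx.fee,
        excess,
    }
}

/// The verifier's balance check, done entirely on commitments:
/// prod(C_in) == prod(C_out) * G^fee * H^excess holds exactly when
/// sum(v_in) == sum(v_out) + fee. Because the exponent arithmetic wraps
/// mod p-1, this check alone bounds no individual value; that is the job of
/// the per-output range proof in a real system.
pub fn verify_balance(ptx: &PublicTx) -> bool {
    let lhs = product(&ptx.inputs);
    let rhs = mul(mul(product(&ptx.outputs), pow(G, ptx.fee as u128)), pow(H, ptx.excess));
    lhs == rhs
}

fn main() {
    // Constructed sample transactions: 70 + 30 in, 60 + 39 out plus a fee of 1.
    let good = Tx { inputs: vec![(70, 11), (30, 22)], outputs: vec![(60, 33), (39, 44)], fee: 1 };
    let bad = Tx { inputs: vec![(70, 11), (30, 22)], outputs: vec![(60, 33), (45, 44)], fee: 1 };
    println!("balanced tx verifies:     {}", verify_balance(&publish(&good)));
    println!("overspending tx verifies: {}", verify_balance(&publish(&bad)));
}
```

The verifier never sees the values or the blinding factors; it only multiplies commitments and compares. The same homomorphism is what lets a range proof be attached to each commitment and checked independently of the balance equation.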
Our checking model — and using anonymised transaction values — becomes:

[Figure: the checking model with anonymised transaction values]

With Bulletproofs we have a much smaller proof, we can even merge range signatures together, and we never reveal any user secrets. A bulletproof grows only logarithmically in size with the number of outputs and the size of the range being proven. After implementation, Monero saw an 80% reduction in transaction size, which has also led to a significant reduction in transaction fees.

Let’s have a party

In many things in our world, we often need to prove things that involve many people. Let’s say that Bob is applying for a loan from Alice, and now needs to prove that he has a salary of between $60,000 and $100,000, and that his employer — Trent — has at least $1 million in the bank. For this we can integrate MPC (Multi-party Computation), where Bob merges his proof with Trent’s into a single bulletproof signature for Alice, and she can check it. Neither Bob nor Alice knows how much Trent has in the bank, and Alice cannot see what Bob’s salary is, but she can verify that the claims are correct from a single — and short — bulletproof signature.

A trusted setup or not?

One of the best methods for range proofs was proposed by Jan Camenisch et al. in 2008. In it, Peggy commits to a secret value and then proves to Victor with a ZKP that the bits are the same, where each commitment carries its own signature. Some sample code which integrates into the Ethereum blockchain is [here]. The example in this code checks whether someone is over 18 years old and is based in the EU, without giving away their age or their location.

While this works well, it can lead to lengthy signatures for different ranges, and it also requires a trusted setup. With Bulletproofs we can merge signatures, and no initial trusted setup is required. Peggy thus does not need to set the bulletproof up with Victor, and can basically just pass the signature when required.

So what’s so special?

So what’s so special about Bulletproofs:

  • Significant reduction in the size of the signature compared with other CT methods (such as zk-SNARKs and zk-STARKs).
  • Significantly reduced transaction fees, thanks to the shorter signatures.
  • Supports MPC (Multiparty Computation), where many parties can come together to create a single range proof without revealing their secrets.
  • Allows the aggregation of range proofs, producing a single, short signature.
  • Fast verification of proofs (faster than most range proof methods, but still slower than zk-SNARKs).
  • Designed for blockchain integration.
  • No need to set up a trust infrastructure. This often involves creating an initial set of encryption keys which are then used for trusted signatures. These keys should be used only once, and then deleted. If these keys are not deleted, there is a risk to the future trustworthiness of the whole infrastructure.

What will this mean for the stability of our financial world?

Our current financial world is built on 20th Century methods and has little in the way of trust. Our auditing system, too, is still focused on old ways of thinking.

Over the past few decades, we have seen banks fail, and cryptocurrency exchanges crashing. With bulletproofs, we can ask our financial institutions to prove that they have liquidity … “Prove that you have more than $1 billion of liquidity”, and if they failed to prove this, we would quickly move to audit them. Fraud on a large-scale basis would thus be detected in seconds.

In the end, we can say, “Prove to me that the UK has economic stability in its financial infrastructure!”, and our financial institutions can come together and prove this, without actually revealing their current financial status. And so bulletproofs could provide us with a way of sharing information without having to give our secrets away.

Rust implementation

Rust is one of the most secure and robust programming languages around, so let’s create a simple demo. First, we create the Rust project with:

cargo new bulletproof

We then go into the bulletproof folder, and add the following to the Cargo.toml file [here]:

[package]
name = "bulletproof"
version = "0.1.0"
authors = ["billatnapier"]
[dependencies]
curve25519-dalek = "1.2.3"
merlin="1.3.0"
bulletproofs="1.0.4"
rand= "0.6.0"
hex="0.4.0"

Next we go into the src folder, and edit the main.rs file as follows [here]:

extern crate rand;
extern crate curve25519_dalek;
extern crate merlin;
extern crate bulletproofs;
extern crate hex;

use rand::OsRng;
use curve25519_dalek::scalar::Scalar;
use merlin::Transcript;
use bulletproofs::{BulletproofGens, PedersenGens, RangeProof};
use std::env;

fn main() {
    // Secret value and bit length; the crate accepts 8, 16, 32 or 64 bits
    let mut secret: u64 = 1037578891;
    let mut nbits: usize = 32;
    let args: Vec<String> = env::args().collect();
    if args.len() > 1 { secret = args[1].parse::<u64>().unwrap(); }
    if args.len() > 2 { nbits = args[2].parse::<usize>().unwrap(); }
    // Pedersen commitment generators
    let ped_commits = PedersenGens::default();
    // Generators for Bulletproofs, valid for proofs up to 64 bits
    let bullet_gens = BulletproofGens::new(64, 1);
    // Random blinding factor from the OS CSPRNG
    let mut csprng: OsRng = OsRng::new().unwrap();
    let blinding_factor = Scalar::random(&mut csprng);
    // Create the prover's transcript and an n-bit range proof for the secret
    let mut prover_ts = Transcript::new(b"Test");
    let (proof, commitment) = RangeProof::prove_single(&bullet_gens, &ped_commits, &mut prover_ts, secret, &blinding_factor, nbits).expect("Oops!");
    println!("Secret:\t{}", secret);
    println!("Bits:\t{}. Range: 0 to {}", nbits, u128::pow(2, nbits as u32));
    // Verify the proof with a fresh transcript that uses the same label
    let mut verifier_ts = Transcript::new(b"Test");
    let rtn = proof.verify_single(&bullet_gens, &ped_commits, &mut verifier_ts, &commitment, nbits);
    if rtn.is_ok() { println!("++++ Proven!!!"); } else { println!("---- Not Proven!!!"); }
    println!("\n\nCommitments:\t{}", hex::encode(commitment.as_bytes()));
    println!("Proof:\t{}", hex::encode(proof.to_bytes()));
}

Finally we simply build with:

cargo build

For a proof that 110 lies in the 8-bit range:

cargo run 110 8

The following is a valid proof [here]:

Secret:	110
Bits: 8. Range: 0 to 256
++++ Proven!!!
Commitments: 84209ac579b373a9698c7e068a376f423355d0874956fb7c76cdd8772cf24354
Proof: [proof bytes elided]

and not proven [here]:

Secret:	310
Bits: 8. Range: 0 to 256
---- Not Proven!!!
Commitments: 5ce5f19103e26c4ba42cc4a127cc3b2d289e1f5fa9c510f1c473ff75a10a623f
Proof: [proof bytes elided]
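The two runs above pass and fail because of the relation a bulletproof range proof establishes: there must exist an n-bit vector a_L with a_R = a_L - 1 such that a_L ∘ a_R = 0 (every entry is a bit), a_L - a_R - 1 = 0 (the two vectors are consistent) and ⟨a_L, 2^n⟩ = v (the bits encode v). The following added example (not from the post and not the bulletproofs crate, which proves this relation in zero knowledge over Ristretto scalars) evaluates that relation in the clear, using plain integers instead of field elements, to show why 110 satisfies it for n = 8 and 310 cannot.

```rust
// The arithmetic relation behind an n-bit range proof, checked in the clear
// (added example, not code from the post or the bulletproofs crate). A real
// prover commits to a_L and a_R and proves these constraints in zero knowledge;
// here the verifier sees v, so this only illustrates what the proof enforces.

pub struct Witness {
    pub a_l: Vec<i128>, // claimed bits of v, little-endian
    pub a_r: Vec<i128>, // a_L - 1, entry by entry
}

/// Prover side: decompose v into n little-endian bits. Bits above position n
/// are dropped, which is exactly why an out-of-range v has no valid witness.
pub fn decompose(v: u64, n: usize) -> Witness {
    assert!(n <= 64, "toy decomposition supports at most 64 bits");
    let a_l: Vec<i128> = (0..n).map(|i| ((v >> i) & 1) as i128).collect();
    let a_r = a_l.iter().map(|b| b - 1).collect();
    Witness { a_l, a_r }
}

/// Verifier side: the three constraints of the Bulletproofs range relation.
pub fn constraints_hold(v: u64, n: usize, w: &Witness) -> bool {
    if w.a_l.len() != n || w.a_r.len() != n || n > 64 {
        return false;
    }
    // a_L o a_R = 0: each entry of a_L is 0 or 1 (given the next constraint)
    let hadamard_zero = w.a_l.iter().zip(&w.a_r).all(|(l, r)| l * r == 0);
    // a_L - a_R - 1 = 0: a_R really is a_L shifted down by one
    let consistent = w.a_l.iter().zip(&w.a_r).all(|(l, r)| l - r - 1 == 0);
    // <a_L, 2^n> = v: the bits encode the committed value
    let inner: i128 = w.a_l.iter().enumerate().map(|(i, b)| b * (1i128 << i)).sum();
    hadamard_zero && consistent && inner == v as i128
}

/// Honest prover plus verifier; true exactly when 0 <= v < 2^n.
pub fn prove_range(v: u64, n: usize) -> bool {
    constraints_hold(v, n, &decompose(v, n))
}

fn main() {
    for &(v, n) in &[(110u64, 8usize), (310, 8), (255, 8), (256, 8), (1037578891, 32)] {
        println!("v = {:>10}, n = {:>2}: {}", v, n, if prove_range(v, n) { "++++ Proven" } else { "---- Not Proven" });
    }
}
```

The last constraint is where 310 fails for n = 8: only the low eight bits survive the decomposition, so ⟨a_L, 2^8⟩ = 54, not 310. A dishonest prover who tries to keep the inner product by using an entry such as 2 instead trips the a_L ∘ a_R = 0 check, which is why all three constraints are needed together.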

Conclusions

If you are interested in anything that is discussed here, then contact us in our Blockpass ID Lab — the first fully-funded research lab in the world which focuses on identity — as we want to collaborate and build a more trusted world, and which puts the rights of those involved at the core of this new world.

The way we audit needs to change, so that we do not spend months poring over financial statements and spreadsheets. We need ways to prove, merge and share information — and to stop giving away all our secret information — and bulletproofs provide another piece of the jigsaw.

I leave you with one word … Trust!

Translated from: https://medium.com/swlh/rebuilding-a-flawed-data-world-with-zero-knowledge-f4712e55b508
