跨数据库所有权链接_动手发布所有权证明，而不会泄露底层私人数据

跨数据库所有权链接

This article shows how to securely share data between organizations and provides a few examples in python.

本文介绍了如何在组织之间安全地共享数据，并提供了一些python示例。

Previously I wrote an article on how to make some computations on encrypted data without decrypting it using homomorphic encryption. While such an approach is great, it is still encryption, meaning that you still have to decrypt the final result to open the real value. Additionally, there is a risk of leaking the decryption key too.

以前，我写过一篇文章，介绍如何在不使用同态加密将其解密的情况下对加密数据进行一些计算 。 尽管这种方法很棒，但仍然是加密，这意味着您仍然必须解密最终结果才能打开真实价值。 另外，也存在泄漏解密密钥的风险。

Would it be cool if we can share encrypted data that computable while the decryption key does not exist at all so no one can decrypt and see our data ever?

如果我们可以共享可计算的加密数据，而解密密钥根本不存在，那么任何人都无法解密并看到我们的数据，这会很酷吗？

Fortunately, there is even a whole field in cryptography that studies such problems and it is called Zero-Knowledge Proof. ZKP allows you to prove that you know some secret(s) to the others without actually revealing it. The term “zero-knowledge” tells that no (“zero”) information about the secret is revealed, while the second party (called “Verifier”) is mathematically convinced that the originating party (called “Prover”) indeed knows the secret.

幸运的是，密码学中甚至有一个研究此类问题的领域，被称为零知识证明 。 ZKP允许您证明自己对其他人知道一些秘密，而无需实际透露。 术语“零知识”表示没有泄露有关机密的信息(“零”)，而第二方(称为“验证者”)在数学上认为发起方(称为“证明者”)确实知道该机密。

The latest inventions in ZNP allow us to run complex computations over secrets. As of now, there are 3 main methods of how to run such computation namely SNARKs, STARKs, and Bulletproofs. Here is the link where you can compare them and see their details.

ZNP中的最新发明使我们能够对秘密进行复杂的计算。 到目前为止，有3种主要的方法来运行这种计算，即SNARK，STARK和Bulletproofs。 这是您可以比较它们并查看其详细信息的链接。

One of the main properties of SNARKs is to produce none - interactive proves, meaning you don't need a connected server or API. You can verify the correctness of computations offline.

SNARK的主要特性之一是不产生任何内容-交互式证明，这意味着您不需要连接的服务器或API。 您可以离线验证计算的正确性。

In this article, I am using SNARKs and I skip all the math, focusing on how to use it instead.

在本文中，我使用的是SNARK，而我跳过了所有的数学运算，而是重点介绍了如何使用它。

Zero-Knowledge Proof Pipeline

零知识证明管道

For example, we want to prove that person is older than 18 years old. The age of the person is a secret. We want to generate a proof that the person is at least 18 years old.

例如，我们要证明该人年龄大于18岁。 这个人的年龄是个秘密。 我们要生成一个证明该人至少18岁的证据。

SNARKs has the following implementation steps:

SNARKs具有以下实现步骤：

1. Building a constraint system

   建立约束系统

   At this step, you define all the variables and their computations, with all the constraints. Data variables could be private or public. Both the private and public variables are used to generate a proof, while the public variables are used later to verify the proof.

   在此步骤中，您将定义所有变量及其计算以及所有约束。 数据变量可以是私有的也可以是公共的。 私有变量和公共变量均用于生成证明，而公共变量稍后用于验证证明。

   In our example, we have 2 variables:

   在我们的示例中，我们有2个变量：

   age(private), age_of_majority(public). Our constraint system is age ≥ age_of_majority = True, where ≥ is computation, and the equal sign (=) is the constraint of the computation result to the term True.

   年龄 (私人)， 年龄 多数 (公开)。 我们的约束系统是age≥age_of_majority = True，其中≥是计算，等号(=)是计算结果对True的约束。

2. Keypair generation

   密钥对生成

   After the constraint system is built we need to generate a pair of keys:

   构建约束系统后，我们需要生成一对密钥：

   proving key and verification key. Both keys could be public, with the difference is that proving key is used to generate proofs, and verifying key is used for proof verification.

   证明密钥和验证密钥 。 这两个密钥都可以是公共密钥，不同之处在于，将证明密钥用于生成证明，而验证密钥则用于证明验证。

3. Generate a proof

   产生证明

   At this step, we take the proving key, constraint system, set all the variables {

   在这一步，我们采用证明密钥约束系统，设置所有变量{

   age; age_of_majority}, and finally generate the proof.

   年龄; age_of_majority }，最后生成证明。

4. Verify the proofOnce we have the proof we can publish it, and everyone can check it against the verification key, constraint system, and the public variables {age_of_majority} for correctness. Verifier does not know the secret, but the verifier is confident that all the constraints have been met.

   验证证明一旦有了证明，我们就可以发布它，每个人都可以根据验证密钥，约束系统和公共变量{age_of_majority}对其进行检查，以确保正确性。 验证者不知道秘密，但是验证者确信已满足所有约束。

Zero-Knowledge Examples for Financial Industry

金融业的零知识实例

ZNP could be applied widely to a whole range of problems when secret data needs to be shared between organizations.

当需要在组织之间共享秘密数据时，ZNP可以广泛应用于一系列问题。

Let's look at two typical examples:

让我们看两个典型的例子：

1. Mutual fund verification. An active mutual fund manager wants investors to be confident by proving daily that the fund contains only certain stocks, and nothing else, so the risk is limited within the pre-defined published set of stocks. But the manager wants to hide the individual stock positions.

   共同基金验证。 一位积极的共同基金经理希望投资者通过每天证明该基金仅包含某些股票而没有其他股票来充满信心，因此，将风险限制在预先定义的已发布股票范围内。 但是经理想要隐藏各个股票头寸。

2. Sufficient amount’s verification. A client has at least N dollars and her/his bank account without showing the actual balance.

   足够数量的验证 。 客户至少有N美元和她/他的银行帐户，但未显示实际余额。

I implemented these examples in Python using SNARKs as a single Jupiter notebook. You can run them in your browser here in Google Colab, a free online Python sandbox, or you can download source code and run it locally.

我使用SNARK作为单个Jupiter笔记本在Python中实现了这些示例。 您可以在浏览器中的Google Colab (免费的在线Python沙箱)中运行它们， 也可以下载源代码并在本地运行。

Example 1. Mutual fund verification

例子1.共同基金验证

An active mutual fund manager wants to prove that the fund contains only certain stocks, eg. { GOOG, AAPL }. The manager wants to hide individual stock positions.

一个积极的共同基金经理想要证明该基金仅包含某些股票，例如。 {GOOG，AAPL}。 经理想要隐藏单个库存头寸。

First, let's build the constraint system against the daily closing stock and fund prices, so the manager wants to prove that:

首先，让我们建立一个针对每日收盘价和基金价格的约束系统，因此经理想要证明：

partial_sum1 = goog_position * goog_pricepartial_sum2 = aapl_position * aapl_priceprice = partial_sum1 + partial_sum2

partial_sum1 = goog_position * goog_pricepartial_sum2 = aapl_position * aapl_priceprice = partial_sum1 + partial_sum2

The variables goog_position, aapl_position, partial_sum1, partial_sum2 are private, and goog_price, aapl_price, and fund price is public.

变量goog_position，aapl_position，partial_sum1，partial_sum2是私有的，而goog_price，apl_price和基金价格是公共的。

This type of proof is known as inner product zero-knowledge proof.

这种类型的证明称为内部乘积零知识证明。

We need to define variables and set constraints. A variable is defined by calling the method PbVariable(), once defined you need to add it to the SNARKs execution context called the protoboard, and tell the protoboard if it is private (by default) or public ( protoboard’s method setpublic() ).

我们需要定义变量并设置约束。 变量是通过调用方法PbVariable()定义的，定义后，您需要将其添加到SNARK的执行上下文中，称为protoboard，并告诉protoboard是私有的(默认情况下)还是public的( protoboard的方法s etpublic() )。 。

So our variables are the following:

因此，我们的变量如下：

# position variables
# they are private for the fund managergoog_position = libsnark.PbVariable()
goog_position.allocate(pb)aapl_position = libsnark.PbVariable()
aapl_position.allocate(pb)# partials
partial_sum1 = libsnark.PbVariable()
partial_sum1.allocate(pb)
partial_sum2 = libsnark.PbVariable()
partial_sum2.allocate(pb)# daily close price variables
# they are public and they will used by verifiersgoog_price = libsnark.PbVariable()
goog_price.allocate(pb)
pb.setpublic(goog_price)aapl_price = libsnark.PbVariable()
aapl_price.allocate(pb)
pb.setpublic(aapl_price)# fund closing pricefund_price = libsnark.PbVariable()
fund_price.allocate(pb)
pb.setpublic(fund_price)

Next, we need to define constraints. Constrains is SNAKs are called R1SC constraints. R1CS is a constraint satisfaction and it should be expressed as three linear combinations as such:Linear Combination1 * Linear Combination2 = Linear Combination3.

接下来，我们需要定义约束。 约束是SNAK，称为R1SC约束。 R1CS 是约束满足，应将其表示为三个线性组合，例如： 线性组合1 *线性组合2 =线性组合3。

Linear Combination defines a full linear combination which should include either a variable, a constant, addition, subtraction, or multiplication with a constant.

线性组合定义了完整的线性组合，其中应包括变量，常数，加法，减法或与常数的乘积。

The method that creates R1CS is the following:libsnark.R1csConstraint(Linear_Combination1, Linear_Combination2, Linear_Combination3)

创建R1CS的方法如下： libsnark.R1csConstraint(Linear_Combination1，Linear_Combination2，Linear_Combination3)

R1CS examples:

R1CS示例：

1*1 = 1

1 * 1 = 1

libsnark.R1csConstraint(Linear_Combination(1), Linear_Combination(1), Linear_Combination(1))

(2*A+B)*C = D, where A, B, C, D are the variables

(2 * A + B)* C = D，其中A，B，C，D为变量

libsnark.R1csConstraint(
Linear_Combination(A)*2 + Linear_Combination(B), 
Linear_Combination(C), 
Linear_Combination(D))

Now we can define R1CS constraints for our example and add it to the current protoboard:

现在，我们可以为示例定义R1CS约束并将其添加到当前的原型板上：

# partial1 = goog_price * goog_position
pb.add_r1cs_constraint(libsnark.R1csConstraint(libsnark.LinearCombination(goog_price), libsnark.LinearCombination(goog_position), libsnark.LinearCombination(partial_sum1)))# partial2 = aapl_price * aapl_position
pb.add_r1cs_constraint(libsnark.R1csConstraint(libsnark.LinearCombination(aapl_price), libsnark.LinearCombination(aapl_position), libsnark.LinearCombination(partial_sum2)))# fund  price = (partial_sum1 + partial_sum2) * 1
pb.add_r1cs_constraint(libsnark.R1csConstraint(libsnark.LinearCombination(partial_sum1) + libsnark.LinearCombination(partial_sum2), libsnark.LinearCombination(1), libsnark.LinearCombination(fund_price)))

The variables and constraints are all that we need to generate and save a new proving and verification key.

变量和约束是我们生成和保存新的证明和验证密钥所需的全部。

cs=pb.get_constraint_system_pubs()
keypair=libsnark.zk_generator(cs)
libsnark.zk_write_keys(keypair, "fund.vk", "fund.ek")

Now the fund manager is ready to create a proof for the fund. Let's say the manager has 10 positions in Google and 20 positions in Apple. The stock price is respectively 1465, 437 USD.

现在，基金经理准备为该基金创建证明。 假设经理在Google中有10个职位，在Apple中有20个职位。 股票价格分别为1465、437美元。

# private variables
pb.setval(goog_position, 10 )
pb.setval(aapl_position, 20 )
pb.setval(partial_sum1, 1465 * 10 )
pb.setval(partial_sum2, 437 * 20 )# public variables
pb.setval(goog_price, 1465 )
pb.setval(aapl_price, 437 )
# 1465 * 10 + 437 * 20 = 23390
pb.setval(fund_price, 23390)

Now, the manager can create a proof and then save it

现在，经理可以创建证明，然后保存

keypair=libsnark.zk_read_key("fund.ek", cs)
pubvals=pb.primary_input_pubs();
privvals=pb.auxiliary_input_pubs();proof=libsnark.zk_prover(keypair.pk, pubvals, privvals);
libsnark.zk_write_proof(proof,pubvals,'proof')
ls -lart----*** Private inputs: 10 20 14650 8740 
*** Public inputs: 1465 437 23390 
total 36 
-rw-r--r-- 1 root root  2479 Aug  5 03:48 fund.vk 
-rw-r--r-- 1 root root 10582 Aug  5 03:48 fund.ek 
-rw-r--r-- 1 root root  1412 Aug  5 03:48 proof 

Our proof size is quite small (1KB) so the manager can publish it on the webpage.

我们的证明大小很小(1KB)，因此管理员可以将其发布在网页上。

And finally, anyone can check our proof along with the public parameters using the verification key.

最后，任何人都可以使用验证码来检查我们的证明以及公共参数。

# public variables
pb.setval(goog_price, 1465 )
pb.setval(aapl_price, 437 )
pb.setval(fund_price, 23390)pubvals=pb.primary_input_pubs();verified=libsnark.zk_verifier_strong_IC(keypair.vk, pubvals, proof);print("*** Verification status:", verified)*** Public inputs: 1465 437 23390 
*** Verification status: True

Sufficient amount’s verification Example

足够金额的验证示例

A Bank ABC’s client has at least N dollars on her/his account

银行ABC客户的帐户中至少有N美元

The Bank will compare the client account balance (which is private data) with the requested threshold (public data) and generates the public proof.

银行将客户账户余额(私人数据)与请求的门槛(公共数据)进行比较，并生成公共证明。

This is an example of the comparison constraint

这是比较约束的一个例子

Our constrain system is private_amount — N ≥ 0.

我们的约束系统为private_amount — N≥0 。

But unfortunately, R1CS constrains could be built using only addition, substruction, and multiplication, and there are no less or greater operations.

但是不幸的是，只能使用加法，减法和乘法来构建R1CS约束，并且没有更少或更多的运算。

But if we can present a number in a binary format, we will be only dealing with 1 or 0. Also, remember that any positive number has the highest bit is equal to 0 and it is 1 for all the negative numbers.

但是，如果我们可以用二进制格式表示数字，那么我们只会处理1或0。此外，请记住，任何具有最高位的正数都等于0，而所有负数都为1。

So to prove A<B for positive numbers, we calculate R = A-B.

因此，为了证明A <B为正数，我们计算R = AB。

We convert R into a binary string and check if the highest bit is 0, then R is positive then A≥B.If the highest bit is 1 then R is negative then A<B respectively.

我们将R转换为二进制字符串，并检查最高位是否为0，则R为正，然后A≥B;如果最高位为1，则R为负，则A <B.

Our new constrain system for A<B will transform into:

我们针对A <B的新约束系统将转换为：

A - B = R. It is the main constraintR is the same as b_R. b_R is array {0,1} of 32 elements b_R[31] = 1 # highest bit, meaning the value is negative

A-B = R。 它的主要约束条件R与b_R相同 。 b_R是32个元素的数组{0,1} b_R [31] = 1＃最高位，表示该值为负

The first and the last constrains are easy

第一个和最后一个约束很容易

# 1. (a-b) * 1 = r
pb.add_r1cs_constraint(libsnark.R1csConstraint( libsnark.LinearCombination(a) - libsnark.LinearCombination(b), libsnark.LinearCombination(1),
libsnark.LinearCombination(r))# 3. b(R)[word_size - 1]*1 == 1
pb.add_r1cs_constraint(libsnark.R1csConstraint( libsnark.LinearCombination(b_r[word_size - 1]),
libsnark.LinearCombination(1),libsnark.LinearCombination(1)))

Let’s implement the binary constraints. We call the variable R as packed and b_R as unpacked_array (all elements are private).

让我们实现二进制约束。 我们将变量R称为压缩，将b_R称为 unpacked_array(所有元素都是私有的)。

packed = libsnark.PbVariable()
packed.allocate(pb)
word_size = 32# array of bin representation of the decimal value
unpacked_array = []for n in range(word_size):
   v = libsnark.PbVariable()
   v.allocate(pb)
   unpacked_array.append(v)

Our LinearCombination becomes a sum of each bit at the n position multiple by 2^n where n=[0..31]. The sum should add up to the same number as the packed value. So the R1CS constraint simply checks if sum*1 = packed.

我们的LinearCombination变成n位上每个位的总和乘以2 ^ n，其中n = [0..31]。 总和应与包装值的总和相同。 因此，R1CS约束仅检查sum * 1 = packed 。

# bin to decimal calculation
packed_combination = libsnark.LinearCombination(0);for n in range(word_size):
    packed_combination += libsnark.LinearCombination(unpacked_array[n]) * 2**n# add constrain packed == packed_combination
pb.add_r1cs_constraint(libsnark.R1csConstraint( packed_combination,
libsnark.LinearCombination(1),
libsnark.LinearCombination(packed)))

The next steps are the key pair generation, proof generation, and verification. The implementation is the same as in the previous example. Let’s assume the client balance is 1000 USD but the required threshold is 900 USD.

下一步是密钥对的生成，证明的生成和验证。 实现与前面的示例相同。 假设客户余额为1000美元，但所需的起付金额为900美元。

keypair=libsnark.zk_generator(cs)val_clients_balance = 1000
val_required_threshold = 900val_unsigned_r = signed_2_unsigned(val_required_threshold - val_clients_balance )
bit_array = bitfield(val_unsigned_r)print(bit_array)
for n, bit in zip(range(len(bit_array)), bit_array):
     pb.setval(b_r[n], bit)pb.setval(r_unsigned, val_unsigned_r )
pb.setval(a, val_required_threshold )
pb.setval(b, val_clients_balance )cs=pb.get_constraint_system_pubs()
pubvals=pb.primary_input_pubs();
privvals=pb.auxiliary_input_pubs();proof=libsnark.zk_prover(keypair.pk, pubvals, privvals);
verified=libsnark.zk_verifier_strong_IC(keypair.vk, pubvals, proof);print("*** Public inputs: " + " ".join([str(pubvals.at(i)) for i in range(pubvals.size())]))print("*** Verification status:", verified)--------[0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1] 
*** Public inputs: 1000 
*** Verification status: True

I hope these two examples gave you an understanding of how to build similar solutions using ZNP.

我希望这两个示例可以使您了解如何使用ZNP构建类似的解决方案。

I can see a great value of SNARKs in machine learning as well when models could be tested for the quality without revealing its coefficients.

当可以测试模型的质量而又不揭示其系数时，我也可以看到SNARK在机器学习中的巨大价值。

I recommend to test this code in Google Colab since all you need to run it is a browser, but you are welcome to download it from GitHub.

我建议您在Google Colab中测试此代码， 因为运行它所需的全部是浏览器 ，但是欢迎您从GitHub下载它。

Thank you for reading the article.

感谢您阅读这篇文章。

翻译自: https://medium.com/swlh/hands-on-disseminate-proof-of-ownership-without-disclosing-the-underlying-private-data-6a87f1681ab8

跨数据库所有权链接