Proof Systems for General Statements about Discrete Logarithms: study notes

Notes on the 1997 paper "Proof Systems for General Statements about Discrete Logarithms" by Jan Camenisch and Markus Stadler.

1. Background

  • Definition of a monotone Boolean function:
    [figure]

  • Concatenation of tuples:
    [figure]

  • Modified Cartesian product:
    [figure]

  • Knowledge specification set:
    [figure]

2. Some examples

2.1 Proving knowledge of a discrete logarithm $y = g^x$ (a Schnorr signature on the message $(g, y)$)

This is the same as section 1.2 of the blog 基于Sigma protocol实现的零知识证明protocol集锦:
Witness: $x$
Instance: $y, g$
Relation: $y = g^x$

The construction:

  • 1) Prover: pick $v \in_R \mathbb{Z}_q$ and form the commitment $t = g^v$; hash $g, y, t$ to obtain the challenge $c = \mathrm{Hash}(g, y, t)$; compute the response $r = v - c \cdot x \pmod q$. Send $(c, r)$ to the verifier.

2) Verifier: from the received $(c, r)$, and using that $g^r = g^{v - cx} = t \cdot y^{-c}$, reconstruct $t' = g^r \cdot y^c$, feed $g, y, t'$ into the same hash function to obtain $c' = \mathrm{Hash}(g, y, t')$, and accept iff $c = c'$.

2.2 Proving knowledge of two discrete logarithms that satisfy a linear equation

Witness: $x_1, x_2$
Instance: $g_1, y_1, g_2, y_2, a_1, a_2, b$
Relation: $y_1 = g_1^{x_1} \ \wedge\ y_2 = g_2^{x_2} \ \wedge\ a_1 x_1 + a_2 x_2 = b \pmod q$
As a knowledge specification set the relation is: $K = (DL(g_1, y_1) \otimes DL(g_2, y_2)) \cap LE((a_1, a_2), b)$

The construction:

  • 1) Prover: pick random $v_1, v_2$ satisfying $a_1 v_1 + a_2 v_2 = 0 \pmod q$, i.e. $(v_1, v_2) \in_R \{(u_1, u_2) \in \mathbb{Z}_q^2 \mid a_1 u_1 + a_2 u_2 = 0 \pmod q\}$, and form the commitments $t_1 = g_1^{v_1}, t_2 = g_2^{v_2}$; hash $g_1, y_1, g_2, y_2, a_1, a_2, b, t_1, t_2$ to obtain the challenge $c = \mathrm{Hash}(g_1, y_1, g_2, y_2, a_1, a_2, b, t_1, t_2)$; compute the responses $r_1 = v_1 - c \cdot x_1 \pmod q$ and $r_2 = v_2 - c \cdot x_2 \pmod q$. Send $(c, r_1, r_2)$ to the verifier.

2) Verifier: from the received $(c, r_1, r_2)$, reconstruct $t_1' = g_1^{r_1} \cdot y_1^{c}$ and $t_2' = g_2^{r_2} \cdot y_2^{c}$ (as in 2.1, $g_i^{r_i} = t_i \cdot y_i^{-c}$), feed $g_1, y_1, g_2, y_2, a_1, a_2, b, t_1', t_2'$ into the same hash function to obtain $c' = \mathrm{Hash}(g_1, y_1, g_2, y_2, a_1, a_2, b, t_1', t_2')$, and accept iff both $c = c'$ and $a_1 r_1 + a_2 r_2 = -cb \pmod q$ hold. The second check passes for an honest prover because $a_1 r_1 + a_2 r_2 = (a_1 v_1 + a_2 v_2) - c(a_1 x_1 + a_2 x_2) = 0 - cb \pmod q$.
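The two non-interactive proofs of 2.1 and 2.2, as an added Python example (not code from the paper or from the blog it cites). The group $(p, q, g) = (2039, 1019, 4)$ is a toy safe-prime group ($p = 2q + 1$, $g = 2^2$ a quadratic residue of order $q$) chosen here only so the numbers are easy to inspect; the hash `H` is SHA-256 over the `|`-joined decimal encodings of its inputs, reduced mod $q$, which is this example's own encoding choice, not one the paper fixes.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1 (assumption: for illustration only; a real
# deployment uses a 2048-bit-plus safe prime or a prime-order elliptic-curve
# group).  g = 4 = 2^2 is a quadratic residue != 1, so it has order exactly q.
P, Q, G = 2039, 1019, 4


def H(*items):
    """Fiat-Shamir challenge: hash every instance element and commitment, reduce mod q."""
    data = b"|".join(str(i).encode() for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


# --- 2.1: knowledge of x with y = g^x (Schnorr signature on the message (g, y)) ---
def prove_dl(g, y, x):
    v = secrets.randbelow(Q)             # v in_R Z_q
    t = pow(g, v, P)                     # commitment t = g^v
    c = H(g, y, t)                       # challenge c = Hash(g, y, t)
    r = (v - c * x) % Q                  # response r = v - c x (mod q)
    return c, r


def verify_dl(g, y, proof):
    c, r = proof
    t = pow(g, r, P) * pow(y, c, P) % P  # t' = g^r y^c = g^(v - cx) g^(cx) = g^v
    return c == H(g, y, t)


# --- 2.2: y1 = g1^x1, y2 = g2^x2 and a1 x1 + a2 x2 = b (mod q) ---
def prove_dl_le(g1, y1, g2, y2, a1, a2, b, x1, x2):
    # (v1, v2) must satisfy a1 v1 + a2 v2 = 0 (mod q): pick v1, solve for v2.
    # Needs a2 invertible mod q; if a2 = 0, swap the roles of the two indices.
    v1 = secrets.randbelow(Q)
    v2 = (-a1 * v1 * pow(a2, -1, Q)) % Q
    t1, t2 = pow(g1, v1, P), pow(g2, v2, P)
    c = H(g1, y1, g2, y2, a1, a2, b, t1, t2)
    r1, r2 = (v1 - c * x1) % Q, (v2 - c * x2) % Q
    return c, r1, r2


def verify_dl_le(g1, y1, g2, y2, a1, a2, b, proof):
    c, r1, r2 = proof
    t1 = pow(g1, r1, P) * pow(y1, c, P) % P
    t2 = pow(g2, r2, P) * pow(y2, c, P) % P
    hash_ok = c == H(g1, y1, g2, y2, a1, a2, b, t1, t2)
    # a1 r1 + a2 r2 = (a1 v1 + a2 v2) - c (a1 x1 + a2 x2) = 0 - c b  (mod q)
    linear_ok = (a1 * r1 + a2 * r2) % Q == (-c * b) % Q
    return hash_ok and linear_ok


def demo():
    """Honest proofs verify; a response edited by +1 breaks the linear check."""
    x = 777
    y = pow(G, x, P)
    dl_ok = verify_dl(G, y, prove_dl(G, y, x))

    g1, g2 = G, pow(G, 5, P)             # a second base of order q (toy choice)
    x1, x2, a1, a2 = 123, 456, 3, 7
    b = (a1 * x1 + a2 * x2) % Q
    y1, y2 = pow(g1, x1, P), pow(g2, x2, P)
    proof = prove_dl_le(g1, y1, g2, y2, a1, a2, b, x1, x2)
    le_ok = verify_dl_le(g1, y1, g2, y2, a1, a2, b, proof)

    # a1 (r1 + 1) + a2 r2 = -c b + a1 != -c b since a1 != 0 mod q, so the
    # verifier rejects whatever the hash check does.
    c, r1, r2 = proof
    tampered = verify_dl_le(g1, y1, g2, y2, a1, a2, b, (c, (r1 + 1) % Q, r2))
    return {"dl": dl_ok, "dl_le": le_ok, "tampered": tampered}
```

The linear check in `verify_dl_le` is the whole point of 2.2: the hash check alone would accept two unrelated Schnorr proofs, and it is the constraint $a_1 v_1 + a_2 v_2 = 0$ on the prover's randomness that lets the verifier test $a_1 r_1 + a_2 r_2 = -cb$ without learning $x_1, x_2$.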


2.3 OR proof

This is the same as section 2.3 of the blog 基于Sigma protocol实现的零知识证明protocol集锦:
Witness: $x_1$ OR $x_2$
Instance: $g_1, y_1, g_2, y_2$
Relation: $y_1 = g_1^{x_1}$ OR $y_2 = g_2^{x_2}$

Suppose the prover knows $x_1$ (branch <1>) but not $x_2$ (branch <2>).
In detail:
1) Prover:

  • For branch <1>, pick a random $v_1$ and build the first commitment $t_1 = g_1^{v_1}$.
  • For branch <2>, pick the challenge $c_2$ and the response $r_2$ at random (not knowing $x_2$, the prover can only simulate this branch, in the manner of section 1.2.2 of the blog 基于Sigma protocol实现的零知识证明protocol集锦), and compute $t_2 = y_2^{c_2} \cdot g_2^{r_2}$.
  • Compute the hash $c = \mathrm{Hash}(g_1, y_1, g_2, y_2, t_1, t_2)$ and the challenge for branch <1>, $c_1 = c - c_2 \pmod q$.
  • Compute the response for branch <1>, $r_1 = v_1 - c_1 \cdot x_1 \pmod q$.
  • Send $((c_1, r_1), (c_2, r_2))$ to the verifier.

2) Verifier:
From the received proof $((c_1, r_1), (c_2, r_2))$, compute $t_1' = g_1^{r_1} y_1^{c_1}$ and $t_2' = g_2^{r_2} y_2^{c_2}$, and check that $c_1 + c_2 = H(g_1, y_1, g_2, y_2, t_1', t_2') \pmod q$.

The reason why this works is that the prover is "allowed to forge" one of the two proofs since he can choose the corresponding challenge before the commitment is computed; the other challenge is then determined by the hash function. The verifier, however, cannot decide which challenge was chosen and therefore obtains no information about which discrete logarithms the prover knows.
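The OR proof above as an added Python example (not code from the paper or the blog). It uses the same toy safe-prime group $(p, q, g) = (2039, 1019, 4)$ and the same SHA-256-mod-$q$ hash encoding as this page's other examples, both of which are this example's own assumptions. The simulated branch is fixed before the hash is taken, and the demo shows that a prover holding only $x_2$ produces a proof of exactly the same shape, which is what keeps the verifier from learning which branch was real.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1 and generator of order q (assumption: for
# illustration only, not a secure parameter size).
P, Q, G = 2039, 1019, 4


def H(*items):
    data = b"|".join(str(i).encode() for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_or(g1, y1, g2, y2, x, known):
    """known = 1 if x is log_g1(y1), 2 if x is log_g2(y2); the other branch is simulated."""
    if known == 1:
        g_real, y_real, g_sim, y_sim = g1, y1, g2, y2
    else:
        g_real, y_real, g_sim, y_sim = g2, y2, g1, y1
    # Simulated branch: choose challenge and response first, then the
    # commitment that makes the verifier's reconstruction agree with them.
    c_sim, r_sim = secrets.randbelow(Q), secrets.randbelow(Q)
    t_sim = pow(y_sim, c_sim, P) * pow(g_sim, r_sim, P) % P
    # Real branch: honest Schnorr commitment.
    v = secrets.randbelow(Q)
    t_real = pow(g_real, v, P)
    # The hash binds both commitments; the real branch gets whatever is left.
    t1, t2 = (t_real, t_sim) if known == 1 else (t_sim, t_real)
    c = H(g1, y1, g2, y2, t1, t2)
    c_real = (c - c_sim) % Q
    r_real = (v - c_real * x) % Q
    if known == 1:
        return (c_real, r_real), (c_sim, r_sim)
    return (c_sim, r_sim), (c_real, r_real)


def verify_or(g1, y1, g2, y2, proof):
    (c1, r1), (c2, r2) = proof
    t1 = pow(g1, r1, P) * pow(y1, c1, P) % P   # t1' = g1^r1 y1^c1
    t2 = pow(g2, r2, P) * pow(y2, c2, P) % P   # t2' = g2^r2 y2^c2
    return (c1 + c2) % Q == H(g1, y1, g2, y2, t1, t2)


def demo():
    """Both a left-witness prover and a right-witness prover convince the verifier."""
    g1, g2 = G, pow(G, 9, P)            # two bases of order q (toy choice)
    x1, x2 = 314, 999
    y1, y2 = pow(g1, x1, P), pow(g2, x2, P)
    left = verify_or(g1, y1, g2, y2, prove_or(g1, y1, g2, y2, x1, known=1))
    right = verify_or(g1, y1, g2, y2, prove_or(g1, y1, g2, y2, x2, known=2))
    return {"left": left, "right": right}
```

Note that `verify_or` never distinguishes the two sub-proofs: for the simulated branch $g^{r} y^{c}$ reproduces $t_{\mathrm{sim}}$ by construction, for the real branch it reproduces $g^{v}$, and only the sum $c_1 + c_2$ is tied to the hash.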

3. Proving knowledge of an element of an arbitrary knowledge specification set

That is, proving knowledge of an element of an arbitrary knowledge specification set; this generalizes the OR proof.

3.1 Transformation and tree representation:

[figure]

3.2 Constructing a proof for $F$

$F$ is a knowledge specification, written as $\tilde F = \bigcup_{i=1}^{m} \tilde F_i$, where no $\tilde F_i$ contains a $\cup$ operation of any form.
Suppose the prover knows an element $K \in F$; then there is an index $\alpha$ with $K \in \tilde F_\alpha$, where $K$ is a tuple of elements of $\mathbb{Z}_q$.

The proof is constructed as follows:
1) Commitment:
(a) Set $\bar w_\alpha = 0$ and choose $\bar w_i \in_R \mathbb{Z}_q$ for $i \neq \alpha$; let $\bar W = (\bar w_1, \cdots, \bar w_m)$. [$\bar w_i$ is global to the whole tree $\tilde F_i$: $\bar w_i \neq 0$ means the challenge for that tree is fixed in advance and its proof is simulated; only the tree with $\bar w_i = 0$ is proved honestly from the witness.]
(b) Choose a random tuple $\bar V = (\bar v_{1.0\cdots,1}, \cdots, \bar v_{m.0\cdots,\cdot})$, with one component $\bar v_{n,j}$ per leaf $n$ and index $j$, satisfying $E|_{W = \bar W}$.
(c) Assign a commitment $T_n$ to every node $n$ of the forest $\tilde F$:

  • if $n$ is a leaf of type $DL(g, y)$ in the tree $\tilde F_i$:
    $T_n = (y^{\bar w_i} g^{\bar v_n})$
  • if $n$ is a leaf of type $REP((g_1, \cdots, g_k), y)$ in the tree $\tilde F_i$:
    $T_n = (y^{\bar w_i} \prod_{j=1}^{k} g_j^{\bar v_{n,j}})$
  • if $n$ is a leaf of type $LE((a_1, \cdots, a_k), b)$:
    $T_n$ is the empty tuple $()$
  • if $n$ is an inner node of type $\otimes$ or $\cap$:
    $T_n = T_{n\|0} \circ T_{n\|1}$

The complete commitment $T$ is:
$T = T_{1.0} \circ \cdots \circ T_{m.0}$

2) Challenge:
The challenge $C = (c_1, \cdots, c_m)$ is computed as
$$c_i = \begin{cases} H(\tilde F, T) - \sum_{j=1}^{m} \bar w_j \pmod q & \text{for } i = \alpha \\ \bar w_i & \text{otherwise} \end{cases}$$
Since $\bar w_\alpha = 0$, the sum effectively runs over $j \neq \alpha$, so $\sum_{i=1}^{m} c_i = H(\tilde F, T) \pmod q$.

3) Response:
Given $K \in \tilde F_\alpha$, the prover constructs a tuple $X$ (its components labeled in the same way as the components of $V$) such that:

  • $x_{n,j} = 0$ for all indices $j$ if the leaf $n$ is not in the tree $\tilde F_\alpha$;
  • if $n$ is a leaf of type $DL$ or $REP$ in $\tilde F_\alpha$, the sub-tuple $(x_{n,1}, \cdots, x_{n,k})$ is an element of the set defined by the type of the leaf;
  • the sub-tuple $X_{\alpha.0}$ corresponding to $V_{\alpha.0}$ satisfies $E_{\alpha.0}|_{w_\alpha = -1}$.

The complete response $R = (r_{1.0\cdots,1}, \cdots, r_{m.0\cdots,\cdot})$ is defined by
$r_{n,j} = \bar v_{n,j} - c_\alpha x_{n,j} \pmod q$
for all leaves $n$ and all indices $j$.

The proof of knowledge is the pair $(\vec C, \vec R)$.

3.3 Verifying a proof

Verifying a proof $(\vec C, \vec R)$ takes two steps:
1) Reconstruct the commitments:

  • if $n$ is a leaf of type $DL(g, y)$ in the tree $\tilde F_i$:
    $T_n' = (y^{c_i} g^{r_n})$
  • if $n$ is a leaf of type $REP((g_1, \cdots, g_k), y)$ in the tree $\tilde F_i$:
    $T_n' = (y^{c_i} \prod_{j=1}^{k} g_j^{r_{n,j}})$
  • if $n$ is a leaf of type $LE((a_1, \cdots, a_k), b)$:
    $T_n'$ is the empty tuple $()$
  • if $n$ is an inner node of type $\otimes$ or $\cap$:
    $T_n' = T_{n\|0}' \circ T_{n\|1}'$

2) Check the challenge and the response:

  • verify that $H(\tilde F, T') = \sum_{i=1}^{m} c_i \pmod q$;
  • verify that $\vec R$ satisfies $E|_{W = C}$.

3.4 Example

Witness: $x_1, x_2, x_3$
Instance: $h, z, g_1, g_2, y, a_1, a_2, a_3, b$
Relation: $z = h^{x_1}$ and $y = g_1^{x_2} g_2^{x_3}$, such that either $b = a_1 x_1 + a_2 x_2 + a_3 x_3 \pmod q$ or $b = a_1 x_2 + a_2 x_3 + a_3 x_1 \pmod q$ holds.
As a knowledge specification set the relation is: $F = ((DL(h,z) \otimes REP((g_1,g_2),y)) \cup (REP((g_1,g_2),y) \otimes DL(h,z))) \cap LE((a_1,a_2,a_3),b)$

Distributing the $\cap$ over the $\cup$: $\tilde F = ((DL(h,z) \otimes REP((g_1,g_2),y)) \cap LE((a_1,a_2,a_3),b)) \cup ((REP((g_1,g_2),y) \otimes DL(h,z)) \cap LE((a_1,a_2,a_3),b)) = \tilde F_1 \cup \tilde F_2$
Tree representation:
[figure]

Next, the prover builds the list of variables $V_n$ and the set of equations $E_n$ for each node.
For the tree $\tilde F_1$:

  • node $1.000$: $V_{1.000} = (v_{1.000,1})$
    $E_{1.000} = \emptyset$
  • node $1.001$: $V_{1.001} = (v_{1.001,1}, v_{1.001,2})$
    $E_{1.001} = \emptyset$
  • node $1.00$: $V_{1.00} = V_{1.000} \circ V_{1.001} = (v_{1.000,1}, v_{1.001,1}, v_{1.001,2})$
    $E_{1.00} = E_{1.000} \cup E_{1.001} = \emptyset$
  • node $1.01$: $V_{1.01} = (v_{1.01,1}, v_{1.01,2}, v_{1.01,3})$
    $E_{1.01} = \{a_1 v_{1.01,1} + a_2 v_{1.01,2} + a_3 v_{1.01,3} = -w_1 b\}$
  • node $1.0$: $V_{1.0} = (v_{1.000,1}, v_{1.001,1}, v_{1.001,2}, v_{1.01,1}, v_{1.01,2}, v_{1.01,3})$
    $E_{1.0} = \{v_{1.01,1} = v_{1.000,1},\ v_{1.01,2} = v_{1.001,1},\ v_{1.01,3} = v_{1.001,2},\ a_1 v_{1.01,1} + a_2 v_{1.01,2} + a_3 v_{1.01,3} = -w_1 b\}$

For the tree $\tilde F_2$:

  • node $2.000$: $V_{2.000} = (v_{2.000,1}, v_{2.000,2})$
    $E_{2.000} = \emptyset$
  • node $2.001$: $V_{2.001} = (v_{2.001,1})$
    $E_{2.001} = \emptyset$
  • node $2.00$: $V_{2.00} = V_{2.000} \circ V_{2.001} = (v_{2.000,1}, v_{2.000,2}, v_{2.001,1})$
    $E_{2.00} = E_{2.000} \cup E_{2.001} = \emptyset$
  • node $2.01$: $V_{2.01} = (v_{2.01,1}, v_{2.01,2}, v_{2.01,3})$
    $E_{2.01} = \{a_1 v_{2.01,1} + a_2 v_{2.01,2} + a_3 v_{2.01,3} = -w_2 b\}$
  • node $2.0$: $V_{2.0} = (v_{2.000,1}, v_{2.000,2}, v_{2.001,1}, v_{2.01,1}, v_{2.01,2}, v_{2.01,3})$
    $E_{2.0} = \{v_{2.01,1} = v_{2.000,1},\ v_{2.01,2} = v_{2.000,2},\ v_{2.01,3} = v_{2.001,1},\ a_1 v_{2.01,1} + a_2 v_{2.01,2} + a_3 v_{2.01,3} = -w_2 b\}$

Finally, merging $E_{1.0}$ and $E_{2.0}$ gives:
$E = \{v_{1.01,1} = v_{1.000,1},\ v_{1.01,2} = v_{1.001,1},\ v_{1.01,3} = v_{1.001,2},\ a_1 v_{1.01,1} + a_2 v_{1.01,2} + a_3 v_{1.01,3} = -w_1 b,\ v_{2.01,1} = v_{2.000,1},\ v_{2.01,2} = v_{2.000,2},\ v_{2.01,3} = v_{2.001,1},\ a_1 v_{2.01,1} + a_2 v_{2.01,2} + a_3 v_{2.01,3} = -w_2 b\}$
$V = V_{1.0} \circ V_{2.0} = (v_{1.000,1}, v_{1.001,1}, v_{1.001,2}, v_{1.01,1}, v_{1.01,2}, v_{1.01,3}, v_{2.000,1}, v_{2.000,2}, v_{2.001,1}, v_{2.01,1}, v_{2.01,2}, v_{2.01,3}) = (\bar v_1, \bar v_2, \bar v_3, \bar v_1, \bar v_2, \bar v_3, \bar v_4, \bar v_5, \bar v_6, \bar v_4, \bar v_5, \bar v_6)$, where the last form identifies variables through the equalities in $E$
$W = (w_1, w_2)$

1) The prover builds the proof as follows:

  • Choose $\bar W = (\bar w_1, \bar w_2) = (0, w)$ with $w \in_R \mathbb{Z}_q$ [i.e. $\alpha = 1$: the prover knows $(x_1, x_2, x_3)$ satisfying the first linear equation and simulates $\tilde F_2$].
  • Choose a random tuple $\bar V \in_R \mathbb{Z}_q^{12}$ satisfying $E|_{W = \bar W}$: pick $\bar v_1, \cdots, \bar v_6 \in \mathbb{Z}_q$ such that $a_1 \bar v_1 + a_2 \bar v_2 + a_3 \bar v_3 = 0 \pmod q$ and $a_1 \bar v_4 + a_2 \bar v_5 + a_3 \bar v_6 = -wb \pmod q$, and set $\bar V = (\bar v_1, \bar v_2, \bar v_3, \bar v_1, \bar v_2, \bar v_3, \bar v_4, \bar v_5, \bar v_6, \bar v_4, \bar v_5, \bar v_6)$.
  • Build the commitment, following the leaf order of each tree ($DL$ then $REP$ in $\tilde F_1$, $REP$ then $DL$ in $\tilde F_2$, so $\bar v_4, \bar v_5$ belong to $REP((g_1,g_2),y)$ and $\bar v_6$ to $DL(h,z)$): $T = T_{1.0} \circ T_{2.0} = (h^{\bar v_1},\ g_1^{\bar v_2} g_2^{\bar v_3},\ y^{w} g_1^{\bar v_4} g_2^{\bar v_5},\ z^{w} h^{\bar v_6})$
  • Compute the challenge: $C = (c_1, c_2) = (H(\tilde F, T) - w \pmod q,\ w)$
  • Compute the response: build the list $X = (x_1, x_2, x_3, x_1, x_2, x_3, 0, 0, 0, 0, 0, 0)$ [for $\alpha = 1$], and compute $R = (r_1, \cdots, r_{12})$ component-wise as $r = \bar v - c_1 x$ (all equations modulo $q$):
    $R = (\bar v_1 - c_1 x_1,\ \bar v_2 - c_1 x_2,\ \bar v_3 - c_1 x_3,\ \bar v_1 - c_1 x_1,\ \bar v_2 - c_1 x_2,\ \bar v_3 - c_1 x_3,\ \bar v_4,\ \bar v_5,\ \bar v_6,\ \bar v_4,\ \bar v_5,\ \bar v_6)$

The whole proof is $(C, R)$.

2) The verifier checks the proof $(C, R)$ as follows:

  • Reconstruct the commitment: $T' = T_{1.0}' \circ T_{2.0}' = (z^{c_1} h^{r_1},\ y^{c_1} g_1^{r_2} g_2^{r_3},\ y^{c_2} g_1^{r_7} g_2^{r_8},\ z^{c_2} h^{r_9})$
    (for an honest proof $z^{c_1} h^{r_1} = h^{c_1 x_1 + \bar v_1 - c_1 x_1} = h^{\bar v_1}$, and likewise for the other components, so $T' = T$)
  • Check the challenge and the equations of $E|_{W = C}$ (all modulo $q$): $c_1 + c_2 = H(\tilde F, T')$; $r_4 = r_1,\ r_5 = r_2,\ r_6 = r_3,\ a_1 r_4 + a_2 r_5 + a_3 r_6 = -c_1 b$; $r_{10} = r_7,\ r_{11} = r_8,\ r_{12} = r_9,\ a_1 r_{10} + a_2 r_{11} + a_3 r_{12} = -c_2 b$.

Note that the algorithm above is not optimized.
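The general construction of 3.2 and 3.3, run on the example of 3.4, as an added Python example (not code from the paper or the blog). It models each tree $\tilde F_i$ as an ordered list of $DL$/$REP$ leaves ($DL$ being $REP$ with a single base) followed by one $LE$ leaf over the concatenation of the leaf secrets, and enforces the equality equations that the $\cap$ node adds ($v_{i.01,j} = v_{i.00\cdots,j}$) by reusing the same variables rather than copying them. $H(\tilde F, T)$ is realised as SHA-256 over `repr(forest)` and the commitments, reduced mod $q$; the group $(p, q, g) = (2039, 1019, 4)$ is a toy safe-prime group. Both the hash encoding and the group are this example's own assumptions.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1 with a generator of order q (assumption: for
# illustration only; real parameters are far larger).
P, Q, G = 2039, 1019, 4


def H(*items):
    data = b"|".join(str(i).encode() for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


# A forest is a list of trees; a tree is {"leaves": [(bases, y), ...], "le": (a, b)}.
# Leaf (bases, y) means REP(bases, y): the prover knows (x_1..x_k) with y = prod g_j^x_j.
# The LE leaf a . (all leaf secrets, in leaf order) = b (mod q) closes the tree.
def _rand_le_solution(a, rhs):
    """Random (u_1..u_k) in Z_q with sum a_j u_j = rhs (mod q); needs a[-1] != 0 mod q."""
    u = [secrets.randbelow(Q) for _ in a[:-1]]
    last = (rhs - sum(aj * uj for aj, uj in zip(a[:-1], u))) * pow(a[-1], -1, Q) % Q
    return u + [last]


def prove(forest, alpha, witness):
    """witness: the secrets of tree alpha, one tuple per leaf, in leaf order."""
    m = len(forest)
    # (a) w_bar_alpha = 0 for the tree we can prove, random for the trees we simulate.
    w_bar = [0 if i == alpha else secrets.randbelow(Q) for i in range(m)]
    # (b) V_bar satisfying E|_{W = W_bar}: per tree, a . v_bar = -w_bar_i b (mod q).
    # (c) Commitments T_n = y^{w_bar_i} prod g_j^{v_bar_{n,j}} for every DL/REP leaf.
    v_bar, T = [], []
    for i, tree in enumerate(forest):
        a, b = tree["le"]
        flat = _rand_le_solution(a, (-w_bar[i] * b) % Q)
        v_bar.append(flat)
        pos = 0
        for bases, y in tree["leaves"]:
            t = pow(y, w_bar[i], P)
            for g in bases:
                t = t * pow(g, flat[pos], P) % P
                pos += 1
            T.append(t)
    # Challenge: c_alpha absorbs the hash, every other c_i is the pre-chosen w_bar_i.
    c = list(w_bar)
    c[alpha] = (H(repr(forest), *T) - sum(w_bar)) % Q
    # Response r_{n,j} = v_bar_{n,j} - c_alpha x_{n,j}; X is the witness in tree
    # alpha and 0 everywhere else, so simulated trees just return v_bar.
    R = []
    for i in range(m):
        x_flat = [x for leaf in witness for x in leaf] if i == alpha else [0] * len(v_bar[i])
        R.append([(vb - c[alpha] * x) % Q for vb, x in zip(v_bar[i], x_flat)])
    return c, R


def verify(forest, proof):
    c, R = proof
    if len(c) != len(forest) or len(R) != len(forest):
        return False
    T_prime = []
    for i, tree in enumerate(forest):
        a, b = tree["le"]
        r = R[i]
        if len(r) != len(a):
            return False
        pos = 0
        for bases, y in tree["leaves"]:          # T'_n = y^{c_i} prod g_j^{r_{n,j}}
            t = pow(y, c[i], P)
            for g in bases:
                t = t * pow(g, r[pos], P) % P
                pos += 1
            T_prime.append(t)
        if pos != len(r):
            return False
        # E|_{W = C}: the LE leaf of tree i must hold with w_i = c_i.
        if sum(aj * rj for aj, rj in zip(a, r)) % Q != (-c[i] * b) % Q:
            return False
    return H(repr(forest), *T_prime) == sum(c) % Q


def example():
    """Section 3.4: LE satisfied by the first disjunct, then by the second, then tampering."""
    h, g1, g2 = G, pow(G, 5, P), pow(G, 11, P)   # bases of order q (toy choice)
    x1, x2, x3 = 12, 34, 56
    z = pow(h, x1, P)
    y = pow(g1, x2, P) * pow(g2, x3, P) % P
    a = (3, 5, 7)

    def forest_for(b):
        return [
            {"leaves": [((h,), z), ((g1, g2), y)], "le": (a, b)},  # F~_1 = (DL x REP) n LE
            {"leaves": [((g1, g2), y), ((h,), z)], "le": (a, b)},  # F~_2 = (REP x DL) n LE
        ]

    f1 = forest_for((a[0] * x1 + a[1] * x2 + a[2] * x3) % Q)   # tree 1 applies (alpha = 0)
    proof1 = prove(f1, 0, [(x1,), (x2, x3)])
    f2 = forest_for((a[0] * x2 + a[1] * x3 + a[2] * x1) % Q)   # only tree 2 applies
    proof2 = prove(f2, 1, [(x2, x3), (x1,)])
    # Edit one response of the simulated tree in proof1: its LE equation then fails
    # (a_3 = 7 != 0 mod q), so the verifier rejects regardless of the hash check.
    c, R = proof1
    R_bad = [list(R[0]), [R[1][0], R[1][1], (R[1][2] + 1) % Q]]
    return {"first_disjunct": verify(f1, proof1),
            "second_disjunct": verify(f2, proof2),
            "tampered": verify(f1, (c, R_bad))}
```

Running `example()` exercises the two cases the OR in $F$ allows: the same witness $(x_1, x_2, x_3)$ is fed to tree 1 or tree 2 depending on which linear equation $b$ satisfies, and the verifier's code path is identical in both cases, which is the zero-knowledge property the paper argues for in the OR discussion above.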

References:
[1] Monotone Boolean function
[2] Blog 基于Sigma protocol实现的零知识证明protocol集锦


Reposted from blog.csdn.net/mutourend/article/details/106467642