52 Things: Number 46: What do correctness, soundness and zero-knowledge mean in the context of a Sigma protocol?
This is the latest in a series of blog posts to address the list of "52 Things Every PhD Student Should Know" to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This week we enter the final stage, introducing Sigma protocols as the first "advanced protocol". Thanks to David Bernhard for his help in writing this blog post.
Sigma protocols
Sigma protocols are protocols for Alice to prove something to Bob (that she knows some secret). They have the following general form: Alice knows a secret; Alice and Bob both share some common information. Then:
- Alice sends a value to Bob, known as a commitment.
- Bob picks a challenge uniformly at random and sends it to Alice.
- Alice computes a response and sends it to Bob.
- Bob checks the response and accepts or rejects Alice's claim.
Legend has it that if you draw a diagram of this in a certain way, it looks like the Greek capital letter Sigma, hence the name Sigma protocol.
In cryptography, the properties we expect a Sigma protocol to support are:
- Correctness: If everyone does what they are supposed to, then Bob accepts.
- Soundness: If Alice lies, then Bob can tell (she can't trick him into accepting something false).
- Zero-knowledge: If Alice tells the truth, Bob can't learn what her secret input was.
A more formal treatment
Having provided a rough overview, we now provide a more formal treatment, based on David's PhD thesis "Zero-Knowledge Proofs in Theory and Practice".
Defining a Sigma Protocol
Let k be a field. We're interested in linear functions f:W→X from one k-vector space to another, where Alice and Bob both know some public x∈X and Alice also knows a secret preimage w∈W such that f(w)=x. Alice wants to prove to Bob that she knows a preimage of x.
Quite a lot of cryptography is done over elliptic curves nowadays. An elliptic curve is a group of points of the form P=(x,y) and a special point "at infinity" that is an honorary member of the curve. These points satisfy some equations and most importantly, one can add two points on the curve to get another and this addition makes the curve into a group. One often starts with a large prime p, works over the base field k=Fp and considers points P in Ep=E∩Fp×Fp.
Many elliptic curve protocols start out by generating keypairs using point multiplication: everyone agrees on a common, public base point P. Then one can pick a secret key x∈Fp and compute the related public key Y=x⋅P. If Alice wants to register her public key somewhere, it is good for security if the registrar asks her to prove that she knows the associated secret key, or else she could register someone else's key as her own. But of course Alice should not reveal her secret key to the registrar. She could, for example, use a Sigma protocol to prove that she knows the secret key that she claims to know, without revealing it.
If one takes W=Fp as a k-vector space and X=Ep then point multiplication by a fixed base point, specifically f:W→X, w↦w⋅P, is a linear function. The same can be said for "matrix product" functions. Suppose that Alice has a secret key x and a public key Y=x⋅P, and someone sends her an ElGamal ciphertext (C,D) under her key. She wants to decrypt this and prove that she has decrypted it correctly; one way to do this is to compute a decryption share S=x⋅C. The decryption is then D−S, which anyone can compute from (C,D) and S. So Alice wants to show that she knows an x satisfying the two equations Y=x⋅P and S=x⋅C, so we set W=k, X=Ep×Ep and f(x)=(x⋅P,x⋅C), which is a linear function f:W→X.
The Sigma protocol for f:W→X is the following construction. Alice knows (x,w)∈X×W with f(w)=x and Bob knows x.
1. Alice picks r∈W at random, sets A=f(r) and sends A to Bob. This is the commitment (Alice is committing to r).
2. Bob picks c∈k at random and sends it to Alice. This is the challenge.
3. Alice computes the response s=r+c⋅w in W (the product is scalar multiplication in W) and sends s to Bob.
4. Bob accepts if f(s)=A+c⋅x in X.
Let's look at the three security properties for Sigma protocols in more detail:
Correctness
In just about any protocol (cryptographic or otherwise), correctness means that if everyone follows the protocol then it does what it should. In the context of Sigma protocols, this means that if Alice and Bob do as told then Bob accepts; this is true because f is linear.
Soundness
Soundness means that Alice cannot prove a false statement. This trips up a lot of people because the first protocol they see is Schnorr's protocol for proving that Y=x⋅P, so Alice is proving that such an x exists. But that is obvious! (Alice is also proving that she knows x, which is more interesting, but that's another property.) But let's look at the other example, Alice proving that S is a correct decryption share for C under public key Y. Here, Alice is proving that an x exists such that Y=x⋅P and S=x⋅C, which is not true for all tuples (P,C,Y,S). What's actually going on is that the image of f is a one-dimensional subspace of the two-dimensional k-vector space X. In our formalism, soundness means that Bob does not accept (except with perhaps negligible probability) unless x is in the image of f (that is, a preimage w exists such that x=f(w)).
Sigma protocols are sound. Actually, they are even more than that: they have a property called special soundness. Informally, consider the point in time when Alice has just sent her commitment A to Bob. For which values of c can Alice possibly find a response s that Bob will accept? If there is at most one such value then Alice gets Bob to accept overall with probability at most 1/|k|. Usually, |k| is exponentially large (it's the prime p that we started with) so 1/|k| is negligibly small. Special soundness says that if Alice can convince Bob for even only two out of the |k| possible challenges, then a preimage w must exist. Suppose that on challenge c Alice would reply s and on challenge c′≠c Alice would reply s′, and Bob would accept both of these. Then set d=(c−c′)⁻¹, which we can do as k is a field and c≠c′, and a bit of linear algebra shows that w=d⋅(s−s′), where the product is again W-scalar multiplication, satisfies the equation x=f(w).
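The two pieces of algebra the text leaves implicit, written out as an added derivation (not in the original post) in the symbols of the protocol definition: the correctness check follows from linearity of f, and the special-soundness extraction is the same equation applied to two accepting transcripts that share the commitment A.

$$
\begin{aligned}
\text{Correctness: } & f(s) = f(r + c\cdot w) = f(r) + c\cdot f(w) = A + c\cdot x. \\
\text{Special soundness: } & f(s) = A + c\cdot x,\qquad f(s') = A + c'\cdot x \\
& \Rightarrow\ f(s - s') = f(s) - f(s') = (c - c')\cdot x \\
& \Rightarrow\ x = d\cdot f(s - s') = f\big(d\cdot(s - s')\big) = f(w), \qquad d = (c - c')^{-1},\ w = d\cdot(s - s').
\end{aligned}
$$

The last line is where the field structure of k is used: d exists only because c − c′ is a non-zero field element, and the extracted w is a genuine preimage of x regardless of how Alice computed her two responses.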
Zero-Knowledge
Bob is happy because the protocol is sound. Alice still needs to know that Bob can't learn w from the Sigma protocol. Actually, Alice probably wants even more than that: after running the protocol with Bob, Bob should not be able to prove to Charlie that he knows Alice's secret w either. Zero-knowledge says even more than that, Bob does not learn anything from the protocol except that Alice knows w (and therefore, that w exists and x is in the image of f).
The proof that Sigma protocols are zero-knowledge ... does not exist! Contrary to what one might guess after learning about Sigma protocols in the textbook chapter on zero-knowledge, Sigma protocols in general are not zero-knowledge, which beginning students of cryptography would do well to remember for their exams. (They meet a weaker requirement called honest-verifier zero-knowledge.)
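The whole construction in running code, as an added example that is not code from the original post or from David's thesis: the Sigma protocol for f(w)=(w⋅P, w⋅C) instantiated on the standard curve secp256k1 (the curve equation, prime, group order and base point are its public parameters; the secret key, the ciphertext component C and all transcript values are constructed here), together with the special-soundness extractor from the Soundness section and the honest-verifier simulator whose existence is what "honest-verifier zero-knowledge" means. With bases=(P,) the same code is Schnorr's protocol. Function names are this example's own.

```python
# Added example, not code from the original post: the post's Sigma protocol for
# the linear map f(w) = (w*P, w*C) instantiated on secp256k1 (standard public
# parameters), plus the special-soundness extractor and the honest-verifier
# simulator. All sample values below are constructed for the demonstration.
import secrets

# secp256k1: y^2 = x^3 + 7 over F_p; base point G has prime order n.
# The scalar field k of the post is F_n here (scalars reduced mod the order of G).
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the group identity

def ec_add(Q1, Q2):
    # Group law in affine coordinates; INF is the identity.
    if Q1 is INF:
        return Q2
    if Q2 is INF:
        return Q1
    x1, y1 = Q1
    x2, y2 = Q2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # Q2 = -Q1
    if Q1 == Q2:  # doubling uses the tangent slope
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:         # addition uses the chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, Q):
    # Double-and-add scalar multiplication k*Q, k reduced mod n.
    R, k = INF, k % N_ORD
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R

# X = E_p x ... x E_p with one component per base point, f(w) = (w*B1, w*B2, ...).
# bases = (P,) gives Schnorr's protocol; bases = (P, C) proves the ElGamal
# decryption share S = x*C is consistent with the public key Y = x*P.
def f_linear(w, bases):
    return tuple(ec_mul(w, B) for B in bases)

def x_add(X1, X2):
    return tuple(ec_add(a, b) for a, b in zip(X1, X2))

def x_scale(c, X1):
    return tuple(ec_mul(c, Q) for Q in X1)

def prover_commit(bases):
    # Step 1: Alice picks r at random and sends the commitment A = f(r).
    r = secrets.randbelow(N_ORD)
    return r, f_linear(r, bases)

def verifier_challenge():
    # Step 2: Bob picks the challenge c uniformly from k.
    return secrets.randbelow(N_ORD)

def prover_respond(r, c, w):
    # Step 3: Alice answers s = r + c*w in W.
    return (r + c * w) % N_ORD

def verifier_check(bases, x, A, c, s):
    # Step 4: Bob accepts iff f(s) = A + c*x in X.
    return f_linear(s, bases) == x_add(A, x_scale(c, x))

def run_protocol(bases, x, w):
    # One honest interactive run; returns Bob's decision.
    r, A = prover_commit(bases)
    c = verifier_challenge()
    return verifier_check(bases, x, A, c, prover_respond(r, c, w))

def extract_witness(c1, s1, c2, s2):
    # Special soundness: two accepting transcripts sharing a commitment with
    # challenges c1 != c2 yield the preimage w = (c1 - c2)^-1 * (s1 - s2).
    return pow((c1 - c2) % N_ORD, -1, N_ORD) * (s1 - s2) % N_ORD

def simulate(bases, x):
    # Honest-verifier simulator: pick c and s first, then solve the check
    # for A = f(s) - c*x. No witness is used, so an honest Bob's view of an
    # accepting transcript carries no information about w.
    c, s = secrets.randbelow(N_ORD), secrets.randbelow(N_ORD)
    return x_add(f_linear(s, bases), x_scale(-c, x)), c, s

if __name__ == "__main__":
    C = ec_mul(424242, G)      # constructed ElGamal ciphertext component C
    w = 123456789              # constructed secret key (the post's x)
    x = f_linear(w, (G, C))    # public statement (Y, S)
    print("honest run accepted:", run_protocol((G, C), x, w))
    A, c, s = simulate((G, C), x)
    print("simulated transcript accepted:", verifier_check((G, C), x, A, c, s))
```

Two things worth noticing when running it. A statement outside the image of f, such as (Y, S′) with S′≠x⋅C, is rejected unless Bob happens to pick c=0, which is the 1/|k| bound from the Soundness section. And the simulator produces accepting transcripts with the same distribution as real ones without ever touching w, but only because it chooses c before A; a verifier who picks c after seeing A cannot be handled this way, which is precisely why the guarantee is honest-verifier zero-knowledge and not zero-knowledge.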
Discussing Sigma protocols in the context of zero-knowledge isn't completely arbitrary though: one can make them zero-knowledge in several ways, the most practical of which is making them non-interactive. But that's next week's topic...