深度优先(2): Exploring zk-SNARKs [currently ongoing]

• 上一篇：深度优先（1）Exploring Elliptic Curve Cryptography

deep into ...

两个关键机构

• 美国国家安全局: National Security Agency(NSA)
  • 例如，Digital Signature Algorithm (DSA)就是由NSA发布的Digital Signature Standard(DSS) 规范
• 美国国家标准技术研究所: National Institute of Standards and Technology(NIST)
  • 例如，NIST多次组织密码哈希函数竞赛，选举最新的安全的哈希函数。
    • NIST hash function competition
  • NIST Reveals 26 Algorithms Advancing to the Post-Quantum Crypto ‘Semifinals’

密码学上的哈希函数

加密哈希函数，它需要尽量满足三个安全性质：

1. 原像防御(Pre-Image resistance)：就是任意给一个hash值h，你很难破解出它的原像m，使得hash(m)=h，这个难度一般是NP难度的，也就是所谓的单向函数。
2. 弱碰撞防御(Second pre-image resistance)：就是给定一个m1，你很难找到另一个m2，使得h(m1)=h(m2)。
3. 强碰撞防御(Collision resistance)：就是你很难找到两个不同的m1和m2，使得h(m1)=h(m2)。

如果符合强碰撞防御，也就是会符合弱碰撞防御，但是不一定符合原像防御。如果只满足前2个，在密码学上是不安全的，一般加密哈希函数应该满足1，2，3。例如SHA-1因为已经在2005年可以被暴力找出碰撞，就不满足性质3，从而已经不再推荐使用了，现在常用的SHA-256,SHA-512都是属于SHA-2这个大类的，最新的则是SHA-3系列。MD5也已经在2004年就不满足强碰撞防御了，也不推荐作为密码哈希函数来用了。

加密哈希函数的使用场景，典型的有在SSL(Secure Sockets Layer)和数字签名(Digital Signature)上使用。需要说明的是非加密哈希函数不需要满足上述三个性质，比如在散列表里面，哈希函数只要尽量满足均匀分布，周期尽量大，计算速度又足够快等即可。

• cryptographic hash function
  • 1991: MD5
    • MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4, and was specified in 1992 as RFC 1321.
  • 1993: SHA-1
    • SHA = Secure Hash Algorithm.
    • SHA-1 was developed as part of the U.S. Government's Capstone project. 1993.
  • 1996: RIPEMD-160
    • RIPEMD (RACE Integrity Primitives Evaluation Message Digest) is a family of cryptographic hash functions developed in Leuven, Belgium, by Hans Dobbertin, Antoon Bosselaers and Bart Preneel at the COSIC research group at the Katholieke Universiteit Leuven, and first published in 1996.
  • 2000: Whirlpool
    • It was designed by Vincent Rijmen and Paulo S. L. M. Barreto, who first described it in 2000.
  • 2001: SHA-2
    • designed by the United States National Security Agency (NSA), first published in 2001.
    • SHA-256/SHA-512
  • 2012: BLAKE2
    • An improved version of BLAKE called BLAKE2 was announced in December 21, 2012. It was created by Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, and Christian Winnerlein with the goal to replace widely used, but broken MD5 and SHA-1 algorithms.
  • 2015: SHA-3
    • was released by NIST on August 5, 2015.
    • SHA3-256/SHA3-512
• security level of a cryptographic hash function
  • Pre-image resistance
  • Second pre-image resistance
  • Collision resistance

密码学的预言机(oracle)模型

• wiki:Standard model

  • idealised cryptographic model
  • the adversary is only limited by the amount of time and computational power available.
  • Cryptographic schemes are usually based on complexity assumptions, which state that some problems, such as factorization, cannot be solved in polynomial time.
    • Provable security
  • Schemes which can be proven secure using only complexity assumptions are said to be secure in the standard model. Security proofs are notoriously difficult to achieve in the standard model, so in many proofs, cryptographic primitives are replaced by idealized versions.
  • Computational hardness assumption

• wiki:random oracle model(ROM)

  • replacing a cryptographic hash function with a genuinely random function.
  • responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repeated it responds the same way every time that query is submitted.
  • Bellare, Mihir; Rogaway, Phillip (1993)
    • Random oracles are practical: A paradigm for designing efficient protocols
  • wiki:common reference string model(CRS)
    • What is the CRS and what is the difference to the ROM?
    • The primary difference between the two models is the amount of randomness that is produced.
    • The string d has to be polynomial in length, as opposed to a random oracle which can be thought of as an exponential length CRS.

• wiki:generic group model(GGM)

  • the adversary is only given access to a randomly chosen encoding of a group, instead of efficient encodings, such as those used by the finite field or elliptic curve groups used in practice.

• Public key infrastructure(PKI)

  • invoke trusted third parties to perform some task without cheating;
  • Certificate authority
    • Public key certificate
      • X.509

• Robustness principles for public key protocols

密码学的攻击模型

• Adversary
  • Alice and Bob
• Man-in-the-middle attack
• Sybil attack
• attacks for cryptographic hash function
  • Preimage attack
    • break the Preimage resistance
    • break the Second-preimage resistance
  • Collision_attack
    • Birthday attack
• Dictionary attack
• Rainbow table

交互式证明

• wiki:Interactive proof system
  • Completeness
  • Soundness

零知识证明

• wiki:Zero-knowledge proof
  • Completeness
  • Soundness
  • Zero knowledge
• wiki:Commitment scheme
• Shafi Goldwasser, Silvio Micali, and Charles Rackoff
  • a common reference string shared between the prover and the verifier is enough to achieve computational zero-knowledge without requiring interaction.
  • The knowledge complexity of interactive proof systems
• Zero knwoledge proofs illustrated (1)
  • using a timemachine simulator to proof the Zero knowledge
• Zero knwoledge proofs illustrated (2)
  • using another extractor simulator to proof the Soundness

非交互式零知识证明

• Blum, Feldman, and Micali
  • Non-Interactive Zero-Knowledge and Its Applications
• Fiat–Shamir heuristic
• wiki:Non-interactive zero-knowledge proof
  • In the common reference string model non-interactive zero-knowledge protocols do not preserve all of the properties of interactive zero-knowledge protocols; e.g., they do not preserve deniability.
  • Non-interactive zero-knowledge proofs can also be obtained in the random oracle model using the Fiat–Shamir heuristic.
  • Feige, Lapidot, and Shamir introduced multi-theorem zero-knowledge proofs as a more versatile notion for non-interactive zero knowledge proofs.
    • Completeness
    • Soundness
    • Multi-theorem zero-knowledge
• RFC 8235 Schnorr Non-interactive Zero-Knowledge Proof
• Non-Interactive Zero-Knowledge (NIZK) and the Hidden-Bit Model

ZKP as a Signature Algorithm

• EdDSA

zk-SNARKs

• Quadratic Arithmetic Programs: from Zero to Hero
• Exploring Elliptic Curve Pairings
  • Bilinear Pairings in Cryptography
  • Elliptic CurvesNumber Theory and Cryptography
  • Miller’s Algorithm
• Zk-SNARKs: Under the Hood
  • zksnarks-in-a-nutshell
    • A Quadratic Span Program consists of a set of polynomials and the task is to find a linear combination of those that is a multiple of another given polynomial.

代码

• libsnark
• a simple SNARK application

密码学界/群组

• CMU Cryptography Group
  • 15503: Introduction to Cryptography
  • Special Topics in Cryptography: Introduction to Cryptography
• crypto.stackexchange