This post formally describes how Bob verifies that the value $E(P(s))$ sent by Alice is correct. In fact, we want to achieve two goals:
Achieving the second goal requires the concepts of α-pairs and KCA introduced in the previous post.
The KCA in the previous post used only a single α-pair. We can extend it so that Bob sends Alice multiple α-pairs (all using the same α):
$$(a_1,b_1),(a_2,b_2),\ldots,(a_d,b_d)$$
Alice must reply with an α-pair. Using the method introduced earlier, she can pick one pair $(a_i,b_i)$ at random from those above and multiply both elements by the same coefficient: $(a',b') = (c \cdot a_i, c \cdot b_i)$. Is there any other way to generate a new α-pair? Yes: we can generate one by "linear combination".
For example, pick two random coefficients $c_1,c_2$ and form the new α-pair $(a',b') = (c_1 \cdot a_1 + c_2 \cdot a_2, c_1 \cdot b_1 + c_2 \cdot b_2)$.
Let us prove it:
$$b' = c_1 \cdot b_1 + c_2 \cdot b_2 = c_1 \cdot \alpha \cdot a_1 + c_2 \cdot \alpha \cdot a_2 = \alpha \cdot (c_1 \cdot a_1 + c_2 \cdot a_2) = \alpha \cdot a'$$
So it is indeed an α-pair. Using summation notation, the general form of the new α-pair is:
$$(a',b') = \left(\Sigma^d_{i=1}c_ia_i, \Sigma^d_{i=1}c_ib_i\right)$$
The analysis above leads to the "d-th order Knowledge of Coefficient Assumption", d-KCA for short:
Let G be a finite cyclic group and g one of its generators. Bob chooses an α and an s, then sends the following α-pairs to Alice:
$$(g,\alpha \cdot g), (s \cdot g, \alpha s \cdot g), \ldots, (s^d \cdot g, \alpha s^d \cdot g)$$
If Alice successfully replies with a new α-pair, then Alice must hold a set of coefficients $c_0,c_1,\ldots,c_d$ such that $a'=\Sigma^d_{i=1}c_is^i$.
Note that the α-pairs Bob sends are not arbitrary: they correspond to the individual terms of a degree-d polynomial.
With the guarantee of d-KCA, we can now verify the blind evaluation result that Alice provides:
Let G be a finite cyclic group and g one of its generators.
Choose the homomorphic hiding function $E(x) = x \cdot g$.
Bob randomly chooses an α and an s, and sends the resulting α-pairs to Alice:
$$(a_0,b_0) = (E(1),\alpha \cdot E(1))$$
$$(a_1,b_1) = (E(s), \alpha \cdot E(s))$$
$$\ldots$$
$$(a_d,b_d) = (E(s^d), \alpha \cdot E(s^d))$$
The secret Alice needs to keep is the set of coefficients of $P(X)$: $P(X) = c_0 + c_1 \cdot X + \ldots + c_d \cdot X^d$
Alice computes the new α-pair:
$$a' = P(s) \cdot g = c_0 \cdot g + c_1 \cdot s \cdot g + \ldots + c_d \cdot s^d \cdot g = c_0 \cdot a_0 + c_1 \cdot a_1 + \ldots + c_d \cdot a_d = \Sigma^d_{i=0}c_i \cdot a_i$$
$$b' = \alpha \cdot a' = \Sigma^d_{i=0}c_i \cdot \alpha \cdot a_i = \Sigma^d_{i=0}c_i \cdot b_i$$
She then sends $(a',b')$ to Bob.
Bob checks whether $(a',b')$ is an α-pair, and accepts the reply if it is.
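After this process, Bob can be sure that Alice really knows this set of coefficients (by d-KCA). We therefore revise the figure from the previous post, merging the two secrets Alice knows into one, to obtain the figure below:
The end result: without Bob learning the coefficients of P(X), and without Alice learning α or s, Bob has confirmed that Alice really knows this set of polynomial coefficients.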
Let us close this post with a simple worked example. Assume $g=3, d=2$:
Bob randomly chooses $s=2, \alpha=4$, then sends three α-pairs to Alice:
$$(a_0,b_0) = (E(1), \alpha \cdot E(1)) = (3, 4 \cdot 3|_{\text{mod } 7}) = (3, 5)$$
$$(a_1,b_1) = (E(s), \alpha \cdot E(s)) = (2 \cdot 3|_{\text{mod } 7}, 4 \cdot 2 \cdot 3|_{\text{mod } 7}) = (6, 3)$$
$$(a_2,b_2) = (E(s^2), \alpha \cdot E(s^2)) = (2^2 \cdot 3|_{\text{mod } 7}, 3 \cdot 2^2 \cdot 4|_{\text{mod } 7}) = (5, 6)$$
Suppose the polynomial Alice holds is $P(X) = 1 + 2 \cdot X + 3 \cdot X^2$. After receiving Bob's α-pairs, she computes the new α-pair:
$$a' = \Sigma^2_{i=0}c_i \cdot a_i = 1 \cdot a_0 + 2 \cdot a_1 + 3 \cdot a_2 = 1 \cdot 3 + 2 \cdot 6 + 3 \cdot 5|_{\text{mod } 7} = 30|_{\text{mod } 7} = 2$$
$$b' = \Sigma^2_{i=0}c_i \cdot b_i = 1 \cdot b_0 + 2 \cdot b_1 + 3 \cdot b_2 = 1 \cdot 5 + 2 \cdot 3 + 3 \cdot 6|_{\text{mod } 7} = 29|_{\text{mod } 7} = 1$$
She then sends $(a',b') = (2,1)$ to Bob.
After receiving Alice's reply, Bob checks whether it is an α-pair:
$$\alpha \cdot a' = 4 \cdot 2|_{\text{mod } 7} = 8|_{\text{mod } 7} = 1 = b'$$
Verification succeeds! At this point, Bob is convinced that Alice really knows this set of coefficients of P(X).
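The worked example above as a runnable sketch (an added example, not code from the original post). The function names are hypothetical, and the additive group Z_7 with g=3 is taken from the article's numbers; it hides nothing and serves only to show the algebra, including a tampered reply that Bob rejects.

```python
# Added illustration: verifiable blind evaluation in the toy additive group
# Z_7 used by the article's example. This group provides no real hiding
# (x can be recovered from x*g by a modular inverse); it only shows the algebra.

Q = 7   # group order, from the article's "mod 7"
G = 3   # generator g, from the article's example


def E(x, q=Q, g=G):
    """Homomorphic hiding E(x) = x * g in the additive group Z_q."""
    return (x * g) % q


def bob_setup(s, alpha, d, q=Q, g=G):
    """Bob: build the alpha-pairs (E(s^i), alpha * E(s^i)) for i = 0..d."""
    hidden = [E(pow(s, i, q), q, g) for i in range(d + 1)]
    return [(a_i, (alpha * a_i) % q) for a_i in hidden]


def alice_respond(coeffs, pairs, q=Q):
    """Alice: linearly combine the pairs with her secret coefficients c_i."""
    if len(coeffs) > len(pairs):
        raise ValueError("polynomial degree exceeds d")
    a = sum(c * a_i for c, (a_i, _) in zip(coeffs, pairs)) % q
    b = sum(c * b_i for c, (_, b_i) in zip(coeffs, pairs)) % q
    return a, b


def bob_verify(alpha, response, q=Q):
    """Bob: accept only if (a', b') is an alpha-pair, i.e. b' = alpha * a'."""
    a, b = response
    return (alpha * a) % q == b


if __name__ == "__main__":
    s, alpha, d = 2, 4, 2                    # Bob's secrets from the article
    pairs = bob_setup(s, alpha, d)
    print("alpha-pairs:", pairs)
    reply = alice_respond([1, 2, 3], pairs)  # P(X) = 1 + 2X + 3X^2
    print("honest reply:", reply, "accepted:", bob_verify(alpha, reply))
    # Shifting a' without the matching change to b' breaks the alpha relation.
    tampered = ((reply[0] + E(1)) % Q, reply[1])
    print("tampered reply:", tampered, "accepted:", bob_verify(alpha, tampered))
```
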
For more articles, follow the "鑫鑫点灯" column: https://blog.csdn.net/turkeycock