Notes on the 1997 paper by Jan Camenisch and Markus Stadler, "Proof Systems for General Statements about Discrete Logarithms".
1. Background
Definition of a monotone Boolean function:
Concatenation of tuples:
Modified Cartesian product:
Knowledge specification set:
2. Some examples
2.1 Proving knowledge of a discrete logarithm $y = g^x$ (a Schnorr signature on the message $(g, y)$)
Similar to Section 1.2 of the blog post 基于Sigma protocol实现的零知识证明protocol集锦:
Witness: $x$
Instance: $y$ and $g$
Relation: $y = g^x$
The concrete implementation is:
- 1) Prover: the Prover picks a random $v \in_R \mathbb{Z}_q$ and forms the commitment $t = g^v$; it feeds $g, y, t$ into the hash function to obtain the challenge $c = \mathrm{Hash}(g, y, t)$; it computes the response $r = v - c \cdot x \pmod q$. The Prover sends $(c, r)$ to the Verifier.
- 2) Verifier: from the received $(c, r)$, assuming $g^r = y^{-c} \cdot t'$ holds, the Verifier computes $t' = g^r \cdot y^c$, feeds $g, y, t'$ into the same hash function to obtain $c' = \mathrm{Hash}(g, y, t')$, and checks that $c = c'$.
2.2 Proving knowledge of two discrete logarithms that satisfy a linear equation
Witness: $x_1, x_2$
Instance: $g_1, y_1, g_2, y_2, a_1, a_2, b$
Relation: $y_1 = g_1^{x_1} \ \wedge\ y_2 = g_2^{x_2} \ \wedge\ a_1 x_1 + a_2 x_2 = b \pmod q$
Expressed as a knowledge specification set, the relation is: $K = (DL(g_1, y_1) \otimes DL(g_2, y_2)) \cap LE((a_1, a_2), b)$
The concrete implementation is:
- 1) Prover: the Prover picks random $v_1$ and $v_2$ satisfying $a_1 v_1 + a_2 v_2 = 0 \pmod q$ [formally, $(v_1, v_2) \in_R \{(u_1, u_2) \in \mathbb{Z}_q^2 \mid a_1 u_1 + a_2 u_2 = 0 \pmod q\}$] and forms the commitments $t_1 = g_1^{v_1}, t_2 = g_2^{v_2}$; it feeds $g_1, y_1, g_2, y_2, a_1, a_2, b, t_1, t_2$ into the hash function to obtain the challenge $c = \mathrm{Hash}(g_1, y_1, g_2, y_2, a_1, a_2, b, t_1, t_2)$; it computes the responses $r_1 = v_1 - c \cdot x_1 \pmod q$ and $r_2 = v_2 - c \cdot x_2 \pmod q$. The Prover sends $(c, r_1, r_2)$ to the Verifier.
- 2) Verifier: from the received $(c, r_1, r_2)$, assuming $g^r = y^{-c} \cdot t'$ holds, the Verifier computes $t_1' = g_1^{r_1} \cdot y_1^{c}$ and $t_2' = g_2^{r_2} \cdot y_2^{c}$, feeds $g_1, y_1, g_2, y_2, a_1, a_2, b, t_1', t_2'$ into the same hash function to obtain $c' = \mathrm{Hash}(g_1, y_1, g_2, y_2, a_1, a_2, b, t_1', t_2') \pmod q$, and checks that $c = c'$ and that $a_1 r_1 + a_2 r_2 = -cb \pmod q$.
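The protocol of 2.2 as a runnable Python example; this is added here and is not code from the paper or the blog post. It assumes a constructed toy group (safe prime $p = 2039$, subgroup order $q = 1019$) and SHA-256 reduced mod $q$ as the Fiat-Shamir hash; all function and parameter names are my own.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): p = 2q + 1 is a safe prime and
# 4 = 2^2 is a quadratic residue, so G1 and G2 generate the order-q subgroup.
# A real deployment would use a 256-bit q or an elliptic-curve group.
P, Q = 2039, 1019
G1, G2 = 4, pow(4, 5, P)

def hash_to_zq(*values):
    """Fiat-Shamir challenge: SHA-256 over the transcript, reduced mod q."""
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(x1, x2, a1, a2, b):
    """Prove knowledge of (x1, x2) with y1 = g1^x1, y2 = g2^x2 and a1*x1 + a2*x2 = b (mod q)."""
    y1, y2 = pow(G1, x1, P), pow(G2, x2, P)
    # Commitment randomness must satisfy a1*v1 + a2*v2 = 0 (mod q); assumes a2 != 0.
    v1 = secrets.randbelow(Q)
    v2 = (-a1 * v1 * pow(a2, -1, Q)) % Q
    t1, t2 = pow(G1, v1, P), pow(G2, v2, P)
    c = hash_to_zq(G1, y1, G2, y2, a1, a2, b, t1, t2)
    r1, r2 = (v1 - c * x1) % Q, (v2 - c * x2) % Q
    return (y1, y2), (c, r1, r2)

def verify(instance, proof, a1, a2, b):
    """Return True only if both discrete-log proofs and the linear relation check out."""
    y1, y2 = instance
    c, r1, r2 = proof
    # Rebuild the commitments: t_i' = g_i^r_i * y_i^c equals t_i exactly when r_i = v_i - c*x_i.
    t1 = pow(G1, r1, P) * pow(y1, c, P) % P
    t2 = pow(G2, r2, P) * pow(y2, c, P) % P
    if c != hash_to_zq(G1, y1, G2, y2, a1, a2, b, t1, t2):
        return False
    # a1*r1 + a2*r2 = (a1*v1 + a2*v2) - c*(a1*x1 + a2*x2) = 0 - c*b (mod q)
    return (a1 * r1 + a2 * r2) % Q == (-c * b) % Q
```

A verifier that skips the final linear check accepts any pair of valid Schnorr proofs, so the $LE$ equation on the responses is what ties the two discrete logarithms together.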
2.3 OR proof
Similar to Section 2.3 of the blog post 基于Sigma protocol实现的零知识证明protocol集锦:
Witness: $x_1$ OR $x_2$
Instance: $g_1, y_1, g_2, y_2$
Relation: $y_1 = g_1^{x_1}$ OR $y_2 = g_2^{x_2}$
Suppose the Prover knows $x_1$ (statement <1>) but does not know $x_2$ (statement <2>).
The detailed implementation is:
1) Prover:
- pick a random $v_1$ for proving <1> and build the first commitment $t_1 = g_1^{v_1}$;
- pick a challenge $c_2$ and a random response $r_2$ for <2> (since the Prover does not know $x_2$, these can only be chosen at random, and the proof is simulated in the way described in Section 1.2.2 of the blog post 基于Sigma protocol实现的零知识证明protocol集锦), and compute $t_2 = y_2^{c_2} \cdot g_2^{r_2}$;
- compute the hash $c = \mathrm{Hash}(g_1, y_1, g_2, y_2, t_1, t_2)$ and the challenge for <1>, $c_1 = c - c_2$;
- compute the response for <1>, $r_1 = v_1 - c_1 \cdot x_1$;
- send $((c_1, r_1), (c_2, r_2))$ to the Verifier.
2) Verifier:
From the received proof $((c_1, r_1), (c_2, r_2))$, compute $t_1' = g_1^{r_1} y_1^{c_1}$ and $t_2' = g_2^{r_2} y_2^{c_2}$, and check that $c_1 + c_2 = H(g_1, y_1, g_2, y_2, t_1', t_2') \pmod q$.
The reason why this works is that the prover is "allowed to forge" one of the two proofs since he can choose the corresponding challenge before the commitment is computed; the other challenge is then determined by the hash function. The verifier, however, cannot decide which challenge was chosen and therefore obtains no information about which discrete logarithms the prover knows.
3. Proving knowledge of an element of an arbitrary knowledge specification set
That is, proving knowledge of an element of an arbitrary knowledge specification set; this is the generalization of the OR proof.
3.1 Transformation and tree representation:
3.2 Constructing a proof for $F$
$F$ is a knowledge specification; it can be written as $\tilde{F} = \bigcup_{i=1}^{m} \tilde{F}_i$, where no $\tilde{F}_i$ contains a $\cup$ operation of any kind.
Suppose the Prover knows an element $K \in F$; then there is an index $\alpha$ with $K \in \tilde{F}_{\alpha}$. $K$ is a tuple of elements of $\mathbb{Z}_q$.
The proof is constructed as follows:
1) Commitment:
(a) Set $\bar{w}_{\alpha} = 0$ and, for $i \neq \alpha$, choose random $\bar{w}_i \in_R \mathbb{Z}_q$. Form $\bar{W} = (\bar{w}_1, \cdots, \bar{w}_m)$. [$\bar{w}_i$ is global to the whole tree $\tilde{F}_i$: $\bar{w}_i \neq 0$ means the challenge for that tree was fixed in advance and its proof is simulated; only the tree with $\bar{w}_i = 0$ carries a genuine proof from a known witness.]
(b) Choose a random tuple $\bar{V} = (\bar{v}_{1.0\cdots,1}, \cdots, \bar{v}_{m.0\cdots,\cdot})$ satisfying $E|_{W = \bar{W}}$.
(c) Assign a commitment $T_n$ to every node $n$ of the forest $\tilde{F}$:
- if $n$ is a leaf of type $DL(g, y)$ in the tree $\tilde{F}_i$, then $T_n = (y^{\bar{w}_i} g^{\bar{v}_n})$
- if $n$ is a leaf of type $REP((g_1, \cdots, g_k), y)$ in the tree $\tilde{F}_i$, then $T_n = (y^{\bar{w}_i} \prod_{j=1}^{k} g_j^{\bar{v}_{n,j}})$
- if $n$ is a leaf of type $LE((a_1, \cdots, a_k), b)$, then $T_n$ is the empty tuple $()$
- if $n$ is an inner node of type $\otimes$ or $\cap$, then $T_n = T_{n\|0} \circ T_{n\|1}$
The complete commitment $T$ is: $T = T_{1.0} \circ \cdots \circ T_{m.0}$
2) Challenge:
The challenge is $C = (c_1, \cdots, c_m)$, computed as
$$c_i = \begin{cases} H(\tilde{F}, T) - \sum_{j=1}^{m} \bar{w}_j \pmod q & \text{for } i = \alpha \\ \bar{w}_i & \text{otherwise} \end{cases}$$
3) Response:
Given $K \in \tilde{F}_{\alpha}$, the prover constructs a tuple $X$ (whose components are labelled in the same way as the components of $V$) satisfying:
- $x_{n,j} = 0$ for all indices $j$ if the leaf $n$ is not in the tree $\tilde{F}_{\alpha}$;
- if $n$ is a leaf of type $DL$ or $REP$ in $\tilde{F}_{\alpha}$, the sub-tuple $(x_{n,1}, \cdots, x_{n,k})$ is an element of the set defined by the type of the leaf;
- $X_{\alpha.0}$ satisfies $E_{\alpha.0}|_{w_{\alpha} = -1}$, where $X_{\alpha.0}$ is the sub-tuple corresponding to the sub-tuple $V_{\alpha.0}$.
The complete response $R = (r_{1.0\cdots,1}, \cdots, r_{m.0\cdots,\cdot})$ is defined by
$$r_{n,j} = \bar{v}_{n,j} - c_{\alpha} x_{n,j} \pmod q$$
for all leaves $n$ and all indices $j$.
The proof of knowledge is the pair $(\vec{C}, \vec{R})$.
3.3 Verifying a proof
The verification of a proof $(\vec{C}, \vec{R})$ has two main steps:
1) Reconstruct the commitments:
- if $n$ is a leaf of type $DL(g, y)$ in the tree $\tilde{F}_i$, then $T_n' = (y^{c_i} g^{r_n})$
- if $n$ is a leaf of type $REP((g_1, \cdots, g_k), y)$ in the tree $\tilde{F}_i$, then $T_n' = (y^{c_i} \prod_{j=1}^{k} g_j^{r_{n,j}})$
- if $n$ is a leaf of type $LE((a_1, \cdots, a_k), b)$, then $T_n'$ is the empty tuple $()$
- if $n$ is an inner node of type $\otimes$ or $\cap$, then $T_n' = T_{n\|0}' \circ T_{n\|1}'$
2) Verify the challenge and the response by:
- checking that $H(\tilde{F}, T') = \sum_{i=1}^{m} c_i \pmod q$ holds;
- checking that $\vec{R}$ satisfies $E|_{W = C}$.
3.4 Example
Witness: $x_1, x_2, x_3$
Instance: $h, z, g_1, g_2, y, a_1, a_2, a_3, b$
Relation: $(z = h^{x_1}, y = g_1^{x_2} g_2^{x_3})$ such that either $b = a_1 x_1 + a_2 x_2 + a_3 x_3 \pmod q$ holds or $b = a_1 x_2 + a_2 x_3 + a_3 x_1 \pmod q$ holds.
Expressed as a knowledge specification set, the relation is: $F = ((DL(h, z) \otimes REP((g_1, g_2), y)) \cup (REP((g_1, g_2), y) \otimes DL(h, z))) \cap LE((a_1, a_2, a_3), b)$
It is further rewritten as: $\tilde{F} = ((DL(h, z) \otimes REP((g_1, g_2), y)) \cap LE((a_1, a_2, a_3), b)) \cup ((REP((g_1, g_2), y) \otimes DL(h, z)) \cap LE((a_1, a_2, a_3), b)) = \tilde{F}_1 \cup \tilde{F}_2$
This can be drawn as the following tree diagram:
Next, the Prover builds the list of variables $V_n$ and the set of equations $E_n$ for each node.
For the tree $\tilde{F}_1$:
- node $1.000$: $V_{1.000} = (v_{1.000,1})$, $E_{1.000} = \emptyset$
- node $1.001$: $V_{1.001} = (v_{1.001,1}, v_{1.001,2})$, $E_{1.001} = \emptyset$
- node $1.00$: $V_{1.00} = V_{1.000} \circ V_{1.001} = (v_{1.000,1}, v_{1.001,1}, v_{1.001,2})$, $E_{1.00} = E_{1.000} \cup E_{1.001} = \emptyset$
- node $1.01$: $V_{1.01} = (v_{1.01,1}, v_{1.01,2}, v_{1.01,3})$, $E_{1.01} = \{a_1 v_{1.01,1} + a_2 v_{1.01,2} + a_3 v_{1.01,3} = -w_1 b\}$
- node $1.0$: $V_{1.0} = (v_{1.000,1}, v_{1.001,1}, v_{1.001,2}, v_{1.01,1}, v_{1.01,2}, v_{1.01,3})$, $E_{1.0} = \{v_{1.01,1} = v_{1.000,1}, v_{1.01,2} = v_{1.001,1}, v_{1.01,3} = v_{1.001,2}, a_1 v_{1.01,1} + a_2 v_{1.01,2} + a_3 v_{1.01,3} = -w_1 b\}$
For the tree $\tilde{F}_2$:
- node $2.000$: $V_{2.000} = (v_{2.000,1}, v_{2.000,2})$, $E_{2.000} = \emptyset$
- node $2.001$: $V_{2.001} = (v_{2.001,1})$, $E_{2.001} = \emptyset$
- node $2.00$: $V_{2.00} = V_{2.000} \circ V_{2.001} = (v_{2.000,1}, v_{2.000,2}, v_{2.001,1})$, $E_{2.00} = E_{2.000} \cup E_{2.001} = \emptyset$
- node $2.01$: $V_{2.01} = (v_{2.01,1}, v_{2.01,2}, v_{2.01,3})$, $E_{2.01} = \{a_1 v_{2.01,1} + a_2 v_{2.01,2} + a_3 v_{2.01,3} = -w_2 b\}$
- node $2.0$: $V_{2.0} = (v_{2.000,1}, v_{2.000,2}, v_{2.001,1}, v_{2.01,1}, v_{2.01,2}, v_{2.01,3})$, $E_{2.0} = \{v_{2.01,1} = v_{2.000,1}, v_{2.01,2} = v_{2.000,2}, v_{2.01,3} = v_{2.001,1}, a_1 v_{2.01,1} + a_2 v_{2.01,2} + a_3 v_{2.01,3} = -w_2 b\}$
Finally, merging $E_{1.0}$ and $E_{2.0}$ gives:
$E = \{v_{1.01,1} = v_{1.000,1}, v_{1.01,2} = v_{1.001,1}, v_{1.01,3} = v_{1.001,2}, a_1 v_{1.01,1} + a_2 v_{1.01,2} + a_3 v_{1.01,3} = -w_1 b, v_{2.01,1} = v_{2.000,1}, v_{2.01,2} = v_{2.000,2}, v_{2.01,3} = v_{2.001,1}, a_1 v_{2.01,1} + a_2 v_{2.01,2} + a_3 v_{2.01,3} = -w_2 b\}$
$V = V_{1.0} \circ V_{2.0} = (v_{1.000,1}, v_{1.001,1}, v_{1.001,2}, v_{1.01,1}, v_{1.01,2}, v_{1.01,3}, v_{2.000,1}, v_{2.000,2}, v_{2.001,1}, v_{2.01,1}, v_{2.01,2}, v_{2.01,3}) = (\bar{v}_1, \bar{v}_2, \bar{v}_3, \bar{v}_1, \bar{v}_2, \bar{v}_3, \bar{v}_4, \bar{v}_5, \bar{v}_6, \bar{v}_4, \bar{v}_5, \bar{v}_6)$
$W = (w_1, w_2)$
1) The Prover can build the proof as follows:
- choose $\bar{W} = (\bar{w}_1, \bar{w}_2) = (0, w)$ with $w \in_R \mathbb{Z}_q$ [i.e. $\alpha = 1$ is chosen here];
- choose a random tuple $\bar{V} \in_R \mathbb{Z}_q^{12}$ satisfying $E|_{W = \bar{W}}$. That is, choose random $\bar{v}_1, \cdots, \bar{v}_6 \in \mathbb{Z}_q$ such that both $a_1 \bar{v}_1 + a_2 \bar{v}_2 + a_3 \bar{v}_3 = 0 \pmod q$ and $a_1 \bar{v}_4 + a_2 \bar{v}_5 + a_3 \bar{v}_6 = -wb \pmod q$ hold, and set $V = (\bar{v}_1, \bar{v}_2, \bar{v}_3, \bar{v}_1, \bar{v}_2, \bar{v}_3, \bar{v}_4, \bar{v}_5, \bar{v}_6, \bar{v}_4, \bar{v}_5, \bar{v}_6)$;
- build the commitment: $T = T_{1.0} \circ T_{2.0} = (h^{\bar{v}_1}, g_1^{\bar{v}_2} g_2^{\bar{v}_3}, z^{w} h^{\bar{v}_4}, y^{w} g_1^{\bar{v}_5} g_2^{\bar{v}_6})$;
- compute the challenge: $C = (c_1, c_2) = (H(\tilde{F}, T) - w \pmod q, w)$;
- compute the response: build the list $X = (x_1, x_2, x_3, x_1, x_2, x_3, 0, 0, 0, 0, 0, 0)$ [for $\alpha = 1$ here] and compute the entries $r_{i,j,l}$ of the response $R$ (all equations are modulo $q$):
The whole proof is $(C, R)$.
2) The Verifier checks the proof $(C, R)$ as follows:
- reconstruct the commitment: $T' = T_{1.0}' \circ T_{2.0}'$
- check the challenge and the equations of $E|_{W = C}$ (all computed modulo $q$):
Note that the algorithm above is not optimized.
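The example of 3.4 carried through in Python, added here and not code from the paper or the blog post; it also generalizes the OR proof of 2.3, since the tree the prover does not have a witness for receives the pre-chosen challenge $w$. It follows the leaf order listed above for each tree (tree 1: $DL$ then $REP$; tree 2: $REP$ then $DL$), so each tree's $LE$ equation is over its own variable order; the toy group, the hash (SHA-256 over the statement and the commitments, reduced mod $q$, standing in for $H(\tilde{F}, T)$) and all names are my assumptions.

```python
import hashlib
import secrets

# Constructed toy group (assumption): p = 2q + 1 is a safe prime, so every square
# mod p other than 1 generates the order-q subgroup; h, g1, g2 are such squares.
P, Q = 2039, 1019
H0, G1, G2 = pow(4, 3, P), pow(4, 5, P), pow(4, 7, P)

def hash_to_zq(*values):
    """Stand-in for H(F~, T): SHA-256 over the statement and commitments, mod q."""
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit(tree, w, v, z, y):
    """T_{i.0} for tree 1 (DL(h,z) then REP((g1,g2),y)) or tree 2 (REP then DL).
    v is in the tree's own leaf order; the verifier reuses this with w = c_i, v = r_i."""
    iv = (0, 1, 2) if tree == 1 else (2, 0, 1)   # positions of the h, g1, g2 exponents in v
    dl = pow(z, w, P) * pow(H0, v[iv[0]], P) % P
    rep = pow(y, w, P) * pow(G1, v[iv[1]], P) * pow(G2, v[iv[2]], P) % P
    return (dl, rep) if tree == 1 else (rep, dl)

def prove(x, a, b, alpha):
    """Prove that x = (x1, x2, x3) lies in tree alpha (1 or 2) of F~, hiding which one."""
    z, y = pow(H0, x[0], P), pow(G1, x[1], P) * pow(G2, x[2], P) % P
    w = secrets.randbelow(Q)
    wbar = [0, w] if alpha == 1 else [w, 0]      # wbar_alpha = 0, the other tree is simulated
    v, t = [], ()
    for i in (1, 2):
        v1, v2 = secrets.randbelow(Q), secrets.randbelow(Q)
        # E|_{W=Wbar}: a1*v1 + a2*v2 + a3*v3 = -wbar_i * b (mod q); assumes a3 != 0
        v3 = ((-wbar[i - 1] * b - a[0] * v1 - a[1] * v2) * pow(a[2], -1, Q)) % Q
        v.append((v1, v2, v3))
        t += commit(i, wbar[i - 1], v[-1], z, y)
    c = hash_to_zq("F~", H0, z, G1, G2, y, *a, b, *t)
    c_alpha = (c - w) % Q                          # c_alpha = H(F~, T) - sum of wbar_j
    cvec = (c_alpha, w) if alpha == 1 else (w, c_alpha)
    # X: the witness in tree alpha's leaf order, zeros for the other tree; r = v - c_alpha * x
    xs = tuple(x) if alpha == 1 else (x[1], x[2], x[0])
    r = tuple(tuple((vj - c_alpha * xj) % Q for vj, xj in zip(v[i - 1], xs if i == alpha else (0, 0, 0)))
              for i in (1, 2))
    return (z, y), (cvec, r)

def verify(inst, proof, a, b):
    (z, y), (cvec, r) = inst, proof
    t = commit(1, cvec[0], r[0], z, y) + commit(2, cvec[1], r[1], z, y)
    if hash_to_zq("F~", H0, z, G1, G2, y, *a, b, *t) != sum(cvec) % Q:
        return False
    # E|_{W=C}: each tree's linear equation must hold on the responses
    return all((a[0] * r[i][0] + a[1] * r[i][1] + a[2] * r[i][2]) % Q == (-cvec[i] * b) % Q
               for i in (0, 1))
```

The verifier never learns which tree was simulated: both commitments are rebuilt with the same formula, and only the sum of the challenges is tied to the hash.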
References:
[1] Monotone Boolean function
[2] Blog post 基于Sigma protocol实现的零知识证明protocol集锦