[ZKP]Sigma Protocol

Sigma Protocol

Introduction

Sigma protocols are a specific type of interactive zero-knowledge proof (ZKP) that are known for their efficiency and simplicity.
They involve three distinct phases between a prover and a verifier:

  • Prover: P ( x , y ) P(x,y) P(x,y)
  • Verifier: V ( y ) V(y) V(y)
  • Commitment: The prover sends an initial commitment t t t to the verifier, often involving a secret value.
  • Challenge: The verifier responds with a random challenge c c c.
  • Response: The prover calculates a response z z z based on the challenge and their secret knowledge and sends it to the verifier.
  • Evaluation: Upon receiving prover’s response z z z, the verifier outputs either accept or reject, which must be computed strictly as a function of the statement y y y and the conversation ( t , c , z ) (t,c,z) (t,c,z). In particular, the verifier does not make any random choices other than the selection of the challenge: all other computations are completely deterministic.

Example: Okamoto’s protocol

Okamoto’s protocol allows a prover to convince a skeptical verifier that he “knows” a representation of a given u ∈ G u \in \mathbb{G} uG, without revealing anything about that representation to the verifier.

A witness for the statement u ∈ G u \in \mathbb{G} uG is ( α ; β ) ∈ Z q 2 (\alpha; \beta) \in \mathbb{Z}_q^2 (α;β)Zq2such that g α h β = u g^{\alpha}h^{\beta} = u gαhβ=u, i.e., a representation of u u u. Thus, in this example, every statement has many witnesses.

  • Prover: P ( ( α , β ) , u ) P((\alpha, \beta), u) P((α,β),u)
  • Verifier: V ( u ) V(u) V(u)
  • The prover computes α t ← G \alpha_t \leftarrow \mathbb{G} αtG, β t ← G \beta_t \leftarrow \mathbb{G} βtG, u t ← g α t h β t u_t \leftarrow g^{\alpha_t}h^{\beta_t} utgαthβt and sends the commitment u t u_t ut to the verifier.
  • The verifier computes a random c c c and sends the challenge c c c to the prover.
  • The prover computes α z ← α t + α c ∈ Z q \alpha_z \leftarrow \alpha_t + \alpha c \in \mathbb{Z}_q αzαt+αcZq, β z ← β t + β c ∈ Z q \beta_z \leftarrow \beta_t + \beta c \in \mathbb{Z}_q βzβt+βcZq and sends the response ( α z , β z ) (\alpha_z, \beta_z) (αz,βz) to the verifier.
  • The verifier checks if g α z h β z = u t ⋅ u c g^{\alpha_z}h^{\beta_z} = u_t \cdot u^c gαzhβz=utuc. if so, the verifier outputs “accept”; otherwise, the verifier outputs “reject”.

[ZKP]Sigma Protocol_第1张图片

你可能感兴趣的:(零知识证明,零知识证明,笔记)