2015-zero-knowledgeproofsandapplication.pdf资源-CSDN文库

需积分: 9 180 浏览量 2019-11-01 10:25:16 上传评论收藏 353KB PDF 举报

零知识证明及其应用是密码学中一个非常重要且影响深远的概念。这个概念最早由Goldwasser, Micali和Rackoff在1985年提出，其核心思想是证明某事“只证明其有效性，而不泄露任何其他信息”。本教材将通过两个讲座来探讨零知识证明的概念，并在此基础上讨论其在密码学中的应用。课程内容将包括基于零知识证明的构造，例如安全的身份认证方案和数字签名方案，以及如何构建NP问题的零知识证明。我们从一个简化的运行示例开始，这将帮助我们抽象出一些基本属性，并引入Σ-协议的概念。Σ-协议在构建安全的身份识别方案中具有重要作用。随后，我们将进入密码学应用领域，特别是如何使用零知识证明来构建高效且可证明安全的身份识别和签名方案。此外，我们还将正式定义零知识，并概述构建所有NP问题零知识证明的主要成果。在讲述零知识证明时，我们会涉及一些基础知识，包括Schnorr协议及其基础属性。Schnorr协议是解决“离散对数问题”的一种方法，该问题在密码学中具有重要意义。通过该协议，一方可以向另一方证明他/她知道一个秘密，而无需透露秘密本身是什么。该协议的应用可以推广到其他需要验证知识的情况中。 Σ-协议是零知识证明的一个子类，其特点是交互式证明系统，它们可以用来构造安全的身份识别方案。Σ-协议具有几个关键属性，包括OR证明和见证隐藏（Witness Hiding）能力，这些属性对于在不泄露更多信息的前提下验证知识的真实性至关重要。在讨论安全身份识别的过程中，我们会探讨被动和主动安全性的区别。被动安全性仅要求在没有积极攻击的条件下系统保持安全，而主动安全性意味着在存在攻击者试图破坏安全性的条件下，系统仍然能保持安全。课程还将讨论如何从Σ-协议构造身份识别方案，并探讨在超越主动安全性之后的安全模型。 Fiat-Shamir启发式方法是将交互式证明系统转化为非交互式证明系统的一种技术，它极大地促进了零知识证明的实际应用。此启发式方法基于某些安全假设，并允许我们将一个交互式协议（比如基于零知识证明的协议）转化为一个非交互式方案，从而使协议在实际应用中更为方便和高效。 Fiat-Shamir变换是实现这一转化的关键技术，它依赖于一种被称为“随机预言机”（Random Oracle）的模型。这个模型中，密码学中的某些函数被假设为完全随机的，并且在每次被查询时都返回一个全新的随机结果。然而，围绕随机预言机模型的有效性以及实际安全性也存在一些争议。课程还将探讨零知识在NP问题中的应用，以及如何构建这些零知识证明。NP问题是计算机科学中的一个重要概念，指的是可以在多项式时间内验证其解的问题。在密码学中，对于这类问题提供零知识证明的能力是保证系统安全的关键。课程会提供进一步阅读的资源，以便有兴趣深入研究的学生能够获得更多的知识和信息。为了奖励他们在零知识证明和其他密码学问题方面的杰出贡献，Shafi Goldwasser和Silvio Micali在2012年被授予了具有高度声望的ACM图灵奖。更多的相关成果和信息可以通过访问提供的网址获得。

资源推荐

资源详情

资源评论

Tecniche di Sicurezza Informatica dei Dati e delle Reti May 21, 2015

Zero-Knowledge Proofs and Applications

Guest Lecturer: Daniele Venturi Lecturer: Antonio Villani

Abstract

The material below covers two lectures on the beautiful and inﬂuential concept of zero-

knowledge proofs. This notion, introduced by Goldwasser, Micali and Rackoﬀ [GMR85] formal-

izes the idea of a proof that “yields nothing but its validity”.

We will start by describing a simple running example, which will allow us to abstract away

some basic properties. This will lead to the concept of Σ-protocols, and their application to

construct secure identiﬁcation schemes. Next, we will move to cryptographic applications. In

particular we will show how to use zero-knowledge proofs to construct eﬃcient (and provably

secure) identiﬁcation and signature schemes. Finally, we will formalize the deﬁnition of zero-

knowledge and survey the main results about constructing zero-knowledge proofs for all NP.

The topics covered and the exposition, are inspired by [Dam10, HL10, Ven12]. Comments,

questions and corrections can be sent by email to:

Daniele Venturi

Via Salaria 113, 00198 Rome, Italy

website: http://wwwusers.di.uniroma1.it/

venturi

email: venturi@di.uniroma1.it.

Contents

1 A Running Example 2

1.1 The Schnorr Protocol . . . . . . 2

1.2 Basic Properties . . . . . . . . . 2

2 Σ-Protocols 5

2.1 OR Proofs . . . . . . . . . . . . . 6

2.2 Witness Hiding . . . . . . . . . . 7

3 Secure Identiﬁcation 8

3.1 Detour I: Passive/Active Security 8

3.2 Constructions from Σ-Protocols . 9

3.3 Beyond Active Security . . . . . 10

4 The Fiat-Shamir Heuristic 11

4.1 Detour II: Universal Unforgeability 11

4.2 The Fiat-Shamir Transform . . . 11

4.3 The Random Oracle Controversy 13

5 Zero-Knowledge Proofs 13

5.1 On the Role of Randomness and

Interaction . . . . . . . . . . . . 14

5.2 Zero Knowledge for NP . . . . . 14

6 Further Reading 14

For this and others inﬂuential results, Shaﬁ Goldwasser and Silvio Micali received the prestigious ACM Turing

Award in 2012. Read more at http://www.acm.org/press-room/awards/turing-award-12.

Alice(G, y, x) Bob(G, y = g

)

a ←

; α = g

−−−−→

β ←

←−−−−

γ = β · x + a

−−−−→

check y

· α = g

Figure 1: The Schnorr protocol for proving “knowledge” of a discrete logarithm.

1 A Running Example

We start by introducing a protocol due to Schnorr [Sch89], and later abstract away several properties

that will be useful in the sequel.

1.1 The Schnorr Protocol

Let p be a prime, and take a generator g of a subgroup G of Z

∗

of prime order q. We should think

of G as a group where computing discrete logarithms is believed to be hard (for proper choice of

the parameters). The Schnorr protocol can be used to “prove knowledge” of a discrete logarithm

x of some value y = g

∈ G. The protocol is shown in Fig. 1.

1.2 Basic Properties

We now put forward a series of intuitive requirements we would like to be satisﬁed by the above

protocol. To facilitate generalizing the Schnorr protocol, we will talk about so-called NP relations

R : {0, 1}

∗

× {0, 1}

∗

→ {0, 1} naturally deﬁning a language L

:= {y : ∃x s.t. R(y, x) = 1}. We

will refer to Alice as the prover—modelled as a PPT algorithm P—and to Bob as the veriﬁer—

modelled as a PPT algorithm V; the prover holds a witness x for a value y ∈ L, and his goal is to

convince the veriﬁer of this fact via an interactive protocol at the end of which the veriﬁer outputs

a judgement yes/no. We will denote the interaction as P(y, x)  V(y); each interaction yields a

transcript τ ∈ {0, 1}

∗

, i.e. a sequence of messages (e.g., the values (α, β, γ) in Fig. 1).

Completeness. The ﬁrst property we would like to be satisﬁed is a correctness requirement,

namely, whenever Alice knows a valid witness she should always be able to convince Bob.

Deﬁnition 1 (Completeness). We say that (P, V) satisﬁes completeness relative to an NP relation

R, if for all y ∈ L

we have that P(y, x)  V(y) = yes with probability one (over the randomness

of all involved algorithms).

The lemma below says that the Schnorr protocol satisﬁes completeness.

Lemma 1. The protocol of Fig. 1 satisﬁes completeness relative to the relation R

(y, x) = 1 iﬀ

y = g

(for g a generator of G).

Proof.

≡ g

β·x+a

≡ g

· (g

)

= y

· α (mod p).

Knowledge soundness. The second natural property is that it should be hard to convince Bob of

the validity of a false statement. It turns out that this can be deﬁned in several ways; the deﬁnition

below aims at capturing the requirement that in order to convince the veriﬁer it is necessary to

actually know a witness.

Deﬁnition 2 (Knowledge soundness). We say that (P, V) is a proof-of-knowledge (PoK) relative

to an NP relation R, if for any (possibly unbounded

) malicious prover P

∗

such that P

∗

(y) 

V(y) = yes with probability larger than ε, there exists a PPT knowledge extractor K (with rewinding

black-box access to P

∗

) such that K

∗

(y) returns a value x satisfying R(y, x) = 1 with probability

polynomial in ε.

The original (slightly more precise) deﬁnition is due to Bellare and Goldreich [BG92] (see

also [HL10, Deﬁnition 6.3.1]). Let us look again at the protocol of Fig. 1 in order to get some

intuition. Roughly, if some P

∗

having sent α could answer two diﬀerent challenges β, β

correctly,

this would mean that it could produce γ, γ

such that g

= y

· α mod p and g

= y

· α mod p.

Dividing one equation by the other, we get that g

γ−γ

= y

β−β

mod p; since β 6= β

mod q we get

that (β−β

) can be inverted modulo q, and thus y = g

(γ−γ

)·(β−β

)

−1

mod p yielding x =

γ−γ

β−β

mod q.

So loosely speaking, a cheating prover who does not know x can only be able to answer at most

one challenge value correctly, since otherwise the argument we just gave would imply that it was

in fact able to compute x after all.

The above discussion leads to the deﬁnition of special soundness, which is tailored to 3-round

interactive protocols.

Deﬁnition 3 (Special soundness). Let (P, V) be a 3-round protocol (for a relation R) with tran-

scripts of the form (α, β, γ), where the prover speaks ﬁrst. We say that (P, V) satisﬁes special

soundness if the following holds: for any y ∈ L

and any pair of accepting conversations (α, β, γ)

and (α, β

, γ

) on input y with β 6= β

, we can eﬃciently compute x such that R(y, x) = 1.

The above discussion yields the following result:

Lemma 2. The protocol of Fig. 1 satisﬁes special soundness.

The lemma below says that, for 3-round protocols, special soundness implies knowledge soundness.

Theorem 1. Let (P, V) be a 3-round interactive protocol for a relation R, with challenge space

B. Then, if (P, V) satisﬁes special soundness it also satisﬁes knowledge soundness whenever |B| =

ω(log κ) for security parameter κ ∈ N.

Proof. Assume there exists (an unbounded) P

∗

such that P [P

∗

(y)  V(y) = yes] ≥ ε. We construct

a PPT K (using P

∗

) as follows:

Knowledge Extractor K:

1. Choose the coins r ←

{0, 1}

∗

for P

∗

, and sample β, β

←

If we restrict the malicious prover to be computationally bounded, we speak of arguments of knowledge (AoK).

剩余16页未读，继续阅读

评论收藏

内容反馈

la980

粉丝: 5
资源: 8

2015-zero-knowledge proofs and application.pdf

最新资源

2015-zero-knowledge proofs and application.pdf

Round-optimal zero-knowledge proofs of knowledge for NP

[数学，物理，化学，生物学习资料（新增资料）].McGraw-Hill.-.Demystified.-.Math.Proofs.Demystified.-.2005

软件测试相关论文-英文原文82篇

信息安全_数据安全_Zero-knowledge_proofs_(ZKP)：Priv.pdf

Baier, Katoen - 2008 - Principles of Model Checking.pdf

Probability－1 3rd Ed. by A.N.Shiryaev.pdf

Python库 | blockchain_proofs-0.2.0-py3-none-any.whl

PyPI 官网下载 | blockchain_proofs-0.2.0-py3-none-any.whl

Data Structures And Algorithms With Object-Oriented Design Patterns In C Sharp.pdf

2018 The-Theory-of-Quantum-Information.pdf

Proofs_as_Programs_Bates_and_Constable.pdf

Proofs and Algorithms

Graphs and Matrices.pdf

lnotes_book.pdf

Proofs from THE BOOK 3rd.pdf

BurpLoaderKeygen.jar.zip

最新版ISO/IEC 27001:2022、ISO 27002:2022中英文合集

Chrome Header Editor 插件

Goby红队版-win-x64-2.4.7版本

xray2024最新版下载，Xray的windows安装使用

第四届网鼎杯赛前训练(20241019)

OpenVAS GVM 中文翻译补丁

软件工程导论(第六版)课后习题答案1

通达信股票行情接口C#版API手册

最新资源