Home
2024-02-28T12:46:25+00:00
https://abbypan.github.io
潘蓝兰(Pan Lanlan, abbypan@gmail.com)
abbypan@gmail.com
dnssec keytrap
2024-02-27T00:00:00+00:00
https://abbypan.github.io/2024/02/27/dnssec-keytrap
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://www.athene-center.de/en/keytrap">KeyTrap: Serious Vulnerability in the Internet Infrastructure</a></p>
<p><a href="https://www.athene-center.de/fileadmin/content/PDF/Keytrap_2401.pdf">The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNS</a></p>
<p>A (zone name, algorithm, key-tag) triple may match several keys and several signatures; the key tag is a 16-bit checksum, not a unique identifier (RFC 4034).</p>
<p>So an attacker publishes many keys sharing one tag and many invalid signatures under them; the resolver has to try every (key, signature) pair, every verification fails, and CPU is burnt on a quadratic amount of work.</p>
<p>What this really tests is how many resolvers run DNSSEC validation but have not upgraded; the outage hits the resolving service as a whole.</p>
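<p>Added example, not the KeyTrap authors' code nor any resolver's: the RFC 4034 Appendix B key-tag checksum, a forge routine that makes arbitrarily many distinct (toy, not curve-valid) DNSKEYs share one tag, and a validator loop in the RFC 4035 5.3.1 style that tries every matching key for every RRSIG. The bounded variant models what patched resolvers do (give up after a fixed number of failed verifications). The keys, RRset and signatures are constructed inline; the per-attempt verifier is a hash stand-in.</p>

```python
import hashlib
import hmac

def _tag_sum(rdata: bytes) -> int:
    """Even-indexed bytes weigh 256, odd-indexed bytes weigh 1 (RFC 4034 App. B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    return ac

def _fold(ac: int) -> int:
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rfc4034_key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (flags | protocol | algorithm | public key)."""
    return _fold(_tag_sum(rdata))

def forge_colliding_keys(target_tag: int, count: int) -> list:
    """Constructed toy DNSKEYs that all carry target_tag: flags 0x0101 (KSK),
    protocol 3, algorithm 13, 32 pseudo-random key bytes, then a 2-byte tail
    brute-forced so the checksum lands on the target. Because the prefix has
    even length, the tail word adds exactly its own value to the sum."""
    header = bytes([0x01, 0x01, 0x03, 0x0D])
    keys, n = [], 0
    while len(keys) < count:
        base = header + hashlib.sha256(b"constructed key %d" % n).digest()
        n += 1
        ac0 = _tag_sum(base)
        for tail in range(0x10000):
            if _fold(ac0 + tail) == target_tag:
                keys.append(base + tail.to_bytes(2, "big"))
                break
    return keys

def toy_verify(key: bytes, sig: bytes, msg: bytes) -> bool:
    """Stand-in for RRSIG verification: constant cost per attempt, never succeeds
    for the garbage signatures below."""
    return hmac.compare_digest(sig, hashlib.sha256(key + msg).digest())

def validate_rrset(msg: bytes, dnskeys: list, rrsigs: list, max_failures=None):
    """For every RRSIG, try each DNSKEY whose key tag matches (RFC 4035 5.3.1).
    Returns (validated, verification_attempts). max_failures bounds the work
    the way post-KeyTrap resolver patches do."""
    attempts = failures = 0
    for sig_tag, sig in rrsigs:
        for key in dnskeys:
            if rfc4034_key_tag(key) != sig_tag:
                continue
            attempts += 1
            if toy_verify(key, sig, msg):
                return True, attempts
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return False, attempts
    return False, attempts

def simulate_keytrap(n_keys: int, n_sigs: int, max_failures: int = 2):
    """Attacker zone with n_keys colliding DNSKEYs and n_sigs garbage RRSIGs, all
    tagged 0x1234. Returns (attempts by an unbounded validator, attempts by a bounded one)."""
    tag = 0x1234
    keys = forge_colliding_keys(tag, n_keys)
    msg = b"constructed RRset: www.example. A 192.0.2.1"
    sigs = [(tag, hashlib.sha256(b"garbage sig %d" % j).digest()) for j in range(n_sigs)]
    _, naive = validate_rrset(msg, keys, sigs)
    _, bounded = validate_rrset(msg, keys, sigs, max_failures=max_failures)
    return naive, bounded
```

With 16 keys and 16 signatures the unbounded loop performs 256 verifications for a single RRset; in a real resolver each is a public-key operation, and the response can carry many such RRsets. The bounded loop stops after a handful of failures regardless of how many colliding keys the zone publishes.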
imessage pq3
2024-02-26T00:00:00+00:00
https://abbypan.github.io/2024/02/26/imessage-pq3
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://security.apple.com/blog/imessage-pq3/">iMessage with PQ3: The new state of the art in quantum-secure messaging at scale</a></p>
<p><a href="https://security.apple.com/blog/imessage-contact-key-verification">Advancing iMessage security: iMessage Contact Key Verification</a></p>
<p><a href="https://security.apple.com/assets/files/A_Formal_Analysis_of_the_iMessage_PQ3_Messaging_Protocol_Basin_et_al.pdf">A Formal Analysis of the iMessage PQ3 Messaging Protocol (Basin et al.)</a></p>
<p>&lt;a href="https://security.apple.com/assets/files/Security_analysis_of_the_iMessage_PQ3_protocol_Stebila.pdf"&gt;Security analysis of the iMessage PQ3 protocol (Stebila)&lt;/a&gt;</p>
<p>It uses a lattice KEM, Kyber-1024/768: Kyber-1024 for the pre-key (initial key establishment), Kyber-768 for rekeying.</p>
<p>The shared secret from the lattice KEM encapsulation feeds HKDF key derivation.</p>
<p>Pre-keys (an ECDH public key plus a Kyber public key) are published through IDS, bound to the identity, and signed with the device authentication key (protected by the Secure Enclave). The device auth key may be shared across devices.</p>
<p>The device auth public key is signed by the account's Contact Key; IDS publishes it through a CT-like transparency log (user opt-in), updated on demand. The log borrows CONIKS's data structure and uses a VRF. Peer-to-peer confirmation uses Vaudenay's SAS (short authenticated strings).</p>
<p>The account Contact Key is a long-term key, synchronized through Keychain.</p>
<p>Session key derivation follows Signal: a per-message symmetric ratchet, a per-direction ECDH ratchet, and a periodic Kyber ratchet.</p>
<p>Rekeying follows Signal as well, giving BS/PCS (post-compromise security).</p>
<p>Message authentication uses the device auth key, and not only during establishment.</p>
<p>Everything else in the basics is unchanged.</p>
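<p>Added example, not Apple's code: the ratchet structure the notes describe, in stdlib Python. A root key is updated by HKDF over the fresh ECDH secret and, on steps where a Kyber rekey happened, the KEM secret too; each update yields a new sending chain, and the symmetric ratchet derives one message key per message. The ECDH and Kyber outputs are replaced by constructed byte strings, and the HKDF info strings and chain constants are this example's assumptions, not PQ3's.</p>

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def root_step(root_key: bytes, ecdh_ss: bytes, kem_ss: bytes = b"") -> tuple:
    """Asymmetric ratchet step: fold the fresh ECDH secret and, when a KEM rekey
    happened this step, the KEM secret into the root key. Returns
    (new root key, new chain key). Info label is an assumption of this example."""
    okm = hkdf_sha256(ecdh_ss + kem_ss, salt=root_key, info=b"example-root", length=64)
    return okm[:32], okm[32:]

def chain_step(chain_key: bytes) -> tuple:
    """Symmetric ratchet: one HMAC for the next chain key, one for the message key."""
    next_ck = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    return next_ck, msg_key

class Session:
    def __init__(self, root_key: bytes):
        self.root, self.chain = root_key, None

    def rekey(self, ecdh_ss: bytes, kem_ss: bytes = b"") -> None:
        self.root, self.chain = root_step(self.root, ecdh_ss, kem_ss)

    def message_key(self) -> bytes:
        self.chain, mk = chain_step(self.chain)
        return mk

def demo() -> dict:
    """Two peers derive identical keys. A chain key leaked after message 1 lets the
    attacker derive message 2's key (the symmetric ratchet alone does not heal), but
    the next ECDH + Kyber-768 rekey replaces the chain and cuts the attacker off."""
    # Constructed secrets standing in for the ECDH / Kyber-1024 / Kyber-768 outputs.
    initial_root = hashlib.sha256(b"constructed: prekey ECDH || Kyber-1024 ss").digest()
    ecdh1 = hashlib.sha256(b"constructed: ECDH ratchet step 1").digest()
    ecdh2 = hashlib.sha256(b"constructed: ECDH ratchet step 2").digest()
    kem768 = hashlib.sha256(b"constructed: Kyber-768 rekey ss").digest()

    alice, bob = Session(initial_root), Session(initial_root)
    alice.rekey(ecdh1); bob.rekey(ecdh1)
    mk1_a, mk1_b = alice.message_key(), bob.message_key()
    leaked_chain = alice.chain                     # attacker captures the chain key here
    mk2_a = alice.message_key(); bob.message_key()
    attacker_mk2 = chain_step(leaked_chain)[1]     # predictable from the leaked chain key
    alice.rekey(ecdh2, kem768); bob.rekey(ecdh2, kem768)
    mk3_a, mk3_b = alice.message_key(), bob.message_key()
    # Best the attacker can do without the fresh secrets: keep walking the old chain.
    attacker_mk3 = chain_step(chain_step(chain_step(leaked_chain)[0])[0])[1]
    return {
        "peers_agree": mk1_a == mk1_b and mk3_a == mk3_b,
        "keys_distinct": len({mk1_a, mk2_a, mk3_a}) == 3,
        "attacker_reads_mk2": attacker_mk2 == mk2_a,
        "attacker_reads_mk3": attacker_mk3 == mk3_a,
    }
```

The KEM secret is concatenated with the ECDH secret before HKDF, so even on steps where the Kyber rekey is skipped the derivation still depends on a fresh ECDH secret; on steps where both are present, breaking either primitive alone is not enough to recover the chain.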
v2ray
2024-01-10T00:00:00+00:00
https://abbypan.github.io/2024/01/10/v2ray
<ul id="markdown-toc">
<li><a href="#install" id="markdown-toc-install">install</a></li>
<li><a href="#prepare" id="markdown-toc-prepare">prepare</a></li>
<li><a href="#server" id="markdown-toc-server">server</a> <ul>
<li><a href="#env" id="markdown-toc-env">env</a></li>
<li><a href="#conf" id="markdown-toc-conf">conf</a></li>
<li><a href="#run" id="markdown-toc-run">run</a></li>
</ul>
</li>
<li><a href="#client" id="markdown-toc-client">client</a> <ul>
<li><a href="#env-1" id="markdown-toc-env-1">env</a></li>
<li><a href="#conf-1" id="markdown-toc-conf-1">conf</a></li>
<li><a href="#run-1" id="markdown-toc-run-1">run</a></li>
</ul>
</li>
</ul>
<h1 id="install">install</h1>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt install v2ray
</code></pre></div></div>
<h1 id="prepare">prepare</h1>
<p>Prepare a key pair and obtain a certificate, e.g. from Let's Encrypt.</p>
<h1 id="server">server</h1>
<h2 id="env">env</h2>
<p>Assume on the server side:</p>
<ul>
<li>host: xxx.example.com</li>
<li>port: 443</li>
<li>private key: /home/someusr/.cert/privkey.pem</li>
<li>certificate chain: /home/someusr/.cert/fullchain.pem</li>
<li>uuid: 66666666-6666-6666-6666-666666666666</li>
</ul>
<h2 id="conf">conf</h2>
<p>Configure <code class="language-plaintext highlighter-rouge">/usr/local/etc/v2ray/config.json</code>. The ALPN list must use registered identifiers such as <code class="language-plaintext highlighter-rouge">http/1.1</code> or <code class="language-plaintext highlighter-rouge">h2</code>; the fallback forwards anything that is not VLESS to port 80, so run a real web site there so that probes see an ordinary server; generate the uuid with <code class="language-plaintext highlighter-rouge">uuidgen</code> rather than a memorable value:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{
"log": {
"loglevel": "info"
},
"inbounds": [
{
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "66666666-6666-6666-6666-666666666666",
"flow": "xtls-rprx-origin",
"level": 0
}
],
"decryption": "none",
"fallbacks": [
{
"dest": 80
}
]
},
"streamSettings": {
"network": "tcp",
"security": "xtls",
"xtlsSettings": {
"alpn": [
"http/1.1"
],
"certificates": [
{
"certificateFile": "/home/someusr/.cert/fullchain.pem",
"keyFile": "/home/someusr/.cert/privkey.pem"
}
]
}
}
}
],
"outbounds": [
{
"protocol": "freedom"
}
]
}
</code></pre></div></div>
<h2 id="run">run</h2>
<p>Start:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> systemctl start v2ray
</code></pre></div></div>
<p>Enable at boot:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> systemctl enable v2ray
</code></pre></div></div>
<h1 id="client">client</h1>
<h2 id="env-1">env</h2>
<p>Assume on the client side:</p>
<ul>
<li>path: <code class="language-plaintext highlighter-rouge">/home/someclient/share/v2ray</code></li>
<li>local port: 8888</li>
</ul>
<h2 id="conf-1">conf</h2>
<p>Configure <code class="language-plaintext highlighter-rouge">/home/someclient/share/v2ray/config.json</code>. The client must use the same transport security as the server (<code class="language-plaintext highlighter-rouge">xtls</code>, with <code class="language-plaintext highlighter-rouge">serverName</code> pinned to the certificate's host name); with <code class="language-plaintext highlighter-rouge">"security": ""</code> it would send plaintext to port 443 and never get past the fallback. <code class="language-plaintext highlighter-rouge">mux</code> stays off because XTLS flows do not work through Mux. The SOCKS inbound listens on 127.0.0.1 without authentication, which is acceptable only because it is loopback-only:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{
"log": {
"access": "",
"error": "",
"loglevel": "warning"
},
"inbounds": [
{
"port": 8888,
"listen": "127.0.0.1",
"protocol": "socks",
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
},
"settings": {
"auth": "noauth",
"udp": true,
"ip": null,
"clients": null
},
"streamSettings": null
}
],
"outbounds": [
{
"tag": "proxy",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "xxx.example.com",
"port": 443,
"users": [
{
"id": "66666666-6666-6666-6666-666666666666",
"flow": "xtls-rprx-origin",
"level": 0,
"encryption": "none"
}
]
}
],
"servers": null,
"response": null
},
"streamSettings": {
"network": "tcp",
"security": "xtls",
"xtlsSettings": {
"serverName": "xxx.example.com"
},
"tlsSettings": null,
"tcpSettings": null,
"kcpSettings": null,
"wsSettings": null,
"httpSettings": null,
"quicSettings": null
},
"mux": {
"enabled": false
}
},
{
"tag": "direct",
"protocol": "freedom",
"settings": {
"vnext": null,
"servers": null,
"response": null
},
"streamSettings": null,
"mux": null
},
{
"tag": "block",
"protocol": "blackhole",
"settings": {
"vnext": null,
"servers": null,
"response": {
"type": "http"
}
},
"streamSettings": null,
"mux": null
}
],
"dns": null,
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": []
}
}
</code></pre></div></div>
<h2 id="run-1">run</h2>
<p>Start:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd /home/someclient/share/v2ray
v2ray run
</code></pre></div></div>
trojan
2024-01-10T00:00:00+00:00
https://abbypan.github.io/2024/01/10/trojan
<ul id="markdown-toc">
<li><a href="#install" id="markdown-toc-install">install</a></li>
<li><a href="#prepare" id="markdown-toc-prepare">prepare</a></li>
<li><a href="#server" id="markdown-toc-server">server</a></li>
<li><a href="#client" id="markdown-toc-client">client</a></li>
</ul>
<h1 id="install">install</h1>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt install trojan
</code></pre></div></div>
<h1 id="prepare">prepare</h1>
<p>Prepare a key pair and obtain a certificate, e.g. from Let's Encrypt.</p>
<p>Server and client may each obtain their own certificate and trust each other's; the client never needs the server's private key.</p>
<p>Assume the password is <code class="language-plaintext highlighter-rouge">mypasswd</code> (in practice use a long random secret: the password is the only thing that authenticates a client).</p>
<h1 id="server">server</h1>
<p>Assume on the server side:</p>
<ul>
<li>host: xxx.example.com</li>
<li>port: 443</li>
<li>private key: /home/someusr/.cert/privkey.pem</li>
<li>certificate chain: /home/someusr/.cert/fullchain.pem</li>
</ul>
<p>Configure <code class="language-plaintext highlighter-rouge">/usr/local/etc/trojan/config.json</code>. ALPN again uses registered identifiers only; <code class="language-plaintext highlighter-rouge">remote_addr</code>/<code class="language-plaintext highlighter-rouge">remote_port</code> is where non-trojan traffic is forwarded, so a real web site on 127.0.0.1:80 makes probing look like an ordinary HTTPS server:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{
"run_type": "server",
"local_addr": "0.0.0.0",
"local_port": 443,
"remote_addr": "127.0.0.1",
"remote_port": 80,
"password": [
"mypasswd"
],
"log_level": 1,
"ssl": {
"cert": "/home/someusr/.cert/fullchain.pem",
"key": "/home/someusr/.cert/privkey.pem",
"key_password": "",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305",
"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"prefer_server_cipher": true,
"alpn": [
"http/1.1",
"h2"
],
"reuse_session": true,
"session_ticket": false,
"session_timeout": 600,
"plain_http_response": "",
"curves": "",
"dhparam": ""
},
"tcp": {
"prefer_ipv4": false,
"no_delay": true,
"keep_alive": true,
"reuse_port": false,
"fast_open": false,
"fast_open_qlen": 20
},
"mysql": {
"enabled": false,
"server_addr": "127.0.0.1",
"server_port": 3306,
"database": "trojan",
"username": "trojan",
"password": "",
"key": "",
"cert": "",
"ca": ""
}
}
</code></pre></div></div>
<p>Start:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> systemctl start trojan
</code></pre></div></div>
<p>Enable at boot:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> systemctl enable trojan
</code></pre></div></div>
<h1 id="client">client</h1>
<p>Assume on the client side:</p>
<ul>
<li>path: <code class="language-plaintext highlighter-rouge">/home/someclient/share/trojan</code></li>
<li>local port: 8888</li>
<li>cert chain: <code class="language-plaintext highlighter-rouge">/home/someclient/share/trojan/fullchain.pem</code></li>
<li>priv key: <code class="language-plaintext highlighter-rouge">/home/someclient/share/trojan/privkey.pem</code></li>
</ul>
<p>Configure <code class="language-plaintext highlighter-rouge">/home/someclient/share/trojan/config.json</code>. On the client, <code class="language-plaintext highlighter-rouge">ssl.cert</code> is only the trust anchor used to verify the server's certificate (with a public CA such as Let's Encrypt it can be left empty to use the system store), and the key file here must be the client's own, never a copy of the server's:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{
"run_type": "client",
"local_addr": "127.0.0.1",
"local_port": 8888,
"remote_addr": "xxx.example.com",
"remote_port": 443,
"password": [
"mypasswd"
],
"log_level": 1,
"ssl": {
"cert": "fullchain.pem",
"key": "privkey.pem",
"key_password": "",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305",
"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"prefer_server_cipher": true,
"alpn": [
"http/1.1",
"h2"
],
"reuse_session": true,
"session_ticket": false,
"session_timeout": 600,
"plain_http_response": "",
"curves": "",
"dhparam": ""
},
"tcp": {
"prefer_ipv4": false,
"no_delay": true,
"keep_alive": true,
"reuse_port": false,
"fast_open": false,
"fast_open_qlen": 20
},
"mysql": {
"enabled": false,
"server_addr": "127.0.0.1",
"server_port": 3306,
"database": "trojan",
"username": "trojan",
"password": "",
"key": "",
"cert": "",
"ca": ""
}
}
</code></pre></div></div>
<p>Start:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd /home/someclient/share/trojan
trojan -c config.json
</code></pre></div></div>
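<p>Added example, not v2ray's or trojan's code: an offline lint over the server/client pairs from both the v2ray and the trojan sections above. The pairs are constructed abbreviations that keep only the fields the checks read; the ALPN whitelist and the 16-character password floor are this example's assumptions. Run against the values as originally posted (ALPN <code class="language-plaintext highlighter-rouge">http/1.2</code>, client security empty, mux on, an 8-character password) it reports every point raised in the text; run against the corrected values it reports nothing.</p>

```python
REGISTERED_ALPN = {"http/1.1", "h2", "h3"}   # IANA-registered IDs a TLS front end can offer
UUID = "66666666-6666-6666-6666-666666666666"

def v2ray_pair(alpn, client_security, mux_enabled):
    """Constructed abbreviation of the v2ray server/client configs on this page."""
    server = {"inbounds": [{
        "port": 443, "protocol": "vless",
        "settings": {"clients": [{"id": UUID, "flow": "xtls-rprx-origin"}],
                     "decryption": "none", "fallbacks": [{"dest": 80}]},
        "streamSettings": {"network": "tcp", "security": "xtls",
                           "xtlsSettings": {"alpn": alpn}}}]}
    client = {"outbounds": [{
        "tag": "proxy", "protocol": "vless",
        "settings": {"vnext": [{"address": "xxx.example.com", "port": 443,
                                "users": [{"id": UUID, "flow": "xtls-rprx-origin",
                                           "encryption": "none"}]}]},
        "streamSettings": {"network": "tcp", "security": client_security},
        "mux": {"enabled": mux_enabled}}]}
    return server, client

def trojan_pair(alpn, password, client_has_key):
    """Constructed abbreviation of the trojan server/client configs on this page."""
    server = {"run_type": "server", "local_port": 443, "remote_port": 80,
              "password": [password],
              "ssl": {"alpn": alpn, "cert": "/home/someusr/.cert/fullchain.pem",
                      "key": "/home/someusr/.cert/privkey.pem"}}
    client = {"run_type": "client", "remote_addr": "xxx.example.com", "remote_port": 443,
              "password": [password],
              "ssl": {"alpn": alpn, "cert": "fullchain.pem",
                      "key": "privkey.pem" if client_has_key else ""}}
    return server, client

def check_alpn(alpn, where, findings):
    for proto in alpn or []:
        if proto not in REGISTERED_ALPN:
            findings.append(f"{where}: ALPN {proto!r} is not a registered protocol id")

def lint_v2ray(server, client):
    findings = []
    inbound = server["inbounds"][0]
    outbound = next(o for o in client["outbounds"] if o["protocol"] == "vless")
    vnext = outbound["settings"]["vnext"][0]
    user = vnext["users"][0]
    server_clients = inbound["settings"]["clients"]
    if user["id"] not in {c["id"] for c in server_clients}:
        findings.append("client UUID is not in the server client list")
    if user.get("flow") not in {c.get("flow") for c in server_clients}:
        findings.append("client flow does not match the server flow")
    if vnext["port"] != inbound["port"]:
        findings.append("client port differs from server inbound port")
    srv_sec = inbound["streamSettings"].get("security") or "none"
    cli_sec = outbound["streamSettings"].get("security") or "none"
    if srv_sec != cli_sec:
        findings.append(f"transport security mismatch: server {srv_sec!r}, client {cli_sec!r}")
    if srv_sec == "xtls":
        xtls = inbound["streamSettings"].get("xtlsSettings", {})
        check_alpn(xtls.get("alpn"), "server xtlsSettings", findings)
        if outbound.get("mux", {}).get("enabled"):
            findings.append("client mux enabled: XTLS flows do not work through mux")
    return findings

def lint_trojan(server, client):
    findings = []
    if not set(server["password"]) & set(client["password"]):
        findings.append("client password is not accepted by the server")
    for pw in server["password"]:
        if len(pw) < 16:
            findings.append(f"server password {pw!r} is short; it is the only client authenticator")
    check_alpn(server["ssl"].get("alpn"), "server ssl", findings)
    check_alpn(client["ssl"].get("alpn"), "client ssl", findings)
    if client["ssl"].get("verify", True) is False:
        findings.append("client disables server certificate verification")
    if client["ssl"].get("key"):
        findings.append("client ssl.key set: the client needs only ssl.cert as trust anchor")
    return findings

def lint_as_posted():
    """The two pairs with the values the page originally carried."""
    v2 = lint_v2ray(*v2ray_pair(["http/1.2"], "", True))
    tr = lint_trojan(*trojan_pair(["http/1.2", "http/1.3", "h2"], "mypasswd", True))
    return v2, tr
```

Feed the same functions the real files with <code class="language-plaintext highlighter-rouge">json.load</code> to lint a deployment; the checks only touch fields both projects document.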
SSH: TerrapinAttack
2024-01-04T00:00:00+00:00
https://abbypan.github.io/2024/01/04/ssh-terrapin
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://terrapin-attack.com/">Terrapin Attack</a></p>
<p><a href="https://terrapin-attack.com/TerrapinAttack.pdf">Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation</a></p>
<p>Under MITM conditions, manipulate the handshake sequence counters and drop key messages such as EXT_INFO, so that the connection is downgraded without either side noticing.</p>
<p>The analysis of how the symmetric cipher modes are affected is elegant: something the two ends keep in sync is influenced by the sequence number, and the attacker controls that number.</p>
<p>The root cause is still the lack of a full transcript hash; compare the fixes: a sequence-number reset so that handshake and record layer cannot influence each other, and an explicit end message marking where the transcript h ends.</p>
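<p>Added example, not the Terrapin authors' code: a toy SSH binary-packet layer whose integrity tag covers (sequence number || payload), as in RFC 4253, played through the same server-to-client handshake twice. In classic mode the MITM injects an IGNORE before NEWKEYS (advancing the client's receive counter) and deletes the first encrypted message, EXT_INFO; the next packet's counter then lines up and the client accepts a stream with the extension negotiation silently gone. In "strict" mode both sides reset the counter after NEWKEYS and the client aborts on unexpected handshake messages. Keys and message names are constructed; only the sequence-number handling is the point.</p>

```python
import hashlib
import hmac

KEY = hashlib.sha256(b"constructed integrity key").digest()

def tag(seq: int, payload: bytes) -> bytes:
    """Integrity tag over sequence number and payload; the only thing binding packet order."""
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

class Server:
    def __init__(self, strict: bool):
        self.strict, self.seq = strict, 0

    def send_handshake(self, payload: bytes) -> tuple:
        pkt = ("plain", self.seq, payload)          # not yet encrypted, but still counted
        self.seq += 1
        if payload == b"NEWKEYS" and self.strict:
            self.seq = 0                            # strict kex: fresh counters after NEWKEYS
        return pkt

    def send_encrypted(self, payload: bytes) -> tuple:
        pkt = ("mac", self.seq, payload, tag(self.seq, payload))
        self.seq += 1
        return pkt

class Client:
    def __init__(self, strict: bool):
        self.strict, self.seq, self.delivered = strict, 0, []

    def receive(self, pkt: tuple) -> None:
        kind, payload = pkt[0], pkt[2]
        if kind == "plain":
            if self.strict and payload == b"IGNORE":
                raise ValueError("strict kex: unexpected message during handshake")
            self.seq += 1
            if payload == b"NEWKEYS" and self.strict:
                self.seq = 0
            return
        if not hmac.compare_digest(pkt[3], tag(self.seq, payload)):
            raise ValueError("integrity failure at seq %d" % self.seq)
        self.seq += 1
        self.delivered.append(payload)

def run_handshake(strict: bool, attack: bool) -> dict:
    """Server sends KEXINIT, NEWKEYS, then EXT_INFO and SERVICE_ACCEPT under the new
    keys. With attack=True the MITM injects an IGNORE before NEWKEYS and drops EXT_INFO."""
    srv, cli = Server(strict), Client(strict)
    wire = [srv.send_handshake(b"KEXINIT")]
    if attack:
        wire.append(("plain", None, b"IGNORE"))    # forged by the MITM, never sent by the server
    wire.append(srv.send_handshake(b"NEWKEYS"))
    ext_info = srv.send_encrypted(b"EXT_INFO")
    if not attack:
        wire.append(ext_info)                       # the MITM deletes it otherwise
    wire.append(srv.send_encrypted(b"SERVICE_ACCEPT"))
    try:
        for pkt in wire:
            cli.receive(pkt)
    except ValueError as err:
        return {"accepted": False, "error": str(err), "delivered": cli.delivered}
    return {"accepted": True, "error": None, "delivered": cli.delivered}
```

In the classic run the client ends with the same counter the server uses for SERVICE_ACCEPT even though it never saw EXT_INFO; nothing in the transcript covers the deletion. In the strict run the injected IGNORE is fatal, and even if it were tolerated the counter reset would put the deleted packet at sequence 0 and make the next tag check fail.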
Zuo Zhuan, Duke Xiang year 24: the three imperishables (三不朽)
2024-01-04T00:00:00+00:00
https://abbypan.github.io/2024/01/04/dgy
<p>In the spring of the twenty-fourth year, Mushu went to Jin.</p>
<p>Fan Xuanzi received him and asked: "The ancients had a saying, 'to die and yet not perish'. What does it mean?"</p>
<p>Mushu did not reply.</p>
<p>Xuanzi said: "Of old, the ancestors of Gai (myself): from Yu upward they were the Taotang clan; under the Xia, the Yulong clan; under the Shang, the Shiwei clan; under the Zhou, the Tang and Du clans; and now that Jin presides over the covenants of the Xia states, the Fan clan. Is that what the saying means?"</p>
<p>Mushu said: "From what I, Bao, have heard, that is called hereditary emolument, not imperishability.
Lu had a former grandee, Zang Wenzhong; after his death, his words still stand.
Is that not what the saying means? I have heard: the highest is to establish virtue; the next, to establish achievement; the next, to establish words. When these are not abandoned even after a long time, that is what is called not perishing.
As for keeping one's surname and receiving a clan name, guarding the ancestral temple so that the sacrifices never cease for generations: no state is without this.
The greatest of emoluments cannot be called imperishable."</p>
KVAC
2023-12-18T00:00:00+00:00
https://abbypan.github.io/2023/12/18/kvac
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://www.semanticscholar.org/paper/The-Signal-Private-Group-System-and-Anonymous-Chase-Perrin/dd8ec2ccb7c91c6a6352d341032d1d7746283c6f">The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption</a></p>
<p>Note the assumptions behind the zero-knowledge proofs here:</p>
<ul>
<li>The proof on the uid is verified by the server, so verification uses the server's secret key; no public verifiability is needed (keyed verification).</li>
<li>The proof on the user profile is verified by group members using the shared group key; this is the access control for group management.</li>
<li>The homomorphic property of ElGamal encryption provides blinded attributes and publicly verifiable encryptions.</li>
</ul>
<p>The remaining ideas are similar to group signatures.</p>
git删除部分commit
2023-09-12T00:00:00+00:00
https://abbypan.github.io/2023/09/12/git-remove-commit
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://stackoverflow.com/a/46049102">How do I delete a commit from a branch?</a></p>
<p><a href="https://www.jianshu.com/p/4a8f4af4e803">git rebase</a></p>
<p>Assume the branch is patch-1 and commit 1 is to be removed:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>commit 0 : b16a1aa
commit 1 : <any_hash>
commit 2 : 1a5197b
commit 3 : 330da83
</code></pre></div></div>
<p>The git commands:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git checkout b16a1aa
git checkout -b repair
git cherry-pick 1a5197b
git cherry-pick 330da83
git checkout patch-1
git reset --hard b16a1aa
git merge repair
git push -f origin patch-1
</code></pre></div></div>
<p>Alternatively use <code class="language-plaintext highlighter-rouge">git rebase</code> (an interactive rebase onto b16a1aa, dropping commit 1). Either way the branch history is rewritten and force-pushed, so anyone who already has patch-1 must re-fetch it rather than merge.</p>
openssl OSSL_PARAM 的 endian 处理
2023-09-06T00:00:00+00:00
https://abbypan.github.io/2023/09/06/openssl-endian
<ul id="markdown-toc">
<li><a href="#background" id="markdown-toc-background">background</a></li>
<li><a href="#problem" id="markdown-toc-problem">problem</a></li>
<li><a href="#sample" id="markdown-toc-sample">sample</a></li>
</ul>
<h1 id="background">background</h1>
<p>Since OpenSSL 3, <a href="https://www.openssl.org/docs/man3.0/man3/OSSL_PARAM.html">OSSL_PARAM</a></p>
<p>handles OSSL_PARAM_INTEGER and OSSL_PARAM_UNSIGNED_INTEGER</p>
<p>in native form, i.e. in the byte order of the system itself (big endian or little endian).</p>
<p>Hence <a href="https://github.com/openssl/openssl/blob/master/crypto/params.c">OSSL_PARAM_set_BN</a> internally uses <code class="language-plaintext highlighter-rouge">BN_bn2nativepad</code> to turn the BIGNUM into raw binary in the system's own endianness, avoiding endian mix-ups on little-endian systems.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="kt">int</span> <span class="n">OSSL_PARAM_set_BN</span><span class="p">(</span><span class="n">OSSL_PARAM</span> <span class="o">*</span><span class="n">p</span><span class="p">,</span> <span class="k">const</span> <span class="n">BIGNUM</span> <span class="o">*</span><span class="n">val</span><span class="p">)</span></code></pre></figure>
<p><a href="https://github.com/openssl/openssl/blob/master/crypto/evp/p_lib.c">EVP_PKEY_set_bn_param</a> does the same internally</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="kt">int</span> <span class="n">EVP_PKEY_set_bn_param</span><span class="p">(</span><span class="n">EVP_PKEY</span> <span class="o">*</span><span class="n">pkey</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">key_name</span><span class="p">,</span>
<span class="k">const</span> <span class="n">BIGNUM</span> <span class="o">*</span><span class="n">bn</span><span class="p">)</span></code></pre></figure>
<h1 id="problem">problem</h1>
<p><a href="https://github.com/openssl/openssl/blob/master/crypto/params.c">OSSL_PARAM_construct_BN</a> takes its value as <code class="language-plaintext highlighter-rouge">unsigned char*, size_t</code> rather than <code class="language-plaintext highlighter-rouge">BIGNUM *</code>, so the caller must handle endianness itself.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="n">OSSL_PARAM</span> <span class="nf">OSSL_PARAM_construct_BN</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">key</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buf</span><span class="p">,</span>
<span class="kt">size_t</span> <span class="n">bsize</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">return</span> <span class="n">ossl_param_construct</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">OSSL_PARAM_UNSIGNED_INTEGER</span><span class="p">,</span>
<span class="n">buf</span><span class="p">,</span> <span class="n">bsize</span><span class="p">);</span>
<span class="p">}</span></code></pre></figure>
<h1 id="sample">sample</h1>
<p>For example, convert the BIGNUM <code class="language-plaintext highlighter-rouge">priv_bn</code> to native-endian binary first, then construct the BN param; <code class="language-plaintext highlighter-rouge">EVP_PKEY_fromdata</code> then produces a key whose private scalar is <code class="language-plaintext highlighter-rouge">priv_bn</code>.</p>
<p>Otherwise it is easy to go wrong between hex string, binary and BIGNUM: <code class="language-plaintext highlighter-rouge">BN_bn2bin</code> / <code class="language-plaintext highlighter-rouge">BN_bn2binpad</code> emit big-endian bytes, which <code class="language-plaintext highlighter-rouge">OSSL_PARAM_UNSIGNED_INTEGER</code> reads backwards on a little-endian host. The snippet assumes <code class="language-plaintext highlighter-rouge">pctx</code> was created with <code class="language-plaintext highlighter-rouge">EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)</code> and that <code class="language-plaintext highlighter-rouge">priv_len</code> is the curve's field size (32 for P-256), so a short scalar is left-padded and an oversized one rejected.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c">/* native-endian raw bytes, as OSSL_PARAM_UNSIGNED_INTEGER expects; -1 if priv_bn does not fit */
if (BN_bn2nativepad(priv_bn, priv, (int)priv_len) &lt; 0)
    goto err;
OSSL_PARAM params[3];
params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)group_name, 0);
params[1] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_PRIV_KEY, priv, priv_len);
params[2] = OSSL_PARAM_construct_end();
if (EVP_PKEY_fromdata_init(pctx) &lt;= 0
    || EVP_PKEY_fromdata(pctx, &amp;pkey, EVP_PKEY_KEYPAIR, params) &lt;= 0)
    goto err;   /* ERR_print_errors_fp(stderr) shows which param was rejected */</code></pre></figure>
<p>So calling <code class="language-plaintext highlighter-rouge">EVP_PKEY_set_bn_param</code> directly, which does the conversion for you, is simpler.</p>
windows下安装plantuml
2023-06-29T00:00:00+00:00
https://abbypan.github.io/2023/06/29/plantuml-win
<ul id="markdown-toc">
<li><a href="#java" id="markdown-toc-java">JAVA</a></li>
<li><a href="#graphviz" id="markdown-toc-graphviz">Graphviz</a></li>
<li><a href="#plantuml" id="markdown-toc-plantuml">plantuml</a></li>
<li><a href="#示例" id="markdown-toc-示例">示例</a></li>
</ul>
<h1 id="java">JAVA</h1>
<p>Assume Java is installed under <code class="language-plaintext highlighter-rouge">d:\software\java</code>.</p>
<p>Set the environment variables:
JAVA_HOME = d:\software\java
CLASSPATH = %JAVA_HOME%\lib</p>
<p>Add <code class="language-plaintext highlighter-rouge">%JAVA_HOME%\bin</code> to the PATH environment variable.</p>
<h1 id="graphviz">Graphviz</h1>
<p>Download <a href="https://graphviz.gitlab.io/">Graphviz</a>; assume it is installed under <code class="language-plaintext highlighter-rouge">d:\software\graphviz</code>.</p>
<p>Add <code class="language-plaintext highlighter-rouge">d:\software\graphviz\bin</code> to PATH.</p>
<h1 id="plantuml">plantuml</h1>
<p>Download the <a href="https://plantuml.com/">plantuml</a> jar; assume it lives under <code class="language-plaintext highlighter-rouge">d:\software\plantuml</code> as <code class="language-plaintext highlighter-rouge">plantuml.jar</code>.</p>
<p>Add <code class="language-plaintext highlighter-rouge">d:\software\plantuml</code> to PATH.</p>
<p>Create a batch file <code class="language-plaintext highlighter-rouge">d:\software\plantuml\plantuml.bat</code> with the content</p>
<figure class="highlight"><pre><code class="language-bat" data-lang="bat"><span class="kd">java</span> <span class="na">-jar </span><span class="vm">%~dp0</span><span class="kd">plantuml</span>.jar <span class="na">-charset </span><span class="kd">utf8</span> <span class="err">%</span><span class="o">*</span></code></pre></figure>
<h1 id="示例">示例</h1>
<p>Following the example in <a href="https://plantuml.com/zh/starting">plantuml-starting</a>, assume <code class="language-plaintext highlighter-rouge">pic.txt</code> contains</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>@startuml
Alice -> Bob: test
@enduml
</code></pre></div></div>
<p>Run <code class="language-plaintext highlighter-rouge">plantuml pic.txt</code> from the command line to obtain <code class="language-plaintext highlighter-rouge">pic.png</code></p>
HD Wallets
2023-06-09T00:00:00+00:00
https://abbypan.github.io/2023/06/09/hd-wallets
<ul id="markdown-toc">
<li><a href="#bip-0032" id="markdown-toc-bip-0032">BIP-0032</a></li>
<li><a href="#bip-0044" id="markdown-toc-bip-0044">BIP-0044</a></li>
</ul>
<h1 id="bip-0032">BIP-0032</h1>
<p><a href="https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki">bip-0032</a></p>
<p>Hierarchical deterministic wallets: starting from a single random seed, repeated HMAC-SHA512 calls combined with EC point addition and scalar multiplication derive a tree of key pairs for a Bitcoin wallet.</p>
<p><code class="language-plaintext highlighter-rouge">i>=2^31</code> distinguishes hardened from normal derivation</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>i ≥ 2^31: hardened child
let I = HMAC-SHA512(Key = cpar, Data = 0x00 || ser256(kpar) || ser32(i))
otherwise: normal child
let I = HMAC-SHA512(Key = cpar, Data = serP(point(kpar)) || ser32(i))
IL || IR = I
ki = parse256(IL) + kpar (mod n)
ci = IR
private key: (ki, ci)
public key: (Ki, ci), Ki=point(ki)
</code></pre></div></div>
<p>A hardened child's public key cannot be derived from the parent public key alone, whereas a normal child's can; the price of normal derivation is that a leaked normal child private key together with the parent chain code reveals the parent private key.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CKDpub((Kpar, cpar), i) → (Ki, ci)
i ≥ 2^31: hardened child
return fail
otherwise: normal child
let I = HMAC-SHA512(Key = cpar, Data = serP(Kpar) || ser32(i))
IL || IR = I
Ki = point(parse256(IL)) + Kpar
ci = IR
public key: (Ki, ci)
</code></pre></div></div>
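<p>Added example, not the BIP-32 reference code: CKDpriv and CKDpub from the two listings above over secp256k1 in pure Python (toy, non-constant-time curve arithmetic, fine for checking the derivation rules, unfit for handling real keys). The check at the end is the property the text states: for a normal index, CKDpub on the parent public key yields exactly point(CKDpriv(parent private key)), while a hardened index is refused on the public side.</p>

```python
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 1 << 31

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity. Not constant time."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point(k: int):
    """k*G by double-and-add."""
    acc, addend = None, G
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def ser32(i: int) -> bytes: return i.to_bytes(4, "big")
def ser256(k: int) -> bytes: return k.to_bytes(32, "big")
def parse256(b: bytes) -> int: return int.from_bytes(b, "big")
def serP(pt) -> bytes: return bytes([2 + (pt[1] & 1)]) + ser256(pt[0])   # compressed SEC1

def master_key(seed: bytes):
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return parse256(I[:32]), I[32:]                                        # (k_master, c_master)

def ckd_priv(k_par: int, c_par: bytes, i: int):
    """CKDpriv: hardened children hash the private key, normal ones the public key."""
    if i >= HARDENED:
        data = b"\x00" + ser256(k_par) + ser32(i)
    else:
        data = serP(point(k_par)) + ser32(i)
    I = hmac.new(c_par, data, hashlib.sha512).digest()
    il = parse256(I[:32])
    k_i = (il + k_par) % N
    if il >= N or k_i == 0:
        raise ValueError("invalid child; BIP-32 says proceed with the next index")
    return k_i, I[32:]

def ckd_pub(K_par, c_par: bytes, i: int):
    """CKDpub: normal children only; the parent private key never enters the HMAC."""
    if i >= HARDENED:
        raise ValueError("hardened child cannot be derived from the public key")
    I = hmac.new(c_par, serP(K_par) + ser32(i), hashlib.sha512).digest()
    il = parse256(I[:32])
    K_i = ec_add(point(il), K_par)
    if il >= N or K_i is None:
        raise ValueError("invalid child; proceed with the next index")
    return K_i, I[32:]

def derivation_check(seed: bytes, i: int = 0) -> dict:
    """Normal index: CKDpub(xpub) == point(CKDpriv(xprv)). Hardened index: CKDpub refuses."""
    k, c = master_key(seed)
    k_i, c_i = ckd_priv(k, c, i)
    K_i, c_i_pub = ckd_pub(point(k), c, i)
    try:
        ckd_pub(point(k), c, i | HARDENED)
        hardened_from_pub = True
    except ValueError:
        hardened_from_pub = False
    return {"normal_consistent": point(k_i) == K_i and c_i == c_i_pub,
            "hardened_from_pub": hardened_from_pub}
```

The consistency check passes only if the curve arithmetic is a correct group law (point(a + b) must equal point(a) + point(b)); to check the encoding side as well, run <code class="language-plaintext highlighter-rouge">master_key</code> against the test vectors in the BIP-32 document.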
<h1 id="bip-0044">BIP-0044</h1>
<p><a href="https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki">bip-0044</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>m / purpose' / coin_type' / account' / change / address_index
</code></pre></div></div>
FROST
2023-06-02T00:00:00+00:00
https://abbypan.github.io/2023/06/02/frost
<ul id="markdown-toc">
<li><a href="#frost" id="markdown-toc-frost">FROST</a> <ul>
<li><a href="#feldmans-verifiable-secret-sharing-vss-scheme" id="markdown-toc-feldmans-verifiable-secret-sharing-vss-scheme">Feldman’s Verifiable Secret Sharing (VSS) Scheme</a></li>
<li><a href="#keygen" id="markdown-toc-keygen">KeyGen</a></li>
<li><a href="#preprocess-for-signing" id="markdown-toc-preprocess-for-signing">Preprocess for signing</a></li>
<li><a href="#signing" id="markdown-toc-signing">Signing</a></li>
</ul>
</li>
<li><a href="#frost-interactive" id="markdown-toc-frost-interactive">FROST-Interactive</a> <ul>
<li><a href="#preprocess" id="markdown-toc-preprocess">Preprocess</a></li>
<li><a href="#signing-1" id="markdown-toc-signing-1">Signing</a></li>
</ul>
</li>
<li><a href="#ietf-draft" id="markdown-toc-ietf-draft">ietf draft</a></li>
</ul>
<h1 id="frost">FROST</h1>
<p><a href="https://eprint.iacr.org/2020/852.pdf">FROST: Flexible Round-Optimized Schnorr Threshold Signatures</a></p>
<p>A threshold signature scheme.</p>
<p>Based on Schnorr signatures; note the challenge is <code class="language-plaintext highlighter-rouge">c=H(R, Y, m)</code>, binding the group key Y.</p>
<h2 id="feldmans-verifiable-secret-sharing-vss-scheme">Feldman’s Verifiable Secret Sharing (VSS) Scheme</h2>
<p>A polynomial f of degree t−1 with <code class="language-plaintext highlighter-rouge">f(0)=s</code> and coefficients <code class="language-plaintext highlighter-rouge">(a1, . . . , at−1)</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>distributing the private share (i, f (i)) to each participant Pi
C = 〈φ0, . . . , φt−1〉
φ0 = g^s
φj = g^aj
</code></pre></div></div>
<p>Each share can be checked against the commitment C, and any t shares recover s by Lagrange interpolation.</p>
<h2 id="keygen">KeyGen</h2>
<p>Built on the VSS above.</p>
<p>Round 1:</p>
<p>Each Pi generates its own random fi, uses ai0 as a private key to produce a Schnorr signature <code class="language-plaintext highlighter-rouge">σi</code> on <code class="language-plaintext highlighter-rouge">φi0=g^ai0</code> (a proof of knowledge of ai0), and broadcasts <code class="language-plaintext highlighter-rouge">σi</code> together with <code class="language-plaintext highlighter-rouge">Ci = 〈φi0, . . . , φi(t−1)〉</code>.</p>
<p>Round 2:</p>
<p>Each Pi securely sends to each other participant Pl a secret share <code class="language-plaintext highlighter-rouge">(l, fi(l))</code></p>
<p>Pi checks that <code class="language-plaintext highlighter-rouge">g^fl(i)</code> equals the product of <code class="language-plaintext highlighter-rouge">φlk^(i^k mod q), 0 ≤ k ≤ t-1</code>, i.e. Pi confirms that the share fl(i) it received is consistent with the Cl that Pl published.</p>
<p>Pi then computes</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>si = ∑ fl(i), 1 ≤ l ≤ n
Yi = g^si
Y = ∏ φj0, 1 ≤ j ≤ n
</code></pre></div></div>
<p>Any other Pj can check <code class="language-plaintext highlighter-rouge">Yi = ∏ ∏ φlk^(i^k mod q), 0 ≤ k ≤ t-1; 1 ≤ l ≤ n</code></p>
<p>si is the sum of every participant's f evaluated at i, and serves as Pi's private key.</p>
<p>Y is g raised to <code class="language-plaintext highlighter-rouge">the sum of every participant's f evaluated at 0</code>, i.e. the group public key.</p>
<h2 id="preprocess-for-signing">Preprocess for signing</h2>
<p>Each Pi generates a random nonce list <code class="language-plaintext highlighter-rouge">((dij , Dij), (eij , Eij)), 1 ≤ j ≤ π</code>; Li is the set of <code class="language-plaintext highlighter-rouge">(Dij, Eij), 1 ≤ j ≤ π</code>.</p>
<p>One preprocess run yields <code class="language-plaintext highlighter-rouge">π</code> nonce pairs, enough for <code class="language-plaintext highlighter-rouge">π</code> signatures.</p>
<p>A nonce pair is deleted as soon as it is used; reusing one leaks the signing share.</p>
<h2 id="signing">Signing</h2>
<p>The SA picks <code class="language-plaintext highlighter-rouge">α : t ≤ α ≤ n</code> participants for this signing; the set of their next available commitments <code class="language-plaintext highlighter-rouge">(Di, Ei) : i ∈ S</code> is written <code class="language-plaintext highlighter-rouge">B</code>.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ρi = H1(i, m, B)
ki = di + ei · ρi
Ri = Di · Ei^(ρi)
zi = di + (ei · ρi) + λi · si · c
verify g^(zi) = Ri · Yi^(c·λi)
R = ∏ Ri, i∈S
z = ∑ zi, i∈S
σ = (R, z)
verify R = g^z · Y^(-c)
</code></pre></div></div>
<p>Obviously the effective secret nonce is <code class="language-plaintext highlighter-rouge">k = ∑ki i∈S</code></p>
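<p>Added example, not the FROST paper's or the IETF draft's code: the Feldman-VSS key generation (both rounds, including the share checks against the commitments and the proof of knowledge of ai0) and the signing round above, over a constructed toy Schnorr group (p = 2q + 1 with q prime, g of order q; tiny parameters, unfit for anything but checking the algebra). The hash inputs are separated with labels that are this example's assumptions, not the paper's encoding.</p>

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4      # toy group: p = 2q + 1, g = 4 has prime order q

def H(label: str, *parts) -> int:
    data = "|".join([label] + [str(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def lagrange(i: int, S) -> int:
    """λ_i for interpolating f(0) from the signer set S."""
    num = den = 1
    for j in S:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def eval_commitment(x: int, commit) -> int:
    """∏_k φ_k^(x^k) = g^f(x), computed from the Feldman commitment alone."""
    acc = 1
    for k, phi in enumerate(commit):
        acc = acc * pow(phi, pow(x, k, Q), P) % P
    return acc

class Participant:
    def __init__(self, i: int, t: int):
        self.i = i
        self.coeffs = [secrets.randbelow(Q) for _ in range(t)]      # a_i0 .. a_i(t-1)
        self.commit = [pow(G, a, P) for a in self.coeffs]            # C_i = <φ_i0 .. φ_i(t-1)>
        k = secrets.randbelow(Q)                                     # σ_i: Schnorr PoK of a_i0
        R = pow(G, k, P)
        self.pok = (R, (k + self.coeffs[0] * H("pok", i, self.commit[0], R)) % Q)
        self.shares = {}

    def f(self, x: int) -> int:
        return sum(a * pow(x, k, Q) for k, a in enumerate(self.coeffs)) % Q

def keygen(t: int, n: int):
    parts = [Participant(i, t) for i in range(1, n + 1)]
    for o in parts:                                    # Round 1: everyone checks every σ_l
        R, mu = o.pok
        if pow(G, mu, P) != R * pow(o.commit[0], H("pok", o.i, o.commit[0], R), P) % P:
            raise ValueError("bad proof of knowledge from P%d" % o.i)
    for p in parts:                                    # Round 2: receive f_l(i), check against C_l
        for o in parts:
            share = o.f(p.i)
            if pow(G, share, P) != eval_commitment(p.i, o.commit):
                raise ValueError("share from P%d inconsistent with its commitment" % o.i)
            p.shares[o.i] = share
        p.s = sum(p.shares.values()) % Q               # s_i = Σ_l f_l(i)
        p.Y = pow(G, p.s, P)
    Y = 1
    for p in parts:
        Y = Y * p.commit[0] % P                        # Y = ∏ φ_l0 = g^(Σ a_l0)
    return parts, Y

def sign(parts, Y: int, m: str, S):
    signers = [p for p in parts if p.i in S]
    for p in signers:                                  # preprocess: one (d, e) pair each (π = 1)
        p.d, p.e = secrets.randbelow(Q), secrets.randbelow(Q)
        p.D, p.E = pow(G, p.d, P), pow(G, p.e, P)
    B = [(p.i, p.D, p.E) for p in signers]
    R = 1
    for p in signers:
        p.rho = H("rho", p.i, m, B)
        p.R = p.D * pow(p.E, p.rho, P) % P
        R = R * p.R % P
    c = H("chal", R, Y, m)
    z = 0
    for p in signers:
        lam = lagrange(p.i, S)
        z_i = (p.d + p.e * p.rho + lam * p.s * c) % Q
        if pow(G, z_i, P) != p.R * pow(p.Y, c * lam % Q, P) % P:    # SA checks each share
            raise ValueError("bad signature share from P%d" % p.i)
        z = (z + z_i) % Q
        p.d = p.e = None                               # nonces are single-use
    return R, z

def verify(Y: int, m: str, sig) -> bool:
    R, z = sig
    return pow(G, z, P) == R * pow(Y, H("chal", R, Y, m), P) % P
```

Any t of the n participants produce a signature that verifies under the single group key Y with the plain Schnorr equation; the verifier never learns which subset signed.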
<h1 id="frost-interactive">FROST-Interactive</h1>
<p>The main difference is in how <code class="language-plaintext highlighter-rouge">ρi</code> is produced</p>
<h2 id="preprocess">Preprocess</h2>
<p><code class="language-plaintext highlighter-rouge">(i, 〈(Dij , Eij , Aij , Bij )〉, 1 ≤ j ≤ π)</code></p>
<p>Note that <code class="language-plaintext highlighter-rouge">Aij, Bij</code> are auxiliary commitments used to verify <code class="language-plaintext highlighter-rouge">ρi</code></p>
<h2 id="signing-1">Signing</h2>
<p>The SA publishes every <code class="language-plaintext highlighter-rouge">ρi</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ρi = aij + bij · Hρ(m, B)
</code></pre></div></div>
<p>Each participant checks</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>g^ρi = = Aij · Bij^(Hρ(m,B))
</code></pre></div></div>
<h1 id="ietf-draft">ietf draft</h1>
<p><a href="https://datatracker.ietf.org/doc/draft-irtf-cfrg-frost/">Two-Round Threshold Schnorr Signatures with FROST</a></p>
<p>The parameter names are really long...</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>hiding_nonce: di
hiding_nonce_commitment: Di
binding_nonce: ei
binding_nonce_commitment_i: Ei
binding_factor: ρi
</code></pre></div></div>
Verifiable Delay Functions
2023-05-31T00:00:00+00:00
https://abbypan.github.io/2023/05/31/vdf
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
<li><a href="#proof-of-work" id="markdown-toc-proof-of-work">Proof of Work</a></li>
<li><a href="#hidden-order-groups-rsa" id="markdown-toc-hidden-order-groups-rsa">hidden order groups, RSA</a> <ul>
<li><a href="#wesolowski" id="markdown-toc-wesolowski">Wesolowski</a></li>
<li><a href="#pietrzak" id="markdown-toc-pietrzak">Pietrzak</a></li>
</ul>
</li>
<li><a href="#de-feo" id="markdown-toc-de-feo">De Feo</a> <ul>
<li><a href="#supersingular-curves-over-fp" id="markdown-toc-supersingular-curves-over-fp">supersingular curves over Fp</a></li>
<li><a href="#supersingular-curves-over-fp2" id="markdown-toc-supersingular-curves-over-fp2">supersingular curves over Fp2</a></li>
</ul>
</li>
<li><a href="#univariate-permutation-polynomials" id="markdown-toc-univariate-permutation-polynomials">Univariate permutation polynomials</a> <ul>
<li><a href="#rational-functions-on-finite-fields" id="markdown-toc-rational-functions-on-finite-fields">Rational functions on finite fields</a></li>
<li><a href="#rational-maps-on-elliptic-curves" id="markdown-toc-rational-maps-on-elliptic-curves">Rational maps on elliptic curves</a></li>
<li><a href="#weaker-vdf" id="markdown-toc-weaker-vdf">weaker VDF</a></li>
</ul>
</li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://vdfresearch.org/">VDF research</a></p>
<p><a href="https://eprint.iacr.org/2018/712.pdf">A Survey of Two Verifiable Delay Functions</a></p>
<p><a href="https://speakerdeck.com/asanso/on-verifiable-delay-functions-vdf-how-to-slow-burning-down-the-planet-verifiably">On Verifiable Delay Functions</a></p>
<p>Expensive to compute, cheap to verify, and parallel computation gives no significant speedup.</p>
<p>Related: proofs of sequential work (PoSW).</p>
<p>Uses: randomness beacons (unpredictable), multiparty randomness (unbiased), consensus from proofs of resources (blockchains, leader election / voting).</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Setup pp = (ek, vk)
(y, 𝜋) = Eval(ek, x)
Verify(vk, x, y, 𝜋)
</code></pre></div></div>
<p>Correctness, Soundness, Sequentiality, Decodability, Incremental</p>
<h1 id="proof-of-work">Proof of Work</h1>
<p>Blockchain: find a nonce such that H(nonce, x) is below some target t.</p>
<h1 id="hidden-order-groups-rsa">hidden order groups, RSA</h1>
<p>Euler: <code class="language-plaintext highlighter-rouge">n = p*q</code>, <code class="language-plaintext highlighter-rouge">ϕ(n)=(p-1)*(q-1)</code></p>
<p>With the group order unknown to the evaluator this gives time-lock puzzles.</p>
<p>Requires a trusted setup (whoever knows the factorisation can shortcut the squarings); beware small-subgroup attacks.</p>
<h2 id="wesolowski">Wesolowski</h2>
<p><a href="https://eprint.iacr.org/2018/623.pdf">Wesolowski: Efficient verifiable delay functions</a></p>
<p>The verifier picks the prime l at random; this can be made non-interactive (NIZK), e.g. by setting <code class="language-plaintext highlighter-rouge">l=next_prime(hash(x, y, T))</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>r = 2^T mod l
2^T = m*l + r
𝜋 = x^m
y = x^(2^T)
Verify y = (𝜋^l) * (x^r)
</code></pre></div></div>
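<p>Added example, not from Wesolowski's paper: the evaluation, the proof and the verification above over a constructed toy RSA modulus (two small primes, so its order is trivially known; fine for checking the algebra, useless as a real VDF). The challenge prime l is derived from (x, y, T) as in the NIZK variant, and the proof π = x^⌊2^T / l⌋ is computed the way the paper does it, by long division of 2^T by l with one squaring per step, so the prover never holds the 2^T-bit exponent.</p>

```python
import hashlib

N = 10007 * 10009                 # constructed toy modulus: factors known, NOT a real setup
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: exact below 3.3e24, probabilistic for the 128-bit l used here."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n: int) -> int:
    while not is_probable_prime(n):
        n += 1
    return n

def challenge_prime(x: int, y: int, T: int) -> int:
    """Fiat-Shamir replacement for the verifier's random l: next_prime(hash(x, y, T))."""
    h = hashlib.sha256(f"{x}|{y}|{T}".encode()).digest()
    return next_prime(int.from_bytes(h[:16], "big"))

def evaluate(x: int, T: int) -> int:
    """y = x^(2^T): T sequential squarings, the part that cannot be parallelised."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y

def prove(x: int, T: int):
    """Returns (y, π) with π = x^⌊2^T/l⌋. Invariant after i steps: pi = x^⌊2^i/l⌋, r = 2^i mod l."""
    y = evaluate(x, T)
    l = challenge_prime(x, y, T)
    pi, r = 1, 1
    for _ in range(T):
        b, r = divmod(2 * r, l)              # b is the next bit of ⌊2^T/l⌋, always 0 or 1
        pi = pi * pi % N * pow(x, b, N) % N
    return y, pi

def verify(x: int, y: int, pi: int, T: int) -> bool:
    """One exponentiation by the 128-bit l plus x^(2^T mod l): cost independent of T squarings."""
    l = challenge_prime(x, y, T)
    r = pow(2, T, l)
    return pow(pi, l, N) * pow(x, r, N) % N == y % N
```

The verifier's work is a handful of exponentiations with 128-bit exponents however large T is, which is the whole point; the prover's extra work for π is another T multiplications, the same order as the evaluation itself.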
<h2 id="pietrzak">Pietrzak</h2>
<p><a href="https://eprint.iacr.org/2018/627.pdf">Pietrzak: Simple Verifiable Delay Functions</a></p>
<p>QR_N, the quadratic residues modulo N, make up a quarter of Z_N^*; QR_N^+ takes the absolute value |x| of each element, i.e. the representative in <code class="language-plaintext highlighter-rouge">{−(n − 1)/2, . . . , (n − 1)/2}</code>.</p>
<p>The cyclic group QR_N^+ chosen for the protocol is isomorphic to QR_N, and unlike QR_N its membership is efficiently checkable (Jacobi symbol +1 and representative at most (n − 1)/2), which the verifier needs.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>P: μ = x^(2^(T/2)), y=μ^(2^(T/2))
P->V: y
P->V: μ
V->P: r
P: (x', y') = (x^r * μ, μ^r * y)
P -> V: (x', y'), T/2
V: verify y' = x'^(2^(T/2))
</code></pre></div></div>
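<p>Added example, not from Pietrzak's paper: the halving protocol above, made non-interactive by deriving r from a hash, in the group of signed quadratic residues over a constructed toy modulus (every element is kept as its representative |x| ≤ (N−1)/2). Each round the prover sends μ = x^(2^(T/2)), both sides move to (x', y') = (x^r μ, μ^r y) with T halved, and after log2(T) rounds the verifier checks y' = x'^2 directly. T must be a power of two here.</p>

```python
import hashlib

N = 10007 * 10009                 # constructed toy modulus; unfit for real use
HALF = (N - 1) // 2

def canon(a: int) -> int:
    """Representative of |a| in QR_N^+: whichever of a mod N and N - a mod N is <= (N-1)/2."""
    a %= N
    return a if a <= HALF else N - a

def mul(a: int, b: int) -> int:
    return canon(a * b)

def power(a: int, e: int) -> int:
    r, base = 1, canon(a)
    while e:
        if e & 1:
            r = mul(r, base)
        base = mul(base, base)
        e >>= 1
    return r

def square_T(x: int, T: int) -> int:
    for _ in range(T):
        x = mul(x, x)
    return x

def challenge(x: int, y: int, mu: int, T: int) -> int:
    """Fiat-Shamir stand-in for the verifier's random r."""
    h = hashlib.sha256(f"{x}|{y}|{mu}|{T}".encode()).digest()
    return int.from_bytes(h[:16], "big")

def prove(x: int, T: int):
    """Returns y = x^(2^T) and the log2(T) midpoints μ, one per halving round."""
    x = canon(x)
    y = square_T(x, T)
    proof, xi, yi = [], x, y
    while T > 1:
        mu = square_T(xi, T // 2)                     # μ = x_i^(2^(T/2))
        proof.append(mu)
        r = challenge(xi, yi, mu, T)
        xi, yi, T = mul(power(xi, r), mu), mul(power(mu, r), yi), T // 2
    return y, proof

def verify(x: int, y: int, T: int, proof) -> bool:
    xi, yi = canon(x), canon(y)
    for mu in proof:
        if T <= 1:
            return False
        r = challenge(xi, yi, mu, T)
        xi, yi, T = mul(power(xi, r), mu), mul(power(mu, r), yi), T // 2
    return T == 1 and yi == mul(xi, xi)               # the last claim y' = x'^2 is checked directly
```

If an honest μ is sent, x'^(2^(T/2)) = x^(r·2^(T/2)) · μ^(2^(T/2)) = μ^r · y = y', so the halved statement stays true; a dishonest μ survives a round only if the prover guesses r, which the hash makes infeasible. This prover recomputes the midpoints from scratch each round; the paper stores the intermediate squarings instead.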
<h1 id="de-feo">De Feo</h1>
<p><a href="https://eprint.iacr.org/2019/166.pdf">De Feo: Verifiable Delay Functions from Supersingular Isogenies and Pairings</a></p>
<p>Also needs a trusted setup; the attacks target the internal structure of the curve.</p>
<p>For example the pairing-friendly curves used by BLS signatures: a subgroup of order N over <code class="language-plaintext highlighter-rouge">F_(p^k)</code>, with embedding degree k and characteristic p.</p>
<p>X1, X2, Y1, Y2 and G all have order N.</p>
<p>φ and ˆφ (its dual) are degree-l isogenies between E and E′.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>φ : X1 → Y1
eY : Y1 × Y2 → G
X1 × Y2 -> Y1 × Y2 -> G
ˆφ : Y2 → X2
eX : X1 × X2 → G
X1 × Y2 -> X1 x X2 -> G
eX (P, ˆφ(Q)) = eY (φ(P ), Q)
</code></pre></div></div>
<p>P is a generator of X1.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pp = (N, X1, X2, Y1, Y2, G, eX , eY , P, φ(P ))
</code></pre></div></div>
<h2 id="supersingular-curves-over-fp">supersingular curves over Fp</h2>
<p>Same setting as CSIDH.</p>
<p>Supersingular curve E/Fp, with N dividing #E(Fp) = p + 1.</p>
<p>E and its quadratic twist Ẽ become isomorphic over Fp2; the Fp-rational N-torsion of E gives X2, and that of Ẽ, pulled back to E, gives X1.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>u ∈ Fp^2 \ Fp, u^2 ∈ Fp
υ : E → ̃E
(x, y) → (u^2 * x, u^3 * y)
X2 = E[N] ∩ E(Fp).
X1 = υ^−1 ( ̃E[N] ∩ ̃E(Fp) )
Y2 = E′[N] ∩ E′(Fp)
Y1 = υ^−1 ( ̃E′[N] ∩ ̃E′(Fp))
isogeny φ : E → E′ of degree l^T, with dual ˆφ : E′ → E
P a generator of X1
(ek, vk) = (ˆφ, (E, E′, P, φ(P)))
Eval( ˆφ, Q ∈ Y2) = ˆφ(Q)
Verify(E, E′, P, Q, φ(P), ˆφ(Q))
ˆφ(Q) ∈ X2
eN (P, ˆφ(Q)) = eN (φ(P), Q).
</code></pre></div></div>
<h2 id="supersingular-curves-over-fp2">supersingular curves over Fp2</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Let π be the Frobenius endomorphism of E/Fp, the trace map on E/Fp2 is the map
Tr: E/Fp2 → E/Fp,
P → P + π(P).
eN (P, Tr(R)) = eN (P, (1+π)(R))
= eN ((1−π)(P), R)
= eN ([2]P, R)
= eN (P, R) ^2
f : E′[N] → X2,
Q → (Tr ◦ ˆφ)(Q);
Eval( ˆφ, Q ∈ E′[N]) = (Tr ◦ ˆφ)(Q)
Verify(E, E′, P, Q, φ(P ), (Tr ◦ ˆφ)(Q))
(Tr ◦ ˆφ)(Q) ∈ X2
eN (P, (Tr ◦ ˆφ)(Q)) = eN (φ(P), Q) ^2
</code></pre></div></div>
<h1 id="univariate-permutation-polynomials">Univariate permutation polynomials</h1>
<p><a href="https://iacr.org/cryptodb/data/paper.php?pubkey=28858">Verifiable Delay Functions</a></p>
<p>An <code class="language-plaintext highlighter-rouge">injective rational map F = (f1 , ...., fm)</code> from <code class="language-plaintext highlighter-rouge">Y ⊆ Fq^n</code> to <code class="language-plaintext highlighter-rouge">X ⊆ Fq^m</code>; evaluating the VDF means inverting F:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fi( ̄y) = xi for i = 1, ..., m
fi( ̄y) = g( ̄y)/h( ̄y) = xi
zi( ̄y) := g( ̄y)−xi*h( ̄y) = 0
</code></pre></div></div>
<h2 id="rational-functions-on-finite-fields">Rational functions on finite fields</h2>
<p>Root finding over a finite field (inverting a univariate rational function):</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>F(X) = g(X)/h(X)
GCD(X^q − X, g(X) − c · h(X))
outputs X − s for the unique s such that F(s) = c
</code></pre></div></div>
<h2 id="rational-maps-on-elliptic-curves">Rational maps on elliptic curves</h2>
<p>Finding the common points on a curve via resultants:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>E(y, x) = y^2 − x^3 − ax − b
R = Res_y (z1 , z2) is a univariate polynomial in x of degree deg(z1) · deg(z2) such that R(x) = 0
R ′= Res_y (R, E)
</code></pre></div></div>
<h2 id="weaker-vdf">weaker VDF</h2>
<p>A weaker VDF whose delay rests on the cost of these GCD / resultant computations; the proof is empty and verification is a single evaluation of F:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Setup(λ, t): choose a (q, F, X , Y) ∈ F specified by λ and t, and output pp := ((q, F ), (q, F )).
Eval((q, F), ̄x):
for an output ̄x ∈ X ⊆ Fq^m
compute ̄y ∈ Y such that F ( ̄y) = ̄x;
The proof π is empty.
Verify((q, F ), ̄x, ̄y, π)
outputs Yes if F ( ̄y) = ̄x.
</code></pre></div></div>
Verifiable Distributed Aggregation Functions
2023-05-29T00:00:00+00:00
https://abbypan.github.io/2023/05/29/vdaf
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
<li><a href="#prio" id="markdown-toc-prio">prio</a></li>
<li><a href="#plasma" id="markdown-toc-plasma">PLASMA</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/">vdaf</a></p>
<p>Targets the secure multi-party computation setting. Unlike differential privacy, which adds noise to the statistic, a VDAF works by <code class="language-plaintext highlighter-rouge">split on submission, compute independently, merge on evaluation</code>.</p>
<p>client -> aggregator -> collector.</p>
<p>Each client randomly splits its measurement into n shares and sends one to each of the n aggregators; each aggregator combines the shares it received and reports to the collector, which merges the aggregators' outputs.</p>
<p>If the client also submits a proof that its measurement is well-formed alongside the shares, and the aggregators check it before aggregating, the scheme is a VDAF rather than a plain DAF.</p>
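<p>The split / aggregate / merge flow, as an added example (not code from the draft or the page): clients additively share a 0/1 measurement across aggregators over a prime field; no aggregator sees a raw value, yet the collector recovers the exact sum. The field size is a constructed choice. The second half shows why the "V" matters: without a validity proof a client can submit shares of a negative value and silently skew the count.</p>

```python
import secrets

# Field for the shares; any prime larger than the largest possible aggregate works.
P = 2**61 - 1


def split(measurement: int, n_aggregators: int) -> list:
    """Additive secret sharing: n-1 uniformly random shares, the last one fixes the
    sum. Any n-1 shares are uniform and reveal nothing about the measurement."""
    shares = [secrets.randbelow(P) for _ in range(n_aggregators - 1)]
    shares.append((measurement - sum(shares)) % P)
    return shares


def aggregate(received: list) -> int:
    """Aggregator: adds the shares it received from every client, never raw values."""
    return sum(received) % P


def collect(aggregator_outputs: list) -> int:
    """Collector: the sum of the aggregators' partial sums equals the sum of all measurements."""
    return sum(aggregator_outputs) % P


def run(measurements: list, n_aggregators: int = 2) -> int:
    inboxes = [[] for _ in range(n_aggregators)]
    for m in measurements:
        for inbox, share in zip(inboxes, split(m, n_aggregators)):
            inbox.append(share)
    return collect([aggregate(inbox) for inbox in inboxes])


def signed(total: int) -> int:
    """Read a field element as a signed integer, to expose underflow caused by a cheating client."""
    return total - P if total > P // 2 else total
```

<p>A VDAF such as Prio3 closes the gap shown in the last lines by having the client prove, in secret-shared form, that its input is a valid 0/1 value before the aggregators accept the shares.</p>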
<h1 id="prio">prio</h1>
<p><a href="https://crypto.stanford.edu/prio/">prio</a></p>
<p>zkp: secret-shared non-interactive proofs (SNIPs)</p>
<p>The proof is checked in aggregate: the servers obtain shares of <code class="language-plaintext highlighter-rouge">f(r), r*g(r), r*h(r)</code> at a random point r and validate that <code class="language-plaintext highlighter-rouge">r*(f(r)*g(r) - h(r))</code> is zero.</p>
<h1 id="plasma">PLASMA</h1>
<p><a href="https://eprint.iacr.org/2023/80">PLASMA: Private, Lightweight Aggregated Statistics against Malicious Adversaries with Full Security</a></p>
<p><a href="https://datatracker.ietf.org/meeting/116/materials/slides-116-cfrg-plasma-00.pdf">slides-116-cfrg-plasma</a></p>
RFC7664: Dragonfly Key Exchange
2023-05-29T00:00:00+00:00
https://abbypan.github.io/2023/05/29/dragonfly
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a> <ul>
<li><a href="#derivation-of-the-password-element" id="markdown-toc-derivation-of-the-password-element">Derivation of the Password Element</a></li>
<li><a href="#commit-exchange" id="markdown-toc-commit-exchange">Commit Exchange</a></li>
<li><a href="#confirm-exchange" id="markdown-toc-confirm-exchange">Confirm Exchange</a></li>
</ul>
</li>
<li><a href="#security" id="markdown-toc-security">security</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://www.rfc-editor.org/rfc/rfc7664.html">RFC7664</a></p>
<h2 id="derivation-of-the-password-element">Derivation of the Password Element</h2>
<p>1) Hash both identities, the password and a counter to obtain base:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter)
</code></pre></div></div>
<p>2) From base derive a <code class="language-plaintext highlighter-rouge">seed ( 1<= seed < p)</code>:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>temp = KDF-n(base, "Dragonfly Hunting and Pecking")
seed = (temp mod (p - 1)) + 1
</code></pre></div></div>
<p>3) ECC groups: if <code class="language-plaintext highlighter-rouge">seed^3 + a*seed + b</code> is a quadratic residue mod p, seed becomes the x-coordinate; otherwise counter++ and recompute base. FFC groups: <code class="language-plaintext highlighter-rouge">PE = seed^((p-1)/q) mod p</code> is accepted if it is greater than 1. RFC 7664 keeps the ECC loop running for at least k (k >= 40) iterations even after a hit, so that its running time does not depend on the password.</p>
<p>4) Solve the curve equation for y; RFC 7664 takes the root whose low-order bit matches that of the base saved in the successful iteration, giving PE = (x, y) or (x, p - y).</p>
<h2 id="commit-exchange">Commit Exchange</h2>
<p>q is the order of the group generated by PE; private and mask are random in [1, q-1], regenerated if the resulting scalar is less than 2:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>scalar = (private + mask) mod q
Element = - mask * PE
</code></pre></div></div>
<p>Both sides exchange (scalar, Element). On receipt, scalar must lie in (1, q) and Element must be a valid element of the order-q group other than the identity:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>share = private * (peer-Element + peer-scalar * PE)
= private * peer-private * PE
ss = F(share)
kck | mk = KDF-n(ss, "Dragonfly Key Derivation")
</code></pre></div></div>
<h2 id="confirm-exchange">Confirm Exchange</h2>
<p>Each side verifies the peer's confirm value; on success mk becomes the master key for the session (F is the x-coordinate for ECC groups and the identity for FFC groups):</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>confirm = H(kck | scalar | peer-scalar | Element | Peer-Element | <sender-id>)
</code></pre></div></div>
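<p>The full exchange (hunting and pecking, commit, confirm) for both parties, as an added example that is not the RFC's or the page's code. It runs over a toy MODP group p = 2q + 1 with p = 1019, q = 509, constructed for the example so that it executes instantly; the counter-mode HMAC-SHA256 instantiation of KDF-n and the byte encodings are this example's assumptions. The receiver validates the peer's scalar and Element before using them, which is the small-subgroup defence from the security section.</p>

```python
import hashlib
import hmac
import secrets

# Toy MODP group, constructed for this example: p = 2q + 1 with p = 1019 and
# q = 509 both prime. RFC 7664 requires a standardised group (e.g. an RFC 3526
# MODP group); this one only illustrates the message flow.
P, Q = 1019, 509
NBYTES = (P.bit_length() + 7) // 8
K_MIN_ROUNDS = 40      # keep hunting for a fixed number of rounds (RFC 7664 specifies
                       # this for the ECC loop; applied here to the FFC loop as well)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def kdf_n(key: bytes, label: str, nbits: int) -> int:
    """Counter-mode HMAC-SHA256 KDF returning nbits bits (assumed instantiation of KDF-n)."""
    out, i = b"", 1
    while len(out) * 8 < nbits:
        out += hmac.new(key, bytes([i]) + label.encode(), hashlib.sha256).digest()
        i += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def enc(v: int) -> bytes:
    return v.to_bytes(NBYTES, "big")


def derive_pe(alice: bytes, bob: bytes, password: bytes) -> int:
    """Hunting and pecking, FFC variant (RFC 7664 3.2.2): PE = seed^((p-1)/q) mod p, PE > 1.
    The number of iterations does not depend on where the first hit happens."""
    pe, counter = None, 1
    nbits = P.bit_length() + 64
    while pe is None or counter <= K_MIN_ROUNDS:
        base = H(max(alice, bob) + min(alice, bob) + password + bytes([counter]))
        seed = kdf_n(base, "Dragonfly Hunting And Pecking", nbits) % (P - 1) + 1
        candidate = pow(seed, (P - 1) // Q, P)
        if candidate > 1 and pe is None:
            pe = candidate
        counter += 1
    return pe


class Party:
    def __init__(self, ident: bytes, pe: int):
        self.ident, self.pe = ident, pe
        while True:
            self.private = secrets.randbelow(Q - 1) + 1        # [1, q-1]
            self.mask = secrets.randbelow(Q - 1) + 1
            self.scalar = (self.private + self.mask) % Q
            if self.scalar > 1:                                 # RFC 7664: scalar must be >= 2
                break
        self.element = pow(self.pe, Q - self.mask, P)           # Element = PE^(-mask)

    def commit(self):
        return self.scalar, self.element

    def receive_commit(self, peer_scalar: int, peer_element: int) -> None:
        # Validate before use: scalar in (1, q), Element in the order-q subgroup
        # and not the identity (small-subgroup / invalid-element defence).
        if not 1 < peer_scalar < Q:
            raise ValueError("peer scalar out of range")
        if not 1 < peer_element < P or pow(peer_element, Q, P) != 1:
            raise ValueError("peer Element not in the prime-order subgroup")
        self.peer_scalar, self.peer_element = peer_scalar, peer_element
        # share = (peer-Element * PE^peer-scalar)^private = PE^(private * peer-private)
        share = pow(peer_element * pow(self.pe, peer_scalar, P) % P, self.private, P)
        ss = enc(share)                                         # F() is the identity for FFC
        km = kdf_n(ss, "Dragonfly Key Derivation", 512).to_bytes(64, "big")
        self.kck, self.mk = km[:32], km[32:]

    def confirm(self) -> bytes:
        return H(self.kck + enc(self.scalar) + enc(self.peer_scalar)
                 + enc(self.element) + enc(self.peer_element) + self.ident)

    def verify_confirm(self, peer_confirm: bytes, peer_ident: bytes) -> bool:
        expected = H(self.kck + enc(self.peer_scalar) + enc(self.scalar)
                     + enc(self.peer_element) + enc(self.element) + peer_ident)
        return hmac.compare_digest(expected, peer_confirm)
```

<p>An attacker who does not know the password derives a different PE, so its share and kck differ and verify_confirm() fails; each such attempt costs one online exchange, which is the offline-dictionary resistance claimed in the security section.</p>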
<h1 id="security">security</h1>
<p>Resistant to active attack, passive attack and offline dictionary attack (each password guess costs an online exchange).</p>
<p>Different clients derive different session keys: the identities are bound into PE and into confirm.</p>
<p>Side-channel attacks: the hunting-and-pecking loop and the group arithmetic must take password-independent time.</p>
<p>Small-subgroup attacks: validate the peer's Element (on the curve / in the order-q subgroup, not the identity) and reject scalars outside (1, q).</p>
Key Blinding for Signature Schemes
2023-05-22T00:00:00+00:00
https://abbypan.github.io/2023/05/22/key-blinding
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
<li><a href="#security" id="markdown-toc-security">security</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://datatracker.ietf.org/doc/draft-irtf-cfrg-signature-key-blinding/">Key Blinding for Signature Schemes</a></p>
<p>Core properties: unforgeability and unlinkability.</p>
<p>Follows the RFC 8032 EdDSA key expansion:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>s1 || prefix1 = hash(skS)
</code></pre></div></div>
<p>Introduce a private blinding key bk; ctx plays the role of a domain-separation tag (DST), so the same bk yields independent blinded keys in different contexts.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>s2 || prefix2 = hash(bk || 0x00 || ctx)
</code></pre></div></div>
<p>The blinded public key is pkR = s2 * pkS (scalar multiplication).</p>
<p>To sign under pkR, the secret scalar becomes <code class="language-plaintext highlighter-rouge">s1*s2</code> (mod L) and the nonce prefix is derived from <code class="language-plaintext highlighter-rouge">prefix1 || prefix2</code>.</p>
<p>Thus one skS maps to many distinct pkR, each with its own signatures, which verify as ordinary EdDSA signatures under pkR and cannot be linked back to pkS without bk.</p>
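<p>Key blinding on top of a minimal Ed25519, as an added example that is neither the draft's reference code nor the page's. The curve arithmetic is a straightforward affine implementation of RFC 8032 (slow, dependency-free); the blinding follows the structure in the text, but the exact hashing and clamping of the blind and the way prefix1 and prefix2 are combined are this example's assumptions rather than the draft's normative encoding, so it will not reproduce the draft's test vectors. It does show the property that matters: a signature made with s1*s2 verifies under pkR = s2*pkS, and different ctx values give unrelated pkR.</p>

```python
import hashlib

# Minimal Ed25519 (RFC 8032) in pure Python with affine Edwards arithmetic.
Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493


def inv(x: int) -> int:
    return pow(x, Q - 2, Q)


D = -121665 * inv(121666) % Q
I = pow(2, (Q - 1) // 4, Q)            # sqrt(-1)


def xrecover(y: int) -> int:
    xx = (y * y - 1) * inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * I % Q
    return Q - x if x & 1 else x


BY = 4 * inv(5) % Q
B = (xrecover(BY), BY)                  # base point


def add(p1, p2):
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % Q,
            (y1 * y2 + x1 * x2) * inv(1 - t) % Q)


def mul(p, e: int):
    r = (0, 1)                          # identity
    while e:
        if e & 1:
            r = add(r, p)
        p = add(p, p)
        e >>= 1
    return r


def encode(p) -> bytes:
    x, y = p
    return (y | (x & 1) << 255).to_bytes(32, "little")


def decode(b: bytes):
    y = int.from_bytes(b, "little")
    x = xrecover(y & (1 << 255) - 1)
    return (Q - x if (x & 1) != (y >> 255) else x, y & (1 << 255) - 1)


def sha512(*parts: bytes) -> bytes:
    return hashlib.sha512(b"".join(parts)).digest()


def clamp(h32: bytes) -> int:
    a = int.from_bytes(h32, "little")
    return a & ((1 << 254) - 8) | 1 << 254


def expand(sk: bytes):
    """s || prefix = SHA-512(sk), the RFC 8032 key expansion."""
    h = sha512(sk)
    return clamp(h[:32]), h[32:]


def public_key(sk: bytes) -> bytes:
    return encode(mul(B, expand(sk)[0]))


def sign_with(s: int, prefix: bytes, pk: bytes, msg: bytes) -> bytes:
    r = int.from_bytes(sha512(prefix, msg), "little") % L
    R = encode(mul(B, r))
    k = int.from_bytes(sha512(R, pk, msg), "little") % L
    return R + ((r + k * s) % L).to_bytes(32, "little")


def sign(sk: bytes, msg: bytes) -> bytes:
    s, prefix = expand(sk)
    return sign_with(s, prefix, public_key(sk), msg)


def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 64:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= L:                          # reject non-canonical S (malleability)
        return False
    k = int.from_bytes(sha512(sig[:32], pk, msg), "little") % L
    return mul(B, S) == add(decode(sig[:32]), mul(decode(pk), k))


def blind_scalar(bk: bytes, ctx: bytes):
    """s2 || prefix2 = SHA-512(bk || 0x00 || ctx); clamping s2 is this example's choice."""
    h = sha512(bk, b"\x00", ctx)
    return clamp(h[:32]), h[32:]


def blind_public_key(pk: bytes, bk: bytes, ctx: bytes) -> bytes:
    return encode(mul(decode(pk), blind_scalar(bk, ctx)[0]))      # pkR = s2 * pkS


def blind_sign(sk: bytes, bk: bytes, ctx: bytes, msg: bytes) -> bytes:
    s1, prefix1 = expand(sk)
    s2, prefix2 = blind_scalar(bk, ctx)
    pkR = blind_public_key(public_key(sk), bk, ctx)
    return sign_with(s1 * s2 % L, prefix1 + prefix2, pkR, msg)    # verifies under pkR
```

<p>verify() is the plain RFC 8032 verifier: a relying party that only knows pkR cannot tell a blinded signature from an ordinary one, and the same signature does not verify under pkS.</p>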
<h1 id="security">security</h1>
<p><a href="https://eprint.iacr.org/2015/1135">On the Security of the Schnorr Signature Scheme and DSA against Related-Key Attacks</a></p>
<p>Schnorr and DSA signatures admit related-key attacks: a signature under a related key can be turned into a signature under the original key.</p>
<p>For Schnorr the attack amounts to scaling s by the related-key factor h′, which is not very interesting.</p>
<p>For DSA the attack yields a signature on a new H(m); combined with a weak hash this is a real risk.</p>
<p>Mitigation: hash <code class="language-plaintext highlighter-rouge">H( m || r || pk(x) )</code>, i.e. bind the public key into the challenge, where pk is recomputed from the secret x at signing time rather than read from storage.</p>
FIPS 186-5 Digital Signature Standard (DSS)
2023-05-22T00:00:00+00:00
https://abbypan.github.io/2023/05/22/dss
<ul id="markdown-toc">
<li><a href="#signature" id="markdown-toc-signature">signature</a></li>
<li><a href="#curve" id="markdown-toc-curve">curve</a></li>
</ul>
<h1 id="signature">signature</h1>
<p><a href="https://csrc.nist.gov/publications/detail/fips/186/5/final">FIPS 186-5 Digital Signature Standard (DSS)</a></p>
<p>Adds deterministic ECDSA and EdDSA.</p>
<p>RSASSA-PSS and ECDSA may use XOFs as the hash function.</p>
<p>Only standardized curves are retained, with the curve parameters moved to SP 800-186.</p>
<p>DSA is removed (no longer approved for signature generation).</p>
<h1 id="curve">curve</h1>
<p><a href="https://csrc.nist.gov/publications/detail/sp/800-186/final">SP 800-186 Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a></p>
<p>Adds the Montgomery and twisted Edwards curves (Curve25519/Curve448 and Edwards25519/Edwards448).</p>
BLS Signatures
2023-05-22T00:00:00+00:00
https://abbypan.github.io/2023/05/22/bls-signature
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
<li><a href="#keyvalidate" id="markdown-toc-keyvalidate">KeyValidate</a></li>
<li><a href="#coresign" id="markdown-toc-coresign">CoreSign</a></li>
<li><a href="#coreverify" id="markdown-toc-coreverify">CoreVerify</a></li>
<li><a href="#aggregate" id="markdown-toc-aggregate">Aggregate</a></li>
<li><a href="#coreaggregateverify" id="markdown-toc-coreaggregateverify">CoreAggregateVerify</a></li>
<li><a href="#bls-signatures" id="markdown-toc-bls-signatures">BLS Signatures</a> <ul>
<li><a href="#basic-scheme" id="markdown-toc-basic-scheme">Basic scheme</a></li>
<li><a href="#message-augmentation" id="markdown-toc-message-augmentation">Message augmentation</a></li>
<li><a href="#proof-of-possession" id="markdown-toc-proof-of-possession">Proof of possession</a></li>
<li><a href="#bls-multi-signatures-with-public-key-aggregation" id="markdown-toc-bls-multi-signatures-with-public-key-aggregation">BLS Multi-Signatures With Public-Key Aggregation</a></li>
</ul>
</li>
<li><a href="#security" id="markdown-toc-security">security</a></li>
<li><a href="#use-case" id="markdown-toc-use-case">use case</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://datatracker.ietf.org/doc/draft-irtf-cfrg-bls-signature/">BLS Signatures: draft-irtf-cfrg-bls-signature</a></p>
<p><a href="https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html">BLS Multi-Signatures With Public-Key Aggregation</a></p>
<p><a href="https://2π.com/22/bls-signatures/">BLS Signatures</a></p>
<h1 id="keyvalidate">KeyValidate</h1>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>result = KeyValidate(PK)
</code></pre></div></div>
<p>valid point, not identity element, prime order subgroup point check</p>
<h1 id="coresign">CoreSign</h1>
<p>Hash the message to a curve point and multiply it by SK; the pairing is what makes the result publicly verifiable.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Q = hash_to_point(message)
R = SK * Q
</code></pre></div></div>
<h1 id="coreverify">CoreVerify</h1>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>result = CoreVerify(PK, message, signature)
check that signature decodes to a valid point R in the prime-order subgroup
check KeyValidate(PK)
Q = hash_to_point(message)
C1 = pairing(Q, PK)
C2 = pairing(R, P)
If C1 == C2, return VALID, else return INVALID
Correctness: C2 = pairing(SK * Q, P) = pairing(Q, SK * P) = pairing(Q, PK) = C1
</code></pre></div></div>
<h1 id="aggregate">Aggregate</h1>
<p>Validate each <code class="language-plaintext highlighter-rouge">signature_i</code> (valid point, subgroup check).</p>
<p>Aggregation is point addition of the signatures.</p>
<p>When many signatures are aggregated, public keys are best placed on the smaller curve (the minimal-pubkey-size variant): the aggregate signature is a single element, but every public key still has to be transmitted.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>R = signature_1 + ... + signature_n
</code></pre></div></div>
<h1 id="coreaggregateverify">CoreAggregateVerify</h1>
<p>Validate R and every <code class="language-plaintext highlighter-rouge">PK_i</code>.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C_i = pairing(hash_to_point(message_i), PK_i)
C1 = C_1 * ... * C_n
C2 = pairing(R, P)
If C1 == C2, return VALID, else return INVALID
</code></pre></div></div>
<p>This costs n+1 pairings.</p>
<h1 id="bls-signatures">BLS Signatures</h1>
<p>Plain point addition does not rule out cancellation: an adversary can choose keys that sum to something it controls.</p>
<h2 id="basic-scheme">Basic scheme</h2>
<p>All <code class="language-plaintext highlighter-rouge">message_i</code> must be distinct; duplicates are rejected.</p>
<h2 id="message-augmentation">Message augmentation</h2>
<p>Prefix the message with the signer's PK before <code class="language-plaintext highlighter-rouge">hash_to_point</code>:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>message = PK || message
</code></pre></div></div>
<h2 id="proof-of-possession">Proof of possession</h2>
<p>The signer signs its own PK (under a separate DST); that signature is the proof of possession.</p>
<p>Both the message signature and the PK proof have to be verified.</p>
<p>Size and cost both increase.</p>
<p>In this mode, when every signer signs the same message, verification reduces to two pairings (FastAggregateVerify):</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>R = signature_1 + ... + signature_n
PK = PK_1 + ... + PK_n
CoreVerify(PK, message, R)
</code></pre></div></div>
<h2 id="bls-multi-signatures-with-public-key-aggregation">BLS Multi-Signatures With Public-Key Aggregation</h2>
<p><a href="https://crypto.stanford.edu/~dabo/pubs/papers/BLSmultisig.html">BLS Multi-Signatures With Public-Key Aggregation</a></p>
<p><a href="https://link.springer.com/chapter/10.1007/978-3-030-03329-3_15">Compact Multi-signatures for Smaller Blockchains</a></p>
<p>Add a hash to per-key exponents: <code class="language-plaintext highlighter-rouge">(t_1, ..., t_n) = H1(PK_1, ..., PK_n)</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>PK_i~ = PK_i ^ t_i
signature_i~ = signature_i ^ t_i
</code></pre></div></div>
<p>When all messages are identical this also verifies with two pairings.</p>
<p>Any change in the set of signers changes every t_i, so everything has to be recomputed.</p>
<h1 id="security">security</h1>
<p>Rogue key attack: an attacker publishes a key it does not hold the secret for, chosen so that the aggregate signature and aggregate public key still pass aggregate verification. Root cause: no proof of possession, and cancellation under point addition.</p>
<p>Domain separation (DST) between schemes, and between proof-of-possession and message signing.</p>
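<p>Worked derivation of the rogue-key attack, added here in the page's own notation (not from the draft); the attacker's freely chosen secret is written sk_2'.</p>

```
Honest signer publishes PK_1 = sk_1 * P.
Attacker picks its own secret sk_2' and publishes the rogue key
    PK_2 = sk_2' * P - PK_1          (nobody asks for a proof of possession)
Aggregate public key in the same-message (FastAggregateVerify) setting:
    PK = PK_1 + PK_2 = sk_2' * P
The attacker alone computes Q = hash_to_point(message) and R = sk_2' * Q, and
    pairing(Q, PK) = pairing(Q, sk_2' * P) = pairing(sk_2' * Q, P) = pairing(R, P)
so CoreVerify(PK, message, R) returns VALID: a "signature by PK_1 and PK_2"
that the holder of sk_1 never produced.
Each defence breaks one step above:
    proof of possession  - the attacker cannot sign PK_2 itself, not knowing its discrete log
    message augmentation - Q_i = hash_to_point(PK_i || message) differs per key, so the
                           per-key pairings no longer collapse into a single one
    multi-signature t_i  - PK = sum t_i * PK_i with t_i = H1(PK_1, ..., PK_n), which the
                           attacker cannot steer by choosing PK_2
```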
<p>KeyValidate</p>
<p>point validation</p>
<p>side channel attack (constant time)</p>
<p>CSPRNG</p>
<h1 id="use-case">use case</h1>
<p>Blockchain transaction/block size: aggregated signatures save space.</p>
<p>Where money is at stake, a rogue key attack is correspondingly more dangerous.</p>
The BBS Signature Scheme
2023-05-18T00:00:00+00:00
https://abbypan.github.io/2023/05/18/bbs-signature
<ul id="markdown-toc">
<li><a href="#doc" id="markdown-toc-doc">doc</a></li>
<li><a href="#sign" id="markdown-toc-sign">Sign</a></li>
<li><a href="#verify" id="markdown-toc-verify">Verify</a></li>
<li><a href="#proofgen" id="markdown-toc-proofgen">ProofGen</a></li>
<li><a href="#proofverify" id="markdown-toc-proofverify">ProofVerify</a></li>
<li><a href="#security" id="markdown-toc-security">security</a></li>
<li><a href="#use-case" id="markdown-toc-use-case">use case</a></li>
</ul>
<h1 id="doc">doc</h1>
<p><a href="https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/">The BBS Signature Scheme</a></p>
<p><a href="https://research.nccgroup.com/wp-content/uploads/2020/07/NCC_Group_Zcash2018_Public_Report_2019-01-30_v1.3.pdf">Zcash Overwinter Consensus and Sapling Cryptography Review</a></p>
<p><a href="https://datatracker.ietf.org/meeting/114/materials/slides-114-cfrg-bbs-signature-scheme-pdf-00">Slide: The BBS Signature Scheme</a></p>
<p>BBS is a short group signature scheme with zero-knowledge proofs: the holder can selectively disclose a subset of the signed messages, and the proof of possession reveals nothing that links it to the original signature (unlinkability).</p>
<p>BLS12-381 pairing curve, as in Zcash, roughly 117-120 bits of security.</p>
<p>G1 and G2 are subgroups of prime order r; the public key lives in G2, the signature in G1.</p>
<p>Randomness must come from a CSPRNG.</p>
<p>The secret key SK is derived from IKM together with key_info.</p>
<p>PK = P2 * SK, where P2 is the generator of G2.</p>
<p>header: context/configuration data, bound into both the signature and the proof.</p>
<p>messages: the payload; the signature covers all of them, the proof discloses only the selected ones.</p>
<h1 id="sign">Sign</h1>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Sign(SK, PK, header, messages)
</code></pre></div></div>
<p>Deterministically create the generators:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(Q_1, Q_2, H_1, ..., H_L) = create_generators(L+2)
</code></pre></div></div>
<p>Compute domain from PK, the generators and header (one hash_to_scalar):</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> domain = calculate_domain(PK, Q_1, Q_2, (H_1, ..., H_L), header)
</code></pre></div></div>
<p>Compute (e, s) from SK, domain and msg_1 ... msg_L: one expand_message and two hash_to_scalar calls:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>e_s_octs = serialize((SK, domain, msg_1, ..., msg_L))
e_s_expand = expand_message(e_s_octs, expand_dst, e_s_len)
e = hash_to_scalar(e_s_expand[0..(octet_scalar_length - 1)])
s = hash_to_scalar(e_s_expand[octet_scalar_length..(e_s_len - 1)])
</code></pre></div></div>
<p>Compute A:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>B = P1 + Q_1 * s + Q_2 * domain + H_1 * msg_1 + ... + H_L * msg_L
A = B * (1 / (SK + e))
</code></pre></div></div>
<p>signature = (A, e, s)</p>
<h1 id="verify">Verify</h1>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>result = Verify(PK, signature, header, messages)
</code></pre></div></div>
<p>Create the generators and domain exactly as in Sign.</p>
<p>Compute B:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>B = P1 + Q_1 * s + Q_2 * domain + H_1 * msg_1 + ... + H_L * msg_L
</code></pre></div></div>
<p>Check the signature:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> if e(A, W + P2 * e) * e(B, -P2) != Identity_GT, return INVALID
return VALID
</code></pre></div></div>
<p>The pairing check works because <code class="language-plaintext highlighter-rouge">W = octets_to_pubkey(PK) = P2 * SK</code>: e(A, W + P2 * e) = e(B * (1 / (SK + e)), P2 * (SK + e)) = e(B, P2), which cancels against e(B, -P2).</p>
<h1 id="proofgen">ProofGen</h1>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>proof = ProofGen(PK, signature, header, ph, messages, disclosed_indexes)
</code></pre></div></div>
<p>L is the total number of messages, R the number disclosed, U the number undisclosed (L = R + U).</p>
<p>Create the generators and domain as in Sign.</p>
<p>Draw the random scalars:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>random_scalars = calculate_random_scalars(6+U)
(r1, r2, e~, r2~, r3~, s~, m~_j1, ..., m~_jU) = random_scalars
</code></pre></div></div>
<p>Compute the intermediate values:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>B = P1 + Q_1 * s + Q_2 * domain + H_1 * msg_1 + ... + H_L * msg_L
r3 = r1 ^ -1 mod r
A' = A * r1
Abar = A' * (-e) + B * r1
D = B * r1 + Q_1 * r2
s' = r2 * r3 + s mod r
C1 = A' * e~ + Q_1 * r2~
C2 = D * (-r3~) + Q_1 * s~ + H_j1 * m~_j1 + ... + H_jU * m~_jU
</code></pre></div></div>
<p>Compute the challenge (again a hash_to_scalar):</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>c = calculate_challenge(A', Abar, D, C1, C2, (i1, ..., iR), (msg_i1, ..., msg_iR), domain, ph)
</code></pre></div></div>
<p>Compute the proof:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>e^ = c * e + e~ mod r
r2^ = c * r2 + r2~ mod r
r3^ = c * r3 + r3~ mod r
s^ = c * s' + s~ mod r
for j in (j1, ..., jU): m^_j = c * msg_j + m~_j mod r
proof = (A', Abar, D, c, e^, r2^, r3^, s^, (m^_j1, ..., m^_jU))
</code></pre></div></div>
<p>Note that j1, ..., jU are the indexes of the undisclosed messages.</p>
<h1 id="proofverify">ProofVerify</h1>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>result = ProofVerify(PK, proof, header, ph, disclosed_messages, disclosed_indexes)
</code></pre></div></div>
<p>Create the generators and domain as in Sign.</p>
<p>Recompute C1:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C1 = (Abar - D) * c + A' * e^ + Q_1 * r2^
= (A' * (-e) + B * r1 - D) * c + A' * e^ + Q_1 * r2^
= (A' * (-e) - Q_1 * r2) * c + A' * e^ + Q_1 * r2^
= A' * (e^ - e * c) + Q_1 * (r2^ - r2 * c)
= A' * e~ + Q_1 * r2~
= C1
</code></pre></div></div>
<p>Recompute C2:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>T = P1 + Q_2 * domain + H_i1 * msg_i1 + ... + H_iR * msg_iR
C2 = T * c - D * r3^ + Q_1 * s^ + H_j1 * m^_j1 + ... + H_jU * m^_jU
= (P1 + Q_2 * domain + H_i1 * msg_i1 + ... + H_iR * msg_iR) * c - D * (c * r3 + r3~) + Q_1 * (c * s' + s~) + H_j1 * (c * msg_j1 + m~_j1) + ... + H_jU * (c * msg_jU + m~_jU)
= (P1 + Q_2 * domain + H_1 * msg_1 + ... + H_L * msg_L - D * r3 + Q_1 * s') * c - D * r3~ + Q_1 * s~ + H_j1 * m~_j1 + ... + H_jU * m~_jU
= (B - Q_1 * s - D * r3 + Q_1 * s') * c + D * (-r3~) + Q_1 * s~ + H_j1 * m~_j1 + ... + H_jU * m~_jU
= (B + Q_1 * r2 * r3 - B * r1 * r3 - Q_1 * r2 * r3) * c + D * (-r3~) + Q_1 * s~ + H_j1 * m~_j1 + ... + H_jU * m~_jU
= D * (-r3~) + Q_1 * s~ + H_j1 * m~_j1 + ... + H_jU * m~_jU
= C2
</code></pre></div></div>
<p>Compute cv:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cv = calculate_challenge(A', Abar, D, C1, C2, (i1, ..., iR), (msg_i1, ..., msg_iR), domain, ph)
</code></pre></div></div>
<p>Check that cv equals c, then the pairing equation:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>if cv != c, return INVALID
if A' == Identity_G1, return INVALID
if e(A', W) * e(Abar, -P2) != Identity_GT, return INVALID
e(A', W) * e(Abar, -P2)
= e(A', P2 * SK) * e(A' * (-e) + B * r1, -P2)
= e(A * r1 * SK, P2) * e( (A * (-e) + B) * r1, -P2)
= e(A * r1 * SK, P2) * e( A * SK * r1, -P2)
= Identity_GT
</code></pre></div></div>
<h1 id="security">security</h1>
<p>Validate the public key.</p>
<p>Validate every received point (A, A', Abar, D).</p>
<p>Prime-order subgroup check on those points.</p>
<p>Run in constant time.</p>
<p>Nonce reuse: (e, s) are derived deterministically from SK, domain and the messages, so the signer cannot reuse them by accident; the proof's random scalars must still be fresh for every ProofGen.</p>
<p>Put a nonce in the header (and let the verifier choose the presentation header ph).</p>
<p>G1 and G2 are not isomorphic (type-3 pairing); keep public keys and signatures in their own groups.</p>
<p>Use an approved DRBG.</p>
<p>Proof replay: the proof binds ph, so a verifier that supplies a fresh ph per presentation can detect a replayed proof.</p>
<h1 id="use-case">use case</h1>
<p>Replace OAuth2-style bearer access tokens with tokens the holder must prove possession of.</p>
<p>Replace OAuth2 DPoP-style proofs without a separate HMAC/hash binding step.</p>
<p>Verifiable credentials, e.g. a driver's license with selective disclosure of attributes.</p>
ZKP: Zero Knowledge Proofs, ZK-SNARK
2023-05-17T00:00:00+00:00
https://abbypan.github.io/2023/05/17/zkp
<ul id="markdown-toc">
<li><a href="#mooc-zero-knowledge-proofs" id="markdown-toc-mooc-zero-knowledge-proofs">MOOC: Zero Knowledge Proofs</a> <ul>
<li><a href="#lecture-2-dan-boneh-introduction-to-modern-snarks" id="markdown-toc-lecture-2-dan-boneh-introduction-to-modern-snarks">Lecture 2 Dan Boneh: Introduction to Modern SNARKs</a></li>
<li><a href="#lecture-5-dan-boneh-the-plonk-snark" id="markdown-toc-lecture-5-dan-boneh-the-plonk-snark">Lecture 5 Dan Boneh: The Plonk SNARK</a></li>
<li><a href="#lecture-6-yupeng-zhang-polynomial-commitments-based-on-pairing-and-discrete-logarithm" id="markdown-toc-lecture-6-yupeng-zhang-polynomial-commitments-based-on-pairing-and-discrete-logarithm">Lecture 6 Yupeng Zhang: Polynomial Commitments based on Pairing and Discrete Logarithm</a></li>
</ul>
</li>
<li><a href="#kzg10" id="markdown-toc-kzg10">KZG10</a></li>
<li><a href="#groth16" id="markdown-toc-groth16">Groth16</a> <ul>
<li><a href="#r1cs-rank-1-constraint-system" id="markdown-toc-r1cs-rank-1-constraint-system">R1CS: rank-1 constraint system</a></li>
<li><a href="#qap" id="markdown-toc-qap">QAP</a></li>
<li><a href="#nizk" id="markdown-toc-nizk">NIZK</a></li>
<li><a href="#security" id="markdown-toc-security">security</a></li>
</ul>
</li>
<li><a href="#bccgp16" id="markdown-toc-bccgp16">BCCGP16</a> <ul>
<li><a href="#homomorphic-commitment" id="markdown-toc-homomorphic-commitment">homomorphic commitment</a></li>
<li><a href="#pedersen-commitment" id="markdown-toc-pedersen-commitment">Pedersen commitment</a></li>
<li><a href="#recursive-argument-for-inner-product-evaluation" id="markdown-toc-recursive-argument-for-inner-product-evaluation">Recursive Argument for Inner Product Evaluation</a></li>
</ul>
</li>
<li><a href="#bulletproofs" id="markdown-toc-bulletproofs">Bulletproofs</a> <ul>
<li><a href="#improved-inner-product-argument" id="markdown-toc-improved-inner-product-argument">Improved Inner-Product Argument</a></li>
<li><a href="#inner-product-range-proof" id="markdown-toc-inner-product-range-proof">Inner-Product Range Proof</a></li>
<li><a href="#logarithmic-range-proof" id="markdown-toc-logarithmic-range-proof">Logarithmic Range Proof</a></li>
<li><a href="#aggregating-logarithmic-proofs" id="markdown-toc-aggregating-logarithmic-proofs">Aggregating Logarithmic Proofs</a></li>
<li><a href="#non-interactive-proof-through-fiat-shamir" id="markdown-toc-non-interactive-proof-through-fiat-shamir">Non-Interactive Proof through Fiat-Shamir</a></li>
<li><a href="#mpc" id="markdown-toc-mpc">mpc</a></li>
<li><a href="#inner-product-proof-for-arithmetic-circuits" id="markdown-toc-inner-product-proof-for-arithmetic-circuits">Inner-Product Proof for Arithmetic Circuits</a></li>
</ul>
</li>
<li><a href="#scalable-zero-knowledge-via-cycles-of-elliptic-curves" id="markdown-toc-scalable-zero-knowledge-via-cycles-of-elliptic-curves">Scalable Zero Knowledge via Cycles of Elliptic Curves</a></li>
<li><a href="#nova" id="markdown-toc-nova">Nova</a></li>
</ul>
<h1 id="mooc-zero-knowledge-proofs">MOOC: Zero Knowledge Proofs</h1>
<p><a href="https://zk-learning.org/">MOOC: Zero Knowledge Proofs</a></p>
<h2 id="lecture-2-dan-boneh-introduction-to-modern-snarks">Lecture 2 Dan Boneh: Introduction to Modern SNARKs</h2>
<p>zk-SNARK: Zero-Knowledge Succinct Non-interactive ARgument of Knowledge</p>
<p>setup for circuit C:</p>
<ul>
<li>trusted setup per circuit: <code class="language-plaintext highlighter-rouge">S(C; r) -> (pp, vp)</code>, secret r</li>
<li>trusted but universal setup: <code class="language-plaintext highlighter-rouge">Sinit(λ; r) -> gp</code>, secret r, run once; Sindex(gp, C) -> (pp, vp) per circuit, deterministic and without secrets</li>
<li>transparent setup: <code class="language-plaintext highlighter-rouge">S(C) -> (pp, vp)</code></li>
</ul>
<p>SNARK (S, P, V)</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">S(C) -> (pp, vp), public parameters</code></li>
<li><code class="language-plaintext highlighter-rouge">P(pp, x, w) -> π, proof</code></li>
<li><code class="language-plaintext highlighter-rouge">V(vp, x, π) -> accept/reject</code></li>
</ul>
<p>functional commitment</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">setup(1^λ) -> gp</code></li>
<li><code class="language-plaintext highlighter-rouge">commit(gp, f, r) -> comf</code>, r random, f the committed function
<ul>
<li>polynomial</li>
<li>multilinear</li>
<li>vector</li>
<li>inner product arguments (IPA)</li>
</ul>
</li>
<li>eval(P, V): <code class="language-plaintext highlighter-rouge">P(gp, f, x, y, r) -> π, V(gp, comf, x, y, π) -> accept/reject</code></li>
</ul>
<p>interactive oracle proof (IOP)</p>
<h2 id="lecture-5-dan-boneh-the-plonk-snark">Lecture 5 Dan Boneh: The Plonk SNARK</h2>
<p>Poly-IOP: Zero Test, Sum Check, Prod Check, Permutation Check</p>
<p>PLONK: a poly-IOP for a general circuit <code class="language-plaintext highlighter-rouge">𝐶(𝑥, 𝑤)</code>; it builds the input, gate, wiring and output checks using Lagrange interpolation and FFTs.</p>
<h2 id="lecture-6-yupeng-zhang-polynomial-commitments-based-on-pairing-and-discrete-logarithm">Lecture 6 Yupeng Zhang: Polynomial Commitments based on Pairing and Discrete Logarithm</h2>
<p>Univariate KZG, Multivariate KZG, …</p>
<p>Bulletproofs</p>
<h1 id="kzg10">KZG10</h1>
<p><a href="https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf">KZG10: Constant-Size Commitments to Polynomials and Their Applications</a></p>
<p>The commitment is g raised to φ(α) for a secret α. Since the committer does not know α, it instead raises the public elements g^(α^i) to the coefficients φ_i of φ(x), which yields the same group element.</p>
<p>Evaluation proofs are then checked with a pairing:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Trusted Setup:
bilinear pairing group GG = 〈e, G, Gt〉
SK = random α, PK = 〈GG, g, g^α, . . . , g^(α^t)〉
polynomial φ(x) ∈ Zp[x]
φ(x) = ∑ φj * x^j, 0 <= j <= deg(φ), deg(φ) <= t
Commit(PK, φ(x)):
commit C = g^φ(α)
= g^(∑ φj * α^j)
= ∏ g^(φj * α^j)
= ∏ (g^(α^j))^φj
Open(PK, C, φ(x)): φ(x)
VerifyPoly(PK, C, φ(x)):
verify C == ∏ (g^(α^j))^φj
CreateWitness(PK, φ(x), i):
ψi(x) = (φ(x)−φ(i))/(x−i), exact since φ(i) is the remainder of φ(x) mod (x−i)
proof wi = g^ψi(α)
output 〈i, φ(i), wi〉
VerifyEval(PK, C, i, φ(i), wi):
verify e(C, g) == e(wi, g^α/g^i) * e(g, g)^φ(i)
e(wi, g^α/g^i) * e(g, g)^φ(i)
= e(g^ψi(α), g^(α-i)) * e(g^φ(i), g)
= e(g^(ψi(α) * (α-i)), g) * e(g^φ(i), g)
= e(g^(φ(α)−φ(i)), g) * e(g^φ(i), g)
= e(g^φ(α), g)
= e(C, g)
</code></pre></div></div>
<p>Batch opening: one witness for a whole set B of evaluation points:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CreateWitnessBatch(PK, φ(x), B): 〈B, r(x), wB 〉
B ⊂ Zp
r(x) = φ(x) % ∏ (x-i), i∈B
ψB(x) = (φ(x)−r(x))/ ∏ (x-i), i∈B
wB = g^ψB(α)
VerifyEvalBatch(PK, C, B, r(x), wB ): i∈B
verify e(C, g) == e(g^∏ (α−i), wB ) * e(g, g^r(α))
verify r(i) == φ(i)
</code></pre></div></div>
<h1 id="groth16">Groth16</h1>
<p><a href="https://eprint.iacr.org/2016/260.pdf">Groth16: On the Size of Pairing-based Non-interactive Arguments</a></p>
<p><a href="https://risencrypto.github.io/R1CSQAP/">Groth16 zkSNARK: R1CS and QAP - From Zero to Hero with Finite Fields & sagemath</a></p>
<p><a href="http://www.zeroknowledgeblog.com/index.php/groth16">Groth16</a></p>
<p><a href="https://kayleegeorge.github.io/math110_WIM.pdf">The Mathematical Mechanics Behind the Groth16 Zero-knowledge Proving Protocol</a></p>
<h2 id="r1cs-rank-1-constraint-system">R1CS: rank-1 constraint system</h2>
<ul>
<li>Suppose there are m gates (one rank-1 constraint per multiplication).</li>
<li>Order the variables; the vector S holds each variable's value for a given input (the statement x plus the witness).</li>
<li>Each gate becomes one row of the constraint matrices: row i of A selects the left input, row i of B the right input and row i of C the output, so the constraint reads <code class="language-plaintext highlighter-rouge">(A_i · S) * (B_i · S) = C_i · S</code>.</li>
</ul>
<h2 id="qap">QAP</h2>
<ul>
<li>For every column i of A, B and C, interpolate the Lagrange polynomial through the points <code class="language-plaintext highlighter-rouge">(row_i, value)</code>; the transposed matrices of interpolation coefficients give the polynomials ui(x), vi(x), wi(x).</li>
<li>
<p>The inner product of S with these polynomials gives A(x) = ∑ S_i·ui(x), B(x) = ∑ S_i·vi(x), C(x) = ∑ S_i·wi(x); compute</p>
<p>T(x) = A(x) * B(x) - C(x)
Z(x) = (x - 1) * … * (x - m)
H(x) = T(x) / Z(x)</p>
</li>
</ul>
<p>T(x) vanishes at x = 1, ..., m exactly when every constraint holds, so the division is exact and <code class="language-plaintext highlighter-rouge">T(x) = H(x) * Z(x)</code>; a cheating witness leaves a non-zero remainder.</p>
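<p>The R1CS-to-QAP conversion carried through for a concrete circuit, as an added example (not code from the Groth16 paper or the page). The circuit out = x^3 + x + 5, its three constraint matrices and the field choice 2^61 - 1 are constructed for the example; the functions build u_i, v_i, w_i by Lagrange interpolation, form T = A(x)B(x) - C(x), divide by Z(x) = (x-1)(x-2)(x-3) and report whether the remainder is zero, which is the statement the prover later proves in the exponent.</p>

```python
from functools import reduce

# Polynomials are coefficient lists, lowest degree first, over F_P. P = 2^61 - 1
# is a convenience choice; Groth16 uses the scalar field of a pairing-friendly curve.
P = 2**61 - 1


def inv(a: int) -> int:
    return pow(a, P - 2, P)


def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]


def poly_scale(a, c):
    return [c * x % P for x in a]


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out


def poly_divmod(num, den):
    """Long division; den's leading coefficient must be non-zero."""
    num, k = num[:], len(den)
    q = [0] * max(1, len(num) - k + 1)
    dinv = inv(den[-1])
    for i in range(len(num) - k, -1, -1):
        q[i] = num[i + k - 1] * dinv % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P
    return q, num[:k - 1]


def poly_eval(a, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(a)) % P


def lagrange(points):
    """Unique polynomial of degree < len(points) through the given (x, y) pairs."""
    res = [0]
    for i, (xi, yi) in enumerate(points):
        term = [yi % P]
        for j, (xj, _) in enumerate(points):
            if j != i:
                term = poly_mul(term, poly_scale([-xj % P, 1], inv((xi - xj) % P)))
        res = poly_add(res, term)
    return res


# R1CS for out = x^3 + x + 5 over variables S = [one, x, out, v1, v2]:
#   gate 1: x  * x   = v1
#   gate 2: v1 * x   = v2
#   gate 3: (v2 + x + 5*one) * one = out
A = [[0, 1, 0, 0, 0], [0, 0, 0, 1, 0], [5, 1, 0, 0, 1]]   # left inputs
B = [[0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [1, 0, 0, 0, 0]]   # right inputs
C = [[0, 0, 0, 1, 0], [0, 0, 0, 0, 1], [0, 0, 1, 0, 0]]   # outputs


def witness(x: int) -> list:
    v1 = x * x % P
    v2 = v1 * x % P
    return [1, x, (v2 + x + 5) % P, v1, v2]


def r1cs_satisfied(S, A=A, B=B, C=C) -> bool:
    dot = lambda row: sum(r * s for r, s in zip(row, S)) % P
    return all(dot(a) * dot(b) % P == dot(c) for a, b, c in zip(A, B, C))


def r1cs_to_qap(A=A, B=B, C=C):
    """Column i of each matrix becomes u_i(x), v_i(x), w_i(x) through (row, value) at x = 1..m."""
    xs = range(1, len(A) + 1)
    col = lambda M, i: lagrange([(x, M[r][i]) for r, x in enumerate(xs)])
    U = [col(A, i) for i in range(len(A[0]))]
    V = [col(B, i) for i in range(len(B[0]))]
    W = [col(C, i) for i in range(len(C[0]))]
    Z = reduce(poly_mul, ([-x % P, 1] for x in xs), [1])     # Z(x) = (x-1)...(x-m)
    return U, V, W, Z


def qap_check(S, U, V, W, Z):
    """T = A(x)B(x) - C(x) with A = sum S_i u_i etc.; returns (T, H, exact) where
    exact is True iff T = H * Z with zero remainder, i.e. iff every gate holds."""
    comb = lambda polys: reduce(poly_add, (poly_scale(p, s) for p, s in zip(polys, S)), [0])
    Ax, Bx, Cx = comb(U), comb(V), comb(W)
    T = poly_add(poly_mul(Ax, Bx), poly_scale(Cx, P - 1))
    H, rem = poly_divmod(T, Z)
    return T, H, all(r == 0 for r in rem)
```

<p>Everything after this point in Groth16 is about evaluating these polynomials at the secret point x inside the exponent; a witness that fails qap_check() here has no valid proof there, because T would not be a multiple of Z.</p>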
<h2 id="nizk">NIZK</h2>
<p>See Section 3.2 of the paper, NIZK arguments for quadratic arithmetic programs.</p>
<p>pairing-friendly elliptic curves</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>a0 = 1
public statements (a1, ..., al)
secret witnesses (al+1, ..., am)
∑ ai*ui(x) · ∑ ai*vi(x) = ∑ ai*wi(X) + h(X)t(X), i = 0, ..., m
Setup(R):
τ = (α, β, γ, δ, x)
σ1 = ( α, β, δ,
{x^i} 0<=i<=n−1,
{ (β*ui(x)+α*vi(x)+wi(x))/γ } 0<=i<=l,
{ (β*ui(x)+α*vi(x)+wi(x))/δ } l+1<=i<=m,
{ (x^i * t(x))/δ } 0<=i<=n-2
)
σ2 = ( β, γ, δ,
{x^i} 0<=i<=n-1
)
σ = ([σ1]1, [σ2]2)
Prove:
π ← Prove(R, σ, a1, . . . , am)
r, s ← Zp
A = α + ∑ ai*ui(x) + rδ, 0<=i<=m
B = β + ∑ ai*vi(x) + sδ, 0<=i<=m
C = ( ∑ ai*( β*ui(x) + α*vi(x) + wi(x)) + h(x)t(x) )/δ + As + Br − rsδ, l+1<=i<=m
π = ([A]1, [C]1, [B]2)
Verify:
Vfy(R, σ, a1, . . . , al, π)
[A]1 · [B]2 = [α]1 · [β]2 + ∑ ai*( (β*ui(x) + α*vi(x) + wi(x))/γ ) · [γ]2 + [C]1 · [δ]2, 0<=i<=l
Sim:
π ← Sim(R, τ, a1, . . . , al)
C = ( AB − αβ − ∑ ai*(β*ui(x) + α*vi(x) + wi(x)) )/δ, i= 0, ..., l
</code></pre></div></div>
<p>The verifier key σV is compact: only <code class="language-plaintext highlighter-rouge">l+2</code> G1 elements, 3 G2 elements and 1 GT element:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>σV = ( p, G1, G2, GT , e, [1]1, { [( β*ui(x) + α*vi(x) + wi(x))/γ ]1 } 0<=i<=l, [1]2, [γ]2, [δ]2, [αβ]T )
</code></pre></div></div>
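<p>Added example, not code from the original post or from the Groth16 paper: the R1CS, QAP and NIZK sections above carried through on a constructed toy circuit (x^3 + x + 5 = out) in plain Python. Polynomials live over the BN254 scalar field (an assumption; any prime field works). Group elements are replaced by their discrete logs, i.e. pairings become field multiplications, so the block checks the algebra of Setup/Prove/Vfy and the T(x) = H(x)·Z(x) divisibility, not the cryptographic hardness. The witness with out = 36 instead of 35 shows that a cheating prover who drops the non-zero remainder fails the verification equation.</p>

```python
# Added example (not from the original post or the Groth16 paper): R1CS -> QAP ->
# Groth16 Setup/Prove/Vfy, worked in plain Python over the BN254 scalar field.
# Group elements are replaced by their discrete logs (plain field elements), so
# this checks the algebra of the verification equation only, not its hardness.
import random

p = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Polynomials over F_p are coefficient lists, lowest degree first.
def padd(a, b):
    n = max(len(a), len(b))
    return [(x + y) % p for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))]

def pscale(a, k):
    return [x * k % p for x in a]

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out

def pdivmod(a, b):
    """Schoolbook division; returns (quotient, remainder)."""
    a, inv = a[:], pow(b[-1], -1, p)
    q = [0] * max(1, len(a) - len(b) + 1)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = a[i + len(b) - 1] * inv % p
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - q[i] * y) % p
    return q, a[:len(b) - 1]

def peval(a, x):
    r = 0
    for c in reversed(a):
        r = (r * x + c) % p
    return r

def lagrange(ys):
    """Polynomial through (1, ys[0]), (2, ys[1]), ..., (n, ys[n-1])."""
    res = [0]
    for i, yi in enumerate(ys):
        num, den = [1], 1
        for j in range(len(ys)):
            if j != i:
                num, den = pmul(num, [-(j + 1) % p, 1]), den * (i - j) % p
        res = padd(res, pscale(num, yi * pow(den, -1, p)))
    return res

# Constructed toy R1CS for x^3 + x + 5 = out.  Variable order s = (1, out, x, v1, v2, v3):
# a0 = 1, the public statement is out (so l = 1), m = 5, and there are n = 4 gates.
A = [[0, 0, 1, 0, 0, 0], [0, 0, 0, 1, 0, 0], [0, 0, 1, 0, 1, 0], [5, 0, 0, 0, 0, 1]]
B = [[0, 0, 1, 0, 0, 0], [0, 0, 1, 0, 0, 0], [1, 0, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0]]
C = [[0, 0, 0, 1, 0, 0], [0, 0, 0, 0, 1, 0], [0, 0, 0, 0, 0, 1], [0, 1, 0, 0, 0, 0]]
L = 1

def witness(x):
    v1 = x * x % p; v2 = v1 * x % p; v3 = (v2 + x) % p
    return [1, (v3 + 5) % p, x, v1, v2, v3]

def to_qap(M):
    """Column i of M becomes the polynomial with value M[j-1][i] at x = j (the u_i / v_i / w_i)."""
    return [lagrange([row[i] for row in M]) for i in range(len(M[0]))]

U, V, W = to_qap(A), to_qap(B), to_qap(C)
T_POLY = [1]                      # t(x) = (x - 1)(x - 2)...(x - n)
for j in range(1, len(A) + 1):
    T_POLY = pmul(T_POLY, [-j % p, 1])

def combine(polys, s):
    acc = [0]
    for poly, a in zip(polys, s):
        acc = padd(acc, pscale(poly, a))
    return acc

def qap_h(s):
    """h(x) = (A(x)B(x) - C(x)) / t(x); the remainder is zero iff s satisfies every gate."""
    ab = pmul(combine(U, s), combine(V, s))
    return pdivmod(padd(ab, pscale(combine(W, s), p - 1)), T_POLY)

def groth16_verifies(s, seed=1):
    """Setup, Prove and Vfy 'in the exponent'; a cheating prover silently drops the remainder."""
    rng = random.Random(seed)
    alpha, beta, gamma, delta, x, r, s_ = (rng.randrange(1, p) for _ in range(7))
    h, _rem = qap_h(s)
    ux, vx, wx = ([peval(q, x) for q in M] for M in (U, V, W))
    comb = [(beta * ux[i] + alpha * vx[i] + wx[i]) % p for i in range(len(s))]
    a_el = (alpha + sum(s[i] * ux[i] for i in range(len(s))) + r * delta) % p
    b_el = (beta + sum(s[i] * vx[i] for i in range(len(s))) + s_ * delta) % p
    c_el = ((sum(s[i] * comb[i] for i in range(L + 1, len(s))) + peval(h, x) * peval(T_POLY, x))
            * pow(delta, -1, p) + a_el * s_ + b_el * r - r * s_ * delta) % p
    # Vfy: [A]1·[B]2 == [α]1·[β]2 + Σ_{i<=l} a_i [(βu_i+αv_i+w_i)/γ]1·[γ]2 + [C]1·[δ]2; γ cancels.
    public = sum(s[i] * comb[i] for i in range(L + 1)) * pow(gamma, -1, p) * gamma % p
    return a_el * b_el % p == (alpha * beta + public + c_el * delta) % p
```

Because the simulation works in exponents, the check reduces to the field identity derived above; the only thing the real scheme adds is that the prover never sees τ, which is exactly what the pairing groups enforce.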
<h2 id="security">security</h2>
<p>Groth16 proofs are malleable: a valid proof can be re-randomized into a different valid proof for the same statement. So a proof must not be treated as a unique identifier or nullifier; follow the paper's verification checks exactly and add replay protection at the application layer.</p>
<p>If the proof is bound to an identity, the trust placed in that identity becomes part of the security argument as well.</p>
<h1 id="bccgp16">BCCGP16</h1>
<p><a href="https://eprint.iacr.org/2016/263.pdf">BCCGP16: Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting</a></p>
<h2 id="homomorphic-commitment">homomorphic commitment</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> Comck(m0; r0) · Comck(m1; r1) = Comck(m0 + m1; r0 + r1)
</code></pre></div></div>
<h2 id="pedersen-commitment">Pedersen commitment</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>g, h are group elements; the discrete log of h base g must be unknown, or the commitment is not binding
(m, r) ∈ Zp x Zp
c = g^r * h^m
</code></pre></div></div>
<h2 id="recursive-argument-for-inner-product-evaluation">Recursive Argument for Inner Product Evaluation</h2>
<p>Assume the vector g has size n.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>n = ∏ m_i , 1 <= i <= µ
</code></pre></div></div>
<p>Reduce in the order of the factors, e.g.</p>
<p>Take the first factor <code class="language-plaintext highlighter-rouge">m = m_µ</code> and split <code class="language-plaintext highlighter-rouge">g = (g_1, ..., g_m)</code>, i.e. into m vectors <code class="language-plaintext highlighter-rouge">g_i</code> of size n/m each. h, a and b are split the same way.</p>
<p>Compute</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>A_k = ∏ g_i^a_(i+k), max(1,1−k) <= i <= min(m,m−k), k = 1 − m, . . . , m − 1
A = g^a = ∏ g_i^a_i, 1<=i<=m
</code></pre></div></div>
<p>Multiplying the entries along one diagonal of the matrix of <code class="language-plaintext highlighter-rouge">g_i^a_j</code> gives <code class="language-plaintext highlighter-rouge">A_(j-i)</code>; clearly <code class="language-plaintext highlighter-rouge">A = A_0</code>. B is defined in the same way from h and b.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(G, p, g, A, h, B, z, m_µ = m, m_µ−1 = m', . . . , m_1)
</code></pre></div></div>
<p>Compute</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>random challenge x
g' = ∏ (g_i)^(x^−i), 1<=i<=m
A' = ∏ (A_k)^(x^k), 1-m<=k<=m-1
a' = ∑ a_i*(x^i), 1<=i<=m
A' = g'^a'
the same challenge enters the h side as x^-1:
h' = ∏ (h_i)^(x^i), 1<=i<=m
B' = ∏ (B_k)^(x^-k), 1-m<=k<=m-1
b' = ∑ b_i*(x^-i), 1<=i<=m
B' = h'^b'
z_k = ∑ a_i · b_(i+k), max(1,1−k) <= i <= min(m,m−k), 1-m<=k<=m-1
z_0 = z = ∑ a_i · b_i, 1 <= i <= m
z' = ∑ z_k * x^(-k), 1-m<=k<=m-1
a' · b' = ∑ a_i*(x^i) · ∑ b_j*(x^-j)
= ∑ a_i*(x^i) · b_j*(x^-j)
= ∑ (a_i · b_j)*(x^(i-j))
= ∑ (a_i · b_(i+k))*(x^(-k)) , regroup by diagonals, let j = i+k
= ∑ z_k * x^(-k)
= z'
</code></pre></div></div>
<p>This yields <code class="language-plaintext highlighter-rouge">(G, p, g', A', h', B', z', m_µ−1, . . . , m_1)</code>; clearly g' has size <code class="language-plaintext highlighter-rouge">n/m</code> and can be split further into <code class="language-plaintext highlighter-rouge">m' = m_µ−1</code> sub-vectors.</p>
<p>Recurse until <code class="language-plaintext highlighter-rouge">m_1</code> is reached; the verifier only ever sees the A_k, B_k, z_k of each round, never a or b themselves.</p>
<h1 id="bulletproofs">Bulletproofs</h1>
<p><a href="https://crypto.stanford.edu/bulletproofs/">Bulletproofs: Short Proofs for Confidential Transactions and More</a></p>
<p><a href="https://eprint.iacr.org/2017/1066.pdf">Bulletproofs17</a></p>
<p><a href="https://ieeexplore.ieee.org/document/8418611">Bulletproofs18</a></p>
<h2 id="improved-inner-product-argument">Improved Inner-Product Argument</h2>
<p>Same idea as BCCGP, but the vectors are halved in every round, so the recursive argument takes log2(n) rounds:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>g, h ∈ G^n
u, P ∈ G
a, b ∈ Zp^n
n=1:
P->V: a, b
c = a · b
V check P == g^a · h^b · u^c
n>1:
n' = n/2
(a1, a2) = a, (b1, b2) = b, (g1, g2) = g, (h1, h2) = h
c = a · b = a1 · b1 + a2 · b2
CL = a1 · b2 ∈ Zp
CR = a2 · b1 ∈ Zp
L = g2^a1 · h1^b2 · u^CL ∈ G
R = g1^a2 · h2^b1 · u^CR ∈ G
P->V: L, R
V->P: x ∈ Zp*
g' = g1^(x^(-1)) · g2^x ∈ G^n'
h' = h1^x · h2^(x^(-1)) ∈ G^n'
P' = L^(x^2) · P · R^(x^(-2)) ∈ G
a' = a1*x + a2*x^(-1) ∈ Zp^n'
b' = b1*x^(-1) + b2*x ∈ Zp^n'
c' = a' · b'
= a1 · b1 + (a1 · b2)*x^2 + (a2 · b1)*x^(-2) + a2 · b2
P' = L^(x^2) · P · R^(x^(-2))
= (g2^(a1*x^2) · h1^(b2*x^2) · u^(CL*x^2))
· ((g1^a1 · g2^a2) · (h1^b1 · h2^b2) · u^(a · b))
· ((g1^(a2*x^(-2)) · h2^(b1*x^(-2)) · u^(CR*x^(-2))
= (g1^(a1+a2*x^(-2)) · g2^(a2+a1*x^2))
· (h1^(b2*x^2+b1) · h2^(b2+b1*x^(-2)))
· u^(CL*x^2+a · b+CR*x^(-2))
= (g1^(x^(-1)))^(a1*x+a2*x^(-1)) · (g2^x)^(a2*x^(-1)+a1*x)
· (h1^x)^(b2*x+b1*x^(-1)) · (h2^(x^(-1)))^(b2*x+b1*x^(-1))
· u^((a1 · b2)*x^2+a1 · b1 + a2 · b2+(a2 · b1)*x^(-2))
= g'^a' · h'^b' · u^c'
get (g', h', u, P', a', b')
</code></pre></div></div>
<p>Clearly the sizes of g'/h'/a'/b' are halved in each round, and the verifier sends only one challenge x per round.</p>
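<p>Added example, not code from the Bulletproofs or BCCGP papers: the halving inner-product argument above (the m = 2 special case of the BCCGP reduction) implemented over secp256k1 in plain Python. Assumptions: the verifier's challenge x is replaced by a Fiat-Shamir hash of the running transcript (P, then each L, R), and the generators g_i, h_i, u are hashed to the curve by try-and-increment so that no discrete-log relation between them is known, which the soundness argument requires. The tamper case commits to a wrong inner product and shows the final check fail.</p>

```python
# Added example (not from the Bulletproofs or BCCGP papers): the halving
# inner-product argument (Protocol 2) over secp256k1 in plain Python, with the
# verifier's challenge replaced by a Fiat-Shamir hash of the transcript.
# Generators are hashed to the curve so no DL relation among g_i, h_i, u is known.
import hashlib

P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_FIELD == 0: return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def ec_mul(k, P):
    R, k = None, k % N_ORDER
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def hash_to_point(label):
    """Try-and-increment: hash label to an x-coordinate until x^3 + 7 is a square."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(f"{label}:{ctr}".encode()).digest(), "big") % P_FIELD
        rhs = (x**3 + 7) % P_FIELD
        y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)   # p ≡ 3 mod 4: a square root if one exists
        if y * y % P_FIELD == rhs: return x, y
        ctr += 1

def enc(pt):
    return b"\0" * 64 if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def msm(scalars, points):
    acc = None
    for s, pt in zip(scalars, points): acc = ec_add(acc, ec_mul(s, pt))
    return acc

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % N_ORDER

def commit(g, h, u, a, b, c):
    """P = g^a · h^b · u^c"""
    return ec_add(msm(a, g), ec_add(msm(b, h), ec_mul(c, u)))

def challenge(tr, Lp, Rp):
    """Fiat-Shamir stand-in for V->P: x = H(transcript || L || R)."""
    tr.update(enc(Lp) + enc(Rp))
    return int.from_bytes(tr.copy().digest(), "big") % N_ORDER or 1

def fold_gens(g, h, x, xi):
    n2 = len(g) // 2
    g2 = [ec_add(ec_mul(xi, a), ec_mul(x, b)) for a, b in zip(g[:n2], g[n2:])]   # g' = g1^(x^-1) ∘ g2^x
    h2 = [ec_add(ec_mul(x, a), ec_mul(xi, b)) for a, b in zip(h[:n2], h[n2:])]   # h' = h1^x ∘ h2^(x^-1)
    return g2, h2

def prove(g, h, u, a, b, tr):
    rounds = []
    while len(a) > 1:
        n2 = len(a) // 2
        a1, a2, b1, b2 = a[:n2], a[n2:], b[:n2], b[n2:]
        Lp = commit(g[n2:], h[:n2], u, a1, b2, inner(a1, b2))   # L = g2^a1 · h1^b2 · u^(a1·b2)
        Rp = commit(g[:n2], h[n2:], u, a2, b1, inner(a2, b1))   # R = g1^a2 · h2^b1 · u^(a2·b1)
        x = challenge(tr, Lp, Rp); xi = pow(x, -1, N_ORDER)
        g, h = fold_gens(g, h, x, xi)
        a = [(x * s + xi * t) % N_ORDER for s, t in zip(a1, a2)]   # a' = a1·x + a2·x^-1
        b = [(xi * s + x * t) % N_ORDER for s, t in zip(b1, b2)]   # b' = b1·x^-1 + b2·x
        rounds.append((Lp, Rp))
    return rounds, a[0], b[0]

def verify(g, h, u, P, rounds, a, b, tr):
    for Lp, Rp in rounds:
        x = challenge(tr, Lp, Rp); xi = pow(x, -1, N_ORDER)
        g, h = fold_gens(g, h, x, xi)
        P = ec_add(ec_mul(x * x, Lp), ec_add(P, ec_mul(xi * xi, Rp)))   # P' = L^(x^2) · P · R^(x^-2)
    return len(g) == 1 and P == commit(g, h, u, [a], [b], a * b % N_ORDER)

def ipa_roundtrip(a, b, claimed_c=None):
    """Commit to (a, b, <a,b>), prove, verify; claimed_c lets a caller lie about the inner product."""
    n = len(a)
    g = [hash_to_point(f"g{i}") for i in range(n)]
    h = [hash_to_point(f"h{i}") for i in range(n)]
    u = hash_to_point("u")
    P = commit(g, h, u, a, b, inner(a, b) if claimed_c is None else claimed_c)
    rounds, af, bf = prove(g, h, u, a, b, hashlib.sha256(enc(P)))
    return verify(g, h, u, P, rounds, af, bf, hashlib.sha256(enc(P)))
```

Note that both sides seed the transcript with P before the first L, R, so the challenges are bound to the commitment being proven; deriving x from L, R alone would let a prover pick P after seeing the challenges.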
<h2 id="inner-product-range-proof">Inner-Product Range Proof</h2>
<p>To prove v ∈ [0, 2^n), write aL for the bit vector of v and aR = aL - 1^n, so that <code class="language-plaintext highlighter-rouge">&lt;aL, 2^n&gt; = v</code>, <code class="language-plaintext highlighter-rouge">aL ∘ aR = 0^n</code> and <code class="language-plaintext highlighter-rouge">aL - aR = 1^n</code>. With verifier challenges y, z these three relations collapse into one inner product:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>< aL - z * 1^n, y^n · (aR + z * 1^n) + z^2 * 2^n >
= < aL, y^n · (aR + z * 1^n) >
+ < aL, z^2 * 2^n >
+ < - z * 1^n, y^n · (aR + z * 1^n) >
- z^3 * <1^n, 2^n>
= <aL · aR, y^n> + <aL, y^n · z * 1^n>
+ z^2 * <aL, 2^n>
- z * <1^n, y^n · aR>
- z^2 * <1^n, y^n>
- z^3 * <1^n, 2^n>
= 0 + z * <aL, y^n>
+ z^2 * v
- z * <aR, y^n>
- z^2 * <1^n, y^n>
- z^3 * <1^n, 2^n>
= z * <aL -aR, y^n>
+ z^2 * v
- z^2 * <1^n, y^n>
- z^3 * <1^n, 2^n>
= z^2 *v
+ (z - z^2) * <1^n, y^n>
- z^3 * <1^n, 2^n>
= z^2 * v
+ δ(y, z)
</code></pre></div></div>
<p>To hide aL and aR, introduce blinding vectors sL and sR.</p>
<p>A is the commitment to aL/aR, S the commitment to sL/sR.</p>
<p>Combining with the inner product above, build linear vector polynomials from aL/aR/sL/sR:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>l(X) = (aL - z * 1^n) + sL · X
r(X) = y^n · (aR + z * 1^n + sR · X) + z^2 * 2^n
t(X) = <l(X), r(X)> = t0 + t1 · X + t2 · X^2
clearly, t0 = z^2 * v + δ(y, z)
</code></pre></div></div>
<p>Then construct the checks:</p>
<ul>
<li>commitments T1, T2 to t1, t2 (t0 is tied to the commitment V of v through the relation above)</li>
<li>a commitment P to l(x), r(x) at the verifier's challenge x</li>
<li>the claimed t̂ equals <code class="language-plaintext highlighter-rouge"><l, r></code></li>
</ul>
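<p>Added example, not code from the Bulletproofs paper: the identity t0 = z^2·v + δ(y, z) and the polynomials l(X), r(X), t(X) above, worked numerically over a constructed prime field (2^255 - 19, an arbitrary choice). Commitments and the inner-product argument are left out; the point is to see which relations the identity actually enforces. Values of y, z, sL, sR are drawn from a seeded RNG in place of the verifier's challenges. Two cheating cases are included: a v that does not fit in n bits, and an aL that encodes v correctly but is not binary.</p>

```python
# Added example (not from the Bulletproofs paper): the range-proof identity
# t0 = z^2·v + δ(y, z) checked numerically, with l(X), r(X), t(X) as above.
import random

q = 2**255 - 19   # constructed field modulus for the demo; any prime works

def vec_inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % q

def hadamard(a, b):
    return [x * y % q for x, y in zip(a, b)]

def powers(base, n):
    """(1, base, base^2, ..., base^(n-1)), i.e. the vector y^n / 2^n."""
    out, cur = [], 1
    for _ in range(n):
        out.append(cur); cur = cur * base % q
    return out

def delta(y, z, n):
    """δ(y, z) = (z - z^2)·<1^n, y^n> - z^3·<1^n, 2^n>"""
    return ((z - z * z) * sum(powers(y, n)) - z**3 * (2**n - 1)) % q

def bit_vectors(v, n):
    """aL = the n low bits of v (least significant first), aR = aL - 1^n."""
    aL = [(v >> i) & 1 for i in range(n)]
    return aL, [(bit - 1) % q for bit in aL]

def t_poly(aL, aR, sL, sR, y, z, n):
    """Coefficients (t0, t1, t2) of t(X) = <l(X), r(X)> for
    l(X) = (aL - z·1^n) + sL·X and r(X) = y^n ∘ (aR + z·1^n + sR·X) + z^2·2^n."""
    yn, two_n = powers(y, n), powers(2, n)
    l0 = [(a - z) % q for a in aL]
    r0 = [(yi * (a + z) + z * z * t) % q for yi, a, t in zip(yn, aR, two_n)]
    r1 = hadamard(yn, sR)
    t0 = vec_inner(l0, r0)
    t1 = (vec_inner(l0, r1) + vec_inner(sL, r0)) % q
    t2 = vec_inner(sL, r1)
    return t0, t1, t2

def lr_at(aL, aR, sL, sR, y, z, n, x):
    """l(x) and r(x) as the prover would reveal them at the challenge x."""
    yn, two_n = powers(y, n), powers(2, n)
    l = [(a - z + s * x) % q for a, s in zip(aL, sL)]
    r = [(yi * (a + z + s * x) + z * z * t) % q for yi, a, s, t in zip(yn, aR, sR, two_n)]
    return l, r

def t0_consistent(v, n, seed=7, aL_override=None):
    """True iff t0 == z^2·v + δ(y, z), i.e. the committed bits really encode v in [0, 2^n)."""
    rng = random.Random(seed)
    y, z = rng.randrange(1, q), rng.randrange(1, q)
    sL = [rng.randrange(q) for _ in range(n)]; sR = [rng.randrange(q) for _ in range(n)]
    aL, aR = bit_vectors(v, n)
    if aL_override is not None:            # a cheating prover's non-binary aL
        aL = aL_override; aR = [(a - 1) % q for a in aL]
    t0, _, _ = t_poly(aL, aR, sL, sR, y, z, n)
    return t0 == (z * z * v + delta(y, z, n)) % q
```

The non-binary case matters in practice: aL = (2, 0, 0, …) still satisfies <aL, 2^n> = v and aL - aR = 1^n, and only the aL ∘ aR = 0^n term, weighted by y^n, catches it.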
<h2 id="logarithmic-range-proof">Logarithmic Range Proof</h2>
<p>Combining the Inner-Product Argument with the Inner-Product Range Proof avoids sending l and r in full; the range proof shrinks to <code class="language-plaintext highlighter-rouge">2⌈log2(n)⌉ + 4</code> group elements (A, S, T1, T2 and the L, R pairs of the inner-product rounds) plus 5 field elements (τx, μ, t̂ and the final a, b).</p>
<p>That is logarithmic in n.</p>
<h2 id="aggregating-logarithmic-proofs">Aggregating Logarithmic Proofs</h2>
<p>Concatenate the m individual proofs into one vector of size <code class="language-plaintext highlighter-rouge">n*m</code>; after the same inner-product optimisation and logarithmic reduction the aggregate proof is <code class="language-plaintext highlighter-rouge">2⌈log2(n*m)⌉ + 4</code> group elements.</p>
<p>So aggregating m proofs costs only an additive 2⌈log2(m)⌉ elements over a single proof.</p>
<h2 id="non-interactive-proof-through-fiat-shamir">Non-Interactive Proof through Fiat-Shamir</h2>
<p>Change how y, z (and x) are generated in the Inner-Product Range Proof: derive each challenge by hashing the transcript so far (A, S for y and z; T1, T2 for x) instead of receiving it from the verifier. The hash must cover everything the prover has committed to up to that point, or the prover can choose commitments after seeing the challenge.</p>
<h2 id="mpc">mpc</h2>
<p>See the dealer-based MPC protocol in the paper: a dealer generates the shared challenges, collects each party's partial proof elements and assembles one aggregated proof.</p>
<h2 id="inner-product-proof-for-arithmetic-circuits">Inner-Product Proof for Arithmetic Circuits</h2>
<p>Note that t2 is determined by the commitments V and the public constants, so the prover commits only to t1, t3, t4, t5, t6 (T1, T3, T4, T5, T6); the verifier uses them together with V to check t(x).</p>
<p><code class="language-plaintext highlighter-rouge">h' = h^(y^(-n))</code>; note that h' and h are G^n elements here.</p>
<p>Then check l(x), r(x) against P as in the range proof.</p>
<h1 id="scalable-zero-knowledge-via-cycles-of-elliptic-curves">Scalable Zero Knowledge via Cycles of Elliptic Curves</h1>
<p><a href="https://eprint.iacr.org/2014/595.pdf">Scalable Zero Knowledge via Cycles of Elliptic Curves</a></p>
<h1 id="nova">Nova</h1>
<p><a href="https://eprint.iacr.org/2021/370.pdf">Nova: Recursive Zero-Knowledge Arguments from Folding Schemes</a></p>
<p>Builds recursive zk arguments via incrementally verifiable computation (IVC), where each step folds the new instance into a running one instead of verifying a proof inside the circuit.</p>
<p>Relaxed R1CS treats both W and E as witness; when folding, their commitments W', E' (W̄, Ē in the paper) are combined with the same linear map as the witness.</p>
<p>Relaxed R1CS:
A, B, C ∈ F^(m x m)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>public scalar u ∈ F
public x ∈ F^l
witness W ∈ F^(m−l−1)
Z = (W, x, u)
Folding:
T = AZ1 ◦ BZ2 + AZ2 ◦ BZ1 − u1CZ2 − u2CZ1
Z ← Z1 + r · Z2,  u ← u1 + r · u2
E ← E1 + r · T + r^2 · E2
E ∈ F^m
AZ ◦ BZ = (u1 + r · u2) · C(Z1 + rZ2) + E
= uCZ + E
...
</code></pre></div></div>
<p>Construction 1:
E’ = Com(ppE , E, rE )
W’ = Com(ppW , W, rW )
T’ = Com(ppE , T, rT )
Folding two relaxed R1CS instance/witness pairs yields a new instance/witness pair:
instance (E’, u, W’, x)
witness (E, rE , W, rW )
The instance folds with the same linear map as the witness: E’ ← E’1 + r · T’ + r^2 · E’2, u ← u1 + r · u2, W’ ← W’1 + r · W’2, x ← x1 + r · x2, with rE ← rE1 + r · rT + r^2 · rE2 and rW ← rW1 + r · rW2 on the witness side. This is why the commitment has to be additively homomorphic, and why the verifier needs only T’ (not T) to fold.</p>
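<p>Added example, not code from the Nova paper: relaxed-R1CS folding on the witness side for a constructed toy circuit (x^3 + x + 5 = out, with Z = (W, x, u) ordered as the paper does), over a constructed prime field 2^61 - 1. The commitments W', E', T' and their randomness are left out; the block checks that AZ ∘ BZ = u·CZ + E survives folding, including the r^2·E2 term when both inputs are already relaxed, and that folding a non-satisfying instance yields a non-satisfying one. Challenges r come from a seeded RNG in place of the verifier.</p>

```python
# Added example (not from the Nova paper): relaxed-R1CS folding on the witness
# side, over a constructed prime field, for the toy circuit x^3 + x + 5 = out.
import random

F = 2**61 - 1   # constructed prime modulus

# Constructed R1CS; Z = (W, x, u) with W = (x_in, v1, v2, v3), public x = (out), u last.
A = [[1, 0, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0], [1, 0, 1, 0, 0, 0], [0, 0, 0, 1, 0, 5]]
B = [[1, 0, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 1], [0, 0, 0, 0, 0, 1]]
C = [[0, 1, 0, 0, 0, 0], [0, 0, 1, 0, 0, 0], [0, 0, 0, 1, 0, 0], [0, 0, 0, 0, 1, 0]]

def matvec(M, z):
    return [sum(m * zi for m, zi in zip(row, z)) % F for row in M]

def had(a, b):
    return [x * y % F for x, y in zip(a, b)]

def strict_instance(x_in):
    """A satisfying plain R1CS instance viewed as relaxed: u = 1, E = 0."""
    v1 = x_in * x_in % F; v2 = v1 * x_in % F; v3 = (v2 + x_in) % F
    return {"Z": [x_in, v1, v2, v3, (v3 + 5) % F, 1], "u": 1, "E": [0] * len(A)}

def satisfied(inst):
    """Relaxed R1CS check: AZ ∘ BZ == u·CZ + E (and the u slot of Z agrees with u)."""
    Z, u, E = inst["Z"], inst["u"], inst["E"]
    lhs = had(matvec(A, Z), matvec(B, Z))
    rhs = [(u * c + e) % F for c, e in zip(matvec(C, Z), E)]
    return lhs == rhs and Z[-1] == u

def fold(i1, i2, r):
    """Fold two relaxed instances with challenge r (NIFS.P without the commitments)."""
    Z1, Z2 = i1["Z"], i2["Z"]
    az1, bz1, cz1 = matvec(A, Z1), matvec(B, Z1), matvec(C, Z1)
    az2, bz2, cz2 = matvec(A, Z2), matvec(B, Z2), matvec(C, Z2)
    # T = AZ1∘BZ2 + AZ2∘BZ1 − u1·CZ2 − u2·CZ1  (the cross term)
    T = [(p + q - i1["u"] * c2 - i2["u"] * c1) % F
         for p, q, c1, c2 in zip(had(az1, bz2), had(az2, bz1), cz1, cz2)]
    return {
        "Z": [(a + r * b) % F for a, b in zip(Z1, Z2)],        # W, x and u all fold linearly
        "u": (i1["u"] + r * i2["u"]) % F,
        "E": [(e1 + r * t + r * r * e2) % F for e1, t, e2 in zip(i1["E"], T, i2["E"])],
    }

def fold_chain(inputs, seed=3):
    """Fold four inputs pairwise, then fold the two relaxed results (exercises the r^2·E2 term)."""
    rng = random.Random(seed)
    insts = [strict_instance(x) for x in inputs]
    left = fold(insts[0], insts[1], rng.randrange(1, F))
    right = fold(insts[2], insts[3], rng.randrange(1, F))
    return fold(left, right, rng.randrange(1, F))
```

With the commitments in place, the verifier performs the same three linear combinations on (E', u, W', x) using only T' from the prover, which is what keeps the per-step verifier work constant.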