Fairness & Privacy

Origin: priewienv's secret sharing drew my attention.

Some nice books & papers:

Q: is there an efficient way to do simple private information retrieval to get 1 out of N items, without the sender knowing which out of the N was requested?

A: oblivious transfer

  • 1-out-of-n oblivious transfer is incomparable to private information retrieval (PIR). On the one hand, 1-out-of-n oblivious transfer imposes an additional privacy requirement for the database: namely, that the receiver learn at most one of the database entries. On the other hand, PIR requires communication sublinear in n, whereas 1-out-of-n oblivious transfer has no such requirement.
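The contrast drawn in the answer above can be made concrete. The following is an added example, not code from the page or from the answer's author: the RSA-based oblivious transfer of Even, Goldreich and Lempel, written for 1-out-of-n. The sender publishes n random values x_0..x_{n-1}; the receiver blinds only the one it wants with k^e, so the sender sees a uniformly random v and learns nothing about the index; the sender then unblinds every slot with its private exponent, so only the chosen slot yields the receiver's k. The toy modulus built from two Mersenne primes and the three-item database are constructed for illustration. Note that the sender still transmits all n blinded items, which is exactly the linear communication the answer contrasts with PIR.

```python
import secrets

# Constructed toy RSA key from two Mersenne primes: far too small for real use,
# but the arithmetic is the genuine textbook protocol.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sender_offer(n_items):
    """Step 1 (sender): one random value per database slot, sent in the clear."""
    return [secrets.randbelow(N) for _ in range(n_items)]


def receiver_choose(xs, choice):
    """Step 2 (receiver): blind the chosen slot with k^e. v = x_choice + k^e is uniform,
    so the sender cannot tell which x_i was used."""
    k = secrets.randbelow(N - 2) + 2
    v = (xs[choice] + pow(k, E, N)) % N
    return v, k


def sender_respond(messages, xs, v):
    """Step 3 (sender): k_i = (v - x_i)^d for every slot. Only the chosen slot gives k;
    the others are RSA inverses of values the receiver cannot compute."""
    return [(m + pow((v - x) % N, D, N)) % N for m, x in zip(messages, xs)]


def receiver_recover(blinded, choice, k):
    """Step 4 (receiver): strip k from the chosen slot."""
    return (blinded[choice] - k) % N


def run_ot(messages, choice):
    """Full exchange. Returns the chosen message and the receiver's best guesses for
    the other slots (wrong except with negligible probability)."""
    assert all(0 <= m < N for m in messages)
    xs = sender_offer(len(messages))
    v, k = receiver_choose(xs, choice)
    blinded = sender_respond(messages, xs, v)
    got = receiver_recover(blinded, choice, k)
    other_guesses = [(b - k) % N for i, b in enumerate(blinded) if i != choice]
    return got, other_guesses


if __name__ == "__main__":
    db = [1111, 2222, 3333]  # constructed three-item database
    print(run_ot(db, 1))
```

The receiver's privacy rests on v being uniformly distributed whatever the choice; the sender's privacy rests on the receiver being unable to compute (v - x_i)^d for the slots it did not blind.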

1. DKG

2. MPC

  • correctness (of the output)
  • privacy
  • independence of inputs
  • fairness
    • if one party obtains the output, every other party must obtain it too
  • guaranteed output delivery
    • every honest party obtains the output

2.1. Homomorphic Encryption

  • The computations are represented as either Boolean or arithmetic (addition and multiplication over a field) circuits.
  • What is the link, if any, between Zero Knowledge Proof (ZKP) and Homomorphic encryption?
  • classification
    • partially homomorphic
      • supports only one operation (addition or multiplication, not both)
    • somewhat homomorphic
      • supports both gate types (both operations), but only for a subset of circuits
    • leveled fully homomorphic
      • arbitrary circuits up to a depth fixed in advance
    • fully homomorphic
      • arbitrary circuits of unbounded depth
      • for practical applications, multiplicative depth is what matters most
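To make the "partially homomorphic" class concrete, here is an added example that is not from the page: Paillier encryption, which is additively homomorphic only. Multiplying two ciphertexts adds the plaintexts, and raising a ciphertext to a public constant scales the plaintext, but there is no operation on two ciphertexts that multiplies their plaintexts; that missing gate is what the somewhat, leveled and fully homomorphic classes supply. The primes are well-known constants chosen for illustration; real parameters use primes of 1024 bits or more.

```python
import secrets
from math import gcd

# Constructed toy parameters: two well-known 30-bit primes. Insecure size, correct algebra.
P = 1_000_000_007
Q = 1_000_000_009
N = P * Q
N2 = N * N
G = N + 1                                       # standard choice of generator
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)    # lambda = lcm(p - 1, q - 1)


def _L(x):
    """The L function from the Paillier paper: L(x) = (x - 1) / n."""
    return (x - 1) // N


MU = pow(_L(pow(G, LAM, N2)), -1, N)            # mu = L(g^lambda mod n^2)^-1 mod n


def encrypt(m):
    """c = g^m * r^n mod n^2 with fresh randomness r, so equal plaintexts give different ciphertexts."""
    assert 0 <= m < N
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N) == 1:
            break
    return pow(G, m, N2) * pow(r, N, N2) % N2


def decrypt(c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    return _L(pow(c, LAM, N2)) * MU % N


def add(c1, c2):
    """Homomorphic addition: the product of two ciphertexts encrypts the sum of their plaintexts."""
    return c1 * c2 % N2


def scale(c, k):
    """Multiplication by a public constant k: c^k encrypts k * m. Two ciphertexts cannot be multiplied."""
    return pow(c, k, N2)


def private_sum(values):
    """Client encrypts each value, an aggregator without the key adds them, client decrypts.
    The true sum must stay below N or it wraps."""
    cts = [encrypt(v) for v in values]
    acc = cts[0]
    for c in cts[1:]:
        acc = add(acc, c)
    return decrypt(acc)


if __name__ == "__main__":
    print(private_sum([1, 2, 3, 4]))              # constructed inputs
    print(decrypt(add(encrypt(3), encrypt(4))))    # 7, the sum, not 12: no multiplicative gate
```

The only "multiplication" Paillier offers is by a public scalar, which is why it sits in the partially homomorphic row and why any circuit with a ciphertext-times-ciphertext gate needs one of the stronger schemes.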

2.2. Garbled Circuit & Oblivious Transfer

Also closely tied to circuits: a garbled circuit evaluates a Boolean circuit gate by gate on encrypted wire labels, and OT is how the evaluator obtains the labels for its own input bits without revealing those bits to the garbler.

2.3. Verifiable Secret Sharing

When reconstructing the secret, VSS tolerates malicious participants (ones submitting fake shares): each share can be checked against public commitments before it is used, so a bad share is rejected instead of silently corrupting the result.

Shamir's Secret Sharing Scheme, SSSS

It is just threshold secret sharing: a (t, n) scheme in which any t shares reconstruct the secret and any t - 1 shares reveal nothing about it.
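An added example, not code from the page, covering both the VSS remark above and Shamir's scheme: (t, n) Shamir sharing over a prime field plus Feldman's verifiable extension, in which the dealer publishes g^{a_j} for every polynomial coefficient so that anyone can check a share without learning it. That check is what lets reconstruction survive a participant who submits a fake share. The group (p = 2039, q = 1019, g = 4) is a toy safe-prime group chosen for illustration, and the secret, threshold and tampered share in the demo are constructed.

```python
import secrets

# Constructed toy group: safe prime P = 2*Q + 1, and G = 4 (a square) generates the order-Q subgroup.
# Secrets and shares live in Z_Q; commitments live in Z_P^*. Real parameters are thousands of bits.
Q = 1019
P = 2039
G = 4


def make_shares(secret, t, n):
    """Dealer: random degree-(t-1) polynomial f with f(0) = secret; share i is f(i).
    Feldman: publish commitment G^a_j for every coefficient a_j."""
    assert 0 <= secret < Q and 1 <= t <= n < Q
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    shares = [(i, sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q) for i in range(1, n + 1)]
    return shares, commitments


def verify_share(share, commitments):
    """Anyone can check G^s == prod_j C_j^(i^j) mod P without learning the polynomial."""
    i, s = share
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, s, P) == expected


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_Q from exactly t distinct shares."""
    secret = 0
    for i, s in shares:
        num = den = 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + s * num * pow(den, -1, Q)) % Q
    return secret


def reconstruct_verified(shares, commitments, t):
    """VSS-style reconstruction: drop every share that fails verification, then interpolate
    from t good ones. Plain reconstruct() with a fake share returns garbage silently."""
    good = [sh for sh in shares if verify_share(sh, commitments)]
    if len(good) < t:
        raise ValueError("not enough valid shares")
    return reconstruct(good[:t])


def demo(secret=777, t=3, n=5):
    """One malicious participant hands in a modified share; compare plain and verified reconstruction."""
    shares, commitments = make_shares(secret, t, n)
    i, s = shares[1]
    fake = (i, (s + 1) % Q)                       # constructed fake share
    mixed = [shares[0], fake, shares[2], shares[3]]
    return {
        "all_valid": all(verify_share(sh, commitments) for sh in shares),
        "fake_detected": not verify_share(fake, commitments),
        "plain_reconstruct_fooled": reconstruct(mixed[:t]) != secret,
        "verified_reconstruct": reconstruct_verified(mixed, commitments, t),
        "any_t_subset": reconstruct(shares[-t:]) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

Feldman commitments leak g^{secret}, which is fine when the secret is a discrete-log key (that value is the public key anyway) but not for an arbitrary secret; Pedersen's variant hides it at the cost of a second generator.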

Related, but not (necessarily) VSS:

multi-signature

Bitcoin's original multi-signature (BIP 11, 16, 17) is in fact a bit related to Shamir's Secret Sharing:

Shamir's Secret Sharing Scheme (ssss)[2] is a general software implementation of multisig.

The MuSig paper says:

Multi-signature protocols, first introduced by Itakura and Nakamura [IN83], allow a group of signers (each possessing its own private/public key pair) to produce a single signature σ on a message m. Verification of the validity of a purported signature σ can be publicly performed given the message and the set of public keys of all signers. A trivial way to transform a standard signature scheme into a multi-signature scheme is to have each signer produce a stand-alone signature for m with its private key and to concatenate all individual signatures. However, the size of the multi-signature in that case grows linearly with the number of signers.

(So I still cannot find a name for it... so just call it the standard-signature-scheme-transformed [IN83] scheme? *runs away*)

Also, the MuSig paper says that Schnorr multi-signatures were proposed in [BN06], and Schnorr signatures themselves in [Sch91].

3. Threshold Signature Scheme

The private key is split into pieces that are stored separately; when a signature is needed, the parties produce it jointly with MPC, without ever assembling the key.

Unlike a traditional multisig scheme, where there are several independent private keys (each a leak risk, especially if reused): traditional multisig lives on-chain and depends on which curve the chain uses. TSS is off-chain, purely cryptographic computation whose only purpose is to produce an ordinary signature, so it is compatible with more chains.

It also differs from plain secret sharing: secret sharing splits the key too, but in the end a dealer has to reconstruct the key and sign with it, which is a single point of failure and a window in which the reconstructed key can leak. TSS never reconstructs the key, so there is no key to leak. (TSS has other nice features as well: proactive share refresh, often called key rotation, changes the shares while the public key stays the same, which makes an attacker's job harder since previously stolen shares become useless.)

4. Timed Commitments

  • the receiver is essentially guaranteed (with high probability) to recover the committed value, e.g. a signature, from the commitment after a given time
    • makes use of the time needed for computing repeated squarings
      • gradual revealing, which removes the possibility of just retrying again and again
    • high computing power does not speed it up (the squarings are inherently sequential)
    • the committer also needs to convince the receiver that the commitment is indeed a commitment to the desired signature
      • uses a ZKP (a simulator can produce...)
  • there is also a proof that serves as a shortcut for verification, so that others do not need to repeat the recovery process in order to verify
  • not sure whether the use of a CA introduces problems?
  • applications
    • contract signing
    • collective coin-flipping
    • honesty-preserving auctions
    • in zero-knowledge
      • constant time/rounds by using forced opening
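The squaring mechanism from the first bullet, as an added example that is not from the page or from the timed-commitments paper: a Rivest-Shamir-Wagner style time-lock puzzle, which is the building block those bullets describe. The committer knows phi(n), so it reduces the exponent 2^t modulo phi(n) and computes base^(2^t) mod n in one short exponentiation; the receiver has no trapdoor and must perform t squarings one after another, and because each squaring needs the previous result, adding processors does not help. The zero-knowledge proof that the commitment is well formed and the verification shortcut from the later bullets are not modelled here. The modulus (two Mersenne primes), the base and the committed bytes are constructed for illustration.

```python
import hashlib

# Constructed toy modulus from two Mersenne primes; a real puzzle uses an RSA-size n.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
N_BYTES = (N.bit_length() + 7) // 8


def _pad(y):
    """One-time pad derived from the puzzle solution y; committed values are at most 32 bytes."""
    return hashlib.sha256(y.to_bytes(N_BYTES, "big")).digest()


def commit(value, base, t):
    """Committer side (knows phi(n)): y = base^(2^t) mod n costs one exponentiation because
    2^t can first be reduced modulo phi(n). Returns the commitment (masked value, base, t)."""
    assert len(value) <= 32
    e = pow(2, t, PHI)                      # the trapdoor shortcut
    y = pow(base, e, N)
    masked = bytes(a ^ b for a, b in zip(value, _pad(y)))
    return masked, base, t


def force_open(commitment):
    """Receiver side (no trapdoor): t sequential squarings. Step k needs the result of step k-1,
    so the work cannot be split across machines; only t fixes how long it takes."""
    masked, base, t = commitment
    y = base % N
    for _ in range(t):
        y = y * y % N
    return bytes(a ^ b for a, b in zip(masked, _pad(y)))


def trapdoor_open(commitment):
    """The committer can open instantly; shown for comparison with force_open."""
    masked, base, t = commitment
    y = pow(base, pow(2, t, PHI), N)
    return bytes(a ^ b for a, b in zip(masked, _pad(y)))


if __name__ == "__main__":
    c = commit(b"sig=deadbeef", 0xC0FFEE, 1 << 16)   # constructed value and base
    print(force_open(c))
```

Choosing t calibrates the delay against the fastest sequential squaring an adversary can buy, which is the parameter the "high computing power" bullet is really about: more cores do nothing, a faster single core does a little.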

5. Atomic Swap

Some explanations of atomic swaps. Can be rephrased for the paper.

  • https://en.wikipedia.org/wiki/Atomicity_(database_systems)
    • An indivisible and irreducible series of operations such that either all occur, or nothing occurs.
    • At one moment in time, it has not yet happened, and at the next it has already occurred in whole (or nothing happened if the transaction was cancelled in progress).
  • Atomic Cross-Chain Swaps, https://arxiv.org/pdf/1801.09515.pdf
    • An atomic swap protocol guarantees
      • (1) if all parties conform to the protocol, then all swaps take place,
      • (2) if some coalition deviates from the protocol, then no conforming party ends up worse off, and
      • (3) no coalition has an incentive to deviate from the protocol.

6. Differential Privacy

Inject noise or perturbation into the query answers.

Whether or not a given individual is in the dataset has only a bounded effect on the (randomised) query result.

An attacker cannot reliably infer, from any query against the dataset or from background knowledge, whether that individual is in it.

If presence or absence in the dataset does not noticeably change the final query result, the individual can be treated as if they were not in the dataset, and if they are not in it, their data naturally cannot leak.

(Google: https://github.com/google/differential-privacy) (Apple also uses differential privacy, I think, but not open source?)
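The "bounded effect" above is the Laplace mechanism in its simplest form. The following is an added example, not from the page or from Google's library: a counting query answered with Laplace noise of scale 1/epsilon (a count changes by at most 1 when one record is added or removed, so sensitivity is 1), run on a dataset and on its neighbour with one user removed, plus a check that the log-ratio of output densities between the two never exceeds epsilon. The dataset is constructed.

```python
import math
import random

# Constructed sample dataset: one record per user, True if the user has the attribute we count.
DATASET = [True, False, True, True, False, True, False, False, True, True]


def count_query(records):
    """The non-private query: how many records have the attribute."""
    return sum(1 for r in records if r)


def laplace_sample(scale, rng):
    """Draw from Laplace(0, scale) by inverting its CDF."""
    while True:
        u = rng.random() - 0.5
        if abs(u) < 0.5:
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, epsilon, rng):
    """Laplace mechanism. Global sensitivity of a count is 1, so noise with scale
    1/epsilon gives epsilon-differential privacy for this single query."""
    sensitivity = 1.0
    return count_query(records) + laplace_sample(sensitivity / epsilon, rng)


def laplace_pdf(x, scale):
    return math.exp(-abs(x) / scale) / (2.0 * scale)


def max_privacy_loss(epsilon, true_count, grid=2000):
    """Worst |log(P[output | with individual] / P[output | without])| over a grid of outputs,
    for neighbouring datasets whose counts are c and c - 1. Must never exceed epsilon."""
    scale = 1.0 / epsilon
    worst = 0.0
    for k in range(-grid, grid + 1):
        x = true_count + k / 100.0
        with_ind = laplace_pdf(x - true_count, scale)
        without = laplace_pdf(x - (true_count - 1), scale)
        worst = max(worst, abs(math.log(with_ind / without)))
    return worst


def demo(epsilon=0.5, seed=7):
    """Same query on the dataset and on its neighbour with the last user removed."""
    rng = random.Random(seed)
    neighbour = DATASET[:-1]
    return {
        "true": count_query(DATASET),
        "true_neighbour": count_query(neighbour),
        "noisy": dp_count(DATASET, epsilon, rng),
        "noisy_neighbour": dp_count(neighbour, epsilon, rng),
        "max_loss": max_privacy_loss(epsilon, count_query(DATASET)),
    }


if __name__ == "__main__":
    print(demo())
```

The guarantee is per query: asking the same count repeatedly and averaging the answers consumes a fresh epsilon each time, which is why real deployments track a privacy budget rather than fixing epsilon once.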

7. Projects

8. How to store passwords securely?

```
auth_key        = HMAC-SHA256(key=stretched_key, "Auth Key")
c1              = HMAC-SHA256(key=stretched_key, "Master Key Encryption")
c2              = Secure-Random(output_length=32)

master_key      = HMAC-SHA256(key=c1, c2)
application_key = HMAC-SHA256(key=master_key, "Social Graph Encryption")
```

+ application_key: one key per application, derived from master_key with a different label for each app
+ `c2` is random: everything else can be regenerated from the password, but `c2` must be persisted
    * store `c2` encrypted under `auth_key`
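The derivation tree above, as an added runnable example that is not the page's own code. The sketch does not say how `stretched_key` is produced, so PBKDF2-HMAC-SHA256 with a per-user salt is assumed here; the second application label `"Mail Encryption"` and the iteration count are also assumptions. The example checks the properties the bullets rely on: the same password, salt and `c2` re-derive identical keys, a different `c2` gives a different master key, application keys are independent of each other, and the key used for authentication is distinct from the one that protects data. Wrapping `c2` under `auth_key` for storage would be done with an AEAD and is not shown.

```python
import hashlib
import hmac
import secrets


def stretch(password, salt, iterations=100_000):
    """Password stretching. PBKDF2-HMAC-SHA256 is assumed; the sketch only says 'stretched_key'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def derive(key, label):
    """One HMAC-SHA256 derivation step, exactly as in the sketch."""
    return hmac.new(key, label, hashlib.sha256).digest()


def derive_keys(password, salt, c2):
    """Rebuild the whole tree from the password plus the two persisted values (salt, c2)."""
    stretched = stretch(password, salt)
    auth_key = derive(stretched, b"Auth Key")                 # presented to the server for login
    c1 = derive(stretched, b"Master Key Encryption")          # never leaves the client
    master_key = derive(c1, c2)
    return {
        "auth_key": auth_key,
        "master_key": master_key,
        "social_graph_key": derive(master_key, b"Social Graph Encryption"),
        "mail_key": derive(master_key, b"Mail Encryption"),   # assumed second application label
    }


def enroll(password):
    """First-time setup: fresh salt and fresh random c2, both of which must be stored."""
    salt = secrets.token_bytes(16)
    c2 = secrets.token_bytes(32)
    return salt, c2, derive_keys(password, salt, c2)


def check_properties(password="correct horse battery staple"):
    """Properties the scheme depends on, returned as booleans so they can be asserted."""
    salt, c2, keys = enroll(password)
    again = derive_keys(password, salt, c2)
    lost_c2 = derive_keys(password, salt, secrets.token_bytes(32))
    wrong_pw = derive_keys(password + "!", salt, c2)
    return {
        "rederivable": keys == again,
        "c2_required": lost_c2["master_key"] != keys["master_key"],
        "wrong_password_fails_auth": wrong_pw["auth_key"] != keys["auth_key"],
        "apps_independent": keys["social_graph_key"] != keys["mail_key"],
        "auth_key_not_master": keys["auth_key"] != keys["master_key"],
    }


if __name__ == "__main__":
    print(check_properties())
```

The split between `auth_key` and `c1` is the point of the design: a server that stores or sees `auth_key` can authenticate the user but cannot derive `c1`, so it never holds anything that decrypts the master key or the application data.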
Copyright © ChrisLinn 2017-2018, all rights reserved. Powered by GitBook. File last revised: 2020-02-15 15:47:54
