Fairness & Privacy

Origin: priewienv's secret sharing drew my attention.

Some nice books & papers:

Q: is there an efficient way to do simple private information retrieval to get 1 out of N items, without the sender knowing which out of the N was requested?

A: oblivious transfer

  • 1-out-of-n oblivious transfer is incomparable to private information retrieval (PIR). On the one hand, 1-out-of-n oblivious transfer imposes an additional privacy requirement for the database: namely, that the receiver learn at most one of the database entries. On the other hand, PIR requires communication sublinear in n, whereas 1-out-of-n oblivious transfer has no such requirement.
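As an added example (not part of the quoted Q&A above), here is the 1-out-of-n oblivious transfer that answers the question, in Python: the classic RSA-based construction of Even, Goldreich and Lempel, written for n entries instead of two. The Sender/Receiver classes, the message values and the toy RSA modulus (built from two Mersenne primes) are constructed for illustration. It is secure only against honest-but-curious parties, and, matching the quoted bullet, its communication is linear in n: the sender ships n random values and n masked entries, which is exactly why this is OT and not PIR.

```python
"""1-out-of-n oblivious transfer, RSA-based (Even-Goldreich-Lempel style)."""
import secrets

# Constructed toy RSA key: p, q are the Mersenne primes 2^31-1 and 2^61-1.
# Far too small for real use; 65537 is coprime to (p-1)(q-1) for these primes.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


class Sender:
    """Holds the n database entries m_0..m_{n-1} (integers below N)."""

    def __init__(self, messages):
        self.messages = [m % N for m in messages]
        self.x = None

    def step1(self):
        # One random value per entry, sent in the clear together with the public key.
        self.x = [secrets.randbelow(N) for _ in self.messages]
        return N, E, list(self.x)

    def step3(self, v):
        # k_i = (v - x_i)^d mod N.  Exactly one of these equals the receiver's k,
        # but v is uniformly distributed whatever b is, so the sender cannot tell which.
        ks = [pow((v - xi) % N, D, N) for xi in self.x]
        return [(m + k) % N for m, k in zip(self.messages, ks)]


class Receiver:
    """Wants entry b and nothing else; must not reveal b."""

    def __init__(self, b):
        self.b = b
        self.k = None
        self.blinded = None

    def step2(self, n_mod, e, xs):
        # Blind the chosen x_b with a fresh random k:  v = x_b + k^e (mod N).
        self.k = secrets.randbelow(n_mod)
        return (xs[self.b] + pow(self.k, e, n_mod)) % n_mod

    def step4(self, blinded):
        # Entry b is masked with the k we know; every other entry is masked with
        # (v - x_i)^d, which needs the private exponent d we do not have.
        self.blinded = blinded
        return (blinded[self.b] - self.k) % N

    def guess_other(self, j):
        # What unmasking a non-chosen entry with our k yields: noise, not m_j.
        return (self.blinded[j] - self.k) % N


def run_ot(messages, b):
    """Run the four-message exchange; returns (m_b, whether any other entry leaked)."""
    sender, receiver = Sender(messages), Receiver(b)
    n_mod, e, xs = sender.step1()          # S -> R: public key and x_0..x_{n-1}
    v = receiver.step2(n_mod, e, xs)       # R -> S: blinded choice
    blinded = sender.step3(v)              # S -> R: all n entries, each masked
    m_b = receiver.step4(blinded)          # R unmasks only entry b
    leaked = any(receiver.guess_other(j) == messages[j] % N
                 for j in range(len(messages)) if j != b)
    return m_b, leaked
```

The receiver's privacy rests on v being a uniformly random element of Z_N regardless of b; the sender's privacy rests on the receiver being unable to compute (v - x_i)^d for i != b, i.e. on the RSA assumption.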

1. DKG

2. MPC

  • correctness (of the output)
  • privacy
  • independence of inputs
  • fairness
    • if one party obtains the output, every other party must obtain it too
  • guaranteed output delivery
    • every honest party obtains the output

2.1. Homomorphic Encryption

  • The computations are represented as either Boolean circuits or arithmetic circuits (addition and multiplication gates over a ring or field).
  • What is the link, if any, between Zero Knowledge Proof (ZKP) and Homomorphic encryption?
  • Classification
    • partially homomorphic
      • supports only one operation on ciphertexts (addition or multiplication, not both)
    • somewhat homomorphic
      • supports both gate types (operations), but only for a subset of circuits
    • leveled fully homomorphic
      • arbitrary circuits up to a depth fixed in advance (at key-generation time)
    • fully homomorphic
      • arbitrary circuits of unbounded depth
      • for practical applications, the multiplicative depth is what matters most
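An added example (not code from the page) of the first class above: a toy Paillier instance in Python. Paillier is partially homomorphic in exactly the sense described: adding two plaintexts is a multiplication of ciphertexts modulo n², and multiplying a plaintext by a known constant is a ciphertext exponentiation (repeated addition), but there is no ciphertext operation that yields Enc(a·b). The modulus is constructed from two Mersenne primes and is far too small for real use.

```python
"""Toy Paillier: additively homomorphic, i.e. partially homomorphic."""
import math
import secrets


def paillier_keygen(p, q):
    """Standard Paillier key with g = n + 1 (the usual simplification)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    # With g = n+1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (n, lam, mu)


def encrypt(pk, m):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pk
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def decrypt(sk, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, lam, mu = sk
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def add(pk, c1, c2):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2): the one operation Paillier supports."""
    n, _ = pk
    return c1 * c2 % (n * n)


def scalar_mul(pk, c, k):
    """Enc(m)^k = Enc(k * m): multiplication by a *known* constant only."""
    n, _ = pk
    return pow(c, k, n * n)


def demo():
    """Encrypt two values, add them and scale one under encryption."""
    # Constructed toy primes: 2^31-1 and 2^61-1 (Mersenne primes).
    pk, sk = paillier_keygen((1 << 31) - 1, (1 << 61) - 1)
    a, b = 123456789, 987654321
    ca, cb = encrypt(pk, a), encrypt(pk, b)
    total = decrypt(sk, add(pk, ca, cb))          # a + b, computed on ciphertexts
    scaled = decrypt(sk, scalar_mul(pk, ca, 7))   # 7 * a, likewise
    randomized = ca != encrypt(pk, a)             # same plaintext, different ciphertext
    return total, scaled, randomized
```

Note what is missing: given only `ca` and `cb` there is no way to obtain Enc(a·b). Closing that gap is what somewhat, leveled and fully homomorphic schemes do, and the price is ciphertext noise that grows with every multiplication, which is why the multiplicative depth of the circuit is the parameter that matters in practice.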

2.2. Garbled Circuit & Oblivious Transfer


2.3. Verifiable Secret Sharing

When reconstructing the secret, VSS tolerates malicious participants (submitting fake shares): every share can be checked against public commitments published by the dealer, so a bad share is detected instead of silently corrupting the result.

Shamir's Secret Sharing Scheme, SSSS

It is simply threshold secret sharing: any t of the n shares reconstruct the secret, and fewer than t reveal nothing about it.
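An added example (not code from the page or from priewienv's project) of both points above in Python: Shamir threshold sharing over Z_q, plus Feldman's commitments g^{a_j} to the polynomial coefficients, which turn it into a VSS. The demo shares a secret 3-of-5, checks every share against the commitments, then has one participant submit a tampered share at reconstruction and shows that the check catches it. Parameters are constructed at runtime: a 64-bit safe prime p = 2q + 1 (far too small for real use) and g = 4 as a generator of the order-q subgroup of Z_p^*.

```python
"""Shamir secret sharing with Feldman verifiable shares (toy parameters)."""
import secrets


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits=64):
    """Return (p, q) with p = 2q + 1 both prime; q is the sharing field size."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def shamir_split(secret, t, n, q):
    """Random degree t-1 polynomial f over Z_q with f(0) = secret; share i is (i, f(i))."""
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(t - 1)]
    shares = [(i, sum(c * pow(i, j, q) for j, c in enumerate(coeffs)) % q)
              for i in range(1, n + 1)]
    return coeffs, shares


def shamir_reconstruct(shares, q):
    """Lagrange interpolation of f at x = 0 from any t distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        secret = (secret + yi * num * pow(den, -1, q)) % q
    return secret


def feldman_commit(coeffs, g, p):
    """Dealer publishes C_j = g^{a_j} mod p; binds the polynomial without revealing it."""
    return [pow(g, c, p) for c in coeffs]


def feldman_verify(share, commits, g, p, q):
    """Share (i, s) is consistent iff g^s == prod_j C_j^{i^j} (mod p)."""
    i, s = share
    rhs = 1
    for j, cj in enumerate(commits):
        rhs = rhs * pow(cj, pow(i, j, q), p) % p
    return pow(g, s, p) == rhs


def demo(t=3, n=5):
    p, q = gen_safe_prime(64)
    g = 4                      # 4 = 2^2 is a quadratic residue, so it has order q (p > 3)
    secret = secrets.randbelow(q)
    coeffs, shares = shamir_split(secret, t, n, q)
    commits = feldman_commit(coeffs, g, p)
    all_valid = all(feldman_verify(s, commits, g, p, q) for s in shares)
    recovered = shamir_reconstruct(shares[:t], q)
    # Malicious participant 2 hands in a tampered share at reconstruction time.
    fake = (shares[1][0], (shares[1][1] + 1) % q)
    fake_detected = not feldman_verify(fake, commits, g, p, q)
    corrupted = shamir_reconstruct([shares[0], fake, shares[2]], q)   # wrong, silently
    return {"secret": secret, "recovered": recovered, "all_valid": all_valid,
            "fake_detected": fake_detected, "corrupted": corrupted}
```

Without the commitment check, plain Shamir reconstruction accepts the tampered share and returns a wrong secret with no error; with it, the bad share is rejected before interpolation. One caveat a practitioner should know: Feldman's C_0 = g^secret leaks g^secret, so the scheme is only computationally hiding; Pedersen's variant (commit with an extra random polynomial) is the usual fix when the secret must stay information-theoretically hidden.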

May not be VSS:


Bitcoin's original multi-signature (BIP #11, #16, #17) is actually somewhat related to Shamir's Secret Sharing:

Shamir's Secret Sharing Scheme (ssss)[2] is a general software implementation of multisig.

MuSig says:

Multi-signature protocols, first introduced by Itakura and Nakamura IN83, allow a group of signers (each possessing its own private/public key pair) to produce a single signature σ on a message m. Verification of the validity of a purported signature σ can be publicly performed given the message and the set of public keys of all signers. A trivial way to transform a standard signature scheme into a multi-signature scheme is to have each signer produce a stand-alone signature for m with its private key and to concatenate all individual signatures. However, the size of the multi-signature in that case grows linearly with the number of signers.

(So I still can't find a name for it... shall I just call it the standard-signature-scheme-transformed [IN83] multisig? *runs away*)

Also, MuSig says that Schnorr multi-signatures were proposed in [BN06], and Schnorr signatures themselves in [Sch91].

3. Threshold Signature Scheme


Unlike a traditional multisig scheme, which involves multiple private keys (if a key is reused elsewhere and leaks, that is dangerous) and is on-chain and therefore tied to the curve the chain uses, TSS is an off-chain, purely cryptographic computation whose goal is to produce an ordinary signature, so it is far more broadly compatible.

It also differs from secret sharing: secret sharing splits the key too, but in the end a dealer has to reconstruct the key in order to sign, which brings a single point of failure and the risk that the reconstructed key leaks. TSS never reconstructs the key, so there is no such leakage risk. (TSS has other nice features as well: key rotation, i.e. refreshing the shares, makes an attack harder still, since shares stolen before a rotation become useless.)

4. Timed Commitments

  • the receiver is guaranteed (with high probability) to recover the committed signature from the commitment after a given amount of time
    • makes use of the time needed to compute repeated squarings
      • gradual revealing, so there is no chance of getting lucky by trying again and again
    • high computing power won't speed it up (the squarings are inherently sequential)
    • the committer also needs to convince the receiver that the commitment is indeed a commitment to the desired signature
      • uses a ZKP (a simulator can produce ...)
  • there is also a proof that serves as a shortcut for verification, so others don't need to go through the recovery process again to verify
  • not sure whether the use of a CA introduces problems?
  • applications
    • Contract Signing
    • Collective coin-flipping
    • Honesty-Preserving Auctions
    • in Zero-Knowledge
      • constant time/rounds by using forced opening
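An added example (not from the page, and not Boneh and Naor's construction in full) of the repeated-squaring core the notes above describe, in Python. The committer knows φ(N) and so computes y = g^(2^t) mod N with two modular exponentiations; anyone without the trapdoor has to perform the t squarings one after another, and extra cores do not help because each squaring needs the previous result. The modulus is a constructed toy (two Mersenne primes), T is kept small so a forced opening takes a fraction of a second, and masking the committed value with SHA-256(y) is my choice; the ZK proof that the commitment is well-formed and the verification shortcut are not implemented here.

```python
"""Time-lock core of a timed commitment: sequential squarings modulo an RSA number."""
import hashlib
import secrets

# Constructed toy parameters; real use needs a ~2048-bit N whose factors are discarded.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
T = 1 << 18            # squarings the receiver must perform (toy value)


def mask_from(y):
    """256-bit one-time mask derived from the puzzle solution y."""
    nbytes = (N.bit_length() + 7) // 8
    return int.from_bytes(hashlib.sha256(y.to_bytes(nbytes, "big")).digest(), "big")


def commit(m, t=T):
    """Committer side. m is a non-negative integer below 2**256.

    Returns the commitment and the opening y the committer can release early."""
    g = secrets.randbelow(N - 2) + 2
    # Trapdoor: with phi(N) known, 2^t mod phi(N) is cheap, so y costs ~2 modexps.
    y = pow(g, pow(2, t, PHI), N)
    return (g, t, m ^ mask_from(y)), y


def open_commitment(commitment, y):
    """Normal opening: the committer releases y and the receiver unmasks instantly."""
    _, _, c = commitment
    return c ^ mask_from(y)


def force_open(commitment):
    """Receiver side without the trapdoor: t squarings in strict sequence."""
    g, t, c = commitment
    y = g
    for _ in range(t):          # each step depends on the previous one; no parallelism
        y = y * y % N
    return c ^ mask_from(y), y
```

Timing `commit` against `force_open` on this toy instance already shows the asymmetry (microseconds versus a visible delay), and the gap scales linearly in t for the receiver while staying constant for the committer. What this core does not give you is any assurance that the committer's (g, t) really hides the claimed value, which is exactly why timed commitments add the zero-knowledge consistency proof listed above.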

5. Atomic Swap

Some explanatory notes on atomic swaps, usable for rephrasing in the paper.

  • https://en.wikipedia.org/wiki/Atomicity_(database_systems)
    • An indivisible and irreducible series of operations such that either all occur, or nothing occurs.
    • At one moment in time, it has not yet happened, and at the next it has already occurred in whole (or nothing happened if the transaction was cancelled in progress).
  • Atomic Cross-Chain Swaps, https://arxiv.org/pdf/1801.09515.pdf
    • An atomic swap protocol guarantees
      • (1) if all parties conform to the protocol, then all swaps take place,
      • (2) if some coalition deviates from the protocol, then no conforming party ends up worse off, and
      • (3) no coalition has an incentive to deviate from the protocol.

6. Differential Privacy, 差分隐私





(Google: https://github.com/google/differential-privacy) (Apple also uses differential privacy, I think, but without open-source code?)

7. Projects

8. How to store passwords securely?

```
auth_key        = HMAC-SHA256(key=stretched_key, "Auth Key")
c1              = HMAC-SHA256(key=stretched_key, "Master Key Encryption")
c2              = Secure-Random(output_length=32)
master_key      = HMAC-SHA256(key=c1, c2)
application_key = HMAC-SHA256(key=master_key, "Social Graph Encryption")
```

+ application_key: a separate key can be derived from master_key for each application
+ `c2` is random: everything else can be regenerated from the password, but `c2` has to be backed up
    * store `c2` encrypted under `auth_key`
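An added example (not code from the page) that runs the key hierarchy above with Python's `hmac`/`hashlib`. The notes do not say how `stretched_key` is produced, so PBKDF2-HMAC-SHA256 over the password and a per-user salt is assumed here; the labels are the ones from the sketch. The demo re-derives the keys from password, salt and the stored `c2`, and shows which keys depend on what.

```python
"""Client-side key hierarchy: stretched_key -> auth_key / c1 -> master_key -> app keys."""
import hashlib
import hmac
import secrets


def prf(key: bytes, data) -> bytes:
    """HMAC-SHA256(key, data); the string labels act as domain separators."""
    if isinstance(data, str):
        data = data.encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def stretch(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Assumed stretching step (the notes leave the KDF unspecified): PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def derive_keys(password: bytes, salt: bytes, c2: bytes) -> dict:
    """Deterministic re-derivation from the password plus the two stored values."""
    stretched_key = stretch(password, salt)
    auth_key = prf(stretched_key, "Auth Key")              # sent to the server to log in
    c1 = prf(stretched_key, "Master Key Encryption")       # never leaves the client
    master_key = prf(c1, c2)                               # needs the backed-up random c2
    application_key = prf(master_key, "Social Graph Encryption")
    return {"auth_key": auth_key, "master_key": master_key,
            "application_key": application_key}


def enroll(password: bytes):
    """First-time setup: fresh salt and c2 = Secure-Random(32). Both must be stored."""
    salt, c2 = secrets.token_bytes(16), secrets.token_bytes(32)
    return salt, c2, derive_keys(password, salt, c2)
```

Two properties worth checking against the code: `auth_key` does not depend on `c2`, so the server can verify a login before the client has its backup, and `auth_key` and `c1` are outputs of the same PRF under different labels, so a server holding `auth_key` learns nothing about `c1` or `master_key`. Whoever holds `auth_key` can still authenticate as the user, so the server should store only a hash of it, as it would a password.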
Copyright © ChrisLinn 2017-2018, all rights reserved. Powered by GitBook. File last revised: 2020-03-25 03:02:51
