# Fairness & Privacy

Origin: priewienv's secret sharing draws my attention.

Some nice books & papers:

Q: is there an efficient way to do simple private information retrieval to get 1 out of N items, without the sender knowing which out of the N was requested?

• 1-out-of-n oblivious transfer is incomparable to private information retrieval (PIR). On the one hand, 1-out-of-n oblivious transfer imposes an additional privacy requirement for the database: namely, that the receiver learn at most one of the database entries. On the other hand, PIR requires communication sublinear in n, whereas 1-out-of-n oblivious transfer has no such requirement.

## 2. MPC

• correctness (of the output)
• privacy
• independence of inputs
• fairness
  • if one party obtains the output, then every other party must also obtain it
• guaranteed output delivery
  • every honest party obtains the output

### 2.1. Homomorphic Encryption

• The computations are represented as either Boolean or arithmetic (addition, subtraction, multiplication, division) circuits.
• What is the link, if any, between Zero Knowledge Proof (ZKP) and Homomorphic encryption?
• Classification
  • partially homomorphic
    • supports only one operation
  • somewhat homomorphic
    • supports both kinds of gates (operations), but only for a subset of circuits
  • leveled fully homomorphic
    • arbitrary operations up to a depth fixed in advance
  • fully homomorphic
    • arbitrary operations of unbounded depth
  • for practical applications, the multiplicative depth is what matters most
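To make the "partially homomorphic" class above concrete, here is a toy Paillier cryptosystem in Python. This is an added example, not code from the page or from any library: Paillier supports addition of ciphertexts (and multiplication by a known constant) but has no ciphertext-times-ciphertext operation, which is exactly the one-operation limit described in the list. The primes are small, constructed values for a quick run; real keys need primes of around 1024 bits.

```python
import math
import secrets


def _L(u: int, n: int) -> int:
    """Paillier's L function: L(u) = (u - 1) / n; the division is exact by construction."""
    return (u - 1) // n


def keygen(p: int, q: int):
    """Build a Paillier key pair from two distinct primes p and q.
    Returns (public_key, private_key) = ((n, g), (n, lambda, mu))."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lambda = lcm(p-1, q-1)
    g = n + 1                                           # standard generator choice
    n2 = n * n
    mu = pow(_L(pow(g, lam, n2), n), -1, n)             # mu = L(g^lambda mod n^2)^-1 mod n
    return (n, g), (n, lam, mu)


def encrypt(pk, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n (randomised encryption)."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n)")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(sk, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, lam, mu = sk
    return _L(pow(c, lam, n * n), n) * mu % n


def add_encrypted(pk, c1: int, c2: int) -> int:
    """The one supported operation: a product of ciphertexts encrypts the sum of plaintexts."""
    n, _ = pk
    return c1 * c2 % (n * n)


def scale_encrypted(pk, c: int, k: int) -> int:
    """Multiplication by a public constant k: c^k encrypts k * m.
    Multiplying two encrypted values together is not possible in this scheme."""
    n, _ = pk
    return pow(c, k, n * n)


if __name__ == "__main__":
    # Constructed toy primes; a server adds two encrypted salaries without seeing either.
    pk, sk = keygen(104729, 104723)
    c_sum = add_encrypted(pk, encrypt(pk, 1234), encrypt(pk, 5678))
    print("sum recovered by key holder:", decrypt(sk, c_sum))       # 6912
    print("3 * 1234 under encryption:", decrypt(sk, scale_encrypted(pk, encrypt(pk, 1234), 3)))
```

Note that every call to `encrypt` yields a different ciphertext for the same plaintext; that randomisation is what keeps the homomorphic property from leaking equality of inputs.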

### 2.3. Verifiable Secret Sharing

May not be VSS:

#### multi-signature

Bitcoin's original multi-signature (BIP #11, #16, #17) is actually somewhat related to Shamir's Secret Sharing:

Shamir's Secret Sharing Scheme (ssss)[2] is a general software implementation of multisig.

The MuSig paper says:

Multi-signature protocols, first introduced by Itakura and Nakamura [IN83], allow a group of signers (each possessing its own private/public key pair) to produce a single signature σ on a message m. Verification of the validity of a purported signature σ can be publicly performed given the message and the set of public keys of all signers. A trivial way to transform a standard signature scheme into a multi-signature scheme is to have each signer produce a stand-alone signature for m with its private key and to concatenate all individual signatures. However, the size of the multi-signature in that case grows linearly with the number of signers.

(So there is still no name for it... shall we just call it standard-signature-scheme-transformed [IN83] then? *flees*)
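Since the section asks what is and is not VSS, here is what the "verifiable" part adds on top of plain Shamir sharing, as an added Python example that is not from the page or from any of the projects it mentions. It implements Feldman's scheme: the dealer publishes commitments g^{a_j} to the polynomial coefficients, so each holder can check its own share against them and a corrupted share is rejected before reconstruction. The group parameters are a constructed toy safe prime (p = 2q + 1 with p = 1019, q = 509, g = 4 of order q); a real deployment would use a large MODP or elliptic-curve group.

```python
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 generates
# the order-q subgroup of Z_p^*. Shares and coefficients live in Z_q.
P = 1019
Q = 509
G = 4


def share(secret: int, t: int, n: int, rng=secrets.randbelow):
    """Split `secret` into n shares with threshold t and publish Feldman commitments.
    Returns (shares, commitments) where shares = [(i, f(i))] and commitments = [g^a_j]."""
    if not (0 <= secret < Q and 1 <= t <= n < Q):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng(Q) for _ in range(t - 1)]   # f(x) = a0 + a1 x + ... mod Q
    commitments = [pow(G, a, P) for a in coeffs]          # C_j = g^{a_j} mod P
    shares = []
    for i in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):                        # Horner evaluation of f(i)
            y = (y * i + a) % Q
        shares.append((i, y))
    return shares, commitments


def verify(share_: tuple, commitments: list) -> bool:
    """Holder i checks g^{y_i} == prod_j C_j^{i^j}, i.e. that y_i really is f(i)."""
    i, y = share_
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return pow(G, y, P) == rhs


def reconstruct(shares: list) -> int:
    """Lagrange interpolation at x = 0 over Z_Q; needs at least t distinct shares."""
    secret = 0
    for i, y in shares:
        num, den = 1, 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + y * num * pow(den, -1, Q)) % Q
    return secret


if __name__ == "__main__":
    shares, commitments = share(123, t=3, n=5)
    print("all shares verify:", all(verify(s, commitments) for s in shares))
    i, y = shares[0]
    print("tampered share verifies:", verify((i, (y + 1) % Q), commitments))   # False
    print("secret from 3 shares:", reconstruct(shares[:3]))                     # 123
```

The commitments reveal g^{secret}, so Feldman VSS hides the secret only computationally (under discrete log); Pedersen's variant adds a blinding polynomial for an information-theoretic hiding at the cost of a second generator.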

## 4. Timed Commitments

• the receiver is kinda guaranteed (I mean, with high probability) to recover the signature from the commitment after a given time
  • makes use of the time needed for computing sequential squarings
  • gradual revealing, eliminating the possibility of trying again and again
  • high computing power won't speed it up
• the committer also needs to convince the receiver that the commitment is indeed a commitment to the desired signature
  • uses a zkp (a simulator can produce...)
• there is also a proof that serves as a shortcut for verification, so that others don't need to go through the recovery process again to verify
• not sure whether the use of a CA will introduce problems?
• applications
  • Contract Signing
  • Collective coin-flipping
  • Honesty-Preserving Auctions
  • in Zero-Knowledge
    • constant time/rounds by using forced opening
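The "squarings" and "high computing power won't speed it up" bullets describe a time-lock puzzle of the Rivest-Shamir-Wagner kind, which is the building block timed commitments rest on. The following is an added Python example, not code from the page or from the timed-commitment paper: the committer knows φ(n) and computes g^(2^t) mod n with one exponentiation, while a receiver without the factorisation must perform t squarings one after another. It deliberately omits the zero-knowledge proof of well-formedness that the notes mention; the primes and t are small constructed values so the forced opening finishes instantly.

```python
import math
import secrets


def trapdoor_key(g: int, t: int, p: int, q: int) -> int:
    """Committer's shortcut: with phi(n) = (p-1)(q-1) known, reduce the exponent
    2^t modulo phi(n) first, so the key costs a single modular exponentiation."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return pow(g, pow(2, t, phi), n)


def sequential_key(g: int, t: int, n: int) -> int:
    """Receiver's only route without the factorisation: t squarings in a row.
    Each step depends on the previous result, so extra cores do not shorten it."""
    x = g % n
    for _ in range(t):
        x = x * x % n
    return x


def commit(message: int, p: int, q: int, t: int) -> dict:
    """Hide `message` under the puzzle key; the output is what the receiver gets."""
    n = p * q
    if not 0 <= message < n:
        raise ValueError("message must lie in [0, n)")
    while True:
        g = secrets.randbelow(n)
        if g > 1 and math.gcd(g, n) == 1:      # g must be a unit mod n for Euler's theorem
            break
    key = trapdoor_key(g, t, p, q)
    return {"n": n, "g": g, "t": t, "c": (message + key) % n}


def force_open(puzzle: dict) -> int:
    """Forced opening: recompute the key by sequential squaring and strip it off."""
    key = sequential_key(puzzle["g"], puzzle["t"], puzzle["n"])
    return (puzzle["c"] - key) % puzzle["n"]


if __name__ == "__main__":
    # Constructed toy parameters; a real puzzle uses a ~2048-bit n and a t chosen so
    # that t squarings take the intended wall-clock time on the fastest known hardware.
    p, q, t = 104729, 104723, 2000
    puzzle = commit(424242, p, q, t)
    print("forced opening recovers:", force_open(puzzle))    # 424242
```

In the full timed-commitment construction the committer also publishes intermediate values g^(2^(2^i)) with proofs of consistency, which is what gives the receiver the "gradual revealing" and the shortcut verification listed above.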

## 5. Atomic Swap

Some explanatory notes on atomic swaps, usable for rephrasing in the paper.

• https://en.wikipedia.org/wiki/Atomicity_(database_systems)
  • An indivisible and irreducible series of operations such that either all occur, or nothing occurs.
  • At one moment in time, it has not yet happened, and at the next it has already occurred in whole (or nothing happened if the transaction was cancelled in progress).
• Atomic Cross-Chain Swaps, https://arxiv.org/pdf/1801.09515.pdf
  • An atomic swap protocol guarantees
    • (1) if all parties conform to the protocol, then all swaps take place,
    • (2) if some coalition deviates from the protocol, then no conforming party ends up worse off, and
    • (3) no coalition has an incentive to deviate from the protocol.
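The three guarantees above are easier to see on a concrete protocol. Below is an added Python simulation, not code from the page or from the cited paper, of the two-party hashlock/timelock swap that the paper generalises: Alice locks on chain A with the longer timeout, Bob locks on chain B under the same hash with the shorter timeout, Alice's redemption on B publishes the preimage, and Bob reuses it on A. The chains, party names, amounts and the timeout unit `DELTA` are constructed; the two flags let you stop a party at a given step and watch the refunds put the conforming party back where it started.

```python
import hashlib


class HTLC:
    """A hash-time-locked contract on one simulated chain.
    Funds go to `receiver` if the preimage is presented before `timelock`,
    and back to `sender` once `timelock` has passed."""

    def __init__(self, sender: str, receiver: str, amount: int,
                 hashlock: bytes, timelock: int):
        self.sender, self.receiver, self.amount = sender, receiver, amount
        self.hashlock, self.timelock = hashlock, timelock
        self.state = "locked"

    def redeem(self, preimage: bytes, now: int) -> bool:
        if self.state != "locked" or now >= self.timelock:
            return False
        if hashlib.sha256(preimage).digest() != self.hashlock:
            return False
        self.state = "redeemed"
        return True

    def refund(self, now: int) -> bool:
        if self.state != "locked" or now < self.timelock:
            return False
        self.state = "refunded"
        return True


DELTA = 100  # constructed timeout unit; chain B's lock expires before chain A's


def run_swap(bob_locks: bool = True, alice_redeems: bool = True) -> dict:
    """Alice trades 1 coin on chain A for Bob's 50 coins on chain B.
    A False flag models that party stopping at the corresponding step."""
    secret = b"constructed-preimage"            # known only to Alice at first
    h = hashlib.sha256(secret).digest()

    # Step 1: Alice locks on chain A; she waits longest, so her lock is the longest.
    a = HTLC("alice", "bob", 1, h, timelock=2 * DELTA)
    # Step 2: Bob locks on chain B under the same hashlock with the shorter timeout.
    b = HTLC("bob", "alice", 50, h, timelock=DELTA) if bob_locks else None
    # Step 3: Alice redeems on B, which makes the preimage public on that chain.
    revealed = None
    if b is not None and alice_redeems and b.redeem(secret, now=10):
        revealed = secret
    # Step 4: Bob copies the now-public preimage and redeems on A.
    if revealed is not None:
        a.redeem(revealed, now=20)
    # Timeouts: anything still locked is refunded once its lock expires.
    if b is not None:
        b.refund(now=DELTA)
    a.refund(now=2 * DELTA)
    return {"chain_A": a.state,
            "chain_B": b.state if b is not None else "never_created"}


if __name__ == "__main__":
    print("both conform:     ", run_swap())
    print("Bob never locks:  ", run_swap(bob_locks=False))
    print("Alice never redeems:", run_swap(alice_redeems=False))
```

The ordering of the timeouts is the whole point: if Alice's lock expired first, she could wait for Bob to lock, let her own lock lapse, and then still redeem on B, which would violate guarantee (2) for Bob.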

## 8. How to store passwords securely?

```
auth_key        = HMAC-SHA256(key=stretched_key, "Auth Key")
c1              = HMAC-SHA256(key=stretched_key, "Master Key Encryption")
c2              = Secure-Random(output_length=32)
master_key      = HMAC-SHA256(key=c1, c2)
application_key = HMAC-SHA256(key=master_key, "Social Graph Encryption")
```

• application_key: one key per app can be derived from master_key
• r2 is random; we can regenerate the others, but we will need to restore r2
• store c2 encrypted under auth_key
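The derivation chain above, written out with the standard library as an added Python example (not the page's own code, and not taken from whichever system the labels come from). The page does not say how `stretched_key` is produced, so this example assumes PBKDF2-HMAC-SHA256 as a stand-in for any slow password KDF; the salt, password and sample `c2` values are constructed. It also shows the property the bullets rely on: regenerating from the same password and the same stored `c2` yields the same `master_key`, while `auth_key` does not depend on `c2` at all, which is what makes it usable for protecting `c2` at rest.

```python
import hashlib
import hmac
import secrets


def stretch_password(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """Assumption: stretched_key = PBKDF2-HMAC-SHA256(password, salt).
    Any memory-hard KDF (scrypt, Argon2) would serve the same purpose here."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def new_c2() -> bytes:
    """c2 = Secure-Random(output_length=32); this is the only value that must be stored."""
    return secrets.token_bytes(32)


def derive_keys(stretched_key: bytes, c2: bytes,
                app_label: bytes = b"Social Graph Encryption") -> dict:
    """The chain as written above: two labelled HMACs off stretched_key, the stored
    random c2 mixed in under c1, then one application key per label off master_key."""
    auth_key = hmac_sha256(stretched_key, b"Auth Key")
    c1 = hmac_sha256(stretched_key, b"Master Key Encryption")
    master_key = hmac_sha256(c1, c2)
    application_key = hmac_sha256(master_key, app_label)
    return {"auth_key": auth_key, "c1": c1,
            "master_key": master_key, "application_key": application_key}


if __name__ == "__main__":
    # Constructed sample inputs.
    stretched = stretch_password(b"correct horse battery staple", b"constructed-salt")
    c2 = new_c2()
    first = derive_keys(stretched, c2)
    again = derive_keys(stretch_password(b"correct horse battery staple", b"constructed-salt"), c2)
    print("master_key regenerated identically:", first["master_key"] == again["master_key"])
    print("per-app key differs for another label:",
          derive_keys(stretched, c2, b"Photo Encryption")["application_key"]
          != first["application_key"])
```

Because `c2` never derives from the password, rotating the password only changes `c1` and `auth_key`; re-wrapping the stored `c2` under the new `auth_key` keeps `master_key`, and therefore every application key, unchanged.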