
1 1

2 2
2.1 ZK- . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2 ZK- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.3 ? . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.7 ZK- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.10 NP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3 ZK- 8
3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2 : . . . . . . . . . . . . . . . . . . . . . . 9
3.3 . . . . . . . . . . . . . . . . 10
3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.5 Zn . . . . . . . . . . . . . . . . . 12
3.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.9 . . . . . . . . . . . . . . . . 19
3.10 . . . . . . . . . . 22
3.11 ( ) . . . . . . . . . . . . . . . . . . . . . 24
3.12 ( ) . . . . . . . . . . . . . . . . 24
3.13 ( ) . . . . . . . . . . . . . . . . . . . . 26
3.14 , . . . . . . . . . . . . . . . . 26
3.15 E2 . . . . . . . . . . . . . . . . . . 28
3.16 . . . . . . . . . . . . . . . . . . . . . . . 30
3.17 zkSNARK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

1
, , ,
- .
- . -
, .
, , -
s, ,
, s.
, -
- (

- ). , -
, , -
, .

2
2.1 ZK-
zero-knowledge-
(ZK-),
zero-knowledge proofs (ZK proofs). ZK
.
( , )
: prover ( ) verifier ( ). -
P V, Peggy Victor.
, , .
, () -
, , . -
ZK- , ,
,
, .
, ZK-:

, ,

, , ,
, .

, , ,
, .
, , .
, -
. ,
, -
( ,
soundness error). , -
(), ( )
, . k.
(trusted third party),
. ,
p q, n = pq
n , . p q ,
, . , -
, -, , ,
, .

, p q, , n ,
.

2.2 ZK-
-
, , .
: ,
. -
, , .

, . , -
P , -
M ,
(,
ZK- challenge-response ). , , -
, .
. (-
, , ), M
P . Challenge-response -
: P V ,
. , , ,
,
, -
P . ZK-
.

. , ,
, ,
, .

.
,
. ,
( ,
, , -
).

- .
, , ,
. , , . -
, .. ,
,
.

2.3 ?
,
.
. ,
( , ,
),
. .

, ,
,
s.
, , -
(, ).
s,
. , ,
Commit Challenge
Response.

Definition 2.1. ZK-, , -


,
.

2.4
Definition 2.2. -
, .

Definition 2.3. (complete, completeness


property), , ,
, (.. -
100% , ).

, , -
,
. .

Definition 2.4. (sound,


soundness property), , (-
),
1 .

, ,
,
. .
, , , -
, , -
( , ,
). , , -
. ,
, , -
, .
ZK- , .
1
,
( )

2.5
.2
, :

, , -
. , .
, , ,
, .
-
:

1. , . ,
, .
( ),
, .

2. , .
, ( ).

3. ,
, .
, , ,
, 1/2^k , k ,
( , ).

, (
) ( , ).
2
There exists a series of examples that adequately express the main features of ZKP, some of which can be found in
(Koblitz, 1994; Menezes et al., 1996; Schneier, 1995).

2.6
. -
.
. , , -
. ,
, . -
, , ()
, -
. ,
( ), ,
.
Definition 2.5. , -
( ) ,
( -
).
Definition 2.6. (proof-of-knowledge)
, .
Definition 2.7. ,
,
.
Definition 2.8. ,
,
.
ZK- ZK-. , -
, ,
( ), , -
, NP-
. ,
, .

2.7 ZK-
Definition 2.9. (perfect zero
knowledge, PZK-),
.
Definition 2.10. 3 (computationally
zero knowledge, CZK-),
.
Definition 2.11. (statistically
zero knowledge, SZK-), -
, , ..
.
3
, computational zero knowledge property ZK.
, .. -
.

Definition 2.12.
(NIZK-),
,
.

Definition 2.13. -
(honest verifier zero-knowledge, HVZK-), -
, ZK-
.

2.8
ZK- ,
, x . -
ZK- , 0 (..
, ,
s Zn x).

Definition 2.14. , proof-


of-knowledge- (PoK-), (
) , -
(, , ..).

ZK- PoK-.
.
ZK- PoK- (-
,
, , ..).
(,
) (, -
). : -
() s
, . , s ,
s. , , x
n , x
n.

Definition 2.15. , ( -
commitment, challenge and response) -4 .

: -
Commit,
s.

Definition 2.16. (special soundness),


, Commit ( Challenge, , , Response
), , s .
4
,

2.9
-
. ,

, , -
(mafia fraud attack). : P , V , P
V , P , V , P , V .
P
.
, .. ( zero-knowledge)
P V . V , P
V
. , P V
. P ,
V ; V , P , ZK-
P V , , .
P V , P .

2.10 NP-
Theorem 2.17. NP- ZK-.

 NP-
5 (G3C-, graph-3-coloring), -
ZK- .
3.4. 
ZK-, , -
(NP-) .

3 ZK-
ZK- .

3.1
, , -
. Solidity
Ethereum -. , .

pragma solidity ^0.4.2;

contract CaveExample {

    // Set to true when the prover really knows the secret; the cave example
    // abstracts away how a single round establishes this.
    bool proverPossessesTheSecret;

    function executeOnce(address prover) returns (bool outcome) {
        if (proverPossessesTheSecret) outcome = true;
        else outcome = uint(block.blockhash(block.number-2016)) % 2 == 1;
        // uint(block.blockhash(block.number-2016)) is pseudo-random:
        // a prover without the secret passes a round with probability 1/2
    }

    /* Soundness error is the situation when prover,
    while not possessing the knowledge,
    is lucky enough to guess answers to all the verifiers questions
    correctly and thus convince the verifier.
    (Recall ZK-proofs are probabilistic ones.)

    The variable highestAcceptableSoundnessErrorValue is provided by verifier,
    obviously. While the soundness error is bigger than this variable,
    the protocol (the function executeOnce) is being repeated.
    In this cave example the soundness error is equal to 1/2^k,
    where k is the number of times we call the function
    executeOnce(...).
    Solidity has no floating-point type, so the error 1/2^k is tracked by
    its denominator 2^k and the verifier passes the threshold the same way:
    highestAcceptableSoundnessErrorValue = 2^100 means "error at most 2^-100". */

    function checkKnowledge(address prover,
                            uint highestAcceptableSoundnessErrorValue) constant returns (bool result) {

        uint soundnessErrorDenominator = 1;   // soundness error = 1 / denominator

        while (soundnessErrorDenominator < highestAcceptableSoundnessErrorValue)
        {
            if (executeOnce(prover)) soundnessErrorDenominator *= 2;
            else return false;               // one failed round exposes a cheater
        }
        return true;
    }
}

5
: ,
, , ,
.

3.2 :
, .

; round, 1.

1. -
, , .
, i (i = 1, ..., k) -
.

2. Challenge.

3. Challenge = 0, i -
(, i ).
Challenge = 1, , i .

4. .

5. round < k, round ++


. round = k, -
.

,
, , , -
3 1.
, = 1.

, = 1/2; k , -
= (1/2)^k = 2^{−k} .
0 = 2^{−100} , 100 .

k-
i 1. -
, , .
, i ( ),
, i ( ),
, ( 1 ).

ZK- , i
i ,
, i .
, .. 6 i ,
, .

3.3
ZK-, -
G. :

1. H, G, .

2. Challenge.

3. Challenge = 0, G H.
Challenge = 1, H.

4. .
6
265

, , ZKP,
,
.

3.4
ZK-,
MIT.

Definition 3.1. Vi c, -
, .
G3C- (G3C graph three coloring) c(Vi ),
, , .

G3C- .

G3C- c(Vi ),
S_3 , : {red, blue, green} → {red, blue, green}

( (c(Vi ))).
(, Ei , i
1 n). Ei ((c(Vi ))) .

,
( Ei1 Ej1 i j, ,
, ). , (c(Vi )) (c(Vj )).
- .

(c(V_i)) = (c(V_j)), .. , ,
G3C- , ;
. (c(V_i)) ≠ (c(V_j)),
, .

round < k, round ++ -


. round = k, .

, G3C-
, , -
.
1, -
1 = 0, = 1.

G3C- (..
) , -
, ,
(|E| − 1)/|E|, |E| . k

$$\left(\frac{|E|-1}{|E|}\right)^{k} = \left(1-\frac{1}{|E|}\right)^{k}$$

k k = |E| ,

$$\left(1-\frac{1}{|E|}\right)^{k} = \left(\left(1-\frac{1}{|E|}\right)^{|E|}\right)^{k/|E|} \le \left(e^{-1}\right)^{k/|E|} = e^{-k/|E|}$$

0 = e (, 0 2^{−100} ),
70. , k > 70|E| .
k = |E|^2 .

ZK- :

1. ,
i j, ,
(, ).
. , -
Ei .
{Ei ((c(Vi )))}, n .

2. i j .

3. (c(Vi )) (c(Vj )) .

,
. , , ,
, -
. ,
, ,
. ,
, , SZK-.

3.5 Zn
f , -

x, y ∈ Z_n : f(x + y) = f(x)·f(y),
Z_n s ∈ Z_n , f(s) = (mod n).
, s , ,
$$f(s) = f\bigl(\underbrace{1+1+\dots+1}_{s\ \text{times}}\bigr) = \underbrace{f(1)\cdot f(1)\cdots f(1)}_{s\ \text{times}} = (f(1))^{s},$$
, ⟨f(1)⟩, f(1),
.

f n f (s). -
round, 1.

1. r Zn , Commit = f (r) -
Commit .

2. Challenge {0, 1} .

3. Challenge = 0, Response = r. Challenge = 1, Response = r + s (mod n)

4. , f(Response) Commit Challenge = 0 Commit Challenge = 1. ,
, , f
, .
.

5. round < k, round ++ -


. round = k, .

-
. , , f -
, f(x) = f(1)^x x ∈ Z_n .
: {f(s) | s ∈ Z_n }. , -
⟨f(1)⟩, .. = f(1)^s . , ord(f(1))
n, .. f (1) , n .
. ,
, f (1), , -
. n
7 . , f (1), Zn ,
. , -
. ,
, n .

, 4
100%
Challenge. , = 1.

, s , ..
. Challenge
Commit. :

1. Response Zn .

2. Challenge.
7
.. , f (1) n- ,
Zpn

3. Challenge = 0, 1 Commit = f (Response). Challenge = 1,
1 Commit = f (Response)/.

4. 3 Response.

, -
= 1/2, k- = 2^{−k} .
0 = 2^{−100}
k > 100 .

ZK- k .
s :
1 r, .. f (r) , 3
r, s r (
). PZK- , .

3.6
,
f(x) = g^x (mod p) , ⟨g⟩
q.

. CZK-,
.

s ∈ ℤ_q ,
(g, y) ∈ ℤ_p , , g^s = y (mod p). -
, g.

p q , 8
p − 1 = 0 (mod q). p 1024 , q
160 . , g ≠ 1, , g^q = 1 (mod p).

1. r, Commit = g^r (mod p)
Commit .

2. m , Challenge (
0 2^m − 1) Challenge .

3. Response = r + s·Challenge (mod q) Response .


8
p − 1 = 0 (mod q)? , Z_p -
q, s . ,
⟨g⟩, : q = g^q = 1 (mod p).

4. , g^Response = Commit · y^Challenge (mod p).
, , -
g , .
.

5. round < k, round ++ -


. round = k, .

, s, (Commit, Challenge) Response,


4? : .
, . Response.
(Commit, Challenge_1) Response_1 ,
(Commit, Challenge_2) Response_2 . , s:
$$s = \frac{\mathrm{Response}_1 - \mathrm{Response}_2}{\mathrm{Challenge}_1 - \mathrm{Challenge}_2} \pmod q.$$
, , s
, Commit.
, Commit , .

s, , -
, ( = 1). ,
g^Response = Commit · y^Challenge (mod p)
. , .

(.. ) -
g^Response = Commit · y^Challenge (mod p),
. , y Response
, s.
(, ), - ,
.
s , 4 ( Commit)
Challenge, . 6
Response, g^Response ∈ Z_p .
, , -
(.. ) , .
s, ( Commit)
Challenge, .
Commit = g^Response · y^{−Challenge} (mod p), Response ,
. Response ( 6)
.
, m- Challenge, -
, , 2^{−m} . k- , ,
= (2^{−m})^k = 2^{−mk} .
k, -
0 = 2^{−100} ? , mk > 100, ..
k = ceil(100/m) (100/m, ).


-
. . -
,
, ( g
y, y = g^s (mod p) s)

, p q, .

, .

ZK- HVZK- . -
, .. -
s g .
k- , , k ,
. HVZK- :

1. Response ∈ Z_p

2. m- Challenge

3. Commit = g^Response · y^{−Challenge} (mod p)

4. (Commit, Challenge, Response).

(.. ) -
, , , . , HVZK- (honest
verifier case) Challenge ( , -
), ZK-
Challenge , , .
, ,
Zq ,
$$1\cdot\frac{1}{q} + 2\cdot\frac{q-1}{q^{2}} + 3\cdot\frac{(q-1)^{2}}{q^{3}} + \dots = q$$
, k , , -
, q k . -
, , ,
. , -
Response, , Commit = g^Response · y^{−Challenge}
(mod p) , s Response_1 =
Commit + s·Challenge_1 , Response_2 = Commit + s·Challenge_2 .
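The protocol of this section, its special-soundness extractor (two transcripts sharing one Commit give s = (Response_1 − Response_2)/(Challenge_1 − Challenge_2)) and the honest-verifier simulator (choose Response and Challenge first, then Commit = g^Response · y^{−Challenge}), written out as an added Python example. This is not code from the paper; the group parameters p = 2039, q = 1019, g = 4 and the 8-bit challenge length are toy values constructed for the example, in place of the 1024-bit p and 160-bit q the text recommends.

```python
import secrets

# Constructed toy parameters (not from the paper): q divides p - 1 and g has
# order q in Z_p^*. Real deployments use |p| ~ 1024 and |q| ~ 160 bits.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1, "g must generate the subgroup of order q"

M_BITS = 8                     # challenge length m; per-round soundness error 2^-m
ROUNDS = -(-100 // M_BITS)     # k = ceil(100/m) rounds for an overall error of 2^-100

def keygen(s=None):
    """Prover's secret s in Z_q and public y = g^s mod p."""
    s = secrets.randbelow(Q) if s is None else s % Q
    return s, pow(G, s, P)

def commit(r=None):
    """Step 1: Commit = g^r mod p for a fresh random r."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return r, pow(G, r, P)

def challenge():
    """Step 2: an m-bit challenge chosen by the verifier."""
    return secrets.randbits(M_BITS)

def respond(r, s, c):
    """Step 3: Response = r + s*Challenge mod q."""
    return (r + s * c) % Q

def verify(y, commit_value, c, response):
    """Step 4: accept iff g^Response == Commit * y^Challenge mod p."""
    return pow(G, response, P) == commit_value * pow(y, c, P) % P

def run_protocol(s, y, rounds=ROUNDS):
    """Steps 1-5 repeated k times; True iff every round verifies."""
    for _ in range(rounds):
        r, a = commit()
        c = challenge()
        if not verify(y, a, c, respond(r, s, c)):
            return False
    return True

def extract(c1, z1, c2, z2):
    """Special soundness: two accepting transcripts with the same Commit and
    c1 != c2 yield s = (Response1 - Response2) / (Challenge1 - Challenge2) mod q.
    This is why the prover must never reuse r."""
    return (z1 - z2) * pow((c1 - c2) % Q, -1, Q) % Q

def simulate(y, c=None, response=None):
    """HVZK simulator: pick Response and Challenge first, then solve for
    Commit = g^Response * y^(-Challenge) mod p. No secret is needed, and the
    transcript is distributed like an honest one."""
    c = secrets.randbits(M_BITS) if c is None else c
    response = secrets.randbelow(Q) if response is None else response % Q
    y_inv_c = pow(pow(y, c, P), -1, P)
    return pow(G, response, P) * y_inv_c % P, c, response
```

Both an honest transcript and a simulated one pass `verify`, which is exactly the zero-knowledge argument of the text; `extract` shows the flip side, that a single reused r with two different challenges hands the secret to the verifier.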

3.7
, Zp -
g1 g2 . (,
.)

, s1 , s2 .

g_1 g_2 , y = g_1^{s_1} g_2^{s_2}

1. r_1, r_2 ∈ Z_p , Commit = g_1^{r_1} g_2^{r_2} -
.

2. Challenge ∈ Z_p .

3. z_1 = r_1 + Challenge·s_1 , z_2 = r_2 + Challenge·s_2
(z_1, z_2) .

4. g_1^{z_1} g_2^{z_2} = Commit · y^Challenge

3.8
, ,
, .
s Zq , (-
, , round = 1) :

, s, x = g^s (mod p), y = h^s (mod p)
log_g x = log_h y (mod q).

p q ,
p − 1 = 0 (mod q). p 1024 , q
160 . , g h , g ≠ 1, h ≠ 1, g ≠ h,
, g^q = h^q = 1 (mod p).

1. x = g^s (mod p) y = h^s (mod p) -
x y .

2. a b, Commit_V = g^a h^b .

3. c ∈ Z_q , Commit_P^{(1)} = Commit_V · g^c (mod p),
Commit_P^{(2)} = (Commit_P^{(1)})^s (mod p); Commit_P^{(1)} Commit_P^{(2)}
.

4. a b.

5. 4 Commit_V g^a h^b . Commit_V =
g^a h^b (mod p), c ( -
). ( , , x^a y^b ,
.)

6.
Commit_P^{(1)} = Commit_V g^c (mod p), Commit_P^{(2)} = x^c x^a y^b (mod p).

,
. round < k, round ++
. round = k,
.

, = 1. .. -
s , .

. -
= 1/q.
, ..
, s, .
, . x = g^s (mod p), y = h^{s'} (mod p), s ≠ s' (mod q).
, 5
Commit_P^{(2)} ,
$$\mathrm{Commit}_P^{(2)} = x^{c} x^{a} y^{b} \pmod p \qquad (3.1)$$

, a b, c ∈ Z_q ,
(3.1). a b
4, Commit_P^{(1)}, Commit_P^{(2)} 5,
(3.1) c 5. ,
c 5.
c ∈ Z_q
$$c = \log_g \frac{\mathrm{Commit}_P^{(1)}}{g^{a} h^{b}} \pmod q \qquad (3.2)$$
, (3.1)
$$c \log_g x = \log_g \frac{\mathrm{Commit}_P^{(2)}}{x^{a} y^{b}} \pmod q \qquad (3.3)$$

g^q = h^q = 1 (mod p), h = g^d (mod p) d ∈ Z_q , d ≠ 0 (mod q).


, (3.2) :
$$c - \log_g \mathrm{Commit}_P^{(1)} = -a - bd \pmod q \qquad (3.4)$$

(3.3) :
$$c \log_g x - \log_g \mathrm{Commit}_P^{(2)} = -as - bds' \pmod q \qquad (3.5)$$

(3.4) (3.5) :
$$\begin{pmatrix} -1 & -d \\ -s & -ds' \end{pmatrix}\begin{pmatrix} a \\ b \end{pmatrix} = \begin{pmatrix} c - \log_g \mathrm{Commit}_P^{(1)} \\ c \log_g x - \log_g \mathrm{Commit}_P^{(2)} \end{pmatrix} \pmod q$$

s s0 , , -
, (rank = 2). ,

(a, b) Zq Zq . ,
CommitV 4,
8.
s s0 ( ),
(3.4). a b
Zq , q (a, b). (3.5),
s s0 (3.5)
, .. s s0 .
, , -
(a, b) 1/q. q 2160 ,
(k = 1) , ,
0 = 2100 .

ZK- PZK-. :

1. a, b ∈ Z_q Commit_V = g^a h^b (mod p).

2. c ∈ Z_q Commit_P^{(1)} = Commit_V g^c (mod p),
Commit_P^{(2)} = (Commit_P^{(1)})^s (mod p)

3. Commit_V , Commit_P^{(1)} , Commit_P^{(2)} .

,
. -, , ..
CommitV , . -,
CommitV ( a, b), ,
y a z b (mod p).
s.

3.9
.
-
. , , ,
9 .
, ,
s.

s_1, s_2, ..., s_m .

v_i , , v_i = s_i^2 (mod n),


.
, n .10
9
, ; -
, ,
.
10
. ()
p q n = pq. n, , ( ,


1. r, n, Commit = r^2
(mod n) Commit .

2. m Challenge = {b_1 b_2 ... b_m} .

3. Response = r·s_1^{b_1} s_2^{b_2} ··· s_m^{b_m} (mod n)
Response .

4. , Response^2 = Commit · v_1^{b_1} v_2^{b_2} ··· v_m^{b_m} (mod n).

s, , -
, ( = 1). ,
Response^2 = Commit · v_1^{b_1} v_2^{b_2} ··· v_m^{b_m} (mod n) -
. , .

(.. ) -
Response^2 = Commit · v_1^{b_1} v_2^{b_2} ··· v_m^{b_m} (mod n),
. , vi ,
Response , s. -
(, ), - ,
.
s , 4 ( Commit)
Challenge, . 6 -
Response, Response^2 ∈ Z_n .
, -
( n), ,
(.. ) , .
s, ( Commit)
Challenge, .
Commit = Response^2 · (v_1^{b_1} v_2^{b_2} ··· v_m^{b_m})^{−1} (mod n), Response ,
. Response ( 6)
.
, m (
Challenge), , , 2^{−m} . k- -
, , = (2^{−m})^k = 2^{−mk} .
k, -
0 = 2^{−100} ? , mk > 100, ..
k = ceil(100/m) (100/m, ).
, 512-1024 ). n si . n
s1 , s2 , ..., sm ,
n . p q . , si
, n (.
). , -, , p q
, ,
, .



, .
.
, -
, .
, -
n (.. p q),
. ,
s. , -
Zn Zp Zq . ,
. ,
, v Zn , Zp Zq ;
. - -
, , . ,
v Zpq -
v Zp Zq .
(
); .
a v Zp , .. a2 = v (mod p),
11 (a) = (p a). b v Zq , .. b2 = v
(mod q), (b) = (q b).
Zn Zp Zq v Zn -
,
(a, b), (a, b), (a, b), (a, b) ( Zp Zq ).
, s.
r (, ,
Commit). Commit,
, Challenge,
. , -
, Response1 = rs1 b1 s2 b2 ...sm bm (mod n)
Challenge = {b1 b2 ...bn }, Response2 = rs1 b1 s2 b2 ...sm bm (mod n)
Challenge = {b1 b2 ...bn }. (
Response1 /Response2 , Response2 /Response1 ), s1 s2 ...sm (mod n) =
(s1 (mod n)) (s2 (mod n)) ... (sm (mod n)). , -
(s1 (mod n)) (s2 (mod n)) ... (sm (mod n))
m , ,
si s
( , ,
, ). m = 1
s. , Commit
, (m + 1) , si .

ZK- -
. , () ,
11
, (p a)2 = v (mod p) , .. (p a)2 = p2 2ap + a2 = a2 (mod p).

(v1 , v2 , ..., vm ) m
.
vi .
-
,
.
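The four protocol steps of this section together with the remark on why r must be fresh in every round (two responses built on one Commit for challenges that differ in a single bit reveal that s_i; challenges 1...1 and 0...0 reveal the product s_1 ··· s_m), as an added Python example. It is not code from the paper; the modulus n = 1009·1013 and the secrets 17, 123, 4567 are toy values constructed for the example in place of 512-1024-bit primes.

```python
import secrets

# Constructed toy modulus (not from the paper): n = p*q with two small primes.
# Real keys use 512-1024-bit primes; every secret s_i must be coprime to n.
P_, Q_ = 1009, 1013
N = P_ * Q_

def keygen(secrets_list):
    """Public values v_i = s_i^2 mod n for the secrets s_i (the paper's convention)."""
    return [pow(s, 2, N) for s in secrets_list]

def commit(r=None):
    """Step 1: Commit = r^2 mod n for a fresh random r."""
    r = secrets.randbelow(N - 2) + 2 if r is None else r
    return r, pow(r, 2, N)

def challenge(m):
    """Step 2: m challenge bits b_1 .. b_m."""
    return [secrets.randbits(1) for _ in range(m)]

def respond(r, secrets_list, bits):
    """Step 3: Response = r * prod_i s_i^{b_i} mod n."""
    resp = r
    for s, b in zip(secrets_list, bits):
        if b:
            resp = resp * s % N
    return resp

def verify(v_list, commit_value, bits, response):
    """Step 4: accept iff Response^2 == Commit * prod_i v_i^{b_i} mod n."""
    rhs = commit_value
    for v, b in zip(v_list, bits):
        if b:
            rhs = rhs * v % N
    return pow(response, 2, N) == rhs

def run_protocol(secrets_list, v_list, rounds):
    """k rounds with a fresh r each time; True iff all rounds verify."""
    for _ in range(rounds):
        r, a = commit()
        bits = challenge(len(v_list))
        if not verify(v_list, a, bits, respond(r, secrets_list, bits)):
            return False
    return True

def secret_from_reused_r(resp_with, resp_without):
    """Why r must never be reused: two responses on the same r whose challenges
    differ only in bit i satisfy resp_with / resp_without = s_i mod n; with
    challenges 1...1 and 0...0 the ratio is the product s_1 * ... * s_m."""
    return resp_with * pow(resp_without, -1, N) % N
```

The last function is the verifier-side computation the text warns about: with m + 1 responses on one reused Commit the verifier can isolate every s_i, so the protocol's zero-knowledge property rests entirely on r being fresh.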

3.10
, -
(. ), 0
si . ,
vi si ,
.

s1 , s2 , ..., sm .

v_i , , v_i = t_i s_i^2 (mod n), t_i ∈ {1, −1} , .
, n .
, , :
.
.

1. r, n, Commit = r^2
(mod n) Commit .
2. m Challenge = {b_1 b_2 ... b_m} .
3. Response = r·s_1^{b_1} s_2^{b_2} ··· s_m^{b_m} (mod n)
Response .
4. , Response^2 = Commit · v_1^{b_1} v_2^{b_2} ··· v_m^{b_m} (mod n).

, -
, , -
vi . ,
, vi ,
.
, vi ,
12 , ,
12
. x ,
, , . , ..
$\left(\frac{x}{n}\right) = 1$, ∈ Z_n . .
Zn (Zp1 )1 (Zp2 )2 ...(Zpk )k ( n =
(p1 )1 (p2 )2 ...(pk )k ), x Zn ,
Zpi . ,
+1, , +1 (.., ,
).

vi

n .
, n . ,
:

(1) Zn

(−1) :
$$\left(\frac{-1}{n}\right) = \left(\frac{-1}{p}\right)\left(\frac{-1}{q}\right) = (-1)^{2} = 1$$

, (1), vi ,
, , vi ,
.
, v_1^{b_1} v_2^{b_2} ··· v_m^{b_m}
, (−1
n, .. n ; , ,
v_1^{b_1} v_2^{b_2} ··· v_m^{b_m} , 13 ).
v_i = s_i^2 (mod n), .. -
, v_i = t_i s_i^2 (mod n)
.
v_i = t_i s_i^2 (mod n), , -
, 14 .

, .

, .

, .
13
, , .
$$\left(\frac{ab}{n}\right) = (ab)^{\frac{n-1}{2}} = a^{\frac{n-1}{2}}\, b^{\frac{n-1}{2}} = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right).$$
, 1·1 = 1, (−1)·(−1) = 1, 1·(−1) = (−1), .
14
, , ,
. s2i , , , , -
, , ti .
V ;
V . , ti = 1 -
ti (V V ); ,  ti = 1. -,
(1) ( 1 n
, n
). -, ,
.. V V . -, : , -
(1) ,
( ,
). -, V V
(1) : V V , . ,
ti V V V , ..
.

ZK- , -
,
. , , vi
, si , , .
-
, . ,
, PZK- .
, . -
:

1. Response Zn .

2. Challenge.

3. Commit = Response^2 · (v_1^{b_1} v_2^{b_2} ··· v_m^{b_m})^{−1} (mod n).

4. Commit, Challenge,
Response. , .

3.11 ( )
1. r, n, Commit = r^2
(mod n) Commit .

2. x, m 15 Challenge = {b_1 b_2 ... b_m} :
b_i = hash(Commit, M), M .
.

3. Response = r·s_1^{b_1} s_2^{b_2} ··· s_m^{b_m} (mod n)
Response .

4. , Response^2 = Commit · v_1^{b_1} v_2^{b_2} ··· v_m^{b_m} (mod n).

5. : (Challenge, Response).

, Commit 4, .. Challenge
Response. Commit bi = hash(Commit, M ),
bi Challenge , .
, M .

3.12 ( )
-
, . -
, , -
, -
.

s.
15
- bi .

(n, d, y), n = p·q (p q
, , .. ,
); d - , , 1 < d < (n), ,
, (n) = (p − 1)(q − 1); y
y = s^d (mod n).

1. r, 1 (n − 1).
Commit = r^d (mod n) .

2. Challenge ∈ Z_d .

3. Response = r·s^Challenge (mod n) . -
Response^d = Commit · y^Challenge (mod n), , -
.

s, , -
, ( = 1). Response^d =
Commit · y^Challenge (mod n) ; -
, . ,
.

(.. ) -
Response^d = Commit · y^Challenge (mod n), -
. , y Response
, s.
(, ), - ,
.
s , 4 ( Commit)
Challenge, . 6
Response, Response^d ∈ Z_n . -
Zn
n, , (.. )
, .
s, ( Commit)
Challenge, .
Commit = Response^d · y^{−Challenge} (mod n), Response ,
. Response ( 6)
.
, Challenge ( -
0 (d − 1)), , , 1/d. k-
, , = (1/d)^k = d^{−k} .
k, -
0 = 2^{−100} ? , d^{−k} ≤ 2^{−100} .
(2^{100} ≤ d^k , k > 100 log_d 2), ,
k = ceil(100 log_d 2) .

ZK- PZK-. , -
? Commit = r^d r, ; -
Commit .
Response = r·s^Challenge , -, r ,
16 , Response .
r. ,
s.

3.13 ( )
M .
:

1. r ∈ Z_n a = r^e (mod n).

2. d = hash(M, a) (mod e), M ,
hash(x) -.

3. z = r·x^d (mod n). M , -
d z, J. .

. :

1. a' = z^e J^d (mod n). d' = hash(M, a'). d = d',
, .
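The identification protocol of 3.12 (Commit = r^d, Response = r·s^Challenge, check Response^d = Commit · y^Challenge) and its hash-based signature variant of 3.13 (a = r^e, d = hash(M, a) mod e, z = r·x^d, check z^e J^d = a), as one added Python example; this is not code from the paper. The page names the public exponent d in 3.12 and e in 3.13; the code uses e for both and calls the hash output d as in 3.13. SHA-256 stands in for the unspecified hash, n = 1009·1013 and e = 65537 are constructed toy values, and the page does not define J, so the code takes J = x^{−e} mod n, the value that makes the verification equation hold.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (not from the paper): n = p*q with small primes and
# a public exponent e coprime to (p-1)(q-1). Real keys use 512-1024-bit primes.
P_, Q_ = 1009, 1013
N = P_ * Q_
E = 65537
assert (P_ - 1) * (Q_ - 1) % E != 0     # e is prime, so this is enough for gcd = 1

# ---- identification (section 3.12) ----

def keygen(s):
    """Public y = s^e mod n for the secret s (1 < s < n, gcd(s, n) = 1)."""
    return pow(s, E, N)

def commit(r=None):
    """Step 1: Commit = r^e mod n for a fresh random r in [1, n-1]."""
    r = secrets.randbelow(N - 2) + 2 if r is None else r
    return r, pow(r, E, N)

def challenge():
    """Step 2: Challenge in Z_e, so the per-round soundness error is 1/e."""
    return secrets.randbelow(E)

def respond(r, s, c):
    """Step 3: Response = r * s^Challenge mod n."""
    return r * pow(s, c, N) % N

def verify(y, commit_value, c, response):
    """Accept iff Response^e == Commit * y^Challenge mod n."""
    return pow(response, E, N) == commit_value * pow(y, c, N) % N

def rounds_for(err_bits=100):
    """k = ceil(100 * log_e 2): rounds needed for an overall error of 2^-100."""
    return math.ceil(err_bits * math.log(2) / math.log(E))

# ---- Fiat-Shamir transformed version: a signature on M (section 3.13) ----

def hash_to_challenge(message, a):
    """d = hash(M, a) mod e; SHA-256 is an assumption, the paper leaves the hash open."""
    h = hashlib.sha256(f"{message}|{a}".encode()).digest()
    return int.from_bytes(h, "big") % E

def sign(message, x, r=None):
    """a = r^e, d = hash(M, a) mod e, z = r * x^d mod n; the signature is (d, z)."""
    r, a = commit(r)
    d = hash_to_challenge(message, a)
    return d, r * pow(x, d, N) % N

def public_j(x):
    """J = x^(-e) mod n (assumed definition; the page does not define J)."""
    return pow(pow(x, E, N), -1, N)

def verify_signature(message, j, sig):
    """a' = z^e * J^d mod n; accept iff hash(M, a') mod e == d."""
    d, z = sig
    a_prime = pow(z, E, N) * pow(j, d, N) % N
    return hash_to_challenge(message, a_prime) == d
```

With e = 65537 each interactive round already has error 2^{-16}, so `rounds_for()` gives 7 rounds for 2^{-100}; the signature version removes the interaction by deriving d from the message and the commitment, so a single pass suffices.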

3.14 ,
: -
G0 G1 , ,
? , ZK-
( ),
?
G1 G2 . ( ),
1 5. , -
= {5, 4, 3, 2, 1}, (.. {5, 4, 3, 2, 1}
G1 {1, 2, 3, 4, 5} G2 ). :

1. . H =
(G1 ). .

2. i {1, 2} .

3. {1, ..., 5}, H = (Gi ).


i = 1, = . i = 2, = ,
, G1 = (G2 ) ( ).

4. , H = (Gi ).
16
Commit = r^d r, ..

:

1:

1. = {1, 4, 3, 2, 5}. H = G1 =
{1, 4, 3, 2, 5} .
2. i = 1 .
3. = .
4. , H = {1, 4, 3, 2, 5} = G1 = {1, 4, 3, 2, 5}.

2:

1. = {2, 4, 1, 3, 5}. H = G1 =
{2, 4, 1, 3, 5} .
2. i = 2 .
3. = = {2, 4, 1, 3, 5} {5, 4, 3, 2, 1} = {4, 2, 5, 3, 1}
.
4. , H = {2, 4, 1, 3, 5} = G2 = {4, 2, 5, 3, 1} {1, 2, 3, 4, 5} =
{4, 2, 5, 3, 1}

, ,
. i = 1 ,
H = G1 (.. H G1 ). i = 2 ,
H = G1 ( ) G2 , .. , G1 ( H),
G2 .

, ZK-. ,
, ZK-.
, ,
. ZK-,
.
, :

1. T0 = (G1 , G2 )

2. ib {1, 2}.

3. Hb = b Gb .

4. (Hb , ib , b ) .

5. , .

, , -
, . -
, .. . , -
, , .
, ZK-.

3.15 E2
Definition 3.2. , En , -
n . , ,
E2 , .

, n
( ).

n.

1. , n ,
(, primetest i- n)

2. Challenge, m x_i
$\left(\frac{x_i}{n}\right)$ 17 = 1, .


3. n, , ,
, -
Challenge,
.
x1 , x2 , ..., xj , Challenge. -

, , j -
.

4. j > floor(3m/8), ; -


.

 ,
xi , xni = 1 3/8.
.
Fact 3.3. n E2 , xi , xni = 1, -


.18
Fact 3.4. n / E2 (.. n Ek , k > 2)  n ,
19 , xi , xni = 1,
1/4. , , x
QRn , , p n x
(mod p) QRp .
17
, , .
18
,
. , ,
.
19 i
, n
 . n = p , ,
xi , xni = 1, .

, , , -
. , Challenge,
, , , 3/8.
(1) , .
, , 100%
, = 1. ,
,
,
.
(.. n E2 ), , -
, 4.1, p = 1/2.
m. ,
m , (, ),
= 1/2, = 1/2.
. , , (3/8)m ,

$$(1) = \sum_{l=\lceil 3m/8 \rceil}^{m} \binom{m}{l}\left(\frac{1}{2}\right)^{l}\left(\frac{1}{2}\right)^{m-l} = \sum_{l=\lceil 3m/8 \rceil}^{m} \binom{m}{l}\left(\frac{1}{2}\right)^{m}$$

, k

$$(k) = ((1))^{k} = \left(\sum_{l=\lceil 3m/8 \rceil}^{m} \binom{m}{l}\left(\frac{1}{2}\right)^{m}\right)^{k}$$

, m, ;
m (1) . ,
m xni 1 (


), : (1) = 1
5, ..
, (. 4.1), m/2 > floor(3m/8).
m > 2000. m = 2000 (1) ≈ 1 − 1.688·10^{−29} .

, , -
, , ..
n/ E2 E2 , .. -
. , ,
( m 3m/8 -
). (1) ,
.
(.. n / E2 ), ,
, 4.2, , p = 1/4.
, (3m/8) ,
$$(1) = \sum_{l=\lceil 3m/8 \rceil}^{m} \binom{m}{l}\left(\frac{1}{4}\right)^{l}\left(\frac{3}{4}\right)^{m-l}$$

, k

$$(k) = ((1))^{k} = \left(\sum_{l=\lceil 3m/8 \rceil}^{m} \binom{m}{l}\left(\frac{1}{4}\right)^{l}\left(\frac{3}{4}\right)^{m-l}\right)^{k}$$

m (1) . m > 2000.
m = 2000 (1) ≈ 1.847·10^{−35} .

ZK- ( ) PZK- , ..
, . , -
, , :
; n
.

3.16

(NIZK). , ,
.

, s.

w r, y_V = g^{x_V} (mod p),
y_P = g^s (mod p). x_V -
.

1. w, r ∈ Z_q TC = g^w y_V^r
(mod p).

2. k ∈ Z_q Commit = g^k
(mod p).

3. Challenge . , Challenge = hash(TC||Commit||M),
M

4. Response Response = k + s(Challenge + w) (mod q).

1. (w, r, Commit, Challenge, Response), M , -
Challenge = hash(TC||Commit||M).

2.
g^Response = Commit · y_P^Challenge · y_P^w (mod p).

, , .

(Commit, Challenge, Response),
. , -
y_P^w (mod p).

y_P^w (mod p), , -
, w T C . ,
y_P^w (mod p), x_V . ,
, , y_P^w (mod p)
, , (Commit, Challenge, Response) .

ZK- :

1. , Zq .

2. T C = g (mod p)

3. Commit = g Response yP (mod p)

4. Challenge = hash(T C||Commit||M )

5. w = Challenge (mod q)

6. r = ( w)/xV (mod q)

7. (w, r, Commit, Challenge, Response) .

, .. 3

g Response = Commit yP (mod p),

4
w+Challenge Challenge w
Commit yP = Commit yP = Commit yP yP (mod p),


g^Response = Commit · y_P^Challenge · y_P^w (mod p),
. -
, , , , -

.
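The designated-verifier NIZK of this section (trapdoor commitment TC = g^w y_V^r, Commit = g^k, Challenge = hash(TC||Commit||M), Response = k + s(Challenge + w)), its verification, and the verifier's own simulator that forges a proof from x_V alone, as an added Python example; this is not code from the paper. The toy group p = 2039, q = 1019, g = 4 and SHA-256 as the hash are constructed for the example, and `alpha`, `beta` are the names given here to the two Z_q values the simulator draws in its first step (the page's own symbols for them are not legible).

```python
import hashlib
import secrets

# Constructed toy group (not from the paper): q | p - 1 and g has order q.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1

def hash_challenge(tc, commit_value, message):
    """Challenge = hash(TC || Commit || M), reduced into Z_q (SHA-256 assumed)."""
    h = hashlib.sha256(f"{tc}|{commit_value}|{message}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def keygen(x=None):
    """Secret exponent in Z_q and public value g^x mod p; used for both
    the prover (s, y_P) and the verifier (x_V, y_V)."""
    x = secrets.randbelow(Q) if x is None else x % Q
    return x, pow(G, x, P)

def prove(s, y_v, message, w=None, r=None, k=None):
    """Prover: TC = g^w y_V^r, Commit = g^k, Challenge = hash(TC||Commit||M),
    Response = k + s(Challenge + w) mod q. Output (w, r, Commit, Challenge, Response)."""
    w = secrets.randbelow(Q) if w is None else w % Q
    r = secrets.randbelow(Q) if r is None else r % Q
    k = secrets.randbelow(Q) if k is None else k % Q
    tc = pow(G, w, P) * pow(y_v, r, P) % P
    commit_value = pow(G, k, P)
    c = hash_challenge(tc, commit_value, message)
    response = (k + s * (c + w)) % Q
    return (w, r, commit_value, c, response)

def verify(y_p, y_v, message, proof):
    """Verifier: rebuild TC from (w, r), check Challenge = hash(TC||Commit||M),
    then g^Response == Commit * y_P^Challenge * y_P^w mod p."""
    w, r, commit_value, c, response = proof
    tc = pow(G, w, P) * pow(y_v, r, P) % P
    if c != hash_challenge(tc, commit_value, message):
        return False
    rhs = commit_value * pow(y_p, c, P) % P * pow(y_p, w, P) % P
    return pow(G, response, P) == rhs

def simulate(x_v, y_p, message, alpha=None, beta=None, response=None):
    """The verifier's simulator: needs x_V, not s. TC = g^alpha,
    Commit = g^Response * y_P^(-beta), Challenge = hash(TC||Commit||M),
    w = beta - Challenge, r = (alpha - w) / x_V mod q. The output passes
    verify(), which is why this proof convinces nobody but the verifier."""
    alpha = secrets.randbelow(Q) if alpha is None else alpha % Q
    beta = secrets.randbelow(Q) if beta is None else beta % Q
    response = secrets.randbelow(Q) if response is None else response % Q
    tc = pow(G, alpha, P)
    commit_value = pow(G, response, P) * pow(pow(y_p, beta, P), -1, P) % P
    c = hash_challenge(tc, commit_value, message)
    w = (beta - c) % Q
    r = (alpha - w) * pow(x_v, -1, Q) % Q
    return (w, r, commit_value, c, response)
```

The design point is that `verify` recomputes TC from (w, r) and y_V: because the verifier knows x_V it can open TC to any w it likes, so a transcript that verifies proves nothing to a third party, exactly the non-transferability the section is after.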

