Halo2 学习笔记——背景资料之Cryptographic groups

Posted mutourend

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Halo2 学习笔记——背景资料之Cryptographic groups相关的知识,希望对你有一定的参考价值。

1. 引言

一个group内有:

  • an identity
  • a group operation

对于加法group,其identity为 O \\mathcal{O} O,group operation为 + + +

某些group可用作cryptographic group。基于的DLP假设为:
已知base G G G和group element P P P,找到 x x x使得 P = [ x ] G P=[x]G P=[x]G是很难的。

instantiate cryptographic group的方法之一是使用椭圆曲线

2. Pedersen commitment

Pedersen commitment为:
a way to commit to a secret message in a verifiable way.

Pedersen commitment中有2个random public generators G , H ∈ G G,H\\in\\mathbb{G} G,HG,其中 G \\mathbb{G} G为a cryptographic group of order p p p r r r为random secret chosen in Z q \\mathbb{Z}_q Zq,message m m m 来自于 any subset of Z q \\mathbb{Z}_q Zq,相应的Pedersen commitment为:
c = C o m m i t ( m , r ) = [ m ] G + [ r ] H c=Commit(m,r)=[m]G+[r]H c=Commit(m,r)=[m]G+[r]H

为了open该commitment,committer需公开 m m m r r r,从而允许任意人来verify that c c c is indeed a commitment to m m m

Pedersen commitment scheme具有同态性:
C o m m i t ( m , r ) + C o m m i t ( m ′ , r ′ ) = C o m m i t ( m + m ′ , r + r ′ ) Commit(m,r)+Commit(m',r')=Commit(m+m',r+r') Commit(m,r)+Commit(m,r)=Commit(m+m,r+r)

假设DLP成立,则Pedernsen commmitment具有perfectly hiding和computationally binding属性:

  • perfectly hiding:adversary 选择messages m 0 , m 1 m_0,m_1 m0,m1,committer commits to one of these messages c = C o m m i t ( m b , r ) , b ∈ { 0 , 1 } c=Commit(m_b,r), b\\in\\{0,1\\} c=Commit(mb,r),b{0,1}。已知 c c c,adversary猜中 b b b的概率不高于 1 2 \\frac{1}{2} 21
  • computationally binding:adversary无法找到两个不同的messages m 0 ≠ m 1 m_0\\neq m_1 m0=m1 和 randomness r 0 , r 1 r_0,r_1 r0,r1,使得 C o m m i t ( m 0 , r 0 ) = C o m m i t ( m 1 , r 1 ) Commit(m_0,r_0)=Commit(m_1,r_1) Commit(m0,r0)=Commit(m1,r1)

3. Vector Pedersen commitment

对于多个消息 m ⃗ = ( m 1 , m 2 , ⋯   , m n ) \\vec{m}=(m_1,m_2,\\cdots,m_n) m =(m1,m2,,mn),相应有多个random public generators G ⃗ = ( G 0 , G 1 , ⋯   , G n − 1 ) \\vec{G}=(G_0,G_1,\\cdots,G_{n-1}) G =(G0,G1,,Gn1) 以及 一个random generator H H H,相应的vector pedersen commitment scheme为:
C o m m i t ( m ⃗ ; r ) = C o m m i t ( ( m 0 , ⋯   , m n − 1 ) ; r ) = [ r ] H + ∑ i = 0 n − 1 [ m i ] G i Commit(\\vec{m};r)=Commit((m_0,\\cdots,m_{n-1});r)=[r]H+\\sum_{i=0}^{n-1}[m_i]G_i Commit(m ;r)=Commit((m0,,mn1);r)=[r]H+i=0n1[mi]Gi

4. Diffie-Hellman

另一个使用cryptographic groups的例子就是Diffie-Hellman key aggrement [DH1976]。

Diffie-Hellman protocol针对的场景为:有2个用户Alice和Bob,需要生成一个共享私钥,具体的流程为: