货币的抽象化

• 交换媒介
• 记账单位
• 价值储藏
• 延期支付标准

Rai stone from Yap

数字签名

插话: 堆叠炮弹问题

丢番图方法

• \(1^2+2^2+\cdots+x^2=\frac{x(x+1)(2x+1)}{6}=y^2\)
  • Two trivial solutions: \((x,y)=(0,0)\) or \((1,1)\)
• The line through these two points is \(y=x\), which intersects with the curve and gives the equation \[x^3-\frac{3}{2}x^2+\frac{1}{2}x=0\]
  • The third root is \(x=\frac{1}{2}\)

Repeat for (1,1) & (1/2,-1/2)

• The line is \(y=3x−2\), so the equation is \[x^3-\frac{51}{2}x^2+\cdots=0\]
  • The third root is \(x=24\), so \(y=70\), i.e., \[1^2+2^2+\cdots+24^2=70^2\]
• If we keep repeating this procedure, we'll obtain infinitely many rational solutions to our equation
• However, it can be shown that \((24,70)\) is the only non-trivial solution in positive integers

同余数问题

• The question of which integers \(n\) can occur as areas of right triangles with rational sides is known as the congruent number problem
• E.g., \(n=5\): are there rational numbers \(a,b,c\) s.t. \[a^2+b^2=c^2,ab=10?\]
• Equivalently, \(c^2+20=(a+b)^2,c^2-20=(a-b)^2\)
• Let \(x=(c/2)^2\): \(y^2=(x+5)x(x-5)=x^3-25x\)

丢番图方法

• Consider the tangent line at \((−4,6)\): \(y=\frac{23}{12}x+\frac{41}{3},\) which intersects the curve and gives \[x^3-\left(\frac{23}{12}\right)^2x^2+\cdots=0\]
• The third root is \((23/12)^2+4+4=(41/12)^2\), i.e., \[a=\frac{20}{3},b=\frac{3}{2},c=\frac{41}{6}\]
• There are infinitely many other solutions, which can be obtained by successively repeating this procedure

An elliptic curve \(E\) is the graph of an equation of the form \(y^2=x^3+Ax+B\), where \(A\) and \(B\) are constants.  This will be referred to as the Weierstraß equation for an elliptic curve.  We will need to specify what set \(A,B,x\) and \(y\) belong to.  Usually, they will be taken to be elements of a field, for example, the real numbers \(\mathbb R\), the complex numbers \(\mathbb C\), the rational numbers \(\mathbb Q\), one of the finite fields \(\mathbb F_p(=\mathbb Z/p\mathbb Z)\) for a prime \(p\), or one of the finite fields \(\mathbb F_q\), where \(q=p^k\) with \(k\geq 1\).  If \(K\) is a field with \(A,B\in K\), then we say that \(E\) is defined over \(K\).

椭圆曲线

椭圆曲线点群

• If we want to consider points with coordinates in some field \(L\supseteq K\), we write \(E(L)\)
• By definition, this always contains the point at infinity: \[E(L)=\Big\{\infty\Big\}\bigcup\Big\{(x,y)\in L\times L:y^2=x^3+Ax+B\Big\}\]
• \(E(L)\) is an abelian group (阿贝尔群)

\(E(L)\) 群运算

椭圆曲线密码学

• Security depends on the hardness of the elliptic curve discrete logarithm problem (ECDLP, 离散对数问题)
  • Given a point \(Q\in G\subseteq E(L)\) and a generator \(P\) of \(G,\) find an integer \(n\) s.t. \(nP=Q\)
• Pros: smaller keys and ciphertexts for achieving same security level as DLP-based cryptosystems
  • \(\text{160--256}\) bits vs. \(\text{1024--3072}\) bits
• Cons: security is achieved only over secure curves

ECDSA

• To sign a message \(m\):
  1. \(h\leftarrow H(m)\)
  2. \(k\stackrel{\$}{\leftarrow}(\mathbb Z/q\mathbb Z)^*\)
  3. \(\color{blue}r\color{black}\leftarrow f(kP)\bmod q\)
  4. \(\color{blue}s\color{black}\leftarrow(h+\color{red}x\color{blue}r\color{black})/k\bmod q\)

• To verify signature \(\color{blue}(r,s)\):
  1. \(h\leftarrow H(m)\)
  2. \(a\leftarrow h/\color{blue}s\color{black}\bmod q\)
  3. \(b\leftarrow \color{blue}r\color{black}/\color{blue}s\color{black}\bmod q\)
  4. \(f(aP+bQ)\stackrel{?}{=}\color{blue}r\color{black}\bmod q\)

Why it works? \[f(aP+bQ)=f(aP+b\color{red}x\color{black}P)=f(\frac{h+\color{red}x\color{blue}r\color{black}}{s}P)=f(kP)\]

比特币的数字签名

• ECDSA over curve secp256k1
  • Public/private keys: 33 or 65 bytes
  • Signatures: 71, 72, or 73 bytes
• Bitcoin address = RIPEND160(SHA256(pk)): 20 bytes
  • Often in Base58Check encoding

比特币交易帐本

• Transaction consists of \(\geq 1\) inputs and \(\geq 1\) outputs
• To prevent double spending, each input must refer to a previous unspent transaction output (UTXO)
  • Except for coin generation, e.g.: genesis block
• How to ensure integrity of transaction ledger?

Hash function 杂凑函数

• One-way function 单向函数
  • A function \(f\) that is easy to compute on every input \(x\), but hard to invert given the image \(f(x_0)\) of a random input \(x_0\)
• Ideal model: random oracle 随机预言机
• In practice: cryptographic hash function
  • SHA-256, SHA-512
  • SHA3 (Keccak)

Merkel tree

防篡改日志: 区块链

比特币共识协议

• New transactions are broadcast to all nodes
• Each node collects transactions into a block and broadcasts the block as its proof of work (PoW)
• Other nodes accept the block only if all transactions in it are valid, i.e., unspent with valid signatures
• Nodes express their acceptance of the block by including its hash in the next block they create

比特币挖矿激励机制

• Bitcoin miners' incentives
  • Transaction fees
  • Block rewards
    • Started being 50 bitcoins in 2009, now 3.125
    • Cut in half every 4 years to limit supply to ≈21M
• Best strategy: when there are multiple chains of blocks, follow the longest chain of blocks

The Bitcoin script

Executing P2PKH scripts

• Pay-to-PubkeyHash
  • scriptSig: <sig> <pubKey>
  • scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash?> OP_EQUALVERIFY OP_CHECKSIG
• Pay-to-ScriptHash
  • scriptSig: ...signatures... <serialized script>
  • scriptPubKey: OP_HASH160 <scriptHash> OP_EQUAL

Ethereum 以太坊

• Proposed in late 2013 by Vitalik Buterin
• Went live on 30 July 2015
• Stewarded by nonprofit foundation
• Turing-complete scripts, a.k.a. smart contracts (智能合约)
  • A contract is a program that lives on the blockchain
  • A dApp is a collection of integrated contracts
  • A decentralized autonomous organization (DAO) is an organization represented by rules encoded as contracts on a blockchain

智能合约范例

Web3 区块链应用

• Electronic payment
• Asset tokenization
• Provenance tracking
• Digital identity
• Custody & escrow
• Automation
• Non-fugible token (NFT)

Web3 区块链挑战

• Operating models and regulation
• Scalability
• Privacy
• Latency
• Integration

超越数字签名

• Standard digital signature on message \( x \):
  • "I swear that the signer said \( x \)."
• Beyond digital signature:
  • "The signer said \( \color{red}x\color{black} \), which I'm not going to disclose here, but I swear that \( f(\color{red}x\color{black})=y \)."

应用范例

• CA signs Cert: "Batman was born on Jan 1, 1976"
• \( f(x,\color{red}w\color{black})=1 \) if and only if:
  • \( \color{red}w\color{black} \) is a valid certificate signed by CA
  • \( \color{red}w\color{black} \) says as of today, \( x \) is over 18 years old
• Beers for Batman if \( f(\text{Batman},\color{red}\text{Cert}\color{black})=1 \)

Proving \( f(x)=y \)

• Syntax of (polynomial) functional commitment
  • \( c=\text{commit}(r,f) \)
  • \( (y,\pi)=\text{eval}(r,f,x) \)
  • \( \text{verify}\Big(c,x,y,\pi\Big) \) iff \( \exists r\text{ s.t. }c=\text{commit}(r,f) \) and \( f(x)=y \)
• Example (Merkle tree)
  • Leaves \( y_0,y_1,\ldots,y_{n-1} \) define \( f:\Big\{0,1,\ldots,n-1\Big\}\rightarrow Y \)
  • Authentication path encodes (binary expansion of) \( i\in\Big\{0,1,\ldots,n-1\Big\} \) and thus proves \( f(i)=y_i \)

Why polynomials?

• \( f_{v+w}=f_v+f_w, f_{v\odot w}=f_vf_w \) for coordinate-wise product \( \odot \) \[ \Big(\because\text{ev}\in k[X]\times k\rightarrow k\cong k[X]\rightarrow k\rightarrow k\Big) \]
• Lemma [Schwartz-Zippel] \[ \text{Pr}_{r\in k}\Big(f(r)=g(r)\Big)\leq\frac{d}{|k|}\text{ for }f\neq g\text{ with }\deg f,\deg g\leq d \]
  • Zero test: \( f(\omega)=0\ \forall\omega\in\Omega \)
  • Sum check: \( \sum_{\omega\in\Omega}f(\omega)=0 \)
  • Product check: \( \prod_{\omega\in\Omega}f(\omega)=1 \)

交互式零知识证明

• V learns nothing beyond S is true
  • Consider special S: \( y=f(x,\color{red}w\color{black}) \)
  • Can simulate the dialogues without knowing \(\color{red}w\color{black}\)
• Example: Blind V with two colored balls

应用范例

• Prover: "I know integers \( \color{red}p\color{black},\color{red}q\color{black} \) s.t. \( n=\color{red}pq\color{black} \)"
• Prover commits to three polynomial functions: \[ \color{red}r_p\color{black}X+\color{red}p\color{black},\color{red}r_q\color{black}X+\color{red}q\color{black},\text{ and }\color{red}r_pr_q\color{black}X^2+(\color{red}r_pq\color{black}+\color{red}pr_q\color{black})X+n \]
• Verifier challenges Prover with random \( r \) and checks whether \( (\color{red}r_p\color{black}r+\color{red}p\color{black})(\color{red}r_q\color{black}r+\color{red}q\color{black})\stackrel{?}{=}\color{red}r_pr_q\color{black}r^2+(\color{red}r_pq\color{black}+\color{red}pr_q\color{black})r+n \)
• Lemma [Schwartz-Zippel] \[ \text{Pr}_{r\in k}\Big(f(r)=g(r)\Big)\leq\frac{d}{|k|}\text{ for }f\neq g\text{ with }\deg f,\deg g\leq d \]

Schnorr 离散对数零知识证明

• S: "I know \( \color{red}x\color{black} \) s.t. \( y=g^{\color{red}x\color{black}} \)"
  • P \( \rightarrow \) V: \( r=g^{\color{red}k\color{black}} \)
  • P \( \leftarrow \) V: \( e \)
  • P \( \rightarrow \) V: \( s=\color{red}k\color{black}-\color{red}x\color{black}e \)
  • V checks: \( r\stackrel{?}{=}g^sy^e\left(=g^{\color{red}k\color{black}-\color{red}x\color{black}e}(g^x)^e\right) \)
• Fiat-Shamir heuristic turns (most) IP to NIROP (Non-Interactive Random-Oracle Proof)
  • Schnorr's signature: \( \pi=(r,s) \) for \( e=H(r||m) \)
  • zk-NARK (Noninteractive ARgument of Knowledge)

知识提取器

How Sony PS3 got hacked in 2011:

\[ \left\{\begin{aligned} s_1 & =\color{red}k\color{black}-\color{red}x\color{black}e_1 \\ s_2 &= \color{red}k\color{black}-\color{red}x\color{black}e_2 \end{aligned}\right. \]

以太坊基金會

Semaphore 協議

• "Users who broadcast a signal will not expose their identity"
  • "Specifically, an adversary will only know they're a user in the group, but not which user"
• "Users cannot broadcast two different signals on the same topic twice"

实现技术细节

• Identity commitment integrity: \[ \text{id}_\text{comm}=\text{Commit}_{\text{id}_\text{trapdoor}}(\text{id}_\text{pub},\text{id}_\text{nullifier}) \]
• Merkle path validity: \[ (\text{id\textunderscore path},\text{id\textunderscore path\textunderscore index})\text{ is a valid Merkle path from id}_\text{comm}\text{ to root} \]
• Nullifiers hash integrity: \[ \text{nullifiers\textunderscore hash}=\text{PRF}_{\text{id}_\text{nullifier}}(\text{external\textunderscore nullifier},\text{id\textunderscore path\textunderscore index}) \]
• Signal authorization: \[ \text{Verify}(\text{id}_\text{pub},(\text{external\textunderscore nullifier},\text{signal\textunderscore hash}),\text{signature}) \]

范例: Merkle tree

ZoKrates

• Witness contains array of arrays of hash values along authentication path
• Well-known trick to include the indices of these hash values at each level
  • Not strictly necessarily but for easy programming
  • Will expand to nested if-then-else in R1CS anyway

\(\text{\tt fold}\) in Keelung

\(\text{\tt foldl :: Foldable t => (b -> a -> b) -> b -> t a -> b}\)