libbrandt/tex-stuff/math.tex

217 lines
8.7 KiB
TeX
Raw Normal View History

2016-06-10 16:48:50 +02:00
\documentclass{article}
\usepackage[a4paper, margin=2cm]{geometry}
\usepackage{amsmath}
\usepackage{amsfonts}
2016-06-10 16:48:50 +02:00
\begin{document}
\section{Ed25519 Elliptic Curve Based Algorithms And Protocols}
\subsection{Zero Knowledge Proofs}
2016-06-20 20:48:43 +02:00
\subsubsection{Proof 1: Knowledge of an ECDL}
Alice and Bob know $V$, $G$ and $q = |G|$, but only Alice knows $x$, so that
$V = xG$.
\begin{enumerate}
\item Alice chooses $z \bmod q$ at random and calculates $A = zG$.
\item Alice computes $c = HASH(G,V,A) \bmod q$.
\item Alice sends $G, V, A$ and $r = (z + cx) \bmod q$ to Bob.
\item Bob computes $c$ as above and checks that $rG = A + cV$.
\end{enumerate}
2016-06-20 20:48:43 +02:00
\begin{tabular}{r l}
Prover only knowledge: & $x$ \\
Common knowledge: & $V, G$ \\
Proof: & $r, A$
2016-06-20 20:48:43 +02:00
\end{tabular}
\subsubsection{Proof 2: Equality of two ECDL}
Alice and Bob know $V$, $W$, $G_1$ and $G_2$, but only Alice knows $x$, so that
$V = xG_1$ and $W = xG_2$.
\begin{enumerate}
\item Alice chooses $z \bmod q$ at random and calculates $A = zG_1$ and $B = zG_2$.
\item Alice computes $c = HASH(G_1,G_2,V,W,A,B) \bmod q$.
\item Alice sends $V, W, G_1, G_2, A, B$ and $r = (z + cx) \bmod q$ to Bob.
\item Bob computes $c$ as above and checks that $rG_1 = A + cV$ and $rG_2 = B + cW$.
\end{enumerate}
2016-06-20 20:48:43 +02:00
\begin{tabular}{r l}
Prover only knowledge: & $x$ \\
Common knowledge: & $V, W, G_1, G_2$ \\
Proof: & $r, A, B$
2016-06-20 20:48:43 +02:00
\end{tabular}
\subsubsection{Proof 3: An encrypted value is one out of two values}
Alice proves that an El Gamal encrypted value $(\alpha, \beta) = (M + rY, rG)$
either decrypts to $0$ or to the fixed value $G$ without revealing which is the
case, in other words, it is shown that $M \in \{0, G\}$. \\
2016-06-12 15:35:05 +02:00
\noindent If $M = 0$:
2016-06-12 15:35:05 +02:00
\begin{enumerate}
\item Alice chooses $r_1, d_1, w \bmod q$ at random and calculates $A_1 = r_1G + d_1\beta$, $B_1 = r_1Y + d_1(\alpha - G)$, $A_2=wG$ and $B_2=wY$.
\item Alice computes $c = HASH(G,\alpha,\beta,A_1,B_1,A_2,B_2) \bmod q$.
\item Alice chooses $d_2=c-d_1 \bmod q$ and $r_2=w-rd_2 \bmod q$.
2016-06-12 15:35:05 +02:00
\end{enumerate}
\noindent If $M = G$:
2016-06-12 15:35:05 +02:00
\begin{enumerate}
\item Alice chooses $r_2, d_2, w \bmod q$ at random and calculates $A_1=wG$, $B_1=wY$, $A_2=r_2G + d_2\beta$ and $B_2=r_2Y + d_2\alpha$.
\item Alice computes $c = HASH(G,\alpha,\beta,A_1,B_1,A_2,B_2) \bmod q$.
\item Alice chooses $d_1=c-d_2 \bmod q$ and $r_1=w-rd_1 \bmod q$.
2016-06-12 15:35:05 +02:00
\end{enumerate}
\noindent Then regardless of the value of $M$:
2016-06-12 15:35:05 +02:00
\begin{enumerate}
\item Alice sends $G, (\alpha, \beta), A_1, B_1, A_2, B_2, d_1, d_2, r_1, r_2$ to Bob.
\item Bob computes $c$ as above and checks that $c=d_1+d_2 \bmod q$, $A_1=r_1G+d_1\beta$, $B_1=r_1Y+d_1(\alpha-G)$, $A_2=r_2G+d_2\beta$ and $B_2=r_2Y+d_2\alpha$.
2016-06-12 15:35:05 +02:00
\end{enumerate}
2016-06-16 00:08:49 +02:00
2016-06-20 20:48:43 +02:00
\begin{tabular}{r l}
Prover only knowledge: & $r, x$ \\
Common knowledge: & $\alpha, \beta$ \\
Proof: & $A_1, A_2, B_1, B_2, d_1, d_2, r_1, r_2$
2016-06-20 20:48:43 +02:00
\end{tabular}
\subsection{public outcome auctions}
TODO: no need to unicast Round 3 to seller, implications
\subsection{M+1st price auctions}
TODO: explain blowing up $k$ to $nk$ to prevent ties and the additional check
needed in Round 1.
\subsection{Prologue}
These steps are the same for all following protocols in this section.
2016-06-16 00:08:49 +02:00
Let $n$ be the number of participating bidders/agents in the protocol and $k$ be
the amount of possible valuations/prices for the sold good. Let $G$ be the
base point of Ed25519 and $q = ord(G)$ the order of it. $0$ is the neutral point
for addition on Ed25519. $a \in \left\{1,2,\dots,n\right\}$ is the index of the
agent executing the protocol, while $i, h \in \left\{1, 2, \dots, n\right\}$ are
other agent indizes. $j, b_a \in \left\{1,2,\dots,k\right\}$ with $b_a$ denoting
the price $p_{b_a}$ bidder $a$ is willing to pay. $\forall j: p_j < p_{j+1}$.
2016-06-16 00:08:49 +02:00
\subsubsection{Generate public key}
\begin{enumerate}
2016-06-28 16:19:52 +02:00
\item Choose $x_{+a} \in \mathbb{Z}_q$ and $\forall i,j: m_{ij}^{+a}, r_{aj} \bmod q$ at random.
\item Publish $Y_{\times a}={x_{+a}}G$ along with Proof 1 of $Y_{\times a}$'s ECDL.
\item Compute $Y=\sum_{i=1}^nY_{\times i}$.
2016-06-16 00:08:49 +02:00
\end{enumerate}
\subsubsection{Round 1: Encrypt bid}
2016-06-20 01:38:16 +02:00
The message has $k$ parts, each consisting of $10$ Points plus an additional $3$
Points for the last proof. Therefore the message is $10k*32 + 3*32 = 320k + 96$
bytes large.
2016-06-16 00:08:49 +02:00
\begin{enumerate}
\item $\forall j:$ Set $B_{aj}=\begin{cases}G & \mathrm{if}\quad j=b_a\\0 & \mathrm{else}\end{cases}$ and publish $\alpha_{aj}=B_{aj}+r_{aj}Y$ and $\beta_{aj}=r_{aj}G$.
\item $\forall j:$ Use Proof 3 to show that $(\alpha_{aj}, \beta_{aj})$ decrypts to either $0$ or $G$.
\item Use Proof 2 to show that $ ECDL_Y\left(\left(\sum_{j=1}^k\alpha_{aj}\right) - G\right) = ECDL_G\left(\sum_{j=1}^k\beta_{aj}\right)$.
2016-06-16 00:08:49 +02:00
\end{enumerate}
\subsection{First Price Auction Protocol With Private Outcome}
2016-06-16 00:08:49 +02:00
\subsubsection{Round 2: Compute outcome}
2016-06-20 01:38:16 +02:00
The message has $nk$ parts, each consisting of $5$ Points. Therefore the message
is $5nk*32 = 160nk$ bytes large.
2016-06-20 20:48:43 +02:00
$\forall i,j:$ Compute and publish \\[2.0ex]
$\gamma_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\alpha_{hd}\right)+\left(\sum_{d=1}^{j-1}\alpha_{id}\right)+\left(\sum_{h=1}^{i-1}\alpha_{hj}\right)\right)$ and \\[2.0ex]
$\delta_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(\sum_{h=1}^n\sum_{d=j+1}^k\beta_{hd}\right)+\left(\sum_{d=1}^{j-1}\beta_{id}\right)+\left(\sum_{h=1}^{i-1}\beta_{hj}\right)\right)$ \\[2.0ex]
with a corresponding Proof 2 for $ECDL(\gamma_{ij}^{\times a}) = ECDL(\delta_{ij}^{\times a})$.
2016-06-16 00:08:49 +02:00
\subsubsection{Round 3: Decrypt outcome}
2016-06-20 20:48:43 +02:00
$\forall i,j:$ Send $\varphi_{ij}^{\times a} =
2016-06-28 16:51:55 +02:00
x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ with a Proof 2 showing
$ECDL(\varphi_{ij}^{\times a}) = ECDL(Y_{\times a})$ to the seller who publishes
2016-06-20 20:48:43 +02:00
all $\varphi_{ij}^{\times h}$ and the corresponding proofs of correctness for
each $i, j$ and $h \neq i$ after having received all of them.
2016-06-16 00:08:49 +02:00
\subsubsection{Epilogue: Outcome determination}
\begin{enumerate}
\item $\forall j:$ Compute $V_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$.
2016-06-28 17:26:33 +02:00
\item If $\exists w: V_{aw} = 0$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
2016-06-16 00:08:49 +02:00
\end{enumerate}
2016-07-13 14:01:24 +02:00
\subsection{First Price Auction Protocol With Public Outcome}
TODO
2016-06-16 00:08:49 +02:00
\subsection{M+1st Price Auction Protocol With Private Outcome}
2016-06-16 00:08:49 +02:00
\subsubsection{Addition to Round 1: Encrypt bid}
The Bidders also have to use Proof 2 to show that $ ECDL_Y\left(\left(\sum_{j=1}^k\alpha_{a,jn+a}\right) - G\right) = ECDL_G\left(\sum_{j=1}^k\beta_{a,jn+a}\right)$.
This is to ensure bidders have only chosen valid bids for their bid index, since
in M+1st price auctions the amount of possible prices is multiplied by $n$ to
prevent ties. This increases the message size by $96$ bytes.
\subsubsection{Round 2: Compute outcome}
The message has $nk$ parts, each consisting of $5$ Points. Therefore the message
is $5nk*32 = 160nk$ bytes large.
$\forall i,j:$ Compute and publish \\[2.0ex]
$\gamma_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(2M+2\right)\left(\sum_{h=1}^n\left(\sum_{d=j}^k\alpha_{hd}+\sum_{d=j+1}^k\alpha_{hd}\right)+\sum_{d=1}^{j}\alpha_{id}\right) - \left(2M+1\right)Y \right)$ and \\[2.0ex]
$\delta_{ij}^{\times a} = m_{ij}^{+a}\displaystyle\left(\left(2M+2\right)\left(\sum_{h=1}^n\left(\sum_{d=j}^k\beta_{hd}+\sum_{d=j+1}^k\beta_{hd}\right)+\sum_{d=1}^{j}\beta_{id}\right)\right)$ \\[2.0ex]
with a corresponding Proof 2 for $ECDL(\gamma_{ij}^{\times a}) = ECDL(\delta_{ij}^{\times a})$.
\subsubsection{Round 3: Decrypt outcome}
$\forall i,j:$ Send $\varphi_{ij}^{\times a} =
x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ with a Proof 2 showing
$ECDL(\varphi_{ij}^{\times a}) = ECDL(Y_{\times a})$ to the seller who publishes
all $\varphi_{ij}^{\times h}$ and the corresponding proofs of correctness for
each $i, j$ and $h \neq i$ after having received all of them.
\subsubsection{Epilogue: Outcome determination}
\begin{enumerate}
\item $\forall j:$ Compute $V_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$.
\item If $\exists w: V_{aw} = 0$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
\end{enumerate}
2016-06-16 00:08:49 +02:00
2016-06-10 16:48:50 +02:00
\subsection{fixes to step 5 in (M+1)st Price auction from the 2003 paper pages 9 an 10}
\begin{align}
\gamma_{ij} = & \frac{\prod_{h=1}^n \prod_{d=j}^k (\alpha_{hd}\alpha_{h,d+1})\left(\prod_{d=1}^j \alpha_{id}\right)^{2M+2}}{(2M+1)Y} \\
\text{changed to} & \frac{\prod_{h=1}^n \left(\prod_{d=j}^k \alpha_{hd} \cdot \prod_{d=j+1}^k \alpha_{hd}\right)\left(\prod_{d=1}^j \alpha_{id}\right)^{2M+2}}{Y^{2M+1}} \\[2.0ex]
\delta_{ij} = & \prod_{h=1}^n \prod_{d=j}^k (\beta_{hd}\beta_{h,d+1})\left(\prod_{d=1}^j \beta_{id}\right)^{2M+2} \\
\text{changed to} & \prod_{h=1}^n \left(\prod_{d=j}^k \beta_{hd} \prod_{d=j+1}^k \beta_{hd}\right)\left(\prod_{d=1}^j \beta_{id}\right)^{2M+2}
\end{align}
\end{document}