update math.tex description
- Points are upper case letters now (except for the greek symbols) - Common knowledge inputs are explicitly stated to be transferred to Bob in ZKPs - Computation of the Challenge c from Bob is explicitly stated for Bob in ZKPs
This commit is contained in:
parent
d1fe3b0be7
commit
a9e4574c49
@ -7,80 +7,80 @@
|
|||||||
\subsection{Zero Knowledge Proofs}
|
\subsection{Zero Knowledge Proofs}
|
||||||
\subsubsection{Proof 1: Knowledge of an ECDL}
|
\subsubsection{Proof 1: Knowledge of an ECDL}
|
||||||
|
|
||||||
Alice and Bob know $v$, $g$ and $q = |g|$, but only Alice knows $x$, so that
|
Alice and Bob know $V$, $G$ and $q = |G|$, but only Alice knows $x$, so that
|
||||||
$v = xg$.
|
$V = xG$.
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Alice chooses $z$ at random and calculates $a = zg$.
|
\item Alice chooses $z \bmod q$ at random and calculates $A = zG$.
|
||||||
\item Alice computes $c = HASH(g,v,a)$ mod $q$.
|
\item Alice computes $c = HASH(G,V,A) \bmod q$.
|
||||||
\item Alice sends $r = (z + cx)$ mod $q$ and $a$ to Bob.
|
\item Alice sends $G, V, A$ and $r = (z + cx) \bmod q$ to Bob.
|
||||||
\item Bob checks that $rg = a + cv$.
|
\item Bob computes $c$ as above and checks that $rG = A + cV$.
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
|
|
||||||
\begin{tabular}{r l}
|
\begin{tabular}{r l}
|
||||||
Prover only knowledge: & $x$ \\
|
Prover only knowledge: & $x$ \\
|
||||||
Common knowledge: & $v, g$ \\
|
Common knowledge: & $V, G$ \\
|
||||||
Proof: & $r, a$
|
Proof: & $r, A$
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
|
|
||||||
\subsubsection{Proof 2: Equality of two ECDL}
|
\subsubsection{Proof 2: Equality of two ECDL}
|
||||||
|
|
||||||
Alice and Bob know $v$, $w$, $g_1$ and $g_2$, but only Alice knows $x$, so that
|
Alice and Bob know $V$, $W$, $G_1$ and $G_2$, but only Alice knows $x$, so that
|
||||||
$v = xg_1$ and $w = xg_2$.
|
$V = xG_1$ and $W = xG_2$.
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Alice chooses $z$ at random and calculates $a = zg_1$ and $b = zg_2$.
|
\item Alice chooses $z \bmod q$ at random and calculates $A = zG_1$ and $B = zG_2$.
|
||||||
\item Alice computes $c = HASH(g_1,g_2,v,w,a,b)$ mod $q$.
|
\item Alice computes $c = HASH(G_1,G_2,V,W,A,B) \bmod q$.
|
||||||
\item Alice sends $r = (z + cx)$ mod $q$, $a$ and $b$ to Bob.
|
\item Alice sends $V, W, G_1, G_2, A, B$ and $r = (z + cx) \bmod q$ to Bob.
|
||||||
\item Bob checks that $rg_1 = a + cv$ and $rg_2 = b + cw$.
|
\item Bob computes $c$ as above and checks that $rG_1 = A + cV$ and $rG_2 = B + cW$.
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
|
|
||||||
\begin{tabular}{r l}
|
\begin{tabular}{r l}
|
||||||
Prover only knowledge: & $x$ \\
|
Prover only knowledge: & $x$ \\
|
||||||
Common knowledge: & $v, w, g_1, g_2$ \\
|
Common knowledge: & $V, W, G_1, G_2$ \\
|
||||||
Proof: & $r, a, b$
|
Proof: & $r, A, B$
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
|
|
||||||
\subsubsection{Proof 3: An encrypted value is one out of two values}
|
\subsubsection{Proof 3: An encrypted value is one out of two values}
|
||||||
|
|
||||||
Alice proves that an El Gamal encrypted value $(\alpha, \beta) = (m + ry, rg)$
|
Alice proves that an El Gamal encrypted value $(\alpha, \beta) = (M + rY, rG)$
|
||||||
either decrypts to $0$ or to the fixed value $g$ without revealing which is the
|
either decrypts to $0$ or to the fixed value $G$ without revealing which is the
|
||||||
case, in other words, it is shown that $m \in \{0, g\}$. \\
|
case, in other words, it is shown that $M \in \{0, G\}$. \\
|
||||||
|
|
||||||
\noindent If $m = 0$:
|
\noindent If $M = 0$:
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Alice chooses $r_1$, $d_1$, $w$ at random and calculates $a_1 = r_1g + d_1\beta$, $b_1 = r_1y + d_1(\alpha - g)$, $a_2=wg$ and $b_2=wy$.
|
\item Alice chooses $r_1, d_1, w \bmod q$ at random and calculates $A_1 = r_1G + d_1\beta$, $B_1 = r_1Y + d_1(\alpha - G)$, $A_2=wG$ and $B_2=wY$.
|
||||||
\item Alice computes $c = HASH(g,\alpha,\beta,a_1,b_1,a_2,b_2)$ mod $q$.
|
\item Alice computes $c = HASH(G,\alpha,\beta,A_1,B_1,A_2,B_2) \bmod q$.
|
||||||
\item Alice chooses $d_2=c-d_1$ mod $q$ and $r_2=w-rd_2$ mod $q$.
|
\item Alice chooses $d_2=c-d_1 \bmod q$ and $r_2=w-rd_2 \bmod q$.
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
|
|
||||||
\noindent If $m = g$:
|
\noindent If $M = G$:
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Alice chooses $r_2$, $d_2$, $w$ at random and calculates $a_1=wg$, $b_1=wy$, $a_2=r_2g + d_2\beta$ and $b_2=r_2y + d_2\alpha$.
|
\item Alice chooses $r_2, d_2, w \bmod q$ at random and calculates $A_1=wG$, $B_1=wY$, $A_2=r_2G + d_2\beta$ and $B_2=r_2Y + d_2\alpha$.
|
||||||
\item Alice computes $c = HASH(g,\alpha,\beta,a_1,b_1,a_2,b_2)$ mod $q$.
|
\item Alice computes $c = HASH(G,\alpha,\beta,A_1,B_1,A_2,B_2) \bmod q$.
|
||||||
\item Alice chooses $d_1=c-d_2$ mod $q$ and $r_1=w-rd_1$ mod $q$.
|
\item Alice chooses $d_1=c-d_2 \bmod q$ and $r_1=w-rd_1 \bmod q$.
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
|
|
||||||
\noindent Then regardless of the value of $m$:
|
\noindent Then regardless of the value of $M$:
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Alice sends $(\alpha, \beta), a_1, b_1, a_2, b_2, d_1, d_2, r_1, r_2$ to Bob.
|
\item Alice sends $G, (\alpha, \beta), A_1, B_1, A_2, B_2, d_1, d_2, r_1, r_2$ to Bob.
|
||||||
\item Bob checks that $c=d_1+d_2$ mod $q$, $a_1=r_1g+d_1\beta$, $b_1=r_1y+d_1(\alpha-g)$, $a_2=r_2g+d_2\beta$ and $b_2=r_2y+d_2\alpha$.
|
\item Bob computes $c$ as above and checks that $c=d_1+d_2 \bmod q$, $A_1=r_1G+d_1\beta$, $B_1=r_1Y+d_1(\alpha-G)$, $A_2=r_2G+d_2\beta$ and $B_2=r_2Y+d_2\alpha$.
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
|
|
||||||
\begin{tabular}{r l}
|
\begin{tabular}{r l}
|
||||||
Prover only knowledge: & $r, x$ \\
|
Prover only knowledge: & $r, x$ \\
|
||||||
Common knowledge: & $\alpha, \beta$ \\
|
Common knowledge: & $\alpha, \beta$ \\
|
||||||
Proof: & $a_1, a_2, b_1, b_2, d_1, d_2, r_1, r_2$
|
Proof: & $A_1, A_2, B_1, B_2, d_1, d_2, r_1, r_2$
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
|
|
||||||
\subsection{Protocol}
|
\subsection{Protocol}
|
||||||
|
|
||||||
Let $n$ be the number of participating bidders/agents in the protocol and $k$ be
|
Let $n$ be the number of participating bidders/agents in the protocol and $k$ be
|
||||||
the amount of possible valuations/prices for the sold good. Let $g$ be the
|
the amount of possible valuations/prices for the sold good. Let $G$ be the
|
||||||
base point of Ed25519 and $q = ord(g)$ the order of it. $0$ is the neutral point
|
base point of Ed25519 and $q = ord(G)$ the order of it. $0$ is the neutral point
|
||||||
for addition on Ed25519. $a \in \left\{1,2,\dots,n\right\}$ is the index of the
|
for addition on Ed25519. $a \in \left\{1,2,\dots,n\right\}$ is the index of the
|
||||||
agent executing the protocol, while $i, h \in \left\{1, 2, \dots, n\right\}$ are
|
agent executing the protocol, while $i, h \in \left\{1, 2, \dots, n\right\}$ are
|
||||||
other agent indizes. $j, b_a \in \left\{1,2,\dots,k\right\}$ with $b_a$ denoting
|
other agent indizes. $j, b_a \in \left\{1,2,\dots,k\right\}$ with $b_a$ denoting
|
||||||
@ -89,9 +89,9 @@ the price $p_{b_a}$ bidder $a$ is willing to pay. $\forall j: p_j < p_{j+1}$.
|
|||||||
\subsubsection{Generate public key}
|
\subsubsection{Generate public key}
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Choose $x_{+a} \in \mathbb{Z}_q$ and $\forall i,j: m_{ij}^{\times a}, r_{aj} \in \mathbb{Z}_q$ at random.
|
\item Choose $x_{+a} \in \mathbb{Z}_q$ and $\forall i,j: m_{ij}^{\times a}, r_{aj} \bmod q$ at random.
|
||||||
\item Publish $y_{\times a}={x_{+a}}g$ along with Proof 1 of $y_{\times a}$'s ECDL.
|
\item Publish $Y_{\times a}={x_{+a}}G$ along with Proof 1 of $Y_{\times a}$'s ECDL.
|
||||||
\item Compute $y=\sum_{i=1}^ny_{\times i}$.
|
\item Compute $Y=\sum_{i=1}^nY_{\times i}$.
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
|
|
||||||
\subsubsection{Round 1: Encrypt bid}
|
\subsubsection{Round 1: Encrypt bid}
|
||||||
@ -101,9 +101,9 @@ Points for the last proof. Therefore the message is $10k*32 + 3*32 = 320k + 96$
|
|||||||
bytes large.
|
bytes large.
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item $\forall j:$ Set $b_{aj}=\begin{cases}g & \mathrm{if}\quad j=b_a\\0 & \mathrm{else}\end{cases}$ and publish $\alpha_{aj}=b_{aj}+r_{aj}y$ and $\beta_{aj}=r_{aj}g$.
|
\item $\forall j:$ Set $B_{aj}=\begin{cases}G & \mathrm{if}\quad j=b_a\\0 & \mathrm{else}\end{cases}$ and publish $\alpha_{aj}=B_{aj}+r_{aj}Y$ and $\beta_{aj}=r_{aj}G$.
|
||||||
\item $\forall j:$ Use Proof 3 to show that $(\alpha_{aj}, \beta_{aj})$ decrypts to either $0$ or $g$.
|
\item $\forall j:$ Use Proof 3 to show that $(\alpha_{aj}, \beta_{aj})$ decrypts to either $0$ or $G$.
|
||||||
\item Use Proof 2 to show that $ ECDL_y\left(\left(\sum_{j=1}^k\alpha_{aj}\right) - g\right) = ECDL_g\left(\sum_{j=1}^k\beta_{aj}\right)$.
|
\item Use Proof 2 to show that $ ECDL_Y\left(\left(\sum_{j=1}^k\alpha_{aj}\right) - G\right) = ECDL_G\left(\sum_{j=1}^k\beta_{aj}\right)$.
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
|
|
||||||
\subsubsection{Round 2: Compute outcome}
|
\subsubsection{Round 2: Compute outcome}
|
||||||
@ -120,15 +120,15 @@ with a corresponding Proof 2 for $ECDL(\gamma_{ij}^{\times a}) = ECDL(\delta_{ij
|
|||||||
|
|
||||||
$\forall i,j:$ Send $\varphi_{ij}^{\times a} =
|
$\forall i,j:$ Send $\varphi_{ij}^{\times a} =
|
||||||
x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ with a Proof 2
|
x_{+a}\left(\sum_{h=1}^n\delta_{ij}^{\times h}\right)$ with a Proof 2
|
||||||
$ECDL(\varphi_{ij}^{\times a}) = ECDL(y_{\times a})$ to the seller who publishes
|
$ECDL(\varphi_{ij}^{\times a}) = ECDL(Y_{\times a})$ to the seller who publishes
|
||||||
all $\varphi_{ij}^{\times h}$ and the corresponding proofs of correctness for
|
all $\varphi_{ij}^{\times h}$ and the corresponding proofs of correctness for
|
||||||
each $i, j$ and $h \neq i$ after having received all of them.
|
each $i, j$ and $h \neq i$ after having received all of them.
|
||||||
|
|
||||||
\subsubsection{Epilogue: Outcome determination}
|
\subsubsection{Epilogue: Outcome determination}
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item $\forall j:$ Compute $v_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$.
|
\item $\forall j:$ Compute $V_{aj}=\sum_{i=1}^n\gamma_{aj}^{\times i} - \sum_{i=1}^n\varphi_{aj}^{\times i}$.
|
||||||
\item If $\exists w: v_{aw} = 1$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
|
\item If $\exists w: V_{aw} = 1$, then bidder $a$ is the winner of the auction. $p_w$ is the selling price.
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user