零知識證明的抗量子協議以加強區塊鏈安全

Catherine
2021-10-05T19:50

Researchers at Technology Innovation Institute (TII) in the United Arab
Emirates have improved the feasibility of a new class of algorithms to
protect blockchain applications against quantum computing cryptographic
attacks. This builds on the considerable research already underway across the
cryptographic community in developing better protocols for improving
zero-knowledge proofs.

阿拉伯聯合大公國技術創新研究所 (TII) 的研究人員提高了一類新算法的可行性,以保

The specialised area of cryptography has been gaining significant interest
since zero-knowledge proofs are widely used in techniques like blockchain,
smart contracts, and identity verification.


The most popular approaches have involved using matrix computations. However,
there is some concern that future research may find new and improved ways to
compromise these protocols. So, researchers are always looking for promising
alternatives to provide multiple types of protection against future
cryptographic attacks.


Need for alternative approaches


The various types of quantum-resistant problems and algorithms built on them
are considered safe at the present time, because no one has demonstrated a
credible quantum computer attack against them. Emanuele Bellini, Lead
Cryptographer at TII, said: “We are in the early stages of understanding
what is quantum-resistant and what is not. The safest approach is to build
the quantum-resistant scheme based on many different problems so that if one
is broken, you are still hopeful that the others are not.”

過可信的量子計算機攻擊它們。 TII 的首席密碼學家 Emanuele Bellini 說:“我們正

Most of the work on quantum-resistant protocols for zero-knowledge proofs has
been based on lattices. Lattices are very flexible and are one of the most
malleable cryptographic mathematical structures that can be applied across
the board. The TII team has focused on alternatives to lattices based on the
Rank Syndrome Decoding problems, which, although promising, still need more
research to make them a credible solution.

最具延展性的加密數學結構之一。 TII 團隊專注於基於 Rank Syndrome Decoding 問題

Cryptography is a bit of a cat-and-mouse game, where researchers are
constantly finding enhanced solutions to break protocols and more effective
ways to implement them. It is not even necessary to completely break an
approach to reduce its attractiveness. Bellini said, “If someone discovers
an attack to the lattice problem that just slightly improves the previous
attack, it means that the lattice parameters would have to become larger, and
then other approaches would become relatively more efficient.”


The importance of zero-knowledge proofs


“Zero-knowledge” has recently become the most popular keyword in
cryptographic papers presented at conferences. The popularity of these
protocols grew in response to the enthusiasm around blockchain since this is
the most common use case. In these applications, the goal is to be able to
prove a statement is true without the rest of the blockchain understanding
information about the exchange. The simplest implementations of
zero-knowledge protocols are often used for identity verification.


A zero-knowledge-proof protocol organised the interaction between two parties
in which one is the prover and the other the verifier. The two parties
exchange information, and after the exchange, the prover can confirm the
truthfulness of the statement, such as whether someone has enough money in a
blockchain wallet for a transaction without knowing the total in the wallet.
This is also done in a way that hides information from third-party observers.


Initially, the zero-knowledge-proof community focused on using classical
cryptographic algorithms based on discrete logs or factorisation problems.
The community has recently started exploring quantum-resistant zero-knowledge


Classical algorithms were inefficient, and the quantum-resistant
implementations are even less so because they require larger keys. They also
require larger parameters such as the size of the proof, the number of bits
that need to be communicated between prover and verifier, and the amount of
work each party must perform to build the proof. These quantum-resistant
protocols might take minutes or hours to run compared to a few seconds for
the protocols built on classical algorithms.


Rank Syndrome Decoding problem

Rank Syndrome 解碼問題

TII’s researchers studied the Rank Syndrome Decoding problem, an evolution
of another technique called the Syndrome Decoding problem. Other popular
quantum techniques have included the shortest vector problem, the NTRU
problem, the isogenies problem, and the multivariate quadratic problem.

TII 的研究人員研究了 Rank Syndrome Decoding 問題,這是另一種稱為 Syndrome
Decoding 問題的技術的演變。其他流行的量子技術包括最短向量問題、NTRU 問題、同構

These different classes of problems organise numbers into a particular
structure that is best suited for verifying a zero-knowledge proof built on
top of the problem. The shortest vector and NTRU are similar and use lattices
to encode the numbers to compute the problem’s answer. Multivariate problems
use a system of polynomials to organise the calculation. The Syndrome
Decoding Problem uses a linear code. The Rank Syndrome Decoding problem is
similar to the Syndrome Decoding problem but organises the linear codes more

證明。最短向量和 NTRU 相似,使用格子對數字進行編碼以計算問題的答案。多元問題使
用多項式系統來組織計算。Syndrome Decoding問題使用線性代碼。
Rank Syndrome Decoding 問題類似於 Syndrome Decoding 問題,但可以更有效地組織線

Emanuele Bellini, Lead Cryptographer at the TII, said: “The Rank Syndrome
Decoding problem is not something we invented. However, it is a newer problem
than Syndrome Decoding and the lattice problems, so it is less studied.”

TII 的首席密碼學家 Emanuele Bellini 說:“Rank Syndrome Decoding 問題不是我們
發明的。然而,它是一個Syndrome Decoding和格問題更新的問題,因此研究較少。”

More efficient and adaptable


TII’s researchers improved the efficiency of RSD and implemented it in a way
that is more adaptable to different use cases. Their implementation is 60%
smaller, and the parameters are 1% of the size compared to the
state-of-the-art Syndrome Decoding implementation for a given proof. It is
also considerably faster, solving one benchmark proof in 47 ms compared to
5,000 ms for Syndrome Decoding.

TII 的研究人員提高了 RSD 的效率,並以更適合不同用例的方式實施。對於給定的證明
,與最先進的Syndrome Decoding實現相比,它們的實現小了 60%,參數大小只有其大小的
1%。它也快得多,與 Syndrome Decoding 的 5,000 ms 相比,它在 47 ms 內解決了一個

A key building block of this new construction is a commitment scheme that
essentially requires one party to commit to a statement, such as having
executed a certain amount of work, which can be verified later as part of a


TII researchers also demonstrated how this commitment scheme could be built
into any kind of circuit, which is a fundamental building block for
cryptographic transactions. Prior research had examined how RSD could be
applied to signature schemes based on identification protocols using
zero-knowledge proofs. However, the TII research is the first demonstration
of how RSD could apply to any arbitrary circuit that could be used across
many different applications.

TII 研究人員還演示了如何將這種承諾方案構建到任何類型的電路中,這是加密交易的基
本構建區塊。先前的研究已經研究瞭如何將 RSD 應用於基於使用零知識證明的識別協議
的簽名方案。然而,TII 研究首次展示了 RSD 如何應用於可用於許多不同應用的任意電

An arbitrary circuit in cryptography is analogous to an electrical circuit in
a computer chip in which bits are logically combined using gates that perform
logical operations such as executing AND, OR, and NOT statements. Bellini
said: “if you have enough of these gates, you can build any function.”

密碼學中的任意電路類似於計算機芯片中的電路,其中使用執行邏輯運算(例如執行 AND
、OR 和 NOT 語句)的門對位進行邏輯組合。貝里尼說:“如果你有足夠多的這些門,你

The proof size required for verifying the statement grows at a quasi-linear
rate. This means that larger statements require more computation to prove but
not nearly as much as would be needed if the proof size grew at a quadratic
or exponential rate.


Reducing the cheating probability


A zero-knowledge proof is not the same as a mathematical proof. A
mathematical proof is a deterministic process that allows someone to assert
whether a statement is true or false based on certain assumptions. In
contrast, a zero-knowledge proof is a probabilistic proof in which a
statement is proved with a certain degree of probability. The probability of
making a mistake is called the soundness error or cheating probability since
it represents the risk that someone might be cheating but not caught.


This error can be made as small as possible by repeating the calculation
multiple times. The current implementation’s cheating probability is 2/3 on
the first pass, which is insufficient to convince a verifier. However, by
repeating the proof 219 times, the cheating probability drops to 1/2128,
which is extremely low. “The fact that it is wrong is less probable than a
meteor will fall on your head this afternoon,” said Bellini.

通過多次重複計算,可以使這個誤差盡可能小。當前實現的第一遍作弊概率為 2/3,不足

Future research is looking at how to reduce the soundness error of the
fundamental building blocks even further. But this needs to be approached
cautiously since it may reduce the probability by creating a much longer
proof that takes more time to execute. Bellini expects this to be doable
since there are already examples of reducing the likelihood from 2/3 to 1/2
when using RSD for identification protocols. This would mean the researchers
would only need to repeat the process 128-times rather than 219-times!

為它可能會通過創建需要更多時間來執行的更長的證明來降低概率。 Bellini 預計這是
可行的,因為在使用 RSD 進行識別協議時,已經有將可能性從 2/3 降低到 1/2 的例子。
這意味著研究人員只需要重複這個過程 128 次而不是 219 次。


All Comments

Joseph
at 2021-10-08T12:15
好奇SHA256不是已經是quantum resistant了嗎
Franklin
at 2021-10-11T04:40
Enid
at 2021-10-09T21:24
零知識證明是零知識證明 簡單來說用處就是隱私保護
Mia
at 2021-10-12T13:50
Robert
at 2021-10-09T21:24
Belly
at 2021-10-12T13:50
Damian
at 2021-10-09T21:24
Elvira
at 2021-10-12T13:50
哦哦誤解 感謝!
Mia
at 2021-10-09T21:24
Rebecca
at 2021-10-12T13:50
Hazel
at 2021-10-09T21:24
Doris
at 2021-10-12T13:50
Andrew
at 2021-10-09T21:24

