In Part II, we saw how Alice can blindly evaluate the hiding E(P(s)) of her polynomial P of degree d, at a point s belonging to Bob. We called this “blind” evaluation, because Alice did not learn s in the process.
在第二部分,我们知道了Alice如何在属于Bob的 s 点,去盲评她d阶多项式P的匿数E(P(s))。我们将其称为 “盲” 评估,因为 Alice 在这个过程中并不知道 s。
However, there was something missing in that protocol – the fact that Alice is able to compute E(P(s)) does not guarantee she will indeed send E(P(s)) to Bob, rather than some completely unrelated value.
然而,在那项协议中有瑕疵 – 虽然Alice 能够计算出 E(P(s)) ,但并不能确保她将正确 E(P(s)) 发送给 Bob,而非一些完全不相关的值。
Thus, we need a way to “force” Alice to follow the protocol correctly. We will explain in part IV precisely how we achieve this. In this post, we focus on explaining the basic tool needed for that – which we call here the Knowledge of Coefficient (KC) Test.
因此,我们需要一种 “强制” Alice 正确地遵从协议的方式。我们将在第四部分详细解释我们如何实现这一点。在本文中,我们专注在解释实现这一功能需要用到的基础工具 – 我们将其称为 “知识系数(KC)测试”。
As before, we denote by g a generator of a group G of order |G|=p where the discrete log is hard. It will be convenient from this post onwards to write our group additively rather than multiplicatively. That is, for α ∈ Fp, α⋅g denotes the result of summing α copies of g.
正如之前一样,我们使用 g 表示一个阶为|G|=p的群G的生成器,对于该群,离散对数是困难的。在文章开始时使用加法而不是乘法解释起来更加方便。 那就是,对于 α∈Fp ,α⋅g 表示 α 个 g 的求和结果。
THE KC TEST
知识系数(KC)测试
For α ∈ F(∗,p) [1], let us call a pair of elements (a,b) in G an α-pair if a,b≠0 and b=α⋅a.
[1] F(∗,p) denotes the non-zero elements of Fp. It is the same as Z(∗,p) described in Part I.
The KC Test proceeds as follows.
Bob chooses random α ∈ F(∗,p) and a ∈ G. He computes b=α⋅a.
He sends to Alice the “challenge” pair (a,b). Note that (a,b) is an α-pair.
Alice must now respond with a different pair (a′,b′) that is also an α-pair.
Bob accepts Alice’s response only if (a′,b′) is indeed an α-pair. (As he knows α he can check if b′=α⋅a′.)
对于 α∈F(∗,p)[1], 如果 a,b≠0 和 b=α⋅a 同时成立,则我们称 G 中的一组元素 (a,b) 为 α-pair。
-
- F(∗,p) 表示 Fp 中的非零元素组成的集合,它与第一部分描述的 Z(∗,p) 相类似。
知识系数(KC)测试按照如下的步骤进行:
- Bob 随机选择一个 α∈F(∗,p) 和 a∈G 。他计算出 b=α⋅a 。
- 他发送 “挑战” 数对 (a,b) 给 Alice。注意,(a,b) 是一个 α-pair 。
- Alice 现在必须回复一个不同的数对 (a′,b′) 同时也必须是 α-pair 。
- 如果 (a′,b′) 确实是一个 α-pair ,则 Bob 接受 Alice 的回复。(由于他知道 α ,他可以检查 b′=α⋅a′是否成立。)
Now, let’s think how Alice could successfully respond to the challenge. Let’s assume for a second that she knew α. In that case, she could simply choose any a′ in G, and compute b′=α⋅a′; and return (a′,b′) as her new α-pair.
现在,让我们思考 Alice 如何成功地回复挑战。 让我们假设一下,她知道 α 。 在这种情况下,她便可以在 G 中简单地挑选出 a′,并计算出 b′=α⋅a′; 同时返回 (a′,b′) 作为她得到的新 α-pair 。
However, as the only information about α she has is α⋅a and G has a hard discrete log problem, we expect that Alice cannot find α.
然而,由于 Alice 唯一拥有关于α的信息的载体是α⋅a ,并且 G 具有难离散对数问题,我们可以预计 Alice 并不能得到 α。
So how can she successfully respond to the challenge without knowing α?
因此,如何让 Alice 在不知道 α 的前提下成功回复挑战呢?
Here’s the natural way to do it: Alice simply chooses some γ∈F∗p,γ∈Fp∗, and responds with (a′,b′)=(γ⋅a,γ⋅b).(a′,b′)=(γ⋅a,γ⋅b).
In this case, we have:
b′=γ⋅b=γα⋅a=α(γ⋅a)=α⋅a′,b′=γ⋅b=γα⋅a=α(γ⋅a)=α⋅a′,
so indeed (a′,b′)(a′,b′) is an αα-pair as required.
以下是实现这一目标的自然做法: Alice 简单地选择一些 γ∈F(∗,p),并且回复 (a′,b′)=(γ⋅a,γ⋅b) 。
在这种情况下,我们有:
b′=γ⋅b=γα⋅a=α(γ⋅a)=α⋅a′,
因此(a′,b′)确实是这里需要的 α-pair 。
Note that if Alice responds using this strategy, she knows the ratio between a and a′. That is, she knows the coefficient γ such that a′=γ⋅a.
注意到,如果 Alice 使用这种策略进行回复,她就知道 a 和 a′ 之间的比率。 也就是说,她知道系数 γ 满足 a′=γ⋅a 。
The Knowledge of Coefficient Assumption [2] (KCA) states that this is always the case, namely:
This is typically called the Knowledge of Exponent Assumption in the literature, as traditionally it was used for groups written multiplicatively.
KCA: If Alice returns a valid response (a′,b′) to Bob’s challenge (a,b) with non-negligible probability over Bob’s choices of a,α, then she knows γ such that a′=γ⋅a.
The KC Test and Assumption will be important tools in Part IV.
知识系数假设 [2] (KCA) 指出,情况总是像这样:
-
- 它的书面名称通常为知识系数假设,传统上被用在字面乘法性质的群上。
KCA: 如果 Alice 对于Bob选择的a,α,以不可忽略的可能性,对Bob的挑战(a,b)**给出一个有效的回复 (a′,b′),此时,她所知道的 γ ,可以满足 a′=γ⋅a 。
知识系数(KC)测试和假设将是第四部分的重要工具。
WHAT DOES “ALICE KNOWS” MEAN EXACTLY
“ALICE知道”的确切意义是什么
You may wonder how we can phrase the KCA in precise mathematical terms; specifically, how do we formalize the notion that “Alice knows γ” in a mathematical definition?
你也许会好奇我们如何将 KCA 用准确地数学形式表达出来;具体来说,我们如何用数学定义将 “Alice 知道 γ” 的意义形式化出来?
This is done roughly as follows: We say that, in addition to Alice, we have another party which we call Alice’s Extractor. Alice’s Extractor has access to Alice’s inner state.
我们通过下面这样粗略的方式说明: 我们说,除了 Alice 之外,我们有一个被称为 Alice的提取器 的角色。 Alice的提取器可以访问 Alice 的内部状态。
We then formulate the KCA as saying that: whenever Alice successfully responds with an α-pair (a′,b′), Alice’s Extractor outputs γ such that a′=γ⋅a. [3]
[3]The fully formal definition needs to give the Extractor “a little slack” and states instead that the probability that Alice responds successfully but the Extractor does not output such γ is negligible.
我们这时便可以这样形式化 KCA: 当 Alice 使用一个 α-pair (a′,b′) 成功回复时,Alice的提取器 输出的 γ 满足 a′=γ⋅a. [3]
-
- 完整正式定义需要让提取器 “稍微松懈一下”,并反过来声明,Alice 成功回复但是提取器无法正常输出这样的 γ 的可能性可以忽略不计。
译者总结
数学关系
交互模型