• Author: Jon, 巴比特资讯 (8btc)

    Last week, the world-famous government whistleblower Edward Snowden said that the anonymous cryptocurrency project Zcash is one solution to the surveillance risk posed by Bitcoin's public transaction record.

    • The former US National Security Agency employee is now a fugitive. On June 1, the venture capital firm BlueYard Capital held an "Upgrading the Internet" conference in Dublin, and Snowden commented on the Zcash project during the video panel on "Decentralization and Encryption".
    • Zcash grew out of the Zerocoin project, which began as a cryptographic anonymity layer for Bitcoin and later became an independent cryptocurrency.
    • The Zcash team currently includes the cryptographers and researchers from Johns Hopkins University's Zerocoin project, among them the well-known security expert Matthew D. Green.
    • Zcash founder Zooko Wilcox is an experienced computer security researcher; it was David Chaum's work on "privacy-preserving money" that inspired him. Wilcox got his start at DigiCash, the digital currency created by Chaum in the 1990s.
    • Zcash has now released a public alpha of its software. On June 1, the Zcash team announced that the project would enter its "slow-start mining" phase.
    • Under this distribution scheme, mining rewards start out small and then gradually increase, so that miners get a fairer experience while Zcash coins are being distributed. Like Bitcoin, Zcash has a total supply of 21 million.
    • The project's backer is reportedly Roger Ver, the owner of Bitcoin.com.
    • Zcash has a public blockchain that displays transactions, but it hides the transaction amounts; the holder of a viewing key (i.e., the owner of the coins) can allow others to see the information associated with that key.
    • It encrypts the raw transaction data rather than publishing the transaction data openly as Bitcoin does. Complete transaction outputs are not stored by Zcash nodes; instead, the ability to spend coins is recorded using a proof mechanism called "zk-SNARKs".
    • Most transaction details can therefore be pruned from the blockchain.
    • Other projects reportedly seeking to avoid the "traceability" of public chains include the altcoins Monero and Dash, as well as the anonymous Bitcoin wallet Samourai Wallet.
    • Do you think the market will accept a new cryptocurrency that promotes anonymity? Share your views.


  • Admin

    zero-knowledge proofs/arguments of knowledge: reading list

    This page collects useful papers, articles, and links about
    multi-party computation and zero-knowledge proofs.


    SNARKs for C

    [http://tau.ac.il/~tromer/papers/csnark-20131007.pdf SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge]:
    (Ben-Sasson, Chiesa, Genkin, Tromer, Virza). This defines the
    zk-SNARK (zero-knowledge Succinct Non-interactive ARgument of
    Knowledge) scheme used by Zerocash.

    This paper collects a number of previous clever ideas, adds some
    new ones, and finds ways to optimize the combination enough to make
    everything useful. The resulting system does the following:

    • compiles an arbitrary C program into a simple virtual machine
      named "TinyRAM"
    • performs a one-time key-generation phase that takes the program
      and limits on runtime and input size, and produces two keys: the
      "proving key" and the "verification key". The proving key is very
      big, while the verification key is pretty small.
    • for each run of the program (given some primary input):
        • the Prover runs the TinyRAM program in a special way that
          gathers information about its execution (order of execution,
          changes to memory values). It also gets "auxiliary input",
          which is not revealed to the verifier, and represents
          nondeterminism (somehow).
        • the Prover combines this information with the proving key to
          create the proof. These proofs are very small.
        • later, the Verifier can combine the proof, the primary input,
          and the verification key, and compute a single "accept/reject"
          value. Verifying a proof is much much faster than creating one.

    One example they use is a proof of a good solution for the
    "rectilinear Traveling Salesman Problem", whose input is the node
    locations (x,y), the starting point (x,y), and a distance bound.
    You can solve this problem by measuring the Manhattan distance for
    all possible routes (permutations of the non-starting-point nodes)
    and finding at least one whose total distance is lower than the
    bound. Their example uses such a solution as the "auxiliary
    input", and a TinyRAM program which sums the distances and compares
    it against the bound. The verifier learns that the program really
    does run and emits "yes", without learning what the route is.

    For a 200-node graph, their TinyRAM program had 1105 instructions
    and needed 11001 steps to complete. It took 247 minutes to create
    the proving and verification keys. The proving key was about 12GB
    (using an 80-bit security level), and the verification key was 620
    bytes. It then took 155 minutes to create one instance of the
    proof, and the proof itself was 322 bytes. Verifying the proof took
    0.11 seconds.


    [https://eprint.iacr.org/2013/279.pdf Pinocchio: Nearly Practical Verifiable Computation]: (Parno, Gentry)

    This precursor is the application paper for the main generic snark



    C++ program which takes a target program (as a restricted-form C++ template) and emits an executable which can generate SNARK public-key datasets, generate proofs, or verify proofs. Includes AES and SHA primitives.


    Eli Ben-Sasson's presentation with high-level description, comparison against ZeroCoin : https://www.youtube.com/watch?v=l7LSSE0bRRo

    Recursive Composition of SNARKs

    [http://www.cs.tau.ac.il/~tromer/papers/bootsnark-20120403.pdf Recursive Composition and Bootstrapping for SNARKs and Proof-Carrying Data]: (Bitansky, Canetti, Chiesa, Tromer)

    Andrew Miller tells me that the introductory text in this paper is
    really good, but the rest is "more advanced technical stuff".


    [https://usukitacs.com/sites/default/files/QSP.pdf Quadratic Span Programs and Succinct NIZKs without PCPs]: (Gennaro, Gentry, Parno, Raykova)

    This is "the" big result in this field, known as "GGPR". Andrew
    says this is analogous to the big Craig Gentry paper on
    fully-homomorphic encryption, but for SNARKs. He says it's good to
    use to gauge your understanding by flipping back to this one.

    Justin Thaler's survey post


    MPC Lounge blog series


    History of provable complexity-classes


    Over the last 30 years, folks have been trying to identify what
    kinds of problems can be proved in this zero-knowledge style (where
    the "prover" knows a solution but doesn't want to reveal it, and a
    "verifier" wants to be convinced that they really do know a valid
    solution). Originally the categories of problems (defined as a
    class of languages in which the solution is a valid statement in
    the language) were quite narrow. Variations on what it means to
    prove something were thrown about (interactive vs non-interactive,
    publicly-verifiable versus not, public coin-tosses vs private).
    Eventually it was shown that a very large class of problems can be
    efficiently proved this way.
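As an added illustration of the rectilinear Traveling Salesman example described in the SNARKs for C entry above (example code written for this page, not the paper's TinyRAM program and not Zcash project code), the checker below makes the split between the public "primary input" (node locations, starting point, distance bound) and the secret "auxiliary input" (the route) explicit. The sample instance is constructed, and the tour is assumed to be closed, returning to the starting point; both are assumptions of this example. `check_route` is the computation a SNARK would attest to, and `find_witness` is the brute-force work only the prover performs.

```python
from itertools import permutations

# Constructed sample instance (not taken from the paper). The primary
# input is what both Prover and Verifier see: node locations, the
# starting point, and a distance bound. The tour is assumed to be closed,
# i.e. it returns to the starting point (an assumption of this example).
NODES = [(0, 0), (3, 1), (1, 4), (5, 5), (2, 2)]
START = (0, 0)
BOUND = 23


def manhattan(a, b):
    """Rectilinear (L1) distance between two points."""
    return abs(a[0] - b[0]) + abs(a[1] - b[1])


def tour_length(start, route):
    """Length of the closed tour start -> route[0] -> ... -> route[-1] -> start."""
    total = 0
    prev = start
    for point in route:
        total += manhattan(prev, point)
        prev = point
    return total + manhattan(prev, start)


def check_route(nodes, start, bound, route):
    """The checker program: the computation a SNARK would attest to.

    nodes, start and bound are the primary input (public); route is the
    auxiliary input (the secret witness). Returns True ("accept") only if
    route is a permutation of the non-start nodes whose total Manhattan
    length is strictly lower than the bound.
    """
    others = [n for n in nodes if n != start]
    # A dishonest prover could supply a route that skips nodes or repeats
    # cheap ones, so the checker must reject anything that is not a
    # permutation of exactly the non-start nodes.
    if sorted(route) != sorted(others):
        return False
    return tour_length(start, route) < bound


def find_witness(nodes, start, bound):
    """Prover side: brute-force search over all routes for a satisfying one.

    This is the expensive step the prover performs; the verifier never
    repeats it, and under a zk-SNARK never learns the route either.
    Returns the first satisfying route, or None if none exists.
    """
    others = [n for n in nodes if n != start]
    for route in permutations(others):
        if check_route(nodes, start, bound, list(route)):
            return list(route)
    return None


if __name__ == "__main__":
    witness = find_witness(NODES, START, BOUND)
    if witness is None:
        print("no route below the bound exists for this instance")
    else:
        print("witness route (kept secret from the verifier):", witness)
        print("tour length:", tour_length(START, witness))
        print("checker accepts:", check_route(NODES, START, BOUND, witness))
```

The point of the split is that only the accept/reject output of `check_route` and the primary input are ever shared; in the paper's setting the verifier is convinced that this checker ran and accepted without seeing the route that made it accept.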
