
sigma_protocol_homomorphism - [devnet]


This module can be used to build $\Sigma$-protocols for proving knowledge of a pre-image on a homomorphism $\psi$.

Let $\mathbb{G}^{n_1} \times \mathbb{F}^{n_2}$ denote the set of public statements.

This module helps you convince a verifier with $X\in S$ that you know a secret $w\in \mathbb{F}^k$ such that $\psi(w) = f(X)$, where:

$\psi : \mathbb{F}^k \rightarrow \mathbb{G}^m$ is a homomorphism, and $f : \mathbb{G}^{n_1} \times \mathbb{F}^{n_2} \rightarrow \mathbb{G}^m$ is a transformation function.

Many useful statements can be proved in ZK by framing them as proving knowledge of a pre-image on a homomorphism:

e.g., a Schnorr signature is just proving knowledge of $x$ such that $\psi(x) = x G$, where the PK is $x G$.

e.g., a proof that $C_1, C_2$ both Pedersen-commit to the same $m$ is proving knowledge of $(m, r_1, r_2)$ s.t. $\psi(m, r_1, r_2) = (m G + r_1 H, m G + r_2 H)$

The sigma protocol is very simple:

Prover has $(X, w)$. Verifier has $X \in \mathbb{G}^{n_1} \times \mathbb{F}^{n_2}$.

  1. Prover: Sample $\alpha \in \mathbb{F}^k$

  2. Prover: Compute commitment $A \gets \psi(\alpha)$

  3. Prover: send commitment $A$ ------------------------------->

  4. Verifier: Assert $A \in \mathbb{G}^m$

  5. Verifier: Pick random challenge $e$ (via Fiat-Shamir on: $(X, A)$, a protocol identifier and a session identifier)

  6. Verifier: send challenge $e$ <-------------------------------

  7. Prover: Compute response $\sigma = \alpha + e \cdot w$

  8. Prover: send response $\sigma$ ------------------------------->

  9. Verifier: Check $\psi(\sigma) = A + e f(X)$
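
The nine steps above, made non-interactive with Fiat-Shamir and instantiated for the Pedersen-equality example, as an added Python sketch that is not this module's Move API. The toy group parameters `P`, `Q`, `G`, `H`, the byte-string identifiers and all function names are assumptions chosen for illustration; the group is written multiplicatively, so the page's $x G$ becomes `pow(G, x, P)`.

```python
import hashlib
import secrets

# Constructed toy group, NOT secure: the order-Q subgroup of Z_P^*, with P = 2Q + 1.
# The page writes the group additively; here x*G is pow(G, x, P) and "+" is "* mod P".
P, Q, G, H = 2039, 1019, 4, 9
K, M = 3, 2  # witness length k and output length m for this example

def psi(w):
    """psi(m, r1, r2) = (m G + r1 H, m G + r2 H), the Pedersen-equality homomorphism."""
    m, r1, r2 = w
    gm = pow(G, m, P)
    return [gm * pow(H, r1, P) % P, gm * pow(H, r2, P) % P]

def f(X):
    """Transformation function: here the statement X = (C1, C2) is used unchanged."""
    return list(X)

def challenge(X, A, protocol_id, session_id):
    """Fiat-Shamir over (X, A), a protocol identifier and a session identifier."""
    h = hashlib.sha256()
    for part in (protocol_id, session_id, *(str(v).encode() for v in (*X, *A))):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix every field
    return int.from_bytes(h.digest(), "big") % Q

def prove(X, w, protocol_id, session_id):
    alpha = [secrets.randbelow(Q) for _ in range(K)]        # step 1
    A = psi(alpha)                                          # step 2
    e = challenge(X, A, protocol_id, session_id)            # steps 5-6, non-interactive
    sigma = [(a + e * wi) % Q for a, wi in zip(alpha, w)]   # step 7
    return A, sigma

def in_group(a):
    return 0 < a < P and pow(a, Q, P) == 1

def verify(X, proof, protocol_id, session_id):
    A, sigma = proof
    if len(A) != M or len(sigma) != K or not all(in_group(a) for a in A):  # step 4
        return False
    e = challenge(X, A, protocol_id, session_id)
    rhs = [a * pow(y, e, P) % P for a, y in zip(A, f(X))]   # A + e f(X)
    return psi(sigma) == rhs                                # step 9

if __name__ == "__main__":
    w = [42, 7, 900]   # constructed witness (m, r1, r2)
    X = psi(w)         # statement: two commitments to the same m
    print(verify(X, prove(X, w, b"example-protocol", b"session-1"), b"example-protocol", b"session-1"))
```

Binding the challenge to the protocol and session identifiers is what ties a proof to one context; the verifier recomputes $e$ itself rather than accepting it from the prover.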

use 0x1::sigma_protocol_representation_vec;
use 0x1::sigma_protocol_statement;
use 0x1::sigma_protocol_witness;

Structs

TransformationFunction

The transformation function $f : \mathbb{G}^{n_1} \times \mathbb{F}^{n_2} \rightarrow \mathbb{G}^m$

struct TransformationFunction<P>
Fields
0: |&sigma_protocol_statement::Statement<P>|sigma_protocol_representation_vec::RepresentationVec

Homomorphism

The homomorphism $\psi : \mathbb{F}^k \rightarrow \mathbb{G}^m$

struct Homomorphism<P>
Fields
0: |&sigma_protocol_statement::Statement<P>, &sigma_protocol_witness::Witness|sigma_protocol_representation_vec::RepresentationVec