Hello, Habr!
In the first part of the article, we discussed why it might be necessary to generate random numbers for participants who do not trust each other, what requirements are put forward for such random number generators, and considered two approaches to their implementation.
, .
, , , . : , , (x, y) , .
, :
( xG, Gx ). -- .
G xG x.
p(x) k-1. , : p(x) k x ( p(x)), p(x) x.
, p(x) G, p(x)G k x, p(x)G x.
, , , .
n , , k , , k-1 , .
p(x) k-1, p(1), p(2), (n- p(n)). , G p(x)G x. p(i) “ ” i- ( i- ), p(i)G “ ” i- ( ). , p(i)G p(i).
, i- – , . , , .
, ? , . h -- . , h seed. h :
H = scalarToPoint(h)
i Hi = p(i)H, , p(i) H. Hi i- , . , , , .
k Hi = p(i)H, Hx = p(x)H x , . H0 = p(0)H, . , p(0), p(0)H – p(x)H, k p(i)H . p(i)H p(0)H.
, : , k-1 , , , k , k seed.
, . , Hi i p(i)H. i- p(i), i- Hi , - Hi Hi, :
Hi, , .
, p(x) k-1 i p(i), . G p(x)G x.
, xi, Xi.
:
i pi(x) k-1. j pi(j), Xj. i- j- pi(j). i pi(j)G j 1 k .
k , . , n . – Z k , (1).
, pi(j) pi(j)G. Z , pi(j) pi(j)G.
j p(j) pi(j) i Z. p(x)G pi(x)G i Z.
, p(x) – k-1, pi(x), – k-1. , , j p(j), p(x) x ≠ j. , , pi(x), j , p(x).
, . 1, 2 4 . 3 .
, , pi(j) pi(j)G. , i pi(j) j, j pi(j), .
, proofi(j), , e, proofi(j) pi(j)G, , e – pi(j), j. , , O(nk) , .
, , pi(j) pi(j)G , pi(j), pi(j)G, , . , pi(G) , , . , , , , , , .
, , . , , , k , , .
H_i
, , Hi, Hi = p(i)H, p(i).
, H, G, p(i)G . p(i) p(i)G G , dlog, , :
dlog(p(i)G, G) = dlog(Hi, H)
p(i). , Schnorr Protocol.
, Hi .
, , , . Hi .
: – H0, p(0)G – , Hi, ,
dlog(p(0)G, G) = dlog(H0, H)
, Schnorr Protocol , p(0), , , , . Hi , H0.
, - , , H0 , ,
H0 × G = p(0)G × H
elliptic curve pairings, . H0 – , , G, H p(0)G. H0 – , seed, , k n . , seed – , H0 – - , .
– NEAR. NEAR – , .
!