“Quantum-resistant algorithms”: translation of Prof. Dan Boneh's 2019 fireside chat on Grin


LIUJIN

May 16, 2023, 1:10:30 AM
to QUSAR [Quantum-resistant digital signature algorithm research group]
“Quantum-resistant algorithms”: a 2019 fireside chat
Prof. Dan Boneh of Stanford University and Taariq Lewis of the San Francisco Bitcoin developers group

(Prof. Dan Boneh of Stanford University is one of the world's best-known cryptographers, chief cryptographer at the Silicon Valley venture firm A16Z,
chair of the annual Stanford Blockchain Conference, and coordinator of a leading international zero-knowledge proof research organization)

Original transcript: http://diyhpl.us/wiki/transcripts/grincon/2019/dan-boneh/
Contributor:
twitter @r8raq
Date: 16 May 2023

TL: I was one of the founders of SF Bitcoin Devs with aantonop. I am also the co-founder of a company called Promise. We sponsor protocols in privacy as well as mimblewimble. If you are mining or actively looking to mine in grin, please say hello to me, because we're connected with a lot of mining companies and hosting companies that are looking to host miners very cheaply. I'd love to help. This is the most important panel of the day. There is not going to be another more important panel than my guest. He has been a man of impact and a professor of awesome in cryptography at Stanford. We begged him to give us 30 minutes to talk about post-quantum crypto and how it impacts coins like grin and other privacy tokens. Please welcome Professor Dan Boneh of Stanford University. We're going to ask Dan a bunch of questions.

TL: Dan, you can tell us, and we won't tell anyone else: did you or one of your students create mimblewimble?

Dan: Thank you, it's a pleasure to be here. I love this area of research because we can deploy new cryptography. Deploying cryptography in blockchain is much easier. This is a fun area. I love it. Hopefully you guys can hire developers out of my classes. My last class had 250 students. It kind of grows with bitcoin's market price fluctuations. I think I'm not going to answer your question, though.

TL: Interesting. Let's talk about an exciting area of science, which is essentially quantum cryptography or quantum computing. The question we have is: how long before a quantum computer impacts grin and all cryptography using ECDSA curves? What is quantum computing, and how does it impact cryptography?

Dan: Sure, happy to do that. Most of you have heard of quantum computers. Rather than using classical physics, it uses superposition of particles. You can do certain computations more efficiently in this regime. There's a quadratic speed-up for search problems. The driving force for developing quantum computers is their ability to simulate physics, like for designing drugs or fertilizer or anything like that. These computers are very good at simulation. That's the business reason to develop them. We need to have good business reasons to make these computers happen.

Dan: So how long until they impact blockchains that use ECDSA? There is a calculation that I would like to take you through. It's simple but maybe optimistic. Let's say Moore's law applies to quantum computers. A couple of years ago, we had 5 qubits. We went to 15, 30, and now we're at 90. If you plot it, it starts to look like Moore's law in number of qubits. The algorithms require 10,000 qubits, but that assumes perfect qubits. But what's being built is far from perfect qubits. It requires error correction, which adds a lot of overhead. So to break this crypto, because of the error correction, you need like 100 million qubits. Logical qubits are the perfect qubits that don't introduce noise and behave exactly the way the algorithm wants them to. Physical qubits are the ones where you shine a laser at them or hit them with EM radiation and they don't behave in the way you want them to, so error correction is required. If you look at Moore's law in number of qubits, we need like 100 million qubits. RSA requires more qubits, because all of the parameters in RSA are much bigger than ECDSA. When you do Moore's law, so log base 18 of 100 million, with a doubling every 18 months, you get 30 years if you assume these computers will develop at the same rate as conventional computing.

Most of the rest of the world relies on cryptography for encryption. In 30 years, if someone builds a quantum computer, they can decrypt things you said today. For business, there's a good use case to start using post-quantum crypto so that you can have your documents secure for 30-50 years. Banks, governments all want to keep their data secure. For signatures, there's less of a need: it's only in 30 years that someone can break your ECDSA keys, if the estimate is correct. So you don't have to worry about that right now.

TL: Are there any five-letter agencies that have reached even further than what we know in public?

Dan: We can only speculate about what 3-letter or 5-letter agencies are doing. In the Snowden revelations, we found out that there are investments in certain agencies in quantum computing, but we have no clue what they are doing.

TL: Let's talk about post-quantum cryptography. You talked about signatures. What are the post-quantum kinds of signatures?

Dan: Literally, we could be here for 6 hours talking about quantum computing and what to do about it. The crypto community has been hard at work on defending against quantum computers. In particular, imagine you're facing an adversary that is equipped with a quantum computer. The answer is you move to post-quantum crypto. It's crypto that runs on a classical computer. You continue to use non-quantum computers. But the encryption will be secure even if the adversary is equipped with a quantum computer. So first we have to define a problem that is easy to compute on a classical computer, but breaking it would be difficult even for a quantum computer. So what are those problems? For signatures, there are 3 classes of post-quantum signatures.

Dan: The first one is a hash-based signature like Lamport signatures. A quantum computer is unlikely to affect SHA-256. If it does, you can move to another hash function. These signatures are believed to be post-quantum secure, but there's a problem: these are really large signatures. SPHINCS is a multi-signature scheme with signatures that are 30 to 40 kilobytes in size.

TL: Uh, that's big.

Dan: ECDSA signatures are 64 bytes. But these hash-based signatures are around 30 kilobytes. If you shave the parameters a bit, you can get a signature that is maybe a little shorter, but still in the tens of kilobytes. This is useful for software updates. If I want to send you a software update, those are so big anyway that sending an extra 50 kilobytes isn't important. But not so for blockchain.

Dan: Another one is lattice-based signatures. Let me take you back to your linear algebra days, where you were trying to solve a system of linear equations. There are many solutions to these equations. The signature is based on the problem of not just finding the solutions to the system of equations, but finding the solution that is made up of only small numbers. This turns out to be a difficult problem, and we don't even have a good quantum algorithm for that. Well, not yet. That's a good point. Unfortunately, in crypto you can't prove that things are hard. We have a lot of people that try to break them, and then we say it's assumed to be hard. If you want to learn more about that assumption, it's called SIS and you can look that up to see how it works. For lattices, signatures are about 1 kilobyte or a little less. Still quite expensive compared to 64-byte ECDSA signatures.

Dan: The third category is isogeny cryptography. It's twisted on its head a bit... if you understand the Diffie-Hellman protocol, the buzzword is: instead of groups you use group actions. You can use this for signatures. Unfortunately, the best signature scheme we have here is c5. It's developed in New Zealand, and that signature is also around 10 kilobytes. Since we're using group actions, not groups, there's less structure, and thus our signatures get bigger as a result.

TL: In 30 years, every blockchain based on ECDSA is going to have to move to this. Everyone is going to have this size problem.

Dan: You guys should be looking to cryptographers and complaining. There's a clear need for a post-quantum signature that is secure and comparable to ECDSA in size, like 64 bytes. We've been working very hard on this. Every scheme we've tried to come up with, we've been able to break. This is a critical problem for the blockchain community. We've been working hard on it; it's just hard. It's a hard problem to solve. More people should be working on this. I've been very optimistic about having short signatures based on isogenies because the structure is so similar to elliptic curves. But there's a really fundamental problem making it difficult. It doesn't work yet. We've been trying.

TL: We need not just a small signature size, but we also need things like multisignatures and other types of signature features. Which of these post-quantum signature schemes or categories will give us those features we had before with ECDSA?

Dan: That's a great question. One thing you can ask about is verification time. ECDSA is very fast to verify. Can we have post-quantum signatures that are as fast to verify? Hash-based signatures and lattice-based signatures might be large, but they are faster to verify than ECDSA signatures. Isogenies so far have some benefits for key exchange, but they are somewhat slower. We're working hard on these problems. The goal is to not just have a short signature, but we would also like things like threshold signing. These are all fantastic research problems.

TL: Will grin be able to take advantage of those as we go forward?

Dan: Yes.

TL: When we think of where we are with grin, and in 30 years where we are with grin, will it be that these features come to grin? Or will it require a hard fork or massive changes based on where we are with grin today?

Dan: Ah, I see. Imagine in 15-20 years we... and I'm not saying that's the timeline... but imagine we solve the problem in that timeline. That gets us to the 30-year mark. That's the mark you should be shooting for. That's my estimate, with a grain of salt. Maybe on the internet, encryption deployment needs to happen soon. On blockchains, it's easier to deploy because of hard forks ((what?)). This is the time where you want to be moving aggressively to post-quantum signatures. Also, they might patent the scheme. ((boos))

TL: Please don't patent it. Let's talk about some cool ideas in post-quantum cryptography. Let's talk about post-quantum accumulators.

Dan: I guess this is the quantum section. There are lots of things we would like to do, that blockchain wants to use, that are non-standard internet crypto. It's more regular crypto. A Merkle tree is a kind of accumulator. You can add elements to the accumulator and efficiently prove membership. It turns out there are accumulators that have better properties than Merkle trees. Some of them have more efficient proofs too. These accumulators are based on groups of unknown order, like the RSA group that RSA uses. Today, it turns out that those are not quantum-secure. The algebraic accumulators we have are not quantum-secure. Merkle trees are quantum-secure, but the new accumulators are not. So how do we build post-quantum accumulators?

Dan: There's a new primitive specifically for consensus, called a verifiable delay function (VDF), which is a way for anyone to generate a puzzle. A puzzle appears, and it takes a certain amount of time to solve it, even if you have a parallel computer. A miner with more machines won't be able to speed it up. These VDFs are useful for consensus. These are built from groups of unknown order, and all the ones we have today are quantum-vulnerable. There are so many wonderful problems that we have available to work on. We're working on it. Hopefully we'll solve it in the coming years.

TL: Let's come back to proof-of-work in grin in a quantum world. Do quantum computers impact proof-of-work?

Dan: Right, so. Quantum computers could impact proof-of-work. There's an algorithm that gives a quadratic speedup for any search problem. If you want to solve a PoW puzzle with a difficulty of 2^70, classically it would take 2^70 hashes. Classically we throw a lot of computing power at that, and we solve it in 10 minutes.

Dan: We set up the Stanford Blockchain Center. If you have any crypto questions or want to work with us, please contact us. We set this up so that we can work with projects. I love how these questions are brought up. Every blockchain project I talk to, I find more problems to work on. One question that we had been asked, which is solved now... this was the Handshake project, and they had a problem with airdrops. They wanted to airdrop to all github developers. They have ssh keys, either RSA or ECDSA keys. Github makes those public keys public. So you have a community of several hundred thousand developers who have public keys, and you can just do airdrops to those public keys. So that's a cool idea. So the developers get the coins. But what they were worried about was that when a developer withdraws the funds, they wanted no stigma associated with that. How could you withdraw funds without revealing which developer was doing it? So that was a beautiful question. We have a solution to this; we call it private airdrops. This is being deployed in Handshake soon. The idea is that rather than airdrop to a public key, the airdrop is to a commitment to the public key. So you see a list of commitments, and when someone wants to withdraw the funds, they just prove knowledge of the private key without revealing the actual key used to withdraw funds. So we have a private airdrop system. The beauty of this is that Handshake is making all of this available to anyone, so that any project in the future wanting to do a private airdrop can use this same system. It's a cool way to do airdrops from now on.

TL: How long did it take you to do that solution?

Dan: Well, it was a couple of months.

TL: Great. So now there are private airdrops, that's great. So, you didn't create mimblewimble or grin. But if you were to create a new cryptocurrency, Dan, what would you put in it? Give us some features.

Dan: I'd put in signature aggregation (BLS signatures). Privacy with zero-knowledge. Bulletproofs for sure. And efficient consensus, without burning a lot of energy, like verifiable delay functions. There's not enough time, really.

Last edited Mon 28 Jan 2019 11:03:03 PST

Original link:
Contributor:
Twitter: @r8raq
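The hash-based signature class Dan describes first (Lamport signatures, and the size problem that comes with them) is illustrated by the following added example. It is not part of the talk, nor code from Grin, Handshake or any other project mentioned; the names (keygen, OneTimeSigner, verify, size_report) are this example's own. It implements a Lamport one-time signature over SHA-256, refuses to reuse a key, and reports the resulting sizes next to the 64-byte ECDSA figure quoted in the talk.

```python
# Added example (not from the talk or any project it mentions): a Lamport
# one-time signature over SHA-256, to make the "hash-based signatures are
# large" point concrete. All names here are this example's own.
import hashlib
import os

N = 256          # bits in a SHA-256 digest: one secret pair per message bit
HASH_LEN = 32    # bytes per SHA-256 output and per secret preimage


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Return (sk, pk). sk is 256 pairs of random 32-byte preimages; pk holds
    their SHA-256 images. Security rests only on SHA-256 preimage resistance,
    which is what makes the scheme a post-quantum candidate."""
    sk = [(os.urandom(HASH_LEN), os.urandom(HASH_LEN)) for _ in range(N)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant first; bit i selects which
    element of the i-th secret pair is revealed."""
    d = int.from_bytes(_h(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


class OneTimeSigner:
    """Holds a secret key and refuses to sign twice. Two signatures under one
    key reveal both preimages at every bit position where the two digests
    differ, which is the material an attacker needs to start forging."""

    def __init__(self, sk):
        self._sk = sk
        self._used = False

    def sign(self, msg: bytes) -> bytes:
        if self._used:
            raise RuntimeError("Lamport key already used; a second signature leaks the key")
        self._used = True
        # The signature is the 256 selected preimages, concatenated: 8192 bytes.
        return b"".join(self._sk[i][bit] for i, bit in enumerate(_digest_bits(msg)))


def verify(pk, msg: bytes, sig: bytes) -> bool:
    """Hash each revealed preimage and compare it with the pk entry that the
    corresponding message bit selects."""
    if len(sig) != N * HASH_LEN:
        return False
    for i, bit in enumerate(_digest_bits(msg)):
        chunk = sig[i * HASH_LEN:(i + 1) * HASH_LEN]
        if _h(chunk) != pk[i][bit]:
            return False
    return True


def serialize_pk(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


def size_report() -> dict:
    """Byte sizes of one Lamport signature and public key next to the
    64-byte ECDSA figure quoted in the talk."""
    return {"lamport_sig": N * HASH_LEN,       # 8192
            "lamport_pk": 2 * N * HASH_LEN,    # 16384
            "ecdsa_sig": 64}


if __name__ == "__main__":
    sk, pk = keygen()
    signer = OneTimeSigner(sk)
    msg = b"constructed sample message"  # constructed input for the demo
    sig = signer.sign(msg)
    print("valid:", verify(pk, msg, sig), "sizes:", size_report())
```

Even this bare one-time scheme on a 256-bit digest produces an 8 KB signature and a 16 KB public key, against 64 bytes for ECDSA. Many-time hash-based schemes such as SPHINCS make a key reusable by combining many one-time or few-time keys under a hash tree, and that extra structure is what pushes their signatures into the tens of kilobytes that the talk calls too large for a blockchain. The OneTimeSigner guard matters in practice: a Lamport key that signs a second message is no longer secure, so any deployment has to track key usage as state.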