密码学基础：多方计算

欢迎收听《零知识》，这是一档探索区块链技术和去中心化网络最新进展的播客节目。

Welcome to Zero Knowledge, a podcast where we explore the latest in blockchain technology and the decentralized web.

本节目由我安娜主持。

The show is hosted by me, Anna.

还有我弗雷德里克。

And me, Frederic.

在本期节目中，我们将尝试介绍多方计算技术。

In this episode, we try to introduce multi party computations.

我们会从基础知识讲起，为后续节目内容打下基础。

We start at the basics and try to lay a foundation for episodes to come.

在开始之前，我们要感谢本周的赞助商Aragon。

Before we start, we wanna say thank you to this week's sponsor, Aragon.

如果你想结识一些致力于去中心化治理和Web3开发的最杰出人才，那么你一定要关注即将于一月在柏林举行的首届Aragon社区大会Aricon。

If you're looking to connect with some of the brightest minds working on decentralized governance and web three development, then you should check out Aricon, the first Eragon community conference happening on January in Berlin.

届时将有关于开源可持续性模式、受压迫社会中的人道主义技术，以及DAO创始人亲自回顾DAO发展历程等重磅议题的演讲与讨论。

Enjoy presentations and discussions on important topics like open source sustainability models, humanist technology in oppressed societies, and a retrospective on the DAO by the creator himself.

您可以在eracon.one上了解更多会议信息并报名参加。

You can learn more about the conference and sign up to attend at eracon.one.

网址是aracon.one。

That's aracon.one.

柏林见。

See you in Berlin.

最后一件事，如果想联系我们或支持本播客，请查看节目说明中的链接。

One last thing, if you wanna connect with us or if you want to support this podcast, please check out the links in our show notes.

现在请收听我们关于MPC的节目。

And now here's our episode on MPCs.

嗨，Fredrik。

Hi, Fredrik.

你好。

Hello.

今天我们要讨论多方计算（MPC）。

Today, we're gonna be talking about multiparty computation or MPCs.

我认为这个话题出现的频率已经足够高，值得进行一次深入的探讨和真正的介绍。

This is a topic that I think has come up enough times that it seems really worth it to do a deep dive and a real introduction.

就我个人而言，感觉我们在之前的节目里已经多次提到它了。

Personally, I feel like we've heard about it a lot in previous episodes.

尽管我对MPC有个大致的概念，但直到现在才有机会深入探讨。

And even though I have a I've had a rough idea of what an NPC is, I haven't really had a chance up until now to dive in.

值得注意的是，MPC是一个极其广泛的课题，横跨多种不同技术和密码学、数学等不同领域，我们显然连其中一小部分都无法涵盖。

I think it's worth noting as well that NPC is such a huge broad topic that that spans, like, several different technologies and different, like, areas of cryptography and math and everything that we obviously can't cover even a fraction of it here.

但我想我们的目标至少是给出一个概念，从一些基础知识开始，或许能为未来的访谈打下基础。

But I think the goal is to at least give an idea, start with some of the fundamentals, and then maybe we can lay some groundwork for future interviews.

那么作为开场，或许我们应该先定义什么是MPC。

So I think maybe to start off, we should define what an MPC is.

我这里有几个定义。

I have a few definitions here.

其中有几个我很喜欢。

There's a couple I like.

多方计算（MPC）是一种密码学协议，它使得一组可能互不信任的参与者能够利用各自的秘密输入共同计算程序并生成新函数。

A multiparty computation, an MPC, is a cryptographic protocol that would allow a group of actors that may or may not trust each other to compute a program and generate a new function using their own secret inputs.

在这种设置中，每个参与者都持有秘密数据，且无法从所获信息中推断出其他人的数据。

In this setup, each actor would have secret data, and each could not infer the data of others, from anything that they're getting.

因此所有参与者的数据对其他成员都是保密的。

So everybody's data is secret from the other people in it.

当人们讨论MPC或在视频中展示时，经常会看到多台计算机围成一圈，每台代表一个参与者。

When people talk about NPCs, when they present them in videos or what have you, often you'll see computers in a circle, each one of them representing actors.

基本上，他们要做的是向这个NPC贡献一些东西，从而产生一个输出。

And, basically, what they're doing is they're going to be contributing something to this NPC that would result in an output.

这些输入彼此之间是完全保密的。

The inputs would be completely secret for one another.

输出可以共享，通常也是共享的。

The output could be shared, often is shared.

我认为我们过去讨论过这个话题，举个具体的例子，就像ZK SNARK场景中所谓的可信设置或有毒废物问题，或者当我们讨论随机信标时，那实际上是一个多方计算来生成随机值的过程。

And I think where we've seen this covered in the past and where we've talked about it before, just to give a concrete example off the bat, is like in the ZK SNARK scenario where you have this quote unquote trusted setup or toxic waste thing, or when we talk about random beacons, that's a multi party computation to produce a random value.

所以在区块链世界中，多方计算经常出现在不同场景中，它们可能被称为NPC也可能不这么叫，但像Zcash仪式、Powers of Tau就是多方计算的另一个例子。

So it comes up a lot in the blockchain world in different scenarios, they may or may not be called NPCs, but something like the Zcash ceremony, Powers of Tau is another example of a multiparty computation.

是的，我想回到我们为什么要讨论这个话题的原因。

So, yeah, I think going back to the reason why we wanted to cover this.

如前所述，这在我们之前的播客中已经多次提到过。

As mentioned, it's come up a number of times in previous podcast.

它被提及过。

It gets mentioned.

我们做这期节目的初衷是真正深入基础，通过一些例子让听众仅通过播客描述就能理解这个概念。

Our thinking with this episode is to really go into the basics, to look at examples where you, our listeners, can hopefully even understand it from just us describing it on a podcast.

和所有话题一样，我个人喜欢探究一些历史背景，试着梳理出这些技术出现的时间脉络。

Like always, with any of these topic, I personally like to look a little bit into the history, try to frame it like when this happened.

安全计算最初构想于1982年，当时是安全两方计算。

So secure computation originally was devised in 1982, and this was a secure two party computation.

这是由姚期智提出的。

And this was introduced by Andrew Yao.

但我们现在所知的MPC，最初是由Goldreich、Macaulay和Wigerson提出的。

But MPCs as we know it, the first initiation was done by Goldreich, Macaulay, Wigerson.

这很有趣。

It's funny.

Macaulay这个名字在这些讨论中经常出现。

Macaulay comes up a lot in a lot of these talks.

这是他们首次将首次将这种多方参与的概念引入。

So this was the first time that they started to add this, like, multiparty aspect to it.

这些工作都是在1980年代末到90年代完成的。

This was all done, I believe, in the nineties, '8 like, late eighties and and the nineties.

但首次大规模应用是在2008年1月的丹麦。

But the first time that you actually had it applied in a large scale was in Denmark in January 2008.

当时与甜菜农场主有关，他们实际上在市场上出售产品，并能够使用MPC来创建这种拍卖所需的隐私。

It had to do with sugar beet farmers where they were actually selling their wares in a market, and they were able to use NPCs to, basically create this privacy that one would need in such an auction.

这确实是其中一个用例场景，比如在拍卖中你不想透露自己的出价，但又希望能揭示最高出价等信息。

And that is indeed one of the types of use cases here where, let's say you have an auction and you don't want to reveal your bids, but you want to be able to reveal what the highest bid is or something like that.

这样你就可以进行安全的多方计算，在不透露各自具体数值的情况下，共同找出最大值。

And then you can have a secure multi party computation where the computation is find the highest number and each individual doesn't have to actually reveal what their bit is.

让我们回到MPC的定义，深入探讨一些MPC的基础构件。

So let's go back to this definition of MPCs and get into some of the building blocks of MPCs.

谈到基础NPC时，本质上就是在讨论多项式的组合。

When you talk about basic NPCs, you're definitely talking about a combination of polynomials.

这很有趣，对任何计算机科学背景、学过数学并经常接触数学的人来说，提到多项式都会会心一笑。

And it's funny, like, to anyone who is in computer science and has studied maths and works with math a lot, polynomials, you'll just be like, yeah, polynomial.

很酷。

That's cool.

但作为一个高中和大学学过一点数学，却很久没接触数学的人，我其实不得不重新复习多项式知识。

But as somebody who studied math in high school, little bit in university, and has not really looked that much at math for a while, I actually had to go check out polynomials.

当我查看时，我才恍然大悟。

When I looked at it, I was like, oh, wait.

原来我们都懂多项式。

This is so we've all we all know polynomials.

它们基本上是这样的：如果你见过像5加3x加x平方再加x立方这样的函数，那就是多项式。

They're basically something like if you've ever seen a function with, like, five plus three x plus x squared plus something x cubed, that's a polynomial.

在高中时，你可能做过多项式相加、相减之类的运算。

And in high school, you very likely done things like added polynomials together, subtracted polynomials.

你可能还做过一些插值计算，就是找出曲线上的一些点，然后通过这些点推导出函数表达式。

You've maybe even done a little bit of interpolation, so finding points along a a curve and then figuring out what the function is from that.

这些函数实际上确实构成了MPC（安全多方计算）的基础，至少就我们所知的基本MPC是这样。

And these these functions actually do make up the basis of MPCs, at least the basic MPCs as far as we can tell.

某种类型的NPC（非玩家角色），是的。

Of a type of NPC, yes.

对。

Yeah.

那我们来聊聊如何用基本多项式实现秘密共享，以及它的工作原理。

So let's talk a little bit about how to do secret sharing with just basic polynomials and sort of how that works.

我觉得想象一个图表会很有帮助，就像面前有一张空白的坐标纸。

I think it's useful to visualize a graph, like a graph paper blank slate in front of you.

如果图上有一个点，那么有无限多条直线可以穿过这个点。

If you have one dot on this graph, then there are infinite number of lines that can go through this dots.

但如果图上有两个点，那么只有一条直线能同时穿过这两点。

But if you have two points on a graph, then there's only one straight line that can go through both.

我想这是基本直觉，任何人都能轻松在脑海中想象出来，我希望如此。

I think this is basic intuition and anyone can sort of easily visualize this in their head, I hope.

所以如果你想表示有一个函数f(x)，这是一条直线，比如某个数加x或乘x，如果你说数字6是我的秘密，你就取一个满足f(0)=6的函数，然后创建一条比如6减x的直线，它会经过f(0)=6和另一个点。

So if you wanted to then say you have a function f of x, this is a straight line, so it's something plus x or something times x, and if you said I have the number six, this is my secret, you take a function such that f of zero equals six, and then you create a line such as six minus x that would go through f of zero equals six and some other point.

如果你想分享这个秘密，并且只有将两部分信息合在一起才能重建秘密，你可以在这个函数6-x的图像上任取两点，将其中一点给爱丽丝，另一点给鲍勃。

And then if you wanted to share this secret where it can only be constructed by bringing two things together, you take any two points on this graph, on this function six minus x, and you give one point to Alice and one point to Bob.

现在爱丽丝无法重建秘密，因为她只有一个点，而通过这个点有无限多条直线。

Now Alice can't reconstruct the secret because she only has one point and there are an infinite number of lines that go through this point.

鲍勃也无法重建秘密，因为他同样只有一个点，但如果两人联手合作，他们就能重建秘密，因为他们各自都持有一部分秘密信息。

Bob can't reconstruct the secret because he also only has one point, but if both of them go together and join forces, they can reconstruct the secret because they both have the share of this secret.

所以本质上，他们是将秘密分解成了两个点或两份份额。

So basically, they're breaking up the secret into two points or two shares.

所以这是一个非常简单的模型，基本直观理解，它将秘密分成两份，需要两份才能重构秘密。

So this is a very simple model, basic intuition, it breaks it up into two shares and both shares are needed to reconstruct the secrets.

但如果我们想要更多份额，或者想要一个M选N系统，即需要M个总份额中的N个来重构秘密，那么我们就需要扩展这个模型。

But if we want more shares or if we want sort of an N of M system where it's N number of shares that is needed out of the M total to reconstruct the secret, then we have to expand on this.

第一个明显的扩展就是我们可以采用更高次的多项式。

So the first obvious expansion is that we can go to higher degree polynomials.

我刚才说的是一次多项式，只有X项。

So what I said was a first degree polynomial, there's only X.

如果采用X平方项，那么你可以在图上取三个点。

If you go to X squared, then you can have three points on this graph.

如果采用X立方项，那么你可以在图上取四个点。

If you go to x cubed, then you can have four points on this graph.

而且我认为不是'可以有'，而是'实际上需要'。

And I don't even think it's you can have, you actually will need.

是的。

Yeah.

每提升一个级别，你都需要增加额外的数据点才能真正重建这个函数。

Every time you go up a level, you're gonna have to add extra data points in order to actually recreate this function.

确实如此。

Indeed.

因此你可以选择想要的次数和想要分割的份额数量，对于k次多项式你总是需要超过k个份额，但你可以运用各种技巧。

And so you can sort of choose the degree that you want and the number of shares you wanna split up, and, you will always need more than k shares in a k degree polynomial, but you can apply various tricks.

如果你想实现m中取n的系统，可以将部分份额完全公开给所有人，然后相应地进行分配。

So if you want an n of m system, you can make some of the shares completely public to everyone and then distribute them accordingly.

不过，这些都属于不太重要的细节。

But, you know, these are less important details.

那么为了更深入理解，我们可以用其他视频和NPC描述中见过的例子来说明。

So maybe to go a little deeper into this, we can use an example that we've seen in other videos and and descriptions of NPCs.

这里的理念是你可以创建一个投票系统，个人可以提交投票，最终的总票数会被计算出来，但不会向其他投票者透露任何个人投票情况。

The idea here is that you could actually create a voting system where individuals could submit a vote and the outcome, the total tally would be calculated, but no individual vote would be revealed to other individuals voting.

我认为我们要描述的例子中有三个参与者。

And the example that I think we're gonna describe has three actors.

我们要给他们起名字吗？

Should we give them names?

当然。

Sure.

爱丽丝、鲍勃，还有卡尔或卡罗尔。

Alice, Bob, and Carl or Carol.

在这个例子中，我们有三个个体。

So in this example, you have the three individuals.

每个参与者实际上会有自己的多项式函数。

Each of these actors will have their own polynomial function, actually.

他们会有一个代表投票结果的f(0)值，以及一个通过该点的函数。

So they'll have a f of zero that represents their vote and a function going through it.

这些函数彼此之间可以完全不同。

And those functions can be totally different from one another.

但当你把这些函数结合起来时，实际上就得到了代表计票结果的函数。

But when you combine those functions, you actually get a function that represents the tally.

也许我们应该更深入地探讨一下这个问题。

So maybe we should go a little bit deeper into that.

是的，他们都有自己独特的多项式。

So, yeah, they all have their own unique polynomial.

F(0)基本上代表他们的投票，为简化可以设为0或1表示反对或赞成。

F of zero is basically their votes, which we can say for simplicity is zero or one for a yes or a no.

在统计这些投票时，我们把所有多项式相加。

When it comes to sort of tallying up these votes, we add all of their polynomials together.

因此结果多项式的F(0)显然就是各方多项式F(0)的总和。

So f of zero of the resulting polynomial will obviously be the addition of f of zero of all of the party's polynomials.

这样就能非常简单地得出统计结果。

So it will very simply be the tally of it.

但如何在其他点上构建这个相加的多项式，同时不暴露每个人的独立多项式呢？

But how do you construct this added polynomial in the other points without revealing each individual's polynomial?

事实证明，通过揭示多项式上的某个点，他们可以透露一些关于其多项式的信息，但不会暴露全部内容。

Well, it turns out that by revealing a point on that polynomial, they can reveal some information about their polynomial, but not the entire thing.

所以爱丽丝揭示f(1)，鲍勃揭示f(2)，卡罗尔揭示f(3)。

So Alice reveals f of one, Bob reveals f of two, and Carol reveals f of three.

这样我们就可以通过拉格朗日插值法求出结果多项式，然后利用该多项式计算f(0)得出最终投票结果或票数统计。

And so we can then do Lagrange interpolation to find out a resulting polynomial, and then we, with that polynomial, can calculate f(zero) and get the resulting votes or the resulting tally of the votes.

这个例子有趣的地方在于你其实做了几个假设。

So what's interesting in this example is you're kind of making a few assumptions here.

你假设人们在投票时真的会说0或1。

You're assuming that people will actually say zero or one in terms of a vote.

而且由于你是按顺序操作的，你还假设最后报告的那个人会是诚实的。

And you're also assuming that the because you're kind of doing this sequentially, you're assuming that the person who's kind of reporting last would be honest.

这些因素完全没有被这个构建方案考虑进去。

Those are things that are not in any way taken into account by the construction of this.

所以这算是个缺陷，你不会想在大规模投票中使用这种方法。

So that's a bit of, like, a flaw in this in that you wouldn't wanna do this for voting in a mass skill.

但如果你有三个半可信的朋友，又不想向他们透露你的投票，这个方法可能适用。

But if you have, like, three semi trusted friends and yet you don't wanna reveal your vote to them, this might work.

是的。

Yeah.

所以所有这些都不是我日常处理的事情，也不是我特别热衷或非常了解的领域，但我能理解如何从这些基础发展到更先进的系统，因为你刚才提到的这些问题。

So all of this is kind of not something that I deal with on a regular basis and not something that I'm super into or like know a ton about, but I can see how it goes from this to a more advanced system because of these things that you were just talking about.

首先，这里有一个诚实多数的假设，即大多数人行为诚实，或者你可以某种程度上作弊并揭露其他人的行为。

First of all, there's an honest majority assumption here in that most people behave honestly or you can sort of cheat and reveal what other people are doing.

还有你提到的最后一人问题，当轮到最后一个参与者时，他们可以利用其他人揭露的信息，要么诚实地揭露自己的信息，要么改变投票来影响结果，这样轮到他们时，他们揭露的内容可能并非最初打算的。

There's the last man problem that you were talking about where when it comes to the last person, they can take the other people's revealed information and either reveal their information honestly or they can change their votes to affect the outcome such that, you know, they then when it comes to them, they reveal something that they hadn't originally intended on revealing.

当然，在这样一个简单的基于数学的系统中，我们规定f(0)应该是0或1，但我可以构造一个函数让f(0)等于-12，从而彻底搞砸整个系统。

And then, of course, like in a simple math based system like this, we say that it is the rule of the system that f of zero should be zero one, but I can make a function such that f of zero is negative 12, and I messed up the entire thing.

而且其他人无法证明这一点。嗯。

And there's nothing that anyone can do to prove that Mhmm.

我把整个事情搞砸了。

I messed up the entire thing.

显然这个系统存在大量缺陷或问题，这显然是因为它过于简单了。

So there's obviously a ton of downsides or a ton of, like, flaws in this system, and obviously it's because it's so simplistic.

但我真正希望在未来的节目中做的，是与更了解这方面的人深入探讨如何解决这些缺陷。

But what I would really like to do in future episodes is dig in with people that know more about this on how you address these flaws.

我在想，我有点想回到我们刚才举的例子，因为就像你之前说的弗雷德里克，这个图表有y轴和x轴，上面有一个点。

I wonder I kinda wanna go back a little bit to the to the example we just gave because I think, like, as you were saying earlier, Fredrik, with this graph, so you have, a y axis and an x axis, you have a dot.

在第一个例子中，你有一个点或两个点，这种情况下实际线条通常不是直线。

In that first example where you had a dot or two dots, In this case, what the line actually looks like it's not a straight line often.

每个单独的函数会有几个点沿着曲线分布，无论它穿过y轴的位置是零还是一，实际上反映了他们的秘密。

It'll be something like each individual function will have a few dots along a curved line, and wherever it's passing through the y axis, if it's passing at zero or it's passing at one, that actually reflects their secret.

这个f(0)实际上定义了他们对这个系统的贡献程度。

It's that f of zero which actually defines what they have contributed to this.

每个函数都应该在y轴上某处穿过，这代表了他们投票的最终位置。

And each of them should be crossing through the y axis somewhere, which represents where their vote would land.

而更大的函数无论在哪里穿过y轴，那就是最终的计票结果。

And then the larger function, wherever it crosses through the y axis, that is the tally.

所以我们刚才举的例子，我们讨论的是一个二阶多项式。

So that example that we just gave, we're talking about a polynomial with order two.

一个例子可能是3加1x加4x平方。

An example could be three plus one x plus four x squared.

随着阶数的增加，你会进入x立方，x四次方。

As you increase the order, you will go into x cubed, you'll go into x to the four.

计算的复杂度也会随之增加。

The complexity of the calculations will also increase.

而更高级别的NPC对这些多项式所做的将不仅仅是相加。

And higher level NPCs will be doing more to these polynomials than simply adding them.

是的。

Yeah.

即使是这么简单的事情，做乘法运算也要困难得多，你必须修改系统才能实现。

Even with this simple thing, doing multiplication is significantly more difficult and you have to modify the system to be able to do that.

所以在介绍更多简单系统的例子之前，我想说的是，我强烈建议大家查看节目说明中解释简单系统的视频，然后去编写代码，因为它非常简单易行，一两个小时就能完成。

So before we cover maybe some more just examples of the simple system, what I would say is I highly encourage people to check out the videos in the show notes that sort of explains the simple system, and then go and code it up because it's so simple and easy, and you can easily do this in an hour or two.

通过实际操作，我认为你会对这种东西在最基本层面上的工作原理有很好的理解，并培养出对这些系统如何运作的直觉，这可能在未来带来更有用的东西。

And just working with this practically, I think you will get a great sense of how this stuff actually works at a very basic fundamental level and give you an intuition of how these systems work that might then lead to something more useful down the line.

我看到的另一个例子是关于投票的，正如提到的，我们面临的一个问题是缺乏对输入值为1或0的约束。

So another example that I did see was so the voting one, as mentioned, one of the issues we have is like there's no constraints over whether it's one or zero.

我们某种程度上信任参与者会输入1或0，但他们可能会搞砸并输入负五这样的数值。

We're sort of trusting that the participants put in one or zero, but they could screw that up and put, like, minus five.

但我们可以考虑的另一个例子是分摊账单的场景。

But another example which we could look at would be contributions to a bill.

假设你和一些密码学家朋友围坐在桌旁——我们都有这样的朋友，确实如此。

So say you're sitting at a table with some cryptographer friends, cause we all have those, and, we do, actually.

你们想要支付账单。

And you want to pay the bill.

每个人都想贡献一些金额（也可能不贡献），但你们不想透露各自的具体出资额。

And everyone wants to contribute something or maybe nothing, but you don't wanna reveal what each of you is contributing.

你们只需要确认总金额达到了支付账单所需的数目。

You just wanna know that you've reached the the sum that you need to in order to pay this bill.

这可以成为另一个应用案例，实际上会使用非常类似的设置，但这里处理的是你们的出资额。

So this could be another example where you actually, would use a very similar setup, but there, your contribution.

它并不只限于1或0之间。

It wouldn't only need to be between one or zero.

我想这也是某种延伸出来的问题。

I guess and this this is something also that sort of goes out.

在我们讨论这个的时候，我认为在大多数更高级的NPC中，你必须建立某种约束系统，这样你就不能超过某个限制，或者你必须始终有一个f(0)落在预期值上。

As as we're talking about this, I guess that you have to somehow in most of the more, like, advanced NPCs create a constraint system so that you aren't able to go over a certain limit or you have to always have an f of zero that lands on something that's expected.

我非常好奇那实际上会是什么样子。

I'm very curious what that would actually look like.

是啊。

Yeah.

我也是。

Likewise.

PS，这是真正的零知识环节。

PS, this is a true Zero Knowledge episode.

我感觉我们真的...真的...真的在践行我们的名字。

I feel like we really we really we really, like, living our living our name right here.

我也想去更多可以完全不用贡献的晚餐聚会。

I also wanna go to more dinners where I'm allowed to contribute nothing.

天啊。

Oh god.

好吧。

Alright.

然后我认为我们在这个节目中讨论过的最相关的MPC例子，也是这集早些时候提到的，就是ZK Snarks和可信设置。

And then I think the most the most relevant example of an MPC that we have definitely talked about on this show, and we kinda mentioned earlier in this episode, that is ZK Snarks and the trusted setups.

正如前面提到的，我们给出的例子极其简单。

So the example that we gave as mentioned is extremely simple.

可信设置具有与我们刚才描述的NPC不同的特性。

The trusted setups have different characteristics than the NPC that we just described.

例如，我们刚才描述的NPC，实际上需要一个诚实多数。

For example, the NPC we just described, you need to actually have an honest majority.

而如果你看CK SNARKS中的可信设置，那些就是NPC。

Whereas if you look at trusted setups in CK SNARKS, those are NPCs.

它们是NPC的一种形式。

They're a form of an NPC.

但在这些多方计算中，大多数参与者可能是恶意的，可能会行为不当。

But in those multiparty computations, the majority of actors could be malicious, could act incorrectly.

但只要有一个诚实参与者正确贡献了他们的秘密值，结果就仍然是正确的。

But if one honest participant contributes their secret value correctly, then the outcome is still correct.

在我们超级简单的例子中，有毒废物就是你的多项式。

Toxic waste in our super simple example is your polynomial.

就像在这个系统中，确实存在一种诚实多数的情况。

Like in this system, yeah, there's an honest majority type of thing.

比如说，这与Powers of TAL中的约束类型相同，即系统运行至少需要一名诚实玩家。

Let's say that it is the same type of constraint that is in the Powers of TAL, for instance, where at least one honest player is needed for the system to work.

其多项式等价形式就是至少有一人在贡献完他们的公开值后丢弃多项式。

The polynomial equivalent of that would be that at least one person after contributing their public value throws away the polynomial.

基本上，他们构建这个多项式，向公众提供他们的f(1)函数，然后删除整个多项式，这样就没有人能重新构建它。

So basically, they construct this polynomial, provide their f of one function to the public, and then deletes their entire polynomial so that no one can re reconstruct it.

然后你贡献了公共部分并删除了私有部分，而私有部分就是有毒废物。

And then you've contributed your public part and deleted your private part, and the private part is the toxic waste.

所以在幂次τ设置中，如果有人收集了所有秘密多项式，他们就能重建zk-SNARK参数并创建这种能验证相同结果的伪造SNARK。

So in in a powers of tau setup, if someone collects all of the secret polynomials, then they can reconstruct the the z k SNARK parameters and and create this sort of fake SNARK that validates to the same thing.

我一直对这点挺好奇的。

I've been kind of curious about that.

我们是将有毒废物视为每个单独的秘密还是组合起来的秘密？

Do we do we read toxic waste as each individual secret or as the combined secrets?

我猜每个都带点放射性。

I guess each one is slightly radioactive.

对。

Yeah.

没错。

Yeah.

正是如此。

Exactly.

我是说，我认为Zuko提到过有毒废物的组成部分，而所谓有毒废物就是指当所有这些组成部分聚集在一起时形成的。

I mean, it's components I think Zuko said the components of the of the toxic waste, and that the toxic waste is if they are if all the components come together to create it.

但是，是的。

But Yeah.

它们都多少有点毒性，所以这就是为什么你要销毁它。

They are all kind of toxic a little bit, so, like, that's why you wanna delete it.

我最近参加了一个研讨会，我们实际上正在演练可信设置的步骤，有人确实提出过，在一个可信设置中，如果有少数成员可能不会丢弃那个秘密，他们不会销毁自己的多项式或其他什么，那安全性就会降低。

I was in a workshop recently where, we were actually going through the steps of a trusted setup, and someone did make the statement that if there were, you know, in a trusted setup, a few members that likely wouldn't get rid of that secret, they wouldn't destroy their polynomial or or what have you, that it would be less secure.

但这并不完全正确。

But that's not really true.

并不是说安全性降低了。

It's not that it's less secure.

安全性是一样的，因为有一两个恶意行为者并不影响整体。

It's as secure because it doesn't matter if there's one or two malicious actors.

确实如此。

Indeed.

是的。

Yeah.

据我理解，唯一的风险是所有人都在共谋。

The only risk as I've understood it is if everyone's colluding.

这意味着，如果你有一个较小的群体，比如三个彼此认识的人，他们共谋的可能性可能比散布在世界各地、驱车进入森林的100人群体要高。

And that means, like, if you have a smaller group, say you have three people who know each other, the likelihood of them colluding is probably higher than, like, a 100 people who are scattered around the world and driving into the woods.

而且确实。

And Yeah.

我的意思是，这确实是概率性的，就像安全论证所说的那样，如果有些人保留着他们的秘密，那么更有可能所有人都在保留自己的秘密。

I mean, it it is probabilistic, like, security argument of if some people are keeping their secrets around, it is more likely that everyone is keeping their secrets around.

但只有当确实所有人都保留了秘密时，这才构成安全风险。

But it's only a security risk if indeed everyone kept them around.

当你深入探讨这些话题时，当你谈到NPC时，它们经常与其他加密概念结合或比较。

When you dive into these topics, when you talk about NPCs, they are often combined with or compared to some other encryption ideas.

其中之一是完全同态...让我想想能不能说清楚这个。

So one of these is fully homo let me see if I can say this.

等一下。

Hold on.

全同态加密。

Fully homomorphic encryption.

我觉得每个人都会在这个词上磕磕绊绊。

I feel like everyone stumbles over that.

就是，全同态加密。

Like, fully homomorphic encryption.

对。

Yes.

全同态加密，简称FHE。

Full fully homomorphic encryption, f h e for short.

这个经常要么是...

That is often either yeah.

它经常要么与多方计算配合使用，要么被拿来比较。

It's often used either in tandem with an MPC or compared to.

你想不想快速解释一下你对FHE（全同态加密）的理解？

So do you wanna do a quick, maybe high level explanation of how you understand f eight fully homomorphic encryption?

好的。

Yeah.

没问题。

Sure.

全同态加密是指你可以加密某些内容，同时仍保留对其的功能操作域。

So, fully homomorphic encryption is where you can encrypt something, but you still retain a domain of functionality over it.

我们还是用一个简单的加法例子来说明。

So, let's stick with a simple example of addition again.

假设有数字和加法运算。

You have numbers and you have addition.

你想加密数字6然后发送给别人。

So, you want to encrypt the number six and then send that out to people.

然后有人想对这个数字进行加法操作，但他们不知道原始数字是多少。

Then someone wants to add something to this number, but they don't know what the number what the original number is.

所以我想给这个数字六加上四，但我不知道它实际上是六，或者说，我不被允许知道它是六。

So I wanna add four to this number six, but I don't know that it's a or, like, I'm not allowed to know that it's a six.

于是我拿到加密后的文本，然后我给加密文本加上四，得到另一个加密文本。

So I get the encrypted text, and then I add four to the encrypted text and get another encrypted text.

然后我把它发回去，最初加密六的人可以解密得到十。

Then I send that back, and the person who originally encrypted the six can decrypt 10.

所以他们知道有人加了四，但

So they know that a four was added, but

你并不知道。

You do not.

那个加四的人并不知道他们是给六加的。

The person who added four don't know that they added it to a six.

哦，哇。

Oh, wow.

所以你可以在这里构建一个类似的投票系统，最初的人发出一个零，每个人都加一然后继续传递下去。

And so you could you could construct a similar voting system here where the original person sends out a zero, everyone adds one to it and keeps sending it along down the chain, and then when it gets back to the originator, they're the only one that can actually decrypt this, so they're the only one that can see the tally, and when they decrypt it, they see how many people added one to it.

而每个个体都不会知道其他人做了什么

Whereas each individual wouldn't have known what others

对。

Yeah.

他们看不到前面的操作，而且当信息传递时，他们无法知道实际的计票结果。

They can't see what came before them and, like, when sent around, they can't see what the actual tally is.

就你举的例子而言，我立刻看到的区别是：至少在我们研究过的许多NPC构建中，最终输出实际上是参与者已知的，或者被用于某些用途，某种程度上是公开的。

Just in the example you gave, the difference here that I can already see is that at least with a lot of the NPC constructions that we've looked at, the resulting output is actually you it is known by the participant or it's used for something and it's somewhat public.

没错。

Yeah.

在这种情况下，你说的是人们——我猜他们可能仍在秘密使用某些东西——但他们只是往黑箱里添加内容，而这个操作的结果是完全未知的。

In this case, what you're talking about is people having they I guess they could still be using something in secret, but they're just adding something into a black box, and the outcome of that is completely unknown.

是的。

Yeah.

而且你可以把这个扩展到相当大的应用领域。

And you can extend this to quite a large domain of stuff.

这就是全同态加密所谓的问题所在——你扩展的领域越大，实现起来就越困难。

And so that's where the problem, quote unquote, of FHE is, is that the greater you expand this domain, the more difficult it becomes to do it.

要知道，NewCypher在某些领域加速全同态加密方面做了很棒的工作。

So know, NewCypher has been doing some great work speeding up fully homomorphic encryption for some domain and what they're doing.

但理论上，你可以设想：如果想在不暴露视频内容的情况下进行视频压缩，你可以先加密视频，发送出去，然后对这段你完全无法解密的密文进行视频压缩。

But I mean, in principle, you could envision if you wanted to do, like, video compression without revealing what the video is, you encrypt the video, send this out, and then do video compression on this encrypted text that you have no idea how to decipher.

接着让数据通过完整的压缩算法处理后，最终会生成另一段加密视频——当原始发送者收到后，可以解密得到实际转码后的视频。

And then you run that through your entire compression algorithm, and out at the end comes another encrypted video that when the originator gets it back, they can decrypt it and have a an actually transcoded video.

目前要在全同态领域实现转码可能还不可能，但现在能做的肯定远不止加减乘除——虽然那是最简单的例子。

Transcoding something in a fully homomorphic domain is probably impossible right now, but you can do certainly much more than addition and multiplication these days, but that's the simplest example.

我觉得人们经常把全同态加密当作一种选择来讨论，但深入研究后，大家都会承认这项研究还不成熟。

I think you often hear people talk about fully homomorphic encryption as an option, but when we dig into it, I think everybody will admit that it's just not there in terms of the research.

是的。

Yeah.

我认为它现在的状态类似于三年前我们和Starkware讨论时的零知识证明技术——当时做简单操作都需要几百G内存，而如今这已不成问题。

I would say that it's it feels like a similar state to the to the Starks were, like when we talked to Starkware, you know, just three years ago, doing simple stuff required hundreds of gigs of RAM and we can do that today without a problem.

同样地，我不知道全神经形态加密是否属于研究难题，还是说仍需要某些创新才能真正突破这些界限，亦或这只是一个实现问题，只是目前还没有人真正投入精力去开发一个高速高效的版本。

Similarly, I don't know with fully neuromorphic encryption if it's like a research problem or if there's like some innovation still necessary to actually like break through some of these boundaries, or if it's an implementation problem and no one has really put in the effort to make a really fast and performant version.

所以，我们并不真正清楚这些界限在哪里，也不清楚目前我们能做什么，什么是超出能力范围的。

So, don't really know where the boundaries there lie and what can we do today, what is too much.

再次强调，我们应该邀请NewCypher来聊聊他们在这个领域的工作成果，据我所知他们通过优化实现已经将某些操作速度提升了10倍。

Again, we should have NewCypher on to talk about what their work has been done on that field because they've sped up some things like 10x, but just through implementation as far as I understand.

但你知道，目前这些成果是否具有实际应用价值，或者说他们是否还需要再提升10倍甚至100倍才能真正实用，我确实不太确定。

But you know, whether or not that's practically useful and applicable yet or if they need another 10 x or a 100 x before it actually is, I don't really know.

现在另一个你经常听到与MPC相关或被拿来与MPC比较的术语是TEE。

Now one other term that you often hear used in relation to MPCs or compared to MPCs are TEEs.

这代表可信执行环境。

This stands for trusted execution environments.

我认为这种比较出现是因为它能保证某些数据的完整性和机密性，但这显然看起来是个非常不同的概念。

So I think the comparison comes because it can guarantee, like, the integrity and confidentiality of some data, but this definitely seems like a very different concept.

这种情况下，你谈论的是硬件中可以进行计算的受保护区域，但我没看到它使用了我们刚才讨论的任何相同概念或多项式概念，然而却经常被拿来比较。

In this case, you're talking about a secure place in the hardware where computation can be done, but I don't see it using any of the same concepts or, like, polynomial concepts that we've just been talking about, and yet it's often compared.

是的。

Yeah.

我认为它们截然不同，但很多人对硬件制造商在此方面的信任度很高，这点我觉得值得商榷。

I would say it's very different, but, a lot of people trust the hardware manufacturers a lot here, which I find questionable.

这个TEE就像苹果的安全隔离区，现在几乎每部iPhone都配备了。

So this TEE is like Apple's secure enclave that almost every iPhone has now.

你的指纹数据就存储在那里。

That's where it stores your fingerprints.

理论上这个部件没有联网，所以没人能入侵它。

And supposedly, this thing isn't connected to the internet so no one can hack it.

即使你物理入侵了设备，理论上也很难或不可能从中提取数据。

If you actually break into the device, it's supposed to be hard or impossible to get out physically.

它具有特定的执行属性，因此你能获得其正确执行的证据。

And you can, like it has certain properties of how things are executed, so you have some evidence of it being executed correctly.

但这归根结底取决于硬件制造商的具体实现方式。在这个领域有很多优秀的研究者，无论是区块链还是密码学领域，他们肯定能给出比我更专业的解释。

But again, this is down to implementation of how the hardware manufacturers actually do this, and there are some good people playing around with this stuff in the field, like both in blockchain and crypto in general, that I'm sure have much better explanations of this than I can.

但是，对，就像你说的，这是一种硬件层面的玩法，你拥有这种执行环境，理论上能生成某些证据来证明计算是正确完成的。

But, yeah, it's it's like you say, it's a hardware play where you kind of have this execution environment that supposedly produces some evidence that a computation has been done correctly.

你认为还有其他技术也属于这一类别吗？

Would you say that there's any other technologies that also are in this category?

我感觉有时会听到比如环签名也被归入这类，但那其实完全不同，对吧？

I feel like I sometimes hear, like, ring signatures put into this, but that really different, isn't it?

是的。

Yeah.

我的意思是，从多方参与的角度看确实类似，就像多方带着各自的签名加入环签名那样。

I mean, it's multiparty in that, like, a lot like, multiple parties are going into the ring signature with their signatures.

对。

Yeah.

但要说这是多方会话的话。

But, calling it a multi party conversation.

我是说，也许从最宽泛的定义上可以这么讲。

I mean, maybe in the broadest definition of the term.

我们最近一期节目采访Starkwear的Eli Ben Sasan时，我问他如何看待Stark或零知识技术的未来发展方向，他最期待什么？

When we were talking to Eli Ben Sasan from Starkwear in a very recent episode, I asked him, like, where the future of, you know, Stark like or zero knowledge technologies could come from or what, you know, what is he looking forward to?

他提到NPC这个概念已经存在很长时间了。

He mentioned that this concept of NPCs, it's been around for a long time.

但像Stark或Snark这类技术，当时还没有配套技术让它们真正可用。

But like Starks or like Snarks, there weren't necessarily technologies in place that would make them usable.

我其实特别好奇，现在还有哪些NPC技术存在？

And I would I'm actually really curious about, like, what other NPCs are out there?

有哪些超级理论化的密码学NPC构造虽然目前完全不可行，但或许在不久的将来会在这个领域变得实用？

Like, what what super hyper theoretical cryptography NPC constructions are floating around and they're still totally, like, impossible, but, you know, maybe they come into to to relevancy in the near future, maybe in this space specifically.

最后总结一下，我们提到了几个与NPC竞争或协同使用的概念。

So maybe to wrap up, we've mentioned a few concepts that are sort of either competing with or being used along with NPCs.

但还有至少两个术语经常被提及。

But there are a couple other, at least terms, that are brought up.

一个是Shamir秘密共享，另一个术语是拉格朗日插值。

One of these is Shamir's secret sharing, and the other term is Lagrange interpolation.

或许我们可以简单聊聊

Maybe we can talk very briefly about

这个。

that.

对。

Yeah.

我想说的是，如果你从那个简单的多项式例子入手，并且已经理解掌握了它，那么下一步自然就是开始研究Shamir秘密共享。

So what I would say is if you go from that easy polynomial example and that's something that you've played around with and understood, the next logical step to go to and start playing with is Shamir secret sharing.

这里你会让它变得更抽象、更复杂，将一个秘密分解成N选M系统。

So here, you're making it a little bit more abstract, a little bit more complex, and you're breaking up a secret into N of M system.

你可以说，我想把这个秘密分成23份，需要其中17份才能重构出原始秘密。

So you can say, I want this secret to be broken up into 23 pieces, and I want, you know, you need 17 of them to be able to reconstruct the secrets.

你可以完全定义所有这些参数，然后把这个秘密分成多份。

So you can fully define all of these parameters and then, you know, break up this secret into multiple pieces.

这种方法特别实用，比如你有一把私钥，想把它分配到五个U盘里分散存放在家中。

And this is something super useful too if you have, like, a private key and you wanna distribute that over five USB devices that you spread around your house.

比如，这本身就是一个实用工具，而多项式那个更像是一个学习实验。

Like, a useful tool in itself, whereas the polynomial thing is more of like a learning experiment.

我们有Parity的Rob，他有一个用Rust编写的Schmir安全共享库，代码清晰易懂，我可以把链接也发给你。

And we have, like, Rob at Parity, he has a library for Schmir Secure Sharing in Rust that's pretty easy to understand and nice to look at, so, I can link that as well.

所以这也是个值得尝试的有趣工具。

So that that's a useful thing that might be fun to experiment with as well.

虽然我不确定如何用它替代零知识证明场景，但可以替代Schnorr签名或其他M/N签名系统，比如多重签名这类方案。

I don't know how you would use it in sort of a replacement for a zero knowledge proof kind of setting, but as a replacement for Schnorr signatures or other N of M signing systems, like a multisig type thing.

但这种秘密共享，数据是被分割的，组合起来才能还原完整数据。

But this secret sharing, it's like the data is broken up, but when you combine it, it becomes the full piece of data.

你们实际上不是通过多项式插值实现的吧？

You don't actually do it through polynomial interpolation, or do you?

因为看起来确实有点像。

Because it sort of looks like, yeah.

确实是，所以原理还是相同的。

You do, so it still works on the same basis.

如果你要实现这个方案，确实需要创建这些多项式，并且使用超大素数来确保安全性。

If you go to implement this, you do create these polynomials and you create them with super large prime number stuff to have security.

当你要重构这些内容时，基本上每个秘密片段都是多项式上的一个点，也就是说，基本原理仍然相同。

And then when you go to reconstruct these things, so basically each of these secret pieces is a point on the polynomial, mean, it's still the same fundamentals.

然后你使用拉格朗日插值法，这只是一个用于重构原始多项式的公式。

And then you use Lagrange interpolation, which is just a formula to reconstruct the original polynomial.

但输出的秘密不是数字形式，而可以是任意32位值。

But instead of being a number that is the secret output, it can be any, like, 32 bit value.

我的意思是，你总是可以把任意长度的比特串视为数字，但这取决于你如何解释这些内容。

I mean, you can always see any random any arbitrary number of bits as a number, but, yeah, it depends on how you interpret things.

你刚才提到的另一个频繁出现的术语就是拉格朗日插值法。

And the other thing you just actually mentioned, another term that has come up a lot, and that's this Lagrange interpolation.

我其实做过一些插值练习，但发现自己没完全理解如何引入有限域这个概念。

One thing I actually went through a few exercises to do some interpolation, but what I realized I didn't quite understand was how to introduce the finite field.

这就是拉格朗日插值法的关键所在吗？

Is that the thing that makes it a Lagrange interpolation?

我不知道。

I don't know.

我认为即使不是有限域，你也会称之为拉格朗日插值。

I think you would call it a Lagrange interpolation even if it's not a finite field.

我想我们确实已经提到过，我认为我们已经解释过什么是插值了。

And I think we we've definitely mentioned I think we've already covered what interpolation is.

这个概念指的是在图表中取最少数量的数据点，并能够从中重建一个函数。

It's this idea of taking a minimum number of data points in a graph and being able to recreate a function from that.

其实我很好奇沙米尔阈值具体如何与NPC相关，因为它们总是被一起使用。

Actually, I am curious how exactly the Shamir threshold relates to NPCs because they're always used together.

或者说，你几乎需要理解沙米尔阈值方案才能正确构建NPC。

Or it's almost like you need to understand Shamir threshold schemes in order to be able to build NPCs correctly.

是的，我也注意到了这一点，它们是许多事物的基础。

Yeah, I've noticed that too, that they're the basis for a lot of things.

我猜这就是你定义基础构建模块的方式，然后在其上附加其余的逻辑。

And I guess that's how you kind of define your fundamental building block upon which you attach the rest of your logic.

但我真的不太明白这两者是怎么联系起来的。

But I don't really know how how that ties together.

是啊，什么？

What's yeah.

这是个很酷的概念。

It's it's a cool concept.

我觉得我还是不太确定它具体如何与NPCs相关。

I like, I'm still I think my I'm still not sure how it relates to exactly how it relates to NPCs.

显然它们属于同一领域，但我好奇它是否并非与NPCs协同使用，或者实际上是更高级多方计算的基础。

Like, obviously, it's in the same space, but, yeah, I'm wondering if it's not, like, used in tandem or if it's actually underlying more advanced multiparty computation.

如果有人对此有很好的解释，请通过邮件联系我们。

If anyone feels like they have a great explanation to that, hit us up on the email.

总的来说，我们想说的是：我们是零知识的，这个节目经常邀请专家来为我们解释这些内容。

And in general, I think that's what we do wanna say to you is we are zero knowledge and this is a show where we often bring on experts to explain this stuff to us.

这一集我们自己做了些研究，但如果你愿意发邮件告诉我们哪里说对了，哪里说错了，那就太好了。

This was an episode which we did a little bit of research on our own, but it would be wonderful if you wanna send us an email telling us where we're right, where we're wrong.

如果你想在Twitter上联系我们，并告诉我们你是否能解答我们提出的一些问题。

If you wanna ping us on Twitter and let us know if you can answer some of the questions that we brought up.

能收到你的消息会非常有趣。

It'd be really fun to hear from you.

总之，谢谢，Fredrik。

Anyway, thanks, Fredrik.

感谢，感谢这次对话。

Thanks for, thanks for having this chat.

谢谢。

Thank you.

我期待未来能更深入地研究这个领域。

And I'm looking forward to digging into this a lot more in the future.

对于我们的听众，感谢你们的收听。

And to our listeners, thanks for listening.

感谢收听。

Thanks for listening.