Zero Knowledge - MPC systems with Nigel Smart

Episode summary

In this episode, we chat with Nigel Smart, professor of cryptology at KU Leuven and co-founder of Unbound Tech, covering his background in cryptography, the development of multi-party computation systems, real-world MPC applications, and how MPC compares with other cryptographic privacy technologies. He walks us through where MPC came from, what it is good for, and the frontier MPC research topics that excite him.

Papers and concepts mentioned in the episode:
- Our MPC episode
- Garbled circuits
- Yao's millionaires' problem
- The first fully homomorphic encryption paper
- The SPDZ protocol
- MPC in the head
- The NIST post-quantum cryptography project

Thanks to this episode's sponsor, StarkWare. StarkWare is holding StarkWare Sessions in Tel Aviv on September 16, bringing together leading researchers and developers in zero knowledge proofs to discuss self-custodial trading, STARKs on Layer 1, STARK-friendly hash functions and other frontier topics. Use code Zkpodcast for 20% off tickets: https://starkware.co/starkware-sessions/

Get involved and support the show:
- Follow us on Twitter: @zeroknowledgefm
- Join the Telegram group: https://t.me/joinchat/B_81tQ57-ThZg8yOSx5gjA
- Support our Gitcoin grant: https://gitcoin.co/grants/38/zero-knowledge-podcast
- Support us on Patreon: https://www.patreon.com/zeroknowledge
Or donate directly:
ETH: 0xC0FFEE1B5083230a5154F55f253B6b6ae8F29B1a
BTC: 1cafekGa3podM4fBxPSQc6RCEXQNTK8Zz
ZEC: t1R2bujRF3Hzte9ALHpMJvY8t5kb9ut9SpQ

Transcript

Speaker 0

Welcome to Zero Knowledge, a podcast where we explore the latest in blockchain technology and the decentralized web. The show is hosted by me, Anna.

Speaker 1

And me, Frederic. In this episode, we sit down with Nigel Smart, professor in cryptology, to talk about multi-party computation.

Speaker 0

Before we start, we want to say thank you to this week's sponsor, StarkWare. StarkWare will be putting together the StarkWare Sessions in Tel Aviv on September 16. The event will be bringing together the brightest minds in the field of zero knowledge proofs from both the academic and application arenas. Topics that will be discussed are self-custodial trading, STARKs for layer one, STARK-friendly hash functions and other cool things you can do with STARK proofs. Also, I will be hosting one of the stages. So if you're interested in this exciting cutting-edge tech, do join the StarkWare Sessions, or come a day early for the STARK 101 workshop where you could build a STARK prover from scratch. Use the code zkpodcast to get 20% off any ticket. We have about 50 of these available, so get it fast. So, again, thank you StarkWare for supporting this podcast. And now here's our interview with Nigel Smart.

Speaker 1

So we wanna sit down today and talk about MPC systems, and we have one of the possibly best guests to do so, Nigel Smart, professor of cryptology at KU Leuven and the co-founder of Unbound Tech. Welcome to the show, Nigel.

Speaker 2

Oh, welcome. Nice to be here.

Speaker 1

And we have Anna with us as usual. Hello?

Speaker 0

Hello.

Speaker 1

So to kick it off, Nigel, if you can think back to when you first started in this space, what is it about cryptography that really got you excited and wanting to work in this space?

Speaker 2

Okay. So originally, I trained as a mathematician, and then I realized there really wasn't much money in that. And so it was much, if you're doing this kind of maths I was doing and you go, I wanna make money or I don't wanna be poor, then what you do is you do cryptography, which in those days, in the mid nineties, was just beginning to be deployed, you know, everywhere because the internet had just started, etcetera.

Speaker 1

I know a lot of people who got into cryptography through, like, the military. So either through... in Sweden we have, like, this thing you go through for a year and a half or something. They get into it through that. Did you ever have that exposure to, like, the military side of it?

Speaker 2

Not really. Of course, when you turn up at all the international conferences, there are various people from various government agencies there, some with three-letter acronyms and some with four, some with five, depending on the country. And they always try and pretend they're not there, but they are. So you kind of get to see these people.

Speaker 0

Yeah. So I have a question about what you're working on right now, because you're a professor of cryptology, not cryptography. Yeah. What is the difference between those two things?

Speaker 2

Okay. So cryptology is the science of making and breaking ciphers. So cryptography is the science of making ciphers, and cryptanalysis is the science of breaking them. And if you do both, you do cryptology. So the international association which represents all the cryptographers in the world is called the International Association for Cryptologic Research, even though everyone in it is a cryptographer.

Speaker 0

So I think you're one of the first, maybe not the first guest, but you're one of the few guests that we've had on that aren't necessarily coming straight out of the blockchain space. But my question is, have you, I mean, what is your interaction with the blockchain space? Because I understand you have done some work with groups.

Speaker 2

So, okay. So first, you've got to understand that blockchain isn't cryptocurrencies. So there's two mantras in cryptography: crypto means cryptology, or crypto means cryptography, not cryptocurrency, and the other one is blockchain does not mean cryptocurrency. Okay. So blockchains have a lot of applications outside of the cryptocurrency space. And also in terms of corporate land, a lot of blockchains do not necessarily need proofs of work. So what proof of work gives you in something like Bitcoin is, it solves the consensus problem. But there are other ways to solve consensus problems if you have so-called permissioned blockchains. So there's a lot of applications around that use a blockchain, but with permissioned services, and there what you're doing is you're using a blockchain as what's called an append-only database. So it allows you to do database applications which are slightly simpler than using standard distributed databases, where you have issues of locking and unlocking, etcetera. Yes, I've advised a number of companies in this space, mainly in the financial sector.

Speaker 1

That's interesting. So you've touched a lot of these quote unquote private blockchains, but have you touched anything in the public space? I mean, there's, like, Zcash and a lot of these newer, fancier things.

Speaker 2

Yeah. Okay. I haven't

Speaker 1

touched complicated crypto.

Speaker 2

So I haven't explicitly worked on any of the public blockchain applications like Zcash, but I know the people behind them and we all talk to each other, and so, yeah. So it's a very, very small community, yeah, who know what's going on.

Speaker 1

Particularly Zcash, I think, I mean, we're going to be talking today about MPC and they have, yeah, a very, very famous case of using MPC.

Speaker 2

I think, yeah, I think in the blockchain community, the first, you know, thing that made people in the blockchain community understand what MPC was doing was the Zcash opening ceremony, which was kind of an interesting one-off application. But what you're actually seeing, especially in return to when you go to cryptocurrencies, is crypto custodianship; there's a lot of applications now there for MPC to do authorization and signing operations, which are more efficient and match the application much better than previously. So cryptocurrency is good in that it generates lots of interesting... unlike normal financial institutions or normal companies, they are definitely early adopters of high-tech.

Speaker 0

One thing our listeners may be noticing is the way that we're pronouncing MPC.

Speaker 2

Yeah.

Speaker 0

And not saying MPCs. Because as I learned recently from Nigel, that's actually very incorrect, to use MPC in plural. MPCs doesn't make sense. So tell us why that

Speaker 2

is. Okay. So when you talk about the zero knowledge proof, it's a thing. So you can talk about plural things. So you can talk about zero knowledge proofs. So you can talk about ZKPs. So that makes sense. Whereas MPC stands for multi-party computation. Therefore it's a technology, and if you pluralized it, you'd be talking about multi-party computations, and therefore you're talking about something that's a process that's going on rather than a technology. So if you want to talk about the technology and pluralize it, it's like you might have a piece of software that does one version of MPC and another piece of software that does MPC; these would be two MPC systems. So yeah.

Speaker 0

Got it. Thank you for sharing that with us and for clarifying. I know that I think we and others in the space have made this mistake a lot, and so this is good to know.

Speaker 2

Yeah. Whenever you have initials, it's always good to go back to what they actually stand for to decide whether you can pluralize it or not. Can you say FHEs? Well, you can talk about FHEs if you're talking about the ciphertext, because they're encryptions. So if you take an encryption of x and an encryption of y, then they are encryptions. But you're actually talking about the specific encryptions of x and y. Whereas if you want to talk about FHE as a technology or different types of technology, you talk about FHE technologies.

Speaker 1

Like, if you're saying MPCs, you're talking about the actual computations that are taking place.

Speaker 2

Yeah. Exactly. Yeah. Yeah. Yeah.

Speaker 1

I did an episode on MPC on this podcast before, and, you know, if I'm honest with myself, it's probably not the best intro ever.

Speaker 0

But it was just you and me. It was just myself and Frederic, so this wasn't like we're putting any guest under the bus here. Yeah.

Speaker 1

But I'm curious to hear from you, Nigel, what would your, like, short introduction to just explaining what MPC is be?

Speaker 2

Okay. So imagine you've got two sets of data, or three sets of data, four sets of data, and you want to compute a function on the joint data without revealing what the data is. And you want to do this via a protocol, by doing a computation. So it's multiple parties, multiple pieces of data, doing a computation on their joint input, and the only thing you learn is the output. So a really good example, a practical example that's used, is hospitals. Hospitals have information on patients, and you might want to do some medical statistical experiment. So you could do a medical statistical experiment on the joint data of the hospitals without each hospital having to reveal the information about their patients.

Speaker 0

What would that look like on the sort of technical front? Like, would that actually be each hospital, like, running something on a computer? Like, what would that look like?

Speaker 2

So it would look like each hospital would have their own separate database, and they would have computers that attach to the database, and the computers would pull data from their own database and then engage in a protocol with the other hospitals, and at the end of the protocol, out pops the statistical answer you want, and what doesn't pop out to either hospital is the other hospital's data. And this is mathematically guaranteed; this doesn't pop out. So, you know, no matter how much, you know, hackery you do, you're guaranteed that there's no extra information that jumps out.

Speaker 0

Does it also... I guess it also guarantees that the information that is shared, or that, like, that metric is correct.

Speaker 2

Yeah. Yeah. Yeah. So you also get correctness of the results. So, you can't protect against people lying. So if one hospital lies about its data, that's all you can do. But you can prevent one of the hospitals doing the wrong calculation. So they all agree on the right calculation; they have to both do the same calculation.

Speaker 1

So in our introduction episode we covered MPC from the perspective of solving polynomials. That's our fundamentals that we go into. Would you say that modern MPC systems are still, like, fundamentally, you know, constructing and solving polynomial equations, or has it moved way beyond that?

Speaker 2

Oh, it's, yeah. It's not just solving polynomial equations, so you could do any computation. So from the eighties, we knew that anything you can compute in the clear, we can compute securely. Yeah. So if you have any computation you wanna do, in theory, we can do that computation. In practice, that depends on the technology and what you want to do, but in theory we can compute anything. A really good example that was done in a US government program a few years ago is satellites. There are two satellites going around the earth, and sometimes satellites hit each other and it's really expensive. Okay? So what you wanna do is you wanna avoid, make sure that the satellites don't hit each other. On the other hand, countries aren't really very keen on revealing where their satellite actually is. Yeah. So you can imagine, though, the fact that the satellite is going over a country, you might not want to know that. So what some people did in that US government program I was involved in is that they actually did an MPC calculation where you had one country knew where its satellite was and what direction it was going in, and another one was, and you would work out whether the satellites were going to hit each other and whether they should change course without revealing the positions of the satellites. So you could do computations which are like Newtonian mechanics. Other examples could be... we're engaged in here, we, I don't know, your listeners may not know this, but we're actually in three different countries here. So we're in three different countries, and actually, when you do a merging of audio, you actually have a problem. So if you have encrypted communications, you actually have to decrypt them to merge the audio for group conversations. So this is actually, and it's the same US government programme, we actually had voice communications from three different sites. The voice communications were encrypted, but then merged, where you merge the audio files and then send them back in real time during the conversation. So that's kind of like what Skype currently does: you connect to Skype and it will merge the three together by decrypting and having to do the merging on the fly when you do a group conversation. Because that's actually quite hard, but we managed to do this in a secure domain.

Speaker 0

Those are two really... those are amazing examples.

Speaker 2

Yeah, really cool. So you can really see that this has applications; so we talked about healthcare, we talked about military applications, you know, with satellites, we can talk about voice applications. In the cryptocurrency space, you can secure your cryptographic signing keys: you can take your cryptographic signing key, you can split that up and put those in different servers, and then do an MPC calculation to actually do the digital signature. So the key is never in one place; it's much more secure. You could have just one signing key in Berlin, one signing key in America, or one part of it in Japan, and they never come together. So this solves the problem of where do you keep your cold and hot wallet keys.

Speaker 0

Wow. That's super inter... is that... does that actually exist? That's not like

Speaker 2

That exists.

Speaker 0

Sounds like a multisig, but I feel like it's different

Speaker 2

than anything. It's not a multisig. It's better than a multisig because a multisig requires the recipient to know it's a multisig. So it looks different. Yeah? And also, multisig: suppose you have a multisig which says we're going to take three signatures and combine them; then what that actually tells the verifier is that your authorisation policy was three people had to agree, and you might not actually want that to happen. So what we can do with MPC is produce what looks to the verifier like a genuine signature, looks like a normal signature, but from the signer's point of view, it has been composed of different secret keys with different authorizations. So it could be that you allow me on my own to sign a transaction, but Anna and Frederic have to get together to sign it because we don't trust them too much. So they have to come together. So we could have what is called an access structure where you have two people have to sign, or one person. And similar things have been used, not in terms of MPC, but that kind of access structure is used for nuclear command and control. Launching nuclear missiles requires the president and the submarine commander, or the vice president, the submarine commander and a general, or something like that; you need a combination. So you have these different access structures, and you can do that within the signature on the blockchain in a way that the verifier doesn't know what your authorization policy was behind it, which could be company confidential. And then to, is this deployed? Yes. Unbound Tech produced tech in this space, and it's actually deployed in a reasonable number of the very large cryptocurrency exchanges to secure their cold and hot wallet keys. And it also means that they could do greater volumes of turnaround and less and less delay for consumers.

Speaker 1

I actually think there's some application. We've talked about Bitcoin bridges in the past, and, like, a constraint in Bitcoin is that you can't have multisigs above a certain number of parties. But in a bridge, you might actually want a multisig of, like, a thousand parties. Yeah. And you can't do that natively on Bitcoin. So you would have to do something like this.

Speaker 2

Yeah. So yeah. Exactly. That exactly solves that problem.

Speaker 0

Would you say, I mean, are MPC systems the focus of your research, and have they been the focus of your research, or was there something else that you were working on before this?

Speaker 2

Oh, before this, I was doing all sorts of stuff. So originally, I worked on what's called, oh, you would know this. I worked on things called elliptic curve cryptography. This was back in, like, the late nineties, early two thousands, where we looked at ways of breaking elliptic curve cryptography and stuff, and then there was this big boom in the early 2000s on what's called pairing-based cryptography, which is used in some blockchain applications. So for example, think big, Dfinity I think is a big user of pairing-based crypto in some of its applications. And then worked on key agreement, all sorts of other things, so various things. And then kind of in the mid two thousands, there were kind of two things. So I would always turn up to MPC talks. If you plural it, it's talks. There we go. Because they're talks about MPC. Anyway, so I would always turn up to MPC talks and fall asleep because this was just so boring. This was just never gonna be practical. MPC had been around since the nineteen eighties. It was very, very theoretical, and no one would ever think you could ever use it. And then in the mid two thousands, I think it was like 2004, I went to a Eurocrypt, which is the main cryptography conference for Europe, in Interlaken in Switzerland. And at cryptography conferences, we have something called a rump session. Now a rump session is a, mhmm, an event in one of the evenings where people drink a lot of beer and a lot of wine, and people give two-minute talks. And they're just giving two-minute talks, which are either funny, an advertisement, or they're demonstrating something. And one guy got up and he actually, in two minutes, live, gave a demonstration of MPC working on his laptop. Now in a two-minute presentation where you have to get the presentation onto the stage and actually get it running and working, you go like, oh, this isn't theoretical anymore. This is real. And then the next year, there was a Eurocrypt, this time in Aarhus in Denmark. And at the same thing, at the rump session, someone got up and said, actually, we've used MPC to do a real calculation in the real world for real people, which was the calculation which is now famous in the MPC community as the Danish Sugar Beet Auction. So you can't mention MPC without mentioning the Danish Sugar Beet Auction. And at that point, I went, uh-huh, it really is real. And then I kinda like shifted, and then I started working with Yehuda Lindell, who's the other co-founder of Unbound Tech, and also working with Benny Pinkas, who is the guy who had given the rump session talk at Interlaken, and we started actually then sort of building MPC and seeing whether we could turn the theory into practice. And to give you an idea, we did the first very large scale, what's called actively secure, which is like the gold standard of secure computation, in 2007, 2008, and we calculated a specific function. It doesn't matter what it is; we calculated a specific function. At that point it was the first time anyone had ever done it; it took hours. Wow. Hours. And now that same calculation can be done in milliseconds. In ten years, the performance improvement has just dramatically dropped, and that's why it's become so hot.

Speaker 0

I sort of wanna go back to that beginning, that early MPC work that you were doing. What was that actually... what did that look like?

Speaker 2

Well, okay. So for me, okay. So, well, I could talk about the community or for me. So it's kind of, like, different. So in the community, in the eighties, people were just doing pen and paper. You know, they were doing thought experiments. You know? What would happen? So the first example is mental poker, in some sense. How could you play poker by telephone? So I've got a bunch of cards. You've got a bunch of cards. We've dealt the cards. I don't know what your cards are. You don't know what my cards are, but we want to play poker and not cheat over the telephone by just exchanging cryptographic messages. So people were just playing mental games like that, and they came out with this idea of MPC. And then in the eighties and early nineties, people were just playing with the idea of what could it theoretically do? Could you compute anything? And it turns out, you can. You could theoretically compute anything you want securely, which is kind of cool. And then maybe from the mid nineties to the mid two thousands, people were kind of coming up with ways of doing the computations, but they weren't really very practical and the networks weren't very good at the time and computers weren't so fast, etcetera, etcetera. And then, like, in the mid two thousands, computers were just about fast enough that you could do something really basic. So I think there's this famous example which came up in the eighties, which is called the millionaires' problem. So imagine you've got two millionaires and they want to work out who's the richest. So they want to compute... they've both got their inputs, one input: one millionaire's got the value x, one millionaire's got the value y, and you want to work out is x bigger than y or is y bigger than x. And that's all you wanna compute, without revealing x or y. So the only information... so you've got two millionaires, Alice and Bob. Alice will learn maybe she's the richest, and Bob will learn he's the poorest, but we won't know by how much. So that's what's called the millionaires' problem. And what this guy had done in this rump session in Interlaken is run the millionaires' problem on 16-bit integers. So it's just a number which isn't even a million. That's, like, less than 65536. Yeah? So this is comparing two numbers less than 16 bits, and it took two minutes. That was the length of his talk to compare the integers. That was kind of where we were. But as soon as you could do something, as soon as you could actually implement something and play with it, you would then implement it and you go, I can make this go faster, I can make that go faster, I don't need to do this, I can change that. I can use this part of the infrastructure. I can use the operating system in this way. I can use the network in this way.

Speaker 2

突然间改进就接踵而至,一个接一个地快速涌现。

And suddenly the improvements come rapidly, you know, one on top of each other.

Speaker 1

So what you just talked about is sort of this bridge or this gap between research and engineering.

Speaker 1

And we've talked to people on this show before about this and it's always fascinating to me.

Speaker 1

What I see is exactly what you said, that once there's something out there to play with, that's when you start attracting the engineers.

Speaker 1

And once you have the engineers on board, they can go, well, actually I can speed this up a little bit, I can do this over here, and you start having the hackers actually improve the technology and then you start working more hand in hand and that's when you get the real improvements.

Speaker 1

How do you see the role of engineering and the programmers coming in and working with the theorists?

Speaker 2

Well, I think the thing is, certainly in this area, actually everyone's hand in hand.

Speaker 2

There's still some theorists doing theoretical MPC in the world, but almost everyone's now doing a combination of theory and practice, and that's because you can't, so you have a new idea to improve some protocol.

Speaker 2

So you have some new weird and wacky idea.

Speaker 2

Actually, testing it on paper, you can't test it on paper because in the real world, everything works on what's the network latency, memory issues, bandwidth.

Speaker 2

And these systems are now so complicated, they have so many moving parts that you can't really test whether something is real or not, or whether it gives you an improvement without actually implementing it.

Speaker 2

So a lot of the theoretical research now is hand in hand with engineering research.

Speaker 2

And also the engineering research requires the theoreticians to solve problems, or you do a piece of engineering and you go, oh my god, that's something we never realised.

Speaker 2

And then you pass it back to the theoreticians and they go, oh yeah, they kind of measure the wrong things, and then you suddenly realize that the one thing you're meant to be measuring in the theory world doesn't actually make sense in the practical world.

Speaker 2

This is a never ending combination of theory to practice, practice to theory and so on.

Speaker 2

So maybe ten years ago in the crypto community, that's crypto means cryptography, always got to get that in, always got to get that in, crypto means cryptography.

Speaker 2

Okay, in the crypto community, there was a bit of a bifurcation between the theoreticians and the practitioners.

Speaker 2

But I think a lot of things over the last seven or eight years have actually brought them together, one of which has been this huge explosion in MPC applications and practicality, which suddenly the theoreticians are going, woo hoo, that stuff's useful.

Speaker 2

And the practical people go, woo hoo, we've got something else to play with.

Speaker 2

And then there was the huge explosion in fully homomorphic encryption and then also we've kind of created community places for people to come together.

Speaker 2

So I founded along with someone else, Kenny Paterson, this thing called Real World Crypto, which we run every year in January, and it turned from being, like seven years ago, a tiny event with 100 people.

Speaker 2

It's now the biggest cryptography conference in the world.

Speaker 2

We have about 700 people turn up and we have people from the cryptocurrency space, we have people from academia, we have people from government, we have the crypto teams of Apple and Facebook and Google and Microsoft turn up.

Speaker 2

We have people who are interested in public policy.

Speaker 2

Last year, we had people doing MPC, doing a really interesting survey in Boston, which is the Boston gender survey, where they got 200 companies to do a statistical survey of whether there was a difference in pay between male and female in the different companies, and so they got all the companies to put their data into this MPC system to do the statistical analysis.

Speaker 2

So seeing all sorts of public policy stuff coming out that's really bringing people together.

Speaker 0

You just mentioned sort of the FHE idea.

Speaker 2

Yeah.

Speaker 2

I'm not

Speaker 0

gonna say FHEs here.

Speaker 0

FHE.

Speaker 0

Actually, the way you've defined the MPC, it sounds very, very similar to the FHE, this idea of this ability to combine things and almost anything.

Speaker 2

Yeah.

Speaker 0

In the work that you're doing, I mean, do you see the work on MPC as a silo or do you actually see that blending in with a lot of these other concepts?

Speaker 2

They're very, very similar.

Speaker 2

In fact, they actually are really related.

Speaker 2

Okay.

Speaker 2

So the, okay.

Speaker 2

Okay.

Speaker 2

So the thing with the usual use case of FHE, well, the one that people say, is you encrypt some stuff, you send it to the server, the server computes on it without knowing what it is and sends it back to you.

Speaker 2

So you think about an encrypted Google search, you encrypt your search term, you send it to Google, Google gives you your search results, but doesn't know what you've searched for or what your results are, sends them back and you decrypt.

Speaker 2

Okay.

Speaker 2

That isn't practical, but that gives you an idea of what the idea is.

Speaker 2

Now that really is like MPC, except there's only one person doing the computation, the server.

Speaker 2

So it's, okay.

Speaker 2

FHE is MPC without the

Speaker 0

M.

Speaker 0

Wow.

Speaker 2

So that's the really easy way to think about it.

Speaker 2

So it's very, very similar.

Speaker 2

However, they're not separate, so one of the big breakthroughs we had is we have an MPC protocol called SPDZ, which is spelt s p d z for the authors, which is Smart, Pastro, Damgård and Zakarias.

Speaker 2

So usually in cryptography you put things in alphabetical order, but someone realised if you reordered our names, it would be SPDZ cause it was a really fast protocol.

Speaker 0

And that's, those are awesome.

Speaker 0

Like NIZK and DIZK and Bulletproofs.

Speaker 0

Exactly.

Speaker 0

Naming is important.

Speaker 2

Naming is really, really important.

Speaker 2

We have actually, whenever we do something, we come up with a really cool name to make sure people remember.

Speaker 2

It's the SPDZ everyone remembers and this came out in about 2012.

Speaker 2

And what SPDZ does is actually it uses FHE to do MPC.

Speaker 2

So it uses a form of FHE, which usually people go, that's totally impractical.

Speaker 2

But we use FHE to actually make things go faster than if we didn't have FHE.

Speaker 2

So we can actually, we use FHE within the MPC calculation as an accelerant to make it go faster.

Speaker 1

So to dig in a little bit more and get like, I want a better practical understanding of how these MPC systems work.

Speaker 1

So maybe we take SPDZ as an example and, like, explain how that protocol works.

Speaker 2

Okay, so imagine we've got three of us, we've got myself, we've got Anna, we've got Frederic and we have some piece of data.

Speaker 2

So imagine, don't worry about putting data into the system or out of the system, just think at the moment of how you actually do computation.

Speaker 2

So if we have a variable in a program, let's think of the variable called x, so what we do with that variable is we split it into three.

Speaker 2

And so we write x as x one plus x two plus x three, so Anna gets x three, Frederic gets x two and I get x one.

Speaker 2

Now, because remember they're untrustworthy, if Anna and Frederic get together, they're the least trusted, right?

Speaker 2

So if they've just got x two and x three, they can learn nothing about x.

Speaker 2

It's only the three of us together who know something about x.

Speaker 2

Okay?

Speaker 2

So in my piece of, when I'm running the program, I only hold x one, Frederic only holds x two and Anna holds x three.

Speaker 2

Now suppose we have another variable, call it y, we have y one, y two and y three in the same way.

Speaker 2

Now if we want to add the variables together to get z equals x plus y, then all that I have to do is go z one equals x one plus y one, Frederic goes z two equals x two plus y two, Anna goes z three equals x three plus y three, and then miraculously, z is actually z one plus z two plus z three by the magic of maths.

Speaker 2

Okay, so that turns out, so what that means is what's called linear operations are for free, is that you don't have to do anything clever to do linear operations, so addition is a linear operation, multiplication by constants are linear operations.

Speaker 2

So the only difficulty seems to be doing nonlinear operations.

Speaker 2

Now the simplest nonlinear operation you have is multiplication.

Speaker 2

After you do addition at school, you do multiplication.

Speaker 2

So for multiplication, there's all sorts of complicated ways of doing multiplication, and it's very hard to do on a podcast because you need lots of blackboards and stuff.

Speaker 2

But what SPDZ does is it uses homomorphic encryption to enable you to do the multiplication fast.

Speaker 2

So instead of using the homomorphic encryption to do an arbitrary computation, which is very expensive, we would use the homomorphic encryption to just do a very simple operation, which is multiplication.

Speaker 2

And that means that we can make the multiplication go very fast.

Speaker 2

To do the multiplication, we have to communicate data, so I send some data to Frederic, I send some data to Anna, Anna sends some data to Frederic and me, and Frederic sends some data to Anna and me, so this data is transmitted around, but this data reveals nothing about the actual underlying secrets, but then we can do some multiplication.

Speaker 2

And it turns out that any computation that you can think of can be written as a sequence of pluses and multiplies.

Speaker 2

Okay, so we just then need a compiler which takes our program, turns it into a sequence of pluses and multiplies, not quite, this is simplifying it a bit, and then we just run that and then we've got our secure computation.

Speaker 1

So you basically use, as you described before, FHE to operate on this very small domain where it's really fast and therefore can speed up the complicated part of MPC.

Speaker 2

Yeah, exactly.

Speaker 2

So that's one way of doing MPC.

Speaker 2

There's another way of doing MPC, which is due to Andy Yao, which people might have heard of, which is called Yao circuits or garbled circuits.

Speaker 2

And here what you do is you represent the function as a binary circuit just like it would be on a microprocessor, on the chip in electronics and silicon.

Speaker 2

And so it turns out there, you can represent everything as a bunch of ANDs and XORs and ORs and NOT gates.

Speaker 2

Here what you do is that you actually produce the lookup table, the truth table for the binary operation, you actually form an encrypted version of the truth table.

Speaker 2

And there, what you use is you use a standard cipher like AES to do the encryption of the truth table and then when you evaluate the computation, you are basically decrypting parts of the truth tables and working through the circuit.

Speaker 2

So there's kind of two different ways of doing it, there's the secret sharing approach of SPDZ, and then there's the encrypted truth table approach of garbled circuits.

Speaker 0

Since you've actually been working in the space for, like, a pretty good amount of time and you've seen this develop, I would be really curious to hear what you think of some other maybe comparable systems or systems that have been compared.

Speaker 0

You might not think of them in the same category.

Speaker 0

But for example, we actually not too long ago also did an episode on TEEs.

Speaker 0

Okay.

Speaker 0

TEEs.

Speaker 0

Can we say TEEs?

Speaker 0

Yeah.

Speaker 0

I pro life that one?

Speaker 0

It's an environment.

Speaker 2

It's a thing.

Speaker 2

It's a thing.

Speaker 2

Yeah.

Speaker 2

Yeah.

Speaker 2

Good.

Speaker 0

Okay.

Speaker 0

So I am very curious to hear what do you think of TEEs?

Speaker 0

And do you see a relationship between TEEs and MPC?

Speaker 0

Because we've often heard them lumped together or compared, and I wonder what you think

Speaker 2

It's kind of interesting.

Speaker 2

Okay, so a TEE is a trusted execution environment.

Speaker 2

So as we see it now, it's something like Arm TrustZone or Intel SGX.

Speaker 2

Actually, you go back to the very first paper on fully homomorphic encryption, which was in 1978, okay, so this is a long time ago, in 1978, the paper on fully homomorphic encryption by Rivest, etcetera, they had two ideas in their paper.

Speaker 2

The first idea is, wouldn't it be good if someone could invent fully homomorphic encryption because then we could compute on data without seeing it?

Speaker 2

And then they said, but that looks really hard, so why don't we just encrypt the stuff going into the microprocessor?

Speaker 2

And they said, well, what you could do is you could put a little encryption device as the data goes into the microprocessor, so the registers in the microprocessor are in the clear, but as the data comes out, it's decrypted.

Speaker 2

It's encrypted.

Speaker 2

So it's decrypted going in and encrypted going out.

Speaker 2

And then he went and they also said, but that's also a stupid idea because actually, this was nineteen seventies technology, the best cipher they had was DES, which was terribly slow even in hardware, and even microprocessors then were faster than DES.

Speaker 2

So they couldn't get the data in quick enough and out.

Speaker 2

So that was considered a no go.

Speaker 2

So what's kind of interesting is when FHE started becoming interesting in, like, 2009 when Craig Gentry came up with the first FHE implementation, first FHE idea.

Speaker 2

At the same time, people also revisited this idea of putting a little encryption device on the bus going into a microprocessor to encrypt the stuff coming in and out.

Speaker 2

And of course, now with microprocessors, actually it's the buses that slow things.

Speaker 2

So slowing it down a little bit by just AES encrypting stuff doesn't really cost much.

Speaker 2

Okay.

Speaker 2

Because getting data in and out of the processor is the slow bit of the computation.

Speaker 2

So now, and that's then led to TEEs like the Intel SGX.

Speaker 2

So historically, they absolutely come from the same source, so very similar.

Speaker 2

However, Intel and the others made a very interesting decision when they decided to build the TEE.

Speaker 2

So inside a microprocessor, it has to make decisions.

Speaker 2

And as it makes decisions, it leaks power or it leaks radiation or it leaks heat or sound or whatever.

Speaker 2

And so they explicitly excluded from the TEE design these what's called side channel attacks.

Speaker 2

And therefore, TEEs are only trusted if you trust no one to actually monitor the device and break it.

Speaker 2

So there's

Speaker 0

What you just said there about the energy and radiation, like, the kind of

Speaker 2

Yeah.

Speaker 0

Heat coming off it.

Speaker 0

Are you talking about that idea that, like, because you could track spikes in heat and energy consumption, could potentially crack

Speaker 2

Yeah.

Speaker 2

You can see it.

Speaker 0

What's in there?

Speaker 2

You can see it.

Speaker 2

Okay.

Speaker 2

Right.

Speaker 2

Crazy.

Speaker 2

That's so cool.

Speaker 2

And the banking industries know this, so maybe some of your US listeners are kind of like, have only just got a chip and PIN card for doing transactions, or there's chip and signature in the US.

Speaker 2

In the rest of the world, we have been using chip and PIN for about twenty years.

Speaker 2

And the chip and PIN cards, banks have known that the chips could be broken by measuring power consumption and electromagnetic radiation for years.

Speaker 2

So there has been a lot of work to actually secure chip and PIN cards against these kinds of attacks.

Speaker 2

This is big business.

Speaker 2

It even goes back to the sixties.

Speaker 2

People would program these big computers in the sixties and they would know what was happening in the computer.

Speaker 2

They didn't have debuggers, GDB did not exist.

Speaker 2

And so what you would do is you'd listen to the computer and it would go like, oh, it's stuck in loop four, because you knew the sound of the loop, of what sound the computer was making, by the sounds actually coming out.

Speaker 2

So these side channel attacks were actually used as debuggers in the nineteen sixties.

Speaker 0

Wow.

Speaker 0

And so TEEs, as we're talking about them, those are not protected against

Speaker 2

They are not protected against side channel attacks as a deliberate design decision.

Speaker 2

So if you put your trusted execution environment in the hands of the bad guy, then it's

Speaker 0

And they have the right tools.

Speaker 2

And they have the right tools taken.

Speaker 2

So, yeah, so this is one of the problems that TEEs have, and it's a deliberate design decision.

Speaker 2

I think the assumption is, if this TEE is running in a cloud server, you trust Amazon not to put a lot of electromagnetic radiation measuring equipment around the server, sorry, but you probably don't want the data in the clear on the Amazon server itself or Microsoft server or whatever.

Speaker 2

So they have advantages to use, but they're not the panacea that everyone seems to think. Okay.

Speaker 2

Let's just face it.

Speaker 2

No technology is a panacea.

Speaker 2

Right?

Speaker 2

So MPC has a problem, FHE has a problem, TEEs have a problem, everything has a problem, but TEEs' problem is side channel attacks.

Speaker 1

Well, that and the fact that they have this attestation thing, so you actually need to trust Intel to attest whatever you're doing.

Speaker 2

Because otherwise how do you know it's actually a real TEE?

Speaker 2

Yeah.

Speaker 1

It's funny to hear you say like it's not the panacea that everyone seems to think it is, because in my bubble, the space that I move in, everyone hates them.

Speaker 1

Like, no one wants to use them and no one wants to like

Speaker 2

everyone hates everything.

Speaker 2

So let's just say, I've never heard of people really loving something, or they hate it.

Speaker 2

It's kind of, I'm English so we have this thing called Marmite, which is something you either love or hate.

Speaker 2

So all technology is Marmite.

Speaker 1

Yeah.

Speaker 1

That's true.

Speaker 0

Another idea, this is more maybe in the zero knowledge proof camp.

Speaker 0

But, you know, because there are SNARKs and SNARKs require a trusted setup, and a trusted setup, an MPC, can be quite laborious and requires some sort of social organization.

Speaker 0

And it can actually be potentially dangerous that, you know, this, what did you call it?

Speaker 0

The random string.

Speaker 2

Common, the common reference string.

Speaker 0

Yeah.

Speaker 0

That the common reference string could actually be discovered somehow.

Speaker 0

So that poses a danger.

Speaker 0

So we see new systems coming out where they've actually removed the need for an MPC, like Bulletproofs and STARKs.

Speaker 0

And I'm wondering what you think about those.

Speaker 2

Okay.

Speaker 2

So the, okay.

Speaker 2

So the reason you wanna use these things is because you wanna do zero knowledge proofs of complex statements and you wanna do that efficiently.

Speaker 2

Now the question is what do you mean by efficient?

Speaker 2

So efficient could be fast for the prover, it could be fast for the verifier, it could be low communication cost, the size of the proof is small.

Speaker 2

And each one of those three technologies optimizes one.

Speaker 2

And so the goal is, the perfect zero knowledge proof would be fast for the prover, fast for the verifier and no space.

Speaker 0

And no setup.

Speaker 2

No setup, yes.

Speaker 2

So you have these different competing things and currently the level of technology is, we don't know how to do all good things at once.

Speaker 2

So basically, the STARKs, Bulletproofs etcetera and the SNARKs and whatever, they all optimise different things.

Speaker 2

On the other hand, there is another technology to do zero knowledge proofs called MPC in the head, which is really, really funky.

Speaker 2

So

Speaker 0

Is it actually called MPC in the head?

Speaker 2

Yeah.

Speaker 0

What does that mean?

Speaker 0

Okay.

Speaker 2

So the idea, so let's go back to our example where, like I said, I wanna prove some arbitrary statement to you.

Speaker 2

So what I do is I run an MPC protocol myself between two parties, say, in my head.

Speaker 2

So I'm both Alice and I'm Bob in my head.

Speaker 2

And so because I know everything, I'm the prover, so I run both parties in my head and then the proof is that you, the challenger, send me a challenge that says open Alice, and if I know the statement, the only way I can open Alice correctly is if I actually know the value I am trying to prove correct.

Speaker 2

And so there is a zero knowledge proof technique called MPC in the head, which doesn't require setup assumptions.

Speaker 2

It is quite slow, it is quite large, quite big.

Speaker 2

But it can do anything really, any statement really efficiently, if you can write down a circuit for it, and it actually forms the basis of what's called post quantum signature schemes.

Speaker 2

So one of the big things happening in crypto at the moment is post quantum and one of the post quantum signature schemes called Picnic that's been submitted to the NIST competition is actually based on MPC in the head.

Speaker 2

So there's all sorts of different, everyone's kind of trying to find different ways to do better zero knowledge, but it's basically speed of verifier, speed of prover, size of proof and trusted setup assumptions are the things and you always have to give up one.

Speaker 1

I think it's interesting to look at an example like the millionaires problem if we go back to that.

Speaker 1

Like you could have a zero knowledge proof in any system that says, yes, Alice has more money than Bob.

Speaker 2

Yep.

Speaker 2

Exactly.

Speaker 2

Good.

Speaker 1

And, like, in a Bulletproof system, it would be expensive to produce that proof.

Speaker 1

It might be pretty large.

Speaker 1

So it would make total sense if you want to prove to many people many times over time that Alice has more money than Bob.

Speaker 1

But if you're just trying to prove it once to Bob then it doesn't make sense to go through all of this trouble and it might be better to have an MPC to do it, or if you're trying to prove like a bunch of pairs in the system, like setting up a new trusted setup for each pair, it's way too complicated and expensive.

Speaker 1

You need something else.

Speaker 1

Yeah.

Speaker 2

Yeah.

Speaker 2

You have different applications to banks, whether, yeah.

Speaker 0

So I think this leads us to our last questions, which are about the future of these systems.

Speaker 0

So maybe you can tell me what, other than the MPC in the head, or in my head, what was it, MPC...?

Speaker 2

In the head.

Speaker 0

In the head.

Speaker 2

In the head.

Speaker 2

Yeah.

Speaker 0

Sounds a little bit like a nineties rap song or something.

Speaker 0

What other new kinds of MPC systems or MPC setups or techniques are you seeing emerging?

Speaker 2

Okay, so one of the big... I think in terms of MPC, it's kind of, we kind of, the basics are kind of done and we're just getting more optimizations.

Speaker 2

I think people are interested in what happens if there is a quantum computer built, so there is a lot of movement towards what happens in the case of quantum computing, making sure systems are secure against quantum computers. And that brings on to a whole thing that really, really touches the whole of the crypto space, both cryptography and cryptocurrency, which is what's called crypto agility: you've seen in the last ten years problems with ciphers and algorithms having to be retired.

Speaker 2

MD5 was a hash function that was used everywhere in Windows, and this caused real problems for Microsoft, having to remove it from the thousands of places it was used.

Speaker 2

And we kind of need to be able to have... how do you change a system which is already deployed, quickly?

Speaker 2

So currently TLS 1.3 has been standardised; trying to deploy it is quite hard.

Speaker 2

Actually, it took ages to get everybody to get rid of SSL 3 despite everyone knowing it was rubbish.

Speaker 2

Deploying new systems when things are broken is hard.

Speaker 2

Imagine blockchain.

Speaker 2

Right?

Speaker 2

So imagine the hash function is broken.

Speaker 2

Okay?

Speaker 2

How are you going to have to change all the hash functions instantly?

Speaker 2

So then it's not built into the system, because it's built on consensus and the consent... yeah.

Speaker 2

How are they going to agree on changing the hash function?

Speaker 2

How are they going to agree on changing what digital signature to use?

Speaker 2

Now if you go with this elliptic curve, whatever it was, the Koblitz curve, I can't remember which number it is, yeah, that's used in Bitcoin: what happens if someone breaks that curve? You want to change everything overnight?

Speaker 2

What happens to all the signatures that have already been made?

Speaker 2

All of them are invalid instantly, because you could have forged the signature.

Speaker 2

Yeah.

Speaker 2

So you could have kept your... you don't know.

Speaker 2

So how do you do this crypto agility on systems that are deployed?

Speaker 2

And people haven't really thought about that very much.

Speaker 0

Would that almost fall under the category of upgradability?

Speaker 2

Yeah, yes.

Speaker 2

Is that how you'd call it?

Speaker 2

Yeah, upgradability.

Speaker 2

So it's called agility so that you can move, you could shift, you can quickly shift your cipher from A to B if you find out it's broken.

Speaker 2

And so I think when people built the Internet and the early systems in the nineties, they went, yeah, hey, come on, it's not going to last very long, you know, we're going to just deploy some stuff and we're going to replace it very quickly.

Speaker 2

So they didn't really think about how you could upgrade things.

Speaker 2

And then this kind of habit got built in, and engineers go, oh, we're going to use this piece of crypto, it worked, boom.

Speaker 2

And then you see millions and millions of devices where one device might have a thousand crypto calls within it, and you've got to kind of isolate all of them.

Speaker 2

If the algorithm is broken, you have to isolate all of them and replace them.

Speaker 2

It's a real, real problem.

Speaker 1

It's a huge problem, not only in crypto... like, if Bitcoin had to change its hash function, I mean, it just wouldn't happen.

Speaker 1

I can't even imagine what would happen.

Speaker 2

But they should be thinking about this now.

Speaker 1

Yeah.

Speaker 1

Yeah.

Speaker 1

For sure.

Speaker 1

Yeah.

Speaker 1

And, yeah, like, think of Ethereum: when it launched, it was a lot more agile.

Speaker 1

It was a lot more like, yeah, we know that things will change.

Speaker 1

We were thinking about, you know, quantum computers and, like, trying to think about it.

Speaker 1

But still, over time it has stagnated, and it's, like, almost at the same level as Bitcoin in not wanting to change.

Speaker 1

Yeah.

Speaker 1

So a lot of the next generation of blockchains now are thinking about upgradability and, like, how do you keep an agile protocol, but it's super hard.

Speaker 1

It's a fundamentally difficult question.

Speaker 0

Yeah.

Speaker 0

I guess it's not only difficult technically, but also just socially.

Speaker 1

Like... yeah.

Speaker 0

There's so much resistance from the community.

Speaker 2

And also there are, you know, people who are a little evangelical about their favorite algorithm.

Speaker 2

You're going to use algorithm X because it's the best thing ever, you know, and they won't... yeah.

Speaker 2

They won't shut up.

Speaker 0

That's so true.

Speaker 0

And it's so funny.

Speaker 0

Have you... I mean, do you see this in academia all...

Speaker 2

All the time, all the time.

Speaker 2

It's really, really... yeah.

Speaker 2

It's really a pain.

Speaker 0

So you kind of mentioned earlier on this post-quantum...

Speaker 2

Yep.

Speaker 0

...work.

Speaker 0

When you mentioned this sort of... the Bitcoin hash function could be broken, like, is it post-quantum?

Speaker 2

No.

Speaker 2

The Bitcoin hash function... the Bitcoin signature scheme is not post-quantum.

Speaker 2

The Bitcoin hash function is in some sense post-quantum in the fact that it's a hash function, except the Bitcoin hash function is based on what's called the MD family.

Speaker 2

Now MD should go, oh, you know, light up bells, because that's MD5.

Speaker 2

It comes from the same stable as MD5, it's a tweaked version of MD5, it's a more complex version of MD5.

Speaker 2

So it's called SHA-2, and SHA-2 is based on SHA-1, which is based on SHA-0, which is based on MD5, which is based on MD4, which is based on MD2.

Speaker 2

And they have been broken in order.

Speaker 2

MD2 was broken, then MD4, then MD5, then SHA-0, then SHA-1, and now we're on SHA-2.

Speaker 2

And they're going, like, you know, it's only going to take a matter of time. It might be ten years, it might be one year, it might be a hundred years, but it's the same family, the techniques should apply, it's just a more complex version of something that's already been broken.

Speaker 0

Do you believe that actually everything that's being created will...

Speaker 2

...be broken? Good question.

Speaker 2

Yeah.

Speaker 2

But in the rest of... well, so the US government already reacted to this, so there is a SHA-3, and SHA-3 is from a completely different family.

Speaker 2

So SHA-3 looks to SHA-2 like AES looks to DES.

Speaker 2

They just look different.

Speaker 2

So the attack techniques you'd use on SHA-2 do not apply to SHA-3, and SHA-3 is a much more interesting algorithm, you can use it for many more different things.

Speaker 2

So that was created by some Belgians.

Speaker 2

I now live in Belgium because Belgium is the home of cryptography, so your listeners may remember that AES comes from Belgium.

Speaker 2

So, hopefully, SHA-3 comes from Belgium.

Speaker 2

So our hope is that the winner of the NIST competition for the post-quantum algorithms will also come from Belgium, because we think that just should be the definition: good crypto algorithms should come from Belgium.

Speaker 0

But in the case of Ethereum, what are they actually?

Speaker 0

What's used there?

Speaker 2

So I'm led to believe it's using Keccak, which is SHA-3.

Speaker 2

So that's a different one.

Speaker 2

And, hopefully, we'll get microprocessor support for SHA-3 in the next few years.

Speaker 1

There's a funny, like, story or, like, oddity of the Ethereum protocol: Ethereum uses Keccak-256, which is SHA-3 before it won the NIST competition.

Speaker 1

So SHA-3 went into NIST, and from Keccak-256 to SHA-3 there was a small tweak, and some hardcore Ethereum people, when this was going through, were theorizing that maybe this tweak was applied by a government agency to try to inject something, so they stuck with Keccak-256.

Speaker 2

There's a good story there about DES.

Speaker 2

So DES was modified between the submission and the thing, and everyone thought it was because the US government had modified it to make it weaker.

Speaker 2

Actually, what happened was the US government modified it to make it stronger.

Speaker 1

Yeah.

Speaker 1

So, to wrap up, what would you say you're looking forward to the most over the coming little while?

Speaker 1

Like, what new technologies, new projects, whatever it may be?

Speaker 2

Okay.

Speaker 2

So, cool things that are coming up: there's the excitement of the NIST post-quantum crypto competition.

Speaker 2

So who's going to win?

Speaker 2

Is it going to be Belgium?

Speaker 2

Is it going to be someone else?

Speaker 2

And of course, they're saying it's not a competition, so there's not going to be a winner.

Speaker 2

And you're going, like, yeah, right, everyone's going to still treat it as a winner.

Speaker 2

And so it's really important.

Speaker 2

And so that's going to be, like, what people settle on for encryption and signatures.

Speaker 2

I think there's a lot of work on zero knowledge proofs and proving those; we've already touched on that.

Speaker 2

I think a lot of people think MPC in the head might be pushed a lot further.

Speaker 2

I think applications of MPC in the real world are going to really take off.

Speaker 2

We're going to see lots of apps; we've already touched on a number in this podcast, and I think there's going to be a load there.

Speaker 2

And then there's the really weird and wacky stuff, you know, like the cryptographers always come up with these things. There was this idea a few years ago called indistinguishability obfuscation, which is a way of obfuscating code.

Speaker 2

I could give you the code and you don't know what the program does.

Speaker 2

But that's kind of died a bit in terms of research at the moment.

Speaker 2

But there'll be things that keep popping up.

Speaker 0

One of the things we've noticed is that a lot of times something will be developed.

Speaker 0

It'll be kind of exciting, but maybe not yet useful.

Speaker 0

It'll die down and then come back in some new form.

Speaker 0

Is there anything in, like, early research that you would love to see come back?

Speaker 0

Oh, I don't know.

Speaker 0

Be picked up?

Speaker 2

I think the thing is that if it was in early research, yeah, it's kind of weird in the fact that you go back and you go, oh, yeah, duh.

Speaker 2

It was actually there.

Speaker 2

It was already there.

Speaker 2

So, for example, we already talked about trusted execution environments; they were already in the FHE paper, you know, and you go, like... but everyone forgets it.

Speaker 2

And so actually, if I knew what was kind of cool in the past, that's what I would now be doing.

Speaker 0

Well, I guess that suggests we should be on the lookout.

Speaker 2

Yeah.

Speaker 2

Yeah.

Speaker 2

Yeah.

Speaker 2

Yeah.

Speaker 2

You've got to look out, but things come back and... yeah.

Speaker 2

It's kind of an interesting... you always see new things.

Speaker 2

The world revolves and you get new things come, the old things come back and they look like new.

Speaker 0

So what are you working on next?

Speaker 0

Or currently,

Speaker 2

we're working on some MPC in the head ideas to do more efficient zero knowledge proofs.

Speaker 2

We're looking at improvements for MPC protocols.

Speaker 2

We have, so our SPDZ protocol, we've embodied it in a piece of software called SCALE, S-C-A-L-E, which we're now maintaining and using in a number of applications, so people can download that and play with it as an MPC system.

Speaker 2

We're always looking to recruit new people.

Speaker 2

I mean, the whole area is really hot.

Speaker 2

There's not a single cryptographer on the planet who hasn't got a large number of job openings.

Speaker 2

So if anyone listening to this would like to come and work in Leuven, which is the biggest crypto group on the planet, we have the inventor of AES, one of the inventors of AES, who just works down the corridor from me.

Speaker 2

So whatever it is, we have work on Bitcoin and symmetric ciphers, privacy, and everything is going on in Leuven.

Speaker 2

We've got about 70 people working on cryptography just in Leuven.

Speaker 2

So if you're interested, please just drop us a line and come and work with us.

Speaker 1

Thank you very much for being on the podcast.

Speaker 1

It was a pleasure.

Speaker 0

No problem.

Speaker 0

Very interesting.

Speaker 0

And to our listeners, thanks for listening.

Speaker 1

Thanks for listening.
