匿名性が気になってZerocashの White Paperを追ってみた #blockchaintokyo

ಗ໊ੑ͕ؾʹͳͬͯ;FSPDBTIͷ  8IJUF1BQFSΛ௥ͬͯΈͨ @MasashiSalvador 2018/01/16 blockchain.tokyo#4 @Mercari

Who am I? %F/" ιʔγϟϧήʔϜ։ൃ FVSFLB σʔςΟϯάΞϓϦέʔγϣϯ։ൃ (Pݴޠ 'PVOEFEBTUBSUVQ'SFFMBODF ཱྀߦऀ޲͚ͷαʔϏε্ཱͪ͛
3FBDU 3BJMT J04։ൃ (VOPTZOPX d/08 άϊγʔͷಈըपลͷ։ൃ @MasashiSalvador (Masashi Salvador Mitsuzawa) ܦྺ झຯ ΧϨʔ৯͏ͨΊʹੜ͖ͯΔ!JOTUBHSBN ஡ಓ͓஡पΓ ɹɹք۾Ͱ͓஡΍ͬͯΔํ͓੠͕͚Λʜ

- Ծ૝௨՟ʹ͓͚Δಗ໊ੑ - Zcashೖ໳ - Zcashͱ͸ - θϩ஌ࣝূ໌ - zcashd
/ zcash-cli - Zcashͷߟ͑ํ - Zcash White PaperΛಡΉ

Ծ૝௨՟ʹ͓͚Δಗ໊ੑ - औҾ͕νΣʔϯ্ʹશͯެ։͞Ε͍ͯΔ - ୭͔Β୭ʹ͍͘Βࢧ෷ΘΕ͔ͨΛtraceͰ͖Δ - ࢧ෷͍ܦ࿏ / ֹ͕ݟ͑ͯ͠·͏ͱ͍͏ҙຯͰඇಗ໊ -
Mixing - Ring Signature - One-Time Address - Zero Knowledge Proof - Bitcoin - traceabilityΛԼ͛ΔͨΊͷٕज़ 5Y 5Y 5Y 5Y 1PPM/PEF 5Y 5Y

- ֤छಗ໊ੑ௨՟ͱར༻ٕज़ - ͦͷଞʮಗ໊ੑʯΛ࣮ݱ͢ΔͨΊͷٕज़ - Blind Signature (த਎Λ஌Δ͜ͱͳ͘ॺ໊͢Δʣ

;$BTIͱ͸ʁ - ਖ਼ࣜϦϦʔε: 2016/10/26 ~ - ZCash Company͕؅ཧओମ - ZCash
Foundation͕Zcash ProtocolΛ؅ཧ  https://github.com/ZcashFoundation/ZcashFoundation/blob/master/MISSION.md - Protocol΍࣮૷͸Φʔϓϯιʔε - White PaperΛϕʔεʹProtocol Specʹ۩ମԽͷํ๏͕هࡌ - ൃߦ૯ྔ͸Bitcoinͱಉ͡2100ສຕ - ൃߦϧʔϧ͸ௐ੔͞Ε͍ͯΔ - Proof of Work / EquiHash - ιʔείʔυͷେݩ͸Bitcoin - ͔ͳΓScientificͳํ๏Ͱ࡞͍ͬͯΔͳ͊…ͱ͍͏ҹ৅

θϩ஌ࣝূ໌<d> - > ࣗ෼ͷ͍࣋ͬͯΔ໋୊͕ਅͰ͋Δ͜ͱΛ఻͑ΔͷʹɺਅͰ͋Δ͜ͱҎ֎ͷԿͷ஌ࣝ΋఻͑Δ͜ͱ ͳ͘ূ໌Ͱ͖ΔΑ͏ͳ΍ΓͱΓͷख๏ (https://ja.wikipedia.org/wiki/θϩ஌ࣝূ໌) - Πϝʔδ:ະ࢖༻τϥϯβΫγϣϯʹରԠ͢Δൿີ伴Λॴ͍࣋ͯ͠Δ͜ͱΛൿີ伴Λఏࣔͤͣʹূ໌ - ֬཰తূ໌
(ࢼߦճ਺Λ܁Γฦ͢͜ͱͰِͷ໋୊Λਅͱࣔ֬͢཰ΛݮΒ͢ - ಎ۸ͷྫ - ຤ඌʹࢀߟจݙΛ෇͠·͢ - ର࿩ܕͱඇର࿩ܕ͕͋Δ

[DBTIE[DBTIDMJ - جຊbitcoinͱಉ͡ / Debianܥʹ͸γϡοͱೖΔ TFFIUUQTHJUIVCDPN[DBTI[DBTIXJLJ%FCJBOCJOBSZQBDLBHFT - Installation - Download
Required Parameters - testnet༻ͷઃఆΛॻ͍ͯΰχϣΔ

[DBTIE[DBTIDMJ - جຊbitcoinͷclientͱಉ͡ - Shield address / ී௨ͷΞυϨεͲͪΒ΋ൃߦͰ͖Δ

τϥϯβΫγϣϯͷத਎ - https://explorer.zcha.inɹͰݟΕΔ - ಗ໊ΞυϨε -> ެ։ΞυϨε https://explorer.zcha.in/transactions/ad01194807f9f343f46125ef703742ea91be14c72c5277880a98b4e4a5a3f450 - ެ։ΞυϨε
-> ಗ໊ΞυϨε https://explorer.zcha.in/transactions/757b8ec048fc76a39c12813d5861df868e9036f98c13b4464b1662b55b09609e

;DBTIͷߟ͑ํ - ҎԼ White Paper[2014] ʹଇΓ·͢ - Լهͷ6εςοϓͰ Decentralized Anonimous
PaymentΛߟ͑Δ 1. user anonymity with fixed-value coins ૹ৴ऀΛൿಗ͢Δํ๏Λ؆୯ʹఏҊ 2. compressing the list of coin commitments. ϚʔΫϧπϦʔΛѹॖͯ͠ޮ཰Λ্͛Δ 3. extending coins for direct anonymous payments. ಗ໊ੑΛอͬͨ··ະ࢖༻τϥϯβΫγϣϯΛ࢖༻͢Δํ๏ 4. sending coins. ɹɹkey-private encryption schemeΛ༻͍ͨૹۚ๏ 5. public outputs. ɹɹඇಗ໊ͳτϥϯβΫγϣϯΞ΢τϓοτΛ࡞ΕΔΑ͏ʹमਖ਼ 6. non-malleability. ɹɹϚϦΞϏϦςΟʹؔ͢Δߟ࡯

1. user anonymity with fixed-value coins બ୒ͨ͠ϥϯμϜͳ஋ ϝοηʔδ ίϛοτϝϯτ statistically-hiding
non-interactive commitment schemeΛ༻͍Δͦ͏ ༻ޠ ྆ऀΛ஌͍ͬͯΔ৔߹ͷΈ౳߸ͷ੒ཱΛ֬ೝͰ͖Δ coinͷϕʔεͱͳΔߟ͑ํ 2ͭͷཚ਺ Λબ୒͠ Λܭࢉ͢Δ ͱ͢Δ ΛؚΊͯ ૹ৴ 1BTCΛpoolʹdeposit ωοτϫʔΫʹه࿥͞ΕͨίϛοτϝϯτͷҰཡ ίΠϯੜ੒

΋஌͍ͬͯΔͷͰ͕ Λ࢖͔ͬͨͲ͏͔෼͔Δɻͦ΋ͦ΋͕ෆਖ਼ʹ࢖͑Δ ͓Αͼ ྆ऀΛؚΜͩ ͕ ૹ৴ ίΠϯ࢖༻ θϩ஌ࣝূ໌͢Δ໋୊ : ʹؚ·ΕΔΑ͏ͳ
Λ஌͍ͬͯΔ ূ໌Ͱ͖Ε͹depositͨ͠1BTC͕෷͍ग़͞ΕΔ White Paperʹ͸͜ΕʹΑΓར༻ऀͷಗ໊ੑ͕ಘΒΕΔͱॻ͔Ε͍ͯΔ͕ʢϐϯͱ͖͍ͯͳ͍…) > the origin of the payment is anonymous. ໰୊఺:ૹۚͰ͖ͳ͍ ΋

3. extending coins for direct anonymous payments ಗ໊Ͱૹۚ͠߹͑ΔΑ͏ʹಓ۩Λಋೖ pseudorandom function
(moreover collision-resistant) address public key / address private key Լ४උ Λੜ੒ γʔυ ੜ੒͞Εͨaddress private key ίΠϯͷੜ੒ ͷྔͷcoinΛੜ੒ Λ1ͭબͼcoinͷγϦΞϧφϯόʔ ΛఆΊΔ ཚ਺ ʹରͯ͠ Λܭࢉ͢Δ ʹରͯ͠ Λܭࢉ͢Δ Λcoinͱ͠ ͸ ΛؚΉ Λdepositͨ͠৔߹ͷΈωοτϫʔΫʹτϥϯβΫγϣϯ͕औΓࠐ·ΕΔ ཚ਺

3. extending coins for direct anonymous payments ίΠϯͷ࢖༻ address: address:
ίΠϯੜ੒ͱಉ༷ʹ Λܭࢉ Լهͷθϩ஌ࣝূ໌͢΂໋͖୊ΛίΠϯར༻ͷτϥϯβΫγϣϯʹؚΊΔ ʁʁ

Λղऍ͢Δͱ - ൿಗ͢΂͖৘ใΛ໌͔ͣ͞ʹɺίΠϯ͕ϧʔϧʹଇͬͯੜ੒͞Ε͍ͯΔ͜ͱ - ૹۚݩͷެ։伴Λੜ੒͢Δൿີ伴஌͍ͬͯΔ͜ͱ - ίΠϯͷ࢖༻৚݅Ͱ͋ΔγϦΞϧφϯόʔΛੜ੒͢Δൿີ伴Λ஌͍ͬͯΔ͜ͱ - ࢖༻͢ΔίΠϯʹରԠ͢Δੜ੒τϥϯβΫγϣϯ͕ଘࡏ͢Δ -
ૹۚ͢ΔίΠϯͷֹ໘͕͍͘Β͔͸໌͔͞ͳ͍͕ɺ߹ܭ஋ͰӕΛ͍͍ͭͯͳ͍ ͱ͍͏͜ͱʹͳΔ

- ݁ՌɺτϥϯβΫγϣϯʹૹۚઌΞυϨε΋ૹۚ͢Δ஋΋ؚΊ͍ͯͳ͍ - ಗ໊ੑ͕੒Γཱ͍ͬͯΔ - ίΠϯΛ࢖༻͢ΔͨΊͷ஋Λ҆શʹૹۚ૬खʹ఻͑Δඞཁ͕͋Δ…

௥͍͖Ε͍ͯͳ͍͜ͱ - εέʔϥϏϦςΟ - Zk-SNARKͱݺ͹ΕΔθϩ஌ࣝূ໌ͷৄࡉ - ඇର࿩ܕͰͲ͏࣮૷͍ͯ͠Δ͔ - τϥϯβΫγϣϯͷৄࡉ -
JoinSplit Transaction - ͲΜͳ෩ʹ࣮૷͞Ε͍ͯΔͷ͔… - पลٕज़.. - ੬ऑੑपΓ  https://z.cash/blog/fixing-zcash-vulns.html

ॴײ - ։ൃ͸ͦΕͳΓʹਐΜͰ͍ͦ͏ - BlogͰͷ৘ใൃ৴΋׆ൃ - ΰπ͔ͬͨ…

匿名性が気になってZerocashの White Paperを追ってみた #blockchaintokyo

匿名性が気になってZerocashの White Paperを追ってみた #blockchaintokyo

Masashi Salvador Mitsuzawa

More Decks by Masashi Salvador Mitsuzawa

Other Decks in Technology

Featured

Transcript

ಗ໊ੑ͕ؾʹͳͬͯ;FSPDBTIͷ  8IJUF1BQFSΛ௥ͬͯΈͨ @MasashiSalvador 2018/01/16 blockchain.tokyo#4 @Mercari

Who am I? %F/" ιʔγϟϧήʔϜ։ൃ FVSFLB σʔςΟϯάΞϓϦέʔγϣϯ։ൃ (Pݴޠ 'PVOEFEBTUBSUVQ'SFFMBODF ཱྀߦऀ޲͚ͷαʔϏε্ཱͪ͛

- Ծ૝௨՟ʹ͓͚Δಗ໊ੑ - Zcashೖ໳ - Zcashͱ͸ - θϩ஌ࣝূ໌ - zcashd

Ծ૝௨՟ʹ͓͚Δಗ໊ੑ - औҾ͕νΣʔϯ্ʹશͯެ։͞Ε͍ͯΔ - ୭͔Β୭ʹ͍͘Βࢧ෷ΘΕ͔ͨΛtraceͰ͖Δ - ࢧ෷͍ܦ࿏ / ֹ͕ݟ͑ͯ͠·͏ͱ͍͏ҙຯͰඇಗ໊ -

- ֤छಗ໊ੑ௨՟ͱར༻ٕज़ - ͦͷଞʮಗ໊ੑʯΛ࣮ݱ͢ΔͨΊͷٕज़ - Blind Signature (த਎Λ஌Δ͜ͱͳ͘ॺ໊͢Δʣ

;$BTIͱ͸ʁ - ਖ਼ࣜϦϦʔε: 2016/10/26 ~ - ZCash Company͕؅ཧओମ - ZCash

[DBTIE[DBTIDMJ - جຊbitcoinͱಉ͡ / Debianܥʹ͸γϡοͱೖΔ TFFIUUQTHJUIVCDPN[DBTI[DBTIXJLJ%FCJBOCJOBSZQBDLBHFT - Installation - Download

[DBTIE[DBTIDMJ - جຊbitcoinͷclientͱಉ͡ - Shield address / ී௨ͷΞυϨεͲͪΒ΋ൃߦͰ͖Δ

τϥϯβΫγϣϯͷத਎ - https://explorer.zcha.inɹͰݟΕΔ - ಗ໊ΞυϨε -> ެ։ΞυϨε https://explorer.zcha.in/transactions/ad01194807f9f343f46125ef703742ea91be14c72c5277880a98b4e4a5a3f450 - ެ։ΞυϨε

;DBTIͷߟ͑ํ - ҎԼ White Paper[2014] ʹଇΓ·͢ - Լهͷ6εςοϓͰ Decentralized Anonimous

1. user anonymity with fixed-value coins બ୒ͨ͠ϥϯμϜͳ஋ ϝοηʔδ ίϛοτϝϯτ statistically-hiding

΋஌͍ͬͯΔͷͰ͕ Λ࢖͔ͬͨͲ͏͔෼͔Δɻͦ΋ͦ΋͕ෆਖ਼ʹ࢖͑Δ ͓Αͼ ྆ऀΛؚΜͩ ͕ ૹ৴ ίΠϯ࢖༻ θϩ஌ࣝূ໌͢Δ໋୊ : ʹؚ·ΕΔΑ͏ͳ

3. extending coins for direct anonymous payments ಗ໊Ͱૹۚ͠߹͑ΔΑ͏ʹಓ۩Λಋೖ pseudorandom function

3. extending coins for direct anonymous payments ίΠϯͷ࢖༻ address: address:

Λղऍ͢Δͱ - ൿಗ͢΂͖৘ใΛ໌͔ͣ͞ʹɺίΠϯ͕ϧʔϧʹଇͬͯੜ੒͞Ε͍ͯΔ͜ͱ - ૹۚݩͷެ։伴Λੜ੒͢Δൿີ伴஌͍ͬͯΔ͜ͱ - ίΠϯͷ࢖༻৚݅Ͱ͋ΔγϦΞϧφϯόʔΛੜ੒͢Δൿີ伴Λ஌͍ͬͯΔ͜ͱ - ࢖༻͢ΔίΠϯʹରԠ͢Δੜ੒τϥϯβΫγϣϯ͕ଘࡏ͢Δ -

- ݁ՌɺτϥϯβΫγϣϯʹૹۚઌΞυϨε΋ૹۚ͢Δ஋΋ؚΊ͍ͯͳ͍ - ಗ໊ੑ͕੒Γཱ͍ͬͯΔ - ίΠϯΛ࢖༻͢ΔͨΊͷ஋Λ҆શʹૹۚ૬खʹ఻͑Δඞཁ͕͋Δ…

௥͍͖Ε͍ͯͳ͍͜ͱ - εέʔϥϏϦςΟ - Zk-SNARKͱݺ͹ΕΔθϩ஌ࣝূ໌ͷৄࡉ - ඇର࿩ܕͰͲ͏࣮૷͍ͯ͠Δ͔ - τϥϯβΫγϣϯͷৄࡉ -

ॴײ - ։ൃ͸ͦΕͳΓʹਐΜͰ͍ͦ͏ - BlogͰͷ৘ใൃ৴΋׆ൃ - ΰπ͔ͬͨ…