Original: Using the blockchain as a digital signature scheme
Original author: Franco Amati
Original author's profile
What follows is my personal translation and study record. If there are any errors or misunderstandings, I would welcome corrections from readers.
The original article contains many Wikipedia links; for some of them I have laid out the content here to make it easier to consult and understand. Anything marked as a quote block is not part of the original text but my own annotation.
Since the late ’70s, digital signatures have been successfully used to provide authentication, integrity and non-repudiation of a message and its source.
Lotus Notes 1.0 (1989), first widely marketed software package to offer digital signature.
Algorithms such as DSA, PKCS #1 (RSA), ECDSA and others were or are used in digital signature solutions such as Pretty Good Privacy (PGP) and Adobe Sign, among others.
DSA (Digital Signature Algorithm)
PKCS #1 (Public-Key Cryptography Standards, part 1: the RSA standard)
ECDSA (Elliptic Curve Digital Signature Algorithm)
Bitcoin uses digital signatures (ECDSA) to prove ownership of funds, so sending bitcoins requires their owner to digitally sign to authorize the transfer. This transaction is sent to Bitcoin’s public network and later recorded in Bitcoin’s public database (the blockchain), so anyone can verify it by checking its digital signature.
Beyond that, Bitcoin has a scripting opcode called OP_RETURN that allows embedding up to 80 bytes of data when creating a transaction. It’s not much, but it is enough for a short phrase or some metadata.
In summary, by spending a very small amount of bitcoins (the transaction fee), we can record short authenticated pieces of immutable, irreversible and undeletable data in a public blockchain.
Let’s start simple and improve the idea step by step.
2.1 Starting point
If a Bitcoin address is ours, and using funds from it we record data in the blockchain, then that data is digitally signed by us. (My understanding: to record data in the blockchain one has to store it through OP_RETURN, at the cost of a small amount of funds, as described in the background section above.)
2.2 Hash functions
Since we only have 80 bytes, that would only work for signing very tiny pieces of data. To resolve this, we can select a document, apply a cryptographic hash function to it, and record the result in the Bitcoin transaction.
Figure: example of a hash function (an input and its digest)
Because of how these one-way functions work, we would be signing the whole document, no matter its length or size, and without exposing its contents. (My understanding: a hash function has the property of turning content of arbitrary length into a fixed-length hash value, and the process is practically impossible to reverse. So to the hash function any document is just an input of arbitrary length that always yields a fixed-length hash value, and that hash value can be put into the blockchain. The public nature of the blockchain exposes only the hash value; someone holding the hash value cannot reverse it to recover the original file contents, so there is no worry about the contents being exposed.)
As an example for people not used to these functions, the SHA-256 digest of Bitcoin’s white paper (a nine-page PDF file of 184 kB) is “b1674191a88ec5cdd733e4240a81803105dc412d6c6708d53ab94fc248f4f553”.
So we can combine cryptographic digests with some other metadata to record digitally signed information using our own format.
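A worked version of the record format just described, added here as an example (it is not code from the original article or from the author's service): the document is hashed with SHA-256, the digest is combined with a small application prefix and free-form metadata into a payload that must fit the 80-byte OP_RETURN limit, and the payload is encoded into and decoded from an OP_RETURN script. The `SIG1` prefix and the sample contract bytes are constructed assumptions; the opcode values (OP_RETURN = 0x6a, OP_PUSHDATA1 = 0x4c, direct pushes for 1..75 bytes) are Bitcoin script's.

```python
import hashlib
import hmac

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
MAX_OP_RETURN_PAYLOAD = 80  # data limit for OP_RETURN outputs mentioned in the article

# Hypothetical 4-byte application prefix so a verifier can tell our records apart
# from other OP_RETURN outputs; this is an assumption, not part of the article.
MAGIC = b"SIG1"
DIGEST_LEN = 32


def document_digest(document: bytes) -> bytes:
    """SHA-256 of the whole document: fixed length regardless of document size."""
    return hashlib.sha256(document).digest()


def build_payload(document: bytes, metadata: bytes = b"") -> bytes:
    """Our own record format: MAGIC || sha256(document) || free-form metadata."""
    payload = MAGIC + document_digest(document) + metadata
    if len(payload) > MAX_OP_RETURN_PAYLOAD:
        raise ValueError(
            f"payload is {len(payload)} bytes; OP_RETURN carries at most {MAX_OP_RETURN_PAYLOAD}"
        )
    return payload


def encode_op_return_script(payload: bytes) -> bytes:
    """OP_RETURN followed by one data push. Pushes of 1..75 bytes use the length
    itself as the opcode; 76..80 bytes need OP_PUSHDATA1 plus a length byte."""
    if not 1 <= len(payload) <= MAX_OP_RETURN_PAYLOAD:
        raise ValueError("payload must be 1..80 bytes")
    if len(payload) <= 75:
        push = bytes([len(payload)])
    else:
        push = bytes([OP_PUSHDATA1, len(payload)])
    return bytes([OP_RETURN]) + push + payload


def decode_op_return_script(script: bytes) -> bytes:
    """Inverse of encode_op_return_script; rejects anything that is not exactly one push."""
    if len(script) < 3 or script[0] != OP_RETURN:
        raise ValueError("not an OP_RETURN script")
    opcode = script[1]
    if 1 <= opcode <= 75:
        length, start = opcode, 2
    elif opcode == OP_PUSHDATA1:
        length, start = script[2], 3
    else:
        raise ValueError("unsupported push opcode")
    data = script[start:start + length]
    if len(data) != length or len(script) != start + length:
        raise ValueError("malformed data push")
    return data


def verify_record(document: bytes, script: bytes) -> dict:
    """Check a document against a recorded OP_RETURN script.

    Returns whether the record uses our format, whether the recorded digest
    matches the document, and the metadata recorded alongside it."""
    payload = decode_op_return_script(script)
    if len(payload) < len(MAGIC) + DIGEST_LEN or not payload.startswith(MAGIC):
        return {"ours": False, "matches": False, "metadata": b""}
    recorded = payload[len(MAGIC):len(MAGIC) + DIGEST_LEN]
    return {
        "ours": True,
        # the digest is public anyway, but constant-time comparison is a cheap habit
        "matches": hmac.compare_digest(recorded, document_digest(document)),
        "metadata": payload[len(MAGIC) + DIGEST_LEN:],
    }


if __name__ == "__main__":
    # Constructed sample document; the article's own example is the Bitcoin white paper.
    contract = b"Constructed sample contract text for demonstration."
    script = encode_op_return_script(build_payload(contract, b"v1"))
    print(script.hex())
    print(verify_record(contract, script))
```

With a 4-byte prefix and a 32-byte digest, 44 bytes remain for metadata before the 80-byte limit is hit; a verifier that holds the document, the script and the public key of the spending address has everything it needs, which is the point of recording a digest rather than the document itself.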
In 1976 Martin Hellman (center) and Whitfield Diffie (right), influenced by Ralph Merkle’s (left) work, described the first published public-key cryptosystem.
When using digital signatures we are using public-key cryptography. Under the hood, Bitcoin is using the same, but to verify a signature in traditional schemes we would be checking against a public key, whereas in my excessively basic example we were verifying against a Bitcoin address (which usually happens to be an ECDSA public key after some hashing, encoding and error checking). (The original links to the Wikipedia articles on these algorithms for anyone interested.)
Quoted from Wikipedia: Public key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, which is when the public key is used to verify that a holder of the paired private key sent the message, and encryption, whereby only the holder of the paired private key can decrypt the message encrypted with the public key.
Since most Bitcoin addresses (P2PKH) are created using their own public key, we could be showing that key instead of the address to verify our signed data. Or we could be using different P2SH addresses to record data in the blockchain, all of them verifiable against the same public key (or against the same extended public key on hierarchical deterministic wallets). (My understanding: P2SH here needs further study and could be an article of its own; interested readers can start with the P2SH section of Mastering Bitcoin.
According to the P2SH description on GitHub: The purpose of pay-to-script-hash is to move the responsibility for supplying the conditions to redeem a transaction from the sender of the funds to the redeemer. The benefit is allowing a sender to fund any arbitrary transaction, no matter how complicated, using a fixed-length 20-byte hash that is short enough to scan from a QR code or easily copied and pasted.
My understanding of the "complicated" transactions mentioned here is Bitcoin's own balance-and-change mechanism. For example, my account (X) holds only 2 units that A gave me and 3 units that B gave me, and I want to send 4 units to C; then the addresses of A, B, C and my own will all be involved. The A and B inputs combine into an amount of 5, and the remaining 1 unit I send back to my own address as change. A large number of addresses appear in this process; if C wants to spend those 4 units next time and has to know not only about me but also the addresses of A's and B's transactions with me (X), then using those 4 units becomes very complicated and painful for C. With P2SH these complicated addresses are hashed, and C only needs to know my (X's) address.)
P2PKH
Quoted from Mastering Bitcoin, on P2PKH (Pay-to-Public-Key-Hash): The vast majority of transactions processed on the bitcoin network are P2PKH transactions. These contain a locking script that encumbers the output with a public key hash, more commonly known as a bitcoin address. Transactions that pay a bitcoin address contain P2PKH scripts. An output locked by a P2PKH script can be unlocked (spent) by presenting a public key and a digital signature created by the corresponding private key.
Combining everything we have mentioned, we achieve a digital signature scheme with unique characteristics. I will try to detail a few of them; depending on the context, some could be considered advantages or disadvantages.
4.1 “Multisig” digital signatures
Let’s first explain what a “multisig” Bitcoin address is. These are addresses that have multiple associated private keys, and a quorum of them is needed to spend their funds. So we can have an address with some bitcoins in it and make them spendable only if two-of-two, three-of-four, two-of-five or any other valid combination of private keys is available for signing (we can relate this to secret sharing as described by Adi Shamir).
(My understanding: the simplest analogy is a husband and wife opening a joint account whose password is six digits long, where the husband knows the first three digits and the wife the last three; to withdraw or spend, both must enter their part. A multisig account is one that requires a fixed combination, or a fixed number, of the account holders to sign together before the funds can be used.)
Bringing this to digital signatures, we could record a cryptographic digest of a document in the blockchain using an address with any of these m-of-n combinations. Then we would be signing the document with a preset combination of signatures.
(My understanding: in other words, to read this information you need several people's signatures.)
By using traditional digital signature schemes we can have a contract signed by many people, but we can’t preset the required signatures according to the contract content, nor can we enforce that m-of-n predefined signatures are needed for the contract to be signed.
This method could make audits far simpler and was already used two months ago when we helped CESYT (translator's note: an educational institution in San Isidro, Argentina) in being the first academic institution to record proof of all their official career diplomas on Bitcoin’s blockchain.
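To make the m-of-n idea of section 4.1 concrete (and the "different P2SH addresses, same public keys" point from the public-key section above), here is an added example that is not code from the original article: it builds and parses a bare Bitcoin multisig redeem script of the form `OP_m <pubkey>... OP_n OP_CHECKMULTISIG`, and evaluates the quorum the way OP_CHECKMULTISIG does, where signatures must be supplied in the same relative order as the keys and each key can satisfy at most one signature. Real Bitcoin signatures are ECDSA; because this example has to run offline with the standard library, the "signatures" here are a constructed HMAC stand-in whose verifier holds a lookup table, which is an assumption of the demo and not how Bitcoin verifies anything.

```python
import hashlib
import hmac
from typing import Callable, List, Tuple

OP_CHECKMULTISIG = 0xAE
PUBKEY_LEN = 33  # compressed secp256k1 public key


def op_n(n: int) -> int:
    """OP_1 .. OP_16 are encoded as 0x51 .. 0x60."""
    if not 1 <= n <= 16:
        raise ValueError("n must be between 1 and 16")
    return 0x50 + n


def build_multisig_redeem_script(m: int, pubkeys: List[bytes]) -> bytes:
    """OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG; the quorum is part of the script itself."""
    n = len(pubkeys)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    script = bytes([op_n(m)])
    for pk in pubkeys:
        if len(pk) != PUBKEY_LEN:
            raise ValueError("expected a 33-byte compressed public key")
        script += bytes([PUBKEY_LEN]) + pk  # direct push of 33 bytes
    return script + bytes([op_n(n), OP_CHECKMULTISIG])


def parse_multisig_redeem_script(script: bytes) -> Tuple[int, List[bytes]]:
    """Recover (m, pubkeys) from a bare multisig redeem script; rejects other scripts."""
    m = script[0] - 0x50
    pubkeys, i = [], 1
    while i < len(script) and script[i] == PUBKEY_LEN:
        pubkeys.append(script[i + 1:i + 1 + PUBKEY_LEN])
        i += 1 + PUBKEY_LEN
    if i + 2 != len(script) or script[i + 1] != OP_CHECKMULTISIG:
        raise ValueError("not a bare m-of-n multisig redeem script")
    n = script[i] - 0x50
    if n != len(pubkeys) or not 1 <= m <= n:
        raise ValueError("inconsistent m/n in script")
    return m, pubkeys


def check_multisig(m: int, pubkeys: List[bytes], signatures: List[bytes], digest: bytes,
                   verify: Callable[[bytes, bytes, bytes], bool]) -> bool:
    """Mirror OP_CHECKMULTISIG evaluation: exactly m signatures, matched against the
    keys in order; a signature that fails against all remaining keys sinks the spend."""
    if len(signatures) != m:
        return False
    isig = ikey = 0
    while isig < len(signatures):
        if len(signatures) - isig > len(pubkeys) - ikey:
            return False  # more signatures left than keys to try them against
        if verify(pubkeys[ikey], digest, signatures[isig]):
            isig += 1
        ikey += 1
    return True


# --- Constructed symmetric stand-in for ECDSA keys and signatures (demo only) ---
DEMO_SECRETS = {
    name: hashlib.sha256(f"demo-signer-{name}".encode()).digest()
    for name in ("alice", "bob", "carol")
}


def demo_pubkey(secret: bytes) -> bytes:
    # 0x02 prefix plus 32 bytes, so it has the shape of a compressed public key
    return b"\x02" + hashlib.sha256(b"pub" + secret).digest()


def demo_sign(secret: bytes, digest: bytes) -> bytes:
    return hmac.new(secret, digest, hashlib.sha256).digest()


# The verifier can only check a stand-in signature because it knows the secrets;
# with real ECDSA the public key alone would suffice.
PUBKEY_TO_SECRET = {demo_pubkey(s): s for s in DEMO_SECRETS.values()}


def demo_verify(pubkey: bytes, digest: bytes, signature: bytes) -> bool:
    secret = PUBKEY_TO_SECRET.get(pubkey)
    return secret is not None and hmac.compare_digest(demo_sign(secret, digest), signature)


def sign_document_with_quorum(document: bytes, redeem_script: bytes,
                              signer_secrets: List[bytes]) -> bool:
    """Hash the document, sign it with the given signers (in the order given),
    and report whether the redeem script's quorum is satisfied."""
    m, pubkeys = parse_multisig_redeem_script(redeem_script)
    digest = hashlib.sha256(document).digest()
    signatures = [demo_sign(s, digest) for s in signer_secrets]
    return check_multisig(m, pubkeys, signatures, digest, demo_verify)
```

The parser is what an auditor would run against the redeem script revealed when a P2SH output is spent: it yields the exact quorum and the exact keys that authorized the record, which is the "preset combination of signatures" the article contrasts with traditional schemes.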
4.2 Smart signing
Making m-of-n predefined signatures mandatory is not the only requirement we can set. Using a Bitcoin opcode like CHECKLOCKTIMEVERIFY (CLTV) we can define time conditions for a contract to be digitally signed.
(My understanding: CHECKLOCKTIMEVERIFY needs further study and understanding.)
Future Bitcoin features, as well as solutions like Ethereum, Counterparty or RootStock, will further improve this functionality.
4.3 Timestamping
Timestamps based on blockchain technology work quite differently from the ones generally used in digital signatures. Bitcoin transactions are included in blocks generated in 10-minute periods (the average block time). When a transaction, or a signed document in our case, is included in a block and recorded in the blockchain, the block’s timestamp applies to all of its transactions.
(My understanding: so here the timestamp is not one stamp per transaction, and it is not necessarily the instant the transaction happened. The timestamp is the time at which the transaction was fixed into a block, and a large number of transactions share the same timestamp. You make a transaction and then wait for the timestamp to be generated; the article says about 10 minutes on average, but your transaction is not necessarily stamped within 10 minutes; it may take longer.)
Meanwhile, traditional timestamp solutions (RFC 3161 / ANSI X9.95) need trusted third parties called Time Stamping Authorities (TSAs), and their long-term use (RFC 4998) involves perpetual maintenance to preserve the validity of the certified timestamp (linked timestamping).
The blockchain alternative has none of these problems, but its accuracy is in the range of several minutes (it may improve in future Bitcoin protocol revisions, or with new layers on top of it), not seconds like most TSAs. For signing contracts a date is more than enough, but a few use cases may need a more accurate time representation, where adding a TSA hash to the blockchain record could be desirable (the best of both worlds).
Nevertheless, the advantages of blockchain timestamping are substantial, and particularly decisive in legal matters (no trusted third party) and long-term record archiving (no maintenance costs or risks).
(My understanding: this makes sense. Most of the time a timestamp does not need to be precise to the second; the same day is good enough, so the blockchain's delay of ten-odd or even tens of minutes does not matter much. Not having to worry about maintenance is indeed a very big advantage of the blockchain.)
The scheme we described works as a detached digital signature, where the signature is recorded in the public blockchain and kept separate from its signed data. It has the convenience of not needing to safeguard the signature itself somewhere else, while still being able to verify it with the appropriate document and public key.
This also means that anyone with our public key can notice when we are signing something or, when using “multisig”, with whom. Some use cases like certifications or notary services may need this property, but even if the data publicly recorded in the blockchain is a cryptographic digest that has no use without the original document, it’s still something to take into consideration.
(My understanding: for example, you are a real-estate agent with many competitors. Your competitors cannot see on the blockchain exactly what you signed, but they can see when you signed something and with whom. They can see that you did a deal today, another deal tomorrow, and so on. From some angles this data is valuable too.)
Anyhow, the above-described behaviour could be made optional using Schnorr signatures, which may be supported by Bitcoin in the near future, and which are also planned in RootStock’s white paper as one of their supported signature schemes. (My understanding: Schnorr signatures feel like a big rabbit hole; another half-day will be needed to understand them.)
Digital signatures authenticate the source of a message and guarantee its integrity, but what we expect from these roles may be compromised if we are required to trust the repository where those signatures are located.
For example, a software package and its signature could be replaced with older versions having an important vulnerability, which can be exploited to gain unauthorized access. In this case, the old but valid signature will still assure source and integrity, even though the verifier has been deceived by an intruder. (My understanding: I did not understand this part.)
Blockchain’s distributed consensus solves this with a public repository where we can all agree on the latest signatures (a shared single source of truth). In fact, and more importantly, we can be sure that we are all seeing the same signatures, and no one can change them.
The immutable, irreversible, undeletable and distributed-consensus nature of the blockchain has appropriate attributes for the management and storage of public keys.
Key revocation could be publicly announced and timestamped in the same blockchain where documents using that key are signed and timestamped as well, making the whole process simple and straightforward. (My understanding: I did not understand the English original of this passage.)
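The two points above, the rollback of a signed package to an older but validly signed version and key revocation recorded in the same ledger as the signatures, come down to one verification rule over a shared record set. The following is an added example that is not from the original article: a constructed in-memory model of ledger records (each carrying the height and timestamp of the block it was mined in), a signer-key label, a kind of `sign` or `revoke`, and a document digest. The verifier accepts a document only if its digest was signed before the key's revocation and no later signature for the same document name exists; the key label, block heights and timestamps are all made up for the demo.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    """One OP_RETURN-style record as seen in the blockchain (constructed model)."""
    block_height: int
    block_time: int      # the block's timestamp, inherited by every transaction in it
    signer_key: str      # identifier of the signing public key (constructed label)
    kind: str            # "sign" or "revoke"
    subject: str         # document name for "sign"; revoked key identifier for "revoke"
    digest: bytes = b""  # sha256 of the document for "sign" records


def revocation_height(ledger: List[Record], signer_key: str) -> Optional[int]:
    """Height of the earliest revocation record for this key, or None if never revoked."""
    heights = [r.block_height for r in ledger if r.kind == "revoke" and r.subject == signer_key]
    return min(heights) if heights else None


def verify_against_ledger(ledger: List[Record], document: bytes, name: str, signer_key: str) -> Dict:
    """Decide whether `document` is the current, validly signed version of `name`.

    Statuses:
      unsigned                -- no signature by this key for this document name
      digest-mismatch         -- the key signed this name, but not these bytes
      signed-after-revocation -- the signature was recorded at or after the key's revocation
      superseded              -- valid, but a newer signature for the same name exists (the rollback case)
      valid                   -- current signature; timestamp is the block time of the signing record
    """
    digest = hashlib.sha256(document).digest()
    revoked_at = revocation_height(ledger, signer_key)
    signatures = sorted(
        (r for r in ledger if r.kind == "sign" and r.signer_key == signer_key and r.subject == name),
        key=lambda r: r.block_height,
    )
    if not signatures:
        return {"status": "unsigned", "timestamp": None}
    ours = [r for r in signatures if r.digest == digest]
    if not ours:
        return {"status": "digest-mismatch", "timestamp": None}
    record = ours[0]
    if revoked_at is not None and record.block_height >= revoked_at:
        return {"status": "signed-after-revocation", "timestamp": record.block_time}
    # Only signatures made before the revocation can define the "latest" version.
    live = [r for r in signatures if revoked_at is None or r.block_height < revoked_at]
    if record.block_height < live[-1].block_height:
        return {"status": "superseded", "timestamp": record.block_time}
    return {"status": "valid", "timestamp": record.block_time}


# Constructed sample ledger: three releases of a package signed with one key, with the
# key revoked between the second and third release. Heights and epoch times are made up.
KEY = "02deadbeef"  # constructed label, not a real public key
PKG_V1, PKG_V2, PKG_V3 = b"package v1 bytes", b"package v2 bytes", b"package v3 bytes"
SAMPLE_LEDGER = [
    Record(100, 1_500_000_000, KEY, "sign", "package", hashlib.sha256(PKG_V1).digest()),
    Record(150, 1_500_030_000, KEY, "sign", "package", hashlib.sha256(PKG_V2).digest()),
    Record(200, 1_500_060_000, KEY, "revoke", KEY),
    Record(210, 1_500_066_000, KEY, "sign", "package", hashlib.sha256(PKG_V3).digest()),
]

if __name__ == "__main__":
    for label, pkg in (("v1", PKG_V1), ("v2", PKG_V2), ("v3", PKG_V3), ("tampered", b"tampered")):
        print(label, verify_against_ledger(SAMPLE_LEDGER, pkg, "package", KEY))
```

Because every verifier reads the same ledger, v1 is reported as superseded even though its signature is genuine, which is exactly the rollback the article describes; a signature-only check with no shared source of truth would have accepted it.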
Conclusion
We believe there are use cases where using the blockchain as a digital signature scheme provides useful features over traditional solutions.
As a result, we will soon be providing a platform and API where anyone can sign documents, records or contracts as described here, and we plan to use this as part of more specialized transparency, authentication and data integrity services. Stay tuned. :)