Secure Custody Dictionary

Adversary

敌手

In cryptography, an adversary (rarely opponent, enemy) is a malicious entity whose aim is to prevent the users of the cryptosystem from achieving their goal (primarily privacy, integrity, and availability of data). An adversary's efforts might take the form of attempting to discover secret data, corrupting some of the data in the system, spoofing the identity of a message sender or receiver, or forcing system downtime.

在密码学中，敌手（很少是对手、敌人）是一个恶意实体，其目的是阻止密码系统的用户实现他们的目标（主要是数据的隐私性、完整性和可用性）。敌手可能采取以下形式：尝试发现秘密数据、破坏系统中的某些数据、欺骗消息发送者或接收者的身份，或迫使系统停机来进行阻碍。

Malicious Adversaries

恶意敌手模型

In malicious adversary mode, a malicious (also known as active) adversary may cause corrupted parties to deviate arbitrarily from the prescribed protocol in an attempt to violate security. A malicious adversary has all the powers of a semi-honest one in analyzing the protocol execution, but may also take any actions it wants during protocol execution. Note that this subsumes an adversary that can control, manipulate, and arbitrarily inject messages on the network.

在恶意敌手模型中, 恶意敌手（也称为主动敌手）可能使得被损方任意偏离原定协议以破环安全。恶意敌手有着半诚信敌手分析协议执行状况的所有权利，但是也可能在协议执行过程中采取任何想要进行的行动。注意，这还包括一位敌手可以在网络内控制、篡改和任意植入信息。

Semi-Honest Adversaries

半诚实敌手模型

A semi-honest adversary (also known as passive) is one who corrupts parties but follows the protocol as specified. In this mode, the corrupt parties run the protocol honestly but they may try to learn as much as possible from the messages they receive from other parties. Note that this may involve several colluding corrupt parties pooling their views together in order to learn information. That’s to say, the corrupt parties have the needs to acquire raw data from their counterparties and the involved parties have certain trust on each other.

半诚信敌手（也称为消极敌手）是损害涉及方但遵循指定的协议的敌手。在半诚信敌手模型中，腐败方会诚实运行协议，但可能会尝试从对方发来的信息中尽可能获取更多内容。注意，这可能包括几个腐败方串通在一起将他们的观点汇总以得到信息。也就是说，参与方之间有一定的信任关系，且有计算方存在获取交易对方原始数据的需求。

ARM TrustZone

ARM TrustZone

ARM TrustZone is a hardware security extension technology, which aims to provide secure execution environment by splitting computer resources between two execution worlds, namely normal world and secure world. Two words are totally segregated by hardware that they have different permissions. The applications or operating systems in normal world will be strictly limited to access resources in secure world, while in contrast, programs in secure world can access resources in normal world normally. These qualities, such as hardware isolation and different permissions all make up an effective mechanism for protecting code and data of applications. Generally, normal world is used for product operating system (such as Android, iOS) which provides REE (Rich Execution Environment), and in secure world, TEE-kernel is used to create TEE (Trusted Execution Environment) that confidential data can be stored and accessed in TEE.

ARM TrustZone 是硬件安全扩展技术，旨在通过在两个执行世界（即正常世界和安全世界）之间分置计算机资源来提供安全的执行环境。两个世界做到完全硬件隔离，并具有不同的权限，正常世界中运行的应用程序或操作系统访问安全世界的资源受到严格的限制，反过来安全世界中运行的程序可以正常访问正常世界中的资源。这种两个世界之间的硬件隔离和不同权限等属性为保护应用程序的代码和数据提供了有效的机制：通常正常世界用于运行商品操作系统（例如Android、iOS等），该操作系统提供了正常执行环境（Rich Execution Environment，REE）；安全世界则始终使用安全的小内核（TEE-kernel）提供可信执行环境（Trusted Execution Environment，TEE），机密数据可以在TEE中被存储和访问。

Chain of Trust

信任链

The main function of chain of trust is to extend the trust relationship to the whole computing platform. Based on root of trust (RoT), the chain of trust will acquire various data that influence platform trustworthiness via trust measurement mechanism, and then it will judge the trustworthiness for the platform after comparing the acquired data to expected data.

信任链的主要作用是将信任关系扩展到整个计算机平台，它建立在信任根（RoT，root of trust）的基础上。信任链可以通过可信度量机制来获取各种各样影响平台可信性的数据，并通过将这些数据与预期数据进行比较，来判断平台的可信性。

Consensus Algorithm

共识算法

A consensus algorithm is a fault-tolerant mechanism/algorithm that allows users or machines to coordinate in a distributed setting. It achieves the necessary agreement on a single data value or a single state of the network among distributed processes or multi-agent system (even if some agents fail).

共识算法是一种容错机制/算法，允许用户或机器在分布式环境中进行协调配合。 在分布式进程或多代理系统（即使某些代理出故障）中达成对单个数据值或网络的单个状态的必要共识。

Cryptography

密码学

Cryptography is the study of securing communications from outside observers that converts ordinary plain text into ciphertext and vice-versa. Encryption algorithms take the original message, or plain text, and converts it into ciphertext. The key allows the user to decrypt the message, thus ensuring on they can read the message. Cryptography focuses on four different objectives which are confidentiality, non-repudiation, integrity and authenticity. And, cryptography can be subdivided into symmetric cryptography, asymmetric cryptography and hash functions.

密码学是保护来自外部的通信的研究，将普通纯文本转换为密文，反之亦然。 加密算法将原始消息或纯文本转换为密文。密钥允许用户解密消息，确保他们可以阅读消息。密码学注重四方面，即机密性、不可否认性、完整性和真实性。 密码学可以细分为对称密码学、非对称密码学和哈希函数。

Asymmetric Cryptography

非对称加密技术

Asymmetric cryptography, or public key cryptography, uses two keys to encrypt data. One is used for encryption, while the other key can decrypts the message. One key is kept private, and is called the “private key”, while the other is shared publicly and can be used by anyone, hence it is known as the “public key”. The mathematical relation of the keys is such that the private key cannot be derived from the public key, but the public key can be derived from the private. The private key should not be distributed and should remain with the owner only. The public key can be given to any other entity.

非对称加密技术，又称公钥加密技术，双密钥来加密数据。一个用于加密，而另一个用于解密数据。一个必须保持私有，称为“私钥”，而另一个可以公开分享，且任何人都可以使用，称为“公钥”。双密钥的数学关系是私钥不能从公钥导出，但公钥可以从私钥导出。 私钥不能分发，并且应该只由所有者保管。 公钥可以提供给任何其他个体。

Symmetric Cryptography

对称加密技术

Symmetric cryptography, or secret key cryptography, uses a single key to encrypt data. Both encryption and decryption in symmetric cryptography use the same key, making this the easiest form of cryptography. The cryptographic algorithm utilizes the key in a cipher to encrypt the data, and when the data must be accessed again, a person entrusted with the secret key can decrypt the data.

对称加密技术，又称密钥加密技术，使用单个密钥加密数据。在对称加密技术中，加密与解密都使用同一个密钥，这也是加密技术最简单的形式。加密算法使用密码中的密钥来加密数据，当必须再次访问数据时，受托使用密钥的人可以解密数据。

Distributed Network

分布式网络

As a part of distributed computing architecture, a distributed network is a type of computer network that is spread over different networks. This provides a shared data communication network, which can be managed jointly or separately by each network. Along with distributed processing, different users work together to deliver specialized applications.

作为分布式计算架构的一部分，分布式网络是分布于不同网络的计算网络。提供共享式数据沟通网络，可由各网络共同或单独管理。协同分布式处理，不同使用者一起交付专门的应用。

Garbled Circuit

混淆电路

Two millionaires, A and B, both want to know who's richer while not to have anyone else know the exact fortune they have. So, they will break, mix and encrypt data to get the output only and decrypt it only. This is where garbled circuit can be applied. Computation can be transformed into circuits. Each circuit is made up of gates who has input wire and output wire. Also, for each gate, it has one truth table. Garbled circuit will conceal the truth table by encryption and garbling. A will use key to encrypt truth table and garble it , then send it to B. B will receive encrypted truth table, key for the inputs given by A and B-related key. All the keys received by B are random numbers. B will use keys to decrypt information and get the result, then send the result back to A. A will compare with information and get to know the result. The whole process is communicated via ciphertext or random numbers with no disclosure of valid information.

两个百万富翁 A 和 B，都想知道谁更富有，但不想让任何人知道自己的真实资产额，于是便将数据拆散、打乱并加密，输出结果并只解密该结果。那么，混淆电路便可以运用。计算可以转换为电路，一个电路由一个个门组成，每个门包含输入线和输出线，同时，每个门都有一张真值表，混淆电路就要通过加密和扰乱来掩盖真值表信息，A 通过密钥加密真值表并将其打乱发送给 B，B 收到加密后的真值表、A 所给的其输入对应的密钥以及与 B 相关的密钥，其中，B 所收到的密钥都是随机数，B 用收到的密钥进行解密得到输出结果，再将输出结果发给A，A来进行比较得知输出结果。整个过程都是密文或随机数进行往来，不泄露任何有效信息。

Hardware Wallet

硬件钱包

Hardware wallet is a cold wallet that uses a hardware device — typically in the shape of a USB stick — to store the wallet’s private keys. It provides full isolation making them de facto unreachable to hackers or other malicious parties, such as like Trezor, Ledger and SafePal. To store crypto in the hardware wallet, owner sends it from a hot wallet to the hardware wallet’s public address. Conversely, if owner wants to send crypto from the hardware wallet to a friend or an exchange address, the owner connects the hardware wallet to the internet via the wallet’s dedicated software and then sign the transaction with private key.

硬件钱包是一种冷钱包，使用硬件设备，通常是外观类似USB的设备来储存钱包的私钥。硬件钱包提供完全隔离，使得真正做到黑客或其他作恶方无法触及，比如 Trezor、Ledger 和 SafePal。为了将加密货币储存在硬件钱包中，所有者将货币从热钱包发送至硬件钱包的公开地址。反之，如果所有者想从硬件钱包发送加密货币给朋友或交易所地址，所有者就会通过硬件钱包的专有软件将钱包联网，并使用私钥签署交易。

Hash Function

哈希函数

Hash functions are irreversible, one-way functions which protect the data, at the cost of not being able to recover the original message. Hashing is a way to transform a given string into a fixed length string. A good hashing algorithm will produce unique outputs for each input given. It can also act like digital fingerprints for any data that’s been encrypted being used to verify and secure against any unauthorized modifications during transport through networks. The only way to crack a hash is by trying every input possible, until you get the exact same hash.

哈希函数是不可逆的单向函数，它保护数据，但无法恢复原始消息。哈希是一种将给定字符串转换为固定长度字符串的方式。一个好的哈希算法将为给定的每个输入产生唯一的输出。 它还可以充当任何已加密数据的数字指纹，用于验证和防御网络传输过程中的任何未经授权的修改。 破解哈希的唯一方法是尝试所有可能的输入，直到获得完全相同的哈希。

Homomorphic Encryption (HE)

同态加密（HE）

Homomorphic Encryption (HE) refers to a special type of encryption technique that allows for computations to be done on encrypted data, without requiring access to a secret key (for decryption). The results of the computations are encrypted, and can be revealed only by the owner of the secret key. There are 3 types of homomorphic encryption, partially homomorphic encryption, somewhat homomorphic encryption and fully homomorphic encryption, which their primary difference is majorly related to the types and frequency of mathematical operations.

同态加密 (HE) 是一种特殊的加密技术，它允许对加密数据进行计算，而无需访问密钥（用于解密）。计算结果被加密，并且只能由密钥的所有者披露。同态加密有部分同态加密、微同态加密和全同态加密三种，它们的主要区别主要与数学运算的类型和频率有关。

Identity and Access Management (IAM)

身份识别与访问管理（IAM）

Identity and access management (IAM) is a framework that enables the right individuals to access the right resources at the right times for the right reasons. It defines and manages the roles and access privileges of individual network entities (users and devices) to a variety of cloud and on-premises applications. IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements.

身份识别与访问管理（IAM）是让对的人在合适的时间，以正当理由访问相应资源的框架。定义和管理各个网络实体（用户和设备）对各种云和本地应用程序的角色和访问权限。IAM 满足关键任务需求，以确保在日益异构混杂的技术环境中正确地访问资源，并满足日益严格的合规性要求。

Key Shard/ Private Key Shard

私钥分片

A key shard is a split or piece of private key that is for asset transactions or other decision making. Certain amount of shard keys will be required to execute the respective matter.

私钥分片是用于资产交易或其他决策的私钥片。执行相应事项需要一定数量的分片来完成。

Micro-Segmentation (MSG)

微隔离（MSG）

Micro-segmentation is a network security technique that enables security architects to logically divide the data center into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment. It expressly allows particular application traffic and, by default, denying all other traffic.

微隔离（MSG）是一项网络安全技术，安全架构师能够在逻辑上将数据中心划分为不同安全段，直至各个工作负载级别，然后为每个独特安全段定义相应的安全管控并提供服务。它明确允许特定的应用程序流量，并默认拒绝所有其他流量。

Secure Multi-Party Computation (MPC)

安全多方计算（MPC）

Two millionaires, A and B, both want to know who's richer while never have anyone else know the amount of fortune they have. Then, without any trusted parties, how to compare their wealth and let the 2 parties know the result? This is the famous Yao's millionaire question and that's the beginning of secure multi-party computation. Multi-party computation is a set of protocols based on modern cryptography to realize distributed computation in a coordinated manner without any third parties and data disclosure involved on the premise that multiple parties do not trust each other. Secure multi-party computation designs the protocol to let the algorithm be the middleman. Invovled multiple parties will execute the algorithm protocol to jointly acquire the desired output.

两个百万富翁在路上遇到，他们都想知道谁更富有，但是不想让任何人知道自己实际拥有的资产额，那么，在没有任何可信第三方的情况下，要怎么进行比较并让双方知道结果呢？这就是著名的姚式百万富翁问题，开创了安全多方计算领域。 安全多方计算是一套基于现代密码学的协议组，旨在实现互不信任的多方，在没有任何第三方的情况下，协同进行分布式计算并无从知晓对方的数据。安全多方计算设计协议，算法取代中间人，涉及的多方通过执行算法协议，来共同获得输出结果。

Multi-signature (Multisig)

多签 （Multisig）

Multi-signature (Multisig) is a digital signing process that enables two or more users to sign transactions as a group, that’s to require multiple keys to verify a transaction.

多签（Multisig）是一种数字签名过程，它允许两个或多个用户作为一组对交易进行签名，即需要多个密钥来验证交易。

Native MultiSig

原生多签

Native MultiSig is a multisig mechanism supported by public blockchains represented by Bitcoin. Generally, it's M-of-N wallet whose address is jointly generated by N private keys, and when a transaction is being made, M private keys are required to sign it.

原生多签通常是以比特币为代表的公链上所支持的多签机制，一般为 m-n 模式，n 个单签私钥共同生成钱包地址，进行交易时，则由 m 个私钥进行签名。

Contract MultiSig

合约多签

Contract MultiSig is a multisig mechanism realized by smart contracts on public blockchains which do not support native multisig. That is, through deploying multisig contracts, multisig wallet address is generated, thus, M-of-N multisig can be realized.

合约多签通常指在不支持原生多签的公链上通过智能合约实现的多签机制，即通过部署合约，得到多签钱包地址，实现 m-n 多签机制。

Oblivious Transfer (OT)

不经意传输（OT）

Oblivious transfer is a cryptographic protocol in which a message sender sends one message among messages to be sent to message receiver. First introduced in 1981 by Michael O. Rabin, sender Alice sends a message to receiver, Bob, and there’s 50% probability for Bob to receive the message. Alice will not know if Bob gets the message or not, while Bob can be sure if he receives or not. Another more pragmatic form is 1-out-2 oblivious transfer. Alice sends 2 messages to Bob, and Bob gives one input to get the output that Bob will get what he wants in the end and Alice still doesn’t know which one Bob got. And, there has been extension from 1-out-2 which is 1-out-n mode.

不经意传输是一个密码学协议，在这个协议中，消息发送者从一些待发送的消息中发送一条给接收者，但事后对发送了哪一条消息仍然未知。1981年由 Michael O. Rabin 首先提出，发送者 Alice 给接收者 Bob 发送一条消息，而Bob右50%机率收到消息。Alice 不会得知 Bob 是否收到消息，而 Bob 可以明确知道。另一个更实用的不经意传输是2选1不经意传输。Alice 给 Bob 发送两条消息，Bob 给一个输入来获得输出信息。最后，Bob 会得到他想要的信息而 Alice 不会知道 Bob 是否有收到。另外，还对二选一进行了延伸，有 n 选一不经意传输。

Private Key

私钥

A private key is a sophisticated form of cryptography that allows a user to access their cryptocurrency. Unlike the publicly accessible public key, the private key is a secret key known only by its owner and cryptocurrency owners are usually given a public address and a private key to send and receive coins or tokens.

私钥是一串复杂密码，允许用户访问他们的加密货币。 与可公开访问的公钥不同，私钥是只有其所有者知道。加密货币所有者通常会获得一个公共地址和一个私钥来发送和接收主网货币或代币。

Public Key

公钥

A public key is a cryptographic code that allows users to receive cryptocurrencies into their accounts which is published for all the world to see.

公钥是公开给所有人的加密代码，允许用户的账户接收加密货币。

Rich Execution Environment (REE)

正常执行环境（REE）

Rich Execution Environment (REE) is a system operating environment for mobile devices whose operating system is called Rich OS (Operating System). The Rich OS is open and universal for all devices which can provides all functions for applications. Typical systems are Android, IOS and Linux etc. Meanwhile, Rich OS also faces lots of security vulnerabilities prone to be attacked by hacking.

正常执行环境是移动终端的系统运行环境，其中运行的系统称为Rich OS（Operating System），开放、通用且可以给上层应用提供设备的所有功能，典型的系统有Android、IOS、Linux等，同时，Rich OS 存在诸多安全漏洞，且易受黑客攻击。

Root of Trust (RoT)

信任根（RoT）

According to TCG, a Root of Trust (RoT) is a component that performs one or more security-specific functions, such as measurement, storage, reporting, verification, and/or update. It is trusted always to behave in the expected manner, because its misbehavior cannot be detected (such as by measurement) under normal operation.

根据 TCG 定义，信任根 (RoT) 是执行一个或多个安全特定功能的组件，例如测量、存储、报告、验证和/或更新。 它总是以预期的方式运行，进而值得信赖的，因为在正常操作下无法检测到它的不当行为（例如通过测量）。

Root of Trust for Confidentiality (RTC)

可信保密根（RTC）

According to TCG, a Root of Trust for Confidentiality (RTC) is an RoT providing confidentiality for data stored in TPM Shielded Locations.

根据 TCG 定义，可信保密根（RTC）是一种为存储于TPM被隔离位置的数据提供保密性的信任根。

Root of Trust for Integrity (RTI)

可信完整根（RTI）

According to TCG, a Root of Trust for Integrity (RTI) is an RoT providing integrity for data stored in TPM Shielded Locations.

根据 TCG 定义，可信完整根（RTI）是一种为存储于TPM被隔离位置的数据提供完整性的信任根。

Root of Trust for Measurement (RTM)

可信度量根（RTM）

According to TCG, a Root of Trust for Measurement (RTM) is an RoT that makes the initial integrity measurement, and adds it to a tamper-resistant log.

根据 TCG 定义，可信度量根（RTM）是进行初始完整性测量并将其添加到防篡改日志的信任根。

Root of Trust for Reporting (RTR)

可信报告根（RTR）

According to TCG, a Root of Trust for Reporting (RTR) an RoT that reliably provides authenticity and non-repudiation services for the purposes of attesting to the origin and integrity of platform characteristics.

根据 TCG 定义，可信报告根（RTR）是一种提供可靠真实性和不可否认性以证明平台特征的来源和完整性的信任根。

Root of Trust for Storage (RTS)

可信存储根（RTS）

According to TCG, a Root of Trust for Storage (RTS) is the combination of an RTC and an RTI.

根据 TCG 定义，可信存储根（RTS）是一种结合可信保密根（RTC）和可信完整根（RTI）的信任根。

Shamir's Secret Sharing

秘密分享

Shamir's secret sharing, or key sharding, is a process by which a private crypto key is split into separate pieces, or shards, rendering each shard useless unless enough are assembled to reconstruct the original key.

秘密共享，或密钥共享，是一个分片过程，将加密私钥拆分为单独的部分或分片，需组装足够的分片来重建原始私钥进行接下来的操作，否则每个分片将毫无用处。

Single Point of Failure

单点风险

A single point of failure is any non-redundant part of a system that, if dysfunctional, would cause the entire system to fail. Essentially, it’s a flaw in the design, configuration, or implementation of a system, circuit, or component. It poses a potential risk as it can lead to a total system break-down. In a system or network, such as server hardware, single private key or network switch all can be single point of failure.

单点风险是系统中任何若功能失调，将导致整个系统出现故障的非冗余部分。从本质上讲，这是系统、电路或组件的设计、配置或实施中的缺陷。它存在潜在风险，可能导致整个系统崩溃。在一个系统或网络中，例如服务器硬件、单个私钥或网络交换机都可能是单点风险。

Single-Signature Wallet

单签钱包

A single signature wallet is a type of wallet that typically only needs one signature to sign the transaction.

单签名钱包通常是指只需要一个签名来签署交易的加密货币钱包。

Software Defined Perimeter (SDP)

软件定义边界（SDP）

A software-defined perimeter (SDP) is a way to hide Internet-connected infrastructure (servers, routers, etc.) so that external parties and attackers cannot see it, whether it is hosted on-premises or in the cloud. The goal of the SDP approach is to base the network perimeter on software instead of hardware. It forms a virtual boundary around company assets at the network layer, not the application layer. This separates it from other access-based controls that restrict user privileges but allow wide network access.

软件定义边界（SDP）是隐藏联网基础设施（如服务器、路由器等）的方法，不论是预置的、本地托管还是在云端，外部人员和黑客都无法查看。软件定义边界方法的目标是将网络边界基于软件而不是硬件。它在网络层，而非应用层，围绕公司资产形成虚拟边界。 这使得，SDP与其他基于访问的控制途径（限制用户权限但允许宽广网络访问）区别开来。

TCG Software Stack (TSS)

可信软件栈（TSS）

TCG Software Stack (TSS) are untrusted software services that facilitate the use of the TPM and do not require the protections afforded to the TPM. As a software stack designed to isolate TPM application programmers from the low level details of interfacing to the TPM, it provides a standard API for accessing the functions of the TPM, for operation systems and applications.

可信软件栈（TSS）是不受信任的软件服务，便利TPM 的使用，并且不需要为 TPM 提供保护。 作为将 TPM 应用软件程序员与 TPM 接口的低端细节隔离开来的软件堆栈，它为操作系统和应用程序提供了用于访问 TPM 功能的标准 API。

Threshold Signature Scheme (TSS)

门限签名方案（TSS）

Threshold Signature Scheme (TSS) is, based on MPC, a signing protocol which combines Shamir's secret sharing and multi-signature. TSS requires multiple shard keys to sign transactions in turns and then generate the final valid signature. During the signing process, all shard keys held by multiple parties are not disclosed nor shared. The only public output is the final signature.

门限多签方案是基于 MPC，将秘密共享和多签结合起来，使用多个私钥分片轮流进行交易签名，生成最终有效签名的签名协议。而在整个签名过程中，各方所用的私钥分片不公开、不共享，公开的输出就是最终生成的签名。

Trusted Computing (TC)

可信计算（TC）

Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group. In the computing platform, first, one root of trust will be created, then to build up a chain of trust from hardware platform, operating system to application system. In this chain, starting from the root, to verify and trust next one in a hierarchical manner, so that the trust is extended to the whole level and a secure and trusted computing environment is built up. One trusted computing system consists of root of trust, trusted hardware platform, trusted operating system and trusted application. The ultimate goal is to enhance the security of computing platform.

可信计算（TrustedComputing，简称TC）是一项由 TCG (可信计算组)推动和开发的技术。在计算平台中，首先创建一个安全信任根，再建立从硬件平台、操作系统到应用系统的信任链，在这条信任链上从根开始一级测量认证一级，一级信任一级，以此实现信任的逐级扩展，从而构建一个安全可信的计算环境。一个可信计算系统由信任根、可信硬件平台、可信操作系统和可信应用组成，其目标是提高计算平台的安全性。

Trusted Computing Platform

可信计算平台

A Trusted Computing Platform is a computing platform that can be trusted to report its properties.

可信计算平台是可报告平台属性的可信任计算平台。

Trusted Execution Environment (TEE)

可信执行环境（TEE）

A Trusted Execution Environment (TEE) is a secure area inside a main processor. It runs in parallel of the operating system (OS), in an isolated environment. It guarantees that the code and data loaded in the TEE are protected with respect to confidentiality and integrity. That is, executed code and the data that is accessed are physically isolated and confidentially protected so that no one without integrity can access the data or change the code or its behavior.

可信执行环境（TEE）是主处理器内的安全区域。它在隔离环境中与操作系统 (OS) 并行运行。它保证在 TEE 中加载的代码和数据在机密性和完整性上均受到保护，也就是说，执行的代码和被访问的数据是物理隔离的并受到机密保护，因此没有完整性的人员无法访问数据或更改代码或进行其行为。

Trusted Platform Module （TPM)

可信平台模块（TPM）

A trusted platform module(TPM) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. TPM provides a hardware-based tamper-resistant environment.

可信平台模块 (TPM) 是一种计算机芯片（微控制器），可以安全地存储用于验证平台（PC 或笔记本）的工件。 这些工件可以包括密码、证书或加密密钥。 TPM 还可用于存储有助于确保平台保持可信的平台测量值。 TPM 提供了一个基于硬件的防篡改环境。

Zero-Knowledge Proof

零知识证明

A zero-knowledge proof is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x. A zero-knowledge proof must satisfy three parameters, completeness (true statement will be true), soundness (false statement cannot be true) and zero knowledge (only the result of proving is revealed to verifier). Take an example, a cave is shaped like a ring and, Alice and Bob are at the entrance on the left side, which is also the exit. In the cave, there is a magic door getting in the way for going back to the exit. When they get into the cave at the entrance, as Bob says that he knows the spell to open the door and wants to prove himself to Alice. Then, Alice waits at the exit, Bob gets into the cave and uses the spell to open the door and returns. This process can be repeated till Alice believes that Bob tells truth. This is a simple process for zero knowledge proof that Alice still doesn’t know the spell except the proving result and Bob proves his statement true.

零知识证明是一方（证明方）向另一方（验证方）证明他们知道某一事实/值 X ，而出了验证结果外，不用透露任何其他信息的方法。零信任证明需要有3个性质，完备性（真的假不了）、可靠性（假的真不了）和零知识性（验证方仅知道验证结果）。举一个例子，在一个呈环形的洞穴里，Alice 和 Bob 都在左侧的入口处，也是出口处。洞穴里有一个魔法门挡住去路。当他们进入山东入口时，Bob 表示他知道魔法门咒语并想向 Alice 证明。随后，Alice 等在出口处，Bob 进入洞穴，用咒语打开魔法门并返回。这一过程可以重复多次直到 Alice 相信 Bob 说的是真的。这是零信任证明的简单过程，Alice 除了验证结果，依旧不知道咒语，Bob 已经证明他的说法是真的。

Zero Trust Architecture

零信任架构

A zero trust architecture is an approach/ a framework to system design where inherent trust in the network is removed. Instead, the network is assumed hostile and each access request is verified, based on an access policy. It requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter.

零信任架构是一种系统设计方法/框架，摒弃了对网络的固有信任。 相反，零信任架构假设网络是敌对的，并且每个访问请求都通过访问策略进行验证。 它要求，无论个人或设备是在网络边界之内还是之外，对试图访问私有网络上资源的每个人和设备都要进行严格的身份验证。

zk-SNARK

zk-SNARK

According to Zcash, the first widespread application of zk-SNARKs, the acronym zk-SNARK stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge,” and refers to a proof construction where one can prove possession of certain information, e.g. a secret key, without revealing that information, and without any interaction between the prover and verifier. “Zero-knowledge” proofs allow one party (the prover) to prove to another (the verifier) that a statement is true, without revealing any information beyond the validity of the statement itself. In a zero-knowledge “Proof of Knowledge” the prover can convince the verifier not only that the number exists, but that they in fact know such a number – again, without revealing any information about the number. “Succinct” zero-knowledge proofs can be verified within a few milliseconds, with a proof length of only a few hundred bytes even for statements about programs that are very large. In the first zero-knowledge protocols, the prover and verifier had to communicate back and forth for multiple rounds, but in “non-interactive” constructions, the proof consists of a single message sent from prover to verifier. Currently, the most efficient known way to produce zero-knowledge proofs that are non-interactive and short enough to publish to a block chain is to have an initial setup phase that generates a common reference string shared between prover and verifier.

根据 Zcash, 最早广泛应用的 zk-SNARK，zk-SNARK 的全称是零知识简洁非交互式知识论证（Zero-Knowledge Succinct Non-Interactive Argument of Knowledge），是一种证据构造，在不用披露信息内容，证明方和验证方无互动的情况下证明持有该信息，如私钥。“零知识”证明允许一方（证明方）向另一方（验证方）证明陈述是真实的，而不用泄露超出陈述本身有效性的任何信息。在零知识的“知识证明”中，证明方不仅可以使验证方相信该数字存在，而且实际上他们知道这样的数字，同时也不会泄露有关该数字的任何信息。“简洁”的零知识证明可以在几毫秒内得到验证，证据长度只有几百字节，就算是对非常大的程序的陈述也是如此。在第一个零知识协议中，证明方和验证方必须来回传递多轮，但在“非交互式”构造中，证明包括从证明方发送给验证方的单个消息。目前，向一区块链生成非交互足够简短的零知识证明的最有效已知方式是具有初始设置阶段生成在证明方和验证方间共享的公共参考串。