当前位置：文档之家› Universally Composable Efficient Multiparty Computation from Threshold Homomorphic Encrypti

Universally Composable Efficient Multiparty Computation from Threshold Homomorphic Encrypti

Universally Composable E?cient Multiparty Computation from Threshold Homomorphic

Encryption

Ivan Damg?ard and Jesper Buus Nielsen

BRICS Department of Computer Science

University of Aarhus

Ny Munkegade

DK-8000Arhus C,Denmark

Abstract.We present a new general multiparty computation protocol

for the cryptographic scenario which is universally composable—in par-

ticular,it is secure against an active and adaptive adversary,corrupting

any minority of the parties.The protocol is as e?cient as the best known

statically secure solutions,in particular the number of bits broadcast

(which dominates the complexity)is?(nk|C|),where n is the number

of parties,k is a security parameter,and|C|is the size of a circuit doing

the desired computation.Unlike previous adaptively secure protocols for

the cryptographic model,our protocol does not use non-committing en-

cryption,instead it is based on homomorphic threshold encryption,in

particular the Paillier cryptosystem.

1Introduction

The problem of multiparty computation(MPC)dates back to the papers by Yao[14]and Goldreich et al.[11].What was proved there was basically that a collection of n parties can e?ciently compute the value of an n-input function, s.t.everyone learns the correct result,but no other new information.More pre-cisely,these protocols can be proved secure against a polynomial time bounded adversary who can corrupt a set of less than n/2parties initially,and then make them behave as he likes,we say that the adversary is active.Even so,the adver-sary should not be able to prevent the correct result from being computed and should learn nothing more than the result and the inputs of corrupted parties. Because the set of corrupted parties is?xed from the start,such an adversary is called static or non-adaptive.

Proving security of the protocol from[11]requires a complexity assumption, such as existence of trapdoor one-way permutations.This is because the model of communication considered there is s.t.the adversary may see every message sent {ivan,buus}@brics.dk.

Basic Research in Computer Science,

Centre of the Danish National Research Foundation.

248I.Damg?ard,J.B.Nielsen

between parties,this is sometimes known as the cryptographic https://www.doczj.com/doc/3a9928636.html,ter,un-conditionally secure MPC protocols were proposed by Ben-Or et al.and Chaum et al.[2,6],in the model where private channels are assumed between every pair of parties.These protocols are secure,even against an adaptive adversary who may decide dynamically during the protocol who to corrupt.

Over the years,several protocols have been proposed which,under speci?c computational assumptions,improve the e?ciency of general statically secure MPC,see for instance[10].In particular,Cramer,Damg?ard and Nielsen[7]pro-posed a general MPC protocol that is secure against a static adversary corrupting any minority of the parties.The protocol assumes that keys for a threshold ho-momorphic cryptosystem have been set up,and has communication(broadcast) complexity?(nk|C|),where n is the number of parties,k is a security parame-ter,and|C|is the size of a circuit computing the desired function.This is the so far the most e?cient protocol known for the cryptographic model,tolerating a dishonest minority(which is the best possible if we want to guarantee termina-tion).The homomorphic threshold cryptosystem can be the one of Paillier[13], or can be built from the quadratic residuosity assumption.

It is possible to get adaptive security,also in the cryptographic model:we can start from an adaptively secure protocol for the private channels model([2, 6]),and then,instead of assuming perfect channels,we implement them using public-key encryption.While this will in general reduce adaptive security to static,using non-committing encryption,adaptive security carries over to the cryptographic model[4].In[5],it is shown that non-committing encryption plus some additional techniques can provide MPC that is universally composable,an even stronger notion of security de?ned by Canetti[3].All these protocols are, however,much less e?cient than the best statically secure ones.An alternative approach that also gives adaptive security is to assume that parties can be trusted to securely erase certain critical data[1].

Our Results In this paper,we present a new general MPC protocol for the cryptographic model,based on Paillier encryption.The protocol is universally composable,in particular,it is secure against an active adaptive adversary cor-rupting any minority of the parties.Up to a constant factor,it is as e?cient as the(statically secure)protocol from[7].It is therefore the?rst general MPC solution for the cryptographic model where going to adaptive security does not cause a major loss in e?ciency(or costs an extra assumption,such as secure era-sures).It is also the?rst that does not use non-committing encryption,which may be of separate interest from a technical point of view.(The protocol in[5] is not for the private channels model,but it uses non-committing encryption for building adaptively secure oblivious transfer.)Instead of non-committing en-cryption we use some ideas from the universally composable commitments of[9], and combine this with the protocol from[7].Thus we work on the same principle that parties supply encrypted input,and the protocol produces encryptions of the outputs,that the parties can then cooperate to decrypt.To make this se-cure,we introduce a new technique for randomizing encryptions before they are decrypted.This means that the adversary has no control over the encryptions

Universally Composable E?cient Multiparty Computation249 that are decrypted,and this turns out to be essential for our proof of security to go through.

We prove our protocols secure in the framework for universally composable (UC)security by Canetti[3].This framework allows to de?ne the security of general reactive tasks,rather than just evaluation of functions.This allows us to prove that our protocol does not just provide secure function evaluation, but is in fact equivalent to what we call an arithmetic black box(ABB).An ABB can be thought of as a secure general-purpose computer.Every party can in private specify inputs to the ABB,and any majority of parties can ask it to perform any feasible computational task and make the result(and only the result)public.Moreover the ABB can be invoked several times and keeps an internal state between invocations.This point of view allows for easier and more modular proofs,and also makes it easier to use our protocols as tools in other constructions.

2An Informal Description

In this section,we give a completely informal introduction to some main ideas. All the concepts introduced here will be treated more formally later in the paper. We will assume that from the start,the following scenario has been established: we have a semantically secure threshold public-key system given,i.e.,there is a public encryption key pk known by all parties,while the matching private decryption key has been shared among the parties,s.t.each party holds a share of it.

We will use a threshold version of the Paillier cryptosystem,so the message space is Z N for some RSA modulus N.For a plaintext a∈Z N,we let a denote an encryption of a.We have certain homomorphic properties:from encryptions a,b,anyone can easily compute(deterministically)an encryption of a+b,which we denote a b.We also require that from an encryption a and a constant α∈Z N,it is easy to compute a random encryption ofαa,which we denote α a.This immediately gives us an algorithm for subtracting.

We can then sketch how a computation was performed securely in the(stati-cally secure)protocol from[7]:we assume the desired computation is speci?ed as a circuit doing additions and multiplications in Z N—This allows us to simulate a Boolean circuit in a straightforward way using0/1values in R.The protocol then starts by having each party publish encryptions of his input values and give zero-knowledge proofs that he knows these values.Then any operation involving addition or multiplication by constants can be performed with no interaction:if all parties know encryptions a,b of input values to an addition gate,all parties can immediately compute an encryption of the output a+b.This leaves only the problem of multiplications:Given encryptions a,b(where it may be the case that no parties knows a nor b),compute securely an encryption of c=ab.This can be done by the following protocol(which is a slightly optimized version of the protocol from[7]):

250I.Damg ?ard,J.B.Nielsen

1.Each party P i chooses random d i ∈Z N and broadcasts encryptions d i and d i b .

2.All parties prove in zero-knowledge that they know their respective values of d i ,and that d i b encrypts the correct value.Let S be the subset of the parties succeeding with both proofs.

3.All parties can now compute a ( i ∈S d i ).This ciphertext is decrypted using threshold decryption,so all parties learn a + i ∈S d i .

4.All parties set c =(a + i ∈S d i ) b ( i ∈S d i b ).

At the ?nal stage we know encryptions of the output values,which we just decrypt using threshold decryption.Intuitively this is secure if the encryption is secure because,other than the outputs,only random values or values that should be known to the adversary are ever decrypted.This intuition was proved for a static adversary in [7].But in the UC framework,where the adversary is adaptive,it is well known that there are several additional problems:

Loosely speaking,a proof of security requires building a simulator that sim-ulates in an indistinguishable way the adversary’s view of a real attack,while having access only to data the adversary is supposed to know at any given time .This means that for instance in the input stage the simulator needs to show the adversary encryptions that are claimed to contain the inputs of honest parties.At this time the simulator does not know these inputs,so it must encrypt some arbitrary values.This is ?ne for the time being,but if one of the honest par-ties are later corrupted,the simulator learns the real inputs of this party and must reveal them to the adversary along with a simulation of all internal data of the party.The simulator is now stuck,since the real inputs most likely are not consistent with the arbitrary values encrypted earlier.

We handle this problem using a combination of two tricks:?rst,we include in the public key an encryption K =1.Then,we rede?ne the encryption method,and ?x the rule that to encrypt a value a ,one computes a K .Under normal circumstances,this will be an encryption of a .The point,however,is that in the simulation,the simulator can decide what K should be,and will set K =0.Then all encryptions used in the simulation will contain 0,in fact —using the algebraic properties of the encryption scheme —the simulator can compute C as an encryption of 0,store the random coins used for this and later make it seem as if C was computed as C =a K for any a it desires.

However,the simulator must also be able to ?nd the input values the ad-versary supplies,immediately as the encryptions are made public.This is not possible if it only sees encryptions of 0.We therefore rede?ne the way inputs are supplied:for each input value x of party P i ,P i uses the UC commitment scheme of [9]to make a commitment commit (x )to x ,and also sends an encryp-tion C =x K .Finally he proves in zero-knowledge that commit (x )contains the same value as C .This can be done e?ciently because [9]is also based on Paillier encryption,and the UC property of the commitments precisely allows the simulator to extract inputs of corrupted parties and fake it on behalf of honest parties.

Universally Composable E?cient Multiparty Computation251 A?nal problem we face is that the simulator will not be able to“cheat”in the threshold decryption protocol.The key setup for this protocol?xes the shares of the private key even in the simulation,so a ciphertext can only be decrypted to the value it actually contains.Of course,when decrypting the outputs,the correct results should be produced both in simulation and real life,and so we have

a problem since we just said that all ciphertexts in the simulation really contain

0.We solve this by randomizing all ciphertexts before they are decrypted:we include another?xed encryption R=0in the public key.Then,given ciphertext C,the parties cooperate to create an encryption r R,where r is a(secret) randomly chosen value that depends on input from all parties.Then we compute C (r R)and decrypt this ciphertext.Under normal circumstances,it will of course contain the same plaintext as C.But in the simulation,the simulator will set R=1,and“cheat”in the process where r is chosen,s.t.r=a,where a is the value the simulator wants the decryption to return.This works,since in the simulation any C actually encrypts0.

3Preliminaries

Notation Throughout the paper k will denote the security parameter.For a probabilistic polynomial time(PPT)algorithm A we will use a←A(x;r)to de-note running A on input x and uniformly random bits r∈{0,1}p(|x|)producing output a;Here p(·)is a polynomial upper bounding the running time of A. Non-erasureΣ-protocols Consider a binary relation R?{0,1}?×{0,1}?where (x,w)∈R can be checked in PPT.By L(R)we denote the set{x∈{0,1}?|?w∈{0,1}?((x,w)∈R)}.

A non-erasureΣ-protocol for relation R is six PPT algorithms(A,l,Z,B,hvs, rbs,xtr)(and an integer l)specifying a three move,public randomness,honest veri?er zero-knowledge protocol with special soundness.The prover has input (x,w)∈R and the veri?er has input x.The prover?rst computes a message a←A(x,w;r A)and sends a to V.Then V returns a l-bit challenge e.The prover then computes a response to the challenge z←Z(x,w,r a,e)and sends z to the veri?er.The veri?er then computes b←B(x,a,e,z),where b∈{0,1} indicates whether to believe that the prover knows a valid witness w or not.The algorithm hvs is called the honest veri?er simulator and takes as input x∈L(R), e∈{0,1}l and a uniformly random bit-string r hvs and produces as output(a,z) which is supposed to be distributed as the(a,z)produced by a honest prover with instance x receiving challenge e—this is de?ned formally below.The algorithm rbs is called the random bits simulator.It takes as input(x,w)∈R,a challenge e∈{0,1}l and bits r hvs,which we think of as the random bits used by hvs in a run(a,z)←hvs(x,e;r hvs),and it produces as output a bit-string r A s.t.a=A(x,w;r A)and z=Z(x,w,r A,e).I.e.if(a,z)is the messages simulated using hvs given just x∈L(R),then if w s.t.(x,w)∈R later becomes known it is possible to construct random bits r A s.t.it looks like(a,z)was generated as a←A(x,w;r A)and z←Z(x,w,r A,e).Finally xtr is a knowledge extractor,

252I.Damg?ard,J.B.Nielsen

which given two correct conversations with the same?rst message can compute a witness.We now formalize these requirements along with completeness. Completeness:For all(x,w)∈R,r A and e∈{0,1}l we have that B(x,A(x,w;r a),e,Z(x,w,r a,e))=1.

Special non-erasure honest veri?er zero-knowledge:The following two random variables are identically distributed for all(x,w)∈R and e∈{0,1}l:

EXEC(x,w,e)=[a←A(x,w;r A);z←Z(x,w,r A,e):(x,w,a,r A,e,z)] SIM(x,w,e)=[(a,z)←hvs(x,e;r hvs);r A←rbs(x,w,e,r hvs):(x,w,a,r A,e,z)] Special soundness:For all x∈S and(a,e,z)and(a,e ,z )where e=e ,B(x,a,e,z)= 1and B(x,a,e ,z )=1,we have that(x,xtr(x,a,e,z,e ,z ))∈R.

4Non-Erasure Concurrent Zero-Knowledge Proofs of Knowledge

In[8]a concurrent zero-knowledge proofs of knowledge is presented based on anyΣ-protocol.The protocol assumes that the prover P and veri?er V agree on a key K for a trapdoor commitment scheme.The prover has input(x,w)∈R and the veri?er knows x.The protocol proceeds as follows.

1.The prover generates a←A(x,w;r A),commits c←commit K(a;r c)and

sends c to the veri?er.

2.The veri?er sends uniformly random e∈{0,1}l to the prover.

3.The prover computes z←Z(x,w,r A,e)and sends(a,r c,z)to the veri?er.

4.The veri?er outputs1i?c=commit K(a,r c)and B(x,a,e,z)=1.

To simulate the protocol without w one assumes that the simulator knows the trapdoor t of K.The simulator can then let c be a fake commitment and when it receives e compute(a,z)←hvs(x,e;r hvs),use t to compute r c s.t.c= commit K(a;r c)and send(a,r c,z).As observed in[9],if theΣ-protocol is non-erasure the above protocol is adaptively secure.Assume namely that P is cor-rupted and the simulator learns a witness.Then compute r A←rbs(x,w,e,r hvs) and by special non-erasure honest veri?er zero-knowledge the simulation is per-fect.In the following we will call this to patch the state of the proof of knowledge.

In[8]a knowledge extractor xtr is given working as follows.Assume K is a random commitment key so that commit K is computational binding and assume a corrupt prover succeeds in giving an acceptable proof with probability p say. Then by rewinding and giving new random challenges e until a proof is accepted again we get,e.w.n.p.,values a,e,z,a,e ,z s.t.B(x,a,e,z)=B(x,a,e ,z )= 1and e=e and can compute a witness w for x.The expected number of rechallenges needed is1

so if we run a proof and extract if a correct proof is

given the expected number of rechallenges used in the extraction is p1

p where p

is the probability that the proof is accepted in the?rst place.This generalizes to several proofs run concurrently.Each time a proof is accepted invoke xtr and get a witness.If the context in which the proofs are run is PPT,then the

Universally Composable E?cient Multiparty Computation253 running time,and the number of proofs,is bounded by a polynomial P,and so each invocation of xtr has expected running time less than P which with a total of at most P invocations,by the linearity of expectation,gives an expected polynomial running time of at most P2.

Note that for the zero-knowledge simulator it is enough that K is a trapdoor commitment key,whereas for knowledge soundness it was needed that the key was random to ensure that commit K is computational binding.We can therefore let V pick the key K and send it to P.All we need to ensure is that is the simulator can get its hands on the trapdoor of K.We will use the protocol and simulator exactly this way later.

5Universally Composable Security

In this section we give a sketch of the notion of universally composable security of synchronous protocols for the authenticated link model.Except for some minor technical di?erences it is the synchronous model described in[3].

A protocolπconsists of n parties P1,...,P n,all PPT interactive Turing machines(ITMs).The execution of a protocol takes place in the presence of an environment Z,also a PPT ITM,which supplies inputs to and receives outputs from the parties.Z also models the adversary of the protocol,and so schedules the activation of the parties and corrupts parties.In each round r each party P i sends a message m i,j,r to each party P j;The message m i,i,r is the state of P i after round r,and m i,i,0=(k,r i)will be the security parameter and the random bits used by P i.We model open channels by showing the messages {m i,j,r}j∈[n]\{i}to Z,where[n]={1,...,n}.In each round Z inputs a value x i,r to P i and receives and output y i,r from P i.We write the r’th activation of P i as({m i,j,r}j∈[n],y i,r)=P i({m j,i,r?1}j∈[n],x i,r).We model that the parties cannot reliably erase their state by giving r i to Z when P i is corrupted.In the following C will denote the set of corrupted parties and H=[n]\C.In detail the real-life execution proceeds as follows.

Init:The input is k,random bits r=(r1,...,r n)∈({0,1}?)n and an auxiliary input z∈{0,1}?.Set r=0and C=?.For i,j∈[n]let m i,j,0= for i=j and m i,i,0=(k,r i).Then input k and z to Z and activate Z.

Environment activation:When activated Z outputs one of the following commands: (activate i,x i,r,{m j,i,r?1}j∈C)for i∈H;(corrupt i)for i∈H;(end round);

or(guess b)for b∈{0,1}.Commands are handled as described below and the environment is then activated again.We require that all honest parties are acti-vated between two(end round)commands.When a(guess b)command is given the execution stops.

Party activation:{m j,i,r?1}j∈H were de?ned in the previous round;Add these to {m j,i,r?1}j∈C from the environment and compute({m i,j,r}j∈[n],y i,r)= P i({m j,i,r?1}j∈[n],x i,r).Then give{m i,j,r}j∈[n]\{i}to Z.

Corrupt:Give r i to Z.Set C=C∪{i}.

End round:Give the value{y i,r}i∈H de?ned in Party activation to Z and set r=r+1.

254I.Damg?ard,J.B.Nielsen

The result of the execution is the bit b output by Z.We denote this bit by REALπ,Z(k,r,z).This de?nes a Boolean distribution ensemble REALπ,Z= {REALπ,Z(k,z)}k∈N,z∈{0,1}?,where we take r to be uniformly random.

To de?ne the security of a protocol an ideal functionality F is speci?ed.The ideal functionality is a PPT ITM with n input tapes and n output tapes which we think of as being connected to n parties.The input-output behavior of the ideal functionality de?nes the desired input-output behavior of the protocol.To be able to specify protocols which are allowed to leak certain information F has a special output tape(SOT)on which it writes this information.The ideal functionality also has the special input tape(SIT).Each time F is given an input for P i it writes some value on the SOT modeling the part of the input which is not required to be kept secret.When F receives the input(activate v)a round is over,in response to which it writes a value on the output tape for each party. The value v models the inputs from the corrupted parties.When a party P i is corrupted the ideal functionality receives the input(corrupt i)on the SIT.

We then say that a protocolπrealizes an ideal functionality F if there exists an interface,also called simulator,S which given access to F can simulate a run ofπwith the same input-output behavior.In doing this S is given the inputs of the corrupted parties,and the information leaked on the SOT of F,and can specify the inputs of corrupted parties.In detail the ideal process,proceeds as follows.

Init:The input is k,random bits r=(r F,r S)∈({0,1}?)2and an auxiliary input z∈{0,1}?.Set r=0and C=?.Provide S with r S,provide F with r F and give k and z to Z and activate Z.

Environment activation:Z is de?ned exactly as in the real-word,but now com-mands are handled by S,as described below.

Party activation:Give{m j,i,r?1}i∈C to S and give x i,r to F on the input tape for P i and run F to get some value v F on the SOT.This value is given to S which is then required to compute some value{m i,j,r}j∈[n]\{i}which is given to Z. Corrupt:When Z corrupts P i,S is given the values x i,0,y i,0,x i,1,...exchanged be-tween Z and F for P i.Furthermore(corrupt i)is input on the SIT of F and F writes a value on the SOT;This value is given to S.Then S outputs some value r i which is given to Z.Set C=C∪{i}.

End round:S is activated and produces a value v.Then(activate v)is input to F which produces output{y i,r}i∈[n].Then{y i,r}i∈C is given to S and{y i,r}i∈H is given to Z.Set r=r+1.

The result of the ideal-process is the bit b output by Z.We denote this bit by IDEAL F,S,Z(k,r,z).This de?nes a Boolean distribution ensemble IDEAL F,S,Z= {IDEAL F,S,Z(k,z)}k∈N,z∈{0,1}?.

De?nition1.We say thatπt-realizes F if there exists an interface S s.t.for all environments Z corrupting at most t parties it holds that IDEAL F,S,Z c≈REALπ,Z.

We then de?ne the hybrid models.The G-hybrid model is basically the real-life model where the parties in addition to the communication lines also have

Universally Composable E?cient Multiparty Computation255 access to an ideal functionality G.In each round all parties give an input to G and receive the output from G in the following round.The inputs to the SIT of G are given by Z and Z receives the outputs on the SOT.When de?ning security of a protocol in a hybrid model the interface S must in addition to the communication and internal state of parties also simulate the values exchanged between G and Z.We call this a hybrid interface.

De?nition2.We say thatπt-realizes F in the G-hybrid model if there exists a hybrid interface S s.t.for all environments Z corrupting at most t parties it holds that IDEAL F,S,Z c≈HYB Gπ,Z.

A universal composability theorem can be proven for this framework.I.e.if a protocol realizes a given functionality it can be replaced for the functionality in all contexts.The above description easily generalizes to the case of several ideal functionalities in a hybrid model.In particular we will in the protocols following assume that the parties have access to an ideal functionality F BA for doing Byzantine Agreement.It expects a bit b i as input from all parties.If all honest parties agree on a value v,then F BA outputs v to all parties.Otherwise the environment is allowed to determine the output through the SIT.We also assume a broadcast channel,which can easily be model with an ideal functionality.

6The Paillier Cryptosystem and Some Tools

In this section we describe the Paillier cryptosystem[13].The public key is a k-bit RSA modulus pk=N=pq,where p an q are chosen s.t.p=2p +1,q=2q +1 for primes p ,q ,and both p and q have k/2bits.The plaintext space is Z N and

the ciphertext space is Z?

N2.To encrypt a∈Z N,one chooses r∈Z?N uniformly

at random and computes the ciphertext as E pk(a;r)=g a r N mod N2,where

the element g=N+1has order N in Z?

N2.The encryption function is homo-

morphic in the following sense E pk(a1;r1)E pk(a2;r2)mod N2=E pk(a1a2mod N;r1r2mod N)and E pk(a;r)b=E pk(ab mod N;r b mod N).The private key is e.g.sk=φ(N)(φ(N)?1mod N),and it is straightforward to verify that ((N+1)a r N)sk mod N2=Na+1from which a mod N can be computed.Given a one can then compute r N and r=(r N)N?1modφ(N)mod N2.Under an appro-priate complexity assumption—the DCRA—this system is semantic secure.

The DCRA states that random elements in Z?

N2are computationally indistin-

guishable from random elements of form r N mod N2.

For any ciphertext K=E pk(a;r K)we can consider the function E pk,K(m;r)= K m r N mod N2=E pk(am;s m r mod N).If r is uniformly random in Z?N,then s m r mod N is uniformly random in Z?N and so E pk,K(m;r)is a uniformly ran-dom encryption of am mod N.Notice that if a∈Z?N,then from K and c= E pk,K(m;r)and sk we can e?ciently compute m.Therefore E pk,K(m;r)is again a semantically secure encryption function.If on the other hand a=0,then E pk,K(m;r)is a uniformly random encryption of0.So,E pk,K(m;r)can be seen as a perfect hiding commitment scheme commit pk,K(m;r)=E pk,K(m;r).It is

256I.Damg?ard,J.B.Nielsen

trivial to see that commit pk,K(m;r)is computationally binding.If K∈E pk(1), then commit pk,K(m;r)would be perfect binding,so no algorithm can?nd two di?erent openings.An algorithm?nding two di?erent openings when K=E pk(0) would therefore distinguish encryptions of1from encryptions K of0.

Notice furthermore that if K=E pk(0;r K)and r K is known,then given ar-bitrary m,m ∈Z N and r∈Z?N we can compute r =s m?m r mod N,so that E pk,K(m;r)=E pk,K(m ;r ).All in all we have argued that if K=E pk(0;r K)is a random encryption,then commit K(m;r)is a perfect hiding computationally binding trapdoor commitment scheme with trapdoor t K.When considering val-

ues K∈Z?

N2as keys we will call keys of the form K=E pk(0;t K)trapdoor keys

and we will call keys of the form K=E pk(a;s)for a∈Z?n encryption keys.We now describe a commitment scheme from[9].

A UC Commitment Scheme First we have to introduce a so-called double-trapdoor commitment scheme.Consider a trapdoor commitment scheme with key K=(K1,K2),where K1and K2are both encryptions of0.We commit as

commit K

1,K2(m)=(E pk,K

(m1),E pk,K

(m2)),where m1and m2are uniformly

random values for which m=m1+m2mod N.To make a fake commitment just commit to random values m1and m2,call the commitment(c1,c2).To trapdoor open such a commitment it is enough to know the trapdoor of one of K1and K2.To open c=(c1,c2)to m we can open c1to m?m2or we can open c2 to m?m1.We note for later use that the distribution of the random bits is independent of which trapdoor is used.Note that the domain of commit K can be extended by committing block-wise.Here is the protocol from[9].

Setup:We assume that commitment sender S and receiver R agree on two inde-pendently chosen Paillier public-keys N and N and a commitment key K= (K1,K2)=(E N (0;t1),E N (0,t1).If R is honest at the beginning of the proto-col we furthermore assume that t1and t2are uniformly random. Commitment:S commits to s∈Z N as follows.

1.S generate uniformly random L S∈Z?

N2,commits c L=commit N ,K(L S;r L)

and sends c L to R.

2.R generates uniformly random L R∈Z N2and sends L R to R.

3.S computes L=L S L R mod N2,commits to s under L as c s=commit L(s;r s)

for uniformly random s∈Z?N and sends c s to R along with(L S,r L),and outputs(L,c s,r s).

4.R checks that c L=commit N ,K(L S;r L)and if so computes L=L S L R mod N2

and outputs(L,c s).

In[9]a simulator S commit for the UC framework is given which has the prop-erty that given any so-called hitting commitment(L,c s)it can simulate a run of the protocol which results in R outputting(L,c s).All the simulator needs to do this is the trapdoor(s)of K when R is corrupted and an opening(s,r s)of(L,c s) when S is corrupted.The simulator has some properties given in Theorem1. Theorem1.Consider a simulation with hitting commitment(L,c s)and output commitment(L ,c s)from R.

Universally Composable E?cient Multiparty Computation257

1.If L is uniformly random from Z?

N2and c s is a uniformly random commit-

ment to s,then the simulation is distributed exactly as the real-life protocol on input s.

2.If S is honest after the simulation,then(L ,c s)=(L,c s).

3.If N is a modulus for which commit N ,K is computationally binding,then

after a simulation where S was corrupted when c L was sent and R was honest by the end of the simulation,L is an encryption key,e.w.n.p.

By simulating a trapdoor commitment under(pk,K)we mean the following. Generate L=E N(0;r L)for uniformly random r0and compute c s=E N,L(0;r s) for uniformly random r s.Then run S commit with hitting commitment(L,c s).We write the resulting commitment as(L,c s,?).If at some point any s∈Z N is given,then use r0and r s to compute r s s.t.c s=E pk,N(s;r s)and give(s,r s)to S commit to patch the state of the simulation.We call this patching(L,c s,?)to s.

A Non-ErasureΣ-Protocol In[9]a non-erasureΣ-protocol for identical plaintext is given for the Paillier cryptosystem.The instance is(K1,c1,K2,c2)and a

witness is(s,r1,r2)s.t.c1=E pk,K

1(s;r1)and c2=E pk,K

(s;r2).

Escape-Secure Threshold Decryption In this section we introduce the adaptively secure threshold decryption protocol from[12].We?rst make a de?nition which will help us state the results precisely.We will introduce a weaker notion of UC security,which we call escape-security.An escape-simulator S is de?ned as a sim-ulator in the UC framework augmented with a special escape state.An escape-simulation IDEAL F,S,Z(k,z)proceeds exactly as in the UC framework except that if S enters the escape state,then the simulation terminates with the output⊥—we say that the simulation was escaped.For environment Z and values k∈N and z∈{0,1}?of the security parameter we de?ne the simulation probability by s Z(k,z)=1?Pr[IDEAL F,S,Z(k,z)=⊥].When s Z(k,z)is non-zero we de?ne the conditional probabilities c Z(k,z,b)=Pr[IDEAL F,S,Z(k,z)=b]

.When s Z(k,z)is zero we de?ne c Z(k,z,b)=1for b∈{0,1}.Then(c Z(k,z,0),c Z(k,z,1))de?nes a Boolean distribution ensemble which we denote by[IDEAL F,S,Z|?⊥].

De?nition3.We say thatπt-escape-securely realizes F if there exists an escape-simulator S s.t.REALπ,Z c≈[IDEAL F,S,Z|?⊥]for all environments Z cor-rupting at most t parties.

We now proceed to present the result from[12]in the above framework. Let(G,E,D)be a public-key cryptosystem and consider the following ideal functionality F(G,E,D)for threshold decryption.

Init:In the?rst round it generates(pk,sk)←G(k)and outputs pk to all parties and to the adversary.

Decryption:After a public key pk has been output we allow the parties to input a ciphertext C for decryption in any round and we also allow that more than one ciphertext is input in each round.Each ciphertext is handled as follows:If in some

258I.Damg?ard,J.B.Nielsen

round r all honest parties input C,then send(C,m=D sk(C))to the adversary1 and in round r+6return m to all parties.

In our terminology here,what is proved in[12]is:

Theorem2.There exists a protocolπpal escape-securely realizing F pal with sim-ulation probability1

In[12]the key distribution is handled using a trusted party or a general MPC. Here we model this by assuming the key is generated by an ideal functionality

F pal,key?gen;It generates a random threshold key(N,pv,sk1,...,sk n)where N

is a random Paillier public key,sk1,...,sk n are the private key shares of the parties and pv is public values used in the protocol for a.o.t.checking decryption shares.In[12]a decryption protocolπpal,dec using this key is then described.

Their simulator consists of two parts.A simulator S pal,key?gen which given the public key pk from the ideal functionality simulates a key(N,pv,sk1,...,sk n)= S pal,key?gen(pk)with the property that(N,pv)is computationally indistinguish-able from a real key.Furthermore a simulator S pal,dec for the decryption protocol

is given,which again is computationally indistinguishable from the real protocol as long as the simulation is not escaped.We need a last property of the proto-col.Given a random Paillier key(pk,sk)it is possible to generate a threshold key(pk,pv,sk1,...,sk n)with the same distribution as F pal,key?gen.We write (pk,pv,sk1,...,sk n)=SingleToThesh(pk,sk).

7An Arithmetic Black Box

The ABB is an ideal functionality F ABB.Initially F ABB outputs a uniformly ran-dom key pk=N to all parties,de?ning the ring Z N that F ABB does arithmetic over.In each activation it expects a command from all honest parties and carries out the command if all honest parties agree.Typically agreement means that the parties gave the same command,e.g.(x←x1+x2),but this does not always make sense.If e.g.party P i is to load a secret value s into variable x,using the command(P i:x←s),of course the other parties cannot acknowledge by giving the same command.In this case they input(P i:x←?);The intended meaning

is that P i is allowed to de?ne x using a value unknown to the other parties.

If two honest parties ever disagree F ABB goes corrupted in the following sense:

It outputs its entire current state and all future inputs on the SOT.Besides this it lets the environment determine all future outputs through the SIT.The functionality F ABB holds a list of de?ned variable names x and stores a value val(x)∈Z N for each.For all commands we require that variables on the right hand side of←are de?ned and that x is de?ned when a(output x)command

is given.In the command(P i:x←x1·x2)we require that x1was de?ned by

a(P i:x1←?)command.A violation of these requirements will make F ABB go

1We return these values to the adversary to specify that it is not part of the func-tionality to keep C or m secret

Universally Composable E?cient Multiparty Computation 259

corrupted.Each time a variable x is de?ned F ABB outputs (defined x )to all parties.Except for the s in (P i :x ←s )all input values are output on the SOT.Init:Let c be the number of rounds used for setting up the keys in the real-life protocol.

When the init command is given the ABB simply runs for c rounds ignoring all inputs.Then it generates a random Paillier key (N,sk )and outputs pk to all parties and outputs (N,sk )to the adversary.

Load:On (P i :x ←?)in round r ,if P i inputs (P i :x ←s )for s ∈Z N ,then set

val (x )=s in round r +8.If in a round before round r +8P i is corrupted and the adversary inputs (change s )on the SIT,then val (x )=s ,and if the adversary inputs fail ,then val (x )is not de?ned.Linear combination:On (x ←a 0+ l

j =1a j x j )for a j ∈Z N de?ne val (x )=a 0+ l

j =1a j val (x j )mod N in the same round.

Private multiplication:On (P i :x ←x 1·x 2)in round r ,if P i also inputs (P i :x ←

x 1·x 2),(this is an extra requirement as P i might be corrupted),then in round r +4de?ne val (x )=val (x 1)val (x 2)mod N .If in a round before round r +5the adversary inputs fail on the SIT and P i is corrupted,then val (x )is not de?ned.Output:On (output x )in round r output (output x =val (x ))on the SIT and output

(output x =val (x ))to all parties in round r +12.

The functionality has no general multiplication command,but running in the F ABB -hybrid model,parties can do a multiplication of any two variable using the multiplication protocol from the introduction.We now describe a protocol πABB realizing F ABB .A variable x with val (x )=s is represented by an encryption enc (x )=E pk,K (s )on which the parties agree.

Init:The protocol runs in the hybrid model with access to two copies of the func-

tionality F pal ,key ?gen described in Section 6.We call the public key returned by the ?rst copy pk =N ,and we assume that the ?rst copy also returns two random encryptions K =E pk (1)and R =E pk (0).We call the public key returned by the second copy pk =N ,and we assume that the second copy also return 3n random encryptions K i,l =E pk (0)for i ∈[n ],l ∈{0,1,2}.The key K j,0is for for running the proof of knowledge protocol from Section 4with the relation in Section 6with P j as veri?er.We will denote this by P i proves to P j .The double-trapdoor key K j =(N ,K j,1,K j,2)will be used for running the universally composable commit-ment scheme in Section 6with P j as receiver to generate commitments under N .When P i is the committer with some value s we will denote this by P i commits to s to P j .In the ?rst round the parties call the ideal functionalities and wait until all keys are returned.

Load:Below we use M as the key under which encryptions are made.When the

parties carry out the load commands given from the environment they always use M =K .However the implementation of Output also uses the load command as an internal sub-routine,with M =R .

1.P i computes S =E pk,M (s ;r S )and broadcasts S .

2.For j =i party P i commits to s to P j .Denote the commitment by (L j ,c s,j ,r s,j ).

3.For j =i party P i proves to P j with instance x =(pk,M,S,L j ,c s,j )and witness (s,r S ,s,r s,j ).

260I.Damg?ard,J.B.Nielsen

4.For j=i party P j inputs1to F BA i?the zero-knowledge proof given by P i to

P j was accepted.

5.Wait until F BA outputs a bit b.If b=1the parties set enc(x)=S. Linear combination:Set enc(x)=g a0 l i=1enc(x j)a j mod N2.

Private multiplication:We assume that P i knows(s,r s)s.t.enc(x1)=E pk,K(s;r s).

1.P i computes X=E pk,enc(x

2)(s;r X)and broadcasts X.

2.For j=i party P i proves to P j with instance x=(pk,K,enc(x1),enc(x2),X)

and witness(s,r S,s,r X),and as above the parties run a BA to determine

whether to accept the proof.

3.If the result of the BA is1the parties set enc(x)=X.

Output: 1.P i generates random r i∈Z N and loads it into variable x i using M=K.

Let{C j}j=i denote the commitments used in Step2of the load.

2.Parti P i loads r i into variable y i using M=R,but reuses the commitments

{C j}j=i from the previous load.If a party P i input0to the BA in the previous

load for P j,then input0again in this load.

3.Let I be a size t+1subset of the set of indices i for which y i is now de?ned.Let

{λI i}i∈I be degree t Lagrange coe?cients interpolating from{f(i)}i∈I to f(0)

over Z https://www.doczj.com/doc/3a9928636.html,pute S= i∈I enc(y i)λI i mod N2and T=enc(x)S mod N2.

We assume some?xed way of picking the subset I so that all parties agree on

4.The parties runπpal,dec from Section6on T and take as their output the value

v returned byπpal,dec.

Theorem3.πABB (n?1)/2 -securely realizes F ABB.

Due to space limitations we can only sketch the proof of Theorem3,a full proof will appear in the Ph.D.dissertation of the second author.In the proof we construct an interface S simulatingπABB in the ideal process with access to F ABB. The simulator runs a copy of the protocolπABB and keeps it consistent with the inputs and outputs of F ABB in ideal process(in which S is run).In simulating πABB,S must provide inputs to F ABB on behalf of the corrupted parties.For all commands except Load and Private Multiplication only the inputs from honest parties are consider by F ABB.However for a load(P i:x←?)and a private multiplication(P i:x←x1·x2)the input from S matters.In the?rst case S must provide an input(P i:x←s)for x to be de?ned and in the second case S must provide the input(P i:x←x1·x2)for x to be de?ned.Whether the simulator supplies these inputs,and the value of s,depends on Z:If Z lets P i participate in the simulation ofπABB in a way which results in the honest parties de?ning enc(x)to hold some encryption,then S will provide the input to F ABB and in the case of a Load it will determine an appropriate value of s. The initialization is simulated as follows::

Init:For the?rst copy it receives the key(pk=N,sk)from F ABB and computes (N,pv,sk1,...,sk n)=SingleToThesh(pk,sk).(1)Then it computes K=E pk(0;r K) and computes R=E pk(1;r R)and outputs(pk,pv,sk i,R,K)to party P i.For the second copy it generates N and all the keys K j,l=E N (0;r j,l)itself and distributes these as in the protocol.When running the simulator for the zero-knowledge proofs with P j as veri?er the key K j,0is given to the simulator,and if P j is corrupted t j,0

Universally Composable E?cient Multiparty Computation261 is given to the simulator.Notice that we do not use sk so the commitment schemes

E pk ,K

j,0will be computationally binding as required.When running the simulator

for a commitment from P i to P j the key(K j,1,K j,2)is given to the simulator,and if P j is corrupted t j,1and t j,2are given to the simulator.Notice that except for K and R this initialization simulates perfectly the protocol.

The simulator maintains the invariant that a variable x is de?ned in the simulatedπABB i?it is de?ned in F ABB.Furthermore the simulator maintains that for all de?ned variables x it knows ran(x)s.t.enc(x)=E pk(0;ran(x)).These values are used for trapdoor openings under K,e.g.in the simulation of the load command:

Load:We only describe how to simulate for M=K as for all loads with key R we will actually know the value to load,so the’simulation’can be done by running the protocol.On(P i:x←?),if P i is honest we proceed as follows:

1.P i computes S=E pk(0;r0)and broadcasts S.If P i is corrupted after this

step,then we learn(P i:x←s)from the ideal process.Then using r K and r0 compute r S s.t.S=E pk,K(s;r S)and uses r S as the internal state of P i.

2.For j=i party P i simulates a trapdoor commitment to P j giving commitment

(L j,c s,j,?).If P i is corrupted in or after this step,then?rst patch as as above, and then patch(L j,c s,j,?)to s.

3.For each party P j where j=i party P i run the simulator from Section4with

instance x=(pk,K,S,(L j,c s,j)).If P i is corrupted after this Step,then?rst patch as above.Then w=(s,r S,r s,j)is a witness to x.Give this witness to the simulator from Section4to patch the state of the proof of knowledge.

4.The parties execute the BA following the protocol.If the result is1the parties

set enc(x)=S and ran(x)=r0.

For corrupted P i the simulator inputs(P i:x←0)to F ABB on behalf of P i and then lets the honest parties follow the protocol.If the BA fails the simulator inputs fail on the SIT of F ABB.If the broadcast value enc(x)=S is accepted,then the simulator must at the end of the load input(change s)on behalf of P i on the SIT of F ABB.Since the BA output1,at least t+1parties input1,so at least one party P j which is still honest input1.Let(L j,c s,j)be the commitment received by P j.

Since the proof received was accepted,P i can,e.w.n.p.,open(L j,c s,j)and S to the same value,s say—i.e.if we could rewind we could extract such a value.

By Theorem1we can assume that if S was sent by the adversary,then L j is a binding key,so(L j,s j)can only be opened to one value.Therefore we can using sk decrypt(2)(L j,c s,j)to obtain the value s to which P i can open S.The intuition here is that if K had been an encryption of1,then this value s,to which P i can open S,would indeed be its plaintext value,so we have extracted the’plaintext’of S.

If P i is honest at the onset of the load but is corrupted before the third message of the commitment protocol is sent,i.e.in round r+2,then the environment might send a commitment(L j,c s,j)to a value s di?erent from the s which has already been input to F ABB,and we have no guarantee that L j is an encryption key.However,we have no need to decrypt either:Since the simulator sent S it patched the state of P i to be consistent with S=enc pk,K(s;r S).So,if K had been

a binding key,then the state of P i would be consistent with F ABB.

In all cases,if enc(c)is accepted the simulator decrypts(3)enc(x)to learn random bits ran(x)s.t.enc(x)=E pk(0;ran(x)).

262I.Damg ?ard,J.B.Nielsen

A private multiplication is simulated similarly,letting X =E pk (0;r 0)and if s becomes known,computing r X s.t.X =E pk,enc (x 2)(s ;r X )—in doing this we use that we know ran (x 2)s.t.enc (x 2)=E pk (0;ran (x 2)).Linear com-

bination is simulated by letting enc (x )=g a 0 l i =1enc (x j )a j and ran (x )=a 0 l i =1ran (x j )a j mod N .An output is simulated as follows:

Output:On input (output x =v )from F ABB we know that all honest parties got the

input (output x )and will output v in 12rounds.We cannot use the simulator from Section 6to simulate a decryption to v ,as the inconsistent party might get corrupted.Instead we cheating in the randomization as to make T an encryption of v ,and then decrypt honestly.

1.For honest P i run the load command by committing to uniformly random elements r i under trapdoor keys.

2.Let J be the indices j of corrupted parties for which the load into x j succeeded.If |J |

3.This step is simulated by following the protocol.Since R is an encryption of 1,unless a corrupted party P j was able to load di?erent values into x j and y j ,we will have that S is an encryption of f (0)=v and so is then T .(4)

4.Run the decryption protocol as in the protocol.

We then prove IDEAL F ABB ,S ,Z c

≈REAL πABB ,Z using a hybrids argument.De?ne H 0by taking F ABB ,S and Z and running IDEAL F ABB ,S ,Z with the modi?cation that S gen,pal (pk )is run at (1)to produce the key and S pal ,dec (T,D sk (T ))is run at (4)instead of πpal ,gen .Let H 0=[H 0|?⊥].Doing this we got rid of the use of sk at (1)but introduced one at (4).By the results in Section 6we will have that IDEAL F ABB ,S ,Z c ≈H 0.De?ne H 1as H 0but at (2,3)use xtr from Section 4to extract the plaintext (and for (3),the random bits.)Let H 1=[H 1|?⊥].By the results in Section 4we will have H 0c ≈H 1.De?ne H 2as H 1but at (4)run S pal ,dec (T,v )instead of S pal ,dec (T,D sk (T )).Let H 2=[H 2|?⊥].By using Sections 4it can be proved that v =D sk (T ),e.w.n.p.So,H 2c ≈H 1.Notice that H 2can be produced without using sk ,so now we can use the semantic security of E pk .De?ne H 3as H 2,but use R =E pk (0).It follows via semantic security that H 3=[H 3|?⊥]c ≈H 2.De?ne H 4as H 3except that we use correct inputs to all honest parties and pick the r i values uniformly at random for all honest parties.It can be seen that H 4=[H 4|?⊥]=H 3,as K,R ∈E pk (0),so no information is leaked about the inputs and the environment sees at most t of the r i values and so cannot distinguish random values from random values consistent with a degree t +1polynomial.De?ne H 5as H 4but with K =E pk (1)and use semantic security to prove H 5=[H 5|?⊥]c ≈H 4.Because K =E (1)we cannot use the simulator from 6for simulating the commitments anymore.However this not not needed either as from H 4all honest parties use correct

Universally Composable E?cient Multiparty Computation263 inputs,so at the same time we start running all commitments honestly.De?ne

H 6as H 5but starting to use sk at(2)again and as for H0c≈H1get that H6=[H 6|?⊥]c≈H5.De?ne H 7as H 6but at(4)run S pal,dec on(T,D sk(T)) instead.Proving H7=[H 7|?⊥]c≈H 6basically involves proving the protocol correct,which is done using the results from Sections4.The only di?erence

between H7and REALπ

ABB ,Z

is between the use of S pal,key?gen and S pal,dec instead

of F pal,key?gen andπpal,dec,and H7c≈REALπ

ABB ,F

follows as IDEAL F

ABB

,S,Z

≈H0.

References

1. D.Beaver and S.Haber.Cryptographic protocols provably secure against dynamic

adversaries.In R.A.Rueppel,editor,Advances in Cryptology-EuroCrypt’92, pp.307–323,Berlin,1992.Springer-Verlag.LNCS Vol.658.

2.M.Ben-Or,S.Goldwasser,and https://www.doczj.com/doc/3a9928636.html,pleteness theorems for non-

cryptographic fault-tolerant distributed computation(extended abstract).In20th STOC,pp.1–10,Chicago,Illinois,May1988.

3.R.Canetti.Universally composable security:A new paradigm for cryptographic

protocols.In42th FOCS.IEEE,2001.

4.R.Canetti,U.Feige,O.Goldreich,and M.Naor.Adaptively secure multi-party

computation.In28th STOC,pp.639–648,Philadelphia,Pennsylvania,May1996.

5.R.Canetti,Y.Lindell,R.Ostrovsky,and A.Sahai.Universally composable two-

party and multi-party secure computation.In34th STOC,pp.494–503,Montreal, Quebec,Canada,2002.

6. D.Chaum,C.Cr′e peau,and I.Damg?ard.Multiparty unconditionally secure pro-

tocols(extended abstract).In20th STOC,pp.11–19,Chicago,Illinois,May1988.

7.R.Cramer,I.Damgaard,and J.B.Nielsen.Multiparty computation from threshold

homomorphic encryption.In Advances in Cryptology-EuroCrypt2001,pp.280–300,Berlin,2001.Springer-Verlag.LNCS Vol.2045.

8.I.Damg?ard.E?cient concurrent zero-knowledge in the auxiliary string model.In

B.Preneel,editor,Advances in Cryptology-EuroCrypt2000,pp.418–430,Berlin,

2000.Springer-Verlag.LNCS Vol.1807.

9.I.Damg?ard and J.B.Nielsen.Perfect hiding and perfect binding universally

composable commitment schemes with constant expansion factor.In M.Yung, editor,Advances in Cryptology-Crypto2002,pp.581–596,Berlin,2002.Springer-Verlag.LNCS Vol.2442.

10.R.Gennaro,M.Rabin,and T.Rabin.Simpli?ed VSS and fast-track multi-party

computations with applications to threshold cryptography.In PODC’98,1998.

11.O.Goldreich,S.Micali,and A.Wigderson.How to play any mental game or

a completeness theorem for protocols with honest majority.In19th STOC,pp.

218–229,New York City,May1987.

12. A.Lysyanskaya and C.Peikert.Adaptive security in the threshold setting:From

cryptosystems to signature schemes.In C.Boyd,editor,Advances in Cryptology-ASIACRYPT2001,pp.331–350,Berlin,2001.Springer.LNCS Vol.2248.

13.P.Paillier.Public-key cryptosystems based on composite degree residue classes.

In J.Stern,editor,Advances in Cryptology-EuroCrypt’99,pp.223–238,Berlin, 1999.Springer-Verlag.LNCS Vol.1592.

14. A.C.Yao.Protocols for secure computations(extended abstract).In23rd FOCS.

IEEE.1982.pp.160–164,Chicago,Illinois,3–5Nov.1982.

销售人员十大心态知识分享

销售人员十大心态

态度决定一切——顶尖销售员的十种心态自从神奇教练米卢登陆中国后，“态度决定一切”这句话就常常出现在我们的耳边。不错，态度真的决定一切，可是什么样的态度将决定什么样的一切。态度是一个人对待事物的一种驱动力，不同的态度将决定产生不同的驱动作用。好的态度产生好的驱动力，注定会得到好的结果，而不好的态度也会产生不好的驱动力，注定会得到不好的结果。同时，对待任何事物不是单纯的一种态度，而是各种不同心态的综合。作为庞大军团的销售队伍，又应该有什么样的心态呢？一、积极的心态首先我们需要具备积极的心态。积极的心态就是把好的，正确的方面扩张开来，同时第一时间投入进去。一个国家，一个企业肯定都有很多好的方面，也有很多不够好的地方，我们就需要用积极的心态去对待。贪污犯还有，可是我们应该看见国家已经大力的整顿了；企业有很多不尽合理的管理，可是我们应该看到企业管理风格的改变。也许你在销售中遇到了很多困难，可是我们应该看到克复这些困难后的一片蓝天。同时，我们应该把正确的、好的事情在第一时间去投入，唯有第一时间去投入才会唤起你的激情，唯有第一时间投入才会使困难在你面前变的渺小，好的地方在你眼前光大。积极的人象太阳，走到那里那里亮。消极的人象月亮，初一十五不一样。某种阴暗的现象、某种困难出现在你的面前时，如果你去关注这种阴暗，这种困难，那你就会因此而消沉，但如果你更加关注着这种阴暗的改变，这种困难的排除，你会感觉到自己的心中充满阳光，充满力量。同时，积极的心态不但使自己充满奋斗的阳光，也会给你身边的人带来阳光。二、主动的心态主动是什么？主动就是“没有人告诉你而你正做着恰当的事情”。在竞争异常激烈的时代，被动就会挨打，主动就可以占据优势地位。我们的事业、我们的人生不是上天安排的，是我们主动的争取的。在企业里，有很多的事情也许没有人安排你去作，有很多的职位空缺。如果你去主动的行动起来，你不但锻炼了自己，同时也为自己争取这样的职位积蓄了力量，但如果什么事情都需要别人来告诉你时，你已经很落后了，这样的职位也挤满了那些主动行动着的人。主动是为了给自己增加机会，增加锻炼自己的机会，增加实现自己价值的机会。社会、企业只能给你提供道具，而舞台需要自己搭建，演出需要自己排练，能演出什么精彩的节目，有什么样的收视率决定权在你自己。三、空杯的心态人无完人。任何人都有自己的缺陷，自己相对较弱的地方。也许你在某个行业已经满腹经纶，也许你已经具备了丰富的技能，但是你对于新的企业，对于新的经销商，对于新的客户，你仍然是你，没有任何的特别。你需要用空杯的心态重新去整理自己的智慧，去吸收现在的、别人的正确的、优秀的东西。企业有企业的文化，有企业发展的思路，有自身管理的方法，只要是正确的，合理的，我们就必须去领悟，去感受。把自己融入到企业之中，融入到团队之中，否则，你永远是企业的局外人。四、双赢的心态杀头的事情有人干，但亏本的买卖没人作，这是商业规则。你必须站在双赢的心态上去处理你与企业之间的、企业与商家之间的、企业和消费者之间的关系。你不能为了自身

销售成功的十大心态

销售成功的十大心态经过不断实践和验证发现，自信、积极、坚持、包容、舍得、空杯、谦逊、感恩、善缘、反省等十大心态尤为重要。其中，存在交叉重叠又相互影响之状况，关键在于领会吸纳核心要领。下面是小编分享的一些相关资料，供大家参考。自信的心态从实际出发，相信自己一定可以。这便是自信。笔者身高1米58，一定要去nba去打球，并且充满信心，这不叫自信，叫自残，残害自己的心灵。去年比较火爆的“凤姐”所言：我九岁博览群书，二十岁达到顶峰，往前推三百年，往后推三百年，六百年之内没有人能超过我。凤姐不是自信，而是自负，超级自负。自信过度我们还是要反对的。世界著名的销售大师原一平去保险公司面试时，主考官蔑视他。原一平说：“我身高只有145厘米，又瘦又小，体重也只有52千克，但我并不自卑。” 主考官说：“推销保险的工作太困难了，你不能胜任。” 原一平像一只勇猛的斗鸡，张牙舞爪地问道：“请问进入贵公司，究竟要做多少业绩? 主考官傲慢地说：“每人每月一万元。” 原一平充满力量地说：“既然这样，我每月也可以推销这么多。” 要是放在今天，碰到这样的主考官，应聘者可能会嗤之以鼻，心想，这样的傻逼，这家公司肯定不怎么样，然后傲慢滴走了，还庆幸自己没有被录取。自信能产生一种气势，一种强大的气场，一种让人震慑的力量。毛老的“自信人生二百年，会当水击三千”是何等的气势磅礴。积极的心态积极和主动是孪生兄弟，积极的人肯定主动，肯定热情面对现实，不管发生什么，都能乐观看之，泰然处之。看上一个美眉，有信心摆平，但是没有积极主动的行动是不行的。所以，要自信，更要积极的行动。积极主动是自信的外在表现。

原一平在主考官面前承诺后，开始了艰辛的推销之旅。他没想到会这样的艰难，竟然连续7个月没有一单业务，房租都交不起了，被房东赶到了公园的长椅上过夜。原一平常常自我解嘲：“虽然今天很凄惨，不过公园也蛮不错的，安静又清凉。”更多的时候，原一平会鼓励自己：“只要你的精神还站立着，就没有什么能让你倒下!”每天清晨5点，原一平从公园的长椅上“起床”后徒步上班。一路上精神抖擞，丝毫没有睡眠不足的倦态。有时候还吹吹口哨，热情地和路人打打招呼。有一天，一个常去公园散步的大老板看到原一平身处这样的窘境还能笑傲生活，便好奇地与他攀谈起来。没想到他听了原一平的故事后，被他的积极和乐观的心态所感染，并愉快地买了一份保单。这是原一平从事推销以来的第一笔业务。这位大老板几天后又给原一平介绍了许多商界的朋友。原一平积极的生活态度感染了越来越多的人，业务也做得越来越大。生活像一面镜子，当你对它展颜欢笑时，它所回报给你的，一定也是醉人的笑容。世界上最伟大的汽车推销员乔·吉拉德曾说：“当你笑时，整个世界都在笑，一脸苦相没人理睬你。”积极的人需要笑看风云。坚持的心态自信可以做得到，积极的行动和乐观的精神也可以没有问题，在目标没有实现以前，能不能够坚持，就是对你最大的考验。为什么追不到自己喜欢的女生，因为你只有三天的热度，一开始火势很猛，慢慢地火就灭了。一个真正敢于坚持的人，就像永不熄灭的奥运圣火一样，熊熊燃烧。汤姆·霍普金斯是全世界单年内销售最多房地产的业务员，平均每天卖一幢房子。后来他的名字进入了吉尼斯世界纪录，被国际上很多报刊称为国际销售界的传奇冠军。当他的事业迎来辉煌的时候，有人问他：“你成功的秘诀是什么?”他回答说：“每当我遇到挫折的时候，我只有一个信念，那就是马上行动，坚持到底。成功者绝不放弃，放弃者绝不会成功!” 好莱坞动作巨星史泰龙你肯定熟悉，他的成名之路首先是推销自己写的剧本《洛基》，并要求自己当男一号，这让很多的制片和导演直言拒绝。据说史泰龙没有放弃，据说被拒绝1850次才成功。这个数字有很多种说法，我也没有考证，反正就是1800多次，不过我想这个数字可能有点山寨，但被拒绝上百次甚至几百次是有可能的，因为史泰龙其貌不扬，而且还残疾，面瘫，

成功销售的十大积极心态

成功销售的十大积极心态自从神奇教练米卢登陆中国后，"态度决定一切"这句话就常常出现在我们的耳边。不错，态度真的决定一切，可是什么样的态度将决定什么样的一切。态度是一个人对待事物的一种驱动力，不同的态度将决定产生不同的驱动作用。好的态度产生好的驱动力，注定会得到好的结果，而不好的态度也会产生不好的驱动力，注定会得到不好的结果。同时，对待任何事物不是单纯的一种态度，而是各种不同心态的综合。作为庞大军团的销售队伍，又应该有什么样的心态呢？ 1、积极的心态首先我们需要具备积极的心态。积极的心态就是把好的，正确的方面扩张开来，同时第一时间投入进去。一个国家，一个企业肯定都有很多好的方面，也有很多不够好的地方，我们就需要用积极的心态去对待。贪污犯还有，可是我们应该看见国家已经大力的整顿了；企业有很多不尽合理的管理，可是我们应该看到企业管理风格的改变。也许你在销售中遇到了很多困难，可是我们应该看到克服这些困难后的一片蓝天。同时，我们应该就正确的、好的事情第一时间去投入，

唯有第一时间去投入才会唤起你的激情，唯有第一时间投入才会使困难在你面前变的渺小，好的地方在你眼前光大。积极的人像太阳，走到那里那里亮。消极的人像月亮，初一十五不一样。某种阴暗的现象、某种困难出现在你的面前时，如果你去关注这种阴暗，这种困难，那你就会因此而消沉，但如果你更加关注着这种阴暗的改变，这种困难的排除，你会感觉到自己的心中充满阳光，充满力量。同时，积极的心态不但使自己充满奋斗的阳光，也会给你身边的人带来阳光。 2、主动的心态主动是什么？主动就是"没有人告诉你而你正做着恰当的事情"。在竞争异常激烈的时代，被动就会挨打，主动就可以占据优势地位。我们的事业、我们的人生不是上天安排的，是我们主动的去争取的。在企业里，有很多的事情也许没有人安排你去做，有很多的职位空缺。如果你去主动的行动起来，你不但锻炼了自己，同时也为自己争取这样的职位积蓄了力量，但如果什么事情都需要别人来告诉你时，你已经很落后了，这样的职位也挤满了那些主动行动着的人。主动是为了给自己增加机会，增加锻炼自己的机会，增加实现自己价值的机

销售人员的十大心态

销售人员的十大心态推销人员通过人员接触起到联系公司与顾客的纽带作用。销售代表对顾客来说就是公司的象徵，同时也为公司带回许多急需的有关顾客的情报资讯。完全可以说，销售队伍是企业最重要的财富之一，是企业市场营销组合的主要组成部分。销售队伍及其成员的素质和能力在很大程度上决定企业市场销售目标的实现程度。特别是对於那些把销售产品或服务作为主要业务的企业，如生产日用工业品的企业、保险业、运输业等，这一方面尤为关键。因此，公司对销售队伍的设计问题需要给予周密的考虑，即应制定销售队伍的目标、策略、结构、报酬、人员、职责、遴选及训练、销售评估等办法。 (一)销售队伍的目标销售队伍的目标必须根据公司目标市场的特点和公司期望在这些市场中所取得的地位来确定。不同的公司都为推销队伍确立不同的目标，但通常都包括以下各项： 1.探寻。销售代表寻找和招徕新的顾客； 2.沟通。销售代表熟练地将公司的有关产品和服务的资讯通报给顾客； 3.推销。销售代表应精通“推销”的艺术──与顾客接洽、向顾客介绍、回答顾客的疑问和达成交易等； 4.服务。销售代表向顾客提供各种服务──对顾客的问题提供谘询意见、给予技术帮助、安排资金融通和加快交货等； 5.收集资讯。销售代表进行市场调研和情报工作并填写访问报告，收集相关的业务资讯； 6.分配。销售代表能评估顾客的信誉，并在产品短缺时分配稀缺产品。 (二)销售队伍策略要从顾客那获得订单，各公司就要相互竞争。他们必须在策略上部署其销售队伍，

这样他们就可在适当的时机和以适当的方式访问适当的物件。销售代表可用以下几种方式与顾客接触： 1.销售代表与购买者个别接触。销售代表通过电话或面对面与潜在顾客或现有顾客交谈； 2.销售代表与购买者群体接触。销售代表向购买者群体作销售介绍； 3.销售小组与购买者群体接触。销售小组(如由一位公司高级职员、一位销售代表和一位销售工程师组成的小组)向购买者群体作销售介绍； 4.推销会议。销售公司派代表和相关高级人员会见多个购买者，举行洽谈会以便讨论有关问题或相互的机会。 5.培训研讨会。公司派一个推销小组到客户公司为他们的有关人员举办教育性的研讨会，讲解和介绍有关领域的最新发展情况。因此，销售代表常常起到“客户经理”的作用，他安排买方和卖方机构的各种人员之间的联系。现在推销工作越来越需要互相配合，需要其他人员的支援，例如需要高层管理部门、技术人员、顾客服务代表和办公室工作人员、包括销售分析人员、订单催办人员和秘书等等人员的支持。公司一旦决定采用一种合意的推销方法，它可使用直接的或合约性的推销人员。直接的推销人员包括专职的和兼职的雇员，他们只为本公司一家做工作。这部分销售人员包括：内部推销人员和现场推销人员，他们在办公室通过电话或接受潜在客户的访问来进行业务工作，或者出差到外地对顾客进行访问。合约性的推销人员则包括生产商的代表、销售代理商或经纪人，他们按其销售量的多寡收取佣金。 (三)销售人员的组织结构销售队伍策略含有组织销售人员的意思。如果一个公司有多种产品或其顾客分布比较复杂

做销售必备的十大心态

做销售必备的十大心态做销售，俗话说：心态决定命运，做销售，最重要的是心态。学习心态为什么那么多的销售人员在同一家公司，同样知名度，同样的24小时，销售一模一样的产品，而工作的收入却相差十倍百倍？差别在于销售能力！通常来说，销售能力的获得有两种方法：一）自我摸索；二）学习成功者证明有效的方法。投资脖子以上的投资，是回报率最高的投资。你对学习的态度决定了你未来成就的高度。事业心态能否做好一件事情，能否做好自己的销售工作，能力很重要，但工作态度更为重要。你能力好，如果你有着非常认真细细致的心态，一定做好一件事情。一个销售工作者的成就、经济收入就来自于销售工作，所以说好好对待自己自己现在的工作，你的工作就会回报你。你每天的工作当作是自己的事业，在将来的几年以后你就拥有自己的真正事业；你好好地对待今天的职业，在将来的几年以后你依然有一份你满意的职业！积极心态任何事情都有两面，你看到好的就看不到坏的，看到美的就看不到丑的。好的美的就吸引着更好更美的人和事，坏和丑也一样，你愿意怎样？培养自己积极的心态：一段时间以后你会养成积极的习惯，销售人员尤其需要好的心态。面对客户的拒绝时：把拒绝定义为老师，即把每次拒绝的痛苦变成了成长的快乐；把拒绝定义成不够了解，即把每次拒绝的痛苦变成了再次拜访的理由。乔·吉拉德说：”当客户拒绝我七次后，我才有点相信客户可能不会买，但是我还要再试三次，我每个客户至少试十次。”这就是世界销售冠军与一般销售人员的区别。记住：你的收入不是来源于成交的客户，而是来源于拜访的总量。感恩心态在我们的一生中要不要有贵人相助？请问当你有能力去帮助别人时，你是愿意帮助那些懂得感恩的人，还是那些狼心狗肺的家伙？这个世界上你认为理所当然的将越来越少，你感恩得越多，你就获得越多。有一句话说：你怎么对待别人，别人就会怎么样对你；你付出多少，你就会得到多少。当我们以一种感恩的态度对待周围的人时，周围的人同样不会忘了感谢你们，感谢得越多，得到的就会越多。感恩也意味着宽容，容则大、大则多。长远心态销售这份工作，你把它当成什么呢？是暂时维持生存的过度，还是准备在这一领域奋斗五年、十年？你是为生计所迫，还是热爱这份工作？成功的人与一般的人最大区别是：一般人只看到眼前的利益，而成功者看到眼前利益的同时，更多的是关注长远未来的利益。吃亏就是占便宜，眼前的一些小亏，往往给你带来长远的利益。必备心态优秀销售员必备十大心态真诚态度是决定一个人做事能否成功的基本要求，作为一个销售人员，必须抱着一颗真诚的心，诚恳的对待客户，对待同事，只有这样，别人才会尊重你，把你当作朋友。业务代表是企业的形象，企业素质的体现，是连接企业与社会，与消费者，与经销商的枢纽，因此，业务代表的态度直接影响着企业的产品销量。自信心信心是一种力量，首先，要对自己有信心，每天工作开始的时候，都要鼓励自己，我是最优

销售人员应该具有的十大心态

销售人员应该具有的十大心态营销人员每天都要很多新的问题与困难，以什么样的心态对待工作，直接决定着营销人员的工作质量。拿破仑·希尔把积极心态作为成功的第一原则。因此，营销人员应重点做好十大心态修炼，那么在实际工作中销售人员应该具有怎样的心态呢？一、积极心态在工作和生活中，每个人都会遇到诸多的困难与矛盾，我们要学会用积极的心态去面对，这样，我们的工作、生活才会阳光灿烂。林语堂说中国人太熟悉三个字了：不可能！消极心态的特征就是这三个字。积极心态就是对事态的积极面关注，并在行动上向积极面推进，即使是消极面也以平静的心态予以接纳，这就是积极心态的特征：不，可能！渴望人生的愉悦.追求人生的快乐，是人的天性，每个人都希望自己的人生是快乐的，充满欢声笑语的。可是在现实生活中并不如真空状态简单纯一，不如意的事情是难免的。事物永远是阴阳同存，积极的心态看到的永远是事物好的一面，而消极的心态只看到不好的一面。积极的心态能把坏的事情变好，消极的心态能把好的事情变坏。当今时代是悟性的赛跑！积极的心态象太阳，照到哪里哪里亮，消极的心态象月亮，初一十五不一样，不是没有阳光，是因为你总低着头，不是没有绿洲，是因为你心中一片沙漠。乐观心态的人往往将人生的感受与人的牛存状态区别开来，认为人生是一种体验，是一种心理感受，即使人的境遇由于外来因素而有所改

变，人们无法通过自身的努力去改变自己的生存状态，人也可以通过自己的精神力量去调节自己的心理感受，尽量地将其调适到最佳的状态。要拥有乐观的心态，首先目光就要盯在积极的那一方面。一个装了半杯酒的酒杯，你是盯着那香淳的下半杯，还是盯着那空空的上半杯?积极心态的人，我们总能看到他们乐观、积极、开朗的一面。有一次，苏格拉底跟妻子吵架后，刚走出屋子，他的妻子就把一桶水浇在他头上，弄得他全身尽湿，苏格拉底于是自我解嘲地说：“雷声过后，雨便来了”一个乐观的人，当他面临苦难和不幸时，绝不自怨自悲.而以一种幽默的态度，豁达、宽恕的胸怀来承纳。乐观的心态是痛苦时的解脱，是反抗的微笑，笑是一种心情，时时有好心情是一种境界。“一个人若能将个人的生命与人类的生命激流深刻地交触在一起，便能欢畅地享受人生至高无上的快乐。” 二、主动的心态: 对于营销人员来说，工作具有极大的挑战性，很多的时候没有人告诉你哪些事该做、哪些事不该做，完全靠自己的悟性和主动，为什么有的人五年之内坐上了老总的位置，而有的营销人十多年了，还在原地踏步重复昨天的故事，关键还是主动。“被动就会挨打”，只有怀着主动的心态做事，在工作中我们才有机会锻炼自己，为自己的成功积蓄力量，社会、企业只能给你提供道具，而舞台需要自己搭建，演出需要自己排练，能演出什么精彩的节目，有什么样的收视率决定权在你自己。三、空杯的心态

一张卡片创造的营销奇迹

一张卡创造的营销奇迹通过国际扩张发展成为一家国际性的零售巨头，经过80年的努力，2003年特易购终于扬眉吐气，首次在英国企业中排名第一。对于特易购制胜的原因，现任首席执行官特里?莱希说，“过去我们只是抄袭对手的招数，虽然可以赚钱，但不会成为市场第一。于是，有一天，我们决定停下来，放弃跟随市场，开始追随我们的顾客。”特里?莱希所谓的追随顾客，最主要的行动就是，从1995年起，开始实施忠诚计划——“俱乐部卡”（Clubcard），并且根据俱乐部卡得到的信息数据细分的顾客数据来设立特易购13个“利基俱乐部”，通过俱乐部提高客户对公司的忠诚度，帮助公司将市场份额从1995年的16%上升到了2003年的27%，成为了英国最大的连锁超市集团。特易购凭什么赢特易购俱乐部卡绝对不是第一个超市忠诚计划，但它是最用心、做得最成功；特易购也没有发明零售业的忠诚营销的概念，它所做的是把这种思路带到了一个商业谋略和效益的全新高度。对顾客说“谢谢你” 20世纪80年代以来，英国主要商业街区的自助式超市被大型店铺及巨型店铺所替代，更多的选择和更优的价格取而代之，因此顾客变得无足轻重——直到俱乐部卡出现。俱乐部卡本身并不产生忠诚——它是产生让特易购按获得积分的比例对顾客的忠诚说“谢谢你”的一个媒介。特易购清醒地意识到，产生忠诚的是总的顾客体验，而非促销。因此要与顾客建立一种情感上的沟通，赋予顾客被尊重的优越感，才能为企业创造更多的价值。在俱乐部卡推出的前一个星期，市场推广团队和广告代理商合作，迅速推出了与品牌完美结合的广告“一点一滴都有好处”，获得了各顾客团体压倒性的肯定。特易购的宣传切中要点：

销售人员十大心态

直销人十大心态

直销人十大心态观念是人们在实践当中形成的各种认识的集合体。心态是指对事物发展的反应和理解表现出不同的思想状态和观点。"心态"是决定人们思维模式和行为方式的一种心理状态或态度宇宙即我心，我心即宇宙。细微至发梢，宏大至天地。世界、宇宙乃至万物皆为思维心力所驱使。一、积极(乐观)的心态事物永远是阴阳同存的，积极的心态能把坏的事情变好，消极的心态能把好的事情变坏。积极的心态象太阳，照到哪里哪里亮；消极的心态象月亮，初一十五不一样。不是没有绿洲，是因为你心中只有沙漠。无论发生什么事情都是好事。（非洲土人穿鞋的故事）、国王与丞相的故事二、自信（相信）的心态人们永远顺着相信的方向走，您一定要相信您的公司、产品、制度，相信您的老师，相信您的团队伙伴，积极的人问题是过程，消极的人问题是打击。相信是成功的开始，更重要的是您一定要相信您自己一定能成功，奇迹就会发生！感谢高山，锻炼了我的腿！感谢拒绝，磨练了我的嘴！感谢嘲笑，让我一生笑！感谢梦想，让我一生辉煌！三、学习的心态学习是储备知识的唯一途径，知识能给梦想插上腾飞的翅膀，学习是给自己补充能量，先有输入，才能输出。成功是学习的过程，只有不断的学习，才能不断摄取能量，才能适应社会的发展，才能生存下来。学习是积累财富的过程，是创造财富的过程，当今学习就是创收，学习就是创业。四、归零的心态就是空杯的心态，就是一切从头再来。三百六十行，行行出状元，但是隔行如隔山，第一次成功相对比较容易，第二次却不容易，原因是不能归零。如果你要喝一杯咖啡，就必须把杯子里的茶先倒掉。归零的心态就是空杯的心态，就是一切重头再来，就象大海一样，把自己放在最低点，来吸纳百川！五、感恩的心态可见，感恩是一种处世哲学，是生活中的大智慧。人生在世，不可能一帆风顺，种种失败、无奈都需要我们勇敢地面对、旷达地处理。这时，是一味地埋怨生活，从此变得消沉、萎靡不振？还是对生活满怀感恩，跌倒了再爬起来？感恩周围的一切，包括坎坷、困难和我们的敌人。生活在感恩的世界里感激伤害你的人，因为他磨炼了你的心志；感激欺骗你的人，因为他增进了你的见识；感激鞭打你的人，因为他消除了你的业障；感激遗弃你的人，因为他教导了你应自立；感激绊倒你的人，因为他强化了你的能力；感激斥责你的人，因为他助长了你的定慧；

销售最高境界是创造需求

[销售最高境界是创造需求] 一个乡下来的小伙子去应聘城里“世界最大”的“应有尽有”百货公司的销售员。老板问他：“你以前做过销售员吗？”他回答说：“我以前是村里挨家挨户推销的小贩子。”老板喜欢他的机灵：“你明天可以来上班了。等下班的时候，我会来看一下。” 一天的光阴对这个乡下来的穷小子来说太长了，而且还有些难熬。但是年轻人还是熬到了5点，差不多该下班了。老板真的来了，问他说：“你今天做了几单买卖。”“一单”年轻人回答说。“只有一单？”老板很吃惊地说：“我们这儿的售货员一天基本上可以完成20到30单生意呢。你卖了多少钱？”“300,000美元”年轻人回答道。你怎么卖到那么多钱的？目瞪口呆，半晌才回过神来的老板问道。 “是这样的”乡下来的年轻人说，“一个男士进来买东西，我先卖给他一个小号的鱼钩，然后中号的鱼钩，最后大号的鱼钩。接着，我卖给他小号的鱼线，中号的鱼线，最后是大号的鱼线。我问他上哪儿钓鱼，他说海边。我建议他买条船，所以我带他到卖船的专柜，卖给他长20英尺有两个发动机的纵帆船。然后他说他的大众牌汽车可能拖不动这么大的船。我于是带他去汽车销售区，卖给他一辆丰田新款豪华型巡洋舰。老板后退两步，几乎难以置信地问道：“一个顾客仅仅来买个鱼钩，你就能卖给他这么多东西？”“不是的，”乡下来的年轻售货员回答道，“他是来给他妻子买卫生棉的。我就告诉他…你的周末算是毁了，干吗不去钓鱼呢？李嘉诚曾经说过“我一生最好的经商锻炼是做推销员，这是我用10亿元也买不来的”。很多人一谈到销售，就简单的认为是“卖东西”，这只是对销售很片面的理解，其实人生无处不在销售，因为销售实际上是一个分析需求、判断需求、解决需求、满足需求的过程。比如我们到一个新的环境，进行自我介绍，就是对自己的一种销售；再譬如我们做一个学术报告，就是在向与会者销售自己的一些观点，诸多种种不胜枚举。但在实际中很多人的销售并不是很成功，营销人员拼命的预约、讲解、讨好客户，跑折了腿、磨破了嘴，可客户就是不买账；追其原因，其实就是分析、判断、解决需求有了偏差，对方的需求得不到满足，我们的目标就很难达成。经常看见营销人员见到客户就迫不及待的介绍产品、报价，恨不得马上成交，听着他的专家般讲解，往往让人感叹其销售知识的匮乏，使得他的专业知识不能得到很好的发挥。销售是有规律可循的，就象拨打电话号码，次序是不能错的。销售

成功营销人员必备十大心态2信心

第2节信心有些营销人员在顾客面前常常羞于启齿，总是怕自己说错了让顾客笑话，这就是缺乏自信的表现。美国著名心理医生基恩博士常跟病人分享下面的故事。一天，几个白人小孩正在公园里玩，这时，一位卖氢气球的老人推着货车进了公园。白人小孩一窝蜂地跑了过去，每人买了一个，兴高采烈地追逐着放飞在天空中的色彩艳丽的氢气球。在公园的一个角落里躺着一个黑人小孩，他羡慕地看着白人小孩在嬉笑，觉得他们手中的气球真是了不起，可以在空中飞，但他却不敢过去和他们一起玩。白人小孩的身影消失后，他才怯生生地走到老人的货车旁，用略带恳求的语气问道：“您可以卖一个气球给我吗？”老人用慈祥的目光打量了一下他，温和地说：“当然可以。你要一个什么颜色的？” 小孩鼓起勇气回答说：“我要一个黑色的。”脸上写满沧桑的老人惊诧地看了看小孩，旋即给了他一个黑色的氢气球。小孩开心地拿过气球，小手一松，黑气球在微风中冉冉升起，在蓝天白云的映衬下形成了一道别致的风景。老人一边眯着眼睛看着气球上升，一边用手轻轻地拍了拍小孩的后脑勺，说：“记住，气球能不能升起，不是因为客观存在的颜色、形状，而是因为气球内充满了氢气。一个人的成败不是因为种族、出身，关键是你的心中有没有自信，有没有向上升腾的活力。”那个黑人小孩便是基恩。几乎每一个营销人员在进入职业生涯领域之初都或多或少的会有些害羞的心理，而优秀的营销人员善于调控自己的心态，在很短的时间内为自己树立起信心。一、妄自菲薄等于自降身价 1.相信自己并不平庸一个人遇到的最大对手就是自己。很多人可以战胜别人，但却不能战胜自己。你要想成大事，就必须充分地相信自己并不平庸。只有相信自己是有用之才，你才会精力充沛，豪情万丈，活得有滋有味。胸无大志、自暴自弃、破罐子破摔，怎么会成就一番事业呢？一个缺乏自信的人，他最大的任务就是要战胜藏在自己心底的恐惧、怀疑和忧虑。你越小瞧自己，你就越做不成什么大事，但是如果你总是鼓励自己，给自己信心和力量，你就会向越来越高的目标前进。 2.要相信自己也许人生道路上最大的障碍就是妄自菲薄。这比别人故意为你设置的障碍更加可怕。因为一个妄自菲薄的人永远都不可能真正实现自身的价值。一个哲人曾说过：“当一个人自己都认为自己不行的时候，宇宙中就再也找不到什么神秘的力量可以帮助他了。” 小蜗牛问妈妈：为什么我们从生下来开始，就要背负这个又硬又重的壳呢？妈妈：因为我们的身体没有骨骼的支撑，只能爬，但又爬不快。所以要这个壳的保护！小蜗牛：毛虫姐姐没有骨头，也爬不快。为什么她却不用背这个又硬又重的壳呢？妈妈：因为毛虫姐姐能变成蝴蝶，天空会保护它啊。小蜗牛：可是蚯蚓弟弟也没骨头，也爬不快，也不会变成蝴蝶，它为什么不用背这个又硬又重的壳呢？

成功营销人员必备十大心态7耐心

俗话说，心急吃不了热豆腐。也就是说，欲速则不达。一个有所追求的人，往往需要有极大的耐心，深入了解事物的关键所在，才能有的放矢，圆满地达成目标。子夏被派到莒父任地方官，临行前向孔子请教如何为官。孔子对子夏说： “你到了莒父后会面临很多事情，你做事要有耐心，不要单纯追求速度，不要贪图小利。单纯追求速度，不讲效果，反而达不到目的；只顾眼前小利，不讲长远利益，那就什么大事也做不成。” 子夏到莒父后，按照孔子所说，耐下心来，首先对当地的情况进行了一番调查，在调查的基础上总结出当地的一些问题。然后再按照这些问题的轻重缓急，一一处理。三年后，莒父被子夏治理得井井有条。面对难题的时候，应该学会等待，慢慢寻找成熟的时机，如果急于求成，往往会适得其反。营销人员每天要面对很多顾客，都希望这些顾客能够接受自己的服务。但是，事实上顾客不可能一下子就认可你、接受你，这就需要营销人员以足够的耐心去面对顾客，让顾客真正感受到你的服务能够给他带来的好处。一、不要急于求成许多营销人员急于卖出产品，这样极易导致浮躁的情绪，使人沉不住气。其实，成功是讲究储备的，仓库里的东西越充足，成功的机会就越大，才可能走得更远。成功之路就如同一场马拉松赛跑，一开始领先的人不一定就能成为全程的优秀者，甚至都不可能跑完全程。在遥远的营销征途上，耐心的积累将会起到决定性的作用。营销人员，特别是刚刚进入营销领域的人，一定要沉住气。不是每一次推销都会成交，恰恰相反，大多数推销都会无功而返。营销人员一定要有耐心，要学会等待，用耐心改变自己的命运。只有水到，方可渠成，欲速则不达。田野里，庄稼沐浴着阳光雨露，茁壮成长。也许你看不出庄稼每天都在长，但它却是实实在在地长高了。一个宋国人靠种庄稼为生，有一天，他自言自语地说：“庄稼呀，快长高、快长高……”他一边念叨，一边顺手去拔身上衣服的一根线头，线头没拔断，却拔出来了一大截线。宋国人望着线头出神，突然，他的脑子里蹦出一个主意：“对呀，我原来怎么没想到，就这么办！”宋国人一跃而起开始忙碌，他把田里的庄稼一根根全拔了起来。看着庄稼马上“长高”了不少，宋国人心里好高兴。可是没几天，他的庄稼全枯死了。耐心是改变命运的最快速度，不会耐心等待，就有可能面临失败；没有耐心，急于求成，不但会失去很多成功的机会，还有可能像那个宋国人一样，到头来颗粒无收。销售经验是需要日积月累的，顾客群也是需要慢慢培养的。要遵循细水长流的自然规律，厚积薄发。记住：80%的销售收入来自20%的顾客，要对顾客有耐心，不要急于求成，急于求成是销售工作的大忌。我销售我进步不是每一次播种，都会有所收获耐心是改变命运的最快速度急于求成是成功的大敌二、让顾客慢慢接受你要想让顾客接受你的产品，必须先让顾客接受你。而让顾客接受你，需要一个很长的过

成功销售员必备的“十大心态”

成功销售员必备的“十大心态” 1、积极的心态首先我们需要具备积极的心态。积极的心态就是把好的，正确的方面扩张开来，同时第一时间投入进去。一个国家，一个企业肯定都有很多好的方面，也有很多不够好的地方，我们就需要用积极的心态去对待。贪污犯还有，可是我们应该看见国家已经大力的整顿了；企业有很多不尽合理的管理，可是我们应该看到企业管理风格的改变。也许你在销售中遇到了很多困难，可是我们应该看到克服这些困难后的一片蓝天。同时，我们应该就正确的、好的事情第一时间去投入，唯有第一时间去投入才会唤起你的激情，唯有第一时间投入才会使困难在你面前变的渺小，好的地方在你眼前光大。积极的人像太阳，走到那里那里亮。消极的人像月亮，初一十五不一样。某种阴暗的现象、某种困难出现在你的面前时，如果你去关注这种阴暗，这种困难，那你就会因此而消沉，但如果你更加关注着这种阴暗的改变，这种困难的排除，你会感觉到自己的心中充满阳光，充满力量。同时，积极的心态不但使自己充满奋斗的阳光，也会给你身边的人带来阳光。 2、主动的心态主动是什么？主动就是没有人告诉你而你正做着恰当的事情。在竞争异常激烈的时代，被动就会挨打，主动就可以占据优势地位。

我们的事业、我们的人生不是上天安排的，是我们主动的去争取的。在企业里，有很多的事情也许没有人安排你去做，有很多的职位空缺。如果你去主动的行动起来，你不但锻炼了自己，同时也为自己争取这样的职位积蓄了力量，但如果什么事情都需要别人来告诉你时，你已经很落后了，这样的职位也挤满了那些主动行动着的人。主动是为了给自己增加机会，增加锻炼自己的机会，增加实现自己价值的机会。社会、企业只能给你提供道具，而舞台需要自己搭建，演出需要自己排练，能演出什么精彩的节目，有什么样的收视率决定权在你自己。 3、空杯的心态人无完人。任何人都有自己的缺陷，自己相对较弱的地方。也许你在某个行业已经满腹经纶，也许你已经具备了丰富的技能，但是你对于新的企业，对于新的经销商，对于新的客户，你仍然是你，没有任何的特别。你需要用空杯的心态重新去整理自己的智慧，去吸收现在的、别人的正确的、优秀的东西。企业有企业的文化，有企业发展的思路，有自身管理的方法，只要是正确的，合理的，我们就必须去领悟，去感受。把自己融入到企业之中，融入到团队之中，否则，你永远是企业的局外人。 4、双赢的心态杀头的事情有人干，但亏本的买卖没人做，这是商业规则。你必须站在双赢的心态上去处理你与企业之间的、企业与商家之间的、企业和消费者之间的关系。你不能为了自身的利益去损坏企业

(营销技巧)如何创造万到万销售奇迹

如何创造80万到6000万销售奇迹我国乳业市场有着巨大的增长潜力和发展空间，不但引来跨国乳业巨头的激烈争夺，更诱发了“饲料大王”希望集团、“豆奶大王”维维集团等携巨资杀入，而光明、伊利、三元等全国性领导品牌则加快了跑马圈地、抢夺奶源的步伐。在这场牛奶市场的鏖战中，一个地方弱势品牌却以极低的成本和投入，创造了在不到两年的时间内销量由80万迅速增长到6000万、区域市场占有率高达30%的奇迹。杰信的策划专家作为这场奇迹的策划者和创造者，我们现在公开低成本开发牛奶市场的策略和方法，希望能够带给中国乳品业些许启示和参考。一、市场背景与企业现状 (一)市场背景： 1、行业现状与规模：据统计，近几年来我国乳品行业呈现快速、强劲的拉升态势，乳品消费总量和人均消费量均以超过15%的增幅增长，成为我国食品工业中发展最快、成长性最好的朝阳产业，2001年我国牛奶总产量达1000万吨，其中液态奶制品产量达900万吨。

2、行业竞争状况：据中国乳制品工业协会统计，目前国内日加工能力超过100吨的企业只占5%，大部分在20吨以下；年销售额500万元以上的企业有359家，上亿元的只有12家。中国乳业真正的全国性品牌只有光明、伊利、三元等几家，其余均为地方性品牌，牛奶品牌呈现出明显的区域性垄断特点，如“三元”北京市场占有率92.6%，“光明”上海占有率87.1%，“燕塘”广州占有率43.8%，“菊乐”成都占有率53.4%，“华西” 52.9%。 3、行业发展潜力与空间：目前我国牛奶人均占有量仅为7.6公斤，世界平均水平是100公斤，欧美则达到了300公斤，与发达国家相比有着较大的差距。据中国乳制品工业协会预测，未来5年，我国乳类产品消费将大幅度增加，特别是液态奶，预计年增长率可达30%，而且乳业被列为国家重点扶持项目，由九部委局联手推动的“国家学生饮用奶计划”的实施，将拉动乳业需求每年增加150万吨，我国乳业市场发展潜力与空间巨大，前景广阔。 (二) 公司状况：梁丰乳业是以其母公司F食品集团公司为依托，于2000年5月份开始筹建。公司总部坐落在江苏省的一个县级市，是国家级的卫生模范城市，被国家列为全国城市建设的标兵和样板。其母公司F食品集团公司于20世纪60年代由饲养10头奶牛起家，

成功销售人员的十大特质

成功销售人员的十大特质一、成功销售员应该具备的第一项素质：强烈的自信心。销售员销售的第一产品是什么？就是销售员自己。把自己成功的推销出去，你的销售就成功了一半。很难想象，一个对自己都没有信心的人，又怎么可以把自己、把公司的产品成功的销售给客户。成功销售员都具有强烈的自信心和自我价值。信心来自哪里？信心来自了解。我们要了解我们的行业，了解我们的公司，了解我们的产品。另外，我们一定要了解我们自己。下面是三个提升信心的方法: （一）想象成功。信心是可以通过对成功影象的想象来重建的。想象一下你曾经成功的说服过别人，想象你曾经有过的一次成功的恋爱经历，想象你以前曾经成功的说服客户达成交易的经历。让成功的影象牢牢的印在脑海里，不断刺激你的神经，你就会发现你已经革心换面，充满活力，以饱满的斗志迎接新的一天！（二）总结过去失败的经验。失败不是成功之母，总结才是成功之母。通过总结，人们在失败的经验上学习得到的更多。世界上从来就没有一帆风顺的成功者，成功者都是在不断的总结失败的经验上获得最后的成功。当贝尔发明电话的时候，有成千上万的人失败了，放弃了，只有贝尔和爱迪生离成功最近，但是，最后法院把专利权判给了贝尔。为什么？就是因为贝尔比爱迪生多一“点”，他把电话机上的一颗螺丝旋转了90度，从而改变了电话的音质。贝尔的成功就在于他不断失败和在失败后的总结。成功其实就是比失败多那么一“点”。（三）集中注意力。把你的注意力集中到正面、积极的思维上来，充分调动你所有积极的心态，不要让消极的情绪影响自己。消极的情绪就象癌细胞会在我们的思想内扩散，会在人群里传染，如果不把它从自己的体内切除，那么，它最终会毁了我们的事业和前途。二、成功销售员应该具备的第二项素质：勇敢。销售人员最恐惧的是什么？就是被拒绝。下面是几个问题：A、你对被拒绝的定义？什么事发生了你才算是被客户拒绝了？B、客户用怎样的语气对你说，你才感觉被拒绝？C、你的客户的面部表情怎样的时候，你才感觉被拒绝？设想一下，你到商场去买衣服。当你迈进商场的时候，马上就会有一位笑容可掬的导购小姐来到你的面前，不厌其烦的向你介绍各种款式、面料的服装。这时候，你神情严肃，板

成功营销人员必备十大心态4爱心

第4节爱心有位孤独的老人决定出售他漂亮的住宅，然后搬到养老院去安度余生。他的这一举动引起了社会的广泛关注，也得到了不少好心人的支持。底价８万英镑的这套住宅，很快就被人们炒到了１０万英镑，而且价格仍在攀升。可是，老人显得并不高兴，相反却越来越郁闷了。有一天，一个衣着朴素的青年来到老人跟前，恭敬地说：“先生，我也很想购买这栋住宅，但我只有１万英镑。可是，如果您把住宅卖给我，我保证会让您依旧生活在这里，和我一起喝茶、读报、散步，天天都快快乐乐的——相信我，我会用整颗心来照顾您！” 老人颔首微笑，把住宅以１万英镑的价钱卖给了他。其实，老人需要的并不是多少财富，也不是慈善家们所谓的“义买”，他需要的是人们对他的真诚爱心。作为营销人员，你只有拥有一颗爱人之心，才能够真正地深入顾客的内心，了解顾客的需求，并通过满足这种需求，实现自己的目标，成就远大的理想。一、人人都是潜在顾客优秀的营销人员应该是一个真正有爱心的人。他可以随时随地向所认识的人贡献爱心而不求回报。这种无私的爱贯穿整个营销活动，其所获得的回报，可能比他预想的还要多。因为事实上，营销人员认识的所有人，乃至这些人的家人、朋友、同事等，也都是他的潜在顾客。爱心使营销人员与顾客建立起了长期的信任关系和稳定的沟通渠道，它可以帮助营销人员打开更多潜在顾客的心扉，帮助他们解决生活中遇到的问题，从而也因此实现自己的销售目标。吉拉德是世界上有名的营销专家。在商业推销史上，他独创了一个巧妙的促销法，被世人广为称赞。吉拉德创造的是一种有节奏、有频率的“持续关心别人”的促销法。他认为所有已经认识的人都是自己潜在的顾客，而“顾客是我们的衣食父母”，对这些潜在的每一位顾客，每年他大约要寄上１２封广告信函，每次均以不同的色彩及形式投递，并且在信封上尽量避免使用与他的行业相关的名称。１月份，他的信函展现的是一幅精美的喜庆气氛图案，同时配以几个大字“恭贺新禧！”下面是一个简单的署名：“雪佛兰轿车，乔伊· 吉拉德敬上。”此外再无多余的话。即使遇上大拍卖期间，也绝口不提买卖。２月份，信函上写的是：“请你享受快乐的情人节！”下面仍是简短的签名。３月份，信中写的是：“祝你圣巴特利库节快乐！”圣巴特利库节是爱尔兰人的节日。也许你是波兰人，或是捷克人，但这无关紧要，关键的是他不忘向你表示祝愿。然后是４月、５月、６月……每月一张。不要小看这几张印刷品，它们所起的作用并不小。不少顾客一到节日，往往会问夫人：“过节有没有人来信？”“乔伊·吉拉德又寄来一张卡片！” 这样一来，每年中就有１２次机会，使乔伊·吉拉德的名字在愉悦的气氛中来到每个家庭。吉拉德没有说一句：“请你们买我的汽车吧！”但这种“不说之语”，不讲推销的推销，反而给人们留下了最深刻、最美好的印象。等到他们打算买汽车时，往往第一个想到的就是吉拉德。不要奢求每一次播种都有收获，今天不是自己的顾客，并不代表明天不是。成功的营销