CN106911470A - A kind of bit coin transaction privacy Enhancement Method - Google Patents

Abstract

A kind of bit coin transaction privacy Enhancement Method, its step is as follows：1st, initialization, output system encryption and decryption and checking initial value；2nd, total input amount of money is calculated；3rd, each number for sending is encrypted；4 carry out verification process, it is ensured that trading value is always just, and ensure that transaction input and output are equal；5th, it is transmitted after being verified, recipient's decryption；6th, trading card discloses the whole network and is confirmed.By above step, the problem existed from existing bit coin system is produced, and then carries out complete design, for solving the problems, such as the exposed privacy leakage of number in bit coin system；It covers bit coin system, homomorphic cryptography system and commitment value and proves several cryptographic primitives, by the method for different field from new opplication in the enhanced practical problem of privacy, the method has encryption and decryption, homomorphic characteristic, Zero Knowledge characteristic, security, high efficiency and compatibility, realizes the smooth process of exchange of bit coin after encryption.

Description

A kind of bit coin transaction privacy Enhancement Method

(1) technical field：

The present invention devises a kind of bit coin transaction privacy Enhancement Method, for protecting the plaintext in bit coin process of exchange Number safety.Scheme realizes the encrypting and decrypting computing to number by adding homomorphism system, it is ensured that the number in transmitting procedure Privacy, while proving to ensure that hide number in transaction is always just and the equal requirement of input and output total value by commitment value. The program belongs to cryptography and cryptography currency field in information security.

(2) technical background：

2008, this acute hearing (Satoshi Nakamoto) was designed and has issued a kind of point-to-point go in Japan PROCEDURE person Heart digital cash --- bit coin.Bit coin system is proposed based on point-to-point new distribution type pattern, eliminates tradition The trusted-authority of electronic money.Decentralization that bit coin and bottom block chain technology show, information can not distort, Information wide-scale distribution, information anonymity characteristic are gradually paid close attention to by academia and industrial quarters and launch further investigation.

The generation of bit coin has driven a series of the Internet moneys based on cryptography to rise with development.According to operation principle Difference, three classes can be roughly divided into：It is based on PoW, based on PoS and based on PoW+PoS.POW(Proof of Work, proof of work) refer to that how many currency obtained, the workload of ore deposit contribution is dug depending on you, computer performance is better, gives you Ore deposit will be more, the currency of representative has：Bit coin, Lay spy coin, dog dog coin, Zcash.POS (Proof of Stake, equity Prove) according to you hold currency amount and the time carry out the system of interest distribution, under POS patterns, income is just for your " digging ore deposit " Than in your coin age, and unrelated with the calculating performance of computer, representative has：Bit stock, the black coin in intelligent mill.Based on PoW+PoS's Representative has：Ether mill, point point coin.Others also have some currency such as：Auspicious ripple coin, fixed star coin, contract coin.

The rise of bit coin and other electronic money has triggered the extensive use for block chain technology, during block chain 1.0 In generation, be the bottom industrial structure formed as core with digital cash such as bit coin, forms ore deposit machine, ore deposit pond, digital cash, payment Wallet, exchange, the industrial colony of digital cash gateway and industrial chain.In the epoch of block chain 2.0, the focus of technology and application is from list The application that pure electronic money is transferred to Floor layer Technology block chain technology comes up, form diversification, Suresh Kumar, many scenes should With classification and industry are high across big, degree of independence.Assets checking, financial service, charitable, media and community, research and investment, The fields such as intelligent contract, just false proof, transaction in assets, bank settlement, ecommerce, social communication, Internet of Things, file storage.

For the transaction privacy leakage problem brought that large area bit coin is used, scheme adds homomorphic cryptography by using Scheme Paillier systems are encrypted transmission to plaintext number of deals.The system is to be carried by Pascal Paillier for 1999 Go out, the difficulty of encryption system is based on closing number rank residue class difficult problem, with the anti-chosen -plain attact under master pattern Safety.The system has plus homomorphic characteristic so that the ciphertext after to encryption carries out multiplying operation realizing adding in plain text accordingly Reducing, the property applies to the verification process in the case of privacy is not revealed.Except homomorphic characteristic, the system is also equipped with efficiently Property so that scheme can meet and handed in bit coin by carrying out precomputation and quickly being calculated with Chinese remainder theorem Encrypting and decrypting step in the easy time.

After being encrypted with encryption system, the ciphertext of generation will be present in each trading card.It is corresponding close to ensure The satisfaction of the hiding plaintext of text has used the commitment value to prove to be verified on the occasion of and with equal requirement, scheme.Proof is held Promise value red et al. method for proposing before specific interval was using 2004 5, the method ensures under the relatively simple process of step Small extension field, makes secret number remain on the occasion of can demonstrate,prove.The equal utilization Hash mapping value of two commitment values of proof is equal Thought, verifies that two commitment values include same secret in the case where not revealing by promise number.Two commitment value proof schemes All possesses Zero Knowledge characteristic, it is ensured that the number after encryption is not compromised in verification process.

(3) content of the invention：

1st, purpose：The purpose of the present invention is to propose to a kind of bit coin transaction privacy Enhancement Method, with realizing process of exchange Original number of deals is encrypted hiding privacy enhancing function in plain text.On the one hand scheme makes the ciphertext value after encryption good Protect dealer's privacy, on the other hand also ensure hiding trading value be always on the occasion of and number of deals before and after sum one Cause, to meet the compatibility with former bit system.

2nd, technical scheme：

The inventive method is divided into six steps, and six steps are scattered in transaction layer and validation layer successively：1) system initialization, Generation initial value.2) calculate the total input value of transaction, i.e., go up single cross easily with digging ore deposit total income.3) system uses recipient in transaction layer Public key distinguishes encrypted transmission number, while using each number of the identical number of system public key encryption in validation layer.4) in checking Whether as evidence layer verifies the number after hiding, and whether input and output total value is equal.5) after validation layer is verified, transaction layer Number after encryption is sent to recipient, recipient is decrypted according to the private key of oneself.6) recipient checks and find correct laggard Row the whole network broadcast trading card etc. is to be confirmed.

2.1 rudimentary knowledge：

2.1.1 bit coin system

Bit coin system includes three skill elements：Transaction, common recognition mechanism, distributed network.Three skill elements Form the three-decker of bit coin and block chain：Trading card, block, block chain.The existence form of bit coin be it is some not Reversible trading card, the transaction data of several users per transaction unirecord, including transaction source and send address, number of deals The information such as volume, signature.Can all there is a special identifier symbol generated by SHA-256 hash algorithms to come to transaction in per transaction list Singly it is identified.Must carry out broadcasting etc. to be confirmed to the whole network after the completion of every transaction list.When each absence from work without reason was to one section of past Between trading card verified after and find an initial character continuously for a data block can be generated after the cryptographic Hash of d zero, often Individual data block generates and final after six data blocks confirm and can not change behind.Not modifiable data block forms a chain type Structure, i.e. block chain.The generation of block is confirmed by the calculation power of distributed the whole network node, and calculation power is more big more is easily found New block, but due to the corresponding adjustment of difficulty in computation, the corresponding calculating time is maintained at 10 minutes or so.Bit coin system phase For the specific decentralization of original electronic-monetary system, can not forge, it is open can verify that, the advantage, the system such as cryptography safety By nearly 9 years verified its stability of development and expansion.

2.1.2Paillier public encryption system

Paillier encryption systems provide the anti-chosen -plain attact safety under master pattern, possess efficient encryption solution Close efficiency and add the characteristic of homomorphism, the system encryption and decryption step is as follows：

Generation：If p and q is Big prime, g is that system generates unit, makes n=pq, calculates λ=λ (n)=lcm (p-1, q-1), Wherein public key is (n, g), and private key is λ.

Encryption：C=g^m·rⁿ mod n², wherein r is any selection.

Decryption：

Homomorphic characteristic：Dec_sk(Enc_pk(m₁)·Enc_pk(m₂)mod n²)=m₁+m₂mod n。

2.1.3 commitment value is proved

Commitment value proves to be mainly used in the validation layer of scheme, on the one hand solves to be always just by commitment value, on the other hand solves Ensure the equal characteristic of input and output after certainly being operated by commitment value.In order to ensure the privacy number after being encrypted to be always On the occasion of to prevent the stealing of bit coin, scheme employs Wu Qianhong et al. in the commitment value of proposition in 2004 in specific interval Efficient proof method.The method design procedure is relatively easy, and extension field is 1 so that can be limited to by promise number specific Interval, lower bound is set to 0 by scheme, you can prove by promise number be on the occasion of.In order to ensure encryption after numerical value as output with Transaction input value self-consistentency, scheme is employed proves that two are promised to undertake the equal method of number.Program mentality of designing is simple, passes through Secret value is hidden in commitment value, and adds the value that randomly selects, enter using whether the value of hash function twice is equal Row judges whether self-consistentency, you can prove by before and after commitment value and always.

2.2 technical scheme contents

A kind of bit coin transaction privacy Enhancement Method of present invention design, the method is divided into six steps according to flow carries out reality Existing, scheme framework is divided into transaction layer and validation layer two-layer, and six steps are sequentially distributed among two-layer；

A kind of bit coin transaction privacy Enhancement Method of the present invention, its operating procedure is as follows：

Step 1：System initialization/KeyGen：Generate the security parameter for encryption and decryption computing and checking；System is input into Security parameter, exports public key and private key for the generation of encryption and decryption computing to (pk_i,sk_i), while exporting the public affairs for verifying Key pk_d, note this public key without pairing private key；

Step 2：Calculate input total value/Insum：The total input value of transaction is calculated, that is, goes up single cross easily (non-first with digging ore deposit total income Beginning block chain then take in by no this item)；If the trading card is as the new block for confirming, the trading card will obtain 50 extra ratios Used as reward, total income is the summation that the part mutually operates with former ciphertext in plain text to special coin expense；If the trading card is not new confirmation Block is first single, then without additional income, total income is the value that single cross is easily transmitted；

Step 3：Encrypted entry/Encrypt：System distinguishes encrypted transmission number in transaction layer using recipient's public key, while Each number of the identical number of system public key encryption is used in validation layer；To pass through in validation layer in the encrypted number of transaction layer After send to each recipient's account, it is noted that the encryption number sent in validation layer will into " mute's account ", the account without Private key, the amount of money is abandoned after this authentication；

Step 4：Checking item/Verify：Whether number after validation layer checking is hidden is on the occasion of and input and output are total Whether volume is equal；Validation layer is divided into two steps, and the first step proves the hiding amount of money by commitment value in specific interval method of proof Be always on the occasion of；The equal method of proof of used two commitment values of second step proves total phase before and after hiding amount of money input and output Deng；When two steps are true, into the sending link of transaction layer；

Step 5：Decryption item/Decrypt：After validation layer is verified, the number after encryption is sent to reception by transaction layer Person, recipient is decrypted according to the private key of oneself；After the reception amount of money that recipient checks oneself is correct, continue next single Transaction；The reception value of the recipient is next single input value；

Step 6：Broadcast acknowledgements/Broadcast：I.e. recipient carries out the whole network broadcast trading card and waits true after checking and finding correct Recognize；The ciphertext for that cannot distinguish will be hidden by cleartext information original on the trading card after program treatment, it is ensured that transaction The privacy of the only possible analyzed treatment of process.

Wherein, described in step 1 " system initialization/KeyGen ", its specific practice is as follows：

The input of system is security parameter, and output is then the parameter for encryption and decryption computing and checking；It is right in transaction layer In each different recipient i, system is generated and generates two Big prime p to each recipient_iAnd q_i；Recipient's private key is sk_i= λ_i, public key is pk_i=(n_i,g_i), wherein n_i=p_iq_i；

Simultaneously in validation layer, system exports the public key pk for " the mute's account " verified_d=(n_d,g_d), it is noted that this is public Key is without pairing private key；I.e. the system account can not be operated to the amount of money for receiving；System generation option V_α(g_α,h_α) and V_β(g_β, h_β) for verifying.

Wherein, described in step 2 " calculating input total value/Insum ", calculating input total value is divided into two kinds of situations and begs for By its specific practice is as follows：

If the trading card is as the new block for confirming, the trading card will obtain 50 extra bit coin expenses as prize Encourage (halved now to 25 bit coin, cut-off in January, 2017), total income is that the part mutually operates with former ciphertext in plain text Summation, is expressed as

If the trading card is not newly to confirm that block is first single, without additional income, total income is the value that single cross is easily transmitted, It is expressed as

Wherein, described in step 3 " encrypted entry/Encrypt ", ciphering process is to add simultaneously in transaction layer and validation layer Close identical number, its specific practice is as follows：

In transaction layer, scheme uses the public key pk of different recipients₁,pk₂,...,pk_iCome using Paillier encryption systems Encrypt the plaintext number m for sending₁,m₂,...,m_iIt is c₁,c₂,...,c_i, it is expressed as：

Meanwhile, in validation layer, scheme uses the same public key pk of system_dBy the number m that each sends in transaction layer₁, m₂,...,m_iIt is encrypted, is expressed as：

Wherein design of scheme random number r_d=h_β。

Wherein, described in step 4 " checking item/Verify ", its validation layer is divided into two steps, and the first step passes through commitment value Specific interval method of proof prove the hiding amount of money be always on the occasion of；The used two equal proof sides of commitment value of second step Sum is equal before and after method proves hiding amount of money input and output；Its specific practice is as follows：

It is Verify-I for the first step, scheme ensures encrypted number using commitment value in specific interval proof m_iIt is on the occasion of sender Alice makes promise respectively for different recipient iFor letter Change, use E₀,E₁,E₂,E₃, F, V replace E_i0,E_i1,E_i2,E_i3,F_i,V_i；

1) Alice sets v=α²Y+ ω ＞ 2^t+l+s+T, wherein arbitrarily selection α ≠ 0,0 ＜ ω≤2^s+T；R is set₃-rα²+r₁α +r₂∈[-2^sn+1,...,2^sN-1], wherein arbitrarily selection r₁,r₂,r₃∈[-2^sn+1,...,2^sn-1]；Then calculate：

Alice sends (V, E₂,E₃, F) and give recipient；

2) recipient calculates：

E₁=E₀(m_i,r)/g^a=g^yh^r mod n

3) Alice and recipient each calculate：

Wherein r^*=-r α²-r₁α-r₂；

4) recipient's checking PK1, the correctness of PK2, PK3, and whether meet v ＞ 2^t+l+s+T, the recipient if meeting It is believed that x ＞ a；

5) for each recipient m_i, scheme repeat step 1) and-step 4) it is provable m_i＞ 0 (i=1,2 ..., i })；

The proof part is by the m of each recipient_iRepeat i times, if wherein have arbitrarily once failed, transaction is lost Lose；If all successes, system passes through, and continues the checking of next step；

It is Verify-II for second step, scheme ensures transaction output using the equal proofs of two commitment values of proof Input self-consistentency, i.e. m=m₁+m₂+...+m_i=∑ m_i；Now, to make two promises as follows for Alice：

Wherein r_α∈{-2^sn+1,...,2^sn-1},r_β=n_d∈{-2^sn+1,...,2^sn-1}；If receiving identical number " mute's account " want to verify whether contained plaintext number in its ciphertext for receiving equal with the value that Alice sends, then it Needs carry out following two steps：

1) the equal m=∑s m of secret value being hidden in commitment value E and F_i；

2) the ciphertext H=Π c after operating_idF is promised to undertake equal to one of；

In order to realize above-mentioned steps 1), we are proved as follows：

1.Alice random selection ω ∈ 1 ..., 2^i+tb-1},η_α∈{1,...,2^l+t+sn-1},η_β∈{1,...,2^{l+t+ s}n-1}；Then calculate：

2.Alice calculates u=H (W_α||W_β)；

3.Alice is calculated：

D=ω+um, D_α=η_α+ur_α,D_β=η_β+ur_β

And send (u, D, D_α,D_β) give " mute's account "；

4. " mute's account " checks whether u=u ', wherein

If the part steps are proved to be successful, proceeding lower part steps proves：

1. the ciphertext of " mute's account " to receiving is calculated：

2. from the above it can be seen that we arbitrarily can choose r in ciphering process_d=h_β, arbitrarily selected in verification process Take r_β=n_d；And in system initialization process, we are setAnd g_d=g_β, it is event：

3. check whether H is equal to F, if not, Fail Transaction, if it is passes through, and carry out next step；

To sum up verify, when being true the step of two parts, into the sending link of transaction layer.

Wherein, described in steps of 5 " decryption item/Decrypt ", after card layer is verified, transaction layer is by after encryption Number c_iRecipient is sent to, its specific practice is as follows：

Recipient is according to the private key sk of oneself_iIt is decrypted：

Wherein

After the reception amount of money that recipient checks oneself is correct, continue next single transaction；The reception value of the recipient is It is next single input value；It is worth noting that, after the completion of transaction, the ciphertext number in " mute's account " will be dropped, its The value that effect only makes validation layer as bridge is contacted with the value generation for sending.

Wherein, described in step 6 " broadcast acknowledgements/Broadcast ", i.e. recipient to carry out the whole network after checking and finding correct wide Broadcast trading card etc. to be confirmed, its specific practice is as follows：

The ciphertext for that cannot distinguish will be hidden by cleartext information original on the trading card after program treatment, it is ensured that The privacy of the only possible analyzed treatment of process of exchange；This trading card can be masked as T by us_Alice, the process is equally applicable It is easy in any other single crosses.

By above step, the enhanced method of bit coin privacy proposed by the invention is discussed, the method be from The problem that existing bit coin system is present is produced, and then carries out complete design, for solving number exposure in bit coin system Privacy leakage problem；The method covers bit coin system, homomorphic cryptography system and commitment value and proves several cryptographic primitives, By the method for different field from new opplication in the enhanced practical problem of privacy, according to its conceptual design understand, the program has Encryption and decryption, homomorphic characteristic, Zero Knowledge characteristic, security, high efficiency and compatibility；Finally, the systems approach realizes encryption The smooth process of exchange of bit coin afterwards.

3rd, advantage and effect：

The invention provides a kind of bit coin transaction privacy Enhancement Method, the method is simultaneous in guarantee and original bit coin system The hidden function of number in transaction is realized in the case of appearance, and ensure that the number of encryption is always just and input and output phase Deng requirement.The method has 1) homomorphic characteristic so that system can carry out plus-minus operation to ciphertext.2) Zero Knowledge characteristic, passes Any plaintext value is not revealed in defeated and checking.3) security, can resist different types of active attack and passive attack.4) efficiently Property, there is less computational complexity compared to solutions such as Zerocoin, and can be by precomputation and Chinese remainder theorem Carry out algorithm acceleration.5) compatibility, with conventional bit coin system compatible, can be implanted into primal system.

(4) illustrate：

Fig. 1 is the FB(flow block) of the method for the invention.

Sequence number, code name, symbol description are as follows in figure：

In diagram, Insum/Encrypt/Verify/Decrypt/Braodcast represents step 2-6 respectively, Transcation layer/Verification layer represent the two-layer of system architecture, m respectively₁,m₂,...,m_iTo send To the plaintext number of recipient, c₁,c₂,...,c_iIt is the ciphertext number after encryption, (pk_i,sk_i) it is the public private key pair encrypted, Enc/Dec is encryption process, " mute's account " that Dumb account are set when being checking.

(5) specific embodiment

The present invention is a kind of bit coin transaction privacy Enhancement Method, and the method is divided into six steps according to flow carries out reality Existing, scheme framework is divided into transaction layer and validation layer two-layer.The system flow of the method is shown in Fig. 1, with reference to FB(flow block), by the method The step that implements be described below：

A kind of bit coin transaction privacy Enhancement Method of the present invention is as follows by the method specific implementation step：

Step 1：System initialization/KeyGen：Input security parameter, exports the ginseng for encryption and decryption computing and checking Number.In transaction layer, the recipient i different for each, system is generated and generates two Big prime p to each recipient_iAnd q_i.Connect Receipts person's private key is sk_i=λ_i, public key is pk_i=(n_i,g_i), wherein n_i=p_iq_i；

Simultaneously in validation layer, system exports the public key pk for " the mute's account " verified_d=(n_d,g_d), it is noted that this is public Key is without pairing private key.I.e. the system account can not be operated to the amount of money for receiving；System generation option V_α(g_α,h_α) and V_β(g_β, h_β) for verifying；

It is noted that because " mute's account " and commitment value prove to be in validation layer together, and its parameter is generated by system, Design of scheme g_β=g_dAndNumber is promised to undertake to ensure that the ciphertext after operation can turn into；

Step 2：Calculate total input value/Insum：Calculate the total input value of transaction, i.e., go up single cross easily with digging ore deposit total income.

If the trading card is as the new block for confirming, the trading card will obtain 50 extra bit coin expenses as prize Encourage (halved now to 25 bit coin), total income is the summation that the part mutually operates with former ciphertext in plain text, is expressed as

If the trading card is not newly to confirm that block is first single, without additional income, total income is the value that single cross is easily transmitted, It is expressed as

Step 3：Encrypted entry/Encrypt：In transaction layer, scheme uses the public key pk of different recipients₁,pk₂,...,pk_i The plaintext number m of transmission is encrypted using Paillier encryption systems₁,m₂,...,m_iIt is c₁,c₂,...,c_i, it is expressed as：

Meanwhile, in validation layer, scheme uses the same public key pk of system_dBy the number m that each sends in transaction layer₁, m₂,...,m_iIt is encrypted, is expressed as：

Wherein design of scheme random number r_d=h_β；

The common ground of two-layer is to have encrypted identical number of deals m_i, difference is that transaction layer is used from recipient Different public key pk_i, validation layer used the identical public key pk from system_dFor realize Paillier systems plus homomorphism Characteristic.In identical number m in it_iEnsure that the correctness that recipient is worth after this authentication；

Step 4：Checking item/Verify：System validation layer checking hide after number whether be on the occasion of, and be input into it is defeated Whether equal go out total value.Validation layer is divided into two steps, and the first step proves what is hidden by commitment value in specific interval method of proof The amount of money be always on the occasion of；It is total before and after the hiding amount of money input and output of the equal method of proof proof of used two commitment values of second step Number is equal；

For the first step, scheme ensures encrypted number m using commitment value in specific interval proof_iBe on the occasion of, Sender Alice makes promise respectively for different recipient iTo put it more simply, using E₀, E₁,E₂,E₃, F, V replace E_i0,E_i1,E_i2,E_i3,F_i,V_i。

1) Alice sets v=α²Y+ ω ＞ 2^t+l+s+T, wherein arbitrarily selection α ≠ 0,0 ＜ ω≤2^s+T；R is set₃-rα²+r₁α +r₂∈[-2^sn+1,...,2^sN-1], wherein arbitrarily selection r₁,r₂,r₃∈[-2^sn+1,...,2^sn-1]；Then calculate：

Alice sends (V, E₂,E₃, F) and give recipient；

2) recipient calculates：

E₁=E₀(m_i,r)/g^a=g^yh^r mod n

3) Alice and recipient each calculate：

Wherein r^*=-r α²-r₁α-r₂；

4) recipient's checking PK1, the correctness of PK2, PK3, and whether meet v ＞ 2^t+l+s+T, the recipient if meeting It is believed that x ＞ a；

5) for each recipient m_i, scheme repeat step 1-4 is provable m_i＞ 0 (i=1,2 ..., i }).

The proof part is by the m of each recipient_iRepeat i times, if wherein have arbitrarily once failed, transaction is lost Lose；If all successes, system returns to 1, and continues the checking of next step.

For second step, scheme is ensured one before and after transaction output input using the equal proofs of two commitment values of proof Cause, i.e. m=m₁+m₂+...+m_i=Σ m_i.Now, to make two promises as follows for Alice：

Wherein r_α∈{-2^sn+1,...,2^sn-1},r_β=n_d∈{-2^sn+1,...,2^sn-1}；If receiving identical number " mute's account " want to verify whether contained plaintext number in its ciphertext for receiving equal with the value that Alice sends, then it Needs carry out following two steps：

1) the equal m=∑s m of secret value being hidden in commitment value E and F_i；

2) the ciphertext H=Π c after operating_idF is promised to undertake equal to one of.

In order to realize above-mentioned steps 1), we are proved as follows：

1.Alice random selection ω ∈ 1 ..., 2^i+tb-1},η_α∈{1,...,2^l+t+sn-1},η_β∈{1,...,2^{l+t+ s}n-1}；Then calculate：

2.Alice calculates u=H (W_α||W_β)；

3.Alice is calculated：

D=ω+um, D_α=η_α+ur_α,D_β=η_β+ur_β

And send (u, D, D_α,D_β) give " mute's account "；

4. " mute's account " checks whether u=u ', wherein

If the part steps are proved to be successful, proceeding lower part steps proves：

1. the ciphertext of " mute's account " to receiving is calculated：

2. from the above it can be seen that we arbitrarily can choose r in ciphering process_d=h_β, arbitrarily selected in verification process Take r_β=n_d；And in system initialization process, we are setAnd g_d=g_β, it is event：

3. check whether H is equal to F, if not, Fail Transaction, if returning to 1, and carries out next step.

To sum up verify, when being true the step of two parts, into the sending link of transaction layer；

Step 5：Decryption item/Dcrypt：After card layer is verified, transaction layer is by the number c after encryption_iIt is sent to reception Person, recipient is according to the private key sk of oneself_iIt is decrypted：

Wherein

After the reception amount of money that recipient checks oneself is correct, continue next single transaction.The reception value of the recipient is It is next single input value.It is worth noting that, after the completion of transaction, the ciphertext number in " mute's account " will be dropped, its The value that effect only makes validation layer as bridge is contacted with the value generation for sending；

Step 6：Broadcast acknowledgements/Broadcast：Recipient carries out the whole network broadcast trading card etc. after checking and finding correct to be confirmed. The ciphertext for that cannot distinguish will be hidden by cleartext information original on the trading card after program treatment, it is ensured that process of exchange The privacy of only possible analyzed treatment.This trading card can be masked as T by us_Alice, the process be equally applicable to it is any its His single cross is easy.

Claims (7)

1. a kind of bit coin transaction privacy Enhancement Method, it is characterised in that：Its operating procedure is as follows：

Step 1：System initialization/KeyGen：Generate the security parameter for encryption and decryption computing and checking；System input safety Parameter, exports public key and private key for the generation of encryption and decryption computing to (pk_i,sk_i), while exporting the public key for verifying pk_d, note this public key without pairing private key；

Step 2：Calculate input total value/Insum：Calculate the total input value of transaction, i.e., go up single cross easily with digging ore deposit total income；If the transaction It is singly the block as new confirmation, then the trading card will obtain 50 extra bit coin expenses as reward, total income is the portion The summation that clearly demarcated Wen Yuyuan ciphertexts are mutually operated；If the trading card is not newly to confirm that block is first single, without additional income, total income is For the value that upper single cross is easily transmitted；

Step 3：Encrypted entry/Encrypt：System distinguishes encrypted transmission number in transaction layer using recipient's public key, while testing Card layer uses each number of the identical number of system public key encryption；Sent out after the encrypted number of transaction layer will pass through in validation layer Deliver to each recipient's account, it is noted that validation layer send encryption number will into " mute's account ", the account without private key, The amount of money is abandoned after this authentication；

Step 4：Checking item/Verify：Whether number after validation layer checking is hidden is on the occasion of and input and output total value is It is no equal；Validation layer is divided into two steps, and the first step proves the hiding amount of money all the time by commitment value in specific interval method of proof Be on the occasion of；Sum is equal before and after the equal method of proof of used two commitment values of second step proves hiding amount of money input and output； When two steps are true, into the sending link of transaction layer；

Step 5：Decryption item/Decrypt：After validation layer is verified, the number after encryption is sent to recipient by transaction layer, is connect Receipts person is decrypted according to the private key of oneself；After the reception amount of money that recipient checks oneself is correct, continue next single transaction； The reception value of the recipient is next single input value；

Step 6：Broadcast acknowledgements/Broadcast：I.e. recipient that the whole network broadcast trading card etc. is carried out after checking and finding correct is to be confirmed；Through Original cleartext information will hide the ciphertext for that cannot distinguish on the trading card crossed after program treatment, it is ensured that process of exchange is only One privacy that may be analyzed treatment；

By above step, the enhanced method of bit coin privacy proposed by the invention is discussed, and the method is from existing Bit coin system exist problem produce, then carry out complete design, for solving bit coin system in number it is exposed hidden Private leakage problem；The method covers bit coin system, homomorphic cryptography system and commitment value and proves several cryptographic primitives, will not The method of same domain in the enhanced practical problem of privacy, knows that the program has encryption and decryption from new opplication according to its conceptual design Property, homomorphic characteristic, Zero Knowledge characteristic, security, high efficiency and compatibility；Finally, the systems approach realizes bit after encryption The smooth process of exchange of coin.

2. a kind of bit coin transaction privacy Enhancement Method according to claim 1, it is characterised in that：It is described in step 1 " system initialization/KeyGen ", its specific practice is as follows：

The input of system is security parameter, and output is then the parameter for encryption and decryption computing and checking；In transaction layer, for every Individual different recipient i, system is generated and generates two Big prime p to each recipient_iAnd q_i；Recipient's private key is sk_i=λ_i, Public key is pk_i=(n_i,g_i), wherein n_i=p_iq_i；

Simultaneously in validation layer, system exports the public key pk for " the mute's account " verified_d=(n_d,g_d), it is noted that this public key without Pairing private key；I.e. the system account can not be operated to the amount of money for receiving；System generation option V_α(g_α,h_α) and V_β(g_β,h_β) For verifying.

3. a kind of bit coin transaction privacy Enhancement Method according to claim 1, it is characterised in that：It is described in step 2 " calculate input total value/Insum ", calculate input total value and be divided into two kinds of situations, its specific practice is as follows：

If the trading card is as the new block for confirming, the trading card will obtain 50 extra bit coin expenses as reward, Total income is the summation that the part mutually operates with former ciphertext in plain text, is expressed as

$m=m_{in}+50={\mathrm{Dec}}_{{\mathrm{pk}}_{Alice}}(c_{in}\⊗50);$

If the trading card is not newly to confirm that block is first single, without additional income, total income is the value that single cross is easily transmitted, and represents For

$m=m_{in}={\mathrm{Dec}}_{{\mathrm{pk}}_{Alice}}\left(c_{in}\right).$

4. a kind of bit coin transaction privacy Enhancement Method according to claim 1, it is characterised in that：It is described in step 3 " encrypted entry/Encrypt ", ciphering process is to encrypt identical number simultaneously in transaction layer and validation layer, and its specific practice is such as Under：

In transaction layer, scheme uses the public key pk of different recipients₁,pk₂,...,pk_iEncrypted using Paillier encryption systems The plaintext number m of transmission₁,m₂,...,m_iIt is c₁,c₂,...,c_i, it is expressed as：

$c_i={\mathrm{Enc}}_{{\mathrm{pk}}_i}\left(m_i\right)=g_i^{m_i}{r}_i^{n_i}\mathrm{mod}{n}_i^2;$

Meanwhile, in validation layer, scheme uses the same public key pk of system_dBy the number m that each sends in transaction layer₁, m₂,...,m_iIt is encrypted, is expressed as：

$c_{id}={\mathrm{Enc}}_{{\mathrm{pk}}_d}\left(m_i\right)=g_d^{m_i}{r}_d^{n_d}\mathrm{mod}{n}_d^2$

Wherein design of scheme random number r_d=h_β。

5. a kind of bit coin transaction privacy Enhancement Method according to claim 1, it is characterised in that：It is described in step 4 " checking item/Verify ", its validation layer is divided into two steps, and the first step proves hidden by commitment value in specific interval method of proof The amount of money of Tibetan be always on the occasion of；Before the equal method of proof of used two commitment values of second step proves hiding amount of money input and output It is total equal afterwards；Its specific practice is as follows：

It is Verify-I for the first step, scheme ensures encrypted number m using commitment value in specific interval proof_iFor On the occasion of sender Alice makes promise respectively for different recipient iTo put it more simply, Use E₀,E₁,E₂,E₃, F, V replace E_i0,E_i1,E_i2,E_i3,F_i,V_i；

1) Alice sets v=α²Y+ ω ＞ 2^t+l+s+T, wherein arbitrarily selection α ≠ 0,0 ＜ ω≤2^s+T；

R is set₃-rα²+r₁α+r₂∈[-2^sn+1,...,2^sN-1],

Wherein any selection r₁,r₂,r₃∈[-2^sn+1,...,2^sn-1]；Then calculate：

$E_1=g^{m_i-a}{h}^r=g^y{h}^r\mathrm{mod}n$

$E_2=E_1^{\mathrm{\α}}{h}^{r_1}\mathrm{mod}n,E_3=E_2^{\mathrm{\α}}{h}^{r_2}\mathrm{mod}n$

$F=g^{\mathrm{\ω}}{h}^{r_3}\mathrm{mod}n$

$V=g^v/E_2=g^{\mathrm{\ω}}{h}^{-{\mathrm{r\α}}^2-r_1\mathrm{\α}-r_2}\mathrm{mod}n$

Alice sends (V, E₂,E₃, F) and give recipient；

2) recipient calculates：

E₁=E₀(m_i,r)/g^a=g^yh^r mod n

$V=g^v/E_3=g^{\mathrm{\ω}}{h}^{-{\mathrm{r\α}}^2-r_1\mathrm{\α}-r_2}\mathrm{mod}n$

3) Alice and recipient each calculate：

Wherein r^*=-r α²-r₁α-r₂；

4) recipient's checking PK1, the correctness of PK2, PK3, and whether meet v ＞ 2^t+l+s+T, recipient firmly believes x if meeting ＞ a；

5) for each recipient m_i, scheme repeat step 1) and-step 4) it is that can prove that m_i＞ 0 (i=1,2 ..., i })；

The proof part is by the m of each recipient_iRepeat i times, if wherein have arbitrarily once failed, Fail Transaction；Such as Fruit all successes, system passes through, and continues the checking of next step；

It is Verify-II for second step, scheme ensures transaction output input using the equal proofs of two commitment values of proof Self-consistentency, i.e. m=m₁+m₂+...+m_i=∑ m_i；Now, to make two promises as follows for Alice：

$E=E_{\mathrm{\α}}(m,r_{\mathrm{\α}})=g_{\mathrm{\α}}^m{h}_{\mathrm{\α}}^{r_{\mathrm{\α}}},F=E_{\mathrm{\β}}({\mathrm{\Σm}}_i,r_{\mathrm{\β}})=g_{\mathrm{\β}}^m{h}_{\mathrm{\β}}^{r_{\mathrm{\β}}},$

Wherein r_α∈{-2^sn+1,...,2^sn-1},r_β=n_d∈{-2^sn+1,...,2^sn-1}；If receiving the " mute of identical number Bar account " wants to verify whether contained plaintext number in its ciphertext for receiving equal with the value that Alice sends, then it need into Following two steps of row：

1) the equal m=Σ m of secret value being hidden in commitment value E and F_i；

2) the ciphertext H=Π c after operating_idF is promised to undertake equal to one of；

In order to realize above-mentioned steps 1), we are proved as follows：

1.Alice random selection ω ∈ 1 ..., 2^i+tb-1},η_α∈{1,...,2^l+t+sn-1},η_β∈{1,...,2^l+t+sn- 1}；Then calculate：

$W_{\mathrm{\α}}=g_{\mathrm{\α}}^{\mathrm{\ω}}{h}_{\mathrm{\α}}^{{\mathrm{\η}}_{\mathrm{\α}}}\mathrm{mod}{n}_{\mathrm{\α}},W_{\mathrm{\β}}=g_{\mathrm{\β}}^{\mathrm{\ω}}{h}_{\mathrm{\β}}^{{\mathrm{\η}}_{\mathrm{\β}}}\mathrm{mod}{n}_{\mathrm{\β}};$

2.Alice calculates u=H (W_α||W_β)；

3.Alice is calculated：

D=ω+um, D_α=η_α+ur_α,D_β=η_β+ur_β

And send (u, D, D_α,D_β) give " mute's account "；

4. " mute's account " checks whether u=u ', wherein

$u^{\′}=H\left(g_{\mathrm{\α}}^D{h}_{\mathrm{\α}}^{D_{\mathrm{\α}}}{E}^{-u}\mathrm{mod}{n}_{\mathrm{\α}}\right|\left|g_{\mathrm{\β}}^D{h}_{\mathrm{\β}}^{D_{\mathrm{\β}}}{F}^{-u}\mathrm{mod}{n}_{\mathrm{\β}}\right);$

If the part steps are proved to be successful, proceeding lower part steps proves：

1. the ciphertext of " mute's account " to receiving is calculated：

$H={\mathrm{\Πc}}_{id}=c_{1^{\′}}{c}_2^{\′}\mathrm{...}{c}_i^{\′}=g_d^{m_1^{\′}+m_2^{\′}+...+m_i^{\′}}{r}_d^{n_d}=g_d^{{\mathrm{\Σm}}_i^{\′}}{r}_d^{n_d}\mathrm{mod}{n}_d^2;$

2. can find out from above, we are any in ciphering process to choose r_d=h_β, it is any in verification process to choose r_β=n_d；And And in system initialization process, we are setAnd g_d=g_β, it is event：

$H=g_d^{{\mathrm{\Σm}}_i^{\′}}{r}_d^{n_d}\mathrm{mod}{n}_d^2$

$\begin{array}{c}F=g_{\mathrm{\β}}^{{\mathrm{\Σm}}_i}{h}_{\mathrm{\β}}^{r_{\mathrm{\β}}}\mathrm{mod}{n}_{\mathrm{\β}}\\ =g_d^{{\mathrm{\Σm}}_i}{r}_d^{n_d}\mathrm{mod}{n}_d^2\end{array};$

3. check whether H is equal to F, if not, Fail Transaction, if it is passes through, and carry out next step；

To sum up verify, when being true the step of two parts, into the sending link of transaction layer.

6. a kind of bit coin transaction privacy Enhancement Method according to claim 1, it is characterised in that：It is described in steps of 5 " decryption item/Decrypt ", after card layer is verified, transaction layer is by the number c after encryption_iRecipient is sent to, its specific work Method is as follows：

Recipient is according to the private key sk of oneself_iIt is decrypted：

$m_i=\frac{L\left(c_i^{{\mathrm{\λ}}_i}\mathrm{mod}{n}_i^2\right)}{L\left(g_i^{{\mathrm{\λ}}_i}\mathrm{mod}{n}_i^2\right)}\mathrm{mod}{n}_i$

Whereinx∈S_n={ u ＜ n²| x=1 mod n }；

After the reception amount of money that recipient checks oneself is correct, continue next single transaction；The reception value of the recipient is down The input value of one list；It is worth noting that, after the completion of transaction, the ciphertext number in " mute's account " will be dropped, its effect Only make the value of validation layer be produced with the value for sending as bridge to contact.

7. a kind of bit coin transaction privacy Enhancement Method according to claim 1, it is characterised in that：It is described in step 6 " broadcast acknowledgements/Broadcast ", i.e. recipient carries out the whole network broadcast to be confirmed, its specific work such as trading card after checking and finding correct Method is as follows：

The ciphertext for that cannot distinguish will be hidden by cleartext information original on the trading card after program treatment, it is ensured that transaction Process can uniquely be analyzed the privacy for the treatment of；This trading card is masked as T by us_Alice, the process be equally applicable to it is any other Single cross is easy.