CN111989891B - Data processing method, related device and block chain system - Google Patents


Info

Publication number: CN111989891B
Application number: CN201880092481.XA
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111989891A (en)
Inventors: 阮子瀚, 吴双, 贺伟
Current assignee: Huawei International Pte Ltd
Original assignee: Huawei International Pte Ltd
Application filed by Huawei International Pte Ltd; publication of CN111989891A; application granted; publication of CN111989891B.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials


Abstract

The embodiment of the application provides a data processing method, a related device and a blockchain system, wherein the method comprises the following steps: the sender encrypts a plaintext M of the transaction amount by adopting an additive homomorphic encryption algorithm to generate a ciphertext of the transaction amount, wherein the bit length of the plaintext M of the transaction amount is U; the sender sends the ciphertext of the transaction amount to the verifier; the verifier verifies, according to the ciphertext of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1]. By implementing the embodiment of the application, the privacy of the transaction amount can be protected in the blockchain system, and whether the transaction amount lies in the valid range is verified without the verifier obtaining the plaintext of the transaction amount, so that the validity of the transaction is ensured.

Description

Data processing method, related device and block chain system
Technical Field
The present application relates to the field of blockchain technologies, and in particular, to a data processing method, a related device, and a blockchain system.
Background
A blockchain is a distributed database that maintains an ever-increasing list of ordered records known as blocks. Each block contains a timestamp and a link to the previous block. A blockchain is inherently tamper-resistant: once recorded, the data in a block cannot be unilaterally modified. By using a Peer-to-Peer (P2P) network and a distributed timestamp server, automatic management of the data on the blockchain can be achieved. A blockchain is an open, distributed ledger that can effectively record transactions and other information between two parties, permanently and in a verifiable manner. On a traditional blockchain, the user's account balance is stored directly in the block without encryption, so the user's account is fully exposed on all nodes. Thus, while the blockchain provides its basic functions of decentralisation and tamper-resistance, the user's account privacy is fully exposed on every node of the blockchain.
In the prior art, the privacy of the transaction amount in a blockchain system can be protected by adopting additive homomorphic encryption, but a verifier then cannot verify whether the transaction is valid: the verifier can only determine that the plaintext of the output amount is equal to the plaintext of the input amount, and cannot confirm whether the plaintext of the input amount and the plaintext of the output amount are within the valid range. Therefore, how to protect the privacy of the transaction amount in a blockchain system while letting a verification node, which cannot obtain the plaintext of the transaction amount, verify that the plaintext lies within the valid range is a problem to be solved.
Disclosure of Invention
The embodiment of the application provides a data processing method, a related device and a blockchain system, which can protect the privacy of the transaction amount and verify whether the transaction amount lies in a valid range without the verifier obtaining the plaintext of the transaction amount, so as to ensure the validity of the transaction.
In a first aspect, an embodiment of the present application provides a data processing method, applied to a blockchain system, where the system includes a sender and a verifier, and the method includes: the sender encrypts a plaintext M of the transaction amount by adopting an additive homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount; the sender sends the ciphertext (C, B) of the transaction amount to the verifier; the verifier verifies, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1], where U is the bit length of the plaintext M of the transaction amount.
By implementing the embodiment of the application, the privacy of the transaction amount can be protected in the blockchain system, and under the condition that the verifier cannot acquire the plaintext of the transaction amount, whether the transaction amount is in the effective range is verified, so that the validity of the transaction is ensured.
In one possible implementation, in the ciphertext (C, B), r is a randomly generated integer, g_3 is a generator of G_1, G_1 is a multiplicative group of prime order, g_4 is the public key of the additive homomorphic encryption algorithm, g_4 = g_3^ask, and ask is the private key of the additive homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor; the sender encrypting the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm to generate the ciphertext (C, B) of the transaction amount includes: the sender divides the plaintext M of the transaction amount into L plaintexts M_k, and encrypts each of the L plaintexts M_k by adopting the additive homomorphic encryption algorithm to generate L ciphertexts (C_k, B_k); the public key of the additive homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2; the verifier verifying, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range comprises: the verifier verifies, according to each ciphertext (C_k, B_k), whether the plaintext M_k belongs to a second valid range; wherein the second valid range is [0, 2^u - 1], and u is the bit length of the plaintext M_k; the method further comprises: the supervisor decrypts the L ciphertexts (C_k, B_k) with the private key corresponding to the public key to obtain the L plaintexts M_k, and obtains the plaintext M of the transaction amount from the L plaintexts M_k.
When the plaintext of the transaction amount is long, the embodiment of the application can divide the plaintext M of the transaction amount into several small blocks of plaintext, then encrypt each small block and prove that its plaintext belongs to the valid range, so that the supervisor can efficiently decrypt the ciphertext of each small block of the transaction amount.
In one possible implementation, the L plaintexts M_k are of equal length.
In one possible implementation, the method further includes: the sender generates a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; the verifier verifying, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range comprises: the verifier verifies the zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
The embodiment of the application can enable the verification party to verify whether the transaction amount belongs to the effective range under the condition that the transaction amount is encrypted, thereby further verifying the validity of the transaction.
In one possible implementation, the transaction amount includes an output amount; the method further comprises: the sender calculates a ciphertext C' of the difference between the input amount and the output amount, and generates an addition homomorphic zero knowledge proof that C' is a ciphertext whose plaintext is zero; the ciphertext of the input amount is either the ciphertext of the amount received by the sender in the previous transaction, or a ciphertext generated by the sender encrypting the amount generated in the current transaction with the additive homomorphic encryption algorithm; the verifier verifies the addition homomorphic zero knowledge proof that C' is a ciphertext whose plaintext is zero.
The embodiment of the application can enable the verification party to verify that the input amount is equal to the output amount under the condition that the transaction amount is encrypted, thereby further verifying the validity of the transaction.
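The following Python block is an added example, not code from the patent, and serves two of the implementations above: the chunked encryption that lets the supervisor decrypt small blocks of the amount, and the balance check in which C' is the ciphertext of the difference between input and output amounts and is proven to encrypt zero. It assumes exponential ElGamal as the additive homomorphic scheme (public key g4 = g3^ask, matching the notation above; the patent's own ciphertext formula is not reproduced on this page) and a Chaum-Pedersen proof as the addition homomorphic zero knowledge proof; the signature-based range proof for the first valid range is not shown, and every function name is the example's own.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for generating demo parameters (n is odd and > 3 here)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=128):
    """Prime-order subgroup G1 of Z_p^* with p = 2q + 1 and generator g3 = 4.
    Demo size only; a deployment would use a standardised 2048-bit-or-larger group."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def keygen(p, q, g3):
    """Supervisor key pair: private ask, public g4 = g3^ask (the patent's notation)."""
    ask = secrets.randbelow(q - 1) + 1
    return ask, pow(g3, ask, p)

def encrypt(p, q, g3, g4, m):
    """Assumed scheme, exponential ElGamal: (C, B) = (g3^r, g4^r * g3^m); returns ((C, B), r)."""
    r = secrets.randbelow(q - 1) + 1
    return (pow(g3, r, p), pow(g4, r, p) * pow(g3, m, p) % p), r

def decrypt_small(p, g3, ask, ct, u):
    """Supervisor side: B / C^ask = g3^m, then look m up in a 2^u-entry table (why M is chunked)."""
    c, b = ct
    target = b * pow(c, -ask, p) % p
    table = {pow(g3, m, p): m for m in range(1 << u)}
    if target not in table:
        raise ValueError("chunk plaintext outside the second valid range [0, 2^u - 1]")
    return table[target]

def split_amount(M, U, u):
    """Split a U-bit amount into L = U // u chunks of u bits (chunk 0 is least significant)."""
    assert 0 <= M < (1 << U) and U % u == 0, "M must lie in the first valid range"
    return [(M >> (u * k)) & ((1 << u) - 1) for k in range(U // u)]

def sender_encrypt_chunked(p, q, g3, g4, M, U, u):
    return [encrypt(p, q, g3, g4, mk)[0] for mk in split_amount(M, U, u)]

def supervisor_recover(p, g3, ask, cts, u):
    """Decrypt each chunk (C_k, B_k) and reassemble M = sum_k M_k * 2^(u*k)."""
    return sum(decrypt_small(p, g3, ask, ct, u) << (u * k) for k, ct in enumerate(cts))

def ciphertext_difference(p, ct_in, ct_out):
    """C' = Enc(input) / Enc(output) encrypts input - output under the same key."""
    (c1, b1), (c2, b2) = ct_in, ct_out
    return c1 * pow(c2, -1, p) % p, b1 * pow(b2, -1, p) % p

def challenge(q, *vals):
    """Fiat-Shamir challenge binding all public values of the proof."""
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % q

def prove_zero(p, q, g3, g4, ct, r):
    """Chaum-Pedersen proof that log_g3(C) = log_g4(B) = r, i.e. (C, B) encrypts 0."""
    w = secrets.randbelow(q - 1) + 1
    t1, t2 = pow(g3, w, p), pow(g4, w, p)
    e = challenge(q, p, g3, g4, ct, t1, t2)
    return t1, t2, (w + e * r) % q

def verify_zero(p, q, g3, g4, ct, proof):
    """Verifier side: accepts only if the plaintext of (C, B) is zero."""
    (c, b), (t1, t2, z) = ct, proof
    e = challenge(q, p, g3, g4, ct, t1, t2)
    return (pow(g3, z, p) == t1 * pow(c, e, p) % p
            and pow(g4, z, p) == t2 * pow(b, e, p) % p)

def demo(amount=3_000_000_000, U=32, u=8):
    """Returns (amount recovered by the supervisor, balanced proof accepted, inflated proof accepted)."""
    p, q, g3 = make_group()
    ask, g4 = keygen(p, q, g3)
    # Chunked path: four 8-bit chunks instead of one 2^32-entry decryption table.
    recovered = supervisor_recover(p, g3, ask, sender_encrypt_chunked(p, q, g3, g4, amount, U, u), u)
    # Balance path: equal input and output amounts, so C' must encrypt zero.
    (ct_in, r_in), (ct_out, r_out) = encrypt(p, q, g3, g4, amount), encrypt(p, q, g3, g4, amount)
    ct_diff = ciphertext_difference(p, ct_in, ct_out)
    balanced = verify_zero(p, q, g3, g4, ct_diff, prove_zero(p, q, g3, g4, ct_diff, (r_in - r_out) % q))
    # A sender who inflates the output amount cannot produce an accepting proof.
    ct_bad, r_bad = encrypt(p, q, g3, g4, amount + 1)
    ct_diff_bad = ciphertext_difference(p, ct_in, ct_bad)
    cheated = verify_zero(p, q, g3, g4, ct_diff_bad, prove_zero(p, q, g3, g4, ct_diff_bad, (r_in - r_bad) % q))
    return recovered, balanced, cheated
```

Calling demo() returns (3000000000, True, False): the supervisor recovers the full amount from the chunk ciphertexts, the honest balance proof verifies, and the inflated one is rejected.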
In one possible implementation, the system further comprises a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor; the method further comprises: the sender generates a zero knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the verifier verifies the zero knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the supervisor decrypts the ciphertext (C, B) of the transaction amount using the private key corresponding to the public key.
The embodiment of the application can enable the verifier to verify, while the transaction amount is encrypted, that the supervisor can decrypt the ciphertext of the transaction amount, thereby verifying the legality of the ciphertext.
In a possible implementation, the system further comprises a third party for providing a random secret γ used to generate a digital signature for each integer within the first valid range; the sender generating a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range comprises: the sender generates, according to the digital signature generated for each integer in the first valid range from the random secret γ provided by the third party, a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
The embodiment of the application provides a specific method for proving that the plaintext of the transaction amount ciphertext belongs to the valid range: a digital signature is generated for each integer in the valid range, and the plaintext of the transaction amount ciphertext is proven to belong to the valid range by proving that it corresponds to one of those digital signatures. The validity of the transaction amount is thus verified without providing its plaintext to the verifier, and transaction privacy is ensured.
In one possible implementation, the sender generating a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range includes: the sender generates N first parameters, where N is a positive integer; the verifier verifying the zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range comprises: the verifier generates N second parameters, the N first parameters being in one-to-one correspondence with the N second parameters; the verifier verifies whether the N second parameters are equal to the corresponding first parameters, and if so, the plaintext M of the transaction amount belongs to the first valid range.
According to the embodiment of the application, whether the plaintext of the transaction amount ciphertext belongs to the valid range is verified by comparing the first parameters generated by the sender with the second parameters generated by the verifier, so the validity of the transaction amount is verified without providing the plaintext of the transaction amount to the verifier, and transaction privacy is ensured.
In one possible implementation, the sender generating a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range further includes: the sender generates a first verification parameter, which is determined by the N first parameters; the verifier verifying the zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range further comprises: the verifier generates a second verification parameter, which is determined by the N second parameters; the verifier verifying whether the N second parameters are equal to the corresponding first parameters includes: the verifier verifies whether the first verification parameter is equal to the second verification parameter, and if so, the N second parameters are equal to the corresponding first parameters.
According to the embodiment of the application, whether the first parameters generated by the sender are equal to the second parameters generated by the verifier is verified by means of the first verification parameter generated by the sender and the second verification parameter generated by the verifier, which in turn verifies whether the plaintext of the transaction amount ciphertext belongs to the valid range; the validity of the transaction amount is thus verified without providing the plaintext of the transaction amount to the verifier, and transaction privacy is ensured.
In a second aspect, an embodiment of the present application provides a data processing method, applied to a blockchain system, where the system includes a sender and a verifier, and the method includes: the sender encrypts a plaintext M of the transaction amount by adopting an additive homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount; the sender sends the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1], where U is the bit length of the plaintext M of the transaction amount.
In one possible implementation, in the ciphertext (C, B), r is a randomly generated integer, g_3 is a generator of G_1, G_1 is a multiplicative group of prime order, g_4 is the public key of the additive homomorphic encryption algorithm, g_4 = g_3^ask, and ask is the private key of the additive homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor; the sender encrypting the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm to generate the ciphertext (C, B) of the transaction amount includes: the sender divides the plaintext M of the transaction amount into L plaintexts M_k and encrypts each of the L plaintexts M_k by adopting the additive homomorphic encryption algorithm to generate L ciphertexts (C_k, B_k), so that the supervisor can decrypt the L ciphertexts (C_k, B_k) with the private key corresponding to the public key to obtain the L plaintexts M_k and obtain the plaintext M of the transaction amount from the L plaintexts M_k; the public key of the additive homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2; the sender sending the ciphertext (C, B) of the transaction amount to the verifier so that the verifier verifies, according to the ciphertext (C, B), whether the plaintext M of the transaction amount belongs to the first valid range comprises: the sender sends the L ciphertexts (C_k, B_k) to the verifier, so that the verifier verifies, according to each ciphertext (C_k, B_k), whether the plaintext M_k belongs to a second valid range; wherein the second valid range is [0, 2^u - 1], and u is the bit length of the plaintext M_k.
In one possible implementation, the L plaintexts M_k are of equal length.
In one possible implementation, the method further includes: the sender generates a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; the sender sending the ciphertext (C, B) of the transaction amount to the verifier so that the verifier verifies, according to the ciphertext (C, B), whether the plaintext M of the transaction amount belongs to the first valid range comprises: the sender sends the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies, according to the ciphertext (C, B), the zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
In one possible implementation, the transaction amount includes an output amount; the method further comprises: the sender calculates a ciphertext C' of the difference between the input amount and the output amount, and generates an addition homomorphic zero knowledge proof that C' is a ciphertext whose plaintext is zero, so that the verifier verifies the addition homomorphic zero knowledge proof that C' is a ciphertext whose plaintext is zero; the ciphertext of the input amount is either the ciphertext of the amount received by the sender in the previous transaction, or a ciphertext generated by the sender encrypting the amount generated in the current transaction with the additive homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor; the method further comprises: the sender generates a zero knowledge proof that the supervisor can decrypt the ciphertext C of the transaction amount, so that the verifier verifies the zero knowledge proof that the supervisor can decrypt the ciphertext C of the transaction amount.
In a possible implementation, the system further comprises a third party for providing a random secret γ used to generate a digital signature for each integer within the first valid range; the sender generating a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range comprises: the sender generates, according to the digital signature generated by the third party for each integer within the first valid range from the random secret γ, a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
In a third aspect, an embodiment of the present application provides a data processing method, applied to a blockchain system, where the system includes a sender and a verifier, and the method includes: the verifier receives the ciphertext (C, B) of the transaction amount sent by the sender; the ciphertext (C, B) of the transaction amount is generated by the sender encrypting the plaintext M of the transaction amount with an additive homomorphic encryption algorithm; the bit length of the plaintext M of the transaction amount is U; the verifier verifies, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1].
In one possible implementation, the verifier verifying, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range comprises: the verifier verifies a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; wherein the zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range is generated by the sender.
In one possible implementation, the transaction amount includes an output amount; the method further comprises: the verifier verifies an addition homomorphic zero knowledge proof that the ciphertext C' of the difference between the input amount and the output amount is a ciphertext whose plaintext is zero; the ciphertext of the input amount is either the ciphertext of the amount received by the sender in the previous transaction, or a ciphertext generated by the sender encrypting the amount generated in the current transaction with the additive homomorphic encryption algorithm; the addition homomorphic zero knowledge proof that the ciphertext C' of the difference between the input amount and the output amount is a ciphertext whose plaintext is zero is generated by the sender.
In one possible implementation, the system further comprises a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor; the method further comprises: the verifier is further configured to verify a zero knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; wherein the zero knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is generated by the sender.
In a fourth aspect, an embodiment of the present application provides a blockchain system, the system including a sender and a verifier: the sender is configured to encrypt the plaintext M of the transaction amount by adopting an additive homomorphic encryption algorithm, generate a ciphertext (C, B) of the transaction amount, and send the ciphertext (C, B) of the transaction amount to the verifier; the verifier is configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1], where U is the bit length of the plaintext M of the transaction amount.
In one possible implementation, in the ciphertext (C, B), r is a randomly generated integer, g_3 is a generator of G_1, G_1 is a multiplicative group of prime order, g_4 is the public key of the additive homomorphic encryption algorithm, g_4 = g_3^ask, and ask is the private key of the additive homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor; the sender is configured to divide the plaintext M of the transaction amount into L plaintexts M_k and encrypt each of the L plaintexts M_k by adopting the additive homomorphic encryption algorithm to generate L ciphertexts (C_k, B_k); the public key of the additive homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2; the verifier is configured to verify, according to each ciphertext (C_k, B_k), whether the plaintext M_k belongs to a second valid range; the second valid range is [0, 2^u - 1], and u is the bit length of the plaintext M_k; the supervisor is configured to decrypt the L ciphertexts (C_k, B_k) with the private key corresponding to the public key to obtain the L plaintexts M_k, and to obtain the plaintext M of the transaction amount from the L plaintexts M_k.
In one possible implementation, the sender is further configured to generate a zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; the verifier is configured to verify, according to the ciphertext (C, B) of the transaction amount, the zero knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
In one possible implementation, the transaction amount includes an output amount; the sender is further configured to calculate a ciphertext C' of the difference between the input amount and the output amount and to generate an addition homomorphic zero knowledge proof that C' is a ciphertext whose plaintext is zero; the ciphertext of the input amount is either the ciphertext of the amount received by the sender in the previous transaction, or a ciphertext generated by the sender encrypting the amount generated in the current transaction with the additive homomorphic encryption algorithm; the verifier is further configured to verify the addition homomorphic zero knowledge proof that C' is a ciphertext whose plaintext is zero.
In one possible implementation, the system further comprises a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor; the sender is further configured to generate a zero knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the verifier is further configured to verify the zero knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the supervisor is configured to decrypt the ciphertext (C, B) of the transaction amount using the private key corresponding to the public key.
In a possible implementation, the system further comprises a third party for providing a random secret γ used to generate a digital signature for each integer within the first valid range; the sender is configured to generate, according to the digital signature generated for each integer in the first valid range from the random secret γ provided by the third party, a zero knowledge proof that the plaintext of the transaction amount belongs to the first valid range.
In one possible implementation, the sender is configured to generate N first parameters; the verifier is configured to generate N second parameters, the N first parameters being in one-to-one correspondence with the N second parameters, and to verify whether the N second parameters are equal to the corresponding first parameters, and if so, to determine that the plaintext M of the transaction amount belongs to the first valid range.
In one possible implementation, the sender is further configured to generate a first verification parameter, which is determined by the N first parameters; the verifier is further configured to generate a second verification parameter, which is determined by the N second parameters; the verifier is further configured to verify whether the first verification parameter is equal to the second verification parameter, and if so, the N second parameters are equal to the corresponding first parameters.
In a fifth aspect, an embodiment of the present application provides a sender applied to a blockchain system, where the system includes a sender and a verifier, and the sender includes: the encryption unit is used for encrypting the plaintext M of the transaction amount by adopting an addition homomorphic encryption algorithm to generate ciphertext (C, B) of the transaction amount; wherein, the bit length of the plaintext M of the transaction amount is U; a transmitting unit configured to transmit ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies whether plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount; the first valid range is [0,2 U -1], U is the bit length of plaintext M of the transaction amount.
In one possible implementation, theWherein r is a randomly generated integer, G 3 is a generator of G 1, G 1 is a multiplication group with order prime numbers, G 4 is a public key of the addition homomorphic encryption algorithm, G 4=g3 ask, and ask is a private key of the addition homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor; the encryption unit includes: a dividing subunit, configured to divide the plaintext M of the transaction amount into plaintext M k of L transaction amounts; wherein k is a positive integer, k=1.., L is; l is a positive integer greater than or equal to 2; an encryption subunit, configured to encrypt plaintext M k of the transaction amount by using an addition homomorphic encryption algorithm, to generate ciphertext of the transaction amount of L shares (C k,Bk), so that the supervisor decrypts the ciphertext of the transaction amount of L shares (C k,Bk) using a private key corresponding to the public key, obtains plaintext M k of the transaction amount of L shares, and obtains plaintext M of the transaction amount according to plaintext M k of the transaction amount of L shares; the public key of the addition homomorphic encryption algorithm is provided by the supervisor; the sending unit is configured to send the ciphertext (C k,Bk) of the L transaction amounts to the verifier, so that the verifier verifies whether the plaintext M k of the transaction amounts belongs to a second valid range according to the ciphertext (C k,Bk) of the transaction amounts; wherein the second valid range is [0,2 u -1], u is the bit length of plaintext M k of the transaction amount.
In one possible implementation, the sender further includes a first generation unit, configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; the sending unit is configured to send the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies, from the ciphertext (C, B) of the transaction amount, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
In one possible implementation, the transaction amount includes an output amount, and the sender further includes a second generation unit, configured to compute the ciphertext C' of the difference between the input amount and the output amount and to generate an additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero, so that the verifier verifies that proof; the ciphertext of the input amount is either the ciphertext of the amount received by the sender in the previous transaction, or a ciphertext generated by the sender by encrypting an amount generated in the current transaction with the additive homomorphic encryption algorithm.
In one possible implementation, the system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor; the sender further includes a third generation unit, configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifier verifies that zero-knowledge proof.
In a possible implementation, the system further includes a third party, which provides a random secret γ used to generate a digital signature for each integer in the first valid range; the first generation unit is configured to generate, from the digital signatures generated with the random secret γ provided by the third party for each integer in the first valid range, a zero-knowledge proof that the plaintext M of the ciphertext C of the transaction amount belongs to the first valid range.
In a sixth aspect, an embodiment of the present application provides a verifier applied to a blockchain system, where the system includes a sender and the verifier, and the verifier includes: a receiving unit, configured to receive the ciphertext (C, B) of the transaction amount sent by the sender, where the ciphertext (C, B) is generated by the sender by encrypting the plaintext M of the transaction amount with an additive homomorphic encryption algorithm, and the bit length of the plaintext M of the transaction amount is U; and a verification unit, configured to verify, from the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1].
In one possible implementation, the ciphertext (C, B) is computed with the following parameters: r is a randomly generated integer, g3 is a generator of G1, G1 is a multiplicative group of prime order, g4 is the public key of the additive homomorphic encryption algorithm, g4 = g3^ask, and ask is the private key of the additive homomorphic encryption algorithm.
In one possible implementation, the verification unit is configured to verify a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, where that zero-knowledge proof is generated by the sender.
In one possible implementation, the transaction amount includes an output amount; the verification unit is further configured to verify an additive homomorphic zero-knowledge proof that the ciphertext C' of the difference between the input amount and the output amount is a ciphertext whose plaintext is zero. The ciphertext C' is computed from the ciphertext of the output amount and the ciphertext of the input amount; the ciphertext of the input amount is either the ciphertext of the amount received by the sender in the previous transaction or a ciphertext generated by the sender by encrypting an amount generated in the current transaction with the additive homomorphic encryption algorithm; and the additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero is generated by the sender.
In one possible implementation, the system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor; the verification unit is further configured to verify a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, where that zero-knowledge proof is generated by the sender.
In a seventh aspect, an embodiment of the present application provides a sender applied to a blockchain system, where the system includes the sender and a verifier, and the sender includes a processor, a memory and a transceiver, which are interconnected; the memory stores a computer program comprising program instructions, and the processor is configured to call the program instructions to execute the data processing method provided by the second aspect or any possible implementation of the second aspect of the embodiments of the present application.
In an eighth aspect, an embodiment of the present application provides a verifier applied to a blockchain system, where the system includes a sender and the verifier, and the verifier includes a processor, a memory and a transceiver, which are interconnected; the memory stores a computer program comprising program instructions, and the processor is configured to call the program instructions to execute the data processing method provided by the third aspect or any possible implementation of the third aspect of the embodiments of the present application.
In a ninth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the data processing method provided by the second aspect of the embodiments or any one of the possible implementations of the second aspect.
In a tenth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the data processing method provided by the third aspect or any one of the possible implementations of the third aspect of the embodiments of the present application.
By implementing the embodiments of the present application, the privacy of the transaction amount is protected in the blockchain system: the verifier verifies whether the transaction amount lies within the valid range without obtaining its plaintext, so the validity of the transaction is ensured. Moreover, when the bit length of the transaction amount plaintext is large, the plaintext can be divided into several small plaintext blocks, each of which is then separately encrypted and proved to belong to the valid range, so that the supervisor can efficiently decrypt the ciphertext of each small block of the transaction amount.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
FIG. 1 is a blockchain system architecture diagram according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an input amount and an output amount;
FIG. 3 is a schematic flow chart of a data processing method according to an embodiment of the present application;
FIG. 4 is a flowchart of another data processing method according to an embodiment of the present application;
FIG. 5 is a schematic diagram illustrating the processing of a transaction amount plaintext M by a sender according to an embodiment of the present application;
FIG. 6 is a flowchart of another data processing method according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a sender according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a verifier according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of another sender according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of another verifier according to an embodiment of the present application.
Detailed Description
The technical solutions of the embodiments of the present application will be clearly and thoroughly described below with reference to the accompanying drawings.
First, a blockchain system provided by an embodiment of the present application is described with reference to FIG. 1. As shown in FIG. 1, the blockchain system includes at least a sender and a verifier. The sender initiates a transaction to a receiver and encrypts the transaction amount; the verifier verifies whether the transaction initiated by the sender to the receiver is legal. The blockchain system may further include a supervisor, which provides a public/private key pair, gives the public key to the sender for encrypting the transaction amount, and decrypts the transaction amount with the private key in order to monitor transaction behaviour on the blockchain network, detect abnormal transactions in time and handle them accordingly. In a specific implementation, the sender may be a terminal such as the sender's mobile phone or computer, the verifier may be a bank's server or the like, and the supervisor may be a computer or server of a supervisory authority.
The blockchain system can be applied to a consortium chain scenario, that is, to a consortium formed by several organizations that have no single trusted third party; for example, in a consortium chain for financial services, a sender initiates a transaction to a receiver, the sender pays a certain transaction amount to the receiver, and a verifier can verify whether the transaction is legal. Whether a transaction is legal is mainly reflected in two aspects: first, whether the output amount equals the input amount; second, whether the output amount and the input amount belong to the valid range. If the output amount equals the input amount and both belong to the valid range, the transaction is legal. For an explanation of the output amount and the input amount, see FIG. 2. Suppose the transaction amount that sender A intends to pay is X, and sender A pays it to receiver A1 and receiver A2, with receiver A1 receiving Y and receiver A2 receiving Z. Then X is the input amount and Y and Z are the output amounts. The transaction is legal only when X = Y + Z and X, Y and Z are all greater than or equal to 0 and less than or equal to the maximum value. The maximum value is determined by the bit length of the transaction amount: if the bit length of the transaction amount is U, the maximum value is 2^U - 1.
Next, a data processing method provided by an embodiment of the present application is described with reference to the blockchain system described in fig. 1. As shown in fig. 3, the data processing method may include at least the following steps:
S301: The sender encrypts the plaintext M of the transaction amount using an additive homomorphic encryption algorithm to generate the ciphertext (C, B) of the transaction amount.
Specifically, the additive homomorphic encryption algorithm may be the ElGamal algorithm. In the ciphertext (C, B) of the transaction amount, C is the ciphertext body of the transaction amount plaintext M and B is an auxiliary ciphertext of the plaintext M; the auxiliary ciphertext assists in decrypting the ciphertext body C during the supervisor's later decryption.
In particular, the ciphertext (C, B) is computed with the following parameters: r is a randomly generated integer, g3 is a generator of G1, G1 is a multiplicative group of prime order, g4 is the public key of the additive homomorphic encryption algorithm, g4 = g3^ask, and ask is the private key of the additive homomorphic encryption algorithm.
The bit length of the plaintext M of the transaction amount is U, where U is a positive integer.
In one possible implementation, the transaction amount includes an output amount. When the transaction amount includes only the output amount, the input amount may be the ciphertext of the amount received by the sender in the previous transaction, and no further encryption or subsequent zero-knowledge proof that this amount lies within the valid range is needed for it.
In another possible implementation, the transaction amount may include an input amount in addition to the output amount. The sender then needs to encrypt both the output amount and the input amount, and to produce zero-knowledge proofs that the transaction amounts belong to the valid range.
Whether the sender directly uses the ciphertext of the amount received in the previous transaction, or must encrypt the input amount and then prove in zero knowledge that it falls within the valid range, depends on the initialization settings of the blockchain system, that is, on whether the transaction model is one in which the sender directly forwards the amount received in the previous transaction to the receiver, or one in which the sender regenerates the input amount in each transaction.
The number of input amounts may be at least one, and the number of output amounts may be at least one.
In one possible implementation, the supervisor holds an asymmetric key pair consisting of a public key and a private key. The sender encrypts the plaintext M of the transaction amount with the public key provided by the supervisor to generate the ciphertext of the transaction amount, which guarantees that the supervisor can decrypt the ciphertext with the private key corresponding to that public key and can therefore supervise the transaction.
S302: the sender sends the ciphertext (C, B) of the transaction amount to the verifier.
Specifically, because the sender encrypts the transaction amount with the additive homomorphic encryption algorithm, the verifier cannot obtain the plaintext M of the transaction amount; this prevents the sender from being tracked by users on other nodes and avoids information leakage. Therefore, after encrypting the plaintext M of the transaction amount, the sender sends the resulting ciphertext (C, B) to the verifier, so that the verifier can verify the validity of the transaction amount.
S303: the verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount.
Specifically, if the bit length of the plaintext M of the transaction amount is U, the first valid range is [0, 2^U - 1].
In particular, the verifier may verify a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; this zero-knowledge proof is generated by the sender. The embodiment of the present application may use the ElGamal encryption algorithm in its additively homomorphic form because, in the blockchain system, additively homomorphic ElGamal is compatible with the zero-knowledge proof algorithm showing that the plaintext M of the transaction amount belongs to the first valid range. Specifically, the data produced by the additively homomorphic ElGamal encryption algorithm is two-dimensional, the data produced by the zero-knowledge range proof algorithm is likewise two-dimensional, and both algorithms belong to the same group of mathematical structures, so the two are compatible mathematically. A zero-knowledge proof allows a prover to convince a verifier that a certain assertion is correct without providing the verifier with any useful information. A zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range therefore means that the sender does not provide the verifier with M, yet the verifier is convinced that M belongs to the first valid range. In the embodiment of the present application, a digital signature can be generated for every integer in the first valid range, and the sender proves that the plaintext M of the transaction amount belongs to the first valid range simply by proving that the plaintext of the transaction amount corresponds to one of the digital signatures of the integers in the first range.
Additive homomorphic encryption is a form of encryption that allows a specific algebraic operation to be performed on ciphertexts to obtain a result that is still encrypted and which, when decrypted, equals the result of performing the same operation on the plaintexts. In other words, additive homomorphic encryption allows one to operate on encrypted data and obtain the correct result without decrypting the data at any point.
In addition, when the sender encrypts the plaintext M of the transaction amount with the ElGamal encryption algorithm under the public key provided by the supervisor, the sender may also generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, and the verifier may verify that zero-knowledge proof.
Note that the order in which the zero-knowledge proof that the plaintext M belongs to the first valid range and the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) are generated is not limited; likewise, the order in which the verifier verifies these two proofs is not limited.
In addition, the sender may also compute the ciphertext C' of the difference between the input amount and the output amount, and generate an additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero. The verifier may then verify that additive homomorphic zero-knowledge proof.
It will be appreciated that when the output amount is equal to the input amount and both the output amount and the input amount fall within the valid range, the transaction may prove legitimate.
Specifically, when generating the zero-knowledge proof that the plaintext M belongs to the first valid range, the sender may generate at least one first parameter, and when verifying that proof the verifier may generate at least one second parameter, the first parameters corresponding one-to-one to the second parameters. When each second parameter generated by the verifier equals the corresponding first parameter generated by the sender, the plaintext M of the transaction amount is verified to belong to the first valid range. The same method applies to the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, and to the additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero, that is, the verification that the input amount equals the output amount; details are not repeated here.
In particular, when generating a zero-knowledge proof the sender may further generate a first verification parameter determined by the several first parameters, and when verifying it the verifier may generate a second verification parameter determined by the several second parameters. When the second verification parameter generated by the verifier equals the first verification parameter generated by the sender, each first parameter equals its corresponding second parameter, and the zero-knowledge proof is thereby verified.
By implementing the embodiment of the present application, the privacy of the transaction amount is protected in the blockchain system: the verifier verifies whether the transaction amount lies within the valid range without obtaining its plaintext, so the validity of the transaction is ensured, and supervision by the supervisor can be supported when necessary.
In another possible embodiment, the embodiment of the present application provides another data processing method for the case in which the bit length of the plaintext M of the transaction amount is large, since the supervisor cannot efficiently decrypt the ciphertext of a transaction amount plaintext with a large bit length. Therefore, in this embodiment the plaintext M of the transaction amount is first divided into several small plaintext blocks, and encryption, the proof that the plaintext belongs to the valid range, decryption and so on are then carried out on each block separately, so that the supervisor can efficiently decrypt the ciphertext of each block of the transaction amount. See FIG. 4 for details. As shown in FIG. 4, the data processing method may include at least the following steps:
S401: The sender divides the plaintext M of the transaction amount into L plaintext blocks Mk of the transaction amount.
Optionally, if the bit length of the plaintext M of the transaction amount is U, it is divided into L plaintext blocks Mk of bit length u, where L × u = U, k is a positive integer and k = 1, ..., L.
For example, when the bit length of the plaintext M is 64, one may set L = 4 and u = 16, that is, divide M into 4 plaintext blocks Mk of bit length 16, where k = 1, 2, 3, 4. The maximum value of each plaintext block Mk is then 2^16 - 1.
As another example, when the bit length of the plaintext M is 64, one may set L = 8 and u = 8, that is, divide M into 8 plaintext blocks Mk of bit length 8, where k = 1, 2, ..., 8. The maximum value of each plaintext block Mk is then 2^8 - 1.
It should be appreciated that the bit lengths of the L plaintext blocks Mk may also be unequal.
Specifically, the transaction amount may be an output amount, or the transaction amount may be both an output amount and an input amount, depending on the initialization settings of the blockchain system. For the detailed description, reference is made to the description in S301, and the detailed description is omitted here.
Note that the bit lengths of the output amount and the input amount are not necessarily the same; therefore, when the sender divides and encrypts the output amount and the input amount, the number of blocks may differ and the bit lengths of the divided transaction amounts may differ. There may be at least one input amount and at least one output amount, that is, a single transaction may have several input amounts or several output amounts.
S402: The sender encrypts each of the L plaintext blocks Mk of the transaction amount using an additive homomorphic encryption algorithm to generate L ciphertexts (Ck, Bk) of the transaction amount.
Specifically, k = 1, ..., L. The public key of the additive homomorphic encryption algorithm may be provided by a supervisor. Encrypting the transaction amount with the public key provided by the supervisor ensures that the supervisor can decrypt the ciphertexts (Ck, Bk) with the private key corresponding to that public key and can therefore supervise the transaction.
Specifically, the additive homomorphic encryption algorithm may be the ElGamal algorithm. In the ciphertext (Ck, Bk) of the transaction amount, Ck is the ciphertext body of the plaintext block Mk and Bk is an auxiliary ciphertext of Mk, which assists in decrypting the ciphertext body Ck during the supervisor's later decryption.
In particular, the ciphertext (Ck, Bk) is computed with the following parameters: rk is a randomly generated integer, g3 is a generator of G1, G1 is a multiplicative group of prime order, g4 is the public key of the additive homomorphic encryption algorithm, g4 = g3^ask, and ask is the private key of the additive homomorphic encryption algorithm.
S403: The sender sends the L ciphertexts (Ck, Bk) of the transaction amount to the verifier.
Specifically, because the sender applies additive homomorphic ElGamal encryption to the transaction amount, the verifier cannot obtain the plaintext of the transaction amount; this prevents the sender from being tracked by users on other nodes and avoids information leakage. Therefore, after applying additive homomorphic ElGamal encryption to the plaintext of the transaction amount, the sender sends the ciphertext of the transaction amount directly to the verifier, so that the verifier can verify the validity of the transaction amount.
S404: The verifier verifies, from the ciphertext (Ck, Bk) of the transaction amount, whether the plaintext block Mk belongs to the second valid range.
Specifically, the verifier verifies whether each plaintext block Mk belongs to the second valid range, where the bit length of Mk is u and the second valid range is [0, 2^u - 1].
In particular, the verifier may verify a zero-knowledge proof that the plaintext block Mk belongs to the second valid range; this zero-knowledge proof is generated by the sender. In the embodiment of the present application, the blockchain system may further include a trusted third party that generates a digital signature for each integer in the second valid range; the sender then only needs to prove that the plaintext Mk in the ciphertext (Ck, Bk) corresponds to one of the digital signatures of the integers in the second valid range in order to prove that Mk belongs to the second valid range.
Referring specifically to FIG. 5, FIG. 5 shows the sender's process of dividing, encrypting and range-proving the plaintext M of the transaction amount. As shown in FIG. 5, the plaintext M of the transaction amount is divided into 8 plaintext blocks Mk of bit length u, where k = 1, 2, ..., 8. First, in the encryption step, the sender encrypts each plaintext block Mk with the additive homomorphic encryption algorithm to obtain the corresponding ciphertext (Ck, Bk) of the transaction amount. Second, in the step of proving that the plaintext block Mk belongs to the second valid range, the sender generates a zero-knowledge proof, denoted πk, that Mk belongs to the second valid range. Specifically, based on the ciphertext (Ck, Bk), the sender proves that Mk corresponds to one of the 2^u digital signatures σi of the integers 0 to 2^u - 1, thereby proving that Mk lies within the second valid range [0, 2^u - 1]. The digital signature σi is generated by a trusted third party in the system; σi denotes the signature of the integer i, where i ∈ [0, 2^u - 1] and i is an integer. In the actual computation, for each plaintext block Mk the sender generates a value ak which represents that Mk belongs to the second valid range; after the sender generates ak, the verifier checks the correctness of ak, and if ak is correct, Mk belongs to the second valid range. ak is described in the following embodiments.
In addition, the sender may also generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (Ck, Bk) of the transaction amount, and the verifier may verify that zero-knowledge proof.
It should be appreciated that the order in which the zero-knowledge proof that the plaintext block Mk belongs to the second valid range and the zero-knowledge proof that the supervisor can decrypt the ciphertext (Ck, Bk) are generated is not limited; likewise, the order in which the verifier verifies these two proofs is not limited.
In addition, the sender may also compute the ciphertext C' of the difference between the input amount and the output amount and generate an additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero, and the verifier may verify that proof. It will be appreciated that when the output amount equals the input amount and both lie within the valid range, the transaction is shown to be legal.
Note that the zero-knowledge proof that the plaintext block Mk belongs to the second valid range, the additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero, and the zero-knowledge proof that the supervisor can decrypt the ciphertext (Ck, Bk) are all generated by the sender and verified by the verifier: the sender generates the corresponding parameters and the verifier checks their correctness.
Specifically, when generating the zero-knowledge proof that a plaintext block Mk belongs to the second valid range, the sender generates at least one first parameter for each block Mk separately, and when verifying that proof the verifier may generate at least one second parameter, the first parameters corresponding one-to-one to the second parameters. When each second parameter generated by the verifier equals the corresponding first parameter generated by the sender, the plaintext block Mk is verified to belong to the second valid range. The same approach is used to prove that the supervisor can decrypt the ciphertext (Ck, Bk) of each block. For the additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero, the sender computes a single first parameter over all input amounts and all output amounts as a whole, rather than per block; the verifier likewise computes a second parameter from all output amounts and all input amounts. When the second parameter generated by the verifier equals the first parameter generated by the sender, C' is verified to be a ciphertext whose plaintext is zero, that is, the input amount is verified to equal the output amount.
In particular, the sender may further generate a first verification parameter when generating the zero-knowledge proof, where the first verification parameter is determined by the plurality of first parameters. The verifier may also generate a second verification parameter when verifying the zero-knowledge proof, the second verification parameter being determined by the plurality of second parameters. When the second verification parameter generated by the verification party is equal to the first verification parameter generated by the sender, the first parameters are equal to the corresponding second parameters in the second parameters. Thereby verifying the zero knowledge proof.
S405: the supervisor decrypts the ciphertext of the L transaction amount by using the private key corresponding to the public key (C k,Bk) to obtain the plaintext M k of the L transaction amount.
Specifically, the supervisor has a pair of asymmetric passwords, including a public key and a private key. The public key is provided for the sender to encrypt the plaintext M k of the transaction amount by using an addition homomorphic encryption algorithm, so as to obtain the encrypted ciphertext (C k,Bk), protect the transaction privacy and prevent information leakage. The private key is stored by the supervisor and used for decrypting the ciphertext (C k,Bk) of the transaction amount sent by the sender, obtaining the decrypted plaintext M k, so that the supervisor reorganizes the L M k to obtain the initial transaction amount M, and the supervisor supervises the transaction.
S406: and the supervision party obtains the plaintext M of the transaction amount according to the plaintext M k of the L transaction amounts.
Specifically, if the bit lengths of the plaintext M k of the L transaction amounts are U, the supervisor needs to recombine the plaintext M k of the transaction amount with the bit length of U to obtain the plaintext M of the original transaction amount with the bit length of U, so that the supervisor can supervise the transaction.
Wherein,
When the embodiment of the application is implemented, a plaintext M of the transaction amount with a long bit length can be divided into several small blocks of plaintext, and each small block is then separately encrypted, decrypted, verified to belong to the valid range, and so on. This protects transaction privacy while supporting supervision, and at the same time the supervisor can effectively decrypt the ciphertext of the transaction amount of each small block.
Next, another data processing method provided by an embodiment of the present application is described with reference to fig. 6. As shown in fig. 6, the data processing method at least includes the following steps:
S601: and initializing a system.
Specifically, system initialization may include the following aspects:
1) The plaintext M of the transaction amount is divided into L shares, and the bit length of each share is set to u. For example, in a scenario where the bit length of the plaintext of the transaction amount is 64, L = 4 and u = 16 may be set. g_3 and g_5 are generators of G_1 and G_2 respectively, where G_1 and G_2 are multiplicative groups of prime order. H is a secure hash function.
2) The private key of the supervisor is set to ask, and the public key is set to g_4 = g_3^ask.
3) A trusted third party generates a random secret γ and uses it to generate 2^u digital signatures, one for each integer in [0, 2^u − 1]: σ_i is the signature of the integer i, where i is an integer and i ∈ [0, 2^u − 1].
It is appreciated that L, u, H, g_3, g_5, g_4 and σ_i above are public parameters in the blockchain system.
S602: the sender encrypts each output amount.
Specifically, the following describes the process by which the sender encrypts a single output amount; if there are several output amounts, the process for a single output amount is repeated for each.
In this embodiment, the explanation takes the case where the plaintext M of the output amount is divided. The sender encrypts the plaintext M of the output amount with an addition homomorphic encryption algorithm, which specifically comprises the following steps:
1) The sender splits the plaintext M of the output amount into L parts of plaintext M_k of the output amount, each having bit length u, with M_k ∈ [0, 2^u − 1] and k = 1, 2, ..., L.
Assuming that the bit length of the plaintext M of the output amount is 64, L = 4 and u = 16 are set, and the plaintext M of the output amount is divided into 4 parts of plaintext M_k of the output amount, each having bit length 16, where k = 1, 2, 3, 4. Then:
2) The plaintext M_k of each output amount is encrypted with an addition homomorphic encryption algorithm to generate the ciphertext (C_k, B_k) of the output amount.
Specifically, the addition homomorphic encryption algorithm may be the ElGamal algorithm. In the ciphertext (C_k, B_k) of the output amount, C_k is the ciphertext body of the plaintext M_k of the output amount, and B_k is an auxiliary ciphertext of the plaintext M_k of the output amount, used by the supervisor to assist in decrypting the ciphertext body C_k in the subsequent decryption process.
Specifically, (C_k, B_k) is calculated from M_k and a randomly generated integer r_k.
S603: the sender generates a zero knowledge proof.
Specifically, the process of generating the zero-knowledge proof is again described for a single output amount; if there are several output amounts, the process for a single output amount is repeated for each.
Specifically, the zero-knowledge proof generated by the sender includes the following aspects:
1) The sender generates a zero-knowledge proof that the supervisor can decrypt the ciphertext (C_k, B_k) of each output amount.
Specifically, a random number ω_k is generated, and the first parameters D_k and E_k are calculated from it.
2) The sender generates a zero-knowledge proof that the plaintext M_k of the output amount belongs to the second valid range.
Specifically, the sender proves that the plaintext M_k of the output amount corresponds to one of the 2^u digital signatures of the integers in the second valid range [0, 2^u − 1], thereby proving that the plaintext M_k of the output amount belongs to the second valid range [0, 2^u − 1].
Specifically, random numbers v_k, s_k and t_k are generated, V_k is calculated from them, and the first parameter a_k is calculated.
The ciphertext body C of the whole output amount can be calculated from the ciphertext bodies C_k of the L output amounts obtained by the division.
It will be appreciated that the above covers the encryption of and proofs for the output amount (proving that the supervisor can decrypt the ElGamal ciphertext of each small block, and proving that the plaintext in the ciphertext falls within the second valid range). For the input amount, the above process can be repeated for encryption and proof; alternatively, the ciphertext of the transaction amount received by the sender in the previous transaction is used directly as the input amount of this transaction, without repeating the process. Whether the sender directly reuses the ciphertext of the transaction amount received in the previous transaction depends on the transaction model set at initialization of the blockchain system, i.e. whether the transaction model forwards the amount received in the previous transaction directly to the receiver, or whether the sender regenerates the input amount in each transaction.
3) The sender calculates the ciphertext C' of (total input amount − total output amount) and generates an addition homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero.
Specifically, assume there are Y output amounts M_(out,y) with ciphertext bodies C_(out,y), and X input amounts M_(in,x) with ciphertext bodies C_(in,x), where x ranges over the X input amounts and y over the Y output amounts. The sender calculates δ from the random numbers used for the ciphertext bodies, namely the random number of each ciphertext body C_(in,x) and the random number of each ciphertext body C_(out,y). The sender then generates a random number r_δ and calculates the first parameter R_δ.
When the total input amount and the total output amount are equal, the difference between the plaintext of the total input amount and the plaintext of the total output amount is computed, and on the encrypted data this is done by taking the ratio of the ciphertext of the total input amount to the ciphertext of the total output amount. The ciphertext of the total output amount is the product of the ciphertexts of the several output amounts, and the ciphertext of the total input amount is the product of the ciphertexts of the several input amounts.
4) The sender calculates a first verification parameter d as the output of the hash function H, whose input includes the B_k, C_k, D_k, E_k, V_k, a_k and R_δ described above. Using the first verification parameter d, the sender calculates Z_δ = r_δ + dδ.
The sender ultimately outputs B_k, C_k and V_k for each output amount, where k = 1, 2, ..., L; for all output amounts and all input amounts together, the sender also outputs Z_δ and d. It will be appreciated that if, in the blockchain system, the sender regenerates the input amount in each transaction, the sender likewise outputs B_k, C_k and V_k for each input amount. The sender sends the output parameters to the verifier.
S604: the verifier verifies the zero-knowledge proof.
Specifically, the verification of the zero knowledge proof by the verifier includes the following aspects:
1) The verifier verifies the zero-knowledge proof that the plaintext M_k of each output amount belongs to the second valid range, together with the zero-knowledge proof that the supervisor can decrypt.
The first parameters V_k and a_k generated by the sender are used to prove that the plaintext M_k of the output amount has a corresponding digital signature generated by the trusted third party, that is, 0 ≤ M_k ≤ 2^u − 1, i.e. that the plaintext M_k of the output amount belongs to the second valid range; the first parameters D_k and E_k generated by the sender are used to prove that (B_k, C_k) is a legal ciphertext, i.e. that the supervisor can decrypt the ciphertext.
In particular, the verifier calculates the second parameters D_k', E_k' and a_k' for each small block, where k = 1, 2, ..., L.
For the input amount, if the sender reuses the amount ciphertext received in the previous transaction, the input amount does not need to be verified; otherwise, the verifier repeats the above operations to verify the zero-knowledge proof that the input amount belongs to the second valid range and the zero-knowledge proof that the supervisor can decrypt it.
2) The verifier verifies the addition homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero.
Specifically, the verifier calculates C' and then the second parameter R_δ'.
The verifier calculates a second verification parameter d' with the hash function H, whose input includes B_k, C_k, D_k', E_k', V_k, a_k' and R_δ'. If the second verification parameter equals the first verification parameter, i.e. d' = d, the verification by the verifier passes. Here, "verification passes" refers to the following three aspects:
1. The verifier verifies that the plaintext M_k of each output amount belongs to the second valid range;
2. The verifier verifies that C' is a ciphertext whose plaintext is zero, i.e. that the output amount equals the input amount;
3. The verifier verifies that the supervisor can decrypt the ciphertext (C_k, B_k) of each output amount.
Aspects 1 and 2 above verify the legitimacy of the transaction; aspect 3 verifies the validity of the ciphertext.
When the sender calculates the first verification parameter d, the input of the hash function H includes B_k, C_k, D_k, E_k, V_k, a_k and R_δ. When the verifier calculates the second verification parameter d', the input of the hash function H includes B_k, C_k, D_k', E_k', V_k, a_k' and R_δ'. Obtaining d' = d therefore means that the respective inputs of the hash function H are equal (this step relies on H being collision resistant), i.e. D_k' = D_k, E_k' = E_k, a_k' = a_k and R_δ' = R_δ. Since the first parameters D_k and E_k are used to prove that (C_k, B_k) is a legal ciphertext, D_k' = D_k and E_k' = E_k mean that (C_k, B_k) is a legal ciphertext, i.e. it is verified that the supervisor can decrypt the output amount of each small block. Since the first parameter a_k is used to prove that the plaintext M_k of the output amount has a corresponding digital signature generated by the trusted third party, a_k' = a_k means that the plaintext M_k of the output amount belongs to the second valid range. Since the first parameter R_δ is used to prove that C' is a ciphertext whose plaintext is zero, R_δ' = R_δ verifies that C' is a ciphertext whose plaintext is zero, i.e. that the total input amount equals the total output amount. Combining this with the result that the plaintext of each output amount belongs to the valid range, the verifier verifies the validity of the transaction.
S605: and (5) decrypting by the supervisor.
Specifically, the supervisor decryption may include the following aspects:
1) The supervisor adopts the private key ask to decrypt the ciphertext (C k,Bk) of each output amount to obtain
2) Supervisor computingAnd respectively withAnd comparing to find out the plaintext M k of the output amount.
Specifically, the supervisor may pre-calculateWherein i is an integer, i is [0,2 u -1], generating a pre-calculation table The supervisor can reuse the pre-calculation table in the process of multiple decryptions to obtain the result of each decryptionThe value of plaintext M k of the output amount is found by comparison with the pre-calculation table.
3) And restoring the plaintext M of the output amount according to the decrypted plaintext M k of the plurality of output amounts. Wherein,
It is to be appreciated that the above-described decryption process of the supervisor is also applicable to decryption of the input amount, and will not be described herein.
It can be appreciated that the above calculation process is equally applicable to a scenario where the transaction amount plaintext does not need to be divided, and will not be described herein.
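As an added, runnable illustration of S602 to S605 above (and of the parameter-comparison argument in S404), written for this page rather than taken from the patent or from Huawei: a 64-bit amount is split into L = 4 chunks of u = 16 bits, each chunk is encrypted with exponential ElGamal under the supervisor's key g_4 = g_3^ask, the chunk ciphertexts are combined into a whole-amount ciphertext, the sender proves that C' (the ratio of the input ciphertexts to the output ciphertexts) encrypts zero, the verifier recomputes d' and accepts only if d' = d, and the supervisor decrypts each chunk through a pre-calculated table of g_3^i. Everything not on the page is an assumption: the group is the prime-order subgroup of Z_p* for a deterministically chosen 63-bit safe prime (a toy size, not a production parameter), chunks are taken low-order first, SHA-256 plays the role of H, and the zero-plaintext proof is the standard Chaum-Pedersen equal-discrete-log proof in the page's R_δ, d, Z_δ = r_δ + dδ shape (the patent's own formulas do not survive on this page and are not reproduced). The signature-based range proof for each chunk (σ_i, V_k, a_k) is not implemented.

```python
# Added example (not the patent's own code): chunked exponential ElGamal, a proof that the difference
# ciphertext C' encrypts zero, and table-based supervisor decryption. Group, chunk order, hash and
# proof form are assumptions; the patent's own formulas (not reproduced on the page) are not shown.
import hashlib
import secrets

L, U = 4, 16  # a 64-bit amount split into L chunks of U bits, as in the page's example
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin (these bases are exact for n < 3.3e24)."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def safe_prime_above(bound):
    """Smallest safe prime p = 2q + 1 with q > bound: a deterministic toy group parameter."""
    q = bound | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_above(1 << 62)
G3 = 4  # a quadratic residue, hence a generator of the prime-order-q subgroup of Z_p^*
TABLE = {pow(G3, i, P): i for i in range(1 << U)}  # supervisor's table g3^i -> i, i in [0, 2^U - 1]

def join_chunks(chunks):
    return sum(v << (U * k) for k, v in enumerate(chunks))  # sum_k v_k * 2^(U (k-1))

def encrypt_amount(g4, m):
    """Chunk M (U bits each, low-order first: assumed order); C_k = g3^M_k * g4^r_k, B_k = g3^r_k."""
    cts, rs = [], []
    for k in range(L):
        mk, rk = (m >> (U * k)) & ((1 << U) - 1), secrets.randbelow(Q)
        cts.append((pow(G3, mk, P) * pow(g4, rk, P) % P, pow(G3, rk, P)))
        rs.append(rk)
    return cts, rs

def combine_chunks(cts):
    """(C, B) = prod_k (C_k, B_k)^(2^(U (k-1))); by additivity it encrypts M under r = join_chunks(rs)."""
    c = b = 1
    for k, (ck, bk) in enumerate(cts):
        c, b = c * pow(ck, 1 << (U * k), P) % P, b * pow(bk, 1 << (U * k), P) % P
    return c, b

def difference_ciphertext(inputs, outputs):
    """(C', B') = prod(inputs) / prod(outputs): encrypts total_in - total_out."""
    c = b = 1
    for ck, bk in inputs:
        c, b = c * ck % P, b * bk % P
    for ck, bk in outputs:  # x^(q-1) = x^-1 in the order-q subgroup
        c, b = c * pow(ck, Q - 1, P) % P, b * pow(bk, Q - 1, P) % P
    return c, b

def fiat_shamir(*vals):
    """d = H(public values) mod q, playing the role of the page's verification parameter d."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, vals)).encode()).digest(), "big") % Q

def prove_zero(g4, inputs, outputs, delta):
    """Sender: if totals balance, C' = g4^delta and B' = g3^delta (delta = sum r_in - sum r_out);
    Chaum-Pedersen proof of that shared exponent in the page's shape R -> d -> Z = r + d*delta."""
    cp, bp = difference_ciphertext(inputs, outputs)
    r = secrets.randbelow(Q)
    d = fiat_shamir(cp, bp, pow(g4, r, P), pow(G3, r, P))
    return d, (r + d * delta) % Q

def verify_zero(g4, inputs, outputs, proof):
    """Verifier: recompute R' = g^Z / X^d for both bases and accept iff the recomputed d' equals d."""
    d, z = proof
    cp, bp = difference_ciphertext(inputs, outputs)
    r1 = pow(g4, z, P) * pow(cp, (Q - d) % Q, P) % P
    r2 = pow(G3, z, P) * pow(bp, (Q - d) % Q, P) % P
    return fiat_shamir(cp, bp, r1, r2) == d

def decrypt_amount(ask, cts):
    """Supervisor: C_k / B_k^ask = g3^M_k for each chunk, looked up in TABLE, then reassembled."""
    return join_chunks([TABLE[ck * pow(bk, Q - ask, P) % P] for ck, bk in cts])

def run_transaction(input_amounts, output_amounts):
    """Sender encrypts and proves, verifier checks the proof, supervisor decrypts the outputs."""
    ask = secrets.randbelow(Q - 2) + 2  # supervisor private key; public key g4 = g3^ask
    g4 = pow(G3, ask, P)
    ins = [encrypt_amount(g4, m) for m in input_amounts]
    outs = [encrypt_amount(g4, m) for m in output_amounts]
    in_cts, out_cts = [combine_chunks(c) for c, _ in ins], [combine_chunks(c) for c, _ in outs]
    delta = sum(join_chunks(r) for _, r in ins) - sum(join_chunks(r) for _, r in outs)
    proof = prove_zero(g4, in_cts, out_cts, delta % Q)
    return verify_zero(g4, in_cts, out_cts, proof), [decrypt_amount(ask, c) for c, _ in outs]
```

run_transaction returns the verifier's decision and the amounts the supervisor recovers. An unbalanced transaction is rejected because C' then carries a non-zero g_3 exponent, and the sender cannot fold that into δ without knowing ask; the per-chunk table lookup is what keeps decryption cheap, since each chunk only ranges over 2^u values even though the whole amount ranges over 2^U.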
The embodiment of the application provides a specific calculation method for the data processing method, according to which the plaintext of the transaction amount can be divided. The plaintext of each small block is then encrypted and decrypted, proven to belong to the valid range, and so on, which protects transaction privacy and ensures that, while cooperating with supervision, the supervisor can effectively decrypt the ciphertext of the transaction amount of each small block, restore the plaintext M of the transaction amount, and effectively supervise the transaction.
The embodiment of the present application further provides a sender, applied to the blockchain system shown in fig. 1, where the system may at least include a sender and a verifier. As shown in fig. 7, the sender 70 may at least include an encryption unit 710 and a transmitting unit 720, where:
the encryption unit 710 encrypts the plaintext M of the transaction amount with an addition homomorphic encryption algorithm, generating the ciphertext (C, B) of the transaction amount, where the bit length of the plaintext M of the transaction amount is U; for details, refer to the description of S301;
the transmitting unit 720 transmits the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U − 1]; for details, refer to the description of S302.
In one possible implementation, the addition homomorphic encryption algorithm may be the ElGamal algorithm described above, where r is a randomly generated integer, g_3 is a generator of G_1, G_1 is a multiplicative group of prime order, g_4 is the public key of the addition homomorphic encryption algorithm, g_4 = g_3^ask, and ask is the private key of the addition homomorphic encryption algorithm.
In one possible implementation, the blockchain system described above further includes a supervisor, and the encryption unit 710 includes a dividing subunit 7110 and an encryption subunit 7120, where:
the dividing subunit 7110 is configured to divide the plaintext M of the transaction amount into L plaintexts M_k of the transaction amount, where k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2; for details, refer to the description of S401 or of 1) in S602;
the encryption subunit 7120 is configured to encrypt the L plaintexts M_k of the transaction amount separately with an addition homomorphic encryption algorithm to generate L ciphertexts (C_k, B_k) of the transaction amount, so that the supervisor can decrypt the L ciphertexts (C_k, B_k) with the private key corresponding to the public key, obtain the L plaintexts M_k, and obtain the plaintext M of the transaction amount from the L plaintexts M_k; the public key of the addition homomorphic encryption algorithm is provided by the supervisor. For details, refer to the descriptions of S402, S405 and S406, or of 2) in S602.
The transmitting unit 720 is configured to transmit the L ciphertexts (C_k, B_k) of the transaction amount to the verifier, so that the verifier verifies whether the plaintexts M_k of the L ciphertexts (C_k, B_k) belong to a second valid range; the second valid range is [0, 2^u − 1], where u is the bit length of the plaintext M_k of the transaction amount. For details, refer to the descriptions of S403 and S404.
In one possible implementation, the sender 70 further includes a first generating unit 730, configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; for details, refer to the description of 2) in S603.
The transmitting unit 720 is configured to transmit the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies, according to the ciphertext (C, B) of the transaction amount, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
In one possible implementation, the transaction amount includes an output amount, and the sender 70 further includes a second generating unit 740, configured to calculate the ciphertext C' of the difference between the input amount and the output amount and to generate an addition homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero, so that the verifier can verify that proof. Here C' is a ciphertext calculated from the ciphertext of the output amount and the ciphertext of the input amount; the ciphertext of the input amount is either the ciphertext of an amount received by the sender 70 in the previous transaction, or a ciphertext generated by the sender 70 encrypting an amount generated in the current transaction with the addition homomorphic encryption algorithm. For details, refer to the description of 3) in S603.
In one possible implementation, the system further includes a supervisor, and the public key of the addition homomorphic encryption algorithm is provided by the supervisor; for details, refer to the description of S301.
The sender 70 further includes a third generating unit 750, configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifier verifies that zero-knowledge proof; for details, refer to the description of 1) in S603.
In one possible implementation, the system further includes a third party configured to provide a random secret γ, which is used to generate a digital signature for each integer in the first valid range; for details, refer to the description of 3) in S601.
The first generating unit 730 is configured to generate, according to the digital signatures generated for the integers in the first valid range from the random secret γ provided by the third party, a zero-knowledge proof that the plaintext M of the ciphertext C of the transaction amount belongs to the first valid range; for details, refer to the description of 2) in S603.
The embodiment of the application also provides a verifier, applied to the blockchain system shown in fig. 1, where the system may at least include a sender and a verifier. As shown in fig. 7, the verifier 80 may at least include a receiving unit 810 and a verification unit 820, where:
the receiving unit 810 receives the ciphertext (C, B) of the transaction amount transmitted by the sender 70; the ciphertext (C, B) of the transaction amount is generated by the sender 70 encrypting the plaintext M of the transaction amount with an addition homomorphic encryption algorithm, and the bit length of the plaintext M of the transaction amount is U; for details, refer to the description of S302 or S403;
the verification unit 820 verifies, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2^U − 1]; for details, refer to the description of S303 or S404.
In one possible implementation, the addition homomorphic encryption algorithm may be the ElGamal algorithm described above, where r is a randomly generated integer, g_3 is a generator of G_1, G_1 is a multiplicative group of prime order, g_4 is the public key of the addition homomorphic encryption algorithm, g_4 = g_3^ask, and ask is the private key of the addition homomorphic encryption algorithm.
In one possible implementation, the verification unit 820 is configured to verify the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, which is generated by the sender 70; for details, refer to the description of 1) in S604.
In one possible implementation, the transaction amount includes an output amount, and the verification unit 820 is further configured to verify the addition homomorphic zero-knowledge proof that the ciphertext C' of the difference between the input amount and the output amount is a ciphertext whose plaintext is zero. Here C' is a ciphertext calculated from the ciphertext of the output amount and the ciphertext of the input amount; the ciphertext of the input amount is either the ciphertext of the amount received by the sender 70 in the previous transaction, or a ciphertext generated by the sender 70 encrypting the amount generated in the current transaction with the addition homomorphic encryption algorithm; and the addition homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero is generated by the sender 70. For details, refer to the description of 2) in S604.
In one possible implementation, the blockchain system further includes a supervisor, and the public key of the addition homomorphic encryption algorithm is provided by the supervisor.
The verification unit 820 is further configured to verify the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, which is generated by the sender 70; for details, refer to the description of 1) in S604.
The embodiment of the present application further provides another sender, as shown in fig. 9, the sender 90 may at least include: at least one processor 901, at least one network interface 904, a user interface 903, memory 905, at least one communication bus 902, and a display 906. Where communication bus 902 is used to enable connected communication among these components, it is understood that the various components in sender 90 may also be coupled by other connectors, which may include various interfaces, transmission lines, buses, etc., and in various embodiments of the present application, coupled refers to interconnection by a particular means, including direct connection or indirect connection via other devices.
Wherein the processor 901 may include at least one of the following types: a general purpose central processing unit (Central Processing Unit, CPU), a digital signal Processor (DIGITAL SIGNAL Processor, DSP), a microprocessor, an application specific integrated Circuit (Applination SPECIFIC INTEGRATED Circuit, ASIC), a microcontroller (Microcontroller Unit, MCU), a field programmable gate array (Field Programmable GATE ARRAY, FPGA), or an integrated Circuit for implementing logic operations. For example, processor 901 may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. The multiple processors or units included within processor 901 may be integrated in one chip or located on multiple different chips.
The user interface 903 may include a keyboard, physical buttons (push buttons, rocker buttons, etc.), dials, slider switches, joysticks, click wheels, optical mice (optical mice are touch sensitive surfaces that do not display visual output, or are extensions of touch sensitive surfaces formed by a touch screen), and so forth. The network interface 904 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface).
The Memory 905 may be a non-powered-down volatile Memory such as EMMC (Embedded Multi MEDIA CARD ), UFS (Universal Flash Storage, universal flash Memory) or Read-Only Memory (ROM), optionally, the Memory 905 includes flash in embodiments of the present application, or other types of static storage devices that can store static information and instructions, or a powered-down volatile Memory (volatile Memory), such as random access Memory (Random Access Memory, RAM) or other types of dynamic storage devices that can store information and instructions, or an electrically erasable programmable Read-Only Memory (ELECTRICALLY ERASABLE PROGRAMMABLE READ-Only Memory, EEPROM), a compact disc-Only Memory (Compact Disc Read-Only Memory, CD-ROM) or other optical storage, storage (including compact discs, laser discs, digital versatile discs, blu-ray discs, etc.), storage media or other magnetic storage devices, or any other computer readable storage medium that can be used to carry or store program code in the form of instructions or data structures and that can be accessed by a computer. Optionally, the memory 905 may also be at least one storage system located remotely from the processor 901. As shown in fig. 9, an operating system, a network communication module, a user interface module, and program instructions may be included in the memory 905, which is a type of computer storage medium.
The memory 905 may be stand alone and coupled to the processor 901 via a connector. Memory 905 may also be integrated with processor 901. The memory 905 is capable of storing various types of computer program instructions including program instructions for executing the present application, and is controlled by the processor 901, and the various types of computer program instructions executed may also be regarded as drivers for the processor 901. For example, the processor 901 is adapted to execute computer program instructions stored in the memory 905 to implement the methods of the embodiments of the methods of fig. 3-6 of the present application. The computer program instructions may be in a large number of computer-executable instructions that are executable by at least one of the processors 901 to drive the associated processor to perform various types of processing, such as communication signal processing algorithms, operating system operations, or application program operations that support the various types of wireless communication protocols described above.
A display screen 906 for displaying information input by a user. By way of example, the display screen 906 may include a display panel and a touch panel. Among them, the display panel may be configured using a Liquid crystal display (Liquid CRYSTAL DISPLAY, LCD), an Organic Light-Emitting Diode (OLED), a Light-Emitting Diode (LIGHT EMITTING Diode) display device, a Cathode Ray Tube (CRT), or the like. Touch panels, also known as touch screens, touch sensitive screens, etc., collect touch or non-touch operations on or near a user (e.g., operations of the user using a finger, a stylus, etc., of any suitable object or accessory on or near the touch panel, and may also include somatosensory operations; the operations include single-point control operations, multi-point control operations, etc., types of operations), and drive the corresponding connection devices according to a preset program.
An embodiment of the present application provides another verifier, as shown in fig. 10, where the verifier 100 may at least include: at least one processor 1001, at least one network interface 1004, a user interface 1003, a memory 1005, at least one communication bus 1002, and a display 1006. The communication bus 1002 is used to enable communication between these components; it should be understood that the various components in the verifier 100 may also be coupled by other connectors, which may include various types of interfaces, transmission lines, buses, etc. In the various embodiments of the application, coupling refers to interconnection by a particular means, including direct connection or indirect connection via other devices.
The processor 1001 is similar to the processor 901, and will not be described herein.
The user interface 1003 is similar to the user interface 903 and will not be described again.
The memory 1005 is similar to the memory 905, and the processor 1001 is configured to execute the computer program instructions stored in the memory 1005 so as to implement the methods of the method embodiments of figs. 3 to 6 of the present application, which are not described again here.
Display 1006 is similar to display 906 and will not be described in detail herein.
Embodiments of the present application also provide a computer-readable storage medium having instructions stored therein which, when run on a computer or processor, cause the computer or processor to perform one or more steps of any of the data processing methods described above. If the constituent modules of the above apparatus are implemented in the form of software functional units and sold or used as independent products, they may be stored in the computer-readable storage medium.
Based on this understanding, the embodiments of the present application also provide a computer program product comprising instructions, which may be embodied as a software product stored on a storage medium and may include instructions for causing a computer device, mobile terminal or a processor therein to perform all or part of the steps of the method described in the embodiments of the present application. The types of storage medium are as described with reference to the memory 905 or 1005.
The steps in the method of the embodiment of the application can be sequentially adjusted, combined and deleted according to actual needs.
The modules in the device of the embodiment of the application can be combined, divided and deleted according to actual needs.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (22)

1. A data processing method applied to a blockchain system, the system including a sender and a verifier, the method comprising:
the sender encrypting a plaintext M of the transaction amount using an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount;
the sender sending the ciphertext (C, B) of the transaction amount to the verifier;
the verifier verifying, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range, wherein the first valid range is [0, 2^U - 1] and U is the bit length of the plaintext M of the transaction amount;
wherein the system further includes a supervisor, the public key of the additively homomorphic encryption algorithm being provided by the supervisor, and the method further comprises:
the sender generating a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount;
the verifier verifying the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount;
the supervisor decrypting the ciphertext (C, B) of the transaction amount using the private key corresponding to the public key.
2. The method of claim 1, wherein
the sender encrypting the plaintext M of the transaction amount using an additively homomorphic encryption algorithm to generate the ciphertext (C, B) of the transaction amount comprises: the sender dividing the plaintext M of the transaction amount into L transaction-amount plaintexts M_k, and encrypting each of the L plaintexts M_k using the additively homomorphic encryption algorithm to generate L transaction-amount ciphertexts (C_k, B_k); the public key of the additively homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2;
the verifier verifying, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range comprises: the verifier verifying, according to each ciphertext (C_k, B_k), whether the plaintext M_k belongs to a second valid range, wherein the second valid range is [0, 2^u - 1] and u is the bit length of the plaintext M_k;
the method further comprises: the supervisor decrypting the L ciphertexts (C_k, B_k) using the private key corresponding to the public key to obtain the L plaintexts M_k, and obtaining the plaintext M of the transaction amount from the L plaintexts M_k.
3. The method of claim 1 or 2, wherein the method further comprises: the sender generating a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range;
the verifier verifying, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range comprises: the verifier verifying the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
4. The method of claim 1 or 2, wherein the transaction amount comprises an output amount;
the method further comprises: the sender calculating a ciphertext C' of the difference between an input amount and the output amount, and generating, using the additive homomorphism, a zero-knowledge proof that C' is a ciphertext whose plaintext is zero; the ciphertext of the input amount is either the ciphertext of the amount received by the sender in a previous transaction, or a ciphertext generated by the sender encrypting an amount created in the current transaction using the additively homomorphic encryption algorithm;
the verifier verifying the zero-knowledge proof that C' is a ciphertext whose plaintext is zero.
5. The method of claim 3, wherein the sender generating the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range comprises: the sender generating N first parameters, N being a positive integer;
the verifier verifying the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range comprises:
the verifier generating N second parameters, wherein the N first parameters correspond one-to-one to the N second parameters;
the verifier verifying whether each of the N second parameters is equal to the corresponding first parameter, and if so, the plaintext M of the transaction amount belongs to the first valid range.
6. The method of claim 5, wherein the sender generating the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range further comprises: the sender generating a first verification parameter, the first verification parameter being determined by the N first parameters;
the verifier verifying the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range further comprises:
the verifier generating a second verification parameter, the second verification parameter being determined by the N second parameters;
the verifier verifying whether each of the N second parameters is equal to the corresponding first parameter comprises:
the verifier verifying whether the first verification parameter is equal to the second verification parameter, and if so, the N second parameters are equal to the corresponding first parameters.
7. A data processing method applied to a blockchain system, the system including a sender and a verifier, the method comprising:
the sender encrypting a plaintext M of the transaction amount using an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount;
the sender sending the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1], and U is the bit length of the plaintext M of the transaction amount;
wherein the system further includes a supervisor, the public key of the additively homomorphic encryption algorithm being provided by the supervisor, and the method further comprises:
the sender generating a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifier verifies the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount.
8. The method of claim 7, wherein
the sender encrypting the plaintext M of the transaction amount using an additively homomorphic encryption algorithm to generate the ciphertext (C, B) of the transaction amount comprises: the sender dividing the plaintext M of the transaction amount into L transaction-amount plaintexts M_k and encrypting each of the L plaintexts M_k using the additively homomorphic encryption algorithm to generate L transaction-amount ciphertexts (C_k, B_k), so that the supervisor decrypts the L ciphertexts (C_k, B_k) using the private key corresponding to the public key to obtain the L plaintexts M_k and obtains the plaintext M of the transaction amount from the L plaintexts M_k; the public key of the additively homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2;
the sender sending the ciphertext (C, B) of the transaction amount to the verifier so that the verifier verifies, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range comprises: the sender sending the L ciphertexts (C_k, B_k) to the verifier, so that the verifier verifies, according to each ciphertext (C_k, B_k), whether the plaintext M_k belongs to a second valid range, wherein the second valid range is [0, 2^u - 1] and u is the bit length of the plaintext M_k.
9. A data processing method applied to a blockchain system, the system including a sender and a verifier, the method comprising:
the verifier receiving a ciphertext (C, B) of the transaction amount sent by the sender, the ciphertext (C, B) being generated by the sender encrypting a plaintext M of the transaction amount using an additively homomorphic encryption algorithm, and the bit length of the plaintext M of the transaction amount being U;
the verifier verifying, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range, the first valid range being [0, 2^U - 1];
wherein the system further includes a supervisor, the public key of the additively homomorphic encryption algorithm being provided by the supervisor, and the method further comprises:
the verifier receiving, from the sender, a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount;
the verifier verifying the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount.
10. A blockchain system, the system comprising a sender and a verifier, wherein:
the sender is configured to encrypt a plaintext M of the transaction amount using an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount, and to send the ciphertext (C, B) of the transaction amount to the verifier;
the verifier is configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1], and U is the bit length of the plaintext M of the transaction amount;
the system further comprises a supervisor, and the public key of the additively homomorphic encryption algorithm is provided by the supervisor;
the sender is further configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount;
the verifier is further configured to verify the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount;
the supervisor is configured to decrypt the ciphertext (C, B) of the transaction amount using the private key corresponding to the public key.
11. The system of claim 10, wherein
the sender is configured to divide the plaintext M of the transaction amount into L transaction-amount plaintexts M_k and to encrypt each of the L plaintexts M_k using the additively homomorphic encryption algorithm to generate L transaction-amount ciphertexts (C_k, B_k); the public key of the additively homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2;
the verifier is configured to verify, according to each ciphertext (C_k, B_k), whether the plaintext M_k belongs to a second valid range; the second valid range is [0, 2^u - 1], and u is the bit length of the plaintext M_k;
the supervisor is configured to decrypt the L ciphertexts (C_k, B_k) using the private key corresponding to the public key to obtain the L plaintexts M_k, and to obtain the plaintext M of the transaction amount from the L plaintexts M_k.
12. The system according to claim 10 or 11, wherein the sender is further configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range;
the verifier is configured to verify, according to the ciphertext (C, B) of the transaction amount, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
13. The system of claim 10 or 11, wherein the transaction amount comprises an output amount;
the sender is further configured to calculate a ciphertext C' of the difference between an input amount and the output amount, and to generate, using the additive homomorphism, a zero-knowledge proof that C' is a ciphertext whose plaintext is zero; the ciphertext of the input amount is either the ciphertext of the amount received by the sender in a previous transaction, or a ciphertext generated by the sender encrypting an amount created in the current transaction using the additively homomorphic encryption algorithm;
the verifier is further configured to verify the zero-knowledge proof that C' is a ciphertext whose plaintext is zero.
14. The system of claim 12, wherein the sender is configured to generate N first parameters;
the verifier is configured to generate N second parameters, wherein the N first parameters correspond one-to-one to the N second parameters;
and to verify whether each of the N second parameters is equal to the corresponding first parameter, and if so, to determine that the plaintext M of the transaction amount belongs to the first valid range.
15. The system of claim 14, wherein the sender is further configured to generate a first verification parameter, the first verification parameter being determined by the N first parameters;
the verifier is further configured to generate a second verification parameter, the second verification parameter being determined by the N second parameters;
the verifier is further configured to verify whether the first verification parameter is equal to the second verification parameter, and if so, the N second parameters are equal to the corresponding first parameters.
16. A sender applied to a blockchain system, the system comprising the sender and a verifier, the sender comprising:
an encryption unit, configured to encrypt a plaintext M of the transaction amount using an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount, wherein the bit length of the plaintext M of the transaction amount is U;
a sending unit, configured to send the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1];
wherein the system further comprises a supervisor, and the encryption unit is further configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount.
17. The sender according to claim 16, wherein
the encryption unit comprises:
a dividing subunit, configured to divide the plaintext M of the transaction amount into L transaction-amount plaintexts M_k, wherein k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2;
an encryption subunit, configured to encrypt each of the L plaintexts M_k using the additively homomorphic encryption algorithm to generate L transaction-amount ciphertexts (C_k, B_k), so that the supervisor decrypts the L ciphertexts (C_k, B_k) using the private key corresponding to the public key to obtain the L plaintexts M_k and obtains the plaintext M of the transaction amount from the L plaintexts M_k; the public key of the additively homomorphic encryption algorithm is provided by the supervisor;
the sending unit is configured to send the L ciphertexts (C_k, B_k) to the verifier, so that the verifier verifies, according to each ciphertext (C_k, B_k), whether the plaintext M_k belongs to a second valid range, wherein the second valid range is [0, 2^u - 1] and u is the bit length of the plaintext M_k.
18. A verifier applied to a blockchain system, the system comprising a sender and the verifier, the verifier comprising:
a receiving unit, configured to receive a ciphertext (C, B) of the transaction amount sent by the sender, the ciphertext (C, B) being generated by the sender encrypting a plaintext M of the transaction amount using an additively homomorphic encryption algorithm, and the bit length of the plaintext M of the transaction amount being U;
a verification unit, configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is [0, 2^U - 1];
wherein the system further comprises a supervisor, and the verification unit is further configured to verify a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount.
19. A sender applied to a blockchain system, the system comprising the sender and a verifier, the sender comprising a processor, a memory and a transceiver, wherein:
the processor, the memory and the transceiver are interconnected, the memory is configured to store a computer program comprising program instructions, and the processor is configured to invoke the program instructions to perform the data processing method according to claim 7 or 8.
20. A verifier applied to a blockchain system, the system comprising a sender and the verifier, the verifier comprising a processor, a memory and a transceiver, wherein:
the processor, the memory and the transceiver are interconnected, the memory is configured to store a computer program comprising program instructions, and the processor is configured to invoke the program instructions to perform the data processing method according to claim 9.
21. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the data processing method according to claim 7 or 8.
22. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the data processing method of claim 9.
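The procedure of claims 1, 2 and 4 (an additively homomorphic amount ciphertext (C, B) under the supervisor's public key, the split of M into L chunks M_k of u bits, and a zero-knowledge proof that the input-minus-output ciphertext C' encrypts zero), carried through as an added, runnable example. This is not the patent's own construction: the claims do not fix the encryption scheme, so the block instantiates it with exponential ElGamal over a toy safe-prime group (the constants P, Q, G are assumptions and far too small for real use) and uses a Chaum-Pedersen equality-of-discrete-log proof with a Fiat-Shamir challenge for the zero proof. Every function name is the example's own. The range proof of claims 3, 5 and 6 and the decryptability proof of claim 1 are not implemented here.

```python
import hashlib
import secrets

# Toy parameters (assumption): safe prime P = 2*Q + 1; G = 4 generates the
# order-Q subgroup. A real deployment uses a 2048-bit group or an elliptic curve.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1      # supervisor private key in [1, Q)
    return sk, pow(G, sk, P)               # public key pk = G^sk mod P

def encrypt(pk, m, r=None):
    """(C, B) = (G^r, G^m * pk^r). Returns the ciphertext and its randomness."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P), r

def ct_add(a, b):  # Enc(x) * Enc(y) = Enc(x + y)
    return (a[0] * b[0] % P, a[1] * b[1] % P)

def ct_sub(a, b):  # Enc(x) / Enc(y) = Enc(x - y)
    return (a[0] * pow(b[0], -1, P) % P, a[1] * pow(b[1], -1, P) % P)

def ct_scale(a, s):  # Enc(x)^s = Enc(s * x)
    return (pow(a[0], s, P), pow(a[1], s, P))

def split_amount(m, u, L):
    """M = sum_k M_k * 2^(u*(k-1)), k = 1..L, each M_k in [0, 2^u - 1]."""
    if not 0 <= m < 1 << (u * L):
        raise ValueError("amount outside [0, 2^(u*L) - 1]")
    return [(m >> (u * (k - 1))) & ((1 << u) - 1) for k in range(1, L + 1)]

def encrypt_chunks(pk, m, u, L):
    """Sender: one (C_k, B_k) per chunk. Also returns the randomness of the
    recomposed full-amount ciphertext, which the sender keeps for later proofs."""
    cts, r_total = [], 0
    for k, mk in enumerate(split_amount(m, u, L), start=1):
        ct, r = encrypt(pk, mk)
        cts.append(ct)
        r_total = (r_total + r * (1 << (u * (k - 1)))) % Q
    return cts, r_total

def recompose(cts, u):
    """Verifier: Enc(M) = prod_k Enc(M_k)^(2^(u*(k-1))) without decrypting."""
    total = (1, 1)
    for k, ct in enumerate(cts, start=1):
        total = ct_add(total, ct_scale(ct, 1 << (u * (k - 1))))
    return total

def decrypt(sk, ct, bits):
    """Supervisor: G^m = B / C^sk, then m by exhaustive search over [0, 2^bits)."""
    C, B = ct
    gm, acc = B * pow(pow(C, sk, P), -1, P) % P, 1
    for m in range(1 << bits):
        if acc == gm:
            return m
        acc = acc * G % P
    raise ValueError("plaintext outside [0, 2^bits - 1]")

def decrypt_chunks(sk, cts, u):  # 2^u search steps per chunk instead of 2^(u*L)
    return sum(decrypt(sk, ct, u) << (u * (k - 1)) for k, ct in enumerate(cts, 1))

def _challenge(*items):
    """Fiat-Shamir challenge in [1, Q-1] over the whole public transcript."""
    h = hashlib.sha256(b"|".join(str(x).encode() for x in items)).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)

def prove_zero(pk, ct, r):
    """Chaum-Pedersen: (C, B) encrypts 0 iff C = G^r and B = pk^r for one r."""
    w = secrets.randbelow(Q)
    a1, a2 = pow(G, w, P), pow(pk, w, P)
    e = _challenge(G, pk, ct[0], ct[1], a1, a2)
    return a1, a2, (w + e * r) % Q

def verify_zero(pk, ct, proof):
    a1, a2, z = proof
    e = _challenge(G, pk, ct[0], ct[1], a1, a2)
    return (pow(G, z, P) == a1 * pow(ct[0], e, P) % P
            and pow(pk, z, P) == a2 * pow(ct[1], e, P) % P)

def sum_outputs(out_cts, u):
    total = (1, 1)
    for cts in out_cts:
        total = ct_add(total, recompose(cts, u))
    return total

def make_transfer(pk, amount_in, r_in, outputs, u, L):
    """Sender: chunk-encrypt each output and prove that input minus outputs
    encrypts zero. r_in is known because the input was received earlier."""
    in_ct = encrypt(pk, amount_in, r_in)[0]
    out_cts, r_out = [], 0
    for m in outputs:
        cts, r = encrypt_chunks(pk, m, u, L)
        out_cts.append(cts)
        r_out = (r_out + r) % Q
    diff = ct_sub(in_ct, sum_outputs(out_cts, u))
    return in_ct, out_cts, prove_zero(pk, diff, (r_in - r_out) % Q)

def verify_transfer(pk, in_ct, out_cts, proof, u):
    """Verifier: rebuild C' from public ciphertexts only, then check the proof."""
    return verify_zero(pk, ct_sub(in_ct, sum_outputs(out_cts, u)), proof)
```

A run with u = 8 and L = 2 (U = 16): `encrypt_chunks(pk, 300, 8, 2)` yields the chunks [44, 1], the supervisor recovers 300 via `decrypt_chunks` with at most 256 search steps per chunk, and `make_transfer(pk, 300, r, [200, 100], 8, 2)` produces a proof that `verify_transfer` accepts, while outputs summing to 350 produce one it rejects. Two points of the design matter for a real deployment: the verifier must recompute C' from the published ciphertexts rather than accept a C' supplied by the sender, and the challenge is bound to the whole statement (G, pk, C', B') so a proof cannot be replayed against a different ciphertext. With the toy Q the challenge space gives only a 1/1018 soundness bound; a 256-bit group order makes it negligible.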
CN201880092481.XA 2018-04-26 2018-04-26 Data processing method, related device and block chain system Active CN111989891B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SG2018/050200 WO2019209168A2 (en) 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system

Publications (2)

Publication Number Publication Date
CN111989891A CN111989891A (en) 2020-11-24
CN111989891B true CN111989891B (en) 2024-07-05

Family

ID=68295255

Also Published As

Publication number Publication date
WO2019209168A2 (en) 2019-10-31
WO2019209168A3 (en) 2019-12-12
CN111989891A (en) 2020-11-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant