CN113783705A - Zero knowledge proof method, verification terminal, equipment and storage medium of key - Google Patents

Publication number
CN113783705A
Authority
CN
China
Prior art keywords
verification
data
public key
digital
digital abstract
Legal status
Pending
Application number
CN202111341758.8A
Other languages
Chinese (zh)
Inventor
郝伟
刘加瑞
白兴伟
沈传宝
吴璇
Current Assignee
Beijing Huayuan Information Technology Co Ltd
Original Assignee
Beijing Huayuan Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3221 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs interactive zero-knowledge proofs
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present disclosure provide a zero-knowledge proof method for a key, a verifying end, a device and a storage medium. In the method, the verifying end encrypts preset private key verification data with a locally stored public key to obtain first data and sends the first data to the proving end; the proving end decrypts the first data with a locally stored private key to obtain second data, generates a first digital digest based on the second data and a preset digital digest generation algorithm, and sends the first digital digest to the verifying end; the verifying end generates a second digital digest based on the preset digital digest generation algorithm and the preset private key verification data; and the verifying end determines a private key verification result according to the first digital digest and the second digital digest. In this way, the security of the encryption key can be ensured, and the security of the key verification process is further improved.

Description

Zero knowledge proof method, verification terminal, equipment and storage medium of key
Technical Field
The present disclosure relates to the field of key proof, and more particularly, to the field of zero-knowledge proof of keys.
Background
In a multi-server data interaction scenario, in order to ensure data security, an asymmetric key is usually used for data encryption. After the key is generated, in some scenarios, the generated key needs to be verified to ensure the consistency of the keys of the two parties in communication.
However, verifying the generated key often results in key leakage.
Disclosure of Invention
The disclosure provides a zero-knowledge proof method for a key, a verifying end, a device and a storage medium.
According to a first aspect of the present disclosure, there is provided a zero-knowledge proof method of a key, the method comprising:
the verifying end encrypts preset private key verification data using a locally stored public key to obtain first data, and sends the first data to the proving end;
the proving end decrypts the first data using a locally stored private key to obtain second data, generates a first digital digest based on the second data and a preset digital digest generation algorithm, and sends the first digital digest to the verifying end;
the verifying end generates a second digital digest based on the preset digital digest generation algorithm and the preset private key verification data;
and the verifying end determines a private key verification result according to the first digital digest and the second digital digest.
In some implementations of the first aspect, the determining, by the verifying end, of a private key verification result according to the first digital digest and the second digital digest includes:
when the first digital digest and the second digital digest are the same, the private key verification result is that the public key locally stored at the verifying end and the private key locally stored at the proving end belong to the same key pair;
when the first digital digest and the second digital digest are different, the private key verification result is that the public key locally stored at the verifying end and the private key locally stored at the proving end do not belong to the same key pair;
and the verifying end sends the private key verification result to the proving end.
In some implementations of the first aspect, before the verifying end encrypts the preset private key verification data using the locally stored public key to obtain the first data and sends the first data to the proving end, the method further includes:
the verifying end encrypts preset public key verification data based on the locally stored public key to obtain third data;
the verifying end generates a third digital digest based on the preset digital digest generation algorithm and the third data;
the verifying end sends the preset public key verification data to the proving end;
the proving end encrypts the preset public key verification data using its locally stored public key to obtain fourth data, generates a fourth digital digest based on the preset digital digest generation algorithm and the fourth data, and sends the fourth digital digest to the verifying end;
and the verifying end determines a public key verification result according to the third digital digest and the fourth digital digest.
In some implementations of the first aspect, the determining, by the verifying end, of a public key verification result according to the third digital digest and the fourth digital digest includes:
when the third digital digest and the fourth digital digest are the same, the public key verification result is that the public key locally stored at the verifying end is the same as the public key locally stored at the proving end;
when the third digital digest and the fourth digital digest are different, the public key verification result is that the public key locally stored at the verifying end is different from the public key locally stored at the proving end;
and the verifying end sends the public key verification result to the proving end.
In some implementations of the first aspect, the method further comprises:
the verifying end generates a fifth digital digest based on the preset digital digest generation algorithm and the first data;
the proving end encrypts the second data using its locally stored public key to obtain fifth data, generates a sixth digital digest based on the fifth data and the preset digital digest generation algorithm, and sends the sixth digital digest to the verifying end;
and the verifying end determines a public key verification result according to the fifth digital digest and the sixth digital digest.
In some implementations of the first aspect, the determining, by the verifying end, of a public key verification result according to the fifth digital digest and the sixth digital digest includes:
when the fifth digital digest and the sixth digital digest are the same, the public key verification result is that the public key locally stored at the verifying end is the same as the public key locally stored at the proving end;
when the fifth digital digest and the sixth digital digest are different, the public key verification result is that the public key locally stored at the verifying end is different from the public key locally stored at the proving end;
and the verifying end sends the public key verification result to the proving end.
In some implementations of the first aspect, the preset digital digest generation algorithm of the verifying end and the preset digital digest generation algorithm of the proving end have the same algorithm logic and configuration parameters.
In some implementations of the first aspect, the method further comprises:
a third device end generates a key pair comprising a public key and a private key based on a preset key generation algorithm and sends the key pair to the verifying end and the proving end, or the verifying end generates the key pair comprising the public key and the private key based on the preset key generation algorithm and sends the key pair to the proving end.
According to a second aspect of the present disclosure, there is provided a verification end comprising:
an encryption module, configured to encrypt preset private key verification data using a locally stored public key to obtain first data, and to send the first data to the proving end, so that the proving end decrypts the first data using a locally stored private key to obtain second data, generates a first digital digest based on the second data and a preset digital digest generation algorithm, and sends the first digital digest to the verifying end;
a digital digest generation module, configured to generate a second digital digest based on the preset digital digest generation algorithm and the preset private key verification data;
and a verification result determining module, configured to determine a private key verification result according to the first digital digest and the second digital digest.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes a memory and a processor, the memory having stored thereon a computer program, and the processor, when executing the program, implementing the zero-knowledge proof method of a key as in the first aspect described above and some implementations of the first aspect.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the zero-knowledge proof method of a key as in the first aspect described above and some implementations of the first aspect.
According to the zero-knowledge proof method of a key, the verifying end, the device and the storage medium of the present disclosure, the verifying end encrypts the preset private key verification data using the locally stored public key to obtain first data and sends the first data to the proving end; the proving end decrypts the first data using a locally stored private key to obtain second data, generates a first digital digest based on the second data and a preset digital digest generation algorithm, and sends the first digital digest to the verifying end; the verifying end generates a second digital digest based on the preset digital digest generation algorithm and the preset private key verification data; and the verifying end determines a private key verification result according to the first digital digest and the second digital digest. During verification, the keys held by the verifying end and the proving end are not transmitted over the network but remain stored locally at each end, and the transmitted content is a digital digest of the verification sample, which is irreversible, so that the security of the encryption key is ensured and the security of the key verification process is further improved.
It should be understood that what is described in this section is not intended to identify key or essential features of the embodiments of the present disclosure, nor is it intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present disclosure, and are not intended to limit the disclosure thereto, and the same or similar reference numerals will be used to indicate the same or similar elements, where:
FIG. 1 shows an interaction diagram of a zero-knowledge proof method of a key of an embodiment of the present disclosure;
FIG. 2 illustrates a block diagram of a verifying end of an embodiment of the present disclosure;
FIG. 3 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In addition, the term "and/or" herein merely describes an association between associated objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
In a multi-server data interaction scenario, in order to ensure data security, an asymmetric key is usually used for data encryption. Management of the key pair generally involves the following three requirements:
1) An asymmetric key generation algorithm, such as ECDH or ECDHE.
2) A key verification algorithm: after a key is generated, in some scenarios the generated key needs to be verified to ensure the consistency of the keys of the two communicating parties.
3) An encryption and decryption algorithm based on an asymmetric key, such as RSA.
Asymmetric encryption means that a key pair (kp, kq) is generated by some algorithm, where kp is the public key, which anyone may use, and kq is the private key, which only the decrypting party may use and which must be kept secret. With a public algorithm f, the ciphertext m is obtained by encrypting the original text t with kp, and the original text t is recovered by decrypting with the key kq.
A zero-knowledge proof is a process in which P, having obtained the secret S, proves this to V without revealing the secret.
A digital digest is a fixed-length fingerprint extracted from a message of any length. The fingerprint has the properties of uniqueness, irreversibility, ease of computation and the like, so the digital digest can be used to confirm whether the original data has been modified.
Because keys must be regenerated during use and the validity of existing keys needs to be verified, for example when party B has obtained the private key (kq) of party A, in some cases (e.g., when A and B lose the connection) it is necessary to re-verify that the kq held by B is the same private key as that held by A. In a conventional verification process, verification is usually completed by comparing the key itself, and this may cause the key to be leaked. Therefore, the existing verification process has a key leakage problem.
To solve the key leakage problem in the existing verification process, the disclosure provides a zero-knowledge proof method for a key, a verifying end, a device and a storage medium, in which the verifying end encrypts preset private key verification data using a locally stored public key to obtain first data, and sends the first data to the proving end; the proving end decrypts the first data using a locally stored private key to obtain second data, generates a first digital digest based on the second data and a preset digital digest generation algorithm, and sends the first digital digest to the verifying end; then, the verifying end generates a second digital digest based on the preset digital digest generation algorithm and the preset private key verification data; and the verifying end determines a private key verification result according to the first digital digest and the second digital digest. During verification, the keys held by the verifying end and the proving end are not transmitted over the network but remain stored locally at each end, and the transmitted content is a digital digest of the verification sample, which is irreversible, so that the security of the encryption key is ensured and the security of the key verification process is further improved.
The technical solutions provided by the embodiments of the present disclosure are described below with reference to the accompanying drawings.
Fig. 1 is an interaction diagram of a zero-knowledge proof method for a key according to an embodiment of the present disclosure, and as shown in fig. 1, the zero-knowledge proof method for a key may include:
S101: the verifying end encrypts the preset private key verification data using the locally stored public key to obtain first data, and sends the first data to the proving end.
The preset private key verification data may specifically be a specific character string.
S102: the proving end decrypts the first data using a locally stored private key to obtain second data, generates a first digital digest based on the second data and a preset digital digest generation algorithm, and sends the first digital digest to the verifying end.
S103: the verifying end generates a second digital digest based on the preset digital digest generation algorithm and the preset private key verification data.
S104: the verifying end determines a private key verification result according to the first digital digest and the second digital digest.
It should be noted that in S101-S104, the verifying end is the end that verifies whether the private key of the proving end has been modified, and the proving end is the end being verified. During S101-S104, the keys held by the verifying end and the proving end are not transmitted over the network but remain stored locally at each end, and the transmitted content is a digital digest of the verification sample, which is irreversible. The digital digest can therefore be used to confirm whether the private key held by the proving end has been modified, which ensures the security of the encryption key and improves the security of the key verification process. Because the keys held by the verifying end and the proving end are not transmitted over the network, the validity of a key can be proved without revealing the key, so that key security can be ensured in many application scenarios.
It should be explained that a digital digest is a fixed-length fingerprint extracted from a message of any length, and the fingerprint has the properties of uniqueness, irreversibility, ease of computation and the like, so that security during key verification can be ensured.
In S104, the private key verification result may be determined as follows: when the first digital digest and the second digital digest are the same, the uniqueness of the digest shows that the public key locally stored at the verifying end and the private key locally stored at the proving end belong to the same key pair, that is, the private key verification result is that the public key locally stored at the verifying end and the private key locally stored at the proving end belong to the same key pair; when the first digital digest and the second digital digest are different, the private key verification result is that the public key locally stored at the verifying end and the private key locally stored at the proving end do not belong to the same key pair. The verifying end sends the private key verification result to the proving end so that the proving end also obtains the private key verification result.
In addition, in the present disclosure, the public key held by the proving end may also be verified to prevent that public key from being tampered with. Specifically, in one embodiment, before the verifying end encrypts the preset private key verification data using the locally stored public key to obtain the first data and sends the first data to the proving end, the verifying end may encrypt preset public key verification data based on the locally stored public key to obtain third data; the verifying end then generates a third digital digest based on the preset digital digest generation algorithm and the third data; the verifying end then sends the preset public key verification data to the proving end; the proving end encrypts the preset public key verification data using its locally stored public key to obtain fourth data, generates a fourth digital digest based on the preset digital digest generation algorithm and the fourth data, and sends the fourth digital digest to the verifying end; finally, the verifying end determines a public key verification result according to the third digital digest and the fourth digital digest.
In the process of verifying the public key held by the proving end, the preset public key verification data used may be a specific character string different from the preset private key verification data.
In addition, in the process of verifying the public key held by the proving end, the determining, by the verifying end, of a public key verification result according to the third digital digest and the fourth digital digest may specifically include: when the third digital digest and the fourth digital digest are the same, the public key verification result is that the public key locally stored at the verifying end is the same as the public key locally stored at the proving end; when the third digital digest and the fourth digital digest are different, the public key verification result is that the public key locally stored at the verifying end is different from the public key locally stored at the proving end. The verifying end then sends the public key verification result to the proving end so that the proving end also obtains the public key verification result, thereby verifying the public key held by the proving end.
To verify the public key held by the proving end, in another embodiment, the verifying end generates a fifth digital digest based on the preset digital digest generation algorithm and the first data; the proving end encrypts the second data using its locally stored public key to obtain fifth data, generates a sixth digital digest based on the fifth data and the preset digital digest generation algorithm, and sends the sixth digital digest to the verifying end; and the verifying end determines a public key verification result according to the fifth digital digest and the sixth digital digest.
The determining, by the verifying end, of a public key verification result according to the fifth digital digest and the sixth digital digest may specifically include: when the fifth digital digest and the sixth digital digest are the same, the public key verification result is that the public key locally stored at the verifying end is the same as the public key locally stored at the proving end; when the fifth digital digest and the sixth digital digest are different, the public key verification result is that the public key locally stored at the verifying end is different from the public key locally stored at the proving end. The verifying end sends the public key verification result to the proving end so that the proving end also obtains the public key verification result, thereby verifying the public key held by the proving end.
In addition, it should be explained that the above-mentioned encryption and decryption algorithm based on the asymmetric key can be, for example, RSA.
To ensure that the verifying end and the proving end compute digests in exactly the same way, the algorithm logic and configuration parameters of the preset digital digest generation algorithm of the verifying end are the same as those of the preset digital digest generation algorithm of the proving end; that is, the calculation logic, the configuration parameters and the format of the finally generated digital digest are exactly the same at both ends. Specifically, the preset digital digest generation algorithm may use the SHA256 algorithm or higher.
In the embodiment of the present disclosure, the key pair including the public key and the private key may be generated by a third device end based on a preset key generation algorithm and sent to the verifying end and the proving end; alternatively, the verifying end may generate the key pair including the public key and the private key based on the preset key generation algorithm and send the key pair to the proving end. That is, in the embodiment of the present disclosure, the key pair may be generated either by the third device end or by the verifying end, which makes the source of the key pair more flexible. The preset key generation algorithm may specifically be an asymmetric key generation algorithm, such as ECDH or ECDHE.
According to the zero-knowledge proof method of the key, during verification the keys held by the verifying end and the proving end are not transmitted over the network but remain stored locally at each end, and the transmitted content is a digital digest of the verification sample, which is irreversible. The digital digest can therefore be used to confirm whether the private key and the public key stored at the proving end have been modified, which ensures the security of the encryption key and further improves the security of the key verification process. Because the keys held by the verifying end and the proving end are not transmitted over the network, the validity of the keys can be proved without revealing them, so that key security can be ensured in many application scenarios.
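The S101-S104 exchange and the third/fourth-digest public key check, as an added Python sketch that is not code from the patent. It assumes unpadded RSA over fixed Mersenne primes (illustrative only, not secure), SHA-256 as the preset digest algorithm, and fresh random verification data per run; all class and function names are hypothetical. The public key comparison depends on deterministic encryption: with randomized padding such as OAEP, two encryptions of the same data differ even under the same key.

```python
"""Added illustration of the digest-based key check (toy RSA, not secure)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

E = 65537  # public exponent shared by both constructed key pairs


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int = E


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def toy_keypair(p: int, q: int):
    """Build an unpadded-RSA key pair from two known primes (illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return PublicKey(n), PrivateKey(n, d)


def digest(value: int) -> bytes:
    """Preset digest algorithm: SHA-256 over the minimal big-endian encoding."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return hashlib.sha256(raw).digest()


class ProvingEnd:
    """Holds a key pair locally and only ever returns digests."""

    def __init__(self, pub: PublicKey, priv: PrivateKey):
        self.pub, self.priv = pub, priv

    def answer_private_key_check(self, first_data: int) -> bytes:
        # S102: decrypt first data -> second data, return the first digest.
        second_data = pow(first_data, self.priv.d, self.priv.n)
        return digest(second_data)

    def answer_public_key_check(self, verification_data: int) -> bytes:
        # Encrypt the received data -> fourth data, return the fourth digest.
        fourth_data = pow(verification_data, self.pub.e, self.pub.n)
        return digest(fourth_data)


class VerifyingEnd:
    """Holds only the public key and compares digests."""

    def __init__(self, pub: PublicKey):
        self.pub = pub

    def _fresh_data(self) -> int:
        # Assumption: verification data is random per run, so a digest
        # recorded from an earlier run does not match a later one.
        return secrets.randbelow(self.pub.n - 2) + 2

    def check_private_key(self, prover: ProvingEnd) -> bool:
        data = self._fresh_data()
        first_data = pow(data, self.pub.e, self.pub.n)              # S101
        first_digest = prover.answer_private_key_check(first_data)  # S102
        second_digest = digest(data)                                # S103
        return hmac.compare_digest(first_digest, second_digest)     # S104

    def check_public_key(self, prover: ProvingEnd) -> bool:
        data = self._fresh_data()
        third_digest = digest(pow(data, self.pub.e, self.pub.n))
        fourth_digest = prover.answer_public_key_check(data)
        return hmac.compare_digest(third_digest, fourth_digest)


# Constructed key pairs from known Mersenne primes; far too small for real use.
KEY_A = toy_keypair(2**127 - 1, 2**89 - 1)
KEY_B = toy_keypair(2**107 - 1, 2**61 - 1)


def demo() -> dict:
    """Run both checks against a matching and a mismatched proving end."""
    verifier = VerifyingEnd(KEY_A[0])
    matching = ProvingEnd(*KEY_A)
    mismatched = ProvingEnd(*KEY_B)
    return {
        "matching": (verifier.check_private_key(matching),
                     verifier.check_public_key(matching)),
        "mismatched": (verifier.check_private_key(mismatched),
                       verifier.check_public_key(mismatched)),
    }


if __name__ == "__main__":
    print(demo())
```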
It is noted that while for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combination of acts, it will be appreciated by those skilled in the art that the present disclosure is not limited by the order of acts, as some steps may, in accordance with the present disclosure, occur in other orders and concurrently. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules referred to are not necessarily required by the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Corresponding to the interaction diagram of the zero-knowledge proof method of the key shown in FIG. 1, FIG. 2 shows a block diagram of a verifying end 200. As shown in FIG. 2, the verifying end 200 may include:
an encryption module 201, which may be configured to encrypt preset private key verification data using a locally stored public key to obtain first data, and to send the first data to the proving end, so that the proving end decrypts the first data using a locally stored private key to obtain second data, generates a first digital digest based on the second data and a preset digital digest generation algorithm, and sends the first digital digest to the verifying end;
a digital digest generation module 202, which may be configured to generate a second digital digest based on the preset digital digest generation algorithm and the preset private key verification data;
a verification result determining module 203, which may be configured to determine a private key verification result according to the first digital digest and the second digital digest.
In one embodiment, the verifying end 200 may further include a sending module (not shown in the figure). The verification result determining module 203 may be further configured so that, when the first digital digest and the second digital digest are the same, the private key verification result is that the public key locally stored at the verifying end and the private key locally stored at the proving end belong to the same key pair; when the first digital digest and the second digital digest are different, the private key verification result is that the public key locally stored at the verifying end and the private key locally stored at the proving end do not belong to the same key pair. The sending module may be configured to send the private key verification result to the proving end.
In an embodiment, the encryption module 201 may be further configured to encrypt preset public key verification data using the locally stored public key to obtain third data; the digital digest generation module 202 may be further configured to generate a third digital digest based on the preset digital digest generation algorithm and the third data; the sending module may be further configured to send the preset public key verification data to the proving end, so that the proving end encrypts the preset public key verification data using its locally stored public key to obtain fourth data, generates a fourth digital digest based on the preset digital digest generation algorithm and the fourth data, and sends the fourth digital digest to the verifying end;
the verification result determining module 203 may be further configured to determine a public key verification result according to the third digital digest and the fourth digital digest.
In an embodiment, the verification result determining module 203 may be further configured so that, when the third digital digest is the same as the fourth digital digest, the public key verification result is that the public key locally stored at the verifying end is the same as the public key locally stored at the proving end; when the third digital digest is different from the fourth digital digest, the public key verification result is that the public key locally stored at the verifying end is different from the public key locally stored at the proving end;
the sending module may be further configured to send the public key verification result to the proving end.
In an embodiment, the digital digest generation module 202 may be further configured to generate a fifth digital digest based on the preset digital digest generation algorithm and the first data, so that the proving end encrypts the second data using its locally stored public key to obtain fifth data, generates a sixth digital digest based on the fifth data and the preset digital digest generation algorithm, and sends the sixth digital digest to the verifying end;
the verification result determining module 203 may be further configured to determine a public key verification result according to the fifth digital digest and the sixth digital digest.
The verification result determining module 203 may be further configured so that, when the fifth digital digest is the same as the sixth digital digest, the public key verification result is that the public key locally stored at the verifying end is the same as the public key locally stored at the proving end; when the fifth digital digest is different from the sixth digital digest, the public key verification result is that the public key locally stored at the verifying end is different from the public key locally stored at the proving end;
the sending module may be further configured to send the public key verification result to the proving end.
In one embodiment, the preset digital digest generation algorithm of the verifying end and the preset digital digest generation algorithm of the proving end have the same algorithm logic and configuration parameters.
In one embodiment, the key pair comprising the public key and the private key may be generated by the third device side based on a preset key generation algorithm and sent to the verifying end and the proving end, or the key pair may be generated by the verifying end based on a preset key generation algorithm and sent to the proving end.
With the verifying end provided by the present disclosure, the keys held by the verifying end and the proving end are not transmitted over the network during verification and remain stored locally; what is transmitted is the digital digest of the verification sample, which is irreversible. The digital digest can therefore be used to confirm whether the private key and the public key stored at the proving end have been modified, which ensures the security of the encryption key and further improves security during key verification. Because the keys held by the verifying end and the proving end are not transmitted over the network, the validity of the keys can be proved without revealing them, so the security of the keys can be ensured in many application scenarios.
It can be understood that each module in the verification end shown in fig. 2 has a function of implementing each step of the verification end shown in fig. 1, and can achieve the corresponding technical effect, and for brevity, no further description is provided herein.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
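The exchange carried out by modules 201 to 203 and the proving end, written out as an added Python example (not code from the patent). It assumes textbook RSA over small constructed primes as a deterministic stand-in for the unspecified encryption algorithm and SHA-256 as the preset digest algorithm; `Prover`, `verify` and the other names are hypothetical. The third/fourth and fifth/sixth digest comparisons are taken over ciphertexts, so they can only match when both ends encrypt deterministically, which is why no randomized padding is used here.

```python
import hashlib
import hmac
import secrets

E = 65537
WIDTH = 32  # digest input width in bytes; every toy modulus here is < 2**256


def make_keypair(p, q):
    """Textbook RSA (public, private) pair from two primes (assumed stand-in)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


# Constructed toy keys built from Mersenne primes. Not secure sizes.
PUB_A, PRIV_A = make_keypair(2**89 - 1, 2**107 - 1)  # the genuine pair
PUB_B, PRIV_B = make_keypair(2**61 - 1, 2**89 - 1)   # an unrelated pair


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("data out of range for this modulus")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c % n, d, n)


def digest(value):
    """Preset digest algorithm shared by both ends (SHA-256 here)."""
    return hashlib.sha256(value.to_bytes(WIDTH, "big")).digest()


class Prover:
    """Proving end: holds the key material under test."""

    def __init__(self, pub, priv):
        self.pub, self.priv = pub, priv

    def on_public_data(self, data):
        # Fourth data = Enc(local public key, data); reply with fourth digest.
        return digest(encrypt(self.pub, data))

    def on_first_data(self, first_data):
        # Second data = Dec(local private key, first data) -> first digest.
        second = decrypt(self.priv, first_data)
        # Fifth data = Enc(local public key, second data) -> sixth digest.
        fifth = encrypt(self.pub, second)
        return digest(second), digest(fifth)


def verify(verifier_pub, prover):
    """Verifying end. Returns (results, wire, private_data)."""
    private_data = 2 + secrets.randbelow(2**128)  # private key verification data
    public_data = 2 + secrets.randbelow(2**128)   # public key verification data

    # Public key check: compare digests of the two ends' ciphertexts.
    third = digest(encrypt(verifier_pub, public_data))
    fourth = prover.on_public_data(public_data)

    # Private key check, plus the re-encryption check on the same round trip.
    first_data = encrypt(verifier_pub, private_data)
    second = digest(private_data)
    fifth = digest(first_data)
    first, sixth = prover.on_first_data(first_data)

    results = {
        "private_key": hmac.compare_digest(first, second),
        "public_key_third_fourth": hmac.compare_digest(third, fourth),
        "public_key_fifth_sixth": hmac.compare_digest(fifth, sixth),
    }
    # Everything that crossed the network: no key, no private verification data.
    wire = [public_data, first_data, fourth, first, sixth]
    return results, wire, private_data


if __name__ == "__main__":
    cases = {
        "matching pair": Prover(PUB_A, PRIV_A),
        "modified private key": Prover(PUB_A, PRIV_B),
        "modified public key": Prover(PUB_B, PRIV_A),
    }
    for name, prover in cases.items():
        print(name, verify(PUB_A, prover)[0])
```

With a modified private key the fifth/sixth comparison fails as well, because the second data the proving end re-encrypts is already wrong.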
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
FIG. 3 shows a schematic block diagram of an electronic device 300 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The device 300 comprises a computing unit 301, which may perform various suitable actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 302 or a computer program loaded from a storage unit 308 into a Random Access Memory (RAM) 303. The RAM 303 can also store various programs and data required for the operation of the device 300. The computing unit 301, the ROM 302, and the RAM 303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to the bus 304.
Various components in device 300 are connected to I/O interface 305, including: an input unit 306 such as a keyboard, a mouse, or the like; an output unit 307 such as various types of displays, speakers, and the like; a storage unit 308 such as a magnetic disk, optical disk, or the like; and a communication unit 309 such as a network card, modem, wireless communication transceiver, etc. The communication unit 309 allows the device 300 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 301 may be any of a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of the computing unit 301 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 301 performs the various methods and processes described above, such as the zero-knowledge proof method of the key of FIG. 1. For example, in some embodiments, the zero-knowledge proof method of the key of FIG. 1 may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as the storage unit 308. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 300 via the ROM 302 and/or the communication unit 309. When the computer program is loaded into the RAM 303 and executed by the computing unit 301, one or more steps of the zero-knowledge proof method of the key described above may be performed. Alternatively, in other embodiments, the computing unit 301 may be configured to perform the zero-knowledge proof method of the key of FIG. 1 by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved, and the present disclosure is not limited herein.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (11)

1. A method of zero-knowledge proof of a key, the method comprising:
a verifying end encrypts preset private key verification data using a locally stored public key to obtain first data, and sends the first data to a proving end;
the proving end decrypts the first data using a locally stored private key to obtain second data, generates a first digital digest based on the second data and a preset digital digest generation algorithm, and sends the first digital digest to the verifying end;
the verifying end generates a second digital digest based on the preset digital digest generation algorithm and the preset private key verification data;
and the verifying end determines a private key verification result according to the first digital digest and the second digital digest.
2. The method of claim 1, wherein the verifying end determining a private key verification result according to the first digital digest and the second digital digest comprises:
when the first digital digest and the second digital digest are the same, the private key verification result is that the public key locally stored at the verifying end and the private key locally stored at the proving end belong to the same key pair;
when the first digital digest is different from the second digital digest, the private key verification result is that the public key locally stored at the verifying end and the private key locally stored at the proving end do not belong to the same key pair;
and the verifying end sends the private key verification result to the proving end.
3. The method according to claim 1, wherein before the verifying end encrypts the preset private key verification data using the locally stored public key to obtain the first data and sends the first data to the proving end, the method further comprises:
the verifying end encrypts preset public key verification data using the locally stored public key to obtain third data;
the verifying end generates a third digital digest based on the preset digital digest generation algorithm and the third data;
the verifying end sends the preset public key verification data to the proving end;
the proving end encrypts the preset public key verification data using its locally stored public key to obtain fourth data, generates a fourth digital digest based on the preset digital digest generation algorithm and the fourth data, and sends the fourth digital digest to the verifying end;
and the verifying end determines a public key verification result according to the third digital digest and the fourth digital digest.
4. The method of claim 3, wherein the verifying end determining a public key verification result according to the third digital digest and the fourth digital digest comprises:
when the third digital digest and the fourth digital digest are the same, the public key verification result is that the public key locally stored at the verifying end is the same as the public key locally stored at the proving end;
when the third digital digest is different from the fourth digital digest, the public key verification result is that the public key locally stored at the verifying end is different from the public key locally stored at the proving end;
and the verifying end sends the public key verification result to the proving end.
5. The method of claim 1, further comprising:
the verifying end generates a fifth digital digest based on the preset digital digest generation algorithm and the first data;
the proving end encrypts the second data using its locally stored public key to obtain fifth data, generates a sixth digital digest based on the fifth data and the preset digital digest generation algorithm, and sends the sixth digital digest to the verifying end;
and the verifying end determines a public key verification result according to the fifth digital digest and the sixth digital digest.
6. The method of claim 5, wherein the verifying end determining a public key verification result according to the fifth digital digest and the sixth digital digest comprises:
when the fifth digital digest is the same as the sixth digital digest, the public key verification result is that the public key locally stored at the verifying end is the same as the public key locally stored at the proving end;
when the fifth digital digest is different from the sixth digital digest, the public key verification result is that the public key locally stored at the verifying end is different from the public key locally stored at the proving end;
and the verifying end sends the public key verification result to the proving end.
7. The method according to any one of claims 1 to 6, wherein the algorithm logic and configuration parameters of the preset digital digest generation algorithm of the verifying end and the preset digital digest generation algorithm of the proving end are the same.
8. The method according to any one of claims 1-6, further comprising:
the third device side generates a key pair comprising a public key and a private key based on a preset key generation algorithm and sends the key pair to the verifying end and the proving end, or the verifying end generates a key pair comprising a public key and a private key based on a preset key generation algorithm and sends the key pair to the proving end.
9. A verifying end, the verifying end comprising:
an encryption module, configured to encrypt preset private key verification data using a locally stored public key to obtain first data, and to send the first data to a proving end, so that the proving end decrypts the first data using a locally stored private key to obtain second data, generates a first digital digest based on the second data and a preset digital digest generation algorithm, and sends the first digital digest to the verifying end;
a digital digest generation module, configured to generate a second digital digest based on the preset digital digest generation algorithm and the preset private key verification data;
and a verification result determining module, configured to determine a private key verification result according to the first digital digest and the second digital digest.
10. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-8.
11. A non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1-8.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111341758.8A CN113783705A (en) 2021-11-12 2021-11-12 Zero knowledge proof method, verification terminal, equipment and storage medium of key

Publications (1)

Publication Number Publication Date
CN113783705A true CN113783705A (en) 2021-12-10

Family

ID=78873863

Country Status (1)

Country Link
CN (1) CN113783705A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211210