CN117792607A - Identity privacy protection and traceable distributed supervision method and system on blockchain and readable storage medium - Google Patents


Info

Publication number
CN117792607A
Authority
CN
China
Prior art keywords
node
user
committee
private key
blockchain
Legal status
Pending
Application number
CN202311835033.3A
Other languages
Chinese (zh)
Inventor
刘雪峰
冯哲
高源芃
洪兴宇
雷静
裴庆祺
Current Assignee
Guangzhou Lianrong Information Technology Co ltd
Xidian University
Original Assignee
Guangzhou Lianrong Information Technology Co ltd
Xidian University

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a distributed supervision method, system and readable storage medium that protect identity privacy on a blockchain while keeping identities traceable. The method comprises: initializing parameters; generating the public and private key pair of a blockchain committee from the basic parameters by joint computation, putting the public key on chain and storing the private key in a distributed manner; generating a group private key for a user and binding it to the user's identity; generating revocation auxiliary information bound to time; completing an anonymous signature; and finally checking whether the anonymous signature is valid, revealing the identity of the user behind an invalid anonymous signature, adding that identity to the revocation list, and thereby making the user's subsequent anonymous signatures invalid. The system and the readable storage medium implement this distributed supervision method. The invention has the blockchain committee nodes reveal user identities by joint computation, refreshes the private key fragments regularly, and has the proxy node receive, verify, aggregate and forward messages; it gives stronger protection of user identity, a flexible and secure system, and low complexity.

Description

Identity privacy protection and traceable distributed supervision method and system on blockchain and readable storage medium
Technical Field
The invention relates to the technical field of blockchain user identity supervision, and in particular to a distributed supervision method, a distributed supervision system and a readable storage medium for identity privacy protection and traceability on a blockchain.
Background
In recent years blockchain technology has been widely applied in digital currency, finance, evidence storage, traceability and other fields. The "14th Five-Year Plan for Digital Economy Development" issued by the State Council in 2022 states that the new round of scientific and technological revolution and industrial transformation is developing in depth, that digital transformation has become a general trend, and that developing the digital economy is a strategic choice for seizing the opportunities of that revolution. The level of digital industrialization has risen markedly, digital public services have become more universal and equal, the governance system of the digital economy has improved, and the digital economy has entered a stage of long-term, steady development. Blockchain technology is a good answer to the need to build the underlying order of the digital world efficiently, stably and iteratively, and is an urgently needed "new infrastructure" for building that world.
Current blockchain technology still faces problems and challenges. Because a blockchain keeps a public ledger, its multi-party validation transaction model poses a significant threat to user privacy. To protect users' transaction data on chain, existing blockchain technology offers various privacy-protection schemes, which fall into two main categories. 1. The user's identity is kept completely secret: only the sender and the receiver of a transaction learn each other's identity and the details of the transaction. Complete anonymity, however, lets private data proliferate, so that the chain fills with malicious data while the system cannot identify the malicious users and hold them accountable. 2. The user's identity is managed: only the supervisor knows the user's identity and the user's on-chain data, while the on-chain transaction data remains anonymous to other ordinary users.
Much work has been done on user identity authentication and privacy protection for blockchains. For stronger anonymity, Zerocash (Ben-Sasson E, Chiesa A, Garman C, et al. Zerocash: Decentralized anonymous payments from Bitcoin [C]// 2014 IEEE Symposium on Security and Privacy. IEEE, 2014: 459-474) introduces commitment Merkle trees, zero-knowledge proofs and encryption to obtain stronger privacy; but the zk-SNARK it uses, while efficient to verify, is slow when generating the proof, so transaction operations are inefficient, and the scheme cannot supervise user identities. CryptoNote uses a linkable ring signature to hide the identity of the sender (Ruffing T, Moreno-Sanchez P, Kate A. P2P mixing and unlinkable Bitcoin transactions [J]. Cryptology ePrint Archive, 2016); because the ring signature is unconditionally anonymous, an attacker cannot tell which ring member produced the signature even when holding the members' private keys, and so no supervision is possible. Building on this, Monero (Ruffing T, Moreno-Sanchez P. ValueShuffle: Mixing confidential transactions for comprehensive transaction privacy in Bitcoin [C]// International Conference on Financial Cryptography and Data Security. Springer, Cham, 2017: 133-154) also hides transaction amounts. Privacy schemes based on ring signatures conceal the signer well but still do not solve the problem of user identity supervision. Tian Haibo et al. (Tian Haibo, Lin Huizhi, Ro Pei Ran, et al. A user privacy preserving supervisable digital currency scheme [J]. Journal of Xidian University, 2020, 47(5): 40-47) use group signatures and zero-knowledge proofs to improve CryptoNote and make Monero supervisable.
That approach, however, relies on a trusted third party and cannot prevent misbehaviour by the supervisor. Emura et al. (Group Signatures with Time-bound Keys Revisited: A New Model and an Efficient Construction), working outside the blockchain setting, group-sign the user's public key, compute pseudonymous signature data, perform distributed joint issuance and disclosure of identities, bind the user to a tree node so that the user's identity is decoupled from the signature data, and introduce a new feature, identity expiry: every user's identity is time-limited, which reduces redundant storage in the system's identity management. However, that scheme relies on a trusted center that issues user identities through a manager node; a malicious manager can reveal users' private data, and the manager node is a single point that an attacker can compromise.
Disclosure of Invention
To overcome the above drawbacks of the prior art, the present invention provides a distributed supervision method, system and readable storage medium for protecting and tracing identity privacy on a blockchain. The structure of blockchain committee nodes, proxy node and users is built on the blockchain: the committee nodes are chosen from the ordinary nodes of the blockchain and, on behalf of all blockchain nodes, issue, reveal and revoke user identities; the proxy node is a single node, chosen from the blockchain nodes or designated, whose job is to receive messages from the other nodes, verify and aggregate them, and forward the aggregated result; the user is an entity outside the blockchain. The committee's public and private key pair is generated by joint computation of the committee nodes and the proxy node, and user identity issuance, revocation, signing, verification and identity disclosure are performed on that basis, so that privacy protection and supervision are both achieved and backward unlinkability is obtained.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
A distributed supervision method for identity privacy protection and traceability on a blockchain comprises the following steps:
Step 1: initialize parameters, generating the basic parameters needed by the subsequent protocol: bilinear pairing parameters, hash parameters and binary tree parameters, and put them on chain;
Step 2: from the basic parameters of step 1, generate the committee's public and private key pair by joint computation of the committee nodes and the proxy node; put the committee public key on chain, while the committee private key is stored in a distributed manner by the committee nodes;
Step 3: a user applies to the committee nodes for an identity key; the committee nodes respond, and when a preset number of committee nodes agree to admit the user, they compute with the committee private key fragments stored in step 2, generate a time-limited group private key for the user and bind it to the user's identity, and each committee node keeps a ciphertext of the user's private key locally;
Step 4: the committee nodes and the proxy node jointly compute, with the committee private key of step 2, revocation auxiliary information bound to the current time;
Step 5: the user produces an anonymous signature with the group private key of step 3 and the revocation auxiliary information of step 4;
Step 6: the committee nodes and the proxy node check whether the anonymous signature of step 5 is valid; if it is, it is put on chain, otherwise step 7 is executed;
Step 7: the preset number of committee nodes of step 3 jointly compute with the committee private key of step 2 to reveal the identity of the user behind the signature found invalid in step 6, and add that identity to the revocation list, so that the user's subsequent anonymous signatures are no longer valid.
Step 1 specifically comprises the following steps:
Step 1.1: the proxy node selects bilinear pairing parameters: $g \in G_1$ and $\hat g \in G_2$ are generators of $G_1$ and $G_2$ respectively, $e: G_1 \times G_2 \to G_T$ is the bilinear map, and $f, g_2, h_0, h_1, h_2$ are random elements of $G_1$;
Step 1.2: the proxy node selects a hash algorithm, giving the hash parameter $H: \{0,1\}^* \to \mathbb{Z}_q$;
Step 1.3: the proxy node generates a full binary tree BT, binds each leaf node to a time (from left to right in increasing time order), and binds a random number to every node;
Step 1.4: the proxy node sends the basic parameters generated in steps 1.1 to 1.3 to all blockchain committee nodes;
Step 1.5: on receiving them, each committee node $N_i$ runs $\mathrm{CL.KeyGen}$ to obtain a CL encryption key pair $(\mathrm{CL.sk}_i, \mathrm{CL.pk}_i)$, produces a zero-knowledge proof that the key pair is well formed, and sends $\mathrm{CL.pk}_i$ together with the proof to the proxy node;
Step 1.6: the proxy node collates the received CL public keys and proofs, adds them to the committee node key-pair list (thereby publishing and ordering the node information), and broadcasts the list to all committee nodes;
Step 1.7: each committee node verifies every node's CL public key against its zero-knowledge proof and sends its verification result to all committee nodes;
Step 1.8: if more than half of the results received for a node report an error, that node is removed from the committee network; when every committee node has reported all keys correct, the committee node key-pair list is put on chain.
Step 2 specifically comprises the following steps:
Step 2.1: every committee node $N_i$ chooses a secret polynomial, evaluates it at the $n$ committee nodes' points to obtain one share value per node, commits to each polynomial coefficient, encrypts the $n$ share values under the recipients' CL public keys as $c_{i,j}$, $j \in [1,n]$, and proves in zero knowledge that the ciphertexts are consistent with the coefficient commitments; it also commits to the constant-term coefficient (this commitment is its contribution to the committee public key $vk_A$) and proves that commitment correct. It sends the ciphertexts, commitments and proofs to the proxy node and broadcasts the constant-term commitment and its proof to all committee nodes and the proxy node;
Step 2.2: the proxy node verifies the coefficient commitments, the share ciphertexts and their encryption format. Once they check out, it aggregates the ciphertexts addressed to each node using the additive homomorphism of CL encryption, $\{c'_j = \mathrm{CL.Eval}(\{c_{i,j}\}_{i\in[1,n]}, +)\}_{j\in[1,n]}$, aggregates the coefficient commitments, sends $c'_j$ to the corresponding node $N_j$, and broadcasts the aggregated coefficient commitments to all committee nodes;
Step 2.3: each committee node $N_j$, holding the constant-term commitments and proofs of step 2.1 and the aggregated ciphertext $c'_j$ and aggregated coefficient commitments of step 2.2, aggregates the constant-term commitments and checks that they are correct; if so, it decrypts $c'_j$ with its own CL private key and verifies the resulting share value against the aggregated coefficient commitments. If its share is correct, it aggregates the $vk$ contributions of step 2.1 into $vk_A$, keeps the decrypted value as its fragment of the committee private key (the fragments of all committee nodes together constitute the committee private key, which is held only in this distributed form), takes $vk_A$ as the committee public key, and stores its key material locally; if a check fails, the node sends its verification result to the other committee nodes;
Step 2.4: steps 2.1 to 2.3 are rerun periodically to refresh the committee nodes' private key fragments.
Step 3 specifically comprises the following steps:
Step 3.1: precompute with a joint exponent-inversion algorithm, providing the exponent information needed to generate users' group private keys;
Step 3.1.1: every committee node $N_k$ chooses a random number $r_k \leftarrow \mathbb{Z}_q$, encrypts it under the committee public key $vk_A$ of step 2.3 to obtain a first ciphertext, computes a zero-knowledge proof for that ciphertext, and sends the ciphertext and proof to all committee nodes;
Step 3.1.2: each committee node verifies the other nodes' ciphertexts and proofs; if they pass, it aggregates the ciphertexts. It then chooses a second random number $\zeta_k \leftarrow \mathbb{Z}_q$, combines it homomorphically with the aggregated ciphertext, produces a zero-knowledge proof, and sends the aggregated ciphertext, its random contribution and the proof to the other committee nodes;
Step 3.1.3: each committee node verifies the other nodes' messages, then aggregates once more to obtain a second aggregate ciphertext $c'_r$, partially decrypts it with its key from step 2, $r_k \leftarrow \mathrm{CL.Dec}(\mathrm{CL.sk}_k, c'_r)$, gives a zero-knowledge proof that its decryption share is correct, and sends the share and proof to the other committee nodes;
Step 3.1.4: each committee node verifies the other nodes' decryption shares; if they pass, it aggregates them into the fully decrypted but still masked exponent value $r' = r(\gamma_A + \zeta)$ and stores $\mathrm{temp}[i] = (r'_i, \zeta_i, r_{i,k})$; if a verification fails, it sends its verification result to the other committee nodes;
Step 3.2: using the exponent information of step 3.1, jointly issue the user identity, generate a time-limited group private key, bind it to the identity, and keep a ciphertext of the user's private key locally;
Step 3.2.1: the current user $i$ generates a CL key pair $(\mathrm{CL.sk}_i, \mathrm{CL.pk}_i) = \mathrm{CL.KeyGen}$ with a zero-knowledge proof of its correctness, chooses a random number $x_i \leftarrow \mathbb{Z}_q$, sets $usk_i = x_i$, commits to $x_i$ and proves knowledge of it: it chooses $r_x \leftarrow \mathbb{Z}_q$, computes the proof commitment and challenge $c_x$, and the response $s_x = r_x + c_x x_i$. Finally the user sends the commitment to its private key, its CL public key, and the zero-knowledge proofs for both to the proxy node;
Step 3.2.2: the proxy node verifies the user's data. If it passes, the proxy assigns user $i$ a leaf node $\eta$ whose bound time corresponds to the user's identity expiry $\tau_i$, and with the CS-TBK scheme obtains the user's path nodes $u_j \in \mathrm{Path}(\eta) := (u_1, \dots, u_l) \leftarrow \mathrm{CS\text{-}TBK}(BT, \tau_i)$; it chooses random numbers $(\zeta_1, \dots, \zeta_l) \leftarrow \mathbb{Z}_q$, computes the base part of the user's group private key for each path node, and sends the base parts and random numbers together with the user's commitment, CL public key and proofs from step 3.2.1 to all committee nodes. If verification fails, the verification result is sent to the committee nodes;
Step 3.2.3: each committee node $N_k$ verifies the user's data. If it passes, it uses the plaintext $r'_j$ to look up $\mathrm{temp}$ from step 3.1.4 and find the bound value $r_{i,k}$, computes its fragment $A_{j,k}$ of the user's group private key for each path node $j$, encrypts the fragments under the user's CL public key, $\{C_{j,k} = \mathrm{CL.Enc}(\mathrm{CL.pk}_i, A_{j,k})\}_{j\in[1,l]}$, and sends the ciphertext fragments to the proxy node and the other committee nodes; if verification fails, it sends its verification result to the other committee nodes;
Step 3.2.4: on receiving the ciphertext fragments $\{C_{j,k}\}_{j\in[1,l]}$ from the committee nodes, the proxy node sends the user group private key information $(\{C_{j,k}, r'_j, \zeta_j, \xi_j, u_j\}_{j\in[1,l]}, \tau_i)$ to user $i$;
Step 3.2.5: user $i$ decrypts the committee nodes' ciphertext fragments with its CL private key, $\{A_{j,k} = \mathrm{CL.Dec}(\mathrm{CL.sk}_i, C_{j,k})\}_{j\in[1,l]}$, aggregates the fragments, and completes the computation of its group private key;
Step 3.2.6: each committee node, using its key fragment from step 2.3, computes over the fragments $\{C_{j,k}\}_{j\in[1,l]}$ received from the other committee nodes in step 3.2.3 an encryption of the user group private key ciphertext fragments, and sends this encrypted information to the proxy node;
Step 3.2.7: the proxy node aggregates the encrypted information from all committee nodes into the encrypted user group private key ciphertext $\{C'_j\}_{j\in[1,l]}$ and sends it to the committee nodes;
Step 3.2.8: each committee node $N_k$ removes its part of the mask from $\{C'_j\}_{j\in[1,l]}$, obtaining the half-masked encrypted user group private key $C''_{j,k}$, and sends it to the proxy node;
Step 3.2.9: the proxy node aggregates the $C''_{j,k}$, which removes the mask completely, obtains the encrypted user group private key $\{C''_j\}_{j\in[1,l]}$, and sends it to the committee nodes;
Step 3.2.10: each committee node stores locally $gsk_i = \{(C''_j, \zeta_j, \xi_j), u_j\}_{j\in[1,l]}$ and the registry entry $\mathrm{reg}[i] = (\tau_i, grt_i, \{C''_j\}_{j\in[1,l]})$.
Step 4 specifically comprises the following steps:
Step 4.1: the proxy node takes the current time $t$, matches it against the time-bound full binary tree BT of step 1.3, and runs the CS-TBK algorithm to obtain a set of nodes $Y = (v_1, \dots, v_{num}) \leftarrow \mathrm{CS\text{-}TBK}(BT, t)$; it chooses random numbers $\{\zeta'_j\}_{j\in[1,num]} \leftarrow \mathbb{Z}_q$ and sends the current time, the node information and the random numbers $(t, \{v_j, \zeta'_j\}_{j\in[1,num]})$ to the committee nodes;
Step 4.2: each committee node $N_k$, using the received node information and the masked exponent information stored in step 3.1.4, jointly computes the masked revocation auxiliary information $\{B_{j,t,k}\}_{j\in[1,num]}$ and sends it to the proxy node;
Step 4.3: the proxy node chooses a random number $y_t \leftarrow \mathbb{Z}_q$ and computes a commitment to it; it then aggregates the masked pieces into the complete revocation auxiliary information, consolidates it, and sends it to the committee nodes.
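The time binding that steps 1.3, 3.2.2 and 4.1 rely on, as an added example that is not the patent's own code: a user's key is tied to the path from the root to the leaf of its expiry time, and at time $t$ the proxy publishes the complete-subtree cover of all leaves at or after $t$. A user can sign only if one of its path nodes lies in that cover, so keys expire without any revocation-list entry, and the cover (the $num$ nodes of step 4.1) is never larger than the tree depth. The node naming, the greedy cover routine and the sample scenario are the example's own assumptions; the patent does not specify how CS-TBK is implemented.

```python
# Added example, not the patent's code: complete-subtree time binding.
# A full binary tree of depth `depth` has 2**depth leaves; leaf l (0-based,
# left to right) is bound to time slot l, as in step 1.3.  Nodes are
# (level, index) pairs: the root is (0, 0) and the children of (d, i) are
# (d + 1, 2*i) and (d + 1, 2*i + 1).  Naming is this example's assumption.


def leaf_path(depth, leaf):
    """Path(eta) of step 3.2.2: the nodes from the root down to leaf `leaf`.
    A user whose identity expires at slot `leaf` receives one key part per node."""
    return [(d, leaf >> (depth - d)) for d in range(depth + 1)]


def cover_from(depth, t):
    """CS-TBK(BT, t) of step 4.1: the minimal set of subtree roots whose leaves
    are exactly the slots t .. 2**depth - 1, i.e. every expiry time still in
    the future.  This is the node set Y = (v_1, ..., v_num)."""
    cover, lo, hi = [], t, (1 << depth) - 1
    while lo <= hi:
        size = 1                      # largest aligned block starting at lo
        while lo % (2 * size) == 0 and lo + 2 * size - 1 <= hi:
            size *= 2
        cover.append((depth - size.bit_length() + 1, lo // size))
        lo += size
    return cover


def usable_node(depth, expiry_leaf, t):
    """The path node a user with expiry slot `expiry_leaf` can pair with the
    revocation auxiliary information of time t, or None once expired (t >
    expiry).  The cover's subtrees are disjoint, so there is at most one hit."""
    hits = set(leaf_path(depth, expiry_leaf)) & set(cover_from(depth, t))
    assert len(hits) <= 1
    return hits.pop() if hits else None


def revocation_info_size(depth, t):
    """num of step 4.1: how many nodes the proxy publishes at time t."""
    return len(cover_from(depth, t))


if __name__ == "__main__":
    # constructed scenario: 8 time slots, two users, clock at slot 5
    for expiry in (4, 6):
        print(f"expiry slot {expiry}, time 5 ->", usable_node(3, expiry, 5))
    print("cover at time 5:", cover_from(3, 5))
```

In the scenario above the user expiring at slot 4 finds no path node in the cover for time 5 and cannot produce a signature, while the user expiring at slot 6 signs with the node covering slots 6 and 7; moving the clock forward only shrinks the cover, so an expired key never becomes usable again, which is the backward-unlinkability property the disclosure claims.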
Step 5 specifically comprises the following steps:
Step 5.1: the user selects random numbers $\alpha, \beta, d \leftarrow \mathbb{Z}_q$;
Step 5.2: using the basic parameters of step 1.1, the group private key of step 3, the revocation auxiliary information of step 4.3 and the random numbers of step 5.1, the user computes the relation parameters $\psi_1 = f^\alpha$, the further relation parameters $\psi_2, \dots, \psi_7$, and $\delta = \alpha\xi$, $\delta' = \alpha\xi'$;
Step 5.3: the user selects further random numbers $r_\alpha, r_\beta, r_\zeta, r_\xi, r_{\zeta'}, r_{\xi'}, r_u, r_x, r_\delta, r_{\delta'} \leftarrow \mathbb{Z}_q$;
Step 5.4: from the random numbers of step 5.3 and the relation parameters of step 5.2, the user computes the proof parameters $R_1, \dots, R_6$;
Step 5.5: the user hashes the relation parameters, the proof parameters and the message $m$ to obtain the random challenge of the non-interactive zero-knowledge proof: $c \leftarrow H(\psi_1, \dots, \psi_7, R_1, \dots, R_6, m)$;
Step 5.6: with the challenge of step 5.5 the user computes the proof responses: $s_\alpha = r_\alpha + c\alpha$, $s_\beta = r_\beta + c\beta$, $s_\zeta = r_\zeta + c\zeta$, $s_\xi = r_\xi + c\xi$, $s_{\zeta'} = r_{\zeta'} + c\zeta'$, $s_{\xi'} = r_{\xi'} + c\xi'$, $s_u = r_u + cu$, $s_x = r_x + cx_i$, $s_\delta = r_\delta + c\delta$, $s_{\delta'} = r_{\delta'} + c\delta'$;
Step 5.7: the user assembles the relation parameters of step 5.2, the challenge of step 5.5 and the responses of step 5.6 into the signature $\sigma = (\psi_1, \dots, \psi_7, c, s_\alpha, s_\beta, s_\zeta, s_\xi, s_{\zeta'}, s_{\xi'}, s_u, s_x, s_\delta, s_{\delta'})$ and sends it to the proxy node.
Step 6 specifically comprises the following steps:
Step 6.1: the proxy node receives the signature $\sigma = (\psi_1, \dots, \psi_7, c, s_\alpha, s_\beta, s_\zeta, s_\xi, s_{\zeta'}, s_{\xi'}, s_u, s_x, s_\delta, s_{\delta'})$ sent in step 5.7 and first checks its format. If the format check passes, it verifies the zero-knowledge proof; if that passes too, it sends $\sigma$ together with the verification result 0/1 to the committee nodes. If the format check or the proof verification fails, the proxy node sends the failed verification result to the committee nodes instead. The proof verification consists of:
Step 6.1.1: recomputing the proof parameters $R'_1, \dots, R'_6$ from $\sigma$;
Step 6.1.2: checking $c \stackrel{?}{=} H(\psi_1, \dots, \psi_7, R'_1, \dots, R'_6, m)$, which yields 0/1;
Step 6.1.3: checking the remaining verification relation on the signature;
Step 6.2: each committee node, on receiving $\sigma$ and the proxy node's result 0/1 from step 6.1, repeats the verification of step 6.1. If its verification passes and agrees with the proxy node's result, the message is put on chain; if its verification fails and agrees with the proxy node's result, the message is discarded; if its result disagrees with the proxy node's, the node sends its result to the other committee nodes, and once the preset number of committee nodes of step 3 have confirmed a disagreement with the proxy node's result of step 6.1, the proxy node is replaced.
Step 7 specifically comprises the following steps:
Step 7.1: each committee node $N_i$ that found the user's signature invalid in step 6.2 computes its decryption share of the group private key element embedded in the signature, together with a zero-knowledge proof of its correctness, and sends $(A'_i, \pi'_i)$ to the proxy node;
Step 7.2: the proxy node verifies each decryption share against its proof; once they pass, it aggregates the shares into $A'$ and recovers the user's group private key element $A = \psi_2 / A'$, then sends it to every committee node;
Step 7.3: each committee node $N_k$ encrypts $A$ with its key fragment to obtain an encryption fragment $C'_k$, computes a zero-knowledge proof $\pi'_k$ that the encryption is correct, and sends $(C'_k, \pi'_k)$ to the proxy node;
Step 7.4: the proxy node verifies the proofs of the encryption fragments; if they pass, it aggregates the fragments into the encrypted form $C'$ of the user's group private key element and sends $C'$ to the committee nodes;
Step 7.5: each committee node searches the user registry for the entry $\mathrm{reg}[k]$ that contains $C'$ and thereby obtains the identity $k$ of the user.
A distributed supervisory system for identity privacy protection and traceability on a blockchain, comprising the following modules:
the system initialization module, which initializes parameters and generates the basic parameters;
the blockchain committee key module, which generates the blockchain committee public-private key pair based on the basic parameters generated by the system initialization module, puts the blockchain committee public key on-chain and stores the blockchain committee private key in a distributed manner;
the user identity issuing module, which generates a group private key for a user based on the blockchain committee private key stored by the blockchain committee key module, performs identity binding, and at the same time locally stores the ciphertext of the user's private key;
the revocation module, which generates time-bound revocation auxiliary information based on the blockchain committee private key generated by the blockchain committee key module;
the signature module, which completes the anonymous signature using the group private key generated by the user identity issuing module and the time-bound revocation auxiliary information generated by the revocation module;
the verification module, which verifies whether the anonymous signature completed by the signature module is valid;
and the identity revealing module, which uses the blockchain committee private key generated by the blockchain committee key module to reveal the identity behind an anonymous signature that the verification module has found invalid, and adds that identity to the revocation list.
A readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the above-described distributed supervision method for identity privacy protection and traceability on a blockchain.
Compared with the prior art, the invention has the following beneficial effects:
1. The invention realizes decentralized identity management by having all the blockchain committee nodes and the proxy node compute jointly, which improves the security of user identities.
2. The invention reveals a user identity through a preset number of blockchain committee nodes: only the preset number of committee nodes needs to be online, which reduces the number of committee nodes that must be online and improves the flexibility of the system.
3. The invention uses the proxy node to receive, verify, aggregate and forward information, which reduces the communication complexity of the system from O(n^3) to O(n^2).
4. The invention updates the private key fragments of the blockchain committee nodes regularly, so that each node's fragment changes while the committee secret key stays unchanged. This copes with network dynamics and node turnover, and also counters the attack in which a malicious attacker, given a key that stays unchanged for a long time, gradually compromises the preset number of committee nodes; the security of the system is thereby increased.
In summary, the invention adopts joint calculation by all blockchain committee nodes, disclosure of a user identity by a preset number of committee nodes, regular updating of the committee nodes' private key fragments, and reception, verification, aggregation and forwarding of information by the proxy node, thereby improving the security of user identities, enhancing the flexibility and security of the system, and reducing the complexity of the system.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The present invention will be described in detail with reference to the accompanying drawings.
Referring to fig. 1, a distributed supervision method for protecting identity privacy and traceability on a blockchain includes the following steps:
Step 1: initialize parameters and generate the basic parameters needed by the subsequent protocol: the bilinear pairing parameters, the hash parameters and the binary tree parameters, and put them on-chain; this information contains no private data, so in practice it can be generated by the proxy node and put on-chain directly;
Step 2: using the basic parameters generated in step 1, the blockchain committee nodes and the proxy node jointly compute the blockchain committee public-private key pair; the blockchain committee public key is then put on-chain, while the blockchain committee private key is stored in a distributed manner by the blockchain committee nodes;
Step 3: a user sends an application to the blockchain committee nodes requesting an identity key; the committee nodes respond to the application, and when a preset number of committee nodes agree to admit the user, the committee nodes compute with the blockchain committee private key stored in step 2, generate a group private key with a validity period for the user, and bind it to the user's identity; at the same time, each committee node locally keeps a ciphertext of the user's private key for identity tracing;
Step 4: the blockchain committee nodes and the proxy node jointly compute on the time using the blockchain committee private key generated in step 2, and generate time-bound revocation auxiliary information;
Step 5: the anonymous signature is completed using the group private key generated in step 3 and the time-bound revocation auxiliary information of step 4, protecting the user's identity privacy;
Step 6: the blockchain committee nodes and the proxy node check whether the anonymous signature completed in step 5 is valid; if it is valid it is put on-chain, and if not, step 7 is executed;
Step 7: the preset number (from step 3) of blockchain committee nodes jointly compute with the blockchain committee private key generated in step 2 to reveal the identity of the user whose anonymous signature was found invalid in step 6, and add that user identity to the revocation list, so that subsequent anonymous signatures of that user are no longer valid.
The step 1 specifically comprises the following steps:
Step 1.1: the proxy node selects the bilinear pairing parameters, where g and a second generator are the generators of G_1 and G_2 respectively, e is the bilinear map from G_1 × G_2 to G_T, and f, one further element, g_2, h_0, h_1, h_2 are random group elements in G_1;
Step 1.2: the proxy node selects a hash algorithm, giving the hash parameter H: {0,1}* → Z_q;
Step 1.3: the proxy node generates a full binary tree, producing the binary tree parameter BT; it binds each leaf node to a time, from left to right in increasing time order, and binds a random number to each node;
Step 1.4: the proxy node transmits the data generated in steps 1.1 to 1.3 to all blockchain committee nodes;
Step 1.5: after receiving the data transmitted in step 1.4, each blockchain committee node obtains a CL encryption/decryption public-private key pair (CL.sk_i, CL.pk_i) by running the CL.KeyGen algorithm, produces a zero-knowledge proof of the correctness of that key pair, and sends the CL public key together with the zero-knowledge proof to the proxy node;
Step 1.6: after receiving the CL public keys and zero-knowledge proofs sent in step 1.5, the proxy node collates the CL public key and zero-knowledge proof of each blockchain committee node, adds them to the blockchain committee node key-pair list, completes the publication of node information and node ordering, and broadcasts the blockchain committee node key-pair list to all blockchain committee nodes;
Step 1.7: after receiving the blockchain committee node key-pair list broadcast in step 1.6, each blockchain committee node verifies the CL public key and the corresponding zero-knowledge proof of every node and transmits its verification information to all blockchain committee nodes;
Step 1.8: when a blockchain committee node receives more than half of the verification information of step 1.7 as error reports for some node, that blockchain committee node is removed from the blockchain node network; when all blockchain committee nodes receive only correct verification information in step 1.7, the blockchain committee node key-pair list is put on-chain.
Step 2 is the key generation stage KeyGen(n, t): the key generation protocol is given the number n of blockchain committee nodes and the malicious-node threshold t, and through the key generation stage the joint key is reduced from an n-of-n threshold to a t-of-n threshold. The stage specifically comprises the following steps:
step 2.1: all blockchain committee node operations Generating polynomial values of n corresponding nodes +.>And polynomial coefficient promise->Simultaneously encrypting the n polynomial values using a CL encryption algorithm: /> And performing zero knowledge proof on the polynomial value encryption ciphertext and the polynomial value promise:Finally pair->Use->Promise to getFor->And->Zero knowledge proof is performed: />And sendTo proxy node, broadcast polynomial constant term coefficient promise and zero knowledge proof ++to all block chain committee nodes and proxy nodes simultaneously>All the block chain committee nodes run verifiable secret sharing, generate n polynomial values of the total number of nodes of the committee, conduct CL encryption on the polynomial values, give corresponding zero knowledge proof, ensure that the polynomial values are correct, send CL ciphertexts of the polynomial values to the proxy nodes, and broadcast commitments of the secret values to all the committee nodes after committing the secret values, and can verify the subsequently received aggregation polynomial values through the commitments of the secret values;
Step 2.2: the proxy node receives the transmission in the step 2.1Andand then, verifying the correctness of the polynomial coefficient promise and the polynomial value encryption ciphertext and the correctness of the encryption format: /> Confirm->Andafter correctness of (2), the proxy node aggregates { c 'the polynomial value encrypted ciphertext' j =CL Eval ({c i,j } i∈[1,n] ,+)} j∈[1,n] And then the polynomial coefficient promises are aggregated: /> And transmitting the aggregated polynomial-valued encrypted ciphertext c' j To the corresponding node N j Finally broadcast polynomial coefficient commitmentTo all block chain committee nodes, the agent node carries out zero knowledge proof verification on CL ciphertext of a polynomial value from each node, ensures that the ciphertext from the same node is encrypted for the corresponding polynomial value, aggregates polynomial values and polynomial coefficient promises sent to the same node, aggregates n number of polynomial values into 1, achieves the effect of reducing traffic, sends the aggregated polynomial values to the corresponding nodes, and broadcasts the aggregated polynomial coefficient promises;
step 2.3: all blockchain committee nodes receive the polynomial constant term coefficient commitment and its zero knowledge proof in step 2.1Step 2.2, the polynomial value encryption ciphertext c 'sent by the proxy node' j And polynomial coefficient commitment->Then, the polynomial constant term promises broadcasted in step 2.1 are aggregated: />And verifies whether the polynomial constant term promise is correct: />When the verification is correct, proving that the proxy node does not delete the polynomial, and after the verification is passed, the proxy node decrypts the polynomial value encrypted ciphertext: />And verifies whether the polynomial values are correct: when the polynomial value of the current blockchain committee node is determined to be correct, the vk transmitted in step 2.1 A Polymerization is carried out: />Set->For the private key fragments of the block chain committee, assembling the private key fragments of each block chain committee node to obtain the private key of the block chain committee, and setting vk A Obtaining public and private key pair of the block chain committee for the public and private keys of the block chain committee and storing the public and private key pair locally>When the verification is incorrect, the block chain committee node sends verification information to other block chain committee nodes, after all the block chain committee nodes receive the aggregated polynomial values and polynomial commitments, the polynomial commitments are compared with the polynomial commitments broadcasted in the first step, if the polynomial commitments are correct, the fact that the agent node does not delete or forge the polynomial at will is ensured, then the polynomial values are decrypted, the decrypted polynomial values are committed, and the values calculated by the polynomial coefficient commitments are compared, and if the polynomial commitments are correct, the fact that the agent does not forge malicious information in the 
whole process is ensured;
Step 2.4: step 2.1-step 2.3 are executed regularly to finish the regular updating of the private key fragments of the block chain committee node, and the operations are required to be completed four times in parallel in the block chain key generation stage to generate corresponding four groups of keys (gamma) ABCO ) Corresponding promiseAre held together by the respective committee nodes, each node holding a sub-secret +.>And secret commitment (vk) A ,vk B ,vk C ,g 1 )。
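The threshold key generation of steps 2.1 to 2.4 and the joint opening of a committee-encrypted value in step 7, as an added worked example that is not part of the patent: it uses Feldman-style coefficient commitments in a small Schnorr group (p = 1019, q = 509, g = 4, assumed here in place of the pairing group G_1), hands shares to nodes in the clear instead of CL-encrypting them, and models the stored registry ciphertext as ElGamal under the committee key, so the CL ciphertexts and zero-knowledge proofs of the patent are not reproduced; all function names are the example's own.

```python
# Added example (not from the patent): t-of-n key generation with Feldman
# commitments, proxy-side aggregation, node-side verification, periodic share
# refresh, and a t-of-n joint decryption in the style of step 7.
# Assumptions: a toy Schnorr group (p = 2q+1 = 1019, g = 4 of order q = 509)
# stands in for G_1; shares travel in the clear (no CL encryption, no ZK
# proofs), so only the commitment checks the committee nodes perform are shown.
import random

P, Q, G = 1019, 509, 4

def poly_eval(coeffs, x):
    """f(x) over Z_q with coeffs[k] the coefficient of x^k."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def lagrange_at_zero(xs):
    """lambda_j such that f(0) = sum_j lambda_j * f(x_j) for degree < len(xs)."""
    lams = {}
    for j in xs:
        num = den = 1
        for m in xs:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        lams[j] = num * pow(den, -1, Q) % Q
    return lams

def dealer_round(n, t, rng, zero_constant=False):
    """Step 2.1: every node picks a degree t-1 polynomial, commits to each
    coefficient (g^a) and evaluates f_i(j) for every node j."""
    deals = []
    for _ in range(n):
        coeffs = [rng.randrange(1, Q) for _ in range(t)]
        if zero_constant:
            coeffs[0] = 0                    # refresh polynomials share the value 0
        commit = [pow(G, c, P) for c in coeffs]
        shares = {j: poly_eval(coeffs, j) for j in range(1, n + 1)}
        deals.append((commit, shares))
    return deals

def proxy_aggregate(deals, n):
    """Step 2.2: the proxy sums the n shares addressed to node j (one message
    instead of n) and multiplies the coefficient commitments."""
    t = len(deals[0][0])
    shares = {j: sum(d[1][j] for d in deals) % Q for j in range(1, n + 1)}
    commit = [1] * t
    for c, _ in deals:
        for k in range(t):
            commit[k] = commit[k] * c[k] % P
    return shares, commit

def node_verify(j, share, commit, const_commits):
    """Step 2.3: node j checks that the proxy's aggregated constant-term
    commitment equals the product of the commitments every dealer broadcast
    (nothing dropped or forged) and that g^share matches the aggregated
    polynomial commitments evaluated at x = j."""
    vk = 1
    for c0 in const_commits:
        vk = vk * c0 % P
    if vk != commit[0]:
        return False
    rhs = 1
    for k, ck in enumerate(commit):
        rhs = rhs * pow(ck, pow(j, k, Q), P) % P
    return pow(G, share, P) == rhs

def keygen(n, t, seed=1):
    rng = random.Random(seed)
    deals = dealer_round(n, t, rng)
    shares, commit = proxy_aggregate(deals, n)
    consts = [d[0][0] for d in deals]
    ok = all(node_verify(j, shares[j], commit, consts) for j in shares)
    return {"n": n, "shares": shares, "commit": commit, "vk": commit[0],
            "const_commits": consts, "ok": ok, "rng": rng}

def refresh(state):
    """Step 2.4: re-share zero, so every fragment changes but vk (and the
    joint secret) stays the same."""
    n, t = state["n"], len(state["commit"])
    deals = dealer_round(n, t, state["rng"], zero_constant=True)
    delta, dcommit = proxy_aggregate(deals, n)
    consts = [d[0][0] for d in deals]
    ok = all(node_verify(j, delta[j], dcommit, consts) for j in delta)
    new = dict(state)
    new["shares"] = {j: (state["shares"][j] + delta[j]) % Q for j in delta}
    new["commit"] = [a * b % P for a, b in zip(state["commit"], dcommit)]
    new["ok"] = state["ok"] and ok
    return new

def reconstruct(shares, subset):
    """For demonstration only: the protocol never assembles the secret."""
    lams = lagrange_at_zero(list(subset))
    return sum(lams[j] * shares[j] for j in subset) % Q

def encrypt_for_committee(vk, m, seed=7):
    """ElGamal-style ciphertext under the committee key (stands in for the
    stored registry ciphertext that step 7 opens)."""
    r = random.Random(seed).randrange(1, Q)
    return pow(G, r, P), m * pow(vk, r, P) % P

def partial_decrypt(c1, share):
    """Step 7.1: one node's decryption fragment c1^{share_j}."""
    return pow(c1, share, P)

def aggregate_decrypt(c2, parts):
    """Step 7.2: the proxy combines t fragments with Lagrange coefficients in
    the exponent and strips the mask vk^r from c2."""
    lams = lagrange_at_zero(list(parts))
    mask = 1
    for j, d in parts.items():
        mask = mask * pow(d, lams[j], P) % P
    return c2 * pow(mask, -1, P) % P
```

With `keygen(5, 3)` any three of the five fragments reconstruct the secret behind `vk`, a share altered by the proxy fails `node_verify`, and after `refresh` the old and new fragment sets both open the same ciphertext while no old fragment is useful together with new ones, which is the property step 2.4 relies on against a slowly advancing attacker.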
Step 3 issues a secret key to a user and is divided into two parts. First, a pre-computation: the exponent fragment part of the user key is computed by joint exponent inversion and the complete exponent fragment is stored on-chain with the CL encryption scheme; second, the exponent ciphertext from the pre-computation is used to complete the computation of the user key. Specifically:
Step 3.1: the pre-computation uses the joint exponent inversion algorithm to provide the exponent information for generating the user's group private key. The joint exponent inversion algorithm produces the components of the user key and of the expiry information; it runs automatically after system initialization and can pre-compute a large stock of values, reserving them for the issuance of each user's private key and the generation of expiry information. The algorithm mainly generates r' = r(γ_A + ζ), where r masks the key γ_A in a one-time-pad manner so that the key stays secure, and the user key is issued later from this fragment information:
Step 3.1.1: every blockchain committee node selects a random number r_k ← Z_q, encrypts it with the blockchain committee public key vk_A generated in step 2.3 to obtain a first encrypted ciphertext, computes a zero-knowledge proof for that ciphertext, and finally sends the first encrypted ciphertext and its zero-knowledge proof to all blockchain committee nodes. That is, each committee node selects a random number and encrypts it with the system key generated in the KeyGen stage; every node knows this encryption public key, and a threshold number of nodes can jointly decrypt a ciphertext and recover its plaintext. To ensure the correctness of the message, each node must compute a zero-knowledge proof for the ciphertext, which establishes that the sender of the message holds the plaintext and that the random number was encrypted in the prescribed way (the same parameters and the same public key); finally the ciphertext of the random number is sent to the other nodes;
Step 3.1.2: after receiving the random-number ciphertexts and zero-knowledge proofs of the other blockchain committee nodes from step 3.1.1, each committee node verifies the ciphertext and zero-knowledge proof of every node and, when the verification passes, aggregates the random-number ciphertexts. Each committee node then selects a random number ζ_k ← Z_q, uses the homomorphism between this random number (added to its own key fragment) and the aggregated ciphertext, and gives a zero-knowledge proof; finally each committee node transmits the aggregated ciphertext information, the random number and the zero-knowledge proof to the other committee nodes. That is, each committee node verifies the zero-knowledge proofs of the random-number ciphertexts from the other nodes and, after verification, aggregates all random-number ciphertexts through the homomorphic evaluation of the CL scheme, obtaining the ciphertext of the joint random number r; each node then selects a fresh random number ζ_k, adds it to its own key fragment to obtain γ_{A,k} + ζ_k, and homomorphically multiplies this plaintext with the ciphertext of r, so that each node obtains one ciphertext fragment r'_k = r(γ_{A,k} + ζ_k) of the final result r' = r(γ_A + ζ). To ensure that every node performs the operation correctly, it computes a zero-knowledge proof of the correctness of its fragment, and finally sends the fragment information and the zero-knowledge proof to all nodes;
Step 3.1.3: after receiving the aggregated ciphertext information, random numbers and zero-knowledge proofs of step 3.1.2, each blockchain committee node validates the messages of the other committee nodes; once it has verified the aggregated ciphertexts of all nodes, it aggregates them a second time to obtain a second aggregated ciphertext c'_r. Each committee node then decrypts the second aggregated ciphertext with its key of step 2, r_k ← CL.Dec(CL.sk_k, c'_r), and gives a zero-knowledge proof of the decrypted message to ensure its correctness; finally it sends the decrypted message and the zero-knowledge proof to the other committee nodes. That is, each committee node verifies the zero-knowledge proofs of the fragment information from the other nodes and aggregates the messages to obtain the ciphertext of r' = r(γ_A + ζ); each node must decrypt this ciphertext with its own key fragment, and to ensure the correctness of its decryption operation each node gives a zero-knowledge proof of the decryption and sends its decrypted fragment to the other committee nodes; by aggregation the final decryption is completed and the plaintext r' = r(γ_A + ζ) is obtained;
Step 3.1.4: after receiving the decrypted information and zero-knowledge proofs of step 3.1.3, each blockchain committee node verifies the decrypted information of every node; after the verification passes, all decrypted information is aggregated to obtain the fully decrypted, masked exponent information r' = r(γ_A + ζ), and the node stores temp[i] = (r'_i, ζ_i, r_{i,k}); if the verification fails, the blockchain committee node transmits its verification information to the other committee nodes. That is, each committee node verifies the decrypted fragment of every node and, if there is no error information, aggregates all decrypted fragments to obtain the final exponent information r' = r(γ_A + ζ);
Step 3.2: based on the exponent information of step 3.1, the user identity is issued jointly, a group private key with a validity period is generated and bound to the identity, and at the same time the ciphertext of the user's private key is kept locally;
Step 3.2.1: the current user i generates a CL public-private key pair (CL.sk_i, CL.pk_i) = CL.KeyGen and gives the corresponding zero-knowledge proof for it; the user then selects a random number x_i ← Z_q, sets usk_i = x_i, commits to the random number and gives a zero-knowledge proof to ensure the correctness of the key: it selects a random number r ← Z_q, computes the proof values and s_x = r_x + c_x x_i. Finally the user sends the commitment to the user private key, the CL public key and the zero-knowledge proofs corresponding to the user private key and the CL public key to the proxy node. That is, the user selects a random number or a designated number as its user key, gives a zero-knowledge proof of that key so that the user's key information is correct and not forged, generates a CL encryption key pair so that its private key fragments can be encrypted and its group private key is not revealed in the subsequent algorithm, gives the corresponding zero-knowledge proof, and finally packages its basic information and the zero-knowledge proof of its user key into a request sent to the proxy node;
Step 3.2.2: after the proxy node receives the commitment to the user private key, the CL public key and the corresponding zero-knowledge proofs sent by the current user i in step 3.2.1, it verifies the correctness of the user's data. If the verification passes, the proxy node allocates a leaf node η to the current user i, whose bound time corresponds to the identity expiry date τ_i of user i; according to the expiry time τ_i the proxy node derives the path nodes of user i with the CS-TBK scheme, u_j ∈ Path(η) := (u_1, …, u_l) ← CS-TBK(BT, τ_i); it then selects random numbers (ζ_1, …, ζ_l) ← Z_q for user i and computes the base part of user i's group private key from them. Finally the proxy node sends the base part and random numbers of user i's group private key, together with the commitment to the user private key, the CL public key and the corresponding zero-knowledge proofs generated in step 3.2.1, to all blockchain committee nodes; if the verification fails, the committee nodes send verification information to the other committee nodes. That is, after receiving the user's information the proxy node verifies the user's data: if the verification fails, the user is broadcast to the blacklist on the chain; if it passes, the user is assigned an expiry time bound to a leaf node of the binary tree. Once the user is assigned to a leaf, the blockchain nodes as a whole compute one group key for each node on the user's path in the binary tree (as many as the path is long): the proxy node selects as many random numbers as the path from the leaf to the root has nodes, computes the base part of the key, the exponent part of the key comes from the exponent inversion algorithm, and the exponent part and base part of the user's group key together with the user's specific information are sent to the committee nodes;
Step 3.2.3: after each blockchain committee node receives the base part and random numbers of user i's group private key sent by the proxy node in step 3.2.2, together with the commitment to the user private key, the CL public key and the corresponding zero-knowledge proofs generated in step 3.2.1, it verifies the correctness of the user's data. After the verification passes, the node looks up temp from step 3.1.4 by the plaintext information r'_j to find the value r_{i,k} bound to r'_j, computes its fragment of user i's group private key, and encrypts the fragment as {C_{j,k} = CL.Enc(CL.pk_i, A_{j,k})}_{j∈[1,l]}; finally each committee node transmits the ciphertext fragments {C_{j,k}}_{j∈[1,l]} of the user's group private key to the proxy node and to the other committee nodes. If the verification fails, the committee node sends its verification information to the other committee nodes. That is, after receiving the user's group key information and basic information from the proxy node, each committee node verifies the user's basic information, looks up the stored fragment that corresponds to the exponent part of the user's group key, computes the user's key to obtain its group key fragment, encrypts the fragment with the user's CL public key to obtain the group key fragment ciphertext, and sends the ciphertext to the proxy node;
Step 3.2.4: after the proxy node receives the ciphertext fragments {C_{j,k}}_{j∈[1,l]} of the user's group private key sent by the blockchain committee nodes in step 3.2.3, it transmits the user's group private key information ({C_{j,k}, r'_j, ζ_j, u_j}_{j∈[1,l]}, τ_i) to the current user i: the proxy node collates the key fragments for user i into a key fragment list and sends the list to the user;
Step 3.2.5: after the current user i receives the group private key information ({C_{j,k}, r'_j, ζ_j, u_j}_{j∈[1,l]}, τ_i) sent by the proxy node, it decrypts the ciphertexts of the group private key fragments produced by the blockchain committee nodes, {A_{j,k} = CL.Dec(CL.sk_i, C_{j,k})}_{j∈[1,l]}, aggregates the fragments and finally completes the computation of its private key. That is, the user decrypts the key fragments with its CL private key, aggregates the fragments issued by each node, and removes the node key masks, thereby obtaining the final user group private key;
Step 3.2.6: after each blockchain committee node receives the ciphertext fragments {C_{j,k}}_{j∈[1,l]} of the user's group private key sent by the other committee nodes in step 3.2.3, it uses the key fragment generated in step 2.3 to compute on the user's private key and obtain the encryption information of the ciphertext fragments of the user's group private key, and sends this encryption information to the proxy node. Each committee node needs to store a key for the user locally so that a user with a faulty signature can later be traced; storing the private key directly in plaintext would leak the user's key and would be unacceptable to the user, so the private key must be stored in ciphertext form, as fragments on each node: the user's key is encrypted with the threshold key, the node's private key mask is then eliminated, and the final encrypted storage of the key fragments is completed;
Step 3.2.7: after receiving the encryption information of the ciphertext fragments of the user's group private key sent by each blockchain committee node in step 3.2.6, the proxy node aggregates that information to obtain the encryption information {C'_j}_{j∈[1,l]} of the user's group private key ciphertext, and sends it to the blockchain committee nodes: the proxy node aggregates the encrypted fragments of all nodes, completing for the user the computation of the encrypted ciphertext of the still-masked key, and sends the ciphertext to all committee nodes so that they can carry out the next step, mask elimination;
Step 3.2.8: after each blockchain committee node receives the encryption information {C'_j}_{j∈[1,l]} of the user's group private key ciphertext sent by the proxy node in step 3.2.7, it performs a partial mask-elimination computation on it to obtain half-mask encryption information of the user's group private key, and finally transmits the half-mask encryption information C''_{j,k} to the proxy node: each committee node removes its own mask fragment from the aggregated ciphertext to obtain encrypted fragments of the user's group key, and sends the fragments to the proxy node;
Step 3.2.9: after the proxy node receives the half-mask encryption information C''_{j,k} of the user's group private key sent by the blockchain committee nodes in step 3.2.8, it aggregates them, which completely eliminates the mask information and yields the encryption information {C''_j}_{j∈[1,l]} of the user's group private key, and transmits the aggregated encryption information {C''_j}_{j∈[1,l]} of the user's group private key to the blockchain committee nodes. After aggregation the proxy node has completed the mask elimination of the user's group key fragments; the result is also the encryption of the user's group private key under the node threshold public key. Each node stores the key ciphertext locally, and if the user's identity later needs to be revealed, the specific key fragment can be encrypted and compared with the locally stored key ciphertext to trace the user's information;
Step 3.2.10: after each blockchain committee node receives the encryption information {C''_j}_{j∈[1,l]} of the user's group private key sent by the proxy node in step 3.2.9, it stores locally: gsk_i = {(C''_j, ζ_j), u_j}_{j∈[1,l]} and reg[i] = (τ_i, grt_i, {C''_j}_{j∈[1,l]}).
Step 4 is the revocation step, which generates the expiration auxiliary information of users. In this step the information a user later needs in order to sign is produced: as long as the user holds, from the registration step, a signing key for the same binary-tree node that appears in the revocation step, the user's key is guaranteed not to have expired. In addition, this information effectively reduces the storage the user needs for time precision and removes the link between the user and the expiration time, which achieves irreversible tracing (that is, even if the user's private key information is disclosed, the user's earlier, valid signatures cannot be identified). Specifically, it comprises the following steps:
Step 4.1: the proxy node obtains the current time $t$, matches it against the time-bound full binary tree $BT$ obtained in step 1.3, and runs the CS-TBK algorithm to obtain the information of several nodes: $Y = (v_1, \ldots, v_{num}) \leftarrow \mathrm{CS\text{-}TBK}(BT, t)$; it selects random numbers $\{\zeta'_j\}_{j\in[1,num]} \leftarrow Z_q$ and finally sends the current time, the obtained node information and the random numbers $(t, \{v_j, \zeta'_j\}_{j\in[1,num]})$ to the blockchain committee nodes. Here the CS-TBK algorithm selects, in the binary tree, the highest subtree roots covering all leaves after the current time; every leaf under such a root is bound to a time no earlier than the current time, so holding such a root node shows that the user's information has not expired. The root nodes selected by CS-TBK therefore need to be signed, and the selected root nodes and the random numbers are sent to the committee nodes;
Step 4.2: each blockchain committee node receives the current time, the node information and the random numbers $(t, \{v_j, \zeta'_j\}_{j\in[1,num]})$ sent in step 4.1, selects, according to the number of binary-tree nodes, the masked exponent information stored in step 3.1.4, and performs the joint computation to obtain the masked revocation auxiliary information $\{B_{j,t,k}\}_{j\in[1,num]}$, which it finally sends to the proxy node. That is, after each blockchain committee node receives the random numbers and binary-tree root nodes from the proxy node, it takes out, from the joint triples precomputed by the exponent joint inversion algorithm in step 3.1, as many as there are root nodes; each node separately obtains its $r_{j,k}$, computes its signature fragments and sends them to the proxy node. Unlike the user identity issuance stage, this content does not need to be encrypted, because the expiration auxiliary information is public;
Step 4.3: the proxy node receives the masked revocation auxiliary information $\{B_{j,t,k}\}_{j\in[1,num]}$ sent by the blockchain committee nodes in step 4.2, selects a random number $y_t \leftarrow Z_q$ and computes a commitment to it; after the commitment is computed, it aggregates the masked revocation auxiliary information pieces to obtain the complete revocation auxiliary information, collates it and finally sends it to the blockchain committee nodes. That is, the proxy node aggregates the node key fragments to obtain the final root-node signature, which is the expiration auxiliary information, and this information is published to the whole network.
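As an added illustration, not part of the patent text, the following Python code models the time-bound full binary tree $BT$ of step 1.3, the path $Path(\eta)$ a user receives at registration (step 3.2.2) and the cover $\mathrm{CS\text{-}TBK}(BT, t)$ selected for the current time in step 4.1, and shows why a user's key stays usable exactly while its expiry leaf lies under one cover node. It assumes a heap-numbered tree with one time unit per leaf; the per-node random numbers and the signatures on the cover nodes are omitted.

```python
from typing import List, Optional


class TimeBoundTree:
    """Full binary tree BT of depth `depth` (constructed stand-in for step 1.3).

    Nodes are heap-numbered: the root is 1 and the children of v are 2v and 2v+1,
    so the leaves are 2**depth .. 2**(depth+1)-1, left to right.  Leaf i is bound
    to the time t0 + i (increasing left to right, as in step 1.3).  The per-node
    random numbers of the patent are not modelled here.
    """

    def __init__(self, depth: int, t0: int = 0) -> None:
        self.depth = depth
        self.t0 = t0
        self.n_leaves = 1 << depth

    def leaf_for_time(self, tau: int) -> int:
        """Leaf eta bound to the expiry time tau (allocated to the user in step 3.2.2)."""
        i = tau - self.t0
        if not 0 <= i < self.n_leaves:
            raise ValueError("time outside the range covered by BT")
        return self.n_leaves + i

    def path(self, leaf: int) -> List[int]:
        """Path(eta): the nodes u_1..u_l from the leaf up to the root.

        The user receives one group-key component per path node (steps 3.2.2-3.2.5).
        """
        nodes = []
        v = leaf
        while v >= 1:
            nodes.append(v)
            v //= 2
        return nodes

    def cs_tbk(self, t: int) -> List[int]:
        """CS-TBK(BT, t): the minimal set of subtree roots v_1..v_num whose leaves
        are exactly the leaves bound to times >= t (the cover of step 4.1).

        The cover has at most `depth` nodes, so signing one revocation helper per
        cover node is far cheaper than signing one per remaining time unit.
        """
        lo = max(t - self.t0, 0)
        if lo >= self.n_leaves:
            return []  # every leaf has expired
        return self._cover(1, 0, self.n_leaves, lo)

    def _cover(self, v: int, v_lo: int, v_hi: int, lo: int) -> List[int]:
        # Subtree v spans the leaf indices [v_lo, v_hi).
        if v_lo >= lo:
            return [v]  # whole subtree still valid: its root covers it
        if v_hi <= lo:
            return []  # whole subtree expired
        mid = (v_lo + v_hi) // 2
        return self._cover(2 * v, v_lo, mid, lo) + self._cover(2 * v + 1, mid, v_hi, lo)


def usable_node(tree: TimeBoundTree, expiry_leaf: int, t: int) -> Optional[int]:
    """The node a signer can use at time t: the unique element of
    Path(eta) ∩ CS-TBK(BT, t).  None means the user's key has expired.  Cover
    subtrees are disjoint and a leaf lies under at most one of them, so the
    intersection never has more than one element.
    """
    common = set(tree.path(expiry_leaf)) & set(tree.cs_tbk(t))
    if len(common) > 1:
        raise AssertionError("cover nodes must be disjoint subtrees")
    return common.pop() if common else None


if __name__ == "__main__":
    bt = TimeBoundTree(depth=3)  # 8 leaves bound to times 0..7
    print(bt.cs_tbk(3))  # [11, 3]: the leaf for time 3 plus the subtree of times 4..7
    print(usable_node(bt, bt.leaf_for_time(5), 3))  # 3
    print(usable_node(bt, bt.leaf_for_time(2), 3))  # None: expired before t = 3
```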
Step 5 specifically comprises the following steps:
Step 5.1: the user selects random numbers $\alpha, \beta, d \leftarrow Z_q$;
Step 5.2: the user uses the basic parameters of step 1.1, the user group private key obtained in step 3, the revocation auxiliary information obtained in step 4.3 and the random numbers $\alpha, \beta, d \leftarrow Z_q$ selected in step 5.1 to obtain the relation parameters: $\psi_1 = f^{\alpha}$, ..., $\delta = \alpha\xi$, $\delta' = \alpha\xi'$;
Step 5.3: the user again selects random numbers: $r_\alpha, r_\beta, r_\zeta, r_\xi, r_{\zeta'}, r_{\xi'}, r_u, r_x, r_\delta, r_{\delta'} \leftarrow Z_q$;
Step 5.4: the user uses the random numbers selected in step 5.3 and the relation parameters computed in step 5.2 to compute the proving parameters $R_1, \ldots, R_6$;
Step 5.5: the user uses the relation parameters of step 5.2 and the proving parameters of step 5.4 to generate the hash value that serves as the random challenge of the non-interactive zero-knowledge proof: $c \leftarrow H(\psi_1, \ldots, \psi_7, R_1, \ldots, R_6, m)$;
Step 5.6: the user uses the random challenge of step 5.5 to compute the non-interactive zero-knowledge proof: $s_\alpha = r_\alpha + c\alpha$, $s_\beta = r_\beta + c\beta$, $s_\zeta = r_\zeta + c\zeta$, $s_\xi = r_\xi + c\xi$, $s_{\zeta'} = r_{\zeta'} + c\zeta'$, $s_{\xi'} = r_{\xi'} + c\xi'$, $s_u = r_u + cu$, $s_x = r_x + cx_i$, $s_\delta = r_\delta + c\delta$, $s_{\delta'} = r_{\delta'} + c\delta'$;
Step 5.7: the user collates the relation parameters of step 5.2, the random challenge of step 5.5 and the non-interactive zero-knowledge proof of step 5.6 into the signature $\sigma = (\psi_1, \ldots, \psi_7, c, s_\alpha, s_\beta, s_\zeta, s_\xi, s_{\zeta'}, s_{\xi'}, s_u, s_x, s_\delta, s_{\delta'})$ and sends it to the proxy node;
The signature mainly proves that: the key used in the signature is the key issued to the user in the identity issuance stage; the node signature used is one of the node signatures generated in the revocation stage; the tree root node is one of the results of running the CS-TBK algorithm at the current time; the user's group key and the signature of the tree root node refer to the same node; the user holds the user private key; and all signing steps were carried out according to the designed procedure, with no illegal operation.
Step 6 specifically comprises the following steps:
Step 6.1: the proxy node receives the signature $\sigma = (\psi_1, \ldots, \psi_7, c, s_\alpha, s_\beta, s_\zeta, s_\xi, s_{\zeta'}, s_{\xi'}, s_u, s_x, s_\delta, s_{\delta'})$ sent by the user in step 5.7 and first performs format verification. After the format verification passes, the proxy node performs zero-knowledge proof verification on the user's signature; after that passes, it sends the user signature $\sigma$ and the verification result 0/1 to the other blockchain committee nodes. When the format verification or the zero-knowledge proof verification fails, the proxy node sends the (failed) verification result to the other blockchain committee nodes. The zero-knowledge proof verification comprises the following steps:
Step 6.1.1: compute $R'_1, \ldots, R'_6$:
Step 6.1.2: verify: $0/1 \leftarrow c \stackrel{?}{=} H(\psi_1, \ldots, \psi_7, R'_1, \ldots, R'_6, m)$;
Step 6.1.3: verify:
Step 6.2: after each blockchain committee node receives the user signature $\sigma$ and the verification result 0/1 sent by the proxy node in step 6.1, it repeats the verification of step 6.1. If its verification passes and agrees with the proxy node's result, the message is put on the chain; if its verification fails and agrees with the proxy node's result, the message is discarded; if its result disagrees with the verification result sent by the proxy node in step 6.1, the blockchain committee node sends its own verification result to the other blockchain committee nodes, and if the preset number of blockchain committee nodes from step 3 confirm that their results disagree with the proxy node's result of step 6.1, the proxy node is replaced.
Step 7 is the joint tracing (Open) phase: when a committee node finds erroneous data on the chain, the identity of the user who put that data on the chain has to be traced jointly. Specifically, it comprises the following steps:
Step 7.1: each blockchain committee node verifies the user's signature as in step 6.2 and, upon finding that the verification fails, computes its decryption fragment of the group private key contained in the user's signature together with a zero-knowledge proof for that fragment; finally it sends the decryption fragment of the user group key and its zero-knowledge proof $(A'_i, \pi'_i)$ to the proxy node. That is, each blockchain committee node first decrypts with its own key share to obtain a decryption fragment of the user's private key, and provides the corresponding zero-knowledge proof to guarantee the correctness of the decryption;
Step 7.2: the proxy node receives the user group key decryption fragments and their zero-knowledge proofs $(A'_i, \pi'_i)$ sent by the blockchain committee nodes in step 7.1 and verifies the correctness of each decryption; after the verification passes, the proxy node aggregates the decryption fragments of all nodes and computes the user's group private key $A$ from $\psi_2$ and the aggregated fragments, finally sending the user's group private key to each blockchain committee node. That is, the proxy node verifies the decryption zero-knowledge proofs, ensures the correctness and format consistency of the contents, and then aggregates the decryption fragments to obtain the complete user private key;
Step 7.3: each blockchain committee node receives the user group private key sent by the proxy node in step 7.2, encrypts it to obtain an encrypted fragment of the user private key, and at the same time computes a zero-knowledge proof of the correctness of that encryption, obtaining $(C'_k, \pi'_i)$; finally it sends the encrypted fragment and the proof of the encryption $(C'_k, \pi'_i)$ to the proxy node. Because no blockchain committee node could learn the user's private key when the identity was issued, all nodes store only an encrypted form of the user's private key; the identity can therefore only be compared by encrypting the user's private key again, so every node encrypts the user's private key with its own private key to obtain an encrypted fragment, gives a zero-knowledge proof for that fragment, and sends the fragment and the proof to the proxy node, which aggregates them;
Step 7.4: the proxy node receives the encrypted fragments and the zero-knowledge proofs of the encryption $(C'_k, \pi'_i)$ sent by the blockchain committee nodes in step 7.3 and verifies the zero-knowledge proofs of the encrypted fragments of the user group private key; if the verification passes, it aggregates the received encrypted fragments to complete the encryption of the user group private key, and finally sends the encrypted form $C'$ of the user group private key to the blockchain committee nodes. That is, the proxy node first checks whether each node's encrypted fragment is correct and whether the node's own private key was used to encrypt the user private key, then aggregates the encrypted fragments into the complete ciphertext of the user private key and sends it to all committee nodes, so that each node can compare it with its local storage and look up the specific information of the offending user;
Step 7.5: after receiving the encrypted form $C'$ of the user group private key sent by the proxy node in step 7.4, each blockchain committee node searches its user registry for the entry $reg[k]$ that contains $C'$ and thereby obtains the specific information $k$ of the user; each blockchain committee node reports whether it holds the user's information in its registry and outputs the specific information of the user.
A distributed supervisory system for identity privacy protection and traceability on a blockchain, comprising the following modules:
the system initialization module is used for initializing parameters and generating basic parameters, and the basic parameters are used for realizing the step 1 of the distributed supervision method for protecting and tracking identity privacy on the blockchain;
The block chain committee key module generates a block chain committee public and private key pair based on basic parameters generated by the system initialization module, and uplinks and stores the block chain committee public and private key pair, and is used for realizing the step 2 of the distributed supervision method for protecting identity privacy and being traceable on a block chain;
the user identity issuing module generates a group private key for a user based on the block chain committee private key stored by the block chain committee key module, carries out identity binding, and simultaneously locally stores ciphertext of the user private key, and is used for realizing the step 3 of the distributed supervision method for protecting and tracking identity privacy on the block chain;
the revocation module is used for generating revocation auxiliary information bound with time based on a block chain committee private key generated by the block chain committee key module and realizing the step 4 of the distributed supervision method for protecting identity privacy and being traceable on the block chain;
the signature module is used for completing the anonymous signature with the group private key generated by the user identity issuing module and the time-bound revocation auxiliary information generated by the revocation module, and realizes step 5 of the distributed supervision method for identity privacy protection and traceability on the blockchain;
the verification module is used for verifying whether the anonymous signature completed by the signature module is valid, and realizes step 6 of the distributed supervision method for identity privacy protection and traceability on the blockchain;
the identity revealing module is used for revealing, by means of the blockchain committee private key generated by the blockchain committee key module, the identity behind an anonymous signature that the verification module has found invalid, and for adding it to the revocation list; it realizes step 7 of the distributed supervision method for identity privacy protection and traceability on the blockchain.
The invention also provides a readable storage medium, wherein the readable storage medium stores instructions which, when run on a computer, cause the computer to execute the distributed supervision method for identity privacy protection and traceability on a blockchain.
In summary, the present invention adopts the joint calculation of the preset number of blockchain committee nodes, reveals the user identity, updates the private key fragments of the blockchain committee nodes at regular time and receives, verifies, aggregates and forwards the message by the proxy nodes, thereby improving the user identity security, enhancing the system flexibility and security, and reducing the system complexity.

Claims (10)

1. The distributed supervision method for protecting identity privacy and being traceable on the blockchain is characterized by comprising the following steps of:
step 1: initializing parameters, and generating basic parameters needed in the subsequent protocol: bilinear pair parameters, hash parameters, binary tree parameters, and chaining;
step 2: generating a public and private key pair of the block chain committee by joint calculation of the block chain committee node and the proxy node by using the basic parameters generated in the step 1, and then, uploading the public key of the block chain committee, wherein the private key of the block chain committee is stored in a distributed mode by each block chain committee node;
step 3: a user initiates an application to a block chain committee node to request an identity key, the block chain committee node responds to the user application, when a preset number of block chain committee nodes agree that the user joins, the block chain committee node calculates the block chain committee private key stored in the step 2, generates a group private key with timeliness limitation for the user, carries out identity binding, and simultaneously the block chain committee node locally reserves a ciphertext of the user private key;
step 4: the block chain committee node and the agent node jointly use the block chain committee private key generated in the step 2 to perform joint calculation on time, and generate revocation auxiliary information bound with time;
Step 5: using the group private key generated in the step 3 and the revocation auxiliary information bound in the step 4 to complete anonymous signature;
step 6: checking whether the anonymous signature finished in the step 5 is valid or not through a block chain committee node and an agent node, if so, uploading the anonymous signature, and if not, executing the step 7;
step 7: the preset number of blockchain committee nodes of step 3 jointly use the blockchain committee private key generated in step 2 to reveal the identity of the user whose anonymous signature was found invalid in step 6, and add that user identity to the revocation list, so that subsequent anonymous signatures of the user are no longer valid.
2. The method for protecting identity privacy and traceable distributed supervision on a blockchain according to claim 1, wherein the step 1 specifically comprises the following steps:
step 1.1: the proxy node selects the bilinear pairing parameters, where the first elements belong to $G_1$ and $G_2$ respectively, $e$ is the mapping from $G_1, G_2$ to $G_T$, and the remaining elements are random group elements of $G_1$;
step 1.2: the proxy node selects a hash algorithm to generate the hash parameter $H: \{0,1\}^* \to Z_q$;
step 1.3: the proxy node generates a full binary tree and the binary tree parameter $BT$, binds each leaf node, from left to right, to times in increasing order, and binds a random number to each node;
step 1.4: the proxy node sends the basic parameters generated in steps 1.1 to 1.3 to all blockchain committee nodes;
step 1.5: the blockchain committee node receives the basic parameters sent in step 1.4, obtains a CL encryption/decryption public-private key pair $(CL.sk_i, CL.pk_i)$ through the CL.KeyGen algorithm, gives a zero-knowledge proof of the correctness of the CL key pair, and sends the CL public key and the zero-knowledge proof to the proxy node;
step 1.6: the proxy node receives the CL public keys and zero-knowledge proofs sent in step 1.5, collates the CL public key and zero-knowledge proof of each blockchain committee node, adds them to the blockchain committee node key pair list, completes node information publication and node ordering, and broadcasts the blockchain committee node key pair list to all blockchain committee nodes;
step 1.7: the blockchain committee node receives the blockchain committee node key pair list broadcast in step 1.6, verifies the CL public key and corresponding zero-knowledge proof of each node, and sends the verification result to all blockchain committee nodes;
step 1.8: when a blockchain committee node receives, among the verification results sent in step 1.7, more than half reporting an error, the blockchain committee node corresponding to that error is removed from the blockchain node network; when all blockchain committee nodes receive only correct verification results in step 1.7, the blockchain committee node key pair list is put on the chain.
3. The method of claim 1, wherein the step 2 comprises the steps of:
step 2.1: every blockchain committee node runs its polynomial to generate the polynomial values of the n corresponding nodes and the commitments to the polynomial coefficients; at the same time it encrypts the n polynomial values with the CL encryption algorithm and gives a zero-knowledge proof relating the encrypted polynomial values to the polynomial value commitments; finally it commits to the resulting value, gives a zero-knowledge proof for that commitment and the ciphertext, and sends them to the proxy node, while broadcasting the commitment to the polynomial constant term coefficient and its zero-knowledge proof to all blockchain committee nodes and the proxy node;
step 2.2: the proxy node receives the values sent in step 2.1 and verifies the correctness of the polynomial coefficient commitments and of the encrypted polynomial values, as well as the correctness of the encryption format; after confirming their correctness, the proxy node aggregates the encrypted polynomial values $\{c'_j = CL.Eval(\{c_{i,j}\}_{i\in[1,n]}, +)\}_{j\in[1,n]}$, then aggregates the polynomial coefficient commitments, sends the aggregated encrypted polynomial value $c'_j$ to the corresponding node $N_j$, and finally broadcasts the aggregated polynomial coefficient commitments to all blockchain committee nodes;
step 2.3: all blockchain committee nodes receive the polynomial constant term commitments and their zero-knowledge proofs of step 2.1, and the encrypted polynomial value $c'_j$ and polynomial coefficient commitments sent by the proxy node in step 2.2; they then aggregate the polynomial constant term commitments broadcast in step 2.1 and verify whether the polynomial constant term commitments are correct. When the verification passes, the proxy node decrypts the encrypted polynomial value, and it is verified whether the polynomial value is correct; when the polynomial value of the current blockchain committee node is confirmed correct, the $vk_A$ values transmitted in step 2.1 are aggregated, the decrypted polynomial value is set as this node's fragment of the blockchain committee private key (the fragments of all blockchain committee nodes together form the blockchain committee private key), $vk_A$ is set as the blockchain committee public key, and the blockchain committee public-private key pair is obtained and stored locally. When the verification fails, the blockchain committee node sends its verification result to the other blockchain committee nodes;
step 2.4: steps 2.1 to 2.3 are performed periodically to complete the regular update of the private key fragments of the blockchain committee nodes.
4. The method for protecting identity privacy and traceable distributed supervision on a blockchain according to claim 1, wherein the step 3 specifically comprises the following steps:
step 3.1: precomputation using the exponent (index) joint inversion algorithm, which provides the exponent information needed to generate the user's group private key;
step 3.1.1: every blockchain committee node selects a random number $r_k \leftarrow Z_q$, encrypts it with the blockchain committee public key $vk_A$ generated in step 2.3 to obtain a first encrypted ciphertext, and computes a zero-knowledge proof for that ciphertext; finally every blockchain committee node sends the first encrypted ciphertext and its zero-knowledge proof to all blockchain committee nodes;
step 3.1.2: each blockchain committee node receives the encrypted random numbers and zero-knowledge proofs of the other blockchain committee nodes from step 3.1.1 and verifies the content of each node; if the encrypted random numbers and zero-knowledge proofs pass verification, it aggregates the encrypted random numbers. Each blockchain committee node then selects a random number $\zeta_k \leftarrow Z_q$, computes homomorphically on the aggregated encrypted random number with it, and gives a zero-knowledge proof; finally each blockchain committee node sends the aggregated ciphertext, the random number and the zero-knowledge proof to the other blockchain committee nodes;
step 3.1.3: each blockchain committee node receives the aggregated ciphertext, random number and zero-knowledge proof of step 3.1.2 and verifies the messages of the other blockchain committee nodes; after every blockchain committee node has verified that the aggregated ciphertexts of all nodes pass, it aggregates them a second time to obtain the second aggregated ciphertext; each blockchain committee node decrypts the second aggregated ciphertext with its key from step 2 and gives a zero-knowledge proof of the decrypted message to guarantee its correctness: $r_k \leftarrow CL.Dec(CL.sk_k, c'_r)$; finally it sends the decrypted message and the zero-knowledge proof to the other blockchain committee nodes;
step 3.1.4: each blockchain committee node receives the decrypted ciphertext information of step 3.1.3 and its zero-knowledge proofs and verifies the decrypted information of each node; after the verification passes, all decrypted information is aggregated to obtain the fully decrypted masked exponent information $r' = r(\gamma_A + \zeta)$, and $temp[i] = (r'_i, \ldots, r_{i,k})$ is stored; if the verification fails, the blockchain committee node sends its verification result to the other blockchain committee nodes;
step 3.2: based on the exponent information of step 3.1, the user identity is issued jointly, a group private key with a validity limit is generated and bound to the identity, and the user private key ciphertext is kept locally at the same time;
step 3.2.1: the current user i generates a CL public-private key pair and gives the corresponding zero-knowledge proof for it: $(CL.sk_i, CL.pk_i) = CL.KeyGen$; user i then selects a random number $x_i \leftarrow Z_q$, sets $usk_i = x_i$, commits to this random number and gives a zero-knowledge proof: it selects a random number $r \leftarrow Z_q$ and computes $s_x = r_x + c_x x_i$; finally user i sends the commitment to the user private key, the CL public key and the zero-knowledge proofs corresponding to the user private key and the CL public key to the proxy node;
step 3.2.2: the proxy node receives the commitment to the user private key, the CL public key and the corresponding zero-knowledge proofs sent by user i in step 3.2.1 and verifies the correctness of the user's data; after the verification passes, the proxy node allocates to user i a leaf node $\eta$ whose bound time corresponds to the identity expiration date $\tau_i$ of the user; according to the expiration time $\tau_i$, the proxy node uses the CS-TBK scheme to give the path nodes of user i: $u_j \in Path(\eta) := (u_1, \ldots, u_l) \leftarrow \mathrm{CS\text{-}TBK}(BT, \tau_i)$; the proxy node then selects random numbers $(\zeta_1, \ldots, \zeta_l) \leftarrow Z_q$ for user i and computes the base part of user i's group private key; finally the proxy node sends the base part and random numbers of user i's group private key, together with the commitment to the user private key, the CL public key and the corresponding zero-knowledge proofs generated in step 3.2.1, to all blockchain committee nodes; if the verification fails, the blockchain committee node sends the verification result to the other blockchain committee nodes;
step 3.2.3: each blockchain committee node receives the base part and random numbers of user i's group private key sent by the proxy node in step 3.2.2, together with the commitment to the user private key, the CL public key and the corresponding zero-knowledge proofs generated in step 3.2.1, and verifies the correctness of the user's data; after the verification passes, it looks up, according to the plaintext $r'_j$, the entry $temp$ of step 3.1.4 and the value $r_{i,k}$ bound to $r'_j$, computes the group private key fragment of user i, and at the same time encrypts the group private key fragment through $\{C_{j,k} = CL.Enc(CL.pk_i, A_{j,k})\}_{j\in[1,l]}$; finally each blockchain committee node sends the ciphertext fragments $\{C_{j,k}\}_{j\in[1,l]}$ of the user group private key to the proxy node and the other blockchain committee nodes; if the verification fails, the blockchain committee node sends its verification result to the other blockchain committee nodes;
step 3.2.4: the proxy node receives the ciphertext fragments $\{C_{j,k}\}_{j\in[1,l]}$ of the user group private key sent by the blockchain committee in step 3.2.3 and sends the user group private key information $(\{C_{j,k}, r'_j, \zeta_j, \ldots, u_j\}_{j\in[1,l]}, \ldots)$ to the current user i;
step 3.2.5: after receiving the user group private key information $(\{C_{j,k}, r'_j, \zeta_j, \ldots, u_j\}_{j\in[1,l]}, \ldots)$ sent by the proxy node, the current user i decrypts the encrypted fragments of the user group private key produced by the blockchain committee nodes and aggregates the group private key fragments: $\{A_{j,k} = CL.Dec(CL.sk_i, C_{j,k})\}_{j\in[1,l]}$, and finally completes the computation of the user's private key;
step 3.2.6: each blockchain committee node receives the ciphertext fragments $\{C_{j,k}\}_{j\in[1,l]}$ of the user group private key sent by the other blockchain committee nodes in step 3.2.3, then uses the key fragment generated in step 2.3 to compute on the user private key ciphertext and obtain the encryption information of the ciphertext fragments of the user group private key, and sends this encryption information to the proxy node;
step 3.2.7: after receiving the encryption information of the ciphertext fragments of the user group private key sent by each blockchain committee node in step 3.2.6, the proxy node aggregates it to obtain the encryption information of the user group private key ciphertext $\{C'_j\}_{j\in[1,l]}$ and sends $\{C'_j\}_{j\in[1,l]}$ to the blockchain committee nodes;
step 3.2.8: each blockchain committee node receives the encryption information $\{C'_j\}_{j\in[1,l]}$ of the user group private key ciphertext sent by the proxy node in step 3.2.7, performs a partial mask elimination on it to obtain the half-masked encryption information of the user group private key, and finally sends the half-masked encryption information $C''_{j,k}$ of the user group private key to the proxy node;
step 3.2.9: the proxy node receives the half-masked encryption information $C''_{j,k}$ of the user group private key sent by the blockchain committee nodes in step 3.2.8, aggregates it so that the mask is completely eliminated, obtains the encryption information of the user group private key $\{C''_j\}_{j\in[1,l]}$ (each $C''_j$ aggregated from the fragments $C''_{j,k}$), and sends the aggregated $\{C''_j\}_{j\in[1,l]}$ to the blockchain committee nodes;
step 3.2.10: each blockchain committee node receives the encryption information $\{C''_j\}_{j\in[1,l]}$ of the user group private key sent by the proxy node in step 3.2.9 and stores locally: $gsk_i = \{(C''_j, \ldots), u_j\}_{j\in[1,l]}$, $reg[i] = (\tau_i, grt_i, \{C''_j\}_{j\in[1,l]})$.
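As an added illustration, not part of the patent text, the following Python code shows the masking pattern behind the exponent joint inversion of steps 3.1.1 to 3.1.4 (also drawn on in step 4.2) and the fragment computation and aggregation of steps 3.2.3 and 3.2.5: each node keeps its own mask share $r_k$, the committee opens only $r' = r(\gamma_A + \zeta)$, and fragments computed from $r_k$ and $r'$ alone multiply to $g^{1/(\gamma_A + \zeta)}$ without anyone holding $\gamma_A$. The CL encryption, homomorphic evaluation, threshold decryption and zero-knowledge proofs of the patent are replaced by plain modular arithmetic in a constructed toy group, the committee key is shared additively rather than by the polynomials of step 2, and the exact fragment form $g^{r_k / r'}$ is an assumption.

```python
import random

# Constructed toy group (NOT the patent's bilinear-pairing parameters): P is a safe
# prime and Q = (P - 1) / 2 is the order of the subgroup generated by G.
P = 1019
Q = 509
G = 4  # 2^2 mod P, a generator of the order-Q subgroup of Z_P^*


def inv_q(x: int) -> int:
    """Inverse modulo the group order q."""
    return pow(x % Q, -1, Q)


def additive_shares(secret: int, n: int, rng: random.Random) -> list:
    """Split `secret` into n additive shares over Z_q (a simplification of the
    polynomial shares the committee derives in step 2; assumption)."""
    shares = [rng.randrange(Q) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % Q)
    return shares


def open_masked_exponent(gamma_shares: list, zeta_shares: list, rng: random.Random):
    """Pattern of steps 3.1.1-3.1.4: every node k picks a mask share r_k and keeps it.
    The committee jointly opens ONLY r' = r * (gamma_A + zeta) mod q with r = sum(r_k);
    gamma_A and 1/(gamma_A + zeta) are never reconstructed by anyone.  The CL
    encryption, homomorphic evaluation, threshold decryption and the zero-knowledge
    proofs that protect each step in the patent are abstracted into plain arithmetic
    here (assumption)."""
    r_shares = [rng.randrange(1, Q) for _ in gamma_shares]
    r = sum(r_shares) % Q
    gamma_plus_zeta = (sum(gamma_shares) + sum(zeta_shares)) % Q
    if r == 0 or gamma_plus_zeta == 0:
        raise ValueError("degenerate mask or exponent; rerun the precomputation")
    r_prime = (r * gamma_plus_zeta) % Q  # the value stored as r' in temp[.]
    return r_prime, r_shares


def key_fragment(r_prime: int, r_k: int) -> int:
    """Node k's fragment A_k = g^{r_k / r'}: needs only its own r_k and the public r'
    (the fragment form is an assumption about the patent's step 3.2.3)."""
    return pow(G, (r_k * inv_q(r_prime)) % Q, P)


def aggregate_fragments(fragments) -> int:
    """User-side aggregation (step 3.2.5): the product of the fragments equals
    g^{sum(r_k)/r'} = g^{r / (r (gamma_A + zeta))} = g^{1 / (gamma_A + zeta)}."""
    a = 1
    for f in fragments:
        a = (a * f) % P
    return a


def check_key(a: int, gamma: int, zeta: int) -> bool:
    """A is the correct key for the exponent gamma_A + zeta iff A^{gamma_A + zeta} = g
    (a modular stand-in for the pairing check used by the signature scheme)."""
    return pow(a, (gamma + zeta) % Q, P) == G


def demo(n: int = 4, seed: int = 7):
    """Run the whole flow for an n-node committee with constructed randomness.
    Returns (key passes the check, key equals g^{1/(gamma_A+zeta)} computed directly)."""
    rng = random.Random(seed)
    while True:
        gamma = rng.randrange(1, Q)
        gamma_shares = additive_shares(gamma, n, rng)
        zeta_shares = [rng.randrange(Q) for _ in range(n)]
        zeta = sum(zeta_shares) % Q
        try:
            r_prime, r_shares = open_masked_exponent(gamma_shares, zeta_shares, rng)
        except ValueError:
            continue  # happens with probability about 2/q per attempt in this toy group
        break
    a = aggregate_fragments(key_fragment(r_prime, r_k) for r_k in r_shares)
    direct = pow(G, inv_q(gamma + zeta), P)
    return check_key(a, gamma, zeta), a == direct


if __name__ == "__main__":
    print(demo())  # (True, True)
```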
5. The method of claim 1, wherein the step 4 comprises the steps of:
Step 4.1: the proxy node obtains the current time $t$ and, using the time-bound full binary tree $BT$ obtained in step 1.3, runs the CS-TBK algorithm to obtain the information of several nodes: $Y=(v_1,\ldots,v_{num}) \leftarrow \mathrm{CS\text{-}TBK}(BT,t)$; it selects random numbers $\{\zeta'_j\}_{j\in[1,num]} \leftarrow \mathbb{Z}_q$ and finally sends the current time, the obtained node information and the random numbers $(t,\{v_j,\zeta'_j\}_{j\in[1,num]})$ to the blockchain committee nodes;
Step 4.2: each blockchain committee node, after receiving the current time, node information and random numbers $(t,\{v_j,\zeta'_j\}_{j\in[1,num]})$ sent in step 4.1, selects the binary tree node count and the masked index information stored in step 3.1.4 and performs a joint calculation to obtain the masked revocation assistance information $\{B_{j,t,k}\}_{j\in[1,num]}$; finally it sends the masked revocation assistance information $\{B_{j,t,k}\}_{j\in[1,num]}$ to the proxy node;
Step 4.3: the proxy node, after receiving the masked revocation assistance information $\{B_{j,t,k}\}_{j\in[1,num]}$ sent by the blockchain committee nodes in step 4.2, selects a random number $y_t \leftarrow \mathbb{Z}_q$ and computes a commitment to it; after the commitment calculation is completed, it aggregates the pieces of masked revocation assistance information to obtain the complete revocation assistance information, and finally consolidates the revocation assistance information and transmits it to the blockchain committee nodes.
6. The method of claim 1, wherein the step 5 comprises the steps of:
Step 5.1: the user selects random numbers $\alpha,\beta,d \leftarrow \mathbb{Z}_q$;
Step 5.2: the user uses the basic parameters of step 1.1, the user group private key obtained in step 3, the revocation assistance information obtained in step 4.3 and the random numbers $\alpha,\beta,d \leftarrow \mathbb{Z}_q$ selected in step 5.1 to obtain the relation parameters: $\psi_1=f^{\alpha}$, $\delta=\alpha\xi$, $\delta'=\alpha\xi'$;
Step 5.3: the user again selects random numbers $r_\alpha, r_\beta, r_\zeta, r_\xi, r_{\zeta'}, r_{\xi'}, r_u, r_x, r_\delta, r_{\delta'} \leftarrow \mathbb{Z}_q$;
Step 5.4: the user uses the random numbers selected in step 5.3 and the relation parameters calculated in step 5.2 to compute the proof parameters:
Step 5.5: the user uses the relation parameters of step 5.2 and the proof parameters of step 5.4 to generate the hash value that serves as the random challenge of the non-interactive zero-knowledge proof: $c \leftarrow H(\psi_1,\ldots,\psi_7,R_1,\ldots,R_6,m)$;
Step 5.6: the user uses the random challenge of step 5.5 to compute the non-interactive zero-knowledge proof: $s_\alpha=r_\alpha+c\alpha$, $s_\beta=r_\beta+c\beta$, $s_\zeta=r_\zeta+c\zeta$, $s_\xi=r_\xi+c\xi$, $s_{\zeta'}=r_{\zeta'}+c\zeta'$, $s_{\xi'}=r_{\xi'}+c\xi'$, $s_u=r_u+cu$, $s_x=r_x+cx_i$, $s_\delta=r_\delta+c\delta$, $s_{\delta'}=r_{\delta'}+c\delta'$;
Step 5.7: the user assembles the relation parameters of step 5.2, the random challenge of step 5.5 and the non-interactive zero-knowledge proof of step 5.6 into the signature information $\sigma=(\psi_1,\ldots,\psi_7,c,s_\alpha,s_\beta,s_\zeta,s_\xi,s_{\zeta'},s_{\xi'},s_u,s_x,s_\delta,s_{\delta'})$ and sends it to the proxy node.
7. The method of claim 1, wherein the step 6 comprises the steps of:
Step 6.1: the proxy node, after receiving the signature information $\sigma=(\psi_1,\ldots,\psi_7,c,s_\alpha,s_\beta,s_\zeta,s_\xi,s_{\zeta'},s_{\xi'},s_u,s_x,s_\delta,s_{\delta'})$ sent by the user in step 5.7, performs format verification on it; after the format verification passes, the proxy node performs zero-knowledge proof verification on the user signature information, and after the zero-knowledge proof verification passes it sends the user signature information $\sigma$ and the verification result 0/1 to the other blockchain committee nodes; when the format verification or the zero-knowledge proof verification fails, the proxy node sends the verification result to the other blockchain committee nodes. The zero-knowledge proof verification comprises the following steps:
Step 6.1.1: calculate:
Step 6.1.2: verify: $0/1 \leftarrow c \overset{?}{=} H(\psi_1,\ldots,\psi_7,R'_1,\ldots,R'_6,m)$;
Step 6.1.3: verify:
Step 6.2: after each blockchain committee node receives the user signature information $\sigma$ and the verification result 0/1 sent by the proxy node in step 6.1, it repeats the verification operation of step 6.1; if the verification passes and agrees with the proxy node's result, the message is put on the chain; if the verification fails and agrees with the proxy node's result, the message is discarded; if the result is inconsistent with the verification information sent by the proxy node in step 6.1, the blockchain committee node sends its own verification information to the other blockchain committee nodes, and if the preset number of blockchain committee nodes of step 3 confirm the inconsistency with the proxy node's verification information of step 6.1, the proxy node is replaced.
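As an added illustration that is not code from the patent, the following Python models the Fiat-Shamir signing of steps 5.1-5.7 and the proxy node's check of steps 6.1.1-6.1.2 for the single relation $\psi_1=f^{\alpha}$, the only relation whose formula survives on this page; the group parameters p, q, f are a constructed toy stand-in for the step 1.1 basic parameters, the hash omits $\psi_2,\ldots,\psi_7$ and $R_2,\ldots,R_6$, and the names hash_challenge, sign and verify are this example's own.

```python
import hashlib
import secrets

# Toy parameters standing in for the patent's step 1.1 basic parameters (constructed for this
# example and far too small for real use): p = 2q + 1 with q prime, f a generator of the order-q
# subgroup of Z_p^*. Exponents live in Z_q, group elements in Z_p.
q = 1019
p = 2 * q + 1          # 2039, a safe prime
f = 4                  # 2^2 is a quadratic residue mod p, so it has order exactly q
assert pow(f, q, p) == 1

def hash_challenge(*parts):
    """Steps 5.5 / 6.1.2: the Fiat-Shamir challenge c <- H(psi_1, R_1, m) reduced into Z_q.
    The patent hashes psi_1..psi_7 and R_1..R_6; only the psi_1 relation is modelled here."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else int(part).to_bytes(8, "big")
        h.update(len(data).to_bytes(2, "big") + data)  # length-prefix every field
    return int.from_bytes(h.digest(), "big") % q

def sign(alpha, m):
    """Steps 5.1-5.7 restricted to the relation psi_1 = f^alpha, alpha being the user's secret."""
    psi_1 = pow(f, alpha, p)                  # step 5.2: relation parameter
    r_alpha = secrets.randbelow(q)            # step 5.3: fresh randomness in Z_q
    R_1 = pow(f, r_alpha, p)                  # step 5.4: proof parameter
    c = hash_challenge(psi_1, R_1, m)         # step 5.5: random challenge
    s_alpha = (r_alpha + c * alpha) % q       # step 5.6: response
    return (psi_1, c, s_alpha)                # step 5.7: sigma = (psi_1, c, s_alpha)

def verify(sigma, m):
    """Step 6.1: format check, then 6.1.1 recompute R'_1 = f^s_alpha * psi_1^(-c) and
    6.1.2 check c == H(psi_1, R'_1, m). Returns the 0/1 result the proxy node forwards."""
    psi_1, c, s_alpha = sigma
    if not (1 <= psi_1 < p and 0 <= c < q and 0 <= s_alpha < q):
        return False                          # malformed element or exponent
    if pow(psi_1, q, p) != 1:
        return False                          # psi_1 must lie in the order-q subgroup
    # psi_1 has order q, so psi_1^(-c) == psi_1^((q - c) mod q); no modular inverse needed.
    R_1_prime = pow(f, s_alpha, p) * pow(psi_1, (q - c) % q, p) % p
    return c == hash_challenge(psi_1, R_1_prime, m)

if __name__ == "__main__":
    alpha = secrets.randbelow(q - 1) + 1
    m = b"constructed transaction payload"
    sigma = sign(alpha, m)
    print("valid signature verifies:", verify(sigma, m))                                       # True
    print("tampered response verifies:", verify((sigma[0], sigma[1], (sigma[2] + 1) % q), m))  # False
```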
8. The method of claim 1, wherein the step 7 comprises the steps of:
Step 7.1: each blockchain committee node, upon verifying the user's signature information in step 6.2 and finding that the verification fails, computes the decryption fragment of the group private key contained in the user's signature information and performs a zero-knowledge proof computation on that fragment; finally it sends the decryption fragment of the user group key together with its zero-knowledge proof $(A'_i,\pi'_i)$ to the proxy node;
Step 7.2: the proxy node, after receiving the user group key decryption fragments and zero-knowledge proofs $(A'_i,\pi'_i)$ sent by the blockchain committee nodes in step 7.1, verifies the correctness of the decryption operation; after the verification passes, the proxy node aggregates the decryption fragments of the nodes into $A'$, computes the user's group private key $A$ from $\psi_2$ and $A'$, and finally sends the user's group private key to each blockchain committee node;
Step 7.3: each blockchain committee node, after receiving the user group private key sent by the proxy node in step 7.2, encrypts the user private key to obtain an encrypted fragment of the user private key and at the same time performs a zero-knowledge proof computation on the encrypted user private key, obtaining the zero-knowledge proof of the correctness of the encryption operation $(C'_k,\pi'_i)$; finally it sends the encrypted fragment and the zero-knowledge proof of the encryption operation $(C'_k,\pi'_i)$ to the proxy node;
Step 7.4: the proxy node, after receiving the encrypted fragments and the zero-knowledge proofs of the encryption operation $(C'_k,\pi'_i)$ sent by the blockchain committee nodes in step 7.3, performs zero-knowledge proof verification on the encrypted fragments of the user group private key; if the verification passes, it aggregates the received encrypted fragments to complete the encryption of the user group private key, and finally sends the encrypted form $C'$ of the user group private key to the blockchain committee nodes;
Step 7.5: after receiving the encrypted form $C'$ of the user group private key sent by the proxy node in step 7.4, the blockchain committee node looks up the entry $\mathrm{reg}[k]$ of the user registry that contains $C'$, and thereby obtains the identity information $k$ of the user.
9. A distributed supervisory system for protecting and tracking identity privacy on a blockchain, applying a distributed supervisory method for protecting and tracking identity privacy on a blockchain as defined in any of claims 1-8, wherein the distributed supervisory system for protecting and tracking identity privacy on a blockchain comprises the following modules:
The system initialization module initializes parameters and generates basic parameters;
the blockchain committee key module generates a blockchain committee public-private key pair based on the basic parameters generated by the system initialization module, and uploads and stores the blockchain committee public-private key pair on the chain;
the user identity issuing module generates a group private key for a user based on the block chain committee private key stored by the block chain committee key module, performs identity binding, and simultaneously locally stores ciphertext of the user private key;
the revocation module is used for generating revocation auxiliary information bound with time based on the block chain committee private key generated by the block chain committee key module;
the signature module completes anonymous signature by using the group private key generated by the user identity issuing module and the revocation auxiliary information bound by the revocation module;
the verification module is used for verifying whether the anonymous signature completed by the signature module is valid or not;
and the identity revealing module uses the blockchain committee private key generated by the blockchain committee key module to reveal the identity behind a signature that the verification module has found invalid, and adds that identity to the revocation list.
10. A readable storage medium storing instructions which, when executed on a computer, cause the computer to perform the distributed supervision method for identity privacy protection and traceability on a blockchain as defined in any one of claims 1-8.
CN202311835033.3A 2023-12-28 2023-12-28 Identity privacy protection and traceable distributed supervision method and system on blockchain and readable storage medium Pending CN117792607A (en)


Publications (1)

Publication Number Publication Date
CN117792607A true CN117792607A (en) 2024-03-29

Family

ID=90388866



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination