WO2019105407A1 - A zero-knowledge proof method and medium suitable for blockchain privacy protection - Google Patents
- Publication number: WO2019105407A1 (application PCT/CN2018/118131, CN2018118131W)
- Authority: WO, WIPO (PCT)
- Prior art keywords: user, proof, phase, random number, zero
Classifications
- H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
- H04L9/3221—as above, interactive zero-knowledge proofs
- H04L9/3247—as above, involving digital signatures
- H04L63/0435—Network architectures or protocols for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected and the sending and receiving entities apply symmetric encryption
- H04L63/0869—Network architectures or protocols for authentication of entities, for achieving mutual authentication
- G06Q20/3825—Payment protocols insuring higher security of transaction; use of electronic signatures
- G06Q20/405—Authorisation, e.g. identification of payer or payee; establishing or using transaction specific rules
Definitions
- The invention relates to blockchain privacy protection technology, and in particular to a zero-knowledge proof method for blockchain privacy protection.
- A blockchain system is a public ledger that solves the consensus problem of establishing trust among parties. Every participant obtains a complete backup of the data, and all transaction data is open and transparent. This is the blockchain's advantage, but for many blockchain applications the same property is fatal: users want their account privacy and transaction information protected, and for many businesses account and transaction information is an important asset and a trade secret that they do not want shared publicly with their peers. Sensitive data in particular must balance privacy protection against compliance regulation, and in business scenarios involving many trade secrets and interests, exposing the data violates business rules and regulatory requirements.
- a smart contract is a piece of code that runs on a blockchain that controls and manages the database.
- the assets of each account are stored in the database of the smart contract, and the data in the database can be operated by the smart contract under certain conditions.
- the balance of each account and the operation of the balance are recorded and performed in a smart contract.
- an inter-node transfer operation is performed by broadcasting a message between all nodes and executing a smart contract.
- the balance of each node is private information, and each node wants its balance to be invisible to other nodes.
- The content of a transfer is also private information, so the balance changes carried in the broadcast message should not be visible to other nodes either.
- At the same time, the smart contract must still support changes to the balance, and everyone must be able to operate on balances.
- a consistent public ledger is maintained between the nodes.
- the ledger records the balance information of each node, and the nodes operate on the common ledger through a certain consensus mechanism.
- The transaction information of all users in the ledger, together with everything else recorded on the blockchain, is exposed, and the problem of protecting user privacy arises.
- The system needs to keep blockchain transactions verifiable and the history auditable, and guarantee the validity of transactions, while protecting user privacy.
- Bitcoin's solution to privacy protection is to achieve anonymity by blocking the association between the transaction address and the address holder's true identity. So although you can see the address of the sender and recipient of each transfer record, it does not correspond to a specific person in the real world. However, such protection is very weak.
- the association between the account and the transaction can be traced through the address ID, IP information, and the like.
- CoinJoin (coin mixing): the idea is to sever the relationship between input addresses and output addresses. If many people take part in one transaction, with many inputs and outputs, it becomes hard to find each person's matching pair among the inputs and outputs, so the link between inputs and outputs is effectively severed. Mixing many times with a small amount each time works better. Although this method is highly anonymous, its risk assessment is inadequate and an anonymous third party must be trusted.
- the balance on the public ledger is directly encrypted. Only the node itself or the relevant party that gives the right can view the transaction information, and the remaining nodes cannot operate the data, and the account information is difficult to maintain consistency.
- Chinaledger proposed a scheme based on the Central Counterparty (CCP).
- the transaction initiator uses the CCP's public key to encrypt the transaction. After signing, it is submitted to the CCP.
- The CCP decrypts the transaction, checks the signature and the balance, and if the transaction is valid transfers the amount.
- The remaining nodes can only endorse the transaction, not the balance.
- Although this scheme protects the privacy of the node user, it is too centralized, and the whole system relies on the reputation of the CCP.
- Ring signature: a ring signature is a simplified group-like signature, so named because the signature is formed into a ring according to a fixed rule.
- One member of the ring signs with their own private key and the public keys of the other members, without needing the other members' permission; the verifier knows only that the signature comes from this ring, not who the real signer is.
- Ring signatures solve the problem of full anonymity for signers, which allows a member to sign on behalf of a group of people without revealing the signer's information.
- the ring signature technology only solves the issue of the anonymity of the trader and cannot protect the privacy of the transaction.
- Homomorphic encryption is a method for performing computations on encrypted data without decrypting it first.
- Storing data on the blockchain with homomorphic encryption achieves a good balance without any major change to the properties of the blockchain.
- the blockchain is still a public blockchain.
- the data on the blockchain will be encrypted, thus taking care of the privacy of the public blockchain.
- the homomorphic encryption technique makes the public blockchain have the privacy effect of the private blockchain.
- Additively homomorphic encryption can hide the transaction amounts and user balances on the blockchain while still allowing the remaining users to operate on the balances in the public ledger.
- Homomorphic encryption alone cannot confirm the consistency of a transaction and lacks a step that verifies the validity of the transaction.
- Zero-knowledge proof is a cryptographic technique for proving certain computations on data without revealing the data itself; it allows two parties (prover and verifier) to establish that a proposition is true without revealing any information beyond the fact that it is true.
- In cryptocurrencies and blockchains this usually refers to transaction data.
- Zcash introduces the zero-knowledge proof technology zk-SNARKs to achieve a cryptocurrency with zero-knowledge-level anonymity. A Zcash transaction exposes neither the transaction addresses nor the amount, but Zcash's applicable scenarios are limited: it targets only Bitcoin's UTXO model, cannot be extended to a balance model such as Ethereum's, and does not support smart contracts well.
- In terms of performance, Zcash needs a circuit conversion and computation when generating a proof.
- The resources and time consumed are very large, so Zcash light nodes do not use SNARK technology when initiating transactions; only full nodes do. When generating system parameters, Zcash must rely on one or more strong centers.
- The trapdoor that controls the entire system is also hidden in the system parameters; the usage scenario is relatively narrow, and the SNARK technology in Zcash currently has no other application.
- The object of the present invention is to solve the above problems by providing a zero-knowledge proof method and medium suitable for blockchain privacy protection, which supports Bitcoin's UTXO model and Ethereum's balance model and combines well with smart contracts.
- the technical solution of the present invention is as follows:
- the present invention discloses a zero-knowledge proof method suitable for blockchain privacy protection, including:
- In the proof generation phase, the balance ciphertext of the proving node and the transfer amount ciphertexts encrypted under the proving node's and the verifying node's public keys are generated; the proving node generates random parameters, takes the system parameters obtained in the initialization phase as the common input, and computes the proof.
- The proving node sends π to the verifying node, which combines it with the system parameters, parses π, verifies whether the conditions are satisfied and, if so, allows the transaction.
- The parties transacting in the user configuration phase use the Paillier encryption system.
- In the proof generation phase, when user A holding balance t_A transfers an amount t to user B, the following operations are performed:
- Step 1: user A obtains the ciphertext of t_A from the ledger, […], where r is a random number and N_A is the public key of user A;
- Step 2: the parameters of the proof are generated in steps (1) to (3):
- N_A is the public key of user A;
- N_B is the public key of user B;
- r_t and […] are the generated random numbers, and l is the random number used in the Pedersen commitment;
- ε and γ are the two parameters describing the plaintext space of the scheme.
- Step 3: using the system parameter PP as the common input and A's private input […], generate the proof of the above assertion; the proof is generated by the following steps: […]
- H is a cryptographic hash function.
- Extractor: when user A obtains the ciphertext of t_A from the ledger, if A does not know the value of the random number r, an extractor is used.
- The extractor algorithm recovers the random number r from the plaintext t_A and the private key λ_A.
- The invention also discloses an embodiment of a computer-readable storage medium storing a computer program in which the parties transacting in the user configuration phase run the Paillier encryption system.
- The further storage-medium embodiments run the same proof generation steps (Steps 1 to 3), hash function H and extractor as the method embodiments above.
- The method of the invention comprises: the system parameters of an initialization phase (including the parameter generation process and their meaning); the specific process of generating the zero-knowledge proof in the proof generation phase (including the ciphertexts generated in the process and the formulas and parameters involved); and the verification phase (including the verification formulas and conditions).
- The zero-knowledge proof scheme for blockchain privacy protection of the invention protects the transaction amount by combining it with a homomorphic encryption algorithm.
- The data in the public ledger of the smart contract is stored as homomorphically encrypted ciphertext, and during a transaction a non-interactive zero-knowledge proof is generated to verify the legitimacy and validity of the transaction.
- The specific algorithm considers two transaction participants in the blockchain: the proving node and the verifying node.
- The system first initializes the parameters, and the transacting nodes generate their public/private key pairs and define the encryption mode; then the node obtains the balance ciphertext and the transfer amount ciphertexts encrypted under the proving node's and the verifying node's public keys; the proving node then computes the relevant parameters.
- The advantages of the algorithm of the invention are that it supports both the Bitcoin UTXO model and the Ethereum balance model (being better suited to the balance model), fits smart contract design and combines well with smart contracts; the system parameters are configurable, they include trapdoor information, and the security of the scheme is strictly proved.
- The system parameters can be generated by secure multi-party computation, and in a consortium chain scenario the supervisory node can generate them.
- The application scenarios of the solution are numerous and include, but are not limited to, supply chain finance, clearing and settlement, and lending.
- The solution designs a zero-knowledge proof system for the specific algebraic structure of a transaction and consumes little computing resources and time; even a light node can run the proof generation.
- FIG. 1 is a flow chart of an embodiment of the zero-knowledge proof method for blockchain privacy protection of the invention.
- An additively homomorphic encryption algorithm encrypts the private data in the blockchain, and a non-interactive zero-knowledge proof generated during the transaction proves the validity of the transaction.
- The implementation of the (non-interactive) zero-knowledge proof method for blockchain privacy protection of this embodiment is shown in FIG. 1 and comprises four phases: an initialization phase, a user configuration phase, a proof generation phase and a verification phase. The four phases are explained separately.
- The ciphertexts of t under the public keys N_A of user A and N_B of user B may be generated as follows: […]
- ε and γ are the two parameters describing the plaintext space of the scheme.
- H denotes a cryptographic hash function.
- Option 1 (corresponding to scenario 1 of the third phase): […]
- Option 2: […]
- The transaction is allowed, and the smart contract on the node automatically modifies the balances of the two transacting nodes on the public ledger.
- The invention also discloses a computer-readable storage medium storing a computer program that, when executed by a processor, runs the method steps described in the above embodiments.
- Usable scenarios of the invention include: in supply chain finance, when transferring assets and maintaining consistency of account information, the balance of each node is encrypted with an additively homomorphic encryption algorithm and non-interactive zero-knowledge proofs are broadcast between nodes to prove the validity of the transaction; in clearing and settlement, protecting customer privacy while improving the efficiency of customer identification and reducing time cost; in lending, encrypting withdrawals and borrowers' transaction records while tracking and protecting the validity of the payment process.
- The functions described herein may be implemented or executed with digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), programmable logic devices, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein.
- a general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
- the processor may also be implemented as a combination of computing devices, such as a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
- a software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
- An exemplary storage medium is coupled to the processor to enable the processor to read and write information to/from the storage medium.
- the storage medium can be integrated into the processor.
- the processor and the storage medium can reside in an ASIC.
- the ASIC can reside in the user terminal.
- the processor and the storage medium may reside as a discrete component in the user terminal.
- the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented as a computer program product in software, the functions may be stored on or transmitted as one or more instructions or code on a computer readable medium.
- Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
- a storage medium may be any available media that can be accessed by a computer.
- Such computer-readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
- any connection is also properly referred to as a computer readable medium.
- the software is transmitted from a web site, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave.
- the coaxial cable, fiber optic cable, twisted pair cable, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of the medium.
- Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
Abstract
The invention discloses a zero-knowledge proof method and medium suitable for blockchain privacy protection. It supports both Bitcoin's UTXO model and Ethereum's balance model, combines well with smart contracts, further improves the security of the scheme and extends its application scenarios; and because the zero-knowledge proof is designed for the specific algebraic structure of a transaction, even a light node can run the proof generation. The technical solution is a method comprising: an initialization phase that generates the system parameters (including the parameter generation process and their meaning); a proof generation phase that generates the zero-knowledge proof (including the ciphertexts produced in the process and the formulas and parameters involved); and a verification phase (including the verification formulas and conditions).
Description
The invention relates to blockchain privacy protection technology, and in particular to a zero-knowledge proof method for blockchain privacy protection.
A blockchain system is a public ledger that solves the consensus problem of establishing trust among parties. Every participant can obtain a complete backup of the data, and all transaction data is open and transparent. This is the blockchain's distinguishing advantage, but for many blockchain application parties it is also fatal. Often not only do users themselves want their account privacy and transaction information protected; for commercial organizations, account and transaction information is an important asset and a trade secret that they do not want to share publicly with their peers. Sensitive data in particular needs to balance privacy protection against compliance regulation, and for business scenarios involving a large amount of trade secrets and interests, exposing the data violates business rules and regulatory requirements.
A smart contract is a piece of code running on the blockchain that controls and manages a database. The assets of each account are stored in the smart contract's database, and the data in that database can be operated on through the smart contract when specific conditions are met. In a supply chain finance scenario, for example, the balance of each account and every operation on that balance are recorded and carried out in the smart contract; a transfer between nodes is executed by broadcasting a message to all nodes and executing the smart contract. Each node's balance is private information, and each node wants its balance to be invisible to the other nodes. The content of a transfer is also private, so the balance changes carried in the broadcast message should not be visible to other nodes either. At the same time, the smart contract must still support changes to the balance, and everyone must be able to operate on balances.
In a blockchain system the nodes maintain a consistent public ledger that records the balance of every node, and the nodes operate on the public ledger through a consensus mechanism. In this situation the transaction information of all users in the ledger, together with everything else recorded on the blockchain, is exposed, and the problem of protecting user privacy arises. The system needs to keep blockchain transactions verifiable and the history auditable, and guarantee the validity of transactions, while protecting user privacy. Bitcoin's approach to privacy is to achieve anonymity by cutting the link between a transaction address and the real identity of the address holder: although the sender and receiver addresses of every transfer record are visible, they cannot be mapped to a specific person in the real world. This protection is very weak, however; by observing and tracking blockchain information, such as address IDs and IP information, the association between accounts and transactions can still be traced.
To address the privacy protection problem of blockchains, several approaches currently exist: coin mixing, ring signatures, homomorphic encryption and zero-knowledge proofs:
1. Coin mixing (CoinJoin): the idea of coin mixing is to sever the relationship between input addresses and output addresses. If many people take part in one transaction, with a large number of inputs and outputs, it becomes difficult to find each person's matching pair among the inputs and outputs, so the link between inputs and outputs is effectively severed. Mixing many times with a small amount each time works better. Although this method is highly anonymous, its risk assessment is inadequate and an anonymous third party must be trusted.
2. Encrypting the balances on the public ledger directly: only the node itself or the parties it has authorized can see the transaction information, the remaining nodes cannot operate on the data, and it is hard to keep the ledger consistent. Chinaledger, for example, proposed a scheme based on a central counterparty (CCP): the transaction initiator encrypts the transaction with the CCP's public key, signs it and submits it to the CCP, which decrypts it, checks the signature and the balance, and transfers the amount if the transaction is valid. In this method the remaining nodes can only endorse the transaction, not the balance; the scheme protects node users' privacy but is too centralized, and the whole system depends on the reputation of the CCP. The Ethereum community has also proposed a privacy protection scheme based on state channels: during a transaction the blockchain nodes submit the transaction to a smart contract, which encrypts the details of the intermediate steps so that they are invisible to the remaining nodes; when the transaction completes, the final value allocation is decrypted and returned to the remaining nodes of the blockchain. This method only protects the privacy of the intermediate process, however; the change in the total transaction amount is still transparent to all nodes.
3. Ring signatures: a ring signature is a simplified group-like signature, so named because the signature is formed into a ring according to a fixed rule. In a ring signature scheme, one member of the ring signs with their own private key and the public keys of the other members, without needing the other members' permission, and the verifier knows only that the signature came from the ring, not which member is the real signer. Ring signatures solve the problem of complete anonymity for the signer: one member can sign on behalf of a group without revealing the signer's information. But ring signatures only solve the anonymity of the trader; they cannot protect the content of the transaction.
4. Homomorphic encryption: homomorphic encryption is a method for performing computations on encrypted data without decrypting it first. Storing data on the blockchain with homomorphic encryption achieves a good balance without any major change to the properties of the blockchain: the chain remains a public blockchain, but the data on it is encrypted, which takes care of the privacy problem of public blockchains and gives a public blockchain the privacy of a private one. Additively homomorphic encryption can hide transaction amounts and user balances on the blockchain while still allowing the remaining users to operate on the balances in the public ledger. Homomorphic encryption alone cannot confirm the consistency of a transaction, however, and lacks a step that verifies the validity of the transaction.
5. Zero-knowledge proofs: a zero-knowledge proof is a cryptographic technique for proving certain computations on data without revealing the data itself; it allows two parties (a prover and a verifier) to establish that a proposition is true without revealing any information beyond the fact that it is true. In cryptocurrencies and blockchains this usually refers to transaction data. Zcash, for example, introduces the zero-knowledge proof technology zk-SNARKs to obtain a cryptocurrency with zero-knowledge-level anonymity: a Zcash transaction exposes neither the addresses of the two parties nor the amount. But Zcash's applicable scenarios are limited: it targets only Bitcoin's UTXO model, cannot be extended to a balance model such as Ethereum's, and does not support smart contracts well. In terms of performance, Zcash needs a circuit conversion when generating a proof, which consumes a very large amount of computing resources and time, so Zcash light nodes do not use SNARK technology at all when initiating transactions; only full nodes do. When generating the system parameters, Zcash must rely on one or more strong centers, and the system parameters also hide a trapdoor that controls the entire system. Its usage scenario is also rather narrow: the SNARK technology in Zcash currently has no other application.
Summary of the invention
The following is a brief summary of one or more aspects to provide a basic understanding of them. This summary is not an exhaustive overview of all contemplated aspects, and is intended neither to identify key or critical elements of all aspects nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more aspects in simplified form as a prelude to the more detailed description given later.
The object of the invention is to solve the above problems by providing a zero-knowledge proof method and medium suitable for blockchain privacy protection that supports Bitcoin's UTXO model and Ethereum's balance model, combines well with smart contracts, further improves the security of the scheme and extends its application scenarios; the zero-knowledge proof is designed for the specific algebraic structure of a transaction, so even a light node can run the proof generation.
The technical solution of the invention is as follows. The invention discloses a zero-knowledge proof method suitable for blockchain privacy protection, comprising:
in an initialization phase, generating the system parameters;
in a user configuration phase, generating the public/private key pairs of the transacting nodes and defining the encryption mode;
in a proof generation phase, generating the balance ciphertext of the proving node and the transfer amount ciphertexts encrypted under the proving node's and the verifying node's public keys respectively; the proving node generates random parameters, takes the system parameters obtained in the initialization phase as the common input, computes the relevant proof parameters and from them generates a non-interactive zero-knowledge proof π;
in a verification phase, the proving node sends π to the verifying node, which combines it with the system parameters, parses π, verifies whether the conditions are satisfied and, if so, allows the transaction.
According to an embodiment of the zero-knowledge proof method suited to blockchain privacy protection of the present invention, the system parameters generated in the initialization phase are $PP = (p, G_1, G_2, G_T, e, g_1, h, g_2, g_T, vk, \sigma, T)$, where $(p, G_1, G_2, G_T, e, g_1, g_2) \leftarrow G_{bp}(1^n)$ is a bilinear group, $h$ is another generator of $G_1$ with […], $g_T = e(g_1, g_2)$ is a generator of $G_T$, the signing key is $sk = x$ and the verification key is […];
the signatures on the values $0$ to $2^{\varepsilon} - 1$ are computed: […]
and the bilinear maps are computed: […]
According to an embodiment of the zero-knowledge proof method suited to blockchain privacy protection of the present invention, the parties to a transaction use the Paillier cryptosystem in the user-configuration phase.
According to an embodiment of the zero-knowledge proof method suited to blockchain privacy protection of the present invention, in the proof-generation phase a user A holding balance $t_A$ performs the following operations when transferring an amount $t$ to user B:
(1) […] and […], that is, […] are ciphertexts of the same plaintext under different public keys, and a Pedersen commitment $CM_t$ is formed, where $N_A$ is A's public key, $N_B$ is B's public key, $r_t$ and […] are the generated random numbers and $l$ is the random number used in the Pedersen commitment;
(3) $t \in [0, (2^{\varepsilon})^{\gamma}]$, $t' = t_A - t \in [0, (2^{\varepsilon})^{\gamma})$, where […]
Set $N = N_A \cdot N_B$;
from the definitions and formulas above, compute […]
from $c$, compute:
$z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_l = r_l - c \cdot l \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$
for $j = 0, 1, 2, \ldots, \gamma - 1$ compute: […]
Finally, A sends the zero-knowledge proof π to B: […]
According to an embodiment of the zero-knowledge proof method suited to blockchain privacy protection of the present invention, in the proof-generation phase a user A holding balance $t_A$ performs the following operations when transferring an amount $t$ to user B:
(1) […] and […], that is, […] are ciphertexts of the same plaintext under different public keys, and a Pedersen commitment $CM_t$ is formed, where $N_A$ is A's public key, $N_B$ is B's public key, $r_t$ and […] are the generated random numbers and $l$ is the random number used in the Pedersen commitment;
(3) $t \in [0, (2^{\varepsilon})^{\gamma}]$, $t' = t_A - t \in [0, (2^{\varepsilon})^{\gamma})$, where […]
Set $N = N_A \cdot N_B$;
$z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_{l'} = r_{l'} - c \cdot l' \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$
for $j = 0, 1, 2, \ldots, \gamma - 1$ compute: […]
Finally, A sends the zero-knowledge proof π to B: […]
According to an embodiment of the zero-knowledge proof method suited to blockchain privacy protection of the present invention, when user A obtains the ciphertext of $t_A$ from the ledger but does not know the value of the random number $r$, A recovers $r$ with an extractor algorithm from the plaintext $t_A$ and the private key $\lambda_A$.
According to an embodiment of the zero-knowledge proof method suited to blockchain privacy protection of the present invention, in the verification phase, after receiving the proof π the verifier parses π and, together with the common input PP, checks for $j = 0, 1, 2, \ldots, \gamma - 1$ whether the following conditions hold: […]
The invention also discloses an embodiment of a computer-readable storage medium storing a computer program which, when read into and executed by a processor, runs the following steps:
generating system parameters in an initialization phase;
generating the public/private key pair of each transacting node and defining the encryption scheme in a user-configuration phase;
in a proof-generation phase, generating the ciphertext of the proving node's balance and the ciphertexts of the transfer amount encrypted under the proving node's and the verifying node's public keys respectively; the proving node generates random parameters, takes the system parameters obtained in the initialization phase as common input, computes the related proof parameters and from them produces a non-interactive zero-knowledge proof π;
in a verification phase, the proving node sends π to the verifying node, which parses π together with the system parameters and checks whether the conditions are satisfied; if so, the transaction is allowed.
The invention also discloses an embodiment of a computer-readable storage medium in which, among the steps run by the computer program, the system parameters generated in the initialization phase are $PP = (p, G_1, G_2, G_T, e, g_1, h, g_2, g_T, vk, \sigma, T)$, where $(p, G_1, G_2, G_T, e, g_1, g_2) \leftarrow G_{bp}(1^n)$ is a bilinear group, $h$ is another generator of $G_1$ with […], $g_T = e(g_1, g_2)$ is a generator of $G_T$, the signing key is $sk = x$ and the verification key is […];
the signatures on the values $0$ to $2^{\varepsilon} - 1$ are computed: […]
and the bilinear maps are computed: […]
The invention also discloses an embodiment of a computer-readable storage medium in which, in the user-configuration phase run by the computer program, the parties to a transaction use the Paillier cryptosystem.
The invention also discloses an embodiment of a computer-readable storage medium in which, in the proof-generation phase run by the computer program, a user A holding balance $t_A$ performs the following operations when transferring an amount $t$ to user B:
(1) […] and […], that is, […] are ciphertexts of the same plaintext under different public keys, and a Pedersen commitment $CM_t$ is formed, where $N_A$ is A's public key, $N_B$ is B's public key, $r_t$ and […] are the generated random numbers and $l$ is the random number used in the Pedersen commitment;
Set $N = N_A \cdot N_B$;
from the definitions and formulas above, compute […]
from $c$, compute:
$z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_l = r_l - c \cdot l \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$
for $j = 0, 1, 2, \ldots, \gamma - 1$ compute: […]
Finally, A sends the zero-knowledge proof π to B: […]
The invention also discloses an embodiment of a computer-readable storage medium in which, in the proof-generation phase run by the computer program, a user A holding balance $t_A$ performs the following operations when transferring an amount $t$ to user B:
(1) […] and […], that is, […] are ciphertexts of the same plaintext under different public keys, and a Pedersen commitment $CM_t$ is formed, where $N_A$ is A's public key, $N_B$ is B's public key, $r_t$ and […] are the generated random numbers and $l$ is the random number used in the Pedersen commitment;
(3) $t \in [0, (2^{\varepsilon})^{\gamma}]$, $t' = t_A - t \in [0, (2^{\varepsilon})^{\gamma})$, where […]
Set $N = N_A \cdot N_B$;
$z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_{l'} = r_{l'} - c \cdot l' \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$
for $j = 0, 1, 2, \ldots, \gamma - 1$ compute: […]
Finally, A sends the zero-knowledge proof π to B: […]
The invention also discloses an embodiment of a computer-readable storage medium in which, when user A obtains the ciphertext of $t_A$ from the ledger but does not know the value of the random number $r$, A recovers $r$ with an extractor algorithm from the plaintext $t_A$ and the private key $\lambda_A$.
The invention also discloses an embodiment of a computer-readable storage medium in which, in the verification phase run by the computer program, after receiving the proof π the verifier parses π and, together with the common input PP, checks for $j = 0, 1, 2, \ldots, \gamma - 1$ whether the following conditions hold: […]
Compared with the prior art, the present invention has the following beneficial effects. The method comprises the system parameters of the initialization phase (including how the parameters are generated and what they mean), the concrete process by which the zero-knowledge proof is generated in the proof-generation phase (including the ciphertexts produced and the formulas and parameters involved), and the verification phase (including the verification formulas and conditions). Specifically, the zero-knowledge proof scheme of the present invention protects the transaction amount by combining a homomorphic encryption algorithm with the proof: the data in the public ledger of the smart contract is stored as homomorphically encrypted ciphertext, and during a transaction a non-interactive zero-knowledge proof is generated to verify the legality and validity of the transaction. The concrete algorithm is as follows. Consider the two parties to a transaction in the blockchain, a proving node and a verifying node. The system first initializes its parameters, and the transacting nodes generate their public/private key pairs and define the encryption scheme. The proving node then obtains the ciphertext of its balance and the ciphertexts of the transfer amount encrypted under the proving node's and the verifying node's public keys respectively; it computes the relevant parameters and generates the non-interactive zero-knowledge proof π; it sends π to the verifying node, which parses π together with the system parameters and checks whether the conditions hold; if they do, the transaction is allowed. The advantages of the algorithm are: it supports both Bitcoin's UTXO model and Ethereum's balance model, although it is better suited to the balance model, and it is designed to fit smart contracts and combines well with them; the system parameters are configurable, they contain trapdoor information, the security of the scheme has a rigorous proof, and the system parameters can be generated by secure multi-party computation in a public-chain setting or by a regulatory node in a consortium-chain setting; the scheme has many application scenarios, including but not limited to supply-chain finance, clearing and settlement, and lending; and because the zero-knowledge proof system is designed around the specific algebraic structure of a transaction, it consumes little computing resource and time, so even light nodes can run the proof-generation process.
The above features and advantages of the present invention can be better understood by reading the following detailed description of embodiments of the disclosure in conjunction with the accompanying drawings. In the drawings, components are not necessarily drawn to scale, and components with similar related properties or features may carry the same or similar reference numerals.
FIG. 1 shows a flowchart of an embodiment of the zero-knowledge proof method suited to blockchain privacy protection of the present invention.
The present invention is described in detail below with reference to the drawings and specific embodiments. Note that the aspects described below in conjunction with the drawings and embodiments are exemplary only and should not be construed as limiting the scope of protection of the invention in any way.
The scheme of the present invention encrypts the private data in the blockchain with an additively homomorphic encryption algorithm and generates a non-interactive zero-knowledge proof during a transaction to prove the transaction's validity.
For simplicity, the embodiments below consider only two participants in the smart contract, users A and B. Assume the plaintext space is $[0, 2^{\beta}]$, where $\beta = \varepsilon \cdot \gamma$ (if $\beta \neq \varepsilon \cdot \gamma$, the range can be enlarged appropriately so that $\beta = \varepsilon \cdot \gamma$ holds). The implementation steps of the (non-interactive) zero-knowledge proof method of this embodiment are shown in FIG. 1 and comprise four phases: initialization, user configuration, proof generation and verification. Each phase is described below.
I. Initialization phase
In the system initialization phase the system parameters PP are generated. $(p, G_1, G_2, G_T, e, g_1, g_2) \leftarrow G_{bp}(1^n)$ is a bilinear group. Assume $h$ is another generator of $G_1$, where […]
Assume $g_T = e(g_1, g_2)$ is a generator of $G_T$. The signing key is $sk = x$ and the verification key is […]
Next, compute the signatures on the values $0$ to $2^{\varepsilon} - 1$: […]
At the same time, compute the following bilinear maps: […]
In summary, the system parameters are $PP = (p, G_1, G_2, G_T, e, g_1, h, g_2, g_T, vk, \sigma, T)$.
II. User-configuration phase
In the user-configuration phase, the parties to a transaction use the Paillier cryptosystem. For user A, the public key, private key and encryption method are as follows:
Public key: $PK_A = N_A$, where $N_A$ is the product of two large primes $p_A$ and $q_A$.
Private key: $SK_A = \lambda_A = \mathrm{lcm}(p_A - 1, q_A - 1)$. (The standard lcm function computes the least common multiple of its arguments.)
III. Proof-generation phase
In the proof-generation phase, a user A holding balance $t_A$ performs the following operations when transferring an amount $t$ to user B: […]
The EXTRACTOR algorithm is implemented as follows (lines 2, 3 and 5 are not reproduced on this page):
1: Function EXTRACTOR(C, t_A, λ_A)
4: compute a such that a·λ_A + 1 = 0 mod N_A (possible because gcd(λ_A, N_A) = 1)
6: end function
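As an added illustration of the user-configuration phase and of the EXTRACTOR step above (example code written for this page, not the patent's own implementation), the following Python block builds a toy Paillier key pair for user A, shows the additive homomorphism that the ledger-side balance update relies on, and recovers the encryption randomness r from the ciphertext, the plaintext t_A and λ_A, following the "a·λ_A + 1 = 0 mod N_A" step quoted above. The two small primes and the generator g = 1 + N are constructed assumptions of this example; the patent does not fix them.

```python
"""Toy Paillier setup for user A, the ledger's homomorphic balance update, and the
randomness extractor. Added example, not the patent's code; the primes are constructed."""
import math
import secrets

# Constructed toy primes (a real deployment uses large primes, e.g. 1024 bits each).
P_A, Q_A = 10007, 10009


def paillier_keygen(p, q):
    """User-configuration phase: PK_A = N_A = p*q, SK_A = lambda_A = lcm(p-1, q-1)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    # lambda must be invertible mod N (used by the extractor); holds for same-size primes.
    assert math.gcd(n, lam) == 1
    return n, lam


def paillier_encrypt(n, m, r=None):
    """C = (1+N)^m * r^N mod N^2, with generator g = 1+N (an assumption of this example)."""
    n2 = n * n
    if r is None:
        while True:
            r = secrets.randbelow(n - 1) + 1
            if math.gcd(r, n) == 1:
                break
    return (pow(1 + n, m, n2) * pow(r, n, n2)) % n2, r


def paillier_decrypt(n, lam, c):
    """Standard decryption: L(C^lambda mod N^2) * lambda^-1 mod N, where L(u) = (u-1)/N."""
    n2 = n * n
    u = pow(c, lam, n2)
    return ((u - 1) // n) * pow(lam, -1, n) % n


def homomorphic_sub(n, c_balance, c_amount):
    """Enc(t_A) / Enc(t) = Enc(t_A - t): the additive homomorphism the ledger update uses."""
    n2 = n * n
    return (c_balance * pow(c_amount, -1, n2)) % n2


def extractor(c, t_a, lam, n):
    """EXTRACTOR(C, t_A, lambda_A): recover r from C = (1+N)^t_A * r^N mod N^2.
    Pick a with a*lambda + 1 = 0 mod N (possible since gcd(lambda, N) = 1), so that
    a*lambda + 1 = k*N for an integer k and (r^N)^k = r^(a*lambda+1) = r mod N,
    because r^lambda = 1 mod N for every r coprime to N."""
    n2 = n * n
    r_to_n = (c * pow(pow(1 + n, t_a, n2), -1, n2)) % n2 % n   # r^N mod N
    a = (-pow(lam, -1, n)) % n                                 # a*lambda + 1 = 0 mod N
    k = (a * lam + 1) // n
    return pow(r_to_n, k, n)


def demo(t_a=500, t=120):
    """Encrypt a balance and an amount, update the balance under encryption,
    then decrypt and extract; returns the values a test can check."""
    n, lam = paillier_keygen(P_A, Q_A)
    c_balance, r_balance = paillier_encrypt(n, t_a)
    c_amount, _ = paillier_encrypt(n, t)
    c_new = homomorphic_sub(n, c_balance, c_amount)
    return {
        "balance": paillier_decrypt(n, lam, c_balance),
        "new_balance": paillier_decrypt(n, lam, c_new),
        "r_recovered": extractor(c_balance, t_a, lam, n) == r_balance,
    }


if __name__ == "__main__":
    print(demo())
```

The extractor matters operationally because the proof needs the randomness of the ledger ciphertext as a witness, and a node that only holds the ciphertext and its own private key can still recompute it; nothing in this step leaks to other nodes, since it uses λ_A.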
Using its own public key $N_A$ and B's public key $N_B$, A generates the ciphertexts of $t$ as follows: […]
The Pedersen commitments to $t$ and to $t' = t_A - t$ are generated as follows: […]
where $l$ and $l'$ are the random numbers used in the Pedersen commitments.
(3) $t \in [0, (2^{\varepsilon})^{\gamma}]$, $t' = t_A - t \in [0, (2^{\varepsilon})^{\gamma})$, where […]
Scheme one:
Set $N = N_A \cdot N_B$.
From the definitions and formulas above, compute […]
where $H$ denotes a cryptographic hash function.
From $c$, compute:
$z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_l = r_l - c \cdot l \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$
For $j = 0, 1, 2, \ldots, \gamma - 1$ compute: […]
Finally, A sends the zero-knowledge proof π to B: […]
Scheme two:
Set $N = N_A \cdot N_B$.
$z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_{l'} = r_{l'} - c \cdot l' \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$
For $j = 0, 1, 2, \ldots, \gamma - 1$ compute: […]
Finally, A sends the zero-knowledge proof π to B: […]
IV. Verification phase
After receiving the proof π, the verifier parses π as described above and, together with the common input PP, checks for $j = 0, 1, 2, \ldots, \gamma - 1$ whether the following conditions hold (one set per scheme):
Scheme one (corresponding to scheme one of the third phase): […]
Scheme two (corresponding to scheme two of the third phase): […]
If all conditions hold, the transaction is allowed and the smart contract on the node automatically adjusts the balances of the two transacting nodes in the public ledger.
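The proof-generation and verification phases above rest on two commitment relations that the page states but whose formulas are not reproduced here: the balance split $t' = t_A - t$ (the committed amount and the committed remainder must add up to the committed balance) and the digit decomposition $t = \sum_j t_j (2^{\varepsilon})^j$ over $j = 0, \ldots, \gamma - 1$ behind the range condition. The following Python block is an added illustration of those two relations with Pedersen commitments, not the patent's code; it uses a constructed toy group (the order-5003 subgroup of $\mathbb{Z}_{10007}^{*}$, with generators $G$ and $H$ chosen for the example) and omits the per-digit signature check against $\sigma$ and $T$, whose formulas the page does not give.

```python
"""Pedersen commitments for the balance split t_A = t + t' and for the base-2^eps digit
decomposition that the range condition t in [0, (2^eps)^gamma) is built on.
Added example, not the patent's code: group, generators and parameters are constructed."""
import secrets

P = 10007          # constructed safe prime, P = 2*Q + 1
Q = 5003           # prime order of the quadratic-residue subgroup of Z_P^*
G = pow(2, 2, P)   # generator of that subgroup (a quadratic residue)
H = pow(3, 2, P)   # second generator; in a real setup log_G(H) must be unknown to the prover
EPS, GAMMA = 3, 4  # digit width eps and digit count gamma: range is [0, 8^4) = [0, 4096)
BASE = 1 << EPS


def commit(value, rand):
    """Pedersen commitment CM = G^value * H^rand mod P (exponents live mod Q)."""
    return (pow(G, value % Q, P) * pow(H, rand % Q, P)) % P


def fresh_rand():
    return secrets.randbelow(Q)


def digits(t):
    """Write t = sum_j t_j * (2^eps)^j with each t_j in [0, 2^eps - 1]. Values outside the
    range are rejected, which is how a negative t' = t_A - t (an overspend) fails."""
    if not 0 <= t < BASE ** GAMMA:
        raise ValueError("value outside the provable range [0, (2^eps)^gamma)")
    return [(t >> (EPS * j)) & (BASE - 1) for j in range(GAMMA)]


def balance_split(t_a, t, l=None, l_prime=None):
    """Prover: commit to t and t' = t_A - t. Returns (CM_t, CM_t', CM_tA), where CM_tA is
    the commitment to t_A under randomness l + l' that the verifier's product must match."""
    digits(t_a - t)  # t' must itself lie in the range
    l = fresh_rand() if l is None else l
    l_prime = fresh_rand() if l_prime is None else l_prime
    return commit(t, l), commit(t_a - t, l_prime), commit(t_a, l + l_prime)


def verify_balance_split(cm_t, cm_tp, cm_ta):
    """Verifier: CM_t * CM_t' == CM_tA, i.e. the committed amounts add up to the balance."""
    return (cm_t * cm_tp) % P == cm_ta


def digit_commitments(t, ls=None):
    """Prover: one commitment per digit t_j, plus the commitment to t under the aggregated
    randomness sum_j l_j * (2^eps)^j so that the verifier's product check closes."""
    ds = digits(t)
    ls = [fresh_rand() for _ in ds] if ls is None else ls
    cms = [commit(d, l) for d, l in zip(ds, ls)]
    l_total = sum(l * BASE ** j for j, l in enumerate(ls))
    return cms, commit(t, l_total)


def verify_digit_commitments(cms, cm_t):
    """Verifier: prod_j CM_j^((2^eps)^j) == CM_t over j = 0..gamma-1."""
    acc = 1
    for j, cm in enumerate(cms):
        acc = (acc * pow(cm, BASE ** j, P)) % P
    return acc == cm_t
```

In the real scheme each digit commitment is additionally tied to one of the $2^{\varepsilon}$ signed values $\sigma$ from the initialization phase, which is what bounds every $t_j$ and hence proves the range; the product checks above only show why committing to digits under aggregated randomness lets the verifier recover a commitment to the whole value without learning it.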
In addition, the present invention discloses a computer-readable storage medium storing a computer program which, when executed by a processor, runs the method steps of the embodiments described above.
The embodiments above are examples only. The usage scenarios of the invention include: in supply-chain finance, when transferring assets and maintaining ledger consistency, encrypting each node's balance information with an additively homomorphic encryption algorithm and, when nodes transact, broadcasting a non-interactive zero-knowledge proof to prove the validity of the transaction; in clearing and settlement, protecting customer privacy while improving the efficiency of customer identification and reducing time costs; and in lending, encrypting the transaction records of the lender and the borrower and tracking and protecting the validity of the flow of payments.
Although the methods above are illustrated and described as a series of acts for simplicity of explanation, it is to be understood and appreciated that the methods are not limited by the order of the acts, since in accordance with one or more embodiments some acts may occur in a different order and/or concurrently with other acts illustrated and described herein, or not illustrated and described herein but understood by those skilled in the art.
Those skilled in the art will further appreciate that the various illustrative logical blocks, modules, circuits and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or a combination of both. To clearly illustrate this interchangeability of hardware and software, the various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The various illustrative logical blocks, modules and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative the processor may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of computing devices, for example a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software as a computer program product, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Any connection is also properly termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of medium. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The previous description of the disclosure is provided to enable any person skilled in the art to make or use the disclosure. Various modifications to the disclosure will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other variations without departing from the spirit or scope of the disclosure. Thus, the disclosure is not intended to be limited to the examples and designs described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (16)
- A zero-knowledge proof method suited to blockchain privacy protection, characterized by comprising: generating system parameters in an initialization phase; generating the public/private key pair of each transacting node and defining the encryption scheme in a user-configuration phase; in a proof-generation phase, generating the ciphertext of the proving node's balance and the ciphertexts of the transfer amount encrypted under the proving node's and the verifying node's public keys respectively, the proving node generating random parameters, taking the system parameters obtained in the initialization phase as common input, computing the related proof parameters and from them producing a non-interactive zero-knowledge proof π; and in a verification phase, the proving node sending π to the verifying node, which parses π together with the system parameters and checks whether the conditions are satisfied, the transaction being allowed if they are.
- The zero-knowledge proof method suited to blockchain privacy protection of claim 2, characterized in that the parties to a transaction use the Paillier cryptosystem in the user-configuration phase.
- The zero-knowledge proof method suited to blockchain privacy protection of claim 2, characterized in that in the proof-generation phase a user A holding balance $t_A$ performs the following operations when transferring an amount $t$ to user B: (1) […] and […], that is, $C_t$ and […] are ciphertexts of the same plaintext under different public keys, and a Pedersen commitment $CM_t$ is formed, where $N_A$ is A's public key, $N_B$ is B's public key, $r_t$ and […] are the generated random numbers and $l$ is the random number used in the Pedersen commitment; (3) $t \in [0, (2^{\varepsilon})^{\gamma}]$, $t' = t_A - t \in [0, (2^{\varepsilon})^{\gamma})$, where […]; set $N = N_A \cdot N_B$; from the definitions and formulas above compute […]; from $c$ compute $z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_l = r_l - c \cdot l \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$; for $j = 0, 1, 2, \ldots, \gamma - 1$ compute […]; finally, A sends the zero-knowledge proof π to B: […]
- The zero-knowledge proof method suited to blockchain privacy protection of claim 2, characterized in that in the proof-generation phase a user A holding balance $t_A$ performs the following operations when transferring an amount $t$ to user B: (1) […] and […], that is, $C_t$ and […] are ciphertexts of the same plaintext under different public keys, and a Pedersen commitment $CM_t$ is formed, where $N_A$ is A's public key, $N_B$ is B's public key, $r_t$ and […] are the generated random numbers and $l$ is the random number used in the Pedersen commitment; (3) $t \in [0, (2^{\varepsilon})^{\gamma}]$, $t' = t_A - t \in [0, (2^{\varepsilon})^{\gamma})$, where […]; set $N = N_A \cdot N_B$; $z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_{l'} = r_{l'} - c \cdot l' \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$; for $j = 0, 1, 2, \ldots, \gamma - 1$ compute […]; finally, A sends the zero-knowledge proof π to B: […]
- The zero-knowledge proof method suited to blockchain privacy protection of claim 4 or 5, characterized in that when user A obtains the ciphertext of $t_A$ from the ledger but does not know the value of the random number $r$, A recovers $r$ with an extractor algorithm from the plaintext $t_A$ and the private key $\lambda_A$.
- A computer-readable storage medium, characterized in that it stores a computer program which, when read into and executed by a processor, runs the following steps: generating system parameters in an initialization phase; generating the public/private key pair of each transacting node and defining the encryption scheme in a user-configuration phase; in a proof-generation phase, generating the ciphertext of the proving node's balance and the ciphertexts of the transfer amount encrypted under the proving node's and the verifying node's public keys respectively, the proving node generating random parameters, taking the system parameters obtained in the initialization phase as common input, computing the related proof parameters and from them producing a non-interactive zero-knowledge proof π; and in a verification phase, the proving node sending π to the verifying node, which parses π together with the system parameters and checks whether the conditions are satisfied, the transaction being allowed if they are.
- The computer-readable storage medium of claim 10, characterized in that in the user-configuration phase run by the computer program the parties to a transaction use the Paillier cryptosystem.
- The computer-readable storage medium of claim 10, characterized in that in the proof-generation phase run by the computer program a user A holding balance $t_A$ performs the following operations when transferring an amount $t$ to user B: (1) […] and […], that is, $C_t$ and […] are ciphertexts of the same plaintext under different public keys, and a Pedersen commitment $CM_t$ is formed, where $N_A$ is A's public key, $N_B$ is B's public key, $r_t$ and […] are the generated random numbers and $l$ is the random number used in the Pedersen commitment; (3) $t \in [0, (2^{\varepsilon})^{\gamma}]$, $t' = t_A - t \in [0, (2^{\varepsilon})^{\gamma})$, where […]; set $N = N_A \cdot N_B$; from the definitions and formulas above compute […]; from $c$ compute $z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_l = r_l - c \cdot l \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$; for $j = 0, 1, 2, \ldots, \gamma - 1$ compute […]; finally, A sends the zero-knowledge proof π to B: […]
- The computer-readable storage medium of claim 10, characterized in that in the proof-generation phase run by the computer program a user A holding balance $t_A$ performs the following operations when transferring an amount $t$ to user B: (1) […] and […], that is, $C_t$ and […] are ciphertexts of the same plaintext under different public keys, and a Pedersen commitment $CM_t$ is formed, where $N_A$ is A's public key, $N_B$ is B's public key, $r_t$ and […] are the generated random numbers and $l$ is the random number used in the Pedersen commitment; (3) $t \in [0, (2^{\varepsilon})^{\gamma}]$, $t' = t_A - t \in [0, (2^{\varepsilon})^{\gamma})$, where […]; set $N = N_A \cdot N_B$; $z_1 = r_1 / r_t^{\,c} \bmod N_A$, $z_{l'} = r_{l'} - c \cdot l' \bmod (N \cdot p)$, $z_3 = r_3 / (r / r_t)^{c} \bmod N_A$; for $j = 0, 1, 2, \ldots, \gamma - 1$ compute […]; finally, A sends the zero-knowledge proof π to B: […]
- The computer-readable storage medium of claim 12 or 13, characterized in that when user A obtains the ciphertext of $t_A$ from the ledger but does not know the value of the random number $r$, A recovers $r$ with an extractor algorithm from the plaintext $t_A$ and the private key $\lambda_A$.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711241178.5 | 2017-11-30 | ||
CN201711241178.5A CN108418689B (zh) | 2017-11-30 | 2017-11-30 | Zero-knowledge proof method and medium suited to blockchain privacy protection |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019105407A1 true WO2019105407A1 (zh) | 2019-06-06 |
Family
ID=63125306
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/118131 WO2019105407A1 (zh) | 2017-11-30 | 2018-11-29 | Zero-knowledge proof method and medium suited to blockchain privacy protection |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108418689B (zh) |
WO (1) | WO2019105407A1 (zh) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10680800B2 (en) | 2018-12-21 | 2020-06-09 | Alibaba Group Holding Limited | Blockchain data protection based on generic account model and homomorphic encryption |
US10790987B2 (en) | 2018-12-21 | 2020-09-29 | Alibaba Group Holding Limited | Blockchain data protection based on generic account model and homomorphic encryption |
CN112069262A (zh) * | 2020-09-09 | 2020-12-11 | 上海万向区块链股份公司 | Method for putting reconciliation data on-chain based on a blockchain smart contract |
US11049099B2 (en) * | 2018-11-30 | 2021-06-29 | Advanced New Technologies Co., Ltd. | Methods for implementing privacy protection in blockchain |
CN113822672A (zh) * | 2021-11-22 | 2021-12-21 | 浙江数秦科技有限公司 | Blockchain consensus method based on zero-knowledge proofs |
US11244306B2 (en) | 2018-08-06 | 2022-02-08 | Advanced New Technologies Co., Ltd. | Method, apparatus and electronic device for blockchain transactions |
US11341492B2 (en) * | 2018-08-30 | 2022-05-24 | Advanced New Technologies Co., Ltd. | Method, apparatus and electronic device for blockchain transactions |
US11341487B2 (en) | 2018-12-29 | 2022-05-24 | Advanced New Technologies Co., Ltd. | System and method for information protection |
US11398911B1 (en) | 2020-07-12 | 2022-07-26 | Run Interactive, Inc. | System for interacting objects as tokens on a blockchain using a class-based language |
US11475365B2 (en) | 2020-04-09 | 2022-10-18 | International Business Machines Corporation | Verification of stochastic gradient descent |
US11575665B2 (en) | 2020-12-07 | 2023-02-07 | International Business Machines Corporation | Authorizing uses of goods or services using bonding agreement |
Families Citing this family (60)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108418689B (zh) * | 2017-11-30 | 2020-07-10 | 矩阵元技术(深圳)有限公司 | Zero-knowledge proof method and medium suited to blockchain privacy protection |
CN111768304A (zh) | 2018-08-06 | 2020-10-13 | 阿里巴巴集团控股有限公司 | Blockchain transaction method and apparatus, and electronic device |
CN111899001A (zh) * | 2018-08-30 | 2020-11-06 | 创新先进技术有限公司 | Blockchain-based remittance method and apparatus |
CN110909073B (zh) * | 2018-09-14 | 2023-06-13 | 宏达国际电子股份有限公司 | Method and system for sharing private data based on smart contracts |
CN111833186A (zh) * | 2018-09-20 | 2020-10-27 | 创新先进技术有限公司 | Blockchain-based transaction method, apparatus and node device |
CN111833057A (zh) * | 2018-09-30 | 2020-10-27 | 创新先进技术有限公司 | Blockchain-based transaction method, apparatus and node device |
CN109257182B (zh) * | 2018-10-24 | 2021-06-25 | 杭州趣链科技有限公司 | Privacy protection method based on homomorphic cryptographic commitments and zero-knowledge range proofs |
KR102215773B1 (ko) * | 2018-11-07 | 2021-02-17 | Advanced New Technologies Co., Ltd. | Blockchain data protection based on an account note model with zero-knowledge proofs |
KR102180991B1 (ko) | 2018-11-07 | 2020-12-17 | Advanced New Technologies Co., Ltd. | Regulation of blockchain confidential transactions |
KR102208891B1 (ko) | 2018-11-07 | 2021-01-29 | Advanced New Technologies Co., Ltd. | Recovering encrypted transaction information in blockchain confidential transactions |
CN109447791B (zh) * | 2018-11-09 | 2021-07-16 | 北京邮电大学 | Blockchain-based fund transaction method and apparatus |
BR112019007232B1 (pt) | 2018-11-27 | 2022-02-15 | Advanced New Technologies Co., Ltd | Computer-implemented methods for information protection, systems for information protection and non-transitory computer-readable storage medium |
PL3745637T3 (pl) | 2018-11-27 | 2021-11-02 | Advanced New Technologies Co., Ltd. | System and method for information protection |
SG11201902778UA (en) | 2018-11-27 | 2019-05-30 | Alibaba Group Holding Ltd | System and method for information protection |
KR102248154B1 (ko) | 2018-11-27 | 2021-05-06 | Advanced New Technologies Co., Ltd. | System and method for information protection |
US10700850B2 (en) | 2018-11-27 | 2020-06-30 | Alibaba Group Holding Limited | System and method for information protection |
RU2735439C2 (ru) | 2018-11-27 | 2020-11-02 | Alibaba Group Holding Limited | System and method for information protection |
CN109614820A (zh) * | 2018-12-06 | 2019-04-12 | 山东大学 | Privacy protection method for smart-contract authentication data based on zero-knowledge proofs |
CN109615376B (zh) * | 2018-12-10 | 2020-09-01 | 北京八分量信息科技有限公司 | Transaction method and apparatus based on zero-knowledge proofs |
US11151558B2 (en) * | 2018-12-12 | 2021-10-19 | American Express Travel Related Services Company, Inc | Zero-knowledge proof payments using blockchain |
CN109858281B (zh) * | 2019-02-01 | 2020-09-18 | 杭州云象网络技术有限公司 | Privacy protection method for the blockchain account model based on zero-knowledge proofs |
CN110011781B (zh) * | 2019-03-04 | 2020-05-19 | 华中科技大学 | Homomorphic encryption method and medium for encrypting transaction amounts with support for zero-knowledge proofs |
CN109922077B (zh) * | 2019-03-27 | 2021-06-04 | 北京思源理想控股集团有限公司 | Blockchain-based identity authentication method and system |
CN110311782B (zh) * | 2019-04-29 | 2020-04-14 | 山东工商学院 | Zero-knowledge proof method, system and storage medium for personal information |
CN110336672B (zh) * | 2019-04-29 | 2020-07-28 | 山东工商学院 | Method, system and storage medium for citizen privacy protection based on zero-knowledge proofs |
CN110223063B (zh) * | 2019-05-07 | 2023-06-20 | 平安科技(深圳)有限公司 | Supply-chain data management method and apparatus based on zero-knowledge proofs |
WO2020233423A1 (zh) * | 2019-05-20 | 2020-11-26 | 创新先进技术有限公司 | Receipt storage method and node based on transaction type |
CN110263088B (zh) * | 2019-05-20 | 2021-04-02 | 创新先进技术有限公司 | Conditional receipt storage method and node combining code annotations with event types |
CN110189124A (zh) * | 2019-05-24 | 2019-08-30 | 杭州复杂美科技有限公司 | Attack prevention method, device and storage medium |
CN110363528B (zh) * | 2019-06-27 | 2022-06-24 | 矩阵元技术(深圳)有限公司 | Collaborative address generation and transaction signing method and apparatus, and storage medium |
CN110414981B (zh) * | 2019-07-04 | 2023-05-09 | 华中科技大学 | Homomorphic encryption method supporting ZKPs and method for encrypting blockchain transaction amounts |
CN110473105B (zh) * | 2019-08-20 | 2024-01-16 | 深圳市迅雷网络技术有限公司 | Blockchain transaction settlement method, system and related devices |
US10652019B1 (en) | 2019-08-28 | 2020-05-12 | Qed-It Systems Ltd. | Atomic swap using zero-knowledge proofs, and applications thereof |
CN110717755A (zh) * | 2019-09-05 | 2020-01-21 | 深圳壹账通智能科技有限公司 | Zero-knowledge verification method, apparatus and medium for encrypted data |
CN111008836B (zh) * | 2019-11-15 | 2023-09-05 | 哈尔滨工业大学(深圳) | Privacy-preserving secure transfer payment method, apparatus, system and storage medium |
CN111160909B (zh) * | 2019-12-31 | 2024-01-16 | 深圳市迅雷网络技术有限公司 | System and method for static supervision of hidden blockchain supply-chain transactions |
CN111079190A (zh) * | 2019-12-31 | 2020-04-28 | 深圳市网心科技有限公司 | System and method for dynamic supervision of hidden blockchain supply-chain transactions |
CN111277415B (zh) * | 2020-01-20 | 2023-12-19 | 布比(北京)网络技术有限公司 | Privacy protection method and apparatus based on blockchain smart contracts |
CN111369251B (zh) * | 2020-03-07 | 2021-09-28 | 中国人民解放军国防科技大学 | Blockchain transaction supervision method based on a two-level user identity structure |
CN111553792A (zh) * | 2020-03-24 | 2020-08-18 | 平安科技(深圳)有限公司 | Blockchain-based data verification method and apparatus |
CN111586049A (zh) * | 2020-05-08 | 2020-08-25 | 国网电子商务有限公司 | Lightweight key authentication method and apparatus for the mobile internet |
CN111724493A (zh) * | 2020-05-15 | 2020-09-29 | 新大陆数字技术股份有限公司 | Expressway on-board toll device, expressway toll system and method |
CN111950021A (zh) * | 2020-07-31 | 2020-11-17 | 南京航空航天大学 | Method for solving the privacy leakage problem in smart-contract data donation |
CN111931209B (zh) * | 2020-08-18 | 2024-03-22 | 金网络(北京)数字科技有限公司 | Contract information verification method and apparatus based on zero-knowledge proofs |
CN111861480B (zh) * | 2020-09-21 | 2020-12-18 | 浙江大学 | Traffic-detection model trading method, apparatus, electronic device and storage medium |
CN112241434B (zh) * | 2020-09-24 | 2021-06-22 | 华中农业大学 | Consortium blockchain system oriented to data privacy protection |
CN112632636B (zh) * | 2020-12-23 | 2024-06-04 | 深圳前海微众银行股份有限公司 | Method and apparatus for proving and verifying the comparison result of ciphertext data |
CN113222747B (zh) * | 2020-12-31 | 2024-01-26 | 上海零数众合信息科技有限公司 | Blockchain private transaction method |
CN112765268B (zh) * | 2020-12-31 | 2022-11-04 | 杭州趣链科技有限公司 | Blockchain-based data privacy protection method, apparatus and device |
CN112733163B (zh) * | 2021-01-04 | 2023-02-03 | 北京航空航天大学 | Supervisable zero-knowledge proof method and apparatus based on proofs of discrete-logarithm equality |
CN113225189B (zh) * | 2021-01-05 | 2024-02-02 | 上海零数众合信息科技有限公司 | Quantum-resistant ring-based confidential service method |
CN113159762B (zh) * | 2021-01-28 | 2024-04-09 | 武汉天喻信息产业股份有限公司 | Blockchain transaction method based on Paillier and game theory |
CN114124406B (zh) * | 2021-11-19 | 2023-08-29 | 重庆邮电大学 | Consortium-chain privacy protection method based on conditionally anonymous ring signatures and privacy-preserving computation |
CN114257381B (zh) * | 2021-12-21 | 2023-11-21 | 四川启睿克科技有限公司 | Yield-rate calculation method based on zero-knowledge proofs |
CN114760067B (zh) * | 2022-03-30 | 2023-09-12 | 西安电子科技大学 | Privacy and security protection method for a blockchain crowd-sensing system using zero-knowledge proofs |
CN115567214A (zh) * | 2022-08-24 | 2023-01-03 | 深圳市沃享科技有限公司 | Smart contract execution method, apparatus, terminal device and computer medium |
CN115829754B (zh) * | 2023-02-16 | 2023-05-05 | 之江实验室 | Transaction supervision method and apparatus for privacy-preserving blockchains |
CN116561789B (zh) * | 2023-07-07 | 2023-09-19 | 北京天润基业科技发展股份有限公司 | Private data processing method, apparatus, electronic device and readable storage medium |
CN117391726A (zh) * | 2023-12-06 | 2024-01-12 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | Blockchain-based trusted energy data trading method |
CN117786757B (zh) * | 2024-02-26 | 2024-04-30 | 成都数据集团股份有限公司 | Privacy-preserving computation management system and method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106982205A (zh) * | 2017-03-01 | 2017-07-25 | 中钞信用卡产业发展有限公司北京智能卡技术研究院 | Blockchain-based digital asset processing method and apparatus |
CN107273759A (zh) * | 2017-05-08 | 2017-10-20 | 上海点融信息科技有限责任公司 | Method, device and computer-readable storage medium for protecting blockchain data |
CN107274184A (zh) * | 2017-05-11 | 2017-10-20 | 上海点融信息科技有限责任公司 | Blockchain data processing based on zero-knowledge proofs |
CN108418689A (zh) * | 2017-11-30 | 2018-08-17 | 矩阵元技术(深圳)有限公司 | Zero-knowledge proof method and medium suited to blockchain privacy protection |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104850984B (zh) * | 2014-05-13 | 2018-04-06 | 电子科技大学 | Secure operation method for offline electronic cash payment |
CN104601605B (zh) * | 2015-02-28 | 2018-01-02 | 北方工业大学 | Efficient privacy-preserving auditing method in cloud storage based on chameleon hash functions |
CN105187212A (zh) * | 2015-08-07 | 2015-12-23 | 河海大学 | Schnorr ring signature scheme with designated verifiability |
CN106503994B (zh) * | 2016-11-02 | 2020-07-28 | 西安电子科技大学 | Access control method for blockchain private data based on attribute-based encryption |
CN106549749B (zh) * | 2016-12-06 | 2019-12-24 | 杭州趣链科技有限公司 | Blockchain privacy protection method based on additively homomorphic encryption |
CN106911470B (zh) * | 2017-01-23 | 2020-07-07 | 北京航空航天大学 | Method for enhancing the privacy of Bitcoin transactions |
CN107358424B (zh) * | 2017-06-26 | 2020-09-29 | 中国人民银行数字货币研究所 | Digital-currency-based transaction method and apparatus |
CN108418783B (zh) * | 2017-09-01 | 2021-03-19 | 矩阵元技术(深圳)有限公司 | Method and medium for protecting the privacy of blockchain smart contracts |
- 2017
  - 2017-11-30 CN CN201711241178.5A patent/CN108418689B/zh active Active
- 2018
  - 2018-11-29 WO PCT/CN2018/118131 patent/WO2019105407A1/zh active Application Filing
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11244306B2 (en) | 2018-08-06 | 2022-02-08 | Advanced New Technologies Co., Ltd. | Method, apparatus and electronic device for blockchain transactions |
US11379826B2 (en) | 2018-08-06 | 2022-07-05 | Advanced New Technologies Co., Ltd. | Method, apparatus and electronic device for blockchain transactions |
US11392942B2 (en) | 2018-08-30 | 2022-07-19 | Advanced New Technologies Co., Ltd. | Method, apparatus and electronic device for blockchain transactions |
US11341492B2 (en) * | 2018-08-30 | 2022-05-24 | Advanced New Technologies Co., Ltd. | Method, apparatus and electronic device for blockchain transactions |
US11049099B2 (en) * | 2018-11-30 | 2021-06-29 | Advanced New Technologies Co., Ltd. | Methods for implementing privacy protection in blockchain |
US11063769B2 (en) | 2018-12-21 | 2021-07-13 | Advanced New Technologies Co., Ltd. | Blockchain data protection based on generic account model and homomorphic encryption |
US10790987B2 (en) | 2018-12-21 | 2020-09-29 | Alibaba Group Holding Limited | Blockchain data protection based on generic account model and homomorphic encryption |
US10708039B1 (en) | 2018-12-21 | 2020-07-07 | Alibaba Group Holding Limited | Blockchain data protection based on generic account model and homomorphic encryption |
US10680800B2 (en) | 2018-12-21 | 2020-06-09 | Alibaba Group Holding Limited | Blockchain data protection based on generic account model and homomorphic encryption |
US11416854B2 (en) | 2018-12-29 | 2022-08-16 | Advanced New Technologies Co., Ltd. | System and method for information protection |
US11341487B2 (en) | 2018-12-29 | 2022-05-24 | Advanced New Technologies Co., Ltd. | System and method for information protection |
US11475365B2 (en) | 2020-04-09 | 2022-10-18 | International Business Machines Corporation | Verification of stochastic gradient descent |
US11917066B1 (en) | 2020-07-12 | 2024-02-27 | Run Interactive, Inc. | System for interacting objects as tokens on a blockchain using a class-based language |
US11398911B1 (en) | 2020-07-12 | 2022-07-26 | Run Interactive, Inc. | System for interacting objects as tokens on a blockchain using a class-based language |
CN112069262B (zh) * | 2020-09-09 | 2022-05-24 | 上海万向区块链股份公司 | Method for putting reconciliation data on-chain based on a blockchain smart contract |
CN112069262A (zh) * | 2020-09-09 | 2020-12-11 | 上海万向区块链股份公司 | Method for putting reconciliation data on-chain based on a blockchain smart contract |
US11575665B2 (en) | 2020-12-07 | 2023-02-07 | International Business Machines Corporation | Authorizing uses of goods or services using bonding agreement |
CN113822672A (zh) * | 2021-11-22 | 2021-12-21 | 浙江数秦科技有限公司 | Blockchain consensus method based on zero-knowledge proofs |
Also Published As
Publication number | Publication date |
---|---|
CN108418689B (zh) | 2020-07-10 |
CN108418689A (zh) | 2018-08-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2019105407A1 (zh) | Zero-knowledge proof method and medium suited to blockchain privacy protection | |
CN108418783B (zh) | Method and medium for protecting the privacy of blockchain smart contracts | |
Morais et al. | A survey on zero knowledge range proofs and applications | |
Liu et al. | Anonymous reputation system for IIoT-enabled retail marketing atop PoS blockchain | |
JP6873270B2 (ja) | Method and device for protecting sensitive data of smart-contract-based transaction activities in a blockchain | |
Wang et al. | Designated-verifier proof of assets for bitcoin exchange using elliptic curve cryptography | |
US10833861B2 (en) | Protection of confidentiality, privacy and ownership assurance in a blockchain based decentralized identity management system | |
JP2021529397A (ja) | System and method for verifying blockchain addresses and owners | |
WO2020147568A1 (zh) | Blockchain-based evidence storage method and apparatus | |
Rosenberg | Handbook of financial cryptography and security | |
CN113568946A (zh) | Method, system and apparatus for managing transactions across multiple blockchain networks | |
Singh et al. | A novel credential protocol for protecting personal attributes in blockchain | |
CN113595734A (zh) | Method, system and apparatus for managing transactions across multiple blockchain networks | |
CN113595733A (zh) | Method, system and apparatus for managing transactions across multiple blockchain networks | |
Zhou et al. | Distributed bitcoin account management | |
Wu et al. | The survey on the development of secure multi-party computing in the blockchain | |
Islam | A privacy-preserving transparent central bank digital currency system based on consortium blockchain and unspent transaction outputs | |
Montenegro et al. | Secure sealed-bid online auctions using discreet cryptographic proofs | |
Takaragi et al. | Secure revocation features in eKYC-privacy protection in central bank digital currency | |
Devidas et al. | Identity verifiable ring signature scheme for privacy protection in blockchain | |
CN114866289B (zh) | Consortium-chain-based security protection method for private credit data | |
CN111523892B (zh) | Cross-chain transaction method and apparatus for blockchains | |
WO2021139545A1 (en) | Methods and devices for facilitating split invoice financing | |
WO2021139605A1 (en) | Methods and devices for providing decentralized identity verification | |
Li et al. | A blockchain‐based traceable group loan system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18884126 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase |
Ref country code: DE |
122 | Ep: pct application non-entry in european phase |
Ref document number: 18884126 Country of ref document: EP Kind code of ref document: A1 |