WO2019209168A2 - Data processing method, related apparatus, and blockchain system - Google Patents

Data processing method, related apparatus, and blockchain system Download PDF

Info

Publication number
WO2019209168A2
WO2019209168A2 PCT/SG2018/050200 SG2018050200W WO2019209168A2 WO 2019209168 A2 WO2019209168 A2 WO 2019209168A2 SG 2018050200 W SG2018050200 W SG 2018050200W WO 2019209168 A2 WO2019209168 A2 WO 2019209168A2
Authority
WO
WIPO (PCT)
Prior art keywords
transaction amount
plaintext
ciphertext
sender
amount
Prior art date
Application number
PCT/SG2018/050200
Other languages
French (fr)
Chinese (zh)
Other versions
WO2019209168A3 (en
Inventor
阮子瀚
吴双
贺伟
Original Assignee
华为国际有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为国际有限公司 filed Critical 华为国际有限公司
Priority to CN201880092481.XA priority Critical patent/CN111989891A/en
Priority to PCT/SG2018/050200 priority patent/WO2019209168A2/en
Publication of WO2019209168A2 publication Critical patent/WO2019209168A2/en
Publication of WO2019209168A3 publication Critical patent/WO2019209168A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present application relates to the field of blockchain technology, and in particular, to a data processing method, a related device, and a blockchain system. Background technique
  • a blockchain is a distributed database that maintains a growing list of ordered records called blocks. Each block contains a timestamp and a link to the previous block. The blockchain naturally has the function of tamper-proof data. Once recorded, the data in the block cannot be unilaterally modified.
  • P2P peer-to-peer
  • the blockchain is an open, distributed ledger that effectively records transactions between the parties and other various information and records them permanently in a verifiable manner.
  • the user's account balance is not directly encrypted and stored on the block, causing the user's account to be completely exposed on all nodes. In this way, in addition to the basic functions of decoupling the blockchain and making the information untamperable, the user's account privacy is completely exposed on all nodes of the blockchain.
  • the use of additive homomorphic encryption can protect the privacy of the transaction amount in the blockchain system, but it is not possible for the verifier to verify whether the transaction is valid. Because the verifier can only determine that the plain text of the output amount is equal to the plain text of the input amount, it is impossible to confirm whether the plaintext of the input amount and the plaintext of the output amount are within the valid range. Therefore, how to protect the transaction amount privacy in the blockchain system, if the verification node cannot know the plaintext of the transaction amount, it is an urgent problem to verify whether the plaintext of the transaction amount is within the valid range. Summary of the invention
  • the embodiment of the present application provides a data processing method, a related device, and a blockchain system, which can protect the privacy of the transaction amount. If the verification party cannot obtain the plaintext of the transaction amount, verify whether the transaction amount is within the valid range, and ensure that the transaction amount is within the valid range. The legality of the transaction.
  • an embodiment of the present application provides a data processing method, which is applied to a blockchain system, where the system includes a sender and a verification party, and the method includes: the sender uses an additive homomorphic encryption algorithm to perform a transaction.
  • the plaintext M of the amount is encrypted, and the ciphertext (C, B) of the transaction amount is generated; the sender sends the ciphertext (C, B) of the transaction amount to the verifier; the verifier according to the transaction
  • the ciphertext of the amount (C, B) verifies whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2 U -1], and U is the plaintext M of the transaction amount Bit length.
  • the embodiment of the present application can protect the privacy of the transaction amount in the blockchain system, and if the verification party cannot know the plaintext of the transaction amount, verify whether the transaction amount is within the valid range, and ensure the legality of the transaction.
  • the plaintext M of the transaction amount is first divided into the plaintext of thousands of small blocks, and then the plaintext of each small block is separately encrypted, and the valid range is Proof, etc., to ensure that the regulator can effectively decrypt the ciphertext of each small transaction amount.
  • the plaintext M k of the L transaction amount is equal in length.
  • the method further includes: the sender generates a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; and the ciphertext of the verification party according to the transaction amount ( C, B) verifying whether the plaintext M of the transaction amount belongs to the first valid range includes: the verification party verifies that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range.
  • the authenticator can verify whether the transaction amount is within the valid range, thereby verifying the legality of the transaction.
  • the transaction amount includes an output amount; the method further includes: the sender calculating a ciphertext C′ of a difference between the input amount and the output amount, and generating C′ is a force secret
  • the addition homomorphic zero-knowledge proof of the ciphertext with zero plaintext wherein C is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount
  • the ciphertext of the amount received by the sender in the last transaction, or the ciphertext of the input amount is a secret generated by the sender by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction.
  • the verifier verifies that the C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero.
  • the verification party verifies that the input amount is equal to the output amount, thereby verifying the legality of the transaction.
  • the system further includes a supervisor, where the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the method further includes: the sender generating the supervisor a zero-knowledge proof of the ciphertext (C, B) decrypting the transaction amount; the verifier verifying that the supervisor can decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount; the regulator The ciphertext (C, B) of the transaction amount is decrypted using a private key corresponding to the public key.
  • the authenticator can verify that the supervisor can decrypt the ciphertext of the transaction amount, thereby verifying the legality of the ciphertext.
  • the system further includes a third party, configured to provide a random secret, where the random secret Y is used to generate a digital signature for each integer in the first valid range;
  • the zero-knowledge proof that the sender generates the plaintext M of the transaction amount that belongs to the first valid range includes: the sender generates a digital signature for each integer in the first valid range according to the random secret Y provided by the third party.
  • the plaintext M that generates the transaction amount belongs to the zero-knowledge proof of the first valid range.
  • the embodiment of the present application provides a specific method for proving that the plaintext in the transaction amount ciphertext belongs to the valid range, and is Each digit in the valid range generates a digital signature, which proves that the plaintext in the transaction amount ciphertext belongs to one of the above digital signatures, which proves that the plaintext in the transaction amount ciphertext belongs to the valid range.
  • the verifier is not provided with the clear amount of the transaction amount, the legality of the transaction amount is verified, and the transaction privacy is guaranteed.
  • the zero-knowledge proof that the sender generates the plaintext M of the transaction amount that belongs to the first valid range includes: the sender generates N first parameters; N is a positive integer;
  • the zero-knowledge proof that the verification party verifies that the plaintext M of the transaction amount belongs to the first valid range includes: the verification party generates N second parameters; wherein, the N first parameters and the N second parameters— Corresponding; the verifier verifies whether the N second parameters are equal to the corresponding first parameter, and if they are equal, the plaintext M of the transaction amount belongs to the first valid range.
  • the embodiment of the present application verifies whether the plaintext in the transaction amount ciphertext belongs to the valid range according to the comparison between the first parameter generated by the sender and the second parameter generated by the verifier, and verifies the transaction without providing the plaintext of the transaction amount to the verifier.
  • the legality of the amount to ensure the privacy of the transaction.
  • the sending, by the sender, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range further includes: the sender generating a first verification parameter; Determining, by the verification party, that the plaintext M of the transaction amount belongs to the first valid range, the zero-knowledge proof further includes: the verification party generates a second verification parameter; Determining whether the N second parameters are equal to the corresponding first parameter includes: the verification party verifies whether the first parameter is equal to the second verification The parameters, if equal, the N second parameters are equal to the corresponding first parameter.
  • the embodiment of the present application verifies whether the first parameter generated by the sender is equal to the second parameter generated by the verifier according to the first verification parameter generated by the sender and the second verification parameter generated by the verifier, and further proves the plaintext in the transaction amount ciphertext. Whether it is a valid scope, if the transaction amount is not provided to the verifier, the legality of the transaction amount is verified, and the transaction privacy is guaranteed.
  • the embodiment of the present application provides a data processing method, which is applied to a blockchain system, where the system includes a sender and a verification party, and the method includes: the sender uses an additive homomorphic encryption algorithm to perform a transaction.
  • the plaintext M of the amount is encrypted, and the ciphertext (C, B) of the transaction amount is generated; the sender sends the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier is based on the
  • the ciphertext (C, B) describing the transaction amount verifies whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2 U -1], and U is the plaintext of the transaction amount
  • the bit length of M is applied to a blockchain system, where the system includes a sender and a verification party, and the method includes: the sender uses an additive homomorphic encryption algorithm to perform a transaction.
  • the plaintext M of the amount is encrypted, and the ciphertext (C, B)
  • the system further includes a supervisor; the sender encrypts the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount, including: The sender divides the plaintext M of the transaction amount into the plaintext M k of the L transaction amount, and encrypts the plaintext M k of the L transaction amount by using an additive homomorphic encryption algorithm, respectively, to generate a ciphertext of the L transaction amount.
  • C, B ciphertext
  • the plaintext M k of the L transaction amount is equal in length.
  • the method further includes: the sender generates a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; and the sender sends the ciphertext of the transaction amount ( C, B) sent to the verifier, so that the verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount, including: the sender Transmitting the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies that the plaintext M of the transaction amount belongs to the first according to the ciphertext (C, B) of the transaction amount Zero knowledge proof of the valid range.
  • the transaction amount includes an output amount; the method further includes: the sender calculating a ciphertext C′ of a difference between the input amount and the output amount, and generating C′ is a force secret An additive homomorphic zero-knowledge proof of a ciphertext having a plaintext of zero, such that the verifier verifies that the C' is an additive homomorphic zero-knowledge proof that encrypts a plaintext with a plaintext of zero; wherein, the C is based on a ciphertext calculated by the ciphertext of the output amount and the ciphertext of the input amount, the ciphertext of the input amount being a ciphertext of the amount received by the sender in the previous transaction, or the input amount
  • the ciphertext is a ciphertext generated by the sender by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction.
  • the system further includes a supervisor, where the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the method further includes: the sender generating the supervisor Decrypting the zero-knowledge proof of the ciphertext C of the transaction amount to enable the verifier to verify that the supervisor can decrypt the zero-knowledge proof of the ciphertext C of the transaction amount.
  • the system further includes a third party, configured to provide a random secret Y, where the random secret Y is used to generate a digital signature for each integer in the first valid range;
  • the zero-knowledge proof that the sender generates the plaintext M of the transaction amount that belongs to the first valid range includes: the sender generates the number generated according to the random secret Y provided by the third party as each integer in the first valid range.
  • the plaintext M in which the signature generates the transaction amount belongs to the zero-knowledge proof of the first valid range.
  • an embodiment of the present application provides a data processing method, which is applied to a blockchain system, where the system includes a sender and a verification party, and the method includes: the verification party receives a transaction sent by the sender.
  • the bit length of the plaintext M of the amount is U; the verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount; the first valid range is [0, 2 U -1].
  • the verifying party verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount includes: the verifier verifies the transaction The plaintext M of the amount belongs to the zero-knowledge proof of the first valid range; wherein, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range is generated by the sender.
  • the transaction amount includes an output amount; the method further includes: the verifying The ciphertext C' that verifies the difference between the input amount and the output amount is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero; wherein C is a ciphertext and a place according to the output amount a ciphertext calculated by the ciphertext of the input amount, the ciphertext of the input amount being a ciphertext of the amount received by the sender in the previous transaction, or the ciphertext of the input amount being used by the sender
  • the ciphertext generated by the addition homomorphic encryption algorithm for encrypting the amount generated in the current transaction; the ciphertext C' of the difference between the input amount and the output amount is an addition homomorphism of the ciphertext encrypted with plaintext zero
  • a zero knowledge proof is generated by the sender.
  • the system further includes a supervisor, where the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the method further includes: the authenticator is further configured to verify the The supervisor can decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount; wherein the supervisor can decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount by the sender generate.
  • the embodiment of the present application provides a blockchain system, where the system includes a sender and a verification party: the sender is configured to encrypt the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm to generate a transaction amount. Ciphertext (C, B), and sending the ciphertext (C, B) of the transaction amount to the verifier; the verifier is used to verify the ciphertext (C, B) according to the transaction amount Whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2 U -1], and U is the bit length of the plaintext M of the transaction amount.
  • the system further includes a supervisor; the sender is configured to divide the plaintext M of the transaction amount into the plaintext M k of the L transaction amount, respectively, using an additive homomorphic encryption algorithm
  • the plaintext of the L transaction amount is encrypted to generate a ciphertext (C k , B k ) of the L transaction amount;
  • the verifier is used to verify the plaintext M k S of the transaction amount according to the ciphertext (C k , B k ) of the transaction amount a second valid range; the second valid range is [0, 2 U -1], where u is a plaintext bit length of the transaction amount;
  • the supervisor is configured to decrypt the private key corresponding to the public key parts of said transaction amount L ciphertext (C k, B k), obtaining the transaction amount L parts plaintext M
  • the sender is further configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; the verifier is used for the ciphertext according to the transaction amount (C B) Verify that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range.
  • the transaction amount includes an output amount; the sender is further configured to calculate a ciphertext C′ of a difference between the input amount and the output amount, and generate C′ to encrypt the plaintext to zero.
  • Encryption homomorphic zero-knowledge proof of ciphertext wherein, C is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount is the sender
  • the ciphertext of the amount received in the last transaction, or the ciphertext of the input amount is a ciphertext generated by the sender by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction; the authenticator It is also used to verify that the C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero.
  • the system further includes a supervisor, the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the sender is further configured to generate the supervisor to decrypt the The ciphertext of the transaction amount (C, B) Zero-knowledge proof; the verifier is further configured to verify that the supervisor can decrypt the zero-knowledge proof of the ciphertext (c, B) of the transaction amount; the supervisor is configured to adopt a corresponding to the public key The private key decrypts the ciphertext (C, B) of the transaction amount.
  • the system further includes a third party, configured to provide a random secret, where the random secret Y is used to generate a digital signature for each integer in the first valid range;
  • the sender is configured to generate a zero-knowledge proof that the plaintext of the transaction amount belongs to the first valid range according to the digital signature generated by the random secret Y provided by the third party for each integer in the valid range.
  • the sender is used to generate N first parameters
  • the ⁇ authenticator is used to generate N second parameters; where the N first parameters and the N The second parameter-corresponding; verifying whether the N second parameters are equal to the corresponding first parameter, and if they are equal, the plaintext M of the transaction amount belongs to the first valid range.
  • the sender is further configured to generate a first verification parameter, where the first verification parameter is determined by the N first parameters, and the verification party is further configured to generate a second verification parameter.
  • the second verification parameter is determined by the N second parameters; the verifier is further configured to verify whether the first parameter is equal to the second verification parameter, and if they are equal, the N second parameters Equal to the corresponding first parameter.
  • the embodiment of the present application provides a sender, which is applied to a blockchain system, where the system includes a sender and a ⁇ authenticator, and the sender includes: an encryption unit, configured to use an additive homomorphic encryption algorithm.
  • Encrypting the plaintext M of the transaction amount generating a ciphertext (C, B) of the transaction amount; wherein, the plaintext M of the transaction amount has a bit length U; and a sending unit, configured to cipher the transaction amount ( C, B) sent to the verifier, so that the verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount; the first valid The range is [0, 2 U -1], and U is the bit length of the plaintext M of the transaction amount.
  • the system further includes a supervisor;
  • L is a positive integer greater than or equal to 2; an encryption subunit, configured to encrypt the plaintext of the L transaction amount by using an additive homomorphic encryption algorithm, respectively, to generate a ciphertext of the transaction amount of L (C k , B k ), to enable the supervisor to decrypt the ciphertext (C k , B k ) of the L transaction amount by using a private key corresponding to the public key, to obtain the plaintext M k of the L transaction amount, And obtaining, according to the plaintext M k of the L transaction amount, a plaintext M of the transaction amount; the public key of the addition homomorphic encryption algorithm is provided by the supervisor; the sending unit, configured to use the L share transaction amount ciphertext (C k, B k) is sent to the verifier to cause the verifier verifying the plaintext M k transaction amount whether the transaction amount based on the ciphertext (C k, B k) It belongs to the second valid range; wherein, the second valid range is [0
  • the sender further includes: a first generating unit, configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to a first valid range; the sending unit is configured to: The ciphertext (C, B) of the transaction amount is sent to the verifier, so that the verifier verifies that the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount. Zero knowledge proof.
  • the transaction amount includes an output amount
  • the sender further includes: a second student a unit, a ciphertext C' for calculating a difference between the input amount and the output amount, and generating C' is an additive homomorphic zero-knowledge proof of the ciphertext encrypted with plaintext zero, so that the verifier verifies the C' is an additive homomorphic zero-knowledge proof of the ciphertext in which the plaintext is zero; wherein C is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, the input The ciphertext of the amount is the ciphertext of the amount received by the sender in the previous transaction, or the ciphertext of the input amount is the sender encrypting the amount generated in the current transaction by using the adding homomorphic encryption algorithm by the sender Generated ciphertext.
  • the system further includes a supervisor, the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the sender further includes: a third generating unit, configured to generate The supervisor may decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount to enable the verifier to verify that the supervisor can decrypt the zero knowledge of the ciphertext (C, B) of the transaction amount prove.
  • the system further includes a third party, configured to provide a random secret, where the random secret Y is used to generate a digital signature for each integer in the first valid range;
  • the first generating unit is configured to generate the plaintext M of the ciphertext C of the transaction amount according to the digital signature generated by the third party provided by the third party for each integer in the first valid range to belong to the first valid range.
  • the embodiment of the present application provides a verification party, which is applied to a blockchain system, where the system includes a sender and a verification party, where the verification party includes: a receiving unit, configured to receive the sending by the sender The ciphertext (C, B) of the transaction amount; wherein, the ciphertext (C, B) of the transaction amount is a ciphertext generated by the sender using the addition homomorphic encryption algorithm to encrypt the plaintext M of the transaction amount;
  • the length of the plaintext M of the transaction amount is U;
  • the verification unit is configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range;
  • the range is [0, 2 U -1].
  • the verification unit is configured to verify that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range; wherein, the plaintext M of the transaction amount belongs to the zero of the first valid range
  • the proof of knowledge is generated by the sender.
  • the transaction amount includes an output amount; the verification unit is further configured to verify that the ciphertext C′ of the difference between the input amount and the output amount is a ciphertext encrypted with a plaintext of zero.
  • the C is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount is the sender last time
  • the ciphertext of the amount received in the transaction, or the ciphertext of the input amount is a ciphertext generated by the sender by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction, the input amount and the amount
  • the ciphertext C' describing the difference of the output amount is the added homomorphic zero-knowledge proof of the ciphertext in which the plaintext is zero is generated by the sender.
  • the system further includes a supervisor, the public key of the addicating homomorphic encryption algorithm is provided by the supervisor; the verification unit is further configured to verify that the supervisor can decrypt the A zero-knowledge proof of the ciphertext (C, B) of the transaction amount; wherein the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is generated by the sender.
  • the embodiment of the present application provides a sender, which is applied to a blockchain system, where the system includes sending And the authenticator, the sender includes: a processor, a memory, and a transceiver, wherein: the processor, the memory, and the transceiver are connected to each other, the memory is used to store a computer program, the computer program Included in the program instruction, the processor is configured to invoke the program instruction, and execute the data processing method provided by the second aspect of the embodiment of the present application or any possible implementation manner of the second aspect.
  • the embodiment of the present application provides a verification party, which is applied to a blockchain system, where the system includes a sender and a verification party, where the verification party includes: a processor, a memory, and a transceiver, where: The processor, the memory, and the transceiver are connected to each other, the memory is used to store a computer program, the computer program includes program instructions, the processor is configured to invoke the program instructions, and the embodiment of the present application is executed.
  • a data processing method provided by the third aspect or any one of the possible implementations of the third aspect.
  • the embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores a computer program, where the computer program includes program instructions, when executed by a processor, The processor performs the data processing method provided by the second aspect of the embodiment of the present application or any possible implementation manner of the second aspect.
  • the embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores a computer program, where the computer program includes program instructions, when the program instructions are executed by a processor,
  • the processor performs the data processing method provided by the third aspect of the embodiment of the present application or any possible implementation manner of the third aspect.
  • the embodiment of the present application can protect the privacy of the transaction amount in the blockchain system, and if the verification party cannot know the plaintext of the transaction amount, verify whether the transaction amount is within the valid range, and ensure the legality of the transaction.
  • the plaintext of the transaction amount can be divided into the plaintext of the transaction amount of thousands of small pieces, and then the plaintext of the transaction amount of each small piece is separately P And the proof of its valid scope, etc., to ensure that the regulator can effectively decrypt the ciphertext of each small transaction amount.
  • FIG. 1 is a schematic structural diagram of a blockchain system according to an embodiment of the present application
  • Figure 2 is a schematic diagram of the input amount and output amount
  • FIG. 3 is a schematic flowchart of a data processing method according to an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of another data processing method according to an embodiment of the present application.
  • FIG. 5 is a schematic diagram of a process for a sender to process a transaction amount plaintext M according to an embodiment of the present application
  • FIG. 6 is a schematic flowchart of another data processing method according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a sender according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a verification party according to an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of another sender according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of another authenticator according to an embodiment of the present application. detailed description The technical solutions in the embodiments of the present application will be described clearly and in detail in conjunction with the accompanying drawings.
  • the blockchain system can include at least a sender and a verifier.
  • the sender is used to initiate a transaction to the recipient, and the transaction amount is encrypted; the verifier is used to verify whether the transaction initiated by the sender to the receiver is legal.
  • the blockchain system may further include a supervisor for providing a pair of public and private keys, providing the public key to the sender to encrypt the transaction amount, and the supervisor may use the private key to decrypt the transaction amount for monitoring.
  • the trading behavior of the blockchain network timely detection of abnormal trading behavior and corresponding treatment.
  • the sender may be a sender's mobile phone or a computer terminal
  • the verification party may be a bank server, etc.
  • the supervisor may be a computer or server of the regulatory agency.
  • the blockchain system can be applied to a federated chain scenario, and can be applied to an alliance formed between multiple organizations that cannot find a unified trusted third party.
  • the sender initiates a transaction to the receiver.
  • the sender pays a certain amount of the transaction to the receiver, and the verifier can verify whether the transaction is legal.
  • Whether the transaction is legal or not is mainly reflected in two aspects: First, whether the output amount is equal to the input amount; Second, whether the output amount and the input amount are valid ranges. If the output amount is equal to the input amount, and the output amount and the input amount are both valid, the transaction is a legal transaction.
  • the output amount and the input amount please refer to Figure 2.
  • the transaction amount that the sender A intends to pay is X.
  • the receiver A The transaction amount received is Y, and the transaction received by the receiver A 2 The amount is Z.
  • X is the input amount
  • the maximum value is determined by the bit length of the transaction amount, and if the bit length of the transaction amount is U, the maximum value is 2 U -1.
  • the data processing method can at least include the following steps:
  • S301 The sender encrypts the plaintext M of the transaction amount by using an addition homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount.
  • the above addencing homomorphic encryption algorithm may be an ElGamal algorithm.
  • C in the ciphertext (C, B) of the transaction amount is the ciphertext body of the transaction amount plaintext M
  • 6 is the auxiliary ciphertext of the transaction amount plaintext M, which is used to assist in decrypting the ciphertext body C in the subsequent supervisor decryption process.
  • the plaintext M of the transaction amount has a bit length U and U is a positive integer.
  • the transaction amount includes an output amount.
  • the input amount may be the ciphertext of the amount received by the sender in the previous transaction, no further encryption is required, and the subsequent step of zero-knowledge proof that the transaction amount belongs to the valid range.
  • the transaction amount may include an input amount in addition to the output gold. That is, the sender must encrypt both the output amount and the input amount, and the subsequent zero-knowledge proof that the transaction amount is within the valid range.
  • the sender directly uses the ciphertext of the amount received in the previous transaction, or whether the sender needs to force the P value of the input amount and the subsequent zero-knowledge proof that the transaction amount belongs to the valid range, etc., depending on The initial setting of the blockchain system, that is, the transaction model in the blockchain system is whether the sender directly forwards the transaction amount received by the sender in the last transaction, or whether the sender regenerates in each transaction. Enter the amount.
  • the supervisor has a pair of asymmetric ciphers, including the public and private keys.
  • the sender can encrypt the plaintext M of the transaction amount by using the public key provided by the regulator, and generate the ciphertext of the transaction amount, which can ensure that the regulator can decrypt the ciphertext of the transaction amount by using the private key corresponding to the public key, so that the regulator can Regulate the transaction.
  • S302 The sender sends the ciphertext (C, B) of the transaction amount to the ⁇ authentic party.
  • the verifier cannot know the plaintext M of the transaction amount, and the sender is prevented from being tracked by the user on other nodes, thereby causing information leakage. Therefore, after the sender encrypts the plaintext M of the transaction amount, the ciphertext (C, B) of the transaction amount is generated, and the ciphertext (C, B) of the transaction amount is sent to the authenticator, so that the verifier corrects the transaction. The legality of the amount is verified.
  • S303 The verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount.
  • the verifier can verify that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range.
  • the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range is generated by the sender.
  • the embodiment of the present application can adopt the addition homomorphic ElGamal encryption algorithm, because in the blockchain system, the addition homomorphic ElGamal encryption algorithm can be zero knowledge of the first valid range with the plaintext M of the transaction amount. Prove that the algorithm is compatible.
  • the data obtained by the addition homomorphic ElGamal encryption algorithm is two-dimensional data
  • the data obtained by the zero-knowledge proof algorithm of the effective range is also two-dimensional
  • the above two algorithms belong to the same mathematical system, so this Both algorithms are compatible in this mathematical system.
  • zero-knowledge proof means that the prover can believe that a certain assertion is correct without providing any useful information to the verifier.
  • the sender cannot provide the plaintext M of the transaction amount to the verifier, but the plaintext M of the transaction amount is believed to belong to the first valid range.
  • a digital signature may be generated for all integers in the first valid range, and the sender only needs to prove that the plaintext of the transaction amount corresponds to one of the digital signatures of all integers in the first range, that is, The plaintext M that can prove the transaction amount belongs to the first valid range.
  • Addition homomorphic encryption is an encryption form that allows people to perform a specific algebraic operation on a ciphertext to obtain a result that is still force-p-secret, and the result of decrypting it is the same as that of plaintext. In other words, additive homomorphic encryption allows people to operate in encrypted data to get the correct results without the need to decrypt the entire process.
  • the sender when the sender provides the public key of the added homomorphic ElGamal encryption algorithm to the plaintext M of the transaction amount by the supervisor, the sender can also generate zero knowledge of the ciphertext (C, B) that the supervisor can decrypt the transaction amount. prove.
  • the verifier can also verify the zero-knowledge proof of the ciphertext (C, B) that the above-mentioned regulator can decrypt the transaction amount.
  • the order in which the sender generates the above-mentioned transaction amount of the plaintext M that belongs to the first valid range and the zero-knowledge proof that generates the ciphertext (C, B) that the above-mentioned supervisor can decrypt the transaction amount is not limited.
  • the verification party verifies that the plaintext M of the above transaction amount belongs to the zero-knowledge proof of the first valid range and the order of zero-knowledge proof that the above-mentioned supervisor can decrypt the transaction amount of the ciphertext (C, B) is not limited.
  • the sender can also calculate the ciphertext C' of the difference between the input amount and the output amount, and generate C' to add the homomorphic zero-knowledge proof of the ciphertext with the plaintext zero.
  • the verifier can also verify that the above C' is a ciphertext encrypted with zero plaintext. Addition homomorphism zero knowledge proof.
  • the sender may generate at least one first parameter when the plaintext M of the transaction amount is generated to belong to the zero-knowledge proof of the first valid range.
  • the verifier can also generate at least one second parameter when verifying that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range.
  • the first parameter corresponds to the second parameter.
  • the same calculation method is applicable to the zero-knowledge proof of the ciphertext (C, B) that the supervisor can decrypt the transaction amount, and also applies to the C' is the addition homomorphic zero-knowledge proof of the ciphertext encrypted with plaintext zero, that is, the verification
  • the input amount is equal to the output amount and will not be described here.
  • the sender when generating the zero-knowledge proof, may further generate a first verification parameter, where the first verification parameter is determined by the plurality of first parameters.
  • the verification party may also generate a second verification parameter when verifying the zero-knowledge proof, and the second verification parameter is determined by the plurality of second parameters.
  • the second verification parameter generated by the verifier is equal to the first verification parameter generated by the sender, it means that the plurality of first parameters are respectively equal to the second parameter corresponding to the plurality of second parameters. Thereby verifying the above zero knowledge proof.
  • the embodiment of the present application can protect the privacy of the transaction amount in the blockchain system, and if the verification party cannot know the plaintext of the transaction amount, verify whether the transaction amount is within the valid range, and ensure the legality of the transaction. And with the supervision of the regulator when needed.
  • the embodiment of the present application provides another data processing method.
  • the transaction amount of the plaintext M has a large bit length, the supervisor may not be able to effectively decrypt the transaction with a large bit length.
  • the data processing method can at least include the following steps:
  • the plaintext M of the transaction amount has a length U
  • bit length of the plaintext M of the transaction amount is 64
  • the maximum value of the plaintext M k of each transaction amount is 2 8 -1.
  • bit lengths of the plaintext M k of the above L transaction amounts may not be equal.
  • the transaction amount may be an output amount, or the transaction amount may be an output amount and an input amount, depending on the initialization setting of the blockchain system.
  • the transaction amount may be an output amount, or the transaction amount may be an output amount and an input amount, depending on the initialization setting of the blockchain system.
  • the output amount and the bit length of the input amount are not necessarily the same. Therefore, when the sender separately divides and encrypts the output amount and the input amount, the number of divided shares may be different, and the bits of the divided transaction amount may be different. The length can also be different.
  • the number of input amounts may be at least one
  • the number of output amounts may be at least one, that is, in one transaction, there may be multiple input amounts, or multiple output amounts.
  • the sender encrypts the plaintext M k of the L transaction amount by using an additive homomorphic encryption algorithm, and generates a ciphertext (C k , B k ) of the L transaction amount.
  • the public key of the above addition homomorphic encryption algorithm can be provided by the supervisor. Encrypting the transaction amount by using the public key provided by the regulator can ensure that the regulator can decrypt the ciphertext (C k , B k ) of the transaction amount by using the private key corresponding to the public key, so that the regulator can supervise the transaction.
  • the above addencing homomorphic encryption algorithm may be an ElGamal algorithm.
  • Transaction amount ciphertext (C k, B k) Q is a transaction amount in plaintext ciphertext body 4, the secondary ciphertext plaintext 4 of the transaction amount for a subsequent auxiliary regulators decryption process to decrypt the ciphertext body.
  • r k is a randomly generated integer
  • Gi is a multiplicative group of primes
  • g 4 is the above-described additive homomorphism
  • the sender sends the ciphertext (C k , B k ) of the L transaction amount to the authenticator.
  • the verifier cannot know the plaintext of the transaction amount, and the sender is prevented from being tracked by the user on other nodes, thereby causing information leakage. Therefore, after the sender adds the homomorphic ElGamal encryption to the plaintext of the transaction amount, the sender directly sends the ciphertext of the transaction amount to the authenticator, so that the verifier can verify the legality of the transaction amount.
  • the verifier verifies that the plaintext M k S of the transaction amount belongs to the second valid range according to the ciphertext (C k , B k ) of the transaction amount.
  • the verifier verifies whether the plaintext M k of each transaction amount belongs to the second valid range, wherein the plaintext bit length of the transaction amount is u, and the second valid range is [0, 2 U -1].
  • the verifier can verify that the plaintext M k of the transaction amount belongs to the zero-knowledge proof of the second valid range.
  • the zero-knowledge proof that the plaintext M k of the transaction amount belongs to the second valid range is generated by the sender.
  • the blockchain system may further include a trusted third party, and the trusted third party may separately generate a digital signature for each integer in the second valid range, and the sender only needs to prove the transaction.
  • the plaintext in the ciphertext (C k , B k ) of the amount corresponds to one of the digital signatures of all integers in the second valid range, and the plaintext of the transaction amount is proved to belong to the second valid range.
  • FIG. 5 shows a process in which the sender clears, encrypts, and clarifies the transaction amount.
  • the first is the process of encrypting the plaintext of the transaction amount.
  • the sender uses the encryption algorithm of the addition and homomorphism to encrypt the plaintext M k of the transaction amount to obtain the ciphertext (C k , B k ) of the corresponding transaction amount.
  • Second proof transaction amount plaintext M k belongs to the effective range of the second process, which belongs to the sender generates a second zero-knowledge proof of the effective range of the plaintext M k transaction amount
  • transaction amount plaintext M k belongs to the second range effective
  • the zero-knowledge proof is represented by 7l k .
  • the ciphertext (C k , B k ) of the transaction amount proves that the plaintext M k S of the transaction amount should be one of 2 U digital signatures Gi in 0 to 2 U -1, thereby proving the transaction amount.
  • the plaintext M k belongs to the second valid range [0, 2 U -1].
  • the digital signature Gi is generated by a trusted third party in the data processing system, and Gi represents the signature of the digital i, where iG[0, 2 U -1], i is an integer.
  • i is an integer.
  • the sender generates a k, by the authenticator to verify the correctness of a k, if correct, then the transaction amount The plain text] ⁇ belongs to the second valid range.
  • the specific calculation method of a k can be referred to the description in the next embodiment.
  • the sender can also generate a zero-knowledge proof of the ciphertext (C k , B k ) that the supervisor can decrypt the transaction amount.
  • the verifier can also verify the zero-knowledge proof of the ciphertext (C k , B k ) that the above-mentioned regulator can decrypt the transaction amount.
  • the sender generates the plaintext M k of the transaction amount, and the zero-knowledge proof of the second valid range and the zero-knowledge proof of the ciphertext (C k , B k ) that generates the above-mentioned supervisory decryptable transaction amount Not limited.
  • the verification party verifies that the plaintext M k of the transaction amount belongs to the second valid range of the zero-knowledge proof and the order of verifying the zero-knowledge proof of the ciphertext (C k , B k ) that the above-mentioned supervisor can decrypt the transaction amount is not limited.
  • the sender can also calculate the ciphertext C' of the difference between the input amount and the output amount, and generate C' to add the homomorphic zero-knowledge proof of the ciphertext with the plaintext zero.
  • the verifier can also verify that the above C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero. It can be known that when the output amount is equal to the input amount, and the output amount and the input amount are both valid, the transaction can be proved to be legal.
  • the plaintext M k of the above transaction amount belongs to the zero-knowledge proof of the second valid range
  • the above C" is the additive homomorphic zero-knowledge proof of the ciphertext encrypted with plaintext zero and the above-mentioned supervisor can decrypt the transaction amount.
  • the zero-knowledge proof of the ciphertext (C k , B k ) is generated by the sender and verified by the verifier. Specifically, the sender generates the corresponding parameters, and the verifier verifies the correctness of the corresponding parameters.
  • the sender generates a transaction amount for each small block of plaintext plaintext M k M k belonging to the second proving effective range, generating at least one first parameter, respectively, the plaintext M k for each small block.
  • the verification party may also generate at least one second parameter when verifying that the plaintext of the transaction amount belongs to the zero-knowledge proof of the second valid range.
  • the first parameter corresponds to the second parameter.
  • the above method is also used to prove that the supervisor can decrypt the ciphertext (C k , B k ) of the transaction amount of each small block.
  • C' is the addition homomorphic zero knowledge proof of the ciphertext encrypted with plaintext zero
  • the sender needs to calculate a first parameter according to all the input amounts and all the output amounts, and there is no need to The transaction amount is calculated.
  • the verifier can also calculate a second parameter based on all the output amounts and all the input amounts. When the second parameter generated by the verifier is equal to the first parameter generated by the sending mode, it can be verified that C' is a ciphertext encrypted with plaintext zero, that is, the input amount is verified to be equal to the output amount.
  • the sender when generating the zero-knowledge proof, may further generate a first verification parameter, where the first verification parameter is determined by the plurality of first parameters.
  • the verification party may also generate a second verification parameter when verifying the zero-knowledge proof, and the second verification parameter is determined by the plurality of second parameters.
  • the second verification parameter generated by the verifier is equal to the first verification parameter generated by the sender, it means that the plurality of first parameters are respectively equal to the second parameter corresponding to the plurality of second parameters. Thereby verifying the above zero knowledge proof.
  • S405 The regulator uses the private key corresponding to the public key to decrypt the ciphertext (C k , B k ) of the L transaction amount, and obtains the plaintext M k of the L transaction amount.
  • the supervisor has a pair of asymmetric passwords, including public and private keys.
  • the public key is provided to the sender to encrypt the transaction amount using the addition homomorphic encryption algorithm, obtain the encrypted ciphertext (C k , B k ), protect the transaction privacy, and prevent information leakage.
  • the private key is saved by the supervisor and used to decrypt the ciphertext (C k , B k ) of the transaction amount sent by the sender.
  • To obtain the decrypted plaintext M k so that the above-described recombinant regulators of L M k M to obtain the original amount of the transaction, whereby the transaction regulation.
  • the regulator obtains the plaintext M of the transaction amount according to the plaintext M k of the above L transaction amount.
  • the supervisor needs to reorganize the plaintext M k of the transaction amount of the L bit length u to obtain the original bit length U.
  • the plaintext M of the transaction amount so that the regulator can supervise the transaction.
  • Embodiments of the present application can divide the plaintext M of the transaction amount into plaintexts of thousands of small blocks when the length of the plaintext M of the transaction amount is long, and then encrypt and decrypt the plaintext of each small block separately. And the proof of its valid scope, etc., while protecting the privacy of the transaction and coordinating the supervision, ensuring that the regulator can effectively decrypt the ciphertext of each small transaction amount.
  • the data processing method includes at least the following steps:
  • system initialization can include the following aspects:
  • the following describes the process by which the sender encrypts a single output amount. If there are multiple output amounts, the following process of encrypting a single output amount is repeated.
  • the plaintext M of the output amount is divided as an example for description.
  • the sender uses the addition homomorphic encryption algorithm to encrypt the plaintext M of the output amount, which specifically includes the following steps:
  • the sender divides the plaintext M of the output amount into the plaintext of the output amount of the L-bit length u
  • the above-described addition and homomorphic encryption algorithm may be an ElGamal algorithm.
  • the ciphertext body of the output ciphertext (C k , B k ) is the ciphertext body of the output amount plaintext 4 , and is the auxiliary ciphertext of the output amount plaintext]1 ⁇ , which is used to assist in decrypting the ciphertext body in the subsequent supervisor decryption process. .
  • the zero-knowledge proof generated by the sender includes the following aspects:
  • the sender generates a zero-knowledge proof that the supervisor can decrypt the ciphertext (C k , B k ) of each output amount.
  • the ciphertext body C of an output amount can be output according to the L share obtained after the division.
  • the above process may be repeated for encryption and certification; or the ciphertext of the transaction amount received by the sender in the last transaction may be directly used as the input amount of the transaction, and the above process need not be repeated.
  • the sender directly sources the ciphertext of the transaction amount received in the last transaction depends on the initialization setting of the blockchain system for the transaction model, that is, the transaction model in the blockchain system is that the sender directly forwards the message to the receiver. The amount of the transaction received in the last transaction, or the sender will regenerate the input amount in each transaction.
  • the random number of the ciphertext subject, 4) is the random number of the ciphertext subject C '' d. Generate a random number to calculate the first parameter
  • the plain text of the total input amount is calculated.
  • the difference from the plain text of the total output amount, the calculation method used in the encrypted data is the ratio of the ciphertext of the total input amount to the ciphertext of the total output amount.
  • the ciphertext of the total output amount is equal to the multiplication of the ciphertexts of the plurality of output amounts, and the ciphertext of the total input amount is equal to the multiplication of the ciphertexts of the plurality of input amounts.
  • the sender calculates a first verification parameter d, which is a result calculated using a hash function H, wherein the input of H includes the above, Q, , , V;, a k lR 5 .
  • the sender also outputs a Z j and t / for all output amounts and all input amounts. It can be known that if in the blockchain system, the sender re-generates the input amount in each transaction, the sender must finally output one for each input amount, Q, V p Z Mk , Z rt , Z vt , the sender sends the above parameters of the output to the authenticator.
  • the verifier verifies that the zero-knowledge proof includes the following aspects:
  • the verifier verifies that the plaintext M k of each output amount belongs to the zero-knowledge proof of the second valid range and the zero-knowledge proof that the supervisor can decrypt.
  • the first parameter %, ⁇ generated by the sender is used to prove that the plaintext % of the output amount has a digital signature generated by the corresponding trusted third party, that is, the plaintext of the output amount is proved] 1 ⁇ belongs to the second valid range ;
  • the first parameter generated by the sender Used to prove that C; is a legal ciphertext, which proves that the supervisor can decrypt the ciphertext.
  • Certificate verification means the following three aspects:
  • the verifier verifies that the plaintext M k of each output amount belongs to the second valid range
  • the verifier verifies that C' is the ciphertext with the plaintext zero encrypted, that is, the output amount is equal to the input amount;
  • the verifier verifies that the supervisor can decrypt the ciphertext (C k , B k ) of each output amount.
  • the first and second aspects of the above verification verify the legality of the transaction; the third aspect of the above verification verifies the legality of the ciphertext.
  • the input of the hash function H includes, C;, , E k , V k , a k lR 5 .
  • the input of the hash function H includes, Q, £>;
  • the verifier verifies the legitimacy of the transaction.
  • the supervisor decryption can include the following aspects:
  • the regulator uses its private key ask to decrypt the ciphertext (C k , B k ) of each output amount,
  • the regulator calculates g 3 °, ⁇ , ..., And respectively Compare, find out the plaintext M t of the output amount.
  • the regulator can pre-calculate Where / is an integer, /G[0,2 U -1], and a precomputed table ( g 3 °, , .., gf 4 ) is generated, which the supervisor can reuse in the multiple decryption process.
  • the result obtained by each decryption is compared with the pre-calculation table to find the value of the plaintext 4 of the output amount.
  • the embodiment of the present application provides a specific calculation method of the data processing method, according to which the plaintext of the transaction amount can be segmented. Then, each of the small blocks of the plaintext is encrypted, decrypted, and proved to be valid. In the protection of transaction privacy and supervision, the regulator can effectively decrypt the ciphertext of each small transaction amount. The plain text M of the land transaction amount is restored, and the transaction is effectively supervised.
  • the embodiment of the present application further provides a sender, which is applied to the blockchain system shown in FIG. 1.
  • the system may include at least a sender and a ⁇ authenticator.
  • the sender 70 may at least include: encryption.
  • the encryption unit 710 encrypts the plaintext M of the transaction amount by using the addition homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount; wherein, the length of the plaintext M of the transaction amount is U.
  • C, B ciphertext
  • the sending unit 720 is configured to send the ciphertext (C, B) of the transaction amount to the verification party, so that the verification party verifies whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [ 0, 2 U -1] , please refer to the description of S302 for details.
  • g 4 is the public key of the above addition homomorphic encryption algorithm
  • g 4 g 3 ask
  • ask is the private key of the above addition homomorphic encryption algorithm.
  • the above blockchain system further includes a supervisor.
  • the above encryption unit 710 includes: a division subunit 7110 and an encryption subunit 7120. among them:
  • the encryption subunit 7120 is configured to encrypt the plaintext of the L transaction amount by using an additive homomorphic encryption algorithm, respectively, to generate a ciphertext (C k , B k ) of the L transaction amount, so that the above-mentioned supervisor adopts the public key corresponding private key to decrypt the transaction amount of the L-parts ciphertext (C k, B k), to obtain the above parts of the transaction amount L plaintext M k, M and the plaintext based on the amount of the transaction amount of the transaction parts L plaintext M k,
  • the public key of the above-described addition homomorphic encryption algorithm is provided by the supervisor; for details, please refer to the descriptions of S402, S405 and S406, or refer to the description of 2) in S602.
  • the sending unit 720 is configured to send the ciphertext (C k , B k ) of the L transaction amount to the verification party, so that the verification party verifies the ciphertext ( C k , B k ) of the L transaction amount Whether the plaintext M k belongs to the second valid range; wherein, the second valid range is [0, 2 U -1], and u is the bit length of the plaintext of the transaction amount.
  • the second valid range is [0, 2 U -1]
  • u is the bit length of the plaintext of the transaction amount.
  • the sender 70 further includes: a first generating unit 730, configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, and the description of 2) in S603 is described in detail. .
  • the sending unit 720 is configured to send the ciphertext (C, B) of the transaction amount to the verification party, so that the verification party verifies that the plaintext M of the transaction amount belongs to the ciphertext (C, B) of the transaction amount.
  • the transaction amount includes an output amount.
  • the sender 70 further includes: a second generating unit 740, configured to calculate a ciphertext C' of the difference between the input amount and the output amount, and generate C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with the plaintext zero
  • the above-mentioned verifier verifies that the above C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with the plaintext zero; wherein, the above C" is the density calculated according to the ciphertext of the output amount and the ciphertext of the input amount.
  • the ciphertext of the input amount is the ciphertext of the amount received by the sender 70 in the previous transaction, or the ciphertext of the input amount is the amount generated by the sender 70 using the addition homomorphic encryption algorithm for the current transaction.
  • the ciphertext generated by encryption refer to the description in 3) of S603.
  • the system further includes a supervisor, and the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; for detailed description, refer to the description of S301.
  • the sender 70 further includes: a third generating unit 750, configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifying party verifies that the supervisor can decrypt the transaction amount
  • a third generating unit 750 configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifying party verifies that the supervisor can decrypt the transaction amount
  • a third generating unit 750 configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifying party verifies that the supervisor can decrypt the transaction amount
  • the zero-knowledge proof of the ciphertext (C, B) please refer to the description of 1) in S603 for details.
  • the system further includes a third party, configured to provide a random secret, and the random secret Y is used to generate a digital signature for each integer in the first valid range.
  • a third party configured to provide a random secret
  • the random secret Y is used to generate a digital signature for each integer in the first valid range.
  • the first generating unit 730 is configured to generate the plaintext M of the ciphertext C of the transaction amount according to the digital signature generated by the random secret Y provided by the third party for each integer in the first valid range, belonging to the first valid range.
  • Zero knowledge proof please refer to the description of 2) in S603 for detailed description.
  • the embodiment of the present application further provides a verification party, which is applied to the blockchain system shown in FIG. 1.
  • the system may include at least a sender and a verification party.
  • the verification party 80 may at least include: a receiving unit. 810.
  • a verification unit 820 where:
  • the receiving unit 810 is configured to receive the ciphertext (C, B) of the transaction amount sent by the sender 70; wherein, the ciphertext (C, B) of the transaction amount is the plaintext of the transaction amount by the sender 70 using the addition homomorphic encryption algorithm M-encrypted ciphertext;
  • the length of the plaintext M of the transaction amount is U.
  • the verification unit 820 is configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2 U -1], please refer to S303 for details. Or the description of S404.
  • the verification unit 820 is configured to verify that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range; wherein, the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range by the sender 70
  • the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range by the sender 70
  • the sender 70 For details, please refer to the description of 1) in S604.
  • the transaction amount includes an output amount; the verification unit 820 is further configured to verify that the ciphertext C' of the difference between the input amount and the output amount is the added homomorphic zero knowledge of the ciphertext encrypted with the plaintext being zero.
  • C' is the ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount
  • the ciphertext of the input amount is the ciphertext of the amount received by the sender 70 in the previous transaction, or the input amount
  • the ciphertext is the ciphertext generated by the sender 70 by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction
  • the ciphertext C' of the difference between the input amount and the output amount is a secret with a plaintext of zero.
  • the addition of the homomorphic zero knowledge of the text is generated by the sender 70. For details, please refer to 2 in S604. description of.
  • the blockchain system further includes a supervisor, and the public key of the addencing homomorphic encryption algorithm is provided by the supervisor.
  • the verification unit 820 is further configured to verify the zero-knowledge proof of the ciphertext (C, B) that the supervisor can decrypt the transaction amount; wherein the supervisor can decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount by the sender 70 generation, please refer to the description of 1) in S604 for details.
  • the embodiment of the present application further provides another sender.
  • the sender 90 may at least include: at least one processor 901, at least one network interface 904, a user interface 903, a memory 905, and at least one communication bus 902. , display 906.
  • the communication bus 902 is used to implement connection communication between these components.
  • each component in the sender 90 may also be coupled through other connectors, which may include various types of interfaces, transmission lines, buses, etc.
  • coupling refers to interconnections in a particular manner, including being directly connected or indirectly connected by other devices.
  • the processor 901 may include at least one of the following types: a central processing unit (CPU), a digital signal processor (DSP), a microprocessor, and an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), Microcontroller Unit (MCU), Field Programmable Gate Array (FPGA), or integrated circuit for implementing logic operations.
  • processor 901 can be a single-CPU processor or a multi-core processor.
  • the plurality of processors or units included within processor 901 may be integrated in one chip or on a plurality of different chips.
  • the user interface 903 may include a keyboard, a physical button (pressing a button, a rocker button, etc.), a dial, a slide switch, a joystick, a click wheel, a light mouse (a light mouse is a touch sensitive surface that does not display a visual output, or is The extension of the touch sensitive surface formed by the touch screen) and the like.
  • Network interface 904 can optionally include standard wired interface, wireless interface (such as WI-FI interface X
  • the memory 905 may be a non-power-down volatile memory, such as an EMMC (Embedded Multi Media Card), a UFS (Universal Flash Storage), or a Read-Only Memory (ROM).
  • the memory 905 includes the flash in the embodiment of the present application, or other types of static storage devices that can store static information and instructions, and may also be a volatile memory, such as a random access memory ( Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions. It can also be Electrically Erasable Programmable Read-Only Memory (EEPROM) or CD-ROM (Compact Disc Read).
  • EEPROM Electrically Erasable Programmable Read-Only Memory
  • CD-ROM Compact Disc Read
  • CD-ROM Compact Discs, laser discs, CDs, digital versatile discs, Blu-ray discs, etc.
  • disk storage media or other magnetic storage devices, or can be used for carrying or storing Program code in the form of an instruction or data structure and accessible by a computer Any other computer readable storage media, but is not limited thereto.
  • the memory 905 can also optionally be at least one storage system located away from the foregoing processor 901. As shown in FIG. 9, an operating system, a network communication module, a user interface module, and program instructions may be included in the memory 905 as a computer storage medium.
  • Memory 905 can exist independently and coupled to processor 901 via a connector.
  • the memory 905 can also be integrated with the processor 901.
  • the memory 905 can store each of the program instructions that execute the solution of the present application.
  • the computer program instructions are controlled by the processor 901, and various types of computer program instructions to be executed can also be regarded as the driver of the processor 901.
  • the processor 901 is configured to execute computer program instructions stored in the memory 905 to implement the method in the method embodiments of FIGS. 3-6 of the present application.
  • the computer program instructions are large in number and can form computer executable instructions executable by at least one of the processors 901 to drive the associated processor to perform various types of processing, such as communication signals supporting the various types of wireless communication protocols described above. Processing algorithms, operating system runs, or application runs.
  • Display 906 is used to display information input by the user.
  • display 906 can include a display panel and a touch panel.
  • the display panel can be a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), a Light Emitting Diode (LED) display device, or a Cathode Ray Tube (Cathode Ray Tube). , CRT), etc. to configure the display panel.
  • Touch panels also known as touch screens, touch sensitive screens, etc., can collect contact or non-contact operations on or near the user (eg, the user uses a finger, stylus, etc.
  • the operation near the touch panel may also include a somatosensory operation; the operation includes a single point control operation, a multi-point control operation, and the like, and the corresponding connection device is driven according to a preset program.
  • the verification party 100 may include at least: at least one processor 1001, at least one network interface 1004, a user interface 1003, and a memory 1005.
  • the communication bus 1002 is used to implement connection communication between these components.
  • each component in the authenticator 100 may also be coupled by other connectors, which may include various types of interfaces, transmission lines, buses, etc.
  • coupling refers to interconnections in a particular manner, including being directly connected or indirectly connected by other devices.
  • the processor 1001 is similar to the processor 901, and details are not described herein again.
  • the user interface 1003 is similar to the user interface 903 and will not be described here.
  • the memory 1005 is similar to the memory 905.
  • the processor 1001 is configured to execute the computer program instructions stored in the memory 905, so as to implement the method in the method embodiment of FIG. 3 to FIG. 6 in the present application, and details are not described herein.
  • the display 1006 is similar to the display 906 and will not be described again.
  • the embodiment of the present application further provides a computer readable storage medium, where the computer readable storage medium stores instructions, when it is run on a computer or a processor, causing the computer or the processor to execute any of the above data processing methods.
  • the various component modules of the above apparatus may be stored in the computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the embodiment of the present application further provides a computer program product including instructions, and the technical solution of the present application may contribute to the prior art or all or part of the technical solution may be a software product.
  • the computer software product is stored in a storage medium, including thousands of instructions for causing a computer device, mobile terminal or processor therein to perform all or part of the steps of the methods described in various embodiments of the present application.
  • a storage medium including thousands of instructions for causing a computer device, mobile terminal or processor therein to perform all or part of the steps of the methods described in various embodiments of the present application.
  • the type of storage medium please refer to the description of the memory 905 or 1005.
  • the modules in the apparatus of the embodiment of the present application may be combined, divided, and deleted according to actual needs.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

Provided in an embodiment of the present application are a data processing method, a related apparatus, and a blockchain system, wherein the method comprises: a sender using an addition homomorphic encryption algorithm to encrypt a plaintext M of a transaction amount so as to generate a ciphertext of the transaction amount, the bit length of the plaintext M of the transaction amount being U; the sender sending the ciphertext of the transaction amount to a verification party; according to the ciphertext of the transaction amount, the verification party verifying whether the plaintext M of the transaction amount is within a first effective range, the first effective range being [0, 2U-1]. The embodiment of the present application may protect the privacy of a transaction amount in a blockchain system, and protect the legitimacy of a transaction by verifying whether a transaction amount is within an effective range when a verification party is unable to learn the plaintext of the transaction amount.

Description

数据处理方法、 相关装置及区块链*** 技术领域  Data processing method, related device and blockchain system
本申请涉及区块链技术领域, 尤其涉及一种数据处理方法、 相关装置及区块链***。 背景技术  The present application relates to the field of blockchain technology, and in particular, to a data processing method, a related device, and a blockchain system. Background technique
区块链是一个分布式数据库, 它保持不断增长的名为区块(block) 的有序记录列表。 每个块包含一个时间戳和指向前一个区块的链接。 区块链天然具有防篡改数据的功能, 一 旦记录, 块中的数据不能被单方面修改。 通过使用对等网络(Peer to Peer, P2P)和分布式 时间戳服务器, 区块链上的数据可以实现自动管理。 区块链是一个开放的分布式分类帐, 可以有效地记录双方之间的交易以及其它各种信息, 并以可验证的方式永久记录。 传统区 块链上, 用户的账户余额没有经过加密直接存储在区块上, 导致用户的账户完全暴露在所 有节点上。 这种方式在实现了区块链去中心化、 信息不可篡改的基本功能外, 用户的账户 隐私完全暴露在区块链的所有节点上。  A blockchain is a distributed database that maintains a growing list of ordered records called blocks. Each block contains a timestamp and a link to the previous block. The blockchain naturally has the function of tamper-proof data. Once recorded, the data in the block cannot be unilaterally modified. By using peer-to-peer (Peer-to-Peer) (P2P) and distributed timestamp servers, data on the blockchain can be managed automatically. The blockchain is an open, distributed ledger that effectively records transactions between the parties and other various information and records them permanently in a verifiable manner. On the traditional blockchain, the user's account balance is not directly encrypted and stored on the block, causing the user's account to be completely exposed on all nodes. In this way, in addition to the basic functions of decoupling the blockchain and making the information untamperable, the user's account privacy is completely exposed on all nodes of the blockchain.
现有技术中, 采用加法同态加密可以保护区块链***中交易金额的隐私的问题, 但无 法使验证方验证交易是否有效。 因为验证方只能确定输出金额的明文与输入金额的明文相 等, 而无法确认输入金额的明文和输出金额的明文是否在有效范围内。 因此, 如何在区块 链***中保护交易金额隐私, 在验证节点无法获知交易金额的明文的情况下, 验证交易金 额的明文是否在有效范围内是丞待解决的问题。 发明内容  In the prior art, the use of additive homomorphic encryption can protect the privacy of the transaction amount in the blockchain system, but it is not possible for the verifier to verify whether the transaction is valid. Because the verifier can only determine that the plain text of the output amount is equal to the plain text of the input amount, it is impossible to confirm whether the plaintext of the input amount and the plaintext of the output amount are within the valid range. Therefore, how to protect the transaction amount privacy in the blockchain system, if the verification node cannot know the plaintext of the transaction amount, it is an urgent problem to verify whether the plaintext of the transaction amount is within the valid range. Summary of the invention
本申请实施例提供了一种数据处理方法、 相关装置及区块链***, 可以保护交易金额 的隐私, 在验证方无法获知交易金额的明文的情况下, 验证交易金额是否在有效范围内, 保证交易的合法性。  The embodiment of the present application provides a data processing method, a related device, and a blockchain system, which can protect the privacy of the transaction amount. If the verification party cannot obtain the plaintext of the transaction amount, verify whether the transaction amount is within the valid range, and ensure that the transaction amount is within the valid range. The legality of the transaction.
第一方面, 本申请实施例提供了一种数据处理方法, 应用于区块链***, 所述***包 括发送方及验证方, 所述方法包括: 所述发送方采用加法同态加密算法对交易金额的明文 M加密, 生成交易金额的密文(C, B) ; 所述发送方将所述交易金额的密文(C, B)发 送至所述验证方; 所述验证方根据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于第一有效范围; 所述第一有效范围为 [0, 2U-1] , U为所述交易金额的明文 M的 比特位长度。 In a first aspect, an embodiment of the present application provides a data processing method, which is applied to a blockchain system, where the system includes a sender and a verification party, and the method includes: the sender uses an additive homomorphic encryption algorithm to perform a transaction. The plaintext M of the amount is encrypted, and the ciphertext (C, B) of the transaction amount is generated; the sender sends the ciphertext (C, B) of the transaction amount to the verifier; the verifier according to the transaction The ciphertext of the amount (C, B) verifies whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2 U -1], and U is the plaintext M of the transaction amount Bit length.
实施本申请实施例可以在区块链***中保护交易金额的隐私, 在验证方无法获知交易 金额的明文的情况下, 验证交易金额是否在有效范围内, 保证交易的合法性。  The embodiment of the present application can protect the privacy of the transaction amount in the blockchain system, and if the verification party cannot know the plaintext of the transaction amount, verify whether the transaction amount is within the valid range, and ensure the legality of the transaction.
在一种可能的实现方式中, 所述 C =
Figure imgf000003_0001
B = g;; 其中, r 为随机生成的整数, g3 为 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法的公钥, g4=g3 aSk, ask为所述加法同态加密算法的私钥。 In a possible implementation manner, the C =
Figure imgf000003_0001
B = g;; where r is a randomly generated integer, g 3 is the generator of Gi, Gi S is the prime multiplicative group, g 4 is the public key of the additive homomorphic encryption algorithm, g 4 = g 3 aSk , ask is the private key of the addition homomorphic encryption algorithm.
在一种可能的实现方式中, 所述***还包括监管方; 所述发送方采用加法同态加密算 法对交易金额的明文 M加密, 生成交易金额的密文(C, B) 包括: 所述发送方将所述交 易金额的明文 M分割成 L份交易金额的明文 Mk, 分别采用加法同态加密算法对所述 L份 交易金额的明文 Mk进行加密, 生成 L份交易金额的密文(Ck, Bk) ; 所述加法同态加密 算法的公钥由所述监管方提供, k为正整数, k=l , L, L为大于或等于 2的正整数; 所 述验证方根据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于第一有 效范围包括: 所述验证方验证根据所述交易金额的密文(Ck, Bk)验证所述交易金额的明 文 ]^是否属于第二有效范围; 其中, 所述第二有效范围为[0, 2U-1], u为所述交易金额的
Figure imgf000004_0001
比特位长度; 所述方法还包括: 所述监管方采用与所述公钥对应的私钥解密所述 L份交易金额的密文(Ck, Bk) , 获得所述 L份交易金额的明文 Mk, 并根据所述 L份交易 金额的明文 Mk获得所述交易金额的明文 M。 In a possible implementation manner, the system further includes a supervisor; the sender encrypts the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount, including: The sender divides the plaintext M of the transaction amount into the plaintext M k of the L transaction amount, respectively, using the addition homomorphic encryption algorithm for the L shares The plaintext M k of the transaction amount is encrypted to generate a ciphertext (C k , B k ) of the L transaction amount; the public key of the addition homomorphic encryption algorithm is provided by the regulator, k is a positive integer, k=l , L, L is a positive integer greater than or equal to 2; the verification party verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount, including: the verification party Verifying whether the plaintext of the transaction amount is a second valid range according to the ciphertext (C k , B k ) of the transaction amount; wherein, the second valid range is [0, 2 U -1], u is the transaction amount
Figure imgf000004_0001
The method further includes: the supervisor uses the private key corresponding to the public key to decrypt the ciphertext (C k , B k ) of the L transaction amount, and obtains the L transaction amount. The plaintext M k , and the plaintext M of the transaction amount is obtained according to the plaintext M k of the L transaction amount.
本申请实施例可以在交易金额明文长度较大时, 先将交易金额的明文 M分割成若千份 小块的明文, 然后再分别对每个小块的明文进行加密、 以及其属于有效范围的证明等, 保 证监管方可以有效地解密每个小块交易金额的密文。  In the embodiment of the present application, when the length of the transaction amount is large, the plaintext M of the transaction amount is first divided into the plaintext of thousands of small blocks, and then the plaintext of each small block is separately encrypted, and the valid range is Proof, etc., to ensure that the regulator can effectively decrypt the ciphertext of each small transaction amount.
在一种可能的实现方式中, 上述 L份交易金额的明文 Mk长度相等。 In a possible implementation manner, the plaintext M k of the L transaction amount is equal in length.
在一种可能的实现方式中, 所述方法还包括: 所述发送方生成所述交易金额的明文 M 属于第一有效范围的零知识证明; 所述验证方根据所述交易金额的密文( C, B)验证所述 交易金额的明文 M是否属于第一有效范围包括:所述验证方验证所述交易金额的明文 M属 于第一有效范围的零知识证明。  In a possible implementation manner, the method further includes: the sender generates a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; and the ciphertext of the verification party according to the transaction amount ( C, B) verifying whether the plaintext M of the transaction amount belongs to the first valid range includes: the verification party verifies that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range.
本申请实施例可以在交易金额已加密的情况下, 使验证方验证交易金额是否属于有效 范围内, 进而验证交易的合法性。  In the embodiment of the present application, if the transaction amount is encrypted, the authenticator can verify whether the transaction amount is within the valid range, thereby verifying the legality of the transaction.
在一种可能的实现方式中, 所述交易金额包括输出金额; 所述方法还包括: 所述发送 方计算输入金额与输出金额的差值的密文 C', 并生成 C'是力口密了明文为零的密文的加法同 态零知识证明; 其中, 所述 C为根据所述输出金额的密文与所述输入金额的密文计算得到 的密文, 所述输入金额的密文为所述发送方在上一次交易中接收的金额的密文, 或者所述 输入金额的密文为所述发送方采用所述加法同态加密算法对当前交易中生成的金额进行加 密生成的密文; 所述验证方验证所述 C'是加密了明文为零的密文的加法同态零知识证明。  In a possible implementation manner, the transaction amount includes an output amount; the method further includes: the sender calculating a ciphertext C′ of a difference between the input amount and the output amount, and generating C′ is a force secret The addition homomorphic zero-knowledge proof of the ciphertext with zero plaintext; wherein C is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount The ciphertext of the amount received by the sender in the last transaction, or the ciphertext of the input amount is a secret generated by the sender by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction. The verifier verifies that the C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero.
本申请实施例可以在交易金额已加密的情况下,使验证方验证输入金额等于输出金额, 进而验证交易的合法性。  In the embodiment of the present application, if the transaction amount is encrypted, the verification party verifies that the input amount is equal to the output amount, thereby verifying the legality of the transaction.
在一种可能的实现方式中, 所述***还包括监管方, 所述加法同态加密算法的公钥由 所述监管方提供; 所述方法还包括: 所述发送方生成所述监管方可解密所述交易金额的密 文( C, B)的零知识证明; 所述验证方验证所述监管方可解密所述交易金额的密文(C, B) 的零知识证明;所述监管方采用与所述公钥对应的私钥解密所述交易金额的密文(C, B)。  In a possible implementation manner, the system further includes a supervisor, where the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the method further includes: the sender generating the supervisor a zero-knowledge proof of the ciphertext (C, B) decrypting the transaction amount; the verifier verifying that the supervisor can decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount; the regulator The ciphertext (C, B) of the transaction amount is decrypted using a private key corresponding to the public key.
本申请实施例可以在交易金额已加密的情况下, 使验证方验证监管方可解密交易金额 的密文, 从而验证密文的合法性。  In the embodiment of the present application, if the transaction amount is encrypted, the authenticator can verify that the supervisor can decrypt the ciphertext of the transaction amount, thereby verifying the legality of the ciphertext.
在一种可能的实现方式中, 所述***还包括第三方, 用于提供随机秘密丫, 所述随机秘 密 Y用于为所述第一有效范围内的每个整数生成一个数字签名; 所述发送方生成所述交易 金额的明文 M属于第一有效范围的零知识证明包括: 所述发送方根据所述第三方提供的随 机秘密 Y为所述第一有效范围内的每个整数生成数字签名生成所述交易金额的明文 M属于 第一有效范围的零知识证明。 In a possible implementation manner, the system further includes a third party, configured to provide a random secret, where the random secret Y is used to generate a digital signature for each integer in the first valid range; The zero-knowledge proof that the sender generates the plaintext M of the transaction amount that belongs to the first valid range includes: the sender generates a digital signature for each integer in the first valid range according to the random secret Y provided by the third party. The plaintext M that generates the transaction amount belongs to the zero-knowledge proof of the first valid range.
本申请实施例提供了一种具体的证明交易金额密文中的明文属于有效范围的方法, 为 有效范围内的每个数字生成一个数字签名, 证明交易金额密文中的明文属于上述数字签名 中的一个即可证明该交易金额密文中的明文属于有效范围。 在不向验证方提供交易金额明 文的情况下, 验证交易金额的合法性, 保证交易隐私。 The embodiment of the present application provides a specific method for proving that the plaintext in the transaction amount ciphertext belongs to the valid range, and is Each digit in the valid range generates a digital signature, which proves that the plaintext in the transaction amount ciphertext belongs to one of the above digital signatures, which proves that the plaintext in the transaction amount ciphertext belongs to the valid range. In the case where the verifier is not provided with the clear amount of the transaction amount, the legality of the transaction amount is verified, and the transaction privacy is guaranteed.
在一种可能的实现方式中, 所述发送方生成所述交易金额的明文 M属于第一有效范围 的零知识证明包括: 所述发送方生成 N个第一参数; N为正整数; 所述验证方验证所述交 易金额的明文 M属于第一有效范围的零知识证明包括: 所述验证方生成 N个第二参数; 其 中, 所述 N个第一参数与所述 N个第二参数—对应; 所述验证方验证所述 N个第二参数 是否与对应的所述第一参数相等, 若相等, 则所述交易金额的明文 M属于第一有效范围。  In a possible implementation manner, the zero-knowledge proof that the sender generates the plaintext M of the transaction amount that belongs to the first valid range includes: the sender generates N first parameters; N is a positive integer; The zero-knowledge proof that the verification party verifies that the plaintext M of the transaction amount belongs to the first valid range includes: the verification party generates N second parameters; wherein, the N first parameters and the N second parameters— Corresponding; the verifier verifies whether the N second parameters are equal to the corresponding first parameter, and if they are equal, the plaintext M of the transaction amount belongs to the first valid range.
本申请实施例根据对比发送方生成的第一参数与验证方生成的第二参数, 来验证交易 金额密文中的明文是否属于有效范围, 在不向验证方提供交易金额明文的情况下, 验证交 易金额的合法性, 保证交易隐私。  The embodiment of the present application verifies whether the plaintext in the transaction amount ciphertext belongs to the valid range according to the comparison between the first parameter generated by the sender and the second parameter generated by the verifier, and verifies the transaction without providing the plaintext of the transaction amount to the verifier. The legality of the amount to ensure the privacy of the transaction.
在一种可能的实现方式中, 所述发送方生成所述交易金额的明文 M属于第一有效范围 的零知识证明还包括: 所述发送方生成第一验证参数; 所述第一验证参数由所述 N个第一 参数决定;所述验证方验证所述交易金额的明文 M属于第一有效范围的零知识证明还包括: 所述验证方生成第二验证参数; 所述第二验证参数由所述 N个第二参数决定; 所述验证方 验证所述 N个第二参数是否与对应的所述第一参数相等包括: 所述验证方验证所述第一参 数是否等于所述第二验证参数,若相等,则所述 N个第二参数与相应的所述第一参数相等。  In a possible implementation manner, the sending, by the sender, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range further includes: the sender generating a first verification parameter; Determining, by the verification party, that the plaintext M of the transaction amount belongs to the first valid range, the zero-knowledge proof further includes: the verification party generates a second verification parameter; Determining whether the N second parameters are equal to the corresponding first parameter includes: the verification party verifies whether the first parameter is equal to the second verification The parameters, if equal, the N second parameters are equal to the corresponding first parameter.
本申请实施例根据发送方生成的第一验证参数与验证方生成的第二验证参数来验证发 送方生成的第一参数是否与验证方生成的第二参数相等, 进而证明交易金额密文中的明文 是否属于有效范围, 在不向验证方提供交易金额明文的情况下, 验证交易金额的合法性, 保证交易隐私。  The embodiment of the present application verifies whether the first parameter generated by the sender is equal to the second parameter generated by the verifier according to the first verification parameter generated by the sender and the second verification parameter generated by the verifier, and further proves the plaintext in the transaction amount ciphertext. Whether it is a valid scope, if the transaction amount is not provided to the verifier, the legality of the transaction amount is verified, and the transaction privacy is guaranteed.
第二方面, 本申请实施例提供了一种数据处理方法, 应用于区块链***, 所述***包 括发送方及验证方, 所述方法包括: 所述发送方采用加法同态加密算法对交易金额的明文 M 加密, 生成交易金额的密文 (C, B) ; 所述发送方将所述交易金额的密文 (C , B) 发 送至所述验证方, 以使所述验证方根据所述交易金额的密文 (C, B)验证所述交易金额的 明文 M是否属于第一有效范围; 所述第一有效范围为 [0 , 2U-1] , U为所述交易金额的明 文 M的比特位长度。 In a second aspect, the embodiment of the present application provides a data processing method, which is applied to a blockchain system, where the system includes a sender and a verification party, and the method includes: the sender uses an additive homomorphic encryption algorithm to perform a transaction. The plaintext M of the amount is encrypted, and the ciphertext (C, B) of the transaction amount is generated; the sender sends the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier is based on the The ciphertext (C, B) describing the transaction amount verifies whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2 U -1], and U is the plaintext of the transaction amount The bit length of M.
在一种可能的实现方式中, 所述 C =
Figure imgf000005_0001
B = g;; 其中, r 为随机生成的整数, g3 为 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法的公钥, g4=g3 aSk, ask为所述加法同态加密算法的私钥。 In a possible implementation manner, the C =
Figure imgf000005_0001
B = g;; where r is a randomly generated integer, g 3 is the generator of Gi, Gi S is the prime multiplicative group, g 4 is the public key of the additive homomorphic encryption algorithm, g 4 = g 3 aSk , ask is the private key of the addition homomorphic encryption algorithm.
在一种可能的实现方式中, 所述***还包括监管方; 所述发送方采用加法同态加密算 法对交易金额的明文 M 加密, 生成交易金额的密文 (C, B) 包括: 所述发送方将所述交 易金额的明文 M分割成 L份交易金额的明文 Mk, 分别采用加法同态加密算法对所述 L份 交易金额的明文 Mk进行加密, 生成 L份交易金额的密文 (Ck, Bk) , 以使所述监管方采 用与所述公钥对应的私钥解密所述 L份交易金额的密文 (Ck, Bk) , 获得所述 L份交易金 额的明文 Mk, 并根据所述 L份交易金额的明文 Mk获得所述交易金额的明文 M; 所述加法 同态加密算法的公钥由所述监管方提供, k为正整数, k=l , L; L为大于或等于 2的正 整数; 所述发送方将所述交易金额的密文 (C, B)发送至所述验证方, 以使所述验证方根 据所述交易金额的密文( C, B)验证所述交易金额的明文 M是否属于第一有效范围包括: 所述发送方将所述 L份交易金额的密文(Ck, Bk)发送至所述验证方, 以使所述验证方根 据所述交易金额的密文(Ck, Bk)验证所述交易金额的明文 Mk是否属于第二有效范围; 其 中, 所述第二有效范围为[0, 2U-1], u为所述交易金额的明文 比特位长度。 In a possible implementation manner, the system further includes a supervisor; the sender encrypts the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount, including: The sender divides the plaintext M of the transaction amount into the plaintext M k of the L transaction amount, and encrypts the plaintext M k of the L transaction amount by using an additive homomorphic encryption algorithm, respectively, to generate a ciphertext of the L transaction amount. (C k , B k ) , such that the supervisor uses the private key corresponding to the public key to decrypt the ciphertext (C k , B k ) of the L transaction amount, and obtains the L transaction amount plaintext M k, and the plaintext M according to the transaction amount to the transaction amount plaintext parts L M K; adding the homomorphic public key encryption algorithm provided by the regulators, k is a positive integer, k = l , L; L is a positive integer greater than or equal to 2; the sender sends the ciphertext (C, B) of the transaction amount to the verifier, so that the verification root Determining whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount includes: the sender quoting the ciphertext of the L transaction amount (C k , B k ) Sending to the verifier, so that the verifier verifies whether the plaintext M k of the transaction amount belongs to the second valid range according to the ciphertext (C k , B k ) of the transaction amount; wherein, the second party The valid range is [0, 2 U -1], where u is the length of the plaintext bit of the transaction amount.
在一种可能的实现方式中, 上述 L份交易金额的明文 Mk长度相等。 In a possible implementation manner, the plaintext M k of the L transaction amount is equal in length.
在一种可能的实现方式中, 所述方法还包括: 所述发送方生成所述交易金额的明文 M 属于第一有效范围的零知识证明; 所述发送方将所述交易金额的密文(C, B)发送至所述 验证方, 以使所述验证方根据所述交易金额的密文( C, B)验证所述交易金额的明文 M是 否属于第一有效范围包括:所述发送方将所述交易金额的密文(C, B)发送至所述验证方, 以使所述验证方根据所述交易金额的密文(C, B)验证所述交易金额的明文 M属于第一 有效范围的零知识证明。  In a possible implementation, the method further includes: the sender generates a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; and the sender sends the ciphertext of the transaction amount ( C, B) sent to the verifier, so that the verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount, including: the sender Transmitting the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies that the plaintext M of the transaction amount belongs to the first according to the ciphertext (C, B) of the transaction amount Zero knowledge proof of the valid range.
在一种可能的实现方式中, 所述交易金额包括输出金额; 所述方法还包括: 所述发送 方计算输入金额与输出金额的差值的密文 C', 并生成 C'是力口密了明文为零的密文的加法同 态零知识证明, 以使所述验证方验证所述 C'是加密了明文为零的密文的加法同态零知识证 明; 其中, 所述 C为根据所述输出金额的密文与所述输入金额的密文计算得到的密文, 所 述输入金额的密文为所述发送方在上一次交易中接收的金额的密文, 或者所述输入金额的 密文为所述发送方采用所述加法同态加密算法对当前交易中生成的金额进行加密生成的密 文。  In a possible implementation manner, the transaction amount includes an output amount; the method further includes: the sender calculating a ciphertext C′ of a difference between the input amount and the output amount, and generating C′ is a force secret An additive homomorphic zero-knowledge proof of a ciphertext having a plaintext of zero, such that the verifier verifies that the C' is an additive homomorphic zero-knowledge proof that encrypts a plaintext with a plaintext of zero; wherein, the C is based on a ciphertext calculated by the ciphertext of the output amount and the ciphertext of the input amount, the ciphertext of the input amount being a ciphertext of the amount received by the sender in the previous transaction, or the input amount The ciphertext is a ciphertext generated by the sender by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction.
在一种可能的实现方式中, 所述***还包括监管方, 所述加法同态加密算法的公钥由 所述监管方提供; 所述方法还包括: 所述发送方生成所述监管方可解密所述交易金额的密 文 C的零知识证明, 以使所述验证方验证所述监管方可解密所述交易金额的密文 C的零知 识证明。  In a possible implementation manner, the system further includes a supervisor, where the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the method further includes: the sender generating the supervisor Decrypting the zero-knowledge proof of the ciphertext C of the transaction amount to enable the verifier to verify that the supervisor can decrypt the zero-knowledge proof of the ciphertext C of the transaction amount.
在一种可能的实现方式中, 所述***还包括第三方, 用于提供随机秘密 Y, 所述随机秘 密 Y用于为所述第一有效范围内的每个整数生成一个数字签名; 所述发送方生成所述交易 金额的明文 M属于第一有效范围的零知识证明包括: 所述发送方根据所述第三方提供的随 机秘密 Y为所述第一有效范围内的每个整数生成的数字签名生成所述交易金额的明文 M属 于第一有效范围的零知识证明。 In a possible implementation manner, the system further includes a third party, configured to provide a random secret Y, where the random secret Y is used to generate a digital signature for each integer in the first valid range; The zero-knowledge proof that the sender generates the plaintext M of the transaction amount that belongs to the first valid range includes: the sender generates the number generated according to the random secret Y provided by the third party as each integer in the first valid range. The plaintext M in which the signature generates the transaction amount belongs to the zero-knowledge proof of the first valid range.
第三方面, 本申请实施例提供了一种数据处理方法, 应用于区块链***, 所述***包 括发送方及验证方,所述方法包括:所述验证方接收所述发送方发送的交易金额的密文( C, B) ; 其中, 所述交易金额的密文(C, B) 为所述发送方采用加法同态加密算法对交易金 额的明文 M加密生成的密文; 所述交易金额的明文 M的比特位长度为 U; 所述验证方根 据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于第一有效范围; 所 述第一有效范围为[0, 2U-1]。 In a third aspect, an embodiment of the present application provides a data processing method, which is applied to a blockchain system, where the system includes a sender and a verification party, and the method includes: the verification party receives a transaction sent by the sender. The ciphertext of the amount (C, B); wherein, the ciphertext (C, B) of the transaction amount is a ciphertext generated by the sender using the addition homomorphic encryption algorithm to encrypt the plaintext M of the transaction amount; The bit length of the plaintext M of the amount is U; the verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount; the first valid range is [0, 2 U -1].
在一种可能的实现方式中, 所述验证方根据所述交易金额的密文(C, B)验证所述交 易金额的明文 M是否属于第一有效范围包括: 所述验证方验证所述交易金额的明文 M属 于第一有效范围的零知识证明; 其中, 所述交易金额的明文 M属于第一有效范围的零知识 证明由所述发送方生成。  In a possible implementation manner, the verifying party verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount includes: the verifier verifies the transaction The plaintext M of the amount belongs to the zero-knowledge proof of the first valid range; wherein, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range is generated by the sender.
在一种可能的实现方式中, 所述交易金额包括输出金额; 所述方法还包括: 所述验证 方验证输入金额与所述输出金额的差值的密文 C'是加密了明文为零的密文的加法同态零知 识证明;其中,所述 C为根据所述输出金额的密文与所述输入金额的密文计算得到的密文, 所述输入金额的密文为所述发送方在上一次交易中接收的金额的密文, 或者所述输入金额 的密文为所述发送方采用所述加法同态加密算法对当前交易中生成的金额加密生成的密文; 所述输入金额与所述输出金额的差值的密文 C'是加密了明文为零的密文的加法同态零知识 证明由所述发送方生成。 In a possible implementation manner, the transaction amount includes an output amount; the method further includes: the verifying The ciphertext C' that verifies the difference between the input amount and the output amount is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero; wherein C is a ciphertext and a place according to the output amount a ciphertext calculated by the ciphertext of the input amount, the ciphertext of the input amount being a ciphertext of the amount received by the sender in the previous transaction, or the ciphertext of the input amount being used by the sender The ciphertext generated by the addition homomorphic encryption algorithm for encrypting the amount generated in the current transaction; the ciphertext C' of the difference between the input amount and the output amount is an addition homomorphism of the ciphertext encrypted with plaintext zero A zero knowledge proof is generated by the sender.
在一种可能的实现方式中, 所述***还包括监管方, 所述加法同态加密算法的公钥由 所述监管方提供; 所述方法还包括: 所述验证方还用于验证所述监管方可解密所述交易金 额的密文(C, B) 的零知识证明; 其中, 所述监管方可解密所述交易金额的密文(C, B) 的零知识证明由所述发送方生成。  In a possible implementation manner, the system further includes a supervisor, where the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the method further includes: the authenticator is further configured to verify the The supervisor can decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount; wherein the supervisor can decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount by the sender generate.
第四方面, 本申请实施例提供了一种区块链***, 所述***包括发送方及验证方: 所 述发送方用于采用加法同态加密算法对交易金额的明文 M加密,生成交易金额的密文( C, B) , 并将所述交易金额的密文(C, B)发送至所述验证方; 所述验证方用于根据所述交 易金额的密文(C, B)验证所述交易金额的明文 M是否属于第一有效范围; 所述第一有 效范围为 [0, 2U-1] , U为所述交易金额的明文 M的比特位长度。 In a fourth aspect, the embodiment of the present application provides a blockchain system, where the system includes a sender and a verification party: the sender is configured to encrypt the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm to generate a transaction amount. Ciphertext (C, B), and sending the ciphertext (C, B) of the transaction amount to the verifier; the verifier is used to verify the ciphertext (C, B) according to the transaction amount Whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2 U -1], and U is the bit length of the plaintext M of the transaction amount.
在一种可能的实现方式中, 所述 C = B = g;; 其中, r 为随机生成的整数, g3 为 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法的公钥, g4=g3 aSk, ask为所述加法同态加密算法的私钥。 In a possible implementation manner, the C = B = g;; wherein r is a randomly generated integer, g 3 is a generator of Gi, Gi S is a multiplicative group of prime numbers, and g 4 is the addition The public key of the homomorphic encryption algorithm, g 4 =g 3 aSk , ask is the private key of the addition homomorphic encryption algorithm.
在一种可能的实现方式中, 所述***还包括监管方; 所述发送方用于将所述交易金额 的明文 M分割成 L份交易金额的明文 Mk, 分别采用加法同态加密算法对所述 L份交易金 额的明文 进行加密, 生成 L份交易金额的密文(Ck, Bk) ; 所述加法同态加密算法的 公钥由所述监管方提供, k为正整数, k=l , L; L为大于或等于 2的正整数; 所述验证 方用于根据所述交易金额的密文(Ck, Bk)验证所述交易金额的的明文 MkS否属于第二有 效范围; 所述第二有效范围为 [0, 2U-1] , u为所述交易金额的明文 比特位长度; 所述 监管方用于采用与所述公钥对应的私钥解密所述 L份交易金额的密文(Ck, Bk) , 获得所 述 L份交易金额的明文 Mk, 并根据所述 L份交易金额的明文 Mk获得所述交易金额的明文 M。 In a possible implementation, the system further includes a supervisor; the sender is configured to divide the plaintext M of the transaction amount into the plaintext M k of the L transaction amount, respectively, using an additive homomorphic encryption algorithm The plaintext of the L transaction amount is encrypted to generate a ciphertext (C k , B k ) of the L transaction amount; the public key of the addition homomorphic encryption algorithm is provided by the regulator, k is a positive integer, k =l , L; L is a positive integer greater than or equal to 2; the verifier is used to verify the plaintext M k S of the transaction amount according to the ciphertext (C k , B k ) of the transaction amount a second valid range; the second valid range is [0, 2 U -1], where u is a plaintext bit length of the transaction amount; the supervisor is configured to decrypt the private key corresponding to the public key parts of said transaction amount L ciphertext (C k, B k), obtaining the transaction amount L parts plaintext M k, and obtains the plain of the transaction amount based on the transaction amount L parts plaintext M k M.
在一种可能的实现方式中, 所述发送方还用于生成所述交易金额的明文 M属于第一有 效范围的零知识证明; 所述验证方用于根据所述交易金额的密文(C, B)验证所述交易金 额的明文 M属于第一有效范围的零知识证明。  In a possible implementation, the sender is further configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; the verifier is used for the ciphertext according to the transaction amount (C B) Verify that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range.
在一种可能的实现方式中, 所述交易金额包括输出金额; 所述发送方还用于计算输入 金额与输出金额的差值的密文 C', 并生成 C'是加密了明文为零的密文的加法同态零知识证 明; 其中, 所述 C为根据所述输出金额的密文与所述输入金额的密文计算得到的密文, 所 述输入金额的密文为所述发送方在上一次交易中接收的金额的密文, 或者所述输入金额的 密文为所述发送方采用所述加法同态加密算法对当前交易中生成的金额加密生成的密文; 所述验证方还用于验证所述 C'是加密了明文为零的密文的加法同态零知识证明。  In a possible implementation manner, the transaction amount includes an output amount; the sender is further configured to calculate a ciphertext C′ of a difference between the input amount and the output amount, and generate C′ to encrypt the plaintext to zero. Encryption homomorphic zero-knowledge proof of ciphertext; wherein, C is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount is the sender The ciphertext of the amount received in the last transaction, or the ciphertext of the input amount is a ciphertext generated by the sender by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction; the authenticator It is also used to verify that the C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero.
在一种可能的实现方式中, 所述***还包括监管方, 所述加法同态加密算法的公钥由 所述监管方提供; 所述发送方还用于生成所述监管方可解密所述交易金额的密文(C, B) 的零知识证明; 所述验证方还用于验证所述监管方可解密所述交易金额的密文(c, B)的 零知识证明;所述监管方用于采用与所述公钥对应的私钥解密所述交易金额的密文( C, B)。 In a possible implementation, the system further includes a supervisor, the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the sender is further configured to generate the supervisor to decrypt the The ciphertext of the transaction amount (C, B) Zero-knowledge proof; the verifier is further configured to verify that the supervisor can decrypt the zero-knowledge proof of the ciphertext (c, B) of the transaction amount; the supervisor is configured to adopt a corresponding to the public key The private key decrypts the ciphertext (C, B) of the transaction amount.
在一种可能的实现方式中, 所述***还包括第三方, 用于提供随机秘密丫, 所述随机秘 密 Y用于为所述第一有效范围内的每个整数生成一个数字签名; 所述发送方用于根据所述 第三方提供的随机秘密 Y为所述有效范围内的每个整数生成的数字签名生成所述交易金额 的明文属于第一有效范围的零知识证明。 In a possible implementation manner, the system further includes a third party, configured to provide a random secret, where the random secret Y is used to generate a digital signature for each integer in the first valid range; The sender is configured to generate a zero-knowledge proof that the plaintext of the transaction amount belongs to the first valid range according to the digital signature generated by the random secret Y provided by the third party for each integer in the valid range.
在一种可能的实现方式中, 所述发送方用于生成 N个第一参数; 所述<验证方用于生成 N个第二参数; 其中, 所述 N个第一参数与所述 N个第二参数—对应; 验证所述 N个第 二参数是否与对应的所述第一参数相等, 若相等, 则所述交易金额的明文 M属于第一有效 范围。  In a possible implementation, the sender is used to generate N first parameters, and the <authenticator is used to generate N second parameters; where the N first parameters and the N The second parameter-corresponding; verifying whether the N second parameters are equal to the corresponding first parameter, and if they are equal, the plaintext M of the transaction amount belongs to the first valid range.
在一种可能的实现方式中, 所述发送方还用于生成第一验证参数; 所述第一验证参数 由所述 N个第一参数决定; 所述验证方还用于生成第二验证参数; 所述第二验证参数由所 述 N个第二参数决定; 所述验证方还用于验证所述第一参数是否等于所述第二验证参数, 若相等, 则所述 N个第二参数与相应的所述第一参数相等。  In a possible implementation manner, the sender is further configured to generate a first verification parameter, where the first verification parameter is determined by the N first parameters, and the verification party is further configured to generate a second verification parameter. The second verification parameter is determined by the N second parameters; the verifier is further configured to verify whether the first parameter is equal to the second verification parameter, and if they are equal, the N second parameters Equal to the corresponding first parameter.
第五方面, 本申请实施例提供了一种发送方, 应用于区块链***, 所述***包括发送 方及<验证方, 所述发送方包括: 加密单元, 用于采用加法同态加密算法对交易金额的明文 M加密,生成交易金额的密文(C, B);其中,所述交易金额的明文 M的比特位长度为 U; 发送单元, 用于将所述交易金额的密文(C, B)发送至所述验证方, 以使所述验证方根据 所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于第一有效范围; 所述 第一有效范围为[0, 2U-1] , U为所述交易金额的明文 M的比特位长度。 In a fifth aspect, the embodiment of the present application provides a sender, which is applied to a blockchain system, where the system includes a sender and a <authenticator, and the sender includes: an encryption unit, configured to use an additive homomorphic encryption algorithm. Encrypting the plaintext M of the transaction amount, generating a ciphertext (C, B) of the transaction amount; wherein, the plaintext M of the transaction amount has a bit length U; and a sending unit, configured to cipher the transaction amount ( C, B) sent to the verifier, so that the verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount; the first valid The range is [0, 2 U -1], and U is the bit length of the plaintext M of the transaction amount.
在一种可能的实现方式中, 所述 C = B = g;; 其中, r 为随机生成的整数, g3 为 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法的公钥, g4=g3 aSk, ask为所述加法同态加密算法的私钥。 In a possible implementation manner, the C = B = g;; wherein r is a randomly generated integer, g 3 is a generator of Gi, Gi S is a multiplicative group of prime numbers, and g 4 is the addition The public key of the homomorphic encryption algorithm, g 4 =g 3 aSk , ask is the private key of the addition homomorphic encryption algorithm.
在一种可能的实现方式中,所述***还包括监管方;所述加密单元包括:分割子单元, 用于将所述交易金额的明文 M分割成 L份交易金额的明文 Mk;其中, k为正整数, k=l, ...,In a possible implementation, the system further includes a supervisor; the encryption unit includes: a split subunit, configured to divide the plaintext M of the transaction amount into a plaintext Mk of the L transaction amount ; wherein k is a positive integer, k=l, ...,
L; L为大于或等于 2的正整数; 加密子单元, 用于分别采用加法同态加密算法对所述 L份 交易金额的明文 ]^加密, 生成 L份交易金额的密文(Ck, Bk), 以使所述监管方采用与 所述公钥对应的私钥解密所述 L份交易金额的密文(Ck, Bk), 获得所述 L份交易金额的 明文 Mk, 并根据所述 L份交易金额的明文 Mk获得所述交易金额的明文 M; 所述加法同态 加密算法的公钥由所述监管方提供;所述发送单元,用于将所述 L份交易金额的密文(Ck, Bk)发送至所述验证方, 以使所述验证方根据所述交易金额的密文(Ck, Bk)验证所述交 易金额的明文 Mk是否属于第二有效范围; 其中, 所述第二有效范围为[0, 2U-1], u为所述 交易金额的明文 Mk的比特位长度。 L; L is a positive integer greater than or equal to 2; an encryption subunit, configured to encrypt the plaintext of the L transaction amount by using an additive homomorphic encryption algorithm, respectively, to generate a ciphertext of the transaction amount of L (C k , B k ), to enable the supervisor to decrypt the ciphertext (C k , B k ) of the L transaction amount by using a private key corresponding to the public key, to obtain the plaintext M k of the L transaction amount, And obtaining, according to the plaintext M k of the L transaction amount, a plaintext M of the transaction amount; the public key of the addition homomorphic encryption algorithm is provided by the supervisor; the sending unit, configured to use the L share transaction amount ciphertext (C k, B k) is sent to the verifier to cause the verifier verifying the plaintext M k transaction amount whether the transaction amount based on the ciphertext (C k, B k) It belongs to the second valid range; wherein, the second valid range is [0, 2 U -1], and u is the bit length of the plaintext M k of the transaction amount.
在一种可能的实现方式中, 所述发送方还包括: 第一生成单元, 用于生成所述交易金 额的明文 M属于第一有效范围的零知识证明;所述发送单元用于将所述交易金额的密文( C, B)发送至所述验证方, 以使所述验证方根据所述交易金额的密文(C, B)验证所述交易 金额的明文 M属于第一有效范围的零知识证明。  In a possible implementation, the sender further includes: a first generating unit, configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to a first valid range; the sending unit is configured to: The ciphertext (C, B) of the transaction amount is sent to the verifier, so that the verifier verifies that the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount. Zero knowledge proof.
在一种可能的实现方式中, 所述交易金额包括输出金额; 所述发送方还包括: 第二生 成单元, 用于计算输入金额与输出金额的差值的密文 C', 并生成 C'是加密了明文为零的密 文的加法同态零知识证明, 以使所述验证方验证所述 C'是加密了明文为零的密文的加法同 态零知识证明; 其中, 所述 C为根据所述输出金额的密文与所述输入金额的密文计算得到 的密文, 所述输入金额的密文为所述发送方在上一次交易中接收的金额的密文, 或者所述 输入金额的密文为所述发送方采用所述加法同态加密算法对当前交易中生成的金额加密生 成的密文。 In a possible implementation, the transaction amount includes an output amount; the sender further includes: a second student a unit, a ciphertext C' for calculating a difference between the input amount and the output amount, and generating C' is an additive homomorphic zero-knowledge proof of the ciphertext encrypted with plaintext zero, so that the verifier verifies the C' is an additive homomorphic zero-knowledge proof of the ciphertext in which the plaintext is zero; wherein C is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, the input The ciphertext of the amount is the ciphertext of the amount received by the sender in the previous transaction, or the ciphertext of the input amount is the sender encrypting the amount generated in the current transaction by using the adding homomorphic encryption algorithm by the sender Generated ciphertext.
在一种可能的实现方式中, 所述***还包括监管方, 所述加法同态加密算法的公钥由 所述监管方提供; 所述发送方还包括: 第三生成单元, 用于生成所述监管方可解密所述交 易金额的密文(C, B) 的零知识证明, 以使所述验证方验证所述监管方可解密所述交易金 额的密文(C, B) 的零知识证明。  In a possible implementation, the system further includes a supervisor, the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; the sender further includes: a third generating unit, configured to generate The supervisor may decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount to enable the verifier to verify that the supervisor can decrypt the zero knowledge of the ciphertext (C, B) of the transaction amount prove.
在一种可能的实现方式中, 所述***还包括第三方, 用于提供随机秘密丫, 所述随机秘 密 Y用于为所述第一有效范围内的每个整数生成一个数字签名; 所述第一生成单元用于根 据所述第三方提供的随机秘密 y为所述第一有效范围内的每个整数生成的数字签名生成所 述交易金额的密文 C的明文 M属于第一有效范围的零知识证明。 In a possible implementation manner, the system further includes a third party, configured to provide a random secret, where the random secret Y is used to generate a digital signature for each integer in the first valid range; The first generating unit is configured to generate the plaintext M of the ciphertext C of the transaction amount according to the digital signature generated by the third party provided by the third party for each integer in the first valid range to belong to the first valid range. Zero knowledge proof.
第六方面, 本申请实施例提供了一种验证方, 应用于区块链***, 所述***包括发送 方及验证方,所述验证方包括:接收单元,用于接收所述发送方发送的交易金额的密文(C, B) ; 其中, 所述交易金额的密文(C , B) 为所述发送方采用加法同态加密算法对交易金 额的明文 M加密生成的密文; 所述交易金额的明文 M的比特位长度为 U; 验证单元, 用 于根据所述交易金额的密文( C, B)验证所述交易金额的明文 M是否属于第一有效范围; 所述第一有效范围为[0, 2U-1]。 In a sixth aspect, the embodiment of the present application provides a verification party, which is applied to a blockchain system, where the system includes a sender and a verification party, where the verification party includes: a receiving unit, configured to receive the sending by the sender The ciphertext (C, B) of the transaction amount; wherein, the ciphertext (C, B) of the transaction amount is a ciphertext generated by the sender using the addition homomorphic encryption algorithm to encrypt the plaintext M of the transaction amount; The length of the plaintext M of the transaction amount is U; the verification unit is configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range; The range is [0, 2 U -1].
在一种可能的实现方式中, 所述 C =
Figure imgf000009_0001
B = g;; 其中, r 为随机生成的整数, g3 为 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法的公钥, g4=g3 aSk, ask为所述加法同态加密算法的私钥。 In a possible implementation manner, the C =
Figure imgf000009_0001
B = g;; where r is a randomly generated integer, g 3 is the generator of Gi, Gi S is the prime multiplicative group, g 4 is the public key of the additive homomorphic encryption algorithm, g 4 = g 3 aSk , ask is the private key of the addition homomorphic encryption algorithm.
在一种可能的实现方式中, 所述验证单元用于<验证所述交易金额的明文 M属于第一有 效范围的零知识证明; 其中, 所述交易金额的明文 M属于第一有效范围的零知识证明由所 述发送方生成。  In a possible implementation manner, the verification unit is configured to verify that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range; wherein, the plaintext M of the transaction amount belongs to the zero of the first valid range The proof of knowledge is generated by the sender.
在一种可能的实现方式中, 所述交易金额包括输出金额; 所述验证单元还用于验证输 入金额与所述输出金额的差值的密文 C'是加密了明文为零的密文的加法同态零知识证明; 其中, 所述 C为根据所述输出金额的密文与所述输入金额的密文计算得到的密文, 所述输 入金额的密文为所述发送方在上一次交易中接收的金额的密文, 或者所述输入金额的密文 为所述发送方采用所述加法同态加密算法对当前交易中生成的金额进行加密生成的密文, 所述输入金额与所述输出金额的差值的密文 C'是加密了明文为零的密文的加法同态零知识 证明由所述发送方生成。  In a possible implementation manner, the transaction amount includes an output amount; the verification unit is further configured to verify that the ciphertext C′ of the difference between the input amount and the output amount is a ciphertext encrypted with a plaintext of zero. Adding a homomorphic zero-knowledge proof; wherein, the C is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount is the sender last time The ciphertext of the amount received in the transaction, or the ciphertext of the input amount is a ciphertext generated by the sender by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction, the input amount and the amount The ciphertext C' describing the difference of the output amount is the added homomorphic zero-knowledge proof of the ciphertext in which the plaintext is zero is generated by the sender.
在一种可能的实现方式中, 所述***还包括监管方, 所述加法同态加密算法的公钥由 所述监管方提供;所述验证单元还用于验证所述监管方可解密所述交易金额的密文( C, B) 的零知识证明; 其中, 所述监管方可解密所述交易金额的密文(C, B) 的零知识证明由所 述发送方生成。  In a possible implementation, the system further includes a supervisor, the public key of the addicating homomorphic encryption algorithm is provided by the supervisor; the verification unit is further configured to verify that the supervisor can decrypt the A zero-knowledge proof of the ciphertext (C, B) of the transaction amount; wherein the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is generated by the sender.
第七方面, 本申请实施例提供了一种发送方, 应用于区块链***, 所述***包括发送 方及验证方, 所述发送方包括: 处理器、 存储器和收发器, 其中: 所述处理器、 所述存储 器和所述收发器相互连接, 所述存储器用于存储计算机程序, 所述计算机程序包括程序指 令, 所述处理器被配置用于调用所述程序指令, 执行本申请实施例第二方面或第二方面的 任一种可能的实现方式提供的数据处理方法。 In a seventh aspect, the embodiment of the present application provides a sender, which is applied to a blockchain system, where the system includes sending And the authenticator, the sender includes: a processor, a memory, and a transceiver, wherein: the processor, the memory, and the transceiver are connected to each other, the memory is used to store a computer program, the computer program Included in the program instruction, the processor is configured to invoke the program instruction, and execute the data processing method provided by the second aspect of the embodiment of the present application or any possible implementation manner of the second aspect.
第八方面, 本申请实施例提供了一种验证方, 应用于区块链***, 所述***包括发送 方及验证方, 所述验证方包括: 处理器、 存储器和收发器, 其中: 所述处理器、 所述存储 器和所述收发器相互连接, 所述存储器用于存储计算机程序, 所述计算机程序包括程序指 令, 所述处理器被配置用于调用所述程序指令, 执行本申请实施例第三方面或第三方面的 任一种可能的实现方式提供的数据处理方法。  In an eighth aspect, the embodiment of the present application provides a verification party, which is applied to a blockchain system, where the system includes a sender and a verification party, where the verification party includes: a processor, a memory, and a transceiver, where: The processor, the memory, and the transceiver are connected to each other, the memory is used to store a computer program, the computer program includes program instructions, the processor is configured to invoke the program instructions, and the embodiment of the present application is executed. A data processing method provided by the third aspect or any one of the possible implementations of the third aspect.
第九方面, 本申请实施例提供了一种计算机可读存储介质, 所述计算机可读存储介质 存储有计算机程序, 所述计算机程序包括程序指令, 所述程序指令当被处理器执行时, 使 所述处理器执行本申请实施例第二方面或第二方面的任一种可能的实现方式提供的数据处 理方法。  In a ninth aspect, the embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores a computer program, where the computer program includes program instructions, when executed by a processor, The processor performs the data processing method provided by the second aspect of the embodiment of the present application or any possible implementation manner of the second aspect.
第十方面, 本申请实施例提供了一种计算机可读存储介质, 所述计算机可读存储介质 存储有计算机程序, 所述计算机程序包括程序指令, 所述程序指令当被处理器执行时, 使 所述处理器执行本申请实施例第三方面或第三方面的任一种可能的实现方式提供的数据处 理方法。  In a tenth aspect, the embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores a computer program, where the computer program includes program instructions, when the program instructions are executed by a processor, The processor performs the data processing method provided by the third aspect of the embodiment of the present application or any possible implementation manner of the third aspect.
实施本申请实施例可以在区块链***中保护交易金额的隐私, 在验证方无法获知交易 金额的明文的情况下, 验证交易金额是否在有效范围内, 保证交易的合法性。 同时, 在交 易金额明文的比特位长度较大时, 可以将交易金额的明文分割成若千份小块的交易金额的 明文,然后再分别对每个小块的交易金额的明文进行力 P密、以及其属于有效范围的证明等, 保证监管方可以有效地解密每个小块交易金额的密文。 附图说明  The embodiment of the present application can protect the privacy of the transaction amount in the blockchain system, and if the verification party cannot know the plaintext of the transaction amount, verify whether the transaction amount is within the valid range, and ensure the legality of the transaction. At the same time, when the length of the transaction amount is clear, the plaintext of the transaction amount can be divided into the plaintext of the transaction amount of thousands of small pieces, and then the plaintext of the transaction amount of each small piece is separately P And the proof of its valid scope, etc., to ensure that the regulator can effectively decrypt the ciphertext of each small transaction amount. DRAWINGS
为了更清楚地说明本申请实施例或现有技术中的技术方案, 下面将对实施例或现有技 术描述中所需要使用的附图作筒单地介绍。  In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings to be used in the embodiments or the prior art description will be briefly described below.
图 1为本申请实施例提供的区块链***架构示意图;  FIG. 1 is a schematic structural diagram of a blockchain system according to an embodiment of the present application;
图 2为输入金额及输出金额示意图;  Figure 2 is a schematic diagram of the input amount and output amount;
图 3为本申请实施例提供的一种数据处理方法流程示意图;  3 is a schematic flowchart of a data processing method according to an embodiment of the present application;
图 4为本申请实施例提供的另一种数据处理方法流程示意图;  4 is a schematic flowchart of another data processing method according to an embodiment of the present application;
图 5为本申请实施例中发送方处理交易金额明文 M的过程示意图;  FIG. 5 is a schematic diagram of a process for a sender to process a transaction amount plaintext M according to an embodiment of the present application;
图 6为本申请实施例提供的另一种数据处理方法流程示意图;  FIG. 6 is a schematic flowchart of another data processing method according to an embodiment of the present application;
图 7为本申请实施例提供的一种发送方的结构示意图;  FIG. 7 is a schematic structural diagram of a sender according to an embodiment of the present disclosure;
图 8为本申请实施例提供的一种验证方的结构示意图;  FIG. 8 is a schematic structural diagram of a verification party according to an embodiment of the present application;
图 9为本申请实施例提供的另一种发送方的结构示意图;  FIG. 9 is a schematic structural diagram of another sender according to an embodiment of the present disclosure;
图 10为本申请实施例提供的另一种验证方的结构示意图。 具体实施方式 下面将结合附图对本申请实施例中的技术方案进行清楚、 详尽地描述。 FIG. 10 is a schematic structural diagram of another authenticator according to an embodiment of the present application. detailed description The technical solutions in the embodiments of the present application will be described clearly and in detail in conjunction with the accompanying drawings.
首先结合图 1介绍本申请实施例提供的区块链***。 如图 1所示, 区块链***至少可 以包括发送方及验证方。 其中, 发送方用于向接收方发起交易, 将交易金额加密; 验证方 用于验证发送方向接收方发起的交易是否合法。 该区块链***还可以包括监管方, 用于提 供一对公私钥, 将公钥提供给发送方使其对交易金额进行加密处理, 监管方可采用其私钥 对交易金额进行解密, 以便监测区块链网络的交易行为, 及时发现异常交易行为并作出相 应处理。 在具体地实现中, 发送方可以是发款人的手机或电脑等终端, 验证方可以是银行 的服务器等, 监管方可以是监管机构的电脑或服务器等。  First, the blockchain system provided by the embodiment of the present application is introduced in conjunction with FIG. As shown in Figure 1, the blockchain system can include at least a sender and a verifier. Wherein, the sender is used to initiate a transaction to the recipient, and the transaction amount is encrypted; the verifier is used to verify whether the transaction initiated by the sender to the receiver is legal. The blockchain system may further include a supervisor for providing a pair of public and private keys, providing the public key to the sender to encrypt the transaction amount, and the supervisor may use the private key to decrypt the transaction amount for monitoring. The trading behavior of the blockchain network, timely detection of abnormal trading behavior and corresponding treatment. In a specific implementation, the sender may be a sender's mobile phone or a computer terminal, the verification party may be a bank server, etc., and the supervisor may be a computer or server of the regulatory agency.
该区块链***可应用于联盟链场景中, 即可应用于多个无法找到统一可信第三方的组 织之间组成的联盟, 例如在金融业务的联盟链中, 发送方向接收方发起一个交易, 发送方 向接收方支付一定的交易金额, 验证方可以验证该交易是否合法。 交易是否合法主要体现 在两个方面: 第一, 输出金额是否等于输入金额; 第二, 输出金额及输入金额是否属于有 效范围。 若输出金额等于输入金额, 且输出金额及输入金额均属于有效范围, 则说明该交 易为合法的交易。 对于输出金额及输入金额的解释, 具体可参见图 2。 假设发送方 A打算 支付的交易金额为 X, 现在发送方 A要将 X分别支付给接收方 及接收方 A2, 接收方 A: 接收到的交易金额为 Y, 接收方 A2接收到的交易金额为 Z。 那么, X即为输入金额, Y和 Z即为输出金额。 只有当 X=Y+Z, 且 X, Y, Z均大于或等于 0, 且小于或等于最大值时, 表明该交易合法。 其中, 上述最大值由交易金额的比特位长度决定, 若该交易金额的比特 位长度为 U, 则最大值为 2U-1。 The blockchain system can be applied to a federated chain scenario, and can be applied to an alliance formed between multiple organizations that cannot find a unified trusted third party. For example, in a coalition chain of financial services, the sender initiates a transaction to the receiver. The sender pays a certain amount of the transaction to the receiver, and the verifier can verify whether the transaction is legal. Whether the transaction is legal or not is mainly reflected in two aspects: First, whether the output amount is equal to the input amount; Second, whether the output amount and the input amount are valid ranges. If the output amount is equal to the input amount, and the output amount and the input amount are both valid, the transaction is a legal transaction. For the explanation of the output amount and the input amount, please refer to Figure 2. Suppose that the transaction amount that the sender A intends to pay is X. Now the sender A wants to pay X to the receiver and the receiver A 2 respectively . The receiver A: The transaction amount received is Y, and the transaction received by the receiver A 2 The amount is Z. Then, X is the input amount, and Y and Z are the output amounts. Only when X=Y+Z, and X, Y, Z are greater than or equal to 0, and less than or equal to the maximum value, indicates that the transaction is legal. Wherein, the maximum value is determined by the bit length of the transaction amount, and if the bit length of the transaction amount is U, the maximum value is 2 U -1.
接下来结合图 1介绍的区块链***, 介绍本申请实施例提供的数据处理方法。 如图 3 所示, 数据处理方法至少可以包括以下几个步骤:  Next, the data processing method provided by the embodiment of the present application is introduced in conjunction with the blockchain system introduced in FIG. As shown in Figure 3, the data processing method can at least include the following steps:
S301 : 发送方采用加法同态加密算法对交易金额的明文 M加密, 生成交易金额的密文 (C, B) 。  S301: The sender encrypts the plaintext M of the transaction amount by using an addition homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount.
具体地, 上述加法同态加密算法可以是 ElGamal算法。 交易金额的密文(C, B) 中的 C为交易金额明文 M的密文主体, 6为交易金额明文 M的辅助密文, 用于在后续监管方 解密过程中辅助解密密文主体 C。  Specifically, the above addencing homomorphic encryption algorithm may be an ElGamal algorithm. C in the ciphertext (C, B) of the transaction amount is the ciphertext body of the transaction amount plaintext M, and 6 is the auxiliary ciphertext of the transaction amount plaintext M, which is used to assist in decrypting the ciphertext body C in the subsequent supervisor decryption process.
具体地, C = gf , B = g3 r ; 其中, r为随机生成的整数, g3 Gi的生成元, G:是阶 为素数的乘法群, g4为上述加法同态加密算法的公钥, g4=g3 ask, ask为上述加法同态加密算 法的私钥。 Specifically, C = gf , B = g 3 r ; where r is a randomly generated integer, a generator of g 3 Gi, G: is a multiplicative group of primes, and g 4 is the public of the above-described additive homomorphic encryption algorithm The key, g 4 =g 3 ask , ask is the private key of the above addition homomorphic encryption algorithm.
其中, 交易金额的明文 M的比特位长度为 U, U为正整数。  Among them, the plaintext M of the transaction amount has a bit length U and U is a positive integer.
在一种可能的实现方式中, 上述交易金额包括输出金额。 当交易金额只包括输出金额 时, 输入金额可以是发送方在上一次交易中接收的金额的密文, 无需再进行加密以及后续 对于交易金额属于有效范围的零知识证明的步骤。  In a possible implementation manner, the transaction amount includes an output amount. When the transaction amount includes only the output amount, the input amount may be the ciphertext of the amount received by the sender in the previous transaction, no further encryption is required, and the subsequent step of zero-knowledge proof that the transaction amount belongs to the valid range.
在另外一种可能的实现方式中,交易金额除了包括输出金额外,还可以包括输入金额。 即发送方需同时对输出金额及输入金额进行加密, 以及后续对于交易金额属于有效范围的 零知识证明等。  In another possible implementation, the transaction amount may include an input amount in addition to the output gold. That is, the sender must encrypt both the output amount and the input amount, and the subsequent zero-knowledge proof that the transaction amount is within the valid range.
可以知道的是, 发送方是否直接使用上一次交易中接收的金额的密文, 或者发送方是 否需要对输入金额进行力 P密以及后续对于交易金额属于有效范围的零知识证明等, 取决于 该区块链***的初始化设置, 即该区块链***中的交易模型是发送方直接向接收方转发其 在上一次交易中接收的交易金额, 还是该发送方在每一次交易中都会重新产生输入金额。 It can be known whether the sender directly uses the ciphertext of the amount received in the previous transaction, or whether the sender needs to force the P value of the input amount and the subsequent zero-knowledge proof that the transaction amount belongs to the valid range, etc., depending on The initial setting of the blockchain system, that is, the transaction model in the blockchain system is whether the sender directly forwards the transaction amount received by the sender in the last transaction, or whether the sender regenerates in each transaction. Enter the amount.
需要说明的是,输入金额的个数可以是至少一个,输出金额的个数也可以是至少一个。 在一种可能的实现方式中, 监管方拥有一对非对称密码, 包括公钥及私钥。 发送方可 采用监管方提供的公钥对交易金额的明文 M加密, 生成交易金额的密文, 可以保证监管方 能够采用与该公钥对应的私钥解密该交易金额的密文, 以便监管方对交易进行监管。  It should be noted that the number of input amounts may be at least one, and the number of output amounts may be at least one. In one possible implementation, the supervisor has a pair of asymmetric ciphers, including the public and private keys. The sender can encrypt the plaintext M of the transaction amount by using the public key provided by the regulator, and generate the ciphertext of the transaction amount, which can ensure that the regulator can decrypt the ciphertext of the transaction amount by using the private key corresponding to the public key, so that the regulator can Regulate the transaction.
S302: 发送方将交易金额的密文 (C, B) 发送至<验证方。  S302: The sender sends the ciphertext (C, B) of the transaction amount to the <authentic party.
具体地, 发送方采用上述加法同态加密算法对交易金额加密后, 验证方无法获知该交 易金额的明文 M, 避免了该发送方被其他节点上的用户跟踪, 从而导致信息泄露。 因此, 发送方在对交易金额的明文 M 加密后, 生成交易金额的密文 (C, B) , 并将该交易金额 的密文 ( C, B) 发送至验证方, 以使验证方对交易金额的合法性进行验证。  Specifically, after the sender encrypts the transaction amount by using the addition and homomorphic encryption algorithm, the verifier cannot know the plaintext M of the transaction amount, and the sender is prevented from being tracked by the user on other nodes, thereby causing information leakage. Therefore, after the sender encrypts the plaintext M of the transaction amount, the ciphertext (C, B) of the transaction amount is generated, and the ciphertext (C, B) of the transaction amount is sent to the authenticator, so that the verifier corrects the transaction. The legality of the amount is verified.
S303 : 验证方根据交易金额的密文 (C, B) 验证交易金额的明文 M是否属于第一有 效范围。  S303: The verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount.
具体地, 若交易金额的明文 M的比特位长度为 U, 那么第一有效范围为[0 , 2U-1]。 具体地, 验证方可以验证交易金额的明文 M属于第一有效范围的零知识证明。 该交易 金额的明文 M属于第一有效范围的零知识证明由发送方生成。 可以知道的是, 本申请实施 例可以采用加法同态的 ElGamal加密算法, 因为在该区块链***中, 加法同态的 ElGamal 加密算法可以与交易金额的明文 M属于第一有效范围的零知识证明算法兼容。 具体来说, 加法同态的 ElGamal加密算法得出的数据是二维的数据, 且有效范围的零知识证明算法得 出的数据也是二维的, 上述两种算法属于同一组数学体系, 因此这两种算法在该数学体系 里可以兼容。 可以知道的是, 零知识证明指的是证明者能够在不向验证者提供任何有用信 息的情况下, 使验证者相信某个论断是正确的。 对于交易金额的明文 M属于第一有效范围 的零知识证明, 发送方不能向验证方提供该交易金额的明文 M, 但是要使验证方相信交易 金额的明文 M属于第一有效范围。 在本申请实施例中可以为第一有效范围内的所有整数生 成一个数字签名, 发送方只需证明该交易金额的明文对应的是该第一范围内所有整数的数 字签名中的其中一个, 即可证明该交易金额的明文 M属于第一有效范围。 加法同态加密是 一种加密形式, 它允许人们对密文进行特定的代数运算得到仍是力 P密的结果, 将其解密所 得到的结果与对明文进行同样的运算结果一样。 换言之, 加法同态加密可以使人们在加密 的数据中进行操作得出正确的结果, 而整个过程无需对数据进行解密。 Specifically, if the bit length of the plaintext M of the transaction amount is U, the first valid range is [0, 2 U -1]. Specifically, the verifier can verify that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range. The zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range is generated by the sender. It can be known that the embodiment of the present application can adopt the addition homomorphic ElGamal encryption algorithm, because in the blockchain system, the addition homomorphic ElGamal encryption algorithm can be zero knowledge of the first valid range with the plaintext M of the transaction amount. Prove that the algorithm is compatible. Specifically, the data obtained by the addition homomorphic ElGamal encryption algorithm is two-dimensional data, and the data obtained by the zero-knowledge proof algorithm of the effective range is also two-dimensional, and the above two algorithms belong to the same mathematical system, so this Both algorithms are compatible in this mathematical system. It can be known that zero-knowledge proof means that the prover can believe that a certain assertion is correct without providing any useful information to the verifier. For the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, the sender cannot provide the plaintext M of the transaction amount to the verifier, but the plaintext M of the transaction amount is believed to belong to the first valid range. In the embodiment of the present application, a digital signature may be generated for all integers in the first valid range, and the sender only needs to prove that the plaintext of the transaction amount corresponds to one of the digital signatures of all integers in the first range, that is, The plaintext M that can prove the transaction amount belongs to the first valid range. Addition homomorphic encryption is an encryption form that allows people to perform a specific algebraic operation on a ciphertext to obtain a result that is still force-p-secret, and the result of decrypting it is the same as that of plaintext. In other words, additive homomorphic encryption allows people to operate in encrypted data to get the correct results without the need to decrypt the entire process.
此外, 当发送方对交易金额的明文 M使用加法同态的 ElGamal加密算法的公钥由监管 方提供时, 发送方还可以生成监管方可解密交易金额的密文 (C, B) 的零知识证明。 验证 方还可以验证上述监管方可解密交易金额的密文 (C, B) 的零知识证明。  In addition, when the sender provides the public key of the added homomorphic ElGamal encryption algorithm to the plaintext M of the transaction amount by the supervisor, the sender can also generate zero knowledge of the ciphertext (C, B) that the supervisor can decrypt the transaction amount. prove. The verifier can also verify the zero-knowledge proof of the ciphertext (C, B) that the above-mentioned regulator can decrypt the transaction amount.
可以知道的是, 发送方生成上述交易金额的明文 M属于第一有效范围的零知识证明与 生成上述监管方可解密交易金额的密文 (C, B) 的零知识证明的先后顺序不做限定。 验证 方验证上述交易金额的明文 M属于第一有效范围的零知识证明与验证上述监管方可解密交 易金额的密文 (C, B) 的零知识证明的先后顺序也不做限定。  It can be known that the order in which the sender generates the above-mentioned transaction amount of the plaintext M that belongs to the first valid range and the zero-knowledge proof that generates the ciphertext (C, B) that the above-mentioned supervisor can decrypt the transaction amount is not limited. . The verification party verifies that the plaintext M of the above transaction amount belongs to the zero-knowledge proof of the first valid range and the order of zero-knowledge proof that the above-mentioned supervisor can decrypt the transaction amount of the ciphertext (C, B) is not limited.
此外, 发送方还可以计算输入金额与输出金额的差值的密文 C', 并生成 C'是加密了明 文为零的密文的加法同态零知识证明。 验证方还可以验证上述 C'是加密了明文为零的密文 的加法同态零知识证明。 In addition, the sender can also calculate the ciphertext C' of the difference between the input amount and the output amount, and generate C' to add the homomorphic zero-knowledge proof of the ciphertext with the plaintext zero. The verifier can also verify that the above C' is a ciphertext encrypted with zero plaintext. Addition homomorphism zero knowledge proof.
可以知道的是,当输出金额等于输入金额,且输出金额及输入金额均属于有效范围时, 可证明该交易是合法的。  It can be known that when the output amount is equal to the input amount, and the output amount and the input amount are both valid ranges, the transaction can be proved to be legal.
具体地, 发送方在生成交易金额的明文 M属于第一有效范围的零知识证明时, 可生成 至少一个第一参数。而验证方在验证交易金额的明文 M属于第一有效范围的零知识证明时, 也可生成至少一个第二参数。 其中, 上述第一参数与上述第二参数—对应。 当验证方生 成的至少一个第二参数分别与发送方生成的至少一个第一参数相等时, 即可验证交易金额 的明文 M属于第一有效范围。 同样的计算方式适用于监管方可解密交易金额的密文 (C, B) 的零知识证明, 也适用于 C'是加密了明文为零的密文的加法同态零知识证明, 即验证 了输入金额等于输出金额, 在此不再赘述。  Specifically, the sender may generate at least one first parameter when the plaintext M of the transaction amount is generated to belong to the zero-knowledge proof of the first valid range. The verifier can also generate at least one second parameter when verifying that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range. The first parameter corresponds to the second parameter. When the at least one second parameter generated by the verifier is equal to the at least one first parameter generated by the sender, respectively, the plaintext M of the transaction amount is verified to belong to the first valid range. The same calculation method is applicable to the zero-knowledge proof of the ciphertext (C, B) that the supervisor can decrypt the transaction amount, and also applies to the C' is the addition homomorphic zero-knowledge proof of the ciphertext encrypted with plaintext zero, that is, the verification The input amount is equal to the output amount and will not be described here.
具体地, 发送方在生成上述零知识证明时, 还可生成一个第一验证参数, 该第一验证 参数由上述多个第一参数决定。 而验证方在验证上述零知识证明时, 也还可生成一个第二 验证参数, 该第二验证参数由上述多个第二参数决定。 当验证方生成的第二验证参数等于 上述发送方生成的第一验证参数时, 意味着上述多个第一参数分别等于上述多个第二参数 中与之对应的第二参数。 从而验证了上述零知识证明。  Specifically, when generating the zero-knowledge proof, the sender may further generate a first verification parameter, where the first verification parameter is determined by the plurality of first parameters. The verification party may also generate a second verification parameter when verifying the zero-knowledge proof, and the second verification parameter is determined by the plurality of second parameters. When the second verification parameter generated by the verifier is equal to the first verification parameter generated by the sender, it means that the plurality of first parameters are respectively equal to the second parameter corresponding to the plurality of second parameters. Thereby verifying the above zero knowledge proof.
实施本申请实施例可以在区块链***中保护交易金额的隐私, 在验证方无法获知交易 金额的明文的情况下, 验证交易金额是否在有效范围内, 保证交易的合法性。 且在有需要 时能够配合监管方的监管。  The embodiment of the present application can protect the privacy of the transaction amount in the blockchain system, and if the verification party cannot know the plaintext of the transaction amount, verify whether the transaction amount is within the valid range, and ensure the legality of the transaction. And with the supervision of the regulator when needed.
在另一种可能的实施例中, 本申请实施例提供了另外一种数据处理方法, 当交易金额 明文 M的比特位长度较大时, 监管方可能无法有效地解密比特位长度较大的交易金额明文 的密文。 因此, 在本申请实施例中可以先将交易金额的明文 M分割成若千份小块的交易金 额的明文, 然后再分别对每个小块的交易金额的明文进行加密、 解密以及其属于有效范围 的证明等, 保证监管方可以有效地解密每个小块交易金额的密文。 具体请参见图 4。 如图 4 所示, 数据处理方法至少可以包括以下几个步骤:  In another possible embodiment, the embodiment of the present application provides another data processing method. When the transaction amount of the plaintext M has a large bit length, the supervisor may not be able to effectively decrypt the transaction with a large bit length. The amount of ciphertext in plain text. Therefore, in the embodiment of the present application, the plaintext M of the transaction amount may be first divided into the plaintext of the transaction amount of thousands of small pieces, and then the plaintext of the transaction amount of each small block is separately encrypted, decrypted, and valid. Proof of scope, etc., to ensure that the regulator can effectively decrypt the ciphertext of each small transaction amount. See Figure 4 for details. As shown in Figure 4, the data processing method can at least include the following steps:
S401 : 发送方将交易金额的明文 M分割为 L份交易金额的明文 MkS401: The sender transaction amount plaintext M into L parts transaction amount plaintext M k.
可选地, 若交易金额的明文 M的比特位长度为 U, 将其分割成 L份比特位长度为 u的 交易金额的明文 Mk, 其中, L*u=U, k为正整数, k=l . L。 Optionally, if the plaintext M of the transaction amount has a length U, it is divided into a plaintext M k of the transaction amount of the L-bit length u, where L*u=U, k is a positive integer, k =l . L.
例如, 当交易金额的明文 M的比特位长度为 64时, 可以设置 L=4 , u=16 , 即将该交 易金额的明文 M分割成 4份比特位长度为 16的交易金额的明文 Mk, 其中, k=l、 2、 3、 4。 此时, 每个交易金额的明文 Mk的最大值即为 216-1。 For example, when the bit length of plaintext M of the transaction amount to 64, set L = 4, u = 16, is about the amount of the transaction plaintext M is divided into four parts bit length of the transaction amount 16 of plaintext M K, Where k = l, 2, 3, 4. At this time, the maximum value of the plaintext M k of each transaction amount is 2 16 -1.
又例如, 当交易金额的明文 M的比特位长度为 64时, 可以设置 L=8 , u=8 , 即将该交 易金额的明文 M分割成 8份比特位长度为 8的交易金额的明文 Mk, 其中, k=l、 2、 3......、For another example, when the bit length of the plaintext M of the transaction amount is 64, L=8 and u=8 may be set, that is, the plaintext M of the transaction amount is divided into the plaintext M k of the transaction amount of 8 bit lengths of 8. , where k=l, 2, 3...,
8。 此时, 每个交易金额的明文 Mk的最大值即为 28-1。 8. At this time, the maximum value of the plaintext M k of each transaction amount is 2 8 -1.
可以知道的是, 上述 L份交易金额的明文 Mk的比特位长度也可以不相等。 It can be known that the bit lengths of the plaintext M k of the above L transaction amounts may not be equal.
具体地, 交易金额可以是输出金额, 或者交易金额可以是输出金额及输入金额, 具体 取决于该区块链***的初始化设置。 详细说明可参考 S301中的描述, 在此不再赘述。  Specifically, the transaction amount may be an output amount, or the transaction amount may be an output amount and an input amount, depending on the initialization setting of the blockchain system. For details, refer to the description in S301, and details are not described here.
可以知道的是, 输出金额与输入金额的比特位长度不一定会相同, 因此发送方在分别 对输出金额及输入金额进行分割加密时, 分割的份数可以不同, 分割的交易金额的比特位 长度也可以不同。 此外, 输入金额的个数可以是至少一个, 输出金额的个数也可以是至少 一个, 即在一次交易中, 可以有多个输入金额, 也可以有多个输出金额。 It can be known that the output amount and the bit length of the input amount are not necessarily the same. Therefore, when the sender separately divides and encrypts the output amount and the input amount, the number of divided shares may be different, and the bits of the divided transaction amount may be different. The length can also be different. In addition, the number of input amounts may be at least one, and the number of output amounts may be at least one, that is, in one transaction, there may be multiple input amounts, or multiple output amounts.
S402: 发送方分别采用加法同态加密算法对 L份交易金额的明文 Mk加密, 生成 L份 交易金额的密文 (Ck, Bk) 。 S402: The sender encrypts the plaintext M k of the L transaction amount by using an additive homomorphic encryption algorithm, and generates a ciphertext (C k , B k ) of the L transaction amount.
具体地, k=l、 ...、 L。 上述加法同态加密算法的公钥可以由监管方提供。 采用监管方 提供的公钥对交易金额进行加密, 可以保证监管方能够采用与该公钥对应的私钥解密该交 易金额的密文 (Ck, Bk) , 以便监管方对交易进行监管。 Specifically, k=l, ..., L. The public key of the above addition homomorphic encryption algorithm can be provided by the supervisor. Encrypting the transaction amount by using the public key provided by the regulator can ensure that the regulator can decrypt the ciphertext (C k , B k ) of the transaction amount by using the private key corresponding to the public key, so that the regulator can supervise the transaction.
具体地, 上述加法同态加密算法可以是 ElGamal算法。 交易金额的密文 ( Ck, Bk) 中 的 Q为交易金额明文 4的密文主体, 为交易金额明文 4的辅助密文, 用于在后续监管 方解密过程中辅助解密密文主体 。 Specifically, the above addencing homomorphic encryption algorithm may be an ElGamal algorithm. Transaction amount ciphertext (C k, B k) Q is a transaction amount in plaintext ciphertext body 4, the secondary ciphertext plaintext 4 of the transaction amount for a subsequent auxiliary regulators decryption process to decrypt the ciphertext body.
具体地, Ck = gfk g[k , Bk = g ' 其中, rk为随机生成的整数, g3 Gi的生成元, Gi 是阶为素数的乘法群, g4为上述加法同态加密算法的公钥, g4=g3 ask, ask为上述加法同态加 密算法的私钥。 Specifically, C k = gf k g[ k , B k = g ' where r k is a randomly generated integer, a generator of g 3 Gi , Gi is a multiplicative group of primes, and g 4 is the above-described additive homomorphism The public key of the encryption algorithm, g 4 =g 3 ask , ask is the private key of the above addition homomorphic encryption algorithm.
S403 : 发送方将 L份交易金额的密文 (Ck, Bk) 发送至验证方。 S403: The sender sends the ciphertext (C k , B k ) of the L transaction amount to the authenticator.
具体地, 发送方对交易金额进行加法同态的 ElGamal加密后, 验证方无法获知该交易 金额的明文, 避免了该发送方被其他节点上的用户跟踪, 从而导致信息泄露。 因此, 发送 方在对交易金额的明文进行加法同态的 ElGamal加密后, 直接将该交易金额的密文发送至 验证方, 以使验证方对交易金额的合法性进行验证。  Specifically, after the sender adds the homomorphic ElGamal encryption to the transaction amount, the verifier cannot know the plaintext of the transaction amount, and the sender is prevented from being tracked by the user on other nodes, thereby causing information leakage. Therefore, after the sender adds the homomorphic ElGamal encryption to the plaintext of the transaction amount, the sender directly sends the ciphertext of the transaction amount to the authenticator, so that the verifier can verify the legality of the transaction amount.
S404: 验证方根据交易金额的密文(Ck, Bk)验证交易金额的明文 MkS否属于第二有 效范围。 S404: The verifier verifies that the plaintext M k S of the transaction amount belongs to the second valid range according to the ciphertext (C k , B k ) of the transaction amount.
具体地, 验证方分别验证每一个交易金额的明文 Mk是否属于第二有效范围, 其中, 交 易金额的明文 的比特位长度为 u, 上述第二有效范围为[0 , 2U-1]。 Specifically, the verifier verifies whether the plaintext M k of each transaction amount belongs to the second valid range, wherein the plaintext bit length of the transaction amount is u, and the second valid range is [0, 2 U -1].
具体地, 验证方可以验证交易金额的明文 Mk属于第二有效范围的零知识证明。 该交易 金额的明文 Mk属于第二有效范围的零知识证明由发送方生成。在本申请实施例中, 该区块 链***还可以包括可信第三方, 可以由该可信第三方分别为第二有效范围内的每个整数生 成一个数字签名, 发送方只需证明该交易金额的密文(Ck, Bk) 中的明文 ]^对应的是该第 二有效范围内所有整数的数字签名中的其中一个,即可证明该交易金额的明文 属于第二 有效范围。 Specifically, the verifier can verify that the plaintext M k of the transaction amount belongs to the zero-knowledge proof of the second valid range. The zero-knowledge proof that the plaintext M k of the transaction amount belongs to the second valid range is generated by the sender. In the embodiment of the present application, the blockchain system may further include a trusted third party, and the trusted third party may separately generate a digital signature for each integer in the second valid range, and the sender only needs to prove the transaction. The plaintext in the ciphertext (C k , B k ) of the amount corresponds to one of the digital signatures of all integers in the second valid range, and the plaintext of the transaction amount is proved to belong to the second valid range.
具体可见图 5, 图 5示出了发送方对交易金额明文 M分割、 加密及范围证明的过程。 如图 5所示, 将交易金额的明文 M分割成 8份比特位长度为 u的交易金额的明文 Mk, 其 中, k=l , 2, ..., 8。 首先是加密交易金额的明文 的过程, 发送方分别采用加法同态的 加密算法对交易金额的明文 Mk加密后得到相应的交易金额的密文(Ck, Bk) 。 其次是证明 交易金额的明文 Mk属于第二有效范围的过程, 发送方分别为交易金额的明文 Mk生成其属 于第二有效范围的零知识证明, 交易金额的明文 Mk属于第二有效范围的零知识证明由 7lk 表示。 具体来说就是根据交易金额的密文 (Ck, Bk) 证明交易金额的明文 Mk S应的是 0 到 2U-1 中 2U个数字签名 Gi中的其中一个, 从而证明交易金额的明文 Mk是属于第二有效范 围[0 , 2U-1]以内的。 其中, 数字签名 Gi由该数据处理***中的可信第三方生成, Gi表示数 字 i的签名, 其中 iG[0 , 2U-1], i为整数。 可以知道的是, 在实际计算过程中, 针对每一个 交易金额的明文 Mk, 生成对应的 ak表征交易金额的明文 Mk属于第二有效范围, 发送方生 成 ak后, 由验证方验证 ak的正确性, 若正确, 则表示交易金额的明文 ]^属于第二有效范 围。 ak具体的计算方式可参见下一实施例里的描述。 Specifically, FIG. 5 shows a process in which the sender clears, encrypts, and clarifies the transaction amount. As illustrated, the transaction amount plaintext M is divided into 5 parts of 8 bits length transaction amount plaintext M u K, where, k = l, 2, ... , 8. The first is the process of encrypting the plaintext of the transaction amount. The sender uses the encryption algorithm of the addition and homomorphism to encrypt the plaintext M k of the transaction amount to obtain the ciphertext (C k , B k ) of the corresponding transaction amount. Second proof transaction amount plaintext M k belongs to the effective range of the second process, which belongs to the sender generates a second zero-knowledge proof of the effective range of the plaintext M k transaction amount, transaction amount plaintext M k belongs to the second range effective The zero-knowledge proof is represented by 7l k . Specifically, the ciphertext (C k , B k ) of the transaction amount proves that the plaintext M k S of the transaction amount should be one of 2 U digital signatures Gi in 0 to 2 U -1, thereby proving the transaction amount. The plaintext M k belongs to the second valid range [0, 2 U -1]. Wherein, the digital signature Gi is generated by a trusted third party in the data processing system, and Gi represents the signature of the digital i, where iG[0, 2 U -1], i is an integer. What you can know is that in the actual calculation process, for each one Transaction amount plaintext M k, a k characterizing generate a corresponding transaction amount plaintext M k belongs to the second effective range, the sender generates a k, by the authenticator to verify the correctness of a k, if correct, then the transaction amount The plain text]^ belongs to the second valid range. The specific calculation method of a k can be referred to the description in the next embodiment.
此外, 发送方还可以生成监管方可解密交易金额的密文(Ck, Bk) 的零知识证明。 验 证方还可以验证上述监管方可解密交易金额的密文(Ck, Bk) 的零知识证明。 In addition, the sender can also generate a zero-knowledge proof of the ciphertext (C k , B k ) that the supervisor can decrypt the transaction amount. The verifier can also verify the zero-knowledge proof of the ciphertext (C k , B k ) that the above-mentioned regulator can decrypt the transaction amount.
可以知道的是,发送方生成上述交易金额的明文 Mk属于第二有效范围的零知识证明与 生成上述监管方可解密交易金额的密文(Ck, Bk) 的零知识证明的先后顺序不做限定。 验 证方验证上述交易金额的明文 Mk属于第二有效范围的零知识证明与验证上述监管方可解 密交易金额的密文(Ck, Bk) 的零知识证明的先后顺序也不做限定。 It can be known that the sender generates the plaintext M k of the transaction amount, and the zero-knowledge proof of the second valid range and the zero-knowledge proof of the ciphertext (C k , B k ) that generates the above-mentioned supervisory decryptable transaction amount Not limited. The verification party verifies that the plaintext M k of the transaction amount belongs to the second valid range of the zero-knowledge proof and the order of verifying the zero-knowledge proof of the ciphertext (C k , B k ) that the above-mentioned supervisor can decrypt the transaction amount is not limited.
此外, 发送方还可以计算输入金额与输出金额的差值的密文 C', 并生成 C'是加密了明 文为零的密文的加法同态零知识证明。 验证方还可以验证上述 C'是加密了明文为零的密文 的加法同态零知识证明。 可以知道的是, 当输出金额等于输入金额, 且输出金额及输入金 额均属于有效范围时, 可证明该交易是合法的。  In addition, the sender can also calculate the ciphertext C' of the difference between the input amount and the output amount, and generate C' to add the homomorphic zero-knowledge proof of the ciphertext with the plaintext zero. The verifier can also verify that the above C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero. It can be known that when the output amount is equal to the input amount, and the output amount and the input amount are both valid, the transaction can be proved to be legal.
可以知道的是, 上述交易金额的明文 Mk属于第二有效范围的零知识证明、 上述 C"是 加密了明文为零的密文的加法同态零知识证明及上述监管方可解密交易金额的密文(Ck, Bk) 的零知识证明均由发送方生成, 由验证方验证。 具体由发送方生成相应的参数, 由验 证方验证相应的参数的正确性。 It can be known that the plaintext M k of the above transaction amount belongs to the zero-knowledge proof of the second valid range, the above C" is the additive homomorphic zero-knowledge proof of the ciphertext encrypted with plaintext zero and the above-mentioned supervisor can decrypt the transaction amount. The zero-knowledge proof of the ciphertext (C k , B k ) is generated by the sender and verified by the verifier. Specifically, the sender generates the corresponding parameters, and the verifier verifies the correctness of the corresponding parameters.
具体地, 发送方在为每个小块的明文 Mk生成交易金额的明文 Mk属于第二有效范围的 零知识证明时,分别针对每个小块的明文 Mk生成至少一个第一参数。 而验证方在验证交易 金额的明文 ]^属于第二有效范围的零知识证明时, 也可生成至少一个第二参数。 其中, 上 述第一参数与上述第二参数—对应。 当验证方生成的至少一个第二参数分别与发送方生 成的至少一个第一参数相等时, 即可验证交易金额的明文 Mk属于第二有效范围。 同样地, 上述方式也用于证明监管方可解密每个小块的交易金额的密文(Ck, Bk) 。 对于验证 C'是 加密了明文为零的密文的加法同态零知识证明, 发送方需根据所有的输入金额及所有的输 出金额整体计算出一个第一参数, 此处无需根据每个小块的交易金额来计算。 验证方也可 根据所有的输出金额及所有的输入金额整体计算出一个第二参数。 当验证方生成的第二参 数与发送方式生成的第一参数相等时, 即可验证 C'是加密了明文为零的密文, 即验证了输 入金额等于输出金额。 Specifically, zero-knowledge, the sender generates a transaction amount for each small block of plaintext plaintext M k M k belonging to the second proving effective range, generating at least one first parameter, respectively, the plaintext M k for each small block. The verification party may also generate at least one second parameter when verifying that the plaintext of the transaction amount belongs to the zero-knowledge proof of the second valid range. The first parameter corresponds to the second parameter. When the at least one second parameter generated by the verifier is equal to the at least one first parameter generated by the sender, respectively, the plaintext M k of the transaction amount is verified to belong to the second valid range. Similarly, the above method is also used to prove that the supervisor can decrypt the ciphertext (C k , B k ) of the transaction amount of each small block. For the verification C' is the addition homomorphic zero knowledge proof of the ciphertext encrypted with plaintext zero, the sender needs to calculate a first parameter according to all the input amounts and all the output amounts, and there is no need to The transaction amount is calculated. The verifier can also calculate a second parameter based on all the output amounts and all the input amounts. When the second parameter generated by the verifier is equal to the first parameter generated by the sending mode, it can be verified that C' is a ciphertext encrypted with plaintext zero, that is, the input amount is verified to be equal to the output amount.
具体地, 发送方在生成上述零知识证明时, 还可生成一个第一验证参数, 该第一验证 参数由上述多个第一参数决定。 而验证方在验证上述零知识证明时, 也还可生成一个第二 验证参数, 该第二验证参数由上述多个第二参数决定。 当验证方生成的第二验证参数等于 上述发送方生成的第一验证参数时, 意味着上述多个第一参数分别等于上述多个第二参数 中与之对应的第二参数。 从而验证了上述零知识证明。  Specifically, when generating the zero-knowledge proof, the sender may further generate a first verification parameter, where the first verification parameter is determined by the plurality of first parameters. The verification party may also generate a second verification parameter when verifying the zero-knowledge proof, and the second verification parameter is determined by the plurality of second parameters. When the second verification parameter generated by the verifier is equal to the first verification parameter generated by the sender, it means that the plurality of first parameters are respectively equal to the second parameter corresponding to the plurality of second parameters. Thereby verifying the above zero knowledge proof.
S405: 监管方采用与公钥对应的私钥解密 L份交易金额的密文(Ck, Bk) , 获得 L份 交易金额的明文 MkS405: The regulator uses the private key corresponding to the public key to decrypt the ciphertext (C k , B k ) of the L transaction amount, and obtains the plaintext M k of the L transaction amount.
具体地, 监管方拥有一对非对称密码, 包括公钥及私钥。 公钥提供给发送方使其使用 加法同态加密算法对交易金额的明文 加密, 获得加密后的密文(Ck, Bk), 保护交易隐 私,防止信息泄露。私钥由监管方保存,用于解密发送方发送的交易金额的密文(Ck, Bk), 获得解密后的明文 Mk, 以便监管方重组上述 L个 Mk获得最初的交易金额 M, 从而对交易 进行监管。 Specifically, the supervisor has a pair of asymmetric passwords, including public and private keys. The public key is provided to the sender to encrypt the transaction amount using the addition homomorphic encryption algorithm, obtain the encrypted ciphertext (C k , B k ), protect the transaction privacy, and prevent information leakage. The private key is saved by the supervisor and used to decrypt the ciphertext (C k , B k ) of the transaction amount sent by the sender. To obtain the decrypted plaintext M k, so that the above-described recombinant regulators of L M k M to obtain the original amount of the transaction, whereby the transaction regulation.
S406: 监管方根据上述 L份交易金额的明文 Mk获得交易金额的明文 M。 S406: The regulator obtains the plaintext M of the transaction amount according to the plaintext M k of the above L transaction amount.
具体地,若上述 L份交易金额的明文 Mk的比特位长度均为 u,监管方需将此 L份比特 位长度为 u的交易金额的明文 Mk重组得到原始的比特位长度为 U的交易金额的明文 M, 以便监管方对交易进行监管。 其中, M = StiM42,<)^ k=1、 、 U Specifically, if the bit length of the plaintext M k of the L transaction amount is u, the supervisor needs to reorganize the plaintext M k of the transaction amount of the L bit length u to obtain the original bit length U. The plaintext M of the transaction amount, so that the regulator can supervise the transaction. Where M = Sti M 4 2 , <)^ k=1 , , U
实施本申请实施例可以在交易金额的明文 M的比特位长度较长时, 将交易金额的明文 M分割成若千份小块的明文, 然后再分别对每个小块的明文进行加密、 解密以及其属于有 效范围的证明等, 在保护交易隐私、 配合监管的同时, 保证监管方可有效地解密每个小块 交易金额的密文。  Embodiments of the present application can divide the plaintext M of the transaction amount into plaintexts of thousands of small blocks when the length of the plaintext M of the transaction amount is long, and then encrypt and decrypt the plaintext of each small block separately. And the proof of its valid scope, etc., while protecting the privacy of the transaction and coordinating the supervision, ensuring that the regulator can effectively decrypt the ciphertext of each small transaction amount.
接下来结合图 6介绍本申请实施例提供的另一种数据处理方法。 如图 6所示, 数据处 理方法至少包括以下几个步骤:  Next, another data processing method provided by the embodiment of the present application is introduced in conjunction with FIG. 6. As shown in Figure 6, the data processing method includes at least the following steps:
S601 : ***初始化。  S601: System initialization.
具体地, ***初始化可以包括以下几个方面:  Specifically, system initialization can include the following aspects:
1)设置将交易金额的明文 M分割成 L份, 每份的比特位长度为 u。 例如, 在交易金 额的明文的比特位长度为 64的场景下, 可以设置 L=4, u=16。 g3、 g5分别为 、 G2的生 成元, G、 G2均是阶为素数的乘法群。 H为一个安全的哈希函数。 1) Set the plaintext M of the transaction amount into L shares, and the length of each bit is u. For example, in a scenario where the plaintext bit length of the transaction amount is 64, L=4, u=16 can be set. g 3 and g 5 are respectively generators of G 2 , and G and G 2 are multiplicative groups whose order is prime. H is a safe hash function.
2)设置监管方的私钥为 ask, 公钥为 g4=g3 a气 中的整数生成 2U个数字签名:
Figure imgf000016_0001
签名。 可以知道的是, 上述 L、 U、 H、 g3、 g5、 g4、 Gi在该区块链***中均为公开的参数^ S602: 发送方加密每个输出金额。 2) Set the private key of the supervisor to ask, and the public key to generate 2 U digital signatures for the integer in g 4 = g 3 a :
Figure imgf000016_0001
signature. It can be known that the above L, U, H, g 3 , g 5 , g 4 , Gi are all public parameters in the blockchain system ^ S602: The sender encrypts each output amount.
具体地, 以下介绍发送方对单个输出金额进行加密的过程, 若存在多个输出金额, 重 复以下对单个输出金额加密的过程即可。  Specifically, the following describes the process by which the sender encrypts a single output amount. If there are multiple output amounts, the following process of encrypting a single output amount is repeated.
在本实施例以对输出金额的明文 M进行分割为例进行说明。发送方采用加法同态加密 算法对输出金额的明文 M加密具体包括以下几个步骤:  In the present embodiment, the plaintext M of the output amount is divided as an example for description. The sender uses the addition homomorphic encryption algorithm to encrypt the plaintext M of the output amount, which specifically includes the following steps:
1)发送方将输出金额的明文 M分割为 L份比特位长度为 u的输出金额的明文
Figure imgf000016_0002
1) The sender divides the plaintext M of the output amount into the plaintext of the output amount of the L-bit length u
Figure imgf000016_0002
Mk G [0, 2M - 1] , 其中, k=l , 2, L, M H Mk(r f。 假设, 输出金额的明文 M的比特位长度为 64, 设置 L=4, u=16, 将该输出金额的明文 M分割成 4份比特位长度为 16的输出金额的明文 Mt, 其中, k=l、 2、 3、 4。 则: M k G [0, 2 M - 1] , where k = l , 2, L, MHM k (rf. Assume that the plaintext M of the output amount has a bit length of 64, and L=4, u=16, The plaintext M of the output amount is divided into four plaintexts M t of the output amount of the bit length of 16, wherein k = 1, 2, 3, 4.
M = Yal-i M k {216k = M, * 216 + M2 * 216*2 + M3 * 216*3 + M4 * 216*4M = Y a l- i M k { 216 ) k = M, * 2 16 + M 2 * 2 16*2 + M 3 * 2 16*3 + M 4 * 2 16*4 .
2)分别采用加法同态的加密算法对每个输出金额的明文 加密, 生成输出金额的密 文( Ck, Bk) 。 2) Encrypt the plaintext of each output amount by using the encryption algorithm of the addition homomorphism to generate the secret of the output amount. Text (C k , B k ).
具体地, 上述加法同态的加密算法可以是 ElGamal算法。 输出金额的密文( Ck, Bk) 中的 为输出金额明文 4的密文主体, 为输出金额明文]1^的辅助密文,用于在后续监 管方解密过程中辅助解密密文主体 。 Specifically, the above-described addition and homomorphic encryption algorithm may be an ElGamal algorithm. The ciphertext body of the output ciphertext (C k , B k ) is the ciphertext body of the output amount plaintext 4 , and is the auxiliary ciphertext of the output amount plaintext]1^, which is used to assist in decrypting the ciphertext body in the subsequent supervisor decryption process. .
具体地,
Figure imgf000017_0001
其中, rk为随机生成的整数。 specifically,
Figure imgf000017_0001
Where r k is a randomly generated integer.
S603: 发送方生成零知识证明。  S603: The sender generates a zero-knowledge proof.
具体地,此处依然是对于单个输出金额生成零知识证明的过程,若存在多个输出金额, 重复以下对单个输出金额生成零知识证明的过程即可。  Specifically, here is still a process of generating a zero-knowledge proof for a single output amount, and if there are multiple output amounts, repeat the following process of generating a zero-knowledge proof for a single output amount.
具体地, 发送方生成的零知识证明包括以下几个方面:  Specifically, the zero-knowledge proof generated by the sender includes the following aspects:
1)发送方生成监管方可解密每个输出金额的密文(Ck, Bk) 的零知识证明。 1) The sender generates a zero-knowledge proof that the supervisor can decrypt the ciphertext (C k , B k ) of each output amount.
其中
Figure imgf000017_0005
具体地,生成随机数
Figure imgf000017_0002
,并计算第一参数 A = e{Vk, g5k e(gi, g5k 可以知道的是, 一个输出金额的密文主体 C可以根据分割后得到的 L份输出金额的密 文主体 ck计算: c = Hk L__ cf . 可以知道的是, 上述是对于输出金额的加密及证明 (证明监管方可解密每个小块的 ElGamal密文及证明密文中的明文属于第二有效范围)。 对于输入金额, 可以是重复上述过 程进行加密及证明; 或者直接源用上次交易中该发送方接收的交易金额的密文, 作为本次 交易的输入金额, 无需重复上述过程。 发送方是否直接源用上次交易中接收的交易金额的 密文取决于该区块链***对于交易模型的初始化设置, 即该区块链***中的交易模型是发 送方直接向接收方转发其在上一次交易中接收的交易金额, 还是该发送方在每一次交易中 都会重新产生输入金额。 among them
Figure imgf000017_0005
Specifically, generating a random number
Figure imgf000017_0002
And calculating the first parameter A = e{V k , g 5 ) k e(g i , g 5 ) k, it can be known that the ciphertext body C of an output amount can be output according to the L share obtained after the division. The ciphertext body c k is calculated: c = H k L __ cf . It can be known that the above is the encryption and proof of the output amount (proving that the supervisor can decrypt each small block of ElGamal ciphertext and prove that the plaintext in the ciphertext belongs to Second effective range). For the input amount, the above process may be repeated for encryption and certification; or the ciphertext of the transaction amount received by the sender in the last transaction may be directly used as the input amount of the transaction, and the above process need not be repeated. Whether the sender directly sources the ciphertext of the transaction amount received in the last transaction depends on the initialization setting of the blockchain system for the transaction model, that is, the transaction model in the blockchain system is that the sender directly forwards the message to the receiver. The amount of the transaction received in the last transaction, or the sender will regenerate the input amount in each transaction.
3)发送方计算 C"=(总输入金额-总输出金额)的密文, 并生成 C"是加密了明文为零的 密文的加法同态零知识证明。  3) The sender calculates the ciphertext of C"=(total input amount-total output amount), and generates C" is the addition homomorphic zero-knowledge proof of the ciphertext encrypted with plaintext zero.
具体地,假设有 Y个输出金额 M(ou,'y)及其密文主体 C{ou,'y) , X个输入金额 M(;v)及其密 文主体 C(M , 其中, x=l , 2, ..., X, y=l , 2, ..., Y。 发送方可利用各密文主体的随机数 计算 s, 具体来说, 其中# 为
Figure imgf000017_0004
Specifically, suppose there are Y output amounts M( ou, ' y ) and its ciphertext body C {ou , ' y ), X input amounts M ( ;v ) and its ciphertext body C ( M , where x =l , 2, ..., X, y=l , 2, ..., Y. The sender can use the random number of each ciphertext body to calculate s, specifically, where # is
Figure imgf000017_0004
Figure imgf000017_0003
密文主体 的随机数, 4 )为密文主体 C' ’d的随机数。 生成随机数 计算第一参数
Figure imgf000017_0003
The random number of the ciphertext subject, 4) is the random number of the ciphertext subject C '' d. Generate a random number to calculate the first parameter
Rs = 。 R s = .
需要说明的是, 在证明总输入金额与总输出金额相等时, 计算的是总输入金额的明文 与总输出金额的明文的差值, 在加密后的数据中采用的计算方式是总输入金额的密文与总 输出金额的密文的比值。 而总输出金额的密文等于多个输出金额密文的累乘, 总输入金额 的密文等于多个输入金额密文的累乘。 It should be noted that when the total input amount is equal to the total output amount, the plain text of the total input amount is calculated. The difference from the plain text of the total output amount, the calculation method used in the encrypted data is the ratio of the ciphertext of the total input amount to the ciphertext of the total output amount. The ciphertext of the total output amount is equal to the multiplication of the ciphertexts of the plurality of output amounts, and the ciphertext of the total input amount is equal to the multiplication of the ciphertexts of the plurality of input amounts.
4)发送方计算第一验证参数 d, 该第一验证参数^ /是利用哈希函数 H计算的结果, 其 中 H的输入包括上述 , Q, , , V;, aklR5。发送方根据验上述第一验证参数 d 计算: zmt =h+dMk, Zrt =cok+drk , Zk =tk+dvklZs=rs+d3 发送方最终分别针对每个输出金额输出一个 ,
Figure imgf000018_0001
%, zMt , zrt , zvt , 其中 k=l, 4) The sender calculates a first verification parameter d, which is a result calculated using a hash function H, wherein the input of H includes the above, Q, , , V;, a k lR 5 . The sender calculates according to the above first verification parameter d: z m t =h+dM k , Z rt =co k +dr k , Z k =t k +dv k lZ s =r s +d3 Output one for each output amount,
Figure imgf000018_0001
%, z Mt , z rt , z vt , where k=l,
2, L, 发送方还针对所有的输出金额及所有的输入金额输出一个 Zjt/。 可以知道的 是, 若在该区块链***中, 发送方在每一次交易中都会重新产生输入金额, 那么发送方最 终还需针对每个输入金额输出一个 , Q, Vp ZMk , Zrt , Zvt , 发送方将输出的上述参 数发送至验证方。 2, L, the sender also outputs a Z j and t / for all output amounts and all input amounts. It can be known that if in the blockchain system, the sender re-generates the input amount in each transaction, the sender must finally output one for each input amount, Q, V p Z Mk , Z rt , Z vt , the sender sends the above parameters of the output to the authenticator.
S604: 验证方验证零知识证明。  S604: The verifier verifies the zero knowledge proof.
具体地, 验证方验证零知识证明包括以下几个方面:  Specifically, the verifier verifies that the zero-knowledge proof includes the following aspects:
1)验证方验证每个输出金额的明文 Mk属于第二有效范围的零知识证明与监管方可解 密的零知识证明。 1) The verifier verifies that the plaintext M k of each output amount belongs to the zero-knowledge proof of the second valid range and the zero-knowledge proof that the supervisor can decrypt.
可以知道的是, 发送方生成的第一参数%, ^用于证明输出金额的明文%存在对应 的可信第三方生成的数字签名, 即 即证明输出金额的明文]1^属于第二有 效范围; 发送方生成的第一参数
Figure imgf000018_0002
用于证明 , C;为合法的密文, 即证明监管方可 解密该密文。 It can be known that the first parameter %, ^ generated by the sender is used to prove that the plaintext % of the output amount has a digital signature generated by the corresponding trusted third party, that is, the plaintext of the output amount is proved] 1^ belongs to the second valid range ; the first parameter generated by the sender
Figure imgf000018_0002
Used to prove that C; is a legal ciphertext, which proves that the supervisor can decrypt the ciphertext.
具体地, 验证方 Specifically, the verifier
Figure imgf000018_0003
Figure imgf000018_0003
D: =g^gZ C:d, E ' = gK 其中 k=l, 2, ..., L。 对于输入金额, 若发送方源用上次交易接收的金额密文, 则无需再验证输入金额; 否 则验证方需重复上述运算验证输入金额属于第二有效范围的零知识证明与监管方可解密的 零知识证明。 D: = g^g Z C: d , E ' = gK where k = l, 2, ..., L. For the input amount, if the sender source uses the amount of ciphertext received by the last transaction, there is no need to verify the input amount; otherwise, the verifier needs to repeat the above operation to verify that the input knowledge amount belongs to the second valid range and the knowledge certificate can be decrypted by the supervisor. Zero knowledge proof.
2)验证方验证 C'是加密了明文为零的密文的加法同态零知识证明。 具体地, 并计算第二参数<= (7 ' 2) Verifier verification C' is the addition homomorphic zero-knowledge proof of the ciphertext encrypted with plaintext zero. Specifically, and calculate the second parameter <= (7 '
Figure imgf000018_0004
验证方利用哈希函数计算第二验证参数 ,其中 H的输入包括 , C;, £>/, /, V;, aX 若第二验证参数等于第一验证参数, ^d' = d,则表明验证方验证通过。此处“验 证方验证通过”指的是以下三个方面:
Figure imgf000018_0004
The verifier uses the hash function to calculate the second verification parameter, where the input of H includes, C;, £>/, /, V;, aX, if the second verification parameter is equal to the first verification parameter, ^d' = d, indicating The verifier is verified. Here "Certificate verification" means the following three aspects:
1、 验证方验证了每个输出金额的明文 Mk属于第二有效范围; 1. The verifier verifies that the plaintext M k of each output amount belongs to the second valid range;
2、 验证方验证了以及 C'是加密了明文为零的密文, 即输出金额等于输入金额; 2. The verifier verifies that C' is the ciphertext with the plaintext zero encrypted, that is, the output amount is equal to the input amount;
3、 验证方验证了监管方可解密每个输出金额的密文(Ck, Bk) 。 3. The verifier verifies that the supervisor can decrypt the ciphertext (C k , B k ) of each output amount.
以上验证的第 1和第 2两个方面, 验证了交易的合法性; 以上验证的第 3方面, 验证 了密文的合法性。  The first and second aspects of the above verification verify the legality of the transaction; the third aspect of the above verification verifies the legality of the ciphertext.
可以知道的是,发送方计算第一验证参数 t /时,哈希函数 H的输入包括 , C;, , Ek, Vk, aklR5。 验证方计算第二验证参数 时, 哈希函数 H的输入包括 , Q, £>;, It can be known that when the sender calculates the first verification parameter t / , the input of the hash function H includes, C;, , E k , V k , a k lR 5 . When the verifier calculates the second verification parameter, the input of the hash function H includes, Q, £>;,
, Vk , aX 当计算出 / = t /时,意味着该哈希函数 H的各个输入参数也各自相等。 即 Dk’ = Dk , Ek' =Ek, ak' =ak, Rs’ = Rs。 由于第一参数 , 用于证明 ( Ck, Bk)为合 法的密文, 那么 Dk’ =Dk, /= 意味着 (Ck, Bk) 为合法的密文, 即验证了监管方可解 密每个小块的输出金额。由于第一参数 用于证明输出金额的明文 存在对应的可信第三 方生成的数字签名, 那么
Figure imgf000019_0001
^意味着输出金额的明文%属于第二有效范围。 由于第一 参数 用于证明 C'是加密了明文为零的密文, 那么 /= 验证了 C'是加密了明文为零的 密文, 即验证了总的输入金额等于总的输出金额。 再结合前述验证的每个输出金额的密文 属于其有效范围的结果, 验证方验证了该交易的合法性。 , V k , aX When / = t / is calculated, it means that the input parameters of the hash function H are also equal. That is, D k ' = D k , E k ' = E k , a k ' = a k , R s ' = R s . Since the first parameter is used to prove that ( C k , B k ) is a legal ciphertext, then D k ' = D k , /= means that (C k , B k ) is a legal ciphertext, ie verification of supervision You can decrypt the output amount of each small block. Since the first parameter is used to prove that the plaintext of the output amount has a digital signature generated by the corresponding trusted third party, then
Figure imgf000019_0001
^ means that the plain text % of the output amount belongs to the second valid range. Since the first parameter is used to prove that C' is the ciphertext with the plaintext zero encrypted, then /= verifies that C' is the ciphertext with the plaintext zero encrypted, ie the total input amount is equal to the total output amount. In combination with the result of the ciphertext of each output amount verified as described above, the verifier verifies the legitimacy of the transaction.
S605: 监管方解密。  S605: The supervisor decrypts.
具体地, 监管方解密可以包括以下几个方面:  Specifically, the supervisor decryption can include the following aspects:
1)监管方采用其私钥 ask解密每个输出金额的密文(Ck, Bk),
Figure imgf000019_0002
1) The regulator uses its private key ask to decrypt the ciphertext (C k , B k ) of each output amount,
Figure imgf000019_0002
K  K
2)监管方计算 g3°、 ^、 ...、
Figure imgf000019_0003
并分别与
Figure imgf000019_0004
比较, 找出输出金额的明文 Mt。 具体地, 监管方可预先计算
Figure imgf000019_0005
其中, /为整数, /G[0,2U-1], 生成预计算表( g3°、 、 ..、 gf4), 监管方可在多次解密过程中重复使用该预计算表, 将每次解密得到的 与该预计算表进行比较, 找出输出金额的明文 4的值。 2) The regulator calculates g 3 °, ^, ...,
Figure imgf000019_0003
And respectively
Figure imgf000019_0004
Compare, find out the plaintext M t of the output amount. Specifically, the regulator can pre-calculate
Figure imgf000019_0005
Where / is an integer, /G[0,2 U -1], and a precomputed table ( g 3 °, , .., gf 4 ) is generated, which the supervisor can reuse in the multiple decryption process. The result obtained by each decryption is compared with the pre-calculation table to find the value of the plaintext 4 of the output amount.
3)根据解密得出的多个输出金额的明文%的值还原输出金额的明文 M。 其中,
Figure imgf000019_0006
可以知道的是, 上述监管方解密的过程同样适用于输入金额的解密, 在此不再赘述。 可以知道的是, 上述计算过程同样适用于无需分割交易金额明文的场景, 在此不再赘 述。 3) Restore the plaintext M of the output amount according to the value of the plaintext % of the plurality of output amounts obtained by the decryption. among them,
Figure imgf000019_0006
It can be known that the above-mentioned process of decryption by the supervisor is also applicable to the decryption of the input amount, which will not be described here. It can be known that the above calculation process is also applicable to a scenario in which the clear transaction amount is not required, and will not be described here.
本申请实施例提供了该数据处理方法具体的计算方法, 根据该计算方法可以对交易金 额的明文进行分割。 然后再分别对每个小块的明文进行加密、 解密以及其属于有效范围的 证明等, 在保护交易隐私、 配合监管的同时, 保证监管方有效地解密每个小块交易金额的 密文, 顺利地还原交易金额的明文 M, 对交易进行有效的监管。  The embodiment of the present application provides a specific calculation method of the data processing method, according to which the plaintext of the transaction amount can be segmented. Then, each of the small blocks of the plaintext is encrypted, decrypted, and proved to be valid. In the protection of transaction privacy and supervision, the regulator can effectively decrypt the ciphertext of each small transaction amount. The plain text M of the land transaction amount is restored, and the transaction is effectively supervised.
本申请实施例还提供了一种发送方, 应用于图 1所示的区块链***, 该***至少可以 包括发送方及<验证方,如图 7所示,发送方 70至少可以包括:加密单元 710、发送单元 720, 其中:  The embodiment of the present application further provides a sender, which is applied to the blockchain system shown in FIG. 1. The system may include at least a sender and a <authenticator. As shown in FIG. 7, the sender 70 may at least include: encryption. Unit 710, sending unit 720, where:
加密单元 710, 采用加法同态加密算法对交易金额的明文 M加密, 生成交易金额的密 文(C, B) ; 其中, 上述交易金额的明文 M的比特位长度为 U, 详细说明请参照 S301的 描述。  The encryption unit 710 encrypts the plaintext M of the transaction amount by using the addition homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount; wherein, the length of the plaintext M of the transaction amount is U. For details, please refer to S301. description of.
发送单元 720, 用于将上述交易金额的密文(C, B)发送至上述验证方, 以使上述验 证方验证上述交易金额的明文 M是否属于第一有效范围;上述第一有效范围为[0, 2U-1] , 详细说明请参照 S302的描述。 The sending unit 720 is configured to send the ciphertext (C, B) of the transaction amount to the verification party, so that the verification party verifies whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [ 0, 2 U -1] , please refer to the description of S302 for details.
在一种可能的实现方式中,上述加法同态加密算法可以是 ElGamal算法,上述 C = gf , B = g3 r ; 其中, r为随机生成的整数, g3 Gi的生成元, Gi S阶为素数的乘法群, g4为上 述加法同态加密算法的公钥, g4=g3 ask, ask为上述加法同态加密算法的私钥。 In a possible implementation manner, the additive homomorphic encryption algorithm may be an ElGamal algorithm, where C = gf , B = g 3 r ; where r is a randomly generated integer, a generator of g 3 Gi, a Gi S order For the multiplicative group of prime numbers, g 4 is the public key of the above addition homomorphic encryption algorithm, g 4 =g 3 ask , ask is the private key of the above addition homomorphic encryption algorithm.
在一种可能的实现方式中, 上述区块链***还包括监管方。 上述加密单元 710包括: 分割子单元 7110及加密子单元 7120。 其中:  In a possible implementation manner, the above blockchain system further includes a supervisor. The above encryption unit 710 includes: a division subunit 7110 and an encryption subunit 7120. among them:
分割子单元 7110, 用于将上述交易金额的明文 M分割成 L份交易金额的明文 Mk; 其 中, k为正整数, k=l , L; L为大于或等于 2的正整数, 详细说明请参照 S401的描 述, 或者参照 S602中 1) 的描述。 The dividing subunit 7110 is configured to divide the plaintext M of the transaction amount into the plaintext M k of the L transaction amount; wherein k is a positive integer, k=l, L; L is a positive integer greater than or equal to 2, and the detailed description Please refer to the description of S401, or refer to the description of 1) in S602.
加密子单元 7120, 用于分别采用加法同态加密算法对上述 L份交易金额的明文 加 密, 生成 L份交易金额的密文(Ck, Bk) , 以使上述监管方采用与上述公钥对应的私钥解 密上述 L份交易金额的密文(Ck, Bk), 获得上述 L份交易金额的明文 Mk, 并根据上述 L 份交易金额的明文 Mk获得交易金额的明文 M, 上述加法同态加密算法的公钥由所述监管 方提供; 详细说明请参照 S402、 S405及 S406的描述, 或者参照 S602中 2) 的描述。 The encryption subunit 7120 is configured to encrypt the plaintext of the L transaction amount by using an additive homomorphic encryption algorithm, respectively, to generate a ciphertext (C k , B k ) of the L transaction amount, so that the above-mentioned supervisor adopts the public key corresponding private key to decrypt the transaction amount of the L-parts ciphertext (C k, B k), to obtain the above parts of the transaction amount L plaintext M k, M and the plaintext based on the amount of the transaction amount of the transaction parts L plaintext M k, The public key of the above-described addition homomorphic encryption algorithm is provided by the supervisor; for details, please refer to the descriptions of S402, S405 and S406, or refer to the description of 2) in S602.
发送单元 720, 用于将上述 L份交易金额的密文(Ck, Bk)发送至上述验证方, 以使 上述验证方验证上述 L份交易金额的密文( Ck, Bk) 的明文 Mk是否属于第二有效范围; 其中, 第二有效范围为[0, 2U-1], u为交易金额的明文 的比特位长度, 详细说明请参照 S403及 S404的描述。 The sending unit 720 is configured to send the ciphertext (C k , B k ) of the L transaction amount to the verification party, so that the verification party verifies the ciphertext ( C k , B k ) of the L transaction amount Whether the plaintext M k belongs to the second valid range; wherein, the second valid range is [0, 2 U -1], and u is the bit length of the plaintext of the transaction amount. For details, please refer to the descriptions of S403 and S404.
在一种可能的实现方式中, 发送方 70还包括: 第一生成单元 730, 用于生成上述交易 金额的明文 M属于第一有效范围的零知识证明, 详细说明请参照 S603中 2) 的描述。  In a possible implementation, the sender 70 further includes: a first generating unit 730, configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, and the description of 2) in S603 is described in detail. .
发送单元 720用于将上述交易金额的密文( C, B)发送至上述验证方, 以使上述验证 方根据所述交易金额的密文(C, B)验证上述交易金额的明文 M属于第一有效范围的零 知识证明。 在一种可能的实现方式中, 所述交易金额包括输出金额。 发送方 70还包括: 第二生成 单元 740, 用于计算输入金额与输出金额的差值的密文 C', 并生成 C'是加密了明文为零的 密文的加法同态零知识证明, 以使上述验证方验证上述 C'是加密了明文为零的密文的加法 同态零知识证明; 其中, 上述 C"为根据上述输出金额的密文与上述输入金额的密文计算得 到的密文, 上述输入金额的密文为发送方 70在上一次交易中接收的金额的密文, 或者上述 输入金额的密文为发送方 70 采用所述加法同态加密算法对当前交易中生成的金额加密生 成的密文, 详细说明请参照 S603中 3) 的描述。 The sending unit 720 is configured to send the ciphertext (C, B) of the transaction amount to the verification party, so that the verification party verifies that the plaintext M of the transaction amount belongs to the ciphertext (C, B) of the transaction amount. A valid range of zero-knowledge proofs. In a possible implementation manner, the transaction amount includes an output amount. The sender 70 further includes: a second generating unit 740, configured to calculate a ciphertext C' of the difference between the input amount and the output amount, and generate C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with the plaintext zero The above-mentioned verifier verifies that the above C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with the plaintext zero; wherein, the above C" is the density calculated according to the ciphertext of the output amount and the ciphertext of the input amount. The ciphertext of the input amount is the ciphertext of the amount received by the sender 70 in the previous transaction, or the ciphertext of the input amount is the amount generated by the sender 70 using the addition homomorphic encryption algorithm for the current transaction. For the detailed description of the ciphertext generated by encryption, refer to the description in 3) of S603.
在一种可能的实现方式中, 上述***还包括监管方, 所述加法同态加密算法的公钥由 所述监管方提供; 详细说明请参照 S301的描述。  In a possible implementation manner, the system further includes a supervisor, and the public key of the add-on homomorphic encryption algorithm is provided by the supervisor; for detailed description, refer to the description of S301.
发送方 70还包括: 第三生成单元 750, 用于生成上述监管方可解密上述交易金额的密 文( C, B)的零知识证明,以使上述验证方验证上述监管方可解密上述交易金额的密文( C, B) 的零知识证明, 详细说明请参照 S603中 1) 的描述。  The sender 70 further includes: a third generating unit 750, configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifying party verifies that the supervisor can decrypt the transaction amount For the zero-knowledge proof of the ciphertext (C, B), please refer to the description of 1) in S603 for details.
在一种可能的实现方式中, 上述***还包括第三方, 用于提供随机秘密丫, 上述随机秘 密 Y用于为上述第一有效范围内的每个整数生成一个数字签名,详细说明请参照 S601中 3) 的描述。  In a possible implementation, the system further includes a third party, configured to provide a random secret, and the random secret Y is used to generate a digital signature for each integer in the first valid range. For details, refer to S601. Description of 3).
第一生成单元 730用于才艮据上述第三方提供的随机秘密 Y为第一有效范围内的每个整 数生成的数字签名生成所述交易金额的密文 C的明文 M属于第一有效范围的零知识证明, 详细说明请参照 S603中 2) 的描述。  The first generating unit 730 is configured to generate the plaintext M of the ciphertext C of the transaction amount according to the digital signature generated by the random secret Y provided by the third party for each integer in the first valid range, belonging to the first valid range. Zero knowledge proof, please refer to the description of 2) in S603 for detailed description.
本申请实施例还提供了一种验证方, 应用于图 1所示的区块链***, 该***至少可以 包括发送方及验证方,如图 7所示,验证方 80至少可以包括:接收单元 810、验证单元 820, 其中:  The embodiment of the present application further provides a verification party, which is applied to the blockchain system shown in FIG. 1. The system may include at least a sender and a verification party. As shown in FIG. 7, the verification party 80 may at least include: a receiving unit. 810. A verification unit 820, where:
接收单元 810, 用于接收发送方 70发送的交易金额的密文(C, B) ; 其中, 交易金额 的密文(C, B)为发送方 70采用加法同态加密算法对交易金额的明文 M加密生成的密文; 交易金额的明文 M的比特位长度为 U, 详细说明请参照 S302或 S403的描述。  The receiving unit 810 is configured to receive the ciphertext (C, B) of the transaction amount sent by the sender 70; wherein, the ciphertext (C, B) of the transaction amount is the plaintext of the transaction amount by the sender 70 using the addition homomorphic encryption algorithm M-encrypted ciphertext; The length of the plaintext M of the transaction amount is U. For details, please refer to the description of S302 or S403.
验证单元 820, 用于根据上述交易金额的密文( C, B)验证交易金额的明文 M是否属 于第一有效范围; 第一有效范围为 [0, 2U-1] , 详细说明请参照 S303或 S404的描述。 The verification unit 820 is configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2 U -1], please refer to S303 for details. Or the description of S404.
在一种可能的实现方式中,上述加法同态加密算法可以是 ElGamal算法,上述 C = gf , B = g3 r ; 其中, r为随机生成的整数, g3 Gi的生成元, Gi S阶为素数的乘法群, g4为所 述加法同态加密算法的公钥, g4=g3 ask, ask为所述加法同态加密算法的私钥。 In a possible implementation manner, the additive homomorphic encryption algorithm may be an ElGamal algorithm, where C = gf , B = g 3 r ; where r is a randomly generated integer, a generator of g 3 Gi, a Gi S order Is a multiplicative group of prime numbers, g 4 is the public key of the additive homomorphic encryption algorithm, g 4 =g 3 ask , ask is the private key of the additive homomorphic encryption algorithm.
在一种可能的实现方式中,验证单元 820用于验证交易金额的明文 M属于第一有效范 围的零知识证明; 其中, 交易金额的明文 M属于第一有效范围的零知识证明由发送方 70 生成, 详细说明请参照 S604中 1) 的描述。  In a possible implementation manner, the verification unit 820 is configured to verify that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range; wherein, the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range by the sender 70 For details, please refer to the description of 1) in S604.
在一种可能的实现方式中, 交易金额包括输出金额; 验证单元 820还用于验证输入金 额与输出金额的差值的密文 C'是加密了明文为零的密文的加法同态零知识证明; 其中, C' 为根据输出金额的密文与输入金额的密文计算得到的密文,输入金额的密文为发送方 70在 上一次交易中接收的金额的密文,或者输入金额的密文为发送方 70采用所述加法同态加密 算法对当前交易中生成的金额加密生成的密文, 输入金额与输出金额的差值的密文 C'是力口 密了明文为零的密文的加法同态零知识证明由发送方 70生成,详细说明请参照 S604中 2) 的描述。 In a possible implementation manner, the transaction amount includes an output amount; the verification unit 820 is further configured to verify that the ciphertext C' of the difference between the input amount and the output amount is the added homomorphic zero knowledge of the ciphertext encrypted with the plaintext being zero. Proof; where C' is the ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount is the ciphertext of the amount received by the sender 70 in the previous transaction, or the input amount The ciphertext is the ciphertext generated by the sender 70 by using the addition homomorphic encryption algorithm to encrypt the amount generated in the current transaction, and the ciphertext C' of the difference between the input amount and the output amount is a secret with a plaintext of zero. The addition of the homomorphic zero knowledge of the text is generated by the sender 70. For details, please refer to 2 in S604. description of.
在一种可能的实现方式中, 上述区块链***还包括监管方, 上述加法同态加密算法的 公钥由监管方提供。  In a possible implementation manner, the blockchain system further includes a supervisor, and the public key of the addencing homomorphic encryption algorithm is provided by the supervisor.
验证单元 820还用于验证监管方可解密交易金额的密文 ( C, B )的零知识证明;其中, 监管方可解密上述交易金额的密文 ( C, B ) 的零知识证明由发送方 70生成, 详细说明请 参照 S604中 1 ) 的描述。  The verification unit 820 is further configured to verify the zero-knowledge proof of the ciphertext (C, B) that the supervisor can decrypt the transaction amount; wherein the supervisor can decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount by the sender 70 generation, please refer to the description of 1) in S604 for details.
本申请实施例还提供了另外一种发送方, 如图 9所示, 发送方 90至少可以包括: 至少 一个处理器 901, 至少一个网络接口 904, 用户接口 903, 存储器 905, 至少一个通信总线 902, 显示屏 906。 其中, 通信总线 902用于实现这些组件之间的连接通信, 应当理解, 发 送方 90中的各个组件还可以通过其他连接器相耦合, 所述其他连接器可包括各类接口、传 输线或总线等, 在本申请的各个实施例中, 耦合是指通过特定方式的相互联系, 包括直接 相连或通过其他设备间接相连。  The embodiment of the present application further provides another sender. As shown in FIG. 9, the sender 90 may at least include: at least one processor 901, at least one network interface 904, a user interface 903, a memory 905, and at least one communication bus 902. , display 906. The communication bus 902 is used to implement connection communication between these components. It should be understood that each component in the sender 90 may also be coupled through other connectors, which may include various types of interfaces, transmission lines, buses, etc. In various embodiments of the present application, coupling refers to interconnections in a particular manner, including being directly connected or indirectly connected by other devices.
其中,处理器 901可以包括如下至少一种类型:通用中央处理器( Central Processing Unit, CPU ) , 数字信号处理器 ( Digital Signal Processor , DSP )、 微处理器、 专用集成电路 ( Application Specific Integrated Circuit, ASIC)、 微控制器 ( Microcontroller Unit, MCU )、 现场可编程门阵列 ( Field Programmable Gate Array, FPGA )、 或者用于实现逻辑运算的集 成电路。 例如, 处理器 901可以是一个单核 ( single-CPU )处理器或多核 ( multi-CPU )处 理器。 处理器 901 内包括的多个处理器或单元可以是集成在一个芯片中或位于多个不同的 芯片上。  The processor 901 may include at least one of the following types: a central processing unit (CPU), a digital signal processor (DSP), a microprocessor, and an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), Microcontroller Unit (MCU), Field Programmable Gate Array (FPGA), or integrated circuit for implementing logic operations. For example, processor 901 can be a single-CPU processor or a multi-core processor. The plurality of processors or units included within processor 901 may be integrated in one chip or on a plurality of different chips.
用户接口 903可以包括键盘、物理按钮 (按压按钮、摇臂按钮等)、拨号盘、滑动开关、 操纵杆、 点击滚轮、 光鼠 (光鼠是不显示可视输出的触摸敏感表面, 或者是由触摸屏形成 的触摸敏感表面的延伸)等等。 网络接口 904可选的可以包括标准的有线接口、 无线接口 (如 WI-FI接口 X  The user interface 903 may include a keyboard, a physical button (pressing a button, a rocker button, etc.), a dial, a slide switch, a joystick, a click wheel, a light mouse (a light mouse is a touch sensitive surface that does not display a visual output, or is The extension of the touch sensitive surface formed by the touch screen) and the like. Network interface 904 can optionally include standard wired interface, wireless interface (such as WI-FI interface X
存储器 905可以是非掉电易失性存储器,例如是 EMMC( Embedded Multi Media Card, 嵌入式多媒体卡)、 UFS ( Universal Flash Storage ,通用闪存存储)或只读存储器 ( Read-Only Memory, ROM ), 可选的, 存储器 905包括本申请实施例中的 flash, 或者是可存储静态信 息和指令的其他类型的静态存储设备, 还可以是掉电易失性存储器 ( volatile memory ), 例 如随机存取存储器 ( Random Access Memory, RAM )或者可存储信息和指令的其他类型的 动态存储设备, 也可以是电可擦可编程只读存储器 ( Electrically Erasable Programmable Read-Only Memory, EEPROM )、 只读光盘 ( Compact Disc Read-Only Memory, CD-ROM ) 或其他光盘存储、光碟存储(包括压缩光碟、激光碟、光碟、数字通用光碟、蓝光光碟等)、 磁盘存储介质或者其他磁存储设备、 或者能够用于携带或存储具有指令或数据结构形式的 程序代码并能够由计算机存取的任何其他计算机可读存储介质, 但不限于此。 可选的, 存 储器 905可选的还可以是至少一个位于远离前述处理器 901的存储***。 如图 9所示, 作 为一种计算机存储介质的存储器 905中可以包括操作***、 网络通信模块、 用户接口模块 以及程序指令。  The memory 905 may be a non-power-down volatile memory, such as an EMMC (Embedded Multi Media Card), a UFS (Universal Flash Storage), or a Read-Only Memory (ROM). Optionally, the memory 905 includes the flash in the embodiment of the present application, or other types of static storage devices that can store static information and instructions, and may also be a volatile memory, such as a random access memory ( Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions. It can also be Electrically Erasable Programmable Read-Only Memory (EEPROM) or CD-ROM (Compact Disc Read). -Only Memory, CD-ROM) or other disc storage, CD storage (including compact discs, laser discs, CDs, digital versatile discs, Blu-ray discs, etc.), disk storage media or other magnetic storage devices, or can be used for carrying or storing Program code in the form of an instruction or data structure and accessible by a computer Any other computer readable storage media, but is not limited thereto. Optionally, the memory 905 can also optionally be at least one storage system located away from the foregoing processor 901. As shown in FIG. 9, an operating system, a network communication module, a user interface module, and program instructions may be included in the memory 905 as a computer storage medium.
存储器 905可以是独立存在, 通过连接器与处理器 901相耦合。 存储器 905也可以和 处理器 901集成在一起。 其中, 存储器 905能够存储执行本申请方案的程序指令在内的各 类计算机程序指令, 并由处理器 901来控制执行, 被执行的各类计算机程序指令也可被视 为是处理器 901的驱动程序。 例如, 处理器 901用于执行存储器 905中存储的计算机程序 指令, 从而实现本申请中图 3 -图 6方法实施例中的方法。 所述计算机程序指令数量很大, 可形成能够被处理器 901 中的至少一个处理器执行的计算机可执行指令, 以驱动相关处理 器执行各类处理, 如支持上述各类无线通信协议的通信信号处理算法、 操作***运行或应 用程序运行。 Memory 905 can exist independently and coupled to processor 901 via a connector. The memory 905 can also be integrated with the processor 901. The memory 905 can store each of the program instructions that execute the solution of the present application. The computer program instructions are controlled by the processor 901, and various types of computer program instructions to be executed can also be regarded as the driver of the processor 901. For example, the processor 901 is configured to execute computer program instructions stored in the memory 905 to implement the method in the method embodiments of FIGS. 3-6 of the present application. The computer program instructions are large in number and can form computer executable instructions executable by at least one of the processors 901 to drive the associated processor to perform various types of processing, such as communication signals supporting the various types of wireless communication protocols described above. Processing algorithms, operating system runs, or application runs.
显示屏 906, 用于显示由用户输入的信息。 示例性的, 显示屏 906可以包括显示面板 和触控面板。 其中, 显示面板可以采用液晶显示器 ( Liquid Crystal Display, LCD )、 有机发 光二极管 ( Organic Light-Emitting Diode, OLED )、发光二级管 ( Light Emitting Diode, LED ) 显示设备或阴极射线管 ( Cathode Ray Tube, CRT )等来配置显示面板。 触控面板, 也称为 触摸屏、触敏屏等,可收集用户在其上或附近的接触或者非接触操作 (比如用户使用手指、 触笔等任何适合的物体或附件在触控面板上或在触控面板附近的操作, 也可以包括体感操 作; 该操作包括单点控制操作、 多点控制操作等操作类型), 并根据预先设定的程式驱动相 应的连接装置。  Display 906 is used to display information input by the user. Illustratively, display 906 can include a display panel and a touch panel. The display panel can be a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), a Light Emitting Diode (LED) display device, or a Cathode Ray Tube (Cathode Ray Tube). , CRT), etc. to configure the display panel. Touch panels, also known as touch screens, touch sensitive screens, etc., can collect contact or non-contact operations on or near the user (eg, the user uses a finger, stylus, etc. on any suitable object or accessory on the touch panel or The operation near the touch panel may also include a somatosensory operation; the operation includes a single point control operation, a multi-point control operation, and the like, and the corresponding connection device is driven according to a preset program.
本申请实施例提供了另外一种验证方, 如图 10所示, <验证方 100至少可以包括: 至少 可以包括: 至少一个处理器 1001, 至少一个网络接口 1004, 用户接口 1003 ,存储器 1005, 至少一个通信总线 1002, 显示屏 1006。 其中, 通信总线 1002用于实现这些组件之间的连 接通信, 应当理解, 验证方 100中的各个组件还可以通过其他连接器相耦合, 所述其他连 接器可包括各类接口、 传输线或总线等, 在本申请的各个实施例中, 耦合是指通过特定方 式的相互联系, 包括直接相连或通过其他设备间接相连。  The embodiment of the present application provides another verification party. As shown in FIG. 10, the verification party 100 may include at least: at least one processor 1001, at least one network interface 1004, a user interface 1003, and a memory 1005. A communication bus 1002, display 1006. The communication bus 1002 is used to implement connection communication between these components. It should be understood that each component in the authenticator 100 may also be coupled by other connectors, which may include various types of interfaces, transmission lines, buses, etc. In various embodiments of the present application, coupling refers to interconnections in a particular manner, including being directly connected or indirectly connected by other devices.
其中, 处理器 1001与处理器 901类似, 在此不再赘述。  The processor 1001 is similar to the processor 901, and details are not described herein again.
用户接口 1003与用户接口 903类似, 在此不再赘述。  The user interface 1003 is similar to the user interface 903 and will not be described here.
存储器 1005与存储器 905类似, 处理器 1001用于执行存储器 905中存储的计算机程 序指令, 从而实现本申请中图 3 -图 6方法实施例中的方法, 在此不再赘述。  The memory 1005 is similar to the memory 905. The processor 1001 is configured to execute the computer program instructions stored in the memory 905, so as to implement the method in the method embodiment of FIG. 3 to FIG. 6 in the present application, and details are not described herein.
显示屏 1006与显示屏 906类似, 在此不再赘述。  The display 1006 is similar to the display 906 and will not be described again.
本申请实施例还提供了一种计算机可读存储介质, 该计算机可读存储介质中存储有指 令, 当其在计算机或处理器上运行时, 使得计算机或处理器执行上述任一个数据处理方法 中的一个或多个步骤。 上述装置的各组成模块如果以软件功能单元的形式实现并作为独立 的产品销售或使用时, 可以存储在所述计算机可读取存储介质中。  The embodiment of the present application further provides a computer readable storage medium, where the computer readable storage medium stores instructions, when it is run on a computer or a processor, causing the computer or the processor to execute any of the above data processing methods. One or more steps. The various component modules of the above apparatus may be stored in the computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
基于这样的理解, 本申请实施例还提供一种包含指令的计算机程序产品, 本申请的技 术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件 产品的形式体现出来, 该计算机软件产品存储在一个存储介质中, 包括若千指令用以使得 一台计算机设备、 移动终端或其中的处理器执行本申请各个实施例所述方法的全部或部分 步骤。 该存储介质的种类请参考存储器 905或 1005的相关描述。  Based on the understanding, the embodiment of the present application further provides a computer program product including instructions, and the technical solution of the present application may contribute to the prior art or all or part of the technical solution may be a software product. The computer software product is stored in a storage medium, including thousands of instructions for causing a computer device, mobile terminal or processor therein to perform all or part of the steps of the methods described in various embodiments of the present application. For the type of storage medium, please refer to the description of the memory 905 or 1005.
本申请实施例方法中的步骤可以根据实际需要进行顺序调整、 合并和删减。  The steps in the method of the embodiment of the present application may be sequentially adjusted, merged, and deleted according to actual needs.
本申请实施例装置中的模块可以根据实际需要进行合并、 划分和删减。  The modules in the apparatus of the embodiment of the present application may be combined, divided, and deleted according to actual needs.
以上所述, 以上实施例仅用以说明本申请的技术方案, 而非对其限制; 尽管参照前述 实施例对本申请进行了详细的说明, 本领域的普通技术人员应当理解: 其依然可以对前述 各实施例所记载的技术方案进行修改, 或者对其中部分技术特征进行等同替换; 而这些修 改或者替换, 并不使相应技术方案的本质脱离本申请各实施例技术方案的范围。 The above embodiments are only used to illustrate the technical solutions of the present application, and are not limited thereto. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that The technical solutions described in the embodiments are modified, or some of the technical features are equivalently replaced; and the modifications or substitutions do not deviate from the technical solutions of the embodiments of the present application.

Claims

权 利 要 求 Rights request
1、 一种数据处理方法, 应用于区块链***, 所述***包括发送方及验证方, 其特征在 于, 所述方法包括: A data processing method, applied to a blockchain system, the system comprising a sender and a verification party, wherein the method comprises:
所述发送方采用加法同态加密算法对交易金额的明文 M加密,生成交易金额的密文( C, The sender uses the addition homomorphic encryption algorithm to encrypt the plaintext M of the transaction amount, and generates a ciphertext of the transaction amount (C,
B) ; B);
所述发送方将所述交易金额的密文(C, B)发送至所述验证方;  Sending, by the sender, the ciphertext (C, B) of the transaction amount to the authenticator;
所述验证方根据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于 第一有效范围,所述第一有效范围为[0, 2U-1], U为所述交易金额的明文 M的比特位长度。 The verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount, and the first valid range is [0, 2 U -1], U is The length of the plaintext M of the transaction amount.
2、 如权利要求 1所述的方法, 其特征在于, 所述 C = g^g4 r , B = g;; 其中, r为随机 生成的整数, g3 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法的公 钥, g4=g3 ask, ask为所述加法同态加密算法的私钥。 2. The method according to claim 1, wherein said C = g^g 4 r , B = g;; wherein r is a randomly generated integer, a generator of g 3 Gi, and a Gi S order is A multiplicative group of prime numbers, g 4 is the public key of the additive homomorphic encryption algorithm, g 4 =g 3 ask , ask is the private key of the additive homomorphic encryption algorithm.
3、 如权利要求 1或 2所述的方法, 其特征在于, 所述***还包括监管方; 3. The method of claim 1 or 2, wherein the system further comprises a supervisor;
所述发送方采用加法同态加密算法对交易金额的明文 M加密,生成交易金额的密文( C, B)包括: 所述发送方将所述交易金额的明文 M分割成 L份交易金额的明文 Mk, 分别采用 加法同态加密算法对所述 L份交易金额的明文 Mkii行加密,生成 L份交易金额的密文(Ck, Bk) ; 所述加法同态加密算法的公钥由所述监管方提供, k为正整数, k=l , L, L为大 于或等于 2的正整数; The sender encrypts the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount, including: the sender divides the plaintext M of the transaction amount into L transaction amounts. The plaintext M k , respectively, encrypts the plaintext M k ii line of the L transaction amount by using an additive homomorphic encryption algorithm, and generates a ciphertext (C k , B k ) of the L transaction amount; the addition homomorphic encryption algorithm The public key is provided by the supervisor, k is a positive integer, k=l, L, L is a positive integer greater than or equal to 2;
所述验证方根据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于 第一有效范围包括: 所述验证方验证根据所述交易金额的密文(Ck, Bk)验证所述交易金 额的明文 是否属于第二有效范围; 其中, 所述第二有效范围为[0, 2U-1], u为所述交易 金额的明文 Mk的比特位长度; Whether the verification party verifies that the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount includes: the verification party verifies the ciphertext according to the transaction amount (C k , B k ) verifying whether the plaintext of the transaction amount belongs to the second valid range; wherein, the second valid range is [0, 2 U -1], and u is the bit length of the plaintext M k of the transaction amount;
所述方法还包括: 所述监管方采用与所述公钥对应的私钥解密所述 L份交易金额的密 文(Ck, Bk) , 获得所述 L份交易金额的明文 Mk, 并根据所述 L份交易金额的明文 获 得所述交易金额的明文 M。 The method further includes: the supervisor uses the private key corresponding to the public key to decrypt the ciphertext (C k , B k ) of the L transaction amount, and obtains the plaintext M k of the L transaction amount, And obtaining the plaintext M of the transaction amount according to the plain text of the L transaction amount.
4、 如权利要求 1-3任一项所述的方法, 其特征在于, 所述方法还包括: 所述发送方生 成所述交易金额的明文 M属于第一有效范围的零知识证明; The method according to any one of claims 1 to 3, wherein the method further comprises: the sender generating a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range;
所述验证方根据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于 第一有效范围包括: 所述验证方验证所述交易金额的明文 M属于第一有效范围的零知识证 明。  Whether the verification party verifies that the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount includes: the verification party verifies that the plaintext M of the transaction amount belongs to the first valid range Zero knowledge proof.
5、 如权利要求 1-4任一项所述的方法, 其特征在于, 所述交易金额包括输出金额; 所述方法还包括: 所述发送方计算输入金额与输出金额的差值的密文 C', 并生成 C'是 加密了明文为零的密文的加法同态零知识证明; 其中, 所述 C'为根据所述输出金额的密文 与所述输入金额的密文计算得到的密文, 所述输入金额的密文为所述发送方在上一次交易 中接收的金额的密文, 或者所述输入金额的密文为所述发送方采用所述加法同态加密算法 对当前交易中生成的金额进行力 P密生成的密文; The method according to any one of claims 1 to 4, wherein the transaction amount includes an output amount; the method further comprises: the sender calculating a ciphertext of a difference between the input amount and the output amount C', and generates C' is an additive homomorphic zero-knowledge proof of the ciphertext encrypted with plaintext zero; wherein, the C' is calculated according to the ciphertext of the output amount and the ciphertext of the input amount Ciphertext, the ciphertext of the input amount is the sender's last transaction The ciphertext of the received amount, or the ciphertext of the input amount is a ciphertext generated by the sender by using the addition homomorphic encryption algorithm to generate a force P secret for the amount generated in the current transaction;
所述验证方验证所述 C'是加密了明文为零的密文的加法同态零知识证明。  The verifier verifies that the C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero.
6、 如权利要求 1或 2所述的方法, 其特征在于, 所述***还包括监管方, 所述加法同 态加密算法的公钥由所述监管方提供; 6. The method according to claim 1 or 2, wherein the system further comprises a supervisor, the public key of the addition homomorphic encryption algorithm being provided by the supervisor;
所述方法还包括: 所述发送方生成所述监管方可解密所述交易金额的密文(C, B) 的 零知识证明;  The method further includes: the sender generating a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount;
所述验证方验证所述监管方可解密所述交易金额的密文(C, B) 的零知识证明; 所述监管方采用与所述公钥对应的私钥解密所述交易金额的密文(C, B) 。  The verifier verifies that the supervisor can decrypt the zero-knowledge proof of the ciphertext (C, B) of the transaction amount; the supervisor uses the private key corresponding to the public key to decrypt the ciphertext of the transaction amount (C, B).
7、 如权利要求 4所述的方法, 其特征在于, 所述发送方生成所述交易金额的明文 M 属于第一有效范围的零知识证明包括: 所述发送方生成 N个第一参数; N为正整数; The method according to claim 4, wherein the sender generates the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, and includes: the sender generates N first parameters; Is a positive integer;
所述验证方验证所述交易金额的明文 M属于第一有效范围的零知识证明包括: 所述验证方生成 N个第二参数; 其中,所述 N个第一参数与所述 N个第二参数—对 应;  The zero-knowledge proof that the verification party verifies that the plaintext M of the transaction amount belongs to the first valid range includes: the verification party generates N second parameters; wherein, the N first parameters and the N second Parameter—correspondence;
所述验证方验证所述 N个第二参数是否与对应的所述第一参数相等, 若相等, 则所述 交易金额的明文 M属于第一有效范围。  The verifier verifies whether the N second parameters are equal to the corresponding first parameter, and if they are equal, the plaintext M of the transaction amount belongs to the first valid range.
8、 如权利要求 7所述的方法, 其特征在于, 所述发送方生成所述交易金额的明文 M 属于第一有效范围的零知识证明还包括: 所述发送方生成第一验证参数; 所述第一验证参 数由所述 N个第一参数决定; The method of claim 7, wherein the sending of the plaintext M of the transaction amount to the zero-knowledge proof of the first valid range further comprises: the sender generating the first verification parameter; The first verification parameter is determined by the N first parameters;
所述验证方验证所述交易金额的明文 M属于第一有效范围的零知识证明还包括: 所述验证方生成第二验证参数; 所述第二验证参数由所述 N个第二参数决定; 所述验证方验证所述 N个第二参数是否与对应的所述第一参数相等包括:  The zero-knowledge proof that the verification party verifies that the plaintext M of the transaction amount belongs to the first valid range further includes: the verification party generates a second verification parameter; the second verification parameter is determined by the N second parameters; Whether the verifier verifies whether the N second parameters are equal to the corresponding first parameter includes:
所述验证方验证所述第一参数是否等于所述第二验证参数, 若相等, 则所述 N个第二 参数与相应的所述第一参数相等。  The verifier verifies whether the first parameter is equal to the second verification parameter, and if they are equal, the N second parameters are equal to the corresponding first parameter.
9、 一种数据处理方法, 应用于区块链***, 所述***包括发送方及验证方, 其特征在 于, 所述方法包括: A data processing method, applied to a blockchain system, the system comprising a sender and a verification party, wherein the method comprises:
所述发送方采用加法同态加密算法对交易金额的明文 M加密,生成交易金额的密文( C, The sender uses the addition homomorphic encryption algorithm to encrypt the plaintext M of the transaction amount, and generates a ciphertext of the transaction amount (C,
B) ; B);
所述发送方将所述交易金额的密文(C, B)发送至所述验证方, 以使所述验证方根据 所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于第一有效范围; 所述 第一有效范围为 [0, 2U-1] , U为所述交易金额的明文 M的比特位长度。 Transmitting, by the sender, the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies the plaintext of the transaction amount according to the ciphertext (C, B) of the transaction amount Whether M belongs to the first valid range; the first valid range is [0, 2 U -1], and U is the bit length of the plaintext M of the transaction amount.
10、 如权利要求 9所述的方法, 其特征在于, 所述 C =
Figure imgf000026_0001
B = g;; 其中, r为随 机生成的整数, g3 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法的 公钥, g4=g3 ask, ask为所述加法同态加密算法的私钥。 10. The method of claim 9 wherein said C =
Figure imgf000026_0001
B = g;; where r is a randomly generated integer, a generator of g 3 Gi , a Gi S order is a multiplicative group of prime numbers, and g 4 is the additive homomorphic encryption algorithm The public key, g 4 =g 3 ask , ask is the private key of the addition homomorphic encryption algorithm.
11、 如权利要求 9或 10所述的方法, 其特征在于, 所述***还包括监管方; 所述发送方采用加法同态加密算法对交易金额的明文 M加密,生成交易金额的密文( C, B)包括: 所述发送方将所述交易金额的明文 M分割成 L份交易金额的明文 Mk, 分别采用 加法同态加密算法对所述 L份交易金额的明文 Mkii行加密,生成 L份交易金额的密文(Ck, Bk),以使所述监管方采用与所述公钥对应的私钥解密所述 L份交易金额的密文( Ck, Bk), 获得所述 L份交易金额的明文 Mk, 并根据所述 L份交易金额的明文 Mk获得所述交易金额 的明文 M; 所述加法同态加密算法的公钥由所述监管方提供, k为正整数, k=l , L; L 为大于或等于 2的正整数; The method according to claim 9 or 10, wherein the system further comprises a supervisor; the sender encrypts the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm, and generates a ciphertext of the transaction amount ( C, B) includes: the sender divides the plaintext M of the transaction amount into the plaintext M k of the L transaction amount, and encrypts the plaintext M k ii line of the L transaction amount by using an additive homomorphic encryption algorithm, respectively Generating a ciphertext (C k , B k ) of the L transaction amount, so that the supervisor decrypts the ciphertext ( C k , B k ) of the L transaction amount by using a private key corresponding to the public key obtaining the amount of the transaction plaintext parts L M K, the plaintext M and the transaction amount based on the transaction amount plaintext parts L M K; adding the homomorphic public key encryption algorithm provided by the regulators , k is a positive integer, k=l , L; L is a positive integer greater than or equal to 2;
所述发送方将所述交易金额的密文(C, B)发送至所述验证方, 以使所述验证方根据 所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于第一有效范围包括: 所述发送方将所述 L份交易金额的密文(Ck, Bk)发送至所述验证方, 以使所述验证方根 据所述交易金额的密文(Ck, Bk)验证所述交易金额的明文 Mk是否属于第二有效范围; 其 中, 所述第二有效范围为[0, 2U-1], u为所述交易金额的明文 的比特位长度。 Transmitting, by the sender, the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies the plaintext of the transaction amount according to the ciphertext (C, B) of the transaction amount Whether the M belongs to the first valid range includes: the sender sending the ciphertext (C k , B k ) of the L transaction amount to the verification party, so that the verification party is dense according to the transaction amount The text (C k , B k ) verifies whether the plaintext M k of the transaction amount belongs to the second valid range; wherein, the second valid range is [0, 2 U -1], and u is the plaintext of the transaction amount The length of the bit.
12、 一种数据处理方法, 应用于区块链***, 所述***包括发送方及验证方, 其特征 在于, 所述方法包括: 12. A data processing method, applied to a blockchain system, the system comprising a sender and a verification party, wherein the method comprises:
所述验证方接收所述发送方发送的交易金额的密文(C, B) ; 其中, 所述交易金额的 密文(C, B)为所述发送方采用加法同态加密算法对交易金额的明文 M加密生成的密文; 所述交易金额的明文 M的比特位长度为 U;  The verification party receives the ciphertext (C, B) of the transaction amount sent by the sender; wherein, the ciphertext (C, B) of the transaction amount is the transaction amount of the sender using the addition homomorphic encryption algorithm The plaintext M encrypts the generated ciphertext; the length of the plaintext M of the transaction amount is U;
所述验证方根据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于 第一有效范围; 所述第一有效范围为[0, 2U-1]。 The verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount; the first valid range is [0, 2 U -1].
13、 如权利要求 12所述的方法, 其特征在于,
Figure imgf000027_0001
B = g;; 其中, r为随 机生成的整数, g3 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法的 公钥, g4=g3 ask, ask为所述加法同态加密算法的私钥。 13. The method of claim 12, wherein
Figure imgf000027_0001
B = g;; where r is a randomly generated integer, a generator of g 3 Gi, a Gi S order is a multiplicative group of prime numbers, g 4 is the public key of the additive homomorphic encryption algorithm, g 4 =g 3 ask , ask is the private key of the addition homomorphic encryption algorithm.
14、 一种区块链***, 所述***包括发送方及验证方, 其特征在于: 14. A blockchain system, the system comprising a sender and a verification party, wherein:
所述发送方用于采用加法同态加密算法对交易金额的明文 M加密, 生成交易金额的密 文(C, B) , 并将所述交易金额的密文(C, B)发送至所述<验证方;  The sender is configured to encrypt the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm, generate a ciphertext (C, B) of the transaction amount, and send the ciphertext (C, B) of the transaction amount to the <verified party;
所述验证方用于根据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否 属于第一有效范围; 所述第一有效范围为[0, 2U-1], U为所述交易金额的明文 M的比特位 长度。 The verifier is configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2 U -1], U is the bit length of the plaintext M of the transaction amount.
15、 如权利要求 14所述的***, 其特征在于, 所述 C =
Figure imgf000027_0002
B = g;; 其中, r为随 机生成的整数, g3 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法的 公钥, g4=g3 ask, ask为所述加法同态加密算法的私钥。 15. The system of claim 14 wherein said C =
Figure imgf000027_0002
B = g;; where r is a randomly generated integer, a generator of g 3 Gi, a Gi S order is a multiplicative group of prime numbers, g 4 is the public key of the additive homomorphic encryption algorithm, g 4 =g 3 ask , ask is the private key of the addition homomorphic encryption algorithm.
16、 如权利要求 14或 15所述的***, 其特征在于, 所述***还包括监管方; 所述发送方用于将所述交易金额的明文 M分割成 L份交易金额的明文 Mk, 分别采用 加法同态加密算法对所述 L份交易金额的明文 Mkii行加密,生成 L份交易金额的密文(Ck, Bk) ; 所述加法同态加密算法的公钥由所述监管方提供, k为正整数, k=l , L, L为大 于或等于 2的正整数; 16. The system as claimed in claim 14 or 15, characterized in that the system further comprises regulators; said sender for dividing the plaintext M to the transaction amount of the transaction amount L parts plaintext M K, Encrypting the plaintext M k ii of the L transaction amount by using an additive homomorphic encryption algorithm to generate a ciphertext (C k , B k ) of the L transaction amount; the public key of the addition homomorphic encryption algorithm The regulator provides that k is a positive integer, k = l, L, L is a positive integer greater than or equal to 2;
所述验证方用于根据所述交易金额的密文( Ck, Bk)验证所述交易金额的明文 Mk是否 属于第二有效范围; 所述第二有效范围为 [0, 2U-1] , u为所述交易金额的明文 的比特位 长度; The verifier is configured to verify, according to the ciphertext (C k , B k ) of the transaction amount, whether the plaintext M k of the transaction amount belongs to the second valid range; the second valid range is [0, 2 U - 1], u is the length of the plaintext of the transaction amount;
所述监管方用于采用与所述公钥对应的私钥解密所述 L份交易金额的密文( Ck, Bk) , 获得所述 L份交易金额的明文 Mk, 并根据所述 L份交易金额的明文 Mk获得所述交易金额 的明文 M。 The supervisor is configured to decrypt the ciphertext (C k , B k ) of the L transaction amount by using a private key corresponding to the public key, obtain the plaintext M k of the L transaction amount, and according to the The plaintext M k of the L transaction amount obtains the plaintext M of the transaction amount.
17、 如权利要求 14-16任一项所述的***, 其特征在于, 所述发送方还用于生成所述 交易金额的明文 M属于第一有效范围的零知识证明; The system according to any one of claims 14-16, wherein the sender is further configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range;
所述验证方用于根据所述交易金额的密文(C, B)验证所述交易金额的明文 M属于 第一有效范围的零知识证明。  The verifier is configured to verify, according to the ciphertext (C, B) of the transaction amount, that the plaintext M of the transaction amount belongs to the zero-knowledge proof of the first valid range.
18、如权利要求 14-17任一项所述的***,其特征在于, 所述交易金额包括输出金额; 所述发送方还用于计算输入金额与输出金额的差值的密文 C', 并生成 C'是加密了明文 为零的密文的加法同态零知识证明; 其中, 所述 C'为根据所述输出金额的密文与所述输入 金额的密文计算得到的密文, 所述输入金额的密文为所述发送方在上一次交易中接收的金 额的密文, 或者所述输入金额的密文为所述发送方采用所述加法同态加密算法对当前交易 中生成的金额加密生成的密文; The system according to any one of claims 14-17, wherein the transaction amount includes an output amount; the sender is further configured to calculate a ciphertext C' of a difference between the input amount and the output amount, And generating C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with the plaintext zero; wherein, the C' is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, The ciphertext of the input amount is a ciphertext of the amount received by the sender in the last transaction, or the ciphertext of the input amount is generated by the sender using the addition homomorphic encryption algorithm on the current transaction The amount of encrypted ciphertext generated;
所述验证方还用于验证所述 C'是加密了明文为零的密文的加法同态零知识证明。  The verifier is also used to verify that the C' is an additive homomorphic zero-knowledge proof that encrypts the ciphertext with plaintext zero.
19、 如权利要求 14或 15所述的***, 其特征在于, 所述***还包括监管方, 所述力口 法同态加密算法的公钥由所述监管方提供; The system according to claim 14 or 15, wherein the system further comprises a supervisor, the public key of the homomorphic encryption algorithm being provided by the supervisor;
所述发送方还用于生成所述监管方可解密所述交易金额的密文( C, B)的零知识证明; 所述验证方还用于验证所述监管方可解密所述交易金额的密文( C, B)的零知识证明; 所述监管方用于采用与所述公钥对应的私钥解密所述交易金额的密文(C, B) 。  The sender is further configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the verifier is further configured to verify that the supervisor can decrypt the transaction amount a zero-knowledge proof of ciphertext (C, B); the supervisor is used to decrypt the ciphertext (C, B) of the transaction amount using a private key corresponding to the public key.
20、 如权利要求 17所述的***, 其特征在于, 所述发送方用于生成 N个第一参数; 所述验证方用于生成 N个第二参数; 其中,所述 N个第一参数与所述 N个第二参数一 一对应; The system according to claim 17, wherein the sender is configured to generate N first parameters; the verifier is used to generate N second parameters; wherein the N first parameters One-to-one correspondence with the N second parameters;
验证所述 N个第二参数是否与对应的所述第一参数相等, 若相等, 则所述交易金额的 明文 M属于第一有效范围。 Verifying whether the N second parameters are equal to the corresponding first parameter, and if they are equal, the plaintext M of the transaction amount belongs to the first valid range.
21、 如权利要求 20所述的***, 其特征在于, 所述发送方还用于生成第一验证参数; 所述第一验证参数由所述 N个第一参数决定; The system according to claim 20, wherein the sender is further configured to generate a first verification parameter; the first verification parameter is determined by the N first parameters;
所述验证方还用于生成第二验证参数; 所述第二验证参数由所述 N个第二参数决定; 所述验证方还用于验证所述第一参数是否等于所述第二验证参数, 若相等, 则所述 N 个第二参数与相应的所述第一参数相等。  The verification party is further configured to generate a second verification parameter; the second verification parameter is determined by the N second parameters; the verification party is further configured to verify whether the first parameter is equal to the second verification parameter And if equal, the N second parameters are equal to the corresponding first parameter.
22、 一种发送方, 应用于区块链***, 所述***包括发送方及验证方, 其特征在于, 所述发送方包括: 22. A sender, applied to a blockchain system, the system includes a sender and a verifier, wherein the sender includes:
加密单元, 用于采用加法同态加密算法对交易金额的明文 M加密, 生成交易金额的密 文(C, B) ; 其中, 所述交易金额的明文 M的比特位长度为 U;  An encryption unit, configured to encrypt the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm, and generate a ciphertext (C, B) of the transaction amount; wherein, the plaintext M of the transaction amount has a bit length U;
发送单元, 用于将所述交易金额的密文(C, B)发送至所述验证方, 以使所述验证方 根据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否属于第一有效范围; 所述第一有效范围为 [0, 2U-1] , U为所述交易金额的明文 M的比特位长度。 a sending unit, configured to send the ciphertext (C, B) of the transaction amount to the verification party, so that the verification party verifies the transaction amount according to the ciphertext (C, B) of the transaction amount Whether the plaintext M belongs to the first valid range; the first valid range is [0, 2 U -1], and U is the bit length of the plaintext M of the transaction amount.
23、 如权利要求 22所述的发送方, 其特征在于,
Figure imgf000029_0001
B = g;; 其中, r为 随机生成的整数, g3 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法 的公钥, g4=g3 ask, ask为所述加法同态加密算法的私钥。 23. The sender of claim 22, wherein:
Figure imgf000029_0001
B = g;; where r is a randomly generated integer, a generator of g 3 Gi, a Gi S order is a multiplicative group of prime numbers, g 4 is the public key of the additive homomorphic encryption algorithm, g 4 =g 3 ask , ask is the private key of the addition homomorphic encryption algorithm.
24、 如权利要求 22或 23所述的发送方, 其特征在于, 所述***还包括监管方; 所述力 p密单元包括: The sender according to claim 22 or 23, wherein the system further comprises a supervisor; the force p- tight unit comprises:
分割子单元, 用于将所述交易金额的明文 M分割成 L份交易金额的明文 Mk; 其中, k 为正整数, k=l , L; L为大于或等于 2的正整数; Sub-dividing means for dividing the plaintext M to the transaction amount of the transaction amount L parts plaintext M K; where, k is a positive integer, k = l, L; L is a positive integer equal to or greater than 2;
加密子单元, 用于分别采用加法同态加密算法对所述 L份交易金额的明文 Mk加密, 生成 L份交易金额的密文(Ck, Bk) , 以使所述监管方采用与所述公钥对应的私钥解密所 述 L份交易金额的密文( Ck, Bk) , 获得所述 L份交易金额的明文 Mk, 并根据所述 L份 交易金额的明文 Mk获得所述交易金额的明文 M; 所述加法同态加密算法的公钥由所述监 管方提供; The encryption sub-unit, using an adder for respectively homomorphic encryption algorithm to the plain text M k L encrypted parts amount of the transaction, the transaction amount generating parts L ciphertext (C k, B k), so that the use of the regulators public key corresponding to the private key to decrypt the transaction amount L of the parts of the ciphertext (C k, B k), obtaining the L parts plaintext M k transaction amount, and the plaintext M according to the transaction amount L k parts Obtaining a plaintext M of the transaction amount; the public key of the addition homomorphic encryption algorithm is provided by the supervisor;
所述发送单元, 用于将所述 L份交易金额的密文(Ck, Bk)发送至所述验证方, 以使 所述验证方根据所述交易金额的密文(Ck, Bk)验证所述交易金额的明文 Mk是否属于第二 有效范围; 其中, 所述第二有效范围为 [0, 2U-1] , u为所述交易金额的明文 的比特位长 度。 The sending unit is configured to send the ciphertext (C k , B k ) of the L transaction amount to the verification party, so that the verification party is ciphertext according to the transaction amount (C k , B k) verifying the transaction amount whether the plaintext M k belongs to the second effective range; wherein the second effective range is [0, 2 U -1], u is the bit length of the plaintext transaction amount.
25、 一种验证方, 应用于区块链***, 所述***包括发送方及验证方, 其特征在于, 所述验证方包括: 25. A verification party, applied to a blockchain system, the system comprising a sender and a verification party, wherein the verification party comprises:
接收单元, 用于接收所述发送方发送的交易金额的密文(C, B) ; 其中, 所述交易金 额的密文(C, B) 为所述发送方采用加法同态加密算法对交易金额的明文 M加密生成的 密文; 所述交易金额的明文 M的比特位长度为 U;  a receiving unit, configured to receive a ciphertext (C, B) of the transaction amount sent by the sender; wherein, the ciphertext (C, B) of the transaction amount is a transaction for the sender by using an additive homomorphic encryption algorithm The ciphertext generated by the plaintext M of the amount of money; the length of the plaintext M of the transaction amount is U;
验证单元, 用于根据所述交易金额的密文(C, B)验证所述交易金额的明文 M是否 属于第一有效范围; 所述第一有效范围为[0, 2U-1]。 a verification unit, configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount is It belongs to the first effective range; the first effective range is [0, 2 U -1].
26、 如权利要求 25所述的验证方, 其特征在于,
Figure imgf000030_0001
B = g;; 其中, r为 随机生成的整数, g3 Gi的生成元, Gi S阶为素数的乘法群, g4为所述加法同态加密算法 的公钥, g4=g3 ask, ask为所述加法同态加密算法的私钥。 26. The verifier according to claim 25, wherein:
Figure imgf000030_0001
B = g;; where r is a randomly generated integer, a generator of g 3 Gi, a Gi S order is a multiplicative group of prime numbers, g 4 is the public key of the additive homomorphic encryption algorithm, g 4 =g 3 ask , ask is the private key of the addition homomorphic encryption algorithm.
27、 一种发送方, 应用于区块链***, 所述***包括发送方及验证方, 其特征在于, 所述发送方包括: 处理器、 存储器和收发器, 其中: 27. A sender, applied to a blockchain system, the system comprising a sender and a verifier, wherein the sender comprises: a processor, a memory, and a transceiver, wherein:
所述处理器、 所述存储器和所述收发器相互连接, 所述存储器用于存储计算机程序, 所述计算机程序包括程序指令, 所述处理器被配置用于调用所述程序指令, 执行如权利要 求 9-11任意一项所述的数据处理方法。  The processor, the memory and the transceiver are connected to each other, the memory is for storing a computer program, the computer program comprises program instructions, and the processor is configured to invoke the program instruction, and execute the right The data processing method of any of 9-11 is required.
28、 一种验证方, 应用于区块链***, 所述***包括发送方及验证方, 其特征在于, 所述验证方包括: 处理器、 存储器和收发器, 其中: 28. A verifier, applied to a blockchain system, the system comprising a sender and a verifier, wherein the verifier includes: a processor, a memory, and a transceiver, wherein:
所述处理器、 所述存储器和所述收发器相互连接, 所述存储器用于存储计算机程序, 所述计算机程序包括程序指令, 所述处理器被配置用于调用所述程序指令, 执行如权利要 求 12或 13所述的数据处理方法。  The processor, the memory and the transceiver are connected to each other, the memory is for storing a computer program, the computer program comprises program instructions, and the processor is configured to invoke the program instruction, and execute the right The data processing method of claim 12 or 13 is required.
29、 一种计算机可读存储介质, 其特征在于, 所述计算机可读存储介质存储有计算机 程序, 所述计算机程序包括程序指令, 所述程序指令当被处理器执行时, 使所述处理器执 行如权利要求 9-11任意一项所述的数据处理方法。 29. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program, the computer program comprising program instructions, the program instructions, when executed by a processor, causing the processor A data processing method according to any one of claims 9-11.
30、 一种计算机可读存储介质, 其特征在于, 所述计算机可读存储介质存储有计算机 程序, 所述计算机程序包括程序指令, 所述程序指令当被处理器执行时, 使所述处理器执 行如权利要求 12或 13任意一项所述的数据处理方法。 30. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program, the computer program comprising program instructions, the program instructions, when executed by a processor, causing the processor A data processing method according to any one of claims 12 or 13.
PCT/SG2018/050200 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system WO2019209168A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201880092481.XA CN111989891A (en) 2018-04-26 2018-04-26 Data processing method, related device and block chain system
PCT/SG2018/050200 WO2019209168A2 (en) 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SG2018/050200 WO2019209168A2 (en) 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system

Publications (2)

Publication Number Publication Date
WO2019209168A2 true WO2019209168A2 (en) 2019-10-31
WO2019209168A3 WO2019209168A3 (en) 2019-12-12

Family

ID=68295255

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2018/050200 WO2019209168A2 (en) 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system

Country Status (2)

Country Link
CN (1) CN111989891A (en)
WO (1) WO2019209168A2 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111161075A (en) * 2019-12-31 2020-05-15 深圳市网心科技有限公司 Block chain transaction data certification supervision method, system and related equipment
CN111355578A (en) * 2020-03-16 2020-06-30 北京有链科技有限公司 Public key encryption and decryption method and system with double monitoring parties
CN111429138A (en) * 2020-03-25 2020-07-17 中国工商银行股份有限公司 Block link point data safety interaction method and first interaction node
CN111931209A (en) * 2020-08-18 2020-11-13 金网络(北京)电子商务有限公司 Contract information verification method and device based on zero knowledge certification
CN112734423A (en) * 2020-12-31 2021-04-30 杭州趣链科技有限公司 Transaction method based on block chain and terminal equipment
CN114257366A (en) * 2021-12-20 2022-03-29 成都卫士通信息产业股份有限公司 Information homomorphic processing method, device, equipment and computer readable storage medium
US11341492B2 (en) 2018-08-30 2022-05-24 Advanced New Technologies Co., Ltd. Method, apparatus and electronic device for blockchain transactions
US11341487B2 (en) 2018-12-29 2022-05-24 Advanced New Technologies Co., Ltd. System and method for information protection
US11379826B2 (en) 2018-08-06 2022-07-05 Advanced New Technologies Co., Ltd. Method, apparatus and electronic device for blockchain transactions
CN116432204A (en) * 2023-04-20 2023-07-14 兰州理工大学 Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof
CN116886268A (en) * 2023-08-10 2023-10-13 云海链控股股份有限公司 Data transmission verification method, device, equipment and computer readable storage medium
WO2024001558A1 (en) * 2022-06-29 2024-01-04 中兴通讯股份有限公司 Data processing method and device, and computer device and readable storage medium

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112418857B (en) * 2020-11-30 2023-06-30 北京八分量信息科技有限公司 Hidden transaction method and device based on UTXO model and related products
CN112632636B (en) * 2020-12-23 2024-06-04 深圳前海微众银行股份有限公司 Ciphertext data comparison result proving and verifying method and device
CN112819465B (en) * 2021-01-28 2023-08-15 武汉天喻聚联科技有限公司 Homomorphic encryption method and application system based on Elgamal
US11943360B2 (en) 2021-06-22 2024-03-26 International Business Machines Corporation Generative cryptogram for blockchain data management

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9613292B1 (en) * 2012-01-26 2017-04-04 Hrl Laboratories, Llc Secure multi-dimensional pattern matching for secure search and recognition
WO2016200885A1 (en) * 2015-06-08 2016-12-15 Blockstream Corporation Cryptographically concealing amounts transacted on a ledger while preserving a network's ability to verify the transaction
EP3379444A4 (en) * 2015-12-22 2018-12-05 Huawei Technologies Co., Ltd. User attribute matching method and terminal
CN106549749B (en) * 2016-12-06 2019-12-24 杭州趣链科技有限公司 Block chain privacy protection method based on addition homomorphic encryption
CN106911470B (en) * 2017-01-23 2020-07-07 北京航空航天大学 Bit currency transaction privacy enhancement method
CN107317666B (en) * 2017-05-25 2020-04-10 深圳前海大道金融服务有限公司 Parallel full homomorphic encryption and decryption method supporting floating point operation
CN108021821A (en) * 2017-11-28 2018-05-11 北京航空航天大学 Multicenter block chain transaction intimacy protection system and method

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11379826B2 (en) 2018-08-06 2022-07-05 Advanced New Technologies Co., Ltd. Method, apparatus and electronic device for blockchain transactions
US11341492B2 (en) 2018-08-30 2022-05-24 Advanced New Technologies Co., Ltd. Method, apparatus and electronic device for blockchain transactions
US11392942B2 (en) * 2018-08-30 2022-07-19 Advanced New Technologies Co., Ltd. Method, apparatus and electronic device for blockchain transactions
US11341487B2 (en) 2018-12-29 2022-05-24 Advanced New Technologies Co., Ltd. System and method for information protection
US11416854B2 (en) 2018-12-29 2022-08-16 Advanced New Technologies Co., Ltd. System and method for information protection
CN111161075A (en) * 2019-12-31 2020-05-15 深圳市网心科技有限公司 Block chain transaction data certification supervision method, system and related equipment
CN111161075B (en) * 2019-12-31 2024-04-05 深圳市迅雷网络技术有限公司 Blockchain transaction data proving and supervising method, system and related equipment
CN111355578A (en) * 2020-03-16 2020-06-30 北京有链科技有限公司 Public key encryption and decryption method and system with double monitoring parties
CN111429138A (en) * 2020-03-25 2020-07-17 中国工商银行股份有限公司 Block link point data safety interaction method and first interaction node
CN111931209B (en) * 2020-08-18 2024-03-22 金网络(北京)数字科技有限公司 Contract information verification method and device based on zero knowledge proof
CN111931209A (en) * 2020-08-18 2020-11-13 金网络(北京)电子商务有限公司 Contract information verification method and device based on zero knowledge certification
CN112734423A (en) * 2020-12-31 2021-04-30 杭州趣链科技有限公司 Transaction method based on block chain and terminal equipment
CN114257366A (en) * 2021-12-20 2022-03-29 成都卫士通信息产业股份有限公司 Information homomorphic processing method, device, equipment and computer readable storage medium
CN114257366B (en) * 2021-12-20 2024-04-12 成都卫士通信息产业股份有限公司 Information homomorphic processing method, device, equipment and computer readable storage medium
WO2024001558A1 (en) * 2022-06-29 2024-01-04 中兴通讯股份有限公司 Data processing method and device, and computer device and readable storage medium
CN116432204B (en) * 2023-04-20 2023-11-17 兰州理工大学 Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof
CN116432204A (en) * 2023-04-20 2023-07-14 兰州理工大学 Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof
CN116886268A (en) * 2023-08-10 2023-10-13 云海链控股股份有限公司 Data transmission verification method, device, equipment and computer readable storage medium
CN116886268B (en) * 2023-08-10 2024-04-26 云海链控股股份有限公司 Data transmission verification method, device, equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN111989891A (en) 2020-11-24
WO2019209168A3 (en) 2019-12-12

Similar Documents

Publication Publication Date Title
WO2019209168A2 (en) Data processing method, related apparatus, and blockchain system
CN113424185B (en) Fast inadvertent transmission
CN108292402B (en) Determination of a common secret and hierarchical deterministic keys for the secure exchange of information
CN110011781B (en) Homomorphic encryption method and medium for transaction amount encryption and supporting zero knowledge proof
US7594261B2 (en) Cryptographic applications of the Cartier pairing
US8180047B2 (en) Trapdoor pairings
CN110247757B (en) Block chain processing method, device and system based on cryptographic algorithm
US9590807B2 (en) Identity based public key cryptosystem
US9705683B2 (en) Verifiable implicit certificates
CN107425971B (en) Certificateless data encryption/decryption method and device and terminal
JP6882705B2 (en) Key exchange system and key exchange method
CN108696518B (en) Block chain user communication encryption method and device, terminal equipment and storage medium
CN104168114A (en) Distributed type (k, n) threshold certificate-based encrypting method and system
TWI807103B (en) Computer implemented system and method for sharing a common secret
WO2023184858A1 (en) Timestamp generation method and apparatus, and electronic device and storage medium
Yin et al. An efficient and secured data storage scheme in cloud computing using ECC-based PKI
TW202232913A (en) Generating shared keys
TW202318833A (en) Threshold signature scheme
WO2022116175A1 (en) Method and apparatus for generating digital signature and server
CN116318696B (en) Proxy re-encryption digital asset authorization method under condition of no initial trust of two parties
CN116455561A (en) Embedded TLS protocol for lightweight devices
Chavan et al. Secure CRM cloud service using RC5 algorithm
Barker et al. SP 800-56A. recommendation for pair-wise key establishment schemes using discrete logarithm cryptography (revised)
CN111885056A (en) Zero knowledge proving method and device based on block chain and electronic equipment
JP2007208410A (en) Id base encryption communication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18916534

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18916534

Country of ref document: EP

Kind code of ref document: A2