WO2022144966A1 - Information processing system, control method, information processing device and control program - Google Patents
- Publication number
- WO2022144966A1 (PCT/JP2020/049119)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- commitment
- item
- information processing
- information
- zero
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/04—Masking or blinding
- H04L2209/046—Masking or blinding of operations, operands or results of the operations
Definitions
- The present invention relates to an information processing system, a control method, an information processing device and a control program.
- A user who holds certain data may want to prove to others that the data is authentic, that is, that it has not been tampered with.
- A database such as a blockchain, in which it is difficult to illegally rewrite data after registration, may be used.
- A converted value obtained from the data by a conversion function may be registered in the database instead of the original data itself.
- The converted value is sometimes referred to as a commitment and may be a string or number that makes it difficult to infer the original data.
- A certain information processing device converts certain data into a commitment and registers it in a database.
- The information processing device transmits the data before conversion to another information processing device.
- The other information processing device converts the received data into a commitment and compares it with the commitment registered in the database. If the two commitments match, the other information processing device determines that the received data has not been tampered with.
- A cryptographic technique called zero-knowledge proof may be used.
- One information processing device generates, from the original data, zero-knowledge proof information that has only a sufficiently small probability of being generated by accident without knowledge of the original data, and sends it to another information processing device.
- The other information processing device verifies the received zero-knowledge proof information according to a specific algorithm, and determines whether the received zero-knowledge proof information proves the knowledge of the other user.
- A cryptographic library that performs anonymous user authentication has been proposed.
- The proposed cryptographic library generates mask data by masking the item value with a random number for each non-disclosure item that is not disclosed to the other party. Further, the cryptographic library generates, in association with the mask data, zero-knowledge proof information for proving knowledge of the item values and random numbers.
- The cryptographic library sends the mask data and zero-knowledge proof information to the other party.
- A user may want to prove to others the authenticity of a specific item value among multiple item values included in the data while concealing the other item values.
- Conventional authenticity proof techniques that utilize databases register a commitment to the entire data in the database and require that the entire original data be disclosed to others as proof information.
- With the cryptographic library, mask data and zero-knowledge proof information are transmitted to the other party for each item value to be kept secret. Therefore, if the zero-knowledge proof is applied in order to realize the above-mentioned authenticity proof, the amount of data of the proof information may increase.
- The present invention aims to reduce the amount of data of proof information for proving the authenticity of item values.
- An information processing system including a first information processing device and a second information processing device is provided.
- The first information processing device conceals two or more first item values out of a plurality of item values included in the data to generate a first commitment, and generates, from the two or more first item values, zero-knowledge proof information for proving that a user of the first information processing device has knowledge of the two or more first item values.
- The first information processing device transmits the second item value among the plurality of item values, the generated first commitment, and the generated zero-knowledge proof information to the second information processing device.
- The second information processing device generates a second commitment from the received second item value.
- The second information processing device verifies the authenticity of the received second item value based on the relationship between the first and second commitments and the third commitment stored in the database, and on the received zero-knowledge proof information.
- A control method executed by the first information processing device and the second information processing device is provided. Further, in one embodiment, an information processing device having a communication unit and a processing unit is provided. Further, in one embodiment, a control program to be executed by a computer is provided.
- The amount of data of the proof information for proving the authenticity of item values is reduced.
- FIG. 1 is a diagram for explaining the information processing system of the first embodiment.
- the information processing system of the first embodiment includes information processing devices 10, 20 and a database 30.
- The information processing device 10 is a transmission device that transmits proof information for proving the authenticity of data, that is, that the data has not been tampered with.
- the information processing device 20 is a verification device that receives proof information and verifies the authenticity of the data.
- the information processing devices 10 and 20 may be terminal devices operated by the user or server devices, respectively.
- the database 30 is referred to by the information processing apparatus 20 at the time of authenticity verification. Writing may be performed from the information processing device 10 to the database 30.
- the database 30 may be held in the information processing device 20, or may be held in a database server different from the information processing devices 10 and 20.
- the database 30 may be a database in which it is difficult to illegally rewrite data after registration, or may be a blockchain.
- the information processing device 10 has a storage unit 11, a processing unit 12, and a communication unit 13.
- the information processing device 20 has a communication unit 21 and a processing unit 22.
- The storage unit 11 may be a volatile semiconductor memory such as a RAM (Random Access Memory) or a non-volatile storage such as an HDD (Hard Disk Drive) or a flash memory.
- the processing units 12 and 22 are processors such as a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), and a DSP (Digital Signal Processor).
- the processing units 12 and 22 may include electronic circuits for specific purposes such as ASIC (Application Specific Integrated Circuit) and FPGA (Field Programmable Gate Array).
- the processor executes a program stored in a memory such as RAM.
- a collection of multiple processors may be referred to as a multiprocessor or simply a "processor".
- the communication units 13 and 21 are communication interfaces for performing data communication via a network.
- the communication unit 13 communicates with the information processing device 20.
- the communication unit 21 communicates with the information processing device 10.
- the network may include a LAN (Local Area Network) or may include a wide area network such as the Internet.
- the communication units 13 and 21 may be a wired communication interface connected to a wired communication device such as a switch or a router by a cable. Further, the communication units 13 and 21 may be a wireless communication interface connected to a wireless communication device such as an access point or a base station by a wireless link.
- the storage unit 11 stores data 14 known to a certain user.
- the data 14 may be transaction data indicating a contract such as a product sales contract or a service provision contract.
- the data 14 includes two or more item values including the item values 15a and 15b and the item value 16.
- the item values 15a, 15b, and 16 are, for example, human-readable character strings or numerical values. Examples of the item values 15a, 15b, 16 include transaction date and time, transaction partner, product name or service name, transaction amount, and the like.
- The information processing apparatus 10 discloses the item value 16 to the information processing apparatus 20 while concealing two or more item values, including the item values 15a and 15b, without disclosing them to the information processing apparatus 20, and attempts to prove the authenticity of the disclosed item value 16. For example, the information processing apparatus 10 discloses the transaction amount of the transaction data while concealing the transaction partner.
- The processing unit 12 conceals the item values 15a and 15b and generates a commitment 17.
- The commitment 17 is, for example, a symbol string or a numerical value from which the item values 15a and 15b are difficult to infer.
- One commitment may be generated for two or more item values.
- The conversion from the item values 15a and 15b to the commitment 17 may be a one-way conversion in which the inverse conversion from the commitment 17 to the item value 15 is difficult. Concealing the item value 15 may be referred to as making it unreadable.
- the processing unit 12 generates zero-knowledge proof information 18 for proving that the certifier who is the user on the information processing apparatus 10 side has the knowledge of the item values 15a and 15b.
- the zero-knowledge proof information 18 is, for example, a symbol string or a numerical value.
- Zero-knowledge proof information 18 is associated with commitment 17.
- the processing unit 12 generates zero-knowledge proof information 18 from the item values 15a and 15b used for the commitment 17.
- one zero-knowledge proof information may be generated for two or more item values.
- With the zero-knowledge proof, the zero-knowledge proof information 18 proves that the commitment 17 was generated with knowledge of the item values 15a and 15b, even though the item values 15a and 15b themselves are not disclosed.
- the probability that zero-knowledge proof information 18 consistent with commitment 17 is accidentally generated without knowing the item values 15a and 15b is sufficiently small.
- the communication unit 13 transmits the item value 16 included in the data 14 and the commitment 17 and the zero-knowledge proof information 18 generated by the processing unit 12 to the information processing device 20.
- the communication unit 13 does not have to transmit the item values 15a and 15b to the information processing device 20.
- the communication unit 21 receives the item value 16, the commitment 17, and the zero-knowledge proof information 18 from the information processing device 10.
- the processing unit 22 reads the commitment 31 from the database 30. Commitment 31 corresponds to the entire data 14.
- The commitment 31 is the product of the commitments of the item values 15a and 15b and the commitment of the item value 16.
- the information processing apparatus 10 may generate a commitment 31 and register it in the database 30.
- the information processing apparatus 20 verifies that the item value 16 has not been tampered with by using the item value 16, the commitment 17, the zero-knowledge proof information 18, and the commitment 31.
- In verifying authenticity, the processing unit 22 generates a commitment 23 from the received item value 16.
- The commitment 23 is, for example, a symbol string or a numerical value generated in the same manner as the commitment 17.
- The processing unit 22 verifies the authenticity of the received item value 16 based on the relationship between the commitments 17 and 23 and the commitment 31 stored in the database 30, and on the received zero-knowledge proof information 18.
- The processing unit 22 calculates the product of the commitments 17 and 23 and determines whether the product and the commitment 31 match. If the commitments 17 and 23 are each numerical values having a specific number of digits, the product of the commitments 17 and 23 may be the remainder left after the overflow is removed. Further, for example, the processing unit 22 verifies, from the commitment 17 and the zero-knowledge proof information 18, that the zero-knowledge proof information 18 is consistent with the commitment 17. If both the matching with the commitment 31 and the zero-knowledge proof of the item value 15 are successful, the processing unit 22 determines that the received item value 16 is genuine.
- Suppose that the information processing apparatus 10 falsifies the item value 16 and presents it to the information processing apparatus 20 after the commitment 31 is registered in the database 30. If the information processing apparatus 10 does not falsify the commitment 17 corresponding to the item values 15a and 15b, the matching between the commitments 17 and 23 and the commitment 31 fails. When the information processing device 10 falsifies the commitment 17 so that this collation succeeds, the one-way nature of the concealment means that the information processing device 10 cannot calculate backwards to item values 15a and 15b from which the falsified commitment 17 would be generated. Therefore, the information processing apparatus 10 cannot generate the zero-knowledge proof information 18 consistent with the falsified commitment 17, and the zero-knowledge proof fails.
- The information processing apparatus 10 generates the commitment 17 and the zero-knowledge proof information 18 from the item values 15a and 15b, and sends them together with the item value 16 to the information processing apparatus 20.
- The information processing apparatus 20 converts the item value 16 into the commitment 23, collates the commitments 17 and 23 with the commitment 31 of the database 30, and verifies the zero-knowledge proof information 18.
- The information processing apparatus 10 can prove the authenticity of the item value 16 included in the data 14 to the information processing apparatus 20 without disclosing the item values 15a and 15b included in the data 14 to the information processing apparatus 20. Therefore, the risk of leakage of the item values 15a and 15b, which are not subject to the proof of authenticity, is reduced, and the protection of the data 14 is strengthened. Further, the information processing apparatus 10 can prove the authenticity of the item value 16, which is a part of the data 14, by using the database 30 for proving the authenticity of the entire data 14.
- the information processing device 20 can detect that the item value 16 is not genuine. Therefore, the reliability of the certification information transmitted from the information processing device 10 to the information processing device 20 is maintained.
- the commitment 17 related to the zero-knowledge proof of the item values 15a and 15b is also used for collation with the commitment 31.
- the product of the commitment 17 used for the zero-knowledge proof of the item values 15a and 15b and the commitment 23 converted from the item value 16 is compared with the commitment 31.
- Only one commitment 17 may be generated from two or more item values, rather than one for each non-disclosure item value, and only one piece of zero-knowledge proof information 18 may be generated, rather than one for each non-disclosure item value. Therefore, the amount of data of the certification information transmitted from the information processing device 10 to the information processing device 20 is reduced.
- FIG. 2 is a diagram showing an example of an information processing system according to a second embodiment.
- the information processing system of the second embodiment has a plurality of database servers such as database servers 41 and 42 and terminal devices 100 and 200.
- the terminal device 100 corresponds to the information processing device 10 of the first embodiment.
- the terminal device 200 corresponds to the information processing device 20 of the first embodiment.
- the database servers 41, 42 and the terminal devices 100, 200 are connected to the network 40.
- the network 40 may include a LAN or may include a wide area network such as the Internet.
- the database servers 41 and 42 are server devices that manage the blockchain.
- the database servers 41 and 42 may be referred to as a computer or an information processing device.
- Blockchain is sometimes referred to as a distributed ledger.
- a blockchain is a database in which it is difficult to illegally rewrite data after it has been registered without leaving any trace of falsification.
- the database servers 41 and 42 maintain the same blockchain. Multiple database servers work together to ensure the authenticity of the blockchain.
- the blockchain corresponds to the database 30 of the first embodiment.
- the terminal device 100 is a client device used by a certifier.
- the certifier is a user who holds certain data and proves to the verifier that the data has not been tampered with.
- the terminal device 100 transmits proof information for proving the authenticity of the data to the terminal device 200 in response to the operation of the certifier.
- the terminal device 100 may be referred to as a computer, information processing device or transmission device.
- the terminal device 100 may be a smartphone, a tablet terminal, a personal computer, or the like.
- the terminal device 200 is a client device used by the verifier.
- a verifier is a user who verifies the authenticity of the data held by the certifier.
- the terminal device 200 receives the certification information from the terminal device 100 and verifies the authenticity of the data with reference to the blockchain.
- the terminal device 200 may be referred to as a computer, information processing device or verification device.
- the terminal device 200 may be a smartphone, a tablet terminal, a personal computer, or the like.
- the information processing system of the second embodiment is used for the following purposes, for example.
- the certifier has license data such as driver's license data. License data includes items such as age and address.
- the certifier proves to the verifier that the age included in the license data owned by the certifier is adult age or older. At this time, the certifier may want to avoid disclosing the entire license data to the verifier from the viewpoint of personal information protection.
- the certifier has transaction data showing a transaction involving the transfer of money with a third party.
- Transaction data includes items such as transaction amount and transaction partner.
- the certifier certifies to the verifier that the transaction amount contained in the transaction data owned by the certifier is below the threshold value in order to claim that the tax processing is being carried out legally.
- the certifier may want to avoid disclosing the entire transaction data to the verifier from the viewpoint of maintaining the confidentiality of the transaction.
- The certifier proves to the verifier that the trading partner included in the transaction data he/she owns is included in a prescribed list, in order to claim that he/she is dealing with a good company certified by a public institution. At this time, the certifier may want to avoid disclosing the entire transaction data to the verifier from the viewpoint of maintaining the confidentiality of the transaction.
- FIG. 3 is a block diagram showing a hardware example of the terminal device.
- The terminal device 100 includes a CPU 101, a RAM 102, an HDD 103, a GPU 104, an input interface 105, a medium reader 106, and a communication interface 107. These hardware units are connected to a bus.
- the CPU 101 corresponds to the processing unit 12 of the first embodiment.
- the RAM 102 or the HDD 103 corresponds to the storage unit 11 of the first embodiment.
- the communication interface 107 corresponds to the communication unit 13 of the first embodiment.
- the database servers 41 and 42 and the terminal device 200 may have the same hardware as the terminal device 100.
- the CPU of the terminal device 200 corresponds to the processing unit 22 of the first embodiment.
- the communication interface included in the terminal device 200 corresponds to the communication unit 21 of the first embodiment.
- the CPU 101 is a processor that executes a program instruction.
- the CPU 101 loads at least a part of the program and data stored in the HDD 103 into the RAM 102, and executes the program.
- the terminal device 100 may have a plurality of processors.
- a set of processors may be referred to as a multiprocessor or simply a "processor".
- the RAM 102 is a volatile semiconductor memory that temporarily stores a program executed by the CPU 101 and data used for calculation by the CPU 101.
- the terminal device 100 may have a type of volatile memory other than RAM.
- HDD 103 is a non-volatile storage that stores software programs such as OS (Operating System), middleware, and application software, and data.
- the terminal device 100 may have other types of non-volatile storage such as a flash memory and an SSD (Solid State Drive).
- the GPU 104 cooperates with the CPU 101 to output an image to the display device 111 connected to the terminal device 100.
- the display device 111 is, for example, a CRT (Cathode Ray Tube) display, a liquid crystal display, an organic EL (Electro Luminescence) display, or a projector.
- Another output device such as a printer may be connected to the terminal device 100.
- the input interface 105 receives an input signal from the input device 112 connected to the terminal device 100.
- the input device 112 is, for example, a mouse, a touch panel or a keyboard.
- a plurality of input devices may be connected to the terminal device 100.
- the medium reader 106 is a reading device that reads programs and data recorded on the recording medium 113.
- the recording medium 113 is, for example, a magnetic disk, an optical disk, or a semiconductor memory. Magnetic disks include flexible disks (FDs) and HDDs. Optical discs include CDs (Compact Discs) and DVDs (Digital Versatile Discs).
- the medium reader 106 copies the programs and data read from the recording medium 113 to other recording media such as the RAM 102 and the HDD 103.
- the read program may be executed by the CPU 101.
- the recording medium 113 may be a portable recording medium.
- the recording medium 113 may be used for distribution of programs and data. Further, the recording medium 113 and the HDD 103 may be referred to as computer-readable recording media.
- the communication interface 107 is connected to the network 40.
- the communication interface 107 communicates with the database servers 41 and 42 and the terminal device 200 via the network 40.
- the communication interface 107 may be a wired communication interface connected to a wired communication device such as a switch or a router, or may be a wireless communication interface connected to a wireless communication device such as a base station or an access point.
- FIG. 4 is a diagram showing a structural example of the blockchain.
- The blockchain managed by the database servers 41 and 42 includes a plurality of linearly connected blocks. A new block is added to the end of the blockchain.
- the blockchain includes blocks 131, 132, 133.
- the block 131 is the block immediately before the block 132.
- the block 133 is a block immediately after the block 132.
- the block 132 includes the main body data 134, the previous block hash value 135 and the nonce value 136.
- the main body data 134 is a set of records corresponding to transactions that occurred in a certain period.
- One record contains a transaction ID that identifies the transaction and a commitment generated from the transaction data.
- A commitment is a number made unreadable so that the original transaction data cannot be inferred. Commitments are generated using a one-way function.
- the previous block hash value 135 is a hash value generated by the hash function from the entire block 131 immediately before the block 132.
- the block 131 and the block 132 are concatenated by the previous block hash value 135.
- the nonce value 136 is a random number.
- The nonce value 136 affects the previous block hash value that will be included in the block 133 immediately after the block 132. To tamper with the records contained in a block in the middle of the blockchain, it is necessary to recalculate the previous block hash value of all subsequent blocks. Therefore, it is difficult to conceal the falsification of the blockchain from the viewpoint of the amount of calculation.
- the transaction data 137 includes a plurality of items related to one transaction.
- the transaction data 137 includes the item number, item name and value of each of the plurality of items.
- the item number is an integer indicating the order of the items.
- the item name is a character string indicating the name of the item.
- the value is a number or string as an item value.
- transaction data 137 includes four items.
- The first item is "Destination" and its value is "Company A".
- The second item is "delivery amount" and its value is "1 million yen".
- The third item is "delivery date" and its value is "October 22, 2020".
- The fourth item is "item" and its value is "commodity B".
- the commitment registered in the blockchain is a numerical value generated from the entire transaction data in order to efficiently ensure the reliability of the transaction data.
- When the terminal device 100 transmits the entire transaction data to the terminal device 200, the terminal device 200 can verify the authenticity of the received transaction data by converting the received transaction data into a commitment and collating it with the blockchain.
- the terminal device 100 may not want to transmit at least a part of the values included in the transaction data to the terminal device 200. Therefore, the information processing system of the second embodiment realizes a proof that conceals at least a part of the values.
- FIG. 5 is a diagram showing an example of data used for authenticity verification of disclosed items.
- the terminal device 100 conceals the first value, the second value, and the third value among the four values included in the transaction data, and transmits the fourth value to the terminal device 200.
- The terminal device 100 cannot prove that the transmitted fourth value is a genuine value included in the transaction data merely by transmitting the fourth value to the terminal device 200. Therefore, the terminal device 100 generates the commitment to be registered in the blockchain by a specific method, and transmits information for proving the authenticity of the fourth value, in addition to the fourth value itself, to the terminal device 200.
- The terminal device 100 generates commitments 142 to 145 (commitments C1, C2, C3, C4) by converting each of the four values included in the transaction data into a commitment.
- the terminal device 100 replaces the character string with a numerical value such as a character code, and then converts the numerical value into a commitment. Specific examples of the functions that generate commitments 142 to 145 will be described later.
- the terminal device 100 calculates the product of the generated commitments 142 to 145 as the commitment 141 (commitment C).
- Commitments 141 to 145 are numerical values, respectively, and the number of digits may be the same.
- The product of two commitments may be the remainder of the arithmetic product, with the overflow removed.
- the terminal device 100 registers the commitment 141, which is the product of the commitments 142 to 145, in the blockchain.
- the terminal device 100 After the commitment 141 is registered in the blockchain, the terminal device 100 attempts to disclose the fourth of the four values, the value 153 (value v4), to the terminal device 200. At this time, the terminal device 100 calculates the product of the commitments 142, 143, and 144 corresponding to the non-disclosure items as the commitment 151 (commitment C hidden ).
- the terminal device 100 generates zero-knowledge proof information 152 (zero-knowledge proof information ⁇ hidden ) indicating that the certifier knows the values of the three non-disclosure items used in the commitment 151.
- Zero-knowledge proof information 152 is a set of numerical values generated by a specific algorithm from the values of non-disclosure items. Zero-knowledge proof does not require the transmission of the non-disclosure item value itself. If the certifier does not know the value of the non-disclosure item, it is stochastically extremely difficult for the terminal device 100 to generate zero-knowledge proof information 152 consistent with the commitment 151. Thus, the success of certain validation procedures for commitment 151 and zero-knowledge proof information 152 proves that the certifier knows the value of the non-disclosure item.
- The terminal device 100 transmits the commitment 151, the zero-knowledge proof information 152, and the value 153 to the terminal device 200.
- The terminal device 200 determines the success or failure of the verification of the zero-knowledge proof information 152 by inputting the commitment 151 and the zero-knowledge proof information 152 into the verification function.
- Successful verification of zero-knowledge proof information 152 indicates that the certifier knows the value of the non-disclosure item used in commitment 151.
- Failure to verify zero-knowledge proof information 152 indicates that the certifier may not know the value of the non-disclosure item used in commitment 151.
- The terminal device 200 converts the received value 153 into a commitment. If the value 153 is authentic, the commitment generated is the same as the commitment 145. The terminal device 200 calculates the product of the received commitment 151 and the commitment converted from the value 153. Then, the terminal device 200 compares the calculated product with the commitment 141 registered in the blockchain. If the calculated product and the commitment 141 match, the verification of the commitment is successful. If the calculated product does not match the commitment 141, the commitment verification fails.
- The terminal device 200 determines that the received value 153 is genuine when the verification of the commitment is successful and the verification of the knowledge of the non-disclosure item is successful. On the other hand, if at least one of the verification of the commitment and the verification of the knowledge of the non-disclosure item fails, the terminal device 200 determines that the received value 153 may have been tampered with. The terminal device 200 may execute either the verification of the commitment or the verification of the knowledge of the non-disclosure item first. Further, if one of the two verifications fails, the terminal device 200 does not have to execute the other.
- The verification of the commitment by the terminal device 200 fails. If the commitment 151 is tampered with so that the product matches the commitment 141, the terminal device 100 cannot back-calculate the value of the non-disclosure item such that the commitment 151 is generated, because the commitment is one-way. Therefore, the zero-knowledge proof information 152 consistent with the commitment 151 is not generated, and the proof of knowledge of the non-disclosure item by the terminal device 200 fails. From the above, the authenticity of the value 153 is indirectly confirmed through the verification of the commitment and the verification of the knowledge of the non-disclosure items.
- The terminal device 100 discloses the value of a specific item to the terminal device 200 for proof of a certain fact.
- The terminal device 100 can also use the zero-knowledge proof technique to prove that the value of a specific item satisfies a specific condition without disclosing the value itself. Examples of such proofs are range proofs, which prove that a value belongs to a particular range, and Set Membership proofs, which prove that a value is an element of a particular set.
- FIG. 6 is a diagram showing an example of data used for range certification of non-disclosure items.
- The terminal device 100 conceals the first value, the second value, and the third value among the four values included in the transaction data, and transmits the fourth value to the terminal device 200. Further, the terminal device 100 proves to the terminal device 200 that the third value belongs to a specific range. An example of range proof is given here, but the same applies to Set Membership proof. Further, although the fourth value is disclosed to the terminal device 200 here, none of the four values included in the transaction data may be disclosed to the terminal device 200.
- The terminal device 100 generates commitments 142 to 145 by converting each of the four values included in the transaction data into a commitment.
- The terminal device 100 calculates the product of commitments 142 to 145 as commitment 141.
- The terminal device 100 registers the commitment 141 in the blockchain.
- The terminal device 100 generates zero-knowledge proof information 154 (zero-knowledge proof information π_range) indicating that the value used for the commitment 144 belongs to a specific range, for the third item, which is subject to range certification.
- The zero-knowledge proof information 154 is a set of numerical values generated by a specific algorithm from the value and range information of the third item. Range certification does not require the transmission of the value itself of the item to be certified. If the value used for commitment 144 does not belong to a particular range, zero-knowledge proof information 154 consistent with commitment 144 will not be generated. Thus, the success of a particular verification procedure for commitment 144 and zero-knowledge proof information 154 proves that the value belongs to a particular range.
- The terminal device 100 calculates the product of commitments 142 and 143 as commitment 155 (commitment C_hidden) for the remaining non-disclosure items that are not subject to range certification among the three non-disclosure items. Further, the terminal device 100 generates zero-knowledge proof information 152 indicating that the certifier knows the values of the three non-disclosure items.
- The commitment 155 depends on the value of the first item and the value of the second item.
- The zero-knowledge proof information 152 depends on the value of the first item, the value of the second item, and the value of the third item.
- The terminal device 100 transmits the commitments 144 and 155, the zero-knowledge proof information 152 and 154, and the value 153 to the terminal device 200.
- The terminal device 200 determines the success or failure of the verification of the zero-knowledge proof information 154 by inputting the commitment 144 and the zero-knowledge proof information 154 into the verification function.
- Successful verification of zero-knowledge proof information 154 indicates that the values used for commitment 144 belong to a particular range.
- Failure to verify zero-knowledge proof information 154 indicates that the values used for commitment 144 may not belong to a particular range.
- The terminal device 200 calculates the product of the received commitments 144 and 155. If the commitments 144 and 155 are authentic, the product is the same as the commitment 151 above. The terminal device 200 determines the success or failure of the verification of the zero-knowledge proof information 152 by inputting the calculated product and the zero-knowledge proof information 152 into the verification function. Also, the terminal device 200 converts the received value 153 into a commitment. The terminal device 200 calculates the product of the commitments 144 and 155 and the commitment converted from the value 153, and compares it with the commitment 141 registered in the blockchain.
- The terminal device 200 determines that the received value 153 is genuine and the value subject to range certification belongs to a specific range.
- The success of the above three verifications indicates that the certifier knows the value subject to range certification, the value belongs to a particular range, and the value has not been tampered with.
- The terminal device 200 determines that the received value 153 may have been tampered with or the range verification may have failed.
- The terminal device 200 may execute the above three verifications in any order. Further, if any one of the verifications fails, the terminal device 200 does not have to execute the remaining verifications. When no disclosure item exists, the terminal device 200 may compare the product of the commitments of the non-disclosure items with the commitment 141 of the blockchain.
- FIG. 7 is a diagram showing an example of calculating the product of commitments.
- The product of commitments calculated in the proof example of FIG. 6 will be described.
- The terminal device 200 applies the zero-knowledge proof information 154 to the commitment 144 to verify the range proof that proves that the value of the third item belongs to a specific range.
- The terminal device 200 calculates the product of the commitment 155 and the commitment 144. This product corresponds to the product of commitments 142, 143, 144.
- The terminal device 200 applies the zero-knowledge proof information 152 to the product of the commitments 142, 143, and 144 to verify the knowledge proof that proves that the certifier knows the value of the non-disclosure item.
- The terminal device 200 converts the value 153 into the commitment 145, and calculates the product of the commitment used in the knowledge proof and the commitment 145. This product corresponds to the product of commitments 142, 143, 144, 145.
- The terminal device 200 compares the product of the commitments 142, 143, 144, 145 with the commitment 141 registered in the blockchain to verify the authenticity.
- The product of the vectors a and b is defined as in the equation (1).
- The product of the vectors a and b is a vector generated by calculating the product of the elements a_i and b_i for each dimension.
- The b-th power of a is defined as in the mathematical formula (2).
- The b-th power of a is a scalar value generated by calculating the b_i-th power of a_i for each dimension and calculating the product of all the dimensions.
- The inner product of the vectors a and b is defined as in the mathematical formula (3).
- The inner product of the vectors a and b is a scalar value generated by calculating the product of a_i and b_i for each dimension and calculating the sum of all the dimensions.
- The database server 41 defines the parameter group shown in the formula (4).
- This parameter group is public information disclosed to the terminal devices 100 and 200.
- The parameter group includes p, n' values g_i, n' values h_i, and u.
- The database server 41 receives the security parameter λ from the administrator of the information processing system, and selects a prime number q that satisfies the condition shown in the equation (4) based on the security parameter λ.
- The database server 41 generates a group G_q having a prime number q as an order, and selects g_i, h_i, u from the group G_q.
- The group G_q is, for example, a set of natural numbers less than q. n' is an integer equal to or greater than the maximum number of items that can be included in the transaction data, and is specified by the administrator. Further, the database server 41 selects the prime number p.
- When the transaction data includes n items, the terminal device 100 generates the vectors g and h shown in the mathematical formula (5) based on the above parameters.
- The vector g is a vector in which n of the g_i included in the parameter group are listed from the smallest subscript.
- The vector h is a vector in which n of the h_i included in the parameter group are listed from the smallest subscript.
- The terminal device 100 generates a set Z_p having a prime number p as an order, and selects n random numbers from the set Z_p.
- The set Z_p is, for example, a set of natural numbers less than p.
- The prime number p may be the same as the prime number q, and the set Z_p may be the same as the group G_q.
- The terminal device 100 enumerates n random numbers and generates the vector r shown in the equation (6).
- The terminal device 100 generates a vector v in which the values included in the transaction data are listed in ascending order of the item numbers. Then, the terminal device 100 generates the commitment C registered in the blockchain as in the mathematical formula (7) based on the vectors g, h, v, and r. Commitment C is the product of g to the v-th power and h to the r-th power. From the above definition of exponentiation and product, commitment C can also be generated by calculating the product of g_i to the power of v_i and h_i to the power of r_i as a commitment for each item, and calculating the product of the commitments of n items.
- The terminal device 100 registers the commitment C in the blockchain in association with the transaction ID. Further, the terminal device 100 stores the vector r as confidential information. It is difficult to infer the vectors v and r from the commitment C.
- When transmitting the certification information from the terminal device 100 to the terminal device 200, the terminal device 100 accepts the designation of the disclosure item, the range certification item, and the Set Membership certification item from the certifier who has knowledge of the transaction data. However, there may be no disclosure item. Further, there may be no range proof item. In addition, there may be no Set Membership certification item. If a range proof item exists, the certifier also specifies the minimum and maximum values for the range. If a Set Membership certification item exists, the set of candidate values is also specified by the certifier.
- The terminal device 100 generates the commitment C_hidden shown in the equation (8) based on the vectors g, h, v, r and the parameter u.
- The vector v' is the vector v minus the values of the disclosed items, and is a vector in which the values of the non-disclosure items are listed.
- The vector r' is the vector r minus the random numbers for the disclosed items, and is a vector in which the random numbers for the non-disclosure items are listed.
- The auxiliary information c is an inner product of the vectors v' and r'. Commitment C_hidden corresponds to the product of the commitments of the non-disclosure items and the modification term u^c.
- The terminal device 100 generates the zero-knowledge proof information π_hidden corresponding to the commitment C_hidden by the function ProveInnerProduct.
- The function ProveInnerProduct generates zero-knowledge proof information π_hidden, which is a set of numerical values, from the vectors v', r' used for the commitment C_hidden.
- The zero-knowledge proof information π_hidden is information for proving that the certifier knows all the values of the non-disclosure items and the random numbers for the non-disclosure items used in the above-mentioned commitment C_hidden.
- When a range proof item exists, the terminal device 100 generates the commitment C_range,j shown in the formula (10) for each range proof item.
- Commitment C_range,j is the commitment of the range proof item j, which is the product of g_j to the v_j-th power and h_j to the r_j-th power.
- When a range proof item exists, the terminal device 100 generates the zero-knowledge proof information π_range,j corresponding to the commitment C_range,j by the function ProveRangeProof, as shown in the mathematical formula (11).
- The function ProveRangeProof generates zero-knowledge proof information π_range,j, which is a set of numerical values, from v_j, r_j used for the commitment C_range,j, and the minimum value min_j and the maximum value max_j of the range.
- Zero-knowledge proof information π_range,j is information for proving that v_j is equal to or greater than the minimum value min_j and is equal to or less than the maximum value max_j.
- When a Set Membership certification item exists, the terminal device 100 generates the commitment C_set,k shown in the formula (12) for each Set Membership certification item.
- Commitment C_set,k is the commitment of the Set Membership certification item k.
- When a Set Membership certification item exists, the terminal device 100 generates zero-knowledge proof information π_set,k corresponding to the commitment C_set,k by the function ProveSetProof, as shown in the mathematical formula (13).
- The function ProveSetProof generates zero-knowledge proof information π_set,k, which is a set of numerical values, from v_k, r_k used for commitment C_set,k, and a set set_k of candidate values.
- The zero-knowledge proof information π_set,k is information for proving that v_k used for the commitment C_set,k is included in the set set_k.
- The terminal device 100 deducts the commitment C_range,j of each range certification item from the above-mentioned commitment C_hidden.
- The terminal device 100 divides C_hidden by C_range,j.
- The terminal device 100 deducts the commitment C_set,k of each Set Membership certification item from the above-mentioned commitment C_hidden.
- The terminal device 100 divides C_hidden by C_range,j. Therefore, the commitment C_hidden is modified as shown in equation (14).
- The terminal device 100 may generate the commitment C_hidden by calculating the product of the commitments of the remaining non-disclosure items excluding the range certification item and the Set Membership certification item.
- The terminal device 100 transmits the certification information to the terminal device 200.
- The proof information includes a transaction ID that identifies the transaction data, a commitment C_hidden, zero-knowledge proof information π_hidden, and auxiliary information c. If a disclosure item is present, the proof information includes the disclosure item value v_rev and the random number r_rev for the disclosure item. If a range proof item is present, the proof information includes commitment C_range,j, zero-knowledge proof information π_range,j, minimum value min_j, and maximum value max_j. If a Set Membership item is present, the proof information includes the commitment C_set,k, the zero-knowledge proof information π_set,k, and the set of candidate values set_k. The proof information may include commitment C.
- The terminal device 200 receives the certification information from the terminal device 100. Then, the terminal device 200 reads the commitment C corresponding to the transaction ID from the blockchain. Next, when a range proof item exists, the terminal device 200 verifies the zero-knowledge proof information π_range,j by the function VerifyRangeProof as shown in the mathematical formula (15).
- The function VerifyRangeProof generates the verification result proof_range,j from the commitment C_range,j, the zero-knowledge proof information π_range,j, the minimum value min_j, and the maximum value max_j.
- The verification result proof_range,j is a flag indicating true or false.
- The terminal device 200 verifies the zero-knowledge proof information π_set,k by the function VerifySetProof as shown in the mathematical formula (16).
- The function VerifySetProof generates the verification result proof_set,k from the commitment C_set,k, the zero-knowledge proof information π_set,k, and the set set_k.
- The verification result proof_set,k is a flag indicating true or false.
- The terminal device 200 multiplies the received commitment C_hidden by the commitment C_range,j of each range certification item. Further, when a Set Membership certification item exists, the terminal device 200 multiplies the received commitment C_hidden by the commitment C_set,k of each Set Membership certification item. Therefore, the commitment C_hidden is modified as shown in equation (17).
- The terminal device 200 verifies the zero-knowledge proof information π_hidden by the function VerifyInnerProduct as shown in the mathematical formula (18).
- The function VerifyInnerProduct generates the verification result proof_hidden from the modified commitment C_hidden and the received zero-knowledge proof information π_hidden.
- The verification result proof_hidden is a flag indicating true or false.
- A proof_hidden of true indicates that the verification is successful, that is, the certifier knows all the values of the non-disclosure items and the random numbers for the non-disclosure items.
- A proof_hidden of false indicates that the verification fails, that is, the certifier does not know all the values of the non-disclosure items and the random numbers for the non-disclosure items.
- When a disclosure item exists, the terminal device 200 generates the disclosure item commitment C_rev from the received disclosure item value v_rev and the random number r_rev for the disclosure item. Then, as shown in the formula (19), the terminal device 200 calculates the product of the commitments C_hidden and C_rev and the modification term u^{-c}, and compares it with the commitment C of the blockchain. The reason for multiplying by the modification term u^{-c} is to eliminate the modification term u^c in the equation (8). If the calculated product matches commitment C, the commitment verification is successful. If the calculated product does not match commitment C, the commitment verification fails.
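The disclosure flow of FIG. 5 and the protocol described around formulas (7), (8) and (19), as an added Python example that is not code from the patent. The functions ProveInnerProduct and VerifyInnerProduct are replaced here by a simpler Schnorr-style proof of knowledge of the openings (it does not prove that c is the inner product of v' and r'); the demo-sized group, the hash-derived generators, all function names and the sample values are assumptions.

```python
import hashlib
import secrets

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; used only to build the demo group below."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Assumed demo group: order-Q subgroup of Z_P^*, P = K*Q + 1 (far too small for real use).
Q = 2**127 - 1
K = 2
while not is_probable_prime(K * Q + 1):
    K += 2
P = K * Q + 1

def generator(label):
    """Hash a label into the subgroup so that no discrete-log relation is known."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha512(f"{label}/{ctr}".encode()).digest(), "big") % P
        g = pow(x, K, P)
        if g > 1:
            return g
        ctr += 1

N_MAX = 4  # n' on the page: maximum number of items
G = [generator(f"g{i}") for i in range(N_MAX)]
H = [generator(f"h{i}") for i in range(N_MAX)]
U = generator("u")

def commit(i, v, r):
    """Per-item Pedersen commitment g_i^v * h_i^r."""
    return pow(G[i], v, P) * pow(H[i], r, P) % P

def product(items):
    """Product of the per-item commitments for an iterable of (i, v, r)."""
    out = 1
    for i, v, r in items:
        out = out * commit(i, v, r) % P
    return out

def challenge(*parts):
    """Fiat-Shamir challenge binding the statement and the prover's first message."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def register(values):
    """Prover: commitment C for the blockchain plus the secret random vector r."""
    rs = [secrets.randbelow(Q) for _ in values]
    return product((i, v, rs[i]) for i, v in enumerate(values)), rs

def make_proof(values, rs, reveal):
    """Prover: proof information for the disclosure items listed in `reveal`."""
    hidden = [i for i in range(len(values)) if i not in reveal]
    c = sum(values[i] * rs[i] for i in hidden) % Q  # auxiliary information c
    c_hidden = product((i, values[i], rs[i]) for i in hidden) * pow(U, c, P) % P
    nonces = {i: (secrets.randbelow(Q), secrets.randbelow(Q)) for i in hidden}
    t = product((i, a, b) for i, (a, b) in nonces.items())
    e = challenge(c_hidden, c, hidden, t)
    resp = {i: ((a + e * values[i]) % Q, (b + e * rs[i]) % Q) for i, (a, b) in nonces.items()}
    return {"C_hidden": c_hidden, "c": c, "pi": (t, resp),
            "revealed": {i: (values[i], rs[i]) for i in reveal}}

def verify(C, n, proof):
    """Verifier: returns (knowledge_ok, commitment_ok); both must be True."""
    revealed = proof["revealed"]
    hidden = [i for i in range(n) if i not in revealed]
    core = proof["C_hidden"] * pow(U, -proof["c"] % Q, P) % P  # multiply by u^-c
    t, resp = proof["pi"]
    e = challenge(proof["C_hidden"], proof["c"], hidden, t)
    knowledge_ok = (sorted(resp) == hidden and
                    product((i, a, b) for i, (a, b) in resp.items()) == t * pow(core, e, P) % P)
    c_rev = product((i, v, r) for i, (v, r) in revealed.items())
    return knowledge_ok, C == core * c_rev % P

if __name__ == "__main__":
    values = [20201231, 4500, 37, 1200]  # constructed transaction data, 4 items
    C, rs = register(values)
    print(verify(C, 4, make_proof(values, rs, reveal=[3])))
```

A changed disclosed value fails the commitment comparison, and a C_hidden recomputed to make the product match again fails the knowledge proof, which is the two-sided argument the FIG. 5 passage makes.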
- The commitment adopted above may be called the Pedersen commitment.
- The Pedersen commitment is also described, for example, in the following literature. Torben Pryds Pedersen, "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing", Proc. of the 11th Annual International Cryptology Conference (CRYPTO '91), pp. 129-140, August 11, 1991.
- Zero-knowledge proof for the product of commitments is used.
- The zero-knowledge proof for the product of commitments is described, for example, in the following literature. Benedikt Bunz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille and Greg Maxwell, "Bulletproofs: Short Proofs for Confidential Transactions and More", Proc. of the 2018 IEEE , 2018.
- The Set Membership certification is also described in the following documents, for example. Daniel Benarroch, Matteo Campanelli, Dario Fiore, Kobi Gurkan and Dimitris Kolonelos, "Zero-Knowledge Proofs for Set Membership: Efficient, Succinct, Modular", Cryptology ePrint Archive, 2019.
- The terminal device 100 generates a single piece of zero-knowledge proof information, for the product of the commitments of two or more non-disclosure items, to prove that it has knowledge of the values of those two or more non-disclosure items. Therefore, the terminal device 100 can reduce the amount of data of the certification information as compared with the case where the commitment and the zero-knowledge proof information are transmitted for each non-disclosure item. For example, the terminal device 100 can suppress the data amount of zero-knowledge proof information to 2 log_2(2m) + 9 with respect to the number m of non-disclosure items.
- FIG. 8 is a block diagram showing a functional example of the information processing system.
- The database server 41 has a parameter generation unit 411, a parameter storage unit 412, and a blockchain storage unit 413.
- The parameter storage unit 412 and the blockchain storage unit 413 are implemented using, for example, a storage area of a RAM or an HDD.
- The parameter generation unit 411 is implemented by using, for example, a CPU and a program.
- The parameter generation unit 411 receives the security parameter λ from the administrator of the information processing system. For safety, the security parameter λ may be changed periodically. The parameter generation unit 411 generates the above-mentioned parameter group based on the received security parameter λ and stores it in the parameter storage unit 412 as public information.
- The parameter storage unit 412 stores the parameter group including the above-mentioned p, g_i, h_i, and u as public information.
- The terminal devices 100 and 200 can read the parameter group from the parameter storage unit 412.
- The blockchain storage unit 413 stores a blockchain having the structure described above.
- The database server 42 also stores the same blockchain as the database server 41.
- The terminal device 100 can register the commitment in the blockchain in association with the transaction ID.
- The terminal device 200 can read the commitment corresponding to a specific transaction ID from the blockchain.
- The terminal device 100 has a blockchain registration unit 121, a transaction data storage unit 122, a certification information generation unit 123, and a certification information storage unit 124.
- The transaction data storage unit 122 and the certification information storage unit 124 are implemented using, for example, the storage area of the RAM 102 or the HDD 103.
- The blockchain registration unit 121 and the certification information generation unit 123 are implemented by using the CPU 101 and a program.
- The blockchain registration unit 121 reads the parameter group from the database server 41.
- The blockchain registration unit 121 generates a random number, and generates the above-mentioned commitment C from the random number and the transaction data stored in the transaction data storage unit 122.
- The blockchain registration unit 121 registers the transaction ID and the commitment C in the blockchain. Further, the blockchain registration unit 121 stores the generated random numbers in the transaction data storage unit 122.
- The transaction data storage unit 122 stores the transaction data possessed by the certifier. A transaction ID is attached to the transaction data. Further, the transaction data storage unit 122 stores random numbers as confidential information. The transaction data storage unit 122 may store the commitment C.
- The certification information generation unit 123 generates the above-mentioned certification information in response to a request from the certifier, and stores the generated certification information in the certification information storage unit 124. Further, the certification information generation unit 123 transmits the generated certification information to the terminal device 200.
- The certification information generation unit 123 accepts the designation of the disclosure item, the range certification item, and the Set Membership certification item from the certifier.
- The certification information generation unit 123 reads transaction data and random numbers from the transaction data storage unit 122, and reads parameter groups from the database server 41.
- The certification information generation unit 123 generates commitment and zero-knowledge proof information for knowledge proof of non-disclosure items, commitment and zero-knowledge proof information for range proof, and commitment and zero-knowledge proof information for Set Membership proof.
- The certification information storage unit 124 stores the generated certification information.
- The certification information may be deleted from the certification information storage unit 124 after being transmitted to the terminal device 200.
- The terminal device 200 has a verification unit 221 and a verification result storage unit 222.
- The verification result storage unit 222 is implemented using, for example, a storage area of a RAM or an HDD.
- The verification unit 221 is implemented using, for example, a CPU and a program.
- The verification unit 221 receives the certification information from the terminal device 100 and reads out the parameter group from the database server 41.
- The verification unit 221 verifies the certification information and stores the verification result in the verification result storage unit 222. Further, the verification unit 221 displays the verification result on the display device.
- The verification result is valid, which indicates success of verification, or invalid, which indicates failure of verification. In the case of verification failure, the verification result may include information on the cause of the failure. If the verification is successful, the verification result may include the value of the disclosure item, the range information of the range certification, and the set information of the Set Membership certification.
- The verification unit 221 verifies that the value of the range proof item belongs to a specific range from the commitment of the range proof and the zero-knowledge proof information. Further, the verification unit 221 verifies that the value of the Set Membership certification item is included in a specific set from the commitment of the Set Membership certification and the zero-knowledge proof information. In addition, the verification unit 221 verifies that the certifier knows the value of the non-disclosure item from the knowledge proof commitment and the zero-knowledge proof information. Further, the verification unit 221 reads the commitment C corresponding to the transaction ID from the database server 41 and determines whether or not it matches the commitment derived from the proof information.
- The verification result storage unit 222 stores the generated verification result.
- The verification result may be deleted from the verification result storage unit 222 after the verifier confirms the verification result.
- FIG. 9 is a diagram showing an example of data stored in the database server and the terminal device.
- The parameter storage unit 412 stores the parameter group.
- The parameter group includes p, g_1, ..., g_n', h_1, ..., h_n', u.
- The blockchain storage unit 413 stores the transaction ID and the commitment C in association with each other.
- The transaction data storage unit 122 stores the transaction ID and the transaction data.
- The transaction data includes values v_1, ..., v_n corresponding to n items.
- The transaction data includes item numbers and item names of n items.
- The transaction data storage unit 122 stores random numbers r_1, ..., r_n corresponding to n items.
- The certification information storage unit 124 stores the certification information.
- The proof information includes transaction ID, commitment C_hidden, zero-knowledge proof information π_hidden and auxiliary information c. If a disclosure item is present, the proof information includes the disclosure item value v_rev and the random number r_rev for the disclosure item. If a range proof item is present, the proof information includes commitment C_range,j, zero-knowledge proof information π_range,j, minimum value min_j, and maximum value max_j. If a Set Membership proof item is present, the proof information includes the commitment C_set,k, the zero-knowledge proof information π_set,k, and the set set_k.
- FIG. 10 is a flowchart showing an example of a procedure for generating certification information.
- the blockchain registration unit 121 acquires a public parameter group.
- the blockchain registration unit 121 generates random numbers for the number of items included in the transaction data based on the acquired parameter group.
- the blockchain registration unit 121 generates a commitment from each of the values included in the transaction data, and generates a commitment C as the product of those commitments.
- the blockchain registration unit 121 transmits the transaction ID and the commitment C to the database server 41 and registers them in the blockchain. Further, the blockchain registration unit 121 stores the random number generated in step S11 as secret information.
- the certification information generation unit 123 receives from the certifier the designation of the disclosure item, the range certification item, and the Set Membership certification item among the plurality of items included in the transaction data. The certification information generation unit 123 further accepts the designation of the minimum value and the maximum value of the numerical range for the range certification item, and further accepts the designation of the set of candidate values for the Set Membership certification item.
- the certification information generation unit 123 generates auxiliary information c from the values and random numbers of the non-disclosure items, and generates the commitment C_hidden from the values and random numbers of the non-disclosure items and the auxiliary information c.
- the certification information generation unit 123 generates zero-knowledge proof information π_hidden for the commitment C_hidden from the values and random numbers of the non-disclosure items.
- Zero-knowledge proof information π_hidden is information for proving that the certifier knows all the values and random numbers of the non-disclosure items.
- (S16) When a range certification item exists, the certification information generation unit 123 generates the commitment C_range,j from the value and the random number of the range certification item j.
- (S17) When a range certification item exists, the certification information generation unit 123 generates zero-knowledge proof information π_range,j for the commitment C_range,j from the value and the random number of the range certification item j and the minimum and maximum values of the range. Zero-knowledge proof information π_range,j is information for proving that the value of the range certification item belongs to the numerical range defined by the minimum value and the maximum value.
- (S18) When a Set Membership certification item exists, the certification information generation unit 123 generates the commitment C_set,k from the value and the random number of the Set Membership certification item k.
- (S19) When a Set Membership certification item exists, the certification information generation unit 123 generates zero-knowledge proof information π_set,k for the commitment C_set,k from the value and the random number of the Set Membership certification item k and the set of candidate values. Zero-knowledge proof information π_set,k is information for proving that the value of the Set Membership certification item is included in the specified set.
- the certification information generation unit 123 divides the commitment C_hidden by the commitment C_range,j of the range certification item j and the commitment C_set,k of the Set Membership certification item k, so that C_range,j and C_set,k are deducted from C_hidden.
- the deduction of commitment C_range,j may be executed in step S16 or step S17.
- the deduction of commitment C_set,k may be performed in step S18 or step S19.
- the certification information generation unit 123 generates proof information that includes the transaction ID, the auxiliary information c, the commitments C_hidden, C_range,j, and C_set,k, the zero-knowledge proof information π_hidden, π_range,j, and π_set,k, the values of the disclosure items, the random numbers for the disclosure items, the minimum value, the maximum value, and the set of candidate values.
- the certification information generation unit 123 transmits the certification information to the terminal device 200 of the verifier.
- the terminal device 100 and the terminal device 200 may communicate directly with each other or may communicate with each other via another information processing device.
- FIG. 11 is a flowchart showing an example of a procedure for verifying certification information.
- the verification unit 221 receives the certification information from the terminal device 100 of the certifier.
- the verification unit 221 accesses the database server 41 and acquires the commitment C corresponding to the transaction ID included in the proof information from the blockchain.
- the verification unit 221 verifies, from the commitment C_range,j, the zero-knowledge proof information π_range,j, the minimum value, and the maximum value included in the proof information, that the value of the range proof item j belongs to a specific numerical range.
- the verification unit 221 verifies, from the commitment C_set,k, the zero-knowledge proof information π_set,k, and the set of candidate values included in the proof information, that the value of the Set Membership certification item k is an element of a specific set.
- the verification unit 221 corrects C_hidden by multiplying the commitment C_hidden by the commitment C_range,j and the commitment C_set,k.
- the verification unit 221 verifies that the certifier knows all the values and random numbers of the non-disclosure items from the corrected commitment C_hidden and the zero-knowledge proof information π_hidden.
- when a disclosure item exists, the verification unit 221 generates a disclosure-item commitment C_rev from the disclosure item value and the random number included in the proof information. The verification unit 221 further multiplies the commitment C_hidden by the commitment C_rev and the correction term u^-c.
- the verification unit 221 compares the product of the commitments generated in step S36 with the commitment C of the blockchain, and verifies the agreement between the two.
- the verification unit 221 determines whether the verifications in steps S32, S33, S35, and S37 are all successful. If all the verifications are successful, the process proceeds to step S39. If at least one verification fails, the process proceeds to step S40.
- the verification unit 221 determines that the content presented by the certifier is genuine. For example, the verification unit 221 determines that the value of the disclosure item, the value of the non-disclosure range certification item, or the value of the non-disclosure Set Membership certification item is genuine. Then, the process proceeds to step S41.
- the verification unit 221 determines that the content presented by the certifier is invalid. For example, the verification unit 221 determines that the value of the disclosure item, the value of the non-disclosure range certification item, or the value of the non-disclosure Set Membership certification item is not genuine.
- the verification unit 221 displays the verification result of step S39 or step S40 on the display device connected to the terminal device 200. If the verification result is successful and the disclosure item exists, the verifier may visually confirm whether the value of the disclosure item satisfies a specific condition. If the verifier finds that the value of a certain item satisfies a specific condition, the verifier may perform an operation for administrative procedures such as an approval procedure and a settlement procedure on the terminal device 200.
- the terminal device 100 registered the commitment C in the blockchain, but another information processing device may register the commitment C in the blockchain.
- the database server 41 may register the commitment C in the blockchain.
- FIG. 12 is a block diagram showing another functional example of the information processing system. Modifications of the information processing system include a database server 41a corresponding to the database server 41 and a terminal device 100a corresponding to the terminal device 100.
- the database server 41a has a parameter generation unit 411, a parameter storage unit 412, a blockchain storage unit 413, and a blockchain registration unit 414.
- the blockchain registration unit 414 receives the transaction ID and transaction data. Then, the blockchain registration unit 414 generates a commitment C from the transaction data in the same manner as the blockchain registration unit 121, and registers the transaction ID and the commitment C in the blockchain. Further, the blockchain registration unit 414 transmits the transaction ID, the transaction data, and the random number used for the commitment C to the terminal device 100a.
- the terminal device 100a has a transaction data storage unit 122, a certification information generation unit 123, a certification information storage unit 124, and a transaction data reception unit 125.
- the transaction data receiving unit 125 receives the transaction ID, the transaction data, and the random number from the database server 41a.
- the transaction data receiving unit 125 stores the transaction ID, the transaction data, and the random number in the transaction data storage unit 122.
- the database server 41a may further transmit the commitment C to the terminal device 100a.
- the blockchain is used for verifying the authenticity of the transaction data. Therefore, the reliability of the information transmitted from the certifier to the verifier is improved.
- the commitment generated from the transaction data is registered in the blockchain instead of the transaction data itself. This keeps the transaction data from being widely disclosed and protects the confidential information it contains.
- when proving that the value of a specific item in the transaction data satisfies a specific condition, the certifier can conceal the values of the other items. Therefore, the risk that the confidential information contained in the transaction data is leaked to the verifier is reduced. In addition, the zero-knowledge proof information, which proves that the certifier knows the values of the non-disclosure items, is used to prove that the value of a specific item has not been tampered with. Therefore, the reliability of the information transmitted from the certifier to the verifier is improved. In addition, by using range proofs and Set Membership proofs, which are types of zero-knowledge proof technology, the certifier can conceal the value of a specific item while proving that the value satisfies a specific condition. Therefore, the risk of leakage of confidential information is further reduced.
- the commitment to the whole of a plurality of items is defined as the product of the commitments for each item.
- a single commitment and a single piece of zero-knowledge proof information are used to prove knowledge of the values of two or more non-disclosure items. Therefore, the certifier can generate zero-knowledge proof information with a data size of O(log_2 m) for m non-disclosure items, which is smaller than when zero-knowledge proof information is generated for each item.
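The registration, proof generation and verification flow described above, with one item disclosed, as an added Python sketch (not code from the patent). It assumes item commitments of the form g_i^v_i · h_i^r_i, auxiliary information c = ⟨v, r⟩ over the hidden items, and a Bulletproofs-style inner-product argument as the knowledge proof π_hidden, which is what gives the O(log m) proof size. The hash-derived generators, the toy group and all function names are assumptions, and range and Set Membership proofs are left out.

```python
import hashlib
import secrets
from math import prod

# Toy 10-bit group constructed for this example (no security): P = 2Q + 1, both prime.
P, Q = 2039, 1019

def gen(label, i=0):
    """Hash-derived generator (assumption): no discrete-log relation is known."""
    d = hashlib.sha256(f"{label}|{i}".encode()).digest()
    return pow(int.from_bytes(d, "big") % (P - 3) + 2, 2, P)

U = gen("u")

def H(*parts):
    """Fiat-Shamir challenge in 1..Q-1, so it is always invertible mod Q."""
    d = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def msm(bases, exps):
    return prod(pow(b, e % Q, P) for b, e in zip(bases, exps)) % P

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def fold(g, h, x):
    n, xi = len(g) // 2, pow(x, -1, Q)
    g2 = [pow(lo, xi, P) * pow(hi, x, P) % P for lo, hi in zip(g[:n], g[n:])]
    h2 = [pow(lo, x, P) * pow(hi, xi, P) % P for lo, hi in zip(h[:n], h[n:])]
    return g2, h2, xi

def ipa_prove(g, h, a, b, t):
    """Knowledge of a, b with C = g^a h^b U^<a,b>: log2(len(a)) pairs (L, R)."""
    rounds = []
    while len(a) > 1:
        n = len(a) // 2
        L = msm(g[n:] + h[:n] + [U], a[:n] + b[n:] + [dot(a[:n], b[n:])])
        R = msm(g[:n] + h[n:] + [U], a[n:] + b[:n] + [dot(a[n:], b[:n])])
        x = t = H(t, L, R)
        g, h, xi = fold(g, h, x)
        a = [(lo * x + hi * xi) % Q for lo, hi in zip(a[:n], a[n:])]
        b = [(lo * xi + hi * x) % Q for lo, hi in zip(b[:n], b[n:])]
        rounds.append((L, R))
    return rounds, a[0], b[0]

def ipa_verify(g, h, C, proof, t):
    rounds, a, b = proof
    for L, R in rounds:
        x = t = H(t, L, R)
        g, h, xi = fold(g, h, x)
        C = pow(L, x * x % Q, P) * C * pow(R, xi * xi % Q, P) % P
    return len(g) == 1 and C == msm([g[0], h[0], U], [a, b, a * b])

def commit_item(i, v, r):
    return pow(gen("g", i), v % Q, P) * pow(gen("h", i), r % Q, P) % P

def register(values):
    """Certifier: one random number per item; C is the product of item commitments."""
    rs = [secrets.randbelow(Q) for _ in values]
    return prod(commit_item(i, v, r) for i, (v, r) in enumerate(zip(values, rs))) % P, rs

def hidden_bases(n_items, disclosed):
    """Hidden items' generators only, padded to 2^k with spare indices >= n_items."""
    idx = [i for i in range(n_items) if i not in disclosed]
    while len(idx) & (len(idx) - 1):
        idx.append(n_items + len(idx))
    return idx, [gen("g", i) for i in idx], [gen("h", i) for i in idx]

def prove(tx_id, values, rs, disclosed):
    idx, g, h = hidden_bases(len(values), disclosed)
    a = [values[i] % Q if i < len(values) else 0 for i in idx]
    b = [rs[i] if i < len(values) else 0 for i in idx]
    c = dot(a, b)  # auxiliary information c, assumed here to be <v, r>
    C_hidden = msm(g + h + [U], a + b + [c])
    pi = ipa_prove(g, h, a, b, H(tx_id, C_hidden, c))
    return {"tx": tx_id, "C_hidden": C_hidden, "c": c, "pi": pi,
            "rev": {i: (values[i], rs[i]) for i in disclosed}}

def verify(proof, C_chain, n_items):
    _, g, h = hidden_bases(n_items, proof["rev"])
    t = H(proof["tx"], proof["C_hidden"], proof["c"])
    C_rev = prod(commit_item(i, v, r) for i, (v, r) in proof["rev"].items()) % P
    opened = proof["C_hidden"] * C_rev * pow(U, -proof["c"] % Q, P) % P  # C_hidden * C_rev * u^-c
    return ipa_verify(g, h, proof["C_hidden"], proof["pi"], t) and opened == C_chain
```

The knowledge proof runs over the hidden items' generators only, so a value cannot be moved between the hidden part and a disclosed item without breaking the comparison with the registered commitment C. The plain inner-product argument used here is not blinded; it illustrates the proof size and the verification algebra.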
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
Description
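The above and other objects, features, and advantages of the present invention will become apparent from the following description taken in conjunction with the accompanying drawings, which represent preferred embodiments as examples of the present invention.
[First Embodiment]
The first embodiment will be described.
The information processing system of the first embodiment includes information processing apparatuses 10 and 20 and a database 30. The information processing apparatus 10 is a transmitting apparatus that transmits proof information for proving the authenticity of data, that is, that the data has not been tampered with. The information processing apparatus 20 is a verification apparatus that receives the proof information and verifies the authenticity of the data. Each of the information processing apparatuses 10 and 20 may be a terminal device operated by a user or may be a server device.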
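Next, the second embodiment will be described.
FIG. 2 is a diagram showing an example of the information processing system of the second embodiment.
The terminal device 100 has a CPU 101, a RAM 102, an HDD 103, a GPU 104, an input interface 105, a medium reader 106, and a communication interface 107. These hardware units are connected to a bus. The CPU 101 corresponds to the processing unit 12 of the first embodiment. The RAM 102 or the HDD 103 corresponds to the storage unit 11 of the first embodiment. The communication interface 107 corresponds to the communication unit 13 of the first embodiment.
The blockchain managed by the database servers 41 and 42 includes a plurality of linearly linked blocks. A new block is appended to the end of the blockchain. As an example, the blockchain includes blocks 131, 132, and 133. Block 131 is the block immediately preceding block 132. Block 133 is the block immediately following block 132. Block 132 includes body data 134, a previous-block hash value 135, and a nonce value 136.
The commitment registered in the blockchain is a numerical value generated from the entire transaction data in order to efficiently ensure the reliability of the transaction data. If the terminal device 100 transmits the entire transaction data to the terminal device 200, the terminal device 200 can verify the authenticity of the received transaction data by converting it into a commitment and checking it against the blockchain. However, the terminal device 100 may not want to transmit at least some of the values included in the transaction data to the terminal device 200. Therefore, the information processing system of the second embodiment realizes a proof in which at least some of the values are concealed.
Here, the terminal device 100 conceals the first, second, and third values of the four values included in the transaction data and transmits the fourth value to the terminal device 200. However, merely transmitting the fourth value to the terminal device 200 does not allow the terminal device 100 to prove that the transmitted fourth value is a genuine value included in the transaction data. Therefore, the terminal device 100 generates the commitment to be registered in the blockchain by a specific method and, in addition to the fourth value, transmits information for proving the authenticity of the fourth value to the terminal device 200.
Here, the terminal device 100 conceals the first, second, and third values of the four values included in the transaction data and transmits the fourth value to the terminal device 200. In addition, the terminal device 100 proves to the terminal device 200 that the third value belongs to a specific range. Although a range proof is used as the example here, the same applies to a Set Membership proof. Also, although the fourth value is disclosed to the terminal device 200 here, it is also possible to disclose none of the four values included in the transaction data to the terminal device 200.
Here, the product of commitments calculated in the proof example of FIG. 6 is described. As described above, the terminal device 200 applies the zero-knowledge proof information 154 to the commitment 144 to verify the range proof, which proves that the value of the third item belongs to a specific range. Next, the terminal device 200 calculates the product of the commitment 155 and the commitment 144. This product corresponds to the product of the commitments 142, 143, and 144. The terminal device 200 applies the zero-knowledge proof information 152 to the product of the commitments 142, 143, and 144 to verify the knowledge proof, which proves that the certifier knows the values of the non-disclosure items.
Next, when a range proof item exists, the terminal device 200 verifies the zero-knowledge proof information π_range,j with the function VerifyRangeProof, as shown in equation (15). The function VerifyRangeProof generates a verification result proof_range,j from the commitment C_range,j, the zero-knowledge proof information π_range,j, the minimum value min_j, and the maximum value max_j. The verification result proof_range,j is a flag indicating true or false. proof_range,j = true indicates that the verification succeeded, that is, that the value of the range proof item belongs to the specific range. proof_range,j = false indicates that the verification failed, that is, that the value of the range proof item cannot be said to belong to the specific range.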
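FIG. 8 is a block diagram showing a functional example of the information processing system.
The database server 41 has a parameter generation unit 411, a parameter storage unit 412, and a blockchain storage unit 413. The parameter storage unit 412 and the blockchain storage unit 413 are implemented using, for example, a storage area of a RAM or an HDD. The parameter generation unit 411 is implemented using, for example, a CPU and a program.
The terminal device 200 has a verification unit 221 and a verification result storage unit 222. The verification result storage unit 222 is implemented using, for example, a storage area of a RAM or an HDD. The verification unit 221 is implemented using, for example, a CPU and a program.
FIG. 9 is a diagram showing an example of data stored in the database server and the terminal device.
(S10) The blockchain registration unit 121 acquires a public parameter group.
(S11) The blockchain registration unit 121 generates, based on the acquired parameter group, as many random numbers as there are items in the transaction data.
(S15) The certification information generation unit 123 generates zero-knowledge proof information π_hidden for the commitment C_hidden from the values and random numbers of the non-disclosure items. The zero-knowledge proof information π_hidden is information for proving that the certifier knows all the values and random numbers of the non-disclosure items.
(S17) When a range certification item exists, the certification information generation unit 123 generates zero-knowledge proof information π_range,j for the commitment C_range,j from the value and the random number of the range certification item j and the minimum and maximum values of the range. The zero-knowledge proof information π_range,j is information for proving that the value of the range certification item belongs to the numerical range defined by the minimum value and the maximum value.
(S19) When a Set Membership certification item exists, the certification information generation unit 123 generates zero-knowledge proof information π_set,k for the commitment C_set,k from the value and the random number of the Set Membership certification item k and the set of candidate values. The zero-knowledge proof information π_set,k is information for proving that the value of the Set Membership certification item is included in the specified set.
(S30) The verification unit 221 receives the proof information from the terminal device 100 of the certifier.
(S31) The verification unit 221 accesses the database server 41 and acquires the commitment C corresponding to the transaction ID included in the proof information from the blockchain.
(S35) The verification unit 221 verifies that the certifier knows all the values and random numbers of the non-disclosure items from the corrected commitment C_hidden and the zero-knowledge proof information π_hidden.
(S38) The verification unit 221 determines whether the verifications in steps S32, S33, S35, and S37 have all succeeded. If all the verifications have succeeded, the process proceeds to step S39. If at least one verification has failed, the process proceeds to step S40.
A modification of the information processing system includes a database server 41a corresponding to the database server 41 and a terminal device 100a corresponding to the terminal device 100.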
11 Storage unit
12, 22 Processing unit
13, 21 Communication unit
14 Data
15a, 15b, 16 Item value
17, 23, 31 Commitment
18 Zero-knowledge proof information
30 Database
Claims (9)
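- An information processing system comprising a first information processing apparatus and a second information processing apparatus, wherein
the first information processing apparatus
generates a first commitment by concealing two or more first item values among a plurality of item values included in data, and generates, from the two or more first item values, zero-knowledge proof information for proving that a user of the first information processing apparatus has knowledge of the two or more first item values, and
transmits a second item value among the plurality of item values, the generated first commitment, and the generated zero-knowledge proof information to the second information processing apparatus, and
the second information processing apparatus
generates a second commitment from the received second item value, and
verifies the authenticity of the received second item value based on a relationship between the first commitment and the second commitment and a third commitment stored in a database, and on the received zero-knowledge proof information.
- The information processing system according to claim 1, wherein
the first information processing apparatus further
generates the second commitment from the second item value, calculates the product of the first commitment and the second commitment to generate the third commitment, and registers the third commitment in the database, and
in verifying the authenticity, the second information processing apparatus
calculates the product of the first commitment and the second commitment and compares it with the third commitment stored in the database.
- The information processing system according to claim 1, wherein
in verifying the authenticity, the second information processing apparatus
determines that the received second item value is genuine when the product of the first commitment and the second commitment matches the third commitment and the proof by the zero-knowledge proof information succeeds.
- The information processing system according to claim 1, wherein
in generating the first commitment, the first information processing apparatus
generates two or more fourth commitments by concealing each of the two or more first item values, and calculates the product of the generated two or more fourth commitments to generate the first commitment.
- The information processing system according to claim 1, wherein
the first information processing apparatus further
generates a fifth commitment by concealing a third item value among the two or more first item values, and generates, from the third item value, other zero-knowledge proof information for proving that the third item value satisfies a specific condition,
in transmitting to the second information processing apparatus, the first information processing apparatus
further transmits the fifth commitment and the other zero-knowledge proof information, and
in verifying the authenticity, the second information processing apparatus
verifies the authenticity of the second item value, that the third item value satisfies the specific condition, and the authenticity of the third item value, based on a relationship between the first commitment, the second commitment, and the fifth commitment and the third commitment, on the received zero-knowledge proof information, and on the received other zero-knowledge proof information.
- An information processing system comprising a first information processing apparatus and a second information processing apparatus, wherein
the first information processing apparatus
generates a first commitment by concealing two or more first item values among a plurality of item values included in data, and generates, from the two or more first item values, first zero-knowledge proof information for proving that a user of the first information processing apparatus has knowledge of the two or more first item values,
generates a second commitment by concealing a second item value among the plurality of item values, and generates, from the second item value, second zero-knowledge proof information for proving that the second item value satisfies a specific condition, and
transmits the generated first commitment, the generated first zero-knowledge proof information, the generated second commitment, and the generated second zero-knowledge proof information to the second information processing apparatus, and
the second information processing apparatus
verifies that the second item value satisfies the specific condition and the authenticity of the second item value, based on a relationship between the first commitment and the second commitment and a third commitment stored in a database, on the received first zero-knowledge proof information, and on the received second zero-knowledge proof information.
- A control method in which
a first information processing apparatus
generates a first commitment by concealing two or more first item values among a plurality of item values included in data, and generates, from the two or more first item values, zero-knowledge proof information for proving that a user of the first information processing apparatus has knowledge of the two or more first item values, and
transmits a second item value among the plurality of item values, the generated first commitment, and the generated zero-knowledge proof information, and
a second information processing apparatus
generates a second commitment from the received second item value, and
verifies the authenticity of the received second item value based on a relationship between the first commitment and the second commitment and a third commitment stored in a database, and on the received zero-knowledge proof information.
- An information processing apparatus comprising:
a communication unit that receives, from another information processing apparatus, a first commitment corresponding to two or more first item values among a plurality of item values included in data, zero-knowledge proof information for proving that a user of the other information processing apparatus has knowledge of the two or more first item values used for the first commitment, and a second item value among the plurality of item values; and
a processing unit that generates a second commitment from the received second item value, and verifies the authenticity of the received second item value based on a relationship between the first commitment and the second commitment and a third commitment stored in a database, and on the received zero-knowledge proof information.
- A control program that causes a computer to execute a process comprising:
receiving, from another computer, a first commitment corresponding to two or more first item values among a plurality of item values included in data, zero-knowledge proof information for proving that a user of the other computer has knowledge of the two or more first item values used for the first commitment, and a second item value among the plurality of item values;
generating a second commitment from the received second item value; and
verifying the authenticity of the received second item value based on a relationship between the first commitment and the second commitment and a third commitment stored in a database, and on the received zero-knowledge proof information.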
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
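CN202080107535.2A CN116491102A (zh) | 2020-12-28 | 2020-12-28 | Information processing system, control method, information processing apparatus, and control program |
JP2022572826A JPWO2022144966A1 (ja) | 2020-12-28 | 2020-12-28 | |
PCT/JP2020/049119 WO2022144966A1 (ja) | 2020-12-28 | 2020-12-28 | Information processing system, control method, information processing apparatus, and control program |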
EP20967979.4A EP4270865A4 (en) | 2020-12-28 | 2020-12-28 | INFORMATION PROCESSING SYSTEM, CONTROL METHOD, INFORMATION PROCESSING APPARATUS AND CONTROL PROGRAM |
US18/323,066 US20230308279A1 (en) | 2020-12-28 | 2023-05-24 | Information processing system and information processing apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2020/049119 WO2022144966A1 (ja) | 2020-12-28 | 2020-12-28 | Information processing system, control method, information processing apparatus, and control program |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/323,066 Continuation US20230308279A1 (en) | 2020-12-28 | 2023-05-24 | Information processing system and information processing apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022144966A1 (ja) | 2022-07-07 |
Family
ID=82260362
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2020/049119 WO2022144966A1 (ja) | 2020-12-28 | 2020-12-28 | Information processing system, control method, information processing apparatus, and control program |
Country Status (5)
Country | Link |
---|---|
US (1) | US20230308279A1 (ja) |
EP (1) | EP4270865A4 (ja) |
JP (1) | JPWO2022144966A1 (ja) |
CN (1) | CN116491102A (ja) |
WO (1) | WO2022144966A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024089522A1 (en) * | 2022-10-27 | 2024-05-02 | QPQ Ltd. | System and method for proving membership of subset from given set and linear operation therefor |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003188872A (ja) * | 2001-10-03 | 2003-07-04 | Internatl Business Mach Corp <Ibm> | List matching method, network system, server thereof, and information terminal |
JP2020502865A (ja) * | 2018-11-07 | 2020-01-23 | Alibaba Group Holding Limited | Management of blockchain confidential transactions |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10277395B2 (en) * | 2017-05-19 | 2019-04-30 | International Business Machines Corporation | Cryptographic key-generation with application to data deduplication |
US11329825B2 (en) * | 2018-12-17 | 2022-05-10 | Insights Network | System and method for authenticating user identity |
-
2020
- 2020-12-28 CN CN202080107535.2A patent/CN116491102A/zh active Pending
- 2020-12-28 WO PCT/JP2020/049119 patent/WO2022144966A1/ja active Application Filing
- 2020-12-28 EP EP20967979.4A patent/EP4270865A4/en not_active Withdrawn
- 2020-12-28 JP JP2022572826A patent/JPWO2022144966A1/ja not_active Withdrawn
-
2023
- 2023-05-24 US US18/323,066 patent/US20230308279A1/en active Pending
Non-Patent Citations (5)
Title |
---|
"Specification of the Identity Mixer Cryptographic Library", IBM RESEARCH - ZURICH, 29 April 2010 (2010-04-29) |
BENEDIKT BUNZ, JONATHAN BOOTLE, DAN BONEH, ANDREW POELSTRA, PIETER WUILLE, GREG MAXWELL: "Bulletproofs: Short Proofs for Confidential Transactions and More", PROCEEDINGS OF THE 2018 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, 21 May 2018 (2018-05-21), pages 315 - 334, XP033377741, DOI: 10.1109/SP.2018.00020 |
DANIEL BENARROCH, MATTEO CAMPANELLI, DARIO FIORE, KOBI GURKAN, DIMITRIS KOLONELOS: "Zero-Knowledge Proofs for Set Membership: Efficient, Succinct, Modular", CRYPTOLOGY EPRINT ARCHIVE, REPORT 2019/1255, 27 October 2019 (2019-10-27) |
See also references of EP4270865A4 |
TORBEN PRYDS PEDERSEN: "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing", PROCEEDINGS OF THE 11TH ANNUAL INTERNATIONAL CRYPTOLOGY CONFERENCE (CRYPTO '91), 11 August 1991 (1991-08-11), pages 129 - 140 |
Also Published As
Publication number | Publication date |
---|---|
EP4270865A1 (en) | 2023-11-01 |
EP4270865A4 (en) | 2024-02-28 |
CN116491102A (zh) | 2023-07-25 |
JPWO2022144966A1 (ja) | 2022-07-07 |
US20230308279A1 (en) | 2023-09-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11743052B2 (en) | Platform for generating authenticated data objects | |
US10491390B2 (en) | Proof chaining and decomposition | |
US11025610B2 (en) | Distributed ledger-based profile verification | |
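CN110674128B (zh) | On-chain governance of blockchain | |
CN113302610B (zh) | Blockchain-based trusted platform | |
US11924348B2 (en) | Honest behavior enforcement via blockchain | |
KR20070007021A (ko) | Computer program element, computer program medium, and method and system for issuing an attestation value for generating a user attestation-signature value | |
US11818271B2 (en) | Linking transactions | |
CN115943411A (zh) | Noise transactions for protecting data | |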
US20230308279A1 (en) | Information processing system and information processing apparatus | |
Kaafarani et al. | An adaptive decision-making approach for better selection of blockchain platform for health insurance frauds detection with smart contracts: development and performance evaluation | |
JP2023554148A (ja) | Blocking of confidential data | |
US20230107805A1 (en) | Security System | |
Chenli et al. | Provnet: Networked blockchain for decentralized secure provenance | |
US20220393892A1 (en) | Composite Cryptographic Systems with Variable Configuration Parameters and Memory Bound Functions | |
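CN116361823A (zh) | Selective audit processing of blockchain for privacy protection | |
CN112016118B (zh) | Method and *** for anonymous database rating update | |
US20230245112A1 (en) | Non-interactive token certification and verification | |
WO2022153377A1 (ja) | Control method, information processing system, information processing apparatus, and control program | |
CN113491090B (zh) | Blockchain-based trusted platform | |
WO2022208724A1 (ja) | Verification method, control method, information processing apparatus, and verification program | |
KR20220056036A (ko) | Transaction execution device for implementing a virtual machine based on a zero-knowledge proof circuit for verifying general computations | |
CN112929177A (zh) | Blockchain anonymous user audit method and *** applied to a blockchain server | |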
US20230421399A1 (en) | Cross chain access granting to applications | |
Gaddam et al. | LucidiTEE: Scalable Policy-Based Multiparty Computation with Fairness |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 20967979 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2022572826 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 202080107535.2 Country of ref document: CN |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2020967979 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2020967979 Country of ref document: EP Effective date: 20230728 |