CN108090751A

CN108090751A - Electronic cash system

Info

Publication number: CN108090751A
Application number: CN201711346525.0A
Authority: CN
Inventors: 周福才; 李宇溪; 徐紫枫; 柳璐; 秦诗悦
Original assignee: Northeastern University China
Current assignee: Northeastern University China
Priority date: 2017-12-15
Filing date: 2017-12-15
Publication date: 2018-05-29

Abstract

The present invention relates to a kind of electronic cash systems.The electronic cash system includes subscription client U_iTo local bank server LB_jSend withdrawal request, LB_jFor U_iBank of deposit's server；LB_jElectronic cash M is generated according to withdrawal request and is sent to U_i；LB_jUpdate U_iUser account table；U_iVerify the validity of M；When verification result is effective, exports and preserve M；When verification result is invalid, U is repeated_iTo local bank server LB_jSend withdrawal request and subsequent step.The electronic cash system of the present invention, subscription client U_iTo local bank server LB_jSend withdrawal request, LB_jFor U_iBank of deposit's server；LB_jElectronic cash M is generated according to withdrawal request and is sent to U_i；U_iVerify the validity of M；It when verification result is effective, exports and preserves M, solve the various limiting factors that traditional bank note is brought in can merchandising, while the effectively anonymity of protection user.

Description

Electronic cash system

Technical field

The present invention relates to Internet technical field more particularly to a kind of electronic cash systems.

Background technology

With the rapid development of computer and Internet technology, e-commerce has been deep into people in modern society and has lived The various aspects of running.However, people, while enjoying huge convenient caused by e-commerce, information security is hidden with individual Private problem is also increasingly prominent.The security and privacy of e-commerce can not be effectively ensured in traditional cash transaction means, meanwhile, People are also unwilling frequently to transmit their personal information and credit card account by internet, therefore commercially desirable more The network privacy and network anonymous relevant service.Under the promotion of this demand, electronic cash (Electronic Cash, E- Cash concept) is come into being.

Electronic cash is a kind of currency to be circulated with data mode.Electronic cash system is using cryptography instrument cash number Value is converted into a series of ciphering sequence number, and cash is made to depart from traditional paper or metal, is stored in software or smart card In.The purpose of design electronic cash system is to realize that people carry out normal electronic cash transaction on a communication network, and electronics is existing This golden change means will be progressively ripe, and one surely receives for consumers in general.Therefore, it is the strong of guarantee Electronic Commerce in China Kang Fazhan, develops the network safety payment system of oneself, and especially electronic cash system is imperative.

Although electronic cash has lot of advantages and characteristic, some key techniques being related to still urgently are sent out It is bright.The problem of primary is how to ensure the safety of system；Secondly, people how to be made really to receive and using the pass of electronic cash Key is that electronic cash to be ensured equally is difficult to be forged and replicate with traditional bank note：It is difficult to be forged to realize, electronics is existing Golden system is traded using the digital signature that can not be forged as a cash.However, unlike conventional currency, electronics The digitlization feature of cash causes it can easily be duplicated, so in many electronic cash systems, can exist in different friendships The behavior of same electronic cash of payment, i.e. Double spending behavior in easily.In order to avoid the growth of Double spending behavior, some electricity Sub- cash system by the identity information of user by it is a kind of it is hiding in a manner of encode into electronic cash, make user payment when still Anonymity is kept, if detecting Double spending behavior, the user's identity if can be lifted.In addition, the electricity proposed at present In sub- cash system, both sides is required at least to be interacted three times when each agreement carries out, this is to communication efficiency and network Safety requirements is very high, so the problem of number for how reducing both sides' interaction is also one extremely important in practical applications.

On the whole, the objective of the electronic cash system of design safety is to solve the various limits that traditional bank note is brought in transaction Factor processed, while the effectively anonymity of protection user, are allowed to be increasingly becoming a kind of important tool of e-payment, cash are led to hand over Easily develop towards numerical and intelligent direction.

The content of the invention

(1) technical problems to be solved

For the problems of the prior art, the present invention provides a kind of electronic cash system, the system, subscription client U_iTo Local bank server LB_jSend withdrawal request, LB_jFor U_iBank of deposit's server；LB_jElectronics is generated according to withdrawal request Cash M is sent to U_i；U_iVerify the validity of M；When verification result is effective, exports and preserve M, tradition during solution can merchandise The various limiting factors that bank note is brought, while the effectively anonymity of protection user.

(2) technical solution

In order to achieve the above object, the main technical schemes that the present invention uses include：

A kind of electronic cash system, the system, including：Subscription client and local bank's server；

S401, the subscription client U_iTo local bank server LB_jSend withdrawal request, the LB_jFor the U_i's Bank of deposit's server；

S402, the LB_jElectronic cash M is generated according to the withdrawal request and is sent to the U_i；The LB_jDescribed in update U_iUser account table；

S403, the U_iVerify the validity of the M；

S404 when verification result is effective, is exported and is preserved the M；

S405 repeats step S401 and subsequent step when verification result is invalid.

(3) advantageous effect

The beneficial effects of the invention are as follows：Subscription client U_iTo local bank server LB_jSend withdrawal request, LB_jFor U_i Bank of deposit's server；LB_jElectronic cash M is generated according to withdrawal request and is sent to U_i；U_iVerify the validity of M；When verification is tied It when fruit is effective, exports and preserves M, solve the various limiting factors that traditional bank note is brought in can merchandising, while effectively protection use The anonymity at family.

Description of the drawings

Fig. 1 is a kind of electronic cash system Organization Chart of the present invention；

Fig. 2 is another electronic cash system Organization Chart of the invention；

Fig. 3 is another electronic cash system Organization Chart of the invention；

Fig. 4 is another electronic cash system Organization Chart of the invention；

Fig. 5 is the flow chart of the registration process of the specific embodiment of the invention；

Fig. 6 is the flow chart of opening an account of the specific embodiment of the invention；

Fig. 7 is the withdrawal process flow diagram flow chart of the specific embodiment of the invention；

Fig. 8 is the payment process flow chart of the specific embodiment of the invention；

Fig. 9 is the deposit process flow diagram flow chart of the specific embodiment of the invention.

Specific embodiment

In order to preferably explain the present invention, in order to understand, below in conjunction with the accompanying drawings, by specific embodiment, to this hair It is bright to be described in detail.

Some key techniques that electronic cash is related to still urgently are invented.The problem of primary is how to ensure system Safety；Secondly, people how to be made really to receive and are electronic cash to be ensured with traditional bank note using the key of electronic cash It is equally difficult to be forged and replicate：Be difficult to be forged to realize, electronic cash system using the digital signature that can not be forged as One cash is traded.However, unlike conventional currency, the digitlization feature of electronic cash cause it be easy to by It replicates, so in many electronic cash systems, can have the behavior that same electronic cash is paid in different transaction, i.e., Double spending behavior.In order to avoid the growth of Double spending behavior, some electronic cash systems are by the identity information of user with one The hiding mode of kind is encoded into electronic cash, user is made to still maintain anonymity in payment, if detecting Double spending Behavior, the user's identity can be then lifted.In addition, in the electronic cash system proposed at present, when each agreement carries out Both sides is required at least to be interacted three times, this is very high to the safety requirements of communication efficiency and network, so how to reduce both sides The problem of interactive number is also one extremely important in practical applications.

Based on this, the present invention provides a kind of electronic cash system, includes at least：Subscription client and local bank's service Device, subscription client U_iTo local bank server LB_jSend withdrawal request, LB_jFor U_iBank of deposit's server；LB_jAccording to Withdrawal request generation electronic cash M is sent to U_i；U_iVerify the validity of M；When verification result is effective, exports and preserve M, Solve the various limiting factors that traditional bank note is brought in can merchandising, while the effectively anonymity of protection user.

Referring to Fig. 1, electronic cash system provided in this embodiment, including：Subscription client and local bank's server.It is logical The electronic cash system shown in FIG. 1 being made of subscription client and local bank's server is crossed, it can be achieved that user passes through user Client extracts the function of electronic cash from local bank's server.

In addition, referring to Fig. 2, electronic cash system provided in this embodiment further includes：Central Bank's server.It is logical The electronic cash system shown in Fig. 2 being made of subscription client, local bank's server and Central Bank's server is crossed, it can be real Now following function：1) initialization of electronic cash system.2) registration of client and the registration of local bank's server.3) user It is opened an account by subscription client in local bank's server.4) user is extracted by subscription client from local bank's server Electronic cash.5) Central Bank's server monitoring illegal transaction.

In addition, referring to Fig. 3, electronic cash system provided in this embodiment further includes：Merchant client.Pass through Fig. 3 The shown electronic cash system being made of subscription client, local bank's server, Central Bank's server and merchant client System is, it can be achieved that following function：1) initialization of electronic cash system.2) registration of client and the note of local bank's server Volume.3) user is opened an account by subscription client in local bank's server.4) user is taken by subscription client from local bank Electronic cash is extracted in business device.5) user pays purchase expenses by subscription client to merchant client.6) businessman passes through business Family's client is stored in electronic cash in local bank's server.7) Central Bank's server monitoring illegal transaction.8) two client The electronic cash arbitration at end.

Wherein, client can be subscription client, or merchant client, 2) registration of subscription client, business The registration of family's client and the registration of local bank's server.7) for arbitration 2 subscription clients between electronic transaction dispute or Person arbitrates the electronic transaction dispute between 2 merchant clients, alternatively, between 1 subscription client of arbitration and 1 merchant client Electronic transaction dispute.

Below by taking electronic cash system framework shown in Fig. 4 as an example, the operation to electronic cash system provided by the invention Flow is described in detail.

The electronic cash system of the present invention, the entity of participation mainly have following four：The Central Bank (Central Bank, CB), local bank (Local Bank, LB), consumer (Customer, C) and businessman (Merchant, M).Wherein center silver Row can regard group manager and opener in group signature scheme as, and local bank can regard the signer in group signature scheme as And arbitrator, and consumer then acts as the role of verifier in group signature scheme with businessman.

The Central Bank CB is the creator of system, as central banking institution, be responsible for local bank and Distributing electronic cash verification information, and bank certificate and user certificate are issued for legal local bank and user, and manage dimension User's registration table is protected, wherein being user identifier；

The local bank LB is electronic cash publisher, possesses bank's credentials of Central Bank's method, is responsible for It opens an account for user and manages its electronic cash account, specifically, when client withdraws the money, in addition, local bank should have visitor Family identity and electronic cash authenticity verification ability.

The consumer C is electronic cash lawful owner, and by opening an account, agreement is interacted with local bank, is obtained One's own account, wherein the electronic cash comprising certain numerical value, consumer C can use branch when being traded with businessman M Agreement is paid by the electronic cash payment of respective value to businessman.

The businessman M is electronic cash lawful owner, obtains to test offline during the electronic cash of consumer's transmission The legitimacy of electronic cash is demonstrate,proved, and is stored in the account of oneself.

Therefore the electronic cash system of the present invention is to support the Fair Off-line E-cash system of multi-bank.

As shown in figure 4, Central Bank CB is legal local bank LB, consumer C and businessman's M certificates, for Consumer C in system also needs to send the tracking key of oneself to Central Bank CB to manage.Local bank LB passes through center The certificate that bank CB is issued represents it oneself is legal bank, by the signature key of generation come electronic cash, and Off-line state is can be at after this.User U can apply opening an account to local bank LB, can be from this local bank after opening an account successfully Into line access electronic cash, during withdrawal, the electronic cash to be issued oneself of local bank LB is signed, and is showed in electronics Binding certificate in gold, local bank LB prove the certificate by Groth-Sahai non-interactive zero-knowledge proofs method to user Legal validity.In payment process, consumer C needs will obtain electronic cash payment and give businessman M, and send simultaneously The sequence number and transaction ID of cash.According to the characteristics of Groth-Sahai non-interactive zero-knowledge proof methods, businessman M is not It needs to interact with bank or user's either side, will not know any personal information of user, can verify that this pen shows Whether gold is legal effectively, if generating economic dispute during cash circulation or having illegal act, user can be to central silver Electronic cash is opened in row CB applications, so as to track out the identity of disabled user.In addition, in certain special cases, if being It needs to confirm whether certain cash belongs to certain user in system, request for arbitration, silver can be initiated to the bank for signing and issuing this cash Row can export and judge as a result, owner can be transferred through with greetings judging this electronics in the case where not disclosing user identity Whether cash is that certain user generates.

In specific implementation, consumer holds local device client, and electronic cash is stored in local device.Consumer During to merchant transaction, transmission is the electronic cash stored in local device, but needs to modify to it before sending, and is made It meets validity, it may be verified that property.Consumer possesses the client of oneself, when sale fund, can select displaying Quick Response Code, Paying party is by scanning the two-dimensional code or the modes such as input address connect beneficiary and pay the bill.

First, the initialization of electronic cash system

The idiographic flow for completing the initialization of electronic cash system is as follows：

S101-1, Central Bank server CB select systematic parameter.

S101-2, CB production can include the main private of CB to group's public key pk and private key that electronic cash is verified, private key Key msk and unlatching key sk0.

S101-3, CB set up database, the electronic cash that database has spent for storage, and LB_jPossess to database Access rights.

For example, Central Bank server selection systematic parameter, production can be to group's public key p that electronic cash is verified^k And private key (the main private key msk of the Central Bank and unlatching key sk0).Central Bank's server is locally set up in the Central Bank For one database dedicated for storing the electronic cash Reg [C] spent, all local banks possess the access to this database Permission.

2nd, the registration of client and the registration of local bank's server

Local bank or user are registered in systems, and the entity of participation is Central Bank's server and local bank Server/subscription client, it is any to want that the entity for adding in this system perform this step with Central Bank's interaction.It can regard as Group members M in group signature scheme_eThe interactive association carried out between (user or local bank) and group manager (Central Bank) View, is separately operable at user or local bank end and Central Bank server-side group members M_eWith (pk, sk₁,sk₂) to input, center Bank runs the agreement using PK as input.When the agreement is run successfully, the one side Central Bank is in group members registration table reg In establish an entry for group members, be denoted as reg [e], the content local bank credentials and public affairs of the content item of entry Key；Another aspect group members M_e(user or local bank) obtains the local bank credentials cert that the Central Bank issues_e, Another place bank generates signature key and authentication secret (ssk_e,vk_e), user generates tracking key tk [e].

This step includes registration, the registration of merchant client and the registration of local bank's server of subscription client.

1st, the registration of local bank's server

Such as LB_jRegister flow path is as follows in electronic cash system：

S201-1, LB_jKey in PKI calculates (lbsk [j], lbpk [j]) and sends the commitment value Y ' of key_j To CB.

S201-1 is specifically included：

S201-1-1, LB_jThe key in PKI is transferred to (lbsk [j], lbpk [j]).

S201-1-2, LB_jRandomly choose y '_j←Z_p。

S201-1-3, LB_jIt calculatesBy Y '_jIt is sent to CB.

S201-2, CB are according to Y '_jGenerate LB_jCredentials cert_jFirst half, and be sent to LB_j。

S201-2 is specifically included：

S201-2-1, CB are selected

S201-2-1, CB generate LB_jCredentials cert_jFirst half (y_j″,A_j,X_j,2), and send (y_j″,A_j, X_j,2) give LB_j。

Wherein,

S201-3, LB_jDetermine cert_jFirst half it is effective after, calculate LB_jPrivate key sk [j], and sign to sk [j] S [j] is obtained, s [j] is sent to CB.

S201-3 is specifically included：

S201-3-1, LB_jVerificationIt is whether true.

S201-3-2, if so, then LB_jCalculate sk [j]=y_j=y '_j+y_j", and obtain equation

S201-3-3 is rightIt is signed to obtain s_j。

S201-3-4, by (j, lbpk [j], A_j,X_j,S_j) it is sent to CB.

Wherein, s_jFor LB_jIt is rightThe signature value signed.

Lbpk [j] is LB_jPublic key；A_j) and X_j,2It is LB_jThe certificate obtained with the Central Bank in interaction before A part.

After S201-4, CB verify that s [j] is correct according to lbpk [j], by LB_jInformation be added to registration table Reg_LBIn [j].

Specifically, after CB verifies that s [j] is correct according to lbpk [j], by (j, lbpk [j], A_j,X_j,S_j) it is added to registration table Reg_LBIn [j].

S201-5, CB send cert_jFront and rear part X_j,1To LB_j。

Specifically, CB sends cert_jFront and rear partTo LB_j。

S201-6, LB_jVerify X_j,1After correct, by cert_jFirst half and X_j,1Merge into cert_j。

S201-6 is specifically included：

S201-6-1, LB_jVerificationIt is whether true；

S201-6-2, if set up, LB_jVerify X_j,1Correctly；

S201-6-3, by cert_jFirst half and X_j,1Merge into cert_j。

S201-7, LB_jGenerate ssk_jAnd electronic cash authentication secret vk, and announce vk.

S201-7 is specifically included：

S201-7-1, LB_jChoose random number z ← Z_p；

S201-7-2, LB_jGenerate ssk_j=k^zAnd vk=g^z, and announce vk.

2nd, the registration of subscription client, the registration of merchant client

Wherein, the registration of subscription client and the register flow path of merchant client are identical, and the present embodiment is only with user client It is illustrated exemplified by the registration at end.

Such as U_iRegister flow path is as follows in electronic cash system：

S202-1, U_iKey in PKI calculates (lbsk [i], lbpk [i]) and sends the commitment value Y ' of key_iIt gives CB。

S202-2, CB are according to Y '_iGenerate U_iCredentials cert_iFirst half, and be sent to U_i。

S202-3, U_iDetermine cert_iFirst half it is effective after, calculate U_iPrivate key y_i, and to y_iIt is signed to obtain s_i, will s_iIt is sent to CB.

S202-4, CB verify s according to lbpk [i]_iAfter correct, by U_iInformation be added to registration table Reg_uIn [i].

S202-5, CB send cert_iFront and rear part X_i,1To U_i。

S202-6, U_iVerify X_i,1After correct, by cert_iFirst half and X_i,1Merge into cert_i。

S202-7, U_iAccording to y_iGeneration tracking key tk [i], encryption tk [i] obtain user tracking key ciphertext e_i。

S202-8, U_iBy e_i, A_i, X_i,2,CB is sent to after signature.

Wherein, A_i, X_i,2It is U respectively_iCertificate a part, be in user registration course and bank interaction when obtain 's.

y_iIt is U_iPrivate key and in registration process user generate.U can be regarded as_iPublic key information.

CB is by tuple (i, lbpk [i], A_i,X_i,e_i,s_i) it is added to Reg_uIn [i].

Wherein, X_iIt is U_iA part for certificate information obtains in user registration course and when bank interacts.

S_iIt is user to its private key y_iThe signature value signed.

Below again with the flow shown in Fig. 5, the registration of registration and local bank's server to client illustrates again.

1.1, local bank server LB_jIt is registered, LB_jPossess key in PKI to (lbsk [j], lbpk [j]), It calculates and sends the commitment value Y ' of key_jGive Central Bank server CB.

Specifically, LB_jAdministrative staff click on local bank LB_jRegistration button in client, client transfer local bank The key in PKI possessed randomly chooses y ' to (lbsk [j], lbpk [j])_j←Z_p, calculate and sendIn giving Entreat bank server.

In electronic cash system provided by the invention, each bank is required for being registered, and can just attain power to obtain User, which opens an account and receives user, accesses the functions such as electronic cash, if not registering, can not use.

1.2, CB generation local bank credentials cert_jFirst half and be sent to LB_j。

Specifically, CB receives the registration response of local bank, administrative staff receive the response that local bank sends, then CB is selected It selectsGenerate local bank credentials cert_jFirst half (y_j″,A_j,X_j,2) whereinAnd send (y_j″,A_j,X_j,2) give local bank LB_j。

1.3, LB_jVerify the validity of first half certificate, if effectively, the private key sk [j] of oneself is calculated, and to private key It is signed to obtain s [j], signature is sent to CB.

Specifically, local bank LB_jAfter client receives tuple sequence, equation is verified It is whether true, if so, calculate private key sk [j]=y_j=y '_j+y_j", obtain equation It is rightIt is signed to obtain s [j], finally, by (j, lbpk [j], A_j,X_j,S_j) it is sent to CB.

After 1.4, CB receive s [j], the correctness of signature s [j] is verified using lbpk [j], then by the information of local bank It is added to registration table Reg_LBIn [j].Then the last part X of membership certificate is sent_j,1To LB_j。

Specifically, after CB receives s [j], the correctness of signature s [j] is verified with lbpk [j], then by tuple (j, lbpk [j],A_j,X_j,S_j) it is added to registration table Reg_LBIn [j].Then the last part of membership certificate is sentIt gives LB_j。

1.5, LB_jVerify the value X received_j,1Correctness, be such as proved to be successful, then obtain an effective certificate cert_j.With Afterwards, LB_jGenerate electronic cash signature private key ssk_jAnd electronic cash authentication secret vk, then announce authentication secret.

Specifically, LB_jVerify the value X received_j,1Whether be really(whether withMeet with peer-to-peerIt is such as proved to be successful, then obtains an effective certificate Then, LB_jSelect random number z ← Z_p, generation electronic cash signature private key ssk_j=k^zAnd electronic cash authentication secret vk= g^z, then announce authentication secret.Local bank client prompting administrative staff succeed in registration simultaneously.

So far local bank's registration terminates.

User's registration, with bank registration (step 2.1 to step 2.5) is substantially the same, but subscription client U_iReceive card Book cert_iAfterwards, without calculating electronic cash signature private key and authentication secret, but need to utilize private key y_iIt generates it and tracks key Tk [i] simultaneously encrypts tk [i] and obtains e_i.Finally, it is necessary in e_iTogether with A_i, X_i,2,On signed and be sent to the Central Bank clothes Business device.Central Bank's server is by tuple (i, lbpk [i], A_i,X_i,e_i,s_i) it is added to registration table Reg_uIn [i].

Specifically, carry out step 2.1 during user's registration first to step 2.5, it is substantially the same with bank log-in protocol.Registration Function is by communicating to complete between subscription client and Central Bank's server.User first clicks on subscription client Login ID, inputs the public private key pair having in PKI, and subscription client sends user key commitment value (subscription client pair Its public key is signed, and server is sent to using signature as request；) it is sent to Central Bank's server.The Central Bank first The validity of server authentication signature, if effectively, issuing credentials and being sent to subscription client；Subscription client is to service The response of device is handled, and obtains membership certificate, and certificate is being locally stored in subscription client, and prompt user's registration into Work(.Meanwhile subscription client generates it and tracks key：Utilize private key y_iIt generates it and tracks key tk [i], and encrypt tk [i] and obtain To e_i.Finally, it is necessary in e_iTogether with A_i, X_i,2,On signed and be sent to Central Bank's server.Central Bank's server By tuple (i, lbpk [i], A_i,X_i,e_i,s_i) it is added to registration table Reg_uIn [i].

Registration action for user in itself for be exactly to click on registration, input PKI public and private key can, remaining and server Between interaction carried out by subscription client, without user handle.

The registration of merchant client is by communicating to complete between merchant client and Central Bank's server.With Family businessman first clicks on merchant client login ID, and merchant client recalls the public and private key of user from local, it is close to send user Key commitment value (merchant client signs to its public key, and Central Bank's server is sent to using signature as request) is sent to Central Bank's server.The validity of Central Bank's server authentication signature first, if effectively, issuing credentials and being sent to Merchant client；Merchant client handles the response of central bank server, obtains membership certificate, businessman client Certificate is being locally stored in end, and prompts user registration success.Meanwhile merchant client generates its and tracks key, it is last, it is necessary to It is signed in all parameters claimed and is sent to Central Bank's server.The Central Bank is added the user in registration table.

3rd, user is opened an account by subscription client in local bank's server

User opens an account in local bank, runs between user and local bank.User opens local user client Hold U_i, selection opens an account, and local bank is clicked in local bank's list of interface display lawful registration.Meanwhile U_iUtilize user The credentials preserved, by Generating Certificate commitment value proof value and tracking ciphertext key proves the legal of its identity Property, it is sent to local bank server LB_j, after local bank's server authentication request passes through, then user opens in this bank therefore Family.Local bank's server generation response data simultaneously returns to subscription client, then sends tracking key ciphertext to central silver Row server asks user tracking key, and Central Bank's server by utilizing opens key and the ciphertext of transmission is decrypted, and Generation response data returns to local bank's client, and local bank's client handles response, will track key ciphertext To being stored in user's table.

This process Central Bank need not know which place bank user selects, this is also safe one individual character of electronic cash Matter.Central Bank's server first carries out the information received authentication before response is performed, main to verify bank's card The legitimacy of book.Legitimacy by response data (tracking key) by returning to local bank's server afterwards.Local bank takes Business device is immediately handled response, by tracking key ciphertext to being stored in user's table.

S301, U_iTo U_iCertificate cert_iIt is promised to undertake, obtains commitment valueAnd produce proof value Π_i。

Wherein, cert_iFor

S301 is specifically included：

S301-1, U_iRandom selectionWherein b=1 ..., 5.

S301-2, U_iIt calculates

Wherein,

Wherein,Represent the vectorial representation of commitment value.Promise generation is carried out to the element in bracket for c () expressions Value a part, collectively constitute capitalization vector It is the non-interactive type under system generation is assumed based on DLin Proof system generalized reference string CRS (system generated common parameter when initializing).σ_iIt is user U_iThe i-th of certificate Part.It is the unlatching key of Central Bank's selection, is used when generating dispute and needing and track client,

S301-3, U_iAccording toIt calculates：

S302, U_iIt willΠ_iAnd e_iIt is sent to LB_j。

Specifically, U_iIt willIt is sent to LB_j。

S303, LB_jConfirm U_iIdentity and cert_iIt is U after legal_iIt opens an account.

S303 is specifically included：

S303-1, LB_jVerify whether following equation is true：

Wherein τ_T(u) 3 × 3 matrixes are represented, (3,3) position is u ∈ G_TRemaining position is unit member 1, i.e.,

So shown herein as 3 × 3 matrixes, wherein it is unit member 1 that (3,3) position, which is remaining position of e (g, u),.

S303-2, if equation is set up, LB_jConfirm U_iIdentity and cert_iIt is legal, to U_iReturn to confirmation message and for U_iIt opens Family.

S303-2, if equation is invalid, LB_jConfirm U_iIdentity and cert_iIt is illegal, to U_iReturn to failure information.

S304, LB_jBy e_iIt is sent to CB.

S305, CB calculate tracking key value tk [i] according to sk0, by e_iAnd tk [i] is sent to LB_j。

Specifically, CB is according to sk0 (α₁,α₂) calculateBy e_iAnd tk [i] is sent to LB_j。

S306, LB_jBy (e_i, tk [i]) it is added to user and opens an account in list.

It is opened an account in local bank's server by subscription client to user and said again with the flow shown in Fig. 6 again below It is bright.

2.1, subscription client U_iNeed the certificate cert to holding_iPromise to undertake and calculate commitment value

Because wanting to consider from privacy of user, user is not desired to reveal the certificate information of oneself to local bank, is only conceivable to Square bank report oneself is validated user, so needing to handle the certificate of subscription client storage.Processing procedure is to use Subscription client is opened at family, and selection opens an account, and local bank is clicked in local bank's list of interface display lawful registration, with I.e. subscription client calculates the commitment value of user certificate, and commitment value does not reveal certificate information, but can make local bank's verification card The validity of book.

Specifically, U_iNeed the certificate to holdingIt is promised to undertake, visitor Family end randomly choosesWherein b=1 ..., 5, calculate commitment valueWherein,

2.2, user simultaneously generates proof value Π_i。

This step is only that user applies for after opening a bank account in somewhere that subscription client is in local in subscription client The proof value of calculating.

Specifically, client is calculated on the proof value Π for meeting following equation_i：

The proof value of each equation will include 9 group elements.

Proof valueIt calculates as follows：

2.3, U_iIt will promise to undertake, it was demonstrated that be worth the ciphertext together with tracking keySend jointly to LB_j。

Specifically, U_iIt will promise to undertake, it was demonstrated that be worth the ciphertext together with tracking keyIt sends jointly to LB_j。

2.4, LB_jThe true legitimacy of identity, that is, certificate of user is verified, if the verification passes, then to U_iReturn to confirmation letter Breath 1 represents that user can access electronic cash herein, opens an account for user, otherwise to U_iReturn to failure information 0.

Specifically, LB_jIt receives user to open an account response, to verify the true legitimacy of the identity, i.e. certificate of user, that is, verify Whether following equalities are true：

If the verification passes, then to U_iConfirmation message 1 is returned, represents that user can access electronic cash herein, is user It opens an account, otherwise to U_iReturn to failure information 0.After subscription client receives the information of bank client return, shown really to user Recognize and open an account successfully or fail.

2.5, local bank is in order to obtain arbitration right to this user, it is necessary to be opened with to apply obtaining this to the Central Bank The tracking key tk [i] of family user, the Central Bank will assign local bank for the arbitration legal capacity of user.

Local bank in this step is not what the Central Bank selected, but user oneself selection opened in somewhere bank Family, this local bank is in order to obtain the arbitration right to this user, it is necessary to apply obtaining this use of opening an account to the Central Bank The tracking key at family, the Central Bank will assign local bank for the arbitration legal capacity of user.

Specifically, LB_jIn order to obtain to U_iArbitration right, it is necessary to apply obtaining chasing after for this user that opens an account to the Central Bank Track key

2.6, LB_jIn U_iThe ciphertext e on tracking key is extracted in the information of transmission_i, it is sent to Central Bank's service Device.

Specifically, after user opens an account successfully, LB_jBy U_iThe ciphertext e on tracking key is extracted in the information of transmission_i, hair Give Central Bank's server.

2.7, Central Bank's server by utilizing opens key sk0, calculates tk [i], extracts the tracking key tk of user [i], and it is sent to local bank LB_j。

Specifically, after Central Bank's server-side receives the information of local bank's client, administrative staff's confirmation message source It can agree to that Central Bank's server-side performs response rearward.Central Bank server by utilizing sk0 (α₁,α₂) calculateThe tracking key tk [i] of user is extracted, and is sent to LB_j。

2.8, LB_jBy two tuple (e_i, tk [i]) it is added to user and opens an account list reg_uIn [i].

Specifically, LB_jIt receives two tuple (e after Central Bank's server info_i, tk [i]) it is added to user and opens an account list reg_uIn [i].

4th, user extracts electronic cash by subscription client from local bank's server

User takes an electronic cash away in its bank to open an account, and user obtains the electronic cash M of bank's signature, and bank is then The corresponding amount of money is deducted in the account of user.Subscription client sends withdrawal request, and local bank's server by utilizing electronics shows Data sending is to subscription client in response for golden signature key generation electronic cash values, and more new user account table.User visitor The processing of family end responds and verifies the validity of electronic cash, exported if effectively and preserve electronic cash, if invalid send out again Send request.

S401, subscription client U_iTo local bank server LB_jSend withdrawal request, LB_jFor U_iThe bank of deposit service Device.

S402, LB_jElectronic cash M is generated according to withdrawal request and is sent to U_i。

In addition, LB_jU can also be updated_iUser account table.

Since withdrawal request includes withdraw funds, S402 is specifically included：

S402-0, LB_jConfirm that withdraw funds are not more than U_iAmount deposited in user account table.

S402-1 determines electronic cash M according to withdrawal request.

S402-2, LB_jUtilize electronic cash signature key ssk_jIt signs to M, generation signature value σ (M).

S402-2 is specifically included：

S402-2-1, LB_jChoose random number s ← Z_p。

Wherein, Z_pRefer to cyclic group, s is 0 to the random integers selected between p integers.

S402-2-2, LB_jσ (M) is calculated by equation below：

σ (M)=(ssk_jF(M)^s,g^s)=(k^ZF(m)^s,g^s)。

g^sFor the s power of g, g^sFor LB_jPart when M is signed, k are the length of M, M=(m₁,…,m_k)∈{0,1}^k。

Wherein u₀To u_kFor the random vector that electronic cash system is issued in initialization, u_iFor i-th of value of random vector u:(u₀,u₁,…,u_k)←G^k+1Here electronic cash length is also k, so for electronic cash M, calculates its signature function as σ (M)=(ssk_jF(M)^s,g^s)=(k^ZF(m)^s,g^s)。

S402-3, LB_jTo LB_jCertificate cert_jIt is promised to undertake And produce proof value

Wherein, cert_j=(A_j,X_j,j_j),σ_j4= (u^z,g^z), σ_j5=k^ZF(M)^s, σ_j6=g^s；

And meet following equation：

Wherein X_j, y_j, A_jIt is a part for the certificate information of local bank respectively, certificate should be cert_j=(A_j,X_j,j_j), These three values are the local banks and two sides generate during Central Bank's interactive mode in registration.

E () is Bilinear Pairing oeprator, Ω=g^γIt is parameter disclosed in the Central Bank, γ is that Central Bank master is close Key；

S402-4, LB_jBy σ_j,U is sent to σ (M)_i。

S403, U_iVerify the validity of M.

S403 is specifically included：

S403-1, U_iAccording to σ_j,Verify LB_jIdentity.

S403-2, U_iVerify σ (M).

Specifically, verifying whether following equation meets：

σ_j,5, σ_j,4,2, σ_j,6, σ_j,4,1, σ_j,4,2For LB_jIssue U_iM in the element that includes.

S403-3, if the verification result of S403-1 is to be verified, and, the verification result of S403-2 is also to be verified, Then determine that verification result is effective.

S403-4, if the verification result of S403-1 is to verify not by if alternatively, the verification result of 403-2 is to verify not Pass through, it is determined that verification result is invalid.

S404 when verification result is effective, is exported and is preserved M.

S405 when verification result is invalid, repeats step S401 to S403.

Below again with flow shown in Fig. 7, from local bank's server electronics is extracted by subscription client to user Cash illustrates again.

3.1, LB_jUtilize electronic cash signature private key ssk_jSignature generation signature value σ (M) is carried out to electronic cash M.

Specifically, user clicks on withdrawal function in subscription client, local bank is selected.U_iShow user in local silver Capable remaining sum, user click on withdrawal function, U_iShow input frame, user inputs withdraw funds (being less than remaining sum).U_iBy withdrawal request It is sent to LB_j。

LB_jReceive user's withdrawal request, verification withdraw funds are less than amount deposited, successful then continue to execute, and otherwise return Refusal request service.

LB_jClient utilizes electronic cash signature private key ssk_jIt signs to electronic cash M：Choose random value s ← Z_pIf The length of electronic cash M is expressed as k, then can be calculated as σ (M)=(ssk for the signature value of M_jF(M)^s,g^s)=(k^ZF (m)^s,g^s), wherein(m=(m₁,…,m_k)∈{0,1}^k)。

3.2, LB_jIt also needs that the certificate of oneself is promised to undertake and proved, generatesSo LB_jFinally give birth to Into σ_j, and generate proof value

Specifically, LB_jIt also needs that the certificate of oneself is promised to undertake and proved, generatesSo LB_jFinally GenerationAnd generate proof value

Wherein,σ_j4=(u²,g²), σ_j5=k^ZF (M)^s, σ_j6=g^s。

And meet following equation：

3.3, LB_jIt willAnd proof valueOne acts as U is sent to for electronic cash M_i。

3.4, U_iVerification of correctness will be carried out to obtained electronic cash values, first had to LB_jIdentity verified, Its secondary signature to this cash judges；If prove that the electronic cash that the client obtains is by verification twice Authentic and valid, and this electronic cash can be used for later payment arrangement.

Specifically, U_iObtained electronic cash values will carry out verification of correctness, first have to LB_jIdentity verified, i.e., Verify that the equation of proof value and isomorphism is set up.Its secondary signature to this cash judges, that is, verifies whether signature value is full The following two equatioies of foot：

If prove that the electronic cash that the client obtains is authentic and valid, and this electronics shows by verification twice Gold can be used for later payment arrangement.Then U_iIt withdraws the money successfully to user's display, and this electronic cash is being locally stored.

5th, user pays purchase expenses by subscription client to merchant client

User wants to carry out shopping in businessman to need to pay an electronic cash, and businessman's output represents to receive, exports and be for 1 0 represents refusal.If this time the transaction ID of transaction is R, and the electronic cash in transaction is the F electronics that consumer spends Cash.Subscription client firstly generates certificate commitment value and proof value, then together by cash sequence number and anti-dual branch It pays during value is bound into the electronic cash that will be paid and is sent to merchant client, merchant client verifies electronics after receiving response Cash validity exports if effectively and stores electronic cash, and to consumer client's returning response result.

Wherein, the payment process of subscription client is as follows：Consumer selects to click in subscription client and pay, and scans business Family's Quick Response Code or the upper family's client address information of input, after success, subscription client into certificate commitment value and proof, with The electronic cash taken out in local bank is selected in the client of family, subscription client is by cash sequence number and prevents dual payment Value is bound into the electronic cash that will be paid, and the value of above-mentioned generation is sent to merchant client by subscription client.

In the above process, what consumer was presented to businessman is 3 things：1) identity information of consumer, i.e. certificate are held Promise value and proof value.2) electronic cash.3) prove the effective information of electronic cash (sequence number prevents dual payoff).

In specific consumption, consumer (passes through scanning using local user's client identification merchant client address first The approach such as Quick Response Code or input address), after identifying successfully, then payment amount can be selected, into selection electronic cash interface, Select the electronic cash taken out from bank.Subscription client carries out series of computation after chosen successfully, and user can point after finishing Payment is hit, the electronic cash of selection is sent to businessman.After merchant client is responded, validity and the source of cash are verified Legitimacy, after being proved to be successful prompt note from the merchant receive cash one, amount of money XX.

S501, U_iIt calculates sequence number S when spending electronic cash and prevents dual payoff

S502, U_iBy M'sIt is substituted for U_iTo the promise of oneself identity

S503, U_iGenerate the temporary mark of the electronic cash spent

S504, U_iGenerate proof value

S504 is specifically included：

U_iAccording toIt calculates：

S505, U_iGenerate the electronic cash spent

S506, U_iPay M' to merchant client.

S507, merchant client is to U_iIdentity verified.

S507 is specifically included：

Merchant client verifies whether following equation is true：

Whether S508, merchant client confirm M' by LB_jSignature.

S508 is specifically included：

Merchant client verifies whether following equation is true：

S509, if S507 is verified, and, S508 confirms successfully, then merchant client receives M'.

S510, electronic cash system, which is deleted, spends the relevant transaction ID of electronic cash, and performs transaction.

Purchase expenses is paid again to merchant client by subscription client to user with flow shown in Fig. 8 again below Secondary explanation.

4.1, spend problem again in order to prevent, consumer (namely special user), which needs to calculate first, is spending this electronics Sequence number S and anti-dual payoff T during cash.

Specifically, user wants in businessman do shopping to need to pay an electronic cash, consumer-user is first turned on Client U_i, select payment function.U_iThe remaining sum and number of electronic cash in client, consumer's selection are shown to consumer Need the corresponding electronic cash paid.U_iIt calculates sequence number S when spending electronic cash and prevents dual payoff

4.2, U_iThe electronic cash taken out from bank is modified, by letter related with bank identity in electronic cash BreathIt is substituted for U_iTo the promise of oneself identity

4.3, U_iThe generation interim ID related with this electronic cash, is denoted as σ₀, generate proof value

Specifically, U_iThe generation interim ID related with this electronic cash：It is denoted as σ₀.It provides down simultaneously Row formula accordingly proves：

First three equation is on σ '_1,1,σ'_1,2,σ'_2,2,σ'₃It is secondary with peer-to-peer, therefore the proof of each equation with The method of proof of step 2.2 is identical.According to Groth-Sahai proof systems, for the proof of the 4th equationIt calculates such as Under：

4.4, U_iSequence number S, anti-dual payoff T and interim ID are added in electronic cash M', then electronic cash

4.5, U_iPay electronic cash M' to merchant client.

Specifically, consumer needs to assist U_iBind seller addresses.U_iIt needs by with scanning the two-dimensional code or input businessman The modes such as location information identify seller addresses.It realizes and gives electronic cash payment to businessman M_j。

4.6, after merchant client receives electronic cash, first have to be verified with the identity to user.

It specifically, after merchant client receives electronic cash, first has to be verified with the identity to user, i.e. verification card Whether bright value meets equation：

4.7, merchant client judges the signature of this cash, that is, verifies whether following equalities are true, to determine Now whether gold is signed by bank.

4.8, if upper 2 steps are proved to be successful, receive the electronic cash, electronic cash system is automatically deleted transaction It identifies and performs bargain transaction, otherwise refuse.

Specifically, if upper 2 steps are proved to be successful, receive the electronic cash, merchant client prompting businessman receives Money success, otherwise refuses.

6th, businessman is stored in electronic cash by merchant client in local bank's server

Businessman is stored in an electronic cash in its bank to open an account, and bank then increases corresponding gold in the account of user Volume.Merchant client firstly generates certificate commitment value and proof value, then sends jointly to local silver together with the cash received Row server, local bank's server verify electronic cash validity after receiving response, continue to verify electronic cash if effectively Whether cost is repeated, if being both verified, more new user account table, most backward merchant client returning response.

S601, merchant client is by M''sMerchant client is substituted for oneself identity It promises to undertakeAnd produce proof value

In S601 replaced generations, are deposited electronic cash by S602, merchant clientIt is sent to local bank's server LB_c。

S603, LB_cVerify merchant client identity.

S604, LB_cDetermine M " whether effectively.

S605, if S603 is verified, and, S604 confirms successfully, then LB_cCheck database in whether have with S-phase with Value.

S606, if without the value same with S-phase, LB_cBy the account of M " deposit merchant clients, and M " is recorded in the database Transaction Information, Transaction Information include at least S and T.

S607, if having the value same with S-phase, LB_cIt is corresponding to obtain S values in databaseIt calculatesBy g^1/S+i+1Bring T=g into^Z·(g^1/S+i+1)^R It acquiresAccording toIdentify Double spending subscriber identity information.

Below again with flow shown in Fig. 9, in local bank's server electronics is stored in by merchant client to businessman Cash illustrates again.

5.1, the electronic cash obtained at consumer is stored in bank by businessman, it is necessary first at electronic cash Reason, is substituted for promise of the client to oneself identity by information related with customer identification in electronic cash, and provides corresponding card Bright value, with step 4.2.

Specifically, merchant client electronic cash M' is stored in bank LB_c, the selection deposit work(first in merchant client Can, merchant client shows local bank's list that user has opened an account, and user selects bank LB_c.Merchant client shows user The cash M' of deposit bank is wanted in the electronic cash locally received, user's selection.Merchant client is firstly the need of by electronic cash It is handled, by information related with customer identification in electronic cashIt is substituted for businessman client Hold the promise to oneself identityAnd corresponding proof value is provided, with step 4.2.

5.2, by treated, cash is sent to LB to merchant client_c。

Specifically, merchant client will treated cashHair Give LB_c。

5.3, LB_cIt first has to determine the true legitimacy that the identity of businessman is promised to undertake and proved, the same step of verification method 2.4。

5.4, LB_cElectronic cash is judged, that is, verify whether can the signature value in M " make true with peer-to-peer.

5.5, if step 5.3 and 5.4 verification are set up simultaneously, prove LB_cObtained electronic cash be it is authentic and valid, And it is deposited into Merchant Account.

5.6, LB_cIt needs to check whether there is value and S-phase etc. in electronic cash deposit electronic cash database Reg [C], if There is equal situation, then this electronic cash, which is repeated, spent, then bank extracts the middle T in two equal cashes of S values, T' is calculated as below：Subsequent bank can be by g^1/S+i+1Value bring T into and acquireSo as to weight Again subscriber identity information is spent to be identified.It was spent if not being repeated, this cash is stored in Merchant Account.And It spends in electronic cash database and records this cash.

Specifically, LB_cIn electronic cash deposit electronic cash database Reg [C] if in check whether there is value and S-phase etc. and have Equal situation, then this electronic cash, which is repeated, spent, then during bank is extracted in two equal cashes of S valuesIt is calculated as below：Then LB_cBy g^1/S+i+1Value bring T=g into^Z·(g^1/S+i+1)^RIt can acquireSo as to Double spending client identity Information is identified.It was spent if not being repeated, this cash is stored in Merchant Account.And spending electronic cash number According to recording this cash in storehouse.

7th, Central Bank's server monitoring illegal transaction

If there are illegal transaction, validated user or local bank have the right to circulate a notice of the Central Bank.The Central Bank needs to pass through This step tracks out the identity of counterparty user.Central Bank input user's credentials C_IDWith opening key sk0, output is used Family identity ID.

S701, CB extract C (σ from electronic cash M " ' is middle₃), C (σ are opened by sk0₃), it calculates

S702, CB are in Reg_LBList item has been searched whether in [i]

S702, if there is list itemThe client identity that then CB is related to according to d trackings M " ', client are user visitor Family end, alternatively, client is merchant client.

For example,

6.1, Central Bank's server extracts to obtain the certificate commitment value C (σ of client first from electronic cash₃), profit With unlatching key sk0=(α₁,α₂), C (σ are opened in signature₃), it calculates

Specifically, validated user or local bank first be by local client, during illegal electronic cash is sent to Entreat bank server.Central Bank's server authentication effectiveness of information, if effectively, extracting to obtain from electronic cash first The certificate commitment value C (σ of user₃), using opening key sk0=(α₁,α₂), C (σ are opened in signature₃), it calculates

6.2, Central Bank's server is in register list Reg_LBList item has been searched whether in [i]If being returned in the presence of if Corresponding identifier d is returned, tracks the identity of client.

8th, the electronic cash arbitration of two clients

Wherein, client can be subscription client, or merchant client, you can to arbitrate 2 user clients Electronic transaction dispute between end can also arbitrate the electronic transaction dispute between 2 merchant clients, can also arbitrate 1 user Electronic transaction dispute between client and 1 merchant client.

Under particular case, if user both sides generate dispute, user view is come by the somewhere bank of electronic cash Judge whether certain electronic cash is to be arbitrated by this judgement of user's generation, inputs certain electronic cash and tracking key Key tk [d], output judge vector τ, and owner can be transferred through with greetings judging whether this electronic cash is to possess tracking key User's generation of tk [d].

Below by taking dispute occurs for user 1 and user 2 as an example, illustrate.

S801, user 1 is by subscription client 1 according to electronic cash M_dIn vk determine to sign and issue M_dLocal bank service Device LB_d, and to LB_dSend M_dRequest for arbitration.

S802, LB_dExtract M_dUser tracking key ciphertext e_d, corresponding tracking key value tk [d] is determined, according to tk [d] Confirm M_dGeneration client.

S803, LB_dOutput blinds valueAnd generation client, so that client 2 is able to verify thatValidity, and with Track arbitrated procedure.

S803 is specifically included：

S803-1, LB_dChoose β ← Z_p。

S803-2, LB_dOutputAnd generation client.

S804, the subscription client 2 of user 2 is by being based onWith e (σ_4,2,c₃)=e (c₂, g) and it tests CardValidity, and pass throughTrack arbitrated procedure.

For example,

7.1, user extracts verification public key vk from electronic cash, to find the place silver for signing and issuing this electronic cash Row, and to its server LB_dSend target electronic cash value M_dTo apply performing arbitration.

Specifically, dispute occurs for user 1 and user 2, then user 1 selects arbitration function in subscription client 1, from user Verification public key vk is extracted in the electronic cash received at 1, to identify the local bank for signing and issuing this electronic cash.User Client 1 is to LB_dSend target electronic cash value M_dTo apply performing arbitration.

7.2, LB_dFrom electric M_dIn extract user tracking key ciphertext e_d, it is close that corresponding tracking is found from user's table Key value tk [d], to confirm that this cash is strictly thus user's generation.

Specifically, LB_dAfter administrator confirms, LB_dFrom M_dIn extract user tracking key ciphertext e_d.It is looked for from user's table To corresponding tracking key value tk [d], to confirm that this cash is strictly thus user's generation.

7.3, LB_dOutput one blinds valueAnd generation client.Anyone is able to verify that the effective of this value of blinding Property, and determine the result of tracing process.

Specifically, LB_dChoose β ← Z_p, export one and blind tripleAnd Client is generated to subscription client 2.

Subscription client 2 passes through equationWith e (σ_4,2,c₃)=e (c₂, g) and verify this ternary The validity of group, and pass through verification equationWhether into Rob Roy determine tracing process as a result, most at last As a result user 2 is distributed to by 2 interface of subscription client.

System provided in this embodiment, subscription client U_iTo local bank server LB_jSend withdrawal request, LB_jFor U_i Bank of deposit's server；LB_jElectronic cash M is generated according to withdrawal request and is sent to U_i；U_iVerify the validity of M；When verification is tied It when fruit is effective, exports and preserves M, solve the various limiting factors that traditional bank note is brought in can merchandising, while effectively protection use The anonymity at family.

It should be clear that the invention is not limited in particular configuration described above and shown in figure and processing. For brevity, it is omitted here the detailed description to known method.In the above-described embodiments, several tools have been described and illustrated The step of body, is as example.But procedure of the invention is not limited to described and illustrated specific steps, this field Technical staff can be suitable between being variously modified, change and add or changing the step after the spirit of the present invention is understood Sequence.

It should also be noted that, the exemplary embodiment referred in the present invention, is retouched based on a series of step or device State certain methods or system.But the present invention is not limited to the order of above-mentioned steps, that is to say, that can be according in embodiment The order referred to performs step, may also be distinct from that the order in embodiment or several steps perform simultaneously.

Finally it should be noted that：Above-described embodiments are merely to illustrate the technical scheme rather than to it Limitation；Although the present invention is described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that： It can still modify to the technical solution recorded in previous embodiment or to which part or all technical characteristic into Row equivalent substitution；And these modifications or substitutions, the essence of appropriate technical solution is not made to depart from various embodiments of the present invention technical side The scope of case.

Claims

1. a kind of electronic cash system, which is characterized in that the system, including：Subscription client and local bank's server；

S401, the subscription client U_iTo local bank server LB_jSend withdrawal request, the LB_jFor the U_iOpen an account Bank server；

S402, the LB_jElectronic cash M is generated according to the withdrawal request and is sent to the U_i；The LB_jUpdate the U_iUse Family credit；

S403, the U_iVerify the validity of the M；

S405 repeats step S401 and subsequent step when verification result is invalid.

2. system according to claim 1, which is characterized in that the S402 is specifically included：

S402-0, the LB_jConfirm that the withdraw funds are not more than the U_iAmount deposited in user account table；

S402-1, the LB_jElectronic cash M is determined according to the withdrawal request；

S402-2, the LB_jUtilize electronic cash signature key ssk_jIt signs to the M, generation signature value σ (M)；

S402-3, the LB_jTo the LB_jCertificate cert_jIt is promised to undertakeAnd Produce proof valueThe cert_j=(A_j,X_j,j_j)；

S402-4, the LB_jBy the σ_j, it is describedThe U is sent to the σ (M)_i；

The S402-2 is specifically included：

S402-2-1, the LB_jChoose random number s ← Z_p, wherein, Z_pRefer to cyclic group, s is to be selected 0 between p integers A random integers；

S402-2-2, the LB_jσ (M) is calculated by equation below：

σ (M)=(ssk_jF(M)^s,g^s)=(k^ZF(m)^s,g^s)；

The g^sFor the s power of g, the g^sFor LB_jPart when M is signed, k are the length of the M,M=(m₁,…,m_k)∈{0,1}^k；

It is describedσ_j4=(u^z,g^z), σ_j5=k^ZF(M)^s, σ_j6 =g^s；

And meet following equation：

<mrow> <mfenced open = "{" close = ""> <mtable> <mtr> <mtd> <mrow> <mi>e</mi> <mrow> <mo>(</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>1</mn> <mo>,</mo> <mn>1</mn> </mrow> </msub> <mo>,</mo> <mi>g</mi> <mo>)</mo> </mrow> <mo>=</mo> <mi>e</mi> <mrow> <mo>(</mo> <mi>u</mi> <mo>,</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>1</mn> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>)</mo> </mrow> </mrow> </mtd> </mtr> <mtr> <mtd> <mrow> <mi>e</mi> <mrow> <mo>(</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>3</mn> </mrow> </msub> <mo>,</mo> <msub> <mi>&Omega;&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>1</mn> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>)</mo> </mrow> <mo>=</mo> <mi>e</mi> <mrow> <mo>(</mo> <mi>u</mi> <mo>,</mo> <mi>g</mi> <mo>)</mo> </mrow> <mo>&CenterDot;</mo> <mi>e</mi> <mrow> <mo>(</mo> <mi>u</mi> <mo>,</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>2</mn> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>)</mo> </mrow> </mrow> </mtd> </mtr> <mtr> <mtd> <mrow> <mi>e</mi> <mrow> <mo>(</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>1</mn> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>,</mo> <mi>g</mi> <mo>)</mo> </mrow> <mo>=</mo> <mi>e</mi> <mrow> <mo>(</mo> <mi>u</mi> <mo>,</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>2</mn> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>)</mo> </mrow> </mrow> </mtd> </mtr> </mtable> </mfenced> <mo>;</mo> </mrow>

Wherein e () is Bilinear Pairing oeprator, Ω=g^γIt is parameter disclosed in the Central Bank, γ is that Central Bank master is close Key；

The S403 is specifically included：

S403-1, the U_iAccording to the σ_j, it is describedVerify the LB_jIdentity；

S403-2, the U_iVerify the σ (M)；

S403-3, if the verification result of S403-1 is to be verified, and, the verification result of S403-2 is also to be verified, then really It is effective to determine verification result；

S403-4, if the verification result of S403-1 for verification not by, if alternatively, the verification result of 403-2 for verification not by, It is invalid then to determine verification result.

3. system according to claim 2, which is characterized in that the S403-2 is specifically included：

Verify whether following equation meets：

<mrow> <mfenced open = "{" close = ""> <mtable> <mtr> <mtd> <mi>e</mi> <mo>(</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>5</mn> </mrow> </msub> <mo>,</mo> <mi>g</mi> <mo>)</mo> <mo>=</mo> <mi>e</mi> <mo>(</mo> <mi>k</mi> <mo>,</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>4</mn> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>)</mo> <mo>&CenterDot;</mo> <mi>e</mi> <mo>(</mo> <mi>F</mi> <mrow> <mo>(</mo> <mi>M</mi> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>6</mn> </mrow> </msub> <mo>)</mo> </mtd> </mtr> <mtr> <mtd> <mi>e</mi> <mo>(</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>4</mn> <mo>,</mo> <mn>1</mn> </mrow> </msub> <mo>,</mo> <mi>g</mi> <mo>)</mo> <mo>=</mo> <mi>e</mi> <mo>(</mo> <mi>u</mi> <mo>,</mo> <msub> <mi>&sigma;</mi> <mrow> <mi>j</mi> <mo>,</mo> <mn>4</mn> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>)</mo> </mtd> </mtr> </mtable> </mfenced> <mo>;</mo> </mrow>

The σ_j,5, σ_j,4,2, σ_j,6, σ_j,4,1, σ_j,4,2For LB_jIssue U_iM in the element that includes.

4. system according to claim 3, which is characterized in that the system further includes：Central Bank's server；

Central Bank's server performs S101 before S401 execution, completes the initialization of the electronic cash system；

The S101 is specifically included：

S101-1, Central Bank's server CB select systematic parameter；

S101-2, the CB productions can include described to group's public key pk and private key that electronic cash is verified, the private key The main private key msk of CB and unlatching key sk0；

S101-3, the CB set up database, the electronic cash that the database has spent for storage, and the LB_jPossess pair The access rights of the database.

5. system according to claim 4, which is characterized in that before the S401, after the S101, further include：

S201, the LB_jIt is registered in the electronic cash system；

S202, the U_iIt is registered in the electronic cash system；

The S201 is specifically included：

S201-1, the LB_jKey in PKI calculates (lbsk [j], lbpk [j]) and sends the commitment value Y of key_j' To the CB；

S201-2, the CB is according to the Y_j' the generation LB_jCredentials cert_jFirst half, and be sent to described LB_j；

S201-3, the LB_jDetermine the cert_jFirst half it is effective after, calculate the LB_jPrivate key sk [j], and to described Sk [j] is signed to obtain s [j], and the s [j] is sent to the CB；

After S201-4, the CB verify that the s [j] is correct according to lbpk [j], by (j, lbpk [j], A_j,X_j,S_j) it is added to note Volume table Reg_LBIn [j]；

S201-5, the CB send the cert_jFront and rear partTo the LB_j；

S201-6, the LB_jVerify the X_j,1After correct, by the cert_jFirst half and the X_j,1Merge into cert_j；

S201-7, the LB_jGenerate ssk_jAnd electronic cash authentication secret vk, and announce the vk；

The S202 is specifically included：

S202-1, the U_iKey in PKI calculates (lbsk [i], lbpk [i]) and sends the commitment value Y of key_i' give The CB；

S202-2, the CB is according to the Y_i' the generation U_iCredentials cert_iFirst half, and be sent to the U_i；

S202-3, the U_iDetermine the cert_iFirst half it is effective after, calculate the U_iPrivate key y_i, and to the y_iIt carries out Signature obtains s_i, by the s_iIt is sent to the CB；

S202-4, the CB verify s according to lbpk [i]_jAfter correct, by the U_iInformation be added to registration table Reg_uIn [i]；

S202-5, the CB send the cert_iFront and rear part X_i,1To the U_i；

S202-6, the U_iVerify the X_i,1After correct, by the cert_iFirst half and the X_i,1Merge into cert_i；

S202-7, the U_iAccording to the y_iGeneration tracking key tk [i], encrypts the tk [i] and obtains user tracking key ciphertext e_i；

S202-8, the U_iBy the e_i, A_i, X_i,2,The CB is sent to after signature；

The CB is by tuple (i, lbpk [i], A_i,X_i,e_i,s_i) it is added to the Reg_uIn [i].

6. system according to claim 5, which is characterized in that the S201-1 is specifically included：

S201-1-1, the LB_jThe key in PKI is transferred to (lbsk [j], lbpk [j])；

S201-1-2, the LB_jRandomly choose y_j'←Z_p；

S201-1-3, the LB_jIt calculatesBy the Y_j' it is sent to the CB；

The S201-2 is specifically included：

S201-2-1, the CB selections

S201-2-1, the CB generate the LB_jCredentials cert_jFirst half (y_j”,A_j,X_j,2), and send (y_j”, A_j,X_j,2) give the LB_j；

Wherein,

The S201-3 is specifically included：

S201-3-1, the LB_jVerificationIt is whether true；

S201-3-2, if so, the then LB_jCalculate sk [j]=y_j=y_j'+y_j", and obtain equation

S201-3-3 is rightIt is signed to obtain s_j；

S201-3-4, by (j, lbpk [j], A_j,X_j,S_j) it is sent to the CB；

The S201-6 is specifically included：

S201-6-1, the LB_jVerificationIt is whether true；

S201-6-2, if set up, the LB_jVerify the X_j,1Correctly；

S201-6-3, by the cert_jFirst half and the X_j,1Merge into cert_j；

The S201-7 is specifically included：

S201-7-1, the LB_jChoose random number z ← Z_p；

S201-7-2, the LB_jGenerate ssk_j=k^zAnd vk=g^z, and announce the vk.

7. system according to claim 6, which is characterized in that before the S401, after the S202, further include：

S301, the U_iTo the U_iCertificate cert_iIt is promised to undertake, obtains commitment valueAnd produce proof value Π_i；

S302, the U_iBy described inThe Π_iAnd the e_iIt is sent to the LB_j；

S303, the LB_jConfirm the U_iIdentity and cert_iIt is the U after legal_iIt opens an account；

S304, the LB_jBy the e_iIt is sent to the CB；

S305, the CB is according to sk0 (α₁,α₂) calculateBy the e_iAnd the tk [i] is sent to The LB_j；

S306, the LB_jBy (e_i, tk [i]) it is added to user and opens an account in list；

The cert_iFor

The S301 is specifically included：

S301-1, the U_iRandom selectionWherein b=1 ..., 5；

S301-2, the U_iIt calculates

Wherein, it is described

S301-3, the U_iAccording toIt calculates：

The S302 is specifically included：

The U_iBy described inIt is sent to the LB_j；

The S303 is specifically included：

S303-1, the LB_jVerify whether following equation is true：

S303-2, if equation is set up, the LB_jConfirm the U_iIdentity and cert_iIt is legal, to the U_iReturn to confirmation message simultaneously For the U_iIt opens an account；

S303-2, if equation is invalid, the LB_jConfirm the U_iIdentity and cert_iIt is illegal, to the U_iReturn is unsuccessfully believed Breath.

8. system according to claim 7, which is characterized in that the system also includes：Merchant client；

After the S404, further include：

S501, the U_iIt calculates sequence number S when spending electronic cash and prevents dual payoff

S502, the U_iBy the M'sIt is substituted for the U_iTo the promise of oneself identity

S503, the U_iGenerate the temporary mark of the electronic cash spent

S504, the U_iGenerate proof value

S505, the U_iGenerate the electronic cash spent

<mrow> <msup> <mi>M</mi> <mo>&prime;</mo> </msup> <mo>=</mo> <mo>{</mo> <mover> <mi>&sigma;</mi> <mo>&RightArrow;</mo> </mover> <mo>=</mo> <mrow> <mo>(</mo> <msub> <mi>&sigma;</mi> <mn>0</mn> </msub> <mo>,</mo> <mover> <mi>C</mi> <mo>&RightArrow;</mo> </mover> <mo>(</mo> <mrow> <msub> <msup> <mi>&sigma;</mi> <mo>&prime;</mo> </msup> <mrow> <mi>i</mi> <mn>1</mn> </mrow> </msub> </mrow> <mo>)</mo> <mo>,</mo> <mover> <mi>C</mi> <mo>&RightArrow;</mo> </mover> <mo>(</mo> <mrow> <msub> <msup> <mi>&sigma;</mi> <mo>&prime;</mo> </msup> <mrow> <mi>i</mi> <mn>2</mn> </mrow> </msub> </mrow> <mo>)</mo> <mo>,</mo> <mover> <mi>C</mi> <mo>&RightArrow;</mo> </mover> <mo>(</mo> <mrow> <msub> <msup> <mi>&sigma;</mi> <mo>&prime;</mo> </msup> <mrow> <mi>i</mi> <mn>3</mn> </mrow> </msub> </mrow> <mo>)</mo> <mo>,</mo> <msub> <mi>&sigma;</mi> <mn>4</mn> </msub> <mo>,</mo> <msub> <mi>&sigma;</mi> <mn>5</mn> </msub> <mo>,</mo> <msub> <mi>&sigma;</mi> <mn>6</mn> </msub> <mo>)</mo> </mrow> <mo>,</mo> <msub> <msup> <mover> <mi>&pi;</mi> <mo>&RightArrow;</mo> </mover> <mo>&prime;</mo> </msup> <mrow> <mi>i</mi> <mn>1</mn> </mrow> </msub> <mo>,</mo> <msub> <msup> <mover> <mi>&pi;</mi> <mo>&RightArrow;</mo> </mover> <mo>&prime;</mo> </msup> <mrow> <mi>i</mi> <mn>2</mn> </mrow> </msub> <mo>,</mo> <msub> <msup> <mover> <mi>&pi;</mi> <mo>&RightArrow;</mo> </mover> <mo>&prime;</mo> </msup> <mrow> <mi>i</mi> <mn>3</mn> </mrow> </msub> <mo>,</mo> <msub> <msup> <mover> <mi>&pi;</mi> <mo>&RightArrow;</mo> </mover> <mo>&prime;</mo> </msup> <mrow> <mi>i</mi> <mn>4</mn> </mrow> </msub> <mo>,</mo> <mi>S</mi> <mo>,</mo> <mi>T</mi> <mo>}</mo> <mo>;</mo> </mrow>

S506, the U_iPay the M' to the merchant client；

S507, the merchant client is to the U_iIdentity verified；

Whether S508, the merchant client confirm the M' by the LB_jSignature；

S509, if the S507 is verified, and, the S508 confirms successfully, then the merchant client receives the M'；

S510, the electronic cash system, which is deleted, spends the relevant transaction ID of electronic cash, and performs the transaction；

The S504 is specifically included：

The U_iAccording toIt calculates：

The S507 is specifically included：

The merchant client verifies whether following equation is true：

The S508 is specifically included：

The merchant client verifies whether following equation is true：

<mrow> <mfenced open = "{" close = ""> <mtable> <mtr> <mtd> <mi>e</mi> <mo>(</mo> <msub> <mi>&sigma;</mi> <mn>5</mn> </msub> <mo>,</mo> <mi>g</mi> <mo>)</mo> <mo>=</mo> <mi>e</mi> <mo>(</mo> <mi>k</mi> <mo>,</mo> <msub> <mi>&sigma;</mi> <mrow> <mn>4</mn> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>)</mo> <mo>&CenterDot;</mo> <mi>e</mi> <mo>(</mo> <mi>F</mi> <mrow> <mo>(</mo> <mi>M</mi> <mo>)</mo> </mrow> <mo>,</mo> <msub> <mi>&sigma;</mi> <mn>6</mn> </msub> <mo>)</mo> </mtd> </mtr> <mtr> <mtd> <mi>e</mi> <mo>(</mo> <msub> <mi>&sigma;</mi> <mrow> <mn>4</mn> <mo>,</mo> <mn>1</mn> </mrow> </msub> <mo>,</mo> <mi>g</mi> <mo>)</mo> <mo>=</mo> <mi>e</mi> <mo>(</mo> <mi>u</mi> <mo>,</mo> <msub> <mi>&sigma;</mi> <mrow> <mn>4</mn> <mo>,</mo> <mn>2</mn> </mrow> </msub> <mo>)</mo> </mtd> </mtr> </mtable> </mfenced> <mo>.</mo> </mrow>

9. system according to claim 8, which is characterized in that after the S509, further include：

S601, the merchant client is by the M''sThe merchant client is substituted for certainly The promise of own identityAnd produce proof value

In S601 replaced generations, are deposited electronic cash by S602, the merchant clientIt is sent to local bank's service Device LB_c；

S603, the LB_cVerify the merchant client identity；

S604, the LB_cDetermine the M " whether effectively；

S605, if the S603 is verified, and, the S604 confirms successfully, then the LB_cCheck in the database whether There is the value same with the S-phase；

S606, if without the value same with the S-phase, LB_cThe M " is stored in the account of the merchant client, and in the number According to the Transaction Information that the M " is recorded in storehouse, the Transaction Information includes at least S and T；

S607, if having the value same with the S-phase, LB_cIt is corresponding to obtain S values in the databaseMeter It calculatesBy the g^1/S+i+1Bring T=g into^Z· (g^1/S+i+1)^RIt acquiresAccording to describedIdentify Double spending subscriber identity information.

10. system according to claim 9, which is characterized in that after the S509, further include：

S701, the CB extract C (σ from electronic cash M " ' is middle₃), the C (σ are opened by the sk0₃), it calculates

S702, the CB is in the Reg_LBList item has been searched whether in [i]

S702, if there is list itemThe client identity that then CB is related to according to the d trackings M " ', the client For subscription client, alternatively, the client is merchant client.

11. system according to claim 10, which is characterized in that after the S509, further include：

S801, client 1 is according to electronic cash M_dIn vk determine to sign and issue the M_dLocal bank server LB_d, and to described LB_dSend the M_dRequest for arbitration；

S802, the LB_dExtract the M_dUser tracking key ciphertext e_d, determine corresponding tracking key value tk [d], according to The tk [d] confirms the M_dGeneration client；

S803, the LB_dOutput blinds valueAnd generation client；

S804, the client 2 pass throughWith e (σ_4,2,c₃)=e (c₂, g) and verificationValidity, and lead to It crossesTrack arbitrated procedure；

The S803 is specifically included：

S803-1, the LB_dChoose β ← Z_p；

S803-2, the LB_dOutputAnd generation client.