CN111539719A - Auditable coin-mixing service method and system model based on blind signatures


Publication number: CN111539719A (granted version: CN111539719B)
Application number: CN202010182313.9A
Authority: CN (China)
Original language: Chinese (zh); the text below is a translation
Legal status: Granted (as listed on the patent page; not a legal conclusion)
Prior art keywords: mixing, coin, server, user, service
Inventors:
汤红波
游伟
乔康
赵宇
刘树新
柏溢
朱可云
李海涛
许明艳
王领伟
陈云杰
秦小刚
Current assignees (as listed on the patent page): Information Engineering University of PLA Strategic Support Force; Network Communication and Security Zijinshan Laboratory
Original assignee: Information Engineering University of PLA Strategic Support Force
Filing: application CN202010182313.9A filed by Information Engineering University of PLA Strategic Support Force; published as CN111539719A; granted as CN111539719B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; details thereof
    • G06Q20/382 Payment protocols ensuring higher security of the transaction
    • G06Q20/3825 Use of electronic signatures
    • G06Q20/3829 Involving key management
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; review and approval of payers, e.g. checking credit lines or negative lists
    • G06Q20/401 Transaction verification

Abstract

The invention belongs to the technical field of blockchain privacy protection and relates in particular to an auditable coin-mixing service method and system model based on blind signatures. Before the mixing service starts, the coin-mixing server and the user each generate a key pair, publish the public key and keep the private key; the service is then started, the server responds, and the transaction message is blinded, blind-signed and unblinded, after which the mixing is carried out. The system model comprises a coin-mixing server, a user and an audit blockchain. The method not only breaks the link between input and output addresses, achieving privacy protection, but also reduces computation and storage overhead by using a strong blind signature algorithm based on elliptic curves. The scheme also has good security properties, including anonymity, DoS resistance and theft resistance, and achieves a secure and auditable blind coin-mixing service through an economic penalty mechanism and an audit blockchain.

Description

Auditable coin-mixing service method and system model based on blind signatures
Technical Field
The invention belongs to the technical field of blockchain privacy protection and relates in particular to an auditable coin-mixing service method and system model based on blind signatures.
Background
A blockchain is an open ledger: transaction information is collected and recorded in detail, and any participant can query what is on the chain, so blockchains face serious privacy-disclosure risks. To protect user privacy, blockchains offer a degree of pseudonymity: a user can locally derive, through a series of cryptographic transformations, random addresses that are unrelated to their identity. Such random addresses (pseudonyms) are typically used as the input and output accounts of transactions, and although they are more anonymous than conventional account numbers, the privacy they provide is limited. An attacker can trace and analyse blockchain transactions and, by correlating them with information such as address IDs and IP addresses, track the association between accounts and transactions and so infer both transaction and identity privacy. Unlike in conventional systems, information recorded on a blockchain cannot be deleted or altered, so sensitive information cannot be withdrawn once it has leaked; blockchain systems therefore have to pay particular attention to privacy protection, and a complete privacy-protection service for blockchain users is urgently needed.
One intuitive blockchain privacy-protection approach is coin mixing: the contents of transactions are mixed together, without changing their outcome, to make analysis harder. In early coin-mixing schemes, in order to complete the mixing correctly and pay out to the right user address, the mixing server knew all the mixing information; the user's input and output addresses were transparent to it, which is a serious privacy-disclosure risk. To counter this, researchers proposed improved schemes based on blind signatures, which ensure that the server cannot associate input and output addresses while still providing the mixing service normally. Blind-signature schemes effectively counter the risk that the mixing server reveals the privacy of blockchain users, but they carry high computation and storage costs. Since computation and storage overhead is currently a bottleneck for blockchain development, a more efficient and energy-saving blind signature scheme that still meets the required security strength is needed. In addition, the mixing server may steal funds and the user may delay payment, and misbehaviour by either party reduces security and execution efficiency, so an auditable coin-mixing protocol is needed that supervises the behaviour of both the server and the user and ensures the security and efficiency of the service.
Disclosure of Invention
To address the insufficient efficiency and accountability of existing coin-mixing schemes, the invention provides an auditable coin-mixing service method and system model based on blind signatures that reduce computation and storage overhead at the same security strength, improve mixing efficiency, are auditable, resist DoS (denial-of-service) and theft attacks, and improve the protection of privacy.
To this end, the invention adopts the following technical scheme.
The invention provides an auditable coin-mixing service method based on blind signatures, comprising the following steps:
before the mixing service starts, the coin-mixing server and the user each generate a key pair, publish the public key and keep the private key;
the mixing service starts and the user requests the service from the coin-mixing server;
if the server accepts the request, it sends an escrow address to the user;
after receiving the escrow address, the user blinds the mixing transaction message and transfers the mixing funds to the escrow address within the time limit;
the server blind-signs the blinded mixing transaction message and sends the blind signature to the audit blockchain within the time limit;
the user unblinds the blind signature and, within the time limit, sends the operation proof from an anonymous address to the audit blockchain for verification;
after the signature verifies, the server transfers the mixing funds from a second escrow address to the user's destination address within the time limit.
Further, the coin-mixing server M generates a key pair $(P, d)$ and the user U generates a key pair $(Q, f)$, where $P$ is the public key of M, $d$ the private key of M, $Q$ the public key of U and $f$ the private key of U.
Further, when the mixing service starts, the user U requests the service by sending the request $\{D, P, v_U\}$ to the coin-mixing server M, where $D$ is the set of coin-mixing parameters (given in the source only as formula image BDA0002412991530000031) consisting of: $(t_1, t_2, t_3, t_4)$, the time limits for completing the individual steps; $v$, the amount of a single mixing; the number of blocks M waits before treating U's transfer as confirmed (its symbol is given only as formula image BDA0002412991530000032); $\rho$, the service fee rate paid by U to M; $v_M$, the deposit M has lodged with the system in advance; and $v_U$, the mixing funds U transfers to M, with $v_M \gg v_U$.
Further, if the coin-mixing server accepts the request, it sends an escrow address to the user as follows: M picks a random integer $k$ from the set shown as formula image BDA0002412991530000033 (described on the page only as a set of positive integers; since all arithmetic below is modulo the group order $n$, this is the non-zero residues modulo $n$), computes $R = kG$, where $G$ is the base point generating the cyclic subgroup of order $n$ on the elliptic curve (the source calls $G$ itself "a finite cyclic group of order n") and $R$ is the escrow address M provides to U, and then sends $\{R, \mathrm{sign}_d(R)\}$ to U, where $\mathrm{sign}_d(R)$ is M's digital signature on the escrow address $R$ with its private key $d$.
Further, U blinds the mixing transaction message $m$ and transfers the mixing funds to the escrow address $R$ within the time limit, where $m = \{U_{out} \,\|\, P \,\|\, v_U \,\|\, \mathrm{nonce}\}$: $U_{out}$ is U's destination address, $P$ is M's public key, $v_U$ the mixing funds U transfers to M, and nonce is a random number that makes each message distinct. Specifically, if $\mathrm{sign}_d(R)$ verifies, then within time $t_1$: (1) U picks three random integers $\alpha, \beta, \lambda$ (from the set shown as formula image BDA0002412991530000034, again the non-zero residues modulo $n$) as blinding factors and computes $A = \alpha R + \beta Q + \lambda G = (x, y)$ and $r = x \bmod n$, where $A$ is a point on the elliptic curve with coordinates $(x, y)$ and $n$ is the group order; if $r = 0$, U reselects $\alpha, \beta, \lambda$. U then computes $c = \mathrm{SHA256}(m \,\|\, r)$ and the blinded message $c' = \alpha^{-1}(c - \lambda) \bmod n$, where SHA256 is the hash function with a 256-bit output and $c$ is the hash of the message $m$ concatenated with $r$. (Note that the correctness derivation in the detailed description only holds if the point written $Q$ in this expression is the signer's public key $P = dG$.) (2) U transfers the mixing funds from $U_{in}$ to $R$; the transaction is recorded on the audit blockchain as $\mathrm{transfer}(v, U_{in}, R)$, where $U_{in}$ is U's real address, and its transaction ID is tx_id. After (1) and (2), U sends $(c', v, \mathrm{tx\_id}, \mathrm{sign}_f(c', v, \mathrm{tx\_id}))$ to M to request a signature, where $\mathrm{sign}_f(c', v, \mathrm{tx\_id})$ is U's digital signature on $(c', v, \mathrm{tx\_id})$ with its private key $f$.
Further, the coin-mixing server M blind-signs the blinded mixing transaction message $c'$ and sends the blind signature to the audit blockchain within the time limit, as follows: if $\mathrm{sign}_f(c', v, \mathrm{tx\_id})$ and tx_id verify, then within time $t_2$ M computes the blind signature $S' = d^{-1}(k - c') \bmod n$ and sends $(S', \mathrm{sign}_d(S'))$ to U and to the audit blockchain, where $\mathrm{sign}_d(S')$ is M's digital signature on the blind signature $S'$ with its private key $d$; the record M sends to the audit blockchain is $\mathrm{transfer}((S', \mathrm{sign}_d(S')), R, R_P)$, where $R_P$ is the address of the audit blockchain.
Further, the user U unblinds the blind signature $S'$ and sends the operation proof $(c, S, m)$ to the audit blockchain from an anonymous address within the time limit, as follows: if $\mathrm{sign}_d(S')$ verifies, then within time $t_3$ U computes $S = \alpha S' + \beta \bmod n$, so that $S$ is the unblinded form of $S'$ and $(c, S)$ is the signature, and sends $(c, S, m)$ to the audit blockchain from the address $U_{in}'$, U's anonymous address.
Further, after the signature verifies, the coin-mixing server transfers the mixing funds from a second escrow address to the user's destination address within the time limit, as follows: the signature $(c, S)$ is verified by the equation $c = \mathrm{SHA256}(m \,\|\, R_x(cG + SQ) \bmod n)$, where $R_x(\cdot)$ takes the x coordinate of a point; if it verifies, then within time $t_4$ M transfers the mixing funds from $R'$ to $U_{out}$, where $R'$ is the escrow address from which M pays $U_{out}$ and is independent of $R$; the transaction is recorded on the audit blockchain as $\mathrm{transfer}(v - v\rho, R', U_{out})$, and the mixing service is finished.
Further, if U fails to transfer the mixing funds to the escrow address $R$ within time $t_1$, both parties terminate the protocol;
if M fails to send the blind signature $S'$ to the audit blockchain within time $t_2$, U publishes $\mathrm{transfer}(v, U_{in}, R)$ and $\{R, \mathrm{sign}_d(R)\}$ as evidence that M violated the protocol, and once M's violation is verified the system revokes M's request to redeem its deposit;
if $U_{in}'$ fails to send $(c, S, m)$ to the audit blockchain within time $t_3$, M publishes $(S', \mathrm{sign}_d(S'))$ as evidence that U violated the protocol;
if M fails to transfer the mixing funds to $U_{out}$ within time $t_4$, U publishes $\{(c, S, m), S'\}$, the $\mathrm{transfer}(v, U_{in}, R)$ made within $t_1$, and the fact that M did not complete $\mathrm{transfer}(v - v\rho, R', U_{out})$ within $t_4$ as evidence that M violated the protocol. (A practical caveat: this last piece of evidence joins $U_{in}$ to $U_{out}$ on the public audit chain, so a user who disputes a missing payout gives up the unlinkability of that session.)
The invention also provides a system model for an auditable coin-mixing service based on blind signatures, comprising:
the coin-mixing server, which is the executor of the mixing service;
the user, who is the requester of the mixing service;
and the audit blockchain, which is the supervisor of the mixing service and is used for third-party verification.
Compared with the prior art, the invention has the following advantages:
1. Efficiency. The efficiency of the invention lies mainly in the low storage and computation overhead of the signing process: the storage overhead depends on the key length and the computation overhead on the running time of the operations.
2. Auditability. The invention uses the audit blockchain as the audit log; user and server must follow the protocol and carry out the corresponding steps within the prescribed times, and when either party violates the protocol it can be held correctly accountable.
3. Security. The invention addresses three security properties: anonymity, DoS resistance and theft resistance.
Anonymity: the most important property of a coin-mixing service is anonymity, measured by unlinkability and untraceability. (1) Untraceability. The server receives and pays out the mixing funds through different escrow addresses $R$ and $R'$, so the user's input address $U_{in}$ and output address $U_{out}$ are not connected by any audit-blockchain transaction and cannot be traced to each other. As shown in fig. 4, an attacker who knows the address of user $U_n$ can follow the public ledger of the audit blockchain from $U_{n,in}$ to $R_n$, and from the payout escrow address to $U_{out}$, but cannot link $U_{n,in}$ and $U_{out}$. (2) Unlinkability. The server obtains $(c, S, m)$, sent from $U_{in}'$, via the audit blockchain and transfers the funds once the equation $c = \mathrm{SHA256}(m \,\|\, R_x(cG + SQ) \bmod n)$ verifies. Since $U_{in}$ and $U_{in}'$ are unrelated and the single mixing amount is fixed, the server cannot deanonymise by amount; it would have to link the signature $(c, S)$ and message to the blind signature $(c', S')$ it issued, and to do so it would need the three blinding factors $\alpha, \beta, \lambda$, which only the user knows. The mixing service of the invention is therefore unlinkable.
DoS resistance: in this method each user interacts only with the coin-mixing server, so a user who refuses to follow the protocol does not affect other users or slow down the mixing. Moreover, since participating in the service costs a fee, a DoS attack on the server imposes a heavy economic burden on the attacker.
Theft resistance: since the coin-mixing server lodges a deposit far exceeding the single mixing amount, and the protocol includes an auditable accountability mechanism, stealing the mixing funds does not pay for the server.
Drawings
In order to illustrate the embodiments of the invention or the prior art more clearly, the drawings used in their description are briefly introduced below; the drawings show some embodiments of the invention, and a person skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is a block diagram of the system model of the auditable coin-mixing service based on blind signatures according to an embodiment of the invention;
FIG. 2 is a flow chart of the auditable coin-mixing service method based on blind signatures according to an embodiment of the invention;
FIG. 3 is a flow chart of the elliptic-curve Schnorr strong blind signature algorithm according to an embodiment of the invention;
FIG. 4 is a diagram of the trace-attack analysis according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the invention clearer and more complete, the technical solutions are described below with reference to the drawings; the described embodiments are some, but not all, of the embodiments of the invention, and all other embodiments that a person of ordinary skill in the art can obtain from them without inventive effort fall within the scope of the invention.
Example one
As shown in fig. 1, the system model of the auditable coin-mixing service based on blind signatures provided by this embodiment comprises a coin-mixing server, a user and an audit blockchain.
Coin-mixing server (Mixer): the coin-mixing server M is the executor of the mixing service. It provides an escrow address $R$ to the user, who transfers the amount $v$ to be mixed from $U_{in}$. After the transaction from $U_{in}$ to $R$ is confirmed, M generates another escrow address $R'$ and transfers the funds $v - v\rho$ from it to $U_{out}$. To increase security and reduce the attack risk, an incentive mechanism can be introduced so that several coin-mixing servers compete for the opportunity to provide the service.
User (User): the user U is the requester of the mixing service. With the help of the coin-mixing server, the user moves funds from their own address $U_{in}$ to another address $U_{out}$, and it is then difficult for an attacker to link $U_{in}$ and $U_{out}$.
Audit blockchain (Audit block chain): the audit blockchain is the supervisor of the mixing service and can be regarded as an append-only, unalterable bulletin board used for third-party verification. It shares information in the form of a blockchain, and a sender records evidence on it in the form of a transaction. Both the user and the coin-mixing server can publish messages on it; a message cannot be deleted once published, and if either party violates the protocol, the offending behaviour can be proved from the public information on the audit blockchain.
Blind signatures effectively counter the risk that the mixer reveals the privacy of blockchain users, but existing blind-signature mixing schemes still have high computation and storage overhead. Because the mathematical basis of elliptic-curve cryptography is the discrete logarithm problem in the elliptic-curve group, it offers higher security per bit than conventional public-key systems based on integer factorisation, with shorter keys at the same security level. To reduce computation and storage overhead, the Schnorr blind signature is therefore extended to elliptic curves using the affine-transformation construction of blind signatures. In addition, to strengthen the blind signature, three random blinding parameters are used, giving the elliptic-curve Schnorr strong blind signature algorithm shown in fig. 3.
Under the system model of the auditable coin-mixing service based on blind signatures, the elliptic-curve Schnorr strong blind signature algorithm is applied together with an economic penalty mechanism and audit measures to obtain an efficient and secure auditable coin-mixing service method, in which the behaviour of the coin-mixing server and the user is constrained by economic reward and penalty. On the server side, before M may provide the mixing service it must lodge a large integrity deposit (far exceeding the single mixing amount) as a credit guarantee. If M provides the service normally, it receives the corresponding reward after each mixing and can redeem the deposit; if M misbehaves, by deliberately delaying or stealing funds, the whole deposit is forfeited once the violation is verified. On the user side, U transfers the mixing funds to M before the service; if the flow executes normally the mixing is completed, whereas if U deliberately delays or launches requests maliciously (a DoS attack), the mixing funds are forfeited as compensation to the server once the violation is verified. To maximise their income, both server and user therefore follow the protocol rules, which ensures normal execution. The audit measures use the tamper-resistance of the audit blockchain to record the mixing information of server and user, and use those records as trustworthy evidence for auditing both parties' behaviour.
Compared with existing schemes, the main characteristic of the method is efficiency: applying the elliptic-curve Schnorr strong blind signature reduces the storage and computation overhead of the signing process.
As shown in fig. 2, the auditable coin-mixing service method based on blind signatures of this embodiment comprises the following steps.
Step 1. System initialisation.
Before the mixing service starts, the coin-mixing server M generates a key pair $(P, d)$ and the user U generates a key pair $(Q, f)$; both publish their public keys and keep their private keys. $P$ is the public key of M, $d$ the private key of M, $Q$ the public key of U and $f$ the private key of U.
Step 2. Requesting the coin-mixing service.
The mixing service starts and the user U requests it by sending the request $\{D, P, v_U\}$ to the coin-mixing server M, where $D$ is the set of coin-mixing parameters (given in the source only as formula image BDA0002412991530000091) consisting of: $(t_1, t_2, t_3, t_4)$, the time limits for completing the individual steps; $v$, the amount of a single mixing; the number of blocks M waits before treating U's transfer as confirmed (its symbol is given only as formula image BDA0002412991530000092); $\rho$, the service fee rate paid by U to M; $v_M$, the deposit M has lodged with the system in advance; and $v_U$, the mixing funds U transfers to M, with $v_M \gg v_U$.
Step 3(a). Escrow address distribution.
The coin-mixing server M accepts the request and sends an escrow address to the user U. M picks a random integer $k$ from the set shown as formula image BDA0002412991530000093 (described on the page as a set of positive integers; in context, the non-zero residues modulo $n$) and computes $R = kG$, where $R$ is the escrow address, unique to each user and provided by M to U, and $G$ is the base point generating the cyclic subgroup of order $n$ on the elliptic curve. M then sends $\{R, \mathrm{sign}_d(R)\}$ to U, where $\mathrm{sign}_d(R)$ is M's digital signature on $R$ with its private key $d$.
Step 3(b). Service refused.
The coin-mixing server M refuses the request and sends an empty message to the user U.
Step 4(a1). Blinding.
U blinds the mixing transaction message $m$ and transfers the mixing funds to the escrow address $R$, where $m = \{U_{out} \,\|\, P \,\|\, v_U \,\|\, \mathrm{nonce}\}$: $U_{out}$ is U's destination address, $P$ is M's public key, $v_U$ the mixing funds U transfers to M, and nonce is a random number that makes each message distinct. If $\mathrm{sign}_d(R)$ verifies, then within time $t_1$: (1) U picks three random integers $\alpha, \beta, \lambda$ (from the set shown as formula image BDA0002412991530000101, the non-zero residues modulo $n$) as blinding factors and computes $A = \alpha R + \beta Q + \lambda G = (x, y)$ and $r = x \bmod n$, where $A$ is a point on the elliptic curve with coordinates $(x, y)$ and $n$ is the group order; if $r = 0$, U reselects $\alpha, \beta, \lambda$. U then computes $c = \mathrm{SHA256}(m \,\|\, r)$ and the blinded message $c' = \alpha^{-1}(c - \lambda) \bmod n$, where SHA256 is the hash function with a 256-bit output. (2) U transfers the mixing funds from $U_{in}$ to $R$; the transaction is recorded on the audit blockchain as $\mathrm{transfer}(v, U_{in}, R)$, where $U_{in}$ is U's real address, and its transaction ID is tx_id. After (1) and (2), U sends $(c', v, \mathrm{tx\_id}, \mathrm{sign}_f(c', v, \mathrm{tx\_id}))$ to M to request a signature, where $\mathrm{sign}_f(c', v, \mathrm{tx\_id})$ is U's digital signature on $(c', v, \mathrm{tx\_id})$ with its private key $f$.
Step 4(a2). Audit within $t_1$.
If U fails to transfer the mixing funds to the escrow address $R$ within time $t_1$, both parties terminate the protocol.
Step 4(b). Verification failure.
If $\mathrm{sign}_d(R)$ fails to verify, the protocol terminates.
Step 5(a1). Blind signature.
The coin-mixing server M blind-signs the blinded mixing transaction message $c'$. If $\mathrm{sign}_f(c', v, \mathrm{tx\_id})$ and tx_id verify, then within time $t_2$ M computes the blind signature $S' = d^{-1}(k - c') \bmod n$ and sends $(S', \mathrm{sign}_d(S'))$ to U and to the audit blockchain, where $\mathrm{sign}_d(S')$ is M's digital signature on $S'$ with its private key $d$; the record M sends to the audit blockchain is $\mathrm{transfer}((S', \mathrm{sign}_d(S')), R, R_P)$, where $R_P$ is the address of the audit blockchain.
Step 5(a2). Audit within $t_2$.
If M fails to send the blind signature $S'$ to the audit blockchain within time $t_2$, U publishes $\mathrm{transfer}(v, U_{in}, R)$ and $\{R, \mathrm{sign}_d(R)\}$ as evidence that M violated the protocol, and once M's violation is verified the system revokes M's request to redeem its deposit.
Step 5(b). Verification failure.
If $\mathrm{sign}_f(c', v, \mathrm{tx\_id})$ or tx_id fails to verify, the protocol terminates.
Step 6(a1). Unblinding.
The user U unblinds the blind signature $S'$. If $\mathrm{sign}_d(S')$ verifies, then within time $t_3$ U computes $S = \alpha S' + \beta \bmod n$, so that $S$ is the unblinded form of $S'$ and $(c, S)$ is the signature, and sends $(c, S, m)$ to the audit blockchain from the address $U_{in}'$, U's anonymous address.
Step 6(a2). Audit within $t_3$.
If $U_{in}'$ fails to send $(c, S, m)$ to the audit blockchain within time $t_3$, M publishes $(S', \mathrm{sign}_d(S'))$ as evidence that U violated the protocol.
Step 6(b). Verification failure.
If $\mathrm{sign}_d(S')$ fails to verify, the protocol terminates.
And step 7(a1), the mixed currency service is completed.
By the equation c SHA256(m | | | R)x(cG + SQ) modn) verification signature (c, S), RxThe x coordinate value is taken for representation, if the verification is successful, at the time t4In, M goes from R' to UoutTransferring the money of mixed coins, R' represents M to UoutAnd (4) the escrow address for transferring the funds of the mixed coins is independent of R, and the transaction is recorded on an audit block chain and is marked as transfer (v-v rho, R', U)out) And the mixed currency service is finished.
The correctness proof is as follows:
cG + SQ = (c + (αS' + β)d)G
        = (c + (αd^{-1}(k - c') + β)d)G
        = (c + αk - αc' + βd)G
        = (c + αk - α(α^{-1}(c - λ)) + βd)G
        = (αk + λ + βd)G
        = αR + βQ + λG
SHA256(m || R_x(cG + SQ) mod n)
        = SHA256(m || R_x(αR + βQ + λG) mod n)
        = SHA256(m || x mod n)
        = SHA256(m || r)
        = c
Step 7(a2), auditing within t4.
If, within time t4, M fails to transfer the mixed coin funds to U_out, U publishes {(c, S, m), S'}, the transfer(v, U_in, R) made within t1, and the fact that M did not complete transfer(v - vρ, R', U_out) within t4 as evidence that M violated the protocol.
Step 7(b), verification.
If the equation c = SHA256(m || R_x(cG + SQ) mod n) fails verification, the protocol is terminated.
The auditable mixed coin service method based on blind signature not only severs the link between the input address and the output address, achieving privacy protection, but also effectively reduces computation and storage overhead by using a strong blind signature algorithm based on elliptic curves. In addition, the scheme has good security properties, including anonymity, resistance to DoS attacks and resistance to theft attacks, and realizes a secure and auditable blind mixed coin service through an economic penalty mechanism and an audit blockchain.
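As an added worked example (this is not code from the patent, and the patent does not publish an implementation), the following Python script carries steps 4 to 7 above through on the secp256k1 curve: the user blinds c into c', the server blind-signs S' = d^{-1}(k - c'), the user unblinds S = αS' + β, and the final check c = SHA256(m || R_x(cG + SQ) mod n) is run both on the genuine signature and on tampered inputs. The curve choice, the function names, and the byte encoding of m and r (r as 32 big-endian bytes) are assumptions. In particular, the correctness proof above expands βQ as βdG, so the example takes Q to be the signer's public key dG; the page's claim 2 labels Q as the user's key, and a deployment must settle which key Q is before the verification equation can hold.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard public constants; assumed curve for this example).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication; k is reduced modulo the group order n."""
    k %= N
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def h(m: bytes, r: int) -> int:
    """c = SHA256(m || r); r is encoded as 32 big-endian bytes (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(m + r.to_bytes(32, "big")).digest(), "big")


def rand_scalar():
    return secrets.randbelow(N - 1) + 1


def server_escrow():
    """Step 3: M picks k and publishes the escrow point R = kG."""
    k = rand_scalar()
    return k, ec_mul(k, G)


def user_blind(m, R, Q):
    """Step 4(a1): pick blinding factors, A = alpha*R + beta*Q + lambda*G, r = x(A) mod n,
    c = SHA256(m || r), c' = alpha^-1 (c - lambda) mod n. Reselect if r == 0."""
    while True:
        alpha, beta, lam = rand_scalar(), rand_scalar(), rand_scalar()
        A = ec_add(ec_add(ec_mul(alpha, R), ec_mul(beta, Q)), ec_mul(lam, G))
        if A is not None and A[0] % N != 0:
            break
    r = A[0] % N
    c = h(m, r)
    c_blind = pow(alpha, -1, N) * (c - lam) % N
    return c_blind, (alpha, beta, c)  # (alpha, beta, c) stay secret with U


def server_blind_sign(d, k, c_blind):
    """Step 5(a1): S' = d^-1 (k - c') mod n. M learns only c', never c or the final S."""
    return pow(d, -1, N) * (k - c_blind) % N


def user_unblind(s_blind, alpha, beta):
    """Step 6(a1): S = alpha*S' + beta mod n."""
    return (alpha * s_blind + beta) % N


def verify(m, c, S, Q):
    """Step 7: c == SHA256(m || x(cG + SQ) mod n). Anyone with Q and (c, S, m) can run this."""
    point = ec_add(ec_mul(c, G), ec_mul(S, Q))
    return point is not None and c == h(m, point[0] % N)


def run_mixing_round(m):
    """One full exchange; returns what the audit chain would see plus the signer key."""
    d = rand_scalar()
    Q = ec_mul(d, G)              # signer key as used in the correctness proof (assumption)
    k, R = server_escrow()
    c_blind, (alpha, beta, c) = user_blind(m, R, Q)
    s_blind = server_blind_sign(d, k, c_blind)
    S = user_unblind(s_blind, alpha, beta)
    return Q, c, S, c_blind


if __name__ == "__main__":
    # Constructed sample message in the page's m = {U_out || P || v_U || nonce} shape.
    msg = b"U_out:bc1q-example||P:02ab..||v_U:1.0||nonce:7f3a"
    Q, c, S, c_blind = run_mixing_round(msg)
    print("genuine (c, S) verifies:", verify(msg, c, S, Q))
    print("altered m verifies:     ", verify(msg + b"!", c, S, Q))
```

The round-trip only succeeds because the unblinding cancels the server's view exactly as in the proof; the two negative checks show that the audit-side verifier in step 7 rejects a signature bound to a different m or a modified S, which is what lets the chain act as a third-party verifier.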
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. An auditable mixed currency service method based on blind signature is characterized by comprising the following steps:
before the mixed coin service starts, a mixed coin server and a user respectively generate key pairs, public keys are disclosed, and private keys are stored;
the mixed coin service is started, and a user requests the mixed coin service from a mixed coin server;
if the mixed coin server accepts the request, the escrow address is sent to the user;
after receiving the escrow address, the user blindly changes the mixed currency transaction message and transfers the mixed currency fund to the escrow address within a limited time;
the mixed currency server carries out blind signature on the blinded mixed currency transaction message and sends the blind signature to the audit block chain within limited time;
the user blindly resolves the blind signature, and sends the operation certificate to an audit block chain for verification through an anonymous address within a limited time;
after the blind signature verification is successful, the mixed currency server transfers the mixed currency funds from another escrow address to the destination address of the user within a limited time.
2. An auditable mixed coin service method based on blind signature as claimed in claim 1, characterized in that the mixed coin server M generates a key pair (P, d) and the user U generates a key pair (Q, f), where P represents the public key of M, d represents the private key of M, Q represents the public key of U, and f represents the private key of U.
3. The auditable mixed coin service method based on blind signature as claimed in claim 2, characterized in that when the mixed coin service starts, the user U requests the mixed coin service and sends the request instruction {D, P, v}_U to the mixed coin server M, defining a set of mixed coin parameters
Figure FDA0002412991520000011
(t1, t2, t3, t4) denotes the time limits for completing the different steps, v denotes a single mixed coin fund,
Figure FDA0002412991520000012
denotes the number of blocks required for M to confirm that U's transfer transaction succeeded, ρ denotes the mixed coin service fee rate paid by U to M, v_M denotes the deposit that M pays to the system in advance, v_U denotes the mixed coin fund transferred by user U to the mixed coin server M, and v_M >> v_U.
4. The auditable mixed coin service method based on blind signature as claimed in claim 3, characterized in that, if the mixed coin server accepts the request, sending the escrow address to the user specifically comprises: the mixed coin server M randomly selects an integer
Figure FDA0002412991520000021
Figure FDA0002412991520000022
denotes the set of positive integers, computes R = kG, where R denotes the escrow address provided by M to U and G is a finite cyclic group of order n, and then sends {R, sign_d(R)} to U, where sign_d(R) denotes that the mixed coin server M digitally signs the escrow address R using its own private key d.
5. The auditable mixed coin service method based on blind signature as claimed in claim 4, characterized in that U blinds the mixed coin transaction message m and transfers the mixed coin funds to the escrow address R within the time limit, defining m = {U_out || P || v_U || nonce}, where U_out denotes the destination address of U, P denotes the public key of M, v_U denotes the mixed coin fund transferred from user U to the mixed coin server M, and nonce denotes a random number used to generate distinct messages; specifically: if sign_d(R) verifies successfully, then within time t1, (1) U randomly selects three integers
Figure FDA0002412991520000023
as blinding factors, and computes A = αR + βQ + λG = (x, y) and r = x (mod n), where A is a point on the elliptic curve, x and y are the x and y coordinates of A, r is the x coordinate reduced modulo n, and n is the group order; if r = 0, then α, β, λ are reselected. U then computes c = SHA256(m || r) and c' = α^{-1}(c - λ), where c' is the blinded message, c is the hash of the message m concatenated with r, and SHA256 is a hash function with a 256-bit output. (2) U transfers the mixed coin funds from U_in to R; the transaction is recorded on the audit blockchain as transfer(v, U_in, R), where U_in is the real address of U, and the transaction ID is tx_id. After steps (1) and (2) are finished, U sends (c', v, tx_id, sign_f(c', v, tx_id)) to M to request a signature, where sign_f(c', v, tx_id) denotes that user U digitally signs the transmitted content (c', v, tx_id) with its own private key f.
6. The auditable mixed coin service method based on blind signature as claimed in claim 5, characterized in that the mixed coin server M blind-signs the blinded mixed coin transaction message c' and sends the blind signature to the audit blockchain within the time limit, specifically comprising: if sign_f(c', v, tx_id) and tx_id verify successfully, then within time t2 M computes the blind signature S' = d^{-1}(k - c') (mod n) and sends (S', sign_d(S')) to U and to the audit blockchain, where sign_d(S') denotes that the mixed coin server M digitally signs the blind signature S' with its private key d; M's sending of S' to the audit blockchain is recorded as transfer((S', sign_d(S')), R, R_P), where R_P denotes the address of the audit blockchain.
7. The auditable mixed coin service method based on blind signature as claimed in claim 6, characterized in that the user U unblinds the blind signature S' and sends the proof of operation (c, S, m) to the audit blockchain for verification via an anonymous address within the time limit, specifically comprising: if sign_d(S') verifies successfully, then within time t3 U computes S = αS' + β (mod n), where S is the result of U unblinding S', giving the signature (c, S); U then sends (c, S, m) to the audit blockchain from the address U_in', where U_in' denotes the anonymous address of U.
8. The auditable mixed coin service method based on blind signature as claimed in claim 7, characterized in that, after the blind signature verification succeeds, the mixed coin server transfers the mixed coin funds from another escrow address to the destination address of the user within the time limit, specifically comprising: the signature (c, S) is verified with the equation c = SHA256(m || R_x(cG + SQ) mod n), where R_x denotes taking the x coordinate; if verification succeeds, then within time t4 M transfers the mixed coin funds from R' to U_out, where R' is the escrow address from which M transfers the mixed coin funds to U_out and is independent of R; the transaction is recorded on the audit blockchain as transfer(v - vρ, R', U_out), and the mixed coin service is finished.
9. The auditable mixed coin service method based on blind signature as claimed in claim 8, characterized in that:
if, within time t1, U fails to transfer the mixed coin funds to the escrow address R on time, both parties terminate the protocol;
if, within time t2, M fails to send the blind signature S' to the audit blockchain on time, U publishes transfer(v, U_in, R) and {R, sign_d(R)} as evidence that M violated the protocol, and after verifying M's violation the system revokes M's deposit redemption;
if, within time t3, U_in' fails to send (c, S, m) to the audit blockchain, M publishes (S', sign_d(S')) as evidence that U violated the protocol;
if, within time t4, M fails to transfer the mixed coin funds to U_out, U publishes {(c, S, m), S'}, the transfer(v, U_in, R) made within t1, and the fact that M did not complete transfer(v - vρ, R', U_out) within t4 as evidence that M violated the protocol.
10. A system model for auditable mixed currency services based on blind signatures, comprising:
the mixed coin server is an executor of the mixed coin service;
the user is a requester of the mixed currency service;
the audit blockchain is the supervisor of the mixed coin service and is used for third-party verification.
CN202010182313.9A 2020-03-16 2020-03-16 Audit coin-mixing service method and system model based on blind signature Active CN111539719B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010182313.9A CN111539719B (en) 2020-03-16 2020-03-16 Audit coin-mixing service method and system model based on blind signature

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010182313.9A CN111539719B (en) 2020-03-16 2020-03-16 Audit coin-mixing service method and system model based on blind signature

Publications (2)

Publication Number Publication Date
CN111539719A true CN111539719A (en) 2020-08-14
CN111539719B CN111539719B (en) 2023-04-25

Family

ID=71974816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010182313.9A Active CN111539719B (en) 2020-03-16 2020-03-16 Audit coin-mixing service method and system model based on blind signature

Country Status (1)

Country Link
CN (1) CN111539719B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598717A (en) * 2022-04-08 2022-06-07 徐洪记 Distributed cloud storage data access method and data service system
CN116132087A (en) * 2022-09-30 2023-05-16 中国人民解放军战略支援部队信息工程大学 Webpage access log privacy protection method and system based on blockchain
CN116132087B (en) * 2022-09-30 2024-04-26 中国人民解放军战略支援部队信息工程大学 Webpage access log privacy protection method and system based on blockchain

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170109955A1 (en) * 2015-10-20 2017-04-20 Follow My Vote, Inc. Blockchain electronic voting system and method
CN107948143A (en) * 2017-11-15 2018-04-20 安徽大学 The secret protection integrality detection method and system of identity-based in a kind of cloud storage

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170109955A1 (en) * 2015-10-20 2017-04-20 Follow My Vote, Inc. Blockchain electronic voting system and method
CN107948143A (en) * 2017-11-15 2018-04-20 安徽大学 The secret protection integrality detection method and system of identity-based in a kind of cloud storage

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
CHAO LIN等: ""DCAP: A Secure and Efficient Decentralized Conditional Anonymous Payment System Based on Blockchain"", 《 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY》 *
VALENTA L等: ""Blindcoin: blinded, accountable mixes for bitcoin"", 《INTERNATIONAL CONFERENCE ON FINANCIAL CRYPTOGRAPHY AND DATA SECURITY》 *
吴文栋: ""基于盲签名技术的比特币混币系统设计与实现"", 《中国优秀硕士学位论文全文数据库信息科技辑》 *
王子钰等: "基于聚合签名与加密交易的全匿名区块链", 《计算机研究与发展》 *

Also Published As

Publication number Publication date
CN111539719B (en) 2023-04-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201229

Address after: 450000 Science Avenue 62, Zhengzhou High-tech Zone, Henan Province

Applicant after: Information Engineering University of Strategic Support Force,PLA

Applicant after: Network communication and security Zijinshan Laboratory

Address before: 450000 Science Avenue 62, Zhengzhou High-tech Zone, Henan Province

Applicant before: Information Engineering University of Strategic Support Force,PLA

GR01 Patent grant