CN112765668A - Zero-knowledge proof privacy protection method, system, storage medium and equipment - Google Patents


Info

Publication number
CN112765668A
Authority
CN
China
Prior art keywords
proving
zero
amount
sender
proof
Legal status
Granted
Application number
CN202110132123.0A
Other languages
Chinese (zh)
Other versions
CN112765668B (en)
Inventor
付铭
谢朝阳
马立川
刘明哲
裴庆祺
袁昊
张锐
Current Assignee
Xi'an Xidian Lianrong Technology Co ltd
Xidian University
Original Assignee
Xi'an Xidian Lianrong Technology Co ltd
Xidian University
Events
Application filed by Xi'an Xidian Lianrong Technology Co ltd, Xidian University
Priority to CN202110132123.0A
Publication of CN112765668A
Application granted
Publication of CN112765668B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/602 (also under G06F21/60 Protecting data) Providing cryptographic facilities or services

Abstract

The invention belongs to the technical field of privacy protection and discloses a zero-knowledge proof privacy protection method, system, storage medium and device. The method comprises four proof processes: an accounting balance proof, proving that the sender's total consumption amount equals the sending amount plus the change amount; a format correctness proof, proving that a commitment is in the standard commitment format; a range proof, proving that the sender's total consumption amount, sending amount and change amount are all greater than zero; and an equality proof, proving that the plaintext corresponding to a ciphertext equals the plaintext corresponding to a commitment. Three roles are assumed in the transaction scenario: a sender, a receiver and a supervisor. The method relates to an anonymous transaction system operating under the supervision of a supervisor; it can effectively address the problem of enterprises excessively collecting and abusing large amounts of user privacy data, effectively supervise user privacy leakage, and ensure the privacy and safety of users.

Description

Zero-knowledge proof privacy protection method, system, storage medium and equipment
Technical Field
The invention belongs to the technical field of privacy protection, and particularly relates to a zero-knowledge proof privacy protection method, a zero-knowledge proof privacy protection system, a storage medium and a device.
Background
In 2012, the volume of e-commerce transactions in China reached 7.85 trillion yuan, a year-on-year increase of 30.8%; online retail sales exceeded 1.3 trillion yuan, accounting for 6.3 percent of total retail sales of consumer goods; e-commerce service enterprises directly employed more than 200 million people and indirectly employed more than 1500 million. E-commerce transaction volume and online retail volume have since risen to more than 18 trillion and 3 trillion yuan respectively; China has become the largest e-commerce market in the world, and e-commerce has become the industry with the greatest development potential and the strongest international competitiveness.
In practical applications, the protection of user privacy by e-commerce enterprises still has problems. (1) User privacy data is collected heavily and excessively by e-commerce enterprises. There are clear rules on how network operators may collect and use personal information, but existing laws and regulations have no corresponding rules on how the information may subsequently be used or what liability is incurred. On the supervisory side, government information systems and websites are currently required to establish a graded security protection system, with regular inspection and reminder mechanisms for security vulnerabilities, but no security requirements are imposed on non-government websites and systems. Enterprises collect user information largely to verify user identity and, by analyzing transaction data, to understand market trends better. However, big-data price discrimination against regular customers is rampant and personalized recommendation is everywhere, which directly or indirectly harms users' interests. Therefore, when an e-commerce enterprise operates in the market, the problem of its excessively collecting and abusing large amounts of user privacy data must be solved and the privacy and safety of users ensured. (2) Private data leakage incidents occur frequently at e-commerce enterprises. Consumers' personal information is gradually becoming an important resource, which has generated vicious competition within the industry, and consumer and customer information has become an unscrupulous competitive tool for many merchants.
All departments and organizations that collect personal information have a responsibility, on both ethical and legal grounds, to protect citizens' personal information, including that of middle-school students. When citizens provide personal information to a department or organization, that department or organization may not treat the information as a commercial resource to be provided to other departments and organizations, and if citizens' personal information is leaked from it, it cannot escape responsibility.
Through the above analysis, the problems and defects of the prior art are as follows:
(1) The excessive collection and use of user information by e-commerce enterprises cannot be effectively monitored.
(2) The privacy leakage condition of the user cannot be effectively monitored.
The difficulty in solving the above problems and defects is as follows. After an e-commerce enterprise acquires a user's private information, the information can be copied and backed up many times, so it cannot be effectively monitored by manual supervision. Information is a static carrier; it cannot itself make decisions about, or respond to, any external behavior. Once a user's private data is leaked, the existence of online black-market operations means that the leaked information is sold and abused, causing trouble for the user, and the leaked information cannot be erased. The difficulty therefore lies in how to guarantee the validity and authenticity of the data under the condition that a trusted government party can supervise while the government, the enterprise and other parties cannot learn the plaintext of the data.
The significance of solving these problems and defects is as follows. The method can be applied in the field of e-commerce and has a wide range of application in protecting user privacy. In the current era of rapid development of information technology, advanced data acquisition and transmission technologies such as 5G and the Internet of Things will bring richer content, stronger timeliness and larger data flows, in which countless items of private data are wrapped. In this flood of data, whether an individual user wants to enjoy services safely or an enterprise wants to explore an emerging business model, implementing privacy protection is essential. Combining blockchain trust-exchange networks with privacy protection allows the value in data to be explored legally and collaboratively and the risks in data to be avoided, and may trigger a new round of explosive growth in the information industry and bring human society into the information era sooner. In this process, the development of privacy protection technology is the key to balancing value income against privacy risk and achieving Pareto-optimal, sustainable development.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a zero-knowledge proof privacy protection method, a system, a storage medium and equipment, and particularly relates to an anonymous transaction system under the condition that a supervisor can supervise.
The invention is realized as follows: a zero-knowledge proof privacy protection method comprising four proof flows, namely an accounting balance proof, a format correctness proof, a range proof and an equality proof; three roles are assumed in the transaction scenario: a sender, a receiver and a supervisor.
Further, the four proof processes of the zero-knowledge proof privacy protection method are:
(1) accounting balance proof: proves that the sender's total consumption amount equals the sending amount plus the change amount;
(2) format correctness proof: proves that the commitment is in the standard commitment format;
(3) range proof: proves that the sender's total consumption amount, sending amount and change amount are all greater than zero;
(4) equality proof: proves that the plaintext corresponding to the ciphertext equals the plaintext corresponding to the commitment.
Further, the zero-knowledge proof privacy protection method defines three roles:
(1) the sender: sends an amount of assets to the receiver, i.e. sends out the transaction amount;
(2) the receiver: receives the amount of assets sent by the sender, i.e. receives the transaction amount;
(3) the supervisor: can verify the validity and authenticity of the transaction from the transaction data.
Further, the zero-knowledge proof privacy protection method further includes user registration, including:
(1) a sender locally generates a public and private key, and the public key is externally disclosed;
(2) the receiving party locally generates a public and private key, and the public key is externally disclosed;
(3) the supervisor locally generates a public and private key, and the public key is externally disclosed.
Further, in the zero-knowledge proof privacy protection method, the sender computes the transaction disclosure data by the zero-knowledge proof privacy protection algorithm as follows:
(1) generate the accounting balance proof bp;
(2) generate the format correctness proof fp;
(3) generate the range proof rp;
(4) generate the equality proof ep;
(5) generate the supervision ciphertext field e.
Further, the zero-knowledge proof privacy protection method further includes the step of sending a transaction, including:
(1) the sender sends the transaction disclosure data to the receiver;
(2) the receiving party verifies the zero knowledge proof after receiving the transaction;
(3) the supervisor verifies the ciphertext e;
(4) if the verification is passed, the transaction is stored and validated.
Further, in the zero-knowledge proof privacy protection method, the sender, the receiver and the supervisor each generate a public and private key as follows:
(1) sender public key pub_S = {G1, G2, H, P}, private key priv_S = {X};
(2) receiver public key pub_R = {G1, G2, H, P}, private key priv_R = {X};
(3) supervisor public key pub_G = {G1, G2, H, P}, private key priv_G = {X}.
Further, the sender determines their own total assets and issues commitments, together with the corresponding random numbers, to the transfer amount and the change amount.
Further, the sender generates the accounting balance proof as follows:
The sender uses pub_S, the transfer amount v_s with its commitment randomness r_s, the change amount v_r with its commitment randomness r_r, and the total-amount commitment randomness r_o to generate the accounting balance proof bp:
(1) Take the public key field P of the sender and compute P_1 = P - 1
(2) Take the system's Unix timestamp and use it as a seed to generate a random number rnd
(3) Take the public key field P of the sender and compute limit = P - 4
(4) Compute limit_5 = limit^5
(5) Use rnd as seed to generate a random number mix smaller than limit_5
(6) Compute a = (mix mod limit) + 2, then mix = mix / limit
(7) Compute b = (mix mod limit) + 2, then mix = mix / limit
(8) Compute d = (mix mod limit) + 2, then mix = mix / limit
(9) Compute e = (mix mod limit) + 2, then mix = mix / limit
(10) Compute f = (mix mod limit) + 2, then mix = mix / limit
(11) Take the public key field G1 of the sender and compute g1a = G1^a mod P
(12) Take the public key field H of the sender and compute hb = H^b mod P
(13) Compute t1_P = g1a * hb mod P
(14) Take the public key field G1 of the sender and compute g1d = G1^d mod P
(15) Take the public key field H of the sender and compute he = H^e mod P
(16) Compute t2_P = g1d * he mod P
(17) Compute ad = (a + d) mod P_1
(18) Take the public key field G1 of the sender and compute g1ad = G1^ad mod P
(19) Take the public key field H of the sender and compute hf = H^f mod P
(20) Compute t3_P = g1ad * hf mod P
(21) Concatenate t1_P, t2_P and t3_P, hash the result and reduce the hash value modulo P to obtain c
(22) Compute R_v = (P_1 - (c * v_r mod P_1) + a) mod P_1
(23) Compute R_r = (P_1 - (c * r_r mod P_1) + b) mod P_1
(24) Compute S_v = (P_1 - (c * v_s mod P_1) + d) mod P_1
(25) Compute S_r = (P_1 - (c * r_s mod P_1) + e) mod P_1
(26) Compute S_or = (P_1 - (c * r_o mod P_1) + f) mod P_1
(27) bp = {c, R_v, R_r, S_v, S_r, S_or} is the accounting balance proof.
Further, the sender generates the format correctness proof as follows:
The sender uses pub_S, the amount v and its commitment randomness r to generate the format correctness proof fp:
(1) Take the public key field P of the sender and compute P_1 = P - 1
(2) Take the system's Unix timestamp and use it as a seed to generate a random number rnd_a
(3) Use rnd_a as seed to generate a random number rnd_b
(4) Take the public key field P of the sender and compute limit = P - 4
(5) Use rnd_a as seed to generate a random number a smaller than limit
(6) Compute a = a + 2
(7) Use rnd_b as seed to generate a random number b smaller than limit
(8) Compute b = b + 2
(9) Compute g1a = G1^a mod P
(10) Compute hb = H^b mod P
(11) Compute t1_P = g1a * hb mod P
(12) Compute t2_P = G2^b mod P
(13) Concatenate t1_P and t2_P, hash the result and reduce the hash value modulo P to obtain c
(14) Compute vc = (P_1 - v * c) mod P_1
(15) Compute z1 = (a + vc) mod P_1
(16) Compute r1c = (P_1 - r * c) mod P_1
(17) Compute z2 = (b + r1c) mod P_1
(18) fp = {c, z1, z2} is the format correctness proof.
Further, the sender generates the equality proof as follows:
The sender uses pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P}, pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, the commitment C1 = {C1.commitment, C1.r}, the commitment C2 = {C2.commitment, C2.r} and the committed amount V to generate the equality proof ep:
(1) Compute y = C1.commitment * C2.commitment mod P
(2) Declare ep = {t, s} as the equality proof result
(3) Let g be an array of length 4 with elements {pub1.G1, pub2.G1, pub1.H, pub2.H}
(4) Let x be an array of length 4 with elements {V, V, C1.r, C2.r}
(5) Let a be an array of length 4 with elements {-1, -1, 0, 0}
(6) Let pub = pub1
(7) Declare v as an empty array of length 4
(8) Take the public key field P of the sender and compute P_1 = P - 1
(9) Declare ssnum = 0
(10) Traverse a; for every element that is not 0, add 1 to ssnum
(11) Use pub as seed to generate a list rbi of n random numbers, where n = 4 if ssnum is 0 and n = 3 otherwise
(12) Declare line = 0
(13) Declare last = 0
(14) Traverse a in order, letting the current element be a[i]:
  If a[i] = 0, let v[i] = rbi[line] and add 1 to line
  If a[i] is not 0, perform the following:
    If ssnum = 1, let v[i] = last * (a[i] mod P_1) mod P_1 and add 1 to ssnum
    If ssnum is not 1, let v[i] = rbi[line], add 1 to line, subtract 1 from ssnum, and let last = (last - a[i] + v[i]) mod P_1
(15) Declare t = 1
(16) Declare c_hash as an empty array
(17) Traverse g, letting the current element be g[i], and in the i-th iteration:
  Compute G[i] = g[i]^v[i] mod P as a new variable
  Let t = t * G[i] mod P
  Append g[i] to c_hash
(18) Append y to c_hash
(19) Append t to c_hash
(20) Compute the hash of c_hash as c
(21) Compute c_bi = c mod P
(22) Traverse v, letting the current element be v[i], and in the i-th iteration:
  Compute mash = (v[i] - c_bi * x[i]) mod P_1
  Append mash to ep.s
(23) Let ep.t = t
(24) ep is the generated equality proof.
Further, the sender generates the range proof as follows:
The sender uses the amount v, the commitment C = {C.commitment, C.r} and the sender public key pub_S = {G1, G2, H, P} to generate the range proof rp:
(1) Take the public key field P of the sender and compute P_1 = P - 1
(2) Convert v to binary and store it in aL, with the low bit of the binary at the low index of aL
(3) Declare aR as an array of length limit
(4) Loop limit times; in the i-th iteration compute aR[i] = (aL[i] - 1) mod P_1
(5) Randomly generate an array mix of 4 * (limit + 1) random numbers
(6) Take the first element of mix (index 0) as alpha
(7) Take the second element of mix (index 1) as rou
(8) Randomly generate sL, sR, tao1, tao2, g and h (sL, sR, g and h are indexed per bit below)
(9) Compute A = H^alpha mod P
(10) Compute S = H^rou mod P
(11) Loop limit times; in the i-th iteration perform the following in order:
  Compute gaL = g[i]^aL[i] mod P
  Compute haR = h[i]^aR[i] mod P
  Compute gsL = g[i]^sL[i] mod P
  Compute hsR = h[i]^sR[i] mod P
  Compute A = A * gaL * haR mod P
  Compute S = S * gsL * hsR mod P
(12) Declare an array AS of length 2 with elements {A, S}
(13) Hash the array AS to obtain y_bytes
(14) Declare an array ASy of length 2 with elements {AS, y_bytes}
(15) Hash the array ASy to obtain z_bytes
(16) Declare an array ASyz of length 2 with elements {ASy, z_bytes}
(17) Hash the array ASyz to obtain x_bytes
(18) Compute x = x_bytes mod P_1
(19) Compute y = y_bytes mod P_1
(20) Compute z = z_bytes mod P_1
(21) Declare l and r as empty arrays of length limit
(22) Let tv = 0
(23) Let t1 = 0
(24) Let t2 = 0
(25) Let n2 = 1
(26) Let ny = 1
(27) Loop limit times; in the i-th iteration perform the following in order:
  Compute aLz = aL[i] - z
  Compute sLx = sL[i] * x
  Compute l[i] = (aLz + sLx) mod P
  Compute z2n = (z^2 mod P_1) * n2
  Compute arz = aR[i] + z
  Compute r[i] = (((arz + sR[i] * x) mod P_1) * ny + z2n) mod P_1
  Compute lr = l[i] * r[i]
  Compute tv = (tv + lr) mod P_1
  Compute ysR = ny * sR[i] mod P_1
  Compute aLzysR = aLz * ysR mod P_1
  Compute n2nyaRzsl = ((ny * arz + z2n) mod P_1) * sL[i]
  Compute t1 = t1 + ((aLzysR + n2nyaRzsl) mod P_1)
  Compute t2 = t2 + (sL[i] * ysR mod P_1)
  Compute n2 = n2 * 2 mod P_1
  Compute ny = ny * y mod P_1
(28) Compute T1 = (G1^t1 mod P) * (H^tao1 mod P) mod P
(29) Compute T2 = (G1^t2 mod P) * (H^tao2 mod P) mod P
(30) Compute x2tao2 = (x^2 mod P_1) * tao2
(31) Compute z2gama = (z^2 mod P_1) * C.r
(32) Compute tao_x = (x2tao2 + x * tao1 + z2gama) mod P_1
(33) Compute miu = (rou * x + alpha) mod P_1
(34) Let n = limit
(35) rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h} is the range proof.
Further, the sender encrypts the content that requires supervision, including the private information of the sender and the receiver and the transaction data, with the supervisor's public key to generate the ciphertext e.
Further, the receiver verifies the accounting balance proof as follows:
The receiver uses the change commitment CM_R, the transfer commitment CM_S, the total commitment CM_O, the public key pub = {G1, G2, H, P} and the accounting balance proof bp = {c, R_v, R_r, S_v, S_r, S_or}:
(1) Compute g1rv = G1^R_v mod P
(2) Compute hrr = H^R_r mod P
(3) Compute cmrc = CM_R^c mod P
(4) Compute t1_v = (g1rv * hrr mod P) * cmrc mod P
(5) Compute g1sv = G1^S_v mod P
(6) Compute hsr = H^S_r mod P
(7) Compute cmsc = CM_S^c mod P
(8) Compute t2_v = (g1sv * hsr mod P) * cmsc mod P
(9) Compute rvsv = R_v + S_v
(10) Compute g1rvsv = G1^rvsv mod P
(11) Compute hsor = H^S_or mod P
(12) Compute cmoc = CM_O^c mod P
(13) Compute t3_v = (g1rvsv * hsor mod P) * cmoc mod P
(14) Concatenate t1_v, t2_v and t3_v, hash the result and reduce the hash value modulo P to obtain c_v
(15) Check whether c_v equals 0; if so, the verification passes, otherwise it fails.
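The accounting balance proof and its verification (the sender's steps (1)-(27) and the receiver's steps (1)-(15) above) carried through in Python, as an added worked example and not code from the patent. It assumes a Pedersen-style commitment CM = G1^v * H^r mod P, which is the form the receiver's identities require, SHA-256 over the "|"-joined decimal transcript for the "splice and hash" step, and constructed toy parameters; nonces come from `secrets` rather than the timestamp seed of the listing, because a predictable nonce in this kind of proof exposes the committed amounts and randomness through the responses.

```python
import hashlib
import secrets

# Constructed toy parameters (not a secure parameter set): a prime modulus P
# and two fixed bases. As on the page, exponents are reduced modulo P_1 = P - 1.
P = 2**127 - 1
P_1 = P - 1
G1, H = 3, 7


def commit(v, r):
    """Pedersen-style commitment CM = G1^v * H^r mod P (assumed form)."""
    return (pow(G1, v, P) * pow(H, r, P)) % P


def challenge(*parts):
    """'Splice and hash, reduce mod P': SHA-256 over '|'-joined decimal values."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def prove_balance(v_s, r_s, v_r, r_r, r_o):
    """Sender: bp = {c, R_v, R_r, S_v, S_r, S_or} for the transfer (v_s, r_s),
    the change (v_r, r_r) and the total commitment's randomness r_o."""
    # steps (5)-(10): five nonces in [2, P_1), unpredictable rather than seeded
    a, b, d, e, f = (2 + secrets.randbelow(P_1 - 2) for _ in range(5))
    t1 = (pow(G1, a, P) * pow(H, b, P)) % P               # steps (11)-(13)
    t2 = (pow(G1, d, P) * pow(H, e, P)) % P               # steps (14)-(16)
    t3 = (pow(G1, (a + d) % P_1, P) * pow(H, f, P)) % P   # steps (17)-(20)
    c = challenge(t1, t2, t3)                             # step (21)
    # steps (22)-(26): each response is nonce - c * witness (mod P_1)
    return {
        "c": c,
        "R_v": (a - c * v_r) % P_1,
        "R_r": (b - c * r_r) % P_1,
        "S_v": (d - c * v_s) % P_1,
        "S_r": (e - c * r_s) % P_1,
        "S_or": (f - c * r_o) % P_1,
    }


def verify_balance(cm_r, cm_s, cm_o, bp):
    """Receiver: rebuild t1, t2, t3 from the responses and the commitments."""
    c = bp["c"]
    t1_v = (pow(G1, bp["R_v"], P) * pow(H, bp["R_r"], P) * pow(cm_r, c, P)) % P
    t2_v = (pow(G1, bp["S_v"], P) * pow(H, bp["S_r"], P) * pow(cm_s, c, P)) % P
    rvsv = bp["R_v"] + bp["S_v"]                          # step (9)
    t3_v = (pow(G1, rvsv, P) * pow(H, bp["S_or"], P) * pow(cm_o, c, P)) % P
    # t3_v equals the sender's t3 only if CM_O hides exactly v_s + v_r, so the
    # recomputed challenge matches the transmitted c iff the amounts balance.
    return challenge(t1_v, t2_v, t3_v) == c


def demo_balance(v_s=40, v_r=60, total=100):
    """Return (honest_ok, unbalanced_ok): a balancing sender passes; a sender
    whose change commitment hides v_r + 10 against the same total does not."""
    r_s, r_r, r_o = (secrets.randbelow(P_1) for _ in range(3))
    cm_s, cm_r, cm_o = commit(v_s, r_s), commit(v_r, r_r), commit(total, r_o)
    honest = verify_balance(cm_r, cm_s, cm_o,
                            prove_balance(v_s, r_s, v_r, r_r, r_o))
    bad_change = v_r + 10
    unbalanced = verify_balance(commit(bad_change, r_r), cm_s, cm_o,
                                prove_balance(v_s, r_s, bad_change, r_r, r_o))
    return honest, unbalanced
```

The page's step (15) phrases the final test as comparing c_v with 0; the transcript identities hold exactly when c_v equals the c carried in bp, which is the comparison made here.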
Further, the receiver verifies the format correctness proof as follows:
The receiver uses the public key pub = {G1, G2, H, P}, the ciphertext C = {c1, c2} obtained by encrypting the content with pub, and the format correctness proof fp = {c, z1, z2}:
(1) Compute c1c = c2^c mod P
(2) Compute g1z1 = G1^z1 mod P
(3) Compute hz2 = H^z2 mod P
(4) Compute c1c = c1c * g1z1 mod P
(5) Compute t1_v = c1c * hz2 mod P
(6) Compute c2c = c1^c mod P
(7) Compute g2z2 = G2^z2 mod P
(8) Compute t2_v = c2c * g2z2 mod P
(9) Concatenate t1_v and t2_v, hash the result and reduce the hash value modulo P to obtain c_v
(10) Check whether c_v equals 0; if so, the verification passes, otherwise it fails.
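The format correctness proof (sender's steps (1)-(18)) and its verification (receiver's steps (1)-(10) above) in Python, as an added worked example, not the patent's own code. It assumes the ciphertext form the receiver's steps imply, C = {c1, c2} = {G2^r, G1^v * H^r} mod P (c2 is the component raised to c alongside G1^z1 * H^z2, c1 alongside G2^z2), SHA-256 over the "|"-joined decimal transcript as the hash, and constructed toy parameters with `secrets` nonces in place of the timestamp seed.

```python
import hashlib
import secrets

# Constructed toy parameters (not a secure parameter set); exponents mod P_1.
P = 2**127 - 1
P_1 = P - 1
G1, G2, H = 3, 5, 7


def challenge(*parts):
    """'Splice and hash, reduce mod P': SHA-256 over '|'-joined decimal values."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def encrypt(v, r):
    """Standard commitment form the proof attests to (assumed from the receiver's
    steps): C = {c1, c2} = {G2^r, G1^v * H^r} mod P."""
    return pow(G2, r, P), (pow(G1, v, P) * pow(H, r, P)) % P


def prove_format(v, r):
    """Sender steps (1)-(18): fp = {c, z1, z2} for amount v and randomness r."""
    a = 2 + secrets.randbelow(P_1 - 2)          # steps (5)-(6)
    b = 2 + secrets.randbelow(P_1 - 2)          # steps (7)-(8)
    t1_p = (pow(G1, a, P) * pow(H, b, P)) % P   # steps (9)-(11)
    t2_p = pow(G2, b, P)                         # step (12)
    c = challenge(t1_p, t2_p)                    # step (13)
    z1 = (a - v * c) % P_1                       # steps (14)-(15)
    z2 = (b - r * c) % P_1                       # steps (16)-(17)
    return {"c": c, "z1": z1, "z2": z2}


def verify_format(C, fp):
    """Receiver steps (1)-(10): one transcript element per ciphertext component."""
    c1, c2 = C
    c, z1, z2 = fp["c"], fp["z1"], fp["z2"]
    t1_v = (pow(c2, c, P) * pow(G1, z1, P) * pow(H, z2, P)) % P   # steps (1)-(5)
    t2_v = (pow(c1, c, P) * pow(G2, z2, P)) % P                   # steps (6)-(8)
    return challenge(t1_v, t2_v) == c                             # steps (9)-(10)


def demo_format(v=42):
    """Return (well_formed_ok, malformed_ok). The malformed ciphertext keeps the
    correct G2^r but blinds its second component with different randomness, so
    no single r fits both components and the proof cannot verify."""
    r = secrets.randbelow(P_1)
    ok = verify_format(encrypt(v, r), prove_format(v, r))
    c1, _ = encrypt(v, r)
    _, c2_wrong = encrypt(v, (r + 1) % P_1)
    malformed = verify_format((c1, c2_wrong), prove_format(v, r))
    return ok, malformed
```

The page's step (10) phrases the final test as comparing c_v with 0; the transcript identities hold exactly when c_v equals the c carried in fp, which is the comparison made here.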
Further, the receiver verifies the equality proof using the public keys pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P} and pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, the ciphertexts C1 = {C1.c1, C1.c2} and C2 = {C2.c1, C2.c2}, and the equality proof ep = {s, t}:
(1) Take the public key field P of the receiver and compute y = C1 * C2 mod P
(2) Let g be an array of length 4 filled with {pub1.G1, pub2.G1, pub1.H, pub2.H}
(3) Rename pub_S as pub
(4) Let a be an array of length 4 filled with {1, -1, 0, 0}
(5) Declare b = 0
(6) Take the public key field P of the receiver and compute P_1 = P - 1
(7) Declare c_hash as an unbounded array
(8) Traverse g, letting the current element be g[i], and append g[i] to c_hash in each iteration
(9) Append y and ep.t to c_hash in that order
(10) Compute the hash value of c_hash as c
(11) Compute c_bi = c mod P
(12) Let the new variable t_verify = y
(13) Compute t_verify = t_verify^c_bi mod P
(14) Traverse g, letting the current element be g[i], and in the i-th iteration:
  Compute buf = g[i]^ep.s[i] mod P
  Compute t_verify = t_verify * buf mod P
(15) Check whether t_verify equals ep.t; if so, continue with the following steps, otherwise the verification fails and the flow terminates
(16) Compute cb = -c_bi * b
(17) Declare a new variable mix = 0
(18) Traverse a, letting the current element be a[i]:
  Compute aisi = a[i] * ep.s[i] mod P_1
  Compute mix = (mix + aisi) mod P_1
(19) Check whether mix equals cb; if so, the verification succeeds, otherwise it fails.
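The equality proof (sender's steps (1)-(24)) and its verification (receiver's steps (1)-(19) above) in Python, as an added worked example and not the patent's own code: it shows why the verifier needs the linear check of steps (16)-(19) in addition to the representation check of steps (12)-(15). It uses the constraint vector a = {1, -1, 0, 0} with b = 0 from the receiver's listing, which is the choice that expresses x[0] = x[1] (the sender's listing shows {-1, -1, 0, 0}, which would not satisfy b = 0), replaces the ssnum/last nonce bookkeeping by the direct choice v[0] = v[1] that it produces for this a, and assumes constructed toy parameters with two key sets sharing one modulus and SHA-256 over the "|"-joined transcript as the hash.

```python
import hashlib
import secrets

# Constructed toy parameters: two key sets sharing one prime modulus P
# (not a secure parameter set); exponents are reduced modulo P_1 = P - 1.
P = 2**127 - 1
P_1 = P - 1
PUB1 = {"G1": 3, "G2": 5, "H": 7}
PUB2 = {"G1": 11, "G2": 13, "H": 17}
G_VEC = (PUB1["G1"], PUB2["G1"], PUB1["H"], PUB2["H"])   # step (3)
A_VEC = (1, -1, 0, 0)   # receiver's step (4): linear constraint x[0] - x[1] = 0
B = 0                   # receiver's step (5): right-hand side of that constraint


def challenge(*parts):
    """Hash of the spliced transcript, reduced mod P (steps (20)-(21))."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def commit(pub, v, r):
    """Commitment under a given key: pub.G1^v * pub.H^r mod P."""
    return (pow(pub["G1"], v, P) * pow(pub["H"], r, P)) % P


def prove_equal(v1, r1, v2, r2):
    """Sender steps (1)-(24) with witness x = {v1, v2, r1, r2}. An honest sender
    has v1 == v2; passing v1 != v2 shows what the receiver's linear check catches."""
    x = (v1, v2, r1, r2)                                          # step (4)
    y = (commit(PUB1, v1, r1) * commit(PUB2, v2, r2)) % P         # step (1)
    # step (14): nonces v[i] with sum(a[i] * v[i]) == 0 mod P_1; for
    # a = {1, -1, 0, 0} that is exactly v[0] == v[1]
    shared = secrets.randbelow(P_1)
    v = [shared, shared, secrets.randbelow(P_1), secrets.randbelow(P_1)]
    t = 1                                                         # step (15)
    for gi, vi in zip(G_VEC, v):                                  # step (17)
        t = (t * pow(gi, vi, P)) % P
    c_bi = challenge(*G_VEC, y, t)                                # steps (16)-(21)
    s = [(vi - c_bi * xi) % P_1 for vi, xi in zip(v, x)]          # step (22)
    return {"t": t, "s": s}


def verify_equal(C1, C2, ep):
    """Receiver steps (1)-(19): representation check, then the linear check."""
    y = (C1 * C2) % P                                             # step (1)
    c_bi = challenge(*G_VEC, y, ep["t"])                          # steps (7)-(11)
    t_verify = pow(y, c_bi, P)                                    # steps (12)-(13)
    for gi, si in zip(G_VEC, ep["s"]):                            # step (14)
        t_verify = (t_verify * pow(gi, si, P)) % P
    if t_verify != ep["t"]:                                       # step (15)
        return False
    cb = (-c_bi * B) % P_1                                        # step (16)
    mix = 0                                                       # step (17)
    for ai, si in zip(A_VEC, ep["s"]):                            # step (18)
        mix = (mix + ai * si) % P_1
    return mix == cb                                              # step (19)


def demo_equal(v=25):
    """Return (equal_ok, unequal_ok): commitments to the same v under PUB1 and
    PUB2 verify; commitments to v and v + 1 pass the representation check yet
    fail the linear check, even though the sender knows both openings."""
    r1, r2 = secrets.randbelow(P_1), secrets.randbelow(P_1)
    same = verify_equal(commit(PUB1, v, r1), commit(PUB2, v, r2),
                        prove_equal(v, r1, v, r2))
    differ = verify_equal(commit(PUB1, v, r1), commit(PUB2, v + 1, r2),
                          prove_equal(v, r1, v + 1, r2))
    return same, differ
```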
Further, the receiver verifies the range proof as follows:
The receiver uses the ciphertext C = {C1, C2} of the amount v, the public key pub = {G1, G2, H, P} and the range proof rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h}:
(1) Take the public key field P of the receiver and compute P_1 = P - 1
(2) Take the public key field P of the receiver and compute P_2 = P - 2
(3) Take l, r, g, h from rp as arrays of length n
(4) Let the new variable V = C2
(5) Let the new variable tv = 0
(6) Loop n times; in the i-th iteration compute tv = (tv + l[i] * r[i]) mod P_1
(7) Declare an array AS of length 2 with elements {A, S}
(8) Hash the array AS to obtain y_bytes
(9) Declare an array ASy of length 2 with elements {AS, y_bytes}
(10) Hash the array ASy to obtain z_bytes
(11) Declare an array ASyz of length 2 with elements {ASy, z_bytes}
(12) Hash the array ASyz to obtain x_bytes
(13) Compute x = x_bytes mod P_1
(14) Compute y = y_bytes mod P_1
(15) Compute z = z_bytes mod P_1
(16) Declare h_ as an empty array of length n
(17) Compute y_inv = y^P_2 mod P_1
(18) Compute y_2P = y^P_1 mod P
(19) Compute vf = y * y_inv mod P_1
(20) Let the new variable y_1 = 1
(21) Loop n times; in the i-th iteration:
  Compute h_[i] = h[i]^y_1 mod P
  Compute y_1 = y_1 * y_inv mod P_1
(22) Compute htaox = H^tao_x mod P
(23) Compute left = (G1^tv mod P) * htaox mod P
(24) Compute z2 = z^2 mod P_1
(25) Compute z3 = z^3 mod P_1
(26) Compute ny_1 = (y^rp.n mod P_1) - 1
(27) Compute y_x1 = y - 1
(28) Compute the inverse of y_x1 modulo P_1 as y_x1
(29) Compute ny_1 = ny_1 * y_x1 mod P_1
(30) Compute z_z2 = (z - z2) mod P_1
(31) Compute ibx = z_z2 * ny_1
(32) Compute n_1_2 = 2^rp.n mod P_1
(33) Compute z3n12 = z3 * n_1_2
(34) Compute ibx = ibx - z3n12
(35) Compute gibx = pub.G1^ibx mod P
(36) Compute right = (V^z2 mod P) * gibx mod P
(37) Compute x2 = x^2
(38) Compute T1x = T1^x mod P
(39) Compute T2x2 = T2^x2 mod P
(40) Compute right = (right * T1x mod P) * T2x2 mod P
(41) Check whether left equals right; if so, continue with the following steps, otherwise the verification fails and the flow terminates
(42) Compute P' = S^x mod P (written P' here to distinguish the accumulator from the modulus P)
(43) Compute P' = A * P' mod P
(44) Declare the variables gz = 1, h_mix = 1, n2 = 1 and ny = 1
(45) Loop n times; in the i-th iteration:
  Compute gz_inv = g[i]^z mod P
  Compute gz = (inverse of gz_inv modulo P) * gz mod P
  Compute mix = z * ny + z2 * n2
  Compute mix = h_[i]^mix mod P
  Compute h_mix = h_mix * mix mod P
  Compute n2 = n2 * 2 mod P_1
  Compute ny = ny * y mod P_1
(46) Compute P' = P' * gz mod P
(47) Compute P' = P' * h_mix mod P
(48) Compute P_check = H^miu mod P
(49) Loop n times; in the i-th iteration:
  Compute gl = g[i]^l[i] mod P
  Compute hr = h[i]^r[i] mod P
  Compute P_check = P_check * gl mod P
  Compute P_check = P_check * hr mod P
(50) Check whether P' equals P_check; if so, the range proof verification passes, otherwise it fails.
Further, the supervisor verifies the ciphertext e; if the verification passes, the transaction is legal and valid, otherwise the transaction is considered invalid and is discarded.
Another object of the present invention is to provide a zero-knowledge proof privacy protection system using the zero-knowledge proof privacy protection method, the zero-knowledge proof privacy protection system comprising:
the accounting balance proving module is used for proving that the total consumption amount of the sender is equal to the sending amount and the change amount;
the format correct proving module is used for proving that the commitment format is a standard commitment format;
the range proving module is used for proving that the total consumption amount, the sending amount and the change amount of the sender are all larger than zero;
and the equality proving module is used for proving that the plaintext corresponding to the ciphertext is equal to the plaintext corresponding to the commitment.
It is another object of the present invention to provide a computer program product stored on a computer-readable medium, comprising a computer-readable program which, when executed on an electronic device, provides a user input interface to implement the zero-knowledge proof privacy protection method.
It is another object of the present invention to provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the zero-knowledge proof privacy protection method.
By combining all the technical schemes, the invention has the advantages and positive effects that: the invention provides a zero-knowledge proof privacy protection method, a system, a storage medium and equipment, relates to an anonymous transaction system under the supervision condition of a supervision party, can effectively solve the problem that an enterprise excessively collects a large amount of user privacy data for abuse, effectively supervises the user privacy leakage condition, and ensures the privacy safety of a user.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a zero-knowledge proof privacy protection method according to an embodiment of the present invention.
FIG. 2 is a block diagram of the zero-knowledge proof privacy protection system provided by an embodiment of the invention;
in the figure: 1. accounting balance proof module; 2. format-correctness proof module; 3. range proof module; 4. equality proof module.
Fig. 3 is a schematic diagram of a method for user registration according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a method for a sender to calculate transaction disclosure data by a zero-knowledge proof privacy protection algorithm according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of a method for sending a transaction according to an embodiment of the present invention.
Fig. 6 shows all the generated certification fields and encrypted fields provided by the embodiment of the present invention, all users can verify the correctness of the zero-knowledge certification, and the supervisor can decrypt and obtain the plaintext of the private data.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In view of the problems in the prior art, the present invention provides a method, system, storage medium, and device for protecting privacy with zero knowledge proof, which are described in detail below with reference to the accompanying drawings.
The zero-knowledge proof privacy protection method provided by the embodiment of the invention comprises four proof processes, namely a balance proof, a format-correctness proof, a range proof and an equality proof; three roles, a sender, a receiver and a supervisor, are assumed in the transaction scenario.
As shown in fig. 1, the method for protecting privacy with zero knowledge proof provided by the embodiment of the present invention includes the following steps:
S101, accounting balance proof: proving that the sender's total spend equals the sending amount plus the change amount;
S102, format-correctness proof: proving that the commitment has the standard commitment format;
S103, range proof: proving that the sender's total spend, the sending amount and the change amount are all greater than zero;
S104, equality proof: proving that the plaintext corresponding to the ciphertext equals the plaintext corresponding to the commitment.
The zero-knowledge proof privacy protection method provided by the embodiment of the invention defines three roles, including:
(1) the sender: transfers the asset amount to the receiver and initiates the transaction;
(2) the receiver: receives the transferred asset amount from the sender;
(3) the supervisor: can verify the validity and authenticity of the transaction from the transaction data.
As shown in fig. 2, the zero-knowledge proof privacy protection system provided by the embodiment of the present invention includes:
the accounting balance proof module 1, used to prove that the sender's total spend equals the sending amount plus the change amount;
the format-correctness proof module 2, used to prove that the commitment has the standard commitment format;
the range proof module 3, used to prove that the sender's total spend, the sending amount and the change amount are all greater than zero;
and the equality proof module 4, used to prove that the plaintext corresponding to the ciphertext equals the plaintext corresponding to the commitment.
The present invention will be further described with reference to the following examples.
Example 1
Aiming at the problems in the prior art, the invention provides a zero-knowledge proof privacy protection scheme.
The scheme has four proving processes and assumes three roles in a transaction scene.
The four proving procedures and effects are respectively as follows:
accounting balance proof: proving that the sender's total spend equals the sending amount plus the change amount;
format-correctness proof: proving that the commitment has the standard commitment format;
range proof: proving that the sender's total spend, the sending amount and the change amount are all greater than zero;
equality proof: proving that the plaintext corresponding to the ciphertext equals the plaintext corresponding to the commitment.
The three roles are defined in turn as:
the sender: transfers the asset amount to the receiver and initiates the transaction;
the receiver: receives the transferred asset amount from the sender;
the supervisor: can verify the validity and authenticity of the transaction from the transaction data.
Further, the sender, the receiver and the supervisor each generate their own public and private keys:
the sender's public key pub_S = {G1, G2, H, P} and private key priv_S = {X};
the receiver's public key pub_R = {G1, G2, H, P} and private key priv_R = {X};
the supervisor's public key pub_G = {G1, G2, H, P} and private key priv_G = {X}.
Further, the sender determines its total asset amount and issues commitments, each with its own random number, to the transfer amount and the change amount.
Further, the sender generates the accounting balance proof. The sender uses pub_S, the transfer amount v_s with its commitment random number r_s, the change amount v_r with its commitment random number r_r, and the commitment random number r_o of the total amount to generate the accounting balance proof bp as follows:
(1) P_1 = P - 1
(2) rnd = rand(time), where time is the current time
(3) limit = P - 4
(4) limit_5 = limit^5
(5) mix = rand(rnd), with mix < limit_5 (five values below limit are extracted from it in turn)
(6) a = (mix mod limit) + 2, mix = mix / limit
(7) b = (mix mod limit) + 2, mix = mix / limit
(8) d = (mix mod limit) + 2, mix = mix / limit
(9) e = (mix mod limit) + 2, mix = mix / limit
(10) f = (mix mod limit) + 2, mix = mix / limit
(11) g1a = G1^a mod P
(12) hb = H^b mod P
(13) t1_p = g1a * hb mod P
(14) g1d = G1^d mod P
(15) he = H^e mod P
(16) t2_p = g1d * he mod P
(17) ad = a + d mod P_1
(18) g1ad = G1^ad mod P
(19) hf = H^f mod P
(20) t3_p = g1ad * hf mod P
(21) c = Hash(t1_p :+ t2_p :+ t3_p) mod P, where ':+' denotes concatenation
(22) R_v = (P_1 - (c * v_r mod P_1) + a) mod P_1
(23) R_r = (P_1 - (c * r_r mod P_1) + b) mod P_1
(24) S_v = (P_1 - (c * v_s mod P_1) + d) mod P_1
(25) S_r = (P_1 - (c * r_s mod P_1) + e) mod P_1
(26) S_or = (P_1 - (c * r_o mod P_1) + f) mod P_1
(27) bp = {c, R_v, R_r, S_v, S_r, S_or} is the accounting balance proof.
Further, the sender generates the format-correctness proof. The sender uses pub_S, the amount v and the random number r of the commitment to v to generate the format-correctness proof fp as follows:
(1) P_1 = P - 1
(2) rnd_a = rand(time)
(3) rnd_b = rand(rnd_a)
(4) limit = P - 4
(5) a = rand(rnd_a), where a < limit
(6) a = a + 2
(7) b = rand(rnd_b), where b < limit
(8) b = b + 2
(9) g1a = G1^a mod P
(10) hb = H^b mod P
(11) t1_p = g1a * hb mod P
(12) t2_p = G2^b mod P
(13) c = Hash(t1_p :+ t2_p) mod P
(14) vc = P_1 - (v * c mod P_1)
(15) z1 = a + vc mod P_1
(16) r1c = P_1 - (r * c mod P_1)
(17) z2 = b + r1c mod P_1
(18) fp = {c, z1, z2} is the format-correctness proof.
Further, the sender generates the equality proof. The sender uses pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P}, pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, the commitment C1 = {C1.commitment, C1.r} and the commitment C2 = {C2.commitment, C2.r}, both committing to the same amount V, and generates the equality proof ep as follows:
(1) y = C1.commitment * C2.commitment mod P
(2) declare ep = {t, s} as the equality proof result
(3) g = {pub1.G1, pub2.G1, pub1.H, pub2.H}
(4) x = {V, V, C1.r, C2.r}
(5) a = {1, -1, 0, 0}
(6) pub = pub1
(7) declare v as an array of length 4
(8) P_1 = P - 1
(9) ssnum = 0
(10) traverse a; for every non-zero entry, ssnum = ssnum + 1
(11) rbi = rand(n, pub), an array of n random numbers, where n = 4 if ssnum is 0 and n = 3 otherwise
(12) line = 0
(13) last = 0
(14) traverse a with index i and value ai:
if ai = 0, then v[i] = r  bi[line], line = line + 1
if ai != 0, then:
if ssnum = 1, then v[i] = (P_1 - last) * ai^(-1) mod P_1 (so that the sum of ai * v[i] over all i is 0 mod P_1), ssnum = ssnum - 1
if ssnum != 1, then v[i] = rbi[line], line = line + 1, ssnum = ssnum - 1, last = (last + ai * v[i]) mod P_1
(15) t = 1
(16) declare c_hash as an empty array
(17) traverse g with index i and value gi:
gv = gi^v[i] mod P
t = t * gv mod P
append gi to c_hash
(18) append y to c_hash
(19) append t to c_hash
(20) c = Hash(c_hash)
(21) c_bi = c mod P
(22) traverse v with index i and value vi:
mash = (vi - c_bi * x[i]) mod P_1
append mash to ep.s
(23) ep.t = t
(24) ep is the generated equality proof.
Further, the sender generates the range proof. The sender uses the amount v, the commitment C = {C.commitment, C.r} and the sender public key pub_S = {G1, G2, H, P} to generate the range proof rp as follows:
(1) P_1 = P - 1
(2) convert v to binary and store the bits in aL, the low bit of v at the low index of aL
(3) declare aR as an array of length limit (the bit length)
(4) loop limit times; in the i-th iteration, aR[i] = (aL[i] - 1) mod P_1
(5) randomly generate an array mix of 4 * (limit + 1) random numbers
(6) alpha = mix[0]
(7) rou = mix[1]
(8) randomly generate sL, sR, tao1, tao2, g and h from the remaining entries of mix (sL, sR, g and h are arrays of length limit)
(9) A = H^alpha mod P
(10) S = H^rou mod P
(11) loop limit times; in the i-th iteration:
gaL = g[i]^aL[i] mod P
haR = h[i]^aR[i] mod P
gsL = g[i]^sL[i] mod P
hsR = h[i]^sR[i] mod P
A = A * gaL * haR mod P
S = S * gsL * hsR mod P
(12) AS = [A, S]
(13) y_bytes = Hash(AS)
(14) ASy = [AS, y_bytes]
(15) z_bytes = Hash(ASy)
(16) ASyz = [ASy, z_bytes]
(17) x_bytes = Hash(ASyz)
(18) x = x_bytes mod P_1
(19) y = y_bytes mod P_1
(20) z = z_bytes mod P_1
(21) declare l and r as arrays of length limit
(22) tv = 0
(23) t1 = 0
(24) t2 = 0
(25) n2 = 1
(26) ny = 1
(27) loop limit times; in the i-th iteration:
aLz = aL[i] - z
sLx = sL[i] * x
l[i] = (aLz + sLx) mod P_1
z2n = (z^2 mod P_1) * n2
arz = aR[i] + z
r[i] = ((arz + sR[i] * x mod P_1) * ny + z2n) mod P_1
lr = l[i] * r[i]
tv = (tv + lr) mod P_1
ysR = (ny * sR[i]) mod P_1
aLzysR = (aLz * ysR) mod P_1
n2nyaRzsl = ((ny * arz + z2n) mod P_1) * sL[i] mod P_1
t1 = (t1 + aLzysR + n2nyaRzsl) mod P_1
t2 = (t2 + sL[i] * ysR) mod P_1
n2 = (n2 * 2) mod P_1
ny = (ny * y) mod P_1
(28) T1 = (G1^t1 mod P) * (H^tao1 mod P) mod P
(29) T2 = (G1^t2 mod P) * (H^tao2 mod P) mod P
(30) x2tao2 = (x^2 mod P_1) * tao2
(31) z2gama = (z^2 mod P_1) * C.r
(32) tao_x = (x2tao2 + x * tao1 + z2gama) mod P_1
(33) miu = (rou * x + alpha) mod P_1
(34) n = limit
(35) rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h} is the range proof.
Further, the sender encrypts the required supervision content including the privacy information of the sender and the receiver and the transaction data by using the public key of the supervisor to generate a ciphertext e.
Further, the receiver verifies the accounting balance proof. The receiver uses the change commitment CM_R, the transfer commitment CM_S, the total commitment CM_O, the public key pub = {G1, G2, H, P} and the accounting balance proof bp = {c, R_v, R_r, S_v, S_r, S_or} to carry out the following steps:
(1) g1rv = G1^R_v mod P
(2) hrr = H^R_r mod P
(3) cmrc = CM_R^c mod P
(4) t1_v = (g1rv * hrr mod P) * cmrc mod P
(5) g1sv = G1^S_v mod P
(6) hsr = H^S_r mod P
(7) cmsc = CM_S^c mod P
(8) t2_v = (g1sv * hsr mod P) * cmsc mod P
(9) rvsv = R_v + S_v
(10) g1rvsv = G1^rvsv mod P
(11) hsor = H^S_or mod P
(12) cmoc = CM_O^c mod P
(13) t3_v = (g1rvsv * hsor mod P) * cmoc mod P
(14) c_v = Hash(t1_v :+ t2_v :+ t3_v) mod P
(15) if c_v equals c, the verification passes; otherwise it fails.
Further, the receiver verifies the format-correctness proof. The receiver uses the public key pub = {G1, G2, H, P}, the ciphertext C = {C1, C2} obtained by encrypting the content with pub, and the format-correctness proof fp = {c, z1, z2} to carry out the following steps:
(1) c1c = C2^c mod P
(2) g1z1 = G1^z1 mod P
(3) hz2 = H^z2 mod P
(4) c1c = c1c * g1z1 mod P
(5) t1_v = c1c * hz2 mod P
(6) c2c = C1^c mod P
(7) g2z2 = G2^z2 mod P
(8) t2_v = c2c * g2z2 mod P
(9) c_v = Hash(t1_v :+ t2_v) mod P
(10) if c_v equals c, the verification passes; otherwise it fails.
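The accounting balance proof and the format-correctness proof above, generated and verified along the page's steps, as an added example that is not the patent's own code. It assumes toy parameters: P = 2^127 - 1 with hash-derived bases G1, G2, H, Pedersen commitments CM = G1^v H^r, and SHA-256 over the concatenated values for the page's Hash(... :+ ...).

```python
import hashlib
import secrets

# Toy group parameters constructed for this example (not production values): P = 2^127 - 1
# is prime, so every element of Z_P^* has order dividing P - 1 and exponents can be reduced
# mod P_1 = P - 1 exactly as the page's steps do.
P = (1 << 127) - 1
P_1 = P - 1

def hash_to_elem(label: bytes) -> int:
    """Nothing-up-my-sleeve base: derived by hashing, so no discrete-log relation is known."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % P

G1, G2, H = hash_to_elem(b"G1"), hash_to_elem(b"G2"), hash_to_elem(b"H")

def challenge(*elems: int) -> int:
    """Fiat-Shamir challenge: the page's Hash(t1 :+ t2 :+ ...) mod P, ':+' being concatenation."""
    data = b"".join(e.to_bytes(16, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def rand_exp() -> int:
    """Blinding exponent in [2, P - 2], matching the page's '+2' with limit = P - 4."""
    return secrets.randbelow(P - 3) + 2

def commit(v: int, r: int) -> int:
    """Pedersen commitment CM = G1^v * H^r mod P."""
    return pow(G1, v, P) * pow(H, r, P) % P

def gen_balance_proof(v_s, r_s, v_r, r_r, r_o):
    """bp = {c, R_v, R_r, S_v, S_r, S_or}: one Schnorr response pair per commitment, with the
    third term tied to a + d so that it only verifies when v_o = v_s + v_r."""
    a, b, d, e, f = (rand_exp() for _ in range(5))
    t1 = pow(G1, a, P) * pow(H, b, P) % P
    t2 = pow(G1, d, P) * pow(H, e, P) % P
    t3 = pow(G1, (a + d) % P_1, P) * pow(H, f, P) % P
    c = challenge(t1, t2, t3)
    return {"c": c,
            "R_v": (a - c * v_r) % P_1, "R_r": (b - c * r_r) % P_1,
            "S_v": (d - c * v_s) % P_1, "S_r": (e - c * r_s) % P_1,
            "S_or": (f - c * r_o) % P_1}

def verify_balance_proof(CM_R, CM_S, CM_O, bp) -> bool:
    """Recompute t1, t2, t3 from the responses and check the challenge equals bp.c."""
    c = bp["c"]
    t1_v = pow(G1, bp["R_v"], P) * pow(H, bp["R_r"], P) * pow(CM_R, c, P) % P
    t2_v = pow(G1, bp["S_v"], P) * pow(H, bp["S_r"], P) * pow(CM_S, c, P) % P
    # R_v + S_v cancels the c*(v_r + v_s) term only when CM_O commits to v_r + v_s
    t3_v = (pow(G1, (bp["R_v"] + bp["S_v"]) % P_1, P) * pow(H, bp["S_or"], P)
            * pow(CM_O, c, P) % P)
    return challenge(t1_v, t2_v, t3_v) == c

def format_commit(v: int, r: int):
    """The page's two-part commitment C = {C1, C2} with C1 = G2^r and C2 = G1^v * H^r."""
    return pow(G2, r, P), commit(v, r)

def gen_format_proof(v: int, r: int):
    """fp = {c, z1, z2}: proves C2 is a Pedersen commitment to v whose randomness r is the
    same one behind C1, i.e. the commitment has the standard format."""
    a, b = rand_exp(), rand_exp()
    t1 = pow(G1, a, P) * pow(H, b, P) % P
    t2 = pow(G2, b, P)
    c = challenge(t1, t2)
    return {"c": c, "z1": (a - v * c) % P_1, "z2": (b - r * c) % P_1}

def verify_format_proof(C1: int, C2: int, fp) -> bool:
    c = fp["c"]
    t1_v = pow(C2, c, P) * pow(G1, fp["z1"], P) * pow(H, fp["z2"], P) % P
    t2_v = pow(C1, c, P) * pow(G2, fp["z2"], P) % P
    return challenge(t1_v, t2_v) == c

def demo():
    """Legal transfer (16 + 4 = 20) verifies; a total commitment to 21 does not; a C1 built
    with a different randomness fails the format proof. Amounts are constructed sample values."""
    v_s, v_r = 16, 4
    r_s, r_r, r_o = (secrets.randbelow(P_1) for _ in range(3))
    CM_S, CM_R = commit(v_s, r_s), commit(v_r, r_r)
    bp = gen_balance_proof(v_s, r_s, v_r, r_r, r_o)
    legal = verify_balance_proof(CM_R, CM_S, commit(v_s + v_r, r_o), bp)
    illegal = verify_balance_proof(CM_R, CM_S, commit(v_s + v_r + 1, r_o), bp)
    C1, C2 = format_commit(v_s, r_s)
    fp = gen_format_proof(v_s, r_s)
    fmt_ok = verify_format_proof(C1, C2, fp)
    fmt_bad = verify_format_proof(pow(G2, r_s + 1, P), C2, fp)
    return legal, illegal, fmt_ok, fmt_bad

if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```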
Further, the receiver verifies the equality proof using the public keys pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P} and pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, the ciphertexts C1 = {C1.C1, C1.C2} and C2 = {C2.C1, C2.C2}, and the equality proof ep = {s, t}. The following steps are carried out:
(1) y = C1.C2 * C2.C2 mod P
(2) g = {pub1.G1, pub2.G1, pub1.H, pub2.H}
(3) pub = pub1
(4) a = {1, -1, 0, 0}
(5) b = 0
(6) P_1 = P - 1
(7) declare c_hash as an empty array
(8) traverse g with value gi, appending each gi to c_hash
(9) append y and then ep.t to c_hash
(10) c = Hash(c_hash)
(11) c_bi = c mod P
(12) t_verify = y
(13) t_verify = t_verify^c_bi mod P
(14) traverse g with index i and value gi:
buf = gi^ep.s[i] mod P
t_verify = t_verify * buf mod P
(15) if t_verify != ep.t, the verification fails
(16) cb = -c_bi * b mod P_1
(17) mix = 0
(18) traverse a with index i and value ai:
aisi = (ai * ep.s[i]) mod P_1
mix = (mix + aisi) mod P_1
(19) if mix is not equal to cb, the verification fails; otherwise it succeeds.
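The equality proof and its verification above, as an added example that is not the patent's code. It assumes the same toy modulus P = 2^127 - 1, hash-derived (G1, H) pairs standing in for the sender's and receiver's public keys pub1 and pub2, and the relation a = {1, -1, 0, 0}, b = 0 that the verifier checks.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (not production values): P = 2^127 - 1 is
# prime, so exponents reduce mod P_1 = P - 1 as in the page's steps. Each party's public key
# contributes its own (G1, H) pair; all of them live in the same Z_P^*.
P = (1 << 127) - 1
P_1 = P - 1

def hash_to_elem(label: bytes) -> int:
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % P

# pub1 = sender's key, pub2 = receiver's key (labels are constructed for the example)
pub1 = {"G1": hash_to_elem(b"pub1.G1"), "H": hash_to_elem(b"pub1.H")}
pub2 = {"G1": hash_to_elem(b"pub2.G1"), "H": hash_to_elem(b"pub2.H")}
BASES = [pub1["G1"], pub2["G1"], pub1["H"], pub2["H"]]   # the page's g

# Linear relation a . x = b over the witness x = {V1, V2, C1.r, C2.r}: a = {1, -1, 0, 0}
# and b = 0 encode V1 - V2 = 0, i.e. both commitments hide the same amount.
A_COEF = (1, -1, 0, 0)
B_CONST = 0

def hash_list(items) -> int:
    """c = Hash(c_hash) mod P over the list the page builds: the bases g, then y, then t."""
    data = b"".join(i.to_bytes(16, "big") for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def commit(pub, v: int, r: int) -> int:
    return pow(pub["G1"], v, P) * pow(pub["H"], r, P) % P

def gen_equal_proof(x) -> dict:
    """Schnorr proof of knowledge of x with y = prod g_i^x_i and a . x = b, following the
    page's steps: the nonces v_i are chosen so that a . v = 0, which makes a . s = -c*b.
    An honest prover passes x = [V, V, C1.r, C2.r]."""
    y = 1
    for gi, xi in zip(BASES, x):
        y = y * pow(gi, xi, P) % P                  # equals C1.commitment * C2.commitment
    v = [secrets.randbelow(P_1) for _ in range(4)]
    constrained = [i for i in range(4) if A_COEF[i] != 0]
    last = constrained[-1]
    acc = sum(A_COEF[i] * v[i] for i in constrained[:-1]) % P_1
    v[last] = (-acc * pow(A_COEF[last] % P_1, -1, P_1)) % P_1   # forces a . v = 0 mod P_1
    t = 1
    for gi, vi in zip(BASES, v):
        t = t * pow(gi, vi, P) % P
    c_bi = hash_list(BASES + [y, t])                # the verifier hashes the bases, not g^v
    s = [(vi - c_bi * xi) % P_1 for vi, xi in zip(v, x)]
    return {"t": t, "s": s}

def verify_equal_proof(C1_commit: int, C2_commit: int, ep: dict) -> bool:
    y = C1_commit * C2_commit % P
    c_bi = hash_list(BASES + [y, ep["t"]])
    t_verify = pow(y, c_bi, P)
    for gi, si in zip(BASES, ep["s"]):
        t_verify = t_verify * pow(gi, si, P) % P    # y^c * prod g_i^s_i must reproduce t
    if t_verify != ep["t"]:
        return False
    mix = sum(ai * si for ai, si in zip(A_COEF, ep["s"])) % P_1
    return mix == (-c_bi * B_CONST) % P_1           # a . s = -c*b, here s[0] - s[1] = 0

def demo():
    """The same amount under both keys verifies. Different amounts pass the first check
    (the prover knows its openings) but fail the linear check. Values are constructed samples."""
    r1, r2 = secrets.randbelow(P_1), secrets.randbelow(P_1)
    ep = gen_equal_proof([16, 16, r1, r2])
    same = verify_equal_proof(commit(pub1, 16, r1), commit(pub2, 16, r2), ep)
    ep_bad = gen_equal_proof([16, 17, r1, r2])
    differ = verify_equal_proof(commit(pub1, 16, r1), commit(pub2, 17, r2), ep_bad)
    return same, differ

if __name__ == "__main__":
    print(demo())  # (True, False)
```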
Further, the receiver verifies the range proof. The receiver uses the ciphertext C = {C1, C2} of the amount v, the public key pub = {G1, G2, H, P} and the range proof rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h}, and carries out the following steps:
(1) P_1 = P - 1
(2) P_2 = P - 2
(3) l, r, g and h are arrays of length n
(4) V = C2
(5) tv = 0
(6) loop n times; in the i-th iteration:
tv = (tv + l[i] * r[i]) mod P_1
(7) AS = [A, S]
(8) y_bytes = Hash(AS)
(9) ASy = [AS, y_bytes]
(10) z_bytes = Hash(ASy)
(11) ASyz = [ASy, z_bytes]
(12) x_bytes = Hash(ASyz)
(13) x = x_bytes mod P_1
(14) y = y_bytes mod P_1
(15) z = z_bytes mod P_1
(16) declare h_ as an array of length n
(17) y_inv = y^P_2 mod P_1
(18) y_2p = y^P_1 mod P
(19) vf = y * y_inv mod P_1
(20) y_1 = 1
(21) loop n times; in the i-th iteration:
h_[i] = h[i]^y_1 mod P
y_1 = (y_1 * y_inv) mod P_1
(22) htaox = H^tao_x mod P
(23) left = (G1^tv mod P) * htaox mod P
(24) z2 = z^2 mod P_1
(25) z3 = z^3 mod P_1
(26) ny_1 = (y^rp.n mod P_1) - 1
(27) y_x1 = y - 1
(28) y_x1 = y_x1^(-1) mod P_1
(29) ny_1 = ny_1 * y_x1 mod P_1
(30) z_z2 = (z - z2) mod P_1
(31) ibx = z_z2 * ny_1
(32) n_1_2 = (2^rp.n - 1) mod P_1
(33) z3n12 = z3 * n_1_2
(34) ibx = ibx - z3n12
(35) gibx = pub.G1^ibx mod P
(36) right = (V^z2 mod P) * gibx mod P
(37) x2 = x * x
(38) T1x = T1^x mod P
(39) T2x2 = T2^x2 mod P
(40) right = (right * T1x mod P) * T2x2 mod P
(41) if left and right are not equal, the verification fails
(42) p = S^x mod P
(43) p = p * A mod P
(44) gz = 1; h_mix = 1; n2 = 1; ny = 1
(45) loop n times; in the i-th iteration:
gz_inv = g[i]^z mod P
gz = gz * (gz_inv^(-1) mod P) mod P
mix = z * ny + z2 * n2
mix = h_[i]^mix mod P
h_mix = h_mix * mix mod P
n2 = n2 * 2 mod P_1
ny = ny * y mod P_1
(46) p = p * gz mod P
(47) p = p * h_mix mod P
(48) P_check = H^miu mod P
(49) loop n times; in the i-th iteration:
gl = g[i]^l[i] mod P
hr = h_[i]^r[i] mod P
P_check = P_check * gl mod P
P_check = P_check * hr mod P
(50) if p and P_check are equal, the range proof verification passes; otherwise it fails.
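The range proof and its verification above, as an added example that is not the patent's code. It departs from the page in three labelled ways: exponents are reduced mod a prime subgroup order Q instead of mod P - 1 (P - 1 is composite, so y^-1 in step (17) need not exist), the challenge x also binds T1 and T2, and the vectors g and h are fixed public bases rather than values the sender generates and ships inside rp; the 8-bit width and all amounts are constructed toy values.

```python
import hashlib
import secrets

# Toy group constructed for this example (not production parameters). P = 2^127 - 1 is prime
# and Q = 77158673929 is a prime factor of P - 1 (it divides 2^63 + 1); every base is mapped
# into the order-Q subgroup so exponents live mod a prime and y^-1 exists. The page reduces
# exponents mod P - 1 instead, which is composite, so y^-1 does not exist for most y.
P = (1 << 127) - 1
Q = 77158673929
assert all(Q % d for d in range(2, int(Q ** 0.5) + 1)), "Q must be prime"
N = 8  # bit width proven: 0 <= v < 2^N

def elem(label: str) -> int:
    """Nothing-up-my-sleeve base in the order-Q subgroup (cofactor exponentiation)."""
    h = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % P
    return pow(h, (P - 1) // Q, P)

G1, H = elem("G1"), elem("H")
g = [elem(f"g{i}") for i in range(N)]  # fixed public vectors (the page lets the sender pick them)
h = [elem(f"h{i}") for i in range(N)]

def hash_q(*vals: int) -> int:
    data = b"".join(v.to_bytes(16, "big") for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def commit(v: int, r: int) -> int:
    return pow(G1, v, P) * pow(H, r, P) % P

def rand() -> int:
    return secrets.randbelow(Q)

def gen_range_proof(v: int, r: int) -> dict:
    """rp = {n, tau_x, A, S, T1, T2, miu, l, r} for V = G1^v H^r, along the page's steps
    (an uncompressed Bulletproof: the vectors l and r are sent in the clear)."""
    aL = [(v >> i) & 1 for i in range(N)]  # bit i of v at index i
    aR = [(b - 1) % Q for b in aL]  # aR = aL - 1, so aL*aR = 0 exactly when aL is a bit
    alpha, rou, tau1, tau2 = rand(), rand(), rand(), rand()
    sL, sR = [rand() for _ in range(N)], [rand() for _ in range(N)]
    A, S = pow(H, alpha, P), pow(H, rou, P)
    for i in range(N):
        A = A * pow(g[i], aL[i], P) * pow(h[i], aR[i], P) % P
        S = S * pow(g[i], sL[i], P) * pow(h[i], sR[i], P) % P
    y = hash_q(A, S)
    z = hash_q(A, S, y)
    z2, t1, t2, ny, n2 = z * z % Q, 0, 0, 1, 1  # ny = y^i, n2 = 2^i
    for i in range(N):  # t1, t2: coefficients of t(X) = <l(X), r(X)>
        r0 = (ny * (aR[i] + z) + z2 * n2) % Q
        t1 = (t1 + (aL[i] - z) * ny * sR[i] + sL[i] * r0) % Q
        t2 = (t2 + sL[i] * ny * sR[i]) % Q
        ny, n2 = ny * y % Q, n2 * 2 % Q
    T1 = pow(G1, t1, P) * pow(H, tau1, P) % P
    T2 = pow(G1, t2, P) * pow(H, tau2, P) % P
    # Assumption of this example: x also binds T1 and T2. The page derives x from A, S, y, z
    # alone, i.e. before T1 and T2 are fixed.
    x = hash_q(A, S, y, z, T1, T2)
    l, rr, ny, n2 = [], [], 1, 1
    for i in range(N):
        l.append((aL[i] - z + sL[i] * x) % Q)
        rr.append((ny * (aR[i] + z + sR[i] * x) + z2 * n2) % Q)
        ny, n2 = ny * y % Q, n2 * 2 % Q
    tau_x = (tau2 * x * x + tau1 * x + z2 * r) % Q
    miu = (alpha + rou * x) % Q
    return {"n": N, "tau_x": tau_x, "A": A, "S": S, "T1": T1, "T2": T2, "miu": miu, "l": l, "r": rr}

def verify_range_proof(V: int, rp: dict) -> bool:
    n, A, S, T1, T2, l, r = (rp[k] for k in ("n", "A", "S", "T1", "T2", "l", "r"))
    y = hash_q(A, S)
    z = hash_q(A, S, y)
    x = hash_q(A, S, y, z, T1, T2)
    z2, z3 = z * z % Q, pow(z, 3, Q)
    tv = sum(li * ri for li, ri in zip(l, r)) % Q  # t(x) = <l, r>
    # delta(y, z) = (z - z^2) * sum_i y^i - z^3 * (2^n - 1); the sum is taken directly
    delta = ((z - z2) * sum(pow(y, i, Q) for i in range(n)) - z3 * ((1 << n) - 1)) % Q
    left = pow(G1, tv, P) * pow(H, rp["tau_x"], P) % P
    right = pow(V, z2, P) * pow(G1, delta, P) * pow(T1, x, P) * pow(T2, x * x % Q, P) % P
    if left != right:  # t(x) must equal z^2 v + delta + t1 x + t2 x^2 for the committed v
        return False
    # p = A S^x g^(-z) h'^(z y^n + z^2 2^n) must equal H^miu g^l h'^r, with h'_i = h_i^(y^-i)
    y_inv, yi_inv, ny, n2 = pow(y, -1, Q), 1, 1, 1
    p, p_check = A * pow(S, x, P) % P, pow(H, rp["miu"], P)
    for i in range(n):
        h_ = pow(h[i], yi_inv, P)
        p = p * pow(g[i], (-z) % Q, P) * pow(h_, (z * ny + z2 * n2) % Q, P) % P
        p_check = p_check * pow(g[i], l[i], P) * pow(h_, r[i], P) % P
        yi_inv, ny, n2 = yi_inv * y_inv % Q, ny * y % Q, n2 * 2 % Q
    return p == p_check

def demo():
    """v = 200 < 2^8 verifies; v = 300 does not fit 8 bits, so the bit vector and the
    committed value disagree and the polynomial check fails. Amounts are constructed samples."""
    r = rand()
    ok = verify_range_proof(commit(200, r), gen_range_proof(200, r))
    bad = verify_range_proof(commit(300, r), gen_range_proof(300, r))
    return ok, bad
```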
Further, the supervisor verifies the ciphertext e, if the verification is passed, the transaction is legal and valid, otherwise, the transaction is considered invalid, and the transaction is discarded.
Example 2
As shown in fig. 3, the user registration is performed according to the following steps:
(1) a sender locally generates a public and private key, and the public key is externally disclosed;
(2) the receiving party locally generates a public and private key, and the public key is externally disclosed;
(3) the supervisor locally generates a public and private key, and the public key is externally disclosed.
As shown in fig. 4, the sender calculates the transaction disclosure data by the zero-knowledge proof privacy protection algorithm according to the following steps:
(1) generating the accounting balance proof bp;
(2) generating the format-correctness proof fp;
(3) generating the range proof rp;
(4) generating the equality proof ep;
(5) generating the supervision ciphertext e.
As shown in fig. 5, the transaction is sent, which is performed as follows:
(1) the sender sends the transaction disclosure data to the receiver;
(2) the receiving party verifies the zero knowledge proof after receiving the transaction;
(3) the supervisor verifies the ciphertext e;
(4) if the verification is passed, the transaction is stored and validated.
The specific procedures of the present invention will now be described with specific examples.
In the auction example, the invention keeps the whole auction process anonymous while still supervised; the specific implementation flow is as follows.
(1) Before the auction begins, the potential buyers, the auction seller and the supervisor all register accounts in the system and obtain their respective public and private keys, and the potential buyers are given unlimited system account funds.
(2) During the auction, the potential buyers bid; the bidding process is the same as the transfer process, namely a potential buyer transfers money to the auction seller. The buyer generates the accounting balance proof bp, the format-correctness proof fp, the range proof rp, the equality proof ep and the supervision ciphertext e, and then initiates the transfer to the seller.
(3) After receiving the transaction, the seller verifies the zero-knowledge proofs;
(4) the supervisor verifies the ciphertext e;
(5) if the verification passes, the transaction is stored and takes effect, the bid is considered successful, and the next bid is awaited.
(6) After bidding ends, the supervisor decrypts and reviews all bid contents, and announces the winning bidder.
(7) Throughout the auction, the identity and bid amount of each bidder are hidden; the final result is given only by the trusted supervisor on the basis of all transaction contents.
The technical effects of the present invention will be described in detail with reference to experiments.
The invention is experimentally realized, and the experimental output is as follows:
public key:
P:33333f914834ced561c145797d9b5782719dbd1b43a668d4b01151f9c0e67d9f
G1:3174504ed79fb7791f5980fd36107f441286198271ebc8e02499005520e4013a
G2:231dba42e1eb3afd09fae4f7f2b13e1686d744b003d200b5bd37bdf877bcadb9
H:65449a792d4abe211d1be86b74e158ff32e708d5717e854e162a9f1a0633394
private key:
X:1da7643b396061c17ac2cbd08d700a6f71cf56826a23af231a872dfa9af1e55f
generating a proof of correct format:
C:26ac016ded7c755456e2f98b621d2481403845ec93d55851b4dd5a74ae1d395b
Z1:31dcd46aab6cc21f248316069fc34a28ff1a24862061f3dac1ddf0edcc9e2005
Z2:296471ee814fdab02845c36c4ecbd759554ef4891d732eeddc512cbba88eefbc
verifying the format-correctness proof:
proof of format correctness!
Setting the amount of money: 16
Encrypting the same content using different public keys
Generating an equal proof:
s:[0b4eb86f14a4b5f016706df6e15bfa830414c318cf44707831b9e61fb1bdcc8f 0b4eb86f14a4b5f016706df6e15bfa830414c318cf44707831b9e61fb1bdcc8f 02f06aaf43e24b96bcf3baf345f0dcac47aa8f67cd8fb16fba5092f3f0071092 2776d6ba325a83705a5479504165d388ca27d101235e16340f5d997581004040]
t:73572ad326fd564027cb8b2e6bbced7303b71e37e750ca25eed9c72f71cccf
verifying the equality proof:
equal proof verification!
Setting up legitimate transactions
Generating an accounting balance certificate:
s:[16728e075b434a946683d1f9d7cf99f6da8e1f7357bd942497f8df37330bce1c]
t:09fb9a71955cc1fa6483aebedac802b777b466042a8e680d4d102595aacabb53
verifying the accounting balance proof:
verification of accounting balance certificate!
Setting illegal transactions:
generating an accounting balance certificate:
s:[1dce60d7d17eee182ec299f98d20f9becfbfca2c55f5357cda8c0a27f7b1e7ce 0d4011e5042ac5abe5ec1e721944351fa2bc3dc53d1b50337d80045de98b45a9]
t:1368dcd8658813075e551a2277a60100f214263d351c7384525187dcba93a82b
verifying the accounting balance proof:
accounting balance proof verification failed!
Generating an equal proof:
s:[21fab46a3bb6ee942faf63fa6efa7c89c39c198a8e35e501646d76d5fa79e766 21fab46a3bb6ee942faf63fa6efa7c89c39c198a8e35e501646d76d5fa79e766 22715bb53e845add06c994dcaf636e97fcf0c2b41b189a8197bd157a1c1acf51 0699e9734ce3aeec542e933aa5673a836f66a812d456b21f17e4da80e750398c]
t:0434568b2029a5f5d150c7f66e9a44d927c7716766ff3701ba351603c120977e
verifying the equality proof:
equal proof verification!
Generating a proof of correct format:
C:04879e7df788c0c4d37e83d87e08b27cd944884a51176edc8ecb32578e1e000d
Z1:24e32f1a37c91e4e6396c5bfd1f8331acb9ff5ea483701c3ac0273dab87cca46
Z2:0ada337717dde4f7fa74c6b9efcd1187a59db6193ae1925cbbfd4463cb9bec91
verifying the format-correctness proof:
proof of format correctness!
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When used in whole or in part, can be implemented in a computer program product that includes one or more computer instructions. When loaded or executed on a computer, cause the flow or functions according to embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL), or wireless (e.g., infrared, wireless, microwave, etc.)). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that includes one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A zero-knowledge proof privacy protection method is characterized in that the zero-knowledge proof privacy protection method comprises four proof processes which are respectively as follows:
accounting balance proof: proving that the sender's total spend equals the sending amount plus the change amount;
format-correctness proof: proving that the commitment has the standard commitment format;
range proof: proving that the sender's total spend, the sending amount and the change amount are all greater than zero;
equality proof: proving that the plaintext corresponding to the ciphertext equals the plaintext corresponding to the commitment.
2. The zero-knowledge proof privacy preserving method of claim 1, wherein the three roles defined by the zero-knowledge proof privacy preserving method include:
(1) the sender: transfers the asset amount to the receiver and initiates the transaction;
(2) the receiver: receives the transferred asset amount from the sender;
(3) the supervisor: can verify the validity and authenticity of the transaction from the transaction data.
3. The zero-knowledge proof privacy preserving method of claim 1, further comprising a user registration comprising:
(1) a sender locally generates a public and private key, and the public key is externally disclosed;
(2) the receiving party locally generates a public and private key, and the public key is externally disclosed;
(3) the supervisor locally generates a public and private key, and the public key is externally disclosed.
4. The zero-knowledge proof privacy preserving method of claim 1, further comprising the step of the sender calculating transaction disclosure data by a zero-knowledge proof privacy preserving algorithm, comprising:
(1) generating the accounting balance proof bp;
(2) generating the format-correctness proof fp;
(3) generating the range proof rp;
(4) generating the equality proof ep;
(5) generating the supervision ciphertext e.
5. The zero-knowledge proof privacy preserving method of claim 1, further comprising the sending transaction, in the zero-knowledge proof privacy preserving method, comprising:
(1) the sender sends the transaction disclosure data to the receiver;
(2) the receiving party verifies the zero knowledge proof after receiving the transaction;
(3) the supervisor verifies the ciphertext e;
(4) if the verification is passed, the transaction is stored and validated.
6. The zero-knowledge proof privacy protection method of claim 1, wherein in the zero-knowledge proof privacy protection method, the sender, the receiver and the supervisor respectively generate their own public and private keys, and the method comprises:
(1) the sender's public key pub_S = {G1, G2, H, P} and private key priv_S = {X};
(2) the receiver's public key pub_R = {G1, G2, H, P} and private key priv_R = {X};
(3) the supervisor's public key pub_G = {G1, G2, H, P} and private key priv_G = {X}.
7. The zero-knowledge proof privacy protection method of claim 1, wherein the sender determines its own total asset amount and issues a commitment and a random number for the transfer amount and for the change amount.
8. A computer device, characterized in that the computer device comprises a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to carry out the following steps, the four proof processes being:
(1) accounting balance proof: proving that the sender's total spend equals the sending amount plus the change amount;
(2) format-correctness proof: proving that the commitment has the standard commitment format;
(3) range proof: proving that the sender's total spend, the sending amount and the change amount are all greater than zero;
(4) equality proof: proving that the plaintext corresponding to the ciphertext equals the plaintext corresponding to the commitment.
9. A computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the following steps,
the four proof processes being:
(1) accounting balance proof: proving that the sender's total spend equals the sending amount plus the change amount;
(2) format-correctness proof: proving that the commitment has the standard commitment format;
(3) range proof: proving that the sender's total spend, the sending amount and the change amount are all greater than zero;
(4) equality proof: proving that the plaintext corresponding to the ciphertext equals the plaintext corresponding to the commitment.
10. A zero-knowledge proof privacy protection system applying the zero-knowledge proof privacy protection method according to any one of claims 1 to 8, the zero-knowledge proof privacy protection system comprising:
the accounting balance proof module, used to prove that the sender's total spend equals the sending amount plus the change amount;
the format-correctness proof module, used to prove that the commitment has the standard commitment format;
the range proof module, used to prove that the sender's total spend, the sending amount and the change amount are all greater than zero;
and the equality proof module, used to prove that the plaintext corresponding to the ciphertext equals the plaintext corresponding to the commitment.
CN202110132123.0A 2021-01-31 2021-01-31 Zero-knowledge proof privacy protection method, system, storage medium and equipment Active CN112765668B (en)

Publications (2)

Publication Number Publication Date
CN112765668A true CN112765668A (en) 2021-05-07
CN112765668B CN112765668B (en) 2023-01-03

Family

ID=75704244

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110132123.0A Active CN112765668B (en) 2021-01-31 2021-01-31 Zero-knowledge proof privacy protection method, system, storage medium and equipment

Country Status (1)

Country Link
CN (1) CN112765668B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114580029A (en) * 2022-04-28 2022-06-03 浙江甲骨文超级码科技股份有限公司 Block chain digital asset privacy protection method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110011781A (en) * 2019-03-04 2019-07-12 华中科技大学 A kind of homomorphic cryptography method encrypting and support zero-knowledge proof for transaction amount
CN110473105A (en) * 2019-08-20 2019-11-19 深圳市网心科技有限公司 A kind of block chain transaction settlement method, system and relevant device
CN110933045A (en) * 2019-11-08 2020-03-27 中国电子科技网络信息安全有限公司 Block chain digital asset privacy protection method based on commitment
US20200342452A1 (en) * 2019-04-25 2020-10-29 Jpmorgan Chase Bank, N.A. Systems and methods for anonymous cryptocurrency transactions
CN111966976A (en) * 2020-07-22 2020-11-20 复旦大学 Anonymous investigation method based on zero knowledge proof and block chain

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110011781A (en) * 2019-03-04 2019-07-12 Huazhong University of Science and Technology A homomorphic encryption method for encrypting transaction amounts that supports zero-knowledge proofs
US20200342452A1 (en) * 2019-04-25 2020-10-29 Jpmorgan Chase Bank, N.A. Systems and methods for anonymous cryptocurrency transactions
CN110473105A (en) * 2019-08-20 2019-11-19 Shenzhen Onething Technologies Co., Ltd. (深圳市网心科技有限公司) A blockchain transaction settlement method, system and related device
CN110933045A (en) * 2019-11-08 2020-03-27 China Electronics Technology Cyber Security Co., Ltd. (中国电子科技网络信息安全有限公司) Commitment-based blockchain digital asset privacy protection method
CN111966976A (en) * 2020-07-22 2020-11-20 Fudan University Anonymous survey method based on zero-knowledge proof and blockchain

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Shubham Sahai et al.: "Enabling Privacy and Traceability in Supply Chains using Blockchain and Zero Knowledge Proofs", 2020 IEEE International Conference on Blockchain (Blockchain) *
Zhaoyang Wang et al.: "DAPS: A Decentralized Anonymous Payment Scheme with Supervision", Algorithms and Architectures for Parallel Processing *
Liu Zirun et al.: "Blockchain privacy protection technology", Computer Engineering and Design *
Li Gongliang et al.: "Blockchain privacy protection algorithm based on zero-knowledge proof", Journal of Huazhong University of Science and Technology (Natural Science Edition) *
Pei Qingqi et al.: "Secret sharing scheme based on self-certified identity", Chinese Journal of Computers *

Also Published As

Publication number Publication date
CN112765668B (en) 2023-01-03

Similar Documents

Publication Publication Date Title
Zhang et al. A blockchain-based multi-cloud storage data auditing scheme to locate faults
US20240054437A1 (en) Blockchain-Based Authentication And Authorization
US11743052B2 (en) Platform for generating authenticated data objects
US11451392B2 (en) Token-based secure data management
US10333696B2 (en) Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency
US20190386814A1 (en) Systems and Methods for Implementing an Efficient, Scalable Homomorphic Transformation of Encrypted Data with Minimal Data Expansion and Improved Processing Efficiency
Wang et al. Privacy-preserving public auditing for data storage security in cloud computing
Azad et al. PrivBox: Verifiable decentralized reputation system for online marketplaces
JP2019508950A (en) Data transfer control method and system based on integrated block chain
Han et al. A survey on blockchain-based integrity auditing for cloud data
WO2012102203A1 (en) Confidential product-sum computation method, confidential product-sum computation system, computation apparatus, and program for same
US20190305968A1 (en) Human-solved puzzles as proof-of-work for blockchain
Papadimitriou et al. DStress: Efficient differentially private computations on distributed data
WO2020160391A1 (en) An efficient, environmental and consumer friendly consensus method for cryptographic transactions
Li et al. A decentralized and secure blockchain platform for open fair data trading
CN111861480B (en) Traffic detection model transaction method and device, electronic equipment and storage medium
CN109660352A A blockchain-based method, apparatus and terminal device for recording distribution relationships
US20230237437A1 (en) Apparatuses and methods for determining and processing dormant user data in a job resume immutable sequential listing
US8117456B2 (en) Network system, server and information terminal for list matching
CN112765668B (en) Zero-knowledge proof privacy protection method, system, storage medium and equipment
Wang et al. A fair and privacy-preserving image trading system based on blockchain and group signature
Cho et al. Verifiable credential proof generation and verification model for decentralized SSI-based credit scoring data
Liang et al. Decentralized crowdsourcing for human intelligence tasks with efficient on-chain cost
Peters et al. IT security for measuring instruments: Confidential checking of software functionality
CN116527322A (en) Combined credit investigation method and device based on block chain and privacy calculation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 710071 Xi'an Electronic and Science University, 2 Taibai South Road, Shaanxi, Xi'an

Applicant after: XIDIAN University

Applicant after: Xi'an Lianrong Technology Co.,Ltd.

Address before: 710071 Xi'an Electronic and Science University, 2 Taibai South Road, Shaanxi, Xi'an

Applicant before: XIDIAN University

Applicant before: XI'AN XIDIAN LIANRONG TECHNOLOGY Co.,Ltd.

GR01 Patent grant