JP6754319B2 - Blockchain update system, server device, client device, blockchain update method, and program - Google Patents

Description

The present invention relates to a blockchain technology for the purpose of preventing tampering, and more particularly to a technology that uses request calculation of a client-server model to update a blockchain.

As a technique for safely requesting a calculation from another person in an online network such as the Internet, there is a request calculation (Server-aided Computation) (see, for example, Non-Patent Document 1). Non-Patent Document 1 describes Outsourcing Pairing Computation on an elliptic curve as a technique for request calculation.

Examples of the technology using a blockchain for the purpose of preventing tampering include Bitcoin (see, for example, Non-Patent Document 2) and Ethereum (see, for example, Non-Patent Document 3). Bitcoin and Ethereum use hash functions as an implementation of one-way functions. Bitcoin uses SHA-256 as the hash function, and Ethereum uses Keccak-256 and Keccak-512 (so-called SHA-3) as the hash function.

Aurora Guillevic and Damien Vergnaud, "Algorithms for Outsourcing Pairing Computation", [online], [Search May 15, 2017], Internet <URL: https://www.cardis.org/proceedings/cardis_2014/pdf/CARDIS2014_12 .pdf> Satoshi Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System", [online], [Searched May 15, 2017], Internet <URL: https://bitcoin.org/bitcoin.pdf> DR. GAVIN WOOD, "ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER", [online], [Search May 15, 2017], Internet <URL: http://gavwood.com/Paper.pdf>

Bitcoin and Ethereum provide cryptocurrencies to miners as a reward for successful mining. In other words, in order to proceed with the renewal of the blockchain, it is necessary to take measures to give the miners a positive incentive. This success fee creates free mining competition among miners, but as a result, there is a problem that the overlapping part of calculation increases when looking at the entire system.

In order to eliminate the overlapping part of the calculation, it is conceivable to create a centralized server device and that server device performs mining. However, in this case, the problem is that the mining load is concentrated on the server device. In addition, a mechanism is conceivable in which the mining search space is divided and redistributed to the client device so that the load is not concentrated on the server device. However, in this case, the problem is that the client device knows the mining result before the server device.

An object of the present invention is to realize a blockchain renewal technique capable of renewing a blockchain safely and efficiently in view of the above points.

In order to solve the above problems, the blockchain update system of the present invention includes at least one server device and a plurality of client devices. The server device divides the search space of the blockchain proof of work into a format that can be calculated in parallel to generate a plurality of post-division search spaces, and a search space division unit that can calculate each of the post-division search spaces. A search space conversion unit that converts and generates a plurality of post-conversion search spaces, a request calculation request unit that sends any one of the post-conversion search spaces to the client device that requested the transaction, and a block for the post-conversion search space. The calculation result receiver that receives the request calculation result of the chain one-way function and the information necessary for confirming the transaction from the client device that requested the transaction, and the calculation result of the one-way function that is the inverse conversion of the request calculation result. A calculation result verification unit that verifies whether the information required for transaction confirmation is correct, and a blockchain update unit that updates the blockchain using the calculation results if the calculation results satisfy the specified conditions. And, including. The client device includes a transaction request transmission unit that requests a transaction from the server device, a request calculation execution unit that calculates a unidirectional function using the converted search space received from the server device, and obtains a request calculation result, and a request calculation. It includes a calculation result transmitter that transmits the result and information necessary for confirming the transaction to the server device.

In the present invention, since the server device requests the client device for the request calculation, the calculation resource can be obtained from the client device, so that the load on the server device is reduced as compared with the case where only the server device performs mining. In addition, since the server device does not provide a transaction unless it can be verified that the request calculation has been performed correctly, it is possible to reduce casual attacks and brute force attacks related to transactions from the client device. In addition, since the server device uses request calculation to convert the original information into a format that does not leak, the client device does not leak information about mining. Furthermore, since the server device divides the mining space in parallel and allocates it to the client device, it is possible to reduce the overlap of calculation as compared with the case of free competition mining, so that the calculation resource of the entire system is more efficient. Can be used for. Therefore, according to the present invention, the blockchain can be updated safely and efficiently.

FIG. 1 is a diagram illustrating a functional configuration of a blockchain update system. FIG. 2 is a diagram illustrating a functional configuration of the server device. FIG. 3 is a diagram illustrating a functional configuration of the client device. FIG. 4 is a diagram illustrating a processing procedure of the blockchain update method. FIG. 5 is a diagram for explaining the data structure of the blockchain. FIG. 6 is a diagram for explaining the division and transformation of the Proof of Work (PoW) search space.

Hereinafter, embodiments of the present invention will be described in detail. In the drawings, components having the same function are designated by the same reference numeral, and duplicate description will be omitted.

An embodiment of the present invention is a blockchain update system and method for updating a blockchain for the purpose of preventing tampering in an online network such as the Internet by using request calculation. In the blockchain update system and method of the embodiment, for example, a pairing operation on an elliptic curve is used as an implementation method of a one-way function in the blockchain. Further, as a transaction request that triggers request calculation, for example, client authentication in which the server device verifies the validity of the client device is used. Further, as the request calculation, for example, a pairing proxy calculation is used.

A configuration example of the blockchain update system of the embodiment will be described with reference to FIG. The blockchain update system includes at least one server device 1 and a plurality of client devices 2 ₁ , ..., 2 _N (N ≧ 2). In this embodiment, the server device 1 and the client devices 2 ₁ , ..., 2 _N are connected to the communication network 3, respectively. The communication network 3 is a circuit-switched or packet-switched communication network configured so that each connected device can communicate with each other. For example, the Internet, LAN (Local Area Network), WAN (Wide Area Network). Etc. can be used.

As shown in FIG. 2, for example, the server device 1 included in the blockchain update system includes a blockchain storage unit 10, a search space division unit 11, a search space conversion unit 12, a transaction request reception unit 13, and a request calculation request unit 14. , The calculation result receiving unit 15, the calculation result verification unit 16, and the blockchain updating unit 17. The client device 2 _i (i = 1, ..., N) included in the blockchain update system includes, for example, a transaction request transmission unit 21, a request calculation execution unit 22, and a calculation result transmission unit 23, as shown in FIG. Including. The server device 1 is block chain updating method embodiments are realized by performing the processing of each step shown in FIG. 4 with cooperation with the client device 2 _i.

In the server device 1 and the client device 2 _i , for example, a special program is read into a known or dedicated computer having a central processing unit (CPU), a main memory (RAM: Random Access Memory), and the like. It is a special device configured. The server device 1 and the client device 2 _i execute each process under the control of the central processing unit, for example. The data input to the server device 1 and the client device 2 _i and the data obtained by each process are stored in the main storage device, for example, and the data stored in the main storage device is stored in the central processing unit as needed. It is read out and used for other processing. At least a part of each processing unit of the server device 1 and the client device 2 _i may be configured by hardware such as an integrated circuit.

Hereinafter, the processing procedure of the blockchain update method executed by the blockchain update system of the embodiment will be described with reference to FIG.

The blockchain storage unit 10 of the server device 1 stores the blockchain to be updated. As shown in FIG. 5, this blockchain is on the elliptic curve G ₁ obtained from the output result of the one-way function of the previous block and the value (item) added in the current block. The one-way function is calculated using the point P of and the point Q on the elliptic curve G ₂ used as an alternative to nonce. The point P is uniquely fixed every time the blockchain is updated. The miner searches for a point Q in which the calculation result of the pairing operation e (P, Q), which is a one-way function, satisfies a predetermined condition while arbitrarily changing the value of the point Q. The predetermined condition is, for example, that the first r bit is 0 (r is a predetermined integer). In the following explanation, G ₁ , G ₂ , and G _T are groups of n bits, and e: G ₁ × G ₂ → G _t is a pairing operation.

In step S11, the search space division unit 11 of the server device 1 sets the search space Q of the proof of work (PoW) in the blockchain stored in the blockchain storage unit 10 into a format capable of parallel calculation. Divide into m pieces so as to be (see FIG. 6). In the following description, the divided search space (also called the search space after division) is Q ₁ , Q ₂ , ..., Q _m . That is, Q: = {Q ₁ , Q ₂ ,…, Q _m }. m is a predetermined integer, for example, the client device 2 _i of the number N, may be appropriately set in view of the computing resources of the client device 2 _i. Since the search space Q is a set of points on the elliptic curve G ₂ , the search space can be divided based on the number of points included in the search spaces Q ₁ , Q ₂ ,…, and Q _m after each division. Alternatively, it may be performed based on the range on the elliptic curve G ₂ . The search space division unit 11 inputs the search spaces Q ₁ , Q ₂ , ..., Q _m after division to the search space conversion unit 12.

In step S12, the search space conversion unit 12 of the server device 1 receives the post-division search space Q ₁ , Q ₂ , ..., Q _m from the search space division unit 11, and the post-division search space Q ₁ , Q ₂ , ..., Convert each Q _m into a format that can be calculated by request (see Fig. 6). In addition, the output P of the one-way function corresponding to the last block of the blockchain is converted into a format that can be calculated by request. In the following description, the converted split after search space (also referred to as a transformed search _{space) Q '1, Q' 2} , ..., Q ' and _m, transformed output of the one-way function (converted one direction (Also called sex function output) is P'. Specifically, the k and 1 m or more or less of each integer, for each k, P ': = aP, Q' k: = calculating the bQ _k. However, a and b are predetermined values a and b ← {0, 1} ⁿ . Further, the search space conversion unit 12 calculates c: = (ab) ^-1 using a and b, and stores the calculation result c. Since a and b can be as long as the security parameter length, they can be calculated on average faster than ordinary elliptical scalar multiplication. Search space converter 12, converted search space _{Q '1, Q' 2,} ..., and inputs the Q _'m and converted one-way function output P' to request computation request section 14.

In step S21, the transaction request transmission unit 21 of the client device 2 _i transmits a predetermined transaction request to the server device 1. This transaction is used as an opportunity for the blockchain update process, and may be unrelated to the blockchain, but it is desirable that it occurs regularly. Here, it is assumed that a client authentication request for verifying the validity of the client device 2 _i is transmitted to the server device 1.

In step S13, the transaction request receiving unit 13 of the server device 1 receives the transaction request transmitted by the client device 2 _i . The transaction request receiving unit 13 inputs information indicating the client device 2 _i that has transmitted the transaction request to the request calculation request unit 14.

In step S14, request calculation request unit 14 of the server device 1 searches the converted from space converter 12 search space _{Q '1, Q' 2,} ..., receives the Q _'m and converted one-way function output P' , converted search space Q _'1, Q' _2, ..., and Q 'either after is one conversion search space Q of _{m' j (1 ≦ j ≦} m) and converted one-way function output P ' Is transmitted to the client device 2 _i that has transmitted the transaction request. Usually, the converted search space Q _'j contains more points obtained by converting the point on the elliptic curve G _2, and transmits all of its points to the client device 2 _i.

In step S22, request calculation execution unit 22 of the client device 2 _i receives the converted search space Q and 'a _j converted one-way function output P' from the server device 1, and converted search space Q _'j The pairing operation, which is a blockchain one-way function, is calculated using the converted one-way function output P'and the request calculation result e (P', _Q'j ) is obtained. If the point of converting the point on the elliptic curve G ₂ in the converted search space Q _'j contains multiple, to calculate a pairing operation for all the points. That is, requests the calculation result _{e (P ', Q' j} ) will be present only the number of points included in the converted search space Q _'j. The request calculation request unit 14 inputs the request calculation result e (P', _Q'j ) to the calculation result transmission unit 23.

In step S23, the client device 2 _i calculation results transmitter 23, request the calculation result from the request computation request section 14 e (P ', Q' j) receive, request calculation result _{e (P ', Q' j} ) and The information necessary for confirming the transaction is transmitted to the server device 1. The information required to confirm a transaction is determined based on the type of transaction. Since client authentication is used as the transaction in this embodiment, the information required for confirming the transaction is, for example, authentication information unique to the client device 2 _i such as the value of the one-time password.

In step S15, the calculation result receiving unit 15 of the server device 1 receives the request calculation result e (P', _Q'j ) from the client device 2 _i and the information necessary for confirming the transaction. The calculation result receiving unit 15 inputs the request calculation result e (P', _Q'j ) and the information necessary for confirming the transaction into the calculation result verification unit 16.

In step S16, the calculation result verification unit 16 of the server device 1 receives the request calculation result e (P', _Q'j ) and the information necessary for confirming the transaction from the calculation result receiving unit 15, and the request calculation result e ( P ', Q' calculation result e (P a one-way function that inversely converts the _j), and a Q _j) and required to verify the transaction information to verify correct or not. Request calculation result _{e (P ', Q' j} ) If there is more than one, all requests calculation result _{e (P ', Q' j} ) to verify correct or not on. The inverse transformation of the request calculation result e (P', _Q'j ) is calculated as follows using the bilinearity of the pairing operation. In addition, "^" represents a superscript in the superscript. That is, "(ab) ^ ^-1 " is "ab ^-1 ".

_{e (P ', Q' j} ) c = e (aP, bQ j) (ab) ^ - 1 = e (P, Q j) (ab) (ab) ^ - 1 = e (P, Q j)
Whether or not the information required for transaction confirmation is correct may be determined by using a general authentication means according to the type of authentication information. Judgment as to whether or not the calculation result e (P, Q _j ) of the pairing operation is correct can be realized by the procedure described in "5.1 Self-corrector for bilinear function" in Reference 1 below.
[Reference 1] Tsuyoshi Yamamoto, Tetsutaro Kobayashi, "Self-correction for homomorphic maps", The 2010 Symposium on Cryptography and Information Security (SCIS2010), 2D2-3

The calculation result verification unit 16 determines that the verification of the calculation result e (P, Q _j ) obtained by inversely converting the request calculation result e (P', _Q'j ) and the information required for transaction confirmation is correct. Allow access to client device 2 _i . If either is not correct, it rejects the access of the client device 2 _i. When permitting access, the calculation result verification unit 16 inputs the calculation result e (P, Q _j ) to the blockchain update unit 17.

In step S17, the block chain update unit 17 of the server device 1, the calculation result calculated result from the verification unit 16 e (P, Q _j) receive, the calculation result e (P, Q _j) satisfy predetermined conditions to Verify if exists. If there is something that meets the specified conditions, the blockchain is updated using the calculation result e (P, Q _j ). Specifically, if there is a point Q _j that satisfies e (P, Q _j ) ≤ 2 ^nr -1, the blockchain is updated using that point Q _j . By updating the blockchain, the output result of the one-way function to be passed to the next block is determined.

In the above embodiment, the client authentication using the one-time password is mentioned as the transaction, but the M-Pin described in Reference 2 below may be used. In the M-Pin, the client device 2 _i performs scalar multiplication on an elliptic curve based on the value y obtained from the server device 1, and returns the calculation result V to the server device 1. M-Pin, the client device 2 _i already have the computing power on the elliptic curve, and, since the use of it at the time of authentication, the above embodiment and the affinity is higher client authentication method.
[Reference 2] Michael Scott, "M-Pin Full Technology (Version 3.1)", [online], [Searched May 15, 2017], Internet <URL: https://www.miracl.com/hubfs /mpinfull_3.1.pdf>

With the above configuration, the following effects can be obtained according to the blockchain update system of the embodiment. First, since the server device 1 can obtain calculation resources from the client device 2 _i , the load on the server device 1 is reduced as compared with the case where only the server device 1 performs mining. Further, since the server device 1 does not provide a transaction unless it can be verified that the request calculation has been performed correctly, it is possible to reduce casual attacks and brute force attacks related to transactions from the client device 2 _i side. Further, since the server device 1 converts the original information into a format that does not leak using the request calculation, the client device 2 _i does not leak the information related to mining. Further, by allocating server 1 divides the mining space in parallel to the client device 2 _i, it is possible to reduce the overlapping portion of the calculation as compared with the case of mining free competition, the entire system computing resources It can be used more efficiently. Therefore, according to this embodiment, the blockchain can be updated safely and efficiently.

Although the embodiments of the present invention have been described above, the specific configuration is not limited to these embodiments, and may be appropriately modified in design without departing from the spirit of the present invention. Needless to say, it is included in the present invention. The various kinds of processing described in the embodiments may be executed not only in time series according to the order described, but also in parallel or individually according to the processing capability of the device that executes the processing or the need.

[Program, recording medium]
When various processing functions in each device described in the above embodiment are realized by a computer, processing contents of functions that each device should have are described by a program. By executing this program on a computer, various processing functions of the above-described devices are realized on the computer.

The program describing the processing content can be recorded on a computer-readable recording medium. The computer-readable recording medium may be, for example, a magnetic recording device, an optical disk, a photomagnetic recording medium, a semiconductor memory, or the like.

In addition, the distribution of this program is carried out, for example, by selling, transferring, renting, or the like a portable recording medium such as a DVD or CD-ROM on which the program is recorded. Further, the program may be stored in the storage device of the server computer, and the program may be distributed by transferring the program from the server computer to another computer via a network.

A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. Then, when the process is executed, the computer reads the program stored in its own storage device and executes the process according to the read program. Further, as another execution form of this program, a computer may read the program directly from a portable recording medium and execute processing according to the program, and further, the program is transferred from the server computer to this computer. It is also possible to execute the process according to the received program one by one each time. In addition, the above processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition without transferring the program from the server computer to this computer. May be. The program in this embodiment includes information used for processing by a computer and equivalent to the program (data that is not a direct command to the computer but has a property of defining the processing of the computer, etc.).

Further, in this embodiment, the present device is configured by executing a predetermined program on the computer, but at least a part of these processing contents may be realized by hardware.

1 Server device 2 Client device 3 Communication network 10 Blockchain storage unit 11 Search space division unit 12 Search space conversion unit 13 Transaction request reception unit 14 Request calculation request unit 15 Calculation result reception unit 16 Calculation result verification unit 17 Blockchain update unit 21 Transaction request transmission unit 22 Request calculation execution unit 23 Calculation result transmission unit

Claims (6)

A blockchain update system that includes at least one server device and multiple client devices.
The above server device
A search space division unit that divides the search space of the blockchain proof of work into a format that can be calculated in parallel to generate multiple post-division search spaces.
A search space conversion unit that converts each of the above-mentioned post-division search spaces into a request-computable format to generate a plurality of post-conversion search spaces.
A request calculation request unit that transmits any one of the converted search spaces to the client device that requested the transaction, and
A calculation result receiving unit that receives the request calculation result of the blockchain one-way function for the converted search space and the information necessary for confirming the transaction from the client device that requested the transaction.
A calculation result verification unit that verifies whether the calculation result of the one-way function obtained by inversely converting the request calculation result and the information necessary for confirming the transaction are correct.
If any of the above calculation results satisfies a predetermined condition, a blockchain update unit that updates the blockchain using the calculation result, and a blockchain update unit.
Including
The above client device
A transaction request transmitter that requests the transaction to the server device, and
A request calculation execution unit that calculates the one-way function using the converted search space received from the server device and obtains the request calculation result.
A calculation result transmission unit that transmits the request calculation result and the information necessary for confirming the transaction to the server device, and
Only including,
Let m and r be predetermined integers, k be 1 or more and m or less, j be 1 or more and m or less, G ₁ , G ₂ , and G _{T be} groups of n bits, and e be. e: G ₁ × G ₂ → G _t pairing, a, b ← {0, 1} ⁿ , c = (ab) ^-1, and P is the above one corresponding to the last block of the blockchain. Let the points on the elliptic curve G ₁ which is the output of the directional function be, and let Q be a set of points on the elliptic curve G ₂ which is the search space of the proof of work of the blockchain .
The search space division unit divides the search space Q into m pieces to generate the search spaces Q ₁ , Q ₂ , ..., Q _m after the division .
The search space conversion unit, P for each k ': = aP, Q' k: = a bQ _k is calculated and the converted search space _{Q '1, Q' 2,} ..., Q 'm and converted after a It produces the one-way function output P'and
The request computation request unit, the converted search space Q _'1, Q' _2, ..., Q the client and _j and the converted one-way function output P '' converted search space Q included in the _m ' It is sent to the device and
The request calculation execution unit calculates e (P', _Q'j ) using the converted search space _Q'j and the converted one-way function output P', and obtains the requested calculation result. Is a thing
The above calculation result verification unit calculates e (P', _Q'j ) ^c = e (P, Q _j ) to obtain the above calculation result e (P, Q _j ).
The blockchain update unit updates the blockchain using the calculation result e (P, Q _j ) that satisfies e (P, Q _j ) ≤ 2 ^nr -1 .
Blockchain update system. The server device used in the blockchain update system according to claim 1 . The client device used in the blockchain update system according to claim 1 . A blockchain update method executed by a blockchain update system including at least one server device and a plurality of client devices.
The server device divides the search space of the blockchain proof of work into a format that can be calculated in parallel to generate a plurality of post-division search spaces.
The server device converts each of the divided search spaces into a format that can be requested and calculated to generate a plurality of converted search spaces.
The client device requests a transaction from the server device,
The server device transmits any one of the converted search spaces to the client device that requested the transaction.
The client device calculates the one-way function of the blockchain using the converted search space received from the server device, and obtains the request calculation result of the one-way function of the blockchain.
The client device transmits the request calculation result and the information necessary for confirming the transaction to the server device.
The server device receives the request calculation result and the information necessary for confirming the transaction from the client device that requested the transaction.
The server device verifies whether the calculation result of the one-way function obtained by inversely converting the request calculation result and the information necessary for confirming the transaction are correct.
If any of the above calculation results satisfies a predetermined condition, the server device updates the blockchain using the calculation result .
Let m and r be predetermined integers, k be 1 or more and m or less, j be 1 or more and m or less, G ₁ , G ₂ , and G _{T be} groups of n bits, and e be. e: G ₁ × G ₂ → G _t pairing, a, b ← {0, 1} ⁿ , c = (ab) ^-1, and P is the above one corresponding to the last block of the blockchain. Let the points on the elliptic curve G ₁ which is the output of the directional function be, and let Q be a set of points on the elliptic curve G ₂ which is the search space of the proof of work of the blockchain .
The server device divides the search space Q into m pieces to generate the search spaces Q ₁ , Q ₂ , ..., Q _m after the division .
It said server device, P for each k ': = aP, Q' k: = a bQ _k is calculated and the converted search space _{Q '1, Q' 2,} ..., Q 'm and converted unidirectional Generate function output P'and
Said server apparatus, the converted search space Q _'1, Q' _2, ..., Q and _j and the converted one-way function output P '' converted search space Q included in _m 'to the client apparatus Send and
The client device calculates e (P', _Q'j ) using the converted search space _Q'j and the converted one-way function output P', and obtains the requested calculation result.
The server device calculates e (P', _Q'j ) ^c = e (P, Q _j ) to obtain the above calculation result e (P, Q _j ).
The server device updates the blockchain using the calculation result e (P, Q _j ) satisfying e (P, Q _j ) ≤ 2 ^nr -1 .
How to update the blockchain. Program for causing a computer to function as the server equipment according to claim 2. The program for operating a computer as the client device according to claim 3.

Images