KR102494873B1 - Transaction execution device to implement a virtual machine based on a zero-knowledge proof circuit for general operation verification - Google Patents

Abstract

The present invention relates to a transaction execution device for realizing a virtual machine based on a zero-knowledge proof circuit for verifying general operations. Including, but when a transaction is requested from any one of the plurality of nodes, at least one of the plurality of nodes checks whether the value encrypted and stored in each note is within a preset validity range, and the input note in a state where the value is encrypted Check whether the sum of values of and the sum of output notes are the same, and if the value is confirmed, delete the input note stored in the note registry, save the output note as a new one, and any one of the plurality of nodes, user input a receiver that receives; Among the plurality of items used in transactions, some items that require encryption are determined according to user input, a smart contract is constructed so that some items are encrypted using elliptic curve cryptography, and some items are encrypted through zero-knowledge proof. One or more processors that perform proof to perform a transaction using a smart contract and store a plurality of result values obtained as a result of performing the transaction; and a memory in which at least one command executed by the processor is stored.

Description

Transaction Execution Device for Implementing Zero-Knowledge Proof Circuit-based Virtual Machine for General Operation Verification

The present invention relates to a transaction execution device for implementing a virtual machine based on a zero-knowledge proof circuit for general operation verification, and more specifically, even if a block chain participant does not know the contents of a block, it performs a role of proof and reporting among all nodes It relates to a transaction execution device for implementing a virtual machine based on a zero-knowledge proof circuit for verifying general operations that allows a node to quickly verify that the contents of a block are not forged or tampered with.

Blockchain refers to a distributed digital ledger in which the integrity of transaction details is secured and participants share the details without the intervention of a trusted third party (Trusted Third Parity) in a P2P (Peer to Peer) network.

Blockchain can be divided into public blockchain and private blockchain. Public blockchain is an unspecified number of people participating in the network, and the advantage of high reliability is that all people who transact have records However, it has the disadvantage that it is difficult to change the initial rule and it is slow.

The private blockchain is a blockchain with limited participants, and has the advantage of being faster and more efficient than the public one.

On the other hand, a smart contract function has emerged to conclude and fulfill various types of contracts such as financial transactions, real estate contracts, and notarization based on blockchain. This is a program that records the contract conditions in the blockchain and automatically executes the contract when the conditions are met. Since the developer can directly code the contract conditions and contents, in principle, it is possible to implement all types of contracts that humans can imagine. can For example, various types of contracts can be implemented using the Ethereum platform.

However, there is a problem in that all information is disclosed when using smart contracts, and the demand for conducting transactions by keeping only the items desired by the user in the transaction is increasing.

A representative example of blockchain application is cryptocurrency such as Bitcoin and Ethereum. After Ethereum introduced the Ethereum Virtual Machine (EVM), the EVM allows users to program their own way rather than performing a predefined series of tasks.

However, EVM has a problem in that efficiency is very low compared to existing virtual machines such as JVM (Java Virtual Machine) and it is difficult to support complex application environments.

Numerous blockchain implementations have emerged over the past decade, but no innovation has occurred in terms of accumulating and storing transactions, and in this case, there is a limit to scalability because all transaction contents must be verified.

In other words, since a separate verification algorithm is used for each type of transaction, there is a problem that the verification burden increases as the size of the transaction increases. We need to lead structural innovation.

Blockchain is divided into a simple form of block chain made of UTXO (Unspent Transaction Output), represented by Bitcoin, and a complex form of block chain that handles a state tree, such as Ethereum.

Currently, zero-knowledge proofs are used only when processing some transactions on simple blockchains. At this time, the zero-knowledge proof refers to a system in which a prover proves to a verifier that he or she knows knowledge without disclosing the knowledge and information that the prover knows.

The purpose of the present invention is to provide a transaction execution device for realizing a virtual machine based on a zero-knowledge proof circuit for general operation verification that enables general transactions through a universally usable block chain by using smart contracts and zero-knowledge proofs. do.

In addition, the present invention does not limit the data on the blockchain to a ledger, but expands it to a smart contract, encrypts some of it, and proves the encrypted data through zero-knowledge proof so that a transaction can be made. It is an object of the present invention to provide a transaction execution device for implementing a zero-knowledge proof circuit-based virtual machine for general operation verification that can be used universally by encrypting with .

In addition, since the private key and the group private key are used together to sign the transaction, even if the private key is hacked, it is a zero-knowledge proof for general operation verification that can prevent damage caused by hacking by requesting the signature of the group private key. An object of the present invention is to provide a transaction execution device for implementing a circuit-based virtual machine.

In addition, the present invention is to provide a virtual machine based on a zero-knowledge proof circuit for general operation verification and an execution method thereof that enable zero-knowledge proof to be used not only for predefined types of transactions but also for various types of transactions desired by users. The purpose.

In addition, the present invention is for general operation verification, which allows a node that plays a role of proof and reporting among all nodes to quickly verify that the contents of a block are not forged or tampered with, even if the block chain participants do not know the contents of the block. Its purpose is to provide a zero-knowledge proof circuit-based virtual machine and its execution method.

In addition, an object of the present invention is to provide a zero-knowledge proof circuit-based virtual machine for verifying general operations and an execution method thereof, which rapidly increase the block sync speed to participants so that new participants can quickly participate in the network.

In addition, when the zero-knowledge proof technology is applied to transactional data storage, the present invention prunes actual data and compresses data in a manner that leaves only evidence for the data, thereby saving data storage space. Its purpose is to provide a zero-knowledge proof circuit-based virtual machine for verification and its execution method.

According to a preferred embodiment of the present invention, a plurality of nodes that share information on a blockchain that shares a distributed database and hold a private key and a public key, but when a transaction is requested from any one of the plurality of nodes, At least one of the plurality of nodes checks whether the value encrypted and stored in each note is within a preset valid range, and whether the sum of the values of the input note and the sum of the values of the output note are the same in a state where the value is encrypted. a receiver that checks whether or not the value is confirmed, deletes the input note stored in a note registry, and newly stores the output note, and any one of the plurality of nodes receives a user input; Among the plurality of items used in the transaction, some items requiring encryption are determined according to the user's input, and a smart contract is constructed so that the partial items are encrypted using an elliptic curve encryption method, and zero-knowledge Proof is performed to perform a transaction using the smart contract, and a plurality of result values obtained as a result of the transaction are stored, and a predetermined hash algorithm is used for some of the public keys of nodes joined to a specific group. A group secret key having the same number of bits as the secret key is generated at a predetermined period from the synthesized bit string by performing a predetermined bit operation on each series of bit strings, one or more processors distributing the group secret key to nodes joined to the specific group; and a memory in which at least one command executed by the processor is stored, and when any one of the plurality of nodes is subscribed to the specific group, the processor controls the addition or withdrawal of a node from the specific group. When a change occurs, the group private key is newly generated based on the public key of a node joined to the specific group after the change occurs, and distributed to nodes joined to the specific group after the change occurs, and the plurality of The node generates a general operation verification circuit having the number of reference instructions, the number of reference machine steps, and the size of the reference system, and the general operation verification circuit and zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) a circuit generator for verifying a general operation that generates a proof key and a verification key using an algorithm; a prover terminal generating evidence using a proof key including the circuit for verifying the general operation, coefficients of polynomial functions obtained through the zk-SNARK algorithm, and information necessary for verification and proof among the circuits for verifying the general operation; and a verifier terminal that verifies whether the evidence is valid using a verification key including the circuit for verifying the general operation, information necessary for verification and verification in the circuit for verifying the general operation, and the evidence. The circuit generator for verification of operation includes a circuit generation module for generating a circuit for verification of general operation that operates in any program having the number of reference instructions, the number of reference machine steps, and the size of a reference system; General operation verification including a zk-SNARK key generation module that generates a proof key and a verification key using security parameters and the circuit generated by the circuit generation module after receiving key generator information, prover information, and verifier information In a transaction execution device for implementing a zero-knowledge proof circuit-based virtual machine for general operation verification, if the transaction execution device for implementing the zero-knowledge proof circuit-based virtual machine for general operation verification performs verification of evidence without executing a transaction, A storage unit, a code generation unit, a compiler, a stack, and a code execution unit are further included to check whether a corresponding transaction is a correct transaction, wherein the storage unit stores evidence generated by the prover terminal 300, and the code generation unit The evidence stored in the storage unit generates code coded in Solidity language, and the code generated by the code generation unit is compiled by the compiler and converted into Ethereum bytecode for operation in a virtual machine, and the compiler The code generated by the code generation unit is compiled to generate Ethereum bytecode, the Ethereum bytecode is provided to the code execution unit, and the code execution unit executes the Ethereum bytecode generated by the compilation unit. After verifying the evidence, the Ethereum bytecode is separated into opcodes and stored in the stack. The code is stored, and when the verifier terminal presents a plurality of problems to the prover terminal, the prover terminal uses recursive zero-knowledge proof to obtain evidence 1 corresponding to the first problem (Question 1) among the plurality of problems. (Proof 1) is generated, Proof 2 (Proof 2) is created using the second question (Question 2) and the evidence 1 (Proof 1) among the plurality of questions, and the third final question (Question 1) is generated. 3) and Proof 2 above for the third question (Question 3). Final proof 3 (Proof 3) is generated, and the prover terminal uses proof 1 (Proof 1) corresponding to the first problem (Question 1) to obtain final proof 3 corresponding to the third final problem (Question 3) (Proof 3) is not submitted for each of the plurality of problems, but only the final proof 3 (Proof 3) excluding proofs 1, 2, and 3 is submitted to the verifier terminal, and the verifier terminal is characterized by proving the legitimacy of the final proof 3 and the remaining proofs 1, 2, and 3 related to the final proof 3 by verifying only the final proof 3.

According to another embodiment of the present invention, the at least one command is executed to receive a transaction including authentication information of a user and a unique value of the authentication device from an authentication device, and based on the authentication information, the smart contract to determine a user's token stored in , authenticate a user based on validity information of the token, ownership information of the token and the transaction, and determine whether the token is valid based on the validity information of the token. characterized by

According to another embodiment of the present invention, when the transaction is an auction, the transaction conditions set in the smart contract include a transaction start time and a transaction progress time, and the transaction executed by the smart contract is the set transaction start time It is characterized in that the transaction starts at , and the transaction ends after the set transaction progress time has elapsed.

According to another embodiment of the present invention, the transaction executed by the smart contract is characterized in that the bidding is stopped when the buyer attempts to bid for the same auction for the second time.

According to another embodiment of the present invention, at least one first node among the plurality of nodes generates at least one transaction including identification information and transaction information of specific nodes, and at least one of the plurality of nodes A second node generates at least one main block including both a block header and a block body based on the identification information and the transaction information, and at least one second node among the plurality of nodes generates the identification information and the transaction information. Based on the information, at least one sub-block including only the header of the block is generated, and the at least one main block or the sub-block in which the at least one second node is generated is transferred to the specific nodes based on the identification information. And it is characterized in that it is differentially shared with the rest of the nodes except for the specific node.

According to another embodiment of the present invention, the processor is configured to execute computer readable instructions contained in the memory, perform a data privacy-related agreement with a user, and perform a data privacy-related agreement with a user according to the data privacy-related agreement. It is characterized in that the user data is delivered to the service by using a contract with a service to access user data corresponding to information.

According to another embodiment of the present invention, the processor independently creates a public blockchain and a private blockchain, stores public data in a public block of the public blockchain, and stores private data in a public block of the private blockchain. Store in a private block, simultaneously create a private block of the private blockchain when creating a public block of the public blockchain, and record the hash value of the simultaneously created private block and the hash value of the previous public block in the header of the public block And, when creating a private block of the private blockchain, the hash value of the previous private block is recorded in the header of the corresponding private block.

According to another embodiment of the present invention, the processor obtains information about the smart contract, obtains one or more simulation transaction information from a database, and assigns the simulation transaction information to the transaction conditions of the smart contract. Acquiring, comparing the obtained result with the simulation transaction information, and verifying the integrity of the smart contract based on the comparison result between the obtained result and the simulation transaction information.

According to another embodiment of the present invention, the circuit generation module 210 implements a virtual machine based on a zero-knowledge proof circuit for general operation verification, characterized in that it generates a circuit for general operation verification using Equation 1. transaction execution device to do so.

[Equation 1]

C =

C: Circuit

: 기준 명령어의 개수,

: the number of reference commands,

T: the number of reference machine steps,

n: the size of the reference system

According to another embodiment of the present invention, the prover terminal 300 generates evidence using the proof key generated by the general operation verification circuit generator 200, but uses Equation 2 to generate the evidence. generate, calculate the coefficient of the polynomial function through Equation 2, generate the proof using the coefficient of the polynomial function, the proof of the QAP, and the public key, and the verifier terminal 400 uses a part of the verification key and verification Equation 3 is calculated using the information necessary for proof and Equation 3 is calculated, 12 pairings are calculated using the result value of Equation 3 and the verification key, and necessary checks are performed. It is characterized in that the amount of calculation required for the calculation of , which is the calculation result of Equation 3, can be reduced by using the multiplication technique.

[Equation 2]

: QAP 인스턴스인

와 QAP의 증거

에서 파생

: QAP instance

and evidence of QAP

derived from

[Equation 3]

vk: verification key,

n: input size,

C: Circuit

According to the present invention, by using smart contracts and zero-knowledge proof, general transactions are possible through a universally usable block chain.

In addition, according to the present invention, the data uploaded to the blockchain is not limited to a ledger, but is expanded to a smart contract, part of it is encrypted, and the encrypted part is proved through zero-knowledge proof so that a transaction can be made, so that the person who makes the smart contract wants By selectively encrypting, it is possible to use it universally.

In addition, according to the present invention, since a private key and a group private key are used together to sign a transaction, even if the private key is hacked, damage due to hacking can be prevented by requesting a signature of the group private key.

In addition, there is an advantage that general operation verification is possible, and according to the present invention, there is an advantage that zero-knowledge proof can be used for various types of transactions desired by users as well as predefined types of transactions.

In addition, according to the present invention, even if a blockchain participant does not know the contents of a block, there is an advantage in that a node performing a role of proof and reporting among all nodes can quickly verify that the contents of a block are not forged or tampered with.

In addition, according to the present invention, there is an advantage in that new participants can quickly join the network by rapidly increasing the block sync speed to the participants.

In addition, according to the present invention, when the zero-knowledge proof technology is applied to transactional data storage, there is an advantage in that data storage space can be saved by compressing data in a way that prunes actual data and leaves only proof of the data. there is.

1 is a block diagram of a transaction execution device for implementing a virtual machine based on a zero-knowledge proof circuit for verifying general operations according to an embodiment of the present invention.
2 is a diagram illustrating a process of performing a transaction on a blockchain according to an embodiment of the present invention.
3 is a block diagram of a plurality of nodes according to an embodiment of the present invention.
4 is a diagram illustrating a process of performing a transaction on a blockchain according to another embodiment of the present invention.
5 is a block diagram of a block chain of nodes according to an embodiment of the present invention.
1 is a block diagram for explaining the internal structure of a transaction execution device for implementing a virtual machine based on a zero-knowledge proof circuit for verifying general operations according to an embodiment of the present invention.
2 is a block diagram for explaining the internal structure of a circuit generator for verifying general operations according to an embodiment of the present invention.
3 is a flowchart for explaining an embodiment of a method for generating a zero-knowledge proof circuit for verifying general operations according to the present invention.
4 is an exemplary diagram for explaining a process of generating a zero-knowledge proof circuit for verifying general operations according to the present invention.

The above objects, features and advantages will be described later in detail with reference to the accompanying drawings, and accordingly, those skilled in the art to which the present invention belongs will be able to easily implement the technical spirit of the present invention. In describing the present invention, if it is determined that the detailed description of the known technology related to the present invention may unnecessarily obscure the subject matter of the present invention, the detailed description will be omitted. Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. In the drawings, the same reference numerals are used to indicate the same or similar components.

1 is a block diagram of a transaction execution device for implementing a virtual machine based on a zero-knowledge proof circuit for verifying general operations according to an embodiment of the present invention.

Referring to FIG. 1, a transaction execution apparatus for implementing a virtual machine based on a zero-knowledge proof circuit for general operation verification may be composed of a plurality of nodes 100 capable of communicating with each other through a communication network, and the plurality of nodes 100 Information can be shared on a block chain that shares a distributed database. A plurality of nodes 100 may have a private key and a public key.

First, we will explain the blockchain. Blockchain is a distributed data storage technology that puts data in blocks, connects them in the form of a chain, and replicates and stores them on numerous computers at the same time, called a public ledger.

Transaction records are sent to all users participating in transactions without storing transaction records in a centralized server, and all transaction participants share and compare information for each transaction to prevent forgery or alteration of data.

Blockchain does not store or manage transaction records in a centralized server, but rather maintains and manages a network where individual servers participating in transactions gather, and these individual servers, or participants, are called nodes.

Since there is no central manager, the role of the node distributing the block is important, and a new block is created only when more than half of the participating nodes agree. The nodes store the blockchain in their computers, and even if some nodes are hacked and errors occur in the existing contents, the data remains in the majority of nodes, so the data can be continuously preserved.

In one embodiment of the present invention, a blockchain is implemented with a plurality of nodes 100 as participants, and the plurality of nodes 100 include a first node 110, a second node 120, and a third node ( 130), the fourth node 140, the fifth node 150, and the sixth node 160, and each of the plurality of nodes 100 may be implemented in the form of a terminal or in the form of a server. there is. In one embodiment of the present invention, for convenience, the plurality of nodes 100 are illustrated as 6 nodes, but the present invention is not limited thereto.

In addition, in one embodiment of the present invention, a plurality of nodes 100 can perform transactions by providing a protocol that enables anonymous transactions even on a general-purpose blockchain.

Meanwhile, at least one first node 110 among the plurality of nodes 100 may generate at least one transaction including identification information and transaction information of specific nodes, and at least one of the plurality of nodes 100 The second node may generate at least one main block including both a block header and a block body based on the identification information and the transaction information.

In addition, at least one second node among the plurality of nodes 100 generates at least one sub-block including only the header of the block based on the identification information and the transaction information, and at least one second node is generated. Based on the identification information, the main block or sub-block of can be differentially shared with other nodes excluding specific nodes and specific nodes.

In this way, without designating a group in advance, the block containing the transaction is shared to specific nodes related to the block through the identification information included in the block, and the sub-block containing only the block header is distributed to the remaining nodes unrelated to the block. can be shared automatically.

2 is a diagram illustrating a process of performing a transaction on a blockchain according to an embodiment of the present invention.

First, all notes may be stored in a note registry, and each note may encrypt and store a corresponding value and who owns it.

Referring to FIG. 2, when a transaction occurs, if a transaction is requested from any one of the plurality of nodes 100 on the block chain, in the range proof step (S210), at least one of the plurality of nodes 100 encrypts each note. It is possible to check whether the stored value is within the preset validity range. That is, you can check whether the value of each note is in a valid range.

In the sum transaction step ( S220 ), at least one of the plurality of nodes 100 may check whether the sum of the values of the input notes and the sum of the values of the output notes are the same in a state in which the values are encrypted. That is, it can be checked whether the sum of the values of the input notes and the sum of the values of the output notes are the same.

In the result storage step S230, at least one of the plurality of nodes 100 may delete the input note stored in the note registry and newly store the output note when the value is confirmed. That is, when both the range proof and sum transaction are confirmed, the input notes in the note registry can be deleted and the output notes can be created and registered.

3 is a block diagram of a plurality of nodes according to an embodiment of the present invention.

Referring to FIG. 3 , each of the plurality of nodes 100 may include a receiver 111 , a processor 112 that performs actual calculations, and a memory 113 . In FIG. 3, the first node 110 is representatively illustrated.

The receiver 111 receives user input.

The processor 112 may execute program commands stored in the memory 113 . The processor 112 may mean a central processing unit (CPU), a graphics processing unit (GPU), or a dedicated processor on which methods according to an embodiment of the present invention are performed. The memory 113 may be composed of volatile storage media and/or non-volatile storage media. For example, the memory 113 may include read only memory (ROM) and/or random access memory (RAM).

The memory 113 stores at least one instruction executed through the processor 112 . Here, the processor 112 is configured to execute computer readable instructions contained in the memory 113, perform a data privacy-related agreement with the user, and user data corresponding to the user's personal information according to the data privacy-related agreement. You can pass user data to the service by using a contract with the service you want to access.

In this way, it is possible to provide an optimal balance between the vitalization of the data ecosystem, such as the data-based 4th industry, and the demand for personal privacy protection.

On the other hand, at least one command stored in the memory 113 is executed to receive a transaction including user authentication information and a unique value of the authentication device from the authentication device, and the user's token stored in the smart contract based on the authentication information and authenticate the user based on the validity information of the token, the ownership information of the token and the transaction, and determine whether the token is valid based on the validity information of the token.

In this way, it is possible to provide high security by performing user authentication using a non-fungible token.

4 is a diagram illustrating a process of performing a transaction on a blockchain according to another embodiment of the present invention.

Referring to FIG. 4 , in the step of determining encryption items (S410), when some items requiring encryption among a plurality of items used in a transaction are determined according to a user's input through the receiver, the processor may determine encryption items.

Then, in the smart contract configuration step (S420), the processor may configure a smart contract so that some items determined as encryption items are encrypted using an elliptic curve cryptography method. When encrypting some encrypted items in a smart contract, additional transactions can be performed by performing calculations on the resulting values using elliptic curve cryptography. For details related to the elliptic curve cryptography method, refer to Patent Publication No. 10-2008-0055378.

Then, in the zero-knowledge proof step (S430), the processor may perform proof through zero-knowledge proof for some encrypted items.

Then, in the transaction execution step (S440), the processor may perform a first transaction using a smart contract.

Then, in the result storage step (S450), the processor may store a plurality of result values obtained as a result of performing the first transaction.

Thereafter, the processor may perform an operation on a plurality of result values to obtain an updated result value, and perform step S440 again to perform a second transaction using the smart contract using the updated result value. .

Here, we will briefly review the above-mentioned smart contract. A smart contract is when the transaction conditions and details are registered in the smart contract system, the applicable laws and procedures are automatically applied and the results are delivered to the transaction parties. Accordingly, transaction procedures are simplified, costs incurred in transactions are reduced, and a safe contract can be established between transaction parties.

For example, insurance companies and hospitals can simplify payment and settlement systems by automatically paying insurance premiums while protecting patient medical records through smart contracts, prevent insurance fraud by creating a ledger that is difficult to falsify, and support smart contracts. A representative platform is Ethereum.

In addition, if the transaction is an auction, the transaction conditions set in the smart contract include the transaction start time and transaction progress time, and the transaction executed by the smart contract starts at the set transaction start time and ends after the set transaction progress time. do. In this way, the reason why the transaction is made within the transaction start time and the transaction execution time is that the 24-hour transaction time is not necessary.

At this time, the transaction executed by the smart contract can cause bidding to be stopped if the buyer attempts to bid for the same auction a second time. This is to avoid allowing the same buyer to bid twice.

On the other hand, the processor obtains information about the smart contract, obtains one or more simulation transaction information from the database, obtains a result of substituting the simulation transaction information into the transaction conditions of the smart contract, compares the obtained result with the simulation transaction information, , the integrity of the smart contract can be verified based on the obtained result and the comparison result of the simulation transaction information.

Meanwhile, a process of generating a group secret key by a processor will be described later.

A processor can generate a group secret key that can be used for dual signature, together with a secret key when nodes in its own group sign a transaction. A processor can share with nodes in its own group and distribute the group public key to other groups to be used for signature verification of the group private key.

The processor may map and store index information identifying each node in the group and public key information of each node. For example, when a processor manages 100 nodes, index information 1 to 100 of 100 nodes and each public key may be mapped and stored.

First, the processor may select some of the node's public keys to generate a group secret key. The processor may randomly select a public key mapped to index information 1, 3, 25, and 99, or may use the method of the example below.

For example, the processor may select a public key having an index corresponding to a multiple of the quotient of the total number of nodes in the group divided by a predetermined natural number. For example, if the total number of nodes is 100, a public key mapped with an index of 14, 28, 42, 56, 50, 84, or 98, which is a multiple of 14, which is a quotient divided by a random natural number of 7, can be selected.

Next, the processor may convert each selected public key through a predetermined hash generation algorithm so that bit information consisting only of bits is output. For example, a bit string consisting of 160 bits can be extracted by applying base58 decoding to each public key.

Thereafter, the processor may generate one synthesized bit sequence by performing a bitwise operation (eg, ^, &, >>, << or a combination thereof) on each bit sequence.

Thereafter, the processor may generate a group secret key by connecting a bit string composed of time information to the synthesized bit string. At this time, UNIX TIME can be used for the time information bit string. The processor may connect an arbitrary bit string to the bit string of time information so that the number of bits of the group secret key is equal to the number of bits of the secret key.

For example, to create a 256-bit group secret key, when the synthesized bit string is 160 bits, 96 bits must be connected, so the time information bit string can be configured as Currnet Time (32bit) x sysrandom (64bit). there is. However, this is only an example, and the method for generating a group secret key is not limited to this example.

When one group secret key is continuously used, the processor may newly generate a group secret key at predetermined intervals in order to prevent a risk of exposure of the group secret key by a malicious attack. In addition, when a change (eg, addition or withdrawal of a node) occurs in a group, the processor may newly generate a group secret key and distribute it to nodes within the group. That is, when any one of a plurality of nodes is subscribed to a specific group, when a change including addition or withdrawal of a node from the specific group occurs, the processor retrieves the public key of the node joined to the specific group after the change occurs. Based on this, a group secret key can be newly generated and distributed to nodes joined to a specific group after a change has occurred.

The generation period of the group secret key may be, for example, 5 to 60 seconds, but these figures are examples only and are not limiting.

The processor may generate a group public key from the group private key through a predetermined function. The predetermined function is an irreversible function that can generate a group public key based on the group private key, but cannot create a group private key based on the first group public key. For example, an elliptic curve multiplication function (Elliptic Curve Digital Signature Algorithm, ECDSA), but is not limited thereto.

Meanwhile, the processor may independently create a public blockchain and a private blockchain, store public data in a public block of the public blockchain, and store private data in a private block of the private blockchain.

On the other hand, when the public block of the public block is created, the processor simultaneously creates the private block of the private block, records the hash value of the simultaneously created private block and the hash value of the previous public block in the header of the public block, and records the hash value of the private block. When creating a private block on the chain, the hash value of the previous private block can be recorded in the header of the private block.

In this way, it is possible to enhance the security of important data by operating a multi-layered blockchain consisting of a public blockchain and a private blockchain and storing important data in the private blockchain.

5 is a block diagram of a block chain of nodes according to an embodiment of the present invention.

Referring to FIG. 5, a multi-layered blockchain composed of a public blockchain 510 connected by public blocks and a private blockchain 520 connected by private blocks is operated and stored. Various transactions are stored in the public blockchain 510, and important data that should not be exposed to the outside, such as users' subscription information, users' private keys, and content encryption keys, that is, private data is stored in the private blockchain 520. do.

Private blocks constituting the private blockchain 520 are encrypted with a random encryption key. In addition, the random encryption key is divided into several pieces and distributedly stored only in representative nodes 110, excluding general nodes, among the nodes constituting the Innocoin blockchain network. Various transactions stored in the public blockchain 510 may include, for example, coin remittance, users' public keys, and wallet addresses. Block generation technology (eg, proof-of-work or proof-of-stake, hash operation) applied to the public blockchain 510 and the private blockchain 520 may be a known blockchain technology.

Blocks of the blockchains 510 and 520 are composed of a header and a body. The hash value, difficulty, nonce, time stamp, and Merkle Root of the previous block are recorded in the header, and various transaction information and block indexes are recorded in the body. Here, the index of the block includes the index of the private block. That is, when a transaction to store specific important data in a private block occurs, the information of the transaction is recorded in the body of the public block, and the index for the private block in which the important data corresponding to the transaction is recorded is stored in the body of the public block. is recorded in

Accordingly, when a search for specific important data is requested, a private block storing the specific important data can be found by referring to the index. When a public block constituting the public blockchain 510 is created, a private block constituting the private blockchain 520 is also created at the same time. In addition, the hash value of the previous block and the hash value of the private block created simultaneously with the public block are recorded in the header of the public block. In this way, forgery and falsification of private blocks can be prevented. Naturally, the hash value of the previous private block is recorded in the header of the private block.

On the other hand, among the terms used in this specification, “zero knowledge proof (ZKP)” refers to any knowledge other than whether a proposition is true or false when a prover proves that a certain proposition is true to the other verifier in cryptography. It also means the process of interaction that does not expose.

The party that tries to prove that a proposition is true is called the prover, and the party that participates in the proof process and exchanges information with the prover is called the verifier. When parties participating in a zero-knowledge proof arbitrarily change the protocol for the purpose of deceiving the other party, the parties are said to be dishonest or dishonest. In other cases, it is said to be honest.

6 is a block diagram for explaining the internal structure of a transaction execution device for implementing a virtual machine based on a zero-knowledge proof circuit for general operation verification according to an embodiment of the present invention. 7 is a block diagram for explaining the internal structure of a circuit generator for verifying general operations according to an embodiment of the present invention.

Referring to FIG. 6 , a plurality of nodes 100 of a transaction execution apparatus for implementing a virtual machine based on a zero-knowledge proof circuit for verifying general operations include a circuit generator 200 for verifying general operations, a prover terminal 300, and a verifier. A user terminal 400 is included.

The circuit generator 200 for verifying general arithmetic operations is a device that generates circuits for verifying general arithmetic operations. The circuit generator 200 for verifying the general operation includes a circuit generator module 210 and a zk-SNARK key generator module 220 as shown in FIG. 7 .

The circuit generation module 210 receives the number of reference instructions, the number of reference machine steps, and the size of the reference system, and verifies a general operation operating in any program having the number of reference instructions, the number of reference machine steps, and the size of the reference system. After generating the circuit for general operation, the circuit for verifying the general operation is provided to the zk-SNARK key generation module 220.

In one embodiment, the circuit generation module 210 generates a circuit for verifying general operations that satisfies the following [Equation 1]. That is, the circuit generator 200 for verifying general operations can generate a circuit that operates in any program having the following commands, T or less machine steps, and size n or less.

[Equation 1]

C =

C: Circuit

: 기준 명령어의 개수,

: the number of reference commands,

T: the number of reference machine steps,

n: the size of the reference system

이하의 명령어, T 이하의 머신 스텝, n 이하의 크기를 갖는 어떤 프로그램에서도 동작하는 서킷 C는 프로그램이나 주요 입력 값에 의존하지 않고,

, T, n 값에만 의존하기 때문에 유니버셜. zk-SNARK 키 생성 모듈(220)과 결합한다면 검증 시스템의 파라미터 또한 유니버셜하게 된다.As described above, based on [Equation 1]

Circuit C, which operates on any program with instructions less than T, machine steps less than T, and size less than n, does not depend on the program or key input values,

, T, universal because it depends only on the value of n. When combined with the zk-SNARK key generation module 220, the parameters of the verification system also become universal.

In the above case, all programs can be verified by generating a key once, and then a key suitable for a given calculation range can be selected, thereby reducing the cost of generating keys for each program.

) 및 서킷 생성 모듈(210)에 의해 생성된 서킷(

)를 이용하여 증명 키(pk) 및 검증 키(vk)를 생성한다. The zk-SNARK key generation module 220 receives key generator information, prover information, and verifier information, and then sets security parameters (

) and the circuit generated by the circuit generation module 210 (

) to generate a proof key (pk) and a verification key (vk).

First, the zk-SNARK key generation module 220 uses a zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) algorithm to generate evidence capable of proving possession of specific information such as a secret key without disclosing information. generate

That is, the zk-SNARK key generation module 220 converts the verification rule into a mathematical form indicating a triple vector, and then converts the verification rule into the triple vector into a Lagrange polynomial or fast Fourier transform to generate a polynomial function. .

More specifically, the zk-SNARK key generation module 220 converts the verification rule into a rank-1 constraint system (R1CS) format and then converts the R1CS into a quadratic arithmetic program (QAP). At this time, the verification rule relates to whether the input amount is greater than the output amount, whether the transaction has an appropriate signature, or whether the input belongs to UTXO.

를 통해 각

를 값을 산출할 수 있다. Then, the zk-SNARK key generation module 220 generates a random element

each through

value can be calculated.

는 QAP 인스턴스이며 증명 키(pk) 및 검증 키(vk)를 생성하는데 사용된다. 즉, 본 발명은 증명 키(pk)의 크기를 줄이기 위해 산술 회로로부터 파생된 QAP의 구조적 특성을 이용한 것이다. From here,

is a QAP instance and is used to generate a proof key (pk) and a verification key (vk). That is, the present invention uses the structural characteristics of the QAP derived from the arithmetic circuit to reduce the size of the proof key (pk).

Also, R1CS is a triple vector (A, B, C). This triple vector means a mathematical form of a verification rule, and QAP is expressed as [Equation 2] through a Lagrangian polynomial or fast Fourier transform.

At this time, the zk-SNARK key generation module 220 generates a proof key (pk) and a verification key (vk) only once per circuit.

)를 생성할 수 있고, 어느 검증자 단말(400)이 검증 키(vk)를 이용하여 증거(

)를 검증할 수 있는 것이다.Therefore, once generated, any prover terminal 300 uses the proof key pk to prove (

) can be generated, and any verifier terminal 400 uses the verification key vk to evidence (

) can be verified.

The present invention achieves additional efficiencies in space rather than time. Specifically, the structural characteristics of the QAP derived from the arithmetic circuit are used to reduce the size of the proof key pk.

Therefore, all programs can be verified by generating a circuit once, and then a key suitable for a given calculation range can be selected. Through this, it is possible to reduce the cost of generating keys for each program.

)를 생성하는 단말이다. 이러한 증명자 단말(300)은 일반연산 검증용 서킷 생성기(200)에서 생성된 증명 키(pk), zk-SNARK 알고리즘을 통해 획득된 다항함수의 계수 및 검증과 증명에 필요한 정보(

)를 이용하여 증거(

)를 생성한다. The prover terminal 300 uses the proof key (pk) generated by the circuit generator 200 for verifying general operation to prove evidence (

) is a terminal that generates The prover terminal 300 includes a proof key (pk) generated by the circuit generator 200 for verifying general operation, coefficients of polynomial functions obtained through the zk-SNARK algorithm, and information necessary for verification and proof (

) using evidence (

) to create

)를 생성할 수 있다. In one embodiment, the prover terminal 300 refers to the following [Equation 2] as evidence (

) can be created.

[Equation 2]

: QAP 인스턴스인

와 QAP의 증거

에서 파생

: QAP instance

and evidence of QAP

derived from

), QAP의 증거 (

) 및 공개키 (

) 를 이용해서 증거(

)를 생성할 수 있다. That is, the prover terminal 300 calculates the coefficient through [Equation 2] (

), evidence of QAP (

) and public key (

) using the evidence (

) can be created.

) 및 증거(

)를 수신하면 증거(

)가 유효한지 검증하는 역할을 수행한다. The verifier terminal 400 includes a verification key (vk), information necessary for verification and verification (

) and evidence (

) upon receipt of evidence (

) plays a role in verifying whether it is valid.

) 를 이용하여 [수학식 3]을 산출하고, 검증 키(vk) 및 [수학식 3]의 결과 값을 이용하여 12개의 페어링을 계산하고 필요한 점검을 수행한다.First, the verifier terminal 400 includes a part of the verification key vk and information necessary for verification and verification (

) is used to calculate [Equation 3], and 12 pairings are calculated using the verification key (vk) and the resulting value of [Equation 3], and necessary checks are performed.

[Equation 3]

vk: verification key,

n: input size,

C: Circuit

의 계산에 필요한 연산 량을 줄일 수 있고, 페어링 평가에는 입력 크기 n과 무관하게 일정한 시간이 걸리더라도, 이러한 평가는 매우 비싸고 작은 서킷에 대해 지배적이다.In the process of calculating [Equation 3], the variable-based multi-scalar multiplication technique is used to calculate the result of [Equation 3].

can reduce the amount of computation required for the computation of , and even though pairing evaluation takes constant time independent of the input size n, such evaluation is very expensive and dominates for small circuits.

In a transaction execution device for realizing a virtual machine based on a zero-knowledge proof circuit for general operation verification, when verification of evidence is performed, it is confirmed that the corresponding transaction is a correct transaction. At this time, since the zero-knowledge proof technology capable of verifying general operations is applied to the opcode execution module of the virtual machine, it is possible to know whether the corresponding transaction is a correct transaction by performing verification of the zero-knowledge evidence even if the transaction is not executed.

A transaction execution device for realizing a virtual machine based on a zero-knowledge proof circuit for general operation verification for this purpose includes a code generation unit, a compiler, a storage unit, a stack, and a code execution unit.

The code generation unit generates code coded in the Solidity language for the zero-knowledge evidence stored in the storage unit. At this time, since Solidity is a language made for humans to understand, it is necessary to change it to a machine language that the virtual machine can understand in order to operate in the virtual machine. Accordingly, the code generated by the code generator is compiled by the compiler and converted into Ethereum bytecode for operation in the virtual machine.

The compiler compiles the code generated by the code execution unit to generate Ethereum bytecode, and provides the Ethereum bytecode to the code execution unit.

The storage unit stores the zero-knowledge evidence generated by the prover terminal. When the virtual machine verifies the zero-knowledge evidence stored in the storage unit, it can determine whether the transaction is correct. That is, since zero-knowledge proof technology is applied to the virtual machine according to an embodiment of the present invention, it is possible to know whether a corresponding transaction is a correct transaction through verification of the zero-knowledge proof even if the transaction is not executed.

In the stack, opcodes separated from the Ethereum bytecode are stored in the process of executing the Ethereum bytecode by the code execution unit.

The code execution unit executes the Ethereum bytecode generated by the compilation unit to verify the zero-knowledge evidence. At this time, the code execution unit separates the Ethereum bytecode into opcodes and stores them in the stack, and the opcodes stored in the stack are sequentially executed.

In the present invention, zero-knowledge proof technology is applied to the code execution unit, so that even if a transaction is not executed, it is possible to know whether a corresponding transaction is a correct transaction by performing verification on the zero-knowledge evidence.

As described above, if the zero-knowledge proof technology capable of verifying general operations is applied to the opcode execution module of the transaction execution device to implement the zero-knowledge proof circuit-based virtual machine for general operation verification, TX data among the data stored in the storage module is zero. Replaced by Proof of Knowledge. Therefore, since the zero-knowledge proof technology capable of verifying general operations is applied to the opcode execution module of the virtual machine according to the present invention, it is possible to know whether a corresponding transaction is a correct transaction by performing verification of the zero-knowledge proof even without executing a transaction. There is.

8 is a flowchart for explaining an embodiment of a method for generating a zero-knowledge proof circuit for verifying general operations according to the present invention.

Referring to FIG. 8 , the general arithmetic verification circuit generator 200 generates a general arithmetic verification circuit having the number of reference instructions, the number of reference machine steps, and the size of the reference system (step S310).

In one embodiment of step S310, the general operation verification circuit generator 200 receives the number of reference instructions, the number of reference machine steps, and the size of the reference system, and receives the number of reference instructions, the number of reference machine steps, and the reference system. It is possible to create a circuit for verifying general operations that operates in any program with a size of .

이하의 명령어, T 이하의 머신 스텝, n 이하의 크기를 갖는 어떤 프로그램에서도 동작하는 서킷을 생성할 수 있다.At this time, the circuit generator 200 for verifying general operation is as shown in [Equation 1].

You can create a circuit that works with any program with the following instructions, T or less machine steps, and size n or less.

이하의 명령어, T 이하의 머신 스텝, n 이하의 크기를 갖는 어떤 프로그램에서도 동작하는 서킷 C는 프로그램이나 주요 입력 값에 의존하지 않고,

, T, n 값에만 의존하기 때문에 유니버셜. zk-SNARK 키 생성 모듈(220)과 결합한다면 검증 시스템의 파라미터 또한 유니버셜하게 된다.As described above, based on [Equation 1]

Circuit C, which operates on any program with instructions less than T, machine steps less than T, and size less than n, does not depend on the program or key input values,

, T, universal because it depends only on the value of n. When combined with the zk-SNARK key generation module 220, the parameters of the verification system also become universal.

In the above case, all programs can be verified by generating a key once, and then a key suitable for a given calculation range can be selected, thereby reducing the cost of generating keys for each program.

The general operation verification circuit generator 200 generates a proof key and a verification key by using the general operation verification circuit and zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) algorithm (step S320).

In one embodiment of step S320, the general operation verification circuit generator 200 receives the key generator information, prover information, and verifier information, and then the security parameter and the general operation verification generated by the circuit generation module. A proof key and a verification key are generated using the circuit.

At this time, the circuit generator 200 for general operation verification may generate a polynomial function by converting the verification rule into a mathematical form indicating a triple vector, and then converting the verification rule converted into the triple vector into a Lagrange polynomial or fast Fourier transform. .

The prover terminal generates evidence using the proof key including the circuit for verifying the general operation, the coefficients of the polynomial function obtained through the zk-SNARK algorithm, and information necessary for verification and verification from the circuit for verifying the general operation. (Step S330).

The verifier terminal verifies whether the evidence is valid using the verification key, information necessary for verification and verification in the general operation verification circuit, and the evidence (step S340).

9 is an exemplary diagram for explaining a process of generating a zero-knowledge proof circuit for verifying general operations according to the present invention.

Referring to FIG. 9 , proving the legitimacy of a given proof (a single proof) means proving the legitimacy of many proofs related thereto. As an example, it will be explained with reference to a scenario in which the prover checks whether the prover has correctly solved the five problems presented to the prover.

In the conventional zero-knowledge proof, as shown in FIG. 9A, the prover A must create and submit four proofs. And, verifiers B, C, D, and E must verify using the proof they received.

However, when recursive zero-knowledge proof is used as shown in FIG. 9b according to the present invention, prover A submits only the finally calculated Proof_4, and verifiers B, C, D, and E use this to verify.

This will be described in detail with reference to FIG. 9B. When the verifier terminal 400 presents a plurality of problems to the prover terminal 300, the prover terminal 300 uses recursive zero-knowledge proof to solve the plurality of problems. Proof 1 (Proof 1) corresponding to the first question (Question 1) is generated, and proof 2 (Proof 2) is generated by using the second question (Question 2) and the proof 1 (Proof 1) among multiple questions. Create a final proof 3 (Proof 3) for the third final problem (Question 3) using the third final problem (Question 3) and the evidence 2 (Proof 2) among the plurality of problems,

The prover terminal 300 generates final proof 3 (Proof 3) corresponding to the third question (Question 3) using proof 1 (Proof 1) corresponding to the first question (Question 1), Submit only the final proof 3 (Proof 3) excluding proofs 1, 2, and 3 to the verifier terminal 400 without submitting each evidence for a plurality of problems,

The verifier terminal 400 verifies only the final evidence 3 (Proof 3) and proves the legitimacy of the final proof 3 and the remaining evidences 1, 2, and 3 related to the final proof 3.

Although described by the limited embodiments and drawings, the present invention is not limited to the above embodiments, and those skilled in the art can make various modifications and variations from these descriptions. Therefore, the spirit of the present invention should be grasped only by the claims described below, and all equivalent or equivalent modifications thereof will be said to belong to the scope of the spirit of the present invention.

100: node 110: first node
111: receiver 112: processor
113: memory 120: second node
130: third node 140: fourth node
150: fifth node 160: sixth node
200: circuit generator for general operation verification 210: circuit generation module
220: zk-SNARK key generation module
300: prover terminal
400: verifier terminal
510: public blockchain 520: private blockchain

Claims (3)

A transaction execution device for implementing a virtual machine based on a zero-knowledge proof circuit for verifying general operations,
A plurality of nodes 100; including,
When any one of the plurality of nodes 100 is subscribed to a specific group and a change including adding or leaving a node in the specific group occurs, the group secret of the group changed based on the public key of the specific group. A processor 112 for generating a new key and distributing it to nodes joined to a specific group after a change has occurred; and
A memory 113 storing at least one command executed by the processor 112; includes,
The plurality of nodes 100 include at least one first node 110 and at least one second node 120,
The first node 110 is
generating at least one transaction including identification information and transaction information of specific nodes;
The second node 120 is
At least one main block (M) including both a block header and a block body is generated based on the identification information and transaction information, and at least one sub block (S) including only a block header is generated based on the identification information and transaction information Generates, and shares the main block (M) or sub-block (S) including the transaction with specific nodes based on the identification information of the at least one main block (M) or at least one sub-block (S) , characterized in that the sub-block (S) including only the block header is shared with the remaining nodes except for the specific node
A transaction execution device to implement a zero-knowledge proof circuit for general operation verification.
According to claim 1,
The processor 112 is
independently create a public blockchain and a private blockchain, store public data in a public block of the public blockchain, and store private data in a private block of the private blockchain;
When a public block of the public block chain is created, a private block of the private block chain is simultaneously created, and the hash value of the simultaneously created private block and the hash value of the previous public block are recorded in the header of the public block. When creating a private block, the hash value of the previous private block is recorded in the header of the private block.
A transaction execution device to implement a zero-knowledge proof circuit for general operation verification.
According to claim 2,
The processor 112 is
Acquiring information about the smart contract and obtaining one or more simulation transaction information from the database;
obtaining a result of substituting the simulation transaction information into the transaction conditions of the smart contract;
Compare the obtained result with the simulation transaction information,
Characterized in that the integrity of the smart contract is verified based on the obtained result and the comparison result of the simulation transaction information
A transaction execution device to implement a zero-knowledge proof circuit for general operation verification.

Images