WO2021081866A1 - Transaction method, device, and system based on account model, and storage medium - Google Patents


Publication number
WO2021081866A1
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
node
commitment
coin
mixing
Prior art date
Application number
PCT/CN2019/114586
Other languages
French (fr)
Chinese (zh)
Inventor
辛佳骏
来鑫
张骁
李武璐
Original Assignee
深圳市网心科技有限公司
Application filed by 深圳市网心科技有限公司
Priority to CN201980060387.0A (published as CN112771562A)
Priority to PCT/CN2019/114586 (published as WO2021081866A1)
Publication of WO2021081866A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/04 Payment circuits
    • G06Q20/06 Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
    • G06Q20/065 Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823 Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data

Definitions

  • This application relates to the field of blockchain technology, and more specifically to a transaction method, device, system and storage medium based on an account model.
  • the account model is a commonly used transaction model.
  • under the account model, the transaction process is similar to a user conducting a transaction with a bank account. For example, when user Alice wants to send 10 units of currency to user Bob, 10 is simply subtracted from Alice's account balance and 10 is added to Bob's account balance.
  • each block reaches consensus on the global state and on the transactions in the block. In a transaction based on the account model, both parties transact in clear text, so the transaction amount of both parties is disclosed during the transaction.
  • the existing blockchain transaction system based on the account model therefore uses clear text for transactions, which not only easily leads to leakage of transaction information but also poses a considerable threat to the privacy of both parties to the transaction.
  • This application provides a transaction method, device, system and storage medium based on an account model, which are used to achieve the purpose of ensuring that transaction information is not leaked when transactions are conducted based on the account model.
  • the first aspect of the embodiments of the present invention discloses a blockchain system based on an account model.
  • the system includes a transaction initiator node, a transaction receiver node, and a coin mixer node, wherein:
  • the transaction initiator node is used to perform encryption and commitment calculation on the transaction amount based on the determined shared public key and random number to obtain encrypted transaction information, where the shared public key is generated by the transaction initiator node based on the public key of the transaction receiver node;
  • the transaction receiver node is configured to determine, based on the shared public key, whether the transaction information initiated by the transaction initiator node is on-chain; after determining that it is on-chain, to send a coin mixing notification to the coin mixer node and receive the coin mixing result fed back by the coin mixer node; after determining that the coin mixing result meets expectations, to perform a non-interactive zero-knowledge proof based on the coin mixing result, proving that it holds the transaction amount commitment in the transaction information and the random number randomly selected by the transaction initiator node; and then to obtain the pending transaction amount in the transaction amount commitment and update its own account amount based on the pending transaction amount;
  • the coin mixer node is configured to perform a coin mixing operation based on the coin mixing notification, and send the obtained coin mixing result to the transaction receiver node.
  • the second aspect of the embodiments of the present invention discloses a transaction method based on an account model, which is suitable for a transaction initiator node, and the method includes:
  • the transaction initiator node determines the account amount commitment, the pending transaction amount, and the public key and random number of the transaction receiver node, and performs the commitment calculation to obtain the transaction amount commitment, the account balance commitment and the shared public key;
  • the transaction initiator node uses the shared public key to encrypt the pending transaction amount to obtain the ciphertext;
  • the transaction initiator node performs a range proof on the transaction amount commitment and the account balance commitment to obtain the commitment range proof, which indicates that the amounts in the transaction amount commitment and the account balance commitment are positive numbers;
  • the transaction initiator node generates a confidential transaction based on the transaction amount commitment, the random public key, the ciphertext and the commitment range proof;
  • the transaction initiator node generates transaction information from the confidential transaction, the handling fee information and the signature, and sends the transaction information to the nodes of the blockchain system.
  • in one implementation, the transaction initiator node performing the range proof on the transaction amount commitment and the account balance commitment to obtain the commitment range proof includes:
  • the transaction initiator node uses the range proof randomly generated when the blockchain system is initialized to prove the range of the transaction amount commitment and the account balance commitment, obtaining the commitment range proof.
  • in another implementation, the transaction initiator node performing the range proof on the transaction amount commitment and the account balance commitment to obtain the commitment range proof includes:
  • the transaction initiator node uses the pre-obtained supervisor random number and the generators involved in the multi-party supervisable range proof randomly generated when the blockchain system is initialized to prove the range of the transaction amount commitment and the account balance commitment, obtaining the commitment range proof;
  • the block verifier node is allowed to obtain the transaction information including the commitment range proof, verify whether the commitment range proof is correct, and verify whether the supervisor random number signed by the supervisor node in the commitment range proof is correct; after the transaction information is put on the chain, the supervisor node is allowed to obtain the commitment range proof in the transaction information together with the supervisor random number and related parameters signed by the supervisor node in that proof, so that the supervisor node can calculate, based on the signed supervisor random number and related parameters, whether the transaction amount in the transaction information is correct.
  • the third aspect of the embodiments of the present invention discloses a transaction method based on an account model, which is suitable for a transaction receiver node, and the method includes:
  • the transaction receiver node determines, based on the shared public key, the transaction information initiated by the agreed transaction initiator node;
  • the transaction receiver node anonymously initiates a coin mixing notification for the transaction information to the coin mixer node; the coin mixing notification includes the handling fee information in the transaction information as well as part of the information shared between the transaction receiver node and the transaction initiator node;
  • the transaction receiver node receives the coin mixing result sent by the coin mixer node, and performs a non-interactive zero-knowledge proof based on the coin mixing result;
  • the transaction receiver node receiving the coin mixing result sent by the coin mixer node and performing a non-interactive zero-knowledge proof based on the coin mixing result includes:
  • the transaction receiver node performs a hash calculation on the current coin mixing result and the number of coin mixing rounds, according to the random number of the transaction initiator node obtained in advance, to obtain a hash value (the hash commitment);
  • the transaction receiver node performs a non-interactive zero-knowledge proof based on the hash commitment and the coin mixing result to obtain a first proof and a second proof.
  • the first proof is used to prove that the transaction receiver node is the owner of the current transaction;
  • the second proof is used to prove that the number of coin mixing rounds after this round is within the range of coin mixing rounds accepted by the transaction receiver node.
  • the method further includes:
  • the transaction receiver node sets additional field information in the transaction information; the additional field information indicates the coin mixing sequence and the coin mixing information of the coin mixer node during the coin mixing process.
  • after the transaction receiver node anonymously initiates the coin mixing notification of the transaction information to the coin mixer node, and provided that the coin mixer node has obtained the random mapping and the related parameters corresponding to the random mapping from the supervisor node in advance, the coin mixer node performs a verifiable shuffle calculation based on a randomly selected random number, the random mapping and the related parameters corresponding to the random mapping to obtain the coin mixing proof, and sends the coin mixing proof and the random mapping to the block verifier node, so that the block verifier node verifies whether the coin mixing proof is correct and whether the signature of the supervisor node in the random mapping is correct.
  • the fourth aspect of the embodiments of the present invention discloses a transaction device based on an account model.
  • the device includes a processor and a memory, and a program is stored in the memory.
  • when the program is executed by the processor, the transaction method of the present invention is implemented.
  • the fifth aspect of the embodiments of the present invention discloses a transaction device based on an account model.
  • the device includes a processor and a memory, and a program is stored in the memory.
  • when the program is executed by the processor, the transaction method of the present invention is implemented.
  • a computer-readable storage medium stores a transaction program, and the transaction program can be executed by one or more processors to implement the transaction method disclosed in the second aspect of the embodiments of the present invention, or the transaction method disclosed in the third aspect of the embodiments of the present invention.
  • the seventh aspect of the embodiments of the present invention discloses a computer program product, which is characterized by including computer instructions that, when run on a computer, enable the computer to execute the transaction method disclosed in the second aspect of the embodiments of the present invention, or to implement the transaction method disclosed in the third aspect of the embodiments of the present invention.
  • the eighth aspect of the embodiments of the present invention discloses a blockchain system based on an account model, which is characterized by including: a transaction initiator node, a block proposer node, a block verifier node, a supervisor node, a coin mixer node and a transaction receiver node;
  • the transaction initiator node includes the computer program product disclosed in the seventh aspect of the embodiments of the present invention, or is a transaction initiator node having the transaction device disclosed in the fourth aspect of the embodiments of the present invention, and the transaction initiator node is configured to perform encryption and commitment calculation on the transaction amount based on the determined shared public key and random number to obtain encrypted transaction information, where the shared public key is generated by the transaction initiator node based on the public key of the transaction receiver node;
  • the block proposer node is used to collect the transaction information and, after determining that the transaction information is correct, send the transaction information to the block verifier node;
  • the block verifier node is used to verify the received transaction information and coin mixing result, confirm whether the transaction information and the coin mixing result are correct, and determine based on the verification result whether the transaction continues to be executed;
  • the supervisor node is used to provide a supervisor random number, signed by the supervisor node, to the transaction initiator node and the block verifier node, and to supervise the block verifier node's verification process for the transaction information and the result of the coin mixer node;
  • the transaction receiver node includes the computer program product disclosed in the seventh aspect of the embodiments of the present invention, or is a transaction receiver node having the transaction device disclosed in the fifth aspect of the embodiments of the present invention, and is configured to determine, based on the shared public key, whether the transaction information initiated by the transaction initiator node is on the chain; after determining that it is on-chain, to send a coin mixing notification to the coin mixer node and receive the coin mixing result fed back by the coin mixer node; and, after determining that the coin mixing result meets expectations, to perform a non-interactive zero-knowledge proof proving that it holds the transaction amount commitment in the transaction information and the random number randomly selected by the transaction initiator node, and to obtain the transaction amount commitment.
  • the coin mixer node is configured to perform a coin mixing operation based on the coin mixing notification, and send the obtained coin mixing result to the transaction receiver node and the block verifier node.
  • when the transaction initiator node has obtained the supervisor random number from the supervisor node in advance, during the commitment calculation the transaction initiator node is also used to prove the transaction amount commitment and the account balance commitment using the supervisor random number and the generators involved in the multi-party supervisable range proof randomly generated when the blockchain system is initialized, obtaining the commitment range proof;
  • the block verifier node is also used to obtain the transaction information including the commitment range proof, verify whether the commitment range proof is correct, and verify whether the supervisor random number signed by the supervisor node in the commitment range proof is correct;
  • the supervisor node is also used to obtain, after the transaction information is on the chain, the commitment range proof in the transaction information together with the supervisor random number and related parameters signed by the supervisor node in that proof, and to calculate whether the transaction amount in the transaction information is correct based on the signed supervisor random number and related parameters.
  • when the coin mixer node has obtained the random mapping and the related parameters corresponding to the random mapping from the supervisor node in advance, the coin mixer node is also used, after receiving the coin mixing notification, to perform a verifiable shuffle calculation based on a randomly selected random number, the random mapping and the related parameters corresponding to the random mapping to obtain a coin mixing proof, and to send the coin mixing proof and the random mapping to the block verifier node;
  • the block verifier node is also used to verify whether the coin mixing proof is correct, and to verify whether the signature of the supervisor node in the random mapping is correct.
  • the present invention provides a transaction method, device, system and storage medium based on an account model.
  • a plaintext account and a ciphertext account are set up for each user under the account model; the transaction initiator node takes the transaction amount, encrypts it based on the public key of the transaction receiver node, and calculates the commitment after encryption.
  • the transaction receiver node determines the real transaction information based on the information agreed with the transaction initiator node, and completes the transaction.
  • the ciphertext transaction is initiated by the transaction initiator node, and the transaction receiver node determines the real transaction information based on the information agreed with the transaction initiator node and completes the transaction; this effectively avoids leakage of transaction information between the transaction parties, thereby ensuring that transaction information is not leaked when trading based on the account model.
  • FIG. 1 is a schematic flowchart of a transaction method on the side of a transaction initiator node disclosed in an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a transaction method on the side of a block proposer node and a block verifier node disclosed in an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a transaction method on the side of a transaction receiver node, a coin mixer node and a block verifier node disclosed in an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a coin mixing operation disclosed in an embodiment of the present invention.
  • FIG. 5 is a schematic flow diagram of a supervision method on the side of a transaction initiator node, a block verifier node and a supervisor node disclosed in an embodiment of the present invention.
  • FIG. 6 is a schematic flow diagram of a supervision method on the side of a coin mixer node, a block verifier node and a supervisor node disclosed in an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a transaction device based on an account model disclosed in an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of another transaction device based on an account model disclosed in an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a transaction system based on an account model disclosed in an embodiment of the present invention.
  • the account model is used as the reference model, and two accounts, a plaintext account and a ciphertext account, are established for each user.
  • anonymous transactions are conducted based on the ciphertext accounts, thereby protecting the identities and transaction content of both parties to the transaction and ensuring that neither is leaked.
  • the specific implementation is described by the following embodiments.
  • Commitment (C): a commitment algorithm hides a value in a ciphertext. The committer can choose to open the commitment by revealing its random number. Once a commitment has been issued, the committer cannot use another random number to produce the same commitment result and must use the random number used when the commitment was generated.
  • Confidential Transaction is a cryptographic scheme proposed by Gregory Maxwell. Confidential transactions use the commitment algorithm to hide the transaction amount, so that only the two parties to the transaction can see the amount, others cannot, and neither party can forge the transaction amount.
  • ACT: Anonymous Confidential Transaction
  • TS: transaction sender
  • TR: transaction receiver
  • BP: Block Proposer
  • BV: Block Verifier
  • SSP: Shuffle Service Provider
  • Regulator (supervisor node). The system is not limited to the six node types mentioned above.
  • both the transaction initiator node and the transaction receiver node can be run by ordinary users, and each user can either initiate or receive a transaction.
  • the selection of the block proposer node and the block verifier node is determined by the blockchain consensus. Normally it is assumed that a blockchain transaction system has one block proposer node and multiple block verifier nodes.
  • the block proposer node is used to collect all transactions initiated by transaction initiator nodes within a preset time period, detect whether there is any problem with the transaction data, and send the problem-free transactions to the block verifier node. If there is a coin mixer node in the blockchain transaction system and it performs the coin mixing operation, the block proposer node also needs to collect all coin mixing results within the preset time period, detect whether there is any problem with the coin mixing results, and send the problem-free coin mixing results to the block verifier node.
  • the block verifier node is used to verify the legitimacy of each transaction, and to verify the coin mixing result whenever one is received.
  • the coin mixer node is used to provide coin mixing services and collects a certain fee as income.
  • each transaction receiver node can independently choose any coin mixer node it trusts to perform any round of coin mixing.
  • a single coin mixer node independently selected by a transaction receiver node may record that node's coin mixing record, but the multiple coin mixer nodes selected by a transaction receiver node will not all collude in an attack on the transaction receiver node's privacy.
  • the supervisor node is one or more institutions; according to the consensus strategy tree, it can supervise the transaction amounts and the coin mixing situation in the entire blockchain system.
  • the embodiment of the invention discloses a blockchain system using the account model as the reference model.
  • when the blockchain system is initialized, the range proof and the generators involved in the subsequent multi-party supervisable Bulletproof range proof are randomly generated.
  • the specific generation method is not limited in the embodiment of the present invention; it is only necessary to ensure that the discrete logarithm relationship between any two of the generated elements is unknown, that is, g, g_1, ..., g_n, h ∈ G, where G is a multiplicative cyclic group.
  • two accounts are set up for each user in the blockchain system, a plaintext account and a ciphertext account.
  • the user randomly sets the private key and generates the public key corresponding to the private key.
  • the private key of user Alice is x A
  • the public key of user Alice is
  • the private key of user Bob is x B
  • the public key of this user Bob is
  • each coin mixer node obtains the signed supervisor random number from the supervisor node in advance during initialization, for the subsequent verifiable shuffle.
  • the embodiment of the present invention provides a flowchart of a transaction method based on an account model. Based on the blockchain system described above, the transaction method includes the following steps:
  • FIG. 1 shows a schematic diagram of the transaction process on the side of the transaction initiator node, including S101 to S106.
  • S101: the transaction initiator node confirms the account amount commitment, the transaction amount x_1 and the public key pk_B of the transaction receiver node; the transaction amount x_1 is used to perform the commitment calculation to obtain the transaction amount commitment C_1, and the public key pk_B of the transaction receiver node and the random public key are used to generate the shared public key pair.
  • the account amount commitment of the transaction initiator node and the random public key R_0 are used here, where R_0 corresponds to the first random number r_0 randomly selected by the transaction initiator node.
  • the transaction amount commitment is generated.
  • S102: the transaction initiator node uses the shared public key pair as the encryption key to encrypt the transaction amount x_1, obtaining the ciphertext corresponding to the transaction amount.
  • using the shared public key as the encryption key, the transaction initiator node completes the encryption of the transaction amount x_1 with the second random number r_1 it randomly selected, obtaining the ciphertext AES{x_1, r_1} corresponding to the transaction amount.
  • S103: the transaction initiator node calculates the difference between the account amount commitment and the transaction amount commitment C_1 to obtain the account balance commitment. In S103 the account balance commitment is calculated as follows:
  • S104: the transaction initiator node performs a range proof on the transaction amount commitment C_1 and the account balance commitment to obtain the commitment range proof; the commitment range proof indicates that the amounts in the transaction amount commitment C_1 and the account balance commitment are positive numbers.
  • the transaction initiator node can prove the range of the transaction amount commitment C_1 and the account balance commitment in either of two ways.
  • the transaction initiator node can use the range proof randomly generated when the blockchain system is initialized to prove the range of the transaction amount commitment C_1 and the account balance commitment, obtaining the commitment range proof.
  • if the transaction initiator node has obtained the supervisor nonce of the supervisor node in the blockchain system in advance (the supervisor nonce is signed by the supervisor node),
  • the transaction initiator node can also use the supervisor nonce and the generators involved in the multi-party supervisable range proof (Bulletproof) randomly generated when the blockchain system is initialized to prove the range of the transaction amount commitment C_1 and the account balance commitment, obtaining the commitment range proof.
  • S105: the transaction initiator node generates the confidential transaction based on the transaction amount commitment C_1, the random public key, the ciphertext AES{x_1, r_1} and the commitment range proof.
  • if the transaction initiator node used the range proof randomly generated when the blockchain system is initialized to prove the range of the transaction amount commitment C_1 and the account balance commitment, obtaining the commitment range proof,
  • the confidential transaction obtained by executing S105 is:
  • S106: the transaction initiator node generates transaction information from the confidential transaction, the handling fee information and the signature, and sends the transaction information to the nodes of the blockchain system.
  • the handling fee information can in fact be regarded as Gas: the number of times the coin mixer node agreed by the subsequent transaction receiver may execute.
  • the signature is the transaction initiator node's signature over the confidential transaction and the fee information; it indicates that the signed confidential transaction and fee information were provided by the transaction initiator.
  • the transaction initiator node attaches the fee information and the signature in plain text.
  • the transaction initiator node uses this plaintext and the confidential transaction obtained in S105 to generate the transaction information, and sends the transaction information to the nodes of the blockchain system, where the block proposer node collects it.
  • Figure 2 shows a schematic diagram of the transaction process on the side of the block proposer node and the block verifier node, including: S107 and S108.
  • the block proposer node checks the transaction information it has collected from the transaction initiator node and, after determining that there is no problem with it, sends the transaction information to the block verifier node.
  • the block proposer node collects all transaction information and coin mixing results sent by transaction initiator nodes to the nodes of the blockchain system within a preset period of time or at any time, checks the collected transaction information and coin mixing results to determine whether there is a problem with them, and, after determining that there is none, sends the transaction information and the coin mixing results to the block verifier node.
  • the block proposer node receives the transaction information initiated by the transaction initiator node this time, verifies the transaction information, and sends it to the block validator node after confirming that it is correct.
  • the block verifier node receives the transaction information sent by the block proposer node and verifies whether the commitment range proof and the signature in the transaction information are correct; if they are correct, the transaction information is put on the chain, and if not, the transaction information is discarded.
  • the block verifier node first verifies the signature of the plaintext part of the transaction information to check whether the signature belongs to the transaction initiator node that initiated the transaction; if not, the transaction information is discarded, and if so, the node continues by verifying the transaction amount commitment in the confidential transaction part of the transaction information.
  • the verification of the transaction amount commitment C 1 by the block validator node mainly checks whether the transaction amount commitment C 1 in the transaction information is a legal element of the underlying group.
  • the verification of the transaction amount commitment C 1 by the block validator node can be realized on the elliptic curve: as long as the transaction amount commitment C 1 is verified to be a non-zero point on the elliptic curve, it is considered a legal element of the group.
  • after verifying that the transaction amount commitment C 1 is correct, the block verifier node continues by verifying the range proof in the confidential transaction part of the transaction information, that is, whether the commitment range proof correctly proves that the pending transaction amount and the account balance are positive.
  • the block verifier node needs to verify whether the supervisor's nonce associated with the commitment range proof is signed by the corresponding supervisor node; if so, the commitment range proof is determined to be correct and the transaction information is uploaded to the UTXO transaction pool, and if not, the transaction information is discarded.
  • each block verifier node must synchronize the supervisor node information and verify the correctness of the supervisor's public-private key pair through the strategy tree.
  • the strategy tree is used to store the supervisor strategy; its specific form in the block includes, but is not limited to, a Merkle tree root or an MPT tree root.
  • the strategy is determined by the consensus of the consensus nodes, is reflected in each block, and can be updated by consensus of the consensus nodes.
  • Figure 3 shows the transaction flow chart on the side of the transaction receiver node, the coin mixer node and the block verifier node, including S109 to S113.
  • the transaction receiver node determines the transaction information initiated by the transaction initiator node based on the shared public key.
  • the transaction receiver node sets its own private key x B and generates the public key corresponding to that private key.
  • the transaction receiver node and the transaction initiator node shared their public keys before the transaction, and the transaction receiver node also obtained in advance the random public key randomly selected by the transaction initiator node.
  • the second random number r 1 and the third random number r 2 are also obtained.
  • the transaction receiver node can determine the shared public key based on its own public key and the random public key it knows to have been randomly selected by the transaction initiator node.
  • when the transaction receiver finds transaction information carrying the same shared public key in the UTXO transaction pool, it determines that the transaction information from the transaction initiator node has been sent to the chain.
  • the transaction receiver node initiates a coin mixing notification for the transaction information to the anonymously contacted coin mixing node.
  • the transaction receiver node informs the pre-appointed coin mixer node, through an anonymous contact, to mix the transaction information, by sending a coin mixing notification to the coin mixer node.
  • the coin mixing notification includes the transaction fee information from the plaintext part of the transaction information, as well as part of the information shared between the transaction receiver node and the transaction initiator node.
  • the fee information indicates the number of times the coin mixing node may perform coin mixing.
  • the number of times Gas indicated by the fee information may be 0 or more; this is not limited in the embodiment of the present invention, and the value depends on the transaction initiator node.
  • the number of coin mixer nodes that the transaction receiver node may agree upon is not limited.
  • the transaction receiver node can itself be a coin mixer node, or it can agree that two or more coin mixer nodes will each mix the transaction information.
  • the coin mixer node performs a coin mixing operation on the transaction amount commitment C 1 in the transaction information, based on the coin mixing notification and the handling fee information in the transaction information, obtains the coin mixing result, and sends the coin mixing result to the transaction receiver node and the block proposer node.
  • based on the transaction fee information sent by the transaction receiver node and the part of the information shared between the transaction receiver node and the transaction initiator node, the coin mixer node performs multiple rounds of coin mixing on the transaction amount commitment C 1 in the transaction information.
  • k is a preset parameter of the blockchain system, which can be set at any time according to requirements.
  • different SSPs and different rounds of coin mixing can choose different values of k.
  • a block can always contain mutually exclusive coin mixing results from multiple coin mixing nodes; that is, the multiple coin mixing proofs in a block cannot contain the same transaction more than once.
  • the transaction receiver node judges whether the coin mixing result meets expectations, performs a non-interactive zero-knowledge proof based on the coin mixing result, and establishes that it holds the transaction amount commitment C 1 in the transaction information and the random number randomly selected by the transaction initiator node.
  • the transaction receiver node calculates the coin mixing result C′ 1 obtained after the coin mixing and the number of coin mixing Gas′ remaining after the coin mixing, according to the known third random number r 2 of the transaction initiator node.
  • the mixed currency result
  • the specific value of the number of coin mixing Gas′ depends on the specific parameter settings of the transaction initiator node. Assuming that the initial number of coin mixing is 3, the number of coin mixing is reduced by 1.
  • the coin mixing result here is that C′ 1 is the result of one coin mixing, and Gas′ is the initial number of coin mixing minus 1.
  • the transaction receiver node sends {r 2 , C Hash , Chaum-Pedersen(C′ 1 , C Hash ), }
  • the coin mixer node uses random numbers to obfuscate the original transaction UTXO and attaches {C′ 1 , Gas′, C Hash , Chaum-Pedersen(C′ 1 , C Hash ), } as additional output.
  • the specific non-interactive zero-knowledge proof can be illustrated by the following example.
  • r 1 and r 2 are two random numbers.
  • E and F are open to Bob.
  • Bob performs the check; if the verification passes, Bob confirms that E and F hide the same secret.
  • the transaction receiver node can add an additional field, Additional, to the UTXO transaction.
  • Additional is used to specify the next coin mixing service provider and the related coin mixing information. Take 2 rounds of coin mixing and two coin mixing nodes as an example:
  • the transaction receiver node selects random numbers r 2 and r 3 , and calculates the results C′ 1 and C″ 1 after coin mixing, and the numbers of coin mixing Gas′ and Gas″ after the two rounds of coin mixing.
  • the transaction receiver node generates a shared public key by sharing public keys with the second coin mixer node, calculates the ciphertext {r 3 , C Hash2 , Chaum-Pedersen(C″ B , C Hash2 ), }, and uses the ciphertext and g ⁇ as the information of the Additional field.
  • hash 1 Hash(C′ B
  • the transaction receiver node generates and sends the ciphertext: {r 2 , C Hash1 , Chaum-Pedersen(C′ 1 , C Hash1 ), }
  • the first coin mixing node uses a random number r 3 to obfuscate the old transaction UTXO and attaches {C′ 1 , Gas′, C Hash , Chaum-Pedersen(C′ 1 , C Hash ), Additional} as additional output.
  • the second coin mixing node uses the information provided in Additional to continue the next round of coin mixing service.
  • after determining that it holds the transaction amount commitment C in the transaction information and the random number randomly selected by the transaction initiator node, the transaction receiver node receives the transaction information as its own transaction.
  • S113: the transaction receiver node obtains the pending transaction amount x 1 in the transaction amount commitment C 1, and updates its account amount based on the transaction amount x 1.
  • the transaction receiver node receives the transaction information it has confirmed by means of a transaction that receives the UTXO.
  • the transaction receiver node sends a special receiving transaction, which is uploaded to the chain after block consensus, and the corresponding UTXO must then be removed.
  • at this time, the transaction receiver node, based on the transaction amount commitment C 1 in the transaction information, determines the pending transaction amount x 1 in the transaction amount commitment C 1 and updates its account amount based on the transaction amount x 1.
  • the block verifier node receives the coin mixing result sent by the coin mixer node for verification, and verifies whether the coin mixing result is correct and whether the coin mixing proof random number is signed by the supervisor node.
  • a ciphertext account is set for each user based on the account model; the transaction initiator node encrypts the pending transaction amount based on the public key of the transaction receiver node and calculates the commitment to obtain the encrypted transaction information, which is placed in the UTXO transaction pool after being verified by the block verifier node; the transaction receiver node then agrees with a coin mixer node to mix the coins and, if the coin mixing meets expectations, proves that it holds the amount and the random number in the current transaction; after completing the proof it receives the transaction information and completes the update of its account amount.
  • initiating a ciphertext transaction through the above transaction initiator node can effectively ensure that the various transaction information is not leaked during the transaction process.
  • the transaction receiver node determines the correct transaction information based on the coin mixing and thereby completes the transaction, which can effectively avoid leaking the identity information and transaction information of both parties to the transaction. Therefore, when transactions are performed on the blockchain system based on the account model disclosed in the embodiments of the present invention, user and transaction information is not leaked during the transaction process, so that the blockchain system has the characteristics of confidentiality, anonymity and supervisability.
  • the supervisor in the blockchain system based on the account model disclosed in the embodiment of the present invention supervises the transaction process.
  • the specific process is described in the following examples.
  • the transaction initiator node can use the supervisor's random number and the multi-party supervisory range proof (Bulletproof) that is randomly generated when the blockchain system is initialized.
  • Bulletproof multi-party supervisory range proof
  • Figure 5 shows a schematic diagram of the supervision process on the side of the transaction initiator node, the block validator node and the supervisor node, including the following steps:
  • S501: the supervisor node signs the random number S with its public-private key pair, and saves the signature and the random number S locally.
  • s L , s R and ⁇ are also random numbers selected by the supervisor node, Is the additive group of integer modulo p.
  • each supervisor node executes S501 and signs the random number S separately.
  • the transaction initiator node applies to the supervisor node for a random number S, performs Bulletproof based on the obtained random number S signed by the supervisor node, and obtains the commitment range proof.
  • the transaction initiator node holds the transaction amount commitment C 1 and the account balance commitment,
  • and applies for a random number S from the supervisor node.
  • the transaction initiator node can also apply for multiple random numbers S signed by different supervisor nodes and save them locally.
  • the transaction initiator node performs a range proof on the transaction amount commitment C 1 and the account balance commitment based on the random number signed by the supervisor node and the generators involved in the Bulletproof that are randomly generated at blockchain system initialization, and obtains the commitment range proof.
  • the transaction initiator node sends the transaction information, including the commitment range proof, to the nodes of the blockchain system, where it is obtained by the block verifier node.
  • the block verifier node obtains the transaction information including the commitment range proof, verifies whether the commitment range proof is correct, and verifies whether the signature of the supervisor node in the commitment range proof is correct.
  • the block verifier node mainly verifies whether the commitment range proof correctly proves that the pending transaction amount and the account balance in the transaction information are positive: if they are positive numbers, the commitment range proof is confirmed to be correct; if a non-positive number is found, the commitment range proof is determined to be wrong.
  • the block verifier node also receives the supervisor node information synchronously, so it can verify whether the supervisor node signature in the commitment range proof is correct.
  • the transaction information is put on the chain.
  • after the transaction information is on the chain, the supervisor node obtains the commitment range proof in the transaction information, together with the random number and the parameters signed by the supervisor node contained in the commitment range proof, and calculates from them whether the transaction amount in the transaction information is correct.
  • the transaction initiator node sends A and S to the block validator node, and the block validator node randomly selects and replies
  • the block validator node performs calculations:
  • the block validator node sends the calculated T 1 and T 2 to the transaction initiator node, and the transaction initiator node randomly selects and replies
  • Bulletproof is used to prove that the committed value lies in [0, 2^n − 1].
  • the transaction initiator node executes Bulletproof by using the obtained parameters, and obtains:
  • the information in a L can be derived from the parameter l; that is, v, the transaction amount in the transaction information, can be obtained in order to determine whether the transaction amount is correct.
  • the transaction amount in the entire blockchain system can thus be supervised, so that the blockchain system has the characteristic of supervisability.
  • a supervisor node is also introduced to supervise the coin mixing process and the coin mixing result.
  • Figure 6 shows a schematic diagram of the supervision process on the side of the coin mixer node, the supervisor node, and the block validator node, including the following steps:
  • S601: the supervisor node randomly selects a random mapping, signs the random mapping based on its public-private key pair, calculates the related parameters and the challenge corresponding to the random mapping, and signs the challenge x with its public-private key pair.
  • the supervisor node randomly selects a random mapping ⁇ ().
  • multiple supervisor nodes jointly randomly select ⁇ ().
  • Supervisor node calculation: And x Hash(C A1
  • the supervisor node signs the challenge x with its public-private key pair and sends the signed challenge x to the coin mixer node that applied for the random mapping.
  • the coin mixer node receives the random mapping sent by the supervisor node and the related parameters corresponding to it, performs a verifiable shuffle calculation based on its own randomly selected random number, the random mapping and the related parameters, obtains the coin mixing proof, and sends the coin mixing proof and the random mapping to the block verifier node.
  • the coin mixer node obtains the product proof based on the multi-party supervisable, provable shuffle calculation:
  • the coin mixer node obtains the power proof based on the multi-party supervisable, provable shuffle calculation:
  • the block verifier node verifies whether the coin mixing proof is correct and whether the signature of the supervisor node on the random mapping is correct.
  • the block verifier node verifies whether the coin mixing proof can prove that the coin mixing was carried out in the order of the random mapping; if so, the coin mixing proof is determined to be correct, and if not, it is determined to be wrong.
  • the block verifier node also receives the supervisor node information synchronously, so it can verify whether the supervisor node signature in the commitment range proof is correct.
  • the embodiment of the present invention also correspondingly discloses a transaction device based on the account model.
  • the transaction device is suitable for the transaction initiator node.
  • the device includes:
  • the commitment calculation module 701 is used to determine the account amount commitment, the pending transaction amount, and the public key and random number of the transaction receiver node, and to perform the commitment calculation to obtain the transaction amount commitment, the account balance commitment and the shared public key.
  • the encryption module 702 is configured to encrypt the pending transaction amount with the shared public key to obtain a ciphertext.
  • the proof module 703 is used to perform a range proof on the transaction amount commitment and the account balance commitment, and obtain the commitment range proof, which is used to indicate that the amounts in the transaction amount commitment and the account balance commitment are positive numbers.
  • the proof module 703 is specifically used to: use a range proof randomly generated during initialization of the blockchain system to perform a range proof on the transaction amount commitment and the account balance commitment, and obtain the commitment range proof.
  • the proof module 703 is specifically used to: use the pre-obtained supervisor random number and the generators involved in the multi-party supervisable Bulletproof range proof that is randomly generated when the blockchain system is initialized, to perform a Bulletproof range proof on the transaction amount commitment and the account balance commitment, and obtain the commitment range proof.
  • the transaction generation module 704 is configured to generate a confidential transaction based on the transaction amount commitment, a random public key, the ciphertext and the commitment range proof, and to generate transaction information from the confidential transaction, the fee information and the signature.
  • the sending module 705 is used to send the transaction information to the nodes of the blockchain system.
  • a plaintext account and a ciphertext account are set for each user based on the account model, and the transaction initiator node encrypts the pending transaction amount based on the public key of the transaction receiver node and calculates the commitment after encryption.
  • the transaction receiver node determines the real transaction information based on the information agreed with the transaction initiator node, and completes the transaction.
  • since the ciphertext transaction is initiated by the above transaction initiator node and the transaction receiver node determines the real transaction information based on the information agreed with the transaction initiator node and completes the transaction, the leakage of the identity information and transaction information of both parties to the transaction can be effectively avoided. In this way, the purpose of ensuring that user and transaction information is not leaked when transactions are based on the account model is achieved, so that the blockchain system has the characteristics of confidentiality, anonymity and supervisability.
  • the embodiment of the present invention also correspondingly discloses a transaction device based on the account model.
  • the transaction device is suitable for the transaction initiator node.
  • the device includes:
  • the determining module 801 is configured to determine the transaction information initiated by the agreed transaction initiator node based on the shared public key.
  • the coin mixing notification module 802 is used to anonymously initiate a coin mixing notification for the transaction information to the coin mixing node.
  • the coin mixing notification includes the handling fee information in the transaction information, as well as the part of the information shared between the transaction receiver node and the transaction initiator node.
  • the update module 803 is configured to receive the coin mixing result sent by the coin mixing node and perform a non-interactive zero-knowledge proof based on the coin mixing result; if it is determined that the node holds the transaction amount commitment in the transaction information, the module obtains the pending transaction amount in the transaction amount commitment and the random number randomly selected by the transaction initiator node, and updates the account amount based on the pending transaction amount.
  • in performing the non-interactive zero-knowledge proof based on the coin mixing result, the update module 803 is specifically used to:
  • according to the pre-obtained random number of the transaction initiator node, perform a hash calculation on the current coin mixing result and the number of coin mixing to obtain a hash value, calculate the hash commitment corresponding to the hash value, and perform a non-interactive zero-knowledge proof on the hash commitment and the coin mixing result to obtain a first proof and a second proof.
  • the first proof is used to prove that the transaction receiver node is the owner of the current transaction.
  • the second proof is used to prove that the number of coin mixing after this round of coin mixing is within the range of coin mixing counts accepted by the transaction receiver node.
  • the transaction device also includes:
  • a setting module, used to set additional field information in the transaction information; the additional field information indicates the coin mixing order and the coin mixing information of the coin mixing nodes during the coin mixing process.
  • the transaction initiator node can also be a transaction receiver node, and the transaction receiver node can also be a transaction initiator node. Therefore, the transaction devices disclosed in Figures 7 and 8 can exist both in the transaction initiator node and in the transaction receiver node.
  • a plaintext account and a ciphertext account are set for each user based on the account model; after the transaction receiver node determines, based on the information agreed with the transaction initiator node, that the encrypted transaction information initiated by the transaction initiator node has been placed in the UTXO transaction pool, it agrees with a coin mixer node to mix the coins and, if the coin mixing meets expectations, proves that it holds the amount and the random number in the current transaction; after completing the proof it receives the transaction information and completes the update of its account amount.
  • after the above transaction receiver node determines, based on the coin mixing, that the encrypted transaction information is the correct transaction information, the transaction is completed, which can effectively avoid leaking the identity information and transaction information of both parties to the transaction, so as to achieve the purpose of not leaking user and transaction information when transactions are based on the account model and give the blockchain system the characteristics of confidentiality, anonymity and supervisability.
  • the embodiment of the present invention also discloses a blockchain system based on the account model.
  • the blockchain system includes: a transaction initiator node 901, a block proposer node 902, a block validator node 903, a supervisor node 904, a coin mixer node 905, and a transaction receiver node 906.
  • the transaction initiator node 901 is used to agree with the transaction receiver node 906 on the shared public key and the random number required for the transaction, and, based on the shared public key and the random number, to encrypt the transaction amount and perform the commitment calculation to obtain the encrypted transaction information.
  • the block proposer node 902 is used to collect the transaction information of the current time period and perform a preliminary check on it; after determining that the transaction information is not problematic, it sends the transaction information to the block verifier node.
  • the block verifier node 903 is used to verify the received transaction information and the coin mixing result, confirm whether they are correct, and determine based on the verification result whether the transaction continues to be executed.
  • the supervisor node 904 is used to provide the supervisor nonce, signed by the supervisor node, to the transaction initiator node 901 and the block verifier node 903.
  • the coin mixer node 905 is configured to perform a coin mixing operation based on the coin mixing notification from the transaction receiver node 906, and send the obtained coin mixing result to the block validator node 903 and the transaction receiver node 906.
  • the transaction receiver node 906 is used to determine, based on the shared public key agreed upon with the transaction initiator node 901, whether the transaction information of the transaction initiator node 901 is on the chain; after determining that the transaction information is on the chain, to send a coin mixing notification to the coin mixer node 905 and receive the coin mixing result fed back by the coin mixer node 905; after determining that the coin mixing result meets expectations, to perform a non-interactive zero-knowledge proof based on the coin mixing result and establish that it holds the transaction amount commitment in the transaction information and the random number randomly selected by the transaction initiator node 901; and to obtain the pending transaction amount in the transaction amount commitment and update its account amount based on the pending transaction amount.
  • the embodiment of the present invention also provides a computer-readable storage medium on which a transaction program is stored; the transaction program can be executed by one or more processors to implement the foregoing transaction method.
  • the embodiment of the present invention also provides a computer program product, including computer instructions which, when run on a computer, enable the computer to execute the transaction method disclosed in the foregoing embodiment of the present invention.
  • a plaintext account and a ciphertext account are set for each user based on the account model, and the transaction initiator node encrypts the pending transaction amount based on the public key of the transaction receiver node.
  • the transaction receiver node proves that it holds the amount and the random number in the current transaction and, after completing the proof, receives the transaction information and completes the update of its account amount.
  • the transaction receiver node determines the correct transaction information based on the coin mixing to complete the transaction, which can effectively avoid leaking the identity information and transaction information of both parties to the transaction, thereby achieving the purpose of not leaking user and transaction information when transactions are based on the account model and giving the blockchain system the characteristics of confidentiality, anonymity and supervisability.
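The two concrete checks the description relies on are the block verifier's test that a commitment C 1 is a non-zero element of the elliptic curve group (S108) and the proof that two commitments E and F hide the same secret (the Chaum-Pedersen example in S111). The following is an added example, not code from the patent: it assumes secp256k1, a Pedersen commitment v·G + r·H with a second generator H derived from a constructed label, and realises the equality proof as a Schnorr proof of knowledge of the blinding-factor difference, since the patent does not state its group or the exact proof construction.

```python
# Pedersen commitments on secp256k1, the verifier-side membership check and a
# Fiat-Shamir proof that two commitments hide the same value.  Added example,
# not the patent's code; its exact group and proof construction are not stated.
import hashlib
import secrets

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the group's zero element

def on_curve(pt):
    """S108 check: a commitment is a legal element only if it is a non-zero
    point satisfying y^2 = x^3 + 7 (mod p); the identity is rejected."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0

def add(a, b):
    """Affine point addition; inverses via Fermat's little theorem."""
    if a is INF:
        return b
    if b is INF:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def hash_to_point(label):
    """Second generator H with unknown discrete log w.r.t. G: hash the label to
    an x-coordinate and try-and-increment (p = 3 mod 4 gives a direct sqrt)."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    while True:
        rhs = (x * x * x + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P

H = hash_to_point(b"pedersen-generator-H")  # constructed label (assumption)

def commit(v, r):
    """Pedersen commitment C = v*G + r*H to amount v with blinding factor r."""
    return add(mul(v, G), mul(r, H))

def _challenge(*pts):
    """Fiat-Shamir challenge over the transcript points, reduced into Z_N."""
    h = hashlib.sha256()
    for x, y in pts:
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

def prove_same_value(E, F, r1, r2):
    """E = vG + r1H and F = vG + r2H hide the same v iff E - F = (r1 - r2)H,
    so a Schnorr proof of knowledge of d = r1 - r2 (base H) suffices."""
    d = (r1 - r2) % N
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, H)
    c = _challenge(E, F, R)
    return (R, (k + c * d) % N)

def verify_same_value(E, F, proof):
    """Bob's side: membership of every point first, then z*H == R + c*(E - F)."""
    R, z = proof
    if not (on_curve(E) and on_curve(F) and on_curve(R)):
        return False
    D = add(E, (F[0], (-F[1]) % P))  # E - F
    c = _challenge(E, F, R)
    return mul(z, H) == add(R, mul(c, D))

def demo():
    """Constructed run with the page's amount 10: a re-randomised commitment
    verifies; a commitment to a different amount is rejected."""
    v, r1, r2 = 10, secrets.randbelow(N), secrets.randbelow(N)
    E, F, bad = commit(v, r1), commit(v, r2), commit(v + 1, r2)
    honest = verify_same_value(E, F, prove_same_value(E, F, r1, r2))
    forged = verify_same_value(E, bad, prove_same_value(E, bad, r1, r2))
    return honest, forged
```

The membership check runs before any group arithmetic on the verifier side, which is the order a block verifier node should follow so that a malformed commitment is discarded rather than processed.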


Abstract

Provided are a transaction method, device and system based on an account model, and a storage medium. In this method, a plaintext account and a ciphertext account are set up for each user based on the account model; the transaction initiator node encrypts the pending transaction amount based on the public key of the transaction receiver node and performs the commitment calculation to obtain the encrypted transaction information; subsequently, the transaction receiver node determines the real transaction information based on the information agreed with the transaction initiator node and completes the transaction. Because the transaction initiator node initiates the ciphertext transaction and the transaction receiver node determines the real transaction information from the agreed information and completes the transaction, leakage of transaction information between the two parties can be effectively avoided, achieving the purpose of ensuring that transaction information is not leaked in account-model transactions.

Description

Transaction method, device, system and storage medium based on an account model
Technical field
This application relates to the field of blockchain technology, and more specifically to a transaction method, device, system and storage medium based on an account model.
Background
In existing blockchain technology the account model is a commonly used transaction model. When a user transacts under the account model, the process resembles a transaction through a bank account. For example, when user Alice wants to send 10 units of currency to user Bob, 10 is simply subtracted from Alice's account balance and 10 is added to Bob's account balance.
In existing account-model blockchain transaction systems, to ensure the correctness of transactions, every block reaches consensus on the global state and on the transactions contained in the block. Because the two parties to an account-model transaction transact in plaintext, the transaction amount of both parties is disclosed during the transaction.
In summary, existing account-model blockchain transaction systems transact in plaintext, which not only readily leads to leakage of transaction information but also poses a considerable threat to the privacy of both parties to the transaction.
Summary of the invention
This application provides a transaction method, device, system and storage medium based on an account model, for the purpose of ensuring that transaction information is not leaked when transacting under the account model.
To achieve the above objective, this application provides the following technical solutions:
A first aspect of the embodiments of the present invention discloses a blockchain system based on an account model. The system includes a transaction initiator node, a transaction receiver node and a coin mixer node, wherein:
the transaction initiator node is configured to encrypt the amount to be transacted and compute commitments over it based on a determined shared public key and random number, obtaining encrypted transaction information, where the shared public key is generated by the transaction initiator node from the public key of the transaction receiver node;
the transaction receiver node is configured to determine, based on the shared public key, whether the transaction information initiated by the transaction initiator node has been put on the chain; after determining that it has, to send a coin-mixing notification to the coin mixer node and receive the coin-mixing result returned by the coin mixer node; after determining that the coin-mixing result meets expectations, to perform a non-interactive zero-knowledge proof based on that result, establishing that it holds the transaction amount commitment in the transaction information and the random number randomly selected by the transaction initiator node; and to obtain the amount to be transacted from the transaction amount commitment and update its own account amount based on it;
the coin mixer node is configured to perform a coin-mixing operation based on the coin-mixing notification and send the resulting coin-mixing result to the transaction receiver node.
A second aspect of the embodiments of the present invention discloses a transaction method based on an account model, applicable to a transaction initiator node, the method including:
the transaction initiator node determines the account amount commitment, the amount to be transacted, the public key of the transaction receiver node and a random number, and performs commitment computation to obtain a transaction amount commitment, an account balance commitment and a shared public key;
the transaction initiator node encrypts the amount to be transacted with the shared public key to obtain a ciphertext;
the transaction initiator node produces range proofs for the transaction amount commitment and the account balance commitment, obtaining range proofs of the commitments, which indicate that the amounts in the transaction amount commitment and the account balance commitment are positive;
the transaction initiator node generates a confidential transaction based on the transaction amount commitment, a random public key, the ciphertext and the range proofs of the commitments;
the transaction initiator node generates transaction information from the confidential transaction, handling-fee information and a signature, and sends the transaction information to the nodes of the blockchain system.
In one possible design, the transaction initiator node producing range proofs for the transaction amount commitment and the account balance commitment, obtaining the range proofs of the commitments, includes:
the transaction initiator node uses the range-proof setup randomly generated when the blockchain system was initialized to produce range proofs for the transaction amount commitment and the account balance commitment, obtaining the range proofs of the commitments.
In one possible design, the transaction initiator node producing range proofs for the transaction amount commitment and the account balance commitment, obtaining the range proofs of the commitments, includes:
the transaction initiator node uses a regulator random number obtained in advance and the generators involved in the multi-party supervisable range proof randomly generated at blockchain system initialization to produce range proofs for the transaction amount commitment and the account balance commitment, obtaining the range proofs of the commitments;
correspondingly, after the transaction information is sent to the nodes of the blockchain system, a block verifier node obtains the transaction information including the range proofs of the commitments, verifies whether the range proofs are correct, and verifies whether the regulator random number signed by the regulator node in the range proofs is correct; after the transaction information is put on the chain, the regulator node obtains the range proofs of the commitments from the transaction information, together with the regulator-signed regulator random number and related parameters contained in them, and computes from these whether the amount to be transacted in the transaction information is correct.
A third aspect of the embodiments of the present invention discloses a transaction method based on an account model, applicable to a transaction receiver node, the method including:
the transaction receiver node determines, based on the shared public key, that the agreed transaction initiator node has initiated transaction information;
the transaction receiver node anonymously sends a coin-mixing notification for the transaction information to a coin mixer node, the notification including the handling-fee information from the transaction information and part of the information shared between the transaction receiver node and the transaction initiator node;
the transaction receiver node receives the coin-mixing result sent by the coin mixer node and performs a non-interactive zero-knowledge proof based on it;
if it determines that it holds the transaction amount commitment in the transaction information, it obtains the amount to be transacted in the transaction amount commitment and the random number randomly selected by the transaction initiator node, and updates its own account amount based on the amount to be transacted.
In one possible design, the transaction receiver node receiving the coin-mixing result sent by the coin mixer node and performing a non-interactive zero-knowledge proof based on it includes:
the transaction receiver node hashes the current coin-mixing result and the number of mixing rounds, using the random number of the transaction initiator node obtained in advance, to obtain a hash value;
the transaction receiver node computes the hash commitment corresponding to the hash value;
the transaction receiver node performs a non-interactive zero-knowledge proof based on the hash commitment and the coin-mixing result, obtaining a first proof and a second proof; the first proof shows that the transaction receiver node is the owner of the current transaction, and the second proof shows that the number of mixing rounds after this round lies within the range of mixing rounds accepted by the transaction receiver node.
In one possible design, after the transaction receiver node determines, based on the shared public key, that the agreed transaction initiator node has initiated transaction information, the method further includes:
the transaction receiver node sets additional field information in the transaction information, the additional field information indicating the mixing order of the coin mixer nodes and the mixing information during the coin-mixing process.
In one possible design, after the transaction receiver node anonymously sends the coin-mixing notification for the transaction information to the coin mixer node, if the coin mixer node has obtained in advance from the regulator node a random mapping and the related parameters corresponding to it, the coin mixer node performs a Verifiable Shuffle computation based on a randomly selected random number, the random mapping and its related parameters to obtain a coin-mixing proof, and sends the coin-mixing proof and the random mapping to a block verifier node, so that the block verifier node verifies whether the coin-mixing proof is correct and whether the regulator node's signature in the random mapping is correct.
A fourth aspect of the embodiments of the present invention discloses a transaction device based on an account model. The device includes a processor and a memory storing a program which, when executed by the processor, implements the transaction method disclosed in the second aspect of the embodiments of the present invention.
A fifth aspect of the embodiments of the present invention discloses a transaction device based on an account model. The device includes a processor and a memory storing a program which, when executed by the processor, implements the transaction method disclosed in the third aspect of the embodiments of the present invention.
A sixth aspect of the embodiments of the present invention discloses a computer-readable storage medium storing a transaction program which can be executed by one or more processors to implement the transaction method disclosed in the second aspect, or the transaction method disclosed in the third aspect, of the embodiments of the present invention.
A seventh aspect of the embodiments of the present invention discloses a computer program product including computer instructions which, when run on a computer, enable the computer to execute the transaction method disclosed in the second aspect, or the transaction method disclosed in the third aspect, of the embodiments of the present invention.
An eighth aspect of the embodiments of the present invention discloses a blockchain system based on an account model, including a transaction initiator node, a block proposer node, a block verifier node, a regulator node, a coin mixer node and a transaction receiver node;
the transaction initiator node includes the computer program product disclosed in the seventh aspect of the embodiments of the present invention, or is a transaction initiator node having the transaction device disclosed in the fourth aspect, and is configured to encrypt the amount to be transacted and compute commitments over it based on a determined shared public key and random number, obtaining encrypted transaction information, where the shared public key is generated by the transaction initiator node from the public key of the transaction receiver node;
the block proposer node is configured to collect the transaction information and, after determining that the transaction information is free of errors, send it to the block verifier node;
the block verifier node is configured to verify the received transaction information and coin-mixing results, confirm whether the transaction information and coin-mixing results are correct, and determine based on the verification result whether the transaction continues to execute;
the regulator node is configured to provide a regulator random number, signed by the regulator node, to the transaction initiator node and the block verifier node, and to supervise the transaction information, the verification process of the verifier node and the coin-mixing results of the coin mixer node;
the transaction receiver node includes the computer program product disclosed in the seventh aspect of the embodiments of the present invention, or is a transaction receiver node having the transaction device disclosed in the fifth aspect, and is configured to determine, based on the shared public key, whether the transaction information initiated by the transaction initiator node has been put on the chain; after determining that it has, to send a coin-mixing notification to the coin mixer node and receive the coin-mixing result returned by the coin mixer node; after determining that the coin-mixing result meets expectations, to perform a non-interactive zero-knowledge proof based on that result, establishing that it holds the transaction amount commitment in the transaction information and the random number randomly selected by the transaction initiator node; and to obtain the amount to be transacted from the transaction amount commitment and update its own account amount based on it;
the coin mixer node is configured to perform a coin-mixing operation based on the coin-mixing notification and send the resulting coin-mixing result to the transaction receiver node and the block verifier node.
In one possible design, if the transaction initiator node has obtained a regulator random number from the regulator node in advance, then during the commitment computation the transaction initiator node is further configured to use the regulator random number obtained in advance and the generators involved in the multi-party supervisable range proof randomly generated at blockchain system initialization to produce range proofs for the transaction amount commitment and the account balance commitment, obtaining the range proofs of the commitments;
correspondingly,
the block verifier node is further configured, upon obtaining the transaction information including the range proofs of the commitments, to verify whether the range proofs are correct and whether the regulator random number signed by the regulator node in the range proofs is correct;
the regulator node is further configured, after the transaction information is put on the chain, to obtain the range proofs of the commitments from the transaction information, together with the regulator-signed regulator random number and related parameters contained in them, and to compute from these whether the amount to be transacted in the transaction information is correct.
In one possible design, if the coin mixer node has obtained in advance from the regulator node a random mapping and the related parameters corresponding to it, the coin mixer node is further configured, after receiving the coin-mixing notification, to perform a Verifiable Shuffle computation based on a randomly selected random number, the random mapping and its related parameters to obtain a coin-mixing proof, and to send the coin-mixing proof and the random mapping to the block verifier node;
the block verifier node is further configured to verify whether the coin-mixing proof is correct and whether the regulator node's signature in the random mapping is correct.
In summary, the present invention provides a transaction method, device, system and storage medium based on an account model. In the embodiments of the present invention, a plaintext account and a ciphertext account are set up for each user under the account model; the transaction initiator node encrypts the amount to be transacted based on the public key of the transaction receiver node and computes commitments over it, obtaining encrypted transaction information; the transaction receiver node subsequently determines the real transaction information based on information agreed with the transaction initiator node and completes the transaction. Because the transaction initiator node initiates a ciphertext transaction and the transaction receiver node determines the real transaction information from the agreed information and completes the transaction, leakage of transaction information between the two parties is effectively avoided, achieving the purpose of ensuring that transaction information is not leaked when transacting under the account model.
Description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application; those of ordinary skill in the art may obtain other drawings from the provided drawings without creative effort.
FIG. 1 is a schematic flowchart of the transaction method on the transaction initiator node side disclosed in an embodiment of the present invention;
FIG. 2 is a schematic flowchart of the transaction method on the block proposer node and block verifier node side disclosed in an embodiment of the present invention;
FIG. 3 is a schematic flowchart of the transaction method on the transaction receiver node, coin mixer node and block verifier node side disclosed in an embodiment of the present invention;
FIG. 4 is a schematic diagram of a coin-mixing operation disclosed in an embodiment of the present invention;
FIG. 5 is a schematic flowchart of a supervision method on the transaction initiator node, block verifier node and regulator node side disclosed in an embodiment of the present invention;
FIG. 6 is a schematic flowchart of a supervision method on the coin mixer node, block verifier node and regulator node side disclosed in an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a transaction device based on an account model disclosed in an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another transaction device based on an account model disclosed in an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a transaction system based on an account model disclosed in an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of this application without creative effort fall within the protection scope of this application.
As noted in the background, when a user transacts in an existing account-model blockchain transaction system, first, both parties to the transaction are public and the transaction is conducted in plaintext; second, consensus of the whole network is required to ensure the correctness of the transaction. This considerably threatens the privacy of both parties and leads to leakage of their identities and transaction information.
Therefore, the embodiments of the present invention take the account model as the base model and establish two accounts for each user, a plaintext account and a ciphertext account. During a transaction, anonymous transactions are conducted through the ciphertext accounts, protecting the identities and transaction content of both parties so that neither is leaked. Specific implementations are described in the following embodiments.
The following are some blockchain technical terms used in the embodiments of the present invention.
Commitment (C): a commitment algorithm hides a value inside an encrypted ciphertext. The committer may choose the random number that opens the commitment. Once a commitment is issued, the committer cannot obtain the same commitment value by computing with a different random number; the random number used when the commitment was generated must be used.
Confidential Transaction (CT): a cryptographic scheme proposed by Gregory Maxwell. A confidential transaction uses a commitment algorithm to hide the transaction amount, so that only the two parties to the transaction can see the amount, others cannot, and neither party can forge the amount.
Anonymous Confidential Transaction (ACT): built on confidential transactions, an anonymous confidential transaction additionally prevents the identities of the two parties from being discovered by anyone other than the parties themselves.
In the embodiments of the present invention, an account-model blockchain transaction system may have six roles, for example: Transaction Sender (TS), Transaction Receiver (TR), Block Proposer (BP), Block Verifier (BV), Shuffle Service Provider (SSP) and Regulator. It is not limited to these six nodes, however.
Both the transaction initiator node and the transaction receiver node may be run by ordinary users; each user may both initiate and receive transactions.
The selection range of block proposer nodes and block verifier nodes is determined by inter-block consensus. Normally a blockchain transaction system is considered to have one block proposer node and multiple block verifier nodes.
The block proposer node collects all transactions initiated by transaction initiator nodes within a preset time period, checks the transaction data for problems, and sends problem-free transactions to the block verifier nodes. If the system contains coin mixer nodes and a coin mixer node has performed a coin-mixing operation, the block proposer node also collects all coin-mixing results within the preset time period, checks them for problems, and sends problem-free coin-mixing results to the block verifier nodes.
The block verifier node verifies the legitimacy of each transaction and, upon receiving a coin-mixing result, verifies that result.
The coin mixer node provides the coin-mixing service and collects a fee as income. Each transaction receiver node may independently choose any number of coin mixer nodes it trusts for any number of rounds of mixing. We assume that any single coin mixer node chosen by a transaction receiver may record that receiver's mixing records, but that the multiple coin mixer nodes chosen by any transaction receiver node will not all participate in a collusion attack against that receiver's privacy.
The regulator node is one or more institutions which, according to the policy tree agreed by consensus, can supervise transaction amounts and coin-mixing activity across the whole blockchain system.
The embodiment of the present invention discloses a blockchain system that uses the account model as its base model. During initialization, the blockchain system randomly generates the generators involved in the range proof and in the subsequent multi-party supervisable Bulletproof range proof. The specific generation method is not limited in the embodiment of the present invention; it is only necessary to ensure that the logarithmic relationship between any two generators is unknown, that is, g, g_1, ..., g_n, h ∈ G, where
Figure PCTCN2019114586-appb-000001
is a multiplicative cyclic group.
In this blockchain system, based on the account model, two accounts are set up for each user of the blockchain system: a plaintext account and a ciphertext account. When initializing the ciphertext account, the user randomly sets a private key and generates the public key corresponding to that private key.
For example, user Alice's private key is x_A, and Alice's public key is
Figure PCTCN2019114586-appb-000002
User Bob's private key is x_B, and Bob's public key is
Figure PCTCN2019114586-appb-000003
In this blockchain system, each coin mixer node obtains a signed regulator random number from the regulator node in advance during initialization, for use in the subsequent verifiable shuffle (Verifiable Shuffle).
The embodiment of the present invention provides a flowchart of a transaction method based on the account model. Based on the blockchain system described above, the transaction method includes the following steps:
Specifically, FIG. 1 shows a schematic diagram of the transaction flow on the transaction initiator node side, including S101 to S106.
S101: The transaction initiator node determines the account amount commitment
Figure PCTCN2019114586-appb-000004
the amount to be transacted x_1 and the public key pk_B of the transaction receiver node, performs a commitment calculation on the amount to be transacted x_1 to obtain the transaction amount commitment C_1, and uses the public key pk_B of the transaction receiver node and the random public key
Figure PCTCN2019114586-appb-000005
to generate the shared public key key pair.
In S101, the account amount commitment of the transaction initiator node is
Figure PCTCN2019114586-appb-000006
and the random public key is
Figure PCTCN2019114586-appb-000007
where r_0 is the first random number r_0 randomly chosen by the transaction initiator node. In the account amount commitment,
Figure PCTCN2019114586-appb-000008
is the amount in the transaction initiator's account, and
Figure PCTCN2019114586-appb-000009
is a random number randomly chosen by the transaction initiator node.
For example, in the specific implementation of the commitment calculation on the amount to be transacted x_1, the transaction initiator node combines it with the second random number r_1, randomly chosen during the commitment calculation, to generate the transaction amount commitment
Figure PCTCN2019114586-appb-000010
For example, the public key pk_B of the transaction receiver node and the random public key
Figure PCTCN2019114586-appb-000011
are used to generate the shared public key key
Figure PCTCN2019114586-appb-000012
S102: The transaction initiator node uses the shared public key key pair as the encryption key to encrypt the amount to be transacted x_1, obtaining the ciphertext corresponding to the amount to be transacted.
For example, in S102 the transaction initiator node uses
Figure PCTCN2019114586-appb-000013
from the shared public key as the encryption key and, together with the second random number r_1 randomly chosen by the transaction initiator node, completes the encryption of the amount to be transacted x_1, obtaining the ciphertext AES{x_1, r_1} corresponding to the amount to be transacted.
S103: The transaction initiator node calculates the difference between the account amount commitment
Figure PCTCN2019114586-appb-000014
and the transaction amount commitment C_1, obtaining the account balance commitment
Figure PCTCN2019114586-appb-000015
In S103, the account balance commitment is calculated as follows:
Figure PCTCN2019114586-appb-000016
S104: The transaction initiator node performs a range proof on the transaction amount commitment C_1 and the account balance commitment
Figure PCTCN2019114586-appb-000017
obtaining a range proof of the commitments; the range proof of the commitments is used to indicate that the amounts in the transaction amount commitment C_1 and in the account balance commitment
Figure PCTCN2019114586-appb-000018
are positive numbers.
For example, in S104 the transaction initiator node performs a range proof on the transaction amount commitment C_1 and the account balance commitment
Figure PCTCN2019114586-appb-000019
Optionally, the transaction initiator node may use the range proof randomly generated when the blockchain system was initialized to perform the range proof on the transaction amount commitment C_1 and the account balance commitment
Figure PCTCN2019114586-appb-000020
obtaining the range proof of the commitments
Figure PCTCN2019114586-appb-000021
If the transaction initiator node has obtained in advance the regulator random number of the regulator node in the blockchain system, that regulator random number is signed by the regulator node. Optionally, the transaction initiator node may also use the regulator random number and the generators involved in the multi-party supervisable range proof (Bulletproof) randomly generated when the blockchain system was initialized to perform a range proof on the transaction amount commitment C_1 and the account balance commitment
Figure PCTCN2019114586-appb-000022
obtaining the range proof of the commitments
Figure PCTCN2019114586-appb-000023
S105: The transaction initiator node generates a confidential transaction from the transaction amount commitment C_1, the random public key
Figure PCTCN2019114586-appb-000024
the ciphertext AES{x_1, r_1} and the range proof of the commitments.
In S105, if the transaction initiator node used the range proof randomly generated when the blockchain system was initialized to perform the range proof on the transaction amount commitment C_1 and the account balance commitment
Figure PCTCN2019114586-appb-000025
obtaining the range proof of the commitments
Figure PCTCN2019114586-appb-000026
then the confidential transaction obtained by executing S105 is:
Figure PCTCN2019114586-appb-000027
If the transaction initiator node used the regulator random number and the generators involved in the Bulletproof randomly generated when the blockchain system was initialized to perform the range proof on the transaction amount commitment C_1 and the account balance commitment
Figure PCTCN2019114586-appb-000028
obtaining the range proof of the commitments
Figure PCTCN2019114586-appb-000029
then the confidential transaction obtained by executing S105 is:
Figure PCTCN2019114586-appb-000030
S106: The transaction initiator node generates transaction information from the confidential transaction, the fee information and the signature, and sends the transaction information to the nodes of the blockchain system.
In S106, the fee information may in practice be regarded as the number of mixing rounds, Gas, that the coin mixer node agreed by the subsequent transaction receiver is allowed to execute.
The signature is the transaction initiator node's signature over the confidential transaction and the fee information; it indicates that the confidential transaction and fee information carrying this signature were provided by the transaction initiator.
In a specific implementation, the transaction initiator node attaches the fee information and the signature in plaintext. The transaction initiator node generates the transaction information from this plaintext and the confidential transaction obtained in S105, and sends the transaction information to the nodes of the blockchain system, where the block proposer node of the blockchain system collects it.
FIG. 2 shows a schematic diagram of the transaction flow on the side of the block proposer node and the block verifier nodes, including S107 and S108.
S107: The block proposer node checks the collected transaction information initiated by the transaction initiator node and, after determining that the transaction information has no problem, sends it to the block verifier nodes.
It should be noted that the block proposer node collects all transaction information and mixing results sent by transaction initiator nodes to the nodes of the blockchain system within a preset time period, or at any moment; it checks the collected transaction information and mixing results to determine whether they have any problem, and after determining that there is no problem, sends the transaction information and mixing results to the block verifier nodes.
In the specific implementation of S107, the block proposer node receives the transaction information initiated this time by the transaction initiator node, checks it, and after confirming that the transaction information is correct, sends it to the block verifier nodes.
S108: The block verifier node receives the transaction information sent by the block proposer node and verifies whether the range proof of the commitments and the signature in the transaction information are correct; if they are correct, the transaction information is put on the chain, and if not, the transaction information is discarded.
In S108, the block verifier node first verifies the signature on the plaintext part of the transaction information, checking whether the signature belongs to the transaction initiator node that initiated the transaction. If not, the transaction information is discarded; if so, the verifier continues to verify the transaction amount commitment in the confidential transaction part of the transaction information.
The block verifier node's verification of the transaction amount commitment C_1 mainly checks whether the transaction amount commitment C_1 in the transaction information is a legitimate element of
Figure PCTCN2019114586-appb-000031
The block verifier node's verification of the transaction amount commitment C_1 can in practice be implemented on an elliptic curve: as long as the point of the transaction amount commitment C_1 on the elliptic curve is verified to be a non-zero point, the transaction amount commitment C_1 is considered a legitimate element of
Figure PCTCN2019114586-appb-000032
After verifying that the transaction amount commitment C_1 is correct, the block verifier node continues to verify the range proof of the commitments in the confidential transaction part of the transaction information, checking whether the range proof for the amount to be transacted and the account balance is correct, that is, whether the range proof of the commitments correctly proves that the amount to be transacted and the account balance are positive numbers.
If the range proof of the commitments was generated from the regulator random number, the block verifier node needs to verify whether the regulator random number associated with that range proof was signed by the corresponding regulator node. If so, it determines that the range proof of the commitments is correct and uploads the transaction information to the UTXO transaction pool; if not, it discards the transaction information.
It should be noted that each block verifier node must synchronize the regulator node information and verify the correctness of the regulator's public/private key pair through the policy tree.
The policy tree stores the regulator policies; its specific form within a block includes, but is not limited to, a Merkle Tree root and an MPT tree root. The policy is determined by consensus among the consensus nodes, is reflected in every block, and can be updated through consensus among the consensus nodes.
FIG. 3 shows the transaction flowchart on the side of the transaction receiver node, the coin mixer node and the block verifier node, including S109 to S113.
S109: The transaction receiver node determines, based on the shared public key key pair, the transaction information initiated by the transaction initiator node.
It should be noted that during initialization the transaction receiver node sets its own private key x_B and generates the public key corresponding to that private key
Figure PCTCN2019114586-appb-000033
It should further be noted that the transaction receiver node and the transaction initiator node shared each other's public keys before the transaction, and that the transaction receiver node also obtained in advance the random public key randomly chosen by the transaction initiator node
Figure PCTCN2019114586-appb-000034
the second random number r_1 and the third random number r_2.
In S109, from its own public key and the known random public key randomly chosen by the transaction initiator node
Figure PCTCN2019114586-appb-000035
the transaction receiver node can determine the shared public key. When the transaction receiver finds transaction information with the same shared public key in the UTXO transaction pool, it determines that the transaction information between it and the transaction initiator node has been sent to the chain.
S110: The transaction receiver node sends a mixing notification for the transaction information to a coin mixer node that it contacts anonymously.
In S110, the transaction receiver node notifies the pre-agreed coin mixer node, through anonymous contact, to mix the transaction information, and sends it a mixing notification. The mixing notification includes the fee information from the plaintext part of the transaction information, as well as part of the information shared between the transaction receiver node and the transaction initiator node.
The fee information indicates the number of times the coin mixer node may perform mixing.
Optionally, the number of mixing rounds Gas indicated by the fee information may be 0 or more; the embodiment of the present invention does not limit it, and the value is determined by the transaction initiator node.
The embodiment of the present invention does not limit the number of coin mixer nodes with which the transaction receiver node may make an agreement.
Optionally, the transaction receiver node may agree with one coin mixer node, or with two or more coin mixer nodes that each mix the transaction information separately.
S111: The coin mixer node performs a mixing operation on the transaction amount commitment C_1 in the transaction information, based on the mixing notification and the fee information in the transaction information, obtains a mixing result, and sends the mixing result to the transaction receiver node and the block proposer node.
In S111, the coin mixer node performs multiple rounds of mixing on the transaction amount commitment C_1 in the transaction information, based on the fee information sent by the transaction receiver node and on the part of the information shared between the transaction receiver node and the transaction initiator node.
It should be noted that in one round of mixing, K transactions are given a Verifiable Shuffle proof by the coin mixer node; the mixing result is submitted to the block verifier nodes for verification and at the same time sent to the transaction initiator node for computation. Since K transactions take part in one round of mixing, others can only determine that the transaction sent by the transaction sender node transacting with the transaction receiver node is one of those K, and cannot determine which one; therefore each round of mixing achieves k-anonymity. After the coin mixer node performs n rounds of mixing on a transaction, k^n-anonymity can be achieved.
As shown in FIG. 4, each round of mixing involves k transactions; these transactions are all in the UTXO transaction pool and do not necessarily come from the same block. After mixing finishes, the UTXO transaction pool is updated after the next consensus. Here k is a preset parameter of the blockchain system that can be set at any time as required. Optionally, different SSPs and different mixing rounds may choose different values of k.
It should further be noted that a block can always contain mutually exclusive mixing results from multiple coin mixer nodes, that is, the multiple mixing proofs in one block cannot contain the same transaction more than once.
S112: The transaction receiver node judges whether the mixing result meets expectations, and performs a non-interactive zero-knowledge proof based on the mixing result to establish that it possesses the transaction amount commitment C_1 in the transaction information and the random number randomly chosen by the transaction initiator node.
In S112, the transaction receiver node computes, from the known third random number r_2 of the transaction initiator node, the mixing result C′_1 obtained after mixing and the mixing count Gas′ remaining after mixing.
Here the mixing result is
Figure PCTCN2019114586-appb-000036
The specific value of the mixing count Gas′ depends on the specific parameter settings of the transaction initiator node. Suppose the initial mixing count is 3; each round of mixing performed decrements it by 1. Since the mixing result C′_1 here is the result of one round of mixing, Gas′ is the initial mixing count minus 1.
In a specific implementation, the transaction receiver node first computes hash_1 = Hash(C′_1 || Gas′) and maps hash_1 into
Figure PCTCN2019114586-appb-000037
as
Figure PCTCN2019114586-appb-000038
then computes
Figure PCTCN2019114586-appb-000039
then computes
Figure PCTCN2019114586-appb-000040
and provides the non-interactive zero-knowledge proofs Chaum-Pedersen(C′_1, C_Hash) and
Figure PCTCN2019114586-appb-000041
where
Figure PCTCN2019114586-appb-000042
is the additive group of integers modulo p.
Chaum-Pedersen(C′_1, C_Hash) is used to prove that C′_1 and C_Hash commit to the same ciphertext. In other words, it proves that the transaction receiver node is the owner of the transaction and can complete the transaction indicated by the transaction information.
Figure PCTCN2019114586-appb-000043
is used to prove that the mixing count after this round of mixing is a mixing count acceptable to the transaction receiver node.
The transaction receiver node sends {r_2, C_Hash, Chaum-Pedersen(C′_1, C_Hash),
Figure PCTCN2019114586-appb-000044
} to the coin mixer node; the coin mixer node uses a random number to obfuscate the original transaction UTXO and outputs {C′_1, Gas′, C_Hash, Chaum-Pedersen(C′_1, C_Hash),
Figure PCTCN2019114586-appb-000045
} as additional output.
The specific non-interactive zero-knowledge proof can be illustrated with the following example.
Suppose Alice has a secret x and computes with two different parameter sets {g_1, h_1} and {g_2, h_2} separately, obtaining
Figure PCTCN2019114586-appb-000046
where r_1 and r_2 are two random numbers. E and F are public to Bob. Alice now wants to prove to Bob that E and F hide the same secret, using the following non-interactive zero-knowledge proof procedure:
First, Alice generates random numbers ω, η_1, η_2 and computes:
Figure PCTCN2019114586-appb-000047
Next, Alice generates the challenge c = H(W_1 || W_2), where H() denotes a hash function.
Then Alice computes D = ω + cx, D_1 = η_1 + cr_1, D_2 = η_2 + cr_2, and sends (c, D, D_1, D_2) to Bob as the proof.
Finally, Bob checks whether
Figure PCTCN2019114586-appb-000048
If the check passes, Bob confirms that E and F hide the same secret.
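The Chaum-Pedersen procedure just described, together with the balance-commitment difference of S103, as an added example that is not part of the patent: it assumes Pedersen commitments of the form E = g_1^x h_1^r_1 and F = g_2^x h_2^r_2, and uses a toy 61-bit Mersenne prime group with hash-derived generators and constructed sample amounts, for illustration only.

```python
# Added example, not the patent's code. Assumes Pedersen commitments of the
# form C = g^x * h^r and uses a toy 61-bit Mersenne prime group (M61) with
# hash-derived generators; these parameters are for illustration only.
import hashlib
import secrets
from dataclasses import dataclass

P = 2**61 - 1   # Mersenne prime M61 (toy modulus, assumption); Z_P^* has order P - 1
ORDER = P - 1   # exponents are reduced modulo the group order


def gen(label: bytes) -> int:
    """Derive a generator from a public label so that nobody knows the discrete
    logarithm between any two generators, as the text requires of g, g_i, h."""
    v = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return v if v > 1 else 2


def commit(g: int, h: int, x: int, r: int) -> int:
    """Pedersen commitment C = g^x * h^r mod P with blinding factor r."""
    return pow(g, x, P) * pow(h, r, P) % P


def balance_commitment(c_account: int, c_tx: int) -> int:
    """S103: the account balance commitment is the 'difference' of the account
    amount commitment and the transaction amount commitment, i.e. C_acct / C_1.
    It commits to (amount - x_1) under blinding (r_acct - r_1)."""
    return c_account * pow(c_tx, -1, P) % P


@dataclass(frozen=True)
class Proof:
    c: int   # Fiat-Shamir challenge c = H(W_1 || W_2)
    D: int   # omega + c*x
    D1: int  # eta_1 + c*r_1
    D2: int  # eta_2 + c*r_2


def challenge(w1: int, w2: int) -> int:
    """c = H(W_1 || W_2), interpreted as an exponent."""
    data = w1.to_bytes(8, "big") + w2.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def prove_same_secret(p1, p2, x: int, r1: int, r2: int) -> Proof:
    """Alice: prove E = g1^x h1^r1 and F = g2^x h2^r2 hide the same x."""
    g1, h1 = p1
    g2, h2 = p2
    omega, eta1, eta2 = (secrets.randbelow(ORDER) for _ in range(3))
    w1 = commit(g1, h1, omega, eta1)   # W_1
    w2 = commit(g2, h2, omega, eta2)   # W_2
    c = challenge(w1, w2)
    return Proof(c, (omega + c * x) % ORDER,
                 (eta1 + c * r1) % ORDER, (eta2 + c * r2) % ORDER)


def verify_same_secret(p1, p2, e: int, f: int, pr: Proof) -> bool:
    """Bob: from (c, D, D_1, D_2) recover W_i = g_i^D h_i^D_i / (E or F)^c and
    check that they hash back to c. Equivalent to g1^D h1^D1 == W_1 * E^c."""
    g1, h1 = p1
    g2, h2 = p2
    w1 = commit(g1, h1, pr.D, pr.D1) * pow(e, -pr.c, P) % P
    w2 = commit(g2, h2, pr.D, pr.D2) * pow(f, -pr.c, P) % P
    return challenge(w1, w2) == pr.c


def demo() -> dict:
    """Run the whole flow on constructed values and return the outcomes."""
    p1 = (gen(b"g1"), gen(b"h1"))
    p2 = (gen(b"g2"), gen(b"h2"))
    # Constructed sample: the account holds 100 and x_1 = 30 is transferred.
    amount, x1 = 100, 30
    r_acct, r1, r2 = (secrets.randbelow(ORDER) for _ in range(3))
    c_acct = commit(*p1, amount, r_acct)
    c_tx = commit(*p1, x1, r1)
    # S103: C_acct / C_1 equals a direct commitment to 70 under r_acct - r_1
    balance_ok = balance_commitment(c_acct, c_tx) == commit(
        *p1, amount - x1, (r_acct - r1) % ORDER)
    # Chaum-Pedersen: E under {g1,h1} and F under {g2,h2} hide the same x_1
    e = commit(*p1, x1, r1)
    f = commit(*p2, x1, r2)
    proof = prove_same_secret(p1, p2, x1, r1, r2)
    honest_ok = verify_same_secret(p1, p2, e, f, proof)
    # A commitment to a different amount under {g2,h2} must be rejected
    f_bad = commit(*p2, x1 + 1, r2)
    forged_ok = verify_same_secret(p1, p2, e, f_bad, proof)
    return {"balance_ok": balance_ok, "honest_ok": honest_ok,
            "forged_ok": forged_ok}


if __name__ == "__main__":
    print(demo())
```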
Suppose the coin mixer node acts as a computing service provider whose public key is stable and which is online at all times. Optionally, the transaction receiver node may add an extra field to the UTXO transaction: Additional.
The Additional field specifies the next mixing service provider and the related mixing information. Take two rounds of mixing with two coin mixer nodes as an example:
First, the transaction receiver node chooses random numbers r_2, r_3 and computes the results C′_1 and C″_1 after mixing, as well as the mixing counts Gas′ and Gas″ after the two rounds of mixing.
where
Figure PCTCN2019114586-appb-000049
Then the transaction receiver node computes hash_2 = Hash(C″_B || Gas″), then computes
Figure PCTCN2019114586-appb-000050
and
Figure PCTCN2019114586-appb-000051
and provides the proofs Chaum-Pedersen(C″_1, C_Hash2) and Chaum-Pedersen
Figure PCTCN2019114586-appb-000052
By sharing a public key with the second coin mixer node, the transaction receiver node generates the shared public key key
Figure PCTCN2019114586-appb-000053
and computes the ciphertext {r_3, C_Hash2, Chaum-Pedersen(C″_B, C_Hash2),
Figure PCTCN2019114586-appb-000054
} and uses this ciphertext and g^γ as the content of the Additional field.
It then computes:
hash_1 = Hash(C′_B || Gas′ || Additional), then computes
Figure PCTCN2019114586-appb-000055
and provides the proofs:
Chaum-Pedersen(C′_1, C_Hash1),
Figure PCTCN2019114586-appb-000056
交易接收者节点生成并发送密文:{r 2,C Hash1,Chaum-Pedersen(C′ 1,C Hash1),
Figure PCTCN2019114586-appb-000057
}给第一个混币者节点,第一个混币者节点使用随机数r 3对旧的交易UTXO进行混淆并将{C′ 1,Gas′,C Hash,Chaum-Pedersen(C′ 1,C Hash),
Figure PCTCN2019114586-appb-000058
Additional}作为额外 输出。
The transaction receiver node generates and sends the ciphertext: {r 2 , C Hash1 , Chaum-Pedersen(C′ 1 , C Hash1 ),
Figure PCTCN2019114586-appb-000057
} To the first coin mixing node, the first coin mixing node uses a random number r 3 to obfuscate the old transaction UTXO and {C′ 1 , Gas′, C Hash , Chaum-Pedersen(C′ 1 , C Hash ),
Figure PCTCN2019114586-appb-000058
Additional} as additional output.
第二混币者节点则通过Additional中提供的信息,继续进行下一轮的混币服务。The second coin mixing node uses the information provided in Additional to continue the next round of coin mixing services.
In a specific implementation, the transaction receiver node accepts the transaction information only after determining that it holds the transaction amount commitment C_1 contained in that transaction information and the random number randomly chosen by the transaction initiator node.
S113: The transaction receiver node obtains the amount to be transacted x_1 from the transaction amount commitment C_1 and updates its own account balance based on x_1.
In S113, the transaction receiver node accepts the transaction information it has confirmed by means of a transaction that receives the UTXO: the transaction receiver node sends a special receiving transaction, which is put on the chain after block consensus, and the corresponding transaction is removed from the UTXO set. At this point the transaction receiver node determines, from the transaction amount commitment C_1 in the transaction information, the amount to be transacted x_1, and updates its own account balance based on x_1.
S114: The block verifier node receives the coin mixing result sent by the coin mixer node, verifies whether the coin mixing result is correct, and verifies whether the random number in the coin mixing proof was signed by the supervisor node.
In the embodiment of the present invention, a ciphertext account is set up for each user based on the account model. The transaction initiator node encrypts the amount to be transacted under the public key of the transaction receiver node and performs a commitment calculation to obtain encrypted transaction information, which is placed in the UTXO transaction pool after verification by the block verifier node. The transaction receiver node then engages a coin mixer node to mix the transaction and, once the mixing meets its expectations, proves that it holds the amount and the random number of the current transaction; after completing the proof it accepts the transaction information and updates its own account balance. Because the transaction initiator node initiates a ciphertext transaction, the transaction details are not leaked during the transaction process; because the transaction receiver node determines the correct transaction information on the basis of coin mixing and only then completes the transaction, the identities of both parties and the transaction details are not exposed. Therefore, when transactions are carried out on the account-model blockchain system disclosed in the embodiments of the present invention, user and transaction information is not leaked during the transaction process, so that the blockchain system has the properties of confidentiality, anonymity and supervisability.
Since the account model natively supports smart contracts, this further enables the blockchain system to support smart contracts over confidential transactions.
Based on the account-model transaction method disclosed in the above embodiment of the present invention, during the transaction process the supervisor in the account-model blockchain system disclosed in the embodiment supervises the transaction process; the specific procedure is described through the following embodiments.
In the transaction flow on the transaction initiator node side disclosed in Figure 1 above, the transaction initiator node may use the supervisor random number and the generators involved in the multi-party supervisable range proof (Bulletproof), which are randomly generated when the blockchain system is initialized, to perform a range proof on the transaction amount commitment C_1 and the account balance commitment
Figure PCTCN2019114586-appb-000059
, obtaining the range proof of the commitments
Figure PCTCN2019114586-appb-000060
Specifically, Figure 5 shows a schematic diagram of the supervision flow on the side of the transaction initiator node, the block verifier node and the supervisor node, which includes the following steps:
S501: The supervisor node computes the random number S, signs S with its public-private key pair, and stores the signature and S locally.
In S501,
Figure PCTCN2019114586-appb-000061
where
Figure PCTCN2019114586-appb-000062
s_L, s_R and ρ are also random numbers chosen by the supervisor node, and
Figure PCTCN2019114586-appb-000063
is the additive group of integers modulo p.
While saving the random number S, the supervisor node also saves s_L, s_R and ρ.
Optionally, if there are multiple supervisor nodes, each supervisor node executes S501 separately and signs the random number S individually.
S502: The transaction initiator node requests the random number S from the supervisor node, performs Bulletproof based on the obtained supervisor-signed random number S, and obtains the range proof of the commitments.
In S502, before performing the range proof on the transaction amount commitment C_1 and the account balance commitment
Figure PCTCN2019114586-appb-000064
, the transaction initiator node requests the random number S from the supervisor node. Optionally, if there are multiple supervisor nodes, the transaction initiator node may also request several random numbers S signed by different supervisor nodes and store them locally.
In a specific implementation, the transaction initiator node uses the obtained supervisor-signed random number and the generators involved in the Bulletproof randomly generated at blockchain system initialization to perform a range proof on the transaction amount commitment C_1 and the account balance commitment
Figure PCTCN2019114586-appb-000065
, obtaining the range proof of the commitments
Figure PCTCN2019114586-appb-000066
S503: The transaction initiator node sends the transaction information containing the range proof of the commitments to the nodes of the blockchain system, where it is obtained by the block verifier node.
In S503, for the specific process by which the transaction initiator node generates the transaction information containing the range proof of the commitments, refer to the description of S105 and S106 in Figure 1 above; it is not repeated here.
S504: The block verifier node obtains the transaction information containing the range proof of the commitments, verifies whether the range proof of the commitments is correct, and verifies whether the supervisor node signature in the range proof of the commitments is correct.
In S504, the block verifier node mainly verifies whether the range proof of the commitments correctly establishes that the amount to be transacted and the account balance in the transaction information are positive. If they are positive, the range proof of the commitments is determined to be correct; if not, it is determined to be incorrect.
In the blockchain system, the block verifier node also receives the supervisor node information synchronously, so it can verify whether the supervisor node signature in the range proof of the commitments is correct.
In a specific implementation, after the block verifier node has verified that both the range proof of the commitments in the transaction information and the supervisor node signature are correct, the transaction information is put on the chain.
S505: After the transaction information is on the chain, the supervisor node obtains the range proof of the commitments from the transaction information, together with the supervisor-signed random number and the parameters contained in that range proof, and calculates from the supervisor-signed random number and the parameters whether the transaction amount in the transaction information is correct.
In S505, the parameters in the range proof of the commitments are:
Figure PCTCN2019114586-appb-000067
The parameters in the range proof of the commitments are obtained as follows:
Suppose the transaction initiator node randomly chooses a random number r and obtains the random number S signed by the supervisor node; the committed value is v ∈ [0, 2^n − 1], and the transaction commitment is C_v = g^v h^r.
The Bulletproof computation proceeds as follows:
Figure PCTCN2019114586-appb-000068
The random number signed by the supervisor node is
Figure PCTCN2019114586-appb-000069
where a_L ∈ {0,1}^n such that ⟨a_L, 2^n⟩ = v, and
Figure PCTCN2019114586-appb-000070
The transaction initiator node sends A and S to the block verifier node, and the block verifier node randomly chooses and replies with
Figure PCTCN2019114586-appb-000071
The block verifier node computes:
Figure PCTCN2019114586-appb-000072
Figure PCTCN2019114586-appb-000073
The block verifier node sends the computed T_1 and T_2 to the transaction initiator node, and the transaction initiator node randomly chooses and replies with
Figure PCTCN2019114586-appb-000074
Bulletproof is used to prove that a committed value lies in [0, 2^n − 1]. The transaction initiator node executes Bulletproof with the parameters obtained above and gets:
Figure PCTCN2019114586-appb-000075
Since the supervisor node knows the random number it signed, it can derive the information in a_L from the parameter l, that is, obtain v, the transaction amount in the transaction information, and thereby determine whether that transaction amount is correct.
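The supervisability of S501 to S505 rests on one algebraic fact: in a Bulletproof the prover's vector l is a_L − z·1^n + s_L·x, so whoever chose s_L (here the supervisor) can strip the blinding once x and z are public and read the bits a_L, hence v. The following added example, which is not the patent's code, walks through exactly that: the supervisor picks s_L, s_R and ρ, publishes and signs S = h^ρ g^{s_L} h^{s_R}, the prover builds A and l from them, the block verifier checks the supervisor's signature on S, and the supervisor recovers v from l. It assumes the supervisor hands the scalars s_L, s_R, ρ to the prover along with S (the page says the supervisor retains them but does not spell out the hand-over), replaces the interactive y, z, x exchange with Fiat-Shamir hashes, and omits the T_1, T_2 and inner-product parts of the proof since they play no role in the audit. The group is an insecure toy so the numbers stay readable.

```python
"""Supervisable Bulletproof blinding: recovering v from l given s_L.
Added example, not the patent's code. Toy safe-prime group, INSECURE parameters."""
import hashlib
import secrets

P, Q = 2039, 1019          # p = 2q + 1; squares mod p form the order-q subgroup
N = 8                      # range proof covers v in [0, 2^N - 1]


def hash_to_group(label):
    """Derive an order-q generator from a label; squaring lands in the subgroup."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(f"{label}|{ctr}".encode()).digest(), "big") % P
        if x not in (0, 1, P - 1):          # avoid the trivial elements whose square is 1
            return pow(x, 2, P)
        ctr += 1


G, H = hash_to_group("g"), hash_to_group("h")
G_VEC = [hash_to_group(f"g{i}") for i in range(N)]   # vector generators g_i
H_VEC = [hash_to_group(f"h{i}") for i in range(N)]   # vector generators h_i


def challenge(*parts):
    """Fiat-Shamir challenge in [1, q-1] (the page uses an interactive exchange)."""
    data = b"|".join(str(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def vec_commit(blind, a, b):
    """Pedersen vector commitment h^blind * prod g_i^a_i * prod h_i^b_i."""
    acc = pow(H, blind % Q, P)
    for gi, ai in zip(G_VEC, a):
        acc = acc * pow(gi, ai % Q, P) % P
    for hi, bi in zip(H_VEC, b):
        acc = acc * pow(hi, bi % Q, P) % P
    return acc


def schnorr_sign(sk, msg):
    """Supervisor signature on a group element (Schnorr, hypothetical scheme choice)."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + challenge(R, msg) * sk) % Q


def schnorr_verify(pk, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pk, challenge(R, msg), P) % P


def supervisor_issue(sk):
    """S501: choose s_L, s_R, rho, publish S = h^rho g^{s_L} h^{s_R} with a signature,
    and keep the scalars so the committed value can be audited later."""
    s_L = [secrets.randbelow(Q) for _ in range(N)]
    s_R = [secrets.randbelow(Q) for _ in range(N)]
    rho = secrets.randbelow(Q)
    S = vec_commit(rho, s_L, s_R)
    return {"S": S, "sig": schnorr_sign(sk, S), "s_L": s_L, "s_R": s_R, "rho": rho}


def prover_range_proof(v, nonce):
    """S502: A = h^alpha g^{a_L} h^{a_R} and l = a_L - z*1^n + s_L*x, with s_L supplied by
    the supervisor (assumption: it travels together with S)."""
    assert 0 <= v < 2 ** N
    a_L = [(v >> i) & 1 for i in range(N)]          # bit decomposition, <a_L, 2^n> = v
    a_R = [bit - 1 for bit in a_L]                  # a_R = a_L - 1^n
    A = vec_commit(secrets.randbelow(Q), a_L, a_R)
    y = challenge(A, nonce["S"], "y")
    z = challenge(A, nonce["S"], "z")
    x = challenge(A, nonce["S"], y, z, "x")
    l = [(a_L[i] - z + nonce["s_L"][i] * x) % Q for i in range(N)]
    return {"A": A, "S": nonce["S"], "sig": nonce["sig"], "z": z, "x": x, "l": l}


def verifier_checks_signature(pk, proof):
    """S504: the block verifier confirms that S carries the supervisor's signature."""
    return schnorr_verify(pk, proof["S"], proof["sig"])


def supervisor_recover_value(proof, nonce):
    """S505: with its own s_L the supervisor unblinds l back to the bits a_L."""
    a_L = [(proof["l"][i] - nonce["s_L"][i] * proof["x"] + proof["z"]) % Q for i in range(N)]
    assert all(bit in (0, 1) for bit in a_L), "l does not unblind to bits: wrong nonce"
    return sum(bit << i for i, bit in enumerate(a_L))


if __name__ == "__main__":
    sk = secrets.randbelow(Q - 1) + 1
    nonce = supervisor_issue(sk)
    proof = prover_range_proof(173, nonce)
    print("signature ok:", verifier_checks_signature(pow(G, sk, P), proof))
    print("supervisor reads v =", supervisor_recover_value(proof, nonce))
```

Two properties follow directly from the code: a party that does not know s_L sees only uniformly blinded entries of l, and a proof built on a nonce the supervisor never issued fails to unblind into bits, which is why the block verifier must check the signature on S before accepting the transaction.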
In the account-model transaction method disclosed in the embodiment of the invention, introducing a supervisor node makes it possible to supervise the transaction amounts in the entire blockchain system, giving the blockchain system the property of supervisability.
In the transaction flow on the side of the transaction receiver node, the coin mixer node and the block verifier node disclosed in Figure 3 above, a supervisor node is likewise introduced to supervise the coin mixing process and the coin mixing result.
Specifically, Figure 6 shows a schematic diagram of the supervision flow on the side of the coin mixer node, the supervisor node and the block verifier node, which includes the following steps:
S601: The supervisor node randomly selects a random mapping, signs the random mapping with its public-private key pair, computes the related parameters and the challenge corresponding to the random mapping, and signs the challenge x with its public-private key pair.
In S601, the supervisor node randomly selects a random mapping π(). Optionally, if there are multiple supervisor nodes, they jointly select π() at random.
The supervisor node computes
Figure PCTCN2019114586-appb-000076
where i ∈ {1, k}.
The supervisor node computes:
Figure PCTCN2019114586-appb-000077
and x = Hash(C_A1 || ... || C_Au), where {r_A1, …, r_Au} are u random numbers chosen at random by the supervisor node.
The supervisor node signs the challenge x with its public-private key pair and sends the signed challenge x to the coin mixer node that requested the random mapping.
S602: Before coin mixing, the coin mixer node requests the random mapping from the supervisor node.
S603: The coin mixer node receives the random mapping sent by the supervisor node and the related parameters corresponding to it, performs the Verifiable Shuffle computation based on its own randomly chosen random numbers, the random mapping and the related parameters, obtains the coin mixing proof, and sends the coin mixing proof and the random mapping to the block verifier node.
In S603, the coin mixer node takes the random mapping obtained from the supervisor node, x = Hash(C_A1 || ... || C_Au) and
Figure PCTCN2019114586-appb-000078
together with its own randomly chosen random numbers {s_1, …, s_u}, and computes:
Figure PCTCN2019114586-appb-000079
y = Hash(C_B1 || ... || C_Bu)
z = Hash(C_B1 || ... || C_Bu || y)
It sets
Figure PCTCN2019114586-appb-000080
and computes:
Figure PCTCN2019114586-appb-000081
Figure PCTCN2019114586-appb-000082
Figure PCTCN2019114586-appb-000083
Figure PCTCN2019114586-appb-000084
Based on the multi-party supervisable provable shuffle, the coin mixer node computes the product proof:
Figure PCTCN2019114586-appb-000085
Based on the multi-party supervisable provable shuffle, the coin mixer node computes the exponentiation proof:
Figure PCTCN2019114586-appb-000086
S604: The block verifier node verifies whether the coin mixing proof is correct and whether the supervisor node signature on the random mapping is correct.
In S604, the block verifier node verifies whether the coin mixing proof establishes that the coin mixing was carried out in the order given by the random mapping; if so, the coin mixing proof is determined to be correct, otherwise it is determined to be incorrect.
Based on the above example, the specific way of verifying the mixing order is:
Verify the legality of the elements
Figure PCTCN2019114586-appb-000087
and
Figure PCTCN2019114586-appb-000088
, and, according to
Figure PCTCN2019114586-appb-000089
and
Figure PCTCN2019114586-appb-000090
, compute C_{-z} and
Figure PCTCN2019114586-appb-000091
; finally verify the product proof and the exponentiation proof. If all verifications pass, the coin mixing proof is determined to establish that the coin mixing was carried out in the order given by the random mapping.
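The challenges x, y and z, the commitment C_{-z} and the pairing of a product proof with an exponentiation proof in S601 to S604 are the shape of a Bayer-Groth style shuffle argument, in which a commitment to the permutation is combined with a commitment to the powers x^{π(i)} so that the permuted vector's product can be compared with a public target. The exact formulas on this page survive only as images, so the following added example (not the patent's code) assumes that structure: the supervisor commits to π as C_Ai = g^{π(i)} h^{r_Ai} and derives x, the mixer commits to x^{π(i)} as C_Bi = g^{x^{π(i)}} h^{s_i} and derives y and z, and the verifier checks that every element lies in the prime-order subgroup and recombines the two commitment vectors with C_{-z}. The zero-knowledge product and exponentiation proofs themselves are not reproduced; instead the openings are revealed so that the identity those proofs certify, namely that the committed values multiply to ∏(y·i + x^i − z) regardless of π, can be checked directly. The group is an insecure toy.

```python
"""Commitment algebra of a supervisable shuffle (Bayer-Groth shape, assumed).
Added example, not the patent's code. Toy safe-prime group, INSECURE parameters."""
import hashlib
import secrets

P, Q = 2039, 1019      # p = 2q + 1; squares mod p form the order-q subgroup
G, H = 4, 9            # 2^2 and 3^2, both of prime order q


def fs_hash(*parts):
    """Hash(a || b || ...) reduced to a non-zero scalar, used for x, y and z."""
    data = b"||".join(str(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def commit(m, r):
    """Pedersen commitment g^m h^r with scalars reduced modulo q."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def is_valid_element(e):
    """Legality check from S604: the element must lie in the order-q subgroup."""
    return 0 < e < P and pow(e, Q, P) == 1


def supervisor_commit_permutation(pi):
    """S601: C_Ai = g^{pi(i)} h^{r_Ai} and x = Hash(C_A1 || ... || C_Au)."""
    r_A = [secrets.randbelow(Q) for _ in pi]
    C_A = [commit(pi_i, r) for pi_i, r in zip(pi, r_A)]
    return C_A, r_A, fs_hash(*C_A)


def mixer_commit_powers(pi, x):
    """S603: C_Bi = g^{x^{pi(i)}} h^{s_i}, then y and z from the transcript."""
    s = [secrets.randbelow(Q) for _ in pi]
    C_B = [commit(pow(x, pi_i, Q), s_i) for pi_i, s_i in zip(pi, s)]
    y = fs_hash(*C_B)
    z = fs_hash(*C_B, y)
    return C_B, s, y, z


def verifier_combine(C_A, C_B, y, z):
    """S604: C_Di = C_Ai^y * C_Bi * C_{-z}, a commitment to y*pi(i) + x^{pi(i)} - z."""
    C_minus_z = commit(-z, 0)
    return [pow(a, y, P) * b % P * C_minus_z % P for a, b in zip(C_A, C_B)]


def expected_product(u, x, y, z):
    """Public target prod_{i=1..u} (y*i + x^i - z) mod q; it does not depend on pi."""
    prod = 1
    for i in range(1, u + 1):
        prod = prod * ((y * i + pow(x, i, Q) - z) % Q) % Q
    return prod


def opened_product(pi, x, y, z):
    """Product of the values committed in C_D; equals the target iff pi permutes 1..u."""
    prod = 1
    for pi_i in pi:
        prod = prod * ((y * pi_i + pow(x, pi_i, Q) - z) % Q) % Q
    return prod


def check_openings(C_D, pi, r_A, s, x, y, z):
    """Transparent check (never done in the real protocol): C_D opens as claimed."""
    return all(
        commit(y * pi_i + pow(x, pi_i, Q) - z, y * r + s_i) == c
        for c, pi_i, r, s_i in zip(C_D, pi, r_A, s)
    )


if __name__ == "__main__":
    pi = [3, 1, 4, 2]                         # supervisor's permutation of 1..4
    C_A, r_A, x = supervisor_commit_permutation(pi)
    C_B, s, y, z = mixer_commit_powers(pi, x)
    C_D = verifier_combine(C_A, C_B, y, z)
    print("elements legal:", all(is_valid_element(c) for c in C_A + C_B + C_D))
    print("product identity holds:",
          opened_product(pi, x, y, z) == expected_product(len(pi), x, y, z))
```

The subgroup membership test is not decoration: a commitment outside the order-q subgroup would let a prover exploit the small cofactor, so a verifier rejects such elements before doing any of the algebra. The product identity is what the product proof on the page establishes in zero knowledge; the mixer never reveals π, r_A or s as this example does.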
In the blockchain system, the block verifier node also receives the supervisor node information synchronously, so it can verify whether the supervisor node signature in the range proof of the commitments is correct.
In the account-model transaction method disclosed in the embodiment of the invention, introducing a supervisor node makes it possible to supervise the coin mixing process in the entire blockchain system, giving the blockchain system the property of supervisability.
Based on the account-model transaction method disclosed in the above embodiment of the present invention, the embodiment of the present invention also correspondingly discloses an account-model transaction device. As shown in Figure 7, the transaction device is applicable to the transaction initiator node and includes:
a commitment calculation module 701, configured to determine the account amount commitment, the amount to be transacted, the public key of the transaction receiver node and a random number, and to perform a commitment calculation to obtain the transaction amount commitment, the account balance commitment and the shared public key;
an encryption module 702, configured to encrypt the amount to be transacted with the shared public key to obtain a ciphertext;
a proof module 703, configured to perform a range proof on the transaction amount commitment and the account balance commitment to obtain the range proof of the commitments, where the range proof of the commitments indicates that the amounts in the transaction amount commitment and the account balance commitment are positive.
Optionally, the proof module 703 is specifically configured to use the range proof randomly generated at blockchain system initialization to perform a range proof on the transaction amount commitment and the account balance commitment, obtaining the range proof of the commitments.
Optionally, the proof module 703 is specifically configured to use a previously obtained supervisor random number and the generators involved in the multi-party supervisable Bulletproof range proof randomly generated at blockchain system initialization to perform a Bulletproof range proof on the transaction amount commitment and the account balance commitment, obtaining the range proof of the commitments.
a transaction generation module 704, configured to generate a confidential transaction based on the transaction amount commitment, the random public key, the ciphertext and the range proof of the commitments, and to generate the transaction information from the confidential transaction, the fee information and a signature;
a sending module 705, configured to send the transaction information to the nodes of the blockchain system.
In the embodiment of the present invention, a plaintext account and a ciphertext account are set up for each user based on the account model. The transaction initiator node encrypts the amount to be transacted under the public key of the transaction receiver node and performs a commitment calculation to obtain encrypted transaction information; the transaction receiver node subsequently determines the real transaction information from the information agreed with the transaction initiator node and completes the transaction. Because the transaction initiator node initiates a ciphertext transaction and the transaction receiver node determines the real transaction information from the agreed information before completing the transaction, leakage of the identities of both parties and of the transaction details is effectively avoided. This achieves the goal that user and transaction information is not leaked when transacting on the account model, so that the blockchain system has the properties of confidentiality, anonymity and supervisability.
Based on the account-model transaction method disclosed in the above embodiment of the present invention, the embodiment of the present invention also correspondingly discloses an account-model transaction device. As shown in Figure 8, the transaction device is applicable to the transaction initiator node and includes:
a determining module 801, configured to determine, based on the shared public key, the transaction information initiated by the agreed transaction initiator node;
a coin mixing notification module 802, configured to anonymously send a coin mixing notification for the transaction information to the coin mixer node, the coin mixing notification including the fee information in the transaction information and part of the information shared between the transaction receiver node and the transaction initiator node;
an updating module 803, configured to receive the coin mixing result sent by the coin mixer node and to perform a non-interactive zero-knowledge proof based on the coin mixing result; if it determines that it holds the transaction amount commitment in the transaction information, it obtains the amount to be transacted in the transaction amount commitment and the random number randomly chosen by the transaction initiator node, and updates its own account balance based on the amount to be transacted.
For the non-interactive zero-knowledge proof based on the coin mixing result, the updating module 803 is specifically configured to:
hash the current coin mixing result and the number of mixing rounds using the previously obtained random number of the transaction initiator node to obtain a hash value, compute the hash commitment corresponding to that hash value, and perform a non-interactive zero-knowledge proof from the hash commitment and the coin mixing result to obtain a first proof and a second proof, where the first proof proves that the transaction receiver node is the owner of the current transaction, and the second proof proves that the number of mixing rounds after this round lies within the range of mixing rounds accepted by the transaction receiver node.
Optionally, the transaction device further includes:
a setting module, configured to set additional field information in the transaction information, the additional field information indicating the mixing order and mixing information of the coin mixer nodes during the coin mixing process.
In practical applications, a transaction initiator node can also be a transaction receiver node and a transaction receiver node can also be a transaction initiator node; therefore, the transaction devices disclosed in Figures 7 and 8 above can exist in both the transaction initiator node and the transaction receiver node at the same time.
In the embodiment of the present invention, a plaintext account and a ciphertext account are set up for each user based on the account model. After the transaction receiver node determines, from the information agreed with the transaction initiator node, that the encrypted transaction information initiated by the transaction initiator node has been placed in the UTXO transaction pool, the transaction receiver node engages a coin mixer node to mix the transaction and, once the mixing meets its expectations, proves that it holds the amount and the random number of the current transaction; after completing the proof it accepts the transaction information and updates its own account balance. Because the transaction receiver node completes the transaction only after determining, on the basis of coin mixing, that the encrypted transaction information is the correct transaction information, leakage of the identities of both parties and of the transaction details is effectively avoided. This achieves the goal that user and transaction information is not leaked when transacting on the account model, so that the blockchain system has the properties of confidentiality, anonymity and supervisability.
Based on the account-model transaction method and transaction device disclosed in the above embodiment of the present invention, the embodiment of the present invention also discloses an account-model blockchain system.
As shown in Figure 9, the blockchain system includes: a transaction initiator node 901, a block proposer node 902, a block verifier node 903, a supervisor node 904, a coin mixer node 905 and a transaction receiver node 906.
The transaction initiator node 901 is configured to agree with the transaction receiver node 906 on the shared public key and random number needed for the transaction, and to encrypt and commit to the amount to be transacted based on the shared public key and random number, obtaining the encrypted transaction information.
The block proposer node 902 is configured to collect the transaction information in the current time period, perform a preliminary check on it, and, after determining that there is no problem with the transaction information, send it to the block verifier node.
The block verifier node 903 is configured to verify the received transaction information and coin mixing result, confirm whether the transaction information and the coin mixing result are correct, and determine based on the verification result whether the transaction continues to be executed.
The supervisor node 904 is configured to provide the supervisor random number, signed by the supervisor node, to the transaction initiator node 901 and the block verifier node 903.
The coin mixer node 905 is configured to perform the coin mixing operation based on the coin mixing notification from the transaction receiver node 906 and to send the resulting coin mixing result to the block verifier node 903 and the transaction receiver node 906.
The transaction receiver node 906 is configured to determine, based on the shared public key agreed with the transaction initiator node 901, whether the transaction information of the transaction initiator node 901 is on the chain; after determining that it is, to send a coin mixing notification to the coin mixer node 905 and receive the coin mixing result fed back by the coin mixer node 905; and, after determining that the coin mixing result meets expectations, to perform a non-interactive zero-knowledge proof based on the coin mixing result, determine that it holds the transaction amount commitment in the transaction information and the random number randomly chosen by the transaction initiator node 901, obtain the amount to be transacted from the transaction amount commitment, and update its own account balance based on that amount.
The embodiment of the present invention also provides a computer-readable storage medium on which a transaction program is stored; the transaction program can be executed by one or more processors to implement the transaction method described above.
The embodiment of the present invention also provides a computer program product comprising computer instructions which, when run on a computer, enable the computer to execute the transaction method disclosed in the above embodiment of the present invention.
In summary, in the embodiment of the present invention, a plaintext account and a ciphertext account are set up for each user based on the account model. The transaction initiator node encrypts the amount to be transacted under the public key of the transaction receiver node and performs a commitment calculation to obtain encrypted transaction information, which is placed in the UTXO transaction pool after verification by the block verifier node. The transaction receiver node then engages a coin mixer node to mix the transaction and, once the mixing meets its expectations, proves that it holds the amount and the random number of the current transaction; after completing the proof it accepts the transaction information and updates its own account balance. Because the transaction initiator node initiates a ciphertext transaction and the transaction receiver node determines the correct transaction information on the basis of coin mixing before completing the transaction, leakage of the identities of both parties and of the transaction details is effectively avoided. This achieves the goal that user and transaction information is not leaked when transacting on the account model, so that the blockchain system has the properties of confidentiality, anonymity and supervisability.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The embodiments in this specification are described in a progressive manner; for the parts that are the same or similar between embodiments, reference may be made to one another, and each embodiment focuses on its differences from the others. In particular, since the system and system embodiments are essentially similar to the method embodiments, their description is relatively brief, and for the relevant parts reference may be made to the description of the method embodiments. The systems and system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of their functions. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered as going beyond the scope of the present invention.
对所公开的实施例的上述说明,使本领域专业技术人员能够实现或使用本发明。对这些实施例的多种修改对本领域的专业技术人员来说将是显而易见的,本文中所定义的一般原理可以在不脱离本发明的精神或范围的情况下,在其它实施例中实现。因此,本发明将不会被限制于本文所示的这些实施例,而是要符合与本文所公开的原理和新颖特点相一致的最宽的范围。The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be obvious to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention will not be limited to the embodiments shown in this document, but should conform to the widest scope consistent with the principles and novel features disclosed in this document.

Claims (15)

  1. A blockchain system based on an account model, characterized in that the system comprises a transaction initiator node, a transaction receiver node and a coin mixer node, wherein:
    the transaction initiator node is configured to encrypt the amount to be transacted and compute a commitment to it based on a determined shared public key and a random number, obtaining encrypted transaction information, the shared public key being generated by the transaction initiator node from the public key of the transaction receiver node;
    the transaction receiver node is configured to determine, based on the shared public key, whether the transaction information initiated by the transaction initiator node has been put on the chain; after determining that it has, to send a coin mixing notification to the coin mixer node and receive the coin mixing result fed back by the coin mixer node; after determining that the coin mixing result meets expectations, to perform a non-interactive zero-knowledge proof based on that result, establishing that it possesses the transaction amount commitment in the transaction information and the random number randomly selected by the transaction initiator node; to obtain the amount to be transacted from the transaction amount commitment; and to update its own account balance based on that amount;
    the coin mixer node is configured to perform a coin mixing operation based on the coin mixing notification and to send the resulting coin mixing result to the transaction receiver node.
  2. A transaction method based on an account model, characterized in that it applies to a transaction initiator node and comprises:
    the transaction initiator node determining the account amount commitment, the amount to be transacted, the public key of the transaction receiver node and a random number, and performing commitment computation to obtain a transaction amount commitment, an account balance commitment and a shared public key;
    the transaction initiator node encrypting the amount to be transacted with the shared public key to obtain a ciphertext;
    the transaction initiator node producing a range proof for the transaction amount commitment and the account balance commitment, obtaining a commitment range proof, the commitment range proof being used to indicate that the amounts in the transaction amount commitment and the account balance commitment are positive;
    the transaction initiator node generating a confidential transaction based on the transaction amount commitment, a random public key, the ciphertext and the commitment range proof;
    the transaction initiator node generating transaction information from the confidential transaction, handling fee information and a signature, and sending the transaction information to a node of the blockchain system.
  3. The method according to claim 2, characterized in that the transaction initiator node producing a range proof for the transaction amount commitment and the account balance commitment, obtaining a commitment range proof, comprises:
    the transaction initiator node producing the range proof for the transaction amount commitment and the account balance commitment using the range proof setup randomly generated when the blockchain system is initialized, obtaining the commitment range proof.
  4. The method according to claim 2, characterized in that the transaction initiator node producing a range proof for the transaction amount commitment and the account balance commitment, obtaining a commitment range proof, comprises:
    the transaction initiator node producing the range proof for the transaction amount commitment and the account balance commitment using a supervisor random number obtained in advance and the generators involved in the multi-party supervisable range proof randomly generated when the blockchain system is initialized, obtaining the commitment range proof;
    correspondingly, after the transaction information is sent to a node of the blockchain system, causing a block validator node to obtain the transaction information including the commitment range proof, to verify whether the commitment range proof is correct, and to verify whether the supervisor random number signed by the supervisor node in the commitment range proof is correct; and, after the transaction information is put on the chain, causing the supervisor node to obtain the commitment range proof in the transaction information together with the supervisor random number signed by the supervisor node and the related parameters in that proof, so that the supervisor node computes from the signed supervisor random number and the related parameters whether the amount to be transacted in the transaction information is correct.
  5. A transaction method based on an account model, characterized in that it applies to a transaction receiver node and comprises:
    the transaction receiver node determining, based on a shared public key, that the agreed transaction initiator node has initiated transaction information;
    the transaction receiver node anonymously sending a coin mixing notification for the transaction information to a coin mixer node, the coin mixing notification including the handling fee information in the transaction information and part of the information shared between the transaction receiver node and the transaction initiator node;
    the transaction receiver node receiving the coin mixing result sent by the coin mixer node and performing a non-interactive zero-knowledge proof based on the coin mixing result;
    if it determines that it possesses the transaction amount commitment in the transaction information, obtaining the amount to be transacted in the transaction amount commitment and the random number randomly selected by the transaction initiator node, and updating its own account balance based on the amount to be transacted.
  6. The method according to claim 5, characterized in that the transaction receiver node receiving the coin mixing result sent by the coin mixer node and performing a non-interactive zero-knowledge proof based on the coin mixing result comprises:
    the transaction receiver node hashing the current coin mixing result and the number of mixing rounds together with the random number of the transaction initiator node obtained in advance, obtaining a hash value;
    the transaction receiver node computing the hash commitment corresponding to the hash value;
    the transaction receiver node performing a non-interactive zero-knowledge proof based on the hash commitment and the coin mixing result, obtaining a first proof and a second proof, the first proof being used to prove that the transaction receiver node is the owner of the current transaction, and the second proof being used to prove that the number of mixing rounds after this round is within the range of mixing rounds accepted by the transaction receiver node.
  7. The method according to claim 5, characterized in that, after the transaction receiver node determines based on the shared public key that the agreed transaction initiator node has initiated transaction information, the method further comprises:
    the transaction receiver node setting additional field information in the transaction information, the additional field information being used to indicate the mixing order of the coin mixer nodes and the mixing information during the coin mixing process.
  8. The method according to claim 5, characterized in that, after the transaction receiver node anonymously sends the coin mixing notification for the transaction information to the coin mixer node, if the coin mixer node has obtained in advance a random mapping and the related parameters corresponding to the random mapping from the supervisor node, the coin mixer node is caused to perform a Verifiable Shuffle computation based on a randomly selected random number, the random mapping and the related parameters corresponding to the random mapping, obtaining a coin mixing proof, and to send the coin mixing proof and the random mapping to a block validator node, so that the block validator node verifies whether the coin mixing proof is correct and whether the supervisor node's signature in the random mapping is correct.
  9. A transaction device based on an account model, characterized in that the device comprises a processor and a memory, the memory storing a program which, when executed by the processor, implements the transaction method according to any one of claims 2 to 4.
  10. A transaction device based on an account model, characterized in that the device comprises a processor and a memory, the memory storing a program which, when executed by the processor, implements the transaction method according to any one of claims 5 to 8.
  11. A computer-readable storage medium, characterized in that a transaction program is stored on the computer-readable storage medium, the transaction program being executable by one or more processors to implement the transaction method according to claims 2 to 4, or to implement the transaction method according to claims 5 to 8.
  12. A computer program product, characterized in that it comprises computer instructions which, when run on a computer, enable the computer to execute the transaction method according to claims 2 to 4, or to implement the transaction method according to claims 5 to 8.
  13. A blockchain system based on an account model, characterized in that it comprises a transaction initiator node, a block proposer node, a block validator node, a supervisor node, a coin mixer node and a transaction receiver node;
    the transaction initiator node comprising the computer program product according to claim 12, or being a transaction initiator node having the transaction device according to claim 9, the transaction initiator node being configured to encrypt the amount to be transacted and compute a commitment to it based on a determined shared public key and a random number, obtaining encrypted transaction information, the shared public key being generated by the transaction initiator node from the public key of the transaction receiver node;
    the block proposer node being configured to collect the transaction information and, after determining that the transaction information is correct, to send it to the block validator node;
    the block validator node being configured to verify the received transaction information and coin mixing result, confirming whether the transaction information and the coin mixing result are correct, and to determine based on the verification result whether the transaction continues to be executed;
    the supervisor node being configured to provide a supervisor random number, signed by the supervisor node, to the transaction initiator node and the block validator node, and to supervise the transaction information, the verification process of the validator node and the coin mixing result of the coin mixer node;
    the transaction receiver node comprising the computer program product according to claim 12, or being a transaction receiver node having the transaction device according to claim 10, and being configured to determine, based on the shared public key, whether the transaction information initiated by the transaction initiator node has been put on the chain; after determining that it has, to send a coin mixing notification to the coin mixer node and receive the coin mixing result fed back by the coin mixer node; after determining that the coin mixing result meets expectations, to perform a non-interactive zero-knowledge proof based on that result, establishing that it possesses the transaction amount commitment in the transaction information and the random number randomly selected by the transaction initiator node; to obtain the amount to be transacted from the transaction amount commitment; and to update its own account balance based on that amount;
    the coin mixer node being configured to perform a coin mixing operation based on the coin mixing notification and to send the resulting coin mixing result to the transaction receiver node and the block validator node.
  14. The system according to claim 13, characterized in that, if the transaction initiator node has obtained the supervisor random number from the supervisor node in advance, then during the commitment computation the transaction initiator node is further configured to produce a range proof for the transaction amount commitment and the account balance commitment using the supervisor random number obtained in advance and the generators involved in the multi-party supervisable range proof randomly generated when the blockchain system is initialized, obtaining a commitment range proof;
    correspondingly,
    the block validator node is further configured to obtain the transaction information including the commitment range proof, to verify whether the commitment range proof is correct, and to verify whether the supervisor random number signed by the supervisor node in the commitment range proof is correct;
    the supervisor node is further configured, after the transaction information is put on the chain, to obtain the commitment range proof in the transaction information together with the supervisor random number signed by the supervisor node and the related parameters in that proof, and to compute from the signed supervisor random number and the related parameters whether the amount to be transacted in the transaction information is correct.
  15. The system according to claim 13, characterized in that, if the coin mixer node has obtained in advance a random mapping and the related parameters corresponding to the random mapping from the supervisor node, the coin mixer node is further configured, after receiving the coin mixing notification, to perform a Verifiable Shuffle computation based on a randomly selected random number, the random mapping and the related parameters corresponding to the random mapping, obtaining a coin mixing proof, and to send the coin mixing proof and the random mapping to the block validator node;
    the block validator node is further configured to verify whether the coin mixing proof is correct and whether the supervisor node's signature in the random mapping is correct.
PCT/CN2019/114586 2019-10-31 2019-10-31 Transaction method, device, and system based on account model, and storage medium WO2021081866A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980060387.0A CN112771562A (en) 2019-10-31 2019-10-31 Account model-based transaction method, device, system and storage medium
PCT/CN2019/114586 WO2021081866A1 (en) 2019-10-31 2019-10-31 Transaction method, device, and system based on account model, and storage medium

Publications (1)

Publication Number Publication Date
WO2021081866A1 (en) 2021-05-06

Family

ID=75693768

Country Status (2)

Country Link
CN (1) CN112771562A (en)
WO (1) WO2021081866A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112990928B (en) * 2021-05-10 2021-08-24 南开大学 Safety protection method for digital currency transaction data
CN113469685A (en) * 2021-07-19 2021-10-01 东南大学 Privacy protection method for encrypting transaction amount and transaction confusion of Ether house
CN113988863B (en) * 2021-12-28 2022-03-29 浙江大学 Supervision-capable online payment privacy protection method and device and electronic equipment
CN114580029A (en) * 2022-04-28 2022-06-03 浙江甲骨文超级码科技股份有限公司 Block chain digital asset privacy protection method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737068A (en) * 2018-04-13 2018-11-02 中国地质大学(武汉) A blockchain-based privacy protection method and system for cryptocurrency transactions
CN109447602A (en) * 2018-10-16 2019-03-08 北京航空航天大学 A privacy-preserving coin mixing method for multi-center collaborative distributed digital currency
CN109584055A (en) * 2018-09-20 2019-04-05 阿里巴巴集团控股有限公司 Blockchain-based transaction method and device, and cross-border remittance method and device
CN110009323A (en) * 2019-02-01 2019-07-12 阿里巴巴集团控股有限公司 Blockchain transaction method and device, electronic device and storage medium
CN110011781A (en) * 2019-03-04 2019-07-12 华中科技大学 A homomorphic encryption method for encrypting transaction amounts that supports zero-knowledge proofs

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826554A (en) * 2022-07-01 2022-07-29 国网区块链科技(北京)有限公司 Block chain-based electricity price privacy protection method and system and storage medium
CN114826554B (en) * 2022-07-01 2022-09-13 国网区块链科技(北京)有限公司 Block chain-based electricity price privacy protection method, system and storage medium

Also Published As

Publication number Publication date
CN112771562A (en) 2021-05-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19950295; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19950295; Country of ref document: EP; Kind code of ref document: A1)