CN106911470B - Bitcoin transaction privacy enhancement method - Google Patents
Bitcoin transaction privacy enhancement method
Publication number: CN106911470B (application CN201710050768.3A)
Authority: CN (China)
Prior art keywords: transaction, verification, amount, receiver, value
 Prior art date
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
H04L9/0825—Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
G—PHYSICS; G06—COMPUTING; CALCULATING; COUNTING; G06Q—DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
G06Q20/00—Payment architectures, schemes or protocols
G06Q20/02—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
G06Q20/023—Payment architectures involving a neutral party, the neutral party being a clearing house
G06Q20/04—Payment circuits
G06Q20/06—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
G06Q20/065—Private payment circuits using e-cash
G06Q20/38—Payment protocols; Details thereof
G06Q20/382—Payment protocols insuring higher security of transaction
G06Q20/3829—Payment protocols insuring higher security of transaction involving key management
Abstract
A bitcoin transaction privacy enhancement method comprises the following steps: 1. initialization, outputting the initial values the system uses for encryption, decryption and verification; 2. calculating the total input amount; 3. encrypting each amount to be sent; 4. running a verification procedure that ensures every transaction value is positive and that the transaction inputs and outputs are equal; 5. after verification passes, sending the data, which the receiver decrypts; 6. publishing the transaction for network-wide confirmation. Through these steps the method is designed from the ground up around the problems of the existing bitcoin system and solves the privacy leakage caused by exposed amounts in bitcoin. It combines several cryptographic primitives, the bitcoin system, a homomorphic encryption system and proofs on commitment values, and applies methods from different fields to the practical problem of privacy enhancement; it offers encryption and decryption performance, the homomorphic property, the zero-knowledge property, security, efficiency and compatibility, and it realizes a smooth transaction flow for encrypted bitcoin.
Description
(I) Technical field:
The invention is a bitcoin transaction privacy enhancement method for protecting the plaintext amount during a bitcoin transaction. The scheme encrypts and decrypts the amount with a homomorphic cryptosystem so that the amount stays private in transit, and uses proofs on commitment values to guarantee that every hidden amount is positive and that the total input and output amounts of a transaction are equal. The scheme belongs to the fields of cryptography within information security and of cryptocurrency.
(II) Technical background:
In 2008 Satoshi Nakamoto designed and released bitcoin, a peer-to-peer decentralized digital currency. The bitcoin system proposed a novel peer-to-peer distributed model that removes the trusted central authority of traditional electronic money. The characteristics shown by bitcoin and the underlying blockchain technology, decentralization, tamper resistance, wide dissemination of information and anonymity, have drawn growing attention and in-depth research from academia and industry.
The creation and growth of bitcoin led to a series of cryptography-based internet currencies. By working principle they fall roughly into three categories: PoW-based, PoS-based, and PoW+PoS-based. PoW (proof of work) allocates coins according to the amount of mining work contributed: the better the computer's performance, the more blocks it is likely to find; representative currencies are bitcoin, Litecoin, Dogecoin and Zcash. PoS (proof of stake) distributes rewards according to the amount and age of the coins held; in PoS the mining income is proportional to the coin age and unrelated to computing performance; representatives are BitShares and Blackcoin. Representatives of PoW+PoS are Ethereum and Peercoin. Other currencies include Rubycoin, Stellar and Counterparty.
The emergence of bitcoin and other electronic money brought blockchain technology into wide use. In the blockchain 1.0 era the underlying industry was built around digital currencies such as bitcoin, forming an industry group and chain of mining hardware, mining pools, digital currencies, payment wallets, exchanges and digital-currency gateways. In the blockchain 2.0 era the focus of technology and application shifted from pure electronic money to applications of the underlying blockchain technology, giving diversified applications across many scenarios, with greater independence the wider the category and industry span: asset verification, financial services, charity, media and communities, research and investment, smart contracts, judicial anti-counterfeiting, asset transactions, bank settlement, e-commerce, social communication, the internet of things, file storage and so on.
To address the transaction-privacy leakage caused by the widespread use of bitcoin, the scheme encrypts the plaintext transaction amount with the Paillier homomorphic encryption scheme before transmission. Proposed by Pascal Paillier in 1999, the cryptosystem rests on the composite residuosity assumption and is secure against chosen-plaintext attacks in the standard model. It is additively homomorphic: multiplying two ciphertexts yields a ciphertext of the sum of the plaintexts (and multiplying by a modular inverse yields a difference), and this property lets the verification process operate without revealing the amounts. Besides homomorphism the system is efficient, so the scheme can use precomputation and the Chinese remainder theorem to speed up the encryption and decryption steps within the time budget of a bitcoin transaction.
After encryption, the resulting ciphertext appears in every transaction record. To guarantee that the plaintext hidden by each ciphertext is positive and that the totals are equal, the scheme verifies proofs on commitment values. The method of Wu Qianhong et al. (2004) is used to prove that a committed number lies in a specific interval; it has a relatively simple procedure and a small expansion factor, and here it is used to prove that a hidden amount is positive. Equality of two commitment values is proved by comparing hash values, which verifies that the two commitments contain the same secret without revealing the committed number. Both proofs are zero-knowledge, so the encrypted amount is not leaked during verification.
(III) Content of the invention:
1. Purpose: the invention aims to provide a bitcoin transaction privacy enhancement method that encrypts and hides the original plaintext transaction amount during a transaction. The scheme ensures, on one hand, that the ciphertext value protects the trader's privacy, and on the other hand that the hidden transaction value is always positive and that the total output equals the total input, so that it stays compatible with the original bitcoin system.
2. Technical scheme:
The method has six steps, distributed across a transaction layer and a verification layer: 1) initialize the system and generate the initial values; 2) calculate the total input value of the transaction, i.e. the total of the transaction income and any mining income; 3) at the transaction layer, encrypt each amount to be sent under the receiver's public key, and at the verification layer encrypt the same amounts under the system public key; 4) at the verification layer, verify that each hidden amount is positive and that the total input and output amounts are equal; 5) after the verification layer passes, the transaction layer sends the encrypted amount to the receiver, who decrypts it with its private key; 6) after the receiver checks the transaction and finds no error, broadcast the transaction to the whole network and wait for confirmation.
2.1 Basic knowledge:
2.1.1 Bitcoin system
The bitcoin system contains three technical elements: transactions, the consensus mechanism and the distributed network. They also form the three-layer structure of bitcoin and the blockchain: transaction, block, chain. Bitcoin exists in the form of irreversible transactions; each transaction records transaction data of several users, including the transaction source, sending addresses, transaction amounts, signatures and so on. Each transaction is identified by an identifier generated with the SHA-256 hash algorithm. When a transaction is completed, the system must broadcast it to the whole network and wait for confirmation. After a miner verifies the transactions of the preceding period and finds a hash value whose first d characters are zeros, a data block can be generated; a data block is finally confirmed and cannot be changed after six further blocks have been generated. The unalterable data blocks form a chain structure, the blockchain. Block generation is confirmed by the computing power of the distributed network nodes: the more computing power, the easier it is to find a new block, but because the difficulty is adjusted accordingly, the time per block stays at about 10 minutes. Compared with earlier electronic cash systems, bitcoin has the advantages of decentralization, unforgeability, openness and verifiability, and cryptographic security, and the system has proven stable and extensible over nine years of development.
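The transaction identification and proof-of-work mechanics sketched above, as an added Python illustration that is not part of the patent. The header and transaction bytes are constructed placeholders rather than real bitcoin serializations, and the difficulty is counted in leading zero bits of the double-SHA-256 digest, the way the text describes it (real bitcoin compares the digest against a 256-bit target, which amounts to the same test for targets that are powers of two):

```python
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def txid(raw_tx: bytes) -> str:
    """Bitcoin's transaction identifier: SHA-256 applied twice to the
    serialized transaction, displayed byte-reversed."""
    return double_sha256(raw_tx)[::-1].hex()


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a 32-byte hash (the d of the text)."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def mine(header_prefix: bytes, d: int, max_nonce: int = 1 << 32):
    """Proof of work: scan a 32-bit nonce until double-SHA-256(prefix || nonce)
    has at least d leading zero bits. Expected work doubles with every bit of d.
    Returns (nonce, digest), or None if no nonce in range qualifies."""
    for nonce in range(max_nonce):
        digest = double_sha256(header_prefix + struct.pack("<I", nonce))
        if leading_zero_bits(digest) >= d:
            return nonce, digest
    return None


def verify_pow(header_prefix: bytes, nonce: int, d: int) -> bool:
    """Verification costs a single hash, unlike the search that found the nonce."""
    digest = double_sha256(header_prefix + struct.pack("<I", nonce))
    return leading_zero_bits(digest) >= d


if __name__ == "__main__":
    # Constructed sample data, not a real block header or transaction.
    header = b"prev-block-hash|merkle-root|timestamp|bits|"
    nonce, digest = mine(header, 16)
    print(txid(b"constructed-raw-tx"), nonce, digest.hex())
```

The asymmetry between `mine` and `verify_pow` is the whole point of the consensus mechanism: every node can check a block with one hash while producing it costs on the order of 2^d hashes, and the network retargets d so that this takes about ten minutes.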
2.1.2 Paillier public-key cryptosystem
The Paillier cryptosystem is secure against chosen-plaintext attack in the standard model, has efficient encryption and decryption, and is additively homomorphic. Its steps are:
Key generation: let p and q be large primes and $n = pq$; compute $\lambda = \lambda(n) = \mathrm{lcm}(p-1, q-1)$ and choose $g \in \mathbb{Z}^*_{n^2}$ whose order is a nonzero multiple of n. The public key is $(n, g)$ and the private key is $\lambda$.
Encryption: $c = g^m \cdot r^n \bmod n^2$, where r is chosen at random from $\mathbb{Z}^*_n$.
Decryption:
Homomorphic property: $\mathrm{Dec}_{sk}(\mathrm{Enc}_{pk}(m_1) \cdot \mathrm{Enc}_{pk}(m_2) \bmod n^2) = m_1 + m_2 \bmod n$.
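The Paillier operations above carried through in Python, as an added example that is not the patent's own code. It uses the standard decryption $m = L(c^\lambda \bmod n^2)\cdot\mu \bmod n$ with $L(u) = (u-1)/n$ and $\mu = L(g^\lambda \bmod n^2)^{-1} \bmod n$, takes $g = n+1$ as the generator (an assumption; any g of order a multiple of n works), and builds the modulus from two Mersenne primes so it runs without prime generation (constructed demo parameters, far below a secure key size):

```python
import math
import secrets

# Constructed demo parameters: 2^127 - 1 and 2^89 - 1 are Mersenne primes.
# Real deployments use random primes of at least 1024 bits each.
P = (1 << 127) - 1
Q = (1 << 89) - 1


def _L(u: int, n: int) -> int:
    """L(u) = (u - 1) / n, defined on S_n = {u < n^2 : u = 1 mod n}."""
    return (u - 1) // n


def keygen(p: int = P, q: int = Q):
    """Paillier key generation: pk = (n, g), sk = (lambda, mu).
    g = n + 1 is the usual generator choice (assumption of this example);
    mu is precomputed so decryption costs one modular exponentiation."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pk, m: int, r=None) -> int:
    """c = g^m * r^n mod n^2 with r random in Z_n^*. A caller-supplied r makes
    the ciphertext deterministic, which is what the page's fixed r_d = h_beta does."""
    n, g = pk
    n2 = n * n
    if r is None:
        while True:
            r = secrets.randbelow(n)
            if r > 0 and math.gcd(r, n) == 1:
                break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pk
    lam, mu = sk
    return _L(pow(c, lam, n * n), n) * mu % n


def add(pk, c1: int, c2: int) -> int:
    """Homomorphic addition: Dec(c1 * c2 mod n^2) = m1 + m2 mod n."""
    n, _ = pk
    return c1 * c2 % (n * n)


def sub(pk, c1: int, c2: int) -> int:
    """Homomorphic subtraction: multiply by the modular inverse of c2."""
    n, _ = pk
    n2 = n * n
    return c1 * pow(c2, -1, n2) % n2


def sum_ciphertexts(pk, cs) -> int:
    """Product of several ciphertexts = encryption of the sum of their plaintexts."""
    n, _ = pk
    n2 = n * n
    acc = 1
    for c in cs:
        acc = acc * c % n2
    return acc
```

One point worth seeing in the numbers: `decrypt(sub(c2, c1))` for plaintexts 5 and 7 returns $n - 2$, not $-2$. The homomorphism works modulo n, so a ciphertext carries no sign information, which is exactly why the scheme adds a separate proof that each hidden amount lies in a positive interval rather than relying on the ciphertext arithmetic alone.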
2.1.3 Proofs on commitment values
Proofs on commitment values are used mainly in the verification layer of the scheme: on one hand they show that a committed value is positive, on the other they guarantee that inputs and outputs remain equal after operating on committed values. To ensure that an encrypted amount is always positive, which prevents theft of bitcoin (a negative hidden output would otherwise let a sender create value), the scheme adopts the efficient proof that a committed number lies in a specific interval proposed by Wu Qianhong et al. in 2004. Its steps are relatively simple and its expansion factor is 1, so the committed number can be confined to a specific interval; the scheme sets the lower bound to 0, so the proof shows that the committed number is positive. To ensure that the encrypted output value is consistent with the transaction input value, the scheme adopts a proof that two committed numbers are equal. The idea is simple: the secret value is hidden in a commitment together with a randomly chosen value, and equality of two hash values decides whether the two commitments are consistent, which proves that they hide the same secret.
2.2 Content of the technical solution
The invention designs a bitcoin transaction privacy enhancement method implemented in six steps in sequence; the scheme framework is divided into a transaction layer and a verification layer, and the six steps are distributed across the two layers;
The bitcoin transaction privacy enhancement method of the invention comprises the following steps:
Step 1: System initialization/KeyGen: generate the security parameters for encryption, decryption and verification; the system takes a security parameter as input and outputs the public/private key pair $(pk_i, sk_i)$ used for encryption and decryption, and also outputs the public key $pk_d$ used for verification; note that this public key has no paired private key;
Step 2: Calculate total input/Insum: calculate the total input value of the transaction, i.e. the total of the incoming transaction amount and any mining income (mining income exists only in the first transaction of a block); if the transaction is the first transaction of a newly confirmed block, it receives the block reward (originally 50 bitcoin) as additional income, and the total input is the sum of this plaintext part and the original ciphertext; if the transaction is not the first transaction of a newly confirmed block, there is no extra income and the total input is the value transferred by the previous transaction;
Step 3: Encrypt: at the transaction layer the system encrypts each amount to be sent under the respective receiver's public key, and at the verification layer it encrypts the same amounts under the system public key; the amounts encrypted at the transaction layer are sent to the receivers' accounts after passing the verification layer, while the amounts encrypted at the verification layer go to a 'dumb account' that has no private key, and they are discarded after verification;
Step 4: Verify: at the verification layer, verify that each hidden amount is positive and that the total input and output amounts are equal; the verification layer has two steps: first, a proof that a committed value lies in a specific interval shows that each hidden amount is positive; second, a proof that two commitment values are equal shows that the totals of the hidden amounts before and after (input and output) are equal; when both hold, the sending stage of the transaction layer is entered;
Step 5: Decrypt: after the verification layer passes, the transaction layer sends the encrypted amount to the receiver, who decrypts it with its private key; after the receiver checks that the amount received is correct, the next transaction proceeds; the value received becomes the input value of the receiver's next transaction;
Step 6: Broadcast: after the receiver checks the transaction and finds no error, the transaction is broadcast to the whole network to await confirmation; the plaintext amount that the original transaction carried is hidden as unreadable ciphertext, so the one field whose analysis could otherwise compromise privacy during the transaction is protected.
The specific implementation of "system initialization/KeyGen" in step 1 is as follows:
The input of the system is a security parameter and the output is the set of parameters for encryption, decryption and verification; at the transaction layer, for each distinct receiver i the system generates two large primes $p_i$ and $q_i$; the receiver's private key is $sk_i = \lambda_i$ and its public key is $pk_i = (n_i, g_i)$, where $n_i = p_i q_i$;
At the same time, at the verification layer, the system outputs the public key of the 'dumb account' used for verification, $pk_d = (n_d, g_d)$; note that this public key has no paired private key, i.e. the system account cannot operate on the amounts it receives. The system also generates the parameters $V_\alpha = (g_\alpha, h_\alpha)$ and $V_\beta = (g_\beta, h_\beta)$ for verification.
In step 2, "calculate total input/Insum", the total input value is computed in one of two cases, as follows:
If the transaction is the first transaction of a newly confirmed block, it receives the block reward as additional income (originally 50 bitcoin; the reward halves periodically and stood at 12.5 bitcoin as of January 2017), and the total input is the sum of this plaintext part and the original ciphertext, expressed as
If the transaction is not the first transaction of a newly confirmed block, there is no extra income, and the total input is the value transferred by the previous transaction, expressed as
In step 3, "Encrypt", the same amounts are encrypted at the transaction layer and at the verification layer at the same time; the specific implementation is as follows:
At the transaction layer, the scheme uses the different receivers' public keys $pk_1, pk_2, \dots, pk_i$ to encrypt the plaintext amounts $m_1, m_2, \dots, m_i$ with the Paillier cryptosystem, giving $c_1, c_2, \dots, c_i$, expressed as:
At the same time, at the verification layer, the scheme uses the single system public key $pk_d$ to encrypt each of the amounts $m_1, m_2, \dots, m_i$ sent at the transaction layer, expressed as:
where the scheme fixes the random number $r_d = h_\beta$.
The verification layer of step 4, "Verify", has two steps: first, a proof that a committed value lies in a specific interval shows that each hidden amount is positive; second, a proof that two commitment values are equal shows that the totals of the hidden amounts before and after (input and output) are equal. The specific method is as follows:
For the first step, Verify I, the scheme uses the proof that a committed value lies in an interval to guarantee that each encrypted amount $m_i$ is positive. The sender Alice makes commitments for each receiver i; for brevity $E_0, E_1, E_2, E_3, F, V$ stand for $E_{i0}, E_{i1}, E_{i2}, E_{i3}, F_i, V_i$.
1) Alice sets $v = \alpha^2 y + \omega > 2^{t+l+s+T}$, where $\alpha \neq 0$ is chosen arbitrarily and $0 < \omega \le 2^{s+T}$; she sets $r_3 = r\alpha^2 + r_1\alpha + r_2 \in [-2^s n + 1, \dots, 2^s n - 1]$, with $r_1, r_2$ chosen arbitrarily so that $r_1, r_2, r_3 \in [-2^s n + 1, \dots, 2^s n - 1]$; then she computes:
Alice sends $(V, E_2, E_3, F)$ to the receiver;
2) The receiver computes:
$E_1 = E_0(m_i, r) / g^a = g^y h^r \bmod n$
3) Alice and the receiver each compute:
where $r^* = r\alpha^2 - r_1\alpha - r_2$;
4) The receiver verifies the correctness of PK1, PK2 and PK3 and whether $v > 2^{t+l+s+T}$; if so, the receiver is convinced that $x > a$;
5) For each receiver's $m_i$, repeating steps 1) to 4) proves $m_i > 0$ $(i = 1, 2, \dots)$;
The proof is run once per receiver, i times in total; if any run fails, the transaction fails; if all succeed, the system proceeds to the next verification step;
For the second step, Verify II, the scheme uses the proof that two commitment values are equal to guarantee that the transaction's outputs and inputs are consistent, i.e. $m = m_1 + m_2 + \dots + m_i = \sum m_i$. Alice now makes two commitments as follows:
where $r_\alpha \in \{-2^s n + 1, \dots, 2^s n - 1\}$ and $r_\beta = n_d \in \{-2^s n + 1, \dots, 2^s n - 1\}$; if the 'dumb account', which receives the same amounts, wants to verify that the plaintext amount contained in the ciphertexts it received equals the value Alice sent, the following two steps are needed:
1) the secret value hidden in the commitments E and F equals $m = \sum m_i$;
2) the product of the ciphertexts $H = \prod c_{id}$ equals the commitment F;
To achieve step 1), the proof is as follows:
1. Alice chooses at random $\omega \in \{1, \dots, 2^{l+t} b - 1\}$, $\eta_\alpha \in \{1, \dots, 2^{l+t+s} n - 1\}$ and $\eta_\beta \in \{1, \dots, 2^{l+t+s} n - 1\}$; then she computes:
2. Alice computes $u = H(W_\alpha \| W_\beta)$;
3. Alice computes:
$D = \omega + u m,\quad D_\alpha = \eta_\alpha + u r_\alpha,\quad D_\beta = \eta_\beta + u r_\beta$
and sends $(u, D, D_\alpha, D_\beta)$ to the 'dumb account';
4. The 'dumb account' tests whether $u = u'$, where
If this part verifies successfully, the following part continues the proof:
1. The 'dumb account' computes from the received ciphertexts:
2. From the above, since $r_d = h_\beta$ was chosen freely in the encryption process and $r_\beta = n_d$ in the verification process, and $g_d = g_\beta$ was set at system initialization, it follows that:
3. Check whether H equals F; if not, the transaction fails; if so, it passes and the next step proceeds;
In summary, when both parts hold, the sending stage of the transaction layer is entered.
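Verify II end to end in Python, as an added example that is not the patent's own code. It covers both the verification-layer encryption of step 3 (every $m_i$ encrypted under $pk_d$ with the fixed randomness $r_d = h_\beta$) and the two checks above: the hash-based proof that E and F hide the same m, and the comparison of $H = \prod c_{id}$ with F. The page omits the formulas for $W_\alpha, W_\beta$ and $u'$, so this example uses the standard Fiat-Shamir proof of equal representations ($W_\alpha = g_\alpha^{\omega} h_\alpha^{\eta_\alpha}$, the verifier recomputes $W_\alpha' = g_\alpha^{D} h_\alpha^{D_\alpha} E^{-u}$, likewise for $\beta$), which matches the $D, D_\alpha, D_\beta$ the page does give. Assumptions beyond the page: $g_d = n_d + 1$; parameters $t, l, s$, the amount bound $b$, the second modulus for E and the commitment bases are constructed values; the challenge hash is SHA-256 over the decimal encodings; and the randomness exponent of F is $k \cdot n_d$ for k outputs, because the product of k ciphertexts with fixed $r_d$ carries $h_\beta^{k n_d}$ (the page's $r_\beta = n_d$ is the k = 1 case). The moduli are built from Mersenne primes so the code runs without prime generation; in a deployment the factorization must be unknown to the prover:

```python
import hashlib
import math
import secrets

# Constructed demo parameters, not secure sizes.
N_D = ((1 << 127) - 1) * ((1 << 89) - 1)   # n_d of the 'dumb account' key pk_d
N_D2 = N_D * N_D
N_A = ((1 << 107) - 1) * ((1 << 61) - 1)   # modulus of commitment E (assumption)
T, L, S = 128, 40, 40                      # challenge length t, slack l and s (assumption)
B = 1 << 53                                # bound b on any amount m (assumption)


def _rand_base(mod: int) -> int:
    """Random quadratic residue coprime to mod, used as a commitment base."""
    while True:
        x = secrets.randbelow(mod)
        if x > 1 and math.gcd(x, mod) == 1:
            return x * x % mod


# System parameters: V_alpha = (g_alpha, h_alpha) mod N_A for E, and
# V_beta = (g_beta, h_beta) mod N_D^2 for F, with g_beta = g_d as the page sets.
G_D = N_D + 1                              # usual Paillier generator choice (assumption)
G_ALPHA, H_ALPHA = _rand_base(N_A), _rand_base(N_A)
G_BETA, H_BETA = G_D, _rand_base(N_D2)


def commit(g: int, h: int, m: int, r: int, mod: int) -> int:
    """Pedersen-style commitment g^m * h^r mod mod."""
    return pow(g, m, mod) * pow(h, r, mod) % mod


def enc_dumb(m: int) -> int:
    """Verification-layer Paillier encryption under pk_d = (n_d, g_d) with the
    fixed randomness r_d = h_beta from the page: deterministic in m."""
    return pow(G_D, m, N_D2) * pow(H_BETA, N_D, N_D2) % N_D2


def product_ciphertext(cs) -> int:
    """H = prod c_id mod n_d^2 = g_d^(sum m_i) * h_beta^(k * n_d) for k outputs."""
    h = 1
    for c in cs:
        h = h * c % N_D2
    return h


def _challenge(w_a: int, w_b: int) -> int:
    """u = H(W_alpha || W_beta), truncated to t bits (Fiat-Shamir)."""
    data = str(w_a).encode() + b"|" + str(w_b).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - T)


def prove_equal(m: int, r_alpha: int, r_beta: int):
    """Alice: prove that E (bases alpha) and F (bases beta) hide the same m."""
    omega = secrets.randbelow((1 << (L + T)) * B - 1) + 1
    eta_a = secrets.randbelow((1 << (L + T + S)) * N_A - 1) + 1
    eta_b = secrets.randbelow((1 << (L + T + S)) * N_D - 1) + 1
    w_a = commit(G_ALPHA, H_ALPHA, omega, eta_a, N_A)
    w_b = commit(G_BETA, H_BETA, omega, eta_b, N_D2)
    u = _challenge(w_a, w_b)
    return u, omega + u * m, eta_a + u * r_alpha, eta_b + u * r_beta


def verify_equal(E: int, F: int, proof) -> bool:
    """'Dumb account': rebuild W_alpha, W_beta from (u, D, D_alpha, D_beta)
    and check u == u'. Passes iff both commitments open to the same m."""
    u, D, D_a, D_b = proof
    w_a = commit(G_ALPHA, H_ALPHA, D, D_a, N_A) * pow(E, -u, N_A) % N_A
    w_b = commit(G_BETA, H_BETA, D, D_b, N_D2) * pow(F, -u, N_D2) % N_D2
    return u == _challenge(w_a, w_b)


def run_verify_ii(amounts, claimed_total=None) -> bool:
    """Whole Verify II for one transaction with k outputs. claimed_total lets a
    dishonest sender commit to a total that differs from the real amounts."""
    k = len(amounts)
    m = sum(amounts) if claimed_total is None else claimed_total
    r_alpha = secrets.randbelow((1 << S) * N_A)
    r_beta = k * N_D   # page: r_beta = n_d; scaled by k so F matches the product
                       # of k fixed-randomness ciphertexts (assumption)
    E = commit(G_ALPHA, H_ALPHA, m, r_alpha, N_A)
    F = commit(G_BETA, H_BETA, m, r_beta, N_D2)
    proof = prove_equal(m, r_alpha, r_beta)
    H = product_ciphertext([enc_dumb(mi) for mi in amounts])
    return verify_equal(E, F, proof) and H == F


def recover_amount(c: int, candidates):
    """Consequence of the fixed r_d: anyone holding pk_d and h_beta can confirm
    a guessed amount by re-encrypting it and comparing ciphertexts."""
    for a in candidates:
        if enc_dumb(a) == c:
            return a
    return None
```

`run_verify_ii([3, 5, 9])` passes, and `run_verify_ii([3, 5, 9], claimed_total=18)` fails at the H == F comparison even though the equality proof itself still verifies, which is the division of labour the page describes: the proof binds E to F, the ciphertext product binds F to what was actually encrypted. `recover_amount` shows the check a practitioner should run on the verification-layer ciphertexts: because $r_d$ is a fixed public parameter, `enc_dumb` is deterministic, so those ciphertexts are only as private as the set of plausible amounts while they are visible before being discarded.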
After the verification layer passes, step 5, "Decrypt", has the transaction layer send the ciphertext amount $c_i$ to the receiver, implemented as follows:
The receiver decrypts with its private key $sk_i$:
where $x \in S_n = \{u < n^2 \mid u \equiv 1 \pmod n\}$;
After the receiver checks that the amount received is correct, the next transaction proceeds; the value received is the input value of the next transaction. Note that when the transaction completes, the ciphertext amount in the 'dumb account' is discarded; it serves only as a bridge between the value checked at the verification layer and the value sent.
In step 6, "Broadcast", after the receiver has checked the transaction and found no error, the transaction is broadcast to the whole network to await confirmation, implemented as follows:
The plaintext amount on the original transaction has been hidden as unreadable ciphertext, so the one field whose analysis could compromise privacy during the transaction is protected; we may mark this transaction $T_{Alice}$, and the process applies equally to any other single transaction.
Through these steps the bitcoin privacy enhancement method of the invention has been described: it starts from the problems of the existing bitcoin system and is designed completely to solve the privacy leakage caused by exposed amounts; it combines several cryptographic primitives, the bitcoin system, a homomorphic encryption system and proofs on commitment values, applying methods from different fields to the practical problem of privacy enhancement; the scheme has encryption and decryption performance, the homomorphic property, the zero-knowledge property, security, efficiency and compatibility; finally, the method realizes a smooth transaction flow for encrypted bitcoin.
3. Advantages and effects:
The invention provides a bitcoin transaction privacy enhancement method that hides the amount in a transaction while remaining compatible with the original bitcoin system, and guarantees that the encrypted amount is always positive and that input and output are equal. The method has: 1) the homomorphic property, so the system can add and subtract on ciphertexts; 2) the zero-knowledge property, so transmission and verification reveal no plaintext value; 3) security, resisting different types of active and passive attack; 4) efficiency, with lower computational complexity than solutions such as Zerocoin, and the algorithms can be accelerated by precomputation and the Chinese remainder theorem; 5) compatibility with the traditional bitcoin system, so it can be transplanted into the original system.
(IV) Description of the drawings:
FIG. 1 is a flow diagram of the method of the invention.
The numbers, codes and symbols in the figure are explained as follows:
In the figure, Insum/Encrypt/Verify/Decrypt/Broadcast represent steps 2 to 6; Transaction layer/Verification layer are the two layers of the system architecture; $m_1, m_2, \dots, m_i$ are the plaintext amounts sent to the receivers, $c_1, c_2, \dots, c_i$ the encrypted ciphertext amounts, $(pk_i, sk_i)$ the public/private key pairs for encryption, Enc/Dec the encryption and decryption processes, and Dumb account the 'dumb account' set up for verification.
(V) Detailed description of the preferred embodiments
The bitcoin transaction privacy enhancement method of the invention is implemented in six steps in sequence, and the scheme framework is divided into a transaction layer and a verification layer. The system flow is shown in FIG. 1; the specific implementation steps are introduced below with reference to the flow diagram:
The bitcoin transaction privacy enhancement method of the invention comprises the following specific implementation steps:
Step 1: System initialization/KeyGen: input the security parameter and output the parameters for encryption, decryption and verification. At the transaction layer, for each distinct receiver i the system generates two large primes $p_i$ and $q_i$. The receiver's private key is $sk_i = \lambda_i$ and its public key is $pk_i = (n_i, g_i)$, where $n_i = p_i q_i$;
At the same time, at the verification layer, the system outputs the public key of the 'dumb account' used for verification, $pk_d = (n_d, g_d)$; note that this public key has no paired private key, i.e. the system account cannot operate on the amounts it receives. The system also generates the parameters $V_\alpha = (g_\alpha, h_\alpha)$ and $V_\beta = (g_\beta, h_\beta)$ for verification;
Note that because both the 'dumb account' and the commitment values are verified at the verification layer and their parameters are generated by the system, the scheme sets $g_\beta = g_d$ together with the remaining parameter setting so that the ciphertext obtained by the operation can become a commitment number;
step 2: calculate total input value/Insum: and calculating a total input value of the transaction, namely the total income of the order transaction and the mine digging.
If the transaction slip is used as the newly confirmed block, the transaction slip will receive an additional 50bit currency fee as a reward (by 1 month 2017, now halved to 25bit currency), and the total income is the sum of the operation of the plain text and the original cipher text of the part, and is expressed as
If the transaction sheet is not the head sheet of the new confirmation block, no extra income is generated, and the total income is the value transmitted by the transaction of the previous order and is expressed as
Step 3: Encryption item/Encrypt: at the transaction layer, the scheme uses the public keys pk_1, pk_2, ..., pk_i of the different receivers to encrypt the transmitted plaintext amounts m_1, m_2, ..., m_i with the Paillier cryptosystem into c_1, c_2, ..., c_i, expressed as:
Meanwhile, at the verification layer, the scheme uses the single system public key pk_d to encrypt each of the amounts m_1, m_2, ..., m_i sent at the transaction layer, expressed as:
where the scheme sets the random number r_d = h_β;
Common to both layers is that the same transaction amount m_i is encrypted; the difference is that the transaction layer uses the different public keys pk_i of the receivers, whereas the verification layer uses the single system public key pk_d, which is what allows the homomorphic property of the Paillier system to be used. Encrypting the same amount m_i in both layers ensures that the value the receiver obtains after verification is correct;
Step 4: Verification item/Verify: at the verification layer the system verifies that the hidden amounts are positive and that the total input and total output are equal. The verification layer has two steps: first, a proof that a committed value lies in a specific interval establishes that each hidden amount is positive; second, a proof that two commitments hide the same value establishes that the totals before and after the input and output of the hidden amounts are equal;
For the first step, the scheme uses the proof that a committed value lies in a specific interval to guarantee that the encrypted amount m_i is positive. The sender Alice makes commitments for each different receiver i; for simplicity, E_0, E_1, E_2, E_3, F, V are written instead of E_{i0}, E_{i1}, E_{i2}, E_{i3}, F_i, V_i.
1) Alice sets v = α^2 y + ω > 2^{t+l+s+T}, where α ≠ 0 is chosen arbitrarily and 0 < ω ≤ 2^{s+T}; she sets r_3 = rα^2 + r_1α + r_2 ∈ [−2^s n + 1, ..., 2^s n − 1], where r_1, r_2, r_3 are chosen arbitrarily from [−2^s n + 1, ..., 2^s n − 1]; then she computes:
Alice sends (V, E_2, E_3, F) to the receiver;
2) The receiver computes:
E_1 = E_0(m_i, r)/g^a = g^y h^r mod n
3) Alice and the receiver each compute:
where r^* = rα^2 − r_1α − r_2;
4) The receiver verifies the correctness of PK1, PK2, PK3 and checks whether v > 2^{t+l+s+T} holds; if so, the receiver is convinced that x > a;
5) For each receiver's m_i the scheme repeats steps 1)–4) to prove m_i > 0 (i = 1, 2, ..., i).
The proof part is executed i times, once for each receiver's m_i; if any execution fails, the transaction fails; if all succeed, the system returns 1 and continues with the next verification step.
For the second step, the scheme uses the proof that two commitments hide the same value to ensure that the transaction output is consistent with the input, i.e. m = m_1 + m_2 + ... + m_i = Σ m_i. Alice now makes two commitments as follows:
where r_α ∈ {−2^s n + 1, ..., 2^s n − 1} and r_β = n_d ∈ {−2^s n + 1, ..., 2^s n − 1}; if the "dumb account" that receives the same amounts wants to verify whether the plaintext amount contained in the received ciphertext equals the value sent by Alice, it needs to carry out the following two steps:
1) the secret value hidden in the commitments E and F equals m = Σ m_i;
2) the operated ciphertext H = Π c_{id} equals one of the commitments, F.
To achieve step 1) above, the following proof is carried out:
1. Alice randomly selects ω ∈ {1, ..., 2^{i+t} b − 1}, η_α ∈ {1, ..., 2^{l+t+s} n − 1}, η_β ∈ {1, ..., 2^{l+t+s} n − 1}; then she computes:
2. Alice computes u = H(W_α, W_β);
3. Alice computes:
D = ω + um, D_α = η_α + u r_α, D_β = η_β + u r_β
and sends (u, D, D_α, D_β) to the "dumb account";
4. The "dumb account" tests whether u = u', where
If this partial step verifies successfully, the following partial step is carried out to prove that:
1. The "dumb account" computes the received ciphertext:
2. From the above, r_d = h_β was chosen arbitrarily in the encryption process and r_β = n_d was chosen arbitrarily in the verification process; and during system initialization we set [formula omitted] and g_d = g_β. Therefore:
3. Check whether H equals F; if not, the transaction fails; if yes, return 1 and proceed to the next step.
In conclusion, when the steps of both parts hold, the sending stage of the transaction layer is entered;
and 5: decryption item/Dcprypt: after the certificate layer passes the verification, the transaction layer encrypts the amount c_{i}Sending the data to a receiver, and the receiver sends the data to the receiver according to the private key sk of the receiver_{i}And (3) decryption:
whereinx∈S_{n}＝{u＜n^{2}x＝1 mod n}；
After the receiver checks that the receiving amount is correct, the next transaction is continued. The recipient's received value is the input value for the next order. It is worth noting that when the transaction is completed, the amount of the ciphertext in the "dumb account" will be discarded, which serves only as a bridge to link the value of the verification layer with the value sent;
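The Paillier operations behind steps 1, 3, 4 (second part) and 5, written out as an added example that is not part of the patent. The toy primes, the fixed value h_β = 7 and the amounts are constructed; the "dumb account" private key exists here only to show what the product H encrypts, and the last field of demo() shows a consequence of the fixed r_d that the text itself does not discuss.

```python
from math import gcd
import secrets


def keygen(p, q):
    """Step 1 (KeyGen): pk = (n, g) with n = p*q, g = n + 1; sk = lambda = lcm(p-1, q-1)."""
    n = p * q
    return (n, n + 1), (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def L(x, n):
    """Paillier L-function on S_n = {u < n^2 | u = 1 mod n}."""
    assert x % n == 1, "argument must lie in S_n"
    return (x - 1) // n

def encrypt(pk, m, r):
    """c = g^m * r^n mod n^2 for randomness r in Z_n^*."""
    n, g = pk
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pk, sk, c):
    """Step 5 (Decrypt): m = L(c^lambda mod n^2) * L(g^lambda mod n^2)^-1 mod n."""
    n, g = pk
    mu = pow(L(pow(g, sk, n * n), n), -1, n)
    return L(pow(c, sk, n * n), n) * mu % n

def fresh_r(n):
    """Random r in Z_n^* for the transaction-layer ciphertexts."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r

def two_layer_encrypt(amounts, recipient_pks, pk_d, r_d):
    """Step 3 (Encrypt): each m_i under its receiver's pk_i with fresh randomness
    (transaction layer) and under the system key pk_d with the fixed r_d = h_beta
    (verification layer, addressed to the 'dumb account')."""
    tx = [encrypt(pk, m, fresh_r(pk[0])) for pk, m in zip(recipient_pks, amounts)]
    ver = [encrypt(pk_d, m, r_d) for m in amounts]
    return tx, ver

def dumb_account_product(ver, n_d):
    """Step 4, second part: H = prod(c_id) mod n_d^2. By the additive homomorphism H
    encrypts sum(m_i); with fixed r_d it has the commitment shape g_d^sum * h_beta^(k*n_d)."""
    H = 1
    for c in ver:
        H = H * c % (n_d * n_d)
    return H

def demo():
    # Constructed toy parameters: well-known small primes, not secure sizes.
    keys = [keygen(104729, 104723), keygen(7919, 7907), keygen(65537, 65521)]
    pk_d, sk_d = keygen(999983, 1000003)  # sk_d exists here only to show what H hides;
                                          # the scheme's 'dumb account' holds no key
    h_beta = 7                            # constructed fixed randomness r_d = h_beta
    amounts = [30, 20, 30]                # constructed m_1, m_2, m_3
    tx, ver = two_layer_encrypt(amounts, [pk for pk, _ in keys], pk_d, h_beta)
    n_d, g_d = pk_d
    n2 = n_d * n_d
    H = dumb_account_product(ver, n_d)
    # Commitment-shaped value the verifier compares H against (F in the patent);
    # the randomness exponent accumulates to len(amounts) * n_d, not a single n_d.
    F = pow(g_d, sum(amounts), n2) * pow(h_beta, len(amounts) * n_d, n2) % n2
    return {
        "tx_ok": [decrypt(pk, sk, c) for (pk, sk), c in zip(keys, tx)] == amounts,
        "H_plaintext": decrypt(pk_d, sk_d, H),  # sum of the hidden amounts
        "H_equals_F": H == F,
        # Caveat: fixed r_d makes the verification layer deterministic, so equal
        # amounts (m_1 == m_3 here) yield identical 'dumb account' ciphertexts.
        "equal_amounts_visible": ver[0] == ver[2],
    }
```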
Step 6: Broadcast confirmation/Broadcast: after the receiver has checked the transaction and found no errors, the transaction is broadcast to the whole network to await confirmation. The original plaintext information on the transaction processed by the scheme is hidden in ciphertext that cannot be read, which protects the only data in the transaction process that could otherwise be analysed. We can denote this transaction T_Alice; the process applies equally to any other single transaction.
Claims (1)
1. A bitcoin transaction privacy enhancement method, characterized in that it comprises the following operation steps:
Step 1: System initialization/KeyGen: generating security parameters for encryption, decryption and verification; the system takes security parameters as input and outputs the public key pk_i and private key sk_i for encryption and decryption, and at the same time outputs the public key pk_d for verification, noting that this public key has no paired private key;
Step 2: Calculate input total/Insum: calculating the total input value of the transaction, namely the total income from the transaction and from mining; if the transaction is the first transaction of a newly confirmed block, it obtains an extra 50 bitcoin as a reward, and the total income is the sum of the operation of the plaintext and the original ciphertext; if the transaction is not the first transaction of the newly confirmed block, there is no extra income and the total income is the value transferred by the previous transaction;
Step 3: Encryption item/Encrypt: at the transaction layer the system encrypts each transmitted amount with the corresponding receiver's public key, and at the verification layer it encrypts each of the same amounts with the system public key; the amounts encrypted at the transaction layer are sent to the respective receiver accounts after passing the verification layer, while the amounts encrypted at the verification layer enter the "dumb account", an account without a private key, and are discarded after verification;
Step 4: Verification item/Verify: verifying at the verification layer that the hidden amounts are positive and that the total input and total output are equal; the verification layer has two steps: first, a proof that a committed value lies in a specific interval establishes that each hidden amount is positive; second, a proof that two commitments hide the same value establishes that the totals before and after the input and output of the hidden amounts are equal; when both steps hold, the sending stage of the transaction layer is entered;
Step 5: Decryption item/Decrypt: after the verification layer passes, the transaction layer sends the encrypted amount to the receiver, who decrypts it with its private key; after the receiver checks that the received amount is correct, the next transaction proceeds; the receiver's received value is the input value of the next transaction;
Step 6: Broadcast confirmation/Broadcast: after the receiver has checked the transaction and found no errors, the transaction is broadcast to the whole network to await confirmation; the original plaintext information on the processed transaction is hidden in unreadable ciphertext, which protects the only data in the transaction process that could otherwise be analysed;
The "calculate total input value/Insum" in step 2 is divided into two cases, as follows:
If the transaction is the first transaction of a newly confirmed block, it obtains an additional 50 bitcoin as a reward, and the total income is the sum of the operation of this plaintext part and the original ciphertext, expressed as
If the transaction is not the first transaction of the newly confirmed block, no extra income is generated, and the total income is the value transferred by the previous transaction, expressed as
The verification layer of the "verification item/Verify" in step 4 is divided into two steps: first, a proof that a committed value lies in a specific interval establishes that each hidden amount is positive; second, a proof that two commitments hide the same value establishes that the totals before and after the input and output of the hidden amounts are equal; the specific method is as follows:
For the first step, VerifyI, the scheme uses the proof that a committed value lies in a specific interval to guarantee that the encrypted amount m_i is positive. The sender Alice makes commitments for each different receiver i; for simplicity, E_0, E_1, E_2, E_3, F, V are written instead of E_{i0}, E_{i1}, E_{i2}, E_{i3}, F_i, V_i;
4.11) Alice sets v = α^2 y + ω > 2^{t+l+s+T}, where α ≠ 0 is chosen arbitrarily and 0 < ω ≤ 2^{s+T};
sets r_3 = rα^2 + r_1α + r_2 ∈ [−2^s n + 1, ..., 2^s n − 1],
where r_1, r_2, r_3 are chosen arbitrarily from [−2^s n + 1, ..., 2^s n − 1]; then computes:
Alice sends (V, E_2, E_3, F) to the receiver;
4.12) The receiver computes:
E_1 = E_0(m_i, r)/g^a = g^y h^r mod n
4.13) Alice and the receiver each compute:
where r^* = rα^2 − r_1α − r_2;
4.14) The receiver verifies the correctness of PK1, PK2, PK3 and checks whether v > 2^{t+l+s+T} holds; if so, the receiver is convinced that x > a;
4.15) For each receiver's m_i the protocol repeats steps 4.11)–4.14) to prove
m_i > 0 (i = 1, 2, ..., i);
The proof part is executed i times, once for each receiver's m_i; if any execution fails, the transaction fails; if all verification steps succeed, the system passes and continues with the next verification step;
For the second step, VerifyII, the scheme uses the proof that two commitments hide the same value to ensure that the transaction output and input are consistent, i.e. m = m_1 + m_2 + ... + m_i = Σ m_i; Alice now makes two commitments as follows:
where r_α ∈ {−2^s n + 1, ..., 2^s n − 1} and r_β = n_d ∈ {−2^s n + 1, ..., 2^s n − 1}; if the "dumb account" that receives the same amounts wants to verify whether the plaintext amount contained in the received ciphertext equals the value sent by Alice, it needs to carry out the following two steps:
(1) the secret value hidden in the commitments E and F equals m = Σ m_i;
(2) the operated ciphertext H = Π c_{id} equals one of the commitments, F;
To realize step (1) above, the following proof is carried out:
① Alice randomly selects ω ∈ {1, ..., 2^{i+t} b − 1}, η_α ∈ {1, ..., 2^{l+t+s} n − 1}, η_β ∈ {1, ..., 2^{l+t+s} n − 1}; then computes:
② Alice computes u = H(W_α, W_β);
③ Alice computes:
D = ω + um, D_α = η_α + u r_α, D_β = η_β + u r_β
and sends (u, D, D_α, D_β) to the "dumb account";
④ The "dumb account" tests whether u = u', where
If this partial step verifies successfully, the following partial step is carried out to prove that:
① The "dumb account" computes the received ciphertext:
② As seen above, r_d = h_β is chosen arbitrarily during encryption and r_β = n_d is chosen arbitrarily during verification; and during system initialization [formula omitted] and g_d = g_β are set; therefore:
③ Check whether H equals F; if not, the transaction fails; if yes, it passes and proceeds to the next step;
In conclusion, when the steps of both parts hold, the sending stage of the transaction layer is entered;
Wherein the specific implementation of the "system initialization/KeyGen" in step 1 is as follows:
The input of the system is a security parameter, and the output is the parameters for encryption, decryption and verification; at the transaction layer, for each distinct receiver i the system generates two large primes p_i and q_i; the receiver's private key is sk_i = λ_i and its public key is pk_i = (n_i, g_i), where n_i = p_i q_i;
Meanwhile, at the verification layer, the system outputs the public key pk_d = (n_d, g_d) of the "dumb account" for verification; note that this public key has no paired private key, that is, the system account cannot operate on the amounts it receives; the system also generates the parameters V_α(g_α, h_α) and V_β(g_β, h_β) for verification;
In step 3, the "encryption item/Encrypt" encrypts the same amount at the transaction layer and the verification layer at the same time; the specific implementation is as follows:
At the transaction layer, the scheme uses the public keys pk_1, pk_2, ..., pk_i of the different receivers to encrypt the transmitted plaintext amounts m_1, m_2, ..., m_i with the Paillier cryptosystem into c_1, c_2, ..., c_i, expressed as:
Meanwhile, at the verification layer, the scheme uses the single system public key pk_d to encrypt each of the amounts m_1, m_2, ..., m_i sent at the transaction layer, expressed as:
where the scheme sets the random number r_d = h_β;
Wherein, for the "decryption item/Decrypt" in step 5, after the verification layer passes, the transaction layer sends the encrypted amount c_i to the receiver, implemented as follows:
The receiver decrypts with its private key sk_i:
where x ∈ S_n = {u < n^2 | u = 1 mod n};
After the receiver checks that the received amount is correct, the next transaction proceeds; the receiver's received value is the input value of the next transaction; when the transaction is complete, the ciphertext amount in the "dumb account" is discarded, serving only as a bridge linking the value at the verification layer with the value sent;
Wherein, in step 6, the "broadcast confirmation/Broadcast" broadcasts the transaction to the whole network to await confirmation after the receiver has checked it and found no errors; the specific implementation is as follows: the original plaintext information on the processed transaction is hidden in unreadable ciphertext, which protects the only data in the transaction process that could otherwise be analysed; the transaction is denoted T_Alice, and the process applies equally to any other single transaction.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
CN201710050768.3A CN106911470B (en) | 2017-01-23 | 2017-01-23 | Bit currency transaction privacy enhancement method
Publications (2)
Publication Number | Publication Date
CN106911470A (en) | 2017-06-30
CN106911470B (en) | 2020-07-07