CN106911470B - Bit currency transaction privacy enhancement method - Google Patents


Info

Publication number
CN106911470B
Authority
CN
China
Prior art keywords
transaction
verification
amount
receiver
value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710050768.3A
Other languages
Chinese (zh)
Other versions
CN106911470A (en)
Inventor
伍前红
王沁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 20/00 Payment architectures, schemes or protocols
    • G06Q 20/02 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • G06Q 20/023 Payment architectures, schemes or protocols involving a neutral party, the neutral party being a clearing house
    • G06Q 20/04 Payment circuits
    • G06Q 20/06 Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
    • G06Q 20/065 Private payment circuits using e-cash
    • G06Q 20/38 Payment protocols; Details thereof
    • G06Q 20/382 Payment protocols insuring higher security of transaction
    • G06Q 20/3829 Payment protocols insuring higher security of transaction involving key management

Abstract

A Bitcoin transaction privacy enhancement method comprises the following steps: 1. initialization, outputting the system's initial values for encryption, decryption and verification; 2. calculating the total input amount; 3. encrypting each amount to be sent; 4. running a verification procedure that ensures every transaction value is positive and that the transaction inputs and outputs are equal; 5. after verification passes, sending the data, which the receiver decrypts; 6. publishing the transaction and confirming it across the whole network. Through these steps the design starts from the problems of the existing Bitcoin system and solves the privacy leak caused by exposed amounts in Bitcoin; the method combines several cryptographic primitives, the Bitcoin system, a homomorphic encryption system and commitment-value proofs, applies methods from different fields to the practical problem of privacy enhancement, offers encryption and decryption performance, homomorphic properties, zero-knowledge properties, security, efficiency and compatibility, and realizes a smooth transaction process for encrypted Bitcoin.

Description

Bit currency transaction privacy enhancement method
(I) Technical field:
The invention designs a Bitcoin transaction privacy enhancement method for protecting the cleartext amount during a Bitcoin transaction. The scheme encrypts and decrypts the amount with a homomorphic cryptosystem, which keeps the amount private in transit, and uses commitment-value proofs to guarantee that the hidden amount is always positive and that the total input and output amounts of the transaction are equal. The scheme belongs to the fields of cryptography in information security and cryptocurrency.
(II) Technical background:
In 2008 the Japanese inventor Satoshi Nakamoto designed and released Bitcoin, a peer-to-peer decentralized digital currency. The Bitcoin system proposes a new peer-to-peer distributed model and removes the trusted central authority of traditional electronic money. The properties shown by Bitcoin and the underlying blockchain technology, decentralization, tamper resistance, wide propagation of information and anonymity, have gradually attracted attention and in-depth research from academia and industry.
The emergence and growth of Bitcoin has led to the rise of a series of cryptography-based internet currencies. By working principle they can be roughly divided into three categories: PoW-based, PoS-based, and PoW + PoS-based. In PoW (Proof of Work) the money obtained depends on the amount of work contributed to mining: the better the computer's performance, the more blocks it is assigned; representative currencies are Bitcoin, Litecoin, Dogecoin and Zcash. PoS (Proof of Stake) distributes returns according to the amount and holding time of the money held; in PoS mode the "mining" income is proportional to the age of the holder's coins and is unrelated to the computer's performance; representatives are BitShares and Blackcoin. Representatives of PoW + PoS are Ethereum and counting coin. Others include currencies such as ruby coin, sidereal coin, and contract coin.
The emergence of Bitcoin and other electronic money has led to wide application of blockchain technology. In the blockchain 1.0 era, the underlying industrial structure formed around digital currencies such as Bitcoin created an industry group and industry chain of mining machines, mining pools, digital currencies, payment wallets, exchanges and digital currency gateways. In the blockchain 2.0 era, the focus of technology and applications shifted from pure electronic money to the application of the underlying blockchain technology, forming diversified applications across many styles and scenarios; the wider the span of categories and industries, the higher the degree of independence: asset verification, financial services, charity, media and communities, research and investment, smart contracts, judicial anti-counterfeiting, asset trading, bank settlement, e-commerce, social communications, the internet of things, file storage, and so on.
To address the transaction privacy leak caused by the large-scale use of Bitcoin, the scheme encrypts the plaintext transaction amount for transmission with the Paillier homomorphic encryption system. The system was proposed by Pascal Paillier in 1999; its hardness rests on the composite residuosity problem, and it is secure against chosen-plaintext attack in the standard model. The system is additively homomorphic, so addition and subtraction of plaintexts are carried out by multiplying the corresponding ciphertexts, and this property is applied in the verification process without revealing private data. Besides homomorphism, the system is efficient, so the scheme can precompute and accelerate computation with the Chinese remainder theorem, meeting the time budget for encryption and decryption within a Bitcoin transaction.
After encryption with this system, the generated ciphertext is present in every transaction. To ensure that the plaintext hidden by the corresponding ciphertext is positive and that inputs equal outputs, the scheme verifies it with commitment-value proofs. The method proposed by Wu Qianhong et al. in 2004 is adopted to prove that a committed value lies in a specific interval; it guarantees a small expansion domain with a relatively simple sequence of steps and is used to prove that the secret amount stays positive. The idea of comparing hash values is used to prove that two commitment values are equal, verifying that the two commitments contain the same secret without leaking the committed number. Both commitment proofs have the zero-knowledge property, so the encrypted amount is not leaked during verification.
(III) Content of the invention:
1. Purpose: the invention aims to provide a Bitcoin transaction privacy enhancement method that encrypts and hides the original plaintext transaction amount during a transaction. On the one hand the scheme ensures that the encrypted ciphertext protects the trader's privacy; on the other hand it ensures that the hidden transaction value is always positive and that the totals of inputs and outputs agree, so as to remain compatible with the original Bitcoin system.
2. Technical scheme:
The method of the invention is divided into six steps, distributed in order over a transaction layer and a verification layer: 1) initialize the system and generate initial values. 2) Calculate the total input value of the transaction, namely the total income of the transaction and of mining. 3) At the transaction layer the system encrypts each amount to be sent with the recipient's public key, while at the verification layer it encrypts each of the same amounts with the system public key. 4) At the verification layer, verify that each hidden amount is positive and that the input and output totals are equal. 5) After the verification layer passes, the transaction layer sends the encrypted amounts to the recipients, and each recipient decrypts with its own private key. 6) After the recipient checks the transaction and finds no error, the transaction is broadcast to the whole network to await confirmation.
2.1 basic knowledge:
2.1.1 Bitcoin system
The Bitcoin system contains three technical elements: transactions, the consensus mechanism, and the distributed network. These three elements also form the three-layer structure of Bitcoin and the blockchain: transaction, block, chain. Bitcoin exists in the form of irreversible transactions, and each transaction records the transaction data of several users, including the transaction source, sending addresses, transaction amounts, signatures and similar information. Each transaction is identified by an identifier generated with the SHA-256 hash algorithm. When a transaction is completed, the system must broadcast it to the whole network to await confirmation. After a miner has verified the transactions of the recent period and found a hash value whose first d characters are zeros, a block can be generated; each block is finally confirmed and can no longer be changed once six further blocks have been generated. The unalterable blocks form a chain structure, the blockchain. Block generation is confirmed by the computing power of the distributed network nodes: the greater the computing power, the easier a new block is found, but because the difficulty is adjusted accordingly, the block time is kept at about 10 minutes. Compared with earlier electronic currency systems, Bitcoin has the advantages of decentralization, non-forgeability, openness and verifiability, and cryptographic security, and the system has proved stable and scalable over the past 9 years of development.
2.1.2 Paillier public key encryption system
The Paillier cryptosystem is secure against chosen-plaintext attack in the standard model, has efficient encryption and decryption and an additive homomorphic property, and consists of the following steps:
Key generation: let p and q be large primes and g a system generator; set $n = pq$ and compute $\lambda = \lambda(n) = \mathrm{lcm}(p-1, q-1)$. The public key is $(n, g)$ and the private key is $\lambda$.
Encryption: $c = g^m \cdot r^n \bmod n^2$, where r is chosen at random.
Decryption:
Homomorphic property: $\mathrm{Dec}_{sk}(\mathrm{Enc}_{pk}(m_1) \cdot \mathrm{Enc}_{pk}(m_2) \bmod n^2) = m_1 + m_2 \bmod n$.
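The following Python example, added here and not taken from the patent, implements the steps of 2.1.2 and shows the homomorphic property together with the plaintext-plus-ciphertext addition that step 2 (Insum) relies on. It assumes the standard generator choice $g = n + 1$ and the usual decryption $m = L(c^\lambda \bmod n^2) \cdot \mu \bmod n$ with $L(x) = (x-1)/n$, since the page does not spell these out; the primes 293 and 433 are toy values constructed for the example.

```python
import secrets
from math import gcd


def _L(x, n):
    # Paillier's L function: L(x) = (x - 1) / n, defined for x = 1 (mod n).
    return (x - 1) // n


def keygen(p, q):
    """Paillier key generation for given primes p, q (section 2.1.2).
    The page does not fix g; g = n + 1 is a standard choice (assumption).
    Returns pk = (n, g) and sk = (lambda, mu)."""
    assert p != q and gcd(p * q, (p - 1) * (q - 1)) == 1
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    g = n + 1
    # mu = L(g^lambda mod n^2)^-1 mod n turns decryption into one exponentiation.
    mu = pow(_L(pow(g, lam, n2), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pk, m, r=None):
    """c = g^m * r^n mod n^2 with r coprime to n. The caller may fix r, as the
    verification layer of the scheme does with r_d; otherwise r is random."""
    n, g = pk
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("amount must lie in [0, n)")
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n; needs the private key."""
    n, _ = pk
    lam, mu = sk
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(pk, c1, c2):
    """Homomorphic addition: Dec(c1 * c2 mod n^2) = m1 + m2 mod n. Needs only pk,
    so a party without a private key (the scheme's "dumb account") can do it."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def add_plaintext(pk, c, k):
    """Add a public plaintext k to a ciphertext: c * g^k mod n^2 encrypts m + k."""
    n, g = pk
    n2 = n * n
    return (c * pow(g, k, n2)) % n2


def total_input(pk, prev_ciphertext, reward=0):
    """Step 2 (Insum): the input of this transaction is the previous transaction's
    output ciphertext plus the plaintext block reward, if any."""
    return add_plaintext(pk, prev_ciphertext, reward)


if __name__ == "__main__":
    # Toy primes constructed for the example; real keys use primes of 1024+ bits.
    pk, sk = keygen(293, 433)
    c_in = total_input(pk, encrypt(pk, 1000), reward=50)
    outputs = [encrypt(pk, m) for m in (600, 450)]
    c_sum = outputs[0]
    for c in outputs[1:]:
        c_sum = add_encrypted(pk, c_sum, c)
    print("input total  :", decrypt(pk, sk, c_in))   # 1050
    print("output total :", decrypt(pk, sk, c_sum))  # 1050
```

The product of the output ciphertexts can be formed by anyone holding the public key, which is what lets the verification layer operate on amounts it cannot read; only the holder of $(\lambda, \mu)$ recovers the plaintext total.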
2.1.3 Commitment-value proofs
Commitment-value proofs are used mainly in the verification layer of the scheme: on the one hand they show that the committed value is always positive, on the other hand they guarantee that inputs and outputs remain equal after the committed values have been operated on. To ensure that the encrypted private amount is always positive, which prevents the theft of bitcoins, the scheme adopts the efficient proof that a committed value lies in a specific interval proposed by Wu Qianhong et al. in 2004. The method has relatively simple steps and an expansion factor of 1, so the committed number can be restricted to a specific interval; the scheme sets the lower bound to 0, i.e. the committed number is proved to be positive. To ensure that the encrypted output value is consistent with the transaction input value, the scheme adopts a method for proving that two committed numbers are equal. Its idea is simple: the secret value is hidden in the commitment, a randomly chosen value is added, and whether the two hash values are equal decides whether the two commitments are consistent, which proves that they hide the same value.
2.2 Technical solution content
The invention designs a Bitcoin transaction privacy enhancement method that is realized in six steps according to a flow; the scheme framework is divided into a transaction layer and a verification layer, and the six steps are distributed in order across the two layers.
The Bitcoin transaction privacy enhancement method of the invention comprises the following operation steps:
Step 1: System initialization/KeyGen: generate the security parameters for encryption, decryption and verification; the system takes a security parameter as input and outputs, for encryption and decryption, a generated public/private key pair $(pk_i, sk_i)$, and for verification a public key $pk_d$; note that this public key has no matching private key.
Step 2: Calculate input total/Insum: calculate the total input value of the transaction, namely the total income of the transaction and of mining (there is no mining income except for the first transaction of a block); if the transaction is the first one of a newly confirmed block, it obtains an extra 50 bitcoins as the block reward, and the total income is the sum of this plaintext part with the original ciphertext; if the transaction is not the first of the newly confirmed block, there is no extra income, and the total income is the value transmitted by the previous transaction.
Step 3: Encryption/Encrypt: at the transaction layer the system encrypts each amount to be sent with the recipient's public key, and at the verification layer it encrypts each of the same amounts with the system public key; the amounts encrypted at the transaction layer are sent to the recipients' accounts after passing the verification layer, while the amounts encrypted at the verification layer go to a "dumb account", which has no private key, and are discarded after verification.
Step 4: Verification/Verify: the verification layer verifies that each hidden amount is positive and that the input and output totals are equal. It is divided into two steps: first, the hidden amount is proved to be always positive by a proof that a committed value lies in a specific interval; second, two proofs that committed values are equal are used to prove that the totals before and after (input and output) of the hidden amounts are equal. When both hold, the sending link of the transaction layer is entered.
Step 5: Decryption/Decrypt: after the verification layer passes, the transaction layer sends the encrypted amounts to the recipients, and each recipient decrypts with its own private key; after the recipient checks that its received amount is correct, the next transaction continues; the recipient's received value is the input value of the next transaction.
Step 6: Broadcast confirmation/Broadcast: after the recipient checks the transaction and finds no error, the transaction is broadcast to the whole network to await confirmation; the original plaintext information on the transaction processed by the scheme is hidden in unreadable ciphertext, which protects the only private data that could be analysed during the transaction process.
The specific implementation of "system initialization/KeyGen" in step 1 is as follows:
The input of the system is a security parameter and the output is the parameters for encryption, decryption and verification. At the transaction layer, for each different receiver i the system generates two large primes $p_i$ and $q_i$; the receiver's private key is $sk_i = \lambda_i$ and its public key is $pk_i = (n_i, g_i)$, where $n_i = p_i q_i$.
Meanwhile, at the verification layer, the system outputs the public key $pk_d = (n_d, g_d)$ of the "dumb account" used for verification; note that this public key has no matching private key, i.e. the system account cannot operate on the amounts it receives. The system also generates the parameters $V_\alpha(g_\alpha, h_\alpha)$ and $V_\beta(g_\beta, h_\beta)$ for verification.
In step 2, "calculate the total input value/Insum", the calculation of the total input value is discussed in two cases, specifically as follows:
If the transaction is the first one of the newly confirmed block, it receives an extra 50 bitcoins as the block reward (as of January 2017, now halved to 25 bitcoins), and the total income is the sum of this plaintext part with the original ciphertext, expressed as
If the transaction is not the first one of the newly confirmed block, there is no extra income, and the total income is the value transmitted by the previous transaction, expressed as
In step 3, "encryption/Encrypt", the same amounts are encrypted at the transaction layer and at the verification layer at the same time; the specific implementation is as follows:
At the transaction layer, the scheme uses the public keys $pk_1, pk_2, \dots, pk_i$ of the different recipients to encrypt the plaintext amounts $m_1, m_2, \dots, m_i$ to be sent with the Paillier system, giving $c_1, c_2, \dots, c_i$, expressed as:
Meanwhile, at the verification layer, the scheme uses the single system public key $pk_d$ to encrypt each amount $m_1, m_2, \dots, m_i$ sent by the transaction layer, expressed as:
where the scheme sets the random number $r_d = h_\beta$.
In step 4, "verification/Verify", the verification layer is divided into two steps: first, the hidden amount is proved to be always positive by a proof that a committed value lies in a specific interval; second, two proofs that committed values are equal are used to prove that the totals before and after (input and output) of the hidden amounts are equal. The specific method is as follows:
For the first step, Verify-I, the scheme uses a proof that a committed value lies in a given interval to guarantee that each encrypted amount $m_i$ is positive. The sender Alice makes commitments separately for each different receiver i. For simplicity, $E_0, E_1, E_2, E_3, F, V$ are written instead of $E_{i0}, E_{i1}, E_{i2}, E_{i3}, F_i, V_i$.
1) Alice sets $v = \alpha^2 y + \omega > 2^{t+l+s+T}$, where $\alpha \neq 0$ is chosen arbitrarily and $0 < \omega \le 2^{s+T}$; she sets $r_3 = r\alpha^2 + r_1\alpha + r_2 \in [-2^s n + 1, \dots, 2^s n - 1]$, where $r_1, r_2, r_3 \in [-2^s n + 1, \dots, 2^s n - 1]$ are chosen arbitrarily; then she computes:
Alice sends $(V, E_2, E_3, F)$ to the receiver;
2) The receiver computes:
$E_1 = E_0(m_i, r) / g^a = g^y h^r \bmod n$
3) Alice and the receiver each compute:
where $r^* = -r\alpha^2 - r_1\alpha - r_2$;
4) The receiver verifies the correctness of PK1, PK2 and PK3 and whether $v > 2^{t+l+s+T}$ holds; if so, the receiver can be confident that $x > a$;
5) For each receiver's $m_i$, the scheme proves $m_i > 0$ by repeating steps 1) to 4) $(i = 1, 2, \dots, i)$;
The proof part is executed i times, once for each recipient's $m_i$; if any execution fails, the transaction fails; if all succeed, the system passes and continues with the verification of the next step.
For the second step, Verify-II, the scheme uses a proof that two commitment values are equal to ensure that the transaction outputs and inputs are consistent, i.e. $m = m_1 + m_2 + \dots + m_i = \sum m_i$. Alice now makes the following two commitments:
where $r_\alpha \in \{-2^s n + 1, \dots, 2^s n - 1\}$ and $r_\beta = n_d \in \{-2^s n + 1, \dots, 2^s n - 1\}$. If the "dumb account" receiving the same amounts wants to verify whether the plaintext amounts contained in the received ciphertexts equal the value sent by Alice, it needs to perform the following two steps:
1) the secret values hidden in the commitments E and F are equal, $m = \sum m_i$;
2) the product of the ciphertexts, $H = \prod c_{id}$, equals the commitment F;
To achieve step 1) above, we prove as follows:
1. Alice randomly chooses $\omega \in \{1, \dots, 2^{l+t} b - 1\}$, $\eta_\alpha \in \{1, \dots, 2^{l+t+s} n - 1\}$ and $\eta_\beta \in \{1, \dots, 2^{l+t+s} n - 1\}$; then she computes:
2. Alice computes $u = H(W_\alpha \| W_\beta)$;
3. Alice computes:
$D = \omega + um$, $D_\alpha = \eta_\alpha + u r_\alpha$, $D_\beta = \eta_\beta + u r_\beta$
and sends $(u, D_\alpha, D_\beta)$ to the "dumb account";
4. The "dumb account" tests whether $u = u'$, where
If this part is verified successfully, the following part continues to prove that:
1. The "dumb account" computes the product of the received ciphertexts:
2. From the above, we chose $r_d = h_\beta$ freely in the encryption process and $r_\beta = n_d$ in the verification process, and at system initialization we set $g_d = g_\beta$; therefore:
3. Check whether H equals F; if not, the transaction fails; if so, the transaction passes and the next step follows;
In conclusion, when both parts hold, the sending link of the transaction layer is entered.
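The Verify-II exchange above, as an added worked example in Python that is not the patent's own code. The page's formulas for $W_\alpha$, $W_\beta$ and $u'$ did not survive extraction, so the block uses the standard Fiat-Shamir proof that two commitments hide the same value (an assumption about the missing formulas). Following the description it sets $g_\beta = g_d$ and $h_\beta = r_d$ and places F in the group $\mathbb{Z}^*_{n_d^2}$, so that the product $H = \prod c_{id}$ of the dumb account's Paillier ciphertexts can be compared with F directly; the moduli, the generator choice $g_d = n_d + 1$, the parameter sizes and the randomness exponent $k \cdot n_d$ for k ciphertexts are the example's own constructed choices.

```python
import hashlib
import secrets

# Toy moduli, constructed for this example (a deployment would use 2048-bit
# moduli built from freshly generated primes). The factors are Mersenne primes.
N_ALPHA = (2**127 - 1) * (2**61 - 1)   # modulus of the V_alpha commitment group
N_D = (2**107 - 1) * (2**89 - 1)       # Paillier modulus n_d of the "dumb account"
N_D2 = N_D * N_D                       # F lives in Z*_{n_d^2}, the V_beta group
L_BITS, T_BITS, S_BITS = 64, 80, 40    # amount range, challenge, slack (assumed)


def setup():
    """Step-1 parameters V_alpha = (g_a, h_a) and V_beta = (g_b, h_b).
    Assumptions: g_a is a random square and h_a = g_a^x for a trapdoor x the
    setup discards; g_b = g_d = n_d + 1 (Paillier generator of pk_d) and
    h_b = r_d (the fixed Paillier randomness), as the description prescribes."""
    g_a = pow(secrets.randbelow(N_ALPHA - 3) + 2, 2, N_ALPHA)
    h_a = pow(g_a, secrets.randbelow(N_ALPHA - 1) + 1, N_ALPHA)
    g_d = N_D + 1
    r_d = pow(secrets.randbelow(N_D - 3) + 2, 2, N_D2)
    return (g_a, h_a), (g_d, r_d)


def commit(base, mod, m, r):
    """Commitment g^m * h^r mod `mod` with bases (g, h)."""
    g, h = base
    return (pow(g, m, mod) * pow(h, r, mod)) % mod


def dumb_encrypt(v_b, m):
    """Verification-layer Paillier ciphertext c_id = g_d^m * r_d^{n_d} mod n_d^2."""
    g_d, r_d = v_b
    return (pow(g_d, m, N_D2) * pow(r_d, N_D, N_D2)) % N_D2


def challenge(w_a, w_b):
    """Fiat-Shamir challenge u = H(W_alpha || W_beta), truncated to T bits."""
    data = w_a.to_bytes((N_ALPHA.bit_length() + 7) // 8, "big")
    data += w_b.to_bytes((N_D2.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - T_BITS)


def prove_equal(v_a, v_b, m, r_a, r_b):
    """Alice proves that E = commit(v_a, m, r_a) and F = commit(v_b, m, r_b)
    hide the same m. Returns (u, D, D_alpha, D_beta); D is sent too, which the
    verifier needs to recompute W' (assumption about the transmitted tuple)."""
    omega = secrets.randbelow(2 ** (L_BITS + T_BITS)) + 1
    eta_a = secrets.randbelow(2 ** (L_BITS + T_BITS + S_BITS) * N_ALPHA) + 1
    eta_b = secrets.randbelow(2 ** (L_BITS + T_BITS + S_BITS) * N_D2) + 1
    w_a = commit(v_a, N_ALPHA, omega, eta_a)   # W_alpha (assumed form)
    w_b = commit(v_b, N_D2, omega, eta_b)      # W_beta  (assumed form)
    u = challenge(w_a, w_b)
    return u, omega + u * m, eta_a + u * r_a, eta_b + u * r_b


def verify_equal(v_a, v_b, E, F, proof):
    """The "dumb account" recomputes W'_alpha = g^D h^{D_alpha} E^{-u} and
    W'_beta likewise, then tests u == u' = H(W'_alpha || W'_beta)."""
    u, D, D_a, D_b = proof
    w_a = commit(v_a, N_ALPHA, D, D_a) * pow(E, -u, N_ALPHA) % N_ALPHA
    w_b = commit(v_b, N_D2, D, D_b) * pow(F, -u, N_D2) % N_D2
    return u == challenge(w_a, w_b)


def verify_ii(v_a, v_b, amounts, m_total, r_a):
    """Verify-II for one transaction: Alice commits to her claimed total in E and
    F and proves they agree; the dumb account then checks H == F against the
    ciphertexts it actually received. Returns (proof_ok, product_ok)."""
    E = commit(v_a, N_ALPHA, m_total, r_a)
    # The description sets r_beta = n_d; the product of k ciphertexts carries the
    # randomness exponent k * n_d, so the example uses that (assumption).
    r_b = len(amounts) * N_D
    F = commit(v_b, N_D2, m_total, r_b)
    proof = prove_equal(v_a, v_b, m_total, r_a, r_b)
    H = 1
    for c in (dumb_encrypt(v_b, m) for m in amounts):
        H = H * c % N_D2
    return verify_equal(v_a, v_b, E, F, proof), H == F


if __name__ == "__main__":
    v_a, v_b = setup()
    print(verify_ii(v_a, v_b, [40, 25, 35], 100, 12345))  # (True, True)
    print(verify_ii(v_a, v_b, [40, 25, 35], 99, 12345))   # (True, False)
```

The second call shows why the scheme needs both checks: a prover can always make E and F agree on a wrong total, so the equality proof alone passes, and it is the comparison of F with the product H of the ciphertexts the dumb account received that ties the committed total to the amounts actually sent.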
In step 5, "decryption/Decrypt", after the verification layer passes, the transaction layer sends the encrypted amounts $c_i$ to the receivers, implemented as follows:
The receiver decrypts with its private key $sk_i$:
where $x \in S_n = \{u < n^2 \mid u \equiv 1 \pmod n\}$;
After the receiver checks that its received amount is correct, the next transaction continues; the recipient's received value is the input value of the next transaction. Note that when the transaction completes, the ciphertext amounts in the "dumb account" are discarded; the account serves only as a bridge relating the value in the verification layer to the value sent.
In step 6, "broadcast confirmation/Broadcast", after the receiver checks the transaction and finds no error, the transaction is broadcast to the whole network to await confirmation, implemented as follows:
The original plaintext information on the transaction processed by the scheme is hidden in unreadable ciphertext, which protects the only private data that could be analysed during the transaction process. We can mark this transaction as $T_{Alice}$; the process applies equally to any other single transaction.
Through these steps the Bitcoin privacy enhancement method provided by the invention has been discussed. The method starts from the problems of the existing Bitcoin system and is then fully designed to solve the privacy leak caused by exposed amounts; it combines several cryptographic primitives, the Bitcoin system, a homomorphic encryption system and commitment-value proofs, and newly applies methods from different fields to the practical problem of privacy enhancement. Designed in this way, the scheme offers encryption and decryption performance, homomorphism, zero-knowledge properties, security, efficiency and compatibility, and finally realizes a smooth transaction process for encrypted Bitcoin.
3. Advantages and effects:
The invention provides a Bitcoin transaction privacy enhancement method that hides the amount in a transaction while remaining compatible with the original Bitcoin system, and guarantees at all times that the encrypted amount is positive and that inputs equal outputs. The method has 1) homomorphism, so the system can add and subtract on ciphertexts; 2) the zero-knowledge property, so transmission and verification reveal no plaintext value; 3) security, resisting different kinds of active and passive attacks; 4) efficiency, with lower computational complexity than solutions such as Zerocoin, and the algorithm can be accelerated by precomputation and the Chinese remainder theorem; 5) compatibility with the traditional Bitcoin system, so it can be transplanted into the original system.
(IV) Description of the drawings:
FIG. 1 is a flow diagram of the method of the present invention.
The numbers, codes and symbols in the figure are explained as follows:
In the figure, Insum/Encrypt/Verify/Decrypt/Broadcast represent steps 2 to 6, Transaction layer/Verification layer represent the two layers of the system architecture, $m_1, m_2, \dots, m_i$ are the plaintext amounts to send to the recipients, $c_1, c_2, \dots, c_i$ are the encrypted ciphertext amounts, $(pk_i, sk_i)$ is the public/private key pair for encryption, Enc/Dec are the encryption and decryption processes, and Dumb account is the "dumb account" set up for verification.
(V) Detailed description of the preferred embodiments
The Bitcoin transaction privacy enhancement method of the invention is realized in six steps according to a flow, and the scheme framework is divided into a transaction layer and a verification layer. The system flow of the method is shown in FIG. 1, and its specific implementation steps are introduced as follows with reference to the flow diagram:
The specific implementation steps of the Bitcoin transaction privacy enhancement method of the invention are:
Step 1: System initialization/KeyGen: input a security parameter and output the parameters for encryption, decryption and verification. At the transaction layer, for each different receiver i the system generates two large primes $p_i$ and $q_i$. The receiver's private key is $sk_i = \lambda_i$ and its public key is $pk_i = (n_i, g_i)$, where $n_i = p_i q_i$.
At the same time, at the verification layer, the system outputs the public key $pk_d = (n_d, g_d)$ of the "dumb account" used for verification; note that this public key has no matching private key, i.e. the system account cannot operate on the amounts it receives. The system also generates the parameters $V_\alpha(g_\alpha, h_\alpha)$ and $V_\beta(g_\beta, h_\beta)$ for verification;
Note that since both the "dumb account" and the commitment values are certified at the verification layer and their parameters are generated by the system, the scheme sets $g_\beta = g_d$ so that the product of the ciphertexts can itself become a commitment value;
step 2: calculate total input value/Insum: and calculating a total input value of the transaction, namely the total income of the order transaction and the mine digging.
If the transaction slip is used as the newly confirmed block, the transaction slip will receive an additional 50-bit currency fee as a reward (by 1 month 2017, now halved to 25-bit currency), and the total income is the sum of the operation of the plain text and the original cipher text of the part, and is expressed as
If the transaction sheet is not the head sheet of the new confirmation block, no extra income is generated, and the total income is the value transmitted by the transaction of the previous order and is expressed as
And step 3: encrypted item/Encrypt: at the transaction level, the scheme uses the public keys pk of the different recipients1,pk2,...,pkiEncrypting the transmitted plaintext amount m by using Paillier encryption system1,m2,...,miIs c1,c2,...,ciExpressed as:
meanwhile, at the verification layer, the scheme uses the same public key pk of the systemdThe amount m to be sent by each of the transaction layers1,m2,...,miEncryption is performed, expressed as:
wherein the scheme sets a random number rd=hβ
Common to both layers is that the same transaction amount m is encryptediExcept that the transaction layer uses a different public key pk from the recipientiThe verification layer uses the same public key pk from the systemdThe method is used for realizing the homomorphism characteristic of the Paillier system. Therein having the same amount miThe correctness of the value obtained by the receiver after verification is ensured;
Step 4: verification item/Verify: at the verification layer the system verifies that the hidden amount is positive and that the total input and output amounts are equal. The verification layer has two steps: in the first step, a proof that a committed value lies in a specific interval shows that the hidden amount is positive; in the second step, a proof that two commitment values are equal shows that the total of the hidden amounts is the same before and after input and output;
For the first step, the scheme uses a proof that a committed value lies in a certain interval to guarantee that the encrypted amount $m_i$ is positive. The sender Alice makes commitments separately for each different receiver i. For simplicity, $E_0, E_1, E_2, E_3, F, V$ are written in place of $E_{i0}, E_{i1}, E_{i2}, E_{i3}, F_i, V_i$.
1) Alice sets $v = \alpha^2 y + \omega > 2^{t+l+s+T}$, where $\alpha \neq 0$ is chosen arbitrarily and $0 < \omega \le 2^{s+T}$; she sets $r_3 - r\alpha^2 + r_1\alpha + r_2 \in [-2^s n + 1, \ldots, 2^s n - 1]$, where $r_1, r_2, r_3 \in [-2^s n + 1, \ldots, 2^s n - 1]$ are chosen arbitrarily; then she calculates:
Alice sends $(V, E_2, E_3, F)$ to the receiver;
2) The receiver calculates:
$E_1 = E_0(m_i, r)/g^a = g^y h^r \bmod n$
3) Alice and the receiver each calculate:
where $r^* = -r\alpha^2 - r_1\alpha - r_2$;
4) The receiver verifies the correctness of PK1, PK2 and PK3, and whether $v > 2^{t+l+s+T}$ holds; if so, the receiver is convinced that $x > a$;
5) For each receiver's amount $m_i$, the scheme repeats steps 1)-4) to prove $m_i > 0$ ($i \in \{1, 2, \ldots, i\}$).
The proof is executed i times, once for each receiver's $m_i$; if any execution fails, the transaction fails; if all succeed, the system returns 1 and continues with the next verification step.
For the second step, the scheme uses a proof that two commitment values are equal to ensure that the transaction's output is consistent with its input, i.e. $m = m_1 + m_2 + \ldots + m_i = \sum m_i$. Alice now makes two commitments as follows:
where $r_\alpha \in \{-2^s n + 1, \ldots, 2^s n - 1\}$ and $r_\beta = n_d \in \{-2^s n + 1, \ldots, 2^s n - 1\}$. If the 'dumb account' receiving the same amount wants to verify that the plaintext amount contained in the received ciphertext equals the value Alice sent, it needs to perform the following two steps:
1) The secret values hidden in the commitments $E$ and $F$ are equal, $m = \sum m_i$;
2) The ciphertext obtained by the homomorphic operation, $H = \prod c_{id}$, equals one of the commitments, $F$.
To achieve step 1) above, the following proof is carried out:
1. Alice randomly selects $\omega \in \{1, \ldots, 2^{l+t} b - 1\}$, $\eta_\alpha \in \{1, \ldots, 2^{l+t+s} n - 1\}$ and $\eta_\beta \in \{1, \ldots, 2^{l+t+s} n - 1\}$; then she calculates:
2. Alice calculates $u = H(W_\alpha \| W_\beta)$;
3. Alice calculates:
$D = \omega + u m$, $D_\alpha = \eta_\alpha + u r_\alpha$, $D_\beta = \eta_\beta + u r_\beta$
and sends $(u, D_\alpha, D_\beta)$ to the 'dumb account';
4. The 'dumb account' checks whether $u = u'$, where
If this sub-step verifies successfully, the following sub-step continues the proof:
1. The 'dumb account' computes from the received ciphertexts:
2. From the above, $r_d = h_\beta$ was chosen arbitrarily in the encryption process and $r_\beta = n_d$ in the verification process, and during system initialization [relation omitted] and $g_d = g_\beta$ were set; therefore:
3. Check whether $H$ equals $F$; if not, the transaction fails; if so, return 1 and proceed to the next step.
In conclusion, when the steps of both parts hold, the scheme enters the sending phase of the transaction layer;
Step 5: decryption item/Decrypt: after the verification layer passes, the transaction layer sends the encrypted amount $c_i$ to the receiver, who decrypts it with their own private key $sk_i$:
where $x \in S_n = \{u < n^2 \mid u = 1 \bmod n\}$;
After the receiver checks that the received amount is correct, the next transaction proceeds. The receiver's received value is the input value of the next transaction. Note that when the transaction completes, the ciphertext amount in the 'dumb account' is discarded; it serves only as a bridge linking the value at the verification layer with the value sent;
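The verification-layer balance check of steps 3 and 4, the receiver-side decryption of step 5, and a case showing why step 4's positivity proof is needed (a negative amount wrapped modulo $n_d$ passes the balance check alone), as an added Python example. This is not the patent's own code. It assumes Paillier with $g = n + 1$, a constructed fixed randomness `R_D` standing in for $h_\beta$, a sender value $F$ formed as the system-key encryption of the claimed total under randomness $R_D^k$ (the page's own relation between $h_\beta$ and $g_d$ is not reproduced here), and small well-known demo primes.

```python
"""Two-layer Paillier check: per-receiver keys on the transaction layer, one
system key (the 'dumb account', private half never used) on the verification
layer. Added illustration, not the patent's code; g = n + 1 throughout."""
from functools import reduce
from math import gcd

# Constructed demo primes (Mersenne and other well-known primes);
# production keys need primes of at least 1024 bits each.
SYSTEM_PRIMES = (2**89 - 1, 2**107 - 1)                              # pk_d
RECEIVER_PRIMES = [(2**61 - 1, 2**31 - 1), (1000000007, 998244353)]  # pk_1, pk_2
R_D = 12345  # constructed fixed randomness, playing the role of h_beta


def keygen(p, q):
    """Paillier key pair for the page's pk = (n, g) with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    mu = pow(lam, -1, n)                            # L(g^lambda)^-1 = lambda^-1 mod n when g = n+1
    return (n, n + 1), (lam, mu)


def encrypt(pk, m, r):
    """c = g^m * r^n mod n^2; the randomness r is supplied by the caller."""
    n, g = pk
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n with L(x) = (x - 1) / n, x in S_n."""
    n, _ = pk
    lam, mu = sk
    x = pow(c, lam, n * n)                          # x in S_n = {u < n^2 | u = 1 mod n}
    return (x - 1) // n * mu % n


def sender_commit(pk_d, k, total):
    """F for the claimed total (assumption: Enc_pk_d(total; R_D^k), so that it
    matches the product of k verification-layer ciphertexts made with R_D)."""
    n_d, _ = pk_d
    return encrypt(pk_d, total, pow(R_D, k, n_d * n_d))


def dumb_account_check(pk_d, c_ids, F):
    """Verification layer: H = prod c_id mod n_d^2 must equal F. No private key
    is involved; the fixed randomness makes the product's randomness public."""
    n_d, _ = pk_d
    H = reduce(lambda a, b: a * b % (n_d * n_d), c_ids, 1)
    return H == F


def run_transaction(amounts, claimed_total):
    """Returns (amounts decrypted by each receiver, verification-layer verdict)."""
    pk_d, _ = keygen(*SYSTEM_PRIMES)
    receiver_keys = [keygen(p, q) for p, q in RECEIVER_PRIMES]
    # Transaction layer: m_i under receiver i's own key with its own randomness.
    c_tx = [encrypt(pk, m, 777 + i)
            for i, ((pk, _), m) in enumerate(zip(receiver_keys, amounts))]
    # Verification layer: the same m_i under pk_d with the fixed randomness.
    c_ids = [encrypt(pk_d, m, R_D) for m in amounts]
    F = sender_commit(pk_d, len(amounts), claimed_total)
    verdict = dumb_account_check(pk_d, c_ids, F)
    received = [decrypt(pk, sk, c) for (pk, sk), c in zip(receiver_keys, c_tx)]
    return received, verdict


def negative_amount_passes_balance_check():
    """Plaintexts live modulo n_d, so n_d - 3 acts as -3: the balance check alone
    accepts 10 + (-3) = 7, which is why step 4 also proves each m_i > 0."""
    n_d = SYSTEM_PRIMES[0] * SYSTEM_PRIMES[1]
    return run_transaction([10, n_d - 3], claimed_total=7)[1]


if __name__ == "__main__":
    print(run_transaction([30, 20], 50))            # ([30, 20], True)
    print(run_transaction([30, 20], 60)[1])         # False: claimed total is not the sum
    print(negative_amount_passes_balance_check())   # True
```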
Step 6: broadcast confirmation/Broadcast: after the receiver checks the transaction without error, the transaction is broadcast to the whole network to await confirmation. The original plaintext information on the transaction processed by the scheme is hidden in unreadable ciphertext, protecting the one piece of private information that could otherwise be analyzed during the transaction process. This transaction can be denoted $T_{Alice}$; the process applies equally to any other single transaction.

Claims (1)

1. A Bitcoin transaction privacy enhancement method, characterized in that the operation steps are as follows:
Step 1: system initialization/KeyGen: generate the parameters for the encryption, decryption and verification operations; the system takes the security parameter as input and outputs the public key $pk_i$ and private key $sk_i$ used for encryption and decryption, while also outputting the public key $pk_d$ for verification, noting that this public key has no paired private key;
Step 2: calculate total input value/Insum: calculate the total input value of the transaction, namely the total income from the previous transaction and from mining; if the transaction is the head of a newly confirmed block, it obtains an extra 50 bitcoins as a reward, and the total income is the sum obtained by operating on the plaintext together with the original ciphertext; if the transaction is not the head of the newly confirmed block, there is no extra income, and the total income is the value transferred by the previous transaction;
Step 3: encryption item/Encrypt: at the transaction layer the system encrypts each transferred amount with the corresponding receiver's public key, and at the verification layer it encrypts each of the same amounts with the system's public key; the amounts encrypted at the transaction layer are sent to each receiver's account after passing the verification layer, while the encrypted amounts sent at the verification layer enter a 'dumb account', which is an account without a private key, and are discarded after verification;
Step 4: verification item/Verify: verify at the verification layer that the hidden amount is positive and that the total input and output amounts are equal; the verification layer has two steps: in the first step, a proof that a committed value lies in a specific interval shows that the hidden amount is positive; in the second step, a proof that two commitment values are equal shows that the total of the hidden amounts is the same before and after input and output; when both steps hold, the scheme enters the sending phase of the transaction layer;
Step 5: decryption item/Decrypt: after the verification layer passes, the transaction layer sends the encrypted amount to the receiver, who decrypts it with their own private key; after the receiver checks that the received amount is correct, the next transaction proceeds; the receiver's received value is the input value of the next transaction;
Step 6: broadcast confirmation/Broadcast: after the receiver checks the transaction without error, the transaction is broadcast to the whole network to await confirmation; the original plaintext information on the processed transaction is hidden in unreadable ciphertext, protecting the one piece of private information that could otherwise be analyzed during the transaction process;
The 'calculate total input value/Insum' of step 2 is divided into two cases, as follows:
If the transaction is the head of a newly confirmed block, it obtains an additional 50 bitcoins as a reward, and the total income is the sum obtained by operating on this plaintext part together with the original ciphertext, expressed as
If the transaction is not the head of the newly confirmed block, no extra income is generated, and the total income is the value transferred by the previous transaction, expressed as
The verification layer of the 'verification item/Verify' in step 4 is divided into two steps: in the first step, a proof that a committed value lies in a specific interval shows that the hidden amount is positive; in the second step, a proof that two commitment values are equal shows that the total of the hidden amounts is the same before and after input and output; the specific method is as follows:
For the first step, Verify-I, the scheme uses a proof that a committed value lies in a certain interval to guarantee that the encrypted amount $m_i$ is positive. The sender Alice makes commitments separately for each different receiver i. For simplicity, $E_0, E_1, E_2, E_3, F, V$ are written in place of $E_{i0}, E_{i1}, E_{i2}, E_{i3}, F_i, V_i$.
4.11) Alice sets $v = \alpha^2 y + \omega > 2^{t+l+s+T}$, where $\alpha \neq 0$ is chosen arbitrarily and $0 < \omega \le 2^{s+T}$;
she sets $r_3 - r\alpha^2 + r_1\alpha + r_2 \in [-2^s n + 1, \ldots, 2^s n - 1]$,
where $r_1, r_2, r_3 \in [-2^s n + 1, \ldots, 2^s n - 1]$ are chosen arbitrarily; then she calculates:
Alice sends $(V, E_2, E_3, F)$ to the receiver;
4.12) The receiver calculates:
$E_1 = E_0(m_i, r)/g^a = g^y h^r \bmod n$
4.13) Alice and the receiver each calculate:
where $r^* = -r\alpha^2 - r_1\alpha - r_2$;
4.14) The receiver verifies the correctness of PK1, PK2 and PK3, and whether $v > 2^{t+l+s+T}$ holds; if so, the receiver is assured that $x > a$;
4.15) For each receiver's amount $m_i$, the scheme repeats steps 4.11)-4.14) to prove
$m_i > 0$ ($i \in \{1, 2, \ldots, i\}$);
The proof is executed i times, once for each receiver's $m_i$; if any execution fails, the transaction fails; if all verification steps succeed, the system passes and continues with the next verification step;
For the second step, Verify-II, the scheme uses a proof that two commitment values are equal to ensure that the transaction's output is consistent with its input, i.e. $m = m_1 + m_2 + \ldots + m_i = \sum m_i$; Alice now makes two commitments as follows:
where $r_\alpha \in \{-2^s n + 1, \ldots, 2^s n - 1\}$ and $r_\beta = n_d \in \{-2^s n + 1, \ldots, 2^s n - 1\}$; if the 'dumb account' receiving the same amount wants to verify that the plaintext amount contained in the received ciphertext equals the value Alice sent, it needs to perform the following two steps:
(1) The secret values hidden in the commitments $E$ and $F$ are equal, $m = \sum m_i$;
(2) The ciphertext obtained by the homomorphic operation, $H = \prod c_{id}$, equals one of the commitments, $F$;
To achieve step (1) above, the following verification is carried out:
① Alice randomly selects
$\omega \in \{1, \ldots, 2^{l+t} b - 1\}$, $\eta_\alpha \in \{1, \ldots, 2^{l+t+s} n - 1\}$ and $\eta_\beta \in \{1, \ldots, 2^{l+t+s} n - 1\}$; then she calculates:
② Alice calculates $u = H(W_\alpha \| W_\beta)$;
③ Alice calculates:
$D = \omega + u m$, $D_\alpha = \eta_\alpha + u r_\alpha$, $D_\beta = \eta_\beta + u r_\beta$
and sends $(u, D_\alpha, D_\beta)$ to the 'dumb account';
④ The 'dumb account' checks whether $u = u'$, where
If this sub-step verifies successfully, the following sub-step continues the proof:
① The 'dumb account' computes from the received ciphertexts:
② From the above, $r_d = h_\beta$ was chosen arbitrarily in the encryption process and $r_\beta = n_d$ in the verification process, and during system initialization [relation omitted] and $g_d = g_\beta$ were set; therefore:
③ Check whether $H$ equals $F$; if not, the transaction fails; if so, it passes and proceeds to the next step;
In conclusion, when the steps of both parts hold, the scheme enters the sending phase of the transaction layer;
The specific implementation of 'system initialization/KeyGen' in step 1 is as follows:
The input of the system is the security parameter, and the output is the set of parameters for the encryption, decryption and verification operations; at the transaction layer, for each distinct receiver i, the system generates two large primes $p_i$ and $q_i$; the receiver's private key is $sk_i = \lambda_i$ and the public key is $pk_i = (n_i, g_i)$, where $n_i = p_i q_i$;
Meanwhile, at the verification layer, the system outputs a public key $pk_d = (n_d, g_d)$ for the 'dumb account' used in verification; note that this public key has no paired private key, that is, the system account cannot operate on the amounts it receives; the system also generates the parameters $V_\alpha = (g_\alpha, h_\alpha)$ and $V_\beta = (g_\beta, h_\beta)$ for verification;
In step 3, the 'encryption item/Encrypt' encrypts the same amount at the transaction layer and the verification layer simultaneously; the specific implementation is as follows:
At the transaction layer, the scheme uses the public keys $pk_1, pk_2, \ldots, pk_i$ of the different receivers to encrypt the transmitted plaintext amounts $m_1, m_2, \ldots, m_i$ with the Paillier cryptosystem, giving the ciphertexts $c_1, c_2, \ldots, c_i$, expressed as:
Meanwhile, at the verification layer, the scheme uses the single system public key $pk_d$ to encrypt each of the amounts $m_1, m_2, \ldots, m_i$ sent at the transaction layer, expressed as:
where the scheme sets the random number $r_d = h_\beta$;
In step 5, after the 'decryption item/Decrypt' has passed the verification layer, the transaction layer sends the encrypted amount $c_i$ to the receiver; this is implemented as follows:
The receiver decrypts with their own private key $sk_i$:
where $x \in S_n = \{u < n^2 \mid u = 1 \bmod n\}$;
After the receiver checks that the received amount is correct, the next transaction proceeds; the receiver's received value is the input value of the next transaction; when the transaction completes, the ciphertext amount in the 'dumb account' is discarded, serving only as a bridge linking the value at the verification layer with the value sent;
In step 6, the 'broadcast confirmation/Broadcast' broadcasts the transaction to the whole network to await confirmation after the receiver has checked it without error; the specific implementation is as follows: the original plaintext information on the processed transaction is hidden in unreadable ciphertext, protecting the one piece of private information that could otherwise be analyzed during the transaction process; this transaction is denoted $T_{Alice}$, and the process applies equally to any other single transaction.
Application CN201710050768.3A, filed 2017-01-23 (priority date 2017-01-23): Bit currency transaction privacy enhancement method, status Active, granted as CN106911470B (en).

Publications:
CN106911470A (en), published 2017-06-30
CN106911470B (en), published 2020-07-07
