CN110009318A - A kind of digital cash method for tracing based on door sieve coin - Google Patents
A kind of digital cash method for tracing based on door sieve coin Download PDFInfo
- Publication number
- CN110009318A CN110009318A CN201910223291.3A CN201910223291A CN110009318A CN 110009318 A CN110009318 A CN 110009318A CN 201910223291 A CN201910223291 A CN 201910223291A CN 110009318 A CN110009318 A CN 110009318A
- Authority
- CN
- China
- Prior art keywords
- account
- requestee
- public key
- tracking
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 57
- 230000007774 longterm Effects 0.000 claims abstract description 48
- 125000004122 cyclic group Chemical group 0.000 claims description 7
- 239000011159 matrix material Substances 0.000 claims description 7
- 238000011084 recovery Methods 0.000 claims description 7
- 238000004364 calculation method Methods 0.000 claims description 6
- 230000002776 aggregation Effects 0.000 claims description 4
- 238000004220 aggregation Methods 0.000 claims description 4
- 241000208340 Araliaceae Species 0.000 claims 1
- 235000005035 Panax pseudoginseng ssp. pseudoginseng Nutrition 0.000 claims 1
- 235000003140 Panax quinquefolius Nutrition 0.000 claims 1
- 235000008434 ginseng Nutrition 0.000 claims 1
- 238000003780 insertion Methods 0.000 claims 1
- 230000037431 insertion Effects 0.000 claims 1
- 238000012360 testing method Methods 0.000 description 16
- 230000007246 mechanism Effects 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000004458 analytical method Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 238000013507 mapping Methods 0.000 description 3
- 238000012795 verification Methods 0.000 description 3
- 230000008094 contradictory effect Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000035772 mutation Effects 0.000 description 2
- 201000009032 substance abuse Diseases 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000001186 cumulative effect Effects 0.000 description 1
- 239000003814 drug Substances 0.000 description 1
- 229940079593 drug Drugs 0.000 description 1
- 235000013399 edible fruits Nutrition 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000001737 promoting effect Effects 0.000 description 1
- 238000005070 sampling Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/04—Payment circuits
- G06Q20/06—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
- G06Q20/065—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme using e-cash
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3825—Use of electronic signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
Landscapes
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Engineering & Computer Science (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The present invention relates to a kind of digital cash method for tracing based on door sieve coin, comprising the following steps: system initialization generates the key of system parameter and tracking authority;User generates trading card, and the artificial payee that pays the bill generates a public key, and is embedded in long-term public key tracking label;Artificial Send only Account of paying the bill is coined;Requestee pulls in one group of combined account and hides true Send only Account;Generate a public key tracking label;Trading card is completed, and is signed to trading card.Trading card is broadcasted into P2P network;Miner generates block, and miner collects the trading card in P2P network, and the validity of trading card is collected in verifying, and carries out digging mine with effective trading card, is generated new block, is broadcasted the block;Authority tracking malice requestee is tracked, tracking authority can track the public key and long-term public key of malice requestee when finding malice requestee, to cancel its anonymity, while generate the correctness of evidence proof tracking result.
Description
Technical field
The invention belongs to technical field of network security, and in particular to a kind of digital cash method for tracing based on door sieve coin.
Background technique
Password currency is a kind of digital cash based on public key cryptography.Traditional electronic money is based on a credible third
Side, and password currency is decentralization, both parties need not move through third party and can directly trade.The transaction of password currency
With verifying realized by block chain, block chain is the open account book an of decentralization, by participants all in system with
A kind of mode can verify that, permanent is safeguarded.Block chain is a far-reaching technology, it is changed in real world
The mode of transaction is considered as the maximum change after internet occurs.
Protecting privacy of user is one of most attracting feature of password currency.If do not protected in process of exchange, user's is quick
Feel information, malice businessman will sell the Transaction Information of user and obtain interests.Meanwhile sensitive information is let out in password moneytary operations
Dew may cause harassing and wrecking of the daily life of user by all kinds of spams and malice advertisement.Therefore, it is hidden to explore password currency
Private enhancing technology is extremely important.
Bit coin is the password currency of first decentralization, has been constantly subjected to academia and industry since 2009 come out
Extensive concern.Bit coin is user's pseudonymity system, not up to really anonymous, and the assumed name mechanism of bit coin is not enough to
Protect privacy of the user in real-world applications.For example, if requestee pays same quotient using multiple billing address jointly
When product, then the address of same requestee will be linked.In order to improve secret protection grade in password currency, a variety of structures
Make and be suggested, such as door sieve coin, reach generation (Dash), zero coin (Zerocash).
Currently invention addresses the decentralization password currency that door sieve coin is a kind of resources open, focus mainly on the hidden of currency
Private and anonymity.It was issued in a branch as byte coin in 2014, had become the maximum password of accounting at present
One of currency, by March, 2018, its market value is up to 5,700,000,000 dollars.Door sieve coin be based on CryptoNote agreement so as to
The privacy of identities of payee is enough protected, while protecting specific payee hidden from the identity in hair ring using linkable ring signatures
Private, this is referred to as ring clandestine dealing agreement (RingCT).2017, Sun and Au et al. proposed a kind of new efficient
RingCT agreement (RingCT 2.0), the agreement use a kind of powerful tool, the referred to as accumulator of unidirectional domain, hand over
The size of Yi Dan has been effectively saved the memory space of data independently of the quantity for inputting account in ring.
In password moneytary operations, anonymity is the necessary condition for protecting privacy of user.However, anonymity is also brought
New problem, such as illegal transaction can not be examined, the perfect guilty tool of unlawful activities is become, such as evades a tax, wash
Money, violated object are traded and are extorted.In recent years, constantly increase to reach the case where illegal objective abuses anonymous password currency, present
The trend of liter.The notorious black Silk Road is exactly to carry out drug trade using bit coin and Tor network to avoid being tracked
Or punishment.In May, 2017, network attack WannaCry have attacked more than 30 ten thousand computers in global 150 countries, have passed through encryption
File asks for ransom money to user.Victim is required to pay the bit coin for being worth 300-600 dollars to three hard coded accounts.According to
Estimate, economic loss caused by WannaCry is about 4,000,000,000 dollars, and criminal is still unknown so far.After three months, violate
The bit coin of guilty person payment has been converted as door sieve coin, is more difficult to track true criminal.Therefore, in anonymous password goods
In coin, traceability is highly important.
Above-mentioned password currency such as bit coin, door sieve coin, zero coin do not consider password goods while protecting privacy of user
The traceability of coin is not able to achieve effective supervision of password currency, it is difficult to balance privacy of user and currency monitoring in password currency
Between relationship.In block chain, although the method that some pairs of anonymous password currency trackings have been proposed, existing to be based on
Method that cryptography tool is tracked password currency is simultaneously few, and fewer and fewer for the method for tracing of door sieve coin.
Summary of the invention
In order to solve the above-mentioned problems in the prior art, and the Privacy Protection to password currency in block chain
And abuse anonymity problem, the present invention provides a kind of digital cash method for tracing based on door sieve coin, balance in digital cash
The relationship of privacy of user and currency monitoring, and provide two kinds of tracking mechanisms is respectively used to the long-term account of tracking user and primary
Account.
The method of the present invention is participated in business online without tracking the authoritative moment, the only intervention when needing to track user, and is tracked
Authority will not interfere any transaction, and for honest user, anonymity remains to be guaranteed, but malicious act occurs in user
When, tracking authority can be tracked to cancel its anonymity, to supervise the system;For the password currency based on block chain
Transaction, supervision and secret protection be two it is of crucial importance but the problem of seem contradiction, this method perfection has been compatible with two attributes.
Therefore achievement of the present invention is for promoting the sustainable development of the password currency based on block chain to have important theory
Meaning and practical value.
The method of the present invention technical problems to be solved are achieved through the following technical solutions:
A kind of digital cash method for tracing based on door sieve coin, including the following steps:
Step S100. system is established, and system parameter is generated: selection security parameter λ generates the open parameter pp of system and chases after
The public key (ω, z) of track authority;For each user in the system of addition, system distributes long term keys for it.Specifically,
Step S101: one security parameter λ of selection, call the parameter generation algorithm of unidirectional domain accumulator to generate accumulator public
Parameter desc=ACC.Gen (1 altogetherλ), call the parameter generation algorithm of signatures of Knowledge to generate signatures of Knowledge common parameter par=
SoK.Gen(1λ).Wherein, unidirectional domain GqAccumulator algorithm include f=(ACC.Gen, ACC.Eval, ACC.Wit), knowledge label
Name algorithm includes Sok=(SoK.Gen, SoK.Sign, SoK.Verf);
Step S102: the Big prime q of one safety of selection, and generate using q as the cyclic group G of rankq, select random elementH is the Hash function of impact resistant, H:{ 0,1 }*→Gq;
Step S103: system public parameter is
Step S104: private key ω ∈ G is generated for tracking authority is randomq, and the public key for calculating tracking authority is z=h0 ω;
Step S105: to the user of the system of addition, system is its automatic distribution public private key pair, meets (A '=h0 a′, B '=
h0 b′), wherein (A ', B ') is the long-term public key of user, disclose in systems, is used for identity user;(a ', b ') is the length of user
Phase private key.
Step S200. generates trading card:
In order to without loss of generality, it is assumed that requestee has one group of Send only Account (total m) in a trading card, while in order to
Requestee's privacy is protected, needs requestee to pull in the combined account (mixins) of other n-1 groups to cover true payment and acknowledge a debt
Family generates Send only Account matrix (such as Fig. 3);It is assumed that collecting account shares t.Specifically, for Send only Account: setting A indicates n
A user inputs the set of account, and really pay the bill artificial s-th of user, and Send only Account collection is combined into As, corresponding to Send only Account
Private key beFor exporting account: one group of output address is R=
{pkOut, j}1≤j≤t, output account aggregation is AR。
Step S201 requestee generates a public key y according to the long-term public key of payee for payee, and be embedded in wherein
Long-term public key tracks label ct;
The artificial payee of step S201-1. payment generates a public key.
The step S201-2. payment artificial account generates long-term public key and tracks label.
The artificial Send only Account of step S202. payment is coined;Requestee restores corresponding one according to oneself a public key pk
Secondary private key sk.And coined according to a secondary key and amount of money a, select random number r calculate promise to undertake c, coined (cn, ck)=(c,
(r, a)), setting Send only Account are act=(pk, cn), and corresponding private key is ask=(sk, cn).Wherein, cn indicates that amount of money a is corresponding
Digital cash, (pk, sk) indicate requestee a key pair.
Step S202-1. requestee is according to oneself long-term private and key recovery parameter, according in step S201-1
Mode calculates the corresponding private key sk of a public key pk;
Step S202-2. requestee coins according to a public key pk and amount of money a.
Step S203. requestee generates output account, and coins for output account;It proves in input and output account simultaneously
The amount of money is equal.
Step S203-1. requestee selects random element rOut, j∈Zq(1≤j≤t), to output address pkOut, j∈R(1≤
J≤t) it output is calculated coinsRequestee will export account actOut, j=
(pkOut, j, cnOut, j) set A is addedRIn, send currency key ckOut, j=(rOut, j, aOut, j) give a public key for pkOut, j's
Payee.
Step S203-2. spends more (i.e. requestee spends the money more than the amount of money in Send only Account) in order to prevent, and requestee needs
Prove that input account is equal with account amount of money is exported.
Step S204. requestee generates a cost and proves, it was demonstrated that the correctness that this spends, and to the trading card label
Name, ultimately produces transaction record (tx, π, S, CT).Wherein, S={ s1, s2..., smIndicate account corresponding address sequence number,
CT=(ct1, ct2) indicate the ciphertext indexed;
Step S204-1. requestee calls accumulator algorithm, calculates accumulated value
And evidenceTo prove the public key in k-th of accountIndeed add up into vkIn.
The sequence number s of step S204-2. calculating Send only Accountk。
Step S204-3. calculates a public key and tracks label C T.
Step S204-4. requestee generates the signatures of Knowledge π about trading card tx using linkable ring signatures;
Step S204-5. requestee exports one group of transaction record (tx, π, S, CT).Wherein, S={ s1, s2..., smIndicate
The sequence number of account corresponding address, CT=(ct1, ct2) indicate that a public key tracks label;
Step S300. block generates:
Step S301. miner verifies trading card;Miner randomly selects the trading card in P2P network, and verifies having for transaction
Effect property;
Step S301-1: miner is according to input accountInput account AR=
{(pkOut, j, cnOut, j)}1≤j≤t,It is calculated with the ciphertext CT of trading card tx
Step S301-2: miner is according to accumulated value (v1..., vm+1), sequence number S, trading card tx and prove π verify Verf
(tx, ct1, ct2, (v1..., vm+1, s1..., sm), π)=1 whether true.
Step S302. generates new block according to effective trading card, broadcasts the block to P2P network;
The validity of other users verifying new block in step S303.P2P network.
The requestee of step S400. tracking authority's tracking malice:
Step S401. malice requestee tracking.When system needs are tracked malice requestee, tracking authority can be with
The public key and long-term public key of malice requestee are tracked according to the private key of oneself and tracking label, tracking authority is after tracking
Generating tracking proves.
Step S402. malice requestee tracks verifying: any entity in system can verify the effective of tracking proof
Property.
Further, the specific steps of the step S201-1 are as follows: requestee search payee long-term public key be (A ',
B '), requestee selects random number r ' ∈ Gq, calculate a key recovery parameter R '=h0 r′And cryptographic Hash h=H (A 'r′, B ').
The public key of the payee is y=B ' h0 h.Payee can be after gathering according to the long-term private of oneself (a ', b ') and close
Key restores parameter R ', calculates a account corresponding private key x=b '+H (R 'a′, B ').
Further, the specific steps of the step S201-2 are as follows: requestee calculates long-term according to the public key z of tracking authority
Public key tracks label ct=zh, while generating the corresponding signatures of Knowledge of tracking label
Further, the specific steps of the step S202-2 are as follows: requestee selects random number r to calculate promise Coined (cn, ck)=(c, (r, a)), the secondary account of requestee be act=(pk,
Cn), the private key of corresponding account is ask=(sk, ck).Wherein (pk, sk) indicates the key pair of requestee.
Further, the specific steps of the step S203-2 are as follows: requestee, which needs to calculate, spends more private key And spend more public key If the sums of money for inputting account is equal to the sums of money of output account, i.e.,ThenMeet
Further, the specific steps of the step S204-2 are as follows: according to the private key of accountThe sequence of calculation number Carry out unique identification Send only Account.
Further, the specific steps of the step S204-3 are as follows: selection random numberAdded according to the public key z of tracking authority
Row number γ of the close true requestee in Send only Account matrix, obtains ciphertext CT=(ct1, ct2), wherein
Further, the specific steps of the step S204-4 are as follows: requestee is generated as follows about trading card
The signatures of Knowledge π of tx;
Further, the specific steps of the step S302 are as follows: the effective trading card of miner { tx }, according to these trading cards
Merkle Hash tree is generated, the cryptographic Hash Pre_Hash of the root Root of Merkle Hash tree and previous block is put together together
Shi Jinhang digs mine, that is, finds a suitable random number non and the cryptographic Hash of block is made to be less than target value:
H (non | | Pre_hash | | tx | | tx | | ... | | tx) < target
If digging mine success, new block is generated;
Further, the specific steps of the step S303 are as follows: current block blkn, the Hash of miner's verifying new block
Whether value meets condition, i.e., verifying H (non | | Pre_hash | | tx | | tx | | ... | | tx) < target it is whether true with receive
Or refuse the block.
Further, the specific steps of public key of malice requestee are tracked in the step S401 are as follows: Tracking Payments people
A public key, tracking authority according to private key ω, ciphertext CT=(ct1, ct2) calculate p=ct1/ct2 ω-1, search and meet p=h3 γ
Index γ ∈ [1, n], obtain a public key of γ corresponding account;Meanwhile it tracking authority and the calculating of signatures of Knowledge algorithm is called to know
Know signatureAs proof ψ ', it was demonstrated that the primary public affairs of the really requestee of γ
Index value of the key in payer account gathers.
Further, the specific steps of the long-term public key of malice requestee are tracked in the step S401 are as follows: Tracking Payments people
Long-term public key, tracking authority according to private key ω and long-term public key tracking label calculateB ' is to account payable
The long-term public key of people, y are the public key of requestee, while signatures of Knowledge algorithm being called to generate signatures of KnowledgeAs proof ψ, it was demonstrated that B ' is correctly opened by oneself.
Further, the specific steps of the step S402 are as follows: any entity can call signatures of Knowledge to test in system
Algorithm is demonstrate,proved to verify Verf (B ', (z, y, ct), ψ)=1 and Verf (γ, (z, ct1, ct2), ψ)=1 whether true, if so,
Illustrate that ψ and ψ are efficiently generated.
Compared with prior art, beneficial effects of the present invention:
(1) traceable door sieve coin: the invention proposes a kind of new digital cash password method for tracing, can be in door sieve
Conditional anonymity and traceability are realized simultaneously in the transaction of coin, and normal transaction can guarantee the anonymity of participating user
Property, exist simultaneously one tracking authority can in any suspicious transaction cancel payment people anonymity, balance door well
Contradictory relationship is seemed between anonymity and traceability in sieve coin;
(2) two kinds of tracking mechanisms: the present invention realizes traceable door sieve coin digital cash method for tracing, chases after comprising two kinds
Track mechanism: tracking authority can track the public key that label tracks requestee by a public key in transaction record;In turn,
Tracking authority can track the long-term public key that label tracks malicious user according to the long-term public key in public key of requestee;
(3) system optimization: the method for the present invention is participated in business without tracking the authoritative moment, is only joined needing to track user
With tracking authority will not interfere any transaction, and track and expense that verifying generates is smaller, and system is realized simple, reach higher
Operation efficiency.
Detailed description of the invention
Fig. 1 is traceable door sieve coin method operational process schematic diagram of the method for the present invention specific embodiment.
Fig. 2 is public key generating process schematic diagram of payee of the method for the present invention specific embodiment.
Fig. 3 is the input account matrix schematic diagram in the trading card of the method for the present invention specific embodiment.
Fig. 4 is that trading card and the verifying transaction increased time overhead of single stage are generated in the method for the present invention specific embodiment
Test chart.
Fig. 5 is the efficiency test figure of the verifying transaction single stage of the method for the present invention specific embodiment.
Specific embodiment
It should be noted that all features disclosed in this specification or disclosed all methods or in the process the step of,
It other than mutually exclusive feature and/or step, can combine in any way, the combination of these any modes is also at this
Within the protection scope of invention.
Any feature disclosed in this specification (including any accessory claim, abstract and attached drawing), except non-specifically chatting
It states, can be replaced by other alternative features that are equivalent or have similar purpose.That is, unless specifically stated, each feature is only
It is an example in a series of equivalent or similar characteristics.
Further detailed description is done to the present invention combined with specific embodiments below, but embodiments of the present invention are not limited to
This.
The present invention is to propose a kind of new password about traceable door sieve coin based on public key cryptography theory
The method for tracing of currency gives two kinds of tracking mechanisms, and the method is the improvement of sieve coin system on the door, balances password well
Contradictory relationship is seemed between privacy of user and supervision in currency, is applied to the higher block chain environment of security requirement.Can
In door sieve coin system of tracking, the progress that normal transaction all can be anonymous as in door sieve coin system exists simultaneously one
Tracking authority can track the public key or/and long-term public key of requestee in any suspicious transaction, cancel payment people's
Anonymity;Tracking authority will not interfere any transaction, only just participate in when needing to investigate completed transaction.
Therefore the method for the present invention not only has facilitation to the development of password currency, while having many theory significances and showing
Sincere justice.
Firstly, simply being introduced cryptography theory applied by the method for the present invention:
(1) Bilinear map
Enable G1, GTIt is two groups that rank is p.If mapping e:G1×G1→GTThen meet following three items for bilinear map
Part: 1. bilinearity, for any u, v ∈ G1, a, b ∈ Zp, e (ua, vb)=e (u, v)abIt sets up;2. non-degeneracy, for G1In
Generation member g, meet e (g, g) ≠ 1.3. computability: to any u, v ∈ G1, e (u, v) can be calculated effectively.
(2) accumulator of unidirectional domain
One group of given element can be accumulated as an individual value by accumulator, and there are an evidences to be used to prove some member
Element is indeed added in accumulator.For any λ ∈ N, F={ FλIt is one group of sequence of function, X={ XλIt is one group of satisfactionFinite aggregate sequence.One accumulator race is by three polynomial times as described below
Algorithm composition:
Accumulator parameter generates ACC.Gen (1λ): the algorithm inputs security parameter λ, exports description desc and some
Assistance messages.
Accumulator evaluation ACC.Eval (desc, X): the algorithm input description desc andExport an accumulated value v
=f (u, X), wherein F ∈ Fλ, u ∈ Uλ, f (u, X)=f (... f (u, x1)…xn),
Accumulator evidence ACC.Wit (desc, x, X): algorithm input description desc,With x ∈ X, one is exported
Evidence ω, wherein v=f (w, x).
The example that following unidirectional domain accumulator is employed herein: the domain for the element that can add up is Gq=<h>, unidirectional relationship
It is defined as Rq={ (y, x) ∈ Zq×Gq: x=hy, relationship RqEffectively it can verify that, effective sampling, unidirectional.
Specific algorithm is described as follows:
ACC.Gen(1λ): safe Big prime p is randomly choosed, and generates the cyclic group G that rank is p1=<g0> and G2, setting
Bilinear map e:G1×G1→G2, sum functionWherein the mapping relations of f are
We can define f:(u, v) → u (x+ α), wherein α be fromIn randomly selected auxiliary information, for simplicity, u is general
It is set asIn identical element.The mapping relations of g areIt may be defined asThe domain for the element that can be added up
For using prime number q as the cyclic group G of rankq=<h>meetsFinally, output descriptionWherein n is the maximum value for the number of elements that can be added up.
ACC.Eval (desc, X): according to public informationIt calculatesTo calculate the cumulative of X
G ° of f of value (1, X), wherein uiIt is multinomialCoefficient.
ACC.Wit (desc, xs, X): the relationship Ω of this accumulator be defined as Ω (ω, x, v)=1 set up and if only ifIt sets up.Element xs∈ X:={ x1, x2..., xnEvidence ωsIt can be according to public informationIt calculates as follows:
Wherein, uiIt is multinomialCoefficient.
(3) signatures of Knowledge (SoK)
Corresponding languageNP relationship R knowledge signature it is multinomial by three as described below
Formula time algorithm composition:
Parameter generates Gen (1λ): the algorithm inputs security parameter λ, exports open parameter par.
Signature generates Sign (m, x, y): the algorithm inputs message m, and relationship (x, y) ∈ R exports the signature π of knowledge.
Signature verification Verf (m, π, y): the algorithm inputs message m, and the signature π of knowledge states y, output 0/1.
The example of signatures of Knowledge used in the method for the present invention can according to Fiat-Shamir normal form, zero-knowledge protocol and
Zksnark is obtained.
(4) it promises to undertake
One commitment scheme allows promise person to promise to undertake selected message, so that the message is invisible to other people
And promise person can disclose message.One commitment scheme is made of three polynomial time algorithms as described below:
Promise to undertake that parameter generates CGen (1λ): the algorithm inputs security parameter λ, exports an open promise key ctk.
Promise to undertake and generate Com (ctk, m, r): key ctk, message m and random number r are promised to undertake in algorithm input, and c is promised to undertake in output.
Promise to undertake verifying Open (c, m, r): the algorithm, which inputs, promises to undertake c, message m and random number r, verifying c=Com (ctr, m,
R) whether true.
Pedersen commitment scheme is used in the method for the present invention, detail is as follows:
CKGen(1λ): input security parameter 1λ, output promise key ctk=(Gq, q, g, h), wherein GqIt is with Big prime q
For the cyclic group of rank, g, h are GqIn random generation member.
Com (ctk, m): to message m ∈ ZqIt is promised to undertake, randomly chooses r ∈ Zq, calculate c=gmhr。
It is well known that this commitment scheme is in GqDiscrete logarithm assumption on group is set up the perfect hiding of lower satisfaction and can be counted
The strong binding calculated.
(5) mutation of ElGamal encryption
Herein, we utilize the mutation of original ElGamal encipherment scheme, and the program is made of algorithm as described below:
KeyGen (λ): the algorithm inputs security parameter λ, and generating cyclic group G, the g ∈ G that a rank is prime number q is crowd G
Generate member, random selectionFor private key, export (x, z).
Enc (z, m): the algorithm inputs public key z, and message m selects random number α, encrypts C=(c to message m1, c2)=(zα,
mgα), export the ciphertext (c of m1, c2)。
Dec (x, C): the algorithm inputs private key x, ciphertext C, exports message
Referring to Fig.1, the method for the present invention is implemented as follows:
A kind of digital cash method for tracing based on door sieve coin, including the following steps:
Step S100. system is established, and system parameter is generated: selection security parameter λ generates the open parameter of system;
Step S101: one security parameter λ of selection, call the parameter generation algorithm of unidirectional domain accumulator to generate accumulator public
Parameter desc=ACC.Gen (1 altogetherλ), call the parameter generation algorithm of signatures of Knowledge to generate signatures of Knowledge common parameter par=
SoK.Gen(1λ).Wherein, unidirectional domain GqAccumulator algorithm include f=(ACC.Gen, ACC.Eval, ACC.Wit), knowledge label
Name algorithm includes Sok=(SoK.Gen, SoK.Sign, SoK.Verf);
Step S102: the Big prime q of one safety of selection, and generate using q as the cyclic group G of rankq, select random elementH is the Hash function of impact resistant, H:{ 0,1 }*→Gq;
Step S103: system public parameter is
Step S104: private key ω ∈ G is generated for tracking authority random 40q, and the public key for calculating tracking authority is z=h0 ω;
Step S105: to the user 30 of the system of addition, system is that (system distributes key other side to its automatic distribution public private key pair
Method is referring to https: //bitcoin.org/en/developer-guide#wallet-programs), meet (A '=h0 a′, B,
=h0 b′), wherein (A ', B ') is the long-term public key of user, disclose in systems, is used for identity user;(a ', b ') is user's
Long-term private.
Step S200. user 30 generates trading card:
In order to without loss of generality, it is assumed that requestee has one group of Send only Account (total m) in a trading card, while in order to
Requestee's privacy is protected, needs requestee to pull in the combined account (mixins) of other n-1 groups to cover true payment and acknowledge a debt
Family generates Send only Account matrix (such as Fig. 3);It is assumed that collecting account shares t.Specifically, for Send only Account: setting A indicates n
A user inputs the set of account, and really pay the bill artificial s-th of user, and Send only Account collection is combined into As, corresponding to Send only Account
Private key beFor exporting account: one group of output address is R=
{pkOut, j}1≤j≤t, output account aggregation is AR。
For step S201. according to the long-term public key of payee, the artificial payee that pays the bill generates a public key y, and is embedded in wherein
Long-term public key tracks label ct, as shown in Figure 2;
Step S201-1: the artificial payee that pays the bill generates a public key.The long-term public key of requestee lookup payee
For (A ', B '), requestee selects random number r ' ∈ Gq, calculate a key recovery parameter R '=h0 r′And cryptographic Hash h=H (A
′r′, B ').The public key of the payee is y=B ' h0 h.Payee can be after gathering according to the long-term private of oneself
(a ', b ') and key recovery parameter R ' calculates a account corresponding private key x=b '+H (R 'a′, B ');
Step S201-2: the artificial account of paying the bill generates long-term public key tracking label.Requestee's public affairs authoritative according to tracking
Key z calculates long-term public key and tracks label ct=zh, while generating the corresponding signatures of Knowledge of tracking label
The artificial Send only Account of step S202. payment is coined;Requestee restores corresponding one according to oneself a public key pk
Secondary private key sk.And coined according to a secondary key and amount of money a, coined (cn, ck)=(c, (r, a)), setting Send only Account are
Act=(pk, cn), corresponding private key are ask=(sk, cn).Wherein, cn indicates the corresponding digital cash of amount of money a, (pk, sk) table
Show the key pair of requestee.
Step S202-1: requestee is according to oneself long-term private and key recovery parameter, according in step S201-1
Mode calculates the corresponding private key sk of a public key pk;
Step S202-2: requestee coins according to a public key pk and amount of money a.Requestee selects random number r to calculate
It promises to undertakeCoined (cn, ck)=(c, (r, a)), the secondary account of requestee are act
=(pk, cn), the private key of corresponding account are ask=(sk, ck).Wherein (pk, sk) indicates the key pair of requestee.
Step S203. requestee generates output account, and coins for output account;It proves in input and output account simultaneously
The amount of money is equal.
Step S203-1: requestee selects random element rOut, j∈Zq(1≤j≤t), to output address pkOut, j∈R(1≤
J≤t) it output is calculated coinsRequestee will export account actOut, j=
(pkOut, j, cnOut, j) set A is addedRIn, send currency key ckOut, j=(rOut, j, aOut, j) give a public key for pkOut, j's
Payee;
Step S203-2: (i.e. requestee spends the money more than the amount of money in Send only Account) is spent more in order to prevent, requestee needs
Prove that input account is equal with account amount of money is exported.Specifically, requestee, which needs to calculate, spends more private key And spend more public key If the sums of money for inputting account is equal to the sums of money of output account, i.e.,ThenMeet
Step S204. requestee generates a cost and proves, it was demonstrated that the correctness that this spends, and to the trading card label
Name, ultimately produces transaction record (tx, π, S, CT).Wherein, S={ s1, s2..., smIndicate account corresponding address sequence number,
CT=(ct1, ct2) indicate the ciphertext indexed;
Step S204-1. requestee calls accumulator algorithm, calculates accumulated value
And evidenceTo prove the public key in k-th of accountIndeed add up into vkIn.
The sequence number s of step S204-2. calculating Send only Accountk(1≤k≤m).According to the private key of accountThe sequence of calculation
NumberCarry out unique identification Send only Account;
Step S204-3. calculates a public key and tracks label C T.Select random numberAccording to the public key z encryption of tracking authority
True row number γ of the requestee in Send only Account matrix, obtains ciphertext CT=(ct1, ct2), wherein
Step S204-4. requestee generates the signatures of Knowledge π about trading card tx as follows;
Step S204-5. requestee exports one group of transaction record (tx, π, S, CT).Wherein, S={ s1, s2..., smIndicate
The sequence number of account corresponding address, CT=(ct1, ct2) indicate that a public key tracks label.
Step S205. repeats step S201-S204 when user 30 needs to generate trading card.
Step S300. miner 20 generates block.
Step S301. miner verifies trading card;Miner randomly selects the trading card in P2P network, and verifies having for transaction
Effect property;
Step S301-1: miner is according to input accountInput account AR=
{(pkOut, j, cnoUt, j)}1≤j≤t,It is calculated with the ciphertext CT of trading card tx
Step S301-2: miner is according to accumulated value (v1..., vm+1), sequence number S, trading card tx and prove π verify Verf
(tx, ct1, ct2, (v1..., vm+1, s1..., sm), π)=1 whether true.
Step S302. generates new block according to effective trading card, broadcasts the block to P2P network.Miner effectively trades
Single { tx } generates Merkle Hash tree according to these trading cards, by the Kazakhstan of the root Root of Merkle Hash tree and previous block
Uncommon value Pre_Hash puts together while carrying out digging mine, that is, finds a suitable random number non and make the cryptographic Hash of block small
In target value:
H (non | | Pre_hash | | tx | | tx | | ... | | tx) < target
If digging mine success, new block is generated.
The validity of other users verifying new block in step S303.P2P network.Current block is blkn, miner tests
Whether the cryptographic Hash of card new block meets condition, i.e. verifying H (non | | Pre_hash | | tx | | tx | | ... | | tx) < target
It is whether true to accept or reject the block.
Step S304. repeats step S301-S303 when miner 20 needs to generate block.
Step S400. tracking authority 40 tracks the requestee of malice:
Step S401. malice requestee tracking.When system needs are tracked malice requestee, tracking authority can be with
The public key and long-term public key of malice requestee are tracked according to the private key of oneself and tracking label, tracking authority is after tracking
Generating tracking proves.
The public key of step S401-1. track requestee, tracking authority is according to private key ω, ciphertext CT=(ct1, ct2) calculate
P=ct1/ct2ω-1, search and meet p=h3 γIndex γ ∈ [1, n], obtain a public key of γ corresponding account;Meanwhile it tracking
Authority calls signatures of Knowledge algorithm calculation knowledge signatureAs prove ψ ',
Prove index value of the public key of the really requestee of γ in payer account's set.
The long-term public key of step S401-2. Tracking Payments people, tracking authority track label according to private key ω and long-term public key
It calculatesB ' is the long-term public key of corresponding requestee, and y is the public key of requestee, while calling knowledge label
Name algorithm generates signatures of KnowledgeAs proof ψ, it was demonstrated that B ' is correctly beaten by oneself
It opens.
Step S402. malice requestee tracks verifying: any entity in system can verify the effective of tracking proof
Property.Any entity can call signatures of Knowledge verification algorithm to verify Verf (B ', (z, y, ct), ψ)=1 and Verf in system
(γ, (z, ct1, ct2), ψ)=1 whether true, if so, illustrate that ψ and ψ are efficiently generated.
Step S403. repeats step S401-S402 when tracking authority 40 needs to track malice requestee.
The practicability of method for tracing in order to better illustrate the present invention, the present invention to key step carried out efficiency analysis and
Emulation testing.
Experimental situation: the hardware test platform of this test is: Inter (R) Core (TM) i7-7700CPU, dominant frequency
3.6Ghz, memory 16.0GB;Software platform are as follows: Windows10 operating system (64), 2010 compiler of Visual Studio
And Matlab2014a.All programs call Miracl cryptographic libraries to realize big integer operation and elliptic curve group using C++.?
When test, we use asymmetric double linear group e:G1×G2→GT, and using Tate to realizing, in order to meet safety,
In test, crowd G is taken1With group G2Rank it is identical, and be all the Big prime of 1024 bits, for each group of test code, be carried out
100 times, and take its average operating time as test result.This method has mainly carried out efficiency test to following three aspects.
It generates trading card (step 200) and verifies the key step that trading card (step 301) is digital coin systems, to friendship
Signature (the step 204) of Yi Dan is the most time-consuming part generated in trading card.Therefore, in this method for trading card generate and
Trading card verifying tests the time loss difference that step is corresponded in the two steps and 2.0 agreement of RingCT respectively
(RingCT2.0 agreement is equally based on sieve coin, identical as some steps in this method, but traceability is not implemented).Due to this
Increase currency tracking function in method, therefore compared to 2.0 agreement of RingCT, the trading card in this method generates and transaction
Single verification step increases the time overhead of a part, but increased amount very little, does not influence man-machine interaction experience, specific test knot
Fruit such as Fig. 4, abscissa are the number that requestee inputs account, and ordinate is time (millisecond), from fig. 4 it can be seen that trading card
Generate and trading card verify two step increased times be all it is constant, respectively may be about 0.70 millisecond and 1.07 milliseconds, user
It is not felt by interactive difference;This is consistent with theoretical analysis result, verifies the two steps with trading card because generating in trading card
In, relative to RingCT2.0, this method increases the calculating of tracking label, and tracks calculating and of input account of label
Number is unrelated, only related with the input index value of account.
Secondly, this method tests the efficiency of verifying trading card (step 301), because verifying trading card can be by P2P network
In miner be performed a plurality of times, therefore, the time overhead for verifying trading card directly affects the execution efficiency of this method, and test result is such as
Shown in Fig. 5, horizontal axis indicate input account number, the longitudinal axis indicate time (second), time overhead with input account increase and
Increase.This is consistent with analysis result, because influence of the combined account to the time is cumulatively added device and reduces, and inputs the number of account
It will affect the verifying in verifying trading card to knowledge proof, because of this time as the increase of input account linearly increases.
Again, the important creativeness of this method is the traceability of digital cash, and therefore, this method pays tracking authority's tracking
The time overhead of money people's (step 400) is tested.For tracking authority, identify a malice requestee long-term account and
The time overhead of one secondary account is about 6.331 milliseconds.
The above content is a further detailed description of the present invention in conjunction with specific preferred embodiments, and it cannot be said that
Specific implementation of the invention is only limited to these instructions.For those of ordinary skill in the art to which the present invention belongs, exist
Under the premise of not departing from present inventive concept, a number of simple deductions or replacements can also be made, all shall be regarded as belonging to of the invention
Protection scope.
Claims (10)
1. a kind of digital cash method for tracing based on door sieve coin, it is characterised in that: include the following steps:
Step S100. system is established, and system parameter is generated: selection security parameter λ, generates the open parameter pp and tracking power of system
The public key (ω, z) of prestige;For each user in the system of addition, system distributes long term keys for it;
Step S200. generates trading card:
It is assumed that requestee has one group of Send only Account in a trading card, total m Send only Account, while in order to protect requestee hidden
Private needs requestee to pull in the combined account (mixins) of other n-1 groups to cover true payer account, generates payment account
Family matrix (n × m dimension);It is assumed that collecting account shares t, for Send only Account: setting A indicates that n user inputs the collection of account
It closes, really pay the bill artificial s-th of user, and Send only Account collection is combined into As, private key corresponding to Send only Account isFor exporting account: one group of output address is R=
{pkout,j}1≤j≤t, output account aggregation is AR;
Step S201. is according to the long-term public key of payee, and the artificial payee that pays the bill generates a public key y, and insertion length wherein
Phase public key tracks label ct;
Pay the bill artificial Send only Account of step S202. is coined, and requestee restores corresponding primary private according to oneself a public key pk
Key sk, and being coined according to a secondary key and amount of money a selects random number r to calculate and promises to undertake c, coined (cn, ck)=(c, (r,
A)), setting Send only Account is act=(pk, cn), and corresponding private key is ask=(sk, cn);
Wherein, cn indicates that the corresponding digital cash of amount of money a, (pk, sk) indicate the key pair of requestee;
Step S203. requestee generates output account, and coins for output account;The amount of money in input and output account is proved simultaneously
It is equal;
Step S204. requestee generates a cost and proves, it was demonstrated that the correctness that this spends, and sign to the trading card, most
Generate transaction record (tx, π, S, CT) afterwards;
Wherein, S={ s1,s2,…,smIndicate account corresponding address sequence number, CT=(ct1,ct2) indicate the ciphertext indexed;
Step S300. block generates:
Step S301. miner verifies trading card;Miner randomly selects the trading card in P2P network, and verifies the validity of transaction;
Step S302. generates new block according to effective trading card, broadcasts the block to P2P network;
The validity of other users verifying new block in step S303.P2P network;
The requestee of step S400. tracking authority's tracking malice:
Step S401. malice requestee tracking, when system needs are tracked malice requestee, tracking authority is according to oneself
Private key and tracking label track the public key and long-term public key of malice requestee, tracking authority generates tracking after tracking
It proves;
Step S402. malice requestee tracks verifying: any entity in system can verify the validity that tracking proves.
2. a kind of digital cash method for tracing based on door sieve coin according to claim 1, it is characterised in that: the step
The specific steps of S100 are as follows:
Step S101: one security parameter λ of selection calls the parameter generation algorithm of unidirectional domain accumulator to generate the public ginseng of accumulator
Number desc=ACC.Gen (1λ), call the parameter generation algorithm of signatures of Knowledge to generate signatures of Knowledge common parameter par=
SoK.Gen(1λ).Wherein, unidirectional domain GqAccumulator algorithm include f=(ACC.Gen, ACC.Eval, ACC.Wit), knowledge label
Name algorithm includes Sok=(SoK.Gen, SoK.Sign, SoK.Verf);
Step S102: the Big prime q of one safety of selection, and generate using q as the cyclic group G of rankq, select random elementH is the Hash function of impact resistant, H: { 0,1 }*→Gq;
Step S103: system public parameter is
Step S104: private key ω ∈ G is generated for tracking authority is randomq, and the public key for calculating tracking authority is z=h0 ω;
Step S105: to the user of the system of addition, system is its automatic distribution public private key pair, meets (A '=h0 a′, B '=h0 b′);
Wherein, (A ', B ') is the long-term public key of user, is disclosed in systems, and identity user is used for;(a′, b′) it is the long-term of user
Private key.
3. a kind of digital cash method for tracing based on door sieve coin according to claim 1, it is characterised in that: the step
The specific steps of S201 are as follows:
Step S201-1: the artificial payee that pays the bill generates a public key, and the long-term public key that requestee searches payee is
(A ', B '), requestee select random number r ' ∈ Gq, calculate a key recovery parameter R '=h0 x′And cryptographic Hash h=H (A 'x′,
B '), the public key of the payee is y=B ' h0 h, payee is after gathering according to the long-term private of oneself (a ', b ') and close
Key restores parameter R ', calculates a account corresponding private key x=b '+H (R′a′,B′);
Step S201-2: the artificial account of paying the bill generates long-term public key tracking label, and requestee counts according to the public key z of tracking authority
Calculate long-term public key tracking label ct=zh, while generating the corresponding signatures of Knowledge of tracking label
4. the method for tracing and system of a kind of sieve coin according to claim 1, it is characterised in that: the step S202's
Specific steps are as follows:
Step S202-1: requestee is according to oneself long-term private and key recovery parameter, in the way of in step S201-1
Calculate the corresponding private key sk of a public key pk;
Step S202-2: requestee coins according to a public key pk and amount of money a, and requestee selects random number r to calculate promiseCoined (cn, ck)=(c, (r, a)), the secondary account of requestee are act=
(pk, cn), the private key of corresponding account are ask=(sk, ck);
Wherein, (pk, sk) indicates the key pair of requestee.
5. a kind of digital cash method for tracing based on door sieve coin according to claim 1, it is characterised in that: the step
The specific steps of S203 are as follows:
Step S203-1: requestee selects random element rout,j∈Zq(1≤j≤t), to output address pkout,j∈R(1≤j≤
T) output is calculated to coinRequestee will export account actout,j=
(pkout,j,cnout,j) set A is addedRIn, send currency key ckout,j=(rout,j,aout,j) give a public key for pkout,j's
Payee;
Step S203-2: spending more in order to prevent, and requestee needs to prove that input account is equal with output account amount of money, requestee's meter
Private key is spent more in calculationAnd spend more public key If the sums of money for inputting account is equal to output account
Sums of money, i.e.,ThenMeet
6. a kind of digital cash method for tracing based on door sieve coin according to claim 1, it is characterised in that: step S204
Specific steps are as follows:
Step S204-1. requestee calls accumulator algorithm, calculates accumulated valueAnd card
According toTo prove the public key in k-th of accountIndeed add up into vkIn;
The sequence number s of step S204-2. calculating Send only Accountk(1≤k≤m), according to the private key of accountThe sequence of calculation numberCarry out unique identification Send only Account;
Step S204-3. calculates a public key and tracks label C T, selects random numberIt is true according to the public key z encryption of tracking authority
Row number γ of the requestee in Send only Account matrix, obtains ciphertext CT=(ct1,ct2);
Wherein,
Step S204-4. requestee generates the signatures of Knowledge π about trading card tx as follows;
Step S204-5. requestee exports one group of transaction record (tx, π, S, CT), wherein S={ s1,s2,…,smIndicate account
The sequence number of corresponding address, CT=(ct1,ct2) indicate that a public key tracks label.
7. a kind of digital cash method for tracing based on door sieve coin according to claim 1, it is characterised in that: step S301
Specific steps are as follows:
Step S301-1: miner is according to input accountInput account AR=
{(pkout,j,cnout,j)}1≤j≤t,It is calculated with the ciphertext CT of trading card tx
Step S301-2: miner is according to accumulated value (v1,…,vm+1), sequence number S, trading card tx and prove π verifying Verf (tx,
ct1,ct2,(v1,…,vm+1,s1,…,sm), π)=1 whether true.
8. a kind of digital cash method for tracing based on door sieve coin according to claim 1, it is characterised in that: step S302
Specific steps are as follows: the effective trading card of miner { tx }, according to these trading cards generate Merkle Hash tree, by Merkle Hash
The root Root of tree and the cryptographic Hash Pre_Hash of previous block put together carries out digging mine simultaneously, that is, find one suitably with
Machine number non makes the cryptographic Hash of block be less than target value:
H(non||Pre_hash||tx||tx||…||tx)<target
If digging mine success, new block is generated.
9. a kind of digital cash method for tracing based on door sieve coin according to claim 8, it is characterised in that: step S303
Specific steps are as follows: current block blkn, miner verify new block cryptographic Hash whether meet condition, i.e., verifying H (non | |
Pre_hash | | tx | | tx | | ... | | tx) whether < target true to accept or reject the block.
10. a kind of digital cash method for tracing based on door sieve coin according to claim 1, it is characterised in that: step
The specific steps of public key of malice requestee are tracked in S401 are as follows: the public key of Tracking Payments people, tracking authority is according to private
Key ω, ciphertext CT=(ct1,ct2) calculateLookup meets p=h3 γIndex γ ∈ [1, n], obtain γ
Public key of corresponding account;Meanwhile it tracking authority and calling signatures of Knowledge algorithm calculation knowledge signatureAs proof ψ ', it was demonstrated that the public key of the really requestee of γ is being paid
Index value in money people's account aggregation;
The specific steps of the long-term public key of malice requestee are tracked in step S401 are as follows: the long-term public key of Tracking Payments people, tracking power
Wigan calculates B '=y/ct ' according to private key ω and long-term public key tracking labelω-1, B ' is the long-term public key of corresponding requestee, and y is to pay
The public key of money people, while signatures of Knowledge algorithm being called to generate signatures of Knowledge
As proof ψ, it was demonstrated that B ' is correctly opened by oneself.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910223291.3A CN110009318A (en) | 2019-03-22 | 2019-03-22 | A kind of digital cash method for tracing based on door sieve coin |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910223291.3A CN110009318A (en) | 2019-03-22 | 2019-03-22 | A kind of digital cash method for tracing based on door sieve coin |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110009318A true CN110009318A (en) | 2019-07-12 |
Family
ID=67167884
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910223291.3A Pending CN110009318A (en) | 2019-03-22 | 2019-03-22 | A kind of digital cash method for tracing based on door sieve coin |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110009318A (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110378697A (en) * | 2019-07-22 | 2019-10-25 | 南京信息工程大学 | A kind of light node UTXO transaction verification method of block chain based on RSA accumulator and its device |
| CN111144862A (en) * | 2019-12-31 | 2020-05-12 | 深圳四方精创资讯股份有限公司 | Method, device, equipment and storage medium for realizing digital currency double-off-line payment |
| CN111555865A (en) * | 2020-04-03 | 2020-08-18 | 深圳华数云计算技术有限公司 | Method, system and storage medium for multi-terminal common management of digital currency |
| CN112418834A (en) * | 2020-10-21 | 2021-02-26 | 西安电子科技大学 | Safe mixed currency processing method and system compatible with bit currency and supporting down-link transaction |
| WO2021046668A1 (en) * | 2019-09-09 | 2021-03-18 | 深圳市网心科技有限公司 | Blockchain system, information transmission method, system and apparatus, and computer medium |
| CN112990928A (en) * | 2021-05-10 | 2021-06-18 | 南开大学 | Monitorable anonymous legal digital currency issuing and circulating method |
| CN113269649A (en) * | 2021-06-16 | 2021-08-17 | 上海势炎信息科技有限公司 | System and method for tracking digital currency |
| CN115021946A (en) * | 2022-08-09 | 2022-09-06 | 西南石油大学 | Method for removing centralized mixed coins based on ring signature |
| CN115277000A (en) * | 2022-06-17 | 2022-11-01 | 湖南天河国云科技有限公司 | Information transmission method based on menuo currency |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107358440A (en) * | 2017-06-26 | 2017-11-17 | 中国人民银行数字货币研究所 | The method and system of digital cash customization tracking |
| US20180089655A1 (en) * | 2016-09-27 | 2018-03-29 | The Toronto-Dominion Bank | Real time virtual draft system and method |
| CN108764874A (en) * | 2018-05-17 | 2018-11-06 | 深圳前海微众银行股份有限公司 | Anonymous refund method, system and storage medium based on block chain |
-
2019
- 2019-03-22 CN CN201910223291.3A patent/CN110009318A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20180089655A1 (en) * | 2016-09-27 | 2018-03-29 | The Toronto-Dominion Bank | Real time virtual draft system and method |
| CN107358440A (en) * | 2017-06-26 | 2017-11-17 | 中国人民银行数字货币研究所 | The method and system of digital cash customization tracking |
| CN108764874A (en) * | 2018-05-17 | 2018-11-06 | 深圳前海微众银行股份有限公司 | Anonymous refund method, system and storage medium based on block chain |
Non-Patent Citations (1)
| Title |
|---|
| 秦波等: "比特币与法定数字货币", 《密码学报》 * |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110378697A (en) * | 2019-07-22 | 2019-10-25 | 南京信息工程大学 | A kind of light node UTXO transaction verification method of block chain based on RSA accumulator and its device |
| CN110378697B (en) * | 2019-07-22 | 2023-03-31 | 南京信息工程大学 | Block chain light node UTXO transaction verification method and device based on RSA accumulator |
| WO2021046668A1 (en) * | 2019-09-09 | 2021-03-18 | 深圳市网心科技有限公司 | Blockchain system, information transmission method, system and apparatus, and computer medium |
| CN112789824A (en) * | 2019-09-09 | 2021-05-11 | 深圳市网心科技有限公司 | Block chain system, information transmission method, system, device and computer medium |
| CN111144862B (en) * | 2019-12-31 | 2022-11-18 | 深圳四方精创资讯股份有限公司 | Method, device, equipment and storage medium for realizing digital currency double-off-line payment |
| CN111144862A (en) * | 2019-12-31 | 2020-05-12 | 深圳四方精创资讯股份有限公司 | Method, device, equipment and storage medium for realizing digital currency double-off-line payment |
| CN111555865A (en) * | 2020-04-03 | 2020-08-18 | 深圳华数云计算技术有限公司 | Method, system and storage medium for multi-terminal common management of digital currency |
| CN111555865B (en) * | 2020-04-03 | 2023-06-20 | 深圳华数云计算技术有限公司 | Method, system and storage medium for managing digital currency jointly by multiple terminals |
| CN112418834A (en) * | 2020-10-21 | 2021-02-26 | 西安电子科技大学 | Safe mixed currency processing method and system compatible with bit currency and supporting down-link transaction |
| CN112990928A (en) * | 2021-05-10 | 2021-06-18 | 南开大学 | Monitorable anonymous legal digital currency issuing and circulating method |
| CN113269649A (en) * | 2021-06-16 | 2021-08-17 | 上海势炎信息科技有限公司 | System and method for tracking digital currency |
| CN115277000A (en) * | 2022-06-17 | 2022-11-01 | 湖南天河国云科技有限公司 | Information transmission method based on menuo currency |
| CN115277000B (en) * | 2022-06-17 | 2023-08-25 | 湖南天河国云科技有限公司 | Information transmission method based on door coin |
| CN115021946A (en) * | 2022-08-09 | 2022-09-06 | 西南石油大学 | Method for removing centralized mixed coins based on ring signature |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110009318A (en) | A kind of digital cash method for tracing based on door sieve coin | |
| Peng et al. | Privacy preservation in permissionless blockchain: A survey | |
| Khalilov et al. | A survey on anonymity and privacy in bitcoin-like digital cash systems | |
| Dagher et al. | Provisions: Privacy-preserving proofs of solvency for bitcoin exchanges | |
| Miers et al. | Zerocoin: Anonymous distributed e-cash from bitcoin | |
| Ziegeldorf et al. | Coinparty: Secure multi-party mixing of bitcoins | |
| Möser et al. | An inquiry into money laundering tools in the Bitcoin ecosystem | |
| Möser | Anonymity of bitcoin transactions | |
| JP2022095918A (en) | Tokenizing method and system for executing exchange on block chain | |
| Bella et al. | Verifying the SET registration protocols | |
| Dyson et al. | The challenges of investigating cryptocurrencies and blockchain related crime | |
| Andola et al. | Anonymity on blockchain based e-cash protocols—A survey | |
| CN107533700A (en) | Verify electronic transaction | |
| Zhu et al. | Hybrid blockchain design for privacy preserving crowdsourcing platform | |
| CN109919619A (en) | Privacy of identities guard method in a kind of transaction of block chain | |
| CN108876669A (en) | Course notarization system and method applied to multi-platform shared education resources | |
| US20220253813A1 (en) | Cryptographicaly secured hybrid (on and off blockchain) cryptocurrency system | |
| Chan et al. | Simple and scalable blockchain with privacy | |
| Dold | The GNU Taler system: practical and provably secure electronic payments | |
| Galal et al. | Aegis: Privacy-preserving market for non-fungible tokens | |
| Fabian et al. | Adoption of security and privacy measures in bitcoin–stated and actual behavior | |
| Abadi et al. | Payment with Dispute Resolution: A Protocol for Reimbursing Frauds Victims | |
| Abadi et al. | Earn while you reveal: private set intersection that rewards participants | |
| Fuchsbauer et al. | Non-interactive mimblewimble transactions, revisited | |
| Quesnelle | An analysis of anonymity in the zcash cryptocurrency |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190712 |