CN110728576A - Decentralized anonymous data transaction method based on zero knowledge proof - Google Patents

Info

Publication number: CN110728576A
Authority: CN (China)
Prior art keywords: data, seller, transaction, buyer, coin
Legal status: Pending (Google's assumption, not a legal conclusion)
Application number: CN201910766253.2A
Other languages: Chinese (zh)
Inventors: 欧嵬, 罗恩韬, 邓铭巍
Current assignee: Hunan University of Science and Engineering
Original assignee: Hunan University of Science and Engineering

Classifications

    • G06Q 40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange (under G06Q 40/00 Finance; Insurance; Tax strategies; G06Q ICT specially adapted for administrative, commercial, financial, managerial or supervisory purposes; G06 Computing; Calculating or counting; G Physics)
    • H04L 12/1804 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast, for stock exchange and similar applications (under H04L 12/18, 12/16, 12/02 and 12/00 Data switching networks; H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity)
    • H04L 9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates (under H04L 9/0819 Key transport or distribution; 9/0816 Key establishment; 9/08 Key distribution or management; 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)

Abstract

The invention discloses a decentralized anonymous data transaction method based on zero-knowledge proofs. It ensures the authenticity of data by setting up super nodes, then establishes transaction anonymity on top of zero-knowledge proofs (zk-SNARKs) and the DAP scheme of Zerocash, and deploys smart contracts to protect the interests of both buyer and seller. The technical effect is that data sellers and data buyers can transact in a decentralized and anonymous way: a transaction is completed by the seller sending one message and the buyer deploying one smart contract, which is simple and convenient for both parties. The DAP scheme provides the anonymity of the transaction, and experiments show that the scheme performs almost the same as Zerocash, which means it is practical for data transactions.

Description

Decentralized anonymous data transaction method based on zero knowledge proof
Technical Field
The invention relates to blockchain technology, in particular to a decentralized anonymous data transaction method based on zero-knowledge proofs.
Background
Blockchain is a technology first proposed by Bitcoin. It describes a distributed ledger that needs no third party: once data is confirmed in such a ledger, it is not easily tampered with. This is achieved by a consensus mechanism called proof of work (PoW). PoW describes a secure accounting system that solves the Byzantine agreement problem by introducing computational competition among distributed nodes, which ensures consistency of the data and of the ledger. In short, the single node that wins the competition obtains the network-wide right to record; the block it assembles, containing all the transactions it collected together with their timestamps, is then accepted by all nodes and appended to each node's copy of the chain, and this is what prevents double spending.
There are many projects that currently combine the Internet of Vehicles (IoV) and blockchain, such as smartcarachain and unblock. These projects look to blockchain and its distributed nature to give ownership of data back to the data provider, which typically means that the data owner is free to control the collected data. The more data a user collects, the more valuable it becomes, which in turn gives the user an incentive to collect more data, creating a virtuous circle. Many industries require user-provided usage data to support product development, service provisioning and so on, and vendors and service providers are interested in this data because analysing it lets them build better and more targeted products and services and earn more profit. This need for data makes data transactions very important. Carblock proposes a data transaction mode through a smart contract, eliminating the participation of a third party. However, that approach requires the buyer to deploy two smart contracts, one to validate the data and one for the transaction, which may be inconvenient for the buyer.
Beyond this, anonymity is a property of great interest to users. In 2014, Zerocash (the scheme behind Zcash) proposed, on the basis of Bitcoin, a new scheme for anonymous payments in blockchain systems using zero-knowledge proofs; it achieves very strong payment anonymity. However, no research has yet appeared on anonymous transactions in the IoV.
Disclosure of Invention
In order to overcome the technical problems that conventional data transactions are inconvenient and that information cannot be provided anonymously, the invention provides a decentralized anonymous data transaction method based on zero-knowledge proofs that makes data transactions convenient and lets information be provided anonymously.
To achieve this, the technical scheme of the invention is as follows.
A decentralized anonymous data transaction method based on zero-knowledge proofs comprises the following steps:
Step 1, information sending: the buyer of the data is a node in the blockchain system and buys the data of a seller who is also a node in the blockchain system, the data being encrypted under a data encryption public key. When the buyer wants to buy the data, the buyer first receives from the seller the verification information used to check the authenticity of the data together with a hash of the data decryption private key; the buyer then checks the verification information against the blockchain system. If the check passes, the next step is executed, otherwise the transaction is stopped;
Step 2, anonymous payment: the buyer mints a new digital coin A by depositing a corresponding amount of digital currency in escrow; minting generates the secret values needed to spend the coin. The buyer then mints another digital coin B bound to the address public key of the seller, transfers the value of coin A to coin B, and finally broadcasts the conversion of value;
Step 3, smart contract: the buyer first encrypts the secret value of coin B under the seller's encryption public key to obtain a ciphertext of the secret value, and then uses the hash of the data decryption private key obtained in step 1 to create the following smart contract: if the seller provides the data decryption private key itself (the preimage of the hash), the seller obtains the ciphertext of the secret value;
Step 4, completing the transaction: after obtaining the data decryption private key, the buyer decrypts the seller's data with it and sends the ciphertext of the secret value of coin B to the seller, so that the seller can spend coin B using the seller's address private key and encryption private key.
In step 1, the data is uploaded to a super node in the blockchain system for storage; when the super node receives the data it verifies the data's authenticity, and the data is stored only after verification succeeds.
In step 1, after the super nodes store the data they generate the dataID of the data, which serves as the verification information for checking authenticity. Every super node in the blockchain generates the dataID in the same way, so each super node produces the same dataID on receiving the same data; once generation is complete, the super nodes broadcast the dataID to the whole blockchain system so that it is added to the public ledger.
In step 1, the dataID is a hash of the corresponding data.
In step 1, the buyer checks the verification information through the blockchain system by checking whether the corresponding dataID exists in the public ledger.
The technical effect of the invention is that data sellers and data buyers gain decentralization and anonymity. Specifically, a data transaction is completed by the seller sending one message and the buyer deploying one smart contract, which is simple and convenient for both parties. In addition, the invention uses the DAP scheme to provide anonymity of transactions, and experiments show that the scheme performs almost the same as Zerocash, which means it is practical for data transactions.
The invention will be further explained with reference to the drawings.
Drawings
FIG. 1 is a schematic diagram of a super node;
FIG. 2 is a schematic diagram of a data transaction process;
FIG. 3 is a schematic diagram of an intelligent contract;
FIG. 4 is a graph of the performance of the GenerateID algorithm.
Detailed Description
This embodiment provides a decentralized anonymous data transaction scheme on the basis of a blockchain. A specific Internet of Vehicles example is described below, in which the data buyers are typically car companies and insurance companies, the sellers are car users, and the data are the various readings collected while the car is operating. Applied to the Internet of Vehicles, the system allows data buyers (e.g. insurance companies) to purchase data collected by the seller's vehicle sensors in a decentralized and anonymous manner. In particular, it achieves three goals: (1) the seller sends one message and the buyer deploys one smart contract to complete a reliable transaction; (2) no third-party institution participates in the transaction process; (3) the participants and the transaction information (including the transfer amount) are not visible to anyone except the transacting parties.
The scheme of this embodiment is an extension of Zerocash, a blockchain system supporting anonymous payment. Zerocash describes the following system. Each node may deposit base currency (e.g. bitcoins) into escrow to mint a new coin in Zerocash's distributed ledger, bound to the node's address public key. Minting produces secret values, and the coin can only be spent by someone who knows both the corresponding address private key and all of those secret values. To spend a coin, a node holding the address private key and the secret values broadcasts a transaction of the form "I destroy my old coin to mint two new coins", where one (or both) of the new coins is bound to a target address public key belonging to a receiver, and the total value of the two new coins equals the value of the old coin. In addition, to avoid extra channels and assumptions, the transaction carries a ciphertext of the new coin's secret values encrypted under the recipient's encryption public key; the recipient scans the local ledger and tries to decrypt each ciphertext with their encryption private key until they find their own transaction. They can then spend the received coin using their address private key and the decrypted secret values. The system achieves anonymity through zk-SNARKs, a cryptographic scheme that allows anyone to check the correctness of a statement in a short time.
This system can be applied to IoV data transactions: each buyer and seller joins by depositing digital currency into escrow, which achieves anonymity of the transaction. However, such a transaction is only a money transfer; it satisfies the seller's requirement but not the interests of both parties, i.e. the system does not guarantee that the buyer obtains the data they want. To solve this problem, this embodiment introduces the concept of a super node.
Super nodes are nodes operated by trusted third parties. They have all the functions of normal nodes, such as transaction broadcasting, transaction checking and consensus, and some additional ones.
Data checking and storage. The vehicle owner can upload data from the vehicle sensors to the super node through a network protocol interface. The data is encrypted under an encryption public key generated by the hardware, so the super node cannot read it. When the super nodes receive the data they verify its authenticity by checking that it came from the vehicle sensors, and store and compress it if verification succeeds. This makes the super nodes distributed servers whose data can be trusted.
Generating the dataID. After data checking and storage, each super node generates the dataID of the data and encrypts it, together with the address public key of the uploader, under the uploader's encryption public key (a different key pair from the one used for data encryption). The dataID is a hash of the corresponding data; since the procedure is the same on every super node, different super nodes generate the same dataID when they receive the same data. They can therefore reach agreement among all super nodes using the practical Byzantine fault tolerance mechanism [3]. The super nodes then broadcast the agreed dataID to the whole blockchain system so that consensus adds it to the public ledger. In this way, a buyer can verify the dataID, and thus the authenticity of the data, by simply checking the public ledger.
Data retrieval. Anyone in the system can obtain the encrypted data from a super node by its dataID, but only the holder of the data decryption private key can recover the original data. Note that this embodiment does not set up a private communication channel during the transaction (for example, the seller sending the data to the buyer directly), so no additional infrastructure is needed and eavesdropping by third parties is not a concern.
Through the super node (its main functions are shown in FIG. 1), the seller can upload data and the buyer can confirm its authenticity and obtain it. This is still not enough for an anonymous data transaction, because the data is encrypted under the seller's data encryption public key and the buyer must obtain the corresponding private key to read it.
So far, the embodiment has turned the currency-for-data problem into a currency-for-private-key problem. How can a currency-for-private-key trade be carried out on the blockchain? The embodiment finds a solution in the Hashed TimeLock Contract (HTLC) [4]. HTLC is a technique for cross-chain payments. The payer sets up a smart contract around a cryptographic puzzle (typically a SHA-256 hash value), and anyone who triggers the contract and solves the puzzle (i.e. provides a preimage of the hash value) receives the amount of money the payer deposited in escrow. The key point of an HTLC is to ensure that only the intended recipient knows the answer to the puzzle.
With the super node and the HTLC, the embodiment can finally extend the Zerocash system to anonymous data transactions. The main steps of a data transaction are given below.
Step 1: sending information. If the buyer wants to purchase the seller's data, the seller first sends the buyer some information, which must include (1) the dataID and (2) a hash of the data decryption private key. The buyer checks the dataID against the public ledger; if it exists there, the buyer is assured of the data's authenticity. The buyer still cannot read the data, because it is encrypted and the buyer does not know the decryption key. The hash value is what the buyer needs in order to deploy the smart contract after the old and new coins have been transferred.
Step 2: anonymous payment. The buyer now deposits a corresponding amount of digital currency in escrow to mint coin A. The buyer then mints another coin B bound to the recipient's address public key and transfers the value of coin A to coin B. Here the embodiment modifies the original Zerocash scheme: the conversion of value from A to B is broadcast, but the ciphertext of coin B's secret values is not.
Step 3: smart contract. At this point the seller cannot yet spend coin B, because he does not know its secret values, and the buyer cannot read the data, because he does not know the data decryption private key. So the buyer first encrypts the secret values of coin B under the recipient's encryption public key, then uses the hash obtained in step 1 to create a hash-lock smart contract: whoever provides the preimage of the hash value, i.e. the data decryption private key, receives the ciphertext of the secret values.
This is an overview of the construction, shown in FIG. 2. Once the smart contract is triggered and completed, the buyer obtains the private key and decrypts the data, and the seller obtains the secret values and can spend the coin. The data transaction is thereby completed.
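The four steps above, as an added worked example that is not part of the patent (Python, stand-in cryptography): the super nodes derive the dataID as a hash of the stored ciphertext, the buyer's contract is a hash lock on H(data key), and the seller's claim releases the encrypted coin secret. Everything in it is this example's own construction: the symmetric keystream that stands in for the page's public-key encryption, the HMAC that stands in for the unspecified sensor-origin check, the telemetry string, and the names Ledger, SuperNode and HashLockContract.

```python
"""Walk-through of the four-step data transaction with stand-in cryptography.
Constructed example, not code from the patent. Assumptions: data encryption is a
symmetric SHA-256 counter keystream standing in for the page's public-key encryption;
sensor origin is checked with an HMAC under a per-vehicle key (the page does not say
how the super node checks origin); Ledger, SuperNode, HashLockContract are invented."""
import hashlib
import hmac
import os


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def seal(key: bytes, msg: bytes) -> bytes:
    """XOR msg with SHA-256(key || counter) blocks; applying seal twice decrypts."""
    out = bytearray()
    for i in range(0, len(msg), 32):
        out += bytes(a ^ b for a, b in zip(msg[i:i + 32], sha256(key, i.to_bytes(4, "big"))))
    return bytes(out)


class Ledger:
    """Public ledger: agreed dataIDs, deployed contracts, broadcast value transfers."""
    def __init__(self):
        self.data_ids, self.contracts, self.pours = set(), [], []


class SuperNode:
    """Checks that data came from a registered sensor, stores it, derives the dataID."""
    def __init__(self, sensor_keys):
        self.sensor_keys, self.store = sensor_keys,{}

    def upload(self, vehicle_id, ciphertext, tag):
        expected = hmac.new(self.sensor_keys[vehicle_id], ciphertext, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("rejected: data not from a registered sensor")
        data_id = sha256(ciphertext)  # hash of the stored data, identical on every node
        self.store[data_id] = ciphertext
        return data_id


class HashLockContract:
    """Buyer's contract: whoever posts the preimage of `lock` receives `payload`."""
    def __init__(self, lock, payload):
        self.lock, self.payload, self.revealed = lock, payload, None

    def claim(self, preimage):
        if sha256(preimage) != self.lock:
            raise ValueError("wrong preimage; nothing released")
        self.revealed = preimage  # on a real chain the preimage is now public
        return self.payload


def run_transaction(sensor_data=b"constructed telemetry: speed=83 brake=0"):
    ledger, sensor_key = Ledger(), os.urandom(32)
    nodes = [SuperNode({"car-1": sensor_key}) for _ in range(2)]
    # Seller encrypts the sensor data and uploads it; both super nodes derive the id.
    data_key = os.urandom(32)
    ct = seal(data_key, sensor_data)
    tag = hmac.new(sensor_key, ct, "sha256").digest()
    ids = {node.upload("car-1", ct, tag) for node in nodes}
    if len(ids) != 1:
        raise RuntimeError("super nodes disagree on the dataID")
    data_id = ids.pop()
    ledger.data_ids.add(data_id)
    # Step 1: seller sends (dataID, H(data_key)); buyer checks the id in the ledger.
    key_hash = sha256(data_key)
    if data_id not in ledger.data_ids:
        return {"completed": False}
    # Step 2: coin A is minted and poured into coin B bound to the seller; only the
    # value conversion is broadcast, the ciphertext of B's secret is withheld.
    coin_b_secret = os.urandom(32)
    ledger.pours.append({"value": 10, "secret_ciphertext": None})
    # Step 3: buyer encrypts B's secret under the seller's encryption key and deploys
    # a hash-lock contract keyed on H(data_key).
    seller_enc_key = os.urandom(32)
    contract = HashLockContract(key_hash, seal(seller_enc_key, coin_b_secret))
    ledger.contracts.append(contract)
    # Step 4: seller reveals data_key and recovers B's secret; buyer reads the revealed
    # key from the contract and decrypts the ciphertext fetched from a super node.
    seller_secret = seal(seller_enc_key, contract.claim(data_key))
    buyer_plaintext = seal(contract.revealed, nodes[1].store[data_id])
    # The preimage is public and the ciphertext is retrievable by anyone, so a
    # bystander can decrypt the data as well.
    bystander_plaintext = seal(ledger.contracts[0].revealed, nodes[0].store[data_id])
    return {
        "completed": True,
        "seller_got_secret": seller_secret == coin_b_secret,
        "buyer_plaintext": buyer_plaintext,
        "bystander_plaintext": bystander_plaintext,
    }
```

run_transaction() returns the outcome of one trade; HashLockContract.claim rejects a wrong preimage, SuperNode.upload rejects data with a bad origin tag, and a dataID missing from the ledger aborts before any payment. The bystander_plaintext field shows a consequence of the design as the text describes it: the preimage posted to trigger the contract is the data decryption key itself and sits on the public ledger, while the ciphertext is retrievable from any super node by its dataID, so after settlement anyone, not only the buyer, can decrypt that data set.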
The following presents the technical background for this embodiment, which uses zero-knowledge proofs (zk-SNARKs) as its main cryptographic technique for anonymous data transactions. zk-SNARKs have three components:
Arithmetic circuit
An arithmetic circuit consists of wires carrying field values and bilinear gates that perform only addition and multiplication. Given a finite field [formula image], an arithmetic circuit over that field accepts only field elements as inputs, and the output of each gate is also a field element. For a public input x and an auxiliary input a, satisfiability is defined, by analogy with Boolean satisfiability, as follows.
Definition 2.1 (circuit satisfaction problem). For a circuit C [formula image], the relation defined by its bilinear gates is [formula image], and its language is [formula image].
Note that a is the value whose knowledge the zk-SNARK proves in this embodiment; it is called the witness.
Quadratic arithmetic programs
zk-SNARKs use quadratic arithmetic programs (QAPs) [7] to convert any arithmetic circuit into a corresponding set of polynomials. The main idea of a QAP is to convert the circuit into three sets of basic polynomials and a target polynomial such that, for suitable coefficients, a polynomial built from the three sets is exactly divisible by the target polynomial. The formal definition of QAPs follows.
Definition 2.2. A quadratic arithmetic program of size m and degree d over the field [formula image] is a quadruple [formula image], where [formula image] are three vectors, each of $m+1$ polynomials over the field, and the degree of the target polynomial is exactly d.
As mentioned above, QAPs pose a satisfaction problem:
Definition 2.3. The satisfaction problem of a QAP of size m over the field [formula image] is the set of pairs $(x, s)$ [formula image] such that (1) [formula image] and $n \le m$; (2) $x_i = s_i$ for $i \in [n]$ (x is a prefix of s); (3) the target polynomial divides the following polynomial: [formula image]. In this embodiment [formula image] refers to the language of [formula image].
So far the embodiment has defined arithmetic circuits and QAPs. Since a QAP is the result of encoding an arithmetic circuit, Definitions 2.1, 2.2 and 2.3 can be combined into a complete definition of QAPs.
Definition 2.4. A QAP Q over the field [formula image] consists of three sets of $m+1$ polynomials [formula image], $k \in \{0, \dots, m\}$, and a target polynomial $t(x)$. Let F be a function that takes N field elements as input and produces $N'$ field elements as output, so that inputs and outputs together number $N + N'$. Q computes F if [formula image] is a valid assignment of F's inputs and outputs if and only if there exist coefficients $(s_{N+1}, \dots, s_m)$ such that $t(x)$ divides $p(x)$: [formula image].
In other words, there must exist a polynomial $h(x)$ such that $p(x) = h(x) \cdot t(x)$. The size of Q is m and the degree of Q is the degree of $t(x)$.
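Definition 2.4 in working form, as an added example that is not part of the patent: the code builds the three polynomial sets and the target polynomial t(x) from a rank-1 constraint system, then checks whether t(x) divides p(x) for a given assignment, which is the circuit-to-QAP encoding the text describes. The field modulus, the toy circuit, the R1CS form of its gates and all function names are this example's own assumptions.

```python
"""R1CS -> QAP conversion and the divisibility check of Definition 2.4.
Constructed example, not code from the patent. The field modulus P, the toy
circuit (x^3 + x + 5 = out with 'one' and 'out' public, x and the v_i private)
and every function name are this demo's own choices. Polynomials are coefficient
lists, lowest degree first, over GF(P)."""
P = (1 << 61) - 1   # Mersenne prime, assumed field


def _trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return _trim([(x + y) % P for x, y in zip(a, b)])


def poly_sub(a, b):
    return poly_add(a, [(-y) % P for y in b])


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return _trim(out)


def poly_scale(a, c):
    return _trim([(x * c) % P for x in a])


def poly_divmod(num, den):
    """Long division over GF(P); returns (quotient, remainder)."""
    rem, den = _trim(list(num)), _trim(list(den))
    q, inv_lead = [0] * max(1, len(rem) - len(den) + 1), pow(den[-1], P - 2, P)
    while len(rem) >= len(den) and any(rem):
        shift, coef = len(rem) - len(den), rem[-1] * inv_lead % P
        q[shift] = coef
        for i, d in enumerate(den):
            rem[i + shift] = (rem[i + shift] - coef * d) % P
        rem = _trim(rem)
    return _trim(q), rem


def lagrange(points):
    """The unique polynomial of degree < len(points) through the (x, y) pairs."""
    result = [0]
    for i, (xi, yi) in enumerate(points):
        num, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = poly_mul(num, [(-xj) % P, 1]), den * (xi - xj) % P
        result = poly_add(result, poly_scale(num, yi * pow(den, P - 2, P) % P))
    return result


def r1cs_to_qap(constraints):
    """constraints: list of (a, b, c) with <a,s> * <b,s> = <c,s>. Returns (A, B, C, t):
    A[k], B[k], C[k] interpolate column k at x = 1..d, and t(x) = prod (x - i)."""
    d, m = len(constraints), len(constraints[0][0])
    xs = list(range(1, d + 1))

    def col(which, k):
        return lagrange([(x, constraints[i][which][k] % P) for i, x in enumerate(xs)])

    A, B, C = ([col(w, k) for k in range(m)] for w in range(3))
    t = [1]
    for x in xs:
        t = poly_mul(t, [(-x) % P, 1])
    return A, B, C, t


def combine(polys, s):
    acc = [0]
    for pk, sk in zip(polys, s):
        acc = poly_add(acc, poly_scale(pk, sk % P))
    return acc


def qap_divides(qap, s):
    """(t | p, h) for p(x) = A(x)B(x) - C(x) under assignment s; h = p / t when it divides."""
    A, B, C, t = qap
    p = poly_sub(poly_mul(combine(A, s), combine(B, s)), combine(C, s))
    h, rem = poly_divmod(p, t)
    return rem == [0], h


def qap_satisfied(qap, x_pub, s):
    """Definition 2.3: s must extend the public input x (x_i = s_i) and t must divide p."""
    return list(x_pub) == list(s[:len(x_pub)]) and qap_divides(qap, s)[0]


# Toy circuit over s = (one, out, x, v1, v2, v3): v1 = x*x, v2 = v1*x, v3 = v2 + x,
# out = v3 + 5; the two additions are written as multiplications by 'one'.
CIRCUIT = [
    ([0, 0, 1, 0, 0, 0], [0, 0, 1, 0, 0, 0], [0, 0, 0, 1, 0, 0]),
    ([0, 0, 0, 1, 0, 0], [0, 0, 1, 0, 0, 0], [0, 0, 0, 0, 1, 0]),
    ([0, 0, 1, 0, 1, 0], [1, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 1]),
    ([5, 0, 0, 0, 0, 1], [1, 0, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0]),
]
QAP = r1cs_to_qap(CIRCUIT)
WITNESS = [1, 35, 3, 9, 27, 30]   # x = 3 satisfies x^3 + x + 5 = 35
```

qap_divides answers the divisibility question alone; qap_satisfied adds condition (2) of Definition 2.3, that the assignment must extend the public input. The difference matters: the all-zero assignment makes every gate equation 0 · 0 = 0 and so passes the divisibility test, and only fixing the public prefix (one = 1, out = 35) turns the check into evidence that a secret x with x³ + x + 5 = 35 was known.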
Verifiable Computation (VC)
Verifiable computation (VC) [8] for an arithmetic circuit C over the field [formula image] lets a prover generate non-interactive proofs using public parameters produced by the VC scheme, and lets anyone verify those proofs using another public parameter. Verification takes only a short time. Specifically, VC consists of three polynomial-time algorithms, KeyGen(), Compute() and Verify(), defined as follows.
• $(EK_F, VK_F) \leftarrow \mathrm{KeyGen}(F, 1^\lambda)$: the key generation algorithm takes the function F (the arithmetic circuit C over the field) and a security parameter $\lambda$ as inputs and outputs a public evaluation key $EK_F$ and a public verification key $VK_F$.
• $(y, \pi) \leftarrow \mathrm{Compute}(EK_F, x)$: the proof computation algorithm takes the evaluation key $EK_F$ and the input x and outputs $y \leftarrow F(x)$ together with a non-interactive proof $\pi$ of the correctness of y.
• $b \leftarrow \mathrm{Verify}(VK_F, x, \pi, y)$: the verification algorithm takes the verification key $VK_F$, x, $\pi$ and y as inputs and outputs $b = 1$ if $y = F(x)$.
These three algorithms are the main parts of a VC scheme. Note that the system as defined so far is not in fact publicly verifiable: the verification key $VK_F$ has to be kept by a designated verifier, otherwise the scheme is vulnerable. To avoid this problem the embodiment introduces zero-knowledge verifiable computation, which requires that the verifier learns only the output of the computation and not the prover's input. Specifically, the proof computation algorithm Compute() and the verification algorithm Verify() are changed as follows.
• $\pi \leftarrow \mathrm{Compute}(EK_F, x, a)$: takes the evaluation key $EK_F$ and a pair (x, a) in the relation of Definition 2.1 as input and outputs a non-interactive proof $\pi$ of the statement that x is in the language of that relation.
• $1 \leftarrow \mathrm{Verify}(VK_F, x, \pi)$: takes the verification key $VK_F$, x and the proof $\pi$ as inputs and outputs $b = 1$ if x is in that language.
With this change, both the evaluation key $EK_F$ and the verification key $VK_F$ can be published in the system, allowing anyone to check a proof $\pi$. This is very suitable for a blockchain system, since every node can check a transaction and the chain can reach consensus on it. The scheme is also called a non-interactive zero-knowledge proof. From these definitions, the properties a zk-VC scheme should satisfy are as follows.
Correctness: for any function F and any input to F, an honest prover can always convince the verifier that it knows a witness a. That is, if $(EK_F, VK_F) \leftarrow \mathrm{KeyGen}(F, 1^\lambda)$ and $\pi \leftarrow \mathrm{Compute}(EK_F, x, a)$, then $1 \leftarrow \mathrm{Verify}(VK_F, x, \pi)$ always holds.
Security: for any function F and any probabilistic polynomial-time adversary, [formula image: the security condition is given only as images in the source].
Efficiency: KeyGen() is assumed to be a one-time operation whose cost is amortized over many computations, but Verify() must still be cheaper than computing F directly.
DAP
The payment scheme used here is the Decentralized Anonymous Payment (DAP) scheme proposed by Zerocash. As described earlier, it is an anonymous payment scheme. The DAP scheme consists of a tuple of polynomial-time algorithms: Setup, CreateAddress, Mint, Pour and Receive.
Setup: executed by a trusted third party. It takes a security parameter and outputs public parameters pp, which include the public parameters of the zk-SNARK.
CreateAddress: executed by a user of the system. Each user can generate at least one pair $(a_{pk}, a_{sk})$, where $a_{pk} = (addr_{pk}, pk_{enc})$ and $a_{sk} = (addr_{sk}, sk_{enc})$. Specifically, $addr_{sk}$ is a random number and $addr_{pk}$ is derived from it with a pseudo-random function PRF() [formula image]; these form the address key pair bound to the user. The encryption key pair $(pk_{enc}, sk_{enc})$ is generated with a key-private encryption scheme [9] and is used for encryption. Note that a user may generate any number of key pairs.
Mint: executed by the payer. It takes the public parameters pp, a value v and the destination address public key $addr_{pk}$ and outputs a coin c and a transaction $TX_{mint}$. The minting steps are: (i) the algorithm generates three random values $\rho, r, s$; (ii) it computes $k := \mathrm{COMM}_r(addr_{pk} \| \rho)$ and $cm := \mathrm{COMM}_s(v \| k)$. COMM() is a statistically hiding non-interactive commitment scheme that satisfies verifiability: given $c := \mathrm{COMM}_r(s)$, anyone who knows r and s can verify that $\mathrm{COMM}_r(s)$ equals c.
(iii) The algorithm outputs the minting result: the coin $c = (addr_{pk}, v, \rho, r, s, cm)$ and the mint transaction $TX_{mint} = (v, k, s, cm)$. Anyone can check $cm = \mathrm{COMM}_s(v \| k)$ to verify that cm is a coin commitment of value v, but nobody can tell the coin's owner or its serial number sn, because they know neither the address key $addr_{pk}$ nor the secret value $\rho$. As mentioned before, $TX_{mint}$ can only be added to the public ledger if the payer deposits the correct amount of backing coins into escrow.
Pour: executed by the payer who spends an old coin. It transfers the value of a set of input (old) coins to a set of output (new) coins, with the total value of the old coins equal to the total value of the new coins. Suppose the payer holds the address key pair $(addr^{old}_{pk}, addr^{old}_{sk})$ and wants to pay a receiver. The payer mints two new coins $c^{new}_1$ and $c^{new}_2$, bound respectively to two address public keys $addr^{new}_{pk,1}$ and $addr^{new}_{pk,2}$, with values $v^{new}_1$ and $v^{new}_2$ (note that, to hide the actual transaction amount, one coin is bound to the recipient's address public key while the other may have value 0). The inputs are the public parameters pp, a Merkle tree root rt, the old coin $c^{old}$, the address private key $addr^{old}_{sk}$, a valid authentication path from $cm^{old}$ to the root rt, two values $v^{new}_1$ and $v^{new}_2$, two new address public keys $addr^{new}_{pk,1}$ and $addr^{new}_{pk,2}$, and a transaction information string. For each $i \in \{1, 2\}$ the algorithm performs the following steps: (1) it generates three random values $\rho_i, r_i, s_i$; (2) it computes $k_i := \mathrm{COMM}_{r_i}(addr^{new}_{pk,i} \| \rho_i)$ and $cm^{new}_i := \mathrm{COMM}_{s_i}(v^{new}_i \| k_i)$, as in Mint. The algorithm then computes a zk-SNARK proof for the following NP statement:
Given a Merkle root rt, a serial number $sn^{old}$ and coin commitments $cm^{new}_1, cm^{new}_2$, I know a coin $c^{old}$ and a secret key $addr^{old}_{sk}$ such that:
a. the coins are well formed: $cm^{old}$ is the commitment of $c^{old}$ computed as in Mint, and the same holds for $cm^{new}_1$ and $cm^{new}_2$;
b. the address private key matches the address public key: $addr^{old}_{pk}$ is derived from $addr^{old}_{sk}$ [formula image];
c. the serial number is computed correctly [formula image];
d. the coin commitment $cm^{old}$ appears as a leaf of the Merkle tree whose root is rt;
e. the values balance: $v^{old} = v^{new}_1 + v^{new}_2$.
After these operations the algorithm outputs a pour transaction $TX_{pour}$ [formula image], where $C_1$ is the ciphertext of the secret values of the first new coin under the recipient's $pk_{enc}$ ($C_2$ likewise), and the two new coins $c^{new}_1, c^{new}_2$. If the serial number $sn^{old}$ already appears in an earlier $TX_{pour}$, this $TX_{pour}$ is rejected by the ledger, which prevents double spending. Note that to spend a coin $c_i$ the payer must know: its value $v_i$, the three random numbers $\rho_i, r_i, s_i$, and the corresponding address private key $addr_{sk}$.
Receive. This algorithm is executed by the recipient. Given the public parameters pp, a recipient key pair (a_pk, a_sk) and the current public ledger, the algorithm scans the Pour transactions TX_pour in the ledger, finds and decrypts the ciphertexts C_i (using the recipient's sk_enc), and thereby obtains the secret values needed to spend the coin.
The anonymity of the DAP is mainly reflected in the Pour transaction: thanks to zk-SNARKs, the payer does not have to disclose the identities of either party, the transaction amount or the account balance in public. Furthermore, the payer cannot track where the coins he minted go after the value transfer, because he does not know the coin's serial number.
The following describes how to construct a decentralized and anonymous data transaction scenario using the DAP and smart contracts.
The terms used are first explained as follows:
The payer: the payer is a node in the blockchain. In this embodiment the payer represents the data buyer, i.e. the party that pays. For convenience the payer is sometimes referred to as "he".
The payee: the payee is a node in the blockchain. In this embodiment the payee represents the data seller, i.e. the party that receives the payment. For convenience the payee is sometimes referred to as "she".
dataID: the dataID is generated by the supernode. Specifically, the data are hashed and the hash is encrypted with the uploader's encryption public key.
ID: it contains the ciphertext of the dataID and the public key of the uploader's address.
Address: a user joins the system by generating an address key pair (addr_pk, addr_sk) and publishing the public key addr_pk in the system. The private key addr_sk is kept by the user in order to receive coins sent to him. A user may generate any number of address key pairs.
Coin: a coin c comprises a coin commitment cm, a value v, a serial number sn and a coin address addr_pk. cm is a string generated by a cryptographic function (see section 3.2) and is appended to the ledger when c is minted; v is the denomination of c, i.e. the amount of base coin (e.g. bitcoin); sn is a unique string bound to c to prevent double spending; addr_pk is the address public key of the coin owner, i.e. it states who owns c.
Ledger: the scheme of this embodiment is built on a digital currency system such as bitcoin, whose coin is referred to here as the base coin (basecoin). The distributed ledger L is an append-only sequence of transactions that cannot be deleted or modified. It contains base coin transactions and two new types of transactions.
λ: an adjustable security parameter used to generate the set of global public parameters pp.
Data encryption key: the pair (E_pk, E_sk), where E_pk is the data encryption public key used to encrypt the data and E_sk is the data encryption private key used to decrypt them.
Seller encryption key: a key pair generated by a key-private encryption scheme, consisting of the encryption public key pk_enc and the encryption private key sk_enc.
Hash: Hash denotes the hash function Hash256.
New transactions
Mint: a mint transaction TX_mint is a statement that a coin with coin commitment cm and value v was successfully minted. It contains the coin commitment cm, the coin value v and two values k and s, i.e. TX_mint := (cm, v, k, s).
Pour: a pour transaction TX_pour is a statement that an old coin is "destroyed", two new coins are minted, and the value of the old coin is transferred to the two new coins. It contains a Merkle tree root rt, the serial number sn_old of the old coin, two new coin commitments [not reproduced in the source], a proof that the transaction initiator owns the old coin, and a public value. Note that at least one of the two new coins is bound to the address public key of the payee, and the total value of the two new coins must equal that of the old coin: [formula not reproduced in the source].
Lists: for a given time T, there are three lists that are public knowledge in addition to the ledger:
· IDList_T: the list of all IDs generated by the supernodes.
· cmList_T: the list of all coin commitments appearing in Mint and Pour transactions in the ledger L_T.
· snList_T: the list of all coin serial numbers appearing in Pour transactions in the ledger L_T.
Note that the IDs contained in IDList_T must be agreed upon not only among the supernodes but across the entire blockchain system.
Merkle tree containing coin commitments and data IDs: for a given time T, Tree_T is the Merkle tree over cmList_T and rt_T is its root. In addition, Path_i denotes the valid authentication path of leaf_i with respect to rt_T.
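As an added illustration (not the patent's own code), the following Python models the two public ledger checks described above: anyone can verify a Mint by recomputing cm = COMM_s(v || k), and the ledger rejects a Pour whose sn_old already appears in snList_T. The commitment and serial-number functions are constructed SHA-256 stand-ins, the address key derivation is constructed, and the zk-SNARK proof carried by a real Pour is not modeled.

```python
import hashlib
from collections import namedtuple

# c = (addr_pk, v, rho, r, s, cm): the coin structure output by Mint on the page
Coin = namedtuple("Coin", "a_pk v rho r s cm")

def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over all parts, so concatenation is unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def COMM(trapdoor: bytes, *msg: bytes) -> bytes:
    """Constructed hash-based stand-in for the page's commitment COMM_trapdoor(msg)."""
    return H(b"COMM", trapdoor, *msg)

def new_coin(v: int, a_pk: bytes, rho: bytes, r: bytes, s: bytes) -> Coin:
    """k = COMM_r(a_pk || rho), cm = COMM_s(v || k); same construction for Mint and Pour outputs."""
    k = COMM(r, a_pk, rho)
    return Coin(a_pk, v, rho, r, s, COMM(s, v.to_bytes(8, "big"), k))

def mint(v: int, a_pk: bytes, rho: bytes, r: bytes, s: bytes):
    """Mint: the coin plus TX_mint = (v, k, s, cm); addr_pk and rho are not published."""
    c = new_coin(v, a_pk, rho, r, s)
    return c, {"v": v, "k": COMM(r, a_pk, rho), "s": s, "cm": c.cm}

def verify_mint(tx: dict) -> bool:
    """Public check cm = COMM_s(v || k); reveals neither the owner nor sn."""
    return tx["cm"] == COMM(tx["s"], tx["v"].to_bytes(8, "big"), tx["k"])

def serial_number(c: Coin, a_sk: bytes) -> bytes:
    """sn needs a_sk and rho, so third parties cannot link a commitment to its sn."""
    return H(b"PRF_sn", a_sk, c.rho)  # constructed stand-in for the serial-number PRF

class Ledger:
    """Append-only cmList / snList; the zk-SNARK proof carried by a Pour is not modeled."""
    def __init__(self) -> None:
        self.cm_list, self.sn_list = [], []
    def add_mint(self, tx: dict) -> bool:
        if not verify_mint(tx):
            return False
        self.cm_list.append(tx["cm"])
        return True
    def add_pour(self, sn_old: bytes, cm_new: tuple) -> bool:
        """Reject a TX_pour whose sn_old is already in snList (double spend)."""
        if sn_old in self.sn_list:
            return False
        self.sn_list.append(sn_old)
        self.cm_list.extend(cm_new)
        return True

def demo() -> dict:
    """Mint a coin, reject a tampered TX_mint, pour once, then refuse the replay."""
    a_sk = b"\x11" * 32
    a_pk = H(b"addr", a_sk)  # constructed address key derivation
    led = Ledger()
    coin, tx = mint(5, a_pk, b"\x01" * 32, b"\x02" * 32, b"\x03" * 32)
    ok_mint = led.add_mint(tx)
    bad_mint = led.add_mint(dict(tx, v=6))  # same cm, inflated value: rejected
    sn = serial_number(coin, a_sk)
    out1 = new_coin(3, b"\x22" * 32, b"\x04" * 32, b"\x05" * 32, b"\x06" * 32)  # to payee
    out2 = new_coin(2, a_pk, b"\x07" * 32, b"\x08" * 32, b"\x09" * 32)  # change to self
    first = led.add_pour(sn, (out1.cm, out2.cm))
    second = led.add_pour(sn, (out1.cm, out2.cm))  # replayed serial number: rejected
    return {"ok_mint": ok_mint, "bad_mint": bad_mint, "first": first,
            "second": second, "cm_count": len(led.cm_list)}
```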
The scheme of this embodiment is a tuple of polynomial-time algorithms (GenerateID, GetID, VerifyID, Setup, CreateAddress, Mint, Pour, VerifyTransaction, Receive) and a smart contract, summarized here.
· (dataID, C_pk) ← GenerateID(data, addr_pk, pk_enc): on input a data set, addr_pk and pk_enc, the algorithm hashes the data set and outputs dataID, the ciphertext of the hash encrypted under pk_enc, and C_pk, the ciphertext of addr_pk encrypted under pk_enc.
· (dataID) ← GetID(IDList_T, addr_pk, sk_enc): on input an IDList_T, an addr_pk and an sk_enc, the algorithm uses sk_enc to decrypt each C_pk in IDList_T and outputs the dataID corresponding to his addr_pk.
· (b1) ← VerifyID(dataID, IDList_T): on input a dataID and an IDList_T, the algorithm scans IDList_T; if dataID is present in IDList_T, it outputs b1 = 1.
· (pp) ← Setup(λ): on input the security parameter λ, the algorithm outputs the public parameters pp, which contain the public parameters of the zk-SNARK and some pseudo-random values.
· (addr_pk, addr_sk) ← CreateAddress(pp): on input the public parameters pp, the algorithm outputs an address key pair addr_pk, addr_sk.
· (c, TX_mint) ← Mint(pp, v, addr_pk): on input the public parameters pp, the value v and the target address public key addr_pk, the algorithm outputs a new coin c and a new mint transaction TX_mint.
· Pour [signature not reproduced in the source]: on input the public parameters pp, a Merkle tree root rt, an old coin c_old, an address private key [not reproduced], a valid authentication path from cm_old to the tree root rt, two values [not reproduced], two new address public keys [not reproduced] and some transaction information strings, the algorithm outputs two new coins and a pour transaction TX_pour.
· (b2) ← VerifyTransaction(pp, TX_mint/TX_pour, L_T): on input the public parameters pp, a TX_mint or TX_pour and the ledger L_T, the algorithm outputs b2 = 1 if the transaction is valid.
· (coinSet) ← Receive(pp, addr_pk, addr_sk, L_T): on input the public parameters pp, the address key pair (addr_pk, addr_sk) and the ledger L_T, the algorithm outputs a set of coins coinSet.
The construction of the smart contract is described below.
The smart contract of this embodiment is a hash lock. In the Pour stage, when generating a new coin [not reproduced in the source], four random values [not reproduced] are generated. These four random values are the values necessary to spend the new coin (the other required value is addr_sk; see the Pour algorithm). In the algorithm of this embodiment, however, they are not disclosed to the payee or to the public. This means that even after a payer broadcasts TX_pour and other nodes verify it, the payee still cannot spend the coin minted for her, because the payer has not yet obtained the data. Therefore, after broadcasting TX_pour, the payer deploys a smart contract in the blockchain to obtain the data. The detailed steps for deploying the smart contract are as follows.
1. The payer enters the initial values hash(E_sk), C_v and addr_pk, where hash(E_sk) is the hash of the data encryption private key E_sk, which the payer obtained before payment (see section 2), and C_v is the ciphertext, under the payee's pk_enc, of the four random values generated by the payer in the Pour.
2. The payer deploys a contract stating: whoever provides the preimage of hash(E_sk) receives C_v; the preimage (i.e. E_sk) is encrypted with the payer's pk_enc and sent to the payer.
The contract is triggered when someone inputs the preimage of hash(E_sk), i.e. E_sk. Owing to the properties of the hash function, only the payee can supply the preimage, so only the payee obtains C_v, and only the payee can decrypt C_v, since she alone holds the decryption key sk_enc. At the same time, E_sk is encrypted and sent to the payer. At this point the payer has obtained the data encryption private key E_sk; he can download the encrypted data from the supernode and decrypt it with E_sk, thereby obtaining the data. The payee obtains C_v and decrypts it with sk_enc to recover the secret values, so she finally obtains the coin the payer minted for her, since she now holds all the necessary values: the four secret random values and addr_sk. The flow of the smart contract is illustrated in fig. 3.
The present embodiment uses asymmetric encryption in the smart contract to ensure security. As described above, all returned and sent messages are encrypted with the receiving party's public encryption key, so even if a message is eavesdropped by a probabilistic polynomial-time adversary, the probability of a successful decryption is Pr[successful decryption] ≤ negl.
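The hash-lock contract from the steps above, as an added Python simulation that is not the patent's own code: the buyer deploys hash(E_sk) and C_v, a wrong preimage is rejected without changing the state, the seller's correct preimage releases C_v exactly once, and E_sk reaches the buyer. Both the data encryption under E_sk and the encryption of C_v to the seller use a constructed symmetric SHA-256 keystream as a stand-in for the scheme's public-key encryption, and all sample inputs are constructed.

```python
import hashlib
from dataclasses import dataclass, field


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for encryption: SHA-256 counter keystream XORed over data.
    Symmetric and illustrative only; the scheme uses public-key encryption
    (E_pk/E_sk for the data, pk_enc/sk_enc for the seller)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = sha256(key + i.to_bytes(8, "big"))
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class HashLockContract:
    """Contract state as deployed by the buyer: hash(E_sk) and C_v."""
    h_esk: bytes                   # hash(E_sk), received by the buyer before paying
    c_v: bytes                     # C_v: the coin's secret values encrypted for the seller
    to_buyer: list = field(default_factory=list)
    settled: bool = False

    def reveal(self, preimage: bytes) -> bytes:
        """Seller's call: release C_v only against the correct preimage, exactly once."""
        if self.settled:
            raise ValueError("already settled")
        if sha256(preimage) != self.h_esk:
            raise ValueError("not the preimage of hash(E_sk)")
        self.settled = True
        self.to_buyer.append(preimage)  # in the scheme: encrypted under the buyer's pk_enc
        return self.c_v


def run_exchange(data: bytes, e_sk: bytes, coin_secrets: bytes, seller_key: bytes) -> dict:
    """Walk the contract through a wrong reveal and then the seller's correct one."""
    enc_data = stream_xor(e_sk, data)  # what the supernode stores, encrypted under E_sk
    # Buyer deploys hash(E_sk) and C_v = Enc_seller(secret values) after broadcasting TX_pour.
    contract = HashLockContract(sha256(e_sk), stream_xor(seller_key, coin_secrets))
    try:  # anyone without E_sk is rejected and the contract state does not change
        contract.reveal(b"constructed wrong guess")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = not contract.settled
    c_v = contract.reveal(e_sk)  # seller supplies the preimage and receives C_v
    seller_secrets = stream_xor(seller_key, c_v)  # seller decrypts C_v with sk_enc
    buyer_data = stream_xor(contract.to_buyer[0], enc_data)  # buyer decrypts the data
    return {"wrong_rejected": wrong_rejected, "settled": contract.settled,
            "seller_secrets": seller_secrets, "buyer_data": buyer_data}
```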
To test the effectiveness of the protocol of this embodiment, several experiments were designed. First, the basic algorithms of the scheme were tested, including CreateAddress, Mint, Pour, the smart contract and GenerateID. Second, data of three different sizes were used to test the performance of the GenerateID algorithm, since its performance depends on the size of the data. The code was written in Java, and all experiments were run on the same machine (Intel Core i5-6300 @ 2.30 GHz with 12 GB of RAM).
Table 1: Algorithm performance (table not reproduced in the source)
Table 1 shows the performance of the individual algorithms of the scheme. As in Zerocash, the Merkle tree was not maintained in the experiment, because it has little bearing on the performance of the algorithms. Note that each basic algorithm of Zerocash produces a large result (e.g. public and private keys with a high number of bits), which causes a large delay; in practical applications these times may be lower. In addition, the smart contract of this embodiment is triggered automatically: specifically, the hash preimage of the data encryption key is input automatically.
Figure 4 shows the performance of the GenerateID algorithm for input data of different sizes. As shown, the latency of the algorithm increases with the data size. This follows from the nature of the hash function; if the way the dataID is generated were changed, the latency would be reduced.

Claims (5)

1. A decentralized anonymous data transaction method based on zero-knowledge proof, characterized by comprising the following steps:
step 1, information sending: a buyer of data, which is a node in a blockchain system, buys the data of a seller, which is also a node in the blockchain system, the data being encrypted with a data encryption public key; when the buyer wants to buy the data, the buyer first receives from the seller verification information used to verify the authenticity of the data together with the encrypted data encryption private key, and then checks the verification information through the blockchain system; if the verification succeeds, the next step is executed, otherwise the transaction is stopped;
step 2, anonymous payment: the buyer mints a new digital coin A by depositing the corresponding amount of digital currency with the escrow party, generating at minting time a secret value needed to spend the coin; the buyer then mints another digital coin B bound to the seller's address public key, transfers the value of coin A to coin B, and finally broadcasts the transfer of value;
step 3, smart contract: the buyer first encrypts the secret value of coin B with the seller's seller encryption public key to obtain the ciphertext of the secret value, and then, using the encrypted data encryption private key obtained in step 1, creates the following smart contract: if the seller provides the plaintext of the data encryption private key, the seller obtains the ciphertext of the secret value;
step 4, completing the transaction: after obtaining the data encryption private key, the buyer decrypts the seller's data with it, and the ciphertext of the secret value of coin B is sent to the seller, so that the seller can spend coin B using the seller's address private key and the seller's coin encryption private key.
2. The decentralized anonymous data transaction method based on zero-knowledge proof according to claim 1, wherein in step 1 the data are uploaded to supernodes in the blockchain system for storage, and the supernodes verify the authenticity of the data on receipt and store the data after the verification succeeds.
3. The method according to claim 2, wherein in step 1 the supernodes, after storing the data, generate a dataID of the data as the verification information for verifying its authenticity; every supernode in the blockchain generates the dataID in the same manner, so that every supernode generates the same dataID on receiving the same data, and broadcasts the dataID to the whole blockchain system after generating it, so that the dataID is added to the public ledger.
4. The method according to claim 3, wherein in step 1 the dataID is a hash of the corresponding data.
5. The method according to claim 3, wherein in step 1 the buyer checks the verification information through the blockchain system by checking whether the corresponding dataID exists in the public ledger.
CN201910766253.2A 2019-08-19 2019-08-19 Decentralized anonymous data transaction method based on zero knowledge proof Pending CN110728576A (en)

Publications (1)

Publication Number Publication Date
CN110728576A true CN110728576A (en) 2020-01-24

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111369251A (en) * 2020-03-07 2020-07-03 中国人民解放军国防科技大学 Block chain transaction supervision method based on user secondary identity structure
CN111507721A (en) * 2020-04-23 2020-08-07 深圳前海微众银行股份有限公司 Block chain cross-chain transaction method and device
CN113836588A (en) * 2021-11-29 2021-12-24 湖南宸瀚信息科技有限责任公司 Privacy protection system of transaction data based on block chain
CN114401118A (en) * 2021-12-27 2022-04-26 浙江数秦科技有限公司 Login password verification system based on intelligent contract
CN114401118B (en) * 2021-12-27 2024-04-30 浙江数秦科技有限公司 Login password verification system based on intelligent contract
CN113988865A (en) * 2021-12-29 2022-01-28 国网电子商务有限公司 Power settlement privacy protection method and device
CN115860750A (en) * 2023-02-27 2023-03-28 国网江西省电力有限公司信息通信分公司 Electric vehicle power transaction identity authentication privacy protection method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination