CN110851859A - Distributed authoritative node block chain system with (n, t) threshold and authentication method thereof - Google Patents


Info

Publication number: CN110851859A
Authority: CN (China)
Prior art keywords: user, key, transaction, authentication, proxy
Legal status: Granted; currently active
Application number: CN201911004459.8A
Other languages: Chinese (zh)
Other versions: CN110851859B (en)
Inventors: 周俊, 沈华杰
Current assignee: East China Normal University
Original assignee: East China Normal University
Events: application filed by East China Normal University; priority claimed to CN201911004459.8A (patent CN110851859B); publication of CN110851859A; application granted; publication of CN110851859B; anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a distributed authoritative node blockchain system with an (n, t) threshold and an authentication method thereof. The system consists of n authoritative nodes under a CA threshold framework, each authoritative node acting as a certificate authority (CA), and authentication comprises the following steps: system initialization, secret sharing, blockchain node initialization, proxy key request, proxy key recovery, wallet generation, wallet authentication, authentication verification, transaction signing and transaction verification. Compared with the prior art, the method is simple, feasible and efficient: by authenticating the user's public key, public key replacement attacks are avoided; the user updates the address periodically, which provides effective privacy protection for transactions and is particularly suitable for consortium chain applications, since an adversary cannot obtain the user's private data by analyzing past transaction data in the public ledger; and the requirements of high efficiency and privacy are met.

Description

Distributed authoritative node block chain system with (n, t) threshold and authentication method thereof
Technical Field
The invention relates to the technical field of information security, in particular to a distributed authoritative node blockchain system with an (n, t) threshold and an authentication method thereof.
Background
In recent years, blockchain technology has advanced rapidly and received wide attention from industry and academia. A blockchain is essentially a cryptographically verifiable list of data; what distinguishes it from a traditional database is that the integrity of the stored data is guaranteed by cryptography, i.e. there is no concern that data stored in the blockchain has been maliciously tampered with. Besides guaranteeing data integrity, another favored feature of blockchains is their distributed and public nature: all data is kept in a public, distributed ledger, which is why blockchains also serve as the technical carrier of various electronic currencies. However, the use of distributed ledger technology also plants a hidden danger for blockchains, namely that users are exposed to the risk of privacy disclosure.
In Bitcoin, proposed by its inventor in 2009, each blockchain user has one or more blockchain addresses as pseudonyms in the blockchain network, achieving anonymity in the cryptographic sense. However, since everyone stores a complete copy of the ledger, studies have shown that the identity of the holder of a given blockchain address can be determined by analyzing the transaction records of that address, so the anonymity of the blockchain does not provide good privacy protection for the user. Furthermore, existing blockchain structures are vulnerable to 51% computing-power attacks: once one or more colluding network nodes control 51% of the computing power of the entire network, they can control the entire blockchain network. The blockchain may also fork, i.e. the data lists stored by different nodes differ at some point in time, so that all subsequent data differs. The lack of authentication in the blockchain architecture also makes it very vulnerable to address replacement, and existing solutions either use inefficient authentication mechanisms or attempt to add a single online Certificate Authority (CA) to authenticate all network nodes, which requires frequent real-time interaction between the CA and the network nodes to issue public key certificates and results in a significant computational and communication load. Moreover, in a distributed-trust blockchain system a single-point CA often means insufficient trust, so when an enterprise builds its own blockchain service it often adopts a consortium chain (alliance chain) structure.
A consortium chain is a kind of blockchain. Unlike the most widely used public chains, a consortium chain has one or more administrators: a new node joining the network must be authenticated by the administrators, blocks are generated by the administrators, and once a loss caused by malicious operation occurs, the administrators can stop the loss in time. Therefore, blockchain services currently built by enterprises themselves, including distributed transaction systems, often adopt the consortium chain architecture. However, the consortium chain structure does not solve the pain point of blockchain privacy protection, and, as an enterprise-oriented type of blockchain, it provides no effective tracing means and cannot identify a malicious user who damages the system.
In summary, blockchains in the prior art carry a risk of privacy disclosure, which severely restricts large-scale application of blockchain systems.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide a distributed threshold lightweight CA authentication method. It adopts a multi-authority distributed CA structure in which the CAs issue a proxy key to the user, so that the trust model of the CA is distributed and the authority of a single CA is dispersed; by authenticating the user's public key, public key replacement attacks are avoided; the user can update the address periodically, which provides effective privacy protection for transactions and is particularly suitable for consortium chain applications, since an adversary cannot obtain the user's private data by analyzing past transaction data in the public ledger; and the requirements of high efficiency and privacy are met.
The purpose of the invention is realized as follows: a distributed authoritative node blockchain system with an (n, t) threshold is characterized in that the system is composed of n authoritative nodes under a certificate authority (CA) threshold framework, each authoritative node acting as a certificate authority; each certificate authority is composed of an account pool and a block pool connected by a transaction controller.
An authentication method for the blockchain system with (n, t)-threshold distributed authoritative nodes is characterized in that the CAs issue a proxy key to the user, the user authenticates its own public key with the proxy key and protects privacy by periodically updating addresses, and the authentication process specifically comprises the following steps:
(I) System initialization
The system generates a master public key given the security parameter;
(II) Secret sharing
The system generates a secret-sharing polynomial and distributes the resulting partial private keys to the distributed CAs;
(III) Blockchain node initialization
A blockchain node is generated in the network together with a long-term public/private key pair for it; the public key, stored at the CA, serves as the credential of the node's identity;
(IV) Proxy key request
The user requests the proxy key from the CAs, and each CA computes a partial proxy key and sends it to the user;
(V) Proxy key recovery
After the user receives the partial proxy keys sent by a threshold of CAs, the complete proxy key is computed by secret recovery;
(VI) Wallet generation
The user generates a periodically updated short-term public/private key pair; the short-term public key serves as the wallet address;
(VII) Wallet authentication
The user authenticates the wallet address with the proxy authentication key;
(VIII) Authentication verification
Others can verify the authentication of the wallet address using the master public key and the user's public key;
(IX) Transaction signing
The user digitally signs the transaction with the short-term key pair;
(X) Transaction verification
Anyone can verify the transaction with the sender's short-term public key; if verification passes, the transaction is valid and can be stored in the blockchain by the CA.
The system initialization process of step (I) specifically comprises the following steps:
a) Input $1^\lambda$, where $\lambda$ is the security parameter;
b) The system selects two safe primes $p_0, q_0$ of length $\lambda$ satisfying formula (I):
$q_0 = 2q'_0 + 1,\ p_0 = 2p'_0 + 1$ (where $p'_0, q'_0$ are prime) (I)
It then computes $n_0 = p_0 \cdot q_0$ and $m_0 = p'_0 \cdot q'_0$, and selects $e_0, d_0$ such that $e_0 \cdot d_0 \equiv 1 \pmod{\phi(m_0)}$. Then $n$ trusted nodes are selected as the distributed CAs (an $(n, t)$ threshold, where $n > t$), the common CA master public key $pk_{CA} = (n_0, e_0)$ is set, and a hash function is published:
Figure BDA0002242316950000031
The secret sharing process of step (II) specifically comprises the following steps:
a) The system disperses $d_0$ into $n$ partial private keys $d_i$ ($i = 1, 2, \ldots, n$), i.e. it selects, according to formula (II), a polynomial over
Figure BDA0002242316950000032
of degree $t-1$:
Figure BDA0002242316950000033
For each $CA_j$ ($j \in \{1, 2, \ldots, n\}$) it computes $d_j = f(j)$ and sends it to the corresponding $CA_j$. After this step the system destroys $p_0$, $q_0$ and $d_0$.
b) Define the operator $\Delta = n!$. Let $S$ be any subset of $t$ CAs; for any $i \in \{0, \ldots, n\} \setminus S$ and $j \in S$, define by formula (III):
Figure BDA0002242316950000034
Then, by Lagrange interpolation, formula (IV) is obtained:
Figure BDA0002242316950000035
The blockchain node initialization process of step (III) specifically comprises the following steps:
a) When a new user $u$ joins the network, a blockchain node and a node identifier are created; then input $1^\lambda$, where $\lambda$ is the security parameter;
b) Select two large primes $p_u, q_u$ of length $k$, compute $n_u = p_u \cdot q_u$ as in formula (I), select $e_u, d_u$ satisfying $e_u d_u \equiv 1 \pmod{\phi(n_u)}$, and let $pk_u = (n_u, e_u)$, $sk_u = (d_u)$.
The proxy key request process of step (IV) specifically comprises the following steps:
a) The user computes the request body $x$ with the public hash function $h(\cdot)$ according to formula (V):
$x = h(n_u, e_u)$ (V)
and sends the request $(u, pk_u, x)$ to all CAs, where $u$ is the true identity of the user and $pk_u$ is the user's public key, i.e. the identifier of the blockchain node;
b) When $CA_j$ receives the request from user $u$, it verifies whether $u$ is a legal user, i.e. a user who has purchased the blockchain service. If $u$ is legal, $CA_j$ deposits the identity pair $(u, pk_u)$ into its account pool and computes a partial proxy key according to formula (VI):
Figure BDA0002242316950000041
and sends $v_{u,j}$ to user $u$.
The proxy key recovery process of step (V) specifically comprises the following steps:
a) When user $u$ has received no fewer than $t$ partial proxy keys, recorded as
Figure BDA0002242316950000042
the intermediate variable $w$ is computed by formula (VII):
Figure BDA0002242316950000043
where $w$ is an intermediate variable of the calculation and the right-hand side is Lagrange interpolation performed in the exponent;
b) From formulas (IV) and (VII) the intermediate variables are obtained,
where, from $e_0$ and $4\Delta^2$, a pair $(a, b)$ can be found such that $4\Delta^2 \cdot a + e_0 \cdot b = -1$.
c) Compute the proxy key $v_u$ of the user according to formula (IX):
$v_u = w^a x^b$ (IX)
d) The user verifies whether $v_u$ is correct, i.e. whether
Figure BDA0002242316950000046
Figure BDA0002242316950000047
If $COR \equiv 1 \pmod{m_0}$, the proxy key is correct; otherwise it is wrong and the user submits an error message to the CA. From here on, user $u$ is denoted by $a$ or $b$, the two parties to a transaction.
The wallet generation process of step (VI) specifically comprises the following steps:
a) Input $1^\lambda$, where $\lambda$ is the security parameter;
b) Select two large primes $p_{b,i}, q_{b,i}$ of length $k$, compute $n_{b,i} = p_{b,i} \cdot q_{b,i}$, select $e_{b,i}, d_{b,i}$ satisfying $e_{b,i} d_{b,i} \equiv 1 \pmod{\phi(n_{b,i})}$, and let $pk_{b,i} = (n_{b,i}, e_{b,i})$, $sk_{b,i} = (d_{b,i})$; the wallet address is $pk_{b,i}$, where $i$ denotes the $i$-th update, $b$ is a transaction party and $u$ denotes any user.
The wallet authentication process of step (VII) specifically comprises the following steps:
a) When user $a$ wants to receive transfers from others, user $a$ first authenticates its own address $pk_{b,i}$. Input $1^\lambda, v_b, pk_{b,i}, pk_{CA}, sk_b, pk_b$; on the domain
Figure BDA0002242316950000051
randomly select
Figure BDA0002242316950000052
and compute the intermediate variables $r_i, k_i$ by formula (XI):
Figure BDA0002242316950000053
then compute the intermediate variables $g_i, y_i$ according to formula (XII).
b) The certificate of the address $pk_{b,i}$ of user $b$ is $Cert_{b,i} = (y_i, g_i)$.
The authentication verification process of step (VIII) specifically comprises the following steps:
a) Input $1^\lambda$, $pk_b = (n_b, e_b)$, $pk_{b,i} = (n_{b,i}, e_{b,i})$, $Cert_{b,i} = (y_i, g_i)$, $pk_{CA} = (n_0, e_0)$, and compute the intermediate variables $k'_i$ and $r'_i$ by formula (XIII):
Figure BDA0002242316950000055
Figure BDA0002242316950000056
b) User $a$ checks, according to formula (XIV), whether $h(r'_i, n_{b,i}, e_{b,i}) = k'_i$; if so, the address is verified as correct, otherwise the address may have been replaced:
Figure BDA0002242316950000057
Figure BDA0002242316950000058
Figure BDA0002242316950000059
Therefore,
$h(r'_i, n_{b,i}, e_{b,i}) = h(r_i, n_{b,i}, e_{b,i}) = k_i = k'_i$.
The transaction signature of step (IX) is produced by the transaction generator $a$; the process specifically comprises the following steps:
a) Input $1^\lambda, T, sk_{a,i'}, pk_{a,i'}$, where $i'$ denotes the $i'$-th updated address of user $a$; select a random number $r_{i'} \leftarrow_R \{0,1\}^\lambda$ and compute according to formula (XV):
Figure BDA00022423169500000511
where $\sigma_{a,T,i'}$ is the signature on the transaction $T$ and $\|$ denotes concatenation.
The transaction verification process of step (X) specifically comprises the following steps:
a) Input $1^\lambda, \sigma_{a,T,i'}, pk_{a,i'}$; first verify the validity of the public key by the method of step (VIII), then compute according to formula (XVI):
Figure BDA0002242316950000061
split $y_{i'}$ into $w_{i'} \| s_{i'}$,
and check whether formula (XVII) holds:
if so, verification passes; otherwise it fails.
Compared with the prior art, the invention has the following advantages:
1) A distributed CA structure disperses the trust model of the CA and the authority of a single CA, preventing single-point attacks; it matches the decentralized trust structure of the blockchain, and adding the CA effectively prevents address replacement attacks.
2) With the proxy CA structure, the CA issues a proxy key to the user, so the user need not perform complicated interaction with the CA at every authentication, which yields high efficiency.
3) The user updates the address periodically, so an adversary cannot obtain the user's private data by analyzing past transaction data in the public ledger.
Drawings
FIG. 1 is a schematic diagram of a network architecture according to the present invention;
FIG. 2 is a schematic diagram of a CA structure;
FIG. 3 is a schematic diagram of an embodiment;
FIG. 4 is a schematic view of the flow structure of the present invention.
Detailed Description
First, the mathematical theory applied by the invention is explained as follows:
1. Hash function
A hash function maps a variable-length message to a fixed-length hash value or message digest. There are many hashing algorithms; those commonly adopted at present are MD2, MD4, MD5 and the Secure Hash Algorithm (SHA-1). For a hash function whose input and output are both bit strings (strings of 0s and 1s), the length of a bit string $x$ is denoted $|x|$, and the concatenation of bit strings $x$ and $y$ is denoted $x \| y$. Let $\mathrm{compress}: \{0,1\}^{m+t} \to \{0,1\}^m$ be a compression function (where $t \geq 1$). An iterated hash function is constructed from the compression function $\mathrm{compress}$:
Figure BDA0002242316950000063
The evaluation of the iterated hash function $h$ consists essentially of the following three steps.
1) Preprocessing: given an input bit string $x$ with $|x| \geq m + t + 1$, construct a string $y$ by a public algorithm such that $|y| \equiv 0 \pmod t$. Write $y = y_1 \| y_2 \| \cdots \| y_r$, where $|y_i| = t$ for $1 \leq i \leq r$.
2) Processing: let $IV$ be a public initial bit string of length $m$; then compute
$z_0 \leftarrow IV$,
$z_1 \leftarrow \mathrm{compress}(z_0 \| y_1)$,
$z_2 \leftarrow \mathrm{compress}(z_1 \| y_2)$,
Figure BDA0002242316950000071
$z_r \leftarrow \mathrm{compress}(z_{r-1} \| y_r)$.
3) Output transformation: let $g: \{0,1\}^m \to \{0,1\}^{\ell}$ be a public function. Define $h(x) = g(z_r)$.
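The three-step evaluation above, as an added example in Python that is not part of the patent: the compression function is stood in for by SHA-256 truncated to m bits, the public padding rule is Merkle-Damgard strengthening (a marker byte, zero fill and the encoded message length), and the parameters m = 128 bits, t = 64 bits, an all-zero IV and a truncating g are all assumptions. It also accepts inputs shorter than m + t + 1 bits, which the text's precondition excludes; the length field is what keeps such short inputs from colliding with their zero-extended versions.

```python
import hashlib
import struct

# Added example (not from the patent): a Merkle-Damgard style iterated hash
# built from a compression function, following the three steps in the text.
# Constructed parameters:
#   m = 128 bits  (chaining value z_i, 16 bytes)
#   t = 64 bits   (message block y_i, 8 bytes)
M_BYTES = 16
T_BYTES = 8
IV = bytes(M_BYTES)  # public initial value (assumption: all zeros)


def compress(z_and_y: bytes) -> bytes:
    """compress: {0,1}^(m+t) -> {0,1}^m.
    Assumption: SHA-256 truncated to m bits stands in for a real
    fixed-input-length compression function."""
    assert len(z_and_y) == M_BYTES + T_BYTES
    return hashlib.sha256(z_and_y).digest()[:M_BYTES]


def preprocess(x: bytes) -> list:
    """Step 1: build y with |y| = 0 (mod t) and split it into t-bit blocks.
    The public padding rule used here (assumption) is Merkle-Damgard
    strengthening: a 0x80 marker, zero fill, then the 64-bit message length,
    so that messages of different lengths never pad to the same y."""
    bit_len = 8 * len(x)
    y = x + b"\x80"
    # zero-fill so that the 8-byte length field ends exactly on a block boundary
    while (len(y) + 8) % T_BYTES:
        y += b"\x00"
    y += struct.pack(">Q", bit_len)
    return [y[i:i + T_BYTES] for i in range(0, len(y), T_BYTES)]


def process(blocks: list) -> bytes:
    """Step 2: z_0 <- IV, z_i <- compress(z_{i-1} || y_i); returns z_r."""
    z = IV
    for y_i in blocks:
        z = compress(z + y_i)
    return z


def g(z_r: bytes) -> bytes:
    """Step 3: output transformation g: {0,1}^m -> {0,1}^l
    (assumption: truncate the final chaining value to 96 bits)."""
    return z_r[:12]


def iterated_hash(x: bytes) -> bytes:
    """h(x) = g(z_r): the complete iterated hash."""
    return g(process(preprocess(x)))


if __name__ == "__main__":
    for msg in (b"", b"abc", b"abcdefgh", b"abcdefghi"):
        print(len(preprocess(msg)), "blocks ->", iterated_hash(msg).hex())
```

A 3-byte message pads to two 8-byte blocks (marker, fill and length occupy the rest), an 8-byte message to three, so `process` is always fed whole blocks and the chaining value never has to be re-sized.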
2. Proxy signature algorithm
The signer can issue a proxy key to another user, and the user who obtains the proxy key can sign messages on behalf of the signer.
The specific algorithm is as follows:
1) Proxy generation: for an original signer $p_0$ and a proxy signer $p_i$, where the public key of $p_0$ is $(n_0, e_0)$ and its private key is $(n_0, d_0)$, and the identity of $p_i$ is $ID_i$ with public key $(n_i, e_i)$, $p_0$ computes
Figure BDA0002242316950000072
Figure BDA0002242316950000073
and sends $u_i, m_w, w_i$ to $p_i$.
2) Proxy key recovery: upon receiving $u_i, m_w, w_i$ from $p_0$, $p_i$ computes
Figure BDA0002242316950000074
to obtain the proxy key $v_i$.
3) Proxy signature: $p_i$ signs the message $m$ with the proxy key: randomly select $t \in [1, n_0]$ and compute
Figure BDA0002242316950000076
where the signature is $(y, u)$.
4) Signature verification: the message recipient verifies the signature $(y, u)$: compute
Figure BDA0002242316950000077
and check whether the equation on $h(m, r')$ holds; if so, the signature is correct, otherwise it is wrong.
3. Shamir secret sharing
The Shamir $(k, n)$ secret sharing algorithm divides a secret $S$ into $n$ sub-secrets; any $k$ of them can recover $S$, but any $k-1$ cannot.
Secret sharing process:
Given a secret $S$, choose random numbers $a_1, \ldots, a_{k-1}$ arbitrarily, let $a_0 = S$, and construct the polynomial
$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1} \pmod p$
Take $n$ random numbers $x_i$, substitute each into $f(x)$, and compute $y_i = f(x_i)$.
Secret recovery process:
Let the $k$ data points be $(x_1, y_1), \ldots, (x_k, y_k)$; substitute them and compute
Figure BDA0002242316950000081
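Steps (II), (IV) and (V) of the method and the Shamir sharing of section 3, as one added Python example that is not the patent's own code. Formulas (II) to (IX) are only available as figures on this page, so the example uses the standard construction of which the text shows the outline: Shamir sharing of $d_0$ modulo $m_0$, partial keys $v_{u,j} = x^{2\Delta d_j} \bmod n_0$, Lagrange interpolation in the exponent with $\Delta = n!$, and a Bezout pair $(a, b)$ with $4\Delta^2 a + e_0 b = 1$ (the text writes $-1$; that sign only turns the key into its inverse, and $+1$ is used here so that $v_u^{e_0} = x$ can be checked directly). The tiny safe primes, $e_0 = 7$, the share coefficients and $x$ are constructed values, and the check $v_u^{e_0} = x$ stands in for the COR test whose formula is not on the page.

```python
from math import factorial
import random

# Added example (not the patent's code): toy of steps (II), (IV), (V) with the
# Shamir sharing of section 3 and Lagrange interpolation in the exponent.
# Constructed, insecure parameters; needs Python 3.8+ for pow(x, -k, n).
P0_PRIME, Q0_PRIME = 11, 23                     # p'_0, q'_0
P0, Q0 = 2 * P0_PRIME + 1, 2 * Q0_PRIME + 1    # safe primes 23, 47 (formula (I))
N0 = P0 * Q0                                    # n_0 = 1081
M0 = P0_PRIME * Q0_PRIME                        # m_0 = 253
E0 = 7                                          # prime, coprime to m_0 and to 4*Delta^2
D0 = pow(E0, -1, M0)                            # d_0 = 217; e_0*d_0 = 1 (mod m_0)


def share_secret(secret, coeffs, n, modulus):
    """Step (II): f(x) = secret + a_1 x + ... + a_{t-1} x^{t-1} (mod modulus);
    share j is d_j = f(j). 'coeffs' are the caller's random a_1..a_{t-1}."""
    poly = [secret] + list(coeffs)
    return {j: sum(c * pow(j, k, modulus) for k, c in enumerate(poly)) % modulus
            for j in range(1, n + 1)}


def lagrange_coeff(i, j, S, n):
    """Integer Lagrange coefficient Delta * prod_{j' in S, j' != j} (i - j')/(j - j'),
    Delta = n! (the role of formula (III) as assumed here)."""
    delta = factorial(n)
    num = den = 1
    for jp in S:
        if jp != j:
            num *= i - jp
            den *= j - jp
    assert (delta * num) % den == 0      # Delta clears every denominator
    return delta * num // den


def partial_proxy_key(x, d_j, n, modulus):
    """Step (IV), CA_j side: v_{u,j} = x^(2*Delta*d_j) mod n_0 (assumed form)."""
    return pow(x, 2 * factorial(n) * d_j, modulus)


def ext_gcd(a, b):
    """Return (g, s, t) with a*s + b*t = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def recover_proxy_key(x, partials, n, e, modulus):
    """Step (V), user side. w = prod_j v_{u,j}^(2*lambda_j) (Lagrange in the
    exponent, formula (VII)) equals x^(4*Delta^2*d_0) for x a square mod n_0;
    with 4*Delta^2*a + e*b = 1 the proxy key v_u = w^a x^b equals x^(d_0)."""
    S = sorted(partials)
    w = 1
    for j in S:
        lam = lagrange_coeff(0, j, S, n)
        w = w * pow(partials[j], 2 * lam, modulus) % modulus   # negative lam -> inverse
    e_prime = 4 * factorial(n) ** 2
    g, a, b = ext_gcd(e_prime, e)
    assert g == 1
    return pow(w, a, modulus) * pow(x, b, modulus) % modulus


def proxy_key_is_correct(v_u, x, e, modulus):
    """Toy stand-in for the user's check of step (V)(d): v_u^e_0 == x (mod n_0)."""
    return pow(v_u, e, modulus) == x


if __name__ == "__main__":
    n, t = 5, 3
    shares = share_secret(D0, [17, 42], n, M0)     # constructed a_1, a_2
    # x stands in for h(n_u, e_u) of formula (V); it is squared so that it lies
    # in the subgroup of quadratic residues, whose order divides m_0.
    x = pow(2, 2, N0)
    partials = {j: partial_proxy_key(x, shares[j], n, N0) for j in (1, 3, 5)}
    v_u = recover_proxy_key(x, partials, n, E0, N0)
    print("v_u =", v_u, "correct:", proxy_key_is_correct(v_u, x, E0, N0))
    # t-1 shares interpolate a different constant term and do not yield the key
    v_bad = recover_proxy_key(x, {j: partials[j] for j in (1, 3)}, n, E0, N0)
    print("t-1 shares correct:", proxy_key_is_correct(v_bad, x, E0, N0))
```

Any $t$ of the $n$ partial keys recover the same $v_u$, because $w$ is exactly $x^{4\Delta^2 d_0}$ whichever subset is combined, while $t-1$ partial keys interpolate a polynomial with a different constant term and fail the check; this is the property step (V) relies on when it says a threshold of CAs suffices.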
The invention is further illustrated by the following specific example, which involves the following entities: the sender, the evaluator and the receiver; only the legal receiver holds the decryption key to decrypt the final calculation result.
Example 1
Referring to FIG. 1, the invention is composed of n authoritative nodes 1 under a CA threshold architecture, each authoritative node 1 acting as a Certificate Authority (CA) 2. In the offline stage, the user can recover the correct overall authentication key, used to prove the user's legal identity to other users in a transaction, if and only if no fewer than the threshold t of Certificate Authorities (CA) 2 issue partial authentication keys for the user. When the user periodically updates its identity information in the online stage and authenticates the updated identity information to other users in a transaction, the user no longer needs to interact with the distributed CAs; self-authentication is achieved with the overall authentication key recovered in the offline stage. The system structure therefore greatly reduces the local computing and communication overhead of resource-limited user terminals. The invention disperses the trust model of the CA, weakens the centralized power of a single CA to a certain extent, and effectively prevents the damage that a malicious CA single point of failure would do to the blockchain system. On the other hand, the invention adopts a CA structure with an (n, t) threshold, which makes identity authentication in the blockchain system more flexible: the threshold t can be set according to the security and availability requirements of different network application environments. Finally, in the invention the CAs communicate with each other, and the CAs are responsible for verifying transactions generated between users and recording them in the blockchain, so that the blockchain structure keeps the data stored by each CA synchronized and consistent.
Referring to FIG. 2, each authoritative node 1 acts as a Certificate Authority (CA) 2; the Certificate Authority (CA) 2 is composed of an account pool 22 and a block pool 23, to which a transaction controller 21 is connected.
Referring to FIG. 3 and FIG. 4, the CA authentication method of the invention comprises the following steps:
Step one: System initialization
a) Input $1^\lambda$, where $\lambda$ is the security parameter, $\lambda = 512$;
b) Two 512-bit large primes $p'_0, q'_0$ are obtained according to formula (I):
$q_0 = 2q'_0 + 1,\ p_0 = 2p'_0 + 1$ (where $p'_0, q'_0$ are prime) (I)
$p'_0 = 50268594710967517023233154887358030262733922169141404622211220931497296784397$,
$q'_0 = 44679948419095308766048740412041951290490614408108490019088114962317615599097$,
and $p_0$, $q_0$, $n_0 = p_0 \cdot q_0$ are obtained by calculation:
$p_0 = 100537189421935034046466309774716060525467844338282809244422441862994593568793$;
$q_0 = 89359896838190617532097480824083902580981228816216980038176229924635231198193$;
$n_0 = 8983992875145743647661873350841381211058391128689554052088016297842503447278245065186363664333852060585694749885884592135277741138062217981517429362791049$.
Select an integer $e_0 = 65537$ coprime to $\phi(n_0) = 4p'_0 q'_0$ and less than $\phi(n_0)$, and compute $d_0$ with $d_0 \cdot e_0 \equiv 1 \pmod{\phi(n_0)}$, obtaining
$d_0 = 2011278262113590045294947980584169936503787397044923280776284772295729291521791132129403529602305823351353400022384315959037981553462846552517747513952257$. The CA master public key is $pk_{CA} = (n_0, e_0)$.
Step two: Secret sharing
a) According to the secret sharing principle, the system disperses $d_0$ into $n$ partial private keys $d_i$ ($i = 1, 2, \ldots, n$) and sends them to the $n$ CAs respectively, i.e. it selects, according to formula (II), a polynomial over
Figure BDA0002242316950000091
of degree $t-1$:
Figure BDA0002242316950000092
For each $CA_j$ ($j \in \{1, 2, \ldots, n\}$) it computes $d_j = f(j)$ and sends it to the corresponding $CA_j$. After this step the system destroys $p_0$, $q_0$ and $d_0$.
In this embodiment, $n = 5$ and $t = 3$ are selected.
$a_1 = 111868139482427763033413840861771967448222506008169586182543367613992623427261$;
$a_2 = 102086987004631591958852232552663001368244520618222043795905559992876750911991$;
$a_3 = 105509764525196833675959783501653247049903558926667050080341953994783283325233$;
$d_1 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616744$;
$d_2 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616748$;
$d_3 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616754$;
$d_4 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616762$;
$d_5 = 2011278262113590045294947980584169936503787397044923280776284772295729291522110597020415785790974049208269488238250686544591040233521637434119400171616772$.
Step three: Blockchain node initialization
When a new user $u$ joins the network, a blockchain node and a node identifier are created; then input $1^\lambda$, where $\lambda$ is the security parameter. Two 512-bit large primes $p_u, q_u$ are selected and $n_u = p_u \cdot q_u$ is computed:
$p_u = 107513213546145434094281653760010721386161376807556788679865009269593320778641$;
$q_u = 85675306540315648719985764870589875790222216636312015563689223613158559234427$;
$n_u = 9211227527700426909686344949684638812321364175754381371541878004489191550387403678276985477281435782877772667199637422197936885437097898642226948493473707$.
Select an integer $e_u = 65537$ coprime to $\phi(n_u)$ and less than $\phi(n_u)$, and compute $d_u$ with $d_u \cdot e_u \equiv 1 \pmod{\phi(n_u)}$, obtaining:
$d_u = 2138468755572607770127984778208520065451112439295404314631577182939454803227816464007373217136305085031521835655529619945486690694857543833074018515858273$.
Step four: Proxy key request
a) The user computes $x = h(n_u, e_u)$ with the public hash function $h(\cdot)$ and sends the request $(u, pk_u, x)$ to all CAs, where $u$ is the true identity of the user and $pk_u$ is the user's public key, i.e. the identifier of the blockchain node; the request body $x$ is computed according to formula (V):
$x = h(n_u, e_u)$ (V)
b) When $CA_j$ receives the request from user $u$, it verifies whether $u$ is a legal user (a user who has purchased the blockchain service). If $u$ is legal, $CA_j$ deposits the identity pair $(u, pk_u)$ into its account pool and computes a partial proxy key according to formula (VI):
Figure BDA0002242316950000111
$x = 34229368949702775535486670805532819702848175206385354385109072861246234918113$; the partial proxy keys are respectively:
$v_{u,1} = 3107469568583609963475316455660761907894586520469242784851303302863973716341398100450859581631473552009496028392525614455537847629804351902619471099787719$;
$v_{u,2} = 7378956642283130015345915176666686296879882553491725057438440396483980166043824002214585285955576064806260196113442992172472468459032008898016752529795660$;
$v_{u,3} = 7993973355650955971847414824955879926848013041200208794981100843483890345654836062947158139193051412888129387005082379785829843651622676136967963095940626$;
$v_{u,4} = 1722189523685505799358534378118748075042360092913600086775883115194913909026068409530825457737667638306771151013515936407379793411551124861042234097874372$;
$v_{u,5} = 4760892878212853721560055987642899891117359743694296032393849734192706915229803040386710204088250926222712721754045995749274504234455139205338757314947857$.
step five: proxy key recovery
a) When the user u receives not less than t partial proxy keys and records as
Figure BDA0002242316950000112
Then, the intermediate variable w is calculated by the following formula (VII):
Figure BDA0002242316950000113
wherein: w is a middle variable generated in the calculation process, and the right side of the equation is Lagrange interpolation performed on an index;
b) obtaining intermediate variables from formulas (IV) and (VII)
Figure BDA0002242316950000114
Figure BDA0002242316950000115
Wherein: e.g. of the type0And 4 Delta2A pair of (a, b) can be found such that 4 Δ2.a+e0b=-1。
c) Calculating a proxy key v of a user according to the following equation (IX)u
vu=waxb(IX)
w = 5448008741470273527977346493550158516483005928174925115284777271631864527647082812910862791029619609799108446763605980771538008101839030156466013891149424;
v_u = 4712691729553089439760273523066311877826260038654936923475248469170827356264825506588103938269937795419054495282278965753252223481661059251418397543505956; v_u is verified to be correct.
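An added Python example (not code from the patent) of the threshold proxy-key issuance and recovery of steps four and five above (also claims 6 and 7): CA_j holds the share d_j of d_0 from the degree t-1 polynomial mod m_0, returns v_{u,j} = x^{2Δ·d_j} mod n_0, and the user combines any t of them by Lagrange interpolation in the exponent, as Shoup's threshold RSA does; formulas (VI) to (VIII) are only images on this page, so their exact form is assumed. Further assumptions: toy safe primes and e_0 = 7 instead of λ-bit parameters, e_0·d_0 ≡ 1 (mod m_0), x squared so that it lies in the quadratic residues, and the combination 4Δ²·a + e_0·b = 1 rather than the -1 written above, so that the recovered key satisfies v_u^{e_0} ≡ x (mod n_0), which stands in for the COR check of claim 7.

```python
import hashlib
from math import factorial, gcd

# Toy parameters (constructed; a deployment uses lambda-bit safe primes).
# 2039 = 2*1019+1 and 3023 = 2*1511+1 are safe primes, so the quadratic
# residues mod n0 form a cyclic group of order m0 = 1019*1511.
P0_, Q0_ = 1019, 1511                      # p'_0, q'_0
P0, Q0 = 2 * P0_ + 1, 2 * Q0_ + 1          # p_0, q_0
N0, M0 = P0 * Q0, P0_ * Q0_                # n_0 = p_0 q_0, m_0 = p'_0 q'_0
N_CA, T_CA = 5, 3                          # (n, t) threshold of CAs
DELTA = factorial(N_CA)                    # Δ = n!
E0 = 7                                     # prime, coprime to m_0 and to 4Δ²
D0 = pow(E0, -1, M0)                       # assumption: e_0 d_0 ≡ 1 (mod m_0)
PK_CA = (N0, E0)

def share_master_key(d0, coeffs, n, m0):
    """Step two: f(x) = a_{t-1}x^{t-1}+...+a_1 x + d_0 (mod m_0); d_j = f(j)."""
    def f(x):
        return (d0 + sum(a * x ** (k + 1) for k, a in enumerate(coeffs))) % m0
    return {j: f(j) for j in range(1, n + 1)}

def request_body(n_u, e_u, n0):
    """Step four a): x = h(n_u, e_u); squared so x lies in QR_n0 (assumption)."""
    h = int.from_bytes(hashlib.sha256(f"{n_u},{e_u}".encode()).digest(), "big")
    x = pow(h % n0, 2, n0)
    if gcd(x, n0) != 1:                    # only plausible with a toy modulus
        raise ValueError("x is not invertible mod n0")
    return x

def partial_proxy_key(x, d_j, delta, n0):
    """Step four b), run by CA_j: v_{u,j} = x^(2Δ d_j) mod n_0."""
    return pow(x, 2 * delta * d_j, n0)

def lagrange_int(S, j, delta):
    """λ_j = Δ·Π_{j' in S, j' != j} (0 - j')/(j - j'), an integer because Δ = n!."""
    num, den = delta, 1
    for jp in S:
        if jp != j:
            num, den = num * (0 - jp), den * (j - jp)
    assert num % den == 0
    return num // den

def ext_gcd(a, b):
    """Return (g, u, v) with a*u + b*v = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = ext_gcd(b, a % b)
    return g, v, u - (a // b) * v

def recover_proxy_key(parts, x, delta, n0, e0, t=T_CA):
    """Step five: w = Π v_j^(2λ_j) = x^(4Δ² d_0), then v_u = w^a · x^b."""
    if len(parts) < t:
        raise ValueError("fewer than t partial proxy keys")
    S = sorted(parts)
    w = 1
    for j in S:        # a negative λ_j is fine: pow(.., neg, n0) inverts mod n0
        w = w * pow(parts[j], 2 * lagrange_int(S, j, delta), n0) % n0
    g, a, b = ext_gcd(4 * delta * delta, e0)
    assert g == 1                          # 4Δ²·a + e_0·b = 1 (sign: see lead-in)
    return pow(w, a, n0) * pow(x, b, n0) % n0

def verify_proxy_key(v_u, x, pk_ca):
    """Stands in for the page's COR check: v_u^e_0 ≡ x (mod n_0)."""
    n0, e0 = pk_ca
    return pow(v_u, e0, n0) == x

if __name__ == "__main__":
    shares = share_master_key(D0, [5, 9], N_CA, M0)  # a_1 = 5, a_2 = 9 (constructed)
    x = request_body(3233, 17, N0)                   # toy pk_u = (3233, 17)
    parts = {j: partial_proxy_key(x, shares[j], DELTA, N0) for j in (1, 3, 5)}
    v_u = recover_proxy_key(parts, x, DELTA, N0, E0)
    print("v_u =", v_u, "valid:", verify_proxy_key(v_u, x, PK_CA))
```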
Step six: wallet generation
a) Input 1^λ, where λ is the security parameter.
b) Select two large primes p_{b,i}, q_{b,i} of length k, calculate n_{b,i} = p_{b,i}·q_{b,i}, and select e_{b,i}, d_{b,i} satisfying e_{b,i}·d_{b,i} ≡ 1 (mod φ(n_{b,i})). Let pk_{b,i} = (n_{b,i}, e_{b,i}) and sk_{b,i} = (d_{b,i}); let the wallet address be pk_{b,i}. The wallet address needs to be updated periodically; i denotes the ith update.
p_{u,i} = 98905411631433183413607147068875624006656974845456685657046402584491734670889;
q_{u,i} = 72730738245982562336422357343086698203136123108136595248092083835528635746699;
n_{u,i} = 7193463604476926009399532971323950624796983213047047825374519338568991305069456418851897305894761957075235280530591039927240640250914473574454193533145411;
Select an integer e_{u,i} = 65537 that is coprime with φ(n_{u,i}) and smaller than φ(n_{u,i}), and calculate d such that d·e ≡ 1 (mod φ(n_{u,i})), obtaining:
d_{u,i} = 1327020995439614804669733946065681417425202970012951587786714967168150890005457268762186558309070512906163753561184205474252413108128429150164535354645153.
Step seven: wallet authentication
a) In order to prevent a public key replacement attack, when user a wants to receive transfers from others, user a first needs to authenticate the address pk_{b,i}: input 1^λ, v_b, pk_{b,i}, pk_CA, sk_b, pk_b. Randomly select an element from the domain
[the domain and the selected element appear as images in the original]
The intermediate variables r_i, k_i are calculated by the following formula (XI):
[formula (XI) appears as an image in the original]
The intermediate variables g_i, y_i are calculated by the following formula (XII):
[formula (XII) appears as an image in the original]
b) The certificate of address pk_{b,i} of user b is Cert_{b,i} = (y_i, g_i). Obtaining:
t_i = 7377853991639920693270177433470989967622853179914631740065118262053887494171504971974136976716318998049342263434334398368679265954803208521949393069401389;
r_i = 4759149528279737629950452887827267383269268578610334060880301554450520527466535928451176835643134046571724019687794737582238898486740541395197958109081923;
k_i = 7446901942716709609768648643136422722018005928006405900707411968380378957325286282605952037847256899073567374466120759659856975991673319706321648352959654;
g_i = 5934957782677915040975265171998683088387466645141307370265579950722329541925402847404340171714876862891762517377267961507350534965043720751011686487922359;
y_i = 6197268909245805163825572692399037393703611513936488943462969002309231062428589897781755667621765071117108786072486216616715533972207340281136913228866397.
Step eight: authentication verification
a) Input 1^λ, pk_b = (n_b, e_b), pk_{b,i} = (n_{b,i}, e_{b,i}), Cert_{b,i} = (y_i, g_i), pk_CA = (n_0, e_0); the intermediate variables k'_i and r'_i are calculated by the following formula (XIII):
[formula (XIII) appears as an image in the original]
b) User a checks whether h(r'_i, n_{b,i}, e_{b,i}) = k'_i according to the following formula (XIV); if so, the address is verified correctly, otherwise the address may have been replaced;
[formula (XIV) appears as an image in the original]
thus h(r'_i, n_{b,i}, e_{b,i}) = h(r_i, n_{b,i}, e_{b,i}) = k_i = k'_i; obtaining:
k'_i = 7446901942716709609768648643136422722018005928006405900707411968380378957325286282605952037847256899073567374466120759659856975991673319706321648352959654;
r'_i = 4759149528279737629950452887827267383269268578610334060880301554450520527466535928451176835643134046571724019687794737582238898486740541395197958109081923; by calculation the authentication is verified to be correct.
Step nine: transaction signature
a) Input 1^λ, T, sk_{a,i'}, pk_{a,i'}, where i' denotes the i'-th updated address of user a; select a random number r_{i'} ∈_R {0,1}^λ and calculate according to the following formula (XV):
w_{i'} ← g(H(T)||r_{i'}), s_{i'} ← g(w_{i'}) ⊕ w_{i'}
[the remaining part of formula (XV), giving σ_{a,T,i'}, appears as an image in the original]
where σ_{a,T,i'} is the signature on the transaction and || denotes concatenation;
calculating, we obtain:
w_{i'} = 642594131613360864268557952175729557884346946736788458689331267123217805574024331171617531545773109022833603621324867549055004137478087447025770 1551528412;
s_{i'} = 64907848882632080801651140535202257312835088980907613810281909089414881808616824156711317142122570503580868038222362954724557139511511817286534246 25726065;
y_{i'} = 876302786523043390228772324678370078170883092845252914250675446971938089500689160269636136436944114114286181201352938641796492866479423955882463 7148205589;
σ_{a,T,i'} = 4712691729553089439760273523066311877826260038654936923475248469170827356264825506588103938269937795419054495282278965753252223481661059251418397543505956.
Step ten: transaction verification
a) Input 1^λ, σ_{a,T,i'}, pk_{a,i'}; first verify the validity of the public key by the method of step eight, then calculate according to the following formula (XVI):
[formula (XVI) appears as an image in the original]
obtaining:
y_{i'} = 8763027865230433902287723246783700781708830928452529142506754469719380895006891602696361364369441141142861812013529386417964928664794239558824637148205589;
Convert y_{i'} into w_{i'}||s_{i'}, obtaining:
w_{i'} = 6425941316133608642685579521757295578843469467367884586893312671232178055740243311716175315457731090228336036213248675490550041374780874470257701551528412;
s_{i'} = 6490784888263208080165114053520225731283508898090761381028190908941488180861682415671131714212257050358086803822236295472455713951151181728653424625726065;
and check whether the following formula (XVII) holds:
s_{i'} ⊕ w_{i'} = g(w_{i'}) (XVII)
obtaining:
g(w_{i'}) = 6490784888263208080165114053520225731283508898090761381028190908941488180861682415671131714212257050358086803822236295472455713951151181728653424625726065; by calculation the signature is verified to be correct.
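The transaction signature and verification of steps nine and ten (also claims 11 and 12), as an added Python example rather than the patent's code. Assumptions: the σ part of formula (XV) is only an image here, so the example signs y_{i'} = w_{i'}||s_{i'} as σ_{a,T,i'} = y_{i'}^d mod n, which is what (XVI) inverts; g and H are instantiated with truncated SHA-256 over a small fixed-prime toy key; and because check (XVII) only confirms the w||s structure of y, the verifier additionally recomputes w from T when r_{i'} is supplied alongside the signature, an extra step that is not on the page.

```python
import hashlib
import os

# Toy short-term wallet key pk_{a,i'} = (N, E), sk_{a,i'} = D (constructed;
# a real wallet uses lambda-bit primes). Both factors are well-known primes.
P, Q = 1_000_000_007, 998_244_353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = 24                                  # bits of w and of s; 2K < N.bit_length()

def H(T: bytes) -> bytes:
    """Transaction hash H(.) (SHA-256 stands in for the page's H)."""
    return hashlib.sha256(T).digest()

def g(data: bytes) -> int:
    """K-bit function g(.) for w and for the mask (assumption: truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(b"g|" + data).digest(), "big") >> (256 - K)

def w_bytes(w: int) -> bytes:
    return w.to_bytes(K // 8, "big")

def sign_transaction(T: bytes, sk: int, pk: tuple, r: bytes = None):
    """Step nine: w = g(H(T)||r), s = g(w) xor w, y = w||s, sigma = y^d mod n."""
    n, _ = pk
    if r is None:
        r = os.urandom(K // 8)              # r in_R {0,1}^lambda (lambda = K here)
    w = g(H(T) + r)
    s = g(w_bytes(w)) ^ w
    y = (w << K) | s                        # w || s as an integer below n
    return pow(y, sk, n), r                 # assumption: sigma = y^d mod n

def verify_transaction(T: bytes, sigma: int, pk: tuple, r: bytes = None) -> bool:
    """Step ten: y = sigma^e mod n (XVI); split y into w||s; check s xor w = g(w) (XVII)."""
    n, e = pk
    y = pow(sigma, e, n)
    if y >> (2 * K):                        # y must fit exactly into w||s
        return False
    w, s = y >> K, y & ((1 << K) - 1)
    if s ^ w != g(w_bytes(w)):
        return False
    # Added binding check, not part of the page's (XVII): when r is supplied
    # (e.g. sent with the transaction), recompute w so sigma is tied to this T.
    return r is None or g(H(T) + r) == w

if __name__ == "__main__":
    T = b"transfer 5 coins from a to b (constructed transaction)"
    sigma, r = sign_transaction(T, D, (N, E))
    print("sigma =", sigma, "valid:", verify_transaction(T, sigma, (N, E), r))
```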
The invention has been described above in further detail; this is not intended to limit the scope of the invention, and all equivalent embodiments are intended to be included within the scope of the following claims. The present invention is not limited to the above embodiments: variations and advantages that can be realized by those skilled in the art without departing from the spirit and scope of the inventive concept are included in the present invention, and the scope of the present invention is defined by the appended claims.

Claims (12)

1. A blockchain system with (n, t) threshold distributed authority nodes, wherein the blockchain system is composed of n authority nodes with certificate authority CA threshold architecture, and each authority node plays a role of a certificate authority; the authentication center is composed of an account pool and a block pool which are connected by a transaction controller.
2. The method for authenticating the blockchain system with the (n, t) threshold distributed authoritative nodes according to claim 1, wherein the CA issues a proxy key to the user, and the user authenticates the public key of the user through the proxy key to perform privacy protection of periodically updating the address, wherein the authentication process specifically includes the following steps:
(I) system initialization
Given the security parameter, the system generates a master public key;
(II) secret sharing
The system generates a secret-sharing polynomial and distributes the generated partial private keys to the distributed CAs;
(III) blockchain node initialization
A blockchain node is generated in the network together with a long-term public and private key pair for it, wherein the public key is stored at the CA as the certificate of the node's identity;
(IV) proxy key request
The user requests the proxy key from the CAs, and each CA calculates a partial proxy key and sends it to the user;
(V) proxy key recovery
After the user has received the partial proxy keys sent by a threshold of CAs, the complete proxy key can be calculated by secret recovery;
(VI) wallet generation
The user generates a periodically updated short-term public and private key pair, wherein the short-term public key is used as the wallet address;
(VII) wallet authentication
The user authenticates the wallet address through the proxy authentication key;
(VIII) authentication verification
Others can verify the authentication of the wallet address through the master public key and the public key of the user;
(IX) transaction signature
The user digitally signs the transaction with the short-term public and private key;
(X) transaction verification
Everyone can verify the transaction through the sender's short-term public key; if the verification passes, the transaction is established and can be stored into the blockchain by the CA.
3. The method according to claim 2, wherein the system initialization procedure of step (I) includes the following steps:
a) Input 1^λ, where λ is the security parameter;
b) The system selects two safe primes p_0, q_0 of length λ satisfying the following formula (I):
q_0 = 2q'_0 + 1, p_0 = 2p'_0 + 1 (where p'_0, q'_0 are primes) (I)
Then calculate n_0 = p_0·q_0 and m_0 = p'_0·q'_0. Select e_0, d_0 such that e_0·d_0 ≡ 1 (mod φ(m_0)); then select n trusted nodes as distributed CAs ((n, t) threshold, where n > t), set the common CA master public key pk_CA = (n_0, e_0), and publish a hash function
[the hash function appears as an image in the original]
4. The method for authenticating a blockchain system with (n, t) threshold distributed authoritative nodes according to claim 2, wherein the secret sharing process of step (II) specifically includes the following steps:
a) The system splits d_0 into n partial private keys d_i (i = 1, 2, …, n) and sends them to the n CAs respectively, i.e. a polynomial of degree t-1 is selected according to the following formula (II):
f(x) = a_{t-1}x^{t-1} + … + a_2x^2 + a_1x + d_0 (mod m_0)
(where the coefficients a_i are drawn from the set shown as an image in the original) (II)
For each CA_j (j ∈ {1, 2, …, n}), calculate d_j = f(j) and send it to the corresponding CA_j; after this step is finished, the system destroys p_0, q_0 and d_0.
b) Define Δ = n!. Let S be any subset of t CAs; for any i ∈ {0, …, n} \ S and j ∈ S, define by the following formula (III):
[formula (III) appears as an image in the original]
Then the following formula (IV) is obtained by Lagrange interpolation:
[formula (IV) appears as an image in the original]
5. The method for authenticating a blockchain system with (n, t) threshold distributed authoritative nodes according to claim 2, wherein the blockchain node initialization procedure of step (III) specifically includes the following steps:
a) When a new user u joins the network, a blockchain node and a node identifier are created, and then 1^λ is input, where λ is the security parameter;
b) Select two large primes p_u, q_u of length k, calculate n_u = p_u·q_u, and select e_u, d_u satisfying e_u·d_u ≡ 1 (mod φ(n_u)); let pk_u = (n_u, e_u), sk_u = (d_u).
6. The method according to claim 2, wherein the proxy key request procedure in step (IV) includes the following steps:
a) The user calculates the request body x with the public hash function h(·) according to the following formula (V):
x = h(n_u, e_u) (V)
and sends the request (u, pk_u, x) to all CAs, where u represents the true identity of the user and pk_u is the user's public key, i.e. the identifier of the blockchain node;
b) When CA_j receives the request sent by user u, it verifies whether u is a legal user, namely a user who has purchased the blockchain service; if u is legal, CA_j writes the identity information pair (u, pk_u) into the account pool and calculates a partial proxy key according to the following formula (VI):
[formula (VI) appears as an image in the original]
and sends v_{u,j} to user u.
7. The method according to claim 2, wherein the proxy key recovery procedure of step (V) comprises the following steps:
a) When user u has received not less than t partial proxy keys, recorded as
[the set of received partial proxy keys appears as an image in the original]
the intermediate variable w is calculated by the following formula (VII):
[formula (VII) appears as an image in the original]
where w is an intermediate variable generated during the calculation, and the right-hand side of the equation is Lagrange interpolation performed in the exponent;
b) Obtain the intermediate variables from formulas (IV) and (VII):
[the intermediate-variable formulas appear as images in the original]
where for e_0 and 4Δ² a pair (a, b) can be found such that 4Δ²·a + e_0·b = -1.
c) Calculate the proxy key v_u of the user according to the following formula (IX):
v_u = w^a · x^b (IX)
d) The user verifies whether v_u is correct, i.e. whether v_u satisfies
[the verification formulas appear as images in the original]
If COR ≡ 1 (mod m_0), the proxy key is correct; otherwise the proxy key is wrong and the user submits an error message to the CA. From here on, the user u is denoted by the transaction parties a and b in order to indicate the two parties of a transaction.
8. The method for authenticating a blockchain system with (n, t) threshold distributed authoritative nodes according to claim 2, wherein the wallet generating process of step (VI) specifically comprises the following steps:
a) Input 1^λ, where λ is the security parameter;
b) Select two large primes p_{b,i}, q_{b,i} of length k, calculate n_{b,i} = p_{b,i}·q_{b,i}, and select e_{b,i}, d_{b,i} satisfying e_{b,i}·d_{b,i} ≡ 1 (mod φ(n_{b,i})); let pk_{b,i} = (n_{b,i}, e_{b,i}), sk_{b,i} = (d_{b,i}), and let the wallet address be pk_{b,i}, where i represents the ith update, b is a transaction party, and u represents all users.
9. The method for authenticating a blockchain system with (n, t) threshold distributed authoritative nodes according to claim 2, wherein the wallet authentication procedure of step (VII) specifically comprises the following steps:
a) When user a wants to receive transfers from other people, user a first authenticates its own address pk_{b,i}: input 1^λ, v_b, pk_{b,i}, pk_CA, sk_b, pk_b, randomly select an element from the domain (given as an image in the original), and calculate the intermediate variables r_i, k_i by the following formula (XI):
[formula (XI) appears as an image in the original]
The intermediate variables g_i, y_i are calculated according to the following formula (XII):
[formula (XII) appears as an image in the original]
b) The certificate of address pk_{b,i} of user b is Cert_{b,i} = (y_i, g_i).
10. The method according to claim 2, wherein the authentication verification process of step (VIII) comprises the following steps:
a) Input 1^λ, pk_b = (n_b, e_b), pk_{b,i} = (n_{b,i}, e_{b,i}), Cert_{b,i} = (y_i, g_i), pk_CA = (n_0, e_0); the intermediate variables k'_i and r'_i are calculated by the following formula (XIII):
[formula (XIII) appears as an image in the original]
b) User a checks whether h(r'_i, n_{b,i}, e_{b,i}) = k'_i according to the following formula (XIV); if so, the address is verified correctly, otherwise the address may have been replaced;
[formula (XIV) appears as an image in the original]
Therefore,
h(r'_i, n_{b,i}, e_{b,i}) = h(r_i, n_{b,i}, e_{b,i}) = k_i = k'_i.
11. The method for authenticating a blockchain system with (n, t) threshold distributed authority nodes according to claim 2, wherein in the transaction signature of step (IX) the transaction generator a signs the transaction T, and the process specifically includes the following steps:
a) Input 1^λ, T, sk_{a,i'}, pk_{a,i'}, where i' denotes the i'-th updated address of user a; select a random number r_{i'} ∈_R {0,1}^λ and calculate according to the following formula (XV):
w_{i'} ← g(H(T)||r_{i'}), s_{i'} ← g(w_{i'}) ⊕ w_{i'}
[the remaining part of formula (XV), giving σ_{a,T,i'}, appears as an image in the original]
where σ_{a,T,i'} is the signature on the transaction and || denotes concatenation.
12. The method according to claim 2, wherein the transaction verification process of step (X) comprises the following steps:
a) Input 1^λ, σ_{a,T,i'}, pk_{a,i'}; first verify the validity of the public key by the method of step (VIII), then calculate according to the following formula (XVI):
[formula (XVI) appears as an image in the original]
Convert y_{i'} into w_{i'}||s_{i'}
and check whether the following formula (XVII) holds:
s_{i'} ⊕ w_{i'} = g(w_{i'}) (XVII)
If it holds, the verification passes; otherwise, the verification fails.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911004459.8A CN110851859B (en) 2019-10-22 2019-10-22 Authentication method of distributed authority node block chain system with (n, t) threshold

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911004459.8A CN110851859B (en) 2019-10-22 2019-10-22 Authentication method of distributed authority node block chain system with (n, t) threshold

Publications (2)

Publication Number Publication Date
CN110851859A true CN110851859A (en) 2020-02-28
CN110851859B CN110851859B (en) 2023-09-29
