CN110992010B - Digital currency issue total amount control method and verification method - Google Patents
Abstract
The invention discloses a digital currency issue total amount control method and a verification method. The issuing method comprises the following steps: 1) the central bank generates, for each designated issuing bank and according to that bank's identity information, a corresponding identity authentication private key $sk_1$ and public key $pk_1$, and sends them to that issuing bank over a secret transmission channel; each time a designated issuing bank issues currency, it randomly generates a private key $sk_x$ and public key $pk_x$ for use on the blockchain; the private key of the issuing bank is $SK=(sk_1, sk_x)$ and its public key is $PK=(pk_1, pk_x)$; 2) the issuing bank performs multi-receiver signcryption on the issue amount and on its own identity, and attaches the signcryption information to the issuance transaction; 3) from the issuance transaction, the central bank judges whether the issue amount and the identity of the issuing bank have been tampered with; if they have not, and the issuing bank has the required issue amount remaining, the central bank allows the issuing bank to issue that amount; otherwise issuance is refused. The method meets the requirements of controllable issue quantity, security and efficiency.
Description
Technical Field
The invention belongs to the technical field of cryptography and relates to a trusted digital currency issue total amount control method and a trusted digital currency issue total amount verification method.
Background
In recent years cryptocurrency has gradually matured; many countries have begun to study blockchain and related technologies and to promote the issuance of digital currency by the central bank. Compared with ordinary currency, digital currency issued by a central bank helps to improve payment efficiency, reduce payment cost, and prevent tax evasion and money laundering.
At present, central bank issuance of digital currency is still at the research and exploration stage, and there is no successful experience or precedent internationally, so research and practice in this leading field, namely how digital currency absorbs and transforms blockchain technology, are important.
Since 2008, beginning with Satoshi Nakamoto's Bitcoin, a series of cryptocurrencies such as Ethereum and EOS have been issued and circulated. These cryptocurrencies are not limited by time and space, making the payment process more convenient and efficient than with traditional currencies; in cross-border transactions in particular, funds can be transferred quickly, conveniently and at low cost. At the same time, these cryptocurrencies use cryptographic algorithms and protocols together with a distributed ledger, so artificial currency inflation is prevented in theory, the security of the currency can be ensured, and they offer good anonymity. However, because of their decentralised nature, no institution or government provides credit support for these cryptocurrencies, and in theory they are not regulated by government authorities, which results in large price fluctuations and in the inability to recover the currency after loss or theft.
Central bank digital currency is a cryptocurrency issued by a national central bank. It has legal status, is endorsed by national sovereignty, has a definite body responsible for its issuance, and is true currency. Compared with decentralised cryptocurrency, national credit and the capability of the central bank can ensure that central bank digital currency keeps a stable price over the long term, making it more suitable for practical use. Although many countries are researching and promoting the release of central bank digital currency, no country has yet released one successfully. Issuance authorisation, protection of sensitive information, controllability of the issue amount and the like are all problems faced by central bank digital currency. In addition, there is great interest in retaining some advantages of decentralised cryptocurrency, for example whether digital currency can technically prevent significant inflation of the currency once the central bank is the body responsible for issuance; this is also an important factor affecting the wide adoption of central bank digital currency.
Zero-knowledge proof is a cryptographic verification technique proposed by S. Goldwasser, S. Micali and C. Rackoff at the beginning of the 1980s. It refers to the ability of a prover to convince a verifier that a certain assertion is correct without providing the verifier with any useful information. Zero-knowledge proof techniques are used in some cryptocurrency projects to give the cryptocurrency better properties; for example, Zcash uses zero-knowledge proofs to achieve truly anonymous transactions.
Multi-receiver signcryption is another research hotspot in contemporary cryptography. Applied to the blockchain, it can ensure controllable anonymity of transactions. When a message must be transmitted to multiple receivers, a traditional encryption scheme has low efficiency and poor timeliness because the encryption process is repeated, and cannot meet practical application requirements; a multi-receiver signcryption scheme was therefore proposed. In such a scheme the signcrypter signcrypts a message once, and each recipient can verify the confidentiality and authenticity of the received message using its own private key.
Safe and effective issuance is a precondition for issuing digital currency, and many properties of digital currency also need to be ensured during the issuance operation. The issuance operation of central bank digital currency has the following requirements: first, digital currency is issued by an issuing bank under the authorisation of the central bank; second, the issue amount can be supervised by the central bank; third, sensitive information such as the identity of the issuing bank and the issue amount can be kept from being revealed; and fourth, while the privacy of the issuing bank's identity and of the issue amount is preserved, more participants can trust that each issuance by each issuing bank is legal.
Disclosure of Invention
In order to solve the above problems, the present invention provides a trusted digital currency issue total amount control method and a trusted digital currency issue total amount verification method. The invention comprises two algorithms: a range-proof cryptographic algorithm and a trusted issue-proof algorithm. To meet the requirements of central bank digital currency, such as central bank authorisation, controllable and supervisable issue quantity, dynamic hiding of the identity information of the issuing bank, and confidentiality of the issue amount, the invention designs the range-proof cryptographic algorithm using a certificateless public key cryptosystem and multi-receiver signcryption. In this algorithm the central bank generates an identity authentication public-private key pair from the identity information of each issuing bank and delivers it to that issuing bank over a secret transmission channel. Each issuing bank randomly generates a different public-private key pair for use on the blockchain every time it issues currency, performs multi-receiver signcryption on the issue amount and its own identity, and attaches the signcryption information to the issuance transaction. Although the issuing bank uses different public and private keys on the blockchain each time, the central bank can still determine which issuing bank an issuance transaction belongs to, and it maintains a remaining-issue-amount commitment table of the issuing banks to judge the validity of each issuance.
In order that a user who cannot learn the identity of the issuing bank or the issue amount in an issuance transaction can still judge whether each issuance transaction of an issuing bank is legal, the invention designs a trusted issue-amount proof algorithm using zero-knowledge proof technology. In this algorithm the central bank maintains and publishes a commitment table of the remaining issue amount of each issuing bank; the table does not expose the identity of the issuing bank or its remaining issue amount directly, but publishes the hash value of the sensitive information. Through the range-proof cryptographic algorithm the central bank obtains the detailed content of the issuance transactions in a block, generates non-interactive zero-knowledge evidence from this information, and packs the evidence together with the updated information, such as the remaining-issue-amount commitment table of the issuing banks, into a transaction for publication. A user can extract the information from that transaction to verify the legitimacy of all issuance transactions in the block to which it refers.
The technical scheme of the invention is as follows:
A digital currency issue total amount control method includes the steps of:
1) The central bank generates, for each designated issuing bank and according to its identity information, a corresponding identity authentication private key $sk_1$ and public key $pk_1$, and sends them to that issuing bank over a secret transmission channel; each time a designated issuing bank issues currency, it randomly generates a private key $sk_x$ and public key $pk_x$ for use on the blockchain; the private key of the issuing bank is $SK=(sk_1, sk_x)$ and the public key is $PK=(pk_1, pk_x)$;
2) The issuing bank performs multi-receiver signcryption on the issue amount and the issuing bank identity, and attaches the signcryption information to the issuance transaction;
3) From the issuance transaction, the central bank judges whether the issue amount and the identity of the issuing bank have been tampered with; if not, and the issuing bank has the required issue amount remaining, the issuing bank is allowed to issue that amount; otherwise issuance is refused.
Further, the method for generating the private key $SK$ and the public key $PK$ of the issuing bank comprises the following steps:
11) Select a security parameter $\lambda$ and a base field $F_q$, where $q$ is a large prime and $q > 2^{\lambda}$; select an elliptic curve $E(F_q)$ defined over $F_q$ and a generator $P$ of $E(F_q)$ whose order is a prime $n$; select six hash functions, among them $H_1: E(F_q)\times E(F_q)\to\{0,1\}^w$ and $H_2, H_3, H_4: \{0,1\}^w\to\{0,1\}^w$, together with $H_0$ and $H_5$, where $w$ is a positive integer and $n-1$ is the maximum value of the integer cyclic group from which scalars are drawn; select a symmetric encryption function $E_{sk}()$ and the corresponding decryption function $D_{sk}()$, where $sk$ denotes a symmetric key;
12) The central bank generates its own identity authentication public-private key pair $(s_c, P_c)$ and a second public-private key pair $(s_{c2}, P_{c2})$, where the private key $s_c$ has public key $P_c = s_c P$ and the private key $s_{c2}$ has public key $P_{c2} = s_{c2} P$; the central bank publishes the public parameters $pp=\{q, E(F_q), n, P_c, P_{c2}, H_0, H_1, H_2, H_3, H_4, H_5, E, D\}$ and appoints the issue quantity of each issuing bank;
13) With the identity $ID$ of issuing bank A as input, the central bank computes $QID = H_0(ID)$, the identity authentication private key $sk_A = s_c\cdot QID$ of issuing bank A and the identity authentication public key $PK_A = sk_A P$; the central bank then sends the identity authentication key pair $(sk_A, PK_A)$ to issuing bank A over a secure channel;
14) Issuing bank A randomly selects $sk_x$ from the integer cyclic group with maximum value $n-1$ and computes $PK_x = sk_x P$ as the blockchain key pair for this issuance, obtaining the complete private key $SK=(sk_A, sk_x)$ and the complete public key $PK=(PK_A, PK_x)$ of issuing bank A; the identity authentication key pair $(sk_A, PK_A)$ is fixed and is not disclosed on the blockchain, while the key pair $(sk_x, PK_x)$ changes with every issuance.
Further, the method by which issuing bank A performs multi-receiver signcryption on the issue amount $v$ and the issuing bank identity $PK_A$ comprises the following steps:
21) Issuing bank A randomly selects $\sigma\in\{0,1\}^w$ and computes $r = H_1(\sigma, PK_A)$, $U = r\cdot P$;
22) Computes $F_A = r\cdot PK_x$, $K_A = r\cdot PK_A$, $T_A = H_1(K_A, F_A)$, $F_c = r\cdot P_{c2}$, $K_c = r\cdot P_c$ and $T_c = H_1(K_c, F_c)$;
24) Computes the symmetric key $sk = H_4(\sigma)$, and $V = E_{sk}(v)$, $\Gamma = E_{sk}(PK_A)$;
25) Computes $H = H_5(U, V, \Gamma, PK_A, PK_x)$, $H' = H_6(U, V, \Gamma, PK_A, PK_x)$, $W = sk_A + r\cdot H + sk_x\cdot H'$, $\Lambda = H_5(v, \sigma, C_A, C_c, V, \Gamma, U, W)$;
26) Issuing bank A generates the ciphertext $CT = \langle (C_A, C_c), V, \Gamma, W, U, \Lambda\rangle$ and the issuance transaction $tx = (PK_x, CT, \Delta)$, and publishes $tx$ on the blockchain; $\Delta$ denotes the data structure that must be implemented to prevent malleability attacks.
Further, step 3) is implemented as follows:
31) The central bank extracts the ciphertext $CT = \langle (C_A, C_c), V, \Gamma, W, U, \Lambda\rangle$ from the issuance transaction $tx$ published on the blockchain and computes $K = s_c\cdot U$, $F = s_{c2}\cdot U$, $T = H_1(K, F)$ and $H_2(T)$;
32) From $C_A = H_2(T)\,\|\,Y$ it computes $Y$; $Y$ is the remainder of $C_A$ after removing $H_2(T)$;
34) Sets $sk' = H_4(\sigma)$ and computes $v' = D_{sk'}(V)$, $PK_A' = D_{sk'}(\Gamma)$, $H = H_5(U, V, \Gamma, PK_A', PK_x)$, $H' = H_5(U, V, \Gamma, PK_A', PK_x)$, $\Lambda' = H_5(v', \sigma, C_A, C_c, V, \Gamma, U, W)$;
35) The central bank looks up the issuing bank corresponding to $PK_A'$ and judges whether the issuance transaction $tx$ was initiated by issuing bank A; if it was, and $\Lambda' = \Lambda$ and $PK_A' + U\cdot H + PK_x\cdot H' = P\cdot W$, the current issue amount $v$ and the issuing bank identity $PK_A$ are judged not to have been tampered with; otherwise issuance is refused;
36) According to the remaining-issue-amount commitment it maintains for issuing bank A, the central bank judges whether the remaining issue amount of issuing bank A covers the issue amount $v$; if so, it updates the remaining-issue-amount commitment of issuing bank A and allows issuing bank A to issue this amount; otherwise issuance is refused.
Further, the complete public key of the central bank is $(P_c, P_{c2})$ and the complete private key is $(s_c, s_{c2})$.
A digital currency issue total amount verification method includes the steps:
1) According to the security parameter $\lambda$, the central bank generates a Circuit of security level $\lambda$ that satisfies the trustworthiness proof of the issuance transaction, generates the proving key and verification key $(pk_{proof}, vk_{proof}) := KeyGen(1^{\lambda}, Circuit)$, and publishes the security parameter $\lambda$, the trusted Circuit, the proving key $pk_{proof}$ and the verification key $vk_{proof}$;
2) The central bank allocates the total issue amount $Sum_i$ to each designated issuing bank $i$ and then initiates a commitment transaction containing the initial remaining-amount list of each issuing bank $i$, computed over the hash value of the latest block of the longest blockchain at the time the commitment transaction is initiated and the complete public key $PK_i$ of issuing bank $i$;
3) The central bank monitors the blockchain; when an issuance transaction is found in a new block $new$, it obtains the issue amount $v_i$ from the transaction, computes the new remaining-amount commitment of the issuing bank, and generates several non-interactive zero-knowledge proofs, $\pi_i$ being the proof for issuing bank $i$; it then packs the proof $\pi_i$ of each issuing bank $i$ together with the updated remaining-issue-amount commitments into a transaction $tx$ for publication;
4) After obtaining the transaction $tx$ from a block, the verifier verifies the validity of all issuance transactions in the block to which the transaction refers.
The zero-knowledge proof $\pi_i$ is generated as follows:
11) Set $x_i$, in which $tx_j$ is the $j$-th issuance transaction and the remaining-amount commitment of issuing bank $i$ after issuance in the previous block was completed is included;
12) Set $a_i$, in which $(s_c, s_{c2})$ is the private key of the central bank, together with the remaining amount of issuing bank $i$ after issuance in the previous block was completed and its remaining amount after issuance in the current block is completed;
13) Generate the zero-knowledge proof $\pi_i := Prove(pk_{proof}, x_i, a_i)$.
Further, after obtaining the transaction $tx$ from the block, the verifier verifies the validity of all issuance transactions in the block to which the transaction refers by the following steps:
21) The verifier extracts from the transaction $tx$ the reference to the previous block and finds the trusted-proof transaction of that block; if $old = 0$ it finds the original commitment transaction instead and extracts the initial remaining-amount commitments from it;
22) The verifier extracts from $tx$ the reference to the current block and finds the issuance transactions $tx_1 \ldots tx_j$ in that block;
24) Computes $b_i := Verify(vk_{proof}, x_i, \pi_i)$; if verification succeeds $b_i = 1$, otherwise $b_i = 0$;
25) Outputs $b_A \wedge b_B$; if the output equals 1, the issuance transactions in block $new$ are judged to be within the legal range.
Further, the verifier is an issuing bank or a user.
Compared with the prior art, the invention has the following positive effects:
1. The invention designs a range-proof cryptographic algorithm using the ideas of multi-receiver signcryption and a certificateless public key cryptosystem. The algorithm ensures that the issuance operation of central bank digital currency meets the requirements of central bank authority, controllable issue amount, dynamic hiding of identity information and confidentiality of the issue amount, with high security and efficiency.
2. The invention designs a trusted issue-quantity proof algorithm using non-interactive zero-knowledge proof technology. The algorithm realises trusted issuance: any participating node in the blockchain (including users) can verify whether the issue amount of each issuing bank is within its issue range without sensitive information such as the identity of the issuing bank and the issue amount being revealed. This property lets central bank digital currency inherit the advantage of ordinary cryptocurrency in preventing large-scale currency inflation and gives the public the right to supervise the issue quantity of each issuing bank, which is beneficial to the adoption and circulation of central bank digital currency.
3. Comparison experiment: the test environment is a four-core system running Ubuntu 16.04 with 16 GB DDR3 1600 MHz memory and a 7-4790 CPU at 3.6 GHz; the two algorithms were implemented in C++ and tested. For the range-proof algorithm, encryption of a plaintext takes 3 ms, decryption takes 4 ms, and the ciphertext length is 457 bytes; for the trusted issue-proof algorithm, verifying the evidence takes only 9 ms, and the evidence has a fixed size of 288 bytes. The scheme therefore runs at millisecond speed, performs well, can meet practical application needs and has strong practicability.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings.
Module one: Range-proof cryptographic algorithm
Describing the range-proof cryptographic algorithm: the private key of the issuing bank is $SK=(sk_1, sk_x)$, where $sk_1$ is the partial private key generated by the central bank from the identity information of the issuing bank, and $sk_x$ is the private key transformed for each dynamic hiding of the identity on the blockchain. The public key corresponding to $SK$ is $PK=(pk_1, pk_x)$; $pk_1$ is generated from $sk_1$ and $pk_x$ from $sk_x$. The pair $(sk_1, pk_1)$ is the identity authentication key pair: the public key $pk_1$ stays unchanged, only the issuing bank and the central bank know it, and it is bound to the identity of the issuing bank. The pair $(sk_x, pk_x)$ is a conventional blockchain key pair whose dynamic hiding is controlled by the issuing bank, each hiding being one transformation of $(sk_x, pk_x)$.
The algorithm comprises the following steps:
1) System set-up
Input the security parameter $\lambda$; the central bank selects a base field $F_q$, where $q$ is a large prime and $q > 2^{\lambda}$, an elliptic curve $E(F_q)$ defined over $F_q$, and a generator $P$ of $E(F_q)$ whose order is a large prime $n$. The central bank then selects six hash functions, among them $H_1: E(F_q)\times E(F_q)\to\{0,1\}^w$ and $H_2, H_3, H_4: \{0,1\}^w\to\{0,1\}^w$, where $w$ is a positive integer and the integer cyclic group from which private keys are drawn has maximum value $n-1$. The central bank also selects a symmetric encryption function $E_{sk}()$ and the corresponding decryption function $D_{sk}()$, where $sk$ denotes a symmetric key. Next, the central bank generates its own public-private key pair $(s_c, P_c)$ with public key $P_c = s_c P$, and a second public-private key pair $(s_{c2}, P_{c2})$ with public key $P_{c2} = s_{c2} P$. Finally, the central bank publishes the public parameters $pp=\{q, E(F_q), n, P_c, P_{c2}, H_0, H_1, H_2, H_3, H_4, H_5, E, D\}$ and specifies the issue amount of each issuing bank.
2) Extracting part of private key
With the identity $ID\in\{0,1\}^*$ of issuing bank A as input, the central bank computes $QID = H_0(ID)$, the identity authentication private key $sk_A = s_c\cdot QID$ of issuing bank A and the identity authentication public key $PK_A = sk_A P$. The central bank then sends the identity authentication key pair $(sk_A, PK_A)$ to issuing bank A over a secure channel.
3) Setting a full private key
Issuing bank A randomly selects $sk_x$ from the integer cyclic group with maximum value $n-1$ and computes $PK_x = sk_x P$, used as the blockchain key pair for this issuance. The complete private key of issuing bank A is $(sk_A, sk_x)$ and the complete public key is $(PK_A, PK_x)$. The identity authentication key pair $(sk_A, PK_A)$ is fixed and is not disclosed on the blockchain, while the key pair $(sk_x, PK_x)$ changes with every issuance, which achieves dynamic hiding of the identity on the blockchain.
4) Signcryption of issue volume
The goal is that the issue amount $v$ of issuing bank A is kept secret on the blockchain but is readable by the central bank and issuing bank A; with multi-receiver signcryption the ciphertext can be decrypted by both the central bank and issuing bank A. The private key of issuing bank A is $(sk_A, sk_x)$ and its public key is $(PK_A, PK_x)$; the public key of the central bank is $(P_c, P_{c2})$. Issuing bank A obtains the ciphertext $CT$ for the issue amount $v$ and the identity information $PK_A$ by the following operations:
a) Randomly select $\sigma\in\{0,1\}^w$ and compute $r = H_1(\sigma, PK_A)$, $U = r\cdot P$.
b) Compute $F_A = r\cdot PK_x$, $K_A = r\cdot PK_A$ and $T_A = H_1(K_A, F_A)$, $F_c = r\cdot P_{c2}$, $K_c = r\cdot P_c$ and $T_c = H_1(K_c, F_c)$.
c) Compute $C_i$ for $i\in\{A, c\}$, where $\|$ denotes the concatenation operation; A denotes the issuing bank and c the central bank, that is, $C_A$ and $C_c$ are computed separately for the issuing bank and for the central bank.
d) Compute the symmetric key $sk = H_4(\sigma)$, and $V = E_{sk}(v)$, $\Gamma = E_{sk}(PK_A)$.
e) Compute $H = H_5(U, V, \Gamma, PK_A, PK_x)$, $H' = H_6(U, V, \Gamma, PK_A, PK_x)$, $W = sk_A + r\cdot H + sk_x\cdot H'$, $\Lambda = H_5(v, \sigma, C_A, C_c, V, \Gamma, U, W)$.
f) Set the ciphertext $CT = \langle (C_A, C_c), V, \Gamma, W, U, \Lambda\rangle$ and the issuance transaction $tx = (PK_x, CT, \Delta)$, where $\Delta$ denotes the data structure that must be implemented to prevent malleability attacks, such as a signature over the transaction. Issuing bank A publishes the issuance transaction $tx$ to the blockchain.
5) Decryption of release amount
The central bank first extracts the ciphertext $CT = \langle (C_A, C_c), V, \Gamma, W, U, \Lambda\rangle$ from the issuance transaction $tx$ published on the blockchain; the central bank and issuing bank A can then use their private keys (taking the central bank as the example, $(s_c, s_{c2})$) to perform the following operations:
a) Compute $K = s_c\cdot U$, $F = s_{c2}\cdot U$, $T = H_1(K, F)$ and $H_2(T)$.
b) Using $H_2(T)$, find $Y$ from $C_i = H_2(T)\,\|\,Y$ ($i\in\{A, c\}$); $Y$ is the remainder of $C_i$ after removing $H_2(T)$. The central bank and the issuing bank each match only the ciphertext component belonging to them during decryption: the central bank matches $C_c$ and the issuing bank matches $C_A$. Taking the central bank as the example, only $C_c$ needs to be taken and $H_2(T)$ removed from it, the remainder being $Y$; for example, if $C_c = 1001$ and $H_2(T) = 10$, then $Y = 01$.
d) Set $sk' = H_4(\sigma)$, $v' = D_{sk'}(V)$, $PK_A' = D_{sk'}(\Gamma)$, $H = H_5(U, V, \Gamma, PK_A', PK_x)$, $H' = H_5(U, V, \Gamma, PK_A', PK_x)$, $\Lambda' = H_5(v', \sigma, C_A, C_c, V, \Gamma, U, W)$.
e) The central bank looks up the issuing bank corresponding to $PK_A'$ and determines whether the transaction was initiated by a legitimate issuing bank; if $\Lambda' = \Lambda$ and $PK_A' + U\cdot H + PK_x\cdot H' = P\cdot W$, the issue amount $v$ and the issuing bank identity $PK_A$ have not been tampered with; otherwise the result is "rejected".
f) For efficiency (so that the central bank need not traverse the blocks) and for publicly verifiable use, the central bank maintains a remaining-issue commitment for each issuing bank (detailed under the trusted issue-proof algorithm), determines whether the issuing bank has sufficient issue amount remaining, updates the commitment if so, and otherwise "refuses".
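As an added example (not code from the patent), the following Python models the central bank's tamper check of step e): the scalar $W = sk_A + r\cdot H + sk_x\cdot H'$ produced by the issuing bank in step e) of signcryption must satisfy $PK_A' + U\cdot H + PK_x\cdot H' = P\cdot W$, and any substitution of the recovered identity or alteration of the amount ciphertext breaks the equation. Assumptions: secp256k1 stands in for $E(F_q)$, tagged SHA-256 stands in for $H_0$, $H_1$, $H_5$ and $H_6$ (with $H_6$ used for $H'$ on both sides, as in the signcryption step), the symmetric ciphertexts $V$ and $\Gamma$ and the parts $C_A$, $C_c$ are not modelled and are passed in as constructed bytes, and the bank identities are constructed.

```python
import hashlib
import secrets

# secp256k1 is assumed as E(F_q) with generator P of prime order n (the patent fixes no curve).
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_q; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt, with k reduced mod n."""
    result, addend, k = None, pt, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def _enc(x):
    """Fixed-width encoding of bytes, scalars and curve points for hashing."""
    if isinstance(x, bytes):
        return x
    if isinstance(x, int):
        return x.to_bytes(32, "big")
    return x[0].to_bytes(32, "big") + x[1].to_bytes(32, "big")


def h_scalar(tag, *parts):
    """Stand-in for H_0, H_1, H_5, H_6: tagged SHA-256 mapped into [1, n-1] (assumption)."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(_enc(part))
    return int.from_bytes(h.digest(), "big") % N or 1


def central_bank_setup():
    """Step 12): master private key s_c and public key P_c = s_c*P."""
    s_c = secrets.randbelow(N - 1) + 1
    return s_c, ec_mul(s_c, P)


def extract_partial_key(s_c, bank_id):
    """Step 13): QID = H_0(ID), sk_A = s_c*QID, PK_A = sk_A*P."""
    sk_a = s_c * h_scalar(b"H0", bank_id) % N
    return sk_a, ec_mul(sk_a, P)


def sign_issue(sk_a, pk_a, sk_x, pk_x, v_ct, gamma_ct, sigma):
    """Steps a) and e) of signcryption: r = H_1(sigma, PK_A), U = r*P,
    W = sk_A + r*H + sk_x*H'.  v_ct / gamma_ct are the ciphertexts V and Gamma of step d)."""
    r = h_scalar(b"H1", sigma, pk_a)
    u = ec_mul(r, P)
    h = h_scalar(b"H5", u, v_ct, gamma_ct, pk_a, pk_x)
    h_prime = h_scalar(b"H6", u, v_ct, gamma_ct, pk_a, pk_x)
    return u, (sk_a + r * h + sk_x * h_prime) % N


def central_bank_check(pk_a_recovered, pk_x, v_ct, gamma_ct, u, w):
    """Step e) of decryption: accept only if PK_A' + U*H + PK_x*H' == P*W,
    where PK_A' is the identity the central bank recovered from Gamma (passed in directly here)."""
    h = h_scalar(b"H5", u, v_ct, gamma_ct, pk_a_recovered, pk_x)
    h_prime = h_scalar(b"H6", u, v_ct, gamma_ct, pk_a_recovered, pk_x)
    lhs = ec_add(ec_add(pk_a_recovered, ec_mul(h, u)), ec_mul(h_prime, pk_x))
    return lhs == ec_mul(w, P)


def demo():
    """Returns (honest tx accepted, identity-substituted tx accepted, amount-altered tx accepted)."""
    s_c, _ = central_bank_setup()
    sk_a, pk_a = extract_partial_key(s_c, b"BANK-A")   # constructed identities
    _, pk_b = extract_partial_key(s_c, b"BANK-B")
    sk_x = secrets.randbelow(N - 1) + 1                  # step 14): fresh blockchain key pair
    pk_x = ec_mul(sk_x, P)
    sigma = secrets.token_bytes(32)
    v_ct, gamma_ct = b"<constructed V>", b"<constructed Gamma>"  # stand-ins for E_sk(v), E_sk(PK_A)
    u, w = sign_issue(sk_a, pk_a, sk_x, pk_x, v_ct, gamma_ct, sigma)
    honest = central_bank_check(pk_a, pk_x, v_ct, gamma_ct, u, w)
    substituted = central_bank_check(pk_b, pk_x, v_ct, gamma_ct, u, w)
    altered = central_bank_check(pk_a, pk_x, b"<altered V>", gamma_ct, u, w)
    return honest, substituted, altered
```

Only the signature relation is exercised; recovering $PK_A'$ and $v'$ from $\Gamma$ and $V$ (steps b) to d)) is left out because the construction of $C_A$, $C_c$ is not given on the page.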
Second module: trusted issuance verification algorithm
The trusted issuance verification algorithm is described next. Its main idea is that a user, without learning the issuer's identity or the issuing amount, can verify the legitimacy of the issuing amounts of the issuing transactions in a block and judge whether an issuing bank has over-issued, and can therefore trust the issuing bank. The following description involves the central bank C; the issuing banks i (i ∈ {A, B}); the remaining-issuance commitment list maintained and published by the central bank, List_i = HASH(PK_i ‖ HASH_head ‖ Balance_i), where PK_i is the authentication public key of issuing bank i (not disclosed externally), HASH_head is the hash of the block containing the issuing transactions (it supplies randomness to the commitment, so that an issuing bank with no issuing transaction in the block cannot be picked out by an unchanged commitment) and Balance_i is the remaining issuance amount of bank i; and the user.
When an issuing bank publishes an issuing transaction, the central bank verifies the legality of the issuing amount in that transaction and, for the block containing it, generates a trusted-proof transaction that contains a non-interactive zero-knowledge proof and the new remaining-issuance commitment of the issuing bank. A user can then verify the legality of the issuing amounts of the issuing transactions in that block without knowing which issuing bank they came from and without the issuing amounts being revealed.
To simplify the description, let old denote the previous block containing issuing transactions and new the current block, whose issuing transactions are tx_1 … tx_j, j being the number of issuing transactions in the block. The algorithm uses the Pinocchio protocol proposed by Bryan Parno et al. as its non-interactive zero-knowledge proof; its details are not repeated here. For simplicity, assume there are two issuing banks i (i ∈ {A, B}). The algorithm is as follows:
1) System setup
The central bank takes the security parameter λ as input, generates a Circuit of security level λ that satisfies the trusted-issuance proof of issuing transactions, generates the proving key and verification key (pk_proof, vk_proof) := KeyGen(1^λ, Circuit), and publishes the security parameter λ, the trusted Circuit, the proving key pk_proof and the verification key vk_proof.
2) Initializing the list of issuing-bank remaining amounts
The central bank allocates a total issuance amount Sum_i to each issuing bank i (i ∈ {A, B}) and then initiates a commitment transaction whose contents include the initial remaining-amount list List_i of the issuing banks (the initial remaining amount being the allocated total Sum_i), where HASH_head is the hash value of the most recent block in the longest blockchain at the time the commitment transaction is initiated. The list reveals neither the identity of the issuer nor the remaining amount.
3) Generating the trusted proof for issuing transactions
The central bank monitors the blockchain. When issuing transactions appear in a new block new and all of them pass the range-proof algorithm, the central bank obtains the issuing amounts v_i via the range-proof algorithm, computes the new remaining-issuance commitments List_i^new of the issuing banks, and generates two zero-knowledge proofs π_i (i ∈ {A, B}) as follows:
a) Let tx_j be the j-th issuing transaction, List_i^old the remaining-amount commitment of issuing bank i after issuance in the previous block was completed, HASH_head^old the header hash of the previous block (the same block that List_i^old refers to) and HASH_head^new the header hash of the current block (the same block that List_i^new refers to).
b) Set the public input x_i and the private input a_i, where (s_c, s_c2) is the private key of the central bank, Balance_i^old is the remaining amount of issuing bank i after issuance in the previous block was completed and Balance_i^new is its remaining amount after issuance in the current block is completed.
c) Generate the zero-knowledge proof π_i := Prove(pk_proof, x_i, a_i), where x_i is the public input and a_i the private input, i.e. the witness, for i ∈ {A, B}.
d) Generate the trusted-proof transaction by packaging the information with CCFL and broadcast it; δ denotes the data structure needed to prevent malleability attacks, such as a signature over the transaction.
4) Verifying the trusted proof
After the user obtains the trusted-proof transaction tx from the block, the issuing amounts of the issuing banks can be verified as follows:
a) Extract HASH_head^old from tx and find the trusted-proof transaction of the corresponding block (if old = 0, find the initial commitment transaction instead); extract List_i^old from it.
b) Extract HASH_head^new from tx and find the issuing transactions tx_1 … tx_j in the corresponding block, j being the total number of issuing transactions in that block.
d) Compute b_i := Verify(vk_proof, x_i, π_i); b_i = 1 if verification succeeds, otherwise b_i = 0.
e) Output b_A ∧ b_B. If the output is 1, the user is assured that the issuing transactions in block new are within the legal range.
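As an added illustration (not code from the patent or its authors), the following Python model works through steps 2) to 4): the commitment List_i = HASH(PK_i ‖ HASH_head ‖ Balance_i), the central bank's per-block update with refusal on over-issuance, and the user's check that chains each List_i^old to the previous trusted-proof (or initial) commitment before outputting b_A ∧ b_B. SHA-256, the 16-byte balance encoding, the IssueTx/Statement/Witness structures and the sample blocks are all assumptions; the Pinocchio Prove/Verify pair is replaced by a transparent stand-in that hands the witness to the verifier, so the model shows the relation the circuit must enforce, not zero knowledge.

```python
import hashlib
from dataclasses import dataclass, replace

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def commit(pk: bytes, head_hash: bytes, balance: int) -> bytes:
    """List_i = HASH(PK_i || HASH_head || Balance_i) from the description.
    SHA-256 and a 16-byte big-endian balance encoding are assumptions."""
    if balance < 0:
        raise ValueError("remaining amount cannot be negative")
    return H(pk, head_hash, balance.to_bytes(16, "big"))

@dataclass(frozen=True)
class IssueTx:
    """Constructed stand-in for tx_j; only the central bank recovers (PK_i, v)."""
    issuer_pk: bytes
    amount: int

@dataclass(frozen=True)
class Statement:   # x_i: what the verifier sees (no PK_i, no amounts)
    head_old: bytes
    head_new: bytes
    list_old: bytes
    list_new: bytes
    n_tx: int

@dataclass(frozen=True)
class Witness:     # a_i: the central bank's private input
    pk: bytes
    balance_old: int
    amounts: tuple  # one entry per tx_j; 0 for transactions of other issuers

def relation(x: Statement, a: Witness) -> bool:
    """Statement the trusted Circuit must enforce for issuer i (assumed form)."""
    if len(a.amounts) != x.n_tx or any(v < 0 for v in a.amounts):
        return False
    spent = sum(a.amounts)
    if spent > a.balance_old:            # over-issuance: no valid proof exists
        return False
    return (commit(a.pk, x.head_old, a.balance_old) == x.list_old
            and commit(a.pk, x.head_new, a.balance_old - spent) == x.list_new)

def prove(x: Statement, a: Witness):
    """Stand-in for Prove(pk_proof, x_i, a_i). NOT zero-knowledge: it returns
    the witness itself; a deployment uses Pinocchio or another zk-SNARK here."""
    return a if relation(x, a) else None

def verify(x: Statement, pi) -> int:
    """Stand-in for Verify(vk_proof, x_i, pi_i); returns b_i in {0, 1}."""
    return int(pi is not None and relation(x, pi))

class CentralBank:
    def __init__(self, issuers: dict, genesis_head: bytes):
        self._state = dict(issuers)  # i -> (PK_i, Balance_i); never published
        self.head = genesis_head     # HASH_head of the latest committed block
        # step 2): initial commitment transaction with Balance_i = Sum_i
        self.commitments = {i: commit(pk, genesis_head, bal)
                            for i, (pk, bal) in issuers.items()}

    def process_block(self, head_new: bytes, txs: list):
        """Step 3): build the trusted-proof transaction, or refuse (None)."""
        proof_tx, new_state = {}, {}
        for i, (pk, bal) in self._state.items():
            amounts = tuple(t.amount if t.issuer_pk == pk else 0 for t in txs)
            spent = sum(amounts)
            if spent > bal:
                return None          # "refuse": issuer i exceeds its remaining quota
            x = Statement(self.head, head_new, self.commitments[i],
                          commit(pk, head_new, bal - spent), len(txs))
            proof_tx[i] = (x, prove(x, Witness(pk, bal, amounts)))
            new_state[i] = (pk, bal - spent)
        self._state, self.head = new_state, head_new   # commit only if all passed
        self.commitments = {i: x.list_new for i, (x, _) in proof_tx.items()}
        return proof_tx

def user_verify(proof_tx: dict, prev_commitments: dict, n_tx: int) -> int:
    """Step 4): chain List_i^old to the previous trusted-proof (or initial)
    commitments and check the transaction count, then output b_A AND b_B."""
    for i, (x, _) in proof_tx.items():
        if prev_commitments.get(i) != x.list_old or x.n_tx != n_tx:
            return 0
    return int(all(verify(x, pi) for x, pi in proof_tx.values()))

def demo() -> dict:
    """Constructed scenario: A is allocated 100, B is allocated 50."""
    A, B = b"pk-A", b"pk-B"
    h0, h1, h2 = H(b"block0"), H(b"block1"), H(b"block2")
    cb = CentralBank({"A": (A, 100), "B": (B, 50)}, h0)
    initial = dict(cb.commitments)
    block1 = [IssueTx(A, 30), IssueTx(B, 50), IssueTx(A, 50)]  # A: 80, B: 50
    tx1 = cb.process_block(h1, block1)
    ok1 = user_verify(tx1, initial, len(block1))
    # an adversary swaps A's new commitment; the proof no longer matches x_A
    xA, piA = tx1["A"]
    forged = dict(tx1, A=(replace(xA, list_new=H(b"forged")), piA))
    ok_forged = user_verify(forged, initial, len(block1))
    # block 2: A has 20 left but tries to issue 40; the central bank refuses
    tx2 = cb.process_block(h2, [IssueTx(A, 40)])
    return {"block1_ok": ok1, "forged_ok": ok_forged, "block2_refused": tx2 is None,
            "balances": {i: bal for i, (_, bal) in cb._state.items()}}
```

Running `demo()` gives block1_ok = 1, forged_ok = 0, block2_refused = True and balances A = 20, B = 0. The verifier never handles PK_i or an amount; it only recomputes hashes and the proof stand-in, which is exactly the surface a real zk-SNARK verifier would expose.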
The precondition of the algorithm's zero-knowledge proof is that the central bank has published an initial issuance commitment; the trusted transaction verified by the user then decides, relative to that commitment, whether the issuing bank's issuance lies within the initially committed range. If the central bank needs to increase an issuing bank's issuance dynamically, it publishes an issuance commitment again as in step 2; the difference from the initialization commitment is that the block hash value used in the dynamic issuance commitment is that of the most recent trusted transaction.
Through the range-proof cryptographic algorithm and the trusted issuance-amount proof algorithm, the issuing banks can dynamically hide their identity without revealing the issuing amount, and a user can verify the validity of an issuing bank's behaviour while being unable to tell which issuing bank an issuing transaction belongs to, unable to read the issuing amount, and without knowing the total issuance.
Although the specific details, algorithms for implementation, and figures of the present invention have been disclosed for illustrative purposes to aid in understanding the contents of the present invention and the implementation thereof, it will be appreciated by those skilled in the art that: various alternatives, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should not be limited to the preferred embodiments of the present description and the disclosure of the drawings, but the scope of the invention is defined by the claims.
Claims (5)
1. A digital currency issue total amount verification method, comprising the steps:
1) The central bank generates, from the security parameter λ, a Circuit of security level λ that satisfies the trusted proof of issuing transactions, generates the proving key pk_proof and the verification key vk_proof, (pk_proof, vk_proof) := KeyGen(1^λ, Circuit), and publishes the security parameter λ, the trusted Circuit, the proving key pk_proof and the verification key vk_proof;
2) The central bank allocates a total issuance amount Sum_i to each configured issuing bank i and then initiates a commitment transaction containing the initial remaining-amount list List_i of issuing bank i, where HASH_head is the hash value of the most recent block in the longest blockchain at the time the commitment transaction is initiated and PK_i is the complete public key of issuing bank i;
3) The central bank monitors the blockchain; when a new block new is found to contain issuing transactions, it obtains the issuing amounts v_i from those transactions, computes the new remaining-amount commitments List_i^new of the issuing banks and generates a plurality of non-interactive zero-knowledge proofs, π_i being the non-interactive zero-knowledge proof for issuing bank i; it then packs the non-interactive zero-knowledge proofs and the updated remaining-issuance commitments of the issuing banks into a transaction tx and publishes it;
4) After obtaining the transaction tx from the block, the verifier verifies the validity of all issuing transactions in the block to which tx refers.
2. The method of claim 1, wherein the zero-knowledge proof π_i is generated as follows:
11) Let tx_j be the j-th issuing transaction and List_i^old the remaining-amount commitment of issuing bank i after issuance in the previous block was completed;
12) Set the public input x_i and the private input a_i, where (s_c, s_c2) is the private key of the central bank, Balance_i^old is the remaining amount of issuing bank i after issuance in the previous block was completed and Balance_i^new is its remaining amount after issuance in the current block is completed;
13) Generate the zero-knowledge proof π_i := Prove(pk_proof, x_i, a_i).
3. The method of claim 1 or claim 2, wherein, after the verifier has obtained the transaction tx from the block, the validity of all issuing transactions in the block to which tx refers is verified as follows:
21) The verifier extracts HASH_head^old from the transaction tx and finds the trusted-proof transaction of the corresponding block (if old = 0, the initial commitment transaction), and extracts List_i^old from it;
22) Extract HASH_head^new from tx and find the issuing transactions tx_1 … tx_j in the corresponding block;
24) Compute b_i := Verify(vk_proof, x_i, π_i); b_i = 1 if verification succeeds, otherwise b_i = 0;
25) Output b_A ∧ b_B; if the output is 1, the issuing transactions in block new are judged to be within the legal range.
5. The method of claim 1, wherein the verifier is an issuing bank or a user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911240879.6A CN110992010B (en) | 2019-12-06 | 2019-12-06 | Digital currency issue total amount control method and verification method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110992010A CN110992010A (en) | 2020-04-10 |
CN110992010B true CN110992010B (en) | 2023-05-16 |
Family
ID=70090650
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911240879.6A Active CN110992010B (en) | 2019-12-06 | 2019-12-06 | Digital currency issue total amount control method and verification method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110992010B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114285546B (en) * | 2021-11-24 | 2023-12-12 | 淮阴工学院 | Heterogeneous signcryption communication method applicable to vehicle-mounted ad hoc network |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110383311A (en) * | 2018-11-07 | 2019-10-25 | 阿里巴巴集团控股有限公司 | Supervise the transaction of block chain secret |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10521776B2 (en) * | 2002-10-01 | 2019-12-31 | Andrew H B Zhou | UN currency (virtual payment cards) issued by central bank or other issuer for mobile and wearable devices |
US20150356523A1 (en) * | 2014-06-07 | 2015-12-10 | ChainID LLC | Decentralized identity verification systems and methods |
US11816642B2 (en) * | 2017-03-20 | 2023-11-14 | Steven Victor Wasserman | Blockchain digital currency: systems and methods for use in enterprise blockchain banking |
CN113904785A (en) * | 2017-05-16 | 2022-01-07 | 江峰 | Multi-center finite-area block chain authentication system with ownership currency issuing mechanism and block chain issuing mechanism |
CN107392605A (en) * | 2017-06-26 | 2017-11-24 | 中国人民银行数字货币研究所 | The distributing method and system of digital cash |
CN108765129B (en) * | 2018-05-17 | 2019-08-23 | 北京众享比特科技有限公司 | The distribution of traditional bank assets and system for settling account and method based on block chain |
CN109191123B (en) * | 2018-08-10 | 2022-08-12 | 中国人民银行数字货币研究所 | Digital currency agency issuing limit control system and method |
Non-Patent Citations (1)
Title |
---|
Omar Abdulkader et al. IBMSDC: Intelligent Blockchain based Management System for protecting Digital Currencies Transactions. 2019 Third World Conference on Smart Trends in Systems Security and Sustainablity (WorldS4), 2019, full text. * |
Also Published As
Publication number | Publication date |
---|---|
CN110992010A (en) | 2020-04-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6446052B1 (en) | Digital coin tracing using trustee tokens | |
Law et al. | How to make a mint: the cryptography of anonymous electronic cash | |
EP0786178B1 (en) | Secret-key certificates | |
Yi et al. | A new blind ECDSA scheme for bitcoin transaction anonymity | |
Tomescu et al. | Utt: Decentralized ecash with accountable privacy | |
Chen et al. | A novel electronic cash system with trustee-based anonymity revocation from pairing | |
CN1108041C (en) | Digital signature method using elliptic curve encryption algorithm | |
Zhang et al. | Provably-secure electronic cash based on certificateless partially-blind signatures | |
CN107908932B (en) | Digital currency anti-counterfeiting and verification method, system and equipment based on L algorithm | |
Jacobson et al. | Mix-based electronic payments | |
JP2002534701A (en) | Auto-recoverable, auto-encryptable cryptosystem using escrowed signature-only keys | |
CN110599164B (en) | Supervision-capable quick payment method for any payee under chain | |
CN113468570A (en) | Private data sharing method based on intelligent contract | |
CN106506165A (en) | Fictitious assets anonymity sort method based on homomorphic cryptography | |
Naganuma et al. | Auditable zerocoin | |
Cao et al. | Strong anonymous mobile payment against curious third-party provider | |
Ni et al. | Dual-anonymous off-line electronic cash for mobile payment | |
JPH11508707A (en) | Restricted blind certificate on private key | |
CN110992010B (en) | Digital currency issue total amount control method and verification method | |
CN111539719B (en) | Audit coin-mixing service method and system model based on blind signature | |
Verbücheln | How perfect offline wallets can still leak bitcoin private keys | |
Sakalauskas et al. | A simple off-line E-cash system with observers | |
Juels | Trustee tokens: Simple and practical anonymous digital coin tracing | |
CN111262844A (en) | Privacy protection method based on cryptographic technology | |
CN114399307B (en) | Computer transaction method for blockchain privacy |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||