CN111340488B - Method and device for generating manageable secret transaction amount - Google Patents


Info

Publication number: CN111340488B
Application number: CN202010108717.3A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111340488A
Inventors: 张凡, 林齐平, 刘海英, 高胜, 窦国威, 段伟民, 孙登峰
Current assignee: Xingtang Telecommunication Technology Co ltd; Data Communication Science & Technology Research Institute
Original assignee: Xingtang Telecommunication Technology Co ltd; Data Communication Science & Technology Research Institute
Legal status: Active (application granted)

Classifications

All four classifications fall under G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES › G06Q20/00 Payment architectures, schemes or protocols › G06Q20/38 Payment protocols; Details thereof:

    • G06Q20/382 Payment protocols insuring higher security of transaction
    • G06Q20/3829 Payment protocols insuring higher security of transaction, involving key management
    • G06Q20/3827 Payment protocols insuring higher security of transaction, use of message hashing
    • G06Q20/401 Transaction verification (under G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; review and approval of payers)


Abstract

The application relates to a method and device for generating a manageable (supervisable) confidential transaction amount, belongs to the technical field of blockchain, and addresses the following problems of the prior art: transaction generation time is long, supervision is impossible, every transaction is generated by the transaction sender, and the transaction receiver cannot generate the transaction amount. The method includes: a generating party generates the confidential transaction amount; a verifying party receives and verifies the confidential transaction amount; and a supervision center supervises the confidential transaction amount, where the generating party is one of the sender and receiver of the transaction and the verifying party is the other. Under privacy protection, the confidential transaction amount can be generated flexibly by either the transaction sender or the transaction receiver, and the supervision center can supervise the confidential transaction amount.

Description

Technical Field
The application relates to the technical field of blockchains, in particular to a method and device for generating a manageable confidential transaction amount.
Background
Digital currency has the advantages of decentralization, distributed bookkeeping, anonymous user identity and the like, but its transaction amounts are transmitted in the clear, which severely limits the range of applications of such digital currency. Later virtual cryptocurrencies use cryptographic techniques (such as ring signatures or other special digital signatures, commitments, zero-knowledge proofs, homomorphic encryption, etc.) to solve the privacy protection problem of transactions. For example, one digital currency uses Borromean ring signatures and Pedersen commitments to conceal the transaction amount, while another uses zk-SNARKs, a non-interactive zero-knowledge proof scheme, to conceal both the transaction identities and the transaction amount.
The blockchain is the supporting technology of cryptocurrency: a chained data structure is used to verify and store data, and a distributed consensus mechanism is used to generate and update data, which ensures state consistency among the honest nodes of the whole network. Decentralization, verifiability and tamper resistance are fundamental attributes of blockchain technology. With intensive research on blockchain technology and discussion of its possible application scenarios, the problem of protecting data privacy has become particularly important. In blockchain systems, privacy protection mainly has two aspects: anonymity and confidentiality. Anonymity refers to concealing the identities of the transaction initiator and the transaction recipient; confidentiality refers to concealing the transaction amount. Current digital currency systems provide only weak anonymity for transactions, i.e., the true identities of the transaction initiator and recipient are unlinked from the corresponding public keys. While some digital currencies can solve the privacy protection problem, the proof length of one of them is relatively large, while another requires the participation of a trusted third party and its proof generation time is too long.
The cryptographic techniques currently used by one of these digital currencies include ring signatures, commitments, Bulletproofs, and the like. This digital currency is designed for decentralization and complete anonymity, so its full privacy protection technology has no supervision function. Its amount hiding is proven using Pedersen commitments and Bulletproofs range proofs. Its ring signature technique hides the real unspent transaction output (UTXO) being spent, and the number of unspent transaction outputs in the signature equals the ring size. The more unspent transaction outputs a transaction references, the greater the transaction length, generation time and verification time.
The cryptographic technique currently used by the other digital currency is mainly zk-SNARK technology. It commits to the amount with a hash: each transaction output is a commitment to the amount and the receiving public key, and each input is a double-spend marker, namely a commitment to the amount of some unspent transaction output together with the private key corresponding to its public key.
To hide which unspent transaction output commitment is being spent, this digital currency uses a Merkle tree: each confirmed transaction output commitment is a leaf node, a Merkle tree is built over them, and only the root is disclosed; the leaf together with the sibling nodes needed to recompute the root serves as the authentication path of that leaf. Consequently, the more transactions are confirmed, the greater the height of the Merkle tree, and the larger the public key and the longer the generation time required to generate a transaction. zk-SNARK techniques additionally require a trusted third party and pre-computation. Although transaction verification time is very short (5.6 ms) and the transaction is short, the transaction generation time (2 min 2 s) and the amount of public key material required for generation (896 MB) are too large.
In addition, in existing digital currencies every transaction is generated by the transaction sender, and the transaction recipient cannot generate the transaction amount.
Disclosure of Invention
In view of the above analysis, embodiments of the present application aim to provide a method and an apparatus for generating a manageable confidential transaction amount, to solve the problems that existing transactions take a long time to generate, cannot be supervised, are always generated by the transaction sender, and cannot have their amount generated by the transaction receiver.
In one aspect, an embodiment of the present application provides a method for generating a manageable confidential transaction amount, including: generating the confidential transaction amount by a generating party; receiving and verifying the confidential transaction amount by a verifying party; and supervising the confidential transaction amount by a supervision center, wherein the generating party is one of the transaction sender and receiver and the verifying party is the other.
The beneficial effects of this technical scheme are as follows: the method for generating a manageable confidential transaction amount provided by the embodiment allows the confidential transaction amount in a digital currency to be generated flexibly by either the transaction sender or the transaction receiver under privacy protection, and allows the supervision center to supervise the confidential transaction amount.
Based on a further improvement of the above method, generating the confidential transaction amount by the generating party comprises: generating an unspent transaction output based on the supervision center public key, the transaction amount and a first random number, wherein the unspent transaction output comprises an encrypted amount; generating a first intermediate variable and a second intermediate variable from the unspent transaction output by replacing the transaction amount and the first random number with a second random number and a third random number, respectively; hashing the supervision center public key, the unspent transaction output, and the first and second intermediate variables, and taking the computed hash value as the commitment value; computing the evidence from the first intermediate variable, the second intermediate variable, the commitment value, the second random number and the third random number; and constructing an amount range proof from the encrypted amount, so as to generate the confidential transaction amount, which comprises the unspent transaction output, the evidence, the commitment value and the amount range proof.
Based on a further improvement of the above method, generating the confidential transaction amount by the generating party comprises: computing the unspent transaction output $(F, C) = (rZ,\ rH_m + vG_m)$, where $C$ is the encrypted amount; computing the first intermediate variable $R_F$ and the second intermediate variable $R_C$ as $R_F = lr\,Z$, $R_C = lr\,H_m + lv\,G_m$; computing the hash value $c = \mathrm{Hash}(G_m \| H_m \| Z \| F \| C \| R_F \| R_C)$; computing $tr = lr - c\,r$ and $tv = lv - c\,v$ to obtain the evidence $(tr, tv, c)$; and constructing the amount range proof $\mathrm{rangeproof}$ from the encrypted amount $C = rH_m + vG_m$, so as to generate the confidential transaction amount $(F, C, tr, tv, c, \mathrm{rangeproof})$. Here $Z \in \mathbb{G}$ is the supervision center public key, $Z = zH_m$ with $z \in_R \mathbb{Z}_q^*$; $H_m$ and $G_m$ are two generators of the prime-order elliptic curve point group $\mathbb{G}$; $r$, $lr$ and $lv$ are the first, second and third random numbers, with $r, lr, lv \in \mathbb{Z}_q$; $v$ is the transaction amount; $tr$ and $tv$ are intermediate variables; $\mathbb{Z}_q^*$ is $\mathbb{Z}_q$ without 0; $q$ is the order of the group $\mathbb{G}$; $\mathbb{Z}_q$ is the ring of integers modulo $q$; $\mathrm{Hash}$ is a collision-resistant hash function; and $\in_R$ denotes an element selected uniformly at random from a set.
The beneficial effects of this further improvement are as follows: in each transaction, either the transaction sender or the transaction receiver can flexibly generate the confidential transaction amount, and compared with the existing ring signature, Merkle tree and zk-SNARK techniques, the generation time of the confidential transaction amount is greatly shortened.
Based on a further improvement of the above method, the verifying party receiving and verifying the confidential transaction amount comprises: the verifying party receives the first random number over a secure channel; and, based on the first random number, the supervision center public key and the unspent transaction output in the confidential transaction amount, it solves a discrete logarithm by exhaustive search to obtain the transaction amount.
Based on a further improvement of the above method, the verifying party receiving and verifying the confidential transaction amount further comprises: computing the second random number and the third random number from the evidence in the confidential transaction amount; computing the first intermediate variable and the second intermediate variable from the supervision center public key, the second random number and the third random number; hashing the supervision center public key, the unspent transaction output in the confidential transaction amount, and the recomputed first and second intermediate variables, and checking whether the computed hash value equals the commitment value in the confidential transaction amount; and checking whether the amount range proof is valid by determining whether the computed transaction amount lies within the range of the range proof.
Based on a further improvement of the above method, the verifying party receiving and verifying the confidential transaction amount comprises: from the unspent transaction output $(F, C) = (rZ,\ rH_m + vG_m)$, solving the discrete logarithm by exhaustive search to obtain the transaction amount $v$; from the evidence $(tr, tv, c)$, computing the second random number $lr$ and the third random number $lv$ from $tr = lr - c\,r$ and $tv = lv - c\,v$ (that is, $lr = tr + c\,r$ and $lv = tv + c\,v$); computing the first intermediate variable $R_F$ and the second intermediate variable $R_C$ as $R_F = lr\,Z$, $R_C = lr\,H_m + lv\,G_m$; computing the hash value $\mathrm{Hash}(G_m \| H_m \| Z \| F \| C \| R_F \| R_C)$ and comparing it with $c$; and determining whether the transaction amount $v$ lies within the range of $\mathrm{rangeproof}$ to verify whether $\mathrm{rangeproof}$ is legal, wherein the confidential transaction amount is $(F, C, tr, tv, c, \mathrm{rangeproof})$; $Z \in \mathbb{G}$ is the supervision center public key, $Z = zH_m$ with $z \in_R \mathbb{Z}_q^*$; $H_m$ and $G_m$ are two generators of the prime-order elliptic curve point group $\mathbb{G}$; $r$ is the first random number and $r, lr, lv \in \mathbb{Z}_q$; the transaction amount $v$ is an integer with $0 \le v < 2^{64}$; $tr$ and $tv$ are intermediate variables; $\mathbb{Z}_q^*$ is $\mathbb{Z}_q$ without 0; $q$ is the order of the group $\mathbb{G}$; $\mathbb{Z}_q$ is the ring of integers modulo $q$; $\mathrm{Hash}$ is a collision-resistant hash function; and $\in_R$ denotes an element selected uniformly at random from a set.
The beneficial effects of the further improved scheme are as follows: in each transaction process, the transaction sender or the transaction receiver verifies the confidential transaction amount, and the transaction generation time for generating the confidential transaction amount by the method is short, so that the verification time of the confidential transaction amount is correspondingly shortened.
Based on a further improvement of the above method, supervising the confidential transaction amount by the supervision center comprises: obtaining the confidential transaction amount from the blockchain; verifying the legitimacy of the confidential transaction amount; and decrypting the unspent transaction output with the supervision center private key.
Based on a further improvement of the above method, verifying the legitimacy of the confidential transaction amount comprises: checking whether the computed hash value equals the commitment value in the confidential transaction amount; and checking whether the amount range proof is valid by determining whether the computed transaction amount lies within the range of the range proof.
Based on a further improvement of the above method, decrypting the unspent transaction output with the supervision center private key comprises: from $F = rZ = r z H_m$, computing the value $rH_m = z^{-1} F$; from $C = rH_m + vG_m$, computing the value $vG_m = C - rH_m$; and from $vG_m$ with $v \in \{0, \ldots, 2^{64}\}$, obtaining the plaintext transaction amount $v$ by direct search, wherein $(F, C)$ is the unspent transaction output in the confidential transaction amount, $Z$ is the supervision center public key and $z$ is the supervision center private key; $r$ is the first random number; and $H_m$ and $G_m$ are two generators of the prime-order elliptic curve point group $\mathbb{G}$.
The beneficial effects of the further improved scheme are as follows: if necessary, the supervision center can perform validity verification and decryption on the confidential transaction amount so as to supervise the confidential transaction amount.
In another aspect, an embodiment of the present application provides a device for generating a manageable confidential transaction amount, comprising: a generation module, located at the generating party, for generating the confidential transaction amount; a verification module, located at the verifying party, for receiving and verifying the confidential transaction amount; and a supervision module, located at the supervision center, for supervising the confidential transaction amount, wherein the generating party is one of the transaction sender and receiver and the verifying party is the other.
Compared with the prior art, the application has at least one of the following beneficial effects:
1. under privacy protection, the method for the first time allows the confidential transaction amount in a digital currency to be generated flexibly by either the transaction sender or the transaction receiver;
2. compared with the existing ring signature, Merkle tree and zk-SNARK techniques, the method shortens the generation time of the confidential transaction amount; and
3. if necessary, the supervision center can perform validity verification and decryption on the confidential transaction amount so as to supervise the confidential transaction amount.
In the application, the technical schemes can be mutually combined to realize more preferable combination schemes. Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the application, like reference numerals being used to refer to like parts throughout the several views.
FIG. 1 is a flow chart of a method of generating a manageable confidential transaction amount according to an embodiment of the present application;
FIG. 2 is a flow chart of a generating party generating a confidential transaction amount according to an embodiment of the present application;
FIG. 3 is a flow chart of a verifying party receiving and verifying a confidential transaction amount according to an embodiment of the present application;
FIG. 4 is a flow chart of a supervision center supervising a confidential transaction amount according to an embodiment of the present application; and
FIG. 5 is a block diagram of a device for generating a manageable confidential transaction amount according to an embodiment of the application.
Reference numerals:
502-a generation module; 504-a verification module; 506-a supervision module;
Detailed Description
The following detailed description of preferred embodiments of the application is made in connection with the accompanying drawings, which form a part hereof, and together with the description of the embodiments of the application, are used to explain the principles of the application and are not intended to limit the scope of the application.
The application discloses a method for generating a manageable confidential transaction amount. As shown in FIG. 1, the method includes: step S102, generating a confidential transaction amount by a generating party, wherein the generating party is one of the transaction sender and the transaction receiver; step S104, receiving and verifying the confidential transaction amount by a verifying party, wherein the verifying party is the other of the transaction sender and receiver; and step S106, supervising the confidential transaction amount by a supervision center.
Compared with the prior art, this method allows the transaction amount in a digital currency to be generated flexibly by either the transaction sender or the transaction receiver under privacy protection, and allows the supervision center to supervise the confidential transaction amount.
Hereinafter, the method of generating a manageable confidential transaction amount is described in detail with reference to FIG. 1 to FIG. 4.
The method of generating a manageable confidential transaction amount comprises step S102, generating a confidential transaction amount by a generating party, wherein the generating party is one of the transaction sender and the transaction receiver. As shown in FIG. 2, generating the confidential transaction amount by the generating party includes: step S202, generating an unspent transaction output based on the supervision center public key, the transaction amount and a first random number, wherein the unspent transaction output comprises an encrypted amount; step S204, generating a first intermediate variable and a second intermediate variable from the unspent transaction output by replacing the transaction amount and the first random number with a second random number and a third random number, respectively; step S206, hashing the supervision center public key, the unspent transaction output, and the first and second intermediate variables, and taking the computed hash value as the commitment value; step S208, computing the evidence from the first intermediate variable, the second intermediate variable, the commitment value, the second random number and the third random number; and step S210, constructing an amount range proof from the encrypted amount to generate the confidential transaction amount, which comprises the unspent transaction output, the evidence, the commitment value and the amount range proof.
Specifically, generating the confidential transaction amount by the generating party includes: computing the unspent transaction output $(F, C) = (rZ,\ rH_m + vG_m)$, where $C$ is the encrypted amount; computing the first intermediate variable $R_F$ and the second intermediate variable $R_C$ as $R_F = lr\,Z$, $R_C = lr\,H_m + lv\,G_m$; computing the hash value $c = \mathrm{Hash}(G_m \| H_m \| Z \| F \| C \| R_F \| R_C)$; computing $tr = lr - c\,r$ and $tv = lv - c\,v$ to obtain the evidence $(tr, tv, c)$; and constructing the amount range proof $\mathrm{rangeproof}$ from the encrypted amount $C = rH_m + vG_m$ to generate the confidential transaction amount $(F, C, tr, tv, c, \mathrm{rangeproof})$. Here $Z \in \mathbb{G}$ is the supervision center public key, $Z = zH_m$ with $z \in_R \mathbb{Z}_q^*$; $H_m$ and $G_m$ are two generators of the prime-order elliptic curve point group $\mathbb{G}$; $r$, $lr$ and $lv$ are the first, second and third random numbers, with $r, lr, lv \in \mathbb{Z}_q$; $v$ is the transaction amount; $tr$ and $tv$ are intermediate variables; $\mathbb{Z}_q^*$ is $\mathbb{Z}_q$ without 0; $q$ is the order of the group $\mathbb{G}$; $\mathbb{Z}_q$ is the ring of integers modulo $q$; $\mathrm{Hash}$ is a collision-resistant hash function; and $\in_R$ denotes an element selected uniformly at random from a set.
The method of generating a manageable confidential transaction amount further comprises step S104, receiving and verifying the confidential transaction amount by a verifying party, wherein the verifying party is the other of the transaction sender and receiver. As shown in FIG. 3, the verifying party receiving and verifying the confidential transaction amount includes: step S302, the verifying party receives the first random number over a secure channel; step S304, based on the first random number, the supervision center public key and the unspent transaction output in the confidential transaction amount, solving the discrete logarithm by exhaustive search to obtain the transaction amount; step S306, computing the second random number and the third random number from the evidence in the confidential transaction amount; step S308, computing the first intermediate variable and the second intermediate variable from the supervision center public key, the second random number and the third random number; step S310, hashing the supervision center public key, the unspent transaction output in the confidential transaction amount, and the recomputed first and second intermediate variables, and checking whether the computed hash value equals the commitment value in the confidential transaction amount; and step S312, verifying whether the amount range proof is legal by determining whether the computed transaction amount lies within the range of the range proof.
Specifically, the verifying party receiving and verifying the confidential transaction amount includes: from the unspent transaction output $(F, C) = (rZ,\ rH_m + vG_m)$, solving the discrete logarithm by exhaustive search to obtain the transaction amount $v$; from the evidence $(tr, tv, c)$, computing the second random number $lr$ and the third random number $lv$ from $tr = lr - c\,r$ and $tv = lv - c\,v$ (that is, $lr = tr + c\,r$ and $lv = tv + c\,v$); computing the first intermediate variable $R_F$ and the second intermediate variable $R_C$ as $R_F = lr\,Z$, $R_C = lr\,H_m + lv\,G_m$; computing the hash value $\mathrm{Hash}(G_m \| H_m \| Z \| F \| C \| R_F \| R_C)$ and comparing it with $c$; and determining whether the transaction amount $v$ lies within the range of $\mathrm{rangeproof}$ to verify whether $\mathrm{rangeproof}$ is legal, wherein the confidential transaction amount is $(F, C, tr, tv, c, \mathrm{rangeproof})$; $Z \in \mathbb{G}$ is the supervision center public key, $Z = zH_m$ with $z \in_R \mathbb{Z}_q^*$; $H_m$ and $G_m$ are two generators of the prime-order elliptic curve point group $\mathbb{G}$; $r$ is the first random number and $r, lr, lv \in \mathbb{Z}_q$; the transaction amount $v$ is an integer with $0 \le v < 2^{64}$; $tr$ and $tv$ are intermediate variables; $\mathbb{Z}_q^*$ is $\mathbb{Z}_q$ without 0; $q$ is the order of the group $\mathbb{G}$; $\mathbb{Z}_q$ is the ring of integers modulo $q$; $\mathrm{Hash}$ is a collision-resistant hash function; and $\in_R$ denotes an element selected uniformly at random from a set.
Compared with the prior art, the method of this embodiment has the confidential transaction amount verified by the transaction sender or the transaction receiver in each transaction, and because the generation time of the confidential transaction amount under this method is short, its verification time is correspondingly shortened.
The generation method of the manageable secret transaction amount further comprises the following steps: and step S106, the confidential transaction amount is supervised by a supervision center. As shown in fig. 4, the supervising center supervising the amount of the confidential transaction includes: step S402, obtaining a secret transaction amount from a blockchain; step S404, verifying the legitimacy of the confidential transaction amount; and step S406, decrypting the non-spent transaction output according to the private key of the monitoring center. Specifically, the present application relates to a method for manufacturing a semiconductor device. Verifying the legitimacy of the encrypted transaction amount includes: verifying whether the calculated hash value is equal to the promised value in the secret transaction amount; and verifying whether the monetary range verification is legal by determining whether the calculated transaction monetary amount is within the monetary range verification.
Specifically, decrypting the unconsumed transaction output based on the monitoring center private key includes: according to the formula f=r=z=r×z×h m Calculating to obtain r.times.H m =z -1 * A value of F; according to c=r×h m +v*G m Calculating to obtain v G m =C-r*H m Is a value of (2); according to v.times.G m V e {0, …,2 64 Obtaining a value of a plaintext transaction amount v through direct searching, wherein (F, C) is the non-spent transaction output in the confidential transaction amount, Z is a public key of a monitoring center, and Z is a private key of the monitoring center; r is a first random number; h m And G m Is two generator elements of prime order elliptic curve point group G.
According to the generation method of the manageable secret transaction amount, if necessary, the supervision center can perform validity verification and decryption on the secret transaction amount so as to supervise the secret transaction amount.
When the payment device or the WeChat is used for daily payment, the transaction amount can be generated by a sender or input by a receiver, but until now, all digital currencies are seen to be not in favor of the method, the transaction amount can only be generated by the transaction sender and sent to the receiver, and the WeChat and the payment device are not privacy-protected and are not real digital currencies. The present application utilizes a new method to generate a transaction amount that can be implemented by either the sender or the recipient of the transaction, while the other party can always verify and calculate the actual transaction amount. The method for generating the transaction amount is flexible and convenient and is closer to daily life experience. Furthermore, since the transaction amount is in a confidential state during the transaction, the confidential state amount can be monitored.
Hereinafter, a method of generating a manageable amount of a close transaction will be described in detail by way of specific examples.
1. Initialization
Let the public key of the supervision center be $Z \in G$, where $Z = z \cdot H_m$ and $z \in_R \mathbb{Z}_q^*$.
2. Generating a confidential transaction amount
Let the transaction amount be $v$; it is privacy-protected as follows:
(1) Randomly select $r \in \mathbb{Z}_q$ and compute $(F, C) = (r \cdot Z,\; r \cdot H_m + v \cdot G_m)$;
(2) Randomly select $lr, lv \in \mathbb{Z}_q$ and compute $R_F = lr \cdot Z$, $R_C = lr \cdot H_m + lv \cdot G_m$;
(3) Compute $c = \mathrm{Hash}(G_m \| H_m \| Z \| F \| C \| R_F \| R_C)$;
(4) Compute $tr = lr - c \cdot r$ and $tv = lv - c \cdot v$, giving the evidence $(tr, tv, c)$;
(5) Construct a range proof from $C = r \cdot H_m + v \cdot G_m$; denote the result rangeproof;
(6) Then $(F, C, tr, tv, c, \mathrm{rangeproof})$ is the confidential, verifiable data for the amount $v$.
3. Verifying a confidential transaction amount
This process may be carried out by the transaction sender or by the transaction receiver. Whichever party generates the confidential transaction amount data must send $r$ to the other party confidentially over a secure channel, and the other party verifies the amount. The verification process is as follows:
(1) After receiving $r$, since $v$ is a relatively small integer, it can either be told by the generator or be obtained from $(F, C) = (r \cdot Z,\; r \cdot H_m + v \cdot G_m)$ by solving the discrete logarithm of $C - r \cdot H_m = v \cdot G_m$ by exhaustive search.
(2) Since the evidence $(tr, tv, c)$ is known, $lr$ and $lv$ are solved from
$tr = lr - c \cdot r$,
$tv = lv - c \cdot v$.
(3) Then compute
$R_F = lr \cdot Z$,
$R_C = lr \cdot H_m + lv \cdot G_m$.
(4) Then check whether $c$ and $\mathrm{Hash}(G_m \| H_m \| Z \| F \| C \| R_F \| R_C)$ are equal.
(5) Finally, verify whether the range proof rangeproof is valid.
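Steps (2) to (4) above need $r$ (and $v$), which only the two transacting parties hold. Substituting $tr = lr - c \cdot r$ and $tv = lv - c \cdot v$ shows that the same hash check can be carried out from the public tuple $(F, C, tr, tv, c)$ alone, which is what a party without $r$, such as the supervision center at step S404, needs. This derivation is added here and is not written out on the page:

$$tr \cdot Z + c \cdot F = (lr - c \cdot r) \cdot Z + c \cdot r \cdot Z = lr \cdot Z = R_F,$$

$$tr \cdot H_m + tv \cdot G_m + c \cdot C = (lr - c \cdot r) \cdot H_m + (lv - c \cdot v) \cdot G_m + c \cdot (r \cdot H_m + v \cdot G_m) = lr \cdot H_m + lv \cdot G_m = R_C,$$

so checking $c = \mathrm{Hash}(G_m \| H_m \| Z \| F \| C \| tr \cdot Z + c \cdot F \| tr \cdot H_m + tv \cdot G_m + c \cdot C)$ is equivalent to steps (2) to (4) and reveals neither $r$ nor $v$.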
4. Implementing supervision (when needed)
All transactions are carried out with a confidential amount: $(F, C, tr, tv, c, \mathrm{rangeproof})$ is the confidential, verifiable data for the amount $v$, where $(F, C) = (r \cdot Z,\; r \cdot H_m + v \cdot G_m)$. After verifying the legitimacy of the confidential amount, the supervision center decrypts $(F, C)$ with its private key $z$:
(1) First, from $F = r \cdot Z = r \cdot z \cdot H_m$, compute $r \cdot H_m = z^{-1} \cdot F$;
(2) Then, from $C = r \cdot H_m + v \cdot G_m$, compute $v \cdot G_m = C - r \cdot H_m$.
This yields $v \cdot G_m$. Since $0 \le v < 2^{64}$, this is a discrete logarithm over a bounded range, and the plaintext amount $v$ can be recovered by searching that range (for a range this large, a baby-step giant-step search of about $2^{32}$ steps rather than a linear scan).
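The four procedures above (initialization, generation, verification by the counterparty, supervision), as an added worked example that is not part of the patent and not the applicants' code. It assumes things the page leaves open: the curve is secp256k1, Hash is SHA-256 over the concatenated affine coordinates reduced mod $q$, $G_m$ is the curve's base point and $H_m$ is derived by try-and-increment so that its discrete logarithm with respect to $G_m$ is unknown, and the amount range is $0 \le v < 2^{20}$ rather than $2^{64}$ so that the bounded discrete-logarithm search finishes in well under a second (a $2^{64}$ range needs a baby-step giant-step search of about $2^{32}$ steps, not a linear scan). The range proof is not specified on the page and is left as an opaque placeholder; the recovered $v$ is range-checked directly instead. `verify_public` is an addition beyond the page: it performs the hash check from $(F, C, tr, tv, c)$ alone, which is what the supervision center, which never receives $r$, has to do at step S404.

```python
# Added example, not the patent's code. Assumed: secp256k1, SHA-256 as Hash, H_m by try-and-increment, 2^20 range.
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime group order q
G_M = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator G_m
V_BITS = 20  # demo range 0 <= v < 2^V_BITS (the page uses 2^64; see lead-in)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication, k reduced mod q
    acc, k = None, k % Q
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def hash_to_point(label):  # try-and-increment: a generator H_m whose log base G_m is unknown
    for ctr in range(2**16):
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(2, "big")).digest(), "big") % P
        rhs = (x * x * x + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # a square root when one exists, since P = 3 mod 4
        if y * y % P == rhs:
            return (x, y)
    raise RuntimeError("no curve point found")

H_M = hash_to_point(b"patent-demo H_m")

def challenge(Z, F, C, R_F, R_C):  # c = Hash(G_m || H_m || Z || F || C || R_F || R_C) mod q
    enc = b"".join(x.to_bytes(32, "big") + y.to_bytes(32, "big") for x, y in (G_M, H_M, Z, F, C, R_F, R_C))
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % Q

def keygen():  # supervision center: z in Z_q^*, Z = z*H_m
    z = secrets.randbelow(Q - 1) + 1
    return z, ec_mul(z, H_M)

def generate(Z, v):  # section 2: returns (F, C, tr, tv, c, rangeproof) and the opening r
    if not 0 <= v < 2**V_BITS:
        raise ValueError("amount out of range")
    r, lr, lv = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    F = ec_mul(r, Z)
    C = ec_add(ec_mul(r, H_M), ec_mul(v, G_M))
    R_F = ec_mul(lr, Z)
    R_C = ec_add(ec_mul(lr, H_M), ec_mul(lv, G_M))
    c = challenge(Z, F, C, R_F, R_C)
    tr, tv = (lr - c * r) % Q, (lv - c * v) % Q
    return {"F": F, "C": C, "tr": tr, "tv": tv, "c": c, "rangeproof": None}, r  # rangeproof left opaque

def bounded_dlog(target, bits=V_BITS):  # baby-step giant-step: v in [0, 2^bits) with v*G_m == target
    m = 1 << ((bits + 1) // 2)
    baby, pt = {}, None
    for j in range(m):
        baby[pt] = j
        pt = ec_add(pt, G_M)
    step, gamma = ec_neg(ec_mul(m, G_M)), target
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = ec_add(gamma, step)
    return None

def verify_with_r(Z, ct, r):  # section 3, run by the party that received r over a secure channel
    v = bounded_dlog(ec_add(ct["C"], ec_neg(ec_mul(r, H_M))))  # C - r*H_m = v*G_m
    if v is None or ec_mul(r, Z) != ct["F"]:
        return None
    c = ct["c"]
    lr, lv = (ct["tr"] + c * r) % Q, (ct["tv"] + c * v) % Q  # invert tr = lr - c*r, tv = lv - c*v
    R_F = ec_mul(lr, Z)
    R_C = ec_add(ec_mul(lr, H_M), ec_mul(lv, G_M))
    return v if challenge(Z, ct["F"], ct["C"], R_F, R_C) == c else None

def verify_public(Z, ct):  # added r-free check: R_F = tr*Z + c*F, R_C = tr*H_m + tv*G_m + c*C
    c = ct["c"]
    R_F = ec_add(ec_mul(ct["tr"], Z), ec_mul(c, ct["F"]))
    R_C = ec_add(ec_add(ec_mul(ct["tr"], H_M), ec_mul(ct["tv"], G_M)), ec_mul(c, ct["C"]))
    return challenge(Z, ct["F"], ct["C"], R_F, R_C) == c

def supervise(z, Z, ct):  # section 4: legitimacy check, then r*H_m = z^-1*F, v*G_m = C - r*H_m
    if not verify_public(Z, ct):
        return None
    rH = ec_mul(pow(z, -1, Q), ct["F"])
    return bounded_dlog(ec_add(ct["C"], ec_neg(rH)))
```

Calling keygen, generate, verify_with_r and supervise in that order on one tuple returns the same amount from the counterparty and from the supervision center. Shifting C by one unit without regenerating the evidence makes both verify_public and verify_with_r reject, since the recomputed hash no longer matches c, and a supervision center holding the wrong private key gets no amount back because the search finds no small discrete logarithm. The try-and-increment derivation of H_m matters: if anyone knew k with H_m = k·G_m, a commitment C could be opened to a different amount.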
In another embodiment of the present application, a device for generating a manageable confidential transaction amount is disclosed, comprising: a generation module 502, located at the generating party and configured to generate the confidential transaction amount; a verification module 504, located at the verifying party and configured to receive and verify the confidential transaction amount; and a supervision module 506, located at the supervision center and configured to supervise the confidential transaction amount, wherein the generating party is one of the transaction sender and the transaction receiver, and the verifying party is the other of the two.
The device for generating a manageable confidential transaction amount further comprises a number of other modules; since the device corresponds to the method for generating a manageable confidential transaction amount, these other modules are not described in detail, to avoid redundancy.
Compared with the prior art, the method and device for generating a manageable confidential transaction amount provided by the embodiments of the present application achieve at least one of the following beneficial effects:
1. on the premise of privacy protection, it is realized for the first time in digital currency that the confidential transaction amount can be flexibly generated by the transaction sender or by the transaction receiver and, correspondingly, verified by the transaction receiver or by the transaction sender;
2. compared with the existing ring signature, Merkle tree and zk-SNARK techniques, the method shortens the time needed to generate the confidential transaction amount; and
3. when necessary, the supervision center can verify the legitimacy of the confidential transaction amount and decrypt it, so as to supervise the confidential transaction amount.
Those skilled in the art will appreciate that all or part of the flow of the methods of the embodiments described above may be accomplished by way of a computer program to instruct associated hardware, where the program may be stored on a computer readable storage medium. Wherein the computer readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory, etc.
The present application is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present application are intended to be included in the scope of the present application.

Claims (9)

1. A method for generating a manageable confidential transaction amount, comprising:
generating the confidential transaction amount by a generating party;
receiving the confidential transaction amount by a verifying party and verifying the confidential transaction amount; and
supervising the confidential transaction amount by a supervision center, wherein the generating party is one of a transaction sender and a transaction receiver, and the verifying party is the other of the transaction sender and the transaction receiver, and wherein generating the confidential transaction amount by the generating party comprises: generating an unspent transaction output based on the public key of the supervision center, the transaction amount, and a first random number, wherein the unspent transaction output comprises an encrypted amount; generating a first intermediate variable and a second intermediate variable from the unspent transaction output by replacing the first random number and the transaction amount with a second random number and a third random number, respectively; hashing the public key of the supervision center, the unspent transaction output, and the first and second intermediate variables, and taking the computed hash value as a commitment value; computing evidence based on the first intermediate variable, the second intermediate variable, the commitment value, the second random number, and the third random number; and constructing an amount range proof from the encrypted amount to generate the confidential transaction amount, wherein the confidential transaction amount comprises the unspent transaction output, the evidence, the commitment value, and the amount range proof.
2. The method for generating a manageable confidential transaction amount according to claim 1, wherein generating the confidential transaction amount by the generating party comprises:
computing the unspent transaction output $(F, C)$ according to $(F, C) = (r \cdot Z,\; r \cdot H_m + v \cdot G_m)$, wherein $C$ is the encrypted amount;
computing the first intermediate variable $R_F$ and the second intermediate variable $R_C$ according to $R_F = lr \cdot Z$, $R_C = lr \cdot H_m + lv \cdot G_m$;
computing the hash value $c$ according to $c = \mathrm{Hash}(G_m \| H_m \| Z \| F \| C \| R_F \| R_C)$;
computing the evidence $(tr, tv, c)$ according to $tr = lr - c \cdot r$, $tv = lv - c \cdot v$; and
constructing an amount range proof rangeproof from the encrypted amount $C = r \cdot H_m + v \cdot G_m$ to generate the confidential transaction amount $(F, C, tr, tv, c, \mathrm{rangeproof})$,
wherein $Z \in G$ is the public key of the supervision center, $Z = z \cdot H_m$, $z \in_R \mathbb{Z}_q^*$; $H_m$ and $G_m$ are two generators of the prime-order elliptic curve point group $G$; $r$, $lr$ and $lv$ are the first, second and third random numbers, respectively, and $r, lr, lv \in \mathbb{Z}_q$; $v$ is the transaction amount; $tr$ and $tv$ are intermediate variables; $\mathbb{Z}_q^*$ is $\mathbb{Z}_q$ without $0$, $q$ is the order of the group $G$, and $\mathbb{Z}_q$ is the ring of integers modulo $q$; Hash is a collision-resistant hash function; $\in_R$ denotes an element chosen uniformly at random from the set.
3. The method according to claim 2, wherein the verifying party receiving the confidential transaction amount and verifying the confidential transaction amount comprises:
the verifying party receiving the first random number through a secure channel; and
solving a discrete logarithm by exhaustive search, based on the first random number, the public key of the supervision center, and the unspent transaction output in the confidential transaction amount, to obtain the transaction amount.
4. The method according to claim 3, wherein the verifying party receiving the confidential transaction amount and verifying the confidential transaction amount further comprises:
computing the second random number and the third random number from the evidence in the confidential transaction amount;
computing the first intermediate variable and the second intermediate variable based on the public key of the supervision center, the second random number, and the third random number;
hashing the public key of the supervision center, the unspent transaction output in the confidential transaction amount, and the computed first and second intermediate variables, and verifying whether the computed hash value equals the commitment value in the confidential transaction amount; and
verifying whether the amount range proof is valid by determining whether the computed transaction amount lies within the range attested by the amount range proof.
5. The method according to claim 4, wherein the verifying party receiving the confidential transaction amount and verifying the confidential transaction amount comprises:
solving a discrete logarithm by exhaustive search according to the unspent transaction output $(F, C) = (r \cdot Z,\; r \cdot H_m + v \cdot G_m)$ to obtain the transaction amount $v$;
computing the second random number $lr$ and the third random number $lv$ from the evidence $(tr, tv, c)$ according to
$tr = lr - c \cdot r$,
$tv = lv - c \cdot v$;
computing the first intermediate variable $R_F$ and the second intermediate variable $R_C$ according to
$R_F = lr \cdot Z$,
$R_C = lr \cdot H_m + lv \cdot G_m$;
computing the hash value according to $\mathrm{Hash}(G_m \| H_m \| Z \| F \| C \| R_F \| R_C)$; and
determining whether the transaction amount $v$ lies within the range attested by the range proof rangeproof, to verify whether the range proof rangeproof is valid, wherein the confidential transaction amount is $(F, C, tr, tv, c, \mathrm{rangeproof})$; $Z \in G$ is the public key of the supervision center, $Z = z \cdot H_m$, $z \in_R \mathbb{Z}_q^*$; $H_m$ and $G_m$ are two generators of the prime-order elliptic curve point group $G$; $r$ is the first random number and $r, lr, lv \in \mathbb{Z}_q$; the transaction amount $v$ is an integer with $0 \le v < 2^{64}$; $tr$ and $tv$ are intermediate variables; $\mathbb{Z}_q^*$ is $\mathbb{Z}_q$ without $0$, $q$ is the order of the group $G$, and $\mathbb{Z}_q$ is the ring of integers modulo $q$; Hash is a collision-resistant hash function; $\in_R$ denotes an element chosen uniformly at random from the set.
6. The method according to claim 4, wherein the supervision center supervising the confidential transaction amount comprises:
obtaining the confidential transaction amount from a blockchain;
verifying the legitimacy of the confidential transaction amount; and
decrypting the unspent transaction output with the private key of the supervision center.
7. The method according to claim 6, wherein verifying the legitimacy of the confidential transaction amount comprises:
verifying whether the computed hash value equals the commitment value in the confidential transaction amount; and
verifying whether the amount range proof is valid by determining whether the computed transaction amount lies within the range attested by the amount range proof.
8. The method according to claim 6, wherein decrypting the unspent transaction output with the private key of the supervision center comprises:
computing $r \cdot H_m = z^{-1} \cdot F$ according to $F = r \cdot Z = r \cdot z \cdot H_m$;
computing $v \cdot G_m = C - r \cdot H_m$ according to $C = r \cdot H_m + v \cdot G_m$; and
obtaining the plaintext transaction amount $v$ from $v \cdot G_m$ by direct search, since $0 \le v < 2^{64}$, wherein $(F, C)$ is the unspent transaction output in the confidential transaction amount, $Z$ is the public key of the supervision center and $z$ is its private key, $r$ is the first random number, and $H_m$ and $G_m$ are two generators of the prime-order elliptic curve point group $G$.
9. A device for generating a manageable confidential transaction amount, comprising:
a generation module, located at the generating party and configured to generate the confidential transaction amount;
a verification module, located at the verifying party and configured to receive the confidential transaction amount by the verifying party and verify the confidential transaction amount; and
a supervision module, located at a supervision center and configured to supervise the confidential transaction amount, wherein the generating party is one of a transaction sender and a transaction receiver, and the verifying party is the other of the transaction sender and the transaction receiver, and wherein the generation module is configured to: generate an unspent transaction output based on the public key of the supervision center, the transaction amount, and a first random number, wherein the unspent transaction output comprises an encrypted amount; generate a first intermediate variable and a second intermediate variable from the unspent transaction output by replacing the first random number and the transaction amount with a second random number and a third random number, respectively; hash the public key of the supervision center, the unspent transaction output, and the first and second intermediate variables, and take the computed hash value as a commitment value; compute evidence based on the first intermediate variable, the second intermediate variable, the commitment value, the second random number, and the third random number; and construct an amount range proof from the encrypted amount to generate the confidential transaction amount, wherein the confidential transaction amount comprises the unspent transaction output, the evidence, the commitment value, and the amount range proof.
CN202010108717.3A 2020-02-21 2020-02-21 Method and device for generating manageable secret transaction amount Active CN111340488B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010108717.3A CN111340488B (en) 2020-02-21 2020-02-21 Method and device for generating manageable secret transaction amount

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010108717.3A CN111340488B (en) 2020-02-21 2020-02-21 Method and device for generating manageable secret transaction amount

Publications (2)

Publication Number Publication Date
CN111340488A CN111340488A (en) 2020-06-26
CN111340488B true CN111340488B (en) 2023-11-14

Family

ID=71185320

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010108717.3A Active CN111340488B (en) 2020-02-21 2020-02-21 Method and device for generating manageable secret transaction amount

Country Status (1)

Country Link
CN (1) CN111340488B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112990928B (en) * 2021-05-10 2021-08-24 南开大学 Safety protection method for digital currency transaction data
CN113965331B (en) * 2021-12-22 2022-04-01 鹏城实验室 Secret state prediction verification method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109472601A (en) * 2018-11-21 2019-03-15 北京蓝石环球区块链科技有限公司 The block chain framework of privacy transaction can be supervised
CN109727031A (en) * 2018-12-27 2019-05-07 数据通信科学技术研究所 A kind of anonymous digital cash transaction monitoring and managing method of center concealment
CN110383311A (en) * 2018-11-07 2019-10-25 阿里巴巴集团控股有限公司 Supervise the transaction of block chain secret
CN110545279A (en) * 2019-09-05 2019-12-06 国网区块链科技(北京)有限公司 block chain transaction method, device and system with privacy and supervision functions

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110383311A (en) * 2018-11-07 2019-10-25 阿里巴巴集团控股有限公司 Supervise the transaction of block chain secret
CN109472601A (en) * 2018-11-21 2019-03-15 北京蓝石环球区块链科技有限公司 The block chain framework of privacy transaction can be supervised
CN109727031A (en) * 2018-12-27 2019-05-07 数据通信科学技术研究所 A kind of anonymous digital cash transaction monitoring and managing method of center concealment
CN110545279A (en) * 2019-09-05 2019-12-06 国网区块链科技(北京)有限公司 block chain transaction method, device and system with privacy and supervision functions

Also Published As

Publication number Publication date
CN111340488A (en) 2020-06-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant