CN111539719B - Audit coin-mixing service method and system model based on blind signature - Google Patents


Info

Publication number
CN111539719B
CN111539719B
Authority
CN
China
Prior art keywords
coin
mixing
blind signature
user
address
Prior art date
Legal status
Active
Application number
CN202010182313.9A
Other languages
Chinese (zh)
Other versions
CN111539719A (en)
Inventor
汤红波
游伟
乔康
赵宇
刘树新
柏溢
朱可云
李海涛
许明艳
王领伟
陈云杰
秦小刚
Current Assignee
Information Engineering University of PLA Strategic Support Force
Network Communication and Security Zijinshan Laboratory
Original Assignee
Information Engineering University of PLA Strategic Support Force
Network Communication and Security Zijinshan Laboratory
Priority date
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force, Network Communication and Security Zijinshan Laboratory
Priority to CN202010182313.9A
Publication of CN111539719A
Application granted
Publication of CN111539719B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825 Use of electronic signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention belongs to the technical field of blockchain privacy protection and relates to an auditable coin-mixing service method and system model based on blind signatures. The method comprises the following steps: before the coin-mixing service starts, the coin-mixing server and the user each generate a key pair, publish the public key and keep the private key; the coin-mixing service starts; the coin-mixing server responds; blinding; blind signing; unblinding; and the coin-mixing service is completed. The system model comprises a coin-mixing server, a user and an audit blockchain. The auditable coin-mixing service method based on blind signatures not only breaks the link between the input address and the output address to achieve privacy protection, but also effectively reduces computation and storage overhead by using a strong blind signature algorithm based on an elliptic curve. In addition, the scheme has good security properties, including anonymity, DoS-attack resistance and theft-attack resistance, and realizes a secure, auditable blind coin-mixing service through an economic penalty mechanism and an audit blockchain.

Description

Audit coin-mixing service method and system model based on blind signature
Technical Field
The invention belongs to the technical field of blockchain privacy protection, and particularly relates to an auditable coin-mixing service method and system model based on blind signatures.
Background
Blockchains are used as a public ledger system in which transaction information is collected and recorded in detail, and any participant can query the information on the chain, so the risk of privacy disclosure is serious. To protect user privacy, the blockchain provides a degree of pseudonymity: the user can locally generate, through a series of cryptographic transformations, a random address unrelated to identity information. Such random addresses (pseudonyms) are typically used as account numbers for transaction inputs and outputs and, although more anonymous than conventional account numbers, provide only limited privacy protection. By tracking and analysing blockchain transactions and matching them with information such as address IDs and IP addresses, an attacker can recover the association between accounts and transactions and thereby infer transaction privacy and identity privacy. Unlike traditional systems, information recorded on the blockchain cannot be deleted or tampered with, and sensitive information cannot be recovered once revealed, so a blockchain system should pay more attention to privacy protection, and complete privacy-protection services are urgently needed for blockchain users.
One intuitive blockchain privacy protection approach is called "coin mixing". Coin mixing is a privacy-protection method that increases the attacker's difficulty by obscuring the transaction contents without changing the transaction result. In early coin-mixing schemes, in order to complete the mixing correctly and pay out to the corresponding user address, the coin-mixing server knows all the mixing information, and the user's input and output addresses are transparent to the coin-mixing server, with a serious risk of privacy disclosure. To defend against this risk, researchers have proposed improved schemes using blind signature technology, so that the coin-mixing server cannot establish the association between the input and output addresses while still providing the mixing service normally. Schemes adopting blind signatures can effectively resist the risk of the coin-mixing server revealing the privacy of blockchain users, but they also have the problem of high computation and storage cost. Computation and storage overhead is currently a bottleneck limiting the development of blockchains, so a more efficient and energy-efficient blind signature scheme needs to be designed while still meeting the required security strength. In addition, the coin-mixing server carries a risk of stealing funds, and the user may also delay payment; illegal operation by either party reduces security and execution efficiency, so an auditable coin-mixing service protocol is also required to monitor the behaviour of both the coin-mixing server and the user and to ensure the security and efficiency of the coin-mixing service.
Disclosure of Invention
In order to solve the problem that the existing coin mixing scheme is insufficient in efficiency and accountability, the invention provides an auditable coin mixing service method and a system model based on a blind signature, which can effectively reduce the expenditure of calculation and storage and improve the coin mixing service efficiency under the same security intensity, and has auditable capability, can resist DOS attack and theft attack and improve the protection capability of privacy security.
In order to solve the technical problems, the invention adopts the following technical scheme:
the invention provides an auditable coin-mixing service method based on blind signature, which comprises the following steps:
before the coin-mixing service starts, the coin-mixing server and the user each generate a key pair, publish the public key and keep the private key;
the coin-mixing service begins, and the user requests the coin-mixing service from the coin-mixing server;
if the request is accepted by the coin-mixing server, an escrow address is sent to the user;
after receiving the escrow address, the user blinds the coin-mixing transaction message and transfers the coin-mixing funds to the escrow address within the defined time;
the coin-mixing server blind-signs the blinded coin-mixing transaction message and sends the blind signature to the audit blockchain within the defined time;
the user unblinds the blind signature and, within the defined time, sends the operation evidence to the audit blockchain from an anonymous address for verification;
after the signature verification succeeds, the coin-mixing server transfers the coin-mixing funds from another escrow address to the user's destination address within the defined time.
Further, the mixing server M generates a key pair (P, d), the user U generates a key pair (Q, f), where P represents the public key of M, d represents the private key of M, Q represents the public key of U, and f represents the private key of U.
Further, the coin-mixing service starts: the user U requests the coin-mixing service and sends the request instruction {D, P, v_U} to the coin-mixing server M, where D defines a set of mixing parameters (given as formula image BDA0002412991530000031 in the original). Here (t_1, t_2, t_3, t_4) are the defined times for completing the different steps, v is the single-mixing amount, the quantity given as formula image BDA0002412991530000032 in the original is the number of blocks M requires to confirm that U's transfer transaction succeeded, ρ is the fee rate U pays M for the coin-mixing service, v_M is the deposit M presets in the system, v_U is the amount user U transfers to the coin-mixing server M, and v_M >> v_U.
Further, when the request is accepted by the coin-mixing server, sending the escrow address to the user specifically comprises: the coin-mixing server M randomly selects an integer k from the positive integer set (given as formula image BDA0002412991530000033 in the original), computes R = kG, where R is the escrow address provided by M to U and G is a finite cyclic group of order n, and then sends {R, sign_d(R)} to U, where sign_d(R) means that the coin-mixing server M digitally signs the escrow address R with its own private key d.
Further, U blinds the coin-mixing transaction message m and transfers the coin-mixing funds to the escrow address R within the defined time. Define m = {U_out || P || v_U || nonce}, where U_out is the destination address of U, P is the public key of M, v_U is the amount U transfers to the coin-mixing server M, and nonce is a random number that makes each message different. Specifically: if sign_d(R) verifies successfully, then within time t_1: (1) U randomly selects three integers α, β, λ (from the set given as formula image BDA0002412991530000034 in the original) as blinding factors and computes A = αR + βQ + λG = (x, y) and r = x (mod n), where A is a point on the elliptic curve, x and y are the x- and y-coordinates of A, r is the x-coordinate reduced modulo n, and n is the order; if r = 0, α, β, λ are reselected. U then computes c = SHA256(m || r) and c' = α^{-1}(c − λ), where c' is the blinded message, c is the hash of the message m concatenated with r, and SHA256 is a hash function with a 256-bit output. (2) U transfers the coin-mixing funds from U_in to R; the transaction is recorded on the audit blockchain as transfer(v, U_in, R), where U_in is the real address of U, and the ID of the transaction is tx_id. After steps (1) and (2), U sends (c', v, tx_id, sign_f(c', v, tx_id)) to M as the request, where sign_f(c', v, tx_id) means that user U digitally signs the transmitted content (c', v, tx_id) with its own private key f.
Further, the coin-mixing server M blind-signs the blinded coin-mixing transaction message c' and sends the blind signature to the audit blockchain within the defined time. Specifically: if sign_f(c', v, tx_id) and tx_id verify successfully, then within time t_2 M computes the blind signature S' = d^{-1}(k − c') (mod n) and sends (S', sign_d(S')) to U and to the audit blockchain, where sign_d(S') means that the coin-mixing server M digitally signs the blind signature S' with its own private key d; M sends the blind signature to the audit blockchain as transfer((S', sign_d(S')), R, R_P), where R_P is the address of the audit blockchain.
Further, the user U unblinds the blind signature S' and sends the operation evidence (c, S, m) to the audit blockchain from an anonymous address within the defined time. Specifically: if sign_d(S') verifies successfully, then within time t_3 U computes S = (αS' + β) (mod n), where (c, S) is the signature obtained by unblinding S', and sends (c, S, m) to the audit blockchain from the address U_in', where U_in' is the anonymous address of U.
Further, after the signature verification succeeds, the coin-mixing server transfers the mixing funds from another escrow address to the user's destination address within the defined time. Specifically: the signature (c, S) is verified by the equation c = SHA256(m || R_x(cG + SQ) mod n), where R_x denotes taking the x-coordinate; if verification succeeds, then within time t_4 M transfers the mixing funds from R' to U_out, where R' is the escrow address, independent of R, from which M pays U_out; the transaction is recorded on the audit blockchain as transfer(v − vρ, R', U_out), and the coin-mixing service is complete.
Further, if within time t_1 U fails to transfer the mixing funds to the escrow address R on time, both parties terminate the protocol;
if within time t_2 M fails to send the blind signature S' to the audit blockchain on time, U discloses transfer(v, U_in, R) and {R, sign_d(R)} as evidence that M violated the protocol, and once M's violation is verified, the system rejects M's request to redeem its deposit;
if within time t_3 U_in' fails to send (c, S, m) to the audit blockchain, M discloses (S', sign_d(S')) as evidence that U violated the protocol;
if within time t_4 M fails to transfer the mixing funds to U_out, U publishes {(c, S, m), S'}, the transfer(v, U_in, R) completed within t_1, and the fact that M made no transfer(v − vρ, R', U_out) within t_4 as evidence that M violated the protocol.
The invention also provides a system model of auditable coin-mixing service based on blind signature, comprising:
the coin mixing server is an executor of the coin mixing service;
the user is a requester of the coin-mixing service;
audit blockchain, a supervisor of the coin-mixing service, for third party verification.
Compared with the prior art, the invention has the following advantages:
1. high efficiency. The high efficiency of the invention is mainly reflected in low storage cost and low calculation cost in the signing process. The storage cost of the signature process depends on the key length, and the calculation cost depends on the calculation time.
2. Auditability. In the invention, the audit block chain is used as an audit log, the user and the coin mixing server both need to observe the protocol, and corresponding steps are executed at the regulated time, so that when one party violates the protocol, the correct accountability of the protocol can be ensured.
3. Security. The invention mainly involves three security properties: anonymity, DoS-attack resistance and theft-attack resistance.
Anonymity: the most important property of the coin-mixing service is anonymity, and its degree is measured by unlinkability and untraceability. (1) Untraceability. The coin-mixing server receives and sends the mixing funds through different escrow addresses R and R' respectively, ensuring that the user's input address U_in and output address U_out cannot be connected in the transactions of the audit blockchain, so the input and output addresses are untraceable. As shown in FIG. 4, an attacker who knows the address of user U_n can, by tracking transactions in the open ledger of the audit blockchain, obtain the transfers from U_nin to R_n and from R_n' to U_out, but cannot connect U_nin with U_out. (2) Unlinkability. The server obtains (c, S, m) sent by U_in' through the audit blockchain and, after successfully verifying the equation c = SHA256(m || R_x(cG + SQ) mod n), transfers the funds. Because U_in and U_in' are uncorrelated and the single-mixing amount is fixed, the server cannot de-anonymize by amount alone; it would have to link the signature (c, S) back to the blind signature from the original message, and to do so it would need the three blinding factors α, β, λ, which are known only to the user. Hence the coin-mixing service of the invention has unlinkability.
DoS-attack resistance: in this method each user interacts only with the coin-mixing server, so one user's refusal to follow the protocol does not affect other users or slow down the mixing process. In addition, since participating in the coin-mixing service requires a fee, launching a DoS attack against the coin-mixing server imposes a large economic burden on the attacker.
Theft-attack resistance: since the coin-mixing server pays a deposit far exceeding the single-mixing amount and the protocol contains an auditable accountability mechanism, the coin-mixing server will not forfeit its deposit by stealing the mixing funds.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a block diagram of a system model of a blind signature-based auditable coin-mixing service in accordance with an embodiment of the invention;
FIG. 2 is a flow chart of an auditable coin-blending service method based on blind signatures in accordance with an embodiment of the present invention;
FIG. 3 is a flow chart of a Schnorr strong blind signature algorithm based on elliptic curves according to an embodiment of the invention;
FIG. 4 is a trace attack analysis diagram of an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments, and all other embodiments obtained by those skilled in the art without making any inventive effort based on the embodiments of the present invention are within the scope of protection of the present invention.
Example 1
As shown in fig. 1, the system model of the auditable coin-mixing service based on the blind signature provided in the embodiment includes a coin-mixing server, a user and an audit block chain.
Coin-mixing server (Mixer): the coin-mixing server M is the executor of the coin-mixing service. It provides the escrow address R to the user and receives from U_in the amount v to be mixed. After confirming the transaction from U_in to R, M generates another escrow address R' and transfers the funds v − vρ to U_out. To increase security and reduce the risk of attack, an incentive mechanism may be introduced so that multiple mixing servers compete for the right to provide the service.
User (User): the user U is the requester of the coin-mixing service. The user uses the coin-mixing server to transfer funds from its address U_in to another address U_out. With the help of the coin-mixing service, it is very difficult for an attacker to connect U_in with U_out.
Audit blockchain (Audit blockchain): the audit blockchain is a supervisor of the coin-mixing service and can be seen as a bulletin board with only added non-modifiable for third party verification. The audit blockchain shares information in the form of a blockchain, and the sender can record evidence information on the blockchain in a transaction mode. Both the user and the coin-mixing server can issue blockchain messages, and the messages cannot be deleted once issued, and if any party in the user and the coin-mixing server violates a protocol, the behavior of the offender can be proved through auditing the public information contained in the blockchain.
The risk that the block chain user privacy is revealed by the coin mixer can be effectively resisted by adopting the blind signature technology, but the existing coin mixing service scheme based on the blind signature also has the problem of high calculation and storage cost. Because the mathematical basis of the elliptic curve cryptosystem is the discrete logarithm problem of an elliptic curve addition group, compared with the traditional public key cryptosystem based on the large integer factorization problem, the elliptic curve cryptosystem has the advantages of higher unit security strength, shorter key length and higher security, and therefore, in order to reduce calculation and storage cost, the invention expands the Schnorr blind signature onto an elliptic curve by utilizing an affine transformation construction method. In addition, to ensure the security of the blind signature, three random blinding parameters are adopted herein, and a Schnorr strong blind signature algorithm based on an elliptic curve is constructed, as shown in fig. 3.
Under the system model of the auditable coin-mixing service based on blind signatures, an elliptic-curve Schnorr strong blind signature algorithm is applied, an economic penalty mechanism and audit measures are adopted, and an efficient and secure auditable coin-mixing service method based on blind signatures is designed, so that the behaviour of the coin-mixing server and the user is constrained by economic penalties. On the one hand, the coin-mixing server is required to preset a large integrity deposit (far exceeding the single-mixing amount) as a credit guarantee before it provides the service. If the server provides the service normally, it receives the corresponding reward after each mixing and can redeem the integrity deposit; if it operates illegally, deliberately delaying or stealing funds, the whole integrity deposit is forfeited once this is verified. On the other hand, the user transfers the funds to the coin-mixing server before the service; if the process runs normally, the mixing request is completed, and if the user deliberately delays or maliciously initiates requests (DoS attack), the mixing funds are forfeited as compensation to the coin-mixing server once this is verified. To maximize their revenue, both the coin-mixing server and the user are therefore led to follow the rules of the protocol, ensuring its correct execution. The audit measures use the tamper-resistance of the audit blockchain to record the mixing information of the coin-mixing server and the user as trusted evidence for auditing their behaviour.
Compared with the prior art, the method has the main characteristics of high efficiency, and reduces the storage cost and the calculation cost of the signature process by applying the Schnorr strong blind signature based on the elliptic curve.
As shown in fig. 2, the auditable coin-mixing service method based on the blind signature in this embodiment specifically includes the following steps:
Step 1: system initialization.
Before the coin-mixing service begins, the coin-mixing server M generates a key pair (P, d) and the user U generates a key pair (Q, f); both publish their public keys and keep their private keys. P is the public key of M, d the private key of M, Q the public key of U and f the private key of U.
Step 2: request the coin-mixing service.
The coin-mixing service starts: the user U requests the coin-mixing service and sends the request instruction {D, P, v_U} to the coin-mixing server M, where D defines a set of mixing parameters (given as formula image BDA0002412991530000091 in the original). Here (t_1, t_2, t_3, t_4) are the defined times for completing the different steps, v is the single-mixing amount, the quantity given as formula image BDA0002412991530000092 in the original is the number of blocks M requires to confirm that U's transfer transaction succeeded, ρ is the fee rate U pays M for the coin-mixing service, v_M is the deposit M presets in the system, v_U is the amount user U transfers to the coin-mixing server M, and v_M >> v_U.
Step 3(a): escrow address distribution.
The coin-mixing server M accepts the request and sends the escrow address to the user U. The coin-mixing server M randomly selects an integer k from the positive integer set (given as formula image BDA0002412991530000093 in the original), computes R = kG, where R is the escrow address, unique to each user, provided by M to U, and G is a finite cyclic group of order n, and then sends {R, sign_d(R)} to U, where sign_d(R) means that the coin-mixing server M digitally signs the escrow address R with its own private key d.
Step 3(b): the coin-mixing service is refused.
The coin-mixing server M refuses the request and sends an empty message to the user U.
Step 4(a1): blinding.
U blinds the coin-mixing transaction message m and transfers the mixing funds to the escrow address R. Define m = {U_out || P || v_U || nonce}, where U_out is the destination address of U, P is the public key of M, v_U is the amount U transfers to the coin-mixing server M, and nonce is a random number that makes each message different. If the signature sign_d(R) verifies successfully, then within time t_1: (1) U randomly selects three integers α, β, λ (from the set given as formula image BDA0002412991530000101 in the original) as blinding factors and computes A = αR + βQ + λG = (x, y) and r = x (mod n), where A is a point on the elliptic curve, x and y are the x- and y-coordinates of A, r is the x-coordinate reduced modulo n, and n is the order; if r = 0, α, β, λ are reselected. U then computes c = SHA256(m || r) and c' = α^{-1}(c − λ), where c' is the blinded message, c is the hash of the message m concatenated with r, and SHA256 is a hash function with a 256-bit output. (2) U transfers the mixing funds from U_in to R; the transaction is recorded on the audit blockchain as transfer(v, U_in, R), where U_in is the real address of U, and the ID of the transaction is tx_id. After steps (1) and (2), U sends (c', v, tx_id, sign_f(c', v, tx_id)) to M as the request, where sign_f(c', v, tx_id) means that user U digitally signs the transmitted content (c', v, tx_id) with its own private key f.
Step 4(a2): audit within t_1.
If within time t_1 U fails to transfer the mixing funds to the escrow address R on time, both parties terminate the protocol.
Step 4(b): verification.
If the signature sign_d(R) fails verification, the protocol is terminated.
Step 5(a1): blind signature.
The coin-mixing server M blind-signs the blinded coin-mixing transaction message c'. If the signature sign_f(c', v, tx_id) and tx_id verify successfully, then within time t_2 M computes the blind signature S' = d^{-1}(k − c') (mod n) and sends (S', sign_d(S')) to U and to the audit blockchain, where sign_d(S') means that the coin-mixing server M digitally signs the blind signature S' with its own private key d; M sends the blind signature to the audit blockchain as transfer((S', sign_d(S')), R, R_P), where R_P is the address of the audit blockchain.
Step 5(a2): audit within t_2.
If within time t_2 M fails to send the blind signature S' to the audit blockchain on time, U discloses transfer(v, U_in, R) and {R, sign_d(R)} as evidence that M violated the protocol, and once M's violation is verified, the system rejects M's request to redeem its deposit.
Step 5(b): verification.
If the signature sign_f(c', v, tx_id) or tx_id fails verification, the protocol is terminated.
Step 6(a1): unblinding.
The user U unblinds the blind signature S'. If the signature sign_d(S') verifies successfully, then within time t_3 U computes S = (αS' + β) (mod n), where (c, S) is the signature obtained by unblinding S', and sends (c, S, m) to the audit blockchain from the address U_in', where U_in' is the anonymous address of U.
Step 6(a2): audit within t_3.
If within time t_3 U_in' fails to send (c, S, m) to the audit blockchain, M discloses (S', sign_d(S')) as evidence that U violated the protocol.
Step 6(b): verification.
If the signature sign_d(S') fails verification, the protocol is terminated.
And 7 (a 1) finishing the coin mixing service.
By equation c=sha256 (m||r x (cG+SQ) mod n) verifying signature (c, S), R x Indicating that the x coordinate value is taken, if the verification is successful, at time t 4 In, M is from R' to U out Transfer of mixed money funds, R' represents M to U out The escrow address for transferring the mixed funds, independent of R, is recorded on an audit blockchain, denoted transfer (v-vρ, R', U) out ) The coin mixing service is completed.
Correctness is shown as follows. The first step uses $SQ = SdG$, which holds only if $Q = dG$: $Q$ must be the public key corresponding to the private key $d$ that produced $S'$.

$$\begin{aligned}
cG + SQ &= (c + (\alpha S' + \beta)d)G \\
&= (c + (\alpha d^{-1}(k - c') + \beta)d)G \\
&= (c + \alpha k - \alpha c' + \beta d)G \\
&= (c + \alpha k - \alpha(\alpha^{-1}(c - \lambda)) + \beta d)G \\
&= (\alpha k + \lambda + \beta d)G \\
&= \alpha R + \beta Q + \lambda G = A
\end{aligned}$$

and therefore

$$\begin{aligned}
\mathrm{SHA256}(m \| R_x(cG + SQ) \bmod n) &= \mathrm{SHA256}(m \| R_x(\alpha R + \beta Q + \lambda G) \bmod n) \\
&= \mathrm{SHA256}(m \| x \bmod n) \\
&= \mathrm{SHA256}(m \| r) \\
&= c
\end{aligned}$$
Step 7 (a2): auditing within $t_4$.
If M fails to transfer the mixing funds to $U_{out}$ within time $t_4$, U publishes $\{(c, S, m), S'\}$, the $\mathrm{transfer}(v, U_{in}, R)$ completed within $t_1$, and the absence of $\mathrm{transfer}(v - v\rho, R', U_{out})$ from M within $t_4$ as evidence that M violated the protocol.
Step 7 (b): verification.
If the equation $c = \mathrm{SHA256}(m \| R_x(cG + SQ) \bmod n)$ fails verification, the protocol is terminated.
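The signing steps 4 to 7 and the correctness argument above, carried through as an added worked example in Python; this is not code from the patent or its applicants. It assumes secp256k1 as the curve (the patent fixes none), encodes $r$ as 32 big-endian bytes before hashing (the patent does not specify the encoding), uses $Q = dG$ as M's verification key, which is what the derivation requires, and leaves out the deadlines, the fund transfers and the audit blockchain, which are transport around the signature rather than part of it. The constructed message follows the patent's $m = U_{out} \| P \| v_U \| \mathrm{nonce}$ shape with made-up values.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed; the patent fixes no curve).
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order n of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def ec_mul(k, point):
    """Double-and-add scalar multiplication; scalars act modulo n."""
    result, addend, k = None, point, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def rand_scalar():
    """Uniform element of Z_n^* = {1, ..., n-1}."""
    return secrets.randbelow(N - 1) + 1


def hash_c(m: bytes, r: int) -> int:
    """c = SHA256(m || r), with r encoded as 32 big-endian bytes (an assumption)."""
    return int.from_bytes(hashlib.sha256(m + r.to_bytes(32, "big")).digest(), "big")


def server_keygen():
    """M's key pair: private d and public Q = dG, the key the verification equation uses."""
    d = rand_scalar()
    return d, ec_mul(d, G)


def server_escrow():
    """Step 3: M picks k and sends R = kG, which doubles as escrow address and signing nonce."""
    k = rand_scalar()
    return k, ec_mul(k, G)


def user_blind(m: bytes, R, Q):
    """Step 4 (a1): blind m with alpha, beta, lambda; returns c, c' and the factors."""
    while True:
        alpha, beta, lmb = rand_scalar(), rand_scalar(), rand_scalar()
        A = ec_add(ec_add(ec_mul(alpha, R), ec_mul(beta, Q)), ec_mul(lmb, G))
        if A is not None and A[0] % N != 0:  # reselect when r = 0 (or A is infinity)
            break
    r = A[0] % N
    c = hash_c(m, r)
    c_blind = pow(alpha, -1, N) * (c - lmb) % N
    return c, c_blind, (alpha, beta, lmb)


def server_blind_sign(d: int, k: int, c_blind: int) -> int:
    """Step 5 (a1): S' = d^-1 (k - c') mod n; M sees neither m, c nor the factors."""
    return pow(d, -1, N) * (k - c_blind) % N


def user_unblind(s_blind: int, factors) -> int:
    """Step 6 (a1): S = alpha * S' + beta mod n."""
    alpha, beta, _ = factors
    return (alpha * s_blind + beta) % N


def verify(m: bytes, c: int, s: int, Q) -> bool:
    """Step 7: c == SHA256(m || x(cG + SQ) mod n), exactly as in the correctness proof."""
    point = ec_add(ec_mul(c, G), ec_mul(s, Q))
    if point is None:
        return False
    return c == hash_c(m, point[0] % N)


def run_round(m: bytes):
    """One signing round between U and M; returns what each party ends up holding."""
    d, Q = server_keygen()
    k, R = server_escrow()
    c, c_blind, factors = user_blind(m, R, Q)
    s_blind = server_blind_sign(d, k, c_blind)
    s = user_unblind(s_blind, factors)
    return {
        "valid": verify(m, c, s, Q),
        "tampered_valid": verify(m + b"?", c, s, Q),  # any change to m must fail
        "server_view": (c_blind, s_blind),             # all M could try to link later
        "signature": (c, s),                           # what U posts to the audit chain
        "Q": Q,
    }


if __name__ == "__main__":
    # Constructed sample message in the patent's m = U_out || P || v_U || nonce shape.
    out = run_round(b"U_out:bc1qexample|P:02abcd|v:1.0|nonce:7f3a")
    print("signature valid:", out["valid"], "| tampered message valid:", out["tampered_valid"])
```

Two points worth noticing when reading the result: the pair $(c', S')$ that M stores and later publishes in the $t_3$ dispute is statistically independent of the $(c, S)$ that $U_{in}'$ posts, which is what breaks the link between $U_{in}$ and $U_{out}$; and because $R$ is both the escrow address and the nonce $kG$, reusing $k$ across two users would let anyone who sees both blind signatures recover $d$, so a fresh $k$ per request is not optional.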
The auditable coin-mixing service method based on blind signatures not only breaks the link between the input address and the output address to protect privacy, but also reduces computation and storage cost by using a strong elliptic-curve blind signature algorithm. The scheme also has good security properties, including anonymity, resistance to DoS attacks and resistance to theft attacks, and achieves a secure, auditable blind coin-mixing service through an economic penalty mechanism and an audit blockchain.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: various media in which program code may be stored, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the foregoing description is only illustrative of the preferred embodiments of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (9)

1. The auditable coin-mixing service method based on the blind signature is designed under a system model of the auditable coin-mixing service based on the blind signature, wherein the system model of the auditable coin-mixing service based on the blind signature comprises a coin-mixing server, a user and an audit blockchain, the coin-mixing server is an executor of the coin-mixing service, the user is a requester of the coin-mixing service, and the audit blockchain is a supervisor of the coin-mixing service and used for third party verification; characterized in that the method comprises the following steps:
before the coin mixing service starts, the coin mixing server and the user respectively generate key pairs, both disclose public keys and store private keys;
when the coin-mixing service starts, the user requests the coin-mixing service from the coin-mixing server;
if the coin-mixing server accepts the request, it sends an escrow address to the user;
after receiving the escrow address, the user blinds the coin-mixing transaction message and transfers the mixing funds to the escrow address within a time limit;
the coin-mixing server blindly signs the blinded coin-mixing transaction message and sends the blind signature to the audit blockchain within a time limit;
the user unblinds the blind signature and sends the operation evidence to the audit blockchain for verification from an anonymous address within a time limit;
after the blind signature verification succeeds, the coin-mixing server transfers the mixing funds from another escrow address to the destination address of the user within a time limit.
2. The blind signature based auditable coin service method of claim 1 wherein the coin server M generates a key pair (P, d) and the user U generates a key pair (Q, f), wherein P represents the public key of M, d represents the private key of M, Q represents the public key of U, and f represents the private key of U.
3. The auditable coin-mixing service method based on blind signature as claimed in claim 2, wherein when the coin-mixing service starts, the user U requests the coin-mixing service by sending a request instruction $\{D, P, v_U\}$ to the coin-mixing server M, where the set of coin-mixing parameters $D = \{t_1, t_2, t_3, t_4, v, \omega, \rho, v_M\}$ is defined as follows: $(t_1, t_2, t_3, t_4)$ are the time limits for completing the respective steps, $v$ is the amount of a single mixing, $\omega$ is the number of block confirmations M requires before treating U's transfer transaction as successful, $\rho$ is the rate of the coin-mixing service fee payable by U to M, $v_M$ is the deposit that M lodges with the system, and $v_U$ is the mixing funds transferred by the user U to the coin-mixing server M, with $v_M \gg v_U$.
4. The auditable coin-mixing service method based on blind signature as claimed in claim 3, wherein the coin-mixing server accepting the request and then sending the escrow address to the user comprises: the coin-mixing server M randomly selects an integer $k \in \mathbb{Z}_n^*$, where $\mathbb{Z}_n^*$ is the set of positive integers modulo $n$, and computes $R = kG$, where R is the escrow address provided by M to U and G is the base point of the elliptic curve, generating a cyclic group of order $n$; M then sends $\{R, \mathrm{sign}_d(R)\}$ to U, where $\mathrm{sign}_d(R)$ means that the coin-mixing server M digitally signs the escrow address R with its own private key d.
5. The auditable coin-mixing service method based on blind signature as claimed in claim 4, wherein U blinds the coin-mixing transaction message m and transfers the mixing funds to the escrow address R within the time limit, with $m = \{U_{out} \| P \| v_U \| \mathrm{nonce}\}$, where $U_{out}$ is the destination address of U, P is the public key of M, $v_U$ is the mixing funds transferred by the user U to the coin-mixing server M, and nonce is a random number that makes each message different; specifically: if the signature $\mathrm{sign}_d(R)$ verifies successfully, then within time $t_1$, (1) U randomly selects three integers $\alpha, \beta, \lambda \in \mathbb{Z}_n^*$ as blinding factors, then computes $A = \alpha R + \beta Q + \lambda G = (x, y)$ and $r = x \bmod n$, where $A$ is a point on the elliptic curve, $x$ and $y$ are the coordinates of $A$, $r$ is the x-coordinate reduced modulo $n$, and $n$ is the group order; if $r = 0$, $\alpha$, $\beta$, $\lambda$ are reselected; U computes $c = \mathrm{SHA256}(m \| r)$ and the blinded message $c' = \alpha^{-1}(c - \lambda) \bmod n$, where $c$ is the hash of the message $m$ concatenated with $r$ and SHA256 is a hash function with a 256-bit output; (2) U transfers the mixing funds from $U_{in}$ to R, the transaction being recorded on the audit blockchain as $\mathrm{transfer}(v, U_{in}, R)$, where $U_{in}$ is the real address of U and the transaction ID is tx_id; after steps (1) and (2) are completed, U sends $(c', v, \mathrm{tx\_id}, \mathrm{sign}_f(c', v, \mathrm{tx\_id}))$ to M as the signing request, where $\mathrm{sign}_f(c', v, \mathrm{tx\_id})$ means that the user U digitally signs the transmitted content $(c', v, \mathrm{tx\_id})$ with its own private key f.
6. The auditable coin-mixing service method based on blind signature as claimed in claim 5, wherein the coin-mixing server M blindly signing the blinded coin-mixing transaction message $c'$ and sending the blind signature to the audit blockchain within the time limit specifically comprises: if the signature $\mathrm{sign}_f(c', v, \mathrm{tx\_id})$ and tx_id verify successfully, then within time $t_2$ M computes the blind signature $S' = d^{-1}(k - c') \bmod n$ and sends $(S', \mathrm{sign}_d(S'))$ to U and to the audit blockchain, where $\mathrm{sign}_d(S')$ means that the coin-mixing server M digitally signs the blind signature $S'$ with its own private key d; M sends the blind signature to the audit blockchain as the transaction $\mathrm{transfer}((S', \mathrm{sign}_d(S')), R, R_P)$, where $R_P$ is the address of the audit blockchain.
7. The auditable coin-mixing service method based on blind signature as claimed in claim 6, wherein the user U unblinding the blind signature $S'$ and sending the operation evidence $(c, S, m)$ to the audit blockchain for verification from an anonymous address within the time limit specifically comprises: if the signature $\mathrm{sign}_d(S')$ verifies successfully, then within time $t_3$ U computes $S = (\alpha S' + \beta) \bmod n$, obtaining the signature $(c, S)$ by unblinding $S'$, and sends $(c, S, m)$ to the audit blockchain from the address $U_{in}'$, where $U_{in}'$ is the anonymous address of U.
8. The auditable coin-mixing service method based on blind signature as claimed in claim 7, wherein after the blind signature verification succeeds, the coin-mixing server transferring the mixing funds from another escrow address to the destination address of the user within the time limit specifically comprises: the signature $(c, S)$ is verified by the equation $c = \mathrm{SHA256}(m \| R_x(cG + SQ) \bmod n)$, where $R_x(\cdot)$ denotes taking the x-coordinate of a point; if verification succeeds, then within time $t_4$ M transfers the mixing funds from $R'$ to $U_{out}$, where $R'$ is an escrow address, independent of R, from which M pays $U_{out}$; the transaction is recorded on the audit blockchain as $\mathrm{transfer}(v - v\rho, R', U_{out})$, and the coin-mixing service is completed.
9. The auditable coin-mixing service method based on blind signature as claimed in claim 8, wherein:
if U fails to transfer the mixing funds to the escrow address R within time $t_1$, both parties terminate the protocol;
if M fails to send the blind signature $S'$ to the audit blockchain within time $t_2$, U discloses $\mathrm{transfer}(v, U_{in}, R)$ and $\{R, \mathrm{sign}_d(R)\}$ as evidence that M violated the protocol, and once the violation of M is verified, the system rejects M's request to redeem its deposit;
if $U_{in}'$ fails to send $(c, S, m)$ to the audit blockchain within time $t_3$, M discloses $(S', \mathrm{sign}_d(S'))$ as evidence, proving that U violated the protocol;
if M fails to transfer the mixing funds to $U_{out}$ within time $t_4$, U publishes $\{(c, S, m), S'\}$, the $\mathrm{transfer}(v, U_{in}, R)$ completed within $t_1$, and the absence of $\mathrm{transfer}(v - v\rho, R', U_{out})$ from M within $t_4$ as evidence, proving that M violated the protocol.
CN202010182313.9A 2020-03-16 2020-03-16 Audit coin-mixing service method and system model based on blind signature Active CN111539719B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010182313.9A CN111539719B (en) 2020-03-16 2020-03-16 Audit coin-mixing service method and system model based on blind signature

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010182313.9A CN111539719B (en) 2020-03-16 2020-03-16 Audit coin-mixing service method and system model based on blind signature

Publications (2)

Publication Number Publication Date
CN111539719A CN111539719A (en) 2020-08-14
CN111539719B true CN111539719B (en) 2023-04-25

Family

ID=71974816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010182313.9A Active CN111539719B (en) 2020-03-16 2020-03-16 Audit coin-mixing service method and system model based on blind signature

Country Status (1)

Country Link
CN (1) CN111539719B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116132087B (en) * 2022-09-30 2024-04-26 中国人民解放军战略支援部队信息工程大学 Webpage access log privacy protection method and system based on blockchain

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107948143A (en) * 2017-11-15 2018-04-20 安徽大学 Identity-based privacy protection integrity detection method and system in cloud storage

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170109955A1 (en) * 2015-10-20 2017-04-20 Follow My Vote, Inc. Blockchain electronic voting system and method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107948143A (en) * 2017-11-15 2018-04-20 安徽大学 Identity-based privacy protection integrity detection method and system in cloud storage

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"Blindcoin: blinded, accountable mixes for bitcoin"; Valenta L. et al.; International Conference on Financial Cryptography and Data Security; 2015-01-01; pp. 112-126 *
"DCAP: A Secure and Efficient Decentralized Conditional Anonymous Payment System Based on Blockchain"; Chao Lin et al.; IEEE Transactions on Information Forensics and Security; 2020-01-28; vol. 5; pp. 2440-2452 *
"Design and implementation of a Bitcoin coin-mixing system based on blind signature technology" (基于盲签名技术的比特币混币系统设计与实现); Wu Wendong; China Master's Theses Full-text Database, Information Science and Technology; 2015-12-15; vol. 2015, no. 12; pp. 25, 42-45 *
"Fully anonymous blockchain based on aggregate signatures and encrypted transactions" (基于聚合签名与加密交易的全匿名区块链); Wang Ziyu et al.; Journal of Computer Research and Development; 2018-10-15; vol. 55, no. 10; pp. 2185-2198 *

Also Published As

Publication number Publication date
CN111539719A (en) 2020-08-14

Similar Documents

Publication Publication Date Title
US11861606B2 (en) Blockchain system for confidential and anonymous smart contracts
Bünz et al. Zether: Towards privacy in a smart contract world
Delgado-Segura et al. A fair protocol for data trading based on bitcoin transactions
CN110337665B (en) System and method for information protection
US20170344983A1 (en) BIXCoin: A Secure Peer-to-Peer Payment System Based on the Public Payments Ledger
TW201944757A (en) Computer-implemented system and method suitable for increasing the security of instant off-line blockchain transactions
CN110612547A (en) System and method for information protection
CN112132560A (en) Method and device for managing digital assets on chain
CN113875186A (en) Proof of knowledge
Horn et al. Authentication and payment in future mobile systems
JP2005503696A (en) Cryptographic authentication method
CN111539719B (en) Audit coin-mixing service method and system model based on blind signature
CN112418834A (en) Safe mixed currency processing method and system compatible with bit currency and supporting down-link transaction
CN116664298A (en) Implementation method and device of block chain-based decentralization data transaction system
Suliyanti et al. Evaluation of hash rate-based double-spending based on proof-of-work blockchain
Đurić et al. Internet payment system: A new payment system for internet transactions
Wang et al. A consumer scalable anonymity payment scheme with role based access control
Wang et al. MOBT: A kleptographically-secure hierarchical-deterministic wallet for multiple offline Bitcoin transactions
CN111523892B (en) Block chain cross-chain transaction method and device
CN110992010B (en) Digital currency issue total amount control method and verification method
Li et al. A regulatable data privacy protection scheme for energy transactions based on consortium blockchain
CN111062833A (en) Signature authentication method of contract data and related device
Ham et al. Secure one-way mobile payment system keeping low computation in mobile devices
Vasco et al. Anonymous subscription schemes: A flexible construction for on-line services access
CN112633890B (en) Verification method and device for hidden rights and interests evidence based on blockchain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201229

Address after: 450000 Science Avenue 62, Zhengzhou High-tech Zone, Henan Province

Applicant after: Information Engineering University of Strategic Support Force,PLA

Applicant after: Purple Mountain Laboratories

Address before: 450000 Science Avenue 62, Zhengzhou High-tech Zone, Henan Province

Applicant before: Information Engineering University of Strategic Support Force,PLA

GR01 Patent grant