CN111865582B - Private key offline storage method, system and storage medium based on zero knowledge proof - Google Patents

Publication number: CN111865582B (granted patent; pre-grant publication CN111865582A)
Application number: CN202010699612.XA
Authority: CN (China)
Language: Chinese (zh)
Inventor: 翟红鹰
Original and current assignee: Shaanxi Heyou Network Technology Co ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Legal status: Active (an assumption by Google, not a legal conclusion)
Prior art keywords: service layer, offline, private key, key, business
Classifications

    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value and securely transfers it to the other(s)
    • H04L63/0442 Network security for confidential data exchange over packet networks, where the payload is protected and the sending and receiving entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. NFS, SAN or NAS
    • H04L9/008 Cryptographic mechanisms involving homomorphic encryption
    • H04L9/0869 Generation of secret information, including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds
    • H04L9/3218 Verification of identity, authority or message authentication using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3247 Verification of identity, authority or message authentication involving digital signatures
    • H04L9/3252 Digital signatures using DSA or related signature schemes, e.g. elliptic-curve-based signatures, ElGamal or Schnorr schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a private key offline storage method, system and storage medium based on zero-knowledge proof. The method comprises the following steps: the server is divided into a business service layer and an offline service layer; a user terminal registers with the business service layer as a new user, and the business service layer generates a corresponding account from the user terminal's user information; the business service layer establishes secure communication with the offline service layer using an apiID, apiKey, business identification code, userID and IP address; over this secure channel the business service layer and the offline service layer each generate one of two private key shares, using zero-knowledge proof and ECDSA two-step signature; each layer converts its private key share into a keystore for storage; the two shares are combined homomorphically to obtain the final public key; the user terminal initiates a signature; and the two-step signature is carried out with the ECDSA algorithm. The technical scheme addresses the problems of the related art, in which server-side private key storage is insecure and attackers exploit server vulnerabilities to act maliciously.

Description

Private key offline storage method, system and storage medium based on zero knowledge proof
Technical Field
The invention relates to the technical field of blockchain, in particular to a private key offline storage method and system based on zero-knowledge proof, and a computer-readable storage medium.
Background
Blockchain technology is a new distributed infrastructure and computing paradigm: it verifies and stores data in a chained block data structure, generates and updates data through a distributed node consensus algorithm, secures data transmission and access through cryptography, and programs and operates on data through smart contracts composed of automated script code.
In enterprise blockchain services the private key is used constantly for signing, so many enterprises currently place the account's private key on a server: this cuts manual work, reduces workload and lets operations run automatically. At present, enterprise private key storage on a server generally takes one of the following forms:
(1) storing the privateKey on disk;
(2) storing the privateKey in a database;
(3) the program derives an encryption password from the user information, encrypts the privateKey into a key (an encrypted keystore), stores the password in a database and the key on disk;
(4) the program derives an encryption password from the user information, encrypts the privateKey into a key, and stores both the password and the key in a database;
(5) the program derives a password from the user information by a fixed rule, encrypts the privateKey into a key, and stores only the key on disk;
(6) the program derives a password from the user information by a fixed rule, encrypts the privateKey into a key, and stores only the key in a database.
In cases (1) and (2), operations staff or an attacker who exploits a server vulnerability can read the private key directly; security is extremely poor.
In cases (3) and (4), although the private key is not stored directly, an attacker who exploits a server vulnerability can obtain both the stored encryption password and the key and recover the private key immediately; security is poor.
In cases (5) and (6), the key's password is derived inside the program and only the key is stored separately, which is far better than the preceding cases; but an attacker who exploits a server vulnerability can still, given enough time on the compromised server, obtain the private key directly.
There is therefore a need for a new private key offline storage method, system and computer-readable storage medium based on zero-knowledge proof to solve the above technical problems.
Disclosure of Invention
The main object of the invention is to provide a private key offline storage method based on zero-knowledge proof, addressing the problems of the related art in which server-side private key storage is insecure and attackers exploit server vulnerabilities to act maliciously.
To this end, the invention provides a private key offline storage method based on zero-knowledge proof, comprising the following steps:
during the server's management of the private key, dividing the server into a business service layer and an offline service layer, where the business service layer is connected directly to the external network and interfaces directly with user terminals, and the offline service layer is connected to the business service layer only through an intranet; when the business service layer requests a connection to the offline service layer it must present the apiID, apiKey and business identification code issued by the offline service layer; on receiving the request, the offline service layer authenticates the business service layer's IP address and verifies the authorization of the apiID, apiKey and business identification code;
a user terminal registers with the business service layer as a new user, and the business service layer generates a corresponding account from the user terminal's user information;
the business service layer establishes secure communication with the offline service layer using the apiID, apiKey, business identification code, userID and IP address;
over this secure channel, the business service layer and the offline service layer each generate one of two private key shares, using zero-knowledge proof and ECDSA two-step signature;
the business service layer and the offline service layer each convert their private key share into a keystore for storage;
the two private key shares are combined homomorphically to obtain the final public key, which represents the user terminal's account;
the user terminal initiates a signature;
the two-step signature is carried out with the ECDSA algorithm.
Preferably, every service request is initiated by the business service layer and is associated with one user terminal; the following notation is used:
the associated user terminal is denoted U1;
the business service layer's private key share is denoted prvKey1, the keystore corresponding to prvKey1 is denoted key1, and the encryption password for key1 is denoted pwd1;
the offline service layer's private key share is denoted prvKey2, its keystore is denoted key2, and the encryption password for key2 is denoted pwd2.
Preferably, in the step where the business service layer and the offline service layer convert their private key shares into keystores, the keystore storage procedure is the same on both layers and comprises:
generating a random salt value salt independently for each user terminal;
in the program, concatenating the userID, the random salt and an intrinsic salt value subsalt to obtain the spliced string pwdAll, where subsalt is entered manually by an operator when the program starts rather than being read from disk or the database;
generating a displacement amount tag at random in the program;
applying the displacement tag to pwdAll (shifting its characters) to obtain pwdBlur;
taking the first 16 characters of pwdBlur as the keystore's encryption password pwd;
encrypting prvKey with pwd to obtain the keystore;
writing the userID, pwd1, keystore, salt and tag to the database.
Preferably, the step in which the user terminal initiates a signature comprises:
the user terminal sends a signature request, and the business service layer reads the user's record from its database, comprising key1, tag1, salt1 and userID;
the program repeats the concatenation and displacement performed at creation time to rederive pwd1;
pwd1 is used to decrypt key1, yielding the business service layer's private key share prvKey1;
the business service layer establishes secure communication with the offline service layer using the apiID, apiKey, business identification code, userID and IP address;
on receiving the request, and after the authorization check passes, the offline service layer reads the user's key2 from its own database and decrypts it to obtain prvKey2;
once communication is established, prvKey1 and prvKey2 are used to perform the ECDSA two-step signature with zero-knowledge proof, yielding the final signature data.
Preferably, the step of carrying out the two-step signature with the ECDSA algorithm comprises:
the business service layer and the offline service layer generate random numbers k1 and k2 respectively, whose corresponding random points are R1 and R2;
R1 and R2 are exchanged securely by means of zero-knowledge proof, each party proving knowledge of its random number without revealing it;
on receiving R1, the offline service layer computes the final random point R = k2 × R1;
the offline service layer computes a partial signature s' from its share;
on receiving s', the business service layer computes the final s; the final signature is (r, s), with r derived from R.
To solve the same technical problem, the invention also provides a private key offline storage system based on zero-knowledge proof, comprising a memory, a processor, and a computer program stored in the memory and executable by the processor; when executed by the processor, the computer program implements the steps of the private key offline storage method based on zero-knowledge proof.
The invention also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the private key offline storage method based on zero-knowledge proof.
In the private key offline storage method based on zero-knowledge proof provided by the invention, the server is divided into a business service layer and an offline service layer during its management of the private key; a user terminal registers with the business service layer as a new user, and the business service layer generates a corresponding account from the user terminal's user information; the business service layer establishes secure communication with the offline service layer using the apiID, apiKey, business identification code, userID and IP address; over this secure channel the two layers each generate one of two private key shares, using zero-knowledge proof and ECDSA two-step signature; each layer converts its share into a keystore for storage; the shares are combined homomorphically to obtain the final public key, which represents the user terminal's account; the user terminal initiates a signature; and the two-step signature is carried out with the ECDSA algorithm. The scheme replaces the original single-private-key signature with a signature produced from two private key shares held on separate layers, so that compromising the externally reachable server alone no longer yields a usable private key; this secures server-side private key storage and reduces the risk of asset loss from attacks on server vulnerabilities.
Drawings
FIG. 1 shows the architecture and interaction of the client, the business service layer and the offline service layer in the present invention;
FIG. 2 is a flowchart of private key generation for a user terminal according to the present invention;
FIG. 3 shows the architecture and interaction between the business service layer and the offline service layer according to the present invention;
FIG. 4 is a flowchart of a signature operation initiated by a user terminal in the present invention;
FIG. 5 is a workflow diagram of the two-step signature based on the ECDSA algorithm in the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
To aid the explanation of the technical scheme of the present invention, the technical concepts it relies on are first described:
1. Homomorphic encryption
Homomorphic encryption is a cryptographic technique whose security rests on the computational hardness of mathematical problems. Processing homomorphically encrypted data yields an output which, once decrypted, equals the result of applying the same processing to the unencrypted original data.
In essence, a homomorphic scheme lets addition and multiplication over a ring be carried out on ciphertexts: performing the corresponding operation on encrypted values gives the encryption of the result of the operation on the plaintexts. In symbols:
a, b denote plaintexts;
En denotes the encryption operation;
Dec denotes the decryption operation;
⊙ denotes the operation on ciphertexts over the domain;
⊕ denotes the operation on plaintexts over the domain;
Dec(En(a) ⊙ En(b)) = a ⊕ b.
2. Zero-knowledge proof
A zero-knowledge proof, also called a zero-knowledge protocol, is a probabilistic verification method in which a prover convinces a verifier that an assertion is true without giving the verifier any useful information beyond that fact.
Use of a zero-knowledge proof (a Schnorr-style proof of knowledge of a discrete logarithm):
assume two users A and B; A's private key is sk and A's public key is PKa = sk × G; B's public key is PKb;
A selects a random number r, computes R = r × G, and sends R to B;
B selects a random challenge c and sends c to A;
A computes the response z = r + c × sk and sends z to B;
on receiving z, B checks that z × G = R + c × PKa;
if the check passes, B is convinced that A holds the private key behind PKa, while learning nothing about sk itself, because z is masked by the fresh random r.
Why this convinces B is the extraction argument: if a prover could answer two different challenges c and c' on the same commitment R with valid responses z and z', then sk = (z - z') / (c - c') could be computed from them, so anyone who answers reliably must know sk. This second challenge is a thought experiment used to prove soundness, not a step of the protocol: in a real session A answers exactly one challenge per commitment R and B never obtains sk. A verifier that did obtain two responses on the same R would recover the private key, which is why the prover must draw a fresh r for every run.
3. ECDSA two-step signature
ECDSA (Elliptic Curve Digital Signature Algorithm) is the elliptic-curve digital signature algorithm.
Its useful properties here are that the private key cannot be derived from a known public key, and that possession of the private key behind a public key can be verified by a prescribed method without exposing any information about the private key.
ECDSA is widely used in blockchains. In addition, the map from a private key to its public key, sk ↦ sk × G, is additively homomorphic: (a + b) × G = a × G + b × G, and scalar multiples compose, so a public key can be assembled from shares held by different parties (ECDSA signatures themselves are not homomorphic). Building on this property and on zero-knowledge proof, an ECDSA two-step signature method is designed. An ECDSA two-step signature produces a valid signature while neither party learns the other party's private key share, yielding the final signature data.
During the signing process of the ECDSA two-step signature, the private key shares are never transmitted to each other, and the private key corresponding to the final signature is never reconstructed anywhere.
ECDSA two-part private key generation:
assume party A's private key share is pk1 with public key P1, and party B's private key share is pk2 with public key P2;
the public keys P1 and P2 are exchanged, each accompanied by a zero-knowledge proof that the sender knows the corresponding private key share;
each party combines its own private key share with the other party's public key homomorphically to obtain the final public key P, which represents the user's account.
ECDSA two-step signature process:
assume party A's private key share is pk1 and party B's private key share is pk2;
A and B generate random numbers k1 and k2 respectively, with corresponding random points R1 and R2;
R1 and R2 are exchanged securely by means of zero-knowledge proof;
on receiving R1, B computes the final random point R = k2 × R1;
B computes the partial signature s';
on receiving s', A computes the final s; the final signature is (r, s).
Adding the ECDSA two-step signature on top of the existing server-side private key protection strategy strengthens the security of server private key storage.
Referring to FIG. 1 and FIG. 2, in one embodiment of the present invention a private key offline storage method based on zero-knowledge proof comprises the following steps:
S1, during the server's management of the private key, dividing the server into a business service layer and an offline service layer, where the business service layer is connected directly to the external network and interfaces directly with user terminals, and the offline service layer is connected to the business service layer only through an intranet; when the business service layer requests a connection to the offline service layer it must present the apiID, apiKey and business identification code issued by the offline service layer; on receiving the request, the offline service layer authenticates the business service layer's IP address and verifies the authorization of the apiID, apiKey and business identification code;
S2, a user terminal registers with the business service layer as a new user, and the business service layer generates a corresponding account from the user terminal's user information;
S3, the business service layer establishes secure communication with the offline service layer using the apiID, apiKey, business identification code, userID and IP address;
S4, over this secure channel, the business service layer and the offline service layer each generate one of two private key shares, using zero-knowledge proof and ECDSA two-step signature;
specifically, referring to FIG. 3, the business service layer and the offline service layer each generate a private key share for the userID.
S5, the business service layer and the offline service layer each convert their private key share into a keystore for storage;
S6, the two private key shares are combined homomorphically to obtain the final public key, which represents the user terminal's account;
specifically, referring again to FIG. 3, the public keys corresponding to the two private key shares are exchanged with zero-knowledge proofs.
S7, the user terminal initiates a signature;
S8, the two-step signature is carried out with the ECDSA algorithm.
The invention thus provides a private key offline storage scheme based on zero-knowledge proof which replaces the original single-private-key signature with a signature produced from two private key shares held on separate layers; this secures server-side private key storage and reduces the risk of asset loss from attacks on server vulnerabilities.
Every service request is initiated by the business service layer and is associated with one user terminal; the following notation is used:
the associated user terminal is denoted U1;
the business service layer's private key share is denoted prvKey1, the keystore corresponding to prvKey1 is denoted key1, and the encryption password for key1 is denoted pwd1;
the offline service layer's private key share is denoted prvKey2, its keystore is denoted key2, and the encryption password for key2 is denoted pwd2.
In step S5, the keystore storage procedure is the same on the business service layer and the offline service layer, and comprises:
S51, generating a random salt value salt independently for each user terminal;
S52, in the program, concatenating the userID, the random salt and the intrinsic salt value subsalt to obtain the spliced string pwdAll, where subsalt is entered manually when the program starts;
S53, generating a displacement amount tag at random in the program;
S54, applying the displacement tag to pwdAll (shifting its characters) to obtain pwdBlur;
S55, taking the first 16 characters of pwdBlur as the keystore's encryption password pwd;
S56, encrypting prvKey with pwd to obtain the keystore;
S57, writing the userID, pwd1, keystore, salt and tag to the database. (Note that steps S71 to S73 recompute pwd1 from userID, salt1 and tag1 rather than reading it back, so pwd1 need not be stored; storing it beside the keystore would reintroduce the weakness of cases (3) and (4) in the Background.)
Why is the tag displacement still needed once a random salt is in use? If the salt were simply used on its own, the resulting pwd would be very long; and if the displacement were omitted and the string merely truncated, the 16 characters kept would come from the front of pwdAll, so neither salt nor subsalt might contribute at all, weakening security. Applying the tag displacement first scrambles the fixed order of the string, and truncating afterwards ensures that every component can contribute to the password while keeping pwd from being too long.
Referring to fig. 4, step S7 specifically comprises the following steps:
S71, the user terminal initiates a signature request, and the business service layer acquires the user's related information from the database, comprising keystore1, tag1, salt1 and userID;
S72, the program performs the data splicing in the same way as at creation time, finally obtaining pwd1;
S73, finally, pwd1 is used to decrypt key1 to obtain the private key prvKey1 of the business service;
S74, the business service layer establishes secure communication with the offline service layer using apiID, apiKey, the business identification code, userID and IP;
S75, after receiving the request and passing the authority verification, the offline service decrypts the user's private key prvKey2 from the database; the operation is the same as steps S72 and S73;
S76, after communication is established successfully, an ECDSA two-step signature is performed through zero knowledge proof using prvKey1 and prvKey2 to obtain the final signature data.
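The keystore flow of steps S51 to S57 and its reversal in steps S72 and S73, as an added example in Go that is not code from the patent: the "displacement" is assumed to be a cyclic shift of the spliced string, "16 bits" is read as 16 characters, the unspecified cipher is assumed to be AES-256-GCM keyed from pwd, and the function names are hypothetical. The record holds userID, salt, tag and keystore; pwd1 is re-derived on demand rather than stored.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type KeystoreRecord struct { // per-user row persisted in step S57 (pwd1 itself is not stored)
	UserID   string
	Salt     []byte // random per-user salt from S51
	Tag      int    // displacement amount from S53
	Keystore []byte // GCM nonce || ciphertext of prvKey from S56
}

// derivePwd runs S52 to S55: splice userID|salt|subsalt, displace by tag
// (assumed here to be a cyclic left shift) and keep the first 16 bytes as pwd.
func derivePwd(userID string, salt []byte, subsalt string, tag int) ([]byte, error) {
	pwdAbl := append(append([]byte(userID), salt...), subsalt...)
	if len(pwdAbl) < 16 {
		return nil, errors.New("spliced string shorter than 16 bytes")
	}
	pwdBlur := make([]byte, len(pwdAbl))
	for i := range pwdAbl {
		pwdBlur[i] = pwdAbl[(i+tag)%len(pwdAbl)]
	}
	return pwdBlur[:16], nil
}

// gcmFor keys AES-256-GCM with SHA-256(pwd); the hash is a stand-in for the unspecified KDF (use a memory-hard one in production).
func gcmFor(pwd []byte) cipher.AEAD {
	key := sha256.Sum256(pwd)
	block, _ := aes.NewCipher(key[:]) // fixed 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size: cannot fail
	return gcm
}

// StorePrivateKey runs S51 to S57 and returns the record the caller persists.
func StorePrivateKey(userID, subsalt string, prvKey []byte) (KeystoreRecord, error) {
	buf := make([]byte, 30) // 16 salt bytes (S51), 2 tag bytes (S53), 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return KeystoreRecord{}, err
	}
	salt, tag, nonce := buf[:16], int(buf[16])<<8|int(buf[17]), buf[18:]
	pwd, _ := derivePwd(userID, salt, subsalt, tag) // cannot fail: salt alone is 16 bytes
	ks := gcmFor(pwd).Seal(nonce, nonce, prvKey, []byte(userID)) // userID bound as AAD
	return KeystoreRecord{UserID: userID, Salt: salt, Tag: tag, Keystore: ks}, nil
}

// RecoverPrivateKey runs S72/S73: rebuild pwd from the record plus the subsalt entered at program start, then open the keystore.
func RecoverPrivateKey(rec KeystoreRecord, subsalt string) ([]byte, error) {
	pwd, err := derivePwd(rec.UserID, rec.Salt, subsalt, rec.Tag)
	if err != nil {
		return nil, err
	}
	gcm := gcmFor(pwd)
	ns := gcm.NonceSize()
	if len(rec.Keystore) < ns {
		return nil, errors.New("keystore too short")
	}
	return gcm.Open(nil, rec.Keystore[:ns], rec.Keystore[ns:], []byte(rec.UserID))
}
```

Because userID is bound as associated data, a record copied to another user's row fails to open even if the derived pwd happens to coincide.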
Referring to fig. 5, assume that the data to be signed is m and the corresponding hash value is z = hash(m). The ECDSA two-step signature using zero knowledge proof then proceeds as follows.
Step S8 specifically comprises the following steps:
S81, the business service layer and the offline service layer generate a random number k1 and a random number k2 respectively, with corresponding random points R1 and R2;
S82, R1 and R2 are transmitted securely through zero knowledge proof;
S83, after receiving R1, the offline service obtains the final random point R = k2 × R1;
S84, the offline service performs its calculation and obtains the signature value s';
S85, after receiving s', the business service calculates the final s, and the final signature content is (r, s).
The invention also provides a private key offline storage system based on zero knowledge proof.
A private key offline storage system based on zero knowledge proof, comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor; the computer program when executed by the processor implements the steps of the zero knowledge proof based private key offline storage method.
For the specific steps of the private key offline storage method based on zero knowledge proof, refer to the above embodiments; because the private key offline storage system based on zero knowledge proof adopts all the technical solutions of all the above embodiments, it has at least all the beneficial effects brought by those technical solutions, which are not described in detail again here.
The invention also provides a computer readable storage medium.
The computer readable storage medium stores a computer program which when executed by a processor implements the steps of the private key offline storage method based on zero knowledge proof.
For the specific steps of the private key offline storage method based on zero knowledge proof, refer to the above embodiments; because the computer readable storage medium adopts all the technical solutions of all the above embodiments, it has at least all the beneficial effects brought by those technical solutions, which are not described in detail again here.
From the above description of the embodiments, it will be clear to a person skilled in the art that the method of the above embodiments may be implemented by means of software plus a necessary general hardware platform, and of course may also be implemented by means of hardware, but in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a computer readable storage medium (e.g. ROM/RAM, magnetic disc, optical disc) as described above, comprising instructions for causing a terminal device to execute the method according to the embodiments of the present invention.
In the description of the present specification, the descriptions of the terms "one embodiment," "another embodiment," "other embodiments," or "first through X-th embodiments," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, method steps or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures disclosed herein or equivalent processes shown in the accompanying drawings, or any application, directly or indirectly, in other related arts.

Claims (7)

1. The private key offline storage method based on zero knowledge proof is characterized by comprising the following steps:
in the process of managing the private key by the server, dividing the server into a business service layer and an off-line service layer, wherein the business service layer is used for being directly connected with an external network and directly butt-jointed with a user terminal; the offline service layer is connected with the business service layer through an intranet; when the business service layer requests to connect with the offline service layer, the apiID, apiKey and business identification code issued by the offline service layer are required to be provided; when the offline service layer receives the request, the IP of the business service layer needs to be authenticated, and the apiID, apiKey and the business identification code need to be authorized and authenticated;
a certain user end is registered in the business service layer to become a new user, and the business service layer generates a corresponding account according to the user information of the user end;
the business service layer establishes secure communication with the offline service layer by using apiID, apiKey, business identification code, userID and IP;
under a channel of secure communication, the business service layer and the offline service layer respectively generate two parts of private keys by using zero knowledge proof and ECDSA two-step signature;
the business service layer and the off-line service layer respectively convert the private key into a key for storage;
homomorphic encryption is carried out by using respective private keys to obtain a final public key, and the public key finally represents an account of the user terminal;
the user terminal initiates a signature;
two-step signature is realized based on ECDSA algorithm.
2. The zero knowledge proof based private key offline storage method according to claim 1, wherein each service request is initiated by the business service layer, and each request is associated with a certain user terminal; the following definitions are used:
marking the associated user end as U1;
marking a private key of the business service layer as prvKey1, marking a key corresponding to the prvKey1 as a key1, and marking an encryption key corresponding to the key1 as pwd1;
and marking the private key of the offline service layer as prvKey2, marking the key corresponding to prvKey2 as key2, and marking the encryption key corresponding to key2 as pwd2.
3. The method for storing private keys offline based on zero knowledge proof according to claim 1, wherein in the step of converting private keys into keys for storage by the business service layer and the offline service layer, respectively, the storing processes of the keys on the business service layer and the offline service layer are the same; the method specifically comprises the following steps:
generating a random salt value salt for each user terminal independently;
then in the program, splicing userID, a random salt value salt and an inherent salt value subsalt to finally obtain a spliced string pwdAbl, wherein the inherent salt value subsalt is manually input when the program is started;
the program randomly generates a displacement amount tag;
applying the displacement tag to pwdAbl to obtain pwdBlur;
intercepting the first 16 bits of pwdBlur as the encryption password pwd of the key;
encrypting prvKey with pwd to obtain the keystore;
storing userID, pwd1, keystore, salt and tag in the database.
4. The method for offline storage of private keys based on zero-knowledge proof as set forth in claim 1, wherein the step of initiating the signature by the user terminal specifically comprises the steps of:
the user terminal initiates a signature request, and the business service layer acquires related information of the user from a database, wherein the related information comprises a key1, a tag1, a salt1 and a userID;
the program also performs data splicing according to the operation during creation, and finally pwd1 is obtained;
finally, the pwd1 is used for decrypting the key1 to obtain a private key prvKey1 of the business service;
the business service layer establishes secure communication with the offline service layer by using apiID, apiKey, business identification code, userID and IP;
after receiving the request, the offline service decrypts the private key prvKey2 of the user from the database after passing the authority verification;
after the communication is established successfully, performing ECDSA two-step signature through zero knowledge proof by using prvKey1 and prvKey2 to obtain final signature data.
5. The private key offline storage method based on zero-knowledge proof according to claim 1, wherein the step of implementing two-step signature based on ECDSA algorithm specifically comprises the following steps:
the business service layer and the offline service layer respectively generate a random number k1 and a random number k2, and random points corresponding to the random numbers are R1 and R2 respectively;
realizing safe transfer of R1 and R2 through zero knowledge proof;
after receiving R1, the offline service obtains the final random point R = k2 × R1;
the offline service performs its calculation and obtains the signature value s';
after receiving s', the business service calculates the final s, and the final signature content is (r, s).
6. A private key offline storage system based on zero knowledge proof, comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor; the computer program, when executed by the processor, implements the steps of the zero knowledge proof based private key offline storage method of any one of claims 1 to 5.
7. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, implements the steps of the zero knowledge proof based private key offline storage method of any one of claims 1 to 5.
CN202010699612.XA 2020-07-20 2020-07-20 Private key offline storage method, system and storage medium based on zero knowledge proof Active CN111865582B (en)

Publications (2)

Publication Number Publication Date
CN111865582A CN111865582A (en) 2020-10-30
CN111865582B true CN111865582B (en) 2023-05-09

Family

ID=73001749

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112632581A (en) * 2020-12-28 2021-04-09 深圳壹账通智能科技有限公司 User data processing method and device, computer equipment and storage medium
CN112508576A (en) * 2021-02-04 2021-03-16 腾讯科技(深圳)有限公司 Key management method, system and storage medium based on block chain
CN113542247B (en) * 2021-07-06 2022-11-29 建信金融科技有限责任公司 Service pushing method, device and equipment based on data encryption
CN115865532B (en) * 2023-02-27 2023-04-21 北京徐工汉云技术有限公司 Communication processing method and device for offline service data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109274481A (en) * 2018-08-01 2019-01-25 中国科学院数据与通信保护研究教育中心 A kind of traceable method of data of block chain
WO2019197926A1 (en) * 2018-04-13 2019-10-17 nChain Holdings Limited Computer-implemented system and method suitable for increasing the security of instant off-line blockchain transactions
CN110570283A (en) * 2019-09-11 2019-12-13 炫盛(上海)科技有限公司 shopping method and system based on block chain
CN110958117A (en) * 2018-09-26 2020-04-03 埃森哲环球解决方案有限公司 Block chain interoperability with support for zero knowledge proof
CN111178884A (en) * 2019-12-16 2020-05-19 平安壹钱包电子商务有限公司 Information processing method, device, equipment and readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190327086A1 (en) * 2018-04-24 2019-10-24 Bartosz Slowik Reciprocal data mirror system and method of data security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230417

Address after: Room 5-01, Floor 5, Building 6, Headquarters Economic Park, No. 1309, Shangye Road, Fengxi New Town, Xixian New District, Xianyang City, Shaanxi Province, 712000

Applicant after: SHAANXI HEYOU NETWORK TECHNOLOGY CO.,LTD.

Address before: 100123 Room 202, 2 / F, building F1, Dongyi International Media Industrial Park, No.8, Gaojing Cultural Park Road, Chaoyang District, Beijing

Applicant before: Puhua Yunchuang Technology (Beijing) Co.,Ltd.

GR01 Patent grant