CN111989891A - Data processing method, related device and block chain system - Google Patents


Info

Publication number
CN111989891A
Authority
CN
China
Prior art keywords
transaction amount
plaintext
ciphertext
sender
transaction
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201880092481.XA
Other languages
Chinese (zh)
Inventor
阮子瀚
吴双
贺伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei International Pte Ltd
Original Assignee
Huawei International Pte Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

The embodiment of the application provides a data processing method, a related device and a block chain system, wherein the method comprises the following steps: the sender encrypts a plaintext M of the transaction amount by adopting an additively homomorphic encryption algorithm to generate a ciphertext of the transaction amount, wherein the bit length of the plaintext M of the transaction amount is U; the sender sends the ciphertext of the transaction amount to a verifier; the verifier verifies, according to the ciphertext of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is $[0, 2^U - 1]$. By implementing the embodiment of the application, the privacy of the transaction amount can be protected in the blockchain system, and, without the verifier learning the plaintext of the transaction amount, whether the transaction amount is within the valid range can be verified, ensuring the validity of the transaction.

Description

Data processing method, related device and block chain system
Technical field
The present application relates to the field of block chain technologies, and in particular, to a data processing method, a related apparatus, and a block chain system.
Background
A block chain is a distributed database that maintains an ever-growing list of ordered records called blocks. Each block contains a timestamp and a link to the previous block. The blockchain is inherently tamper-resistant: once recorded, the data in a block cannot be modified unilaterally. Data on the blockchain can be managed automatically by using a peer-to-peer (P2P) network and distributed timestamp servers. The blockchain is an open distributed ledger that can effectively record transactions between two parties and various other information, and can record them permanently in a verifiable manner. On a traditional block chain, the account balance of a user is not encrypted and is stored directly on a block, so that the account of the user is completely exposed on all nodes. In this way, apart from the basic functions of block chain decentralization and tamper resistance of information, the account privacy of the user is completely exposed on all nodes of the block chain.
In the prior art, the privacy of the transaction amount in the blockchain system can be protected by adopting additively homomorphic encryption, but a verifier cannot verify whether the transaction is valid. Because the verifier can only determine that the plaintext of the output amount is equal to the plaintext of the input amount, the verifier cannot confirm whether the plaintext of the input amount and the plaintext of the output amount are within the valid range. Therefore, the problem to be solved is how to protect the privacy of the transaction amount in the blockchain system while verifying whether the plaintext of the transaction amount is in the valid range under the condition that the verification node cannot know the plaintext of the transaction amount.
Disclosure of Invention
The embodiment of the application provides a data processing method, a related device and a blockchain system, which can protect the privacy of transaction amount, verify whether the transaction amount is in an effective range or not under the condition that a verifying party cannot acquire the plaintext of the transaction amount, and ensure the legality of the transaction.
In a first aspect, an embodiment of the present application provides a data processing method, which is applied to a block chain system, where the system includes a sender and a verifier, and the method includes: the sender encrypts a plaintext M of the transaction amount by adopting an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount; the verifier verifies whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount; the first valid range is $[0, 2^U - 1]$, and U is the bit length of the plaintext M of the transaction amount.
By implementing the method and the device, the privacy of the transaction amount can be protected in the blockchain system, and the validity of the transaction amount is ensured by verifying whether the transaction amount is in the effective range under the condition that the verifying party cannot know the plaintext of the transaction amount.
In one possible implementation, C = =c, C
Figure IMGF000003_0001
B = g; wherein r is a randomly generated integer, $g_3$ is a generator of Gi, Gi is a multiplicative group of prime order, $g_4$ is the public key of the additively homomorphic encryption algorithm, $g_4 = g_3^{ask}$, and ask is a private key of the additively homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor; the sender encrypting a plaintext M of the transaction amount by adopting an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount comprises: the sender divides the plaintext M of the transaction amount into L plaintexts $M_k$ of the transaction amount, and encrypts the L plaintexts $M_k$ respectively by adopting the additively homomorphic encryption algorithm to generate L ciphertexts $(C_k, B_k)$ of the transaction amount, wherein the public key of the additively homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2; the verifier verifying whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount comprises: the verifier verifies, according to the ciphertexts $(C_k, B_k)$ of the transaction amount, whether the plaintexts $M_k$ of the transaction amount belong to a second valid range; wherein the second valid range is $[0, 2^u - 1]$, u being the bit length of the plaintext $M_k$ of the transaction amount; the method further comprises the following steps: the supervisor decrypts the L ciphertexts $(C_k, B_k)$ of the transaction amount by using the private key corresponding to the public key to obtain the L plaintexts $M_k$ of the transaction amount, and obtains the plaintext M of the transaction amount according to the L plaintexts $M_k$.
According to the embodiment of the application, when the plaintext of the transaction amount is long, the plaintext M of the transaction amount is first divided into several small blocks of plaintext, the small blocks are then encrypted separately, and each small block is verified to belong to the valid range, which ensures that the supervisor can efficiently decrypt the ciphertexts of the small blocks of the transaction amount.
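The chunk-and-encrypt flow described above, as an added Python example that is not part of the patent text; it shows why each chunk $M_k$ must lie in $[0, 2^u - 1]$ for the supervisor to recover it. Assumptions: the exponential-ElGamal ciphertext form C = g3^M · g4^r, B = g3^r (the page's formula image is missing), a 768-bit demo group, and hypothetical function names.

```python
# Added illustration, not code from the patent.
# ASSUMPTION: ciphertext form C = g3^M * g4^r, B = g3^r (exponential ElGamal);
# the formula image on the page is missing, so this form is not confirmed by it.
import secrets
from math import isqrt

# Demo group: 768-bit safe prime P = 2Q + 1 (Oakley Group 1, RFC 2409).
# Too small for production use; chosen to keep the example readable.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # prime order of the subgroup of squares
G3 = 4             # generator g3 of that subgroup


def keygen():
    """Supervisor key pair: private key ask, public key g4 = g3^ask."""
    ask = secrets.randbelow(Q - 1) + 1
    return ask, pow(G3, ask, P)


def encrypt(g4, m):
    """Encrypt integer m under g4; returns (C, B) in the assumed form."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G3, m, P) * pow(g4, r, P) % P, pow(G3, r, P)


def split_amount(M, L, u):
    """Split M into L chunks M_k of u bits each, least significant first."""
    if not 0 <= M < 1 << (L * u):
        raise ValueError("amount does not fit in L chunks of u bits")
    return [(M >> (k * u)) & ((1 << u) - 1) for k in range(L)]


def encrypt_amount(g4, M, L, u):
    """Sender side: one ciphertext (C_k, B_k) per chunk M_k."""
    return [encrypt(g4, m_k) for m_k in split_amount(M, L, u)]


def small_dlog(target, bound):
    """Baby-step giant-step: m in [0, bound) with g3^m == target, else None."""
    n = isqrt(bound - 1) + 1            # n * n >= bound
    baby, e = {}, 1
    for j in range(n):
        baby.setdefault(e, j)
        e = e * G3 % P
    giant = pow(G3, Q - n, P)           # g3^(-n), because g3 has order Q
    gamma = target
    for i in range(n):
        if gamma in baby:
            m = i * n + baby[gamma]
            return m if m < bound else None
        gamma = gamma * giant % P
    return None


def supervisor_decrypt(ask, chunks, u):
    """Supervisor side: recover every M_k, then reassemble M."""
    M = 0
    for k, (C, B) in enumerate(chunks):
        g3_m = C * pow(B, Q - ask, P) % P   # C / B^ask = g3^(M_k)
        m_k = small_dlog(g3_m, 1 << u)      # feasible only because M_k < 2^u
        if m_k is None:
            raise ValueError(f"chunk {k} is outside [0, 2^u - 1]")
        M += m_k << (k * u)
    return M


if __name__ == "__main__":
    ask, g4 = keygen()
    amount = 0x123456789ABCDEF0          # constructed 64-bit sample amount
    cts = encrypt_amount(g4, amount, L=4, u=16)
    print(hex(supervisor_decrypt(ask, cts, u=16)))
```

Decryption cost grows with the square root of the chunk range, so a chunk that escapes the range check leaves the supervisor with a ciphertext it cannot open in practice.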
In one possible implementation, the L plaintexts $M_k$ of the transaction amount are of equal length.
In one possible implementation, the method further includes: the sender generates a zero-knowledge proof that the plaintext M of the transaction amount belongs to a first effective range; the verifying party verifying whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount comprises the verifying party verifying that the plaintext M of the transaction amount belongs to a zero-knowledge proof of the first valid range.
The embodiment of the application can ensure that the verifying party verifies whether the transaction amount is in the valid range under the condition that the transaction amount is encrypted, and further verifies the validity of the transaction.
In one possible implementation, the transaction amount includes an output amount; the method further comprises the following steps: the sender calculates a ciphertext C' of a difference value between the input amount and the output amount and generates an additively homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero; C' is a ciphertext obtained by calculation according to the ciphertext of the output amount and the ciphertext of the input amount, the ciphertext of the input amount is the ciphertext of the amount received by the sender in the last transaction, or the ciphertext of the input amount is the ciphertext generated by encrypting the amount generated in the current transaction by the sender through the additively homomorphic encryption algorithm; and the verifier verifies the additively homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero.
The embodiment of the application can ensure that the verifier verifies that the input amount is equal to the output amount under the condition that the transaction amount is encrypted, and further verifies the validity of the transaction.
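An added Python example, not the patent's own proof construction, of checking that the difference ciphertext C' encrypts zero; its last case shows the point made in the background, that balance holds only modulo the group order and so does not bound the amounts. A Chaum-Pedersen proof made non-interactive with Fiat-Shamir is swapped in for the patent's proof. Assumptions: the ciphertext form C = g3^M · g4^r, B = g3^r, the demo group, the function names, and that the sender knows the randomness of every ciphertext involved.

```python
# Added illustration, not the patent's proof construction.
# ASSUMPTIONS: ciphertext form C = g3^M * g4^r, B = g3^r; Chaum-Pedersen with
# Fiat-Shamir stands in for the patent's "plaintext is zero" proof; the sender
# knows the randomness r of the input ciphertext as well as of the outputs.
import hashlib
import secrets

# Demo group: 768-bit safe prime P = 2Q + 1 (Oakley Group 1, RFC 2409).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # prime order of the subgroup of squares
G3 = 4             # generator g3 of that subgroup


def keygen():
    """Key pair: private key ask, public key g4 = g3^ask."""
    ask = secrets.randbelow(Q - 1) + 1
    return ask, pow(G3, ask, P)


def encrypt(g4, m, r):
    """(C, B) for plaintext m and randomness r, in the assumed form."""
    return pow(G3, m, P) * pow(g4, r, P) % P, pow(G3, r, P)


def difference(ct_in, cts_out):
    """C' = Enc(input) / prod(Enc(output_i)): encrypts input - sum(outputs) mod Q."""
    c, b = ct_in
    for c_o, b_o in cts_out:
        c = c * pow(c_o, P - 2, P) % P    # division = multiply by inverse
        b = b * pow(b_o, P - 2, P) % P
    return c, b


def challenge(*values):
    """Fiat-Shamir challenge over fixed-width encodings of the transcript."""
    h = hashlib.sha256()
    for v in values:
        h.update(v.to_bytes(96, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def prove_zero(g4, ct, r):
    """Prove knowledge of r with B = g3^r and C = g4^r, i.e. (C, B) encrypts 0."""
    C, B = ct
    w = secrets.randbelow(Q)
    t1, t2 = pow(G3, w, P), pow(g4, w, P)
    e = challenge(G3, g4, C, B, t1, t2)
    return t1, t2, (w + e * r) % Q


def verify_zero(g4, ct, proof):
    """Verifier side: accepts only if log_g3(B) == log_g4(C)."""
    C, B = ct
    t1, t2, s = proof
    # Reject anything outside the order-Q subgroup before using it.
    if any(not 0 < x < P or pow(x, Q, P) != 1 for x in (C, B, t1, t2)):
        return False
    e = challenge(G3, g4, C, B, t1, t2)
    return (pow(G3, s, P) == t1 * pow(B, e, P) % P
            and pow(g4, s, P) == t2 * pow(C, e, P) % P)


def make_tx(g4, amount_in, amounts_out):
    """Sender: encrypt input and outputs, prove the difference encrypts zero."""
    r_in = secrets.randbelow(Q)
    r_out = [secrets.randbelow(Q) for _ in amounts_out]
    ct_in = encrypt(g4, amount_in, r_in)
    cts_out = [encrypt(g4, m, r) for m, r in zip(amounts_out, r_out)]
    r_diff = (r_in - sum(r_out)) % Q
    proof = prove_zero(g4, difference(ct_in, cts_out), r_diff)
    return ct_in, cts_out, proof


def verify_tx(g4, ct_in, cts_out, proof):
    """Verifier: recompute C' from the ciphertexts and check the proof."""
    return verify_zero(g4, difference(ct_in, cts_out), proof)


if __name__ == "__main__":
    _, g4 = keygen()
    print(verify_tx(g4, *make_tx(g4, 100, [60, 40])))        # balanced
    print(verify_tx(g4, *make_tx(g4, 100, [60, 50])))        # unbalanced
    print(verify_tx(g4, *make_tx(g4, 100, [150, Q - 50])))   # balanced only mod Q
```

The third case verifies although neither output is a sensible amount, which is why the balance proof has to be paired with the range check on every plaintext.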
In one possible implementation, the system further comprises a supervisor, the public key of the additively homomorphic encryption algorithm being provided by the supervisor; the method further comprises the following steps: the sender generates a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the verifier verifies the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the supervisor decrypts the ciphertext (C, B) of the transaction amount using a private key corresponding to the public key.
The embodiment of the application can ensure that the verifying party verifies the ciphertext of the transaction amount which can be decrypted by the monitoring party under the condition that the transaction amount is encrypted, thereby verifying the validity of the ciphertext.
In one possible implementation, the system further comprises a third party for providing a random secret Y, the random secret Y being used for generating a digital signature for each integer within the first valid range; the sender generating a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range comprises: the sender generates, according to the digital signature generated with the random secret Y provided by the third party for each integer within the first valid range, a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
The embodiment of the application provides a specific method for proving that the plaintext in the ciphertext of the transaction amount belongs to the valid range, a digital signature is generated for each number in the valid range, and the fact that the plaintext in the ciphertext of the transaction amount belongs to one of the digital signatures can prove that the plaintext in the ciphertext of the transaction amount belongs to the valid range. And under the condition that the clear text of the transaction amount is not provided for the verifying party, the legality of the transaction amount is verified, and the transaction privacy is ensured.
In one possible implementation, the sending party generating a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range includes: the sender generates N first parameters; n is a positive integer; the zero-knowledge proof that the verifier verifies that the plaintext M of the transaction amount belongs to the first valid range comprises: the verifier generates N second parameters; wherein the N first parameters correspond to the N second parameters; and the verifying party verifies whether the N second parameters are equal to the corresponding first parameters, and if so, the plaintext M of the transaction amount belongs to a first valid range.
According to the embodiment of the application, whether the plaintext in the transaction amount ciphertext belongs to the effective range is verified according to the comparison of the first parameter generated by the sender and the second parameter generated by the verifier, the legality of the transaction amount is verified under the condition that the transaction amount plaintext is not provided for the verifier, and the transaction privacy is guaranteed.
In one possible implementation, the sending party generating a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range further includes: the sender generates a first verification parameter; the verifying party verifies that the plaintext M of the transaction amount belongs to the zero knowledge proof of the first valid range, and the verifying party further comprises the following steps: the verifier generates a second verification parameter; the second verification parameter is determined by the N second parameters; the verifying party verifying whether the N second parameters are equal to the corresponding first parameters comprises: and the verifier verifies whether the first parameters are equal to the second verification parameters, and if so, the N second parameters are equal to the corresponding first parameters.
According to the embodiment of the application, whether the first parameter generated by the sender is equal to the second parameter generated by the verifier is verified according to the first verification parameter generated by the sender and the second verification parameter generated by the verifier, so that whether the plaintext in the transaction amount ciphertext belongs to an effective range is proved, the legality of the transaction amount is verified under the condition that the transaction amount plaintext is not provided for the verifier, and the transaction privacy is guaranteed.
In a second aspect, an embodiment of the present application provides a data processing method, which is applied to a block chain system, where the system includes a sender and a verifier, and the method includes: the sender encrypts the plaintext M of the transaction amount by adopting an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount, and sends the ciphertext (C, B) of the transaction amount to the verifier so that the verifier verifies whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount; the first valid range is $[0, 2^U - 1]$, and U is the bit length of the plaintext M of the transaction amount.
In one possible implementation, C = =c, C
Figure IMGF000005_0001
B =g; wherein r is a randomly generated integer, $g_3$ is a generator of Gi, Gi is a multiplicative group of prime order, $g_4$ is the public key of the additively homomorphic encryption algorithm, $g_4 = g_3^{ask}$, and ask is the private key of the additively homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor; the sender encrypting a plaintext M of the transaction amount by adopting an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount comprises: the sender divides the plaintext M of the transaction amount into L plaintexts $M_k$ of the transaction amount, and encrypts the L plaintexts $M_k$ respectively by adopting the additively homomorphic encryption algorithm to generate L ciphertexts $(C_k, B_k)$ of the transaction amount, so that the supervisor decrypts the L ciphertexts $(C_k, B_k)$ of the transaction amount by using the private key corresponding to the public key to obtain the L plaintexts $M_k$ of the transaction amount, and obtains the plaintext M of the transaction amount according to the L plaintexts $M_k$, wherein the public key of the additively homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2; the sender sending the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount, comprises: the sender sends the L ciphertexts $(C_k, B_k)$ of the transaction amount to the verifier, so that the verifier verifies, according to the ciphertexts $(C_k, B_k)$ of the transaction amount, whether the plaintexts $M_k$ of the transaction amount belong to a second valid range; wherein the second valid range is $[0, 2^u - 1]$, u being the plaintext bit length of the transaction amount.
In one possible implementation, the L plaintexts $M_k$ of the transaction amount are of equal length.
In one possible implementation, the method further includes: the sender generates a zero-knowledge proof that the plaintext M of the transaction amount belongs to a first effective range; the sender sends the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount comprises: and the sender sends the ciphertext (C, B) of the transaction amount to the verifier so that the verifier verifies that the plaintext M of the transaction amount belongs to the zero knowledge proof of the first effective range according to the ciphertext (C, B) of the transaction amount.
In one possible implementation, the transaction amount includes an output amount; the method further comprises the following steps: the sender calculates a ciphertext C' of a difference value between the input amount and the output amount and generates an additively homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero, so that the verifier verifies the additively homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero; and C' is a ciphertext obtained by calculation according to the ciphertext of the output amount and the ciphertext of the input amount, wherein the ciphertext of the input amount is the ciphertext of the amount received by the sender in the last transaction, or the ciphertext of the input amount is the ciphertext generated by encrypting the amount generated in the current transaction by the sender by adopting the additively homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor, the public key of the additively homomorphic encryption algorithm being provided by the supervisor; the method further comprises the following steps: the sender generates a zero-knowledge proof that the supervisor can decrypt the ciphertext C of the transaction amount, so that the verifier verifies the zero-knowledge proof that the supervisor can decrypt the ciphertext C of the transaction amount.
In a possible implementation, the system further comprises a third party for providing a random secret Y, the random secret Y being used for generating a digital signature for each integer within the first valid range; the sender generating a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range comprises: the sender generates, according to the digital signature generated with the random secret Y provided by the third party for each integer within the first valid range, a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
In a third aspect, the embodiment of the application provides a data processing method, which is applied to a block chain system, wherein the system comprises a sender and a verifier, and the method comprises: the verifier receives a ciphertext (C, B) of a transaction amount sent by the sender, wherein the ciphertext (C, B) of the transaction amount is generated by the sender encrypting a plaintext M of the transaction amount through an additively homomorphic encryption algorithm, and the bit length of the plaintext M of the transaction amount is U; and the verifier verifies whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount; the first valid range is $[0, 2^U - 1]$.
In one possible implementation, the verifying party verifying whether the plaintext M of the transaction amount belongs to a first validity range based on the ciphertext (C, B) of the transaction amount comprises: the verifying party verifies that the plaintext M of the transaction amount belongs to a zero-knowledge proof of a first valid range; wherein the zero-knowledge proof that the plaintext M of the transaction amount falls within the first validity range is generated by the sender.
In one possible implementation, the transaction amount includes an output amount; the method further comprises the following steps: the verifier verifies an additively homomorphic zero-knowledge proof that the ciphertext C' of the difference between the input amount and the output amount is a ciphertext encrypting a plaintext of zero; wherein C' is a ciphertext obtained by calculation according to the ciphertext of the output amount and the ciphertext of the input amount, the ciphertext of the input amount is the ciphertext of the amount received by the sender in the last transaction, or the ciphertext of the input amount is a ciphertext generated by encrypting the amount generated in the current transaction by the sender through the additively homomorphic encryption algorithm, and the additively homomorphic zero-knowledge proof that the ciphertext C' of the difference value between the input amount and the output amount is a ciphertext encrypting a plaintext of zero is generated by the sender.
In one possible implementation, the system further comprises a supervisor, the public key of the additively homomorphic encryption algorithm being provided by the supervisor; the method further comprises the following steps: the verifier also verifies a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; wherein the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is generated by the sender.
In a fourth aspect, an embodiment of the present application provides a block chain system, where the system includes a sender and a verifier: the sender is used for encrypting the plaintext M of the transaction amount by adopting an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount and sending the ciphertext (C, B) of the transaction amount to the verifier; the verifier is used for verifying whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount; the first valid range is $[0, 2^U - 1]$, and U is the bit length of the plaintext M of the transaction amount.
In one possible implementation, C = B=g; wherein r is a randomly generated integer, $g_3$ is a generator of Gi, Gi is a multiplicative group of prime order, $g_4$ is the public key of the additively homomorphic encryption algorithm, $g_4 = g_3^{ask}$, and ask is a private key of the additively homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor; the sender is used for dividing the plaintext M of the transaction amount into L plaintexts $M_k$ of the transaction amount, and encrypting the L plaintexts of the transaction amount respectively by adopting an additively homomorphic encryption algorithm to generate L ciphertexts $(C_k, B_k)$ of the transaction amount, wherein the public key of the additively homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2; the verifier is used for verifying, according to the ciphertexts $(C_k, B_k)$ of the transaction amount, whether the plaintexts $M_k$ of the transaction amount belong to a second valid range; the second valid range is $[0, 2^u - 1]$, u being the plaintext bit length of the transaction amount; the supervisor is used for decrypting the L ciphertexts $(C_k, B_k)$ of the transaction amount by adopting a private key corresponding to the public key to obtain the L plaintexts $M_k$ of the transaction amount, and obtaining the plaintext M of the transaction amount according to the L plaintexts $M_k$.
In a possible implementation manner, the sender is further configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to a first valid range; the verifying party is used for verifying that the plaintext M of the transaction amount belongs to a zero knowledge proof of a first effective range according to the ciphertext (C, B) of the transaction amount.
In one possible implementation, the transaction amount includes an output amount; the sender is also used for calculating a ciphertext C' of a difference value between the input amount and the output amount and generating an additively homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero; C' is a ciphertext obtained by calculation according to the ciphertext of the output amount and the ciphertext of the input amount, the ciphertext of the input amount is the ciphertext of the amount received by the sender in the last transaction, or the ciphertext of the input amount is the ciphertext generated by encrypting the amount generated in the current transaction by the sender through the additively homomorphic encryption algorithm; the verifier is also configured to verify the additively homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero.
In one possible implementation, the system further comprises a supervisor, the public key of the additively homomorphic encryption algorithm being provided by the supervisor; the sender is further configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the verifier is further configured to verify the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the supervisor is used for decrypting the ciphertext (C, B) of the transaction amount by adopting a private key corresponding to the public key.
In one possible implementation, the system further comprises a third party for providing a random secret Y, the random secret Y being used for generating a digital signature for each integer within the first valid range; the sender is used for generating, according to the digital signature generated with the random secret Y provided by the third party for each integer within the valid range, a zero-knowledge proof that the plaintext of the transaction amount belongs to the first valid range.
In a possible implementation manner, the sender is configured to generate N first parameters; the verifier is used for generating N second parameters, wherein the N first parameters correspond to the N second parameters, and for verifying whether the N second parameters are equal to the corresponding first parameters, and if so, determining that the plaintext M of the transaction amount belongs to a first valid range.
In a possible implementation manner, the sender is further configured to generate a first verification parameter; the first verification parameter is determined by the N first parameters; the verifier is also used for generating a second verification parameter; the second verification parameter is determined by the N second parameters; the verifier is further configured to verify whether the first parameter is equal to the second verification parameter, and if so, the N second parameters are equal to the corresponding first parameters.
In a fifth aspect, an embodiment of the present application provides a sender, which is applied to a block chain system, where the system includes a sender and a verifier, and the sender includes: the system comprises an encryption unit, a sending unit, a verifying party and a processing unit, wherein the encryption unit is used for encrypting a plaintext M of a transaction amount by adopting an additively homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount, the bit length of the plaintext M of the transaction amount is U, and the sending unit is used for sending the ciphertext (C, B) of the transaction amount to the verifier so that the verifier verifies whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount; the first valid range is $[0, 2^U - 1]$, U being the bit length of the plaintext M of the transaction amount.
In one possible implementation, C = B = g; wherein r is a randomly generated integer, $g_3$ is the generator of Gi, Gi is a multiplicative group of prime order, $g_4$ is the public key of the additive homomorphic encryption algorithm, $g_4 = g_3^{ask}$, and ask is the private key of the additive homomorphic encryption algorithm.
In one possible implementation, the system further comprises a supervisor; the encryption unit includes: a dividing subunit, configured to divide the plaintext M of the transaction amount into L parts of plaintext $M_k$ of the transaction amount, wherein k is a positive integer, k = 1, ..., L, and L is a positive integer greater than or equal to 2; and an encryption subunit, configured to encrypt the L parts of plaintext $M_k$ respectively by using the additive homomorphic encryption algorithm to generate L ciphertexts $(C_k, B_k)$ of the transaction amount, so that the supervisor can decrypt the L ciphertexts $(C_k, B_k)$ using the private key corresponding to the public key to obtain the L plaintexts $M_k$, and obtain the plaintext M of the transaction amount from the L plaintexts $M_k$, wherein the public key of the additive homomorphic encryption algorithm is provided by the supervisor; the sending unit is configured to send the L ciphertexts $(C_k, B_k)$ to the verifier, so that the verifier verifies, according to the ciphertext $(C_k, B_k)$, whether the plaintext $M_k$ of the transaction amount falls within a second valid range; wherein the second valid range is $[0, 2^u-1]$, u being the bit length of the plaintext $M_k$ of the transaction amount.
In a possible implementation, the sender further includes: a first generation unit, configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; the sending unit is configured to send the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies, according to the ciphertext (C, B), the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
In one possible implementation, the transaction amount includes an output amount; the sender further comprises: a second generation unit, configured to calculate a ciphertext C' of the difference between the input amount and the output amount, and to generate an additive homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero, so that the verifier verifies the additive homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero; C' is a ciphertext calculated from the ciphertext of the output amount and the ciphertext of the input amount, wherein the ciphertext of the input amount is the ciphertext of the amount received by the sender in the last transaction, or is the ciphertext generated by the sender encrypting, with the additive homomorphic encryption algorithm, the amount generated in the current transaction.
In one possible implementation, the system further comprises a supervisor, the public key of the additive homomorphic encryption algorithm being provided by the supervisor; the sender further comprises: a third generation unit, configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifier verifies the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount.
In one possible implementation, the system further comprises a third party for providing a random secret y, the random secret y being used for generating a digital signature for each integer within said first valid range; the first generation unit is configured to generate, according to the digital signature generated from the random secret y provided by the third party for each integer in the first valid range, a zero-knowledge proof that the plaintext M of the ciphertext C of the transaction amount belongs to the first valid range.
In a sixth aspect, an embodiment of the present application provides a verifier applied to a blockchain system, where the system includes a sender and the verifier, and the verifier includes: a receiving unit, configured to receive a ciphertext (C, B) of the transaction amount sent by the sender, wherein the ciphertext (C, B) of the transaction amount is generated by the sender encrypting a plaintext M of the transaction amount by using an additive homomorphic encryption algorithm, and the bit length of the plaintext M of the transaction amount is U; and a verification unit, configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is $[0, 2^U-1]$.
In one possible implementation, C = =c, C
Figure IMGF000009_0001
B = g; wherein r is a randomly generated integer, $g_3$ is the generator of Gi, Gi is a multiplicative group of prime order, $g_4$ is the public key of the additive homomorphic encryption algorithm, $g_4 = g_3^{ask}$, and ask is the private key of the additive homomorphic encryption algorithm.
In a possible implementation, the verification unit is configured to verify the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; wherein the zero-knowledge proof that the plaintext M of the transaction amount falls within the first valid range is generated by the sender.
In one possible implementation, the transaction amount includes an output amount; the verification unit is further configured to verify the additive homomorphic zero-knowledge proof that a ciphertext C' of the difference between the input amount and the output amount is a ciphertext encrypting a plaintext of zero; C' is a ciphertext calculated from the ciphertext of the output amount and the ciphertext of the input amount, wherein the ciphertext of the input amount is the ciphertext of the amount received by the sender in the last transaction, or is the ciphertext generated by the sender encrypting, with the additive homomorphic encryption algorithm, the amount generated in the current transaction; the additive homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero is generated by the sender.
In one possible implementation, the system further comprises a supervisor, the public key of the additive homomorphic encryption algorithm being provided by the supervisor; the verification unit is further configured to verify a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; wherein the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is generated by the sender.
In a seventh aspect, an embodiment of the present application provides a sender applied to a blockchain system, where the system includes the sender and a verifier, and the sender includes a processor, a memory, and a transceiver, wherein the processor, the memory and the transceiver are connected to each other, the memory is used for storing a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the data processing method provided by the second aspect or any possible implementation of the second aspect of the embodiments of the present application.
In an eighth aspect, an embodiment of the present application provides a verifier applied to a blockchain system, where the system includes a sender and the verifier, and the verifier includes a processor, a memory, and a transceiver, wherein the processor, the memory and the transceiver are connected to each other, the memory is used for storing a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the data processing method provided by the third aspect or any possible implementation of the third aspect of the embodiments of the present application.
In a ninth aspect, the present application provides a computer-readable storage medium, which stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute the data processing method provided by the second aspect or any possible implementation of the second aspect of the present application.
In a tenth aspect, the present application provides a computer-readable storage medium, which stores a computer program, where the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute the data processing method provided by the third aspect or any possible implementation of the third aspect of the present application.
By implementing the embodiments of the present application, the privacy of the transaction amount can be protected in the blockchain system, and the validity of the transaction amount is ensured by verifying whether the transaction amount is within the valid range while the verifier cannot learn the plaintext of the transaction amount. Meanwhile, when the bit length of the plaintext of the transaction amount is large, the plaintext can be divided into several small blocks of plaintext, and encryption and the proof of belonging to the valid range are then performed on each small block respectively, which ensures that the supervisor can effectively decrypt the ciphertext of each small block of the transaction amount.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
FIG. 1 is a blockchain system architecture according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of an input amount and an output amount;
FIG. 3 is a schematic flow chart of a data processing method according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of another data processing method according to an embodiment of the present application;
FIG. 5 is a diagram illustrating a process of a sender processing a plaintext M of a transaction amount according to an embodiment of the present application;
FIG. 6 is a schematic flow chart of another data processing method according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a sender according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a verifier according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of another sender according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of another verifier provided in the embodiment of the present application.
Detailed description of the preferred embodiments
The technical solutions in the embodiments of the present application will be described in detail below with reference to the accompanying drawings.
First, a blockchain system provided in an embodiment of the present application is described with reference to FIG. 1. As shown in FIG. 1, the blockchain system may include at least a sender and a verifier. The sender is used for initiating a transaction to the receiver and encrypting the transaction amount; the verifier is used for verifying whether the transaction initiated by the sender to the receiver is legal. The blockchain system can also comprise a supervisor, which provides a pair of public and private keys and provides the public key to the sender to encrypt the transaction amount; the supervisor can decrypt the transaction amount by using the private key so as to monitor the transaction behavior of the blockchain network, find abnormal transaction behavior in time and perform corresponding processing. In a specific implementation, the sender may be a terminal such as a mobile phone or a computer of the sender, the verifier may be a server of a bank, and the supervisor may be a computer or a server of a regulatory agency.
The blockchain system can be applied to a consortium chain scenario, namely a consortium formed by a plurality of organizations that cannot find a unified trusted third party. For example, in a consortium chain of financial services, a sender initiates a transaction to a receiver, the sender pays a certain transaction amount to the receiver, and a verifier can verify whether the transaction is legal. Whether a transaction is legal is mainly reflected in two aspects: first, whether the output amount equals the input amount; second, whether the output amount and the input amount belong to the valid range. If the output amount is equal to the input amount and both the output amount and the input amount belong to the valid range, the transaction is a legal transaction. For the explanation of the output amount and the input amount, see FIG. 2. Assume that the transaction amount that sender A intends to pay is X, and that sender A pays receiver $A_1$ and receiver $A_2$ respectively: the transaction amount received by receiver $A_1$ is Y, and the transaction amount received by receiver $A_2$ is Z. Then X is the input amount and Y and Z are the output amounts. The transaction is legal only if X = Y + Z and X, Y, Z are all greater than or equal to 0 and less than or equal to the maximum value. The maximum value is determined by the bit length of the transaction amount: if the bit length of the transaction amount is U, the maximum value is $2^U-1$.
Next, a data processing method provided by the embodiment of the present application is described with reference to the blockchain system described in FIG. 1. As shown in FIG. 3, the data processing method may include at least the following steps:
S301, the sender encrypts a plaintext M of the transaction amount by adopting an additive homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount.
Specifically, the additive homomorphic encryption algorithm may be the ElGamal algorithm. In the ciphertext (C, B) of the transaction amount, C is the ciphertext body of the plaintext M of the transaction amount, and B is an auxiliary ciphertext of the plaintext M of the transaction amount, used to assist in decrypting the ciphertext body C in the subsequent decryption by the supervisor.
Specifically, C = gf, B = $g_3^r$, wherein r is a randomly generated integer, $g_3$ is the generator of Gi, Gi is a multiplicative group of prime order, $g_4$ is the public key of the additive homomorphic encryption algorithm, $g_4 = g_3^{ask}$, and ask is the private key of the additive homomorphic encryption algorithm.
The bit length of the plaintext M of the transaction amount is U, and U is a positive integer.
In one possible implementation, the transaction amount includes an output amount. When the transaction amount only includes the output amount, the input amount may be a ciphertext of the amount received by the sender in the last transaction, without performing encryption and subsequent zero-knowledge proof that the transaction amount falls within the valid range.
In another possible implementation, the transaction amount may include an input amount in addition to the output amount. That is, the sender needs to encrypt both the output amount and the input amount, and subsequently generate for both a zero-knowledge proof that the transaction amount belongs to the valid range.
Whether the sender directly uses the ciphertext of the amount received in the last transaction, or needs to encrypt the input amount and subsequently generate a zero-knowledge proof that the transaction amount falls within the valid range, depends on the initialization setting of the blockchain system, that is, on whether the transaction model in the blockchain system is that the sender directly forwards the transaction amount received in the last transaction to the receiver, or that the sender regenerates the input amount in each transaction.
The number of input amounts may be at least one, and the number of output amounts may be at least one. In one possible implementation, the supervisor possesses an asymmetric key pair, including a public key and a private key. The sender can encrypt the plaintext M of the transaction amount with the public key provided by the supervisor to generate the ciphertext of the transaction amount, so that the supervisor can decrypt the ciphertext of the transaction amount with the private key corresponding to the public key, which makes it convenient for the supervisor to supervise the transaction.
S302, the sender sends the ciphertext (C, B) of the transaction amount to the verifier.
Specifically, after the sender encrypts the transaction amount by using the addition homomorphic encryption algorithm, the verifier cannot know the plaintext M of the transaction amount, so that the sender is prevented from being tracked by users on other nodes, and information leakage is avoided. Therefore, after encrypting the plaintext M of the transaction amount, the sending party generates the ciphertext (C, B) of the transaction amount and sends the ciphertext (C, B) of the transaction amount to the verifying party, so that the verifying party verifies the legality of the transaction amount.
S303, the verifier verifies, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range.
Specifically, if the bit length of the plaintext M of the transaction amount is U, the first valid range is $[0, 2^U-1]$. In particular, the verifier may verify a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range. The zero-knowledge proof that the plaintext M of the transaction amount falls within the first valid range is generated by the sender. The embodiment of the present application may employ the additive homomorphic ElGamal encryption algorithm because, in the blockchain system, it is compatible with the algorithm of the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range. Specifically, the data obtained by the additive homomorphic ElGamal encryption algorithm is two-dimensional, and the data obtained by the valid-range zero-knowledge proof algorithm is also two-dimensional; the two algorithms belong to the same mathematical system and are therefore compatible within it. A zero-knowledge proof means that the prover is able to convince the verifier that some statement is correct without providing the verifier with any useful information. For the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, the sender does not provide the plaintext M of the transaction amount to the verifier, yet the verifier is made to believe that the plaintext M of the transaction amount belongs to the first valid range.
In this embodiment, a digital signature may be generated for every integer in the first valid range, and the sender can prove that the plaintext M of the transaction amount belongs to the first valid range merely by proving that the plaintext of the transaction amount corresponds to one of the digital signatures of the integers in the first valid range. Additive homomorphic encryption is a form of encryption that allows a particular algebraic operation to be performed on ciphertexts to obtain a result that is still encrypted, and decrypting that result gives the same value as performing the same operation on the plaintexts. In other words, additive homomorphic encryption allows encrypted data to be operated on with correct results without decrypting the data at any point.
Furthermore, when the sender encrypts the plaintext M of the transaction amount with the public key of the additive homomorphic ElGamal encryption algorithm provided by the supervisor, the sender may also generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount. The verifier can also verify the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount.
The order in which the sender generates the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range and the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is not limited. Likewise, the order in which the verifier verifies the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range and the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is not limited.
In addition, the sender can also calculate the ciphertext C' of the difference between the input amount and the output amount and generate an additive homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero. The verifier can also verify the additive homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero.
It will be appreciated that when the output amount equals the input amount, and both the output amount and the input amount are within the valid range, the transaction can be verified as being legitimate.
In particular, the sender may generate at least one first parameter when generating the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range. The verifier may also generate at least one second parameter when verifying the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range. The first parameter corresponds to the second parameter. When the at least one second parameter generated by the verifier is respectively equal to the at least one first parameter generated by the sender, the plaintext M of the transaction amount is verified to belong to the first valid range. The same calculation method applies to the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, and to the additive homomorphic zero-knowledge proof that C' is a ciphertext encrypting a plaintext of zero, namely the verification that the input amount equals the output amount; the details are not repeated here.
Specifically, the sender may further generate a first verification parameter when generating the zero-knowledge proof, where the first verification parameter is determined by the plurality of first parameters. The verifier may also generate a second verification parameter when verifying the zero-knowledge proof, the second verification parameter being determined by the plurality of second parameters. When the second verification parameter generated by the verifier is equal to the first verification parameter generated by the sender, the plurality of first parameters are respectively equal to the corresponding second parameters, and the zero-knowledge proof is thereby verified.
By implementing the embodiments of the present application, the privacy of the transaction amount can be protected in the blockchain system, and the validity of the transaction amount is ensured by verifying whether the transaction amount is within the valid range while the verifier cannot learn the plaintext of the transaction amount. Supervision by the supervisor can also be supported when needed.
In another possible embodiment, the present application provides another data processing method. When the bit length of the plaintext M of the transaction amount is large, the supervisor may not be able to effectively decrypt the ciphertext of a plaintext with such a large bit length. Therefore, in the embodiment of the present application, the plaintext M of the transaction amount may be divided into several small blocks of plaintext, and encryption, the proof of belonging to the valid range, and so on are then performed on each small block respectively, so as to ensure that the supervisor can effectively decrypt the ciphertext of each small block of the transaction amount. Please refer to FIG. 4. As shown in FIG. 4, the data processing method may include at least the following steps:
S401, the sender divides the plaintext M of the transaction amount into L parts of plaintext $M_k$ of the transaction amount.
Optionally, if the bit length of the plaintext M of the transaction amount is U, the plaintext M of the transaction amount is divided into L parts of plaintext $M_k$ with bit length u, wherein L × u = U, k is a positive integer, and k = 1, ..., L.
For example, when the bit length of the plaintext M of the transaction amount is 64, L = 4 and u = 16 may be set, that is, the plaintext M of the transaction amount is divided into 4 parts of plaintext $M_k$ with a bit length of 16, wherein k = 1, 2, 3, 4. In this case, the maximum value of each plaintext $M_k$ is $2^{16}-1$.
For another example, when the bit length of the plaintext M of the transaction amount is 64, L = 8 and u = 8 may be set, that is, the plaintext M of the transaction amount is divided into 8 parts of plaintext $M_k$ with a bit length of 8, wherein k = 1, 2, 3, ..., 8. In this case, the maximum value of each plaintext $M_k$ is $2^8-1$.
It can be appreciated that the above-mentioned L parts of plaintext $M_k$ of the transaction amount may not be equal.
Specifically, the transaction amount may be an output amount, or the transaction amount may be an output amount and an input amount, depending on the initialization settings of the blockchain system. The detailed description may refer to the description in S301, and is not repeated herein.
It is understood that the bit length of the output amount and the input amount are not necessarily the same, and therefore, when the sender performs division encryption on the output amount and the input amount, the number of divided copies may be different, and the bit length of the divided transaction amount may be different. In addition, the number of input amounts may be at least one, and the number of output amounts may be at least one, that is, a plurality of input amounts or a plurality of output amounts may be provided in one transaction.
S402, the sender encrypts the L parts of plaintext $M_k$ of the transaction amount by using the additive homomorphic encryption algorithm to generate L ciphertexts $(C_k, B_k)$ of the transaction amount.
Specifically, k = 1, ..., L. The public key of the additive homomorphic encryption algorithm may be provided by the supervisor. Encrypting the transaction amount with the public key provided by the supervisor ensures that the supervisor can decrypt the ciphertext $(C_k, B_k)$ of the transaction amount with the private key corresponding to the public key, so that the supervisor can supervise the transaction.
Specifically, the additive homomorphic encryption algorithm may be the ElGamal algorithm. In the ciphertext $(C_k, B_k)$ of the transaction amount, $C_k$ is the ciphertext body of the plaintext $M_k$ of the transaction amount, and $B_k$ is the auxiliary ciphertext of the plaintext $M_k$ of the transaction amount, used to assist in decrypting the ciphertext body in the subsequent decryption by the supervisor.
Specifically, Ck = gfk g[k , Bk= g', wherein $r_k$ is a randomly generated integer, $g_3$ is the generator of Gi, Gi is a multiplicative group of prime order, $g_4$ is the public key of the additive homomorphic encryption algorithm, $g_4 = g_3^{ask}$, and ask is the private key of the additive homomorphic encryption algorithm.
S403, the sender sends the L ciphertexts $(C_k, B_k)$ of the transaction amount to the verifier.
Specifically, after the sender performs addition homomorphic ElGamal encryption on the transaction amount, the verifier cannot acquire the plaintext of the transaction amount, and information leakage caused by tracking of the sender by users on other nodes is avoided. Therefore, after the sender carries out the ElGamal encryption of the addition homomorphism on the plaintext of the transaction amount, the sender directly sends the ciphertext of the transaction amount to the verifier, so that the verifier verifies the legality of the transaction amount.
S404, the verifier verifies, according to the ciphertext $(C_k, B_k)$ of the transaction amount, whether the plaintext $M_k$ of the transaction amount belongs to the second valid range.
Specifically, the verifier verifies separately for the plaintext $M_k$ of each transaction amount whether it belongs to the second valid range, wherein the bit length of the plaintext $M_k$ of the transaction amount is u, and the second valid range is $[0, 2^u-1]$.
In particular, the verifier may verify a zero-knowledge proof that the plaintext $M_k$ of the transaction amount belongs to the second valid range. The zero-knowledge proof that the plaintext $M_k$ of the transaction amount belongs to the second valid range is generated by the sender. In this embodiment, the blockchain system may further include a trusted third party, which may generate a digital signature for each integer in the second valid range; the sender only needs to prove that the plaintext in the ciphertext $(C_k, B_k)$ of the transaction amount corresponds to one of the digital signatures of the integers in the second valid range, and the plaintext of the transaction amount is thereby proved to belong to the second valid range.
Referring specifically to FIG. 5, FIG. 5 illustrates the process in which the sender divides, encrypts, and range-proves the plaintext M of the transaction amount. As shown in FIG. 5, the plaintext M of the transaction amount is divided into 8 parts of plaintext $M_k$ with bit length u, wherein k = 1, 2, ..., 8. First, the plaintext of the transaction amount is encrypted: the sender encrypts each plaintext $M_k$ of the transaction amount with the additive homomorphic encryption algorithm to obtain the corresponding ciphertext $(C_k, B_k)$ of the transaction amount. Second, to prove that the plaintext $M_k$ of the transaction amount belongs to the second valid range, the sender generates, for each plaintext $M_k$, a zero-knowledge proof that $M_k$ belongs to the second valid range, denoted $\pi_k$. In particular, based on the ciphertext $(C_k, B_k)$ of the transaction amount, it is proved that the plaintext $M_k$ corresponds to one of the $2^u$ digital signatures Gi of the integers 0 to $2^u-1$, which proves that the plaintext $M_k$ of the transaction amount is within the second valid range $[0, 2^u-1]$. The digital signature Gi is generated by a trusted third party in the data processing system, and Gi denotes the signature of the number i, where $i \in [0, 2^u-1]$ and i is an integer. In the actual calculation, a corresponding $\pi_k$ is generated for the plaintext $M_k$ of each transaction amount to characterize that $M_k$ belongs to the second valid range; after the sender generates $\pi_k$, the verifier verifies $\pi_k$, and if $\pi_k$ is verified to be correct, the plaintext $M_k$ of the transaction amount belongs to the second valid range.
The specific calculation method of $\pi_k$ can be seen from the description in the following embodiment.
In addition, the sender may also generate a zero-knowledge proof that the supervisor can decrypt the ciphertext $(C_k, B_k)$ of the transaction amount. The verifier can also verify this zero-knowledge proof.
It will be appreciated that the order in which the sender generates the zero-knowledge proof that the plaintext $M_k$ of the transaction amount belongs to the second valid range and the zero-knowledge proof that the supervisor can decrypt the ciphertext $(C_k, B_k)$ of the transaction amount is not limited. Likewise, the order in which the verifier verifies these two zero-knowledge proofs is not limited.
In addition, the sender can also calculate the ciphertext C' of the difference between the input amount and the output amount and generate an additive homomorphic zero-knowledge proof that C' is a ciphertext encrypting the plaintext zero. The verifier can also verify this proof. It will be appreciated that when the output amount equals the input amount, and both the output amount and the input amount fall within the valid range, the transaction can be verified as being legitimate.
It will be appreciated that the zero-knowledge proof that the plaintext $M_k$ of the transaction amount belongs to the second valid range, the additive homomorphic zero-knowledge proof that C' is a ciphertext encrypting the plaintext zero, and the zero-knowledge proof that the supervisor can decrypt the ciphertext $(C_k, B_k)$ of the transaction amount are all generated by the sender and verified by the verifier. Specifically, the sender generates corresponding parameters, and the verifier verifies the correctness of the corresponding parameters.
Specifically, when the sender generates, for each small block of plaintext $M_k$, the zero-knowledge proof that the plaintext $M_k$ of the transaction amount belongs to the second valid range, at least one first parameter is generated separately for each small block of plaintext $M_k$. The verifier may also generate at least one second parameter when verifying the zero-knowledge proof that the plaintext $M_k$ of the transaction amount belongs to the second valid range, where each first parameter corresponds to a second parameter. When the at least one second parameter generated by the verifier is equal to the at least one first parameter generated by the sender, the plaintext $M_k$ of the transaction amount is verified to belong to the second valid range. The same approach is used to prove that the supervisor can decrypt the ciphertext $(C_k, B_k)$ of the transaction amount of each small block. For the additive homomorphic zero-knowledge proof that C' is a ciphertext encrypting the plaintext zero, the sender needs to calculate a first parameter over all input amounts and all output amounts as a whole, rather than per small block of the transaction amount. The verifier may likewise calculate a second parameter over all the output amounts and all the input amounts as a whole. When the second parameter generated by the verifier is equal to the first parameter generated by the sender, C' is verified to be a ciphertext encrypting the plaintext zero, i.e. the input amount is verified to equal the output amount.
Specifically, the sender may further generate a first authentication parameter when generating the zero-knowledge proof, where the first authentication parameter is determined by the plurality of first parameters. The verifier may also generate a second verification parameter when verifying the zero-knowledge proof, the second verification parameter being determined by the plurality of second parameters. When the second authentication parameter generated by the authenticator is equal to the first authentication parameter generated by the sender, it means that the plurality of first parameters are respectively equal to the corresponding second parameters in the plurality of second parameters. Thereby verifying the zero knowledge proof.
S405, the supervisor uses the private key corresponding to the public key to decrypt the ciphertexts $(C_k, B_k)$ of the L transaction amounts, obtaining the plaintexts $M_k$ of the L transaction amounts.
Specifically, the supervisor possesses an asymmetric key pair, comprising a public key and a private key. The public key is provided to the sender, who encrypts the plaintext of the transaction amount with the additive homomorphic encryption algorithm to obtain the ciphertext $(C_k, B_k)$, which protects the privacy of the transaction and prevents information leakage. The private key is held by the supervisor and is used to decrypt the ciphertext $(C_k, B_k)$ of the transaction amount sent by the sender, obtaining the decrypted plaintext $M_k$, so that the supervisor can recombine the L plaintexts $M_k$ into the initial transaction amount M and supervise the transaction.
S406, the supervisor obtains the plaintext M of the transaction amount from the plaintexts $M_k$ of the L transaction amounts.
Specifically, if each of the L plaintexts $M_k$ of the transaction amount has bit length u, the supervisor needs to recombine the L plaintexts $M_k$ of bit length u to obtain the original plaintext M of the transaction amount with bit length U, so that the supervisor can supervise the transaction, where $M = \sum_{k=1}^{L} M_k \cdot 2^{uk}$.
By implementing the embodiment of the application, when the bit length of the plaintext M of the transaction amount is long, the plaintext M can be divided into thousands of small blocks of plaintext, and each small block of plaintext is then encrypted, decrypted and proved to belong to a valid range separately, so that transaction privacy is protected and supervision is supported, while ensuring that the supervisor can effectively decrypt the ciphertext of each small block of the transaction amount.
Next, another data processing method provided in the embodiment of the present application is described with reference to fig. 6. As shown in fig. 6, the data processing method at least includes the following steps:
S601, system initialization.
Specifically, system initialization may include several aspects:
1) The plaintext M of the transaction amount is divided into L shares, each with bit length u. For example, in a scenario where the bit length of the plaintext of the transaction amount is 64, L = 4 and u = 16 may be set. $g_3$ and $g_5$ are generators of $G_1$ and $G_2$ respectively, where $G_1$ and $G_2$ are multiplicative groups of prime order. H is a secure hash function.
2) Set the private key of the supervisor to ask and the public key to $g_4 = g_3^{ask}$.
3) Generate a digital signature for each integer in $[0, 2^u - 1]$:
Figure IMGF000016_0001
It can be appreciated that L, U, H, $g_3$, $g_5$, $g_4$ and $G_i$ above are public parameters of the blockchain system.
S602, the sender encrypts each output amount.
Specifically, the following description will be made of a process in which the sender encrypts a single output amount, and if there are a plurality of output amounts, the following process of encrypting a single output amount may be repeated.
In the present embodiment, the following description will be given taking an example of dividing the plaintext M of the output amount. The sender adopts an addition homomorphic encryption algorithm to encrypt the plaintext M of the output amount, and the encryption method specifically comprises the following steps:
1) The sender divides the plaintext M of the output amount into L plaintexts $M_k$ with bit length u,
Figure IMGF000016_0002
$M_k \in [0, 2^u - 1]$, where k = 1, 2, ..., L, and $M = \sum_{k=1}^{L} M_k \cdot 2^{uk}$. Assuming that the bit length of the plaintext M of the output amount is 64, and L = 4 and u = 16 are set, the plaintext M of the output amount is divided into 4 plaintexts $M_k$ of the output amount with bit length 16, where k = 1, 2, 3, 4. Then:
$M = \sum_{k=1}^{4} M_k \cdot 2^{16k} = M_1 \cdot 2^{16} + M_2 \cdot 2^{16 \cdot 2} + M_3 \cdot 2^{16 \cdot 3} + M_4 \cdot 2^{16 \cdot 4}$
2) The sender encrypts the plaintext $M_k$ of each output amount with the additive homomorphic encryption algorithm to generate the ciphertext $(C_k, B_k)$ of the output amount.
Specifically, the additive homomorphic encryption algorithm may be the ElGamal algorithm. In the ciphertext $(C_k, B_k)$ of the output amount, $C_k$ is the ciphertext body of the plaintext $M_k$ of the output amount, and $B_k$ is the auxiliary ciphertext of the plaintext $M_k$ of the output amount, used to assist in decrypting the ciphertext body during the subsequent decryption by the supervisor.
Specifically,
Figure IMGF000017_0001
where $r_k$ are randomly generated integers.
S603, the sender generates a zero-knowledge proof.
Specifically, the process of generating the zero-knowledge proof is again described for a single output amount; if there are a plurality of output amounts, the following process may be repeated for each of them.
Specifically, the sender-generated zero-knowledge proof includes the following aspects:
1) The sender generates a zero-knowledge proof that the supervisor can decrypt the ciphertext $(C_k, B_k)$ of each output amount.
Wherein
Figure IMGF000017_0005
Specifically, random numbers are generated
Figure IMGF000017_0002
And calculating a first parameter a = e { V =k, g5k e(gi, g5k
It can be known that the ciphertext body C of an output amount can be calculated from the L ciphertext bodies $C_k$ of the output amount obtained after division: c = Hk L__ cf.
It can be seen that the above is the encryption and proof for an output amount (proving that the supervisor can decrypt each small block of ElGamal ciphertext and proving that the plaintext in each ciphertext falls within the second valid range). For the input amount, the process can be repeated to carry out encryption and proof; alternatively, the ciphertext of the transaction amount received by the sender in the last transaction can be used directly as the input amount of the current transaction without repeating the process. Whether the sender directly uses the ciphertext of the transaction amount received in the last transaction depends on how the blockchain system initializes its transaction model, namely, whether the transaction model is that the sender directly forwards the transaction amount received in the last transaction to the receiver, or that the sender regenerates the input amount in each transaction.
3) The sender computes the ciphertext C'' of (total input amount - total output amount), and generates an additive homomorphic zero-knowledge proof that C'' is a ciphertext encrypting the plaintext zero.
Specifically, assume that there are Y output amounts $M^{(out,y)}$ with ciphertext bodies $C^{(out,y)}$ and X input amounts $M^{(in,x)}$ with ciphertext bodies $C^{(in,x)}$, where x = 1, 2, ..., X and y = 1, 2, ..., Y. The sender may calculate s using the random number of each ciphertext body, specifically where # is
Figure IMGF000017_0004
Figure IMGF000017_0003
Random number of cipher text main body, 4) cipher text main body C' ’d is a random number. Generating random numbers to calculate first parameters
Rs = 。
It should be noted that, when the total input amount and the total output amount are proved to be equal, the difference between the plaintext of the total input amount and the plaintext of the total output amount is calculated, and the calculation method adopted in the encrypted data is the ratio of the ciphertext of the total input amount to the ciphertext of the total output amount. And the ciphertext of the total output amount is equal to the multiplication of the ciphertexts of the plurality of output amounts, and the ciphertext of the total input amount is equal to the multiplication of the ciphertexts of the plurality of input amounts.
4) The sender calculates a first verification parameter d, which is the result of the calculation using a hash function H, where the inputs of H include the above-mentioned, Q,, V; a is aklR5. The sender calculates according to the first verification parameter d:zmt =h+dMk, Zrt =cok+drk , Zk =tk+dvklZs=rsthe + d3 sender eventually outputs one for each output amount,
Figure IMGF000018_0001
%, zMt , zrt , zvtwherein k = l,
2, L, the sender also outputs a Z for all the output amounts and all the input amountsjAndt/. It can be appreciated that if the sender generates an input amount again in each transaction in the blockchain system, the sender will eventually output one, Q, V, for each input amountp ZMk , Zrt , ZvtAnd the sender sends the output parameters to the verifier.
S604, the verifier verifies the zero knowledge proof.
Specifically, the verifier verifies zero knowledge proof including the following aspects:
1) The verifier verifies, for each output amount, the zero-knowledge proof that the plaintext $M_k$ belongs to the second valid range and the zero-knowledge proof that the ciphertext can be decrypted by the supervisor.
It can be known that the first parameter $a_k$ generated by the sender is used to prove that the plaintext $M_k$ of the output amount has a corresponding digital signature generated by the trusted third party, i.e. to prove that the plaintext $M_k$ of the output amount belongs to the second valid range; the first parameters generated by the sender
Figure IMGF000018_0002
are used to prove that $(C_k, B_k)$ is a legitimate ciphertext, i.e. that the supervisor can decrypt the ciphertext.
Specifically, the verifying party
Figure IMGF000018_0003
D: =g^gZ C:d, E ' =gK where k = 1, 2, ..., L.
For the input amount, if the sender uses the amount ciphertext received in the last transaction, the input amount does not need to be verified; otherwise, the verifier needs to repeat the above operations to verify the zero-knowledge proof that the input amount belongs to the second valid range and the zero-knowledge proof that it can be decrypted by the supervisor.
2) The verifier verifies that C' is an additive homomorphic zero knowledge proof of the ciphertext encrypted with plaintext zero. Specifically, and calculating a second parameter < = (7'
Figure IMGF000018_0004
The verifier calculates a second verification parameter by using a hash function, wherein the input of H comprises C; the carbon consumption is >/,/, V; aX if the second verification parameter is equal to the first verification parameter, d'=d, the verification of the verifier is passed. Here, "the verifier verifies" refers to the following three aspects:
1. The verifier verifies that the plaintext $M_k$ of each output amount belongs to the second valid range;
2. The verifier verifies that C' is a ciphertext encrypting the plaintext zero, namely that the output amount is equal to the input amount;
3. The verifier verifies that the supervisor can decrypt the ciphertext $(C_k, B_k)$ of each output amount.
In both aspects 1 and 2 of the above verification, the validity of the transaction is verified; in the above verification of aspect 3, the validity of the ciphertext is verified.
It is known that the sender calculates a first authentication parametertWhen, the input of the hash function H comprises C; b, Ek, Vk, aklR5. When the verifier calculates the second verification parameter, the input of the hash function H comprises Q, >; ,
, Vkwhen aX is calculated as/= t/, it means that the input parameters of the hash function H are equal to each other. I.e. Dk’ = Dk , Ek' =Ek, ak' =ak, Rs’ = Rs. Due to the first parameter, for proving (C)k, Bk) Being the ciphertext of the synthesis, then Dk’ =DkAnd (/ = means (C)k, Bk) The output amount of each small block can be decrypted for a legal ciphertext, namely, the output amount of each small block can be verified by a supervisor. Since the first parameter is used to prove that the plain text of the output amount has a corresponding digital signature generated by a trusted third party, then
Figure IMGF000019_0001
Meaning that the plaintext% of the output amount falls within the second valid range. Since the first parameter is used to prove that C 'is the ciphertext with the encrypted plaintext zero, then/= verify that C' is the ciphertext with the encrypted plaintext zero, i.e. verify that the total input amount equals the total output amount. And then the verifying party verifies the validity of the transaction by combining the verified result that the ciphertext of each output amount belongs to the valid range.
S605, the supervisor decrypts.
In particular, the supervisor decryption may include several aspects:
1) The supervisor uses its private key ask to decrypt the ciphertext $(C_k, B_k)$ of each output amount,
Figure IMGF000019_0002
K
2) The supervisor calculates $g_3^0$, $g_3^1$, ...,
Figure IMGF000019_0003
and compares them respectively with
Figure IMGF000019_0004
to find the plaintext $M_k$ of the output amount. In particular, the supervisor may pre-compute
Figure IMGF000019_0005
where i is an integer and $i \in [0, 2^u - 1]$, generating a pre-calculation table $(g_3^0, g_3^1, \ldots, g_3^{2^u - 1})$. The supervisor can reuse the pre-calculation table across multiple decryptions, comparing the decryption result obtained in each decryption with the pre-calculation table to find the value of the plaintext $M_k$ of the output amount.
3) The plaintext M of the output amount is restored from the decrypted values of the plaintexts $M_k$ of the plurality of output amounts, where
Figure IMGF000019_0006
It should be appreciated that the decryption process of the supervisor is also applicable to decryption of the input amount, and will not be described again here. It will be appreciated that the above calculation process is equally applicable to scenarios where the plaintext of the transaction amount need not be segmented, and will not be described in detail here.
The embodiment of the application provides a specific calculation method for the data processing method, according to which the plaintext of the transaction amount can be segmented. The plaintext of each small block is then encrypted, decrypted and proved to belong to the valid range separately, so that transaction privacy is protected and supervision is supported, while ensuring that the supervisor can effectively decrypt the ciphertext of the transaction amount of each small block, successfully restore the plaintext M of the transaction amount, and effectively supervise the transaction.
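The segment, encrypt, decrypt and recombine flow of S602 and S605, together with the input/output ratio check, is worked through below as an added example; it is not code from the patent. It assumes a prime-order subgroup of Z_p* in place of the pairing group $G_1$, the lifted ElGamal form C = g3^M · g4^r implied by the supervisor's table lookup, and zero-based chunks with weight 2^(u·i); it checks "encrypts zero" with the supervisor key rather than a zero-knowledge proof, and all function names are hypothetical.

```python
"""Segmented lifted-ElGamal amounts with supervisor decryption (added illustration)."""
import secrets

AMOUNT_BITS, PARTS, CHUNK_BITS = 64, 4, 16   # U, L and u from the text

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_group(q_bits):
    """Assumed stand-in for G1: order-q subgroup of Z_p*, p = 2q + 1, generator 4."""
    q = (1 << q_bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4      # 4 is a square other than 1, so its order is q

P, Q, G3 = demo_group(65)       # q > 2^64, so 64-bit amounts never wrap mod q

def keygen():
    ask = secrets.randbelow(Q - 1) + 1
    return ask, pow(G3, ask, P)             # private key ask, public key g4 = g3^ask

def split(m):
    """Chunk i (0-based, least significant first) carries weight 2^(u*i)."""
    if not 0 <= m < (1 << AMOUNT_BITS):
        raise ValueError("amount outside [0, 2^U - 1]")
    mask = (1 << CHUNK_BITS) - 1
    return [(m >> (CHUNK_BITS * i)) & mask for i in range(PARTS)]

def encrypt_chunk(g4, mk):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G3, mk, P) * pow(g4, r, P) % P, pow(G3, r, P)    # (C_k, B_k)

def encrypt_amount(g4, m):
    return [encrypt_chunk(g4, mk) for mk in split(m)]

def strip_mask(ask, c, b):
    """C / B^ask = g3^M; exponent P - 1 - ask yields the inverse of B^ask."""
    return c * pow(b, P - 1 - ask, P) % P

def build_table():
    """Pre-calculation table g3^0 .. g3^(2^u - 1), reusable across decryptions."""
    table, acc = {}, 1
    for i in range(1 << CHUNK_BITS):
        table[acc] = i
        acc = acc * G3 % P
    return table

def supervisor_decrypt(ask, table, chunks):
    m = 0
    for i, (c, b) in enumerate(chunks):
        g_m = strip_mask(ask, c, b)
        if g_m not in table:    # the case the second-range proof is meant to rule out
            raise ValueError(f"chunk {i} is outside [0, 2^u - 1]")
        m |= table[g_m] << (CHUNK_BITS * i)
    return m

def combine(chunks):
    """Homomorphically fold the chunk ciphertexts into one ciphertext of M."""
    c_all = b_all = 1
    for i, (c, b) in enumerate(chunks):
        w = 1 << (CHUNK_BITS * i)
        c_all, b_all = c_all * pow(c, w, P) % P, b_all * pow(b, w, P) % P
    return c_all, b_all

def balance(inputs, outputs):
    """Ciphertext of (total input - total output): input product over output product."""
    c = b = 1
    for ci, bi in inputs:
        c, b = c * ci % P, b * bi % P
    for co, bo in outputs:
        c, b = c * pow(co, P - 2, P) % P, b * pow(bo, P - 2, P) % P
    return c, b

def encrypts_zero(ask, ct):
    """Supervisor-side check; in the text the sender proves this in zero knowledge."""
    return strip_mask(ask, *ct) == 1

if __name__ == "__main__":
    ask, g4 = keygen()
    table = build_table()
    m = 0x0123456789ABCDEF                   # constructed sample amount
    print(hex(supervisor_decrypt(ask, table, encrypt_amount(g4, m))))
```

A chunk encrypted outside [0, 2^u - 1] has no entry in the table, so the supervisor cannot recover it; that is the failure the per-chunk range proof prevents.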
The embodiment of the present application further provides a sender, which is applied to the blockchain system shown in fig. 1, where the system at least includes a sender and a verifier. As shown in fig. 7, the sender 70 at least includes an encryption unit 710 and a sending unit 720, where:
The encryption unit 710 is configured to encrypt the plaintext M of the transaction amount by using an additive homomorphic encryption algorithm to generate the ciphertext (C, B) of the transaction amount, where the bit length of the plaintext M of the transaction amount is U; for a detailed description, refer to the description of S301.
The sending unit 720 is configured to send the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies whether the plaintext M of the transaction amount falls within a first valid range; the first valid range is $[0, 2^U - 1]$; for a detailed description, refer to the description of S302.
In a possible implementation, the additive homomorphic encryption algorithm may be the ElGamal algorithm, where $C = g_3^M g_4^r$ and $B = g_3^r$, r is a randomly generated integer, $g_3$ is a generator of $G_1$, $G_1$ is a multiplicative group of prime order, $g_4$ is the public key of the additive homomorphic encryption algorithm, $g_4 = g_3^{ask}$, and ask is the private key of the additive homomorphic encryption algorithm.
In a possible implementation manner, the blockchain system further includes a supervisor. The encryption unit 710 includes a dividing subunit 7110 and an encryption subunit 7120, where:
The dividing subunit 7110 is configured to divide the plaintext M of the transaction amount into L plaintexts $M_k$ of the transaction amount, where k is a positive integer, k = 1, 2, ..., L, and L is a positive integer greater than or equal to 2; for a detailed description, refer to the description of S401 or the description of 1) in S602.
The encryption subunit 7120 is configured to encrypt the plaintexts of the L transaction amounts by using an additive homomorphic encryption algorithm to generate the ciphertexts $(C_k, B_k)$ of the L transaction amounts, so that the supervisor can use the private key corresponding to the public key to decrypt the ciphertexts $(C_k, B_k)$ of the L transaction amounts, obtain the plaintexts $M_k$ of the L transaction amounts, and obtain the plaintext M of the transaction amount from the plaintexts $M_k$ of the L transaction amounts, where the public key of the additive homomorphic encryption algorithm is provided by the supervisor; for a detailed description, refer to the descriptions of S402, S405 and S406, or to the description of 2) in S602.
The sending unit 720 is configured to send the ciphertexts $(C_k, B_k)$ of the L transaction amounts to the verifier, so that the verifier verifies whether the plaintext $M_k$ in the ciphertext $(C_k, B_k)$ of the transaction amount falls within a second valid range, where the second valid range is $[0, 2^u - 1]$ and u is the bit length of the plaintext of the transaction amount; for a detailed description, refer to the descriptions of S403 and S404.
In one possible implementation, the sender 70 further includes: the first generating unit 730 is configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, please refer to the description of 2) in S603.
The sending unit 720 is configured to send the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies, according to the ciphertext (C, B) of the transaction amount, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
In one possible implementation, the transaction amount includes an output amount. The sender 70 further includes: a second generating unit 740, configured to calculate a ciphertext C'' of the difference between the input amount and the output amount, and generate an additive homomorphic zero-knowledge proof that C'' is a ciphertext encrypting the plaintext zero, so that the verifier verifies the additive homomorphic zero-knowledge proof that C'' is a ciphertext encrypting the plaintext zero; where C'' is a ciphertext calculated from the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount is either the ciphertext of an amount received by the sender 70 in the previous transaction, or a ciphertext generated by the sender 70 by encrypting an amount generated in the current transaction with the additive homomorphic encryption algorithm; for a detailed description, refer to the description of 3) in S603.
In a possible implementation manner, the system further includes a supervisor, and the public key of the addition homomorphic encryption algorithm is provided by the supervisor; for a detailed description, refer to the description of S301.
The sender 70 further includes: a third generating unit 750, configured to generate a zero knowledge proof of the ciphertext (C, B) of the transaction amount that the administrator can decrypt, so that the verifier verifies the zero knowledge proof of the ciphertext (C, B) of the transaction amount that the administrator can decrypt, which is described in detail with reference to 1) in S603.
In a possible implementation manner, the system further includes a third party configured to provide a random secret Y, where the random secret Y is configured to generate a digital signature for each integer within the first valid range, and please refer to the description in 3) of S601.
The first generating unit 730 is configured to generate a zero knowledge proof that the plaintext M of the ciphertext C of the transaction amount belongs to the first valid range according to the digital signature generated by the random secret Y provided by the third party for each integer in the first valid range, which is described in detail with reference to 2) in S603.
The embodiment of the present application further provides a verifier applied to the blockchain system shown in fig. 1, where the system at least includes a sender and a verifier. As shown in fig. 7, the verifier 80 at least includes a receiving unit 810 and a verification unit 820, where:
The receiving unit 810 is configured to receive the ciphertext (C, B) of the transaction amount sent by the sender 70, where the ciphertext (C, B) of the transaction amount is generated by the sender 70 encrypting the plaintext M of the transaction amount with an additive homomorphic encryption algorithm; the bit length of the plaintext M of the transaction amount is U; for a detailed description, refer to the description of S302 or S403.
The verification unit 820 is configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first valid range is $[0, 2^U - 1]$; for a detailed description, refer to the description of S303 or S404.
In a possible implementation, the additive homomorphic encryption algorithm may be the ElGamal algorithm, where $C = g_3^M g_4^r$ and $B = g_3^r$, r is a randomly generated integer, $g_3$ is a generator of $G_1$, $G_1$ is a multiplicative group of prime order, $g_4$ is the public key of the additive homomorphic encryption algorithm, $g_4 = g_3^{ask}$, and ask is the private key of the additive homomorphic encryption algorithm.
In one possible implementation, the verification unit 820 is configured to verify that the plaintext M of the transaction amount belongs to a zero-knowledge proof of a first validity range; wherein the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range is generated by the sender 70, please refer to the description of 1) in S604.
In one possible implementation, the transaction amount includes an output amount; the verification unit 820 is further configured to verify that the ciphertext C' of the difference between the input amount and the output amount is an addition homomorphic zero knowledge proof of the ciphertext in which the plaintext is encrypted to be zero; wherein C 'is a ciphertext calculated according to the ciphertext of the output amount and the ciphertext of the input amount, the ciphertext of the input amount is the ciphertext of the amount received by the sender 70 in the last transaction, or the ciphertext of the input amount is the ciphertext generated by encrypting the amount generated in the current transaction by the sender 70 by using the addition homomorphic encryption algorithm, the ciphertext C' of the difference value between the input amount and the output amount is an addition homomorphic zero knowledge proof generated by the sender 70, which is the ciphertext whose plaintext is zero, and the detailed description refers to the description of 2) in S604.
In a possible implementation manner, the blockchain system further includes a supervisor, and the public key of the addition homomorphic encryption algorithm is provided by the supervisor.
The verification unit 820 is also used to verify zero knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; wherein the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is generated by the sender 70, please refer to the description of 1) in S604.
An embodiment of the present application further provides another sender, as shown in fig. 9, the sender 90 may at least include: at least one processor 901, at least one network interface 904, a user interface 903, memory 905, at least one communication bus 902, a display screen 906. Where a communication bus 902 is used to implement the connection communication between these components, it should be understood that each component in the sender 90 may also be coupled through other connectors, which may include various interfaces, transmission lines or buses, etc., and in various embodiments of the present application, the coupling refers to the interconnection through a specific manner, including direct connection or indirect connection through other devices.
Among other things, the processor 901 may include at least one of the following types: a general purpose Central Processing Unit (CPU), a Digital Signal Processor (DSP), a microprocessor, an Application Specific Integrated Circuit (ASIC), a Microcontroller (MCU), a Field Programmable Gate Array (FPGA), or an Integrated Circuit for implementing logical operations. For example, the processor 901 may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. The multiple processors or units included within processor 901 may be integrated on one chip or located on multiple different chips.
The user interface 903 may include a keypad, physical buttons (push buttons, rocker buttons, etc.), dials, slide switches, joysticks, click wheels, a light mouse (a light mouse is a touch-sensitive surface that does not display visual output, or is an extension of a touch-sensitive surface formed by a touch screen), and so forth. The network interface 904 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface).
The memory 905 may be a nonvolatile memory, such as an EMMC (Embedded Multi Media Card), a UFS (Universal Flash Storage) or a Read-Only Memory (ROM). Optionally, in the embodiment of the present application the memory 905 may include a flash memory, or another type of static storage device that can store static information and instructions, or a volatile memory, such as a Random Access Memory (RAM) or another type of dynamic storage device that can store information and instructions, or an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other computer-readable storage medium that can be used to carry or store program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. Optionally, the memory 905 may also be at least one memory system located remotely from the processor 901. As shown in fig. 9, the memory 905, which is a type of computer storage medium, may include an operating system, a network communication module, a user interface module, and program instructions.
The memory 905 may be separate and coupled to the processor 901 through a connector. The memory 905 may also be integrated with the processor 901. The memory 905 can store various computer program instructions for executing the program instructions of the present application, and the processor 901 controls the execution of the computer program instructions, and the executed computer program instructions can also be regarded as a driver of the processor 901. For example, the processor 901 is configured to execute computer program instructions stored in the memory 905 to implement the methods in the method embodiments of fig. 3-6 of the present application. The computer program instructions may be provided in a large number of instructions that form computer-executable instructions that can be executed by at least one of the processors 901 to drive the associated processor to perform various types of processing, such as communication signal processing algorithms, operating system operations, or application program operations that support the various types of wireless communication protocols described above.
The display screen 906 is used for displaying information input by the user. Illustratively, the display screen 906 may include a display panel and a touch panel. The display panel may be implemented as a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED) display, a Light-Emitting Diode (LED) display device, a Cathode Ray Tube (CRT), or the like. The touch panel, also called a touch screen or touch-sensitive screen, may collect contact or non-contact operations (such as operations performed by a user on or near the touch panel using any suitable object or accessory, such as a finger or a stylus, and may also include body sensing operations; the operations include single-point control operations, multi-point control operations, etc.) and drive the corresponding connection device according to a preset program.
The embodiment of the present application provides another verifier, as shown in fig. 10, where the verifier 100 may include at least: at least one processor 1001, at least one network interface 1004, a user interface 1003, memory 1005, at least one communication bus 1002, and a display screen 1006. The communication bus 1002 is used to implement connection and communication between these components. It should be understood that the components in the verifier 100 may also be coupled through other connectors, which may include various interfaces, transmission lines or buses, etc.; in the various embodiments of the present application, coupling refers to interconnection in a specific manner, including direct connection or indirect connection through other devices.
The processor 1001 is similar to the processor 901, and is not described herein again.
The user interface 1003 is similar to the user interface 903 and will not be described in detail.
The memory 1005 is similar to the memory 905, and the processor 1001 is configured to execute the computer program instructions stored in the memory 905, so as to implement the methods in the method embodiments of fig. 3 to 6 of this application, which is not described herein again.
The display 1006 is similar to the display 906 and will not be described in detail herein.
Embodiments of the present application also provide a computer-readable storage medium having instructions stored therein, which when executed on a computer or a processor, cause the computer or the processor to perform one or more steps of any one of the data processing methods described above. The respective constituent modules of the above-described apparatus may be stored in the computer-readable storage medium if they are implemented in the form of software functional units and sold or used as independent products.
Based on such an understanding, the embodiments of the present application also provide a computer program product containing instructions. The part of the technical solution of the present application that in essence contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, and the computer software product contains a number of instructions that enable a computer device, a mobile terminal, or a processor therein to execute all or part of the steps of the methods described in the embodiments of the present application. For the kinds of storage medium, refer to the related description of the memory 905 or 1005.
The steps in the method of the embodiment of the application can be sequentially adjusted, combined and deleted according to actual needs.
The modules in the device can be merged, divided and deleted according to actual needs.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications or substitutions do not depart from the scope of the embodiments of the present application.

Claims (1)

  1. Claims to follow
    1. A data processing method is applied to a block chain system, the system comprises a sender and an authenticator, and the method is characterized by comprising the following steps:
    the sender encrypts the plaintext M of the transaction amount using an additive homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount;
    the sender sends the ciphertext (C, B) of the transaction amount to the verifier;
    the verifier verifies whether the plaintext M of the transaction amount belongs to a first effective range according to the ciphertext (C, B) of the transaction amount, wherein the first effective range is [0, 2^U - 1], U being the bit length of the plaintext M of said transaction amount.
    2. The method of claim 1, wherein C = g ^ g4 r, B = g; wherein r is a randomly generated integer, g3 is a generator of Gi, Gi is a multiplicative group whose order is prime, g4 is a public key of the additive homomorphic encryption algorithm, g4 = g3^ask, and ask is a private key of the additive homomorphic encryption algorithm.
    3. The method of claim 1 or 2, wherein the system further comprises a supervisor;
    the sender encrypting the plaintext M of the transaction amount using the additive homomorphic encryption algorithm to generate the ciphertext (C, B) of the transaction amount comprises: the sender divides the plaintext M of the transaction amount into L transaction-amount plaintexts M_k, and encrypts each of the L transaction-amount plaintexts M_k using the additive homomorphic encryption algorithm to generate L transaction-amount ciphertexts (C_k, B_k), wherein the public key of the additive homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = L, and L is a positive integer greater than or equal to 2;
    the verifying party verifying whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount comprises: the verifying party verifies, according to the ciphertexts (C_k, B_k) of the transaction amount, whether the plaintext of the transaction amount belongs to a second valid range; wherein the second effective range is [0, 2^u - 1], u being the bit length of the plaintext M_k of said transaction amount;
    the method further comprises: the supervisor decrypts the L transaction-amount ciphertexts (C_k, B_k) using a private key corresponding to the public key to obtain the L transaction-amount plaintexts M_k, and obtains the plaintext M of the transaction amount according to the L transaction-amount plaintexts.
    4. The method of any one of claims 1-3, further comprising: the sender generates a zero-knowledge proof that the plaintext M of the transaction amount belongs to a first effective range;
    the verifying party verifying whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount comprises: the verifying party verifies the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
    5. The method of any of claims 1-4, wherein the transaction amount comprises an output amount; the method further comprises: the sender calculates a ciphertext C' of a difference value between the input amount and the output amount and generates an additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero; C' is a ciphertext calculated from the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount is the ciphertext of the amount received by the sender in the last transaction, or the ciphertext of the input amount is the ciphertext generated by the sender encrypting, with the additive homomorphic encryption algorithm, the amount generated in the current transaction;
    and the verifying party verifies the additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero.
    6. The method of claim 1 or 2, wherein the system further comprises a supervisor, a public key of the additive homomorphic encryption algorithm being provided by the supervisor;
    the method further comprises the following steps: the sender generating a zero knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount;
    the verifying party verifies a zero knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the supervisor decrypts the cryptograph (C, B) of the transaction amount using a private key corresponding to the public key.
    7. The method of claim 4, wherein the sender generating a zero knowledge proof that the plaintext M of the transaction amount falls within a first valid range comprises: the sender generates N first parameters; n is a positive integer;
    the zero-knowledge proof that the verifier verifies that the plaintext M of the transaction amount falls within the first validity range comprises: the verifier generates N second parameters; wherein the N first parameters correspond to the N second parameters;
    and the verifying party verifies whether the N second parameters are equal to the corresponding first parameters, and if so, the plaintext M of the transaction amount belongs to a first valid range.
    8. The method of claim 7, wherein the sender generating a zero knowledge proof that the plaintext M of the transaction amount falls within a first validity range further comprises: the sender generates a first verification parameter; the first verification parameter is determined by the N first parameters;
    the zero-knowledge proof that the verifier verifies that the plaintext M of the transaction amount falls within the first validity range further comprises: the verifier generates a second verification parameter; the second verification parameter is determined by the N second parameters; the verifying party verifying whether the N second parameters are equal to the corresponding first parameters comprises:
    and the verifier verifies whether the first parameters are equal to the second verification parameters, and if so, the N second parameters are equal to the corresponding first parameters.
    9. A data processing method is applied to a block chain system, the system comprises a sender and an authenticator, and the method is characterized by comprising the following steps:
    the sender encrypts the plaintext M of the transaction amount using an additive homomorphic encryption algorithm to generate a ciphertext (C, B) of the transaction amount;
    the sender sends the ciphertext (C, B) of the transaction amount to the verifier so that the verifier verifies whether the plaintext M of the transaction amount belongs to a first effective range according to the ciphertext (C, B) of the transaction amount; the first effective range is [0, 2^U - 1], and U is the bit length of the plaintext M of the transaction amount.
    10. The method of claim 9, wherein C =
    Figure IMGF000026_0001
    B = g; wherein r is a randomly generated integer, g3 is a generator of Gi, Gi is a multiplicative group whose order is prime, g4 is the public key of the additive homomorphic encryption algorithm, g4 = g3^ask, and ask is a private key of the additive homomorphic encryption algorithm.
    11. The method of claim 9 or 10, wherein the system further comprises a supervisor; the sender encrypting the plaintext M of the transaction amount using the additive homomorphic encryption algorithm to generate the ciphertext (C, B) of the transaction amount comprises: the sender divides the plaintext M of the transaction amount into L transaction-amount plaintexts M_k, and encrypts each of the L transaction-amount plaintexts M_k using the additive homomorphic encryption algorithm to generate L transaction-amount ciphertexts (C_k, B_k), so that the supervisor decrypts the L transaction-amount ciphertexts (C_k, B_k) using the private key corresponding to the public key to obtain the L transaction-amount plaintexts M_k, and obtains the plaintext M of the transaction amount according to the L transaction-amount plaintexts M_k, wherein the public key of the additive homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = L, and L is a positive integer greater than or equal to 2;
    the sender sending the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount, comprises: the sender sends the L transaction-amount ciphertexts (C_k, B_k) to the verifier, so that the verifier verifies, according to the ciphertexts (C_k, B_k) of the transaction amount, whether the plaintext M_k of the transaction amount falls within a second valid range; wherein the second effective range is [0, 2^u - 1], u being the bit length of the plaintext of said transaction amount.
    12. A data processing method is applied to a block chain system, the system comprises a sender and an authenticator, and the method comprises the following steps:
    the verifier receives a ciphertext (C, B) of the transaction amount sent by the sender, wherein the ciphertext (C, B) of the transaction amount is generated by encrypting a plaintext M of the transaction amount by the sender by adopting an addition homomorphic encryption algorithm; the bit length of the plaintext M of the transaction amount is U;
    the verifier verifies whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount; the first effective range is [0, 2^U - 1].
    13. The method of claim 12,
    Figure IMGF000027_0001
    B = g; wherein r is a randomly generated integer, g3 is a generator of Gi, Gi is a multiplicative group whose order is prime, g4 is the public key of the additive homomorphic encryption algorithm, g4 = g3^ask, and ask is a private key of the additive homomorphic encryption algorithm.
    14. A blockchain system, the system comprising a sender and an authenticator, the system comprising:
    the sender is used for encrypting the plaintext M of the transaction amount by adopting an addition homomorphic encryption algorithm to generate ciphertext (C, B) of the transaction amount and sending the ciphertext (C, B) of the transaction amount to the verifier;
    the verifying party is used for verifying whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount; the first effective range is [0, 2^U - 1], U being the bit length of the plaintext M of said transaction amount.
    15. The system of claim 14, wherein C =
    Figure IMGF000027_0002
    B = g; wherein r is a randomly generated integer, g3 is a generator of Gi, Gi is a multiplicative group whose order is prime, g4 is the public key of the additive homomorphic encryption algorithm, g4 = g3^ask, and ask is a private key of the additive homomorphic encryption algorithm.
    16. The system of claim 14 or 15, wherein the system further comprises a supervisor; the sender is used for dividing the plaintext M of the transaction amount into L transaction-amount plaintexts M_k, and encrypting each of the L transaction-amount plaintexts M_k using the additive homomorphic encryption algorithm to generate L transaction-amount ciphertexts (C_k, B_k), wherein the public key of the additive homomorphic encryption algorithm is provided by the supervisor, k is a positive integer, k = L, and L is a positive integer greater than or equal to 2;
    the verifier is used for verifying, according to the ciphertexts (C_k, B_k) of the transaction amount, whether the plaintext M_k of the transaction amount falls within a second valid range; the second effective range is [0, 2^u - 1], and u is the bit length of the plaintext of the transaction amount;
    the supervisor is used for decrypting the L transaction-amount ciphertexts (C_k, B_k) using the private key corresponding to the public key to obtain the L transaction-amount plaintexts M_k, and obtaining the plaintext M of the transaction amount according to the L transaction-amount plaintexts M_k.
    17. The system of any one of claims 14-16, wherein the sender is further configured to generate a zero knowledge proof that the plaintext M of the transaction amount falls within a first validity range;
    and the verifying party is used for verifying, according to the ciphertext (C, B) of the transaction amount, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first effective range.
    18. The system of any one of claims 14-17, wherein the transaction amount comprises an output amount; the sender is also used for calculating a ciphertext C 'of a difference value between the input amount and the output amount and generating an addition homomorphic zero knowledge proof that C' is the ciphertext encrypted with the plaintext as zero; the C' is a ciphertext obtained by calculation according to the ciphertext of the output amount and the ciphertext of the input amount, the ciphertext of the input amount is the ciphertext of the amount received by the sender in the last transaction, or the ciphertext of the input amount is the ciphertext generated by encrypting the amount generated in the current transaction by the sender through the addition homomorphic encryption algorithm;
    the verifier is also configured to verify the additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero.
    19. The system of claim 14 or 15, wherein the system further comprises a supervisor, a public key of the additive homomorphic encryption algorithm being provided by the supervisor;
    the sender is further configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the verifying party is further configured to verify the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the supervisor is used for decrypting the ciphertext (C, B) of the transaction amount using a private key corresponding to the public key.
    20. The system of claim 17, wherein the sender is configured to generate N first parameters; the verifier is used for generating N second parameters; wherein the N first parameters correspond to the N second parameters one-to-one;
    and verifying whether the N second parameters are equal to the corresponding first parameters, and if so, determining that the plaintext M of the transaction amount belongs to a first effective range.
    21. The system of claim 20, wherein the sender is further configured to generate a first verification parameter; the first verification parameter is determined by the N first parameters;
    the verifier is also used for generating a second verification parameter; the second verification parameter is determined by the N second parameters; the verifier is further configured to verify whether the first parameter is equal to the second verification parameter, and if so, the N second parameters are equal to the corresponding first parameters.
    22. A sender applied to a block chain system, the system comprising the sender and an authenticator, wherein the sender comprises:
    the encryption unit is used for encrypting the plaintext M of the transaction amount by adopting an addition homomorphic encryption algorithm to generate ciphertext (C, B) of the transaction amount, wherein the bit length of the plaintext M of the transaction amount is U;
    a sending unit, configured to send the ciphertext (C, B) of the transaction amount to the verifier, so that the verifier verifies, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to a first valid range; the first effective range is [0, 2^U - 1], and U is the bit length of the plaintext M of the transaction amount.
    23. The sender according to claim 22, wherein,
    Figure IMGF000029_0001
    B = g; wherein r is a randomly generated integer, g3 is a generator of Gi, Gi is a multiplicative group whose order is prime, g4 is the public key of the additive homomorphic encryption algorithm, g4 = g3^ask, and ask is a private key of the additive homomorphic encryption algorithm.
    24. The sender according to claim 22 or 23, wherein the system further comprises a supervisor; the encryption unit includes:
    a dividing subunit, configured to divide the plaintext M of the transaction amount into L transaction-amount plaintexts M_k, wherein k is a positive integer, k = L, L is a positive integer greater than or equal to 2;
    an encryption subunit, configured to encrypt each of the L transaction-amount plaintexts M_k using the additive homomorphic encryption algorithm to generate L transaction-amount ciphertexts (C_k, B_k), so that the supervisor decrypts the L transaction-amount ciphertexts (C_k, B_k) using the private key corresponding to the public key to obtain the L transaction-amount plaintexts M_k, and obtains the plaintext M of the transaction amount according to the L transaction-amount plaintexts M_k, wherein a public key of the additive homomorphic encryption algorithm is provided by the supervisor;
    the sending unit is used for sending the L transaction-amount ciphertexts (C_k, B_k) to the verifier, so that the verifier verifies, according to the ciphertexts (C_k, B_k) of the transaction amount, whether the plaintext M_k of the transaction amount falls within a second valid range; wherein the second effective range is [0, 2^u - 1], and u is the bit length of the plaintext of the transaction amount.
    25. An authenticator applied to a block chain system, the system comprising a sender and an authenticator, the authenticator comprising:
    the receiving unit is used for receiving a cryptograph (C, B) of the transaction amount sent by the sender, wherein the cryptograph (C, B) of the transaction amount is generated by encrypting the plaintext M of the transaction amount by the sender by adopting an addition homomorphic encryption algorithm; the bit length of the plaintext M of the transaction amount is U;
    the verification unit is used for verifying whether the plaintext M of the transaction amount belongs to a first valid range according to the ciphertext (C, B) of the transaction amount; the first effective range is [0, 2^U - 1].
    26. The validating party of claim 25,
    Figure IMGF000030_0001
    B = g; wherein r is a randomly generated integer, g3 is a generator of Gi, Gi is a multiplicative group whose order is prime, g4 is the public key of the additive homomorphic encryption algorithm, g4 = g3^ask, and ask is a private key of the additive homomorphic encryption algorithm.
    27. A sender applied to a block chain system, the system comprising the sender and an authenticator, wherein the sender comprises: a processor, a memory, and a transceiver, wherein:
    the processor, the memory and the transceiver are interconnected, the memory for storing a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the data processing method of any of claims 9 to 11.
    28. An authenticator applied to a block chain system, the system comprising a sender and an authenticator, the authenticator comprising: a processor, a memory, and a transceiver, wherein:
    the processor, the memory and the transceiver are interconnected, the memory for storing a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the data processing method of claim 12 or 13.
    29. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to carry out the data processing method according to any one of claims 9-11.
    30. A computer-readable storage medium, characterized in that it stores a computer program comprising program instructions which, when executed by a processor, cause the processor to carry out the data processing method according to any one of claims 12 or 13.
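The flow of claims 1-3 and 5, as an added sketch that is not code from the patent: the sender splits the amount into u-bit parts and encrypts each one, the supervisor decrypts and recombines them, and the input/output difference is checked to encrypt zero. It assumes the exponential ElGamal form C = g3^M * g4^r, B = g3^r (consistent with g4 = g3^ask in claim 2, but the formula itself is garbled on this page); the toy group, the least-significant-first chunk order and all function names are constructed for illustration, and the zero-knowledge proofs are replaced by a private-key check.

```python
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 2**64."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(bits=40):
    """Constructed demo group: safe prime p = 2q + 1, in which 4 has prime order q."""
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G3 = toy_group()   # illustration only; far too small for real use

def keygen():
    """Supervisor key pair: private key ask, public key g4 = g3^ask."""
    ask = secrets.randbelow(Q - 1) + 1
    return ask, pow(G3, ask, P)

def encrypt(m, g4):
    """Assumed form: C = g3^m * g4^r, B = g3^r, with a fresh random r."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G3, m % Q, P) * pow(g4, r, P) % P, pow(G3, r, P)

def add(ct1, ct2):
    """The component-wise product encrypts the sum of the two plaintexts."""
    return ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P

def scale(ct, k):
    """Raising both components to k encrypts k * m (k = -1 negates)."""
    return pow(ct[0], k % Q, P), pow(ct[1], k % Q, P)

def split(M, u, L):
    """Sender: cut M into L parts of u bits, least significant first."""
    if not 0 <= M < 1 << (u * L):
        raise ValueError("amount outside [0, 2^(u*L) - 1]")
    return [(M >> (u * k)) & ((1 << u) - 1) for k in range(L)]

def unmask(ct, ask):
    """Strip the mask with the private key: C / B^ask = g3^m."""
    return ct[0] * pow(ct[1], Q - ask, P) % P

def supervisor_decrypt(cts, ask, u):
    """Recover M from the part ciphertexts; None if a part is outside [0, 2^u - 1]."""
    table = {pow(G3, m, P): m for m in range(1 << u)}   # discrete log by lookup
    chunks = [table.get(unmask(ct, ask)) for ct in cts]
    if None in chunks:
        return None
    return sum(m << (u * k) for k, m in enumerate(chunks))

def combine(cts, u):
    """Homomorphically rebuild a ciphertext of M from the part ciphertexts."""
    total = (1, 1)
    for k, ct in enumerate(cts):
        total = add(total, scale(ct, 1 << (u * k)))
    return total

def encrypts_zero(ct, ask):
    """Key-holder check standing in for the zero-knowledge proof that ct encrypts 0."""
    return unmask(ct, ask) == 1

def demo(amount=1_000_000, u=8, L=4):
    ask, g4 = keygen()
    out_cts = [encrypt(m, g4) for m in split(amount, u, L)]   # output amount, in parts
    recovered = supervisor_decrypt(out_cts, ask, u)
    in_ct = encrypt(amount, g4)                               # input amount, one ciphertext
    diff = add(in_ct, scale(combine(out_cts, u), -1))         # C' = Enc(input - output)
    # A part equal to 300 does not fit in u = 8 bits: the supervisor's lookup fails,
    # which is the situation the verifier's per-part range check is meant to exclude.
    bad_cts = [encrypt(300, g4)] + out_cts[1:]
    return recovered, encrypts_zero(diff, ask), supervisor_decrypt(bad_cts, ask, u)
```

Decryption here is a discrete-log lookup over 2^u candidate values, so it stays practical only for small u.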
CN201880092481.XA 2018-04-26 2018-04-26 Data processing method, related device and block chain system Pending CN111989891A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SG2018/050200 WO2019209168A2 (en) 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system

Publications (1)

Publication Number Publication Date
CN111989891A true CN111989891A (en) 2020-11-24

Family

ID=68295255

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880092481.XA Pending CN111989891A (en) 2018-04-26 2018-04-26 Data processing method, related device and block chain system

Country Status (2)

Country Link
CN (1) CN111989891A (en)
WO (1) WO2019209168A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112418857A (en) * 2020-11-30 2021-02-26 北京八分量信息科技有限公司 UTXO model-based hidden transaction method and device and related product
CN112819465A (en) * 2021-01-28 2021-05-18 武汉天喻聚联科技有限公司 Elgamal-based homomorphic encryption method and application system
CN116432204A (en) * 2023-04-20 2023-07-14 兰州理工大学 Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof
US11943360B2 (en) 2021-06-22 2024-03-26 International Business Machines Corporation Generative cryptogram for blockchain data management

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109359971B (en) 2018-08-06 2020-05-05 阿里巴巴集团控股有限公司 Block chain transaction method and device and electronic equipment
CN112651740A (en) * 2018-08-30 2021-04-13 创新先进技术有限公司 Block chain transaction method and device and electronic equipment
JP6871380B2 (en) 2018-12-29 2021-05-12 アドバンスド ニュー テクノロジーズ カンパニー リミテッド Information protection systems and methods
CN111161075B (en) * 2019-12-31 2024-04-05 深圳市迅雷网络技术有限公司 Blockchain transaction data proving and supervising method, system and related equipment
CN111355578B (en) * 2020-03-16 2023-04-11 麦希科技(北京)有限公司 Public key encryption and decryption method and system with double monitoring parties
CN111429138A (en) * 2020-03-25 2020-07-17 中国工商银行股份有限公司 Block link point data safety interaction method and first interaction node
CN111931209B (en) * 2020-08-18 2024-03-22 金网络(北京)数字科技有限公司 Contract information verification method and device based on zero knowledge proof
CN112734423A (en) * 2020-12-31 2021-04-30 杭州趣链科技有限公司 Transaction method based on block chain and terminal equipment
CN114257366B (en) * 2021-12-20 2024-04-12 成都卫士通信息产业股份有限公司 Information homomorphic processing method, device, equipment and computer readable storage medium
CN117353890A (en) * 2022-06-29 2024-01-05 中兴通讯股份有限公司 Data processing method, apparatus, computer apparatus, and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160358165A1 (en) * 2015-06-08 2016-12-08 Blockstream Corporation Cryptographically concealing amounts transacted on a ledger while preserving a network's ability to verify the transaction
CN106911470A (en) * 2017-01-23 2017-06-30 北京航空航天大学 A kind of bit coin transaction privacy Enhancement Method
CN107317666A (en) * 2017-05-25 2017-11-03 南京邮电大学 A kind of parallel full homomorphism encipher-decipher method for supporting floating-point operation
CN108021821A (en) * 2017-11-28 2018-05-11 北京航空航天大学 Multicenter block chain transaction intimacy protection system and method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9613292B1 (en) * 2012-01-26 2017-04-04 Hrl Laboratories, Llc Secure multi-dimensional pattern matching for secure search and recognition
WO2017107047A1 (en) * 2015-12-22 2017-06-29 华为技术有限公司 User attribute matching method and terminal
CN106549749B (en) * 2016-12-06 2019-12-24 杭州趣链科技有限公司 Block chain privacy protection method based on addition homomorphic encryption

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112418857A (en) * 2020-11-30 2021-02-26 北京八分量信息科技有限公司 UTXO model-based hidden transaction method and device and related product
CN112418857B (en) * 2020-11-30 2023-06-30 北京八分量信息科技有限公司 Hidden transaction method and device based on UTXO model and related products
CN112819465A (en) * 2021-01-28 2021-05-18 武汉天喻聚联科技有限公司 Elgamal-based homomorphic encryption method and application system
CN112819465B (en) * 2021-01-28 2023-08-15 武汉天喻聚联科技有限公司 Homomorphic encryption method and application system based on Elgamal
US11943360B2 (en) 2021-06-22 2024-03-26 International Business Machines Corporation Generative cryptogram for blockchain data management
CN116432204A (en) * 2023-04-20 2023-07-14 兰州理工大学 Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof
CN116432204B (en) * 2023-04-20 2023-11-17 兰州理工大学 Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof

Also Published As

Publication number Publication date
WO2019209168A2 (en) 2019-10-31
WO2019209168A3 (en) 2019-12-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination