CN112765668B - Zero-knowledge proof privacy protection method, system, storage medium and equipment - Google Patents

Info

Publication number: CN112765668B
Application number: CN202110132123.0A
Authority: CN (China)
Prior art keywords: calculating, modulo, proof, equal, mod
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112765668A
Inventors: 付铭, 谢朝阳, 马立川, 刘明哲, 裴庆祺, 袁昊, 张锐
Current assignee: Xi'an Lianrong Technology Co ltd; Xidian University
Original assignee: Xi'an Lianrong Technology Co ltd; Xidian University
Application filed by Xi'an Lianrong Technology Co ltd, Xidian University
Priority to CN202110132123.0A
Publication of CN112765668A
Application granted
Publication of CN112765668B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention belongs to the technical field of privacy protection and discloses a zero-knowledge proof privacy protection method, system, storage medium and equipment. The method comprises four proof processes: a balance proof, which proves that the sender's total consumption amount equals the sum of the sending amount and the change amount; a format-correctness proof, which proves that a commitment has the standard commitment format; a range proof, which proves that the sender's total consumption amount, sending amount and change amount are all greater than zero; and an equality proof, which proves that the plaintext corresponding to a ciphertext equals the plaintext corresponding to a commitment. Three roles are assumed in the transaction scenario: a sender, a receiver and a supervisor. The invention provides a zero-knowledge proof privacy protection method, system, storage medium and equipment for an anonymous transaction system that operates under the supervision of a supervising party; it can effectively address the problem of enterprises excessively collecting and abusing large amounts of user privacy data, supervise the leakage of user privacy, and ensure the privacy and security of users.

Description

Zero-knowledge proof privacy protection method, system, storage medium and equipment
Technical Field
The invention belongs to the technical field of privacy protection, and particularly relates to a zero-knowledge proof privacy protection method, a zero-knowledge proof privacy protection system, a storage medium and a device.
Background
Currently, in practical applications, the protection of user privacy by e-commerce enterprises still has problems: (1) User privacy data is collected heavily and excessively by e-commerce enterprises. There are clear rules on how network operators may collect and use personal information, but existing laws and regulations contain no corresponding rules on how the information may be used and who bears responsibility for it. On the supervision side, government information systems and websites are currently required to establish a security level protection system, with a regular inspection and reminder mechanism for security vulnerabilities, but there are no security standard requirements for non-government websites and systems. Enterprises collect user information largely to verify user identity and to better grasp market trends by analysing transaction data. However, big-data price discrimination against existing customers is rampant and personalised recommendation is seen everywhere, which directly or indirectly damages the interests of users. Therefore, when e-commerce enterprises operate in the market, the problem of enterprises excessively collecting large amounts of user privacy data and abusing it needs to be solved, and the privacy and security of users must be ensured. (2) Private data leakage events occur frequently in e-commerce enterprises. Consumers' personal information is gradually becoming an important resource, which has generated vicious competition in the industry, and the information of consumers and customers has become an unfair competitive tool for many merchants.
All departments and organisations that collect personal information have a responsibility, both moral and legal, to protect citizens' personal information. When citizens, including primary and secondary school students, provide their personal information to the relevant departments and organisations, they do not agree that it may be passed on to other departments and organisations as a commercial resource; yet if citizens' personal information leaks from these departments and organisations, it is difficult to hold them accountable.
Through the above analysis, the problems and defects of the prior art are as follows:
(1) The excessive collection and use behaviors of the e-commerce enterprises on the user information cannot be effectively monitored.
(2) The privacy leakage condition of the user cannot be effectively supervised.
The difficulty in solving the above problems and defects is as follows: once an e-commerce enterprise has acquired a user's private information, the information can be copied and backed up many times, so under manual supervision the user's private information cannot be effectively supervised. Information is a static carrier; it cannot by itself judge or respond to any external behaviour. Once a user's private data leaks, the existence of underground cybercrime networks allows the leaked information to be sold and abused, causing trouble for the user, and leaked information cannot be erased. The difficulty lies in how to ensure that a trusted government party can supervise and verify the validity and authenticity of the data while government, enterprises and other parties cannot obtain the plaintext of the data.
The significance of solving these problems and defects is as follows: the method can be applied across a wide range of e-commerce applications to protect user privacy. In the current era of rapid development of information technology, advanced data acquisition and transmission technologies such as 5G and the Internet of Things will bring data streams of richer content, stronger timeliness and larger volume, in which countless pieces of private data are wrapped. In this flood of data, whether an individual user wants to enjoy services safely or an enterprise wants to explore an emerging business model, implementing privacy protection is essential. Combining blockchain trust exchange networks with privacy protection allows the value in data to be analysed, understood and explored legally and collaboratively while its risks are avoided; at the small scale this may trigger a new round of explosive growth in the information industry, and at the large scale it may bring human society into the information era ahead of time. In this process, the development of privacy protection technology is the key to balancing value gains against privacy risks and achieving Pareto-optimal, sustainable development.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a zero-knowledge proof privacy protection method, system, storage medium and equipment, and in particular relates to an anonymous transaction system under conditions in which a supervisor can supervise it.
The invention is realised as follows: a zero-knowledge proof privacy protection method, which includes four proof processes, namely a balance proof, a format-correctness proof, a range proof and an equality proof; three roles, a sender, a receiver and a supervisor, are assumed in the transaction scenario.
Further, the four proof processes of the zero-knowledge proof privacy protection method include:
(1) Accounting balance proof: proving that the total consumption amount of the sender equals the sum of the sending amount and the change amount;
(2) Format-correctness proof: proving that the commitment format is the standard commitment format;
(3) Range proof: proving that the total consumption amount, the sending amount and the change amount of the sender are all greater than zero;
(4) Equality proof: proving that the plaintext corresponding to the ciphertext equals the plaintext corresponding to the commitment.
Further, the zero-knowledge proof privacy protection method defines three roles, including:
(1) The sender: sends a quantity of property to the receiver, i.e. sends out the transaction amount;
(2) The receiver: receives the sent quantity of property from the sender, i.e. receives the transaction amount;
(3) The supervisor: can verify the validity and authenticity of the transaction from the transaction data.
Further, the zero-knowledge proof privacy protection method further includes user registration, including:
(1) A sender locally generates a public and private key, and the public key is externally disclosed;
(2) The receiving party locally generates a public and private key, and the public key is externally disclosed;
(3) The supervisor locally generates a public and private key, and the public key is externally disclosed.
Further, in the zero-knowledge proof privacy protection method, the method by which the sender calculates the transaction disclosure data with the zero-knowledge proof privacy protection algorithm includes:
(1) Generating an accounting balance proof bp;
(2) Generating a format-correctness proof fp;
(3) Generating a range proof rp;
(4) Generating an equality proof ep;
(5) Generating a supervision encryption field e.
Further, the zero-knowledge proof privacy protection method further includes the step of sending a transaction, including:
(1) The sender sends the transaction disclosure data to the receiver;
(2) The receiving party verifies the zero knowledge proof after receiving the transaction;
(3) The supervisor verifies the ciphertext e;
(4) If the transaction passes the verification, the transaction is stored and validated.
Further, in the zero-knowledge proof privacy protection method, the step in which the sender, the receiver and the supervisor each generate public and private keys includes:
(1) The public key of the sender pub_S = {G1, G2, H, P}, and the private key priv_S = {X};
(2) The public key of the receiver pub_R = {G1, G2, H, P}, and the private key priv_R = {X};
(3) The public key of the supervisor pub_G = {G1, G2, H, P}, and the private key priv_G = {X}.
Further, the sender generates his own total property, and issues commitments, together with their random numbers, to the amount of property sent and to the change property.
Further, the sender generates the accounting balance proof, comprising:
the sender uses pub_S, the transfer amount v_s and its commitment random number r_s, the change amount v_r and its commitment random number r_r, and the commitment random number r_o of the total amount, to generate the accounting balance proof bp; the generation of the accounting balance proof includes:
(1) Taking the public key field P of the sender, calculating P-1 as P_1
(2) Taking the Unix timestamp of the system, and generating a random number rnd with the time as seed
(3) Taking the public key field P of the sender, calculating P-4 as limit
(4) Calculating limit^5 as limit_5
(5) Using rnd as seed, generating a random number mix less than limit
(6) Calculating (mix modulo limit) + 2 as a, and calculating mix/limit as mix
(7) Calculating (mix modulo limit) + 2 as b, and calculating mix/limit as mix
(8) Calculating (mix modulo limit) + 2 as d, and calculating mix/limit as mix
(9) Calculating (mix modulo limit) + 2 as e, and calculating mix/limit as mix
(10) Calculating (mix modulo limit) + 2 as f, and calculating mix/limit as mix
(11) Taking the public key field G1 of the sender, calculating G1^a modulo P as g1a
(12) Taking the public key field H of the sender, calculating H^b modulo P as hb
(13) Calculating g1a × hb modulo P as t1_P
(14) Taking the public key field G1 of the sender, calculating G1^d modulo P as g1d
(15) Taking the public key field H of the sender, calculating H^e modulo P as he
(16) Calculating g1d × he modulo P as t2_P
(17) Calculating a + d modulo P_1 as ad
(18) Taking the public key field G1 of the sender, calculating G1^ad modulo P as g1ad
(19) Taking the public key field H of the sender, calculating H^f modulo P as hf
(20) Calculating g1ad × hf modulo P as t3_P
(21) After concatenating t1_P, t2_P and t3_P, calculating the hash value modulo P as c
(22) Calculating P_1 - (c × v_r (mod P_1)) + a modulo P_1 as R_v
(23) Calculating P_1 - (c × r_r (mod P_1)) + b modulo P_1 as R_r
(24) Calculating P_1 - (c × v_s (mod P_1)) + d modulo P_1 as S_v
(25) Calculating P_1 - (c × r_s (mod P_1)) + e modulo P_1 as S_r
(26) Calculating P_1 - (c × r_o (mod P_1)) + f modulo P_1 as S_or
(27) bp = {c, R_v, R_r, S_v, S_r, S_or} is the accounting balance proof.
Further, the generation of the format-correctness proof by the sender includes:
the sender uses pub_S, the amount v and the commitment random number r of the amount v to generate the format-correctness proof fp; the generation of the format-correctness proof includes the following steps:
(1) Taking the public key field P of the sender, calculating P-1 as P_1
(2) Taking the Unix timestamp of the system, and generating a random number rnd_a with the time as seed
(3) Generating a random number rnd_b with rnd_a as seed
(4) Taking the public key field P of the sender, calculating P-4 as limit
(5) Using rnd_a as seed, generating a random number a less than limit
(6) Calculating a + 2 as a
(7) Using rnd_b as seed, generating a random number b less than limit
(8) Calculating b + 2 as b
(9) Calculating G1^a modulo P as g1a
(10) Calculating H^b modulo P as hb
(11) Calculating g1a × hb modulo P as t1_P
(12) Calculating G2^b modulo P as t2_P
(13) After concatenating t1_P and t2_P, calculating the hash value modulo P as c
(14) Calculating P_1 - v × c modulo P_1 as vc
(15) Calculating a + vc modulo P_1 as z1
(16) Calculating P_1 - r × c modulo P_1 as r1c
(17) Calculating b + r1c modulo P_1 as z2
(18) fp = {c, z1, z2} is the format-correctness proof.
Further, the sender generates the equality proof, comprising:
the sender uses pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P}, pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, the commitment C1 = {C1.commitment, C1.r} and the commitment C2 = {C2.commitment, C2.r}, both committing to the amount V, to generate the equality proof ep, including:
(1) Calculating C1.commitment × C2.commitment modulo P as y
(2) Declaring ep = {t, s} as the equality proof result
(3) Let g be an array of length 4 with elements {pub1.G1, pub2.G1, pub1.H, pub2.H}
(4) Let x be an array of length 4 with elements {V, V, C1.r, C2.r}
(5) Let a be an array of length 4 with elements {-1, -1, 0, 0}
(6) Let pub be pub1
(7) Declaring v as an empty array of length 4
(8) Taking the public key field P of the sender, calculating P-1 as P_1
(9) Declaring ssnum as 0
(10) Traversing a; if the traversed value is not 0, adding 1 to ssnum
(11) Generating a list rbi of n random numbers with pub as seed, where n = 4 if ssnum is 0 and otherwise n = 3
(12) Declaring line as 0
(13) Declaring last as 0
(14) Traversing each element of a in turn, letting each traversed value be ai:
If ai equals 0, let v[i] be rbi[line], and add 1 to line
If ai is not equal to 0, perform the following judgement and steps:
If ssnum equals 1, let v[i] be last × (ai mod P_1) modulo P_1, and add 1 to ssnum
If ssnum is not equal to 1, let v[i] be rbi[line], add 1 to line, subtract 1 from ssnum, and let last be (last - ai × v[i]) modulo P_1
(15) Declaring t equal to 1
(16) Declaring c_hash as an empty array
(17) Traversing g, letting each traversed value be gi; in the i-th iteration, performing the following steps:
Calculating (gi^v[i]) modulo P and assigning it to a new variable Gi
Let t equal (t × Gi) modulo P
Adding gi to c_hash
(18) Adding y to c_hash
(19) Adding t to c_hash
(20) Calculating the hash of c_hash as c
(21) Calculating c modulo P as c_bi
(22) Traversing v, obtaining a value vi in each traversal, and executing the following steps in the i-th iteration:
Calculating (vi - c_bi × x[i]) modulo P_1 as mash
Adding mash to ep.s
(23) ep.t = t
(24) ep is the generated equality proof.
Further, the sender generates the range proof, which includes:
the sender uses the amount v, the commitment C = {C.commit, C.r} and the sender public key pub_S = {G1, G2, H, P}; the generation of the range proof rp includes:
(1) Taking the public key field P of the sender, calculating P-1 as P_1
(2) Converting v to binary and storing it in aL, with the low bits of the binary at the low indices of aL
(3) Declaring aR as an array of length limit
(4) Looping limit times; in the i-th loop, calculating (aL[i] - 1) modulo P_1 as aR[i]
(5) Randomly generating a random number array mix of length 4 × (limit + 1)
(6) Taking the first element of mix, the element with index 0, as alpha
(7) Taking the second element of mix, the element with index 1, as rou
(8) Randomly generating six random numbers as sL, sR, tao1, tao2, g and h
(9) Calculating H^alpha modulo P as A
(10) Calculating H^rou modulo P as S
(11) Looping limit times; in the i-th loop, performing the following operations in sequence:
Calculating g[i]^aL[i] modulo P as gaL
Calculating h[i]^aR[i] modulo P as haR
Calculating g[i]^sL[i] modulo P as gsL
Calculating h[i]^sR[i] modulo P as hsR
Calculating A × gaL × haR modulo P as A
Calculating S × gsL × hsR modulo P as S
(12) Declaring an array AS of length 2 with elements {A, S}
(13) Taking the hash of the array AS as y_bytes
(14) Declaring an array ASy of length 2 with elements {AS, y_bytes}
(15) Taking the hash of the array ASy as z_bytes
(16) Declaring an array ASyz of length 2 with elements {ASy, z_bytes}
(17) Taking the hash of the array ASyz as x_bytes
(18) Calculating x_bytes modulo P_1 as x
(19) Calculating y_bytes modulo P_1 as y
(20) Calculating z_bytes modulo P_1 as z
(21) Declaring l and r as empty arrays of length limit
(22) Let tv equal 0
(23) Let t1 equal 0
(24) Let t2 equal 0
(25) Let n2 equal 1
(26) Let ny equal 1
(27) Looping limit times; in the i-th loop, performing the following operations in sequence:
Calculating aL[i] - z as aLz
Calculating sL[i] × x as sLx
Calculating (aLz + sLx) modulo P as l[i]
Calculating the value of z^2 modulo P_1 multiplied by n2 as z2n
Calculating aR[i] + z as arz
Calculating ((arz + sR[i] × x) mod P_1) × ny + z2n modulo P_1 as r[i]
Calculating l[i] × r[i] as lr
Calculating tv + lr modulo P_1 as tv
Calculating ny × sR[i] modulo P_1 as ysR
Calculating aLz × ysR modulo P_1 as aLzysR
Calculating ((ny × arz + z2n) mod P_1) × sL[i] as n2nyaRzsl
Calculating t1 + ((aLzysR + n2nyaRzsl) mod P_1) as t1
Calculating t2 + sL[i] × ysR modulo P_1 as t2
Calculating n2 × 2 modulo P_1 as n2
Calculating ny × y modulo P_1 as ny
(28) Calculating (G1^t1 mod P) × (H^tao1 mod P) modulo P as T1
(29) Calculating (G1^t2 mod P) × (H^tao2 mod P) modulo P as T2
(30) Calculating (x^2 mod P_1) × tao2 as x2tao2
(31) Calculating (z^2 mod P_1) × C.r as z2gamma
(32) Calculating x2tao2 + x × tao1 + z2gamma modulo P_1 as tao_x
(33) Calculating rou × x + alpha modulo P_1 as miu
(34) Let n equal limit
(35) rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h} is the range proof.
Further, the sender encrypts the content that requires supervision, including the private information of the sender and the receiver and the transaction data, with the public key of the supervisor to generate the ciphertext e.
Further, the receiver verifies the accounting balance proof, including:
the receiver uses the change commitment CM_R, the transfer commitment CM_S, the total commitment CM_O, the public key pub = {G1, G2, H, P} and the accounting balance proof bp = {c, R_v, R_r, S_v, S_r, S_or}; the verification includes:
(1) Calculating G1^R_v modulo P as g1rv
(2) Calculating H^R_r modulo P as hrr
(3) Calculating CM_R^c modulo P as cmrc
(4) Calculating (g1rv × hrr (mod P)) × cmrc modulo P as t1_v
(5) Calculating G1^S_v modulo P as g1sv
(6) Calculating H^S_r modulo P as hsr
(7) Calculating CM_S^c modulo P as cmsc
(8) Calculating (g1sv × hsr (mod P)) × cmsc modulo P as t2_v
(9) Calculating R_v + S_v as rvsv
(10) Calculating G1^rvsv modulo P as g1rvsv
(11) Calculating H^S_or modulo P as hsor
(12) Calculating CM_O^c modulo P as cmoc
(13) Calculating (g1rvsv × hsor (mod P)) × cmoc modulo P as t3_v
(14) After concatenating t1_v, t2_v and t3_v, calculating the hash value of the concatenation modulo P as c_v
(15) Judging whether c_v is equal to c (i.e. whether c_v - c is 0); if so, the verification passes, otherwise it fails.
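The prover's steps (1) to (27) and the receiver's steps (1) to (15) together form a single Schnorr-style proof over three Pedersen commitments, made non-interactive with a hash challenge. The following Python is an added worked example for this page, not code from the patent: it implements both sides with constructed toy parameters (P = 2^127 - 1, G1 = 3, H = 7, SHA-256 as the hash) so that the cancellation in t3_v can be seen end to end. Two points are deliberately not taken from the text and are marked in the code: the nonces a, b, d, e, f come from the operating system's CSPRNG rather than from a timestamp-seeded generator, and the final check compares the recomputed challenge c_v with the proof's c.

```python
import hashlib
import secrets

# Constructed toy parameters for this example (not values from the patent):
# P stands in for the public key field P, G1 and H for the fields of the same
# names in pub_S. Exponents are reduced modulo P_1 = P - 1 (steps 1, 17, 22-26).
P = 2**127 - 1
P_1 = P - 1
G1 = 3
H = 7


def commit(v: int, r: int) -> int:
    """Pedersen commitment G1^v * H^r mod P; CM_R, CM_S and CM_O have this form."""
    return pow(G1, v, P) * pow(H, r, P) % P


def challenge(*elements: int) -> int:
    """Steps (21) and (14): concatenate the group elements, hash, reduce modulo P."""
    data = b"".join(x.to_bytes(16, "big") for x in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def nonce() -> int:
    """A value in [2, P-3], the range of (mix mod limit) + 2 in steps (3)-(10).
    Drawn from the OS CSPRNG instead of a timestamp-seeded generator: a
    predictable nonce lets anyone solve the response for the committed secret."""
    return secrets.randbelow(P - 4) + 2


def prove_balance(v_s, r_s, v_r, r_r, r_o):
    """Prover steps (1)-(27). Returns bp = {c, R_v, R_r, S_v, S_r, S_or}."""
    a, b, d, e, f = (nonce() for _ in range(5))
    t1_P = pow(G1, a, P) * pow(H, b, P) % P           # steps 11-13
    t2_P = pow(G1, d, P) * pow(H, e, P) % P           # steps 14-16
    ad = (a + d) % P_1                                 # step 17
    t3_P = pow(G1, ad, P) * pow(H, f, P) % P          # steps 18-20
    c = challenge(t1_P, t2_P, t3_P)                    # step 21
    # Steps 22-26: response = nonce - c * secret (mod P-1), written as in the text.
    return {
        "c": c,
        "R_v": (P_1 - (c * v_r % P_1) + a) % P_1,
        "R_r": (P_1 - (c * r_r % P_1) + b) % P_1,
        "S_v": (P_1 - (c * v_s % P_1) + d) % P_1,
        "S_r": (P_1 - (c * r_s % P_1) + e) % P_1,
        "S_or": (P_1 - (c * r_o % P_1) + f) % P_1,
    }


def verify_balance(CM_R, CM_S, CM_O, bp) -> bool:
    """Receiver steps (1)-(15). t1_v and t2_v always rebuild t1_P and t2_P;
    t3_v rebuilds t3_P only if v_o == v_s + v_r, because the amount terms in
    the exponent of G1 cancel exactly when the commitments balance."""
    c = bp["c"]
    t1_v = pow(G1, bp["R_v"], P) * pow(H, bp["R_r"], P) % P * pow(CM_R, c, P) % P
    t2_v = pow(G1, bp["S_v"], P) * pow(H, bp["S_r"], P) % P * pow(CM_S, c, P) % P
    rvsv = bp["R_v"] + bp["S_v"]                                       # step 9
    t3_v = pow(G1, rvsv, P) * pow(H, bp["S_or"], P) % P * pow(CM_O, c, P) % P
    c_v = challenge(t1_v, t2_v, t3_v)                                  # step 14
    return c_v == c


def run_example(v_s: int, v_r: int, v_o: int) -> bool:
    """The sender commits to transfer v_s, change v_r and total v_o with fresh
    randomness and proves balance; the receiver verifies against the three
    commitments alone, never seeing the amounts or the randomness."""
    r_s, r_r, r_o = (secrets.randbelow(P_1) for _ in range(3))
    CM_S, CM_R, CM_O = commit(v_s, r_s), commit(v_r, r_r), commit(v_o, r_o)
    bp = prove_balance(v_s, r_s, v_r, r_r, r_o)
    return verify_balance(CM_R, CM_S, CM_O, bp)


if __name__ == "__main__":
    print("balanced   :", run_example(60, 40, 100))
    print("unbalanced :", run_example(60, 40, 101))
```

Two things are worth noticing when running it. First, verification needs only the commitments and bp, which is the point of the construction: the receiver learns that the amounts balance without learning any of them. Second, a total that is off by one fails, because t3_v then differs from t3_P by a factor G1^c and the recomputed hash no longer matches; tampering with any single response field fails the same way.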
Further, the verification of the format-correctness proof by the receiver includes:
the receiver uses the public key pub = {G1, G2, H, P}, the ciphertext C = {c1, c2} obtained by encrypting the content with the public key pub, and the format-correctness proof fp = {c, z1, z2}; the verification includes:
(1) Calculating c2^c modulo P as c1c
(2) Calculating G1^z1 modulo P as g1z1
(3) Calculating H^z2 modulo P as hz2
(4) Calculating c1c × g1z1 modulo P as c1c
(5) Calculating c1c × hz2 modulo P as t1_v
(6) Calculating c1^c modulo P as c2c
(7) Calculating G2^z2 modulo P as g2z2
(8) Calculating c2c × g2z2 modulo P as t2_v
(9) After concatenating t1_v and t2_v, calculating the hash value modulo P as c_v
(10) Judging whether c_v is equal to c (i.e. whether c_v - c is 0); if so, the verification passes, otherwise it fails.
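The verification arithmetic above (t1_v = c2^c × G1^z1 × H^z2 and t2_v = c1^c × G2^z2) pins down what "standard commitment format" means for the ciphertext: the two checks reproduce the prover's t1_P and t2_P exactly when c2 = G1^v × H^r and c1 = G2^r share the same randomness r. The Python below is an added example for this page, not the patent's code; it builds such a ciphertext, runs the prover's steps (1) to (18) and the receiver's steps (1) to (10), and shows a ciphertext whose c1 uses different randomness failing. It assumes H = G2^X for the private key X (the text lists only pub = {G1, G2, H, P} and priv = {X}), which is what lets the holder of X open c2, and it uses a CSPRNG for a and b instead of a timestamp seed; all parameter values are constructed.

```python
import hashlib
import secrets

# Constructed toy parameters (not from the patent). The relation H = G2^X is an
# assumption made for this example so that the holder of priv = {X} can open
# the ciphertext; the text itself only names the fields pub = {G1, G2, H, P}.
P = 2**127 - 1
P_1 = P - 1
G1, G2 = 3, 5
X = 0x5EC2E7DEADBEEF          # constructed private key
H = pow(G2, X, P)


def challenge(*elements: int) -> int:
    """Steps (13) and (9): hash of the concatenated elements, reduced modulo P."""
    data = b"".join(x.to_bytes(16, "big") for x in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def encrypt(v: int, r: int):
    """Ciphertext C = (c1, c2) in the format the proof certifies: c2 is the
    standard commitment G1^v * H^r and c1 = G2^r carries the same r."""
    return pow(G2, r, P), pow(G1, v, P) * pow(H, r, P) % P


def prove_format(v: int, r: int):
    """Prover steps (1)-(18). Returns fp = {c, z1, z2}."""
    a = secrets.randbelow(P - 4) + 2              # steps 4-6, CSPRNG instead of time seed
    b = secrets.randbelow(P - 4) + 2              # steps 7-8
    t1_P = pow(G1, a, P) * pow(H, b, P) % P       # steps 9-11
    t2_P = pow(G2, b, P)                          # step 12
    c = challenge(t1_P, t2_P)                     # step 13
    z1 = (a + (P_1 - v * c % P_1)) % P_1          # steps 14-15: a - v*c (mod P-1)
    z2 = (b + (P_1 - r * c % P_1)) % P_1          # steps 16-17: b - r*c (mod P-1)
    return {"c": c, "z1": z1, "z2": z2}


def verify_format(C, fp) -> bool:
    """Receiver steps (1)-(10). The c*v and c*r terms cancel in the exponents
    only if c2 and c1 were built from the same v and r the prover used."""
    c1, c2 = C
    c = fp["c"]
    t1_v = pow(c2, c, P) * pow(G1, fp["z1"], P) % P * pow(H, fp["z2"], P) % P
    t2_v = pow(c1, c, P) * pow(G2, fp["z2"], P) % P
    return challenge(t1_v, t2_v) == c


def open_with_private_key(C) -> int:
    """Under the H = G2^X assumption, c2 / c1^X = G1^v: the key holder recovers
    the group encoding of the committed amount (and v itself when v is small)."""
    c1, c2 = C
    return c2 * pow(pow(c1, X, P), -1, P) % P


def run_example(v: int, malformed: bool = False) -> bool:
    """Encrypt v, prove format correctness, verify. With malformed=True the c1
    component is rebuilt from different randomness, so c2 is no longer a
    standard commitment relative to c1 and the proof must fail."""
    r = secrets.randbelow(P_1)
    c1, c2 = encrypt(v, r)
    if malformed:
        c1 = pow(G2, (r + 1) % P_1, P)
    fp = prove_format(v, r)
    return verify_format((c1, c2), fp)


if __name__ == "__main__":
    print("well-formed:", run_example(250))
    print("malformed  :", run_example(250, malformed=True))
```

The format proof is what makes the rest of the scheme meaningful: the balance and range proofs argue about commitments, and this proof is what ties each commitment to the ciphertext the supervisor can open, so a sender cannot commit to one amount and encrypt another.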
Further, the receiver uses the public keys pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P} and pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, the ciphertext C1 = {C1.c1, C1.c2}, the ciphertext C2 = {C2.c1, C2.c2} and the equality proof ep = {s, t} to verify the equality proof, including:
(1) Taking the public key field P of the receiver, calculating C1 × C2 modulo P as y
(2) Let g be an array of length 4 filled with {pub1.G1, pub2.G1, pub1.H, pub2.H}
(3) Let pub_S be renamed pub
(4) Let a be an array of length 4 filled with {1, -1, 0, 0}
(5) Declaring b equal to 0
(6) Taking the public key field P of the receiver, calculating P-1 as P_1
(7) Declaring c_hash as an unbounded array
(8) Traversing g, letting each traversed value be gi, and adding gi to c_hash in each iteration
(9) Adding y and ep.t to c_hash in sequence
(10) Calculating the hash value of c_hash as c
(11) Calculating c modulo P as c_bi
(12) Let the new variable t_verify be y
(13) Calculating t_verify^c_bi modulo P as t_verify
(14) Traversing g, letting each traversed value be gi, and executing the following steps in the i-th iteration:
Calculating gi^ep.s[i] modulo P as buf
Calculating t_verify × buf modulo P as t_verify
(15) Judging whether t_verify is equal to ep.t; if so, continuing with the following steps, otherwise the verification fails and the flow terminates
(16) Calculating -c_bi × b as cb
(17) Declaring a new variable mix equal to 0
(18) Traversing a, letting each traversed value be ai:
Calculating ai × ep.s[i] modulo P_1 as aisi
Calculating mix + aisi modulo P_1 as mix
(19) Judging whether mix is equal to cb; if so, the verification succeeds, otherwise it fails.
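The equality proof, as generated in the sender's steps (1) to (24) and checked in the receiver's steps (1) to (19), is a proof of knowledge of a representation y = Π g[i]^x[i] subject to a linear relation Σ a[i]·x[i] = b: the nonces are chosen so that Σ a[i]·v[i] = 0, and the verifier's second check Σ a[i]·s[i] = -c·b then holds exactly when the secrets satisfy the relation. With g = {pub1.G1, pub2.G1, pub1.H, pub2.H}, x = {V, V, C1.r, C2.r}, a = {1, -1, 0, 0} and b = 0 the relation is x[0] = x[1], that is, both commitments hold the same amount. The Python below is an added example written for this page, not the patent's code; it implements that general form (the inverse of a[last] replaces the text's multiplication by ai, which coincides with it for a[i] = ±1) and uses a = {1, -1, 0, 0} on both sides, as the verifier's step (4) lists. The moduli, generators and amounts are constructed, and both parties are assumed to share one P.

```python
import hashlib
import secrets

# Constructed toy parameters (not from the patent). Both parties share the
# modulus P; each has its own pub = {G1, G2, H, P}, of which the proof uses
# only the G1 and H fields.
P = 2**127 - 1
P_1 = P - 1
pub1 = {"G1": 3, "H": 7}       # sender's pub_S
pub2 = {"G1": 5, "H": 11}      # receiver's pub_R


def challenge(*elements: int) -> int:
    """Steps (17)-(20) / (8)-(10): hash of the concatenated elements g, y, t."""
    data = b"".join(x.to_bytes(16, "big") for x in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def commit(pub, v: int, r: int) -> int:
    return pow(pub["G1"], v, P) * pow(pub["H"], r, P) % P


def prove_representation(g, x, a, b=0):
    """Prover steps (2)-(24), general form: knowledge of x with
    y = prod g[i]^x[i] (mod P) and sum a[i]*x[i] = b (mod P-1)."""
    n = len(g)
    y = 1
    for gi, xi in zip(g, x):
        y = y * pow(gi, xi, P) % P                                # step 1
    # Steps 9-14: random nonces, except that the last nonce with a[i] != 0 is
    # solved for so that sum a[i]*v[i] == 0 (mod P-1).
    v = [secrets.randbelow(P_1) for _ in range(n)]
    nonzero = [i for i in range(n) if a[i] != 0]
    if nonzero:
        last = nonzero[-1]
        acc = sum(a[i] * v[i] for i in nonzero[:-1]) % P_1
        v[last] = (-acc * pow(a[last] % P_1, -1, P_1)) % P_1
    t = 1
    for gi, vi in zip(g, v):
        t = t * pow(gi, vi, P) % P                                # step 17
    c_bi = challenge(*g, y, t) % P                                # steps 18-21
    s = [(vi - c_bi * xi) % P_1 for vi, xi in zip(v, x)]          # step 22
    return {"t": t, "s": s}, y


def verify_representation(g, y, a, b, ep) -> bool:
    """Receiver steps (7)-(19): rebuild t from y and s, then check the linear
    relation on the responses."""
    c_bi = challenge(*g, y, ep["t"]) % P
    t_verify = pow(y, c_bi, P)                                    # steps 12-13
    for gi, si in zip(g, ep["s"]):
        t_verify = t_verify * pow(gi, si, P) % P                  # step 14
    if t_verify != ep["t"]:                                       # step 15
        return False
    cb = (-c_bi * b) % P_1                                        # step 16
    mix = sum(ai * si for ai, si in zip(a, ep["s"])) % P_1        # steps 17-18
    return mix == cb                                              # step 19


def run_example(V1: int, V2: int) -> bool:
    """C1 commits to V1 under pub_S and C2 to V2 under pub_R; the proof claims
    V1 == V2 without revealing either. y = C1 * C2 mod P as in step (1)."""
    r1, r2 = secrets.randbelow(P_1), secrets.randbelow(P_1)
    g = [pub1["G1"], pub2["G1"], pub1["H"], pub2["H"]]
    x = [V1, V2, r1, r2]
    a = [1, -1, 0, 0]
    ep, y = prove_representation(g, x, a, b=0)
    assert y == commit(pub1, V1, r1) * commit(pub2, V2, r2) % P
    return verify_representation(g, y, a, 0, ep)


if __name__ == "__main__":
    print("same amount     :", run_example(500, 500))
    print("different amount:", run_example(500, 501))
```

When V1 ≠ V2 the first check (t_verify == ep.t) still passes, because the prover knows a valid representation of y; it is the second check that fails, since Σ a[i]·s[i] = -c·(V1 - V2) is then non-zero. Keeping both checks is therefore essential, and the order in the text (representation first, relation second) is the natural one.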
Further, the receiver verifies the range proof, which includes:
the receiver verifies the range proof using the amount v, the ciphertext C = {C1, C2}, the public key pub = {G1, G2, H, P} and the range proof rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h}, including:
(1) Taking the public key field P of the receiver, calculating P-1 as P_1
(2) Taking the public key field P of the receiver, calculating P-2 as P_2
(3) Declaring l, r, g, h as arrays of length n
(4) Let the new variable V equal C2
(5) Let the new variable tv equal 0
(6) Looping n times; in the i-th loop, executing the following step:
Calculating (tv + l[i] × r[i]) modulo P_1 as tv
(7) Declaring an array AS of length 2 with elements {A, S}
(8) Taking the hash of the array AS as y_bytes
(9) Declaring an array ASy of length 2 with elements {AS, y_bytes}
(10) Taking the hash of the array ASy as z_bytes
(11) Declaring an array ASyz of length 2 with elements {ASy, z_bytes}
(12) Taking the hash of the array ASyz as x_bytes
(13) Calculating x_bytes modulo P_1 as x
(14) Calculating y_bytes modulo P_1 as y
(15) Calculating z_bytes modulo P_1 as z
(16) Declaring h_ as an empty array of length n
(17) Calculating y^P_2 modulo P_1 as y_inv
(18) Calculating y^P_1 modulo P as y_2P
(19) Calculating y × y_inv modulo P_1 as vf
(20) Let the new variable y_1 equal 1
(21) Looping n times; in the i-th loop, executing the following steps:
Calculating h[i]^y_1 modulo P as h_[i]
Calculating y_1 × y_inv modulo P_1 as y_1
(22) Calculating H^tao_x modulo P as htaox
(23) Calculating (G1^tv mod P) × htaox modulo P as left
(24) Calculating z^2 modulo P_1 as z2
(25) Calculating z^3 modulo P_1 as z3
(26) Calculating the value of y^rp.n modulo P_1 minus 1 as ny_1
(27) Calculating y - 1 as y_x1
(28) Calculating the inverse of y_x1 modulo P_1 as y_x1
(29) Calculating ny_1 × y_x1 modulo P_1 as ny_1
(30) Calculating z - z2 modulo P_1 as z_z2
(31) Calculating z_z2 × ny_1 as ibx
(32) Calculating 2^rp.n modulo P_1 as n_1_2
(33) Calculating z3 × n_1_2 as z3n12
(34) Calculating ibx - z3n12 as ibx
(35) Calculating pub.G1^ibx modulo P as gibx
(36) Calculating (V^z2 mod P) × gibx modulo P as right
(37) Calculating x^2 as x2
(38) Calculating T1^x modulo P as T1x
(39) Calculating T2^x2 modulo P as T2x2
(40) Calculating (right × T1x mod P) × T2x2 modulo P as right
(41) Judging whether left is equal to right; if so, continuing with the following steps, otherwise the verification fails and the flow terminates
(42) Calculating S^x modulo P as P
(43) Calculating A × P modulo P as P
(44) Declaring the variables gz equal to 1, h_mix equal to 1, n2 equal to 1 and ny equal to 1
(45) Looping n times; in the i-th loop, executing the following steps:
Calculating g[i]^z modulo P as gz_inv
Calculating the inverse of gz_inv modulo P multiplied by gz as gz
Calculating z × ny + z2 × n2 as mix
Calculating h_[i]^mix modulo P as mix
Calculating h_mix × mix modulo P as h_mix
Calculating n2 × 2 modulo P_1 as n2
Calculating ny × y modulo P_1 as ny
(46) Calculating P × gz modulo P as P
(47) Calculating P × h_mix modulo P as P
(48) Calculating H^miu modulo P as P_check
(49) Looping n times; in the i-th loop, executing the following steps:
Calculating g[i]^l[i] modulo P as gl
Calculating h[i]^r[i] modulo P as hr
Calculating P_check × gl modulo P as P_check
Calculating P_check × hr modulo P as P_check
(50) Judging whether P is equal to P_check; if so, the range proof verification passes, otherwise it fails.
Further, the supervisor verifies the ciphertext e, if the verification is passed, the transaction is legal and valid, otherwise, the transaction is considered invalid, and the transaction is discarded.
Another object of the present invention is to provide a zero-knowledge proof privacy protection system using the zero-knowledge proof privacy protection method, the zero-knowledge proof privacy protection system including:
the accounting balance proving module is used for proving that the total consumption amount of the sender is equal to the sending amount and the change amount;
the format correct proving module is used for proving that the commitment format is a standard commitment format;
the range proving module is used for proving that the total consumption amount, the sending amount and the change amount of the sender are all larger than zero;
and the equal proving module is used for proving that the plaintext corresponding to the ciphertext is equal to the plaintext corresponding to the commitment.
It is another object of the present invention to provide a computer program product stored on a computer readable medium, comprising a computer readable program for providing a user input interface to implement the zero-knowledge proof privacy preserving method when executed on an electronic device.
It is another object of the present invention to provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the zero-knowledge proof privacy protection method.
Combining all the above technical schemes, the invention has the following advantages and positive effects: the invention provides a zero-knowledge proof privacy protection method, a zero-knowledge proof privacy protection system, a storage medium and a piece of equipment, relates to an anonymous transaction system under the supervision of a supervising party, can effectively solve the problem of enterprises excessively collecting large amounts of user privacy data and abusing them, effectively supervises the privacy leakage situation of users, and ensures the privacy and security of users.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a zero-knowledge proof privacy protection method according to an embodiment of the present invention.
FIG. 2 is a block diagram of a zero knowledge proof privacy protection system provided by an embodiment of the invention;
in the figure: 1. an accounting balance certification module; 2. a format correct proof module; 3. a range attestation module; 4. an equality proving module.
Fig. 3 is a schematic diagram of a method for user registration according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a method for a sender to calculate transaction disclosure data by a zero-knowledge proof privacy protection algorithm according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of a method for sending a transaction according to an embodiment of the present invention.
Fig. 6 shows all the generated proof fields and encrypted fields provided by the embodiment of the present invention; all users can verify the correctness of the zero-knowledge proofs, and the supervisor can decrypt and obtain the plaintext of the private data.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
In view of the problems in the prior art, the present invention provides a method, system, storage medium, and device for protecting privacy of zero-knowledge proof, which are described in detail below with reference to the accompanying drawings.
The zero-knowledge proof privacy protection method provided by the embodiment of the invention comprises four proof processes, namely a balance proof, a correct format proof, a range proof and an equal proof; three roles including a sending party, a receiving party and a monitoring party are assumed in a transaction scene.
As shown in fig. 1, the method for protecting privacy with zero knowledge proof provided by the embodiment of the present invention includes the following steps:
S101, accounting balance proof: proving that the total consumption amount of the sender is equal to the sending amount plus the change amount;
S102, format correctness proof: proving that the commitment format is a standard commitment format;
S103, range proof: proving that the total consumption amount, the sending amount and the change amount of the sender are all larger than zero;
S104, equality proof: proving that the plaintext corresponding to the ciphertext is equal to the plaintext corresponding to the commitment.
The zero-knowledge proof privacy protection method provided by the embodiment of the invention defines three roles, including:
(1) A sender: sending the property quantity to a receiver and sending out a transaction amount;
(2) The receiving side: receiving a send quantity property from a sender, receiving a transaction amount;
(3) The monitoring party: transaction validity and authenticity may be verified from the transaction.
As shown in fig. 2, the zero-knowledge proof privacy protection system provided by the embodiment of the present invention includes:
the accounting balance proving module 1 is used for proving that the total consumption amount of the sender is equal to the sending amount and the change amount;
the format correct proving module 2 is used for proving that the commitment format is a standard commitment format;
the range proving module 3 is used for proving that the total consumption amount, the sending amount and the change making amount of the sender are all larger than zero;
and the equality proving module 4 is used for proving that the plaintext corresponding to the ciphertext is equal to the plaintext corresponding to the commitment.
The present invention will be further described with reference to the following examples.
Example 1
Aiming at the problems in the prior art, the invention provides a zero-knowledge proof privacy protection scheme.
The scheme has four proving processes and assumes three roles in a transaction scene.
The four proving procedures and effects are respectively as follows:
accounting balance proof: proving that the total consumption amount of the sender is equal to the sending amount plus the change amount;
format correctness proof: proving that the commitment format is a standard commitment format;
range proof: proving that the total consumption amount, the sending amount and the change amount of the sender are all larger than zero;
equality proof: proving that the plaintext corresponding to the ciphertext is equal to the plaintext corresponding to the commitment.
The three roles are defined in turn as:
a sender: sending the property quantity to a receiver and sending out a transaction amount;
the receiving side: receiving a send quantity property from a sender, receiving a transaction amount;
the monitoring party: transaction validity and authenticity may be verified from the transaction.
Further, the sender, the receiver and the supervisor each generate their own public key and private key:
the public key of the sender pub_S = {G1, G2, H, P}, and the private key priv_S = {X};
the public key of the receiver pub_R = {G1, G2, H, P}, and the private key priv_R = {X};
the public key of the supervisor pub_G = {G1, G2, H, P}, and the private key priv_G = {X}.
Further, the sender generates its own total property, and issues commitments and random numbers for the amount of the property and the change property.
Further, the sender generates the accounting balance certificate. The sender uses pub_S, the transfer amount v_s and its commitment random number r_s, the change amount v_r and its commitment random number r_r, and the total-amount commitment random number r_o to generate the accounting balance certificate bp, which comprises the following steps:
(1)P_1=P-1
(2) rnd = rand(time), where time is the current time
(3)limit=P-4
(4)limit_5=limit^5
(5) mix = rand(rnd), with mix < limit
(6)a=(mix mod limit)+2,mix=mix/limit
(7)b=(mix mod limit)+2,mix=mix/limit
(8)d=(mix mod limit)+2,mix=mix/limit
(9)e=(mix mod limit)+2,mix=mix/limit
(10)f=(mix mod limit)+2,mix=mix/limit
(11)g1a=G1^a(mod P)
(12)hb=H^b(mod P)
(13)t1_p=g1a*hb(mod P)
(14)g1d=G1^d(mod P)
(15)he=H^e(mod P)
(16)t2_p=g1d*he(mod P)
(17)ad=a+d(mod P_1)
(18)g1ad=G1^ad(mod P)
(19)hf=H^f(mod P)
(20)t3_p=g1ad*hf(mod P)
(21)c=Hash(t1_p:+t2_p:+t3_p)(mod P)
(22)R_v=(P_1-(c*v_r(mod P_1))+a)mod P_1
(23)R_r=(P_1-(c*r_r(mod P_1))+b)mod P_1
(24)S_v=(P_1-(c*v_s(mod P_1))+d)mod P_1
(25)S_r=(P_1-(c*r_s(mod P_1))+e)mod P_1
(26)S_or=(P_1-(c*r_o(mod P_1))+f)mod P_1
(27) bp = {c, R_v, R_r, S_v, S_r, S_or} is the accounting balance certificate.
Further, the sender generates the format correctness proof. The sender uses pub_S, the amount v and the random number r of the commitment to v to generate the format correctness proof fp, and the generation comprises the following steps:
(1)P_1=P-1
(2)rnd_a=rand(time)
(3)rnd_b=rand(rnd_a)
(4)limit=P-4
(5) a = rand(rnd_a), where a < limit
(6)a=a+2
(7) b = rand(rnd_b), where b < limit
(8)b=b+2
(9)g1a=G1^a(mod P)
(10)hb=H^b(mod P)
(11)t1_p=g1a*hb(mod P)
(12)t2_p=G2^b(mod P)
(13)c=Hash(t1_p:+t2_p)(mod P)
(14)vc=P_1-v*c(mod P_1)
(15)z1=a+vc(mod P_1)
(16)r1c=P_1-r*c(mod P_1)
(17)z2=b+r1c(mod P_1)
(18) fp = { c, z1, z2} is proof of format correctness.
Further, the sender generates an equality proof. The sender uses pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P}, pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, commitment C1 = {C1.commitment, C1.r}, commitment C2 = {C2.commitment, C2.r} and the amount V used to generate the commitments; the equality proof ep is generated in the following steps:
(1)y=C1.commitment*C2.commitment(mod P)
(2) Declaring ep = { t, s } as an equality proof result
(3)g={pub1.G1,pub2.G1,pub1.H,pub2.H}
(4)x={V,V,C1.r,C2.r}
(5)a={-1,-1,0,0}
(6)pub=pub1
(7) Declare v as an array of length 4
(8)P_1=P-1
(9)ssnum=0
(10) Traverse a; if the traversal value is not 0, ssnum = ssnum + 1
(11) rbi = rand(n, pub), where n = 4 if ssnum is 0, otherwise n = 3; rbi is an array and n is its length
(12)line=0
(13)last=0
(14) Traverse a, with traversal value ai:
If ai = 0, v[i] = rbi[line], line = line + 1
If ai != 0, then
If ssnum = 1, v[i] = last : (ai mod P_1) mod P_1, ssnum = ssnum - 1
If ssnum != 1, v[i] = rbi[line], line = line + 1, ssnum = ssnum - 1, last = (last - a[i] * v[i]) mod P_1
(15)t=1
(16) Declare c_hash as an empty array
(17) Traverse g, with traversal value gi and iteration index i:
gi=(gi^v[i])mod P
t=(t*gi)mod P
Add gi to c_hash
(18) Add y to c_hash
(19) Add t to c_hash
(20)c=Hash(c_hash)
(21)c_bi=c mod P
(22) Traverse v, with traversal value vi and iteration index i:
mash=(vi-c_bi*x[i])mod P_1
Add mash to ep.s
(23)ep.t=t
(24) ep is then the generated equality proof.
Further, the sender generates a range proof. The sender uses the amount v, the commitment C = {C.commitment, C.r} and the sender public key pub_S = {G1, G2, H, P}, and the range proof rp is generated by the following steps:
(1)P_1=P-1
(2) v is converted into binary and stored in aL, with the low bit of the binary at the low index of aL
(3) Declare aR as an array of length limit
(4) Loop limit times; i is the loop index: aR[i] = (aL[i]-1) mod P_1
(5) Randomly generate a random number array mix of length 4*(limit+1)
(6)alpha=mix[0]
(7)rou=mix[1]
(8) Randomly generate sL, sR, tao1, tao2, g, h
(9)A=H^alpha mod P
(10)S=H^rou mod P
(11) Loop limit times; i is the loop index:
gaL=(g[i]^aL[i])mod P
haR=(h[i]^aR[i])mod P
gsL=(g[i]^sL[i])mod P
hsR=(h[i]^sR[i])mod P
A=(A*gaL*haR)mod P
S=(S*gsL*hsR)mod P
(12)AS=[A,S]
(13)y_bytes=Hash(AS)
(14)ASy=[AS,y_bytes]
(15)z_bytes=Hash(ASy)
(16)ASyz=[ASy,z_bytes]
(17)x_bytes=Hash(ASyz)
(18)x=x_bytes mod P_1
(19)y=y_bytes mod P_1
(20)z=z_bytes mod P_1
(21) Declare l and r as arrays of length limit
(22)tv=0
(23)t1=0
(24)t2=0
(25)n2=1
(26)ny=1
(27) Loop limit times; i is the loop index:
aLz=aL[i]-z
sLx=sL[i]*x
l[i]=(aLz+sLx)mod P
z2n=(z^2 mod P_1)*n2
arz=aR[i]+z
r[i]=((arz+sR[i]*x mod P_1)*ny+z2n)mod P_1
lr=l[i]*r[i]
tv=(tv+lr)mod P_1
ysR=(ny*sR[i])mod P_1
aLzysR=(aLz*ysR)mod P_1
n2nyaRzsl=((ny*arz+z2n)mod P_1)mod sL[i]
t1=t1+(aLzysR*n2nyaRzsl mod P_1)
t2=(t2+sL[i]*ysR)mod P_1
n2=(n2*2)mod P_1
ny=(ny*y)mod P_1
(28)T1=(G1^t1 mod P)*(H^tao1 mod P)mod P
(29)T2=(G1^t2 mod P)*(H^tao2 mod P)mod P
(30)x2tao2=(x^2 mod P_1)*tao2
(31)z2gama=(z^2 mod P_1)*r
(32)tao_x=(x2tao2+x*tao1+z2gama)mod P_1
(33)miu=(rou*x+alpha)mod P_1
(34)n=limit
(35) rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h} is the range proof.
Further, the sender encrypts the content required for supervision, including the privacy information of the sender and the receiver and the transaction data, using the public key of the supervisor, generating the ciphertext e.
Further, the receiver verifies the accounting balance certificate. The receiver uses the change commitment CM_R, the transfer commitment CM_S, the total commitment CM_O, the public key pub = {G1, G2, H, P} and the accounting balance certificate bp = {c, R_v, R_r, S_v, S_r, S_or} to perform the following steps:
(1)g1rv=G1^R_v(mod P)
(2)hrr=H^R_r(mod P)
(3)cmrc=CM_R^c(mod P)
(4)t1_v=(g1rv*hrr(mod P))*cmrc(mod P)
(5)g1sv=G1^S_v(mod P)
(6)hsr=H^S_r(mod P)
(7)cmsc=CM_S^c(mod P)
(8)t2_v=(g1sv*hsr(mod P))*cmsc(mod P)
(9)rvsv=R_v+S_v
(10)g1rvsv=G1^rvsv(mod P)
(11)hsor=H^S_or(mod P)
(12)cmoc=CM_O^c(mod P)
(13)t3_v=(g1rvsv*hsor(mod P))*cmoc(mod P)
(14)c_v=Hash(t1_v:+t2_v:+t3_v)(mod P)
(15) If c_v == 0 the verification passes, otherwise it fails.
Further, the receiver verifies the format correctness proof. The receiver uses the public key pub = {G1, G2, H, P}, the ciphertext C = {C1, C2} obtained by encrypting the content with the public key pub, and the format correctness proof fp = {c, z1, z2}, and carries out the following steps:
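The accounting balance proof above (generation steps (1) to (27) and the receiver's verification steps (1) to (15); claim 1 restates the same generation procedure) is a Schnorr-type sigma protocol over commitments of the form G1^v * H^r, made non-interactive with a hash challenge. The following is an added Python example, not code from the patent or its authors, that implements both sides over a small constructed prime so the check can be run. The 61-bit prime, the bases G1 and H, SHA-256 as Hash and the `:`-joined concatenation are my assumptions; the final comparison recomputes the challenge from t1_v, t2_v and t3_v and compares it with the proof's c, which is how I read step (15)'s `c_v == 0` test (as `c_v - c == 0`).

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): a 61-bit Mersenne prime P and fixed
# bases G1, H in Z_P^*. A real deployment uses the full-size public key fields
# shown on the page; exponent arithmetic is modulo P_1 = P - 1 either way.
P = 2305843009213693951  # 2^61 - 1, prime
P_1 = P - 1
G1, H = 3, 7


def commit(v, r):
    """Commitment to amount v with random number r: CM = G1^v * H^r mod P."""
    return pow(G1, v, P) * pow(H, r, P) % P


def challenge(*parts):
    """Fiat-Shamir challenge c = Hash(t1 :+ t2 :+ t3) mod P (SHA-256 assumed)."""
    data = ":".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def rand_exp():
    """Blinding exponent in [2, P-3], the range steps (6)-(10) produce."""
    return 2 + secrets.randbelow(P - 4)


def gen_balance_proof(v_s, r_s, v_r, r_r, r_o):
    """Sender side: prove v_o = v_s + v_r without revealing any amount."""
    a, b, d, e, f = (rand_exp() for _ in range(5))
    t1_p = pow(G1, a, P) * pow(H, b, P) % P              # blinds CM_R
    t2_p = pow(G1, d, P) * pow(H, e, P) % P              # blinds CM_S
    t3_p = pow(G1, (a + d) % P_1, P) * pow(H, f, P) % P  # blinds CM_O with a+d
    c = challenge(t1_p, t2_p, t3_p)
    # (P_1 - (c*x mod P_1) + k) mod P_1 on the page is simply k - c*x mod P_1
    R_v = (a - c * v_r) % P_1
    R_r = (b - c * r_r) % P_1
    S_v = (d - c * v_s) % P_1
    S_r = (e - c * r_s) % P_1
    S_or = (f - c * r_o) % P_1
    return {"c": c, "R_v": R_v, "R_r": R_r, "S_v": S_v, "S_r": S_r, "S_or": S_or}


def verify_balance_proof(CM_R, CM_S, CM_O, bp):
    """Receiver side: rebuild t1, t2, t3 from the responses and the commitments."""
    c = bp["c"]
    t1_v = pow(G1, bp["R_v"], P) * pow(H, bp["R_r"], P) * pow(CM_R, c, P) % P
    t2_v = pow(G1, bp["S_v"], P) * pow(H, bp["S_r"], P) * pow(CM_S, c, P) % P
    # Using R_v + S_v as the G1 exponent is what ties CM_O to CM_R and CM_S:
    # the c-dependent G1 factors cancel only if v_o == v_r + v_s.
    rvsv = (bp["R_v"] + bp["S_v"]) % P_1
    t3_v = pow(G1, rvsv, P) * pow(H, bp["S_or"], P) * pow(CM_O, c, P) % P
    return challenge(t1_v, t2_v, t3_v) == c


def balance_check(v_o, v_s, v_r):
    """Build the three commitments for one transaction and run prove + verify."""
    r_s, r_r, r_o = rand_exp(), rand_exp(), rand_exp()
    CM_S, CM_R, CM_O = commit(v_s, r_s), commit(v_r, r_r), commit(v_o, r_o)
    bp = gen_balance_proof(v_s, r_s, v_r, r_r, r_o)
    return verify_balance_proof(CM_R, CM_S, CM_O, bp)


if __name__ == "__main__":
    print("legal transaction:", balance_check(10, 6, 4))    # True
    print("illegal transaction:", balance_check(10, 6, 5))  # False
```

Note that r_o is independent of r_s and r_r: the third equation binds only the G1 exponents through R_v + S_v, so the proof does not need CM_O to equal CM_R * CM_S. The toy bases are not a safe choice for anything but this demonstration, since a prover who knows log_G1(H) can open a commitment to any value.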
(1)c1c=c2^c(mod P)
(2)g1z1=G1^z1(mod P)
(3)hz2=H^z2(mod P)
(4)c1c=c1c*g1z1(mod P)
(5)t1_v=c1c*hz2(mod P)
(6)c2c=c1^c(mod P)
(7)g2z2=G2^z2(mod P)
(8)t2_v=c2c*g2z2(mod P)
(9)c_v=Hash(t1_v:+t2_v)(mod P)
(10) If c_v == 0 the verification passes, otherwise it fails.
Further, the receiver verifies the equality proof ep = {s, t}, using the public key pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P}, pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, the ciphertext C1 = {C1.C1, C1.C2} and the ciphertext C2 = {C2.C1, C2.C2}. The following steps are carried out:
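The format correctness proof (generation steps (1) to (18) above, the receiver's verification steps (1) to (10), and the same generation steps in claim 1), as an added Python example that is not the patent's code. It assumes the ciphertext layout the verification steps imply, C1 = G2^r and C2 = G1^v * H^r (step (1) raises the second element to c beside the G1 and H terms, step (6) the first element beside G2), together with a constructed 61-bit prime, fixed bases and SHA-256 as Hash, and reads step (10)'s `c_v == 0` as the recomputed challenge matching c.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): 61-bit Mersenne prime and fixed bases.
P = 2305843009213693951  # 2^61 - 1, prime
P_1 = P - 1
G1, G2, H = 3, 5, 7


def encrypt(v, r):
    """Standard commitment format assumed here: C = {C1, C2} with
    C1 = G2^r and C2 = G1^v * H^r (both mod P), sharing the random number r."""
    return (pow(G2, r, P), pow(G1, v, P) * pow(H, r, P) % P)


def challenge(*parts):
    """Fiat-Shamir challenge c = Hash(t1 :+ t2) mod P (SHA-256 assumed)."""
    data = ":".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def gen_format_proof(v, r):
    """Sender side: prove knowledge of (v, r) such that C has the standard form."""
    a = 2 + secrets.randbelow(P - 4)   # steps (5)-(6): random in [2, limit+1]
    b = 2 + secrets.randbelow(P - 4)   # steps (7)-(8)
    t1_p = pow(G1, a, P) * pow(H, b, P) % P   # same shape as C2
    t2_p = pow(G2, b, P)                      # same shape as C1, same b
    c = challenge(t1_p, t2_p)
    z1 = (a - v * c) % P_1   # (P_1 - v*c + a) mod P_1
    z2 = (b - r * c) % P_1   # (P_1 - r*c + b) mod P_1
    return {"c": c, "z1": z1, "z2": z2}


def verify_format_proof(C, fp):
    """Receiver side: both equations must reproduce t1_p and t2_p exactly,
    which only happens if C1 and C2 were built with the same r."""
    C1, C2 = C
    c = fp["c"]
    t1_v = pow(C2, c, P) * pow(G1, fp["z1"], P) % P * pow(H, fp["z2"], P) % P
    t2_v = pow(C1, c, P) * pow(G2, fp["z2"], P) % P
    return challenge(t1_v, t2_v) == c


def format_check(v, r, r_other=None):
    """Prove for (v, r); optionally verify against a malformed ciphertext whose
    C1 uses a different random number r_other (the case the proof must reject)."""
    fp = gen_format_proof(v, r)
    C = encrypt(v, r)
    if r_other is not None:
        C = (pow(G2, r_other, P), C[1])
    return verify_format_proof(C, fp)


if __name__ == "__main__":
    print("well-formed ciphertext:", format_check(16, 12345))                 # True
    print("C1 built with another r:", format_check(16, 12345, r_other=54321))  # False
```

The single response z2 serves both equations, which is what forces the two ciphertext halves to share one r; a ciphertext whose halves use different random numbers, or a proof generated for a different amount, makes the recomputed challenge differ from c.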
(1)y=C1.C2*C2.C2(mod P)
(2)g={pub1.G1,pub2.G1,pub1.H,pub2.H}
(3)pub=pub1
(4)a={1,-1,0,0}
(5)b=0
(6)P_1=P-1
(7) Declare c_hash as an empty array
(8) Traverse g, with traversal value gi, adding each gi to c_hash
(9) Add y and ep.t to c_hash in sequence
(10)c=Hash(c_hash)
(11)c_bi=c mod P
(12)t_verify=y
(13)t_verify=(t_verify^c_bi)mod P
(14) Traverse g, with traversal value gi and iteration index i:
buf=(gi^ep.s[i])mod P
t_verify=(t_verify*buf)mod P
(15) If t_verify != ep.t, the verification fails
(16)cb=-c_bi*b
(17)mix=0
(18) Traverse a, with traversal value ai:
aisi=(ai*ep.s[i])mod P_1
mix=(mix+aisi)mod P_1
(19) If mix is not equal to cb, the verification fails; otherwise the verification succeeds.
Further, the receiver verifies the range proof. The receiver uses the amount v, the ciphertext C = {C1, C2}, the public key pub = {G1, G2, H, P} and the range proof rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h}, and performs the following steps:
(1)P_1=P-1
(2)P_2=P-2
(3) Declare l, r, g, h as arrays of length n
(4)V=C2
(5)tv=0
(6) Loop n times; i is the loop index:
tv=(tv+l[i]*r[i])mod P_1
(7)AS=[A,S]
(8)y_bytes=Hash(AS)
(9)ASy=[AS,y_bytes]
(10)z_bytes=Hash(ASy)
(11)ASyz=[ASy,z_bytes]
(12)x_bytes=Hash(ASyz)
(13)x=x_bytes mod P_1
(14)y=y_bytes mod P_1
(15)z=z_bytes mod P_1
(16) Declare h_ as an array of length n
(17)y_inv=y^P_2 mod P_1
(18)y_2p=y^P_1 mod P
(19)vf=y*y_inv mod P_1
(20)y_1=1
(21) Loop n times; i is the loop index:
h_[i]=h[i]^y_1 mod P
y_1=(y_1*y_inv)mod P_1
(22)htaox=H^tao_x mod P
(23)left=(G1^tv mod P)*htaox mod P
(24)z2=z^2 mod P_1
(25)z3=z^3 mod P_1
(26)ny_1=(y^rp.n mod P_1)-1
(27)y_x1=y-1
(28)y_x1=y_x1^(-1) mod P_1
(29)ny_1=ny_1^y_x1 mod P_1
(30)z_z2=(z-z2)mod P_1
(31)ibx=z_z2*ny_1
(32)n_1_2=2^rp.n mod P_1
(33)z3n12=z3*n_1_2
(34)ibx=ibx-z3n12
(35)gibx=pub.G1^ibx mod P
(36)right=(V^z2 mod P)*gibx mod P
(37)x2=x*x
(38)T1x=T1^x mod P
(39)T2x2=T2^x2 mod P
(40)right=(right*T1x mod P)*T2x2 mod P
(41) If left and right are not equal, then the verification is determined not to pass
(42)p=S^x mod P
(43)p=p*A mod P
(44)gz=1;h_mix=1;n2=1;ny=1;
(45) Loop n times; i is the loop index:
gz_inv=g[i]^z mod P
gz=gz*(gz_inv^(-1) mod P)
mix=z*ny+z2*n2
mix=h_[i]^mix mod P
h_mix=h_mix*mix mod P
n2=n2*2 mod P_1
ny=ny*y mod P_1
(46)p=p*gz mod P
(47)p=p*h_mix mod P
(48)P_check=H^miu mod P
(49) Loop n times; i is the loop index:
gl=g[i]^l[i] mod P
hr=h[i]^r[i] mod P
P_check=P_check*gl mod P
P_check=P_check*hr mod P
(50) If p and P_check are equal, the range proof verification passes; otherwise it fails.
Further, the supervisor verifies the ciphertext e; if the verification passes, the transaction is legal and valid, otherwise the transaction is considered invalid and is discarded.
Example 2
As shown in fig. 3, the user registration is performed according to the following steps:
(1) A sender locally generates a public and private key, and the public key is externally disclosed;
(2) The receiving party locally generates a public and private key, and the public key is externally disclosed;
(3) The supervisor locally generates a public and private key, and the public key is externally disclosed.
As shown in fig. 4, the sender calculates the transaction disclosure data by the zero-knowledge proof privacy protection algorithm, according to the following steps:
(1) Generating an accounting balance certificate bp;
(2) Generating a proof fp with a correct format;
(3) Generating a range attestation rp;
(4) Generating an equal proof ep;
(5) A policing encryption field e is generated.
As shown in fig. 5, the transaction is sent, which is performed as follows:
(1) The sender sends the transaction disclosure data to the receiver;
(2) The receiving party verifies the zero knowledge proof after receiving the transaction;
(3) The supervisor verifies the ciphertext e;
(4) If the transaction passes the verification, the transaction is stored and validated.
The specific procedures of the present invention will now be described with specific examples.
In the auction example, the invention keeps the whole auction process anonymous and supervised; the specific implementation flow is as follows.
(1) Before the auction begins, the potential buyers, the auction seller and the supervisor register accounts in the system, obtain their respective public keys and private keys, and the potential buyers are given unlimited system account funds.
(2) During the auction, the potential buyers bid, and the bidding process is the same as the transfer process, namely the potential buyer transfers money to the auction seller. The buyer generates the accounting balance certificate bp, the format correctness proof fp, the range proof rp, the equality proof ep and the supervision encrypted field e, and then initiates the transfer to the seller.
(3) After receiving the transaction, the auction seller verifies the zero-knowledge proofs;
(4) The supervisor verifies the ciphertext e;
(5) If the verification is passed, the transaction is stored and validated, and the bidding is considered to be successful, and the next bidding is waited.
(6) After bidding ends, the supervisor decrypts and checks all the bidding contents, and the successful bidder is announced.
(7) The auction hides the identity and the bid amount of each bidder throughout, and the final result is given only by the trusted supervisor according to all transaction contents.
The technical effects of the present invention will be described in detail with reference to experiments.
The invention is realized experimentally, and the experimental output is as follows:
public key:
P:33333f914834ced561c145797d9b5782719dbd1b43a668d4b01151f9c0e67d9f
G1:3174504ed79fb7791f5980fd36107f441286198271ebc8e02499005520e4013a
G2:231dba42e1eb3afd09fae4f7f2b13e1686d744b003d200b5bd37bdf877bcadb9
H:65449a792d4abe211d1be86b74e158ff32e708d5717e854e162a9f1a0633394
private key:
X:1da7643b396061c17ac2cbd08d700a6f71cf56826a23af231a872dfa9af1e55f
generating a proof of correct format:
C:26ac016ded7c755456e2f98b621d2481403845ec93d55851b4dd5a74ae1d395b
Z1:31dcd46aab6cc21f248316069fc34a28ff1a24862061f3dac1ddf0edcc9e2005
Z2:296471ee814fdab02845c36c4ecbd759554ef4891d732eeddc512cbba88eefbc
verifying the format correctness proof:
format correctness proof verified!
Setting the amount of money: 16
Encrypting the same content using different public keys
Generation of equal proof:
s:[0b4eb86f14a4b5f016706df6e15bfa830414c318cf44707831b9e61fb1bdcc8f0b4eb86f14a4b5f016706df6e15bfa830414c318cf44707831b9e61fb1bdcc8f02f06aaf43e24b96bcf3baf345f0dcac47aa8f67cd8fb16fba5092f3f00710922776d6ba325a83705a5479504165d388ca27d101235e16340f5d997581004040]
t:73572ad326fd564027cb8b2e6bbced7303b71e37e750ca25eed9c72f71cccf
verifying the equality proof:
equality proof verified!
Setting up legitimate transactions
Generating an accounting balance certificate:
s:[16728e075b434a946683d1f9d7cf99f6da8e1f7357bd942497f8df37330bce1c]
t:09fb9a71955cc1fa6483aebedac802b777b466042a8e680d4d102595aacabb53
verifying accounting balance certification:
verification of accounting balance certificate is passed!
Setting illegal transactions:
generating an accounting balance certificate:
s:[1dce60d7d17eee182ec299f98d20f9becfbfca2c55f5357cda8c0a27f7b1e7ce0d4011e5042ac5abe5ec1e721944351fa2bc3dc53d1b50337d80045de98b45a9]
t:1368dcd8658813075e551a2277a60100f214263d351c7384525187dcba93a82b
verifying accounting balance certification:
accounting balance certificate verification failed!
Generation of equal proof:
s:[21fab46a3bb6ee942faf63fa6efa7c89c39c198a8e35e501646d76d5fa79e76621fab46a3bb6ee942faf63fa6efa7c89c39c198a8e35e501646d76d5fa79e76622715bb53e845add06c994dcaf636e97fcf0c2b41b189a8197bd157a1c1acf510699e9734ce3aeec542e933aa5673a836f66a812d456b21f17e4da80e750398c]
t:0434568b2029a5f5d150c7f66e9a44d927c7716766ff3701ba351603c120977e
verifying the equality proof:
equality proof verified!
Generating a proof of correct format:
C:04879e7df788c0c4d37e83d87e08b27cd944884a51176edc8ecb32578e1e000d
Z1:24e32f1a37c91e4e6396c5bfd1f8331acb9ff5ea483701c3ac0273dab87cca46
Z2:0ada337717dde4f7fa74c6b9efcd1187a59db6193ae1925cbbfd4463cb9bec91
verifying the format correctness proof:
format correctness proof verified!
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When software is used, it may be implemented wholly or partially as a computer program product that includes one or more computer instructions. When the computer instructions are loaded or executed on a computer, the flows or functions according to the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that includes one or more such media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (4)

1. A zero-knowledge proof privacy protection method is characterized in that the zero-knowledge proof privacy protection method further comprises the following steps that a sender calculates transaction disclosure data through a zero-knowledge proof privacy protection algorithm, and the method comprises the following steps:
(1) Generating an accounting balance certificate bp;
(2) Generating a proof fp with a correct format;
(3) Generating a range attestation rp;
(4) Generating an equal proof ep;
(5) Generating a supervision encryption field e;
the zero-knowledge proof privacy protection method further comprises the step of sending a transaction, wherein the step of sending the transaction comprises the following steps:
(1) The sender sends the transaction disclosure data to the receiver;
(2) The receiving party verifies the zero knowledge proof after receiving the transaction;
(3) The supervisor verifies the ciphertext e;
(4) If the transaction passes the verification, the transaction is stored and takes effect;
in the zero-knowledge proof privacy protection method, the method for generating the public and private keys by the sender, the receiver and the supervisor respectively comprises the following steps:
(1) the public key of the sender pub_S = {G1, G2, H, P}, and the private key priv_S = {X};
(2) the public key of the receiver pub_R = {G1, G2, H, P}, and the private key priv_R = {X};
(3) the public key of the supervisor pub_G = {G1, G2, H, P}, and the private key priv_G = {X};
the sender generates its own total property and issues commitments and random numbers for the amount of the property and the change property;
the sender generates the accounting balance certificate, comprising:
the sender uses pub_S, the transfer amount v_s and its commitment random number r_s, the change amount v_r and its commitment random number r_r, and the total-amount commitment random number r_o to generate the accounting balance certificate bp, and the accounting balance certificate generation includes:
(1) Taking the public key field P of the sender, and calculating P-1 as P_1;
(2) Taking the Unix timestamp time of the system, and generating a random number rnd using time as the seed;
(3) Taking the public key field P of the sender, and calculating P-4 as limit;
(4) Calculating limit^5 as limit_5;
(5) Using rnd as the seed to generate a random number mix less than limit;
(6) Calculating mix modulo limit plus 2 as a, and calculating mix/limit as mix;
(7) Calculating mix modulo limit plus 2 as b, and calculating mix/limit as mix;
(8) Calculating mix modulo limit plus 2 as d, and calculating mix/limit as mix;
(9) Calculating mix modulo limit plus 2 as e, and calculating mix/limit as mix;
(10) Calculating mix modulo limit plus 2 as f, and calculating mix/limit as mix;
(11) Taking the public key field G1 of the sender, and calculating G1^a modulo P as g1a;
(12) Taking the public key field H of the sender, and calculating H^b modulo P as hb;
(13) Calculating g1a*hb modulo P as t1_p;
(14) Taking the public key field G1 of the sender, and calculating G1^d modulo P as g1d;
(15) Taking the public key field H of the sender, and calculating H^e modulo P as he;
(16) Calculating g1d*he modulo P as t2_p;
(17) Calculating a+d modulo P_1 as ad;
(18) Taking the public key field G1 of the sender, and calculating G1^ad modulo P as g1ad;
(19) Taking the public key field H of the sender, and calculating H^f modulo P as hf;
(20) Calculating g1ad*hf modulo P as t3_p;
(21) Concatenating t1_p, t2_p and t3_p, and calculating the hash value modulo P as c;
(22) Calculating P_1-(c*v_r (mod P_1))+a modulo P_1 as R_v;
(23) Calculating P_1-(c*r_r (mod P_1))+b modulo P_1 as R_r;
(24) Calculating P_1-(c*v_s (mod P_1))+d modulo P_1 as S_v;
(25) Calculating P_1-(c*r_s (mod P_1))+e modulo P_1 as S_r;
(26) Calculating P_1-(c*r_o (mod P_1))+f modulo P_1 as S_or;
(27) bp = {c, R_v, R_r, S_v, S_r, S_or} is the accounting balance certificate;
the sender generates a proof of correct format, comprising:
the sender uses pub_S, the amount v and the random number r of the commitment to v to generate the format correctness proof fp, wherein the format correctness proof generation comprises the following steps:
(1) Taking the public key field P of the sender, and calculating P-1 as P_1;
(2) Taking the system Unix timestamp time, and generating a random number rnd_a using time as the seed;
(3) Generating a random number rnd_b using rnd_a as the seed;
(4) Taking the public key field P of the sender, and calculating P-4 as limit;
(5) Using rnd_a as the seed to generate a random number a smaller than limit;
(6) Calculating a+2 as a;
(7) Using rnd_b as the seed to generate a random number b smaller than limit;
(8) Calculating b+2 as b;
(9) Calculating G1^a modulo P as g1a;
(10) Calculating H^b modulo P as hb;
(11) Calculating g1a*hb modulo P as t1_p;
(12) Calculating G2^b modulo P as t2_p;
(13) Concatenating t1_p and t2_p, and calculating the hash value modulo P as c;
(14) Calculating P_1-v*c modulo P_1 as vc;
(15) Calculating a+vc modulo P_1 as z1;
(16) Calculating P_1-r*c modulo P_1 as r1c;
(17) Calculating b+r1c modulo P_1 as z2;
(18) fp = {c, z1, z2} is the format correctness proof;
the sender generates an equality proof, comprising: the sender uses pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P}, pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, commitment C1 = {C1.commitment, C1.r}, commitment C2 = {C2.commitment, C2.r} and the amount V used to generate the commitments, and the equality proof ep is generated, including:
(1) Calculating C1.commitment*C2.commitment modulo P as y;
(2) Declaring ep = {t, s} as the equality proof result;
(3) Letting g be an array of length 4 with elements {pub1.G1, pub2.G1, pub1.H, pub2.H};
(4) Letting x be an array of length 4 with elements {V, V, C1.r, C2.r};
(5) Letting a be an array of length 4 with elements {-1, -1, 0, 0};
(6) Letting pub be pub1;
(7) Declaring v as an empty array of length 4;
(8) Taking the public key field P of the sender, and calculating P-1 as P_1;
(9) Declaring ssnum as 0;
(10) Traversing a, and if the traversal value is not 0, adding 1 to ssnum;
(11) Generating a list rbi of n random numbers with pub as the seed, wherein n = 4 if ssnum is 0, otherwise n = 3;
(12) Declaring line to be 0;
(13) Declaring last to be 0;
(14) Traversing each element in a in sequence, letting each traversal value be ai:
if ai is equal to 0, letting v[i] be rbi[line], and adding 1 to line;
if ai is not equal to 0, performing the following determination and its steps:
if ssnum equals 1, letting v[i] be last : (ai mod P_1) modulo P_1, and adding 1 to ssnum;
if ssnum is not equal to 1, letting v[i] be rbi[line], adding 1 to line, subtracting 1 from ssnum, and letting last be (last-ai*v[i]) modulo P_1;
(15) Declaring t equal to 1;
(16) Declaring c_hash as an empty array;
(17) Traversing g, letting each traversal value be gi, and executing the following steps in the ith iteration:
calculating (gi^v[i]) modulo P, and assigning it to gi as a new variable;
letting t equal (t*gi) modulo P;
adding gi to c_hash;
(18) Adding y to c_hash;
(19) Adding t to c_hash;
(20) Calculating the hash of c_hash as c;
(21) Calculating c modulo P as c_bi;
(22) Traversing v, obtaining a value vi in each traversal, and executing the following steps in the ith iteration:
calculating (vi-c_bi*x[i]) modulo P_1 as mash;
adding mash to ep.s;
(23) ep.t = t;
(24) Thus ep is the generated equality proof;
the sender generates a range proof, including:
the sender uses the amount v, the commitment C = {C.commit, C.r} and the sender public key pub_S = {G1, G2, H, P}; generating the range proof rp includes:
(1) Taking the public key field P of the sender, and calculating P − 1 as P_1;
(2) Converting v to binary and storing it in aL, with the low bits of the binary at the low indices of aL;
(3) Declaring aR as an array of length limit;
(4) Looping limit times; in the ith loop, calculating (aL[i] − 1) modulo P_1 as aR[i];
(5) Randomly generating a random-number array mix of length 4 × (limit + 1);
(6) Taking the first element of mix, the element with index 0, as alpha;
(7) Taking the second element of mix, the element with index 1, as rou;
(8) Randomly generating six random values sL, sR, tao1, tao2, g and h;
(9) Calculating H ^ alpha modulo P as A;
(10) Calculating H ^ rou modulo P as S;
(11) Looping limit times; in the ith loop, performing the following operations in sequence:
calculating g[i] ^ aL[i] modulo P as gaL;
calculating h[i] ^ aR[i] modulo P as haR;
calculating g[i] ^ sL[i] modulo P as gsL;
calculating h[i] ^ sR[i] modulo P as hsR;
calculating A × gaL × haR modulo P as A;
calculating S × gsL × hsR modulo P as S;
(12) Declaring an array AS of length 2 and filling it with the elements {A, S};
(13) Taking the hash of the array AS as y_bytes;
(14) Declaring an array ASy of length 2 and filling it with the elements {AS, y_bytes};
(15) Taking the hash of the array ASy as z_bytes;
(16) Declaring an array ASyz of length 2 and filling it with the elements {ASy, z_bytes};
(17) Taking the hash of the array ASyz as x_bytes;
(18) Calculating x_bytes modulo P_1 as x;
(19) Calculating y_bytes modulo P_1 as y;
(20) Calculating z_bytes modulo P_1 as z;
(21) Declaring l and r as empty arrays of length limit;
(22) Letting tv equal 0;
(23) Letting t1 equal 0;
(24) Letting t2 equal 0;
(25) Letting n2 equal 1;
(26) Letting ny equal 1;
(27) Looping limit times; in the ith loop, performing the following operations in sequence:
calculating aL[i] − z as aLz;
calculating sL[i] × x as sLx;
calculating (aLz + sLx) modulo P as l[i];
calculating z ^ 2 modulo P_1 and multiplying the result by n2 as z2n;
calculating aR[i] + z as aRz;
calculating ((aRz + sR[i] × x) mod P_1) × ny + z2n modulo P_1 as r[i];
calculating l[i] × r[i] as lr;
calculating tv + lr modulo P_1 as tv;
calculating ny × sR[i] modulo P_1 as ysR;
calculating aLz × ysR modulo P_1 as aLzysR;
calculating ((ny × aRz + z2n) mod P_1) × sL[i] as n2nyaRzsL;
calculating t1 + (aLzysR + n2nyaRzsL mod P_1) as t1;
calculating t2 + sL[i] × ysR modulo P_1 as t2;
calculating n2 × 2 modulo P_1 as n2;
calculating ny × y modulo P_1 as ny;
(28) Calculating (G1 ^ t1 mod P) × (H ^ tao1 mod P) modulo P as T1;
(29) Calculating (G1 ^ t2 mod P) × (H ^ tao2 mod P) modulo P as T2;
(30) Calculating (x ^ 2 mod P_1) × tao2 as x2tao;
(31) Calculating (z ^ 2 mod P_1) × C.r as z2gama;
(32) Calculating x2tao + x × tao1 + z2gama modulo P_1 as tao_x;
(33) Calculating rou × x + alpha modulo P_1 as miu;
(34) Letting n equal limit;
(35) rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h} is the range proof;
the sender encrypts the content that requires supervision, including the private information of the sender and the receiver and the transaction data, with the public key of the supervisor to generate a ciphertext e;
the receiver verifies the accounting balance proof, which comprises the following steps:
the receiver uses the change commitment CM_R, the transfer commitment CM_S, the total commitment CM_O, the public key pub = {G1, G2, H, P} and the accounting balance proof bp = {c, R_v, R_r, S_v, S_r, S_or}; the verification includes:
(1) Calculating G1 ^ R_v modulo P as g1rv;
(2) Calculating H ^ R_r modulo P as hrr;
(3) Calculating CM_R ^ c modulo P as cmrc;
(4) Calculating (g1rv × hrr (mod P)) × cmrc modulo P as t1_v;
(5) Calculating G1 ^ S_v modulo P as g1sv;
(6) Calculating H ^ S_r modulo P as hsr;
(7) Calculating CM_S ^ c modulo P as cmsc;
(8) Calculating (g1sv × hsr (mod P)) × cmsc modulo P as t2_v;
(9) Calculating R_v + S_v as rvsv;
(10) Calculating G1 ^ rvsv modulo P as g1rvsv;
(11) Calculating H ^ S_or modulo P as hsor;
(12) Calculating CM_O ^ c modulo P as cmoc;
(13) Calculating (g1rvsv × hsor (mod P)) × cmoc modulo P as t3_v;
(14) Concatenating t1_v, t2_v and t3_v, hashing the concatenation, and calculating the hash modulo P as c_v;
(15) Judging whether c_v is equal to 0; if so, the verification passes, otherwise the verification fails;
the receiver verifies the format correctness proof, including:
the receiver uses the public key pub = {G1, G2, H, P}, the ciphertext C = {c1, c2} obtained by encrypting the content with the public key pub, and the format correctness proof fp = {c, z1, z2}; the verification includes:
(1) Calculating c2 ^ c modulo P as c1c;
(2) Calculating G1 ^ z1 modulo P as g1z1;
(3) Calculating H ^ z2 modulo P as hz2;
(4) Calculating c1c × g1z1 modulo P as c1c;
(5) Calculating c1c × hz2 modulo P as t1_v;
(6) Calculating c1 ^ c modulo P as c2c;
(7) Calculating G2 ^ z2 modulo P as g2z2;
(8) Calculating c2c × g2z2 modulo P as t2_v;
(9) Concatenating t1_v and t2_v, hashing the concatenation, and calculating the hash modulo P as c_v;
(10) Judging whether c_v is equal to 0; if so, the verification passes, otherwise the verification fails;
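The balance proof steps (1)-(15) and the format proof steps (1)-(10) above are both verifications of several Schnorr-type commitment-opening proofs that share one Fiat-Shamir challenge: the verifier rebuilds each announcement t_v from the responses and the commitment raised to c, then re-hashes. The Python below is an added example written for this page, not the patent's own code. It gives a generic prover and verifier for such AND-composed proofs over a toy safe-prime group and instantiates it twice: for the three balance commitments, where CM_O's G1 exponent is formed from the same two responses the verifier adds as R_v + S_v, and for the ciphertext format, where c1 and c2 share one randomness response. The group constants, the hash-to-group and challenge functions, the prover side, and the comparison of the recomputed hash with the proof's own challenge c (the steps above print the comparison target as 0) are assumptions of the example.

```python
"""Added example: shared-challenge (AND-composed) proofs of knowledge of commitment
openings, instantiated for the balance proof and the format proof. Not the patent's code."""
import hashlib
import random

P = 10007            # toy safe prime P = 2Q + 1 (assumption: a real system uses a large group)
Q = (P - 1) // 2     # prime order of the subgroup the generators live in; exponents are mod Q


def hash_to_group(label: bytes) -> int:
    """Square of a hash: an element of the order-Q subgroup (retry if trivial)."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return x * x % P if x * x % P not in (0, 1) else hash_to_group(label + b"'")


def challenge(*parts) -> int:
    """Fiat-Shamir challenge in [1, Q-1] over the concatenated transcript."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


G1, G2, H = hash_to_group(b"G1"), hash_to_group(b"G2"), hash_to_group(b"H")


def combine(bases, coeffs, vec):
    """prod base_j ^ <coeff_j, vec> mod P. An equation is a list of bases and, per base,
    a coefficient row that selects (or sums) entries of the witness vector."""
    out = 1
    for base, coeff in zip(bases, coeffs):
        out = out * pow(base, sum(ci * vi for ci, vi in zip(coeff, vec)) % Q, P) % P
    return out


def and_prove(eqs, x, rng):
    """One random vector w, one challenge over every announcement t_j, s = w - c*x."""
    w = [rng.randrange(1, Q) for _ in x]
    targets = [combine(bases, coeffs, x) for bases, coeffs in eqs]
    ts = [combine(bases, coeffs, w) for bases, coeffs in eqs]
    c = challenge(targets, ts)
    return targets, {"c": c, "s": [(wi - c * xi) % Q for wi, xi in zip(w, x)]}


def and_verify(eqs, targets, proof):
    """Recompute t_j = target_j^c * prod base^<coeff, s> (the t1_v, t2_v, t3_v steps)
    and compare the hash of the transcript with the challenge c carried in the proof
    (assumption: this is the check the steps' 'equal to 0' comparison stands for)."""
    c, s = proof["c"], proof["s"]
    ts = [combine(bases, coeffs, s) * pow(target, c, P) % P
          for (bases, coeffs), target in zip(eqs, targets)]
    return challenge(targets, ts) == c


# Balance proof: witness x = [v_R, r_R, v_S, r_S, r_O]; CM_O must open to v_R + v_S,
# which the coefficient row [1, 0, 1, 0, 0] enforces (the verifier's R_v + S_v step).
BALANCE_EQS = [
    ([G1, H], [[1, 0, 0, 0, 0], [0, 1, 0, 0, 0]]),   # CM_R = G1^v_R * H^r_R
    ([G1, H], [[0, 0, 1, 0, 0], [0, 0, 0, 1, 0]]),   # CM_S = G1^v_S * H^r_S
    ([G1, H], [[1, 0, 1, 0, 0], [0, 0, 0, 0, 1]]),   # CM_O = G1^(v_R+v_S) * H^r_O
]
# Format proof: witness x = [m, r]; c2 = G1^m * H^r and c1 = G2^r share the same r.
FORMAT_EQS = [
    ([G1, H], [[1, 0], [0, 1]]),                     # c2 -> responses z1, z2
    ([G2], [[0, 1]]),                                # c1 -> response z2 only
]


def demo():
    """Constructed sample amounts; returns (balance_ok, balance_tampered, format_ok)."""
    rng = random.Random(2021)
    v_r, v_s = 40, 160
    x = [v_r, rng.randrange(1, Q), v_s, rng.randrange(1, Q), rng.randrange(1, Q)]
    cms, bp = and_prove(BALANCE_EQS, x, rng)
    balance_ok = and_verify(BALANCE_EQS, cms, bp)
    # Same proof, but the published total commitment CM_O stands for one coin more.
    cm_o_bad = cms[2] * G1 % P
    balance_bad = and_verify(BALANCE_EQS, [cms[0], cms[1], cm_o_bad], bp)
    cipher, fp = and_prove(FORMAT_EQS, [77, rng.randrange(1, Q)], rng)
    format_ok = and_verify(FORMAT_EQS, cipher, fp)
    return balance_ok, balance_bad, format_ok


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Running the block prints `(True, False, True)`: the honest balance proof and format proof verify, while the proof checked against a total commitment that does not equal the sum of the change and transfer commitments is rejected, because the shared responses tie the three announcements together.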
the receiver uses the public keys pub_S = {pub1.G1, pub1.G2, pub1.H, pub1.P} and pub_R = {pub2.G1, pub2.G2, pub2.H, pub2.P}, the ciphertext C1 = {C1.c1, C1.c2}, the ciphertext C2 = {C2.c1, C2.c2} and the equality proof ep = {s, t}; verifying the equality proof includes:
(1) Taking the public key field P of the receiver, and calculating C1.C2 modulo P as y;
(2) Letting g be an array of length 4 filled with {pub1.G1, pub2.G1, pub1.H, pub2.H};
(3) Renaming pub_S to pub;
(4) Letting a be an array of length 4 filled with {1, −1, 0, 0};
(5) Declaring b equal to 0;
(6) Taking the public key field P of the receiver, and calculating P − 1 as P_1;
(7) Declaring c_hash as an unbounded array;
(8) Traversing g, letting each traversal value be gi, and adding gi to c_hash in each iteration;
(9) Adding y and ep.t to c_hash in sequence;
(10) Calculating the hash of c_hash as c;
(11) Calculating c modulo P as c_bi;
(12) Setting a new variable t_verify to y;
(13) Calculating t_verify ^ c_bi modulo P as t_verify;
(14) Traversing g, letting each traversal value be gi, and executing the following steps in the ith iteration:
calculating gi ^ ep.s[i] modulo P as buf;
calculating t_verify × buf modulo P as t_verify;
(15) Judging whether t_verify is equal to ep.t; if so, continuing with the following steps, otherwise the verification fails and the flow terminates;
(16) Calculating −c_bi × b as cb;
(17) Declaring a new variable mix equal to 0;
(18) Traversing a, letting each traversal value be ai, and executing the following steps in the ith iteration:
calculating ai × ep.s[i] modulo P_1 as aisi;
calculating mix + aisi modulo P_1 as mix;
(19) Judging whether mix is equal to cb; if so, the verification succeeds, otherwise the verification fails;
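The equality proof generation steps (17)-(24) and the verification steps (1)-(19) above are a sigma protocol for knowledge of a vector x with y = Π g_i^{x_i} mod P together with a linear constraint ⟨a, x⟩ = b: the prover answers s_i = v_i − c·x_i, the verifier checks y^c · Π g_i^{s_i} = t and ⟨a, s⟩ = −c·b. The second check only passes for an honest prover when the blinding vector v satisfies ⟨a, v⟩ = 0, which is how the constraint is enforced without revealing x. The Python below is an added example of that protocol, not the patent's code, over a toy safe-prime group; how v is chosen, the formation of y as the product of the two ciphertexts' second components G1^v · H^r under the sender's and receiver's generators, the generators themselves and the hash-to-challenge function are assumptions of the example.

```python
"""Added example: sigma protocol for y = prod g_i^x_i (mod P) with <a, x> = b (mod Q),
made non-interactive with Fiat-Shamir. Toy parameters; not the patent's own code."""
import hashlib
import random

P = 10007            # toy safe prime P = 2Q + 1 (assumption: a real system uses a large group)
Q = (P - 1) // 2     # prime order of the quadratic-residue subgroup; exponents live mod Q


def hash_to_group(label: bytes) -> int:
    """Square of a hash: an element of the order-Q subgroup (retry if trivial)."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return x * x % P if x * x % P not in (0, 1) else hash_to_group(label + b"'")


def challenge(*parts) -> int:
    """Fiat-Shamir challenge in [1, Q-1] over everything hashed so far (the c_hash array)."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def blinding_vector(a, rng):
    """Random v with <a, v> = 0 mod Q, solved for the first coordinate whose a_i != 0
    (assumption about how the steps before (17) pick v; a must not be all zero)."""
    v = [rng.randrange(1, Q) for _ in a]
    k = next(i for i, ai in enumerate(a) if ai % Q)
    rest = sum(ai * vi for i, (ai, vi) in enumerate(zip(a, v)) if i != k) % Q
    v[k] = (-rest) * pow(a[k], -1, Q) % Q
    return v


def eq_prove(g, x, a, b, rng):
    """Steps (17)-(24): t = prod g_i^v_i, c = H(g, y, t), s_i = v_i - c*x_i."""
    y = 1
    for gi, xi in zip(g, x):
        y = y * pow(gi, xi, P) % P
    v = blinding_vector(a, rng)
    t = 1
    for gi, vi in zip(g, v):
        t = t * pow(gi, vi, P) % P
    c = challenge(g, y, t)
    s = [(vi - c * xi) % Q for vi, xi in zip(v, x)]
    return y, {"s": s, "t": t}


def eq_verify(g, y, a, b, ep):
    """Verifier steps (1)-(19): y^c * prod g_i^s_i == t, then <a, s> == -c*b."""
    c = challenge(g, y, ep["t"])
    t_verify = pow(y, c, P)
    for gi, si in zip(g, ep["s"]):
        t_verify = t_verify * pow(gi, si, P) % P
    if t_verify != ep["t"]:
        return False
    mix = sum(ai * si for ai, si in zip(a, ep["s"])) % Q
    return mix == (-c * b) % Q


def demo():
    """Constructed sample: sender bases (G1_S, H_S), receiver bases (G1_R, H_R); y is the
    product of the two ciphertext components G1^v * H^r, so x = [v, v, r_S, r_R] and
    a = [1, -1, 0, 0], b = 0 encode 'both components carry the same amount v'."""
    rng = random.Random(2021)
    g = [hash_to_group(b"sender G1"), hash_to_group(b"receiver G1"),
         hash_to_group(b"sender H"), hash_to_group(b"receiver H")]
    a, b = [1, -1, 0, 0], 0
    v, r_s, r_r = 350, rng.randrange(1, Q), rng.randrange(1, Q)
    y, ep = eq_prove(g, [v, v, r_s, r_r], a, b, rng)
    honest = eq_verify(g, y, a, b, ep)
    # A prover whose two components encode different amounts runs the same steps and
    # still passes the t check, but fails the linear check <a, s> == -c*b.
    y_bad, ep_bad = eq_prove(g, [v, v + 1, r_s, r_r], a, b, rng)
    cheating = eq_verify(g, y_bad, a, b, ep_bad)
    return honest, cheating


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The second case in `demo` is the one the final ⟨a, s⟩ check exists for: a relation y = Π g_i^{x_i} alone says nothing about whether x_0 equals x_1, so a verifier that stopped after step (15) would accept ciphertexts of different amounts.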
the receiver verifies the range proof, which comprises:
the receiver uses the amount v, the ciphertext C = {C1, C2}, the public key pub = {G1, G2, H, P} and the range proof rp = {n, tao_x, A, S, T1, T2, miu, l, r, g, h}; verifying the range proof comprises the following steps:
(1) Taking the public key field P of the receiver, and calculating P − 1 as P_1;
(2) Taking the public key field P of the receiver, and calculating P − 2 as P_2;
(3) Declaring l, r, g and h as arrays of length n;
(4) Letting the new variable V equal C2;
(5) Letting the new variable tv equal 0;
(6) Looping n times; in the ith loop, executing the following step:
calculating (tv + l[i] × r[i]) modulo P_1 as tv;
(7) Declaring an array AS of length 2 and filling it with the elements {A, S};
(8) Taking the hash of the array AS as y_bytes;
(9) Declaring an array ASy of length 2 and filling it with the elements {AS, y_bytes};
(10) Taking the hash of the array ASy as z_bytes;
(11) Declaring an array ASyz of length 2 and filling it with the elements {ASy, z_bytes};
(12) Taking the hash of the array ASyz as x_bytes;
(13) Calculating x_bytes modulo P_1 as x;
(14) Calculating y_bytes modulo P_1 as y;
(15) Calculating z_bytes modulo P_1 as z;
(16) Declaring h_ as an empty array of length n;
(17) Calculating y ^ P_2 modulo P_1 as y_inv;
(18) Calculating y ^ P_1 modulo P as y_2P;
(19) Calculating y × y_inv modulo P_1 as vf;
(20) Letting the new variable y_1 equal 1;
(21) Looping n times; in the ith loop, executing the following steps:
calculating h[i] ^ y_1 modulo P as h_[i];
calculating y_1 × y_inv modulo P_1 as y_1;
(22) Calculating H ^ tao_x modulo P as htaox;
(23) Calculating (G1 ^ tv mod P) × htaox modulo P as left;
(24) Calculating z ^ 2 modulo P_1 as z2;
(25) Calculating z ^ 3 modulo P_1 as z3;
(26) Calculating (y ^ rp.n modulo P_1) − 1 as ny_1;
(27) Calculating y − 1 as y_x1;
(28) Calculating the inverse of y_x1 modulo P_1 as y_x1;
(29) Calculating ny_1 ^ y_x1 modulo P_1 as ny_1;
(30) Calculating z − z2 modulo P_1 as z_z2;
(31) Calculating z_z2 × ny_1 as ibx;
(32) Calculating 2 ^ rp.n modulo P_1 as n_1_2;
(33) Calculating z3 × n_1_2 as z3n12;
(34) Calculating ibx − z3n12 as ibx;
(35) Calculating pub.G1 ^ ibx modulo P as gibx;
(36) Calculating (V ^ z2 mod P) × gibx modulo P as right;
(37) Calculating x ^ 2 as x2;
(38) Calculating T1 ^ x modulo P as T1x;
(39) Calculating T2 ^ x2 modulo P as T2x2;
(40) Calculating (right × T1x mod P) × T2x2 modulo P as right;
(41) Judging whether left is equal to right; if so, continuing with the following steps, otherwise the verification fails and the flow terminates;
(42) Calculating S ^ x modulo P as P;
(43) Calculating P × A modulo P as P;
(44) Declaring the variables gz equal to 1, h_mix equal to 1, n2 equal to 1 and ny equal to 1;
(45) Looping n times; in the ith loop, executing the following steps:
calculating g[i] ^ z modulo P as gz_inv;
calculating the inverse of gz_inv modulo P multiplied by gz as gz;
calculating z × ny + z2 × n2 as mix;
calculating h_[i] ^ mix modulo P as mix;
calculating h_mix × mix modulo P as h_mix;
calculating n2 × 2 modulo P_1 as n2;
calculating ny × y modulo P_1 as ny;
(46) Calculating P × gz modulo P as P;
(47) Calculating P × h_mix modulo P as P;
(48) Calculating H ^ miu modulo P as P_check;
(49) Looping rp.n times; in the ith loop, executing the following steps:
calculating g[i] ^ l[i] modulo P as gl;
calculating h[i] ^ r[i] modulo P as hr;
calculating P_check × gl modulo P as P_check;
calculating P_check × hr modulo P as P_check;
(50) Judging whether P is equal to P_check; if so, the range proof passes verification, otherwise it fails verification;
the supervisor verifies the ciphertext e; if the verification passes, the transaction is legal and effective, otherwise the transaction is considered invalid and is discarded.
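The range proof generation steps (1)-(35) and verification steps (1)-(50) above follow the Bulletproofs construction with the vectors l and r sent in the clear, i.e. without the inner-product argument: A and S commit to the bit vectors and their blinding vectors, T1 and T2 commit to the coefficients of t(X) = ⟨l(X), r(X)⟩, and the verifier checks the t-equation (steps (22)-(41)) and the recombined commitment P against g^l · h'^r · H^miu (steps (42)-(50)). The Python below is an added prover and verifier for that construction, example code rather than the patent's. It works in a toy safe-prime subgroup of prime order Q so that y and y − 1 are always invertible, uses ⟨1^n, 2^n⟩ = 2^n − 1 in δ(y, z), raises the rescaled generators h' rather than h to r in the final check, and derives x only after T1 and T2 have been committed (the steps above derive x at generation step (17), before T1 and T2 exist; binding them is the standard Fiat-Shamir ordering). Those choices, the generators and the hash functions are the example's assumptions.

```python
"""Added example: Bulletproofs-style range proof with l and r sent in full (no inner-product
compression), matching the generation and verification steps. Not the patent's own code."""
import hashlib
import random

P = 10007            # toy safe prime P = 2Q + 1 (assumption: a real system uses a large group)
Q = (P - 1) // 2     # prime subgroup order: every exponent, l[i], r[i], tau_x and mu live mod Q


def hash_to_group(label: bytes) -> int:
    """Square of a hash: an element of the order-Q subgroup (retry if trivial)."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return x * x % P if x * x % P not in (0, 1) else hash_to_group(label + b"'")


def challenge(*parts) -> int:
    """Fiat-Shamir challenge in [1, Q-1]; never zero, so y always has an inverse mod Q."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


G1, H = hash_to_group(b"G1"), hash_to_group(b"H")


def commit(value: int, blind: int) -> int:
    """Pedersen commitment G1^value * H^blind mod P (V for the verifier, T1/T2 for the prover)."""
    return pow(G1, value % Q, P) * pow(H, blind % Q, P) % P


def range_prove(v, gamma, n, rng):
    """Prove 0 <= v < 2^n for V = commit(v, gamma); gamma is the commitment randomness C.r."""
    g = [hash_to_group(b"g%d" % i) for i in range(n)]
    h = [hash_to_group(b"h%d" % i) for i in range(n)]
    aL = [(v >> i) & 1 for i in range(n)]              # bits of v, low bit at index 0
    aR = [(bit - 1) % Q for bit in aL]                 # aR = aL - 1, hence aL o aR = 0
    alpha, rho = rng.randrange(1, Q), rng.randrange(1, Q)
    sL = [rng.randrange(1, Q) for _ in range(n)]
    sR = [rng.randrange(1, Q) for _ in range(n)]
    tau1, tau2 = rng.randrange(1, Q), rng.randrange(1, Q)
    A, S = pow(H, alpha, P), pow(H, rho, P)
    for i in range(n):
        A = A * pow(g[i], aL[i], P) * pow(h[i], aR[i], P) % P
        S = S * pow(g[i], sL[i], P) * pow(h[i], sR[i], P) % P
    y = challenge(A, S)
    z = challenge(A, S, y)
    # l(X) = (aL - z) + sL*X,  r(X) = y^n o (aR + z + sR*X) + z^2 * 2^n,  t(X) = <l(X), r(X)>
    l0, l1, r0, r1 = [], [], [], []
    t1 = t2 = 0
    for i in range(n):
        yi, two_i = pow(y, i, Q), pow(2, i, Q)
        l0.append((aL[i] - z) % Q)
        l1.append(sL[i])
        r0.append((yi * (aR[i] + z) + z * z * two_i) % Q)
        r1.append(yi * sR[i] % Q)
        t1 = (t1 + l0[i] * r1[i] + l1[i] * r0[i]) % Q
        t2 = (t2 + l1[i] * r1[i]) % Q
    T1, T2 = commit(t1, tau1), commit(t2, tau2)
    x = challenge(A, S, y, z, T1, T2)                  # x binds T1 and T2 (assumption, see lead-in)
    l = [(l0[i] + l1[i] * x) % Q for i in range(n)]
    r = [(r0[i] + r1[i] * x) % Q for i in range(n)]
    tau_x = (tau2 * x * x + tau1 * x + z * z * gamma) % Q
    mu = (alpha + rho * x) % Q
    return dict(n=n, tau_x=tau_x, A=A, S=S, T1=T1, T2=T2, mu=mu, l=l, r=r, g=g, h=h)


def range_verify(V, rp):
    n, g, h, l, r = rp["n"], rp["g"], rp["h"], rp["l"], rp["r"]
    A, S, T1, T2 = rp["A"], rp["S"], rp["T1"], rp["T2"]
    y = challenge(A, S)
    z = challenge(A, S, y)
    x = challenge(A, S, y, z, T1, T2)
    t_hat = sum(li * ri for li, ri in zip(l, r)) % Q   # tv = <l, r>
    # delta(y, z) = (z - z^2) * <1^n, y^n> - z^3 * <1^n, 2^n>, with <1^n, 2^n> = 2^n - 1
    sum_y = sum(pow(y, i, Q) for i in range(n)) % Q
    delta = ((z - z * z) * sum_y - pow(z, 3, Q) * (pow(2, n, Q) - 1)) % Q
    left = commit(t_hat, rp["tau_x"])                  # G1^tv * H^tau_x
    right = (pow(V, z * z % Q, P) * pow(G1, delta, P)
             * pow(T1, x, P) * pow(T2, x * x % Q, P)) % P
    if left != right:
        return False
    # P = A * S^x * g^(-z) * h'^(z*y^n + z^2*2^n) must equal g^l * h'^r * H^mu, h'_i = h_i^(y^-i)
    y_inv = pow(y, -1, Q)
    P_acc, P_check = A * pow(S, x, P) % P, pow(H, rp["mu"], P)
    for i in range(n):
        h_i = pow(h[i], pow(y_inv, i, Q), P)
        expo = (z * pow(y, i, Q) + z * z * pow(2, i, Q)) % Q
        P_acc = P_acc * pow(g[i], (-z) % Q, P) * pow(h_i, expo, P) % P
        P_check = P_check * pow(g[i], l[i], P) * pow(h_i, r[i], P) % P
    return P_acc == P_check


def demo():
    """Constructed sample: an 8-bit range with one in-range and one out-of-range amount."""
    rng = random.Random(2021)
    n, gamma = 8, rng.randrange(1, Q)
    in_range = range_verify(commit(200, gamma), range_prove(200, gamma, n, rng))
    # 300 does not fit in 8 bits: the bit decomposition only reaches 300 mod 256, so the
    # t-equation against V = commit(300, gamma) fails and the proof is rejected.
    out_of_range = range_verify(commit(300, gamma), range_prove(300, gamma, n, rng))
    return in_range, out_of_range


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Running the block prints `(True, False)`. The out-of-range case shows what the t-equation is for: the bit vector aL can only represent v mod 2^n, so a commitment to a larger v cannot satisfy V^{z²} · G1^{δ} · T1^x · T2^{x²} = G1^{t̂} · H^{tao_x}; the second check (P against P_check) is what ties l and r to the committed bits and their blinding so that t̂ = ⟨l, r⟩ cannot be chosen freely.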
2. A computer device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the zero-knowledge proof privacy protection method of claim 1, the four proof procedures being:
(1) Accounting balance proof: proving that the total consumption amount of the sender is equal to the sum of the sending amount and the change amount;
(2) Format correctness proof: proving that the commitment format is a standard commitment format;
(3) Range proof: proving that the total consumption amount, the sending amount and the change amount of the sender are all larger than zero;
(4) Equality proof: proving that the plaintext corresponding to the ciphertext is equal to the plaintext corresponding to the commitment.
3. A computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the zero-knowledge proof privacy protection method of claim 1,
the four proof procedures being:
(1) Accounting balance proof: proving that the total consumption amount of the sender is equal to the sum of the sending amount and the change amount;
(2) Format correctness proof: proving that the commitment format is a standard commitment format;
(3) Range proof: proving that the total consumption amount, the sending amount and the change amount of the sender are all larger than zero;
(4) Equality proof: proving that the plaintext corresponding to the ciphertext is equal to the plaintext corresponding to the commitment.
4. A zero-knowledge proof privacy protection system applying the zero-knowledge proof privacy protection method of claim 1, the zero-knowledge proof privacy protection system comprising:
an accounting balance proof module for proving that the total consumption amount of the sender is equal to the sum of the sending amount and the change amount;
a format correctness proof module for proving that the commitment format is a standard commitment format;
a range proof module for proving that the total consumption amount, the sending amount and the change amount of the sender are all larger than zero;
and an equality proof module for proving that the plaintext corresponding to the ciphertext is equal to the plaintext corresponding to the commitment.
CN202110132123.0A 2021-01-31 2021-01-31 Zero-knowledge proof privacy protection method, system, storage medium and equipment Active CN112765668B (en)

Publications (2)

Publication Number Publication Date
CN112765668A CN112765668A (en) 2021-05-07
CN112765668B true CN112765668B (en) 2023-01-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 710071 Xi'an Electronic and Science University, 2 Taibai South Road, Shaanxi, Xi'an
Applicant after: XIDIAN University
Applicant after: Xi'an Lianrong Technology Co.,Ltd.
Address before: 710071 Xi'an Electronic and Science University, 2 Taibai South Road, Shaanxi, Xi'an
Applicant before: XIDIAN University
Applicant before: XI'AN XIDIAN LIANRONG TECHNOLOGY Co.,Ltd.
GR01 Patent grant