CN112950367B - Method and device for generating and executing intelligent contract transaction - Google Patents

Method and device for generating and executing intelligent contract transaction Download PDF

Info

Publication number
CN112950367B
Authority
CN
China
Prior art keywords
contract
key
transaction
public key
participant
Prior art date
Legal status
Active
Application number
CN201911267595.6A
Other languages
Chinese (zh)
Other versions
CN112950367A (en)
Inventor
林立
马宝利
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN201911267595.6A
Priority to PCT/CN2020/118000 (published as WO2021114819A1)
Publication of CN112950367A
Application granted
Publication of CN112950367B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/10 Services
    • G06Q50/18 Legal services
    • G06Q50/188 Electronic negotiation
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption


Abstract

Embodiments of this specification provide a method and a device for protecting private data while initiating and executing smart contract transactions. With the method for initiating a smart contract transaction, the private data input into the smart contract is divided into private text and a private value. For the private text, a symmetric key is generated by aggregating the public keys of the designated participants, and the text is encrypted with a symmetric cipher to obtain text ciphertext. For the private value, a contract public/private key pair is derived from the symmetric key, and the contract public key is used to encrypt the value with a homomorphic encryption scheme to obtain value ciphertext. When the encrypted smart contract transaction is published to the blockchain, the blockchain nodes can perform homomorphic operations on the value ciphertext, so the contract can still be executed on chain. The design of the encryption scheme further ensures that only the designated participants can decrypt and recover the plaintext of the private text and the private value, thereby protecting privacy.

Description

Method and device for generating and executing intelligent contract transaction
Technical Field
One or more embodiments of this specification relate to the fields of blockchain technology and data security, and in particular to a method and an apparatus for executing smart contract transactions on a blockchain without leaking private data.
Background
Blockchain technology is an application mode that achieves distributed data storage using computer techniques such as peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. In a blockchain network, data is stored and recorded by means of transactions. The content of every transaction is maintained jointly by all nodes of the network, and no single party can tamper with the content of a block.
Currently, more and more blockchain platforms support smart contracts in order to carry out richer transactions. A smart contract is a self-executing transaction contract written to the blockchain in digital form; the properties of blockchain technology ensure that the whole process of storing, reading and executing it is transparent, traceable and tamper-resistant.
Because of this transparency and traceability, every transaction on the blockchain is publicly recorded in a block that any node can access. When a transaction involves personal privacy, how to avoid disclosing the private information while still allowing nodes to verify and execute the transaction normally becomes a problem to be solved.
It is therefore desirable to provide an effective solution for generating and executing smart contract transactions without compromising privacy.
Disclosure of Invention
One or more embodiments of the present specification describe a method for generating and executing intelligent contract transactions, which can generate and execute intelligent contract transactions without revealing data privacy.
According to a first aspect, there is provided a method of initiating a smart contract transaction that protects private data, performed by a first party, the method comprising:
determining a first contract identifier of a first smart contract to be invoked, m participants involved in the transaction, and private data to be filled into the first smart contract; wherein each of the m participants is pre-configured with a participant private key and a participant public key, the participant private key being generated in a first cyclic group, and the participant public key comprising a first public key part generated in a second cyclic group and a second public key part generated from a pairing between the first cyclic group and the second cyclic group; each participant also generates a key cross term for each other participant in the same manner as its own participant private key; the private data comprises a first private text;
generating first auxiliary information, wherein the first auxiliary information comprises a first aggregation result of performing first aggregation on first public key parts of the m participants;
performing a second aggregation corresponding to the first aggregation on second public key portions of the m participants; generating a first symmetric key according to a second aggregation result and the first contract identifier;
encrypting the first private text by using the first symmetric key to generate first encrypted data;
generating a first transaction for invoking the first intelligent contract, and filling first transaction content into the first intelligent contract, wherein the first transaction content comprises the information of the m participants, the first auxiliary information, and the first encrypted data.
In one embodiment, the privacy data further comprises a first privacy value; correspondingly, the method further comprises the following steps: generating a contract private key and a corresponding contract public key based on the first symmetric key and the first contract identifier; encrypting the first privacy value based on the contract public key by using a first homomorphic encryption algorithm to generate second encrypted data; including the second encrypted data in the first transaction content.
According to one embodiment, the first party performs its key configuration beforehand by:
choosing a first random number at random and a first element of the first cyclic group at random; mapping the identity of the first participant to a second element of the first cyclic group using a predetermined hash-to-group function; obtaining the participant private key of the first participant from group operations on the first random number, the first element and the second element in the first cyclic group;
performing a group operation on a second generator of the second cyclic group with the first random number to obtain the first public key part of the first participant; obtaining the second public key part of the first participant from the pairing of the first element of the first cyclic group with the second generator.
In one embodiment, the key configuration of the first participant further comprises: for any second participant among the m participants, mapping the identifier of the second participant to a third element of the first cyclic group using the hash-to-group function; obtaining, from group operations on the first random number, the first element and the third element in the first cyclic group, a key cross term of the first participant for the second participant; and issuing that key cross term at least to the second participant.
According to one embodiment, the first party generates the first assistance information by:
choosing a second random number at random and performing a group operation on the second generator of the second cyclic group with the second random number to generate an auxiliary field; performing the first aggregation on the m first public key parts of the m participants using the second random number to generate the first aggregation result; the auxiliary field and the first aggregation result together constitute the first auxiliary information;
correspondingly, the second aggregation result is the result of the second aggregation of the m second public key parts of the m participants using the second random number.
According to one embodiment, the step of generating the first symmetric key may include performing a hash operation on the second aggregation result and the first contract identifier to obtain the first symmetric key.
In one embodiment, the step of generating a contract private key and a corresponding contract public key may comprise: performing a predetermined hash operation on the first symmetric key and the first contract identifier to obtain the contract private key; and performing a group operation on a third generator of a third cyclic group with the contract private key to obtain the contract public key.
According to one embodiment, the second encrypted data is generated by performing group operations in the third cyclic group on a chosen third random number, the first private value and the contract public key.
In one embodiment, the method further comprises generating, based on a Sigma zero-knowledge proof protocol, a first proof that the first private value was validly encrypted with the contract public key; accordingly, the contract public key and the first proof may be included in the first transaction content.
In one embodiment, the method further comprises generating, based on the Bulletproofs range proof protocol, a second proof that the first private value lies within a legal range; accordingly, the second proof may be included in the first transaction content.
According to a second aspect, there is provided a method of performing a smart contract transaction that protects private data, performed by a second party, the method comprising:
acquiring the transaction content of a first transaction invoking a first smart contract, the transaction content comprising information on the m participants involved in the transaction, first auxiliary information and first encrypted data; wherein the m participants include the second participant; each of the m participants is pre-configured with a participant private key and a participant public key, the participant private key being generated in a first cyclic group, and the participant public key comprising a first public key part generated in a second cyclic group and a second public key part generated from a pairing between the first cyclic group and the second cyclic group; each participant also generates a key cross term for each other participant in the same manner as its own participant private key; the first auxiliary information comprises a first aggregation result of the first public key parts of the m participants, and the first encrypted data is the encryption of a first private text;
aggregating the key cross terms generated for the second participant by the other participants among the m participants with the participant private key of the second participant to obtain a third aggregation result;
recovering the second aggregation result, which aggregates the second public key parts of the m participants, from the third aggregation result, the first auxiliary information and the pairing between the first cyclic group and the second cyclic group;
determining a first symmetric key according to the second aggregation result and a first contract identifier of the first intelligent contract;
decrypting the first encrypted data by using the first symmetric secret key to obtain the first privacy text;
and recording the local transaction state at least according to the first privacy text.
According to one embodiment, the transaction content of the first transaction further comprises second encryption data obtained by encrypting the first privacy value; in such a case, the method further comprises determining a contract private key based on the first symmetric key and the first contract identification; decrypting the second encrypted data by using the contract private key by using a first homomorphic decryption algorithm to obtain the first privacy value; correspondingly, the recording the local transaction state further includes recording the transaction state according to the first privacy value.
According to one embodiment, the transaction content is obtained by: in response to receiving a transaction notification from a first node of a blockchain network, transaction content for the first transaction is obtained from the blockchain.
According to one embodiment, the participant private key of the second participant is generated by: choosing a fourth random number at random and a fourth element of the first cyclic group at random; mapping the identity of the second participant to a fifth element of the first cyclic group using the predetermined hash-to-group function; obtaining the participant private key of the second participant from group operations on the fourth random number, the fourth element and the fifth element in the first cyclic group;
correspondingly, the key cross term generated for the second participant by any third participant among the m participants is generated by: performing group operations in the first cyclic group on a fifth random number chosen at random by the third participant, a sixth element chosen at random by the third participant, and the fifth element, to obtain the key cross term of the third participant for the second participant.
In a specific embodiment, the first auxiliary information comprises an auxiliary field and the first aggregation result, the auxiliary field being generated by a group operation on the second generator of the second cyclic group with a random number; in that case, the second aggregation result is recovered by computing a first pairing result of the third aggregation result with the auxiliary field and a second pairing result of the fifth element with the first aggregation result, and combining the first pairing result and the second pairing result to obtain the second aggregation result.
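The key agreement described in the first aspect (participant key setup, key cross terms, auxiliary information and the two aggregations) and its recovery by the second participant can be checked end to end with the following added example. It is not the patent's code and uses none of its parameters: the pairing is stood in for by a toy bilinear map in which G1, G2 and GT are all the additive group Z_p and e(a, b) = a·b mod p. That reproduces the algebra (bilinearity is the only property the recovery step uses) but has no security, since discrete logarithms in it are trivial; a real deployment would use a pairing-friendly curve such as BLS12-381 with distinct G1 and G2. The participant names, the SHA-256 hash-to-group function and the key-derivation hash are assumptions.

```python
import hashlib
import secrets

# Toy bilinear group (assumption, not the patent's parameters): G1 = G2 = GT = (Z_P, +).
# "Group operation on g with scalar x" is x*g mod P, and the pairing e(a, b) = a*b mod P
# is bilinear, e(x*a, y*b) = x*y*e(a, b), which is all the recovery step relies on.
# INSECURE: discrete logs here are trivial. Real deployments use a pairing-friendly curve.
P = (1 << 127) - 1   # Mersenne prime, so every non-zero element generates (Z_P, +)
G2 = 7               # generator of the (toy) second cyclic group


def scalar(x: int, g: int) -> int:
    """Group operation on g 'based on' the scalar x."""
    return (x * g) % P


def gadd(a: int, b: int) -> int:
    """Group law in G1/G2/GT (multiplication in a real pairing group)."""
    return (a + b) % P


def pairing(a: int, b: int) -> int:
    """e: G1 x G2 -> GT."""
    return (a * b) % P


def hash_to_g1(identity: str) -> int:
    """Predetermined hash-to-group function mapping an identity into G1 (assumed)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P


def derive_symmetric_key(agg2: int, contract_id: str) -> bytes:
    """First symmetric key = Hash(second aggregation result || contract identifier)."""
    return hashlib.sha256(agg2.to_bytes(16, "big") + contract_id.encode()).digest()


class Participant:
    def __init__(self, identity: str):
        self.id = identity
        self.r = secrets.randbelow(P - 1) + 1        # "first random number"
        self.q = secrets.randbelow(P - 1) + 1        # "first element" of G1
        h = hash_to_g1(identity)                      # "second element" of G1
        self.sk = gadd(self.q, scalar(self.r, h))    # participant private key
        self.pk1 = scalar(self.r, G2)                # first public key part (in G2)
        self.pk2 = pairing(self.q, G2)               # second public key part (in GT)

    def cross_term(self, other_id: str) -> int:
        """Key cross term for another participant: same form as sk, with their hash."""
        return gadd(self.q, scalar(self.r, hash_to_g1(other_id)))


def sender_derive(participants, contract_id: str):
    """First participant: auxiliary info to put in the transaction, plus the symmetric key."""
    t = secrets.randbelow(P - 1) + 1                  # "second random number"
    aux_field = scalar(t, G2)
    agg1 = 0                                          # identity element of the toy group
    agg2 = 0
    for p in participants:
        agg1 = gadd(agg1, scalar(t, p.pk1))           # first aggregation (G2)
        agg2 = gadd(agg2, scalar(t, p.pk2))           # second aggregation (GT)
    return (aux_field, agg1), derive_symmetric_key(agg2, contract_id)


def recipient_derive(me: Participant, cross_terms, aux_info, contract_id: str) -> bytes:
    """Second participant: recover agg2 from its own sk, the cross terms and the aux info."""
    aux_field, agg1 = aux_info
    agg3 = me.sk
    for c in cross_terms:                             # third aggregation
        agg3 = gadd(agg3, c)
    # e(agg3, aux) = e(sum q_i, g2)^t * e(h_me, g2)^(t * sum r_i); the second factor equals
    # e(h_me, agg1), so dividing it out (subtracting, in the toy group) leaves agg2.
    agg2 = (pairing(agg3, aux_field) - pairing(hash_to_g1(me.id), agg1)) % P
    return derive_symmetric_key(agg2, contract_id)


def run_demo() -> bool:
    """Every designated participant recovers the key; an outsider holding cross terms does not."""
    parties = [Participant(n) for n in ("bank-C", "bank-D", "auditor")]   # constructed names
    aux_info, key = sender_derive(parties, "credit-contract-0001")
    for me in parties:
        terms = [o.cross_term(me.id) for o in parties if o is not me]
        if recipient_derive(me, terms, aux_info, "credit-contract-0001") != key:
            return False
    outsider = Participant("eve")
    leaked = [o.cross_term(outsider.id) for o in parties]
    return recipient_derive(outsider, leaked, aux_info, "credit-contract-0001") != key
```

Two points worth noting from the example: the auxiliary field carries the sender's fresh random number t, so the symmetric key changes per transaction even for the same participant set and contract, and the outsider fails not because it lacks cross terms but because the first aggregation result only covers the designated m participants, so the pairing with its own hashed identity does not cancel.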
According to one embodiment, the step of determining the first symmetric key specifically comprises: and carrying out Hash operation on the second aggregation result and the first contract identifier to obtain the first symmetric key.
In one embodiment, the step of determining the contract private key specifically includes: and carrying out predetermined hash operation on the first symmetric secret key and the first contract identifier to obtain the contract private key.
In one embodiment, the second encrypted data is generated by group operations in a third cyclic group on the first private value and the contract public key corresponding to the contract private key; in that case, the first private value is decrypted by: using the contract private key to obtain the result of the group operation on a fourth generator of the third cyclic group with the first private value; and then traversing the possible results of that group operation on the fourth generator (that is, exhaustively searching the small exponent) to recover the first private value.
According to one embodiment, the second party further performs the following steps:
acquiring a second privacy text and a second privacy value for updating the transaction state, wherein the second privacy value and the first privacy value conform to a preset relationship;
encrypting the second private text by using the first symmetric key to generate third encrypted data;
generating a corresponding contract public key based on the contract private key;
encrypting the second privacy value based on the contract public key by using a first homomorphic encryption algorithm to generate fourth encrypted data;
generating a second transaction for invoking the first intelligent contract, and filling second transaction content into the first intelligent contract, wherein the second transaction content comprises the information of the m participants, the third encrypted data, and the fourth encrypted data.
Specifically, in one embodiment, the step of generating the corresponding contract public key may comprise performing a group operation on a third generator of the agreed third cyclic group with the contract private key to obtain the contract public key.
In one embodiment, the method further comprises generating, based on a Sigma zero-knowledge proof protocol, a third proof that the second private value was validly encrypted with the contract public key; accordingly, the contract public key and the third proof may be included in the second transaction content.
In one embodiment, the method further comprises generating, based on the Bulletproofs range proof protocol, a fourth proof that the second private value lies within a legal range and that the relative magnitude of the second private value with respect to the first private value lies within a predetermined range; accordingly, the fourth proof may be included in the second transaction content.
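The value path (contract key pair derived from the symmetric key and contract identifier, additively homomorphic encryption of the value, the node-side operation on ciphertexts, and decryption by traversing the small exponent) can be exercised with the following added example, which is not the patent's code. It assumes exponential ElGamal over the multiplicative group of Z_p with p = 2^127 - 1 as the "third cyclic group", a fixed generator, and SHA-256 as the predetermined hash; the symmetric key, contract identifier and amounts are constructed. The Sigma and Bulletproofs proofs are not implemented; the example instead shows what goes wrong without the range proof: an over-drawn balance produces a ciphertext the decoder cannot decode.

```python
import hashlib
import secrets

# Assumptions (not the patent's parameters): the third cyclic group is the multiplicative
# group of Z_P with P = 2^127 - 1 (a Mersenne prime) and generator G3; the scheme is
# exponential ElGamal, which is additively homomorphic. A production system would use a
# prime-order group (e.g. ristretto255 or secp256k1); Z_P^* has composite order P - 1.
P = (1 << 127) - 1
G3 = 5
MAX_VALUE = 1 << 16   # plaintexts are recovered by exhaustive search, so they must be small


def contract_keypair(symmetric_key: bytes, contract_id: str):
    """Contract private key = Hash(symmetric key || contract id); public key = G3^sk."""
    sk = int.from_bytes(hashlib.sha256(symmetric_key + contract_id.encode()).digest(), "big")
    sk = sk % (P - 2) + 1                      # keep sk in [1, P-2]
    return sk, pow(G3, sk, P)


def encrypt(value: int, pk: int):
    """Second encrypted data: (G3^s, G3^value * pk^s) with a fresh random s."""
    if not 0 <= value < MAX_VALUE:
        raise ValueError("value outside the agreed range")
    s = secrets.randbelow(P - 2) + 1           # "third random number"
    return pow(G3, s, P), pow(G3, value, P) * pow(pk, s, P) % P


def add_ciphertexts(c_a, c_b):
    """Node-side homomorphic operation: Enc(a) * Enc(b) = Enc(a + b), no key needed."""
    return c_a[0] * c_b[0] % P, c_a[1] * c_b[1] % P


def negate_ciphertext(c):
    """Enc(-v), so that add_ciphertexts(Enc(a), negate_ciphertext(Enc(b))) = Enc(a - b)."""
    return pow(c[0], P - 2, P), pow(c[1], P - 2, P)


def decrypt(c, sk: int) -> int:
    """Recover G3^value = C2 / C1^sk, then traverse G3^0, G3^1, ... to find value."""
    c1, c2 = c
    g_v = c2 * pow(c1, P - 1 - sk, P) % P      # c1^(P-1) = 1, so this is c1^(-sk)
    acc = 1
    for v in range(MAX_VALUE):
        if acc == g_v:
            return v
        acc = acc * G3 % P
    # Reached for values outside [0, MAX_VALUE), including "negative" results of a
    # subtraction: exactly the case the range proofs in the transaction are meant to exclude.
    raise ValueError("ciphertext does not decode to a value in range")


def run_demo():
    """Credit line granted encrypted in Tx1; a node applies the Tx2 draw-down homomorphically."""
    sym_key = bytes(32)                          # constructed stand-in for the first symmetric key
    sk, pk = contract_keypair(sym_key, "credit-contract-0001")
    granted = encrypt(1000, pk)                  # Tx1: credit limit v, encrypted by C
    drawn = encrypt(250, pk)                     # Tx2: amount borrowed, encrypted by D
    remaining = add_ciphertexts(granted, negate_ciphertext(drawn))   # computed on chain
    # The other party derives the same contract key pair from the shared symmetric key.
    sk_again, _ = contract_keypair(sym_key, "credit-contract-0001")
    overdraw = add_ciphertexts(granted, negate_ciphertext(encrypt(2000, pk)))
    try:
        decrypt(overdraw, sk_again)
        overdraw_detected = False
    except ValueError:
        overdraw_detected = True
    return decrypt(remaining, sk_again), overdraw_detected
```

The node never holds the contract private key and only multiplies group elements, which is the whole point of choosing an additively homomorphic scheme for the value. Decryption is an exhaustive search over the exponent, so the legal range enforced by the Bulletproofs proof is not only a business rule but also what keeps decryption feasible: a wrapped-around negative exponent is indistinguishable from a random group element.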
According to a third aspect, there is provided an apparatus for initiating a smart contract transaction for protecting private data, the apparatus being deployed in a terminal corresponding to a first party, the apparatus comprising:
a determining unit configured to determine a first contract identifier of a first smart contract to be invoked, m participants involved in the transaction, and private data to be filled into the first smart contract; wherein each of the m participants is pre-configured with a participant private key and a participant public key, the participant private key being generated in a first cyclic group, and the participant public key comprising a first public key part generated in a second cyclic group and a second public key part generated from a pairing between the first cyclic group and the second cyclic group; each participant also generates a key cross term for each other participant in the same manner as its own participant private key; the private data comprises a first private text;
a side information generating unit configured to generate first side information including a first aggregation result of first aggregating the first public key parts of the m participants;
a symmetric key generation unit configured to perform a second aggregation corresponding to the first aggregation on second public key portions of the m participants; generating a first symmetric key according to a second aggregation result and the first contract identifier;
a first encryption unit configured to encrypt the first private text with the first symmetric key, generating first encrypted data;
a first transaction generating unit configured to generate a first transaction invoking the first intelligent contract, and fill first transaction content into the first intelligent contract, the first transaction content including information of the m participants, the first auxiliary information, and the first encryption data.
According to a fourth aspect, there is provided an apparatus for performing intelligent contract transactions that protects private data, the apparatus being deployed in a terminal corresponding to a second party, the apparatus comprising:
an acquisition unit configured to acquire the transaction content of a first transaction invoking a first smart contract, the transaction content comprising information on the m participants involved in the transaction, first auxiliary information and first encrypted data; wherein the m participants include the second participant; each of the m participants is pre-configured with a participant private key and a participant public key, the participant private key being generated in a first cyclic group, and the participant public key comprising a first public key part generated in a second cyclic group and a second public key part generated from a pairing between the first cyclic group and the second cyclic group; each participant also generates a key cross term for each other participant in the same manner as its own participant private key; the first auxiliary information comprises a first aggregation result of the first public key parts of the m participants, and the first encrypted data is the encryption of a first private text;
an aggregation unit configured to aggregate the key cross terms generated for the second participant by the other participants among the m participants with the participant private key of the second participant to obtain a third aggregation result;
a recovery unit configured to recover the second aggregation result, which aggregates the second public key parts of the m participants, from the third aggregation result, the first auxiliary information and the pairing between the first cyclic group and the second cyclic group;
a symmetric key determining unit, configured to determine a first symmetric key according to the second aggregation result and the first contract identifier of the first smart contract;
a first decryption unit configured to decrypt the first encrypted data with the first symmetric key to obtain the first private text;
a recording unit configured to record a local transaction status at least according to the first privacy text.
According to a fifth aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first and second aspects.
According to a sixth aspect, there is provided a computing device comprising a memory and a processor, wherein the memory has stored therein executable code, and wherein the processor, when executing the executable code, implements the methods of the first and second aspects.
According to the method and device provided by one embodiment of this specification, the private data input to the smart contract is encrypted under a dedicated key design so that only the designated participants can decrypt it. More specifically, the private data input to the smart contract is divided into two parts: private text and private values. For the private text, a symmetric key is generated by aggregating the public keys of the designated participants, and the text is encrypted with a symmetric cipher to obtain text ciphertext. For the private value, a contract public/private key pair is derived from the symmetric key, and the contract public key is used to encrypt the value with a homomorphic encryption scheme to obtain value ciphertext. When the ciphertexts are filled into the smart contract and published to the blockchain, the nodes of the blockchain can perform homomorphic operations on the value ciphertext. The encryption therefore does not prevent on-chain execution of the contract logic: nodes can still execute the smart contract and update its variables. At the same time, only the designated participants can decrypt and recover the plaintext of the private text and private values, so privacy is protected.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 illustrates a schematic diagram of an execution process of a smart contract transaction, according to one embodiment;
FIG. 2 illustrates a schematic diagram of a privacy protection scheme, according to one embodiment;
FIG. 3 illustrates a flow diagram of a method of initiating a smart contract transaction, according to one embodiment;
FIG. 4 shows a process diagram for a node in a blockchain performing a first transaction;
FIG. 5 illustrates a flow diagram of a method of performing intelligent contract transactions, according to one embodiment;
FIG. 6 illustrates a flow diagram in one embodiment in which a second party initiates a second transaction;
FIG. 7 illustrates a schematic block diagram of an apparatus for initiating a smart contract transaction, according to one embodiment;
FIG. 8 illustrates a schematic block diagram of an apparatus to perform intelligent contract transactions, according to one embodiment.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
FIG. 1 illustrates a schematic diagram of an execution process of a smart contract transaction, according to one embodiment. In the example of fig. 1, multiple entities a, B, C, D are involved, collectively completing a service. For example, organization a is an overseas enterprise and organization B is a branch within it; institution C is an overseas bank and institution D is an domestic branch of the bank. And, agency C and agency D have on-chain identities of blockchains, and can connect to blockchain networks. Assume that the overseas agency a mortises certain assets to the overseas bank C in order to authorize its corresponding domestic branch B to obtain a loan amount of equal amount from the domestic bank D. Then, the institution C and the institution D can realize the recording and tracking of the whole processes of credit granting, borrowing and repayment by means of the block chain in an intelligent contract mode without performing down-chain interaction.
Specifically, upon receiving a credit request from institution A, institution C may initiate a transaction Tx1 to the blockchain network that invokes a smart contract. The smart contract may be a contract previously developed and deployed to the blockchain, in which the necessary contract execution logic is defined and which exposes interface functions through which a caller passes in parameters. Institution C may fill the necessary information into the transaction Tx1 that invokes the contract via such an interface, including, for example, the authorized executor D, the beneficiary B, the credit limit v, and other conventions and agreements. More specifically, in the transaction format supported by a typical blockchain platform (e.g., Ethereum), institution C may initiate such a transaction in which the initiator field (from field) is its own on-chain identity (e.g., an account address), the target field (to field) is the contract address of the smart contract, and the data field contains the interface function invoked and the parameters passed in.
After institution C initiates the smart contract transaction Tx1, the transaction propagates to each node in the blockchain network and is finally recorded in a block that is appended to the blockchain. Each node in the blockchain network then executes the transaction. More specifically, on a blockchain platform supporting smart contracts, a virtual machine such as the Ethereum Virtual Machine (EVM) is deployed in each node to execute the contract logic of the smart contract, and the consensus mechanism ensures that the resulting changes of contract state are agreed across the network.
For the smart contract transaction Tx1 initiated by institution C, each node in the blockchain network executes the smart contract invoked in that transaction. More specifically, each node executes the contract logic according to the deployed contract code and modifies the state of variables in the smart contract using the parameters passed in transaction Tx1, e.g., updating the value of the variable representing the credit line to v.
Through transaction Tx1, institution D is authorized to issue loan payments to institution B. Subsequently, institution D may continue to record its dealings with institution B by initiating transactions that invoke the smart contract. Specifically, when institution D issues a payment v1 to institution B or receives a repayment v2, it may initiate a transaction Tx2 invoking the smart contract and fill in the updated information, including, for example, the counterparty B, the payment issued v1 or the payment received v2, and other supplementary information.
Through the above process, institutions C and D record the whole multi-party interaction on the blockchain by means of a smart contract, so that the record is authentic, valid and cannot be tampered with.
The foregoing describes a smart contract involving multiple participants, using a credit and loan scenario as an example. It is understood that smart contracts can be applied to various scenarios to realize various functions and are not limited to the application scenario described above. For example, in one scenario, multiple participants may maintain a common database using a smart contract; when a data update occurs at any participant, it is applied by invoking the smart contract to update the variables therein.
As can be seen from the above exemplary description, transactions involving smart contracts in a blockchain (or simply smart contract transactions) are more complex than ordinary transfer transactions. On the one hand, a smart contract transaction may involve multiple participants; on the other hand, a smart contract transaction may involve more complex input data, which includes not only numerical values such as monetary amounts but also other content such as text. For example, in the transaction Tx1 described above, the input data includes not only the credit line v but also supplementary content such as other conventions and agreements. Both aspects make protecting private data in smart contract transactions more difficult.
To this end, in one or more embodiments of the present description, a privacy protection scheme is presented for smart contract transactions involving multiple parties. FIG. 2 shows a schematic diagram of a privacy protection scheme according to one embodiment. The scheme uses a special key design to encrypt the private data input to the smart contract, so that only the designated parties can decrypt it. More specifically, the private data input to the smart contract is divided into two parts, a privacy text and a privacy value, which are processed differently. For the privacy text, a symmetric key is generated by aggregating the public keys of the designated participants, and the privacy text is encrypted with that symmetric key to obtain text encryption data. For the privacy value, a contract public/private key pair is generated on the basis of the symmetric key, and the contract public key is used to encrypt the privacy value with a homomorphic encryption scheme to obtain numerical encryption data. Optionally, a proof of validity of the privacy value may be generated based on a zero-knowledge proof protocol.
When the encrypted data is filled into the smart contract and published to the blockchain, the nodes in the blockchain can verify the validity of the privacy value based on the zero-knowledge proof protocol and, after the verification passes, perform homomorphic operations on the numerical encryption data. The encryption therefore does not affect on-chain execution of the contract logic: the nodes can still execute the smart contract and modify the variables in it. Meanwhile, only the designated parties can decrypt and recover the plaintext of the privacy text and the privacy value, so privacy is protected.
Specific implementations of the above concepts are described below.
First, an initialization configuration process of the key is described.
Suppose that the n participants in the whole transaction system form a total set U = {u_1, ..., u_n}: the set of all possible users that hold blockchain accounts and may subsequently initiate a smart contract transaction of the predefined type. In the initial configuration stage, each participant configures its own participant private key and participant public key, where the configuration depends on two cyclic groups G_1 and G_2 agreed by the whole system. Specifically, the participant private key is generated based on the first cyclic group G_1, and the participant public key consists of two parts, a first public key part R and a second public key part A, where R is generated based on the second cyclic group G_2 and A is generated based on the first cyclic group G_1, the second cyclic group G_2 and the pairing between them.
The characteristics of cyclic groups are briefly described below. A cyclic group may typically consist of a set of points on an elliptic curve over a finite field. An elliptic curve is a mathematical curve that can generally be expressed by the following cubic equation in two variables:
$y^2 = x^3 + ax + b$ (1)
where a and b are coefficients.
An operation between points can be defined on the elliptic curve. Take two points P and Q on the curve; the straight line L through P and Q intersects the curve at a third point S; the line through S perpendicular to the x-axis meets the curve at another point R (the reflection of S across the x-axis), and R is defined as the result of the operation on P and Q. In one notation, this operation is written as "addition" of points, i.e., P + Q = R. In another notation, it is written as "multiplication" of points, i.e., P * Q = R. The latter (multiplicative) notation is used hereinafter.
When P and Q are the same point, the line L is the tangent to the elliptic curve at P, and the resulting point can be written as R = P^2. Repeating the operation m times gives the exponentiation P^m = P * P * ... * P.
To use elliptic curves for encryption and decryption more conveniently, the curve is defined over a finite field F_p. The finite field F_p contains a finite number of elements, namely a prime number p of them; the prime p is also called the order of the finite field. Operations within the finite field are defined modulo p.
The elliptic curve of equation (1) over the finite field F_p is often denoted E_p(a, b). Choosing the coefficients a, b and the field prime p uniquely defines an elliptic curve, and different elliptic curves have different security properties. Common elliptic curves include P-256, secp256k1, and the like.
Once the elliptic curve is restricted to a finite field, its points change from infinitely many points on a continuous curve to a set T of finitely many discrete points. Under the point operation above, the point set T forms an abelian group, which for the prime-order curves used in practice is cyclic. The number of points in the set is the order of the group.
Specifically, the cyclic group formed by an elliptic curve over a finite field has the following characteristics:
1. the group operation on any two elements P and Q of the cyclic group, P * Q, yields a result that is still in the cyclic group;
2. applying the group operation m times to any single element P of the cyclic group yields P^m = P * P * ... * P, which is still in the cyclic group; this forward operation is very easy, but the reverse operation (recovering m from P and P^m) is computationally infeasible;
3. the cyclic group has a generator g, also called the base point of the elliptic curve, and contains the point at infinity O of the elliptic curve, which satisfies g^n = O, where n is the order of the group.
Based on the above characteristics of cyclic groups, the system can agree in advance on two cyclic groups G_1 and G_2, with generators g_1 and g_2 respectively, for each participant to generate keys. In addition, the system may agree on the pairing algorithm e between the two cyclic groups G_1 and G_2. The agreed information can be written into the SDK used by the participants as configuration parameters. Accordingly, each participant can perform the initial configuration of its own key based on the agreed parameters.
For example, any participant u_i may generate its participant private key based on the first cyclic group G_1.
Specifically, participant u_i may arbitrarily choose a random number r_i ∈ Z_p, called the first random number for simplicity, where p is the common order of the two cyclic groups. In addition, it arbitrarily selects an element X_i ∈ G_1 of the first cyclic group, called the first element.
Then, using a predetermined hash mapping function H: S → G_1, it maps its own identity u_i into the first cyclic group G_1 to obtain a second element H(u_i) of the first cyclic group. Then, based on group operations in the first cyclic group on the first random number r_i, the first element X_i and the second element H(u_i), it obtains σ_ii as its participant private key. Specifically, in one example, the second element H(u_i) is raised to the first random number, and the result is combined with the first element by the group operation, giving the participant private key:
$\sigma_{ii} = H(u_i)^{r_i} \cdot X_i$ (2)
In addition to generating the private key, participant u_i also generates a participant public key pk_i = (R_i, A_i), comprising a first public key part R_i generated based on the second cyclic group G_2 and a second public key part A_i generated based on the pairing between the first cyclic group G_1 and the second cyclic group G_2.
Specifically, participant u_i may raise the second generator g_2 of the second cyclic group G_2 to the selected first random number r_i to obtain the first public key part R_i. In one example, the first public key part is obtained by:
$R_i = g_2^{r_i}$ (3)
Furthermore, the pairing function e between the two cyclic groups is applied to the first element X_i of the first cyclic group G_1 and the generator g_2 of the second cyclic group, and the pairing result is taken as the second public key part A_i, namely:
$A_i = e(X_i, g_2)$ (4)
Thus, each participant u_i generates its own participant private key σ_ii and participant public key pk_i = (R_i, A_i).
In addition, each participant also generates key cross terms for the other participants, using the same method as for its own private key. For example, participant u_i may generate a key cross term σ_ij for another participant u_j (where i ≠ j). The key cross term σ_ij is generated in the same way as its own private key σ_ii, except that its own identity u_i is replaced by the identity u_j of the participant it is generated for.
That is, for another participant u_j, participant u_i still uses the hash mapping function H: S → G_1 to map the identity of participant u_j into the first cyclic group G_1, obtaining a third element H(u_j) of the first cyclic group. Then, based on group operations in the first cyclic group on the first random number r_i, the first element X_i and the third element H(u_j), it obtains the key cross term σ_ij of participant u_i for participant u_j. Specifically, the key cross term σ_ij can be determined by:
$\sigma_{ij} = H(u_j)^{r_i} \cdot X_i$ (5)
Participant u_i may send the key cross term σ_ij generated for participant u_j to participant u_j. Alternatively, participant u_i may publish in the whole blockchain network the key cross terms it generates for every other participant.
When each participant has generated key cross terms for the other participants, the following cross-term matrix is formed:
$\begin{pmatrix} \sigma_{11} & \sigma_{12} & \cdots & \sigma_{1n} \\ \sigma_{21} & \sigma_{22} & \cdots & \sigma_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ \sigma_{n1} & \sigma_{n2} & \cdots & \sigma_{nn} \end{pmatrix}$ (6)
In the matrix, the k-th row contains the key cross terms generated by the k-th participant for the other participants, and the k-th column contains the key cross terms generated by each other participant for the k-th participant. The elements on the diagonal are the private keys each participant generated for itself; these are held by the participants themselves and are not disclosed.
In the above manner, each participant in the total set U of possible participants is configured with a participant private key and a participant public key, and generates key cross terms. Based on this key configuration, the private data in a smart contract transaction can be encrypted and decrypted.
Embodiments of a method of initiating a smart contract transaction that protects private data are described next.
FIG. 3 illustrates a flow diagram of a method of initiating a smart contract transaction, according to one embodiment. The method flow may be performed by any participant, referred to as the first participant for simplicity. It is to be understood that the steps performed by the parties referred to herein are more specifically performed by the terminal devices to which the party accounts correspond.
As shown in fig. 3, first, in step 31, a first contract identification of a first intelligent contract to be invoked, m parties involved in the transaction, and privacy data to be filled in the first intelligent contract are determined.
The first smart contract is the contract that the first participant currently invokes in order to achieve the function it expects. In particular, the first smart contract may be of various functional types, such as a contract that implements data storage or exchange, a contract that makes payments or purchases, and so on. In one specific example, the first smart contract is the credit loan contract used by institution C in the scenario of FIG. 1. The first contract identifier T_id of the first smart contract may be the contract address of the first smart contract or another kind of id.
The first party also determines the m parties involved in the transaction, including the first party itself. It is to be understood that the m participants form a subset S of the total set U of all possible participants; thus each of the m participants has been pre-configured with a participant private key and a participant public key in the manner described above, and has generated key cross terms for the other participants using the method corresponding to its own private key.
In addition, the first participant acquires the privacy data which needs to be filled into the intelligent contract in the transaction, wherein the privacy data comprises the first privacy text. In a typical case, the privacy data further comprises a first privacy value. That is, the first party divides the private data into a text part and a numerical part for subsequent different processing thereof.
More specifically, in the case where the first intelligent contract is the aforementioned credit loan contract, the privacy value may include, for example, a credit line v; the privacy text may include, for example, currency type, supplemental agreement, other terms, and the like.
Next, in step 32, the first participant generates first auxiliary information, which includes a first aggregation result obtained by performing a first aggregation on the first public key parts of the m participants; then, in step 33, a second aggregation corresponding to the first aggregation is performed on the second public key parts of the m participants, and the first symmetric key is determined from the second aggregation result and the first contract identifier.
It is to be understood that the first auxiliary information is used, in combination with the private key part and the cross-term part, in the subsequent decryption phase to help recover the first symmetric key. In accordance with the configuration of the respective key parts, in one embodiment the first auxiliary information is generated from an aggregation of the first public key parts. Specifically, the first auxiliary information may be generated as follows.
First, the first party takes a random number t, called the second random number, and raises the second generator g_2 of the second cyclic group G_2 to t to generate an auxiliary field c_1. Specifically, the auxiliary field may be determined by:
$c_1 = g_2^{t}$ (7)
In addition, the first participant performs the first aggregation on the m first public key parts of the m participants based on the second random number t to obtain a first aggregation result c_2. More specifically, the m first public key parts R_i are first aggregated to obtain a first aggregation value R_S = Π_{i∈S} R_i. Since each first public key part R_i is an element of the second cyclic group, the aggregation value R_S is still an element of the second cyclic group. Then the first aggregation value is raised to the second random number t to obtain the first aggregation result c_2, namely:
$c_2 = R_S^{\,t} = \Big(\prod_{i \in S} R_i\Big)^{t}$ (8)
The auxiliary field c_1 and the first aggregation result c_2 together constitute the first auxiliary information.
Then, in step 33, the m second public key parts A_i are subjected to the second aggregation corresponding to the first aggregation. That is, similarly, the m second public key parts A_i are first aggregated to obtain a second aggregation value A_S = Π_{i∈S} A_i, and the second aggregation value is then raised to the second random number t to obtain the second aggregation result A_S^t.
Then, the first symmetric key K is determined from the second aggregation result A_S^t and the first contract identifier T_id.
In one embodiment, the first symmetric key K is obtained by applying a predetermined function f_1 to the second aggregation result A_S^t and the first contract identifier T_id, namely:
$K = f_1(A_S^{\,t}, T_{id})$ (9)
Preferably, the function f_1 is a one-way function, i.e., one that cannot be inverted.
More specifically, in one embodiment the function f_1 is a hash function H, so equation (9) can be written as:
$K = H(A_S^{\,t}, T_{id})$ (10)
in the above manner, the first party obtains the first symmetric key K, which may be used to encrypt the privacy text.
Then, in step 34, the first party encrypts the first privacy text M using the first symmetric key K, generating first encrypted data E_1. Any symmetric encryption algorithm may be used in this step, such as AES-GCM; with an authenticated mode such as AES-GCM, the nonce must be unique for the key and carried together with E_1 so that the designated parties can decrypt.
To this end, the first party has implemented the encryption of the private text.
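The key configuration of formulas (2) to (6) and the sender-side derivation of K in steps 32 and 33, as an added example that is not part of the patent text: a Python model in which the pairing over elliptic-curve groups is replaced by an insecure stand-in (G_1 = G_2 = Z_q written additively, with e(a, b) = g^{ab} mod p), so only the algebra is exercised. The toy parameters p, q and g, the participant identities, the contract identifier and the recipient-side recovery of K are assumptions made here; the recovery step follows from bilinearity and is not quoted from the page.

```python
"""Toy model of the key configuration (formulas (2)-(6)) and of steps 32-33
(formulas (7)-(10)) above, with a recipient-side recovery of K.

Assumption: the page's pairing e: G_1 x G_2 -> G_T over elliptic-curve groups
is replaced by an INSECURE stand-in so the algebra runs with the standard
library only: G_1 = G_2 = (Z_q, +), written additively, and
e(a, b) = g^(a*b) mod p with g of prime order q in Z_p^*. Exponentiation in
the page's multiplicative notation becomes multiplication by a scalar here.
Discrete logs in (Z_q, +) are trivial, so this shows structure, not security.
"""
import hashlib
import secrets

P = 10007   # toy safe prime, p = 2q + 1
Q = 5003    # order of <g> in Z_p^*, and size of the stand-in groups G_1 = G_2 = Z_q
G = 4       # quadratic residue mod p, hence of order q
G2 = 1      # generator g_2 of the additive stand-in for G_2


def pairing(a: int, b: int) -> int:
    """Stand-in for e(a, b); bilinear because (a1 + a2) * b = a1*b + a2*b."""
    return pow(G, (a * b) % Q, P)


def hash_to_g1(identity: str) -> int:
    """H: S -> G_1, mapping an identity string into the stand-in G_1 = Z_q."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q


class Participant:
    """One u_i in U: private key sigma_ii, public key (R_i, A_i), cross terms."""

    def __init__(self, identity: str) -> None:
        self.identity = identity
        self.r = secrets.randbelow(Q - 1) + 1   # first random number r_i
        self.x = secrets.randbelow(Q)           # first element X_i in G_1
        # (2) sigma_ii = H(u_i)^{r_i} * X_i, i.e. r_i*H(u_i) + X_i additively
        self.sk = (self.r * hash_to_g1(identity) + self.x) % Q
        self.R = (self.r * G2) % Q              # (3) R_i = g_2^{r_i}
        self.A = pairing(self.x, G2)            # (4) A_i = e(X_i, g_2)
        self.received = {}                      # column of matrix (6) for this u_j

    def cross_term_for(self, other: "Participant") -> int:
        """(5) sigma_ij = H(u_j)^{r_i} * X_i, generated by u_i for u_j."""
        return (self.r * hash_to_g1(other.identity) + self.x) % Q


def derive_key(a_s_t: int, contract_id: str) -> bytes:
    """(10) K = H(A_S^t, T_id)."""
    return hashlib.sha256(a_s_t.to_bytes(4, "big") + contract_id.encode()).digest()


def sender_side(members, contract_id: str):
    """Steps 32-33 by the first participant: returns (c1, c2) and K."""
    t = secrets.randbelow(Q - 1) + 1                   # second random number
    c1 = (t * G2) % Q                                  # (7) c1 = g_2^t
    r_s = sum(m.R for m in members) % Q                # R_S = prod R_i
    c2 = (t * r_s) % Q                                 # (8) c2 = R_S^t
    a_s = 1
    for m in members:
        a_s = a_s * m.A % P                            # A_S = prod A_i
    return (c1, c2), derive_key(pow(a_s, t, P), contract_id)


def recipient_side(me, members, aux, contract_id: str) -> bytes:
    """Recovery of K by a designated u_j from (c1, c2), sigma_jj and the cross
    terms sigma_ij it holds. Derived here from bilinearity, not quoted from the
    page:  e(prod_{i in S} sigma_ij, c1) / e(H(u_j), c2) = e(prod X_i, g_2)^t = A_S^t
    """
    c1, c2 = aux
    column = sum(me.sk if m is me else me.received[m.identity] for m in members) % Q
    num = pairing(column, c1)
    den = pairing(hash_to_g1(me.identity), c2)
    return derive_key(num * pow(den, -1, P) % P, contract_id)


def demo() -> bool:
    """Four participants in U, a three-member subset S, and a check that every
    member of S recovers the sender's K. Identities and T_id are constructed."""
    universe = [Participant(name) for name in ("bank-C", "bank-D", "branch-B", "corp-A")]
    for u_i in universe:                               # fill matrix (6) off the diagonal
        for u_j in universe:
            if u_i is not u_j:
                u_j.received[u_i.identity] = u_i.cross_term_for(u_j)
    s = universe[:3]
    aux, k = sender_side(s, "T_id-0001")
    return all(recipient_side(u_j, s, aux, "T_id-0001") == k for u_j in s)


if __name__ == "__main__":
    print("every member of S recovers K:", demo())
```

Two things the run makes visible: the sender never touches any private material, only the public parts (R_i, A_i) and the fresh t, which is why K is different for every transaction even with the same S and T_id; and a recipient's own private key σ_jj and the cross terms σ_ij it receives enter `recipient_side` through the same sum, so the full column of matrix (6) for u_j is exactly what that computation needs, which is worth weighing when choosing between sending σ_ij directly to u_j and publishing it.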
In case the privacy data further comprises a privacy value, in one embodiment, in step 35, a corresponding contract private key and contract public key are generated based on the first symmetric key K and the first contract identifier T_id, for encrypting the privacy value.
The contract private key SK may be generated first. In one embodiment, a predetermined function f_2 is applied to the first symmetric key K and the first contract identifier T_id to obtain the contract private key SK, i.e.:
$SK = f_2(K, T_{id})$ (11)
where the function f_2 in formula (11) may or may not be the same as f_1 in formula (9). Preferably, f_2 is a one-way function. More specifically, in one embodiment the function f_2 is the hash function H, so equation (11) can be written as:
$SK = H(K, T_{id})$ (12)
On the basis of the contract private key SK, the third generator h of a third cyclic group G_3 is raised to SK to obtain the contract public key PK:
$PK = h^{SK}$ (13)
where the third cyclic group G_3 may be different from the first and second cyclic groups, or may reuse one of them.
Based on the contract private key and public key generated above, next in step 36 the first privacy value is encrypted with a homomorphic encryption algorithm based on the contract public key PK to generate second encrypted data E_2.
As is known to those skilled in the art, a homomorphic encryption scheme is one in which performing an operation (such as addition or multiplication) on plaintexts and then encrypting gives the same result as encrypting the plaintexts and then performing the corresponding operation on the ciphertexts. For example, encrypting v_1 and v_2 with the same public key PK_A gives $E_{PK_A}(v_1)$ and $E_{PK_A}(v_2)$, which satisfy
$E_{PK_A}(v_1) \otimes E_{PK_A}(v_2) = E_{PK_A}(v_1 + v_2)$ and $E_{PK_A}(v_1) \oslash E_{PK_A}(v_2) = E_{PK_A}(v_1 - v_2)$,
where ⊗ and ⊘ denote the ciphertext operations corresponding to plaintext addition and subtraction. Thus, decrypting $E_{PK_A}(v_1) \otimes E_{PK_A}(v_2)$ with the private key SK_A yields v_1 + v_2, and decrypting $E_{PK_A}(v_1) \oslash E_{PK_A}(v_2)$ with SK_A yields v_1 - v_2.
Due to this property of homomorphic encryption, the privacy value can be homomorphically encrypted, so that the nodes in the blockchain can directly perform the operations specified by the contract logic on the encrypted privacy value without decryption, and the privacy value is not disclosed.
There are many homomorphic encryption algorithms; in step 36, an existing homomorphic encryption algorithm may be selected and the first privacy value homomorphically encrypted based on the contract public key PK generated in the previous step.
In one embodiment, the ElGamal encryption algorithm is modified, and homomorphic encryption is performed based on the modified ElGamal algorithm. According to this algorithm, a further random number r, called the third random number, may be chosen, and group operations in the third cyclic group G_3 are performed on the third random number r, the first privacy value v to be encrypted and the contract public key PK to obtain the second encrypted data E_2.
More specifically, the second encrypted data E_2 can be obtained by:
$E_2 = (PK^{r},\; g^{v} h^{r})$ (14)
In formula (14), PK is the contract public key, r is the third random number, v is the first privacy value, and g and h are two generators of the third cyclic group G_3. It can be verified that the encryption of formula (14) is homomorphic: for two ciphertexts $E_2(v_1) = (PK^{r_1}, g^{v_1} h^{r_1})$ and $E_2(v_2) = (PK^{r_2}, g^{v_2} h^{r_2})$,
$E_2(v_1) \otimes E_2(v_2) = (PK^{r_1} PK^{r_2},\; g^{v_1} h^{r_1} g^{v_2} h^{r_2}) = (PK^{r_1 + r_2},\; g^{v_1 + v_2} h^{r_1 + r_2}) = E_2(v_1 + v_2)$ (15)
$E_2(v_1) \oslash E_2(v_2) = (PK^{r_1} / PK^{r_2},\; g^{v_1} h^{r_1} / (g^{v_2} h^{r_2})) = (PK^{r_1 - r_2},\; g^{v_1 - v_2} h^{r_1 - r_2}) = E_2(v_1 - v_2)$ (16)
where ⊗ and ⊘ are component-wise multiplication and division in G_3.
Thus, step 34 produces the first encrypted data E_1 that encrypts the first privacy text, and step 36 produces the second encrypted data E_2 that encrypts the first privacy value.
Next, in step 37, a first transaction Tx1 invoking the first smart contract is generated, and first transaction content is filled into the first smart contract, where the first transaction content may include the information of the m participants, the first auxiliary information and the first encrypted data E_1. In case the privacy data comprises a privacy value, the first transaction content further comprises the second encrypted data E_2 that encrypts the privacy value. Thus, the privacy text and the privacy value are filled into the smart contract as the first encrypted data E_1 and the second encrypted data E_2 respectively, so that the smart contract transaction does not reveal the participants' private data.
In one embodiment, the first party further generates, based on a Sigma (Σ) zero-knowledge proof protocol, a first proof σ_1 that the first privacy value was validly encrypted.
A zero-knowledge proof is a way of proving the authenticity of information without revealing the plaintext information. For example, a prover has a private input s, can generate a public part L(s) from s, and then discloses a zero-knowledge proof σ. Using the zero-knowledge proof, a verifier can verify that the prover holds a private input s from which L(s) was generated, without learning the plaintext of s.
For example, a signature is one form of zero-knowledge proof: the private key is the private input s, the public key is the corresponding public part L(s), and a signature produced with the private key and verified with the public key is the zero-knowledge proof σ. The verifier can confirm that someone holds the private key corresponding to the public key without the private key itself being revealed.
In the above scenario of the first transaction invoking the smart contract, in a specific embodiment, a Sigma protocol may be employed to generate a first proof σ_1 of the validity of encrypting the first privacy value with the contract public key PK, the first proof σ_1 containing signature information based on the public key PK. Accordingly, when the first transaction content is filled in step 37, the contract public key PK is also included in the first transaction content and published on chain.
In one embodiment, a second proof σ_2 that the first privacy value lies in a legal range is generated based on the Bulletproofs range proof protocol.
A range proof proves that the value of a variable v is within a preset range without revealing the actual value of v; it is also a kind of zero-knowledge proof. A number of range proof protocols exist, among which Bulletproofs was proposed to improve the privacy of transactions in some cryptocurrency blockchain networks. In a specific embodiment, the second proof σ_2 is generated with the Bulletproofs range proof protocol, using the contract private key SK as the witness, to prove that the first privacy value is within the predefined legal range.
Specifically, in one example, the first intelligent contract is a credit loan contract, the first transaction is a transaction for initiating credit, and the first privacy value includes a credit line v. In such a case, the above-mentioned predefined legal range is, for example, greater than 0.
Where the second proof σ_2 is generated, it is correspondingly included in the first transaction content and published on chain.
Through the above process, the first party initiates a first transaction in the blockchain network. The first transaction invokes the first smart contract, and its transaction content comprises the information of the m participants, the first auxiliary information and the first encrypted data obtained by encrypting the privacy text. Where the privacy data further includes a privacy value, the transaction content also includes the second encrypted data obtained by encrypting the privacy value. Optionally, the transaction content further includes the first proof σ_1 and/or the second proof σ_2.
After the first party sends the first transaction, each node in the blockchain network receives the transaction and executes the transaction. Fig. 4 shows a schematic diagram of a process in which a node in a blockchain performs a first transaction.
As shown in FIG. 4, first, in step 41, the first transaction is verified. The verification comprises at least verifying the signature of the transaction initiator, i.e. the first party, on the first transaction. The signature may be verified with the public key previously published by the first party.
Where the transaction content of the first transaction includes the first proof σ_1 mentioned above, the node may check according to the first proof whether the encryption of the first privacy value is valid. As mentioned above, when disclosing the first proof σ_1, the first party also publishes the contract public key PK in the transaction. The node can then use the contract public key PK to verify, under the zero-knowledge proof protocol and based on the first proof σ_1, that the first privacy value was validly encrypted.
Where the transaction content of the first transaction includes the second proof σ_2 mentioned above, the node may check according to the second proof whether the first privacy value falls within the predetermined range. For example, where the second proof σ_2 was generated with the Bulletproofs range proof protocol, the node checks, according to that protocol and based on σ_2, whether the first privacy value is in the legal range, e.g., whether it is greater than 0.
When both checks pass, in step 42 the node executes the contract logic of the first smart contract in the first transaction, performing on the second encrypted data E_2 the operations that correspond to homomorphic operations. In general, the information in the privacy text does not affect the execution logic of the contract, so the node need not process the first encrypted data E_1 beyond recording it as part of the transaction content. The execution of the smart contract does, however, involve reading, writing, modifying and recording certain variables, namely those whose values are the privacy values encrypted into the second encrypted data E_2. As described above, the second encrypted data E_2 is generated with homomorphic encryption, so the node can directly perform the corresponding homomorphic operations on it without decrypting it.
For example, when the value carried in the second encrypted data needs to be added to a previously stored value, the homomorphic operation shown in the foregoing formula (15) may be adopted; when it needs to be subtracted from a previously stored value, the homomorphic operation shown in the foregoing formula (16) may be adopted.
In one example, the first transaction is, for example, a newly created credit loan contract, and the first privacy value is, for example, a parameter value that was first introduced for the credit line. At this time, the second encrypted data homomorphically encrypted according to the first privacy value is recorded as a corresponding parameter value for subsequent homomorphic operation.
After the on-chain execution of the first intelligent contract, in step 43 the node sends a notification to the m parties involved in the first transaction, informing each of them that the current first transaction concerns it. In one embodiment, the node notifies each involved party by means of a log notification. In another embodiment, the node may also directly send the transaction content of the first transaction to each involved party.
After receiving the notice of the blockchain node, each participant can execute the intelligent contract transaction and update the local transaction state. The process by which the relevant parties perform the intelligent contract transaction is described below.
FIG. 5 illustrates a flow diagram of a method of performing a smart contract transaction, according to one embodiment, performed by a second one of the m participants. The second party is any one of the m parties other than the first party. For example, where the first party initiating the first transaction described above is institution C illustrated in fig. 1, the second party may be the corresponding institution D.
As shown in fig. 5, first at step 51, the second party obtains the transaction content of the first transaction Tx invoking the first intelligent contract.
In one embodiment, the second party receives a log notification from a node of the blockchain and reads the transaction content of the first transaction from the blockchain according to the log notification. In another embodiment, the blockchain node directly transmits the transaction content of the first transaction to the relevant parties, whereupon the second party receives the transaction content directly from the node.
As mentioned above, the transaction content of the first transaction includes information of the m participants involved in the transaction, first auxiliary information, first encrypted data E1 and, optionally, second encrypted data E2. The first auxiliary information includes a first aggregation result of the first public key parts of the m participants, the first encrypted data E1 is data obtained by encrypting the first privacy text, and the second encrypted data E2 is data obtained by encrypting the first privacy value. Therefore, the second party needs to recover the first privacy text corresponding to the first encrypted data and the first privacy value corresponding to the second encrypted data, using the first auxiliary information together with its own participant private key and the key cross terms generated for it by the other parties.
Then, in step 52, the second party aggregates the key cross terms generated by the other parties of the m parties with respect to the second party and the party private key of the second party, to obtain a third aggregation result.
For simplicity and clarity, uj denotes the second party. According to the key configuration procedure described above, the second party has a participant private key σjj generated based on the first cyclic group G1.
More specifically, the second participant uj generates its private key σjj as follows. First, the second party arbitrarily takes a fourth random number rj and arbitrarily takes a fourth element Xj in the first cyclic group; then, using a predetermined hash mapping function, the identity uj of the second party is mapped into the first cyclic group, obtaining a fifth element H(uj); based on group operations of the fourth random number rj, the fourth element Xj and the fifth element H(uj) in the first cyclic group, the private key σjj of the second party is obtained. More specifically, the private key of the second party may be expressed as:
[equation image Figure BDA0002313304360000241 not extracted]
Furthermore, as previously described, each of the other participants in the total participant set U also generates, for the second party, a key cross term whose form corresponds to that of the private key. For example, another participant uk (where k = 1, …, n and k ≠ j) generates the key cross term σkj for the second participant uj:
[equation image Figure BDA0002313304360000242 not extracted]
The key cross-terms formed by the respective other parties for the second party are shown in the foregoing matrix (6).
Thus, the second party may determine from the above matrix the key cross terms σkj generated for it by the m-1 other parties among the m parties to the transaction, and aggregate these m-1 key cross terms σkj together with its own private key σjj to obtain a third aggregation result σS, where:
\sigma_S = \prod_{k \in S} \sigma_{kj} \quad (19)
As previously described, each participant private key is generated based on the first cyclic group G1, and the key cross terms are computed in a manner corresponding to the participant private key, i.e. they are also generated based on the first cyclic group; the third aggregation result is therefore an element of the first cyclic group.
On the other hand, the first auxiliary information is generated based on an aggregation of the first public key parts of the m participants, which are generated based on the second cyclic group G2.
Thus, in the next step 53, the second aggregation result, obtained by aggregating the second public key parts of the m participants, may be restored using the third aggregation result in the first cyclic group, the first auxiliary information in the second cyclic group, and the pairing algorithm between the first cyclic group G1 and the second cyclic group G2.
More specifically, as mentioned above, the first auxiliary information includes an auxiliary field c1 and the first aggregation result c2, where the auxiliary field c1 is generated by performing a group operation on the second generator g2 of the second cyclic group G2 based on a second random number t, and the first aggregation result c2 is generated by aggregating the m first public key parts of the m participants based on the same second random number t.
More specifically, as shown in the foregoing formula (7) and formula (8):
[equation image Figure BDA0002313304360000243 not extracted]
Based on the auxiliary field c1 and the first aggregation result c2 shown above, the second aggregation result can be restored by the following pairing procedure: compute a first pairing result of the third aggregation result σS (in the first cyclic group) and the auxiliary field c1 (in the second cyclic group), and a second pairing result of the fifth element H(uj) (in the first cyclic group) used in generating the second party's private key and the first aggregation result c2 (in the second cyclic group); then combine the first pairing result and the second pairing result to obtain the second aggregation result.
In particular, the second aggregation result [equation image Figure BDA0002313304360000251 not extracted] can be expressed as:
[equation (20), image Figure BDA0002313304360000252 not extracted]
Equation (20) is derived from the properties of the pairing algorithm between the two cyclic groups. Specifically:
[equation image Figure BDA0002313304360000253 not extracted]
Thus, the second aggregation result [equation image Figure BDA0002313304360000254 not extracted] is restored.
Then, in step 54, the first symmetric key K is obtained based on the second aggregation result [equation image Figure BDA0002313304360000255 not extracted] and the first contract identifier Tid of the first intelligent contract.
The calculation of this step 54 is exactly the same as step 33 in fig. 3. Specifically, the first symmetric key K can be calculated according to the above equation (9). More specifically, the second aggregation result and the first contract identifier may be hashed according to the foregoing formula (10), so as to obtain the first symmetric key K.
Next, in step 55, the first encrypted data E1 is decrypted using the first symmetric key K to obtain the first privacy text. In this step, it suffices to apply the decryption algorithm corresponding to the symmetric encryption algorithm used in step 34 of fig. 3 in order to decrypt the original first privacy text from the first encrypted data.
In case the second encrypted data is also included in the transaction content, then in step 56 a contract private key SK is generated based on the first symmetric key K and the first contract identifier.
The calculation of this step 56 is exactly the same as step 35 in fig. 3. Specifically, the contract private key SK can be calculated according to the foregoing formula (11). More specifically, the first symmetric key and the first contract identifier may be hashed according to the foregoing formula (12), so as to obtain the contract private key SK.
Then, in step 57, the second encrypted data E2 is decrypted using the contract private key SK by means of the first homomorphic decryption algorithm, obtaining the first privacy value. In this step, it suffices to apply the decryption algorithm corresponding to the homomorphic asymmetric encryption algorithm used in step 36 of fig. 3 in order to decrypt the original first privacy value v from the second encrypted data.
Specifically, where in the aforementioned step 36 the modified ElGamal algorithm is used for homomorphic encryption, so that the second encrypted data E2 has the form of formula (14), the result g^v of performing a group operation on the fourth generator g of the third cyclic group based on the first privacy value v can first be obtained using the contract private key SK by the following operation:
[equation image Figure BDA0002313304360000261 not extracted]
The first privacy value v is then restored by traversing the possible group operation results of the fourth generator g.
The second party thus decrypts the original first privacy text in step 55 and the original first privacy value in step 57, obtaining the complete private data that the first transaction filled into the first smart contract.
Then, at step 58, the second party records the local transaction status based on the decrypted first privacy text and the first privacy value.
For example, in the scenario shown in FIG. 1, where the first party is institution C and the first transaction newly creates a credit loan contract, the second party may be institution D. Through the above decryption process, institution D obtains the amount v of the credit line and the other agreement contents indicated by the first privacy text, and records the local transaction status based on these.
As can be seen from the above processes, according to the embodiments described in this specification, when an intelligent contract is initiated and executed, the private data filled in the intelligent contract is divided into the private text and the private numerical value, which are processed separately and encrypted and decrypted in different ways. The process of initiating and executing an intelligent contract in the above embodiments has at least the following advantages.
Firstly, it can be seen from the above decryption process that only m parties specified by the initiator can use their own private key and key cross terms to restore the symmetric key and contract private key required for decryption, and further decrypt the private data. In this way, privacy data protection of intelligent contracts involving multiple parties is achieved.
Secondly, it can be seen from the generation process of the first encrypted data that the first symmetric key is obtained based on the public key aggregation of the m parties, and the first encrypted data is obtained by encrypting the private text with the first symmetric key. Even if the number m of participants takes a large value, it does not cause a concomitant increase in the data size of the first encrypted data. In other words, the ciphertext size of the first encrypted data is substantially constant and does not increase as the authorized group size increases. Compared with a ciphertext generation mode for encrypting each participant respectively in the conventional technology, the fixed-length ciphertext generation mode can effectively reduce communication and storage costs, and is more suitable for scenes of frequent communication and multiple storage in a block chain.
In addition, in the above embodiment, homomorphic encryption is adopted for the privacy value, so that blockchain nodes can perform homomorphic operations on it without decrypting it, and the execution of contract logic is not affected.
The process by which the second party decrypts the private data in the first transaction invoking the first smart contract, in order to execute the first transaction, is described above. In some cases, the second party may invoke the first smart contract again, initiating subsequent transactions and thereby updating the variable state therein. For example, if the second party is institution D of fig. 1 and the first transaction described above is used to obtain a credit line v, the second party may then perform a loan transaction with institution B. Institution D may then record the borrowing and repayment status with institution B, within the credit line v, by subsequently calling the first intelligent contract again.
Fig. 6 illustrates a flow diagram in one embodiment where a second party initiates a second transaction. It will be appreciated that the flow is the process of initiating a subsequent transaction to the first transaction after the second party has performed the aforementioned first transaction.
As shown in fig. 6, first, in step 61, a second privacy text and a second privacy value for updating the transaction status are obtained, wherein the second privacy value and the first privacy value conform to a predetermined relationship.
Specifically, the second privacy text is a newly generated privacy text to be filled into the transaction, and the second privacy value is a variable value related to the variable corresponding to the first privacy value. For example, when the aforesaid second party D performs an actual loan transaction with institution B, the second privacy text may be a description of the loan transaction, and the second privacy value may be the amount v′ of the loan actually issued to institution B, or the amount v″ repaid by institution B. Obviously, the second privacy value is related to the first privacy value and needs to be in a predetermined relationship with it; in this case, for example, the second privacy value v′ or v″ needs to be less than or equal to the first privacy value v.
Then, in step 62, the second party encrypts the second privacy text with the first symmetric key K, generating third encrypted data E3. Here, the first symmetric key K is the symmetric key recovered by the second party in the aforementioned step 54 of fig. 5. Since the second party is still invoking the first intelligent contract, as a continuation of the first transaction and with the same group of parties, the key of the first transaction may still be used in this transaction.
Next, in step 63, the second participant generates the corresponding contract public key PK based on the aforementioned contract private key SK, i.e. the contract private key that the second party obtained in step 56 of fig. 5. From the contract private key, the corresponding contract public key PK can easily be obtained using the agreed public key generation method.
In particular, the third generator h of the agreed third cyclic group may be subjected to a group operation based on the contract private key SK in the manner of the foregoing formula (13), obtaining the contract public key PK = h^SK.
Then, in step 64, the second privacy value is encrypted based on the contract public key PK using the first homomorphic encryption algorithm, generating fourth encrypted data E4. The encryption process is the same as the step 36 in fig. 3, and is not described again.
Then, in step 65, the second party generates a second transaction invoking the aforementioned first intelligent contract and fills the first intelligent contract with second transaction content, which includes information of the same m parties, the third encrypted data E3 and the fourth encrypted data E4.
It should be noted that, since all the m parties can recover the first symmetric key and the contract private key through the first auxiliary information in the first transaction, the subsequent transactions for the m parties may not include the first auxiliary information any more. Optionally, however, the second party may also fill the aforementioned first auxiliary information into the second transaction content again to assist the other parties in decryption or verification.
In one embodiment, the second party further generates, based on a sigma zero-knowledge proof protocol and using the contract public key PK, a third proof σ3 of the validity of the above-mentioned encryption of the second privacy value, and includes the contract public key and the third proof σ3 in the aforementioned second transaction content. The third proof is generated in a manner similar to the first proof and is not described in detail.
In one embodiment, the second party further generates a fourth proof σ4 based on the Bulletproofs range proof protocol. The fourth proof attests that the second privacy value is within a legitimate range and that the relative magnitude of the second privacy value to the first privacy value is within a predetermined range. More specifically, in the above credit example, the fourth proof must show not only that the second privacy value v′ or v″ is greater than 0, but also that the second privacy value v′ or v″ is less than or equal to the first privacy value v, i.e. that the difference of the first privacy value minus the second privacy value is greater than or equal to 0. Likewise, the second party includes this fourth proof σ4 in the second transaction content.
After the second party initiates the second transaction in the above manner, each node in the blockchain performs the on-chain execution on the first intelligent contract in the second transaction, and the execution manner is similar to that in fig. 4. Only the differences are described below.
In the verification step, in the case where the above-mentioned third proof σ3 is included in the transaction content of the second transaction, the node checks whether the encryption of the second privacy value is legitimate according to the third proof.
In the case where the fourth proof σ4 mentioned above is included in the transaction content of the second transaction, the node checks, based on the fourth proof, whether the second privacy value lies within the predetermined range and whether the relative magnitude of the second privacy value to the aforementioned first privacy value is within the predetermined range. For example, the node may check, according to the Bulletproofs range proof protocol, whether the second privacy value is greater than 0 and whether the first privacy value is greater than or equal to the second privacy value.
Under the condition that the verification passes, the node executes the contract logic of the first intelligent contract in the second transaction and performs homomorphic operations on the fourth encrypted data E4.
For example, in one example, the first privacy value is the credit amount v and the second privacy value is the loan amount v′. Assume that a variable x is also set in the first intelligent contract, representing the loanable balance. In such a case, the homomorphic operation corresponding to subtraction can be performed on the second encrypted data E2 and the fourth encrypted data E4 to obtain the encrypted value of the variable x, namely:
E_{PK}(x) = E_{PK}(v) / E_{PK}(v') = \left( PK^{r} / PK^{r'},\ g^{v} h^{r} / g^{v'} h^{r'} \right) = E_{PK}(v - v') \quad (22)
In another example, the second privacy value is a repayment amount v″. In such a case, the homomorphic operation corresponding to addition can be performed on the previously stored E_PK(x) and the fourth encrypted data E_PK(v″), giving the encrypted value of the new loanable balance x, namely:
E_{PK}(x) \cdot E_{PK}(v'') = E_{PK}(x + v'') \quad (23)
Furthermore, the previously stored encrypted value of the borrowed amount and the value E_PK(v″) may be subjected to the homomorphic operation corresponding to subtraction, giving the encrypted value of the new borrowed amount.
Therefore, the blockchain node can perform homomorphic operations on the second privacy value in the second transaction, so that the variable parameters in the first intelligent contract are updated and the on-chain execution of the second transaction is realized. Subsequent transactions that also call the aforementioned first intelligent contract and are directed to the same m participants can be initiated and executed in a manner similar to the second transaction, so that the updates of the various transaction variables are continuously recorded and tracked, while privacy protection is maintained during on-chain execution of the intelligent contract transactions.
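As an added example (constructed here, not code from the patent or from the assignee), the following Python models the privacy-value layer described from step 36 through formulas (22) and (23): a modified-ElGamal ciphertext (PK^r, g^v h^r) with PK = h^SK, the decryption of step 57 that first recovers g^v with SK and then traverses the powers of the generator, the homomorphic subtraction and addition a node applies without decrypting, and a sigma-protocol proof of encryption validity of the kind the node checks as the first and third proofs. The hash used to derive SK (SHA-256), the Fiat-Shamir challenge, the toy-sized group parameters and the sample amounts are all assumptions; the page does not specify them, and a real deployment would use a large prime-order group with an h whose discrete log to base g is unknown.

```python
# Added, constructed example (not code from the patent): a toy model of the
# page's "modified ElGamal" layer, the node-side validity check, and the
# homomorphic balance update of formulas (22)/(23).
import hashlib
import secrets

P = 2039   # safe prime p = 2q + 1 (constructed, toy-sized)
Q = 1019   # prime order q of the quadratic-residue subgroup: the "third cyclic group"
G = 4      # the page's generator g (4 = 2^2 is a quadratic residue, so its order is q)
H = 9      # the page's generator h (9 = 3^2); in practice log_g(h) must be unknown


def random_scalar():
    """Random exponent in [1, q-1] (the page's random number r)."""
    return secrets.randbelow(Q - 1) + 1


def derive_contract_private_key(symmetric_key, contract_id):
    """SK = hash(K, T_id) per formula (12); SHA-256 is an assumption, the page names no hash."""
    digest = hashlib.sha256(symmetric_key + contract_id).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def contract_public_key(sk):
    """PK = h^SK, formula (13)."""
    return pow(H, sk, P)


def encrypt(pk, v, r):
    """E_PK(v) = (PK^r, g^v h^r): the ciphertext form visible in formula (22)."""
    return (pow(pk, r, P), pow(G, v, P) * pow(H, r, P) % P)


def decrypt(sk, ct, max_value):
    """Step 57: strip h^r using SK, then traverse g^v for v in [0, max_value]."""
    c1, c2 = ct
    h_r = pow(c1, pow(sk, -1, Q), P)       # (h^{SK*r})^{1/SK} = h^r
    g_v = c2 * pow(h_r, -1, P) % P         # g^v h^r / h^r
    acc = 1                                # g^0
    for v in range(max_value + 1):
        if acc == g_v:
            return v
        acc = acc * G % P
    raise ValueError("no v in [0, max_value] matches g^v; value out of range")


def homomorphic_add(a, b):
    """E(x) * E(v'') = E(x + v''), formula (23)."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)


def homomorphic_sub(a, b):
    """E(v) / E(v') = E(v - v'), formula (22)."""
    return (a[0] * pow(b[0], -1, P) % P, a[1] * pow(b[1], -1, P) % P)


def _challenge(*items):
    """Fiat-Shamir challenge over the transcript (assumption; the page gives no protocol details)."""
    data = b"".join(x.to_bytes(4, "big") for x in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_valid_encryption(pk, ct, v, r):
    """Prover: sigma proof of knowledge of (v, r) with ct = (PK^r, g^v h^r)."""
    a, b = random_scalar(), random_scalar()
    t1 = pow(pk, a, P)
    t2 = pow(G, b, P) * pow(H, a, P) % P
    e = _challenge(pk, ct[0], ct[1], t1, t2)
    return (t1, t2, (a + e * r) % Q, (b + e * v) % Q)


def verify_valid_encryption(pk, ct, proof):
    """Node-side check of the proof: accepts only if both relations hold, without decrypting."""
    t1, t2, z_r, z_v = proof
    e = _challenge(pk, ct[0], ct[1], t1, t2)
    return (pow(pk, z_r, P) == t1 * pow(ct[0], e, P) % P
            and pow(G, z_v, P) * pow(H, z_r, P) % P == t2 * pow(ct[1], e, P) % P)


def loan_balance_example():
    """Credit line v=100, loan v'=30, repayment v''=10, tracked entirely as ciphertexts."""
    sk = derive_contract_private_key(b"K-example", b"T_id-example")  # constructed K, T_id
    pk = contract_public_key(sk)
    e_v = encrypt(pk, 100, random_scalar())      # second encrypted data E2
    e_loan = encrypt(pk, 30, random_scalar())    # fourth encrypted data E4
    e_x = homomorphic_sub(e_v, e_loan)           # (22): loanable balance x = v - v'
    e_x = homomorphic_add(e_x, encrypt(pk, 10, random_scalar()))  # (23): x + v''
    return decrypt(sk, e_x, 1000)                # 80
```

Because exponents live modulo q, a subtraction that would make the balance negative does not fail loudly: the ciphertext decrypts to q − (v′ − v) if the search range is wide enough, or the search simply finds nothing. That wrap-around is exactly what the fourth (range) proof rules out by requiring v′ ≤ v before the node applies formula (22), which is why a node should reject the second transaction rather than update state when that proof is missing or fails.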
According to an embodiment of another aspect, an apparatus for initiating a smart contract transaction is provided, and the apparatus is disposed in a terminal corresponding to a first participant, and the terminal may be embodied as any device or platform with computing and processing capabilities. Wherein the initiated transaction involves m participants, each of the m participants having a participant private key and a participant public key pre-configured therewith, the participant private key generated based on a first cyclic group, the participant public key comprising a first public key portion and a second public key portion, wherein the first public key portion is generated based on a second cyclic group, the second public key portion being generated based on a pairing between the first cyclic group and the second cyclic group; each participant also generates a key cross term for other participants in a generation manner corresponding to the participant private key. Under this premise, fig. 7 shows a schematic block diagram of an apparatus for initiating a smart contract transaction according to one embodiment. As shown in fig. 7, the transaction initiation device 700 includes:
a determining unit 71 configured to determine a first contract identification of a first intelligent contract to be invoked, m participants involved in the transaction, and private data to be filled in the first intelligent contract; the private data comprises a first private text;
an auxiliary information generating unit 72 configured to generate first auxiliary information including a first aggregation result of first aggregating the first public key parts of the m participants;
a symmetric key generation unit 73 configured to perform a second aggregation corresponding to the first aggregation on second public key portions of the m participants; generating a first symmetric key according to a second aggregation result and the first contract identifier;
a first encryption unit 74 configured to encrypt the first private text with the first symmetric key, generating first encrypted data;
a first transaction generating unit 77 configured to generate a first transaction invoking the first intelligent contract, and fill in first transaction content into the first intelligent contract, the first transaction content including information of the m participants, the first auxiliary information, and the first encrypted data.
In one embodiment, the privacy data further comprises a first privacy value; in such a case, the apparatus 700 further comprises:
a contract key generation unit 75 configured to generate a contract private key and a corresponding contract public key based on the first symmetric key and the first contract identifier;
a second encryption unit 76 configured to encrypt the first privacy value based on the contract public key using a first homomorphic encryption algorithm, generating second encrypted data;
and, the first transaction content filled in by the first transaction generating unit 77 includes the second encrypted data.
According to an embodiment, the apparatus 700 further includes a key configuration unit (not shown), specifically configured to:
arbitrarily taking a first random number, and arbitrarily taking a first element in the first cyclic group; mapping the identity of the first participant to a second element in the first cyclic group using a predetermined hash mapping function; obtaining a participant private key of the first participant based on group operations of the first random number, a first element and a second element in the first cyclic group;
performing group operation on a second generator corresponding to the second cyclic group based on the first random number to obtain a first public key part of the first participant; obtaining a second public key portion of the first participant based on a pairing between the first element in the first cyclic group and the second generator.
In one embodiment, the key configuration unit is further configured to: and for any second party in the m parties, mapping the identifier of the second party to a third element in the first cyclic group by using the hash mapping function, and based on the group operation of the first random number, the first element and the third element in the first cyclic group, obtaining a key cross item of the first party for the second party and at least issuing the key cross item to the second party.
According to an embodiment, the auxiliary information generating unit 72 is specifically configured to:
arbitrarily taking a second random number, and performing group operation on a second generator corresponding to the second cyclic group based on the second random number to generate an auxiliary field; performing first aggregation on m first public key parts of the m participants based on the second random number to generate a first aggregation result; the auxiliary field and the first aggregation result constitute the first auxiliary information;
correspondingly, the second aggregation result is a result of second aggregation of m second public key parts of the m participants based on the second random number.
According to an embodiment, the symmetric key generating unit 73 is specifically configured to perform a hash operation on the second aggregation result and the first contract identifier to obtain the first symmetric key.
In one embodiment, the contract key generation unit 75 is specifically configured to: perform a predetermined hash operation on the first symmetric key and the first contract identifier to obtain the contract private key; and perform a group operation on a third generator in a third cyclic group based on the contract private key to obtain the contract public key.
According to an embodiment, the second encryption unit 76 is specifically configured to: and performing group operation in the third cyclic group based on the selected third random number, the first privacy numerical value and the contract public key to obtain second encrypted data.
In one embodiment, the apparatus further comprises a proof generating unit (not shown) configured to generate a first proof of validity of the first privacy numerical value encryption using the contract public key based on a sigma-zero knowledge proof protocol; accordingly, the first transaction generating unit 77 may include the contract public key and the first proof in the first transaction content.
In one embodiment, the credential generation unit is further configured to generate a second credential that the first privacy value is within a legal range based on a bulletproof of scope protocol; accordingly, the first transaction generation unit 77 may include the second proof in the first transaction content.
According to an embodiment of another aspect, an apparatus for executing a smart contract transaction is provided, and the apparatus is disposed in a terminal corresponding to a second participant, and the terminal may be embodied as any device or platform with computing and processing capabilities. Wherein the executed transaction involves m participants, each of the m participants having a participant private key and a participant public key pre-configured therewith, the participant private key generated based on a first cyclic group, the participant public key comprising a first public key portion and a second public key portion, wherein the first public key portion is generated based on a second cyclic group, the second public key portion being generated based on a pairing between the first cyclic group and the second cyclic group; each participant also generates a key cross term for other participants in a generation manner corresponding to the participant private key. Under this premise, fig. 8 shows a schematic block diagram of an apparatus for performing intelligent contract transactions according to one embodiment. As shown in fig. 8, the transaction execution apparatus 800 includes:
an obtaining unit 81 configured to obtain transaction content of a first transaction invoking a first smart contract, including information of m parties involved in the transaction, first auxiliary information, and first encrypted data; the first auxiliary information comprises a first aggregation result of first public key portions of the m participants, the first encrypted data is data that encrypts a first privacy text, and the second encrypted data is data that encrypts a first privacy value;
an aggregation unit 82, configured to aggregate the key cross terms generated by the other participants in the m participants for the second participant and the participant private keys of the second participant to obtain a third aggregation result;
a reduction unit 83, configured to reduce, according to the third aggregation result, the first auxiliary information, and a pairing algorithm between the first cyclic group and the second cyclic group, a second aggregation result obtained by aggregating the second public key portions of the m participants;
a symmetric key determining unit 84, configured to determine a first symmetric key according to the second aggregation result and the first contract identifier of the first smart contract;
a first decryption unit 85 configured to decrypt the first encrypted data by using the first symmetric key to obtain the first private text;
a recording unit 88 configured to record a local transaction status based on at least the first privacy text.
In one embodiment, the transaction content acquired by the acquisition unit further includes second encryption data obtained by encrypting the first privacy value; in such a case, the apparatus 800 further comprises:
a contract key determination unit 86 configured to generate a contract private key based on the first symmetric key and the first contract identification;
a second decryption unit 87 configured to decrypt the second encrypted data with the contract private key using a first homomorphic decryption algorithm to obtain the first privacy value;
the recording unit 88 is further configured to record a local transaction status based on the first privacy value.
According to an embodiment, the obtaining unit 81 is specifically configured to: in response to receiving a transaction notification from a first node of the blockchain network, obtain the transaction content of the first transaction from the blockchain.
According to an embodiment, the apparatus 800 further comprises a key configuration unit (not shown) configured to: take a fourth random number arbitrarily and take a fourth element of the first cyclic group arbitrarily; map the identifier of the second participant to a fifth element of the first cyclic group using a predetermined hash mapping function; and obtain the participant private key of the second participant by a group operation in the first cyclic group on the fourth random number, the fourth element and the fifth element.
Correspondingly, the key cross term generated for the second participant by any third participant among the m participants is generated as follows: a group operation in the first cyclic group is performed on a fifth random number taken arbitrarily by the third participant, a sixth element taken arbitrarily by the third participant, and the fifth element, to obtain the key cross term of the third participant for the second participant.
In a specific embodiment, the first auxiliary information includes an auxiliary field and the first aggregation result, the auxiliary field being generated by a group operation on a second generator of the second cyclic group based on a random number; in that case the restoring unit 83 is specifically configured to: compute a first pairing result of the third aggregation result with the auxiliary field and a second pairing result of the fifth element with the first aggregation result, and combine the first pairing result and the second pairing result to obtain the second aggregation result.
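The following Python is an added worked example of the key configuration, key cross terms, auxiliary information and restoring step just described; it is not code from the patent or from the applicant. The patent does not fix the concrete group operations, so the example takes one consistent reading: a participant private key is h + r*u (h an arbitrary group element, r a random number, u the hash-mapped identity), the cross term for another participant replaces u with that participant's hash-mapped identity, and the auxiliary information is (s*G2, s*sum of first public key portions). All three groups are modelled as the additive group Z_q with the toy pairing e(a, b) = a*b mod q, which is bilinear but has no security at all; a real deployment would use a pairing-friendly curve. The names `Participant`, `initiator_side`, `receiver_side` and `run_demo` are the example's own.

```python
"""Toy model of pairing-based key aggregation and restoring (added example).

Assumptions, not fixed by the patent text: the first cyclic group, the second
cyclic group and the pairing target group are all modelled as the additive
group Z_Q, and the pairing is e(a, b) = a * b mod Q. That map is bilinear,
which is all the algebra needs, but discrete logs in it are trivial, so this
shows only why the second participant recovers exactly the initiator's second
aggregation result. Group operations are written additively."""
import hashlib
import secrets

Q = (1 << 61) - 1   # prime group order (the Mersenne prime 2^61 - 1)
G2 = 3              # second generator of the second cyclic group (any non-zero element)


def pair(a: int, b: int) -> int:
    """Toy bilinear map: e(x*a, y*b) == x*y*e(a, b) mod Q."""
    return (a * b) % Q


def hash_to_g1(identity: str) -> int:
    """Predetermined hash mapping of a participant identifier into the first group."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q


def derive_symmetric_key(agg2: int, contract_id: str) -> bytes:
    """First symmetric key = hash(second aggregation result, contract identifier)."""
    return hashlib.sha256(agg2.to_bytes(8, "big") + contract_id.encode()).digest()


class Participant:
    """Key configuration of one participant (random number, arbitrary element, identity)."""

    def __init__(self, identity: str):
        self.identity = identity
        self.u = hash_to_g1(identity)             # hash-mapped identity element
        self.r = secrets.randbelow(Q - 1) + 1     # arbitrary random number
        self.h = secrets.randbelow(Q - 1) + 1     # arbitrary element of the first group
        self.sk = (self.h + self.r * self.u) % Q  # participant private key
        self.pk1 = (self.r * G2) % Q              # first public key portion (second group)
        self.pk2 = pair(self.h, G2)               # second public key portion (pairing)

    def cross_term_for(self, other_identity: str) -> int:
        """Key cross term issued to another participant: same recipe as sk,
        but with the recipient's hash-mapped identity instead of our own."""
        return (self.h + self.r * hash_to_g1(other_identity)) % Q


def initiator_side(participants, contract_id: str):
    """First participant: auxiliary field, first and second aggregation, symmetric key."""
    s = secrets.randbelow(Q - 1) + 1                      # second random number
    aux_field = (s * G2) % Q
    agg1 = (s * sum(p.pk1 for p in participants)) % Q     # first aggregation result
    agg2 = (s * sum(p.pk2 for p in participants)) % Q     # second aggregation result
    return (aux_field, agg1), derive_symmetric_key(agg2, contract_id)


def receiver_side(me: Participant, cross_terms, aux_info, contract_id: str) -> bytes:
    """Second participant: third aggregation, two pairings, restored second aggregation."""
    aux_field, agg1 = aux_info
    third = (sum(cross_terms) + me.sk) % Q                # third aggregation result
    pair1 = pair(third, aux_field)                        # e(third, s*G2)
    pair2 = pair(me.u, agg1)                              # e(u_me, s*G2*sum(r_i))
    # pair1 = s*G2*sum(h_i) + u_me*s*G2*sum(r_i); the second term equals pair2.
    agg2 = (pair1 - pair2) % Q
    return derive_symmetric_key(agg2, contract_id)


def run_demo(m: int = 3, contract_id: str = "contract-0001"):
    """Every participant derives the initiator's key from the auxiliary information."""
    parts = [Participant(f"party-{i}") for i in range(m)]      # constructed identities
    aux_info, initiator_key = initiator_side(parts, contract_id)
    receiver_keys = []
    for me in parts:
        cross = [other.cross_term_for(me.identity) for other in parts if other is not me]
        receiver_keys.append(receiver_side(me, cross, aux_info, contract_id))
    return parts, aux_info, initiator_key, receiver_keys
```

Only the auxiliary field and the first aggregation result travel with the transaction; the second aggregation result, and hence the symmetric key, is recoverable only by a participant who holds its own private key plus the cross terms the other participants issued to it, which is what keeps non-participants (including the nodes executing the contract) from decrypting the private text.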
According to one embodiment, the symmetric key determining unit 84 is specifically configured to: perform a hash operation on the second aggregation result and the first contract identifier to obtain the first symmetric key.
In one embodiment, the contract key determining unit 86 is specifically configured to: perform a predetermined hash operation on the first symmetric key and the first contract identifier to obtain the contract private key.
In one embodiment, the second encrypted data is generated by a group operation in a third cyclic group based on the first private value and a contract public key corresponding to the contract private key; in that case the second decryption unit 87 is specifically configured to: use the contract private key to obtain the result of the group operation performed on a fourth generator of the third cyclic group with the first private value, and then traverse the possible group operation results of the fourth generator to restore the first private value.
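As an added worked example (not code from the patent or the applicant), the Python below carries the contract key derivation and the homomorphic decryption by traversal through end to end. The patent names a "first homomorphic encryption algorithm" without fixing it; the example assumes exponential ElGamal, which matches the described decryption (strip the mask to get the generator raised to the private value, then walk the generator's powers until they match). The third cyclic group is assumed to be the order-Q subgroup of Z_P^* for a tiny safe prime P = 2Q + 1 so the traversal is visible; a deployment would use a large prime-order elliptic-curve group, and the traversal then only works for a bounded value range. The domain tag in the hash and the names `derive_contract_private_key`, `encrypt_value`, `add_ciphertexts`, `decrypt_value` and `run_demo` are the example's own.

```python
"""Contract key derivation plus exponential-ElGamal encryption and traversal
decryption in a toy prime-order group (added example, not the patent's code).

Assumptions: third cyclic group = quadratic residues mod the safe prime P,
order Q = (P - 1) / 2, generator G; predetermined hash = SHA-256 over a
domain tag, the first symmetric key and the contract identifier."""
import hashlib
import secrets

P = 10007          # safe prime, P = 2*Q + 1
Q = 5003           # prime order of the subgroup of quadratic residues
G = 4              # generator of that subgroup (a square, so its order is Q)
assert pow(G, Q, P) == 1 and G != 1


def derive_contract_private_key(symmetric_key: bytes, contract_id: str) -> int:
    """Predetermined hash of (first symmetric key, contract identifier) -> exponent in [1, Q-1]."""
    digest = hashlib.sha256(b"contract-key|" + symmetric_key + b"|" + contract_id.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def contract_public_key(contract_sk: int) -> int:
    """Group operation on the third generator with the contract private key."""
    return pow(G, contract_sk, P)


def encrypt_value(contract_pk: int, value: int):
    """Exponential ElGamal: (G^r, G^value * pk^r). Additively homomorphic in value."""
    r = secrets.randbelow(Q - 1) + 1          # third random number
    return pow(G, r, P), pow(G, value, P) * pow(contract_pk, r, P) % P


def add_ciphertexts(c_a, c_b):
    """Component-wise product encrypts the sum of the two plaintext values."""
    return c_a[0] * c_b[0] % P, c_a[1] * c_b[1] % P


def decrypt_value(contract_sk: int, ciphertext, max_value: int = Q - 1) -> int:
    """Strip the mask to obtain G^value, then traverse G^0, G^1, ... until it matches."""
    c1, c2 = ciphertext
    g_value = c2 * pow(c1, Q - contract_sk, P) % P   # c1^(Q - sk) == c1^(-sk), c1 has order Q
    candidate = 1                                    # G^0
    for v in range(max_value + 1):
        if candidate == g_value:
            return v
        candidate = candidate * G % P
    raise ValueError("plaintext outside the traversed range")


def run_demo(first_value: int = 42, second_value: int = 58):
    """Initiator encrypts; the executing participant derives the same key and decrypts."""
    symmetric_key = hashlib.sha256(b"constructed first symmetric key").digest()  # constructed
    contract_id = "contract-0001"                                                 # constructed
    sk = derive_contract_private_key(symmetric_key, contract_id)
    pk = contract_public_key(sk)
    c_first = encrypt_value(pk, first_value)
    c_second = encrypt_value(pk, second_value)
    c_sum = add_ciphertexts(c_first, c_second)   # anyone, including the contract, can do this
    return decrypt_value(sk, c_first), decrypt_value(sk, c_sum)
```

The homomorphic addition is what lets the on-chain contract combine encrypted values from successive transactions without holding the contract private key; only a participant who can derive the first symmetric key, and from it the contract private key, can read the result.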
According to one embodiment, the apparatus 800 further comprises a second transaction initiating unit (not shown), which comprises:
an acquiring module, configured to acquire a second private text and a second private value for updating the transaction state, the second private value and the first private value satisfying a preset relationship;
a third encryption module, configured to encrypt the second private text with the first symmetric key to generate third encrypted data;
a public key generating module, configured to generate the corresponding contract public key from the contract private key;
a fourth encryption module, configured to encrypt the second private value based on the contract public key using the first homomorphic encryption algorithm, to generate fourth encrypted data;
and a transaction generating module, configured to generate a second transaction invoking the first smart contract and fill second transaction content into the first smart contract, the second transaction content including the information on the m participants, the third encrypted data and the fourth encrypted data.
More specifically, in one embodiment, the public key generating module is configured to: perform a group operation on a third generator of an agreed third cyclic group based on the contract private key to obtain the contract public key.
In an embodiment, the second transaction initiating unit further includes a proof generating module configured to generate, based on a sigma zero-knowledge proof protocol, a third proof that the second private value was validly encrypted with the contract public key; accordingly, the transaction generating module may include the contract public key and the third proof in the second transaction content.
In one embodiment, the proof generating module is further configured to generate a fourth proof based on the Bulletproofs range proof protocol, the fourth proof proving that the second private value lies within a legal range and that the relative size of the second private value and the first private value lies within a predetermined range; accordingly, the transaction generating module may include the fourth proof in the second transaction content.
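The third proof above (and the first proof in the initiating method, which is the same statement about the first private value) is a sigma protocol for validity of the encryption. The patent does not spell out the relation, so the following added Python example, which is not the patent's or the applicant's code, assumes the exponential-ElGamal ciphertext (G^r, G^v * pk^r) in the order-Q subgroup of Z_P^* for a toy safe prime, and proves knowledge of (r, v) for that ciphertext with the standard two-commitment sigma protocol, made non-interactive with a Fiat-Shamir challenge bound to the public key, ciphertext and commitments. The Bulletproofs range proof for the fourth proof is not reproduced here. The function names are the example's own.

```python
"""Sigma-protocol proof of valid exponential-ElGamal encryption with Fiat-Shamir
(added example, not the patent's code). Toy group parameters as assumed."""
import hashlib
import secrets

P, Q, G = 10007, 5003, 4      # safe prime, subgroup order, generator of order Q


def encrypt_value(contract_pk: int, value: int):
    """Exponential ElGamal; the randomness r is returned because the prover needs it."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, value, P) * pow(contract_pk, r, P) % P), r


def challenge(*elements: int) -> int:
    """Fiat-Shamir challenge bound to the public key, ciphertext and commitments."""
    h = hashlib.sha256()
    for e in elements:
        h.update(e.to_bytes(4, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def prove_valid_encryption(contract_pk: int, ciphertext, r: int, value: int):
    """Prover knows (r, v) with c1 = G^r and c2 = G^v * pk^r; v stays hidden."""
    c1, c2 = ciphertext
    k1 = secrets.randbelow(Q)                          # blinding for r
    k2 = secrets.randbelow(Q)                          # blinding for v
    a1 = pow(G, k1, P)
    a2 = pow(G, k2, P) * pow(contract_pk, k1, P) % P
    e = challenge(contract_pk, c1, c2, a1, a2)
    z1 = (k1 + e * r) % Q
    z2 = (k2 + e * value) % Q
    return a1, a2, z1, z2


def in_subgroup(x: int) -> bool:
    """Reject elements outside the prime-order subgroup (small-subgroup check)."""
    return 0 < x < P and pow(x, Q, P) == 1


def verify_valid_encryption(contract_pk: int, ciphertext, proof) -> bool:
    """What the contract (or any node) checks before accepting the encrypted value."""
    c1, c2 = ciphertext
    a1, a2, z1, z2 = proof
    if not all(in_subgroup(x) for x in (contract_pk, c1, c2, a1, a2)):
        return False
    e = challenge(contract_pk, c1, c2, a1, a2)
    ok1 = pow(G, z1, P) == a1 * pow(c1, e, P) % P
    ok2 = pow(G, z2, P) * pow(contract_pk, z1, P) % P == a2 * pow(c2, e, P) % P
    return ok1 and ok2


def run_demo(value: int = 58):
    """Honest proof verifies; the same proof over an altered ciphertext does not."""
    sk = secrets.randbelow(Q - 1) + 1                # constructed contract private key
    pk = pow(G, sk, P)
    ct, r = encrypt_value(pk, value)
    proof = prove_valid_encryption(pk, ct, r, value)
    tampered = (ct[0], ct[1] * G % P)                # ciphertext altered after proving
    return verify_valid_encryption(pk, ct, proof), verify_valid_encryption(pk, tampered, proof)
```

Because the challenge commits to the public key and the ciphertext, a proof cannot be replayed against a different ciphertext or key, and the subgroup check stops malformed group elements from being smuggled into the contract's state.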
With the above apparatus, the security of the private data in a smart contract transaction is protected without affecting the blockchain's execution of the smart contract transaction on the chain.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 3 and 5.
According to an embodiment of yet another aspect, there is also provided a computing device comprising a memory and a processor, the memory having stored therein executable code, the processor, when executing the executable code, implementing the method described in connection with fig. 3 and 5.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The above embodiments describe the objects, technical solutions and advantages of the present invention in further detail. It should be understood that they are only exemplary embodiments and do not limit the scope of the present invention; any modification, equivalent substitution or improvement made on the basis of the technical solutions of the present invention falls within its scope.

Claims (28)

1. A method of initiating a smart contract transaction that protects private data, performed by a first participant, the method comprising:
determining a first contract identifier of a first smart contract to be invoked, m participants involved in the transaction, and private data to be filled into the first smart contract; wherein each of the m participants is pre-configured with a participant private key and a participant public key, the participant private key being generated based on a first cyclic group, the participant public key comprising a first public key portion and a second public key portion, the first public key portion being generated based on a second cyclic group and the second public key portion being generated based on a pairing between the first cyclic group and the second cyclic group; each participant also generates key cross terms for the other participants in a manner corresponding to the generation of its own participant private key; and the private data comprises a first private text;
generating first auxiliary information, the first auxiliary information comprising a first aggregation result obtained by performing a first aggregation on the first public key portions of the m participants;
performing a second aggregation, corresponding to the first aggregation, on the second public key portions of the m participants, and generating a first symmetric key from the second aggregation result and the first contract identifier;
encrypting the first private text with the first symmetric key to generate first encrypted data;
generating a first transaction invoking the first smart contract and filling first transaction content into the first smart contract, the first transaction content comprising the information on the m participants, the first auxiliary information and the first encrypted data.
2. The method of claim 1, wherein the private data further comprises a first private value, and the method further comprises:
generating a contract private key and a corresponding contract public key based on the first symmetric key and the first contract identifier;
encrypting the first private value based on the contract public key using a first homomorphic encryption algorithm to generate second encrypted data;
and including the second encrypted data in the first transaction content.
3. The method of claim 1, further comprising performing key configuration of the first participant in advance, which specifically comprises:
taking a first random number arbitrarily and taking a first element of the first cyclic group arbitrarily;
mapping the identifier of the first participant to a second element of the first cyclic group using a predetermined hash mapping function, and obtaining the participant private key of the first participant by a group operation in the first cyclic group on the first random number, the first element and the second element;
performing a group operation on a second generator of the second cyclic group based on the first random number to obtain the first public key portion of the first participant;
and obtaining the second public key portion of the first participant based on the pairing of the first element of the first cyclic group with the second generator.
4. The method of claim 3, wherein the key configuration of the first participant in advance further comprises:
for any second participant among the m participants, mapping the identifier of the second participant to a third element of the first cyclic group using the hash mapping function, obtaining a key cross term of the first participant for the second participant by a group operation in the first cyclic group on the first random number, the first element and the third element, and issuing the key cross term at least to the second participant.
5. The method of claim 1, wherein generating the first auxiliary information comprises:
taking a second random number arbitrarily, and performing a group operation on the second generator of the second cyclic group based on the second random number to generate an auxiliary field;
performing the first aggregation on the m first public key portions of the m participants based on the second random number to generate the first aggregation result;
the auxiliary field and the first aggregation result constituting the first auxiliary information;
and the second aggregation result being the result of performing the second aggregation on the m second public key portions of the m participants based on the second random number.
6. The method of claim 1, wherein generating the first symmetric key comprises:
performing a hash operation on the second aggregation result and the first contract identifier to obtain the first symmetric key.
7. The method of claim 2, wherein generating the contract private key and the corresponding contract public key based on the first symmetric key and the first contract identifier comprises:
performing a predetermined hash operation on the first symmetric key and the first contract identifier to obtain the contract private key;
and performing a group operation on a third generator of a third cyclic group based on the contract private key to obtain the contract public key.
8. The method of claim 7, wherein generating the second encrypted data comprises:
performing a group operation in the third cyclic group based on a selected third random number, the first private value and the contract public key to obtain the second encrypted data.
9. The method of claim 1, further comprising:
generating, based on a sigma zero-knowledge proof protocol, a first proof that the first private value was validly encrypted with the contract public key;
wherein filling the first transaction content into the first smart contract comprises including the contract public key and the first proof in the first transaction content.
10. The method of claim 1, further comprising:
generating, based on the Bulletproofs range proof protocol, a second proof that the first private value lies within a legal range;
wherein filling the first transaction content into the first smart contract comprises including the second proof in the first transaction content.
11. A method of executing a smart contract transaction that protects private data, performed by a second participant, the method comprising:
obtaining the transaction content of a first transaction invoking a first smart contract, the transaction content comprising information on the m participants involved in the transaction, first auxiliary information and first encrypted data; wherein the m participants include the second participant; each of the m participants is pre-configured with a participant private key and a participant public key, the participant private key being generated based on a first cyclic group, the participant public key comprising a first public key portion and a second public key portion, the first public key portion being generated based on a second cyclic group and the second public key portion being generated based on a pairing between the first cyclic group and the second cyclic group; each participant also generates key cross terms for the other participants in a manner corresponding to the generation of its own participant private key; the first auxiliary information comprises a first aggregation result of the first public key portions of the m participants, and the first encrypted data is data obtained by encrypting a first private text;
aggregating the key cross terms generated for the second participant by the other participants among the m participants together with the participant private key of the second participant, to obtain a third aggregation result;
restoring, from the third aggregation result, the first auxiliary information and a pairing between the first cyclic group and the second cyclic group, a second aggregation result obtained by aggregating the second public key portions of the m participants;
determining a first symmetric key from the second aggregation result and a first contract identifier of the first smart contract;
decrypting the first encrypted data with the first symmetric key to obtain the first private text;
and recording a local transaction state based at least on the first private text.
12. The method of claim 11, wherein the transaction content of the first transaction further comprises second encrypted data obtained by encrypting the first private value, and the method further comprises:
determining a contract private key based on the first symmetric key and the first contract identifier;
decrypting the second encrypted data with the contract private key using a first homomorphic decryption algorithm to obtain the first private value;
wherein recording the local transaction state further comprises recording the transaction state based on the first private value.
13. The method of claim 11, wherein obtaining the transaction content of the first transaction invoking the first smart contract comprises:
in response to receiving a transaction notification from a first node of the blockchain network, obtaining the transaction content of the first transaction from the blockchain.
14. The method of claim 11, wherein the participant private key of the second participant is generated by:
taking a fourth random number arbitrarily and taking a fourth element of the first cyclic group arbitrarily;
mapping the identifier of the second participant to a fifth element of the first cyclic group using a predetermined hash mapping function, and obtaining the participant private key of the second participant by a group operation in the first cyclic group on the fourth random number, the fourth element and the fifth element;
and a key cross term generated for the second participant by any third participant among the m participants is generated by: performing a group operation in the first cyclic group on a fifth random number taken arbitrarily by the third participant, a sixth element taken arbitrarily by the third participant, and the fifth element, to obtain the key cross term of the third participant for the second participant.
15. The method of claim 14, wherein the first auxiliary information comprises an auxiliary field and the first aggregation result, the auxiliary field being generated by a group operation on a second generator of the second cyclic group based on a random number;
and restoring the second aggregation result obtained by aggregating the second public key portions of the m participants comprises:
computing a first pairing result of the third aggregation result with the auxiliary field and a second pairing result of the fifth element with the first aggregation result, and combining the first pairing result and the second pairing result to obtain the second aggregation result.
16. The method of claim 11, wherein determining the first symmetric key from the second aggregation result and the first contract identifier of the first smart contract comprises:
performing a hash operation on the second aggregation result and the first contract identifier to obtain the first symmetric key.
17. The method of claim 12, wherein determining the contract private key based on the first symmetric key and the first contract identifier comprises:
performing a predetermined hash operation on the first symmetric key and the first contract identifier to obtain the contract private key.
18. The method of claim 12, wherein the second encrypted data is generated by a group operation in a third cyclic group based on the first private value and a contract public key corresponding to the contract private key;
and decrypting the second encrypted data with the contract private key to obtain the first private value comprises:
using the contract private key to obtain the result of the group operation performed on a fourth generator of the third cyclic group with the first private value;
and traversing the possible group operation results of the fourth generator to restore the first private value.
19. The method of claim 12, further comprising:
acquiring a second private text and a second private value for updating the transaction state, the second private value and the first private value satisfying a preset relationship;
encrypting the second private text with the first symmetric key to generate third encrypted data;
generating the corresponding contract public key from the contract private key;
encrypting the second private value based on the contract public key using the first homomorphic encryption algorithm to generate fourth encrypted data;
and generating a second transaction invoking the first smart contract and filling second transaction content into the first smart contract, the second transaction content comprising the information on the m participants, the third encrypted data and the fourth encrypted data.
20. The method of claim 19, wherein generating the corresponding contract public key from the contract private key comprises:
performing a group operation on a third generator of an agreed third cyclic group based on the contract private key to obtain the contract public key.
21. The method of claim 19, further comprising:
generating, based on a sigma zero-knowledge proof protocol, a third proof that the second private value was validly encrypted with the contract public key;
wherein filling the second transaction content into the first smart contract comprises including the contract public key and the third proof in the second transaction content.
22. The method of claim 19, further comprising:
generating, based on the Bulletproofs range proof protocol, a fourth proof that the second private value lies within a legal range and that the relative size of the second private value and the first private value lies within a predetermined range;
wherein filling the second transaction content into the first smart contract comprises including the fourth proof in the second transaction content.
23. An apparatus for initiating a smart contract transaction that protects private data, the apparatus being disposed in a terminal corresponding to a first participant, the apparatus comprising:
a determining unit, configured to determine a first contract identifier of a first smart contract to be invoked, m participants involved in the transaction, and private data to be filled into the first smart contract; wherein each of the m participants is pre-configured with a participant private key and a participant public key, the participant private key being generated based on a first cyclic group, the participant public key comprising a first public key portion and a second public key portion, the first public key portion being generated based on a second cyclic group and the second public key portion being generated based on a pairing between the first cyclic group and the second cyclic group; each participant also generates key cross terms for the other participants in a manner corresponding to the generation of its own participant private key; and the private data comprises a first private text;
an auxiliary information generating unit, configured to generate first auxiliary information comprising a first aggregation result obtained by performing a first aggregation on the first public key portions of the m participants;
a symmetric key generating unit, configured to perform a second aggregation, corresponding to the first aggregation, on the second public key portions of the m participants, and to generate a first symmetric key from the second aggregation result and the first contract identifier;
a first encryption unit, configured to encrypt the first private text with the first symmetric key to generate first encrypted data;
and a first transaction generating unit, configured to generate a first transaction invoking the first smart contract and fill first transaction content into the first smart contract, the first transaction content comprising the information on the m participants, the first auxiliary information and the first encrypted data.
24. The apparatus of claim 23, wherein the private data further comprises a first private value, and the apparatus further comprises:
a contract key generating unit, configured to generate a contract private key and a corresponding contract public key based on the first symmetric key and the first contract identifier;
and a second encryption unit, configured to encrypt the first private value based on the contract public key using a first homomorphic encryption algorithm to generate second encrypted data;
wherein the first transaction content filled by the first transaction generating unit further comprises the second encrypted data.
25. An apparatus for executing a smart contract transaction that protects private data, the apparatus being disposed in a terminal corresponding to a second participant, the apparatus comprising:
an obtaining unit, configured to obtain the transaction content of a first transaction invoking a first smart contract, the transaction content comprising information on the m participants involved in the transaction, first auxiliary information and first encrypted data; wherein the m participants include the second participant; each of the m participants is pre-configured with a participant private key and a participant public key, the participant private key being generated based on a first cyclic group, the participant public key comprising a first public key portion and a second public key portion, the first public key portion being generated based on a second cyclic group and the second public key portion being generated based on a pairing between the first cyclic group and the second cyclic group; each participant also generates key cross terms for the other participants in a manner corresponding to the generation of its own participant private key; the first auxiliary information comprises a first aggregation result of the first public key portions of the m participants, and the first encrypted data is data obtained by encrypting a first private text;
an aggregation unit, configured to aggregate the key cross terms generated for the second participant by the other participants among the m participants together with the participant private key of the second participant, to obtain a third aggregation result;
a restoring unit, configured to restore, from the third aggregation result, the first auxiliary information and a pairing between the first cyclic group and the second cyclic group, a second aggregation result obtained by aggregating the second public key portions of the m participants;
a symmetric key determining unit, configured to determine a first symmetric key from the second aggregation result and a first contract identifier of the first smart contract;
a first decryption unit, configured to decrypt the first encrypted data with the first symmetric key to obtain the first private text;
and a recording unit, configured to record a local transaction state based at least on the first private text.
26. The apparatus of claim 25, wherein the transaction content of the first transaction further comprises second encrypted data obtained by encrypting the first private value, and the apparatus further comprises:
a contract key determining unit, configured to generate a contract private key based on the first symmetric key and the first contract identifier;
and a second decryption unit, configured to decrypt the second encrypted data with the contract private key using a first homomorphic decryption algorithm to obtain the first private value;
wherein the recording unit is further configured to record the local transaction state based on the first private value.
27. A computer-readable storage medium, having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-22.
28. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, performs the method of any of claims 1-22.
Application CN201911267595.6A, priority date 2019-12-11, filing date 2019-12-11: Method and device for generating and executing intelligent contract transaction; legal status Active; published as CN112950367B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201911267595.6A CN112950367B (en) 2019-12-11 2019-12-11 Method and device for generating and executing intelligent contract transaction
PCT/CN2020/118000 WO2021114819A1 (en) 2019-12-11 2020-09-27 Methods for generating and executing smart contract transaction and device

Publications (2)

Publication Number Publication Date
CN112950367A CN112950367A (en) 2021-06-11
CN112950367B true CN112950367B (en) 2021-09-14

Family

ID=76233981

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911267595.6A Active CN112950367B (en) 2019-12-11 2019-12-11 Method and device for generating and executing intelligent contract transaction

Country Status (2)

Country Link
CN (1) CN112950367B (en)
WO (1) WO2021114819A1 (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113362065A (en) * 2021-07-07 2021-09-07 上海特高信息技术有限公司 Online signature transaction implementation method based on distributed private key
CN113726733B (en) * 2021-07-19 2022-07-22 东南大学 Encryption intelligent contract privacy protection method based on trusted execution environment
CN113722753B (en) * 2021-08-25 2024-05-10 银清科技有限公司 Private data processing method, device and system based on blockchain
CN113568981B (en) * 2021-09-24 2022-01-07 腾讯科技(深圳)有限公司 Transaction data processing method, device, equipment and medium
CN114357492B (en) * 2022-01-10 2024-06-25 天津大学 Medical data privacy fusion method and device based on blockchain
CN114444106B (en) * 2022-02-07 2023-03-17 百度在线网络技术(北京)有限公司 Correlation coefficient acquisition method and device, electronic equipment and storage medium
CN114520721B (en) * 2022-03-22 2024-03-29 杭州博盾习言科技有限公司 Multiparty secure computing privacy exchange method, device, equipment and storage medium
CN115529152A (en) * 2022-06-17 2022-12-27 上海健交科技服务有限责任公司 Script execution result transmission and verification method and device for keeping information privacy
CN115271741A (en) * 2022-08-03 2022-11-01 国网江苏省电力有限公司南通供电分公司 Intelligent payment system and method for electric power capital construction cost based on block chain technology
CN115017184B (en) * 2022-08-10 2022-11-08 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Data query method, device, medium and equipment
CN115170132B (en) * 2022-09-07 2022-12-09 浙江浙商互联信息科技有限公司 Payment method suitable for high-speed post network member system
CN115549998B (en) * 2022-09-20 2024-03-19 广西师范大学 Data collaboration method based on blockchain and multi-key homomorphic encryption
CN115809482B (en) * 2023-02-01 2023-05-16 上海金仕达软件科技股份有限公司 Data aggregation calculation method, device, medium and equipment based on random number confusion
CN115994161B (en) * 2023-03-21 2023-06-06 杭州金智塔科技有限公司 Data aggregation system and method based on multiparty security calculation
CN117150523A (en) * 2023-08-29 2023-12-01 浙江大学 Distributed power negotiation privacy protection method and device and electronic equipment
CN116912002B (en) * 2023-09-12 2023-12-12 深圳小米房产网络科技有限公司 Real estate transaction system based on blockchain technology

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106559211A (en) * 2016-11-22 2017-04-05 中国电子科技集团公司第三十研究所 Secret protection intelligence contract method in a kind of block chain
CN107682364A (en) * 2017-11-03 2018-02-09 杭州秘猿科技有限公司 One kind license chain privacy method of commerce
CN108418783A (en) * 2017-09-01 2018-08-17 矩阵元技术(深圳)有限公司 A kind of protection method of block chain intelligence contract privacy, medium
CN109559117A (en) * 2018-11-14 2019-04-02 北京科技大学 Block chain contract method for secret protection and system based on the encryption of attribute base
CN110414981A (en) * 2019-07-04 2019-11-05 华中科技大学 A kind of homomorphic cryptography method that supporting ZKPs and block chain transaction amount encryption method

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9858401B2 (en) * 2011-08-09 2018-01-02 Biogy, Inc. Securing transactions against cyberattacks
CN106897879A (en) * 2017-03-06 2017-06-27 广东工业大学 Block chain encryption method based on the PKI CLC close algorithms of isomerization polymerization label
WO2019070357A1 (en) * 2017-10-06 2019-04-11 Siemens Aktiengesellschaft Method and system for secure and private forward trading platform in transactive microgrids
CN108848062B (en) * 2018-05-23 2021-03-26 East China Normal University Blockchain-based controllable anonymous data security sharing method in vehicular networks
CN109145612B (en) * 2018-07-05 2021-11-16 Donghua University Blockchain-based cloud data sharing method for preventing data tampering and user collusion
CN109451467B (en) * 2018-10-22 2021-09-24 Jiangxi University of Science and Technology Vehicular ad hoc network data secure sharing and storage system based on blockchain technology
CN110120868B (en) * 2019-05-27 2022-03-01 Zhejiang Gongshang University Smart grid secure data aggregation method and system based on blockchain technology

Non-Patent Citations (1)

Title
Privacy data authentication scheme based on Borromean ring signatures; Zhang Fan et al.; Journal of Cryptologic Research; 2018-10-15 (No. 05); full text *

Also Published As

Publication number Publication date
WO2021114819A1 (en) 2021-06-17
CN112950367A (en) 2021-06-11

Similar Documents

Publication Publication Date Title
CN112950367B (en) Method and device for generating and executing intelligent contract transaction
US11936774B2 (en) Determining a common secret for the secure exchange of information and hierarchical, deterministic cryptographic keys
KR20200066258A (en) System and method for information protection
US10846372B1 (en) Systems and methods for trustless proof of possession and transmission of secured data
CN111431713A (en) Private key storage method and device and related equipment
CN113674077A (en) Consumption credit risk prevention method, system, equipment and storage medium
CN112765667B (en) Privacy protection method, device and system based on block chain
WO2019110399A1 (en) Two-party signature device and method
Han et al. An efficient multi-signature wallet in blockchain using bloom filter
Singh et al. A novel credential protocol for protecting personal attributes in blockchain
CN111783136A (en) Data protection method, device, equipment and storage medium
Cebeci et al. Secure e-commerce scheme
US9641333B2 (en) Authentication methods, systems, devices, servers and computer program products, using a pairing-based cryptographic approach
Homoliak et al. An air-gapped 2-factor authentication for smart-contract wallets
US20240187256A1 (en) Systems and methods for enforcing cryptographically secure actions in public, non-permissioned blockchains using bifurcated self-executing programs comprising shared digital signature requirements
CN116210199A (en) Data management and encryption in a distributed computing system
US20220286291A1 (en) Secure environment for cryptographic key generation
CN114514550A (en) Partitioning requests into blockchains
CN114417389A (en) Method for storing user asset limit through addition homomorphic encryption in block chain
CN116250209A (en) Data management and encryption in a distributed computing system
Chang et al. A highly efficient and secure electronic cash system based on secure sharing in cloud environment
Lin Faceless: A cross-platform private payment scheme for human-readable identifiers
CN112818384B (en) Asset processing method, device, equipment and storage medium based on blockchain
Yang et al. Enhancing SCF with Privacy-Preserving and Splitting-Enabled E-Bills on Blockchain
Cebeci, Istanbul Technical University, Graduate School

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant