CN113743935A - Method and system for off-chain anonymous payment channel based on MimbleWimble - Google Patents

Method and system for off-chain anonymous payment channel based on MimbleWimble

Info

Publication number
CN113743935A
Authority
CN
China
Prior art keywords
transaction
channel
amount
sum
payer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110956886.7A
Other languages
Chinese (zh)
Inventor
关振宇
张砺心
白琳
李大伟
孙钰
崔剑
张英鹏
李海花
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/405 Establishing or using transaction specific rules

Abstract

The application discloses a method and a system for an off-chain anonymous payment channel based on MimbleWimble, comprising the following steps. Opening a channel: the two parties determine the minimum amount to be deposited and open a payment channel by each depositing coins larger than that minimum into the channel; at deposit time the part exceeding the minimum is treated as a random amount and is split off so that it cannot be spent. Updating the channel state: based on the transaction mode of the underlying MimbleWimble, a pre-transaction is generated according to the transaction amount negotiated for the current round, a transaction is generated from the pre-transaction, and the transactions are aggregated; the aggregation combines not only the pre-transaction generated by the payer and the transaction generated by the payee but also the balance currently owned by the payee. Closing the channel: the two parties refund according to the latest balance distribution and close the payment channel. The method can improve the scalability of the Bitcoin network and reduce transaction confirmation time and transaction fees while guaranteeing anonymity.

Description

Method and system for off-chain anonymous payment channel based on MimbleWimble
Technical Field
The application relates to the technical field of information security, in particular to a method and a system for an off-chain anonymous payment channel based on MimbleWimble.
Background
The blockchain, as a distributed data storage scheme, has the characteristics of being unforgeable, traceable, public, transparent and collectively maintained, and has been widely applied in various industries in recent years. Bitcoin, a decentralized payment system proposed in 2008, has been strongly attractive since its birth as the most successful application of blockchain technology. However, the Bitcoin system can process no more than 7 transactions per second; the transaction speed is slow and the confirmation time is long, so the transaction speed of Bitcoin urgently needs to be improved. Meanwhile, in order to verify the authenticity and correctness of each transaction, the blockchain stores every transaction that occurs between users in the network and adds it to a block, which results in low transaction throughput and poor scalability. Furthermore, placing every transaction on the chain raises privacy issues: an attacker can analyze user identities and launch attacks through the transaction records disclosed in the blockchain.
MimbleWimble is a privacy-enhancing technology for the Bitcoin blockchain, proposed by an anonymous author in 2016; it combines several cryptographic techniques, including confidential transactions, aggregated signatures and range proofs, to achieve good privacy. The Lightning Network is a concept proposed by researchers in recent years for the problems of long confirmation time and poor scalability of the Bitcoin network. It is a peer-to-peer network, a second-layer technology that operates on top of Bitcoin and other blockchains, and realizes a real-time, high-volume transaction network without trusting the counterparty or a trusted third party. Typically, two parties who frequently transact with each other create a payment channel by committing a fixed amount to the channel in advance; the payment channel lets them transact off-chain while the security of the transactions is still maintained on the chain, relieving the burden on the blockchain. However, although the Lightning Network moves most transactions off-chain, the channel-opening and channel-closing operations that are submitted on-chain as evidence can still expose a large amount of a user's private information.
As a blockchain privacy-enhancing technology, MimbleWimble has been applied to several new digital currencies, such as Grin, thanks to its ability to hide the identities of both parties and the transaction amount. However, MimbleWimble has drawbacks in terms of fees and transaction confirmation time; two problems stand out. First, miners must still be paid a high fee to ensure that the transaction is recorded on the chain. Second, miners must verify the zero-knowledge proofs of the commitments and amounts in the transaction to ensure its authenticity, which leads to a long transaction confirmation time. These drawbacks limit the widespread use of the technology.
Disclosure of Invention
The present application is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, an object of the present application is to provide a method for an off-chain anonymous payment channel based on MimbleWimble, which can improve the scalability of the Bitcoin network and reduce transaction confirmation time and transaction fees while ensuring anonymity, i.e. neither the two parties of a transaction nor the transaction amount is disclosed.
Another object of the present application is to provide a system for an off-chain anonymous payment channel based on MimbleWimble.
In order to achieve the above object, an embodiment of one aspect of the present application provides a method for an off-chain anonymous payment channel based on MimbleWimble, including the following steps. Opening a channel: determining a minimum amount to be deposited, opening a payment channel by each party depositing coins larger than that minimum into the channel, and, at deposit time, treating the portion exceeding the minimum as a random amount and splitting it off so that it cannot be spent. Updating the channel state: based on the transaction mode of the underlying MimbleWimble, generating a pre-transaction according to the transaction amount negotiated for the current round, generating a transaction from the pre-transaction, and aggregating the transactions, where the aggregation combines not only the pre-transaction generated by the payer and the transaction generated by the payee but also the balance currently owned by the payee. Closing the channel: the two parties refund according to the latest balance distribution and close the payment channel.
In order to achieve the above object, an embodiment of another aspect of the present application provides a system for an off-chain anonymous payment channel based on MimbleWimble, including: an opening module for determining the minimum amount to be deposited, opening the payment channel by each party depositing coins larger than that minimum into the channel, and, at deposit time, treating the portion exceeding the minimum as a random amount and splitting it off so that it cannot be spent; an updating module for generating, based on the transaction mode of the underlying MimbleWimble, a pre-transaction according to the transaction amount negotiated for the current round, generating a transaction from the pre-transaction and aggregating the transactions, where the aggregation combines the balance currently owned by the payee in addition to the pre-transaction generated by the payer and the transaction generated by the payee; and a closing module for closing the payment channel after the two parties refund according to the latest balance distribution.
The method and system for an off-chain anonymous payment channel based on MimbleWimble improve the scalability and transaction speed of the blockchain and realize fast, high-volume micropayments between users, with the following beneficial effects:
1) Transaction anonymity is achieved. Anonymity covers two aspects: hiding the payment amount and hiding the two parties. For the payment amount, besides the blinding factor of the Pedersen commitment, which guarantees that the amount of deposited coins is known only to the two transacting parties, the scheme adds a random amount, which guarantees that only the depositor knows the exact amount it deposited; even the partner in the payment channel cannot learn it. After the payment channel is opened, transactions are moved into the channel established by the two parties and executed off-chain; they are not uploaded to the blockchain, and in the end only the channel-opening and channel-closing transactions appear on the chain. Because the blockchain system is based on MimbleWimble, the transactions uploaded to the blockchain are continuously aggregated and mixed, and mixing a large number of transactions prevents an attacker from analyzing the identities of the two parties from a single transaction, so the anonymity of user identities is effectively ensured.
2) Coin-theft attacks are resisted. When opening the payment channel with the fixed amount negotiated by both parties, each party also deposits a random amount. This extra amount is known only to the depositor and kept secret from the other party in the channel; it is disclosed only when the channel is refunded and closed. This avoids the situation where, after the coins are locked, a transaction rollback leaves the two parties unable to use the payment channel for off-chain transactions.
3) Broadcast-old-transaction attacks are prevented. After each channel update, the two parties exchange with their channel partner the blinding factors used in the previous round of transactions. If either party tries to cheat by broadcasting an old transaction in order to refuse payment, the other party can recursively reconstruct the cheating party's committed transactions from those blinding factors, so the cheating party does not receive its money in the channel and it goes to the other party instead.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a flowchart of a method for a MimbleWimble-based off-chain anonymous payment channel according to an embodiment of the present application;
FIG. 2 is a flowchart framework of a method for a MimbleWimble-based off-chain anonymous payment channel according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a system for a MimbleWimble-based off-chain anonymous payment channel according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application.
The method combines the MimbleWimble privacy-protection technology with the Lightning Network and can improve the scalability and transaction speed of the blockchain while protecting the privacy of its users. Any user of a blockchain that uses MimbleWimble can, by negotiation, open an off-chain payment channel with another user it frequently transacts with, move the large number of transactions that would otherwise take place on the chain off-chain, and store only the two transactions that open and close the channel on the chain. In this solution, when a user opens a channel, the two parties first negotiate the minimum amount that each deposits into the channel; in addition, each party deposits a further random amount, so that a malicious attacker cannot open the user's commitment from a known amount, which strengthens the security of the input commitment. After the channel is opened, the two parties carry out their off-chain transactions in the form of MimbleWimble confidential transactions, and the transactions are aggregated after each transaction. When the channel is closed, the channel refunds the two users according to their current distribution of the amount, and either user can initiate a refund at any time.
The MimbleWimble system mainly consists of several basic components: a commitment scheme COMM, an aggregate signature scheme SIG and a non-interactive zero-knowledge proof system Π.
(1) Commitment scheme: the Pedersen commitment based on the discrete logarithm assumption in a cyclic group, $C = v \cdot H + k \cdot G$, is chosen.
Let the commitment scheme COMM = (Setup, Commit, Vercom) consist of the following algorithms:
The Setup algorithm is the commitment initialization algorithm; it takes the commitment parameter $com_p$ as input and outputs three things: the value space $v_p$, the key space $k_p$ and the commitment space $C_p$.
The Commit algorithm generates a commitment; it takes a value $v \in v_p$ and a random number $k \in k_p$ as input and outputs a commitment $C \in C_p$ to the value v under the random number k.
The Vercom algorithm is the commitment verification algorithm; it takes a tuple (C, v, k) as input and outputs 1 if C is a valid commitment to v with k, and 0 otherwise.
(2) Aggregate signatures: the aggregate signature scheme SIG = (KeyGen, Sign, Agg, Versig) uses the Schnorr signature as used in the Grin project.
The KeyGen algorithm is the key generation algorithm; it takes $sig_p$ as input and generates a private key $sk \in sk_p$ and a public key $pk \in pk_p$.
The Sign algorithm is the signing algorithm; it takes $sig_p$, the private key sk and a message m as input and outputs the signature sig of m under sk.
The Agg algorithm is the signature aggregation algorithm; it aggregates the signatures $sig_0$ and $sig_1$ generated for two messages $l_0$ and $l_1$ and produces an aggregated signature sig.
The Versig algorithm is the signature verification algorithm, used to verify the correctness and authenticity of a signature.
(3) Non-interactive zero-knowledge proof system Π
In this application, the commitments and amounts in the scheme are verified using a non-interactive zero-knowledge proof system, without revealing any knowledge. On the one hand, the proof system can verify the value of a commitment without opening it; on the other hand, the transaction amounts in the scheme must be guaranteed to lie within a fixed range. The currently popular Bulletproofs are chosen, and the proof system is Π = (Setup, Prv, Ver).
The Setup algorithm is the initialization algorithm; it generates the common reference string crs and provides an extractor for valid proofs (simulation extractability).
The Prv algorithm is the proving algorithm, used to generate a zero-knowledge proof π.
The Ver algorithm is the verification algorithm, used to verify the validity of a proof.
The off-chain anonymous payment channel scheme realizes a bidirectional payment channel and mainly consists of the following parts:
Coin: each coin C contains a coin amount v and a coin key k, and can be spent only by a user who owns both.
Transaction: in the payment channel, a transaction lets the two parties that created the channel freely reallocate the deposit within the channel. In general, a transaction consists of three parts: the input coin tx.in, the output coin tx.out and a proof P, written tx = (C, C', P). P is a triple (KE, sig, π), where sig is the signature on the transaction, KE is the transaction kernel used to verify that the transaction signature is correct, and π is the output of the range proof.
Pre-transaction: a pre-transaction lets one party transfer funds to the other party in the payment channel it shares with it. Like a transaction, a pre-transaction has three attributes: the input coin ptx.in, the output change coin ptx.out, and the coin ptx.pay paid to the recipient.
Off-chain transaction scheme: let $p := (com_p, sig_p, crs)$; the off-chain transaction scheme mainly consists of the following algorithms:
$(tx, k) \leftarrow Compose(p, (C_1, v_1, k_1), (C_2, v_2, k_2))$: the composition algorithm Compose takes two coins as input and outputs the transaction tx with which the two parties open the payment channel for off-chain payment; the two parties call Compose and deposit a certain amount into the channel.
$(C', v', k'), (C'', v'', k'') \leftarrow Decompose(p, (C, v, k), v')$: the decomposition algorithm Decompose takes one coin as input and outputs two coins of amounts $v'$ and $v''$ whose sum equals the input amount v, so that a coin of amount v is decomposed into two valid coins $C'$ and $C''$.
$(ptx, k') \leftarrow Send(p, (C, v, k), v')$: the sending algorithm Send takes a coin C and the amount to send $v'$ as input and outputs a pre-transaction ptx and a coin key $k'$. When the sender wants to perform a transaction that updates the allocation of the deposit in the channel, it first calls Send.
$(tx, k'') \leftarrow Receive(p, ptx, v'', (C, v, k))$: the receiving algorithm Receive takes a pre-transaction ptx, the transaction amount $v''$ equal to ptx.pay and a coin C as input, and outputs a final transaction tx and a key $k''$. The receiver uses it to turn the received pre-transaction into a final valid transaction.
$tx \leftarrow Agg(p, tx_0, tx_1)$: the transaction aggregation algorithm Agg takes two transactions $tx_0$ and $tx_1$ as input, aggregates them and outputs the aggregated transaction tx.
$(C_{f1}, v_{f1}, k_{f1}), (C_{f2}, v_{f2}, k_{f2}) \leftarrow Refund(p, (C_1, v_1, k_1), (C_2, v_2, k_2), tx, (C'_1, v'_1, k'_1), (C'_2, v'_2, k'_2))$: the refund algorithm Refund takes the four coins $C_1, C_2, C'_1, C'_2$ and the transaction tx as input and outputs two final coins $C_{f1}$ and $C_{f2}$. When a user in the channel wants to close it and withdraw the current balance, both sides call Refund and close the channel.
The method and system for an off-chain anonymous payment channel based on MimbleWimble proposed in the embodiments of the present application are described below with reference to the accompanying drawings.
First, the proposed method for an off-chain anonymous payment channel based on MimbleWimble according to an embodiment of the present application is described with reference to the drawings.
Fig. 1 is a flowchart of a method for an off-chain anonymous payment channel based on MimbleWimble according to an embodiment of the present application.
As shown in Fig. 1, the method for an off-chain anonymous payment channel based on MimbleWimble includes the following steps:
In step S101, the channel-opening step: determining the minimum amount to be deposited, opening the payment channel by each party depositing coins larger than that minimum into the channel, and, at deposit time, treating the portion exceeding the minimum as a random amount and splitting it off so that it cannot be spent.
Optionally, in an embodiment of the present application, the channel-opening step specifically includes: the two parties negotiate the minimum amount for the payment channel to be opened; each party selects, according to a preset selection strategy, an amount larger than that minimum from the amounts it owns and deposits it, together with a random amount, into the payment channel; a preset construction algorithm is executed to check the validity of the deposited coins, ensuring that the coins deposited into the payment channel are legitimate, are not double-spent and exceed the value agreed by the two parties; after both parties have deposited coins into the payment channel, a deposit transaction is generated; a preset decomposition algorithm is executed to split each deposited coin into a first valid coin and a second valid coin, where the amount of the first coin is the minimum negotiated by the two parties and the amount of the second coin is the random amount; after both parties have deposited coins larger than the minimum into the payment channel, the channel is judged to have been opened successfully, and the current state and the current keys of the available coins are determined.
Specifically, referring to Fig. 2, in a specific embodiment the channel-opening step is implemented in six steps:
Step 1: the two parties negotiate the amount $v_{init}$ for opening a payment channel and plan to move the subsequent large number of transactions between them off-chain.
Step 2: each party selects, from the coins it owns and according to a chosen selection strategy, an amount larger than the minimum $v_{init}$ negotiated in step 1, and additionally deposits a random amount ($v'_a$ and $v'_b$ respectively) known only to the depositor into the payment channel. The random amount serves only to protect the depositor's own deposit transaction from being opened easily, and it cannot be transferred through transactions within the payment channel.
Step 3: the construction algorithm (see Table 1) is executed, which first checks the validity of the deposited coins and ensures that the coins deposited into the payment channel are legitimate, are not double-spent and that the amount exceeds the predetermined value $v_{init}$.
Table 1: construction algorithm (given in the original as an image; not reproduced here)
Step 4: both parties deposit coins into the channel, generating the deposit transaction $tx_{fund}$.
Step 5: both parties execute the decomposition algorithm (see Table 2) to split each deposited coin into two valid coins $(C', v', k')$ and $(C'', v'', k'')$, one of the amount $v_{init}$ negotiated between the two parties and the other of the random deposit amount. This operation ensures that they agree on the amount in the current channel state and fixes the amount each can currently spend.
Table 2: decomposition algorithm (given in the original as an image; not reproduced here)
Step 6: once both parties have deposited coins of amount greater than the fixed value $v_{init}$ into the payment channel, the channel is opened successfully; the current state is $state_0$ and the current keys of the two parties' available coins are $k_{a,0}$ and $k_{b,0}$.
In step S102, the channel-state-updating step: based on the transaction mode of the underlying MimbleWimble, generating a pre-transaction according to the transaction amount negotiated for the current round, generating a transaction from the pre-transaction, and aggregating the transactions, where the aggregation combines the balance currently owned by the payee in addition to the pre-transaction generated by the payer and the transaction generated by the payee.
Optionally, in an embodiment of the present application, the channel-state-updating step further includes: the payer and the payee negotiate the transaction amount of the current round corresponding to the current state; the payer executes the sending algorithm to construct the pre-transaction, obtaining the transaction amount to be paid to the payee and the change returned to the payer, and at the same time generates a key for the amount to be paid to the payee; the payer sends the constructed pre-transaction to the payee; the payee executes the receiving algorithm, checks the correctness of the pre-transaction received in the current round and generates a new transaction, then aggregates the transaction generated in the current round with its balance coin in the current state to produce the final transaction of the current round; after the payee issues the final transaction of the current round, the payer and the payee exchange the keys used in the previous state.
Specifically, on the basis of the above embodiment, the channel-state-updating phase is similar to the on-chain transaction phase and is implemented in six steps:
Step 7: the payer and the payee negotiate the transaction amount $v_i$ of the current round, the current state being $state_i$.
Step 8: the payer executes the sending algorithm (see Table 3) to construct a pre-transaction whose output has two parts, the transaction amount $v_i$ to be paid to the payee and the change $v'$ returned to the payer, and the payer generates a key $k'_i$ for $v_i$.
Table 3: sending algorithm (given in the original as an image; not reproduced here)
Step 9: the payer sends the constructed pre-transaction $ptx_i$ to the payee.
Step 10: the payee executes the receiving algorithm (see Table 4), which first checks the correctness of the pre-transaction received in the current round and generates a new transaction $tx'_i$ whose key $k_i$ is known only to the payee. Next, the payee aggregates the pre-transaction $ptx_i$ and the transaction $tx'_i$ generated in this round with its balance coin $C_{b,i-1}$ in the current state, so that the transaction size stays fixed rather than growing linearly as transactions proceed and the off-chain allocation changes, and produces the final transaction $tx_i$ of the current round.
Table 4: receiving algorithm (given in the original as an image; not reproduced here)
Step 11: the payee issues the final transaction $tx_i$ of the current round.
Step 12: the payer and the payee exchange the keys $k_{a,i-1}$ and $k_{b,i-1}$ used in the previous state $state_{i-1}$.
In step S103, a close channel step: and closing the payment channel after the transaction parties refund according to the current latest balance distribution state.
Optionally, in an embodiment of the present application, the step of closing the channel includes: broadcasting the transaction to refund in any transaction direction block chain in the payment channel, and executing a refund algorithm; and determining coins containing the random sum stored when the two transaction parties disclose opening the channel, merging the random sum of the two transaction parties in the channel and the balance in the current channel, and then changing the merged sum to the two transaction parties.
Optionally, in an embodiment of the present application, after executing the refund algorithm, the method further includes: checking whether the distribution balance of the two parties of the current channel is correct and effective, and checking whether the final transaction of the current round is the latest transaction.
Optionally, in an embodiment of the present application, the step of closing the channel further includes: if the check is invalid, the honest transactor may be credited with the wrongback coin key and the transaction amount for each round and transferred to itself.
Specifically, on the basis of the above embodiment, the channel closing stage is realized in three steps:
Step 13: either party in the payment channel broadcasts the transaction tx_i to the blockchain for refund and executes the refund algorithm (see Table 5), which checks whether the balance allocation C_{a,i} and C_{b,i} of the two parties of the current channel is correct and valid, and whether tx_i is the latest transaction.
TABLE 5 Refund algorithm (rendered as an image in the original; not reproduced here)
Step 14: both transaction parties reveal the coins C'_a and C'_b containing the random amounts that were deposited when the channel was opened. If the check passes, each party's random amount in the channel is merged with its current channel balance C_{a,i} or C_{b,i} and returned to the two parties; if the check fails, the honest party can use the cheating party's coin keys k_{x,0}, k_{x,1}, ..., k_{x,i-1}, recovered round by round, together with the per-round transaction amounts {v_0, v_1, ..., v_{i-1}}, to recover the cheating party's coins and transfer them to itself.
Step 15: the channel is closed.
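The update rounds (steps 10 to 12) and the refund check (steps 13 to 15) above, as an added Python model; this is not code from the patent or its authors. It assumes a toy Pedersen commitment in Z_p^* with p = 2^127 - 1 (my choice for a stdlib-only example; MimbleWimble itself uses elliptic-curve points) and omits kernel signatures, range proofs and the random-amount deposit coins C'_a and C'_b. The party names A and B, the amounts, and the Channel/Tx interface are constructed for the example.

```python
"""Toy model of the channel update (steps 10-12) and refund check (steps 13-15).
Added example, not the patent's code. Pedersen commitments are taken in Z_p^* with
p = 2^127 - 1, C = g^v * h^k mod p: the additive homomorphism MimbleWimble relies on
survives, but this is NOT secure (toy modulus, no kernel signatures or range proofs)."""
import hashlib
import math
import secrets

P = 2**127 - 1                                                       # toy prime modulus
G = 2                                                                # base for values
H = int.from_bytes(hashlib.sha256(b"toy-mw-H").digest(), "big") % P  # base for keys


def commit(v, k):
    """Pedersen commitment g^v * h^k mod p: hides v, binds to (v, k)."""
    return pow(G, v, P) * pow(H, k, P) % P


def new_key():
    return secrets.randbelow(P - 1) + 1


class Tx:
    def __init__(self, inputs, outputs, excess):   # commitments in/out; excess = sum(k_out) - sum(k_in)
        self.inputs, self.outputs, self.excess = list(inputs), list(outputs), excess

    def balanced(self):
        # prod(outputs) == prod(inputs) * h^excess  <=>  outputs minus inputs commits to value 0
        return math.prod(self.outputs) % P == math.prod(self.inputs) * pow(H, self.excess, P) % P


def aggregate(*txs):
    """Merge transactions; an output spent inside the aggregate is cut through."""
    ins = [c for t in txs for c in t.inputs]
    outs = [c for t in txs for c in t.outputs]
    for c in list(outs):
        if c in ins:
            ins.remove(c)
            outs.remove(c)
    return Tx(ins, outs, sum(t.excess for t in txs))


class Channel:
    def __init__(self, deposits):                      # {party: spendable amount}
        self.balance = dict(deposits)
        self.key = {n: new_key() for n in deposits}
        self.rounds = []     # (payer, payee, v) per round: the v_0..v_{i-1} of step 14
        self.revealed = []   # per round: keys of the state it superseded (step 12)
        self.txs = []        # tx_1 .. tx_i; the last entry is the latest state

    def coin(self, n):
        return commit(self.balance[n], self.key[n])

    def update(self, payer, payee, v):
        if not 0 < v <= self.balance[payer]:
            raise ValueError("round amount exceeds payer balance")
        # send (payer): spend the balance coin into a change coin and a payment coin
        k_change, k_pay = new_key(), new_key()
        pay_coin = commit(v, k_pay)
        ptx = Tx([self.coin(payer)],
                 [commit(self.balance[payer] - v, k_change), pay_coin],
                 k_change + k_pay - self.key[payer])
        # accept (payee, step 10): check ptx, then fold the payment coin and the payee's own
        # balance coin into one new coin under a key only the payee knows (fixed 2 in / 2 out)
        if not ptx.balanced():
            raise ValueError("pre-transaction does not balance")
        k_new = new_key()
        tx_p = Tx([pay_coin, self.coin(payee)],
                  [commit(self.balance[payee] + v, k_new)],
                  k_new - k_pay - self.key[payee])
        tx = aggregate(ptx, tx_p)
        assert tx.balanced() and len(tx.inputs) == 2 and len(tx.outputs) == 2
        # steps 11-12: publish tx_i in the channel, then reveal the superseded state's keys
        self.revealed.append(dict(self.key))
        self.balance[payer], self.balance[payee] = self.balance[payer] - v, self.balance[payee] + v
        self.key[payer], self.key[payee] = k_change, k_new
        self.rounds.append((payer, payee, v))
        self.txs.append(tx)
        return tx

    def balance_at(self, n, j):
        """A party's balance in state j, recovered by undoing rounds j+1..i."""
        b = self.balance[n]
        for payer, payee, v in self.rounds[j:]:
            b += v if n == payer else -v
        return b

    def refund_check(self, broadcast, honest):
        """Steps 13-14: the broadcast tx must balance and be the latest state; for a stale
        tx_j the honest party rebuilds the cheater's state-j coin from revealed key + amounts."""
        if not broadcast.balanced():
            return "invalid"
        idx = next((i for i, t in enumerate(self.txs) if t is broadcast), None)
        if idx is None:
            return "unknown"
        if idx == len(self.txs) - 1:
            return "latest"
        j, cheater = idx + 1, next(n for n in self.balance if n != honest)   # broadcast is tx_j
        stale_coin = commit(self.balance_at(cheater, j), self.revealed[j][cheater])
        assert stale_coin in broadcast.outputs
        return ("stale", j, stale_coin)


def demo():
    """Three rounds between A and B (constructed); returns the channel and its final txs."""
    ch = Channel({"A": 50, "B": 30})
    return ch, [ch.update("A", "B", 10), ch.update("B", "A", 5), ch.update("A", "B", 20)]
```

Running demo() shows the two properties the description relies on: every round's final tx_i balances (the product of output commitments equals the product of input commitments times h^excess) while staying at two inputs and two outputs no matter how many rounds have passed, because the payment coin is cut through inside the aggregate; and once the keys of state i-1 have been exchanged in step 12, a party that later broadcasts the stale tx_j is caught by refund_check, which recomputes that party's old coin from the revealed key and the round amounts, which is exactly what the honest party needs in order to spend it.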
In summary, the present application comprises three parts: opening a channel, updating the channel state and closing the channel. Opening a channel: the two transaction parties first negotiate the minimum amount to be deposited and open the payment channel by each depositing coins larger than that amount into the channel; during the deposit, the portion above the minimum amount is treated as a random amount, which is deconstructed so that it cannot be spent and serves only as a protection factor held by each of the two parties. Once the off-chain payment channel is open, the two parties can move a large volume of subsequent transactions off-chain, reducing the load on the blockchain. Updating the channel state: this resembles the ordinary transaction mode of the underlying MimbleWimble and consists of four steps, namely negotiating the transaction amount of the current round, generating the pre-transaction, generating the transaction, and transaction aggregation; besides aggregating the pre-transaction generated by the payer and the transaction generated by the payee, the aggregation also includes the payee's current balance so that the transaction size stays fixed. Closing the channel: the two transaction parties refund according to the current latest balance allocation state and close the channel.
According to the method for an off-chain anonymous payment channel based on MimbleWimble, the anonymity of transactions is guaranteed by the underlying cryptographic techniques of MimbleWimble, and hence anonymity between the two transaction parties after the off-chain anonymous payment channel is opened is guaranteed. The random amount deposited ensures that a malicious attacker cannot open a commitment by exhaustive search to steal the user's coins. In addition, after each round of transactions is finished, the two transaction parties exchange the coin keys used in that round to prevent old transactions from being broadcast.
Next, an off-chain anonymous payment channel system based on MimbleWimble proposed according to an embodiment of the present application is described with reference to the accompanying drawings.
Fig. 3 is a schematic structural diagram of an off-chain anonymous payment channel system based on MimbleWimble according to an embodiment of the application.
As shown in Fig. 3, the off-chain anonymous payment channel system based on MimbleWimble includes an opening module 100, an updating module 200, and a closing module 300.
The opening module 100 is configured to determine the minimum amount to be deposited and to open a payment channel by each party depositing coins larger than the minimum amount into the channel; when depositing, the portion larger than the minimum amount is used as a random amount, and the random amount is deconstructed so that it cannot be spent. The updating module 200 is configured to update the channel state: generate a pre-transaction according to the negotiated transaction amount of the current round using the transaction mode of the underlying MimbleWimble, generate a transaction based on the pre-transaction, and perform transaction aggregation, wherein the aggregation combines the pre-transaction generated by the payer, the transaction generated by the payee, and the balance currently owned by the payee. The closing module 300 is configured to close the payment channel after the two transaction parties refund according to the current latest balance allocation state.
Optionally, in an embodiment of the present application, the opening module is specifically configured to: determine the minimum amount that the two transaction parties negotiate for opening the payment channel; select, from the owned amounts, an amount larger than the minimum amount according to a preset selection strategy, and deposit it together with the random amount into the payment channel; execute a preset construction algorithm that checks the validity of the deposited coins, ensuring that the coins deposited in the payment channel are legitimate, are not double spent, and are larger than the value agreed by the two parties; generate a deposit transaction after the two transaction parties deposit the coins into the payment channel; execute a preset deconstruction algorithm that decomposes the deposited coin into a first effective coin and a second effective coin, wherein the amount of the first effective coin is the minimum amount negotiated by the two parties and the amount of the second effective coin is the random amount; and, after both transaction parties have deposited coins larger than the minimum amount into the payment channel, judge that the payment channel is successfully opened and determine the current state and current key of the available coins.
Optionally, in an embodiment of the present application, the updating module is specifically configured to: determine the transaction amount of the current round negotiated by the payer and the payee for the current state; when the payer executes the sending algorithm to construct the pre-transaction, obtain the transaction amount to be paid to the payee and the change amount returned to the payer, the payer also generating a corresponding key for the transaction amount to be paid to the payee; have the payer send the constructed pre-transaction to the payee; when the payee executes the acceptance algorithm, check the correctness of the pre-transaction received in the current round, generate a new transaction, and have the payee aggregate the transaction generated in the current round with its balance coin in the current state to produce the final transaction of the current round; and, after the payee publishes the final transaction of the current round, have the payer and the payee exchange the keys used in the previous state.
Optionally, in an embodiment of the present application, the closing module is specifically configured to: have either transaction party in the payment channel broadcast the transaction to the blockchain for refund and execute the refund algorithm; and determine the coins containing the random amounts that the two transaction parties stored when opening the channel and reveal, merge each party's random amount in the channel with its balance in the current channel, and return the merged amount to the two transaction parties.
It should be noted that the foregoing explanation of the embodiment of the method for an off-chain anonymous payment channel based on MimbleWimble also applies to the system for an off-chain anonymous payment channel based on MimbleWimble in this embodiment, and is not repeated here.
According to the off-chain anonymous payment channel system based on MimbleWimble, the anonymity of transactions is guaranteed by the underlying cryptographic techniques of MimbleWimble, and hence anonymity between the two transaction parties after the off-chain anonymous payment channel is opened is guaranteed. The random amount deposited ensures that a malicious attacker cannot open a commitment by exhaustive search to steal the user's coins. In addition, after each round of transactions is finished, the two transaction parties exchange the coin keys used in that round to prevent old transactions from being broadcast.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
In the description herein, reference to the description of the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the various embodiments or examples and the features of different embodiments or examples described in this specification can be combined by one skilled in the art without contradiction.
Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (10)

1. A method for an off-chain anonymous payment channel based on MimbleWimble, characterized by comprising the following steps:
opening a channel: determining a minimum amount to be deposited, opening a payment channel by each party depositing coins larger than the minimum amount into the channel, and, at the time of depositing, treating the portion larger than the minimum amount as a random amount and deconstructing the random amount so that it cannot be spent;
updating the channel state: generating a pre-transaction according to the negotiated transaction amount of the current round based on the transaction mode of the underlying MimbleWimble, generating a transaction based on the pre-transaction, and performing transaction aggregation, wherein the transaction aggregation aggregates, in addition to the pre-transaction generated by the payer and the transaction generated by the payee, the balance currently owned by the payee; and
closing the channel: closing the payment channel after the two transaction parties refund according to the current latest balance allocation state.
2. The method according to claim 1, characterized in that the step of opening a channel specifically comprises:
determining the minimum amount that the two transaction parties negotiate for opening the payment channel;
selecting, from the owned amounts, an amount larger than the minimum amount according to a preset selection strategy, and depositing it together with the random amount into the payment channel;
executing a preset construction algorithm to check the validity of the deposited coins, ensuring that the coins deposited in the payment channel are legitimate, are not double spent, and are larger than the value agreed by the two parties;
generating a deposit transaction after the two transaction parties deposit the coins into the payment channel;
executing a preset deconstruction algorithm to decompose the deposited coin into a first effective coin and a second effective coin, wherein the amount of the first effective coin is the minimum amount negotiated by the two parties and the amount of the second effective coin is the random amount;
and after both transaction parties have deposited coins larger than the minimum amount into the payment channel, judging that the payment channel is successfully opened, and determining the current state and current key of the available coins.
3. The method of claim 2, wherein the step of updating the channel state further comprises:
determining the transaction amount of the current round negotiated between the payer and the payee for the current state;
when the payer executes the sending algorithm to construct the pre-transaction, obtaining the transaction amount to be paid to the payee and the change amount returned to the payer, and the payer generating a corresponding key for the transaction amount to be paid to the payee;
the payer sending the constructed pre-transaction to the payee;
when the payee executes the acceptance algorithm, checking the correctness of the pre-transaction received in the current round and generating a new transaction, and the payee aggregating the transaction generated in the current round with its balance coin in the current state and generating the final transaction of the current round;
after the payee publishes the final transaction of the current round, the payer and the payee exchanging the keys used in the previous state.
4. The method of claim 3, wherein the step of closing the channel comprises:
either transaction party in the payment channel broadcasting the transaction to the blockchain for refund, and executing the refund algorithm;
and determining the coins containing the random amounts that the two transaction parties stored when opening the channel and reveal, merging each party's random amount in the channel with its balance in the current channel, and returning the merged amount to the two transaction parties.
5. The method of claim 4, further comprising, after executing the refund algorithm:
checking whether the balance allocation of the two parties of the current channel is correct and valid, and checking whether the final transaction of the current round is the latest transaction.
6. The method of claim 5, wherein the step of closing the channel further comprises:
if the check fails, the honest party recovering the cheating party's coins using the cheating party's coin keys and the transaction amount of each round, and transferring them to itself.
7. A system for an off-chain anonymous payment channel based on MimbleWimble, characterized by comprising:
an opening module for determining the minimum amount to be deposited, opening the payment channel by each party depositing coins larger than the minimum amount into the channel, and, when depositing, treating the portion larger than the minimum amount as a random amount and deconstructing the random amount so that it cannot be spent;
an updating module for updating the channel state by generating a pre-transaction according to the negotiated transaction amount of the current round using the transaction mode of the underlying MimbleWimble, generating a transaction based on the pre-transaction, and performing transaction aggregation, wherein the transaction aggregation aggregates, in addition to the pre-transaction generated by the payer and the transaction generated by the payee, the balance currently owned by the payee; and
a closing module for closing the payment channel after the two transaction parties refund according to the current latest balance allocation state.
8. The system according to claim 7, wherein the opening module is specifically configured to: determine the minimum amount that the two transaction parties negotiate for opening the payment channel; select, from the owned amounts, an amount larger than the minimum amount according to a preset selection strategy, and deposit it together with the random amount into the payment channel; execute a preset construction algorithm to check the validity of the deposited coins, ensuring that the coins deposited in the payment channel are legitimate, are not double spent, and are larger than the value agreed by the two parties; generate a deposit transaction after the two transaction parties deposit the coins into the payment channel; execute a preset deconstruction algorithm to decompose the deposited coin into a first effective coin and a second effective coin, wherein the amount of the first effective coin is the minimum amount negotiated by the two parties and the amount of the second effective coin is the random amount; and, after both transaction parties have deposited coins larger than the minimum amount into the payment channel, judge that the payment channel is successfully opened and determine the current state and current key of the available coins.
9. The system of claim 8, wherein the updating module is specifically configured to: determine the transaction amount of the current round negotiated by the payer and the payee for the current state; when the payer executes the sending algorithm to construct the pre-transaction, obtain the transaction amount to be paid to the payee and the change amount returned to the payer, the payer also generating a corresponding key for the transaction amount to be paid to the payee; have the payer send the constructed pre-transaction to the payee; when the payee executes the acceptance algorithm, check the correctness of the pre-transaction received in the current round, generate a new transaction, and have the payee aggregate the transaction generated in the current round with its balance coin in the current state to produce the final transaction of the current round; and, after the payee publishes the final transaction of the current round, have the payer and the payee exchange the keys used in the previous state.
10. The system of claim 9, wherein the closing module is specifically configured to: have either transaction party in the payment channel broadcast the transaction to the blockchain for refund and execute the refund algorithm; and determine the coins containing the random amounts that the two transaction parties stored when opening the channel and reveal, merge each party's random amount in the channel with its balance in the current channel, and return the merged amount to the two transaction parties.
CN202110956886.7A 2021-08-19 2021-08-19 Method and system for chain anonymous payment channel based on MimbleWimble Pending CN113743935A (en)


Publications (1)

Publication Number Publication Date
CN113743935A true CN113743935A (en) 2021-12-03



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination