CN114978622A - Anonymous credential verification method and system based on block chain and zero-knowledge proof - Google Patents


Info

Publication number: CN114978622A
Authority: CN (China)
Prior art keywords: contract, party computing, transaction, identity, computing device
Prior art date:
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210493796.3A
Other languages: Chinese (zh)
Inventor: 郑云山
Current Assignee: Shanghai Tidong Network Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Individual
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3221 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs; interactive zero-knowledge proofs

Abstract

The invention provides an anonymous credential verification method and system based on a blockchain and zero-knowledge proof. A bitcoin address is created for the transaction and a transaction contract T_B is created; a user in the blockchain randomly selects a message m and sends its hash value h to the terminal device; the terminal device sends the hash value h to the third-party computing device L, which checks whether h matches any h in a transaction contract it previously signed; the user blinds the message m to w' and waits for the request contract T_O to be confirmed; the user creates a transaction contract T_O', and the third-party computing device L waits for T_O' to be confirmed and then establishes a transaction contract T_F to complete the exchange; the user sees the transaction contract T_F on the blockchain and obtains the blind signature σ' from it; the user unblinds σ' to σ and sends the credential to the terminal device, the terminal device establishes the transaction contract T_F, and the transaction contract T_B begins validation.

Description

Anonymous credential verification method and system based on block chain and zero knowledge proof
Technical Field
The application relates to the technical field of block chains, in particular to an anonymous credential verification method and system based on block chains and zero knowledge proof.
Background
With the rapid development of network technology, online services such as electronic payment, electronic healthcare and electronic government are used more and more widely, and online life has gradually become an integral part of people's lives. Authentication occupies a very important position as a component of network information security: an application service confirms the legitimacy of a user's identity by verifying the identity credentials (user name/password, certificates) the user submits, and thereby safeguards the security of the service. However, as users have become more concerned about privacy, conventional authentication processes have increasingly exposed privacy problems. In a typical authentication mechanism the user is generally required to submit a complete identity credential to the application service, so the service can obtain other information about the user (age, gender, history) from the credential. In fact, the application service only needs to verify whether the user is qualified to obtain the service, so this mode of authentication leaks excessive user information to the service, which may lead to a malicious service provider selling users' private information to other entities, or to users' history records being linked, user profiles being built and user behaviour being tracked. Under these circumstances, anonymous authentication techniques that protect user privacy have become a hot spot in authentication research.
The blockchain is a distributed ledger in which all nodes of the system share the full data. Operations on the data in the blockchain are not controlled by a single entity: any node can write to the database, and the legality and correctness of the data are guaranteed by a consensus mechanism. Through the hash function, blockchain technology ensures that all historical data are strictly recorded in chronological order, which gives it the property of traceability.
Zero-knowledge proof techniques are an important component of modern cryptography: they allow a prover to convince a verifier that certain knowledge is correct without revealing any useful information. A zero-knowledge proof has the three properties of correctness, completeness and zero knowledge. Zero-knowledge proof technology is expected to solve many problems in the information security field, such as data security, privacy, supervision and inspection, and the combination of zero-knowledge proofs with the blockchain is also expected to solve the blockchain's privacy protection problem. On the one hand, a zero-knowledge proof can prove the correctness of data without revealing the data, so the privacy of the data is protected; on the other hand, a zero-knowledge proof only needs to generate a small volume of evidence to complete a proof over a large batch of data. Zero-knowledge proof techniques have been developed for over thirty years.
Zero-knowledge proofs can be divided into interactive and non-interactive. The interactive zero knowledge proof is the basis of the zero knowledge proof protocol. In the interactive zero-knowledge proof process, the prover and the verifier need to constantly interact with each other, and eventually the verifier can believe with a high probability that the prover really has some knowledge. The prover does not pass any information about this knowledge to the verifier during the course of the interaction.
The prover declares to the verifier that it possesses certain knowledge X and sends it a message about X that does not reveal the value of X. After receiving this message the verifier sends a message to the prover; the prover uses that message to prove the value of X to the verifier, and after many rounds of interactive question and answer the verifier can trust that the prover really knows the value of X. During the interaction the prover reveals no information from which the value of X could be inferred.
The non-interactive zero-knowledge proof can verify whether the prover has an answer without interaction between the prover and the verifier, thereby avoiding the possibility of collusion.
Disclosure of Invention
In order to solve the above technical problem, the invention provides an anonymous credential verification method and system based on a blockchain and zero-knowledge proof. During a transaction the plaintext amount is not stored in the blockchain; instead the amount exists on the blockchain as a commitment value, and the legality of the transaction is ensured by verifying that the amounts before and after the transaction balance and that no overspending occurs. The one-time public and private keys generated by the user while producing the commitment are used to generate a one-time address, and an attacker cannot learn the relation between the one-time address and the user's real identity by statistical analysis or other means, so the user's transactions cannot be traced and the user's privacy is protected.
An anonymous credential verification method based on blockchain and zero-knowledge proof, comprising the following steps:
Step S1: the terminal device creates a new temporary bitcoin address to perform a transaction, and creates a transaction contract T_B;
Step S2: a user in the blockchain randomly selects a message m and sends the hash value h = H(m) to the terminal device, where H is a hash function;
Step S3: the terminal device sends the hash value h to the third-party computing device L and requests L to create a transaction contract T_0 that can provide a bitcoins to the terminal device, on the condition that the terminal device provides a valid credential within time t_2;
Step S4: the third-party computing device L checks whether the hash value h matches any h in a transaction contract it previously signed, and if not, L creates the request contract T_0 and submits it to the blockchain;
Step S5: the user blinds the message m to obtain w', and waits for the request contract T_0 to be confirmed;
Step S6: the user creates a transaction contract T_0' that provides a + w bitcoins to the third-party computing device L, on the condition that L provides a valid blind signature to the user within time t_1;
Step S7: the third-party computing device L waits for the transaction contract T_0' to be confirmed, then establishes a transaction contract T_F to complete the exchange and registers T_F on the blockchain; T_F contains the blind signature σ', and at this point the a + w bitcoins of T_0' are sent to the third-party computing device L;
Step S8: the user sees the transaction contract T_F on the blockchain and obtains the blind signature σ' from it;
Step S9: the user unblinds the blind signature σ' to obtain σ and sends the credential V = (m, σ) to the terminal device; the terminal device creates the transaction contract T_F containing the credential V = (m, σ), so the bitcoins in the contract T_F are sent to the terminal device, and the transaction contract T_B begins validation.
Further, the specific process in step S9 by which the terminal device creates a transaction contract T_F containing the anonymous credential V = (m, σ) comprises the following steps:
an initial setup stage, generating the public parameters {G, q, G'}, where G is an elliptic curve group, q is a large prime number which is the order of the elliptic curve, and G' is a generator of the group G; the user generates a private key sk from a random function and generates the public key PK = sk·G from the elliptic curve over the finite field;
obfuscated address generation, in which the terminal device selects a random number r as a one-time private key, generates the one-time public key PK = r·G from the elliptic curve over the finite field, sends the one-time public key to the third-party computing device L through off-chain communication or a covert channel, generates a one-time address according to the formula P = HASH(r·PK || i)·G' + PK, and uses the one-time address as the receiving address of the transaction;
data anonymous storage protocol generation, comprising a pseudo-identity generation stage, an encryption key generation stage and a data encryption stage;
transaction generation and verification: given the private key sk and a random number r, the system generates the unlocking script <e, s>, where e = HASH(R || message), s = r + e·sk and R = r·G. After unlocking, the one-time public key and random number of the terminal device are input to generate the transaction information, which is submitted to a verification node; from the unlocking script <e, s> submitted by the terminal device, the verification node computes R' = s·G - e·PK and then verifies whether e = HASH(R' || message) holds.
Further, in the pseudo-identity generation stage, the terminal device and the third-party computing device L negotiate two random numbers T and R with each other and use the two random numbers together with the identity Tid of the terminal device to generate a public/private key pair (PK_pse, SK_pse); this key pair is used as the public and private keys for generating the pseudo identity, and the pseudo identity PseID is generated by encryption;
in the encryption key generation stage, the third-party computing device L generates a symmetric encryption key K;
in the data encryption stage, the original data M, the corresponding pseudo identity PseID and the current timestamp Ts are input and encrypted with the symmetric encryption key K to produce a ciphertext C, which is stored in a local database, while the address of the data in the database is stored in the blockchain.
Further, the pseudo-identity generation is based on the ElGamal encryption algorithm: a large prime number p meeting the security requirement is selected, and a group of order p is generated
Figure BDA0003632923860000041
with a generator
Figure BDA0003632923860000042
A single hash function is selected to generate a public/private key pair PKT/SKT, and a unique identity Tid_i (1 ≤ i ≤ n) is generated, where i is the serial number of the current terminal device and n is the number of terminal devices; a random number is selected
Figure BDA0003632923860000043
The terminal device sends its own unique identity Tid_i together with the random number R to the third-party computing device L, and the third-party computing device L encrypts the random number T and sends it to the terminal device;
after receiving Tid_i and R from the terminal device, the third-party computing device L computes g^{H(T)·R}; the public/private key pair for generating the pseudo identity for the terminal device is then:
Figure BDA0003632923860000044
SK_pse ≡ H(Tid) + H(g^{H(T)·R});
the third-party computing device L divides the identity Tid of the terminal device into n groups, each of length L, that is, Tid = Tid_1 Tid_2 … Tid_n;
for each group Tid_i a random number r_i is selected, with 1 < i < n and 1 < r_i < p-1, where p is the order, and L computes:
Figure BDA0003632923860000045
Figure BDA0003632923860000046
the pseudo identity of the terminal device is then:
PseID = (c_1, c'_1)(c_2, c'_2) … (c_n, c'_n).
an anonymous credential validation system based on blockchain and zero-knowledge proof for implementing the anonymous credential validation method, comprising: owner, third party computing device, blockchain, and data anonymity storage protocol;
the terminal equipment is used as a data generator and is provided with a sensor or intelligent equipment with a data collecting function;
the third-party computing equipment is used for helping the terminal equipment to generate a pseudo identity, and after the pseudo identity is generated for the terminal equipment, the pseudo identity replaces a real identity and is stored in a data anonymous storage protocol together with data;
and the address of each piece of data in the data anonymous storage protocol is stored in the block chain, and meanwhile, the corresponding relation between the pseudo identity and the real identity is stored in the block chain for evidence collection and source tracing.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive labor.
FIG. 1 is a flow diagram of an anonymous credential validation method based on blockchain and zero-knowledge proof of the present invention;
FIG. 2 is a schematic flow diagram of a terminal device of the present invention creating a transaction contract containing credentials;
FIG. 3 is a schematic diagram of the anonymous credential validation system of the present invention based on blockchains and zero knowledge proof.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the drawings of the embodiments of the present invention, in order to better and more clearly describe the working principle of each element in the system, the connection relationship of each part in the apparatus is shown, only the relative position relationship between each element is clearly distinguished, and the restriction on the signal transmission direction, the connection sequence, and the size, the dimension, and the shape of each part structure in the element or structure cannot be formed.
As shown in FIG. 1, the flow of the anonymous credential verification method based on blockchain and zero-knowledge proof of the present invention comprises the following steps:
Step S1: the terminal device creates a new temporary bitcoin address to perform a transaction, and creates a transaction contract T_B.
Step S2: a user in the blockchain randomly selects a message m and sends the hash value h = H(m) to the terminal device, where H is a hash function and the length of the message m is k.
Step S3: the terminal device sends the hash value h to the third-party computing device L and requests L to create a transaction contract T_0 that can provide a bitcoins to the terminal device, on the condition that the terminal device provides a valid credential within time t_2.
Step S4: the third-party computing device L checks whether the hash value h matches any h in a transaction contract it previously signed. If not, L creates the request contract T_0 and submits it to the blockchain.
Step S5: the user blinds the message m to obtain w', and waits for the request contract T_0 to be confirmed.
Step S6: the user creates a transaction contract T_0' that provides a + w bitcoins to the third-party computing device L, on the condition that L provides a valid blind signature to the user within time t_1. Of the amount in T_0', a bitcoins are what the user pays for renting the physical terminal device, and w bitcoins are left to the third-party computing device L as its reward for completing the task.
Step S7: the third-party computing device L waits for the transaction contract T_0' to be confirmed, then establishes a transaction contract T_F to complete the fair exchange of bitcoins for the credential, and registers T_F on the blockchain. T_F contains the blind signature σ', and at this point the a + w bitcoins of T_0' are sent to the third-party computing device L.
Step S8: the user sees the transaction contract T_F on the blockchain and derives the blind signature σ' from it.
Step S9: the user unblinds the blind signature σ' to obtain σ and sends the credential V = (m, σ) to the terminal device; the terminal device creates the transaction contract T_F containing the credential V = (m, σ), so the bitcoins in T_F are sent to the terminal device. At this point the transaction contract T_B begins validation.
The above process constitutes an anonymous credential verification system with privacy protection and fairness based on blockchains.
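The hash, blind, sign, duplicate-check and unblind steps (S2, S4, S5, S7, S9) of the flow above, as an added example that is not part of the patent. The page does not name the blind-signature scheme, so a textbook RSA (Chaum) blind signature is assumed here, H is taken as SHA-256, key sizes are demo-sized, and the contracts T_0, T_0' and T_F are reduced to the third-party device's duplicate-hash check and a signing call.

```python
import hashlib
import secrets
from math import gcd

# Added example, not the patent's code. RSA (Chaum) blind signature is an assumption.

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (demo-quality key generation)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Returns ((n, e), d). A 512-bit modulus keeps the demo fast; not a real-world size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), pow(e, -1, phi)

def H(m: bytes) -> int:
    """The hash function H of step S2; 256-bit output, so H(m) < n for the keys above."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

class ThirdPartyL:
    """Third-party computing device L: signs blinded values and, as in step S4,
    refuses a request whose hash h it has already signed a contract for."""

    def __init__(self):
        self.pk, self._d = rsa_keygen()
        self._seen_hashes = set()

    def request_contract(self, h: int) -> bool:
        if h in self._seen_hashes:      # S4: h matches a previously signed contract
            return False
        self._seen_hashes.add(h)        # stands in for submitting T_0 to the chain
        return True

    def blind_sign(self, w_blinded: int) -> int:
        return pow(w_blinded, self._d, self.pk[0])   # S7: the σ' placed in T_F

class User:
    def __init__(self, pk):
        self.n, self.e = pk
        self.m = secrets.token_bytes(32)    # S2: random message m (constructed)
        self.h = H(self.m)
        self._r = None

    def blind(self) -> int:
        """S5: w' = H(m) * r^e mod n with a fresh blinding factor r."""
        while True:
            self._r = secrets.randbelow(self.n - 2) + 2
            if gcd(self._r, self.n) == 1:
                break
        return (self.h * pow(self._r, self.e, self.n)) % self.n

    def unblind(self, sigma_blinded: int):
        """S9: σ = σ' * r^{-1} mod n; the credential is V = (m, σ)."""
        sigma = (sigma_blinded * pow(self._r, -1, self.n)) % self.n
        return (self.m, sigma)

def verify_credential(pk, credential) -> bool:
    """Check the terminal device (or anyone holding L's public key) runs on V = (m, σ)."""
    n, e = pk
    m, sigma = credential
    return pow(sigma, e, n) == H(m) % n

def run_issuance(L: ThirdPartyL):
    """One pass through S2-S9 for a fresh user; returns V, or None if L refused."""
    user = User(L.pk)
    if not L.request_contract(user.h):  # S3/S4: h reaches L via the terminal device
        return None
    sigma_blinded = L.blind_sign(user.blind())
    return user.unblind(sigma_blinded)
```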
As shown in FIG. 2, the specific process by which a terminal device creates a transaction contract T_F containing the anonymous credential V = (m, σ) comprises the following steps: initialization, obfuscated address generation, commitment generation, and transaction generation and verification:
(1) Initial setup stage
The public parameters {G, q, G'} are generated, where G is the elliptic curve group, q is a large prime number which is the order of the elliptic curve, and G' is a generator of the group G. The user generates a private key sk from a random function and generates the public key PK = sk·G from the elliptic curve over the finite field; the key pair (sk, PK) is kept by the user, and the public key may be published.
(2) Obfuscated address generation
The terminal device selects a random number r as a one-time private key and generates the one-time public key PK = r·G from the elliptic curve over the finite field; the one-time public key is sent to the third-party computing device L through off-chain communication or a covert channel, and the system generates a one-time address according to the formula P = HASH(r·PK || i)·G' + PK, which is used as the receiving address of the transaction. The terminal device must ensure that the one-time public key has never been used before.
(3) Data anonymous storage protocol generation, comprising a pseudo-identity generation stage, an encryption key generation stage and a data encryption stage.
Pseudo-identity generation stage: the terminal device and the third-party computing device L negotiate two random numbers T and R with each other and use them together with the identity Tid of the terminal device to generate a public/private key pair (PK_pse, SK_pse); this key pair is used as the public and private keys for generating the pseudo identity, and the pseudo identity PseID is generated by encryption.
Encryption key generation stage: the third-party computing device L generates a symmetric encryption key K.
Data encryption stage: the original data M, the corresponding pseudo identity PseID and the current timestamp Ts are input and encrypted with the symmetric encryption key K to produce a ciphertext C, which is stored in a local database, and the address of the data in the database is stored in the blockchain.
The pseudo-identity generation is based on the ElGamal encryption algorithm and is described in detail as follows:
A large prime number p meeting the security requirement is selected to generate a group of order p
Figure BDA0003632923860000071
with a generator
Figure BDA0003632923860000072
The parameters <p, g> are public. A single hash function H() is selected. A public/private key pair PKT/SKT is generated, which is used to encrypt the subsequently generated random number T. A unique identity Tid_i (1 ≤ i ≤ n) is generated, where i is the serial number of the current terminal device and n is the number of terminal devices. A random number is selected
Figure BDA0003632923860000073
The terminal device sends its own unique identity Tid_i together with the random number R to the third-party computing device L, and the third-party computing device L encrypts the random number T and sends it to the terminal device. After receiving Tid_i and R from the terminal device, the third-party computing device L computes g^{H(T)·R}; the public/private key pair for generating the pseudo identity for the terminal device is then:
Figure BDA0003632923860000074
SK_pse ≡ H(Tid) + H(g^{H(T)·R});
the third-party computing device L divides the identity Tid of the terminal device into n groups, each of length L, that is, Tid = Tid_1 Tid_2 … Tid_n;
for each group Tid_i a random number r_i is selected, with 1 < i < n and 1 < r_i < p-1, where p is the order, and L computes:
Figure BDA0003632923860000081
Figure BDA0003632923860000082
the pseudo identity of the terminal device is then:
PseID = (c_1, c'_1)(c_2, c'_2) … (c_n, c'_n);
At this point the third-party computing device L has finished generating the pseudo identity for the terminal device. According to the structure of the protocol, it must be possible to recover the real identity from the pseudo identity when necessary, and the decryption process is given below.
Input: the pseudo identity PseID and the private key SK_pse used by the terminal device for decryption.
Using SK_pse, compute:
Figure BDA0003632923860000083
The computed Tid_i are concatenated to form the complete Tid:
Tid = Tid_1 Tid_2 … Tid_n
At this point the decryption stage is complete. The third-party computing device L also saves the mapping between the pseudo identity PseID and the real identity Tid, recorded as:
Mapping = <PseID, Tid>;
this mapping serves as the essential relation for proving the real identity and is stored on the blockchain.
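The pseudo-identity generation, the decryption back to Tid and the mapping kept by L, as an added example that is not from the patent. The ElGamal equations the page shows only as figures are filled in with textbook ElGamal over Z_p^* (c_i = g^{r_i}, c'_i = Tid_i·PK^{r_i}, PK_pse = g^{SK_pse}); SK_pse is reduced mod p-1, H() is SHA-256, and the modulus, base, group length and the 0x01 block tag are constructed demo choices, not the page's parameters.

```python
import hashlib
import secrets

# Added example, not the patent's code. Textbook ElGamal in Z_p^* fills in the
# equations the page shows only as figures; every parameter below is a demo choice.

P = 2**127 - 1   # constructed demo modulus (the Mersenne prime M127); far too small for real use
G = 3            # demo base g; a deployment would use a verified generator of the group
BLOCK_LEN = 8    # the page's group length L, taken here as 8 bytes

def H(*parts: bytes) -> int:
    """The single hash function H() of the page: SHA-256 over the concatenation."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def derive_pseudo_keypair(tid: bytes, t: bytes, r: int):
    """L computes g^{H(T)·R} and SK_pse ≡ H(Tid) + H(g^{H(T)·R}) as on the page
    (reduced mod p-1 here); PK_pse = g^{SK_pse} is the assumed ElGamal relation."""
    shared = pow(G, (H(t) * r) % (P - 1), P)
    sk = (H(tid) + H(shared.to_bytes(16, "big"))) % (P - 1)
    return pow(G, sk, P), sk

def split_blocks(tid: bytes):
    """Tid = Tid_1 Tid_2 ... Tid_n with groups of BLOCK_LEN bytes. Each group gets a
    0x01 prefix byte so it encodes to a non-zero integer below p (padding assumption)."""
    return [int.from_bytes(b"\x01" + tid[i:i + BLOCK_LEN], "big")
            for i in range(0, len(tid), BLOCK_LEN)]

def join_blocks(blocks) -> bytes:
    out = b""
    for b in blocks:
        raw = b.to_bytes((b.bit_length() + 7) // 8, "big")
        out += raw[1:]                       # drop the 0x01 prefix
    return out

def generate_pseudo_identity(tid: bytes, pk: int):
    """PseID = (c_1, c'_1) ... (c_n, c'_n): c_i = g^{r_i}, c'_i = Tid_i · PK^{r_i} mod p."""
    pse_id = []
    for block in split_blocks(tid):
        r_i = secrets.randbelow(P - 3) + 2   # 1 < r_i < p-1, fresh for every group
        c = pow(G, r_i, P)
        c_prime = (block * pow(pk, r_i, P)) % P
        pse_id.append((c, c_prime))
    return tuple(pse_id)

def recover_identity(pse_id, sk: int) -> bytes:
    """Decryption with SK_pse: Tid_i = c'_i · (c_i^{SK_pse})^{-1} mod p, then concatenate."""
    blocks = [(c_prime * pow(pow(c, sk, P), -1, P)) % P for c, c_prime in pse_id]
    return join_blocks(blocks)

class ThirdPartyL:
    """Third-party computing device L: generates the pseudo identity for a terminal
    device and keeps Mapping = <PseID, Tid> for later evidence collection."""

    def __init__(self):
        self.mapping = {}

    def register(self, tid: bytes):
        # Both random numbers are drawn here for brevity; on the page R comes from
        # the terminal device and T is sent to it encrypted by L.
        t = secrets.token_bytes(16)
        r = secrets.randbelow(P - 2) + 1
        pk, sk = derive_pseudo_keypair(tid, t, r)
        pse_id = generate_pseudo_identity(tid, pk)
        self.mapping[pse_id] = tid
        return pse_id, sk                    # SK_pse goes to the device over the secure channel

    def trace(self, pse_id) -> bytes:
        return self.mapping[pse_id]
```

Registering the same Tid twice yields two different PseIDs because every group uses a fresh r_i, which is what keeps the stored records unlinkable without L's mapping.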
(4) Transaction generation and verification
Transaction generation is the core stage of the transaction flow: a user spends funds belonging to them and transfers them to other users. Every output carries a locking script, and the amount can be spent only when the user supplies the matching unlocking script. The locking script contains the user's public key and the point G' on the elliptic curve over the finite field that was used to generate that public key, because when initiating a transaction the terminal device knows only the recipient's public key and address; the private key is kept by the recipient. When the user needs to spend, the system generates the unlocking script <e, s> from just the private key sk and a random number r, where e = HASH(R || message) and s = r + e·sk, with R = r·G and message the transaction information, including fields such as the transaction ID.
After unlocking, the terminal device makes the transfer: it inputs its one-time public key and random number to generate the transaction information and submits it to the verification node.
After the terminal device submits the transaction, the verification node checks it: whether the user is double-spending, whether the amounts before and after the transaction balance, and whether the user's signature is correct. Double-spending is detected through the serial number: the node checks whether the serial number about to be spent is already recorded in the ledger L that holds every serial number that has been spent.
From the unlocking script <e, s> submitted by the terminal device, the verification node computes R' = s·G − e·PK and then checks whether e = HASH(R' || message) holds. If the check passes, the transaction is legitimate; after the Locktime lock period it is broadcast and packaged into a block.
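The unlocking-script construction and the three checks the verification node performs, as an added example that is not the patent's own code. It assumes secp256k1 as "the elliptic curve over the finite field", SHA-256 as HASH, a Python set standing in for the ledger of spent serial numbers, and "balanced" meaning the input amounts equal the output amounts; all sample keys and transaction values are constructed.

```python
"""Added example (not from the patent): Schnorr-style unlocking script <e, s>
and the verification node's checks (double spend, balance, signature).
The curve arithmetic is a minimal textbook implementation for illustration."""
import hashlib

# secp256k1 domain parameters (the curve is an assumption; the patent names none).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend, k = None, point, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ec_neg(point):
    return None if point is None else (point[0], (-point[1]) % P)


def hash_to_scalar(R, message):
    """e = HASH(R || message), with HASH = SHA-256 (assumption)."""
    r_bytes = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(r_bytes + message).digest(), "big") % N


def unlock_script(sk, r, message):
    """Spender side: R = r*G, e = HASH(R || message), s = r + e*sk."""
    R = ec_mul(r, G)
    e = hash_to_scalar(R, message)
    return (e, (r + e * sk) % N)


def verify_unlock(pk, message, script):
    """Verification node: R' = s*G - e*PK, accept iff e == HASH(R' || message)."""
    e, s = script
    r_prime = ec_add(ec_mul(s, G), ec_neg(ec_mul(e, pk)))
    return r_prime is not None and hash_to_scalar(r_prime, message) == e


def tx_message(tx):
    """Transaction information covered by the signature (ID, serial, amounts)."""
    return f"{tx['tx_id']}|{tx['serial']}|{tx['inputs']}|{tx['outputs']}".encode()


def make_transaction(sk, r, tx_id, serial, inputs, outputs):
    tx = {"tx_id": tx_id, "serial": serial, "inputs": inputs, "outputs": outputs}
    tx["script"] = unlock_script(sk, r, tx_message(tx))
    return tx


def verify_transaction(tx, spent_serials, pk):
    """The three checks of the text; spent_serials models the ledger of spent serial numbers."""
    if tx["serial"] in spent_serials:           # double spend
        return False
    if sum(tx["inputs"]) != sum(tx["outputs"]):  # amounts not balanced
        return False
    return verify_unlock(pk, tx_message(tx), tx["script"])  # signature


if __name__ == "__main__":
    sk = 0x1234567890ABCDEF                     # constructed private key
    pk = ec_mul(sk, G)
    tx = make_transaction(sk, 0xCAFEBABE, "tx-0001", "serial-0001", [50, 25], [60, 15])
    print(verify_transaction(tx, set(), pk), verify_transaction(tx, {"serial-0001"}, pk))
```

The nonce r must be fresh per signature; reusing r for two different messages lets anyone solve the two linear equations s = r + e·sk for sk, which is why the text insists on a random number for every unlocking script.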
The invention also provides an anonymous credential verification system based on blockchain and zero-knowledge proof, which can establish a transaction contract containing the anonymous credential for an owner and protect the owner's real identity with the anonymous credential, thereby protecting the correspondence between identity and data.
Fig. 3 is a schematic structural diagram of the anonymous credential verification system based on blockchain and zero-knowledge proof according to the invention. The system includes four roles: the owner, the third-party computing device, the blockchain, and the data anonymous storage protocol.
The terminal device acts as the data generator and may be a sensor or an intelligent device with a data-collection function. Its computing power is relatively weak, so it cannot perform complex encryption and decryption operations. To address this, the protocol introduces a third-party computing device, which has strong computing capability, low transmission delay and high real-time performance, is located closer to the terminal device, and is therefore suited to helping the terminal device generate its pseudo identity.
Data anonymous storage protocol: there is a secure two-way channel between the end device and the edge computing device, and the edge computing device is trusted. After the third-party computing device generates a pseudo identity for the terminal device, the pseudo identity replaces the real identity and is stored together with the data in the data anonymous storage protocol. Taking advantage of the blockchain's decentralization, tamper resistance and traceability, the address of each piece of data in the protocol is stored on the blockchain, and the correspondence between the pseudo identity and the real identity is likewise stored on the blockchain for later evidence collection and tracing.
The data anonymous storage protocol of the invention achieves anonymous storage by generating a pseudo identity for the terminal device. The pseudo-identity generation algorithm is designed so that the pseudo identity not only protects the real identity but also allows the real identity to be recovered from it when necessary; the mapping between the pseudo identity and the real identity is therefore also a key element that the data anonymous storage protocol must protect.
In the above embodiments, the implementation may be realized wholly or partially in software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially as a computer program product, which includes one or more computer instructions. When these instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are carried out, in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in or transmitted over a computer-readable storage medium, which can be any available medium accessible by a computer, or a data storage device such as a server or data center that incorporates one or more such media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., a solid-state disk, SSD), among others.
While the invention has been described with reference to specific embodiments, the scope of the invention is not limited thereto, and those skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (5)

1. An anonymous credential verification method based on blockchain and zero-knowledge proof, comprising the steps of:
step S1, the terminal device creates a new temporary bitcoin address to perform a transaction and creates a transaction contract T_B;
step S2, the user in the blockchain randomly selects a message m and sends the hash value h = H(m) to the terminal device, where H is a hash function;
step S3, the terminal device sends the hash value h to the third-party computing device L and requests the third-party computing device L to create a transaction contract T_O that can provide a bitcoins to the terminal device, provided the terminal device supplies a valid credential within time t_2;
step S4, the third-party computing device L checks whether the hash value h matches any h in a previously signed transaction contract; if not, the third-party computing device L creates the request contract T_O and submits it to the blockchain;
step S5, the user blinds the message m to obtain w' and waits for the request contract T_O to be confirmed;
step S6, the user creates a transaction contract T_O' that provides a + w bitcoins to the third-party computing device L, provided the third-party computing device L supplies a valid blind signature to the user within time t_1;
step S7, the third-party computing device L waits for the transaction contract T_O' to be confirmed, then establishes a transaction contract T_F to complete the exchange and registers T_F on the blockchain, where T_F contains the blind signature σ'; at this point the a + w bitcoins in T_O' are sent to the third-party computing device L;
step S8, the user reads the transaction contract T_F from the blockchain and obtains the blind signature σ' from it;
step S9, the user unblinds σ' to obtain σ and sends the credential V = (m, σ) to the terminal device; the terminal device creates the transaction contract T_F containing the credential V = (m, σ), so that the bitcoins in contract T_F are sent to the terminal device, and verification of the transaction contract T_B begins.
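The exchange of claim 1 (steps S2 to S9) as an added simulation that is not the patent's own code. The claim names no blind-signature scheme, so RSA blind signatures are assumed; the contracts T_O and T_O' are modelled as dictionaries holding a payout condition and a deadline, the deadlines t_1 and t_2 are integers on a toy clock, the RSA primes are deliberately tiny, and every amount and message is constructed.

```python
"""Added example (not from the patent): claim-1 exchange with RSA blind
signatures (assumption) and contracts modelled as dicts with a condition
and a deadline.  Toy key sizes; not for real use."""
import hashlib
import math
import secrets

# Toy RSA key for the third-party computing device L (assumption).
P_RSA, Q_RSA, E_RSA = 1000000007, 998244353, 65537
N_RSA = P_RSA * Q_RSA
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))


def H(m: bytes) -> int:
    """Hash function H of step S2, reduced into Z_n so L can sign it."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N_RSA


def blind(h: int):
    """S5: the user blinds with a random u coprime to n; returns (w', u)."""
    while True:
        u = secrets.randbelow(N_RSA - 2) + 2
        if math.gcd(u, N_RSA) == 1:
            return (h * pow(u, E_RSA, N_RSA)) % N_RSA, u


def blind_sign(w_prime: int) -> int:
    """S7: L signs the blinded value without learning h."""
    return pow(w_prime, D_RSA, N_RSA)


def unblind(sigma_prime: int, u: int) -> int:
    """S9: sigma = sigma' * u^-1 mod n is an ordinary RSA signature on h."""
    return (sigma_prime * pow(u, -1, N_RSA)) % N_RSA


def valid_signature(h: int, sigma: int) -> bool:
    return pow(sigma, E_RSA, N_RSA) == h


def make_contract(payer, payee, amount, condition, deadline):
    return {"payer": payer, "payee": payee, "amount": amount,
            "condition": condition, "deadline": deadline, "settled": False}


def settle(contract, proof, now, balances) -> bool:
    """Release the funds only for a valid proof submitted before the deadline."""
    if contract["settled"] or now > contract["deadline"]:
        return False
    if not contract["condition"](proof):
        return False
    balances[contract["payer"]] -= contract["amount"]
    balances[contract["payee"]] += contract["amount"]
    contract["settled"] = True
    return True


def run_exchange(m: bytes, a: int, w: int, t1: int, t2: int, balances, signed_hashes):
    """Steps S2-S9.  signed_hashes is L's record of h values it already signed (S4)."""
    h = H(m)                                                  # S2
    if h in signed_hashes:                                    # S4: repeated h is refused
        return None
    signed_hashes.add(h)
    # S3/S4: T_O pays a from L to the terminal for V = (m', sigma) with
    # H(m') == h and a valid signature on h, within t2.
    t_o = make_contract("L", "terminal", a,
                        lambda v: H(v[0]) == h and valid_signature(h, v[1]), t2)
    w_prime, u = blind(h)                                     # S5
    # S6: T_O' pays a + w from the user to L for a valid blind signature on w' within t1.
    t_o2 = make_contract("user", "L", a + w,
                         lambda s: pow(s, E_RSA, N_RSA) == w_prime, t1)
    sigma_prime = blind_sign(w_prime)                         # S7: sigma' published in T_F
    if not settle(t_o2, sigma_prime, 1, balances):            # L collects a + w
        return None
    sigma = unblind(sigma_prime, u)                           # S8/S9: user unblinds
    credential = (m, sigma)
    if not settle(t_o, credential, 2, balances):              # terminal redeems T_O with V
        return None
    return credential
```

Two properties worth checking against the steps: L never sees m or h in the clear (only w'), which is what makes the credential unlinkable to the signing request, and the S4 check on previously signed h is what stops one payment of a + w being turned into two credentials.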
2. The anonymous credential verification method of claim 1, wherein in step S9 the specific process by which the terminal device creates the transaction contract T_F containing the anonymous credential V = (m, σ) comprises the following steps:
an initial setup stage, generating public parameters {G, q, G'}, where G is an elliptic curve group, q is a large prime that is the order of the elliptic curve, and G' is a generator of the group G; the user generates a private key sk with a random function and generates the public key PK = sk·G on the elliptic curve over the finite field;
an obfuscated address generation stage, in which the terminal device selects a random number r as a one-time private key, generates a one-time public key PK = r·G on the elliptic curve over the finite field, sends the one-time public key to the third-party computing device L over off-chain communication or a covert channel, generates a one-time address according to the formula P = (r·PK_i)·G' + PK, and uses the one-time address as the receiving address of the transaction;
data anonymous storage protocol generation, comprising a pseudo-identity generation stage, an encryption key generation stage and a data encryption stage;
transaction generation and verification: the private key sk and a random number r are input and the unlocking script <e, s> is generated, where e = HASH(R || message) and s = r + e·sk; after unlocking, the one-time public key and random number of the terminal device are input to generate the transaction information, which is submitted to the verification node; from the unlocking script <e, s> submitted by the terminal device, the verification node computes R' = s·G − e·PK and then checks whether e = HASH(R' || message) holds.
3. The anonymous credential verification method of claim 2, wherein
in the pseudo-identity generation stage, the terminal device and the third-party computing device L negotiate two random numbers T and R with each other, and the two random numbers together with the identity Tid of the terminal device are used to generate a public/private key pair (PK_pse/SK_pse), which serves as the key pair for generating the pseudo identity; after encryption the pseudo identity PseID is obtained;
in the encryption key generation stage, the third-party computing device L generates a symmetric encryption key K;
in the data encryption stage, the original data M, the corresponding pseudo identity PseID and the current timestamp Ts are input and encrypted with the symmetric encryption key K to produce the ciphertext C, which is stored in a local database, and the address of the data in the database is stored on the blockchain.
4. The anonymous credential verification method of claim 3, wherein the pseudo-identity generation is based on the ElGamal encryption algorithm: a large prime p meeting the security requirement is selected, a group of order p
[equation image FDA0003632923850000021 not extracted]
with a generator
[equation image FDA0003632923850000022 not extracted]
is generated, a one-way hash function is selected, a public/private key pair PK_T/SK_T is generated, and a unique identity Tid_i (1 ≤ i ≤ n) is generated, where i is the serial number of the current terminal device and n is the number of terminal devices; a random number
[equation image FDA0003632923850000023 not extracted]
is selected; the terminal device sends its unique identity Tid_i together with the random number R to the third-party computing device L, and the third-party computing device L encrypts the random number T and sends it to the terminal device;
after receiving Tid_i and R from the terminal device, the third-party computing device L computes g^{H(T)·R}; the public/private key pair used to generate the pseudo identity for the terminal device is then:
[equation image FDA0003632923850000033 not extracted]
SK_pse ≡ H(Tid) + H(g^{H(T)·R});
the third-party computing device L divides the identity Tid of the terminal device into n groups, each of length L, that is: Tid = Tid_1 Tid_2 … Tid_n;
for each group Tid_i it selects a random number r_i, 1 < i < n, 1 < r_i < p − 1, where p is the order, and computes:
[equation image FDA0003632923850000031 not extracted]
[equation image FDA0003632923850000032 not extracted]
the pseudo identity of the terminal device is:
PseID = (c_1, c'_1)(c_2, c'_2)…(c_n, c'_n).
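The pseudo-identity generation of claim 4 and the reverse mapping of the decryption phase (Mapping = <PseID, Tid>), as an added example that is not the patent's own code. The claim's equation images for the group, PK_pse, c_i and c'_i were not extracted, so standard ElGamal over the multiplicative group modulo a prime is assumed: PK_pse = g^{SK_pse}, c_i = g^{r_i}, c'_i = Tid_i · PK_pse^{r_i} (mod p). The toy prime p = 2^31 − 1 with primitive root 7, SHA-256 as H, a group length L of 3 bytes, and all identities and random numbers are constructed.

```python
"""Added example (not from the patent): ElGamal-style pseudo identity per
claim 4, plus recovery of Tid by the third-party computing device L.
Toy parameters; not for real use."""
import hashlib
import secrets

# Assumed toy group: Z_p^* for the Mersenne prime 2^31 - 1, primitive root 7.
P_MOD = 2**31 - 1
G_GEN = 7
GROUP_LEN = 3   # "L" in the claim: bytes of Tid per group; 3 bytes < p


def H_int(data: bytes) -> int:
    """One-way hash H as an integer, reduced mod p - 1 so it can be an exponent."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P_MOD - 1)


def derive_pseudo_keys(tid: bytes, T: int, R: int):
    """SK_pse = H(Tid) + H(g^(H(T)*R)) as in claim 4; PK_pse = g^SK_pse (assumed)."""
    shared = pow(G_GEN, (H_int(T.to_bytes(8, "big")) * R) % (P_MOD - 1), P_MOD)
    sk = (H_int(tid) + H_int(shared.to_bytes(4, "big"))) % (P_MOD - 1)
    return sk, pow(G_GEN, sk, P_MOD)


def generate_pseudo_identity(tid: bytes, pk: int):
    """Split Tid into groups of GROUP_LEN bytes and ElGamal-encrypt each one."""
    groups = [tid[i:i + GROUP_LEN] for i in range(0, len(tid), GROUP_LEN)]
    pse_id = []
    for group in groups:
        m_i = int.from_bytes(group, "big")          # group value, < 2^24 < p
        r_i = secrets.randbelow(P_MOD - 3) + 2      # 1 < r_i < p - 1
        c_i = pow(G_GEN, r_i, P_MOD)
        c_prime_i = (m_i * pow(pk, r_i, P_MOD)) % P_MOD
        pse_id.append((c_i, c_prime_i))
    return pse_id


def recover_identity(pse_id, sk: int) -> bytes:
    """Decryption phase: m_i = c'_i * (c_i^SK_pse)^-1 mod p for every group.
    Identity bytes are assumed to be non-zero ASCII (leading zero bytes would be lost)."""
    tid = b""
    for c_i, c_prime_i in pse_id:
        m_i = (c_prime_i * pow(pow(c_i, sk, P_MOD), -1, P_MOD)) % P_MOD
        tid += m_i.to_bytes(GROUP_LEN, "big").lstrip(b"\x00")
    return tid


def register_mapping(tid: bytes, T: int, R: int):
    """What L keeps after the exchange: PseID, its key, and Mapping = <PseID, Tid>."""
    sk, pk = derive_pseudo_keys(tid, T, R)
    pse_id = generate_pseudo_identity(tid, pk)
    return {"PseID": pse_id, "SK_pse": sk, "Mapping": (pse_id, tid)}


if __name__ == "__main__":
    record = register_mapping(b"sensor-0042", T=1234, R=5678)   # constructed values
    print(record["PseID"])
    print(recover_identity(record["PseID"], record["SK_pse"]))
```

Because every group uses a fresh r_i, the same Tid encrypts to a different PseID each time, which is what lets the pseudo identity stand in for the real one while L alone, holding SK_pse and the stored mapping, can reverse it for evidence collection.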
5. An anonymous credential verification system based on blockchain and zero-knowledge proof, for implementing the anonymous credential verification method of any one of claims 1 to 4, comprising: an owner, a third-party computing device, a blockchain, and a data anonymous storage protocol;
the terminal device serves as the data generator and is provided with a sensor or an intelligent device with a data-collection function;
the third-party computing device helps the terminal device generate a pseudo identity; after the pseudo identity is generated for the terminal device, it replaces the real identity and is stored together with the data in the data anonymous storage protocol;
and the address of each piece of data in the data anonymous storage protocol is stored on the blockchain, while the correspondence between the pseudo identity and the real identity is also stored on the blockchain for evidence collection and source tracing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210493796.3A CN114978622A (en) 2022-05-08 2022-05-08 Anonymous credential verification method and system based on block chain and zero-knowledge proof

Publications (1)

Publication Number Publication Date
CN114978622A true CN114978622A (en) 2022-08-30

Family

ID=82980609

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210493796.3A Withdrawn CN114978622A (en) 2022-05-08 2022-05-08 Anonymous credential verification method and system based on block chain and zero-knowledge proof

Country Status (1)

Country Link
CN (1) CN114978622A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116471081A (en) * 2023-04-18 2023-07-21 中国石油天然气股份有限公司辽宁销售分公司 Indoor security anonymous authentication method based on Internet of things technology
CN116471081B (en) * 2023-04-18 2023-12-12 中国石油天然气股份有限公司辽宁销售分公司 Indoor security anonymous authentication method based on Internet of things technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20221114

Address after: 201,900 Room 149, Zone A, 1st Floor, Building 1, No. 58 Dijie Road, Baoshan District, Shanghai

Applicant after: Shanghai Tidong Network Technology Co.,Ltd.

Address before: Room 2411, No. 2, Lane 270, Wuxing Road, Xuhui District, Shanghai, 200030

Applicant before: Zheng Yunshan

WW01 Invention patent application withdrawn after publication

Application publication date: 20220830