CN115564434A - Block chain supervision privacy protection method based on zero knowledge proof - Google Patents
- Publication number
- CN115564434A, CN202211167365.4A
- Authority
- CN
- China
- Prior art keywords
- transaction
- identity
- key
- address
- sig
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G06Q20/38215: Use of certificates or encrypted proofs of transaction rights
- G06Q20/3823: Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
- G06Q20/3825: Use of electronic signatures
- G06Q20/3829: Payment protocols; Details thereof insuring higher security of transaction involving key management
- G06Q20/4014: Identity check for transactions
- H04L9/0863: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
- H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/3221: Verifying the identity or authority of a user of the system or message authentication using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs; interactive zero-knowledge proofs
- H04L9/3226: Verifying the identity or authority of a user of the system or message authentication using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3247: Verifying the identity or authority of a user of the system or message authentication involving digital signatures
- H04L9/3263: Verifying the identity or authority of a user of the system or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention discloses a blockchain supervision privacy protection method based on zero-knowledge proof, which comprises: system initialization, generation of the supervisor's keys, and creation of user transaction addresses; a user applying to the supervision authority for a resource access authorization certificate using the user's own identity information; transaction sending and transaction receiving; miners verifying whether a transaction is legal and, if it is not, directly discarding it and ending; the supervisor judging whether the user's identity needs to be tracked and, if not, ending directly; and the supervisor decrypting the tracing data with its own encryption private key, revoking the anonymity of the transaction, and tracing the identity with the help of the identity tracing list IDList. The invention is built on zkSNARK technology, uses a cryptographic commitment mechanism to hide account balances and transaction amounts, supports dynamic addition and revocation of user identities by having the supervisor uniformly maintain an identity authorization Merkle tree, and combines this with zkSNARK technology to achieve anonymous authentication of user identity and transaction supervision.
Description
Technical Field
The invention relates to the technical field of block chains, in particular to a block chain supervision privacy protection method based on zero knowledge proof.
Background
Blockchain technology is considered to be the 5th disruptive computing paradigm after mainframe computers, personal computers, the internet, and mobile societies, and the 4th milestone in the history of human credit evolution after blood-kinship credit, precious-metal credit, and central-bank banknote credit. Governments of various countries therefore keep issuing relevant policy documents, strengthening the strategic layout of the blockchain industry and actively embracing blockchain technology so as to seize the leading position in the new generation of information technology. According to statistics, in 2019-2020, 24 countries around the world issued special policies or laws and regulations specifically addressing blockchain industry development and industry supervision.
Supervised privacy protection on the blockchain is of great significance for blockchain transactions, and existing blockchain-based transaction schemes generally have the following problem: they focus mainly on the fairness of transactions and on data privacy, and do not consider supervision of the data market. Supervisability is crucial to decentralized, anonymous trading systems, and its absence may inadvertently provide natural cover for criminals. If an effective access control mechanism and a supervision and tracing mechanism are lacking, then, combined with the anonymity of privacy-protecting applications, criminal forensics and identity tracking become difficult and security incidents become frequent. Thus, without improving the privacy of the original blockchain, data leakage in some areas may not only limit the development of blockchain technology but may even result in irretrievable losses. At present, solutions that balance privacy and supervision under the account model are still at an early stage; the existing approaches are immature and imperfect, and the following related research schemes exist:
1) An audit service is provided for private transactions using an integrated encryption-signature scheme and zero-knowledge proof technology, but revocation of anonymity for suspicious private transactions is not considered, so tracing to the source is difficult under this scheme.
2) By introducing two entities, Identity Providers and Anonymous Revokers, the transaction process is guaranteed to be supervised, but the privacy offered by the scheme is still deficient: if a user uses the same account for multiple transactions, the link between the two transaction parties can be mined.
In summary, solutions that balance privacy and supervision under the account model are still at an early stage and cannot fully solve the above problems. Existing solutions cannot have both privacy and supervision: those that provide complete privacy cannot accommodate supervision, and those that accommodate supervision have defects in privacy.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a block chain supervision privacy protection method based on zero knowledge proof.
In order to achieve the purpose of the invention, the invention adopts the technical scheme that:
A blockchain supervision privacy protection method based on zero-knowledge proof comprises the following steps:
S1, initializing a blockchain system and acquiring the common parameters of the blockchain system, wherein the blockchain system comprises transaction parties and a supervisor;
S2, generating a supervisor key and creating a transaction party user address at the supervisor, the transaction party applying to the supervisor for a resource access authorization certificate according to its identity information and initiating a transaction;
S3, the miners verify the validity of the initiated transaction; if it is not legal, the transaction is discarded and the process ends; if it is legal, go to step S4;
S4, the supervisor judges whether the user identities of the two transaction parties are to be tracked; if not, the process ends; if so, go to step S5;
S5, the supervisor decrypts the tracing data using its encryption private key, revokes the anonymity of the transaction, and completes identity tracking of both transaction parties according to the transaction party identity tracing list.
Further, the system parameters generated in S1 include a proving key and a verification key for generating zkSNARK proofs, and the public parameters of the encryption and signature algorithms. The specific calculation process is as follows:
Input the algorithm security parameter $\lambda$, the transaction sending constraint circuit $C_{send}$ and the transaction receiving constraint circuit $C_{rcv}$, and generate the system parameters $pp := (pp_{enc}, pp_{sig}, pk_{send}, pk_{rcv}, vk_{send}, vk_{rcv})$, where $(pk_{send}, vk_{send})$ is the zero-knowledge proof generation/verification key pair for the transaction sending circuit, $(pk_{rcv}, vk_{rcv})$ is the zero-knowledge proof generation/verification key pair for the transaction receiving circuit, $pp_{enc}$ is the public parameters of the encryption algorithm, and $pp_{sig}$ is the public parameters of the signature algorithm.
Further, in S2, the specific manner in which the supervisor generates the supervisor key and creates the transaction party user address is as follows:
S201, calculating the encryption key and the signature key of the supervisor as follows:
$$(pk_{enc,s}, sk_{enc,s}) := K_{enc}(pp_{enc})$$
$$(pk_{sig,s}, sk_{sig,s}) := K_{sig}(pp_{sig})$$
where $(pk_{enc,s}, sk_{enc,s})$ is the encryption key pair and $(pk_{sig,s}, sk_{sig,s})$ is the signature key pair;
S202, calculating a communication key pair according to the encryption key and the signature key calculated in S201, as follows:
$$(pk_{enc}, sk_{enc}) := K_{enc}(pp_{enc})$$
where $(pk_{enc}, sk_{enc})$, the output of $K_{enc}(pp_{enc})$, is the communication key pair;
S203, selecting a random number as the address private key and selecting a further random number, and calculating the address public key from the address private key and the random number as follows:
$$a_{pk} := PRF(a_{sk}, r)$$
where $a_{sk}$ is the address private key, $r$ is a random number, and $a_{pk}$ is the address public key;
S204, calculating the user transaction address from the address public key as follows:
$$addr := CRH(a_{pk})$$
where $CRH(\cdot)$ is a collision-resistant hash function.
Further, the specific way in which the transaction party applies to the supervisor for the resource access authorization certificate according to its identity information in S2 is as follows:
S211, the user sends the address public key, the zero-knowledge proof and the user's identity information to the supervisor;
S212, the supervisor verifies the validity of the user identity and, if it is valid, stores the address public key and the user's identity information in the identity tracing list;
S213, for a user whose identity authentication is valid, the supervisor calculates the supervision auxiliary information and the user authorization certificate as follows:
$$C_{aux} := \mathcal{E}_{enc}(pk_{enc,s}, a_{pk})$$
$$Item_{auth} := CRH(a_{pk} \| C_{aux})$$
where $C_{aux}$ is the supervision auxiliary information, $CRH(\cdot)$ is a collision-resistant hash function, and $Item_{auth}$ is the user authorization certificate;
S214, the supervisor reorganizes the identity authorization Merkle tree, updates the user authorization certificate into the identity authorization Merkle tree, and broadcasts the new identity authorization Merkle tree to the blockchain network.
Further, initiating the transaction in S2 includes transaction sending and transaction receiving, wherein:
the specific mode of transaction sending is as follows: the user generates a zkSNARK zero-knowledge proof while executing transaction sending, and the transaction sending constraint circuit constrains the transaction process;
the specific mode of transaction receiving is as follows: after the transaction is completed, the transaction commitment is added to the transaction commitment Merkle tree of the latest block; when the transaction receiver receives the transaction, it proves that it knows the trapdoor of the transaction commitment in the block and proves that the transaction commitment exists.
Further, the verification of the validity of the initiated transaction in S3 includes verification of the validity of transaction sending and of transaction receiving, where, if the transaction type is transaction sending, the verification method is as follows:
S301, let $tx_{send} := (addr_A, C_{share}, \pi_{send}, x, \sigma_{m,A}, pk_{sig,A})$,
where $addr_A$ is the transaction address of the transaction sender, $C_{share}$ is the asset receiving trapdoor shared by the transaction sender and the transaction receiver, $\pi_{send}$ is the zero-knowledge proof for transaction sending, the message is denoted $m_A := (x, \pi_{send}, pk_{sig,A}, C_{share})$, $\sigma_{m,A}$ is the signature on the message $m_A$, and $pk_{sig,A}$ is the signature key of the transaction sender;
$rt_{auth}$ is the root node of the identity authorization Merkle tree; $cm_{tx}$ is the transaction commitment; the account balance commitment of the transaction sender before the transaction; the account balance commitment of the transaction sender after the transaction; $Item_{auth,A}$ is the user authorization certificate of the transaction sender; $a_{pk,A}$ is the public key address of the transaction sender; the transaction serial number of the transaction sender; $C_{aux,A}$ is the encryption of the transaction sender's address public key for the supervisor; $h_{sig,A}$ is the hash of the transaction sender's signature key; and $h_A$ is the pseudo-random calculation result of $h_{sig,A}$ and the transaction sender's address private key $a_{sk,A}$;
s302, verifying whether balance commitment of the account is asIf not, the verification fails, and a verification result res =0 is output;
S303, verifying whether the transaction serial number of the transaction sender appears in the public serial number set; if so, the verification fails and the verification result res = 0 is output;
S304, verifying whether $rt_{auth}$ is the root of the latest identity authorization Merkle tree; if not, the verification fails and the verification result res = 0 is output.
Further, if the transaction type is transaction receiving, the verification method is as follows:
S311, let $tx_{send} := (addr_B, x, \pi_{rcv}, \sigma_{m,B}, pk_{sig,B})$,
where $addr_B$ is the transaction address of the transaction receiver, $\pi_{rcv}$ is the zero-knowledge proof of the transaction receiver, the message is denoted $m_B := (x, \pi_{rcv}, pk_{sig,B})$, $\sigma_{m,B}$ is the signature on the message $m_B$, and $pk_{sig,B}$ is the signature key of the transaction receiver;
$rt_{tx}$ is the root of the transaction commitment Merkle tree; $rt_{auth}$ is the root of the identity authorization Merkle tree; the account balance commitment of the transaction receiver before the transaction; the account balance commitment of the transaction receiver after the transaction; $sn_v$ is the transaction serial number; $C_{aux,B}$ is the encryption of the transaction receiver's address public key for the supervisor; $h_{sig,B}$ is the hash of the transaction receiver's signature key; $h_B$ is the pseudo-random calculation result of $h_{sig,B}$ and the transaction receiver's address private key $a_{sk,B}$; $Item_{auth,B}$ is the user authorization certificate of the transaction receiver; $a_{pk,B}$ is the public key address of the transaction receiver; the transaction serial number of the transaction receiver;
s312, verifying whether the balance commitment of the account is asIf not, the verification fails, and a verification result res =0 is output;
S313, verifying whether $rt_{auth}$ is the root of the latest identity authorization Merkle tree; if not, the verification fails and the verification result res = 0 is output;
S314, verifying whether $rt_{tx}$ appears in the ledger; if not, the verification fails and the verification result res = 0 is output;
S315, after the transaction verification passes, the miners add the published serial numbers to the public serial number set and, according to the information published during transaction sending and transaction receiving, update the balance commitments of the corresponding account addresses to the new balance commitments.
Further, in S4, a zero-knowledge proof is used to verify whether the supervision auxiliary information was generated as required, and if not, the supervisor uses its own encryption private key and the identity tracing list to trace the real identity corresponding to the account address.
The invention has the following beneficial effects:
1. The invention ensures that the ledger leaks nothing: account balances and transaction amounts are stored on the blockchain in committed form, so they are hidden.
2. The method also provides unlinkability of transactions: the transaction process is carried out in two steps, in which the transaction sender generates a transaction commitment and the transaction receiver provides a proof to receive the asset, hiding the link between the parties to a transaction.
3. The invention also provides supervisability by requiring every transaction to carry supervision and tracing information: only transactions initiated by users authorized by the supervisor can pass verification, only the supervisor can trace the identity of transaction participants, and a malicious user cannot initiate a transaction that passes verification yet cannot be traced by the supervisor. Throughout the process, zkSNARK technology constrains the behaviour of both transaction parties and ensures the correctness of transaction execution.
Drawings
Fig. 1 is a schematic flow chart of a block chain supervised privacy protection method based on zero knowledge proof according to the present invention.
Detailed Description
The following description of the embodiments of the present invention is provided to help those skilled in the art understand the invention. It should be understood, however, that the invention is not limited to the scope of the embodiments; to those skilled in the art, various changes are apparent as long as they remain within the spirit and scope of the invention as defined and determined by the appended claims, and everything produced using the inventive concept is protected.
A supervisable blockchain privacy protection method based on zero-knowledge proof, as shown in fig. 1, includes the following steps:
S1, initializing a blockchain system and acquiring the common parameters of the blockchain system, wherein the blockchain system comprises transaction parties and a supervisor;
In this embodiment, the system parameters generated in S1 include a proving key and a verification key for generating zkSNARK proofs, and the public parameters of the encryption and signature algorithms. The specific calculation process is as follows:
Input the algorithm security parameter $\lambda$, the transaction sending constraint circuit $C_{send}$ and the transaction receiving constraint circuit $C_{rcv}$, and generate the system parameters $pp := (pp_{enc}, pp_{sig}, pk_{send}, pk_{rcv}, vk_{send}, vk_{rcv})$, where $(pk_{send}, vk_{send})$ is the zero-knowledge proof generation/verification key pair for the transaction sending circuit, $(pk_{rcv}, vk_{rcv})$ is the zero-knowledge proof generation/verification key pair for the transaction receiving circuit, $pp_{enc}$ is the public parameters of the encryption algorithm, and $pp_{sig}$ is the public parameters of the signature algorithm. The specific calculation is as follows:
S1-1, for circuit $C_{send}$, according to the formula:
$$(pk_{send}, vk_{send}) := KeyGen(1^{\lambda}, C_{send})$$
calculate the zero-knowledge proof generation/verification key pair of the transaction sending circuit, where $\lambda$ is the input algorithm security parameter.
S1-2, for circuit $C_{rcv}$, according to the formula:
$$(pk_{rcv}, vk_{rcv}) := KeyGen(1^{\lambda}, C_{rcv})$$
calculate the zero-knowledge proof generation/verification key pair of the transaction receiving circuit.
S1-3, according to a formula:
calculate the public parameters $pp_{enc}$ of the encryption algorithm and the public parameters $pp_{sig}$ of the signature algorithm.
S2, generating a supervisor key and creating a transaction party user address at the supervisor, the transaction party applying to the supervisor for a resource access authorization certificate according to its identity information and initiating a transaction;
Specifically, in this embodiment, the supervisor generates the supervisor key and creates the transaction party user address as follows:
S201, calculating the encryption key and the signature key of the supervisor as follows:
$$(pk_{enc,s}, sk_{enc,s}) := K_{enc}(pp_{enc})$$
$$(pk_{sig,s}, sk_{sig,s}) := K_{sig}(pp_{sig})$$
where $(pk_{enc,s}, sk_{enc,s})$ is the encryption key pair and $(pk_{sig,s}, sk_{sig,s})$ is the signature key pair;
S202, calculating a communication key pair according to the encryption key and the signature key calculated in S201, as follows:
$$(pk_{enc}, sk_{enc}) := K_{enc}(pp_{enc})$$
where $(pk_{enc}, sk_{enc})$, the output of $K_{enc}(pp_{enc})$, is the communication key pair;
S203, selecting a random number as the address private key and selecting a further random number, and calculating the address public key from the address private key and the random number as follows:
$$a_{pk} := PRF(a_{sk}, r)$$
where $a_{sk}$ is the address private key, $r$ is a random number, and $a_{pk}$ is the address public key;
S204, calculating the user transaction address from the address public key as follows:
$$addr := CRH(a_{pk})$$
where $CRH(\cdot)$ is a collision-resistant hash function.
After hash processing, the address public key $a_{pk}$ is disclosed externally as the user's account address; the address private key $a_{sk}$ is used for account authentication, and only those who know the private key of the account address can access the account.
The transacting party applies to the supervisor for a resource access authorization certificate, based on its identity information, as follows:
S211, the user sends the address public key, the zero-knowledge proof and the user's identity information to the supervisor;
The user sends $(a_{pk}, \pi_{id}, ID)$ to the supervisor, where $a_{pk}$ is the user's address public key and $\pi_{id}$ is a zero-knowledge proof that the user sending the message really holds the address private key $a_{sk}$ corresponding to $a_{pk}$. Offline channels or other systems (e.g., face recognition systems) can be combined here to prevent malicious users from forging another person's identity information ID.
S212, the supervisor verifies the validity of the user's identity; if it is valid, the address public key $a_{pk}$ and the user's identity information ID are stored in the identity tracing list IDList;
S213, for a user whose identity has been validated, the supervisor computes the supervision auxiliary information and the user authorization certificate as follows:
$C_{aux} := \varepsilon_{enc}(pk_{enc,s}, a_{pk})$
$Item_{auth} := \mathrm{CRH}(a_{pk} \| C_{aux})$
where $C_{aux}$ is the supervision auxiliary information, $\mathrm{CRH}(\cdot)$ is a collision-resistant hash function, and $Item_{auth}$ is the user authorization certificate;
S214, the supervisor reorganizes the identity authorization Merkle tree, adds the user authorization certificate to it, and broadcasts the new identity authorization Merkle tree to the blockchain network. All nodes in the network verify the validity of user identities against the latest identity authorization Merkle tree.
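The registration flow of S203 to S214 can be followed end to end in a short sketch. This is an added example, not code from the patent: HMAC-SHA256 for PRF, SHA-256 for CRH, the domain-separation prefixes, the padding node and the opaque constructed `C_aux` byte strings are all assumptions. It also shows that a proof path computed against an older root stops verifying once the supervisor broadcasts a new tree.

```python
import hashlib
import hmac

# Padding node for levels with an odd number of nodes (assumption of this sketch).
EMPTY = hashlib.sha256(b"\x02empty-leaf").digest()


def prf(key: bytes, msg: bytes) -> bytes:
    """Stand-in for PRF; HMAC-SHA256 is an assumption, the patent names no function."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def crh(data: bytes) -> bytes:
    """Stand-in for the collision-resistant hash CRH (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()


def address(a_sk: bytes, r: bytes):
    """S203/S204: a_pk := PRF(a_sk, r), addr := CRH(a_pk)."""
    a_pk = prf(a_sk, r)
    return a_pk, crh(a_pk)


def item_auth(a_pk: bytes, c_aux: bytes) -> bytes:
    """S213: Item_auth := CRH(a_pk || C_aux). a_pk has fixed length, so the
    concatenation is unambiguous."""
    return crh(a_pk + c_aux)


def build_levels(items):
    """Return every level of the tree, leaves first. Leaf and inner hashes use
    different prefixes so a leaf can never be confused with an inner node."""
    if not items:
        raise ValueError("tree needs at least one certificate")
    levels = [[crh(b"\x00" + it) for it in items]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(EMPTY)
        levels.append([crh(b"\x01" + cur[i] + cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels


def merkle_root(items) -> bytes:
    return build_levels(items)[-1][0]


def merkle_path(items, index: int):
    """Path(Item_auth): list of (sibling hash, node-is-right-child) pairs."""
    if not 0 <= index < len(items):
        raise IndexError("no such certificate")
    path = []
    for level in build_levels(items)[:-1]:
        path.append((level[index ^ 1], index & 1))
        index >>= 1
    return path


def verify_path(item: bytes, path, root: bytes) -> bool:
    """Recompute the root from one certificate and its path."""
    node = crh(b"\x00" + item)
    for sibling, node_is_right in path:
        pair = sibling + node if node_is_right else node + sibling
        node = crh(b"\x01" + pair)
    return hmac.compare_digest(node, root)


# Constructed sample users: (a_sk, r, C_aux). C_aux is an opaque placeholder
# for the supervisor's ciphertext; no real encryption happens in this sketch.
SAMPLE = [
    (b"alice-address-sk", b"r-alice", b"constructed-c-aux-alice"),
    (b"bob-address-sk", b"r-bob", b"constructed-c-aux-bob"),
    (b"carol-address-sk", b"r-carol", b"constructed-c-aux-carol"),
]


def certificates(users):
    return [item_auth(address(a_sk, r)[0], c_aux) for a_sk, r, c_aux in users]


if __name__ == "__main__":
    items = certificates(SAMPLE)
    rt_auth = merkle_root(items)
    path = merkle_path(items, 0)
    print("Alice authorized:", verify_path(items[0], path, rt_auth))
    # Same a_pk with a different C_aux is a different leaf and is rejected.
    forged = item_auth(address(*SAMPLE[0][:2])[0], b"some-other-c-aux")
    print("swapped C_aux accepted:", verify_path(forged, path, rt_auth))
    # After a fourth user is added, Alice's old path no longer matches the root.
    dave = [(b"dave-address-sk", b"r-dave", b"constructed-c-aux-dave")]
    new_root = merkle_root(items + certificates(dave))
    print("old path vs new root:", verify_path(items[0], path, new_root))
```

Because verifiers only accept the latest root, every registered user has to refresh their path after each tree update.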
Because a transaction involves two parties, the transaction sending algorithm and the transaction receiving algorithm are described using the following scenario: Alice (the sender) initiates a transfer to Bob (the receiver) with transfer amount $v_t$.
The specific method for transaction sending is as follows:
Let Alice's address private key be $a_{sk,A}$ and her address public key be $a_{pk,A} := \mathrm{PRF}(a_{sk,A}, r_A)$, where $r_A$ is a random number.
Constraints imposed through $C_{send}$: $v_t$ must be greater than zero; $v_t$ must be equal to or less than
Select a random number $\rho_v$ and compute the transaction serial number $sn_v := \mathrm{PRF}(a_{sk,A}, \rho_v)$.
Generate $(pk_{sig,A}, sk_{sig,A}) := K_{sig}(pp_{sig})$.
Compute $h_{sig,A} := \mathrm{CRH}(pk_{sig,A})$ and $h_A := \mathrm{PRF}(a_{sk,A}, h_{sig,A})$.
Encrypt the transaction serial number with the transaction receiver's public key $pk_{enc,B}$: $C_{share} := \varepsilon_{enc}(pk_{enc,B}, sn_v)$.
Encrypt the address public key $a_{pk,A}$ with the supervisor's public key: $C_{aux,A} := \varepsilon_{enc}(pk_{enc,s}, a_{pk,A})$.
Compute $Item_{auth,A} := \mathrm{CRH}(a_{pk,A} \| C_{aux,A})$.
Compute $path_{auth,A} := \mathrm{Path}(Item_{auth,A})$, which proves that $Item_{auth,A}$ is a leaf node of the identity authorization Merkle tree whose root node is $rt_{auth}$.
Note the book
Compute the transaction-sending zero-knowledge proof $\pi_{send} := \mathrm{Prove}(pk_{send}, x, w)$.
Let $tx_{send} := (addr_A, C_{share}, \pi_{send}, x, \sigma_{m,A}, pk_{sig,A})$ and output $tx_{send}$.
The invention uses zkSNARK zero-knowledge proofs to ensure the correctness of transactions. While executing the transaction sending algorithm, the user generates a zkSNARK zero-knowledge proof $\pi_{send}$; the transaction-sending constraint circuit $C_{send}$ mainly enforces the following:
Prove that the user has the right to use the account, i.e. that the user knows the secret value for opening the account, the account balance, and the address private key $a_{sk,A}$.
Prove that the transaction amount $v_t$ is greater than zero; prove that the transaction amount $v_t$ is less than or equal to the account balance.
The balance change of the transaction account is legitimate.
The role of $path_{auth,A}$: it proves that the user is indeed a legitimate user authorized by the supervisor; that $C_{aux,A}$ is indeed obtained by encrypting the transaction sender's address public key $a_{pk,A}$ with the supervisor's encryption public key; and that the user does hold the private key $a_{sk,A}$ corresponding to $a_{pk,A}$, i.e. that $a_{pk,A} := \mathrm{PRF}(a_{sk,A}, r_A)$.
The purpose of the value published in $tx_{send}$ is to prevent double-spending attacks. Because the miners maintain the set SNList of published serial numbers sn, a replay of the transaction by Alice is easily detected. The algorithm uses a one-time signature scheme to make the zero-knowledge proof non-malleable: a unique label is generated for each transaction, so copies of a zero-knowledge proof in different transactions cannot be identical. The system hides the transaction amount and the transaction receiver's public key inside the commitment $cm_{tx}$. Although $tx_{send}$ publicly discloses the account address that initiated the transaction, the binding and hiding properties of the commitment mean that no one can determine the specific transaction amount or the counterparty.
The specific method for transaction receiving is as follows:
After the $tx_{send}$ transaction completes, the transaction commitment $cm_{tx}$ is added to the transaction commitment Merkle tree of the latest block. When receiving the transaction, the transaction receiver must prove knowledge of the trapdoor of some transaction commitment in a block (which may be the latest block or an earlier one) and prove that the commitment exists.
Let Bob's address private key be $a_{sk,B}$ and his address public key be $a_{pk,B} := \mathrm{PRF}(a_{sk,B}, r_B)$, where $r_B$ is a random number.
Scanning by account address addr A Initiated transaction tx send CalculatingIf it is notThe output result of the decryption is true:
computingAnd determines whether or not the result is a transaction tx send Middle cm tx The values are consistent.
Check whether the transaction serial number $sn_v$ already appears in SNList.
If all checks pass, continue; otherwise, terminate.
Compute $path_{tx} := \mathrm{Path}(cm_{tx})$. This gives a Merkle proof path showing that $cm_{tx}$ is a leaf node of the transaction commitment Merkle tree whose root node is $rt_{tx}$.
Compute $h_{sig,B} := \mathrm{CRH}(pk_{sig,B})$ and $h_B := \mathrm{PRF}(a_{sk,B}, h_{sig,B})$.
Compute $Item_{auth,B} := \mathrm{CRH}(a_{pk,B} \| C_{aux,B})$.
Compute $path_{auth,B} := \mathrm{Path}(Item_{auth,B})$. This gives a Merkle proof path showing that $Item_{auth,B}$ is a leaf node of the identity authorization Merkle tree whose root node is $rt_{auth}$.
Compute the transaction-receiving zero-knowledge proof $\pi_{rcv} := \mathrm{Prove}(pk_{rcv}, x, w)$.
Let $tx_{rcv} := (addr_B, x, \pi_{rcv}, \sigma_{m,B}, pk_{sig,B})$ and output $tx_{rcv}$.
The invention uses zkSNARK zero-knowledge proofs to ensure that a transaction is received correctly. While executing the transaction receiving algorithm, the user generates a zkSNARK zero-knowledge proof $\pi_{rcv}$; the corresponding transaction-receiving circuit $C_{rcv}$ mainly enforces the following:
Prove that the user has the right to use the account, i.e. that the user knows the secret value for opening the account, the account balance, and the address private key $a_{sk,B}$.
The balance change of the transaction account is legitimate; prove that $h_B$ is generated according to the prescribed rule.
Prove that the transaction receiver knows the secret value that opens the commitment $cm_{tx}$.
Constrain the address public key of the account receiving the asset to be the address public key specified in $cm_{tx}$.
The role of $path_{tx}$: to break the link between the transaction initiator and the transaction receiver, $tx_{rcv}$ does not disclose which transaction commitment in the transaction commitment pool the receiver is claiming. To prevent an attacker from forging a non-existent transaction commitment, however, the transaction receiver must supply a Merkle proof path showing that the received transaction commitment $cm_{tx}$ really is in the transaction commitment pool.
The role of $path_{auth,B}$: it proves that the user is indeed a legitimate user authorized by the supervisor; that $C_{aux,B}$ is obtained by encrypting the transaction sender's address public key $a_{pk,B}$ with the supervisor's encryption public key; and that the user does hold the private key $a_{sk,B}$ corresponding to $a_{pk,B}$, i.e. that $a_{pk,B} := \mathrm{PRF}(a_{sk,B}, r_B)$.
The algorithm again uses a one-time signature scheme to ensure the non-malleability of the zero-knowledge proof. Each transaction is bound to a unique transaction serial number $sn_v$; once transaction receiving completes, $tx_{rcv}$ publishes the used serial number, and because the system maintains the published serial number set SNList, an attacker who replays $tx_{rcv}$ after receiving has completed is easily recognized by the miners.
S3, the miners verify the validity of the initiated transaction; if it is not valid, the transaction is discarded and the process ends; if it is valid, go to step S4;
The validity verification of the initiated transaction in S3 covers both transaction sending and transaction receiving. If the transaction type is transaction sending, the verification proceeds as follows:
S301, let $tx_{send} := (addr_A, C_{share}, \pi_{send}, x, \sigma_{m,A}, pk_{sig,A})$,
where $addr_A$ is the transaction sender's transaction address; $C_{share}$ is the asset-receiving trapdoor shared by the transaction sender and the transaction receiver; $\pi_{send}$ is the transaction-sending zero-knowledge proof; with message $m_A := (x, \pi_{send}, pk_{sig,A}, C_{share})$, $\sigma_{m,A}$ is the signature on message $m_A$; and $pk_{sig,A}$ is the transaction sender's signature key;
$rt_{auth}$: root node of the identity authorization Merkle tree; $cm_{tx}$: transaction commitment; account balance commitment of the transaction sender before the transaction; account balance commitment of the transaction sender after the transaction; $Item_{auth,A}$: user authorization certificate of the transaction sender; $a_{pk,A}$: address public key of the transaction sender; transaction serial number of the transaction sender; $C_{aux,A}$: encryption of the transaction sender's address public key for the supervisor; $h_{sig,A}$: hash of the transaction sender's signature key; $h_A$: pseudo-random function result computed from $h_{sig,A}$ and the transaction sender's address private key $a_{sk,A}$;
s302, verifying whether the balance commitment of the account is asIf not, the verification fails, and a verification result res =0 is output;
S303, verify whether the transaction sender's transaction serial number already appears in the public serial number set; if it does, the verification fails and the verification result res = 0 is output;
S304, verify whether $rt_{auth}$ is the root of the latest identity authorization Merkle tree; if not, the verification fails and the verification result res = 0 is output;
After the above steps pass,
let $m_A := (x, \pi_{send}, C_{share}, pk_{sig,A})$.
Compute $res := V_{sig}(pk_{sig,A}, m_A, \sigma_{m,A})$,
where, with message $m_A := (x, \pi_{rcv}, pk_{sig,B})$, $\sigma_{m,A}$ is the signature on message $m_A$.
Compute $res' := \mathrm{Verify}(vk_{send}, x, \pi_{send})$, then output $res \wedge res'$,
where $vk_{send}$ is the zero-knowledge proof verification key of the transaction-sending circuit.
If the transaction type is transaction receiving, the verification proceeds as follows:
S311, let $tx_{send} := (addr_B, x, \pi_{rcv}, \sigma_{m,B}, pk_{sig,B})$,
where $addr_B$ is the transaction receiver's transaction address; $\pi_{rcv}$ is the transaction receiver's zero-knowledge proof; with message $m_B := (x, \pi_{rcv}, pk_{sig,B})$, $\sigma_{m,B}$ is the signature on message $m_B$; and $pk_{sig,B}$ is the transaction receiver's signature key;
$rt_{tx}$: root of the transaction commitment Merkle tree; $rt_{auth}$: root of the identity authorization Merkle tree; account balance commitment of the transaction receiver before the transaction; account balance commitment of the transaction receiver after the transaction; $sn_v$: transaction serial number; $C_{aux,B}$: encryption of the transaction receiver's address public key for the supervisor; $h_{sig,B}$: hash of the transaction receiver's signature key; $h_B$: pseudo-random function result computed from $h_{sig,B}$ and the transaction receiver's address private key $a_{sk,B}$; $Item_{auth,B}$: user authorization certificate of the transaction receiver; $a_{pk,B}$: address public key of the transaction receiver; transaction serial number of the transaction receiver;
s312, verifying whether the balance commitment of the account is asIf not, the verification fails, and a verification result res =0 is output;
S313, verify whether $rt_{auth}$ is the root of the latest identity authorization Merkle tree; if not, the verification fails and the verification result res = 0 is output;
S314, verify whether $rt_{tx}$ appears in the ledger; if not, the verification fails and the verification result res = 0 is output;
After the above steps pass,
let $m_B := (x, \pi_{send}, pk_{sig,B})$.
Compute $res := V_{sig}(pk_{sig,B}, m_B, \sigma_{m,B})$.
Compute $res' := \mathrm{Verify}(vk_{rcv}, x, \pi_{rcv})$ and output $res \wedge res'$,
where $vk_{rcv}$ is the zero-knowledge proof verification key of the transaction-receiving circuit.
S315, after the transaction passes verification, the miners add the published serial numbers to the public serial number set and, using the information published during transaction sending and transaction receiving, update the balance commitment of the corresponding account address to the new balance commitment.
S4, the supervisor decides whether to trace the user identities of the two transacting parties; if not, the process ends; if so, go to step S5;
S5, the supervisor decrypts the traceback number using its encryption private key, removes the anonymity of the transaction, and completes identity tracing of both transacting parties using the transacting-party identity tracing list.
In this embodiment, the specific method includes the following substeps:
Let $tx_{send/rcv}.C_{aux} := \varepsilon_{enc}(pk_{enc,s}, a_{pk})$ and compute $a_{pk} := D_{enc}(sk_{enc,s}, a_{pk})$. Whether a transaction is a receiving transaction $tx_{rcv}$ or a sending transaction $tx_{send}$, it contains the supervision auxiliary information $C_{aux}$, and the zero-knowledge proof guarantees that $C_{aux}$ was generated as required. For a suspicious account address, the supervisor can therefore easily trace the real identity behind that address using its own encryption private key and the identity tracing list IDList.
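The tracing step can be illustrated as follows. This is an added example, not the patent's implementation: the patent does not name the encryption scheme, so a hashed-ElGamal construction over a demo group stands in for $\varepsilon_{enc}$ and $D_{enc}$, and the `Supervisor` class, the transaction dictionary layout and the address consistency check are assumptions. The zero-knowledge proof that binds $C_{aux}$ to the sender's key is taken as already verified by the miners.

```python
import hashlib
import secrets

# Demo group parameters (assumption): fine for showing the data flow, not a
# vetted choice for deployment. The ciphertext is also unauthenticated; in the
# scheme described above it is the zero-knowledge proof that vouches for C_aux.
P = 2**255 - 19
G = 2


def crh(data: bytes) -> bytes:
    """Stand-in for CRH (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()


def keygen():
    """(pk_enc, sk_enc) := K_enc(pp_enc) for the stand-in scheme."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def _keystream(shared: int, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        block = shared.to_bytes(32, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def enc(pk: int, msg: bytes) -> bytes:
    """Randomized encryption: 32-byte ephemeral value followed by masked message."""
    k = secrets.randbelow(P - 2) + 1
    shared = pow(pk, k, P)
    body = bytes(a ^ b for a, b in zip(msg, _keystream(shared, len(msg))))
    return pow(G, k, P).to_bytes(32, "big") + body


def dec(sk: int, ct: bytes) -> bytes:
    if len(ct) <= 32:
        raise ValueError("ciphertext too short")
    shared = pow(int.from_bytes(ct[:32], "big"), sk, P)
    body = ct[32:]
    return bytes(a ^ b for a, b in zip(body, _keystream(shared, len(body))))


class Supervisor:
    """Holds sk_enc,s and the identity tracing list IDList (hypothetical class)."""

    def __init__(self):
        self.pk_enc, self._sk_enc = keygen()
        self.id_list = {}  # a_pk -> identity information ID

    def register(self, a_pk: bytes, identity: str) -> bytes:
        """S212/S213, assuming pi_id and the identity check already passed."""
        self.id_list[a_pk] = identity
        return enc(self.pk_enc, a_pk)  # C_aux

    def trace(self, tx: dict):
        """S5: decrypt the C_aux carried by a transaction and look up IDList.
        The addr == CRH(a_pk) comparison is an extra consistency check added
        in this sketch; it follows from addr := CRH(a_pk)."""
        a_pk = dec(self._sk_enc, tx["C_aux"])
        if crh(a_pk) != tx["addr"]:
            return None
        return self.id_list.get(a_pk)


if __name__ == "__main__":
    supervisor = Supervisor()
    a_pk_alice = crh(b"constructed a_pk for Alice")  # constructed sample key
    c_aux = supervisor.register(a_pk_alice, "ID-Alice")
    tx = {"addr": crh(a_pk_alice), "C_aux": c_aux}
    print("traced identity:", supervisor.trace(tx))
    # A C_aux that encrypts some other key yields no identity, which is why
    # the circuit has to constrain how C_aux is formed.
    other = crh(b"constructed unregistered key")
    bad_tx = {"addr": crh(a_pk_alice), "C_aux": enc(supervisor.pk_enc, other)}
    print("mismatched C_aux traced to:", supervisor.trace(bad_tx))
```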
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
It will be appreciated by those of ordinary skill in the art that the embodiments described herein are intended to assist the reader in understanding the principles of the invention and are to be construed as being without limitation to such specifically recited embodiments and examples. Those skilled in the art can make various other specific changes and combinations based on the teachings of the present invention without departing from the spirit of the invention, and these changes and combinations are within the scope of the invention.
Claims (8)
1. A block chain supervision privacy protection method based on zero knowledge proof is characterized by comprising the following steps:
S1, initializing a blockchain system and acquiring common parameters of the blockchain system, wherein the blockchain system comprises a transacting party and a supervisor;
S2, generating a supervisor key and creating a transacting-party user address in the supervisor, the transacting party applying to the supervisor for a resource access authorization certificate according to its identity information and initiating a transaction;
S3, the miners verifying the validity of the initiated transaction; if it is not valid, the transaction is discarded and the process ends, and if it is valid, going to step S4;
S4, the supervisor deciding whether to trace the user identities of the two transacting parties; if not, the process ends, and if so, going to step S5;
S5, the supervisor decrypting the traceback number using its encryption private key, removing the anonymity of the transaction, and completing identity tracing of both transacting parties according to the transacting-party identity tracing list.
2. The method of claim 1, wherein the system parameters generated in S1 include a proving key and a verification key for generating zkSNARK proofs and the common parameters of the encryption and signature algorithms, and the specific calculation process is as follows:
inputting the algorithm security parameter $\lambda$, the transaction-sending constraint circuit $C_{send}$ and the transaction-receiving constraint circuit $C_{rcv}$, and generating the system parameters $pp := (pp_{enc}, pp_{sig}, pk_{send}, pk_{rcv}, vk_{send}, vk_{rcv})$, wherein $(pk_{send}, vk_{send})$ is the zero-knowledge proof generation/verification key pair of the transaction-sending circuit, $(pk_{rcv}, vk_{rcv})$ is the zero-knowledge proof generation/verification key pair of the transaction-receiving circuit, $pp_{enc}$ is the common parameters of the encryption algorithm, and $pp_{sig}$ is the common parameters of the signature algorithm.
3. The method of claim 1, wherein the specific way of generating the supervisor key and creating the transacting-party user address in the supervisor in S2 is as follows:
S201, computing the encryption key and the signature key of the supervisor as follows:
$(pk_{enc,s}, sk_{enc,s}) := K_{enc}(pp_{enc})$
$(pk_{sig,s}, sk_{sig,s}) := K_{sig}(pp_{sig})$
wherein $(pk_{enc,s}, sk_{enc,s})$ is the encryption key pair and $(pk_{sig,s}, sk_{sig,s})$ is the signature key pair;
S202, computing a communication key pair according to the encryption key and the signature key computed in S201, as follows:
$(pk_{enc}, sk_{enc}) := K_{enc}(pp_{enc})$
wherein $K_{enc}(pp_{enc})$ is the communication key pair;
S203, selecting a random number as the address private key, selecting a further random number, and computing the address public key from the address private key and the random number as follows:
$a_{pk} := \mathrm{PRF}(a_{sk}, r)$
wherein $a_{sk}$ is the address private key, $r$ is the random number, and $a_{pk}$ is the address public key;
S204, computing the user's transaction address from the address public key as follows:
$addr := \mathrm{CRH}(a_{pk})$
wherein $\mathrm{CRH}(\cdot)$ is a collision-resistant hash function.
4. The blockchain supervision privacy protection method based on zero-knowledge proof according to claim 1, wherein the specific manner in which the transacting party applies to the supervisor for the resource access authorization certificate according to its identity information in S2 is as follows:
S211, the user sends the address public key, the zero-knowledge proof and the user's identity information to the supervisor;
S212, the supervisor verifies the validity of the user's identity, and if it is valid, the address public key and the user's identity information are stored in an identity tracing list;
S213, for a user whose identity has been validated, the supervisor computes the supervision auxiliary information and the user authorization certificate as follows:
$C_{aux} := \varepsilon_{enc}(pk_{enc,s}, a_{pk})$
$Item_{auth} := \mathrm{CRH}(a_{pk} \| C_{aux})$
wherein $C_{aux}$ is the supervision auxiliary information, $\mathrm{CRH}(\cdot)$ is a collision-resistant hash function, and $Item_{auth}$ is the user authorization certificate;
S214, the supervisor reorganizes the identity authorization Merkle tree, adds the user authorization certificate to the identity authorization Merkle tree, and broadcasts the new identity authorization Merkle tree to the blockchain network.
5. The method of claim 1, wherein initiating a transaction in S2 comprises transaction sending and transaction receiving, wherein
the specific mode of transaction sending is as follows: the user generates a zkSNARK zero-knowledge proof while executing transaction sending, and the transaction-sending constraint circuit constrains the transaction process;
the specific mode of transaction receiving is as follows: after the transaction completes, the transaction commitment is added to the transaction commitment Merkle tree of the latest block, and when receiving the transaction, the transaction receiver proves knowledge of the trapdoor of the transaction commitment in the block and proves the existence of the transaction commitment.
6. The method according to claim 1, wherein verifying the validity of the initiated transaction in S3 comprises validity verification of transaction sending and transaction receiving, wherein if the transaction type is transaction sending, the verification method is as follows:
S301, let $tx_{send} := (addr_A, C_{share}, \pi_{send}, x, \sigma_{m,A}, pk_{sig,A})$,
wherein $addr_A$ is the transaction sender's transaction address; $C_{share}$ is the asset-receiving trapdoor shared by the transaction sender and the transaction receiver; $\pi_{send}$ is the transaction-sending zero-knowledge proof; with message $m_A := (x, \pi_{send}, pk_{sig,A}, C_{share})$, $\sigma_{m,A}$ is the signature on message $m_A$; and $pk_{sig,A}$ is the transaction sender's signature key;
$rt_{auth}$: root node of the identity authorization Merkle tree; $cm_{tx}$: transaction commitment; account balance commitment of the transaction sender before the transaction; account balance commitment of the transaction sender after the transaction; $Item_{auth,A}$: user authorization certificate of the transaction sender; $a_{pk,A}$: address public key of the transaction sender; transaction serial number of the transaction sender; $C_{aux,A}$: encryption of the transaction sender's address public key for the supervisor; $h_{sig,A}$: hash of the transaction sender's signature key; $h_A$: pseudo-random function result computed from $h_{sig,A}$ and the transaction sender's address private key $a_{sk,A}$;
s302, verifying whether balance commitment of account before transaction is asIf not, the verification fails, and a verification result res =0 is output;
S303, verifying whether the transaction sender's transaction serial number already appears in the public serial number set; if it does, the verification fails and the verification result res = 0 is output;
S304, verifying whether $rt_{auth}$ is the root of the latest identity authorization Merkle tree; if not, the verification fails and the verification result res = 0 is output.
7. The method of claim 6, wherein if the transaction type is transaction receiving, the verification method comprises:
S311, let $tx_{send} := (addr_B, x, \pi_{rcv}, \sigma_{m,B}, pk_{sig,B})$,
wherein $addr_B$ is the transaction receiver's transaction address; $\pi_{rcv}$ is the transaction receiver's zero-knowledge proof; with message $m_B := (x, \pi_{rcv}, pk_{sig,B})$, $\sigma_{m,B}$ is the signature on message $m_B$; and $pk_{sig,B}$ is the transaction receiver's signature key;
$rt_{tx}$: root of the transaction commitment Merkle tree; $rt_{auth}$: root of the identity authorization Merkle tree; account balance commitment of the transaction receiver before the transaction; account balance commitment of the transaction receiver after the transaction; $sn_v$: transaction serial number; $C_{aux,B}$: encryption of the transaction receiver's address public key for the supervisor; $h_{sig,B}$: hash of the transaction receiver's signature key; $h_B$: pseudo-random function result computed from $h_{sig,B}$ and the transaction receiver's address private key $a_{sk,B}$; $Item_{auth,B}$: user authorization certificate of the transaction receiver; $a_{pk,B}$: address public key of the transaction receiver; transaction serial number of the transaction receiver;
s312, verifying whether the balance commitment before the account transaction is asIf not, the verification fails, and a verification result res =0 is output;
S313, verifying whether $rt_{auth}$ is the root of the latest identity authorization Merkle tree; if not, the verification fails and the verification result res = 0 is output;
S314, verifying whether $rt_{tx}$ appears in the ledger; if not, the verification fails and the verification result res = 0 is output;
S315, after the transaction passes verification, the miners add the published serial numbers to the public serial number set and, using the information published during transaction sending and transaction receiving, update the balance commitment of the corresponding account address to the new balance commitment.
8. The blockchain supervision privacy protection method based on zero-knowledge proof as claimed in claim 1, wherein in S5 it is verified through the zero-knowledge proof whether the supervision auxiliary information is generated as required, and if not, the supervisor uses its own encryption private key to determine whether the identity corresponding to the account address traced through the identity tracing list is true.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211167365.4A CN115564434A (en) | 2022-09-23 | 2022-09-23 | Block chain supervision privacy protection method based on zero knowledge proof |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115564434A true CN115564434A (en) | 2023-01-03 |
Family
ID=84742474
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211167365.4A Pending CN115564434A (en) | 2022-09-23 | 2022-09-23 | Block chain supervision privacy protection method based on zero knowledge proof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115564434A (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115906183A (en) * | 2023-01-06 | 2023-04-04 | 南京理工大学 | Auditable and traceable block chain privacy protection system and method |
CN115829754A (en) * | 2023-02-16 | 2023-03-21 | 之江实验室 | Privacy protection block chain oriented transaction supervision method and device |
CN115860750A (en) * | 2023-02-27 | 2023-03-28 | 国网江西省电力有限公司信息通信分公司 | Electric vehicle power transaction identity authentication privacy protection method |
CN115860750B (en) * | 2023-02-27 | 2023-05-30 | 国网江西省电力有限公司信息通信分公司 | Electric automobile electric power transaction identity authentication privacy protection method |
CN116432204A (en) * | 2023-04-20 | 2023-07-14 | 兰州理工大学 | Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof |
CN116432204B (en) * | 2023-04-20 | 2023-11-17 | 兰州理工大学 | Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof |
CN116633560A (en) * | 2023-06-13 | 2023-08-22 | 北京交通大学 | Privacy protection and supervision method for block chain multicast transaction mode |
CN116633560B (en) * | 2023-06-13 | 2024-03-08 | 北京交通大学 | Privacy protection and supervision method for block chain multicast transaction mode |
CN117611330A (en) * | 2024-01-23 | 2024-02-27 | 天津金城银行股份有限公司 | Credit data processing system, method, device, equipment and medium |
CN117611330B (en) * | 2024-01-23 | 2024-04-09 | 天津金城银行股份有限公司 | Credit data processing system, method, device, equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||