CN115564434A - A zero-knowledge proof-based privacy protection method for blockchain supervision - Google Patents

Info

Publication number: CN115564434A
Authority: CN (China)
Application number: CN202211167365.4A
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 张文芳, 周磊, 王小敏
Current assignee: Southwest Jiaotong University
Original assignee: Southwest Jiaotong University


Abstract

The invention discloses a zero-knowledge proof-based privacy protection method for blockchain supervision, comprising the steps of: the system initializes the supervisor's key generation and establishes the user transaction address; the user applies to the supervisor for a resource access authorization certificate using its own identity information; transaction sending and transaction receiving; miners verify whether the transaction is legitimate and, if not, the transaction is discarded directly and the process ends; the supervisor decides whether the user's identity needs to be tracked and, if not, the process ends directly; and the supervisor decrypts the tracing data with its own encryption private key, revokes the anonymity of the transaction, and realizes identity tracing in combination with the identity tracing list IDList. The invention takes zkSNARK technology as its construction foundation, uses a cryptographic commitment mechanism to hide account balances and transaction amounts, realizes dynamic addition and revocation of user identities by having the supervisor uniformly maintain an identity authorization Merkle tree, and realizes anonymous authentication of user identities together with transaction supervision by integrating zkSNARK technology.

Description

A zero-knowledge proof-based privacy protection method for blockchain supervision

Technical field

The invention relates to the field of blockchain technology, and in particular to a zero-knowledge proof-based privacy protection method for blockchain supervision.

Background

Blockchain technology is regarded as the fifth disruptive computing paradigm, after mainframes, personal computers, the Internet and mobile social networking, and as the fourth milestone in the history of human credit, after kinship credit, precious-metal credit and central-bank banknote credit. Governments have therefore successively issued policy documents, stepped up their strategic deployment in the blockchain industry and actively embraced blockchain technology in order to seize leadership of the new generation of information technology. According to statistics, between 2019 and 2020, 24 countries worldwide issued dedicated policies or laws and regulations specifically addressing the development and supervision of the blockchain industry.

Supervisable privacy protection on the blockchain is of great significance for blockchain transactions. Existing blockchain-based transaction schemes generally share the following problem: they focus mainly on transaction fairness and data privacy and do not consider the supervisability of the data market. Supervisability is essential for a decentralized, anonymous transaction system; its absence may inadvertently provide a natural shield for criminals. Without an effective access control mechanism and a regulatory tracing mechanism, and given the anonymity of privacy-preserving applications, collecting evidence of crimes and tracking identities becomes difficult, leading to frequent security incidents. Therefore, if the privacy of the original blockchain is not improved, data leakage in certain fields may not only limit the development of blockchain technology but may even cause irreparable losses. Solutions under the account model that provide both privacy and supervisability are still in their infancy, and the existing approaches are immature and incomplete. The related research schemes are as follows:

1) An integrated encryption-signature scheme combined with zero-knowledge proofs provides audit services for private transactions, but it does not consider revoking the anonymous identity behind a suspicious private transaction, which makes tracing under the scheme difficult.

2) By introducing two entities, Identity Providers and Anonymity Revokers, the transaction process is made supervisable, but the privacy service provided by this scheme is still defective: if a user conducts multiple transactions with the same account, the link between the two transacting parties can be mined out.

In summary, solutions under the account model that provide both privacy and supervisability are still in their infancy, and none of them solves the problems above completely. Existing schemes suffer from a trade-off: those that provide full privacy cannot accommodate supervision, while those that accommodate supervision have defective privacy.

Summary of the invention

In view of the above deficiencies of the prior art, the present invention provides a zero-knowledge proof-based privacy protection method for blockchain supervision.

To achieve the above object, the present invention adopts the following technical scheme:

A zero-knowledge proof-based privacy protection method for blockchain supervision, comprising the following steps:

S1. Initialize the blockchain system and obtain the public parameters of the blockchain system, where the blockchain system comprises transacting parties and a supervisor;

S2. The supervisor generates the supervisor keys and the transacting party's user address is created; the transacting party applies to the supervisor for a resource access authorization certificate using its own identity information and initiates a transaction;

S3. Miners verify the legitimacy of the initiated transaction; if it is illegitimate, the transaction is discarded and the process ends; if it is legitimate, proceed to step S4;

S4. The supervisor decides whether to track the user identities of the two transacting parties; if not, the process ends; if so, proceed to step S5;

S5. The supervisor decrypts the tracing data with its encryption private key and revokes the anonymity of the transaction, completing the identity tracking of both parties according to the transacting party identity tracing list.

Further, the system parameters generated in S1 include the proving key and verification key used to generate the zkSNARK proofs, as well as the public parameters of the encryption and signature algorithms; the specific computation is:

Input the security parameter λ, the transaction sending constraint circuit C_send and the transaction receiving constraint circuit C_rcv, and generate the system parameters pp := (pp_enc, pp_sig, pk_send, pk_rcv, vk_send, vk_rcv), where (pk_send, vk_send) is the zero-knowledge proof proving/verification key pair of the transaction sending circuit, (pk_rcv, vk_rcv) is the zero-knowledge proof proving/verification key pair of the transaction receiving circuit, pp_enc is the public parameter of the encryption algorithm, and pp_sig is the public parameter of the signature algorithm.

Further, in S2 the specific way in which the supervisor keys are generated and the transacting party's user address is created is:

S201. Compute the supervisor's encryption key and signature key as follows:

(pk_enc,s, sk_enc,s) := K_enc(pp_enc)

(pk_sig,s, sk_sig,s) := K_sig(pp_sig)

where (pk_enc,s, sk_enc,s) is the encryption key pair and (pk_sig,s, sk_sig,s) is the signature key pair;

S202. Compute the communication key pair from the encryption and signature keys computed in S201, as follows:

(pk_enc, sk_enc) := K_enc(pp_enc)

where (pk_enc, sk_enc) := K_enc(pp_enc) is the communication key pair;

S203. Choose a random number as the address private key and choose a further random number, and compute the address public key from the address private key and the random number as follows:

a_pk := PRF(a_sk, r)

where a_sk is the address private key, r is the random number, and a_pk is the address public key;

S204. Compute the user's transaction address from the address public key as follows:

addr := CRH(a_pk)

where CRH(·) is a collision-resistant hash function.

Further, in S2 the specific way in which the transacting party applies to the supervisor for a resource access authorization certificate using its own identity information is:

S211. The user sends the address public key, a zero-knowledge proof and its own identity information to the supervisor;

S212. The supervisor verifies the validity of the user's identity and, if valid, stores the address public key and the user's identity information in the identity tracing list;

S213. For a user whose identity has been verified as valid, the supervisor computes the supervisory auxiliary information and the user authorization certificate as follows:

C_aux := ε_enc(pk_enc,s, a_pk)

Item_auth := CRH(a_pk || C_aux)

where C_aux is the supervisory auxiliary information, CRH(·) is a collision-resistant hash function, and Item_auth is the user authorization certificate;

S214. The supervisor reorganizes the identity authorization Merkle tree, updates the user authorization certificate into the identity authorization Merkle tree, and broadcasts the new identity authorization Merkle tree to the blockchain network.
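The address derivation of S203-S204, the certificate issuance of S211-S214 and the tracing step S5 of the summary, as an added example that is not the patent's own code. Assumptions: PRF is HMAC-SHA256, CRH is SHA-256, the identity-authorization tree is a plain binary hash tree, and the supervisor's public-key encryption ε_enc (which the patent leaves unspecified) is replaced by a toy keyed stream cipher so the script runs offline; the zero-knowledge proof sent in S211 is not modelled.

```python
import hashlib
import hmac
import secrets


def crh(data: bytes) -> bytes:
    """CRH(.) of the patent; SHA-256 stands in for the collision-resistant hash."""
    return hashlib.sha256(data).digest()


def prf(key: bytes, msg: bytes) -> bytes:
    """PRF(a_sk, r) of step S203; HMAC-SHA256 stands in for the pseudo-random function."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def toy_enc(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for eps_enc(pk_enc,s, .): XOR of a 32-byte plaintext with a SHA-256
    keystream under a fresh nonce. A model to keep the example offline, not a real
    cipher and not the public-key scheme the patent leaves unspecified."""
    nonce = secrets.token_bytes(16)
    keystream = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream))


def toy_dec(key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of toy_enc, used by the supervisor in step S5."""
    nonce, body = ciphertext[:16], ciphertext[16:]
    keystream = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, keystream))


def new_user_address(a_sk: bytes, r: bytes) -> tuple:
    """Steps S203-S204: a_pk := PRF(a_sk, r), addr := CRH(a_pk)."""
    a_pk = prf(a_sk, r)
    return a_pk, crh(a_pk)


def merkle_root(leaves: list) -> bytes:
    """Root of a binary hash tree over the given leaves (odd levels duplicate the
    last node). The tree shape is an assumption; the patent only says it is rebuilt."""
    level = list(leaves)
    if not level:
        return crh(b"")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [crh(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


class Supervisor:
    """Holds the supervisor's encryption key, the identity tracing list (IDList) and
    the identity-authorization Merkle tree whose root rt_aut miners check in S304."""

    def __init__(self) -> None:
        self.sk_enc_s = secrets.token_bytes(32)  # models (pk_enc,s, sk_enc,s) of S201
        self.id_list = {}                        # IDList: a_pk -> identity information
        self.leaves = []                         # Item_auth leaves, in insertion order
        self.rt_aut = merkle_root(self.leaves)

    def authorize(self, a_pk: bytes, identity: str, identity_valid: bool):
        """Steps S212-S214. Returns (C_aux, Item_auth), or None if the identity check fails."""
        if not identity_valid:
            return None
        self.id_list[a_pk] = identity                 # S212: record in IDList
        c_aux = toy_enc(self.sk_enc_s, a_pk)          # S213: C_aux := eps_enc(pk_enc,s, a_pk)
        item_auth = crh(a_pk + c_aux)                 # S213: Item_auth := CRH(a_pk || C_aux)
        self.leaves.append(item_auth)                 # S214: rebuild the tree ...
        self.rt_aut = merkle_root(self.leaves)        # ... and publish the new root
        return c_aux, item_auth

    def trace(self, c_aux: bytes):
        """Step S5: decrypt C_aux to recover a_pk and look it up in IDList."""
        a_pk = toy_dec(self.sk_enc_s, c_aux)
        return self.id_list.get(a_pk)


def demo() -> tuple:
    """Constructed walk-through: one user is authorized and later traced."""
    sup = Supervisor()
    a_sk, r = secrets.token_bytes(32), secrets.token_bytes(16)   # S203 random choices
    a_pk, addr = new_user_address(a_sk, r)
    c_aux, item_auth = sup.authorize(a_pk, "user-A (constructed identity)", True)
    return sup.trace(c_aux), addr, item_auth in sup.leaves
```

Only the supervisor holds sk_enc_s, so a miner or peer seeing C_aux on chain learns nothing about a_pk, while the supervisor can always map it back to IDList.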

Further, initiating a transaction in S2 comprises transaction sending and transaction receiving, where:

the specific way of transaction sending is: the user generates a zkSNARK zero-knowledge proof while executing the transaction sending process, and the transaction sending constraint circuit constrains the transaction process;

the specific way of transaction receiving is: after the transaction is completed, the transaction commitment is added to the transaction commitment Merkle tree of the latest block; when the transaction receiver receives the transaction, it proves that it knows the trapdoor of the transaction commitment in the block and proves the existence of the transaction commitment.

Further, verifying the legitimacy of the initiated transaction in S3 comprises legitimacy verification of transaction sending and of transaction receiving, where, if the transaction type is transaction sending, the verification is:

S301. Let tx_send := (addr_A, C_share, π_send, x, σ_m,A, pk_sig,A),

where addr_A is the transaction sender's transaction address, C_share is the asset-receiving trapdoor shared by the transaction sender and the transaction receiver, π_send is the transaction sender's zero-knowledge proof, the message is m_A := (x, π_send, pk_sig,A, C_share), σ_m,A is the signature on message m_A, and pk_sig,A is the transaction sender's signature key;

Figure BDA0003862227770000051

where rt_aut is the root of the identity authorization Merkle tree, cm_tx is the transaction commitment, the commitment shown in Figure BDA0003862227770000052 is the transaction sender's account balance commitment before the transaction, the commitment shown in Figure BDA0003862227770000053 is the transaction sender's account balance commitment after the transaction, Item_aut,A is the transaction sender's user authorization certificate, a_pk,A is the transaction sender's address public key, the value shown in Figure BDA0003862227770000054 is the transaction sender's transaction serial number, C_aux,A is the supervisor's encryption of the transaction sender's address public key, h_sig,A is the hash of the transaction sender's signature key, and h_A is the pseudo-random computation result over h_sig,A and the transaction sender's address private key a_sk,A;

S302. Verify, from the transaction sender's user address, whether the account's balance commitment equals the commitment shown in Figure BDA0003862227770000055; if not, verification fails and the verification result res = 0 is output;

S303. Verify whether the transaction sender's transaction serial number appears in the public serial number set; if so, verification fails and the verification result res = 0 is output;

S304. Verify whether rt_auth is the root of the latest identity authorization Merkle tree; if not, verification fails and the verification result res = 0 is output.

Further, if the transaction type is transaction receiving, the verification is:

S311. Let tx_send := (addr_B, x, π_rcv, σ_m,B, pk_sig,B),

where addr_B is the transaction receiver's transaction address, π_rcv is the transaction receiver's zero-knowledge proof, the message is m_B := (x, π_rcv, pk_sig,B), σ_m,B is the signature on message m_B, and pk_sig,B is the transaction receiver's signature key;

Figure BDA0003862227770000061

where rt_tx is the root of the transaction commitment Merkle tree, rt_aut is the root of the identity authorization Merkle tree, the commitment shown in Figure BDA0003862227770000062 is the transaction receiver's account balance commitment before the transaction, the commitment shown in Figure BDA0003862227770000063 is the transaction receiver's account balance commitment after the transaction, sn_v is the transaction serial number, C_aux,B is the supervisor's encryption of the transaction receiver's address public key, h_sig,B is the hash of the transaction receiver's signature key, h_B is the pseudo-random computation result over h_sig,B and the transaction receiver's address private key a_sk,B, Item_aut,B is the transaction receiver's user authorization certificate, a_pk,B is the transaction receiver's address public key, and the value shown in Figure BDA0003862227770000064 is the transaction receiver's transaction serial number;

S312. Verify, from the transaction sender's user address, whether the account's balance commitment equals the commitment shown in Figure BDA0003862227770000065; if not, verification fails and the verification result res = 0 is output;

S313. Verify whether rt_aut is the root of the latest identity authorization Merkle tree; if not, verification fails and the verification result res = 0 is output;

S314. Verify whether rt_tx appears in the ledger; if not, verification fails and the verification result res = 0 is output;

S315. After the transaction passes verification, the miner adds the published serial number to the public serial number set and, according to the information published during transaction sending and transaction receiving, updates the balance commitment of the corresponding account address to the new balance commitment.
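The miner-side checks S302-S304 and S312-S315 over constructed transactions, as an added example that is not the patent's own code. Assumptions: the zkSNARK proofs π_send / π_rcv and the signatures σ_m are taken as already verified (vk_send, vk_rcv and pk_sig are out of scope here), CRH is SHA-256, a balance commitment is modelled as cm := CRH(value || randomness), and only the fields of the public input x that the miner inspects are represented.

```python
import hashlib
from dataclasses import dataclass, field


def crh(data: bytes) -> bytes:
    """CRH(.) of the patent; SHA-256 stands in for the collision-resistant hash."""
    return hashlib.sha256(data).digest()


def commit(value: int, rand: bytes) -> bytes:
    """Model of the balance/amount commitment: the ledger stores this, never `value`."""
    return crh(value.to_bytes(8, "big") + rand)


@dataclass
class Ledger:
    """Public state a miner keeps: balance commitment per address, the public serial
    number set, the latest identity-authorization root rt_aut and the rt_tx roots seen."""
    balances: dict = field(default_factory=dict)
    serial_numbers: set = field(default_factory=set)
    rt_aut_latest: bytes = b""
    rt_tx_seen: set = field(default_factory=set)


@dataclass
class PublicInputs:
    """The part of the public input x that steps S302-S304 / S312-S314 inspect."""
    rt_aut: bytes
    cm_old: bytes            # balance commitment before the transaction
    cm_new: bytes            # balance commitment after the transaction
    sn: bytes = b""          # transaction serial number (sender side)
    rt_tx: bytes = b""       # transaction-commitment Merkle root (receiver side)


def verify_send(ledger: Ledger, addr_a: bytes, x: PublicInputs) -> int:
    """Steps S302-S304; returns res = 1 on success and res = 0 on failure."""
    if ledger.balances.get(addr_a) != x.cm_old:      # S302: stored commitment must match
        return 0
    if x.sn in ledger.serial_numbers:                # S303: serial number already spent
        return 0
    if x.rt_aut != ledger.rt_aut_latest:             # S304: proof must use the current root
        return 0
    return 1


def verify_rcv(ledger: Ledger, addr_b: bytes, x: PublicInputs) -> int:
    """Steps S312-S314; returns res = 1 on success and res = 0 on failure."""
    if ledger.balances.get(addr_b) != x.cm_old:      # S312
        return 0
    if x.rt_aut != ledger.rt_aut_latest:             # S313
        return 0
    if x.rt_tx not in ledger.rt_tx_seen:             # S314: rt_tx must appear in the ledger
        return 0
    return 1


def apply_tx(ledger: Ledger, addr: bytes, x: PublicInputs) -> None:
    """Step S315: publish the serial number and replace the balance commitment."""
    if x.sn:
        ledger.serial_numbers.add(x.sn)
    ledger.balances[addr] = x.cm_new


def demo() -> tuple:
    """Constructed walk-through: a send that passes, the same send replayed (rejected by
    S302 and S303), and a receive whose rt_tx is already in the ledger."""
    addr_a, addr_b = crh(b"addr-A"), crh(b"addr-B")
    rt_aut = crh(b"latest identity-authorization root (constructed)")
    ledger = Ledger(
        balances={addr_a: commit(100, b"r1"), addr_b: commit(5, b"r3")},
        rt_aut_latest=rt_aut,
        rt_tx_seen={crh(b"rt_tx of block n (constructed)")},
    )
    x_send = PublicInputs(rt_aut, commit(100, b"r1"), commit(60, b"r2"), sn=crh(b"sn-A-1"))
    first = verify_send(ledger, addr_a, x_send)
    if first:
        apply_tx(ledger, addr_a, x_send)
    replay = verify_send(ledger, addr_a, x_send)
    x_rcv = PublicInputs(rt_aut, commit(5, b"r3"), commit(45, b"r4"),
                         rt_tx=crh(b"rt_tx of block n (constructed)"))
    received = verify_rcv(ledger, addr_b, x_rcv)
    return first, replay, received
```

The serial number set is what turns an otherwise unlinkable commitment scheme into a double-spend check: the miner never learns the amounts, only that the same sn cannot be published twice.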

Further, in S4, a zero-knowledge proof is used to verify whether the supervisory auxiliary information was generated as required; if not, the supervisor uses its own encryption private key and the identity tracing list to trace the real identity corresponding to the account address.

The present invention has the following beneficial effects:

1. The present invention satisfies ledger non-leakage: account balances and transaction amounts are stored in the blockchain in the form of commitments, so that account balances and transaction amounts are hidden.

2. The method also provides transaction unlinkability by splitting the transaction process into two steps: first the transaction sender generates a transaction commitment, then the transaction receiver provides a proof to receive the asset. This hides the link between transactions.

3. The present invention further provides supervisability by requiring supervisory tracing information to be attached to every transaction: only transactions initiated by users authorized by the supervisor can pass verification, only the supervisor can trace the identities of the transaction participants, and a malicious user cannot initiate a transaction that the supervisor cannot trace and still pass verification. Throughout, zkSNARK technology constrains the behaviour of both transacting parties and guarantees the correctness of transaction execution.

Description of drawings

Fig. 1 is a schematic flow diagram of the zero-knowledge-proof-based supervisable blockchain privacy protection method of the present invention.

Detailed description

Specific embodiments of the invention are described below so that those skilled in the art can understand it. It should be clear that the invention is not limited to the scope of these embodiments; to those of ordinary skill in the art, variations that stay within the spirit and scope of the invention as defined by the appended claims are obvious, and every invention that makes use of the inventive concept falls within its protection.

A zero-knowledge-proof-based supervisable blockchain privacy protection method, as shown in Fig. 1, includes the following steps:

S1. Initialize the blockchain system and obtain its public parameters, where the blockchain system includes the transaction parties and a supervisor;

In this embodiment, the system parameters generated in S1 include the proving key and verification key used to generate zkSNARK proofs, together with the public parameters of the encryption and signature algorithms. They are computed as follows:

Input the security parameter λ, the transaction-sending constraint circuit C_send and the transaction-receiving constraint circuit C_rcv, and generate the system parameters pp := (pp_enc, pp_sig, pk_send, pk_rcv, vk_send, vk_rcv), where (pk_send, vk_send) is the zero-knowledge proving/verification key pair of the sending circuit, (pk_rcv, vk_rcv) is that of the receiving circuit, pp_enc are the public parameters of the encryption algorithm and pp_sig those of the signature algorithm. Specifically:

S1-1. For the circuit C_send, compute the proving/verification key pair of the sending circuit as

(pk_send, vk_send) := KeyGen(1^λ, C_send)

where λ is the input security parameter.

S1-2. For the circuit C_rcv, compute the proving/verification key pair of the receiving circuit as

(pk_rcv, vk_rcv) := KeyGen(1^λ, C_rcv)

S1-3. Compute the public parameters pp_enc of the encryption algorithm and pp_sig of the signature algorithm according to the formulas:

Figure BDA0003862227770000081

Figure BDA0003862227770000082

S2. The supervisor generates its keys and the transaction parties' user addresses are created; a transaction party applies to the supervisor for a resource access authorization certificate on the basis of its identity information and initiates a transaction;

Specifically, in this embodiment, the supervisor key is generated and a transaction party's user address is created as follows:

S201. Compute the supervisor's encryption key and signature key:

(pk_enc,s, sk_enc,s) := K_enc(pp_enc)

(pk_sig,s, sk_sig,s) := K_sig(pp_sig)

where (pk_enc,s, sk_enc,s) is the encryption key pair and (pk_sig,s, sk_sig,s) is the signature key pair;

S202. Compute the communication key pair according to the encryption and signature keys of S201:

(pk_enc, sk_enc) := K_enc(pp_enc)

where (pk_enc, sk_enc), the output of K_enc(pp_enc), is the communication key pair;

S203. Select a random number as the address private key and select a further random number, and compute the address public key from the address private key and the random number:

a_pk := PRF(a_sk, r)

where a_sk is the address private key, r is the random number and a_pk is the address public key;

S204. Compute the user's transaction address from the address public key:

addr := CRH(a_pk)

where CRH(·) is a collision-resistant hash function.

After hashing, the address public key a_pk is published as the user's account address; the address private key a_sk establishes ownership of the account, and only whoever knows the account's address private key is entitled to use the account.

A transaction party applies to the supervisor for a resource access authorization certificate on the basis of its identity information as follows:

S211. The user sends the address public key, a zero-knowledge proof and its own identity information to the supervisor;

That is, the user sends (a_pk, π_id, ID) to the supervisor, where a_pk is the user's address public key and π_id is a zero-knowledge proof guaranteeing that the user sending the message indeed holds the address private key a_sk corresponding to a_pk. Offline channels or other systems (for example, a face recognition system) may be combined here to prevent a malicious user from impersonating someone else's identity information ID.

S212. The supervisor verifies the validity of the user's identity and, if it is valid, stores the address public key a_pk and the user's identity information ID in the identity tracing list IDList;

S213. For a user whose identity is valid, the supervisor computes the supervisory auxiliary information and the user authorization certificate:

C_aux := ε_enc(pk_enc,s, a_pk)

Item_aut := CRH(a_pk || C_aux)

where C_aux is the supervisory auxiliary information, CRH(·) is the collision-resistant hash function and Item_aut is the user authorization certificate;

S214. The supervisor reorganizes the identity authorization Merkle tree, inserts the user authorization certificate into it and broadcasts the new identity authorization Merkle tree to the blockchain network. All nodes in the network verify the legitimacy of a user's identity against the latest identity authorization Merkle tree.
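As an added illustration (not the patent's own code), the address derivation of S203/S204, the authorization steps S211 to S214 and the IDList lookup of S5, in Python. CRH is instantiated as SHA-256, PRF as HMAC-SHA256, and the supervisor's public-key encryption ε_enc/D_enc is replaced by a keyed XOR stand-in so the block runs on the standard library alone; these are assumptions, as is the `pi_id_valid` flag that stands for the verdict on π_id.

```python
import hashlib
import hmac
import os


def crh(data: bytes) -> bytes:
    """CRH(.) of the scheme, instantiated here as SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()


def prf(key: bytes, msg: bytes) -> bytes:
    """PRF(key, msg) of the scheme, instantiated here as HMAC-SHA256 (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_address(a_sk: bytes, r: bytes):
    """S203/S204: a_pk := PRF(a_sk, r), addr := CRH(a_pk)."""
    a_pk = prf(a_sk, r)
    return a_pk, crh(a_pk)


# Stand-in for eps_enc / D_enc: a keyed XOR stream under one 32-byte key, so the
# block runs offline. In the real scheme eps_enc uses the supervisor's *public*
# key pk_enc,s and only the holder of sk_enc,s can decrypt.
def enc_stand_in(key: bytes, msg32: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(msg32, prf(key, nonce)))


def dec_stand_in(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, prf(key, nonce)))


class MerkleTree:
    """Identity-authorization Merkle tree; the leaves are Item_aut values."""

    def __init__(self):
        self.leaves = []

    def add(self, leaf: bytes) -> int:
        self.leaves.append(leaf)
        return len(self.leaves) - 1

    def root(self) -> bytes:
        cur = list(self.leaves)
        while len(cur) > 1:
            if len(cur) % 2:
                cur.append(cur[-1])      # duplicate the last node on odd levels
            cur = [crh(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)]
        return cur[0]

    def path(self, index: int):
        """Path(Item): (sibling, sibling_is_left) pairs from the leaf up to the root."""
        proof, cur = [], list(self.leaves)
        while len(cur) > 1:
            if len(cur) % 2:
                cur.append(cur[-1])
            sib = index ^ 1
            proof.append((cur[sib], sib < index))
            cur = [crh(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)]
            index //= 2
        return proof


def verify_path(rt_auth: bytes, item_aut: bytes, proof) -> bool:
    """What every node checks: Item_aut is a leaf under the broadcast root rt_auth."""
    node = item_aut
    for sibling, sibling_is_left in proof:
        node = crh(sibling + node) if sibling_is_left else crh(node + sibling)
    return node == rt_auth


class Supervisor:
    def __init__(self):
        self.sk_enc = os.urandom(32)   # sk_enc,s (demo key of the stand-in cipher)
        self.id_list = {}              # IDList: a_pk -> ID
        self.auth_tree = MerkleTree()  # identity-authorization Merkle tree

    def authorize(self, a_pk: bytes, pi_id_valid: bool, identity: str):
        """S211-S214; pi_id_valid stands for the verdict on the proof pi_id (assumption)."""
        if not pi_id_valid:
            raise ValueError("pi_id rejected: applicant did not prove knowledge of a_sk")
        self.id_list[a_pk] = identity                 # S212: record (a_pk, ID)
        c_aux = enc_stand_in(self.sk_enc, a_pk)       # S213: C_aux := eps_enc(pk_enc,s, a_pk)
        item_aut = crh(a_pk + c_aux)                  # S213: Item_aut := CRH(a_pk || C_aux)
        index = self.auth_tree.add(item_aut)          # S214: tree rebuilt, new root broadcast
        return c_aux, item_aut, index

    def trace(self, c_aux: bytes):
        """S5: a_pk := D_enc(sk_enc,s, C_aux), then look a_pk up in IDList."""
        return self.id_list.get(dec_stand_in(self.sk_enc, c_aux))
```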

Since a transaction involves two participants, the transaction-sending and transaction-receiving algorithms are described for the following scenario: Alice (the sender) transfers the amount v_t to Bob (the receiver).

Transaction sending:

Denote Alice's account as
Figure BDA0003862227770000101

Let Alice's address private key be a_sk,A and her address public key a_pk,A := PRF(a_sk,A, r_A), where r_A is a random number.

C_send constrains: v_t must be greater than zero, and v_t must be less than or equal to
Figure BDA0003862227770000102

Choose a random number ρ_v and compute the transaction serial number sn_v := PRF(a_sk,A, ρ_v).

Create the transaction commitment
Figure BDA0003862227770000103

Choose a random number
Figure BDA0003862227770000104
and compute the transaction serial number
Figure BDA0003862227770000105

Update the account
Figure BDA0003862227770000106

Generate (pk_sig,A, sk_sig,A) := K_sig(pp_sig).

Compute h_sig,A := CRH(pk_sig,A) and h_A := PRF(a_sk,A, h_sig,A).

Encrypt the transaction serial number under the receiver's public key pk_enc,B: C_share := ε_enc(pk_enc,B, sn_v).

Encrypt the address public key a_pk,A under the supervisor's encryption public key: C_aux,A := ε_enc(pk_enc,s, a_pk,A).

Compute Item_auth,A := CRH(a_pk,A || C_aux,A).

Compute path_auth,A := Path(Item_auth,A), which proves that Item_auth,A is a leaf of the identity authorization Merkle tree with root rt_auth.

Denote
Figure BDA0003862227770000111

and denote
Figure BDA0003862227770000112

Compute the transaction-sending zero-knowledge proof π_send := Prove(pk_send, x, W).

Let m_A := (x, pk_sig,A, π_send, C_share) and compute the signature on the message m_A:
Figure BDA0003862227770000113

Let tx_send := (addr_A, C_share, π_send, x, σ_m,A, pk_sig,A) and output tx_send.

The invention uses zkSNARK zero-knowledge proofs to guarantee the correctness of transactions. While executing the sending algorithm the user generates a zkSNARK proof π_send; the sending constraint circuit C_send mainly constrains the following:

Proof that the user is entitled to use the account, i.e. that for the account
Figure BDA0003862227770000114
the user knows the opening secret value
Figure BDA0003862227770000115
the account balance
Figure BDA0003862227770000116
and the address private key a_sk,A.

Proof that
Figure BDA0003862227770000117
sn_v,
Figure BDA0003862227770000118
and h_A were generated according to the prescribed rules.

Proof that the transaction amount v_t is greater than zero, and that v_t is less than or equal to the account balance
Figure BDA0003862227770000119

The balance change of the transacting account is legitimate.

The role of path_auth,A: it proves that the user is indeed a legitimate user authorized by the supervisor; that C_aux,A was indeed obtained by encrypting the sender's address public key a_pk,A under the supervisor's encryption public key; and that the user indeed holds the private key a_sk,A corresponding to a_pk,A, i.e. that a_pk,A := PRF(a_sk,A, r_A).

Publishing
Figure BDA0003862227770000121
in tx_send prevents double-spending. Because the miners maintain the set SNList of serial numbers sn already published, any replay of this transaction by Alice is easily detected by the miners. The algorithm uses a one-time signature scheme to guarantee the non-malleability of the zero-knowledge proof: a unique tag is generated for each transaction, so that copies of the proof in different transactions cannot be identical. The system hides the transaction amount and the receiver's public key inside the commitment cm_tx; although tx_send reveals the address of the account that initiated the transaction, the binding and hiding properties of the commitment mean that nobody can derive the amount or the counterparty from it.

Transaction receiving:

Once the tx_send transaction is complete, the transaction commitment cm_tx is added to the transaction-commitment Merkle tree of the latest block. To receive the transaction, the receiver must prove that he knows the trapdoor of some transaction commitment in a block (the latest block or an earlier one) and prove that this commitment exists.

Denote Bob's account as
Figure BDA0003862227770000122

Let Bob's address private key be a_sk,B and his address public key a_pk,B := PRF(a_sk,B, r_B), where r_B is a random number.

Scan the transaction tx_send initiated by the account address addr_A and compute
Figure BDA0003862227770000123
If the decryption
Figure BDA0003862227770000124
outputs true:

Compute
Figure BDA0003862227770000125
and check whether the result equals the value cm_tx in the transaction tx_send.

Check whether
Figure BDA0003862227770000126
exists in the transaction-commitment Merkle tree.

Check whether the transaction serial number sn_v already appears in SNList.

If all of the above checks pass, continue; otherwise, abort.

Compute path_tx := Path(cm_tx), a Merkle proof path showing that cm_tx is a leaf of the transaction-commitment Merkle tree with root rt_tx.

Choose a random number
Figure BDA0003862227770000131
and compute
Figure BDA0003862227770000132

Update the account
Figure BDA0003862227770000133

Generate
Figure BDA0003862227770000134

Compute h_sig,B := CRH(pk_sig,B) and h_B := PRF(a_sk,B, h_sig,B).

Encrypt the address public key a_pk,B under the supervisor's public key and compute
Figure BDA0003862227770000135

Compute Item_auth,B := CRH(a_pk,B || C_aux,B).

Compute path_auth,B := Path(Item_auth,B), a Merkle proof path showing that Item_auth,B is a leaf of the identity authorization Merkle tree with root rt_auth.

Denote
Figure BDA0003862227770000136

and denote
Figure BDA0003862227770000137

Compute the transaction-receiving zero-knowledge proof π_rcv := Prove(pk_rcv, x, w).

Let m_B := (x, π_rcv, pk_sig,B) and compute the signature on the message m_B:
Figure BDA00038622277700001312

Let tx_rcv := (addr_B, x, π_rcv, σ_m,B, pk_sig,B) and output tx_rcv.

The invention uses zkSNARK zero-knowledge proofs to guarantee that transactions are received correctly. While executing the receiving algorithm the user generates a zkSNARK proof π_rcv; the corresponding receiving circuit C_rcv mainly constrains the following:

Proof that the user is entitled to use the account, i.e. that for the account
Figure BDA0003862227770000138
the user knows the opening secret value
Figure BDA0003862227770000139
the account balance
Figure BDA00038622277700001310
and the address private key a_sk,B.

The balance change of the transacting account is legitimate; proof that
Figure BDA00038622277700001311
and h_B were generated according to the prescribed rules.

Proof that the receiver knows the secret value that opens the commitment cm_tx.

The address public key of the account receiving the asset is constrained to be the address public key specified in cm_tx.

The role of path_tx: to break the link between the transaction initiator and the receiver, tx_rcv does not reveal which commitment in the transaction-commitment pool is being received; but to prevent an attacker from forging a non-existent commitment, the receiver must supply a Merkle proof path showing that the received commitment cm_tx does exist in the pool.

The role of path_auth,B: it proves that the user is indeed a legitimate user authorized by the supervisor; that C_aux,B was indeed obtained by encrypting the address public key a_pk,B under the supervisor's encryption public key; and that the user indeed holds the private key a_sk,B corresponding to a_pk,B, i.e. that a_pk,B := PRF(a_sk,B, r_B).

The algorithm again uses a one-time signature scheme to guarantee the non-malleability of the zero-knowledge proof. Since every transaction is bound to a unique serial number sn_v, the used serial number is published in tx_rcv once receipt is complete, and because the system maintains the public serial-number set SNList, an attacker who replays tx_rcv after receipt is easily identified by the miners.

S3. The miners verify the legitimacy of the initiated transaction; if it is not legitimate, the transaction is discarded and the process ends; if it is legitimate, proceed to step S4;

Verifying the legitimacy of the initiated transaction in S3 covers both transaction sending and transaction receiving. If the transaction is a send, verification proceeds as follows:

S301. Let tx_send := (addr_A, C_share, π_send, x, σ_m,A, pk_sig,A),

where addr_A is the sender's transaction address, C_share is the asset-receiving trapdoor shared between sender and receiver, π_send is the sender's zero-knowledge proof, the message is m_A := (x, π_send, pk_sig,A, C_share), σ_m,A is the signature on m_A and pk_sig,A is the sender's signature key;

Figure BDA0003862227770000141

rt_auth is the root of the identity authorization Merkle tree, cm_tx is the transaction commitment,
Figure BDA0003862227770000142
is the sender's account balance commitment before the transaction,
Figure BDA0003862227770000151
is the sender's account balance commitment after the transaction, Item_aut,A is the sender's user authorization certificate, a_pk,A is the sender's public-key address,
Figure BDA0003862227770000152
is the sender's transaction serial number, C_aux,A is the encryption of the sender's address public key under the supervisor's key, h_sig,A is the hash of the sender's signature key, and h_A is the pseudorandom value computed from h_sig,A and the sender's address private key a_sk,A;

S302. Using the sender's user address, verify that the account's balance commitment is
Figure BDA0003862227770000153
If it is not, verification fails and the result res = 0 is output;

S303. Verify whether the sender's transaction serial number appears in the public serial-number set; if it does, verification fails and res = 0 is output;

S304. Verify whether rt_aut is the root of the latest identity authorization Merkle tree; if it is not, verification fails and res = 0 is output;

After the above steps, denote
Figure BDA0003862227770000154

Let m_A := (x, π_send, C_share, pk_sig,A).

Compute res := V_sig(pk_sig,A, m_A, σ_m,A),

where σ_m,A is the signature on the message m_A.

Compute res' := Verify(vk_send, x, π_send) and output res ∧ res',

where vk_send is the zero-knowledge proof verification key of the transaction-sending circuit.

If the transaction is a receive, verification proceeds as follows:

S311. Let tx_rcv := (addr_B, x, π_rcv, σ_m,B, pk_sig,B),

where addr_B is the receiver's transaction address, π_rcv is the receiver's zero-knowledge proof, the message is m_B := (x, π_rcv, pk_sig,B), σ_m,B is the signature on m_B and pk_sig,B is the receiver's signature key;

Figure BDA0003862227770000161

rt_tx is the root of the transaction-commitment Merkle tree, rt_aut is the root of the identity authorization Merkle tree,
Figure BDA0003862227770000162
is the receiver's account balance commitment before the transaction,
Figure BDA0003862227770000163
is the receiver's account balance commitment after the transaction, sn_v is the transaction serial number, C_aux,B is the encryption of the receiver's address public key under the supervisor's key, h_sig,B is the hash of the receiver's signature key, h_B is the pseudorandom value computed from h_sig,B and the receiver's address private key a_sk,B, Item_aut,B is the receiver's user authorization certificate, a_pk,B is the receiver's public-key address, and
Figure BDA0003862227770000164
is the receiver's transaction serial number;

S312. Using the user address given in the transaction, verify that the account's balance commitment is
Figure BDA0003862227770000165
If it is not, verification fails and the result res = 0 is output;

S313. Verify whether rt_auth is the root of the latest identity authorization Merkle tree; if it is not, verification fails and res = 0 is output;

S314. Verify whether rt_tx appears in the ledger; if it does not, verification fails and res = 0 is output;

After the above steps, denote
Figure BDA0003862227770000166

Let m_B := (x, π_rcv, pk_sig,B).

Compute res := V_sig(pk_sig,B, m_B, σ_m,B).

Compute res' := Verify(vk_rcv, x, π_rcv) and output res ∧ res',

where vk_rcv is the zero-knowledge proof verification key of the transaction-receiving circuit.

S315. After the transaction passes verification, the miner adds the published serial number to the public serial-number set and, using the information published during transaction sending and transaction receiving, updates the balance commitment of the corresponding account address to the new balance commitment.
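An added example, not taken from the patent, of the miner-side send verification S301 to S304 followed by the S315 state update, including the replay case discussed earlier (a serial number already present in SNList). The field layout of x, the HMAC stand-in for V_sig, the caller-supplied zkSNARK verdict standing in for Verify(vk_send, x, π_send), and the explicit check h_sig,A = CRH(pk_sig,A) are assumptions of this block.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def crh(data: bytes) -> bytes:
    """CRH(.), instantiated here as SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()


def prf(key: bytes, msg: bytes) -> bytes:
    """PRF(key, msg), instantiated here as HMAC-SHA256 (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class SendStatement:
    """Public input x of C_send; field names follow the list in S301 (layout assumed)."""
    rt_auth: bytes   # root of the identity-authorization Merkle tree the proof used
    cm_tx: bytes     # transaction commitment
    cm_old: bytes    # sender's balance commitment before the transaction
    cm_new: bytes    # sender's balance commitment after the transaction
    sn: bytes        # serial number published with this send
    c_aux: bytes     # C_aux,A, the supervisor-decryptable tracing information
    h_sig: bytes     # h_sig,A = CRH(pk_sig,A)
    h: bytes         # h_A = PRF(a_sk,A, h_sig,A)

    def encode(self) -> bytes:
        return b"".join((self.rt_auth, self.cm_tx, self.cm_old, self.cm_new,
                         self.sn, self.c_aux, self.h_sig, self.h))


@dataclass(frozen=True)
class TxSend:
    """tx_send := (addr_A, C_share, pi_send, x, sigma_m,A, pk_sig,A)."""
    addr: bytes
    c_share: bytes
    pi_send: bytes
    x: SendStatement
    sigma: bytes
    pk_sig: bytes

    def message(self) -> bytes:
        """m_A := (x, pi_send, C_share, pk_sig,A), serialised by concatenation."""
        return self.x.encode() + self.pi_send + self.c_share + self.pk_sig


def v_sig_stand_in(pk_sig: bytes, m: bytes, sigma: bytes) -> bool:
    """Stand-in for V_sig: HMAC under pk_sig treated as the key (not a real signature)."""
    return hmac.compare_digest(sigma, prf(pk_sig, m))


@dataclass
class MinerState:
    balance_cm: dict          # addr -> current balance commitment of that account
    sn_list: set              # SNList: serial numbers already published
    rt_auth_latest: bytes     # root of the latest broadcast authorization tree
    cm_tree: list = field(default_factory=list)   # leaves of the commitment tree

    def verify_send(self, tx: TxSend, verify_snark) -> bool:
        """S301-S304, then res := V_sig(...) and res' := Verify(...); True means accept."""
        x = tx.x
        if self.balance_cm.get(tx.addr) != x.cm_old:    # S302: stale or forged balance commitment
            return False
        if x.sn in self.sn_list:                         # S303: serial number already public (replay)
            return False
        if x.rt_auth != self.rt_auth_latest:             # S304: proof made against an old tree
            return False
        if x.h_sig != crh(tx.pk_sig):                    # ties the one-time key to x (assumed check)
            return False
        res = v_sig_stand_in(tx.pk_sig, tx.message(), tx.sigma)
        res_prime = verify_snark(x, tx.pi_send)          # verdict of Verify(vk_send, x, pi_send)
        return res and res_prime

    def apply_send(self, tx: TxSend) -> None:
        """S315: publish sn, move the account to its new balance commitment, store cm_tx."""
        self.sn_list.add(tx.x.sn)
        self.balance_cm[tx.addr] = tx.x.cm_new
        self.cm_tree.append(tx.x.cm_tx)


def make_demo_send(addr, cm_old, cm_new, sn, rt_auth, pk_sig) -> TxSend:
    """Constructed tx_send with placeholder commitments, proof and a fixed demo a_sk."""
    h_sig = crh(pk_sig)
    x = SendStatement(rt_auth, crh(b"cm_tx"), cm_old, cm_new, sn, crh(b"C_aux,A"),
                      h_sig, prf(b"\x0a" * 32, h_sig))
    unsigned = TxSend(addr, crh(b"C_share"), crh(b"pi_send"), x, b"", pk_sig)
    sigma = prf(pk_sig, unsigned.message())          # one-time "signature" stand-in
    return TxSend(addr, unsigned.c_share, unsigned.pi_send, x, sigma, pk_sig)
```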

S4. The supervisor decides whether to trace the identities of the two transaction parties; if not, the process ends; if so, proceed to step S5;

S5. The supervisor decrypts the tracing data with its encryption private key, revoking the anonymity of the transaction, and completes the identity tracing of both parties using the transaction-party identity tracing list.

In this embodiment, the specific method includes the following sub-steps:

Let tx_send/rcv.C_aux := ε_enc(pk_enc,s, a_pk) and compute a_pk := D_enc(sk_enc,s, C_aux). Both a receiving transaction tx_rcv and a sending transaction tx_send carry the supervisory auxiliary information C_aux, and the zero-knowledge proof guarantees that C_aux was generated as required. Hence, for a suspicious account address, the supervisor can easily recover the real identity behind the address using its own encryption private key and the identity tracing list IDList.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Specific embodiments have been used in this document to explain the principles and implementation of the invention; the description of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, those of ordinary skill in the art will, following the idea of the invention, make changes to the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the invention.

Those of ordinary skill in the art will appreciate that the embodiments described here are meant to help the reader understand the principles of the invention, and that the protection scope of the invention is not limited to these particular statements and embodiments. Those of ordinary skill in the art can, on the basis of the technical teaching disclosed here, make various other specific modifications and combinations without departing from the essence of the invention, and such modifications and combinations remain within its protection scope.

Claims (8)

1. A zero-knowledge-proof-based privacy protection method for blockchain supervision, characterized by comprising the following steps:
S1, initializing the blockchain system and obtaining its common parameters, the blockchain system comprising transacting parties and a supervisor;
S2, generating the supervisor's keys and creating the transacting-party user addresses under the supervisor; a transacting party applies to the supervisor for a resource access authorization certificate on the basis of its identity information and initiates a transaction;
S3, miners verify the validity of the initiated transaction; if it is not valid, the transaction is discarded and the process ends, and if it is valid, the process proceeds to step S4;
S4, judging whether the supervisor needs to trace the user identities of the two transacting parties; if not, the process ends, and if so, the process proceeds to step S5;
S5, the supervisor decrypts the traceback value (the supervision auxiliary information) with its encryption private key, revokes the anonymity of the transaction, and completes the identity tracing of both transacting parties according to the transacting-party identity tracing list.
2. The method of claim 1, wherein the system parameters generated in S1 comprise the proving key and verification key used to generate and verify zkSNARK proofs, together with the common parameters of the encryption and signature algorithms, computed as follows:
Input the security parameter $\lambda$, the transaction-sending constraint circuit $C_{send}$ and the transaction-receiving constraint circuit $C_{rcv}$, and generate the system parameters $pp := (pp_{enc}, pp_{sig}, pk_{send}, pk_{rcv}, vk_{send}, vk_{rcv})$, where $(pk_{send}, vk_{send})$ is the zero-knowledge proof generation/verification key pair of the transaction-sending circuit, $(pk_{rcv}, vk_{rcv})$ is the zero-knowledge proof generation/verification key pair of the transaction-receiving circuit, $pp_{enc}$ are the common parameters of the encryption algorithm and $pp_{sig}$ are the common parameters of the signature algorithm.
3. The method of claim 1, wherein generating the supervisor's keys and creating the transacting-party user address under the supervisor in S2 proceeds as follows:
S201, compute the supervisor's encryption key pair and signature key pair:
$(pk_{enc,s}, sk_{enc,s}) := K_{enc}(pp_{enc})$
$(pk_{sig,s}, sk_{sig,s}) := K_{sig}(pp_{sig})$
where $(pk_{enc,s}, sk_{enc,s})$ is the encryption key pair and $(pk_{sig,s}, sk_{sig,s})$ is the signature key pair;
S202, compute a communication key pair from the encryption key and signature key computed in S201:
$(pk_{enc}, sk_{enc}) := K_{enc}(pp_{enc})$
where $(pk_{enc}, sk_{enc})$ is the communication key pair;
S203, select a random number as the address private key and select a further random number, and compute the address public key from the address private key and the random number:
$a_{pk} := PRF(a_{sk}, r)$
where $a_{sk}$ is the address private key, $r$ is the random number and $a_{pk}$ is the address public key;
S204, compute the user's transaction address from the address public key:
$addr := CRH(a_{pk})$
where $CRH(\cdot)$ is a collision-resistant hash function.
4. The zero-knowledge-proof-based privacy protection method for blockchain supervision of claim 1, wherein the transacting party applying to the supervisor for a resource access authorization certificate on the basis of its identity information in S2 proceeds as follows:
S211, the user sends its address public key, a zero-knowledge proof and its identity information to the supervisor;
S212, the supervisor verifies the validity of the user's identity and, if the verification passes, stores the user's address public key and identity information in the identity tracing list;
S213, for a user whose identity has been validated, the supervisor computes the supervision auxiliary information and the user authorization certificate as follows:
$C_{aux} := \varepsilon_{enc}(pk_{enc,s}, a_{pk})$
$Item_{auth} := CRH(a_{pk} \| C_{aux})$
where $C_{aux}$ is the supervision auxiliary information, $CRH(\cdot)$ is a collision-resistant hash function and $Item_{auth}$ is the user authorization certificate;
S214, the supervisor rebuilds the identity-authorization Merkle tree, adds the user authorization certificate to it, and broadcasts the new identity-authorization Merkle tree to the blockchain network.
5. The method of claim 1, wherein initiating a transaction in S2 comprises transaction sending and transaction receiving, wherein
transaction sending proceeds as follows: the user generates a zkSNARK zero-knowledge proof while executing the transaction sending, and the transaction-sending constraint circuit is used to constrain the transaction process;
transaction receiving proceeds as follows: after the transaction is completed, the transaction commitment is added to the transaction commitment Merkle tree of the latest block, and when the transaction receiver receives the transaction it proves that it knows the trapdoor of the transaction commitment in the block and proves that the transaction commitment exists.
6. The method of claim 1, wherein verifying the validity of the initiated transaction in S3 comprises validity verification of transaction sending and of transaction receiving; if the transaction type is transaction sending, the verification proceeds as follows:
S301, let $tx_{send} := (addr_A, C_{share}, \pi_{send}, x, \sigma_{m,A}, pk_{sig,A})$,
where $addr_A$ is the transaction address of the sender, $C_{share}$ is the asset-receiving trapdoor shared by the sender and the receiver, $\pi_{send}$ is the zero-knowledge proof of transaction sending, $m_A := (x, \pi_{send}, pk_{sig,A}, C_{share})$ is the message, $\sigma_{m,A}$ is the signature on $m_A$, and $pk_{sig,A}$ is the sender's signature key;
[equation image FDA0003862227760000041 not reproduced]
$rt_{auth}$ is the root of the identity-authorization Merkle tree, $cm_{tx}$ is the transaction commitment,
[equation image FDA0003862227760000042 not reproduced]
is the sender's account balance commitment before the transaction,
[equation image FDA0003862227760000043 not reproduced]
is the sender's account balance commitment after the transaction, $Item_{auth,A}$ is the sender's user authorization certificate, $a_{pk,A}$ is the sender's address public key,
[equation image FDA0003862227760000044 not reproduced]
is the sender's transaction serial number, $C_{aux,A}$ is the encryption of the sender's address public key for the supervisor, $h_{sig,A}$ is the hash of the sender's signature key, and $h_A$ is the pseudo-random computation over $h_{sig,A}$ and the sender's address private key $a_{sk,A}$;
S302, verify whether the account balance commitment before the transaction equals
[equation image FDA0003862227760000045 not reproduced]
and if not, verification fails and the result res = 0 is output;
S303, verify whether the sender's transaction serial number appears in the public serial-number set; if so, verification fails and the result res = 0 is output;
S304, verify whether $rt_{auth}$ is the root of the latest identity-authorization Merkle tree; if not, verification fails and the result res = 0 is output.
7. The method of claim 6, wherein if the transaction type is transaction receiving, the verification proceeds as follows:
S311, let $tx_{rcv} := (addr_B, x, \pi_{rcv}, \sigma_{m,B}, pk_{sig,B})$,
where $addr_B$ is the transaction address of the receiver, $\pi_{rcv}$ is the zero-knowledge proof of transaction receiving, $m_B := (x, \pi_{rcv}, pk_{sig,B})$ is the message, $\sigma_{m,B}$ is the signature on $m_B$, and $pk_{sig,B}$ is the receiver's signature key;
[equation image FDA0003862227760000046 not reproduced]
$rt_{tx}$ is the root of the transaction commitment Merkle tree, $rt_{auth}$ is the root of the identity-authorization Merkle tree,
[equation image FDA0003862227760000047 not reproduced]
is the receiver's account balance commitment before the transaction,
[equation image FDA0003862227760000051 not reproduced]
is the receiver's account balance commitment after the transaction, $sn_v$ is a transaction serial number, $C_{aux,B}$ is the encryption of the receiver's address public key for the supervisor, $h_{sig,B}$ is the hash of the receiver's signature key, $h_B$ is the pseudo-random computation over $h_{sig,B}$ and the receiver's address private key $a_{sk,B}$, $Item_{auth,B}$ is the receiver's user authorization certificate, $a_{pk,B}$ is the receiver's address public key, and
[equation image FDA0003862227760000052 not reproduced]
is the receiver's transaction serial number;
S312, verify whether the account balance commitment before the transaction equals
[equation image FDA0003862227760000053 not reproduced]
and if not, verification fails and the result res = 0 is output;
S313, verify whether $rt_{auth}$ is the root of the latest identity-authorization Merkle tree; if not, verification fails and the result res = 0 is output;
S314, verify whether $rt_{tx}$ appears in the ledger; if not, verification fails and the result res = 0 is output;
S315, after the transaction passes verification, the miners add the published serial numbers to the public serial-number set and, according to the information published during transaction sending and transaction receiving, update the balance commitments of the corresponding account addresses to the new balance commitments.
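What a miner actually checks against ledger state in claims 6 and 7 (S302 to S304 for sending, S312 to S315 for receiving), as an added example in Go; this is not code from the patent. The zkSNARK proofs pi_send and pi_rcv and the arithmetic they prove are not modelled, so the block covers only the stateful checks: the pre-transaction balance commitment must equal the one the ledger holds for the address, rt_auth must be the latest identity-authorization root, a sender's serial number must not already be in the public set, a receiver's rt_tx must be recorded in the ledger, and after acceptance the serial number is published and the balance commitment replaced. Assumptions the claims do not fix: CRH is SHA-256, signatures are Ed25519, the signed message m is the serialized public input x, and the miner checks h_sig = CRH(pk_sig) so that the published signing key is the one bound into x; the Merkle tree is a plain binary hash tree, and the names Ledger, PublicInput, Tx, SignTx, Verify and Apply are mine.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// CRH stand-in (assumption, not the patent's choice): SHA-256 over the concatenated inputs.
func CRH(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// MerkleRoot hashes a non-empty leaf list into a binary tree root (domain byte 0 for leaves, 1 for inner nodes; last node duplicated on odd levels).
func MerkleRoot(leaves [][]byte) []byte {
	level := [][]byte{}
	for _, l := range leaves {
		level = append(level, CRH([]byte{0}, l))
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		next := [][]byte{}
		for i := 0; i < len(level); i += 2 {
			next = append(next, CRH([]byte{1}, level[i], level[i+1]))
		}
		level = next
	}
	return level[0]
}

// Ledger is the state miners consult: latest rt_auth, recorded rt_tx roots, the public serial-number set, and hex(addr) -> current balance commitment.
type Ledger struct{ RtAuth []byte; TxRoots, Serials map[string]bool; Balances map[string][]byte }

// PublicInput is the part of x read by the ledger-side checks (RtTx is only set when receiving).
type PublicInput struct{ RtAuth, RtTx, CmOld, CmNew, Sn, HSig []byte }

func (x PublicInput) Bytes() []byte {
	return bytes.Join([][]byte{x.RtAuth, x.RtTx, x.CmOld, x.CmNew, x.Sn, x.HSig}, nil)
}

// Tx carries the fields of tx_send / tx_rcv used here: addr, sigma_m, x and pk_sig; the zkSNARK proof is not modelled.
type Tx struct{ Addr, Sig []byte; X PublicInput; PkSig ed25519.PublicKey }

// SignTx is the transacting party's side: m is the serialized x (assumption) and sigma_m = Sign(sk_sig, m).
func SignTx(sk ed25519.PrivateKey, addr []byte, x PublicInput) Tx {
	msg := x.Bytes()
	return Tx{Addr: addr, Sig: ed25519.Sign(sk, msg), X: x, PkSig: sk.Public().(ed25519.PublicKey)}
}

// Verify runs the ledger-side checks: S302-S304 for a sending transaction, S312-S314 for a receiving one;
// false corresponds to res = 0. The signature and h_sig checks bind the published signing key to x.
func (l *Ledger) Verify(tx Tx, receiving bool) (bool, string) {
	if !ed25519.Verify(tx.PkSig, tx.X.Bytes(), tx.Sig) {
		return false, "signature does not verify over the public inputs"
	}
	if !bytes.Equal(tx.X.HSig, CRH(tx.PkSig)) {
		return false, "h_sig is not the hash of pk_sig"
	}
	if !bytes.Equal(l.Balances[hex.EncodeToString(tx.Addr)], tx.X.CmOld) {
		return false, "pre-transaction balance commitment differs from the ledger" // S302 / S312
	}
	if !bytes.Equal(tx.X.RtAuth, l.RtAuth) {
		return false, "rt_auth is not the latest identity-authorization root" // S304 / S313
	}
	if !receiving && l.Serials[hex.EncodeToString(tx.X.Sn)] {
		return false, "serial number already in the public set" // S303
	}
	if receiving && !l.TxRoots[hex.EncodeToString(tx.X.RtTx)] {
		return false, "rt_tx does not appear in the ledger" // S314
	}
	return true, "ok"
}

// Apply is S315: publish the serial number and move the address to its new balance commitment.
func (l *Ledger) Apply(tx Tx) {
	l.Serials[hex.EncodeToString(tx.X.Sn)] = true
	l.Balances[hex.EncodeToString(tx.Addr)] = tx.X.CmNew
}

func main() {
	_, sk, _ := ed25519.GenerateKey(rand.Reader)
	addrA, cmOld := CRH([]byte("a_pk,A")), CRH([]byte("v=100"), []byte("r1")) // constructed sample values
	l := &Ledger{RtAuth: MerkleRoot([][]byte{CRH([]byte("Item_auth,A"))}), TxRoots: map[string]bool{}, Serials: map[string]bool{}, Balances: map[string][]byte{hex.EncodeToString(addrA): cmOld}}
	x := PublicInput{RtAuth: l.RtAuth, CmOld: cmOld, CmNew: CRH([]byte("v=60"), []byte("r2")), Sn: CRH([]byte("sn_A")), HSig: CRH(sk.Public().(ed25519.PublicKey))}
	tx := SignTx(sk, addrA, x)
	fmt.Println(l.Verify(tx, false)) // accepted
	l.Apply(tx)
	fmt.Println(l.Verify(tx, false)) // rejected: the ledger's balance commitment moved on and sn_A is now public
}
```

Replaying an accepted sending transaction fails twice over: S302 no longer matches because the ledger now holds the new balance commitment, and S303 finds the serial number in the public set. A receiving transaction whose rt_tx has not been recorded is rejected until the corresponding commitment tree root appears in the ledger (S314).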
8. The zero-knowledge-proof-based privacy protection method for blockchain supervision of claim 1, wherein in S5 it is verified by zero-knowledge proof whether the supervision auxiliary information was generated as required, and if this cannot be established, the supervisor uses its own encryption private key to determine whether the identity corresponding to the traced account address in the identity tracing list is genuine.
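The supervisor-side steps of claims 3, 4 and 8 carried through in Go, as an added example that is not the patent's own code: address derivation (S203/S204), registration with issuance of the supervision auxiliary information and the authorization certificate (S212/S213), and the de-anonymization of S5 (decrypt C_aux with sk_enc,s and look the recovered a_pk up in the identity tracing list). Assumptions, since the claims leave the primitives abstract: CRH is SHA-256, PRF_{a_sk}(r) is CRH(a_sk || r), and E_enc is X25519 key agreement with AES-256-GCM; the zero-knowledge proof of S211 and the identity check of S212 are not modelled (the check is reduced to a non-empty identity string). The consistency check in Trace, that the decrypted a_pk and C_aux hash to the published Item_auth, is my reading of claim 8's requirement that the auxiliary information be shown to be generated as required. The names Supervisor, Authorize and Trace are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Primitive stand-ins (assumptions, not the patent's choices): CRH is SHA-256 over the
// concatenated inputs, PRF_k(r) is CRH(k || r), and E_enc is X25519 ECDH + AES-256-GCM.
func CRH(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aeadFor derives the AES-256-GCM key from an X25519 shared secret.
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// EncryptToSupervisor computes C_aux := E_enc(pk_enc,s, a_pk) as ephemeral X25519 public key (32) || nonce (12) || AES-GCM ciphertext+tag, with the ephemeral key as associated data.
func EncryptToSupervisor(pkEncS, aPk []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(must(ecdh.X25519().NewPublicKey(pkEncS))))
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	ephPub := eph.PublicKey().Bytes()
	ct := aeadFor(shared).Seal(nil, nonce, aPk, ephPub)
	return append(append(append([]byte{}, ephPub...), nonce...), ct...)
}

// Supervisor holds sk_enc,s from S201 and the identity tracing list of S212 (hex(a_pk) -> identity information).
type Supervisor struct {
	encPriv *ecdh.PrivateKey
	tracing map[string]string
}

func NewSupervisor() *Supervisor {
	return &Supervisor{encPriv: must(ecdh.X25519().GenerateKey(rand.Reader)), tracing: map[string]string{}}
}

// Authorize is S212-S213: record (a_pk, identity) in the tracing list, then compute
// C_aux := E_enc(pk_enc,s, a_pk) and Item_auth := CRH(a_pk || C_aux). The identity
// validity check of S212 is reduced to "non-empty" here (assumption).
func (s *Supervisor) Authorize(aPk []byte, identity string) (cAux, itemAuth []byte, err error) {
	if identity == "" {
		return nil, nil, errors.New("identity verification failed")
	}
	s.tracing[hex.EncodeToString(aPk)] = identity
	cAux = EncryptToSupervisor(s.encPriv.PublicKey().Bytes(), aPk)
	return cAux, CRH(aPk, cAux), nil
}

// Trace is S5: decrypt C_aux with sk_enc,s (tampering fails the AES-GCM tag), check that it is the C_aux bound into the published Item_auth, then look a_pk up in the tracing list.
func (s *Supervisor) Trace(cAux, itemAuth []byte) (string, error) {
	if len(cAux) < 32+12+16 {
		return "", errors.New("C_aux too short")
	}
	shared, err := s.encPriv.ECDH(must(ecdh.X25519().NewPublicKey(cAux[:32]))) // exactly 32 bytes: cannot fail
	if err != nil {
		return "", err
	}
	aPk, err := aeadFor(shared).Open(nil, cAux[32:44], cAux[44:], cAux[:32])
	if err != nil {
		return "", err
	}
	if !hmac.Equal(CRH(aPk, cAux), itemAuth) {
		return "", errors.New("C_aux is not the one bound into Item_auth")
	}
	id, ok := s.tracing[hex.EncodeToString(aPk)]
	if !ok {
		return "", errors.New("recovered a_pk is not in the identity tracing list")
	}
	return id, nil
}

func main() {
	sup := NewSupervisor()
	aPk := CRH([]byte("a_sk of party A (constructed)"), []byte("r (constructed)")) // S203: a_pk := PRF(a_sk, r)
	cAux, item, _ := sup.Authorize(aPk, "party A (constructed identity)")
	fmt.Printf("addr=%x\n", CRH(aPk)) // S204: addr := CRH(a_pk)
	fmt.Println(sup.Trace(cAux, item))
}
```

Any byte changed in C_aux fails the AES-GCM tag; a well-formed C_aux that is not the one hashed into Item_auth is rejected; and an address public key that never registered in S212 is not traced even though its C_aux decrypts. The identity-authorization Merkle tree of S214 is not rebuilt here; Item_auth is returned to the caller.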
Application number: CN202211167365.4A
Priority date: 2022-09-23
Filing date: 2022-09-23
Publication: CN115564434A, 2023-01-03 (pending)
Family ID: 84742474
Country status: CN, CN115564434A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115906183A (en) * 2023-01-06 2023-04-04 南京理工大学 Auditable and traceable block chain privacy protection system and method
CN115829754A (en) * 2023-02-16 2023-03-21 之江实验室 Privacy protection block chain oriented transaction supervision method and device
CN115860750A (en) * 2023-02-27 2023-03-28 国网江西省电力有限公司信息通信分公司 A privacy protection method for electric vehicle power transaction identity authentication
CN115860750B (en) * 2023-02-27 2023-05-30 国网江西省电力有限公司信息通信分公司 A privacy protection method for electric vehicle power transaction identity authentication
CN116432204A (en) * 2023-04-20 2023-07-14 兰州理工大学 Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof
CN116432204B (en) * 2023-04-20 2023-11-17 兰州理工大学 Supervision transaction privacy protection method based on homomorphic encryption and zero knowledge proof
CN116633560A (en) * 2023-06-13 2023-08-22 北京交通大学 A privacy protection and supervision method for blockchain multicast transaction mode
CN116633560B (en) * 2023-06-13 2024-03-08 北京交通大学 A privacy protection and supervision method for blockchain multicast transaction mode
CN117611330A (en) * 2024-01-23 2024-02-27 天津金城银行股份有限公司 Credit data processing system, method, device, equipment and medium
CN117611330B (en) * 2024-01-23 2024-04-09 天津金城银行股份有限公司 Credit data processing system, method, device, equipment and medium

Similar Documents

Publication Publication Date Title
Bera et al. Designing blockchain-based access control protocol in IoT-enabled smart-grid system
Irshad et al. A provably secure and efficient authenticated key agreement scheme for energy internet-based vehicle-to-grid technology framework
CN115564434A (en) A zero-knowledge proof-based privacy protection method for blockchain supervision
Bojjagani et al. Secure authentication and key management protocol for deployment of Internet of Vehicles (IoV) concerning intelligent transport systems
CN109309565B (en) Security authentication method and device
CN109862046B (en) Traceable anonymous method in alliance chain
CN111563261A (en) Privacy protection multi-party computing method and system based on trusted execution environment
KR101634158B1 (en) Method for authenticating identity and generating share key
Das et al. AI-envisioned blockchain-enabled signature-based key management scheme for industrial cyber–physical systems
CN107911216A (en) Block chain transaction privacy protection method and system
CN113301022B (en) Internet of things equipment identity security authentication method based on block chain and fog calculation
WO2021228239A1 (en) Asset type consistency evidence generation method and system, transaction method and system, and transaction verification method and system
CN113360943B (en) Block chain privacy data protection method and device
WO2018153486A1 (en) Method for signing a new block in a decentralized blockchain consensus network
WO2024093426A1 (en) Federated machine learning-based model training method and apparatus
Jan et al. A verifiably secure ECC based authentication scheme for securing IoD using FANET
CN109741068A (en) Internetbank inter-bank contracting method, apparatus and system
CN109728896A (en) Incoming call authentication and source tracing method and process based on block chain
CN112231769A (en) Block chain-based numerical verification method and device, computer equipment and medium
CN111355591A (en) Block chain account safety management method based on real-name authentication technology
Dwivedi et al. Design of blockchain and ECC-based robust and efficient batch authentication protocol for vehicular ad-hoc networks
Anikin et al. Symmetric encryption with key distribution based on neural networks
Akram et al. Blockchain-based privacy-preserving authentication protocol for UAV networks
CN113569263A (en) Secure processing method and device for cross-private-domain data and electronic equipment
CN110866754A (en) A pure software DPVA identity authentication method based on dynamic password

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination