CN116015592A - Homomorphic encryption system meeting zero knowledge proof - Google Patents


Publication number: CN116015592A
Application number: CN202211447692.5A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 谢敏, 房春朋, 裴庆祺, 肖阳, 马立川
Current assignee: Guangzhou Lianrong Information Technology Co ltd; Xidian University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Guangzhou Lianrong Information Technology Co ltd; Xidian University
Application filed by Guangzhou Lianrong Information Technology Co ltd and Xidian University; priority to CN202211447692.5A; publication of CN116015592A.


Abstract

The invention relates to a homomorphic encryption system that satisfies zero-knowledge proof, comprising: a first terminal obtains a first ciphertext of the data according to the K-Elgamal algorithm and the public key of a second terminal, obtains a second ciphertext of the data according to the K-Elgamal algorithm and the public key of a supervision terminal, constructs a verification parameter for the data according to the M-Pedersen commitment, the public key of the second terminal and the public key of the supervision terminal, sends the first ciphertext to the second terminal, sends the second ciphertext to the supervision terminal, and uploads the verification parameter to the blockchain platform; the second terminal decrypts the first ciphertext with its private key to obtain the data; the supervision terminal decrypts the second ciphertext with its private key to obtain the data; and the blockchain platform performs equality verification on the first ciphertext, the second ciphertext and the verification parameter: if the verification passes, the blockchain platform records the data transmitted between the first terminal and the second terminal, and if it does not pass, the blockchain platform does not record the data.

Description

Homomorphic encryption system meeting zero knowledge proof
Technical Field
The invention belongs to the technical field of privacy data protection algorithms, and relates to a homomorphic encryption system meeting zero knowledge proof.
Background
In the big data age the value of data is growing rapidly, and its ties to national security, social development and personal legal rights are tightening. Data circulation is an important link in releasing that value, but with the rapid development of the internet the leakage of private data has become more and more serious. Homomorphic encryption is a special mode of encryption in which a computing party can operate directly on ciphertext, and the decrypted result equals the result of performing the same computation on the plaintext. It lets the participating parties compute without holding the key, and intermediate results need not be decrypted during the computation, which avoids high computational cost. Ciphertexts taking part in the computation need not be sent to the key holder, which reduces communication cost, and a distributed computing task can be spread across several participants to balance the load. The data consumer obtains only the final result of the ciphertext computation and learns nothing about the intermediate computation or the intermediate ciphertexts, which improves the security and privacy of the data. Existing transaction privacy-protection schemes based on homomorphic encryption suffer from low verification rates and easy data leakage, and it is difficult to find a reasonable balance between openness and confidentiality, which reduces fairness and reliability in practice and hinders the development of privacy-protection technology. A zero-knowledge proof can prove the legitimacy of data to others.
One of the most important techniques for constructing zero-knowledge proof systems and designing other security protocols is the commitment, in which the committer first makes a commitment to others and, in a later verification stage, proves that the commitment has been honoured, much like a promise in everyday life. Briefly, a commitment protocol is a two-phase protocol between two parties. In the commitment phase the committer commits to a message v and sends the commitment to the verifier, while ensuring that the verifier learns nothing about v. In the opening phase the committer reveals v and proves that it is consistent with the commitment made earlier and has not been tampered with. A commitment protocol has two basic properties, hiding and binding. Hiding means that nobody other than the committer can learn anything about the committed message v from the commitment made in the commitment phase. Binding means that in the opening phase nobody can open the commitment to a message other than v and pass verification. Combining homomorphic encryption with zero-knowledge proofs can address the problem that data is abused and cannot be supervised or verified.
From the above analysis, the problems and defects of the prior art are as follows: in daily applications homomorphic encryption algorithms are widely used in many large-scale scenarios because of their low computational complexity and good performance, but encrypted data is invisible, so data abuse occurs and supervision and verification are impossible; existing partially homomorphic encryption algorithms cannot perform data supervision or zero-knowledge equality verification.
Disclosure of Invention
To overcome the problems in the related art, embodiments of the present disclosure provide a homomorphic encryption system that satisfies zero knowledge proof. The technical scheme is as follows:
according to a first aspect of embodiments of the present disclosure, there is provided a homomorphic encryption system that satisfies zero knowledge proof, comprising:
the first terminal is used for acquiring a first ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the second terminal;
the first terminal is further used for obtaining a second ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the supervision terminal;
the first terminal is further configured to construct a verification parameter corresponding to the data according to the M-Pedersen commitment, the public key corresponding to the second terminal, and the public key corresponding to the supervision terminal;
the first terminal is further configured to send the first ciphertext to a second terminal, send the second ciphertext to the supervision terminal, and upload the verification parameter to a blockchain platform;
the second terminal is used for decrypting the first ciphertext according to a private key corresponding to the second terminal to obtain the data;
the supervision terminal is used for decrypting the second ciphertext according to a private key corresponding to the supervision terminal to obtain the data;
and the blockchain platform is used for carrying out equality verification according to the first ciphertext, the second ciphertext and the verification parameter, if the verification is passed, the blockchain platform records the data transmitted between the first terminal and the second terminal, and if the verification is not passed, the blockchain platform does not record the data transmitted between the first terminal and the second terminal.
In one embodiment,
the second terminal generates its public key according to the formula
$\beta_1 = h^{a_1} \bmod q$;
the supervision terminal generates its public key according to the formula
$\beta_2 = h^{a_2} \bmod q$;
wherein $\beta_1$ is the public key corresponding to the second terminal; $a_1$ is the private key corresponding to the second terminal; $\beta_2$ is the public key corresponding to the supervision terminal; $a_2$ is the private key corresponding to the supervision terminal; $(g, h, q)$ are the system parameters, $q$ is a random prime number, the $q$-order finite field $Z_q$ is constructed from $q$, and $g$ and $h$ are generators of $Z_q^*$, the multiplicative group of $Z_q$; $a_1$ is a random integer with $a_1 < q$; $a_2$ is a random integer with $a_2 < q$.
In one embodiment,
the first terminal obtains the ciphertext according to the following formulas:
$y_{1i} = g^{k_{1i}} \beta_i^{k_{2i}} \bmod q$
$y_{2i} = M \beta_i^{k_{1i}} \bmod q$
$y_{3i} = h^{k_{1i}} \bmod q$
wherein $M$ is the data;
when $i = 1$, $(y_{11}, y_{21}, y_{31})$ is the first ciphertext, and $k_{11}, k_{21} \in Z_{q-1}$ with $\gcd(k_{11}, q-1) = 1$ and $\gcd(k_{21}, q-1) = 1$ are the first random numbers;
when $i = 2$, $(y_{12}, y_{22}, y_{32})$ is the second ciphertext, and $k_{12}, k_{22} \in Z_{q-1}$ with $\gcd(k_{12}, q-1) = 1$ and $\gcd(k_{22}, q-1) = 1$ are the second random numbers.
In one embodiment,
the second terminal obtains the data according to
$M = y_{21} \cdot (y_{31}^{a_1})^{-1} \bmod q$;
the supervision terminal obtains the data according to
$M = y_{22} \cdot (y_{32}^{a_2})^{-1} \bmod q$.
In one embodiment,
the first terminal is further configured to commit to the data, obtaining:
(first commitment: equation image not extracted)
(second commitment: equation image not extracted)
wherein $b_1$, $d_1$, $b_2$ and $d_2$ are third random numbers and $M$ is the data;
the first terminal is further configured to calculate $t_1$ and $t_2$ according to the following formulas:
(equation for $t_1$: image not extracted)
(equation for $t_2$: image not extracted)
wherein $r_1$, $r_2$ and $r_3$ are second random numbers;
the first terminal is further configured to hash $\beta_1, \beta_2, t_1, t_2, y_{21}, y_{22}$ with a first hash function to obtain a hash value $c_1$;
the first terminal is further configured to calculate $s_1$, $s_2$ and $s_3$ according to the following formulas:
(equation for $s_1$: image not extracted)
$s_2 = r_2 + c_1 d_1$
$s_3 = r_3 + c_1 d_2$
the first terminal is further configured to obtain the verification parameter $(t_1, t_2, s_1, s_2, s_3)$ from $t_1, t_2, s_1, s_2, s_3$.
In one embodiment,
the blockchain platform is further configured to, upon receipt of $(y_{11}, y_{21}, y_{31})$, $(y_{12}, y_{22}, y_{32})$ and $(t_1, t_2, s_1, s_2, s_3)$, hash $\beta_1, \beta_2, t_1, t_2, y_{21}, y_{22}$ with the first hash function to obtain a hash value $c_2$;
the blockchain platform is further configured to detect, from $c_2$, $(y_{11}, y_{21}, y_{31})$, $(y_{12}, y_{22}, y_{32})$ and $(t_1, t_2, s_1, s_2, s_3)$, whether a first verification equation holds, and if it holds, to determine that the verification passes.
In one embodiment, the first verification equation comprises:
(first verification equation: image not extracted)
(second verification equation: image not extracted)
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram of a homomorphic encryption system satisfying zero knowledge proof according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to specific examples, but embodiments of the present invention are not limited thereto.
The problems and defects of the prior art are as follows: in daily applications homomorphic encryption algorithms are widely used in many large-scale scenarios because of their low computational complexity and good performance, but encrypted data is invisible, so data abuse occurs and supervision and verification are impossible; existing partially homomorphic encryption algorithms cannot perform data supervision or zero-knowledge equality verification.
The difficulty in solving these problems is: how to ensure the security of the data during homomorphic encryption and computation, and how to combine commitment techniques with a homomorphic encryption algorithm to verify the legitimacy of data circulation, that is, to verify that ciphertexts produced under different public keys contain the same information.
The significance of solving them is: homomorphic encryption can hide secret data and compute on it in ciphertext form, and zero-knowledge proofs can verify the legitimacy of the data's circulation. Because the data is encrypted, computed on and stored as ciphertext, no specific data is revealed even if a computation result is stolen, so the data is protected both in computation and in transmission. A privacy-protection algorithm that satisfies zero-knowledge proof can produce zero-knowledge evidence of the validity of the encrypted data; data that passes verification is stored and data that fails is refused, which removes the opportunity for malicious tampering and misuse and reduces the risk of disclosing user privacy. Constructing a privacy-protection algorithm that supports both zero-knowledge proof and homomorphic encryption therefore has practical significance and broad application.
Referring to fig. 1, fig. 1 is a schematic diagram of a homomorphic encryption system satisfying zero knowledge proof according to an embodiment of the invention, the system includes:
the first terminal is used for acquiring a first ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the second terminal;
the first terminal is also used for acquiring a second ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the supervision terminal;
the first terminal is also used for constructing verification parameters corresponding to the data according to the M-Pedersen promise, the public key corresponding to the second terminal and the public key corresponding to the supervision terminal;
the first terminal is also used for sending the first ciphertext to the second terminal, sending the second ciphertext to the supervision terminal and uploading the verification parameters to the blockchain platform;
the second terminal is used for decrypting the first ciphertext according to the private key corresponding to the second terminal to obtain data;
the supervision terminal is used for decrypting the second ciphertext according to the private key corresponding to the supervision terminal to obtain data;
and the blockchain platform is used for carrying out equality verification according to the first ciphertext, the second ciphertext and the verification parameter; if the verification is passed, the blockchain platform records the data transmitted between the first terminal and the second terminal, and if the verification is not passed, the blockchain platform does not record the data transmitted between the first terminal and the second terminal.
The K-Elgamal algorithm consists of four parts: system parameters, key generation algorithms, encryption algorithms, and decryption algorithms.
When the algorithm is applied, own system parameters are necessarily generated in the application design, the system parameters cannot be modified after being set, and the system parameters remain unchanged in the whole application process. The generation process of the system parameters is as follows:
1. System parameters:
A prime number $q$ is chosen at random and the $q$-order finite field $Z_q$ is constructed; $g$ and $h$ are generators of $Z_q^*$ (the multiplicative group of $Z_q$). $(g, h, q)$ is used as the system parameters.
2. Key generation algorithm:
After obtaining the system parameters, each decrypting party (e.g. the second terminal and the supervising terminal) generates its own public-private key pair from them; in one implementation this follows the formula
$\beta_i = h^{a_i} \bmod q$
which yields the public key of each decrypting party,
wherein $\beta_i$ is the public key of the $i$-th decrypting party, $a_i$ is a random integer chosen by the $i$-th decrypting party with $a_i < q$, and the private key of the $i$-th decrypting party is $sk_i = a_i$.
Specifically, the public and private keys of the second terminal are generated as follows: a random integer $a_1$ ($a_1 < q$) is selected, and
$\beta_1 = h^{a_1} \bmod q$
is computed with the system parameters $(g, h, q)$; $a_1$ becomes the private key of the second terminal, $sk_1 = a_1$, and $\beta_1$ its public key, $pk_1 = \beta_1$.
The public and private keys of the supervision terminal are generated as follows: a random integer $a_2$ ($a_2 < q$) is selected, and
$\beta_2 = h^{a_2} \bmod q$
is computed with the system parameters $(g, h, q)$; $a_2$ becomes the private key of the supervision terminal, $sk_2 = a_2$, and $\beta_2$ its public key, $pk_2 = \beta_2$.
3. Encryption algorithm:
For each decrypting party, first random numbers $k_{1i}, k_{2i} \in Z_{q-1}$ with $\gcd(k_{1i}, q-1) = 1$ and $\gcd(k_{2i}, q-1) = 1$ are selected, and the ciphertext $(y_{1i}, y_{2i}, y_{3i})$ is computed as
$y_{1i} = g^{k_{1i}} \beta_i^{k_{2i}} \bmod q$
$y_{2i} = M \beta_i^{k_{1i}} \bmod q$
$y_{3i} = h^{k_{1i}} \bmod q$
wherein $k_{1i}$ and $k_{2i}$ are the random numbers selected for the $i$-th decrypting party, $M$ is the plaintext data, $(y_{1i}, y_{2i})$ is the data used for the zero-knowledge proof, and $(y_{2i}, y_{3i})$ is the data used for decryption.
Specifically, first random numbers $k_{11}$ and $k_{21}$ are selected for the second terminal, with $k_{11}, k_{21} \in Z_{q-1}$, $\gcd(k_{11}, q-1) = 1$ and $\gcd(k_{21}, q-1) = 1$, and the first ciphertext $(y_{11}, y_{21}, y_{31})$ is computed;
second random numbers $k_{12}$ and $k_{22}$ are selected for the supervising terminal, with $k_{12}, k_{22} \in Z_{q-1}$, $\gcd(k_{12}, q-1) = 1$ and $\gcd(k_{22}, q-1) = 1$, and the second ciphertext $(y_{12}, y_{22}, y_{32})$ is computed.
4. Decryption algorithm:
The ciphertext $(y_{1i}, y_{2i}, y_{3i})$ is sent to the corresponding decrypting party, which, after receiving it, recovers the plaintext data $M$ using the preset formula
$M = y_{2i} \cdot (y_{3i}^{a_i})^{-1} \bmod q$
specifically:
the first ciphertext $(y_{11}, y_{21}, y_{31})$ is sent to the second terminal, which, after receiving it, obtains the plaintext data $M$ from
$M = y_{21} \cdot (y_{31}^{a_1})^{-1} \bmod q$;
the second ciphertext $(y_{12}, y_{22}, y_{32})$ is sent to the supervision terminal, which, after receiving it, obtains the plaintext data $M$ from
$M = y_{22} \cdot (y_{32}^{a_2})^{-1} \bmod q$.
The present disclosure provides, on the basis of the Pedersen commitment, an M-Pedersen commitment that satisfies multiplicative homomorphism, and designs two application protocols based on it that provide information hiding and a zero-knowledge proof of equality. The M-Pedersen commitment is described in detail below.
The M-Pedersen commitment is divided into three phases:
(1) Initialization phase: a prime $q$ is selected such that $q-1$ contains another large prime factor, and the multiplicative group $Z_q^*$ is constructed, with $g, h$ generators of $Z_q^*$. A random number $k$ is selected, $B = h^k \bmod q$ is computed, and $(g, B, q)$ is published.
Note that $B$ in the M-Pedersen commitment and the public key of the K-Elgamal algorithm are interchangeable.
(2) Commitment phase: the committer selects random numbers $a, b$ as blinding factors, computes the commitment value of the plaintext data $M$ as $E(M, a, b) = (g^a B^b,\; M B^a)$, and sends $E(M, a, b)$ to the verifier;
(3) Opening phase: the committer sends $(M, a, b)$ to the verifier, who computes the commitment value of $M$ with the known $(g, B, q)$ and checks whether it equals $E(M, a, b)$, accepting if so and rejecting otherwise.
The M-Pedersen commitment satisfies multiplicative homomorphism: if comm1 and comm2 are commitments to $m_1$ and $m_2$ with blinding factors $(a_1, b_1)$ and $(a_2, b_2)$ respectively, then comm $=$ comm1 $\cdot$ comm2 is a commitment to $m_1 m_2$ with blinding factor $(a_1 + a_2, b_1 + b_2)$:
$E(m_1, a_1, b_1) \cdot E(m_2, a_2, b_2) = (g^{a_1 + a_2} B^{b_1 + b_2},\; m_1 m_2 B^{a_1 + a_2}) = E(m_1 m_2, a_1 + a_2, b_1 + b_2)$
2. Protocol design
In the construction of the M-Pedersen commitment it was mentioned that the data $M$ can be sent to the verifier, who checks whether the commitment is correct. In some cases, however, the committer is unwilling to disclose its information to others, and directly sending $M$ to the verifier is inappropriate when the committer only wants to prove that it actually knows $M$; in other application scenarios the same data $M$ must be encrypted under different public keys, and the verifier must check that the encrypted data is identical. Two protocols are constructed to address these two situations respectively.
Protocol 1: the prover proves to the verifier that it knows $(M, e, f)$ such that $y_1 = g^e B^f$ and $y_2 = M B^e$ hold.
Non-interactive proof process:
1. Committer:
(1) select random numbers $s_1, s_2, s_3$ and compute:
(equation for $u_1$: image not extracted)
(equation for $u_2$: image not extracted)
(2) hash the parameters with a first hash function to obtain:
$c = \mathrm{Hash}(g, B, u_1, u_2, y_1, y_2)$;
(3) compute:
$v_1 = s_1 + c \cdot e$;
$v_2 = s_2 + c \cdot f$;
(equation for $v_3$: image not extracted)
(4) send $(u_1, u_2, v_1, v_2, v_3)$ to the verifier;
2. Verifier:
(1) compute $c = \mathrm{Hash}(g, B, u_1, u_2, y_1, y_2)$ with the same first hash function;
(2) verify whether
(first verification equation: image not extracted)
(second verification equation: image not extracted)
hold. If both equations hold, the proof succeeds; otherwise it fails.
Protocol 2: the committer commits to the plaintext data $M$ with different parameters, obtaining:
(first commitment $(P_1, Q_1)$: equation image not extracted)
(second commitment $(P_2, Q_2)$: equation image not extracted)
and proves to the verifier that both commitments hide the same data.
Non-interactive proof process:
1. Committer:
(1) select random numbers $r_1, r_2, r_3$ and compute:
(equation for $t_1$: image not extracted)
(equation for $t_2$: image not extracted)
(2) hash the parameters with a second hash function to obtain:
$c_1 = \mathrm{Hash}(B_1, B_2, t_1, t_2, Q_1, Q_2)$;
(3) compute:
(equation for $s_1$: image not extracted)
$s_2 = r_2 + c_1 \cdot a_1$;
$s_3 = r_3 + c_1 \cdot a_2$;
(4) send $(t_1, t_2, s_1, s_2, s_3)$ to the verifier.
2. Verifier:
(1) compute $c_2 = \mathrm{Hash}(B_1, B_2, t_1, t_2, Q_1, Q_2)$ with the same second hash function;
(2) verify whether
(first verification equation: image not extracted)
(second verification equation: image not extracted)
hold. If both equations hold, it is verified that the same plaintext data $M$ is hidden in both commitments.
Specifically, the first terminal is further configured to commit to the data with different parameters, obtaining:
(first commitment $(P_1, Q_1)$: equation image not extracted)
(second commitment $(P_2, Q_2)$: equation image not extracted)
wherein $b_1$, $d_1$, $b_2$ and $d_2$ are third random numbers and $M$ is the plaintext data;
the first terminal is further configured to calculate $t_1$ and $t_2$ according to the following formulas:
(equation for $t_1$: image not extracted)
(equation for $t_2$: image not extracted)
wherein $r_1$, $r_2$ and $r_3$ are second random numbers;
the first terminal is further configured to hash $B_1, B_2, t_1, t_2, Q_1, Q_2$ with a second hash function to obtain a hash value $c_1$;
the first terminal is further configured to calculate $s_1$, $s_2$ and $s_3$ according to the following formulas:
(equation for $s_1$: image not extracted)
$s_2 = r_2 + c_1 \cdot d_1$
$s_3 = r_3 + c_1 \cdot d_2$
the first terminal is further configured to obtain the verification parameter $(t_1, t_2, s_1, s_2, s_3)$ from $t_1, t_2, s_1, s_2, s_3$.
The blockchain platform is configured to, upon receipt of $(P_1, Q_1)$, $(P_2, Q_2)$ and $(t_1, t_2, s_1, s_2, s_3)$, hash $B_1, B_2, t_1, t_2, Q_1, Q_2$ with the second hash function to obtain a hash value $c_2$.
The blockchain platform is further configured to detect, from $c_2$, whether the first verification equation holds, and if it holds, to determine that the verification passes.
The first verification equation comprises:
(first verification equation: image not extracted)
(second verification equation: image not extracted)
Further, the equality proof process of the present disclosure may follow Protocol 2. Suppose Alice wants to prove to Bob that the same data has been encrypted under two different public keys; for convenience the protocol is divided into a proof generation process and a verification process. $\mathrm{KGenerator}(m, r_1, r_2, r_3, g, \beta_1, \beta_2, p)$ denotes the proof generation function, which produces evidence that the commitments
$E_1(m, a_1, b_1)$
and
$E_2(m, a_2, b_2)$
hide the same message $m$; $\mathrm{KVerifier}(\mathrm{ElProof}, y_1, y_2, g, \beta_1, \beta_2, p)$ denotes the verification function, where $\mathrm{ElProof} = (t_1, t_2, s_1, s_2, s_3)$, and it checks whether $E_1(m, a_1, b_1)$ and $E_2(m, a_2, b_2)$ hide the same message. Alice only needs to call $\mathrm{KGenerator}()$ to generate the evidence, and Bob verifies the received evidence with $\mathrm{KVerifier}()$.
According to the invention, firstly, M-Pedersen commitment meeting multiplication operation is designed on the basis of the Pedersen commitment, and a multiplication homomorphic privacy protection algorithm meeting zero knowledge equality evidence is designed by combining with an Elgamal encryption algorithm, so that the problem of data abuse and incapability of supervision and verification is well solved.
In the present disclosure, the first terminal is a terminal where the first blockchain account is located, the second terminal is a terminal where the second blockchain account is located, the supervising terminal is a terminal where the supervising account is located, and the blockchain platform may refer to a verification node in the blockchain platform.
The following describes the aspects of the present disclosure in detail by way of examples.
Prover C wants to prove that the plaintext data encrypted with the public key of $A_1$ and with the public key of $A_2$ is the same, $M = 20$.
1. System parameter generation:
The prime $q = 167$ and the elements $g = 5$, $h = 13$ are chosen at random; $G = (167, 5, 13)$ is generated as the system parameters.
2. Key generation:
$A_1$ randomly selects $sk_1 = a_1 = 32$ as its private key and generates the public key $pk_1 = \beta_1 = 72$;
$A_2$ randomly selects $sk_2 = a_2 = 17$ as its private key and generates the public key $pk_2 = \beta_2 = 155$.
3. Encryption:
C selects the random numbers $k_{11} = 23$, $k_{21} = 37$ and encrypts with the public key of $A_1$:
$y_{11} = 5^{23} \cdot 72^{37} \bmod 167 = 44$;
$y_{21} = 20 \cdot 72^{23} \bmod 167 = 69$;
$y_{31} = 13^{23} \bmod 167 = 71$;
C selects the random numbers $k_{12} = 7$, $k_{22} = 29$ and encrypts with the public key of $A_2$:
$y_{12} = 5^{7} \cdot 155^{29} \bmod 167 = 84$;
$y_{22} = 20 \cdot 155^{7} \bmod 167 = 85$;
$y_{32} = 13^{7} \bmod 167 = 104$;
wherein $(y_{11}, y_{21})$ and $(y_{12}, y_{22})$ are used for verification, and $(y_{21}, y_{31})$ and $(y_{22}, y_{32})$ are used for decryption.
4. Decryption:
$A_1$ decrypts with the private key $a_1 = 32$ and $(y_{21}, y_{31})$, obtaining:
$M = 69 \cdot (71^{32})^{-1} \bmod 167 = 20$;
$A_2$ decrypts with the private key $a_2 = 17$ and $(y_{22}, y_{32})$, obtaining:
$M = 85 \cdot (104^{17})^{-1} \bmod 167 = 20$.
5. Equality verification:
1) Prover C selects the random numbers $r_1 = 10$, $r_2 = 18$, $r_3 = 12$.
2) Builds the commitments:
(equation for $t_1$: image not extracted)
(equation for $t_2$: image not extracted)
3) Computes, with the hash function,
$c_1 = \mathrm{Hash}(B_1, B_2, t_1, t_2, Q_1, Q_2) = 63$;
4) Computes:
(equation for $s_1$: image not extracted)
$s_2 = r_2 + c_1 \cdot k_{11} = 18 + 63 \cdot 23 = 1467$;
$s_3 = r_3 + c_1 \cdot k_{12} = 12 + 63 \cdot 7 = 453$;
5) Prover C sends $(t_1, t_2, s_1, s_2, s_3)$ to the verifier.
6) The verifier verifies:
(1) computes $c_2$ with the same hash function:
$c_2 = \mathrm{Hash}(B_1, B_2, t_1, t_2, Q_1, Q_2) = 63$;
(2) (first verification equation, both sides evaluated: images not extracted)
(3) (second verification equation, both sides evaluated: images not extracted)
From (2) and (3), the verification passes.
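The complete flow of the embodiment and of the worked example above (K-Elgamal key generation, encryption of the same $M$ under the two public keys, decryption by each party, the Protocol 2 equality proof and the blockchain node's check), as an added Python example; this is not the patent's own code. It replays the example's parameters and random values. Assumptions: the public key is $\beta = h^{a} \bmod q$ (inferred from $13^{32} \bmod 167 = 72$ and $13^{17} \bmod 167 = 155$); the hash function is SHA-256 over the decimal encodings, mapped to a non-zero exponent; the forms of $t_1$, $t_2$, $s_1$ and the two verification equations are our reconstruction of the sigma protocol whose images are missing, while $s_2 = r_2 + c \cdot k_{11}$ and $s_3 = r_3 + c \cdot k_{12}$ follow the page. With these parameters the $y_2$ and $y_3$ components reproduce the page's printed values; the $y_1$ values printed on the page (44 and 84) do not follow from the stated formula $y_1 = g^{k_1} \beta^{k_2} \bmod q$, which gives 143 and 54.

```python
import hashlib
from math import gcd

# Parameters of the patent's worked example (q = 167, g = 5, h = 13): toy sizes only,
# chosen so every value can be checked by hand. Not secure.
Q, G, H = 167, 5, 13


def keygen(a):
    """K-ElGamal key pair for one decrypting party: private a (a < q), public beta = h^a mod q.
    The public-key formula is inferred from the worked example (13^32 mod 167 = 72)."""
    assert 1 <= a < Q
    return a, pow(H, a, Q)


def encrypt(M, beta, k1, k2):
    """K-ElGamal: (y1, y2, y3) = (g^k1 * beta^k2, M * beta^k1, h^k1) mod q,
    with k1, k2 in Z_{q-1} coprime to q-1 as the page requires.
    (y1, y2) feed the zero-knowledge proof, (y2, y3) go to the decrypting party."""
    assert 0 < M < Q
    assert gcd(k1, Q - 1) == 1 and gcd(k2, Q - 1) == 1
    return (pow(G, k1, Q) * pow(beta, k2, Q) % Q,
            M * pow(beta, k1, Q) % Q,
            pow(H, k1, Q))


def decrypt(ct, a):
    """M = y2 * (y3^a)^(-1) mod q, because y3^a = h^(k1*a) = beta^k1."""
    _, y2, y3 = ct
    return y2 * pow(pow(y3, a, Q), -1, Q) % Q


def challenge(*items):
    """Fiat-Shamir challenge; the page only says 'a hash function', SHA-256 is an assumption.
    Mapped into 1..q-2 so it is a non-zero exponent."""
    digest = hashlib.sha256("|".join(map(str, items)).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 2) + 1


def prove_equal(M, k11, k12, beta1, beta2, y21, y22, r1, r2, r3):
    """Protocol 2, prover side (first terminal): y21 = M beta1^k11 and y22 = M beta2^k12
    hide the same M. t1, t2 and the multiplicative s1 are our reconstruction (images
    missing); s2 = r2 + c*k11 and s3 = r3 + c*k12 are as printed on the page."""
    t1 = r1 * pow(beta1, r2, Q) % Q
    t2 = r1 * pow(beta2, r3, Q) % Q
    c1 = challenge(beta1, beta2, t1, t2, y21, y22)
    s1 = r1 * pow(M, c1, Q) % Q
    s2 = r2 + c1 * k11
    s3 = r3 + c1 * k12
    return (t1, t2, s1, s2, s3)


def verify_equal(proof, beta1, beta2, y21, y22):
    """Protocol 2, verifier side (blockchain node): recompute c and check
    s1 * beta1^s2 == t1 * y21^c  and  s1 * beta2^s3 == t2 * y22^c."""
    t1, t2, s1, s2, s3 = proof
    c2 = challenge(beta1, beta2, t1, t2, y21, y22)
    ok1 = s1 * pow(beta1, s2, Q) % Q == t1 * pow(y21, c2, Q) % Q
    ok2 = s1 * pow(beta2, s3, Q) % Q == t2 * pow(y22, c2, Q) % Q
    return ok1 and ok2


def run_example():
    """Replays the page's example: A1 = second terminal (a1 = 32), A2 = supervision
    terminal (a2 = 17), plaintext 20, and the page's k and r values."""
    a1, beta1 = keygen(32)
    a2, beta2 = keygen(17)
    M, k11, k21, k12, k22 = 20, 23, 37, 7, 29
    ct1 = encrypt(M, beta1, k11, k21)
    ct2 = encrypt(M, beta2, k12, k22)
    proof = prove_equal(M, k11, k12, beta1, beta2, ct1[1], ct2[1], 10, 18, 12)
    return {
        "beta1": beta1, "beta2": beta2, "ct1": ct1, "ct2": ct2,
        "m1": decrypt(ct1, a1), "m2": decrypt(ct2, a2),
        "recorded": verify_equal(proof, beta1, beta2, ct1[1], ct2[1]),
    }


def mismatched_pair_rejected():
    """Negative case (constructed): the sender encrypts 20 for A1 but 93 for the
    supervisor and reuses the honest proof for 20. The node must refuse to record it."""
    _, beta1 = keygen(32)
    _, beta2 = keygen(17)
    k11, k12 = 23, 7
    y21 = encrypt(20, beta1, k11, 37)[1]
    y22 = encrypt(93, beta2, k12, 29)[1]
    proof = prove_equal(20, k11, k12, beta1, beta2, y21, y22, 10, 18, 12)
    return not verify_equal(proof, beta1, beta2, y21, y22)


if __name__ == "__main__":
    print(run_example())
    print("mismatched plaintexts rejected:", mismatched_pair_rejected())
```

The check hashes and binds only $\beta_1, \beta_2, t_1, t_2, y_{21}, y_{22}$: it establishes that the two $y_2$ components hide the same $M$, and nothing about $y_{31}$ or $y_{32}$. Whether the recipient's $y_3$ was formed with the same $k_1$ as its $y_2$, so that the recipient actually decrypts to the $M$ the supervisor sees, is not covered by this proof; a deployment that relies on the recorded ciphertext decrypting consistently for both parties needs an additional check of that relation. The negative case also shows why the challenge must not be zero: with $c = 0$ every response degenerates to the prover's blinding values and the mismatch would go unnoticed.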
In the description of the present invention, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present invention, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic point described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristic data points described may be combined in any suitable manner in any one or more embodiments or examples. Further, one skilled in the art can engage and combine the different embodiments or examples described in this specification.
The foregoing is a further detailed description of the invention in connection with the preferred embodiments, and it is not intended that the invention be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the invention, and these should be considered to be within the scope of the invention.

Claims (7)

1. A homomorphic encryption system that satisfies zero knowledge proof, comprising:
the first terminal is used for acquiring a first ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the second terminal;
the first terminal is further used for obtaining a second ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the supervision terminal;
the first terminal is further configured to construct a verification parameter corresponding to the data according to the M-Pedersen commitment, the public key corresponding to the second terminal, and the public key corresponding to the supervision terminal;
the first terminal is further configured to send the first ciphertext to a second terminal, send the second ciphertext to the supervision terminal, and upload the verification parameter to a blockchain platform;
the second terminal is used for decrypting the first ciphertext according to a private key corresponding to the second terminal to obtain the data;
the supervision terminal is used for decrypting the second ciphertext according to a private key corresponding to the supervision terminal to obtain the data;
and the blockchain platform is used for carrying out equality verification according to the first ciphertext, the second ciphertext and the verification parameter, if the verification is passed, the blockchain platform records the data transmitted between the first terminal and the second terminal, and if the verification is not passed, the blockchain platform does not record the data transmitted between the first terminal and the second terminal.
2. The homomorphic encryption system satisfying zero-knowledge proof of claim 1, wherein,
the second terminal is used for generating the public key corresponding to the second terminal according to the formula
Figure FDA0003950993810000011
the supervision terminal is used for generating the public key corresponding to the supervision terminal according to the formula
Figure FDA0003950993810000012
wherein β_1 is the public key corresponding to the second terminal; a_1 is the private key corresponding to the second terminal; β_2 is the public key corresponding to the supervision terminal; a_2 is the private key corresponding to the supervision terminal; (g, h, q) are system parameters, p is a random prime number, the q-order finite field Z_q is constructed according to q, and g and h are generators of
Figure FDA0003950993810000021
where
Figure FDA0003950993810000022
is the multiplicative group of Z_q; a_1 is a random integer with a_1 < q; a_2 is a random integer with a_2 < q.
3. The homomorphic encryption system satisfying zero-knowledge proof of claim 2, wherein,
the first terminal is configured to obtain the ciphertext according to the following formulas:
Figure FDA0003950993810000023
Figure FDA0003950993810000024
Figure FDA0003950993810000025
wherein M is the data;
when i = 1, (y_11, y_21, y_31) represents the first ciphertext; k_11, k_21 ∈ Z_{q-1}, with (k_11, q-1) = 1 and (k_21, q-1) = 1, represent the first random number;
when i = 2, (y_12, y_22, y_32) represents the second ciphertext; k_12, k_22 ∈ Z_{q-1}, with (k_12, q-1) = 1 and (k_22, q-1) = 1, represent the second random number.
4. The homomorphic encryption system satisfying zero-knowledge proof of claim 3, wherein,
the second terminal is used for acquiring the data according to
Figure FDA0003950993810000026
the supervision terminal is used for acquiring the data according to
Figure FDA0003950993810000027
5. The homomorphic encryption system satisfying zero-knowledge proof of claim 3, wherein,
the first terminal is further configured to commit to the data to obtain:
Figure FDA0003950993810000031
Figure FDA0003950993810000032
wherein b_1, d_1, b_2 and d_2 are third random numbers; M is the data;
the first terminal is further configured to calculate t_1 and t_2 according to the following formulas:
Figure FDA0003950993810000033
Figure FDA0003950993810000034
wherein r_1, r_2 and r_3 are second random numbers;
the first terminal is further configured to perform a hash operation on β_1, β_2, t_1, t_2, y_21, y_22 according to a first hash function to obtain a hash value c_1;
the first terminal is further configured to calculate s_1, s_2 and s_3 according to the following formulas:
Figure FDA0003950993810000035
s_2 = r_2 + c_1 * d_1;
s_3 = r_3 + c_1 * d_2;
the first terminal is further configured to acquire the verification parameter (t_1, t_2, s_1, s_2, s_3) from t_1, t_2, s_1, s_2, s_3.
6. The homomorphic encryption system satisfying zero-knowledge proof of claim 5, wherein,
the blockchain platform is further configured to, after receiving (y_11, y_21, y_31), (y_12, y_22, y_32) and (t_1, t_2, s_1, s_2, s_3), perform a hash operation on β_1, β_2, t_1, t_2, y_21, y_22 according to the first hash function to obtain a hash value c_2;
the blockchain platform is further configured to detect, according to c_2, (y_11, y_21, y_31), (y_12, y_22, y_32) and (t_1, t_2, s_1, s_2, s_3), whether a first verification equation holds, and if the first verification equation holds, to determine that the verification is passed.
7. The homomorphic encryption system of claim 6, wherein the first verification equation comprises:
Figure FDA0003950993810000041
Figure FDA0003950993810000042
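The ledger-side equality check that the worked example above and claims 5 to 7 describe, as an added example that is not the patent's own scheme: the K-Elgamal, M-Pedersen and verification equations are in figures the page does not reproduce, so this stands in plain ElGamal and the standard Chaum-Pedersen-style proof that two ciphertexts under different public keys encrypt the same message. The group parameters, keys and randomness are constructed toy values.

```python
import hashlib

# Constructed toy group, not the patent's parameters: p = 1019 = 2*509 + 1 is a
# safe prime, q = 509, and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4

def keygen(a):
    """Private key a < q, public key beta = g^a mod p (as in claim 2)."""
    return a, pow(G, a, P)

def encrypt(pk, m, k):
    """Plain ElGamal (stand-in for K-Elgamal): (g^k, g^m * pk^k) mod p."""
    return pow(G, k, P), pow(G, m, P) * pow(pk, k, P) % P

def challenge(*vals):
    """Fiat-Shamir challenge over all public values, reduced mod q."""
    data = ",".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(pk1, pk2, m, k1, k2, rm, r1, r2):
    """First terminal: encrypt m to both keys and prove the plaintexts match.
    rm, r1, r2 are the prover's one-time randomness (Chaum-Pedersen style)."""
    ct1, ct2 = encrypt(pk1, m, k1), encrypt(pk2, m, k2)
    t = (pow(G, r1, P), pow(G, r2, P),
         pow(G, rm, P) * pow(pk1, r1, P) % P,
         pow(G, rm, P) * pow(pk2, r2, P) % P)
    c = challenge(pk1, pk2, *t, *ct1, *ct2)
    s = ((rm + c * m) % Q, (r1 + c * k1) % Q, (r2 + c * k2) % Q)
    return ct1, ct2, t, s

def verify(pk1, pk2, ct1, ct2, t, s):
    """Ledger role: recompute c from public values only and check the
    four equations; True means both ciphertexts hide the same g^m."""
    c = challenge(pk1, pk2, *t, *ct1, *ct2)
    sm, s1, s2 = s
    return (pow(G, s1, P) == t[0] * pow(ct1[0], c, P) % P
            and pow(G, s2, P) == t[1] * pow(ct2[0], c, P) % P
            and pow(G, sm, P) * pow(pk1, s1, P) % P == t[2] * pow(ct1[1], c, P) % P
            and pow(G, sm, P) * pow(pk2, s2, P) % P == t[3] * pow(ct2[1], c, P) % P)

def demo():
    """Honest proof verifies; a proof with one tampered response does not."""
    _, pk1 = keygen(23)            # constructed private keys
    _, pk2 = keygen(7)
    ct1, ct2, t, s = prove(pk1, pk2, m=5, k1=17, k2=29, rm=101, r1=18, r2=12)
    ok = verify(pk1, pk2, ct1, ct2, t, s)
    bad = verify(pk1, pk2, ct1, ct2, t, (s[0], (s[1] + 1) % Q, s[2]))
    return ok, bad   # (True, False)
```

verify() never touches a private key or the plaintext, which is what lets the blockchain platform record or reject the transfer without learning M.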
CN202211447692.5A 2022-11-18 2022-11-18 Homomorphic encryption system meeting zero knowledge proof Pending CN116015592A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211447692.5A CN116015592A (en) 2022-11-18 2022-11-18 Homomorphic encryption system meeting zero knowledge proof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211447692.5A CN116015592A (en) 2022-11-18 2022-11-18 Homomorphic encryption system meeting zero knowledge proof

Publications (1)

Publication Number Publication Date
CN116015592A true CN116015592A (en) 2023-04-25

Family

ID=86034252

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211447692.5A Pending CN116015592A (en) 2022-11-18 2022-11-18 Homomorphic encryption system meeting zero knowledge proof

Country Status (1)

Country Link
CN (1) CN116015592A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116827555A (en) * 2023-07-21 2023-09-29 安徽省大数据中心 Encryption and decryption method and system for blockchain data based on ciphertext key relationship verification

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination