CN116015592A - Homomorphic encryption system meeting zero knowledge proof - Google Patents
- Publication number: CN116015592A (application CN202211447692.5A)
- Authority: CN (China)
- Prior art keywords: terminal, ciphertext, data, verification, key corresponding
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Classification: Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to a homomorphic encryption system satisfying zero-knowledge proof. A first terminal computes a first ciphertext of the data with the K-Elgamal algorithm under the public key of a second terminal, computes a second ciphertext of the same data with the K-Elgamal algorithm under the public key of a supervision terminal, and constructs a verification parameter for the data from the M-Pedersen commitment, the public key of the second terminal and the public key of the supervision terminal. It sends the first ciphertext to the second terminal, sends the second ciphertext to the supervision terminal, and uploads the verification parameter to a blockchain platform. The second terminal decrypts the first ciphertext with its private key to obtain the data; the supervision terminal decrypts the second ciphertext with its private key to obtain the data. The blockchain platform performs an equality verification over the first ciphertext, the second ciphertext and the verification parameter: if it passes, the platform records the data transmitted between the first terminal and the second terminal; if it fails, the platform does not record it.
Description
Technical Field
The invention belongs to the technical field of privacy-preserving data protection algorithms and relates to a homomorphic encryption system satisfying zero-knowledge proof.
Background
In the big-data era the value of data grows rapidly, and its ties to national security, social development and personal legal rights tighten with it. Data circulation is an important link in releasing that value, but with the rapid development of the internet the leakage of private data has become an increasingly serious problem. Homomorphic encryption is a special encryption mode: a computing party can operate directly on ciphertext, and the decrypted result equals the result of the same computation on plaintext. It lets participating parties compute without holding the key, and intermediate results need not be decrypted during the computation, which avoids that decryption cost. Ciphertext taking part in the computation need not be sent back to the key holder, which reduces communication cost, and a distributed computing task can be spread over several participants to balance the load. A data consumer obtains only the final result of the ciphertext computation and learns nothing about the intermediate steps or the intermediate ciphertexts, which improves data security and privacy. Existing transaction privacy-protection schemes based on homomorphic encryption suffer from low verification rates and easy data leakage, and it is hard to reconcile openness with confidentiality, which reduces fairness and reliability in practice and hinders the development of privacy-protection technology. A zero-knowledge proof can demonstrate the legitimacy of data to others.
One of the most important building blocks for constructing zero-knowledge proof systems and other security protocols is the commitment: the committer first commits to a value and later, in a verification stage, proves that the commitment has been honoured, much like a promise in everyday life. Briefly, a commitment protocol is a two-stage protocol between two parties. In the commit stage the committer commits to a message v and sends the commitment to the verifier, while ensuring that the verifier learns nothing about v. In the open stage the committer reveals v and shows that it is consistent with the commitment made earlier, without tampering. A commitment protocol has two basic properties, hiding and binding. Hiding means that nobody other than the committer can learn anything about v from the commitment made in the commit stage. Binding means that in the open stage nobody can open the commitment to a message other than v and pass verification. Combining homomorphic encryption with zero-knowledge proofs addresses the problem that data is abused and cannot be supervised or verified.
From the above analysis, the problems and defects of the prior art are as follows. In daily use, homomorphic encryption algorithms are widely applied in large-scale scenarios because of their low computational complexity and good performance, but the encrypted data is opaque, so data abuse and the inability to supervise and verify occur, and existing partially homomorphic encryption algorithms cannot perform data supervision or zero-knowledge equality verification.
Disclosure of Invention
To overcome the problems in the related art, embodiments of the present disclosure provide a homomorphic encryption system that satisfies zero knowledge proof. The technical scheme is as follows:
according to a first aspect of embodiments of the present disclosure, there is provided a homomorphic encryption system that satisfies zero knowledge proof, comprising:
the first terminal is used for acquiring a first ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the second terminal;
the first terminal is further used for obtaining a second ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the supervision terminal;
the first terminal is further configured to construct a verification parameter corresponding to the data according to the M-Pedersen commitment, the public key corresponding to the second terminal, and the public key corresponding to the supervision terminal;
the first terminal is further configured to send the first ciphertext to a second terminal, send the second ciphertext to the supervision terminal, and upload the verification parameter to a blockchain platform;
the second terminal is used for decrypting the first ciphertext according to a private key corresponding to the second terminal to obtain the data;
the supervision terminal is used for decrypting the second ciphertext according to a private key corresponding to the supervision terminal to obtain the data;
and the blockchain platform is used for carrying out equality verification according to the first ciphertext, the second ciphertext and the verification parameter, if the verification is passed, the blockchain platform records the data transmitted between the first terminal and the second terminal, and if the verification is not passed, the blockchain platform does not record the data transmitted between the first terminal and the second terminal.
In one embodiment,
the second terminal generates its public key according to the formula $\beta_1 = h^{a_1} \bmod q$;
the supervision terminal generates its public key according to the formula $\beta_2 = h^{a_2} \bmod q$;
where $\beta_1$ is the public key of the second terminal, $a_1$ is the private key of the second terminal, $\beta_2$ is the public key of the supervision terminal and $a_2$ is the private key of the supervision terminal; (g, h, q) are the system parameters, q is a random prime, $Z_q$ is the finite field of order q constructed from q, and g and h are generators of $Z_q^*$, the multiplicative group of $Z_q$; $a_1$ is a random integer with $a_1 < q$, and $a_2$ is a random integer with $a_2 < q$.
In one embodiment,
the first terminal obtains the ciphertext according to the following formula:
$y_{1i} = g^{k_{1i}} \beta_i^{k_{2i}} \bmod q,\quad y_{2i} = M \beta_i^{k_{1i}} \bmod q,\quad y_{3i} = h^{k_{1i}} \bmod q$
where M is the data;
when i = 1, $(y_{11}, y_{21}, y_{31})$ is the first ciphertext, and $k_{11}, k_{21} \in Z_{q-1}$ with $\gcd(k_{11}, q-1) = 1$ and $\gcd(k_{21}, q-1) = 1$ are the first random numbers;
when i = 2, $(y_{12}, y_{22}, y_{32})$ is the second ciphertext, and $k_{12}, k_{22} \in Z_{q-1}$ with $\gcd(k_{12}, q-1) = 1$ and $\gcd(k_{22}, q-1) = 1$ are the second random numbers.
In one embodiment,
the first terminal commits to the data to obtain:
where $b_1$, $d_1$, $b_2$ and $d_2$ are third random numbers and M is the data;
the first terminal further calculates $t_1$ and $t_2$ according to the following formula:
where $r_1$, $r_2$ and $r_3$ are second random numbers;
the first terminal further hashes $\beta_1, \beta_2, t_1, t_2, y_{21}, y_{22}$ with a first hash function to obtain the hash value $c_1$;
the first terminal further calculates $s_1$, $s_2$ and $s_3$ according to the following formula:
$s_2 = r_2 + c_1 \cdot d_1$;
$s_3 = r_3 + c_1 \cdot d_2$;
the first terminal obtains the verification parameter $(t_1, t_2, s_1, s_2, s_3)$ from $t_1, t_2, s_1, s_2, s_3$.
In one embodiment,
after receiving $(y_{11}, y_{21}, y_{31})$, $(y_{12}, y_{22}, y_{32})$ and $(t_1, t_2, s_1, s_2, s_3)$, the blockchain platform hashes $\beta_1, \beta_2, t_1, t_2, y_{21}, y_{22}$ with the first hash function to obtain the hash value $c_2$;
the blockchain platform further detects, from $c_2$, $(y_{11}, y_{21}, y_{31})$, $(y_{12}, y_{22}, y_{32})$ and $(t_1, t_2, s_1, s_2, s_3)$, whether a first verification equation holds, and if it holds, determines that verification has passed.
In one embodiment, the first verification equation includes:
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram of a homomorphic encryption system satisfying zero knowledge proof according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to specific examples, but embodiments of the present invention are not limited thereto.
The problems and defects of the prior art are as follows: in daily use, homomorphic encryption algorithms are widely applied in large-scale scenarios because of their low computational complexity and good performance, but the encrypted data is opaque, so data abuse and the inability to supervise and verify occur, and existing partially homomorphic encryption algorithms cannot perform data supervision or zero-knowledge equality verification.
The difficulty in solving these problems is how to keep the data secure during homomorphic encryption and computation, and how to combine commitment techniques with a homomorphic encryption algorithm to verify the legitimacy of data circulation, that is, to verify that ciphertexts of the same information produced under different public keys are consistent.
The significance of solving them is this: homomorphic encryption hides secret data and computes on it as ciphertext, and zero-knowledge proofs verify the legitimacy of the data's circulation. Because the data is encrypted and computed on, and the result is stored as ciphertext, no specific data is revealed even if the result is stolen, so the data is protected both in computation and in transit. A privacy-protection algorithm satisfying zero-knowledge proof can generate evidence of the validity of the encrypted data; data that passes verification is stored, and storage is refused when verification fails, which removes the opportunity for malicious tampering and misuse and reduces the risk of user privacy disclosure. Constructing a privacy-protection algorithm that provides both zero-knowledge proof and homomorphic encryption therefore has practical significance and broad application.
Referring to fig. 1, fig. 1 is a schematic diagram of a homomorphic encryption system satisfying zero knowledge proof according to an embodiment of the invention, the system includes:
the first terminal is used for acquiring a first ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the second terminal;
the first terminal is also used for acquiring a second ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the supervision terminal;
the first terminal is also used for constructing verification parameters corresponding to the data according to the M-Pedersen promise, the public key corresponding to the second terminal and the public key corresponding to the supervision terminal;
the first terminal is also used for sending the first ciphertext to the second terminal, sending the second ciphertext to the supervision terminal and uploading the verification parameters to the blockchain platform;
the second terminal is used for decrypting the first ciphertext according to the private key corresponding to the second terminal to obtain data;
the supervision terminal is used for decrypting the second ciphertext according to the private key corresponding to the supervision terminal to obtain data;
and the blockchain platform is used for carrying out equality verification according to the first ciphertext, the second ciphertext and the verification parameter; if the verification is passed, the blockchain platform records the data transmitted between the first terminal and the second terminal, and if the verification is not passed, the blockchain platform does not record the data transmitted between the first terminal and the second terminal.
The K-Elgamal algorithm consists of four parts: system parameters, a key generation algorithm, an encryption algorithm and a decryption algorithm.
When the algorithm is applied, the application must generate its own system parameters; once set, the system parameters cannot be modified and remain unchanged for the whole life of the application. They are generated as follows:
1. System parameters:
Randomly select a prime q and construct the finite field $Z_q$ of order q; g and h are generators of $Z_q^*$, the multiplicative group of $Z_q$. (g, h, q) are the system parameters.
2. Key generation algorithm:
After obtaining the system parameters, each decrypting party (for example the second terminal and the supervision terminal) generates its own public/private key pair from them. In one implementation the public key of each decrypting party is generated according to the formula $B_i = h^{a_i} \bmod q$;
where $B_i$ is the public key of the i-th decrypting party, $a_i$ is a random integer chosen by the i-th decrypting party with $a_i < q$, and the private key of the i-th decrypting party is $sk_i = a_i$.
Specifically, the second terminal generates its key pair as follows: choose a random integer $a_1$ ($a_1 < q$), compute $\beta_1 = h^{a_1} \bmod q$ with the system parameters (g, h, q), take $a_1$ as the private key $sk_1 = a_1$ and $\beta_1$ as the public key $pk_1 = \beta_1$.
The supervision terminal generates its key pair as follows: choose a random integer $a_2$ ($a_2 < q$), compute $\beta_2 = h^{a_2} \bmod q$ with the system parameters (g, h, q), take $a_2$ as the private key $sk_2 = a_2$ and $\beta_2$ as the public key $pk_2 = \beta_2$.
3. Encryption algorithm:
For each decrypting party choose first random numbers $k_{1i}, k_{2i} \in Z_{q-1}$ with $\gcd(k_{1i}, q-1) = 1$ and $\gcd(k_{2i}, q-1) = 1$, and compute the ciphertext $(y_{1i}, y_{2i}, y_{3i})$:
$y_{1i} = g^{k_{1i}} B_i^{k_{2i}} \bmod q,\quad y_{2i} = M B_i^{k_{1i}} \bmod q,\quad y_{3i} = h^{k_{1i}} \bmod q$
where $k_{1i}$ and $k_{2i}$ are the random numbers chosen for the i-th decrypting party and M is the plaintext data; $(y_{1i}, y_{2i})$ is the data used to complete the zero-knowledge proof, and $(y_{2i}, y_{3i})$ is the data used for decryption.
Specifically, choose first random numbers $k_{11}$ and $k_{21}$ for the second terminal, $k_{11} \in Z_{q-1}$, $k_{21} \in Z_{q-1}$, $\gcd(k_{11}, q-1) = 1$, $\gcd(k_{21}, q-1) = 1$, and compute the first ciphertext $(y_{11}, y_{21}, y_{31})$;
choose second random numbers $k_{12}$ and $k_{22}$ for the supervision terminal, $k_{12} \in Z_{q-1}$, $k_{22} \in Z_{q-1}$, $\gcd(k_{12}, q-1) = 1$, $\gcd(k_{22}, q-1) = 1$, and compute the second ciphertext $(y_{12}, y_{22}, y_{32})$.
4. Decryption algorithm:
The ciphertext $(y_{1i}, y_{2i}, y_{3i})$ is sent to the corresponding decrypting party, which recovers the plaintext as $M = y_{2i} \cdot (y_{3i}^{a_i})^{-1} \bmod q$, since $y_{3i}^{a_i} = h^{k_{1i} a_i} = B_i^{k_{1i}}$ cancels the blinding factor in $y_{2i}$. Specifically:
the first ciphertext $(y_{11}, y_{21}, y_{31})$ is sent to the second terminal, which computes $M = y_{21} \cdot (y_{31}^{a_1})^{-1} \bmod q$;
the second ciphertext $(y_{12}, y_{22}, y_{32})$ is sent to the supervision terminal, which computes $M = y_{22} \cdot (y_{32}^{a_2})^{-1} \bmod q$.
The present disclosure provides an M-Pedersen commitment that satisfies multiplicative homomorphism, built on the Pedersen commitment, and designs two application protocols on it that provide information hiding and a zero-knowledge equality proof. The M-Pedersen commitment is described in detail below.
The M-Pedersen commitment has three phases:
(1) Initialization: choose a prime q such that q-1 contains another large prime factor and construct the multiplicative group $Z_q^*$, with g, h generators of $Z_q^*$; choose a random number k, compute $B = h^k \bmod q$, and publish (g, B, q).
Note that B in the M-Pedersen commitment and the public key of the K-Elgamal algorithm are interchangeable: $\beta = h^a$ plays the role of B. As with the Pedersen commitment, binding depends on no party knowing $\log_g B$; whoever knows it can open $E(M, a, b)$ to a different message.
(2) Commit: the committer chooses random numbers a, b as blinding factors and computes the commitment of the plaintext M as $E(M, a, b) = (g^a B^b \bmod q,\; M B^a \bmod q)$, then sends E(M, a, b) to the verifier;
(3) Open: the committer sends (M, a, b) to the verifier, which recomputes the commitment of M from the public (g, B, q), checks that it equals E(M, a, b), and accepts if so, rejecting otherwise.
The M-Pedersen commitment is multiplicatively homomorphic: if comm1 and comm2 are commitments to $m_1$ and $m_2$ with blinding factors $(a_1, b_1)$ and $(a_2, b_2)$, the component-wise product comm = comm1 · comm2 is a commitment to $m_1 m_2$ with blinding factors $(a_1 + a_2, b_1 + b_2)$:
$E(m_1, a_1, b_1) \cdot E(m_2, a_2, b_2) = (g^{a_1 + a_2} B^{b_1 + b_2},\; m_1 m_2 B^{a_1 + a_2}) = E(m_1 m_2, a_1 + a_2, b_1 + b_2)$.
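The K-Elgamal algorithm of the previous section and the M-Pedersen commitment with its multiplicative homomorphism, as an added Python example (not code from the patent), run over $Z_q^*$ with the toy parameters of the patent's worked example (q = 167, g = 5, h = 13). The page does not print the key-generation or decryption formulas; the forms used here, $\beta = h^a \bmod q$ and $M = y_2 \cdot (y_3^{a})^{-1} \bmod q$, are inferred from the worked example's numbers ($13^{32} \bmod 167 = 72$) and from $y_3^a = h^{k_1 a} = \beta^{k_1}$, and are an assumption of this example. The ciphertext formula follows the worked example's $y_1 = g^{k_1}\beta^{k_2}$, $y_2 = M\beta^{k_1}$, $y_3 = h^{k_1}$.

```python
# Added example, not the patent's code: K-Elgamal over Z_q^* plus the
# M-Pedersen commitment, with the worked example's toy parameters.
# beta = h^a mod q and M = y2 / y3^a mod q are inferred from the example's
# numbers (the page does not print those two formulas); a 167-element group
# is for illustration only and offers no security.
from math import gcd

q, g, h = 167, 5, 13  # system parameters (g, h, q) from the worked example


def keygen(a):
    """Private key a (random, a < q) -> public key beta = h^a mod q (inferred form)."""
    assert 0 < a < q
    return pow(h, a, q)


def commit(M, a, b, B):
    """M-Pedersen commitment E(M, a, b) = (g^a * B^b, M * B^a) mod q.

    M must be a unit of Z_q^*; M = 0 would collapse the second component.
    """
    assert 0 < M < q
    return ((pow(g, a, q) * pow(B, b, q)) % q, (M * pow(B, a, q)) % q)


def commit_mul(c1, c2):
    """Component-wise product: E(m1,a1,b1)*E(m2,a2,b2) == E(m1*m2, a1+a2, b1+b2)."""
    return ((c1[0] * c2[0]) % q, (c1[1] * c2[1]) % q)


def encrypt(M, beta, k1, k2):
    """K-Elgamal ciphertext (y1, y2, y3) = (g^k1 beta^k2, M beta^k1, h^k1) mod q.

    (y1, y2) is exactly commit(M, k1, k2, beta); (y2, y3) is what the key
    holder needs. The page requires k1, k2 in Z_{q-1} coprime to q-1.
    """
    for k in (k1, k2):
        assert 0 < k < q - 1 and gcd(k, q - 1) == 1
    y1, y2 = commit(M, k1, k2, beta)
    return (y1, y2, pow(h, k1, q))


def decrypt(ct, a):
    """Recover M = y2 * (y3^a)^-1 mod q; y3^a = h^(k1 a) = beta^k1 cancels the blinding."""
    _, y2, y3 = ct
    return (y2 * pow(pow(y3, a, q), -1, q)) % q


if __name__ == "__main__":
    beta1, beta2 = keygen(32), keygen(17)          # 72 and 155 as in the example
    ct1 = encrypt(20, beta1, 23, 37)               # for the second terminal
    ct2 = encrypt(20, beta2, 7, 29)                # for the supervision terminal
    print(beta1, beta2, ct1, ct2)
    print(decrypt(ct1, 32), decrypt(ct2, 17))      # both recover 20
    # homomorphism: product of two commitments opens to the product of messages
    assert commit_mul(commit(6, 3, 5, beta1), commit(7, 11, 9, beta1)) == commit(42, 14, 14, beta1)
```

With the example's values, keygen(32) returns 72 and keygen(17) returns 155, and both ciphertexts decrypt back to 20; decrypting the first ciphertext with the supervision terminal's key does not. The `commit` guard on M matters in practice: the second component is $M \cdot B^a$, so a zero message is neither hidden nor recoverable, and the equality proof later in the page likewise only makes sense for M in $Z_q^*$.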
2. Protocol design
In the construction of the M-Pedersen commitment above, the data M is sent to the verifier, which checks whether the commitment is correct. In some cases, however, the committer is unwilling to disclose its information to others, and sending M directly to the verifier is inappropriate; it only wants to prove that it really knows M. In other scenarios the same data M must be encrypted under different public keys, and the verifier must check that the encrypted data is identical. Two protocols are constructed for these two situations.
Protocol 1: the prover proves to the verifier that it knows (M, e, f) such that $y_1 = g^e B^f \bmod q$ and $y_2 = M B^e \bmod q$.
Non-interactive proof process:
1. Prover:
(1) Choose random numbers $s_1, s_2, s_3$ and compute:
(2) Hash the parameters with a first hash function to obtain:
$c = \mathrm{Hash}(g, B, u_1, u_2, y_1, y_2)$;
(3) Compute:
$v_1 = s_1 + c \cdot e$;
$v_2 = s_2 + c \cdot f$;
(4) Send $(u_1, u_2, v_1, v_2, v_3)$ to the verifier.
2. Verifier:
(1) Recompute $c = \mathrm{Hash}(g, B, u_1, u_2, y_1, y_2)$ with the same first hash function;
(2) Check whether both verification equations hold. If both hold the proof succeeds, otherwise it fails.
Protocol 2: the committer commits to the plaintext M with different parameters to obtain two commitments:
and proves to the verifier that the same data is hidden in both commitments.
Non-interactive proof process:
1. Prover:
(1) Choose random numbers $r_1, r_2, r_3$ and compute $t_1$, $t_2$:
(2) Hash the parameters with a second hash function to obtain:
$c_1 = \mathrm{Hash}(B_1, B_2, t_1, t_2, Q_1, Q_2)$;
(3) Compute:
$s_2 = r_2 + c_1 \cdot a_1$;
$s_3 = r_3 + c_1 \cdot a_2$;
(4) Send $(t_1, t_2, s_1, s_2, s_3)$ to the verifier.
2. Verifier:
(1) Recompute $c_2 = \mathrm{Hash}(B_1, B_2, t_1, t_2, Q_1, Q_2)$ with the same second hash function;
(2) Check whether both verification equations hold. If both hold, the same plaintext M is hidden in both commitments.
Specifically, the first terminal commits to the data with different parameters to obtain:
where $b_1$, $d_1$, $b_2$ and $d_2$ are third random numbers and M is the plaintext data;
the first terminal further calculates $t_1$ and $t_2$ according to the following formula:
where $r_1$, $r_2$ and $r_3$ are second random numbers;
the first terminal further hashes $B_1, B_2, t_1, t_2, Q_1, Q_2$ with the second hash function to obtain the hash value $c_1$;
the first terminal further calculates $s_1$, $s_2$ and $s_3$ according to the following formula:
$s_2 = r_2 + c_1 \cdot d_1$;
$s_3 = r_3 + c_1 \cdot d_2$;
the first terminal obtains the verification parameter $(t_1, t_2, s_1, s_2, s_3)$ from $t_1, t_2, s_1, s_2, s_3$.
After receiving $(P_1, Q_1)$, $(P_2, Q_2)$ and $(t_1, t_2, s_1, s_2, s_3)$, the blockchain platform hashes $B_1, B_2, t_1, t_2, Q_1, Q_2$ with the same hash function to obtain the hash value $c_2$;
the blockchain platform further detects, from $c_2$, whether the first verification equation holds, and if it holds, determines that verification has passed.
The first verification equation includes:
further, the equality proof process of the present disclosure may refer to protocol 2, and assume that Alice wants to prove to Bob that the same data is encrypted with a different public key, where for convenience of description, the protocol proof process is divided into a proof generation process and a verification process. KGenerator (m, r) 1 ,r 2 ,r 3 ,g,β 1 ,β 2 P) represents an evidence-generating process function for promiseAnd->Hiding the same message m produces evidence, kkrifeier (ElProof, y 1 ,y 2 ,g,β 1 ,β 2 P) represents a verification process function, where elproof= (t) 1 ,t 2 ,s 1 ,s 2 ,s 3 ) For verifying E 1 (m,a 1 ,b 1 ) And E is 2 (m,a 2 ,b 2 ) Whether the same message is hidden. Alice only needs to use the function KGenerThe atom () generates evidence, and Bob receives the evidence and verifies the evidence by using the function kkriffier ().
According to the invention, firstly, M-Pedersen commitment meeting multiplication operation is designed on the basis of the Pedersen commitment, and a multiplication homomorphic privacy protection algorithm meeting zero knowledge equality evidence is designed by combining with an Elgamal encryption algorithm, so that the problem of data abuse and incapability of supervision and verification is well solved.
In the present disclosure, the first terminal is a terminal where the first blockchain account is located, the second terminal is a terminal where the second blockchain account is located, the supervising terminal is a terminal where the supervising account is located, and the blockchain platform may refer to a verification node in the blockchain platform.
The following describes the aspects of the present disclosure in detail by way of examples.
Prover C wants to prove that the same plaintext M = 20 was encrypted under the public key of $A_1$ and under the public key of $A_2$.
1. System parameter generation:
Randomly choose the prime q = 167 and the elements g = 5, h = 13; G = (167, 5, 13) are the system parameters.
2. Key generation:
$A_1$ randomly chooses $sk_1 = a_1 = 32$ as its private key and generates the public key $pk_1 = \beta_1 = 13^{32} \bmod 167 = 72$;
$A_2$ randomly chooses $sk_2 = a_2 = 17$ as its private key and generates the public key $pk_2 = \beta_2 = 13^{17} \bmod 167 = 155$.
3. Encryption:
C chooses random numbers $k_{11} = 23$, $k_{21} = 37$ and encrypts under the public key of $A_1$:
$y_{11} = 5^{23} \cdot 72^{37} \bmod 167 = 143$;
$y_{21} = 20 \cdot 72^{23} \bmod 167 = 69$;
$y_{31} = 13^{23} \bmod 167 = 71$;
C chooses random numbers $k_{12} = 7$, $k_{22} = 29$ and encrypts under the public key of $A_2$:
$y_{12} = 5^{7} \cdot 155^{29} \bmod 167 = 54$;
$y_{22} = 20 \cdot 155^{7} \bmod 167 = 85$;
$y_{32} = 13^{7} \bmod 167 = 104$;
where $(y_{11}, y_{21})$ and $(y_{12}, y_{22})$ are used for verification, and $(y_{21}, y_{31})$ and $(y_{22}, y_{32})$ are used for decryption.
4. Decryption:
$A_1$ decrypts with its private key $a_1 = 32$ and $(y_{21}, y_{31})$: $M = 69 \cdot (71^{32})^{-1} \bmod 167 = 20$;
$A_2$ decrypts with its private key $a_2 = 17$ and $(y_{22}, y_{32})$: $M = 85 \cdot (104^{17})^{-1} \bmod 167 = 20$.
5. Equality verification:
1) Prover C chooses random numbers $r_1 = 10$, $r_2 = 18$, $r_3 = 12$.
2) Builds the commitments $t_1$, $t_2$:
3) Computes with the hash function
$c_1 = \mathrm{Hash}(B_1, B_2, t_1, t_2, Q_1, Q_2) = 63$;
4) Computes, with $a_1 = k_{11} = 23$ and $a_2 = k_{12} = 7$ here denoting the blinding exponents of $y_{21}$ and $y_{22}$:
$s_2 = r_2 + c_1 \cdot a_1 = 18 + 63 \cdot 23 = 1467$;
$s_3 = r_3 + c_1 \cdot a_2 = 12 + 63 \cdot 7 = 453$;
5) Prover C sends $(t_1, t_2, s_1, s_2, s_3)$ to the verifier.
6) Verification by the verifier:
(1) Recompute $c_2$ with the same hash function:
$c_2 = \mathrm{Hash}(B_1, B_2, t_1, t_2, Q_1, Q_2) = 63$;
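The non-interactive equality proof of Protocol 2, run on the values of step 5 above, as an added Python example (not code from the patent). The page prints the responses $s_2 = r_2 + c \cdot a_1$ and $s_3 = r_3 + c \cdot a_2$ and the hash input $(B_1, B_2, t_1, t_2, Q_1, Q_2)$, but not $t_1$, $t_2$, $s_1$ or the verification equations; the forms used here, $t_1 = r_1 B_1^{r_2}$, $t_2 = r_1 B_2^{r_3}$, $s_1 = r_1 M^{c}$ and the checks $s_1 B_1^{s_2} = t_1 Q_1^{c}$ and $s_1 B_2^{s_3} = t_2 Q_2^{c}$ (all mod q), are a reconstruction consistent with what is printed and are an assumption of this example, as is SHA-256 for the hash (the page names none, so the challenge 63 of the text is not reproduced). The shared $r_1$ is what ties both commitments to a single message.

```python
# Added example, not the patent's code. Protocol 2 equality proof for two
# values Q1 = M * B1^a1 and Q2 = M * B2^a2 (mod q), e.g. y21 and y22 of the
# worked example under the public keys beta1, beta2. The page prints
# s2 = r2 + c*a1, s3 = r3 + c*a2 and the hash inputs; the forms of t1, t2,
# s1 and the two checks below are an assumption consistent with those, and
# SHA-256 is an assumed choice of hash.
import hashlib

q = 167  # toy modulus from the worked example; exponents are reduced mod q - 1


def challenge(B1, B2, t1, t2, Q1, Q2):
    """Fiat-Shamir challenge over (B1, B2, t1, t2, Q1, Q2), as the page lists them.

    Forced into [1, q-2]: a zero challenge would make every response
    independent of the witness, so any (Q1, Q2) pair would verify.
    """
    data = "|".join(str(v) for v in (B1, B2, t1, t2, Q1, Q2)).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 2)


def responses(c, r, M, a1, a2):
    """(s1, s2, s3) for challenge c: s1 = r1 * M^c mod q (assumed), s2, s3 as printed."""
    r1, r2, r3 = r
    return ((r1 * pow(M, c, q)) % q, r2 + c * a1, r3 + c * a2)


def prove(M, a1, a2, B1, B2, Q1, Q2, r):
    """Prover side. Q1, Q2 are the commitments the prover published (y21, y22)."""
    r1, r2, r3 = r
    t1 = (r1 * pow(B1, r2, q)) % q   # same r1 in both: ties them to one message
    t2 = (r1 * pow(B2, r3, q)) % q
    c = challenge(B1, B2, t1, t2, Q1, Q2)
    s1, s2, s3 = responses(c, r, M, a1, a2)
    return (t1, t2, s1, s2, s3)


def verify(B1, B2, Q1, Q2, proof):
    """Verifier (blockchain node) side: recompute c and check both equations."""
    t1, t2, s1, s2, s3 = proof
    if not all(0 < v < q for v in (t1, t2, s1, Q1, Q2)):
        return False                  # reject non-units before any arithmetic
    c = challenge(B1, B2, t1, t2, Q1, Q2)
    ok1 = (s1 * pow(B1, s2, q)) % q == (t1 * pow(Q1, c, q)) % q
    ok2 = (s1 * pow(B2, s3, q)) % q == (t2 * pow(Q2, c, q)) % q
    return ok1 and ok2


if __name__ == "__main__":
    B1, B2, M = 72, 155, 20                      # public keys and plaintext from the example
    Q1 = (M * pow(B1, 23, q)) % q                # y21 = 69
    Q2 = (M * pow(B2, 7, q)) % q                 # y22 = 85
    proof = prove(M, 23, 7, B1, B2, Q1, Q2, (10, 18, 12))
    print("honest proof verifies:", verify(B1, B2, Q1, Q2, proof))
    Q2_other = (21 * pow(B2, 7, q)) % q          # second ciphertext hides 21, not 20
    bad = prove(M, 23, 7, B1, B2, Q1, Q2_other, (10, 18, 12))
    print("mismatched messages verify:", verify(B1, B2, Q1, Q2_other, bad))
```

Two things the check gives and one it does not. Completeness is a one-line identity: $s_1 B_1^{s_2} = r_1 M^c B_1^{r_2 + c a_1} = (r_1 B_1^{r_2})(M B_1^{a_1})^c = t_1 Q_1^c$, and likewise for the second equation. A prover whose two ciphertexts hide different messages $M \neq M'$ fails the second equation unless $(M/M')^c = 1$, which in this toy group cannot happen for a challenge in $[1, q-2]$ when $M/M'$ has full order. What the proof does not establish is anything about M itself: it shows that $y_{21}$ and $y_{22}$ blind the same unit of $Z_q^*$ under $\beta_1$ and $\beta_2$, not that M is well-formed, in range, or the value the first terminal claims elsewhere, so a blockchain node that records the transaction on this proof alone is recording consistency, not correctness.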
In the description of the present invention, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present invention, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic point described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristic data points described may be combined in any suitable manner in any one or more embodiments or examples. Further, one skilled in the art can engage and combine the different embodiments or examples described in this specification.
The foregoing is a further detailed description of the invention in connection with the preferred embodiments, and it is not intended that the invention be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the invention, and these should be considered to be within the scope of the invention.
Claims (7)
1. A homomorphic encryption system that satisfies zero knowledge proof, comprising:
the first terminal is used for acquiring a first ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the second terminal;
the first terminal is further used for obtaining a second ciphertext corresponding to the data according to the K-Elgamal algorithm and a public key corresponding to the supervision terminal;
the first terminal is further configured to construct a verification parameter corresponding to the data according to the M-Pedersen commitment, the public key corresponding to the second terminal, and the public key corresponding to the supervision terminal;
the first terminal is further configured to send the first ciphertext to a second terminal, send the second ciphertext to the supervision terminal, and upload the verification parameter to a blockchain platform;
the second terminal is used for decrypting the first ciphertext according to a private key corresponding to the second terminal to obtain the data;
the supervision terminal is used for decrypting the second ciphertext according to a private key corresponding to the supervision terminal to obtain the data;
and the blockchain platform is used for carrying out equality verification according to the first ciphertext, the second ciphertext and the verification parameter, if the verification is passed, the blockchain platform records the data transmitted between the first terminal and the second terminal, and if the verification is not passed, the blockchain platform does not record the data transmitted between the first terminal and the second terminal.
2. The homomorphic encryption system satisfying zero-knowledge proof of claim 1, wherein
the second terminal generates its public key according to the formula $\beta_1 = h^{a_1} \bmod q$;
the supervision terminal generates its public key according to the formula $\beta_2 = h^{a_2} \bmod q$;
where $\beta_1$ is the public key of the second terminal, $a_1$ is the private key of the second terminal, $\beta_2$ is the public key of the supervision terminal and $a_2$ is the private key of the supervision terminal; (g, h, q) are the system parameters, q is a random prime, $Z_q$ is the finite field of order q constructed from q, and g and h are generators of $Z_q^*$, the multiplicative group of $Z_q$; $a_1$ is a random integer with $a_1 < q$, and $a_2$ is a random integer with $a_2 < q$.
3. The homomorphic encryption system satisfying zero-knowledge proof of claim 2, wherein
the first terminal is configured to obtain the ciphertext according to the following formula:
wherein M is the data;
when i = 1, (y11, y21, y31) represents the first ciphertext; k11, k21 ∈ Z_(q-1) with gcd(k11, q-1) = 1 and gcd(k21, q-1) = 1 represent the first random number;
when i = 2, (y12, y22, y32) represents the second ciphertext; k12, k22 ∈ Z_(q-1) with gcd(k12, q-1) = 1 and gcd(k22, q-1) = 1 represent the second random number.
5. The homomorphic encryption system satisfying zero-knowledge proof of claim 3, wherein
the first terminal is further configured to commit to the data to obtain:
wherein b1, d1, b2 and d2 are the third random number; M is the data;
the first terminal is further configured to calculate t1 and t2 according to the following formula:
wherein r1, r2 and r3 are the second random number;
the first terminal is further configured to hash β1, β2, t1, t2, y21, y22 with a first hash function to obtain a hash value c1;
the first terminal is further configured to calculate s1, s2 and s3 according to the following formulas:
s2 = r2 + c1 * d1;
s3 = r3 + c1 * d2;
the first terminal is further configured to obtain the verification parameter (t1, t2, s1, s2, s3) from t1, t2, s1, s2, s3.
6. The homomorphic encryption system satisfying zero-knowledge proof of claim 5, wherein
the blockchain platform is further configured to, after receiving (y11, y21, y31), (y12, y22, y32) and (t1, t2, s1, s2, s3), hash β1, β2, t1, t2, y21, y22 with the first hash function to obtain a hash value c2;
the blockchain platform is further configured to detect, according to c2, (y11, y21, y31), (y12, y22, y32) and (t1, t2, s1, s2, s3), whether a first verification equation holds, and if the first verification equation holds, to determine that the verification is passed.
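The equality verification of claims 5 and 6, as an added example that is not the patent's own construction: the page does not reproduce the K-ElGamal and M-Pedersen formulas, so this uses standard exponential ElGamal in a constructed toy group and a Chaum-Pedersen-style Fiat-Shamir proof that the two ciphertexts carry the same plaintext; the verifier recomputes the challenge from (β1, β2, t, y21, y22) as claim 6 does and rejects a pair whose plaintexts differ. The group parameters, function names and sample messages are all constructed here.

```python
import hashlib
import secrets

# Constructed toy group, NOT the patent's (g, h, q) parameters, which the page does
# not reproduce: safe prime P, G = 4 generates the subgroup of prime order N.
P, N, G = 1019, 509, 4

def keygen():
    """Stand-in for the claim-2 key step: private a, public beta = G^a mod P."""
    a = secrets.randbelow(N - 1) + 1
    return a, pow(G, a, P)

def encrypt(beta, m):
    """Exponential ElGamal (additively homomorphic): ((G^k, G^m * beta^k), k)."""
    k = secrets.randbelow(N - 1) + 1
    return (pow(G, k, P), pow(G, m, P) * pow(beta, k, P) % P), k

def challenge(*items):
    """Fiat-Shamir challenge over (beta1, beta2, t1, t2, t3, y21, y22), in [1, N-1]."""
    digest = hashlib.sha256(",".join(map(str, items)).encode()).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1

def prove_equal(beta1, beta2, c1, c2, k1, k2):
    """First terminal: prove c1 (under beta1) and c2 (under beta2) hide the same m."""
    r1, r2 = secrets.randbelow(N), secrets.randbelow(N)
    t1, t2 = pow(G, r1, P), pow(G, r2, P)
    t3 = pow(beta1, r1, P) * pow(beta2, N - r2, P) % P       # beta1^r1 * beta2^-r2
    c = challenge(beta1, beta2, t1, t2, t3, c1[1], c2[1])
    return t1, t2, t3, (r1 + c * k1) % N, (r2 + c * k2) % N

def verify_equal(beta1, beta2, c1, c2, proof):
    """Blockchain platform: recompute the challenge and check the verification equations."""
    t1, t2, t3, s1, s2 = proof
    c = challenge(beta1, beta2, t1, t2, t3, c1[1], c2[1])
    ratio = c1[1] * pow(c2[1], P - 2, P) % P                   # y21 / y22
    return (pow(G, s1, P) == t1 * pow(c1[0], c, P) % P
            and pow(G, s2, P) == t2 * pow(c2[0], c, P) % P
            and pow(beta1, s1, P) * pow(beta2, N - s2, P) % P
                == t3 * pow(ratio, c, P) % P)

def demo(m, m_other):
    """Honest run (same m to both keys) passes; a mismatched pair must be rejected."""
    (_, beta1), (_, beta2) = keygen(), keygen()
    c1, k1 = encrypt(beta1, m)
    c2, k2 = encrypt(beta2, m)
    c2_bad, k2_bad = encrypt(beta2, m_other)
    honest = verify_equal(beta1, beta2, c1, c2, prove_equal(beta1, beta2, c1, c2, k1, k2))
    forged = verify_equal(beta1, beta2, c1, c2_bad, prove_equal(beta1, beta2, c1, c2_bad, k1, k2_bad))
    return honest, forged   # demo(42, 43) -> (True, False)
```

The rejected branch corresponds to the platform declining to record the transfer in claim 1; a real deployment would replace the toy group with a 2048-bit or elliptic-curve group of the same prime-order structure.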
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211447692.5A CN116015592A (en) | 2022-11-18 | 2022-11-18 | Homomorphic encryption system meeting zero knowledge proof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211447692.5A CN116015592A (en) | 2022-11-18 | 2022-11-18 | Homomorphic encryption system meeting zero knowledge proof |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116015592A true CN116015592A (en) | 2023-04-25 |
Family
ID=86034252
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211447692.5A Pending CN116015592A (en) | 2022-11-18 | 2022-11-18 | Homomorphic encryption system meeting zero knowledge proof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116015592A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116827555A (en) * | 2023-07-21 | 2023-09-29 | 安徽省大数据中心 | Encryption and decryption method and system for blockchain data based on ciphertext key relationship verification |
- 2022
- 2022-11-18 CN CN202211447692.5A patent/CN116015592A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
He et al. | A provably-secure cross-domain handshake scheme with symptoms-matching for mobile healthcare social network | |
Ateniese et al. | Secret handshakes with dynamic and fuzzy matching. | |
US11895231B2 (en) | Adaptive attack resistant distributed symmetric encryption | |
CN104270249B (en) | Signcryption method from a certificateless environment to an identity-based environment | |
US5796833A (en) | Public key sterilization | |
JP2008503966A (en) | Anonymous certificate for anonymous certificate presentation | |
JP2007089171A (en) | Malleable pseudonym certificate system and method | |
CN104301108B (en) | Signcryption method from an identity-based environment to a certificateless environment | |
JP2004208263A (en) | Apparatus and method of blind signature based on individual identification information employing bilinear pairing | |
US11804960B2 (en) | Distributed symmetric encryption | |
Huang et al. | Somewhat semantic secure public key encryption with filtered-equality-test in the standard model and its extension to searchable encryption | |
McCorry et al. | Authenticated key exchange over bitcoin | |
Kamil et al. | A lightweight CLAS scheme with complete aggregation for healthcare mobile crowdsensing | |
Wen et al. | Provably secure authenticated key exchange protocols for low power computing clients | |
CN116015592A (en) | Homomorphic encryption system meeting zero knowledge proof | |
Nkurunziza et al. | ECAAP‐SG: Efficient certificateless anonymous authentication protocol for SG | |
Lee et al. | Provably secure extended chaotic map-based three-party key agreement protocols using password authentication | |
Quercia et al. | Tata: Towards anonymous trusted authentication | |
CN114978622A (en) | Anonymous credential verification method and system based on block chain and zero-knowledge proof | |
Ansah et al. | Enhancing user and transaction privacy in bitcoin with unlinkable coin mixing scheme | |
Kilciauskas et al. | Authenticated key agreement protocol based on provable secure cryptographic functions | |
Gervais et al. | Certificateless authenticated key agreement for decentralized WBANs | |
CN114417419A (en) | Outsourcing cloud storage medical data aggregation method with security authorization and privacy protection | |
WO2023055371A1 (en) | Replicated secret share generation for distributed symmetric cryptography | |
Zaw et al. | User authentication in SSL handshake protocol with zero-knowledge proof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||