JP2019184995A - Blockchain network and establishment method therefor - Google Patents

Abstract

To simplify the signature handling for a block for which a consensus has been built in a blockchain network which requires signatures of a plurality of nodes to build a consensus for the adoption of a block.SOLUTION: After completion of a setup, a first node 110 sends a first message including a generated block to N nodes (S301). Each node evaluates the validity of the block on the basis of a rule for building the consensus (S302). If the block is valid, the node sends, to each node, a second message which includes a signature sbased on shared secret keys f(x) with respect to a hash value h of the block for which the consensus is to be built (S303-1). After k signatures are collected at a j-th node, the node combines these signatures to generate a signature corresponding to a public key PK (S304). A block for which a consensus is to be built has a signature SK.h appended thereto and is added to the blockchain of each node (S306).SELECTED DRAWING: Figure 3

Description

  The present invention relates to a blockchain network and a determination method therefor, and more particularly, to a blockchain network that requires signatures by a plurality of nodes for consensus building regarding the adoption of a block, and a determination method for the adoption therefor. .

  Blockchain is attracting attention as a technology that can replace the traditional mechanism of credit granting by a centralized third party. A unit of data called a “block” is given to a plurality of nodes participating in consensus building for the block, and its validity is evaluated at each node. When the predetermined condition is satisfied, each node determines that a consensus for the adoption of the block is formed from a plurality of possible blocks, and accepts the block. More specifically, the block is added to the block chain of each node. A block that is a target of consensus building is given to each node by any node.

  Here, the consensus algorithm of what procedure is used to form a consensus and what is a predetermined condition for consensus formation affects the reliability and performance of the blockchain network. Depending on the agreement algorithm, for example, the allowable number of failures (also called “benign failures”) that do not operate normally due to physical reasons such as communication conditions, power supply, etc., differs, and is defined in the agreement algorithm. The allowable number of any obstacles (also referred to as “Byzantine failures”) that do not follow the prescribed rules specified is different. As a scene where a node does not follow a predetermined rule, there are physical reasons, when there is unauthorized access to the node, and when the administrator of the node has an unauthorized intention. .

  An example of an agreement algorithm is one that requires a signature by k nodes (k is an integer satisfying 2 ≦ k ≦ N) among N nodes (N is an integer of 2 or more) participating in the agreement formation. It is done. Considering the example of N = 5 and k = 3, this means that a signature by a majority of nodes participating in consensus building is required. In order to show that consensus has been formed and that the adoption of the consensus building block has been confirmed, it is necessary to attach k or more signatures as a basis.

  However, there are many possible combinations of nodes for which the signatures by k nodes can satisfy the predetermined conditions in the agreement algorithm, depending on the values of N and k. There are aspects that complicate handling. For example, in order to verify the signature of a certain block afterwards, it is necessary to individually check whether or not a plurality of signatures attached to the block satisfy a predetermined condition.

  The present invention has been made in view of such problems, and its purpose is to establish a blockchain network that requires signatures by a plurality of nodes for consensus building regarding the adoption of a block, and to confirm the adoption for that purpose. In the method, it is to reduce the complexity of handling signatures for blocks for which an agreement has been formed.

In order to achieve such an object, according to the first aspect of the present invention, N nodes (N is an integer of 2 or more) participate in the consensus building for the adoption of a block, and k nodes (k is A key generation method for a blockchain network that requires a signature of 2 ≦ k ≦ N), where the i-th node (i is an integer satisfying 1 ≦ i ≦ N) is (1) From the step of determining the (k−1) th order polynomial f _i (x) represented by the equation and the j-th node (j is an integer satisfying 1 ≦ j ≦ N), f _j (x _i ) (x _i Is the integer given to the i-th node) and the value of a _jm · g ₁ (g ₁ is the generator of the cyclic group G ₁ ) at each m from 0 to k−1; A step of calculating SKi represented by (k−1) degree polynomial f (x) with unknown, and equation (3) Characterized in that it comprises the step of calculating a PKi represented.

  Moreover, the 2nd aspect of this invention is characterized by further including the step which receives PKj from a jth node in a 1st aspect.

  The third aspect of the present invention is characterized in that, in the first aspect, the method further includes a step of calculating PKj for the j-th node.

The fourth aspect of the present invention further includes the step of calculating f (0) · g ₁ from coordinates (x _j , PKj) relating to k nodes in the second or third aspect. And

According to a fifth aspect of the present invention, in the fourth aspect, the calculation of f (0) · g ₁ is performed using Lagrange interpolation.

Further, a sixth aspect of the present invention is characterized in that, in the fourth or fifth aspect, the step of transmitting the calculated f (0) · g ₁ as a public key PK is further included.

  According to a seventh aspect of the present invention, in the sixth aspect, the transmission includes transmission of the public key PK outside the block chain network.

Further, according to the eighth aspect of the present invention, N nodes (N is an integer of 2 or more) participate in consensus building concerning the adoption of a block, and k nodes (k is an integer satisfying 2 ≦ k ≦ N). ), The i-th node (i is an integer satisfying 1 ≦ i ≦ N) sends a block to the N nodes. From the j-th node (j is an integer satisfying 1 ≦ j ≦ N), and the hash value h of the block is an unknown (k−1) degree polynomial f (x) at a value at x = x _j A step of receiving a signature sj multiplied by a certain f (x _j ), a step of calculating f (0) · h from coordinates (xj, s _j ) relating to k nodes, and a calculated f (0) · h is added to the block as a signature corresponding to the public key. And-up, characterized in that it comprises a step for confirming the adoption of the by adding the block in which the signature is added to the block chain block. Here, G ₁ is a cyclic group in which g ₁ is a generator, G ₂ is a cyclic group in which g ₂ is a generator, G _T is a cyclic group in which g _T is a generator, and G ₁ × G ₂ can be defined is bilinear mapping e to G _T, and allows defining a hash function providing the hash value h of the block consensus target as mapping from arbitrary data to the cyclic group G _2. In addition, the i-th node can access the value of xj in each j from 1 to N, and the j-th node can access the value of f (x _j ).

  According to a ninth aspect of the present invention, in the eighth aspect, the calculation of f (0) · h is performed using Lagrange interpolation.

  Further, a tenth aspect of the present invention is the f (0) in the eighth or ninth aspect, in which it is determined whether or not the signature has k or more signatures, and the determination result is affirmative. -The calculation of h is performed.

  According to one aspect of the present invention, a signature with an unknown secret key is generated using a signature with a predetermined number k of secret key shares out of a set of N secret key shares. Can indicate that an agreement has been reached regarding the adoption of the block.

It is a figure which shows the blockchain network in the 1st Embodiment of this invention. It is a flowchart of the key generation method in the 1st Embodiment of this invention. It is a flowchart of the determination method about adoption of the block in the 2nd Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(First embodiment)
FIG. 1 shows a block chain network according to a first embodiment of the present invention. In the network 100, N is 5 as an example, and includes a first node 110, a second node 120, a third node 130, a fourth node 140, and a fifth node 150. As illustrated for the first node 110, each node includes a communication unit 111 such as a communication interface, a processing unit 112 such as a processor and a CPU, and a storage unit 113 including a storage device or a storage medium such as a memory and a hard disk. Each of the processes described below can be realized by executing a predetermined program, and the node 110 may include one or a plurality of devices or servers. One or a plurality of programs may be included, and may be recorded on a computer-readable storage medium to form a non-transitory program product. The hardware configuration of other nodes is the same. In the following description, the first node 110 will be mainly described, but the same processing can be performed in other nodes. In addition, the network 100 may include nodes that do not participate in consensus building.

  Rules for agreement algorithm and rules for setup are defined in a predetermined program, and are stored in a storage device or storage medium accessible from the storage unit 113 or the first node 110 via a network. Can do.

  A process that N nodes participating in consensus building should execute in order to make a transition from a state in which they can communicate with each other to a state in which consensus building regarding the adoption of a block can be performed is referred to as “setup”. The setup is started in response to a setup request outside or inside the network 100, and FIG. 1 shows an example in which the request is transmitted from the outside. The request can include the number k of signatures necessary for consensus building, and may be determined in advance in the rules for setup. In addition, the request may include designation of N nodes participating in the consensus building, and this designation may be determined in advance in a rule for setup.

  When the values of N and k are determined in any way and the execution of the setup process proceeds, each node has one public key assigned to all the nodes participating in the consensus building, each node participating in the consensus building N public key shares assigned to, and one private key share assigned to the node. Each node also holds N and k values or k / N values. The value of N can also be obtained from the number of public key shares.

  The secret key and the public key are in a relationship that the plaintext signed by the secret key can be verified by the public key, and the same applies to the secret key share and the corresponding public key share. Here, the “secret key share” is generated so that a signature with a secret key can be generated using a signature with a predetermined number k of secret key shares among a set of N secret key shares. One of a set of private key shares. Therefore, without knowing the secret key, a signature corresponding to the public key can be generated based on the k secret key shares, and the signature can be added to the block for which an agreement is formed. The added signature can be verified by the public key.

  1 will be further described. One public key assigned to the entire network 100 is PK (abbreviation for public key), a secret key corresponding to the public key is SK (abbreviation for secret key), and the first node. 110, the second node 120, the third node 130, the fourth node 140, and the fifth node 150 are assigned public key shares and private key shares PK1 and SK1, PK2 and SK2, PK3 and SK3, respectively. , PK4 and SK4, PK5 and SK5. After the setup, for example, the first node stores PK, PK1 to PK5, and SK1 in the storage unit 113 or a storage device or storage medium that can communicate with the node. These stored data will be accessible from the node in a later consensus building or decision process.

  Here, the public key PK is necessary for verification of the signature to be finally added, but may not be generated at the setup stage. This is because the node or device that verifies the signature only needs to have the public key PK at the time of verification, and it is not always necessary that each node of the network 100 has it at the time of initial setting.

FIG. 2 shows the flow of these key generation methods according to this embodiment. Here, as an example, consider a (k−1) th order polynomial f (x), and the value of f (x _i ) (i is an integer from 1 to N representing the i-th node, and x _i is an arbitrary integer). Is a secret key share SKi for each node.

First, the i-th node determines a (k−1) -order polynomial f _i (x) using a _im (m is an integer from 0 to k−1) as a coefficient (S201). Each node can calculate f _i (x) by selecting or generating and storing a _im according to the setup rules.

Next, the i-th node uses the generator g ₁ of the cyclic group G ₁ to transmit the value of a _im · g ₁ in each m from 0 to k−1 or a message including the value to another node ( S202). The i-th node transmits the value of f _i (x _j ) or a message including the value to the j-th node (j is an integer from 1 to N). Here, the transmission of f _i (x _j ) may be transmitted before m and a _im · g ₁ or may be transmitted at the same time.

The generation source g ₁ is stored and known in each node, or given to N nodes participating in consensus formation from any node, so that each of the N nodes is accessible and used Shall be able to. Similarly, for the value of the integer x _i that gives the secret key share f (x _i ) to the i-th node, it is assumed that each of the N nodes is accessible and can be used. For example, these values may be stored in a storage unit or a storage medium accessible from each node or each node.

Then, in the j-th node, f _i (x _j ) is added for i from 1 to N to calculate f (x _j ), that is, the secret key share SKj (S204). If the polynomial f (x) is defined as:

This is not known to any node, but by considering f (x _j ) as in the following equation, f (x _j ) A value can be calculated at each node.

Further, each node can calculate m and a _im · g ₁ at its own node and has already received those from other nodes, and therefore, SKj · g ₁ as public key share PKj according to the following equation: Can be calculated (S205).

Calculation of the public key share PKi by this equation is possible for all nodes without knowing f (x) because m, a _im · g _{1 and} x _i are known for all i.

In this way, the public key shares and private key shares pair obtained, and a hash function that gives the hash value h of the block consensus target mapping to a cyclic group G2 to the g ₂ a generator from an arbitrary data the SKJ · h multiplied by SKJ in h as the signature _{s j,} a mapping e to the cyclic group _{G T} which the _{g T} a generator from _{G 1} × _{G 2,} defines a bilinear mapping satisfies the following equation By doing so, it can be seen that the encryption method is established. Here, a and b are arbitrary integers.

That is, at the i-th node, when the hash value h and the signature s _j of the block to be agreed upon are received from the j-th node, using the public key share PKj known by the above algorithm,

Therefore, the signature s _j received from the j-th node can be verified using the known generation source g ₁ . The hash value may be calculated from the consensus formation target block in each node by defining a hash function in the setup rule.

  In the above description, it is assumed that a signature scheme is used in which the value of (k−1) degree polynomial function f (x) is defined as a secret key share, and the value obtained by multiplying the secret key share by the generator of the cyclic group is the public key share. However, different signature schemes can be adopted as long as a signature with a secret key can be generated using a signature with a predetermined number k of secret key shares out of a set of N secret key shares. In this case, instead of giving each node a set of secret key shares generated by any node in the network 100 or nodes outside the network, each secret key share can be generated in a distributed manner at each node. It is desirable that

  In the above description, the public key share PKj and the secret key share SKj in the j-th node have been described as examples. However, when the process performed there is described with the i-th node as a center, it is natural. Suppose that the subscript is changed as appropriate.

(Second Embodiment)
FIG. 3 shows a flow of a determination method for adoption of a block according to the second embodiment of the present invention. From the state where the setup is completed, the first node 110 generates a block and transmits a first message including the block to N nodes participating in the consensus building (S301). The transmitting node can also receive the block itself. Here, messages can be transmitted or received directly or indirectly between nodes, and data related to consensus building can be transmitted to other nodes constituting the network 100, and data can be received from other nodes. .

  Each node that has received the first message evaluates the validity of the block based on a consensus rule defined in the program that the node has (S302). The details of the effectiveness evaluation vary depending on whether the sender is a legitimate sending node, whether the data format of the block satisfies a predetermined format or other predetermined conditions according to the application, or whether a branch has occurred. There may be different rules depending on the node. Further, when evaluating the effectiveness, it may be necessary to send and receive messages with other nodes.

If the node is evaluated as valid, the node transmits to each node a second message having a signature s _i for the hash value h of the block to be agreed upon using the secret key share f (x _i ) accessible by the node. (S303-1). The signature can be performed by multiplying the hash value by the secret key share given to the node. The transmission destination may include its own node. If it is evaluated as invalid, the block is rejected (S303-2).

After k signatures are collected at the j-th node, the node synthesizes these signatures to generate a signature corresponding to the public key PK (S304). Specifically, each node periodically or intermittently determines whether or not the k / N condition is satisfied, and if satisfied, the received k or more than k secret key shares are received. Can be calculated as a signature SK · h with a secret key SK corresponding to the public key PK. Here, the (k−1) degree polynomial f (x) can be uniquely determined if k or more points (x _i , f (x _i )) are known, and the value of f (0) is What is considered as the value of the unknown secret key SK is used. If k points (x _i , f (x _i ) · h) are known from k signatures, the function f (x) · h is determined. The calculation of f (0) · h can be performed using Lagrange interpolation, for example.

The public key PK can be calculated from, for example, Lagrange interpolation from k or more points (x _j , PKj) = (x _j , f (x _j ) · g ₁ ). May be distributed as necessary, or generated by a node or device inside or outside the network 100 that performs signature verification based on k public key shares PKj at or before verification. May be.

  If necessary, the generated single signature SK · h is broadcast or transmitted to another node (S305). Since the effectiveness of k nodes or more has already been evaluated, it may be possible to add a block to the block chain of the node when synthesis is successful. Each node may be able to add a block in response to transmitting the combined signature to each node and receiving a predetermined number or more of the combined signatures.

  Finally, the agreement formation target block is added with the signature SK · h and added to the block chain of each node (S306). Thereby, the adoption of the block in the network 100 is confirmed.

  In the above description, it is considered that one secret key share is given to each node, but it is also conceivable that the number of shares given to one node is plural. Further, in the above description, details of the block to be evaluated for effectiveness are not mentioned, but it may include one or a plurality of transactions, or may include any one or a plurality of data. it can. The spirit of the present invention can also be applied to the evaluation of the effectiveness by a computer network having a plurality of nodes for one or a plurality of data not necessarily forming a chain.

  In addition, in the present specification, additional information is provided unless there is a description of “only”, such as “based only on XX”, “according to only XX”, and “when only XX”. Note that it is also assumed that

  Also, just in case, even if there is an aspect of performing an operation different from the operation described in this specification in any method, program, terminal, device, server, or system (hereinafter “method etc.”), each of the present invention The aspect is directed to the same operation as any of the operations described in this specification, and there is an operation different from the operation described in this specification. It is added that it is not outside the scope of the embodiment.

DESCRIPTION OF SYMBOLS 100 Network 110 1st node 111 Communication part 112 Processing part 113 Storage part 120 2nd node 130 3rd node 140 4th node 150 5th node

Claims (12)

A blockchain network in which N nodes (N is an integer equal to or greater than 2) participate in consensus building for the adoption of a block and require signatures by k nodes (k is an integer satisfying 2 ≦ k ≦ N) A key generation method for the i-th node (i is an integer satisfying 1 ≦ i ≦ N),
Determining a (k-1) degree polynomial f _i (x) represented by equation (1);
From the j-th node (j is an integer satisfying 1 ≦ j ≦ N), f _j (x _i ) (x _i is an integer given to the i-th node), and a _jm at each m from 0 to k−1 · _{g 1} value _{(g 1} is generator of a cyclic group _{G 1)} receiving a,
Calculating SKi represented by equation (2) with the (k-1) th order polynomial f (x) unknown,
(3) The method of calculating PKi represented by Formula, The method characterized by the above-mentioned.

  The method of claim 1, further comprising receiving PKj from the jth node.   The method of claim 1, further comprising calculating PKj for the jth node. The method according to claim 2 or 3, further comprising the step of calculating f (0) · g ₁ from coordinates (x _j , PKj) relating to k nodes. The method according to claim 4, wherein the calculation of f (0) · g ₁ is performed using Lagrange interpolation. In the i-th node (i is an integer satisfying 1 ≦ i ≦ N), N nodes (N is an integer of 2 or more) participate in consensus building for the adoption of the block, and k nodes (k is 2). ≦ k ≦ N, which is a program for executing a key generation method for a blockchain network that requires a signature, wherein the i-th node includes:
Determining a (k-1) degree polynomial f _i (x) represented by equation (1);
From the j-th node (j is an integer satisfying 1 ≦ j ≦ N), f _j (x _i ) (x _i is an integer given to the i-th node), and a _jm at each m from 0 to k−1 · _{g 1} value _{(g 1} is generator of the cyclic group _{G 1)} receiving a,
Calculating SKi represented by equation (2) with the (k-1) th order polynomial f (x) unknown,
(3) The program characterized by including the step which calculates PKi represented by Formula.

A blockchain network in which N nodes (N is an integer equal to or greater than 2) participate in consensus building for the adoption of a block and require signatures by k nodes (k is an integer satisfying 2 ≦ k ≦ N) I (where i is an integer satisfying 1 ≦ i ≦ N),
(K-1) order polynomial f _i (x) represented by equation (1) is determined,
From the j-th node (j is an integer satisfying 1 ≦ j ≦ N), f _j (x _i ) (x _i is an integer given to the i-th node), and a _jm at each m from 0 to k−1 · _{g 1} value _{(g 1} is generator of the cyclic group _{G 1)} receives,
SKi represented by the equation (2) is calculated while the (k-1) th order polynomial f (x) is unknown,
(3) A node characterized by calculating PKi represented by the equation.

A blockchain network in which N nodes (N is an integer equal to or greater than 2) participate in consensus building for the adoption of a block and require signatures by k nodes (k is an integer satisfying 2 ≦ k ≦ N) Wherein the i th node (i is an integer satisfying 1 ≦ i ≦ N) is
Transmitting a block to the N nodes;
From the j-th node (j is an integer satisfying 1 ≦ j ≦ N), f (x−1) is a value at x = x _j of an unknown (k−1) -degree polynomial f (x) in the hash value h of the block receiving a signature sj multiplied by _j );
calculating f (0) · h from coordinates (xj, s _j ) for k nodes;
Adding the calculated f (0) · h to the block as a signature corresponding to the public key;
Adding the block with the signature to a block chain to confirm the acceptance of the block.
Here, G ₁ is a cyclic group in which g ₁ is a generator, G ₂ is a cyclic group in which g ₂ is a generator, G _T is a cyclic group in which g _T is a generator, and G ₁ × G ₂ can be defined is bilinear mapping e to G _T, and allows defining a hash function providing the hash value h of the block consensus target as mapping from arbitrary data to the cyclic group G _2. In addition, the i-th node can access the value of xj in each j from 1 to N, and the j-th node can access the value of f (x _j ).   The method according to claim 8, wherein the calculation of f (0) · h is performed using Lagrange interpolation.   10. The calculation according to claim 8, wherein a determination is made as to whether or not the signature has k or more signatures, and if the determination result is affirmative, the calculation of f (0) · h is performed. Method. In the i-th node (i is an integer satisfying 1 ≦ i ≦ N), N nodes (N is an integer of 2 or more) participate in consensus building for the adoption of the block, and k nodes (k is 2). An integer satisfying ≦ k ≦ N) for executing the method of determining the adoption for a blockchain network that requires a signature according to the i-th node,
Transmitting a block to the N nodes;
From the j-th node (j is an integer satisfying 1 ≦ j ≦ N), f (x−1) is a value at x = x _j of an unknown (k−1) -degree polynomial f (x) in the hash value h of the block receiving a signature sj multiplied by _j );
calculating f (0) · h from coordinates (xj, s _j ) for k nodes;
Adding the calculated f (0) · h to the block as a signature corresponding to the public key;
Adding the block to which the signature has been added to a block chain to confirm the adoption of the block.
Here, G ₁ is a cyclic group in which g ₁ is a generator, G ₂ is a cyclic group in which g ₂ is a generator, G _T is a cyclic group in which g _T is a generator, and G ₁ × G ₂ can be defined is bilinear mapping e to G _T, and allows defining a hash function providing the hash value h of the block consensus target as mapping from arbitrary data to the cyclic group G _2. In addition, the i-th node can access the value of xj in each j from 1 to N, and the j-th node can access the value of f (x _j ). A blockchain network in which N nodes (N is an integer equal to or greater than 2) participate in consensus building for the adoption of a block and require signatures by k nodes (k is an integer satisfying 2 ≦ k ≦ N) I (where i is an integer satisfying 1 ≦ i ≦ N),
Send a block to the N nodes;
From the j-th node (j is an integer satisfying 1 ≦ j ≦ N), f (x−1) is a value at x = x _j of an unknown (k−1) -degree polynomial f (x) in the hash value h of the block _j ) received the signature sj multiplied by
f (0) · h is calculated from coordinates (xj, s _j ) relating to k nodes, and the calculated f (0) · h is added to the block as a signature corresponding to the public key;
A node that adds the block to which the signature has been added to a block chain to confirm the adoption of the block.
Here, G ₁ is a cyclic group in which g ₁ is a generator, G ₂ is a cyclic group in which g ₂ is a generator, G _T is a cyclic group in which g _T is a generator, and G ₁ × G ₂ can be defined is bilinear mapping e to G _T, and allows defining a hash function providing the hash value h of the block consensus target as mapping from arbitrary data to the cyclic group G _2. In addition, the i-th node can access the value of xj in each j from 1 to N, and the j-th node can access the value of f (x _j ).

Images