JPWO2019180588A5 - - Google Patents

Description

This specification relates generally to computer-implemented methods and systems suitable for implementation on a computer processor, eg, a node of a blockchain network, or a group of such processors. Improved methods are provided for generating proofs that enable efficient zero-knowledge verification of statements. The method is suitable for incorporation into existing discrete logarithm-based zero-knowledge proof protocols for circuit satisfiability that do not require the use of bilinear pairing-friendly elliptic curves. The present invention is particularly, but not exclusively, a method performed by a prover to create a proof, and a method performed by a verifier to verify the proof, and a method between two or more participants. Suitable for collaborative work. To achieve secure, trustless exchanges between participants, one of the parties can prove knowledge of a key or statement without revealing the statement.

In this document, the term 'blockchain' includes all forms of electronic, computer-based, distributed ledgers. These include consensus-based blockchain and transaction chain technologies, permissioned and permissionless ledgers, shared ledgers, and variants thereof. The most widely known use of blockchain technology is the Bitcoin ledger, but other blockchain implementations have been proposed and developed.

Here, for convenience and explanation, reference may be made to Bitcoin, but it should be noted that the present invention is not limited to use with the Bitcoin blockchain, but rather alternative blockchain implementations and protocols. are also within the scope of the present invention. The term "user" here refers to a human or processor-based resource. A blockchain is a peer-to-peer electronic ledger implemented as a computer-based, decentralized, distributed system composed of blocks of transactions.

Each transaction is a data structure that encodes the transfer of control of digital assets between participants in a blockchain system and includes at least one input and at least one output. Each block contains the hash of the predecessor block it chains together, creating a permanent, immutable record of all transactions written to the blockchain before its start. Transactions contain small programs known as scripts embedded in their inputs and outputs that specify how and by whom the outputs of the transaction can be accessed. On the Bitcoin platform, these scripts are written using a stack-based scripting language.

In addition, this document references the construction of known zero-knowledge proof protocols and systems that use arithmetic circuits. Blockchain is a decentralized permission enabling solution to the problem of fair dealing between two mutually distrustful parties without the need for third party arbitration or escrow. provided a global mechanism without The fair exchange of data or information for monetary rewards or in exchange for information such as digital goods is specified in a transaction protocol known as ZKCP (Zero-Knowledge Contingent Payments) [2]. has been made In ZKCP, the specified data is transferred from the seller to the buyer only when the payment is confirmed, and the payment from the buyer to the seller is completed only when this specified data is valid according to the terms of the sale. be. The details of such a protocol are known [1], but it is basically based on a combination of hash-time-locked contracts (HTLC) and zero-knowledge proofs, This is the data that the encrypted information ('digital goods') must be valid/accurate and the 'password' to decrypt this information must be revealed on the blockchain in order to claim the payment. It verifies something at the same time.

A central component of the ZKCP protocol is zero-knowledge proof against a set of dependent statements about data/information validity or accuracy, key validity, and corresponding hash values. Such complex compound statements require an efficient zero-knowledge proof system for general computation, and ultimately this means that one party can run arbitrary programs with secret inputs, It then allows other parties to prove that the program validated the input and ran correctly without revealing any information about the secret input or execution of the program. In the known ZKCP example, the universal zero-knowledge proof system employed is a concise, non-interactive demonstration of knowledge, as implemented in the Pinocchio protocol [3] and the C++ libsnark library [4]. (succinct non-interactive arguments of knowledge; SNARK) framework.

Zero-knowledge SNARK (zkSNARK) provides a zero-knowledge way to prove the validity of any computation that can be expressed as an arithmetic circuit. The two main distinguishing properties of zkSNARK are that they are non-interactive (the prover sends the proof to the verifier in one move) and concise (the proof is small and easy to verify). That is. However, they have considerable limitations:
- Proof generation is very computationally demanding.
- The proof key is very large and proportional to the circuit size.
- They rely on strong, untested cryptographic assumptions (ie, knowledge of exponent assumptions and pairing-based assumptions).
- For a given program (circuit) they require a common reference string (CRS) to be computed by a third party that must be trusted to remove configuration parameters. do. Anyone with knowledge of the configuration parameters has the ability to create false proofs.

Construction of zkSNARK proving statements involving arbitrary cryptographic elliptic curve key manipulations has not been attempted to date, but hypothetically could consist of arithmetic circuits with hundreds of thousands or millions of gates. would result in proof generation times of several minutes and proof keys of hundreds of megabytes in size.

Technical Background A basic system for interactive zero-knowledge proofing can use the Σ (sigma) protocol with several communication steps between the prover and the verifier. Usually, the Σ protocol requires three moves (three moves), i.e., the prover sends an initial commitment (a) to the verifier, then the verifier responds with a random challenge (x), and finally the prover responds with a final response, namely 'opening' (z). The verifier then accepts or rejects the statement based on the transcript (a,x,z).

The Σ protocol can be used to prove knowledge of or statements about evidence (w) that are known only to the prover. The protocol is zero-knowledge if the commitment reveals no information or secret about the evidence to the verifier except for the fact that the statement about the evidence is true [5].

Central to many interactive zero-knowledge protocols is the commitment scheme that is used for the satisfiability of arithmetic circuits. A commitment allows a prover to commit to a secret value in advance and then verifiably reveal (open) the secret value. Commitment schemes have two main properties. First, it is hidden and commitment keeps the value secret. Second, it's tied and a commitment can only be opened to the original committed value. The Pedersen commitment [5] scheme includes two elliptic curve generating points, G and F, in the group G of prime order p known to all parties. A committer generates a secure random number r in a field of prime integer Z _p and commits to a secret value s:
Com(s,r)=s*G+r*F
(by elliptic curve addition/multiplication), where x represents elliptic curve point multiplication.

The committer can fully open the commitment (ie it can be verified) at a later stage by providing the values s and r. A committer can also open a commitment in response to a specific challenge value as part of the Σ protocol without revealing the secret s or the random number r.

The Pedersen commitment is additively homomorphic, i.e. adding two commitments (on an elliptic curve) yields a commitment to the sum of the committed values, i.e.:
( _s1 *G+ _r1 *F)+( _s2 *G+ _r2 *F)=( _s1 + _s2 )*G+( _r1 + _r2 )*F
is.

Arithmetic circuit satisfiability proof can be achieved with 'zero knowledge'. The arithmetic circuit (on the field Z _p ) is a virtual composition of arithmetic gates connected by wires (forming a directed acyclic graph), which is capable of performing arbitrarily complex calculations, Computations must be limited to integer arithmetic and must not have data dependent loops or variable state.

Each gate has two input wires and one output wire and performs a multiply (x) or add (+) operation on the inputs. FIG. 1(a) shows a schematic diagram of a multiplication gate with left (w _L ) and right (w _R ) wire inputs and one wire output (w _O ); , shows a schematic diagram of a simple arithmetic circuit with three input wires ( _w1 , _w2 , _w3 ), one output wire ( _w6 ), and two internal wires ( _w4 , _w5 ). .

In practice, a complete circuit has free input wires and free output wires that define external (circuit) input and output values. A legal assignment defines the values of the wires as satisfying the circuit, i.e. each wire is assigned a value and the output of each gate corresponds exactly to the product or sum of the inputs. (i.e. the gate is consistent).

For a given arithmetic circuit, the prover first commits to each wire value in a legal assignment (using the Pedersen commitment) and then, with the wire value as evidence , the circuit Prove to the verifier that you know the legal assignments to the circuit without revealing the wire values by running a special Σ protocol that has a verifier for each gate in can be done. These Σ protocols exploit the isomorphism of Pedersen commitments, as described below.

To generate a proof (that the circuit is satisfied), the prover first makes a commitment for each wire w _i (where n is the number of wires, i=1,...,n) in the circuit:
W _i =Com(w _i , r _i )
, and send these to the verifier.

A Σ _zero protocol is run for each 'summing' gate in the circuit (one shown in FIG. 1(b)), which ensures that w _L +w _R −w _O =0 (i.e. It involves proving (with zero knowledge) that w _L and w _R are equal to the output wire w _O and that the summation gate is satisfied). This includes the following steps, namely:
1. The prover generates a commitment to zero: B=Com(0, r _B ) and sends it to the verifier.
2. The verifier responds with a random challenge value: x← _Zp .
3. The prover then calculates the opening value: z=x(r _L +r _R −r _O )+r _B and sends it to the verifier.
4. A verifier proves Com(0,z)=x×(W _L +W _R −W _O )+B as a proof that w _L +w _R −w _O =0.
B represents a curve point similar to the public key; B=r*F+0*G
r _B represents the private key of the corresponding pair.

A Σ _prod protocol is run for each 'multiplication' gate (shown in FIG. 1(a)), which ensures that w _L ·w _R =w _O for each multiplication gate (i.e. multiplication gate is satisfied).
1. A prover generates five random binding values: t ₁ , t ₂ , t ₃ , t ₄ , t ₅ <-Z _p .
2. Prover computes _C1 =Com( _t1 , _t3 ), _C2 =Com( _t2 , _t5 ), _C3 = _t1 * _WR + _t4 *F and sends them to verifier .
3. The verifier responds with a random challenge value: x← _Zp .
4. Values that the prover can open:
_e1 = _wLx + _t1
e2 = _wRx + _t2
z1 = _rLx + _t3
z2 = _rRx + _t5
z ₃ = (r _O −w _L r _R )x+t ₄
and send these to the verifier.
5. Then, as a proof that the verifier has w _L ·w _R =w _O , the following equation:
Com( _e1 , _z1 )=x× _WL + _C1
Com(e ₂ , z ₂ )=x×W _R +C ₂
e ₁ ×W _R +z ₃ ×F=x× _WO +C ₃
to inspect.

The Σ _zero and Σ _prod protocols can be run in parallel for verification of each gate in the circuit and can use the same verification challenge value (x) for all gates.

As an example, consider the circuit of FIG. 1(b). first verifies the wire commitments (W ₁ , _. send to person

The verifier then responds with a random challenge x←Z _p , and the prover computes the values that each gate opens (one for each addition and five for each multiplication) and sends them back to the verifier. Then, the verifier executes the Σ protocol check,
_w1 · _w2 = _w4
w4 · _w5 = _w6
w2 + _w3 = _w5
, thus verifying that the commitments W ₁ , . . . , W ₆ correspond to satisfying the wire values _{w 1} , .

If provers wish to show that a particular wire has a particular value in addition to satisfying the circuit, they can be completely open to commitments to the associated wires. In this example, the verifier can also send the values w ₆ and r ₆ to the verifier to indicate that w ₆ is the actual output from a particular legal assignment (and the verifier can verify that W ₆ =Com(w ₆ ,r ₆ )).

The example of FIG. 1(b) is a simple circuit. In practice, useful circuits consist of many more gates. Of particular interest are arithmetic circuits for SHA-256 hash functions, where the prover knows a preimage (input) to the SHA-256 function that hashes to a particular (output) value. without revealing the pre-image. One of the most efficient circuit implementations for the SHA-256 algorithm consists of 27,904 arithmetic gates (Zcash2016). Proving knowledge of the SHA-256 pre-image would then require sending about 5MB of data in both the initial commitment and opening rounds of the above protocol, leaving the prover and verifier It requires about 200,000 elliptic curve operations for both (each taking several seconds of processor time).

There are several methods developed to significantly improve the performance of the parallel Σ protocol approach for proving arithmetic circuit satisfiability. Known approaches (NPL 5, NPL 6) use circuit wire It involves batching a commitment to value. These methods enable proof systems whose communication complexity is reduced from O(n) to O(√n) or O(log(n)).

Also in comparison to proving the satisfiability of the same SHA circuit, the protocol [5] has a proof key size of only 5 KB and a key generation time of 180 ms. The proof size is 24 KB and takes about 4 seconds to generate and the proof also takes about 4 seconds to verify.

を計算し、それを検証者に送信する。 These methods will not be fully described here, except that the main vector batching protocol employed will be described in the following steps. This follows the same properties as a regular Pedersen commitment, but a commitment to n elements (m=m ₁ , . . . , m _n ) only requires sending a single group element:
1. The prover and verifier agree on the group element F←G.
2. A prover generates n random numbers x ₁ , . . . , x _n ←Z _p .
3. The prover computes the points K _i =x _i ×F(for i=1, . . . , n). These values form the proof key PrK that is sent to the verifier.
4. The prover generates a random number: r← _Zp .
5. Prover's Commitment:

and send it to the verifier.

Campanelli, Matteo, et al. "Zero-knowledge contingent payments revisited: Attacks and payments for services." Commun. ACM (2017). https://github.com/zcash-hackworks/pay-to-sudoku Parno, Bryan, et al. "Pinocchio: Nearly practical verifiable computation." Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013. https://github.com/scipr-lab/libsnark Bootle, Jonathan, et al. "Efficient zero-knowledge proof systems." Foundations of Security Analysis and Design VIII. Springer, Cham, 2015. 1-31. Groth, Jens. "Linear Algebra with Sub-linear Zero-Knowledge Arguments." CRYPTO. Vol. 5677. 2009. https://bitcointalk.org/index.php?topic=81865.msg901491#msg901491 Bootle, Jonathan, et al. "Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Berlin, Heidelberg, 2016. Standards for Efficient Cryptography (SEC) (Certicom Research, http://www.secg.org/sec2-v2.pd Bitcoin Developer Reference (http://bitcoin.org/en/developer-reference)

Overall, the present invention resides in a computer-implemented method for enabling zero-knowledge proof or verification of statements. A prover can use the methods herein to prove to a verifier that a statement is true while keeping the evidence for the statement confidential. These statements are compound statements that simultaneously require both arithmetic circuit satisfiability and a subordinate statement of public key validity (key statement proof).

The methods herein can be used in known protocols for circuit satisfiability, such as existing discrete logarithm-based zero-knowledge proof protocols. The method is particularly suitable for protocols that do not require the use of bilinear pairing friendly elliptic curves.

The method includes the prover sending to the verifier a set of data comprising statements relating to given function circuit outputs and elliptic curve points, the function circuit inputs being the corresponding elliptic curve points Equal to the multiplier (s). The data includes individual wire commitments and/or batched commitments, inputs, and outputs for the circuit of the statement. The prover may include in the data, or have previously shared, the elliptic curves or specifications of each elliptic curve used in the statement. The prover then sends the opening in response to a challenge from the verifier. Alternatively, the prover also includes a proof key.

Using the data received from the prover, the verifier can determine that the circuit is satisfied and verify the statement, thus determining that the prover holds evidence for the statement. Elliptic curve points can also be calculated. Upon receiving the data, the verifier determines through computation that the data fits the statement. The invention is particularly suitable for zero-knowledge proof of equivalence of hash preimages and elliptic curve private keys.

Thus, according to the present invention there is provided a method and system as defined in the appended claims.

It thus allows zero-knowledge proof or verification of a statement (S), where the prover proves to the verifier that the statement is true while keeping the evidence (W) for that statement secret. It would be desirable to provide a computer-implemented method for This proof can be an explicit proof.

Allows zero-knowledge proof or verification of a statement (S) where the prover proves to the verifier that the statement is true while keeping the evidence (w) for that statement secret A computer-implemented method for
Prover to Verifier:
A function circuit is implemented such that, for a given function circuit output (h) and elliptic curve point (P), the function circuit input (s) to the wires of the function circuit is the corresponding elliptic curve point multiplier (s). a statement (S) represented by an arithmetic circuit having m gates and n wires configured to determine equality;
individual wire commitments and/or batched commitments for the wires of the circuit;
function circuit output (h);
a certification key (PrK);
including sending
This allows the verifier to determine that the circuit is satisfied, compute the elliptic curve point (P), and verify the statement, thus proving that the prover holds evidence (w) for the statement. allow you to decide.

The method involves a prover sending a set of data (a set of data) to a verifier. A set of data implements a function circuit such that for a given function circuit output (h) and elliptic curve point (P), the function circuit input (s) to the function circuit or to a wire within the function circuit is It contains a statement with an arithmetic circuit with m gates and n wires configured to determine if it is equal to the corresponding elliptic curve point multiplier (s). A function circuit may be a circuit that implements the functionality of a hash function. A preimage for a hash function circuit or for a wire within a function circuit can be equal to the corresponding elliptic curve point multiplier .

The data also includes individual wire commitments and/or batched commitments. The or each commitment can be wire inputs and outputs (which are encrypted) on the gates of the circuit. Data also includes inputs. The inputs act as key openings for the wires of the arithmetic circuit [elliptic curve point (P)]. Either the prover or the verifier can name the wires. The input or key opening may be for the first wire in the circuit. The data also includes function circuit outputs. The data can contain the elliptic curve or a specification for each elliptic curve used in the statement.

After sending the data, the prover receives a challenge value from the verifier and responds with an opening. The opening can be a value statement according to the Σ (sigma) protocol. An opening value may be for each gate in the circuit that allows the verifier to determine the statement to be true and compute the elliptic curve point.

As an alternative to waiting for a challenge, the prover may also send the proof key to the verifier. A certification key may be generated from data that is part of the proof. A proof key may be a hash of one or more of the random numbers used for proofing.

The data sent to the verifier allows the verifier to determine that the circuit is satisfied, compute the elliptic curve points, verify the statement, and thus that the prover holds evidence for the statement. make it possible to

The set of data sent to the verifier and/or the opening to the challenge sent to the verifier can act like a key that is created independently of the verifier. A challenge from the verifier is akin to determining the identity of the prover and the integrity of the key.

An input or key opening may be to the first wire in the arithmetic circuit. However, proving knowledge of the intermediate wires is more difficult than proving knowledge of the initial wires, so a random wire is preferably chosen. Moreover, choosing a random wire other than the first wire is more robust and prevents discovery of proofs or evidence by malicious third parties.

A verifier enables zero-knowledge proof or verification of a statement that verifies that the statement is true without knowing the evidence (w) for the statement by analyzing the data received from the prover. It would be equally desirable to provide a complementary computer-implemented method for For clarity, the method of the present invention extends to the reverse action taken by the verifier in a plug-and-socket manner. The invention extends to full collaboration between provers and verifiers.

The prover may, in addition to or instead of waiting for the challenge value, send the verifier a random value that allows the verifier to determine the statement to be true and compute the elliptic curve points. . Upon receiving data from the prover, the verifier may instead receive a random value that allows the verifier to determine the statement to be true and compute the elliptic curve points. The random value may be a function of at least one commitment. This function can be a hash function.

Random values or challenges can be substituted to improve the convenience and efficiency of the process. There are also risks associated with verifiers generating non-random challenges in an attempt to extract information about the evidence . Moreover, replacing the challenge value with a random value provided by the Prover transforms the method from interactive to non-interactive. Provers can generate proofs offline that can be independently and publicly verified. A random value may be the output from a hash function. Using the output from a hash of one or more commitments instead of a random value (x) takes advantage of the Fiat-Shamir principle.

A random value may be computed by hashing the concatenation of all commitments generated by the prover and sent to the verifier.

A commitment may be W _i =Com(w _i , r _i ),
Com is a commitment to functional circuits,
w _i is the wire value,
r _i is a random number, i.e. it is different for each wire commitment,
i is the wire type,
Com(w, r)=w×G+r×F,
F and G are elliptic curve points.

The input for wire l in the arithmetic circuit can be ko=r _l ×F,
ko is the key opening input,
r _l is a random number,
F is a point on the elliptic curve.

The wire can be the first wire in the circuit.

A verifier can confirm that the circuit is satisfied by elliptic curve point subtraction:
pk _l = Com(w _l , r _l )−ko _l
We can compute the public key for wire l via

The prover may send a batch of wire commitments and generate random numbers for computing elliptic curve points for each wire to form a proof key.

とすることができ、
ｒは、証明者によって生成された乱数であり、
証明者は、ワイヤ値ｗ_ｉ（ｆｏｒ ｉ＝１，…，ｎ）のベクトルｗへのコミットメントを計算し、
ｗ_ｎは、キーオープンされるものであり、
Ｋ_ｉは、計算された楕円曲線点であり、
ｗ_ｉはワイヤ値であり、
Ｆは楕円曲線上の点である。 A batched commitment on evidence is

and can be
r is a random number generated by the prover,
The prover computes the commitment of the wire values w _i (for i=1,...,n) to the vector w,
w _n is what is key-opened,
K _i is the calculated elliptic curve point,
w _i is the wire value,
F is a point on the elliptic curve.

であり、
ｋｏ_ｎはキーオープニング入力であり、
ｒは乱数であり、
Ｆは楕円曲線上の点である。 The input for wire n in the arithmetic circuit is

and
_kon is the key opening input,
r is a random number,
F is a point on the elliptic curve.

The input may be for the first wire.

を介して、キーステートメントワイヤの公開鍵オープニングを計算し得る。 The verifier uses elliptic curve arithmetic:

can compute the public key opening of the key statement wire via

The prover may also send a fully open commitment to at least one wire. The method may use the Pedersen commitment. A statement can only use one arithmetic circuit for a function circuit. The function circuit may implement a hash function, preferably a SHA-256 hash function.

The method can be used by a prover to enable zero-knowledge-bearing transactions (which can be zero-knowledge-bearing transactions) on data such as cryptographic keys, where the prover can (which may be a vanity address) and the data received (which may be a payment in the form of UTXO) and a communication channel with the verifier (which may be open). ), and the prover receives from the verifier a verifier-generated elliptic curve public key pk _B from a secure random private key skB, where pk _V =sk _V ×G, where G is an elliptic curve is a point,
The prover protects the provided data with a lock value i such that data=pk _V +i×G.

The prover may be performing a search for the required pattern in Base58 encoded addresses obtained by varying i. The prover sends to the verifier their public key, pk _P =i×G, and the output f(i) from the function circuit whose input (e.g., preimage) is the lock value i. .

The prover can send the verifier a statement proof proving to the verifier that the input to the function circuit is the private key corresponding to pk _P , so that the verifier verifies the proof and pk = pk _V + pk _P , knowing the lock value i allows derivation of the perfect secret key for the data by checking that the address corresponding to p k V + pk P matches the agreed pattern, and that the lock value i is the function circuit input to the function circuit.

A prover may receive a transaction Tx ₁ containing an output containing the received data that can be accessed by a signature from the prover and a function circuit input. The transaction may be a hash time lock function. Data received may provide access to UTXO.

A prover can sign the transaction and broadcast the transaction on the blockchain, which is mined into a block to provide a signature and value i to unlock the transaction. Providing transaction Tx ₂ allows the prover to access the data from the output of transaction Tx ₁ , and the transaction is revealed on the blockchain, thus allowing the verifier to lock identifying the value i to allow access to data provided by the prover;
sk=sk _B +i, and
pk=sk×G.

Data provided by the Prover may include a vanity address. Data received from verifiers may include cryptocurrency payments (eg, UTXO).

Transactions can be completely atomic and trustless, with buyers only getting paid if they provide a valid value i, which is publicly revealed on the blockchain. By splitting the private key, the value exposed on the blockchain is of no use to anyone else and does not compromise the security of the perfect private key.

A computer-implemented method may involve a prover performing a trustless fair exchange of data (without a centralized exchange by a third party) with a verifier. This can be described as a cross-chain atomic swap or atomic trade. This is because in this context we refer to fair interchangeability, where either both parties complete the transaction or neither party completes it. This swap can be performed between blockchains that support scripting functionality that enables hashed time-locked contracts.

A prover has access to first data, such as UTXO of 1 bitcoin on a first blockchain, and a verifier has access to a second data, such as 100 LTC, on a second blockchain. and the prover and verifier agree to exchange data. The method involves the prover generating a key pair for the second blockchain, transmitting the public key to the verifier, and holding the private key; Upon receiving the key, the verifier generates a key pair for the first blockchain and holds a private key (s _B ), and the prover makes a statement, one or more commitments, an input or sending the key opening and function circuit output (h) and the elliptic curve specification.

A prover can create a first blockchain transaction Tx _A that sends first data to a common public key address, and broadcasts the transaction on the first blockchain network to the address is determined by the sum of the input and the verifier public key. This data can be accessed by the Prover after no swap has been performed within 24 hours.

The prover can verify a second blockchain transaction Tx _B , which was created by the verifier after confirming that the first blockchain contains the first blockchain transaction Tx _A. and broadcast on a second blockchain network, the transaction sending second data in the form of 100 LTC to a prover public key address, the prover public key address being a valid signature, and the values that are the function circuit inputs that determine the function circuit output. This data can be accessed by the verifier after no swap has been performed within 24 hours.

The prover confirms that the second blockchain transaction Tx _B is contained on the second blockchain, and by providing a signature and said value which is the function circuit input of the function circuit output, the second so that the verifier observes the above values, which are the function circuit inputs that determine the function circuit output, and the secret (of P _C which is s _B +s from the elliptic curve point multiplication isomorphism) Providing a signature with the key allows access to the first data.

The data to be exchanged can be cryptocurrencies, the first data corresponding to a first cryptocurrency amount, preferably Bitcoin, and the second data, preferably Litecoin. Litecoin) corresponds to the amount of the second cryptocurrency.

As noted above, every action by the Prover requires a reverse action by the Verifier to verify the proof. The invention extends to methods or actions performed by a verifier. Thus, a zero-knowledge proof or verification of a statement is one in which the prover proves to the verifier that the statement is true, preferably explicitly, while keeping the evidence for that statement confidential. A computer-implemented method is provided for enabling a verifier to: implement a function circuit, preferably a hash function, of a given function circuit, and preferably a specified for the output of the function circuit and the elliptic curve point with m gates and n wires configured to determine if the function circuit input or preimage to the function circuit is equal to the elliptic curve point multiplier A statement with an arithmetic circuit that has: The verifier also identifies individual wire commitments and/or batched commitments that are encrypted wire inputs and outputs for the wires of the circuit and the wires in the arithmetic circuit (preferably wires other than the first wire). ) and the function circuit output (h). The verifier may also receive the elliptic curve or a specification for each elliptic curve used in the statement. The verifier can send the challenge value to the prover and then receive the opening. The opening may follow the Σ protocol and may contain a value for each gate in the circuit that allows the verifier to determine the statement to be true and compute the elliptic curve point. . Additionally or alternatively, the verifier may receive a certification key from the prover.

The verifier then determines that the circuit is satisfied, computes the elliptic curve points (P), and thus determines that the prover holds evidence (w) for the statement.

This implies that the prover knows the values for each gate of the statement circuit using the Sigma protocol if the proof is interactive, or if the Fiat-Shamir heuristic is used. This can be achieved by proving with zero knowledge using the key. The verifier can receive Σ_zero and Σ_prod commitments for each gate from the prover, respond with challenge values, receive opening values from the prover, and check the commitments. A verifier can confirm that the circuit is satisfied by computing the public key for wire l via elliptic curve point subtraction. A verifier may verify that each public key for each wire matches the key(s) specified in the statement. The verifier can determine that the fully opened wire matches the specifiable values in the statement to complete the verification.

It is also desirable to provide a computer-readable storage medium having computer-executable instructions that, when executed, by a prover, by a verifier, or by a prover and a verifier working together. configure the processor to perform the method performed by

It is also desirable to provide an electronic device having an interface device, one or more processors coupled to the interface device, and a memory coupled to the one or more processors, the memory storing computer executable instructions. and the computer-executable instructions, when executed, configure the one or more processors to perform the methods claimed herein. It would also be desirable to provide a node of a blockchain network configured to perform the claimed method. It would also be desirable to provide a blockchain network with such nodes.

Aspects of the invention will be elucidated and apparent with reference to the embodiments described herein. Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, including: FIG.
Figures 1(a) and (b) are the diagrams used in the Technical Background section above to describe the basic system for interactive zero-knowledge proofs: Figure 1(a), left and right wire inputs and 1 1(b) is a schematic diagram of a multiplication gate with three wire outputs and FIG. 1(b) is a schematic diagram of an arithmetic circuit with three gates, three input wires, one output wire and two internal wires. FIG. 2 is a schematic diagram of a complex circuit for statements, including arithmetic circuits for hash functions and elliptic curve multiplication; 2 is an alternative schematic diagram of arithmetic circuits for the compound statement of FIG. 1, where only one arithmetic circuit is required; FIG. Fig. 4 is a schematic diagram of an arithmetic circuit with 4 gates and 5 wires, the wires having their public key, which is revealed or opened from the wire commitment with the key opening value; have a public key. Schematic representation of the data exchanged between the prover and verifier for the proof of a statement S that has a circuit description and whose first wire has the corresponding public key. Fig. 4 is another schematic representation of the data exchanged between the prover and verifier; 5 is a schematic diagram of checks performed by a verifier to verify that the circuit of FIG. 4 is satisfied, that the input wire has the required public key, and that the hash of the output wire has the required value; FIG.

Overview The present invention enables efficient zero-knowledge verification of compound statements that simultaneously require both arithmetic circuit satisfiability and a dependent statement of public key validity (key statement proof). Public-key elliptic curve specifications are employed within isomorphic commitment functions to prove circuit satisfiability. This allows certification of public key statements corresponding to private keys used as circuit inputs and/or outputs in an efficient manner.

The proof size and computational cost of generating proofs for statements containing both circuit satisfiability and elliptic curve key pairs can be greatly reduced. Our method can be easily incorporated into existing discrete logarithm-based zero-knowledge proof protocols for circuit satisfiability, which do not require the use of bilinear pairing-friendly elliptic curves. The method is fully compatible with the Bitcoin secp256k1 standard.

Two applications are described that relate to fair exchange transactions between two parties on a blockchain, such as the Bitcoin blockchain. The first involves zero-knowledge-bearing payments for trustless sales of outsourced vanity addresses, which require zero-knowledge proof of equality between SHA256 hash preimages and elliptic curve (e.g., Bitcoin) private keys. and The second involves improving the security of cross-chain atomic swaps, where the SHA256 hash preimage multiplies the unknown private key (with the provided public key) by the provided nonce. require proof of equality.

General Solution This invention relates to a method that enables the proof of a particular class of compound statements involving relationships with elliptic curve public/private key pairs (based on elliptic curve point multiplication).

It is considered impractical to use zkSNARK to prove statements involving arbitrary cryptographic elliptic-curve key operations, so the method does not conform to the "isomorphism" used to construct proofs on general circuit satisfiability. using information about the elliptic curve public key that is extracted directly from the "homomorphic hiding" (or commitment scheme). The specific type of elliptic curve involved in the method statement is the same as that used in the circuit commitment scheme.

However, the SNARK method requires a pairing operation and therefore a special bilinear pairing friendly elliptic curve. This makes the use of zk-SNARK impossible as the elliptic curves used on some blockchains are not compatible with bilinear pairing friendly elliptic curves.

As an example, statements relating to Bitcoin public keys use the Bitcoin secp256k1 curve, which is incompatible.

Thus, the method of the present invention is compatible with other protocols for proving arithmetic circuit satisfiability that do not rely on pairings and have fewer cryptographic assumptions. Overall, the method of the present invention is more efficient than zkSNARKS. This is because fewer computations are required, resulting in smaller proof sizes for trustless exchange applications.

As an example, the schematic diagram of FIG. 2, which represents a composite circuit for "statement 1" below, includes subcircuits for both hash functions and elliptic curve multiplication. In FIG. 2, the schematic is a private key 's' and its corresponding paired public key 'P' and the value 'h' (which is the hash of the private key 's'). has one input. This schematic contains two arithmetic circuits, the first performing a hash on the private key (Hash) and the second performing an elliptic curve multiplication (EC mult) on the private key. The outputs (Out) of these circuits are compared with the inputs.

Note that these internal gates are for illustrative purposes only. This circuit checks that the hash output is equal to the Elliptic Curve (EC) public key. Only the inputs 'h', 'P' and outputs are fully revealed to the verifier. All other values are encrypted.

statement 1
"Given the output h of the hash function (H) and the elliptic curve point P (public key), the preimage of the hash s (i.e., h = H(s)) is the elliptic curve point multiplier (private key, i.e., P=s×G, where G is the elliptic curve generating point)."

The method allows the prover to prove this particular statement with zero knowledge. Examples of applications that benefit from such methods are described below for trustless data exchange (e.g. selling outsourced Bitcoin vanity addresses), and anonymized secure cross-chain atomic swaps. be.

Verification that statement 1 is true takes, as an example, inputs 'h', 'P', 's' and outputs '1' if the statement is true, else It can be determined using the following pseudocode function, which outputs '0':
int verify(h,P,s)
{
if(h == H(s) && P == sx G) {
return 1
}
else {
return 0
}
}

Verifying 'statement 1' with zero-knowledge, that is, verifying the value of 's' by the prover in the zkSNARK system while keeping the value of 's' secret from the verifier can be performed using a hash function and an ellipse Arithmetic circuits would be required for both curve point multiplications.

Arithmetic circuits for SHA-256 hash functions are widely used and optimized to typically contain less than 30,000 multiplication gates, but no examples of arithmetic circuits for cryptographic elliptic curve point multiplication implementations are known in the literature. do not have. Even if such circuits were known, they would be impractical due to their size and complexity, and would involve many more gates.

The method works with a complete arithmetic circuit for a single hash function, as shown in FIG. It has a schematic diagram of an arithmetic circuit. This circuit verifies that the hash output is correct and that the public key is equal to the EC's encrypted input (key statement proof). Values highlighted in blue, i.e. input 'h', 'P' and output '1' are revealed to the verifier, all other values are encrypted.

Using the circuit of FIG. 3, the prover can determine, via circuit satisfiability, that the hash of the private key 's' is 'h', and that the elliptic curve generation point is G, the corresponding We can explicitly prove that the public key 'P' is equal to 's×G'. The private key 's' is the pre-image of the hash, or input to the function, and is not revealed to the verifier when proving the statement.

It goes without saying that verifying that 's×G' is equal to 'P' can be removed from the circuit proof at negligible additional computational cost by using the elliptic curve required in the commitment scheme as part of the proof protocol. can be extracted. Such an operation is called 'key-statement proof' and uses a commitment-opening procedure called 'key-opening'.

Technical Effects The well-known zk-SNARK (Zero-knowledge Succinct Non-interactive Arguments of Knowledge) is an implementation of a general proof system for arithmetic circuit satisfiability. In the SNARK framework, statements encoded as arithmetic circuits are transformed into constructs called Quadratic Arithmetic Programs (QAPs) consisting of sets of polynomials. A statement can then be proved by demonstrating the validity of this set of expressions at a single point. The main advantages of the SNARK method are that the verifier only needs to perform a few elliptic curve (pairing) operations (which take a few milliseconds), the proof is very small (288 bytes) and independent of circuit size. That is.

The very small proof and verification times achieved by the SNARK method come at the expense of trustworthy setup, non-standard cryptographic assumptions, and a much heavier computational load imposed on the prover. The SNARK method also requires the use of elliptic curve bilinear pairing. However, the use of computationally feasible bilinear pairings requires the use of special 'pairing-friendly' elliptic curves. This precludes the use of many standard cryptographic elliptic curve parameter sets, including Bitcoin secp256k1. Then statements involving general elliptic curve point multiplication must use explicit circuits (which can be very large).

As a comparison with the Σ protocol approach for proving SHA circuit satisfiability described in the previous section, when using the SNARK (Pinocchio) framework, the proof key takes about 10 seconds to generate and is about 7 MB in size. and it will take about 10 seconds to generate the proof as well. However, the proof size is 288B and it takes only about 5ms to verify (Non-Patent Document 8).

Moreover, incorporating explicit elliptic curve multiplication (key statements) into the circuit will multiply both proof key size and proof generation time by at least an order of magnitude.

The present invention enables zero-knowledge proof of statements involving elliptic curve public-private key relationships concurrently with general arithmetic circuit satisfiability. This is achieved with negligible computational cost beyond proving arithmetic circuit satisfiability, creating an explicit arithmetic circuit for the elliptic curve point multiplication operation that significantly increases the computational cost of the proof. make it unnecessary.

Implementations Implementations of the present invention are described below for both batch and non-batch commitment-based zero-knowledge proof systems.

In these examples, the zero-knowledge proof protocol involves two parties, a prover (P) and a verifier (V). The purpose of this protocol is for the prover to convince the verifier that a given statement (S) is true, while keeping information about the evidence against that statement confidential. The statement is an arithmetic circuit (C) with m gates and n wires, and a dependent assertion on the elliptic curve public key corresponding to one (or more) of the circuit wire values: pk _l Configured. where the subscript l is the wire index of the key statement. In addition, statements may also include assertions about fully opened (public) wire values (ie public inputs/outputs of a circuit).

The elliptic curve public key(s) specified in the statement are defined by the target elliptic curve specification (which is the full set of elliptic curve parameters: T = (p, a, b, G, n, h) ).

For Bitcoin scripts, these parameters are defined by the secp256k1 (Non-Patent Document 9) specification. This use includes the base generation point G. In addition to specifying the base point, the statement must also specify a second point F (where F=f×G and f is an element of _Zp ). The value of f must be provably random (e.g. Bitcoin genesis block hash), or a "nothing up my sleeve" number, such as the first 256 bits of the binary representation of π.

Batched and unbatched commitments are described with reference to FIG. 4, which is a representative arithmetic circuit with 4 gates and 5 wires. Input wire (w ₁ ) has its public key revealed or opened from wire commitment W ₁ with 'key opening' value ko ₁ .

Implementation—Individual Wire Commitments Using FIG. 4 as an example, a 'key opening' is an individual commitment for each wire in the circuit that is made by the prover and sent to the verifier. These key openings follow the known Σ protocol for arithmetic circuit satisfiability. FIG. 5 shows the data exchanged between the prover and the verifier.

Satisfaction is achieved by including several steps, as follows:
1. For each wire i (i=1,...,n) of the circuit is committed using the Pedersen commitment:
W _i =Com(w _i , r _i )
here,
Com(w,r)=w*G+r*F
2. For a circuit wire l that requires illumination of the corresponding public key (key statement proof), the prover also has the key opening:
ko _l =r _l ×F
also send.
3. Optionally, if the circuit wire j requires that it be publicly revealed (a fully exposed wire), the prover can use the full opening tuple:
( _wj , _rj )
to send.
4. It is then proved that each gate of the circuit is satisfied with zero knowledge using the Σ protocol, which means that the prover has the Σ _zero and Σ _prod commitments (i.e., B or C ₁ , respectively) for each gate. C ₂ , C ₃ ) are calculated and sent, the verifier responds with a challenge value (x), then the prover sends the opening values (z and e values), and the verifier checks the commitment Including.
5. Once the verifier confirms that the circuit is satisfied, then the verifier performs elliptic curve point subtraction:
pk _l = Com(w _l , r _l )−ko _l
Compute the public key for wire l via .
6. Then the verifier verifies that each pk _l matches the key(s) specified in the statement (and the fully opened wire matches the specified value) to complete.

Detailed Implementation--Individual Wire Commitments Continuing to refer to FIG. 4, we provide an explicit example detailing the individual commitments and verifications of this example. It describes verifying the satisfiability of a simple arithmetic circuit, both as a key statement proof of one of the wires and a full disclosure of one of the other wires.

The circuit C shown in FIG. 4 has five wires w _i (i=1, . . . , 5) and four gates g _j (j=1, . . . , 4). Gates 1 and 3 are addition gates and gates 2 and 4 are multiplication gates.

The prover and verifier agree on a statement containing the circuit, the value of wire 5, and the public key of wire 1, along with the elliptic curve and commitment specification. The statement (S) that the prover wishes to prove to the verifier that it is true is:
“I know the satisfication assignments to circuit C (i.e. wire values {w _i } _i=1 ⁵ that satisfy all gates, where wire 1 is the public key P (i.e. P=w ₁ ×G ) and wire 5 has the value h (i.e., w _n =h)”
is.

The values for wires 1 through 4 are not disclosed. The prover and verifier then interact as shown in FIG. 6 and as described below:
1. The prover generates 5 random blinding values (r ₁ ,..., r ₅ ), then computes 5 wire commitments (W ₁ ,..., W ₅ ) and sends them to the verifier .
2. The prover computes the key opening for wire 1: ko ₁ =r ₁ ×F and sends it to the verifier.
3. The prover sends the complete opening information (w ₅ , r ₅ ) for wire 5 to the verifier.
4. For addition gates (g ₁ and g ₃ ), the prover makes a commitment to zero (using random nonces r _B1 and r _B3 ): B ₁ =Com(0, r _B1 ) and B ₃ =Com(0, r _B3 ) and send them to the verifier.
5. For the multiplication gates (g ₂ and g ₄ ), the prover generates commitments as follows, i.e.:
About Gate 2:
_C12 = Com( _t12 , _t32 )
_C2 =Com( _t22 , _t52 ) and _C3 = _t12 * _W1 + _t42 *F
About Gate 4:
_C14 = Com( _t14 , _t34 )
_C2 =Com( _t24 , _t54 ) and _C3 = _t14 * _W3 + _t44 *F
, where the t _xx value is a random blinding nonce. The prover sends these commitments to the verifier.
6. The verifier then generates a random challenge value x and sends it to the prover. Alternatively, the verifier may generate the value x by hashing the concatenation of all commitments using the Fiat-Shamir heuristic.
7. For the addition gates (g ₁ and g ₃ ), the prover has the following openings:
z ₁ =x(r ₁ +r ₁ -r ₂ )+r _B1
z ₃ =x(r ₂ +r ₁ -r ₄ )+r _B3
and send them to the verifier.
8. For the multiplication gates (g ₂ and g ₄ ), the prover has the following openings:
_e12 = _w1x + _t12
e22 = _w2x + _t22
z12 = _r1x + _t32
z22 = _r2x + _t52
z ₃₂ =(r ₃ -w ₁ r ₂ )x+t <sub>42

e14</sub> = _w3x + _t14
e24 = _w4x + _t24
z14 = _r3x + _t34
z24 = _r4x + _t54
z ₃₄ =(r ₅ −w ₃ r ₄ )x+t ₄₄
and send them to the verifier.
9. Finally, a verifier checks for equality. If these pass, the proof is verified.

The verification performed by the verifier is summarized in FIG. 7, where the tests in the inner box confirm that the circuit is satisfied and that the first wire has the required public key and the fifth wire has the required value.

Challenge 'x' in FIGS. 5 and 6 provides interactive proof, with communication back and forth between prover and verifier.

This interaction can be inconvenient when zero-knowledge contingent payment (ZKCP) is made, as the seller and buyer may not be available or online at the same time. Also, the buyer (verifier) may want the proof to be publicly verifiable, for example, it may be part of an advertisement for a digital good.

Furthermore, proofs are strictly zero-knowledge only in perfect special-honest verifier models, i.e., where the verifier generates truly random numbers as a challenge, and the proof is strictly zero-knowledge. only when it is assumed that you do not choose a challenge value to try and retrieve information about.

To solve these problems, the Fiat-Shamir heuristic is applied, which replaces the random challenge value 'x' with the output of the hash of the commitment made by the prover. In the random oracle model (where the output of a cryptographic hash function is considered truly random), the prover cannot cheat and the verifier can inspect the generated challenge value.

Thus, this example can be improved by transforming the interactive proof system into a non-interactive one using the Fiat-Shamir heuristic, and the prover can be verified offline independently and publicly. Proofs can be generated that can be

More specifically, the challenge value (x) is the sum of all of the commitments generated by the prover (i.e., all of the wire commitments and the B and C ₁ , C ₂ , C ₃ commitments for the sum and product gates, respectively). all) is replaced with a value computed by hashing (eg, with SHA-256) the concatenation of

Implementation—Batching Vector Commitments A compressed proof system for circuit satisfiability with batching of vector commitments [8, 6] uses the method described below, which is batched. It allows extracting key statement proofs from the completed circuit wire commitments.

を計算し、それを検証者に送信する。
５． 証明者がまた、ベクトルコミットのためのキーオープニング：

を送信する。
６． 検証者が、楕円曲線演算：

を介して、キーステートメントワイヤの公開鍵オープニングを計算する。 To avoid repetition, we will not describe the complete process, and the following steps will focus on generating a batched wire commitment and demonstrating that it contains the specified public key. ing. In the following steps, given that wire l is given a key opening and n wires are batched together in a vector commitment, batched commitments are generated as follows.
1. A prover generates n−1 random numbers x ₁ , . . . , x _n−1 ←Z _p .
2. The prover computes the elliptic curve points K _i =x _i ×G (for i=1, . . . , n−1). These values plus K _n =G form the proof key PrK that is sent to the verifier.
3. The prover generates a random value: r← _Zp .
4. A prover's commitment to a vector w of wire values w _i (for i=1,...,n), where w _n is to be key-opened:

and send it to the verifier.
5. Prover also key opening for vector commit:

to send.
6. Verifier, elliptic curve arithmetic:

Compute the public key opening of the key statement wire via .

SUMMARY OF THE INVENTION Proving equivalence of hashed preimages and elliptic curve private keys can be used in a number of applications. Two applications are described below that outline the construction of a specific example of a key-statement zero-knowledge proof for use.

Statement S below is, for the purposes of the application example, a more specific version of Statement 1 above:
S:
“Given a SHA-256 hash function (H) with public output h and a public point P on a secp256k1 elliptic curve, a secret preimage s of the hash (i.e., h=H(s)) is the elliptic curve equal to the point multiplier (i.e. the corresponding private key, i.e. P=s*G)

で構成される。 In the example provided, this statement is a SHA-256 hash function C _SHA256 (n of wires w _i (with i=1, . . . , n) and m gates), i.e.

consists of

Therefore, to fully verify this statement, the prover will demonstrate to the verifier that he knows the sufficiency assignment to the SHA256 circuit using a secp256k1-based commitment scheme, and that the wire We simply have to provide the key opening (ko ₁ ) for 1 and the full opening (w _n , r _n ) for wire n. The verifier is not told the value of the input wire (w ₁ ), ie the value of any other wire except the output wire _wn , which is completely opened.

Usage I
The examples of the invention described in the implementation section above can be applied to ZKCPs for outsourced Bitcoin vanity addresses that represent data exchanged for payment or access to resources.

などの、所望の（名前のような）文字列を含むアドレスを生じる秘密鍵を見つけるために、鍵空間がブルートフォース（総当たり）探索される。 Bitcoin addresses are encoded in a human readable alphanumeric format (Base58 encoding) to make them easy to publish, copy and transcribe. The use of this format has led to the popularity of so-called vanity addresses, such as the one below:
[External 1]

A brute-force search of the key space is performed to find a private key that yields an address containing a desired string (such as a name), such as .

Since deriving vanity addresses with meaningful patterns is computationally expensive (e.g., the address shown above required roughly 10 ¹³ different public key generations before a match was found), the search is common, and there are several online marketplaces where vanity addresses are sold on consignment. This can be done safely using the isomorphism of elliptic curve point multiplication [7].

Outsourcing the generation is safe, but selling vanity addresses is unreliable. The buyer may obtain the required value before the seller receives payment, the seller may receive payment before delivering the required value, or both may have to rely on an escrow service. The present invention can be used to enable trustless selling of vanity addresses via ZKCP. The following describes the steps taken between the Buyer/Verifier and the Seller/Verifier.
1. The buyer and seller agree on the required vanity pattern (Str) and price (a bitcoin) and establish a communication channel that need not be secure.
2. A buyer generates a secure random private key skB and a corresponding elliptic curve public key, public key pk _B =sk _B ×G.
3. Buyer sends pk _B to seller.
4. The seller then performs a search for the required pattern in the Base58 encoded address derived from pk=pk _B +i×G by varying i.
5. If an address with the required pattern is found, the seller saves i and signals the buyer to send pk _s =i×G and the SHA256 hash H(i).
6. The seller also provides proof to the buyer that the preimage for H(i) is the private key corresponding to pk _s , as explained in the example above.
7. The buyer verifies the proof and confirms that the addresses corresponding to pk=pk _B +pk _s match the agreed pattern. At this point (by proof), the buyer will be able to derive the perfect secret key (sk _B +i) for the vanity address by himself, given the value i, and that the particular value i is h= We know to hash to H(i).
8. The buyer then constructs a Hash Time Locked Contract (HTLC) transaction Tx ₁ containing outputs including the agreed fee (a). This output can be unlocked in two ways, namely:
i. At any time, with a signature from the seller and a hash preimage i,
ii. For example, with a signature from the buyer after a specified time using the CHECKLOCKTIMEVERIFY (OP_CLTV) script opcode, which can be used to prevent output from being consumed until a specified time or block height. ,
can be unlocked.
9. Buyers then sign and broadcast this transaction to the blockchain, where it is mined into blocks.
10. Once confirmed, the seller can charge a fee on the output of Tx ₁ by providing a transaction Tx ₂ that supplies the value i for unlocking his signature and hash lock, and the value i is revealed on the blockchain.
11. The buyer can compute the final vanity address private key sk=sk _B +i, where pk=sk×G.
12. If the buyer does not supply the value i before the specified OP_CLTV time, the seller can provide a signature to reclaim the fee (to prevent the fee from being lost by uncooperative buyers).

Transactions are then completely atomic and trustless, and buyers are only paid if they provide a valid value i, which is publicly revealed on the blockchain. Due to the splitting of the private key, this value is of no use to anyone else and does not compromise the security of the perfect private key.

Application II
The examples of the invention described in the implementation section above can be applied to private data exchanges between two parties, each with the data to be exchanged recorded on a different blockchain. .

More specifically, the present invention applies to privacy-preserving cross-chain atomic swaps, also known as atomic trades, which are trustless fair exchange protocols that leverage blockchain transaction mechanisms. can be done. This protocol is used to trade two different cryptocurrency tokens on two different blockchains without a centralized third-party exchange. The word 'atomic' in this context refers to the nature of a fair exchange, either both parties complete the transaction or neither party completes the transaction.

An example of a known basic protocol is performed according to the following steps. To be secure, both cryptocurrencies used in swaps must have scripting capabilities to allow for hashed and time-locked contracts. This swap involves two parties, Alice and Bob. In this example, Alice has 1 Bitcoin and has agreed to trade it for Bob's 100 Litecoins.
1. Alice generates a litecoin public key P _A to send to Bob.
2. Bob generates a Bitcoin public key _PB to send to Alice.
3. Alice generates a secure random number x.
4. Alice computes the SHA-256 hash of x: h=H(x).
5. Alice has a bitcoin transaction Tx _A that:
i. Pay 1 bitcoin to P _B with the value hashing to valid signature AND h,
ii. OR refund 1 bitcoin to Alice after 24 hours,
create a bitcoin transaction Tx _A that is
6. Alice broadcasts the transaction to the Bitcoin network.
7. When Bob observes that Tx _A is confirmed on the Bitcoin blockchain, the following Litecoin transaction Tx _B , i.e.
i. Pay _PA 100 litecoins with the value hashing to a valid signature AND h,
ii. OR refund Bob 100 litecoins after 24 hours,
create a bitcoin transaction Tx _B that is
8. Bob broadcasts the transaction to the Litecoin network.
9. Once the transaction is confirmed, Alice can claim Litecoin output by providing her signature and the value x.
10. When Bob observes the value x on the Litecoin blockchain, he can claim bitcoin output by providing his signature and the value x.

This example ensures that either both get the coin or neither get it. Alice generates a hash value and only she knows the preimage, but she is required to reveal this preimage in order to claim the coin, and that's how Bob gets his coin. allow you to claim If either party does not follow the protocol towards completion, both of them can reclaim their coins after the lockout period.

One significant drawback of the known protocol described above is that transactions on both blockchains are trivially linkable, and once confirmed, the eigenvalue x is permanently stored on both blockchains as It looks open. This affects both coin convertibility and transaction privacy.

In order not to link two transactions, a different key must be used for the output on each chain, but for the protocol to be secure and trustless, Bob allows Alice to allow her to use her hash pre Proof must be given that revealing the image will teach him the information necessary to unlock his coin.

By employing the key statement proof described in the example above, hash-locked outputs on a second blockchain can be transformed into regular pay-to-public-key-hash (P2PKH) outputs. , can break any possible link while hiding the nature of the transaction.

Applying the above example where Alice has 1 Bitcoin and has agreed to trade it for Bob's 100 Litecoins, the refinement process would include the following actions:
2. Alice generates a Litecoin public key P _A (with private key s _A ) to send to Bob.
3. Bob generates a Bitcoin public key P _B (with private key s _B ) to send to Alice.
4. Alice generates a secure random number x←Z _p .
5. Alice computes the SHA-256 hash of x: h=H(x) and the elliptic curve public key corresponding to x: P _x =x×G.
6. Alice securely sends both h and P _x to Bob.
7. Alice also sends Bob a key statement proof that the preimage of h is equal to the private key that generated _Px .
8. Alice has a bitcoin transaction Tx _A that:
i. pay 1 bitcoin to the public key P _C =P _B +P _x ,
ii. OR refund 1 bitcoin to Alice after 24 hours,
create a bitcoin transaction Tx _A that is
9. Alice broadcasts the transaction to the Bitcoin network.
10. When Bob observes that Tx _A is confirmed on the Bitcoin blockchain, the following Litecoin transaction Tx _B , i.e.
i. Pay _PA 100 litecoins with a value that SHA-256 hashes to a valid signature AND h,
ii. OR refund Bob 100 litecoins after 24 hours,
create a bitcoin transaction Tx _B that is
11. Bob broadcasts the transaction to the Litecoin network.
12. Once the transaction is confirmed, Alice can claim Litecoin output by providing her signature and the value x.
13. When Bob observes a value x on the Litecoin blockchain, he can request a Bitcoin output by providing a signature with a private key of P _C that is s _B +x from the isomorphism of elliptic curve point multiplication. can.

General Applications The present invention is a zero-knowledge proof of a statement (S) in which a prover proves to a verifier that the statement is true while keeping the evidence (w) for that statement secret. or suitable for verification. Secrets can be handled by functions such as hash functions, but can also include cryptographic elliptic curve key operations, such as the validity of statements about public keys. In the above example, the method of the present invention is used to enable trustless ZKCP for vanity addresses. This can also be applied, for example, to derivation of passwords, verification of valid machine-readable documents such as passports or identity cards, or other such sensitive transactions.

It should be noted that the above-described embodiments are illustrative rather than limiting of the invention, and those skilled in the art will appreciate numerous alternative implementations without departing from the scope of the invention as defined by the appended claims. You can design the form.

In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the terms "comprise" and "comprise" and the like does not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. As used herein, "comprising" means "including or consisting of" and "having" means "including or consisting of".

Reference to elements in the singular does not exclude reference to those elements in the plural, and vice versa. The invention can be implemented by hardware having several separate elements and by a suitably programmed computer.

In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims (26)

Allows zero-knowledge proof or verification of a statement (S) where the prover proves to the verifier that the statement is true while keeping the evidence (w) for that statement secret A computer-implemented method for
Prover to Verifier:
Implementing a function circuit such that, for a given function circuit output (h) and an elliptic curve point (P), the function circuit input (s) to a wire of said function circuit corresponds to the elliptic curve point multiplier (s) a statement (S) represented by an arithmetic circuit having m gates and n wires configured to determine if is equal to
individual wire commitments and/or batched commitments for wires of the circuit;
function circuit output (h);
a certification key (PrK);
including sending
This allows the verifier to determine that the circuit is satisfied and to compute the elliptic curve point (P) to verify the statement, thus allowing the prover to verify the evidence for the statement (w ), allowing us to determine that we hold
A computer-implemented method. The computer-implemented method of claim 1, wherein the prover transmits individual wire commitments and communicates with the verifier using a Σ protocol to prove knowledge of the evidence (w). . 3. The computer-implemented method of claim 1 or 2, wherein the prover receives a challenge value (x) from the verifier and responds with an opening. 2. The prover sends to the verifier a random value (x) that allows the verifier to determine the statement to be true and to compute the elliptic curve point (P). or the computer-implemented method of claim 2. 5. The computer-implemented method of claim 4, wherein the random value (x) is a function of at least one commitment. 6. The computer-implemented method of claim 4 or 5, wherein the random value (x) is computed by hashing a concatenation of all the commitments generated by the prover and sent to the verifier. . the commitment W _i is W _i =Com(w _i , r _i );
Com is a commitment to said functional circuit,
w _i is the wire value,
r _i is a random number that is different for each wire commitment,
i is the wire type,
Com(w, r)=w×G+r×F,
F and G are elliptic curve points,
7. A computer-implemented method according to any one of claims 1-6. the input to wire l in said arithmetic circuit is ko=r _l ×F,
ko is the key opening input,
r _l is a random number,
F is a point on the elliptic curve,
8. The computer-implemented method of claim 7. The verifier confirms that the circuit satisfies the elliptic curve point subtraction:
pk _l = Com(w _l , r _l )−ko _l
9. The computer-implemented method of claim 8, wherein the public key for wire l can be computed via . 2. The computer implemented claim 1, wherein the prover sends batches of wire commitments and generates random numbers for computing elliptic curve points for each wire to form the proof key (PrK). Method. said batched commitments relating to said evidence are:

and
r is a random number generated by the prover,
The prover computes the commitment of the wire values w _i (for i=1,...,n) to the vector w,
w _n is what is key-opened,
K _i is the calculated elliptic curve point,
w _i is the wire value,
F is a point on the elliptic curve,
11. The computer-implemented method of claim 10. The input for wire n in said arithmetic circuit is:

and
_kon is the key opening input,
r is a random number,
F is a point on the elliptic curve,
12. The computer-implemented method of claim 11. The verifier uses elliptic curve arithmetic:

13. The computer-implemented method of claim 12, computing the public key opening of the key statement wire via . 14. The computer-implemented method of any one of claims 1-13, wherein the prover further sends a fully open commitment on at least one wire. 15. The computer-implemented method of any one of claims 1-14, wherein the method uses the Pedersen commitment. 16. The computer-implemented method of any one of claims 1-15, wherein the statement uses only one arithmetic circuit for the function circuit. 17. The computer-implemented method of any one of claims 1-16, wherein the function circuit implements a hash function, preferably a SHA-256 hash function. The method is used by the Prover to enable zero-knowledge-bearing transactions on data, such as cryptographic keys, and
The Prover cooperates with a Verifier to verify data provided and received and establishes a communication channel with the Verifier;
The prover receives from the verifier a verifier-generated elliptic curve public key pk _B from a secure random private key skB, where pk _V =sk _V ×G, where G is an elliptic curve point ,
the prover protects the provided data with a lock value i such that data=pk _V +i×G;
said prover sends to a verifier their public key, where pk _P =i×G, and the output f(i) from said function circuit whose function circuit input is said lock value i;
the prover sending to the verifier a statement (S) proof proving to the verifier that the input to the function circuit is the private key corresponding to pk _P ;
Knowing the lock value i by the verifier verifying the proof and confirming that the address corresponding to pk = pk _V + pk _P matches the agreed pattern, the data (sk _B + i) and specifying that said lock value i is said function circuit input to said function circuit,
the prover receives a transaction Tx ₁ containing an output containing the received data that can be accessed by a signature from the prover and the function circuit input;
The prover signs the transaction and broadcasts the transaction on the blockchain, which is mined into a block to provide a signature and value i to unlock the transaction, a second transaction Tx ₂ allows the prover to access the data from the output of the transaction Tx ₁ , and the transaction is revealed on the blockchain,
thus enabling the verifier to specify the lock value i to access the data provided by the prover;
sk=sk _B +i, and
pk=sk×G,
18. A computer-implemented method according to any one of claims 1-17. 19. The computer-implemented method of claim 18, wherein the data provided by the prover includes a vanity address. 19. The computer-implemented method of claim 18, wherein the data received from the verifier includes cryptocurrency payments. The prover conducts trustless and fair data exchange with the verifier,
The prover has access to first data on a first blockchain, the verifier has access to second data on a second blockchain, and the prover and verifier have access to Parties agree to exchange said data and the method:
the prover generates a key pair for the second blockchain, transmits a public key (P _A ) to the verifier, and holds a private key (s _A );
The prover receives a verifier public key (P _B ) for the first blockchain, and the verifier generates a key pair for the first blockchain and holds a private key (s _B ). and
the prover sends a statement (S), one or more commitments, inputs (P _x ) and function circuit outputs (h), and an elliptic curve specification;
said prover creating a first blockchain transaction Tx _A sending said first data to a common public key address (P _c ) and broadcasting the transaction on a first blockchain network; the address is defined by the sum of the input (P _x ) and the verifier public key (P _c ), where P _C =P _B +P _x ;
by the verifier after the prover verifies a second blockchain transaction Tx _B , the transaction confirming that the first blockchain includes the first blockchain transaction Tx _A ; Created and broadcast on the second blockchain network, the transaction sends the second data to a prover public key address (P _A ), where the prover public key address (P _A ) is:
a valid signature on said prover public key address (P _A );
a value that is the function circuit input preimage that determines the function circuit output (h);
is accessible by the Prover using
the prover confirms that the second blockchain transaction Tx _B is contained on the second blockchain, with a signature and the value that is the function circuit input of the function circuit output (h); accessing said second data by providing a
Thus, the verifier observes the values that are the function circuit inputs that determine the function circuit output (h), and from the isomorphism of elliptic curve point multiplication derives the private key of P _C that is s _B +s enabling access to the first data by providing a signature using
18. The computer-implemented method of any one of claims 1-17, comprising: The data to be exchanged is a cryptocurrency, the first data corresponds to a first cryptocurrency amount, preferably Bitcoin, and the second data is a second cryptocurrency, preferably Litecoin. 22. The computer-implemented method of claim 21, corresponding to an amount of cryptocurrency of . A computer-readable storage medium having computer-executable instructions which, when executed, cause a processor to perform the method of any one of claims 1-22. computer readable storage medium. an interface device;
one or more processors coupled to the interface device;
23. A memory coupled to the one or more processors, the memory storing computer-executable instructions, which, when executed, are a memory that configures the one or more processors to perform the method of
An electronic device having A node of a blockchain network, the node being configured to perform the method of any one of claims 1-22. A blockchain network comprising a node according to claim 25.