WO2019209168A2 - Data processing method, related apparatus, and blockchain system - Google Patents

Data processing method, related apparatus, and blockchain system

Info

Publication number
WO2019209168A2
Authority
WO
WIPO (PCT)
Prior art keywords
transaction amount
plaintext
ciphertext
sender
amount
Application number
PCT/SG2018/050200
Other languages
English (en)
Chinese (zh)
Other versions
WO2019209168A3 (fr)
Inventor
阮子瀚
吴双
贺伟
Original Assignee
华为国际有限公司 (Huawei International)
Application filed by 华为国际有限公司
Priority to CN201880092481.XA (CN111989891B)
Priority to PCT/SG2018/050200 (WO2019209168A2)
Publication of WO2019209168A2
Publication of WO2019209168A3

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/32: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present application relates to the field of blockchain technology, and in particular to a data processing method, a related device, and a blockchain system.

Background art
  • A blockchain is a distributed database that maintains a growing list of ordered records called blocks. Each block contains a timestamp and a link to the previous block, which makes the chain tamper-evident: once recorded, the data in a block cannot be unilaterally modified.
  • P2P: peer-to-peer.
  • A blockchain is an open, distributed ledger that records transactions between parties, and other information, efficiently and permanently, in a verifiable manner.
  • In existing systems the user's account balance is not encrypted before it is stored in a block, so the account is fully exposed on every node. Beyond the basic functions of decentralisation and tamper resistance, such a blockchain offers no account privacy: the balance is visible to all nodes.
  • Additive homomorphic encryption can protect the privacy of the transaction amount in a blockchain system, but on its own it does not let the verifier check that a transaction is valid. The verifier can only establish that the plaintext of the output amounts equals the plaintext of the input amounts; it cannot confirm that either plaintext lies in the valid range. Because a homomorphic sum is only equal modulo the scheme's plaintext space, an output that is out of range (in effect a negative amount) would still satisfy the equality check. How to protect the privacy of the transaction amount while letting a verification node that cannot learn the plaintext verify that the amount lies in the valid range is therefore an urgent problem.

Summary of the invention
  • The embodiments of the present application provide a data processing method, a related device, and a blockchain system that protect the privacy of the transaction amount: a verifier that cannot obtain the plaintext of the transaction amount can still verify that the amount lies in the valid range, which ensures the legality of the transaction.
  • An embodiment of the present application provides a data processing method applied to a blockchain system that includes a sender and a verifier. The method includes: the sender encrypts the plaintext M of the transaction amount with an additive homomorphic encryption algorithm and generates the ciphertext (C, B) of the transaction amount; the sender sends (C, B) to the verifier; the verifier verifies from (C, B) whether M belongs to the first valid range [0, 2^U - 1], where U is the bit length of M.
  • This lets the blockchain system protect the privacy of the transaction amount: the verifier cannot learn the plaintext, yet it verifies that the amount lies in the valid range, ensuring the legality of the transaction.
  • The plaintext M of the transaction amount may first be divided into several small chunks; each chunk's plaintext is then encrypted separately, and the range proof and related operations are performed per chunk, so that the supervisor can efficiently decrypt the ciphertext of each chunk.
  • The L chunk plaintexts M_k of the transaction amount are of equal length.
  • The method further includes: the sender generates a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, and the verifier's check of (C, B) consists of verifying that zero-knowledge proof.
  • In this way the verifier can verify that the transaction amount lies in the valid range, and hence the legality of the transaction, without seeing the amount.
  • The transaction amount includes an output amount, and the method further includes: the sender calculates the ciphertext C' of the difference between the input amount and the output amount and generates an additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero. C' is computed from the ciphertext of the output amount and the ciphertext of the input amount; the ciphertext of the input amount is either the ciphertext of the amount the sender received in a previous transaction or a ciphertext the sender generated by encrypting, with the additive homomorphic encryption algorithm, an amount generated in the current transaction. The verifier verifies the zero-knowledge proof that C' encrypts zero.
  • In this way the verifier verifies that the input amount equals the output amount, and hence the legality of the transaction.
  • The system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor. The method further includes: the sender generates a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the verifier verifies that proof; and the supervisor decrypts (C, B) with the private key corresponding to the public key.
  • In this way the verifier can confirm that the supervisor is able to decrypt the ciphertext of the transaction amount, which establishes the legality of the ciphertext.
  • The system further includes a third party that provides a random secret Y, which is used to generate a digital signature for each integer in the first valid range.
  • The sender generates the zero-knowledge proof that the plaintext M belongs to the first valid range from the digital signatures generated, with the random secret Y provided by the third party, for each integer in the first valid range.
  • This gives a concrete way to prove that the plaintext of the transaction amount ciphertext belongs to the valid range: a digital signature is generated for each integer in the valid range, and the sender proves that the plaintext corresponds to one of those signatures, which proves that it belongs to the valid range.
  • The verifier is never given the plaintext of the transaction amount, yet the legality of the amount is verified and transaction privacy is preserved.
  • The sender's generation of the zero-knowledge proof that M belongs to the first valid range includes: the sender generates N first parameters, N being a positive integer.
  • The verifier's verification of that proof includes: the verifier generates N second parameters, each corresponding to one of the N first parameters, and checks whether every second parameter equals its corresponding first parameter; if they are all equal, the plaintext M belongs to the first valid range.
  • In this implementation the verifier decides whether the plaintext of the transaction amount ciphertext belongs to the valid range by comparing the first parameters generated by the sender with the second parameters it generates itself, so the legality of the amount is verified without giving the verifier the plaintext, and transaction privacy is preserved.
  • The sender may further generate a first verification parameter determined by the N first parameters, and the verifier a second verification parameter determined by the N second parameters; checking whether the N second parameters equal the corresponding first parameters then consists of checking whether the first verification parameter equals the second verification parameter, equality of the two verification parameters implying equality of all N parameter pairs.
  • In this way the comparison of the N parameters is reduced to comparing two verification parameters, from which it follows whether the plaintext of the transaction amount ciphertext lies in the valid range; again the plaintext is not given to the verifier, the legality of the amount is verified and transaction privacy is preserved.
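How the pieces above fit together, as an added example written for this page (it is not code from the patent or from Huawei): an additive homomorphic amount ciphertext (C, B), the chunked encryption that lets the supervisor decrypt, the proof that C' = input - output encrypts zero, and the range proof in the "N first parameters, one verification parameter, verifier recomputes and compares" form. Proving that M has a U-bit decomposition is exactly proving M in [0, 2^U - 1], so the range proof below works bit by bit. The patent does not fix a scheme, so everything concrete here is an assumption: exponential ElGamal in a Schnorr group with (C, B) = (g^M * y^r, g^r) under the supervisor's public key y = g^x, a Chaum-Pedersen proof for the zero plaintext, a Chaum-Pedersen OR-proof per bit for the range, and Fiat-Shamir for the challenge; the 128-bit group, U = 32, L = 4 chunks of u = 8 bits and all function names are choices made here. The signature-based range proof using the third party's random secret Y is not covered.

```python
# Added example, not the patent's code: exponential ElGamal, Chaum-Pedersen/OR-proofs and Fiat-Shamir are assumed choices.
import functools, hashlib, secrets
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic below 2^64, negligible error above."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            return False                                  # a is a witness that n is composite
    return True

def schnorr_group(bits=128):
    """Deterministic search for a safe prime p = 2q + 1; g = 4 = 2^2 generates the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = schnorr_group()

def keygen():
    x = secrets.randbelow(Q - 1) + 1                      # supervisor's private key; senders encrypt under y = g^x
    return x, pow(G, x, P)

def encrypt(m, y, r=None):
    """(C, B) = (g^m * y^r, g^r): multiplying ciphertexts adds plaintexts, but only modulo q."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, m, P) * pow(y, r, P) % P, pow(G, r, P)), r

def ct_mul(a, b, k=1):
    """Plaintext a + k*b: (C_a * C_b^k, B_a * B_b^k); k = -1 subtracts, k = 2^i scales a chunk or bit."""
    return a[0] * pow(b[0], k, P) % P, a[1] * pow(b[1], k, P) % P

def encrypt_chunked(m, y, bit_len=32, chunks=4):
    """Split the U-bit amount into L equal u-bit chunks M_k and encrypt each one separately."""
    u = bit_len // chunks
    return u, [encrypt((m >> (u * k)) & ((1 << u) - 1), y) for k in range(chunks)]

def combine(u, cts):
    """Ciphertext of M = sum_k M_k * 2^(u k), rebuilt homomorphically from chunk (or bit) ciphertexts."""
    return functools.reduce(lambda acc, kc: ct_mul(acc, kc[1], 1 << (u * kc[0])), enumerate(cts), (1, 1))

def supervisor_decrypt(x, u, chunk_cts):
    """g^M_k = C_k / B_k^x, then a 2^u-entry lookup: feasible only because each chunk is small."""
    table = {pow(G, v, P): v for v in range(1 << u)}
    return sum(table[c * pow(b, -x, P) % P] << (u * k) for k, ((c, b), _) in enumerate(chunk_cts))

def fs_hash(*vals):
    """Fiat-Shamir: one hash over all commitments, the 'verification parameter' the verifier recomputes."""
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % Q

def recompute(B, target, c, z, y):                        # (g^z * B^-c, y^z * target^-c) == (g^w, y^w) iff honest
    return pow(G, z, P) * pow(B, -c, P) % P, pow(y, z, P) * pow(target, -c, P) % P

def prove_zero(ct, r, y):
    """Chaum-Pedersen: (C, B) = (y^r, g^r) for the r the prover knows, i.e. plaintext 0; r stays secret."""
    c = fs_hash(y, ct, pow(G, w := secrets.randbelow(Q), P), pow(y, w, P))
    return c, (w + c * r) % Q

def verify_zero(ct, proof, y):
    c, z = proof
    return fs_hash(y, ct, *recompute(ct[1], ct[0], c, z, y)) == c

def prove_balance(ct_in, r_in, outs, y):
    """C' = input - sum(outputs); the sender knows every r, so it can prove C' encrypts zero."""
    diff, r = ct_in, r_in
    for ct_o, r_o in outs:
        diff, r = ct_mul(diff, ct_o, -1), (r - r_o) % Q
    return diff, prove_zero(diff, r, y)

def prove_range(m, y, bits=32):
    """Encrypt each bit and OR-prove it is 0 or 1: one hash c over all N commitments, per bit (c0, z0, z1), c1 = c - c0."""
    cts, coms, wit = [], [], []
    for i in range(bits):
        ct, r = encrypt(b := (m >> i) & 1, y)
        w, c_sim, z_sim = (secrets.randbelow(Q) for _ in range(3))
        com = {b: (pow(G, w, P), pow(y, w, P)),                                      # real branch: fresh commitment
               1 - b: recompute(ct[1], ct[0] * pow(G, b - 1, P) % P, c_sim, z_sim, y)}  # false branch C / g^(1-b): simulated
        cts.append(ct); coms.extend((com[0], com[1])); wit.append((b, r, w, c_sim, z_sim))
    c, proof = fs_hash(y, cts, coms), []
    for b, r, w, c_sim, z_sim in wit:
        c_b = (c - c_sim) % Q                             # the real branch answers whatever part of c is left
        z_b = (w + c_b * r) % Q
        proof.append((c_b, z_b, z_sim) if b == 0 else (c_sim, z_sim, z_b))
    return cts, c, proof

def verify_range(amount_ct, cts, c, proof, y):
    """Bits must recombine to the amount ciphertext; then recompute all N commitments and the hash."""
    if len(cts) != len(proof) or combine(1, cts) != amount_ct:
        return False
    coms = [recompute(B, C * pow(G, -j, P) % P, cj, zj, y)                             # branch j: (C / g^j, B) encrypts 0
            for (C, B), (c0, z0, z1) in zip(cts, proof)
            for j, cj, zj in ((0, c0, z0), (1, (c - c0) % Q, z1))]
    return fs_hash(y, cts, coms) == c
```

Usage: `x, y = keygen()`; the sender calls `encrypt_chunked`, `prove_balance` and `prove_range`; the verifier, holding only ciphertexts and proofs, calls `verify_zero` and `verify_range`; the supervisor calls `supervisor_decrypt`. The chunking matters because recovering M from g^M is a discrete-logarithm lookup: a 2^u-entry table is cheap for u = 8 but not for a 32-bit amount in one piece, which is the page's reason for equal-length chunks. The prover may simulate one branch of each bit but must answer the other with the real witness, so a value that is neither 0 nor 1 leaves one branch unanswerable, and the verifier sees this as a hash mismatch rather than by decrypting anything.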
  • An embodiment of the present application provides a data processing method (the second aspect), described from the sender's side and applied to a blockchain system that includes a sender and a verifier. The method includes: the sender encrypts the plaintext M of the transaction amount with an additive homomorphic encryption algorithm and generates the ciphertext (C, B) of the transaction amount; the sender sends (C, B) to the verifier, so that the verifier verifies from (C, B) whether M belongs to the first valid range [0, 2^U - 1], where U is the bit length of M.
  • The system further includes a supervisor, and the sender's encryption of M includes: the sender divides the plaintext M of the transaction amount into L chunk plaintexts M_k and encrypts each M_k separately with the additive homomorphic encryption algorithm, generating L chunk ciphertexts (C_k, B_k).
  • The L chunk plaintexts M_k are of equal length.
  • The method further includes: the sender generates a zero-knowledge proof that M belongs to the first valid range and sends it together with the ciphertext (C, B) to the verifier, so that the verifier verifies that zero-knowledge proof against (C, B).
  • The transaction amount includes an output amount, and the method further includes: the sender calculates the ciphertext C' of the difference between the input amount and the output amount and generates an additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero, so that the verifier can verify that proof. C' is computed from the ciphertext of the output amount and the ciphertext of the input amount; the ciphertext of the input amount is either the ciphertext of the amount the sender received in a previous transaction or a ciphertext the sender generated by encrypting, with the additive homomorphic encryption algorithm, an amount generated in the current transaction.
  • The system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor. The method further includes: the sender generates a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifier can verify it.
  • The system further includes a third party that provides a random secret Y, which is used to generate a digital signature for each integer in the first valid range.
  • The sender generates the zero-knowledge proof that M belongs to the first valid range from the digital signatures generated, with the random secret Y provided by the third party, for each integer in the first valid range.
  • An embodiment of the present application provides a data processing method (the third aspect), described from the verifier's side and applied to a blockchain system that includes a sender and a verifier. The method includes: the verifier receives the ciphertext (C, B) of the transaction amount sent by the sender, where U is the bit length of the plaintext M of the transaction amount; the verifier verifies from (C, B) whether M belongs to the first valid range [0, 2^U - 1].
  • The verifier's check of (C, B) consists of verifying a zero-knowledge proof, generated by the sender, that the plaintext M belongs to the first valid range.
  • The transaction amount includes an output amount, and the method further includes: the verifier verifies an additive homomorphic zero-knowledge proof, generated by the sender, that the ciphertext C' of the difference between the input amount and the output amount is a ciphertext whose plaintext is zero. C' is computed from the ciphertext of the output amount and the ciphertext of the input amount; the ciphertext of the input amount is either the ciphertext of the amount the sender received in a previous transaction or a ciphertext the sender generated by encrypting, with the additive homomorphic encryption algorithm, an amount generated in the current transaction.
  • The system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor. The verifier is further configured to verify a zero-knowledge proof, generated by the sender, that the supervisor can decrypt the ciphertext (C, B) of the transaction amount.
  • An embodiment of the present application provides a blockchain system that includes a sender and a verifier. The sender is configured to encrypt the plaintext M of the transaction amount with an additive homomorphic encryption algorithm, generating the ciphertext (C, B) of the transaction amount, and to send (C, B) to the verifier. The verifier is configured to verify from (C, B) whether M belongs to the first valid range [0, 2^U - 1], where U is the bit length of M.
  • The system further includes a supervisor. The sender is configured to divide the plaintext M of the transaction amount into L chunk plaintexts M_k and to encrypt each one with the additive homomorphic encryption algorithm, generating L chunk ciphertexts (C_k, B_k). The verifier is configured to verify from each (C_k, B_k) whether the chunk plaintext M_k belongs to a second valid range [0, 2^u - 1], where u is the bit length of a chunk plaintext. The supervisor is configured to decrypt the L chunk ciphertexts (C_k, B_k) with the private key corresponding to the public key, obtaining the L chunk plaintexts M_k.
  • The sender is further configured to generate a zero-knowledge proof that M belongs to the first valid range, and the verifier is configured to verify that proof against the ciphertext (C, B).
  • The transaction amount includes an output amount. The sender is further configured to calculate the ciphertext C' of the difference between the input amount and the output amount and to generate an additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero; C' is computed from the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount is either the ciphertext of the amount the sender received in a previous transaction or a ciphertext the sender generated by encrypting, with the additive homomorphic encryption algorithm, an amount generated in the current transaction. The verifier is further configured to verify that proof.
  • The system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor. The sender is further configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; the verifier is further configured to verify that proof; and the supervisor is configured to decrypt (C, B) with the private key corresponding to the public key.
  • The system further includes a third party that provides a random secret Y, which is used to generate a digital signature for each integer in the first valid range.
  • The sender is configured to generate the zero-knowledge proof that the plaintext of the transaction amount belongs to the first valid range from the digital signatures generated, with the random secret Y provided by the third party, for each integer in that range.
  • The sender is configured to generate N first parameters, and the verifier is configured to generate N second parameters, each corresponding to one of the N first parameters, and to verify whether every second parameter equals its corresponding first parameter; if they are all equal, the plaintext M belongs to the first valid range.
  • The sender is further configured to generate a first verification parameter determined by the N first parameters, and the verifier is further configured to generate a second verification parameter determined by the N second parameters and to verify whether the first verification parameter equals the second verification parameter; if they are equal, the N second parameters equal the corresponding first parameters.
  • An embodiment of the present application provides a sender for a blockchain system that includes a sender and a verifier. The sender includes: an encryption unit configured to encrypt the plaintext M of the transaction amount with an additive homomorphic encryption algorithm, generating the ciphertext (C, B) of the transaction amount, where the bit length of M is U; and a sending unit configured to send (C, B) to the verifier, so that the verifier verifies from (C, B) whether M belongs to the first valid range [0, 2^U - 1].
  • The system further includes a supervisor, and the plaintext M of the transaction amount is divided into L chunk plaintexts M_k, L being a positive integer greater than or equal to 2. The encryption unit includes an encryption subunit configured to encrypt each of the L chunk plaintexts with the additive homomorphic encryption algorithm, generating L chunk ciphertexts (C_k, B_k), so that the supervisor can decrypt each (C_k, B_k) with the private key corresponding to the public key, obtain the L chunk plaintexts M_k and reassemble the plaintext M from them; the public key of the additive homomorphic encryption algorithm is provided by the supervisor. The sending unit is configured to send the L chunk ciphertexts (C_k, B_k) to the verifier, so that the verifier verifies from each (C_k, B_k) whether the chunk plaintext M_k belongs to the second valid range [0, 2^u - 1], where u is the bit length of a chunk plaintext.
  • The sender further includes a first generating unit configured to generate a zero-knowledge proof that M belongs to the first valid range, and the sending unit is configured to send the ciphertext (C, B) together with that proof to the verifier, so that the verifier verifies the proof against (C, B).
  • The transaction amount includes an output amount, and the sender further includes a second generating unit configured to calculate the ciphertext C' of the difference between the input amount and the output amount and to generate an additive homomorphic zero-knowledge proof that C' is a ciphertext whose plaintext is zero, so that the verifier can verify it; C' is computed from the ciphertext of the output amount and the ciphertext of the input amount, and the ciphertext of the input amount is either the ciphertext of the amount the sender received in a previous transaction or a ciphertext the sender generated by encrypting, with the additive homomorphic encryption algorithm, an amount generated in the current transaction.
  • The system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor. The sender further includes a third generating unit configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifier can verify it.
  • The system further includes a third party that provides a random secret Y, which is used to generate a digital signature for each integer in the first valid range.
  • The first generating unit is configured to generate the zero-knowledge proof that the plaintext M of the ciphertext (C, B) belongs to the first valid range from the digital signatures the third party generated for each integer in that range.
  • An embodiment of the present application provides a verifier for a blockchain system that includes a sender and a verifier. The verifier includes: a receiving unit configured to receive the ciphertext (C, B) of the transaction amount sent by the sender, where (C, B) was generated by the sender by encrypting the plaintext M of the transaction amount with the additive homomorphic encryption algorithm and the bit length of M is U; and a verification unit configured to verify from (C, B) whether M belongs to the first valid range [0, 2^U - 1].
  • The verification unit is configured to verify a zero-knowledge proof, generated by the sender, that the plaintext M belongs to the first valid range.
  • The transaction amount includes an output amount, and the verification unit is further configured to verify an additive homomorphic zero-knowledge proof, generated by the sender, that the ciphertext C' of the difference between the input amount and the output amount is a ciphertext whose plaintext is zero. C' is computed from the ciphertext of the output amount and the ciphertext of the input amount; the ciphertext of the input amount is either the ciphertext of the amount the sender received in a previous transaction or a ciphertext the sender generated by encrypting, with the additive homomorphic encryption algorithm, an amount generated in the current transaction.
  • The system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor. The verification unit is further configured to verify a zero-knowledge proof, generated by the sender, that the supervisor can decrypt the ciphertext (C, B) of the transaction amount.
  • An embodiment of the present application provides a sender for a blockchain system that includes a sender and a verifier. The sender includes a processor, a memory and a transceiver connected to one another; the memory stores a computer program comprising program instructions, and the processor is configured to invoke those instructions and execute the data processing method of the second aspect or of any possible implementation of it.
  • An embodiment of the present application provides a verifier for a blockchain system that includes a sender and a verifier. The verifier includes a processor, a memory and a transceiver connected to one another; the memory stores a computer program comprising program instructions, and the processor is configured to invoke those instructions and execute the data processing method of the third aspect or of any possible implementation of it.
  • the embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores a computer program, where the computer program includes program instructions, and when the program instructions are executed by a processor, the processor performs the data processing method provided by the second aspect of the embodiment of the present application or any possible implementation manner of the second aspect.
  • the embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores a computer program, where the computer program includes program instructions, and when the program instructions are executed by a processor, the processor performs the data processing method provided by the third aspect of the embodiment of the present application or any possible implementation manner of the third aspect.
  • the embodiment of the present application can protect the privacy of the transaction amount in the blockchain system: without the verifier learning the plaintext of the transaction amount, it can verify whether the transaction amount is within the valid range and so ensure the legality of the transaction.
  • the plaintext of the transaction amount can be divided into the plaintexts of a number of small pieces of the transaction amount, and the plaintext of each small piece is then separately encrypted and decrypted and its range proof generated, so as to ensure that the regulator can effectively decrypt the ciphertext of each small piece of the transaction amount.
  • FIG. 1 is a schematic structural diagram of a blockchain system according to an embodiment of the present application
  • Figure 2 is a schematic diagram of the input amount and output amount
  • FIG. 3 is a schematic flowchart of a data processing method according to an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of another data processing method according to an embodiment of the present application.
  • FIG. 5 is a schematic diagram of a process for a sender to process a transaction amount plaintext M according to an embodiment of the present application
  • FIG. 6 is a schematic flowchart of another data processing method according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a sender according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a verification party according to an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of another sender according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of another verifier according to an embodiment of the present application.
  • Detailed description: the technical solutions in the embodiments of the present application will be described clearly and in detail in conjunction with the accompanying drawings.
  • the blockchain system can include at least a sender and a verifier.
  • the sender is used to initiate a transaction to the recipient, and the transaction amount is encrypted; the verifier is used to verify whether the transaction initiated by the sender to the receiver is legal.
  • the blockchain system may further include a supervisor, which provides a pair of public and private keys, provides the public key to the sender to encrypt the transaction amount, and may use the private key to decrypt the transaction amount in order to monitor trading behaviour on the blockchain network, detect abnormal trading behaviour in time, and respond accordingly.
  • the sender may be a sender's mobile phone or a computer terminal
  • the verification party may be a bank server, etc.
  • the supervisor may be a computer or server of the regulatory agency.
  • the blockchain system can be applied to a federated chain scenario, and can be applied to an alliance formed between multiple organizations that cannot find a unified trusted third party.
  • the sender initiates a transaction to the receiver.
  • the sender pays a certain amount of the transaction to the receiver, and the verifier can verify whether the transaction is legal.
  • Whether the transaction is legal is mainly reflected in two aspects: first, whether the output amount is equal to the input amount; second, whether the output amount and the input amount are within the valid range. If the output amount is equal to the input amount, and the output amount and the input amount are both within the valid range, the transaction is a legal transaction.
  • for the output amount and the input amount, please refer to Figure 2.
  • the transaction amount that the sender A intends to pay is X.
  • the transaction amount received by the receiver A1 is Y, and the transaction amount received by the receiver A2 is Z.
  • X is the input amount
  • the maximum value is determined by the bit length of the transaction amount: if the bit length of the transaction amount is U, the maximum value is 2^U - 1.
  • the data processing method can at least include the following steps:
  • S301 The sender encrypts the plaintext M of the transaction amount by using an addition homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount.
  • the above additive homomorphic encryption algorithm may be an ElGamal algorithm.
  • C in the ciphertext (C, B) of the transaction amount is the ciphertext body of the transaction amount plaintext M
  • B is the auxiliary ciphertext of the transaction amount plaintext M, which is used to assist in decrypting the ciphertext body C in the subsequent supervisor decryption process.
  • the plaintext M of the transaction amount has a bit length U and U is a positive integer.
  • the transaction amount includes an output amount.
  • the input amount may be the ciphertext of the amount received by the sender in the previous transaction, in which case no further encryption is required, nor the subsequent zero-knowledge proof that the input amount belongs to the valid range.
  • the transaction amount may include an input amount in addition to the output amount. That is, the sender must encrypt both the output amount and the input amount, and generate the subsequent zero-knowledge proof that each transaction amount is within the valid range.
  • whether the sender directly uses the ciphertext of the amount received in the previous transaction, or whether the sender needs to regenerate the ciphertext of the input amount and the subsequent zero-knowledge proof that the transaction amount belongs to the valid range, depends on the initial setting of the blockchain system, that is, on whether the transaction model of the blockchain system has the sender directly forward the transaction amount it received in the last transaction, or regenerate the input amount in each transaction.
  • the supervisor has an asymmetric key pair, consisting of a public key and a private key.
  • the sender can encrypt the plaintext M of the transaction amount by using the public key provided by the regulator and generate the ciphertext of the transaction amount, which ensures that the regulator can decrypt the ciphertext of the transaction amount by using the private key corresponding to the public key, so that the regulator can supervise the transaction.
  • S302 The sender sends the ciphertext (C, B) of the transaction amount to the verifier.
  • the verifier must not learn the plaintext M of the transaction amount, and the sender must be protected from being tracked by users on other nodes, which would cause information leakage. Therefore, after the sender encrypts the plaintext M of the transaction amount, the ciphertext (C, B) of the transaction amount is generated and sent to the verifier, so that the verifier can verify the legality of the transaction amount.
  • S303 The verifier verifies whether the plaintext M of the transaction amount belongs to the first valid range according to the ciphertext (C, B) of the transaction amount.
  • the verifier can verify the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
  • the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range is generated by the sender.
  • the embodiment of the present application can adopt the additive homomorphic ElGamal encryption algorithm because, in the blockchain system, the additive homomorphic ElGamal encryption algorithm is compatible with the zero-knowledge proof algorithm that the plaintext M of the transaction amount belongs to the first valid range.
  • the data obtained by the additive homomorphic ElGamal encryption algorithm is two-dimensional data,
  • the data obtained by the zero-knowledge proof algorithm for the valid range is also two-dimensional,
  • and the two algorithms belong to the same mathematical system, so both algorithms are compatible within that mathematical system.
  • zero-knowledge proof means that the prover can convince the verifier that a certain assertion is correct without providing the verifier any useful information.
  • the sender does not provide the plaintext M of the transaction amount to the verifier, yet the verifier is convinced that the plaintext M of the transaction amount belongs to the first valid range.
  • a digital signature may be generated for every integer in the first valid range, and the sender then only needs to prove that the plaintext of the transaction amount corresponds to one of the digital signatures of the integers in the first valid range, which proves that the plaintext M of the transaction amount belongs to the first valid range.
  • Additive homomorphic encryption is a form of encryption that allows a specific algebraic operation to be performed on ciphertexts to obtain a result that is still encrypted, and whose decryption equals the result of the same operation on the plaintexts. In other words, additive homomorphic encryption allows computation on encrypted data that yields the correct result without decrypting at any point.
  • when the public key of the additive homomorphic ElGamal encryption algorithm used by the sender to encrypt the plaintext M of the transaction amount is provided by the supervisor, the sender can also generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount.
  • the verifier can also verify the zero-knowledge proof that the above-mentioned regulator can decrypt the ciphertext (C, B) of the transaction amount.
  • the order in which the sender generates the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range and the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is not limited.
  • the order in which the verification party verifies the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range and the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount is not limited.
  • the sender can also calculate the ciphertext C' of the difference between the input amount and the output amount, and generate a zero-knowledge proof that C' is an additively homomorphic ciphertext whose plaintext is zero.
  • the verifier can also verify the zero-knowledge proof that the above C' is an additively homomorphic ciphertext whose plaintext is zero.
  • when generating the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, the sender may generate at least one first parameter.
  • when verifying the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range, the verifier may also generate at least one second parameter.
  • the first parameter corresponds to the second parameter.
  • the same calculation method applies to the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, and to the zero-knowledge proof that C' is an additively homomorphic ciphertext whose plaintext is zero, that is, the verification that the input amount is equal to the output amount; it will not be described again here.
  • when generating the zero-knowledge proof, the sender may further generate a first verification parameter, where the first verification parameter is determined by the plurality of first parameters.
  • when verifying the zero-knowledge proof, the verification party may also generate a second verification parameter, where the second verification parameter is determined by the plurality of second parameters.
  • if the second verification parameter generated by the verifier is equal to the first verification parameter generated by the sender, the plurality of first parameters are respectively equal to their corresponding second parameters, which verifies the above zero-knowledge proof.
  • the embodiment of the present application can protect the privacy of the transaction amount in the blockchain system: without the verifier learning the plaintext of the transaction amount, it can verify whether the transaction amount is within the valid range and ensure the legality of the transaction, while allowing supervision by the regulator when needed.
  • the embodiment of the present application provides another data processing method.
  • when the plaintext M of the transaction amount has a large bit length, the supervisor may not be able to decrypt a transaction amount of that bit length efficiently.
  • the data processing method can at least include the following steps:
  • the plaintext M of the transaction amount has a bit length U and is divided into L parts M_k.
  • for example, if the bit length of the plaintext M of the transaction amount is 64 and each part M_k has a bit length of 8,
  • the maximum value of the plaintext M_k of each part of the transaction amount is 2^8 - 1.
  • bit lengths of the plaintext M k of the above L transaction amounts may not be equal.
  • the transaction amount may be an output amount, or the transaction amount may be an output amount and an input amount, depending on the initialization setting of the blockchain system.
  • the bit lengths of the output amount and the input amount are not necessarily the same. Therefore, when the sender separately divides and encrypts the output amount and the input amount, the number of parts may differ, and the bit lengths of the divided parts of the transaction amount may also differ.
  • the number of input amounts may be at least one
  • the number of output amounts may be at least one, that is, in one transaction, there may be multiple input amounts, or multiple output amounts.
  • the sender encrypts each of the L plaintexts M_k of the transaction amount by using an additive homomorphic encryption algorithm, and generates the L ciphertexts (C_k, B_k) of the transaction amount.
  • the public key of the above addition homomorphic encryption algorithm can be provided by the supervisor. Encrypting the transaction amount by using the public key provided by the regulator can ensure that the regulator can decrypt the ciphertext (C k , B k ) of the transaction amount by using the private key corresponding to the public key, so that the regulator can supervise the transaction.
  • the above additive homomorphic encryption algorithm may be an ElGamal algorithm.
  • in the ciphertext (C_k, B_k) of the transaction amount, C_k is the ciphertext body of the plaintext M_k of the transaction amount, and B_k is the auxiliary ciphertext of the plaintext M_k, which is used to assist in decrypting the ciphertext body in the subsequent supervisor decryption process.
  • r_k is a randomly generated integer,
  • G1 is a multiplicative group of prime order,
  • g4 is the public key of the above additive homomorphic encryption algorithm.
  • the sender sends the L ciphertexts (C_k, B_k) of the transaction amount to the verifier.
  • the verifier must not learn the plaintext of the transaction amount, and the sender must be protected from being tracked by users on other nodes, which would cause information leakage. Therefore, after applying additive homomorphic ElGamal encryption to the plaintext of the transaction amount, the sender directly sends the ciphertext of the transaction amount to the verifier, so that the verifier can verify the legality of the transaction amount.
  • the verifier verifies whether the plaintext M_k of the transaction amount belongs to the second valid range according to the ciphertext (C_k, B_k) of the transaction amount.
  • the verifier verifies whether the plaintext M_k of each part of the transaction amount belongs to the second valid range, wherein the bit length of each plaintext part of the transaction amount is u and the second valid range is [0, 2^u - 1].
  • the verifier can verify the zero-knowledge proof that the plaintext M_k of the transaction amount belongs to the second valid range.
  • the zero-knowledge proof that the plaintext M_k of the transaction amount belongs to the second valid range is generated by the sender.
  • the blockchain system may further include a trusted third party, which may separately generate a digital signature for each integer in the second valid range; the sender then only needs to prove that the plaintext in the ciphertext (C_k, B_k) of the transaction amount corresponds to one of the digital signatures of the integers in the second valid range, which proves that the plaintext of the transaction amount belongs to the second valid range.
  • FIG. 5 shows the process in which the sender encrypts the plaintext of the transaction amount and proves that it lies in the valid range.
  • the first is the process of encrypting the plaintext of the transaction amount.
  • the sender uses the additive homomorphic encryption algorithm to encrypt the plaintext M_k of the transaction amount to obtain the ciphertext (C_k, B_k) of the corresponding transaction amount.
  • the second is the process of proving that the plaintext M_k of the transaction amount belongs to the second valid range, in which the sender generates a zero-knowledge proof that the plaintext M_k of the transaction amount belongs to the second valid range; this zero-knowledge proof is denoted π_k.
  • the ciphertext (C_k, B_k) of the transaction amount is used to prove that the plaintext M_k of the transaction amount corresponds to one of the 2^u digital signatures G_i for i from 0 to 2^u - 1, thereby proving that the plaintext M_k of the transaction amount belongs to the second valid range [0, 2^u - 1].
  • the digital signature G_i is generated by a trusted third party in the data processing system, and G_i represents the signature of the integer i, where i ∈ [0, 2^u - 1].
  • the sender generates a_k, and the verifier verifies the correctness of a_k; if it is correct, the plaintext M_k of the transaction amount belongs to the second valid range.
  • the specific calculation method of a k can be referred to the description in the next embodiment.
  • the sender can also generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C_k, B_k) of the transaction amount.
  • the verifier can also verify the zero-knowledge proof that the above-mentioned regulator can decrypt the ciphertext (C_k, B_k) of the transaction amount.
  • the order in which the sender generates the zero-knowledge proof that the plaintext M_k of the transaction amount belongs to the second valid range and the zero-knowledge proof that the supervisor can decrypt the ciphertext (C_k, B_k) of the transaction amount is not limited.
  • the order in which the verification party verifies the zero-knowledge proof that the plaintext M_k of the transaction amount belongs to the second valid range and the zero-knowledge proof that the supervisor can decrypt the ciphertext (C_k, B_k) of the transaction amount is not limited.
  • the sender can also calculate the ciphertext C' of the difference between the input amount and the output amount, and generate a zero-knowledge proof that C' is an additively homomorphic ciphertext whose plaintext is zero.
  • the verifier can also verify the zero-knowledge proof that the above C' is an additively homomorphic ciphertext whose plaintext is zero. When the output amount is equal to the input amount, and the output amount and the input amount are both within the valid range, the transaction is proved to be legal.
  • the zero-knowledge proof that the plaintext M_k of the above transaction amount belongs to the second valid range, the zero-knowledge proof that the above C' is an additively homomorphic ciphertext whose plaintext is zero, and the zero-knowledge proof that the above-mentioned supervisor can decrypt the ciphertext (C_k, B_k) of the transaction amount are all generated by the sender and verified by the verifier. Specifically, the sender generates the corresponding parameters, and the verifier verifies the correctness of the corresponding parameters.
  • when generating the zero-knowledge proof that the plaintext M_k of each small block of the transaction amount belongs to the second valid range, the sender generates at least one first parameter for the plaintext M_k of each small block.
  • the verification party may also generate at least one second parameter when verifying that the plaintext of the transaction amount belongs to the zero-knowledge proof of the second valid range.
  • the first parameter corresponds to the second parameter.
  • the above method is also used to prove that the supervisor can decrypt the ciphertext (C k , B k ) of the transaction amount of each small block.
  • for the zero-knowledge proof that C' is an additively homomorphic ciphertext whose plaintext is zero, the sender needs to calculate a first parameter from all the input amounts and all the output amounts; it does not need to be calculated for each transaction amount separately.
  • the verifier can also calculate a second parameter from all the output amounts and all the input amounts. When the second parameter generated by the verifier is equal to the first parameter generated by the sender, it is verified that C' is a ciphertext whose plaintext is zero, that is, that the input amount is equal to the output amount.
  • when generating the zero-knowledge proof, the sender may further generate a first verification parameter, where the first verification parameter is determined by the plurality of first parameters.
  • when verifying the zero-knowledge proof, the verification party may also generate a second verification parameter, where the second verification parameter is determined by the plurality of second parameters.
  • if the second verification parameter generated by the verifier is equal to the first verification parameter generated by the sender, the plurality of first parameters are respectively equal to their corresponding second parameters, which verifies the above zero-knowledge proof.
  • S405 The regulator uses the private key corresponding to the public key to decrypt the ciphertext (C k , B k ) of the L transaction amount, and obtains the plaintext M k of the L transaction amount.
  • the supervisor has an asymmetric key pair, consisting of a public key and a private key.
  • the public key is provided to the sender to encrypt the transaction amount using the addition homomorphic encryption algorithm, obtain the encrypted ciphertext (C k , B k ), protect the transaction privacy, and prevent information leakage.
  • the private key is kept by the supervisor and used to decrypt the ciphertexts (C_k, B_k) of the transaction amount sent by the sender, obtaining the decrypted plaintexts M_k, so that the supervisor can recombine the L plaintexts M_k into the original transaction amount M and thereby supervise the transaction.
  • the regulator obtains the plaintext M of the transaction amount according to the plaintext M k of the above L transaction amount.
  • the supervisor needs to recombine the L plaintexts M_k of the transaction amount, each of bit length u, to obtain the plaintext M of the transaction amount with the original bit length U, so that the regulator can supervise the transaction.
  • Embodiments of the present application can, when the plaintext M of the transaction amount is long, divide it into the plaintexts of a number of small blocks, and then separately encrypt and decrypt the plaintext of each small block and generate its range proof; while protecting the privacy of the transaction and supporting supervision, this ensures that the regulator can effectively decrypt the ciphertext of each small block of the transaction amount.
  • the data processing method includes at least the following steps:
  • system initialization can include the following aspects:
  • the following describes the process by which the sender encrypts a single output amount. If there are multiple output amounts, the following process of encrypting a single output amount is repeated.
  • the plaintext M of the output amount is divided as an example for description.
  • the sender uses the addition homomorphic encryption algorithm to encrypt the plaintext M of the output amount, which specifically includes the following steps:
  • the sender divides the plaintext M of the output amount into L plaintexts M_k of the output amount, each of bit length u.
  • the above-described addition and homomorphic encryption algorithm may be an ElGamal algorithm.
  • in the ciphertext (C_k, B_k) of the output amount, C_k is the ciphertext body of the plaintext M_k of the output amount, and B_k is the auxiliary ciphertext of the plaintext M_k of the output amount, which is used to assist in decrypting the ciphertext body in the subsequent supervisor decryption process.
  • the zero-knowledge proof generated by the sender includes the following aspects:
  • the sender generates a zero-knowledge proof that the supervisor can decrypt the ciphertext (C k , B k ) of each output amount.
  • the ciphertext body C of an output amount can be derived from the L parts obtained after the division.
  • the above process may be repeated for encryption and certification; or the ciphertext of the transaction amount received by the sender in the last transaction may be directly used as the input amount of the transaction, and the above process need not be repeated.
  • whether the sender directly uses the ciphertext of the transaction amount received in the last transaction depends on the initial setting of the transaction model of the blockchain system, that is, on whether the sender directly forwards to the receiver the transaction amount it received in the last transaction, or regenerates the input amount in each transaction.
  • the random number of the ciphertext body, and the random number of the ciphertext body C'. The sender then generates a random number to calculate the first parameter.
  • the difference between the plaintext of the total input amount and the plaintext of the total output amount is calculated; on the encrypted data, the corresponding calculation is the ratio of the ciphertext of the total input amount to the ciphertext of the total output amount.
  • the ciphertext of the total output amount is equal to the multiplication of the ciphertexts of the plurality of output amounts, and the ciphertext of the total input amount is equal to the multiplication of the ciphertexts of the plurality of input amounts.
  • the sender calculates a first verification parameter d, which is the result of a hash function H whose input includes the above parameters, among them a_k.
  • the sender also outputs response values Z for all output amounts and all input amounts. If, in the blockchain system, the sender regenerates the input amount in each transaction, the sender must finally output the corresponding parameters (including Z_Mk, Z_rt and Z_vt) for each input amount as well; the sender sends all of the above output parameters to the verifier.
  • the verifier verifies that the zero-knowledge proof includes the following aspects:
  • the verifier verifies that the plaintext M k of each output amount belongs to the zero-knowledge proof of the second valid range and the zero-knowledge proof that the supervisor can decrypt.
  • the first parameters generated by the sender are used to prove that the plaintext M_k of the output amount has a corresponding digital signature generated by the trusted third party, that is, to prove that the plaintext M_k of the output amount belongs to the second valid range;
  • the first parameter generated by the sender is also used to prove that C_k is a legal ciphertext, which proves that the supervisor can decrypt the ciphertext.
  • Proof verification covers the following three aspects:
  • the verifier verifies that the plaintext M k of each output amount belongs to the second valid range
  • the verifier verifies that C' is the ciphertext with the plaintext zero encrypted, that is, the output amount is equal to the input amount;
  • the verifier verifies that the supervisor can decrypt the ciphertext (C k , B k ) of each output amount.
  • the first and second aspects of the above verification verify the legality of the transaction; the third aspect of the above verification verifies the legality of the ciphertext.
  • the input of the hash function H includes the parameters listed above, among them C_k, E_k, V_k and a_k.
  • the verifier verifies the legitimacy of the transaction.
  • the supervisor decryption can include the following aspects:
  • the regulator uses its private key ask to decrypt the ciphertext (C_k, B_k) of each output amount,
  • the regulator calculates g3^0, g3^1, ..., compares each with the decryption result, and so finds the plaintext M_k of the output amount.
  • the regulator can precompute g3^i, where i is an integer and i ∈ [0, 2^u - 1], and generate a precomputed table (g3^0, g3^1, ..., g3^(2^u - 1)), which the supervisor can reuse across multiple decryptions.
  • the result obtained by each decryption is compared with the precomputed table to find the value of the plaintext M_k of the output amount.
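As an added, self-contained illustration (not the patent's own code), the following Python models the second method end to end on a toy prime-order group: the sender splits a U-bit amount into L chunks of u bits, encrypts each chunk with additive ElGamal under the supervisor's public key g4 = g3^ask, and proves that the input/output ratio ciphertext C' has plaintext zero with a Chaum-Pedersen style Fiat-Shamir proof (first parameters a1, a2, verification parameter d = H(...), recomputed by the verifier); the supervisor decrypts each chunk through the precomputed table of g3^i and recombines M. The proof construction and the 2^(u·k) weighting of the chunk ciphertexts are my assumptions, since the patent text does not spell them out.

```python
import hashlib
import secrets

# Constructed toy parameters (not from the patent): total bit length U, chunk bit length u.
U, u = 16, 8
L = U // u                       # number of chunks M_k per amount

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def safe_prime(bits):
    """Smallest safe prime p = 2q + 1 with q > 2**bits (toy size, trial division)."""
    q = (1 << bits) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

p, q = safe_prime(20)            # G1: the order-q subgroup of Z_p^*; q > 2**U so sums never wrap
g3 = 4                           # 2^2 is a quadratic residue, hence has order q
ask = secrets.randbelow(q - 1) + 1   # supervisor's private key
g4 = pow(g3, ask, p)             # supervisor's public key g4 = g3^ask

def encrypt(m, r):
    """Additive ElGamal: ciphertext body C = g3^m * g4^r, auxiliary ciphertext B = g3^r."""
    return pow(g3, m, p) * pow(g4, r, p) % p, pow(g3, r, p)

def split(M):
    """Divide a U-bit plaintext M into L chunks M_k of u bits (least significant first)."""
    return [(M >> (u * k)) & ((1 << u) - 1) for k in range(L)]

def recombine(chunks):
    return sum(m << (u * k) for k, m in enumerate(chunks))

def encrypt_amount(M):
    """Sender: returns the L chunk ciphertexts (C_k, B_k) and the random r_k used for each."""
    if not 0 <= M < (1 << U):
        raise ValueError("amount outside [0, 2^U - 1]")
    rs = [secrets.randbelow(q) for _ in range(L)]
    return [encrypt(m, r) for m, r in zip(split(M), rs)], rs

# Supervisor: precomputed table g3^i for i in [0, 2^u - 1], reused across decryptions.
TABLE = {pow(g3, i, p): i for i in range(1 << u)}

def decrypt_chunk(C, B):
    """C / B^ask = g3^m; the table maps g3^m back to m (None if m is out of range)."""
    return TABLE.get(C * pow(B, q - ask, p) % p)   # B^(q-ask) = B^-ask since B^q = 1

def decrypt_amount(cts):
    chunks = [decrypt_chunk(C, B) for C, B in cts]
    if None in chunks:
        raise ValueError("chunk plaintext outside the second valid range")
    return recombine(chunks)

# Balance check. Assumption: chunk ciphertexts are weighted by 2^(u*k) in the exponent
# to obtain the ciphertext of the whole amount before the input/output ratio is formed.
def total_ciphertext(cts):
    C, B = 1, 1
    for k, (Ck, Bk) in enumerate(cts):
        w = 1 << (u * k)
        C, B = C * pow(Ck, w, p) % p, B * pow(Bk, w, p) % p
    return C, B

def difference_ciphertext(inputs, outputs):
    """C' = (product of input ciphertexts) / (product of output ciphertexts)."""
    Ci, Bi, Co, Bo = 1, 1, 1, 1
    for cts in inputs:
        C, B = total_ciphertext(cts)
        Ci, Bi = Ci * C % p, Bi * B % p
    for cts in outputs:
        C, B = total_ciphertext(cts)
        Co, Bo = Co * C % p, Bo * B % p
    return Ci * pow(Co, q - 1, p) % p, Bi * pow(Bo, q - 1, p) % p   # x^(q-1) = x^-1 in G1

def difference_randomness(in_rs, out_rs):
    """Randomness r' of C' (known to the sender only), weighted like the ciphertexts."""
    weight = lambda rs: sum(r << (u * k) for k, r in enumerate(rs))
    return (sum(map(weight, in_rs)) - sum(map(weight, out_rs))) % q

def H(*vals):
    return int.from_bytes(hashlib.sha256("|".join(map(str, vals)).encode()).digest(), "big") % q

def prove_zero(Cp, Bp, rp):
    """Sender: first parameters a1, a2; first verification parameter d = H(...); response z."""
    v = secrets.randbelow(q)
    a1, a2 = pow(g3, v, p), pow(g4, v, p)
    d = H(g3, g4, Bp, Cp, a1, a2)
    return d, (v - d * rp) % q

def verify_zero(Cp, Bp, d, z):
    """Verifier: recompute the second parameters; the second verification parameter must equal d."""
    a1 = pow(g3, z, p) * pow(Bp, d, p) % p
    a2 = pow(g4, z, p) * pow(Cp, d, p) % p
    return H(g3, g4, Bp, Cp, a1, a2) == d

def run_transaction(input_amounts, output_amounts):
    """Sender encrypts and proves balance, verifier checks, supervisor decrypts the outputs."""
    ins = [encrypt_amount(M) for M in input_amounts]
    outs = [encrypt_amount(M) for M in output_amounts]
    Cp, Bp = difference_ciphertext([c for c, _ in ins], [c for c, _ in outs])
    rp = difference_randomness([r for _, r in ins], [r for _, r in outs])
    d, z = prove_zero(Cp, Bp, rp)
    return verify_zero(Cp, Bp, d, z), [decrypt_amount(c) for c, _ in outs]
```

`run_transaction([50000], [30000, 20000])` returns `(True, [30000, 20000])`, while `run_transaction([50000], [30000, 20001])` returns `(False, [30000, 20001])`: the proof fails because the ratio ciphertext no longer has plaintext zero, yet the supervisor can still decrypt every chunk. Range proofs for each M_k (the per-integer signature scheme) are not modelled here.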
  • the embodiment of the present application provides a specific calculation method for the data processing method, according to which the plaintext of the transaction amount can be divided, and each small block of plaintext is then encrypted, decrypted and proved to lie in the valid range. While protecting transaction privacy and supporting supervision, the regulator can effectively decrypt the ciphertext of each small block of the transaction amount, restore the plaintext M of the transaction amount, and effectively supervise the transaction.
  • the embodiment of the present application further provides a sender, which is applied to the blockchain system shown in FIG. 1.
  • the system may include at least a sender and a verifier.
  • the sender 70 may at least include: an encryption unit 710 and a sending unit 720.
  • the encryption unit 710 encrypts the plaintext M of the transaction amount by using the addition homomorphic encryption algorithm, and generates a ciphertext (C, B) of the transaction amount; wherein, the length of the plaintext M of the transaction amount is U.
  • (C, B) is the ciphertext of the transaction amount.
  • the sending unit 720 is configured to send the ciphertext (C, B) of the transaction amount to the verification party, so that the verification party verifies whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2^U - 1]; please refer to the description of S302 for details.
  • g 4 is the public key of the above addition homomorphic encryption algorithm
  • g 4 g 3 ask
  • ask is the private key of the above addition homomorphic encryption algorithm.
  • the above blockchain system further includes a supervisor.
  • the above encryption unit 710 includes a division subunit 7110 and an encryption subunit 7120, where:
  • the encryption subunit 7120 is configured to encrypt each of the L parts of the transaction-amount plaintext by using the additive homomorphic encryption algorithm, generating L ciphertexts (C_k, B_k), so that the above-mentioned supervisor can use the private key corresponding to the public key to decrypt the L ciphertexts (C_k, B_k), obtain the L plaintext parts M_k, and recover the plaintext M of the transaction amount from the L plaintext parts M_k;
  • the public key of the above-described addition homomorphic encryption algorithm is provided by the supervisor; for details, please refer to the descriptions of S402, S405 and S406, or refer to the description of 2) in S602.
  • the sending unit 720 is configured to send the L ciphertexts (C_k, B_k) of the transaction amount to the verification party, so that the verification party verifies, from each ciphertext (C_k, B_k), whether its plaintext M_k belongs to the second valid range; the second valid range is [0, 2^u - 1], and u is the bit length of the plaintext of the transaction amount.
  • the sender 70 further includes a first generating unit 730, configured to generate a zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; the description of 2) in S603 gives the details.
  • the sending unit 720 is configured to send the ciphertext (C, B) of the transaction amount to the verification party, so that the verification party verifies, according to the ciphertext (C, B) of the transaction amount, the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range.
  • the transaction amount includes an output amount.
  • the sender 70 further includes a second generating unit 740, configured to calculate the ciphertext C' of the difference between the input amount and the output amount, and to generate a zero-knowledge proof that C' is an additive homomorphic ciphertext encrypting the plaintext zero,
  • so that the above-mentioned verifier verifies the zero-knowledge proof that the above C' is an additive homomorphic ciphertext encrypting the plaintext zero; the above C' is the ciphertext calculated from the ciphertext of the output amount and the ciphertext of the input amount.
  • the ciphertext of the input amount is the ciphertext of the amount received by the sender 70 in the previous transaction, or the ciphertext generated by the sender 70 encrypting, with the additive homomorphic encryption algorithm, the amount generated in the current transaction; refer to the description in 3) of S603.
  • the system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor; for a detailed description, refer to the description of S301.
  • the sender 70 further includes a third generating unit 750, configured to generate a zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount, so that the verifying party verifies that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; please refer to the description of 1) in S603 for details.
  • the system further includes a third party, configured to provide a random secret Y; the random secret Y is used to generate a digital signature for each integer in the first valid range.
  • the first generating unit 730 is configured to generate, according to the digital signature generated with the random secret Y provided by the third party for each integer in the first valid range, the zero-knowledge proof that the plaintext M of the ciphertext C of the transaction amount belongs to the first valid range; please refer to the description of 2) in S603 for details.
  • the embodiment of the present application further provides a verification party, which is applied to the blockchain system shown in FIG. 1.
  • the system may include at least a sender and a verification party.
  • the verification party 80 may at least include a receiving unit 810 and a verification unit 820, where:
  • the receiving unit 810 is configured to receive the ciphertext (C, B) of the transaction amount sent by the sender 70; the ciphertext (C, B) of the transaction amount is the ciphertext obtained by the sender 70 encrypting the plaintext M of the transaction amount with the additive homomorphic encryption algorithm, and the bit length of the plaintext M of the transaction amount is U.
  • the verification unit 820 is configured to verify, according to the ciphertext (C, B) of the transaction amount, whether the plaintext M of the transaction amount belongs to the first valid range; the first valid range is [0, 2^U - 1]. Please refer to the description of S303 or S404 for details.
  • the verification unit 820 is configured to verify the zero-knowledge proof that the plaintext M of the transaction amount belongs to the first valid range; this zero-knowledge proof is generated by the sender 70. For details, please refer to the description of 1) in S604.
  • the transaction amount includes an output amount; the verification unit 820 is further configured to verify the zero-knowledge proof that the ciphertext C' of the difference between the input amount and the output amount is an additive homomorphic ciphertext encrypting the plaintext zero.
  • C' is the ciphertext calculated from the ciphertext of the output amount and the ciphertext of the input amount; the ciphertext of the input amount is the ciphertext of the amount received by the sender 70 in the previous transaction, or the ciphertext generated by the sender 70 encrypting, with the additive homomorphic encryption algorithm, the amount generated in the current transaction.
  • the zero-knowledge proof that the ciphertext C' of the difference between the input amount and the output amount is an additive homomorphic ciphertext with plaintext zero is generated by the sender 70. For details, please refer to the description of 2) in S604.
  • the blockchain system further includes a supervisor, and the public key of the additive homomorphic encryption algorithm is provided by the supervisor.
  • the verification unit 820 is further configured to verify the zero-knowledge proof that the supervisor can decrypt the ciphertext (C, B) of the transaction amount; this zero-knowledge proof is generated by the sender 70. Please refer to the description of 1) in S604 for details.
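An added worked example, not the patent's own code, of the two mechanisms described above: the supervisor's table-lookup decryption of segmented amounts, and the difference ciphertext C' whose plaintext must be zero. It uses lifted (exponential) ElGamal with the page's key relation g4 = g3^ask; the ciphertext form (C, B) = (g3^M · g4^r, g3^r), the toy modulus, the split of a U-bit M into L parts of u bits each, and decrypting C' with the supervisor key in place of the zero-knowledge proof are all assumptions made for the example.

```python
"""Added example (not the patent's code): lifted/exponential ElGamal over a
toy prime-order subgroup, showing the page's supervisor decryption by
precomputed table, segmented encryption of a U-bit amount into L u-bit parts,
and the homomorphic difference ciphertext C' used for the balance check.

Assumptions (the page gives only g4 = g3^ask and the pair (C, B)):
  (C, B) = (g3^m * g4^r, g3^r)  with random r, so C / B^ask = g3^m.
Toy parameters p = 1019 = 2*509 + 1; never reuse for real keys."""
import secrets

P = 1019                 # safe prime, q = (P - 1) / 2 = 509 is prime
Q = (P - 1) // 2
G3 = 4                   # 2^2 is a quadratic residue, hence of prime order q


def keygen():
    """Supervisor key pair: private ask, public g4 = g3^ask (as on the page)."""
    ask = secrets.randbelow(Q - 1) + 1
    return ask, pow(G3, ask, P)

def encrypt(g4, m):
    """Encrypt a small integer m; exponents must stay below q to be unambiguous."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G3, m, P) * pow(g4, r, P)) % P, pow(G3, r, P)

def add_ct(ct1, ct2):
    """Additive homomorphism: componentwise product encrypts m1 + m2."""
    return (ct1[0] * ct2[0]) % P, (ct1[1] * ct2[1]) % P

def sub_ct(ct1, ct2):
    """Ciphertext of m1 - m2 (this is how C' = input - outputs is formed)."""
    return (ct1[0] * pow(ct2[0], -1, P)) % P, (ct1[1] * pow(ct2[1], -1, P)) % P

def build_table(u):
    """Precomputed table mapping g3^i -> i for i in [0, 2^u - 1]; built once, reused."""
    return {pow(G3, i, P): i for i in range(2 ** u)}

def decrypt(ask, ct, table):
    """Recover g3^m = C / B^ask and look it up; None if m is outside the table range."""
    c, b = ct
    gm = (c * pow(pow(b, ask, P), -1, P)) % P
    return table.get(gm)

def split_amount(m, big_u, u):
    """Cut the U-bit plaintext M into L = U/u parts of u bits, least significant first."""
    if not (0 <= m < 2 ** big_u and big_u % u == 0):
        raise ValueError("amount out of range or U not a multiple of u")
    return [(m >> (u * k)) & (2 ** u - 1) for k in range(big_u // u)]

def sender_encrypt_parts(g4, m, big_u, u):
    """Sender side: one ciphertext (C_k, B_k) per u-bit part M_k."""
    return [encrypt(g4, mk) for mk in split_amount(m, big_u, u)]

def supervisor_recover(ask, parts_ct, table, u):
    """Supervisor side: decrypt each (C_k, B_k) with the small table, rebuild M."""
    parts = [decrypt(ask, ct, table) for ct in parts_ct]
    if any(mk is None for mk in parts):
        return None                      # some part fell outside [0, 2^u - 1]
    return sum(mk << (u * k) for k, mk in enumerate(parts))

def difference_is_zero(ask, ct_in, ct_outs, table):
    """Sanity check of the relation the page's ZK proof attests: C' encrypts 0.
    The proof itself is not implemented here; C' = ct_in - sum(ct_outs) is
    decrypted with the supervisor key only to show it has plaintext zero iff
    the input amount equals the sum of the output amounts."""
    total_out = ct_outs[0]
    for ct in ct_outs[1:]:
        total_out = add_ct(total_out, ct)
    return decrypt(ask, sub_ct(ct_in, total_out), table) == 0


if __name__ == "__main__":
    ask, g4 = keygen()
    table4 = build_table(4)              # 16 entries serve every 4-bit part
    print(hex(supervisor_recover(ask, sender_encrypt_parts(g4, 0xBEEF, 16, 4), table4, 4)))
```

With U = 16 and u = 4 the supervisor needs a 16-entry table instead of a 65536-entry one, which is the efficiency point of the segmentation; an out-of-range part or an unbalanced transaction shows up as a failed lookup.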
  • the embodiment of the present application further provides another sender.
  • the sender 90 may at least include: at least one processor 901, at least one network interface 904, a user interface 903, a memory 905, at least one communication bus 902, and a display 906.
  • the communication bus 902 is used to implement connection communication between these components.
  • each component in the sender 90 may also be coupled through other connectors, which may include various types of interfaces, transmission lines, buses, etc.
  • coupling refers to interconnections in a particular manner, including being directly connected or indirectly connected by other devices.
  • the processor 901 may include at least one of the following types: a central processing unit (CPU), a digital signal processor (DSP), a microprocessor, an application specific integrated circuit (ASIC), a microcontroller unit (MCU), a field programmable gate array (FPGA), or an integrated circuit for implementing logic operations.
  • processor 901 can be a single-CPU processor or a multi-core processor.
  • the plurality of processors or units included within processor 901 may be integrated in one chip or on a plurality of different chips.
  • the user interface 903 may include a keyboard, a physical button (pressing a button, a rocker button, etc.), a dial, a slide switch, a joystick, a click wheel, a light mouse (a light mouse is a touch sensitive surface that does not display a visual output, or is The extension of the touch sensitive surface formed by the touch screen) and the like.
  • the network interface 904 may optionally include a standard wired interface or a wireless interface (such as a Wi-Fi interface).
  • the memory 905 may be a non-volatile memory that retains its contents when powered down, such as an embedded multimedia card (EMMC), universal flash storage (UFS), or read-only memory (ROM).
  • in the embodiment of the present application the memory 905 is flash, but it may be another type of static storage device that can store static information and instructions; it may also be a volatile memory, such as random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM) or a compact disc read-only memory (CD-ROM).
  • it may likewise be other optical disc storage (compact discs, laser discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other computer readable storage medium that can carry or store program code in the form of instructions or data structures and be accessed by a computer, but is not limited thereto.
  • the memory 905 can also optionally be at least one storage system located away from the foregoing processor 901. As shown in FIG. 9, an operating system, a network communication module, a user interface module, and program instructions may be included in the memory 905 as a computer storage medium.
  • Memory 905 can exist independently and coupled to processor 901 via a connector.
  • the memory 905 can also be integrated with the processor 901.
  • the memory 905 can store each of the program instructions that execute the solution of the present application.
  • the computer program instructions are controlled by the processor 901, and various types of computer program instructions to be executed can also be regarded as the driver of the processor 901.
  • the processor 901 is configured to execute computer program instructions stored in the memory 905 to implement the method in the method embodiments of FIGS. 3-6 of the present application.
  • the computer program instructions may be numerous and form computer executable instructions that at least one of the processors 901 executes, driving the associated processor to perform various types of processing, such as processing algorithms for communication signals that support the various wireless communication protocols described above, running the operating system, or running applications.
  • Display 906 is used to display information input by the user.
  • display 906 can include a display panel and a touch panel.
  • the display panel can be configured as a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, a light emitting diode (LED) display device, a cathode ray tube (CRT), etc.
  • the touch panel, also known as a touch screen or touch sensitive screen, can collect the user's contact or non-contact operations on or near it (for example, operations the user performs with a finger, a stylus, etc.).
  • the operation near the touch panel may also include a somatosensory operation; the operation includes a single-point control operation, a multi-point control operation, and the like, and the corresponding connected device is driven according to a preset program.
  • the verification party 100 may include at least: at least one processor 1001, at least one network interface 1004, a user interface 1003, a memory 1005, at least one communication bus 1002, and a display 1006.
  • the communication bus 1002 is used to implement connection communication between these components.
  • each component in the verification party 100 may also be coupled by other connectors, which may include various types of interfaces, transmission lines, buses, etc.
  • coupling refers to interconnections in a particular manner, including being directly connected or indirectly connected by other devices.
  • the processor 1001 is similar to the processor 901, and details are not described herein again.
  • the user interface 1003 is similar to the user interface 903 and will not be described here.
  • the memory 1005 is similar to the memory 905.
  • the processor 1001 is configured to execute the computer program instructions stored in the memory 905, so as to implement the method in the method embodiment of FIG. 3 to FIG. 6 in the present application, and details are not described herein.
  • the display 1006 is similar to the display 906 and will not be described again.
  • the embodiment of the present application further provides a computer readable storage medium, where the computer readable storage medium stores instructions, when it is run on a computer or a processor, causing the computer or the processor to execute any of the above data processing methods.
  • the various component modules of the above apparatus may be stored in the computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the embodiment of the present application further provides a computer program product including instructions. The part of the technical solution of the present application that contributes to the prior art, or all or part of the technical solution, may be embodied as a software product.
  • the computer software product is stored in a storage medium and includes a number of instructions for causing a computer device, a mobile terminal, or a processor therein to perform all or part of the steps of the methods described in the various embodiments of the present application.
  • for the type of storage medium, please refer to the description of the memory 905 or 1005.
  • the modules in the apparatus of the embodiment of the present application may be combined, divided, and deleted according to actual needs.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

An embodiment of the present invention relates to a data processing method, a related apparatus, and a blockchain system. The method includes the following steps: a sender uses an additive homomorphic encryption algorithm to encrypt a plaintext M of a transaction amount so as to generate a ciphertext of the transaction amount, the bit length of the plaintext M of the transaction amount being U; the sender sends the ciphertext of the transaction amount to a verification party; according to the ciphertext of the transaction amount, the verification party verifies whether the plaintext M of the transaction amount lies in a first valid range of [0, 2^U - 1]. The embodiment of the present invention can protect the confidentiality of a transaction amount in a blockchain system, and protect the legitimacy of a transaction by verifying whether the transaction amount lies in a valid range while the verification party is unable to learn the plaintext of the transaction amount.
PCT/SG2018/050200 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system WO2019209168A2 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201880092481.XA CN111989891B (zh) 2018-04-26 Data processing method, related apparatus and blockchain system
PCT/SG2018/050200 WO2019209168A2 (fr) 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SG2018/050200 WO2019209168A2 (fr) 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system

Publications (2)

Publication Number Publication Date
WO2019209168A2 true WO2019209168A2 (fr) 2019-10-31
WO2019209168A3 WO2019209168A3 (fr) 2019-12-12

Family

ID=68295255

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2018/050200 WO2019209168A2 (fr) 2018-04-26 2018-04-26 Data processing method, related apparatus, and blockchain system

Country Status (1)

Country Link
WO (1) WO2019209168A2 (fr)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111161075A (zh) * 2019-12-31 2020-05-15 深圳市网心科技有限公司 Blockchain transaction data proof supervision method, system and related device
CN111355578A (zh) * 2020-03-16 2020-06-30 北京有链科技有限公司 Public key encryption and decryption method and system with two supervisors
CN111429138A (zh) * 2020-03-25 2020-07-17 中国工商银行股份有限公司 Blockchain node data secure interaction method and first interaction node
CN111931209A (zh) * 2020-08-18 2020-11-13 金网络(北京)电子商务有限公司 Contract information verification method and apparatus based on zero-knowledge proof
CN112734423A (zh) * 2020-12-31 2021-04-30 杭州趣链科技有限公司 Blockchain-based transaction method and terminal device
CN114257366A (zh) * 2021-12-20 2022-03-29 成都卫士通信息产业股份有限公司 Information homomorphic processing method, apparatus, device and computer readable storage medium
US11341487B2 (en) 2018-12-29 2022-05-24 Advanced New Technologies Co., Ltd. System and method for information protection
US11341492B2 (en) 2018-08-30 2022-05-24 Advanced New Technologies Co., Ltd. Method, apparatus and electronic device for blockchain transactions
US11379826B2 (en) 2018-08-06 2022-07-05 Advanced New Technologies Co., Ltd. Method, apparatus and electronic device for blockchain transactions
CN116432204A (zh) * 2023-04-20 2023-07-14 兰州理工大学 Supervisable transaction privacy protection method based on homomorphic encryption and zero-knowledge proof
CN116886268A (zh) * 2023-08-10 2023-10-13 云海链控股股份有限公司 Data transmission verification method, apparatus, device and computer readable storage medium
WO2024001558A1 (fr) * 2022-06-29 2024-01-04 中兴通讯股份有限公司 Data processing method and device, computer device and readable storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9613292B1 (en) * 2012-01-26 2017-04-04 Hrl Laboratories, Llc Secure multi-dimensional pattern matching for secure search and recognition
US11062303B2 (en) * 2015-06-08 2021-07-13 Blockstream Corporation Cryptographically concealing amounts transacted on a ledger while preserving a network's ability to verify the transaction
WO2017107047A1 (fr) * 2015-12-22 2017-06-29 华为技术有限公司 User attribute matching method and terminal
CN106549749B (zh) * 2016-12-06 2019-12-24 杭州趣链科技有限公司 Blockchain privacy protection method based on additive homomorphic encryption
CN106911470B (zh) * 2017-01-23 2020-07-07 北京航空航天大学 Bitcoin transaction privacy enhancement method
CN107317666B (zh) * 2017-05-25 2020-04-10 深圳前海大道金融服务有限公司 Parallel fully homomorphic encryption and decryption method supporting floating-point operations
CN108021821A (zh) * 2017-11-28 2018-05-11 北京航空航天大学 Multi-center blockchain transaction privacy protection system and method

Also Published As

Publication number Publication date
WO2019209168A3 (fr) 2019-12-12
CN111989891A (zh) 2020-11-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18916534; Country of ref document: EP; Kind code of ref document: A2)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18916534; Country of ref document: EP; Kind code of ref document: A2)