WO2021143029A1 - 零知识证明方法、装置及存储介质 - Google Patents

零知识证明方法、装置及存储介质 Download PDF

Info

Publication number
WO2021143029A1
WO2021143029A1 PCT/CN2020/093629 CN2020093629W WO2021143029A1 WO 2021143029 A1 WO2021143029 A1 WO 2021143029A1 CN 2020093629 W CN2020093629 W CN 2020093629W WO 2021143029 A1 WO2021143029 A1 WO 2021143029A1
Authority
WO
WIPO (PCT)
Prior art keywords
proof
data
multiplication
formula
zero
Prior art date
Application number
PCT/CN2020/093629
Other languages
English (en)
French (fr)
Inventor
陆陈一帆
来学嘉
贾牧
谢丹力
张鹏程
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2021143029A1 publication Critical patent/WO2021143029A1/zh

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • This application relates to the field of blockchain technology, in particular to a zero-knowledge proof method, device, and computer-readable storage medium.
  • Zero-Knowledge Proof (Zero-Knowledge Proof) is developed by S.Gold It was proposed by wasser, S. Micali and C. Rackoff in the early 1980s. It refers to the ability of the prover to convince the verifier that a certain assertion is correct without providing any useful information to the verifier.
  • Zero-knowledge proof is essentially an agreement involving two or more parties, that is, a series of steps that two or more parties need to take to complete a task. The prover proves to the verifier and makes it believe that he knows or possesses a certain message, but the certification process cannot disclose any information about the certified message to the verifier.
  • the certification protocols used are also diverse.
  • the Multiplication Proof Agreement (Commitment Multiplication Protocol) is used to prove that an encrypted number is the encrypted product of two other encrypted numbers.
  • the inventor realizes that the existing multiplication certification protocols mainly rely on multi-party secure calculations. These multiplication certification protocols not only have a very complicated calculation process and a large amount of calculation, but also have multiple rounds of data interaction, and the overall efficiency is very poor.
  • the multiplication proof protocol that does not rely on multi-party secure calculations will generate a large number of parameters, which will consume a large amount of storage space and is poor in practicability.
  • this application provides a zero-knowledge proof method, device, and computer-readable storage medium, the main purpose of which is to not only improve the calculation efficiency of the multiplication proof protocol, but also effectively control the data size generated by the proof.
  • this application provides a zero-knowledge proof method, which includes:
  • One or more trusted third parties create base points g, h, i and upload them to the public data storage system;
  • the proof initiator creates a multiplication proof based on the base point, and proves that the encrypted product data [ab] encrypted data is data a under the premise that the encrypted data [a] and [b] are known but the original data a and b are not known And the product of data b;
  • Any third party verifies the proof of multiplication based on the base point.
  • the present application also provides a zero-knowledge proof device, including a memory and a processor, the memory stores a zero-knowledge proof system that can run on the processor, and the zero-knowledge proof system When executed by the processor, the steps of the zero-knowledge proof method as described below are realized:
  • One or more trusted third parties create base points g, h, i and upload them to the public data storage system;
  • the proof initiator creates a multiplication proof based on the base point, and proves that the encrypted product data [ab] encrypted data is data a under the premise that the encrypted data [a] and [b] are known but the original data a and b are not known And the product of data b;
  • Any third party verifies the proof of multiplication based on the base point.
  • the present application also provides a computer-readable storage medium storing a zero-knowledge proof system, and the zero-knowledge proof system can be executed by at least one processor to enable The at least one processor executes the steps of the zero-knowledge proof method as described below:
  • One or more trusted third parties create base points g, h, i and upload them to the public data storage system;
  • the proof initiator creates a multiplication proof based on the base point, and proves that the encrypted product data [ab] encrypted data is data a under the premise that the encrypted data [a] and [b] are known but the original data a and b are not known And the product of data b;
  • Any third party verifies the proof of multiplication based on the base point.
  • the zero-knowledge proof method, device and computer-readable storage medium proposed in this application provide a new multiplication proof creation and verification scheme that does not rely on multi-party secure calculations.
  • the created multiplication proof is only equivalent to a digital signature Sig_xy or
  • the size of the number p can be disclosed, and any third party can verify whether the proof of multiplication is passed or not through a simple formula calculation.
  • This proof protocol is not only computationally efficient, but the data generated by the proof is very small, which is very suitable for public data storage and distributed databases such as blockchain.
  • Figure 1 is a flow chart of a preferred embodiment of the zero-knowledge proof method for the application
  • Figure 2 is a schematic diagram of a preferred embodiment of the zero-knowledge proof device of the application
  • This application provides a zero-knowledge proof method.
  • FIG. 1 it is a flowchart of a preferred embodiment of the zero-knowledge proof method of this application.
  • the method supports any proof initiator to propose a transaction to prove that a corresponding encrypted product data is the product of two other corresponding encrypted data, and supports any third party to carry out the certification Inspection, the method includes the steps:
  • One or more trusted third parties create base points g, h, and i and upload them to the public data storage system;
  • the proof initiator creates a multiplication proof based on the base point, and proves that the encrypted product data [ab] is encrypted data under the premise that the encrypted data [a] and [b] are known but the original data a and b are not known The product of data a and data b.
  • Independent data storage system refers to third-party platforms such as blockchain networks, distributed databases, cloud servers, and distributed systems.
  • , there is h g ⁇ n in the operation of the discrete logarithm problem, where g is the basis. Due to the complexity of the discrete logarithm problem, It is difficult to calculate the value of the integer n with the knowledge of h and g. Therefore, the calculation environment involved in this application is based on calculations on an elliptic curve. In an elliptic curve, the basis is a point, not a number.
  • [a] is the encrypted text of the original text a
  • [b] is the encrypted text of the original text b.
  • This application needs to create a ciphertext [ab] and prove to a third party that [ab] is the encrypted ciphertext of the product of a and b. in:
  • the public data storage system may be cloud storage or a blockchain network.
  • the public data storage system is mainly used to store public parameters (the base point), and can also store the encrypted product data, known encrypted data, and parameters related to the multiplication certification protocol.
  • the proof initiator proposes a transaction to prove that a corresponding encrypted product data is the product of the other two corresponding encrypted data
  • any third party can prove according to the public parameters, the corresponding encrypted product data, the corresponding known encrypted data, and the multiplication. Protocol-related parameters determine whether the corresponding encrypted product data is the product of two corresponding known encrypted data.
  • a trusted third party creates the base points g, h, i, or multiple trusted third parties create the base points g, h, i together.
  • g is a public parameter
  • h and i are set by a trusted third party or set by multiple trusted third parties' own platforms through a network (such as the Internet, blockchain network) collaboratively set and uploaded to the public data storage system of.
  • step S2 the certification initiator creates a ciphertext [ab] through the first formula, and sets its key z to ay + bx.
  • data a is the unit price of goods
  • data b is the quantity of goods
  • step S3 the certification initiator uses xy (representing the product of the above x and y) as the private key and it ⁇ xy as the public key to create the multiplication certificate.
  • the public key it ⁇ xy can be obtained by the second formula, or can be directly generated according to the base point i. Use the private key xy to digitally sign the relevant parameters of the certification transaction request (the specific parameters are not limited in this embodiment) to obtain Sig_xy, and disclose Sig_xy.
  • the public Sig_xy is the proof of multiplication.
  • step S4 any third party can verify the proof of multiplication in the following ways:
  • the traditional digital signature verification method is used to detect whether Sig_xy is signed by the private key xy corresponding to P_xy, and the specific method is not repeated here.
  • [ab] encrypted data ab is the invoice amount
  • data a is the unit price of the goods
  • data b is the quantity of the goods.
  • the principle of the above verification scheme is: if it is proved that the initiator does not know xy, or the non-xy value z is selected as the private key, then because of the discrete logarithm problem, it is proved that the initiator does not know the correspondence between the base point h and the base point i, then Unable to create the secret key "?” corresponding to the encrypted share ab (g ⁇ ab * h ⁇ ?); It is also impossible to create any other encryption share c (arbitrary value) corresponding key "?” (g ⁇ c * h ⁇ ?); it is also impossible to create a Range Proof (range of the encrypted share ab) Prove).
  • the public p is the proof of multiplication.
  • step S4 any third party can verify the proof of multiplication in the following ways:
  • this program Compared with the previous program, this program generates smaller data and requires less storage space.
  • the embodiment of this application proposes a new multiplication proof creation and verification scheme that does not rely on multi-party secure calculations.
  • the created multiplication proof is only equivalent to the size of a digital signature Sig_xy or a publicly available number p, and any third party simply The formula calculation can check whether the proof of multiplication is passed.
  • This proof protocol is not only computationally efficient, but the data generated by the proof is very small, which is very suitable for public data storage and distributed databases such as blockchain.
  • FIG. 2 is a schematic diagram of a preferred embodiment of the zero-knowledge certification device of this application.
  • the zero-knowledge certification device 1 is suitable for the above-mentioned zero-knowledge certification method.
  • the zero-knowledge certification device 1 includes a memory 11, a processor 12, and a network interface 13.
  • the memory 11 includes at least one type of readable storage medium, and the readable storage medium includes flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory, etc.), magnetic memory, magnetic disk, optical disk, and the like.
  • the memory 11 may be an internal storage unit of the zero-knowledge certification device 1 in some embodiments, such as a hard disk of the zero-knowledge certification device 1.
  • the memory 11 may also be an external storage device of the zero-knowledge proof device 1, for example, a plug-in hard disk equipped on the zero-knowledge proof device 1, or a smart memory card (Smart Memory Card). Media Card, SMC), Secure Digital (SD) card, Flash Card, etc.
  • the memory 11 may also include both the internal storage unit of the zero-knowledge proof device 1 and an external storage device.
  • the readable storage medium may be non-volatile or volatile.
  • the memory 11 can be used not only to store application software and various data installed in the zero-knowledge proof device 1, for example, the program code of the zero-knowledge proof system 10 corresponding to the zero-knowledge proof method, etc., but also to temporarily Store the data that has been output or will be output.
  • the processor 12 may be a central processing unit (Central Processing Unit) in some embodiments. Unit, CPU), controller, microcontroller, microprocessor or other data processing chip, used to run the program code or processing data stored in the memory 11, for example, the zero-knowledge proof system corresponding to the zero-knowledge proof method 10 program code and so on.
  • CPU Central Processing Unit
  • controller microcontroller
  • microprocessor or other data processing chip, used to run the program code or processing data stored in the memory 11, for example, the zero-knowledge proof system corresponding to the zero-knowledge proof method 10 program code and so on.
  • the network interface 13 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface), and is usually used to establish a communication connection between the zero-knowledge proof device 1 and other electronic devices.
  • the components 11-13 of the zero-knowledge proof device 1 communicate with each other through a communication bus.
  • Fig. 2 only shows the zero-knowledge proof device 1 with components 11-13. Those skilled in the art can understand that the structure shown in Fig. 2 does not constitute a limitation on the zero-knowledge proof device 1, and may include more Fewer or more components, or combinations of certain components, or different component arrangements.
  • the specific implementation of the zero-knowledge certification device of the present application is substantially the same as the specific implementation of the above-mentioned zero-knowledge certification method, and will not be repeated here.
  • an embodiment of the present application also proposes a computer-readable storage medium, which includes the program code of the zero-knowledge proof system 10 corresponding to the zero-knowledge proof method, which is related to the zero-knowledge proof method.
  • the program code of the zero-knowledge proof system 10 corresponding to the proof method is executed by the processor, the steps of the zero-knowledge proof method are implemented.
  • the computer-readable storage medium may be non-volatile or volatile.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

本申请涉及一种区块链技术,揭露了一种零知识证明方法,该方法包括:由一个或多个可信第三方创建基点g、h、i,并上传至公共数据存储系统;证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z;证明发起方根据所述基点创建乘法证明,在已知加密数据[a]和[b]但并不知道原始数据a和b的前提下证明所述加密乘积数据[ab]加密的数据是数据a和数据b的乘积;任何第三方根据所述基点校验所述乘法证明。本申请还揭露了一种零知识证明装置及计算机可读存储介质。利用本申请,可以提高乘法证明协议的计算效率,并且证明产生的数据很小,非常适用于区块链等公共数据存储和分布式数据库。

Description

零知识证明方法、装置及存储介质
本申请要求于2020年01月19日提交中国专利局、申请号为202010068608.3、发明名称为“零知识证明方法、装置及存储介质”的中国专利申请的优先权,其全部内容通过引用结合在申请中。
技术领域
本申请涉及区块链技术领域,尤其涉及一种零知识证明方法、装置及计算机可读存储介质。
背景技术
零知识证明(Zero—Knowledge Proof),是由 S.Gold wasser、S.Micali及 C.Rackoff在20世纪80年代初提出的。它指的是证明者能够在不向验证者提供任何有用的信息的情况下,使验证者相信某个论断是正确的。零知识证明实质上是一种涉及两方或更多方的协议,即两方或更多方完成一项任务所需采取的一系列步骤。证明者向验证者证明并使其相信自己知道或拥有某一消息,但证明过程不能向验证者泄漏任何关于被证明消息的信息。
目前,零知识证明技术在涉及数据安全较为重要的领域的应用越来越多,所使用的证明协议也多种多样。其中,乘法证明协议(Commitment Multiplication Protocol)用来证明一个加密数字是另外两个加密数字相乘后的加密乘积。发明人意识到现有乘法证明协议主要依赖多方安全计算,这些乘法证明协议不但计算过程非常复杂,计算量大,而且还会有多轮数据交互,总体效率非常差。而不依赖多方安全计算的乘法证明协议又会产生大量参数,从而导致耗费大量存储空间,实用性差。
技术问题
因此,如何保证既提高乘法证明协议的计算效率,又能有效控制证明产生的数据大小,已经成为一个亟待解决的技术问题。
技术解决方案
鉴于以上内容,本申请提供一种零知识证明方法、装置及计算机可读存储介质,其主要目的在于既提高乘法证明协议的计算效率,又能有效控制证明产生的数据大小。
为实现上述目的,本申请提供一种零知识证明方法,该方法包括:
由一个或多个可信第三方创建基点g、h、i,并上传至公共数据存储系统;
证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z;
证明发起方根据所述基点创建乘法证明,在已知加密数据[a]和[b]但并不知道原始数据a和b的前提下证明所述加密乘积数据[ab]加密的数据是数据a和数据b的乘积;
任何第三方根据所述基点校验所述乘法证明。
此外,为实现上述目的,本申请还提供一种零知识证明装置,包括存储器、处理器,所述存储器上存储有可在所述处理器上运行的零知识证明系统,所述零知识证明系统被所述处理器执行时实现如下所述的零知识证明方法的步骤:
由一个或多个可信第三方创建基点g、h、i,并上传至公共数据存储系统;
证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z;
证明发起方根据所述基点创建乘法证明,在已知加密数据[a]和[b]但并不知道原始数据a和b的前提下证明所述加密乘积数据[ab]加密的数据是数据a和数据b的乘积;
任何第三方根据所述基点校验所述乘法证明。
进一步地,为实现上述目的,本申请还提供一种计算机可读存储介质,所述计算机可读存储介质存储有零知识证明系统,所述零知识证明系统可被至少一个处理器执行,以使所述至少一个处理器执行如下所述的零知识证明方法的步骤:
由一个或多个可信第三方创建基点g、h、i,并上传至公共数据存储系统;
证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z;
证明发起方根据所述基点创建乘法证明,在已知加密数据[a]和[b]但并不知道原始数据a和b的前提下证明所述加密乘积数据[ab]加密的数据是数据a和数据b的乘积;
任何第三方根据所述基点校验所述乘法证明。
有益效果
本申请提出的零知识证明方法、装置及计算机可读存储介质,提供了一种新的不依赖多方安全计算的乘法证明的创建和检验方案,所创建的乘法证明只相当于一个数字签名Sig_xy或可公开数字p的大小,且任何第三方通过简单公式计算即可检验所述乘法证明是否通过。这个证明协议不但计算效率高而且证明产生的数据很小,非常适用于区块链等公共数据存储和分布式数据库。
附图说明
图1为本申请零知识证明方法较佳实施例的流程图;
图2为本申请零知识证明装置较佳实施例的示意图;
本申请目的的实现、功能特点及优点将结合实施例,参照附图做进一步说明。
本发明的实施方式
为了使本申请的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本申请进行进一步详细说明。应当理解,此处所描述的具体实施例仅用以解释本申请,并不用于限定本申请。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。
需要说明的是,在本申请中涉及“第一”、“第二”等的描述仅用于描述目的,而不能理解为指示或暗示其相对重要性或者隐含指明所指示的技术特征的数量。由此,限定有“第一”、“第二”的特征可以明示或者隐含地包括至少一个该特征。另外,各个实施例之间的技术方案可以相互结合,但是必须是以本领域普通技术人员能够实现为基础,当技术方案的结合出现相互矛盾或无法实现时应当认为这种技术方案的结合不存在,也不在本申请要求的保护范围之内。
本申请提供一种零知识证明方法。
参照图1所示,为本申请零知识证明方法较佳实施例的流程图。
在本申请零知识证明方法一实施例中,该方法支持任何证明发起方提出交易来证明一个对应加密乘积数据是另外两个对应已知加密数据的乘积,并支持任何第三方对所述证明进行检验,该方法包括步骤:
S1、由一个或多个可信第三方创建基点g、h、i,并上传至公共数据存储系统;
S2、证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z;
S3、证明发起方根据所述基点创建乘法证明,在已知加密数据[a]和[b]但并不知道原始数据a和b的前提下证明所述加密乘积数据[ab]加密的数据是数据a和数据b的乘积。
S4、任何第三方根据所述基点校验所述乘法证明。
在对本申请方案进行说明之前,对用到的名词、符号、算法进行说明。
名词定义:
独立数据存储系统:指的是区块链网络、分布式数据库、云端服务器、分布式系统等第三方平台。
双线性映射:对于任意的g1∈G1;g2∈G2;a,b∈Zp,均有e(g1^a,g2^b)=e(g1,g2)^ab成立。其中,e称为双线性映射。本申请不对g1和g2顺序进行限制,g1可以等于g2。为方便表述,以下描述都以e(g^a,g^b)=e(g,g)^ab来呈现。在本申请中e(g,g)^ab也可以用gt^ab来代表。
离散对数:已知有限循环群G=< g >{g^n|k = 0, 1, 2,...}, 及其生成元g和阶n = |G|,在离散对数问题的运算中存在h=g^n,其中,g是基,由于离散对数问题的复杂性,很难在知道h和g的情况下计算出整数n的值。因此,本申请中涉及的运算环境为基于椭圆曲线上的运算,椭圆曲线中,基是一个点不是数。
佩德森承诺(Pedersen Commitment)加密算法:在离散对数问题的运算环境下,a为原文,x为密钥,对a加密后的密文[a]=g^a * h^x,其中,g与h各代表一个基,h=g^n。佩德森承诺算法具有加法同态特性并可以作为双线性映射公式中的参数(输入因子)。
加法同态加密算法:具有加法同态特性,即R和S是域,加密算法E:R→S具有加法同态特性,则如果存在有效算法⊕,使得E(x+y)=E(x) ⊕ E(y)或者x+y=D(E(x) ⊕ E(y))成立;且该加密算法加密后得到的值可以作为双线性映射中的参数(输入因子),即e(g1^a ,g2^b)中的g1^a或g2^b。
符号定义:
[a]是对原文a加密后的密文,[b]是对原文b加密后的密文。本申请需要创建出密文[ab]并向第三方证明[ab]是a和b的乘积的加密密文。其中:
[a] = g^a * h^x;
[b] = g^b * h^y;
[ab] = g^ab * h^z;
x为加密数据a的密钥;y为加密数据b的密钥;z为加密数据ab的密钥。
优选地,所述公共数据存储系统可以是云端存储也可以是区块链网络。所述公共数据存储系统主要用于存储公共参数(所述基点),也可以存储所述加密乘积数据、已知加密数据和与乘法证明协议有关的参数等。当证明发起方提出交易来证明一个对应加密乘积数据是另外两个对应已知加密数据的乘积后,任何第三方可以根据所述公共参数、对应加密乘积数据、对应已知加密数据和与乘法证明协议有关的参数来判定对应加密乘积数据是否是两个对应已知加密数据的乘积。
在步骤S1中,由一个可信第三方创建所述基点g,h,i,或由多个可信第三方一起创建所述基点g,h,i。其中,g是公共参数,h和i是一个可信第三方设置或多个可信第三方自己的平台通过网络(如互联网、区块链网络)协同设置并上传至所述公共数据存储系统中的。
具体地,可信第三方生成一个随机数α,并基于预先设置的基点g,通过h=g^α,i=h^α=g^αα得到基点h与i。
在步骤S2中,证明发起方通过第一公式创建密文[ab],并将其密钥z设置为ay + bx。
其中,所述第一公式为:
[ab] = g^ab * h^(ay+bx)
= g^ab * h^z
x为加密数据a的密钥;y为加密数据b的密钥。
例如,数据a为货物单价,数据b为货物数量,数据ab为发票金额(发票金额=货物单价*货物数量)。
在步骤S3中,证明发起方使用xy(代表上述x和y的乘积)作为私钥,it^xy作为公钥,创建所述乘法证明。
所述公钥it^xy可以通过第二公式获得,也可以根据基点i直接生成。用所述私钥xy对该证明交易请求有关参数(具体什么参数在本实施例中不做限制)进行数字签名得到Sig_xy,并公开Sig_xy。所述公开的Sig_xy就是所述乘法证明。
其中,所述第二公式为:
it^xy = e(i^xy, g)
在步骤S4中,任何第三方可以通过以下方式校验所述乘法证明:
(1)获取公开的Sig_xy。
(2)通过第三公式计算得出与Sig_xy对应的公钥P_xy。
其中,所述第三公式为:
P_xy = e([a], [b]) / e([ab], g)
    = (gt^ab * ht^(ay + bx) * it^xy) / (gt^ab * ht^(ay + bx))
= it^xy
(3)通过P_xy检测Sig_xy是否是与P_xy对应的私钥xy签署的。
在本实施例中,通过传统对数字签名验证的方式来检测Sig_xy是否是与P_xy对应的私钥xy签署的,具体方式在此不再赘述。
(4)若检测出Sig_xy是与P_xy对应的私钥xy签署的,代表[ab]加密的数据是数据a和数据b的乘积,即对所述乘法证明检验通过。
例如,[ab]加密的数据ab为发票金额,数据a为货物单价,数据b为货物数量,当检验出[ab]加密的数据是数据a和数据b的乘积时,即发票金额=货物单价*货物数量,银行可以验证发票真实性。
上述校验方案的原理为:如果证明发起方不知道xy,或者选择了非xy的值z为私钥,那么因为离散对数问题,证明发起方不知道基点h和基点i的对应关系,就无法创建出加密份额ab对应的秘钥“?”(g^ab * h^?);也同样无法创建出任何其他加密份额c(任意值)对应的秘钥“?”(g^c * h^?);更无法创建出对加密份额ab的Range Proof(范围证明)。
可选地,在步骤S3中,还可以设置数据p=xy,并公开p。所述公开的p就是所述乘法证明。
在步骤S4中,任何第三方可以通过以下方式校验所述乘法证明:
(1)获取公开的p。
(2)通过所述第三公式计算出P_xy。
(3)通过第四公式检验所述乘法证明。
其中,所述第四公式为:
P_xy == it^xy
若所述第四公式成立则检验通过。
该方案相对于上一方案所产生的数据更小,所需要的存储空间更小。
本申请实施例提出了一种新的不依赖多方安全计算的乘法证明的创建和检验方案,所创建的乘法证明只相当于一个数字签名Sig_xy或可公开数字p的大小,且任何第三方通过简单公式计算即可检验所述乘法证明是否通过。这个证明协议不但计算效率高而且证明产生的数据很小,非常适用于区块链等公共数据存储和分布式数据库。
本申请还提出一种零知识证明装置。参照图2所示,为本申请零知识证明装置较佳实施例的示意图。
在本实施例中,零知识证明装置1适用于上述零知识证明方法,该零知识证明装置1包括:存储器11、处理器12及网络接口13。
其中,存储器11至少包括一种类型的可读存储介质,所述可读存储介质包括闪存、硬盘、多媒体卡、卡型存储器(例如,SD或DX存储器等)、磁性存储器、磁盘、光盘等。存储器11在一些实施例中可以是所述零知识证明装置1的内部存储单元,例如该零知识证明装置1的硬盘。存储器11在另一些实施例中也可以是所述零知识证明装置1的外部存储设备,例如该零知识证明装置1上配备的插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)等。进一步地,存储器11还可以既包括该零知识证明装置1的内部存储单元也包括外部存储设备。所述可读存储介质可以是非易失性,也可以是易失性。
存储器11不仅可以用于存储安装于该零知识证明装置1的应用软件及各类数据,例如,与所述零知识证明方法对应的零知识证明系统10的程序代码等,还可以用于暂时地存储已经输出或者将要输出的数据。
处理器12在一些实施例中可以是一中央处理器(Central Processing Unit, CPU)、控制器、微控制器、微处理器或其他数据处理芯片,用于运行存储器11中存储的程序代码或处理数据,例如,与所述零知识证明方法对应的零知识证明系统10的程序代码等。
网络接口13可选的可以包括标准的有线接口、无线接口(如WI-FI接口),通常用于在该零知识证明装置1与其他电子设备之间建立通信连接。零知识证明装置1的组件11-13通过通信总线相互通信。
图2仅示出了具有组件11-13的零知识证明装置1,本领域技术人员可以理解的是,图2示出的结构并不构成对零知识证明装置1的限定,可以包括比图示更少或者更多的部件,或者组合某些部件,或者不同的部件布置。
本申请之零知识证明装置的具体实施方式与上述零知识证明方法的具体实施方式大致相同,在此不再赘述。
此外,本申请实施例还提出一种计算机可读存储介质,所述计算机可读存储介质中包括与所述零知识证明方法对应的零知识证明系统10的程序代码,所述与所述零知识证明方法对应的零知识证明系统10的程序代码被处理器执行时实现如所述零知识证明方法的步骤。所述计算机可读存储介质可以是非易失性,也可以是易失性。
本申请之计算机可读存储介质的具体实施方式与上述零知识证明方法的具体实施方式大致相同,在此不再赘述。
上述本申请实施例序号仅仅为了描述,不代表实施例的优劣。
需要说明的是,在本文中,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、装置、物品或者方法不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、装置、物品或者方法所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括该要素的过程、装置、物品或者方法中还存在另外的相同要素。
通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到上述实施例方法可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件,但很多情况下前者是更佳的实施方式。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在如上所述的一个存储介质(如ROM/RAM、磁碟、光盘)中,包括若干指令用以使得一台终端设备(可以是手机,计算机,服务器,或者网络设备等)执行本申请各个实施例所述的方法。
以上仅为本申请的优选实施例,并非因此限制本申请的专利范围,凡是利用本申请说明书及附图内容所作的等效结构或等效流程变换,或直接或间接运用在其它相关的技术领域,均同理包括在本申请的专利保护范围内。

Claims (20)

  1. 一种零知识证明方法,其中,该方法包括:
    由一个或多个可信第三方创建基点g、h、i,并上传至公共数据存储系统;
    证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z;
    证明发起方根据所述基点创建乘法证明,在已知加密数据[a]和[b]但并不知道原始数据a和b的前提下证明所述加密乘积数据[ab]加密的数据是数据a和数据b的乘积;
    任何第三方根据所述基点校验所述乘法证明。
  2. 根据权利要求1所述的零知识证明方法,其中,所述基点g是预先设置的公共参数,所述基点h和i是根据所述基点g由一个可信第三方设置或多个可信第三方协同设置。
  3. 根据权利要求2所述的零知识证明方法,其中,所述一个或多个可信第三方生成一个随机数α,并通过h=g^α,i=h^α=g^αα得到所述基点h与i。
  4. 根据权利要求1所述的零知识证明方法,其中,在所述证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z的步骤中:
    证明发起方通过第一公式创建所述加密乘积数据[ab],并将所述密钥z设置为ay + bx,其中,所述第一公式为[ab] = g^ab * h^(ay+bx)= g^ab * h^z,x为加密数据a的密钥,y为加密数据b的密钥。
  5. 根据权利要求4所述的零知识证明方法,其中,所述证明发起方根据所述基点创建乘法证明的步骤包括:
    证明发起方使用xy作为私钥,it^xy作为公钥,创建所述乘法证明,其中:
    所述公钥it^xy通过第二公式获得,所述第二公式为it^xy = e(i^xy, g);
    证明发起方根据所述私钥xy对证明交易请求中的参数进行数字签名得到Sig_xy,并将所述Sig_xy作为所述乘法证明进行公开。
  6. 根据权利要求5所述的零知识证明方法,其中,所述任何第三方根据所述基点校验所述乘法证明的步骤包括:
    获取公开的所述Sig_xy;
    通过第三公式计算得出与所述Sig_xy对应的公钥P_xy,其中,所述第三公式为P_xy = e([a], [b]) / e([ab], g) = (gt^ab * ht^(ay + bx) * it^xy) / (gt^ab * ht^(ay + bx)) = it^xy;
    通过所述公钥P_xy检测所述Sig_xy是否是与P_xy对应的私钥xy签署的;
    若检测出所述Sig_xy是所述私钥xy签署的,表示对所述乘法证明检验通过。
  7. 根据权利要求4所述的零知识证明方法,其中,所述证明发起方根据所述基点创建乘法证明的步骤包括:
    设置数据p=xy,并将所述数据p作为所述乘法证明进行公开。
  8. 根据权利要求7所述的零知识证明方法,其中,所述任何第三方根据所述基点校验所述乘法证明的步骤包括:
    获取公开的所述数据p;
    通过第三公式计算出公钥P_xy,其中,所述第三公式为P_xy = e([a], [b]) / e([ab], g) = (gt^ab * ht^(ay + bx) * it^xy) / (gt^ab * ht^(ay + bx))   = it^xy;
    通过第四公式检验所述乘法证明,其中,所述第四公式为P_xy == it^xy,若所述第四公式成立则表示对所述乘法证明检验通过。
  9. 一种零知识证明装置,其中,所述装置包括存储器、处理器,所述存储器上存储有可在所述处理器上运行的零知识证明系统,所述零知识证明系统被所述处理器执行时实现如下所述的零知识证明方法的步骤:
    由一个或多个可信第三方创建基点g、h、i,并上传至公共数据存储系统;
    证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z;
    证明发起方根据所述基点创建乘法证明,在已知加密数据[a]和[b]但并不知道原始数据a和b的前提下证明所述加密乘积数据[ab]加密的数据是数据a和数据b的乘积;
    任何第三方根据所述基点校验所述乘法证明。
  10. 根据权利要求9所述的零知识证明装置,其中,在所述证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z的步骤中:
    证明发起方通过第一公式创建所述加密乘积数据[ab],并将所述密钥z设置为ay + bx,其中,所述第一公式为[ab] = g^ab * h^(ay+bx)= g^ab * h^z,x为加密数据a的密钥,y为加密数据b的密钥。
  11. 根据权利要求10所述的零知识证明装置,其中,所述证明发起方根据所述基点创建乘法证明的步骤包括:
    证明发起方使用xy作为私钥,it^xy作为公钥,创建所述乘法证明,其中:
    所述公钥it^xy通过第二公式获得,所述第二公式为it^xy = e(i^xy, g);
    证明发起方根据所述私钥xy对证明交易请求中的参数进行数字签名得到Sig_xy,并将所述Sig_xy作为所述乘法证明进行公开。
  12. 根据权利要求11所述的零知识证明装置,其中,所述任何第三方根据所述基点校验所述乘法证明的步骤包括:
    获取公开的所述Sig_xy;
    通过第三公式计算得出与所述Sig_xy对应的公钥P_xy,其中,所述第三公式为P_xy = e([a], [b]) / e([ab], g) = (gt^ab * ht^(ay + bx) * it^xy) / (gt^ab * ht^(ay + bx)) = it^xy;
    通过所述公钥P_xy检测所述Sig_xy是否是与P_xy对应的私钥xy签署的;
    若检测出所述Sig_xy是所述私钥xy签署的,表示对所述乘法证明检验通过。
  13. 根据权利要求10所述的零知识证明装置,其中,所述证明发起方根据所述基点创建乘法证明的步骤包括:
    设置数据p=xy,并将所述数据p作为所述乘法证明进行公开。
  14. 根据权利要求13所述的零知识证明装置,其中,所述任何第三方根据所述基点校验所述乘法证明的步骤包括:
    获取公开的所述数据p;
    通过第三公式计算出公钥P_xy,其中,所述第三公式为P_xy = e([a], [b]) / e([ab], g) = (gt^ab * ht^(ay + bx) * it^xy) / (gt^ab * ht^(ay + bx))   = it^xy;
    通过第四公式检验所述乘法证明,其中,所述第四公式为P_xy == it^xy,若所述第四公式成立则表示对所述乘法证明检验通过。
  15. 一种计算机可读存储介质,其中,所述计算机可读存储介质存储有零知识证明系统,所述零知识证明系统可被至少一个处理器执行,以使所述至少一个处理器执行如下所述的零知识证明方法的步骤:
    由一个或多个可信第三方创建基点g、h、i,并上传至公共数据存储系统;
    证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z;
    证明发起方根据所述基点创建乘法证明,在已知加密数据[a]和[b]但并不知道原始数据a和b的前提下证明所述加密乘积数据[ab]加密的数据是数据a和数据b的乘积;
    任何第三方根据所述基点校验所述乘法证明。
  16. 根据权利要求15所述的计算机可读存储介质,其中,在所述证明发起方根据所述基点创建加密乘积数据[ab]并设置对应的密钥z的步骤中:
    证明发起方通过第一公式创建所述加密乘积数据[ab],并将所述密钥z设置为ay + bx,其中,所述第一公式为[ab] = g^ab * h^(ay+bx)= g^ab * h^z,x为加密数据a的密钥,y为加密数据b的密钥。
  17. 根据权利要求16所述的计算机可读存储介质,其中,所述证明发起方根据所述基点创建乘法证明的步骤包括:
    证明发起方使用xy作为私钥,it^xy作为公钥,创建所述乘法证明,其中:
    所述公钥it^xy通过第二公式获得,所述第二公式为it^xy = e(i^xy, g);
    证明发起方根据所述私钥xy对证明交易请求中的参数进行数字签名得到Sig_xy,并将所述Sig_xy作为所述乘法证明进行公开。
  18. 根据权利要求17所述的计算机可读存储介质,其中,所述任何第三方根据所述基点校验所述乘法证明的步骤包括:
    获取公开的所述Sig_xy;
    通过第三公式计算得出与所述Sig_xy对应的公钥P_xy,其中,所述第三公式为P_xy = e([a], [b]) / e([ab], g) = (gt^ab * ht^(ay + bx) * it^xy) / (gt^ab * ht^(ay + bx)) = it^xy;
    通过所述公钥P_xy检测所述Sig_xy是否是与P_xy对应的私钥xy签署的;
    若检测出所述Sig_xy是所述私钥xy签署的,表示对所述乘法证明检验通过。
  19. 根据权利要求16所述的计算机可读存储介质,其中,所述证明发起方根据所述基点创建乘法证明的步骤包括:
    设置数据p=xy,并将所述数据p作为所述乘法证明进行公开。
  20. 根据权利要求19所述的计算机可读存储介质,其中,所述任何第三方根据所述基点校验所述乘法证明的步骤包括:
    获取公开的所述数据p;
    通过第三公式计算出公钥P_xy,其中,所述第三公式为P_xy = e([a], [b]) / e([ab], g)    = (gt^ab * ht^(ay + bx) * it^xy) / (gt^ab * ht^(ay + bx))   = it^xy;
    通过第四公式检验所述乘法证明,其中,所述第四公式为P_xy == it^xy,若所述第四公式成立则表示对所述乘法证明检验通过。
PCT/CN2020/093629 2020-01-19 2020-05-30 零知识证明方法、装置及存储介质 WO2021143029A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010068608.3A CN111245626B (zh) 2020-01-19 2020-01-19 零知识证明方法、装置及存储介质
CN202010068608.3 2020-01-19

Publications (1)

Publication Number Publication Date
WO2021143029A1 true WO2021143029A1 (zh) 2021-07-22

Family

ID=70864206

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/093629 WO2021143029A1 (zh) 2020-01-19 2020-05-30 零知识证明方法、装置及存储介质

Country Status (2)

Country Link
CN (1) CN111245626B (zh)
WO (1) WO2021143029A1 (zh)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111769953B (zh) * 2020-06-29 2023-03-24 中钞信用卡产业发展有限公司杭州区块链技术研究院 一种数字证照证明方法、装置、设备及可读存储介质
CN111800275A (zh) * 2020-07-09 2020-10-20 深圳壹账通智能科技有限公司 零知识协议参数初始化方法、装置及存储介质
CN114257381B (zh) * 2021-12-21 2023-11-21 四川启睿克科技有限公司 基于零知识证明的良品率计算方法

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090182667A1 (en) * 2006-05-05 2009-07-16 Parkes David C Practical secrecy-preserving, verifiably correct and trustworthy auctions
CN109102286A (zh) * 2018-08-02 2018-12-28 平安科技(深圳)有限公司 跨账本交易方法及装置
CN110505046A (zh) * 2019-07-29 2019-11-26 深圳壹账通智能科技有限公司 多数据提供方加密数据跨平台零知识校验方法、装置及介质

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100727281B1 (ko) * 2001-03-24 2007-06-13 데이트그리티 코포레이션 검증가능한 비밀 셔플들 및 전자 투표에 대한 그 응용
US20030074330A1 (en) * 2001-10-11 2003-04-17 Nokia Corporation Efficient electronic auction schemes with privacy protection
CN108335106A (zh) * 2018-01-24 2018-07-27 深圳壹账通智能科技有限公司 基于区块链的零知识多账本兑换转账方法、装置及存储介质
CN109245897B (zh) * 2018-08-23 2020-06-19 北京邮电大学 一种基于非交互的零知识证明的节点认证方法和装置
CN109257427B (zh) * 2018-09-26 2021-04-02 网宿科技股份有限公司 一种基于区块链的业务处理方法及系统
CN109257184B (zh) * 2018-11-08 2021-02-26 西安电子科技大学 基于匿名广播加密的可链接环签名方法
US10447475B1 (en) * 2018-11-08 2019-10-15 Bar Ilan University System and method for managing backup of cryptographic keys
CN109547209B (zh) * 2018-11-19 2020-09-08 北京大学 一种两方sm2数字签名生成方法
CN109995781B (zh) * 2019-03-29 2021-06-22 腾讯科技(深圳)有限公司 数据的传输方法、装置、介质以及设备
CN110224837B (zh) * 2019-06-06 2021-11-19 西安纸贵互联网科技有限公司 基于分布式身份标识的零知识证明方法及终端

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090182667A1 (en) * 2006-05-05 2009-07-16 Parkes David C Practical secrecy-preserving, verifiably correct and trustworthy auctions
CN109102286A (zh) * 2018-08-02 2018-12-28 平安科技(深圳)有限公司 跨账本交易方法及装置
CN110505046A (zh) * 2019-07-29 2019-11-26 深圳壹账通智能科技有限公司 多数据提供方加密数据跨平台零知识校验方法、装置及介质

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
YANG WENTAO: "[Translation] Brief Introduction of zkSNARKs (Zero Knowledge Proofs)", 8 November 2019 (2019-11-08), XP055828952, Retrieved from the Internet <URL:https://zhuanlan.zhihu.com/p/31780893> *
ZHENG WENTING; POPA RALUCA ADA; GONZALEZ JOSEPH E.; STOICA ION: "Helen: Maliciously Secure Coopetitive Learning for Linear Models", 2019 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (SP), IEEE, 19 May 2019 (2019-05-19), pages 724 - 738, XP033617080, DOI: 10.1109/SP.2019.00045 *

Also Published As

Publication number Publication date
CN111245626A (zh) 2020-06-05
CN111245626B (zh) 2021-05-18

Similar Documents

Publication Publication Date Title
WO2021238527A1 (zh) 数字签名生成方法、装置、计算机设备和存储介质
CN110505046B (zh) 多数据提供方加密数据跨平台零知识校验方法、装置及介质
US10505949B2 (en) Blockchain-based system, and electronic apparatus and method in the system
He et al. An efficient and provably‐secure certificateless signature scheme without bilinear pairings
CN113569294B (zh) 一种零知识证明方法及装置、电子设备、存储介质
WO2021143029A1 (zh) 零知识证明方法、装置及存储介质
US8121290B2 (en) Pseudo-random function calculating device and method and number-limited anonymous authentication system and method
US20130326602A1 (en) Digital Signatures
WO2009065356A1 (fr) Procédé, système et dispositif de réseau pour une authentification mutuelle
CN110311776B (zh) 范围证明方法、装置、计算机设备和存储介质
CN111835526B (zh) 一种生成匿名凭证的方法及系统
TW201320701A (zh) 資訊處理裝置、資訊處理方法及程式
CN107911217B (zh) 基于ecdsa算法协同生成签名的方法、装置和数据处理系统
CN111294202A (zh) 一种面向联盟链的身份认证方法
Malina et al. Efficient security solution for privacy-preserving cloud services
WO2022116176A1 (zh) 数字签名的生成方法、装置和服务器
Padhye et al. ECDLP‐based certificateless proxy signature scheme with message recovery
CN115834056A (zh) 一种无证书有序聚合签名方法、系统及相关装置
CN109257181A (zh) 无证书环境下椭圆曲线盲签密方法
CN111262707B (zh) 数字签名方法及验证方法、设备、存储介质
CN113112268A (zh) 匿名多重签名方法、计算机设备和存储介质
CN116170144B (zh) 智能电网匿名认证方法、电子设备及存储介质
CN113792282B (zh) 身份数据验证方法、装置、计算机设备和存储介质
JP4772965B2 (ja) エンティティの真正性および/またはメッセージの完全性を証明するための方法
Yang et al. A minimal disclosure signature authentication scheme based on consortium blockchain

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20914397

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20914397

Country of ref document: EP

Kind code of ref document: A1