WO2021147283A1 - Method and system for supervising transaction senders - Google Patents

Method and system for supervising transaction senders

Info

Publication number
WO2021147283A1
Authority
WO
WIPO (PCT)
Prior art keywords
signature
transaction
sender
utxo
calculate
Prior art date
Application number
PCT/CN2020/104492
Other languages
English (en)
French (fr)
Inventor
张凡
林齐平
刘海英
高胜
窦国威
段伟民
孙登峰
Original Assignee
数据通信科学技术研究所
兴唐通信科技有限公司
Priority date
Filing date
Publication date
Application filed by 数据通信科学技术研究所, 兴唐通信科技有限公司
Publication of WO2021147283A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
        • G06Q 20/00 Payment architectures, schemes or protocols
        • G06Q 20/38 Payment protocols; details thereof
        • G06Q 20/382 Payment protocols insuring higher security of transaction
        • G06Q 20/3825 Payment protocols insuring higher security of transaction, using electronic signatures
        • G06Q 20/3829 Payment protocols insuring higher security of transaction, involving key management
        • G06Q 20/383 Anonymous user system
        • G06Q 20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; review and approval of payers, e.g. check credit lines or negative lists
        • G06Q 20/401 Transaction verification
        • G06Q 20/4014 Identity check for transactions
        • G06Q 20/4016 Transaction verification involving fraud or risk level assessment in transaction processing
    • G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F 21/60 Protecting data
        • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
        • G06F 21/6218 Protecting access to data via a platform, to a system of files or objects, e.g. local or distributed file system or database
        • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
        • G06F 21/6254 Protecting personal data by anonymising data, e.g. decorrelating personal data from the owner's identification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
        • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
        • H04L 9/3226 Identity or authority verification using a predetermined code, e.g. password, passphrase or PIN
        • H04L 9/3247 Identity or authority verification involving digital signatures
        • H04L 9/3255 Digital signatures using group based signatures, e.g. ring or threshold signatures

Definitions

  • This application relates to the field of blockchain technology, and in particular to a method and system for monitoring transaction senders.
  • blockchain is essentially the use of chained data structures to verify and store data, and the use of distributed consensus mechanisms to generate and update data, thereby ensuring the consistency of the state of honest nodes across the network.
  • Decentralization, verifiability, and tamper resistance are the basic attributes of blockchain technology.
  • the issue of data privacy protection becomes particularly important.
  • privacy protection is mainly reflected in two aspects: anonymity and secrecy. Among them, anonymity refers to the concealment of the identities of transaction initiators and transaction recipients, while confidentiality refers to the concealment of transaction amounts.
  • the current Bitcoin system can only provide weak anonymity for transactions, that is, the true identities of the transaction initiator and the transaction receiver have nothing to do with the corresponding public key.
  • Monero and Zcoin can solve the privacy protection problem, but the proof length of Monero is relatively large, while Zcoin requires the participation of a trusted third party and its proof generation takes too long.
  • this embodiment of the application aims to provide a method and system for monitoring transaction senders, to solve the existing lack of an efficient and concise privacy protection scheme and the supervision center's inability to supervise illegal transactions, financial fraud and other violations.
  • an embodiment of the present application provides a method for supervising transaction senders, which includes: obtaining the signature message of the transaction sender from the blockchain; judging, from the signature in the signature message and the private key of the supervision center, whether the transaction sender is the real sender using the unspent UTXO; and querying the identity of the real sender from the unspent UTXO, where the signature hides the sender of the transaction.
  • the transaction sender can be supervised while the transaction sender and the transaction amount are hidden, so as to avoid illegal transactions, financial fraud and other violations by the transaction sender.
  • querying the identity of the real sender according to the unspent UTXO includes: determining the corresponding user public key according to the unspent UTXO; and querying the identity of the real sender in the database according to the user public key.
  • the beneficial effect of the above-mentioned further improvement scheme is that the identity of the real sender can be queried according to the unspent UTXO, so that the transaction sender can be effectively supervised.
  • the beneficial effect of the above-mentioned further improvement scheme is: according to the signature in the signed message and the private key of the supervision center, the supervision center can supervise the transaction sender as needed through calculation, judgment and other steps.
  • before obtaining the signature message of the transaction sender from the blockchain, the method also includes: the transaction sender generates a signature and sends the signature message; the verifier on the blockchain receives the signature message and verifies the signature; and when the signature verification is passed, the data including the unspent UTXO is uploaded to the chain through consensus.
  • the beneficial effect of the above-mentioned further improvement scheme is that the verifier can realize the consensus on the chain through signature verification.
  • the supervision center before obtaining the signature message of the transaction sender from the blockchain and after confirming the transaction, it also includes: the supervision center generates the unspent UTXO according to the output of the transaction and saves it in the database.
  • the beneficial effect of the above-mentioned further improvement scheme is that the supervision center can supervise the transaction sender at any time by updating the database in real time.
  • the signature is a linkable threshold ring signature
  • the linkable threshold ring signature is generated based on the following calculation formula:
  • the beneficial effect of the above-mentioned further improvement scheme is: the use of supervised linkable ring signature technology to hide the transaction sender and obfuscate the unspent UTXO to protect the privacy of the digital currency transaction sender, thereby realizing an efficient and concise privacy protection scheme.
  • an embodiment of the present application provides a system for monitoring transaction senders, which includes: a receiving module, used to obtain the signature message of the transaction sender from the blockchain; a processing module, used to determine, from the signature in the signature message and the private key of the supervision center, whether the transaction sender is the real sender using the unspent UTXO; and a query module, used to query the real sender's identity from the unspent UTXO, where the signature hides the transaction sender.
  • the i-th transaction sender is the real sender using the unspent UTXO, where the signature is a linkable threshold ring signature; 1 ≤ i ≤ n, n is the total number of unspent UTXOs participating in the signature; i is the i-th unspent UTXO participating in the signature; G, H are the two generators (base points) of the group Q (Q is the prime-order elliptic curve point group); C_i is the secret amount; UPK
  • the beneficial effect of the above-mentioned further improvement scheme is: according to the signature in the signed message and the private key of the supervision center, the supervision center can supervise the transaction sender as needed through calculation, judgment and other steps.
  • the supervision system also includes a signature generation module of the transaction sender, which is used to generate a linkable threshold ring signature based on the following calculation formula
  • the beneficial effect of adopting the above-mentioned further improvement scheme is: the use of supervised linkable ring signature technology to protect the privacy of the digital currency transaction sender, thereby realizing an efficient and concise privacy protection scheme.
  • Fig. 1 is a flowchart of a method for supervising transaction senders according to an embodiment of the present application
  • Fig. 2 is a flowchart of judging whether a transaction sender is a real sender using UTXO with unspent amount according to an embodiment of the application;
  • Figure 3 is a flow chart of verifying signatures according to an embodiment of the present application.
  • Fig. 4 is a flowchart of a method for generating a linkable threshold ring signature according to an embodiment of the present application.
  • Fig. 5 is a flowchart of a supervisory system for a transaction sender according to an embodiment of the present application.
  • a specific embodiment of this application discloses a method for supervising the transaction sender, that is, how to supervise the transaction sender when the transaction sender and transaction amount are hidden on the blockchain to protect the privacy of the transaction sender.
  • the supervision method of the transaction sender includes: step S102, obtaining the signature message of the transaction sender from the blockchain.
  • the supervision center is, for example, the central bank, the public security organ, etc.
  • the supervision center obtains the signature information of the transaction from the blockchain; step S104, according to the signature in the signature message and the supervision center's private key, it is judged whether the transaction sender is the real sender using the unspent UTXO (Unspent Transaction Output, the combination of the user's public key address and the corresponding secret amount).
  • the supervisory center uses the signature in the acquired signed message and the known supervisory center private key to determine whether the transaction sender is the real sender who uses the unspent UTXO; and step S106, the identity of the real sender is queried from the unspent UTXO, wherein the signature hides the transaction sender.
  • the method for monitoring the transaction sender provided in this embodiment can realize the supervision of the transaction sender while concealing the transaction sender and the transaction amount, so as to prevent the transaction sender from conducting illegal transactions, financial fraud and other violations.
  • querying the identity of the real sender from the unspent UTXO in S106 also includes: determining the corresponding user public key from the unspent UTXO, where the unspent UTXO represents the combination of the user's public key address and the corresponding encrypted amount; and querying the real sender's identity in the database from the user's public key. Specifically, user identities and user public keys are stored in the monitoring center's database in a one-to-one correspondence, so the monitoring center can find the identity of the real sender by searching the database.
  • with reference to Figures 2 to 4, the three aspects of signature generation, signature verification, and supervision of transaction senders will be described in detail.
  • the signature is a linkable threshold ring signature; as shown in Figure 4, the linkable threshold ring signature is generated based on the following calculation formula:
  • Step S404: randomly select e_i ∈_R Z_q* and calculate intermediate variables, where c_1, c_2 ∈_R Z_q*;
  • Step S406: randomly select t_i ∈_R Z_q* and calculate
  • the steps for generating the linkable threshold ring signature ⁇ are as follows:
  • the signature generation method provided in this embodiment uses a linkable threshold ring signature to hide the initiator of the digital currency. From the signature result we cannot find the real transaction initiator, because the UTXOs of the real transaction initiator and the UTXOs used to confuse the real transaction initiator together form a ring set. Therefore, apart from the parties to the transaction and the supervision center, others do not know who the real transaction initiator is.
  • this application reduces the transaction length, transaction generation time and verification time, and the more UTXOs required for a transaction, the more obvious the advantages. This is because the signature length of this application is fixed (related only to the ring length), but the signature length of Monero is different: its length increases exponentially as the UTXOs required by the transaction sender increase. Because of this, compared with Monero, the more UTXOs required by a transaction, the more obvious the advantages of this application in terms of signature length, generation time and verification time.
  • before obtaining the signature message of the transaction sender from the blockchain, the method also includes: the transaction sender generates a signature and sends the signature message; the verifier on the blockchain receives the signature message and verifies the signature; and when the signature verification is passed, the data including the unspent UTXO is chained through consensus. Specifically, after the verification of the signature is passed, the transaction is confirmed to achieve consensus chaining.
  • after the verifier receives a signed message, it performs the following verification operations:
  • before obtaining the signature message of the transaction sender from the blockchain and after confirming the transaction, the method also includes: the supervision center generates the unspent UTXO from the output of the transaction and saves it in the database. Specifically, the supervision center updates the database in real time and thereby supervises the transaction sender at any time.
  • a specific example of the implementation of supervision on transaction senders is as follows: if the supervision center wants to supervise the sender of a certain transaction, the supervision center can find the signature information of the transaction from the blockchain, and then:
  • the corresponding user public key UPK can be found according to the real UTXO, and then the supervision center can inquire the identity of the real sender corresponding to the UPK in the database.
  • the supervision center can supervise the transaction senders at any time, so as to avoid illegal transactions, financial fraud, and other violations by the transaction sender.
  • the supervisory system of the transaction sender includes: a receiving module 502, used to obtain the signature message of the transaction sender from the blockchain; a processing module 504, used to determine, from the signature in the signature message and the private key of the supervision center, whether the transaction sender is the real sender using the unspent UTXO; and a query module 506, used to query the real sender's identity from the unspent UTXO, where the signature hides the transaction sender.
  • the query module 506 is configured to determine the corresponding user public key according to the unspent UTXO, and query the identity of the real sender in the database according to the user public key.
  • the transaction sender supervision system provided in this embodiment can hide the transaction sender and the transaction amount, that is, nobody except the transaction parties and the supervision center knows who the real transaction initiator is, and in that setting the transaction sender can still be supervised, so as to avoid illegal transactions, financial fraud and other violations by the transaction sender.
  • the i-th transaction sender is the real sender using the unspent UTXO, where the signature is a linkable threshold ring signature; 1 ≤ i ≤ n, n is the total number of unspent UTXOs participating in the signature; i is the i-th unspent UTXO participating in the signature; G, H are the two generators (base points) of the group Q (Q is the prime-order elliptic curve point group); C_i is the secret amount; UPK is the user
  • the supervisory system of the transaction sender also includes the signature generation module of the transaction sender, which is used to generate the linkable threshold ring signature based on the following calculation formula
  • the supervisory system of the transaction sender also includes a signature verification module and a storage module. These modules correspond to the supervisory method of the transaction sender and are not repeated here.
  • a linkable threshold ring signature is used to hide the initiator of the digital currency. From the signature result we cannot find the real transaction initiator, because the UTXOs of the real transaction initiator and the UTXOs used to confuse the real transaction initiator together form a ring set. Therefore, apart from the transaction parties and the supervision center, others do not know who the real transaction initiator is;
  • this application reduces the transaction length, transaction generation time and verification time, and the more UTXOs a transaction needs, the more obvious the advantages. This is because the signature length of this application is fixed (related only to the ring length), but the signature length of Monero is different.
  • the procedures for implementing the methods in the foregoing embodiments may be completed by a computer program instructing the relevant hardware, and the program may be stored in a computer-readable storage medium.
  • the computer-readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory, etc.

Abstract

A method and system for supervising transaction senders. The method includes: obtaining the signature message of a transaction sender from the blockchain (S102); judging, from the signature in the signature message and the supervision center's private key, whether the transaction sender is the real sender using the unspent UTXO (S104); and querying the identity of the real sender from the unspent UTXO, where the signature hides the transaction sender (S106). This makes it possible to supervise the transaction sender while the transaction sender and the transaction amount remain hidden.

Description

Method and system for supervising transaction senders
Technical field
This application relates to the field of blockchain technology, and in particular to a method and system for supervising transaction senders.
Background
Since Bitcoin came into public view in 2008, nearly a decade of development has produced a variety of cryptocurrencies, such as Monero, Zcoin and Litecoin. Bitcoin has the advantages of decentralization, distributed ledger keeping and anonymous user identities, but transaction amounts are transmitted in plaintext, which severely limits its wide application. Later cryptocurrencies such as Monero and Zcoin use cryptographic techniques (special digital signatures such as ring signatures, commitments, zero-knowledge proofs, homomorphic encryption and so on) to solve the privacy protection problem of transactions. For example, Monero uses Borromean ring signatures and Pedersen commitments to hide the transaction amount, while Zcoin uses the zk-SNARK non-interactive zero-knowledge proof scheme to hide transaction identities and transaction amounts.
Blockchain, the technology underpinning cryptocurrencies, essentially uses a chained data structure to verify and store data and a distributed consensus mechanism to generate and update data, thereby guaranteeing consistency of state among the honest nodes of the whole network. Decentralization, verifiability and tamper resistance are the basic properties of blockchain technology. As blockchain technology is studied in more depth and its possible application scenarios are explored, the protection of data privacy becomes particularly important. In a blockchain system, privacy protection has two main aspects: anonymity and secrecy. Anonymity means hiding the identities of the transaction initiator and the transaction recipient, while secrecy means hiding the transaction amount. The current Bitcoin system offers only weak anonymity for transactions, namely that the real identities of the transaction initiator and the transaction recipient are unrelated to the corresponding public keys. Monero and Zcoin can solve the privacy protection problem, but Monero's proofs are relatively large, while Zcoin requires the participation of a trusted third party and its proof generation takes too long.
The prior art therefore has the technical problem of lacking an efficient and concise privacy protection scheme, as well as the technical problem that supervision centers such as a central bank are unable to supervise illegal transactions, financial fraud and other violations.
Summary
In view of the above analysis, the embodiments of this application aim to provide a method and system for supervising transaction senders, to solve the existing problems that there is no efficient and concise privacy protection scheme and that the supervision center cannot supervise illegal transactions, financial fraud and other violations.
In one aspect, an embodiment of this application provides a method for supervising transaction senders, which includes: obtaining the signature message of the transaction sender from the blockchain; judging, from the signature in the signature message and the supervision center's private key, whether the transaction sender is the real sender using the unspent UTXO; and querying the identity of the real sender from the unspent UTXO, where the signature hides the transaction sender.
The beneficial effect of the above technical scheme is as follows: the transaction sender can be supervised while the transaction sender and the transaction amount are hidden, so as to prevent the transaction sender from conducting illegal transactions, financial fraud and other violations.
In a further improvement of the above method, querying the identity of the real sender from the unspent UTXO includes: determining the corresponding user public key from the unspent UTXO; and querying the identity of the real sender in the database from the user public key.
The beneficial effect of this further improvement is that the identity of the real sender can be queried from the unspent UTXO, so that the transaction sender can be supervised effectively.
In a further improvement of the above method, judging from the signature in the signature message and the supervision center's private key whether the transaction sender is the real sender using the unspent UTXO includes: from the signature, computing the intermediate variable L_i = f_{n-2}(i)*(C_i − T_i) + b_i*H; from the signature, computing the intermediate variable R_i = f_{n-2}(i)*UPK_i + b_i*G; judging whether L_i equals h*R_i; and when L_i equals h*R_i, determining that the i-th transaction sender is the real sender using the unspent UTXO, where 1 ≤ i ≤ n and the signature is the linkable threshold ring signature
Figure PCTCN2020104492-appb-000001
Figure PCTCN2020104492-appb-000002
where n is the total number of unspent UTXOs participating in the signature; i is the i-th unspent UTXO participating in the signature; G and H are two generators of the prime-order elliptic curve point group Q; C_i is the secret amount; UPK is the user public key; h is the supervision center's private key; T_i, a_i, b_i are intermediate variables, i = 1, 2, …, n; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n−2.
The beneficial effect of this further improvement is that, from the signature in the signature message and the supervision center's private key, the supervision center can supervise the transaction sender as needed through steps of computation and judgment.
Further, before obtaining the signature message of the transaction sender from the blockchain, the method also includes: the transaction sender generates the signature and sends the signature message; a verifier on the blockchain receives the signature message and verifies the signature; and when the signature passes verification, the data including the unspent UTXO is put on chain through consensus.
Further, the verifier on the blockchain verifying the signature includes: from the signature, computing the intermediate variable M_i = f_2(i)*T_i + a_i*H; from the signature, computing the intermediate variable L_i = f_{n-2}(i)*(C_i − T_i) + b_i*H; from the signature, computing the intermediate variable R_i = f_{n-2}(i)*UPK_i + b_i*G; verifying whether f_2(0), f_{n-2}(0) equal
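A worked instance of the supervision check just described (the same calculation and judgment steps reappear in the processing module of the system aspect further down). This is an added example, not the patent's own code: it instantiates the group Q as secp256k1, and since the page's equation images do not define T_i it assumes T_i = C_i − (r_i − s_i)*H for the sender's own UTXOs (so that C_i − T_i = usk_i*H) and T_i = C_i − s_i*H with a random s_i for the decoys; a_i, f_2 and the hash step are left out because the supervision check does not consume them.

```python
# Added example: supervision-center check L_i == h*R_i over a ring of UTXOs, with
# the page's group Q instantiated as secp256k1 (prime order N).
# ASSUMPTION (the page's equation images do not define T_i): own UTXOs use
# T_i = C_i - (r_i - s_i)*H, so C_i - T_i = usk_i*H; decoys use T_i = C_i - s_i*H.
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt with k reduced mod N."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sub(p1, p2):
    return add(p1, None if p2 is None else (p2[0], (-p2[1]) % P))

def lagrange_eval(points, x):
    """f(x) mod N for the polynomial f interpolating points [(xj, yj)]."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num, den = num * (x - xm) % N, den * (xj - xm) % N
        total = (total + yj * num * pow(den, -1, N)) % N
    return total

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def make_utxo(H, identity):
    """Constructed UTXO (UPK, C): UPK = usk*G, C = v*G + r*H with 0 <= v < 2^64."""
    usk, v, r = rand_scalar(), secrets.randbelow(2 ** 64), rand_scalar()
    return {"identity": identity, "usk": usk, "v": v, "r": r,
            "UPK": mul(usk, G), "C": add(mul(v, G), mul(r, H))}

def sign_supervised_part(ring, own, H):
    """Sender side: the (T_i, b_i) and f_{n-2} that the supervision check reads.
    own = 1-based ring indices of the sender's UTXOs (1 and 2 on the page);
    c stands in for the hash output of step S408."""
    c = rand_scalar()
    T, b, pts = [], [], [(0, c)]
    for i, u in enumerate(ring, start=1):
        if i in own:
            s = (u["r"] - u["usk"]) % N                 # s_i = r_i - usk_i
            T.append(sub(u["C"], mul(u["r"] - s, H)))   # = C_i - usk_i*H
        else:
            s = rand_scalar()                           # r_i unknown: s_i random
            T.append(sub(u["C"], mul(s, H)))
            pts.append((i, rand_scalar()))              # c_i, so f_{n-2}(i) = c_i
        b.append(rand_scalar())
    return {"T": T, "b": b, "poly": pts}

def supervise(sig, ring, h, H, registry):
    """Supervision center: L_i = f_{n-2}(i)*(C_i - T_i) + b_i*H and
    R_i = f_{n-2}(i)*UPK_i + b_i*G; member i is a real sender iff L_i == h*R_i.
    Its identity is then looked up from the UTXO's UPK in the registry."""
    found = []
    for i, u in enumerate(ring, start=1):
        f_i = lagrange_eval(sig["poly"], i)
        T_i, b_i = sig["T"][i - 1], sig["b"][i - 1]
        L = add(mul(f_i, sub(u["C"], T_i)), mul(b_i, H))
        R = add(mul(f_i, u["UPK"]), mul(b_i, G))
        if L == mul(h, R):
            found.append(registry[u["UPK"]])
    return found

def demo(ring_size=5):
    """Ring of constructed UTXOs; members 1 and 2 belong to 'alice'."""
    h = rand_scalar()                       # supervision center private key
    H = mul(h, G)                           # H = h*G, the second generator
    names = ["alice", "alice"] + ["decoy%d" % i for i in range(3, ring_size + 1)]
    ring = [make_utxo(H, name) for name in names]
    registry = {u["UPK"]: u["identity"] for u in ring}   # constructed identity DB
    sig = sign_supervised_part(ring, own={1, 2}, H=H)
    return supervise(sig, ring, h, H, registry)   # -> ['alice', 'alice']

if __name__ == "__main__":
    print(demo())
```

The decoys fail the check because C_i − T_i is s_i*H for a random s_i rather than usk_i*H, which only the holder of r_i and usk_i can arrange.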
Figure PCTCN2020104492-appb-000003
and when f_2(0), f_{n-2}(0) equal
Figure PCTCN2020104492-appb-000004
Figure PCTCN2020104492-appb-000005
the verification passes, where 1 ≤ i ≤ n and the signature is the linkable threshold ring signature
Figure PCTCN2020104492-appb-000006
n is the total number of unspent UTXOs participating in the signature; i is the i-th unspent UTXO participating in the signature; G and H are two generators of the prime-order elliptic curve point group Q; Hash is a collision-resistant hash function; C_i is the secret amount; UPK is the user public key; T_i, a_i, b_i are intermediate variables, i = 1, 2, …, n; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n−2.
The beneficial effect of this further improvement is that the verifier can achieve consensus on chain through signature verification.
Further, before obtaining the signature message of the transaction sender from the blockchain and after the transaction is confirmed, the method also includes: the supervision center generates the unspent UTXO from the output of the transaction and stores it in the database.
The beneficial effect of this further improvement is that, by updating the database in real time, the supervision center can supervise the transaction sender at any time.
Further, the signature is the linkable threshold ring signature
Figure PCTCN2020104492-appb-000007
Figure PCTCN2020104492-appb-000008
generated by the following calculation formulas:
for i = 1, 2, let s_i = r_i − usk_i; for i = 3, …, n, randomly select s_i ∈_R Z_q* and compute the intermediate variable
Figure PCTCN2020104492-appb-000009
随机选择e iRZ q*并计算中间变量
Figure PCTCN2020104492-appb-000010
其中c 1,c 2RZ q*;
随机选择t iRZ q*并计算
中间变量
Figure PCTCN2020104492-appb-000011
and
the intermediate variable
Figure PCTCN2020104492-appb-000012
其中c iRZ q*,i=3,…,n;
计算哈希值
Figure PCTCN2020104492-appb-000013
then from (c, c_1, c_2) compute the degree-2 interpolation polynomial f_2(x) such that f_2(0) = c, f_2(1) = c_1, f_2(2) = c_2, and from (c, c_3, c_4, …, c_n) compute the degree-(n−2) interpolation polynomial f_{n-2}(x) such that f_{n-2}(0) = c and f_{n-2}(i) = c_i, i = 3, …, n; and
compute
Figure PCTCN2020104492-appb-000014
where n is the total number of unspent UTXOs participating in the signature; i is the i-th unspent UTXO participating in the signature; G and H are two generators of the prime-order elliptic curve point group Q; q is the order of the group Q; Z_q is the ring of integers modulo q; Z_q* is Z_q \ {0}; Hash is a collision-resistant hash function; ∈_R denotes random selection of an element from a set; v_i is the transaction amount, an integer with 0 ≤ v_i < 2^64, i = 1, 2, …; C_i is the secret amount; r_i, c_i, e_i, s_i, t_i are random numbers with r_i, c_i, e_i, s_i, t_i ∈ Z_q*, i = 1, 2, …, n; UPK and usk are the user public key and the corresponding private key; a_i, b_i are intermediate variables; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n−2.
The beneficial effect of this further improvement is that using a supervised linkable ring signature technique to hide the transaction sender and obfuscate the unspent UTXO protects the privacy of the digital currency transaction sender, thereby realizing an efficient and concise privacy protection scheme.
In another aspect, an embodiment of this application provides a system for supervising transaction senders, which includes: a receiving module for obtaining the signature message of the transaction sender from the blockchain; a processing module for judging, from the signature in the signature message and the supervision center's private key, whether the transaction sender is the real sender using the unspent UTXO; and a query module for querying the identity of the real sender from the unspent UTXO, where the signature hides the transaction sender.
In a further improvement of the above system, the processing module includes: a calculation module for computing, from the signature, the intermediate variable L_i = f_{n-2}(i)*(C_i − T_i) + b_i*H and the intermediate variable R_i = f_{n-2}(i)*UPK_i + b_i*G; a judgment module for judging whether L_i equals h*R_i; and a determination module for determining, when L_i equals h*R_i, that the i-th transaction sender is the real sender using the unspent UTXO, where the signature is the linkable threshold ring signature
Figure PCTCN2020104492-appb-000015
Figure PCTCN2020104492-appb-000016
where 1 ≤ i ≤ n; n is the total number of unspent UTXOs participating in the signature; i is the i-th unspent UTXO participating in the signature; G and H are two generators (base points) of the group Q (Q is a prime-order elliptic curve point group); C_i is the secret amount; UPK is the user public key; h is the supervision center's private key; T_i, a_i, b_i are intermediate variables, i = 1, 2, …, n; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n−2.
The beneficial effect of this further improvement is that, from the signature in the signature message and the supervision center's private key, the supervision center can supervise the transaction sender as needed through steps of computation and judgment.
In a further improvement of the above system, the supervision system also includes a signature generation module of the transaction sender, for generating the linkable threshold ring signature by the following calculation formulas
Figure PCTCN2020104492-appb-000017
Figure PCTCN2020104492-appb-000018
for i = 1, 2, let s_i = r_i − usk_i; for i = 3, …, n, randomly select s_i ∈_R Z_q* and compute the intermediate variable
Figure PCTCN2020104492-appb-000019
随机选择e iRZ q*并计算中间变量
Figure PCTCN2020104492-appb-000020
其中c 1,c 2RZ q*;
随机选择t iRZ q*并计算
中间变量
Figure PCTCN2020104492-appb-000021
and
the intermediate variable
Figure PCTCN2020104492-appb-000022
其中c iRZ q*,i=3,…,n;
计算哈希值
Figure PCTCN2020104492-appb-000023
then from (c, c_1, c_2) compute the degree-2 interpolation polynomial f_2(x) such that f_2(0) = c, f_2(1) = c_1, f_2(2) = c_2, and from (c, c_3, c_4, …, c_n) compute the degree-(n−2) interpolation polynomial f_{n-2}(x) such that f_{n-2}(0) = c and f_{n-2}(i) = c_i, i = 3, …, n;
compute
Figure PCTCN2020104492-appb-000024
where n is the total number of unspent UTXOs participating in the signature; i is the i-th unspent UTXO participating in the signature; G and H are two generators of the prime-order elliptic curve point group Q; q is the order of the group Q; Z_q is the ring of integers modulo q; Z_q* is Z_q \ {0}; Hash is a collision-resistant hash function; ∈_R denotes random selection of an element from a set; v_i is the transaction amount, an integer with 0 ≤ v_i < 2^64, i = 1, 2, …; C_i is the secret amount; r_i, c_i, e_i, s_i, t_i are random numbers with r_i, c_i, e_i, s_i, t_i ∈ Z_q*, i = 1, 2, …, n; UPK and usk are the user public key and the corresponding private key; a_i, b_i are intermediate variables; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n−2.
The beneficial effect of adopting this further improvement is that using a supervised linkable ring signature technique protects the privacy of the digital currency transaction sender, thereby realizing an efficient and concise privacy protection scheme.
In this application, the above technical schemes may also be combined with one another to obtain further preferred combinations. Other features and advantages of this application will be set forth in the following description; some of the advantages will become apparent from the description or be learned by practising this application. The objectives and other advantages of this application can be realized and obtained through what is particularly pointed out in the description and the drawings.
Brief description of the drawings
The drawings serve only to show specific embodiments and are not to be regarded as limiting this application; throughout the drawings, the same reference signs denote the same components.
Fig. 1 is a flowchart of a method for supervising transaction senders according to an embodiment of this application;
Fig. 2 is a flowchart of judging whether a transaction sender is the real sender using the unspent UTXO according to an embodiment of this application;
Fig. 3 is a flowchart of verifying a signature according to an embodiment of this application;
Fig. 4 is a flowchart of a method for generating a linkable threshold ring signature according to an embodiment of this application; and
Fig. 5 is a flowchart of a system for supervising transaction senders according to an embodiment of this application.
Reference signs:
502: receiving module; 504: processing module; 506: query module
Detailed description
Preferred embodiments of this application are described in detail below with reference to the drawings, which form part of this application and, together with the embodiments, serve to explain the principles of this application without limiting its scope.
A specific embodiment of this application discloses a method for supervising transaction senders, that is, how to supervise the transaction sender when the transaction sender and the transaction amount are hidden on the blockchain to protect the privacy of the transaction sender. As shown in Fig. 1, the method for supervising transaction senders includes: step S102, obtaining the signature message of the transaction sender from the blockchain; specifically, if a supervision center (for example, a central bank or a public security organ) wants to supervise the sender of a certain transaction, the supervision center obtains the signature information of that transaction from the blockchain; step S104, judging, from the signature in the signature message and the supervision center's private key, whether the transaction sender is the real sender using the unspent UTXO (Unspent Transaction Output, the combination of a user public key address and the corresponding secret amount); specifically, the supervision center judges, from the signature in the obtained signature message and its known private key, whether the transaction sender is the real sender using the unspent UTXO; and step S106, querying the identity of the real sender from the unspent UTXO, where the signature hides the transaction sender.
Compared with the prior art, the method for supervising transaction senders provided in this embodiment can supervise the transaction sender while hiding the transaction sender and the transaction amount, so as to prevent the transaction sender from conducting illegal transactions, financial fraud and other violations.
Specifically, querying the identity of the real sender from the unspent UTXO in S106 further includes: determining the corresponding user public key from the unspent UTXO, where the unspent UTXO is the combination of a user public key address and the corresponding secret amount; and querying the identity of the real sender in the database from the user public key. Specifically, user identities and user public keys are stored in the supervision center's database in a one-to-one correspondence, so the supervision center can retrieve the identity of the real sender from the database by the user public key. Below, with reference to Figs. 2 to 4, the three aspects of signature generation, signature verification and supervision of the transaction sender are described in detail.
First, signature generation is described in detail with reference to Fig. 4.
The signature is the linkable threshold ring signature
Figure PCTCN2020104492-appb-000025
Figure PCTCN2020104492-appb-000026
As shown in Fig. 4, the linkable threshold ring signature is generated by the following calculation formulas:
Step S402: for i = 1, 2, let s_i = r_i − usk_i; for i = 3, …, n, randomly select s_i ∈_R Z_q* and compute the intermediate variable
Figure PCTCN2020104492-appb-000027
步骤S404:随机选择e iRZ q*并计算中间变量
Figure PCTCN2020104492-appb-000028
其中c 1,c 2RZ q*;
步骤S406:随机选择t iRZ q*并计算
中间变量
Figure PCTCN2020104492-appb-000029
and
the intermediate variable
Figure PCTCN2020104492-appb-000030
其中c iRZ q*,i=3,…,n;
步骤S408:计算哈希值
Figure PCTCN2020104492-appb-000031
then from (c, c_1, c_2) compute the degree-2 interpolation polynomial f_2(x) such that f_2(0) = c, f_2(1) = c_1, f_2(2) = c_2, and from (c, c_3, c_4, …, c_n) compute the degree-(n−2) interpolation polynomial f_{n-2}(x) such that f_{n-2}(0) = c and f_{n-2}(i) = c_i, i = 3, …, n;
Step S410:
compute
Figure PCTCN2020104492-appb-000032
其中,n为参与签名的总未花费金额UTXO个数;i为参与签名的第i个未花费金额UTXO;G,H为素数阶椭圆曲线点群Q的两个生成元;q为群Q的阶;Z q为模 q的整数环;Z q*为Z q\{0};Hash为抗碰撞哈希函数;∈ R为元素从集合中随机选取;v i为交易金额,整数,0≤v i<2 64,i=1,2,…;C i为密态金额;r i,c i,e i,s i,t i为随机数r i,c i,e i,s i,t i∈Z q*,i=1,2,…n;UPK,usk为用户公钥和对应的私钥;a i,b i为中间变量;f 2(x)为次数为2的多项式;以及f n-2(x)为次数为n-2的多项式。
In a specific example, the linkable threshold ring signature σ is generated as follows:
Let the supervision centre's public key be (X, Y) ∈ Q, where X = x*G, Y = y*G and x, y ∈_R Z_q*; the binding between each user's identity and long-term public key is kept in the supervision centre's database. For every confirmed transaction (one that has reached the chain through consensus), the supervision centre generates UTXOs from the transaction's outputs and stores them in the database. In addition, the supervision centre knows the discrete logarithm h of H with respect to G, i.e. H = h*G.
The transaction sender sends a query to the supervision centre; the information returned mainly comprises the encrypted amount (the amount in encrypted form) C = v*G + r*H, where v is the amount and r is a random integer, together with the user public key UPK = usk*G corresponding to that encrypted amount.
Figure PCTCN2020104492-appb-000033
form the ring members of the traceable threshold ring signature. We call the combination of a user public key and an encrypted amount, i.e. (UPK, C), a UTXO (Unspent Transaction Output). Below, assume that (UPK_1, C_1) and (UPK_2, C_2) belong to the transaction sender, who wishes to spend both UTXOs in one transaction (spending any number of UTXOs in one transaction is supported). The remaining UTXOs serve only to hide these two genuinely spent UTXOs.
Note that a UTXO belonging to the transaction sender means that the corresponding user public key UPK is known and that both the random number r and the amount v in the encrypted amount C = v*G + r*H are known; that is, in the example below usk_1, usk_2, v_1, v_2, r_1, r_2 are known.
The linkable threshold ring signature is generated as follows:
(1) For i = 1, 2, let s_i = r_i - usk_i; for i = 3, …, n, choose s_i ∈_R Z_q* at random and compute
Figure PCTCN2020104492-appb-000034
(2) Choose e_i ∈_R Z_q* at random and compute
Figure PCTCN2020104492-appb-000035
where c_1, c_2 ∈_R Z_q*;
(3) Choose t_i ∈_R Z_q* at random and compute
Figure PCTCN2020104492-appb-000036
and
Figure PCTCN2020104492-appb-000037
where c_i ∈_R Z_q*, i = 3, …, n;
(4) Compute
Figure PCTCN2020104492-appb-000038
then, from (c, c_1, c_2), compute the degree-2 interpolation polynomial f_2(x) such that f_2(0) = c, f_2(1) = c_1, f_2(2) = c_2, and from (c, c_3, c_4, …, c_n) compute the degree-(n-2) interpolation polynomial f_{n-2}(x) such that f_{n-2}(0) = c and f_{n-2}(i) = c_i, i = 3, …, n;
(5) Compute
Figure PCTCN2020104492-appb-000039
Figure PCTCN2020104492-appb-000040
The resulting signature is
Figure PCTCN2020104492-appb-000041
Compared with the prior art, the signature generation method of this embodiment hides the initiator of the digital-currency transaction by means of a linkable threshold ring signature. From the signature result
Figure PCTCN2020104492-appb-000042
Figure PCTCN2020104492-appb-000043
we cannot identify the real initiator, because the real initiator's UTXOs and the UTXOs used to obscure the real initiator together form one ring set, namely
Figure PCTCN2020104492-appb-000044
Therefore, nobody except the two transacting parties and the supervision centre knows who the real initiator is. Moreover, compared with Monero, this application reduces the transaction length, the transaction generation time and the verification time, and the advantage grows with the number of UTXOs a transaction needs. This is because the signature length here is fixed (it depends only on the ring length), whereas Monero's signature length grows by a multiple of the number of UTXOs the sender spends. For this reason, the more UTXOs a transaction needs, the greater this application's advantage over Monero in signature length, generation time and verification time.
Next, signature verification is described in detail with reference to Fig. 3.
As shown in Fig. 3, verification of the signature by a verifier on the blockchain comprises: step S302, computing from the signature the intermediate variable M_i = f_2(i)*T_i + a_i*H; step S304, computing from the signature the intermediate variable L_i = f_{n-2}(i)*(C_i - T_i) + b_i*H; step S306, computing from the signature the intermediate variable R_i = f_{n-2}(i)*UPK_i + b_i*G; step S308, checking whether f_2(0) and f_{n-2}(0) equal
Figure PCTCN2020104492-appb-000045
Figure PCTCN2020104492-appb-000046
and step S310, when f_2(0) and f_{n-2}(0) equal
Figure PCTCN2020104492-appb-000047
Figure PCTCN2020104492-appb-000048
the verification passes, where 1 ≤ i ≤ n and the signature is the linkable threshold ring signature
Figure PCTCN2020104492-appb-000049
n is the total number of unspent-amount UTXOs taking part in the signature; i denotes the i-th unspent-amount UTXO taking part in the signature; G, H are two generators of the prime-order elliptic-curve point group Q; Hash is a collision-resistant hash function; C_i is the encrypted amount; UPK is the user public key; T_i, a_i, b_i are intermediate variables, i = 1, 2, …, n; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n-2.
Specifically, before the transaction sender's signature message is obtained from the blockchain, the method further comprises: the transaction sender generating the signature and sending the signature message; a verifier on the blockchain receiving the signature message and verifying the signature; and, when the signature verifies, putting the data including the unspent-amount UTXO on the chain through consensus; specifically, once the signature verifies, the transaction is confirmed so that it reaches the chain through consensus.
Signature verification is now illustrated by a specific example. After receiving the signature message
Figure PCTCN2020104492-appb-000050
the verifier performs the following checks:
(1) compute M_i = f_2(i)*T_i + a_i*H, 1 ≤ i ≤ n;
(2) compute L_i = f_{n-2}(i)*(C_i - T_i) + b_i*H, 1 ≤ i ≤ n;
(3) compute R_i = f_{n-2}(i)*UPK_i + b_i*G, 1 ≤ i ≤ n;
(4) check
Figure PCTCN2020104492-appb-000051
if the values are equal, the verification passes; otherwise it is terminated.
Finally, supervision of the transaction sender is described in detail with reference to Fig. 2.
Determining, from the signature in the signature message and the supervision centre private key, whether the transaction sender is the real sender using the unspent-amount UTXO comprises: step S202, computing from the signature the intermediate variable L_i = f_{n-2}(i)*(C_i - T_i) + b_i*H; step S204, computing from the signature the intermediate variable R_i = f_{n-2}(i)*UPK_i + b_i*G; step S206, determining whether L_i equals h*R_i; and step S208, when L_i equals h*R_i, determining that the i-th transaction sender is the real sender using the unspent-amount UTXO, where 1 ≤ i ≤ n and the signature is the linkable threshold ring signature
Figure PCTCN2020104492-appb-000052
Figure PCTCN2020104492-appb-000053
where n is the total number of UTXOs taking part in the signature; i denotes the i-th UTXO taking part in the signature; G, H are two generators of the prime-order elliptic-curve point group Q; C_i is the encrypted amount; UPK is the user public key; h is the supervision centre private key; T_i, a_i, b_i are intermediate variables, i = 1, 2, …, n; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n-2. Specifically, before the transaction sender's signature message is obtained from the blockchain and after the transaction is confirmed, the method further comprises: the supervision centre generating the unspent-amount UTXO from the transaction's outputs and storing it in the database; specifically, by keeping the database up to date in real time, the supervision centre can supervise transaction senders at any time.
A specific example of supervising a transaction sender is as follows: if the supervision centre wishes to supervise the sender of a given transaction, it finds that transaction's signature message on the blockchain
Figure PCTCN2020104492-appb-000054
and then:
(1) computes L_i = f_{n-2}(i)*(C_i - T_i) + b_i*H, 1 ≤ i ≤ n;
(2) computes R_i = f_{n-2}(i)*UPK_i + b_i*G, 1 ≤ i ≤ n;
(3) since the supervision centre knows its private key h, it tests whether L_i = h*R_i for 1 ≤ i ≤ n; if they are equal, the i-th transaction sender is the real sender of that UTXO, and if not, that UTXO was selected at random;
(4) from the real UTXO the corresponding user public key UPK is now found, and the supervision centre looks up in its database the identity of the real sender corresponding to that UPK.
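The supervision test of steps (1) to (3), run on a constructed ring, as an added example that is not code from the patent. It assumes secp256k1 as the prime-order point group (the patent fixes no curve) and, because the page does not reproduce the formula for T_i, constructs T_i = C_i - usk_i*H for UTXOs the signer owns (so that C_i - T_i = h*UPK_i, which is what the test L_i = h*R_i detects) and T_i = C_i - s_i*H with a random s_i for decoys; the values f_{n-2}(i) and b_i, which a real supervisor reads out of the signature, are constructed non-zero scalars here because the outcome of the test does not depend on them. The names build_ring, supervise and demo are chosen here.

```python
import secrets

# secp256k1 parameters (assumed curve for this example; the patent does not fix one)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    k %= Q
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_sub(p1, p2):
    return ec_add(p1, None if p2 is None else (p2[0], (-p2[1]) % P))


def rand_scalar():
    return 1 + secrets.randbelow(Q - 1)  # element of Z_q*


def build_ring(h, n, real):
    """Constructed ring of n UTXOs (UPK_i, C_i) plus the T_i the signer publishes.
    real: set of indices the signer actually owns.  Assumption (formula for T_i
    not on the page): T_i = C_i - usk_i*H for owned UTXOs, T_i = C_i - s_i*H with
    random s_i for decoys."""
    H = ec_mul(h, G)                                # H = h*G, h known to the supervisor
    ring = []
    for i in range(1, n + 1):
        usk = rand_scalar()
        UPK = ec_mul(usk, G)                        # UPK = usk*G
        v = secrets.randbelow(2 ** 64)              # amount, 0 <= v < 2^64
        r = rand_scalar()
        C = ec_add(ec_mul(v, G), ec_mul(r, H))      # encrypted amount C = v*G + r*H
        w = usk if i in real else rand_scalar()
        T = ec_sub(C, ec_mul(w, H))
        ring.append((UPK, C, T))
    return H, ring


def supervise(h, H, ring, fn2_vals, b_vals):
    """Steps S202-S208: return the indices i for which L_i == h*R_i."""
    owned = []
    for i, (UPK, C, T) in enumerate(ring, start=1):
        f_i, b_i = fn2_vals[i - 1], b_vals[i - 1]
        L = ec_add(ec_mul(f_i, ec_sub(C, T)), ec_mul(b_i, H))   # L_i = f(i)*(C_i - T_i) + b_i*H
        R = ec_add(ec_mul(f_i, UPK), ec_mul(b_i, G))            # R_i = f(i)*UPK_i + b_i*G
        if L == ec_mul(h, R):
            owned.append(i)
    return owned


def demo(n=5, real=(1, 2)):
    h = rand_scalar()                               # supervision centre private key
    H, ring = build_ring(h, n, set(real))
    # f_{n-2}(i) and b_i come from the signature in practice; constructed here.
    fn2_vals = [rand_scalar() for _ in range(n)]
    b_vals = [rand_scalar() for _ in range(n)]
    return supervise(h, H, ring, fn2_vals, b_vals)
```

The algebra behind the test is L_i - h*R_i = f_{n-2}(i)*((C_i - T_i) - h*UPK_i), since H = h*G; the b_i terms cancel, which is why the example can use arbitrary b_i. The same identity shows that the test is vacuous for any index where f_{n-2}(i) ≡ 0 mod q, so a supervisor implementation should treat such a value as malformed rather than as a match.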
With the supervision method of this embodiment, the supervision centre can supervise transaction senders at any time, so as to prevent them from engaging in illegal transactions, financial fraud and other violations.
Below, the system for supervising a transaction sender is described in detail with reference to Fig. 5.
The system for supervising a transaction sender comprises: a receiving module 502 for obtaining the transaction sender's signature message from the blockchain; a processing module 504 for determining, from the signature in the signature message and the supervision centre private key, whether the transaction sender is the real sender using the unspent-amount UTXO; and a query module 506 for looking up the identity of the real sender from the unspent-amount UTXO, where the signature hides the transaction sender. Specifically, the query module 506 determines the corresponding user public key from the unspent-amount UTXO and looks up the real sender's identity in the database from that user public key.
Compared with the prior art, the supervision system of this embodiment can supervise the transaction sender while the sender and the transaction amount remain hidden, that is, while nobody except the two transacting parties and the supervision centre knows who the real initiator is, so as to prevent the sender from engaging in illegal transactions, financial fraud and other violations.
The processing module 504 further comprises: a computing module for computing from the signature the intermediate variable L_i = f_{n-2}(i)*(C_i - T_i) + b_i*H and the intermediate variable R_i = f_{n-2}(i)*UPK_i + b_i*G; a judging module for determining whether L_i equals h*R_i; and a determining module for determining, when L_i equals h*R_i, that the i-th transaction sender is the real sender using the unspent-amount UTXO, where the signature is the linkable threshold ring signature
Figure PCTCN2020104492-appb-000055
where 1 ≤ i ≤ n; n is the total number of unspent-amount UTXOs taking part in the signature; i denotes the i-th unspent-amount UTXO taking part in the signature; G, H are two generators (base points) of the group Q (Q being a prime-order elliptic-curve point group); C_i is the encrypted amount; UPK is the user public key; h is the supervision centre private key; T_i, a_i, b_i are intermediate variables, i = 1, 2, …, n; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n-2.
The system for supervising a transaction sender further comprises a signature generation module of the transaction sender, for generating the linkable threshold ring signature from the following formulae
Figure PCTCN2020104492-appb-000056
Figure PCTCN2020104492-appb-000057
for i = 1, 2, let s_i = r_i - usk_i; for i = 3, …, n, choose s_i ∈_R Z_q* at random and compute the intermediate variable
Figure PCTCN2020104492-appb-000058
choose e_i ∈_R Z_q* at random and compute the intermediate variable
Figure PCTCN2020104492-appb-000059
where c_1, c_2 ∈_R Z_q*;
choose t_i ∈_R Z_q* at random and compute the intermediate variable
Figure PCTCN2020104492-appb-000060
and the intermediate variable
Figure PCTCN2020104492-appb-000061
where c_i ∈_R Z_q*, i = 3, …, n;
compute the hash value
Figure PCTCN2020104492-appb-000062
then, from (c, c_1, c_2), compute the degree-2 interpolation polynomial f_2(x) such that f_2(0) = c, f_2(1) = c_1, f_2(2) = c_2, and from (c, c_3, c_4, …, c_n) compute the degree-(n-2) interpolation polynomial f_{n-2}(x) such that f_{n-2}(0) = c and f_{n-2}(i) = c_i, i = 3, …, n;
compute
Figure PCTCN2020104492-appb-000063
where n is the total number of unspent-amount UTXOs taking part in the signature; i denotes the i-th unspent-amount UTXO taking part in the signature; G, H are two generators of the prime-order elliptic-curve point group Q; q is the order of the group Q; Z_q is the ring of integers modulo q; Z_q* is Z_q \ {0}; Hash is a collision-resistant hash function; ∈_R denotes choosing an element of a set uniformly at random; v_i is the transaction amount, an integer with 0 ≤ v_i < 2^64, i = 1, 2, …; C_i is the encrypted amount; r_i, c_i, e_i, s_i, t_i are random numbers with r_i, c_i, e_i, s_i, t_i ∈ Z_q*, i = 1, 2, …, n; UPK, usk are the user public key and the corresponding private key; a_i, b_i are intermediate variables; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n-2.
The system for supervising a transaction sender further comprises a signature verification module and a storage module; these correspond to the supervision method described above and are therefore not described again.
The supervision method and system provided by the embodiments of this application have the following technical effects: (1) the initiator of the digital-currency transaction is hidden by means of a linkable threshold ring signature. From the signature result
Figure PCTCN2020104492-appb-000064
we cannot identify the real initiator, because the real initiator's UTXOs and the UTXOs used to obscure the real initiator together form one ring set, namely
Figure PCTCN2020104492-appb-000065
therefore, nobody except the two transacting parties and the supervision centre knows who the real initiator is; (2) compared with Monero, this application reduces the transaction length, the transaction generation time and the verification time, and the advantage grows with the number of UTXOs a transaction needs. This is because the signature length here is fixed (it depends only on the ring length), whereas Monero's signature length grows by a multiple of the number of UTXOs the sender spends; hence the more UTXOs a transaction needs, the greater this application's advantage over Monero in signature length, generation time and verification time; and (3) the supervision centre can supervise transaction senders at any time.
Those skilled in the art will understand that all or part of the flow of the method embodiments above may be carried out by a computer program instructing the relevant hardware, the program being stored in a computer-readable storage medium such as a magnetic disk, an optical disc, a read-only memory or a random-access memory.
The above are merely preferred specific embodiments of this application; its scope of protection is not limited to them, and any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed herein falls within the scope of protection of this application.

Claims (10)

  1. A method for supervising a transaction sender, characterised in that it comprises:
    obtaining a signature message of the transaction sender from a blockchain;
    determining, from the signature in the signature message and a supervision centre private key, whether the transaction sender is the real sender using an unspent-amount UTXO; and
    looking up the identity of the real sender from the unspent-amount UTXO, wherein the signature hides the transaction sender.
  2. The method for supervising a transaction sender according to claim 1, characterised in that looking up the identity of the real sender from the unspent-amount UTXO comprises:
    determining the corresponding user public key from the unspent-amount UTXO; and
    looking up the identity of the real sender in a database from the user public key.
  3. The method for supervising a transaction sender according to claim 1, characterised in that determining, from the signature in the signature message and the supervision centre private key, whether the transaction sender is the real sender using the unspent-amount UTXO comprises:
    computing, from the signature, the intermediate variable L_i = f_{n-2}(i)*(C_i - T_i) + b_i*H;
    computing, from the signature, the intermediate variable R_i = f_{n-2}(i)*UPK_i + b_i*G;
    determining whether the intermediate variable L_i equals h*R_i; and
    when the intermediate variable L_i equals h*R_i, determining that the i-th transaction sender is the real sender using the unspent-amount UTXO,
    wherein 1 ≤ i ≤ n and the signature is the linkable threshold ring signature
    Figure PCTCN2020104492-appb-100001
    Figure PCTCN2020104492-appb-100002
    wherein n is the total number of unspent-amount UTXOs taking part in the signature; i denotes the i-th unspent-amount UTXO taking part in the signature; G, H are two generators of the prime-order elliptic-curve point group Q; C_i is the encrypted amount; UPK is the user public key; h is the supervision centre private key; T_i, a_i, b_i are intermediate variables, i = 1, 2, …, n; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n-2.
  4. The method for supervising a transaction sender according to claim 1, characterised in that, before obtaining the signature message of the transaction sender from the blockchain, the method further comprises:
    the transaction sender generating the signature and sending the signature message;
    a verifier on the blockchain receiving the signature message and verifying the signature; and
    when the signature verifies, putting data including the unspent-amount UTXO on the chain through consensus.
  5. The method for supervising a transaction sender according to claim 4, characterised in that the verifier on the blockchain verifying the signature comprises:
    computing, from the signature, the intermediate variable M_i = f_2(i)*T_i + a_i*H;
    computing, from the signature, the intermediate variable L_i = f_{n-2}(i)*(C_i - T_i) + b_i*H;
    computing, from the signature, the intermediate variable R_i = f_{n-2}(i)*UPK_i + b_i*G;
    checking whether f_2(0) and f_{n-2}(0) equal
    Figure PCTCN2020104492-appb-100003
    and
    when f_2(0) and f_{n-2}(0) equal
    Figure PCTCN2020104492-appb-100004
    the verification passes,
    wherein 1 ≤ i ≤ n and the signature is the linkable threshold ring signature
    Figure PCTCN2020104492-appb-100005
    Figure PCTCN2020104492-appb-100006
    n is the total number of unspent-amount UTXOs taking part in the signature; i denotes the i-th unspent-amount UTXO taking part in the signature; G, H are two generators of the prime-order elliptic-curve point group Q; Hash is a collision-resistant hash function; C_i is the encrypted amount; UPK is the user public key; T_i, a_i, b_i are intermediate variables, i = 1, 2, …, n; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n-2.
  6. The method for supervising a transaction sender according to claim 1, characterised in that, before obtaining the signature message of the transaction sender from the blockchain and after the transaction is confirmed, the method further comprises:
    the supervision centre generating the unspent-amount UTXO from the outputs of the transaction and storing it in a database.
  7. The method for supervising a transaction sender according to claim 1, characterised in that the signature is the linkable threshold ring signature
    Figure PCTCN2020104492-appb-100007
    the linkable threshold ring signature being generated from the following formulae:
    for i = 1, 2, let s_i = r_i - usk_i; for i = 3, …, n, choose s_i ∈_R Z_q* at random and compute the intermediate variable
    Figure PCTCN2020104492-appb-100008
    choose e_i ∈_R Z_q* at random and compute the intermediate variable
    Figure PCTCN2020104492-appb-100009
    where c_1, c_2 ∈_R Z_q*;
    choose t_i ∈_R Z_q* at random and compute the intermediate variable
    Figure PCTCN2020104492-appb-100010
    and the intermediate variable
    Figure PCTCN2020104492-appb-100011
    where c_i ∈_R Z_q*, i = 3, …, n;
    compute the hash value
    Figure PCTCN2020104492-appb-100012
    then, from (c, c_1, c_2), compute the degree-2 interpolation polynomial f_2(x) such that f_2(0) = c, f_2(1) = c_1, f_2(2) = c_2, and from (c, c_3, c_4, …, c_n) compute the degree-(n-2) interpolation polynomial f_{n-2}(x) such that f_{n-2}(0) = c and f_{n-2}(i) = c_i, i = 3, …, n; and
    compute
    Figure PCTCN2020104492-appb-100013
    wherein n is the total number of unspent-amount UTXOs taking part in the signature; i denotes the i-th unspent-amount UTXO taking part in the signature; G, H are two generators of the prime-order elliptic-curve point group Q; q is the order of the group Q; Z_q is the ring of integers modulo q; Z_q* is Z_q \ {0}; Hash is a collision-resistant hash function; ∈_R denotes choosing an element of a set uniformly at random; v_i is the transaction amount, an integer with 0 ≤ v_i < 2^64, i = 1, 2, …; C_i is the encrypted amount; r_i, c_i, e_i, s_i, t_i are random numbers with r_i, c_i, e_i, s_i, t_i ∈ Z_q*, i = 1, 2, …, n; UPK, usk are the user public key and the corresponding private key; a_i, b_i are intermediate variables; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n-2.
  8. A system for supervising a transaction sender, characterised in that it comprises:
    a receiving module for obtaining a signature message of the transaction sender from a blockchain;
    a processing module for determining, from the signature in the signature message and a supervision centre private key, whether the transaction sender is the real sender using an unspent-amount UTXO; and
    a query module for looking up the identity of the real sender from the unspent-amount UTXO, wherein the signature hides the transaction sender.
  9. The system for supervising a transaction sender according to claim 8, characterised in that the processing module comprises:
    a computing module for computing, from the signature, the intermediate variable L_i = f_{n-2}(i)*(C_i - T_i) + b_i*H and the intermediate variable R_i = f_{n-2}(i)*UPK_i + b_i*G;
    a judging module for determining whether L_i equals h*R_i; and
    a determining module for determining, when L_i equals h*R_i, that the i-th transaction sender is the real sender using the unspent-amount UTXO,
    wherein the signature is the linkable threshold ring signature
    Figure PCTCN2020104492-appb-100014
    Figure PCTCN2020104492-appb-100015
    wherein 1 ≤ i ≤ n; n is the total number of unspent-amount UTXOs taking part in the signature; i denotes the i-th unspent-amount UTXO taking part in the signature; G, H are two generators of the prime-order elliptic-curve point group Q; C_i is the encrypted amount; UPK is the user public key; h is the supervision centre private key; T_i, a_i, b_i are intermediate variables, i = 1, 2, …, n; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n-2.
  10. The system for supervising a transaction sender according to claim 8, characterised in that it further comprises a signature generation module of the transaction sender for generating the linkable threshold ring signature from the following formulae
    Figure PCTCN2020104492-appb-100016
    for i = 1, 2, let s_i = r_i - usk_i; for i = 3, …, n, choose s_i ∈_R Z_q* at random and compute the intermediate variable
    Figure PCTCN2020104492-appb-100017
    choose e_i ∈_R Z_q* at random and compute the intermediate variable
    Figure PCTCN2020104492-appb-100018
    where c_1, c_2 ∈_R Z_q*;
    choose t_i ∈_R Z_q* at random and compute the intermediate variable
    Figure PCTCN2020104492-appb-100019
    and the intermediate variable
    Figure PCTCN2020104492-appb-100020
    where c_i ∈_R Z_q*, i = 3, …, n;
    compute the hash value
    Figure PCTCN2020104492-appb-100021
    then, from (c, c_1, c_2), compute the degree-2 interpolation polynomial f_2(x) such that f_2(0) = c, f_2(1) = c_1, f_2(2) = c_2, and from (c, c_3, c_4, …, c_n) compute the degree-(n-2) interpolation polynomial f_{n-2}(x) such that f_{n-2}(0) = c and f_{n-2}(i) = c_i, i = 3, …, n; and
    compute
    Figure PCTCN2020104492-appb-100022
    wherein n is the total number of unspent-amount UTXOs taking part in the signature; i denotes the i-th unspent-amount UTXO taking part in the signature; G, H are two generators of the prime-order elliptic-curve point group Q; q is the order of the group Q; Z_q is the ring of integers modulo q; Z_q* is Z_q \ {0}; Hash is a collision-resistant hash function; ∈_R denotes choosing an element of a set uniformly at random; v_i is the transaction amount, an integer with 0 ≤ v_i < 2^64, i = 1, 2, …; C_i is the encrypted amount; r_i, c_i, e_i, s_i, t_i are random numbers with r_i, c_i, e_i, s_i, t_i ∈ Z_q*, i = 1, 2, …, n; UPK, usk are the user public key and the corresponding private key; a_i, b_i are intermediate variables; f_2(x) is a polynomial of degree 2; and f_{n-2}(x) is a polynomial of degree n-2.
PCT/CN2020/104492 2020-01-22 2020-07-24 Method and system for supervising a transaction sender WO2021147283A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010073884.9 2020-01-22
CN202010073884.9A CN111311264B (zh) 2020-01-22 2020-01-22 Method and system for supervising a transaction sender

Publications (1)

Publication Number Publication Date
WO2021147283A1 true WO2021147283A1 (zh) 2021-07-29

Family

ID=71158257

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/104492 WO2021147283A1 (zh) 2020-01-22 2020-07-24 Method and system for supervising a transaction sender

Country Status (2)

Country Link
CN (1) CN111311264B (zh)
WO (1) WO2021147283A1 (zh)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111311264B (zh) * 2020-01-22 2023-12-22 数据通信科学技术研究所 Method and system for supervising a transaction sender


Also Published As

Publication number Publication date
CN111311264B (zh) 2023-12-22
CN111311264A (zh) 2020-06-19


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20916043

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20916043

Country of ref document: EP

Kind code of ref document: A1